[selinux-policy] - Until we figure out how to fix systemd issues, allow all apps that send syslog messag - Add init_a

Miroslav Grepl mgrepl at fedoraproject.org
Wed Jul 11 14:46:03 UTC 2012


commit 98ec5a124e5a141c79de3b6d455665dce5d6178f
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Wed Jul 11 16:45:33 2012 +0200

    - Until we figure out how to fix systemd issues, allow all apps that send syslog messag
    - Add init_access_check() interface
    - Fix label on /usr/bin/pingus to not be labeled as ping_exec_t
    - Allow tcpdump to create a netlink_socket
    - Label newusers like useradd
    - Change xdm log files to be labeled xdm_log_t
    - Allow sshd_t with privsep to work in MLS
    - Allow freshclam to update databases through an HTTP proxy
    - Allow s-m-config to access check on systemd
    - Allow abrt to read public files by default
    - Fix amavis_create_pid_files() interface
    - Add labeling and filename transition for dbomatic.log
    - Allow system_dbusd_t to stream connect to bluetooth, and use its socket
    - Allow amavisd to execute fsav
    - Allow tuned to use sys_admin and sys_nice capabilities
    - Add php-fpm policy from Bryan
    - Add labeling for aeolus-configserver-thinwrapper
    - Allow thin domains to execute shell
    - Fix gnome_role_gkeyringd() interface description
    - Lot of interface fixes
    - Allow OpenMPI job running as condor_startd_ssh_t to manage condor lib files
    - Allow OpenMPI job to use kerberos
    - Make deltacloudd_t as nsswitch_domain

 policy-rawhide.patch         |  229 +++++++++++-------
 policy_contrib-rawhide.patch |  539 ++++++++++++++++++++++++++++++++++--------
 selinux-policy.spec          |   33 +++-
 3 files changed, 612 insertions(+), 189 deletions(-)
---
diff --git a/policy-rawhide.patch b/policy-rawhide.patch
index 2dee3f2..7f547f8 100644
--- a/policy-rawhide.patch
+++ b/policy-rawhide.patch
@@ -58436,6 +58436,20 @@ index f477c7f..d80599b 100644
 +	(( h1 dom h2 ) or ( t1 == mcsnetwrite ));
 +
  ') dnl end enable_mcs
+diff --git a/policy/mls b/policy/mls
+index d218387..c406594 100644
+--- a/policy/mls
++++ b/policy/mls
+@@ -195,7 +195,8 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s
+ 	(( l1 eq l2 ) or 
+ 	 (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
+ 	 (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+-	 ( t1 == mlsnetwrite ));
++	 ( t1 == mlsnetwrite ) or
++	 ( t2 == mlstrustedobject ));
+ 
+ # used by netlabel to restrict normal domains to same level connections
+ mlsconstrain { tcp_socket udp_socket rawip_socket } recvfrom
 diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
 index 7a6f06f..48fc840 100644
 --- a/policy/modules/admin/bootloader.fc
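Review bot: The new `( t2 == mlstrustedobject )` disjunct in the socket write constraint around policy/mls line 195 exempts every object type that carries the mlstrustedobject attribute, not only the sshd privsep case the commit message names; the attribute is attached to sshd_t by the `mls_trusted_object(sshd_t)` line in the ssh.te hunk further down, and any type that already has it gains the same level-crossing write path as a side effect. A comment in policy/mls naming the intended consumer would keep this from being widened silently, e.g. `# sockets of mlstrustedobject types (sshd privsep) may be written across levels`. Whether the neighbouring constraints in that file need the same disjunct is not visible from this hunk.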
@@ -58906,10 +58920,18 @@ index c6ca761..46e0767 100644
  ')
  
 diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
-index e0791b9..9f49d01 100644
+index e0791b9..98d188e 100644
 --- a/policy/modules/admin/netutils.te
 +++ b/policy/modules/admin/netutils.te
-@@ -48,6 +48,8 @@ files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })
+@@ -41,6 +41,7 @@ allow netutils_t self:packet_socket create_socket_perms;
+ allow netutils_t self:udp_socket create_socket_perms;
+ allow netutils_t self:tcp_socket create_stream_socket_perms;
+ allow netutils_t self:socket create_socket_perms;
++allow netutils_t self:netlink_socket create_socket_perms;
+ 
+ manage_dirs_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t)
+ manage_files_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t)
+@@ -48,6 +49,8 @@ files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })
  
  kernel_search_proc(netutils_t)
  kernel_read_all_sysctls(netutils_t)
@@ -58918,7 +58940,7 @@ index e0791b9..9f49d01 100644
  
  corenet_all_recvfrom_unlabeled(netutils_t)
  corenet_all_recvfrom_netlabel(netutils_t)
-@@ -64,6 +66,9 @@ corenet_sendrecv_all_client_packets(netutils_t)
+@@ -64,6 +67,9 @@ corenet_sendrecv_all_client_packets(netutils_t)
  corenet_udp_bind_generic_node(netutils_t)
  
  dev_read_sysfs(netutils_t)
@@ -58928,7 +58950,7 @@ index e0791b9..9f49d01 100644
  
  fs_getattr_xattr_fs(netutils_t)
  
-@@ -83,7 +88,7 @@ logging_send_syslog_msg(netutils_t)
+@@ -83,7 +89,7 @@ logging_send_syslog_msg(netutils_t)
  miscfiles_read_localization(netutils_t)
  
  term_dontaudit_use_console(netutils_t)
@@ -58937,7 +58959,7 @@ index e0791b9..9f49d01 100644
  userdom_use_all_users_fds(netutils_t)
  
  optional_policy(`
-@@ -104,6 +109,8 @@ optional_policy(`
+@@ -104,6 +110,8 @@ optional_policy(`
  #
  
  allow ping_t self:capability { setuid net_raw };
@@ -58946,7 +58968,7 @@ index e0791b9..9f49d01 100644
  dontaudit ping_t self:capability sys_tty_config;
  allow ping_t self:tcp_socket create_socket_perms;
  allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
-@@ -134,8 +141,6 @@ logging_send_syslog_msg(ping_t)
+@@ -134,8 +142,6 @@ logging_send_syslog_msg(ping_t)
  
  miscfiles_read_localization(ping_t)
  
@@ -58955,7 +58977,7 @@ index e0791b9..9f49d01 100644
  ifdef(`hide_broken_symptoms',`
  	init_dontaudit_use_fds(ping_t)
  
-@@ -145,11 +150,25 @@ ifdef(`hide_broken_symptoms',`
+@@ -145,11 +151,25 @@ ifdef(`hide_broken_symptoms',`
  	')
  ')
  
@@ -58981,7 +59003,7 @@ index e0791b9..9f49d01 100644
  	pcmcia_use_cardmgr_fds(ping_t)
  ')
  
-@@ -157,6 +176,10 @@ optional_policy(`
+@@ -157,6 +177,10 @@ optional_policy(`
  	hotplug_use_fds(ping_t)
  ')
  
@@ -58992,7 +59014,7 @@ index e0791b9..9f49d01 100644
  ########################################
  #
  # Traceroute local policy
-@@ -194,6 +217,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
+@@ -194,6 +218,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
  domain_use_interactive_fds(traceroute_t)
  
  files_read_etc_files(traceroute_t)
@@ -59000,7 +59022,7 @@ index e0791b9..9f49d01 100644
  files_dontaudit_search_var(traceroute_t)
  
  init_use_fds(traceroute_t)
-@@ -204,9 +228,16 @@ logging_send_syslog_msg(traceroute_t)
+@@ -204,9 +229,16 @@ logging_send_syslog_msg(traceroute_t)
  
  miscfiles_read_localization(traceroute_t)
  
@@ -59359,6 +59381,18 @@ index 1bd7d84..4f57935 100644
 +optional_policy(`
 +	fprintd_dbus_chat(sudodomain)
 +')
+diff --git a/policy/modules/admin/usermanage.fc b/policy/modules/admin/usermanage.fc
+index f82f0ce..204bdc8 100644
+--- a/policy/modules/admin/usermanage.fc
++++ b/policy/modules/admin/usermanage.fc
+@@ -20,6 +20,7 @@ ifdef(`distro_gentoo',`
+ /usr/sbin/groupmod	--	gen_context(system_u:object_r:groupadd_exec_t,s0)
+ /usr/sbin/grpconv	--	gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+ /usr/sbin/grpunconv	--	gen_context(system_u:object_r:admin_passwd_exec_t,s0)
++/usr/sbin/newusers	--	gen_context(system_u:object_r:useradd_exec_t,s0)
+ /usr/sbin/pwconv	--	gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+ /usr/sbin/pwunconv	--	gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+ /usr/sbin/useradd	--	gen_context(system_u:object_r:useradd_exec_t,s0)
 diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if
 index 98b8b2d..da75471 100644
 --- a/policy/modules/admin/usermanage.if
@@ -60162,7 +60196,7 @@ index 7590165..59539e8 100644
 +	fs_mounton_fusefs(seunshare_domain)
 +')
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index db981df..b77f19f 100644
+index db981df..b0ff71c 100644
 --- a/policy/modules/kernel/corecommands.fc
 +++ b/policy/modules/kernel/corecommands.fc
 @@ -1,9 +1,10 @@
@@ -60240,7 +60274,7 @@ index db981df..b77f19f 100644
  
  /opt/gutenprint/cups/lib/filter(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  
-@@ -174,53 +183,76 @@ ifdef(`distro_gentoo',`
+@@ -174,53 +183,77 @@ ifdef(`distro_gentoo',`
  /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
  ')
  
@@ -60261,7 +60295,8 @@ index db981df..b77f19f 100644
 -/usr/bin/scponly		--	gen_context(system_u:object_r:shell_exec_t,s0)
 +/usr/bin/ksh.*			--	gen_context(system_u:object_r:shell_exec_t,s0)
 +/usr/bin/mksh			--	gen_context(system_u:object_r:shell_exec_t,s0)
-+/usr/bin/mountpoint			--	gen_context(system_u:object_r:bin_t,s0)
++/usr/bin/mountpoint		--	gen_context(system_u:object_r:bin_t,s0)
++/usr/bin/pingus			--	gen_context(system_u:object_r:bin_t,s0)
 +/usr/bin/sash			--	gen_context(system_u:object_r:shell_exec_t,s0)
  /usr/bin/tcsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
 +/usr/bin/yash			--	gen_context(system_u:object_r:shell_exec_t,s0)
@@ -60334,7 +60369,7 @@ index db981df..b77f19f 100644
  /usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/xfce4/exo-1/exo-helper-1 --	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/xfce4/panel/migrate	--	gen_context(system_u:object_r:bin_t,s0)
-@@ -235,10 +267,15 @@ ifdef(`distro_gentoo',`
+@@ -235,10 +268,15 @@ ifdef(`distro_gentoo',`
  /usr/lib/debug/sbin(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/debug/usr/bin(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/debug/usr/sbin(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
@@ -60350,7 +60385,7 @@ index db981df..b77f19f 100644
  /usr/lib/[^/]*/run-mozilla\.sh --	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
-@@ -251,11 +288,18 @@ ifdef(`distro_gentoo',`
+@@ -251,11 +289,18 @@ ifdef(`distro_gentoo',`
  
  /usr/libexec/openssh/sftp-server --	gen_context(system_u:object_r:bin_t,s0)
  
@@ -60370,7 +60405,7 @@ index db981df..b77f19f 100644
  /usr/sbin/scponlyc		--	gen_context(system_u:object_r:shell_exec_t,s0)
  /usr/sbin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)
  /usr/sbin/smrsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -271,6 +315,10 @@ ifdef(`distro_gentoo',`
+@@ -271,6 +316,10 @@ ifdef(`distro_gentoo',`
  /usr/share/cluster/.*\.sh		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/cluster/ocf-shellfuncs --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/cluster/svclib_nfslock --	gen_context(system_u:object_r:bin_t,s0)
@@ -60381,7 +60416,7 @@ index db981df..b77f19f 100644
  /usr/share/e16/misc(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
  /usr/share/gitolite/hooks/common/update -- gen_context(system_u:object_r:bin_t,s0)
-@@ -290,15 +338,19 @@ ifdef(`distro_gentoo',`
+@@ -290,15 +339,19 @@ ifdef(`distro_gentoo',`
  /usr/share/smolt/client(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall/compiler\.pl --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall/configpath	--	gen_context(system_u:object_r:bin_t,s0)
@@ -60402,7 +60437,7 @@ index db981df..b77f19f 100644
  
  ifdef(`distro_debian',`
  /usr/lib/ConsoleKit/.*		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -314,8 +366,12 @@ ifdef(`distro_redhat', `
+@@ -314,8 +367,12 @@ ifdef(`distro_redhat', `
  /etc/gdm/[^/]+			-d	gen_context(system_u:object_r:bin_t,s0)
  /etc/gdm/[^/]+/.*			gen_context(system_u:object_r:bin_t,s0)
  
@@ -60415,7 +60450,7 @@ index db981df..b77f19f 100644
  /usr/lib/vmware-tools/(s)?bin32(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/vmware-tools/(s)?bin64(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -325,9 +381,11 @@ ifdef(`distro_redhat', `
+@@ -325,9 +382,11 @@ ifdef(`distro_redhat', `
  /usr/share/clamav/clamd-gen	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/clamav/freshclam-sleep --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/createrepo(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@@ -60427,7 +60462,7 @@ index db981df..b77f19f 100644
  /usr/share/pwlib/make/ptlib-config --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/pydict/pydict\.py	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -376,11 +434,14 @@ ifdef(`distro_suse', `
+@@ -376,11 +435,14 @@ ifdef(`distro_suse', `
  #
  # /var
  #
@@ -60443,7 +60478,7 @@ index db981df..b77f19f 100644
  /usr/lib/yp/.+			--	gen_context(system_u:object_r:bin_t,s0)
  
  /var/qmail/bin			-d	gen_context(system_u:object_r:bin_t,s0)
-@@ -390,3 +451,12 @@ ifdef(`distro_suse', `
+@@ -390,3 +452,12 @@ ifdef(`distro_suse', `
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -72824,10 +72859,10 @@ index fe0c682..93ec53f 100644
 +	userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts")
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index b17e27a..d193a52 100644
+index b17e27a..9dbbafe 100644
 --- a/policy/modules/services/ssh.te
 +++ b/policy/modules/services/ssh.te
-@@ -6,26 +6,37 @@ policy_module(ssh, 2.3.0)
+@@ -6,44 +6,51 @@ policy_module(ssh, 2.3.0)
  #
  
  ## <desc>
@@ -72872,13 +72907,14 @@ index b17e27a..d193a52 100644
  
  type sshd_exec_t;
  corecmd_executable_file(sshd_exec_t)
-@@ -33,17 +44,12 @@ corecmd_executable_file(sshd_exec_t)
+ 
  ssh_server_template(sshd)
  init_daemon_domain(sshd_t, sshd_exec_t)
- 
++mls_trusted_object(sshd_t)
++
 +type sshd_initrc_exec_t;
 +init_script_file(sshd_initrc_exec_t)
-+
+ 
  type sshd_key_t;
  files_type(sshd_key_t)
  
@@ -72893,7 +72929,7 @@ index b17e27a..d193a52 100644
  type ssh_t;
  type ssh_exec_t;
  typealias ssh_t alias { user_ssh_t staff_ssh_t sysadm_ssh_t };
-@@ -73,6 +79,11 @@ type ssh_home_t;
+@@ -73,6 +80,11 @@ type ssh_home_t;
  typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t };
  typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
  userdom_user_home_content(ssh_home_t)
@@ -72905,7 +72941,7 @@ index b17e27a..d193a52 100644
  
  ##############################
  #
-@@ -83,6 +94,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
+@@ -83,6 +95,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
  allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow ssh_t self:fd use;
  allow ssh_t self:fifo_file rw_fifo_file_perms;
@@ -72913,7 +72949,7 @@ index b17e27a..d193a52 100644
  allow ssh_t self:unix_dgram_socket { create_socket_perms sendto };
  allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow ssh_t self:shm create_shm_perms;
-@@ -90,15 +102,11 @@ allow ssh_t self:sem create_sem_perms;
+@@ -90,15 +103,11 @@ allow ssh_t self:sem create_sem_perms;
  allow ssh_t self:msgq create_msgq_perms;
  allow ssh_t self:msg { send receive };
  allow ssh_t self:tcp_socket create_stream_socket_perms;
@@ -72930,7 +72966,7 @@ index b17e27a..d193a52 100644
  manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
  manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
  manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
-@@ -108,20 +116,26 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
+@@ -108,20 +117,26 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
  manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t)
  manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
  userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file })
@@ -72960,7 +72996,7 @@ index b17e27a..d193a52 100644
  
  kernel_read_kernel_sysctls(ssh_t)
  kernel_read_system_state(ssh_t)
-@@ -133,7 +147,11 @@ corenet_tcp_sendrecv_generic_node(ssh_t)
+@@ -133,7 +148,11 @@ corenet_tcp_sendrecv_generic_node(ssh_t)
  corenet_tcp_sendrecv_all_ports(ssh_t)
  corenet_tcp_connect_ssh_port(ssh_t)
  corenet_sendrecv_ssh_client_packets(ssh_t)
@@ -72972,7 +73008,7 @@ index b17e27a..d193a52 100644
  dev_read_urand(ssh_t)
  
  fs_getattr_all_fs(ssh_t)
-@@ -157,37 +175,36 @@ logging_read_generic_logs(ssh_t)
+@@ -157,37 +176,36 @@ logging_read_generic_logs(ssh_t)
  auth_use_nsswitch(ssh_t)
  
  miscfiles_read_localization(ssh_t)
@@ -73027,7 +73063,7 @@ index b17e27a..d193a52 100644
  ')
  
  optional_policy(`
-@@ -195,28 +212,24 @@ optional_policy(`
+@@ -195,28 +213,24 @@ optional_policy(`
  	xserver_domtrans_xauth(ssh_t)
  ')
  
@@ -73060,7 +73096,7 @@ index b17e27a..d193a52 100644
  #################################
  #
  # sshd local policy
-@@ -227,33 +240,46 @@ optional_policy(`
+@@ -227,33 +241,46 @@ optional_policy(`
  # so a tunnel can point to another ssh tunnel
  allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
  allow sshd_t self:key { search link write };
@@ -73116,7 +73152,7 @@ index b17e27a..d193a52 100644
  ')
  
  optional_policy(`
-@@ -261,11 +287,24 @@ optional_policy(`
+@@ -261,11 +288,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -73142,7 +73178,7 @@ index b17e27a..d193a52 100644
  ')
  
  optional_policy(`
-@@ -283,6 +322,15 @@ optional_policy(`
+@@ -283,6 +323,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -73158,7 +73194,7 @@ index b17e27a..d193a52 100644
  	unconfined_shell_domtrans(sshd_t)
  ')
  
-@@ -290,6 +338,29 @@ optional_policy(`
+@@ -290,6 +339,29 @@ optional_policy(`
  	xserver_domtrans_xauth(sshd_t)
  ')
  
@@ -73188,7 +73224,7 @@ index b17e27a..d193a52 100644
  ########################################
  #
  # ssh_keygen local policy
-@@ -298,19 +369,26 @@ optional_policy(`
+@@ -298,19 +370,26 @@ optional_policy(`
  # ssh_keygen_t is the type of the ssh-keygen program when run at install time
  # and by sysadm_t
  
@@ -73216,7 +73252,7 @@ index b17e27a..d193a52 100644
  dev_read_urand(ssh_keygen_t)
  
  term_dontaudit_use_console(ssh_keygen_t)
-@@ -327,9 +405,11 @@ auth_use_nsswitch(ssh_keygen_t)
+@@ -327,9 +406,11 @@ auth_use_nsswitch(ssh_keygen_t)
  logging_send_syslog_msg(ssh_keygen_t)
  
  userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
@@ -73230,7 +73266,7 @@ index b17e27a..d193a52 100644
  ')
  
  optional_policy(`
-@@ -339,3 +419,83 @@ optional_policy(`
+@@ -339,3 +420,83 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(ssh_keygen_t)
  ')
@@ -73315,7 +73351,7 @@ index b17e27a..d193a52 100644
 +    ssh_rw_dgram_sockets(chroot_user_t)
 +')
 diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
-index fc86b7c..f393f76 100644
+index fc86b7c..3347d48 100644
 --- a/policy/modules/services/xserver.fc
 +++ b/policy/modules/services/xserver.fc
 @@ -2,13 +2,35 @@
@@ -73421,11 +73457,12 @@ index fc86b7c..f393f76 100644
 -/var/log/[kwx]dm\.log.*	--	gen_context(system_u:object_r:xserver_log_t,s0)
 -/var/log/lxdm\.log	--	gen_context(system_u:object_r:xserver_log_t,s0)
 -/var/log/gdm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
-+/var/log/[mkwx]dm\.log.*	--	gen_context(system_u:object_r:xserver_log_t,s0)
+-/var/log/slim\.log	--	gen_context(system_u:object_r:xserver_log_t,s0)
++/var/log/[mkwx]dm\.log.*	--	gen_context(system_u:object_r:xdm_log_t,s0)
 +/var/log/lightdm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
-+/var/log/lxdm\.log.*	--	gen_context(system_u:object_r:xserver_log_t,s0)
-+/var/log/[mg]dm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
- /var/log/slim\.log	--	gen_context(system_u:object_r:xserver_log_t,s0)
++/var/log/lxdm\.log.*	--	gen_context(system_u:object_r:xdm_log_t,s0)
++/var/log/[mg]dm(/.*)?		gen_context(system_u:object_r:xdm_log_t,s0)
++/var/log/slim\.log	--	gen_context(system_u:object_r:xdm_log_t,s0)
  /var/log/XFree86.*	--	gen_context(system_u:object_r:xserver_log_t,s0)
  /var/log/Xorg.*		--	gen_context(system_u:object_r:xserver_log_t,s0)
 +/var/log/nvidia-installer\.log.* --	gen_context(system_u:object_r:xserver_log_t,s0)
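Review bot: The new xdm_log_t contexts for `/var/log/[mkwx]dm\.log.*`, `/var/log/lxdm\.log.*`, `/var/log/[mg]dm(/.*)?` and `/var/log/slim\.log` reference a type whose declaration is not part of this diff; unless xserver.te in the same commit adds `type xdm_log_t; logging_log_file(xdm_log_t)` plus the xdm_t manage rules, the file contexts will fail validation. Files already on disk keep xserver_log_t until relabeled, so unless the package relabels /var/log on upgrade the xdm domain may lose access to its existing logs — worth confirming against the spec. The slim.log line is only moved from the context set into the changed set, which is fine.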
@@ -77506,7 +77543,7 @@ index d2e40b8..3ba2e4c 100644
  ')
 +/var/run/systemd(/.*)?		gen_context(system_u:object_r:init_var_run_t,s0)
 diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index d26fe81..3ff8fef 100644
+index d26fe81..3f3a57f 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
 @@ -79,6 +79,44 @@ interface(`init_script_domain',`
@@ -77748,7 +77785,7 @@ index d26fe81..3ff8fef 100644
  #
  interface(`init_exec',`
  	gen_require(`
-@@ -451,6 +522,29 @@ interface(`init_exec',`
+@@ -451,6 +522,48 @@ interface(`init_exec',`
  
  	corecmd_search_bin($1)
  	can_exec($1, init_exec_t)
@@ -77760,6 +77797,25 @@ index d26fe81..3ff8fef 100644
 +
 +#######################################
 +## <summary>
++##  Check access to the init/systemd executable.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`init_access_check',`
++    gen_require(`
++        type init_exec_t;
++    ')
++
++    corecmd_search_bin($1)
++    allow $1 init_exec_t:file { getattr_file_perms execute };
++')
++
++#######################################
++## <summary>
 +##  Dontaudit getattr on the init program.
 +## </summary>
 +## <param name="domain">
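Review bot: The new init_access_check interface is indented with four spaces while the rest of init.if uses tabs (compare `	gen_require(` in the init_exec hunk above); switch to tabs so the file stays consistent. Its summary also understates what it grants: `execute` on init_exec_t is given without execute_no_trans, so a caller can pass an access(2)/stat check on the binary but still cannot run init without a domain transition — say so in the summary, e.g. `##	Check access to (getattr and execute on) the init/systemd executable; no domain transition is granted.`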
@@ -77778,7 +77834,7 @@ index d26fe81..3ff8fef 100644
  ')
  
  ########################################
-@@ -539,6 +633,24 @@ interface(`init_sigchld',`
+@@ -539,6 +652,24 @@ interface(`init_sigchld',`
  
  ########################################
  ## <summary>
@@ -77803,7 +77859,7 @@ index d26fe81..3ff8fef 100644
  ##	Connect to init with a unix socket.
  ## </summary>
  ## <param name="domain">
-@@ -549,10 +661,66 @@ interface(`init_sigchld',`
+@@ -549,10 +680,66 @@ interface(`init_sigchld',`
  #
  interface(`init_stream_connect',`
  	gen_require(`
@@ -77872,7 +77928,7 @@ index d26fe81..3ff8fef 100644
  ')
  
  ########################################
-@@ -718,19 +886,25 @@ interface(`init_telinit',`
+@@ -718,19 +905,25 @@ interface(`init_telinit',`
  		type initctl_t;
  	')
  
@@ -77899,7 +77955,7 @@ index d26fe81..3ff8fef 100644
  	')
  ')
  
-@@ -760,7 +934,7 @@ interface(`init_rw_initctl',`
+@@ -760,7 +953,7 @@ interface(`init_rw_initctl',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -77908,7 +77964,7 @@ index d26fe81..3ff8fef 100644
  ##	</summary>
  ## </param>
  #
-@@ -803,11 +977,12 @@ interface(`init_script_file_entry_type',`
+@@ -803,11 +996,12 @@ interface(`init_script_file_entry_type',`
  #
  interface(`init_spec_domtrans_script',`
  	gen_require(`
@@ -77923,7 +77979,7 @@ index d26fe81..3ff8fef 100644
  
  	ifdef(`distro_gentoo',`
  		gen_require(`
-@@ -818,11 +993,11 @@ interface(`init_spec_domtrans_script',`
+@@ -818,11 +1012,11 @@ interface(`init_spec_domtrans_script',`
  	')
  
  	ifdef(`enable_mcs',`
@@ -77937,7 +77993,7 @@ index d26fe81..3ff8fef 100644
  	')
  ')
  
-@@ -838,19 +1013,41 @@ interface(`init_spec_domtrans_script',`
+@@ -838,19 +1032,41 @@ interface(`init_spec_domtrans_script',`
  #
  interface(`init_domtrans_script',`
  	gen_require(`
@@ -77983,7 +78039,7 @@ index d26fe81..3ff8fef 100644
  ')
  
  ########################################
-@@ -906,9 +1103,14 @@ interface(`init_script_file_domtrans',`
+@@ -906,9 +1122,14 @@ interface(`init_script_file_domtrans',`
  interface(`init_labeled_script_domtrans',`
  	gen_require(`
  		type initrc_t;
@@ -77998,7 +78054,7 @@ index d26fe81..3ff8fef 100644
  	files_search_etc($1)
  ')
  
-@@ -999,7 +1201,9 @@ interface(`init_ptrace',`
+@@ -999,7 +1220,9 @@ interface(`init_ptrace',`
  		type init_t;
  	')
  
@@ -78009,7 +78065,7 @@ index d26fe81..3ff8fef 100644
  ')
  
  ########################################
-@@ -1117,6 +1321,24 @@ interface(`init_read_all_script_files',`
+@@ -1117,6 +1340,24 @@ interface(`init_read_all_script_files',`
  
  #######################################
  ## <summary>
@@ -78034,7 +78090,7 @@ index d26fe81..3ff8fef 100644
  ##	Dontaudit read all init script files.
  ## </summary>
  ## <param name="domain">
-@@ -1168,12 +1390,7 @@ interface(`init_read_script_state',`
+@@ -1168,12 +1409,7 @@ interface(`init_read_script_state',`
  	')
  
  	kernel_search_proc($1)
@@ -78048,7 +78104,7 @@ index d26fe81..3ff8fef 100644
  ')
  
  ########################################
-@@ -1413,6 +1630,27 @@ interface(`init_dbus_send_script',`
+@@ -1413,6 +1649,27 @@ interface(`init_dbus_send_script',`
  ########################################
  ## <summary>
  ##	Send and receive messages from
@@ -78076,7 +78132,7 @@ index d26fe81..3ff8fef 100644
  ##	init scripts over dbus.
  ## </summary>
  ## <param name="domain">
-@@ -1499,6 +1737,25 @@ interface(`init_getattr_script_status_files',`
+@@ -1499,6 +1756,25 @@ interface(`init_getattr_script_status_files',`
  
  ########################################
  ## <summary>
@@ -78102,7 +78158,7 @@ index d26fe81..3ff8fef 100644
  ##	Do not audit attempts to read init script
  ##	status files.
  ## </summary>
-@@ -1557,6 +1814,24 @@ interface(`init_rw_script_tmp_files',`
+@@ -1557,6 +1833,24 @@ interface(`init_rw_script_tmp_files',`
  
  ########################################
  ## <summary>
@@ -78127,7 +78183,7 @@ index d26fe81..3ff8fef 100644
  ##	Create files in a init script
  ##	temporary data directory.
  ## </summary>
-@@ -1629,6 +1904,43 @@ interface(`init_read_utmp',`
+@@ -1629,6 +1923,43 @@ interface(`init_read_utmp',`
  
  ########################################
  ## <summary>
@@ -78171,7 +78227,7 @@ index d26fe81..3ff8fef 100644
  ##	Do not audit attempts to write utmp.
  ## </summary>
  ## <param name="domain">
-@@ -1717,7 +2029,7 @@ interface(`init_dontaudit_rw_utmp',`
+@@ -1717,7 +2048,7 @@ interface(`init_dontaudit_rw_utmp',`
  		type initrc_var_run_t;
  	')
  
@@ -78180,7 +78236,7 @@ index d26fe81..3ff8fef 100644
  ')
  
  ########################################
-@@ -1758,6 +2070,128 @@ interface(`init_pid_filetrans_utmp',`
+@@ -1758,6 +2089,128 @@ interface(`init_pid_filetrans_utmp',`
  	files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
  ')
  
@@ -78309,7 +78365,7 @@ index d26fe81..3ff8fef 100644
  ########################################
  ## <summary>
  ##	Allow the specified domain to connect to daemon with a tcp socket
-@@ -1792,3 +2226,284 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1792,3 +2245,284 @@ interface(`init_udp_recvfrom_all_daemons',`
  	')
  	corenet_udp_recvfrom_labeled($1, daemon)
  ')
@@ -81014,7 +81070,7 @@ index 02f4c97..54c74fe 100644
 +/var/webmin(/.*)?		gen_context(system_u:object_r:var_log_t,s0)
 +
 diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
-index 321bb13..4d8e1a9 100644
+index 321bb13..e9c2da9 100644
 --- a/policy/modules/system/logging.if
 +++ b/policy/modules/system/logging.if
 @@ -233,7 +233,7 @@ interface(`logging_run_auditd',`
@@ -81099,10 +81155,17 @@ index 321bb13..4d8e1a9 100644
  ########################################
  ## <summary>
  ##	Send system log messages.
-@@ -550,6 +607,45 @@ interface(`logging_send_syslog_msg',`
- 
- ########################################
- ## <summary>
+@@ -546,6 +603,48 @@ interface(`logging_send_syslog_msg',`
+ 	# will write to the console.
+ 	term_write_console($1)
+ 	term_dontaudit_read_console($1)
++	ifdef(`hide_broken_symptoms',`
++		kernel_dgram_send($1)
++	')
++')
++
++########################################
++## <summary>
 +##	Connect to the syslog control unix stream socket.
 +## </summary>
 +## <param name="domain">
@@ -81138,14 +81201,10 @@ index 321bb13..4d8e1a9 100644
 +
 +	files_search_pids($1)
 +	stream_connect_pattern($1, syslogd_var_run_t, syslogd_var_run_t, syslogd_t)
-+')
-+
-+########################################
-+## <summary>
- ##	Read the auditd configuration files.
- ## </summary>
- ## <param name="domain">
-@@ -739,7 +835,25 @@ interface(`logging_append_all_logs',`
+ ')
+ 
+ ########################################
+@@ -739,7 +838,25 @@ interface(`logging_append_all_logs',`
  	')
  
  	files_search_var($1)
@@ -81172,7 +81231,7 @@ index 321bb13..4d8e1a9 100644
  ')
  
  ########################################
-@@ -822,7 +936,7 @@ interface(`logging_manage_all_logs',`
+@@ -822,7 +939,7 @@ interface(`logging_manage_all_logs',`
  
  	files_search_var($1)
  	manage_files_pattern($1, logfile, logfile)
@@ -81181,7 +81240,7 @@ index 321bb13..4d8e1a9 100644
  ')
  
  ########################################
-@@ -848,6 +962,44 @@ interface(`logging_read_generic_logs',`
+@@ -848,6 +965,44 @@ interface(`logging_read_generic_logs',`
  
  ########################################
  ## <summary>
@@ -81226,7 +81285,7 @@ index 321bb13..4d8e1a9 100644
  ##	Write generic log files.
  ## </summary>
  ## <param name="domain">
-@@ -947,11 +1099,16 @@ interface(`logging_admin_audit',`
+@@ -947,11 +1102,16 @@ interface(`logging_admin_audit',`
  		type auditd_t, auditd_etc_t, auditd_log_t;
  		type auditd_var_run_t;
  		type auditd_initrc_exec_t;
@@ -81244,7 +81303,7 @@ index 321bb13..4d8e1a9 100644
  	manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t)
  	manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
  
-@@ -967,6 +1124,33 @@ interface(`logging_admin_audit',`
+@@ -967,6 +1127,33 @@ interface(`logging_admin_audit',`
  	domain_system_change_exemption($1)
  	role_transition $2 auditd_initrc_exec_t system_r;
  	allow $2 system_r;
@@ -81278,7 +81337,7 @@ index 321bb13..4d8e1a9 100644
  ')
  
  ########################################
-@@ -995,10 +1179,15 @@ interface(`logging_admin_syslog',`
+@@ -995,10 +1182,15 @@ interface(`logging_admin_syslog',`
  		type syslogd_initrc_exec_t;
  	')
  
@@ -81296,7 +81355,7 @@ index 321bb13..4d8e1a9 100644
  
  	manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t)
  	manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t)
-@@ -1020,6 +1209,8 @@ interface(`logging_admin_syslog',`
+@@ -1020,6 +1212,8 @@ interface(`logging_admin_syslog',`
  	manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
  
  	logging_manage_all_logs($1)
@@ -81305,7 +81364,7 @@ index 321bb13..4d8e1a9 100644
  
  	init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -1048,3 +1239,25 @@ interface(`logging_admin',`
+@@ -1048,3 +1242,25 @@ interface(`logging_admin',`
  	logging_admin_audit($1, $2)
  	logging_admin_syslog($1, $2)
  ')
diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch
index 374402d..9b32038 100644
--- a/policy_contrib-rawhide.patch
+++ b/policy_contrib-rawhide.patch
@@ -316,7 +316,7 @@ index 0b827c5..ac79ca6 100644
 +	dontaudit $1 abrt_t:sock_file write;
  ')
 diff --git a/abrt.te b/abrt.te
-index 30861ec..979a48d 100644
+index 30861ec..9522c1a 100644
 --- a/abrt.te
 +++ b/abrt.te
 @@ -5,13 +5,34 @@ policy_module(abrt, 1.2.0)
@@ -481,7 +481,7 @@ index 30861ec..979a48d 100644
  
  fs_list_inotifyfs(abrt_t)
  fs_getattr_all_fs(abrt_t)
-@@ -131,22 +203,30 @@ fs_read_nfs_files(abrt_t)
+@@ -131,22 +203,31 @@ fs_read_nfs_files(abrt_t)
  fs_read_nfs_symlinks(abrt_t)
  fs_search_all(abrt_t)
  
@@ -494,6 +494,7 @@ index 30861ec..979a48d 100644
  
  miscfiles_read_generic_certs(abrt_t)
 -miscfiles_read_localization(abrt_t)
++miscfiles_read_public_files(abrt_t)
  
  userdom_dontaudit_read_user_home_content_files(abrt_t)
 +userdom_dontaudit_read_admin_home_files(abrt_t)
@@ -517,7 +518,7 @@ index 30861ec..979a48d 100644
  ')
  
  optional_policy(`
-@@ -167,6 +247,7 @@ optional_policy(`
+@@ -167,6 +248,7 @@ optional_policy(`
  	rpm_exec(abrt_t)
  	rpm_dontaudit_manage_db(abrt_t)
  	rpm_manage_cache(abrt_t)
@@ -525,7 +526,7 @@ index 30861ec..979a48d 100644
  	rpm_manage_pid_files(abrt_t)
  	rpm_read_db(abrt_t)
  	rpm_signull(abrt_t)
-@@ -178,9 +259,32 @@ optional_policy(`
+@@ -178,9 +260,32 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -558,7 +559,7 @@ index 30861ec..979a48d 100644
  ########################################
  #
  # abrt--helper local policy
-@@ -200,23 +304,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
+@@ -200,23 +305,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
  read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
  read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
  
@@ -587,7 +588,7 @@ index 30861ec..979a48d 100644
  	userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
  	userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
  	dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -224,4 +327,146 @@ ifdef(`hide_broken_symptoms', `
+@@ -224,4 +328,146 @@ ifdef(`hide_broken_symptoms', `
  	dev_dontaudit_write_all_chr_files(abrt_helper_t)
  	dev_dontaudit_write_all_blk_files(abrt_helper_t)
  	fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -1319,14 +1320,14 @@ index d362d9c..230a2f6 100644
 +
 +/usr/lib/systemd/system/alsa.*  --              gen_context(system_u:object_r:alsa_unit_file_t,s0)
 diff --git a/alsa.if b/alsa.if
-index 1392679..25e02df 100644
+index 1392679..64e685f 100644
 --- a/alsa.if
 +++ b/alsa.if
 @@ -148,6 +148,7 @@ interface(`alsa_manage_home_files',`
  
  	userdom_search_user_home_dirs($1)
  	allow $1 alsa_home_t:file manage_file_perms;
-+	alsa_filetrans_home_content(unpriv_userdomain)
++	alsa_filetrans_home_content($1)
  ')
  
  ########################################
@@ -1472,10 +1473,18 @@ index bec220e..1d26add 100644
 +	fstools_signal(amanda_t)
 +')
 diff --git a/amavis.if b/amavis.if
-index e31d92a..e515cb8 100644
+index e31d92a..1aa0718 100644
 --- a/amavis.if
 +++ b/amavis.if
-@@ -231,9 +231,13 @@ interface(`amavis_admin',`
+@@ -202,6 +202,7 @@ interface(`amavis_create_pid_files',`
+ 		type amavis_var_run_t;
+ 	')
+ 
++	allow $1 amavis_var_run_t:dir rw_dir_perms;
+ 	allow $1 amavis_var_run_t:file create_file_perms;
+ 	files_search_pids($1)
+ ')
+@@ -231,9 +232,13 @@ interface(`amavis_admin',`
  		type amavis_initrc_exec_t;
  	')
  
@@ -1491,7 +1500,7 @@ index e31d92a..e515cb8 100644
   	domain_system_change_exemption($1)
   	role_transition $2 amavis_initrc_exec_t system_r;
 diff --git a/amavis.te b/amavis.te
-index 5a9b451..f94bd50 100644
+index 5a9b451..c4b2eec 100644
 --- a/amavis.te
 +++ b/amavis.te
 @@ -38,7 +38,7 @@ type amavis_quarantine_t;
@@ -1503,7 +1512,29 @@ index 5a9b451..f94bd50 100644
  
  ########################################
  #
-@@ -128,15 +128,16 @@ corenet_tcp_connect_razor_port(amavis_t)
+@@ -49,7 +49,7 @@ allow amavis_t self:capability { kill chown dac_override setgid setuid };
+ dontaudit amavis_t self:capability sys_tty_config;
+ allow amavis_t self:process { signal sigchld sigkill signull };
+ allow amavis_t self:fifo_file rw_fifo_file_perms;
+-allow amavis_t self:unix_stream_socket create_stream_socket_perms;
++allow amavis_t self:unix_stream_socket { create_stream_socket_perms connectto };
+ allow amavis_t self:unix_dgram_socket create_socket_perms;
+ allow amavis_t self:tcp_socket { listen accept };
+ allow amavis_t self:netlink_route_socket r_netlink_socket_perms;
+@@ -75,9 +75,11 @@ filetrans_pattern(amavis_t, amavis_spool_t, amavis_var_run_t, sock_file)
+ files_search_spool(amavis_t)
+ 
+ # tmp files
++manage_dirs_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
+ manage_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
++manage_sock_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
+ allow amavis_t amavis_tmp_t:dir setattr_dir_perms;
+-files_tmp_filetrans(amavis_t, amavis_tmp_t, file)
++files_tmp_filetrans(amavis_t, amavis_tmp_t, { file dir } )
+ 
+ # var/lib files for amavis
+ manage_dirs_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
+@@ -128,17 +130,19 @@ corenet_tcp_connect_razor_port(amavis_t)
  
  dev_read_rand(amavis_t)
  dev_read_urand(amavis_t)
@@ -1520,8 +1551,11 @@ index 5a9b451..f94bd50 100644
 +auth_use_nsswitch(amavis_t)
  auth_dontaudit_read_shadow(amavis_t)
  
++init_read_state(amavis_t)
  # uses uptime which reads utmp - redhat bug 561383
-@@ -148,29 +149,32 @@ logging_send_syslog_msg(amavis_t)
+ init_read_utmp(amavis_t)
+ init_stream_connect_script(amavis_t)
+@@ -148,29 +152,32 @@ logging_send_syslog_msg(amavis_t)
  miscfiles_read_generic_certs(amavis_t)
  miscfiles_read_localization(amavis_t)
  
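Review bot: `manage_sock_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)` is added for the tmp type, but the updated `files_tmp_filetrans(amavis_t, amavis_tmp_t, { file dir } )` still names only `file` and `dir`, so a socket amavisd creates directly in `/tmp` would keep the generic tmp label and the new sock_file rule would never apply to it. If the sockets are created in `/tmp` itself rather than inside an `amavis_tmp_t` directory, extend the transition to `files_tmp_filetrans(amavis_t, amavis_tmp_t, { file dir sock_file })`. The `connectto` added to the self unix_stream_socket line is consistent with that use, but the call sites are not visible here, so confirm which location the sockets land in.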
@@ -1597,7 +1631,7 @@ index e81bdbd..63ab279 100644
  
  optional_policy(`
 diff --git a/apache.fc b/apache.fc
-index fd9fa07..95f6a90 100644
+index fd9fa07..b289cef 100644
 --- a/apache.fc
 +++ b/apache.fc
 @@ -1,39 +1,54 @@
@@ -1688,7 +1722,7 @@ index fd9fa07..95f6a90 100644
  
  /var/cache/httpd(/.*)?			gen_context(system_u:object_r:httpd_cache_t,s0)
  /var/cache/lighttpd(/.*)?		gen_context(system_u:object_r:httpd_cache_t,s0)
-@@ -73,31 +92,44 @@ ifdef(`distro_suse', `
+@@ -73,31 +92,43 @@ ifdef(`distro_suse', `
  /var/cache/ssl.*\.sem		--	gen_context(system_u:object_r:httpd_cache_t,s0)
  
  /var/lib/cacti/rra(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -1715,7 +1749,6 @@ index fd9fa07..95f6a90 100644
 +/var/log/cherokee(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
 +/var/log/httpd(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
 +/var/log/lighttpd(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
-+/var/log/php-fpm(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
 +/var/log/roundcubemail(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
 +/var/log/suphp\.log	--	gen_context(system_u:object_r:httpd_log_t,s0)
  
@@ -1737,7 +1770,7 @@ index fd9fa07..95f6a90 100644
  
  /var/spool/gosa(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
  /var/spool/squirrelmail(/.*)?		gen_context(system_u:object_r:squirrelmail_spool_t,s0)
-@@ -109,3 +141,25 @@ ifdef(`distro_debian', `
+@@ -109,3 +140,25 @@ ifdef(`distro_debian', `
  /var/www/cgi-bin(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
  /var/www/icons(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /var/www/perl(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
@@ -5673,10 +5706,10 @@ index 0000000..e59e51b
 +/var/log/boinc\.log				--		gen_context(system_u:object_r:boinc_log_t,s0)
 diff --git a/boinc.if b/boinc.if
 new file mode 100644
-index 0000000..6d7e034
+index 0000000..9d891b7
 --- /dev/null
 +++ b/boinc.if
-@@ -0,0 +1,189 @@
+@@ -0,0 +1,188 @@
 +## <summary>policy for boinc</summary>
 +
 +########################################
@@ -5811,7 +5844,6 @@ index 0000000..6d7e034
 +    ')
 +
 +    systemd_exec_systemctl($1)
-+    systemd_read_fifo_file_password_run($1)
 +    allow $1 boinc_unit_file_t:file read_file_perms;
 +    allow $1 boinc_unit_file_t:service manage_service_perms;
 +
@@ -7528,7 +7560,7 @@ index b6bb46c..645d203 100644
  /var/log/cgrulesengd\.log	--	gen_context(system_u:object_r:cgred_log_t,s0)
  /var/run/cgred.*			gen_context(system_u:object_r:cgred_var_run_t,s0)
 diff --git a/cgroup.if b/cgroup.if
-index 33facaf..1d39797 100644
+index 33facaf..c624aaa 100644
 --- a/cgroup.if
 +++ b/cgroup.if
 @@ -171,15 +171,27 @@ interface(`cgroup_admin',`
@@ -7541,7 +7573,7 @@ index 33facaf..1d39797 100644
  
 -	allow $1 cgconfig_t:process { ptrace signal_perms };
 +	tunable_policy(`deny_ptrace',`',`
-+		allow $1 cglear_t:process ptrace;
++		allow $1 cglcear_t:process ptrace;
 +	')
 +
 +	allow $1 cgconfig_t:process signal_perms;
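Review bot: The replacement line `allow $1 cglcear_t:process ptrace;` still looks misspelled: `cglear_t` became `cglcear_t`, which matches no type referenced elsewhere in this hunk (the surrounding rules are all for `cgconfig_t`). If the intended domain is the one for libcgroup's cgclear tool, the name should be checked against the `gen_require` block of `cgroup_admin`, which lies outside the hunk; as written the type is presumably undeclared and the `deny_ptrace` branch will not build. Fixing the one line to the declared type name is all that is needed.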
@@ -8395,7 +8427,7 @@ index bbac14a..87840b4 100644
 +
  ')
 diff --git a/clamav.te b/clamav.te
-index 5b7a1d7..d5c0e45 100644
+index 5b7a1d7..0bcee92 100644
 --- a/clamav.te
 +++ b/clamav.te
 @@ -1,9 +1,23 @@
@@ -8546,15 +8578,16 @@ index 5b7a1d7..d5c0e45 100644
  corenet_all_recvfrom_unlabeled(freshclam_t)
  corenet_all_recvfrom_netlabel(freshclam_t)
  corenet_tcp_sendrecv_generic_if(freshclam_t)
-@@ -189,6 +227,7 @@ corenet_tcp_sendrecv_generic_node(freshclam_t)
+@@ -189,6 +227,8 @@ corenet_tcp_sendrecv_generic_node(freshclam_t)
  corenet_tcp_sendrecv_all_ports(freshclam_t)
  corenet_tcp_sendrecv_clamd_port(freshclam_t)
  corenet_tcp_connect_http_port(freshclam_t)
 +corenet_tcp_connect_clamd_port(freshclam_t)
++corenet_tcp_connect_squid_port(freshclam_t)
  corenet_sendrecv_http_client_packets(freshclam_t)
  
  dev_read_rand(freshclam_t)
-@@ -196,7 +235,6 @@ dev_read_urand(freshclam_t)
+@@ -196,7 +236,6 @@ dev_read_urand(freshclam_t)
  
  domain_use_interactive_fds(freshclam_t)
  
@@ -8562,7 +8595,7 @@ index 5b7a1d7..d5c0e45 100644
  files_read_etc_runtime_files(freshclam_t)
  
  auth_use_nsswitch(freshclam_t)
-@@ -207,16 +245,22 @@ miscfiles_read_localization(freshclam_t)
+@@ -207,16 +246,22 @@ miscfiles_read_localization(freshclam_t)
  
  clamav_stream_connect(freshclam_t)
  
@@ -8589,7 +8622,7 @@ index 5b7a1d7..d5c0e45 100644
  ########################################
  #
  # clamscam local policy
-@@ -242,17 +286,34 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir })
+@@ -242,17 +287,36 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir })
  manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t)
  allow clamscan_t clamd_var_lib_t:dir list_dir_perms;
  
@@ -8616,6 +8649,8 @@ index 5b7a1d7..d5c0e45 100644
 +
 +tunable_policy(`clamscan_can_scan_system',`
 +        files_read_non_security_files(clamscan_t)
++		files_getattr_all_pipes(clamscan_t)
++		files_getattr_all_sockets(clamscan_t)
 +')
 +
  kernel_read_kernel_sysctls(clamscan_t)
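Review bot: The two lines added inside the `clamscan_can_scan_system` tunable are indented with tabs while the existing `files_read_non_security_files(clamscan_t)` line directly above them uses spaces, so the block now mixes both styles; pick one indent for the whole tunable body. Going by their names, `files_getattr_all_pipes` and `files_getattr_all_sockets` are getattr-only grants, so keeping them under the tunable rather than unconditionally is the right scope.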
@@ -8625,7 +8660,7 @@ index 5b7a1d7..d5c0e45 100644
  files_read_etc_runtime_files(clamscan_t)
  files_search_var_lib(clamscan_t)
  
-@@ -264,10 +325,15 @@ miscfiles_read_public_files(clamscan_t)
+@@ -264,10 +328,15 @@ miscfiles_read_public_files(clamscan_t)
  
  clamav_stream_connect(clamscan_t)
  
@@ -8658,10 +8693,10 @@ index b40f3f7..3676ecc 100644
  #
 diff --git a/cloudform.fc b/cloudform.fc
 new file mode 100644
-index 0000000..7182054
+index 0000000..e59cc85
 --- /dev/null
 +++ b/cloudform.fc
-@@ -0,0 +1,19 @@
+@@ -0,0 +1,20 @@
 +/etc/rc\.d/init\.d/iwhd --      gen_context(system_u:object_r:iwhd_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/mongod	--	gen_context(system_u:object_r:mongod_initrc_exec_t,s0)
 +
@@ -8677,6 +8712,7 @@ index 0000000..7182054
 +/var/log/deltacloud-core(/.*)?	gen_context(system_u:object_r:deltacloudd_log_t,s0)
 +/var/log/iwhd\.log		--		gen_context(system_u:object_r:iwhd_log_t,s0)
 +/var/log/mongodb(/.*)?		gen_context(system_u:object_r:mongod_log_t,s0)
++/var/log/aeolus-conductor/dbomatic\.log	--	gen_context(system_u:object_r:mongod_log_t,s0)
 +
 +/var/run/mongodb(/.*)?		gen_context(system_u:object_r:mongod_var_run_t,s0)
 +/var/run/aeolus/dbomatic\.pid   --  gen_context(system_u:object_r:mongod_var_run_t,s0)
@@ -8729,10 +8765,10 @@ index 0000000..7f55959
 +')
 diff --git a/cloudform.te b/cloudform.te
 new file mode 100644
-index 0000000..da2404c
+index 0000000..ebf11b1
 --- /dev/null
 +++ b/cloudform.te
-@@ -0,0 +1,195 @@
+@@ -0,0 +1,198 @@
 +policy_module(cloudform, 1.0)
 +########################################
 +#
@@ -8838,6 +8874,8 @@ index 0000000..da2404c
 +corenet_tcp_bind_generic_node(deltacloudd_t)
 +corenet_tcp_bind_generic_port(deltacloudd_t)
 +
++auth_use_nsswitch(deltacloudd_t)
++
 +files_read_usr_files(deltacloudd_t)
 +
 +logging_send_syslog_msg(deltacloudd_t)
@@ -8891,6 +8929,7 @@ index 0000000..da2404c
 +
 +manage_dirs_pattern(mongod_t, mongod_log_t, mongod_log_t)
 +manage_files_pattern(mongod_t, mongod_log_t, mongod_log_t)
++logging_log_filetrans(mongod_t, mongod_log_t, file, "dbomatic.log")
 +
 +manage_dirs_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
 +manage_files_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
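Review bot: `logging_log_filetrans(mongod_t, mongod_log_t, file, "dbomatic.log")` only fires for a file created directly in a `var_log_t` directory, but the matching labeling rule this commit adds to cloudform.fc places the file at `/var/log/aeolus-conductor/dbomatic.log`; unless `/var/log/aeolus-conductor` itself carries `var_log_t`, the transition never applies and the log is created with the parent directory's label. Confirm that directory's label, and add a why-comment above the rule, since nothing in the file explains why an aeolus-conductor log is labeled with the mongod types — e.g. `# dbomatic.log is written by the dbomatic service, which runs in mongod_t (its pid file is mongod_var_run_t)`, once that is confirmed.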
@@ -10329,10 +10368,10 @@ index 0000000..168f664
 +')
 diff --git a/condor.te b/condor.te
 new file mode 100644
-index 0000000..1bba4b7
+index 0000000..40f65d5
 --- /dev/null
 +++ b/condor.te
-@@ -0,0 +1,232 @@
+@@ -0,0 +1,239 @@
 +policy_module(condor, 1.0.0)
 +
 +########################################
@@ -10560,6 +10599,13 @@ index 0000000..1bba4b7
 +optional_policy(`
 +	ssh_basic_client_template(condor_startd, condor_startd_t, system_r)
 +	ssh_domtrans(condor_startd_t)
++
++	manage_files_pattern(condor_startd_ssh_t, condor_var_lib_t, condor_var_lib_t)
++	manage_dirs_pattern(condor_startd_ssh_t, condor_var_lib_t, condor_var_lib_t)
++
++	optional_policy(`
++		kerberos_use(condor_startd_ssh_t)
++	')
 +')
 +
 +optional_policy(`
@@ -13029,7 +13075,7 @@ index 0000000..284fbae
 +	sysnet_domtrans_ifconfig(ctdbd_t)
 +')
 diff --git a/cups.fc b/cups.fc
-index 848bb92..25c56f7 100644
+index 848bb92..7d949a9 100644
 --- a/cups.fc
 +++ b/cups.fc
 @@ -19,7 +19,10 @@
@@ -13051,7 +13097,7 @@ index 848bb92..25c56f7 100644
  
  /var/lib/hp(/.*)?		gen_context(system_u:object_r:hplip_var_lib_t,s0)
  
-@@ -60,10 +64,16 @@
+@@ -60,10 +64,18 @@
  
  /var/ccpd(/.*)?			gen_context(system_u:object_r:cupsd_var_run_t,s0)
  /var/ekpd(/.*)?			gen_context(system_u:object_r:cupsd_var_run_t,s0)
@@ -13069,6 +13115,8 @@ index 848bb92..25c56f7 100644
 +/usr/local/Printer/(.*/)?inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 +
 +/usr/local/linuxprinter/ppd(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++
++/opt/brother/Printers(.*/)?inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 diff --git a/cups.if b/cups.if
 index 305ddf4..11d010a 100644
 --- a/cups.if
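Review bot: The new pattern `/opt/brother/Printers(.*/)?inf(/.*)?` has no `/` between `Printers` and the optional subdirectory group, unlike `/usr/local/Printer/(.*/)?inf(/.*)?` a few lines above, so it also matches paths such as `/opt/brother/Printersinf` or `/opt/brother/PrintersXYZ/inf` and labels them `cupsd_rw_etc_t`. If the intent mirrors the `/usr/local/Printer/` entry, use `/opt/brother/Printers/(.*/)?inf(/.*)?`.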
@@ -14164,7 +14212,7 @@ index fb4bf82..115133d 100644
 +	dontaudit $1 session_bus_type:dbus send_msg;
  ')
 diff --git a/dbus.te b/dbus.te
-index 8e7ba54..9201358 100644
+index 8e7ba54..ffc5025 100644
 --- a/dbus.te
 +++ b/dbus.te
 @@ -10,6 +10,7 @@ gen_require(`
@@ -14238,7 +14286,7 @@ index 8e7ba54..9201358 100644
  
  logging_send_audit_msgs(system_dbusd_t)
  logging_send_syslog_msg(system_dbusd_t)
-@@ -135,11 +143,27 @@ seutil_sigchld_newrole(system_dbusd_t)
+@@ -135,11 +143,31 @@ seutil_sigchld_newrole(system_dbusd_t)
  userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
  userdom_dontaudit_search_user_home_dirs(system_dbusd_t)
  
@@ -14249,6 +14297,10 @@ index 8e7ba54..9201358 100644
  ')
  
  optional_policy(`
++	bluetooth_stream_connect(system_dbusd_t)
++')
++
++optional_policy(`
 +	gnome_exec_gconf(system_dbusd_t)
 +	gnome_read_inherited_home_icc_data_files(system_dbusd_t)
 +')
@@ -14266,7 +14318,7 @@ index 8e7ba54..9201358 100644
  	policykit_dbus_chat(system_dbusd_t)
  	policykit_domtrans_auth(system_dbusd_t)
  	policykit_search_lib(system_dbusd_t)
-@@ -150,12 +174,160 @@ optional_policy(`
+@@ -150,12 +178,160 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -20942,7 +20994,7 @@ index 00a19e3..17006fc 100644
 +/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper	--		gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 diff --git a/gnome.if b/gnome.if
-index f5afe78..8da3abc 100644
+index f5afe78..7861fc8 100644
 --- a/gnome.if
 +++ b/gnome.if
 @@ -1,44 +1,937 @@
@@ -20989,6 +21041,11 @@ index f5afe78..8da3abc 100644
 +## <summary>
 +##      The role template for the gnome-keyring-daemon.
 +## </summary>
++## <param name="user_domain">
++##      <summary>
++##      The user domain associated with the role.
++##      </summary>
++## </param>
 +## <param name="user_prefix">
 +##      <summary>
 +##      The user prefix.
@@ -20999,11 +21056,6 @@ index f5afe78..8da3abc 100644
 +##      The user role.
 +##      </summary>
 +## </param>
-+## <param name="user_domain">
-+##      <summary>
-+##      The user domain associated with the role.
-+##      </summary>
-+## </param>
 +#
 +interface(`gnome_role_gkeyringd',`
 +        gen_require(`
@@ -25394,10 +25446,10 @@ index 0000000..868c7d0
 +')
 diff --git a/jockey.te b/jockey.te
 new file mode 100644
-index 0000000..efa139b
+index 0000000..56b4856
 --- /dev/null
 +++ b/jockey.te
-@@ -0,0 +1,42 @@
+@@ -0,0 +1,43 @@
 +policy_module(jockey, 1.0.0)
 +
 +########################################
@@ -25438,6 +25490,7 @@ index 0000000..efa139b
 +domain_use_interactive_fds(jockey_t)
 +
 +files_read_etc_files(jockey_t)
++files_read_usr_files(jockey_t)
 +
 +miscfiles_read_localization(jockey_t)
 diff --git a/kde.fc b/kde.fc
@@ -26882,7 +26935,7 @@ index 0000000..6b27066
 +/var/run/xl2tpd\.pid	--	gen_context(system_u:object_r:l2tpd_var_run_t,s0)
 diff --git a/l2tpd.if b/l2tpd.if
 new file mode 100644
-index 0000000..8bc2c6d
+index 0000000..562d25b
 --- /dev/null
 +++ b/l2tpd.if
 @@ -0,0 +1,178 @@
@@ -27039,7 +27092,7 @@ index 0000000..8bc2c6d
 +#
 +interface(`l2tpd_admin',`
 +	gen_require(`
-+		type l2tpd_t, l2tpd_initrc_exec_t. l2tpd_var_run_t;
++		type l2tpd_t, l2tpd_initrc_exec_t, l2tpd_var_run_t;
 +		type l2tp_etc_t, l2tpd_tmp_t;
 +	')
 +
@@ -28362,7 +28415,7 @@ index a4f32f5..628b63c 100644
  ##	in the caller domain.
  ## </summary>
 diff --git a/lpd.te b/lpd.te
-index a03b63a..9b3ca81 100644
+index a03b63a..bee4750 100644
 --- a/lpd.te
 +++ b/lpd.te
 @@ -45,14 +45,14 @@ userdom_user_tmp_file(lpr_tmp_t)
@@ -28436,7 +28489,7 @@ index a03b63a..9b3ca81 100644
  # for test print
  files_read_usr_files(lpr_t)
  #Added to cover read_content macro
-@@ -275,19 +273,20 @@ miscfiles_read_localization(lpr_t)
+@@ -275,19 +273,21 @@ miscfiles_read_localization(lpr_t)
  
  userdom_read_user_tmp_symlinks(lpr_t)
  # Write to the user domain tty.
@@ -28445,6 +28498,7 @@ index a03b63a..9b3ca81 100644
  userdom_read_user_home_content_files(lpr_t)
  userdom_read_user_tmp_files(lpr_t)
 +userdom_write_user_tmp_sockets(lpr_t)
++userdom_stream_connect(lpr_t)
  
  tunable_policy(`use_lpd_server',`
  	# lpr can run in lightweight mode, without a local print spooler.
@@ -28462,7 +28516,7 @@ index a03b63a..9b3ca81 100644
  	# Send SIGHUP to lpd.
  	allow lpr_t lpd_t:process signal;
  
-@@ -305,17 +304,7 @@ tunable_policy(`use_lpd_server',`
+@@ -305,17 +305,7 @@ tunable_policy(`use_lpd_server',`
  	read_lnk_files_pattern(lpr_t, printconf_t, printconf_t)
  ')
  
@@ -28481,7 +28535,7 @@ index a03b63a..9b3ca81 100644
  
  optional_policy(`
  	cups_read_config(lpr_t)
-@@ -324,5 +313,13 @@ optional_policy(`
+@@ -324,5 +314,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30473,7 +30527,7 @@ index b3ace16..83392b6 100644
  optional_policy(`
  	udev_read_db(modemmanager_t)
 diff --git a/mojomojo.if b/mojomojo.if
-index 657a9fc..6be094b 100644
+index 657a9fc..7022903 100644
 --- a/mojomojo.if
 +++ b/mojomojo.if
 @@ -10,27 +10,26 @@
@@ -30495,7 +30549,7 @@ index 657a9fc..6be094b 100644
 -		type httpd_mojomojo_script_exec_t, httpd_mojomojo_htaccess_t;
 +		type httpd_mojomojo_script_t, httpd_mojomojo_content_t, httpd_mojomojo_ra_content_t;
 +		type httpd_mojomojo_rw_content_t, httpd_mojomojo_tmp_t, httpd_mojomojo_htaccess_t;
-+		type httpd_mojomojo_script_exec_t;
++		type httpd_mojomojo_script_exec_t, httpd_mojomo_script_t;
  	')
  
 -	allow $1 httpd_mojomojo_script_t:process { ptrace signal_perms };
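Review bot: The new line `type httpd_mojomojo_script_exec_t, httpd_mojomo_script_t;` names `httpd_mojomo_script_t`, which looks like a misspelling of `httpd_mojomojo_script_t` — and that type is already required on the line above, so the added name is both redundant and presumably undeclared, which would break this interface at build time. Drop it and keep `type httpd_mojomojo_script_exec_t;`. The enclosing interface's name and the rest of its body are outside the hunk.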
@@ -35409,7 +35463,7 @@ index 0000000..415b098
 +')
 +
 diff --git a/nscd.if b/nscd.if
-index 85188dc..783accb 100644
+index 85188dc..2b37836 100644
 --- a/nscd.if
 +++ b/nscd.if
 @@ -116,7 +116,26 @@ interface(`nscd_socket_use',`
@@ -35527,8 +35581,8 @@ index 85188dc..783accb 100644
  	admin_pattern($1, nscd_var_run_t)
 +
 +	nscd_systemctl($1)
-+	admin_pattern($1, ncsd_unit_file_t)
-+	allow $1 ncsd_unit_file_t:service all_service_perms;
++	admin_pattern($1, nscd_unit_file_t)
++	allow $1 nscd_unit_file_t:service all_service_perms;
  ')
 diff --git a/nscd.te b/nscd.te
 index 7936e09..d1861d5 100644
@@ -38525,6 +38579,253 @@ index 3185114..6fc91e8 100644
 +	xen_stream_connect(pegasus_t)
 +	xen_stream_connect_xenstore(pegasus_t)
 +')
+diff --git a/phpfpm.fc b/phpfpm.fc
+new file mode 100644
+index 0000000..4c64b13
+--- /dev/null
++++ b/phpfpm.fc
+@@ -0,0 +1,7 @@
++/usr/lib/systemd/system/php-fpm.service		--	gen_context(system_u:object_r:phpfpm_unit_file_t,s0)
++
++/usr/sbin/php-fpm		--	gen_context(system_u:object_r:phpfpm_exec_t,s0)
++
++/var/log/php-fpm(/.*)?		gen_context(system_u:object_r:phpfpm_log_t,s0)
++
++/var/run/php-fpm(/.*)?		gen_context(system_u:object_r:phpfpm_var_run_t,s0)
+diff --git a/phpfpm.if b/phpfpm.if
+new file mode 100644
+index 0000000..9dcdaa8
+--- /dev/null
++++ b/phpfpm.if
+@@ -0,0 +1,168 @@
++
++## <summary> PHP-FPM (FastCGI Process Manager) is an alternative PHP FastCGI implementation with some additional features useful for sites of any size, especially busier sites. </summary>
++
++########################################
++## <summary>
++##	Execute php-fpm in the phpfpm domain.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`phpfpm_domtrans',`
++	gen_require(`
++		type phpfpm_t, phpfpm_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, phpfpm_exec_t, phpfpm_t)
++')
++
++########################################
++## <summary>
++##	Read phpfpm's log files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`phpfpm_read_log',`
++	gen_require(`
++		type phpfpm_log_t;
++	')
++
++	logging_search_logs($1)
++	read_files_pattern($1, phpfpm_log_t, phpfpm_log_t)
++')
++
++########################################
++## <summary>
++##	Append to phpfpm log files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`phpfpm_append_log',`
++	gen_require(`
++		type phpfpm_log_t;
++	')
++
++	logging_search_logs($1)
++	append_files_pattern($1, phpfpm_log_t, phpfpm_log_t)
++')
++
++########################################
++## <summary>
++##	Manage phpfpm log files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`phpfpm_manage_log',`
++	gen_require(`
++		type phpfpm_log_t;
++	')
++
++	logging_search_logs($1)
++	manage_dirs_pattern($1, phpfpm_log_t, phpfpm_log_t)
++	manage_files_pattern($1, phpfpm_log_t, phpfpm_log_t)
++	manage_lnk_files_pattern($1, phpfpm_log_t, phpfpm_log_t)
++')
++
++########################################
++## <summary>
++##	Read phpfpm PID files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`phpfpm_read_pid_files',`
++	gen_require(`
++		type phpfpm_var_run_t;
++	')
++
++	files_search_pids($1)
++	allow $1 phpfpm_var_run_t:file read_file_perms;
++')
++
++########################################
++## <summary>
++##	Execute phpfpm server in the phpfpm domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`phpfpm_systemctl',`
++	gen_require(`
++		type phpfpm_t;
++		type phpfpm_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++	allow $1 phpfpm_unit_file_t:file read_file_perms;
++	allow $1 phpfpm_unit_file_t:service manage_service_perms;
++
++	ps_process_pattern($1, phpfpm_t)
++')
++
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an phpfpm environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`phpfpm_admin',`
++	gen_require(`
++		type phpfpm_t;
++		type phpfpm_log_t;
++		type phpfpm_var_run_t;
++	type phpfpm_unit_file_t;
++	')
++
++	allow $1 phpfpm_t:process { ptrace signal_perms };
++	ps_process_pattern($1, phpfpm_t)
++
++	logging_search_logs($1)
++	admin_pattern($1, phpfpm_log_t)
++
++	files_search_pids($1)
++	admin_pattern($1, phpfpm_var_run_t)
++
++	phpfpm_systemctl($1)
++	admin_pattern($1, phpfpm_unit_file_t)
++	allow $1 phpfpm_unit_file_t:service all_service_perms;
++
++	optional_policy(`
++		systemd_passwd_agent_exec($1)
++		systemd_read_fifo_file_passwd_run($1)
++	')
++')
+diff --git a/phpfpm.te b/phpfpm.te
+new file mode 100644
+index 0000000..ae5bdb2
+--- /dev/null
++++ b/phpfpm.te
+@@ -0,0 +1,54 @@
++policy_module(phpfpm, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type phpfpm_t;
++type phpfpm_exec_t;
++init_daemon_domain(phpfpm_t, phpfpm_exec_t)
++
++type phpfpm_log_t;
++logging_log_file(phpfpm_log_t)
++
++type phpfpm_var_run_t;
++files_pid_file(phpfpm_var_run_t)
++
++type phpfpm_unit_file_t;
++systemd_unit_file(phpfpm_unit_file_t)
++
++########################################
++#
++# phpfpm local policy
++#
++
++allow phpfpm_t self:capability { chown kill setgid setuid sys_chroot sys_nice };
++allow phpfpm_t self:process { setsched setrlimit signal sigkill  };
++
++allow phpfpm_t self:fifo_file rw_fifo_file_perms;
++allow phpfpm_t self:tcp_socket { accept listen };
++allow phpfpm_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(phpfpm_t, phpfpm_log_t, phpfpm_log_t)
++manage_files_pattern(phpfpm_t, phpfpm_log_t, phpfpm_log_t)
++
++manage_dirs_pattern(phpfpm_t, phpfpm_var_run_t, phpfpm_var_run_t)
++manage_files_pattern(phpfpm_t, phpfpm_var_run_t, phpfpm_var_run_t)
++files_pid_filetrans(phpfpm_t, phpfpm_var_run_t, dir )
++
++kernel_read_kernel_sysctls(phpfpm_t)
++
++corenet_tcp_bind_generic_port(phpfpm_t)
++
++domain_use_interactive_fds(phpfpm_t)
++
++files_read_etc_files(phpfpm_t)
++
++auth_use_nsswitch(phpfpm_t)
++
++logging_send_syslog_msg(phpfpm_t)
++
++miscfiles_read_localization(phpfpm_t)
++
++sysnet_dns_name_resolve(phpfpm_t)
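Review bot: `phpfpm_admin` grants `allow $1 phpfpm_t:process { ptrace signal_perms };` unconditionally, while the other admin interfaces touched by this commit (cgroup, tftp, virt) place ptrace behind the `deny_ptrace` tunable; for consistency split it into `allow $1 phpfpm_t:process signal_perms;` plus a tunable-guarded `allow $1 phpfpm_t:process ptrace;`. `phpfpm_read_pid_files` grants only `phpfpm_var_run_t:file read_file_perms`, but phpfpm.fc labels the `/var/run/php-fpm` directory itself `phpfpm_var_run_t` and phpfpm.te transitions only `dir`, so a caller cannot search into that directory to reach the file; `read_files_pattern($1, phpfpm_var_run_t, phpfpm_var_run_t)`, as `phpfpm_read_log` already does for logs, covers the dir search. phpfpm.te has `corenet_tcp_bind_generic_port(phpfpm_t)` together with `listen`/`accept` but no `corenet_tcp_bind_generic_node(phpfpm_t)`, unlike cloudform.te in the same patch, so a TCP listener would presumably be denied at the node bind. The `phpfpm_systemctl` summary is a copy of the domtrans one ("Execute phpfpm server in the phpfpm domain."); something like `##	Execute systemctl in the caller domain to manage the php-fpm service.` describes what the interface grants. The `type phpfpm_unit_file_t;` line in `phpfpm_admin`'s gen_require is also indented one level short of its siblings.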
 diff --git a/pingd.if b/pingd.if
 index 8688aae..cf34fc1 100644
 --- a/pingd.if
@@ -49496,7 +49797,7 @@ index 69a6074..c9dbc93 100644
 +/var/lib/samba/scripts(/.*)?		gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0)
 +')
 diff --git a/samba.if b/samba.if
-index 82cb169..9642fe3 100644
+index 82cb169..987239e 100644
 --- a/samba.if
 +++ b/samba.if
 @@ -42,6 +42,44 @@ interface(`samba_signal_nmbd',`
@@ -49786,7 +50087,17 @@ index 82cb169..9642fe3 100644
  
  	init_labeled_script_domtrans($1, samba_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -727,4 +886,9 @@ interface(`samba_admin',`
+@@ -709,9 +868,6 @@ interface(`samba_admin',`
+ 	admin_pattern($1, samba_var_t)
+ 	files_list_var($1)
+ 
+-	admin_pattern($1, smbd_spool_t)
+-	files_list_spool($1)
+-
+ 	admin_pattern($1, smbd_var_run_t)
+ 	files_list_pids($1)
+ 
+@@ -727,4 +883,9 @@ interface(`samba_admin',`
  	admin_pattern($1, winbind_tmp_t)
  
  	admin_pattern($1, winbind_var_run_t)
@@ -50367,10 +50678,10 @@ index fc22785..98b89c4 100644
 +	can_exec(smbd_t, samba_unconfined_script_exec_t)
  ')
 diff --git a/sambagui.te b/sambagui.te
-index 1898dbd..1651a2f 100644
+index 1898dbd..fc38344 100644
 --- a/sambagui.te
 +++ b/sambagui.te
-@@ -27,16 +27,19 @@ corecmd_exec_bin(sambagui_t)
+@@ -27,16 +27,21 @@ corecmd_exec_bin(sambagui_t)
  
  dev_dontaudit_read_urand(sambagui_t)
  
@@ -50381,6 +50692,8 @@ index 1898dbd..1651a2f 100644
  
  auth_use_nsswitch(sambagui_t)
 +auth_dontaudit_read_shadow(sambagui_t)
++
++init_access_check(sambagui_t)
  
  logging_send_syslog_msg(sambagui_t)
  
@@ -50391,7 +50704,7 @@ index 1898dbd..1651a2f 100644
  optional_policy(`
  	consoletype_exec(sambagui_t)
  ')
-@@ -56,6 +59,7 @@ optional_policy(`
+@@ -56,6 +61,7 @@ optional_policy(`
  	samba_manage_var_files(sambagui_t)
  	samba_read_secrets(sambagui_t)
  	samba_initrc_domtrans(sambagui_t)
@@ -54783,10 +55096,10 @@ index 0000000..5ab0840
 +/var/lib/subversion/repo(/.*)?		gen_context(system_u:object_r:svnserve_content_t,s0)	
 diff --git a/svnserve.if b/svnserve.if
 new file mode 100644
-index 0000000..19d13a7
+index 0000000..dd2ac36
 --- /dev/null
 +++ b/svnserve.if
-@@ -0,0 +1,119 @@
+@@ -0,0 +1,118 @@
 +
 +## <summary>policy for svnserve</summary>
 +
@@ -54846,7 +55159,6 @@ index 0000000..19d13a7
 +        ')
 +
 +        systemd_exec_systemctl($1)
-+        systemd_read_fifo_file_password_run($1)
 +        allow $1 svnserve_unit_file_t:file read_file_perms;
 +        allow $1 svnserve_unit_file_t:service manage_service_perms;
 +
@@ -55656,7 +55968,7 @@ index 25eee43..621f343 100644
  /usr/sbin/atftpd	--	gen_context(system_u:object_r:tftpd_exec_t,s0)
  /usr/sbin/in\.tftpd	--	gen_context(system_u:object_r:tftpd_exec_t,s0)
 diff --git a/tftp.if b/tftp.if
-index 38bb312..cab8c77 100644
+index 38bb312..0a40bc5 100644
 --- a/tftp.if
 +++ b/tftp.if
 @@ -13,9 +13,33 @@
@@ -55793,7 +56105,7 @@ index 38bb312..cab8c77 100644
 +	allow $1 tftpd_t:process signal_perms;
  	ps_process_pattern($1, tftpd_t)
 +	tunable_policy(`deny_ptrace',`',`
-+		allow $1 tftp_t:process ptrace;
++		allow $1 tftpd_t:process ptrace;
 +	')
 +
 +	files_list_var_lib($1)
@@ -55925,12 +56237,13 @@ index 80fe75c..cdeafc5 100644
 +')
 diff --git a/thin.fc b/thin.fc
 new file mode 100644
-index 0000000..62d2c77
+index 0000000..8954083
 --- /dev/null
 +++ b/thin.fc
-@@ -0,0 +1,10 @@
+@@ -0,0 +1,11 @@
 +/usr/bin/thin		--	gen_context(system_u:object_r:thin_exec_t,s0)
-+/usr/bin/thinStarter	--	gen_context(system_u:object_r:thin_aeolus_configserver_exec_t,s0)
++
++/usr/bin/aeolus-configserver-thinwrapper	--	gen_context(system_u:object_r:thin_aeolus_configserver_exec_t,s0)
 +
 +/var/lib/aeolus-configserver(/.*)?	gen_context(system_u:object_r:thin_aeolus_configserver_lib_t,s0)
 +
@@ -55989,10 +56302,10 @@ index 0000000..6de86e5
 +')
 diff --git a/thin.te b/thin.te
 new file mode 100644
-index 0000000..d1903e6
+index 0000000..1ed278e
 --- /dev/null
 +++ b/thin.te
-@@ -0,0 +1,105 @@
+@@ -0,0 +1,106 @@
 +policy_module(thin, 1.0)
 +
 +########################################
@@ -56036,6 +56349,7 @@ index 0000000..d1903e6
 +kernel_read_system_state(thin_domain)
 +
 +corecmd_exec_bin(thin_domain)
++corecmd_exec_shell(thin_domain)
 +
 +dev_read_rand(thin_domain)
 +dev_read_urand(thin_domain)
@@ -56505,10 +56819,10 @@ index 0000000..a8385bc
 +/var/run/tomcat6?\.pid		--	gen_context(system_u:object_r:tomcat_var_run_t,s0)
 diff --git a/tomcat.if b/tomcat.if
 new file mode 100644
-index 0000000..23251b7
+index 0000000..56f9936
 --- /dev/null
 +++ b/tomcat.if
-@@ -0,0 +1,353 @@
+@@ -0,0 +1,352 @@
 +
 +## <summary>policy for tomcat</summary>
 +
@@ -56804,7 +57118,6 @@ index 0000000..23251b7
 +	')
 +
 +	systemd_exec_systemctl($1)
-+        systemd_read_fifo_file_password_run($1)
 +	allow $1 tomcat_unit_file_t:file read_file_perms;
 +	allow $1 tomcat_unit_file_t:service manage_service_perms;
 +
@@ -56990,10 +57303,10 @@ index e2e06b2..6752bc3 100644
  /var/lib/tor-data(/.*)?		gen_context(system_u:object_r:tor_var_lib_t,s0)
  
 diff --git a/tor.if b/tor.if
-index 904f13e..26f16dd 100644
+index 904f13e..5801347 100644
 --- a/tor.if
 +++ b/tor.if
-@@ -18,6 +18,30 @@ interface(`tor_domtrans',`
+@@ -18,6 +18,29 @@ interface(`tor_domtrans',`
  	domtrans_pattern($1, tor_exec_t, tor_t)
  ')
  
@@ -57014,7 +57327,6 @@ index 904f13e..26f16dd 100644
 +        ')
 +
 +        systemd_exec_systemctl($1)
-+        systemd_read_fifo_file_password_run($1)
 +        allow $1 tor_unit_file_t:file read_file_perms;
 +        allow $1 tor_unit_file_t:service manage_service_perms;
 +
@@ -57024,7 +57336,7 @@ index 904f13e..26f16dd 100644
  ########################################
  ## <summary>
  ##	All of the rules required to administrate 
-@@ -40,10 +64,14 @@ interface(`tor_admin',`
+@@ -40,10 +63,14 @@ interface(`tor_admin',`
  		type tor_t, tor_var_log_t, tor_etc_t;
  		type tor_var_lib_t, tor_var_run_t;
  		type tor_initrc_exec_t;
@@ -57040,7 +57352,7 @@ index 904f13e..26f16dd 100644
  
  	init_labeled_script_domtrans($1, tor_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -61,4 +89,13 @@ interface(`tor_admin',`
+@@ -61,4 +88,13 @@ interface(`tor_admin',`
  
  	files_list_pids($1)
  	admin_pattern($1, tor_var_run_t)
@@ -57195,7 +57507,7 @@ index 54b8605..a04f013 100644
  	admin_pattern($1, tuned_var_run_t)
  ')
 diff --git a/tuned.te b/tuned.te
-index db9d2a5..28c4b84 100644
+index db9d2a5..288ada9 100644
 --- a/tuned.te
 +++ b/tuned.te
 @@ -12,6 +12,12 @@ init_daemon_domain(tuned_t, tuned_exec_t)
@@ -57211,13 +57523,14 @@ index db9d2a5..28c4b84 100644
  type tuned_log_t;
  logging_log_file(tuned_log_t)
  
-@@ -23,30 +29,49 @@ files_pid_file(tuned_var_run_t)
+@@ -22,31 +28,49 @@ files_pid_file(tuned_var_run_t)
+ #
  # tuned local policy
  #
- 
-+allow tuned_t self:process signal;
-+
+-
++allow tuned_t self:capability { sys_admin sys_nice };
  dontaudit tuned_t self:capability { dac_override sys_tty_config };
++allow tuned_t self:process signal;
 +allow tuned_t self:fifo_file rw_fifo_file_perms;
 +allow tuned_t self:udp_socket create_socket_perms;
 +
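Review bot: `allow tuned_t self:capability { sys_admin sys_nice };` adds `sys_admin`, the broadest capability, without a comment saying which operation tuned needs it for, so a later reviewer cannot tell whether a narrower interface would do; add a why-comment above the line such as `# sys_admin: <operation from the AVC that motivated this grant — fill in>`. If the denial came from a call tuned tolerates failing, a `dontaudit`, as the next line already uses for `dac_override`, would be the smaller grant. The rest of the reordered block below continues past the hunk.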
@@ -57266,7 +57579,7 @@ index db9d2a5..28c4b84 100644
  logging_send_syslog_msg(tuned_t)
  
  miscfiles_read_localization(tuned_t)
-@@ -58,6 +83,14 @@ optional_policy(`
+@@ -58,6 +82,14 @@ optional_policy(`
  	fstools_domtrans(tuned_t)
  ')
  
@@ -57945,10 +58258,15 @@ index 5d43bd5..879a5cb 100644
  	uuidd_initrc_domtrans($1)
  	domain_system_change_exemption($1)
 diff --git a/varnishd.if b/varnishd.if
-index 93975d6..7a665ff 100644
+index 93975d6..bd248ce 100644
 --- a/varnishd.if
 +++ b/varnishd.if
-@@ -155,8 +155,11 @@ interface(`varnishd_admin_varnishlog',`
+@@ -151,12 +151,16 @@ interface(`varnishd_manage_log',`
+ #
+ interface(`varnishd_admin_varnishlog',`
+ 	gen_require(`
++		type varnishd_t;
+ 		type varnishlog_t, varnishlog_initrc_exec_t, varnishlog_log_t;
  		type varnishlog_var_run_t;
  	')
  
@@ -57961,7 +58279,7 @@ index 93975d6..7a665ff 100644
  
  	init_labeled_script_domtrans($1, varnishlog_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -194,8 +197,11 @@ interface(`varnishd_admin',`
+@@ -194,8 +198,11 @@ interface(`varnishd_admin',`
  		type varnishd_initrc_exec_t;
  	')
  
@@ -58334,7 +58652,7 @@ index 2124b6a..5072bd7 100644
 +/usr/bin/qemu-kvm	--	gen_context(system_u:object_r:qemu_exec_t,s0)
 +/usr/libexec/qemu.*	--	gen_context(system_u:object_r:qemu_exec_t,s0)
 diff --git a/virt.if b/virt.if
-index 7c5d8d8..85b7d8b 100644
+index 7c5d8d8..9883b66 100644
 --- a/virt.if
 +++ b/virt.if
 @@ -13,39 +13,45 @@
@@ -58759,8 +59077,8 @@ index 7c5d8d8..85b7d8b 100644
 +	allow $1 virtd_t:process signal_perms;
  	ps_process_pattern($1, virtd_t)
 +	tunable_policy(`deny_ptrace',`',`
-+		allow $1 virtd_t:process ptrace_perms_perms;
-+		allow $1 virt_lxc_t:process ptrace_perms_perms;
++		allow $1 virtd_t:process ptrace_perms;
++		allow $1 virt_lxc_t:process ptrace_perms;
 +	')
 +
 +	allow $1 virt_lxc_t:process signal_perms;
@@ -60916,7 +61234,7 @@ index 77d41b6..cc73c96 100644
  
  	files_search_pids($1)
 diff --git a/xen.te b/xen.te
-index d995c70..1282d4c 100644
+index d995c70..17e2d43 100644
 --- a/xen.te
 +++ b/xen.te
 @@ -4,6 +4,7 @@ policy_module(xen, 1.11.1)
@@ -60975,7 +61293,22 @@ index d995c70..1282d4c 100644
  # internal communication is often done using fifo and unix sockets.
  allow xend_t self:fifo_file rw_fifo_file_perms;
  allow xend_t self:unix_stream_socket create_stream_socket_perms;
-@@ -299,7 +303,6 @@ dev_rw_sysfs(xend_t)
+@@ -219,6 +223,7 @@ allow xend_t self:unix_dgram_socket create_socket_perms;
+ allow xend_t self:netlink_route_socket r_netlink_socket_perms;
+ allow xend_t self:tcp_socket create_stream_socket_perms;
+ allow xend_t self:packet_socket create_socket_perms;
++allow xend_t self:tun_socket create_socket_perms;
+ 
+ allow xend_t xen_image_t:dir list_dir_perms;
+ manage_dirs_pattern(xend_t, xen_image_t, xen_image_t)
+@@ -294,12 +299,13 @@ corenet_sendrecv_soundd_server_packets(xend_t)
+ corenet_rw_tun_tap_dev(xend_t)
+ 
+ dev_read_urand(xend_t)
++# run lsscsi
++dev_getattr_all_chr_files(xend_t)
+ dev_filetrans_xen(xend_t)
+ dev_rw_sysfs(xend_t)
  dev_rw_xen(xend_t)
  
  domain_dontaudit_read_all_domains_state(xend_t)
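Review bot: The added `allow xend_t self:tun_socket create_socket_perms;` has no comment, while the other addition in this hunk documents itself with `# run lsscsi`; the changelog entry in selinux-policy.spec says the rule is for qemu-dm running as xend_t, so that reason belongs next to the rule: `# qemu-dm running as xend_t creates tun sockets`. `dev_getattr_all_chr_files(xend_t)` is likewise a wide grant (getattr on every character device node) justified only by the lsscsi comment; if lsscsi only needs to stat a subset of /dev, a narrower interface would be preferable, but that cannot be decided from this hunk. The xend_t policy block continues outside the hunk.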
@@ -60983,7 +61316,7 @@ index d995c70..1282d4c 100644
  
  files_read_etc_files(xend_t)
  files_read_kernel_symbol_table(xend_t)
-@@ -320,13 +323,9 @@ locallogin_dontaudit_use_fds(xend_t)
+@@ -320,13 +326,9 @@ locallogin_dontaudit_use_fds(xend_t)
  
  logging_send_syslog_msg(xend_t)
  
@@ -60997,7 +61330,7 @@ index d995c70..1282d4c 100644
  sysnet_domtrans_dhcpc(xend_t)
  sysnet_signal_dhcpc(xend_t)
  sysnet_domtrans_ifconfig(xend_t)
-@@ -339,8 +338,6 @@ userdom_dontaudit_search_user_home_dirs(xend_t)
+@@ -339,8 +341,6 @@ userdom_dontaudit_search_user_home_dirs(xend_t)
  
  xen_stream_connect_xenstore(xend_t)
  
@@ -61006,7 +61339,7 @@ index d995c70..1282d4c 100644
  optional_policy(`
  	brctl_domtrans(xend_t)
  ')
-@@ -349,6 +346,23 @@ optional_policy(`
+@@ -349,6 +349,23 @@ optional_policy(`
  	consoletype_exec(xend_t)
  ')
  
@@ -61030,7 +61363,7 @@ index d995c70..1282d4c 100644
  ########################################
  #
  # Xen console local policy
-@@ -374,8 +388,6 @@ dev_rw_xen(xenconsoled_t)
+@@ -374,8 +391,6 @@ dev_rw_xen(xenconsoled_t)
  dev_filetrans_xen(xenconsoled_t)
  dev_rw_sysfs(xenconsoled_t)
  
@@ -61039,7 +61372,7 @@ index d995c70..1282d4c 100644
  files_read_etc_files(xenconsoled_t)
  files_read_usr_files(xenconsoled_t)
  
-@@ -413,9 +425,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t)
+@@ -413,9 +428,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t)
  files_tmp_filetrans(xenstored_t, xenstored_tmp_t, { file dir })
  
  # pid file
@@ -61051,7 +61384,7 @@ index d995c70..1282d4c 100644
  
  # log files
  manage_dirs_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t)
-@@ -442,9 +455,11 @@ files_read_etc_files(xenstored_t)
+@@ -442,9 +458,11 @@ files_read_etc_files(xenstored_t)
  
  files_read_usr_files(xenstored_t)
  
@@ -61063,7 +61396,7 @@ index d995c70..1282d4c 100644
  
  init_use_fds(xenstored_t)
  init_use_script_ptys(xenstored_t)
-@@ -457,96 +472,9 @@ xen_append_log(xenstored_t)
+@@ -457,96 +475,9 @@ xen_append_log(xenstored_t)
  
  ########################################
  #
@@ -61160,7 +61493,7 @@ index d995c70..1282d4c 100644
  	#Should have a boolean wrapping these
  	fs_list_auto_mountpoints(xend_t)
  	files_search_mnt(xend_t)
-@@ -559,8 +487,4 @@ optional_policy(`
+@@ -559,8 +490,4 @@ optional_policy(`
  		fs_manage_nfs_files(xend_t)
  		fs_read_nfs_symlinks(xend_t)
  	')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index dbdbe76..1544972 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.11.0
-Release: 8%{?dist}
+Release: 9%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -491,6 +491,37 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Wed Jul 11 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.0-9
+- Until we figure out how to fix systemd issues, allow all apps that send syslog messages to send them to kernel_t
+- Add init_access_check() interface
+- Fix label on /usr/bin/pingus to not be labeled as ping_exec_t
+- Allow tcpdump to create a netlink_socket
+- Label newusers like useradd
+- Change xdm log files to be labeled xdm_log_t
+- Allow sshd_t with privsep to work in MLS
+- Allow freshclam to update databases thru HTTP proxy
+- Allow s-m-config to access check on systemd
+- Allow abrt to read public files by default
+- Fix amavis_create_pid_files() interface
+- Add labeling and filename transition for dbomatic.log
+- Allow system_dbusd_t to stream connect to bluetooth, and use its socket
+- Allow amavisd to execute fsav
+- Allow tuned to use sys_admin and sys_nice capabilities
+- Add php-fpm policy from Bryan
+- Add labeling for aeolus-configserver-thinwrapper
+- Allow thin domains to execute shell
+- Fix gnome_role_gkeyringd() interface description
+- Lot of interface fixes
+- Allow OpenMPI job running as condor_startd_ssh_t to manage condor lib files
+- Allow OpenMPI job to use kerberos
+- Make deltacloudd_t as nsswitch_domain
+- Allow xend_t to run lsscsi
+- Allow qemu-dm running as xend_t to create tun_socket
+- Add labeling for /opt/brother/Printers(.*/)?inf
+- Allow jockey-backend to read pyconfig-64.h labeled as usr_t
+- Fix clamscan_can_scan_system boolean
+- Allow lpr to connectto to /run/user/$USER/keyring-22uREb/pkcs11
+
 * Tue Jul 3 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.0-8
 - initrc is calling exportfs which is not confined so it attempts to read nfsd_files
 - Fixes for passenger running within openshift.

