[selinux-policy] * Mon Jul 30 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.0- - Add systemd fixes to make rawhide boo
Miroslav Grepl
mgrepl at fedoraproject.org
Mon Jul 30 15:37:36 UTC 2012
commit 42c409143036e3b74b61f924dcb98fb97f092dd2
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Mon Jul 30 17:37:17 2012 +0200
* Mon Jul 30 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.0-
- Add systemd fixes to make rawhide booting
policy-rawhide.patch | 355 +++++++++++++++++++++++++++---------------
policy_contrib-rawhide.patch | 174 +++++++++++++++------
selinux-policy.spec | 5 +-
3 files changed, 365 insertions(+), 169 deletions(-)
---
diff --git a/policy-rawhide.patch b/policy-rawhide.patch
index b8fd864..1f3f723 100644
--- a/policy-rawhide.patch
+++ b/policy-rawhide.patch
@@ -8579,7 +8579,7 @@ index 0000000..97f145e
+selinux(8), comsat(8), semanage(8), restorecon(8), chcon(1)
diff --git a/man/man8/condor_selinux.8 b/man/man8/condor_selinux.8
new file mode 100644
-index 0000000..a186b3e
+index 0000000..b4838c3
--- /dev/null
+++ b/man/man8/condor_selinux.8
@@ -0,0 +1,242 @@
@@ -8825,6 +8825,7 @@ index 0000000..a186b3e
+.SH "SEE ALSO"
+selinux(8), condor(8), semanage(8), restorecon(8), chcon(1)
+, setsebool(8)
+\ No newline at end of file
diff --git a/man/man8/consolekit_selinux.8 b/man/man8/consolekit_selinux.8
new file mode 100644
index 0000000..8efe64c
@@ -64086,7 +64087,7 @@ index 7590165..59539e8 100644
+ fs_mounton_fusefs(seunshare_domain)
+')
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index db981df..b0ff71c 100644
+index db981df..414f3e4 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -1,9 +1,10 @@
@@ -64186,7 +64187,7 @@ index db981df..b0ff71c 100644
+/usr/bin/ksh.* -- gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/bin/mksh -- gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/bin/mountpoint -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/bin/pingus -- gen_context(system_u:object_r:bin_t,s0)
++/usr/bin/pingus.* -- gen_context(system_u:object_r:bin_t,s0)
+/usr/bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/bin/yash -- gen_context(system_u:object_r:shell_exec_t,s0)
@@ -64275,27 +64276,29 @@ index db981df..b0ff71c 100644
/usr/lib/[^/]*/run-mozilla\.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
-@@ -251,11 +289,18 @@ ifdef(`distro_gentoo',`
+@@ -251,11 +289,17 @@ ifdef(`distro_gentoo',`
/usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
-/usr/local/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0)
+-/usr/local/Brother(/.*)? gen_context(system_u:object_r:bin_t,s0)
+-/usr/local/Printer(/.*)? gen_context(system_u:object_r:bin_t,s0)
+-/usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/xfce4(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+
-+/usr/local/lib/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0)
- /usr/local/Brother(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/local/Printer(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/usr/local/Brother/(.*/)?inf/brprintconf.* gen_context(system_u:object_r:bin_t,s0)
-+/usr/local/Brother/(.*/)?inf/setup.* gen_context(system_u:object_r:bin_t,s0)
- /usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/Brother(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/Printer(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/Brother/(.*/)?inf/brprintconf.* gen_context(system_u:object_r:bin_t,s0)
++/usr/Brother/(.*/)?inf/setup.* gen_context(system_u:object_r:bin_t,s0)
++/usr/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0)
++
+/usr/sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0)
+/usr/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0)
+/usr/sbin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -271,6 +316,10 @@ ifdef(`distro_gentoo',`
+@@ -271,6 +315,10 @@ ifdef(`distro_gentoo',`
/usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0)
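Review bot: The five new bin_t entries `/usr/Brother(/.*)?`, `/usr/Printer(/.*)?`, `/usr/Brother/(.*/)?inf/brprintconf.*`, `/usr/Brother/(.*/)?inf/setup.*` and `/usr/linuxprinter/filters(/.*)?` look like a mechanical `/usr/local/` → `/usr/` substitution rather than an intended relocation: those paths do not exist in any layout I know of, while the real `/usr/local/Brother`, `/usr/local/Printer` and `/usr/local/linuxprinter/filters` trees, and the `/usr/local/lib/ipsec/.*` line dropped at the top of the hunk, lose their bin_t label. Unless /usr/local is being merged into /usr on rawhide (usrmove only covered /bin, /sbin and /lib* as far as I can tell), third-party printer filters and a locally built IPsec install will fall back to the generic /usr label and a confined caller such as the cups domain will presumably be denied executing them. I would put the `/usr/local/` prefix back on all five new lines and keep `/usr/local/lib/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0)`, adjusting the inner hunk's line counts accordingly.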
@@ -64306,7 +64309,7 @@ index db981df..b0ff71c 100644
/usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/gitolite/hooks/common/update -- gen_context(system_u:object_r:bin_t,s0)
-@@ -290,15 +339,19 @@ ifdef(`distro_gentoo',`
+@@ -290,15 +338,19 @@ ifdef(`distro_gentoo',`
/usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0)
@@ -64327,7 +64330,7 @@ index db981df..b0ff71c 100644
ifdef(`distro_debian',`
/usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0)
-@@ -314,8 +367,12 @@ ifdef(`distro_redhat', `
+@@ -314,8 +366,12 @@ ifdef(`distro_redhat', `
/etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0)
/etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0)
@@ -64340,7 +64343,7 @@ index db981df..b0ff71c 100644
/usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -325,9 +382,11 @@ ifdef(`distro_redhat', `
+@@ -325,9 +381,11 @@ ifdef(`distro_redhat', `
/usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -64352,7 +64355,7 @@ index db981df..b0ff71c 100644
/usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -376,11 +435,14 @@ ifdef(`distro_suse', `
+@@ -376,11 +434,14 @@ ifdef(`distro_suse', `
#
# /var
#
@@ -64368,7 +64371,7 @@ index db981df..b0ff71c 100644
/usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)
/var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0)
-@@ -390,3 +452,12 @@ ifdef(`distro_suse', `
+@@ -390,3 +451,12 @@ ifdef(`distro_suse', `
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -68601,7 +68604,7 @@ index cf04cb5..e43701b 100644
+
+dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index 4429d30..b8f8a82 100644
+index 4429d30..38dcaf6 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
@@ -68691,23 +68694,33 @@ index 4429d30..b8f8a82 100644
/usr/doc(/.*)?/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
-@@ -211,6 +230,7 @@ ifdef(`distro_debian',`
+@@ -202,15 +221,9 @@ ifdef(`distro_debian',`
+ /usr/inclu.e(/.*)? gen_context(system_u:object_r:usr_t,s0)
+
+-/usr/local/\.journal <<none>>
+-
+-/usr/local/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
+-
+-/usr/local/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
+-/usr/local/lost\+found/.* <<none>>
+-
/usr/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/usr/lost\+found/.* <<none>>
+/usr/lib/modules(/.*)? gen_context(system_u:object_r:modules_object_t,s0)
/usr/share/doc(/.*)?/README.* gen_context(system_u:object_r:usr_t,s0)
-@@ -219,7 +239,6 @@ ifdef(`distro_debian',`
+@@ -218,8 +231,6 @@ ifdef(`distro_debian',`
+ /usr/tmp/.* <<none>>
ifndef(`distro_redhat',`
- /usr/local/src(/.*)? gen_context(system_u:object_r:src_t,s0)
+-/usr/local/src(/.*)? gen_context(system_u:object_r:src_t,s0)
-
/usr/src(/.*)? gen_context(system_u:object_r:src_t,s0)
/usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
')
-@@ -235,11 +254,14 @@ ifndef(`distro_redhat',`
+@@ -235,11 +246,14 @@ ifndef(`distro_redhat',`
/var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
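Review bot: The rewritten inner hunk `@@ -202,15 +221,9 @@` now deletes the `/usr/local/etc(/.*)?` etc_t entry and both `/usr/local/lost\+found` lost_found_t/mls_systemhigh entries with no replacement, so everything under /usr/local presumably falls back to the generic /usr rule earlier in files.fc. That relabels locally installed daemon configuration away from etc_t, and on an MLS system where /usr/local is its own filesystem the lost+found directory, which can hold fragments recovered from any level, would no longer be systemhigh. If the intent was only to drop the `(64)?` variants I would keep those lines, e.g. `/usr/local/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)`; if the removal is deliberate the changelog entry should say why, since "systemd fixes" does not explain it.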
@@ -68722,7 +68735,7 @@ index 4429d30..b8f8a82 100644
/var/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/var/lost\+found/.* <<none>>
-@@ -262,3 +284,5 @@ ifndef(`distro_redhat',`
+@@ -262,3 +276,5 @@ ifndef(`distro_redhat',`
ifdef(`distro_debian',`
/var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0)
')
@@ -71831,7 +71844,7 @@ index 7be4ddf..f7021a0 100644
+
+/sys/class/net/ib.* gen_context(system_u:object_r:sysctl_net_t,s0)
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index 4bf45cb..712189d 100644
+index 4bf45cb..9c71d8e 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -267,7 +267,7 @@ interface(`kernel_rw_unix_dgram_sockets',`
@@ -72055,7 +72068,7 @@ index 4bf45cb..712189d 100644
## Unconfined access to kernel module resources.
## </summary>
## <param name="domain">
-@@ -2956,5 +3092,60 @@ interface(`kernel_unconfined',`
+@@ -2956,5 +3092,79 @@ interface(`kernel_unconfined',`
')
typeattribute $1 kern_unconfined;
@@ -72084,6 +72097,25 @@ index 4bf45cb..712189d 100644
+
+########################################
+## <summary>
++## Allow the specified domain to getattr on
++## the kernel with a unix socket.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`kernel_stream_getattr',`
++ gen_require(`
++ type kernel_t;
++ ')
++
++ allow $1 kernel_t:unix_stream_socket getattr;
++')
++
++########################################
++## <summary>
+## Make the specified type usable for regular entries in proc
+## </summary>
+## <param name="type">
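Review bot: The summary of the new `kernel_stream_getattr` interface, `Allow the specified domain to getattr on the kernel with a unix socket`, does not describe what the rule `allow $1 kernel_t:unix_stream_socket getattr;` grants; I would write `Get the attributes of kernel unix stream sockets.`. The name also departs from the verb-then-object convention used elsewhere in this file (`kernel_rw_unix_dgram_sockets` in the hunk above), so `kernel_getattr_unix_stream_sockets` would be the consistent choice if nothing in policy_contrib already calls the current name. Adding a one-line comment saying which systemd component needs this would help the next reader, since the changelog only says "systemd fixes".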
@@ -77489,7 +77521,7 @@ index b17e27a..5c691d1 100644
+ ssh_rw_dgram_sockets(chroot_user_t)
+')
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
-index fc86b7c..3347d48 100644
+index fc86b7c..ba6be42 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -2,13 +2,35 @@
@@ -77507,7 +77539,7 @@ index fc86b7c..3347d48 100644
HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+HOME_DIR/\.Xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
-+HOME_DIR/\.cache/gdm(/.*)? -- gen_context(system_u:object_r:xdm_home_t,s0)
++HOME_DIR/\.cache/gdm(/.*)? gen_context(system_u:object_r:xdm_home_t,s0)
+HOME_DIR/\.xsession-errors.* -- gen_context(system_u:object_r:xdm_home_t,s0)
+HOME_DIR/\.dmrc.* -- gen_context(system_u:object_r:xdm_home_t,s0)
+
@@ -81406,7 +81438,7 @@ index a97a096..e1b5cd8 100644
/var/log/fsck(/.*)? gen_context(system_u:object_r:fsadm_log_t,s0)
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
-index 6c4b6ee..77db743 100644
+index 6c4b6ee..3daf357 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -44,6 +44,8 @@ can_exec(fsadm_t, fsadm_exec_t)
@@ -81444,7 +81476,7 @@ index 6c4b6ee..77db743 100644
mls_file_read_all_levels(fsadm_t)
mls_file_write_all_levels(fsadm_t)
-@@ -133,13 +142,16 @@ storage_raw_write_fixed_disk(fsadm_t)
+@@ -133,21 +142,25 @@ storage_raw_write_fixed_disk(fsadm_t)
storage_raw_read_removable_device(fsadm_t)
storage_raw_write_removable_device(fsadm_t)
storage_read_scsi_generic(fsadm_t)
@@ -81460,8 +81492,9 @@ index 6c4b6ee..77db743 100644
+init_stream_connect(fsadm_t)
logging_send_syslog_msg(fsadm_t)
++logging_stream_connect_syslog(fsadm_t)
-@@ -147,7 +159,7 @@ miscfiles_read_localization(fsadm_t)
+ miscfiles_read_localization(fsadm_t)
seutil_read_config(fsadm_t)
@@ -81470,7 +81503,7 @@ index 6c4b6ee..77db743 100644
ifdef(`distro_redhat',`
optional_policy(`
-@@ -166,6 +178,11 @@ optional_policy(`
+@@ -166,6 +179,11 @@ optional_policy(`
')
optional_policy(`
@@ -81482,7 +81515,7 @@ index 6c4b6ee..77db743 100644
hal_dontaudit_write_log(fsadm_t)
')
-@@ -192,6 +209,10 @@ optional_policy(`
+@@ -192,6 +210,10 @@ optional_policy(`
')
optional_policy(`
@@ -82843,7 +82876,7 @@ index d26fe81..3f3a57f 100644
+ allow $1 init_t:system undefined;
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 5fb9683..671de76 100644
+index 5fb9683..dfa38ad 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -16,6 +16,34 @@ gen_require(`
@@ -83014,7 +83047,7 @@ index 5fb9683..671de76 100644
mcs_process_set_categories(init_t)
mcs_killall(init_t)
-@@ -156,22 +222,41 @@ mls_file_read_all_levels(init_t)
+@@ -156,22 +222,42 @@ mls_file_read_all_levels(init_t)
mls_file_write_all_levels(init_t)
mls_process_write_down(init_t)
mls_fd_use_all_levels(init_t)
@@ -83043,6 +83076,7 @@ index 5fb9683..671de76 100644
+logging_send_audit_msgs(init_t)
logging_rw_generic_logs(init_t)
+logging_relabel_devlog_dev(init_t)
++logging_stream_connect_syslog(init_t)
seutil_read_config(init_t)
+seutil_read_module_store(init_t)
@@ -83057,11 +83091,12 @@ index 5fb9683..671de76 100644
ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap };
-@@ -180,12 +265,14 @@ ifdef(`distro_gentoo',`
+@@ -180,12 +266,15 @@ ifdef(`distro_gentoo',`
')
ifdef(`distro_redhat',`
+ fs_manage_tmpfs_files(init_t)
++ fs_manage_tmpfs_sockets(init_t)
+ fs_exec_tmpfs_files(init_t)
fs_read_tmpfs_symlinks(init_t)
fs_rw_tmpfs_chr_files(init_t)
@@ -83073,7 +83108,7 @@ index 5fb9683..671de76 100644
corecmd_shell_domtrans(init_t, initrc_t)
',`
# Run the shell in the sysadm role for single-user mode.
-@@ -193,16 +280,148 @@ tunable_policy(`init_upstart',`
+@@ -193,16 +282,148 @@ tunable_policy(`init_upstart',`
sysadm_shell_domtrans(init_t)
')
@@ -83224,7 +83259,7 @@ index 5fb9683..671de76 100644
')
optional_policy(`
-@@ -210,6 +429,18 @@ optional_policy(`
+@@ -210,6 +431,18 @@ optional_policy(`
')
optional_policy(`
@@ -83243,7 +83278,7 @@ index 5fb9683..671de76 100644
unconfined_domain(init_t)
')
-@@ -219,8 +450,8 @@ optional_policy(`
+@@ -219,8 +452,8 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -83254,7 +83289,7 @@ index 5fb9683..671de76 100644
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -248,12 +479,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -248,12 +481,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -83270,7 +83305,7 @@ index 5fb9683..671de76 100644
init_write_initctl(initrc_t)
-@@ -265,20 +499,34 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -265,20 +501,34 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -83310,7 +83345,7 @@ index 5fb9683..671de76 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -286,6 +534,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -286,6 +536,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -83318,7 +83353,7 @@ index 5fb9683..671de76 100644
dev_write_kmsg(initrc_t)
dev_write_rand(initrc_t)
dev_write_urand(initrc_t)
-@@ -296,8 +545,10 @@ dev_write_framebuffer(initrc_t)
+@@ -296,8 +547,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@@ -83329,7 +83364,7 @@ index 5fb9683..671de76 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -305,17 +556,16 @@ dev_manage_generic_files(initrc_t)
+@@ -305,17 +558,16 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -83349,7 +83384,7 @@ index 5fb9683..671de76 100644
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
-@@ -323,6 +573,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -323,6 +575,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -83357,7 +83392,7 @@ index 5fb9683..671de76 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
-@@ -330,8 +581,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -330,8 +583,10 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -83369,7 +83404,7 @@ index 5fb9683..671de76 100644
files_delete_all_pids(initrc_t)
files_delete_all_pid_dirs(initrc_t)
files_read_etc_files(initrc_t)
-@@ -347,8 +600,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -347,8 +602,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -83383,7 +83418,7 @@ index 5fb9683..671de76 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -358,9 +615,12 @@ fs_mount_all_fs(initrc_t)
+@@ -358,9 +617,12 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -83397,7 +83432,7 @@ index 5fb9683..671de76 100644
mcs_killall(initrc_t)
mcs_process_set_categories(initrc_t)
-@@ -370,6 +630,7 @@ mls_process_read_up(initrc_t)
+@@ -370,6 +632,7 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -83405,7 +83440,7 @@ index 5fb9683..671de76 100644
selinux_get_enforce_mode(initrc_t)
-@@ -381,6 +642,7 @@ term_use_all_terms(initrc_t)
+@@ -381,6 +644,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -83413,7 +83448,7 @@ index 5fb9683..671de76 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -401,18 +663,17 @@ logging_read_audit_config(initrc_t)
+@@ -401,18 +665,17 @@ logging_read_audit_config(initrc_t)
miscfiles_read_localization(initrc_t)
# slapd needs to read cert files from its initscript
@@ -83435,7 +83470,7 @@ index 5fb9683..671de76 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -465,6 +726,10 @@ ifdef(`distro_gentoo',`
+@@ -465,6 +728,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@@ -83446,7 +83481,7 @@ index 5fb9683..671de76 100644
alsa_read_lib(initrc_t)
')
-@@ -485,7 +750,7 @@ ifdef(`distro_redhat',`
+@@ -485,7 +752,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -83455,7 +83490,7 @@ index 5fb9683..671de76 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -500,6 +765,7 @@ ifdef(`distro_redhat',`
+@@ -500,6 +767,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -83463,7 +83498,7 @@ index 5fb9683..671de76 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -520,6 +786,7 @@ ifdef(`distro_redhat',`
+@@ -520,6 +788,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t)
@@ -83471,7 +83506,7 @@ index 5fb9683..671de76 100644
miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
-@@ -529,8 +796,35 @@ ifdef(`distro_redhat',`
+@@ -529,8 +798,35 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -83507,7 +83542,7 @@ index 5fb9683..671de76 100644
')
optional_policy(`
-@@ -538,14 +832,27 @@ ifdef(`distro_redhat',`
+@@ -538,14 +834,27 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -83535,7 +83570,7 @@ index 5fb9683..671de76 100644
')
')
-@@ -556,6 +863,39 @@ ifdef(`distro_suse',`
+@@ -556,6 +865,39 @@ ifdef(`distro_suse',`
')
')
@@ -83575,7 +83610,7 @@ index 5fb9683..671de76 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -568,6 +908,8 @@ optional_policy(`
+@@ -568,6 +910,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -83584,7 +83619,7 @@ index 5fb9683..671de76 100644
')
optional_policy(`
-@@ -589,6 +931,7 @@ optional_policy(`
+@@ -589,6 +933,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -83592,7 +83627,7 @@ index 5fb9683..671de76 100644
')
optional_policy(`
-@@ -601,6 +944,17 @@ optional_policy(`
+@@ -601,6 +946,17 @@ optional_policy(`
')
optional_policy(`
@@ -83610,7 +83645,7 @@ index 5fb9683..671de76 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -617,9 +971,13 @@ optional_policy(`
+@@ -617,9 +973,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -83624,7 +83659,7 @@ index 5fb9683..671de76 100644
')
optional_policy(`
-@@ -644,6 +1002,10 @@ optional_policy(`
+@@ -644,6 +1004,10 @@ optional_policy(`
')
optional_policy(`
@@ -83635,7 +83670,7 @@ index 5fb9683..671de76 100644
gpm_setattr_gpmctl(initrc_t)
')
-@@ -661,6 +1023,15 @@ optional_policy(`
+@@ -661,6 +1025,15 @@ optional_policy(`
')
optional_policy(`
@@ -83651,7 +83686,7 @@ index 5fb9683..671de76 100644
inn_exec_config(initrc_t)
')
-@@ -701,6 +1072,7 @@ optional_policy(`
+@@ -701,6 +1074,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@@ -83659,7 +83694,7 @@ index 5fb9683..671de76 100644
')
optional_policy(`
-@@ -718,7 +1090,13 @@ optional_policy(`
+@@ -718,7 +1092,13 @@ optional_policy(`
')
optional_policy(`
@@ -83673,7 +83708,7 @@ index 5fb9683..671de76 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -741,6 +1119,10 @@ optional_policy(`
+@@ -741,6 +1121,10 @@ optional_policy(`
')
optional_policy(`
@@ -83684,7 +83719,7 @@ index 5fb9683..671de76 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -750,10 +1132,20 @@ optional_policy(`
+@@ -750,10 +1134,20 @@ optional_policy(`
')
optional_policy(`
@@ -83705,7 +83740,7 @@ index 5fb9683..671de76 100644
quota_manage_flags(initrc_t)
')
-@@ -762,6 +1154,10 @@ optional_policy(`
+@@ -762,6 +1156,10 @@ optional_policy(`
')
optional_policy(`
@@ -83716,7 +83751,7 @@ index 5fb9683..671de76 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -783,8 +1179,6 @@ optional_policy(`
+@@ -783,8 +1181,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -83725,7 +83760,7 @@ index 5fb9683..671de76 100644
')
optional_policy(`
-@@ -793,6 +1187,10 @@ optional_policy(`
+@@ -793,6 +1189,10 @@ optional_policy(`
')
optional_policy(`
@@ -83736,7 +83771,7 @@ index 5fb9683..671de76 100644
# shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t)
')
-@@ -802,10 +1200,12 @@ optional_policy(`
+@@ -802,10 +1202,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@@ -83749,7 +83784,7 @@ index 5fb9683..671de76 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -817,7 +1217,6 @@ optional_policy(`
+@@ -817,7 +1219,6 @@ optional_policy(`
')
optional_policy(`
@@ -83757,7 +83792,7 @@ index 5fb9683..671de76 100644
udev_manage_pid_files(initrc_t)
udev_manage_rules_files(initrc_t)
')
-@@ -827,12 +1226,30 @@ optional_policy(`
+@@ -827,12 +1228,30 @@ optional_policy(`
')
optional_policy(`
@@ -83790,7 +83825,7 @@ index 5fb9683..671de76 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -842,6 +1259,18 @@ optional_policy(`
+@@ -842,6 +1261,18 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -83809,7 +83844,7 @@ index 5fb9683..671de76 100644
')
optional_policy(`
-@@ -857,6 +1286,10 @@ optional_policy(`
+@@ -857,6 +1288,10 @@ optional_policy(`
')
optional_policy(`
@@ -83820,7 +83855,7 @@ index 5fb9683..671de76 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -867,3 +1300,165 @@ optional_policy(`
+@@ -867,3 +1302,165 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -83987,10 +84022,10 @@ index 5fb9683..671de76 100644
+#')
+
diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
-index ec85acb..1135ebc 100644
+index ec85acb..662e79b 100644
--- a/policy/modules/system/ipsec.fc
+++ b/policy/modules/system/ipsec.fc
-@@ -27,10 +27,10 @@
+@@ -27,11 +27,6 @@
/usr/libexec/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0)
/usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
@@ -83998,13 +84033,10 @@ index ec85acb..1135ebc 100644
-/usr/local/lib(64)?/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0)
-/usr/local/lib(64)?/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0)
-/usr/local/lib(64)?/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0)
-+/usr/local/lib/ipsec/eroute -- gen_context(system_u:object_r:ipsec_exec_t,s0)
-+/usr/local/lib/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0)
-+/usr/local/lib/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0)
-+/usr/local/lib/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0)
-
+-
/usr/sbin/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
/usr/sbin/racoon -- gen_context(system_u:object_r:racoon_exec_t,s0)
+ /usr/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0)
diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if
index 0d4c8d3..9d66bf7 100644
--- a/policy/modules/system/ipsec.if
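Review bot: With the `/usr/local/lib/ipsec/*` replacement lines dropped, the inner hunk now removes the ipsec_exec_t labels for eroute, klipsdebug, pluto and spi under /usr/local/lib/ipsec without substituting anything, so a locally built install falls back to the default /usr label. Started through `ipsec` (ipsec_mgmt_t) such a pluto would then either be denied, if the caller cannot execute that label, or run in the caller's domain instead of transitioning to ipsec_t; I cannot tell from here which applies, but neither is the intended confinement. Unless /usr/local is being merged into /usr, I would keep `/usr/local/lib/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0)` and its three siblings; the parallel `/usr/local/lib/ipsec/.*` bin_t line in corecommands.fc is removed by this commit as well.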
@@ -84458,7 +84490,7 @@ index 0646ee7..36e02fa 100644
')
diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
-index ef8bbaf..6721637 100644
+index ef8bbaf..49286ec 100644
--- a/policy/modules/system/libraries.fc
+++ b/policy/modules/system/libraries.fc
@@ -28,14 +28,17 @@ ifdef(`distro_redhat',`
@@ -84504,7 +84536,7 @@ index ef8bbaf..6721637 100644
/usr/(.*/)?/HelixPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -111,9 +119,8 @@ ifdef(`distro_redhat',`
+@@ -111,12 +119,12 @@ ifdef(`distro_redhat',`
/usr/(.*/)?java/.+\.jsa -- gen_context(system_u:object_r:lib_t,s0)
/usr/(.*/)?lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
@@ -84515,7 +84547,11 @@ index ef8bbaf..6721637 100644
/usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -140,6 +147,7 @@ ifdef(`distro_redhat',`
++/usr/lib/(sse2/)?libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/altivec/libavcodec\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/cedega/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/vlc/video_chroma/libi420_rgb_mmx_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+@@ -140,6 +148,7 @@ ifdef(`distro_redhat',`
/usr/lib/ati-fglrx/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/fglrx/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
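Review bot: The added `/usr/lib/(sse2/)?libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)` duplicates the entry that the later hunk in this file rewrites to exactly the same regex and context (the former `/usr/(local/)?lib(64)?/(sse2/)?libfame-.*\.so.*` line). Two identical rules are harmless for labeling but add noise to file_contexts and to every future grep; I would keep only one of them.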
@@ -84523,27 +84559,76 @@ index ef8bbaf..6721637 100644
/usr/lib/sse2/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -151,8 +159,8 @@ ifdef(`distro_redhat',`
+@@ -150,9 +159,9 @@ ifdef(`distro_redhat',`
+ /usr/lib/nvidia/libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/xorg/modules/glesx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/(local/)?.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0)
+-/usr/(local/)?.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0)
-/usr/(local/)?lib(64)?/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/(local/)?lib(64)?/(sse2/)?libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/(local/)?lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/(local/)?lib/(sse2/)?libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0)
++/usr/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/(sse2/)?libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/NX/lib/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/NX/lib/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -244,8 +252,6 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_
+@@ -181,6 +190,8 @@ ifdef(`distro_redhat',`
+ # Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
+ # HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
+ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/(.*/)?nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/allegro/(.*/)?alleg-vga\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/firefox-[^/]*/extensions(/.*)?/libqfaservices.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/firefox-[^/]*/plugins/nppdf.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+@@ -240,14 +251,10 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_
+
+ # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
+ /usr/lib.*/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/local(/.*)?/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/local/lib/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/local/lib/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-HOME_DIR/.*/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/.*/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/local/(.*/)?nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-
-@@ -299,17 +305,153 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
+-/usr/local/(.*/)?nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+ # Jai, Sun Microsystems (Jpackage SPRM)
+ /usr/lib/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+@@ -269,20 +276,19 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
+
+ # Java, Sun Microsystems (JPackage SRPM)
+ /usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/local/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+-/usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/(local/)?Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+-/usr/(local/)?acroread/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/(local/)?Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/(local/)?acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/(local/)?Adobe/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/(local/)?lib/xchat/plugins/systray\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/(local/)?matlab.*/bin/glnx86/libmwlapack\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/(local/)?matlab.*/bin/glnx86/(libmw(lapack|mathutil|services)|lapack|libmkl)\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/(local/)?matlab.*/sys/os/glnx86/libtermcap\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/acroread/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/Adobe/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/xchat/plugins/systray\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/matlab.*/bin/glnx86/libmwlapack\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/matlab.*/bin/glnx86/(libmw(lapack|mathutil|services)|lapack|libmkl)\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/matlab.*/sys/os/glnx86/libtermcap\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+ /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+@@ -299,17 +305,151 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
#
/var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0)
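Review bot: Several rewritten textrel_shlib_t entries in this hunk point at paths that cannot exist — `/usr/libmpg123\.so(\.[^/]*)*` (added once next to `nppdf` and again in the Livna block), `/usr/Adobe/...`, `/usr/acroread/...`, `/usr/matlab.*/...` — while their `/usr/local/...` originals are deleted, which again looks like a blanket `/usr/local/` → `/usr/` substitution. Libraries actually installed under /usr/local that need text relocations, including the `/usr/local/lib/wine` and `/usr/local/lib/codecs/drv*` cases whose entries go away here, will now match the new catch-all `/usr/.*\.so(\.[^/]*)* -- lib_t` instead and, with allow_execmod off, presumably fail to load with an execmod denial. I would restore the original prefixes, e.g. `/usr/local(/.*)?/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)`, and drop the second `/usr/libmpg123` line.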
@@ -84588,7 +84673,7 @@ index ef8bbaf..6721637 100644
+
+/usr/lib/sse2/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/i686/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/local/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/googleearth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -84609,9 +84694,8 @@ index ef8bbaf..6721637 100644
+/opt/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/local/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/local/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
+
-+/usr/local/Zend/lib/ZendExtensionManager\.so gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/Zend/lib/ZendExtensionManager\.so gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib/libcncpmslld328\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
+
@@ -84639,7 +84723,6 @@ index ef8bbaf..6721637 100644
+/usr/lib/libmpeg2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib/.*/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/local/(.*/)?libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+ifdef(`fixed',`
+/usr/lib/libavfilter\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -84672,10 +84755,10 @@ index ef8bbaf..6721637 100644
+/opt/VirtualBox(/.*)?/VBox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib/chromium-browser/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/local/zend/lib/apache2/libphp5\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/zend/lib/apache2/libphp5\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib/python.*/site-packages/pymedia/muxer\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/local/games/darwinia/lib/libSDL.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/games/darwinia/lib/libSDL.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib/octagaplayer/libapplication\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/AutoScan/usr/lib/libvte\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -85181,7 +85264,7 @@ index 9fd5be7..226328b 100644
- nscd_socket_use(sulogin_t)
-')
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
-index 02f4c97..debdd69 100644
+index 02f4c97..be8c9a1 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -6,6 +6,8 @@
@@ -85203,7 +85286,7 @@ index 02f4c97..debdd69 100644
+/usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+/usr/lib/systemd/systemd-kmsg-syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+
-+/usr/local/centreon/log(/.*)? gen_context(system_u:object_r:var_log_t,s0)
++/usr/centreon/log(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
+/usr/sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0)
+/usr/sbin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0)
@@ -85613,7 +85696,7 @@ index 321bb13..7b4e560 100644
+ init_named_pid_filetrans($1, syslogd_var_run_t, dir, "journal")
+')
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 92555db..3637166 100644
+index 92555db..6970a23 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -5,6 +5,20 @@ policy_module(logging, 1.18.2)
@@ -85800,7 +85883,7 @@ index 92555db..3637166 100644
# Allow access for syslog-ng
allow syslogd_t var_log_t:dir { create setattr };
-@@ -386,9 +430,15 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+@@ -386,13 +430,20 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
@@ -85816,7 +85899,12 @@ index 92555db..3637166 100644
# manage pid file
manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
-@@ -401,7 +451,10 @@ kernel_read_messages(syslogd_t)
+
++kernel_stream_getattr(syslogd_t)
+ kernel_read_system_state(syslogd_t)
+ kernel_read_kernel_sysctls(syslogd_t)
+ kernel_read_proc_symlinks(syslogd_t)
+@@ -401,7 +452,10 @@ kernel_read_messages(syslogd_t)
kernel_clear_ring_buffer(syslogd_t)
kernel_change_ring_buffer_level(syslogd_t)
@@ -85828,7 +85916,7 @@ index 92555db..3637166 100644
corenet_all_recvfrom_netlabel(syslogd_t)
corenet_udp_sendrecv_generic_if(syslogd_t)
corenet_udp_sendrecv_generic_node(syslogd_t)
-@@ -427,10 +480,27 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
+@@ -427,10 +481,27 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
corenet_sendrecv_postgresql_client_packets(syslogd_t)
corenet_sendrecv_mysqld_client_packets(syslogd_t)
@@ -85856,7 +85944,7 @@ index 92555db..3637166 100644
files_read_etc_files(syslogd_t)
files_read_usr_files(syslogd_t)
-@@ -448,7 +518,9 @@ mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and
+@@ -448,7 +519,9 @@ mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and
term_write_console(syslogd_t)
# Allow syslog to a terminal
term_write_unallocated_ttys(syslogd_t)
@@ -85866,7 +85954,7 @@ index 92555db..3637166 100644
# for sending messages to logged in users
init_read_utmp(syslogd_t)
init_dontaudit_write_utmp(syslogd_t)
-@@ -460,6 +532,7 @@ init_use_fds(syslogd_t)
+@@ -460,6 +533,7 @@ init_use_fds(syslogd_t)
# cjp: this doesnt make sense
logging_send_syslog_msg(syslogd_t)
@@ -85874,7 +85962,7 @@ index 92555db..3637166 100644
miscfiles_read_localization(syslogd_t)
-@@ -493,15 +566,29 @@ optional_policy(`
+@@ -493,15 +567,29 @@ optional_policy(`
')
optional_policy(`
@@ -86335,7 +86423,7 @@ index 7b6bcb9..61aa1ce 100644
')
diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
-index fe3427d..88fc786 100644
+index fe3427d..242ed4e 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
@@ -9,8 +9,9 @@ ifdef(`distro_gentoo',`
@@ -86349,6 +86437,18 @@ index fe3427d..88fc786 100644
/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
/etc/timezone -- gen_context(system_u:object_r:locale_t,s0)
+@@ -36,11 +37,6 @@ ifdef(`distro_redhat',`
+
+ /usr/lib/perl5/man(/.*)? gen_context(system_u:object_r:man_t,s0)
+
+-/usr/local/man(/.*)? gen_context(system_u:object_r:man_t,s0)
+-/usr/local/share/man(/.*)? gen_context(system_u:object_r:man_t,s0)
+-
+-/usr/local/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
+-
+ /usr/man(/.*)? gen_context(system_u:object_r:man_t,s0)
+
+ /usr/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
index 926ba65..b2a1675 100644
--- a/policy/modules/system/miscfiles.if
@@ -90228,10 +90328,10 @@ index 0000000..40fe8f5
+
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..93c10a9
+index 0000000..62163a7
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,439 @@
+@@ -0,0 +1,443 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -90372,6 +90472,7 @@ index 0000000..93c10a9
+init_rw_stream_sockets(systemd_logind_t)
+
+logging_send_syslog_msg(systemd_logind_t)
++logging_stream_connect_syslog(systemd_logind_t)
+
+miscfiles_read_localization(systemd_logind_t)
+
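Review bot: `logging_stream_connect_syslog(systemd_logind_t)` grants connectto on syslogd's unix stream socket on top of the dgram send already covered by `logging_send_syslog_msg` on the line above, and this commit adds the same pair to systemd_passwd_agent_t, systemd_tmpfiles_t, systemd_logger_t and udev_t. If the reason is that the journal now answers /dev/log on a stream socket (not shown here), every syslog client will need it and the call belongs inside logging_send_syslog_msg() rather than being repeated domain by domain; if it is specific to these helpers, a one-line comment naming the socket they connect to, e.g. `# connects to the journald stream socket, dgram send is not enough`, keeps the extra privilege from being copied further. The systemd_logind_t rule block continues outside this hunk.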
@@ -90453,6 +90554,7 @@ index 0000000..93c10a9
+init_stream_connect(systemd_passwd_agent_t)
+
+logging_send_syslog_msg(systemd_passwd_agent_t)
++logging_stream_connect_syslog(systemd_passwd_agent_t)
+
+miscfiles_read_localization(systemd_passwd_agent_t)
+
@@ -90540,6 +90642,7 @@ index 0000000..93c10a9
+
+logging_create_devlog_dev(systemd_tmpfiles_t)
+logging_send_syslog_msg(systemd_tmpfiles_t)
++logging_stream_connect_syslog(systemd_tmpfiles_t)
+
+miscfiles_filetrans_named_content(systemd_tmpfiles_t)
+miscfiles_manage_man_pages(systemd_tmpfiles_t)
@@ -90649,6 +90752,7 @@ index 0000000..93c10a9
+init_write_pid_socket(systemd_logger_t)
+
+logging_send_syslog_msg(systemd_logger_t)
++logging_stream_connect_syslog(systemd_logger_t)
+
+miscfiles_read_localization(systemd_logger_t)
+
@@ -90940,7 +91044,7 @@ index 025348a..d7b15a4 100644
+')
+
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index cf279df..5cd1cf1 100644
+index cf279df..44ade49 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -17,14 +17,12 @@ init_daemon_domain(udev_t, udev_exec_t)
@@ -91067,7 +91171,7 @@ index cf279df..5cd1cf1 100644
mls_file_read_all_levels(udev_t)
mls_file_write_all_levels(udev_t)
-@@ -143,6 +156,7 @@ auth_use_nsswitch(udev_t)
+@@ -143,10 +156,12 @@ auth_use_nsswitch(udev_t)
init_read_utmp(udev_t)
init_dontaudit_write_utmp(udev_t)
init_getattr_initctl(udev_t)
@@ -91075,7 +91179,12 @@ index cf279df..5cd1cf1 100644
logging_search_logs(udev_t)
logging_send_syslog_msg(udev_t)
-@@ -154,6 +168,8 @@ miscfiles_read_hwdata(udev_t)
+ logging_send_audit_msgs(udev_t)
++logging_stream_connect_syslog(udev_t)
+
+ miscfiles_read_localization(udev_t)
+ miscfiles_read_hwdata(udev_t)
+@@ -154,6 +169,8 @@ miscfiles_read_hwdata(udev_t)
modutils_domtrans_insmod(udev_t)
# read modules.inputmap:
modutils_read_module_deps(udev_t)
@@ -91084,7 +91193,7 @@ index cf279df..5cd1cf1 100644
seutil_read_config(udev_t)
seutil_read_default_contexts(udev_t)
-@@ -169,6 +185,8 @@ sysnet_signal_dhcpc(udev_t)
+@@ -169,6 +186,8 @@ sysnet_signal_dhcpc(udev_t)
sysnet_manage_config(udev_t)
sysnet_etc_filetrans_config(udev_t)
@@ -91093,7 +91202,7 @@ index cf279df..5cd1cf1 100644
userdom_dontaudit_search_user_home_content(udev_t)
ifdef(`distro_gentoo',`
-@@ -178,16 +196,9 @@ ifdef(`distro_gentoo',`
+@@ -178,16 +197,9 @@ ifdef(`distro_gentoo',`
')
ifdef(`distro_redhat',`
@@ -91112,7 +91221,7 @@ index cf279df..5cd1cf1 100644
# for arping used for static IP addresses on PCMCIA ethernet
netutils_domtrans(udev_t)
-@@ -216,11 +227,16 @@ optional_policy(`
+@@ -216,11 +228,16 @@ optional_policy(`
')
optional_policy(`
@@ -91129,7 +91238,7 @@ index cf279df..5cd1cf1 100644
')
optional_policy(`
-@@ -230,10 +246,20 @@ optional_policy(`
+@@ -230,10 +247,20 @@ optional_policy(`
optional_policy(`
devicekit_read_pid_files(udev_t)
devicekit_dgram_send(udev_t)
@@ -91150,7 +91259,7 @@ index cf279df..5cd1cf1 100644
')
optional_policy(`
-@@ -259,6 +285,10 @@ optional_policy(`
+@@ -259,6 +286,10 @@ optional_policy(`
')
optional_policy(`
@@ -91161,7 +91270,7 @@ index cf279df..5cd1cf1 100644
openct_read_pid_files(udev_t)
openct_domtrans(udev_t)
')
-@@ -273,6 +303,11 @@ optional_policy(`
+@@ -273,6 +304,11 @@ optional_policy(`
')
optional_policy(`
@@ -91173,7 +91282,7 @@ index cf279df..5cd1cf1 100644
unconfined_signal(udev_t)
')
-@@ -285,6 +320,7 @@ optional_policy(`
+@@ -285,6 +321,7 @@ optional_policy(`
kernel_read_xen_state(udev_t)
xen_manage_log(udev_t)
xen_read_image_files(udev_t)
diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch
index dc3dbcd..b7ccac6 100644
--- a/policy_contrib-rawhide.patch
+++ b/policy_contrib-rawhide.patch
@@ -4742,7 +4742,7 @@ index 61c74bc..17b3ecc 100644
+ allow $1 avahi_unit_file_t:service all_service_perms;
')
diff --git a/avahi.te b/avahi.te
-index a7a0e71..65bbd77 100644
+index a7a0e71..258486d 100644
--- a/avahi.te
+++ b/avahi.te
@@ -17,6 +17,10 @@ files_pid_file(avahi_var_lib_t)
@@ -4769,15 +4769,17 @@ index a7a0e71..65bbd77 100644
corenet_all_recvfrom_netlabel(avahi_t)
corenet_tcp_sendrecv_generic_if(avahi_t)
corenet_udp_sendrecv_generic_if(avahi_t)
-@@ -74,7 +78,6 @@ fs_list_inotifyfs(avahi_t)
+@@ -73,8 +77,8 @@ fs_search_auto_mountpoints(avahi_t)
+ fs_list_inotifyfs(avahi_t)
domain_use_interactive_fds(avahi_t)
++domain_dontaudit_signull_all_domains(avahi_t)
-files_read_etc_files(avahi_t)
files_read_etc_runtime_files(avahi_t)
files_read_usr_files(avahi_t)
-@@ -92,6 +95,8 @@ sysnet_domtrans_ifconfig(avahi_t)
+@@ -92,6 +96,8 @@ sysnet_domtrans_ifconfig(avahi_t)
sysnet_manage_config(avahi_t)
sysnet_etc_filetrans_config(avahi_t)
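Review bot: `domain_dontaudit_signull_all_domains(avahi_t)` suppresses signull denials against every domain on the system, so whichever process avahi-daemon is actually probing no longer appears in the audit log, and a real requirement (a kill(pid, 0) liveness check) would fail silently instead of visibly. If the denial that motivated this was against one specific domain, a targeted dontaudit for that domain keeps the rest observable. Either way the line needs a why-comment such as `# avahi-daemon probes other processes with kill(pid, 0); dontaudit rather than allow` — the triggering denial is not part of the commit, so this is inferred from the interface name alone.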
@@ -4786,7 +4788,7 @@ index a7a0e71..65bbd77 100644
userdom_dontaudit_use_unpriv_user_fds(avahi_t)
userdom_dontaudit_search_user_home_dirs(avahi_t)
-@@ -104,6 +109,10 @@ optional_policy(`
+@@ -104,6 +110,10 @@ optional_policy(`
')
optional_policy(`
@@ -13551,7 +13553,7 @@ index 0000000..284fbae
+ sysnet_domtrans_ifconfig(ctdbd_t)
+')
diff --git a/cups.fc b/cups.fc
-index 848bb92..306cd8e 100644
+index 848bb92..624fc09 100644
--- a/cups.fc
+++ b/cups.fc
@@ -19,7 +19,10 @@
@@ -13586,9 +13588,9 @@ index 848bb92..306cd8e 100644
/var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0)
/var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+
-+/usr/local/Brother/fax/.*\.log.* gen_context(system_u:object_r:cupsd_log_t,s0)
-+/usr/local/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-+/usr/local/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/usr/Brother/fax/.*\.log.* gen_context(system_u:object_r:cupsd_log_t,s0)
++/usr/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/usr/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
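Review bot: `/usr/local/linuxprinter/ppd(/.*)?` at the bottom of this hunk keeps its `/usr/local/` prefix while the three Brother/Printer entries just above it lose theirs, and lpd.fc in this same commit rewrites `/usr/local/linuxprinter/bin/l?lpr` to `/usr/linuxprinter/bin/l?lpr`. If `/usr/local` is collapsed to `/usr` at lookup time (which is presumably why the other prefixes are being dropped), the ppd entry is now dead and that directory ends up with the generic /usr label instead of cupsd_rw_etc_t, so cupsd can no longer write its PPDs there. Make it consistent: `/usr/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)`.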
@@ -25918,6 +25920,19 @@ index 53e53ca..92520eb 100644
+miscfiles_read_localization(jabberd_domain)
+
+sysnet_read_config(jabberd_domain)
+diff --git a/java.fc b/java.fc
+index 72f3df0..43b488f 100644
+--- a/java.fc
++++ b/java.fc
+@@ -28,8 +28,6 @@
+ /usr/lib/opera(/.*)?/opera -- gen_context(system_u:object_r:java_exec_t,s0)
+ /usr/lib/opera(/.*)?/works -- gen_context(system_u:object_r:java_exec_t,s0)
+
+-/usr/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
+-
+ /usr/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
+
+ ifdef(`distro_redhat',`
diff --git a/java.te b/java.te
index 95771f4..9d7f599 100644
--- a/java.te
@@ -26864,9 +26879,27 @@ index 0c52f60..a085fbd 100644
optional_policy(`
diff --git a/kerberos.fc b/kerberos.fc
-index 3525d24..ad19527 100644
+index 3525d24..de533f9 100644
--- a/kerberos.fc
+++ b/kerberos.fc
+@@ -13,13 +13,13 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
+ /etc/rc\.d/init\.d/krb524d -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
+
+-/usr/(local/)?(kerberos/)?sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
+-/usr/(local/)?(kerberos/)?sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
++/usr/(kerberos/)?sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
++/usr/(kerberos/)?sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
+ /usr/kerberos/sbin/kadmin\.local -- gen_context(system_u:object_r:kadmind_exec_t,s0)
+ /usr/kerberos/sbin/kpropd -- gen_context(system_u:object_r:kpropd_exec_t,s0)
+
+-/usr/local/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
+-/usr/local/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
++/usr/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
++/usr/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
+
+ /var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
+ /var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0)
@@ -27,7 +27,15 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
/var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
/var/kerberos/krb5kdc/principal.*\.ok gen_context(system_u:object_r:krb5kdc_lock_t,s0)
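Review bot: The rewritten entries `/usr/(kerberos/)?sbin/krb5kdc` and `/usr/var/krb5kdc(/.*)?` drop the `/usr/local/` alternative that covered a from-source MIT Kerberos build, whose default localstatedir puts the KDC database under `/usr/local/var/krb5kdc`; `/usr/var/krb5kdc` is not a path any packaging uses, so the new lines only work if file-context lookup maps `/usr/local` onto `/usr` (presumably via file_contexts.subs_dist, which this commit does not show). If that substitution is absent, the principal database loses krb5kdc_principal_t and falls back to the generic /usr label, which any domain granted files_read_usr_files() can read — and that database holds every principal's keys. A comment in kerberos.fc would stop the next reader from "correcting" the path, e.g. `# /usr/local is mapped to /usr by file_contexts.subs_dist; these cover /usr/local/var/krb5kdc`.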
@@ -29116,7 +29149,7 @@ index 572b5db..1e55f43 100644
+userdom_use_inherited_user_terminals(lockdev_t)
+
diff --git a/logrotate.te b/logrotate.te
-index 7090dae..0b9e946 100644
+index 7090dae..ea589dd 100644
--- a/logrotate.te
+++ b/logrotate.te
@@ -29,9 +29,7 @@ files_type(logrotate_var_lib_t)
@@ -29178,12 +29211,13 @@ index 7090dae..0b9e946 100644
# cjp: why is this needed?
init_domtrans_script(logrotate_t)
-@@ -116,17 +118,17 @@ miscfiles_read_localization(logrotate_t)
+@@ -116,17 +118,18 @@ miscfiles_read_localization(logrotate_t)
seutil_dontaudit_read_config(logrotate_t)
-userdom_use_user_terminals(logrotate_t)
+systemd_exec_systemctl(logrotate_t)
++systemd_getattr_unit_files(logrotate_t)
+init_stream_connect(logrotate_t)
+
+userdom_use_inherited_user_terminals(logrotate_t)
@@ -29203,7 +29237,7 @@ index 7090dae..0b9e946 100644
# for savelog
can_exec(logrotate_t, logrotate_exec_t)
-@@ -138,7 +140,7 @@ ifdef(`distro_debian', `
+@@ -138,7 +141,7 @@ ifdef(`distro_debian', `
')
optional_policy(`
@@ -29212,7 +29246,7 @@ index 7090dae..0b9e946 100644
')
optional_policy(`
-@@ -154,6 +156,10 @@ optional_policy(`
+@@ -154,6 +157,10 @@ optional_policy(`
')
optional_policy(`
@@ -29223,7 +29257,7 @@ index 7090dae..0b9e946 100644
asterisk_domtrans(logrotate_t)
')
-@@ -162,10 +168,20 @@ optional_policy(`
+@@ -162,10 +169,20 @@ optional_policy(`
')
optional_policy(`
@@ -29244,7 +29278,7 @@ index 7090dae..0b9e946 100644
cups_domtrans(logrotate_t)
')
-@@ -178,6 +194,10 @@ optional_policy(`
+@@ -178,6 +195,10 @@ optional_policy(`
')
optional_policy(`
@@ -29255,7 +29289,7 @@ index 7090dae..0b9e946 100644
icecast_signal(logrotate_t)
')
-@@ -194,15 +214,19 @@ optional_policy(`
+@@ -194,15 +215,19 @@ optional_policy(`
')
optional_policy(`
@@ -29276,7 +29310,7 @@ index 7090dae..0b9e946 100644
optional_policy(`
samba_exec_log(logrotate_t)
-@@ -228,3 +252,14 @@ optional_policy(`
+@@ -228,3 +253,14 @@ optional_policy(`
optional_policy(`
varnishd_manage_log(logrotate_t)
')
@@ -29409,9 +29443,18 @@ index 75ce30f..7f05283 100644
+ cron_use_system_job_fds(logwatch_mail_t)
+')
diff --git a/lpd.fc b/lpd.fc
-index 5c9eb68..ca4fd2b 100644
+index 5c9eb68..e4f3c24 100644
--- a/lpd.fc
+++ b/lpd.fc
+@@ -24,7 +24,7 @@
+ /usr/sbin/lpinfo -- gen_context(system_u:object_r:lpr_exec_t,s0)
+ /usr/sbin/lpmove -- gen_context(system_u:object_r:lpr_exec_t,s0)
+
+-/usr/local/linuxprinter/bin/l?lpr -- gen_context(system_u:object_r:lpr_exec_t,s0)
++/usr/linuxprinter/bin/l?lpr -- gen_context(system_u:object_r:lpr_exec_t,s0)
+
+ /usr/share/printconf/.* -- gen_context(system_u:object_r:printconf_t,s0)
+
@@ -35,3 +35,4 @@
/var/spool/cups-pdf(/.*)? gen_context(system_u:object_r:print_spool_t,mls_systemhigh)
/var/spool/lpd(/.*)? gen_context(system_u:object_r:print_spool_t,s0)
@@ -32973,7 +33016,7 @@ index afa18c8..f6e2bb8 100644
+/var/spool/mqueue\.in(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
diff --git a/mta.if b/mta.if
-index 4e2a5ba..68e2429 100644
+index 4e2a5ba..c3643f0 100644
--- a/mta.if
+++ b/mta.if
@@ -37,6 +37,7 @@ interface(`mta_stub',`
@@ -33127,7 +33170,7 @@ index 4e2a5ba..68e2429 100644
########################################
## <summary>
## Make the specified type by a system MTA.
-@@ -306,10 +257,11 @@ interface(`mta_mailserver_sender',`
+@@ -306,10 +257,15 @@ interface(`mta_mailserver_sender',`
interface(`mta_mailserver_delivery',`
gen_require(`
attribute mailserver_delivery;
@@ -33137,10 +33180,14 @@ index 4e2a5ba..68e2429 100644
typeattribute $1 mailserver_delivery;
+
+ userdom_home_manager($1)
++
++ optional_policy(`
++ mta_rw_delivery_tcp_sockets($1)
++ ')
')
#######################################
-@@ -393,12 +345,19 @@ interface(`mta_send_mail',`
+@@ -393,12 +349,19 @@ interface(`mta_send_mail',`
#
interface(`mta_sendmail_domtrans',`
gen_require(`
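Review bot: The new `mta_rw_delivery_tcp_sockets($1)` call is wrapped in `optional_policy()`, but the interface is defined in this same file (mta.if, later in this patch), so the wrapper never excludes anything and only obscures that the grant is unconditional. Combined with the `typeattribute $1 mailserver_delivery` just above it, the rule expands to every delivery domain reading and writing the TCP sockets of every other delivery domain, not just the MTA that spawned a given agent. If this is for the client connection inherited across the MTA-to-delivery-agent exec, say so and drop the wrapper: `# delivery agents inherit the client TCP socket from the MTA that execs them` followed by `mta_rw_delivery_tcp_sockets($1)`. The interface header of mta_mailserver_delivery is in the preceding hunk, so only its tail is visible here.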
@@ -33162,7 +33209,7 @@ index 4e2a5ba..68e2429 100644
')
########################################
-@@ -411,7 +370,6 @@ interface(`mta_sendmail_domtrans',`
+@@ -411,7 +374,6 @@ interface(`mta_sendmail_domtrans',`
## </summary>
## </param>
#
@@ -33170,7 +33217,7 @@ index 4e2a5ba..68e2429 100644
interface(`mta_signal_system_mail',`
gen_require(`
type system_mail_t;
-@@ -422,6 +380,60 @@ interface(`mta_signal_system_mail',`
+@@ -422,6 +384,60 @@ interface(`mta_signal_system_mail',`
########################################
## <summary>
@@ -33231,7 +33278,7 @@ index 4e2a5ba..68e2429 100644
## Execute sendmail in the caller domain.
## </summary>
## <param name="domain">
-@@ -440,6 +452,26 @@ interface(`mta_sendmail_exec',`
+@@ -440,6 +456,26 @@ interface(`mta_sendmail_exec',`
########################################
## <summary>
@@ -33258,7 +33305,7 @@ index 4e2a5ba..68e2429 100644
## Read mail server configuration.
## </summary>
## <param name="domain">
-@@ -496,6 +528,7 @@ interface(`mta_read_aliases',`
+@@ -496,6 +532,7 @@ interface(`mta_read_aliases',`
files_search_etc($1)
allow $1 etc_aliases_t:file read_file_perms;
@@ -33266,7 +33313,7 @@ index 4e2a5ba..68e2429 100644
')
########################################
-@@ -534,7 +567,7 @@ interface(`mta_etc_filetrans_aliases',`
+@@ -534,7 +571,7 @@ interface(`mta_etc_filetrans_aliases',`
type etc_aliases_t;
')
@@ -33275,7 +33322,7 @@ index 4e2a5ba..68e2429 100644
')
########################################
-@@ -554,7 +587,7 @@ interface(`mta_rw_aliases',`
+@@ -554,7 +591,7 @@ interface(`mta_rw_aliases',`
')
files_search_etc($1)
@@ -33284,7 +33331,33 @@ index 4e2a5ba..68e2429 100644
')
#######################################
-@@ -648,8 +681,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
+@@ -576,6 +613,25 @@ interface(`mta_dontaudit_rw_delivery_tcp_sockets',`
+ dontaudit $1 mailserver_delivery:tcp_socket { read write };
+ ')
+
++######################################
++## <summary>
++## Allow attempts to read and write TCP
++## sockets of mail delivery domains.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`mta_rw_delivery_tcp_sockets',`
++ gen_require(`
++ attribute mailserver_delivery;
++ ')
++
++ allow $1 mailserver_delivery:tcp_socket { read write };
++')
++
+ #######################################
+ ## <summary>
+ ## Connect to all mail servers over TCP. (Deprecated)
+@@ -648,8 +704,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
files_dontaudit_search_spool($1)
dontaudit $1 mail_spool_t:dir search_dir_perms;
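Review bot: The `<param>` description of the new `mta_rw_delivery_tcp_sockets` interface reads `Domain to not audit.`, copied from `mta_dontaudit_rw_delivery_tcp_sockets` directly above it, but this interface issues an `allow`; it should read `Domain allowed access.`. The summary "Allow attempts to read and write" likewise mirrors the dontaudit wording rather than the rule — `Read and write TCP sockets of mail delivery domains.` describes what it does. Since this interface is now called from mta_mailserver_delivery for every delivery domain, the generated docs are what future reviewers will read before widening it further.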
@@ -33295,7 +33368,7 @@ index 4e2a5ba..68e2429 100644
')
#######################################
-@@ -679,7 +712,26 @@ interface(`mta_spool_filetrans',`
+@@ -679,7 +735,26 @@ interface(`mta_spool_filetrans',`
')
files_search_spool($1)
@@ -33323,7 +33396,7 @@ index 4e2a5ba..68e2429 100644
')
########################################
-@@ -699,8 +751,8 @@ interface(`mta_rw_spool',`
+@@ -699,8 +774,8 @@ interface(`mta_rw_spool',`
files_search_spool($1)
allow $1 mail_spool_t:dir list_dir_perms;
@@ -33334,7 +33407,7 @@ index 4e2a5ba..68e2429 100644
read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
')
-@@ -840,7 +892,7 @@ interface(`mta_dontaudit_rw_queue',`
+@@ -840,7 +915,7 @@ interface(`mta_dontaudit_rw_queue',`
')
dontaudit $1 mqueue_spool_t:dir search_dir_perms;
@@ -33343,7 +33416,7 @@ index 4e2a5ba..68e2429 100644
')
########################################
-@@ -866,6 +918,36 @@ interface(`mta_manage_queue',`
+@@ -866,6 +941,36 @@ interface(`mta_manage_queue',`
#######################################
## <summary>
@@ -33380,7 +33453,7 @@ index 4e2a5ba..68e2429 100644
## Read sendmail binary.
## </summary>
## <param name="domain">
-@@ -901,3 +983,170 @@ interface(`mta_rw_user_mail_stream_sockets',`
+@@ -901,3 +1006,170 @@ interface(`mta_rw_user_mail_stream_sockets',`
allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
')
@@ -39606,18 +39679,17 @@ index b246bdd..99f27c0 100644
files_read_etc_files(pads_t)
files_search_spool(pads_t)
diff --git a/passenger.fc b/passenger.fc
-index 545518d..e275c31 100644
+index 545518d..7d5bf4c 100644
--- a/passenger.fc
+++ b/passenger.fc
-@@ -3,6 +3,12 @@
+@@ -3,6 +3,11 @@
/usr/lib/ruby/gems/.*/passenger-.*/agents/PassengerLoggingAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)
/usr/lib/ruby/gems/.*/passenger-.*/agents/apache2/PassengerHelperAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)
-+/usr/local/share/gems/.*/passenger-.*/ext/apache2/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0)
-+/usr/local/share/gems/.*/passenger-.*/agents/PassengerWatchdog -- gen_context(system_u:object_r:passenger_exec_t,s0)
-+/usr/local/gems/.*/passenger-.*/agents/PassengerLoggingAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)
-+/usr/local/gems/.*/passenger-.*/agents/apache2/PassengerHelperAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)
-+
++/usr/share/gems/.*/passenger-.*/ext/apache2/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0)
++/usr/share/gems/.*/passenger-.*/agents/PassengerWatchdog -- gen_context(system_u:object_r:passenger_exec_t,s0)
++/usr/gems/.*/passenger-.*/agents/PassengerLoggingAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)
++/usr/gems/.*/passenger-.*/agents/apache2/PassengerHelperAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)
+
/var/lib/passenger(/.*)? gen_context(system_u:object_r:passenger_var_lib_t,s0)
@@ -46004,7 +46076,7 @@ index 5014056..9505fce 100644
- allow unconfined_qemu_t qemu_exec_t:file execmod;
-')
diff --git a/qmail.fc b/qmail.fc
-index 0055e54..f988f51 100644
+index 0055e54..edee505 100644
--- a/qmail.fc
+++ b/qmail.fc
@@ -17,6 +17,7 @@
@@ -46015,6 +46087,15 @@ index 0055e54..f988f51 100644
/var/qmail/queue(/.*)? gen_context(system_u:object_r:qmail_spool_t,s0)
+@@ -25,7 +26,7 @@ ifdef(`distro_debian', `
+
+ /usr/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0)
+
+-#/usr/local/bin/serialmail/.* -- gen_context(system_u:object_r:qmail_serialmail_exec_t,s0)
++#/usr/bin/serialmail/.* -- gen_context(system_u:object_r:qmail_serialmail_exec_t,s0)
+
+ /usr/sbin/qmail-clean -- gen_context(system_u:object_r:qmail_clean_exec_t,s0)
+ /usr/sbin/qmail-getpw -- gen_context(system_u:object_r:qmail_exec_t,s0)
diff --git a/qmail.if b/qmail.if
index a55bf44..c6dee66 100644
--- a/qmail.if
@@ -59852,7 +59933,7 @@ index 904f13e..5801347 100644
+ ')
')
diff --git a/tor.te b/tor.te
-index c842cad..7f05b44 100644
+index c842cad..3c0dfe4 100644
--- a/tor.te
+++ b/tor.te
@@ -36,12 +36,16 @@ logging_log_file(tor_var_log_t)
@@ -59872,15 +59953,18 @@ index c842cad..7f05b44 100644
allow tor_t self:fifo_file rw_fifo_file_perms;
allow tor_t self:unix_stream_socket create_stream_socket_perms;
allow tor_t self:netlink_route_socket r_netlink_socket_perms;
-@@ -75,7 +79,6 @@ files_pid_filetrans(tor_t, tor_var_run_t, { dir file sock_file })
+@@ -73,9 +77,9 @@ manage_sock_files_pattern(tor_t, tor_var_run_t, tor_var_run_t)
+ files_pid_filetrans(tor_t, tor_var_run_t, { dir file sock_file })
+
kernel_read_system_state(tor_t)
++kernel_read_net_sysctls(tor_t)
# networking basics
-corenet_all_recvfrom_unlabeled(tor_t)
corenet_all_recvfrom_netlabel(tor_t)
corenet_tcp_sendrecv_generic_if(tor_t)
corenet_udp_sendrecv_generic_if(tor_t)
-@@ -87,6 +90,7 @@ corenet_tcp_sendrecv_all_reserved_ports(tor_t)
+@@ -87,6 +91,7 @@ corenet_tcp_sendrecv_all_reserved_ports(tor_t)
corenet_tcp_bind_generic_node(tor_t)
corenet_udp_bind_generic_node(tor_t)
corenet_tcp_bind_tor_port(tor_t)
@@ -59888,7 +59972,7 @@ index c842cad..7f05b44 100644
corenet_udp_bind_dns_port(tor_t)
corenet_sendrecv_tor_server_packets(tor_t)
corenet_sendrecv_dns_server_packets(tor_t)
-@@ -95,13 +99,14 @@ corenet_tcp_connect_all_ports(tor_t)
+@@ -95,13 +100,14 @@ corenet_tcp_connect_all_ports(tor_t)
corenet_sendrecv_all_client_packets(tor_t)
# ... especially including port 80 and other privileged ports
corenet_tcp_connect_all_reserved_ports(tor_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index d9a2698..d2bc56b 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.11.0
-Release: 13%{?dist}
+Release: 14%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -491,6 +491,9 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Mon Jul 30 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.0-14
+- Add systemd fixes to make rawhide booting
+
* Fri Jul 27 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.0-13
- Add systemd_logind_inhibit_var_run_t attribute
- Remove corenet_all_recvfrom_unlabeled() for non-contrib policies because we moved it to domain.if for all domain_type