[selinux-policy] * Tue Jun 12 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.0-3 - PolicyKit path has changed - Allow h

Miroslav Grepl mgrepl at fedoraproject.org
Tue Jun 12 12:33:36 UTC 2012


commit c8f96d3d71dda063d2568883dbd09317c951b4ed
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Tue Jun 12 14:33:10 2012 +0200

    * Tue Jun 12 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.0-3
    - PolicyKit path has changed
    - Allow httpd connect to dirsrv socket
    - Allow tuned to write generic kernel sysctls
    - Dontaudit logwatch to getattr on /dev/dm-2
    - Allow policykit-auth to manage kerberos files
    - Make condor_startd and rgmanager as initrc domain
    - Allow virsh to read /etc/passwd
    - Allow mount to mount on user_tmp_t for /run/user/dwalsh/gvfs
    - xdm now needs to execute xsession_exec_t
    - Need labels for /var/lib/gdm
    - Fix files_filetrans_named_content() interface
    - Add new attribute - initrc_domain
    - Allow systemd_logind_t to signal, signull, sigkill all processes
    - Add filetrans rules for etc_runtime files

 policy-rawhide.patch         |  321 +++++++++++++++++++++++-------------------
 policy_contrib-rawhide.patch |  194 ++++++++++++++++---------
 selinux-policy.spec          |   18 +++-
 3 files changed, 320 insertions(+), 213 deletions(-)
---
diff --git a/policy-rawhide.patch b/policy-rawhide.patch
index b1a3db6..8fb05e8 100644
--- a/policy-rawhide.patch
+++ b/policy-rawhide.patch
@@ -64649,7 +64649,7 @@ index 4429d30..cbcd9d0 100644
 +/nsr(/.*)?			gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?			gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 41346fb..9ec1de8 100644
+index 41346fb..6e7808a 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
 @@ -55,6 +55,7 @@
@@ -66032,7 +66032,7 @@ index 41346fb..9ec1de8 100644
  ##	Search the contents of generic spool
  ##	directories (/var/spool).
  ## </summary>
-@@ -6406,3 +7285,332 @@ interface(`files_unconfined',`
+@@ -6406,3 +7285,343 @@ interface(`files_unconfined',`
  
  	typeattribute $1 files_unconfined_type;
  ')
@@ -66364,6 +66364,17 @@ index 41346fb..9ec1de8 100644
 +	files_root_filetrans($1, usr_t, dir, "export")
 +	files_root_filetrans($1, usr_t, dir, "emul")
 +	files_root_filetrans($1, var_t, dir, "nsr")
++	files_etc_filetrans_etc_runtime($1, file, "runtime")
++	files_etc_filetrans_etc_runtime($1, dir, "blkid")
++	files_etc_filetrans_etc_runtime($1, dir, "cmtab")
++	files_etc_filetrans_etc_runtime($1, file, "fstab.REVOKE")
++	files_etc_filetrans_etc_runtime($1, file, "ioctl.save")
++	files_etc_filetrans_etc_runtime($1, file, "nologin")
++	files_etc_filetrans_etc_runtime($1, file, "securetty")
++	files_etc_filetrans_etc_runtime($1, file, "ifstate")
++	files_etc_filetrans_etc_runtime($1, file, "ptal-printd-like")
++	files_etc_filetrans_etc_runtime($1, file, "hwconf")
++	files_etc_filetrans_etc_runtime($1, file, "iptables.save")
 +')
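Review bot: The eleven `files_etc_filetrans_etc_runtime` calls added here carry no comment on why these names are runtime state rather than ordinary etc_t content, and two of them, `securetty` and `nologin`, gate who may log in, so the label chosen at creation decides which domains may create or replace them. Worth confirming that every domain permitted to create etc_runtime_t files under /etc is one that should be able to produce those two, and recording the rationale in a one-line comment above the block naming the scripts that generate these files. The inner hunk length moved from 332 to 343 lines, which matches the eleven additions. The enclosing interface begins outside this hunk.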
 diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
 index 1ce8aa0..24dfed0 100644
@@ -73032,7 +73043,7 @@ index b17e27a..f87cce0 100644
 +    ssh_rw_dgram_sockets(chroot_user_t)
 +')
 diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
-index fc86b7c..7421ac9 100644
+index fc86b7c..cfe92e1 100644
 --- a/policy/modules/services/xserver.fc
 +++ b/policy/modules/services/xserver.fc
 @@ -2,13 +2,34 @@
@@ -73125,7 +73136,7 @@ index fc86b7c..7421ac9 100644
  
  /var/lib/lxdm(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
 -/var/lib/[xkw]dm(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
-+/var/lib/[mxkw]dm(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
++/var/lib/[mxkwg]dm(/.*)?	gen_context(system_u:object_r:xdm_var_lib_t,s0)
  /var/lib/xkb(/.*)?		gen_context(system_u:object_r:xkb_var_lib_t,s0)
 +/var/lib/xorg(/.*)?		gen_context(system_u:object_r:xserver_var_lib_t,s0)
 +
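Review bot: The rewritten `/var/lib/[mxkwg]dm(/.*)?` line uses a single tab before `gen_context`, while the neighbouring entries (`/var/lib/lxdm`, `/var/lib/xkb`) use two, so the column alignment of the file is lost; keep the two tabs so the rewritten line reads like its neighbours. Adding `g` to the character class is the only functional change and corresponds to the changelog entry for /var/lib/gdm.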
@@ -74466,7 +74477,7 @@ index 130ced9..647cc5c 100644
 +	files_search_tmp($1)
 +')
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index c4f7c35..a4b887d 100644
+index c4f7c35..c221771 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
 @@ -26,27 +26,50 @@ gen_require(`
@@ -74790,7 +74801,7 @@ index c4f7c35..a4b887d 100644
  ')
  
  optional_policy(`
-@@ -299,20 +396,38 @@ optional_policy(`
+@@ -299,64 +396,103 @@ optional_policy(`
  # XDM Local policy
  #
  
@@ -74833,7 +74844,8 @@ index c4f7c35..a4b887d 100644
  
  # Allow gdm to run gdm-binary
  can_exec(xdm_t, xdm_exec_t)
-@@ -320,43 +435,63 @@ can_exec(xdm_t, xdm_exec_t)
++can_exec(xdm_t, xsession_exec_t)
+ 
  allow xdm_t xdm_lock_t:file manage_file_perms;
  files_lock_filetrans(xdm_t, xdm_lock_t, file)
  
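Review bot: `can_exec(xdm_t, xsession_exec_t)` lets xdm run Xsession scripts in its own domain, whereas the `userdom_xsession_spec_domtrans_all_users(xdm_t)` call under the `xdm_sysadm_login` tunable elsewhere in this diff appears to provide a transitioning path for the same files, and nothing records why both are wanted. The new line also sits directly under `# Allow gdm to run gdm-binary`, so that comment now seems to cover it. Give it its own comment, e.g. `# xdm runs Xsession scripts in its own domain as well as via the user domtrans below`. The XDM local policy block continues outside this hunk.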
@@ -74903,7 +74915,7 @@ index c4f7c35..a4b887d 100644
  
  # connect to xdm xserver over stream socket
  stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -365,18 +500,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+@@ -365,18 +501,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
  delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
  delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
  
@@ -74931,7 +74943,7 @@ index c4f7c35..a4b887d 100644
  
  corenet_all_recvfrom_unlabeled(xdm_t)
  corenet_all_recvfrom_netlabel(xdm_t)
-@@ -388,38 +531,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
+@@ -388,38 +532,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
  corenet_udp_sendrecv_all_ports(xdm_t)
  corenet_tcp_bind_generic_node(xdm_t)
  corenet_udp_bind_generic_node(xdm_t)
@@ -74984,7 +74996,7 @@ index c4f7c35..a4b887d 100644
  
  files_read_etc_files(xdm_t)
  files_read_var_files(xdm_t)
-@@ -430,9 +583,25 @@ files_list_mnt(xdm_t)
+@@ -430,9 +584,25 @@ files_list_mnt(xdm_t)
  files_read_usr_files(xdm_t)
  # Poweroff wants to create the /poweroff file when run from xdm
  files_create_boot_flag(xdm_t)
@@ -75010,7 +75022,7 @@ index c4f7c35..a4b887d 100644
  
  storage_dontaudit_read_fixed_disk(xdm_t)
  storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -441,28 +610,38 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -441,28 +611,38 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
  storage_dontaudit_raw_write_removable_device(xdm_t)
  storage_dontaudit_setattr_removable_dev(xdm_t)
  storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -75052,7 +75064,7 @@ index c4f7c35..a4b887d 100644
  
  userdom_dontaudit_use_unpriv_user_fds(xdm_t)
  userdom_create_all_users_keys(xdm_t)
-@@ -471,24 +650,43 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -471,24 +651,43 @@ userdom_read_user_home_content_files(xdm_t)
  # Search /proc for any user domain processes.
  userdom_read_all_users_state(xdm_t)
  userdom_signal_all_users(xdm_t)
@@ -75102,7 +75114,7 @@ index c4f7c35..a4b887d 100644
  tunable_policy(`xdm_sysadm_login',`
  	userdom_xsession_spec_domtrans_all_users(xdm_t)
  	# FIXME:
-@@ -502,11 +700,21 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -502,11 +701,21 @@ tunable_policy(`xdm_sysadm_login',`
  ')
  
  optional_policy(`
@@ -75124,7 +75136,7 @@ index c4f7c35..a4b887d 100644
  ')
  
  optional_policy(`
-@@ -514,12 +722,63 @@ optional_policy(`
+@@ -514,12 +723,63 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -75188,7 +75200,7 @@ index c4f7c35..a4b887d 100644
  	hostname_exec(xdm_t)
  ')
  
-@@ -537,28 +796,69 @@ optional_policy(`
+@@ -537,28 +797,69 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -75267,7 +75279,7 @@ index c4f7c35..a4b887d 100644
  ')
  
  optional_policy(`
-@@ -570,6 +870,14 @@ optional_policy(`
+@@ -570,6 +871,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -75282,7 +75294,7 @@ index c4f7c35..a4b887d 100644
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -594,7 +902,8 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -594,7 +903,8 @@ allow xserver_t input_xevent_t:x_event send;
  # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
@@ -75292,7 +75304,7 @@ index c4f7c35..a4b887d 100644
  dontaudit xserver_t self:capability chown;
  allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow xserver_t self:fd use;
-@@ -608,8 +917,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -608,8 +918,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -75308,7 +75320,7 @@ index c4f7c35..a4b887d 100644
  manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -628,12 +944,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -628,12 +945,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -75330,7 +75342,7 @@ index c4f7c35..a4b887d 100644
  
  kernel_read_system_state(xserver_t)
  kernel_read_device_sysctls(xserver_t)
-@@ -641,6 +964,7 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -641,6 +965,7 @@ kernel_read_modprobe_sysctls(xserver_t)
  # Xorg wants to check if kernel is tainted
  kernel_read_kernel_sysctls(xserver_t)
  kernel_write_proc_files(xserver_t)
@@ -75338,7 +75350,7 @@ index c4f7c35..a4b887d 100644
  
  # Run helper programs in xserver_t.
  corecmd_exec_bin(xserver_t)
-@@ -667,23 +991,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -667,23 +992,28 @@ dev_rw_apm_bios(xserver_t)
  dev_rw_agp(xserver_t)
  dev_rw_framebuffer(xserver_t)
  dev_manage_dri_dev(xserver_t)
@@ -75370,7 +75382,7 @@ index c4f7c35..a4b887d 100644
  
  # brought on by rhgb
  files_search_mnt(xserver_t)
-@@ -694,8 +1023,13 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -694,8 +1024,13 @@ fs_getattr_xattr_fs(xserver_t)
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -75384,7 +75396,7 @@ index c4f7c35..a4b887d 100644
  
  selinux_validate_context(xserver_t)
  selinux_compute_access_vector(xserver_t)
-@@ -708,8 +1042,6 @@ init_getpgid(xserver_t)
+@@ -708,8 +1043,6 @@ init_getpgid(xserver_t)
  term_setattr_unallocated_ttys(xserver_t)
  term_use_unallocated_ttys(xserver_t)
  
@@ -75393,7 +75405,7 @@ index c4f7c35..a4b887d 100644
  locallogin_use_fds(xserver_t)
  
  logging_send_syslog_msg(xserver_t)
-@@ -717,11 +1049,12 @@ logging_send_audit_msgs(xserver_t)
+@@ -717,11 +1050,12 @@ logging_send_audit_msgs(xserver_t)
  
  miscfiles_read_localization(xserver_t)
  miscfiles_read_fonts(xserver_t)
@@ -75408,7 +75420,7 @@ index c4f7c35..a4b887d 100644
  
  userdom_search_user_home_dirs(xserver_t)
  userdom_use_user_ttys(xserver_t)
-@@ -775,16 +1108,40 @@ optional_policy(`
+@@ -775,16 +1109,40 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -75450,7 +75462,7 @@ index c4f7c35..a4b887d 100644
  	unconfined_domtrans(xserver_t)
  ')
  
-@@ -793,6 +1150,10 @@ optional_policy(`
+@@ -793,6 +1151,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -75461,7 +75473,7 @@ index c4f7c35..a4b887d 100644
  	xfs_stream_connect(xserver_t)
  ')
  
-@@ -808,10 +1169,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -808,10 +1170,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
  
  # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
  # handle of a file inside the dir!!!
@@ -75475,7 +75487,7 @@ index c4f7c35..a4b887d 100644
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -819,7 +1180,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -819,7 +1181,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  
  # Run xkbcomp.
@@ -75484,7 +75496,7 @@ index c4f7c35..a4b887d 100644
  can_exec(xserver_t, xkb_var_lib_t)
  
  # VNC v4 module in X server
-@@ -832,26 +1193,21 @@ init_use_fds(xserver_t)
+@@ -832,26 +1194,21 @@ init_use_fds(xserver_t)
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -75519,7 +75531,7 @@ index c4f7c35..a4b887d 100644
  ')
  
  optional_policy(`
-@@ -859,6 +1215,10 @@ optional_policy(`
+@@ -859,6 +1216,10 @@ optional_policy(`
  	rhgb_rw_tmpfs_files(xserver_t)
  ')
  
@@ -75530,7 +75542,7 @@ index c4f7c35..a4b887d 100644
  ########################################
  #
  # Rules common to all X window domains
-@@ -902,7 +1262,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -902,7 +1263,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
  allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
  # operations allowed on my windows
  allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -75539,7 +75551,7 @@ index c4f7c35..a4b887d 100644
  # operations allowed on all windows
  allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
  
-@@ -956,11 +1316,31 @@ allow x_domain self:x_resource { read write };
+@@ -956,11 +1317,31 @@ allow x_domain self:x_resource { read write };
  # can mess with the screensaver
  allow x_domain xserver_t:x_screen { getattr saver_getattr };
  
@@ -75571,7 +75583,7 @@ index c4f7c35..a4b887d 100644
  tunable_policy(`! xserver_object_manager',`
  	# should be xserver_unconfined(x_domain),
  	# but typeattribute doesnt work in conditionals
-@@ -982,18 +1362,43 @@ tunable_policy(`! xserver_object_manager',`
+@@ -982,18 +1363,43 @@ tunable_policy(`! xserver_object_manager',`
  	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
  ')
  
@@ -77152,7 +77164,7 @@ index d2e40b8..3ba2e4c 100644
  ')
 +/var/run/systemd(/.*)?		gen_context(system_u:object_r:init_var_run_t,s0)
 diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index d26fe81..b0bb610 100644
+index d26fe81..e07c6b7 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
 @@ -79,6 +79,44 @@ interface(`init_script_domain',`
@@ -77213,7 +77225,7 @@ index d26fe81..b0bb610 100644
  
  	ifdef(`hide_broken_symptoms',`
  		# RHEL4 systems seem to have a stray
-@@ -193,8 +235,10 @@ interface(`init_daemon_domain',`
+@@ -193,8 +235,11 @@ interface(`init_daemon_domain',`
  	gen_require(`
  		attribute direct_run_init, direct_init, direct_init_entry;
  		type initrc_t;
@@ -77221,10 +77233,11 @@ index d26fe81..b0bb610 100644
  		role system_r;
  		attribute daemon;
 +		attribute initrc_transition_domain;
++		attribute initrc_domain;
  	')
  
  	typeattribute $1 daemon;
-@@ -202,39 +246,20 @@ interface(`init_daemon_domain',`
+@@ -202,40 +247,40 @@ interface(`init_daemon_domain',`
  	domain_type($1)
  	domain_entry_file($1, $2)
  
@@ -77241,6 +77254,7 @@ index d26fe81..b0bb610 100644
 -	# when using run_init
 -	init_use_script_ptys($1)
 +	domtrans_pattern(initrc_t,$2,$1)
++	domtrans_pattern(initrc_domain, $2,$1) 
  
  	ifdef(`direct_sysadm_daemon',`
  		domtrans_pattern(direct_run_init, $2, $1)
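Review bot: `domtrans_pattern(initrc_domain, $2,$1) ` carries trailing whitespace and mixes `, ` with `,`, unlike the `domtrans_pattern(initrc_t,$2,$1)` line above and the `domtrans_pattern(direct_run_init, $2, $1)` line below; write it as `domtrans_pattern(initrc_domain, $2, $1)`. Because this sits inside `init_daemon_domain`, every type carrying `initrc_domain` gains exec-and-transition into every daemon domain declared through this interface, the same reach initrc_t has, and that breadth deserves a comment such as `# types with initrc_domain may start any daemon the way initrc_t does`. The interface body starts outside this hunk, and the `attribute initrc_domain;` added to its `gen_require` in the previous hunk belongs to the same change.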
@@ -77259,17 +77273,35 @@ index d26fe81..b0bb610 100644
 -		ifdef(`distro_rhel4',`
 -			kernel_dontaudit_use_fds($1)
 -		')
--	')
--
--	optional_policy(`
--		nscd_socket_use($1)
 +	tunable_policy(`init_upstart || init_systemd',`
 +	     # Handle upstart direct transition to a executable
 +	     domtrans_pattern(init_t,$2,$1)
  	')
++')
+ 
+-	optional_policy(`
+-		nscd_socket_use($1)
+-	')
++#######################################
++## <summary>
++##      Create initrc domain.
++## </summary>
++## <param name="domain">
++##      <summary>
++##       Type to be used as a initrc daemon domain.
++##      </summary>
++## </param>
++#
++interface(`init_initrc_domain',`
++        gen_require(`
++                attribute initrc_domain;
++        ')
++
++        typeattribute $1 initrc_domain;
  ')
  
-@@ -283,17 +308,20 @@ interface(`init_daemon_domain',`
+ ########################################
+@@ -283,17 +328,20 @@ interface(`init_daemon_domain',`
  interface(`init_ranged_daemon_domain',`
  	gen_require(`
  		type initrc_t;
@@ -77291,7 +77323,7 @@ index d26fe81..b0bb610 100644
  	')
  ')
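Review bot: The new `init_initrc_domain` interface is indented with eight spaces on its `gen_require`, `attribute` and `typeattribute` lines, while the rest of init.if uses tabs, as the `init_ranged_daemon_domain` context right after it shows; convert the indentation to tabs. The summary `Type to be used as a initrc daemon domain.` should read `Type to be used as an initrc daemon domain.`, and the interface `<summary>` should say what the attribute grants, since `domtrans_pattern(initrc_domain, $2, $1)` added to `init_daemon_domain` earlier in this file lets such a type execute and transition into every daemon domain.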
  
-@@ -336,22 +364,23 @@ interface(`init_ranged_daemon_domain',`
+@@ -336,22 +384,23 @@ interface(`init_ranged_daemon_domain',`
  #
  interface(`init_system_domain',`
  	gen_require(`
@@ -77322,7 +77354,7 @@ index d26fe81..b0bb610 100644
  	')
  ')
  
-@@ -401,20 +430,41 @@ interface(`init_system_domain',`
+@@ -401,20 +450,41 @@ interface(`init_system_domain',`
  interface(`init_ranged_system_domain',`
  	gen_require(`
  		type initrc_t;
@@ -77364,7 +77396,7 @@ index d26fe81..b0bb610 100644
  ########################################
  ## <summary>
  ##	Execute init (/sbin/init) with a domain transition.
-@@ -442,7 +492,6 @@ interface(`init_domtrans',`
+@@ -442,7 +512,6 @@ interface(`init_domtrans',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -77372,7 +77404,7 @@ index d26fe81..b0bb610 100644
  #
  interface(`init_exec',`
  	gen_require(`
-@@ -451,6 +500,29 @@ interface(`init_exec',`
+@@ -451,6 +520,29 @@ interface(`init_exec',`
  
  	corecmd_search_bin($1)
  	can_exec($1, init_exec_t)
@@ -77402,7 +77434,7 @@ index d26fe81..b0bb610 100644
  ')
  
  ########################################
-@@ -539,6 +611,24 @@ interface(`init_sigchld',`
+@@ -539,6 +631,24 @@ interface(`init_sigchld',`
  
  ########################################
  ## <summary>
@@ -77427,7 +77459,7 @@ index d26fe81..b0bb610 100644
  ##	Connect to init with a unix socket.
  ## </summary>
  ## <param name="domain">
-@@ -549,10 +639,66 @@ interface(`init_sigchld',`
+@@ -549,10 +659,66 @@ interface(`init_sigchld',`
  #
  interface(`init_stream_connect',`
  	gen_require(`
@@ -77496,7 +77528,7 @@ index d26fe81..b0bb610 100644
  ')
  
  ########################################
-@@ -718,19 +864,25 @@ interface(`init_telinit',`
+@@ -718,19 +884,25 @@ interface(`init_telinit',`
  		type initctl_t;
  	')
  
@@ -77523,7 +77555,7 @@ index d26fe81..b0bb610 100644
  	')
  ')
  
-@@ -760,7 +912,7 @@ interface(`init_rw_initctl',`
+@@ -760,7 +932,7 @@ interface(`init_rw_initctl',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -77532,7 +77564,7 @@ index d26fe81..b0bb610 100644
  ##	</summary>
  ## </param>
  #
-@@ -803,11 +955,12 @@ interface(`init_script_file_entry_type',`
+@@ -803,11 +975,12 @@ interface(`init_script_file_entry_type',`
  #
  interface(`init_spec_domtrans_script',`
  	gen_require(`
@@ -77547,7 +77579,7 @@ index d26fe81..b0bb610 100644
  
  	ifdef(`distro_gentoo',`
  		gen_require(`
-@@ -818,11 +971,11 @@ interface(`init_spec_domtrans_script',`
+@@ -818,11 +991,11 @@ interface(`init_spec_domtrans_script',`
  	')
  
  	ifdef(`enable_mcs',`
@@ -77561,7 +77593,7 @@ index d26fe81..b0bb610 100644
  	')
  ')
  
-@@ -838,19 +991,41 @@ interface(`init_spec_domtrans_script',`
+@@ -838,19 +1011,41 @@ interface(`init_spec_domtrans_script',`
  #
  interface(`init_domtrans_script',`
  	gen_require(`
@@ -77607,7 +77639,7 @@ index d26fe81..b0bb610 100644
  ')
  
  ########################################
-@@ -906,9 +1081,14 @@ interface(`init_script_file_domtrans',`
+@@ -906,9 +1101,14 @@ interface(`init_script_file_domtrans',`
  interface(`init_labeled_script_domtrans',`
  	gen_require(`
  		type initrc_t;
@@ -77622,7 +77654,7 @@ index d26fe81..b0bb610 100644
  	files_search_etc($1)
  ')
  
-@@ -999,7 +1179,9 @@ interface(`init_ptrace',`
+@@ -999,7 +1199,9 @@ interface(`init_ptrace',`
  		type init_t;
  	')
  
@@ -77633,7 +77665,7 @@ index d26fe81..b0bb610 100644
  ')
  
  ########################################
-@@ -1117,6 +1299,24 @@ interface(`init_read_all_script_files',`
+@@ -1117,6 +1319,24 @@ interface(`init_read_all_script_files',`
  
  #######################################
  ## <summary>
@@ -77658,7 +77690,7 @@ index d26fe81..b0bb610 100644
  ##	Dontaudit read all init script files.
  ## </summary>
  ## <param name="domain">
-@@ -1168,12 +1368,7 @@ interface(`init_read_script_state',`
+@@ -1168,12 +1388,7 @@ interface(`init_read_script_state',`
  	')
  
  	kernel_search_proc($1)
@@ -77672,7 +77704,7 @@ index d26fe81..b0bb610 100644
  ')
  
  ########################################
-@@ -1413,6 +1608,27 @@ interface(`init_dbus_send_script',`
+@@ -1413,6 +1628,27 @@ interface(`init_dbus_send_script',`
  ########################################
  ## <summary>
  ##	Send and receive messages from
@@ -77700,7 +77732,7 @@ index d26fe81..b0bb610 100644
  ##	init scripts over dbus.
  ## </summary>
  ## <param name="domain">
-@@ -1499,6 +1715,25 @@ interface(`init_getattr_script_status_files',`
+@@ -1499,6 +1735,25 @@ interface(`init_getattr_script_status_files',`
  
  ########################################
  ## <summary>
@@ -77726,7 +77758,7 @@ index d26fe81..b0bb610 100644
  ##	Do not audit attempts to read init script
  ##	status files.
  ## </summary>
-@@ -1557,6 +1792,24 @@ interface(`init_rw_script_tmp_files',`
+@@ -1557,6 +1812,24 @@ interface(`init_rw_script_tmp_files',`
  
  ########################################
  ## <summary>
@@ -77751,7 +77783,7 @@ index d26fe81..b0bb610 100644
  ##	Create files in a init script
  ##	temporary data directory.
  ## </summary>
-@@ -1629,6 +1882,43 @@ interface(`init_read_utmp',`
+@@ -1629,6 +1902,43 @@ interface(`init_read_utmp',`
  
  ########################################
  ## <summary>
@@ -77795,7 +77827,7 @@ index d26fe81..b0bb610 100644
  ##	Do not audit attempts to write utmp.
  ## </summary>
  ## <param name="domain">
-@@ -1717,7 +2007,7 @@ interface(`init_dontaudit_rw_utmp',`
+@@ -1717,7 +2027,7 @@ interface(`init_dontaudit_rw_utmp',`
  		type initrc_var_run_t;
  	')
  
@@ -77804,7 +77836,7 @@ index d26fe81..b0bb610 100644
  ')
  
  ########################################
-@@ -1758,6 +2048,128 @@ interface(`init_pid_filetrans_utmp',`
+@@ -1758,6 +2068,128 @@ interface(`init_pid_filetrans_utmp',`
  	files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
  ')
  
@@ -77933,7 +77965,7 @@ index d26fe81..b0bb610 100644
  ########################################
  ## <summary>
  ##	Allow the specified domain to connect to daemon with a tcp socket
-@@ -1792,3 +2204,284 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1792,3 +2224,284 @@ interface(`init_udp_recvfrom_all_daemons',`
  	')
  	corenet_udp_recvfrom_labeled($1, daemon)
  ')
@@ -78219,7 +78251,7 @@ index d26fe81..b0bb610 100644
 +	allow $1 init_t:system undefined;
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 5fb9683..28b9f3b 100644
+index 5fb9683..0721079 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -16,6 +16,34 @@ gen_require(`
@@ -78257,7 +78289,7 @@ index 5fb9683..28b9f3b 100644
  # used for direct running of init scripts
  # by admin domains
  attribute direct_run_init;
-@@ -25,14 +53,18 @@ attribute direct_init_entry;
+@@ -25,14 +53,21 @@ attribute direct_init_entry;
  attribute init_script_domain_type;
  attribute init_script_file_type;
  attribute init_run_all_scripts_domain;
@@ -78268,6 +78300,9 @@ index 5fb9683..28b9f3b 100644
  # Mark process types as daemons
  attribute daemon;
 +attribute systemprocess;
++
++# Mark process types as initrc domain
++attribute initrc_domain;
  
  #
  # init_t is the domain of the init process.
@@ -78277,7 +78312,7 @@ index 5fb9683..28b9f3b 100644
  type init_exec_t;
  domain_type(init_t)
  domain_entry_file(init_t, init_exec_t)
-@@ -45,6 +77,9 @@ role system_r types init_t;
+@@ -45,6 +80,9 @@ role system_r types init_t;
  type init_var_run_t;
  files_pid_file(init_var_run_t)
  
@@ -78287,7 +78322,7 @@ index 5fb9683..28b9f3b 100644
  #
  # initctl_t is the type of the named pipe created
  # by init during initialization.  This pipe is used
-@@ -63,6 +98,8 @@ role system_r types initrc_t;
+@@ -63,6 +101,8 @@ role system_r types initrc_t;
  # of the below init_upstart tunable
  # but this has a typeattribute in it
  corecmd_shell_entry_type(initrc_t)
@@ -78296,7 +78331,7 @@ index 5fb9683..28b9f3b 100644
  
  type initrc_devpts_t;
  term_pty(initrc_devpts_t)
-@@ -92,7 +129,7 @@ ifdef(`enable_mls',`
+@@ -92,7 +132,7 @@ ifdef(`enable_mls',`
  #
  
  # Use capabilities. old rule:
@@ -78305,7 +78340,7 @@ index 5fb9683..28b9f3b 100644
  # is ~sys_module really needed? observed:
  # sys_boot
  # sys_tty_config
-@@ -104,12 +141,25 @@ allow init_t self:fifo_file rw_fifo_file_perms;
+@@ -104,12 +144,25 @@ allow init_t self:fifo_file rw_fifo_file_perms;
  
  # Re-exec itself
  can_exec(init_t, init_exec_t)
@@ -78337,7 +78372,7 @@ index 5fb9683..28b9f3b 100644
  
  allow init_t initctl_t:fifo_file manage_fifo_file_perms;
  dev_filetrans(init_t, initctl_t, fifo_file)
-@@ -119,25 +169,34 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
+@@ -119,28 +172,38 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
  
  kernel_read_system_state(init_t)
  kernel_share_state(init_t)
@@ -78373,7 +78408,11 @@ index 5fb9683..28b9f3b 100644
  files_etc_filetrans_etc_runtime(init_t, file)
  # Run /etc/X11/prefdm:
  files_exec_etc_files(init_t)
-@@ -149,6 +208,8 @@ fs_list_inotifyfs(init_t)
++files_read_usr_files(init_t)
+ # file descriptors inherited from the rootfs:
+ files_dontaudit_rw_root_files(init_t)
+ files_dontaudit_rw_root_chr_files(init_t)
+@@ -149,6 +212,8 @@ fs_list_inotifyfs(init_t)
  # cjp: this may be related to /dev/log
  fs_write_ramfs_sockets(init_t)
  
@@ -78382,7 +78421,7 @@ index 5fb9683..28b9f3b 100644
  mcs_process_set_categories(init_t)
  mcs_killall(init_t)
  
-@@ -156,22 +217,40 @@ mls_file_read_all_levels(init_t)
+@@ -156,22 +221,40 @@ mls_file_read_all_levels(init_t)
  mls_file_write_all_levels(init_t)
  mls_process_write_down(init_t)
  mls_fd_use_all_levels(init_t)
@@ -78424,7 +78463,7 @@ index 5fb9683..28b9f3b 100644
  
  ifdef(`distro_gentoo',`
  	allow init_t self:process { getcap setcap };
-@@ -180,12 +259,14 @@ ifdef(`distro_gentoo',`
+@@ -180,12 +263,14 @@ ifdef(`distro_gentoo',`
  ')
  
  ifdef(`distro_redhat',`
@@ -78440,18 +78479,17 @@ index 5fb9683..28b9f3b 100644
  	corecmd_shell_domtrans(init_t, initrc_t)
  ',`
  	# Run the shell in the sysadm role for single-user mode.
-@@ -193,16 +274,146 @@ tunable_policy(`init_upstart',`
+@@ -193,16 +278,146 @@ tunable_policy(`init_upstart',`
  	sysadm_shell_domtrans(init_t)
  ')
  
 +storage_raw_rw_fixed_disk(init_t)
 +
- optional_policy(`
--	auth_rw_login_records(init_t)
++optional_policy(`
 +	modutils_domtrans_insmod(init_t)
- ')
- 
- optional_policy(`
++')
++
++optional_policy(`
 +	postfix_exec(init_t)
 +	postfix_list_spool(init_t)
 +	mta_read_aliases(init_t)
@@ -78564,32 +78602,33 @@ index 5fb9683..28b9f3b 100644
 +	lvm_rw_pipes(init_t)
 +')
 +
-+optional_policy(`
+ optional_policy(`
+-	auth_rw_login_records(init_t)
 +	consolekit_manage_log(init_t)
-+')
-+
-+optional_policy(`
-+	dbus_connect_system_bus(init_t)
- 	dbus_system_bus_client(init_t)
-+	dbus_delete_pid_files(init_t)
  ')
  
  optional_policy(`
--	nscd_socket_use(init_t)
++	dbus_connect_system_bus(init_t)
+ 	dbus_system_bus_client(init_t)
++	dbus_delete_pid_files(init_t)
++')
++
++optional_policy(`
 +	# /var/run/dovecot/login/ssl-parameters.dat is a hard link to
 +	# /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
 +	# the directory. But we do not want to allow this.
 +	# The master process of dovecot will manage this file.
 +	dovecot_dontaudit_unlink_lib_files(initrc_t)
-+')
-+
-+optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	nscd_socket_use(init_t)
 +	plymouthd_stream_connect(init_t)
 +	plymouthd_exec_plymouth(init_t)
  ')
  
  optional_policy(`
-@@ -210,6 +421,17 @@ optional_policy(`
+@@ -210,6 +425,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -78607,7 +78646,7 @@ index 5fb9683..28b9f3b 100644
  	unconfined_domain(init_t)
  ')
  
-@@ -219,8 +441,8 @@ optional_policy(`
+@@ -219,8 +445,8 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -78618,7 +78657,7 @@ index 5fb9683..28b9f3b 100644
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
  
-@@ -248,12 +470,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -248,12 +474,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -78634,7 +78673,7 @@ index 5fb9683..28b9f3b 100644
  
  init_write_initctl(initrc_t)
  
-@@ -265,20 +490,34 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -265,20 +494,34 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -78673,7 +78712,7 @@ index 5fb9683..28b9f3b 100644
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -286,6 +525,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -286,6 +529,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
  
  dev_read_rand(initrc_t)
  dev_read_urand(initrc_t)
@@ -78681,7 +78720,7 @@ index 5fb9683..28b9f3b 100644
  dev_write_kmsg(initrc_t)
  dev_write_rand(initrc_t)
  dev_write_urand(initrc_t)
-@@ -296,8 +536,10 @@ dev_write_framebuffer(initrc_t)
+@@ -296,8 +540,10 @@ dev_write_framebuffer(initrc_t)
  dev_read_realtime_clock(initrc_t)
  dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
@@ -78692,7 +78731,7 @@ index 5fb9683..28b9f3b 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -305,17 +547,16 @@ dev_manage_generic_files(initrc_t)
+@@ -305,17 +551,16 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -78712,7 +78751,7 @@ index 5fb9683..28b9f3b 100644
  domain_getsession_all_domains(initrc_t)
  domain_use_interactive_fds(initrc_t)
  # for lsof which is used by alsa shutdown:
-@@ -323,6 +564,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -323,6 +568,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -78720,7 +78759,7 @@ index 5fb9683..28b9f3b 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -330,8 +572,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -330,8 +576,10 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -78732,7 +78771,7 @@ index 5fb9683..28b9f3b 100644
  files_delete_all_pids(initrc_t)
  files_delete_all_pid_dirs(initrc_t)
  files_read_etc_files(initrc_t)
-@@ -347,8 +591,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -347,8 +595,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -78746,7 +78785,7 @@ index 5fb9683..28b9f3b 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -358,9 +606,12 @@ fs_mount_all_fs(initrc_t)
+@@ -358,9 +610,12 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -78760,7 +78799,7 @@ index 5fb9683..28b9f3b 100644
  mcs_killall(initrc_t)
  mcs_process_set_categories(initrc_t)
  
-@@ -370,6 +621,7 @@ mls_process_read_up(initrc_t)
+@@ -370,6 +625,7 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -78768,7 +78807,7 @@ index 5fb9683..28b9f3b 100644
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -381,6 +633,7 @@ term_use_all_terms(initrc_t)
+@@ -381,6 +637,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -78776,7 +78815,7 @@ index 5fb9683..28b9f3b 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -401,18 +654,17 @@ logging_read_audit_config(initrc_t)
+@@ -401,18 +658,17 @@ logging_read_audit_config(initrc_t)
  
  miscfiles_read_localization(initrc_t)
  # slapd needs to read cert files from its initscript
@@ -78798,7 +78837,7 @@ index 5fb9683..28b9f3b 100644
  
  ifdef(`distro_debian',`
  	dev_setattr_generic_dirs(initrc_t)
-@@ -465,6 +717,10 @@ ifdef(`distro_gentoo',`
+@@ -465,6 +721,10 @@ ifdef(`distro_gentoo',`
  	sysnet_setattr_config(initrc_t)
  
  	optional_policy(`
@@ -78809,7 +78848,7 @@ index 5fb9683..28b9f3b 100644
  		alsa_read_lib(initrc_t)
  	')
  
-@@ -485,7 +741,7 @@ ifdef(`distro_redhat',`
+@@ -485,7 +745,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -78818,7 +78857,7 @@ index 5fb9683..28b9f3b 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -500,6 +756,7 @@ ifdef(`distro_redhat',`
+@@ -500,6 +760,7 @@ ifdef(`distro_redhat',`
  	files_create_boot_dirs(initrc_t)
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
@@ -78826,7 +78865,7 @@ index 5fb9683..28b9f3b 100644
  	# wants to read /.fonts directory
  	files_read_default_files(initrc_t)
  	files_mountpoint(initrc_tmp_t)
-@@ -520,6 +777,7 @@ ifdef(`distro_redhat',`
+@@ -520,6 +781,7 @@ ifdef(`distro_redhat',`
  	miscfiles_rw_localization(initrc_t)
  	miscfiles_setattr_localization(initrc_t)
  	miscfiles_relabel_localization(initrc_t)
@@ -78834,7 +78873,7 @@ index 5fb9683..28b9f3b 100644
  
  	miscfiles_read_fonts(initrc_t)
  	miscfiles_read_hwdata(initrc_t)
-@@ -529,8 +787,35 @@ ifdef(`distro_redhat',`
+@@ -529,8 +791,35 @@ ifdef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -78870,7 +78909,7 @@ index 5fb9683..28b9f3b 100644
  	')
  
  	optional_policy(`
-@@ -538,14 +823,27 @@ ifdef(`distro_redhat',`
+@@ -538,14 +827,27 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -78898,7 +78937,7 @@ index 5fb9683..28b9f3b 100644
  	')
  ')
  
-@@ -556,6 +854,39 @@ ifdef(`distro_suse',`
+@@ -556,6 +858,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -78938,7 +78977,7 @@ index 5fb9683..28b9f3b 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -568,6 +899,8 @@ optional_policy(`
+@@ -568,6 +903,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -78947,7 +78986,7 @@ index 5fb9683..28b9f3b 100644
  ')
  
  optional_policy(`
-@@ -589,6 +922,7 @@ optional_policy(`
+@@ -589,6 +926,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -78955,7 +78994,7 @@ index 5fb9683..28b9f3b 100644
  ')
  
  optional_policy(`
-@@ -601,6 +935,17 @@ optional_policy(`
+@@ -601,6 +939,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -78973,7 +79012,7 @@ index 5fb9683..28b9f3b 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -617,9 +962,13 @@ optional_policy(`
+@@ -617,9 +966,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -78987,7 +79026,7 @@ index 5fb9683..28b9f3b 100644
  	')
  
  	optional_policy(`
-@@ -644,6 +993,10 @@ optional_policy(`
+@@ -644,6 +997,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -78998,7 +79037,7 @@ index 5fb9683..28b9f3b 100644
  	gpm_setattr_gpmctl(initrc_t)
  ')
  
-@@ -661,6 +1014,15 @@ optional_policy(`
+@@ -661,6 +1018,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -79014,7 +79053,7 @@ index 5fb9683..28b9f3b 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -701,6 +1063,7 @@ optional_policy(`
+@@ -701,6 +1067,7 @@ optional_policy(`
  	lpd_list_spool(initrc_t)
  
  	lpd_read_config(initrc_t)
@@ -79022,7 +79061,7 @@ index 5fb9683..28b9f3b 100644
  ')
  
  optional_policy(`
-@@ -718,7 +1081,13 @@ optional_policy(`
+@@ -718,7 +1085,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -79036,7 +79075,7 @@ index 5fb9683..28b9f3b 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -741,6 +1110,10 @@ optional_policy(`
+@@ -741,6 +1114,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -79047,7 +79086,7 @@ index 5fb9683..28b9f3b 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -750,10 +1123,20 @@ optional_policy(`
+@@ -750,10 +1127,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -79068,7 +79107,7 @@ index 5fb9683..28b9f3b 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -762,6 +1145,10 @@ optional_policy(`
+@@ -762,6 +1149,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -79079,7 +79118,7 @@ index 5fb9683..28b9f3b 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -783,8 +1170,6 @@ optional_policy(`
+@@ -783,8 +1174,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -79088,7 +79127,7 @@ index 5fb9683..28b9f3b 100644
  ')
  
  optional_policy(`
-@@ -793,6 +1178,10 @@ optional_policy(`
+@@ -793,6 +1182,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -79099,7 +79138,7 @@ index 5fb9683..28b9f3b 100644
  	# shorewall-init script run /var/lib/shorewall/firewall
  	shorewall_lib_domtrans(initrc_t)
  ')
-@@ -802,10 +1191,12 @@ optional_policy(`
+@@ -802,10 +1195,12 @@ optional_policy(`
  	squid_manage_logs(initrc_t)
  ')
  
@@ -79112,7 +79151,7 @@ index 5fb9683..28b9f3b 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -817,7 +1208,6 @@ optional_policy(`
+@@ -817,7 +1212,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -79120,7 +79159,7 @@ index 5fb9683..28b9f3b 100644
  	udev_manage_pid_files(initrc_t)
  	udev_manage_rules_files(initrc_t)
  ')
-@@ -827,12 +1217,30 @@ optional_policy(`
+@@ -827,12 +1221,30 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -79153,7 +79192,7 @@ index 5fb9683..28b9f3b 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -842,6 +1250,18 @@ optional_policy(`
+@@ -842,6 +1254,18 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -79172,7 +79211,7 @@ index 5fb9683..28b9f3b 100644
  ')
  
  optional_policy(`
-@@ -857,6 +1277,10 @@ optional_policy(`
+@@ -857,6 +1281,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -79183,7 +79222,7 @@ index 5fb9683..28b9f3b 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -867,3 +1291,165 @@ optional_policy(`
+@@ -867,3 +1295,165 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -85362,10 +85401,10 @@ index 0000000..2497606
 +
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..eec7c72
+index 0000000..76b90b2
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,423 @@
+@@ -0,0 +1,420 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -85437,9 +85476,11 @@ index 0000000..eec7c72
 +init_named_pid_filetrans(systemd_logind_t, systemd_logind_sessions_t, dir, "sessions")
 +init_pid_filetrans(systemd_logind_t, systemd_logind_var_run_t, dir)
 +init_status(systemd_logind_t)
++init_signal(systemd_logind_t)
 +init_reboot(systemd_logind_t)
 +init_halt(systemd_logind_t)
 +init_undefined(systemd_logind_t)
++init_signal_script(systemd_logind_t)
 +
 +kernel_read_system_state(systemd_logind_t)
 +
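Review bot: `init_signal(systemd_logind_t)` and `init_signal_script(systemd_logind_t)` appear redundant once the `domain_signal_all_domains(systemd_logind_t)` line in the next hunk is applied, since init_t and initrc_t carry the domain attribute that interface targets (worth confirming against the interface definition, which is outside this view). Keeping a narrow grant next to a domain-wide one makes the effective scope harder to audit; either drop the two init_* lines or mark them, e.g. `# also covered by domain_signal_all_domains below; kept for readability`. The systemd_logind_t block continues past this hunk.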
@@ -85458,6 +85499,9 @@ index 0000000..eec7c72
 +dev_write_kmsg(systemd_logind_t)
 +
 +domain_read_all_domains_state(systemd_logind_t)
++domain_signal_all_domains(systemd_logind_t)
++domain_signull_all_domains(systemd_logind_t)
++domain_kill_all_domains(systemd_logind_t)
 +
 +# /etc/udev/udev.conf should probably have a private type if only for confined administration
 +# /etc/nsswitch.conf
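Review bot: `domain_kill_all_domains(systemd_logind_t)` grants SIGKILL on every domain, including init and privileged daemons, and together with the signal/signull lines it replaces the narrower `userdom_*_all_users`, `application_*` and `cron_signal` rules that the following hunk removes. Nothing in the hunk records why session-scoped signalling was insufficient, so a why-comment above the three lines would help later audits, e.g. `# logind tears down whole sessions, which can contain processes of any domain`. If the motivating denials were for a handful of specific domains, keeping the removed userdom/application set and adding those domains explicitly would be the tighter alternative.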
@@ -85501,18 +85545,10 @@ index 0000000..eec7c72
 +userdom_manage_user_tmp_files(systemd_logind_t)
 +userdom_manage_user_tmp_symlinks(systemd_logind_t)
 +userdom_manage_user_tmp_sockets(systemd_logind_t)
-+userdom_signal_all_users(systemd_logind_t)
-+userdom_signull_all_users(systemd_logind_t)
-+userdom_kill_all_users(systemd_logind_t)
-+
-+application_signal(systemd_logind_t)
-+application_signull(systemd_logind_t)
-+application_sigkill(systemd_logind_t)
 +
 +optional_policy(`
 +	cron_dbus_chat_crond(systemd_logind_t)
 +	cron_read_state_crond(systemd_logind_t)
-+	cron_signal(systemd_logind_t)
 +')
 +
 +optional_policy(`
@@ -90879,7 +90915,7 @@ index e720dcd..3361868 100644
 +	typeattribute $1 userdom_home_manager_type;
 +')
 diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index 47efe9a..55dc5cc 100644
+index 47efe9a..4136fa9 100644
 --- a/policy/modules/system/userdomain.te
 +++ b/policy/modules/system/userdomain.te
 @@ -7,17 +7,17 @@ policy_module(userdomain, 4.7.2)
@@ -90954,7 +90990,7 @@ index 47efe9a..55dc5cc 100644
  type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
  fs_associate_tmpfs(user_home_dir_t)
  files_type(user_home_dir_t)
-@@ -71,26 +102,111 @@ ubac_constrained(user_home_dir_t)
+@@ -71,26 +102,112 @@ ubac_constrained(user_home_dir_t)
  
  type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
  typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@@ -90979,6 +91015,7 @@ index 47efe9a..55dc5cc 100644
  files_tmp_file(user_tmp_t)
  userdom_user_home_content(user_tmp_t)
 +files_poly_parent(user_tmp_t)
++files_mountpoint(user_tmp_t)
  
 -type user_tmpfs_t alias { staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t };
 +type user_tmpfs_t, user_tmpfs_type;
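Review bot: `files_mountpoint(user_tmp_t)` makes a type that user domains create content under a permitted mount target, with no comment saying which mount needs it. A reader auditing mount-on rules later will want the use case inline, e.g. `# per-user runtime dirs (gvfs) are mounted on top of user_tmp_t dirs`. The user_tmp_t declaration starts before this hunk.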
diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch
index 28dd5c1..a870673 100644
--- a/policy_contrib-rawhide.patch
+++ b/policy_contrib-rawhide.patch
@@ -2453,7 +2453,7 @@ index 6480167..d0bf548 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
  ')
 diff --git a/apache.te b/apache.te
-index a36a01d..777623e 100644
+index a36a01d..f6aad32 100644
 --- a/apache.te
 +++ b/apache.te
 @@ -18,6 +18,8 @@ policy_module(apache, 2.3.2)
@@ -3072,11 +3072,17 @@ index a36a01d..777623e 100644
  	cobbler_search_lib(httpd_t)
  ')
  
-@@ -540,6 +832,18 @@ optional_policy(`
+@@ -540,6 +832,24 @@ optional_policy(`
  	daemontools_service_domain(httpd_t, httpd_exec_t)
  ')
  
 +optional_policy(`
++        # needed by FreeIPA 
++	dirsrv_stream_connect(httpd_t)
++	ldap_stream_connect(httpd_t)
++')
++
++optional_policy(`
 +	dirsrv_manage_config(httpd_t)
 +	dirsrv_manage_log(httpd_t)
 +	dirsrv_manage_var_run(httpd_t)
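Review bot: `dirsrv_stream_connect(httpd_t)` and `ldap_stream_connect(httpd_t)` share one `optional_policy` block, and an optional block is dropped as a whole when any of its requirements is unmet, so on a system with only one of the dirsrv or ldap modules loaded httpd gets neither connect rule. Splitting them into two blocks keeps each grant independent. The `# needed by FreeIPA ` comment is also indented with spaces and carries trailing whitespace where the rest of the file uses a tab.
```m4
optional_policy(`
	# needed by FreeIPA
	dirsrv_stream_connect(httpd_t)
')

optional_policy(`
	# needed by FreeIPA
	ldap_stream_connect(httpd_t)
')
# … unchanged: dirsrv_manage_* optional block …
```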
@@ -3091,7 +3097,7 @@ index a36a01d..777623e 100644
   optional_policy(`
  	dbus_system_bus_client(httpd_t)
  
-@@ -549,12 +853,21 @@ optional_policy(`
+@@ -549,12 +859,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -3114,7 +3120,7 @@ index a36a01d..777623e 100644
  	kerberos_keytab_template(httpd, httpd_t)
  ')
  
-@@ -568,7 +881,21 @@ optional_policy(`
+@@ -568,7 +887,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -3136,7 +3142,7 @@ index a36a01d..777623e 100644
  	mysql_stream_connect(httpd_t)
  	mysql_rw_db_sockets(httpd_t)
  
-@@ -579,6 +906,7 @@ optional_policy(`
+@@ -579,6 +912,7 @@ optional_policy(`
  
  optional_policy(`
  	nagios_read_config(httpd_t)
@@ -3144,7 +3150,7 @@ index a36a01d..777623e 100644
  ')
  
  optional_policy(`
-@@ -589,6 +917,33 @@ optional_policy(`
+@@ -589,6 +923,33 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -3178,7 +3184,7 @@ index a36a01d..777623e 100644
  	# Allow httpd to work with postgresql
  	postgresql_stream_connect(httpd_t)
  	postgresql_unpriv_client(httpd_t)
-@@ -603,6 +958,11 @@ optional_policy(`
+@@ -603,6 +964,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -3190,7 +3196,7 @@ index a36a01d..777623e 100644
  	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
  	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
  ')
-@@ -615,6 +975,12 @@ optional_policy(`
+@@ -615,6 +981,12 @@ optional_policy(`
  	yam_read_content(httpd_t)
  ')
  
@@ -3203,7 +3209,7 @@ index a36a01d..777623e 100644
  ########################################
  #
  # Apache helper local policy
-@@ -628,7 +994,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
+@@ -628,7 +1000,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
  
  logging_send_syslog_msg(httpd_helper_t)
  
@@ -3216,7 +3222,7 @@ index a36a01d..777623e 100644
  
  ########################################
  #
-@@ -666,28 +1036,30 @@ libs_exec_lib_files(httpd_php_t)
+@@ -666,28 +1042,30 @@ libs_exec_lib_files(httpd_php_t)
  userdom_use_unpriv_users_fds(httpd_php_t)
  
  tunable_policy(`httpd_can_network_connect_db',`
@@ -3260,7 +3266,7 @@ index a36a01d..777623e 100644
  ')
  
  ########################################
-@@ -697,6 +1069,7 @@ optional_policy(`
+@@ -697,6 +1075,7 @@ optional_policy(`
  
  allow httpd_suexec_t self:capability { setuid setgid };
  allow httpd_suexec_t self:process signal_perms;
@@ -3268,7 +3274,7 @@ index a36a01d..777623e 100644
  allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
  
  domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-@@ -711,14 +1084,23 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -711,14 +1090,23 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
  
@@ -3292,7 +3298,7 @@ index a36a01d..777623e 100644
  # for shell scripts
  corecmd_exec_bin(httpd_suexec_t)
  corecmd_exec_shell(httpd_suexec_t)
-@@ -752,13 +1134,31 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -752,13 +1140,31 @@ tunable_policy(`httpd_can_network_connect',`
  	corenet_sendrecv_all_client_packets(httpd_suexec_t)
  ')
  
@@ -3325,7 +3331,7 @@ index a36a01d..777623e 100644
  	fs_read_nfs_files(httpd_suexec_t)
  	fs_read_nfs_symlinks(httpd_suexec_t)
  	fs_exec_nfs_files(httpd_suexec_t)
-@@ -781,6 +1181,25 @@ optional_policy(`
+@@ -781,6 +1187,25 @@ optional_policy(`
  	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
  ')
  
@@ -3351,7 +3357,7 @@ index a36a01d..777623e 100644
  ########################################
  #
  # Apache system script local policy
-@@ -801,12 +1220,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+@@ -801,12 +1226,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
  
  kernel_read_kernel_sysctls(httpd_sys_script_t)
  
@@ -3369,7 +3375,7 @@ index a36a01d..777623e 100644
  ifdef(`distro_redhat',`
  	allow httpd_sys_script_t httpd_log_t:file append_file_perms;
  ')
-@@ -815,18 +1239,50 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -815,18 +1245,50 @@ tunable_policy(`httpd_can_sendmail',`
  	mta_send_mail(httpd_sys_script_t)
  ')
  
@@ -3426,7 +3432,7 @@ index a36a01d..777623e 100644
  	corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
  	corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
  	corenet_tcp_connect_all_ports(httpd_sys_script_t)
-@@ -834,14 +1290,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -834,14 +1296,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
  ')
  
  tunable_policy(`httpd_enable_homedirs',`
@@ -3467,7 +3473,7 @@ index a36a01d..777623e 100644
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_sys_script_t)
  	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -854,10 +1335,20 @@ optional_policy(`
+@@ -854,10 +1341,20 @@ optional_policy(`
  optional_policy(`
  	mysql_stream_connect(httpd_sys_script_t)
  	mysql_rw_db_sockets(httpd_sys_script_t)
@@ -3488,7 +3494,7 @@ index a36a01d..777623e 100644
  ')
  
  ########################################
-@@ -903,11 +1394,146 @@ optional_policy(`
+@@ -903,11 +1400,146 @@ optional_policy(`
  
  tunable_policy(`httpd_enable_cgi && httpd_unified',`
  	allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -10086,10 +10092,10 @@ index 0000000..168f664
 +')
 diff --git a/condor.te b/condor.te
 new file mode 100644
-index 0000000..4eb7bd9
+index 0000000..1bba4b7
 --- /dev/null
 +++ b/condor.te
-@@ -0,0 +1,231 @@
+@@ -0,0 +1,232 @@
 +policy_module(condor, 1.0.0)
 +
 +########################################
@@ -10308,6 +10314,7 @@ index 0000000..4eb7bd9
 +auth_use_nsswitch(condor_startd_t)
 +
 +init_domtrans_script(condor_startd_t)
++init_initrc_domain(condor_startd_t)
 +
 +libs_exec_lib_files(condor_startd_t)
 +
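Review bot: `init_initrc_domain(condor_startd_t)` attaches the new initrc_domain attribute without a comment saying what access the domain was missing, given that it already has `init_domtrans_script(condor_startd_t)` on the line above; the same applies to `init_initrc_domain(rgmanager_t)` in the rgmanager.te hunk further down. The attribute's definition is outside this view, so a one-line why-comment would let a reader judge the widening, e.g. `# needs initrc_domain to run service scripts the way init does — see init.if`. The condor_startd_t block continues outside the hunk.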
@@ -13263,7 +13270,7 @@ index c43ff4c..5da88b5 100644
  	init_labeled_script_domtrans($1, cvs_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/cvs.te b/cvs.te
-index 88e7e97..1c723fb 100644
+index 88e7e97..08d7ec0 100644
 --- a/cvs.te
 +++ b/cvs.te
 @@ -10,7 +10,7 @@ policy_module(cvs, 1.9.0)
@@ -13298,8 +13305,12 @@ index 88e7e97..1c723fb 100644
  logging_send_syslog_msg(cvs_t)
  logging_send_audit_msgs(cvs_t)
  
-@@ -90,7 +92,7 @@ mta_send_mail(cvs_t)
+@@ -88,9 +90,11 @@ miscfiles_read_localization(cvs_t)
  
+ mta_send_mail(cvs_t)
+ 
++userdom_dontaudit_search_user_home_dirs(cvs_t)
++
  # cjp: typeattribute doesnt work in conditionals yet
  auth_can_read_shadow_passwords(cvs_t)
 -tunable_policy(`allow_cvs_read_shadow',`
@@ -13307,7 +13318,7 @@ index 88e7e97..1c723fb 100644
  	allow cvs_t self:capability dac_override;
  	auth_tunable_read_shadow(cvs_t)
  ')
-@@ -112,4 +114,5 @@ optional_policy(`
+@@ -112,4 +116,5 @@ optional_policy(`
  	read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
  	manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
  	manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
@@ -16520,7 +16531,7 @@ index e1d7dc5..df96c0d 100644
  	admin_pattern($1, dovecot_var_run_t)
  
 diff --git a/dovecot.te b/dovecot.te
-index 2df7766..ef8b0d7 100644
+index 2df7766..53efc0b 100644
 --- a/dovecot.te
 +++ b/dovecot.te
 @@ -18,7 +18,7 @@ type dovecot_auth_tmp_t;
@@ -16751,7 +16762,7 @@ index 2df7766..ef8b0d7 100644
  
  miscfiles_read_localization(dovecot_deliver_t)
  
-@@ -283,24 +338,22 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t)
+@@ -283,24 +338,23 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t)
  userdom_manage_user_home_content_sockets(dovecot_deliver_t)
  userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })
  
@@ -16779,6 +16790,7 @@ index 2df7766..ef8b0d7 100644
  optional_policy(`
  	mta_manage_spool(dovecot_deliver_t)
 +	mta_read_queue(dovecot_deliver_t)
++	mta_read_home_rw(dovecot_deliver_t)
 +')
 +
 +optional_policy(`
@@ -20106,16 +20118,17 @@ index 4afb81f..842165a 100644
 -
 -libs_exec_ldconfig(glance_api_t)
 diff --git a/gnome.fc b/gnome.fc
-index 00a19e3..d776f66 100644
+index 00a19e3..17006fc 100644
 --- a/gnome.fc
 +++ b/gnome.fc
-@@ -1,9 +1,53 @@
+@@ -1,9 +1,54 @@
 -HOME_DIR/\.config/gtk-.*	gen_context(system_u:object_r:gnome_home_t,s0)
 +HOME_DIR/\.cache(/.*)?	gen_context(system_u:object_r:cache_home_t,s0)
 +HOME_DIR/\.color/icc(/.*)?	gen_context(system_u:object_r:icc_data_home_t,s0)
 +HOME_DIR/\.dbus(/.*)?	gen_context(system_u:object_r:dbus_home_t,s0)
 +HOME_DIR/\.config(/.*)?	gen_context(system_u:object_r:config_home_t,s0)
 +HOME_DIR/\.kde(/.*)?	gen_context(system_u:object_r:config_home_t,s0)
++HOME_DIR/\.nv(/.*)?  gen_context(system_u:object_r:cache_home_t,s0)
  HOME_DIR/\.gconf(d)?(/.*)?	gen_context(system_u:object_r:gconf_home_t,s0)
  HOME_DIR/\.gnome2(/.*)?		gen_context(system_u:object_r:gnome_home_t,s0)
 +HOME_DIR/\.gnome2/keyrings(/.*)?	gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0)
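Review bot: the new `HOME_DIR/\.nv(/.*)?` entry separates pattern and context with two spaces while every neighbouring line uses a tab; `HOME_DIR/\.nv(/.*)?	gen_context(system_u:object_r:cache_home_t,s0)` keeps the file's alignment. The `.nv` filetrans to cache_home_t added in the gnome.if hunk later in this diff agrees with the label chosen here.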
@@ -20166,7 +20179,7 @@ index 00a19e3..d776f66 100644
 +/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper	--		gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 diff --git a/gnome.if b/gnome.if
-index f5afe78..581c9dd 100644
+index f5afe78..e283f63 100644
 --- a/gnome.if
 +++ b/gnome.if
 @@ -1,44 +1,937 @@
@@ -21276,7 +21289,7 @@ index f5afe78..581c9dd 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -122,17 +1068,62 @@ interface(`gnome_stream_connect_gconf',`
+@@ -122,17 +1068,80 @@ interface(`gnome_stream_connect_gconf',`
  ##	</summary>
  ## </param>
  #
@@ -21292,6 +21305,24 @@ index f5afe78..581c9dd 100644
 +	gnome_filetrans_gstreamer_home_content($1)
 +')
 +
++######################################
++## <summary>
++##      Allow to execute gstreamer home content files.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`gnome_exec_gstreamer_home_files',`
++        gen_require(`
++                type gstreamer_home_t;
++        ')
++
++        can_exec($1, gstreamer_home_t)
++')
++
 +#######################################
 +## <summary>
 +##  file name transition gstreamer home content files.
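Review bot: the new `gnome_exec_gstreamer_home_files` interface is indented with spaces (both the summary lines and the body) while the surrounding interfaces use tabs, so it should be reformatted to match. Its summary should also make clear that `can_exec($1, gstreamer_home_t)` lets the caller execute files in a user-writable home content type, e.g. `## Execute gstreamer home content files (user-writable) in the caller domain.`, so that whoever adds a caller understands the trust implication.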
@@ -21343,7 +21374,7 @@ index f5afe78..581c9dd 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -140,51 +1131,306 @@ interface(`gnome_domtrans_gconfd',`
+@@ -140,51 +1149,307 @@ interface(`gnome_domtrans_gconfd',`
  ##	</summary>
  ## </param>
  #
@@ -21564,6 +21595,7 @@ index f5afe78..581c9dd 100644
 +	userdom_user_home_dir_filetrans($1, config_home_t, file, ".Xdefaults")
 +	userdom_user_home_dir_filetrans($1, config_home_t, dir, ".xine")
 +	userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".cache")
++	userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".nv")
 +	userdom_user_home_dir_filetrans($1, config_home_t, dir, ".kde")
 +	userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconf")
 +	userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconfd")
@@ -26044,10 +26076,10 @@ index 0000000..8bc2c6d
 +')
 diff --git a/l2tpd.te b/l2tpd.te
 new file mode 100644
-index 0000000..4786fde
+index 0000000..1b720ad
 --- /dev/null
 +++ b/l2tpd.te
-@@ -0,0 +1,99 @@
+@@ -0,0 +1,101 @@
 +policy_module(l2tpd, 1.0.0)
 +
 +########################################
@@ -26136,6 +26168,8 @@ index 0000000..4786fde
 +
 +term_use_ptmx(l2tpd_t)
 +
++auth_read_passwd(l2tpd_t)
++
 +logging_send_syslog_msg(l2tpd_t)
 +
 +miscfiles_read_localization(l2tpd_t)
@@ -27129,7 +27163,7 @@ index 3c7b1e8..1e155f5 100644
 +
 +/var/run/epylog\.pid		gen_context(system_u:object_r:logwatch_var_run_t,s0)
 diff --git a/logwatch.te b/logwatch.te
-index 75ce30f..671d4e1 100644
+index 75ce30f..47aa9f5 100644
 --- a/logwatch.te
 +++ b/logwatch.te
 @@ -7,6 +7,7 @@ policy_module(logwatch, 1.11.0)
@@ -27171,16 +27205,18 @@ index 75ce30f..671d4e1 100644
  files_read_usr_files(logwatch_t)
  files_search_spool(logwatch_t)
  files_search_mnt(logwatch_t)
-@@ -70,6 +81,8 @@ fs_getattr_all_fs(logwatch_t)
+@@ -70,6 +81,10 @@ fs_getattr_all_fs(logwatch_t)
  fs_dontaudit_list_auto_mountpoints(logwatch_t)
  fs_list_inotifyfs(logwatch_t)
  
++storage_dontaudit_getattr_fixed_disk_dev(logwatch_t)
++
 +mls_file_read_to_clearance(logwatch_t)
 +
  term_dontaudit_getattr_pty_dirs(logwatch_t)
  term_dontaudit_list_ptys(logwatch_t)
  
-@@ -92,11 +105,14 @@ sysnet_dns_name_resolve(logwatch_t)
+@@ -92,11 +107,14 @@ sysnet_dns_name_resolve(logwatch_t)
  sysnet_exec_ifconfig(logwatch_t)
  
  userdom_dontaudit_search_user_home_dirs(logwatch_t)
@@ -27196,7 +27232,7 @@ index 75ce30f..671d4e1 100644
  	files_getattr_all_file_type_fs(logwatch_t)
  ')
  
-@@ -145,3 +161,24 @@ optional_policy(`
+@@ -145,3 +163,24 @@ optional_policy(`
  	samba_read_log(logwatch_t)
  	samba_read_share_files(logwatch_t)
  ')
@@ -28700,7 +28736,7 @@ index ee72cbe..bf5fc09 100644
 +	delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t)
 +')
 diff --git a/milter.te b/milter.te
-index 26101cb..db61a30 100644
+index 26101cb..7393387 100644
 --- a/milter.te
 +++ b/milter.te
 @@ -9,6 +9,13 @@ policy_module(milter, 1.4.0)
@@ -28717,7 +28753,7 @@ index 26101cb..db61a30 100644
  # currently-supported milters are milter-greylist, milter-regex and spamass-milter
  milter_template(greylist)
  milter_template(regex)
-@@ -20,6 +27,23 @@ milter_template(spamass)
+@@ -20,6 +27,24 @@ milter_template(spamass)
  type spamass_milter_state_t;
  files_type(spamass_milter_state_t)
  
@@ -28728,6 +28764,7 @@ index 26101cb..db61a30 100644
 +
 +allow dkim_milter_t self:capability { kill setgid setuid };
 +allow dkim_milter_t self:process signal;
++allow dkim_milter_t self:tcp_socket create_stream_socket_perms;
 +allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms;
 +
 +read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t)
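Review bot: `allow dkim_milter_t self:tcp_socket create_stream_socket_perms;` only covers the socket object; without matching corenet_* rules the domain still cannot bind or connect on a port, and none appear in this hunk. If those rules exist elsewhere in the dkim_milter_t block (which continues outside the hunk), a short comment naming the TCP use would help, e.g. `# dkim-milter can serve its milter socket over TCP`; if not, the line is incomplete on its own.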
@@ -28741,7 +28778,7 @@ index 26101cb..db61a30 100644
  ########################################
  #
  # milter-greylist local policy
-@@ -33,11 +57,19 @@ files_type(spamass_milter_state_t)
+@@ -33,11 +58,19 @@ files_type(spamass_milter_state_t)
  allow greylist_milter_t self:capability { chown dac_override setgid setuid sys_nice };
  allow greylist_milter_t self:process { setsched getsched };
  
@@ -32982,7 +33019,7 @@ index a648982..59f096b 100644
  ')
 +
 diff --git a/ncftool.te b/ncftool.te
-index f19ca0b..8c48c33 100644
+index f19ca0b..dfc1ba2 100644
 --- a/ncftool.te
 +++ b/ncftool.te
 @@ -5,25 +5,29 @@ policy_module(ncftool, 1.1.0)
@@ -33058,7 +33095,7 @@ index f19ca0b..8c48c33 100644
  optional_policy(`
  	consoletype_exec(ncftool_t)
  ')
-@@ -69,13 +83,17 @@ optional_policy(`
+@@ -69,13 +83,18 @@ optional_policy(`
  
  optional_policy(`
  	iptables_initrc_domtrans(ncftool_t)
@@ -33066,6 +33103,7 @@ index f19ca0b..8c48c33 100644
  ')
  
  optional_policy(`
++	modutils_list_module_config(ncftool_t)
  	modutils_read_module_config(ncftool_t)
 -	modutils_run_insmod(ncftool_t, ncftool_roles)
 +	modutils_domtrans_insmod(ncftool_t)
@@ -38034,16 +38072,17 @@ index 4cffb07..3436696 100644
  allow podsleuth_t self:unix_stream_socket create_stream_socket_perms;
  allow podsleuth_t self:sem create_sem_perms;
 diff --git a/policykit.fc b/policykit.fc
-index 63d0061..c65d18f 100644
+index 63d0061..4718a93 100644
 --- a/policykit.fc
 +++ b/policykit.fc
-@@ -1,16 +1,18 @@
+@@ -1,16 +1,20 @@
  /usr/lib/policykit/polkit-read-auth-helper --	gen_context(system_u:object_r:policykit_auth_exec_t,s0)
 -/usr/lib/policykit/polkit-grant-helper.* --	gen_context(system_u:object_r:policykit_grant_exec_t,s0)
 +/usr/lib/policykit/polkit-grant-helper.*   --	gen_context(system_u:object_r:policykit_grant_exec_t,s0)
  /usr/lib/policykit/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
  /usr/lib/policykit/polkitd		--	gen_context(system_u:object_r:policykit_exec_t,s0)
 -/usr/lib/policykit-1/polkitd		--	gen_context(system_u:object_r:policykit_exec_t,s0)
++/usr/lib/polkit-1/polkitd		--	gen_context(system_u:object_r:policykit_exec_t,s0)
  
  /usr/libexec/polkit-read-auth-helper	--	gen_context(system_u:object_r:policykit_auth_exec_t,s0)
  /usr/libexec/polkit-grant-helper.*	--	gen_context(system_u:object_r:policykit_grant_exec_t,s0)
@@ -38051,11 +38090,12 @@ index 63d0061..c65d18f 100644
 -/usr/libexec/polkitd			--	gen_context(system_u:object_r:policykit_exec_t,s0)
 +/usr/libexec/polkitd.*			--	gen_context(system_u:object_r:policykit_exec_t,s0)
 +/usr/libexec/polkit-1/polkit-agent-helper-1 --	gen_context(system_u:object_r:policykit_auth_exec_t,s0)
++/usr/lib/polkit-1/polkit-agent-helper-1  --	gen_context(system_u:object_r:policykit_auth_exec_t,s0)
 +/usr/libexec/polkit-1/polkitd.*		--	gen_context(system_u:object_r:policykit_exec_t,s0)
  
  /var/lib/misc/PolicyKit.reload			gen_context(system_u:object_r:policykit_reload_t,s0)
  /var/lib/PolicyKit(/.*)?			gen_context(system_u:object_r:policykit_var_lib_t,s0)
-+/var/lib/polkit-1(/.*)?			gen_context(system_u:object_r:policykit_var_lib_t,s0)
++/var/lib/polkit-1(/.*)?				gen_context(system_u:object_r:policykit_var_lib_t,s0)
  /var/lib/PolicyKit-public(/.*)?			gen_context(system_u:object_r:policykit_var_lib_t,s0)
  /var/run/PolicyKit(/.*)?			gen_context(system_u:object_r:policykit_var_run_t,s0)
  
@@ -38203,7 +38243,7 @@ index 48ff1e8..be00a65 100644
 +	allow $1 policykit_auth_t:process signal;
  ')
 diff --git a/policykit.te b/policykit.te
-index 44db896..67a2c44 100644
+index 44db896..11800bb 100644
 --- a/policykit.te
 +++ b/policykit.te
 @@ -1,51 +1,73 @@
@@ -38293,7 +38333,7 @@ index 44db896..67a2c44 100644
  rw_files_pattern(policykit_t, policykit_reload_t, policykit_reload_t)
  
  policykit_domtrans_resolve(policykit_t)
-@@ -56,56 +78,107 @@ manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
+@@ -56,56 +78,111 @@ manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
  manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
  files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir })
  
@@ -38337,6 +38377,10 @@ index 44db896..67a2c44 100644
 +')
 +
 +optional_policy(`
++	kerberos_manage_host_rcache(policykit_t)
++')
++
++optional_policy(`
 +	gnome_read_config(policykit_t)
 +')
 +
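Review bot: `kerberos_manage_host_rcache(policykit_t)` grants create/write/delete on the host replay-cache files shared with other kerberized services, which is broader than the read access a daemon verifying tickets would usually need; the same line is added for policykit_auth_t in the next policykit.te hunk, where it is indented with spaces instead of the file's tab. A why-comment would help a later audit, e.g. `# polkit authenticates via GSSAPI and writes the host rcache`, and it is worth confirming from the denials whether polkitd itself or only the auth helper needs it.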
@@ -38413,11 +38457,15 @@ index 44db896..67a2c44 100644
  	dbus_session_bus_client(policykit_auth_t)
  
  	optional_policy(`
-@@ -118,14 +191,21 @@ optional_policy(`
+@@ -118,14 +195,25 @@ optional_policy(`
  	hal_read_state(policykit_auth_t)
  ')
  
 +optional_policy(`
++        kerberos_manage_host_rcache(policykit_auth_t)
++')
++
++optional_policy(`
 +	xserver_stream_connect(policykit_auth_t)
 +	xserver_xdm_append_log(policykit_auth_t)
 +	xserver_read_xdm_pid(policykit_auth_t)
@@ -38437,7 +38485,7 @@ index 44db896..67a2c44 100644
  allow policykit_grant_t self:unix_dgram_socket create_socket_perms;
  allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms;
  
-@@ -145,19 +225,18 @@ manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t
+@@ -145,19 +233,18 @@ manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t
  files_read_etc_files(policykit_grant_t)
  files_read_usr_files(policykit_grant_t)
  
@@ -38462,7 +38510,7 @@ index 44db896..67a2c44 100644
  		consolekit_dbus_chat(policykit_grant_t)
  	')
  ')
-@@ -167,9 +246,8 @@ optional_policy(`
+@@ -167,9 +254,8 @@ optional_policy(`
  # polkit_resolve local policy
  #
  
@@ -38474,7 +38522,7 @@ index 44db896..67a2c44 100644
  allow policykit_resolve_t self:unix_dgram_socket create_socket_perms;
  allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms;
  
-@@ -185,14 +263,8 @@ corecmd_search_bin(policykit_resolve_t)
+@@ -185,14 +271,8 @@ corecmd_search_bin(policykit_resolve_t)
  files_read_etc_files(policykit_resolve_t)
  files_read_usr_files(policykit_resolve_t)
  
@@ -38489,7 +38537,7 @@ index 44db896..67a2c44 100644
  userdom_read_all_users_state(policykit_resolve_t)
  
  optional_policy(`
-@@ -207,4 +279,3 @@ optional_policy(`
+@@ -207,4 +287,3 @@ optional_policy(`
  	kernel_search_proc(policykit_resolve_t)
  	hal_read_state(policykit_resolve_t)
  ')
@@ -44832,7 +44880,7 @@ index 7dc38d1..808f9c6 100644
 +	admin_pattern($1, rgmanager_var_run_t)
 +')
 diff --git a/rgmanager.te b/rgmanager.te
-index 07333db..53bff36 100644
+index 07333db..91ef567 100644
 --- a/rgmanager.te
 +++ b/rgmanager.te
 @@ -14,9 +14,11 @@ gen_tunable(rgmanager_can_network_connect, false)
@@ -44882,7 +44930,7 @@ index 07333db..53bff36 100644
  
  # need to write to /dev/misc/dlm-control
  dev_rw_dlm_control(rgmanager_t)
-@@ -76,31 +78,36 @@ dev_search_sysfs(rgmanager_t)
+@@ -76,31 +78,37 @@ dev_search_sysfs(rgmanager_t)
  
  domain_read_all_domains_state(rgmanager_t)
  domain_getattr_all_domains(rgmanager_t)
@@ -44914,6 +44962,7 @@ index 07333db..53bff36 100644
  auth_use_nsswitch(rgmanager_t)
  
 +init_domtrans_script(rgmanager_t)
++init_initrc_domain(rgmanager_t)
 +
  logging_send_syslog_msg(rgmanager_t)
  
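Review bot: `init_initrc_domain(rgmanager_t)` carries no comment saying which operation needed initrc-level access, even though rgmanager_t already gets `init_domtrans_script` in the line above it. Per the changelog this commit also introduces the initrc_domain attribute, so every rule written against that attribute elsewhere in the policy now applies to rgmanager_t as well, which is a wider grant than the domain transition alone. A one-line comment such as `# rgmanager needs initrc_domain for <operation> — confirm` would let a later reviewer judge whether the narrower transition was insufficient. The enclosing block of rgmanager.te continues outside this hunk.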
@@ -44924,7 +44973,7 @@ index 07333db..53bff36 100644
  
  tunable_policy(`rgmanager_can_network_connect',`
  	corenet_tcp_connect_all_ports(rgmanager_t)
-@@ -118,6 +125,14 @@ optional_policy(`
+@@ -118,6 +126,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -44939,7 +44988,7 @@ index 07333db..53bff36 100644
  	fstools_domtrans(rgmanager_t)
  ')
  
-@@ -140,6 +155,16 @@ optional_policy(`
+@@ -140,6 +156,16 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -44956,7 +45005,7 @@ index 07333db..53bff36 100644
  	mysql_domtrans_mysql_safe(rgmanager_t)
  	mysql_stream_connect(rgmanager_t)
  ')
-@@ -165,6 +190,8 @@ optional_policy(`
+@@ -165,6 +191,8 @@ optional_policy(`
  optional_policy(`
  	rpc_initrc_domtrans_nfsd(rgmanager_t)
  	rpc_initrc_domtrans_rpcd(rgmanager_t)
@@ -47948,19 +47997,20 @@ index a07b2f4..36b4903 100644
 +
 +userdom_getattr_user_terminals(rwho_t)
 diff --git a/samba.fc b/samba.fc
-index 69a6074..3d65472 100644
+index 69a6074..c9dbc93 100644
 --- a/samba.fc
 +++ b/samba.fc
-@@ -14,6 +14,8 @@
+@@ -14,6 +14,9 @@
  #
  # /usr
  #
 +/usr/lib/systemd/system/smb.* 	--	gen_context(system_u:object_r:samba_unit_file_t,s0)
++/usr/lib/systemd/system/nmb.*   --      gen_context(system_u:object_r:samba_unit_file_t,s0)
 +
  /usr/bin/net			--	gen_context(system_u:object_r:samba_net_exec_t,s0)
  /usr/bin/ntlm_auth		--	gen_context(system_u:object_r:winbind_helper_exec_t,s0)
  /usr/bin/smbcontrol		--	gen_context(system_u:object_r:smbcontrol_exec_t,s0)
-@@ -36,6 +38,10 @@
+@@ -36,6 +39,10 @@
  
  /var/log/samba(/.*)?			gen_context(system_u:object_r:samba_log_t,s0)
  
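Review bot: The new `nmb.*` line in samba.fc aligns the `--` and `gen_context` columns with runs of spaces, while the `smb.*` line directly above it and the rest of the file use tabs; please use the same tab separators so the two unit-file entries line up and diff cleanly. The pattern itself mirrors the existing `smb.*` entry (unanchored, `.` matching any character), so it is consistent with what is already there.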
@@ -47971,7 +48021,7 @@ index 69a6074..3d65472 100644
  /var/run/samba/brlock\.tdb	--	gen_context(system_u:object_r:smbd_var_run_t,s0)
  /var/run/samba/connections\.tdb	--	gen_context(system_u:object_r:smbd_var_run_t,s0)
  /var/run/samba/gencache\.tdb	--	gen_context(system_u:object_r:smbd_var_run_t,s0)
-@@ -48,6 +54,11 @@
+@@ -48,6 +55,11 @@
  /var/run/samba/smbd\.pid	--	gen_context(system_u:object_r:smbd_var_run_t,s0)
  /var/run/samba/unexpected\.tdb	--	gen_context(system_u:object_r:nmbd_var_run_t,s0)
  
@@ -54328,7 +54378,7 @@ index 0000000..9127cec
 +')
 diff --git a/thumb.te b/thumb.te
 new file mode 100644
-index 0000000..a0d188c
+index 0000000..7eea9cd
 --- /dev/null
 +++ b/thumb.te
 @@ -0,0 +1,105 @@
@@ -54435,7 +54485,7 @@ index 0000000..a0d188c
 +	gnome_read_generic_data_home_files(thumb_t)
 +	gnome_manage_gstreamer_home_files(thumb_t)
 +	gnome_manage_gstreamer_home_dirs(thumb_t)
-+	#gnome_exec_gstreamer_home_files(thumb_t)
++	gnome_exec_gstreamer_home_files(thumb_t)
 +')
 diff --git a/thunderbird.te b/thunderbird.te
 index bf37d98..204ac7e 100644
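Review bot: Uncommenting `gnome_exec_gstreamer_home_files(thumb_t)` gives the thumbnailer execute access on files in the user's gstreamer home directory, which the two lines above it already let thumb_t create and write; write-plus-execute on user-controlled files, in a domain that processes arbitrary media, is the kind of grant that should say why it exists rather than stand bare. Please add a one-line comment naming the program or the denial that required it, e.g. `# exec needed by <helper> (AVC: <placeholder>) — confirm`. The enclosing optional_policy block of thumb.te starts outside this hunk.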
@@ -54764,7 +54814,7 @@ index 54b8605..a04f013 100644
  	admin_pattern($1, tuned_var_run_t)
  ')
 diff --git a/tuned.te b/tuned.te
-index db9d2a5..da20967 100644
+index db9d2a5..c7b09c0 100644
 --- a/tuned.te
 +++ b/tuned.te
 @@ -12,6 +12,12 @@ init_daemon_domain(tuned_t, tuned_exec_t)
@@ -54780,7 +54830,7 @@ index db9d2a5..da20967 100644
  type tuned_log_t;
  logging_log_file(tuned_log_t)
  
-@@ -23,23 +29,38 @@ files_pid_file(tuned_var_run_t)
+@@ -23,23 +29,39 @@ files_pid_file(tuned_var_run_t)
  # tuned local policy
  #
  
@@ -54809,10 +54859,12 @@ index db9d2a5..da20967 100644
  
  kernel_read_system_state(tuned_t)
  kernel_read_network_state(tuned_t)
+-
 +kernel_read_kernel_sysctls(tuned_t)
++kernel_rw_kernel_sysctl(tuned_t)
 +kernel_rw_hotplug_sysctls(tuned_t)
 +kernel_rw_vm_sysctls(tuned_t)
- 
++
 +dev_getattr_all_blk_files(tuned_t)
 +dev_getattr_all_chr_files(tuned_t)
 +dev_dontaudit_getattr_all(tuned_t)
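Review bot: `kernel_rw_kernel_sysctl(tuned_t)` appears to grant read/write on the generic kernel sysctl type as a whole, whereas the neighbouring `kernel_rw_hotplug_sysctls` and `kernel_rw_vm_sysctls` lines are scoped to specific subtrees; the changelog only says "generic kernel sysctls", so a comment naming the entries tuned actually writes, e.g. `# tuned writes /proc/sys/kernel/<entry> — confirm`, would make later narrowing possible. The hunk also moves the blank line from before `kernel_read_kernel_sysctls` to after the vm sysctl line, which is cosmetic and unrelated to the access change. The tuned_t block continues outside this hunk.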
@@ -54822,7 +54874,7 @@ index db9d2a5..da20967 100644
  # to allow cpu tuning
  dev_rw_netcontrol(tuned_t)
  
-@@ -47,6 +68,10 @@ files_read_etc_files(tuned_t)
+@@ -47,6 +69,10 @@ files_read_etc_files(tuned_t)
  files_read_usr_files(tuned_t)
  files_dontaudit_search_home(tuned_t)
  
@@ -54833,7 +54885,7 @@ index db9d2a5..da20967 100644
  logging_send_syslog_msg(tuned_t)
  
  miscfiles_read_localization(tuned_t)
-@@ -58,6 +83,14 @@ optional_policy(`
+@@ -58,6 +84,14 @@ optional_policy(`
  	fstools_domtrans(tuned_t)
  ')
  
@@ -56560,7 +56612,7 @@ index 7c5d8d8..85b7d8b 100644
 +	files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox")
  ')
 diff --git a/virt.te b/virt.te
-index ad3068a..6713ab0 100644
+index ad3068a..5759ef5 100644
 --- a/virt.te
 +++ b/virt.te
 @@ -5,56 +5,87 @@ policy_module(virt, 1.4.2)
@@ -57154,7 +57206,7 @@ index ad3068a..6713ab0 100644
  files_read_usr_files(virt_domain)
  files_read_var_files(virt_domain)
  files_search_all(virt_domain)
-@@ -449,25 +657,428 @@ files_search_all(virt_domain)
+@@ -449,25 +657,430 @@ files_search_all(virt_domain)
  fs_getattr_tmpfs(virt_domain)
  fs_rw_anon_inodefs_files(virt_domain)
  fs_rw_tmpfs_files(virt_domain)
@@ -57257,6 +57309,8 @@ index ad3068a..6713ab0 100644
 +init_rw_script_stream_sockets(virsh_t)
 +init_use_fds(virsh_t)
 +
++auth_read_passwd(virsh_t)
++
 +miscfiles_read_localization(virsh_t)
 +
 +sysnet_dns_name_resolve(virsh_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index fbd69a5..39f7985 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.11.0
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -491,6 +491,22 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Tue Jun 12 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.0-3
+- PolicyKit path has changed
+- Allow httpd connect to dirsrv socket
+- Allow tuned to write generic kernel sysctls
+- Dontaudit logwatch to gettr on /dev/dm-2
+- Allow policykit-auth to manage kerberos files
+- Make condor_startd and rgmanager as initrc domain
+- Allow virsh to read /etc/passwd
+- Allow mount to mount on user_tmp_t for /run/user/dwalsh/gvfs
+- xdm now needs to execute xsession_exec_t
+- Need labels for /var/lib/gdm
+- Fix files_filetrans_named_content() interface
+- Add new attribute - initrc_domain
+- Allow systemd_logind_t to signal, signull, sigkill all processes
+- Add filetrans rules for etc_runtime files
+
 * Sat Jun 9 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.0-2
 - Rename boolean names to remove allow_
 

