[selinux-policy] * Mon Jun 25 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.0-6 - Add tomcat policy - Remove pyzor/raz

Miroslav Grepl mgrepl at fedoraproject.org
Mon Jun 25 05:09:53 UTC 2012


commit 52ac61da456856a40a76b69e8f312599663ff23e
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Mon Jun 25 07:09:24 2012 +0200

    * Mon Jun 25 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.0-6
    - Add tomcat policy
    - Remove pyzor/razor policy
    - rhsmcertd reads the rpm database
    - Dontaudit  thumb to setattr on xdm_tmp dir
    - Allow wicd to execute ldconfig in the networkmanager_t domain
    - Add /var/run/cherokee\.pid labeling
    - Allow mozilla_plugin to create mozilla_plugin_tmp_t lnk files too
    - Allow postfix-master to r/w pipes of other postfix domains
    - Allow snort to create netlink_socket
    - Add kdumpctl policy
    - Allow firstboot to create tmp_t files/directories
    - /usr/bin/paster should not be labeled as piranha_exec_t
    - remove initrc_domain from tomcat
    - Allow ddclient to read /etc/passwd
    - Allow useradd to delete all file types stored in the users homedir
    - Allow ldconfig and insmod to manage kdumpctl tmp files
    - Firstboot should be just creating tmp_t dirs and xauth should be allowed to write to those
    - Transition xauth files within firstboot_tmp_t
    - Fix labeling of /run/media to match /media
    - Label all lxdm.log as xserver_log_t
    - Add port definition for mxi port
    - Allow local_login_t to execute tmux

 modules-targeted.conf        |    7 +
 policy-rawhide.patch         |  408 +++++++++++-------
 policy_contrib-rawhide.patch |  986 +++++++++++++++++++++++++++++++++++-------
 selinux-policy.spec          |   28 ++-
 4 files changed, 1105 insertions(+), 324 deletions(-)
---
diff --git a/modules-targeted.conf b/modules-targeted.conf
index f4909bf..1580f19 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -2549,3 +2549,10 @@ man2html =  module
 #  policy for glusterd service
 #
 glusterd =  module
+
+# Layer: contrib
+# Module: glusterd
+#  
+#  policy for tomcat service
+#
+tomcat = module
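Review bot: The header comment added for the new entry still says `# Module: glusterd`, copied from the block above it, while the entry it introduces is `tomcat = module`; it should read `# Module: tomcat` so the comment matches the module it describes. The `#  ` line in the new block also carries trailing whitespace that the neighbouring blocks do not have.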
diff --git a/policy-rawhide.patch b/policy-rawhide.patch
index 96b449d..b43bd59 100644
--- a/policy-rawhide.patch
+++ b/policy-rawhide.patch
@@ -59563,7 +59563,7 @@ index 98b8b2d..da75471 100644
  
  ########################################
 diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 81b6608..396909c 100644
+index 81b6608..527c7bb 100644
 --- a/policy/modules/admin/usermanage.te
 +++ b/policy/modules/admin/usermanage.te
 @@ -5,18 +5,18 @@ policy_module(usermanage, 1.17.3)
@@ -59931,7 +59931,7 @@ index 81b6608..396909c 100644
  auth_manage_shadow(useradd_t)
  auth_relabel_shadow(useradd_t)
  auth_etc_filetrans_shadow(useradd_t)
-@@ -507,31 +549,33 @@ logging_send_syslog_msg(useradd_t)
+@@ -507,31 +549,34 @@ logging_send_syslog_msg(useradd_t)
  
  miscfiles_read_localization(useradd_t)
  
@@ -59964,6 +59964,7 @@ index 81b6608..396909c 100644
 -userdom_home_filetrans_user_home_dir(useradd_t)
 -userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_set)
 +userdom_manage_home_role(system_r, useradd_t)
++userdom_delete_all_user_home_content(useradd_t)
  
  optional_policy(`
  	mta_manage_spool(useradd_t)
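Review bot: `userdom_delete_all_user_home_content(useradd_t)` is added at top level with no comment, so a reader cannot tell which operation needs delete access to every user-home content type; the changelog says it is for removing all file types in a user's home directory, which presumably means home-directory removal by userdel, but the rule applies to everything that runs as useradd_t. A short why-comment above the line, such as `# home removal must succeed whatever the content is labeled`, would keep that rationale next to the rule. The useradd_t section continues outside the hunk.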
@@ -59978,7 +59979,7 @@ index 81b6608..396909c 100644
  optional_policy(`
  	apache_manage_all_user_content(useradd_t)
  ')
-@@ -542,7 +586,8 @@ optional_policy(`
+@@ -542,7 +587,8 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -59988,7 +59989,7 @@ index 81b6608..396909c 100644
  ')
  
  optional_policy(`
-@@ -550,6 +595,11 @@ optional_policy(`
+@@ -550,6 +596,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -61987,7 +61988,7 @@ index 8e0f9cd..da3b374 100644
  ## </summary>
  ## <param name="domain">
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 97978e3..fab201e 100644
+index 97978e3..8af38f3 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -14,12 +14,14 @@ attribute node_type;
@@ -62129,7 +62130,7 @@ index 97978e3..fab201e 100644
  network_port(ipmi, udp,623,s0, udp,664,s0)
  network_port(ipp, tcp,631,s0, udp,631,s0, tcp,8610-8614,s0, udp,8610-8614,s0)
  network_port(ipsecnat, tcp,4500,s0, udp,4500,s0)
-@@ -139,22 +180,32 @@ network_port(iscsi, tcp,3260,s0)
+@@ -139,87 +180,118 @@ network_port(iscsi, tcp,3260,s0)
  network_port(isns, tcp,3205,s0, udp,3205,s0)
  network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
  network_port(jabber_interserver, tcp,5269,s0)
@@ -62165,7 +62166,10 @@ index 97978e3..fab201e 100644
  network_port(mpd, tcp,6600,s0)
  network_port(msnp, tcp,1863,s0, udp,1863,s0)
  network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
-@@ -164,62 +215,82 @@ network_port(mysqlmanagerd, tcp,2273,s0)
+ network_port(munin, tcp,4949,s0, udp,4949,s0)
++network_port(mxi, tcp,8005, s0, udp, 8005,s0)
+ network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
+ network_port(mysqlmanagerd, tcp,2273,s0)
  network_port(nessus, tcp,1241,s0)
  network_port(netport, tcp,3129,s0, udp,3129,s0)
  network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
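Review bot: The new `network_port(mxi, tcp,8005, s0, udp, 8005,s0)` is spaced differently from every other entry in this list (compare `network_port(munin, tcp,4949,s0, udp,4949,s0)` just above it) and should be written `network_port(mxi, tcp,8005,s0, udp,8005,s0)`. Since this commit also introduces a tomcat policy and 8005 is the port Tomcat conventionally uses for its shutdown listener, it is worth confirming that no other port definition in this file claims 8005, as two `network_port` declarations cannot label the same port/protocol pair.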
@@ -62257,7 +62261,7 @@ index 97978e3..fab201e 100644
  network_port(traceroute, udp,64000-64010,s0)
  network_port(transproxy, tcp,8081,s0)
  network_port(ups, tcp,3493,s0)
-@@ -228,9 +299,12 @@ network_port(uucpd, tcp,540,s0)
+@@ -228,9 +300,12 @@ network_port(uucpd, tcp,540,s0)
  network_port(varnishd, tcp,6081-6082,s0)
  network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
  network_port(virt_migration, tcp,49152-49216,s0)
@@ -62271,7 +62275,7 @@ index 97978e3..fab201e 100644
  network_port(xdmcp, udp,177,s0, tcp,177,s0)
  network_port(xen, tcp,8002,s0)
  network_port(xfs, tcp,7100,s0)
-@@ -242,17 +316,22 @@ network_port(zookeeper_client, tcp,2181,s0)
+@@ -242,17 +317,22 @@ network_port(zookeeper_client, tcp,2181,s0)
  network_port(zookeeper_election, tcp,3888,s0)
  network_port(zookeeper_leader, tcp,2888,s0)
  network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0)
@@ -62296,7 +62300,7 @@ index 97978e3..fab201e 100644
  
  ########################################
  #
-@@ -297,9 +376,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -297,9 +377,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
  allow corenet_unconfined_type node_type:node *;
  allow corenet_unconfined_type netif_type:netif *;
  allow corenet_unconfined_type packet_type:packet *;
@@ -64552,7 +64556,7 @@ index cf04cb5..e43701b 100644
 +
 +dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
 diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index 4429d30..cbcd9d0 100644
+index 4429d30..b8f8a82 100644
 --- a/policy/modules/kernel/files.fc
 +++ b/policy/modules/kernel/files.fc
 @@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
@@ -64603,7 +64607,16 @@ index 4429d30..cbcd9d0 100644
  #
  /lib/modules(/.*)?		gen_context(system_u:object_r:modules_object_t,s0)
  
-@@ -151,7 +161,7 @@ ifdef(`distro_debian',`
+@@ -127,6 +137,8 @@ ifdef(`distro_debian',`
+ /media(/[^/]*)?		-d	gen_context(system_u:object_r:mnt_t,s0)
+ /media/[^/]*/.*			<<none>>
+ /media/\.hal-.*		--	gen_context(system_u:object_r:mnt_t,s0)
++/var/run/media(/[^/]*)?	-d	gen_context(system_u:object_r:mnt_t,s0)
++/var/run/media/.*		<<none>>
+ 
+ #
+ # /misc
+@@ -151,7 +163,7 @@ ifdef(`distro_debian',`
  /opt			-d	gen_context(system_u:object_r:usr_t,s0)
  /opt/.*				gen_context(system_u:object_r:usr_t,s0)
  
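Review bot: The new `<<none>>` entry `/var/run/media/.*` does not mirror the `/media` block it is meant to match: there the exclusion is `/media/[^/]*/.*`, one level deeper, so first-level mount points themselves still receive `mnt_t`. With `/var/run/media/.*`, a first-level directory under `/var/run/media` matches both new lines, and if I remember the file-context sorting rules correctly the longer fixed stem wins, so the `<<none>>` line would take precedence and the `-d mnt_t` line would only ever apply to `/var/run/media` itself. Suggest `/var/run/media/[^/]*/.*		<<none>>` so the two blocks behave the same way.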
@@ -64612,7 +64625,7 @@ index 4429d30..cbcd9d0 100644
  
  #
  # /proc
-@@ -159,6 +169,12 @@ ifdef(`distro_debian',`
+@@ -159,6 +171,12 @@ ifdef(`distro_debian',`
  /proc			-d	<<none>>
  /proc/.*			<<none>>
  
@@ -64625,7 +64638,7 @@ index 4429d30..cbcd9d0 100644
  #
  # /run
  #
-@@ -195,6 +211,7 @@ ifdef(`distro_debian',`
+@@ -195,6 +213,7 @@ ifdef(`distro_debian',`
  /usr			-d	gen_context(system_u:object_r:usr_t,s0)
  /usr/.*				gen_context(system_u:object_r:usr_t,s0)
  /usr/\.journal			<<none>>
@@ -64633,7 +64646,7 @@ index 4429d30..cbcd9d0 100644
  
  /usr/doc(/.*)?/lib(/.*)?	gen_context(system_u:object_r:usr_t,s0)
  
-@@ -211,6 +228,7 @@ ifdef(`distro_debian',`
+@@ -211,6 +230,7 @@ ifdef(`distro_debian',`
  
  /usr/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
  /usr/lost\+found/.*		<<none>>
@@ -64641,7 +64654,7 @@ index 4429d30..cbcd9d0 100644
  
  /usr/share/doc(/.*)?/README.*	gen_context(system_u:object_r:usr_t,s0)
  
-@@ -219,7 +237,6 @@ ifdef(`distro_debian',`
+@@ -219,7 +239,6 @@ ifdef(`distro_debian',`
  
  ifndef(`distro_redhat',`
  /usr/local/src(/.*)?		gen_context(system_u:object_r:src_t,s0)
@@ -64649,7 +64662,7 @@ index 4429d30..cbcd9d0 100644
  /usr/src(/.*)?			gen_context(system_u:object_r:src_t,s0)
  /usr/src/kernels/.+/lib(/.*)?	gen_context(system_u:object_r:usr_t,s0)
  ')
-@@ -235,11 +252,14 @@ ifndef(`distro_redhat',`
+@@ -235,11 +254,14 @@ ifndef(`distro_redhat',`
  
  /var/ftp/etc(/.*)?		gen_context(system_u:object_r:etc_t,s0)
  
@@ -64664,7 +64677,7 @@ index 4429d30..cbcd9d0 100644
  
  /var/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
  /var/lost\+found/.*		<<none>>
-@@ -262,3 +282,5 @@ ifndef(`distro_redhat',`
+@@ -262,3 +284,5 @@ ifndef(`distro_redhat',`
  ifdef(`distro_debian',`
  /var/run/motd		--	gen_context(system_u:object_r:initrc_var_run_t,s0)
  ')
@@ -71425,10 +71438,10 @@ index 0000000..bac0dc0
 +
 diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
 new file mode 100644
-index 0000000..7b69ace
+index 0000000..2a0c726
 --- /dev/null
 +++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,392 @@
+@@ -0,0 +1,376 @@
 +policy_module(unconfineduser, 1.0.0)
 +
 +########################################
@@ -71753,18 +71766,10 @@ index 0000000..7b69ace
 +')
 +
 +optional_policy(`
-+	ncftool_run(unconfined_t, unconfined_r)
-+')
-+
-+optional_policy(`
 +	oddjob_run_mkhomedir(unconfined_t, unconfined_r)
 +')
 +
 +optional_policy(`
-+	prelink_run(unconfined_t, unconfined_r)
-+')
-+
-+optional_policy(`
 +	portmap_run_helper(unconfined_t, unconfined_r)
 +')
 +
@@ -71795,18 +71800,10 @@ index 0000000..7b69ace
 +')
 +
 +optional_policy(`
-+	vbetool_run(unconfined_t, unconfined_r)
-+')
-+
-+optional_policy(`
 +	virt_transition_svirt(unconfined_t, unconfined_r)
 +')
 +
 +optional_policy(`
-+	vpn_run(unconfined_t, unconfined_r)
-+')
-+
-+optional_policy(`
 +	webalizer_run(unconfined_t, unconfined_r)
 +')
 +
@@ -72808,7 +72805,7 @@ index fe0c682..93ec53f 100644
 +	userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts")
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index b17e27a..f87cce0 100644
+index b17e27a..d193a52 100644
 --- a/policy/modules/services/ssh.te
 +++ b/policy/modules/services/ssh.te
 @@ -6,26 +6,37 @@ policy_module(ssh, 2.3.0)
@@ -73214,7 +73211,7 @@ index b17e27a..f87cce0 100644
  ')
  
  optional_policy(`
-@@ -339,3 +419,76 @@ optional_policy(`
+@@ -339,3 +419,83 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(ssh_keygen_t)
  ')
@@ -73248,11 +73245,18 @@ index b17e27a..f87cce0 100644
 +#
 +# chroot_user_t local policy
 +#
++allow chroot_user_t self:unix_dgram_socket create_socket_perms;
++
++corecmd_exec_shell(chroot_user_t)
++
++term_search_ptys(chroot_user_t)
++term_use_ptmx(chroot_user_t)
 +
 +userdom_read_user_home_content_files(chroot_user_t)
 +userdom_read_inherited_user_home_content_files(chroot_user_t)
 +userdom_read_user_home_content_symlinks(chroot_user_t)
 +userdom_exec_user_home_content_files(chroot_user_t)
++userdom_use_inherited_user_ptys(chroot_user_t)
 +
 +tunable_policy(`ssh_chroot_rw_homedirs',`
 +        files_list_home(chroot_user_t)
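Review bot: The new grants for `chroot_user_t` — `corecmd_exec_shell`, `term_search_ptys`, `term_use_ptmx`, `userdom_use_inherited_user_ptys` and the `unix_dgram_socket` rule — are unconditional, whereas the rest of this section gates extra access behind `tunable_policy(`ssh_chroot_rw_homedirs',…)`. Shell execution and pty access turn what presumably started as an sftp-only chroot domain into an interactive one, so at minimum the block deserves a comment stating the use case, e.g. `# chrooted shell logins need a shell and a pty`, and it is worth asking whether a tunable should guard it. The chroot_user_t section continues past the end of the hunk.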
@@ -73292,7 +73296,7 @@ index b17e27a..f87cce0 100644
 +    ssh_rw_dgram_sockets(chroot_user_t)
 +')
 diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
-index fc86b7c..decae02 100644
+index fc86b7c..7da0fde 100644
 --- a/policy/modules/services/xserver.fc
 +++ b/policy/modules/services/xserver.fc
 @@ -2,13 +2,35 @@
@@ -73393,9 +73397,10 @@ index fc86b7c..decae02 100644
 +/var/cache/[mg]dm(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
  
 -/var/log/[kwx]dm\.log.*	--	gen_context(system_u:object_r:xserver_log_t,s0)
-+/var/log/[mkwx]dm\.log.*	--	gen_context(system_u:object_r:xserver_log_t,s0)
- /var/log/lxdm\.log	--	gen_context(system_u:object_r:xserver_log_t,s0)
+-/var/log/lxdm\.log	--	gen_context(system_u:object_r:xserver_log_t,s0)
 -/var/log/gdm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
++/var/log/[mkwx]dm\.log.*	--	gen_context(system_u:object_r:xserver_log_t,s0)
++/var/log/lxdm\.log.*	--	gen_context(system_u:object_r:xserver_log_t,s0)
 +/var/log/[mg]dm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
  /var/log/slim\.log	--	gen_context(system_u:object_r:xserver_log_t,s0)
  /var/log/XFree86.*	--	gen_context(system_u:object_r:xserver_log_t,s0)
@@ -75912,10 +75917,38 @@ index c4f7c35..06c447c 100644
 +	unconfined_domain(xdm_unconfined_t)
 +')
 diff --git a/policy/modules/system/application.if b/policy/modules/system/application.if
-index 1b6619e..3aed6ad 100644
+index 1b6619e..232be41 100644
 --- a/policy/modules/system/application.if
 +++ b/policy/modules/system/application.if
-@@ -189,6 +189,24 @@ interface(`application_dontaudit_signal',`
+@@ -43,6 +43,27 @@ interface(`application_executable_file',`
+ 	corecmd_executable_file($1)
+ ')
+ 
++#######################################
++## <summary>
++##      Make the specified type usable for files
++##      that are exectuables, such as binary programs.
++##      This does not include shared libraries.
++## </summary>
++## <param name="type">
++##      <summary>
++##      Type to be used for files.
++##      </summary>
++## </param>
++#
++interface(`application_executable_ioctl',`
++        gen_require(`
++                attribute application_exec_type;
++        ')
++
++        allow $1 application_exec_type:file ioctl;
++
++')
++
+ ########################################
+ ## <summary>
+ ## Execute application executables in the caller domain.
+@@ -189,6 +210,24 @@ interface(`application_dontaudit_signal',`
  
  ########################################
  ## <summary>
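Review bot: The XML doc block on the new `application_executable_ioctl` interface is copied from `application_executable_file` and does not describe it: the summary talks about making a type usable for executables (and repeats the `exectuables` typo), and the `<param name="type">` entry says "Type to be used for files", while `$1` here is a domain being granted `ioctl` on `application_exec_type` files. The summary should say something like "Allow the specified domain to ioctl application executable files", with a `<param name="domain">` entry reading "Domain allowed access." as the other interfaces in this file do. The new body is also indented with spaces and has a stray blank line before the closing `')`, where the surrounding interfaces use tabs and no trailing blank.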
@@ -75940,7 +75973,7 @@ index 1b6619e..3aed6ad 100644
  ##	Do not audit attempts to send kill signals
  ##	to all application domains.
  ## </summary>
-@@ -205,3 +223,21 @@ interface(`application_dontaudit_sigkill',`
+@@ -205,3 +244,21 @@ interface(`application_dontaudit_sigkill',`
  
  	dontaudit $1 application_domain_type:process sigkill;
  ')
@@ -76070,7 +76103,7 @@ index 28ad538..82def3d 100644
 -/var/run/user(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
  /var/(db|lib|adm)/sudo(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)
 diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 6ce867a..20a0b0a 100644
+index 6ce867a..ee79c5a 100644
 --- a/policy/modules/system/authlogin.if
 +++ b/policy/modules/system/authlogin.if
 @@ -23,11 +23,17 @@ interface(`auth_role',`
@@ -76195,7 +76228,7 @@ index 6ce867a..20a0b0a 100644
  	auth_use_pam($1)
  
  	init_rw_utmp($1)
-@@ -155,9 +198,84 @@ interface(`auth_login_pgm_domain',`
+@@ -155,13 +198,93 @@ interface(`auth_login_pgm_domain',`
  	seutil_read_config($1)
  	seutil_read_default_contexts($1)
  
@@ -76239,13 +76272,18 @@ index 6ce867a..20a0b0a 100644
 +	')
 +
 +	optional_policy(`
-+		ssh_agent_exec($1)
-+		ssh_read_user_home_files($1)
++		# allow execute tmux
++		screen_exec($1)
 +	')
-+')
 +
-+########################################
-+## <summary>
++	optional_policy(`
++		ssh_agent_exec($1)
++		ssh_read_user_home_files($1)
+ 	')
+ ')
+ 
+ ########################################
+ ## <summary>
 +##	Read authlogin state files.
 +## </summary>
 +## <param name="domain">
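Review bot: `screen_exec($1)` is added inside `auth_login_pgm_domain` (per the hunk header), so it applies to every domain that calls this interface, not only `local_login_t` as the changelog entry says; if tmux execution is only needed for local logins, the rule belongs in the local login policy rather than in the shared login-program interface. The comment `# allow execute tmux` should also explain why a `screen_*` interface is used — presumably tmux is labeled `screen_exec_t`, which the comment could state once confirmed. The interface definition starts before the hunk.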
@@ -76276,13 +76314,17 @@ index 6ce867a..20a0b0a 100644
 +interface(`authlogin_rw_pipes',`
 +	gen_require(`
 +		attribute polydomain;
- 	')
++	')
 +
 +	allow $1 polydomain:fifo_file rw_inherited_fifo_file_perms;
- ')
- 
- ########################################
-@@ -395,13 +513,15 @@ interface(`auth_domtrans_chk_passwd',`
++')
++
++########################################
++## <summary>
+ ##	Use the login program as an entry point program.
+ ## </summary>
+ ## <param name="domain">
+@@ -395,13 +518,15 @@ interface(`auth_domtrans_chk_passwd',`
  	')
  
  	optional_policy(`
@@ -76299,7 +76341,7 @@ index 6ce867a..20a0b0a 100644
  ')
  
  ########################################
-@@ -448,6 +568,25 @@ interface(`auth_run_chk_passwd',`
+@@ -448,6 +573,25 @@ interface(`auth_run_chk_passwd',`
  
  	auth_domtrans_chk_passwd($1)
  	role $2 types chkpwd_t;
@@ -76325,7 +76367,7 @@ index 6ce867a..20a0b0a 100644
  ')
  
  ########################################
-@@ -467,7 +606,6 @@ interface(`auth_domtrans_upd_passwd',`
+@@ -467,7 +611,6 @@ interface(`auth_domtrans_upd_passwd',`
  
  	domtrans_pattern($1, updpwd_exec_t, updpwd_t)
  	auth_dontaudit_read_shadow($1)
@@ -76333,7 +76375,7 @@ index 6ce867a..20a0b0a 100644
  ')
  
  ########################################
-@@ -664,6 +802,10 @@ interface(`auth_manage_shadow',`
+@@ -664,6 +807,10 @@ interface(`auth_manage_shadow',`
  
  	allow $1 shadow_t:file manage_file_perms;
  	typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
@@ -76344,7 +76386,7 @@ index 6ce867a..20a0b0a 100644
  ')
  
  #######################################
-@@ -763,7 +905,50 @@ interface(`auth_rw_faillog',`
+@@ -763,7 +910,50 @@ interface(`auth_rw_faillog',`
  	')
  
  	logging_search_logs($1)
@@ -76396,7 +76438,7 @@ index 6ce867a..20a0b0a 100644
  ')
  
  #######################################
-@@ -959,9 +1144,30 @@ interface(`auth_manage_var_auth',`
+@@ -959,9 +1149,30 @@ interface(`auth_manage_var_auth',`
  	')
  
  	files_search_var($1)
@@ -76430,7 +76472,7 @@ index 6ce867a..20a0b0a 100644
  ')
  
  ########################################
-@@ -1040,6 +1246,10 @@ interface(`auth_manage_pam_pid',`
+@@ -1040,6 +1251,10 @@ interface(`auth_manage_pam_pid',`
  	files_search_pids($1)
  	allow $1 pam_var_run_t:dir manage_dir_perms;
  	allow $1 pam_var_run_t:file manage_file_perms;
@@ -76441,7 +76483,7 @@ index 6ce867a..20a0b0a 100644
  ')
  
  ########################################
-@@ -1157,6 +1367,7 @@ interface(`auth_manage_pam_console_data',`
+@@ -1157,6 +1372,7 @@ interface(`auth_manage_pam_console_data',`
  	files_search_pids($1)
  	manage_files_pattern($1, pam_var_console_t, pam_var_console_t)
  	manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t)
@@ -76449,7 +76491,7 @@ index 6ce867a..20a0b0a 100644
  ')
  
  #######################################
-@@ -1526,6 +1737,25 @@ interface(`auth_setattr_login_records',`
+@@ -1526,6 +1742,25 @@ interface(`auth_setattr_login_records',`
  
  ########################################
  ## <summary>
@@ -76475,7 +76517,7 @@ index 6ce867a..20a0b0a 100644
  ##	Read login records files (/var/log/wtmp).
  ## </summary>
  ## <param name="domain">
-@@ -1676,37 +1906,49 @@ interface(`auth_manage_login_records',`
+@@ -1676,37 +1911,49 @@ interface(`auth_manage_login_records',`
  
  	logging_rw_generic_log_dirs($1)
  	allow $1 wtmp_t:file manage_file_perms;
@@ -76535,7 +76577,7 @@ index 6ce867a..20a0b0a 100644
  ##	</p>
  ## </desc>
  ## <param name="domain">
-@@ -1714,87 +1956,206 @@ interface(`auth_relabel_login_records',`
+@@ -1714,87 +1961,206 @@ interface(`auth_relabel_login_records',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -77435,7 +77477,7 @@ index d2e40b8..3ba2e4c 100644
  ')
 +/var/run/systemd(/.*)?		gen_context(system_u:object_r:init_var_run_t,s0)
 diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index d26fe81..e07c6b7 100644
+index d26fe81..3ff8fef 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
 @@ -79,6 +79,44 @@ interface(`init_script_domain',`
@@ -77594,7 +77636,7 @@ index d26fe81..e07c6b7 100644
  	')
  ')
  
-@@ -336,22 +384,23 @@ interface(`init_ranged_daemon_domain',`
+@@ -336,22 +384,25 @@ interface(`init_ranged_daemon_domain',`
  #
  interface(`init_system_domain',`
  	gen_require(`
@@ -77603,6 +77645,7 @@ index d26fe81..e07c6b7 100644
  		role system_r;
 +		attribute initrc_transition_domain;
 +		attribute systemprocess;
++		attribute initrc_domain;
  	')
  
 +	typeattribute $1 systemprocess;
@@ -77612,6 +77655,7 @@ index d26fe81..e07c6b7 100644
  
 -	domtrans_pattern(initrc_t, $2, $1)
 +	domtrans_pattern(initrc_t,$2,$1)
++	domtrans_pattern(initrc_domain, $2,$1)
  
 -	ifdef(`hide_broken_symptoms',`
 -		# RHEL4 systems seem to have a stray
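Review bot: The new `domtrans_pattern(initrc_domain, $2,$1)` in `init_system_domain` is spaced inconsistently with the line above it and should read `domtrans_pattern(initrc_domain, $2, $1)`. More substantively, it lets every type carrying the `initrc_domain` attribute transition into every system domain defined through this interface; if `initrc_t` itself carries that attribute, the preceding `domtrans_pattern(initrc_t,$2,$1)` becomes redundant, and either way a one-line comment on why the broader transition is needed would help the next reader. The matching `attribute initrc_domain;` is added to `gen_require` in the preceding hunk; the interface continues outside both.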
@@ -77625,7 +77669,7 @@ index d26fe81..e07c6b7 100644
  	')
  ')
  
-@@ -401,20 +450,41 @@ interface(`init_system_domain',`
+@@ -401,20 +452,41 @@ interface(`init_system_domain',`
  interface(`init_ranged_system_domain',`
  	gen_require(`
  		type initrc_t;
@@ -77667,7 +77711,7 @@ index d26fe81..e07c6b7 100644
  ########################################
  ## <summary>
  ##	Execute init (/sbin/init) with a domain transition.
-@@ -442,7 +512,6 @@ interface(`init_domtrans',`
+@@ -442,7 +514,6 @@ interface(`init_domtrans',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -77675,7 +77719,7 @@ index d26fe81..e07c6b7 100644
  #
  interface(`init_exec',`
  	gen_require(`
-@@ -451,6 +520,29 @@ interface(`init_exec',`
+@@ -451,6 +522,29 @@ interface(`init_exec',`
  
  	corecmd_search_bin($1)
  	can_exec($1, init_exec_t)
@@ -77705,7 +77749,7 @@ index d26fe81..e07c6b7 100644
  ')
  
  ########################################
-@@ -539,6 +631,24 @@ interface(`init_sigchld',`
+@@ -539,6 +633,24 @@ interface(`init_sigchld',`
  
  ########################################
  ## <summary>
@@ -77730,7 +77774,7 @@ index d26fe81..e07c6b7 100644
  ##	Connect to init with a unix socket.
  ## </summary>
  ## <param name="domain">
-@@ -549,10 +659,66 @@ interface(`init_sigchld',`
+@@ -549,10 +661,66 @@ interface(`init_sigchld',`
  #
  interface(`init_stream_connect',`
  	gen_require(`
@@ -77799,7 +77843,7 @@ index d26fe81..e07c6b7 100644
  ')
  
  ########################################
-@@ -718,19 +884,25 @@ interface(`init_telinit',`
+@@ -718,19 +886,25 @@ interface(`init_telinit',`
  		type initctl_t;
  	')
  
@@ -77826,7 +77870,7 @@ index d26fe81..e07c6b7 100644
  	')
  ')
  
-@@ -760,7 +932,7 @@ interface(`init_rw_initctl',`
+@@ -760,7 +934,7 @@ interface(`init_rw_initctl',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -77835,7 +77879,7 @@ index d26fe81..e07c6b7 100644
  ##	</summary>
  ## </param>
  #
-@@ -803,11 +975,12 @@ interface(`init_script_file_entry_type',`
+@@ -803,11 +977,12 @@ interface(`init_script_file_entry_type',`
  #
  interface(`init_spec_domtrans_script',`
  	gen_require(`
@@ -77850,7 +77894,7 @@ index d26fe81..e07c6b7 100644
  
  	ifdef(`distro_gentoo',`
  		gen_require(`
-@@ -818,11 +991,11 @@ interface(`init_spec_domtrans_script',`
+@@ -818,11 +993,11 @@ interface(`init_spec_domtrans_script',`
  	')
  
  	ifdef(`enable_mcs',`
@@ -77864,7 +77908,7 @@ index d26fe81..e07c6b7 100644
  	')
  ')
  
-@@ -838,19 +1011,41 @@ interface(`init_spec_domtrans_script',`
+@@ -838,19 +1013,41 @@ interface(`init_spec_domtrans_script',`
  #
  interface(`init_domtrans_script',`
  	gen_require(`
@@ -77910,7 +77954,7 @@ index d26fe81..e07c6b7 100644
  ')
  
  ########################################
-@@ -906,9 +1101,14 @@ interface(`init_script_file_domtrans',`
+@@ -906,9 +1103,14 @@ interface(`init_script_file_domtrans',`
  interface(`init_labeled_script_domtrans',`
  	gen_require(`
  		type initrc_t;
@@ -77925,7 +77969,7 @@ index d26fe81..e07c6b7 100644
  	files_search_etc($1)
  ')
  
-@@ -999,7 +1199,9 @@ interface(`init_ptrace',`
+@@ -999,7 +1201,9 @@ interface(`init_ptrace',`
  		type init_t;
  	')
  
@@ -77936,7 +77980,7 @@ index d26fe81..e07c6b7 100644
  ')
  
  ########################################
-@@ -1117,6 +1319,24 @@ interface(`init_read_all_script_files',`
+@@ -1117,6 +1321,24 @@ interface(`init_read_all_script_files',`
  
  #######################################
  ## <summary>
@@ -77961,7 +78005,7 @@ index d26fe81..e07c6b7 100644
  ##	Dontaudit read all init script files.
  ## </summary>
  ## <param name="domain">
-@@ -1168,12 +1388,7 @@ interface(`init_read_script_state',`
+@@ -1168,12 +1390,7 @@ interface(`init_read_script_state',`
  	')
  
  	kernel_search_proc($1)
@@ -77975,7 +78019,7 @@ index d26fe81..e07c6b7 100644
  ')
  
  ########################################
-@@ -1413,6 +1628,27 @@ interface(`init_dbus_send_script',`
+@@ -1413,6 +1630,27 @@ interface(`init_dbus_send_script',`
  ########################################
  ## <summary>
  ##	Send and receive messages from
@@ -78003,7 +78047,7 @@ index d26fe81..e07c6b7 100644
  ##	init scripts over dbus.
  ## </summary>
  ## <param name="domain">
-@@ -1499,6 +1735,25 @@ interface(`init_getattr_script_status_files',`
+@@ -1499,6 +1737,25 @@ interface(`init_getattr_script_status_files',`
  
  ########################################
  ## <summary>
@@ -78029,7 +78073,7 @@ index d26fe81..e07c6b7 100644
  ##	Do not audit attempts to read init script
  ##	status files.
  ## </summary>
-@@ -1557,6 +1812,24 @@ interface(`init_rw_script_tmp_files',`
+@@ -1557,6 +1814,24 @@ interface(`init_rw_script_tmp_files',`
  
  ########################################
  ## <summary>
@@ -78054,7 +78098,7 @@ index d26fe81..e07c6b7 100644
  ##	Create files in a init script
  ##	temporary data directory.
  ## </summary>
-@@ -1629,6 +1902,43 @@ interface(`init_read_utmp',`
+@@ -1629,6 +1904,43 @@ interface(`init_read_utmp',`
  
  ########################################
  ## <summary>
@@ -78098,7 +78142,7 @@ index d26fe81..e07c6b7 100644
  ##	Do not audit attempts to write utmp.
  ## </summary>
  ## <param name="domain">
-@@ -1717,7 +2027,7 @@ interface(`init_dontaudit_rw_utmp',`
+@@ -1717,7 +2029,7 @@ interface(`init_dontaudit_rw_utmp',`
  		type initrc_var_run_t;
  	')
  
@@ -78107,7 +78151,7 @@ index d26fe81..e07c6b7 100644
  ')
  
  ########################################
-@@ -1758,6 +2068,128 @@ interface(`init_pid_filetrans_utmp',`
+@@ -1758,6 +2070,128 @@ interface(`init_pid_filetrans_utmp',`
  	files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
  ')
  
@@ -78236,7 +78280,7 @@ index d26fe81..e07c6b7 100644
  ########################################
  ## <summary>
  ##	Allow the specified domain to connect to daemon with a tcp socket
-@@ -1792,3 +2224,284 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1792,3 +2226,284 @@ interface(`init_udp_recvfrom_all_daemons',`
  	')
  	corenet_udp_recvfrom_labeled($1, daemon)
  ')
@@ -79715,7 +79759,7 @@ index 0d4c8d3..9d66bf7 100644
  
  ########################################
 diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index fac0a01..6af70bb 100644
+index fac0a01..002b264 100644
 --- a/policy/modules/system/ipsec.te
 +++ b/policy/modules/system/ipsec.te
 @@ -73,13 +73,15 @@ role system_r types setkey_t;
@@ -79772,7 +79816,13 @@ index fac0a01..6af70bb 100644
  term_use_console(ipsec_t)
  term_dontaudit_use_all_ttys(ipsec_t)
  
-@@ -169,6 +175,8 @@ logging_send_syslog_msg(ipsec_t)
+@@ -164,11 +170,14 @@ auth_use_nsswitch(ipsec_t)
+ init_use_fds(ipsec_t)
+ init_use_script_ptys(ipsec_t)
+ 
++logging_read_all_logs(ipsec_mgmt_t)
+ logging_send_syslog_msg(ipsec_t)
+ 
  miscfiles_read_localization(ipsec_t)
  
  sysnet_domtrans_ifconfig(ipsec_t)
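Review bot: `logging_read_all_logs(ipsec_mgmt_t)` is inserted in the `ipsec_t` block, between `init_use_script_ptys(ipsec_t)` and `logging_send_syslog_msg(ipsec_t)`, while the file has a dedicated `ipsec_mgmt Local policy` section further down; the rule should move there so a reader looking at ipsec_mgmt_t's permissions finds it. It also grants read access to every log type, which is broad for a management script; if a specific log is what is needed, a narrower interface with a comment naming it would be preferable — the hunk does not show which log is read.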
@@ -79781,7 +79831,7 @@ index fac0a01..6af70bb 100644
  
  userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
  userdom_dontaudit_search_user_home_dirs(ipsec_t)
-@@ -186,9 +194,9 @@ optional_policy(`
+@@ -186,9 +195,9 @@ optional_policy(`
  # ipsec_mgmt Local policy
  #
  
@@ -79794,7 +79844,7 @@ index fac0a01..6af70bb 100644
  allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
  allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
  allow ipsec_mgmt_t self:udp_socket create_socket_perms;
-@@ -245,6 +253,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
+@@ -245,6 +254,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
  kernel_getattr_core_if(ipsec_mgmt_t)
  kernel_getattr_message_if(ipsec_mgmt_t)
  
@@ -79811,7 +79861,7 @@ index fac0a01..6af70bb 100644
  files_read_kernel_symbol_table(ipsec_mgmt_t)
  files_getattr_kernel_modules(ipsec_mgmt_t)
  
-@@ -254,6 +272,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
+@@ -254,6 +273,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
  corecmd_exec_bin(ipsec_mgmt_t)
  corecmd_exec_shell(ipsec_mgmt_t)
  
@@ -79820,7 +79870,7 @@ index fac0a01..6af70bb 100644
  dev_read_rand(ipsec_mgmt_t)
  dev_read_urand(ipsec_mgmt_t)
  
-@@ -277,9 +297,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
+@@ -277,9 +298,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
  fs_list_tmpfs(ipsec_mgmt_t)
  
  term_use_console(ipsec_mgmt_t)
@@ -79832,7 +79882,7 @@ index fac0a01..6af70bb 100644
  
  init_read_utmp(ipsec_mgmt_t)
  init_use_script_ptys(ipsec_mgmt_t)
-@@ -297,7 +318,12 @@ sysnet_manage_config(ipsec_mgmt_t)
+@@ -297,7 +319,12 @@ sysnet_manage_config(ipsec_mgmt_t)
  sysnet_domtrans_ifconfig(ipsec_mgmt_t)
  sysnet_etc_filetrans_config(ipsec_mgmt_t)
  
@@ -79846,7 +79896,7 @@ index fac0a01..6af70bb 100644
  
  optional_policy(`
  	consoletype_exec(ipsec_mgmt_t)
-@@ -370,12 +396,12 @@ corecmd_exec_shell(racoon_t)
+@@ -370,12 +397,12 @@ corecmd_exec_shell(racoon_t)
  corecmd_exec_bin(racoon_t)
  
  corenet_all_recvfrom_unlabeled(racoon_t)
@@ -79865,7 +79915,7 @@ index fac0a01..6af70bb 100644
  corenet_udp_bind_isakmp_port(racoon_t)
  corenet_udp_bind_ipsecnat_port(racoon_t)
  
-@@ -404,6 +430,8 @@ miscfiles_read_localization(racoon_t)
+@@ -404,6 +431,8 @@ miscfiles_read_localization(racoon_t)
  
  sysnet_exec_ifconfig(racoon_t)
  
@@ -79874,7 +79924,7 @@ index fac0a01..6af70bb 100644
  auth_can_read_shadow_passwords(racoon_t)
  tunable_policy(`racoon_read_shadow',`
  	auth_tunable_read_shadow(racoon_t)
-@@ -441,5 +469,6 @@ miscfiles_read_localization(setkey_t)
+@@ -441,5 +470,6 @@ miscfiles_read_localization(setkey_t)
  
  seutil_read_config(setkey_t)
  
@@ -80506,7 +80556,7 @@ index 808ba93..f94b80a 100644
 +	files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload~")
 +')
 diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
-index 992d105..501de4e 100644
+index 992d105..e412258 100644
 --- a/policy/modules/system/libraries.te
 +++ b/policy/modules/system/libraries.te
 @@ -59,9 +59,11 @@ optional_policy(`
@@ -80570,7 +80620,7 @@ index 992d105..501de4e 100644
  	optional_policy(`
  		unconfined_dontaudit_rw_tcp_sockets(ldconfig_t)
  	')
-@@ -131,6 +147,10 @@ optional_policy(`
+@@ -131,6 +147,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -80578,10 +80628,14 @@ index 992d105..501de4e 100644
 +')
 +
 +optional_policy(`
++	kdump_manage_kdumpctl_tmp_files(ldconfig_t)
++')
++
++optional_policy(`
  	puppet_rw_tmp(ldconfig_t)
  ')
  
-@@ -141,6 +161,3 @@ optional_policy(`
+@@ -141,6 +165,3 @@ optional_policy(`
  	rpm_manage_script_tmp_files(ldconfig_t)
  ')
  
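Review bot: `kdump_manage_kdumpctl_tmp_files(ldconfig_t)` (and the matching `kdump_manage_kdumpctl_tmp_files(insmod_t)` in the modutils.te hunk below) gives two general-purpose tools create/write/delete rights over another service's temporary files with no comment on why. If this is about files kdumpctl leaves open when it invokes these tools, a read/write or inherited-fd interface would be narrower than manage; if full management really is needed, a one-line comment such as `# kdumpctl runs ldconfig inside its own tmp dir` above each rule would keep the rationale with the grant.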
@@ -82169,7 +82223,7 @@ index 350c450..2debedc 100644
 +	files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep.bin")
 +')
 diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
-index 560d5d9..86a7107 100644
+index 560d5d9..3d8e252 100644
 --- a/policy/modules/system/modutils.te
 +++ b/policy/modules/system/modutils.te
 @@ -5,7 +5,7 @@ policy_module(modutils, 1.12.1)
@@ -82350,7 +82404,7 @@ index 560d5d9..86a7107 100644
  userdom_dontaudit_search_user_home_dirs(insmod_t)
  
  kernel_domtrans_to(insmod_t, insmod_exec_t)
-@@ -184,28 +205,28 @@ optional_policy(`
+@@ -184,28 +205,32 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -82373,11 +82427,15 @@ index 560d5d9..86a7107 100644
  optional_policy(`
 -	mount_domtrans(insmod_t)
 +	hal_write_log(insmod_t)
++')
++
++optional_policy(`
++	hotplug_search_config(insmod_t)
  ')
  
  optional_policy(`
 -	nis_use_ypbind(insmod_t)
-+	hotplug_search_config(insmod_t)
++	kdump_manage_kdumpctl_tmp_files(insmod_t)
  ')
  
  optional_policy(`
@@ -82386,7 +82444,7 @@ index 560d5d9..86a7107 100644
  ')
  
  optional_policy(`
-@@ -225,6 +246,7 @@ optional_policy(`
+@@ -225,6 +250,7 @@ optional_policy(`
  
  optional_policy(`
  	rpm_rw_pipes(insmod_t)
@@ -82394,7 +82452,7 @@ index 560d5d9..86a7107 100644
  ')
  
  optional_policy(`
-@@ -233,6 +255,10 @@ optional_policy(`
+@@ -233,6 +259,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -82405,7 +82463,7 @@ index 560d5d9..86a7107 100644
  	# cjp: why is this needed:
  	dev_rw_xserver_misc(insmod_t)
  
-@@ -293,9 +319,9 @@ logging_send_syslog_msg(update_modules_t)
+@@ -293,9 +323,9 @@ logging_send_syslog_msg(update_modules_t)
  
  miscfiles_read_localization(update_modules_t)
  
@@ -85038,10 +85096,10 @@ index 0000000..161f271
 +/var/run/initramfs(/.*)?	<<none>>
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
 new file mode 100644
-index 0000000..2497606
+index 0000000..6a29fb0
 --- /dev/null
 +++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,697 @@
+@@ -0,0 +1,698 @@
 +## <summary>SELinux policy for systemd components</summary>
 +
 +#######################################
@@ -85512,6 +85570,7 @@ index 0000000..2497606
 +		type systemd_passwd_var_run_t;
 +	')
 +
++	init_search_pid_dirs($1)
 +	manage_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
 +	manage_sock_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
 +
@@ -86685,7 +86744,7 @@ index 0abaf84..8b34dbc 100644
 -/usr/lib/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 -')
 diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
-index db7aabb..2ffcae9 100644
+index db7aabb..4012a61 100644
 --- a/policy/modules/system/unconfined.if
 +++ b/policy/modules/system/unconfined.if
 @@ -12,53 +12,59 @@
@@ -86704,7 +86763,7 @@ index db7aabb..2ffcae9 100644
 +	# Use any Linux capability.
 +
 +	allow $1 self:capability ~{ sys_module };
-+	allow $1 self:capability2 syslog;
++	allow $1 self:capability2 ~{ mac_admin mac_override };
 +	allow $1 self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
  
  	# Transition to myself, to make get_ordered_context_list happy.
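Review bot: The new line `allow $1 self:capability2 ~{ mac_admin mac_override };` turns an explicit grant of `syslog` into a complement set, so every capability2 permission the access vectors define now or gain in a later policy refresh is granted to every caller of this interface without a further policy change; the commit message does not list this widening. It does match the `~{ sys_module }` form used for `capability` just above, but the reason the two MAC capabilities are the ones withheld is not recorded. A comment such as `# mac_admin/mac_override are withheld so unconfined domains stay subject to MLS/MCS constraints` would preserve the intent; if that is not the actual reason, the comment should name the real one. The enclosing interface starts and ends outside this hunk.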
@@ -87487,7 +87546,7 @@ index db75976..ce61aed 100644
 +
 +/var/run/user(/.*)?	gen_context(system_u:object_r:user_tmp_t,s0)
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index e720dcd..4272eef 100644
+index e720dcd..18fff60 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -89293,7 +89352,7 @@ index e720dcd..4272eef 100644
  ')
  
  ########################################
-@@ -1856,6 +2421,60 @@ interface(`userdom_delete_user_home_content_files',`
+@@ -1856,6 +2421,78 @@ interface(`userdom_delete_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -89351,10 +89410,28 @@ index e720dcd..4272eef 100644
 +
 +########################################
 +## <summary>
++##	Delete all files in a user home subdirectory.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`userdom_delete_all_user_home_content',`
++	gen_require(`
++		attribute user_home_type;
++	')
++
++	allow $1 user_home_type:dir_file_class_set delete_file_perms;
++')
++
++########################################
++## <summary>
  ##	Do not audit attempts to write user home files.
  ## </summary>
  ## <param name="domain">
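Review bot: The new interface `userdom_delete_all_user_home_content` grants only `delete_file_perms` on `dir_file_class_set`, so for the `dir` class it yields getattr/unlink but not `rmdir`, and nothing here covers the `remove_name`/`write` on the containing user_home_type directory that unlinking requires; a caller that does not already hold rw_dir_perms on user home directories will still be denied. If the intent (per the commit message, useradd removing everything in a home directory) is whole-tree deletion, something like `allow $1 user_home_type:dir { del_entry_dir_perms rmdir };` alongside the existing line would cover it — the exact permission-set names should be checked against obj_perm_sets.spt. The summary `##	Delete all files in a user home subdirectory.` should also state that directories and other file classes are included, since the interface name and `dir_file_class_set` imply every class.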
-@@ -1887,8 +2506,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1887,8 +2524,7 @@ interface(`userdom_read_user_home_content_symlinks',`
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -89364,7 +89441,7 @@ index e720dcd..4272eef 100644
  ')
  
  ########################################
-@@ -1904,20 +2522,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1904,20 +2540,14 @@ interface(`userdom_read_user_home_content_symlinks',`
  #
  interface(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -89389,7 +89466,7 @@ index e720dcd..4272eef 100644
  
  ########################################
  ## <summary>
-@@ -2018,6 +2630,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
+@@ -2018,6 +2648,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
  
  ########################################
  ## <summary>
@@ -89414,7 +89491,7 @@ index e720dcd..4272eef 100644
  ##	Create, read, write, and delete named pipes
  ##	in a user home subdirectory.
  ## </summary>
-@@ -2250,11 +2880,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2250,11 +2898,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
  #
  interface(`userdom_read_user_tmp_files',`
  	gen_require(`
@@ -89429,7 +89506,7 @@ index e720dcd..4272eef 100644
  	files_search_tmp($1)
  ')
  
-@@ -2274,7 +2904,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2274,7 +2922,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -89438,7 +89515,7 @@ index e720dcd..4272eef 100644
  ')
  
  ########################################
-@@ -2521,6 +3151,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2521,6 +3169,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
  	files_tmp_filetrans($1, user_tmp_t, $2, $3)
  ')
  
@@ -89464,7 +89541,7 @@ index e720dcd..4272eef 100644
  ########################################
  ## <summary>
  ##	Read user tmpfs files.
-@@ -2537,13 +3186,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2537,13 +3204,14 @@ interface(`userdom_read_user_tmpfs_files',`
  	')
  
  	read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -89480,7 +89557,7 @@ index e720dcd..4272eef 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2564,7 +3214,7 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2564,7 +3232,7 @@ interface(`userdom_rw_user_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -89489,7 +89566,7 @@ index e720dcd..4272eef 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2572,14 +3222,30 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2572,19 +3240,17 @@ interface(`userdom_rw_user_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -89503,11 +89580,31 @@ index e720dcd..4272eef 100644
 -	allow $1 user_tmpfs_t:dir list_dir_perms;
 -	fs_search_tmpfs($1)
 +	allow $1 user_tmpfs_t:file rw_inherited_file_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Get the attributes of a user domain tty.
++##	Execute user tmpfs files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -2592,7 +3258,25 @@ interface(`userdom_manage_user_tmpfs_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`userdom_getattr_user_ttys',`
++interface(`userdom_execute_user_tmpfs_files',`
++	gen_require(`
++		type user_tmpfs_t;
++	')
++
++	allow $1 user_tmpfs_t:file execute;
 +')
 +
 +########################################
 +## <summary>
-+##	Execute user tmpfs files.
++##	Get the attributes of a user domain tty.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -89515,20 +89612,14 @@ index e720dcd..4272eef 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`userdom_execute_user_tmpfs_files',`
-+	gen_require(`
-+		type user_tmpfs_t;
-+	')
-+
-+	allow $1 user_tmpfs_t:file execute;
- ')
- 
- ########################################
-@@ -2674,7 +3340,25 @@ interface(`userdom_use_user_ttys',`
++interface(`userdom_getattr_user_ttys',`
+ 	gen_require(`
+ 		type user_tty_device_t;
+ 	')
+@@ -2674,6 +3358,24 @@ interface(`userdom_use_user_ttys',`
  
  ########################################
  ## <summary>
--##	Read and write a user domain pty.
 +##	Read and write a inherited user domain tty.
 +## </summary>
 +## <param name="domain">
@@ -89547,11 +89638,10 @@ index e720dcd..4272eef 100644
 +
 +########################################
 +## <summary>
-+##	Read and write a user domain pty.
+ ##	Read and write a user domain pty.
  ## </summary>
  ## <param name="domain">
- ##	<summary>
-@@ -2692,22 +3376,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2692,22 +3394,34 @@ interface(`userdom_use_user_ptys',`
  
  ########################################
  ## <summary>
@@ -89594,7 +89684,7 @@ index e720dcd..4272eef 100644
  ## </desc>
  ## <param name="domain">
  ##	<summary>
-@@ -2716,14 +3412,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2716,14 +3430,33 @@ interface(`userdom_use_user_ptys',`
  ## </param>
  ## <infoflow type="both" weight="10"/>
  #
@@ -89632,7 +89722,7 @@ index e720dcd..4272eef 100644
  ')
  
  ########################################
-@@ -2742,8 +3457,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2742,8 +3475,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
  		type user_tty_device_t, user_devpts_t;
  	')
  
@@ -89662,7 +89752,7 @@ index e720dcd..4272eef 100644
  ')
  
  ########################################
-@@ -2815,69 +3549,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2815,69 +3567,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
@@ -89763,7 +89853,7 @@ index e720dcd..4272eef 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2885,12 +3618,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -2885,12 +3636,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
  ##	</summary>
  ## </param>
  #
@@ -89778,7 +89868,7 @@ index e720dcd..4272eef 100644
  ')
  
  ########################################
-@@ -2954,7 +3687,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2954,7 +3705,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  
  	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
  	allow unpriv_userdomain $1:fd use;
@@ -89787,7 +89877,7 @@ index e720dcd..4272eef 100644
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
-@@ -2970,29 +3703,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2970,29 +3721,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  #
  interface(`userdom_search_user_home_content',`
  	gen_require(`
@@ -89821,7 +89911,7 @@ index e720dcd..4272eef 100644
  ')
  
  ########################################
-@@ -3074,7 +3791,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3074,7 +3809,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
  		type user_devpts_t;
  	')
  
@@ -89830,7 +89920,7 @@ index e720dcd..4272eef 100644
  ')
  
  ########################################
-@@ -3129,7 +3846,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3129,7 +3864,45 @@ interface(`userdom_write_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -89877,7 +89967,7 @@ index e720dcd..4272eef 100644
  ')
  
  ########################################
-@@ -3147,7 +3902,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
+@@ -3147,7 +3920,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
  		type user_tty_device_t;
  	')
  
@@ -89886,7 +89976,7 @@ index e720dcd..4272eef 100644
  ')
  
  ########################################
-@@ -3166,6 +3921,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3166,6 +3939,7 @@ interface(`userdom_read_all_users_state',`
  	')
  
  	read_files_pattern($1, userdomain, userdomain)
@@ -89894,7 +89984,7 @@ index e720dcd..4272eef 100644
  	kernel_search_proc($1)
  ')
  
-@@ -3242,6 +3998,42 @@ interface(`userdom_signal_all_users',`
+@@ -3242,6 +4016,42 @@ interface(`userdom_signal_all_users',`
  	allow $1 userdomain:process signal;
  ')
  
@@ -89937,7 +90027,7 @@ index e720dcd..4272eef 100644
  ########################################
  ## <summary>
  ##	Send a SIGCHLD signal to all user domains.
-@@ -3262,6 +4054,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3262,6 +4072,24 @@ interface(`userdom_sigchld_all_users',`
  
  ########################################
  ## <summary>
@@ -89962,7 +90052,7 @@ index e720dcd..4272eef 100644
  ##	Create keys for all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3296,3 +4106,1282 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3296,3 +4124,1282 @@ interface(`userdom_dbus_send_all_users',`
  
  	allow $1 userdomain:dbus send_msg;
  ')
@@ -91477,7 +91567,7 @@ index e79d545..101086d 100644
  ')
  
 diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
-index 6e91317..34d96df 100644
+index 6e91317..be530a5 100644
 --- a/policy/support/obj_perm_sets.spt
 +++ b/policy/support/obj_perm_sets.spt
 @@ -28,8 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }')
@@ -91577,7 +91667,7 @@ index 6e91317..34d96df 100644
  
  #
  # Sockets
-@@ -271,3 +278,20 @@ define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept
+@@ -271,3 +278,8 @@ define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept
  # Keys
  #
  define(`manage_key_perms', `{ create link read search setattr view write } ')
@@ -91586,18 +91676,6 @@ index 6e91317..34d96df 100644
 +# Service
 +#
 +define(`manage_service_perms', `{ start stop status reload kill load } ')
-+
-+#
-+# All 
-+#
-+define(`all_capabilities', `{ chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap }
-+')
-+
-+define(`all_nscd_perms', `{ getserv getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost shmemserv } ')
-+define(`all_dbus_perms', `{ acquire_svc send_msg } ')
-+define(`all_passwd_perms', `{ passwd chfn chsh rootok crontab } ')
-+define(`all_service_perms', `{ enable disable manage_service_perms } ')
-+define(`all_association_perms', `{ sendto recvfrom setcontext polmatch } ')
 diff --git a/policy/users b/policy/users
 index c4ebc7e..30d6d7a 100644
 --- a/policy/users
diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch
index 2ee5085..d1693f6 100644
--- a/policy_contrib-rawhide.patch
+++ b/policy_contrib-rawhide.patch
@@ -1560,7 +1560,7 @@ index e81bdbd..63ab279 100644
  
  optional_policy(`
 diff --git a/apache.fc b/apache.fc
-index fd9fa07..2679748 100644
+index fd9fa07..95f6a90 100644
 --- a/apache.fc
 +++ b/apache.fc
 @@ -1,39 +1,54 @@
@@ -1651,7 +1651,7 @@ index fd9fa07..2679748 100644
  
  /var/cache/httpd(/.*)?			gen_context(system_u:object_r:httpd_cache_t,s0)
  /var/cache/lighttpd(/.*)?		gen_context(system_u:object_r:httpd_cache_t,s0)
-@@ -73,31 +92,43 @@ ifdef(`distro_suse', `
+@@ -73,31 +92,44 @@ ifdef(`distro_suse', `
  /var/cache/ssl.*\.sem		--	gen_context(system_u:object_r:httpd_cache_t,s0)
  
  /var/lib/cacti/rra(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -1690,6 +1690,7 @@ index fd9fa07..2679748 100644
 +/var/lib/rt3/data/RT-Shredder(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
 +
  /var/run/apache.*			gen_context(system_u:object_r:httpd_var_run_t,s0)
++/var/run/cherokee\.pid		--	gen_context(system_u:object_r:httpd_var_run_t,s0)
  /var/run/gcache_port		-s	gen_context(system_u:object_r:httpd_var_run_t,s0)
  /var/run/httpd.*			gen_context(system_u:object_r:httpd_var_run_t,s0)
  /var/run/lighttpd(/.*)?			gen_context(system_u:object_r:httpd_var_run_t,s0)
@@ -1699,7 +1700,7 @@ index fd9fa07..2679748 100644
  
  /var/spool/gosa(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
  /var/spool/squirrelmail(/.*)?		gen_context(system_u:object_r:squirrelmail_spool_t,s0)
-@@ -109,3 +140,25 @@ ifdef(`distro_debian', `
+@@ -109,3 +141,25 @@ ifdef(`distro_debian', `
  /var/www/cgi-bin(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
  /var/www/icons(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /var/www/perl(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
@@ -4065,7 +4066,7 @@ index c804110..06a516f 100644
 +	allow $1 arpwatch_unit_file_t:service all_service_perms;
  ')
 diff --git a/arpwatch.te b/arpwatch.te
-index 804135f..613f77f 100644
+index 804135f..0f7ec8d 100644
 --- a/arpwatch.te
 +++ b/arpwatch.te
 @@ -21,6 +21,9 @@ files_tmp_file(arpwatch_tmp_t)
@@ -4082,7 +4083,7 @@ index 804135f..613f77f 100644
  allow arpwatch_t self:udp_socket create_socket_perms;
  allow arpwatch_t self:packet_socket create_socket_perms;
  allow arpwatch_t self:socket create_socket_perms;
-+allow arpwatch_t self:netlink_socket create_socket_perms;;
++allow arpwatch_t self:netlink_socket create_socket_perms;
  
  manage_dirs_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
  manage_files_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
@@ -14234,7 +14235,7 @@ index 0a1a61b..64742c6 100644
  	domain_system_change_exemption($1)
  	role_transition $2 ddclient_initrc_exec_t system_r;
 diff --git a/ddclient.te b/ddclient.te
-index 24ba98a..f744997 100644
+index 24ba98a..32de93f 100644
 --- a/ddclient.te
 +++ b/ddclient.te
 @@ -18,6 +18,9 @@ init_script_file(ddclient_initrc_exec_t)
@@ -14247,7 +14248,13 @@ index 24ba98a..f744997 100644
  type ddclient_var_t;
  files_type(ddclient_var_t)
  
-@@ -37,12 +40,17 @@ allow ddclient_t self:process signal_perms;
+@@ -32,17 +35,23 @@ files_pid_file(ddclient_var_run_t)
+ # Declarations
+ #
+ 
++
+ dontaudit ddclient_t self:capability sys_tty_config;
+ allow ddclient_t self:process signal_perms;
  allow ddclient_t self:fifo_file rw_fifo_file_perms;
  allow ddclient_t self:tcp_socket create_socket_perms;
  allow ddclient_t self:udp_socket create_socket_perms;
@@ -14266,7 +14273,7 @@ index 24ba98a..f744997 100644
  manage_dirs_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
  manage_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
  manage_lnk_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
-@@ -62,6 +70,7 @@ kernel_read_software_raid_state(ddclient_t)
+@@ -62,6 +71,7 @@ kernel_read_software_raid_state(ddclient_t)
  kernel_getattr_core_if(ddclient_t)
  kernel_getattr_message_if(ddclient_t)
  kernel_read_kernel_sysctls(ddclient_t)
@@ -14274,7 +14281,7 @@ index 24ba98a..f744997 100644
  
  corecmd_exec_shell(ddclient_t)
  corecmd_exec_bin(ddclient_t)
-@@ -74,6 +83,8 @@ corenet_tcp_sendrecv_generic_node(ddclient_t)
+@@ -74,6 +84,8 @@ corenet_tcp_sendrecv_generic_node(ddclient_t)
  corenet_udp_sendrecv_generic_node(ddclient_t)
  corenet_tcp_sendrecv_all_ports(ddclient_t)
  corenet_udp_sendrecv_all_ports(ddclient_t)
@@ -14283,7 +14290,7 @@ index 24ba98a..f744997 100644
  corenet_tcp_connect_all_ports(ddclient_t)
  corenet_sendrecv_all_client_packets(ddclient_t)
  
-@@ -89,10 +100,14 @@ files_read_usr_files(ddclient_t)
+@@ -89,10 +101,14 @@ files_read_usr_files(ddclient_t)
  fs_getattr_all_fs(ddclient_t)
  fs_search_auto_mountpoints(ddclient_t)
  
@@ -16456,10 +16463,10 @@ index 0000000..98ba6e1
 +
 +
 diff --git a/dovecot.fc b/dovecot.fc
-index 3a3ecb2..ed55d7c 100644
+index 3a3ecb2..c5c1e32 100644
 --- a/dovecot.fc
 +++ b/dovecot.fc
-@@ -24,6 +24,7 @@ ifdef(`distro_debian',`
+@@ -24,12 +24,13 @@ ifdef(`distro_debian',`
  
  ifdef(`distro_debian', `
  /usr/lib/dovecot/dovecot-auth	--	gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
@@ -16467,6 +16474,13 @@ index 3a3ecb2..ed55d7c 100644
  ')
  
  ifdef(`distro_redhat', `
+ /usr/libexec/dovecot/auth 	--	gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+ /usr/libexec/dovecot/deliver	--	gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
+-/usr/libexec/dovecot/deliver-lda --	gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
++/usr/libexec/dovecot/dovecot-lda --	gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
+ /usr/libexec/dovecot/dovecot-auth --	gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+ ')
+ 
 @@ -37,6 +38,7 @@ ifdef(`distro_redhat', `
  # /var
  #
@@ -16596,7 +16610,7 @@ index e1d7dc5..df96c0d 100644
  	admin_pattern($1, dovecot_var_run_t)
  
 diff --git a/dovecot.te b/dovecot.te
-index 2df7766..0e55b6d 100644
+index 2df7766..d536976 100644
 --- a/dovecot.te
 +++ b/dovecot.te
 @@ -18,7 +18,7 @@ type dovecot_auth_tmp_t;
@@ -16688,17 +16702,15 @@ index 2df7766..0e55b6d 100644
  userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
  userdom_manage_user_home_content_dirs(dovecot_t)
  userdom_manage_user_home_content_files(dovecot_t)
-@@ -152,18 +162,34 @@ userdom_manage_user_home_content_symlinks(dovecot_t)
- userdom_manage_user_home_content_pipes(dovecot_t)
+@@ -153,6 +163,7 @@ userdom_manage_user_home_content_pipes(dovecot_t)
  userdom_manage_user_home_content_sockets(dovecot_t)
  userdom_user_home_dir_filetrans_user_home_content(dovecot_t, { dir file lnk_file fifo_file sock_file })
-+mta_manage_home_rw(dovecot_t)
  
++mta_manage_home_rw(dovecot_t)
  mta_manage_spool(dovecot_t)
-+mta_read_home_rw(dovecot_t)
  
  optional_policy(`
- 	kerberos_keytab_template(dovecot, dovecot_t)
+@@ -160,10 +171,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -16723,7 +16735,7 @@ index 2df7766..0e55b6d 100644
  	seutil_sigchld_newrole(dovecot_t)
  ')
  
-@@ -180,8 +206,8 @@ optional_policy(`
+@@ -180,8 +205,8 @@ optional_policy(`
  # dovecot auth local policy
  #
  
@@ -16734,7 +16746,7 @@ index 2df7766..0e55b6d 100644
  allow dovecot_auth_t self:fifo_file rw_fifo_file_perms;
  allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
  allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
-@@ -190,6 +216,9 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p
+@@ -190,6 +215,9 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p
  
  read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t)
  
@@ -16744,7 +16756,7 @@ index 2df7766..0e55b6d 100644
  manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
  manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
  files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
-@@ -201,9 +230,12 @@ dovecot_stream_connect_auth(dovecot_auth_t)
+@@ -201,9 +229,12 @@ dovecot_stream_connect_auth(dovecot_auth_t)
  kernel_read_all_sysctls(dovecot_auth_t)
  kernel_read_system_state(dovecot_auth_t)
  
@@ -16757,7 +16769,7 @@ index 2df7766..0e55b6d 100644
  dev_read_urand(dovecot_auth_t)
  
  auth_domtrans_chk_passwd(dovecot_auth_t)
-@@ -216,7 +248,8 @@ files_read_usr_files(dovecot_auth_t)
+@@ -216,7 +247,8 @@ files_read_usr_files(dovecot_auth_t)
  files_read_usr_symlinks(dovecot_auth_t)
  files_read_var_lib_files(dovecot_auth_t)
  files_search_tmp(dovecot_auth_t)
@@ -16767,7 +16779,7 @@ index 2df7766..0e55b6d 100644
  
  init_rw_utmp(dovecot_auth_t)
  
-@@ -236,6 +269,8 @@ optional_policy(`
+@@ -236,6 +268,8 @@ optional_policy(`
  optional_policy(`
  	mysql_search_db(dovecot_auth_t)
  	mysql_stream_connect(dovecot_auth_t)
@@ -16776,7 +16788,7 @@ index 2df7766..0e55b6d 100644
  ')
  
  optional_policy(`
-@@ -243,6 +278,8 @@ optional_policy(`
+@@ -243,6 +277,8 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -16785,7 +16797,7 @@ index 2df7766..0e55b6d 100644
  	postfix_search_spool(dovecot_auth_t)
  ')
  
-@@ -250,23 +287,42 @@ optional_policy(`
+@@ -250,23 +286,42 @@ optional_policy(`
  #
  # dovecot deliver local policy
  #
@@ -16830,7 +16842,7 @@ index 2df7766..0e55b6d 100644
  
  miscfiles_read_localization(dovecot_deliver_t)
  
-@@ -283,24 +339,23 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t)
+@@ -283,24 +338,21 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t)
  userdom_manage_user_home_content_sockets(dovecot_deliver_t)
  userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })
  
@@ -16841,8 +16853,11 @@ index 2df7766..0e55b6d 100644
 -	fs_manage_nfs_dirs(dovecot_t)
 -	fs_manage_nfs_files(dovecot_t)
 -	fs_manage_nfs_symlinks(dovecot_t)
--')
 +userdom_home_manager(dovecot_deliver_t)
++
++optional_policy(`
++	gnome_manage_data(dovecot_deliver_t)
+ ')
  
 -tunable_policy(`use_samba_home_dirs',`
 -	fs_manage_cifs_dirs(dovecot_deliver_t)
@@ -16851,21 +16866,16 @@ index 2df7766..0e55b6d 100644
 -	fs_manage_cifs_dirs(dovecot_t)
 -	fs_manage_cifs_files(dovecot_t)
 -	fs_manage_cifs_symlinks(dovecot_t)
++mta_manage_spool(dovecot_deliver_t)
++mta_read_queue(dovecot_deliver_t)
++mta_manage_home_rw(dovecot_deliver_t)
++
 +optional_policy(`
-+	gnome_manage_data(dovecot_deliver_t)
++	postfix_use_fds_master(dovecot_deliver_t)
  ')
  
  optional_policy(`
- 	mta_manage_spool(dovecot_deliver_t)
-+	mta_read_queue(dovecot_deliver_t)
-+	mta_read_home_rw(dovecot_deliver_t)
-+')
-+
-+optional_policy(`
-+	postfix_use_fds_master(dovecot_deliver_t)
-+')
-+
-+optional_policy(`
+-	mta_manage_spool(dovecot_deliver_t)
 +	# Handle sieve scripts
 +	sendmail_domtrans(dovecot_deliver_t)
  ')
@@ -18763,31 +18773,20 @@ index 8fa451c..f3a67c9 100644
  ')
  
 diff --git a/firstboot.te b/firstboot.te
-index c4d8998..2a18d96 100644
+index c4d8998..9101c30 100644
 --- a/firstboot.te
 +++ b/firstboot.te
-@@ -19,6 +19,9 @@ role system_r types firstboot_t;
- type firstboot_etc_t;
- files_config_file(firstboot_etc_t)
- 
-+type firstboot_tmp_t;
-+files_tmp_file(firstboot_tmp_t)
-+
- ########################################
- #
- # Local policy
-@@ -33,6 +36,10 @@ allow firstboot_t self:passwd rootok;
+@@ -33,6 +33,9 @@ allow firstboot_t self:passwd rootok;
  
  allow firstboot_t firstboot_etc_t:file read_file_perms;
  
-+manage_dirs_pattern(firstboot_t, firstboot_tmp_t, firstboot_tmp_t)
-+manage_files_pattern(firstboot_t, firstboot_tmp_t, firstboot_tmp_t)
-+files_tmp_filetrans(firstboot_t, firstboot_tmp_t, { dir file })
++files_manage_generic_tmp_dirs(firstboot_t)
++files_manage_generic_tmp_files(firstboot_t)
 +
  kernel_read_system_state(firstboot_t)
  kernel_read_kernel_sysctls(firstboot_t)
  
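Review bot: Replacing the private `firstboot_tmp_t` type with `files_manage_generic_tmp_dirs`/`files_manage_generic_tmp_files` gives firstboot_t create/read/write/delete access to every generic tmp_t file and directory under /tmp, not only the ones it created, which is a wider grant than the removed type-transition gave. The commit message says this is deliberate so that xauth can write into the directories firstboot creates, but nothing in the hunk records that. A comment above the two new lines, e.g. `# firstboot creates plain tmp_t dirs so that xauth can write its files there`, would keep a later reviewer from re-introducing a private type and breaking that flow.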
-@@ -62,6 +69,8 @@ files_read_usr_files(firstboot_t)
+@@ -62,6 +65,8 @@ files_read_usr_files(firstboot_t)
  files_manage_var_dirs(firstboot_t)
  files_manage_var_files(firstboot_t)
  files_manage_var_symlinks(firstboot_t)
@@ -18796,7 +18795,7 @@ index c4d8998..2a18d96 100644
  
  init_domtrans_script(firstboot_t)
  init_rw_utmp(firstboot_t)
-@@ -75,12 +84,10 @@ logging_send_syslog_msg(firstboot_t)
+@@ -75,12 +80,10 @@ logging_send_syslog_msg(firstboot_t)
  
  miscfiles_read_localization(firstboot_t)
  
@@ -18812,7 +18811,7 @@ index c4d8998..2a18d96 100644
  # Add/remove user home directories
  userdom_manage_user_home_content_dirs(firstboot_t)
  userdom_manage_user_home_content_files(firstboot_t)
-@@ -103,8 +110,18 @@ optional_policy(`
+@@ -103,8 +106,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -18831,7 +18830,7 @@ index c4d8998..2a18d96 100644
  
  optional_policy(`
  	samba_rw_config(firstboot_t)
-@@ -113,7 +130,7 @@ optional_policy(`
+@@ -113,7 +126,7 @@ optional_policy(`
  optional_policy(`
  	unconfined_domtrans(firstboot_t)
  	# The big hammer
@@ -18840,7 +18839,7 @@ index c4d8998..2a18d96 100644
  ')
  
  optional_policy(`
-@@ -125,6 +142,7 @@ optional_policy(`
+@@ -125,6 +138,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -18848,7 +18847,7 @@ index c4d8998..2a18d96 100644
  	gnome_manage_config(firstboot_t)
  ')
  
-@@ -132,4 +150,5 @@ optional_policy(`
+@@ -132,4 +146,5 @@ optional_policy(`
  	xserver_domtrans(firstboot_t)
  	xserver_rw_shm(firstboot_t)
  	xserver_unconfined(firstboot_t)
@@ -25009,21 +25008,23 @@ index 0000000..f9b9c0f
 +')
 +
 diff --git a/kdump.fc b/kdump.fc
-index c66934f..9f05409 100644
+index c66934f..dd91210 100644
 --- a/kdump.fc
 +++ b/kdump.fc
-@@ -3,3 +3,9 @@
+@@ -3,3 +3,11 @@
  
  /sbin/kdump		--	gen_context(system_u:object_r:kdump_exec_t,s0)
  /sbin/kexec		--	gen_context(system_u:object_r:kdump_exec_t,s0)
 +
-+/usr/lib/systemd/system/kdump.* 		--	gen_context(system_u:object_r:iptables_unit_file_t,s0)
 +
++/usr/lib/systemd/system/kdump\.service           --      gen_context(system_u:object_r:kdumpctl_unit_file_t,s0)
++
++/usr/bin/kdumpctl               --      gen_context(system_u:object_r:kdumpctl_exec_t,s0)
 +/usr/sbin/kdump		--	gen_context(system_u:object_r:kdump_exec_t,s0)
 +/usr/sbin/kexec		--	gen_context(system_u:object_r:kdump_exec_t,s0)
 +
 diff --git a/kdump.if b/kdump.if
-index 4198ff5..9bf4898 100644
+index 4198ff5..d1ab262 100644
 --- a/kdump.if
 +++ b/kdump.if
 @@ -37,6 +37,30 @@ interface(`kdump_initrc_domtrans',`
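Review bot: The new file-context entry labels `kdump\.service` as `kdumpctl_unit_file_t`, while `kdump_admin` (visible as context in the kdump.if hunk further down) grants `all_service_perms` on `kdump_unit_file_t`, so as far as this page shows the admin interface controls a type no unit file carries and the type actually applied is not administrable. Unless another fc entry outside this diff uses `kdump_unit_file_t`, one of the two should be aligned, e.g. `allow $1 kdumpctl_unit_file_t:service all_service_perms;` in kdump_admin, or the two unit-file types collapsed into one. The two new lines also align their fields with runs of spaces, unlike the surrounding entries, which use tabs.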
@@ -25082,7 +25083,35 @@ index 4198ff5..9bf4898 100644
  ####################################
  ## <summary>
  ##	Manage kdump configuration file.
-@@ -96,10 +138,14 @@ interface(`kdump_admin',`
+@@ -75,6 +117,27 @@ interface(`kdump_manage_config',`
+ 	allow $1 kdump_etc_t:file manage_file_perms;
+ ')
+ 
++###################################
++## <summary>
++##      Manage kdump /var/tmp files.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`kdump_manage_kdumpctl_tmp_files',`
++        gen_require(`
++                type kdumpctl_tmp_t;
++        ')
++
++        files_search_tmp($1)
++        manage_files_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t)
++	manage_dirs_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t)
++	manage_lnk_files_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t)
++')
++
+ ######################################
+ ## <summary>
+ ##	All of the rules required to administrate 
+@@ -96,10 +159,14 @@ interface(`kdump_admin',`
  	gen_require(`
  		type kdump_t, kdump_etc_t;
  		type kdump_initrc_exec_t;
@@ -25098,7 +25127,7 @@ index 4198ff5..9bf4898 100644
  
  	init_labeled_script_domtrans($1, kdump_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -108,4 +154,8 @@ interface(`kdump_admin',`
+@@ -108,4 +175,8 @@ interface(`kdump_admin',`
  
  	files_search_etc($1)
  	admin_pattern($1, kdump_etc_t)
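Review bot: The summary of the new `kdump_manage_kdumpctl_tmp_files` interface says `Manage kdump /var/tmp files.`, but the body calls `files_search_tmp($1)` and the type is declared with `files_tmp_file(kdumpctl_tmp_t)` in the kdump.te hunk below, i.e. generic /tmp, so the doc should read `##	Manage kdumpctl temporary files.` The block also mixes eight-space indentation (the `gen_require` block and the first two body lines) with the tab indentation used by the rest of the file and by its own last two lines. The interface itself is complete within the hunk.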
@@ -25108,20 +25137,31 @@ index 4198ff5..9bf4898 100644
 +	allow $1 kdump_unit_file_t:service all_service_perms;
  ')
 diff --git a/kdump.te b/kdump.te
-index b29d8e2..ed79499 100644
+index b29d8e2..c1b4a64 100644
 --- a/kdump.te
 +++ b/kdump.te
-@@ -15,6 +15,9 @@ files_config_file(kdump_etc_t)
+@@ -15,6 +15,20 @@ files_config_file(kdump_etc_t)
  type kdump_initrc_exec_t;
  init_script_file(kdump_initrc_exec_t)
  
 +type kdump_unit_file_t;
 +systemd_unit_file(kdump_unit_file_t)
 +
++type kdumpctl_t;
++type kdumpctl_exec_t;
++init_daemon_domain(kdumpctl_t, kdumpctl_exec_t)
++init_initrc_domain(kdumpctl_t)
++
++type kdumpctl_unit_file_t;
++systemd_unit_file(kdumpctl_unit_file_t)
++
++type kdumpctl_tmp_t;
++files_tmp_file(kdumpctl_tmp_t)
++
  #####################################
  #
  # kdump local policy
-@@ -24,6 +27,7 @@ allow kdump_t self:capability { sys_boot dac_override };
+@@ -24,6 +38,7 @@ allow kdump_t self:capability { sys_boot dac_override };
  
  read_files_pattern(kdump_t, kdump_etc_t, kdump_etc_t)
  
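Review bot: `init_initrc_domain(kdumpctl_t)` adds kdumpctl_t to the initrc_domain attribute, which, if I read this policy's init.if correctly, is the source attribute of every `init_daemon_domain` transition and so lets kdumpctl_t enter any daemon domain on exec — far broader than the `kdump_domtrans(kdumpctl_t)` and `modutils_domtrans_insmod(kdumpctl_t)` the local policy below asks for explicitly. The same commit removes initrc_domain from tomcat, so the choice here deserves either a comment stating which transitions kdumpctl actually needs or replacement by those explicit domtrans calls. Separately, the `all_service_perms` used by kdump_admin in this hunk's context is one of the definitions the policy-rawhide.patch hunk for obj_perm_sets.spt stops adding; unless it is now defined elsewhere, the admin interface will fail to build. The kdumpctl local policy block is cut off at the end of this page.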
@@ -25129,6 +25169,91 @@ index b29d8e2..ed79499 100644
  files_read_etc_runtime_files(kdump_t)
  files_read_kernel_img(kdump_t)
  
+@@ -36,3 +51,84 @@ dev_read_framebuffer(kdump_t)
+ dev_read_sysfs(kdump_t)
+ 
+ term_use_console(kdump_t)
++
++#######################################
++#
++# kdumpctl local policy
++#
++
++#cjp:almost all rules are needed by dracut
++
++kdump_domtrans(kdumpctl_t)
++
++allow kdumpctl_t self:capability dac_override;
++allow kdumpctl_t self:process setfscreate;
++
++allow kdumpctl_t self:fifo_file rw_fifo_file_perms;
++allow kdumpctl_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t)
++manage_files_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t)
++manage_lnk_files_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t)
++files_tmp_filetrans(kdumpctl_t, kdumpctl_tmp_t, { file dir lnk_file })
++
++read_files_pattern(kdumpctl_t, kdump_etc_t, kdump_etc_t)
++
++kernel_read_system_state(kdumpctl_t)
++
++corecmd_exec_bin(kdumpctl_t)
++corecmd_exec_shell(kdumpctl_t)
++
++dev_read_sysfs(kdumpctl_t)
++# dracut
++dev_manage_all_dev_nodes(kdumpctl_t)
++
++domain_use_interactive_fds(kdumpctl_t)
++
++files_create_kernel_img(kdumpctl_t)
++files_read_etc_files(kdumpctl_t)
++files_read_etc_runtime_files(kdumpctl_t)
++files_read_usr_files(kdumpctl_t)
++files_read_kernel_modules(kdumpctl_t)
++files_getattr_all_dirs(kdumpctl_t)
++
++fs_getattr_all_fs(kdumpctl_t)
++
++application_executable_ioctl(kdumpctl_t)
++
++auth_read_passwd(kdumpctl_t)
++
++init_exec(kdumpctl_t)
++systemd_exec_systemctl(kdumpctl_t)
++
++libs_exec_ld_so(kdumpctl_t)
++
++logging_send_syslog_msg(kdumpctl_t)
++
++miscfiles_read_localization(kdumpctl_t)
++
++optional_policy(`
++        gpg_exec(kdumpctl_t)
++')
++
++optional_policy(`
++        lvm_read_config(kdumpctl_t)
++')
++
++optional_policy(`
++        modutils_domtrans_insmod(kdumpctl_t)
++        modutils_list_module_config(kdumpctl_t)
++        modutils_read_module_config(kdumpctl_t)
++')
++
++optional_policy(`
++        plymouthd_domtrans_plymouth(kdumpctl_t)
++')
++
++optional_policy(`
++        ssh_exec(kdumpctl_t)
++')
++
++optional_policy(`
++	unconfined_domain(kdumpctl_t)
++')
 diff --git a/kdumpgui.te b/kdumpgui.te
 index 0c52f60..a085fbd 100644
 --- a/kdumpgui.te
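Review bot: `unconfined_domain(kdumpctl_t)` in the last optional_policy of the kdumpctl section makes every rule above it moot on any build that ships the unconfined module, since kdumpctl_t then receives the unconfined attributes and the careful allow list is never consulted. If the goal is to actually confine kdumpctl, remove that optional_policy and instead document the two broad grants it currently masks — `dev_manage_all_dev_nodes(kdumpctl_t)` and the `corecmd_exec_bin`/`corecmd_exec_shell` pair — with a comment naming the dracut step each one serves (the `#cjp:almost all rules are needed by dracut` line does not say which). If this is a deliberate bootstrap while dracut is being profiled, say so next to it, e.g. `# TODO: drop once dracut has its own domain; keeps kdumpctl effectively unconfined`.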
@@ -30165,7 +30290,7 @@ index b397fde..30bfefb 100644
 +')
 +
 diff --git a/mozilla.te b/mozilla.te
-index 0724816..0749777 100644
+index 0724816..8a17b85 100644
 --- a/mozilla.te
 +++ b/mozilla.te
 @@ -12,14 +12,22 @@ policy_module(mozilla, 2.5.3)
@@ -30293,7 +30418,7 @@ index 0724816..0749777 100644
  	pulseaudio_stream_connect(mozilla_t)
  	pulseaudio_manage_home_files(mozilla_t)
  ')
-@@ -297,25 +316,33 @@ optional_policy(`
+@@ -297,25 +316,35 @@ optional_policy(`
  # mozilla_plugin local policy
  #
  
@@ -30325,17 +30450,19 @@ index 0724816..0749777 100644
  
  manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
  manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
++manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
  manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
 -files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file })
 -userdom_user_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file })
 +manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
 +files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file })
 +userdom_user_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file })
++xserver_xdm_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file lnk_file })
 +can_exec(mozilla_plugin_t, mozilla_plugin_tmp_t)
  
  manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
  manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
-@@ -323,31 +350,47 @@ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plug
+@@ -323,31 +352,47 @@ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plug
  manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
  fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
  
@@ -30389,7 +30516,7 @@ index 0724816..0749777 100644
  dev_read_video_dev(mozilla_plugin_t)
  dev_write_video_dev(mozilla_plugin_t)
  dev_read_sysfs(mozilla_plugin_t)
-@@ -356,6 +399,7 @@ dev_write_sound(mozilla_plugin_t)
+@@ -356,6 +401,7 @@ dev_write_sound(mozilla_plugin_t)
  # for nvidia driver
  dev_rw_xserver_misc(mozilla_plugin_t)
  dev_dontaudit_rw_dri(mozilla_plugin_t)
@@ -30397,7 +30524,7 @@ index 0724816..0749777 100644
  
  domain_use_interactive_fds(mozilla_plugin_t)
  domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
-@@ -363,15 +407,22 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
+@@ -363,15 +409,23 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
  files_read_config_files(mozilla_plugin_t)
  files_read_usr_files(mozilla_plugin_t)
  files_list_mnt(mozilla_plugin_t)
@@ -30415,12 +30542,13 @@ index 0724816..0749777 100644
  
 +init_dontaudit_getattr_initctl(mozilla_plugin_t)
 +
++libs_exec_ld_so(mozilla_plugin_t)
 +libs_exec_lib_files(mozilla_plugin_t)
 +
  logging_send_syslog_msg(mozilla_plugin_t)
  
  miscfiles_read_localization(mozilla_plugin_t)
-@@ -384,35 +435,27 @@ sysnet_dns_name_resolve(mozilla_plugin_t)
+@@ -384,35 +438,27 @@ sysnet_dns_name_resolve(mozilla_plugin_t)
  
  term_getattr_all_ttys(mozilla_plugin_t)
  term_getattr_all_ptys(mozilla_plugin_t)
@@ -30468,7 +30596,7 @@ index 0724816..0749777 100644
  
  optional_policy(`
  	alsa_read_rw_config(mozilla_plugin_t)
-@@ -422,24 +465,36 @@ optional_policy(`
+@@ -422,24 +468,36 @@ optional_policy(`
  optional_policy(`
  	dbus_system_bus_client(mozilla_plugin_t)
  	dbus_session_bus_client(mozilla_plugin_t)
@@ -30509,7 +30637,7 @@ index 0724816..0749777 100644
  ')
  
  optional_policy(`
-@@ -447,10 +502,102 @@ optional_policy(`
+@@ -447,10 +505,102 @@ optional_policy(`
  	pulseaudio_stream_connect(mozilla_plugin_t)
  	pulseaudio_setattr_home_dir(mozilla_plugin_t)
  	pulseaudio_manage_home_files(mozilla_plugin_t)
@@ -31008,7 +31136,7 @@ index afa18c8..f6e2bb8 100644
 +/var/spool/mqueue\.in(/.*)?	gen_context(system_u:object_r:mqueue_spool_t,s0)
  /var/spool/mail(/.*)?		gen_context(system_u:object_r:mail_spool_t,s0)
 diff --git a/mta.if b/mta.if
-index 4e2a5ba..d5a1725 100644
+index 4e2a5ba..68e2429 100644
 --- a/mta.if
 +++ b/mta.if
 @@ -37,6 +37,7 @@ interface(`mta_stub',`
@@ -31415,7 +31543,7 @@ index 4e2a5ba..d5a1725 100644
  ##	Read sendmail binary.
  ## </summary>
  ## <param name="domain">
-@@ -901,3 +983,169 @@ interface(`mta_rw_user_mail_stream_sockets',`
+@@ -901,3 +983,170 @@ interface(`mta_rw_user_mail_stream_sockets',`
  
  	allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
  ')
@@ -31508,6 +31636,7 @@ index 4e2a5ba..d5a1725 100644
 +        userdom_search_user_home_dirs($1)
 +	manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
 +	manage_dirs_pattern($1, mail_home_rw_t, mail_home_rw_t)
++	read_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
 +	userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
 +
 +        ifdef(`distro_redhat',`
@@ -33700,7 +33829,7 @@ index 2324d9e..da61d01 100644
 +	files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireed-settings.conf")
 +')
 diff --git a/networkmanager.te b/networkmanager.te
-index 0619395..103f6f8 100644
+index 0619395..ff617f1 100644
 --- a/networkmanager.te
 +++ b/networkmanager.te
 @@ -12,6 +12,15 @@ init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)
@@ -33798,7 +33927,14 @@ index 0619395..103f6f8 100644
  files_read_usr_files(NetworkManager_t)
  files_read_usr_src_files(NetworkManager_t)
  
-@@ -133,30 +165,37 @@ logging_send_syslog_msg(NetworkManager_t)
+@@ -128,35 +160,44 @@ init_domtrans_script(NetworkManager_t)
+ 
+ auth_use_nsswitch(NetworkManager_t)
+ 
++libs_exec_ldconfig(NetworkManager_t)
++
+ logging_send_syslog_msg(NetworkManager_t)
+ 
  miscfiles_read_localization(NetworkManager_t)
  miscfiles_read_generic_certs(NetworkManager_t)
  
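Review bot: `libs_exec_ldconfig(NetworkManager_t)` runs ldconfig inside NetworkManager_t with no domain transition, so any attempt by ldconfig to rewrite the ld.so cache would need write access to that cache type from NetworkManager_t, which this hunk does not grant. Presumably wicd only calls it in a read-only mode, in which case this works; if wicd actually regenerates the cache it will fail here, and `libs_domtrans_ldconfig(NetworkManager_t)` would be the tighter fix, keeping the cache write in ldconfig_t rather than widening NetworkManager_t. Either way a comment above the line saying which wicd step needs ldconfig, e.g. `# wicd runs ldconfig (read-only) from the NetworkManager domain`, would make the choice reviewable.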
@@ -33838,7 +33974,7 @@ index 0619395..103f6f8 100644
  ')
  
  optional_policy(`
-@@ -176,10 +215,17 @@ optional_policy(`
+@@ -176,10 +217,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -33856,7 +33992,7 @@ index 0619395..103f6f8 100644
  	')
  ')
  
-@@ -191,6 +237,7 @@ optional_policy(`
+@@ -191,6 +239,7 @@ optional_policy(`
  	dnsmasq_kill(NetworkManager_t)
  	dnsmasq_signal(NetworkManager_t)
  	dnsmasq_signull(NetworkManager_t)
@@ -33864,7 +34000,7 @@ index 0619395..103f6f8 100644
  ')
  
  optional_policy(`
-@@ -202,23 +249,45 @@ optional_policy(`
+@@ -202,23 +251,45 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -33899,18 +34035,18 @@ index 0619395..103f6f8 100644
  	# Dispatcher starting and stoping ntp
  	ntp_initrc_domtrans(NetworkManager_t)
 +	ntp_systemctl(NetworkManager_t)
-+')
-+
-+optional_policy(`
-+	modutils_domtrans_insmod(NetworkManager_t)
  ')
  
  optional_policy(`
++	modutils_domtrans_insmod(NetworkManager_t)
++')
++
++optional_policy(`
 +	openvpn_read_config(NetworkManager_t)
  	openvpn_domtrans(NetworkManager_t)
  	openvpn_kill(NetworkManager_t)
  	openvpn_signal(NetworkManager_t)
-@@ -234,6 +303,10 @@ optional_policy(`
+@@ -234,6 +305,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -33921,7 +34057,7 @@ index 0619395..103f6f8 100644
  	ppp_initrc_domtrans(NetworkManager_t)
  	ppp_domtrans(NetworkManager_t)
  	ppp_manage_pid_files(NetworkManager_t)
-@@ -241,6 +314,7 @@ optional_policy(`
+@@ -241,6 +316,7 @@ optional_policy(`
  	ppp_signal(NetworkManager_t)
  	ppp_signull(NetworkManager_t)
  	ppp_read_config(NetworkManager_t)
@@ -33929,7 +34065,7 @@ index 0619395..103f6f8 100644
  ')
  
  optional_policy(`
-@@ -254,6 +328,10 @@ optional_policy(`
+@@ -254,6 +330,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -33940,7 +34076,7 @@ index 0619395..103f6f8 100644
  	udev_exec(NetworkManager_t)
  	udev_read_db(NetworkManager_t)
  ')
-@@ -263,6 +341,7 @@ optional_policy(`
+@@ -263,6 +343,7 @@ optional_policy(`
  	vpn_kill(NetworkManager_t)
  	vpn_signal(NetworkManager_t)
  	vpn_signull(NetworkManager_t)
@@ -37720,10 +37856,10 @@ index e9cf8a4..9a7e5dc 100644
  
 diff --git a/piranha.fc b/piranha.fc
 new file mode 100644
-index 0000000..2c7e06f
+index 0000000..20ea9f5
 --- /dev/null
 +++ b/piranha.fc
-@@ -0,0 +1,26 @@
+@@ -0,0 +1,24 @@
 +
 +/etc/rc\.d/init\.d/pulse	--	gen_context(system_u:object_r:piranha_pulse_initrc_exec_t,s0)
 +
@@ -37732,8 +37868,6 @@ index 0000000..2c7e06f
 +
 +/etc/piranha/lvs\.cf		--	gen_context(system_u:object_r:piranha_etc_rw_t,s0)
 +
-+/usr/bin/paster         --      gen_context(system_u:object_r:piranha_web_exec_t,s0)
-+
 +/usr/sbin/fos               --  gen_context(system_u:object_r:piranha_fos_exec_t,s0)
 +/usr/sbin/lvsd				--	gen_context(system_u:object_r:piranha_lvs_exec_t,s0)
 +/usr/sbin/piranha_gui		--	gen_context(system_u:object_r:piranha_web_exec_t,s0)
@@ -40120,7 +40254,7 @@ index 46bee12..99499ef 100644
 +	postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
 +')
 diff --git a/postfix.te b/postfix.te
-index 69cbd06..2f19c1c 100644
+index 69cbd06..080e2e1 100644
 --- a/postfix.te
 +++ b/postfix.te
 @@ -1,10 +1,19 @@
@@ -40541,7 +40675,7 @@ index 69cbd06..2f19c1c 100644
  allow postfix_virtual_t self:process { setsched setrlimit };
  
  allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
-@@ -630,3 +732,75 @@ mta_delete_spool(postfix_virtual_t)
+@@ -630,3 +732,76 @@ mta_delete_spool(postfix_virtual_t)
  # For reading spamassasin
  mta_read_config(postfix_virtual_t)
  mta_manage_spool(postfix_virtual_t)
@@ -40563,6 +40697,7 @@ index 69cbd06..2f19c1c 100644
 +allow postfix_domain self:unix_stream_socket connectto;
 +allow postfix_domain self:fifo_file rw_fifo_file_perms;
 +
++allow postfix_master_t postfix_domain:fifo_file { read write };
 +allow postfix_master_t postfix_domain:process signal;
 +#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244456
 +allow postfix_domain postfix_master_t:file read;
@@ -46256,7 +46391,7 @@ index 137605a..7624759 100644
 +	')
  ')
 diff --git a/rhsmcertd.te b/rhsmcertd.te
-index 783f678..d45cfe5 100644
+index 783f678..f82fdec 100644
 --- a/rhsmcertd.te
 +++ b/rhsmcertd.te
 @@ -29,6 +29,9 @@ files_pid_file(rhsmcertd_var_run_t)
@@ -46269,7 +46404,7 @@ index 783f678..d45cfe5 100644
  allow rhsmcertd_t self:fifo_file rw_fifo_file_perms;
  allow rhsmcertd_t self:unix_stream_socket create_stream_socket_perms;
  
-@@ -43,17 +46,24 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
+@@ -43,17 +46,26 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
  
  manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
  manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
@@ -46295,6 +46430,8 @@ index 783f678..d45cfe5 100644
 +miscfiles_read_certs(rhsmcertd_t)
  
  sysnet_dns_name_resolve(rhsmcertd_t)
++
++rpm_read_db(rhsmcertd_t)
 diff --git a/ricci.fc b/ricci.fc
 index 5b08327..ed5dc05 100644
 --- a/ricci.fc
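Review bot: `rpm_read_db(rhsmcertd_t)` is added at top level rather than inside an `optional_policy` block, while the rpm policy is a separate module; on a system where that module is not loaded, the rhsmcertd module will fail to link on the unresolved interface. Every other cross-module call in this patch (for example the lvm and modutils blocks in kdump.te) is wrapped, so this one should be too: `optional_policy(` on its own line, then `rpm_read_db(rhsmcertd_t)` indented, then the closing `')`. A short comment such as `# rhsmcertd checks installed packages` would also record why a certificate daemon reads the rpm database.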
@@ -47168,7 +47305,7 @@ index dddabcf..fa20a5d 100644
 +	allow $1 var_lib_nfs_t:file relabel_file_perms;
  ')
 diff --git a/rpc.te b/rpc.te
-index 19bb611..42ca54c 100644
+index 19bb611..2719eee 100644
 --- a/rpc.te
 +++ b/rpc.te
 @@ -10,7 +10,7 @@ policy_module(rpc, 1.13.1)
@@ -47314,11 +47451,12 @@ index 19bb611..42ca54c 100644
  
  storage_dontaudit_read_fixed_disk(nfsd_t)
  storage_raw_read_removable_device(nfsd_t)
-@@ -148,8 +184,10 @@ storage_raw_read_removable_device(nfsd_t)
+@@ -148,8 +184,11 @@ storage_raw_read_removable_device(nfsd_t)
  # Read access to public_content_t and public_content_rw_t
  miscfiles_read_public_files(nfsd_t)
  
 +userdom_user_home_dir_filetrans_user_home_content(nfsd_t, { file dir })
++userdom_list_user_tmp(nfsd_t)
 +
  # Write access to public_content_t and public_content_rw_t
 -tunable_policy(`allow_nfsd_anon_write',`
@@ -47326,7 +47464,7 @@ index 19bb611..42ca54c 100644
  	miscfiles_manage_public_files(nfsd_t)
  ')
  
-@@ -158,7 +196,6 @@ tunable_policy(`nfs_export_all_rw',`
+@@ -158,7 +197,6 @@ tunable_policy(`nfs_export_all_rw',`
  	dev_getattr_all_chr_files(nfsd_t)
  
  	fs_read_noxattr_fs_files(nfsd_t)
@@ -47334,7 +47472,7 @@ index 19bb611..42ca54c 100644
  ')
  
  tunable_policy(`nfs_export_all_ro',`
-@@ -170,8 +207,11 @@ tunable_policy(`nfs_export_all_ro',`
+@@ -170,8 +208,11 @@ tunable_policy(`nfs_export_all_ro',`
  
  	fs_read_noxattr_fs_files(nfsd_t)
  
@@ -47348,7 +47486,7 @@ index 19bb611..42ca54c 100644
  ')
  
  ########################################
-@@ -181,7 +221,7 @@ tunable_policy(`nfs_export_all_ro',`
+@@ -181,7 +222,7 @@ tunable_policy(`nfs_export_all_ro',`
  
  allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice };
  allow gssd_t self:process { getsched setsched };
@@ -47357,7 +47495,7 @@ index 19bb611..42ca54c 100644
  
  manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
  manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
-@@ -199,6 +239,7 @@ corecmd_exec_bin(gssd_t)
+@@ -199,6 +240,7 @@ corecmd_exec_bin(gssd_t)
  fs_list_rpc(gssd_t)
  fs_rw_rpc_sockets(gssd_t)
  fs_read_rpc_files(gssd_t)
@@ -47365,7 +47503,7 @@ index 19bb611..42ca54c 100644
  
  fs_list_inotifyfs(gssd_t)
  files_list_tmp(gssd_t)
-@@ -210,14 +251,14 @@ auth_manage_cache(gssd_t)
+@@ -210,14 +252,14 @@ auth_manage_cache(gssd_t)
  
  miscfiles_read_generic_certs(gssd_t)
  
@@ -47383,7 +47521,7 @@ index 19bb611..42ca54c 100644
  ')
  
  optional_policy(`
-@@ -226,6 +267,11 @@ optional_policy(`
+@@ -226,6 +268,11 @@ optional_policy(`
  
  optional_policy(`
  	kerberos_keytab_template(gssd, gssd_t)
@@ -52281,15 +52419,16 @@ index c117e8b..0eb909b 100644
 +	files_list_pids($1)
  ')
 diff --git a/snort.te b/snort.te
-index 179bc1b..735c400 100644
+index 179bc1b..ad84161 100644
 --- a/snort.te
 +++ b/snort.te
-@@ -32,17 +32,17 @@ files_pid_file(snort_var_run_t)
+@@ -32,17 +32,18 @@ files_pid_file(snort_var_run_t)
  allow snort_t self:capability { setgid setuid net_admin net_raw dac_override };
  dontaudit snort_t self:capability sys_tty_config;
  allow snort_t self:process signal_perms;
 -allow snort_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
 +allow snort_t self:netlink_route_socket create_netlink_socket_perms;
++allow snort_t self:netlink_socket create_socket_perms;
  allow snort_t self:tcp_socket create_stream_socket_perms;
  allow snort_t self:udp_socket create_socket_perms;
  allow snort_t self:packet_socket create_socket_perms;
@@ -52409,13 +52548,17 @@ index 93fe7bf..1b07ed4 100644
  	init_labeled_script_domtrans($1, soundd_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/spamassassin.fc b/spamassassin.fc
-index 6b3abf9..21f3e07 100644
+index 6b3abf9..663ebeb 100644
 --- a/spamassassin.fc
 +++ b/spamassassin.fc
-@@ -1,15 +1,38 @@
+@@ -1,15 +1,50 @@
 -HOME_DIR/\.spamassassin(/.*)?	gen_context(system_u:object_r:spamassassin_home_t,s0)
++HOME_DIR/\.pyzor(/.*)?		gen_context(system_u:object_r:spamc_home_t,s0)
 +HOME_DIR/\.spamassassin(/.*)?	gen_context(system_u:object_r:spamc_home_t,s0)
++HOME_DIR/\.spamd(/.*)?		gen_context(system_u:object_r:spamc_home_t,s0)
++/root/\.pyzor(/.*)?		gen_context(system_u:object_r:spamc_home_t,s0)
 +/root/\.spamassassin(/.*)?	gen_context(system_u:object_r:spamc_home_t,s0)
++/root/\.spamd(/.*)?		gen_context(system_u:object_r:spamc_home_t,s0)
 +
 +/etc/rc\.d/init\.d/spamd	--	gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/mimedefang.*	--	gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
@@ -52447,12 +52590,20 @@ index 6b3abf9..21f3e07 100644
 +/root/\.razor(/.*)?     gen_context(system_u:object_r:spamc_home_t,s0)
 +HOME_DIR/\.razor(/.*)?      gen_context(system_u:object_r:spamc_home_t,s0)
 +
++/etc/pyzor(/.*)?		gen_context(system_u:object_r:spamd_etc_t, s0)
 +/etc/razor(/.*)?        gen_context(system_u:object_r:spamd_etc_t,s0)
++/etc/rc\.d/init\.d/pyzord	--	gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
 +
 +/usr/bin/razor.*    --  gen_context(system_u:object_r:spamc_exec_t,s0)
 +
++/var/lib/pyzord(/.*)?		gen_context(system_u:object_r:spamd_var_lib_t,s0)
 +/var/lib/razor(/.*)?        gen_context(system_u:object_r:spamd_var_lib_t,s0)
++
++/var/log/pyzord\.log	--	gen_context(system_u:object_r:spamd_log_t,s0)
 +/var/log/razor-agent\.log --    gen_context(system_u:object_r:spamd_log_t,s0)
++
++/usr/bin/pyzor		--	gen_context(system_u:object_r:spamc_exec_t,s0)
++/usr/bin/pyzord		--	gen_context(system_u:object_r:spamd_exec_t,s0)
 diff --git a/spamassassin.if b/spamassassin.if
 index c954f31..82fc7f6 100644
 --- a/spamassassin.if
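Review bot: the new `/etc/pyzor(/.*)?` entry writes `gen_context(system_u:object_r:spamd_etc_t, s0)` with a space before `s0`, unlike every other entry in this hunk and in the file; m4 strips leading argument whitespace so it still compiles, but it should read `gen_context(system_u:object_r:spamd_etc_t,s0)` for consistency. Also worth a one-line comment above `/usr/bin/pyzord`, e.g. `# pyzord runs in spamd_t since the separate pyzor policy was removed`, because the label alone does not tell a reader that the daemon now inherits the full spamd_t ruleset.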
@@ -52670,10 +52821,10 @@ index c954f31..82fc7f6 100644
 +	admin_pattern($1, spamd_var_run_t)
  ')
 diff --git a/spamassassin.te b/spamassassin.te
-index 1bbf73b..4b5b6fa 100644
+index 1bbf73b..716877c 100644
 --- a/spamassassin.te
 +++ b/spamassassin.te
-@@ -6,52 +6,101 @@ policy_module(spamassassin, 2.5.0)
+@@ -6,52 +6,41 @@ policy_module(spamassassin, 2.5.0)
  #
  
  ## <desc>
@@ -52722,6 +52873,36 @@ index 1bbf73b..4b5b6fa 100644
 -typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
 -typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
 -userdom_user_tmp_file(spamc_tmp_t)
++
++type spamd_update_t;
++type spamd_update_exec_t;
++application_domain(spamd_update_t, spamd_update_exec_t)
++cron_system_entry(spamd_update_t, spamd_update_exec_t)
++role system_r types spamd_update_t;
+ 
+ type spamd_t;
+ type spamd_exec_t;
+ init_daemon_domain(spamd_t, spamd_exec_t)
+ 
++type spamd_compiled_t;
++files_type(spamd_compiled_t)
++
++type spamd_initrc_exec_t;
++init_script_file(spamd_initrc_exec_t)
++
++type spamd_log_t;
++logging_log_file(spamd_log_t)
++
+ type spamd_spool_t;
+-files_type(spamd_spool_t)
++files_spool_file(spamd_spool_t)
+ 
+ type spamd_tmp_t;
+ files_tmp_file(spamd_tmp_t)
+@@ -63,6 +52,89 @@ files_type(spamd_var_lib_t)
+ type spamd_var_run_t;
+ files_pid_file(spamd_var_run_t)
+ 
 +ifdef(`distro_redhat',`
 +	# spamassassin client executable
 +	type spamc_t;
@@ -52750,6 +52931,28 @@ index 1bbf73b..4b5b6fa 100644
 +
 +	typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
 +	typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
++	typealias spamc_t alias pyzor_t;
++	typealias spamc_exec_t alias pyzor_exec_t;
++	typealias spamd_t alias pyzord_t;
++	typealias spamd_initrc_exec_t alias pyzord_initrc_exec_t;
++	typealias spamd_exec_t alias pyzord_exec_t;
++	typealias spamc_tmp_t alias pyzor_tmp_t;
++	typealias spamd_log_t alias pyzor_log_t;
++	typealias spamd_log_t alias pyzord_log_t;
++	typealias spamd_var_lib_t alias pyzor_var_lib_t;
++	typealias spamd_etc_t alias pyzor_etc_t;
++	typealias spamc_home_t alias pyzor_home_t;
++	typealias spamc_home_t alias user_pyzor_home_t;
++	typealias spamc_t alias razor_t;
++	typealias spamc_exec_t alias razor_exec_t;
++	typealias spamd_log_t alias razor_log_t;
++	typealias spamd_var_lib_t alias razor_var_lib_t;
++	typealias spamd_etc_t alias razor_etc_t;
++	typealias spamc_home_t alias razor_home_t;
++	typealias spamc_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t };
++	typealias spamc_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
++	typealias spamc_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
++	typealias spamc_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
 +',`
 +	type spamassassin_t;
 +	type spamassassin_exec_t;
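Review bot: these typealiases fold the pyzor and razor client types into spamc_t and the pyzord daemon type into spamd_t, so pyzord now inherits the complete spamd_t ruleset (including the broad `self:process` grant visible later in this file), and nothing in the hunk records that this widening is intentional. A comment above the alias block, e.g. `# pyzor/razor policy merged into spamassassin; aliases keep existing labels and third-party references loading`, would make the intent clear to the next maintainer. Note the aliases exist only in the distro_redhat branch of the `ifdef`; if any other module still references pyzor_t or razor_t on a non-redhat build it will fail to link — worth confirming before the old pyzor/razor modules are dropped from the module list.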
@@ -52783,32 +52986,10 @@ index 1bbf73b..4b5b6fa 100644
 +	ubac_constrained(spamc_tmp_t)
 +')
 +
-+type spamd_update_t;
-+type spamd_update_exec_t;
-+application_domain(spamd_update_t, spamd_update_exec_t)
-+cron_system_entry(spamd_update_t, spamd_update_exec_t)
-+role system_r types spamd_update_t;
- 
- type spamd_t;
- type spamd_exec_t;
- init_daemon_domain(spamd_t, spamd_exec_t)
- 
-+type spamd_compiled_t;
-+files_type(spamd_compiled_t)
-+
-+type spamd_initrc_exec_t;
-+init_script_file(spamd_initrc_exec_t)
-+
-+type spamd_log_t;
-+logging_log_file(spamd_log_t)
-+
- type spamd_spool_t;
--files_type(spamd_spool_t)
-+files_spool_file(spamd_spool_t)
- 
- type spamd_tmp_t;
- files_tmp_file(spamd_tmp_t)
-@@ -98,12 +147,14 @@ manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
+ ##############################
+ #
+ # Standalone program local policy
+@@ -98,12 +170,14 @@ manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
  manage_fifo_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
  manage_sock_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
  userdom_user_home_dir_filetrans(spamd_t, spamassassin_home_t, { dir file lnk_file sock_file fifo_file })
@@ -52823,7 +53004,7 @@ index 1bbf73b..4b5b6fa 100644
  
  # this should probably be removed
  corecmd_list_bin(spamassassin_t)
-@@ -144,6 +195,9 @@ tunable_policy(`spamassassin_can_network',`
+@@ -144,6 +218,9 @@ tunable_policy(`spamassassin_can_network',`
  	corenet_udp_sendrecv_all_ports(spamassassin_t)
  	corenet_tcp_connect_all_ports(spamassassin_t)
  	corenet_sendrecv_all_client_packets(spamassassin_t)
@@ -52833,7 +53014,7 @@ index 1bbf73b..4b5b6fa 100644
  
  	sysnet_read_config(spamassassin_t)
  ')
-@@ -154,25 +208,13 @@ tunable_policy(`spamd_enable_home_dirs',`
+@@ -154,25 +231,13 @@ tunable_policy(`spamd_enable_home_dirs',`
  	userdom_manage_user_home_content_symlinks(spamd_t)
  ')
  
@@ -52860,7 +53041,7 @@ index 1bbf73b..4b5b6fa 100644
  		nis_use_ypbind_uncond(spamassassin_t)
  	')
  ')
-@@ -180,6 +222,8 @@ optional_policy(`
+@@ -180,6 +245,8 @@ optional_policy(`
  optional_policy(`
  	mta_read_config(spamassassin_t)
  	sendmail_stub(spamassassin_t)
@@ -52869,7 +53050,7 @@ index 1bbf73b..4b5b6fa 100644
  ')
  
  ########################################
-@@ -202,15 +246,32 @@ allow spamc_t self:unix_stream_socket connectto;
+@@ -202,15 +269,32 @@ allow spamc_t self:unix_stream_socket connectto;
  allow spamc_t self:tcp_socket create_stream_socket_perms;
  allow spamc_t self:udp_socket create_socket_perms;
  
@@ -52902,7 +53083,7 @@ index 1bbf73b..4b5b6fa 100644
  
  corenet_all_recvfrom_unlabeled(spamc_t)
  corenet_all_recvfrom_netlabel(spamc_t)
-@@ -222,6 +283,7 @@ corenet_tcp_sendrecv_all_ports(spamc_t)
+@@ -222,6 +306,7 @@ corenet_tcp_sendrecv_all_ports(spamc_t)
  corenet_udp_sendrecv_all_ports(spamc_t)
  corenet_tcp_connect_all_ports(spamc_t)
  corenet_sendrecv_all_client_packets(spamc_t)
@@ -52910,7 +53091,7 @@ index 1bbf73b..4b5b6fa 100644
  
  fs_search_auto_mountpoints(spamc_t)
  
-@@ -240,9 +302,14 @@ files_read_usr_files(spamc_t)
+@@ -240,9 +325,14 @@ files_read_usr_files(spamc_t)
  files_dontaudit_search_var(spamc_t)
  # cjp: this may be removable:
  files_list_home(spamc_t)
@@ -52925,7 +53106,7 @@ index 1bbf73b..4b5b6fa 100644
  miscfiles_read_localization(spamc_t)
  
  # cjp: this should probably be removed:
-@@ -250,27 +317,35 @@ seutil_read_config(spamc_t)
+@@ -250,27 +340,35 @@ seutil_read_config(spamc_t)
  
  sysnet_read_config(spamc_t)
  
@@ -52967,7 +53148,7 @@ index 1bbf73b..4b5b6fa 100644
  ')
  
  ########################################
-@@ -282,7 +357,7 @@ optional_policy(`
+@@ -282,7 +380,7 @@ optional_policy(`
  # setuids to the user running spamc.  Comment this if you are not
  # using this ability.
  
@@ -52976,7 +53157,7 @@ index 1bbf73b..4b5b6fa 100644
  dontaudit spamd_t self:capability sys_tty_config;
  allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow spamd_t self:fd use;
-@@ -298,10 +373,17 @@ allow spamd_t self:unix_dgram_socket sendto;
+@@ -298,10 +396,17 @@ allow spamd_t self:unix_dgram_socket sendto;
  allow spamd_t self:unix_stream_socket connectto;
  allow spamd_t self:tcp_socket create_stream_socket_perms;
  allow spamd_t self:udp_socket create_socket_perms;
@@ -52995,7 +53176,7 @@ index 1bbf73b..4b5b6fa 100644
  files_spool_filetrans(spamd_t, spamd_spool_t, { file dir })
  
  manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
-@@ -310,11 +392,15 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
+@@ -310,11 +415,15 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
  
  # var/lib files for spamd
  allow spamd_t spamd_var_lib_t:dir list_dir_perms;
@@ -53013,7 +53194,7 @@ index 1bbf73b..4b5b6fa 100644
  
  kernel_read_all_sysctls(spamd_t)
  kernel_read_system_state(spamd_t)
-@@ -363,23 +449,23 @@ files_read_var_lib_files(spamd_t)
+@@ -363,23 +472,23 @@ files_read_var_lib_files(spamd_t)
  
  init_dontaudit_rw_utmp(spamd_t)
  
@@ -53045,7 +53226,7 @@ index 1bbf73b..4b5b6fa 100644
  ')
  
  optional_policy(`
-@@ -395,7 +481,9 @@ optional_policy(`
+@@ -395,7 +504,9 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -53055,7 +53236,7 @@ index 1bbf73b..4b5b6fa 100644
  	dcc_stream_connect_dccifd(spamd_t)
  ')
  
-@@ -404,25 +492,17 @@ optional_policy(`
+@@ -404,25 +515,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -53083,7 +53264,7 @@ index 1bbf73b..4b5b6fa 100644
  	postgresql_stream_connect(spamd_t)
  ')
  
-@@ -433,6 +513,10 @@ optional_policy(`
+@@ -433,6 +536,10 @@ optional_policy(`
  
  optional_policy(`
  	razor_domtrans(spamd_t)
@@ -53094,7 +53275,7 @@ index 1bbf73b..4b5b6fa 100644
  ')
  
  optional_policy(`
-@@ -440,6 +524,7 @@ optional_policy(`
+@@ -440,6 +547,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -53102,7 +53283,7 @@ index 1bbf73b..4b5b6fa 100644
  	sendmail_stub(spamd_t)
  	mta_read_config(spamd_t)
  ')
-@@ -447,3 +532,51 @@ optional_policy(`
+@@ -447,3 +555,51 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(spamd_t)
  ')
@@ -54771,10 +54952,10 @@ index 0000000..9127cec
 +')
 diff --git a/thumb.te b/thumb.te
 new file mode 100644
-index 0000000..89684c9
+index 0000000..f6538d0
 --- /dev/null
 +++ b/thumb.te
-@@ -0,0 +1,110 @@
+@@ -0,0 +1,111 @@
 +policy_module(thumb, 1.0.0)
 +
 +########################################
@@ -54870,6 +55051,7 @@ index 0000000..89684c9
 +xserver_read_xdm_home_files(thumb_t)
 +xserver_append_xdm_home_files(thumb_t)
 +xserver_dontaudit_read_xdm_pid(thumb_t)
++xserver_dontaudit_xdm_tmp_dirs(thumb_t)
 +xserver_stream_connect(thumb_t)
 +
 +optional_policy(`
@@ -54997,6 +55179,496 @@ index 0521d5a..3d3f88a 100644
 -	unconfined_domain(tmpreaper_t)
 +	rpm_manage_cache(tmpreaper_t)
  ')
+diff --git a/tomcat.fc b/tomcat.fc
+new file mode 100644
+index 0000000..1647b92
+--- /dev/null
++++ b/tomcat.fc
+@@ -0,0 +1,11 @@
++/usr/lib/systemd/system/tomcat.service		--	gen_context(system_u:object_r:tomcat_unit_file_t,s0)
++
++/usr/sbin/tomcat		--	gen_context(system_u:object_r:tomcat_exec_t,s0)
++
++/var/cache/tomcat(/.*)?		gen_context(system_u:object_r:tomcat_cache_t,s0)
++
++/var/lib/tomcat(/.*)?		gen_context(system_u:object_r:tomcat_var_lib_t,s0)
++
++/var/log/tomcat(/.*)?		gen_context(system_u:object_r:tomcat_log_t,s0)
++
++/var/run/tomcat.pid		--	gen_context(system_u:object_r:tomcat_var_run_t,s0)
+diff --git a/tomcat.if b/tomcat.if
+new file mode 100644
+index 0000000..23251b7
+--- /dev/null
++++ b/tomcat.if
+@@ -0,0 +1,353 @@
++
++## <summary>policy for tomcat</summary>
++
++######################################
++## <summary>
++##      Creates types and rules for a basic
++##      tomcat daemon domain.
++## </summary>
++## <param name="prefix">
++##      <summary>
++##      Prefix for the domain.
++##      </summary>
++## </param>
++#
++template(`tomcat_domain_template',`
++        gen_require(`
++                attribute tomcat_domain;
++        ')
++
++	type $1_t, tomcat_domain;
++        type $1_exec_t;
++        init_daemon_domain($1_t, $1_exec_t)
++
++	can_exec($1_t, $1_exec_t)
++
++')
++
++########################################
++## <summary>
++##	Transition to tomcat.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`tomcat_domtrans',`
++	gen_require(`
++		type tomcat_t, tomcat_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, tomcat_exec_t, tomcat_t)
++')
++
++########################################
++## <summary>
++##	Search tomcat cache directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`tomcat_search_cache',`
++	gen_require(`
++		type tomcat_cache_t;
++	')
++
++	allow $1 tomcat_cache_t:dir search_dir_perms;
++	files_search_var($1)
++')
++
++########################################
++## <summary>
++##	Read tomcat cache files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`tomcat_read_cache_files',`
++	gen_require(`
++		type tomcat_cache_t;
++	')
++
++	files_search_var($1)
++	read_files_pattern($1, tomcat_cache_t, tomcat_cache_t)
++')
++
++########################################
++## <summary>
++##	Create, read, write, and delete
++##	tomcat cache files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`tomcat_manage_cache_files',`
++	gen_require(`
++		type tomcat_cache_t;
++	')
++
++	files_search_var($1)
++	manage_files_pattern($1, tomcat_cache_t, tomcat_cache_t)
++')
++
++########################################
++## <summary>
++##	Manage tomcat cache dirs.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`tomcat_manage_cache_dirs',`
++	gen_require(`
++		type tomcat_cache_t;
++	')
++
++	files_search_var($1)
++	manage_dirs_pattern($1, tomcat_cache_t, tomcat_cache_t)
++')
++
++########################################
++## <summary>
++##	Read tomcat's log files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`tomcat_read_log',`
++	gen_require(`
++		type tomcat_log_t;
++	')
++
++	logging_search_logs($1)
++	read_files_pattern($1, tomcat_log_t, tomcat_log_t)
++')
++
++########################################
++## <summary>
++##	Append to tomcat log files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`tomcat_append_log',`
++	gen_require(`
++		type tomcat_log_t;
++	')
++
++	logging_search_logs($1)
++	append_files_pattern($1, tomcat_log_t, tomcat_log_t)
++')
++
++########################################
++## <summary>
++##	Manage tomcat log files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`tomcat_manage_log',`
++	gen_require(`
++		type tomcat_log_t;
++	')
++
++	logging_search_logs($1)
++	manage_dirs_pattern($1, tomcat_log_t, tomcat_log_t)
++	manage_files_pattern($1, tomcat_log_t, tomcat_log_t)
++	manage_lnk_files_pattern($1, tomcat_log_t, tomcat_log_t)
++')
++
++########################################
++## <summary>
++##	Search tomcat lib directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`tomcat_search_lib',`
++	gen_require(`
++		type tomcat_var_lib_t;
++	')
++
++	allow $1 tomcat_var_lib_t:dir search_dir_perms;
++	files_search_var_lib($1)
++')
++
++########################################
++## <summary>
++##	Read tomcat lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`tomcat_read_lib_files',`
++	gen_require(`
++		type tomcat_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	read_files_pattern($1, tomcat_var_lib_t, tomcat_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Manage tomcat lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`tomcat_manage_lib_files',`
++	gen_require(`
++		type tomcat_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	manage_files_pattern($1, tomcat_var_lib_t, tomcat_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Manage tomcat lib directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`tomcat_manage_lib_dirs',`
++	gen_require(`
++		type tomcat_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	manage_dirs_pattern($1, tomcat_var_lib_t, tomcat_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Read tomcat PID files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`tomcat_read_pid_files',`
++	gen_require(`
++		type tomcat_var_run_t;
++	')
++
++	files_search_pids($1)
++	allow $1 tomcat_var_run_t:file read_file_perms;
++')
++
++########################################
++## <summary>
++##	Execute tomcat server in the tomcat domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`tomcat_systemctl',`
++	gen_require(`
++		type tomcat_t;
++		type tomcat_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++        systemd_read_fifo_file_password_run($1)
++	allow $1 tomcat_unit_file_t:file read_file_perms;
++	allow $1 tomcat_unit_file_t:service manage_service_perms;
++
++	ps_process_pattern($1, tomcat_t)
++')
++
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an tomcat environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`tomcat_admin',`
++	gen_require(`
++		type tomcat_t;
++		type tomcat_cache_t;
++		type tomcat_log_t;
++		type tomcat_var_lib_t;
++		type tomcat_var_run_t;
++	type tomcat_unit_file_t;
++	')
++
++	allow $1 tomcat_t:process { ptrace signal_perms };
++	ps_process_pattern($1, tomcat_t)
++
++	files_search_var($1)
++	admin_pattern($1, tomcat_cache_t)
++
++	logging_search_logs($1)
++	admin_pattern($1, tomcat_log_t)
++
++	files_search_var_lib($1)
++	admin_pattern($1, tomcat_var_lib_t)
++
++	files_search_pids($1)
++	admin_pattern($1, tomcat_var_run_t)
++
++	tomcat_systemctl($1)
++	admin_pattern($1, tomcat_unit_file_t)
++	allow $1 tomcat_unit_file_t:service all_service_perms;
++	optional_policy(`
++		systemd_passwd_agent_exec($1)
++		systemd_read_fifo_file_passwd_run($1)
++	')
++')
+diff --git a/tomcat.te b/tomcat.te
+new file mode 100644
+index 0000000..a986de8
+--- /dev/null
++++ b/tomcat.te
+@@ -0,0 +1,108 @@
++policy_module(tomcat, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++attribute tomcat_domain;
++
++tomcat_domain_template(tomcat)
++
++type tomcat_cache_t;
++files_type(tomcat_cache_t)
++
++type tomcat_log_t;
++logging_log_file(tomcat_log_t)
++
++type tomcat_var_lib_t;
++files_type(tomcat_var_lib_t)
++
++type tomcat_var_run_t;
++files_pid_file(tomcat_var_run_t)
++
++type tomcat_tmp_t;
++files_tmp_file(tomcat_tmp_t)
++
++type tomcat_unit_file_t;
++systemd_unit_file(tomcat_unit_file_t)
++
++#######################################
++#
++# tomcat local policy
++#
++
++optional_policy(`
++	unconfined_domain(tomcat_t)
++')
++
++########################################
++#
++# tomcat domain local policy
++#
++
++allow tomcat_t self:process execmem;
++allow tomcat_t self:process { signal signull };
++
++allow tomcat_t self:tcp_socket { accept listen };
++allow tomcat_domain self:fifo_file rw_fifo_file_perms;
++allow tomcat_domain self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(tomcat_domain, tomcat_cache_t, tomcat_cache_t)
++manage_files_pattern(tomcat_domain, tomcat_cache_t, tomcat_cache_t)
++manage_lnk_files_pattern(tomcat_domain, tomcat_cache_t, tomcat_cache_t)
++files_var_filetrans(tomcat_domain, tomcat_cache_t, { dir file })
++
++manage_dirs_pattern(tomcat_domain, tomcat_log_t, tomcat_log_t)
++manage_files_pattern(tomcat_domain, tomcat_log_t, tomcat_log_t)
++logging_log_filetrans(tomcat_domain, tomcat_log_t, { dir file })
++
++manage_dirs_pattern(tomcat_domain, tomcat_var_lib_t, tomcat_var_lib_t)
++manage_files_pattern(tomcat_domain, tomcat_var_lib_t, tomcat_var_lib_t)
++files_var_lib_filetrans(tomcat_domain, tomcat_var_lib_t, { dir file })
++
++manage_dirs_pattern(tomcat_domain, tomcat_var_run_t, tomcat_var_run_t)
++manage_files_pattern(tomcat_domain, tomcat_var_run_t, tomcat_var_run_t)
++files_pid_filetrans(tomcat_domain, tomcat_var_run_t, { dir file })
++
++manage_dirs_pattern(tomcat_t, tomcat_tmp_t, tomcat_tmp_t)
++manage_files_pattern(tomcat_t, tomcat_tmp_t, tomcat_tmp_t)
++manage_fifo_files_pattern(tomcat_t, tomcat_tmp_t, tomcat_tmp_t)
++files_tmp_filetrans(tomcat_t, tomcat_tmp_t, { file fifo_file dir })
++
++# we want to stay in a new tomcat domain if we call tomcat binary from a script
++# initrc_t at tomcat_test_exec_t->tomcat_test_t at tomcat_exec_t->tomcat_test_t
++can_exec(tomcat_domain, tomcat_exec_t)
++
++kernel_read_system_state(tomcat_domain)
++kernel_read_network_state(tomcat_domain)
++
++corecmd_exec_bin(tomcat_domain)
++corecmd_exec_shell(tomcat_domain)
++
++corenet_tcp_bind_generic_node(tomcat_domain)
++corenet_udp_bind_generic_node(tomcat_domain)
++corenet_tcp_bind_http_port(tomcat_domain)
++corenet_tcp_bind_http_cache_port(tomcat_domain)
++corenet_tcp_bind_mxi_port(tomcat_domain)
++corenet_tcp_connect_http_port(tomcat_domain)
++corenet_tcp_connect_mxi_port(tomcat_domain)
++
++dev_read_rand(tomcat_domain)
++dev_read_urand(tomcat_domain)
++dev_read_sysfs(tomcat_domain)
++
++domain_use_interactive_fds(tomcat_domain)
++
++fs_getattr_all_fs(tomcat_domain)
++fs_read_hugetlbfs_files(tomcat_domain)
++
++files_read_etc_files(tomcat_domain)
++files_read_usr_files(tomcat_domain)
++
++auth_read_passwd(tomcat_domain)
++
++miscfiles_read_localization(tomcat_domain)
++
++sysnet_dns_name_resolve(tomcat_domain)
++
 diff --git a/tor.fc b/tor.fc
 index e2e06b2..6752bc3 100644
 --- a/tor.fc
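Review bot: tomcat.if calls two differently spelled systemd interfaces for the same purpose — `systemd_read_fifo_file_password_run($1)` in `tomcat_systemctl` and `systemd_read_fifo_file_passwd_run($1)` inside `tomcat_admin` — and since only one of them can match the interface declared in systemd.if, the other will presumably fail when the module is built, so the spelling systemd.if defines should be used in both places. In tomcat.fc the PID entry leaves the dot unescaped, unlike the `cherokee\.pid` labeling this same commit adds elsewhere, so it should read `/var/run/tomcat\.pid		--	gen_context(system_u:object_r:tomcat_var_run_t,s0)`. In tomcat.te the `optional_policy(` `unconfined_domain(tomcat_t)` `)` block makes every allow rule that follows it moot whenever the unconfined module is loaded, so a comment stating that this is a deliberate staged rollout, and under what condition it is meant to be dropped, would tell the next reader that the listed rules are not yet the enforced confinement. The comment above `can_exec(tomcat_domain, tomcat_exec_t)` refers to `tomcat_test_exec_t` and `tomcat_test_t`, types this module never declares; it should describe the transition in terms of the types that actually exist here.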
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 88b9896..700b953 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.11.0
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -235,7 +235,7 @@ fi;
 if [ -e /etc/selinux/%2/.rebuild ]; then \
    rm /etc/selinux/%2/.rebuild; \
    if [ %1 -ne 1 ]; then \
-	/usr/sbin/semodule -n -s %2 -r xfs kudzu kerneloops execmem openoffice ada tzdata hal hotplug howl java mono moilscanner gamin audio_entropy audioentropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal passanger qpidd 2>/dev/null; \
+	/usr/sbin/semodule -n -s %2 -r xfs kudzu kerneloops execmem openoffice ada tzdata hal hotplug howl java mono moilscanner gamin audio_entropy audioentropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal passanger qpidd pyzor razor 2>/dev/null; \
    fi \
    rm -f  /etc/selinux/%2/modules/active/modules/qemu.pp /etc/selinux/%2/modules/active/modules/nsplugin.pp /etc/selinux/%2/modules/active/modules/razor.pp /etc/selinux/%2/modules/active/modules/pyzord.pp \
    /usr/sbin/semodule -B -n -s %2; \
@@ -491,6 +491,30 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Mon Jun 25 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.0-6
+- Add tomcat policy
+- Remove pyzor/razor policy
+- rhsmcertd reads the rpm database
+- Dontaudit  thumb to setattr on xdm_tmp dir
+- Allow wicd to execute ldconfig in the networkmanager_t domain
+- Add /var/run/cherokee\.pid labeling
+- Allow mozilla_plugin to create mozilla_plugin_tmp_t lnk files too
+- Allow postfix-master to r/w pipes other postfix domains
+- Allow snort to create netlink_socket
+- Add kdumpctl policy
+- Allow firstboot to create tmp_t files/directories
+- /usr/bin/paster should not be labeled as piranha_exec_t
+- remove initrc_domain from tomcat
+- Allow ddclient to read /etc/passwd
+- Allow useradd to delete all file types stored in the users homedir
+- Allow ldconfig and insmod to manage kdumpctl tmp files
+- Firstboot should be just creating tmp_t dirs and xauth should be allowed to write to those
+- Transition xauth files within firstboot_tmp_t
+- Fix labeling of /run/media to match /media
+- Label all lxdm.log as xserver_log_t
+- Add port definition for mxi port
+- Allow local_login_t to execute tmux
+
 * Tue Jun 19 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.0-5
 - apcupsd needs to read /etc/passwd
 - Sanlock allso sends sigkill

