[selinux-policy/f17] * Wed May 2 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-120 - Add clamscan_can_scan_system boolea

Miroslav Grepl mgrepl at fedoraproject.org
Thu May 3 11:46:33 UTC 2012


commit 146b7fd6a6e3752550c80702f37cbf0837f91a81
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Thu May 3 13:46:08 2012 +0200

    * Wed May 2 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-120
    - Add clamscan_can_scan_system boolean
    - Allow mysqld to read kernel network state
    - Allow sshd to read/write condor lib files
    - Allow sshd to read/write condor-startd tcp socket
    - Fix description on httpd_graceful_shutdown
    - Allow glance_registry to communicate with mysql
    - dbus_system_domain is using systemd to launch applications
    - add interfaces to allow domains to send kill signals to user mail agents
    - Remove unnecessary access for svirt_lxc domains, add privs for virtd_lxc_t
    - Lots of new access required for secure containers
    - Corosync needs sys_admin capability
    - Allow colord to create shm
    - .orc should be allowed to be created by any app that can create gstream ho
    - Add boolean to control whether or not mozilla plugins can create random co
    -  Add new interface to allow domains to list mysql_db directories, needed f
    - shutdown has to be allowed to delete etc_runtime_t
    - Fail2ban needs to read /etc/passwd
    -  Allow ldconfig to create /var/cache/ldconfig
    - Allow tgtd to read hardware state information
    - Allow collectd to create packet socket
    - Allow chronyd to send signal to itself
    - Allow collectd to read /dev/random
    - Allow collectd to send signal to itself
    - firewalld needs to execute restorecon
    - Allow restorecon and other login domains to execute restorecon

 policy-F16.patch    | 1476 ++++++++++++++++++++++++++++++++++-----------------
 selinux-policy.spec |   29 +-
 2 files changed, 1019 insertions(+), 486 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 9bc97c9..05241df 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -61428,10 +61428,18 @@ index 47a8f7d..a609a22 100644
  
  	optional_policy(`
 diff --git a/policy/modules/admin/sectoolm.te b/policy/modules/admin/sectoolm.te
-index c8ef84b..eb4bd05 100644
+index c8ef84b..c761721 100644
 --- a/policy/modules/admin/sectoolm.te
 +++ b/policy/modules/admin/sectoolm.te
-@@ -23,7 +23,7 @@ files_tmp_file(sectool_tmp_t)
+@@ -8,6 +8,7 @@ policy_module(sectoolm, 1.0.0)
+ type sectoolm_t;
+ type sectoolm_exec_t;
+ dbus_system_domain(sectoolm_t, sectoolm_exec_t)
++init_daemon_domain(sectoolm_t, sectoolm_exec_t)
+ 
+ type sectool_var_lib_t;
+ files_type(sectool_var_lib_t)
+@@ -23,7 +24,7 @@ files_tmp_file(sectool_tmp_t)
  # sectool local policy
  #
  
@@ -61440,7 +61448,7 @@ index c8ef84b..eb4bd05 100644
  allow sectoolm_t self:process { getcap getsched	signull setsched };
  dontaudit sectoolm_t self:process { execstack execmem };
  allow sectoolm_t self:fifo_file rw_fifo_file_perms;
-@@ -70,12 +70,6 @@ application_exec_all(sectoolm_t)
+@@ -70,12 +71,6 @@ application_exec_all(sectoolm_t)
  
  auth_use_nsswitch(sectoolm_t)
  
@@ -61453,7 +61461,7 @@ index c8ef84b..eb4bd05 100644
  libs_exec_ld_so(sectoolm_t)
  
  logging_send_syslog_msg(sectoolm_t)
-@@ -84,6 +78,17 @@ logging_send_syslog_msg(sectoolm_t)
+@@ -84,6 +79,17 @@ logging_send_syslog_msg(sectoolm_t)
  sysnet_domtrans_ifconfig(sectoolm_t)
  
  userdom_manage_user_tmp_sockets(sectoolm_t)
@@ -61745,7 +61753,7 @@ index d0604cf..b66057c 100644
  ## </summary>
  ## <param name="domain">
 diff --git a/policy/modules/admin/shutdown.te b/policy/modules/admin/shutdown.te
-index 8966ec9..8fbe943 100644
+index 8966ec9..d3528a0 100644
 --- a/policy/modules/admin/shutdown.te
 +++ b/policy/modules/admin/shutdown.te
 @@ -7,6 +7,7 @@ policy_module(shutdown, 1.1.0)
@@ -61767,7 +61775,7 @@ index 8966ec9..8fbe943 100644
  
  allow shutdown_t self:fifo_file manage_fifo_file_perms;
  allow shutdown_t self:unix_stream_socket create_stream_socket_perms;
-@@ -33,18 +34,21 @@ files_etc_filetrans(shutdown_t, shutdown_etc_t, file)
+@@ -33,18 +34,22 @@ files_etc_filetrans(shutdown_t, shutdown_etc_t, file)
  manage_files_pattern(shutdown_t, shutdown_var_run_t, shutdown_var_run_t)
  files_pid_filetrans(shutdown_t, shutdown_var_run_t, file)
  
@@ -61777,10 +61785,11 @@ index 8966ec9..8fbe943 100644
  
  files_read_etc_files(shutdown_t)
  files_read_generic_pids(shutdown_t)
++files_delete_boot_flag(shutdown_t)
++
++mls_file_write_to_clearance(shutdown_t)
  
 -term_use_all_terms(shutdown_t)
-+mls_file_write_to_clearance(shutdown_t)
-+
 +term_use_all_inherited_terms(shutdown_t)
  
  auth_use_nsswitch(shutdown_t)
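Review bot: `files_delete_boot_flag(shutdown_t)` lands on the new side without saying which files it is meant for, next to an MLS override (`mls_file_write_to_clearance`) that makes the block worth reading carefully during an audit. If this is the refpolicy interface over the etc_runtime_t boot-flag files in / (the changelog entry "shutdown has to be allowed to delete etc_runtime_t" suggests so), a one-line comment would make that self-explanatory: `# remove boot-flag files in / (etc_runtime_t, e.g. /.autofsck, /.autorelabel) on the way down`. The shutdown_t rule block continues on both sides of this hunk.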
@@ -61792,7 +61801,7 @@ index 8966ec9..8fbe943 100644
  init_stream_connect(shutdown_t)
  init_telinit(shutdown_t)
  
-@@ -54,10 +58,24 @@ logging_send_audit_msgs(shutdown_t)
+@@ -54,10 +59,24 @@ logging_send_audit_msgs(shutdown_t)
  miscfiles_read_localization(shutdown_t)
  
  optional_policy(`
@@ -63396,7 +63405,7 @@ index 0000000..27363a4
 +')
 +
 diff --git a/policy/modules/apps/cpufreqselector.te b/policy/modules/apps/cpufreqselector.te
-index 37475dd..6026789 100644
+index 37475dd..130f87c 100644
 --- a/policy/modules/apps/cpufreqselector.te
 +++ b/policy/modules/apps/cpufreqselector.te
 @@ -14,9 +14,10 @@ application_domain(cpufreqselector_t, cpufreqselector_exec_t)
@@ -63411,7 +63420,7 @@ index 37475dd..6026789 100644
  
  kernel_read_system_state(cpufreqselector_t)
  
-@@ -27,10 +28,12 @@ corecmd_search_bin(cpufreqselector_t)
+@@ -27,13 +28,16 @@ corecmd_search_bin(cpufreqselector_t)
  
  dev_rw_sysfs(cpufreqselector_t)
  
@@ -63425,7 +63434,11 @@ index 37475dd..6026789 100644
  
  optional_policy(`
  	dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t)
-@@ -53,3 +56,7 @@ optional_policy(`
++	init_daemon_domain(cpufreqselector_t, cpufreqselector_exec_t)
+ 
+ 	optional_policy(`
+ 		consolekit_dbus_chat(cpufreqselector_t)
+@@ -53,3 +57,7 @@ optional_policy(`
  	policykit_read_lib(cpufreqselector_t)
  	policykit_read_reload(cpufreqselector_t)
  ')
@@ -63606,10 +63619,10 @@ index 0000000..2bd5790
 +')
 diff --git a/policy/modules/apps/firewallgui.te b/policy/modules/apps/firewallgui.te
 new file mode 100644
-index 0000000..175de9d
+index 0000000..c97a6ea
 --- /dev/null
 +++ b/policy/modules/apps/firewallgui.te
-@@ -0,0 +1,74 @@
+@@ -0,0 +1,75 @@
 +policy_module(firewallgui,1.0.0)
 +
 +########################################
@@ -63620,6 +63633,7 @@ index 0000000..175de9d
 +type firewallgui_t;
 +type firewallgui_exec_t;
 +dbus_system_domain(firewallgui_t, firewallgui_exec_t)
++init_daemon_domain(firewallgui_t, firewallgui_exec_t)
 +
 +type firewallgui_tmp_t;
 +files_tmp_file(firewallgui_tmp_t)
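Review bot: `init_daemon_domain(firewallgui_t, firewallgui_exec_t)` is the same one-line addition this commit makes beside every `dbus_system_domain()` call in the other hunks (sectoolm, cpufreqselector, gnome, jockey, kde, kdumpgui), so the rule "dbus system services may also be started by systemd" is now repeated per call site and the next dbus-activatable domain can silently miss it. Unless dbus.if is already changed elsewhere in this patch, folding the init_daemon_domain call into dbus_system_domain would express it once. At minimum a comment would explain the pairing: `# also started by systemd (init_t), not only by system_dbusd_t`. The firewallgui_t declaration block continues past the end of the hunk.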
@@ -63823,7 +63837,7 @@ index 00a19e3..a6bcf1f 100644
 +/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper	--		gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
-index f5afe78..a19d881 100644
+index f5afe78..43a7a9e 100644
 --- a/policy/modules/apps/gnome.if
 +++ b/policy/modules/apps/gnome.if
 @@ -1,44 +1,900 @@
@@ -64914,7 +64928,7 @@ index f5afe78..a19d881 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -122,17 +1049,38 @@ interface(`gnome_stream_connect_gconf',`
+@@ -122,17 +1049,40 @@ interface(`gnome_stream_connect_gconf',`
  ##	</summary>
  ## </param>
  #
@@ -64944,10 +64958,12 @@ index f5afe78..a19d881 100644
 +    gen_require(`
 +        type gstreamer_home_t;
 +    ')
++
 +    userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-0.12")
 +    userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-0.10")
 +    userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-10")
 +    userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-12")
++    userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".orc")
  ')
  
  ########################################
@@ -64957,7 +64973,7 @@ index f5afe78..a19d881 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -140,51 +1088,303 @@ interface(`gnome_domtrans_gconfd',`
+@@ -140,51 +1090,301 @@ interface(`gnome_domtrans_gconfd',`
  ##	</summary>
  ## </param>
  #
@@ -65227,9 +65243,7 @@ index f5afe78..a19d881 100644
 +	userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".gconfd")
 +	userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".local")
 +	userdom_admin_home_dir_filetrans($1, gnome_home_t, dir, ".gnome2")
-+	userdom_admin_home_dir_filetrans($1, gstreamer_home_t, dir, ".orc")
-+	userdom_admin_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-10")
-+	userdom_admin_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-12")
++	gnome_filetrans_gstreamer_home_content($1)
 +	# /root/.color/icc: legacy
 +	userdom_admin_home_dir_filetrans($1, icc_data_home_t, dir, "icc")
 +')
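Review bot: Replacing the three `userdom_admin_home_dir_filetrans` lines with `gnome_filetrans_gstreamer_home_content($1)` changes which directory the transitions hang off: the gstreamer filetrans interface shown in the earlier hunk of this file (presumably that one) is built on `userdom_user_home_dir_filetrans`, i.e. user_home_dir_t, whereas the removed lines targeted admin_home_t. Unless userdom_user_home_dir_filetrans also covers admin_home_t in this tree, root's ~/.orc and ~/.gstreamer-* directories stop getting gstreamer_home_t after this commit. Either keep the admin-home lines (with the 0.10/0.12 names for parity with the user variant) or add an admin-home flavour of the gstreamer interface and call that here; the enclosing interface's header is outside the hunk.
```selinux
	userdom_admin_home_dir_filetrans($1, gnome_home_t, dir, ".gnome2")
	# keep admin_home_t transitions: gnome_filetrans_gstreamer_home_content() only covers user_home_dir_t
	userdom_admin_home_dir_filetrans($1, gstreamer_home_t, dir, ".orc")
	userdom_admin_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-0.10")
	userdom_admin_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-0.12")
	userdom_admin_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-10")
	userdom_admin_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-12")
	# … unchanged: icc_data_home_t transition …
```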
@@ -65278,7 +65292,7 @@ index f5afe78..a19d881 100644
 +    type_transition $1 gkeyringd_exec_t:process $2;
 +')
 diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te
-index 2505654..7a11c30 100644
+index 2505654..8090e6a 100644
 --- a/policy/modules/apps/gnome.te
 +++ b/policy/modules/apps/gnome.te
 @@ -6,11 +6,31 @@ policy_module(gnome, 2.1.0)
@@ -65314,7 +65328,7 @@ index 2505654..7a11c30 100644
  typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t };
  typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t };
  typealias gconf_home_t alias unconfined_gconf_home_t;
-@@ -30,12 +50,33 @@ typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t };
+@@ -30,12 +50,35 @@ typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t };
  application_domain(gconfd_t, gconfd_exec_t)
  ubac_constrained(gconfd_t)
  
@@ -65341,15 +65355,17 @@ index 2505654..7a11c30 100644
 +type gconfdefaultsm_t;
 +type gconfdefaultsm_exec_t;
 +dbus_system_domain(gconfdefaultsm_t, gconfdefaultsm_exec_t)
++init_daemon_domain(gconfdefaultsm_t, gconfdefaultsm_exec_t)
 +
 +type gnomesystemmm_t;
 +type gnomesystemmm_exec_t;
 +dbus_system_domain(gnomesystemmm_t, gnomesystemmm_exec_t)
++init_daemon_domain(gnomesystemmm_t, gnomesystemmm_exec_t)
 +
  ##############################
  #
  # Local Policy
-@@ -75,3 +116,157 @@ optional_policy(`
+@@ -75,3 +118,157 @@ optional_policy(`
  	xserver_use_xdm_fds(gconfd_t)
  	xserver_rw_xdm_pipes(gconfd_t)
  ')
@@ -66200,10 +66216,10 @@ index 0000000..fb58f33
 +')
 diff --git a/policy/modules/apps/jockey.te b/policy/modules/apps/jockey.te
 new file mode 100644
-index 0000000..a323883
+index 0000000..1c5ae9f
 --- /dev/null
 +++ b/policy/modules/apps/jockey.te
-@@ -0,0 +1,37 @@
+@@ -0,0 +1,38 @@
 +policy_module(jockey, 1.0.0)
 +
 +########################################
@@ -66214,6 +66230,7 @@ index 0000000..a323883
 +type jockey_t;
 +type jockey_exec_t;
 +dbus_system_domain(jockey_t, jockey_exec_t)
++init_daemon_domain(jockey_t, jockey_exec_t)
 +
 +type jockey_cache_t;
 +files_type(jockey_cache_t)
@@ -66278,10 +66295,10 @@ index 0000000..cf65577
 +')
 diff --git a/policy/modules/apps/kde.te b/policy/modules/apps/kde.te
 new file mode 100644
-index 0000000..169421f
+index 0000000..f9b9c0f
 --- /dev/null
 +++ b/policy/modules/apps/kde.te
-@@ -0,0 +1,40 @@
+@@ -0,0 +1,41 @@
 +policy_module(kde,1.0.0)
 +
 +########################################
@@ -66292,6 +66309,7 @@ index 0000000..169421f
 +type kdebacklighthelper_t;
 +type kdebacklighthelper_exec_t;
 +dbus_system_domain(kdebacklighthelper_t, kdebacklighthelper_exec_t)
++init_daemon_domain(kdebacklighthelper_t, kdebacklighthelper_exec_t)
 +
 +########################################
 +#
@@ -66323,20 +66341,21 @@ index 0000000..169421f
 +')
 +
 diff --git a/policy/modules/apps/kdumpgui.te b/policy/modules/apps/kdumpgui.te
-index 2dde73a..1b16fa4 100644
+index 2dde73a..6096f4d 100644
 --- a/policy/modules/apps/kdumpgui.te
 +++ b/policy/modules/apps/kdumpgui.te
-@@ -9,6 +9,9 @@ type kdumpgui_t;
+@@ -8,6 +8,10 @@ policy_module(kdumpgui, 1.0.1)
+ type kdumpgui_t;
  type kdumpgui_exec_t;
  dbus_system_domain(kdumpgui_t, kdumpgui_exec_t)
- 
++init_daemon_domain(kdumpgui_t, kdumpgui_exec_t)
++
 +type kdumpgui_tmp_t;
 +files_tmp_file(kdumpgui_tmp_t)
-+
+ 
  ######################################
  #
- # system-config-kdump local policy
-@@ -18,6 +21,10 @@ allow kdumpgui_t self:capability { net_admin sys_admin sys_rawio };
+@@ -18,6 +22,10 @@ allow kdumpgui_t self:capability { net_admin sys_admin sys_rawio };
  allow kdumpgui_t self:fifo_file rw_fifo_file_perms;
  allow kdumpgui_t self:netlink_kobject_uevent_socket create_socket_perms;
  
@@ -66347,7 +66366,7 @@ index 2dde73a..1b16fa4 100644
  kernel_read_system_state(kdumpgui_t)
  kernel_read_network_state(kdumpgui_t)
  
-@@ -36,6 +43,8 @@ files_manage_etc_runtime_files(kdumpgui_t)
+@@ -36,6 +44,8 @@ files_manage_etc_runtime_files(kdumpgui_t)
  files_etc_filetrans_etc_runtime(kdumpgui_t, file)
  files_read_usr_files(kdumpgui_t)
  
@@ -66356,7 +66375,7 @@ index 2dde73a..1b16fa4 100644
  storage_raw_read_fixed_disk(kdumpgui_t)
  storage_raw_write_fixed_disk(kdumpgui_t)
  
-@@ -45,8 +54,20 @@ logging_send_syslog_msg(kdumpgui_t)
+@@ -45,8 +55,20 @@ logging_send_syslog_msg(kdumpgui_t)
  
  miscfiles_read_localization(kdumpgui_t)
  
@@ -66377,7 +66396,7 @@ index 2dde73a..1b16fa4 100644
  optional_policy(`
  	consoletype_exec(kdumpgui_t)
  ')
-@@ -58,6 +79,7 @@ optional_policy(`
+@@ -58,6 +80,7 @@ optional_policy(`
  optional_policy(`
  	kdump_manage_config(kdumpgui_t)
  	kdump_initrc_domtrans(kdumpgui_t)
@@ -66837,10 +66856,24 @@ index fbb5c5a..637eb37 100644
  ')
 +
 diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index 2e9318b..174e347 100644
+index 2e9318b..7253482 100644
 --- a/policy/modules/apps/mozilla.te
 +++ b/policy/modules/apps/mozilla.te
-@@ -25,6 +25,7 @@ files_config_file(mozilla_conf_t)
+@@ -12,6 +12,13 @@ policy_module(mozilla, 2.3.3)
+ ## </desc>
+ gen_tunable(mozilla_read_content, false)
+ 
++## <desc>
++## <p>
++## Allow mozilla_plugins to create random content in the users home directory
++## </p>
++## </desc>
++gen_tunable(mozilla_plugin_enable_homedirs, false)
++
+ type mozilla_t;
+ type mozilla_exec_t;
+ typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t };
+@@ -25,6 +32,7 @@ files_config_file(mozilla_conf_t)
  type mozilla_home_t;
  typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t };
  typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t };
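Review bot: The `<desc>` text of the new `mozilla_plugin_enable_homedirs` tunable, "create random content in the users home directory", is what administrators see in `semanage boolean -l`, and it neither names the domain nor says what actually changes when it is switched on. Suggest `## Allow mozilla plugins (mozilla_plugin_t) to create files and directories directly in the user home directory; new entries are labeled mozilla_home_t.` The default of false is the right choice for a plugin domain. The tunable_policy that consumes the boolean is in a later hunk of this file.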
@@ -66848,7 +66881,7 @@ index 2e9318b..174e347 100644
  userdom_user_home_content(mozilla_home_t)
  
  type mozilla_plugin_t;
-@@ -33,13 +34,22 @@ application_domain(mozilla_plugin_t, mozilla_plugin_exec_t)
+@@ -33,13 +41,22 @@ application_domain(mozilla_plugin_t, mozilla_plugin_exec_t)
  role system_r types mozilla_plugin_t;
  
  type mozilla_plugin_tmp_t;
@@ -66871,7 +66904,7 @@ index 2e9318b..174e347 100644
  type mozilla_tmp_t;
  files_tmp_file(mozilla_tmp_t)
  ubac_constrained(mozilla_tmp_t)
-@@ -111,7 +121,9 @@ corenet_raw_sendrecv_generic_node(mozilla_t)
+@@ -111,7 +128,9 @@ corenet_raw_sendrecv_generic_node(mozilla_t)
  corenet_tcp_sendrecv_http_port(mozilla_t)
  corenet_tcp_sendrecv_http_cache_port(mozilla_t)
  corenet_tcp_sendrecv_squid_port(mozilla_t)
@@ -66881,7 +66914,7 @@ index 2e9318b..174e347 100644
  corenet_tcp_sendrecv_ipp_port(mozilla_t)
  corenet_tcp_connect_http_port(mozilla_t)
  corenet_tcp_connect_http_cache_port(mozilla_t)
-@@ -156,6 +168,8 @@ fs_rw_tmpfs_files(mozilla_t)
+@@ -156,6 +175,8 @@ fs_rw_tmpfs_files(mozilla_t)
  
  term_dontaudit_getattr_pty_dirs(mozilla_t)
  
@@ -66890,7 +66923,7 @@ index 2e9318b..174e347 100644
  logging_send_syslog_msg(mozilla_t)
  
  miscfiles_read_fonts(mozilla_t)
-@@ -165,27 +179,21 @@ miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
+@@ -165,27 +186,21 @@ miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
  # Browse the web, connect to printer
  sysnet_dns_name_resolve(mozilla_t)
  
@@ -66924,7 +66957,7 @@ index 2e9318b..174e347 100644
  
  # Uploads, local html
  tunable_policy(`mozilla_read_content && use_nfs_home_dirs',`
-@@ -262,6 +270,7 @@ optional_policy(`
+@@ -262,6 +277,7 @@ optional_policy(`
  optional_policy(`
  	gnome_stream_connect_gconf(mozilla_t)
  	gnome_manage_config(mozilla_t)
@@ -66932,7 +66965,7 @@ index 2e9318b..174e347 100644
  ')
  
  optional_policy(`
-@@ -278,10 +287,6 @@ optional_policy(`
+@@ -278,10 +294,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -66943,7 +66976,7 @@ index 2e9318b..174e347 100644
  	pulseaudio_exec(mozilla_t)
  	pulseaudio_stream_connect(mozilla_t)
  	pulseaudio_manage_home_files(mozilla_t)
-@@ -296,25 +301,33 @@ optional_policy(`
+@@ -296,25 +308,33 @@ optional_policy(`
  # mozilla_plugin local policy
  #
  
@@ -66985,7 +67018,7 @@ index 2e9318b..174e347 100644
  
  manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
  manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
-@@ -322,6 +335,10 @@ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plug
+@@ -322,6 +342,10 @@ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plug
  manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
  fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
  
@@ -66996,7 +67029,7 @@ index 2e9318b..174e347 100644
  can_exec(mozilla_plugin_t, mozilla_exec_t)
  
  kernel_read_kernel_sysctls(mozilla_plugin_t)
-@@ -331,12 +348,11 @@ kernel_request_load_module(mozilla_plugin_t)
+@@ -331,12 +355,11 @@ kernel_request_load_module(mozilla_plugin_t)
  
  corecmd_exec_bin(mozilla_plugin_t)
  corecmd_exec_shell(mozilla_plugin_t)
@@ -67012,7 +67045,7 @@ index 2e9318b..174e347 100644
  corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t)
  corenet_tcp_connect_http_port(mozilla_plugin_t)
  corenet_tcp_connect_http_cache_port(mozilla_plugin_t)
-@@ -344,9 +360,15 @@ corenet_tcp_connect_squid_port(mozilla_plugin_t)
+@@ -344,9 +367,15 @@ corenet_tcp_connect_squid_port(mozilla_plugin_t)
  corenet_tcp_connect_ipp_port(mozilla_plugin_t)
  corenet_tcp_connect_mmcc_port(mozilla_plugin_t)
  corenet_tcp_connect_speech_port(mozilla_plugin_t)
@@ -67028,7 +67061,7 @@ index 2e9318b..174e347 100644
  dev_read_video_dev(mozilla_plugin_t)
  dev_write_video_dev(mozilla_plugin_t)
  dev_read_sysfs(mozilla_plugin_t)
-@@ -355,6 +377,7 @@ dev_write_sound(mozilla_plugin_t)
+@@ -355,6 +384,7 @@ dev_write_sound(mozilla_plugin_t)
  # for nvidia driver
  dev_rw_xserver_misc(mozilla_plugin_t)
  dev_dontaudit_rw_dri(mozilla_plugin_t)
@@ -67036,7 +67069,7 @@ index 2e9318b..174e347 100644
  
  domain_use_interactive_fds(mozilla_plugin_t)
  domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
-@@ -362,6 +385,7 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
+@@ -362,6 +392,7 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
  files_read_config_files(mozilla_plugin_t)
  files_read_usr_files(mozilla_plugin_t)
  files_list_mnt(mozilla_plugin_t)
@@ -67044,7 +67077,7 @@ index 2e9318b..174e347 100644
  
  fs_getattr_all_fs(mozilla_plugin_t)
  fs_list_dos(mozilla_plugin_t)
-@@ -383,35 +407,26 @@ sysnet_dns_name_resolve(mozilla_plugin_t)
+@@ -383,35 +414,26 @@ sysnet_dns_name_resolve(mozilla_plugin_t)
  
  term_getattr_all_ttys(mozilla_plugin_t)
  term_getattr_all_ptys(mozilla_plugin_t)
@@ -67091,7 +67124,7 @@ index 2e9318b..174e347 100644
  
  optional_policy(`
  	alsa_read_rw_config(mozilla_plugin_t)
-@@ -421,11 +436,19 @@ optional_policy(`
+@@ -421,11 +443,19 @@ optional_policy(`
  optional_policy(`
  	dbus_system_bus_client(mozilla_plugin_t)
  	dbus_session_bus_client(mozilla_plugin_t)
@@ -67111,7 +67144,7 @@ index 2e9318b..174e347 100644
  ')
  
  optional_policy(`
-@@ -438,18 +461,98 @@ optional_policy(`
+@@ -438,18 +468,103 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -67145,7 +67178,7 @@ index 2e9318b..174e347 100644
 +	xserver_read_user_iceauth(mozilla_plugin_t)
 +	xserver_read_user_xauth(mozilla_plugin_t)
 +	xserver_append_xdm_home_files(mozilla_plugin_t);
-+')
+ ')
 +
 +########################################
 +#
@@ -67213,7 +67246,12 @@ index 2e9318b..174e347 100644
 +	typealias mozilla_home_t alias nsplugin_home_t;
 +	typealias mozilla_plugin_config_t  alias nsplugin_config_t;
 +	typealias mozilla_plugin_config_exec_t  alias nsplugin_config_exec_t;
- ')
++')
++
++tunable_policy(`mozilla_plugin_enable_homedirs',`
++	userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, { dir file })
++')
++
 diff --git a/policy/modules/apps/mplayer.if b/policy/modules/apps/mplayer.if
 index d8ea41d..8bdc526 100644
 --- a/policy/modules/apps/mplayer.if
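Review bot: The new `tunable_policy` block is more than a labeling rule: if `userdom_user_home_dir_filetrans` is the refpolicy interface, it expands through `filetrans_pattern`, which carries `rw_dir_perms` on user_home_dir_t, so turning `mozilla_plugin_enable_homedirs` on lets mozilla_plugin_t add and remove names directly in the top of the user home directory, and the unnamed `{ dir file }` transition labels whatever it drops there mozilla_home_t. That is presumably the intent, but it deserves a comment on the rule so nobody reads it as cosmetic: `# Boolean-gated: opens add_name/remove_name on ~ itself and labels new top-level entries mozilla_home_t (default off)`. Whether mozilla_plugin_t can then create mozilla_home_t objects is decided by rules outside this hunk; the block is appended after the distro_redhat alias block at the end of the file.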
@@ -73508,7 +73546,7 @@ index 4f3b542..0ebac89 100644
 +	dev_filetrans($1, ppp_device_t, chr_file, "ppp")
 +')
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 99b71cb..83554ff 100644
+index 99b71cb..c3154ee 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -11,11 +11,15 @@ attribute netif_type;
@@ -73690,7 +73728,7 @@ index 99b71cb..83554ff 100644
  network_port(mpd, tcp,6600,s0)
  network_port(msnp, tcp,1863,s0, udp,1863,s0)
  network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
-@@ -152,21 +211,31 @@ network_port(mysqlmanagerd, tcp,2273,s0)
+@@ -152,21 +211,32 @@ network_port(mysqlmanagerd, tcp,2273,s0)
  network_port(nessus, tcp,1241,s0)
  network_port(netport, tcp,3129,s0, udp,3129,s0)
  network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
@@ -73702,6 +73740,7 @@ index 99b71cb..83554ff 100644
 +network_port(oracle, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0)
  network_port(ocsp, tcp,9080,s0)
  network_port(openvpn, tcp,1194,s0, udp,1194,s0)
++network_port(openhpid, tcp,4743,s0, udp,4743,s0)
 +network_port(pktcable, tcp,2126,s0, udp,2126,s0, tcp,3198,s0, udp,3198,s0)
  network_port(pegasus_http, tcp,5988,s0)
  network_port(pegasus_https, tcp,5989,s0)
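Review bot: `network_port(openhpid, tcp,4743,s0, udp,4743,s0)` is inserted after the `openvpn` entry, while the neighbouring `ocsp`/`openvpn` lines read as alphabetical; `openhpid` sorts before `openvpn`, so moving the line one up keeps the table scannable: `network_port(openhpid, tcp,4743,s0, udp,4743,s0)` directly under `ocsp`. The port value cannot be checked from here; 4743 is the port the OpenHPI daemon is generally documented to use, but it is worth confirming against the packaged openhpid.conf before a new port type is frozen into policy.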
@@ -73723,7 +73762,7 @@ index 99b71cb..83554ff 100644
  network_port(prelude, tcp,4690,s0, udp,4690,s0)
  network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
  network_port(printer, tcp,515,s0)
-@@ -175,38 +244,46 @@ network_port(pulseaudio, tcp,4713,s0)
+@@ -175,38 +245,46 @@ network_port(pulseaudio, tcp,4713,s0)
  network_port(puppet, tcp, 8140, s0)
  network_port(pxe, udp,4011,s0)
  network_port(pyzor, udp,24441,s0)
@@ -73776,7 +73815,7 @@ index 99b71cb..83554ff 100644
  network_port(traceroute, udp,64000-64010,s0)
  network_port(transproxy, tcp,8081,s0)
  network_port(ups, tcp,3493,s0)
-@@ -215,9 +292,12 @@ network_port(uucpd, tcp,540,s0)
+@@ -215,9 +293,12 @@ network_port(uucpd, tcp,540,s0)
  network_port(varnishd, tcp,6081-6082,s0)
  network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
  network_port(virt_migration, tcp,49152-49216,s0)
@@ -73790,7 +73829,7 @@ index 99b71cb..83554ff 100644
  network_port(xdmcp, udp,177,s0, tcp,177,s0)
  network_port(xen, tcp,8002,s0)
  network_port(xfs, tcp,7100,s0)
-@@ -229,6 +309,7 @@ network_port(zookeeper_client, tcp,2181,s0)
+@@ -229,6 +310,7 @@ network_port(zookeeper_client, tcp,2181,s0)
  network_port(zookeeper_election, tcp,3888,s0)
  network_port(zookeeper_leader, tcp,2888,s0)
  network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0)
@@ -73798,7 +73837,7 @@ index 99b71cb..83554ff 100644
  network_port(zope, tcp,8021,s0)
  
  # Defaults for reserved ports.	Earlier portcon entries take precedence;
-@@ -238,6 +319,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+@@ -238,6 +320,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
  portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
  portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
  portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
@@ -73811,7 +73850,7 @@ index 99b71cb..83554ff 100644
  
  ########################################
  #
-@@ -282,9 +369,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -282,9 +370,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
  allow corenet_unconfined_type node_type:node *;
  allow corenet_unconfined_type netif_type:netif *;
  allow corenet_unconfined_type packet_type:packet *;
@@ -73946,7 +73985,7 @@ index 6cf8784..21a5923 100644
 +/usr/lib/udev/devices/null	-c	gen_context(system_u:object_r:null_device_t,s0)
 +/usr/lib/udev/devices/zero	-c	gen_context(system_u:object_r:zero_device_t,s0)
 diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index f820f3b..31a502b 100644
+index f820f3b..36ef4e2 100644
 --- a/policy/modules/kernel/devices.if
 +++ b/policy/modules/kernel/devices.if
 @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -74393,28 +74432,46 @@ index f820f3b..31a502b 100644
  ########################################
  ## <summary>
 -##	Read printk devices (e.g., /dev/kmsg /dev/mcelog)
-+##	Read and write the printer device.
++##	Relabel the printer device node.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3218,12 +3474,13 @@ interface(`dev_rw_printer',`
+@@ -3218,12 +3474,31 @@ interface(`dev_rw_printer',`
  ##	</summary>
  ## </param>
  #
 -interface(`dev_read_printk',`
-+interface(`dev_manage_printer',`
++interface(`dev_relabel_printer',`
  	gen_require(`
 -		type device_t, printk_device_t;
-+		type device_t, printer_device_t;
++		type printer_device_t;
  	')
  
 -	read_chr_files_pattern($1, device_t, printk_device_t)
++	allow $1 printer_device_t:chr_file relabel_chr_file_perms;
++')
++
++########################################
++## <summary>
++##	Read and write the printer device.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_manage_printer',`
++	gen_require(`
++		type device_t, printer_device_t;
++	')
++
 +	manage_chr_files_pattern($1, device_t, printer_device_t)
 +	dev_filetrans_printer_named_dev($1)
  ')
  
  ########################################
-@@ -3811,6 +4068,42 @@ interface(`dev_getattr_sysfs_dirs',`
+@@ -3811,6 +4086,42 @@ interface(`dev_getattr_sysfs_dirs',`
  
  ########################################
  ## <summary>
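Review bot: The summary on `dev_manage_printer` still reads "Read and write the printer device." while the body grants `manage_chr_files_pattern` plus `dev_filetrans_printer_named_dev`, i.e. create and delete of the node under /dev as well; the relabel sibling above it got accurate wording, but this one carries over the old read/write text. Suggest `##	Create, read, write, and delete the printer device node, with the name-based type transition for newly created nodes.` Both interfaces are otherwise complete within the hunk.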
@@ -74457,7 +74514,7 @@ index f820f3b..31a502b 100644
  ##	Search the sysfs directories.
  ## </summary>
  ## <param name="domain">
-@@ -3860,6 +4153,7 @@ interface(`dev_list_sysfs',`
+@@ -3860,6 +4171,7 @@ interface(`dev_list_sysfs',`
  		type sysfs_t;
  	')
  
@@ -74465,7 +74522,7 @@ index f820f3b..31a502b 100644
  	list_dirs_pattern($1, sysfs_t, sysfs_t)
  ')
  
-@@ -3902,23 +4196,49 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
+@@ -3902,23 +4214,49 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
  
  ########################################
  ## <summary>
@@ -74486,7 +74543,7 @@ index f820f3b..31a502b 100644
  #
 -interface(`dev_manage_sysfs_dirs',`
 +interface(`dev_read_cpu_online',`
-+	gen_require(`
+ 	gen_require(`
 +		type cpu_online_t;
 +	')
 +
@@ -74505,7 +74562,7 @@ index f820f3b..31a502b 100644
 +## </param>
 +#
 +interface(`dev_relabel_cpu_online',`
- 	gen_require(`
++	gen_require(`
 +		type cpu_online_t;
  		type sysfs_t;
  	')
@@ -74519,7 +74576,7 @@ index f820f3b..31a502b 100644
  ########################################
  ## <summary>
  ##	Read hardware state information.
-@@ -3972,6 +4292,62 @@ interface(`dev_rw_sysfs',`
+@@ -3972,6 +4310,62 @@ interface(`dev_rw_sysfs',`
  
  ########################################
  ## <summary>
@@ -74582,7 +74639,7 @@ index f820f3b..31a502b 100644
  ##	Read and write the TPM device.
  ## </summary>
  ## <param name="domain">
-@@ -4069,6 +4445,25 @@ interface(`dev_write_urand',`
+@@ -4069,6 +4463,25 @@ interface(`dev_write_urand',`
  
  ########################################
  ## <summary>
@@ -74608,7 +74665,7 @@ index f820f3b..31a502b 100644
  ##	Getattr generic the USB devices.
  ## </summary>
  ## <param name="domain">
-@@ -4103,6 +4498,24 @@ interface(`dev_setattr_generic_usb_dev',`
+@@ -4103,6 +4516,24 @@ interface(`dev_setattr_generic_usb_dev',`
  	setattr_chr_files_pattern($1, device_t, usb_device_t)
  ')
  
@@ -74633,7 +74690,7 @@ index f820f3b..31a502b 100644
  ########################################
  ## <summary>
  ##	Read generic the USB devices.
-@@ -4495,6 +4908,24 @@ interface(`dev_rw_vhost',`
+@@ -4495,6 +4926,24 @@ interface(`dev_rw_vhost',`
  
  ########################################
  ## <summary>
@@ -74658,7 +74715,7 @@ index f820f3b..31a502b 100644
  ##	Read and write VMWare devices.
  ## </summary>
  ## <param name="domain">
-@@ -4695,6 +5126,26 @@ interface(`dev_rw_xserver_misc',`
+@@ -4695,6 +5144,26 @@ interface(`dev_rw_xserver_misc',`
  
  ########################################
  ## <summary>
@@ -74685,7 +74742,7 @@ index f820f3b..31a502b 100644
  ##	Read and write to the zero device (/dev/zero).
  ## </summary>
  ## <param name="domain">
-@@ -4784,3 +5235,861 @@ interface(`dev_unconfined',`
+@@ -4784,3 +5253,861 @@ interface(`dev_unconfined',`
  
  	typeattribute $1 devices_unconfined_type;
  ')
@@ -76205,7 +76262,7 @@ index c19518a..04ef731 100644
 +/nsr(/.*)?			gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?			gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index ff006ea..1dfeb37 100644
+index ff006ea..991c77e 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
 @@ -55,6 +55,7 @@
@@ -76541,7 +76598,7 @@ index ff006ea..1dfeb37 100644
  ##	Read files in /etc that are dynamically
  ##	created on boot, such as mtab.
  ## </summary>
-@@ -2738,6 +2915,24 @@ interface(`files_read_etc_runtime_files',`
+@@ -2738,6 +2915,42 @@ interface(`files_read_etc_runtime_files',`
  
  ########################################
  ## <summary>
@@ -76563,10 +76620,28 @@ index ff006ea..1dfeb37 100644
 +
 +########################################
 +## <summary>
++##	Do not audit attempts to write etc_runtime files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`files_dontaudit_write_etc_runtime_files',`
++	gen_require(`
++		type etc_runtime_t;
++	')
++
++	dontaudit $1 etc_runtime_t:file write;
++')
++
++########################################
++## <summary>
  ##	Do not audit attempts to read files
  ##	in /etc that are dynamically
  ##	created on boot, such as mtab.
-@@ -2775,6 +2970,7 @@ interface(`files_rw_etc_runtime_files',`
+@@ -2775,6 +2988,7 @@ interface(`files_rw_etc_runtime_files',`
  
  	allow $1 etc_t:dir list_dir_perms;
  	rw_files_pattern($1, etc_t, etc_runtime_t)
@@ -76574,7 +76649,7 @@ index ff006ea..1dfeb37 100644
  ')
  
  ########################################
-@@ -2796,6 +2992,7 @@ interface(`files_manage_etc_runtime_files',`
+@@ -2796,6 +3010,7 @@ interface(`files_manage_etc_runtime_files',`
  	')
  
  	manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
@@ -76582,7 +76657,7 @@ index ff006ea..1dfeb37 100644
  ')
  
  ########################################
-@@ -3364,7 +3561,7 @@ interface(`files_home_filetrans',`
+@@ -3364,7 +3579,7 @@ interface(`files_home_filetrans',`
  		type home_root_t;
  	')
  
@@ -76591,7 +76666,7 @@ index ff006ea..1dfeb37 100644
  ')
  
  ########################################
-@@ -3502,20 +3699,38 @@ interface(`files_list_mnt',`
+@@ -3502,20 +3717,38 @@ interface(`files_list_mnt',`
  
  ######################################
  ## <summary>
@@ -76635,7 +76710,7 @@ index ff006ea..1dfeb37 100644
  ')
  
  ########################################
-@@ -3804,7 +4019,7 @@ interface(`files_kernel_modules_filetrans',`
+@@ -3804,7 +4037,7 @@ interface(`files_kernel_modules_filetrans',`
  		type modules_object_t;
  	')
  
@@ -76644,7 +76719,7 @@ index ff006ea..1dfeb37 100644
  ')
  
  ########################################
-@@ -3900,82 +4115,223 @@ interface(`files_read_world_readable_sockets',`
+@@ -3900,58 +4133,199 @@ interface(`files_read_world_readable_sockets',`
  	allow $1 readable_t:sock_file read_sock_file_perms;
  ')
  
@@ -76729,13 +76804,11 @@ index ff006ea..1dfeb37 100644
 -interface(`files_dontaudit_getattr_tmp_dirs',`
 -	gen_require(`
 -		type tmp_t;
--	')
 +interface(`files_filetrans_system_conf_named_files',`
 +    gen_require(`
 +        type etc_t, system_conf_t;
 +    ')
- 
--	dontaudit $1 tmp_t:dir getattr;
++
 +	filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf")
 +	filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf.old")
 +	filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables.old")
@@ -76746,37 +76819,26 @@ index ff006ea..1dfeb37 100644
 +	filetrans_pattern($1, etc_t, system_conf_t, file, "iptables-config.old")
 +	filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall")
 +	filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall.old")
- ')
- 
--########################################
++')
++
 +######################################
- ## <summary>
--##	Search the tmp directory (/tmp).
++## <summary>
 +##  Relabel manageable system configuration files in /etc.
- ## </summary>
- ## <param name="domain">
--##	<summary>
--##	Domain allowed access.
--##	</summary>
++## </summary>
++## <param name="domain">
 +##  <summary>
 +##  Domain allowed access.
 +##  </summary>
- ## </param>
- #
--interface(`files_search_tmp',`
--	gen_require(`
--		type tmp_t;
--	')
++## </param>
++#
 +interface(`files_relabelto_system_conf_files',`
 +    gen_require(`
 +        type usr_t;
 +    ')
- 
--	allow $1 tmp_t:dir search_dir_perms;
++
 +    relabelto_files_pattern($1, system_conf_t, system_conf_t)
- ')
- 
--########################################
++')
++
 +######################################
 +## <summary>
 +##  Relabel manageable system configuration files in /etc.
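Review bot: In `files_relabelto_system_conf_files` the `gen_require` block declares `type usr_t;` while the body uses `system_conf_t`, which is never required; a module expanding this interface without system_conf_t otherwise in scope will presumably fail to build, and usr_t is a dead requirement. The fix is `type system_conf_t;` in place of `type usr_t;`. Separately, `relabelto_files_pattern($1, system_conf_t, system_conf_t)` passes system_conf_t as the directory type, yet the named transitions just above create these files inside etc_t, so the caller likely also needs search on etc_t (for example `files_search_etc($1)`) — worth confirming against an actual caller. These lines are context in this hunk, so the defect predates the commit, and the interface uses four-space indentation where its neighbours use tabs.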
@@ -76886,34 +76948,10 @@ index ff006ea..1dfeb37 100644
 +interface(`files_dontaudit_getattr_tmp_dirs',`
 +	gen_require(`
 +		type tmp_t;
-+	')
-+
-+	dontaudit $1 tmp_t:dir getattr;
-+')
-+
-+########################################
-+## <summary>
-+##	Search the tmp directory (/tmp).
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_search_tmp',`
-+	gen_require(`
-+		type tmp_t;
-+	')
-+
-+	allow $1 tmp_t:dir search_dir_perms;
-+')
-+
-+########################################
- ## <summary>
- ##	Do not audit attempts to search the tmp directory (/tmp).
- ## </summary>
-@@ -4017,7 +4373,7 @@ interface(`files_list_tmp',`
+ 	')
+ 
+ 	dontaudit $1 tmp_t:dir getattr;
+@@ -4017,7 +4391,7 @@ interface(`files_list_tmp',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -76922,7 +76960,7 @@ index ff006ea..1dfeb37 100644
  ##	</summary>
  ## </param>
  #
-@@ -4029,6 +4385,24 @@ interface(`files_dontaudit_list_tmp',`
+@@ -4029,6 +4403,24 @@ interface(`files_dontaudit_list_tmp',`
  	dontaudit $1 tmp_t:dir list_dir_perms;
  ')
  
@@ -76947,7 +76985,7 @@ index ff006ea..1dfeb37 100644
  ########################################
  ## <summary>
  ##	Remove entries from the tmp directory.
-@@ -4085,6 +4459,32 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -4085,6 +4477,32 @@ interface(`files_manage_generic_tmp_dirs',`
  
  ########################################
  ## <summary>
@@ -76980,7 +77018,7 @@ index ff006ea..1dfeb37 100644
  ##	Manage temporary files and directories in /tmp.
  ## </summary>
  ## <param name="domain">
-@@ -4139,6 +4539,42 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4139,6 +4557,42 @@ interface(`files_rw_generic_tmp_sockets',`
  
  ########################################
  ## <summary>
@@ -77023,7 +77061,7 @@ index ff006ea..1dfeb37 100644
  ##	Set the attributes of all tmp directories.
  ## </summary>
  ## <param name="domain">
-@@ -4202,7 +4638,7 @@ interface(`files_relabel_all_tmp_dirs',`
+@@ -4202,7 +4656,7 @@ interface(`files_relabel_all_tmp_dirs',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -77032,7 +77070,7 @@ index ff006ea..1dfeb37 100644
  ##	</summary>
  ## </param>
  #
-@@ -4262,7 +4698,7 @@ interface(`files_relabel_all_tmp_files',`
+@@ -4262,7 +4716,7 @@ interface(`files_relabel_all_tmp_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -77041,7 +77079,7 @@ index ff006ea..1dfeb37 100644
  ##	</summary>
  ## </param>
  #
-@@ -4318,7 +4754,7 @@ interface(`files_tmp_filetrans',`
+@@ -4318,7 +4772,7 @@ interface(`files_tmp_filetrans',`
  		type tmp_t;
  	')
  
@@ -77050,7 +77088,7 @@ index ff006ea..1dfeb37 100644
  ')
  
  ########################################
-@@ -4342,6 +4778,16 @@ interface(`files_purge_tmp',`
+@@ -4342,6 +4796,16 @@ interface(`files_purge_tmp',`
  	delete_lnk_files_pattern($1, tmpfile, tmpfile)
  	delete_fifo_files_pattern($1, tmpfile, tmpfile)
  	delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -77067,7 +77105,7 @@ index ff006ea..1dfeb37 100644
  ')
  
  ########################################
-@@ -4681,7 +5127,7 @@ interface(`files_usr_filetrans',`
+@@ -4681,7 +5145,7 @@ interface(`files_usr_filetrans',`
  		type usr_t;
  	')
  
@@ -77076,7 +77114,7 @@ index ff006ea..1dfeb37 100644
  ')
  
  ########################################
-@@ -4914,6 +5360,24 @@ interface(`files_list_var',`
+@@ -4914,6 +5378,24 @@ interface(`files_list_var',`
  
  ########################################
  ## <summary>
@@ -77101,7 +77139,7 @@ index ff006ea..1dfeb37 100644
  ##	Create, read, write, and delete directories
  ##	in the /var directory.
  ## </summary>
-@@ -5084,7 +5548,7 @@ interface(`files_var_filetrans',`
+@@ -5084,7 +5566,7 @@ interface(`files_var_filetrans',`
  		type var_t;
  	')
  
@@ -77110,7 +77148,7 @@ index ff006ea..1dfeb37 100644
  ')
  
  ########################################
-@@ -5219,7 +5683,7 @@ interface(`files_var_lib_filetrans',`
+@@ -5219,7 +5701,7 @@ interface(`files_var_lib_filetrans',`
  	')
  
  	allow $1 var_t:dir search_dir_perms;
@@ -77119,7 +77157,7 @@ index ff006ea..1dfeb37 100644
  ')
  
  ########################################
-@@ -5259,6 +5723,25 @@ interface(`files_read_var_lib_symlinks',`
+@@ -5259,6 +5741,25 @@ interface(`files_read_var_lib_symlinks',`
  	read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
  ')
  
@@ -77145,7 +77183,7 @@ index ff006ea..1dfeb37 100644
  # cjp: the next two interfaces really need to be fixed
  # in some way.  They really neeed their own types.
  
-@@ -5304,6 +5787,25 @@ interface(`files_manage_mounttab',`
+@@ -5304,6 +5805,25 @@ interface(`files_manage_mounttab',`
  
  ########################################
  ## <summary>
@@ -77171,7 +77209,7 @@ index ff006ea..1dfeb37 100644
  ##	Search the locks directory (/var/lock).
  ## </summary>
  ## <param name="domain">
-@@ -5317,6 +5819,8 @@ interface(`files_search_locks',`
+@@ -5317,6 +5837,8 @@ interface(`files_search_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -77180,7 +77218,7 @@ index ff006ea..1dfeb37 100644
  	search_dirs_pattern($1, var_t, var_lock_t)
  ')
  
-@@ -5336,12 +5840,14 @@ interface(`files_dontaudit_search_locks',`
+@@ -5336,12 +5858,14 @@ interface(`files_dontaudit_search_locks',`
  		type var_lock_t;
  	')
  
@@ -77196,7 +77234,7 @@ index ff006ea..1dfeb37 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5349,12 +5855,30 @@ interface(`files_dontaudit_search_locks',`
+@@ -5349,12 +5873,30 @@ interface(`files_dontaudit_search_locks',`
  ##	</summary>
  ## </param>
  #
@@ -77208,7 +77246,8 @@ index ff006ea..1dfeb37 100644
 +	files_search_locks($1)
 +	allow $1 var_lock_t:dir create_dir_perms;
 +')
-+
+ 
+-	list_dirs_pattern($1, var_t, var_lock_t)
 +########################################
 +## <summary>
 +##	Set the attributes of the /var/lock directory.
@@ -77223,13 +77262,12 @@ index ff006ea..1dfeb37 100644
 +	gen_require(`
 +		type var_lock_t;
 +	')
- 
--	list_dirs_pattern($1, var_t, var_lock_t)
++
 +	allow $1 var_lock_t:dir setattr;
  ')
  
  ########################################
-@@ -5373,6 +5897,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5373,6 +5915,7 @@ interface(`files_rw_lock_dirs',`
  		type var_t, var_lock_t;
  	')
  
@@ -77237,7 +77275,7 @@ index ff006ea..1dfeb37 100644
  	rw_dirs_pattern($1, var_t, var_lock_t)
  ')
  
-@@ -5385,7 +5910,6 @@ interface(`files_rw_lock_dirs',`
+@@ -5385,7 +5928,6 @@ interface(`files_rw_lock_dirs',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -77245,7 +77283,7 @@ index ff006ea..1dfeb37 100644
  #
  interface(`files_relabel_all_lock_dirs',`
  	gen_require(`
-@@ -5412,7 +5936,7 @@ interface(`files_getattr_generic_locks',`
+@@ -5412,7 +5954,7 @@ interface(`files_getattr_generic_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -77254,7 +77292,7 @@ index ff006ea..1dfeb37 100644
  	allow $1 var_lock_t:dir list_dir_perms;
  	getattr_files_pattern($1, var_lock_t, var_lock_t)
  ')
-@@ -5428,12 +5952,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5428,12 +5970,12 @@ interface(`files_getattr_generic_locks',`
  ## </param>
  #
  interface(`files_delete_generic_locks',`
@@ -77271,7 +77309,7 @@ index ff006ea..1dfeb37 100644
  ')
  
  ########################################
-@@ -5452,7 +5976,7 @@ interface(`files_manage_generic_locks',`
+@@ -5452,7 +5994,7 @@ interface(`files_manage_generic_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -77280,7 +77318,7 @@ index ff006ea..1dfeb37 100644
  	manage_files_pattern($1, var_lock_t, var_lock_t)
  ')
  
-@@ -5493,7 +6017,7 @@ interface(`files_read_all_locks',`
+@@ -5493,7 +6035,7 @@ interface(`files_read_all_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -77289,7 +77327,7 @@ index ff006ea..1dfeb37 100644
  	allow $1 lockfile:dir list_dir_perms;
  	read_files_pattern($1, lockfile, lockfile)
  	read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5515,7 +6039,7 @@ interface(`files_manage_all_locks',`
+@@ -5515,7 +6057,7 @@ interface(`files_manage_all_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -77298,7 +77336,7 @@ index ff006ea..1dfeb37 100644
  	manage_dirs_pattern($1, lockfile, lockfile)
  	manage_files_pattern($1, lockfile, lockfile)
  	manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5547,8 +6071,8 @@ interface(`files_lock_filetrans',`
+@@ -5547,8 +6089,8 @@ interface(`files_lock_filetrans',`
  		type var_t, var_lock_t;
  	')
  
@@ -77309,28 +77347,20 @@ index ff006ea..1dfeb37 100644
  ')
  
  ########################################
-@@ -5608,19 +6132,56 @@ interface(`files_search_pids',`
+@@ -5608,6 +6150,43 @@ interface(`files_search_pids',`
  	search_dirs_pattern($1, var_t, var_run_t)
  ')
  
--########################################
 +######################################
- ## <summary>
--##	Do not audit attempts to search
--##	the /var/run directory.
++## <summary>
 +## Add and remove entries from pid directories.
- ## </summary>
- ## <param name="domain">
--##	<summary>
--##	Domain to not audit.
--##	</summary>
++## </summary>
++## <param name="domain">
 +## <summary>
 +## Domain allowed access.
 +## </summary>
- ## </param>
- #
--interface(`files_dontaudit_search_pids',`
--	gen_require(`
++## </param>
++#
 +interface(`files_rw_pid_dirs',`
 +    gen_require(`
 +        type var_run_t;
@@ -77358,26 +77388,15 @@ index ff006ea..1dfeb37 100644
 +        allow $1 var_run_t:dir create_dir_perms;
 +')
 +
-+########################################
-+## <summary>
-+##	Do not audit attempts to search
-+##	the /var/run directory.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_dontaudit_search_pids',`
-+	gen_require(`
- 		type var_run_t;
- 	')
- 
-@@ -5629,6 +6190,25 @@ interface(`files_dontaudit_search_pids',`
+ ########################################
+ ## <summary>
+ ##	Do not audit attempts to search
+@@ -5629,8 +6208,27 @@ interface(`files_dontaudit_search_pids',`
  
  ########################################
  ## <summary>
+-##	List the contents of the runtime process
+-##	ID directories (/var/run).
 +##	Do not audit attempts to search
 +##	the all /var/run directory.
 +## </summary>
@@ -77397,10 +77416,12 @@ index ff006ea..1dfeb37 100644
 +
 +########################################
 +## <summary>
- ##	List the contents of the runtime process
- ##	ID directories (/var/run).
++##	List the contents of the runtime process
++##	ID directories (/var/run).
  ## </summary>
-@@ -5736,7 +6316,7 @@ interface(`files_pid_filetrans',`
+ ## <param name="domain">
+ ##	<summary>
+@@ -5736,7 +6334,7 @@ interface(`files_pid_filetrans',`
  	')
  
  	allow $1 var_t:dir search_dir_perms;
@@ -77409,7 +77430,7 @@ index ff006ea..1dfeb37 100644
  ')
  
  ########################################
-@@ -5815,6 +6395,116 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -5815,6 +6413,116 @@ interface(`files_dontaudit_ioctl_all_pids',`
  
  ########################################
  ## <summary>
@@ -77526,7 +77547,7 @@ index ff006ea..1dfeb37 100644
  ##	Read all process ID files.
  ## </summary>
  ## <param name="domain">
-@@ -5832,6 +6522,62 @@ interface(`files_read_all_pids',`
+@@ -5832,6 +6540,62 @@ interface(`files_read_all_pids',`
  
  	list_dirs_pattern($1, var_t, pidfile)
  	read_files_pattern($1, pidfile, pidfile)
@@ -77589,7 +77610,7 @@ index ff006ea..1dfeb37 100644
  ')
  
  ########################################
-@@ -5900,6 +6646,90 @@ interface(`files_delete_all_pid_dirs',`
+@@ -5900,6 +6664,90 @@ interface(`files_delete_all_pid_dirs',`
  
  ########################################
  ## <summary>
@@ -77680,7 +77701,7 @@ index ff006ea..1dfeb37 100644
  ##	Search the contents of generic spool
  ##	directories (/var/spool).
  ## </summary>
-@@ -6042,7 +6872,7 @@ interface(`files_spool_filetrans',`
+@@ -6042,7 +6890,7 @@ interface(`files_spool_filetrans',`
  	')
  
  	allow $1 var_t:dir search_dir_perms;
@@ -77689,7 +77710,7 @@ index ff006ea..1dfeb37 100644
  ')
  
  ########################################
-@@ -6117,3 +6947,324 @@ interface(`files_unconfined',`
+@@ -6117,3 +6965,324 @@ interface(`files_unconfined',`
  
  	typeattribute $1 files_unconfined_type;
  ')
@@ -85814,10 +85835,10 @@ index 6480167..d0bf548 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
  ')
 diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 3136c6a..3ee87ed 100644
+index 3136c6a..d4ba46f 100644
 --- a/policy/modules/services/apache.te
 +++ b/policy/modules/services/apache.te
-@@ -18,136 +18,261 @@ policy_module(apache, 2.2.1)
+@@ -18,136 +18,268 @@ policy_module(apache, 2.2.1)
  # Declarations
  #
  
@@ -85907,6 +85928,13 @@ index 3136c6a..3ee87ed 100644
 +
 +## <desc>
 +##	<p>
++##	Allow HTTPD to connect to port 80 for graceful shutdown
++##	</p>
++## </desc>
++gen_tunable(httpd_graceful_shutdown, false)
++
++## <desc>
++##	<p>
 +##	Allow HTTPD scripts and modules to connect to databases over the network.
 +##	</p>
  ## </desc>
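Review bot: The new description for `httpd_graceful_shutdown` says "port 80", but the rule it gates later in this patch is `corenet_tcp_connect_http_port(httpd_t)`, which permits connecting to every port labeled http_port_t rather than to 80 alone; in the stock port definitions that set presumably also covers 443 and the 8xxx HTTP ports (confirm against corenetwork.te). A description matching the rule would be `##	Allow HTTPD to connect to its own HTTP ports (http_port_t) to perform a graceful shutdown`. As written, an administrator reading semanage boolean output would underestimate what enabling the boolean permits.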
@@ -85947,17 +85975,17 @@ index 3136c6a..3ee87ed 100644
 +## </desc>
 +gen_tunable(httpd_can_connect_zabbix, false)
 +
-+## <desc>
+ ## <desc>
+-## <p>
+-## Allow Apache to communicate with avahi service via dbus
+-## </p>
 +##	<p>
 +##	Allow http daemon to check spam
 +##	</p>
 +## </desc>
 +gen_tunable(httpd_can_check_spam, false)
 +
- ## <desc>
--## <p>
--## Allow Apache to communicate with avahi service via dbus
--## </p>
++## <desc>
 +##	<p>
 +##	Allow Apache to communicate with avahi service via dbus
 +##	</p>
@@ -86135,7 +86163,7 @@ index 3136c6a..3ee87ed 100644
  attribute httpd_script_exec_type;
  attribute httpd_user_script_exec_type;
  
-@@ -166,7 +291,7 @@ files_type(httpd_cache_t)
+@@ -166,7 +298,7 @@ files_type(httpd_cache_t)
  
  # httpd_config_t is the type given to the configuration files
  type httpd_config_t;
@@ -86144,7 +86172,7 @@ index 3136c6a..3ee87ed 100644
  
  type httpd_helper_t;
  type httpd_helper_exec_t;
-@@ -177,6 +302,9 @@ role system_r types httpd_helper_t;
+@@ -177,6 +309,9 @@ role system_r types httpd_helper_t;
  type httpd_initrc_exec_t;
  init_script_file(httpd_initrc_exec_t)
  
@@ -86154,7 +86182,7 @@ index 3136c6a..3ee87ed 100644
  type httpd_lock_t;
  files_lock_file(httpd_lock_t)
  
-@@ -216,7 +344,21 @@ files_tmp_file(httpd_suexec_tmp_t)
+@@ -216,7 +351,21 @@ files_tmp_file(httpd_suexec_tmp_t)
  
  # setup the system domain for system CGI scripts
  apache_content_template(sys)
@@ -86177,7 +86205,7 @@ index 3136c6a..3ee87ed 100644
  
  type httpd_tmp_t;
  files_tmp_file(httpd_tmp_t)
-@@ -226,6 +368,10 @@ files_tmpfs_file(httpd_tmpfs_t)
+@@ -226,6 +375,10 @@ files_tmpfs_file(httpd_tmpfs_t)
  
  apache_content_template(user)
  ubac_constrained(httpd_user_script_t)
@@ -86188,7 +86216,7 @@ index 3136c6a..3ee87ed 100644
  userdom_user_home_content(httpd_user_content_t)
  userdom_user_home_content(httpd_user_htaccess_t)
  userdom_user_home_content(httpd_user_script_exec_t)
-@@ -233,6 +379,7 @@ userdom_user_home_content(httpd_user_ra_content_t)
+@@ -233,6 +386,7 @@ userdom_user_home_content(httpd_user_ra_content_t)
  userdom_user_home_content(httpd_user_rw_content_t)
  typeattribute httpd_user_script_t httpd_script_domains;
  typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
@@ -86196,7 +86224,7 @@ index 3136c6a..3ee87ed 100644
  typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
  typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
  typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
-@@ -254,14 +401,23 @@ files_type(httpd_var_lib_t)
+@@ -254,14 +408,23 @@ files_type(httpd_var_lib_t)
  type httpd_var_run_t;
  files_pid_file(httpd_var_run_t)
  
@@ -86220,7 +86248,7 @@ index 3136c6a..3ee87ed 100644
  ########################################
  #
  # Apache server local policy
-@@ -281,11 +437,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -281,11 +444,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
  allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow httpd_t self:tcp_socket create_stream_socket_perms;
  allow httpd_t self:udp_socket create_socket_perms;
@@ -86234,7 +86262,7 @@ index 3136c6a..3ee87ed 100644
  
  # Allow the httpd_t to read the web servers config files
  allow httpd_t httpd_config_t:dir list_dir_perms;
-@@ -329,8 +487,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
+@@ -329,8 +494,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
  
  manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
  manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
@@ -86245,7 +86273,7 @@ index 3136c6a..3ee87ed 100644
  
  manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
  manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
-@@ -339,8 +498,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
+@@ -339,8 +505,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
  manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
  fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
  
@@ -86256,7 +86284,7 @@ index 3136c6a..3ee87ed 100644
  
  setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
  manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
-@@ -355,6 +515,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -355,6 +522,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  kernel_read_kernel_sysctls(httpd_t)
  # for modules that want to access /proc/meminfo
  kernel_read_system_state(httpd_t)
@@ -86266,7 +86294,7 @@ index 3136c6a..3ee87ed 100644
  
  corenet_all_recvfrom_unlabeled(httpd_t)
  corenet_all_recvfrom_netlabel(httpd_t)
-@@ -365,11 +528,17 @@ corenet_udp_sendrecv_generic_node(httpd_t)
+@@ -365,11 +535,19 @@ corenet_udp_sendrecv_generic_node(httpd_t)
  corenet_tcp_sendrecv_all_ports(httpd_t)
  corenet_udp_sendrecv_all_ports(httpd_t)
  corenet_tcp_bind_generic_node(httpd_t)
@@ -86281,11 +86309,13 @@ index 3136c6a..3ee87ed 100644
 +corenet_tcp_bind_puppet_port(httpd_t)
  # Signal self for shutdown
 -corenet_tcp_connect_http_port(httpd_t)
-+#corenet_tcp_connect_http_port(httpd_t)
++tunable_policy(`httpd_graceful_shutdown',`
++	corenet_tcp_connect_http_port(httpd_t)
++')
  
  dev_read_sysfs(httpd_t)
  dev_read_rand(httpd_t)
-@@ -378,12 +547,12 @@ dev_rw_crypto(httpd_t)
+@@ -378,12 +556,12 @@ dev_rw_crypto(httpd_t)
  
  fs_getattr_all_fs(httpd_t)
  fs_search_auto_mountpoints(httpd_t)
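Review bot: The rule now gated by `httpd_graceful_shutdown` is `corenet_tcp_connect_http_port(httpd_t)`, and nothing in it restricts the destination to the local host, so enabling the boolean lets httpd_t open outbound TCP connections to any host on any http_port_t port rather than merely contact its own listener; the retained `# Signal self for shutdown` comment understates that. A comment on the tunable_policy block would help whoever flips the boolean: `# NOTE: not limited to loopback; this also allows outbound HTTP to any host`. Gating the rule behind a boolean rather than leaving it commented out is an improvement over the old line, but the wider effect should be stated where the rule lives.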
@@ -86301,7 +86331,7 @@ index 3136c6a..3ee87ed 100644
  
  domain_use_interactive_fds(httpd_t)
  
-@@ -391,6 +560,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
+@@ -391,6 +569,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
  files_read_usr_files(httpd_t)
  files_list_mnt(httpd_t)
  files_search_spool(httpd_t)
@@ -86309,7 +86339,7 @@ index 3136c6a..3ee87ed 100644
  files_read_var_lib_files(httpd_t)
  files_search_home(httpd_t)
  files_getattr_home_dir(httpd_t)
-@@ -402,48 +572,101 @@ files_read_etc_files(httpd_t)
+@@ -402,48 +581,101 @@ files_read_etc_files(httpd_t)
  files_read_var_lib_symlinks(httpd_t)
  
  fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -86413,7 +86443,7 @@ index 3136c6a..3ee87ed 100644
  ')
  
  tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -454,27 +677,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -454,27 +686,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
  	fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
  ')
  
@@ -86477,7 +86507,7 @@ index 3136c6a..3ee87ed 100644
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_t)
  	fs_read_cifs_symlinks(httpd_t)
-@@ -484,7 +741,22 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -484,7 +750,22 @@ tunable_policy(`httpd_can_sendmail',`
  	# allow httpd to connect to mail servers
  	corenet_tcp_connect_smtp_port(httpd_t)
  	corenet_sendrecv_smtp_client_packets(httpd_t)
@@ -86500,7 +86530,7 @@ index 3136c6a..3ee87ed 100644
  ')
  
  tunable_policy(`httpd_ssi_exec',`
-@@ -499,9 +771,19 @@ tunable_policy(`httpd_ssi_exec',`
+@@ -499,9 +780,19 @@ tunable_policy(`httpd_ssi_exec',`
  # to run correctly without this permission, so the permission
  # are dontaudited here.
  tunable_policy(`httpd_tty_comm',`
@@ -86521,7 +86551,7 @@ index 3136c6a..3ee87ed 100644
  ')
  
  optional_policy(`
-@@ -513,7 +795,13 @@ optional_policy(`
+@@ -513,7 +804,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -86536,7 +86566,7 @@ index 3136c6a..3ee87ed 100644
  ')
  
  optional_policy(`
-@@ -528,7 +816,19 @@ optional_policy(`
+@@ -528,7 +825,19 @@ optional_policy(`
  	daemontools_service_domain(httpd_t, httpd_exec_t)
  ')
  
@@ -86557,7 +86587,7 @@ index 3136c6a..3ee87ed 100644
  	dbus_system_bus_client(httpd_t)
  
  	tunable_policy(`httpd_dbus_avahi',`
-@@ -537,8 +837,13 @@ optional_policy(`
+@@ -537,8 +846,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -86572,7 +86602,7 @@ index 3136c6a..3ee87ed 100644
  	')
  ')
  
-@@ -556,7 +861,21 @@ optional_policy(`
+@@ -556,7 +870,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -86594,7 +86624,7 @@ index 3136c6a..3ee87ed 100644
  	mysql_stream_connect(httpd_t)
  	mysql_rw_db_sockets(httpd_t)
  
-@@ -567,6 +886,7 @@ optional_policy(`
+@@ -567,6 +895,7 @@ optional_policy(`
  
  optional_policy(`
  	nagios_read_config(httpd_t)
@@ -86602,7 +86632,7 @@ index 3136c6a..3ee87ed 100644
  ')
  
  optional_policy(`
-@@ -577,6 +897,29 @@ optional_policy(`
+@@ -577,6 +906,29 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -86632,7 +86662,7 @@ index 3136c6a..3ee87ed 100644
  	# Allow httpd to work with postgresql
  	postgresql_stream_connect(httpd_t)
  	postgresql_unpriv_client(httpd_t)
-@@ -591,6 +934,11 @@ optional_policy(`
+@@ -591,6 +943,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -86644,7 +86674,7 @@ index 3136c6a..3ee87ed 100644
  	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
  	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
  ')
-@@ -603,6 +951,12 @@ optional_policy(`
+@@ -603,6 +960,12 @@ optional_policy(`
  	yam_read_content(httpd_t)
  ')
  
@@ -86657,7 +86687,7 @@ index 3136c6a..3ee87ed 100644
  ########################################
  #
  # Apache helper local policy
-@@ -616,7 +970,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
+@@ -616,7 +979,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
  
  logging_send_syslog_msg(httpd_helper_t)
  
@@ -86670,7 +86700,7 @@ index 3136c6a..3ee87ed 100644
  
  ########################################
  #
-@@ -654,28 +1012,30 @@ libs_exec_lib_files(httpd_php_t)
+@@ -654,28 +1021,30 @@ libs_exec_lib_files(httpd_php_t)
  userdom_use_unpriv_users_fds(httpd_php_t)
  
  tunable_policy(`httpd_can_network_connect_db',`
@@ -86714,7 +86744,7 @@ index 3136c6a..3ee87ed 100644
  ')
  
  ########################################
-@@ -685,6 +1045,8 @@ optional_policy(`
+@@ -685,6 +1054,8 @@ optional_policy(`
  
  allow httpd_suexec_t self:capability { setuid setgid };
  allow httpd_suexec_t self:process signal_perms;
@@ -86723,7 +86753,7 @@ index 3136c6a..3ee87ed 100644
  allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
  
  domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-@@ -699,17 +1061,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -699,17 +1070,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
  
@@ -86749,7 +86779,7 @@ index 3136c6a..3ee87ed 100644
  
  files_read_etc_files(httpd_suexec_t)
  files_read_usr_files(httpd_suexec_t)
-@@ -740,13 +1107,31 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -740,13 +1116,31 @@ tunable_policy(`httpd_can_network_connect',`
  	corenet_sendrecv_all_client_packets(httpd_suexec_t)
  ')
  
@@ -86782,7 +86812,7 @@ index 3136c6a..3ee87ed 100644
  	fs_read_nfs_files(httpd_suexec_t)
  	fs_read_nfs_symlinks(httpd_suexec_t)
  	fs_exec_nfs_files(httpd_suexec_t)
-@@ -769,6 +1154,25 @@ optional_policy(`
+@@ -769,6 +1163,25 @@ optional_policy(`
  	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
  ')
  
@@ -86808,7 +86838,7 @@ index 3136c6a..3ee87ed 100644
  ########################################
  #
  # Apache system script local policy
-@@ -789,12 +1193,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+@@ -789,12 +1202,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
  
  kernel_read_kernel_sysctls(httpd_sys_script_t)
  
@@ -86826,7 +86856,7 @@ index 3136c6a..3ee87ed 100644
  ifdef(`distro_redhat',`
  	allow httpd_sys_script_t httpd_log_t:file append_file_perms;
  ')
-@@ -803,18 +1212,50 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -803,18 +1221,50 @@ tunable_policy(`httpd_can_sendmail',`
  	mta_send_mail(httpd_sys_script_t)
  ')
  
@@ -86883,7 +86913,7 @@ index 3136c6a..3ee87ed 100644
  	corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
  	corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
  	corenet_tcp_connect_all_ports(httpd_sys_script_t)
-@@ -822,14 +1263,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -822,14 +1272,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
  ')
  
  tunable_policy(`httpd_enable_homedirs',`
@@ -86924,7 +86954,7 @@ index 3136c6a..3ee87ed 100644
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_sys_script_t)
  	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,10 +1308,20 @@ optional_policy(`
+@@ -842,10 +1317,20 @@ optional_policy(`
  optional_policy(`
  	mysql_stream_connect(httpd_sys_script_t)
  	mysql_rw_db_sockets(httpd_sys_script_t)
@@ -86945,7 +86975,7 @@ index 3136c6a..3ee87ed 100644
  ')
  
  ########################################
-@@ -891,11 +1367,142 @@ optional_policy(`
+@@ -891,11 +1376,142 @@ optional_policy(`
  
  tunable_policy(`httpd_enable_cgi && httpd_unified',`
  	allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -86969,7 +86999,7 @@ index 3136c6a..3ee87ed 100644
 +	userdom_read_user_home_content_files(httpd_t)
 +	userdom_read_user_home_content_files(httpd_suexec_t)
 +	userdom_read_user_home_content_files(httpd_user_script_t)
- ')
++')
 +
 +########################################
 +#
@@ -87068,7 +87098,7 @@ index 3136c6a..3ee87ed 100644
 +
 +optional_policy(`
 +	nscd_socket_use(httpd_script_type)
-+')
+ ')
 +
 +read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
 +
@@ -88766,10 +88796,10 @@ index 0000000..d694c0a
 +')
 diff --git a/policy/modules/services/blueman.te b/policy/modules/services/blueman.te
 new file mode 100644
-index 0000000..bccefc9
+index 0000000..4b22dcf
 --- /dev/null
 +++ b/policy/modules/services/blueman.te
-@@ -0,0 +1,42 @@
+@@ -0,0 +1,43 @@
 +policy_module(blueman, 1.0.0)
 +
 +########################################
@@ -88780,6 +88810,7 @@ index 0000000..bccefc9
 +type blueman_t;
 +type blueman_exec_t;
 +dbus_system_domain(blueman_t, blueman_exec_t)
++init_daemon_domain(blueman_t, blueman_exec_t)
 +
 +########################################
 +#
@@ -91242,7 +91273,7 @@ index 9a0da94..113eae2 100644
 +	allow $1 chronyd_unit_file_t:service all_service_perms;
  ')
 diff --git a/policy/modules/services/chronyd.te b/policy/modules/services/chronyd.te
-index fa82327..025e26f 100644
+index fa82327..898d0db 100644
 --- a/policy/modules/services/chronyd.te
 +++ b/policy/modules/services/chronyd.te
 @@ -15,6 +15,12 @@ init_script_file(chronyd_initrc_exec_t)
@@ -91258,7 +91289,12 @@ index fa82327..025e26f 100644
  type chronyd_var_lib_t;
  files_type(chronyd_var_lib_t)
  
-@@ -34,9 +40,14 @@ allow chronyd_t self:process { getcap setcap setrlimit };
+@@ -30,13 +36,18 @@ files_pid_file(chronyd_var_run_t)
+ #
+ 
+ allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time };
+-allow chronyd_t self:process { getcap setcap setrlimit };
++allow chronyd_t self:process { getcap setcap setrlimit signal };
  allow chronyd_t self:shm create_shm_perms;
  allow chronyd_t self:udp_socket create_socket_perms;
  allow chronyd_t self:unix_dgram_socket create_socket_perms;
@@ -91456,10 +91492,10 @@ index 1f11572..87840b4 100644
 +
  ')
 diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
-index f758323..b817047 100644
+index f758323..ced0ce2 100644
 --- a/policy/modules/services/clamav.te
 +++ b/policy/modules/services/clamav.te
-@@ -1,9 +1,16 @@
+@@ -1,9 +1,23 @@
  policy_module(clamav, 1.9.0)
  
  ## <desc>
@@ -91473,13 +91509,20 @@ index f758323..b817047 100644
 +gen_tunable(clamscan_read_user_content, false)
 +
 +## <desc>
++##  <p>
++##  Allow clamscan to non security files on a system
++##  </p>
++## </desc>
++gen_tunable(clamscan_can_scan_system, false)
++
++## <desc>
 +##	<p>
 +##	Allow clamd to use JIT compiler
 +##	</p>
  ## </desc>
  gen_tunable(clamd_use_jit, false)
  
-@@ -24,6 +31,9 @@ files_config_file(clamd_etc_t)
+@@ -24,6 +38,9 @@ files_config_file(clamd_etc_t)
  type clamd_initrc_exec_t;
  init_script_file(clamd_initrc_exec_t)
  
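Review bot: The description of the new `clamscan_can_scan_system` boolean, `Allow clamscan to non security files on a system`, is missing its verb and is shown verbatim by tools such as semanage boolean -l, so it should state what is granted, e.g. `##	Allow clamscan to read all non-security files on the system`. The tunable_policy block that consumes this boolean is not in this chunk, so the exact scope the wording should describe cannot be checked here and the text should be reconciled with those rules. The `<p>` lines of this block also use two-space indentation where the adjacent desc blocks use a tab.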
@@ -91489,7 +91532,7 @@ index f758323..b817047 100644
  # tmp files
  type clamd_tmp_t;
  files_tmp_file(clamd_tmp_t)
-@@ -64,6 +74,8 @@ logging_log_file(freshclam_var_log_t)
+@@ -64,6 +81,8 @@ logging_log_file(freshclam_var_log_t)
  
  allow clamd_t self:capability { kill setgid setuid dac_override };
  dontaudit clamd_t self:capability sys_tty_config;
@@ -91498,7 +91541,7 @@ index f758323..b817047 100644
  allow clamd_t self:fifo_file rw_fifo_file_perms;
  allow clamd_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow clamd_t self:unix_dgram_socket create_socket_perms;
-@@ -80,6 +92,7 @@ manage_files_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t)
+@@ -80,6 +99,7 @@ manage_files_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t)
  files_tmp_filetrans(clamd_t, clamd_tmp_t, { file dir })
  
  # var/lib files for clamd
@@ -91506,7 +91549,7 @@ index f758323..b817047 100644
  manage_dirs_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
  manage_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
  
-@@ -89,9 +102,10 @@ manage_files_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t)
+@@ -89,9 +109,10 @@ manage_files_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t)
  logging_log_filetrans(clamd_t, clamd_var_log_t, { dir file })
  
  # pid file
@@ -91518,7 +91561,7 @@ index f758323..b817047 100644
  
  kernel_dontaudit_list_proc(clamd_t)
  kernel_read_sysctl(clamd_t)
-@@ -110,6 +124,7 @@ corenet_tcp_bind_generic_node(clamd_t)
+@@ -110,6 +131,7 @@ corenet_tcp_bind_generic_node(clamd_t)
  corenet_tcp_bind_clamd_port(clamd_t)
  corenet_tcp_bind_generic_port(clamd_t)
  corenet_tcp_connect_generic_port(clamd_t)
@@ -91526,7 +91569,7 @@ index f758323..b817047 100644
  corenet_sendrecv_clamd_server_packets(clamd_t)
  
  dev_read_rand(clamd_t)
-@@ -127,13 +142,6 @@ logging_send_syslog_msg(clamd_t)
+@@ -127,13 +149,6 @@ logging_send_syslog_msg(clamd_t)
  
  miscfiles_read_localization(clamd_t)
  
@@ -91540,7 +91583,7 @@ index f758323..b817047 100644
  optional_policy(`
  	amavis_read_lib_files(clamd_t)
  	amavis_read_spool_files(clamd_t)
-@@ -142,13 +150,31 @@ optional_policy(`
+@@ -142,13 +157,31 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -91573,7 +91616,7 @@ index f758323..b817047 100644
  ')
  
  ########################################
-@@ -178,10 +204,16 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file)
+@@ -178,10 +211,16 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file)
  
  # log files (own logfiles only)
  manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t)
@@ -91592,7 +91635,7 @@ index f758323..b817047 100644
  corenet_all_recvfrom_unlabeled(freshclam_t)
  corenet_all_recvfrom_netlabel(freshclam_t)
  corenet_tcp_sendrecv_generic_if(freshclam_t)
-@@ -189,6 +221,7 @@ corenet_tcp_sendrecv_generic_node(freshclam_t)
+@@ -189,6 +228,7 @@ corenet_tcp_sendrecv_generic_node(freshclam_t)
  corenet_tcp_sendrecv_all_ports(freshclam_t)
  corenet_tcp_sendrecv_clamd_port(freshclam_t)
  corenet_tcp_connect_http_port(freshclam_t)
@@ -91600,7 +91643,7 @@ index f758323..b817047 100644
  corenet_sendrecv_http_client_packets(freshclam_t)
  
  dev_read_rand(freshclam_t)
-@@ -207,16 +240,22 @@ miscfiles_read_localization(freshclam_t)
+@@ -207,16 +247,22 @@ miscfiles_read_localization(freshclam_t)
  
  clamav_stream_connect(freshclam_t)
  
@@ -91627,7 +91670,7 @@ index f758323..b817047 100644
  ########################################
  #
  # clamscam local policy
-@@ -242,15 +281,29 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir })
+@@ -242,15 +288,33 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir })
  manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t)
  allow clamscan_t clamd_var_lib_t:dir list_dir_perms;
  
@@ -91652,12 +91695,16 @@ index f758323..b817047 100644
 +	userdom_dontaudit_read_user_home_content_files(clamscan_t)
 +')
 +
++tunable_policy(`clamscan_can_scan_system',`
++        files_read_non_security_files(clamscan_t)
++')
++
  kernel_read_kernel_sysctls(clamscan_t)
 +kernel_read_system_state(clamscan_t)
  
  files_read_etc_files(clamscan_t)
  files_read_etc_runtime_files(clamscan_t)
-@@ -264,10 +317,15 @@ miscfiles_read_public_files(clamscan_t)
+@@ -264,10 +328,15 @@ miscfiles_read_public_files(clamscan_t)
  
  clamav_stream_connect(clamscan_t)
  
@@ -92795,10 +92842,10 @@ index 0000000..40415f8
 +
 diff --git a/policy/modules/services/collectd.te b/policy/modules/services/collectd.te
 new file mode 100644
-index 0000000..9bd6b56
+index 0000000..e7ca6fc
 --- /dev/null
 +++ b/policy/modules/services/collectd.te
-@@ -0,0 +1,84 @@
+@@ -0,0 +1,88 @@
 +policy_module(collectd, 1.0.0)
 +
 +########################################
@@ -92834,10 +92881,12 @@ index 0000000..9bd6b56
 +#
 +# collectd local policy
 +#
++
 +allow collectd_t self:capability ipc_lock;
-+allow collectd_t self:process fork;
++allow collectd_t self:process { signal fork };
 +
 +allow collectd_t self:fifo_file rw_fifo_file_perms;
++allow collectd_t self:packet_socket create_socket_perms;
 +allow collectd_t self:unix_stream_socket create_stream_socket_perms;
 +
 +manage_dirs_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
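Review bot: The new `allow collectd_t self:packet_socket create_socket_perms;` line is not paired with a `net_raw` capability, and the capability rule in this hunk still grants only `ipc_lock`; creating an AF_PACKET socket is gated by CAP_NET_RAW in the kernel, so unless net_raw is granted elsewhere in collectd.te (outside this hunk) the denial will only move from packet_socket to capability. If the raw socket is really required, the rule would become `allow collectd_t self:capability { ipc_lock net_raw };`, with a comment naming the collectd plugin that opens it so the broad permission can be revisited later. If only one plugin needs it, a tunable would keep the default policy narrower.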
@@ -92855,6 +92904,8 @@ index 0000000..9bd6b56
 +kernel_read_system_state(collectd_t)
 +
 +dev_read_sysfs(collectd_t)
++dev_read_urand(collectd_t)
++dev_read_rand(collectd_t)
 +
 +files_getattr_all_dirs(collectd_t)
 +files_read_etc_files(collectd_t)
@@ -92927,7 +92978,7 @@ index 733e4e6..fa2c3cb 100644
 +	ps_process_pattern($1, colord_t)
 +')
 diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
-index 74505cc..6d575af 100644
+index 74505cc..dbd4f7f 100644
 --- a/policy/modules/services/colord.te
 +++ b/policy/modules/services/colord.te
 @@ -8,6 +8,7 @@ policy_module(colord, 1.0.0)
@@ -92938,7 +92989,7 @@ index 74505cc..6d575af 100644
  
  type colord_tmp_t;
  files_tmp_file(colord_tmp_t)
-@@ -18,14 +19,19 @@ files_tmpfs_file(colord_tmpfs_t)
+@@ -18,14 +19,20 @@ files_tmpfs_file(colord_tmpfs_t)
  type colord_var_lib_t;
  files_type(colord_var_lib_t)
  
@@ -92955,10 +93006,11 @@ index 74505cc..6d575af 100644
  allow colord_t self:fifo_file rw_fifo_file_perms;
  allow colord_t self:netlink_kobject_uevent_socket create_socket_perms;
 +allow colord_t self:tcp_socket create_stream_socket_perms;
++allow colord_t self:shm create_shm_perms;
  allow colord_t self:udp_socket create_socket_perms;
  allow colord_t self:unix_dgram_socket create_socket_perms;
  
-@@ -41,8 +47,14 @@ manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
+@@ -41,8 +48,14 @@ manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
  manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
  files_var_lib_filetrans(colord_t, colord_var_lib_t, { file dir })
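Review bot: The added `allow colord_t self:shm create_shm_perms;` is placed between the tcp_socket and udp_socket rules, which breaks the alphabetical ordering of the self rules in this block (fifo_file, netlink_kobject_uevent_socket, tcp_socket, udp_socket, unix_dgram_socket). Moving it directly above the tcp_socket line keeps the block sorted like the surrounding rules.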
  
@@ -92974,7 +93026,7 @@ index 74505cc..6d575af 100644
  
  corenet_all_recvfrom_unlabeled(colord_t)
  corenet_all_recvfrom_netlabel(colord_t)
-@@ -50,6 +62,8 @@ corenet_udp_bind_generic_node(colord_t)
+@@ -50,6 +63,8 @@ corenet_udp_bind_generic_node(colord_t)
  corenet_udp_bind_ipp_port(colord_t)
  corenet_tcp_connect_ipp_port(colord_t)
  
@@ -92983,7 +93035,7 @@ index 74505cc..6d575af 100644
  dev_read_video_dev(colord_t)
  dev_write_video_dev(colord_t)
  dev_rw_printer(colord_t)
-@@ -65,19 +79,35 @@ files_list_mnt(colord_t)
+@@ -65,19 +80,35 @@ files_list_mnt(colord_t)
  files_read_etc_files(colord_t)
  files_read_usr_files(colord_t)
  
@@ -93020,7 +93072,7 @@ index 74505cc..6d575af 100644
  	fs_read_cifs_files(colord_t)
  ')
  
-@@ -89,6 +119,12 @@ optional_policy(`
+@@ -89,6 +120,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -93033,7 +93085,7 @@ index 74505cc..6d575af 100644
  	policykit_dbus_chat(colord_t)
  	policykit_domtrans_auth(colord_t)
  	policykit_read_lib(colord_t)
-@@ -96,5 +132,20 @@ optional_policy(`
+@@ -96,5 +133,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -93082,10 +93134,10 @@ index 0000000..a9ad037
 +/var/run/condor(/.*)?		gen_context(system_u:object_r:condor_var_run_t,s0)
 diff --git a/policy/modules/services/condor.if b/policy/modules/services/condor.if
 new file mode 100644
-index 0000000..88a0b5d
+index 0000000..2c150a6
 --- /dev/null
 +++ b/policy/modules/services/condor.if
-@@ -0,0 +1,272 @@
+@@ -0,0 +1,309 @@
 +
 +## <summary>policy for condor</summary>
 +
@@ -93236,6 +93288,25 @@ index 0000000..88a0b5d
 +	read_files_pattern($1, condor_var_lib_t, condor_var_lib_t)
 +')
 +
++######################################
++## <summary>
++##  Read and write condor lib files.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`condor_rw_lib_files',`
++    gen_require(`
++        type condor_var_lib_t;
++    ')
++
++    files_search_var_lib($1)
++    rw_files_pattern($1, condor_var_lib_t, condor_var_lib_t)
++')
++
 +########################################
 +## <summary>
 +##	Manage condor lib files.
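Review bot: The new `condor_rw_lib_files` interface is indented with four spaces (its gen_require block and the `rw_files_pattern($1, condor_var_lib_t, condor_var_lib_t)` line) and its XML summary with two, while the surrounding interfaces in this file, e.g. the `read_files_pattern($1, condor_var_lib_t, condor_var_lib_t)` line at the top of the hunk, use tabs. Converting the new lines to tabs keeps the file consistent. The same mixed indentation occurs in `condor_rw_tcp_sockets_startd` added in the next hunk of this file section.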
@@ -93318,6 +93389,24 @@ index 0000000..88a0b5d
 +')
 +
 +
++#######################################
++## <summary>
++##  Read and write condor_startd server TCP sockets.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`condor_rw_tcp_sockets_startd',`
++	gen_require(`
++		type condor_startd_t;
++	')
++
++	allow $1 condor_startd_t:tcp_socket rw_socket_perms;
++')
++
 +########################################
 +## <summary>
 +##	All of the rules required to administrate
@@ -93946,7 +94035,7 @@ index 5220c9d..11e5dc4 100644
 +	allow $1 corosync_unit_file_t:service all_service_perms;
  ')
 diff --git a/policy/modules/services/corosync.te b/policy/modules/services/corosync.te
-index 04969e5..a5d4e70 100644
+index 04969e5..bc57217 100644
 --- a/policy/modules/services/corosync.te
 +++ b/policy/modules/services/corosync.te
 @@ -8,6 +8,7 @@ policy_module(corosync, 1.0.0)
@@ -93971,7 +94060,7 @@ index 04969e5..a5d4e70 100644
  
 -allow corosync_t self:capability { sys_nice sys_resource ipc_lock };
 -allow corosync_t self:process { setrlimit setsched signal };
-+allow corosync_t self:capability { dac_override setuid setgid sys_nice sys_resource ipc_lock };
++allow corosync_t self:capability { dac_override setuid setgid sys_nice sys_admin sys_resource ipc_lock };
 +# for hearbeat
 +allow corosync_t self:capability { net_raw chown };
 +allow corosync_t self:process { setpgid setrlimit setsched signal signull };
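Review bot: `sys_admin` is added to the rewritten `allow corosync_t self:capability { ... }` line without a comment saying which operation needs it, and the commit message only says that corosync needs it. Because sys_admin covers a very wide range of privileged operations, the rule should carry a short justification so a later reviewer can tell whether a narrower capability would do, e.g. `# sys_admin: <operation corosync performs> -- TODO confirm`. The existing `# for hearbeat` annotation shows the file already documents capability additions this way.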
@@ -98007,10 +98096,20 @@ index f706b99..9b9f4ad 100644
 +	#logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
  ')
 diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
-index f231f17..fb64f1d 100644
+index f231f17..51d1512 100644
 --- a/policy/modules/services/devicekit.te
 +++ b/policy/modules/services/devicekit.te
-@@ -16,6 +16,7 @@ dbus_system_domain(devicekit_power_t, devicekit_power_exec_t)
+@@ -8,14 +8,17 @@ policy_module(devicekit, 1.1.0)
+ type devicekit_t;
+ type devicekit_exec_t;
+ dbus_system_domain(devicekit_t, devicekit_exec_t)
++init_daemon_domain(devicekit_t, devicekit_exec_t)
+ 
+ type devicekit_power_t;
+ type devicekit_power_exec_t;
+ dbus_system_domain(devicekit_power_t, devicekit_power_exec_t)
++init_daemon_domain(devicekit_power_t, devicekit_power_exec_t)
+ 
  type devicekit_disk_t;
  type devicekit_disk_exec_t;
  dbus_system_domain(devicekit_disk_t, devicekit_disk_exec_t)
@@ -98018,7 +98117,7 @@ index f231f17..fb64f1d 100644
  
  type devicekit_tmp_t;
  files_tmp_file(devicekit_tmp_t)
-@@ -26,6 +27,9 @@ files_pid_file(devicekit_var_run_t)
+@@ -26,6 +29,9 @@ files_pid_file(devicekit_var_run_t)
  type devicekit_var_lib_t;
  files_type(devicekit_var_lib_t)
  
@@ -98028,7 +98127,7 @@ index f231f17..fb64f1d 100644
  ########################################
  #
  # DeviceKit local policy
-@@ -62,7 +66,8 @@ optional_policy(`
+@@ -62,7 +68,8 @@ optional_policy(`
  # DeviceKit disk local policy
  #
  
@@ -98038,7 +98137,7 @@ index f231f17..fb64f1d 100644
  allow devicekit_disk_t self:process { getsched signal_perms };
  allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
  allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
-@@ -75,10 +80,14 @@ manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
+@@ -75,10 +82,14 @@ manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
  manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
  files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir)
  
@@ -98053,7 +98152,7 @@ index f231f17..fb64f1d 100644
  kernel_getattr_message_if(devicekit_disk_t)
  kernel_read_fs_sysctls(devicekit_disk_t)
  kernel_read_network_state(devicekit_disk_t)
-@@ -97,6 +106,7 @@ dev_getattr_usbfs_dirs(devicekit_disk_t)
+@@ -97,6 +108,7 @@ dev_getattr_usbfs_dirs(devicekit_disk_t)
  dev_manage_generic_files(devicekit_disk_t)
  dev_getattr_all_chr_files(devicekit_disk_t)
  dev_getattr_mtrr_dev(devicekit_disk_t)
@@ -98061,7 +98160,7 @@ index f231f17..fb64f1d 100644
  
  domain_getattr_all_pipes(devicekit_disk_t)
  domain_getattr_all_sockets(devicekit_disk_t)
-@@ -105,14 +115,17 @@ domain_read_all_domains_state(devicekit_disk_t)
+@@ -105,14 +117,17 @@ domain_read_all_domains_state(devicekit_disk_t)
  
  files_dontaudit_read_all_symlinks(devicekit_disk_t)
  files_getattr_all_sockets(devicekit_disk_t)
@@ -98080,7 +98179,7 @@ index f231f17..fb64f1d 100644
  fs_list_inotifyfs(devicekit_disk_t)
  fs_manage_fusefs_dirs(devicekit_disk_t)
  fs_mount_all_fs(devicekit_disk_t)
-@@ -127,14 +140,17 @@ storage_raw_write_fixed_disk(devicekit_disk_t)
+@@ -127,14 +142,17 @@ storage_raw_write_fixed_disk(devicekit_disk_t)
  storage_raw_read_removable_device(devicekit_disk_t)
  storage_raw_write_removable_device(devicekit_disk_t)
  
@@ -98099,7 +98198,7 @@ index f231f17..fb64f1d 100644
  
  optional_policy(`
  	dbus_system_bus_client(devicekit_disk_t)
-@@ -178,55 +194,85 @@ optional_policy(`
+@@ -178,55 +196,85 @@ optional_policy(`
  	virt_manage_images(devicekit_disk_t)
  ')
  
@@ -98190,7 +98289,7 @@ index f231f17..fb64f1d 100644
  
  userdom_read_all_users_state(devicekit_power_t)
  
-@@ -235,7 +281,12 @@ optional_policy(`
+@@ -235,7 +283,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -98203,7 +98302,7 @@ index f231f17..fb64f1d 100644
  ')
  
  optional_policy(`
-@@ -261,14 +312,21 @@ optional_policy(`
+@@ -261,14 +314,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -98226,7 +98325,7 @@ index f231f17..fb64f1d 100644
  	policykit_dbus_chat(devicekit_power_t)
  	policykit_domtrans_auth(devicekit_power_t)
  	policykit_read_lib(devicekit_power_t)
-@@ -276,9 +334,30 @@ optional_policy(`
+@@ -276,9 +336,30 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -101180,7 +101279,7 @@ index f590a1f..eb6f870 100644
 +	admin_pattern($1, fail2ban_tmp_t)
  ')
 diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te
-index 2a69e5e..afb6deb 100644
+index 2a69e5e..78841e5 100644
 --- a/policy/modules/services/fail2ban.te
 +++ b/policy/modules/services/fail2ban.te
 @@ -23,12 +23,19 @@ files_type(fail2ban_var_lib_t)
@@ -101244,7 +101343,7 @@ index 2a69e5e..afb6deb 100644
  optional_policy(`
  	apache_read_log(fail2ban_t)
  ')
-@@ -94,5 +110,43 @@ optional_policy(`
+@@ -94,5 +110,45 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -101282,6 +101381,8 @@ index 2a69e5e..afb6deb 100644
 +files_read_usr_files(fail2ban_client_t)
 +files_search_pids(fail2ban_client_t)
 +
++auth_read_passwd(fail2ban_client_t)
++
 +miscfiles_read_localization(fail2ban_client_t)
 +
 +optional_policy(`
@@ -101706,10 +101807,10 @@ index 0000000..c4c7510
 +')
 diff --git a/policy/modules/services/firewalld.te b/policy/modules/services/firewalld.te
 new file mode 100644
-index 0000000..3e016c3
+index 0000000..b3727f1
 --- /dev/null
 +++ b/policy/modules/services/firewalld.te
-@@ -0,0 +1,86 @@
+@@ -0,0 +1,91 @@
 +
 +policy_module(firewalld,1.0.0)
 +
@@ -101771,12 +101872,17 @@ index 0000000..3e016c3
 +files_read_etc_files(firewalld_t)
 +files_read_usr_files(firewalld_t)
 +
++fs_getattr_xattr_fs(firewalld_t)
++
 +auth_read_passwd(firewalld_t)
 +
 +logging_send_syslog_msg(firewalld_t)
 +
 +miscfiles_read_localization(firewalld_t)
 +
++seutil_exec_setfiles(firewalld_t)
++seutil_read_file_contexts(firewalld_t)
++
 +optional_policy(`
 +    dbus_system_domain(firewalld_t, firewalld_exec_t)
 +
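Review bot: `seutil_exec_setfiles(firewalld_t)` runs setfiles/restorecon inside firewalld_t rather than transitioning to the setfiles domain, so any relabel permissions the tool needs on the files it touches will have to be granted to firewalld_t itself; the hunk adds only `seutil_read_file_contexts`, so whether the relabel actually succeeds cannot be judged from here. If the relabel is needed, `seutil_domtrans_setfiles(firewalld_t)` would keep those permissions in the setfiles domain instead. If executing in the caller's domain is deliberate, a comment saying what firewalld relabels would help the next reader.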
@@ -101820,10 +101926,18 @@ index ebad8c4..eeddf7b 100644
  ')
 -
 diff --git a/policy/modules/services/fprintd.te b/policy/modules/services/fprintd.te
-index 7df52c7..8512254 100644
+index 7df52c7..26422af 100644
 --- a/policy/modules/services/fprintd.te
 +++ b/policy/modules/services/fprintd.te
-@@ -17,9 +17,10 @@ files_type(fprintd_var_lib_t)
+@@ -8,6 +8,7 @@ policy_module(fprintd, 1.1.0)
+ type fprintd_t;
+ type fprintd_exec_t;
+ dbus_system_domain(fprintd_t, fprintd_exec_t)
++init_daemon_domain(fprintd_t, fprintd_exec_t)
+ 
+ type fprintd_var_lib_t;
+ files_type(fprintd_var_lib_t)
+@@ -17,9 +18,10 @@ files_type(fprintd_var_lib_t)
  # Local policy
  #
  
@@ -101836,7 +101950,7 @@ index 7df52c7..8512254 100644
  
  manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
  manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
-@@ -54,4 +55,5 @@ optional_policy(`
+@@ -54,4 +56,5 @@ optional_policy(`
  	policykit_read_lib(fprintd_t)
  	policykit_dbus_chat(fprintd_t)
  	policykit_domtrans_auth(fprintd_t)
@@ -103315,10 +103429,10 @@ index 0000000..ebe1dde
 +')
 diff --git a/policy/modules/services/glance.te b/policy/modules/services/glance.te
 new file mode 100644
-index 0000000..917428e
+index 0000000..57e0566
 --- /dev/null
 +++ b/policy/modules/services/glance.te
-@@ -0,0 +1,107 @@
+@@ -0,0 +1,112 @@
 +policy_module(glance, 1.0.0)
 +
 +########################################
@@ -103404,6 +103518,11 @@ index 0000000..917428e
 +
 +logging_send_syslog_msg(glance_registry_t)
 +
++
++optional_policy(`
++	mysql_stream_connect(glance_registry_t)
++')
++
 +########################################
 +#
 +# glance-api local policy
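Review bot: The new optional_policy block is preceded by two blank lines (the existing blank plus the one this hunk adds), where the rest of this file separates blocks with one; dropping the added blank keeps the spacing consistent. Note also that `mysql_stream_connect(glance_registry_t)` covers only the local MySQL socket, so if glance-registry is configured to reach MySQL over TCP this rule alone will not cover it; a comment stating the intended deployment would make that explicit.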
@@ -103467,10 +103586,17 @@ index 671d8fd..25c7ab8 100644
 +	dontaudit gnomeclock_t $1:dbus send_msg;
 +')
 diff --git a/policy/modules/services/gnomeclock.te b/policy/modules/services/gnomeclock.te
-index 4fde46b..e9fde69 100644
+index 4fde46b..469a6e3 100644
 --- a/policy/modules/services/gnomeclock.te
 +++ b/policy/modules/services/gnomeclock.te
-@@ -14,19 +14,30 @@ dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
+@@ -8,25 +8,37 @@ policy_module(gnomeclock, 1.0.0)
+ type gnomeclock_t;
+ type gnomeclock_exec_t;
+ dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
++init_daemon_domain(gnomeclock_t, gnomeclock_exec_t)
+ 
+ ########################################
+ #
  # gnomeclock local policy
  #
  
@@ -103505,7 +103631,7 @@ index 4fde46b..e9fde69 100644
  
  miscfiles_read_localization(gnomeclock_t)
  miscfiles_manage_localization(gnomeclock_t)
-@@ -35,10 +46,34 @@ miscfiles_etc_filetrans_localization(gnomeclock_t)
+@@ -35,10 +47,34 @@ miscfiles_etc_filetrans_localization(gnomeclock_t)
  userdom_read_all_users_state(gnomeclock_t)
  
  optional_policy(`
@@ -109012,10 +109138,18 @@ index 3368699..7a7fc02 100644
  #
  interface(`modemmanager_domtrans',`
 diff --git a/policy/modules/services/modemmanager.te b/policy/modules/services/modemmanager.te
-index b3ace16..6c9f30c 100644
+index b3ace16..83392b6 100644
 --- a/policy/modules/services/modemmanager.te
 +++ b/policy/modules/services/modemmanager.te
-@@ -16,7 +16,8 @@ typealias modemmanager_exec_t alias ModemManager_exec_t;
+@@ -8,6 +8,7 @@ policy_module(modemmanager, 1.1.0)
+ type modemmanager_t;
+ type modemmanager_exec_t;
+ dbus_system_domain(modemmanager_t, modemmanager_exec_t)
++init_daemon_domain(modemmanager_t, modemmanager_exec_t)
+ typealias modemmanager_t alias ModemManager_t;
+ typealias modemmanager_exec_t alias ModemManager_exec_t;
+ 
+@@ -16,7 +17,8 @@ typealias modemmanager_exec_t alias ModemManager_exec_t;
  # ModemManager local policy
  #
  
@@ -109025,7 +109159,7 @@ index b3ace16..6c9f30c 100644
  allow modemmanager_t self:fifo_file rw_file_perms;
  allow modemmanager_t self:unix_stream_socket create_stream_socket_perms;
  allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms;
-@@ -28,13 +29,25 @@ dev_rw_modem(modemmanager_t)
+@@ -28,13 +30,25 @@ dev_rw_modem(modemmanager_t)
  
  files_read_etc_files(modemmanager_t)
  
@@ -109238,7 +109372,7 @@ index 256166a..a8fe27a 100644
 +/var/spool/mqueue\.in(/.*)?	gen_context(system_u:object_r:mqueue_spool_t,s0)
  /var/spool/mail(/.*)?		gen_context(system_u:object_r:mail_spool_t,s0)
 diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
-index 343cee3..b37f19e 100644
+index 343cee3..555300e 100644
 --- a/policy/modules/services/mta.if
 +++ b/policy/modules/services/mta.if
 @@ -37,9 +37,9 @@ interface(`mta_stub',`
@@ -109470,10 +109604,46 @@ index 343cee3..b37f19e 100644
  interface(`mta_signal_system_mail',`
  	gen_require(`
  		type system_mail_t;
-@@ -420,6 +371,24 @@ interface(`mta_signal_system_mail',`
+@@ -420,6 +371,60 @@ interface(`mta_signal_system_mail',`
  
  ########################################
  ## <summary>
++##	Send all user mail client a signal
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`mta_signal_user_agent',`
++	gen_require(`
++		attribute mta_user_agent;
++	')
++
++	allow $1 mta_user_agent:process signal;
++')
++
++########################################
++## <summary>
++##	Send all user mail client a kill signal
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`mta_kill_user_agent',`
++	gen_require(`
++		attribute mta_user_agent;
++	')
++
++	allow $1 mta_user_agent:process sigkill;
++')
++
++########################################
++## <summary>
 +##	Send system mail client a kill signal
 +## </summary>
 +## <param name="domain">
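Review bot: The summaries of the two new interfaces, `##	Send all user mail client a signal` and `##	Send all user mail client a kill signal`, are ungrammatical; suggest `##	Send a signal to all user mail clients.` and `##	Send a kill signal to all user mail clients.`. `mta_kill_user_agent` grants `sigkill` on every domain carrying the mta_user_agent attribute, so its summary could also say that callers gain the ability to terminate all user mail agents, which helps reviewers of those callers judge whether the weaker `mta_signal_user_agent` would suffice.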
@@ -109495,7 +109665,7 @@ index 343cee3..b37f19e 100644
  ##	Execute sendmail in the caller domain.
  ## </summary>
  ## <param name="domain">
-@@ -438,6 +407,26 @@ interface(`mta_sendmail_exec',`
+@@ -438,6 +443,26 @@ interface(`mta_sendmail_exec',`
  
  ########################################
  ## <summary>
@@ -109522,7 +109692,7 @@ index 343cee3..b37f19e 100644
  ##	Read mail server configuration.
  ## </summary>
  ## <param name="domain">
-@@ -474,7 +463,8 @@ interface(`mta_write_config',`
+@@ -474,7 +499,8 @@ interface(`mta_write_config',`
  		type etc_mail_t;
  	')
  
@@ -109532,7 +109702,7 @@ index 343cee3..b37f19e 100644
  ')
  
  ########################################
-@@ -494,6 +484,7 @@ interface(`mta_read_aliases',`
+@@ -494,6 +520,7 @@ interface(`mta_read_aliases',`
  
  	files_search_etc($1)
  	allow $1 etc_aliases_t:file read_file_perms;
@@ -109540,7 +109710,7 @@ index 343cee3..b37f19e 100644
  ')
  
  ########################################
-@@ -532,7 +523,7 @@ interface(`mta_etc_filetrans_aliases',`
+@@ -532,7 +559,7 @@ interface(`mta_etc_filetrans_aliases',`
  		type etc_aliases_t;
  	')
  
@@ -109549,7 +109719,7 @@ index 343cee3..b37f19e 100644
  ')
  
  ########################################
-@@ -552,7 +543,7 @@ interface(`mta_rw_aliases',`
+@@ -552,7 +579,7 @@ interface(`mta_rw_aliases',`
  	')
  
  	files_search_etc($1)
@@ -109558,7 +109728,7 @@ index 343cee3..b37f19e 100644
  ')
  
  #######################################
-@@ -646,8 +637,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
+@@ -646,8 +673,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
  
  	files_dontaudit_search_spool($1)
  	dontaudit $1 mail_spool_t:dir search_dir_perms;
@@ -109569,7 +109739,7 @@ index 343cee3..b37f19e 100644
  ')
  
  #######################################
-@@ -677,7 +668,26 @@ interface(`mta_spool_filetrans',`
+@@ -677,7 +704,26 @@ interface(`mta_spool_filetrans',`
  	')
  
  	files_search_spool($1)
@@ -109597,7 +109767,7 @@ index 343cee3..b37f19e 100644
  ')
  
  ########################################
-@@ -697,8 +707,8 @@ interface(`mta_rw_spool',`
+@@ -697,8 +743,8 @@ interface(`mta_rw_spool',`
  
  	files_search_spool($1)
  	allow $1 mail_spool_t:dir list_dir_perms;
@@ -109608,7 +109778,7 @@ index 343cee3..b37f19e 100644
  	read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
  ')
  
-@@ -838,7 +848,7 @@ interface(`mta_dontaudit_rw_queue',`
+@@ -838,7 +884,7 @@ interface(`mta_dontaudit_rw_queue',`
  	')
  
  	dontaudit $1 mqueue_spool_t:dir search_dir_perms;
@@ -109617,7 +109787,7 @@ index 343cee3..b37f19e 100644
  ')
  
  ########################################
-@@ -864,6 +874,36 @@ interface(`mta_manage_queue',`
+@@ -864,6 +910,36 @@ interface(`mta_manage_queue',`
  
  #######################################
  ## <summary>
@@ -109654,7 +109824,7 @@ index 343cee3..b37f19e 100644
  ##	Read sendmail binary.
  ## </summary>
  ## <param name="domain">
-@@ -899,3 +939,118 @@ interface(`mta_rw_user_mail_stream_sockets',`
+@@ -899,3 +975,118 @@ interface(`mta_rw_user_mail_stream_sockets',`
  
  	allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
  ')
@@ -110574,7 +110744,7 @@ index cc7192c..eeb72ba 100644
  #
  /etc/my\.cnf		--	gen_context(system_u:object_r:mysqld_etc_t,s0)
 diff --git a/policy/modules/services/mysql.if b/policy/modules/services/mysql.if
-index e9c0982..1c07da0 100644
+index e9c0982..404ed6d 100644
 --- a/policy/modules/services/mysql.if
 +++ b/policy/modules/services/mysql.if
 @@ -18,6 +18,24 @@ interface(`mysql_domtrans',`
@@ -110635,7 +110805,34 @@ index e9c0982..1c07da0 100644
  	stream_connect_pattern($1, mysqld_var_run_t, mysqld_var_run_t, mysqld_t)
  	stream_connect_pattern($1, mysqld_db_t, mysqld_var_run_t, mysqld_t)
  ')
-@@ -252,12 +289,12 @@ interface(`mysql_write_log',`
+@@ -122,6 +159,26 @@ interface(`mysql_search_db',`
+ 
+ ########################################
+ ## <summary>
++##	List the directories that contain MySQL
++##	database storage.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`mysql_list_db',`
++	gen_require(`
++		type mysqld_db_t;
++	')
++
++	files_search_var_lib($1)
++	allow $1 mysqld_db_t:dir list_dir_perms;
++')
++
++########################################
++## <summary>
+ ##	Read and write to the MySQL database directory.
+ ## </summary>
+ ## <param name="domain">
+@@ -252,12 +309,12 @@ interface(`mysql_write_log',`
  	')
  
  	logging_search_logs($1)
@@ -110650,7 +110847,7 @@ index e9c0982..1c07da0 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -273,6 +310,24 @@ interface(`mysql_domtrans_mysql_safe',`
+@@ -273,6 +330,24 @@ interface(`mysql_domtrans_mysql_safe',`
  	domtrans_pattern($1, mysqld_safe_exec_t, mysqld_safe_t)
  ')
  
@@ -110675,7 +110872,7 @@ index e9c0982..1c07da0 100644
  #####################################
  ## <summary>
  ##	Read MySQL PID files.
-@@ -313,6 +368,67 @@ interface(`mysql_search_pid_files',`
+@@ -313,6 +388,67 @@ interface(`mysql_search_pid_files',`
  
  ########################################
  ## <summary>
@@ -110743,7 +110940,7 @@ index e9c0982..1c07da0 100644
  ##	All of the rules required to administrate an mysql environment
  ## </summary>
  ## <param name="domain">
-@@ -329,27 +445,45 @@ interface(`mysql_search_pid_files',`
+@@ -329,27 +465,45 @@ interface(`mysql_search_pid_files',`
  #
  interface(`mysql_admin',`
  	gen_require(`
@@ -110795,7 +110992,7 @@ index e9c0982..1c07da0 100644
 +	mysql_stream_connect($1)
  ')
 diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
-index 0a0d63c..49848dd 100644
+index 0a0d63c..a798a26 100644
 --- a/policy/modules/services/mysql.te
 +++ b/policy/modules/services/mysql.te
 @@ -6,9 +6,9 @@ policy_module(mysql, 1.12.0)
@@ -110838,7 +111035,7 @@ index 0a0d63c..49848dd 100644
  allow mysqld_t mysqld_etc_t:dir list_dir_perms;
  
  allow mysqld_t mysqld_log_t:file manage_file_perms;
-@@ -78,13 +85,19 @@ manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
+@@ -78,13 +85,21 @@ manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
  manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
  files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir })
  
@@ -110850,7 +111047,9 @@ index 0a0d63c..49848dd 100644
 +
 +userdom_dontaudit_use_unpriv_user_fds(mysqld_t)
  
++kernel_read_network_state(mysqld_t)
  kernel_read_system_state(mysqld_t)
++kernel_read_network_state(mysqld_t)
  kernel_read_kernel_sysctls(mysqld_t)
  
 +corecmd_exec_bin(mysqld_t)
@@ -110859,7 +111058,7 @@ index 0a0d63c..49848dd 100644
  corenet_all_recvfrom_unlabeled(mysqld_t)
  corenet_all_recvfrom_netlabel(mysqld_t)
  corenet_tcp_sendrecv_generic_if(mysqld_t)
-@@ -122,13 +135,8 @@ miscfiles_read_localization(mysqld_t)
+@@ -122,13 +137,8 @@ miscfiles_read_localization(mysqld_t)
  
  sysnet_read_config(mysqld_t)
  
@@ -110874,7 +111073,7 @@ index 0a0d63c..49848dd 100644
  ')
  
  tunable_policy(`mysql_connect_any',`
-@@ -154,10 +162,11 @@ optional_policy(`
+@@ -154,10 +164,11 @@ optional_policy(`
  #
  
  allow mysqld_safe_t self:capability { chown dac_override fowner kill };
@@ -110887,7 +111086,7 @@ index 0a0d63c..49848dd 100644
  
  domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t)
  
-@@ -170,26 +179,35 @@ kernel_read_system_state(mysqld_safe_t)
+@@ -170,26 +181,35 @@ kernel_read_system_state(mysqld_safe_t)
  kernel_read_kernel_sysctls(mysqld_safe_t)
  
  corecmd_exec_bin(mysqld_safe_t)
@@ -113656,10 +113855,10 @@ index 0000000..d3b9544
 +')
 diff --git a/policy/modules/services/obex.te b/policy/modules/services/obex.te
 new file mode 100644
-index 0000000..4a6f24c
+index 0000000..21a4f33
 --- /dev/null
 +++ b/policy/modules/services/obex.te
-@@ -0,0 +1,26 @@
+@@ -0,0 +1,27 @@
 +policy_module(obex,1.0.0) 
 +
 +########################################
@@ -113670,6 +113869,7 @@ index 0000000..4a6f24c
 +type obex_t;
 +type obex_exec_t;
 +dbus_system_domain(obex_t, obex_exec_t)
++init_daemon_domain(obex_t, obex_exec_t)
 +
 +########################################
 +#
@@ -113989,6 +114189,244 @@ index 7f8fdc2..047d985 100644
  
  optional_policy(`
  	seutil_sigchld_newrole(openct_t)
+diff --git a/policy/modules/services/openhpid.fc b/policy/modules/services/openhpid.fc
+new file mode 100644
+index 0000000..9441fd7
+--- /dev/null
++++ b/policy/modules/services/openhpid.fc
+@@ -0,0 +1,8 @@
++
++/etc/rc\.d/init\.d/openhpid	--	gen_context(system_u:object_r:openhpid_initrc_exec_t,s0)
++
++/usr/sbin/openhpid		--	gen_context(system_u:object_r:openhpid_exec_t,s0)
++
++/var/lib/openhpi(/.*)?		gen_context(system_u:object_r:openhpid_var_lib_t,s0)
++
++/var/run/openhpid\.pid	--	gen_context(system_u:object_r:openhpid_var_run_t,s0)
+diff --git a/policy/modules/services/openhpid.if b/policy/modules/services/openhpid.if
+new file mode 100644
+index 0000000..598789a
+--- /dev/null
++++ b/policy/modules/services/openhpid.if
+@@ -0,0 +1,159 @@
++
++## <summary>policy for openhpid</summary>
++
++
++########################################
++## <summary>
++##	Transition to openhpid.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`openhpid_domtrans',`
++	gen_require(`
++		type openhpid_t, openhpid_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, openhpid_exec_t, openhpid_t)
++')
++
++
++########################################
++## <summary>
++##	Execute openhpid server in the openhpid domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`openhpid_initrc_domtrans',`
++	gen_require(`
++		type openhpid_initrc_exec_t;
++	')
++
++	init_labeled_script_domtrans($1, openhpid_initrc_exec_t)
++')
++
++
++########################################
++## <summary>
++##	Search openhpid lib directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`openhpid_search_lib',`
++	gen_require(`
++		type openhpid_var_lib_t;
++	')
++
++	allow $1 openhpid_var_lib_t:dir search_dir_perms;
++	files_search_var_lib($1)
++')
++
++########################################
++## <summary>
++##	Read openhpid lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`openhpid_read_lib_files',`
++	gen_require(`
++		type openhpid_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	read_files_pattern($1, openhpid_var_lib_t, openhpid_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Manage openhpid lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`openhpid_manage_lib_files',`
++	gen_require(`
++		type openhpid_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	manage_files_pattern($1, openhpid_var_lib_t, openhpid_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Manage openhpid lib directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`openhpid_manage_lib_dirs',`
++	gen_require(`
++		type openhpid_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	manage_dirs_pattern($1, openhpid_var_lib_t, openhpid_var_lib_t)
++')
++
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an openhpid environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`openhpid_admin',`
++	gen_require(`
++		type openhpid_t;
++	type openhpid_initrc_exec_t;
++	type openhpid_var_lib_t;
++	')
++
++	allow $1 openhpid_t:process { ptrace signal_perms };
++	ps_process_pattern($1, openhpid_t)
++
++	openhpid_initrc_domtrans($1)
++	domain_system_change_exemption($1)
++	role_transition $2 openhpid_initrc_exec_t system_r;
++	allow $2 system_r;
++
++	files_search_var_lib($1)
++	admin_pattern($1, openhpid_var_lib_t)
++
++
++
++')
++
+diff --git a/policy/modules/services/openhpid.te b/policy/modules/services/openhpid.te
+new file mode 100644
+index 0000000..faa9b16
+--- /dev/null
++++ b/policy/modules/services/openhpid.te
+@@ -0,0 +1,53 @@
++policy_module(openhpid, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type openhpid_t;
++type openhpid_exec_t;
++init_daemon_domain(openhpid_t, openhpid_exec_t)
++
++type openhpid_initrc_exec_t;
++init_script_file(openhpid_initrc_exec_t)
++
++type openhpid_var_lib_t;
++files_type(openhpid_var_lib_t)
++
++type openhpid_var_run_t;
++files_pid_file(openhpid_var_run_t)
++
++########################################
++#
++# openhpid local policy
++#
++
++allow openhpid_t self:capability { kill };
++allow openhpid_t self:process { fork signal };
++
++allow openhpid_t self:fifo_file rw_fifo_file_perms;
++allow openhpid_t self:netlink_route_socket r_netlink_socket_perms;
++allow openhpid_t self:unix_stream_socket create_stream_socket_perms;
++allow openhpid_t self:tcp_socket create_stream_socket_perms;
++allow openhpid_t self:udp_socket create_socket_perms;
++
++manage_dirs_pattern(openhpid_t, openhpid_var_lib_t, openhpid_var_lib_t)
++manage_files_pattern(openhpid_t, openhpid_var_lib_t, openhpid_var_lib_t)
++files_var_lib_filetrans(openhpid_t, openhpid_var_lib_t, { dir file })
++
++manage_files_pattern(openhpid_t, openhpid_var_run_t, openhpid_var_run_t)
++files_pid_filetrans(openhpid_t, openhpid_var_run_t, { file })
++
++corenet_tcp_bind_generic_node(openhpid_t)
++corenet_tcp_bind_openhpid_port(openhpid_t)
++
++domain_use_interactive_fds(openhpid_t)
++
++dev_read_urand(openhpid_t)
++
++files_read_etc_files(openhpid_t)
++
++logging_send_syslog_msg(openhpid_t)
++
++miscfiles_read_localization(openhpid_t)
 diff --git a/policy/modules/services/openvpn.if b/policy/modules/services/openvpn.if
 index d883214..d6afa87 100644
 --- a/policy/modules/services/openvpn.if
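Review bot: The new `openhpid_admin` interface grants `ptrace` on openhpid_t unconditionally (`allow $1 openhpid_t:process { ptrace signal_perms };`), whereas the `virt_admin` changes in this same commit gate ptrace behind the `deny_ptrace` tunable; a fresh admin interface should follow the stricter pattern so the boolean actually covers every admin role. The interface also omits the pid file: `openhpid_var_run_t` is declared and used by openhpid_t in openhpid.te but is neither required nor given an `admin_pattern` here, so an admin role cannot clean up `/var/run/openhpid.pid`. Minor style: the `gen_require` lines are indented inconsistently (one tab vs two) and there are three blank lines before the closing `')`. Suggested rewrite of the admin body below; the initrc domtrans and role_transition lines are unchanged.

```selinux
interface(`openhpid_admin',`
	gen_require(`
		type openhpid_t, openhpid_initrc_exec_t;
		type openhpid_var_lib_t, openhpid_var_run_t;
	')

	allow $1 openhpid_t:process signal_perms;
	ps_process_pattern($1, openhpid_t)
	# ptrace is gated on the same deny_ptrace tunable virt_admin uses
	tunable_policy(`deny_ptrace',`',`
		allow $1 openhpid_t:process ptrace;
	')

	# … unchanged: openhpid_initrc_domtrans, domain_system_change_exemption, role_transition …

	files_search_var_lib($1)
	admin_pattern($1, openhpid_var_lib_t)

	files_search_pids($1)
	admin_pattern($1, openhpid_var_run_t)
')
```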
@@ -118172,7 +118610,7 @@ index b524673..1cca3d2 100644
 +	allow $1 pppd_unit_file_t:service all_service_perms;
  ')
 diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te
-index 2af42e7..b489ca6 100644
+index 2af42e7..2a05225 100644
 --- a/policy/modules/services/ppp.te
 +++ b/policy/modules/services/ppp.te
 @@ -6,16 +6,16 @@ policy_module(ppp, 1.12.0)
@@ -118278,7 +118716,7 @@ index 2af42e7..b489ca6 100644
  
  logging_send_syslog_msg(pppd_t)
  logging_send_audit_msgs(pppd_t)
-@@ -176,7 +184,7 @@ sysnet_exec_ifconfig(pppd_t)
+@@ -176,9 +184,10 @@ sysnet_exec_ifconfig(pppd_t)
  sysnet_manage_config(pppd_t)
  sysnet_etc_filetrans_config(pppd_t)
  
@@ -118286,8 +118724,11 @@ index 2af42e7..b489ca6 100644
 +userdom_use_inherited_user_terminals(pppd_t)
  userdom_dontaudit_use_unpriv_user_fds(pppd_t)
  userdom_search_user_home_dirs(pppd_t)
++userdom_search_admin_dir(pppd_t)
  
-@@ -187,13 +195,21 @@ optional_policy(`
+ ppp_exec(pppd_t)
+ 
+@@ -187,13 +196,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -118310,7 +118751,7 @@ index 2af42e7..b489ca6 100644
  ')
  
  optional_policy(`
-@@ -243,14 +259,18 @@ allow pptp_t pppd_log_t:file append_file_perms;
+@@ -243,14 +260,18 @@ allow pptp_t pppd_log_t:file append_file_perms;
  allow pptp_t pptp_log_t:file manage_file_perms;
  logging_log_filetrans(pptp_t, pptp_log_t, file)
  
@@ -118330,7 +118771,7 @@ index 2af42e7..b489ca6 100644
  
  dev_read_sysfs(pptp_t)
  
-@@ -265,9 +285,8 @@ corenet_tcp_sendrecv_generic_node(pptp_t)
+@@ -265,9 +286,8 @@ corenet_tcp_sendrecv_generic_node(pptp_t)
  corenet_raw_sendrecv_generic_node(pptp_t)
  corenet_tcp_sendrecv_all_ports(pptp_t)
  corenet_tcp_bind_generic_node(pptp_t)
@@ -125870,10 +126311,18 @@ index bcdd16c..039b0c8 100644
  	files_list_var_lib($1)
  	admin_pattern($1, setroubleshoot_var_lib_t)
 diff --git a/policy/modules/services/setroubleshoot.te b/policy/modules/services/setroubleshoot.te
-index 086cd5f..6ccfa96 100644
+index 086cd5f..e010142 100644
 --- a/policy/modules/services/setroubleshoot.te
 +++ b/policy/modules/services/setroubleshoot.te
-@@ -30,8 +30,10 @@ files_pid_file(setroubleshoot_var_run_t)
+@@ -13,6 +13,7 @@ init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t)
+ type setroubleshoot_fixit_t;
+ type setroubleshoot_fixit_exec_t;
+ dbus_system_domain(setroubleshoot_fixit_t, setroubleshoot_fixit_exec_t)
++init_daemon_domain(setroubleshoot_fixit_t, setroubleshoot_fixit_exec_t)
+ 
+ type setroubleshoot_var_lib_t;
+ files_type(setroubleshoot_var_lib_t)
+@@ -30,8 +31,10 @@ files_pid_file(setroubleshoot_var_run_t)
  # setroubleshootd local policy
  #
  
@@ -125885,7 +126334,7 @@ index 086cd5f..6ccfa96 100644
  allow setroubleshootd_t self:fifo_file rw_fifo_file_perms;
  allow setroubleshootd_t self:tcp_socket create_stream_socket_perms;
  allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto };
-@@ -49,17 +51,21 @@ manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setrouble
+@@ -49,17 +52,21 @@ manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setrouble
  logging_log_filetrans(setroubleshootd_t, setroubleshoot_var_log_t, { file dir })
  
  # pid file
@@ -125908,7 +126357,7 @@ index 086cd5f..6ccfa96 100644
  
  corenet_all_recvfrom_unlabeled(setroubleshootd_t)
  corenet_all_recvfrom_netlabel(setroubleshootd_t)
-@@ -85,6 +91,7 @@ files_getattr_all_files(setroubleshootd_t)
+@@ -85,6 +92,7 @@ files_getattr_all_files(setroubleshootd_t)
  files_getattr_all_pipes(setroubleshootd_t)
  files_getattr_all_sockets(setroubleshootd_t)
  files_read_all_symlinks(setroubleshootd_t)
@@ -125916,7 +126365,7 @@ index 086cd5f..6ccfa96 100644
  
  fs_getattr_all_dirs(setroubleshootd_t)
  fs_getattr_all_files(setroubleshootd_t)
-@@ -95,6 +102,7 @@ fs_dontaudit_read_cifs_files(setroubleshootd_t)
+@@ -95,6 +103,7 @@ fs_dontaudit_read_cifs_files(setroubleshootd_t)
  
  selinux_get_enforce_mode(setroubleshootd_t)
  selinux_validate_context(setroubleshootd_t)
@@ -125924,7 +126373,7 @@ index 086cd5f..6ccfa96 100644
  
  term_dontaudit_use_all_ptys(setroubleshootd_t)
  term_dontaudit_use_all_ttys(setroubleshootd_t)
-@@ -104,6 +112,8 @@ auth_use_nsswitch(setroubleshootd_t)
+@@ -104,6 +113,8 @@ auth_use_nsswitch(setroubleshootd_t)
  init_read_utmp(setroubleshootd_t)
  init_dontaudit_write_utmp(setroubleshootd_t)
  
@@ -125933,7 +126382,7 @@ index 086cd5f..6ccfa96 100644
  miscfiles_read_localization(setroubleshootd_t)
  
  locallogin_dontaudit_use_fds(setroubleshootd_t)
-@@ -112,8 +122,6 @@ logging_send_audit_msgs(setroubleshootd_t)
+@@ -112,8 +123,6 @@ logging_send_audit_msgs(setroubleshootd_t)
  logging_send_syslog_msg(setroubleshootd_t)
  logging_stream_connect_dispatcher(setroubleshootd_t)
  
@@ -125942,7 +126391,7 @@ index 086cd5f..6ccfa96 100644
  seutil_read_config(setroubleshootd_t)
  seutil_read_file_contexts(setroubleshootd_t)
  seutil_read_bin_policy(setroubleshootd_t)
-@@ -121,10 +129,23 @@ seutil_read_bin_policy(setroubleshootd_t)
+@@ -121,10 +130,23 @@ seutil_read_bin_policy(setroubleshootd_t)
  userdom_dontaudit_read_user_home_content_files(setroubleshootd_t)
  
  optional_policy(`
@@ -125966,7 +126415,7 @@ index 086cd5f..6ccfa96 100644
  	rpm_signull(setroubleshootd_t)
  	rpm_read_db(setroubleshootd_t)
  	rpm_dontaudit_manage_db(setroubleshootd_t)
-@@ -151,7 +172,11 @@ kernel_read_system_state(setroubleshoot_fixit_t)
+@@ -151,7 +173,11 @@ kernel_read_system_state(setroubleshoot_fixit_t)
  corecmd_exec_bin(setroubleshoot_fixit_t)
  corecmd_exec_shell(setroubleshoot_fixit_t)
  
@@ -125978,7 +126427,7 @@ index 086cd5f..6ccfa96 100644
  
  files_read_usr_files(setroubleshoot_fixit_t)
  files_read_etc_files(setroubleshoot_fixit_t)
-@@ -164,6 +189,13 @@ logging_send_syslog_msg(setroubleshoot_fixit_t)
+@@ -164,6 +190,13 @@ logging_send_syslog_msg(setroubleshoot_fixit_t)
  
  miscfiles_read_localization(setroubleshoot_fixit_t)
  
@@ -128115,7 +128564,7 @@ index 22adaca..60103b5 100644
 +	userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts")
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 2dad3c8..a67b643 100644
+index 2dad3c8..1cbfcad 100644
 --- a/policy/modules/services/ssh.te
 +++ b/policy/modules/services/ssh.te
 @@ -6,26 +6,37 @@ policy_module(ssh, 2.2.0)
@@ -128344,7 +128793,7 @@ index 2dad3c8..a67b643 100644
  #################################
  #
  # sshd local policy
-@@ -232,33 +243,40 @@ optional_policy(`
+@@ -232,33 +243,45 @@ optional_policy(`
  # so a tunnel can point to another ssh tunnel
  allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
  allow sshd_t self:key { search link write };
@@ -128391,10 +128840,15 @@ index 2dad3c8..a67b643 100644
 +
 +optional_policy(`
 +	amanda_search_var_lib(sshd_t)
++')
++
++optional_policy(`
++	condor_rw_lib_files(sshd_t)
++	condor_rw_tcp_sockets_startd(sshd_t)
  ')
  
  optional_policy(`
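Review bot: `condor_rw_lib_files(sshd_t)` gives every sshd_t process, not just sessions started under condor, write access to condor's lib files, and the hunk gives no hint of which file or code path needs it. If the real requirement is only the inherited startd socket (the second rule), the file access may only need to be read, or may belong to the user session domain rather than sshd_t itself; please confirm against the AVC that motivated it. At minimum add a one-line comment above the block naming the use case, e.g. `# condor_ssh_to_job: sshd inherits the condor_startd socket — TODO confirm lib write is needed`. The enclosing sshd_t optional_policy block continues outside this hunk.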
-@@ -266,11 +284,24 @@ optional_policy(`
+@@ -266,11 +289,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -128420,7 +128874,7 @@ index 2dad3c8..a67b643 100644
  ')
  
  optional_policy(`
-@@ -284,6 +315,15 @@ optional_policy(`
+@@ -284,6 +320,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -128436,7 +128890,7 @@ index 2dad3c8..a67b643 100644
  	unconfined_shell_domtrans(sshd_t)
  ')
  
-@@ -292,26 +332,26 @@ optional_policy(`
+@@ -292,26 +337,26 @@ optional_policy(`
  ')
  
  ifdef(`TODO',`
@@ -128482,7 +128936,7 @@ index 2dad3c8..a67b643 100644
  ') dnl endif TODO
  
  ########################################
-@@ -322,19 +362,26 @@ tunable_policy(`ssh_sysadm_login',`
+@@ -322,19 +367,26 @@ tunable_policy(`ssh_sysadm_login',`
  # ssh_keygen_t is the type of the ssh-keygen program when run at install time
  # and by sysadm_t
  
@@ -128510,7 +128964,7 @@ index 2dad3c8..a67b643 100644
  dev_read_urand(ssh_keygen_t)
  
  term_dontaudit_use_console(ssh_keygen_t)
-@@ -351,9 +398,11 @@ auth_use_nsswitch(ssh_keygen_t)
+@@ -351,9 +403,11 @@ auth_use_nsswitch(ssh_keygen_t)
  logging_send_syslog_msg(ssh_keygen_t)
  
  userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
@@ -128524,7 +128978,7 @@ index 2dad3c8..a67b643 100644
  ')
  
  optional_policy(`
-@@ -363,3 +412,76 @@ optional_policy(`
+@@ -363,3 +417,76 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(ssh_keygen_t)
  ')
@@ -129324,7 +129778,7 @@ index 8294f6f..4847b43 100644
  /var/lib/tgtd(/.*)?			gen_context(system_u:object_r:tgtd_var_lib_t,s0)
 +/var/run/tgtd.*			-s	gen_context(system_u:object_r:tgtd_var_run_t,s0)
 diff --git a/policy/modules/services/tgtd.te b/policy/modules/services/tgtd.te
-index 665bf7c..a1ea37a 100644
+index 665bf7c..55c5868 100644
 --- a/policy/modules/services/tgtd.te
 +++ b/policy/modules/services/tgtd.te
 @@ -21,6 +21,9 @@ files_tmpfs_file(tgtd_tmpfs_t)
@@ -129363,7 +129817,7 @@ index 665bf7c..a1ea37a 100644
  corenet_tcp_bind_iscsi_port(tgtd_t)
  corenet_sendrecv_iscsi_server_packets(tgtd_t)
  
-+dev_search_sysfs(tgtd_t)
++dev_read_sysfs(tgtd_t)
 +
  files_read_etc_files(tgtd_t)
  
@@ -130571,7 +131025,7 @@ index 2124b6a..9fdf440 100644
 +/usr/bin/qemu-kvm	--	gen_context(system_u:object_r:qemu_exec_t,s0)
 +/usr/libexec/qemu.*	--	gen_context(system_u:object_r:qemu_exec_t,s0)
 diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if
-index 7c5d8d8..c542fe7 100644
+index 7c5d8d8..a0da632 100644
 --- a/policy/modules/services/virt.if
 +++ b/policy/modules/services/virt.if
 @@ -13,39 +13,45 @@
@@ -130961,8 +131415,8 @@ index 7c5d8d8..c542fe7 100644
 +	allow $1 virtd_t:process signal_perms;
  	ps_process_pattern($1, virtd_t)
 +	tunable_policy(`deny_ptrace',`',`
-+		allow $1 virtd_t:process ptrace;
-+		allow $1 virt_lxc_t:process ptrace;
++		allow $1 virtd_t:process ptrace_perms_perms;
++		allow $1 virt_lxc_t:process ptrace_perms_perms;
 +	')
 +
 +	allow $1 virt_lxc_t:process signal_perms;
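Review bot: `ptrace_perms_perms` in the two `deny_ptrace`-gated allow rules is not a permission or permission set defined anywhere visible in this patch, and the removed lines used the plain `ptrace` permission, so this looks like a search-and-replace applied twice. Unless Fedora's obj_perm_sets defines `ptrace_perms_perms`, any module that calls `virt_admin` will fail at policy build time with an unknown permission. Change both lines back to `allow $1 virtd_t:process ptrace;` and `allow $1 virt_lxc_t:process ptrace;` (or to whatever single set name the tree actually defines). The `virt_admin` interface body starts outside this hunk.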
@@ -131203,7 +131657,7 @@ index 7c5d8d8..c542fe7 100644
 +')
 +
 diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..9ad0913 100644
+index 3eca020..23c752e 100644
 --- a/policy/modules/services/virt.te
 +++ b/policy/modules/services/virt.te
 @@ -5,56 +5,87 @@ policy_module(virt, 1.4.0)
@@ -131626,18 +132080,19 @@ index 3eca020..9ad0913 100644
  miscfiles_read_localization(virtd_t)
  miscfiles_read_generic_certs(virtd_t)
  miscfiles_read_hwdata(virtd_t)
-@@ -285,16 +445,31 @@ modutils_read_module_config(virtd_t)
+@@ -285,16 +445,32 @@ modutils_read_module_config(virtd_t)
  modutils_manage_module_config(virtd_t)
  
  logging_send_syslog_msg(virtd_t)
 +logging_send_audit_msgs(virtd_t)
- 
-+selinux_validate_context(virtd_t)
 +
++selinux_validate_context(virtd_t)
+ 
 +seutil_read_config(virtd_t)
  seutil_read_default_contexts(virtd_t)
 +seutil_read_file_contexts(virtd_t)
  
++sysnet_signull_ifconfig(virtd_t)
 +sysnet_signal_ifconfig(virtd_t)
  sysnet_domtrans_ifconfig(virtd_t)
  sysnet_read_config(virtd_t)
@@ -131658,7 +132113,7 @@ index 3eca020..9ad0913 100644
  
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virtd_t)
-@@ -313,6 +488,10 @@ optional_policy(`
+@@ -313,6 +489,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -131669,7 +132124,7 @@ index 3eca020..9ad0913 100644
  	dbus_system_bus_client(virtd_t)
  
  	optional_policy(`
-@@ -326,6 +505,14 @@ optional_policy(`
+@@ -326,6 +506,14 @@ optional_policy(`
  	optional_policy(`
  		hal_dbus_chat(virtd_t)
  	')
@@ -131684,7 +132139,7 @@ index 3eca020..9ad0913 100644
  ')
  
  optional_policy(`
-@@ -334,11 +521,14 @@ optional_policy(`
+@@ -334,11 +522,14 @@ optional_policy(`
  	dnsmasq_kill(virtd_t)
  	dnsmasq_read_pid_files(virtd_t)
  	dnsmasq_signull(virtd_t)
@@ -131699,7 +132154,7 @@ index 3eca020..9ad0913 100644
  
  	# Manages /etc/sysconfig/system-config-firewall
  	iptables_manage_config(virtd_t)
-@@ -360,11 +550,11 @@ optional_policy(`
+@@ -360,11 +551,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -131716,7 +132171,7 @@ index 3eca020..9ad0913 100644
  ')
  
  optional_policy(`
-@@ -394,20 +584,36 @@ optional_policy(`
+@@ -394,20 +585,36 @@ optional_policy(`
  # virtual domains common policy
  #
  
@@ -131756,7 +132211,7 @@ index 3eca020..9ad0913 100644
  corecmd_exec_bin(virt_domain)
  corecmd_exec_shell(virt_domain)
  
-@@ -418,10 +624,12 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
+@@ -418,10 +625,12 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
  corenet_tcp_sendrecv_all_ports(virt_domain)
  corenet_tcp_bind_generic_node(virt_domain)
  corenet_tcp_bind_vnc_port(virt_domain)
@@ -131770,7 +132225,7 @@ index 3eca020..9ad0913 100644
  dev_read_rand(virt_domain)
  dev_read_sound(virt_domain)
  dev_read_urand(virt_domain)
-@@ -429,10 +637,12 @@ dev_write_sound(virt_domain)
+@@ -429,10 +638,12 @@ dev_write_sound(virt_domain)
  dev_rw_ksm(virt_domain)
  dev_rw_kvm(virt_domain)
  dev_rw_qemu(virt_domain)
@@ -131783,7 +132238,7 @@ index 3eca020..9ad0913 100644
  files_read_usr_files(virt_domain)
  files_read_var_files(virt_domain)
  files_search_all(virt_domain)
-@@ -440,25 +650,409 @@ files_search_all(virt_domain)
+@@ -440,25 +651,427 @@ files_search_all(virt_domain)
  fs_getattr_tmpfs(virt_domain)
  fs_rw_anon_inodefs_files(virt_domain)
  fs_rw_tmpfs_files(virt_domain)
@@ -131940,7 +132395,7 @@ index 3eca020..9ad0913 100644
 +# virt_lxc local policy
 +#
 +allow virtd_lxc_t self:capability { dac_override net_admin net_raw setpcap chown sys_admin sys_resource };
-+allow virtd_lxc_t self:process { setrlimit setsched getcap setcap signal_perms };
++allow virtd_lxc_t self:process { setexec setrlimit setsched getcap setcap signal_perms };
 +allow virtd_lxc_t self:fifo_file rw_fifo_file_perms;
 +allow virtd_lxc_t self:netlink_route_socket rw_netlink_socket_perms;
 +allow virtd_lxc_t self:unix_stream_socket create_stream_socket_perms;
@@ -131965,6 +132420,7 @@ index 3eca020..9ad0913 100644
 +manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
 +manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
 +allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom };
++allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom };
 +files_associate_rootfs(svirt_lxc_file_t)
 +
 +storage_manage_fixed_disk(virtd_lxc_t)
@@ -131979,9 +132435,12 @@ index 3eca020..9ad0913 100644
 +
 +dev_relabel_all_dev_nodes(virtd_lxc_t)
 +dev_rw_sysfs(virtd_lxc_t)
++dev_read_sysfs(virtd_lxc_t)
 +
 +domain_use_interactive_fds(virtd_lxc_t)
 +
++files_search_all(virtd_lxc_t)
++files_getattr_all_files(virtd_lxc_t)
 +files_read_etc_files(virtd_lxc_t)
 +files_read_usr_files(virtd_lxc_t)
 +files_relabel_rootfs(virtd_lxc_t)
@@ -132005,6 +132464,7 @@ index 3eca020..9ad0913 100644
 +
 +selinux_mount_fs(virtd_lxc_t)
 +selinux_unmount_fs(virtd_lxc_t)
++seutil_read_config(virtd_lxc_t)
 +
 +term_use_generic_ptys(virtd_lxc_t)
 +term_use_ptmx(virtd_lxc_t)
@@ -132019,6 +132479,15 @@ index 3eca020..9ad0913 100644
 +seutil_domtrans_setfiles(virtd_lxc_t)
 +seutil_read_default_contexts(virtd_lxc_t)
 +
++selinux_get_enforce_mode(virtd_lxc_t)
++selinux_get_fs_mount(virtd_lxc_t)
++selinux_validate_context(virtd_lxc_t)
++selinux_compute_access_vector(virtd_lxc_t)
++selinux_compute_create_context(virtd_lxc_t)
++selinux_compute_relabel_context(virtd_lxc_t)
++selinux_compute_user_contexts(virtd_lxc_t)
++seutil_read_default_contexts(virtd_lxc_t)
++
 +sysnet_domtrans_ifconfig(virtd_lxc_t)
 +
 +#optional_policy(`
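Review bot: The new selinux_* block for virtd_lxc_t ends with `seutil_read_default_contexts(virtd_lxc_t)`, but that exact line already exists a few lines above next to `seutil_domtrans_setfiles(virtd_lxc_t)`, so the rule is now present twice in the same domain section. Remove the duplicate from the new block and consider moving `seutil_read_config(virtd_lxc_t)`, added in the neighbouring hunk, down here so all seutil/selinux access for virtd_lxc_t sits together. These rules appear to have been moved from svirt_lxc_domain (they are removed there later in this file), which is worth a one-line comment: `# context computation is done by the container manager, not by the confined container`.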
@@ -132035,8 +132504,10 @@ index 3eca020..9ad0913 100644
 +allow virtd_t svirt_lxc_domain:unix_stream_socket { create_stream_socket_perms connectto };
 +allow virtd_t svirt_lxc_domain:process { signal_perms };
 +allow virtd_lxc_t svirt_lxc_domain:process { getattr getsched setsched transition signal signull sigkill };
++allow svirt_lxc_domain virtd_lxc_t:process sigchld;
 +allow svirt_lxc_domain virtd_lxc_t:fd use;
-+allow svirt_lxc_domain virtd_lxc_var_run_t:dir search_dir_perms;
++allow svirt_lxc_domain virtd_lxc_var_run_t:dir list_dir_perms;
++allow svirt_lxc_domain virtd_lxc_var_run_t:file read_file_perms;
 +allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
 +
 +allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
@@ -132044,10 +132515,11 @@ index 3eca020..9ad0913 100644
 +allow svirt_lxc_domain self:sem create_sem_perms;
 +allow svirt_lxc_domain self:shm create_shm_perms;
 +allow svirt_lxc_domain self:msgq create_msgq_perms;
-+allow svirt_lxc_domain self:unix_stream_socket create_stream_socket_perms;
++allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
 +allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
 +dontaudit svirt_lxc_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 +
++
 +manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
 +manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
 +manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
@@ -132056,35 +132528,36 @@ index 3eca020..9ad0913 100644
 +rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
 +rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
 +can_exec(svirt_lxc_domain, svirt_lxc_file_t)
++allow svirt_lxc_net_t svirt_lxc_file_t:dir mounton;
++allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr;
 +
 +kernel_getattr_proc(svirt_lxc_domain)
 +kernel_read_kernel_sysctls(svirt_lxc_domain)
++kernel_read_net_sysctls(svirt_lxc_domain)
 +kernel_read_system_state(svirt_lxc_domain)
 +kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
 +
 +corecmd_exec_all_executables(svirt_lxc_domain)
 +
-+dev_read_urand(svirt_lxc_domain)
-+dev_dontaudit_read_rand(svirt_lxc_domain)
-+dev_read_sysfs(svirt_lxc_domain)
-+
++files_read_kernel_modules(svirt_lxc_net_t)
 +files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
++files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
 +files_entrypoint_all_files(svirt_lxc_domain)
 +files_search_all(svirt_lxc_domain)
 +files_read_config_files(svirt_lxc_domain)
 +files_read_usr_files(svirt_lxc_domain)
 +files_read_usr_symlinks(svirt_lxc_domain)
 +
-+fs_getattr_tmpfs(svirt_lxc_domain)
-+fs_getattr_xattr_fs(svirt_lxc_domain)
++fs_getattr_all_fs(svirt_lxc_domain)
 +fs_list_inotifyfs(svirt_lxc_domain)
-+fs_dontaudit_getattr_xattr_fs(svirt_lxc_domain)
 +
 +auth_dontaudit_read_passwd(svirt_lxc_domain)
 +auth_dontaudit_read_login_records(svirt_lxc_domain)
 +auth_dontaudit_write_login_records(svirt_lxc_domain)
 +auth_search_pam_console_data(svirt_lxc_domain)
 +
++clock_read_adjtime(svirt_lxc_domain)
++
 +init_read_utmp(svirt_lxc_domain)
 +init_dontaudit_write_utmp(svirt_lxc_domain)
 +
@@ -132092,18 +132565,13 @@ index 3eca020..9ad0913 100644
 +
 +miscfiles_read_localization(svirt_lxc_domain)
 +miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain)
++miscfiles_read_fonts(svirt_lxc_domain)
 +
 +mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
 +
-+selinux_get_fs_mount(svirt_lxc_domain)
-+selinux_validate_context(svirt_lxc_domain)
-+selinux_compute_access_vector(svirt_lxc_domain)
-+selinux_compute_create_context(svirt_lxc_domain)
-+selinux_compute_relabel_context(svirt_lxc_domain)
-+selinux_compute_user_contexts(svirt_lxc_domain)
-+seutil_read_default_contexts(svirt_lxc_domain)
-+
-+miscfiles_read_fonts(svirt_lxc_domain)
++optional_policy(`
++	udev_read_pid_files(svirt_lxc_domain)
++')
 +
 +optional_policy(`
 +	apache_exec_modules(svirt_lxc_domain)
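Review bot: Three rules in this hunk target `svirt_lxc_net_t` (`allow svirt_lxc_net_t svirt_lxc_file_t:dir mounton;`, the `:filesystem getattr` rule and `files_read_kernel_modules(svirt_lxc_net_t)`) but are placed inside the generic svirt_lxc_domain section, above the `virt_lxc_domain_template(svirt_lxc_net)` call that presumably declares the type. checkpolicy will accept the order, but the rules are easy to miss when reading the svirt_lxc_net_t section, so move them there. `files_read_kernel_modules` for a networked container also deserves a comment saying which tool inside the container reads /lib/modules; a container should not normally need it, and a `# TODO confirm` note would flag it for re-evaluation. Removing `dev_read_urand`, `dev_dontaudit_read_rand` and `dev_read_sysfs` from svirt_lxc_domain is reasonable only if the containers carry their own device nodes labelled svirt_lxc_file_t, which the `rw_chr_files_pattern` above suggests but does not prove.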
@@ -132111,16 +132579,19 @@ index 3eca020..9ad0913 100644
 +
 +virt_lxc_domain_template(svirt_lxc_net)
 +
++allow svirt_lxc_net_t self:capability { net_raw net_admin net_bind_service sys_nice };
 +allow svirt_lxc_net_t self:udp_socket create_socket_perms;
 +allow svirt_lxc_net_t self:tcp_socket create_stream_socket_perms;
 +allow svirt_lxc_net_t self:netlink_route_socket create_netlink_socket_perms;
 +allow svirt_lxc_net_t self:packet_socket create_socket_perms;
-+allow svirt_lxc_net_t self:udp_socket create_socket_perms;
++allow svirt_lxc_net_t self:socket create_socket_perms;
++allow svirt_lxc_net_t self:rawip_socket create_socket_perms;
++allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_socket_perms;
 +
 +corenet_tcp_bind_generic_node(svirt_lxc_net_t)
 +corenet_udp_bind_generic_node(svirt_lxc_net_t)
 +
-+allow svirt_lxc_net_t self:capability { net_raw net_admin net_bind_service };
++dev_read_sysfs(svirt_lxc_net_t)
 +
 +corenet_tcp_sendrecv_all_ports(svirt_lxc_net_t)
 +corenet_udp_sendrecv_all_ports(svirt_lxc_net_t)
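Review bot: Adding `self:rawip_socket`, `self:netlink_tcpdiag_socket` and the catch-all `self:socket create_socket_perms` on top of the existing `net_raw`/`net_admin` capabilities and `packet_socket` lets a process in an svirt_lxc_net_t container craft arbitrary IP and link-layer frames and enumerate socket state; whether that reaches the host's interfaces depends on the container getting its own network namespace, which this policy cannot see. If the container shares the host namespace this is a spoofing primitive, so consider gating `rawip_socket`/`packet_socket` behind a tunable rather than granting them to every network container. The generic `socket` class is the fallback for address families without their own class, so it should be commented with the family that triggered it, e.g. `# self:socket — unclassed address family seen in AVC, TODO record which`. The svirt_lxc_net_t section continues past this hunk.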
@@ -132132,6 +132603,8 @@ index 3eca020..9ad0913 100644
 +fs_noxattr_type(svirt_lxc_file_t)
 +term_pty(svirt_lxc_file_t)
 +
++auth_use_nsswitch(svirt_lxc_net_t)
++
 +#######################################
 +#
 +# svirt_prot_exec local policy
@@ -140766,7 +141239,7 @@ index 560dc48..e644b1e 100644
 +
 +/usr/sbin/ldconfig		--	gen_context(system_u:object_r:ldconfig_exec_t,s0)
 diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
-index 808ba93..296a2e2 100644
+index 808ba93..f94b80a 100644
 --- a/policy/modules/system/libraries.if
 +++ b/policy/modules/system/libraries.if
 @@ -147,6 +147,7 @@ interface(`libs_manage_ld_so',`
@@ -140875,7 +141348,7 @@ index 808ba93..296a2e2 100644
  ')
  
  ########################################
-@@ -534,3 +538,24 @@ interface(`lib_filetrans_shared_lib',`
+@@ -534,3 +538,26 @@ interface(`lib_filetrans_shared_lib',`
  interface(`files_lib_filetrans_shared_lib',`
  	refpolicywarn(`$0($*) has been deprecated.')
  ')
@@ -140893,27 +141366,33 @@ index 808ba93..296a2e2 100644
 +interface(`libs_filetrans_named_content',`
 +	gen_require(`
 +		type ld_so_cache_t;
++		type ldconfig_cache_t;
 +	')
 +
++	files_var_filetrans($1, ldconfig_cache_t, dir, "ldconfig")
 +	files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.cache")
 +	files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.cache~")
 +	files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload")
 +	files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload~")
 +')
 diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
-index e5836d3..cc8dabb 100644
+index e5836d3..648d152 100644
 --- a/policy/modules/system/libraries.te
 +++ b/policy/modules/system/libraries.te
-@@ -61,7 +61,7 @@ allow ldconfig_t self:capability { dac_override sys_chroot };
+@@ -59,9 +59,11 @@ optional_policy(`
+ 
+ allow ldconfig_t self:capability { dac_override sys_chroot };
  
++manage_dirs_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t)
  manage_files_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t)
++files_var_filetrans(ldconfig_t, ldconfig_cache_t, dir, "ldconfig")
  
 -allow ldconfig_t ld_so_cache_t:file manage_file_perms;
 +manage_files_pattern(ldconfig_t, ld_so_cache_t, ld_so_cache_t)
  files_etc_filetrans(ldconfig_t, ld_so_cache_t, file)
  
  manage_dirs_pattern(ldconfig_t, ldconfig_tmp_t, ldconfig_tmp_t)
-@@ -75,10 +75,14 @@ kernel_read_system_state(ldconfig_t)
+@@ -75,10 +77,14 @@ kernel_read_system_state(ldconfig_t)
  
  fs_getattr_xattr_fs(ldconfig_t)
  
@@ -140928,7 +141407,7 @@ index e5836d3..cc8dabb 100644
  files_search_var_lib(ldconfig_t)
  files_read_etc_files(ldconfig_t)
  files_read_usr_files(ldconfig_t)
-@@ -94,7 +98,8 @@ miscfiles_read_localization(ldconfig_t)
+@@ -94,7 +100,8 @@ miscfiles_read_localization(ldconfig_t)
  
  logging_send_syslog_msg(ldconfig_t)
  
@@ -140938,7 +141417,7 @@ index e5836d3..cc8dabb 100644
  userdom_use_all_users_fds(ldconfig_t)
  
  ifdef(`distro_ubuntu',`
-@@ -103,6 +108,12 @@ ifdef(`distro_ubuntu',`
+@@ -103,6 +110,12 @@ ifdef(`distro_ubuntu',`
  	')
  ')
  
@@ -140951,7 +141430,7 @@ index e5836d3..cc8dabb 100644
  ifdef(`hide_broken_symptoms',`
  	ifdef(`distro_gentoo',`
  		# leaked fds from portage
-@@ -114,6 +125,9 @@ ifdef(`hide_broken_symptoms',`
+@@ -114,6 +127,9 @@ ifdef(`hide_broken_symptoms',`
  		')
  	')
  
@@ -140961,7 +141440,7 @@ index e5836d3..cc8dabb 100644
  	optional_policy(`
  		unconfined_dontaudit_rw_tcp_sockets(ldconfig_t)
  	')
-@@ -131,6 +145,10 @@ optional_policy(`
+@@ -131,6 +147,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -140972,7 +141451,7 @@ index e5836d3..cc8dabb 100644
  	puppet_rw_tmp(ldconfig_t)
  ')
  
-@@ -141,6 +159,3 @@ optional_policy(`
+@@ -141,6 +161,3 @@ optional_policy(`
  	rpm_manage_script_tmp_files(ldconfig_t)
  ')
  
@@ -144025,7 +144504,7 @@ index 170e2c7..6c56785 100644
 +	auth_relabelto_shadow($1)
 +')
 diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index 7ed9819..ddca0f1 100644
+index 7ed9819..0e6151b 100644
 --- a/policy/modules/system/selinuxutil.te
 +++ b/policy/modules/system/selinuxutil.te
 @@ -11,6 +11,7 @@ gen_require(`
@@ -144070,11 +144549,12 @@ index 7ed9819..ddca0f1 100644
  
  type restorecond_var_run_t;
  files_pid_file(restorecond_var_run_t)
-@@ -88,26 +96,36 @@ role system_r types run_init_t;
+@@ -88,26 +96,37 @@ role system_r types run_init_t;
  type semanage_t;
  type semanage_exec_t;
  application_domain(semanage_t, semanage_exec_t)
 +dbus_system_domain(semanage_t, semanage_exec_t)
++init_daemon_domain(semanage_t, semanage_exec_t)
  domain_interactive_fd(semanage_t)
  role system_r types semanage_t;
  
@@ -144109,7 +144589,7 @@ index 7ed9819..ddca0f1 100644
  ########################################
  #
  # Checkpolicy local policy
-@@ -139,7 +157,7 @@ term_use_console(checkpolicy_t)
+@@ -139,7 +158,7 @@ term_use_console(checkpolicy_t)
  init_use_fds(checkpolicy_t)
  init_use_script_ptys(checkpolicy_t)
  
@@ -144118,7 +144598,7 @@ index 7ed9819..ddca0f1 100644
  userdom_use_all_users_fds(checkpolicy_t)
  
  ifdef(`distro_ubuntu',`
-@@ -176,13 +194,15 @@ term_list_ptys(load_policy_t)
+@@ -176,13 +195,15 @@ term_list_ptys(load_policy_t)
  
  init_use_script_fds(load_policy_t)
  init_use_script_ptys(load_policy_t)
@@ -144135,7 +144615,7 @@ index 7ed9819..ddca0f1 100644
  
  ifdef(`distro_ubuntu',`
  	optional_policy(`
-@@ -204,7 +224,7 @@ ifdef(`hide_broken_symptoms',`
+@@ -204,7 +225,7 @@ ifdef(`hide_broken_symptoms',`
  # Newrole local policy
  #
  
@@ -144144,7 +144624,7 @@ index 7ed9819..ddca0f1 100644
  allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
  allow newrole_t self:process setexec;
  allow newrole_t self:fd use;
-@@ -216,7 +236,7 @@ allow newrole_t self:msgq create_msgq_perms;
+@@ -216,7 +237,7 @@ allow newrole_t self:msgq create_msgq_perms;
  allow newrole_t self:msg { send receive };
  allow newrole_t self:unix_dgram_socket sendto;
  allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
@@ -144153,7 +144633,7 @@ index 7ed9819..ddca0f1 100644
  
  read_files_pattern(newrole_t, default_context_t, default_context_t)
  read_lnk_files_pattern(newrole_t, default_context_t, default_context_t)
-@@ -233,6 +253,7 @@ domain_use_interactive_fds(newrole_t)
+@@ -233,6 +254,7 @@ domain_use_interactive_fds(newrole_t)
  # for when the user types "exec newrole" at the command line:
  domain_sigchld_interactive_fds(newrole_t)
  
@@ -144161,7 +144641,7 @@ index 7ed9819..ddca0f1 100644
  files_read_etc_files(newrole_t)
  files_read_var_files(newrole_t)
  files_read_var_symlinks(newrole_t)
-@@ -260,25 +281,30 @@ term_relabel_all_ptys(newrole_t)
+@@ -260,25 +282,30 @@ term_relabel_all_ptys(newrole_t)
  term_getattr_unallocated_ttys(newrole_t)
  term_dontaudit_use_unallocated_ttys(newrole_t)
  
@@ -144198,7 +144678,7 @@ index 7ed9819..ddca0f1 100644
  ifdef(`distro_ubuntu',`
  	optional_policy(`
  		unconfined_domain(newrole_t)
-@@ -312,6 +338,10 @@ kernel_use_fds(restorecond_t)
+@@ -312,6 +339,10 @@ kernel_use_fds(restorecond_t)
  kernel_rw_pipes(restorecond_t)
  kernel_read_system_state(restorecond_t)
  
@@ -144209,7 +144689,7 @@ index 7ed9819..ddca0f1 100644
  fs_relabelfrom_noxattr_fs(restorecond_t)
  fs_dontaudit_list_nfs(restorecond_t)
  fs_getattr_xattr_fs(restorecond_t)
-@@ -323,8 +353,8 @@ selinux_compute_create_context(restorecond_t)
+@@ -323,8 +354,8 @@ selinux_compute_create_context(restorecond_t)
  selinux_compute_relabel_context(restorecond_t)
  selinux_compute_user_contexts(restorecond_t)
  
@@ -144220,7 +144700,7 @@ index 7ed9819..ddca0f1 100644
  auth_use_nsswitch(restorecond_t)
  
  locallogin_dontaudit_use_fds(restorecond_t)
-@@ -335,6 +365,8 @@ miscfiles_read_localization(restorecond_t)
+@@ -335,6 +366,8 @@ miscfiles_read_localization(restorecond_t)
  
  seutil_libselinux_linked(restorecond_t)
  
@@ -144229,7 +144709,7 @@ index 7ed9819..ddca0f1 100644
  ifdef(`distro_ubuntu',`
  	optional_policy(`
  		unconfined_domain(restorecond_t)
-@@ -353,16 +385,19 @@ optional_policy(`
+@@ -353,16 +386,19 @@ optional_policy(`
  allow run_init_t self:process setexec;
  allow run_init_t self:capability setuid;
  allow run_init_t self:fifo_file rw_file_perms;
@@ -144250,7 +144730,7 @@ index 7ed9819..ddca0f1 100644
  dev_dontaudit_list_all_dev_nodes(run_init_t)
  
  domain_use_interactive_fds(run_init_t)
-@@ -380,6 +415,8 @@ selinux_compute_create_context(run_init_t)
+@@ -380,6 +416,8 @@ selinux_compute_create_context(run_init_t)
  selinux_compute_relabel_context(run_init_t)
  selinux_compute_user_contexts(run_init_t)
  
@@ -144259,7 +144739,7 @@ index 7ed9819..ddca0f1 100644
  auth_use_nsswitch(run_init_t)
  auth_domtrans_chk_passwd(run_init_t)
  auth_domtrans_upd_passwd(run_init_t)
-@@ -388,6 +425,7 @@ auth_dontaudit_read_shadow(run_init_t)
+@@ -388,6 +426,7 @@ auth_dontaudit_read_shadow(run_init_t)
  init_spec_domtrans_script(run_init_t)
  # for utmp
  init_rw_utmp(run_init_t)
@@ -144267,7 +144747,7 @@ index 7ed9819..ddca0f1 100644
  
  logging_send_syslog_msg(run_init_t)
  
-@@ -396,7 +434,7 @@ miscfiles_read_localization(run_init_t)
+@@ -396,7 +435,7 @@ miscfiles_read_localization(run_init_t)
  seutil_libselinux_linked(run_init_t)
  seutil_read_default_contexts(run_init_t)
  
@@ -144276,7 +144756,7 @@ index 7ed9819..ddca0f1 100644
  
  ifndef(`direct_sysadm_daemon',`
  	ifdef(`distro_gentoo',`
-@@ -405,6 +443,19 @@ ifndef(`direct_sysadm_daemon',`
+@@ -405,6 +444,19 @@ ifndef(`direct_sysadm_daemon',`
  	')
  ')
  
@@ -144296,7 +144776,7 @@ index 7ed9819..ddca0f1 100644
  ifdef(`distro_ubuntu',`
  	optional_policy(`
  		unconfined_domain(run_init_t)
-@@ -420,185 +471,200 @@ optional_policy(`
+@@ -420,185 +472,200 @@ optional_policy(`
  # semodule local policy
  #
  
@@ -144700,7 +145180,7 @@ index 694fd94..ff9af99 100644
 +
 +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
 diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
-index ff80d0a..22c9f0d 100644
+index ff80d0a..b8c1b90 100644
 --- a/policy/modules/system/sysnetwork.if
 +++ b/policy/modules/system/sysnetwork.if
 @@ -49,10 +49,6 @@ interface(`sysnet_run_dhcpc',`
@@ -144853,10 +145333,30 @@ index ff80d0a..22c9f0d 100644
  	allow $1 dhcpc_var_run_t:file unlink;
  ')
  
-@@ -554,6 +645,25 @@ interface(`sysnet_signal_ifconfig',`
+@@ -554,6 +645,45 @@ interface(`sysnet_signal_ifconfig',`
  
  ########################################
  ## <summary>
++##	Send a null signal to ifconfig.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.pwd
++
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`sysnet_signull_ifconfig',`
++	gen_require(`
++		type ifconfig_t;
++	')
++
++	allow $1 ifconfig_t:process signull;
++')
++
++########################################
++## <summary>
 +##	Send a kill signal to iconfig.
 +## </summary>
 +## <param name="domain">
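Review bot: The parameter summary of the new `sysnet_signull_ifconfig` interface carries a stray editor artifact: `##	Domain allowed access.pwd` followed by an empty `++` line inside the `<summary>` block. That text would presumably land in the generated interface documentation, and the blank line without a `##` prefix may split the doc comment during XML extraction; it should read `##	Domain allowed access.` with the empty line removed. The summary on the context line just below, `Send a kill signal to iconfig.`, has a pre-existing typo (`ifconfig`) that could be fixed in the same pass.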
@@ -144879,7 +145379,7 @@ index ff80d0a..22c9f0d 100644
  ##	Read the DHCP configuration files.
  ## </summary>
  ## <param name="domain">
-@@ -661,6 +771,8 @@ interface(`sysnet_dns_name_resolve',`
+@@ -661,6 +791,8 @@ interface(`sysnet_dns_name_resolve',`
  	corenet_tcp_connect_dns_port($1)
  	corenet_sendrecv_dns_client_packets($1)
  
@@ -144888,7 +145388,7 @@ index ff80d0a..22c9f0d 100644
  	sysnet_read_config($1)
  
  	optional_policy(`
-@@ -698,6 +810,9 @@ interface(`sysnet_use_ldap',`
+@@ -698,6 +830,9 @@ interface(`sysnet_use_ldap',`
  	corenet_sendrecv_ldap_client_packets($1)
  
  	sysnet_read_config($1)
@@ -144898,7 +145398,7 @@ index ff80d0a..22c9f0d 100644
  ')
  
  ########################################
-@@ -731,3 +846,73 @@ interface(`sysnet_use_portmap',`
+@@ -731,3 +866,73 @@ interface(`sysnet_use_portmap',`
  
  	sysnet_read_config($1)
  ')
@@ -146023,10 +146523,10 @@ index 0000000..3b0ab09
 +
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..12e4001
+index 0000000..2abb18f
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,415 @@
+@@ -0,0 +1,418 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -146102,6 +146602,8 @@ index 0000000..12e4001
 +init_halt(systemd_logind_t)
 +init_undefined(systemd_logind_t)
 +
++kernel_read_system_state(systemd_logind_t)
++
 +dev_getattr_all_chr_files(systemd_logind_t)
 +dev_getattr_all_blk_files(systemd_logind_t)
 +dev_rw_sysfs(systemd_logind_t)
@@ -146258,6 +146760,7 @@ index 0000000..12e4001
 +dev_relabel_cpu_online(systemd_tmpfiles_t)
 +dev_read_cpu_online(systemd_tmpfiles_t)
 +dev_manage_printer(systemd_tmpfiles_t)
++dev_relabel_printer(systemd_tmpfiles_t)
 +
 +domain_obj_id_change_exemption(systemd_tmpfiles_t)
 +
@@ -147727,7 +148230,7 @@ index db75976..ce61aed 100644
 +
 +/var/run/user(/.*)?	gen_context(system_u:object_r:user_tmp_t,s0)
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 4b2878a..730b0d4 100644
+index 4b2878a..1c1102f 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -148607,7 +149110,7 @@ index 4b2878a..730b0d4 100644
  
  	userdom_change_password_template($1)
  
-@@ -730,78 +911,86 @@ template(`userdom_login_user_template', `
+@@ -730,78 +911,89 @@ template(`userdom_login_user_template', `
  	allow $1_t self:capability { setgid chown fowner };
  	dontaudit $1_t self:capability { sys_nice fsetid };
  
@@ -148684,6 +149187,9 @@ index 4b2878a..730b0d4 100644
 +	miscfiles_exec_tetex_data($1_usertype)
 +
 +	seutil_read_config($1_usertype)
++	seutil_read_file_contexts($1_usertype)
++	seutil_read_default_contexts($1_usertype)
++	seutil_exec_setfiles($1_usertype)
  
 -	seutil_read_config($1_t)
 +	optional_policy(`
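Review bot: `seutil_exec_setfiles($1_usertype)` lets every login user type execute setfiles/restorecon, and the hunk gives no hint which use case this serves beyond the changelog's "restorecon and other login domains". Judging by the interface name this is an exec in the caller's own domain rather than a domain transition, so the relabel itself stays bounded by the relabelfrom/relabelto rights the user type already has — presumably the intent is `restorecon -R ~` on home content — and that should be stated: `# users may run restorecon on their own content; no transition, so relabeling is limited to what $1_usertype may already relabel`. If a `seutil_domtrans_setfiles` for user types exists elsewhere, the type_transition would take precedence and this rule would be moot; worth a grep before merging. The template body continues outside the hunk.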
@@ -148728,7 +149234,7 @@ index 4b2878a..730b0d4 100644
  	')
  ')
  
-@@ -833,6 +1022,9 @@ template(`userdom_restricted_user_template',`
+@@ -833,6 +1025,9 @@ template(`userdom_restricted_user_template',`
  	typeattribute $1_t unpriv_userdomain;
  	domain_interactive_fd($1_t)
  
@@ -148738,7 +149244,7 @@ index 4b2878a..730b0d4 100644
  	##############################
  	#
  	# Local policy
-@@ -874,45 +1066,118 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -874,45 +1069,118 @@ template(`userdom_restricted_xwindows_user_template',`
  	#
  
  	auth_role($1_r, $1_t)
@@ -148868,7 +149374,7 @@ index 4b2878a..730b0d4 100644
  	')
  ')
  
-@@ -947,7 +1212,7 @@ template(`userdom_unpriv_user_template', `
+@@ -947,7 +1215,7 @@ template(`userdom_unpriv_user_template', `
  	#
  
  	# Inherit rules for ordinary users.
@@ -148877,7 +149383,7 @@ index 4b2878a..730b0d4 100644
  	userdom_common_user_template($1)
  
  	##############################
-@@ -956,12 +1221,15 @@ template(`userdom_unpriv_user_template', `
+@@ -956,12 +1224,15 @@ template(`userdom_unpriv_user_template', `
  	#
  
  	# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -148895,7 +149401,7 @@ index 4b2878a..730b0d4 100644
  	files_read_kernel_symbol_table($1_t)
  
  	ifndef(`enable_mls',`
-@@ -978,23 +1246,60 @@ template(`userdom_unpriv_user_template', `
+@@ -978,23 +1249,60 @@ template(`userdom_unpriv_user_template', `
  		')
  	')
  
@@ -148965,7 +149471,7 @@ index 4b2878a..730b0d4 100644
  	')
  
  	# Run pppd in pppd_t by default for user
-@@ -1003,7 +1308,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1003,7 +1311,9 @@ template(`userdom_unpriv_user_template', `
  	')
  
  	optional_policy(`
@@ -148976,7 +149482,7 @@ index 4b2878a..730b0d4 100644
  	')
  ')
  
-@@ -1039,7 +1346,7 @@ template(`userdom_unpriv_user_template', `
+@@ -1039,7 +1349,7 @@ template(`userdom_unpriv_user_template', `
  template(`userdom_admin_user_template',`
  	gen_require(`
  		attribute admindomain;
@@ -148985,7 +149491,7 @@ index 4b2878a..730b0d4 100644
  	')
  
  	##############################
-@@ -1066,6 +1373,7 @@ template(`userdom_admin_user_template',`
+@@ -1066,6 +1376,7 @@ template(`userdom_admin_user_template',`
  	#
  
  	allow $1_t self:capability ~{ sys_module audit_control audit_write };
@@ -148993,7 +149499,7 @@ index 4b2878a..730b0d4 100644
  	allow $1_t self:process { setexec setfscreate };
  	allow $1_t self:netlink_audit_socket nlmsg_readpriv;
  	allow $1_t self:tun_socket create;
-@@ -1074,6 +1382,9 @@ template(`userdom_admin_user_template',`
+@@ -1074,6 +1385,9 @@ template(`userdom_admin_user_template',`
  	# Skip authentication when pam_rootok is specified.
  	allow $1_t self:passwd rootok;
  
@@ -149003,7 +149509,7 @@ index 4b2878a..730b0d4 100644
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
  	kernel_getattr_message_if($1_t)
-@@ -1088,6 +1399,7 @@ template(`userdom_admin_user_template',`
+@@ -1088,6 +1402,7 @@ template(`userdom_admin_user_template',`
  	kernel_sigstop_unlabeled($1_t)
  	kernel_signull_unlabeled($1_t)
  	kernel_sigchld_unlabeled($1_t)
@@ -149011,7 +149517,7 @@ index 4b2878a..730b0d4 100644
  
  	corenet_tcp_bind_generic_port($1_t)
  	# allow setting up tunnels
-@@ -1105,10 +1417,13 @@ template(`userdom_admin_user_template',`
+@@ -1105,10 +1420,13 @@ template(`userdom_admin_user_template',`
  	dev_rename_all_blk_files($1_t)
  	dev_rename_all_chr_files($1_t)
  	dev_create_generic_symlinks($1_t)
@@ -149025,7 +149531,7 @@ index 4b2878a..730b0d4 100644
  	domain_dontaudit_ptrace_all_domains($1_t)
  	# signal all domains:
  	domain_kill_all_domains($1_t)
-@@ -1119,29 +1434,38 @@ template(`userdom_admin_user_template',`
+@@ -1119,29 +1437,38 @@ template(`userdom_admin_user_template',`
  	domain_sigchld_all_domains($1_t)
  	# for lsof
  	domain_getattr_all_sockets($1_t)
@@ -149068,7 +149574,7 @@ index 4b2878a..730b0d4 100644
  
  	# The following rule is temporary until such time that a complete
  	# policy management infrastructure is in place so that an administrator
-@@ -1151,6 +1475,8 @@ template(`userdom_admin_user_template',`
+@@ -1151,6 +1478,8 @@ template(`userdom_admin_user_template',`
  	# But presently necessary for installing the file_contexts file.
  	seutil_manage_bin_policy($1_t)
  
@@ -149077,7 +149583,7 @@ index 4b2878a..730b0d4 100644
  	userdom_manage_user_home_content_dirs($1_t)
  	userdom_manage_user_home_content_files($1_t)
  	userdom_manage_user_home_content_symlinks($1_t)
-@@ -1210,6 +1536,8 @@ template(`userdom_security_admin_template',`
+@@ -1210,6 +1539,8 @@ template(`userdom_security_admin_template',`
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -149086,7 +149592,7 @@ index 4b2878a..730b0d4 100644
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1222,8 +1550,9 @@ template(`userdom_security_admin_template',`
+@@ -1222,8 +1553,9 @@ template(`userdom_security_admin_template',`
  	selinux_set_enforce_mode($1)
  	selinux_set_all_booleans($1)
  	selinux_set_parameters($1)
@@ -149097,7 +149603,7 @@ index 4b2878a..730b0d4 100644
  	auth_relabel_shadow($1)
  
  	init_exec($1)
-@@ -1234,13 +1563,24 @@ template(`userdom_security_admin_template',`
+@@ -1234,13 +1566,24 @@ template(`userdom_security_admin_template',`
  	logging_read_audit_config($1)
  
  	seutil_manage_bin_policy($1)
@@ -149126,7 +149632,7 @@ index 4b2878a..730b0d4 100644
  	')
  
  	optional_policy(`
-@@ -1251,12 +1591,12 @@ template(`userdom_security_admin_template',`
+@@ -1251,12 +1594,12 @@ template(`userdom_security_admin_template',`
  		dmesg_exec($1)
  	')
  
@@ -149142,7 +149648,7 @@ index 4b2878a..730b0d4 100644
  	')
  
  	optional_policy(`
-@@ -1279,11 +1619,60 @@ template(`userdom_security_admin_template',`
+@@ -1279,11 +1622,60 @@ template(`userdom_security_admin_template',`
  interface(`userdom_user_home_content',`
  	gen_require(`
  		type user_home_t;
@@ -149203,7 +149709,7 @@ index 4b2878a..730b0d4 100644
  	ubac_constrained($1)
  ')
  
-@@ -1395,12 +1784,32 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1395,12 +1787,32 @@ interface(`userdom_search_user_home_dirs',`
  	')
  
  	allow $1 user_home_dir_t:dir search_dir_perms;
@@ -149237,7 +149743,7 @@ index 4b2878a..730b0d4 100644
  ## </summary>
  ## <desc>
  ##	<p>
-@@ -1441,6 +1850,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1441,6 +1853,14 @@ interface(`userdom_list_user_home_dirs',`
  
  	allow $1 user_home_dir_t:dir list_dir_perms;
  	files_search_home($1)
@@ -149252,7 +149758,7 @@ index 4b2878a..730b0d4 100644
  ')
  
  ########################################
-@@ -1456,9 +1873,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1456,9 +1876,11 @@ interface(`userdom_list_user_home_dirs',`
  interface(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
  		type user_home_dir_t;
@@ -149264,7 +149770,7 @@ index 4b2878a..730b0d4 100644
  ')
  
  ########################################
-@@ -1515,6 +1934,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1515,6 +1937,42 @@ interface(`userdom_relabelto_user_home_dirs',`
  	allow $1 user_home_dir_t:dir relabelto;
  ')
  
@@ -149307,7 +149813,7 @@ index 4b2878a..730b0d4 100644
  ########################################
  ## <summary>
  ##	Create directories in the home dir root with
-@@ -1589,6 +2044,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1589,6 +2047,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
  	')
  
  	dontaudit $1 user_home_t:dir search_dir_perms;
@@ -149316,7 +149822,7 @@ index 4b2878a..730b0d4 100644
  ')
  
  ########################################
-@@ -1603,10 +2060,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1603,10 +2063,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
  #
  interface(`userdom_list_user_home_content',`
  	gen_require(`
@@ -149331,7 +149837,7 @@ index 4b2878a..730b0d4 100644
  ')
  
  ########################################
-@@ -1649,6 +2108,43 @@ interface(`userdom_delete_user_home_content_dirs',`
+@@ -1649,6 +2111,43 @@ interface(`userdom_delete_user_home_content_dirs',`
  
  ########################################
  ## <summary>
@@ -149375,7 +149881,7 @@ index 4b2878a..730b0d4 100644
  ##	Do not audit attempts to set the
  ##	attributes of user home files.
  ## </summary>
-@@ -1668,6 +2164,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1668,6 +2167,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -149401,7 +149907,7 @@ index 4b2878a..730b0d4 100644
  ##	Mmap user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1698,14 +2213,36 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1698,14 +2216,36 @@ interface(`userdom_mmap_user_home_content_files',`
  interface(`userdom_read_user_home_content_files',`
  	gen_require(`
  		type user_home_dir_t, user_home_t;
@@ -149439,7 +149945,7 @@ index 4b2878a..730b0d4 100644
  ##	Do not audit attempts to read user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1716,11 +2253,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1716,11 +2256,14 @@ interface(`userdom_read_user_home_content_files',`
  #
  interface(`userdom_dontaudit_read_user_home_content_files',`
  	gen_require(`
@@ -149457,7 +149963,7 @@ index 4b2878a..730b0d4 100644
  ')
  
  ########################################
-@@ -1779,6 +2319,60 @@ interface(`userdom_delete_user_home_content_files',`
+@@ -1779,6 +2322,60 @@ interface(`userdom_delete_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -149518,7 +150024,7 @@ index 4b2878a..730b0d4 100644
  ##	Do not audit attempts to write user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1810,8 +2404,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1810,8 +2407,7 @@ interface(`userdom_read_user_home_content_symlinks',`
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -149528,7 +150034,7 @@ index 4b2878a..730b0d4 100644
  ')
  
  ########################################
-@@ -1827,20 +2420,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1827,20 +2423,14 @@ interface(`userdom_read_user_home_content_symlinks',`
  #
  interface(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -149553,7 +150059,7 @@ index 4b2878a..730b0d4 100644
  
  ########################################
  ## <summary>
-@@ -1941,6 +2528,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
+@@ -1941,6 +2531,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
  
  ########################################
  ## <summary>
@@ -149578,7 +150084,7 @@ index 4b2878a..730b0d4 100644
  ##	Create, read, write, and delete named pipes
  ##	in a user home subdirectory.
  ## </summary>
-@@ -2008,7 +2613,7 @@ interface(`userdom_user_home_dir_filetrans',`
+@@ -2008,7 +2616,7 @@ interface(`userdom_user_home_dir_filetrans',`
  		type user_home_dir_t;
  	')
  
@@ -149587,7 +150093,7 @@ index 4b2878a..730b0d4 100644
  	files_search_home($1)
  ')
  
-@@ -2039,7 +2644,7 @@ interface(`userdom_user_home_content_filetrans',`
+@@ -2039,7 +2647,7 @@ interface(`userdom_user_home_content_filetrans',`
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -149596,7 +150102,7 @@ index 4b2878a..730b0d4 100644
  	allow $1 user_home_dir_t:dir search_dir_perms;
  	files_search_home($1)
  ')
-@@ -2158,11 +2763,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2158,11 +2766,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
  #
  interface(`userdom_read_user_tmp_files',`
  	gen_require(`
@@ -149611,7 +150117,7 @@ index 4b2878a..730b0d4 100644
  	files_search_tmp($1)
  ')
  
-@@ -2182,7 +2787,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2182,7 +2790,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -149620,7 +150126,7 @@ index 4b2878a..730b0d4 100644
  ')
  
  ########################################
-@@ -2390,7 +2995,7 @@ interface(`userdom_user_tmp_filetrans',`
+@@ -2390,7 +2998,7 @@ interface(`userdom_user_tmp_filetrans',`
  		type user_tmp_t;
  	')
  
@@ -149629,7 +150135,7 @@ index 4b2878a..730b0d4 100644
  	files_search_tmp($1)
  ')
  
-@@ -2419,6 +3024,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2419,6 +3027,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
  	files_tmp_filetrans($1, user_tmp_t, $2)
  ')
  
@@ -149655,7 +150161,7 @@ index 4b2878a..730b0d4 100644
  ########################################
  ## <summary>
  ##	Read user tmpfs files.
-@@ -2435,13 +3059,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2435,13 +3062,14 @@ interface(`userdom_read_user_tmpfs_files',`
  	')
  
  	read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -149671,7 +150177,7 @@ index 4b2878a..730b0d4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2462,7 +3087,7 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2462,7 +3090,7 @@ interface(`userdom_rw_user_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -149680,7 +150186,7 @@ index 4b2878a..730b0d4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2470,14 +3095,30 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2470,14 +3098,30 @@ interface(`userdom_rw_user_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -149715,7 +150221,7 @@ index 4b2878a..730b0d4 100644
  ')
  
  ########################################
-@@ -2572,7 +3213,7 @@ interface(`userdom_use_user_ttys',`
+@@ -2572,7 +3216,7 @@ interface(`userdom_use_user_ttys',`
  
  ########################################
  ## <summary>
@@ -149724,7 +150230,7 @@ index 4b2878a..730b0d4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2580,83 +3221,151 @@ interface(`userdom_use_user_ttys',`
+@@ -2580,83 +3224,151 @@ interface(`userdom_use_user_ttys',`
  ##	</summary>
  ## </param>
  #
@@ -149917,7 +150423,7 @@ index 4b2878a..730b0d4 100644
  	gen_require(`
  		attribute userdomain;
  	')
-@@ -2713,69 +3422,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2713,69 +3425,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
@@ -150018,7 +150524,7 @@ index 4b2878a..730b0d4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2783,12 +3491,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -2783,12 +3494,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
  ##	</summary>
  ## </param>
  #
@@ -150033,7 +150539,7 @@ index 4b2878a..730b0d4 100644
  ')
  
  ########################################
-@@ -2852,7 +3560,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2852,7 +3563,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  
  	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
  	allow unpriv_userdomain $1:fd use;
@@ -150042,7 +150548,7 @@ index 4b2878a..730b0d4 100644
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
-@@ -2868,29 +3576,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2868,29 +3579,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  #
  interface(`userdom_search_user_home_content',`
  	gen_require(`
@@ -150076,7 +150582,7 @@ index 4b2878a..730b0d4 100644
  ')
  
  ########################################
-@@ -2972,7 +3664,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -2972,7 +3667,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
  		type user_devpts_t;
  	')
  
@@ -150085,7 +150591,7 @@ index 4b2878a..730b0d4 100644
  ')
  
  ########################################
-@@ -3027,7 +3719,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3027,7 +3722,45 @@ interface(`userdom_write_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -150132,7 +150638,7 @@ index 4b2878a..730b0d4 100644
  ')
  
  ########################################
-@@ -3045,7 +3775,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
+@@ -3045,7 +3778,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
  		type user_tty_device_t;
  	')
  
@@ -150141,7 +150647,7 @@ index 4b2878a..730b0d4 100644
  ')
  
  ########################################
-@@ -3064,6 +3794,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3064,6 +3797,7 @@ interface(`userdom_read_all_users_state',`
  	')
  
  	read_files_pattern($1, userdomain, userdomain)
@@ -150149,7 +150655,7 @@ index 4b2878a..730b0d4 100644
  	kernel_search_proc($1)
  ')
  
-@@ -3140,6 +3871,42 @@ interface(`userdom_signal_all_users',`
+@@ -3140,6 +3874,42 @@ interface(`userdom_signal_all_users',`
  	allow $1 userdomain:process signal;
  ')
  
@@ -150192,7 +150698,7 @@ index 4b2878a..730b0d4 100644
  ########################################
  ## <summary>
  ##	Send a SIGCHLD signal to all user domains.
-@@ -3160,6 +3927,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3160,6 +3930,24 @@ interface(`userdom_sigchld_all_users',`
  
  ########################################
  ## <summary>
@@ -150217,7 +150723,7 @@ index 4b2878a..730b0d4 100644
  ##	Create keys for all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3194,3 +3979,1291 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3194,3 +3982,1291 @@ interface(`userdom_dbus_send_all_users',`
  
  	allow $1 userdomain:dbus send_msg;
  ')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index f6145c7..870242e 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 119%{?dist}
+Release: 120%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -490,6 +490,33 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Wed May 2 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-120
+- Add clamscan_can_scan_system boolean
+- Allow mysqld to read kernel network state
+- Allow sshd to read/write condor lib files
+- Allow sshd to read/write condor-startd tcp socket
+- Fix description on httpd_graceful_shutdown
+- Allow glance_registry to communicate with mysql
+- dbus_system_domain is using systemd to lauch applications
+- add interfaces to allow domains to send kill signals to user mail agents
+- Remove unnessary access for svirt_lxc domains, add privs for virtd_lxc_t
+- Lots of new access required for secure containers
+- Corosync needs sys_admin capability
+- ALlow colord to create shm
+- .orc should be allowed to be created by any app that can create gstream home content, thumb_t to be specific
+- Add boolean to control whether or not mozilla plugins can create random content in the users homedir
+-  Add new interface to allow domains to list msyql_db directories, needed for libra
+- shutdown has to be allowed to delete etc_runtime_t
+- Fail2ban needs to read /etc/passwd
+-  Allow ldconfig to create /var/cache/ldconfig
+- Allow tgtd to read hardware state information
+- Allow collectd to create packet socket
+- Allow chronyd to send signal to itself
+- Allow collectd to read /dev/random
+- Allow collectd to send signal to itself
+- firewalld needs to execute restorecon
+- Allow restorecon and other login domains to execute restorecon
+
 * Tue Apr 26 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-119
 - Allow logrotate to getattr on systemd unit files
 - Add support for tor systemd unit file

