[selinux-policy/f17] - Add policy for subversion daemon - Allow boinc to read passwd - Allow pads to read kernel network
Miroslav Grepl
mgrepl at fedoraproject.org
Mon May 28 11:04:34 UTC 2012
commit 4229b2ecadff15790216e5ca3451a53518c8bec6
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Mon May 28 13:04:08 2012 +0200
- Add policy for subversion daemon
- Allow boinc to read passwd
- Allow pads to read kernel network state
- Fix man2html interface for sepolgen-ifgen
- Remove extra /usr/lib/systemd/system/smb
- Remove all /lib/systemd and replace with /usr/lib/systemd
- Add policy for man2html
- Fix the label of kerberos_home_t to krb5_home_t
- Allow mozilla plugins to use Citrix
policy-F16.patch | 944 ++++++++++++++++++++++++++++++++++++---------------
selinux-policy.spec | 13 +-
2 files changed, 688 insertions(+), 269 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 7dc1bb9..e1ea92a 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -58440,10 +58440,10 @@ index 63ef90e..a535b31 100644
')
diff --git a/policy/modules/admin/alsa.fc b/policy/modules/admin/alsa.fc
-index d362d9c..bd80fc3 100644
+index d362d9c..230a2f6 100644
--- a/policy/modules/admin/alsa.fc
+++ b/policy/modules/admin/alsa.fc
-@@ -11,10 +11,15 @@ HOME_DIR/\.asoundrc -- gen_context(system_u:object_r:alsa_home_t,s0)
+@@ -11,10 +11,14 @@ HOME_DIR/\.asoundrc -- gen_context(system_u:object_r:alsa_home_t,s0)
/sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0)
/usr/bin/ainit -- gen_context(system_u:object_r:alsa_exec_t,s0)
@@ -58457,7 +58457,6 @@ index d362d9c..bd80fc3 100644
/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)
+
-+/lib/systemd/system/alsa.* -- gen_context(system_u:object_r:alsa_unit_file_t,s0)
+/usr/lib/systemd/system/alsa.* -- gen_context(system_u:object_r:alsa_unit_file_t,s0)
diff --git a/policy/modules/admin/alsa.if b/policy/modules/admin/alsa.if
index 1392679..25e02df 100644
@@ -59371,15 +59370,11 @@ index c4d8998..bd59f2e 100644
+ xserver_stream_connect(firstboot_t)
')
diff --git a/policy/modules/admin/kdump.fc b/policy/modules/admin/kdump.fc
-index c66934f..6b92a91 100644
+index c66934f..9f05409 100644
--- a/policy/modules/admin/kdump.fc
+++ b/policy/modules/admin/kdump.fc
-@@ -1,5 +1,13 @@
- /etc/kdump\.conf -- gen_context(system_u:object_r:kdump_etc_t,s0)
- /etc/rc\.d/init\.d/kdump -- gen_context(system_u:object_r:kdump_initrc_exec_t,s0)
+@@ -3,3 +3,9 @@
-+/lib/systemd/system/kdump.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
-+
/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0)
/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0)
+
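Review bot: The removed `/lib/systemd/system/kdump.*` entry was labeled `iptables_unit_file_t`, which was a mislabel for a kdump unit, and this hunk drops it without a `/usr/lib/systemd/system/kdump.*` replacement on the new side (the inner hunk shrinks from 13 to 9 lines, i.e. only the two lines are removed). Every other `.fc` hunk in this commit keeps a `/usr/lib/systemd/system/...` line with the module's own `*_unit_file_t` type. If kdump ships a systemd unit and `kdump_unit_file_t` is declared in kdump.te (outside this hunk), add `/usr/lib/systemd/system/kdump.* -- gen_context(system_u:object_r:kdump_unit_file_t,s0)`; otherwise the unit file is left with the generic systemd label and the kdump admin interface cannot be scoped to it.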
@@ -60782,15 +60777,13 @@ index 5dd42f5..b4ebb85 100644
+ dbus_connect_system_bus(quota_nld_t)
+')
diff --git a/policy/modules/admin/readahead.fc b/policy/modules/admin/readahead.fc
-index 7077413..8aa9c0e 100644
+index 7077413..0428aee 100644
--- a/policy/modules/admin/readahead.fc
+++ b/policy/modules/admin/readahead.fc
-@@ -1,3 +1,12 @@
+@@ -1,3 +1,10 @@
-/usr/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
+/dev/\.systemd/readahead(/.*)? gen_context(system_u:object_r:readahead_var_run_t,s0)
+
-+/lib/systemd/systemd-readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
-+
/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
+/usr/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
+
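Review bot: Dropping `/lib/systemd/systemd-readahead.*` leaves no visible `readahead_exec_t` label for the systemd-readahead-collect/replay binaries, because the new side of this hunk only labels `/dev/.systemd/readahead` and the `/sbin` and `/usr/sbin` paths. Unlike the other `.fc` hunks in this commit, no `/usr/lib/systemd/systemd-readahead.*` entry replaces the removed line here (the inner hunk shrinks from 12 to 10 lines). If that entry is not among the remaining new-side lines that fall outside this hunk, the binaries are executed by systemd without a domain transition into readahead_t; add `/usr/lib/systemd/systemd-readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)` unless it is already present further down the file.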
@@ -66601,6 +66594,192 @@ index 0bac996..ca2388d 100644
-userdom_use_user_terminals(lockdev_t)
+userdom_use_inherited_user_terminals(lockdev_t)
+diff --git a/policy/modules/apps/man2html.fc b/policy/modules/apps/man2html.fc
+new file mode 100644
+index 0000000..2907017
+--- /dev/null
++++ b/policy/modules/apps/man2html.fc
+@@ -0,0 +1,5 @@
++/usr/lib/man2html/cgi-bin/man/man2html -- gen_context(system_u:object_r:httpd_man2html_script_exec_t,s0)
++/usr/lib/man2html/cgi-bin/man/mansec -- gen_context(system_u:object_r:httpd_man2html_script_exec_t,s0)
++/usr/lib/man2html/cgi-bin/man/manwhatis -- gen_context(system_u:object_r:httpd_man2html_script_exec_t,s0)
++
++/var/cache/man2html(/.*)? gen_context(system_u:object_r:httpd_man2html_script_cache_t,s0)
+diff --git a/policy/modules/apps/man2html.if b/policy/modules/apps/man2html.if
+new file mode 100644
+index 0000000..68fddff
+--- /dev/null
++++ b/policy/modules/apps/man2html.if
+@@ -0,0 +1,133 @@
++
++## <summary>policy for httpd_man2html_script</summary>
++
++########################################
++## <summary>
++## Transition to httpd_man2html_script.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`httpd_man2html_script_domtrans',`
++ gen_require(`
++ type httpd_man2html_script_t, httpd_man2html_script_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, httpd_man2html_script_exec_t, httpd_man2html_script_t)
++')
++
++########################################
++## <summary>
++## Search httpd_man2html_script cache directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`httpd_man2html_script_search_cache',`
++ gen_require(`
++ type httpd_man2html_script_cache_t;
++ ')
++
++ allow $1 httpd_man2html_script_cache_t:dir search_dir_perms;
++ files_search_var($1)
++')
++
++########################################
++## <summary>
++## Read httpd_man2html_script cache files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`httpd_man2html_script_read_cache_files',`
++ gen_require(`
++ type httpd_man2html_script_cache_t;
++ ')
++
++ files_search_var($1)
++ read_files_pattern($1, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
++')
++
++########################################
++## <summary>
++## Create, read, write, and delete
++## httpd_man2html_script cache files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`httpd_man2html_script_manage_cache_files',`
++ gen_require(`
++ type httpd_man2html_script_cache_t;
++ ')
++
++ files_search_var($1)
++ manage_files_pattern($1, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
++')
++
++########################################
++## <summary>
++## Manage httpd_man2html_script cache dirs.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`httpd_man2html_script_manage_cache_dirs',`
++ gen_require(`
++ type httpd_man2html_script_cache_t;
++ ')
++
++ files_search_var($1)
++ manage_dirs_pattern($1, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
++')
++
++
++########################################
++## <summary>
++## All of the rules required to administrate
++## an httpd_man2html_script environment
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## Role allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`httpd_man2html_script_admin',`
++ gen_require(`
++ type httpd_man2html_script_t;
++ type httpd_man2html_script_cache_t;
++ ')
++
++ allow $1 httpd_man2html_script_t:process { ptrace signal_perms };
++ ps_process_pattern($1, httpd_man2html_script_t)
++
++ files_search_var($1)
++ admin_pattern($1, httpd_man2html_script_cache_t)
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
+diff --git a/policy/modules/apps/man2html.te b/policy/modules/apps/man2html.te
+new file mode 100644
+index 0000000..863c57c
+--- /dev/null
++++ b/policy/modules/apps/man2html.te
+@@ -0,0 +1,30 @@
++policy_module(man2html, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++apache_content_template(man2html)
++
++type httpd_man2html_script_cache_t;
++files_type(httpd_man2html_script_cache_t)
++
++########################################
++#
++# httpd_man2html_script local policy
++#
++
++allow httpd_man2html_script_t self:process { fork };
++
++
++manage_dirs_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
++manage_files_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
++manage_lnk_files_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
++files_var_filetrans(httpd_man2html_script_t, httpd_man2html_script_cache_t, { dir file })
++
++domain_use_interactive_fds(httpd_man2html_script_t)
++
++files_read_etc_files(httpd_man2html_script_t)
++
++miscfiles_read_localization(httpd_man2html_script_t)
diff --git a/policy/modules/apps/mono.te b/policy/modules/apps/mono.te
index dff0f12..ecab36d 100644
--- a/policy/modules/apps/mono.te
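Review bot: `httpd_man2html_script_admin` in man2html.if documents a second `role` parameter with `<rolecap/>` but its body never references `$2`, so the role is documented as getting access it is never granted; either drop the `<param name="role">` block or use `$2` the way the other admin interfaces do. The same interface grants `allow $1 httpd_man2html_script_t:process { ptrace signal_perms };`, and ptrace over a web-facing CGI domain is more than an administrator needs to stop or inspect it; `signal_perms` together with the existing `ps_process_pattern` would suffice. In man2html.te, `files_var_filetrans(httpd_man2html_script_t, httpd_man2html_script_cache_t, { dir file })` has no name filter, so any directory or file the CGI creates directly inside a `var_t`-labelled directory becomes cache-labelled, not just `/var/cache/man2html`; if this policy's `files_var_filetrans` accepts a filename argument, pass `"man2html"`, and otherwise add a comment stating that the broad transition is deliberate.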
@@ -66615,10 +66794,10 @@ index dff0f12..ecab36d 100644
init_dbus_chat_script(mono_t)
diff --git a/policy/modules/apps/mozilla.fc b/policy/modules/apps/mozilla.fc
-index 93ac529..ff22091 100644
+index 93ac529..6e03a8c 100644
--- a/policy/modules/apps/mozilla.fc
+++ b/policy/modules/apps/mozilla.fc
-@@ -1,8 +1,15 @@
+@@ -1,8 +1,16 @@
HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
@@ -66631,10 +66810,11 @@ index 93ac529..ff22091 100644
+HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.spicec(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
++HOME_DIR/\.ICAClient(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
#
# /bin
-@@ -14,16 +21,28 @@ HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+@@ -14,16 +22,28 @@ HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
/usr/bin/epiphany -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/bin/mozilla-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/bin/mozilla-bin-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
@@ -66673,7 +66853,7 @@ index 93ac529..ff22091 100644
+/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
+')
diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
-index fbb5c5a..ca297bf 100644
+index fbb5c5a..ce9aee0 100644
--- a/policy/modules/apps/mozilla.if
+++ b/policy/modules/apps/mozilla.if
@@ -29,6 +29,8 @@ interface(`mozilla_role',`
@@ -66816,7 +66996,7 @@ index fbb5c5a..ca297bf 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -279,28 +361,80 @@ interface(`mozilla_rw_tcp_sockets',`
+@@ -279,28 +361,98 @@ interface(`mozilla_rw_tcp_sockets',`
## </summary>
## </param>
#
@@ -66852,6 +67032,24 @@ index fbb5c5a..ca297bf 100644
+ dontaudit $1 mozilla_plugin_t:unix_stream_socket { read write };
+')
+
++#######################################
++## <summary>
++## Dontaudit read/write to a mozilla_plugin tmp files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`mozilla_plugin_dontaudit_rw_tmp_files',`
++ gen_require(`
++ type mozilla_plugin_tmp_t;
++ ')
++
++ dontaudit $1 mozilla_plugin_tmp_t:file { read write };
++')
++
+########################################
+## <summary>
+## Create, read, write, and delete
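Review bot: The summary of the new `mozilla_plugin_dontaudit_rw_tmp_files` interface reads `Dontaudit read/write to a mozilla_plugin tmp files`, which is the phrasing this same commit is replacing elsewhere (the filesystem.if hunks rewrite `Dontaudit ...` summaries to `Do not audit attempts to ...`). Use `## Do not audit attempts to read and write mozilla_plugin tmp files.` so the interface added here matches the convention being introduced. The rule itself, `dontaudit $1 mozilla_plugin_tmp_t:file { read write };`, is consistent with the interface name.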
@@ -66905,7 +67103,7 @@ index fbb5c5a..ca297bf 100644
')
+
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index 2e9318b..fd0d0b7 100644
+index 2e9318b..52e6751 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -12,6 +12,13 @@ policy_module(mozilla, 2.3.3)
@@ -67025,7 +67223,7 @@ index 2e9318b..fd0d0b7 100644
pulseaudio_exec(mozilla_t)
pulseaudio_stream_connect(mozilla_t)
pulseaudio_manage_home_files(mozilla_t)
-@@ -296,25 +308,33 @@ optional_policy(`
+@@ -296,25 +308,34 @@ optional_policy(`
# mozilla_plugin local policy
#
@@ -67063,11 +67261,12 @@ index 2e9318b..fd0d0b7 100644
+manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
+files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file })
+userdom_user_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file })
++xserver_xdm_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file })
+can_exec(mozilla_plugin_t, mozilla_plugin_tmp_t)
manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
-@@ -322,6 +342,10 @@ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plug
+@@ -322,6 +343,10 @@ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plug
manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
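Review bot: `xserver_xdm_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file })` does more than set the label of new objects: if the interface follows the usual `filetrans_pattern`, it also grants mozilla_plugin_t write access to `xdm_tmp_t` directories, i.e. the display manager's private `/tmp` directories, for every plugin running in that domain. Unless the observed denial needed all four classes, narrow the list to the class that was actually created (for example `sock_file` or `{ dir file }`) and put a one-line comment above it naming which plugin needs it, so the grant is not widened further later. The surrounding block of mozilla_plugin_t tmp rules starts before this hunk.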
@@ -67078,7 +67277,7 @@ index 2e9318b..fd0d0b7 100644
can_exec(mozilla_plugin_t, mozilla_exec_t)
kernel_read_kernel_sysctls(mozilla_plugin_t)
-@@ -331,22 +355,30 @@ kernel_request_load_module(mozilla_plugin_t)
+@@ -331,22 +356,30 @@ kernel_request_load_module(mozilla_plugin_t)
corecmd_exec_bin(mozilla_plugin_t)
corecmd_exec_shell(mozilla_plugin_t)
@@ -67115,7 +67314,7 @@ index 2e9318b..fd0d0b7 100644
dev_read_video_dev(mozilla_plugin_t)
dev_write_video_dev(mozilla_plugin_t)
dev_read_sysfs(mozilla_plugin_t)
-@@ -355,6 +387,7 @@ dev_write_sound(mozilla_plugin_t)
+@@ -355,6 +388,7 @@ dev_write_sound(mozilla_plugin_t)
# for nvidia driver
dev_rw_xserver_misc(mozilla_plugin_t)
dev_dontaudit_rw_dri(mozilla_plugin_t)
@@ -67123,11 +67322,12 @@ index 2e9318b..fd0d0b7 100644
domain_use_interactive_fds(mozilla_plugin_t)
domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
-@@ -362,11 +395,13 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
+@@ -362,11 +396,14 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
files_read_config_files(mozilla_plugin_t)
files_read_usr_files(mozilla_plugin_t)
files_list_mnt(mozilla_plugin_t)
+files_exec_usr_files(mozilla_plugin_t)
++fs_dontaudit_read_tmpfs_files(mozilla_plugin_t)
fs_getattr_all_fs(mozilla_plugin_t)
fs_list_dos(mozilla_plugin_t)
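Review bot: `fs_dontaudit_read_tmpfs_files(mozilla_plugin_t)` will not quiet the denial it appears to target, because the interface of that name added to filesystem.if in this same commit dontaudits `tmpfs_t:blk_file read`, not `tmpfs_t:file read`. Until that interface body is corrected to `dontaudit $1 tmpfs_t:file read;`, read attempts by mozilla_plugin_t on tmpfs files keep being audited. If block nodes on tmpfs are what was actually seen, the block-node interface added just above it in filesystem.if is the one to call instead.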
@@ -67137,7 +67337,7 @@ index 2e9318b..fd0d0b7 100644
application_dontaudit_signull(mozilla_plugin_t)
auth_use_nsswitch(mozilla_plugin_t)
-@@ -383,35 +418,26 @@ sysnet_dns_name_resolve(mozilla_plugin_t)
+@@ -383,35 +420,26 @@ sysnet_dns_name_resolve(mozilla_plugin_t)
term_getattr_all_ttys(mozilla_plugin_t)
term_getattr_all_ptys(mozilla_plugin_t)
@@ -67184,7 +67384,7 @@ index 2e9318b..fd0d0b7 100644
optional_policy(`
alsa_read_rw_config(mozilla_plugin_t)
-@@ -421,11 +447,19 @@ optional_policy(`
+@@ -421,11 +449,19 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(mozilla_plugin_t)
dbus_session_bus_client(mozilla_plugin_t)
@@ -67204,7 +67404,7 @@ index 2e9318b..fd0d0b7 100644
')
optional_policy(`
-@@ -438,18 +472,103 @@ optional_policy(`
+@@ -438,18 +474,103 @@ optional_policy(`
')
optional_policy(`
@@ -73801,7 +74001,7 @@ index 8e0f9cd..da3b374 100644
## </summary>
## <param name="domain">
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 99b71cb..048159a 100644
+index 99b71cb..c4af8e2 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -11,11 +11,15 @@ attribute netif_type;
@@ -73984,7 +74184,7 @@ index 99b71cb..048159a 100644
network_port(mpd, tcp,6600,s0)
network_port(msnp, tcp,1863,s0, udp,1863,s0)
network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
-@@ -152,61 +212,81 @@ network_port(mysqlmanagerd, tcp,2273,s0)
+@@ -152,61 +212,82 @@ network_port(mysqlmanagerd, tcp,2273,s0)
network_port(nessus, tcp,1241,s0)
network_port(netport, tcp,3129,s0, udp,3129,s0)
network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
@@ -74061,6 +74261,7 @@ index 99b71cb..048159a 100644
network_port(ssh, tcp,22,s0)
+network_port(streaming, tcp, 554, s0, udp, 554, s0, tcp, 1755, s0, udp, 1755, s0)
type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
++network_port(svn, tcp,3690,s0, udp,3690,s0)
network_port(swat, tcp,901,s0)
-network_port(syslogd, udp,514,s0)
+network_port(sype, tcp,9911,s0, udp,9911,s0)
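Review bot: `network_port(svn, tcp,3690,s0, udp,3690,s0)` labels UDP 3690 as `svn_port_t` as well, but svnserve only listens on TCP; the UDP assignment exists in the IANA registry, not in the daemon. Keeping it means any `corenet_udp_bind_svn_port`-style grant in the new subversion module (outside this hunk) binds a port nothing legitimately uses, so `network_port(svn, tcp,3690,s0)` is sufficient unless that module has a demonstrated UDP need.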
@@ -74074,7 +74275,7 @@ index 99b71cb..048159a 100644
network_port(traceroute, udp,64000-64010,s0)
network_port(transproxy, tcp,8081,s0)
network_port(ups, tcp,3493,s0)
-@@ -215,9 +295,12 @@ network_port(uucpd, tcp,540,s0)
+@@ -215,9 +296,12 @@ network_port(uucpd, tcp,540,s0)
network_port(varnishd, tcp,6081-6082,s0)
network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
network_port(virt_migration, tcp,49152-49216,s0)
@@ -74088,7 +74289,7 @@ index 99b71cb..048159a 100644
network_port(xdmcp, udp,177,s0, tcp,177,s0)
network_port(xen, tcp,8002,s0)
network_port(xfs, tcp,7100,s0)
-@@ -229,6 +312,7 @@ network_port(zookeeper_client, tcp,2181,s0)
+@@ -229,6 +313,7 @@ network_port(zookeeper_client, tcp,2181,s0)
network_port(zookeeper_election, tcp,3888,s0)
network_port(zookeeper_leader, tcp,2888,s0)
network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0)
@@ -74096,7 +74297,7 @@ index 99b71cb..048159a 100644
network_port(zope, tcp,8021,s0)
# Defaults for reserved ports. Earlier portcon entries take precedence;
-@@ -238,6 +322,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+@@ -238,6 +323,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
@@ -74109,7 +74310,7 @@ index 99b71cb..048159a 100644
########################################
#
-@@ -282,9 +372,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -282,9 +373,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
allow corenet_unconfined_type node_type:node *;
allow corenet_unconfined_type netif_type:netif *;
allow corenet_unconfined_type packet_type:packet *;
@@ -78407,7 +78608,7 @@ index cda5588..e89e4bf 100644
+/usr/lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
+/usr/lib/udev/devices/shm/.* <<none>>
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 97fcdac..b131b1b 100644
+index 97fcdac..aa54b2c 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
@@ -78480,7 +78681,7 @@ index 97fcdac..b131b1b 100644
+#######################################
+## <summary>
-+## Dontaudit search cgroup directories.
++## Do not audit attempts to search cgroup directories.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -78575,6 +78776,15 @@ index 97fcdac..b131b1b 100644
## Do not audit attempts to read all
## noxattrfs files.
## </summary>
+@@ -1245,7 +1332,7 @@ interface(`fs_append_cifs_files',`
+
+ ########################################
+ ## <summary>
+-## dontaudit Append files
++## Do not audit attempts to append files
+ ## on a CIFS filesystem.
+ ## </summary>
+ ## <param name="domain">
@@ -1265,6 +1352,42 @@ interface(`fs_dontaudit_append_cifs_files',`
########################################
@@ -78798,7 +79008,7 @@ index 97fcdac..b131b1b 100644
## Read and write hugetlbfs files.
## </summary>
## <param name="domain">
-@@ -2148,6 +2407,7 @@ interface(`fs_list_inotifyfs',`
+@@ -2148,11 +2407,12 @@ interface(`fs_list_inotifyfs',`
')
allow $1 inotifyfs_t:dir list_dir_perms;
@@ -78806,6 +79016,12 @@ index 97fcdac..b131b1b 100644
')
########################################
+ ## <summary>
+-## Dontaudit List inotifyfs filesystem.
++## Do not audit attempts to list inotifyfs filesystem.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
@@ -2480,6 +2740,7 @@ interface(`fs_read_nfs_files',`
type nfs_t;
')
@@ -78848,6 +79064,15 @@ index 97fcdac..b131b1b 100644
## Append files
## on a NFS filesystem.
## </summary>
+@@ -2564,7 +2845,7 @@ interface(`fs_append_nfs_files',`
+
+ ########################################
+ ## <summary>
+-## dontaudit Append files
++## Do not audit attempts to append files
+ ## on a NFS filesystem.
+ ## </summary>
+ ## <param name="domain">
@@ -2584,6 +2865,42 @@ interface(`fs_dontaudit_append_nfs_files',`
########################################
@@ -78900,6 +79125,15 @@ index 97fcdac..b131b1b 100644
')
########################################
+@@ -2622,7 +2939,7 @@ interface(`fs_read_nfs_symlinks',`
+
+ ########################################
+ ## <summary>
+-## Dontaudit read symbolic links on a NFS filesystem.
++## Do not audit attempts to read symbolic links on a NFS filesystem.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
@@ -2736,7 +3053,7 @@ interface(`fs_search_removable',`
## </summary>
## <param name="domain">
@@ -78992,6 +79226,33 @@ index 97fcdac..b131b1b 100644
## Allow the type to associate to ramfs filesystems.
## </summary>
## <param name="type">
+@@ -3387,7 +3743,7 @@ interface(`fs_search_ramfs',`
+
+ ########################################
+ ## <summary>
+-## Dontaudit Search directories on a ramfs
++## Do not audit attempts to search directories on a ramfs
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -3424,7 +3780,7 @@ interface(`fs_manage_ramfs_dirs',`
+
+ ########################################
+ ## <summary>
+-## Dontaudit read on a ramfs files.
++## Do not audit attempts to read on a ramfs files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -3442,7 +3798,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
+
+ ########################################
+ ## <summary>
+-## Dontaudit read on a ramfs fifo_files.
++## Do not audit attempts to read on a ramfs fifo_files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
@@ -3810,6 +4166,24 @@ interface(`fs_unmount_tmpfs',`
########################################
@@ -79094,11 +79355,20 @@ index 97fcdac..b131b1b 100644
## Read tmpfs link files.
## </summary>
## <param name="domain">
-@@ -4175,6 +4603,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -4156,7 +4584,7 @@ interface(`fs_rw_tmpfs_chr_files',`
########################################
## <summary>
-+## dontaudit Read and write block nodes on tmpfs filesystems.
+-## dontaudit Read and write character nodes on tmpfs filesystems.
++## Do not audit attempts to read and write character nodes on tmpfs filesystems.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -4175,6 +4603,42 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+
+ ########################################
+ ## <summary>
++## Do not audit attempts to dontaudit read block nodes on tmpfs filesystems.
+## </summary>
+## <param name="domain">
+## <summary>
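Review bot: The rewritten summary on the block-node interface reads `Do not audit attempts to dontaudit read block nodes on tmpfs filesystems.`, which doubles up the verb; the rest of this commit normalizes these summaries to `Do not audit attempts to <verb> ...`. The line it replaces said `Read and write block nodes`, so unless the interface body (outside this hunk) was narrowed to read only, the wording should be `## Do not audit attempts to read and write block nodes on tmpfs filesystems.`; if the body really is read-only, drop `and write` but keep the single verb.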
@@ -79116,10 +79386,28 @@ index 97fcdac..b131b1b 100644
+
+########################################
+## <summary>
++## Do not audit attempts to read files on tmpfs filesystems.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`fs_dontaudit_read_tmpfs_files',`
++ gen_require(`
++ type tmpfs_t;
++ ')
++
++ dontaudit $1 tmpfs_t:blk_file read;
++')
++
++########################################
++## <summary>
## Relabel character nodes on tmpfs filesystems.
## </summary>
## <param name="domain">
-@@ -4232,6 +4678,24 @@ interface(`fs_relabel_tmpfs_blk_file',`
+@@ -4232,6 +4696,24 @@ interface(`fs_relabel_tmpfs_blk_file',`
########################################
## <summary>
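Review bot: `fs_dontaudit_read_tmpfs_files` dontaudits `tmpfs_t:blk_file read`, which contradicts both its name and its summary (`Do not audit attempts to read files on tmpfs filesystems.`); a caller wanting to silence file reads on tmpfs, as mozilla.te does elsewhere in this commit, gets no effect from it. Change the body to `dontaudit $1 tmpfs_t:file read;` (or `read_file_perms`, mirroring `fs_read_tmpfs_files`). The block-node case appears to be covered already by the interface added immediately above this one, so this is not a needed duplicate.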
@@ -79144,7 +79432,7 @@ index 97fcdac..b131b1b 100644
## Read and write, create and delete generic
## files on tmpfs filesystems.
## </summary>
-@@ -4251,6 +4715,25 @@ interface(`fs_manage_tmpfs_files',`
+@@ -4251,6 +4733,25 @@ interface(`fs_manage_tmpfs_files',`
########################################
## <summary>
@@ -79170,7 +79458,7 @@ index 97fcdac..b131b1b 100644
## Read and write, create and delete symbolic
## links on tmpfs filesystems.
## </summary>
-@@ -4457,6 +4940,8 @@ interface(`fs_mount_all_fs',`
+@@ -4457,6 +4958,8 @@ interface(`fs_mount_all_fs',`
')
allow $1 filesystem_type:filesystem mount;
@@ -79179,7 +79467,7 @@ index 97fcdac..b131b1b 100644
')
########################################
-@@ -4503,7 +4988,7 @@ interface(`fs_unmount_all_fs',`
+@@ -4503,7 +5006,7 @@ interface(`fs_unmount_all_fs',`
## <desc>
## <p>
## Allow the specified domain to
@@ -79188,7 +79476,7 @@ index 97fcdac..b131b1b 100644
## Example attributes:
## </p>
## <ul>
-@@ -4866,3 +5351,24 @@ interface(`fs_unconfined',`
+@@ -4866,3 +5369,24 @@ interface(`fs_unconfined',`
typeattribute $1 filesystem_unconfined_type;
')
@@ -83860,15 +84148,14 @@ index e88b95f..9b6536a 100644
-#gen_user(xguest_u,, xguest_r, s0, s0)
+gen_user(xguest_u, user, xguest_r, s0, s0)
diff --git a/policy/modules/services/abrt.fc b/policy/modules/services/abrt.fc
-index 1bd5812..537d005 100644
+index 1bd5812..196cfc9 100644
--- a/policy/modules/services/abrt.fc
+++ b/policy/modules/services/abrt.fc
-@@ -1,13 +1,17 @@
+@@ -1,13 +1,16 @@
/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
-/usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
-+/lib/systemd/system/abrt.* -- gen_context(system_u:object_r:abrt_unit_file_t,s0)
+/usr/lib/systemd/system/abrt.* -- gen_context(system_u:object_r:abrt_unit_file_t,s0)
-/usr/libexec/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
@@ -83884,7 +84171,7 @@ index 1bd5812..537d005 100644
/var/cache/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
/var/cache/abrt-di(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
-@@ -15,6 +19,19 @@
+@@ -15,6 +18,19 @@
/var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0)
/var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0)
@@ -84596,11 +84883,10 @@ index 30861ec..ec4a1db 100644
+
+miscfiles_read_localization(abrt_domain)
diff --git a/policy/modules/services/accountsd.fc b/policy/modules/services/accountsd.fc
-index 1adca53..55984af 100644
+index 1adca53..18e0e41 100644
--- a/policy/modules/services/accountsd.fc
+++ b/policy/modules/services/accountsd.fc
-@@ -1,3 +1,6 @@
-+/lib/systemd/system/accountsd.* -- gen_context(system_u:object_r:accountsd_unit_file_t,s0)
+@@ -1,3 +1,5 @@
+/usr/lib/systemd/system/accountsd.* -- gen_context(system_u:object_r:accountsd_unit_file_t,s0)
+
/usr/libexec/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0)
@@ -87432,13 +87718,12 @@ index 3136c6a..044e417 100644
+')
+
diff --git a/policy/modules/services/apcupsd.fc b/policy/modules/services/apcupsd.fc
-index cd07b96..cfeb0b7 100644
+index cd07b96..f3506be 100644
--- a/policy/modules/services/apcupsd.fc
+++ b/policy/modules/services/apcupsd.fc
-@@ -1,9 +1,14 @@
+@@ -1,9 +1,13 @@
/etc/rc\.d/init\.d/apcupsd -- gen_context(system_u:object_r:apcupsd_initrc_exec_t,s0)
-+/lib/systemd/system/apcupsd.* -- gen_context(system_u:object_r:apcupsd_unit_file_t,s0)
+/usr/lib/systemd/system/apcupsd.* -- gen_context(system_u:object_r:apcupsd_unit_file_t,s0)
+
/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
@@ -87450,7 +87735,7 @@ index cd07b96..cfeb0b7 100644
/var/log/apcupsd\.events.* -- gen_context(system_u:object_r:apcupsd_log_t,s0)
/var/log/apcupsd\.status.* -- gen_context(system_u:object_r:apcupsd_log_t,s0)
-@@ -13,3 +18,4 @@
+@@ -13,3 +17,4 @@
/var/www/apcupsd/upsfstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
/var/www/apcupsd/upsimage\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
/var/www/apcupsd/upsstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
@@ -87558,11 +87843,10 @@ index d052bf0..77e6e19 100644
mta_system_content(apcupsd_tmp_t)
')
diff --git a/policy/modules/services/apm.fc b/policy/modules/services/apm.fc
-index 0123777..80ebf5e 100644
+index 0123777..f2f0c35 100644
--- a/policy/modules/services/apm.fc
+++ b/policy/modules/services/apm.fc
-@@ -1,3 +1,5 @@
-+/lib/systemd/system/apmd.* -- gen_context(system_u:object_r:apmd_unit_file_t,s0)
+@@ -1,3 +1,4 @@
+/usr/lib/systemd/system/apmd.* -- gen_context(system_u:object_r:apmd_unit_file_t,s0)
#
@@ -87781,13 +88065,12 @@ index 1c8c27e..1fbabf7 100644
')
diff --git a/policy/modules/services/arpwatch.fc b/policy/modules/services/arpwatch.fc
-index a86a6c7..9589871 100644
+index a86a6c7..ab50afe 100644
--- a/policy/modules/services/arpwatch.fc
+++ b/policy/modules/services/arpwatch.fc
-@@ -1,5 +1,8 @@
+@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/arpwatch -- gen_context(system_u:object_r:arpwatch_initrc_exec_t,s0)
-+/lib/systemd/system/arpwatch.* -- gen_context(system_u:object_r:arpwatch_unit_file_t,s0)
+/usr/lib/systemd/system/arpwatch.* -- gen_context(system_u:object_r:arpwatch_unit_file_t,s0)
+
#
@@ -88082,14 +88365,13 @@ index 2b348c7..0000000
- udev_read_db(entropyd_t)
-')
diff --git a/policy/modules/services/automount.fc b/policy/modules/services/automount.fc
-index f16ab68..c7cdabd 100644
+index f16ab68..e4178a4 100644
--- a/policy/modules/services/automount.fc
+++ b/policy/modules/services/automount.fc
-@@ -4,6 +4,9 @@
+@@ -4,6 +4,8 @@
/etc/apm/event\.d/autofs -- gen_context(system_u:object_r:automount_exec_t,s0)
/etc/rc\.d/init\.d/autofs -- gen_context(system_u:object_r:automount_initrc_exec_t,s0)
-+/lib/systemd/system/autofs.* -- gen_context(system_u:object_r:automount_unit_file_t,s0)
+/usr/lib/systemd/system/autofs.* -- gen_context(system_u:object_r:automount_unit_file_t,s0)
+
#
@@ -88231,13 +88513,12 @@ index 39799db..fe1653e 100644
')
diff --git a/policy/modules/services/avahi.fc b/policy/modules/services/avahi.fc
-index 7e36549..b85d8c5 100644
+index 7e36549..010b2bc 100644
--- a/policy/modules/services/avahi.fc
+++ b/policy/modules/services/avahi.fc
-@@ -1,5 +1,8 @@
+@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/avahi.* -- gen_context(system_u:object_r:avahi_initrc_exec_t,s0)
-+/lib/systemd/system/avahi.* -- gen_context(system_u:object_r:avahi_unit_file_t,s0)
+/usr/lib/systemd/system/avahi.* -- gen_context(system_u:object_r:avahi_unit_file_t,s0)
+
/usr/sbin/avahi-daemon -- gen_context(system_u:object_r:avahi_exec_t,s0)
@@ -88614,19 +88895,16 @@ index 0000000..7c301dc
+
+miscfiles_read_localization(bcfg2_t)
diff --git a/policy/modules/services/bind.fc b/policy/modules/services/bind.fc
-index 59aa54f..0bee346 100644
+index 59aa54f..b01072c 100644
--- a/policy/modules/services/bind.fc
+++ b/policy/modules/services/bind.fc
-@@ -4,6 +4,14 @@
+@@ -4,6 +4,11 @@
/etc/rndc.* -- gen_context(system_u:object_r:named_conf_t,s0)
/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
/etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
+/etc/unbound/.*\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+/etc/dnssec-trigger/dnssec_trigger_server\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+
-+/lib/systemd/system/unbound.* -- gen_context(system_u:object_r:named_unit_file_t,s0)
-+/lib/systemd/system/named.* -- gen_context(system_u:object_r:named_unit_file_t,s0)
-+
+/usr/lib/systemd/system/unbound.* -- gen_context(system_u:object_r:named_unit_file_t,s0)
+/usr/lib/systemd/system/named.* -- gen_context(system_u:object_r:named_unit_file_t,s0)
@@ -89230,14 +89508,13 @@ index 0000000..d5b66f6
+ gnome_search_gconf(blueman_t)
+')
diff --git a/policy/modules/services/bluetooth.fc b/policy/modules/services/bluetooth.fc
-index dc687e6..02abd9a 100644
+index dc687e6..e0255eb 100644
--- a/policy/modules/services/bluetooth.fc
+++ b/policy/modules/services/bluetooth.fc
-@@ -7,6 +7,9 @@
+@@ -7,6 +7,8 @@
/etc/rc\.d/init\.d/dund -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
/etc/rc\.d/init\.d/pand -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
-+/lib/systemd/system/bluetooth.* -- gen_context(system_u:object_r:bluetooth_unit_file_t,s0)
+/usr/lib/systemd/system/bluetooth.* -- gen_context(system_u:object_r:bluetooth_unit_file_t,s0)
+
#
@@ -89669,10 +89946,10 @@ index 0000000..9fe3f9e
+')
diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te
new file mode 100644
-index 0000000..f713e4f
+index 0000000..b1c752c
--- /dev/null
+++ b/policy/modules/services/boinc.te
-@@ -0,0 +1,188 @@
+@@ -0,0 +1,190 @@
+policy_module(boinc, 1.0.0)
+
+########################################
@@ -89796,6 +90073,8 @@ index 0000000..f713e4f
+
+files_dontaudit_getattr_boot_dirs(boinc_t)
+
++auth_read_passwd(boinc_t)
++
+term_getattr_all_ptys(boinc_t)
+term_getattr_unallocated_ttys(boinc_t)
+
@@ -91440,16 +91719,14 @@ index dad226c..59c2a27 100644
miscfiles_read_localization(cgred_t)
diff --git a/policy/modules/services/chronyd.fc b/policy/modules/services/chronyd.fc
-index fd8cd0b..83f3c9f 100644
+index fd8cd0b..f33885f 100644
--- a/policy/modules/services/chronyd.fc
+++ b/policy/modules/services/chronyd.fc
-@@ -2,8 +2,14 @@
+@@ -2,8 +2,12 @@
/etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0)
-+/lib/systemd/system/chrony.* -- gen_context(system_u:object_r:chronyd_unit_file_t,s0)
-+
-+/usr/lib/systemd/system/chronyd.* -- gen_context(system_u:object_r:chronyd_unit_file_t,s0)
++/usr/lib/systemd/system/chrony.* -- gen_context(system_u:object_r:chronyd_unit_file_t,s0)
+
/usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0)
@@ -91726,14 +92003,13 @@ index fa82327..898d0db 100644
gpsd_rw_shm(chronyd_t)
')
diff --git a/policy/modules/services/clamav.fc b/policy/modules/services/clamav.fc
-index e8e9a21..eb0b83c 100644
+index e8e9a21..22986ef 100644
--- a/policy/modules/services/clamav.fc
+++ b/policy/modules/services/clamav.fc
-@@ -8,9 +8,14 @@
+@@ -8,9 +8,13 @@
/usr/sbin/clamd -- gen_context(system_u:object_r:clamd_exec_t,s0)
/usr/sbin/clamav-milter -- gen_context(system_u:object_r:clamd_exec_t,s0)
-+/lib/systemd/system/clamd.* -- gen_context(system_u:object_r:clamd_unit_file_t,s0)
+/usr/lib/systemd/system/clamd.* -- gen_context(system_u:object_r:clamd_unit_file_t,s0)
+
/var/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0)
@@ -92507,10 +92783,10 @@ index f8463c0..126b293 100644
domain_system_change_exemption($1)
role_transition $2 cmirrord_initrc_exec_t system_r;
diff --git a/policy/modules/services/cobbler.fc b/policy/modules/services/cobbler.fc
-index 1cf6c4e..a3cb6c3 100644
+index 1cf6c4e..0858f92 100644
--- a/policy/modules/services/cobbler.fc
+++ b/policy/modules/services/cobbler.fc
-@@ -1,7 +1,37 @@
+@@ -1,7 +1,35 @@
-/etc/cobbler(/.*)? gen_context(system_u:object_r:cobbler_etc_t, s0)
-/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t, s0)
@@ -92519,8 +92795,6 @@ index 1cf6c4e..a3cb6c3 100644
+
+/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t,s0)
+
-+/lib/systemd/system/cobblerd.* -- gen_context(system_u:object_r:cobblerd_unit_file_t,s0)
-+
+/usr/lib/systemd/system/cobblerd.* -- gen_context(system_u:object_r:cobblerd_unit_file_t,s0)
+
+/usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t,s0)
@@ -93019,14 +93293,13 @@ index 0258b48..5f685a0 100644
manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
diff --git a/policy/modules/services/collectd.fc b/policy/modules/services/collectd.fc
new file mode 100644
-index 0000000..7f89824
+index 0000000..2e1007b
--- /dev/null
+++ b/policy/modules/services/collectd.fc
-@@ -0,0 +1,14 @@
+@@ -0,0 +1,13 @@
+
+/etc/rc\.d/init\.d/collectd -- gen_context(system_u:object_r:collectd_initrc_exec_t,s0)
+
-+/lib/systemd/system/collectd.* -- gen_context(system_u:object_r:collectd_unit_file_t,s0)
+/usr/lib/systemd/system/collectd.* -- gen_context(system_u:object_r:collectd_unit_file_t,s0)
+
+/usr/sbin/collectd -- gen_context(system_u:object_r:collectd_exec_t,s0)
@@ -93324,14 +93597,13 @@ index 0000000..e7ca6fc
+')
+
diff --git a/policy/modules/services/colord.fc b/policy/modules/services/colord.fc
-index 78b2fea..fe2456c 100644
+index 78b2fea..ef975ac 100644
--- a/policy/modules/services/colord.fc
+++ b/policy/modules/services/colord.fc
-@@ -1,4 +1,8 @@
+@@ -1,4 +1,7 @@
/usr/libexec/colord -- gen_context(system_u:object_r:colord_exec_t,s0)
+/usr/libexec/colord-sane -- gen_context(system_u:object_r:colord_exec_t,s0)
+
-+/lib/systemd/system/colord.* -- gen_context(system_u:object_r:colord_unit_file_t,s0)
+/usr/lib/systemd/system/colord.* -- gen_context(system_u:object_r:colord_unit_file_t,s0)
/var/lib/color(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0)
@@ -94094,11 +94366,10 @@ index 0000000..4eb7bd9
+ unconfined_domain(condor_startd_t)
+')
diff --git a/policy/modules/services/consolekit.fc b/policy/modules/services/consolekit.fc
-index 32233ab..42bce81 100644
+index 32233ab..7058d21 100644
--- a/policy/modules/services/consolekit.fc
+++ b/policy/modules/services/consolekit.fc
-@@ -1,3 +1,6 @@
-+/lib/systemd/system/console-kit.* -- gen_context(system_u:object_r:consolekit_unit_file_t,s0)
+@@ -1,3 +1,5 @@
+/usr/lib/systemd/system/console-kit.* -- gen_context(system_u:object_r:consolekit_unit_file_t,s0)
+
/usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0)
@@ -94336,14 +94607,13 @@ index e67a003..cc813f3 100644
unconfined_stream_connect(consolekit_t)
')
diff --git a/policy/modules/services/corosync.fc b/policy/modules/services/corosync.fc
-index 3a6d7eb..176271c 100644
+index 3a6d7eb..bb32bf0 100644
--- a/policy/modules/services/corosync.fc
+++ b/policy/modules/services/corosync.fc
-@@ -1,12 +1,23 @@
+@@ -1,12 +1,22 @@
/etc/rc\.d/init\.d/corosync -- gen_context(system_u:object_r:corosync_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/heartbeat -- gen_context(system_u:object_r:corosync_initrc_exec_t,s0)
+
-+/lib/systemd/system/corosync.* -- gen_context(system_u:object_r:corosync_unit_file_t,s0)
+/usr/lib/systemd/system/corosync.* -- gen_context(system_u:object_r:corosync_unit_file_t,s0)
/usr/sbin/corosync -- gen_context(system_u:object_r:corosync_exec_t,s0)
@@ -95175,21 +95445,20 @@ index 13d2f63..861fad7 100644
')
diff --git a/policy/modules/services/cron.fc b/policy/modules/services/cron.fc
-index 2eefc08..f57c986 100644
+index 2eefc08..16adc00 100644
--- a/policy/modules/services/cron.fc
+++ b/policy/modules/services/cron.fc
-@@ -2,6 +2,10 @@
-
+@@ -3,6 +3,9 @@
/etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
/etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
-+/lib/systemd/system/atd.* -- gen_context(system_u:object_r:crond_unit_file_t,s0)
-+/lib/systemd/system/crond.* -- gen_context(system_u:object_r:crond_unit_file_t,s0)
+
+/usr/lib/systemd/system/atd.* -- gen_context(system_u:object_r:crond_unit_file_t,s0)
+/usr/lib/systemd/system/crond.* -- gen_context(system_u:object_r:crond_unit_file_t,s0)
-
++
/usr/bin/at -- gen_context(system_u:object_r:crontab_exec_t,s0)
/usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0)
-@@ -11,17 +15,20 @@
+
+@@ -11,17 +14,20 @@
/usr/sbin/cron(d)? -- gen_context(system_u:object_r:crond_exec_t,s0)
/usr/sbin/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
@@ -95212,7 +95481,7 @@ index 2eefc08..f57c986 100644
#/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
/var/spool/cron/[^/]* -- <<none>>
-@@ -45,3 +52,5 @@ ifdef(`distro_suse', `
+@@ -45,3 +51,5 @@ ifdef(`distro_suse', `
/var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
@@ -98800,15 +99069,13 @@ index f231f17..f6803f2 100644
+ xserver_stream_connect(devicekit_power_t)
+')
diff --git a/policy/modules/services/dhcp.fc b/policy/modules/services/dhcp.fc
-index 767e0c7..c8306c2 100644
+index 767e0c7..9553bcf 100644
--- a/policy/modules/services/dhcp.fc
+++ b/policy/modules/services/dhcp.fc
-@@ -1,8 +1,12 @@
+@@ -1,8 +1,10 @@
-/etc/rc\.d/init\.d/dhcpd -- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/dhcpd(6)? -- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0)
+
-+/lib/systemd/system/dhcpcd.* -- gen_context(system_u:object_r:dhcpd_unit_file_t,s0)
-+
+/usr/lib/systemd/system/dhcpcd.* -- gen_context(system_u:object_r:dhcpd_unit_file_t,s0)
/usr/sbin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0)
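Review bot: The unit-file pattern kept on the new side, `/usr/lib/systemd/system/dhcpcd.*`, does not match the ISC server units that the init-script pattern `/etc/rc\.d/init\.d/dhcpd(6)?` directly above it covers: `dhcpcd` carries a `c` that `dhcpd.service`/`dhcpd6.service` do not, so those units keep the generic systemd unit label and `dhcpd_unit_file_t` is never applied to them. If the server units are intended, the line should read `/usr/lib/systemd/system/dhcpd.* -- gen_context(system_u:object_r:dhcpd_unit_file_t,s0)`; if the dhcpcd client daemon is genuinely meant, a comment saying so would keep the next reader from "fixing" it. The file continues past the hunk, so an existing `dhcpd.*` entry further down cannot be ruled out from here.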
@@ -99772,15 +100039,13 @@ index dc1056c..bd60100 100644
+
+/var/lib/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
diff --git a/policy/modules/services/dnsmasq.fc b/policy/modules/services/dnsmasq.fc
-index b886676..2b4d0f6 100644
+index b886676..3d5ca2b 100644
--- a/policy/modules/services/dnsmasq.fc
+++ b/policy/modules/services/dnsmasq.fc
-@@ -1,12 +1,16 @@
+@@ -1,12 +1,14 @@
/etc/dnsmasq\.conf -- gen_context(system_u:object_r:dnsmasq_etc_t, s0)
/etc/rc\.d/init\.d/dnsmasq -- gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0)
-+/lib/systemd/system/dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_unit_file_t,s0)
-+
+/usr/lib/systemd/system/dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_unit_file_t,s0)
+
/usr/sbin/dnsmasq -- gen_context(system_u:object_r:dnsmasq_exec_t,s0)
@@ -102095,16 +102360,15 @@ index 9b7036a..4770f61 100644
diff --git a/policy/modules/services/firewalld.fc b/policy/modules/services/firewalld.fc
new file mode 100644
-index 0000000..2920a80
+index 0000000..f440549
--- /dev/null
+++ b/policy/modules/services/firewalld.fc
-@@ -0,0 +1,14 @@
+@@ -0,0 +1,13 @@
+
+/etc/rc\.d/init\.d/firewalld -- gen_context(system_u:object_r:firewalld_initrc_exec_t,s0)
+
+/etc/firewalld(/.*)? gen_context(system_u:object_r:firewalld_etc_rw_t,s0)
+
-+/lib/systemd/system/firewalld.* -- gen_context(system_u:object_r:firewalld_unit_file_t,s0)
+/usr/lib/systemd/system/firewalld.* -- gen_context(system_u:object_r:firewalld_unit_file_t,s0)
+
+/usr/sbin/firewalld -- gen_context(system_u:object_r:firewalld_exec_t,s0)
@@ -102401,23 +102665,20 @@ index 7df52c7..26422af 100644
+ policykit_dbus_chat_auth(fprintd_t)
')
diff --git a/policy/modules/services/ftp.fc b/policy/modules/services/ftp.fc
-index 69dcd2a..030dbb6 100644
+index 69dcd2a..4d97da7 100644
--- a/policy/modules/services/ftp.fc
+++ b/policy/modules/services/ftp.fc
-@@ -6,6 +6,12 @@
+@@ -6,6 +6,9 @@
/etc/rc\.d/init\.d/vsftpd -- gen_context(system_u:object_r:ftpd_initrc_exec_t,s0)
/etc/rc\.d/init\.d/proftpd -- gen_context(system_u:object_r:ftpd_initrc_exec_t,s0)
-+/lib/systemd/system/vsftpd.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
-+/lib/systemd/system/proftpd.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
-+
+/usr/lib/systemd/system/vsftpd.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
+/usr/lib/systemd/system/proftpd.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
+
#
# /usr
#
-@@ -29,3 +35,4 @@
+@@ -29,3 +32,4 @@
/var/log/vsftpd.* -- gen_context(system_u:object_r:xferlog_t,s0)
/var/log/xferlog.* -- gen_context(system_u:object_r:xferlog_t,s0)
/var/log/xferreport.* -- gen_context(system_u:object_r:xferlog_t,s0)
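Review bot: The vsftpd and proftpd unit files on the new side are labelled `iptables_unit_file_t` (`/usr/lib/systemd/system/vsftpd.*` and `proftpd.*`), which reads like a copy-and-paste from iptables.fc rather than an ftp type; the same labelling is applied to `slapd.*` in the ldap.fc hunk and `ppp.*` in the ppp.fc hunk. With that label, any domain granted systemctl control over the iptables unit can also start, stop and manage the FTP, LDAP and PPP services, and the ftp/ldap/ppp modules' own unit-file interfaces, if any, will not cover these files. Each entry should use the owning module's unit type, e.g. `/usr/lib/systemd/system/vsftpd.* -- gen_context(system_u:object_r:ftpd_unit_file_t,s0)`, provided that type is declared in the corresponding .te file, which is outside this hunk.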
@@ -105986,7 +106247,7 @@ index 3525d24..36582cd 100644
+/var/tmp/ldap_487 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/ldap_55 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if
-index 604f67b..276cf5f 100644
+index 604f67b..ea249fa 100644
--- a/policy/modules/services/kerberos.if
+++ b/policy/modules/services/kerberos.if
@@ -26,9 +26,9 @@
@@ -106204,10 +106465,10 @@ index 604f67b..276cf5f 100644
+#
+interface(`kerberos_filetrans_admin_home_content',`
+ gen_require(`
-+ type kerberos_home_t;
++ type krb5_home_t;
+ ')
+
-+ userdom_admin_home_dir_filetrans($1, kerberos_home_t, file, ".k5login")
++ userdom_admin_home_dir_filetrans($1, krb5_home_t, file, ".k5login")
+')
+
+########################################
@@ -106222,10 +106483,10 @@ index 604f67b..276cf5f 100644
+#
+interface(`kerberos_filetrans_home_content',`
+ gen_require(`
-+ type kerberos_home_t;
++ type krb5_home_t;
+ ')
+
-+ userdom_user_home_dir_filetrans($1, kerberos_home_t, file, ".k5login")
++ userdom_user_home_dir_filetrans($1, krb5_home_t, file, ".k5login")
+')
+
+########################################
@@ -107289,10 +107550,10 @@ index 0000000..4786fde
+ ppp_kill(l2tpd_t)
+')
diff --git a/policy/modules/services/ldap.fc b/policy/modules/services/ldap.fc
-index c62f23e..276a021 100644
+index c62f23e..8b1a1dd 100644
--- a/policy/modules/services/ldap.fc
+++ b/policy/modules/services/ldap.fc
-@@ -1,6 +1,12 @@
+@@ -1,6 +1,10 @@
/etc/ldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0)
-/etc/rc\.d/init\.d/ldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
@@ -107300,13 +107561,11 @@ index c62f23e..276a021 100644
+
+/etc/rc\.d/init\.d/slapd -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
+
-+/lib/systemd/system/slapd.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
-+
+/usr/lib/systemd/system/slapd.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
/usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
-@@ -15,3 +21,4 @@ ifdef(`distro_debian',`
+@@ -15,3 +19,4 @@ ifdef(`distro_debian',`
/var/run/openldap(/.*)? gen_context(system_u:object_r:slapd_var_run_t,s0)
/var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0)
/var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0)
@@ -108033,7 +108292,7 @@ index a4f32f5..628b63c 100644
## in the caller domain.
## </summary>
diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te
-index 93c14ca..6abf078 100644
+index 93c14ca..d3d5067 100644
--- a/policy/modules/services/lpd.te
+++ b/policy/modules/services/lpd.te
@@ -6,9 +6,9 @@ policy_module(lpd, 1.12.0)
@@ -108140,7 +108399,7 @@ index 93c14ca..6abf078 100644
optional_policy(`
cups_read_config(lpr_t)
-@@ -326,5 +317,9 @@ optional_policy(`
+@@ -326,5 +317,13 @@ optional_policy(`
')
optional_policy(`
@@ -108150,6 +108409,10 @@ index 93c14ca..6abf078 100644
+optional_policy(`
logging_send_syslog_msg(lpr_t)
')
++
++optional_policy(`
++ mozilla_plugin_dontaudit_rw_tmp_files(lpr_t)
++')
diff --git a/policy/modules/services/mailman.fc b/policy/modules/services/mailman.fc
index 14ad189..c7daa85 100644
--- a/policy/modules/services/mailman.fc
@@ -108502,23 +108765,16 @@ index 0000000..5b84980
+')
diff --git a/policy/modules/services/matahari.fc b/policy/modules/services/matahari.fc
new file mode 100644
-index 0000000..8d0e555
+index 0000000..515def0
--- /dev/null
+++ b/policy/modules/services/matahari.fc
-@@ -0,0 +1,44 @@
+@@ -0,0 +1,37 @@
+/etc/rc\.d/init\.d/matahari-host -- gen_context(system_u:object_r:matahari_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/matahari-net -- gen_context(system_u:object_r:matahari_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/matahari-service -- gen_context(system_u:object_r:matahari_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/matahari-sysconfig -- gen_context(system_u:object_r:matahari_initrc_exec_t,s0)
+/etc/rc\.d/init.d/matahari-sysconfig-console -- gen_context(system_u:object_r:matahari_initrc_exec_t,s0)
+
-+/lib/systemd/system/matahari-host.* -- gen_context(system_u:object_r:matahari_hostd_unit_file_t,s0)
-+/lib/systemd/system/matahari-network.* -- gen_context(system_u:object_r:matahari_netd_unit_file_t,s0)
-+/lib/systemd/system/matahari-rpc.* -- gen_context(system_u:object_r:matahari_rpcd_unit_file_t,s0)
-+/lib/systemd/system/matahari-service.* -- gen_context(system_u:object_r:matahari_serviced_unit_file_t,s0)
-+/lib/systemd/system/matahari-sysconfig.* -- gen_context(system_u:object_r:matahari_sysconfigd_unit_file_t,s0)
-+/lib/systemd/system/matahari-sysconfig-console.* -- gen_context(system_u:object_r:matahari_sysconfigd_unit_file_t,s0)
-+
+/usr/lib/systemd/system/matahari-host.* -- gen_context(system_u:object_r:matahari_hostd_unit_file_t,s0)
+/usr/lib/systemd/system/matahari-network.* -- gen_context(system_u:object_r:matahari_netd_unit_file_t,s0)
+/usr/lib/systemd/system/matahari-rpc.* -- gen_context(system_u:object_r:matahari_rpcd_unit_file_t,s0)
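Review bot: The fifth entry, `/etc/rc\.d/init.d/matahari-sysconfig-console`, leaves the dot in `init.d` unescaped while the four entries above it use `init\.d`; file-context paths are regular expressions, so the bare dot matches any character. It is harmless in practice but inconsistent, and the same slip appears in the networkmanager.fc hunk with `/etc/wicd/wireless-settings.conf` and `wired-settings.conf`. Suggest `/etc/rc\.d/init\.d/matahari-sysconfig-console -- gen_context(system_u:object_r:matahari_initrc_exec_t,s0)` here and `\.conf` in the two wicd entries. The matahari.fc file continues beyond this hunk.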
@@ -111526,10 +111782,10 @@ index f17583b..923fdfb 100644
+ nscd_socket_use(munin_plugin_domain)
+')
diff --git a/policy/modules/services/mysql.fc b/policy/modules/services/mysql.fc
-index cc7192c..f121707 100644
+index cc7192c..cb169dc 100644
--- a/policy/modules/services/mysql.fc
+++ b/policy/modules/services/mysql.fc
-@@ -1,6 +1,16 @@
+@@ -1,6 +1,14 @@
# mysql database server
#
@@ -111538,8 +111794,6 @@ index cc7192c..f121707 100644
+HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t, s0)
+/root/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t, s0)
+
-+/lib/systemd/system/mysqld.* -- gen_context(system_u:object_r:mysqld_unit_file_t,s0)
-+
+/usr/lib/systemd/system/mysqld.* -- gen_context(system_u:object_r:mysqld_unit_file_t,s0)
+
+#
@@ -112449,10 +112703,10 @@ index 74da57f..b94bb3b 100644
/usr/sbin/nessusd -- gen_context(system_u:object_r:nessusd_exec_t,s0)
diff --git a/policy/modules/services/networkmanager.fc b/policy/modules/services/networkmanager.fc
-index 386543b..5d84233 100644
+index 386543b..8fe1d63 100644
--- a/policy/modules/services/networkmanager.fc
+++ b/policy/modules/services/networkmanager.fc
-@@ -1,6 +1,21 @@
+@@ -1,6 +1,19 @@
/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
-/etc/NetworkManager/dispatcher\.d(/.*) gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
@@ -112469,13 +112723,11 @@ index 386543b..5d84233 100644
+/etc/wicd/wireless-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
+/etc/wicd/wired-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
+
-+/lib/systemd/system/NetworkManager.* -- gen_context(system_u:object_r:NetworkManager_unit_file_t,s0)
-+
+/usr/lib/systemd/system/NetworkManager.* -- gen_context(system_u:object_r:NetworkManager_unit_file_t,s0)
/usr/libexec/nm-dispatcher.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
-@@ -12,15 +27,19 @@
+@@ -12,15 +25,19 @@
/usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
/usr/sbin/nm-system-settings -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
/usr/sbin/wicd -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
@@ -112913,7 +113165,7 @@ index 0619395..103f6f8 100644
########################################
diff --git a/policy/modules/services/nis.fc b/policy/modules/services/nis.fc
-index 15448d5..d8d7571 100644
+index 15448d5..36b45bd 100644
--- a/policy/modules/services/nis.fc
+++ b/policy/modules/services/nis.fc
@@ -1,5 +1,5 @@
@@ -112936,16 +113188,11 @@ index 15448d5..d8d7571 100644
/usr/sbin/ypserv -- gen_context(system_u:object_r:ypserv_exec_t,s0)
/var/yp(/.*)? gen_context(system_u:object_r:var_yp_t,s0)
-@@ -19,3 +20,13 @@
+@@ -19,3 +20,8 @@
/var/run/ypbind.* -- gen_context(system_u:object_r:ypbind_var_run_t,s0)
/var/run/ypserv.* -- gen_context(system_u:object_r:ypserv_var_run_t,s0)
/var/run/yppass.* -- gen_context(system_u:object_r:yppasswdd_var_run_t,s0)
+
-+/lib/systemd/system/ypbind.* -- gen_context(system_u:object_r:ypbind_unit_file_t,s0)
-+/lib/systemd/system/ypserv.* -- gen_context(system_u:object_r:nis_unit_file_t,s0)
-+/lib/systemd/system/yppasswdd.* -- gen_context(system_u:object_r:nis_unit_file_t,s0)
-+/lib/systemd/system/ypxfrd.* -- gen_context(system_u:object_r:nis_unit_file_t,s0)
-+
+/usr/lib/systemd/system/ypbind.* -- gen_context(system_u:object_r:ypbind_unit_file_t,s0)
+/usr/lib/systemd/system/ypserv.* -- gen_context(system_u:object_r:nis_unit_file_t,s0)
+/usr/lib/systemd/system/yppasswdd.* -- gen_context(system_u:object_r:nis_unit_file_t,s0)
@@ -113250,10 +113497,10 @@ index 4876cae..9f3b09b 100644
diff --git a/policy/modules/services/nova.fc b/policy/modules/services/nova.fc
new file mode 100644
-index 0000000..d4e64d8
+index 0000000..02dc6dc
--- /dev/null
+++ b/policy/modules/services/nova.fc
-@@ -0,0 +1,45 @@
+@@ -0,0 +1,32 @@
+
+/usr/bin/nova-ajax-console-proxy -- gen_context(system_u:object_r:nova_ajax_exec_t,s0)
+/usr/bin/nova-console.* -- gen_context(system_u:object_r:nova_console_exec_t,s0)
@@ -113268,19 +113515,6 @@ index 0000000..d4e64d8
+/usr/bin/nova-volume -- gen_context(system_u:object_r:nova_volume_exec_t,s0)
+/usr/bin/nova-xvpvncproxy -- gen_context(system_u:object_r:nova_vncproxy_exec_t,s0)
+
-+/lib/systemd/system/openstack-nova-ajax-console-proxy.* -- gen_context(system_u:object_r:nova_ajax_unit_file_t,s0)
-+/lib/systemd/system/openstack-nova-api.* -- gen_context(system_u:object_r:nova_api_unit_file_t,s0)
-+/lib/systemd/system/openstack-nova-cert.* -- gen_context(system_u:object_r:nova_cert_unit_file_t,s0)
-+/lib/systemd/system/openstack-nova-console.* -- gen_context(system_u:object_r:nova_console_unit_file_t,s0)
-+/lib/systemd/system/openstack-nova-direct-api.* -- gen_context(system_u:object_r:nova_direct_unit_file_t,s0)
-+/lib/systemd/system/openstack-nova-metadata-api.service.* -- gen_context(system_u:object_r:nova_api_unit_file_t,s0)
-+/lib/systemd/system/openstack-nova-network.* -- gen_context(system_u:object_r:nova_network_unit_file_t,s0)
-+/lib/systemd/system/openstack-nova-objectstore.* -- gen_context(system_u:object_r:nova_objectstore_unit_file_t,s0)
-+/lib/systemd/system/openstack-nova-scheduler.* -- gen_context(system_u:object_r:nova_scheduler_unit_file_t,s0)
-+/lib/systemd/system/openstack-nova-vncproxy.* -- gen_context(system_u:object_r:nova_vncproxy_unit_file_t,s0)
-+/lib/systemd/system/openstack-nova-xvpvncproxy.* -- gen_context(system_u:object_r:nova_vncproxy_unit_file_t,s0)
-+/lib/systemd/system/openstack-nova-volume.* -- gen_context(system_u:object_r:nova_volume_unit_file_t,s0)
-+
+/usr/lib/systemd/system/openstack-nova-ajax-console-proxy.* -- gen_context(system_u:object_r:nova_ajax_unit_file_t,s0)
+/usr/lib/systemd/system/openstack-nova-api.* -- gen_context(system_u:object_r:nova_api_unit_file_t,s0)
+/usr/lib/systemd/system/openstack-nova-cert.* -- gen_context(system_u:object_r:nova_cert_unit_file_t,s0)
@@ -114126,15 +114360,13 @@ index ded9fb6..9d1e60a 100644
manage_files_pattern(ntop_t, ntop_var_run_t, ntop_var_run_t)
files_pid_filetrans(ntop_t, ntop_var_run_t, file)
diff --git a/policy/modules/services/ntp.fc b/policy/modules/services/ntp.fc
-index e79dccc..55ad854 100644
+index e79dccc..e8d3e38 100644
--- a/policy/modules/services/ntp.fc
+++ b/policy/modules/services/ntp.fc
-@@ -10,6 +10,10 @@
+@@ -10,6 +10,8 @@
/etc/rc\.d/init\.d/ntpd -- gen_context(system_u:object_r:ntpd_initrc_exec_t,s0)
-+/lib/systemd/system/ntpd.* -- gen_context(system_u:object_r:ntpd_unit_file_t,s0)
-+
+/usr/lib/systemd/system/ntpd.* -- gen_context(system_u:object_r:ntpd_unit_file_t,s0)
+
/usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
@@ -115742,7 +115974,7 @@ index 8ac407e..45673ad 100644
admin_pattern($1, pads_config_t)
')
diff --git a/policy/modules/services/pads.te b/policy/modules/services/pads.te
-index b246bdd..84afa7a 100644
+index b246bdd..e6a686f 100644
--- a/policy/modules/services/pads.te
+++ b/policy/modules/services/pads.te
@@ -1,4 +1,4 @@
@@ -115775,7 +116007,15 @@ index b246bdd..84afa7a 100644
allow pads_t pads_config_t:file manage_file_perms;
files_etc_filetrans(pads_t, pads_config_t, file)
-@@ -48,6 +48,7 @@ corenet_tcp_connect_prelude_port(pads_t)
+@@ -37,6 +37,7 @@ allow pads_t pads_var_run_t:file manage_file_perms;
+ files_pid_filetrans(pads_t, pads_var_run_t, file)
+
+ kernel_read_sysctl(pads_t)
++kernel_read_network_state(pads_t)
+
+ corecmd_search_bin(pads_t)
+
+@@ -48,6 +49,7 @@ corenet_tcp_connect_prelude_port(pads_t)
dev_read_rand(pads_t)
dev_read_urand(pads_t)
@@ -117337,10 +117577,10 @@ index 1e7169d..67a2c44 100644
-
diff --git a/policy/modules/services/polipo.fc b/policy/modules/services/polipo.fc
new file mode 100644
-index 0000000..81419ea
+index 0000000..11f77ee
--- /dev/null
+++ b/policy/modules/services/polipo.fc
-@@ -0,0 +1,17 @@
+@@ -0,0 +1,16 @@
+HOME_DIR/\.polipo -- gen_context(system_u:object_r:polipo_config_home_t,s0)
+HOME_DIR/\.polipo-cache(/.*)? gen_context(system_u:object_r:polipo_cache_home_t,s0)
+
@@ -117348,7 +117588,6 @@ index 0000000..81419ea
+
+/etc/rc\.d/init\.d/polipo -- gen_context(system_u:object_r:polipo_initrc_exec_t,s0)
+
-+/lib/systemd/system/polipo.* -- gen_context(system_u:object_r:polipo_unit_file_t,s0)
+/usr/lib/systemd/system/polipo.* -- gen_context(system_u:object_r:polipo_unit_file_t,s0)
+
+/usr/bin/polipo -- gen_context(system_u:object_r:polipo_exec_t,s0)
@@ -119269,15 +119508,13 @@ index db843e2..4389e81 100644
type postgrey_var_lib_t;
files_type(postgrey_var_lib_t)
diff --git a/policy/modules/services/ppp.fc b/policy/modules/services/ppp.fc
-index 2d82c6d..fdee468 100644
+index 2d82c6d..ff2c96a 100644
--- a/policy/modules/services/ppp.fc
+++ b/policy/modules/services/ppp.fc
-@@ -11,19 +11,26 @@
+@@ -11,19 +11,24 @@
# Fix /etc/ppp {up,down} family scripts (see man pppd)
/etc/ppp/(auth|ip(v6|x)?)-(up|down) -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
-+/lib/systemd/system/ppp.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
-+
+/usr/lib/systemd/system/ppp.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
+
/root/.ppprc -- gen_context(system_u:object_r:pppd_etc_t,s0)
@@ -119301,7 +119538,7 @@ index 2d82c6d..fdee468 100644
#
# /var
-@@ -34,5 +41,7 @@
+@@ -34,5 +39,7 @@
# Fix pptp sockets
/var/run/pptp(/.*)? gen_context(system_u:object_r:pptp_var_run_t,s0)
@@ -123337,14 +123574,13 @@ index 93c896a..a99868e 100644
+')
diff --git a/policy/modules/services/rhev.fc b/policy/modules/services/rhev.fc
new file mode 100644
-index 0000000..cf8d6f4
+index 0000000..48beae9
--- /dev/null
+++ b/policy/modules/services/rhev.fc
-@@ -0,0 +1,9 @@
+@@ -0,0 +1,8 @@
+/usr/share/rhev-agent/rhev-agentd\.py -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0)
+/usr/share/ovirt-guest-agent -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0)
+
-+/lib/systemd/system/ovirt-guest-agent.* -- gen_context(system_u:object_r:rhev_agentd_unit_file_t,s0)
+/usr/lib/systemd/system/ovirt-guest-agent.* -- gen_context(system_u:object_r:rhev_agentd_unit_file_t,s0)
+
+/var/run/rhev-agentd\.pid -- gen_context(system_u:object_r:rhev_agentd_var_run_t,s0)
@@ -124576,23 +124812,20 @@ index 30c4b75..e07c2ff 100644
init_labeled_script_domtrans($1, roundup_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/policy/modules/services/rpc.fc b/policy/modules/services/rpc.fc
-index 5c70c0c..ce7da4f 100644
+index 5c70c0c..b0c22f7 100644
--- a/policy/modules/services/rpc.fc
+++ b/policy/modules/services/rpc.fc
-@@ -6,6 +6,12 @@
+@@ -6,6 +6,9 @@
/etc/rc\.d/init\.d/nfslock -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
/etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
-+/lib/systemd/system/nfs.* -- gen_context(system_u:object_r:nfsd_unit_file_t,s0)
-+/lib/systemd/system/rpc.* -- gen_context(system_u:object_r:rpcd_unit_file_t,s0)
-+
+/usr/lib/systemd/system/nfs.* -- gen_context(system_u:object_r:nfsd_unit_file_t,s0)
+/usr/lib/systemd/system/rpc.* -- gen_context(system_u:object_r:rpcd_unit_file_t,s0)
+
#
# /sbin
#
-@@ -15,12 +21,14 @@
+@@ -15,12 +18,14 @@
#
# /usr
#
@@ -124607,7 +124840,7 @@ index 5c70c0c..ce7da4f 100644
#
# /var
-@@ -29,3 +37,4 @@
+@@ -29,3 +34,4 @@
/var/run/rpc\.statd(/.*)? gen_context(system_u:object_r:rpcd_var_run_t,s0)
/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0)
@@ -125454,15 +125687,10 @@ index a07b2f4..36b4903 100644
+
+userdom_getattr_user_terminals(rwho_t)
diff --git a/policy/modules/services/samba.fc b/policy/modules/services/samba.fc
-index 69a6074..cd3b8b4 100644
+index 69a6074..5c02dec 100644
--- a/policy/modules/services/samba.fc
+++ b/policy/modules/services/samba.fc
-@@ -11,9 +11,13 @@
- /etc/samba/smbpasswd -- gen_context(system_u:object_r:samba_secrets_t,s0)
- /etc/samba(/.*)? gen_context(system_u:object_r:samba_etc_t,s0)
-
-+/lib/systemd/system/smb.* -- gen_context(system_u:object_r:samba_unit_file_t,s0)
-+
+@@ -14,6 +14,8 @@
#
# /usr
#
@@ -125471,7 +125699,7 @@ index 69a6074..cd3b8b4 100644
/usr/bin/net -- gen_context(system_u:object_r:samba_net_exec_t,s0)
/usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0)
/usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0)
-@@ -36,6 +40,9 @@
+@@ -36,6 +38,9 @@
/var/log/samba(/.*)? gen_context(system_u:object_r:samba_log_t,s0)
@@ -125481,7 +125709,7 @@ index 69a6074..cd3b8b4 100644
/var/run/samba/brlock\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
/var/run/samba/connections\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
/var/run/samba/gencache\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
-@@ -51,3 +58,7 @@
+@@ -51,3 +56,7 @@
/var/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
/var/spool/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
@@ -130218,6 +130446,215 @@ index f646c66..5370bb8 100644
')
+
allow stunnel_t stunnel_port_t:tcp_socket name_bind;
+diff --git a/policy/modules/services/svnserve.fc b/policy/modules/services/svnserve.fc
+new file mode 100644
+index 0000000..5ab0840
+--- /dev/null
++++ b/policy/modules/services/svnserve.fc
+@@ -0,0 +1,12 @@
++/etc/rc.d/init.d/svnserve -- gen_context(system_u:object_r:svnserve_initrc_exec_t,s0)
++
++/usr/bin/svnserve -- gen_context(system_u:object_r:svnserve_exec_t,s0)
++
++/lib/systemd/system/svnserve\.service -- gen_context(system_u:object_r:svnserve_unit_file_t,s0)
++/usr/lib/systemd/system/svnserve\.service -- gen_context(system_u:object_r:svnserve_unit_file_t,s0)
++
++/var/run/svnserve(/.*)? gen_context(system_u:object_r:svnserve_var_run_t,s0)
++/var/run/svnserve.pid -- gen_context(system_u:object_r:svnserve_var_run_t,s0)
++
++/var/subversion/repo(/.*)? gen_context(system_u:object_r:svnserve_content_t,s0)
++/var/lib/subversion/repo(/.*)? gen_context(system_u:object_r:svnserve_content_t,s0)
+diff --git a/policy/modules/services/svnserve.if b/policy/modules/services/svnserve.if
+new file mode 100644
+index 0000000..bab5617
+--- /dev/null
++++ b/policy/modules/services/svnserve.if
+@@ -0,0 +1,125 @@
++
++## <summary>policy for svnserve</summary>
++
++
++########################################
++## <summary>
++## Transition to svnserve.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`svnserve_domtrans',`
++ gen_require(`
++ type svnserve_t, svnserve_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, svnserve_exec_t, svnserve_t)
++')
++
++
++########################################
++## <summary>
++## Execute svnserve server in the svnserve domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`svnserve_initrc_domtrans',`
++ gen_require(`
++ type svnserve_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, svnserve_initrc_exec_t)
++')
++
++#######################################
++## <summary>
++## Execute svnserve server in the svnserve domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`svnserve_systemctl',`
++ gen_require(`
++ type svnserve_t;
++ type svnserve_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_read_fifo_file_password_run($1)
++ allow $1 svnserve_unit_file_t:file read_file_perms;
++ allow $1 svnserve_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, svnserve_t)
++')
++
++########################################
++## <summary>
++## Read svnserve PID files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`svnserve_read_pid_files',`
++ gen_require(`
++ type svnserve_var_run_t;
++ ')
++
++ files_search_pids($1)
++ allow $1 svnserve_var_run_t:file read_file_perms;
++')
++
++
++########################################
++## <summary>
++## All of the rules required to administrate
++## an svnserve environment
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## Role allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`svnserve_admin',`
++ gen_require(`
++ type svnserve_t;
++ type svnserve_var_run_t;
++ type svnserve_unit_file_t;
++ ')
++
++ allow $1 svnserve_t:process { ptrace signal_perms };
++ ps_process_pattern($1, svnserve_t)
++
++ files_search_pids($1)
++ admin_pattern($1, svnserve_var_run_t)
++
++ svnserve_systemctl($1)
++ admin_pattern($1, svnserve_unit_file_t)
++ allow $1 svnserve_unit_file_t:service all_service_perms;
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
++
+diff --git a/policy/modules/services/svnserve.te b/policy/modules/services/svnserve.te
+new file mode 100644
+index 0000000..df04e25
+--- /dev/null
++++ b/policy/modules/services/svnserve.te
+@@ -0,0 +1,54 @@
++policy_module(svnserve, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type svnserve_t;
++type svnserve_exec_t;
++init_daemon_domain(svnserve_t, svnserve_exec_t)
++
++type svnserve_initrc_exec_t;
++init_script_file(svnserve_initrc_exec_t)
++
++type svnserve_var_run_t;
++files_pid_file(svnserve_var_run_t)
++
++type svnserve_content_t;
++files_type(svnserve_content_t)
++
++type svnserve_unit_file_t;
++systemd_unit_file(svnserve_unit_file_t)
++
++########################################
++#
++# svnserve local policy
++#
++
++allow svnserve_t self:fifo_file rw_fifo_file_perms;
++allow svnserve_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(svnserve_t, svnserve_content_t, svnserve_content_t)
++manage_files_pattern(svnserve_t, svnserve_content_t, svnserve_content_t)
++
++manage_dirs_pattern(svnserve_t, svnserve_var_run_t, svnserve_var_run_t)
++manage_files_pattern(svnserve_t, svnserve_var_run_t, svnserve_var_run_t)
++files_pid_filetrans(svnserve_t, svnserve_var_run_t, { dir file })
++
++corenet_udp_bind_generic_node(svnserve_t)
++#corenet_tcp_connect_svn_port(svnserve_t)
++#corenet_tcp_bind_svn_port(svnserve_t)
++#corenet_udp_bind_svn_port(svnserve_t)
++
++domain_use_interactive_fds(svnserve_t)
++
++files_read_etc_files(svnserve_t)
++files_read_usr_files(svnserve_t)
++
++logging_send_syslog_msg(svnserve_t)
++
++miscfiles_read_localization(svnserve_t)
++
++sysnet_dns_name_resolve(svnserve_t)
++
diff --git a/policy/modules/services/sysstat.fc b/policy/modules/services/sysstat.fc
index 08d999c..bca4388 100644
--- a/policy/modules/services/sysstat.fc
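Review bot: svnserve.if spells the systemd password-agent interface two different ways — `systemd_read_fifo_file_password_run($1)` inside svnserve_systemctl and `systemd_read_fifo_file_passwd_run($1)` inside svnserve_admin — and only one of them can be defined in systemd.if, so the other call will fail at policy build or under sepolgen-ifgen; the two calls should be made identical (presumably `systemd_read_fifo_file_passwd_run`, which matches the `systemd_passwd_agent_exec` call beside it). svnserve.fc still labels `/lib/systemd/system/svnserve\.service` next to the `/usr/lib/systemd` entry, which contradicts the "Remove all /lib/systemd" item of this same commit and is redundant on a /usr-merged F17 system. In svnserve.te the daemon is given `corenet_udp_bind_generic_node(svnserve_t)` but no `self:tcp_socket` permission, and the `corenet_tcp_bind_svn_port` line is commented out; svnserve's standalone daemon mode listens on a TCP socket, so in enforcing mode the listen is denied until a tcp_socket rule, `corenet_tcp_bind_generic_node(svnserve_t)` and a port rule are added (if svn_port_t is not yet declared in corenetwork, declaring it is the prerequisite). The two svnserve_initrc_domtrans and svnserve_systemctl summaries are copy-pasted ("Execute svnserve server in the svnserve domain"); the latter should describe systemctl access to the unit file.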
@@ -130726,14 +131163,13 @@ index 665bf7c..55c5868 100644
+ iscsi_manage_semaphores(tgtd_t)
+')
diff --git a/policy/modules/services/tor.fc b/policy/modules/services/tor.fc
-index e2e06b2..ee50cb5 100644
+index e2e06b2..6752bc3 100644
--- a/policy/modules/services/tor.fc
+++ b/policy/modules/services/tor.fc
-@@ -4,6 +4,9 @@
+@@ -4,6 +4,8 @@
/usr/bin/tor -- gen_context(system_u:object_r:tor_exec_t,s0)
/usr/sbin/tor -- gen_context(system_u:object_r:tor_exec_t,s0)
-+/lib/systemd/system/tor.* -- gen_context(system_u:object_r:tor_unit_file_t,s0)
+/usr/lib/systemd/system/tor.* -- gen_context(system_u:object_r:tor_unit_file_t,s0)
+
/var/lib/tor(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0)
@@ -138741,7 +139177,7 @@ index dcc5f1c..5610417 100644
daemontools_manage_svc(svc_start_t)
diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
-index a97a096..368d3c2 100644
+index a97a096..e1b5cd8 100644
--- a/policy/modules/system/fstools.fc
+++ b/policy/modules/system/fstools.fc
@@ -1,4 +1,3 @@
@@ -138757,14 +139193,7 @@ index a97a096..368d3c2 100644
/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -36,12 +34,51 @@
- /sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-
-+/lib/systemd/systemd-fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+
- /usr/bin/partition_uuid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/bin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+@@ -41,7 +39,44 @@
/usr/bin/scsi_unique_id -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/bin/syslinux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
@@ -139061,7 +139490,7 @@ index 1a3d970..0995a02 100644
')
diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
-index 354ce93..c03898b 100644
+index 354ce93..abe4723 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -2,6 +2,7 @@
@@ -139072,26 +139501,19 @@ index 354ce93..c03898b 100644
/etc/rc\.d/rc -- gen_context(system_u:object_r:initrc_exec_t,s0)
/etc/rc\.d/rc\.[^/]+ -- gen_context(system_u:object_r:initrc_exec_t,s0)
-@@ -33,6 +34,18 @@ ifdef(`distro_gentoo', `
+@@ -33,6 +34,11 @@ ifdef(`distro_gentoo', `
#
# /sbin
#
+/bin/systemd -- gen_context(system_u:object_r:init_exec_t,s0)
+
+#
-+# systemd init scripts
-+#
-+/lib/systemd/[^/]* -- gen_context(system_u:object_r:init_exec_t,s0)
-+/lib/systemd/fedora[^/]* -- gen_context(system_u:object_r:initrc_exec_t,s0)
-+/lib/systemd/system-generators/[^/]* -- gen_context(system_u:object_r:init_exec_t,s0)
-+
-+#
+# /sbin
+#
/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
# because nowadays, /sbin/init is often a symlink to /sbin/upstart
/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
-@@ -50,11 +63,23 @@ ifdef(`distro_gentoo', `
+@@ -50,11 +56,23 @@ ifdef(`distro_gentoo', `
#
/usr/bin/sepg_ctl -- gen_context(system_u:object_r:initrc_exec_t,s0)
@@ -139115,7 +139537,7 @@ index 354ce93..c03898b 100644
#
# /var
-@@ -63,6 +88,7 @@ ifdef(`distro_gentoo', `
+@@ -63,6 +81,7 @@ ifdef(`distro_gentoo', `
/var/run/runlevel\.dir gen_context(system_u:object_r:initrc_var_run_t,s0)
/var/run/random-seed -- gen_context(system_u:object_r:initrc_var_run_t,s0)
/var/run/setmixer_flag -- gen_context(system_u:object_r:initrc_var_run_t,s0)
@@ -139123,7 +139545,7 @@ index 354ce93..c03898b 100644
ifdef(`distro_gentoo', `
/var/lib/init\.d(/.*)? gen_context(system_u:object_r:initrc_state_t,s0)
-@@ -76,3 +102,4 @@ ifdef(`distro_suse', `
+@@ -76,3 +95,4 @@ ifdef(`distro_suse', `
/var/run/setleds-on -- gen_context(system_u:object_r:initrc_var_run_t,s0)
/var/run/sysconfig(/.*)? gen_context(system_u:object_r:initrc_var_run_t,s0)
')
@@ -141559,25 +141981,22 @@ index 55a6cd8..02378d2 100644
+userdom_read_user_tmp_files(setkey_t)
diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
-index 05fb364..b534565 100644
+index 05fb364..5effebe 100644
--- a/policy/modules/system/iptables.fc
+++ b/policy/modules/system/iptables.fc
-@@ -1,7 +1,11 @@
+@@ -1,7 +1,8 @@
/etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/ebtables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
-/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
-/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
+/etc/rc\.d/init\.d/ebtables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
+
-+/lib/systemd/system/iptables.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
-+/lib/systemd/system/ip6tables.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
-+
+/usr/lib/systemd/system/iptables.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
+/usr/lib/systemd/system/ip6tables.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0)
/sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
-@@ -12,8 +16,15 @@
+@@ -12,8 +13,15 @@
/sbin/ipvsadm -- gen_context(system_u:object_r:iptables_exec_t,s0)
/sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
@@ -142747,26 +143166,22 @@ index a0b379d..95bf920 100644
- nscd_socket_use(sulogin_t)
-')
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
-index 02f4c97..b6abcb5 100644
+index 02f4c97..54c74fe 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
-@@ -6,6 +6,9 @@
+@@ -6,6 +6,8 @@
/etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0)
/etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
-+/lib/systemd/system/auditd.* -- gen_context(system_u:object_r:auditd_unit_file_t,s0)
+/usr/lib/systemd/system/auditd.* -- gen_context(system_u:object_r:auditd_unit_file_t,s0)
+
/sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0)
/sbin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0)
/sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0)
-@@ -17,12 +20,28 @@
+@@ -17,12 +19,25 @@
/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
-+/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0)
-+/lib/systemd/systemd-kmsg-syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
-+
+/opt/zimbra/log(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+/opt/Symantec/scspagent/IDS/system(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
@@ -142790,7 +143205,7 @@ index 02f4c97..b6abcb5 100644
/var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0)
/var/lib/r?syslog(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0)
-@@ -34,11 +53,11 @@ ifdef(`distro_suse', `
+@@ -34,11 +49,11 @@ ifdef(`distro_suse', `
/var/axfrdns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
/var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
@@ -142804,7 +143219,7 @@ index 02f4c97..b6abcb5 100644
/var/log/messages[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
/var/log/secure[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
/var/log/cron[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
-@@ -46,6 +65,7 @@ ifdef(`distro_suse', `
+@@ -46,6 +61,7 @@ ifdef(`distro_suse', `
/var/log/spooler[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
/var/log/audit(/.*)? gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
/var/log/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
@@ -142812,7 +143227,7 @@ index 02f4c97..b6abcb5 100644
ifndef(`distro_gentoo',`
/var/log/audit\.log -- gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
-@@ -54,6 +74,7 @@ ifndef(`distro_gentoo',`
+@@ -54,6 +70,7 @@ ifndef(`distro_gentoo',`
ifdef(`distro_redhat',`
/var/named/chroot/var/log -d gen_context(system_u:object_r:var_log_t,s0)
/var/named/chroot/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
@@ -142820,7 +143235,7 @@ index 02f4c97..b6abcb5 100644
')
/var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh)
-@@ -66,6 +87,7 @@ ifdef(`distro_redhat',`
+@@ -66,6 +83,7 @@ ifdef(`distro_redhat',`
/var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
/var/run/syslog-ng.ctl -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
/var/run/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0)
@@ -142828,7 +143243,7 @@ index 02f4c97..b6abcb5 100644
/var/spool/audit(/.*)? gen_context(system_u:object_r:audit_spool_t,mls_systemhigh)
/var/spool/bacula/log(/.*)? gen_context(system_u:object_r:var_log_t,s0)
-@@ -73,4 +95,9 @@ ifdef(`distro_redhat',`
+@@ -73,4 +91,9 @@ ifdef(`distro_redhat',`
/var/spool/plymouth/boot\.log gen_context(system_u:object_r:var_log_t,mls_systemhigh)
/var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,s0)
@@ -143420,15 +143835,14 @@ index b6ec597..dec9390 100644
optional_policy(`
diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
-index 879bb1e..63893d1 100644
+index 879bb1e..101d1c0 100644
--- a/policy/modules/system/lvm.fc
+++ b/policy/modules/system/lvm.fc
-@@ -28,23 +28,28 @@ ifdef(`distro_gentoo',`
+@@ -28,23 +28,27 @@ ifdef(`distro_gentoo',`
#
/lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
/lib/lvm-200/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/lib/udev/udisks-lvm-pv-export -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/lib/systemd/systemd-cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
#
# /sbin
@@ -143453,7 +143867,7 @@ index 879bb1e..63893d1 100644
/sbin/lvmiopversion -- gen_context(system_u:object_r:lvm_exec_t,s0)
/sbin/lvmsadc -- gen_context(system_u:object_r:lvm_exec_t,s0)
/sbin/lvmsar -- gen_context(system_u:object_r:lvm_exec_t,s0)
-@@ -88,8 +93,67 @@ ifdef(`distro_gentoo',`
+@@ -88,8 +92,67 @@ ifdef(`distro_gentoo',`
#
# /usr
#
@@ -143523,7 +143937,7 @@ index 879bb1e..63893d1 100644
#
# /var
-@@ -97,5 +161,7 @@ ifdef(`distro_gentoo',`
+@@ -97,5 +160,7 @@ ifdef(`distro_gentoo',`
/var/cache/multipathd(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0)
/var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0)
/var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0)
@@ -146854,10 +147268,10 @@ index 34d0ec5..92fa1e9 100644
+')
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
new file mode 100644
-index 0000000..638351c
+index 0000000..161f271
--- /dev/null
+++ b/policy/modules/system/systemd.fc
-@@ -0,0 +1,29 @@
+@@ -0,0 +1,23 @@
+/bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0)
+/bin/systemctl -- gen_context(system_u:object_r:systemd_systemctl_exec_t,s0)
+/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
@@ -146869,12 +147283,6 @@ index 0000000..638351c
+/usr/bin/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
+/usr/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
+
-+
-+/lib/systemd/system(/.*)? gen_context(system_u:object_r:systemd_unit_file_t,s0)
-+/lib/systemd/systemd-logind -- gen_context(system_u:object_r:systemd_logind_exec_t,s0)
-+/lib/systemd/systemd-logger -- gen_context(system_u:object_r:systemd_logger_exec_t,s0)
-+/lib/systemd/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
-+
+/usr/lib/systemd/system(/.*)? gen_context(system_u:object_r:systemd_unit_file_t,s0)
+/usr/lib/systemd/systemd-logind -- gen_context(system_u:object_r:systemd_logind_exec_t,s0)
+/usr/lib/systemd/systemd-logger -- gen_context(system_u:object_r:systemd_logger_exec_t,s0)
@@ -148014,7 +148422,7 @@ index 0000000..2abb18f
+
+miscfiles_read_localization(systemctl_domain)
diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
-index 0291685..2c9eba5 100644
+index 0291685..3e3668c 100644
--- a/policy/modules/system/udev.fc
+++ b/policy/modules/system/udev.fc
@@ -1,6 +1,8 @@
@@ -148043,8 +148451,6 @@ index 0291685..2c9eba5 100644
/usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0)
+/usr/bin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
+
-+/usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
-+
+/usr/sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0)
+/usr/sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0)
+/usr/sbin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
@@ -148053,8 +148459,10 @@ index 0291685..2c9eba5 100644
+/usr/sbin/udevstart -- gen_context(system_u:object_r:udev_exec_t,s0)
+/usr/sbin/wait_for_sysfs -- gen_context(system_u:object_r:udev_exec_t,s0)
+
++/usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
+/usr/lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0)
+/usr/lib/udev/udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
++
-/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
+/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index c349d66..8b41216 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 126%{?dist}
+Release: 127%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -493,6 +493,17 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Mon May 28 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-127
+- Add policy for subversion daemon
+- Allow boinc to read passwd
+- Allow pads to read kernel network state
+- Fix man2html interface for sepolgen-ifgen
+- Remove extra /usr/lib/systemd/system/smb
+- Remove all /lib/systemd and replace with /usr/lib/systemd
+- Add policy for man2html
+- Fix the label of kerberos_home_t to krb5_home_t
+- Allow mozilla plugins to use Citrix
+
* Wed May 23 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-126
- Dontaudit lpr_t to read/write leaked mozilla tmp files
- Add file name transition for .grl-podcasts directory