[selinux-policy/f18] - Add kernel_read_system_state to sandbox_client_t - Add some of the missing access to kdumpgui - Al

Miroslav Grepl mgrepl at fedoraproject.org
Mon Oct 8 16:20:00 UTC 2012


commit 8def7fd434360d6ac023785faf156e549b4f240a
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Mon Oct 8 18:19:38 2012 +0200

    - Add kernel_read_system_state to sandbox_client_t
    - Add some of the missing access to kdumpgui
    - Allow systemd_dbusd_t to status the init system
    - Allow vmnet-natd to request the kernel to load a module
    - Allow gsf-office-thum to append .cache/gdm/session.log
    - realmd wants to read .config/dconf/user
    - Firewalld wants sys_nice/setsched
    - Allow tmpreaper to delete mandb cache files
    - Firewalld wants sys_nice/setsched
    - Allow firewalld to perform  a DNS name resolution
    - Allow winbind to read /usr/share/samba/codepages/lowcase.dat
    - Add support for HTTPProxy* in /etc/freshclam.conf
    - Fix authlogin_yubike boolean
    - Extend smbd_selinux man page to include samba booleans
    - Allow dhcpc to execute consoletype
    - Allow ping to use inherited tmp files created in init scripts
    - On full relabel with unconfined domain disabled, initrc was runni
    - Allow people who delete man pages to delete mandb cache files

 policy-rawhide.patch         |  841 +++++++++++++++++++++++++++---------------
 policy_contrib-rawhide.patch |  521 ++++++++++++++++++---------
 selinux-policy.spec          |   22 +-
 3 files changed, 911 insertions(+), 473 deletions(-)
---
diff --git a/policy-rawhide.patch b/policy-rawhide.patch
index 07c17e3..36a343b 100644
--- a/policy-rawhide.patch
+++ b/policy-rawhide.patch
@@ -78418,11 +78418,10 @@ index 0000000..8436edf
 +, samba_unconfined_script_selinux(8), sambagui_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/samba_selinux.8 b/man/man8/samba_selinux.8
-deleted file mode 100644
-index ca702c7..0000000
+index ca702c7..f52d532 100644
 --- a/man/man8/samba_selinux.8
-+++ /dev/null
-@@ -1,56 +0,0 @@
++++ b/man/man8/samba_selinux.8
+@@ -1,56 +1 @@
 -.TH  "samba_selinux"  "8"  "17 Jan 2005" "dwalsh at redhat.com" "Samba Selinux Policy documentation"
 -.SH "NAME"
 -samba_selinux \- Security Enhanced Linux Policy for Samba
@@ -78479,6 +78478,7 @@ index ca702c7..0000000
 -
 -.SH "SEE ALSO"
 -selinux(8), samba(7), chcon(1), setsebool(8), semanage(8)
++.so man8/smbd_selinux.8
 diff --git a/man/man8/samba_unconfined_script_selinux.8 b/man/man8/samba_unconfined_script_selinux.8
 new file mode 100644
 index 0000000..5ee2f4c
@@ -82969,10 +82969,10 @@ index 0000000..2349e1d
 +selinux(8), smbcontrol(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/smbd_selinux.8 b/man/man8/smbd_selinux.8
 new file mode 100644
-index 0000000..5ed9df9
+index 0000000..018b887
 --- /dev/null
 +++ b/man/man8/smbd_selinux.8
-@@ -0,0 +1,323 @@
+@@ -0,0 +1,417 @@
 +.TH  "smbd_selinux"  "8"  "smbd" "dwalsh at redhat.com" "smbd SELinux Policy documentation"
 +.SH "NAME"
 +smbd_selinux \- Security Enhanced Linux Policy for the smbd processes
@@ -83010,6 +83010,94 @@ index 0000000..5ed9df9
 +.B semanage permissive -a PROCESS_TYPE 
 +can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  smbd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run smbd with the tightest access possible.
++
++
++.PP
++If you want to allow samba to export ntfs/fusefs volumes, you must turn on the samba_share_fusefs boolean.
++
++.EX
++.B setsebool -P samba_share_fusefs 1
++.EE
++
++.PP
++If you want to allow samba to share any file/directory read only, you must turn on the samba_export_all_ro boolean.
++
++.EX
++.B setsebool -P samba_export_all_ro 1
++.EE
++
++.PP
++If you want to allow confined virtual guests to manage cifs files, you must turn on the virt_use_samba boolean.
++
++.EX
++.B setsebool -P virt_use_samba 1
++.EE
++
++.PP
++If you want to allow samba to create new home directories (e.g. via PAM), you must turn on the samba_create_home_dirs boolean.
++
++.EX
++.B setsebool -P samba_create_home_dirs 1
++.EE
++
++.PP
++If you want to allow samba to share users home directories, you must turn on the samba_enable_home_dirs boolean.
++
++.EX
++.B setsebool -P samba_enable_home_dirs 1
++.EE
++
++.PP
++If you want to allow samba to export NFS volumes, you must turn on the samba_share_nfs boolean.
++
++.EX
++.B setsebool -P samba_share_nfs 1
++.EE
++
++.PP
++If you want to allow sanlock to manage cifs files, you must turn on the sanlock_use_samba boolean.
++
++.EX
++.B setsebool -P sanlock_use_samba 1
++.EE
++
++.PP
++If you want to allow samba to run unconfined scripts, you must turn on the samba_run_unconfined boolean.
++
++.EX
++.B setsebool -P samba_run_unconfined 1
++.EE
++
++.PP
++If you want to allow samba to act as the domain controller, add users, groups and change passwords, you must turn on the samba_domain_controller boolean.
++
++.EX
++.B setsebool -P samba_domain_controller 1
++.EE
++
++.PP
++If you want to allow samba to share any file/directory read/write, you must turn on the samba_export_all_rw boolean.
++
++.EX
++.B setsebool -P samba_export_all_rw 1
++.EE
++
++.PP
++If you want to allow samba to act as a portmapper, you must turn on the samba_portmapper boolean.
++
++.EX
++.B setsebool -P samba_portmapper 1
++.EE
++
++.PP
++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean.
++
++.EX
++.B setsebool -P use_samba_home_dirs 1
++.EE
++
 +.SH SHARING FILES
 +If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t.  These context allow any of the above domains to read the content.  If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.
 +.TP
@@ -83036,6 +83124,13 @@ index 0000000..5ed9df9
 +.B setsebool -P smbd_anon_write 1
 +.EE
 +
++.PP
++If you want to allow samba to modify public files used for public file transfer services.  Files/Directories must be labeled public_content_rw_t., you must turn on the smbd_anon_write boolean.
++
++.EX
++.B setsebool -P smbd_anon_write 1
++.EE
++
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
 +.PP
@@ -83078,10 +83173,6 @@ index 0000000..5ed9df9
 +
 +- Set files with the smbd_var_run_t type, if you want to store the smbd files under the /run directory.
 +
-+.br
-+.TP 5
-+Paths: 
-+/var/run/samba/gencache\.tdb, /var/run/samba/share_info\.tdb, /var/run/samba(/.*)?, /var/run/samba/locking\.tdb, /var/run/samba/connections\.tdb, /var/run/samba/smbd\.pid, /var/run/samba/sessionid\.tdb, /var/run/samba/brlock\.tdb
 +
 +.PP
 +Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the 
@@ -83286,6 +83377,9 @@ index 0000000..5ed9df9
 +.B semanage port
 +can also be used to manipulate the port definitions
 +
++.B semanage boolean
++can also be used to manipulate the booleans
++
 +.PP
 +.B system-config-selinux 
 +is a GUI tool available to customize SELinux policy settings.
@@ -83295,7 +83389,7 @@ index 0000000..5ed9df9
 +
 +.SH "SEE ALSO"
 +selinux(8), smbd(8), semanage(8), restorecon(8), chcon(1)
-+, smbcontrol_selinux(8), smbmount_selinux(8)
++, setsebool(8)
 \ No newline at end of file
 diff --git a/man/man8/smbmount_selinux.8 b/man/man8/smbmount_selinux.8
 new file mode 100644
@@ -107677,7 +107771,7 @@ index c6ca761..0c86bfd 100644
  ')
  
 diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
-index e0791b9..fd2a633 100644
+index e0791b9..94024ca 100644
 --- a/policy/modules/admin/netutils.te
 +++ b/policy/modules/admin/netutils.te
 @@ -7,10 +7,10 @@ policy_module(netutils, 1.11.0)
@@ -107750,17 +107844,21 @@ index e0791b9..fd2a633 100644
  corenet_all_recvfrom_netlabel(ping_t)
  corenet_tcp_sendrecv_generic_if(ping_t)
  corenet_raw_sendrecv_generic_if(ping_t)
-@@ -132,9 +137,6 @@ auth_use_nsswitch(ping_t)
+@@ -130,11 +135,9 @@ kernel_read_system_state(ping_t)
  
- logging_send_syslog_msg(ping_t)
+ auth_use_nsswitch(ping_t)
  
--miscfiles_read_localization(ping_t)
+-logging_send_syslog_msg(ping_t)
 -
+-miscfiles_read_localization(ping_t)
++init_rw_inherited_script_tmp_files(ping_t)
+ 
 -userdom_use_user_terminals(ping_t)
++logging_send_syslog_msg(ping_t)
  
  ifdef(`hide_broken_symptoms',`
  	init_dontaudit_use_fds(ping_t)
-@@ -145,11 +147,25 @@ ifdef(`hide_broken_symptoms',`
+@@ -145,11 +148,25 @@ ifdef(`hide_broken_symptoms',`
  	')
  ')
  
@@ -107786,7 +107884,7 @@ index e0791b9..fd2a633 100644
  	pcmcia_use_cardmgr_fds(ping_t)
  ')
  
-@@ -157,6 +173,14 @@ optional_policy(`
+@@ -157,6 +174,14 @@ optional_policy(`
  	hotplug_use_fds(ping_t)
  ')
  
@@ -107801,7 +107899,7 @@ index e0791b9..fd2a633 100644
  ########################################
  #
  # Traceroute local policy
-@@ -170,7 +194,6 @@ allow traceroute_t self:udp_socket create_socket_perms;
+@@ -170,7 +195,6 @@ allow traceroute_t self:udp_socket create_socket_perms;
  kernel_read_system_state(traceroute_t)
  kernel_read_network_state(traceroute_t)
  
@@ -107809,7 +107907,7 @@ index e0791b9..fd2a633 100644
  corenet_all_recvfrom_netlabel(traceroute_t)
  corenet_tcp_sendrecv_generic_if(traceroute_t)
  corenet_udp_sendrecv_generic_if(traceroute_t)
-@@ -194,6 +217,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
+@@ -194,6 +218,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
  domain_use_interactive_fds(traceroute_t)
  
  files_read_etc_files(traceroute_t)
@@ -107817,7 +107915,7 @@ index e0791b9..fd2a633 100644
  files_dontaudit_search_var(traceroute_t)
  
  init_use_fds(traceroute_t)
-@@ -202,11 +226,17 @@ auth_use_nsswitch(traceroute_t)
+@@ -202,11 +227,17 @@ auth_use_nsswitch(traceroute_t)
  
  logging_send_syslog_msg(traceroute_t)
  
@@ -113910,7 +114008,7 @@ index 8796ca3..8bcfe59 100644
 +/nsr(/.*)?			gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?			gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index e1e814d..8e5d231 100644
+index e1e814d..5060977 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
 @@ -55,6 +55,7 @@
@@ -114366,33 +114464,50 @@ index e1e814d..8e5d231 100644
  ')
  
  ########################################
-@@ -3382,7 +3655,7 @@ interface(`files_rw_isid_type_blk_files',`
+@@ -3135,8 +3408,8 @@ interface(`files_delete_isid_type_dirs',`
  
  ########################################
  ## <summary>
--##	Create, read, write, and delete block device nodes
-+##	rw any files inherited from another process
- ##	on new filesystems that have not yet been labeled.
+-##	Create, read, write, and delete directories
+-##	on new filesystems that have not yet been labeled.
++##	Relabelfrom all file opbjects on new filesystems
++##	that have not yet been labeled.
  ## </summary>
  ## <param name="domain">
-@@ -3391,17 +3664,36 @@ interface(`files_rw_isid_type_blk_files',`
+ ##	<summary>
+@@ -3144,7 +3417,26 @@ interface(`files_delete_isid_type_dirs',`
  ##	</summary>
  ## </param>
  #
--interface(`files_manage_isid_type_blk_files',`
-+interface(`files_rw_inherited_isid_type_files',`
+-interface(`files_manage_isid_type_dirs',`
++interface(`files_relabelfrom_isid_type',`
++	gen_require(`
++		type file_t;
++	')
++
++	dontaudit $1 file_t:dir_file_class_set relabelfrom;
++')
++
++########################################
++## <summary>
++##	Create, read, write, and delete directories
++##	on new filesystems that have not yet been labeled.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_manage_isid_type_dirs',`
  	gen_require(`
  		type file_t;
  	')
- 
--	allow $1 file_t:blk_file manage_blk_file_perms;
-+	allow $1 file_t:file rw_inherited_file_perms;
- ')
+@@ -3382,6 +3674,25 @@ interface(`files_rw_isid_type_blk_files',`
  
  ########################################
  ## <summary>
--##	Create, read, write, and delete character device nodes
-+##	Create, read, write, and delete block device nodes
++##	rw any files inherited from another process
 +##	on new filesystems that have not yet been labeled.
 +## </summary>
 +## <param name="domain">
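Review bot: The new interface `files_relabelfrom_isid_type` only suppresses the denial (`dontaudit $1 file_t:dir_file_class_set relabelfrom;`) and grants nothing, yet its name and summary read like an allow rule, so a caller will believe it has been given relabelfrom on unlabeled file_t objects. The file's own convention for suppression-only interfaces, visible further down in `files_dontaudit_list_tmp`, is a `dontaudit_` infix, so this should be `interface(`files_dontaudit_relabelfrom_isid_type',` with a summary starting `Do not audit attempts to relabel from all file objects on new filesystems that have not yet been labeled.` (also fixing the `opbjects` typo). Hiding relabelfrom denials on not-yet-labeled files can mask a relabel that is silently failing, so if the suppression is deliberate the summary should say why rather than imply an allow.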
@@ -114401,21 +114516,20 @@ index e1e814d..8e5d231 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`files_manage_isid_type_blk_files',`
++interface(`files_rw_inherited_isid_type_files',`
 +	gen_require(`
 +		type file_t;
 +	')
 +
-+	allow $1 file_t:blk_file manage_blk_file_perms;
++	allow $1 file_t:file rw_inherited_file_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Create, read, write, and delete character device nodes
+ ##	Create, read, write, and delete block device nodes
  ##	on new filesystems that have not yet been labeled.
  ## </summary>
- ## <param name="domain">
-@@ -3723,20 +4015,38 @@ interface(`files_list_mnt',`
+@@ -3723,20 +4034,38 @@ interface(`files_list_mnt',`
  
  ######################################
  ## <summary>
@@ -114459,7 +114573,7 @@ index e1e814d..8e5d231 100644
  ')
  
  ########################################
-@@ -4126,6 +4436,127 @@ interface(`files_read_world_readable_sockets',`
+@@ -4126,6 +4455,127 @@ interface(`files_read_world_readable_sockets',`
  	allow $1 readable_t:sock_file read_sock_file_perms;
  ')
  
@@ -114587,7 +114701,7 @@ index e1e814d..8e5d231 100644
  ########################################
  ## <summary>
  ##	Allow the specified type to associate
-@@ -4148,6 +4579,26 @@ interface(`files_associate_tmp',`
+@@ -4148,6 +4598,26 @@ interface(`files_associate_tmp',`
  
  ########################################
  ## <summary>
@@ -114614,7 +114728,7 @@ index e1e814d..8e5d231 100644
  ##	Get the	attributes of the tmp directory (/tmp).
  ## </summary>
  ## <param name="domain">
-@@ -4161,6 +4612,7 @@ interface(`files_getattr_tmp_dirs',`
+@@ -4161,6 +4631,7 @@ interface(`files_getattr_tmp_dirs',`
  		type tmp_t;
  	')
  
@@ -114622,7 +114736,7 @@ index e1e814d..8e5d231 100644
  	allow $1 tmp_t:dir getattr;
  ')
  
-@@ -4171,7 +4623,7 @@ interface(`files_getattr_tmp_dirs',`
+@@ -4171,7 +4642,7 @@ interface(`files_getattr_tmp_dirs',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -114631,7 +114745,7 @@ index e1e814d..8e5d231 100644
  ##	</summary>
  ## </param>
  #
-@@ -4198,6 +4650,7 @@ interface(`files_search_tmp',`
+@@ -4198,6 +4669,7 @@ interface(`files_search_tmp',`
  		type tmp_t;
  	')
  
@@ -114639,7 +114753,7 @@ index e1e814d..8e5d231 100644
  	allow $1 tmp_t:dir search_dir_perms;
  ')
  
-@@ -4234,6 +4687,7 @@ interface(`files_list_tmp',`
+@@ -4234,6 +4706,7 @@ interface(`files_list_tmp',`
  		type tmp_t;
  	')
  
@@ -114647,7 +114761,7 @@ index e1e814d..8e5d231 100644
  	allow $1 tmp_t:dir list_dir_perms;
  ')
  
-@@ -4243,7 +4697,7 @@ interface(`files_list_tmp',`
+@@ -4243,7 +4716,7 @@ interface(`files_list_tmp',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -114656,7 +114770,7 @@ index e1e814d..8e5d231 100644
  ##	</summary>
  ## </param>
  #
-@@ -4255,6 +4709,25 @@ interface(`files_dontaudit_list_tmp',`
+@@ -4255,6 +4728,25 @@ interface(`files_dontaudit_list_tmp',`
  	dontaudit $1 tmp_t:dir list_dir_perms;
  ')
  
@@ -114682,7 +114796,7 @@ index e1e814d..8e5d231 100644
  ########################################
  ## <summary>
  ##	Remove entries from the tmp directory.
-@@ -4270,6 +4743,7 @@ interface(`files_delete_tmp_dir_entry',`
+@@ -4270,6 +4762,7 @@ interface(`files_delete_tmp_dir_entry',`
  		type tmp_t;
  	')
  
@@ -114690,7 +114804,7 @@ index e1e814d..8e5d231 100644
  	allow $1 tmp_t:dir del_entry_dir_perms;
  ')
  
-@@ -4311,6 +4785,32 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -4311,6 +4804,32 @@ interface(`files_manage_generic_tmp_dirs',`
  
  ########################################
  ## <summary>
@@ -114723,7 +114837,7 @@ index e1e814d..8e5d231 100644
  ##	Manage temporary files and directories in /tmp.
  ## </summary>
  ## <param name="domain">
-@@ -4365,6 +4865,42 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4365,6 +4884,42 @@ interface(`files_rw_generic_tmp_sockets',`
  
  ########################################
  ## <summary>
@@ -114766,7 +114880,7 @@ index e1e814d..8e5d231 100644
  ##	Set the attributes of all tmp directories.
  ## </summary>
  ## <param name="domain">
-@@ -4383,6 +4919,42 @@ interface(`files_setattr_all_tmp_dirs',`
+@@ -4383,6 +4938,42 @@ interface(`files_setattr_all_tmp_dirs',`
  
  ########################################
  ## <summary>
@@ -114809,7 +114923,7 @@ index e1e814d..8e5d231 100644
  ##	List all tmp directories.
  ## </summary>
  ## <param name="domain">
-@@ -4428,7 +5000,7 @@ interface(`files_relabel_all_tmp_dirs',`
+@@ -4428,7 +5019,7 @@ interface(`files_relabel_all_tmp_dirs',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -114818,7 +114932,7 @@ index e1e814d..8e5d231 100644
  ##	</summary>
  ## </param>
  #
-@@ -4488,7 +5060,7 @@ interface(`files_relabel_all_tmp_files',`
+@@ -4488,7 +5079,7 @@ interface(`files_relabel_all_tmp_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -114827,7 +114941,7 @@ index e1e814d..8e5d231 100644
  ##	</summary>
  ## </param>
  #
-@@ -4573,6 +5145,16 @@ interface(`files_purge_tmp',`
+@@ -4573,6 +5164,16 @@ interface(`files_purge_tmp',`
  	delete_lnk_files_pattern($1, tmpfile, tmpfile)
  	delete_fifo_files_pattern($1, tmpfile, tmpfile)
  	delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -114844,7 +114958,7 @@ index e1e814d..8e5d231 100644
  ')
  
  ########################################
-@@ -5150,6 +5732,24 @@ interface(`files_list_var',`
+@@ -5150,6 +5751,24 @@ interface(`files_list_var',`
  
  ########################################
  ## <summary>
@@ -114869,7 +114983,7 @@ index e1e814d..8e5d231 100644
  ##	Create, read, write, and delete directories
  ##	in the /var directory.
  ## </summary>
-@@ -5505,6 +6105,25 @@ interface(`files_read_var_lib_symlinks',`
+@@ -5505,6 +6124,25 @@ interface(`files_read_var_lib_symlinks',`
  	read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
  ')
  
@@ -114895,7 +115009,7 @@ index e1e814d..8e5d231 100644
  # cjp: the next two interfaces really need to be fixed
  # in some way.  They really neeed their own types.
  
-@@ -5550,7 +6169,7 @@ interface(`files_manage_mounttab',`
+@@ -5550,7 +6188,7 @@ interface(`files_manage_mounttab',`
  
  ########################################
  ## <summary>
@@ -114904,7 +115018,7 @@ index e1e814d..8e5d231 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5558,12 +6177,13 @@ interface(`files_manage_mounttab',`
+@@ -5558,12 +6196,13 @@ interface(`files_manage_mounttab',`
  ##	</summary>
  ## </param>
  #
@@ -114920,7 +115034,7 @@ index e1e814d..8e5d231 100644
  ')
  
  ########################################
-@@ -5581,6 +6201,7 @@ interface(`files_search_locks',`
+@@ -5581,6 +6220,7 @@ interface(`files_search_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -114928,7 +115042,7 @@ index e1e814d..8e5d231 100644
  	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
  	search_dirs_pattern($1, var_t, var_lock_t)
  ')
-@@ -5607,7 +6228,7 @@ interface(`files_dontaudit_search_locks',`
+@@ -5607,7 +6247,7 @@ interface(`files_dontaudit_search_locks',`
  
  ########################################
  ## <summary>
@@ -114937,7 +115051,7 @@ index e1e814d..8e5d231 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5615,13 +6236,12 @@ interface(`files_dontaudit_search_locks',`
+@@ -5615,13 +6255,12 @@ interface(`files_dontaudit_search_locks',`
  ##	</summary>
  ## </param>
  #
@@ -114954,7 +115068,7 @@ index e1e814d..8e5d231 100644
  ')
  
  ########################################
-@@ -5640,7 +6260,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5640,7 +6279,7 @@ interface(`files_rw_lock_dirs',`
  		type var_t, var_lock_t;
  	')
  
@@ -114963,7 +115077,7 @@ index e1e814d..8e5d231 100644
  	rw_dirs_pattern($1, var_t, var_lock_t)
  ')
  
-@@ -5673,7 +6293,6 @@ interface(`files_create_lock_dirs',`
+@@ -5673,7 +6312,6 @@ interface(`files_create_lock_dirs',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -114971,7 +115085,7 @@ index e1e814d..8e5d231 100644
  #
  interface(`files_relabel_all_lock_dirs',`
  	gen_require(`
-@@ -5701,8 +6320,7 @@ interface(`files_getattr_generic_locks',`
+@@ -5701,8 +6339,7 @@ interface(`files_getattr_generic_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -114981,7 +115095,7 @@ index e1e814d..8e5d231 100644
  	allow $1 var_lock_t:dir list_dir_perms;
  	getattr_files_pattern($1, var_lock_t, var_lock_t)
  ')
-@@ -5718,13 +6336,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5718,13 +6355,12 @@ interface(`files_getattr_generic_locks',`
  ## </param>
  #
  interface(`files_delete_generic_locks',`
@@ -114999,7 +115113,7 @@ index e1e814d..8e5d231 100644
  ')
  
  ########################################
-@@ -5743,8 +6360,7 @@ interface(`files_manage_generic_locks',`
+@@ -5743,8 +6379,7 @@ interface(`files_manage_generic_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -115009,7 +115123,7 @@ index e1e814d..8e5d231 100644
  	manage_files_pattern($1, var_lock_t, var_lock_t)
  ')
  
-@@ -5786,8 +6402,7 @@ interface(`files_read_all_locks',`
+@@ -5786,8 +6421,7 @@ interface(`files_read_all_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -115019,7 +115133,7 @@ index e1e814d..8e5d231 100644
  	allow $1 lockfile:dir list_dir_perms;
  	read_files_pattern($1, lockfile, lockfile)
  	read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5809,8 +6424,7 @@ interface(`files_manage_all_locks',`
+@@ -5809,8 +6443,7 @@ interface(`files_manage_all_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -115029,7 +115143,7 @@ index e1e814d..8e5d231 100644
  	manage_dirs_pattern($1, lockfile, lockfile)
  	manage_files_pattern($1, lockfile, lockfile)
  	manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5847,8 +6461,7 @@ interface(`files_lock_filetrans',`
+@@ -5847,8 +6480,7 @@ interface(`files_lock_filetrans',`
  		type var_t, var_lock_t;
  	')
  
@@ -115039,7 +115153,7 @@ index e1e814d..8e5d231 100644
  	filetrans_pattern($1, var_lock_t, $2, $3, $4)
  ')
  
-@@ -5911,6 +6524,43 @@ interface(`files_search_pids',`
+@@ -5911,6 +6543,43 @@ interface(`files_search_pids',`
  	search_dirs_pattern($1, var_t, var_run_t)
  ')
  
@@ -115083,7 +115197,7 @@ index e1e814d..8e5d231 100644
  ########################################
  ## <summary>
  ##	Do not audit attempts to search
-@@ -5933,6 +6583,25 @@ interface(`files_dontaudit_search_pids',`
+@@ -5933,6 +6602,25 @@ interface(`files_dontaudit_search_pids',`
  
  ########################################
  ## <summary>
@@ -115109,7 +115223,7 @@ index e1e814d..8e5d231 100644
  ##	List the contents of the runtime process
  ##	ID directories (/var/run).
  ## </summary>
-@@ -6048,7 +6717,6 @@ interface(`files_pid_filetrans',`
+@@ -6048,7 +6736,6 @@ interface(`files_pid_filetrans',`
  	')
  
  	allow $1 var_t:dir search_dir_perms;
@@ -115117,7 +115231,7 @@ index e1e814d..8e5d231 100644
  	filetrans_pattern($1, var_run_t, $2, $3, $4)
  ')
  
-@@ -6157,6 +6825,116 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -6157,6 +6844,116 @@ interface(`files_dontaudit_ioctl_all_pids',`
  
  ########################################
  ## <summary>
@@ -115234,7 +115348,7 @@ index e1e814d..8e5d231 100644
  ##	Read all process ID files.
  ## </summary>
  ## <param name="domain">
-@@ -6169,12 +6947,67 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -6169,12 +6966,67 @@ interface(`files_dontaudit_ioctl_all_pids',`
  interface(`files_read_all_pids',`
  	gen_require(`
  		attribute pidfile;
@@ -115304,7 +115418,7 @@ index e1e814d..8e5d231 100644
  ')
  
  ########################################
-@@ -6245,6 +7078,90 @@ interface(`files_delete_all_pid_dirs',`
+@@ -6245,6 +7097,90 @@ interface(`files_delete_all_pid_dirs',`
  
  ########################################
  ## <summary>
@@ -115395,7 +115509,7 @@ index e1e814d..8e5d231 100644
  ##	Search the contents of generic spool
  ##	directories (/var/spool).
  ## </summary>
-@@ -6467,3 +7384,439 @@ interface(`files_unconfined',`
+@@ -6467,3 +7403,439 @@ interface(`files_unconfined',`
  
  	typeattribute $1 files_unconfined_type;
  ')
@@ -122200,7 +122314,7 @@ index 078bcd7..84ad865 100644
 +/root/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
 +/root/\.shosts				gen_context(system_u:object_r:ssh_home_t,s0)
 diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
-index fe0c682..3aefa0f 100644
+index fe0c682..0d14717 100644
 --- a/policy/modules/services/ssh.if
 +++ b/policy/modules/services/ssh.if
 @@ -32,10 +32,11 @@
@@ -122793,7 +122907,7 @@ index fe0c682..3aefa0f 100644
 +		type sshd_devpts_t;
 +	')
 +
-+	allow $1 sshd_devpts_t:chr_file { getattr read write ioctl };
++	allow $1 sshd_devpts_t:chr_file { getattr open read write ioctl };
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
 index b17e27a..ebd4d95 100644
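Review bot: Adding `open` to `allow $1 sshd_devpts_t:chr_file { getattr open read write ioctl };` changes what this interface grants: without `open` the caller could only use a pty descriptor it inherited from sshd, with it the caller can open any sshd_devpts_t pty by path, including ptys of other users' sessions. If the caller only needs the inherited terminal, the previous set should stay (refpolicy's `rw_inherited_term_perms` expresses exactly that, mirroring the `rw_inherited_file_perms` split this patch already uses elsewhere); if path-based open is genuinely required, use `rw_term_perms` and state the widening in the interface summary, which together with the interface name sits outside this hunk. Either way, prefer the permission-set macro over a hand-written list so the inherited-versus-open intent is visible to the next reader.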
@@ -124792,7 +124906,7 @@ index 130ced9..af3532c 100644
 +	files_search_tmp($1)
 +')
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index d40f750..d75a97c 100644
+index d40f750..8e37e5c 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
 @@ -26,27 +26,50 @@ gen_require(`
@@ -125464,7 +125578,7 @@ index d40f750..d75a97c 100644
  ')
  
  optional_policy(`
-@@ -514,12 +733,64 @@ optional_policy(`
+@@ -514,12 +733,65 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -125514,6 +125628,7 @@ index d40f750..d75a97c 100644
  ')
  
  optional_policy(`
++	gnome_stream_connect_gkeyringd(xdm_t)
 +	gnome_exec_keyringd(xdm_t)
 +	gnome_manage_config(xdm_t)
 +	gnome_manage_gconf_home_files(xdm_t)
@@ -125529,7 +125644,7 @@ index d40f750..d75a97c 100644
  	hostname_exec(xdm_t)
  ')
  
-@@ -537,28 +808,74 @@ optional_policy(`
+@@ -537,28 +809,74 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -125613,7 +125728,7 @@ index d40f750..d75a97c 100644
  ')
  
  optional_policy(`
-@@ -570,6 +887,14 @@ optional_policy(`
+@@ -570,6 +888,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -125628,7 +125743,7 @@ index d40f750..d75a97c 100644
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -594,8 +919,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -594,8 +920,11 @@ allow xserver_t input_xevent_t:x_event send;
  # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
@@ -125641,7 +125756,7 @@ index d40f750..d75a97c 100644
  allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow xserver_t self:fd use;
  allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -608,8 +936,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -608,8 +937,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -125657,7 +125772,7 @@ index d40f750..d75a97c 100644
  manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -628,12 +963,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -628,12 +964,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -125679,7 +125794,7 @@ index d40f750..d75a97c 100644
  
  kernel_read_system_state(xserver_t)
  kernel_read_device_sysctls(xserver_t)
-@@ -641,12 +983,12 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -641,12 +984,12 @@ kernel_read_modprobe_sysctls(xserver_t)
  # Xorg wants to check if kernel is tainted
  kernel_read_kernel_sysctls(xserver_t)
  kernel_write_proc_files(xserver_t)
@@ -125693,7 +125808,7 @@ index d40f750..d75a97c 100644
  corenet_all_recvfrom_netlabel(xserver_t)
  corenet_tcp_sendrecv_generic_if(xserver_t)
  corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -667,23 +1009,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -667,23 +1010,28 @@ dev_rw_apm_bios(xserver_t)
  dev_rw_agp(xserver_t)
  dev_rw_framebuffer(xserver_t)
  dev_manage_dri_dev(xserver_t)
@@ -125725,7 +125840,7 @@ index d40f750..d75a97c 100644
  
  # brought on by rhgb
  files_search_mnt(xserver_t)
-@@ -694,8 +1041,13 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -694,8 +1042,13 @@ fs_getattr_xattr_fs(xserver_t)
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -125739,7 +125854,7 @@ index d40f750..d75a97c 100644
  
  selinux_validate_context(xserver_t)
  selinux_compute_access_vector(xserver_t)
-@@ -708,20 +1060,18 @@ init_getpgid(xserver_t)
+@@ -708,20 +1061,18 @@ init_getpgid(xserver_t)
  term_setattr_unallocated_ttys(xserver_t)
  term_use_unallocated_ttys(xserver_t)
  
@@ -125763,7 +125878,7 @@ index d40f750..d75a97c 100644
  
  userdom_search_user_home_dirs(xserver_t)
  userdom_use_user_ttys(xserver_t)
-@@ -775,16 +1125,40 @@ optional_policy(`
+@@ -775,16 +1126,40 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -125805,7 +125920,7 @@ index d40f750..d75a97c 100644
  	unconfined_domtrans(xserver_t)
  ')
  
-@@ -793,6 +1167,10 @@ optional_policy(`
+@@ -793,6 +1168,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -125816,7 +125931,7 @@ index d40f750..d75a97c 100644
  	xfs_stream_connect(xserver_t)
  ')
  
-@@ -808,10 +1186,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -808,10 +1187,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
  
  # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
  # handle of a file inside the dir!!!
@@ -125830,7 +125945,7 @@ index d40f750..d75a97c 100644
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -819,7 +1197,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -819,7 +1198,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  
  # Run xkbcomp.
@@ -125839,7 +125954,7 @@ index d40f750..d75a97c 100644
  can_exec(xserver_t, xkb_var_lib_t)
  
  # VNC v4 module in X server
-@@ -832,26 +1210,21 @@ init_use_fds(xserver_t)
+@@ -832,26 +1211,21 @@ init_use_fds(xserver_t)
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -125874,7 +125989,7 @@ index d40f750..d75a97c 100644
  ')
  
  optional_policy(`
-@@ -859,6 +1232,10 @@ optional_policy(`
+@@ -859,6 +1233,10 @@ optional_policy(`
  	rhgb_rw_tmpfs_files(xserver_t)
  ')
  
@@ -125885,7 +126000,7 @@ index d40f750..d75a97c 100644
  ########################################
  #
  # Rules common to all X window domains
-@@ -902,7 +1279,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -902,7 +1280,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
  allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
  # operations allowed on my windows
  allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -125894,7 +126009,7 @@ index d40f750..d75a97c 100644
  # operations allowed on all windows
  allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
  
-@@ -956,11 +1333,31 @@ allow x_domain self:x_resource { read write };
+@@ -956,11 +1334,31 @@ allow x_domain self:x_resource { read write };
  # can mess with the screensaver
  allow x_domain xserver_t:x_screen { getattr saver_getattr };
  
@@ -125926,7 +126041,7 @@ index d40f750..d75a97c 100644
  tunable_policy(`! xserver_object_manager',`
  	# should be xserver_unconfined(x_domain),
  	# but typeattribute doesnt work in conditionals
-@@ -982,18 +1379,44 @@ tunable_policy(`! xserver_object_manager',`
+@@ -982,18 +1380,44 @@ tunable_policy(`! xserver_object_manager',`
  	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
  ')
  
@@ -126187,7 +126302,7 @@ index 28ad538..df78158 100644
 -/var/run/user(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
  /var/(db|lib|adm)/sudo(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)
 diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index f416ce9..02cd20f 100644
+index f416ce9..372a87c 100644
 --- a/policy/modules/system/authlogin.if
 +++ b/policy/modules/system/authlogin.if
 @@ -23,11 +23,17 @@ interface(`auth_role',`
@@ -126238,140 +126353,71 @@ index f416ce9..02cd20f 100644
  ')
  
  ########################################
-@@ -95,9 +114,13 @@ interface(`auth_use_pam',`
+@@ -95,48 +114,21 @@ interface(`auth_use_pam',`
  interface(`auth_login_pgm_domain',`
  	gen_require(`
  		type var_auth_t, auth_cache_t;
 +		attribute polydomain;
++		attribute login_pgm;
 +		type auth_home_t;
  	')
  
  	domain_type($1)
 +	typeattribute $1 polydomain;
++	typeattribute $1 login_pgm;
 +
  	domain_subj_id_change_exemption($1)
  	domain_role_change_exemption($1)
  	domain_obj_id_change_exemption($1)
-@@ -105,14 +128,17 @@ interface(`auth_login_pgm_domain',`
- 
- 	# Needed for pam_selinux_permit to cleanup properly
- 	domain_read_all_domains_state($1)
-+	corecmd_getattr_all_executables($1)
- 	domain_kill_all_domains($1)
- 
- 	# pam_keyring
- 	allow $1 self:capability ipc_lock;
- 	allow $1 self:process setkeycreate;
- 	allow $1 self:key manage_key_perms;
-+	userdom_manage_all_users_keys($1)
- 
- 	files_list_var_lib($1)
-+	manage_dirs_pattern($1, var_auth_t, var_auth_t)
- 	manage_files_pattern($1, var_auth_t, var_auth_t)
- 
- 	manage_dirs_pattern($1, auth_cache_t, auth_cache_t)
-@@ -120,16 +146,31 @@ interface(`auth_login_pgm_domain',`
- 	manage_sock_files_pattern($1, auth_cache_t, auth_cache_t)
- 	files_var_filetrans($1, auth_cache_t, dir)
- 
-+	manage_dirs_pattern($1, auth_home_t, auth_home_t)
-+	manage_files_pattern($1, auth_home_t, auth_home_t)
-+	auth_filetrans_admin_home_content($1)
-+	auth_filetrans_home_content($1)
-+
- 	# needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321
- 	kernel_rw_afs_state($1)
-+	kernel_search_network_sysctl($1)
-+
-+	tunable_policy(`authlogin_radius',`
-+		corenet_udp_bind_all_unreserved_ports($1)
-+	')
-+	corenet_tcp_connect_pki_ca_port($1)
- 
- 	# for fingerprint readers
- 	dev_rw_input_dev($1)
- 	dev_rw_generic_usb_dev($1)
+ 	role system_r types $1;
  
+-	# Needed for pam_selinux_permit to cleanup properly
+-	domain_read_all_domains_state($1)
+-	domain_kill_all_domains($1)
+-
+-	# pam_keyring
+-	allow $1 self:capability ipc_lock;
+-	allow $1 self:process setkeycreate;
+-	allow $1 self:key manage_key_perms;
+-
+-	files_list_var_lib($1)
+-	manage_files_pattern($1, var_auth_t, var_auth_t)
+-
+-	manage_dirs_pattern($1, auth_cache_t, auth_cache_t)
+-	manage_files_pattern($1, auth_cache_t, auth_cache_t)
+-	manage_sock_files_pattern($1, auth_cache_t, auth_cache_t)
+-	files_var_filetrans($1, auth_cache_t, dir)
+-
+-	# needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321
+-	kernel_rw_afs_state($1)
+-
+-	# for fingerprint readers
+-	dev_rw_input_dev($1)
+-	dev_rw_generic_usb_dev($1)
+-
 -	files_read_etc_files($1)
-+	files_read_config_files($1)
- 
- 	fs_list_auto_mountpoints($1)
-+	fs_manage_cgroup_dirs($1)
-+	fs_manage_cgroup_files($1)
-+	fs_read_ecryptfs_symlinks($1)
-+	fs_read_ecryptfs_files($1)
- 
+-
+-	fs_list_auto_mountpoints($1)
+-
  	selinux_get_fs_mount($1)
- 	selinux_validate_context($1)
-@@ -145,6 +186,8 @@ interface(`auth_login_pgm_domain',`
- 	mls_process_set_level($1)
+-	selinux_validate_context($1)
+-	selinux_compute_access_vector($1)
+-	selinux_compute_create_context($1)
+-	selinux_compute_relabel_context($1)
+-	selinux_compute_user_contexts($1)
+ 
+ 	mls_file_read_all_levels($1)
+ 	mls_file_write_all_levels($1)
+@@ -146,18 +138,43 @@ interface(`auth_login_pgm_domain',`
  	mls_fd_share_all_levels($1)
  
-+	auth_manage_faillog($1)
-+	auth_manage_pam_pid($1)
  	auth_use_pam($1)
- 
- 	init_rw_utmp($1)
-@@ -153,11 +196,95 @@ interface(`auth_login_pgm_domain',`
- 	logging_set_tty_audit($1)
- 
- 	seutil_read_config($1)
-+	seutil_read_login_config($1)
- 	seutil_read_default_contexts($1)
- 
--	tunable_policy(`allow_polyinstantiation',`
--		files_polyinstantiate_all($1)
-+	systemd_login_read_pid_files($1)
-+
-+	userdom_set_rlimitnh($1)
-+	userdom_read_user_home_content_symlinks($1)
-+	userdom_delete_user_tmp_files($1)
-+	userdom_search_admin_dir($1)
-+	userdom_stream_connect($1)
-+	userdom_manage_user_tmp_dirs($1)
-+	userdom_manage_user_tmp_files($1)
-+
-+	optional_policy(`
-+		afs_rw_udp_sockets($1)
-+	')
-+
-+	optional_policy(`
-+		kerberos_read_config($1)
-+	')
-+
-+	optional_policy(`
-+		oddjob_dbus_chat($1)
-+		oddjob_domtrans_mkhomedir($1)
-+	')
-+
-+	optional_policy(`
-+		openct_stream_connect($1)
-+		openct_signull($1)
-+		openct_read_pid_files($1)
-+	')
-+
-+	optional_policy(`
-+		corecmd_exec_bin($1)
-+		storage_getattr_fixed_disk_dev($1)
-+		mount_domtrans($1)
-+		mount_domtrans_ecryptmount($1)
-+	')
-+
-+	optional_policy(`
-+		fprintd_dbus_chat($1)
-+	')
-+
-+	optional_policy(`
-+		# allow execute tmux
-+		screen_exec($1)
-+	')
-+
-+	optional_policy(`
-+		ssh_agent_exec($1)
-+		ssh_read_user_home_files($1)
-+	')
 +')
-+
+ 
+-	init_rw_utmp($1)
+-
+-	logging_set_loginuid($1)
+-	logging_set_tty_audit($1)
 +########################################
 +## <summary>
 +##	Read authlogin state files.
@@ -126386,11 +126432,15 @@ index f416ce9..02cd20f 100644
 +	gen_require(`
 +		attribute polydomain;
 +	')
-+
+ 
+-	seutil_read_config($1)
+-	seutil_read_default_contexts($1)
 +	kernel_search_proc($1)
 +	ps_process_pattern($1, polydomain)
 +')
-+
+ 
+-	tunable_policy(`allow_polyinstantiation',`
+-		files_polyinstantiate_all($1)
 +########################################
 +## <summary>
 +##	Read and write a authlogin unnamed pipe.
@@ -126410,7 +126460,7 @@ index f416ce9..02cd20f 100644
  ')
  
  ########################################
-@@ -231,6 +358,25 @@ interface(`auth_domtrans_login_program',`
+@@ -231,6 +248,25 @@ interface(`auth_domtrans_login_program',`
  
  ########################################
  ## <summary>
@@ -126436,7 +126486,7 @@ index f416ce9..02cd20f 100644
  ##	Execute a login_program in the target domain,
  ##	with a range transition.
  ## </summary>
-@@ -395,13 +541,15 @@ interface(`auth_domtrans_chk_passwd',`
+@@ -395,13 +431,15 @@ interface(`auth_domtrans_chk_passwd',`
  	')
  
  	optional_policy(`
@@ -126453,7 +126503,7 @@ index f416ce9..02cd20f 100644
  ')
  
  ########################################
-@@ -448,6 +596,25 @@ interface(`auth_run_chk_passwd',`
+@@ -448,6 +486,25 @@ interface(`auth_run_chk_passwd',`
  
  	auth_domtrans_chk_passwd($1)
  	role $2 types chkpwd_t;
@@ -126479,7 +126529,7 @@ index f416ce9..02cd20f 100644
  ')
  
  ########################################
-@@ -467,7 +634,6 @@ interface(`auth_domtrans_upd_passwd',`
+@@ -467,7 +524,6 @@ interface(`auth_domtrans_upd_passwd',`
  
  	domtrans_pattern($1, updpwd_exec_t, updpwd_t)
  	auth_dontaudit_read_shadow($1)
@@ -126487,7 +126537,7 @@ index f416ce9..02cd20f 100644
  ')
  
  ########################################
-@@ -664,6 +830,10 @@ interface(`auth_manage_shadow',`
+@@ -664,6 +720,10 @@ interface(`auth_manage_shadow',`
  
  	allow $1 shadow_t:file manage_file_perms;
  	typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
@@ -126498,7 +126548,7 @@ index f416ce9..02cd20f 100644
  ')
  
  #######################################
-@@ -763,7 +933,50 @@ interface(`auth_rw_faillog',`
+@@ -763,7 +823,50 @@ interface(`auth_rw_faillog',`
  	')
  
  	logging_search_logs($1)
@@ -126550,7 +126600,7 @@ index f416ce9..02cd20f 100644
  ')
  
  #######################################
-@@ -826,7 +1039,7 @@ interface(`auth_rw_lastlog',`
+@@ -826,7 +929,7 @@ interface(`auth_rw_lastlog',`
  
  ########################################
  ## <summary>
@@ -126559,7 +126609,7 @@ index f416ce9..02cd20f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -834,12 +1047,27 @@ interface(`auth_rw_lastlog',`
+@@ -834,12 +937,27 @@ interface(`auth_rw_lastlog',`
  ##	</summary>
  ## </param>
  #
@@ -126590,7 +126640,7 @@ index f416ce9..02cd20f 100644
  ')
  
  ########################################
-@@ -854,15 +1082,15 @@ interface(`auth_domtrans_pam',`
+@@ -854,15 +972,15 @@ interface(`auth_domtrans_pam',`
  #
  interface(`auth_signal_pam',`
  	gen_require(`
@@ -126609,7 +126659,7 @@ index f416ce9..02cd20f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -875,13 +1103,33 @@ interface(`auth_signal_pam',`
+@@ -875,13 +993,33 @@ interface(`auth_signal_pam',`
  ##	</summary>
  ## </param>
  #
@@ -126647,7 +126697,7 @@ index f416ce9..02cd20f 100644
  ')
  
  ########################################
-@@ -959,9 +1207,30 @@ interface(`auth_manage_var_auth',`
+@@ -959,9 +1097,30 @@ interface(`auth_manage_var_auth',`
  	')
  
  	files_search_var($1)
@@ -126681,7 +126731,7 @@ index f416ce9..02cd20f 100644
  ')
  
  ########################################
-@@ -1040,6 +1309,10 @@ interface(`auth_manage_pam_pid',`
+@@ -1040,6 +1199,10 @@ interface(`auth_manage_pam_pid',`
  	files_search_pids($1)
  	allow $1 pam_var_run_t:dir manage_dir_perms;
  	allow $1 pam_var_run_t:file manage_file_perms;
@@ -126692,7 +126742,7 @@ index f416ce9..02cd20f 100644
  ')
  
  ########################################
-@@ -1157,6 +1430,7 @@ interface(`auth_manage_pam_console_data',`
+@@ -1157,6 +1320,7 @@ interface(`auth_manage_pam_console_data',`
  	files_search_pids($1)
  	manage_files_pattern($1, pam_var_console_t, pam_var_console_t)
  	manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t)
@@ -126700,7 +126750,7 @@ index f416ce9..02cd20f 100644
  ')
  
  #######################################
-@@ -1526,6 +1800,25 @@ interface(`auth_setattr_login_records',`
+@@ -1526,6 +1690,25 @@ interface(`auth_setattr_login_records',`
  
  ########################################
  ## <summary>
@@ -126726,7 +126776,7 @@ index f416ce9..02cd20f 100644
  ##	Read login records files (/var/log/wtmp).
  ## </summary>
  ## <param name="domain">
-@@ -1676,24 +1969,7 @@ interface(`auth_manage_login_records',`
+@@ -1676,24 +1859,7 @@ interface(`auth_manage_login_records',`
  
  	logging_rw_generic_log_dirs($1)
  	allow $1 wtmp_t:file manage_file_perms;
@@ -126752,7 +126802,7 @@ index f416ce9..02cd20f 100644
  ')
  
  ########################################
-@@ -1717,11 +1993,13 @@ interface(`auth_relabel_login_records',`
+@@ -1717,11 +1883,13 @@ interface(`auth_relabel_login_records',`
  ## <infoflow type="both" weight="10"/>
  #
  interface(`auth_use_nsswitch',`
@@ -126769,7 +126819,7 @@ index f416ce9..02cd20f 100644
  ')
  
  ########################################
-@@ -1755,3 +2033,194 @@ interface(`auth_unconfined',`
+@@ -1755,3 +1923,194 @@ interface(`auth_unconfined',`
  	typeattribute $1 can_write_shadow_passwords;
  	typeattribute $1 can_relabelto_shadow_passwords;
  ')
@@ -126965,10 +127015,10 @@ index f416ce9..02cd20f 100644
 +	userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~")
 +')
 diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index f145ccb..4623fe3 100644
+index f145ccb..dfba2fd 100644
 --- a/policy/modules/system/authlogin.te
 +++ b/policy/modules/system/authlogin.te
-@@ -5,6 +5,12 @@ policy_module(authlogin, 2.4.0)
+@@ -5,6 +5,19 @@ policy_module(authlogin, 2.4.0)
  # Declarations
  #
  
@@ -126978,15 +127028,23 @@ index f145ccb..4623fe3 100644
 +## </p>
 +## </desc>
 +gen_tunable(authlogin_radius, false)
++
++## <desc>
++## <p>
++## Allow users to login using a yubikey  server
++## </p>
++## </desc>
++gen_tunable(authlogin_yubikey, false)
  
  ## <desc>
  ## <p>
-@@ -16,20 +22,25 @@ gen_tunable(authlogin_nsswitch_use_ldap, false)
+@@ -16,20 +29,26 @@ gen_tunable(authlogin_nsswitch_use_ldap, false)
  attribute can_read_shadow_passwords;
  attribute can_write_shadow_passwords;
  attribute can_relabelto_shadow_passwords;
 +attribute polydomain;
  attribute nsswitch_domain;
++attribute login_pgm;
  
  type auth_cache_t;
  logging_log_file(auth_cache_t)
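Review bot: The description of the new tunable at `## Allow users to login using a yubikey  server` says nothing about what it grants; elsewhere in this patch the tunable enables `corenet_tcp_connect_http_port(login_pgm)`, so an administrator reading the boolean list cannot tell that turning it on lets every login program open outbound connections to the http port. Suggest `## Allow login programs to connect to an external yubikey server over the http port`, which also fixes the double space and the "login"/"log in" wording.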
@@ -127008,7 +127066,7 @@ index f145ccb..4623fe3 100644
  
  type lastlog_t;
  logging_log_file(lastlog_t)
-@@ -42,15 +53,15 @@ type pam_console_exec_t;
+@@ -42,15 +61,15 @@ type pam_console_exec_t;
  init_system_domain(pam_console_t, pam_console_exec_t)
  role system_r types pam_console_t;
  
@@ -127031,7 +127089,7 @@ index f145ccb..4623fe3 100644
  
  type pam_var_console_t;
  files_pid_file(pam_var_console_t)
-@@ -64,6 +75,9 @@ neverallow ~can_read_shadow_passwords shadow_t:file read;
+@@ -64,6 +83,9 @@ neverallow ~can_read_shadow_passwords shadow_t:file read;
  neverallow ~can_write_shadow_passwords shadow_t:file { create write };
  neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
  
@@ -127041,7 +127099,7 @@ index f145ccb..4623fe3 100644
  type updpwd_t;
  type updpwd_exec_t;
  domain_type(updpwd_t)
-@@ -109,6 +123,8 @@ dev_read_urand(chkpwd_t)
+@@ -109,6 +131,8 @@ dev_read_urand(chkpwd_t)
  files_read_etc_files(chkpwd_t)
  # for nscd
  files_dontaudit_search_var(chkpwd_t)
@@ -127050,7 +127108,7 @@ index f145ccb..4623fe3 100644
  
  fs_dontaudit_getattr_xattr_fs(chkpwd_t)
  
-@@ -122,12 +138,11 @@ auth_use_nsswitch(chkpwd_t)
+@@ -122,12 +146,11 @@ auth_use_nsswitch(chkpwd_t)
  logging_send_audit_msgs(chkpwd_t)
  logging_send_syslog_msg(chkpwd_t)
  
@@ -127064,7 +127122,7 @@ index f145ccb..4623fe3 100644
  
  ifdef(`distro_ubuntu',`
  	optional_policy(`
-@@ -153,53 +168,52 @@ optional_policy(`
+@@ -153,53 +176,52 @@ optional_policy(`
  # PAM local policy
  #
  
@@ -127146,7 +127204,7 @@ index f145ccb..4623fe3 100644
  ')
  
  ########################################
-@@ -289,7 +303,6 @@ init_use_script_ptys(pam_console_t)
+@@ -289,7 +311,6 @@ init_use_script_ptys(pam_console_t)
  
  logging_send_syslog_msg(pam_console_t)
  
@@ -127154,7 +127212,7 @@ index f145ccb..4623fe3 100644
  miscfiles_read_generic_certs(pam_console_t)
  
  seutil_read_file_contexts(pam_console_t)
-@@ -341,6 +354,7 @@ kernel_read_system_state(updpwd_t)
+@@ -341,6 +362,7 @@ kernel_read_system_state(updpwd_t)
  dev_read_urand(updpwd_t)
  
  files_manage_etc_files(updpwd_t)
@@ -127162,7 +127220,7 @@ index f145ccb..4623fe3 100644
  
  term_dontaudit_use_console(updpwd_t)
  term_dontaudit_use_unallocated_ttys(updpwd_t)
-@@ -350,9 +364,8 @@ auth_use_nsswitch(updpwd_t)
+@@ -350,9 +372,8 @@ auth_use_nsswitch(updpwd_t)
  
  logging_send_syslog_msg(updpwd_t)
  
@@ -127173,7 +127231,7 @@ index f145ccb..4623fe3 100644
  
  ifdef(`distro_ubuntu',`
  	optional_policy(`
-@@ -380,13 +393,15 @@ term_dontaudit_use_all_ttys(utempter_t)
+@@ -380,13 +401,15 @@ term_dontaudit_use_all_ttys(utempter_t)
  term_dontaudit_use_all_ptys(utempter_t)
  term_dontaudit_use_ptmx(utempter_t)
  
@@ -127190,7 +127248,7 @@ index f145ccb..4623fe3 100644
  # Allow utemper to write to /tmp/.xses-*
  userdom_write_user_tmp_files(utempter_t)
  
-@@ -397,12 +412,81 @@ ifdef(`distro_ubuntu',`
+@@ -397,12 +420,81 @@ ifdef(`distro_ubuntu',`
  ')
  
  optional_policy(`
@@ -127275,7 +127333,7 @@ index f145ccb..4623fe3 100644
  ')
  
  #######################################
-@@ -426,6 +510,12 @@ tunable_policy(`authlogin_nsswitch_use_ldap',`
+@@ -426,6 +518,12 @@ tunable_policy(`authlogin_nsswitch_use_ldap',`
  
  optional_policy(`
  	tunable_policy(`authlogin_nsswitch_use_ldap',`
@@ -127288,7 +127346,7 @@ index f145ccb..4623fe3 100644
  		ldap_stream_connect(nsswitch_domain)
  	')
  ')
-@@ -455,7 +545,12 @@ optional_policy(`
+@@ -455,7 +553,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -127301,6 +127359,134 @@ index f145ccb..4623fe3 100644
  ')
  
  optional_policy(`
+@@ -463,3 +566,127 @@ optional_policy(`
+ 	samba_read_var_files(nsswitch_domain)
+ 	samba_dontaudit_write_var_files(nsswitch_domain)
+ ')
++
++#######################################
++#
++# Login Program local policy
++#
++
++domain_read_all_domains_state(login_pgm)
++corecmd_getattr_all_executables(login_pgm)
++domain_kill_all_domains(login_pgm)
++
++# pam_keyring
++allow login_pgm self:capability ipc_lock;
++allow login_pgm self:process setkeycreate;
++allow login_pgm self:key manage_key_perms;
++userdom_manage_all_users_keys(login_pgm)
++
++files_list_var_lib(login_pgm)
++manage_dirs_pattern(login_pgm, var_auth_t, var_auth_t)
++manage_files_pattern(login_pgm, var_auth_t, var_auth_t)
++
++manage_dirs_pattern(login_pgm, auth_cache_t, auth_cache_t)
++manage_files_pattern(login_pgm, auth_cache_t, auth_cache_t)
++manage_sock_files_pattern(login_pgm, auth_cache_t, auth_cache_t)
++files_var_filetrans(login_pgm, auth_cache_t, dir)
++
++manage_dirs_pattern(login_pgm, auth_home_t, auth_home_t)
++manage_files_pattern(login_pgm, auth_home_t, auth_home_t)
++auth_filetrans_admin_home_content(login_pgm)
++auth_filetrans_home_content(login_pgm)
++
++# needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321
++kernel_search_network_sysctl(login_pgm)
++kernel_rw_afs_state(login_pgm)
++
++tunable_policy(`authlogin_radius',`
++	corenet_udp_bind_all_unreserved_ports(login_pgm)
++')
++
++tunable_policy(`authlogin_yubikey',`
++	corenet_tcp_connect_http_port(login_pgm)
++')
++
++corenet_tcp_connect_pki_ca_port(login_pgm)
++
++# for fingerprint readers
++dev_rw_input_dev(login_pgm)
++dev_rw_generic_usb_dev(login_pgm)
++
++files_read_config_files(login_pgm)
++
++fs_list_auto_mountpoints(login_pgm)
++fs_manage_cgroup_dirs(login_pgm)
++fs_manage_cgroup_files(login_pgm)
++fs_read_ecryptfs_symlinks(login_pgm)
++fs_read_ecryptfs_files(login_pgm)
++
++selinux_validate_context(login_pgm)
++selinux_compute_access_vector(login_pgm)
++selinux_compute_create_context(login_pgm)
++selinux_compute_relabel_context(login_pgm)
++selinux_compute_user_contexts(login_pgm)
++
++auth_manage_faillog(login_pgm)
++auth_manage_pam_pid(login_pgm)
++
++init_rw_utmp(login_pgm)
++
++logging_set_loginuid(login_pgm)
++logging_set_tty_audit(login_pgm)
++
++miscfiles_dontaudit_write_generic_cert_files(login_pgm)
++
++seutil_read_config(login_pgm)
++seutil_read_login_config(login_pgm)
++seutil_read_default_contexts(login_pgm)
++systemd_login_read_pid_files(login_pgm)
++
++userdom_set_rlimitnh(login_pgm)
++userdom_read_user_home_content_symlinks(login_pgm)
++userdom_delete_user_tmp_files(login_pgm)
++userdom_search_admin_dir(login_pgm)
++userdom_stream_connect(login_pgm)
++userdom_manage_user_tmp_dirs(login_pgm)
++userdom_manage_user_tmp_files(login_pgm)
++
++optional_policy(`
++	afs_rw_udp_sockets(login_pgm)
++')
++
++optional_policy(`
++	kerberos_read_config(login_pgm)
++')
++
++optional_policy(`
++	oddjob_dbus_chat(login_pgm)
++	oddjob_domtrans_mkhomedir(login_pgm)
++')
++
++optional_policy(`
++	openct_stream_connect(login_pgm)
++	openct_signull(login_pgm)
++	openct_read_pid_files(login_pgm)
++')
++
++optional_policy(`
++	corecmd_exec_bin(login_pgm)
++	storage_getattr_fixed_disk_dev(login_pgm)
++	mount_domtrans(login_pgm)
++	mount_domtrans_ecryptmount(login_pgm)
++')
++
++optional_policy(`
++	fprintd_dbus_chat(login_pgm)
++')
++
++optional_policy(`
++	# allow execute tmux
++	screen_exec(login_pgm)
++')
++
++optional_policy(`
++	ssh_agent_exec(login_pgm)
++	ssh_read_user_home_files(login_pgm)
++')
 diff --git a/policy/modules/system/clock.fc b/policy/modules/system/clock.fc
 index c5e05ca..c9ddbee 100644
 --- a/policy/modules/system/clock.fc
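Review bot: The why-comment that accompanied these rules in the interface, `# Needed for pam_selinux_permit to cleanup properly`, was dropped in the move, so `domain_read_all_domains_state(login_pgm)` and `domain_kill_all_domains(login_pgm)` now hand every login program state-read and kill access over all domains with no explanation; please restore that comment above the first of them. The comment `# needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321` now sits above `kernel_search_network_sysctl(login_pgm)` rather than `kernel_rw_afs_state(login_pgm)`, which it explains; swapping those two lines keeps the comment attached to the right rule. The `authlogin_yubikey` tunable grants only `corenet_tcp_connect_http_port`; if the yubikey service is reached over TLS, confirm that the port used is part of http_port_t, otherwise enabling the boolean will not be sufficient on its own.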
@@ -129005,7 +129191,7 @@ index d26fe81..29f6683 100644
 +	allow $1 init_t:system undefined;
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 4a88fa1..7d77221 100644
+index 4a88fa1..df9e9a9 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -11,10 +11,24 @@ gen_require(`
@@ -129458,12 +129644,13 @@ index 4a88fa1..7d77221 100644
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
  
-@@ -251,12 +498,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -251,12 +498,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
 +files_manage_generic_pids_symlinks(initrc_t)
 +files_create_var_run_dirs(initrc_t)
++files_relabelfrom_isid_type(initrc_t)
  
  can_exec(initrc_t, initrc_tmp_t)
  manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
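Review bot: `files_relabelfrom_isid_type(initrc_t)` arrives without a why-comment, unlike the neighbouring pid-file rules, and it widens initrc_t to relabel objects that still carry initial-SID labels; the commit message ties this to a full relabel when the unconfined domain is disabled, so that reason belongs next to the rule, e.g. `# full relabel with the unconfined domain disabled runs from initrc and must relabel isid-labeled objects`. initrc_t's rule block continues on both sides of the hunk.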
@@ -129474,7 +129661,7 @@ index 4a88fa1..7d77221 100644
  
  manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
  manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -272,23 +522,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -272,23 +523,36 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -129517,7 +129704,7 @@ index 4a88fa1..7d77221 100644
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -296,6 +559,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -296,6 +560,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
  
  dev_read_rand(initrc_t)
  dev_read_urand(initrc_t)
@@ -129525,7 +129712,7 @@ index 4a88fa1..7d77221 100644
  dev_write_kmsg(initrc_t)
  dev_write_rand(initrc_t)
  dev_write_urand(initrc_t)
-@@ -306,8 +570,10 @@ dev_write_framebuffer(initrc_t)
+@@ -306,8 +571,10 @@ dev_write_framebuffer(initrc_t)
  dev_read_realtime_clock(initrc_t)
  dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
@@ -129536,7 +129723,7 @@ index 4a88fa1..7d77221 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -315,17 +581,16 @@ dev_manage_generic_files(initrc_t)
+@@ -315,17 +582,16 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -129556,7 +129743,7 @@ index 4a88fa1..7d77221 100644
  domain_getsession_all_domains(initrc_t)
  domain_use_interactive_fds(initrc_t)
  # for lsof which is used by alsa shutdown:
-@@ -333,6 +598,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -333,6 +599,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -129564,7 +129751,7 @@ index 4a88fa1..7d77221 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -340,8 +606,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -340,8 +607,10 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -129576,7 +129763,7 @@ index 4a88fa1..7d77221 100644
  files_delete_all_pids(initrc_t)
  files_delete_all_pid_dirs(initrc_t)
  files_read_etc_files(initrc_t)
-@@ -357,8 +625,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -357,8 +626,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -129590,7 +129777,7 @@ index 4a88fa1..7d77221 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -368,9 +640,12 @@ fs_mount_all_fs(initrc_t)
+@@ -368,9 +641,12 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -129604,7 +129791,7 @@ index 4a88fa1..7d77221 100644
  mcs_killall(initrc_t)
  mcs_process_set_categories(initrc_t)
  
-@@ -380,6 +655,7 @@ mls_process_read_up(initrc_t)
+@@ -380,6 +656,7 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -129612,7 +129799,7 @@ index 4a88fa1..7d77221 100644
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -391,6 +667,7 @@ term_use_all_terms(initrc_t)
+@@ -391,6 +668,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -129620,7 +129807,7 @@ index 4a88fa1..7d77221 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -409,20 +686,18 @@ logging_read_all_logs(initrc_t)
+@@ -409,20 +687,18 @@ logging_read_all_logs(initrc_t)
  logging_append_all_logs(initrc_t)
  logging_read_audit_config(initrc_t)
  
@@ -129644,7 +129831,7 @@ index 4a88fa1..7d77221 100644
  
  ifdef(`distro_debian',`
  	dev_setattr_generic_dirs(initrc_t)
-@@ -476,6 +751,10 @@ ifdef(`distro_gentoo',`
+@@ -476,6 +752,10 @@ ifdef(`distro_gentoo',`
  	sysnet_setattr_config(initrc_t)
  
  	optional_policy(`
@@ -129655,7 +129842,7 @@ index 4a88fa1..7d77221 100644
  		alsa_read_lib(initrc_t)
  	')
  
-@@ -496,7 +775,7 @@ ifdef(`distro_redhat',`
+@@ -496,7 +776,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -129664,7 +129851,7 @@ index 4a88fa1..7d77221 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -511,6 +790,7 @@ ifdef(`distro_redhat',`
+@@ -511,6 +791,7 @@ ifdef(`distro_redhat',`
  	files_create_boot_dirs(initrc_t)
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
@@ -129672,7 +129859,7 @@ index 4a88fa1..7d77221 100644
  	# wants to read /.fonts directory
  	files_read_default_files(initrc_t)
  	files_mountpoint(initrc_tmp_t)
-@@ -531,6 +811,7 @@ ifdef(`distro_redhat',`
+@@ -531,6 +812,7 @@ ifdef(`distro_redhat',`
  	miscfiles_rw_localization(initrc_t)
  	miscfiles_setattr_localization(initrc_t)
  	miscfiles_relabel_localization(initrc_t)
@@ -129680,7 +129867,7 @@ index 4a88fa1..7d77221 100644
  
  	miscfiles_read_fonts(initrc_t)
  	miscfiles_read_hwdata(initrc_t)
-@@ -540,8 +821,39 @@ ifdef(`distro_redhat',`
+@@ -540,8 +822,39 @@ ifdef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -129720,7 +129907,7 @@ index 4a88fa1..7d77221 100644
  	')
  
  	optional_policy(`
-@@ -549,14 +861,31 @@ ifdef(`distro_redhat',`
+@@ -549,14 +862,31 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -129752,7 +129939,7 @@ index 4a88fa1..7d77221 100644
  	')
  ')
  
-@@ -567,6 +896,39 @@ ifdef(`distro_suse',`
+@@ -567,6 +897,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -129792,7 +129979,7 @@ index 4a88fa1..7d77221 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -579,6 +941,8 @@ optional_policy(`
+@@ -579,6 +942,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -129801,7 +129988,7 @@ index 4a88fa1..7d77221 100644
  ')
  
  optional_policy(`
-@@ -600,6 +964,7 @@ optional_policy(`
+@@ -600,6 +965,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -129809,7 +129996,7 @@ index 4a88fa1..7d77221 100644
  ')
  
  optional_policy(`
-@@ -612,6 +977,17 @@ optional_policy(`
+@@ -612,6 +978,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -129827,7 +130014,7 @@ index 4a88fa1..7d77221 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -628,9 +1004,13 @@ optional_policy(`
+@@ -628,9 +1005,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -129841,7 +130028,7 @@ index 4a88fa1..7d77221 100644
  	')
  
  	optional_policy(`
-@@ -655,6 +1035,10 @@ optional_policy(`
+@@ -655,6 +1036,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -129852,7 +130039,7 @@ index 4a88fa1..7d77221 100644
  	gpm_setattr_gpmctl(initrc_t)
  ')
  
-@@ -672,6 +1056,15 @@ optional_policy(`
+@@ -672,6 +1057,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -129868,7 +130055,7 @@ index 4a88fa1..7d77221 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -712,6 +1105,7 @@ optional_policy(`
+@@ -712,6 +1106,7 @@ optional_policy(`
  	lpd_list_spool(initrc_t)
  
  	lpd_read_config(initrc_t)
@@ -129876,7 +130063,7 @@ index 4a88fa1..7d77221 100644
  ')
  
  optional_policy(`
-@@ -729,7 +1123,14 @@ optional_policy(`
+@@ -729,7 +1124,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -129891,7 +130078,7 @@ index 4a88fa1..7d77221 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -752,6 +1153,10 @@ optional_policy(`
+@@ -752,6 +1154,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -129902,7 +130089,7 @@ index 4a88fa1..7d77221 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -761,10 +1166,20 @@ optional_policy(`
+@@ -761,10 +1167,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -129923,7 +130110,7 @@ index 4a88fa1..7d77221 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -773,6 +1188,10 @@ optional_policy(`
+@@ -773,6 +1189,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -129934,7 +130121,7 @@ index 4a88fa1..7d77221 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -794,8 +1213,6 @@ optional_policy(`
+@@ -794,8 +1214,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -129943,7 +130130,7 @@ index 4a88fa1..7d77221 100644
  ')
  
  optional_policy(`
-@@ -804,6 +1221,10 @@ optional_policy(`
+@@ -804,6 +1222,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -129954,7 +130141,7 @@ index 4a88fa1..7d77221 100644
  	# shorewall-init script run /var/lib/shorewall/firewall
  	shorewall_lib_domtrans(initrc_t)
  ')
-@@ -813,10 +1234,12 @@ optional_policy(`
+@@ -813,10 +1235,12 @@ optional_policy(`
  	squid_manage_logs(initrc_t)
  ')
  
@@ -129967,7 +130154,7 @@ index 4a88fa1..7d77221 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -828,8 +1251,6 @@ optional_policy(`
+@@ -828,8 +1252,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -129976,7 +130163,7 @@ index 4a88fa1..7d77221 100644
  	udev_manage_pid_files(initrc_t)
  	udev_manage_pid_dirs(initrc_t)
  	udev_manage_rules_files(initrc_t)
-@@ -840,12 +1261,30 @@ optional_policy(`
+@@ -840,12 +1262,30 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -130009,7 +130196,7 @@ index 4a88fa1..7d77221 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -855,6 +1294,18 @@ optional_policy(`
+@@ -855,6 +1295,18 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -130028,7 +130215,7 @@ index 4a88fa1..7d77221 100644
  ')
  
  optional_policy(`
-@@ -870,6 +1321,10 @@ optional_policy(`
+@@ -870,6 +1322,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -130039,7 +130226,7 @@ index 4a88fa1..7d77221 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -880,3 +1335,177 @@ optional_policy(`
+@@ -880,3 +1336,177 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -132795,10 +132982,35 @@ index fe3427d..b7d45f7 100644
  /var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
  
 diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
-index 926ba65..2017de8 100644
+index 926ba65..858cbfe 100644
 --- a/policy/modules/system/miscfiles.if
 +++ b/policy/modules/system/miscfiles.if
-@@ -470,7 +470,6 @@ interface(`miscfiles_legacy_read_localization',`
+@@ -106,6 +106,24 @@ interface(`miscfiles_manage_generic_cert_dirs',`
+ 
+ ########################################
+ ## <summary>
++##	Dontaudit attempts to write generic SSL certificates.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`miscfiles_dontaudit_write_generic_cert_files',`
++	gen_require(`
++		type cert_t;
++	')
++
++	dontaudit $1 cert_t:file write;
++')
++
++########################################
++## <summary>
+ ##	Manage generic SSL certificates.
+ ## </summary>
+ ## <param name="domain">
+@@ -470,7 +488,6 @@ interface(`miscfiles_legacy_read_localization',`
  		type locale_t;
  	')
  
@@ -132806,7 +133018,7 @@ index 926ba65..2017de8 100644
  	allow $1 locale_t:file execute;
  ')
  
-@@ -531,6 +530,10 @@ interface(`miscfiles_read_man_pages',`
+@@ -531,6 +548,10 @@ interface(`miscfiles_read_man_pages',`
  	allow $1 man_t:dir list_dir_perms;
  	read_files_pattern($1, man_t, man_t)
  	read_lnk_files_pattern($1, man_t, man_t)
@@ -132817,7 +133029,18 @@ index 926ba65..2017de8 100644
  ')
  
  ########################################
-@@ -582,6 +585,30 @@ interface(`miscfiles_manage_man_pages',`
+@@ -557,6 +578,10 @@ interface(`miscfiles_delete_man_pages',`
+ 	delete_dirs_pattern($1, man_t, man_t)
+ 	delete_files_pattern($1, man_t, man_t)
+ 	delete_lnk_files_pattern($1, man_t, man_t)
++
++	optional_policy(`
++		mandb_delete_cache($1)
++	')
+ ')
+ 
+ ########################################
+@@ -582,6 +607,30 @@ interface(`miscfiles_manage_man_pages',`
  
  ########################################
  ## <summary>
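Review bot: The summary of `miscfiles_delete_man_pages` (its start is outside this hunk) is not updated, although the added `optional_policy(` mandb_delete_cache($1) ')` now also gives callers deletion rights over the mandb cache under `/var/cache/man` (labelled `mandb_cache_t`), not only over `man_t`. A reader of the interface description would not expect that second type to be touched. Extend the summary to something like `##	Delete man pages and, when the mandb module is present, the mandb cache built from them.` so that audit reviewers of a caller's permissions can see the wider scope from the documentation.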
@@ -132848,7 +133071,7 @@ index 926ba65..2017de8 100644
  ##	Read public files used for file
  ##	transfer services.
  ## </summary>
-@@ -745,7 +772,6 @@ interface(`miscfiles_etc_filetrans_localization',`
+@@ -745,7 +794,6 @@ interface(`miscfiles_etc_filetrans_localization',`
  	')
  
  	files_etc_filetrans($1, locale_t, file)
@@ -132856,7 +133079,7 @@ index 926ba65..2017de8 100644
  ')
  
  ########################################
-@@ -769,3 +795,43 @@ interface(`miscfiles_manage_localization',`
+@@ -769,3 +817,43 @@ interface(`miscfiles_manage_localization',`
  	manage_lnk_files_pattern($1, locale_t, locale_t)
  ')
  
@@ -135820,7 +136043,7 @@ index 41a1853..af08353 100644
 +	files_etc_filetrans($1, net_conf_t, file, "yp.conf")
 +')
 diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index ed363e1..27de635 100644
+index ed363e1..2e7bfc1 100644
 --- a/policy/modules/system/sysnetwork.te
 +++ b/policy/modules/system/sysnetwork.te
 @@ -5,8 +5,15 @@ policy_module(sysnetwork, 1.14.0)
@@ -135959,7 +136182,7 @@ index ed363e1..27de635 100644
  
  userdom_use_user_terminals(dhcpc_t)
  userdom_dontaudit_search_user_home_dirs(dhcpc_t)
-@@ -153,8 +176,19 @@ ifdef(`distro_ubuntu',`
+@@ -153,8 +176,23 @@ ifdef(`distro_ubuntu',`
  	')
  ')
  
@@ -135967,20 +136190,24 @@ index ed363e1..27de635 100644
 +#	consoletype_run(dhcpc_t, dhcpc_roles)
 +#')
 +
- optional_policy(`
--	consoletype_run(dhcpc_t, dhcpc_roles)
++optional_policy(`
 +	chronyd_initrc_domtrans(dhcpc_t)
 +	chronyd_systemctl(dhcpc_t)
 +	chronyd_read_keys(dhcpc_t)
 +')
 +
 +optional_policy(`
++	consoletype_exec(dhcpc_t)
++')
++
+ optional_policy(`
+-	consoletype_run(dhcpc_t, dhcpc_roles)
 +	devicekit_dontaudit_rw_log(dhcpc_t)
 +	devicekit_dontaudit_read_pid_files(dhcpc_t)
  ')
  
  optional_policy(`
-@@ -169,11 +203,14 @@ optional_policy(`
+@@ -169,11 +207,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -135996,7 +136223,7 @@ index ed363e1..27de635 100644
  ')
  
  optional_policy(`
-@@ -187,25 +224,41 @@ optional_policy(`
+@@ -187,25 +228,41 @@ optional_policy(`
  
  # for the dhcp client to run ping to check IP addresses
  optional_policy(`
@@ -136040,7 +136267,7 @@ index ed363e1..27de635 100644
  ')
  
  optional_policy(`
-@@ -215,7 +268,11 @@ optional_policy(`
+@@ -215,7 +272,11 @@ optional_policy(`
  
  optional_policy(`
  	seutil_sigchld_newrole(dhcpc_t)
@@ -136053,7 +136280,7 @@ index ed363e1..27de635 100644
  ')
  
  optional_policy(`
-@@ -258,6 +315,7 @@ allow ifconfig_t self:msgq create_msgq_perms;
+@@ -258,6 +319,7 @@ allow ifconfig_t self:msgq create_msgq_perms;
  allow ifconfig_t self:msg { send receive };
  # Create UDP sockets, necessary when called from dhcpc
  allow ifconfig_t self:udp_socket create_socket_perms;
@@ -136061,7 +136288,7 @@ index ed363e1..27de635 100644
  # for /sbin/ip
  allow ifconfig_t self:packet_socket create_socket_perms;
  allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -276,11 +334,17 @@ corenet_rw_tun_tap_dev(ifconfig_t)
+@@ -276,11 +338,17 @@ corenet_rw_tun_tap_dev(ifconfig_t)
  dev_read_sysfs(ifconfig_t)
  # for IPSEC setup:
  dev_read_urand(ifconfig_t)
@@ -136079,7 +136306,7 @@ index ed363e1..27de635 100644
  
  fs_getattr_xattr_fs(ifconfig_t)
  fs_search_auto_mountpoints(ifconfig_t)
-@@ -293,7 +357,7 @@ term_dontaudit_use_all_ptys(ifconfig_t)
+@@ -293,7 +361,7 @@ term_dontaudit_use_all_ptys(ifconfig_t)
  term_dontaudit_use_ptmx(ifconfig_t)
  term_dontaudit_use_generic_ptys(ifconfig_t)
  
@@ -136088,7 +136315,7 @@ index ed363e1..27de635 100644
  
  init_use_fds(ifconfig_t)
  init_use_script_ptys(ifconfig_t)
-@@ -302,13 +366,12 @@ libs_read_lib_files(ifconfig_t)
+@@ -302,13 +370,12 @@ libs_read_lib_files(ifconfig_t)
  
  logging_send_syslog_msg(ifconfig_t)
  
@@ -136105,7 +136332,7 @@ index ed363e1..27de635 100644
  userdom_use_all_users_fds(ifconfig_t)
  
  ifdef(`distro_ubuntu',`
-@@ -317,7 +380,22 @@ ifdef(`distro_ubuntu',`
+@@ -317,7 +384,22 @@ ifdef(`distro_ubuntu',`
  	')
  ')
  
@@ -136128,7 +136355,7 @@ index ed363e1..27de635 100644
  	optional_policy(`
  		dev_dontaudit_rw_cardmgr(ifconfig_t)
  	')
-@@ -328,8 +406,14 @@ ifdef(`hide_broken_symptoms',`
+@@ -328,8 +410,14 @@ ifdef(`hide_broken_symptoms',`
  ')
  
  optional_policy(`
@@ -136143,7 +136370,7 @@ index ed363e1..27de635 100644
  ')
  
  optional_policy(`
-@@ -338,7 +422,15 @@ optional_policy(`
+@@ -338,7 +426,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -136160,7 +136387,7 @@ index ed363e1..27de635 100644
  ')
  
  optional_policy(`
-@@ -359,3 +451,9 @@ optional_policy(`
+@@ -359,3 +455,9 @@ optional_policy(`
  	xen_append_log(ifconfig_t)
  	xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
  ')
diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch
index bfbd0d0..1e2dcd1 100644
--- a/policy_contrib-rawhide.patch
+++ b/policy_contrib-rawhide.patch
@@ -364,7 +364,7 @@ index 0b827c5..cce58bb 100644
 +	dontaudit $1 abrt_t:sock_file write;
  ')
 diff --git a/abrt.te b/abrt.te
-index 30861ec..55031d3 100644
+index 30861ec..a708362 100644
 --- a/abrt.te
 +++ b/abrt.te
 @@ -5,13 +5,33 @@ policy_module(abrt, 1.2.0)
@@ -650,7 +650,7 @@ index 30861ec..55031d3 100644
  	userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
  	userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
  	dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -224,4 +330,146 @@ ifdef(`hide_broken_symptoms', `
+@@ -224,4 +330,147 @@ ifdef(`hide_broken_symptoms', `
  	dev_dontaudit_write_all_chr_files(abrt_helper_t)
  	dev_dontaudit_write_all_blk_files(abrt_helper_t)
  	fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -762,6 +762,7 @@ index 30861ec..55031d3 100644
 +
 +read_files_pattern(abrt_dump_oops_t, abrt_etc_t, abrt_etc_t)
 +
++kernel_read_debugfs(abrt_dump_oops_t)
 +kernel_read_kernel_sysctls(abrt_dump_oops_t)
 +kernel_read_ring_buffer(abrt_dump_oops_t)
 +
@@ -2927,7 +2928,7 @@ index 6480167..604d2bd 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
  ')
 diff --git a/apache.te b/apache.te
-index 0833afb..5b09aa9 100644
+index 0833afb..b075368 100644
 --- a/apache.te
 +++ b/apache.te
 @@ -18,6 +18,8 @@ policy_module(apache, 2.4.0)
@@ -3636,7 +3637,7 @@ index 0833afb..5b09aa9 100644
  ')
  
  optional_policy(`
-@@ -594,6 +927,37 @@ optional_policy(`
+@@ -594,6 +927,42 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -3646,13 +3647,18 @@ index 0833afb..5b09aa9 100644
 +optional_policy(`
 +	tunable_policy(`httpd_run_stickshift', `
 +		allow httpd_t self:capability { fowner fsetid sys_resource };
++		dontaudit httpd_t self:capability sys_ptrace;
 +		allow httpd_t self:process setexec;
-+		passenger_exec(httpd_t)
-+		passenger_manage_pid_content(httpd_t)
-+		passenger_manage_lib_files(httpd_t)
++
 +		files_dontaudit_getattr_all_files(httpd_t)
 +		domain_dontaudit_read_all_domains_state(httpd_t)
 +		domain_getpgid_all_domains(httpd_t)
++
++		#optional_policy(`
++			passenger_exec(httpd_t)
++			passenger_manage_pid_content(httpd_t)
++			passenger_manage_lib_files(httpd_t)
++		#')
 +	',`
 +		passenger_domtrans(httpd_t)
 +		passenger_manage_pid_content(httpd_t)
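Review bot: The commented-out `#optional_policy(` / `#')` markers around the three passenger_* calls leave indented, unconditional lines inside the `httpd_run_stickshift` tunable block, which reads as dead scaffolding rather than intent. Presumably the block was commented out because `optional_policy` cannot be nested inside `tunable_policy`; since the enclosing block already opens with `optional_policy(`, the passenger calls are covered by it. Replace the two markers with a single comment, `# no nested optional_policy(): the enclosing optional block already guards the passenger_* calls`, and dedent the calls to the surrounding level. The enclosing tunable_policy block continues outside the hunk.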
@@ -3674,7 +3680,7 @@ index 0833afb..5b09aa9 100644
  	# Allow httpd to work with postgresql
  	postgresql_stream_connect(httpd_t)
  	postgresql_unpriv_client(httpd_t)
-@@ -608,6 +972,11 @@ optional_policy(`
+@@ -608,6 +977,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -3686,7 +3692,7 @@ index 0833afb..5b09aa9 100644
  	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
  	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
  ')
-@@ -620,6 +989,12 @@ optional_policy(`
+@@ -620,6 +994,12 @@ optional_policy(`
  	yam_read_content(httpd_t)
  ')
  
@@ -3699,7 +3705,7 @@ index 0833afb..5b09aa9 100644
  ########################################
  #
  # Apache helper local policy
-@@ -633,7 +1008,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
+@@ -633,7 +1013,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
  
  logging_send_syslog_msg(httpd_helper_t)
  
@@ -3712,7 +3718,7 @@ index 0833afb..5b09aa9 100644
  
  ########################################
  #
-@@ -671,28 +1050,30 @@ libs_exec_lib_files(httpd_php_t)
+@@ -671,28 +1055,30 @@ libs_exec_lib_files(httpd_php_t)
  userdom_use_unpriv_users_fds(httpd_php_t)
  
  tunable_policy(`httpd_can_network_connect_db',`
@@ -3756,7 +3762,7 @@ index 0833afb..5b09aa9 100644
  ')
  
  ########################################
-@@ -702,6 +1083,7 @@ optional_policy(`
+@@ -702,6 +1088,7 @@ optional_policy(`
  
  allow httpd_suexec_t self:capability { setuid setgid };
  allow httpd_suexec_t self:process signal_perms;
@@ -3764,7 +3770,7 @@ index 0833afb..5b09aa9 100644
  allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
  
  domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-@@ -716,19 +1098,27 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -716,19 +1103,27 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
  
@@ -3793,7 +3799,7 @@ index 0833afb..5b09aa9 100644
  files_read_usr_files(httpd_suexec_t)
  files_dontaudit_search_pids(httpd_suexec_t)
  files_search_home(httpd_suexec_t)
-@@ -738,15 +1128,14 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -738,15 +1133,14 @@ auth_use_nsswitch(httpd_suexec_t)
  logging_search_logs(httpd_suexec_t)
  logging_send_syslog_msg(httpd_suexec_t)
  
@@ -3811,7 +3817,7 @@ index 0833afb..5b09aa9 100644
  	corenet_tcp_sendrecv_generic_if(httpd_suexec_t)
  	corenet_udp_sendrecv_generic_if(httpd_suexec_t)
  	corenet_tcp_sendrecv_generic_node(httpd_suexec_t)
-@@ -757,13 +1146,31 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -757,13 +1151,31 @@ tunable_policy(`httpd_can_network_connect',`
  	corenet_sendrecv_all_client_packets(httpd_suexec_t)
  ')
  
@@ -3844,7 +3850,7 @@ index 0833afb..5b09aa9 100644
  	fs_read_nfs_files(httpd_suexec_t)
  	fs_read_nfs_symlinks(httpd_suexec_t)
  	fs_exec_nfs_files(httpd_suexec_t)
-@@ -786,6 +1193,25 @@ optional_policy(`
+@@ -786,6 +1198,25 @@ optional_policy(`
  	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
  ')
  
@@ -3870,7 +3876,7 @@ index 0833afb..5b09aa9 100644
  ########################################
  #
  # Apache system script local policy
-@@ -806,12 +1232,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+@@ -806,12 +1237,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
  
  kernel_read_kernel_sysctls(httpd_sys_script_t)
  
@@ -3888,7 +3894,7 @@ index 0833afb..5b09aa9 100644
  ifdef(`distro_redhat',`
  	allow httpd_sys_script_t httpd_log_t:file append_file_perms;
  ')
-@@ -820,18 +1251,50 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -820,18 +1256,50 @@ tunable_policy(`httpd_can_sendmail',`
  	mta_send_mail(httpd_sys_script_t)
  ')
  
@@ -3947,7 +3953,7 @@ index 0833afb..5b09aa9 100644
  	corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
  	corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
  	corenet_tcp_connect_all_ports(httpd_sys_script_t)
-@@ -839,14 +1302,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -839,14 +1307,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
  ')
  
  tunable_policy(`httpd_enable_homedirs',`
@@ -3988,7 +3994,7 @@ index 0833afb..5b09aa9 100644
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_sys_script_t)
  	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -859,10 +1347,20 @@ optional_policy(`
+@@ -859,10 +1352,20 @@ optional_policy(`
  optional_policy(`
  	mysql_stream_connect(httpd_sys_script_t)
  	mysql_rw_db_sockets(httpd_sys_script_t)
@@ -4009,7 +4015,7 @@ index 0833afb..5b09aa9 100644
  ')
  
  ########################################
-@@ -878,11 +1376,9 @@ kernel_read_kernel_sysctls(httpd_rotatelogs_t)
+@@ -878,11 +1381,9 @@ kernel_read_kernel_sysctls(httpd_rotatelogs_t)
  kernel_dontaudit_list_proc(httpd_rotatelogs_t)
  kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t)
  
@@ -4021,7 +4027,7 @@ index 0833afb..5b09aa9 100644
  
  ########################################
  #
-@@ -908,11 +1404,138 @@ optional_policy(`
+@@ -908,11 +1409,138 @@ optional_policy(`
  
  tunable_policy(`httpd_enable_cgi && httpd_unified',`
  	allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -8858,7 +8864,7 @@ index bbac14a..99c5cca 100644
 +
  ')
 diff --git a/clamav.te b/clamav.te
-index a10350e..0294412 100644
+index a10350e..7ebd38b 100644
 --- a/clamav.te
 +++ b/clamav.te
 @@ -1,9 +1,23 @@
@@ -9000,7 +9006,7 @@ index a10350e..0294412 100644
  ')
  
  ########################################
-@@ -178,17 +207,25 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file)
+@@ -178,17 +207,26 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file)
  
  # log files (own logfiles only)
  manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t)
@@ -9024,12 +9030,13 @@ index a10350e..0294412 100644
  corenet_tcp_sendrecv_all_ports(freshclam_t)
  corenet_tcp_sendrecv_clamd_port(freshclam_t)
  corenet_tcp_connect_http_port(freshclam_t)
++corenet_tcp_connect_http_cache_port(freshclam_t)
 +corenet_tcp_connect_clamd_port(freshclam_t)
 +corenet_tcp_connect_squid_port(freshclam_t)
  corenet_sendrecv_http_client_packets(freshclam_t)
  
  dev_read_rand(freshclam_t)
-@@ -196,27 +233,30 @@ dev_read_urand(freshclam_t)
+@@ -196,27 +234,30 @@ dev_read_urand(freshclam_t)
  
  domain_use_interactive_fds(freshclam_t)
  
@@ -9067,7 +9074,7 @@ index a10350e..0294412 100644
  ########################################
  #
  # clamscam local policy
-@@ -242,15 +282,34 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir })
+@@ -242,15 +283,34 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir })
  manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t)
  allow clamscan_t clamd_var_lib_t:dir list_dir_perms;
  
@@ -9103,7 +9110,7 @@ index a10350e..0294412 100644
  
  files_read_etc_files(clamscan_t)
  files_read_etc_runtime_files(clamscan_t)
-@@ -259,15 +318,19 @@ files_search_var_lib(clamscan_t)
+@@ -259,15 +319,19 @@ files_search_var_lib(clamscan_t)
  init_read_utmp(clamscan_t)
  init_dontaudit_write_utmp(clamscan_t)
  
@@ -14073,7 +14080,7 @@ index 305ddf4..236f5ba 100644
 +	filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "ppds.dat")
  ')
 diff --git a/cups.te b/cups.te
-index e5a8924..a600239 100644
+index e5a8924..c5c823c 100644
 --- a/cups.te
 +++ b/cups.te
 @@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t)
@@ -14397,7 +14404,12 @@ index e5a8924..a600239 100644
  ')
  
  ########################################
-@@ -638,6 +661,11 @@ files_search_etc(hplip_t)
+@@ -635,9 +658,16 @@ read_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
+ read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
+ files_search_etc(hplip_t)
+ 
++allow hplip_t cupsd_unit_file_t:file read_file_perms;
++
  manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
  manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
  
@@ -14409,15 +14421,18 @@ index e5a8924..a600239 100644
  manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
  files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file )
  
-@@ -647,7 +675,6 @@ files_pid_filetrans(hplip_t, hplip_var_run_t, file)
+@@ -647,7 +677,9 @@ files_pid_filetrans(hplip_t, hplip_var_run_t, file)
  kernel_read_system_state(hplip_t)
  kernel_read_kernel_sysctls(hplip_t)
  
 -corenet_all_recvfrom_unlabeled(hplip_t)
++# for python
++corecmd_exec_bin(hplip_t)
++
  corenet_all_recvfrom_netlabel(hplip_t)
  corenet_tcp_sendrecv_generic_if(hplip_t)
  corenet_udp_sendrecv_generic_if(hplip_t)
-@@ -661,10 +688,10 @@ corenet_tcp_bind_generic_node(hplip_t)
+@@ -661,10 +693,10 @@ corenet_tcp_bind_generic_node(hplip_t)
  corenet_udp_bind_generic_node(hplip_t)
  corenet_tcp_bind_hplip_port(hplip_t)
  corenet_tcp_connect_hplip_port(hplip_t)
@@ -14431,16 +14446,34 @@ index e5a8924..a600239 100644
  
  dev_read_sysfs(hplip_t)
  dev_rw_printer(hplip_t)
-@@ -685,19 +712,23 @@ domain_use_interactive_fds(hplip_t)
+@@ -673,31 +705,34 @@ dev_read_rand(hplip_t)
+ dev_rw_generic_usb_dev(hplip_t)
+ dev_rw_usbfs(hplip_t)
+ 
+-fs_getattr_all_fs(hplip_t)
+-fs_search_auto_mountpoints(hplip_t)
+-fs_rw_anon_inodefs_files(hplip_t)
+-
+-# for python
+-corecmd_exec_bin(hplip_t)
+-
+ domain_use_interactive_fds(hplip_t)
+ 
  files_read_etc_files(hplip_t)
  files_read_etc_runtime_files(hplip_t)
  files_read_usr_files(hplip_t)
 +files_dontaudit_write_usr_dirs(hplip_t)
  
 -logging_send_syslog_msg(hplip_t)
-+auth_read_passwd(hplip_t)
++fs_getattr_all_fs(hplip_t)
++fs_search_auto_mountpoints(hplip_t)
++fs_rw_anon_inodefs_files(hplip_t)
++
++term_use_ptmx(hplip_t)
  
 -miscfiles_read_localization(hplip_t)
++auth_read_passwd(hplip_t)
++
 +logging_send_syslog_msg(hplip_t)
  
  sysnet_read_config(hplip_t)
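Review bot: `term_use_ptmx(hplip_t)` and `auth_read_passwd(hplip_t)` are new grants for the printer daemon with no comment and no entry in the commit message, while the surrounding fs_* and logging lines are only reordered. Read/write on the pty multiplexer in particular is not something a reader would expect a print helper to need, so a why-comment is warranted, e.g. `# hplip opens /dev/ptmx when <reason — TODO confirm>` and `# hplip resolves user names via /etc/passwd` (hedged, since the need is not visible here). The hplip_t policy continues outside the hunk.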
@@ -14459,7 +14492,7 @@ index e5a8924..a600239 100644
  
  optional_policy(`
  	dbus_system_bus_client(hplip_t)
-@@ -743,7 +774,6 @@ kernel_read_kernel_sysctls(ptal_t)
+@@ -743,7 +778,6 @@ kernel_read_kernel_sysctls(ptal_t)
  kernel_list_proc(ptal_t)
  kernel_read_proc_symlinks(ptal_t)
  
@@ -14467,7 +14500,7 @@ index e5a8924..a600239 100644
  corenet_all_recvfrom_netlabel(ptal_t)
  corenet_tcp_sendrecv_generic_if(ptal_t)
  corenet_tcp_sendrecv_generic_node(ptal_t)
-@@ -760,13 +790,10 @@ fs_search_auto_mountpoints(ptal_t)
+@@ -760,13 +794,10 @@ fs_search_auto_mountpoints(ptal_t)
  
  domain_use_interactive_fds(ptal_t)
  
@@ -15246,7 +15279,7 @@ index fb4bf82..126d543 100644
 +	dontaudit $1 session_bus_type:dbus send_msg;
  ')
 diff --git a/dbus.te b/dbus.te
-index 625cb32..082afa9 100644
+index 625cb32..be84a05 100644
 --- a/dbus.te
 +++ b/dbus.te
 @@ -10,6 +10,7 @@ gen_require(`
@@ -15298,7 +15331,7 @@ index 625cb32..082afa9 100644
  fs_getattr_all_fs(system_dbusd_t)
  fs_list_inotifyfs(system_dbusd_t)
  fs_search_auto_mountpoints(system_dbusd_t)
-@@ -110,22 +115,24 @@ auth_read_pam_console_data(system_dbusd_t)
+@@ -110,22 +115,25 @@ auth_read_pam_console_data(system_dbusd_t)
  corecmd_list_bin(system_dbusd_t)
  corecmd_read_bin_pipes(system_dbusd_t)
  corecmd_read_bin_sockets(system_dbusd_t)
@@ -15317,6 +15350,7 @@ index 625cb32..082afa9 100644
 +init_bin_domtrans_spec(system_dbusd_t)
  init_domtrans_script(system_dbusd_t)
 +init_rw_stream_sockets(system_dbusd_t)
++init_status(system_dbusd_t)
  
  logging_send_audit_msgs(system_dbusd_t)
  logging_send_syslog_msg(system_dbusd_t)
@@ -15325,7 +15359,7 @@ index 625cb32..082afa9 100644
  miscfiles_read_generic_certs(system_dbusd_t)
  
  seutil_read_config(system_dbusd_t)
-@@ -135,11 +142,35 @@ seutil_sigchld_newrole(system_dbusd_t)
+@@ -135,11 +143,35 @@ seutil_sigchld_newrole(system_dbusd_t)
  userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
  userdom_dontaudit_search_user_home_dirs(system_dbusd_t)
  
@@ -15361,7 +15395,7 @@ index 625cb32..082afa9 100644
  	policykit_dbus_chat(system_dbusd_t)
  	policykit_domtrans_auth(system_dbusd_t)
  	policykit_search_lib(system_dbusd_t)
-@@ -150,12 +181,156 @@ optional_policy(`
+@@ -150,12 +182,157 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -15391,6 +15425,7 @@ index 625cb32..082afa9 100644
 +dbus_system_bus_client(system_bus_type)
 +dbus_connect_system_bus(system_bus_type)
 +
++init_status(system_bus_type)
 +init_stream_connect(system_bus_type)
 +init_dgram_send(system_bus_type)
 +init_use_fds(system_bus_type)
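Review bot: `init_status(system_bus_type)` grants the init-status permission to every domain carrying the `system_bus_type` attribute, which is broader than the commit message's "Allow systemd_dbusd_t to status the init system"; the earlier hunk in this file already adds `init_status(system_dbusd_t)` for the daemon itself. If the attribute-wide grant is intended (every system bus client querying the init system), a comment stating so, `# all system bus clients may query init status`, would keep the two rules from looking redundant; otherwise the attribute-wide line can be dropped. The system_bus_type rules continue outside the hunk.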
@@ -20365,10 +20400,10 @@ index 0000000..c4c7510
 +')
 diff --git a/firewalld.te b/firewalld.te
 new file mode 100644
-index 0000000..f4d5b52
+index 0000000..72f0c9b
 --- /dev/null
 +++ b/firewalld.te
-@@ -0,0 +1,86 @@
+@@ -0,0 +1,91 @@
 +
 +policy_module(firewalld,1.0.0)
 +
@@ -20401,6 +20436,8 @@ index 0000000..f4d5b52
 +# firewalld local policy
 +#
 +dontaudit firewalld_t self:capability sys_tty_config;
++allow firewalld_t self:capability sys_nice;
++allow firewalld_t self:process setsched;
 +allow firewalld_t self:fifo_file rw_fifo_file_perms;
 +allow firewalld_t self:unix_stream_socket create_stream_socket_perms;
 +
@@ -20427,6 +20464,7 @@ index 0000000..f4d5b52
 +
 +domain_use_interactive_fds(firewalld_t)
 +
++files_list_tmp(firewalld_t)
 +files_read_etc_files(firewalld_t)
 +files_read_usr_files(firewalld_t)
 +
@@ -20436,6 +20474,8 @@ index 0000000..f4d5b52
 +
 +logging_send_syslog_msg(firewalld_t)
 +
++sysnet_dns_name_resolve(firewalld_t)
++
 +optional_policy(`
 +    dbus_system_domain(firewalld_t, firewalld_exec_t)
 +
@@ -27936,7 +27976,7 @@ index b29d8e2..766151a 100644
 +	unconfined_domain(kdumpctl_t)
 +')
 diff --git a/kdumpgui.te b/kdumpgui.te
-index 0c52f60..2b8ea1e 100644
+index 0c52f60..dc204e6 100644
 --- a/kdumpgui.te
 +++ b/kdumpgui.te
 @@ -7,7 +7,10 @@ policy_module(kdumpgui, 1.1.0)
@@ -27951,18 +27991,27 @@ index 0c52f60..2b8ea1e 100644
  
  ######################################
  #
-@@ -18,6 +21,10 @@ allow kdumpgui_t self:capability { net_admin sys_admin sys_rawio };
+@@ -17,6 +20,11 @@ dbus_system_domain(kdumpgui_t, kdumpgui_exec_t)
+ allow kdumpgui_t self:capability { net_admin sys_admin sys_rawio };
  allow kdumpgui_t self:fifo_file rw_fifo_file_perms;
  allow kdumpgui_t self:netlink_kobject_uevent_socket create_socket_perms;
- 
++allow kdumpgui_t self:process sigkill;
++
 +manage_dirs_pattern(kdumpgui_t, kdumpgui_tmp_t, kdumpgui_tmp_t)
 +manage_files_pattern(kdumpgui_t, kdumpgui_tmp_t, kdumpgui_tmp_t)
 +files_tmp_filetrans(kdumpgui_t, kdumpgui_tmp_t, { dir file })
-+
+ 
  kernel_read_system_state(kdumpgui_t)
  kernel_read_network_state(kdumpgui_t)
+@@ -26,6 +34,7 @@ corecmd_exec_shell(kdumpgui_t)
+ 
+ dev_dontaudit_getattr_all_chr_files(kdumpgui_t)
+ dev_read_sysfs(kdumpgui_t)
++dev_read_urand(kdumpgui_t)
  
-@@ -36,6 +43,8 @@ files_manage_etc_runtime_files(kdumpgui_t)
+ files_manage_boot_files(kdumpgui_t)
+ files_manage_boot_symlinks(kdumpgui_t)
+@@ -36,6 +45,8 @@ files_manage_etc_runtime_files(kdumpgui_t)
  files_etc_filetrans_etc_runtime(kdumpgui_t, file)
  files_read_usr_files(kdumpgui_t)
  
@@ -27971,7 +28020,7 @@ index 0c52f60..2b8ea1e 100644
  storage_raw_read_fixed_disk(kdumpgui_t)
  storage_raw_write_fixed_disk(kdumpgui_t)
  
-@@ -43,21 +52,36 @@ auth_use_nsswitch(kdumpgui_t)
+@@ -43,21 +54,37 @@ auth_use_nsswitch(kdumpgui_t)
  
  logging_send_syslog_msg(kdumpgui_t)
  
@@ -27979,13 +28028,14 @@ index 0c52f60..2b8ea1e 100644
 +mount_exec(kdumpgui_t)
  
  init_dontaudit_read_all_script_files(kdumpgui_t)
- 
++init_access_check(kdumpgui_t)
++
 +userdom_dontaudit_search_admin_dir(kdumpgui_t)
 +
 +optional_policy(`
 +	bootloader_exec(kdumpgui_t)
 +')
-+
+ 
  optional_policy(`
  	consoletype_exec(kdumpgui_t)
  ')
@@ -31431,10 +31481,10 @@ index 0000000..75b9968
 +/var/cache/man(/.*)?		gen_context(system_u:object_r:mandb_cache_t,s0)
 diff --git a/mandb.if b/mandb.if
 new file mode 100644
-index 0000000..c61b812
+index 0000000..5de416f
 --- /dev/null
 +++ b/mandb.if
-@@ -0,0 +1,152 @@
+@@ -0,0 +1,174 @@
 +
 +## <summary>policy for mandb</summary>
 +
@@ -31516,6 +31566,28 @@ index 0000000..c61b812
 +
 +########################################
 +## <summary>
++##	Delete mandb cache files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`mandb_delete_cache',`
++	gen_require(`
++		type mandb_cache_t;
++	')
++
++	files_search_var($1)
++	allow $1 mandb_cache_t:dir list_dir_perms;
++	delete_dirs_pattern($1, mandb_cache_t, mandb_cache_t)
++	delete_files_pattern($1, mandb_cache_t, mandb_cache_t)
++	delete_lnk_files_pattern($1, mandb_cache_t, mandb_cache_t)
++')
++
++########################################
++## <summary>
 +##	Create, read, write, and delete
 +##	mandb cache files.
 +## </summary>
@@ -37947,6 +38019,16 @@ index 0000000..f0aaecf
 +    unconfined_domain(nova_volume_t)
 +')
 +
+diff --git a/nscd.fc b/nscd.fc
+index 623b731..429bd79 100644
+--- a/nscd.fc
++++ b/nscd.fc
+@@ -11,3 +11,5 @@
+ /var/run/\.nscd_socket	-s	gen_context(system_u:object_r:nscd_var_run_t,s0)
+ 
+ /var/run/nscd(/.*)?		gen_context(system_u:object_r:nscd_var_run_t,s0)
++
++/usr/lib/systemd/system/nscd\.service -- gen_context(system_u:object_r:nscd_unit_file_t,s0)
 diff --git a/nscd.if b/nscd.if
 index 85188dc..2b37836 100644
 --- a/nscd.if
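Review bot: The new `/usr/lib/systemd/system/nscd\.service` entry is appended after the `/var/run` entries, whereas .fc files in this patch keep entries grouped by path prefix in order; move the line ahead of the `/var` block so the `/usr` entries stay together. The entry also references `nscd_unit_file_t`, whose declaration in nscd.te is not visible in this hunk — make sure the type exists there, or the file-context load fails.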
@@ -40441,10 +40523,10 @@ index 0000000..fdff8eb
 +/var/run/openshift(/.*)?               gen_context(system_u:object_r:openshift_var_run_t,s0)
 diff --git a/openshift.if b/openshift.if
 new file mode 100644
-index 0000000..d0fa573
+index 0000000..681f8a0
 --- /dev/null
 +++ b/openshift.if
-@@ -0,0 +1,555 @@
+@@ -0,0 +1,556 @@
 +
 +## <summary> policy for openshift </summary>
 +
@@ -40797,6 +40879,7 @@ index 0000000..d0fa573
 +	mcs_untrusted_proc($1_t)
 +	domain_user_exemption_target($1_t)
 +	auth_use_nsswitch($1_t)
++	domain_subj_id_change_exemption($1_t)
 +	domain_obj_id_change_exemption($1_t)
 +	domain_dyntrans_type($1_t)
 +
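Review bot: `domain_subj_id_change_exemption($1_t)` is a security-relevant exemption (it lifts the constraint on changing the SELinux user/role of the subject) added without a comment, in a template that also grants `domain_obj_id_change_exemption` and `domain_dyntrans_type`. Presumably it is needed for the dynamic-transition pattern on the neighbouring lines, but that inference should be written down so an auditor does not have to guess: `# subject identity may change on dyntrans — TODO confirm which transition needs it`. The template body continues outside the hunk.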
@@ -41002,10 +41085,10 @@ index 0000000..d0fa573
 +')
 diff --git a/openshift.te b/openshift.te
 new file mode 100644
-index 0000000..b4cafe8
+index 0000000..91c558e
 --- /dev/null
 +++ b/openshift.te
-@@ -0,0 +1,347 @@
+@@ -0,0 +1,351 @@
 +policy_module(openshift,1.0.0)
 +
 +gen_require(`
@@ -41110,6 +41193,7 @@ index 0000000..b4cafe8
 +allow openshift_domain self:msgq create_msgq_perms;
 +allow openshift_domain self:shm create_shm_perms;
 +allow openshift_domain self:sem create_sem_perms;
++dontaudit openshift_domain self:dir write;
 +
 +dontaudit openshift_domain self:netlink_tcpdiag_socket create;
 +allow openshift_domain self:tcp_socket  create_stream_socket_perms;
@@ -41151,6 +41235,9 @@ index 0000000..b4cafe8
 +
 +allow openshift_domain openshift_log_t:file { getattr append lock ioctl };
 +
++#lsof
++allow openshift_domain openshift_initrc_t:tcp_socket getattr;
++
 +dontaudit openshift_domain openshift_initrc_tmp_t:file append;
 +dontaudit openshift_domain openshift_var_run_t:file append;
 +dontaudit openshift_domain openshift_file_type:sock_file execute;
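Review bot: The `#lsof` comment above `allow openshift_domain openshift_initrc_t:tcp_socket getattr;` names the tool but not the reason, which is what the next maintainer needs when deciding whether the cross-domain socket access can go. Expand it to `# lsof inside the gear stats sockets inherited from openshift_initrc_t (getattr only)`, matching the sentence-style comments used elsewhere in the file.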
@@ -44952,7 +45039,7 @@ index 1ddfa16..c0e0959 100644
  /var/spool/postfix/pid/.*	gen_context(system_u:object_r:postfix_var_run_t,s0)
  /var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
 diff --git a/postfix.if b/postfix.if
-index 46bee12..a9cf37f 100644
+index 46bee12..dacb14d 100644
 --- a/postfix.if
 +++ b/postfix.if
 @@ -28,75 +28,23 @@ interface(`postfix_stub',`
@@ -45092,7 +45179,7 @@ index 46bee12..a9cf37f 100644
 +        type postfix_public_t;
 +    ')
 +
-+    allow $1 postfix_public_t:fifo_file rw_inherited_fifo_file_perms;
++    allow $1 postfix_public_t:fifo_file rw_fifo_file_perms;
 +')
 +
  ########################################
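Review bot: Changing `rw_inherited_fifo_file_perms` to `rw_fifo_file_perms` on `postfix_public_t` widens the interface from using an already-open FIFO to opening it, and the interface's name and summary (outside this hunk) are not visible here to confirm they describe that. If the wider permission set is intended, make sure the summary says "read and write" rather than "inherited", so callers know they are granting open; if only inherited access was meant, keep the original macro.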
@@ -45462,7 +45549,7 @@ index 46bee12..a9cf37f 100644
 +	postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
 +')
 diff --git a/postfix.te b/postfix.te
-index a1e0f60..c8217ab 100644
+index a1e0f60..2312d03 100644
 --- a/postfix.te
 +++ b/postfix.te
 @@ -5,6 +5,15 @@ policy_module(postfix, 1.14.0)
@@ -45737,7 +45824,7 @@ index a1e0f60..c8217ab 100644
  ')
  
  optional_policy(`
-@@ -304,9 +360,22 @@ optional_policy(`
+@@ -304,9 +360,26 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -45745,6 +45832,10 @@ index a1e0f60..c8217ab 100644
 +')
 +
 +optional_policy(`
++	openshift_search_lib(postfix_local_t)
++')
++
++optional_policy(`
  	procmail_domtrans(postfix_local_t)
  ')
  
@@ -45760,7 +45851,7 @@ index a1e0f60..c8217ab 100644
  ########################################
  #
  # Postfix map local policy
-@@ -329,7 +398,6 @@ kernel_read_kernel_sysctls(postfix_map_t)
+@@ -329,7 +402,6 @@ kernel_read_kernel_sysctls(postfix_map_t)
  kernel_dontaudit_list_proc(postfix_map_t)
  kernel_dontaudit_read_system_state(postfix_map_t)
  
@@ -45768,7 +45859,7 @@ index a1e0f60..c8217ab 100644
  corenet_all_recvfrom_netlabel(postfix_map_t)
  corenet_tcp_sendrecv_generic_if(postfix_map_t)
  corenet_udp_sendrecv_generic_if(postfix_map_t)
-@@ -348,7 +416,6 @@ corecmd_read_bin_sockets(postfix_map_t)
+@@ -348,7 +420,6 @@ corecmd_read_bin_sockets(postfix_map_t)
  
  files_list_home(postfix_map_t)
  files_read_usr_files(postfix_map_t)
@@ -45776,7 +45867,7 @@ index a1e0f60..c8217ab 100644
  files_read_etc_runtime_files(postfix_map_t)
  files_dontaudit_search_var(postfix_map_t)
  
-@@ -356,8 +423,6 @@ auth_use_nsswitch(postfix_map_t)
+@@ -356,8 +427,6 @@ auth_use_nsswitch(postfix_map_t)
  
  logging_send_syslog_msg(postfix_map_t)
  
@@ -45785,7 +45876,7 @@ index a1e0f60..c8217ab 100644
  optional_policy(`
  	locallogin_dontaudit_use_fds(postfix_map_t)
  ')
-@@ -379,18 +444,24 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p
+@@ -379,18 +448,24 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p
  rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
  rw_sock_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
  
@@ -45811,7 +45902,7 @@ index a1e0f60..c8217ab 100644
  allow postfix_pipe_t self:process setrlimit;
  
  write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
-@@ -401,6 +472,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
+@@ -401,6 +476,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
  
  domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
  
@@ -45820,7 +45911,7 @@ index a1e0f60..c8217ab 100644
  optional_policy(`
  	dovecot_domtrans_deliver(postfix_pipe_t)
  ')
-@@ -420,6 +493,7 @@ optional_policy(`
+@@ -420,6 +497,7 @@ optional_policy(`
  
  optional_policy(`
  	spamassassin_domtrans_client(postfix_pipe_t)
@@ -45828,7 +45919,7 @@ index a1e0f60..c8217ab 100644
  ')
  
  optional_policy(`
-@@ -436,11 +510,17 @@ allow postfix_postdrop_t self:capability sys_resource;
+@@ -436,11 +514,17 @@ allow postfix_postdrop_t self:capability sys_resource;
  allow postfix_postdrop_t self:tcp_socket create;
  allow postfix_postdrop_t self:udp_socket create_socket_perms;
  
@@ -45846,7 +45937,7 @@ index a1e0f60..c8217ab 100644
  corenet_udp_sendrecv_generic_if(postfix_postdrop_t)
  corenet_udp_sendrecv_generic_node(postfix_postdrop_t)
  
-@@ -487,8 +567,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t
+@@ -487,8 +571,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t
  domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
  
  # to write the mailq output, it really should not need read access!
@@ -45857,7 +45948,7 @@ index a1e0f60..c8217ab 100644
  
  init_sigchld_script(postfix_postqueue_t)
  init_use_script_fds(postfix_postqueue_t)
-@@ -519,7 +599,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
+@@ -519,7 +603,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
  
  allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
  allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
@@ -45870,7 +45961,7 @@ index a1e0f60..c8217ab 100644
  
  corecmd_exec_bin(postfix_qmgr_t)
  
-@@ -539,7 +623,9 @@ postfix_list_spool(postfix_showq_t)
+@@ -539,7 +627,9 @@ postfix_list_spool(postfix_showq_t)
  
  allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
  allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
@@ -45881,7 +45972,7 @@ index a1e0f60..c8217ab 100644
  
  # to write the mailq output, it really should not need read access!
  term_use_all_ptys(postfix_showq_t)
-@@ -558,6 +644,11 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms;
+@@ -558,6 +648,11 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms;
  
  allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
  
@@ -45893,7 +45984,7 @@ index a1e0f60..c8217ab 100644
  files_search_all_mountpoints(postfix_smtp_t)
  
  optional_policy(`
-@@ -565,6 +656,14 @@ optional_policy(`
+@@ -565,6 +660,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -45908,7 +45999,7 @@ index a1e0f60..c8217ab 100644
  	milter_stream_connect_all(postfix_smtp_t)
  ')
  
-@@ -581,17 +680,25 @@ stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t },
+@@ -581,17 +684,25 @@ stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t },
  corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t)
  
  # for prng_exch
@@ -45935,7 +46026,7 @@ index a1e0f60..c8217ab 100644
  ')
  
  optional_policy(`
-@@ -599,6 +706,11 @@ optional_policy(`
+@@ -599,6 +710,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -45947,7 +46038,7 @@ index a1e0f60..c8217ab 100644
  	postgrey_stream_connect(postfix_smtpd_t)
  ')
  
-@@ -611,7 +723,6 @@ optional_policy(`
+@@ -611,7 +727,6 @@ optional_policy(`
  # Postfix virtual local policy
  #
  
@@ -45955,7 +46046,7 @@ index a1e0f60..c8217ab 100644
  allow postfix_virtual_t self:process { setsched setrlimit };
  
  allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
-@@ -622,7 +733,6 @@ stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t }
+@@ -622,7 +737,6 @@ stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t }
  corecmd_exec_shell(postfix_virtual_t)
  corecmd_exec_bin(postfix_virtual_t)
  
@@ -45963,7 +46054,7 @@ index a1e0f60..c8217ab 100644
  files_read_usr_files(postfix_virtual_t)
  
  mta_read_aliases(postfix_virtual_t)
-@@ -630,3 +740,76 @@ mta_delete_spool(postfix_virtual_t)
+@@ -630,3 +744,76 @@ mta_delete_spool(postfix_virtual_t)
  # For reading spamassasin
  mta_read_config(postfix_virtual_t)
  mta_manage_spool(postfix_virtual_t)
@@ -51109,10 +51200,10 @@ index 0000000..e38693b
 +')
 diff --git a/realmd.te b/realmd.te
 new file mode 100644
-index 0000000..093f2c8
+index 0000000..5a23bca
 --- /dev/null
 +++ b/realmd.te
-@@ -0,0 +1,56 @@
+@@ -0,0 +1,57 @@
 +policy_module(realmd, 1.0.0)
 +
 +########################################
@@ -51155,6 +51246,7 @@ index 0000000..093f2c8
 +')
 +
 +optional_policy(`
++	gnome_read_config(realmd_t)
 +	gnome_read_generic_cache_files(realmd_t)
 +	gnome_write_generic_cache_files(realmd_t)
 +')
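Review bot: The added `gnome_read_config(realmd_t)` carries no comment saying why realmd needs user gnome config, while the changelog narrows the need to `.config/dconf/user`. If the interface grants read on the whole gnome config home rather than only the dconf database, that is wider than the stated need; a why-comment lets a later reviewer re-check the scope, e.g. `# realmd reads ~/.config/dconf/user`. The optional_policy block this line sits in starts outside the hunk.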
@@ -55387,7 +55479,7 @@ index 82cb169..9bb5db2 100644
 +	allow $1 samba_unit_file_t:service all_service_perms;
  ')
 diff --git a/samba.te b/samba.te
-index 905883f..b92d9af 100644
+index 905883f..12a4581 100644
 --- a/samba.te
 +++ b/samba.te
 @@ -12,7 +12,7 @@ policy_module(samba, 1.15.0)
@@ -55776,12 +55868,12 @@ index 905883f..b92d9af 100644
 -files_read_etc_files(smbcontrol_t)
 +dev_read_urand(smbcontrol_t)
 +
-+term_use_console(smbcontrol_t)
++files_read_usr_files(smbcontrol_t)
  
 -miscfiles_read_localization(smbcontrol_t)
++term_use_console(smbcontrol_t)
  
 -userdom_use_user_terminals(smbcontrol_t)
-+
 +sysnet_use_ldap(smbcontrol_t)
 +
 +userdom_use_inherited_user_terminals(smbcontrol_t)
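Review bot: `files_read_usr_files(smbcontrol_t)` is added here and `files_read_usr_files(winbind_t)` in the later winbind hunk, but only the winbind case is explained by the changelog (the samba codepage file). Since the interface grants read on everything labelled as usr content rather than the one file, a why-comment on each keeps the reason recoverable, e.g. `# /usr/share/samba/codepages/lowcase.dat` above the winbind line, and whatever denial motivated the smbcontrol one above that. The reason for smbcontrol_t is not visible on this page, so it should be confirmed before the comment is written.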
@@ -55809,7 +55901,7 @@ index 905883f..b92d9af 100644
  corenet_all_recvfrom_netlabel(smbmount_t)
  corenet_tcp_sendrecv_generic_if(smbmount_t)
  corenet_raw_sendrecv_generic_if(smbmount_t)
-@@ -645,25 +687,25 @@ files_list_mnt(smbmount_t)
+@@ -645,31 +687,32 @@ files_list_mnt(smbmount_t)
  files_mounton_mnt(smbmount_t)
  files_manage_etc_runtime_files(smbmount_t)
  files_etc_filetrans_etc_runtime(smbmount_t, file)
@@ -55840,7 +55932,14 @@ index 905883f..b92d9af 100644
  ########################################
  #
  # SWAT Local policy
-@@ -684,7 +726,8 @@ samba_domtrans_nmbd(swat_t)
+ #
+ 
+ allow swat_t self:capability { dac_override setuid setgid sys_resource };
++allow swat_t self:capability2 block_suspend;
+ allow swat_t self:process { setrlimit signal_perms };
+ allow swat_t self:fifo_file rw_fifo_file_perms;
+ allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+@@ -684,7 +727,8 @@ samba_domtrans_nmbd(swat_t)
  allow swat_t nmbd_t:process { signal signull };
  allow nmbd_t swat_t:process signal;
  
@@ -55850,7 +55949,7 @@ index 905883f..b92d9af 100644
  
  allow swat_t smbd_port_t:tcp_socket name_bind;
  
-@@ -699,12 +742,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
+@@ -699,12 +743,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
  manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t)
  
  manage_files_pattern(swat_t, samba_var_t, samba_var_t)
@@ -55865,7 +55964,7 @@ index 905883f..b92d9af 100644
  
  manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
  manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -717,6 +762,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
+@@ -717,6 +763,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
  domtrans_pattern(swat_t, winbind_exec_t, winbind_t)
  allow swat_t winbind_t:process { signal signull };
  
@@ -55873,7 +55972,7 @@ index 905883f..b92d9af 100644
  allow swat_t winbind_var_run_t:dir { write add_name remove_name };
  allow swat_t winbind_var_run_t:sock_file { create unlink };
  
-@@ -726,7 +772,6 @@ kernel_read_network_state(swat_t)
+@@ -726,7 +773,6 @@ kernel_read_network_state(swat_t)
  
  corecmd_search_bin(swat_t)
  
@@ -55881,7 +55980,7 @@ index 905883f..b92d9af 100644
  corenet_all_recvfrom_netlabel(swat_t)
  corenet_tcp_sendrecv_generic_if(swat_t)
  corenet_udp_sendrecv_generic_if(swat_t)
-@@ -744,7 +789,6 @@ corenet_sendrecv_ipp_client_packets(swat_t)
+@@ -744,7 +790,6 @@ corenet_sendrecv_ipp_client_packets(swat_t)
  dev_read_urand(swat_t)
  
  files_list_var_lib(swat_t)
@@ -55889,7 +55988,7 @@ index 905883f..b92d9af 100644
  files_search_home(swat_t)
  files_read_usr_files(swat_t)
  fs_getattr_xattr_fs(swat_t)
-@@ -759,7 +803,10 @@ logging_send_syslog_msg(swat_t)
+@@ -759,7 +804,10 @@ logging_send_syslog_msg(swat_t)
  logging_send_audit_msgs(swat_t)
  logging_search_logs(swat_t)
  
@@ -55901,7 +56000,7 @@ index 905883f..b92d9af 100644
  
  optional_policy(`
  	cups_read_rw_config(swat_t)
-@@ -790,7 +837,8 @@ allow winbind_t self:udp_socket create_socket_perms;
+@@ -790,7 +838,8 @@ allow winbind_t self:udp_socket create_socket_perms;
  
  allow winbind_t nmbd_t:process { signal signull };
  
@@ -55911,7 +56010,7 @@ index 905883f..b92d9af 100644
  
  allow winbind_t samba_etc_t:dir list_dir_perms;
  read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
-@@ -813,21 +861,24 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
+@@ -813,21 +862,24 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
  allow winbind_t winbind_log_t:file manage_file_perms;
  logging_log_filetrans(winbind_t, winbind_log_t, file)
  
@@ -55942,7 +56041,7 @@ index 905883f..b92d9af 100644
  corenet_all_recvfrom_netlabel(winbind_t)
  corenet_tcp_sendrecv_generic_if(winbind_t)
  corenet_udp_sendrecv_generic_if(winbind_t)
-@@ -840,6 +891,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
+@@ -840,12 +892,15 @@ corenet_udp_sendrecv_all_ports(winbind_t)
  corenet_tcp_bind_generic_node(winbind_t)
  corenet_udp_bind_generic_node(winbind_t)
  corenet_tcp_connect_smbd_port(winbind_t)
@@ -55950,7 +56049,15 @@ index 905883f..b92d9af 100644
  corenet_tcp_connect_epmap_port(winbind_t)
  corenet_tcp_connect_all_unreserved_ports(winbind_t)
  
-@@ -855,12 +907,14 @@ auth_manage_cache(winbind_t)
+ dev_read_sysfs(winbind_t)
+ dev_read_urand(winbind_t)
+ 
++files_read_usr_files(winbind_t)
++
+ fs_getattr_all_fs(winbind_t)
+ fs_search_auto_mountpoints(winbind_t)
+ 
+@@ -855,12 +910,14 @@ auth_manage_cache(winbind_t)
  
  domain_use_interactive_fds(winbind_t)
  
@@ -55967,7 +56074,7 @@ index 905883f..b92d9af 100644
  
  userdom_dontaudit_use_unpriv_user_fds(winbind_t)
  userdom_manage_user_home_content_dirs(winbind_t)
-@@ -871,6 +925,11 @@ userdom_manage_user_home_content_sockets(winbind_t)
+@@ -871,6 +928,11 @@ userdom_manage_user_home_content_sockets(winbind_t)
  userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file })
  
  optional_policy(`
@@ -55979,7 +56086,7 @@ index 905883f..b92d9af 100644
  	kerberos_use(winbind_t)
  ')
  
-@@ -909,9 +968,7 @@ auth_use_nsswitch(winbind_helper_t)
+@@ -909,9 +971,7 @@ auth_use_nsswitch(winbind_helper_t)
  
  logging_send_syslog_msg(winbind_helper_t)
  
@@ -55990,7 +56097,7 @@ index 905883f..b92d9af 100644
  
  optional_policy(`
  	apache_append_log(winbind_helper_t)
-@@ -929,19 +986,34 @@ optional_policy(`
+@@ -929,19 +989,34 @@ optional_policy(`
  #
  
  optional_policy(`
@@ -56272,10 +56379,10 @@ index 0000000..6caef63
 +/usr/share/sandbox/start --	gen_context(system_u:object_r:sandbox_exec_t,s0)
 diff --git a/sandboxX.if b/sandboxX.if
 new file mode 100644
-index 0000000..1a90278
+index 0000000..f00e5c5
 --- /dev/null
 +++ b/sandboxX.if
-@@ -0,0 +1,389 @@
+@@ -0,0 +1,391 @@
 +
 +## <summary>policy for sandboxX </summary>
 +
@@ -56377,6 +56484,8 @@ index 0000000..1a90278
 +
 +	type $1_client_t, sandbox_x_domain;
 +	application_type($1_client_t)
++	kernel_read_system_state($1_client_t)
++
 +	mcs_untrusted_proc($1_t)
 +
 +	type $1_client_tmpfs_t, sandbox_tmpfs_type;
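Review bot: `kernel_read_system_state($1_client_t)` is added to the sandboxX template without a comment explaining what the sandboxed client needs from /proc, and the line is placed between `application_type` and `mcs_untrusted_proc` where it splits two related type-setup statements. Because this template exists to contain untrusted clients, widening their kernel-state read access deserves a why-comment so the grant can be re-evaluated later, e.g. `# <denial that required /proc system state for the sandboxed client>` with the placeholder replaced by the actual reason. The enclosing template starts and ends outside the hunk.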
@@ -57127,10 +57236,10 @@ index 0000000..152eddf
 +	mozilla_plugin_dontaudit_leaks(sandbox_x_domain)
 +')
 diff --git a/sanlock.fc b/sanlock.fc
-index 5d1826c..9656f79 100644
+index 5d1826c..9059165 100644
 --- a/sanlock.fc
 +++ b/sanlock.fc
-@@ -1,7 +1,8 @@
+@@ -1,7 +1,10 @@
 +
  /etc/rc\.d/init\.d/sanlock	--	gen_context(system_u:object_r:sanlock_initrc_exec_t,s0)
  
@@ -57140,8 +57249,10 @@ index 5d1826c..9656f79 100644
 +/var/log/sanlock\.log.*			gen_context(system_u:object_r:sanlock_log_t,s0)
  
  /usr/sbin/sanlock		--	gen_context(system_u:object_r:sanlock_exec_t,s0)
++
++/usr/lib/systemd/system/sanlock\.service -- gen_context(system_u:object_r:sanlock_unit_file_t,s0)
 diff --git a/sanlock.if b/sanlock.if
-index cfe3172..3eb745d 100644
+index cfe3172..34b861a 100644
 --- a/sanlock.if
 +++ b/sanlock.if
 @@ -1,3 +1,4 @@
@@ -57157,38 +57268,63 @@ index cfe3172..3eb745d 100644
  ########################################
  ## <summary>
  ##	Execute sanlock server in the sanlock domain.
-@@ -57,21 +59,21 @@ interface(`sanlock_manage_pid_files',`
+@@ -57,21 +59,44 @@ interface(`sanlock_manage_pid_files',`
  
  ########################################
  ## <summary>
 -##	Connect to sanlock over an unix stream socket.
 +##      Connect to sanlock over a unix stream socket.
- ## </summary>
- ## <param name="domain">
--##	<summary>
--##	Domain allowed access.
--##	</summary>
++## </summary>
++## <param name="domain">
 +##      <summary>
 +##      Domain allowed access.
 +##      </summary>
- ## </param>
- #
- interface(`sanlock_stream_connect',`
--	gen_require(`
--		type sanlock_t, sanlock_var_run_t;
--	')
++## </param>
++#
++interface(`sanlock_stream_connect',`
 +        gen_require(`
 +                type sanlock_t, sanlock_var_run_t;
 +        ')
++
++        files_search_pids($1)
++        stream_connect_pattern($1, sanlock_var_run_t, sanlock_var_run_t, sanlock_t)
++')
++
++########################################
++## <summary>
++##	Execute virt server in the virt domain.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain allowed to transition.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`sanlock_stream_connect',`
++interface(`sanlock_systemctl',`
+ 	gen_require(`
+-		type sanlock_t, sanlock_var_run_t;
++		type sanlock_unit_file_t;
++		type sanlock_t;
+ 	')
  
 -	files_search_pids($1)
 -	stream_connect_pattern($1, sanlock_var_run_t, sanlock_var_run_t, sanlock_t)
-+        files_search_pids($1)
-+        stream_connect_pattern($1, sanlock_var_run_t, sanlock_var_run_t, sanlock_t)
++	systemd_exec_systemctl($1)
++	allow $1 sanlock_unit_file_t:file read_file_perms;
++	allow $1 sanlock_unit_file_t:service manage_service_perms;
++
++	ps_process_pattern($1, sanlock_t)
  ')
  
  ########################################
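Review bot: The summary block of the new `sanlock_systemctl` interface is a copy-paste from virt: `##	Execute virt server in the virt domain.` and `##	Domain allowed to transition.` describe neither sanlock nor what the interface does (it grants systemctl execution and service management on the sanlock unit file, not a domain transition). Suggested wording: `##	Allow the caller to manage the sanlock service via systemctl.` for the summary and `##	Domain allowed access.` for the parameter. As a point of style, the rewritten `sanlock_stream_connect` body uses eight-space indentation while the rest of the file, including the new interface directly below it, uses tabs.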
-@@ -99,9 +101,13 @@ interface(`sanlock_admin',`
+@@ -95,13 +120,21 @@ interface(`sanlock_admin',`
+ 	gen_require(`
+ 		type sanlock_t;
+ 		type sanlock_initrc_exec_t;
++		type sanlock_unit_file_t;
+ 	')
  
  	allow $1 sanlock_t:process signal_perms;
  	ps_process_pattern($1, sanlock_t)
@@ -57201,9 +57337,12 @@ index cfe3172..3eb745d 100644
  	role_transition $2 sanlock_initrc_exec_t system_r;
  	allow $2 system_r;
 +
++	virt_systemctl($1)
++	admin_pattern($1, sanlock_unit_file_t)
++	allow $1 sanlock_unit_file_t:service all_service_perms;
  ')
 diff --git a/sanlock.te b/sanlock.te
-index e02eb6c..5388405 100644
+index e02eb6c..dc256a5 100644
 --- a/sanlock.te
 +++ b/sanlock.te
 @@ -1,4 +1,4 @@
@@ -57243,7 +57382,17 @@ index e02eb6c..5388405 100644
  
  type sanlock_t;
  type sanlock_exec_t;
-@@ -44,8 +51,9 @@ ifdef(`enable_mls',`
+@@ -32,6 +39,9 @@ logging_log_file(sanlock_log_t)
+ type sanlock_initrc_exec_t;
+ init_script_file(sanlock_initrc_exec_t)
+ 
++type sanlock_unit_file_t;
++systemd_unit_file(sanlock_unit_file_t)
++
+ ifdef(`enable_mcs',`
+ 	init_ranged_daemon_domain(sanlock_t, sanlock_exec_t, s0 - mcs_systemhigh)
+ ')
+@@ -44,8 +54,9 @@ ifdef(`enable_mls',`
  #
  # sanlock local policy
  #
@@ -57255,7 +57404,7 @@ index e02eb6c..5388405 100644
  allow sanlock_t self:fifo_file rw_fifo_file_perms;
  allow sanlock_t self:unix_stream_socket create_stream_socket_perms;
  
-@@ -58,36 +66,49 @@ manage_sock_files_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t)
+@@ -58,36 +69,49 @@ manage_sock_files_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t)
  files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file })
  
  kernel_read_system_state(sanlock_t)
@@ -63292,10 +63441,10 @@ index 0000000..9127cec
 +')
 diff --git a/thumb.te b/thumb.te
 new file mode 100644
-index 0000000..7be96bf
+index 0000000..2ac25e3
 --- /dev/null
 +++ b/thumb.te
-@@ -0,0 +1,121 @@
+@@ -0,0 +1,122 @@
 +policy_module(thumb, 1.0.0)
 +
 +########################################
@@ -63411,6 +63560,7 @@ index 0000000..7be96bf
 +optional_policy(`
 +	# .config
 +	gnome_dontaudit_search_config(thumb_t)
++	gnome_append_generic_cache_files(thumb_t)
 +	gnome_read_generic_data_home_files(thumb_t)
 +	gnome_manage_gstreamer_home_files(thumb_t)
 +	gnome_manage_gstreamer_home_dirs(thumb_t)
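Review bot: `gnome_append_generic_cache_files(thumb_t)` is a write permission added without a comment, while the changelog names the single file `.cache/gdm/session.log`. The interface presumably covers all generic gnome cache files, so a why-comment such as `# appends .cache/gdm/session.log` records the narrower intent for anyone later tightening the thumbnailer policy. The optional_policy block starts outside the hunk.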
@@ -63477,7 +63627,7 @@ index 67b5592..ccddff5 100644
  corenet_tcp_sendrecv_generic_if(timidity_t)
  corenet_udp_sendrecv_generic_if(timidity_t)
 diff --git a/tmpreaper.te b/tmpreaper.te
-index 0521d5a..45d8032 100644
+index 0521d5a..4ad0788 100644
 --- a/tmpreaper.te
 +++ b/tmpreaper.te
 @@ -7,6 +7,7 @@ policy_module(tmpreaper, 1.6.0)
@@ -63552,20 +63702,24 @@ index 0521d5a..45d8032 100644
  	apache_delete_cache_files(tmpreaper_t)
  	apache_setattr_cache_dirs(tmpreaper_t)
  ')
-@@ -66,9 +83,13 @@ optional_policy(`
+@@ -66,9 +83,17 @@ optional_policy(`
  ')
  
  optional_policy(`
 -	rpm_manage_cache(tmpreaper_t)
++	mandb_delete_cache(tmpreaper_t)
+ ')
+ 
+ optional_policy(`
+-	unconfined_domain(tmpreaper_t)
 +	sandbox_list(tmpreaper_t)
 +	sandbox_delete_dirs(tmpreaper_t)
 +	sandbox_delete_files(tmpreaper_t)
 +	sandbox_delete_sock_files(tmpreaper_t)
 +	sandbox_setattr_dirs(tmpreaper_t)
- ')
- 
- optional_policy(`
--	unconfined_domain(tmpreaper_t)
++')
++
++optional_policy(`
 +	rpm_manage_cache(tmpreaper_t)
  ')
 diff --git a/tomcat.fc b/tomcat.fc
@@ -65604,7 +65758,7 @@ index 32a3c13..0cbca75 100644
  
  optional_policy(`
 diff --git a/virt.fc b/virt.fc
-index 2124b6a..d85be92 100644
+index 2124b6a..4c2a0fd 100644
 --- a/virt.fc
 +++ b/virt.fc
 @@ -1,6 +1,14 @@
@@ -65624,7 +65778,7 @@ index 2124b6a..d85be92 100644
  
  /etc/libvirt		-d	gen_context(system_u:object_r:virt_etc_t,s0)
  /etc/libvirt/[^/]*	--	gen_context(system_u:object_r:virt_etc_t,s0)
-@@ -12,18 +20,50 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
+@@ -12,18 +20,54 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
  /etc/xen/[^/]*		-d	gen_context(system_u:object_r:virt_etc_rw_t,s0)
  /etc/xen/.*/.*			gen_context(system_u:object_r:virt_etc_rw_t,s0)
  
@@ -65678,8 +65832,12 @@ index 2124b6a..d85be92 100644
 +/usr/bin/qemu-system-.*	--	gen_context(system_u:object_r:qemu_exec_t,s0)
 +/usr/bin/qemu-kvm	--	gen_context(system_u:object_r:qemu_exec_t,s0)
 +/usr/libexec/qemu.*	--	gen_context(system_u:object_r:qemu_exec_t,s0)
++
++/usr/lib/systemd/system/virt.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0)
++/usr/lib/systemd/system/libvirt.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0)
++/usr/lib/systemd/system/.*xen.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0)
 diff --git a/virt.if b/virt.if
-index 6f0736b..4bebdef 100644
+index 6f0736b..cebdb3e 100644
 --- a/virt.if
 +++ b/virt.if
 @@ -13,64 +13,61 @@
@@ -66096,32 +66254,53 @@ index 6f0736b..4bebdef 100644
  ')
  
  ########################################
-@@ -468,18 +647,7 @@ interface(`virt_manage_images',`
+@@ -468,18 +647,30 @@ interface(`virt_manage_images',`
  	manage_files_pattern($1, virt_image_type, virt_image_type)
  	read_lnk_files_pattern($1, virt_image_type, virt_image_type)
  	rw_blk_files_pattern($1, virt_image_type, virt_image_type)
--
++	rw_chr_files_pattern($1, virt_image_type, virt_image_type)
++')
+ 
 -	tunable_policy(`virt_use_nfs',`
 -		fs_manage_nfs_dirs($1)
 -		fs_manage_nfs_files($1)
 -		fs_read_nfs_symlinks($1)
--	')
--
++########################################
++## <summary>
++##	Execute virt server in the virt domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`virt_systemctl',`
++	gen_require(`
++		type virtd_unit_file_t;
++		type virtd_t;
+ 	')
+ 
 -	tunable_policy(`virt_use_samba',`
 -		fs_manage_cifs_files($1)
 -		fs_manage_cifs_files($1)
 -		fs_read_cifs_symlinks($1)
 -	')
-+	rw_chr_files_pattern($1, virt_image_type, virt_image_type)
++	systemd_exec_systemctl($1)
++	allow $1 virtd_unit_file_t:file read_file_perms;
++	allow $1 virtd_unit_file_t:service manage_service_perms;
++
++	ps_process_pattern($1, virtd_t)
  ')
  
  ########################################
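Review bot: The summary of the new `virt_systemctl` interface, `##	Execute virt server in the virt domain.`, does not describe what the interface grants (systemctl execution, read and manage_service_perms on virtd_unit_file_t, ps on virtd_t) and `##	Domain allowed to transition.` names a transition that does not happen here; suggested wording is `##	Allow the caller to manage the virt services via systemctl.` and `##	Domain allowed access.`. Separately, `rw_chr_files_pattern($1, virt_image_type, virt_image_type)` extends `virt_manage_images` to character devices with no comment; a one-liner naming the device class that needed it would help future reviewers judge the widening. The `virt_manage_images` body starts outside the hunk.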
-@@ -502,10 +670,19 @@ interface(`virt_manage_images',`
+@@ -502,10 +693,20 @@ interface(`virt_manage_images',`
  interface(`virt_admin',`
  	gen_require(`
  		type virtd_t, virtd_initrc_exec_t;
 +		attribute virt_domain;
 +		type virt_lxc_t;
++		type virtd_unit_file_t;
  	')
  
 -	allow $1 virtd_t:process { ptrace signal_perms };
@@ -66137,7 +66316,7 @@ index 6f0736b..4bebdef 100644
  
  	init_labeled_script_domtrans($1, virtd_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -517,4 +694,295 @@ interface(`virt_admin',`
+@@ -517,4 +718,299 @@ interface(`virt_admin',`
  	virt_manage_lib_files($1)
  
  	virt_manage_log($1)
@@ -66145,6 +66324,10 @@ index 6f0736b..4bebdef 100644
 +	virt_manage_images($1)
 +
 +	allow $1 virt_domain:process signal_perms;
++
++	virt_systemctl($1)
++	admin_pattern($1, virtd_unit_file_t)
++	allow $1 virtd_unit_file_t:service all_service_perms;
 +')
 +
 +########################################
@@ -66434,7 +66617,7 @@ index 6f0736b..4bebdef 100644
 +	allow svirt_lxc_domain $1:process sigchld;
  ')
 diff --git a/virt.te b/virt.te
-index 947bbc6..bf78cc7 100644
+index 947bbc6..3ff8e09 100644
 --- a/virt.te
 +++ b/virt.te
 @@ -5,56 +5,87 @@ policy_module(virt, 1.5.0)
@@ -66574,7 +66757,13 @@ index 947bbc6..bf78cc7 100644
  
  type virtd_t;
  type virtd_exec_t;
-@@ -92,6 +134,11 @@ domain_subj_id_change_exemption(virtd_t)
+@@ -89,9 +131,17 @@ init_daemon_domain(virtd_t, virtd_exec_t)
+ domain_obj_id_change_exemption(virtd_t)
+ domain_subj_id_change_exemption(virtd_t)
+ 
++type virtd_unit_file_t;
++systemd_unit_file(virtd_unit_file_t)
++
  type virtd_initrc_exec_t;
  init_script_file(virtd_initrc_exec_t)
  
@@ -66586,7 +66775,7 @@ index 947bbc6..bf78cc7 100644
  ifdef(`enable_mcs',`
  	init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
  ')
-@@ -100,6 +147,35 @@ ifdef(`enable_mls',`
+@@ -100,6 +150,35 @@ ifdef(`enable_mls',`
  	init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh)
  ')
  
@@ -66622,7 +66811,7 @@ index 947bbc6..bf78cc7 100644
  ########################################
  #
  # svirt local policy
-@@ -107,15 +183,13 @@ ifdef(`enable_mls',`
+@@ -107,15 +186,13 @@ ifdef(`enable_mls',`
  
  allow svirt_t self:udp_socket create_socket_perms;
  
@@ -66640,7 +66829,7 @@ index 947bbc6..bf78cc7 100644
  fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file)
  
  list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
-@@ -133,9 +207,17 @@ corenet_tcp_connect_all_ports(svirt_t)
+@@ -133,9 +210,17 @@ corenet_tcp_connect_all_ports(svirt_t)
  
  dev_list_sysfs(svirt_t)
  
@@ -66658,7 +66847,7 @@ index 947bbc6..bf78cc7 100644
  
  tunable_policy(`virt_use_comm',`
  	term_use_unallocated_ttys(svirt_t)
-@@ -143,18 +225,26 @@ tunable_policy(`virt_use_comm',`
+@@ -143,18 +228,26 @@ tunable_policy(`virt_use_comm',`
  ')
  
  tunable_policy(`virt_use_fusefs',`
@@ -66686,7 +66875,7 @@ index 947bbc6..bf78cc7 100644
  ')
  
  tunable_policy(`virt_use_sysfs',`
-@@ -163,11 +253,28 @@ tunable_policy(`virt_use_sysfs',`
+@@ -163,11 +256,28 @@ tunable_policy(`virt_use_sysfs',`
  
  tunable_policy(`virt_use_usb',`
  	dev_rw_usbfs(svirt_t)
@@ -66715,7 +66904,7 @@ index 947bbc6..bf78cc7 100644
  	xen_rw_image_files(svirt_t)
  ')
  
-@@ -176,22 +283,41 @@ optional_policy(`
+@@ -176,22 +286,41 @@ optional_policy(`
  # virtd local policy
  #
  
@@ -66764,7 +66953,7 @@ index 947bbc6..bf78cc7 100644
  
  read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
  read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -202,19 +328,28 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -202,19 +331,28 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
  filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
  
  manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
@@ -66799,7 +66988,7 @@ index 947bbc6..bf78cc7 100644
  manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
  manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
  manage_sock_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-@@ -225,16 +360,21 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -225,16 +363,21 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
  manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
  files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
  
@@ -66822,7 +67011,7 @@ index 947bbc6..bf78cc7 100644
  corenet_all_recvfrom_netlabel(virtd_t)
  corenet_tcp_sendrecv_generic_if(virtd_t)
  corenet_tcp_sendrecv_generic_node(virtd_t)
-@@ -247,22 +387,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
+@@ -247,22 +390,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
  corenet_rw_tun_tap_dev(virtd_t)
  
  dev_rw_sysfs(virtd_t)
@@ -66856,7 +67045,7 @@ index 947bbc6..bf78cc7 100644
  
  fs_list_auto_mountpoints(virtd_t)
  fs_getattr_xattr_fs(virtd_t)
-@@ -270,6 +419,18 @@ fs_rw_anon_inodefs_files(virtd_t)
+@@ -270,6 +422,18 @@ fs_rw_anon_inodefs_files(virtd_t)
  fs_list_inotifyfs(virtd_t)
  fs_manage_cgroup_dirs(virtd_t)
  fs_rw_cgroup_files(virtd_t)
@@ -66875,7 +67064,7 @@ index 947bbc6..bf78cc7 100644
  
  mcs_process_set_categories(virtd_t)
  
-@@ -284,7 +445,8 @@ term_use_ptmx(virtd_t)
+@@ -284,7 +448,8 @@ term_use_ptmx(virtd_t)
  
  auth_use_nsswitch(virtd_t)
  
@@ -66885,7 +67074,7 @@ index 947bbc6..bf78cc7 100644
  miscfiles_read_generic_certs(virtd_t)
  miscfiles_read_hwdata(virtd_t)
  
-@@ -293,17 +455,32 @@ modutils_read_module_config(virtd_t)
+@@ -293,17 +458,32 @@ modutils_read_module_config(virtd_t)
  modutils_manage_module_config(virtd_t)
  
  logging_send_syslog_msg(virtd_t)
@@ -66918,7 +67107,7 @@ index 947bbc6..bf78cc7 100644
  
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virtd_t)
-@@ -322,6 +499,10 @@ optional_policy(`
+@@ -322,6 +502,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -66929,7 +67118,7 @@ index 947bbc6..bf78cc7 100644
  	dbus_system_bus_client(virtd_t)
  
  	optional_policy(`
-@@ -335,19 +516,34 @@ optional_policy(`
+@@ -335,19 +519,34 @@ optional_policy(`
  	optional_policy(`
  		hal_dbus_chat(virtd_t)
  	')
@@ -66965,7 +67154,7 @@ index 947bbc6..bf78cc7 100644
  
  	# Manages /etc/sysconfig/system-config-firewall
  	iptables_manage_config(virtd_t)
-@@ -362,6 +558,12 @@ optional_policy(`
+@@ -362,6 +561,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -66978,7 +67167,7 @@ index 947bbc6..bf78cc7 100644
  	policykit_dbus_chat(virtd_t)
  	policykit_domtrans_auth(virtd_t)
  	policykit_domtrans_resolve(virtd_t)
-@@ -369,11 +571,11 @@ optional_policy(`
+@@ -369,11 +574,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -66995,7 +67184,7 @@ index 947bbc6..bf78cc7 100644
  ')
  
  optional_policy(`
-@@ -384,6 +586,7 @@ optional_policy(`
+@@ -384,6 +589,7 @@ optional_policy(`
  	kernel_read_xen_state(virtd_t)
  	kernel_write_xen_state(virtd_t)
  
@@ -67003,7 +67192,7 @@ index 947bbc6..bf78cc7 100644
  	xen_stream_connect(virtd_t)
  	xen_stream_connect_xenstore(virtd_t)
  	xen_read_image_files(virtd_t)
-@@ -403,34 +606,48 @@ optional_policy(`
+@@ -403,34 +609,48 @@ optional_policy(`
  # virtual domains common policy
  #
  
@@ -67059,7 +67248,7 @@ index 947bbc6..bf78cc7 100644
  dev_read_rand(virt_domain)
  dev_read_sound(virt_domain)
  dev_read_urand(virt_domain)
-@@ -438,10 +655,11 @@ dev_write_sound(virt_domain)
+@@ -438,10 +658,11 @@ dev_write_sound(virt_domain)
  dev_rw_ksm(virt_domain)
  dev_rw_kvm(virt_domain)
  dev_rw_qemu(virt_domain)
@@ -67072,7 +67261,7 @@ index 947bbc6..bf78cc7 100644
  files_read_usr_files(virt_domain)
  files_read_var_files(virt_domain)
  files_search_all(virt_domain)
-@@ -449,23 +667,484 @@ files_search_all(virt_domain)
+@@ -449,23 +670,484 @@ files_search_all(virt_domain)
  fs_getattr_tmpfs(virt_domain)
  fs_rw_anon_inodefs_files(virt_domain)
  fs_rw_tmpfs_files(virt_domain)
@@ -67574,7 +67763,7 @@ index 2511093..669dc13 100644
 -userdom_use_user_terminals(vlock_t)
 +userdom_use_inherited_user_terminals(vlock_t)
 diff --git a/vmware.te b/vmware.te
-index 7d334c4..fb0da00 100644
+index 7d334c4..f716978 100644
 --- a/vmware.te
 +++ b/vmware.te
 @@ -68,7 +68,7 @@ ifdef(`enable_mcs',`
@@ -67586,15 +67775,17 @@ index 7d334c4..fb0da00 100644
  dontaudit vmware_host_t self:capability sys_tty_config;
  allow vmware_host_t self:process { execstack execmem signal_perms };
  allow vmware_host_t self:fifo_file rw_fifo_file_perms;
-@@ -98,7 +98,6 @@ kernel_read_kernel_sysctls(vmware_host_t)
+@@ -97,8 +97,8 @@ logging_log_filetrans(vmware_host_t, vmware_log_t, { file dir })
+ kernel_read_kernel_sysctls(vmware_host_t)
  kernel_read_system_state(vmware_host_t)
  kernel_read_network_state(vmware_host_t)
++kernel_request_load_module(vmware_host_t)
  
 -corenet_all_recvfrom_unlabeled(vmware_host_t)
  corenet_all_recvfrom_netlabel(vmware_host_t)
  corenet_tcp_sendrecv_generic_if(vmware_host_t)
  corenet_udp_sendrecv_generic_if(vmware_host_t)
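Review bot: `kernel_request_load_module(vmware_host_t)` lets the domain ask the kernel to autoload modules by alias, which is a broad privilege for a daemon that only needs its own vmnet modules, and the hunk adds it without a comment. A why-comment recording the observed need keeps the grant reviewable, e.g. `# vmnet-natd triggers module autoloading (module_request)`, ideally naming the module alias from the audit log. Whether the same need applies to the other vmware domains is not visible here.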
-@@ -122,6 +121,7 @@ dev_getattr_all_blk_files(vmware_host_t)
+@@ -122,6 +122,7 @@ dev_getattr_all_blk_files(vmware_host_t)
  dev_read_sysfs(vmware_host_t)
  dev_read_urand(vmware_host_t)
  dev_rw_vmware(vmware_host_t)
@@ -67602,7 +67793,7 @@ index 7d334c4..fb0da00 100644
  
  domain_use_interactive_fds(vmware_host_t)
  domain_dontaudit_read_all_domains_state(vmware_host_t)
-@@ -129,7 +129,7 @@ domain_dontaudit_read_all_domains_state(vmware_host_t)
+@@ -129,7 +130,7 @@ domain_dontaudit_read_all_domains_state(vmware_host_t)
  files_list_tmp(vmware_host_t)
  files_read_etc_files(vmware_host_t)
  files_read_etc_runtime_files(vmware_host_t)
@@ -67611,7 +67802,7 @@ index 7d334c4..fb0da00 100644
  
  fs_getattr_all_fs(vmware_host_t)
  fs_search_auto_mountpoints(vmware_host_t)
-@@ -145,8 +145,6 @@ libs_exec_ld_so(vmware_host_t)
+@@ -145,8 +146,6 @@ libs_exec_ld_so(vmware_host_t)
  
  logging_send_syslog_msg(vmware_host_t)
  
@@ -67620,7 +67811,7 @@ index 7d334c4..fb0da00 100644
  sysnet_dns_name_resolve(vmware_host_t)
  sysnet_domtrans_ifconfig(vmware_host_t)
  
-@@ -157,10 +155,22 @@ netutils_domtrans_ping(vmware_host_t)
+@@ -157,10 +156,22 @@ netutils_domtrans_ping(vmware_host_t)
  
  optional_policy(`
  	hostname_exec(vmware_host_t)
@@ -67644,7 +67835,7 @@ index 7d334c4..fb0da00 100644
  ')
  
  optional_policy(`
-@@ -269,9 +279,8 @@ libs_exec_ld_so(vmware_t)
+@@ -269,9 +280,8 @@ libs_exec_ld_so(vmware_t)
  # Access X11 config files
  libs_read_lib_files(vmware_t)
  
diff --git a/selinux-policy.spec b/selinux-policy.spec
index cce77ca..3db9441 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.11.1
-Release: 32%{?dist}
+Release: 33%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -521,6 +521,26 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Mon Oct 8 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-33
+- Add kernel_read_system_state to sandbox_client_t
+- Add some of the missing access to kdumpgui
+- Allow systemd_dbusd_t to status the init system
+- Allow vmnet-natd to request the kernel to load a module
+- Allow gsf-office-thum to append .cache/gdm/session.log
+- realmd wants to read .config/dconf/user
+- Firewalld wants sys_nice/setsched
+- Allow tmpreaper to delete mandb cache files
+- Firewalld wants sys_nice/setsched
+- Allow firewalld to perform  a DNS name resolution
+- Allown winbind to read /usr/share/samba/codepages/lowcase.dat
+- Add support for HTTPProxy* in /etc/freshclam.conf
+- Fix authlogin_yubike boolean
+- Extend smbd_selinux man page to include samba booleans
+- Allow dhcpc to execute consoletype
+- Allow ping to use inherited tmp files created in init scripts
+- On full relabel with unconfined domain disabled, initrc was running some chcon's
+- Allow people who delete man pages to delete mandb cache files
+
 * Thu Oct 4 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-32
 - Add missing permissive domains
 

