[selinux-policy/f18] * Thu Oct 11 2012 Miroslav Grepl <mgrepl at redhat.com> 3 - Allow semanage to verify types - Allow sudo
Miroslav Grepl
mgrepl at fedoraproject.org
Thu Oct 11 08:35:09 UTC 2012
commit 94f0f42d3a5d4cff3d95ea20fa9bf5bb7024f23a
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Thu Oct 11 10:34:25 2012 +0200
* Thu Oct 11 2012 Miroslav Grepl <mgrepl at redhat.com> 3
- Allow semanage to verify types
- Allow sudo domain to execute user home files
- Allow session_bus_type to transition to user_tmpfs_t
- Add dontaudit caused by yum updates
- Implement pki policy but not activated
policy-rawhide.patch | 362 +++++++++++++-----------
policy_contrib-rawhide.patch | 644 ++++++++++++++++++++++++++++++++++++++++--
selinux-policy.spec | 9 +-
3 files changed, 824 insertions(+), 191 deletions(-)
---
diff --git a/policy-rawhide.patch b/policy-rawhide.patch
index b3a78dd..9978ecb 100644
--- a/policy-rawhide.patch
+++ b/policy-rawhide.patch
@@ -108181,10 +108181,10 @@ index 0960199..aa51ab2 100644
+ can_exec($1, sudo_exec_t)
+')
diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
-index d9fce57..7baf533 100644
+index d9fce57..8ae7673 100644
--- a/policy/modules/admin/sudo.te
+++ b/policy/modules/admin/sudo.te
-@@ -7,3 +7,99 @@ attribute sudodomain;
+@@ -7,3 +7,100 @@ attribute sudodomain;
type sudo_exec_t;
application_executable_file(sudo_exec_t)
@@ -108272,6 +108272,7 @@ index d9fce57..7baf533 100644
+userdom_manage_user_tmp_symlinks(sudodomain)
+userdom_use_user_terminals(sudodomain)
+userdom_signal_all_users(sudodomain)
++userdom_exec_user_home_content_files(sudodomain)
+# for some PAM modules and for cwd
+userdom_search_user_home_content(sudodomain)
+userdom_search_admin_dir(sudodomain)
@@ -134872,7 +134873,7 @@ index 3822072..702e0e0 100644
+ logging_send_syslog_msg($1)
+')
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index ec01d0b..397f91c 100644
+index ec01d0b..b28ba84 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -11,14 +11,17 @@ gen_require(`
@@ -135375,7 +135376,7 @@ index ec01d0b..397f91c 100644
')
########################################
-@@ -522,108 +599,171 @@ ifdef(`distro_ubuntu',`
+@@ -522,108 +599,172 @@ ifdef(`distro_ubuntu',`
# Setfiles local policy
#
@@ -135573,9 +135574,9 @@ index ec01d0b..397f91c 100644
- optional_policy(`
- udev_dontaudit_rw_dgram_sockets(setfiles_t)
- ')
-+allow policy_manager_domain self:capability { dac_override sys_resource };
++allow policy_manager_domain self:capability { dac_override sys_nice sys_resource };
+dontaudit policy_manager_domain self:capability sys_tty_config;
-+allow policy_manager_domain self:process signal;
++allow policy_manager_domain self:process { signal setsched };
+allow policy_manager_domain self:unix_stream_socket create_stream_socket_perms;
+allow policy_manager_domain self:unix_dgram_socket create_socket_perms;
+allow policy_manager_domain self:fifo_file rw_fifo_file_perms;
@@ -135618,6 +135619,7 @@ index ec01d0b..397f91c 100644
+fs_getattr_all_fs(policy_manager_domain)
+
+selinux_validate_context(policy_manager_domain)
++selinux_read_policy(policy_manager_domain)
+
+term_use_all_inherited_terms(policy_manager_domain)
+
@@ -139132,7 +139134,7 @@ index db75976..ce61aed 100644
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index e720dcd..a55dd07 100644
+index e720dcd..c614a1a 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -139541,7 +139543,7 @@ index e720dcd..a55dd07 100644
')
#######################################
-@@ -317,6 +425,7 @@ interface(`userdom_exec_user_tmp_files',`
+@@ -317,11 +425,31 @@ interface(`userdom_exec_user_tmp_files',`
')
exec_files_pattern($1, user_tmp_t, user_tmp_t)
@@ -139549,7 +139551,31 @@ index e720dcd..a55dd07 100644
files_search_tmp($1)
')
-@@ -348,59 +457,60 @@ interface(`userdom_exec_user_tmp_files',`
+ #######################################
+ ## <summary>
++## Manage user temporary file system files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolebase/>
++#
++interface(`userdom_manage_tmpfs_files',`
++ gen_require(`
++ type user_tmpfs_t;
++ ')
++
++ allow $1 user_tmpfs_t:file manage_file_perms;
++')
++
++#######################################
++## <summary>
+ ## Role access for the user tmpfs type
+ ## that the user has full access.
+ ## </summary>
+@@ -348,59 +476,60 @@ interface(`userdom_exec_user_tmp_files',`
#
interface(`userdom_manage_tmpfs_role',`
gen_require(`
@@ -139640,7 +139666,7 @@ index e720dcd..a55dd07 100644
')
#######################################
-@@ -431,6 +541,7 @@ template(`userdom_xwindows_client_template',`
+@@ -431,6 +560,7 @@ template(`userdom_xwindows_client_template',`
dev_dontaudit_rw_dri($1_t)
# GNOME checks for usb and other devices:
dev_rw_usbfs($1_t)
@@ -139648,7 +139674,7 @@ index e720dcd..a55dd07 100644
xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
xserver_xsession_entry_type($1_t)
-@@ -463,8 +574,8 @@ template(`userdom_change_password_template',`
+@@ -463,8 +593,8 @@ template(`userdom_change_password_template',`
')
optional_policy(`
@@ -139659,7 +139685,7 @@ index e720dcd..a55dd07 100644
')
')
-@@ -491,7 +602,8 @@ template(`userdom_common_user_template',`
+@@ -491,7 +621,8 @@ template(`userdom_common_user_template',`
attribute unpriv_userdomain;
')
@@ -139669,7 +139695,7 @@ index e720dcd..a55dd07 100644
##############################
#
-@@ -501,41 +613,51 @@ template(`userdom_common_user_template',`
+@@ -501,41 +632,51 @@ template(`userdom_common_user_template',`
# evolution and gnome-session try to create a netlink socket
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
@@ -139744,7 +139770,7 @@ index e720dcd..a55dd07 100644
# cjp: some of this probably can be removed
selinux_get_fs_mount($1_t)
-@@ -546,100 +668,140 @@ template(`userdom_common_user_template',`
+@@ -546,100 +687,140 @@ template(`userdom_common_user_template',`
selinux_compute_user_contexts($1_t)
# for eject
@@ -139814,29 +139840,35 @@ index e720dcd..a55dd07 100644
+ dbus_system_bus_client($1_usertype)
+
+ allow $1_usertype $1_usertype:dbus send_msg;
-+
-+ optional_policy(`
+
+ optional_policy(`
+- bluetooth_dbus_chat($1_t)
+ avahi_dbus_chat($1_usertype)
-+ ')
-+
-+ optional_policy(`
+ ')
+
+ optional_policy(`
+- evolution_dbus_chat($1_t)
+- evolution_alarm_dbus_chat($1_t)
+ policykit_dbus_chat($1_usertype)
-+ ')
-+
-+ optional_policy(`
+ ')
+
+ optional_policy(`
+- cups_dbus_chat_config($1_t)
+ bluetooth_dbus_chat($1_usertype)
-+ ')
-+
-+ optional_policy(`
+ ')
+
+ optional_policy(`
+- hal_dbus_chat($1_t)
+ consolekit_dbus_chat($1_usertype)
+ consolekit_read_log($1_usertype)
-+ ')
-+
-+ optional_policy(`
+ ')
+
+ optional_policy(`
+- networkmanager_dbus_chat($1_t)
+ devicekit_dbus_chat($1_usertype)
+ devicekit_dbus_chat_power($1_usertype)
+ devicekit_dbus_chat_disk($1_usertype)
-+ ')
+ ')
+
+ optional_policy(`
+ evolution_dbus_chat($1_usertype)
@@ -139846,42 +139878,36 @@ index e720dcd..a55dd07 100644
+ optional_policy(`
+ gnome_dbus_chat_gconfdefault($1_usertype)
+ ')
-
- optional_policy(`
-- bluetooth_dbus_chat($1_t)
++
++ optional_policy(`
+ hal_dbus_chat($1_usertype)
- ')
-
- optional_policy(`
-- evolution_dbus_chat($1_t)
-- evolution_alarm_dbus_chat($1_t)
++ ')
++
++ optional_policy(`
+ kde_dbus_chat_backlighthelper($1_usertype)
- ')
-
- optional_policy(`
-- cups_dbus_chat_config($1_t)
++ ')
++
++ optional_policy(`
+ modemmanager_dbus_chat($1_usertype)
- ')
-
- optional_policy(`
-- hal_dbus_chat($1_t)
++ ')
++
++ optional_policy(`
+ networkmanager_dbus_chat($1_usertype)
+ networkmanager_read_lib_files($1_usertype)
- ')
-
- optional_policy(`
-- networkmanager_dbus_chat($1_t)
++ ')
++
++ optional_policy(`
+ vpn_dbus_chat($1_usertype)
- ')
++ ')
++ ')
++
++ optional_policy(`
++ git_session_role($1_r, $1_usertype)
')
optional_policy(`
- inetd_use_fds($1_t)
- inetd_rw_tcp_sockets($1_t)
-+ git_session_role($1_r, $1_usertype)
-+ ')
-+
-+ optional_policy(`
+ inetd_use_fds($1_usertype)
+ inetd_rw_tcp_sockets($1_usertype)
')
@@ -139923,7 +139949,7 @@ index e720dcd..a55dd07 100644
mysql_stream_connect($1_t)
')
')
-@@ -651,40 +813,52 @@ template(`userdom_common_user_template',`
+@@ -651,40 +832,52 @@ template(`userdom_common_user_template',`
optional_policy(`
# to allow monitoring of pcmcia status
@@ -139988,7 +140014,7 @@ index e720dcd..a55dd07 100644
')
')
-@@ -709,17 +883,33 @@ template(`userdom_common_user_template',`
+@@ -709,17 +902,33 @@ template(`userdom_common_user_template',`
template(`userdom_login_user_template', `
gen_require(`
class context contains;
@@ -140027,7 +140053,7 @@ index e720dcd..a55dd07 100644
userdom_change_password_template($1)
-@@ -727,82 +917,96 @@ template(`userdom_login_user_template', `
+@@ -727,82 +936,96 @@ template(`userdom_login_user_template', `
#
# User domain Local policy
#
@@ -140160,7 +140186,7 @@ index e720dcd..a55dd07 100644
')
')
-@@ -834,6 +1038,12 @@ template(`userdom_restricted_user_template',`
+@@ -834,6 +1057,12 @@ template(`userdom_restricted_user_template',`
typeattribute $1_t unpriv_userdomain;
domain_interactive_fd($1_t)
@@ -140173,7 +140199,7 @@ index e720dcd..a55dd07 100644
##############################
#
# Local policy
-@@ -874,46 +1084,114 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -874,46 +1103,114 @@ template(`userdom_restricted_xwindows_user_template',`
# Local policy
#
@@ -140301,7 +140327,7 @@ index e720dcd..a55dd07 100644
')
')
-@@ -948,27 +1226,33 @@ template(`userdom_unpriv_user_template', `
+@@ -948,27 +1245,33 @@ template(`userdom_unpriv_user_template', `
#
# Inherit rules for ordinary users.
@@ -140339,7 +140365,7 @@ index e720dcd..a55dd07 100644
fs_manage_noxattr_fs_files($1_t)
fs_manage_noxattr_fs_dirs($1_t)
# Write floppies
-@@ -979,23 +1263,56 @@ template(`userdom_unpriv_user_template', `
+@@ -979,23 +1282,56 @@ template(`userdom_unpriv_user_template', `
')
')
@@ -140406,7 +140432,7 @@ index e720dcd..a55dd07 100644
')
# Run pppd in pppd_t by default for user
-@@ -1004,7 +1321,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1004,7 +1340,9 @@ template(`userdom_unpriv_user_template', `
')
optional_policy(`
@@ -140417,7 +140443,7 @@ index e720dcd..a55dd07 100644
')
')
-@@ -1040,7 +1359,7 @@ template(`userdom_unpriv_user_template', `
+@@ -1040,7 +1378,7 @@ template(`userdom_unpriv_user_template', `
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -140426,7 +140452,7 @@ index e720dcd..a55dd07 100644
')
##############################
-@@ -1067,6 +1386,7 @@ template(`userdom_admin_user_template',`
+@@ -1067,6 +1405,7 @@ template(`userdom_admin_user_template',`
#
allow $1_t self:capability ~{ sys_module audit_control audit_write };
@@ -140434,7 +140460,7 @@ index e720dcd..a55dd07 100644
allow $1_t self:process { setexec setfscreate };
allow $1_t self:netlink_audit_socket nlmsg_readpriv;
allow $1_t self:tun_socket create;
-@@ -1075,6 +1395,9 @@ template(`userdom_admin_user_template',`
+@@ -1075,6 +1414,9 @@ template(`userdom_admin_user_template',`
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -140444,7 +140470,7 @@ index e720dcd..a55dd07 100644
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1089,6 +1412,7 @@ template(`userdom_admin_user_template',`
+@@ -1089,6 +1431,7 @@ template(`userdom_admin_user_template',`
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -140452,7 +140478,7 @@ index e720dcd..a55dd07 100644
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1106,10 +1430,14 @@ template(`userdom_admin_user_template',`
+@@ -1106,10 +1449,14 @@ template(`userdom_admin_user_template',`
dev_rename_all_blk_files($1_t)
dev_rename_all_chr_files($1_t)
dev_create_generic_symlinks($1_t)
@@ -140467,7 +140493,7 @@ index e720dcd..a55dd07 100644
domain_dontaudit_ptrace_all_domains($1_t)
# signal all domains:
domain_kill_all_domains($1_t)
-@@ -1120,29 +1448,38 @@ template(`userdom_admin_user_template',`
+@@ -1120,30 +1467,39 @@ template(`userdom_admin_user_template',`
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
@@ -140503,14 +140529,16 @@ index e720dcd..a55dd07 100644
logging_send_syslog_msg($1_t)
- modutils_domtrans_insmod($1_t)
+-
+ optional_policy(`
+ modutils_domtrans_insmod($1_t)
+ modutils_domtrans_depmod($1_t)
+ ')
-
++
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
-@@ -1152,6 +1489,8 @@ template(`userdom_admin_user_template',`
+ # cannot directly manipulate policy files with arbitrary programs.
+@@ -1152,6 +1508,8 @@ template(`userdom_admin_user_template',`
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -140519,7 +140547,7 @@ index e720dcd..a55dd07 100644
userdom_manage_user_home_content_dirs($1_t)
userdom_manage_user_home_content_files($1_t)
userdom_manage_user_home_content_symlinks($1_t)
-@@ -1159,13 +1498,17 @@ template(`userdom_admin_user_template',`
+@@ -1159,13 +1517,17 @@ template(`userdom_admin_user_template',`
userdom_manage_user_home_content_sockets($1_t)
userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
@@ -140538,7 +140566,7 @@ index e720dcd..a55dd07 100644
optional_policy(`
postgresql_unconfined($1_t)
')
-@@ -1211,6 +1554,8 @@ template(`userdom_security_admin_template',`
+@@ -1211,6 +1573,8 @@ template(`userdom_security_admin_template',`
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -140547,7 +140575,7 @@ index e720dcd..a55dd07 100644
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1223,8 +1568,10 @@ template(`userdom_security_admin_template',`
+@@ -1223,8 +1587,10 @@ template(`userdom_security_admin_template',`
selinux_set_enforce_mode($1)
selinux_set_all_booleans($1)
selinux_set_parameters($1)
@@ -140559,7 +140587,7 @@ index e720dcd..a55dd07 100644
auth_relabel_shadow($1)
init_exec($1)
-@@ -1235,29 +1582,31 @@ template(`userdom_security_admin_template',`
+@@ -1235,29 +1601,31 @@ template(`userdom_security_admin_template',`
logging_read_audit_config($1)
seutil_manage_bin_policy($1)
@@ -140602,7 +140630,7 @@ index e720dcd..a55dd07 100644
')
optional_policy(`
-@@ -1317,12 +1666,15 @@ interface(`userdom_user_application_domain',`
+@@ -1317,12 +1685,15 @@ interface(`userdom_user_application_domain',`
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@@ -140619,20 +140647,17 @@ index e720dcd..a55dd07 100644
')
########################################
-@@ -1363,13 +1715,58 @@ interface(`userdom_user_tmpfs_file',`
+@@ -1363,6 +1734,51 @@ interface(`userdom_user_tmpfs_file',`
## <summary>
## Allow domain to attach to TUN devices created by administrative users.
## </summary>
--## <param name="domain">
+## <param name="type">
- ## <summary>
--## Domain allowed access.
++## <summary>
+## Type to be used as a file in the
+## generic temporary directory.
- ## </summary>
- ## </param>
- #
--interface(`userdom_attach_admin_tun_iface',`
++## </summary>
++## </param>
++#
+interface(`userdom_user_tmp_content',`
+ gen_require(`
+ attribute user_tmp_type;
@@ -140671,17 +140696,10 @@ index e720dcd..a55dd07 100644
+## <summary>
+## Allow domain to attach to TUN devices created by administrative users.
+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`userdom_attach_admin_tun_iface',`
- gen_require(`
- attribute admindomain;
- ')
-@@ -1467,11 +1864,31 @@ interface(`userdom_search_user_home_dirs',`
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+@@ -1467,11 +1883,31 @@ interface(`userdom_search_user_home_dirs',`
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -140713,7 +140731,7 @@ index e720dcd..a55dd07 100644
## Do not audit attempts to search user home directories.
## </summary>
## <desc>
-@@ -1513,6 +1930,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1513,6 +1949,14 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -140728,7 +140746,7 @@ index e720dcd..a55dd07 100644
')
########################################
-@@ -1528,9 +1953,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1528,9 +1972,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -140740,7 +140758,7 @@ index e720dcd..a55dd07 100644
')
########################################
-@@ -1587,6 +2014,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1587,6 +2033,42 @@ interface(`userdom_relabelto_user_home_dirs',`
allow $1 user_home_dir_t:dir relabelto;
')
@@ -140783,7 +140801,7 @@ index e720dcd..a55dd07 100644
########################################
## <summary>
## Create directories in the home dir root with
-@@ -1666,6 +2129,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1666,6 +2148,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -140792,7 +140810,7 @@ index e720dcd..a55dd07 100644
')
########################################
-@@ -1680,10 +2145,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1680,10 +2164,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -140807,7 +140825,7 @@ index e720dcd..a55dd07 100644
')
########################################
-@@ -1726,6 +2193,43 @@ interface(`userdom_delete_user_home_content_dirs',`
+@@ -1726,6 +2212,43 @@ interface(`userdom_delete_user_home_content_dirs',`
########################################
## <summary>
@@ -140851,7 +140869,7 @@ index e720dcd..a55dd07 100644
## Do not audit attempts to set the
## attributes of user home files.
## </summary>
-@@ -1745,6 +2249,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1745,6 +2268,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
########################################
## <summary>
@@ -140877,7 +140895,7 @@ index e720dcd..a55dd07 100644
## Mmap user home files.
## </summary>
## <param name="domain">
-@@ -1775,14 +2298,36 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1775,14 +2317,36 @@ interface(`userdom_mmap_user_home_content_files',`
interface(`userdom_read_user_home_content_files',`
gen_require(`
type user_home_dir_t, user_home_t;
@@ -140915,7 +140933,7 @@ index e720dcd..a55dd07 100644
## Do not audit attempts to read user home files.
## </summary>
## <param name="domain">
-@@ -1793,11 +2338,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1793,11 +2357,14 @@ interface(`userdom_read_user_home_content_files',`
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -140933,7 +140951,7 @@ index e720dcd..a55dd07 100644
')
########################################
-@@ -1856,6 +2404,78 @@ interface(`userdom_delete_user_home_content_files',`
+@@ -1856,6 +2423,78 @@ interface(`userdom_delete_user_home_content_files',`
########################################
## <summary>
@@ -141012,7 +141030,7 @@ index e720dcd..a55dd07 100644
## Do not audit attempts to write user home files.
## </summary>
## <param name="domain">
-@@ -1887,8 +2507,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1887,8 +2526,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@@ -141022,7 +141040,7 @@ index e720dcd..a55dd07 100644
')
########################################
-@@ -1904,20 +2523,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1904,20 +2542,14 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -141047,7 +141065,7 @@ index e720dcd..a55dd07 100644
########################################
## <summary>
-@@ -2018,6 +2631,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
+@@ -2018,6 +2650,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
########################################
## <summary>
@@ -141072,7 +141090,7 @@ index e720dcd..a55dd07 100644
## Create, read, write, and delete named pipes
## in a user home subdirectory.
## </summary>
-@@ -2250,11 +2881,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2250,11 +2900,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
#
interface(`userdom_read_user_tmp_files',`
gen_require(`
@@ -141087,7 +141105,7 @@ index e720dcd..a55dd07 100644
files_search_tmp($1)
')
-@@ -2274,7 +2905,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2274,7 +2924,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -141096,15 +141114,19 @@ index e720dcd..a55dd07 100644
')
########################################
-@@ -2521,6 +3152,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2521,13 +3171,32 @@ interface(`userdom_tmp_filetrans_user_tmp',`
files_tmp_filetrans($1, user_tmp_t, $2, $3)
')
+-########################################
+#######################################
-+## <summary>
+ ## <summary>
+-## Read user tmpfs files.
+## Getattr user tmpfs files.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+## <summary>
+## Domain allowed access.
+## </summary>
@@ -141119,10 +141141,17 @@ index e720dcd..a55dd07 100644
+ fs_search_tmpfs($1)
+')
+
- ########################################
- ## <summary>
- ## Read user tmpfs files.
-@@ -2537,13 +3187,14 @@ interface(`userdom_read_user_tmpfs_files',`
++########################################
++## <summary>
++## Read user tmpfs files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
+ ## </summary>
+ ## </param>
+ #
+@@ -2537,13 +3206,14 @@ interface(`userdom_read_user_tmpfs_files',`
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -141138,7 +141167,7 @@ index e720dcd..a55dd07 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2564,7 +3215,7 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2564,7 +3234,7 @@ interface(`userdom_rw_user_tmpfs_files',`
########################################
## <summary>
@@ -141147,7 +141176,7 @@ index e720dcd..a55dd07 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2572,19 +3223,17 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2572,14 +3242,30 @@ interface(`userdom_rw_user_tmpfs_files',`
## </summary>
## </param>
#
@@ -141161,32 +141190,11 @@ index e720dcd..a55dd07 100644
- allow $1 user_tmpfs_t:dir list_dir_perms;
- fs_search_tmpfs($1)
+ allow $1 user_tmpfs_t:file rw_inherited_file_perms;
- ')
-
- ########################################
- ## <summary>
--## Get the attributes of a user domain tty.
-+## Execute user tmpfs files.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -2592,9 +3241,27 @@ interface(`userdom_manage_user_tmpfs_files',`
- ## </summary>
- ## </param>
- #
--interface(`userdom_getattr_user_ttys',`
-+interface(`userdom_execute_user_tmpfs_files',`
- gen_require(`
-- type user_tty_device_t;
-+ type user_tmpfs_t;
-+ ')
-+
-+ allow $1 user_tmpfs_t:file execute;
+')
+
+########################################
+## <summary>
-+## Get the attributes of a user domain tty.
++## Execute user tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -141194,13 +141202,16 @@ index e720dcd..a55dd07 100644
+## </summary>
+## </param>
+#
-+interface(`userdom_getattr_user_ttys',`
++interface(`userdom_execute_user_tmpfs_files',`
+ gen_require(`
-+ type user_tty_device_t;
- ')
++ type user_tmpfs_t;
++ ')
++
++ allow $1 user_tmpfs_t:file execute;
+ ')
- allow $1 user_tty_device_t:chr_file getattr_chr_file_perms;
-@@ -2674,6 +3341,24 @@ interface(`userdom_use_user_ttys',`
+ ########################################
+@@ -2674,6 +3360,24 @@ interface(`userdom_use_user_ttys',`
########################################
## <summary>
@@ -141225,7 +141236,7 @@ index e720dcd..a55dd07 100644
## Read and write a user domain pty.
## </summary>
## <param name="domain">
-@@ -2692,22 +3377,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2692,22 +3396,34 @@ interface(`userdom_use_user_ptys',`
########################################
## <summary>
@@ -141268,7 +141279,7 @@ index e720dcd..a55dd07 100644
## </desc>
## <param name="domain">
## <summary>
-@@ -2716,14 +3413,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2716,14 +3432,33 @@ interface(`userdom_use_user_ptys',`
## </param>
## <infoflow type="both" weight="10"/>
#
@@ -141306,7 +141317,7 @@ index e720dcd..a55dd07 100644
')
########################################
-@@ -2742,8 +3458,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2742,8 +3477,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
type user_tty_device_t, user_devpts_t;
')
@@ -141336,7 +141347,7 @@ index e720dcd..a55dd07 100644
')
########################################
-@@ -2815,69 +3550,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2815,69 +3569,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
@@ -141437,7 +141448,7 @@ index e720dcd..a55dd07 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2885,12 +3619,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -2885,12 +3638,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
## </summary>
## </param>
#
@@ -141452,7 +141463,7 @@ index e720dcd..a55dd07 100644
')
########################################
-@@ -2954,7 +3688,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2954,7 +3707,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -141461,7 +141472,7 @@ index e720dcd..a55dd07 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -2970,29 +3704,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2970,29 +3723,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -141495,7 +141506,7 @@ index e720dcd..a55dd07 100644
')
########################################
-@@ -3074,7 +3792,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3074,7 +3811,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -141504,7 +141515,7 @@ index e720dcd..a55dd07 100644
')
########################################
-@@ -3129,7 +3847,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3129,7 +3866,45 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -141551,7 +141562,7 @@ index e720dcd..a55dd07 100644
')
########################################
-@@ -3147,7 +3903,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
+@@ -3147,7 +3922,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
type user_tty_device_t;
')
@@ -141560,7 +141571,7 @@ index e720dcd..a55dd07 100644
')
########################################
-@@ -3166,6 +3922,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3166,6 +3941,7 @@ interface(`userdom_read_all_users_state',`
')
read_files_pattern($1, userdomain, userdomain)
@@ -141568,7 +141579,7 @@ index e720dcd..a55dd07 100644
kernel_search_proc($1)
')
-@@ -3242,6 +3999,42 @@ interface(`userdom_signal_all_users',`
+@@ -3242,6 +4018,42 @@ interface(`userdom_signal_all_users',`
allow $1 userdomain:process signal;
')
@@ -141611,7 +141622,7 @@ index e720dcd..a55dd07 100644
########################################
## <summary>
## Send a SIGCHLD signal to all user domains.
-@@ -3262,6 +4055,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3262,6 +4074,24 @@ interface(`userdom_sigchld_all_users',`
########################################
## <summary>
@@ -141636,7 +141647,7 @@ index e720dcd..a55dd07 100644
## Create keys for all user domains.
## </summary>
## <param name="domain">
-@@ -3296,3 +4107,1300 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3296,3 +4126,1331 @@ interface(`userdom_dbus_send_all_users',`
allow $1 userdomain:dbus send_msg;
')
@@ -142937,6 +142948,37 @@ index e720dcd..a55dd07 100644
+
+ typeattribute $1 userdom_home_manager_type;
+')
++
++########################################
++## <summary>
++## Create objects in the temporary filesystem directory
++## with an automatic type transition to
++## the user temporary filesystem type.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="object_class">
++## <summary>
++## The class of the object to be created.
++## </summary>
++## </param>
++## <param name="name" optional="true">
++## <summary>
++## The name of the object being created.
++## </summary>
++## </param>
++#
++interface(`userdom_tmpfs_filetrans',`
++ gen_require(`
++ type user_tmpfs_t;
++ ')
++
++ fs_tmpfs_filetrans($1, user_tmpfs_t, $2, $3)
++')
++
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 6a4bd85..662afd7 100644
--- a/policy/modules/system/userdomain.te
diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch
index 0bc8f5f..ad94e53 100644
--- a/policy_contrib-rawhide.patch
+++ b/policy_contrib-rawhide.patch
@@ -3000,7 +3000,7 @@ index 6480167..604d2bd 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/apache.te b/apache.te
-index 0833afb..b075368 100644
+index 0833afb..d53ed27 100644
--- a/apache.te
+++ b/apache.te
@@ -18,6 +18,8 @@ policy_module(apache, 2.4.0)
@@ -3709,7 +3709,7 @@ index 0833afb..b075368 100644
')
optional_policy(`
-@@ -594,6 +927,42 @@ optional_policy(`
+@@ -594,6 +927,51 @@ optional_policy(`
')
optional_policy(`
@@ -3741,6 +3741,15 @@ index 0833afb..b075368 100644
+')
+
+optional_policy(`
++ pki_apache_domain_signal(httpd_t)
++ pki_apache_domain_signal(httpd_t)
++ pki_manage_apache_run(httpd_t)
++ pki_manage_apache_config_files(httpd_t)
++ pki_manage_apache_log_files(httpd_t)
++ pki_manage_apache_lib(httpd_t)
++')
++
++optional_policy(`
+ puppet_read_lib(httpd_t)
+')
+
@@ -3752,7 +3761,7 @@ index 0833afb..b075368 100644
# Allow httpd to work with postgresql
postgresql_stream_connect(httpd_t)
postgresql_unpriv_client(httpd_t)
-@@ -608,6 +977,11 @@ optional_policy(`
+@@ -608,6 +986,11 @@ optional_policy(`
')
optional_policy(`
@@ -3764,7 +3773,7 @@ index 0833afb..b075368 100644
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -620,6 +994,12 @@ optional_policy(`
+@@ -620,6 +1003,12 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -3777,7 +3786,7 @@ index 0833afb..b075368 100644
########################################
#
# Apache helper local policy
-@@ -633,7 +1013,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
+@@ -633,7 +1022,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
logging_send_syslog_msg(httpd_helper_t)
@@ -3790,7 +3799,7 @@ index 0833afb..b075368 100644
########################################
#
-@@ -671,28 +1055,30 @@ libs_exec_lib_files(httpd_php_t)
+@@ -671,28 +1064,30 @@ libs_exec_lib_files(httpd_php_t)
userdom_use_unpriv_users_fds(httpd_php_t)
tunable_policy(`httpd_can_network_connect_db',`
@@ -3834,7 +3843,7 @@ index 0833afb..b075368 100644
')
########################################
-@@ -702,6 +1088,7 @@ optional_policy(`
+@@ -702,6 +1097,7 @@ optional_policy(`
allow httpd_suexec_t self:capability { setuid setgid };
allow httpd_suexec_t self:process signal_perms;
@@ -3842,7 +3851,7 @@ index 0833afb..b075368 100644
allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-@@ -716,19 +1103,27 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -716,19 +1112,27 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@@ -3871,7 +3880,7 @@ index 0833afb..b075368 100644
files_read_usr_files(httpd_suexec_t)
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)
-@@ -738,15 +1133,14 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -738,15 +1142,14 @@ auth_use_nsswitch(httpd_suexec_t)
logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)
@@ -3889,7 +3898,7 @@ index 0833afb..b075368 100644
corenet_tcp_sendrecv_generic_if(httpd_suexec_t)
corenet_udp_sendrecv_generic_if(httpd_suexec_t)
corenet_tcp_sendrecv_generic_node(httpd_suexec_t)
-@@ -757,13 +1151,31 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -757,13 +1160,31 @@ tunable_policy(`httpd_can_network_connect',`
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
@@ -3922,7 +3931,7 @@ index 0833afb..b075368 100644
fs_read_nfs_files(httpd_suexec_t)
fs_read_nfs_symlinks(httpd_suexec_t)
fs_exec_nfs_files(httpd_suexec_t)
-@@ -786,6 +1198,25 @@ optional_policy(`
+@@ -786,6 +1207,25 @@ optional_policy(`
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -3948,7 +3957,7 @@ index 0833afb..b075368 100644
########################################
#
# Apache system script local policy
-@@ -806,12 +1237,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+@@ -806,12 +1246,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
kernel_read_kernel_sysctls(httpd_sys_script_t)
@@ -3966,7 +3975,7 @@ index 0833afb..b075368 100644
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
-@@ -820,18 +1256,50 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -820,18 +1265,50 @@ tunable_policy(`httpd_can_sendmail',`
mta_send_mail(httpd_sys_script_t)
')
@@ -4025,7 +4034,7 @@ index 0833afb..b075368 100644
corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
corenet_tcp_connect_all_ports(httpd_sys_script_t)
-@@ -839,14 +1307,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -839,14 +1316,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
')
tunable_policy(`httpd_enable_homedirs',`
@@ -4066,7 +4075,7 @@ index 0833afb..b075368 100644
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -859,10 +1352,20 @@ optional_policy(`
+@@ -859,10 +1361,20 @@ optional_policy(`
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -4087,7 +4096,7 @@ index 0833afb..b075368 100644
')
########################################
-@@ -878,11 +1381,9 @@ kernel_read_kernel_sysctls(httpd_rotatelogs_t)
+@@ -878,11 +1390,9 @@ kernel_read_kernel_sysctls(httpd_rotatelogs_t)
kernel_dontaudit_list_proc(httpd_rotatelogs_t)
kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t)
@@ -4099,7 +4108,7 @@ index 0833afb..b075368 100644
########################################
#
-@@ -908,11 +1409,138 @@ optional_policy(`
+@@ -908,11 +1418,138 @@ optional_policy(`
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -7601,7 +7610,7 @@ index 7a6e5ba..7475aa5 100644
admin_pattern($1, certmonger_var_run_t)
')
diff --git a/certmonger.te b/certmonger.te
-index c3e3f79..ce333bd 100644
+index c3e3f79..6cfcb87 100644
--- a/certmonger.te
+++ b/certmonger.te
@@ -18,12 +18,17 @@ files_pid_file(certmonger_var_run_t)
@@ -7674,7 +7683,7 @@ index c3e3f79..ce333bd 100644
optional_policy(`
dbus_system_bus_client(certmonger_t)
-@@ -64,9 +91,42 @@ optional_policy(`
+@@ -64,9 +91,46 @@ optional_policy(`
')
optional_policy(`
@@ -7693,6 +7702,10 @@ index c3e3f79..ce333bd 100644
pcscd_stream_connect(certmonger_t)
')
+
++optional_policy(`
++ pki_rw_tomcat_cert(certmonger_t)
++')
++
+########################################
+#
+# certmonger_unconfined_script_t local policy
@@ -15369,7 +15382,7 @@ index fb4bf82..126d543 100644
+ dontaudit $1 session_bus_type:dbus send_msg;
')
diff --git a/dbus.te b/dbus.te
-index 625cb32..be84a05 100644
+index 625cb32..530fbfa 100644
--- a/dbus.te
+++ b/dbus.te
@@ -10,6 +10,7 @@ gen_require(`
@@ -15485,7 +15498,7 @@ index 625cb32..be84a05 100644
policykit_dbus_chat(system_dbusd_t)
policykit_domtrans_auth(system_dbusd_t)
policykit_search_lib(system_dbusd_t)
-@@ -150,12 +182,157 @@ optional_policy(`
+@@ -150,12 +182,159 @@ optional_policy(`
')
optional_policy(`
@@ -15613,6 +15626,8 @@ index 625cb32..be84a05 100644
+userdom_manage_user_home_content_dirs(session_bus_type)
+userdom_manage_user_home_content_files(session_bus_type)
+userdom_user_home_dir_filetrans_user_home_content(session_bus_type, { dir file })
++userdom_manage_tmpfs_files(session_bus_type, file)
++userdom_tmpfs_filetrans(session_bus_type, file)
+
+optional_policy(`
+ gnome_read_gconf_home_files(session_bus_type)
@@ -43627,6 +43642,574 @@ index 0000000..9ab2c4d
+files_read_etc_files(pkcsslotd_t)
+
+logging_send_syslog_msg(pkcsslotd_t)
+diff --git a/pki.fc b/pki.fc
+new file mode 100644
+index 0000000..20d2c79
+--- /dev/null
++++ b/pki.fc
+@@ -0,0 +1,51 @@
++/etc/pki/pki-tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
++/var/lib/pki/pki-tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
++/var/run/pki/tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
++/var/log/pki/pki-tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0)
++/etc/sysconfig/pki/tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
++/var/log/pki gen_context(system_u:object_r:pki_log_t,s0)
++/usr/bin/pkidaemon gen_context(system_u:object_r:pki_tomcat_exec_t,s0)
++/etc/pki/pki-tomcat/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
++
++/etc/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_etc_rw_t,s0)
++/var/lib/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_var_lib_t,s0)
++/var/log/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_log_t,s0)
++/var/run/pki/ra(/.*)? gen_context(system_u:object_r:pki_ra_var_run_t,s0)
++/etc/sysconfig/pki/ra(/.*)? gen_context(system_u:object_r:pki_ra_etc_rw_t,s0)
++/var/lib/pki-ra/pki-ra gen_context(system_u:object_r:pki_ra_exec_t,s0)
++
++/etc/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_etc_rw_t,s0)
++/var/lib/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_var_lib_t,s0)
++/var/log/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_log_t,s0)
++/var/run/pki/tps(/.*)? gen_context(system_u:object_r:pki_tps_var_run_t,s0)
++/etc/sysconfig/pki/tps(/.*)? gen_context(system_u:object_r:pki_tps_etc_rw_t,s0)
++/var/lib/pki-tps/pki-tps gen_context(system_u:object_r:pki_tps_exec_t,s0)
++
++# default labeling for nCipher
++/opt/nfast/scripts/init.d/(.*) gen_context(system_u:object_r:initrc_exec_t, s0)
++/opt/nfast/sbin/init.d-ncipher gen_context(system_u:object_r:initrc_exec_t, s0)
++/opt/nfast(/.*)? gen_context(system_u:object_r:pki_common_t, s0)
++/dev/nfast(/.*)? gen_context(system_u:object_r:pki_common_dev_t, s0)
++
++# old paths (for migration)
++/etc/pki-ca(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
++/var/lib/pki-ca(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
++/var/run/pki-ca.pid gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
++/var/log/pki-ca(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0)
++/var/lib/pki-ca/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
++/etc/pki-kra(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
++/var/lib/pki-kra(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
++/var/run/pki-kra.pid gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
++/var/log/pki-kra(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0)
++/var/lib/pki-kra/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
++/etc/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
++/var/lib/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
++/var/run/pki-ocsp.pid gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
++/var/log/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0)
++/var/lib/pki-ocsp/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
++/etc/pki-tks(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
++/var/lib/pki-tks(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
++/var/run/pki-tks.pid gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
++/var/log/pki-tks(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0)
++/var/lib/pki-tks/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
++
+diff --git a/pki.if b/pki.if
+new file mode 100644
+index 0000000..2e2927f
+--- /dev/null
++++ b/pki.if
+@@ -0,0 +1,228 @@
++
++## <summary>policy for pki</summary>
++########################################
++## <summary>
++## Allow read and write pki cert files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`pki_rw_tomcat_cert',`
++ gen_require(`
++ type pki_tomcat_cert_t;
++ ')
++
++ rw_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t)
++')
++
++########################################
++## <summary>
++## Create a set of derived types for apache
++## web content.
++## </summary>
++## <param name="prefix">
++## <summary>
++## The prefix to be used for deriving type names.
++## </summary>
++## </param>
++#
++template(`pki_apache_template',`
++ gen_require(`
++ attribute pki_apache_domain;
++ attribute pki_apache_config, pki_apache_var_lib, pki_apache_var_run;
++ attribute pki_apache_executable, pki_apache_script, pki_apache_var_log;
++ ')
++
++ ########################################
++ #
++ # Declarations
++ #
++
++ type $1_t, pki_apache_domain;
++ type $1_exec_t, pki_apache_executable;
++ domain_type($1_t)
++ init_daemon_domain($1_t, $1_exec_t)
++
++ type $1_script_exec_t, pki_apache_script;
++ init_script_file($1_script_exec_t)
++
++ type $1_etc_rw_t, pki_apache_config;
++ files_type($1_etc_rw_t)
++
++ type $1_var_run_t, pki_apache_var_run;
++ files_pid_file($1_var_run_t)
++
++ type $1_var_lib_t, pki_apache_var_lib;
++ files_type($1_var_lib_t)
++
++ type $1_log_t, pki_apache_var_log;
++ logging_log_file($1_log_t)
++
++ type $1_lock_t;
++ files_lock_file($1_lock_t)
++
++ ########################################
++ #
++ # $1 local policy
++ #
++
++ files_read_etc_files($1_t)
++ allow $1_t $1_etc_rw_t:lnk_file read;
++
++ manage_dirs_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
++ manage_files_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
++ files_etc_filetrans($1_t,$1_etc_rw_t, { file dir })
++
++ manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
++ manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
++ files_pid_filetrans($1_t,$1_var_run_t, { file dir })
++
++ manage_dirs_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
++ manage_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
++ read_lnk_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
++ files_var_lib_filetrans($1_t, $1_var_lib_t, { file dir } )
++
++ manage_dirs_pattern($1_t, $1_log_t, $1_log_t)
++ manage_files_pattern($1_t, $1_log_t, $1_log_t)
++ logging_log_filetrans($1_t, $1_log_t, { file dir } )
++
++ manage_dirs_pattern($1_t, $1_lock_t, $1_lock_t)
++ manage_files_pattern($1_t, $1_lock_t, $1_lock_t)
++ manage_lnk_files_pattern($1_t, $1_lock_t, $1_lock_t)
++ files_lock_filetrans($1_t, $1_lock_t, { dir file lnk_file })
++
++ #talk to lunasa hsm
++ logging_send_syslog_msg($1_t)
++
++ kernel_read_kernel_sysctls($1_t)
++ kernel_read_system_state($1_t)
++
++ corenet_all_recvfrom_unlabeled($1_t)
++
++ # need to resolve addresses?
++ auth_use_nsswitch($1_t)
++
++ #pki_apache_domain_signal(httpd_t)
++ #pki_apache_domain_signal(httpd_t)
++ #pki_manage_apache_run(httpd_t)
++ #pki_manage_apache_config_files(httpd_t)
++ #pki_manage_apache_log_files(httpd_t)
++ #pki_manage_apache_lib(httpd_t)
++')
++
++#######################################
++## <summary>
++## Send a null signal to pki apache domains.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`pki_apache_domain_signal',`
++ gen_require(`
++ attribute pki_apache_domain;
++ ')
++
++ allow $1 pki_apache_domain:process signal;
++')
++
++#######################################
++## <summary>
++## Send a null signal to pki apache domains.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`pki_apache_domain_signull',`
++ gen_require(`
++ attribute pki_apache_domain;
++ ')
++
++ allow $1 pki_apache_domain:process signull;
++')
++
++###################################
++## <summary>
++## Allow domain to read pki apache subsystem pid files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`pki_manage_apache_run',`
++ gen_require(`
++ attribute pki_apache_var_run;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, pki_apache_var_run, pki_apache_var_run)
++')
++
++####################################
++## <summary>
++## Allow domain to manage pki apache subsystem lib files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`pki_manage_apache_lib',`
++ gen_require(`
++ attribute pki_apache_var_lib;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, pki_apache_var_lib, pki_apache_var_lib)
++ manage_lnk_files_pattern($1, pki_apache_var_lib, pki_apache_var_lib)
++')
++
++###################################
++## <summary>
++## Allow domain to manage pki apache subsystem log files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`pki_manage_apache_log_files',`
++ gen_require(`
++ attribute pki_apache_var_log;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, pki_apache_var_log, pki_apache_var_log)
++')
++
++##################################
++## <summary>
++## Allow domain to manage pki apache subsystem config files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`pki_manage_apache_config_files',`
++ gen_require(`
++ attribute pki_apache_config;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, pki_apache_config, pki_apache_config)
++')
++
+diff --git a/pki.te b/pki.te
+new file mode 100644
+index 0000000..0f407c1
+--- /dev/null
++++ b/pki.te
+@@ -0,0 +1,271 @@
++policy_module(pki,10.0.11)
++
++########################################
++#
++# Declarations
++#
++
++attribute pki_apache_domain;
++attribute pki_apache_config;
++attribute pki_apache_executable;
++attribute pki_apache_var_lib;
++attribute pki_apache_var_log;
++attribute pki_apache_var_run;
++attribute pki_apache_pidfiles;
++attribute pki_apache_script;
++
++type pki_log_t;
++files_type(pki_log_t)
++
++type pki_common_t;
++files_type(pki_common_t)
++
++type pki_common_dev_t;
++files_type(pki_common_dev_t)
++
++type pki_tomcat_etc_rw_t;
++files_type(pki_tomcat_etc_rw_t)
++
++type pki_tomcat_cert_t;
++files_type(pki_tomcat_cert_t)
++
++tomcat_domain_template(pki_tomcat)
++
++type pki_tomcat_lock_t;
++files_lock_file(pki_tomcat_lock_t)
++
++# old type aliases for migration
++typealias pki_tomcat_t alias { pki_ca_t pki_kra_t pki_ocsp_t pki_tks_t };
++typealias pki_tomcat_etc_rw_t alias { pki_ca_etc_rw_t pki_kra_etc_rw_t pki_ocsp_etc_rw_t pki_tks_etc_rw_t };
++typealias pki_tomcat_var_lib_t alias { pki_ca_var_lib_t pki_kra_var_lib_t pki_ocsp_var_lib_t pki_tks_var_lib_t };
++typealias pki_tomcat_var_run_t alias { pki_ca_var_run_t pki_kra_var_run_t pki_ocsp_var_run_t pki_tks_var_run_t };
++typealias pki_tomcat_log_t alias { pki_ca_log_t pki_kra_log_t pki_ocsp_log_t pki_tks_log_t };
++# typealias http_port_t alias { pki_ca_port_t pki_kra_port_t pki_ocsp_port_t pki_tks_port_t };
++
++
++# pki policy types
++type pki_tps_tomcat_exec_t;
++files_type(pki_tps_tomcat_exec_t)
++
++pki_apache_template(pki_tps)
++
++# ra policy types
++type pki_ra_tomcat_exec_t;
++files_type(pki_ra_tomcat_exec_t)
++
++pki_apache_template(pki_ra)
++
++########################################
++#
++# pki-tomcat local policy
++#
++
++allow pki_tomcat_t self:capability { setuid chown setgid fowner audit_write dac_override sys_nice fsetid};
++allow pki_tomcat_t self:process { signal setsched signull execmem };
++
++allow pki_tomcat_t self:netlink_audit_socket { nlmsg_relay create };
++allow pki_tomcat_t self:tcp_socket { accept listen };
++
++# allow writing to the kernel keyring
++allow pki_tomcat_t self:key { write read };
++
++manage_dirs_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
++manage_files_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
++
++manage_dirs_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)
++manage_files_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)
++
++manage_dirs_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t)
++manage_files_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t)
++manage_lnk_files_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t)
++files_lock_filetrans(pki_tomcat_t, pki_tomcat_lock_t, { dir file lnk_file })
++
++# allow java subsystems to talk to the ncipher hsm
++allow pki_tomcat_t pki_common_dev_t:sock_file write;
++allow pki_tomcat_t pki_common_dev_t:dir search;
++allow pki_tomcat_t pki_common_t:dir create_dir_perms;
++manage_files_pattern(pki_tomcat_t, pki_common_t, pki_common_t)
++can_exec(pki_tomcat_t, pki_common_t)
++init_stream_connect_script(pki_tomcat_t)
++
++search_dirs_pattern(pki_tomcat_t, pki_log_t, pki_log_t)
++
++kernel_read_kernel_sysctls(pki_tomcat_t)
++
++corenet_tcp_connect_http_cache_port(pki_tomcat_t)
++corenet_tcp_connect_ldap_port(pki_tomcat_t)
++corenet_tcp_connect_smtp_port(pki_tomcat_t)
++
++selinux_get_enforce_mode(pki_tomcat_t)
++
++logging_send_audit_msgs(pki_tomcat_t)
++
++miscfiles_read_hwdata(pki_tomcat_t)
++
++# is this really needed?
++userdom_manage_user_tmp_dirs(pki_tomcat_t)
++userdom_manage_user_tmp_files(pki_tomcat_t)
++
++# forward proxy
++# need to define ports to fix this
++#corenet_tcp_connect_pki_tomcat_port(httpd_t)
++
++# for crl publishing
++allow pki_tomcat_t pki_tomcat_var_lib_t:lnk_file { rename create unlink };
++
++# for ECC
++auth_getattr_shadow(pki_tomcat_t)
++
++optional_policy(`
++ consoletype_exec(pki_tomcat_t)
++')
++
++optional_policy(`
++ dirsrv_manage_var_lib(pki_tomcat_t)
++')
++
++optional_policy(`
++ hostname_exec(pki_tomcat_t)
++')
++
++# install/ uninstall instance
++# WHY? leak?
++#allow load_policy_t pki_log_t:file write;
++#allow setfiles_t pki_log_t:file write;
++
++#######################################
++#
++# tps local policy
++#
++
++# used to serve cgi web pages under /var/lib/pki-tps, formatting, enrollment
++allow pki_tps_t pki_tps_var_lib_t:file {execute execute_no_trans};
++
++corenet_tcp_bind_pki_tps_port(pki_tps_t)
++# customer may run an ldap server on 389
++corenet_tcp_connect_ldap_port(pki_tps_t)
++# connect to other subsystems
++corenet_tcp_connect_pki_ca_port(pki_tps_t)
++corenet_tcp_connect_pki_kra_port(pki_tps_t)
++corenet_tcp_connect_pki_tks_port(pki_tps_t)
++
++files_exec_usr_files(pki_tps_t)
++files_read_usr_files(pki_tps_t)
++
++# why do I need to add this?
++#allow httpd_t httpd_config_t:file execute;
++
++######################################
++#
++# ra local policy
++#
++
++# RA specific? talking to mysql?
++allow pki_ra_t self:udp_socket { write read create connect };
++allow pki_ra_t self:unix_dgram_socket { write create connect };
++
++corenet_tcp_bind_pki_ra_port(pki_ra_t)
++# talk to other subsystems
++corenet_tcp_connect_pki_ca_port(pki_ra_t)
++corenet_tcp_connect_smtp_port(pki_ra_t)
++
++fs_getattr_xattr_fs(pki_ra_t)
++
++files_search_spool(pki_ra_t)
++files_exec_usr_files(pki_ra_t)
++
++optional_policy(`
++ mta_send_mail(pki_ra_t)
++ mta_manage_spool(pki_ra_t)
++ mta_manage_queue(pki_ra_t)
++ mta_read_config(pki_ra_t)
++')
++
++#####################################
++#
++# pki_apache_domain local policy
++#
++
++
++allow pki_apache_domain self:capability { setuid sys_nice setgid dac_override fowner fsetid kill chown};
++allow pki_apache_domain self:process { setsched signal getsched signull execstack execmem sigkill};
++
++allow pki_apache_domain self:sem all_sem_perms;
++allow pki_apache_domain self:tcp_socket create_stream_socket_perms;
++allow pki_apache_domain self:netlink_route_socket { write getattr read bind create nlmsg_read };
++
++# allow writing to the kernel keyring
++allow pki_apache_domain self:key { write read };
++
++## internal communication is often done using fifo and unix sockets.
++allow pki_apache_domain self:fifo_file rw_file_perms;
++allow pki_apache_domain self:unix_stream_socket create_stream_socket_perms;
++
++# talk to the hsm
++allow pki_apache_domain pki_common_dev_t:sock_file write;
++allow pki_apache_domain pki_common_dev_t:dir search;
++allow pki_apache_domain pki_common_t:dir create_dir_perms;
++manage_files_pattern(pki_apache_domain, pki_common_t, pki_common_t)
++can_exec(pki_apache_domain, pki_common_t)
++init_stream_connect_script(pki_apache_domain)
++
++corenet_sendrecv_unlabeled_packets(pki_apache_domain)
++corenet_tcp_bind_all_nodes(pki_apache_domain)
++corenet_tcp_sendrecv_all_if(pki_apache_domain)
++corenet_tcp_sendrecv_all_nodes(pki_apache_domain)
++corenet_tcp_sendrecv_all_ports(pki_apache_domain)
++#corenet_all_recvfrom_unlabeled(pki_apache_domain)
++corenet_tcp_connect_generic_port(pki_apache_domain)
++
++# Init script handling
++domain_use_interactive_fds(pki_apache_domain)
++
++seutil_exec_setfiles(pki_apache_domain)
++
++init_dontaudit_write_utmp(pki_apache_domain)
++
++libs_use_ld_so(pki_apache_domain)
++libs_use_shared_libs(pki_apache_domain)
++libs_exec_ld_so(pki_apache_domain)
++libs_exec_lib_files(pki_apache_domain)
++
++fs_search_cgroup_dirs(pki_apache_domain)
++
++corecmd_exec_bin(pki_apache_domain)
++corecmd_exec_shell(pki_apache_domain)
++
++dev_read_urand(pki_apache_domain)
++dev_read_rand(pki_apache_domain)
++
++# shutdown script uses ps
++domain_dontaudit_read_all_domains_state(pki_apache_domain)
++ps_process_pattern(pki_apache_domain, pki_apache_domain)
++
++miscfiles_read_localization(pki_apache_domain)
++
++sysnet_read_config(pki_apache_domain)
++
++ifdef(`targeted_policy',`
++ term_dontaudit_use_unallocated_ttys(pki_apache_domain)
++ term_dontaudit_use_generic_ptys(pki_apache_domain)
++')
++
++optional_policy(`
++ # apache permissions
++ apache_exec_modules(pki_apache_domain)
++ apache_list_modules(pki_apache_domain)
++ apache_read_config(pki_apache_domain)
++ apache_exec(pki_apache_domain)
++ apache_entrypoint(pki_apache_domain)
++
++ # should be started using a script which will execute httpd
++ # start up httpd in pki_apache_domain mode
++ #can_exec(pki_apache_domain, httpd_config_t)
++ #can_exec(pki_apache_domain, httpd_suexec_exec_t)
++')
++
++# allow rpm -q in init scripts
++optional_policy(`
++ rpm_exec(pki_apache_domain)
++')
++
diff --git a/plymouthd.fc b/plymouthd.fc
index 5702ca4..498d856 100644
--- a/plymouthd.fc
@@ -54289,7 +54872,7 @@ index b2a0b6a..ee55335 100644
/var/run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0)
diff --git a/rpm.if b/rpm.if
-index 951d8f6..8ba0f86 100644
+index 951d8f6..bedc8ae 100644
--- a/rpm.if
+++ b/rpm.if
@@ -13,10 +13,13 @@
@@ -54328,7 +54911,7 @@ index 951d8f6..8ba0f86 100644
')
########################################
-@@ -178,6 +189,41 @@ interface(`rpm_rw_pipes',`
+@@ -178,6 +189,42 @@ interface(`rpm_rw_pipes',`
########################################
## <summary>
@@ -54361,6 +54944,7 @@ index 951d8f6..8ba0f86 100644
+ dontaudit $1 rpm_tmpfs_t:dir rw_dir_perms;
+ dontaudit $1 rpm_tmpfs_t:file rw_inherited_file_perms;
+ dontaudit $1 rpm_script_tmp_t:file rw_inherited_file_perms;
++ dontaudit $1 rpm_var_lib_t:dir getattr;
+ dontaudit $1 rpm_var_lib_t:file rw_inherited_file_perms;
+ dontaudit $1 rpm_var_cache_t:file rw_inherited_file_perms;
+')
@@ -54370,7 +54954,7 @@ index 951d8f6..8ba0f86 100644
## Send and receive messages from
## rpm over dbus.
## </summary>
-@@ -274,8 +320,7 @@ interface(`rpm_append_log',`
+@@ -274,8 +321,7 @@ interface(`rpm_append_log',`
type rpm_log_t;
')
@@ -54380,7 +54964,7 @@ index 951d8f6..8ba0f86 100644
')
########################################
-@@ -332,7 +377,9 @@ interface(`rpm_manage_script_tmp_files',`
+@@ -332,7 +378,9 @@ interface(`rpm_manage_script_tmp_files',`
')
files_search_tmp($1)
@@ -54390,7 +54974,7 @@ index 951d8f6..8ba0f86 100644
')
#####################################
-@@ -351,8 +398,7 @@ interface(`rpm_append_tmp_files',`
+@@ -351,8 +399,7 @@ interface(`rpm_append_tmp_files',`
type rpm_tmp_t;
')
@@ -54400,7 +54984,7 @@ index 951d8f6..8ba0f86 100644
')
########################################
-@@ -372,7 +418,9 @@ interface(`rpm_manage_tmp_files',`
+@@ -372,7 +419,9 @@ interface(`rpm_manage_tmp_files',`
')
files_search_tmp($1)
@@ -54410,7 +54994,7 @@ index 951d8f6..8ba0f86 100644
')
########################################
-@@ -456,6 +504,7 @@ interface(`rpm_read_db',`
+@@ -456,6 +505,7 @@ interface(`rpm_read_db',`
allow $1 rpm_var_lib_t:dir list_dir_perms;
read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
@@ -54418,7 +55002,7 @@ index 951d8f6..8ba0f86 100644
')
########################################
-@@ -513,7 +562,7 @@ interface(`rpm_dontaudit_manage_db',`
+@@ -513,7 +563,7 @@ interface(`rpm_dontaudit_manage_db',`
type rpm_var_lib_t;
')
@@ -54427,7 +55011,7 @@ index 951d8f6..8ba0f86 100644
dontaudit $1 rpm_var_lib_t:file manage_file_perms;
dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
')
-@@ -573,3 +622,66 @@ interface(`rpm_pid_filetrans',`
+@@ -573,3 +623,66 @@ interface(`rpm_pid_filetrans',`
files_pid_filetrans($1, rpm_var_run_t, file)
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 0f94bcb..74bc54a 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.11.1
-Release: 35%{?dist}
+Release: 36%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -521,6 +521,13 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Thu Oct 11 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-36
+- Allow semanage to verify types
+- Allow sudo domain to execute user home files
+- Allow session_bus_type to transition to user_tmpfs_t
+- Add dontaudit caused by yum updates
+- Implement pki policy but not activated
+
* Wed Oct 10 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-35
- tuned wants to getattr on all filesystems
- tuned needs also setsched. The build is needed for test day
More information about the scm-commits
mailing list