[selinux-policy/f18] - Remove init_systemd and init_upstart boolean, Move init_daemon_domain and init_system - Add attrib
Miroslav Grepl
mgrepl at fedoraproject.org
Thu Sep 27 08:47:14 UTC 2012
commit 9545dbe75c27f6e766fe52ad569c58b4b3f1d649
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Thu Sep 27 10:46:38 2012 +0200
- Remove init_systemd and init_upstart boolean, Move init_daemon_domain and init_system
- Add attribute to all base os types. Allow all domains to read all ro base OS types
policy-rawhide.patch | 967 +++++++++++++++++++++++++-----------------
policy_contrib-rawhide.patch | 12 +-
selinux-policy.spec | 6 +-
3 files changed, 595 insertions(+), 390 deletions(-)
---
diff --git a/policy-rawhide.patch b/policy-rawhide.patch
index d5b5832..99a9d9d 100644
--- a/policy-rawhide.patch
+++ b/policy-rawhide.patch
@@ -100967,7 +100967,7 @@ index db981df..0b6597c 100644
+/usr/lib/ruby/gems/.*/agents(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/virtualbox/VBoxManage -- gen_context(system_u:object_r:bin_t,s0)
diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
-index 9e9263a..c4dc1b6 100644
+index 9e9263a..2a7d3c1 100644
--- a/policy/modules/kernel/corecommands.if
+++ b/policy/modules/kernel/corecommands.if
@@ -122,6 +122,7 @@ interface(`corecmd_search_bin',`
@@ -101048,10 +101048,10 @@ index 9e9263a..c4dc1b6 100644
read_lnk_files_pattern($1, bin_t, bin_t)
list_dirs_pattern($1, bin_t, bin_t)
can_exec($1, bin_t)
-+ #ifdef(`enable_mls',`',`
-+ # files_exec_usr_files($1)
-+ # libs_exec_lib_files($1)
-+ #')
++
++ ifdef(`enable_mls',`',`
++ files_exec_all_base_ro_files($1)
++ ')
')
########################################
@@ -101105,18 +101105,27 @@ index 9e9263a..c4dc1b6 100644
manage_lnk_files_pattern($1, bin_t, bin_t)
')
diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
-index 1dd0427..a4ba874 100644
+index 1dd0427..6d6f456 100644
--- a/policy/modules/kernel/corecommands.te
+++ b/policy/modules/kernel/corecommands.te
-@@ -13,7 +13,7 @@ attribute exec_type;
+@@ -13,7 +13,8 @@ attribute exec_type;
#
# bin_t is the type of files in the system bin/sbin directories.
#
-type bin_t alias { ls_exec_t sbin_t };
+type bin_t alias { ls_exec_t sbin_t unconfined_execmem_exec_t execmem_exec_t java_exec_t mono_exec_t };
++files_ro_base_file(bin_t)
corecmd_executable_file(bin_t)
dev_associate(bin_t) #For /dev/MAKEDEV
+@@ -21,6 +22,7 @@ dev_associate(bin_t) #For /dev/MAKEDEV
+ # shell_exec_t is the type of user shells such as /bin/bash.
+ #
+ type shell_exec_t;
++files_ro_base_file(shell_exec_t)
+ corecmd_executable_file(shell_exec_t)
+
+ type chroot_exec_t;
diff --git a/policy/modules/kernel/corenetwork.fc b/policy/modules/kernel/corenetwork.fc
index f9b25c1..9af1f7a 100644
--- a/policy/modules/kernel/corenetwork.fc
@@ -104653,10 +104662,16 @@ index d820975..21a21e4 100644
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9")
+')
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
-index 06eda45..7fa1559 100644
+index 06eda45..0018592 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
-@@ -20,6 +20,7 @@ files_mountpoint(device_t)
+@@ -15,11 +15,12 @@ attribute devices_unconfined_type;
+ #
+ type device_t;
+ fs_associate_tmpfs(device_t)
+-files_type(device_t)
++files_base_file(device_t)
+ files_mountpoint(device_t)
files_associate_tmp(device_t)
fs_type(device_t)
fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0);
@@ -104862,7 +104877,7 @@ index 6a1e4d1..eee8419 100644
+ dontaudit $1 domain:socket_class_set { read write };
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..1e017ad 100644
+index cf04cb5..26c940c 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,6 +4,21 @@ policy_module(domain, 1.11.0)
@@ -104887,7 +104902,7 @@ index cf04cb5..1e017ad 100644
## <desc>
## <p>
-@@ -86,23 +101,41 @@ neverallow ~{ domain unlabeled_t } *:process *;
+@@ -86,23 +101,42 @@ neverallow ~{ domain unlabeled_t } *:process *;
allow domain self:dir list_dir_perms;
allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
allow domain self:file rw_file_perms;
@@ -104920,6 +104935,7 @@ index cf04cb5..1e017ad 100644
+files_search_default(domain)
+files_read_inherited_tmp_files(domain)
+files_append_inherited_tmp_files(domain)
++files_read_all_base_ro_files(domain)
+
+# All executables should be able to search the directory they are in
+corecmd_search_bin(domain)
@@ -104930,7 +104946,7 @@ index cf04cb5..1e017ad 100644
ifdef(`hide_broken_symptoms',`
# This check is in the general socket
-@@ -121,8 +154,18 @@ tunable_policy(`global_ssp',`
+@@ -121,8 +155,18 @@ tunable_policy(`global_ssp',`
')
optional_policy(`
@@ -104949,7 +104965,7 @@ index cf04cb5..1e017ad 100644
')
optional_policy(`
-@@ -133,6 +176,8 @@ optional_policy(`
+@@ -133,6 +177,8 @@ optional_policy(`
optional_policy(`
xserver_dontaudit_use_xdm_fds(domain)
xserver_dontaudit_rw_xdm_pipes(domain)
@@ -104958,7 +104974,7 @@ index cf04cb5..1e017ad 100644
')
########################################
-@@ -147,12 +192,18 @@ optional_policy(`
+@@ -147,12 +193,18 @@ optional_policy(`
# Use/sendto/connectto sockets created by any domain.
allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
@@ -104978,7 +104994,7 @@ index cf04cb5..1e017ad 100644
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +217,252 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +218,252 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
allow unconfined_domain_type domain:key *;
@@ -105452,7 +105468,7 @@ index 8796ca3..10f0231 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index e1e814d..13c475a 100644
+index e1e814d..8e5d231 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -55,6 +55,7 @@
@@ -106937,7 +106953,7 @@ index e1e814d..13c475a 100644
## Search the contents of generic spool
## directories (/var/spool).
## </summary>
-@@ -6467,3 +7384,346 @@ interface(`files_unconfined',`
+@@ -6467,3 +7384,439 @@ interface(`files_unconfined',`
typeattribute $1 files_unconfined_type;
')
@@ -107284,11 +107300,111 @@ index e1e814d..13c475a 100644
+ files_etc_filetrans_etc_runtime($1, file, "hwconf")
+ files_etc_filetrans_etc_runtime($1, file, "iptables.save")
+')
++
++########################################
++## <summary>
++## Make the specified type a
++## base file.
++## </summary>
++## <desc>
++## <p>
++## Identify file type as base file type. Tools will use this attribute,
++## to help users diagnose problems.
++## </p>
++## </desc>
++## <param name="file_type">
++## <summary>
++## Type to be used as a base files.
++## </summary>
++## </param>
++## <infoflow type="none"/>
++#
++interface(`files_base_file',`
++ gen_require(`
++ attribute base_file_type;
++ ')
++ files_type($1)
++ typeattribute $1 base_file_type;
++')
++
++########################################
++## <summary>
++## Make the specified type a
++## base read only file.
++## </summary>
++## <desc>
++## <p>
++## Make the specified type readable for all domains.
++## </p>
++## </desc>
++## <param name="file_type">
++## <summary>
++## Type to be used as a base read only files.
++## </summary>
++## </param>
++## <infoflow type="none"/>
++#
++interface(`files_ro_base_file',`
++ gen_require(`
++ attribute base_ro_file_type;
++ ')
++ files_base_file($1)
++ typeattribute $1 base_ro_file_type;
++')
++
++########################################
++## <summary>
++## Read all ro base files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`files_read_all_base_ro_files',`
++ gen_require(`
++ attribute base_ro_file_type;
++ ')
++
++ list_dirs_pattern($1, base_ro_file_type, base_ro_file_type)
++ read_files_pattern($1, base_ro_file_type, base_ro_file_type)
++ read_lnk_files_pattern($1, base_ro_file_type, base_ro_file_type)
++')
++
++########################################
++## <summary>
++## Execute all base ro files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`files_exec_all_base_ro_files',`
++ gen_require(`
++ attribute base_ro_file_type;
++ ')
++
++ list_dirs_pattern($1, base_ro_file_type, base_ro_file_type)
++ read_files_pattern($1, base_ro_file_type, base_ro_file_type)
++ read_lnk_files_pattern($1, base_ro_file_type, base_ro_file_type)
++')
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
-index 52ef84e..59b37a3 100644
+index 52ef84e..45cb0bc 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
-@@ -10,7 +10,9 @@ attribute files_unconfined_type;
+@@ -5,12 +5,16 @@ policy_module(files, 1.17.0)
+ # Declarations
+ #
+
++attribute base_file_type;
++attribute base_ro_file_type;
+ attribute file_type;
+ attribute files_unconfined_type;
attribute lockfile;
attribute mountpoint;
attribute pidfile;
@@ -107298,7 +107414,27 @@ index 52ef84e..59b37a3 100644
# For labeling types that are to be polyinstantiated
attribute polydir;
-@@ -64,12 +66,21 @@ files_type(etc_t)
+@@ -48,28 +52,40 @@ attribute usercanread;
+ #
+ type boot_t;
+ files_mountpoint(boot_t)
++files_ro_base_file(boot_t)
+
+ # default_t is the default type for files that do not
+ # match any specification in the file_contexts configuration
+ # other than the generic /.* specification.
+ type default_t;
+ files_mountpoint(default_t)
++files_base_file(default_t)
+
+ #
+ # etc_t is the type of the system etc directories.
+ #
+ type etc_t, configfile;
+-files_type(etc_t)
++files_ro_base_file(etc_t)
++
+ # compatibility aliases for removed types:
typealias etc_t alias automount_etc_t;
typealias etc_t alias snmpd_etc_t;
@@ -107321,7 +107457,53 @@ index 52ef84e..59b37a3 100644
files_type(etc_runtime_t)
#Temporarily in policy until FC5 dissappears
typealias etc_runtime_t alias firstboot_rw_t;
-@@ -139,6 +150,7 @@ files_mountpoint(src_t)
+@@ -81,6 +97,7 @@ typealias etc_runtime_t alias firstboot_rw_t;
+ #
+ type file_t;
+ files_mountpoint(file_t)
++files_base_file(file_t)
+ kernel_rootfs_mountpoint(file_t)
+ sid file gen_context(system_u:object_r:file_t,s0)
+
+@@ -89,6 +106,7 @@ sid file gen_context(system_u:object_r:file_t,s0)
+ # are created
+ #
+ type home_root_t;
++files_base_file(home_root_t)
+ files_mountpoint(home_root_t)
+ files_poly_parent(home_root_t)
+
+@@ -96,12 +114,13 @@ files_poly_parent(home_root_t)
+ # lost_found_t is the type for the lost+found directories.
+ #
+ type lost_found_t;
+-files_type(lost_found_t)
++files_base_file(lost_found_t)
+
+ #
+ # mnt_t is the type for mount points such as /mnt/cdrom
+ #
+ type mnt_t;
++files_base_file(mnt_t)
+ files_mountpoint(mnt_t)
+
+ #
+@@ -123,6 +142,7 @@ files_type(readable_t)
+ # root_t is the type for rootfs and the root directory.
+ #
+ type root_t;
++files_base_file(root_t)
+ files_mountpoint(root_t)
+ files_poly_parent(root_t)
+ kernel_rootfs_mountpoint(root_t)
+@@ -133,52 +153,63 @@ genfscon rootfs / gen_context(system_u:object_r:root_t,s0)
+ #
+ type src_t;
+ files_mountpoint(src_t)
++files_ro_base_file(src_t)
+
+ #
+ # system_map_t is for the system.map files in /boot
#
type system_map_t;
files_type(system_map_t)
@@ -107329,7 +107511,11 @@ index 52ef84e..59b37a3 100644
genfscon proc /kallsyms gen_context(system_u:object_r:system_map_t,s0)
#
-@@ -149,6 +161,7 @@ files_tmp_file(tmp_t)
+ # tmp_t is the type of the temporary directories
+ #
+ type tmp_t;
++files_base_file(tmp_t)
+ files_tmp_file(tmp_t)
files_mountpoint(tmp_t)
files_poly(tmp_t)
files_poly_parent(tmp_t)
@@ -107337,9 +107523,23 @@ index 52ef84e..59b37a3 100644
#
# usr_t is the type for /usr.
-@@ -167,12 +180,14 @@ files_mountpoint(var_t)
+ #
+ type usr_t;
++files_ro_base_file(usr_t)
+ files_mountpoint(usr_t)
+
+ #
+ # var_t is the type of /var
+ #
+ type var_t;
++files_base_file(var_t)
+ files_mountpoint(var_t)
+
+ #
+ # var_lib_t is the type of /var/lib
#
type var_lib_t;
++files_base_file(var_lib_t)
files_mountpoint(var_lib_t)
+files_poly(var_lib_t)
@@ -107347,20 +107547,30 @@ index 52ef84e..59b37a3 100644
# var_lock_t is tye type of /var/lock
#
type var_lock_t;
++files_base_file(var_lock_t)
files_lock_file(var_lock_t)
+files_mountpoint(var_lock_t)
#
# var_run_t is the type of /var/run, usually
-@@ -187,6 +202,7 @@ files_mountpoint(var_run_t)
+ # used for pid and other runtime files.
+ #
+ type var_run_t;
++files_base_file(var_run_t)
+ files_pid_file(var_run_t)
+ files_mountpoint(var_run_t)
+
+@@ -186,7 +217,9 @@ files_mountpoint(var_run_t)
+ # var_spool_t is the type of /var/spool
#
type var_spool_t;
++files_base_file(var_spool_t)
files_tmp_file(var_spool_t)
+files_spool_file(var_spool_t)
########################################
#
-@@ -225,10 +241,11 @@ fs_associate_tmpfs(tmpfsfile)
+@@ -225,10 +258,11 @@ fs_associate_tmpfs(tmpfsfile)
# Create/access any file in a labeled filesystem;
allow files_unconfined_type file_type:{ file chr_file } ~execmod;
allow files_unconfined_type file_type:{ dir lnk_file sock_file fifo_file blk_file } *;
@@ -119256,65 +119466,23 @@ index d2e40b8..084ee57 100644
')
+/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index d26fe81..c932f74 100644
+index d26fe81..29f6683 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
-@@ -79,6 +79,38 @@ interface(`init_script_domain',`
- domtrans_pattern(init_run_all_scripts_domain, $2, $1)
- ')
-
-+
-+#######################################
-+## <summary>
-+## Create a domain which can be started by init.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Type to be used as a domain.
-+## </summary>
-+## </param>
-+## <param name="entry_point">
-+## <summary>
-+## Type of the program to be used as an entry point to this domain.
-+## </summary>
-+## </param>
-+#
-+interface(`init_systemd_domain',`
-+ gen_require(`
-+ type init_t;
-+ role system_r;
-+ ')
-+
-+ domain_type($1)
-+ domain_entry_file($1,$2)
-+
-+ role system_r types $1;
-+
-+ tunable_policy(`init_systemd',`
-+ domtrans_pattern(init_t,$2,$1)
-+ ')
-+')
-+
- ########################################
- ## <summary>
- ## Create a domain which can be started by init.
-@@ -105,7 +137,11 @@ interface(`init_domain',`
-
+@@ -106,6 +106,8 @@ interface(`init_domain',`
role system_r types $1;
-- domtrans_pattern(init_t, $2, $1)
-+ tunable_policy(`init_systemd',`', `
-+ domtrans_pattern(init_t, $2, $1)
-+ allow init_t $1:unix_stream_socket create_stream_socket_perms;
-+ allow $1 init_t:unix_dgram_socket sendto;
-+ ')
+ domtrans_pattern(init_t, $2, $1)
++ allow init_t $1:unix_stream_socket create_stream_socket_perms;
++ allow $1 init_t:unix_dgram_socket sendto;
ifdef(`hide_broken_symptoms',`
# RHEL4 systems seem to have a stray
-@@ -193,8 +229,11 @@ interface(`init_daemon_domain',`
+@@ -192,50 +194,43 @@ interface(`init_ranged_domain',`
+ interface(`init_daemon_domain',`
gen_require(`
attribute direct_run_init, direct_init, direct_init_entry;
- type initrc_t;
+- type initrc_t;
+ type init_t;
role system_r;
attribute daemon;
@@ -119323,7 +119491,8 @@ index d26fe81..c932f74 100644
')
typeattribute $1 daemon;
-@@ -202,40 +241,38 @@ interface(`init_daemon_domain',`
++ typeattribute $2 direct_init_entry;
+
domain_type($1)
domain_entry_file($1, $2)
@@ -119339,18 +119508,19 @@ index d26fe81..c932f74 100644
- # init script ptys are the stdin/out/err
- # when using run_init
- init_use_script_ptys($1)
-+ domtrans_pattern(initrc_t,$2,$1)
-+ domtrans_pattern(initrc_domain, $2,$1)
++ type_transition initrc_domain $2:process $1;
ifdef(`direct_sysadm_daemon',`
- domtrans_pattern(direct_run_init, $2, $1)
+- domtrans_pattern(direct_run_init, $2, $1)
- allow direct_run_init $1:process { noatsecure siginh rlimitinh };
-
+-
++ type_transition direct_run_init $2:process $1;
typeattribute $1 direct_init;
- typeattribute $2 direct_init_entry;
+- typeattribute $2 direct_init_entry;
-
- userdom_dontaudit_use_user_terminals($1)
')
++')
- ifdef(`hide_broken_symptoms',`
- # RHEL4 systems seem to have a stray
@@ -119358,14 +119528,6 @@ index d26fe81..c932f74 100644
- ifdef(`distro_rhel4',`
- kernel_dontaudit_use_fds($1)
- ')
-+ tunable_policy(`init_upstart || init_systemd',`
-+ # Handle upstart direct transition to a executable
-+ domtrans_pattern(init_t,$2,$1)
- ')
-+')
-
-- optional_policy(`
-- nscd_socket_use($1)
- ')
+#######################################
+## <summary>
@@ -119381,12 +119543,15 @@ index d26fe81..c932f74 100644
+ gen_require(`
+ attribute initrc_domain;
+ ')
-+
+
+- optional_policy(`
+- nscd_socket_use($1)
+- ')
+ typeattribute $1 initrc_domain;
')
########################################
-@@ -283,17 +320,20 @@ interface(`init_daemon_domain',`
+@@ -283,17 +278,20 @@ interface(`init_daemon_domain',`
interface(`init_ranged_daemon_domain',`
gen_require(`
type initrc_t;
@@ -119408,40 +119573,38 @@ index d26fe81..c932f74 100644
')
')
-@@ -336,22 +376,25 @@ interface(`init_ranged_daemon_domain',`
+@@ -336,23 +334,19 @@ interface(`init_ranged_daemon_domain',`
#
interface(`init_system_domain',`
gen_require(`
+- type initrc_t;
+ type init_t;
- type initrc_t;
role system_r;
+ attribute initrc_transition_domain;
-+ attribute systemprocess;
++ attribute systemprocess, systemprocess_entry;
+ attribute initrc_domain;
')
+ typeattribute $1 systemprocess;
application_domain($1, $2)
-
+-
role system_r types $1;
++ typeattribute $2 systemprocess_entry;
- domtrans_pattern(initrc_t, $2, $1)
-+ domtrans_pattern(initrc_t,$2,$1)
-+ domtrans_pattern(initrc_domain, $2,$1)
-
+-
- ifdef(`hide_broken_symptoms',`
- # RHEL4 systems seem to have a stray
- # fds open from the initrd
- ifdef(`distro_rhel4',`
- kernel_dontaudit_use_fds($1)
- ')
-+ tunable_policy(`init_systemd',`
-+ # Handle upstart/systemd direct transition to a executable
-+ domtrans_pattern(init_t,$2,$1)
- ')
+- ')
++ type_transition initrc_domain $2:process $1;
')
-@@ -401,20 +444,41 @@ interface(`init_system_domain',`
+ ########################################
+@@ -401,20 +395,41 @@ interface(`init_system_domain',`
interface(`init_ranged_system_domain',`
gen_require(`
type initrc_t;
@@ -119483,7 +119646,7 @@ index d26fe81..c932f74 100644
########################################
## <summary>
## Execute init (/sbin/init) with a domain transition.
-@@ -442,7 +506,6 @@ interface(`init_domtrans',`
+@@ -442,7 +457,6 @@ interface(`init_domtrans',`
## Domain allowed access.
## </summary>
## </param>
@@ -119491,12 +119654,12 @@ index d26fe81..c932f74 100644
#
interface(`init_exec',`
gen_require(`
-@@ -451,6 +514,48 @@ interface(`init_exec',`
+@@ -451,6 +465,48 @@ interface(`init_exec',`
corecmd_search_bin($1)
can_exec($1, init_exec_t)
+
-+ tunable_policy(`init_systemd',`
++ optional_policy(`
+ systemd_exec_systemctl($1)
+ ')
+')
@@ -119540,7 +119703,7 @@ index d26fe81..c932f74 100644
')
########################################
-@@ -539,6 +644,24 @@ interface(`init_sigchld',`
+@@ -539,6 +595,24 @@ interface(`init_sigchld',`
########################################
## <summary>
@@ -119565,7 +119728,7 @@ index d26fe81..c932f74 100644
## Connect to init with a unix socket.
## </summary>
## <param name="domain">
-@@ -549,10 +672,66 @@ interface(`init_sigchld',`
+@@ -549,10 +623,66 @@ interface(`init_sigchld',`
#
interface(`init_stream_connect',`
gen_require(`
@@ -119634,8 +119797,11 @@ index d26fe81..c932f74 100644
')
########################################
-@@ -718,19 +897,25 @@ interface(`init_telinit',`
+@@ -716,22 +846,23 @@ interface(`init_write_initctl',`
+ interface(`init_telinit',`
+ gen_require(`
type initctl_t;
++ type init_t;
')
+ corecmd_exec_bin($1)
@@ -119646,22 +119812,25 @@ index d26fe81..c932f74 100644
init_exec($1)
- tunable_policy(`init_upstart',`
-+ tunable_policy(`init_upstart || init_systemd',`
- gen_require(`
- type init_t;
- ')
-
-+ ps_process_pattern($1, init_t)
-+ allow $1 init_t:process signal;
- # upstart uses a datagram socket instead of initctl pipe
- allow $1 self:unix_dgram_socket create_socket_perms;
- allow $1 init_t:unix_dgram_socket sendto;
-+ #576913
-+ allow $1 init_t:unix_stream_socket connectto;
- ')
+- gen_require(`
+- type init_t;
+- ')
+-
+- # upstart uses a datagram socket instead of initctl pipe
+- allow $1 self:unix_dgram_socket create_socket_perms;
+- allow $1 init_t:unix_dgram_socket sendto;
+- ')
++ ps_process_pattern($1, init_t)
++ allow $1 init_t:process signal;
++ # upstart uses a datagram socket instead of initctl pipe
++ allow $1 self:unix_dgram_socket create_socket_perms;
++ allow $1 init_t:unix_dgram_socket sendto;
++ #576913
++ allow $1 init_t:unix_stream_socket connectto;
')
-@@ -760,7 +945,7 @@ interface(`init_rw_initctl',`
+ ########################################
+@@ -760,7 +891,7 @@ interface(`init_rw_initctl',`
## </summary>
## <param name="domain">
## <summary>
@@ -119670,7 +119839,7 @@ index d26fe81..c932f74 100644
## </summary>
## </param>
#
-@@ -803,11 +988,12 @@ interface(`init_script_file_entry_type',`
+@@ -803,11 +934,12 @@ interface(`init_script_file_entry_type',`
#
interface(`init_spec_domtrans_script',`
gen_require(`
@@ -119685,7 +119854,7 @@ index d26fe81..c932f74 100644
ifdef(`distro_gentoo',`
gen_require(`
-@@ -818,11 +1004,11 @@ interface(`init_spec_domtrans_script',`
+@@ -818,11 +950,11 @@ interface(`init_spec_domtrans_script',`
')
ifdef(`enable_mcs',`
@@ -119699,7 +119868,7 @@ index d26fe81..c932f74 100644
')
')
-@@ -838,19 +1024,41 @@ interface(`init_spec_domtrans_script',`
+@@ -838,19 +970,41 @@ interface(`init_spec_domtrans_script',`
#
interface(`init_domtrans_script',`
gen_require(`
@@ -119745,7 +119914,7 @@ index d26fe81..c932f74 100644
')
########################################
-@@ -906,9 +1114,14 @@ interface(`init_script_file_domtrans',`
+@@ -906,9 +1060,14 @@ interface(`init_script_file_domtrans',`
interface(`init_labeled_script_domtrans',`
gen_require(`
type initrc_t;
@@ -119760,7 +119929,7 @@ index d26fe81..c932f74 100644
files_search_etc($1)
')
-@@ -999,7 +1212,9 @@ interface(`init_ptrace',`
+@@ -999,7 +1158,9 @@ interface(`init_ptrace',`
type init_t;
')
@@ -119771,7 +119940,7 @@ index d26fe81..c932f74 100644
')
########################################
-@@ -1098,6 +1313,25 @@ interface(`init_getattr_all_script_files',`
+@@ -1098,6 +1259,25 @@ interface(`init_getattr_all_script_files',`
########################################
## <summary>
@@ -119797,7 +119966,7 @@ index d26fe81..c932f74 100644
## Read all init script files.
## </summary>
## <param name="domain">
-@@ -1117,6 +1351,24 @@ interface(`init_read_all_script_files',`
+@@ -1117,6 +1297,24 @@ interface(`init_read_all_script_files',`
#######################################
## <summary>
@@ -119822,7 +119991,7 @@ index d26fe81..c932f74 100644
## Dontaudit read all init script files.
## </summary>
## <param name="domain">
-@@ -1168,12 +1420,7 @@ interface(`init_read_script_state',`
+@@ -1168,12 +1366,7 @@ interface(`init_read_script_state',`
')
kernel_search_proc($1)
@@ -119836,7 +120005,7 @@ index d26fe81..c932f74 100644
')
########################################
-@@ -1413,6 +1660,27 @@ interface(`init_dbus_send_script',`
+@@ -1413,6 +1606,27 @@ interface(`init_dbus_send_script',`
########################################
## <summary>
## Send and receive messages from
@@ -119864,7 +120033,7 @@ index d26fe81..c932f74 100644
## init scripts over dbus.
## </summary>
## <param name="domain">
-@@ -1499,6 +1767,25 @@ interface(`init_getattr_script_status_files',`
+@@ -1499,6 +1713,25 @@ interface(`init_getattr_script_status_files',`
########################################
## <summary>
@@ -119890,7 +120059,7 @@ index d26fe81..c932f74 100644
## Do not audit attempts to read init script
## status files.
## </summary>
-@@ -1557,6 +1844,24 @@ interface(`init_rw_script_tmp_files',`
+@@ -1557,6 +1790,24 @@ interface(`init_rw_script_tmp_files',`
########################################
## <summary>
@@ -119915,7 +120084,7 @@ index d26fe81..c932f74 100644
## Create files in a init script
## temporary data directory.
## </summary>
-@@ -1629,6 +1934,43 @@ interface(`init_read_utmp',`
+@@ -1629,6 +1880,43 @@ interface(`init_read_utmp',`
########################################
## <summary>
@@ -119959,7 +120128,7 @@ index d26fe81..c932f74 100644
## Do not audit attempts to write utmp.
## </summary>
## <param name="domain">
-@@ -1717,7 +2059,7 @@ interface(`init_dontaudit_rw_utmp',`
+@@ -1717,7 +2005,7 @@ interface(`init_dontaudit_rw_utmp',`
type initrc_var_run_t;
')
@@ -119968,10 +120137,11 @@ index d26fe81..c932f74 100644
')
########################################
-@@ -1758,6 +2100,128 @@ interface(`init_pid_filetrans_utmp',`
+@@ -1758,7 +2046,129 @@ interface(`init_pid_filetrans_utmp',`
files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
')
+-########################################
+######################################
+## <summary>
+## Allow search directory in the /run/systemd directory.
@@ -120094,10 +120264,11 @@ index d26fe81..c932f74 100644
+ filetrans_pattern($1, init_var_run_t, $2, $3, $4)
+')
+
- ########################################
++########################################
## <summary>
## Allow the specified domain to connect to daemon with a tcp socket
-@@ -1792,3 +2256,286 @@ interface(`init_udp_recvfrom_all_daemons',`
+ ## </summary>
+@@ -1792,3 +2202,286 @@ interface(`init_udp_recvfrom_all_daemons',`
')
corenet_udp_recvfrom_labeled($1, daemon)
')
@@ -120385,25 +120556,18 @@ index d26fe81..c932f74 100644
+ allow $1 init_t:system undefined;
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 4a88fa1..b6196d7 100644
+index 4a88fa1..7d77221 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
-@@ -16,6 +16,34 @@ gen_require(`
- ## </desc>
- gen_tunable(init_upstart, false)
+@@ -11,10 +11,24 @@ gen_require(`
-+## <desc>
-+## <p>
-+## Enable support for systemd as the init program.
-+## </p>
-+## </desc>
-+gen_tunable(init_systemd, false)
-+
-+## <desc>
-+## <p>
+ ## <desc>
+ ## <p>
+-## Enable support for upstart as the init program.
+## Allow all daemons to use tcp wrappers.
-+## </p>
-+## </desc>
+ ## </p>
+ ## </desc>
+-gen_tunable(init_upstart, false)
+gen_tunable(daemons_use_tcp_wrapper, false)
+
+## <desc>
@@ -120419,11 +120583,10 @@ index 4a88fa1..b6196d7 100644
+## </p>
+## </desc>
+gen_tunable(daemons_dump_core, false)
-+
+
# used for direct running of init scripts
# by admin domains
- attribute direct_run_init;
-@@ -25,14 +53,21 @@ attribute direct_init_entry;
+@@ -25,19 +39,28 @@ attribute direct_init_entry;
attribute init_script_domain_type;
attribute init_script_file_type;
attribute init_run_all_scripts_domain;
@@ -120434,6 +120597,7 @@ index 4a88fa1..b6196d7 100644
# Mark process types as daemons
attribute daemon;
+attribute systemprocess;
++attribute systemprocess_entry;
+
+# Mark process types as initrc domain
+attribute initrc_domain;
@@ -120446,7 +120610,13 @@ index 4a88fa1..b6196d7 100644
type init_exec_t;
domain_type(init_t)
domain_entry_file(init_t, init_exec_t)
-@@ -46,6 +81,15 @@ type init_var_run_t;
+ kernel_domtrans_to(init_t, init_exec_t)
+ role system_r types init_t;
++init_initrc_domain(init_t)
+
+ #
+ # init_var_run_t is the type for /var/run/shutdown.pid.
+@@ -46,6 +69,15 @@ type init_var_run_t;
files_pid_file(init_var_run_t)
#
@@ -120462,7 +120632,16 @@ index 4a88fa1..b6196d7 100644
# initctl_t is the type of the named pipe created
# by init during initialization. This pipe is used
# to communicate with init.
-@@ -63,6 +107,8 @@ role system_r types initrc_t;
+@@ -54,7 +86,7 @@ type initctl_t;
+ files_type(initctl_t)
+ mls_trusted_object(initctl_t)
+
+-type initrc_t, init_script_domain_type, init_run_all_scripts_domain;
++type initrc_t, initrc_domain, init_script_domain_type, init_run_all_scripts_domain;
+ type initrc_exec_t, init_script_file_type;
+ domain_type(initrc_t)
+ domain_entry_file(initrc_t, initrc_exec_t)
+@@ -63,6 +95,8 @@ role system_r types initrc_t;
# of the below init_upstart tunable
# but this has a typeattribute in it
corecmd_shell_entry_type(initrc_t)
@@ -120471,7 +120650,7 @@ index 4a88fa1..b6196d7 100644
type initrc_devpts_t;
term_pty(initrc_devpts_t)
-@@ -95,7 +141,8 @@ ifdef(`enable_mls',`
+@@ -95,7 +129,8 @@ ifdef(`enable_mls',`
#
# Use capabilities. old rule:
@@ -120481,7 +120660,7 @@ index 4a88fa1..b6196d7 100644
# is ~sys_module really needed? observed:
# sys_boot
# sys_tty_config
-@@ -107,12 +154,32 @@ allow init_t self:fifo_file rw_fifo_file_perms;
+@@ -107,12 +142,32 @@ allow init_t self:fifo_file rw_fifo_file_perms;
# Re-exec itself
can_exec(init_t, init_exec_t)
@@ -120520,7 +120699,7 @@ index 4a88fa1..b6196d7 100644
allow init_t initctl_t:fifo_file manage_fifo_file_perms;
dev_filetrans(init_t, initctl_t, fifo_file)
-@@ -122,28 +189,38 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
+@@ -122,28 +177,38 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
kernel_read_system_state(init_t)
kernel_share_state(init_t)
@@ -120560,7 +120739,7 @@ index 4a88fa1..b6196d7 100644
# file descriptors inherited from the rootfs:
files_dontaudit_rw_root_files(init_t)
files_dontaudit_rw_root_chr_files(init_t)
-@@ -152,6 +229,8 @@ fs_list_inotifyfs(init_t)
+@@ -152,6 +217,8 @@ fs_list_inotifyfs(init_t)
# cjp: this may be related to /dev/log
fs_write_ramfs_sockets(init_t)
@@ -120569,7 +120748,7 @@ index 4a88fa1..b6196d7 100644
mcs_process_set_categories(init_t)
mcs_killall(init_t)
-@@ -159,22 +238,40 @@ mls_file_read_all_levels(init_t)
+@@ -159,22 +226,40 @@ mls_file_read_all_levels(init_t)
mls_file_write_all_levels(init_t)
mls_process_write_down(init_t)
mls_fd_use_all_levels(init_t)
@@ -120601,18 +120780,18 @@ index 4a88fa1..b6196d7 100644
seutil_read_config(init_t)
+seutil_read_module_store(init_t)
-
--miscfiles_read_localization(init_t)
++
+miscfiles_manage_localization(init_t)
+miscfiles_filetrans_named_content(init_t)
-+
+
+-miscfiles_read_localization(init_t)
+userdom_use_user_ttys(init_t)
+
+allow init_t self:process setsched;
ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap };
-@@ -183,12 +280,19 @@ ifdef(`distro_gentoo',`
+@@ -183,29 +268,174 @@ ifdef(`distro_gentoo',`
')
ifdef(`distro_redhat',`
@@ -120629,14 +120808,13 @@ index 4a88fa1..b6196d7 100644
')
-tunable_policy(`init_upstart',`
-+tunable_policy(`init_upstart || init_systemd',`
- corecmd_shell_domtrans(init_t, initrc_t)
- ',`
- # Run the shell in the sysadm role for single-user mode.
-@@ -196,16 +300,166 @@ tunable_policy(`init_upstart',`
- sysadm_shell_domtrans(init_t)
- ')
-
+- corecmd_shell_domtrans(init_t, initrc_t)
+-',`
+- # Run the shell in the sysadm role for single-user mode.
+- # causes problems with upstart
+- sysadm_shell_domtrans(init_t)
++corecmd_shell_domtrans(init_t, initrc_t)
++
+storage_raw_rw_fixed_disk(init_t)
+
+optional_policy(`
@@ -120654,128 +120832,122 @@ index 4a88fa1..b6196d7 100644
+ mta_read_aliases(init_t)
+')
+
-+tunable_policy(`init_systemd',`
-+ allow init_t self:system all_system_perms;
-+ allow init_t self:unix_dgram_socket { create_socket_perms sendto };
-+ allow init_t self:process { setsockcreate setfscreate setrlimit };
-+ allow init_t self:process { getcap setcap };
-+ allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
-+ allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
-+ allow init_t self:netlink_selinux_socket create_socket_perms;
-+ # Until systemd is fixed
-+ allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write };
-+ allow init_t self:udp_socket create_socket_perms;
-+ allow init_t self:netlink_route_socket create_netlink_socket_perms;
-+
-+ allow init_t initrc_t:unix_dgram_socket create_socket_perms;
-+
-+ kernel_list_unlabeled(init_t)
-+ kernel_read_network_state(init_t)
-+ kernel_rw_kernel_sysctl(init_t)
-+ kernel_rw_net_sysctls(init_t)
-+ kernel_read_all_sysctls(init_t)
-+ kernel_read_software_raid_state(init_t)
-+ kernel_unmount_debugfs(init_t)
-+ kernel_setsched(init_t)
-+
-+ dev_write_kmsg(init_t)
-+ dev_write_urand(init_t)
-+ dev_rw_lvm_control(init_t)
-+ dev_rw_autofs(init_t)
-+ dev_manage_generic_symlinks(init_t)
-+ dev_manage_generic_dirs(init_t)
-+ dev_manage_generic_files(init_t)
-+ dev_read_generic_chr_files(init_t)
-+ dev_relabel_generic_dev_dirs(init_t)
-+ dev_relabel_all_dev_nodes(init_t)
-+ dev_relabel_all_dev_files(init_t)
-+ dev_manage_sysfs_dirs(init_t)
-+ dev_relabel_sysfs_dirs(init_t)
-+
-+ files_search_all(init_t)
-+ files_mounton_all_mountpoints(init_t)
-+ files_unmount_all_file_type_fs(init_t)
-+ files_manage_all_pid_dirs(init_t)
-+ files_manage_etc_dirs(init_t)
-+ files_manage_generic_tmp_dirs(init_t)
-+ files_relabel_all_pid_dirs(init_t)
-+ files_relabel_all_pid_files(init_t)
-+ files_create_all_pid_sockets(init_t)
-+ files_delete_all_pids(init_t)
-+ files_exec_generic_pid_files(init_t)
-+ files_create_all_pid_pipes(init_t)
-+ files_create_all_spool_sockets(init_t)
-+ files_delete_all_spool_sockets(init_t)
-+ files_manage_urandom_seed(init_t)
-+ files_list_locks(init_t)
-+ files_list_spool(init_t)
-+ files_list_var(init_t)
-+ files_list_boot(init_t)
-+ files_list_home(init_t)
-+ files_create_lock_dirs(init_t)
-+ files_relabel_all_lock_dirs(init_t)
-+ files_read_kernel_modules(init_t)
-+
-+ fs_getattr_all_fs(init_t)
-+ fs_manage_cgroup_dirs(init_t)
-+ fs_manage_cgroup_files(init_t)
-+ fs_manage_hugetlbfs_dirs(init_t)
-+ fs_manage_tmpfs_dirs(init_t)
-+ fs_relabel_tmpfs_dirs(init_t)
-+ fs_relabel_tmpfs_files(init_t)
-+ fs_relabel_tmpfs_fifo_files(init_t)
-+ fs_mount_all_fs(init_t)
-+ fs_unmount_all_fs(init_t)
-+ fs_remount_all_fs(init_t)
-+ fs_list_auto_mountpoints(init_t)
-+ fs_register_binary_executable_type(init_t)
-+ fs_relabel_tmpfs_sock_file(init_t)
-+ fs_rw_tmpfs_files(init_t)
-+ fs_relabel_cgroup_dirs(init_t)
-+ fs_search_cgroup_dirs(init_t)
-+
-+
-+ selinux_compute_access_vector(init_t)
-+ selinux_compute_create_context(init_t)
-+ selinux_validate_context(init_t)
-+ selinux_unmount_fs(init_t)
-+
-+ storage_getattr_removable_dev(init_t)
-+
-+ term_relabel_ptys_dirs(init_t)
-+
-+ auth_relabel_login_records(init_t)
-+ auth_relabel_pam_console_data_dirs(init_t)
-+
-+ clock_read_adjtime(init_t)
-+
-+ init_read_script_state(init_t)
-+
-+ modutils_read_module_config(init_t)
-+
-+ seutil_read_file_contexts(init_t)
-+
-+ systemd_exec_systemctl(init_t)
-+ systemd_manage_unit_dirs(init_t)
-+ systemd_manage_all_unit_files(init_t)
-+ systemd_logger_stream_connect(init_t)
-+ systemd_config_all_services(init_t)
-+ systemd_relabelto_fifo_file_passwd_run(init_t)
-+ systemd_relabel_unit_dirs(init_t)
-+ systemd_relabel_unit_files(init_t)
-+ systemd_config_all_services(initrc_t)
-+
-+ create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type)
-+
-+')
++allow init_t self:system all_system_perms;
++allow init_t self:unix_dgram_socket { create_socket_perms sendto };
++allow init_t self:process { setsockcreate setfscreate setrlimit };
++allow init_t self:process { getcap setcap };
++allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
++allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
++allow init_t self:netlink_selinux_socket create_socket_perms;
++# Until systemd is fixed
++allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write };
++allow init_t self:udp_socket create_socket_perms;
++allow init_t self:netlink_route_socket create_netlink_socket_perms;
++
++allow init_t initrc_t:unix_dgram_socket create_socket_perms;
++
++kernel_list_unlabeled(init_t)
++kernel_read_network_state(init_t)
++kernel_rw_kernel_sysctl(init_t)
++kernel_rw_net_sysctls(init_t)
++kernel_read_all_sysctls(init_t)
++kernel_read_software_raid_state(init_t)
++kernel_unmount_debugfs(init_t)
++kernel_setsched(init_t)
++
++dev_write_kmsg(init_t)
++dev_write_urand(init_t)
++dev_rw_lvm_control(init_t)
++dev_rw_autofs(init_t)
++dev_manage_generic_symlinks(init_t)
++dev_manage_generic_dirs(init_t)
++dev_manage_generic_files(init_t)
++dev_read_generic_chr_files(init_t)
++dev_relabel_generic_dev_dirs(init_t)
++dev_relabel_all_dev_nodes(init_t)
++dev_relabel_all_dev_files(init_t)
++dev_manage_sysfs_dirs(init_t)
++dev_relabel_sysfs_dirs(init_t)
++
++files_search_all(init_t)
++files_mounton_all_mountpoints(init_t)
++files_unmount_all_file_type_fs(init_t)
++files_manage_all_pid_dirs(init_t)
++files_manage_etc_dirs(init_t)
++files_manage_generic_tmp_dirs(init_t)
++files_relabel_all_pid_dirs(init_t)
++files_relabel_all_pid_files(init_t)
++files_create_all_pid_sockets(init_t)
++files_delete_all_pids(init_t)
++files_exec_generic_pid_files(init_t)
++files_create_all_pid_pipes(init_t)
++files_create_all_spool_sockets(init_t)
++files_delete_all_spool_sockets(init_t)
++files_manage_urandom_seed(init_t)
++files_list_locks(init_t)
++files_list_spool(init_t)
++files_list_var(init_t)
++files_list_boot(init_t)
++files_list_home(init_t)
++files_create_lock_dirs(init_t)
++files_relabel_all_lock_dirs(init_t)
++files_read_kernel_modules(init_t)
++fs_getattr_all_fs(init_t)
++fs_manage_cgroup_dirs(init_t)
++fs_manage_cgroup_files(init_t)
++fs_manage_hugetlbfs_dirs(init_t)
++fs_manage_tmpfs_dirs(init_t)
++fs_relabel_tmpfs_dirs(init_t)
++fs_relabel_tmpfs_files(init_t)
++fs_relabel_tmpfs_fifo_files(init_t)
++fs_mount_all_fs(init_t)
++fs_unmount_all_fs(init_t)
++fs_remount_all_fs(init_t)
++fs_list_auto_mountpoints(init_t)
++fs_register_binary_executable_type(init_t)
++fs_relabel_tmpfs_sock_file(init_t)
++fs_rw_tmpfs_files(init_t)
++fs_relabel_cgroup_dirs(init_t)
++fs_search_cgroup_dirs(init_t)
++selinux_compute_access_vector(init_t)
++selinux_compute_create_context(init_t)
++selinux_validate_context(init_t)
++selinux_unmount_fs(init_t)
++
++storage_getattr_removable_dev(init_t)
++
++term_relabel_ptys_dirs(init_t)
++
++auth_relabel_login_records(init_t)
++auth_relabel_pam_console_data_dirs(init_t)
++
++clock_read_adjtime(init_t)
++
++init_read_script_state(init_t)
++
++modutils_read_module_config(init_t)
++
++seutil_read_file_contexts(init_t)
++
++systemd_exec_systemctl(init_t)
++systemd_manage_unit_dirs(init_t)
++systemd_manage_all_unit_files(init_t)
++systemd_logger_stream_connect(init_t)
++systemd_config_all_services(init_t)
++systemd_relabelto_fifo_file_passwd_run(init_t)
++systemd_relabel_unit_dirs(init_t)
++systemd_relabel_unit_files(init_t)
++systemd_config_all_services(initrc_t)
++
++create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type)
+
+auth_use_nsswitch(init_t)
+auth_rw_login_records(init_t)
+
+optional_policy(`
+ lvm_rw_pipes(init_t)
-+')
-+
+ ')
+
optional_policy(`
- auth_rw_login_records(init_t)
+ consolekit_manage_log(init_t)
@@ -120785,24 +120957,24 @@ index 4a88fa1..b6196d7 100644
+ dbus_connect_system_bus(init_t)
dbus_system_bus_client(init_t)
+ dbus_delete_pid_files(init_t)
- ')
-
- optional_policy(`
-- nscd_socket_use(init_t)
++')
++
++optional_policy(`
+ # /var/run/dovecot/login/ssl-parameters.dat is a hard link to
+ # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
+ # the directory. But we do not want to allow this.
+ # The master process of dovecot will manage this file.
+ dovecot_dontaudit_unlink_lib_files(initrc_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- nscd_socket_use(init_t)
+ plymouthd_stream_connect(init_t)
+ plymouthd_exec_plymouth(init_t)
')
optional_policy(`
-@@ -213,6 +467,22 @@ optional_policy(`
+@@ -213,6 +443,22 @@ optional_policy(`
')
optional_policy(`
@@ -120825,7 +120997,7 @@ index 4a88fa1..b6196d7 100644
unconfined_domain(init_t)
')
-@@ -222,8 +492,9 @@ optional_policy(`
+@@ -222,8 +468,9 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -120837,7 +121009,7 @@ index 4a88fa1..b6196d7 100644
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -251,12 +522,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -251,12 +498,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -120853,7 +121025,7 @@ index 4a88fa1..b6196d7 100644
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -272,23 +546,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -272,23 +522,36 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -120896,7 +121068,7 @@ index 4a88fa1..b6196d7 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -296,6 +583,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -296,6 +559,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -120904,7 +121076,7 @@ index 4a88fa1..b6196d7 100644
dev_write_kmsg(initrc_t)
dev_write_rand(initrc_t)
dev_write_urand(initrc_t)
-@@ -306,8 +594,10 @@ dev_write_framebuffer(initrc_t)
+@@ -306,8 +570,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@@ -120915,7 +121087,7 @@ index 4a88fa1..b6196d7 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -315,17 +605,16 @@ dev_manage_generic_files(initrc_t)
+@@ -315,17 +581,16 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -120935,7 +121107,7 @@ index 4a88fa1..b6196d7 100644
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
-@@ -333,6 +622,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -333,6 +598,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -120943,7 +121115,7 @@ index 4a88fa1..b6196d7 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
-@@ -340,8 +630,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -340,8 +606,10 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -120955,7 +121127,7 @@ index 4a88fa1..b6196d7 100644
files_delete_all_pids(initrc_t)
files_delete_all_pid_dirs(initrc_t)
files_read_etc_files(initrc_t)
-@@ -357,8 +649,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -357,8 +625,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -120969,7 +121141,7 @@ index 4a88fa1..b6196d7 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -368,9 +664,12 @@ fs_mount_all_fs(initrc_t)
+@@ -368,9 +640,12 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -120983,7 +121155,7 @@ index 4a88fa1..b6196d7 100644
mcs_killall(initrc_t)
mcs_process_set_categories(initrc_t)
-@@ -380,6 +679,7 @@ mls_process_read_up(initrc_t)
+@@ -380,6 +655,7 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -120991,7 +121163,7 @@ index 4a88fa1..b6196d7 100644
selinux_get_enforce_mode(initrc_t)
-@@ -391,6 +691,7 @@ term_use_all_terms(initrc_t)
+@@ -391,6 +667,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -120999,7 +121171,7 @@ index 4a88fa1..b6196d7 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -409,20 +710,18 @@ logging_read_all_logs(initrc_t)
+@@ -409,20 +686,18 @@ logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
@@ -121023,7 +121195,7 @@ index 4a88fa1..b6196d7 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -476,6 +775,10 @@ ifdef(`distro_gentoo',`
+@@ -476,6 +751,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@@ -121034,7 +121206,7 @@ index 4a88fa1..b6196d7 100644
alsa_read_lib(initrc_t)
')
-@@ -496,7 +799,7 @@ ifdef(`distro_redhat',`
+@@ -496,7 +775,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -121043,7 +121215,7 @@ index 4a88fa1..b6196d7 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -511,6 +814,7 @@ ifdef(`distro_redhat',`
+@@ -511,6 +790,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -121051,7 +121223,7 @@ index 4a88fa1..b6196d7 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -531,6 +835,7 @@ ifdef(`distro_redhat',`
+@@ -531,6 +811,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t)
@@ -121059,7 +121231,7 @@ index 4a88fa1..b6196d7 100644
miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
-@@ -540,8 +845,39 @@ ifdef(`distro_redhat',`
+@@ -540,8 +821,39 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -121099,7 +121271,7 @@ index 4a88fa1..b6196d7 100644
')
optional_policy(`
-@@ -549,14 +885,31 @@ ifdef(`distro_redhat',`
+@@ -549,14 +861,31 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -121131,7 +121303,7 @@ index 4a88fa1..b6196d7 100644
')
')
-@@ -567,6 +920,39 @@ ifdef(`distro_suse',`
+@@ -567,6 +896,39 @@ ifdef(`distro_suse',`
')
')
@@ -121171,7 +121343,7 @@ index 4a88fa1..b6196d7 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -579,6 +965,8 @@ optional_policy(`
+@@ -579,6 +941,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -121180,7 +121352,7 @@ index 4a88fa1..b6196d7 100644
')
optional_policy(`
-@@ -600,6 +988,7 @@ optional_policy(`
+@@ -600,6 +964,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -121188,7 +121360,7 @@ index 4a88fa1..b6196d7 100644
')
optional_policy(`
-@@ -612,6 +1001,17 @@ optional_policy(`
+@@ -612,6 +977,17 @@ optional_policy(`
')
optional_policy(`
@@ -121206,7 +121378,7 @@ index 4a88fa1..b6196d7 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -628,9 +1028,13 @@ optional_policy(`
+@@ -628,9 +1004,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -121220,7 +121392,7 @@ index 4a88fa1..b6196d7 100644
')
optional_policy(`
-@@ -655,6 +1059,10 @@ optional_policy(`
+@@ -655,6 +1035,10 @@ optional_policy(`
')
optional_policy(`
@@ -121231,7 +121403,7 @@ index 4a88fa1..b6196d7 100644
gpm_setattr_gpmctl(initrc_t)
')
-@@ -672,6 +1080,15 @@ optional_policy(`
+@@ -672,6 +1056,15 @@ optional_policy(`
')
optional_policy(`
@@ -121247,7 +121419,7 @@ index 4a88fa1..b6196d7 100644
inn_exec_config(initrc_t)
')
-@@ -712,6 +1129,7 @@ optional_policy(`
+@@ -712,6 +1105,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@@ -121255,7 +121427,7 @@ index 4a88fa1..b6196d7 100644
')
optional_policy(`
-@@ -729,7 +1147,14 @@ optional_policy(`
+@@ -729,7 +1123,14 @@ optional_policy(`
')
optional_policy(`
@@ -121270,7 +121442,7 @@ index 4a88fa1..b6196d7 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -752,6 +1177,10 @@ optional_policy(`
+@@ -752,6 +1153,10 @@ optional_policy(`
')
optional_policy(`
@@ -121281,7 +121453,7 @@ index 4a88fa1..b6196d7 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -761,10 +1190,20 @@ optional_policy(`
+@@ -761,10 +1166,20 @@ optional_policy(`
')
optional_policy(`
@@ -121302,7 +121474,7 @@ index 4a88fa1..b6196d7 100644
quota_manage_flags(initrc_t)
')
-@@ -773,6 +1212,10 @@ optional_policy(`
+@@ -773,6 +1188,10 @@ optional_policy(`
')
optional_policy(`
@@ -121313,7 +121485,7 @@ index 4a88fa1..b6196d7 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -794,8 +1237,6 @@ optional_policy(`
+@@ -794,8 +1213,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -121322,7 +121494,7 @@ index 4a88fa1..b6196d7 100644
')
optional_policy(`
-@@ -804,6 +1245,10 @@ optional_policy(`
+@@ -804,6 +1221,10 @@ optional_policy(`
')
optional_policy(`
@@ -121333,7 +121505,7 @@ index 4a88fa1..b6196d7 100644
# shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t)
')
-@@ -813,10 +1258,12 @@ optional_policy(`
+@@ -813,10 +1234,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@@ -121346,7 +121518,7 @@ index 4a88fa1..b6196d7 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -828,8 +1275,6 @@ optional_policy(`
+@@ -828,8 +1251,6 @@ optional_policy(`
')
optional_policy(`
@@ -121355,7 +121527,7 @@ index 4a88fa1..b6196d7 100644
udev_manage_pid_files(initrc_t)
udev_manage_pid_dirs(initrc_t)
udev_manage_rules_files(initrc_t)
-@@ -840,12 +1285,30 @@ optional_policy(`
+@@ -840,12 +1261,30 @@ optional_policy(`
')
optional_policy(`
@@ -121388,7 +121560,7 @@ index 4a88fa1..b6196d7 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -855,6 +1318,18 @@ optional_policy(`
+@@ -855,6 +1294,18 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -121407,7 +121579,7 @@ index 4a88fa1..b6196d7 100644
')
optional_policy(`
-@@ -870,6 +1345,10 @@ optional_policy(`
+@@ -870,6 +1321,10 @@ optional_policy(`
')
optional_policy(`
@@ -121418,7 +121590,7 @@ index 4a88fa1..b6196d7 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -880,3 +1359,173 @@ optional_policy(`
+@@ -880,3 +1335,177 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -121469,16 +121641,14 @@ index 4a88fa1..b6196d7 100644
+allow daemon initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms;
+allow daemon initrc_transition_domain:fd use;
+
-+tunable_policy(`init_systemd',`
-+ allow init_t daemon:unix_stream_socket create_stream_socket_perms;
-+ allow init_t daemon:unix_dgram_socket create_socket_perms;
-+ allow init_t daemon:tcp_socket create_stream_socket_perms;
-+ allow init_t daemon:udp_socket create_socket_perms;
-+ allow daemon init_t:unix_dgram_socket sendto;
-+ # need write to /var/run/systemd/notify
-+ init_write_pid_socket(daemon)
-+ allow daemon init_t:unix_stream_socket { append write read getattr ioctl };
-+')
++allow init_t daemon:unix_stream_socket create_stream_socket_perms;
++allow init_t daemon:unix_dgram_socket create_socket_perms;
++allow init_t daemon:tcp_socket create_stream_socket_perms;
++allow init_t daemon:udp_socket create_socket_perms;
++allow daemon init_t:unix_dgram_socket sendto;
++# need write to /var/run/systemd/notify
++init_write_pid_socket(daemon)
++allow daemon init_t:unix_stream_socket { append write read getattr ioctl };
+
+# daemons started from init will
+# inherit fds from init for the console
@@ -121516,32 +121686,19 @@ index 4a88fa1..b6196d7 100644
+
+dontaudit systemprocess init_t:unix_stream_socket getattr;
+
++allow init_t daemon:unix_stream_socket create_stream_socket_perms;
++allow init_t daemon:unix_dgram_socket create_socket_perms;
++allow daemon init_t:unix_stream_socket ioctl;
++allow daemon init_t:unix_dgram_socket sendto;
++# need write to /var/run/systemd/notify
++init_write_pid_socket(daemon)
+
-+tunable_policy(`init_systemd',`
-+ allow init_t daemon:unix_stream_socket create_stream_socket_perms;
-+ allow init_t daemon:unix_dgram_socket create_socket_perms;
-+ allow daemon init_t:unix_stream_socket ioctl;
-+ allow daemon init_t:unix_dgram_socket sendto;
-+ # need write to /var/run/systemd/notify
-+ init_write_pid_socket(daemon)
-+')
-+
-+tunable_policy(`init_systemd',`
-+ # Handle upstart/systemd direct transition to a executable
-+ allow init_t systemprocess:process { dyntransition siginh };
-+ allow init_t systemprocess:unix_stream_socket create_stream_socket_perms;
-+ allow init_t systemprocess:unix_dgram_socket create_socket_perms;
-+ allow systemprocess init_t:unix_dgram_socket sendto;
-+ allow systemprocess init_t:unix_stream_socket { append write read getattr ioctl };
-+')
-+
-+ifdef(`hide_broken_symptoms',`
-+ # RHEL4 systems seem to have a stray
-+ # fds open from the initrd
-+ ifdef(`distro_rhel4',`
-+ kernel_dontaudit_use_fds(systemprocess)
-+ ')
-+')
++# Handle upstart/systemd direct transition to a executable
++allow init_t systemprocess:process { dyntransition siginh };
++allow init_t systemprocess:unix_stream_socket create_stream_socket_perms;
++allow init_t systemprocess:unix_dgram_socket create_socket_perms;
++allow systemprocess init_t:unix_dgram_socket sendto;
++allow systemprocess init_t:unix_stream_socket { append write read getattr ioctl };
+
+userdom_dontaudit_search_user_home_dirs(systemprocess)
+userdom_dontaudit_rw_stream(systemprocess)
@@ -121592,6 +121749,25 @@ index 4a88fa1..b6196d7 100644
+#ifdef(`enable_mls',`
+# mls_rangetrans_target(systemprocess)
+#')
++
++allow initrc_domain daemon:process transition;
++allow daemon initrc_domain:fd use;
++allow daemon initrc_domain:fifo_file rw_inherited_fifo_file_perms;
++allow daemon initrc_domain:process sigchld;
++allow initrc_domain direct_init_entry:file { getattr open read execute };
++
++allow systemprocess initrc_domain:fd use;
++allow systemprocess initrc_domain:fifo_file rw_inherited_fifo_file_perms;
++allow systemprocess initrc_domain:process sigchld;
++allow initrc_domain systemprocess_entry:file { getattr open read execute };
++allow initrc_domain systemprocess:process transition;
++
++ifdef(`direct_sysadm_daemon',`
++ allow daemon direct_run_init:fd use;
++ allow daemon direct_run_init:fifo_file rw_inherited_fifo_file_perms;
++ allow daemon direct_run_init:process sigchld;
++ allow direct_run_init direct_init_entry:file { getattr open read execute };
++')
diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
index ec85acb..662e79b 100644
--- a/policy/modules/system/ipsec.fc
@@ -122521,9 +122697,26 @@ index 808ba93..f94b80a 100644
+ files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload~")
+')
diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
-index ad01883..8cc29a5 100644
+index ad01883..a003fa8 100644
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
+@@ -32,14 +32,14 @@ files_tmp_file(ldconfig_tmp_t)
+ # lib_t is the type of files in the system lib directories.
+ #
+ type lib_t alias shlib_t;
+-files_type(lib_t)
++files_ro_base_file(lib_t)
+
+ #
+ # textrel_shlib_t is the type of shared objects in the system lib
+ # directories, which require text relocation.
+ #
+ type textrel_shlib_t alias texrel_shlib_t;
+-files_type(textrel_shlib_t)
++files_ro_base_file(textrel_shlib_t)
+
+ ifdef(`distro_gentoo',`
+ # openrc unfortunately mounts a tmpfs
@@ -59,9 +59,11 @@ optional_policy(`
allow ldconfig_t self:capability { dac_override sys_chroot };
@@ -124661,10 +124854,10 @@ index 72c746e..f035d9f 100644
+/usr/sbin/umount\.ecryptfs_private -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
+/usr/sbin/umount\.ecryptfs -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
-index 4584457..5b041ee 100644
+index 4584457..0b81a4b 100644
--- a/policy/modules/system/mount.if
+++ b/policy/modules/system/mount.if
-@@ -16,6 +16,12 @@ interface(`mount_domtrans',`
+@@ -16,6 +16,13 @@ interface(`mount_domtrans',`
')
domtrans_pattern($1, mount_exec_t, mount_t)
@@ -124673,11 +124866,12 @@ index 4584457..5b041ee 100644
+ allow $1 mount_t:fd use;
+ ps_process_pattern(mount_t, $1)
+
++ allow mount_t $1:key write;
+ allow mount_t $1:unix_stream_socket { read write };
')
########################################
-@@ -38,11 +44,84 @@ interface(`mount_domtrans',`
+@@ -38,11 +45,84 @@ interface(`mount_domtrans',`
#
interface(`mount_run',`
gen_require(`
@@ -124764,7 +124958,7 @@ index 4584457..5b041ee 100644
')
########################################
-@@ -91,7 +170,7 @@ interface(`mount_signal',`
+@@ -91,7 +171,7 @@ interface(`mount_signal',`
## </summary>
## <param name="domain">
## <summary>
@@ -124773,7 +124967,7 @@ index 4584457..5b041ee 100644
## </summary>
## </param>
#
-@@ -131,45 +210,138 @@ interface(`mount_send_nfs_client_request',`
+@@ -131,45 +211,138 @@ interface(`mount_send_nfs_client_request',`
########################################
## <summary>
@@ -128399,10 +128593,10 @@ index 0000000..693ded2
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..b7022eb
+index 0000000..05da975
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,445 @@
+@@ -0,0 +1,444 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -128416,11 +128610,11 @@ index 0000000..b7022eb
+
+type systemd_logger_t;
+type systemd_logger_exec_t;
-+init_systemd_domain(systemd_logger_t, systemd_logger_exec_t)
++init_daemon_domain(systemd_logger_t, systemd_logger_exec_t)
+
+type systemd_logind_t;
+type systemd_logind_exec_t;
-+init_systemd_domain(systemd_logind_t, systemd_logind_exec_t)
++init_daemon_domain(systemd_logind_t, systemd_logind_exec_t)
+
+# /run/systemd/sessions
+type systemd_logind_sessions_t;
@@ -128446,11 +128640,11 @@ index 0000000..b7022eb
+# domain for systemd-tmpfiles component
+type systemd_tmpfiles_t;
+type systemd_tmpfiles_exec_t;
-+init_systemd_domain(systemd_tmpfiles_t, systemd_tmpfiles_exec_t)
++init_daemon_domain(systemd_tmpfiles_t, systemd_tmpfiles_exec_t)
+
+type systemd_notify_t;
+type systemd_notify_exec_t;
-+init_systemd_domain(systemd_notify_t, systemd_notify_exec_t)
++init_daemon_domain(systemd_notify_t, systemd_notify_exec_t)
+
+# type for systemd unit files
+type systemd_unit_file_t;
@@ -128847,7 +129041,6 @@ index 0000000..b7022eb
+init_read_state(systemctl_domain)
+init_list_pid_dirs(systemctl_domain)
+init_use_fds(systemctl_domain)
-+
diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
index 2575393..49fd32e 100644
--- a/policy/modules/system/udev.fc
diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch
index a687e60..170c14a 100644
--- a/policy_contrib-rawhide.patch
+++ b/policy_contrib-rawhide.patch
@@ -42140,10 +42140,10 @@ index 0000000..9dcdaa8
+')
diff --git a/phpfpm.te b/phpfpm.te
new file mode 100644
-index 0000000..a27f1e3
+index 0000000..4e2336b
--- /dev/null
+++ b/phpfpm.te
-@@ -0,0 +1,52 @@
+@@ -0,0 +1,60 @@
+policy_module(phpfpm, 1.0.0)
+
+########################################
@@ -42193,9 +42193,17 @@ index 0000000..a27f1e3
+
+auth_use_nsswitch(phpfpm_t)
+
++dev_read_rand(phpfpm_t)
++dev_read_urand(phpfpm_t)
++
+logging_send_syslog_msg(phpfpm_t)
+
+sysnet_dns_name_resolve(phpfpm_t)
++
++optional_policy(`
++ mysql_stream_connect(phpfpm_t)
++ mysql_tcp_connect(phpfpm_t)
++')
diff --git a/pingd.if b/pingd.if
index 8688aae..cf34fc1 100644
--- a/pingd.if
diff --git a/selinux-policy.spec b/selinux-policy.spec
index f8ca994..4768ecb 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.11.1
-Release: 26%{?dist}
+Release: 27%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -521,6 +521,10 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Thu Sep 27 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-27
+- Remove init_systemd and init_upstart boolean, Move init_daemon_domain and init_system_domain to use attributes
+- Add attribute to all base os types. Allow all domains to read all ro base OS types
+
* Wed Sep 26 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-26
- Additional unit files to be defined as power unit files
- Fix more boolean names
More information about the scm-commits
mailing list