[selinux-policy] * Wed Jan 9 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-1 - Mass merge with upstream
Miroslav Grepl
mgrepl at fedoraproject.org
Wed Jan 9 12:17:57 UTC 2013
commit 23a9442e407e8054de39cbaa770bcf6b7acf7949
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Wed Jan 9 13:16:35 2013 +0100
* Wed Jan 9 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-1
- Mass merge with upstream
modules-mls-contrib.conf | 2 +-
modules-targeted-contrib.conf | 21 +-
modules-targeted.conf | 2 +-
policy-rawhide-base.patch | 3694 +-
policy-rawhide-contrib.patch |82892 +++++++++++++++++++++++------------------
selinux-policy.spec | 7 +-
6 files changed, 49175 insertions(+), 37443 deletions(-)
---
diff --git a/modules-mls-contrib.conf b/modules-mls-contrib.conf
index 858f1eb..0fc3d2f 100644
--- a/modules-mls-contrib.conf
+++ b/modules-mls-contrib.conf
@@ -290,7 +290,7 @@ comsat = module
#
# ConsoleKit is a system daemon for tracking what users are logged
#
-consolekit = module
+#consolekit = module
# Layer: services
# Module: corosync
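Review bot: Commenting out `consolekit = module` removes the module from the built policy, and the same change is made in the modules-targeted-contrib.conf and modules-targeted.conf hunks below, so this note covers all three. Once the module is gone, any other module that still calls one of its interfaces fails to build, because an undefined interface name is left unexpanded rather than silently dropped; confirm no caller in the contrib patch remains. The binary, if it is still shipped, would also no longer get its own domain, which is presumably intended but is not recorded anywhere — the changelog entry says only "Mass merge with upstream", and a line such as `- Disable consolekit module` would make the decision visible.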
diff --git a/modules-targeted-contrib.conf b/modules-targeted-contrib.conf
index 4e522bb..9e07238 100644
--- a/modules-targeted-contrib.conf
+++ b/modules-targeted-contrib.conf
@@ -395,7 +395,7 @@ condor = module
#
# ConsoleKit is a system daemon for tracking what users are logged
#
-consolekit = module
+#consolekit = module
# Layer: services
# Module: corosync
@@ -444,14 +444,7 @@ cron = module
#
# Cluster Daemon
#
-ctdbd = module
-
-# Layer: services
-# Module: ctdbd
-#
-# ctdbd - The CTDB cluster daemon
-#
-ctdbd = module
+ctdb = module
# Layer: services
# Module: cups
@@ -643,11 +636,11 @@ exim = module
fail2ban = module
# Layer: services
-# Module: fcoemon
+# Module: fcoe
#
-# fcoemon
+# fcoe
#
-fcoemon = module
+fcoe = module
# Layer: services
# Module: fetchmail
@@ -864,7 +857,7 @@ iscsi = module
#
#
#
-isnsd = module
+isns = module
# Layer: services
# Module: jabber
@@ -948,7 +941,7 @@ ktalk = module
#
# Layer 2 Tunnelling Protocol Daemon
#
-l2tpd = module
+l2tp = module
# Layer: services
# Module: ldap
diff --git a/modules-targeted.conf b/modules-targeted.conf
index 7110e91..227ecab 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -390,7 +390,7 @@ clock = module
#
# ConsoleKit is a system daemon for tracking what users are logged
#
-consolekit = module
+#consolekit = module
# Layer: admin
# Module: consoletype
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 901141a..2ecf31a 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -1,5 +1,5 @@
diff --git a/Makefile b/Makefile
-index 39a3d40..f69289d 100644
+index 85d4cfb..b51cf37 100644
--- a/Makefile
+++ b/Makefile
@@ -61,6 +61,7 @@ SEMODULE ?= $(tc_usrsbindir)/semodule
@@ -110364,7 +110364,7 @@ index 4705ab6..11a1ae6 100644
+gen_tunable(selinuxuser_tcp_server,false)
+
diff --git a/policy/mcs b/policy/mcs
-index f477c7f..ff7369c 100644
+index 216b3d1..552c23a 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -1,4 +1,6 @@
@@ -110374,47 +110374,13 @@ index f477c7f..ff7369c 100644
#
# Define sensitivities
#
-@@ -69,28 +71,48 @@ gen_levels(1,mcs_num_cats)
- # - /proc/pid operations are not constrained.
-
- mlsconstrain file { read ioctl lock execute execute_no_trans }
-- (( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain ));
-+ (( h1 dom h2 ) or ( t1 == mcsreadall ) or
-+ (( t1 != mcsuntrustedproc ) and (t2 == domain)));
-
- mlsconstrain file { write setattr append unlink link rename }
-- (( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain ));
-+ (( h1 dom h2 ) or ( t1 == mcswriteall ) or
-+ (( t1 != mcsuntrustedproc ) and (t2 == domain)));
-
- mlsconstrain dir { search read ioctl lock }
-- (( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain ));
-+ (( h1 dom h2 ) or ( t1 == mcsreadall ) or
-+ (( t1 != mcsuntrustedproc ) and (t2 == domain)));
-
- mlsconstrain dir { write setattr append unlink link rename add_name remove_name }
-- (( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain ));
-+ (( h1 dom h2 ) or ( t1 == mcswriteall ) or
-+ (( t1 != mcsuntrustedproc ) and (t2 == domain)));
-+
-+mlsconstrain fifo_file { open }
-+ (( h1 dom h2 ) or ( t1 == mcsreadall ) or
-+ (( t1 != mcsuntrustedproc ) and ( t2 == domain )));
-+
-+mlsconstrain { lnk_file chr_file blk_file sock_file } { getattr read ioctl }
-+ (( h1 dom h2 ) or ( t1 == mcsreadall ) or
-+ (( t1 != mcsuntrustedproc ) and (t2 == domain)));
-+
-+mlsconstrain { lnk_file chr_file blk_file sock_file } { write setattr }
-+ (( h1 dom h2 ) or ( t1 == mcswriteall ) or
-+ (( t1 != mcsuntrustedproc ) and (t2 == domain)));
-
+@@ -99,14 +101,18 @@ mlsconstrain { lnk_file chr_file blk_file sock_file } { write setattr }
# New filesystem object labels must be dominated by the relabeling subject
# clearance, also the objects are single-level.
mlsconstrain file { create relabelto }
- (( h1 dom h2 ) and ( l2 eq h2 ));
+ ((( h1 dom h2 ) and ( l2 eq h2 )) or
-+ ( t1 != mcsuntrustedproc ));
++ ( t1 != mcs_constrained_type ));
# new file labels must be dominated by the relabeling subject clearance
mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
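Review bot: After this hunk the only Fedora change left on the `file { create relabelto }` constraint is the disjunct `( t1 != mcs_constrained_type )`, which exempts every domain without that attribute from both the dominance check and the single-level requirement described in the comment above it, and nothing in the patch says why. A comment above the constraint would help the next rebase, e.g. `# Fedora: only mcs_constrained_type domains are held to the create/relabelto level check; all other domains are exempt`. The rename from `mcsuntrustedproc` to `mcs_constrained_type` is applied consistently here, in the following mcs hunk and in the corenetwork.te.in call `mcs_constrained(netlabel_peer_t)`.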
@@ -110430,38 +110396,28 @@ index f477c7f..ff7369c 100644
mlsconstrain process { transition dyntransition }
(( h1 dom h2 ) or ( t1 == mcssetcats ));
-@@ -101,6 +123,9 @@ mlsconstrain process { ptrace }
- mlsconstrain process { sigkill sigstop }
- (( h1 dom h2 ) or ( t1 == mcskillall ));
-
-+mlsconstrain process { signal }
-+ (( h1 dom h2 ) or ( t1 != mcsuntrustedproc ));
-+
- #
- # MCS policy for SELinux-enabled databases
- #
-@@ -144,4 +169,23 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute }
+@@ -166,4 +172,23 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute }
mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export }
( h1 dom h2 );
+mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
-+ (( h1 dom h2 ) or ( t1 != mcsuntrustedproc ));
++ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+
+# the node recvfrom/sendto ops, the recvfrom permission is a "write" operation
+# because the subject in this particular case is the remote domain which is
+# writing data out the network node which is acting as the object
+mlsconstrain { node } { recvfrom sendto }
-+ (( l1 dom l2 ) or (t1 != mcsuntrustedproc));
++ (( l1 dom l2 ) or (t1 != mcs_constrained_type));
+
+mlsconstrain { packet peer } { recv }
+ (( l1 dom l2 ) or
-+ ((t1 != mcsuntrustedproc) and (t2 != mcsuntrustedproc)));
++ ((t1 != mcs_constrained_type) and (t2 != mcs_constrained_type)));
+
+# the netif ingress/egress ops, the ingress permission is a "write" operation
+# because the subject in this particular case is the remote domain which is
+# writing data out the network interface which is acting as the object
+mlsconstrain { netif } { egress ingress }
-+ (( l1 dom l2 ) or (t1 != mcsuntrustedproc));
++ (( l1 dom l2 ) or (t1 != mcs_constrained_type));
+
') dnl end enable_mcs
diff --git a/policy/mls b/policy/mls
@@ -110513,7 +110469,7 @@ index 7a6f06f..bf04b0a 100644
-/usr/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+/var/lib/os-prober(/.*)? gen_context(system_u:object_r:bootloader_var_lib_t,s0)
diff --git a/policy/modules/admin/bootloader.if b/policy/modules/admin/bootloader.if
-index a778bb1..5e914db 100644
+index cc8df9d..5e914db 100644
--- a/policy/modules/admin/bootloader.if
+++ b/policy/modules/admin/bootloader.if
@@ -19,6 +19,24 @@ interface(`bootloader_domtrans',`
@@ -110541,7 +110497,7 @@ index a778bb1..5e914db 100644
########################################
## <summary>
## Execute bootloader interactively and do
-@@ -38,11 +56,21 @@ interface(`bootloader_domtrans',`
+@@ -38,30 +56,21 @@ interface(`bootloader_domtrans',`
#
interface(`bootloader_run',`
gen_require(`
@@ -110555,9 +110511,26 @@ index a778bb1..5e914db 100644
+
bootloader_domtrans($1)
- roleattribute $2 bootloader_roles;
-+
+-')
+
+-########################################
+-## <summary>
+-## Execute bootloader in the caller domain.
+-## </summary>
+-## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+-## </param>
+-#
+-interface(`bootloader_exec',`
+- gen_require(`
+- type bootloader_exec_t;
+- ')
+ role $2 types bootloader_t;
-+
+
+- corecmd_search_bin($1)
+- can_exec($1, bootloader_exec_t)
+ ifdef(`distro_redhat',`
+ # for mke2fs
+ mount_run(bootloader_t, $2)
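Review bot: The new side of the patch now deletes upstream's `bootloader_exec` interface outright (the `+-` lines from the `########` banner through `+- can_exec($1, bootloader_exec_t)`) without providing a replacement. Any module that still calls `bootloader_exec()` will then fail to build, since an undefined interface name is left unexpanded in the policy source, so either remove the callers in the same commit or keep the interface. The enclosing `bootloader_run` interface starts and ends outside this hunk, so the surrounding `role $2 types bootloader_t;` and `mount_run` additions could not be checked in context.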
@@ -110565,7 +110538,7 @@ index a778bb1..5e914db 100644
')
########################################
-@@ -100,7 +128,7 @@ interface(`bootloader_rw_tmp_files',`
+@@ -119,7 +128,7 @@ interface(`bootloader_rw_tmp_files',`
')
files_search_tmp($1)
@@ -110574,7 +110547,7 @@ index a778bb1..5e914db 100644
')
########################################
-@@ -122,3 +150,22 @@ interface(`bootloader_create_runtime_file',`
+@@ -141,3 +150,22 @@ interface(`bootloader_create_runtime_file',`
allow $1 boot_runtime_t:file { create_file_perms rw_file_perms };
files_boot_filetrans($1, boot_runtime_t, file)
')
@@ -110598,10 +110571,10 @@ index a778bb1..5e914db 100644
+ files_etc_filetrans($1,bootloader_etc_t,file, "yaboot.conf")
+')
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
-index ab0439a..57890fe 100644
+index e3dbbb8..15f25f0 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
-@@ -5,8 +5,8 @@ policy_module(bootloader, 1.13.0)
+@@ -5,8 +5,8 @@ policy_module(bootloader, 1.13.2)
# Declarations
#
@@ -110779,7 +110752,7 @@ index ab0439a..57890fe 100644
')
optional_policy(`
-- nscd_socket_use(bootloader_t)
+- nscd_use(bootloader_t)
+ rpm_rw_pipes(bootloader_t)
')
@@ -111023,10 +110996,10 @@ index c6ca761..0c86bfd 100644
')
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
-index e0791b9..db9ddf7 100644
+index 8128de8..0880523 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
-@@ -7,10 +7,10 @@ policy_module(netutils, 1.11.0)
+@@ -7,10 +7,10 @@ policy_module(netutils, 1.11.2)
## <desc>
## <p>
@@ -111039,14 +111012,7 @@ index e0791b9..db9ddf7 100644
type netutils_t;
type netutils_exec_t;
-@@ -35,12 +35,13 @@ init_system_domain(traceroute_t, traceroute_exec_t)
- # Perform network administration operations and have raw access to the network.
- allow netutils_t self:capability { net_admin net_raw setuid setgid };
- dontaudit netutils_t self:capability sys_tty_config;
--allow netutils_t self:process signal_perms;
-+allow netutils_t self:process { setcap signal_perms };
- allow netutils_t self:netlink_route_socket create_netlink_socket_perms;
- allow netutils_t self:packet_socket create_socket_perms;
+@@ -42,6 +42,7 @@ allow netutils_t self:packet_socket create_socket_perms;
allow netutils_t self:udp_socket create_socket_perms;
allow netutils_t self:tcp_socket create_stream_socket_perms;
allow netutils_t self:socket create_socket_perms;
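Review bot: The dropped Fedora hunk (`-+allow netutils_t self:process { setcap signal_perms };`) is not carried into the new `@@ -42,6 +42,7 @@` hunk, so `setcap` on `netutils_t self:process` survives only if upstream netutils 1.11.2 already grants it, which this diff does not show. If upstream does not, the merge silently regresses that permission; worth checking the merged netutils.te before the build is shipped. The remaining lines of this hunk are only hunk-header renumbering.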
@@ -111054,9 +111020,9 @@ index e0791b9..db9ddf7 100644
manage_dirs_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t)
manage_files_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t)
-@@ -48,8 +49,9 @@ files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })
-
+@@ -50,8 +51,9 @@ files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })
kernel_search_proc(netutils_t)
+ kernel_read_network_state(netutils_t)
kernel_read_all_sysctls(netutils_t)
+kernel_read_network_state(netutils_t)
+kernel_request_load_module(netutils_t)
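Review bot: `kernel_read_network_state(netutils_t)` now appears twice after this hunk: once as upstream context (`+ kernel_read_network_state(netutils_t)`) and again as the patch's own addition two lines below. The policy compiler merges duplicate allow rules, so this is redundancy rather than a bug, but it keeps the Fedora patch larger than it needs to be and will confuse the next rebase. Drop the `+kernel_read_network_state(netutils_t)` line and keep only `+kernel_request_load_module(netutils_t)` as the Fedora addition.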
@@ -111065,7 +111031,7 @@ index e0791b9..db9ddf7 100644
corenet_all_recvfrom_netlabel(netutils_t)
corenet_tcp_sendrecv_generic_if(netutils_t)
corenet_raw_sendrecv_generic_if(netutils_t)
-@@ -64,6 +66,9 @@ corenet_sendrecv_all_client_packets(netutils_t)
+@@ -66,6 +68,9 @@ corenet_sendrecv_all_client_packets(netutils_t)
corenet_udp_bind_generic_node(netutils_t)
dev_read_sysfs(netutils_t)
@@ -111075,7 +111041,7 @@ index e0791b9..db9ddf7 100644
fs_getattr_xattr_fs(netutils_t)
-@@ -80,10 +85,9 @@ auth_use_nsswitch(netutils_t)
+@@ -82,10 +87,9 @@ auth_use_nsswitch(netutils_t)
logging_send_syslog_msg(netutils_t)
@@ -111087,7 +111053,7 @@ index e0791b9..db9ddf7 100644
userdom_use_all_users_fds(netutils_t)
optional_policy(`
-@@ -104,13 +108,14 @@ optional_policy(`
+@@ -106,13 +110,14 @@ optional_policy(`
#
allow ping_t self:capability { setuid net_raw };
@@ -111105,7 +111071,7 @@ index e0791b9..db9ddf7 100644
corenet_all_recvfrom_netlabel(ping_t)
corenet_tcp_sendrecv_generic_if(ping_t)
corenet_raw_sendrecv_generic_if(ping_t)
-@@ -120,6 +125,7 @@ corenet_raw_bind_generic_node(ping_t)
+@@ -122,6 +127,7 @@ corenet_raw_bind_generic_node(ping_t)
corenet_tcp_sendrecv_all_ports(ping_t)
fs_dontaudit_getattr_xattr_fs(ping_t)
@@ -111113,7 +111079,7 @@ index e0791b9..db9ddf7 100644
domain_use_interactive_fds(ping_t)
-@@ -130,11 +136,9 @@ kernel_read_system_state(ping_t)
+@@ -132,11 +138,9 @@ kernel_read_system_state(ping_t)
auth_use_nsswitch(ping_t)
@@ -111127,7 +111093,7 @@ index e0791b9..db9ddf7 100644
ifdef(`hide_broken_symptoms',`
init_dontaudit_use_fds(ping_t)
-@@ -145,11 +149,25 @@ ifdef(`hide_broken_symptoms',`
+@@ -147,11 +151,25 @@ ifdef(`hide_broken_symptoms',`
')
')
@@ -111153,7 +111119,7 @@ index e0791b9..db9ddf7 100644
pcmcia_use_cardmgr_fds(ping_t)
')
-@@ -157,6 +175,15 @@ optional_policy(`
+@@ -159,6 +177,15 @@ optional_policy(`
hotplug_use_fds(ping_t)
')
@@ -111169,7 +111135,7 @@ index e0791b9..db9ddf7 100644
########################################
#
# Traceroute local policy
-@@ -170,7 +197,6 @@ allow traceroute_t self:udp_socket create_socket_perms;
+@@ -172,7 +199,6 @@ allow traceroute_t self:udp_socket create_socket_perms;
kernel_read_system_state(traceroute_t)
kernel_read_network_state(traceroute_t)
@@ -111177,7 +111143,7 @@ index e0791b9..db9ddf7 100644
corenet_all_recvfrom_netlabel(traceroute_t)
corenet_tcp_sendrecv_generic_if(traceroute_t)
corenet_udp_sendrecv_generic_if(traceroute_t)
-@@ -194,6 +220,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
+@@ -196,6 +222,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
domain_use_interactive_fds(traceroute_t)
files_read_etc_files(traceroute_t)
@@ -111185,7 +111151,7 @@ index e0791b9..db9ddf7 100644
files_dontaudit_search_var(traceroute_t)
init_use_fds(traceroute_t)
-@@ -202,11 +229,17 @@ auth_use_nsswitch(traceroute_t)
+@@ -204,11 +231,17 @@ auth_use_nsswitch(traceroute_t)
logging_send_syslog_msg(traceroute_t)
@@ -111568,7 +111534,7 @@ index f82f0ce..204bdc8 100644
/usr/sbin/pwunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
/usr/sbin/useradd -- gen_context(system_u:object_r:useradd_exec_t,s0)
diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if
-index 98b8b2d..41f4994 100644
+index 99e3903..7270808 100644
--- a/policy/modules/admin/usermanage.if
+++ b/policy/modules/admin/usermanage.if
@@ -17,10 +17,6 @@ interface(`usermanage_domtrans_chfn',`
@@ -111662,7 +111628,7 @@ index 98b8b2d..41f4994 100644
')
########################################
-@@ -156,11 +176,35 @@ interface(`usermanage_kill_passwd',`
+@@ -174,11 +194,35 @@ interface(`usermanage_check_exec_passwd',`
#
interface(`usermanage_run_passwd',`
gen_require(`
@@ -111700,7 +111666,7 @@ index 98b8b2d..41f4994 100644
')
########################################
-@@ -203,11 +247,20 @@ interface(`usermanage_domtrans_admin_passwd',`
+@@ -221,11 +265,20 @@ interface(`usermanage_domtrans_admin_passwd',`
#
interface(`usermanage_run_admin_passwd',`
gen_require(`
@@ -111723,7 +111689,7 @@ index 98b8b2d..41f4994 100644
')
########################################
-@@ -245,10 +298,6 @@ interface(`usermanage_domtrans_useradd',`
+@@ -263,10 +316,6 @@ interface(`usermanage_domtrans_useradd',`
corecmd_search_bin($1)
domtrans_pattern($1, useradd_exec_t, useradd_t)
@@ -111734,7 +111700,7 @@ index 98b8b2d..41f4994 100644
')
########################################
-@@ -270,11 +319,38 @@ interface(`usermanage_domtrans_useradd',`
+@@ -306,11 +355,38 @@ interface(`usermanage_check_exec_useradd',`
#
interface(`usermanage_run_useradd',`
gen_require(`
@@ -111776,10 +111742,10 @@ index 98b8b2d..41f4994 100644
########################################
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 673180c..82cfc6e 100644
+index d555767..2f68b4d 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
-@@ -5,18 +5,18 @@ policy_module(usermanage, 1.18.0)
+@@ -5,18 +5,18 @@ policy_module(usermanage, 1.18.1)
# Declarations
#
@@ -112416,7 +112382,7 @@ index 7590165..19aaaed 100644
+ fs_mounton_fusefs(seunshare_domain)
+')
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index db981df..e2c87b3 100644
+index 644d4d7..0c58f76 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -1,9 +1,10 @@
@@ -112439,7 +112405,7 @@ index db981df..e2c87b3 100644
/etc/avahi/.*\.action -- gen_context(system_u:object_r:bin_t,s0)
/etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0)
-@@ -71,10 +73,18 @@ ifdef(`distro_redhat',`
+@@ -69,6 +71,13 @@ ifdef(`distro_redhat',`
/etc/kde/env(/.*)? gen_context(system_u:object_r:bin_t,s0)
/etc/kde/shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -112451,14 +112417,17 @@ index db981df..e2c87b3 100644
+/etc/lxdm/Xsession -- gen_context(system_u:object_r:bin_t,s0)
+
/etc/mail/make -- gen_context(system_u:object_r:bin_t,s0)
- /etc/mcelog/cache-error-trigger -- gen_context(system_u:object_r:bin_t,s0)
- /etc/mcelog/triggers(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+ /etc/mcelog/.*-error-trigger -- gen_context(system_u:object_r:bin_t,s0)
+@@ -79,6 +88,7 @@ ifdef(`distro_redhat',`
+ ')
+
/etc/mgetty\+sendfax/new_fax -- gen_context(system_u:object_r:bin_t,s0)
+/etc/munin/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
/etc/netplug\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -97,8 +107,6 @@ ifdef(`distro_redhat',`
+@@ -101,8 +111,6 @@ ifdef(`distro_redhat',`
/etc/rc\.d/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0)
@@ -112467,7 +112436,7 @@ index db981df..e2c87b3 100644
/etc/sysconfig/crond -- gen_context(system_u:object_r:bin_t,s0)
/etc/sysconfig/init -- gen_context(system_u:object_r:bin_t,s0)
/etc/sysconfig/libvirtd -- gen_context(system_u:object_r:bin_t,s0)
-@@ -130,10 +138,11 @@ ifdef(`distro_debian',`
+@@ -134,10 +142,11 @@ ifdef(`distro_debian',`
/lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0)
/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
@@ -112480,7 +112449,7 @@ index db981df..e2c87b3 100644
ifdef(`distro_gentoo',`
/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0)
-@@ -147,7 +156,7 @@ ifdef(`distro_gentoo',`
+@@ -151,7 +160,7 @@ ifdef(`distro_gentoo',`
#
# /sbin
#
@@ -112489,7 +112458,7 @@ index db981df..e2c87b3 100644
/sbin/.* gen_context(system_u:object_r:bin_t,s0)
/sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0)
/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0)
-@@ -163,6 +172,7 @@ ifdef(`distro_gentoo',`
+@@ -167,6 +176,7 @@ ifdef(`distro_gentoo',`
/opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/opt/google/talkplugin(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -112497,7 +112466,7 @@ index db981df..e2c87b3 100644
/opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -174,53 +184,80 @@ ifdef(`distro_gentoo',`
+@@ -178,33 +188,49 @@ ifdef(`distro_gentoo',`
/opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
')
@@ -112555,16 +112524,10 @@ index db981df..e2c87b3 100644
+/usr/lib/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0)
--/usr/lib/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0)
--/usr/lib/mailman/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
--/usr/lib/mailman/mail(/.*)? gen_context(system_u:object_r:bin_t,s0)
--/usr/lib/mediawiki/math/texvc.* gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/mailman.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/mailman.*/mail(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/MailScanner(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/mediawiki/math/texvc.* gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
+@@ -215,18 +241,28 @@ ifdef(`distro_gentoo',`
+ /usr/lib/mailman/mail(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/mediawiki/math/texvc.* gen_context(system_u:object_r:bin_t,s0)
/usr/lib/misc/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/nagios/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/netsaint/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -112598,7 +112561,7 @@ index db981df..e2c87b3 100644
/usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/exo-1/exo-helper-1 -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/panel/migrate -- gen_context(system_u:object_r:bin_t,s0)
-@@ -235,10 +272,15 @@ ifdef(`distro_gentoo',`
+@@ -241,10 +277,15 @@ ifdef(`distro_gentoo',`
/usr/lib/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
@@ -112614,21 +112577,20 @@ index db981df..e2c87b3 100644
/usr/lib/[^/]*/run-mozilla\.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
-@@ -251,11 +293,17 @@ ifdef(`distro_gentoo',`
+@@ -257,10 +298,17 @@ ifdef(`distro_gentoo',`
/usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
--/usr/local/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0)
-/usr/local/Brother(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/local/Printer(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/xfce4(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/usr/Brother(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/usr/Printer(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/Brother(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/Printer(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/Brother/(.*/)?inf/brprintconf.* gen_context(system_u:object_r:bin_t,s0)
+/usr/Brother/(.*/)?inf/setup.* gen_context(system_u:object_r:bin_t,s0)
-+/usr/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+/usr/sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0)
+/usr/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0)
@@ -112636,7 +112598,7 @@ index db981df..e2c87b3 100644
/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -271,10 +319,15 @@ ifdef(`distro_gentoo',`
+@@ -276,10 +324,15 @@ ifdef(`distro_gentoo',`
/usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0)
@@ -112652,7 +112614,7 @@ index db981df..e2c87b3 100644
/usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
-@@ -289,16 +342,21 @@ ifdef(`distro_gentoo',`
+@@ -294,16 +347,21 @@ ifdef(`distro_gentoo',`
/usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0)
@@ -112676,7 +112638,7 @@ index db981df..e2c87b3 100644
ifdef(`distro_debian',`
/usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0)
-@@ -314,8 +372,12 @@ ifdef(`distro_redhat', `
+@@ -321,8 +379,12 @@ ifdef(`distro_redhat', `
/etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0)
/etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0)
@@ -112689,7 +112651,7 @@ index db981df..e2c87b3 100644
/usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -325,9 +387,11 @@ ifdef(`distro_redhat', `
+@@ -332,9 +394,11 @@ ifdef(`distro_redhat', `
/usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -112701,7 +112663,7 @@ index db981df..e2c87b3 100644
/usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -376,11 +440,15 @@ ifdef(`distro_suse', `
+@@ -383,11 +447,15 @@ ifdef(`distro_suse', `
#
# /var
#
@@ -112718,7 +112680,7 @@ index db981df..e2c87b3 100644
/usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)
/var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0)
-@@ -390,3 +458,12 @@ ifdef(`distro_suse', `
+@@ -397,3 +465,12 @@ ifdef(`distro_suse', `
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -112918,7 +112880,7 @@ index 9e9263a..87d577e 100644
+ filetrans_pattern($1, bin_t, $2, $3, $4)
+')
diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
-index 1dd0427..6d6f456 100644
+index 43090a0..a784e8e 100644
--- a/policy/modules/kernel/corecommands.te
+++ b/policy/modules/kernel/corecommands.te
@@ -13,7 +13,8 @@ attribute exec_type;
@@ -114385,10 +114347,10 @@ index 8e0f9cd..b9f45b9 100644
define(`create_packet_interfaces',``
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index fe2ee5e..72c5a3b 100644
+index 4edc40d..ae311f6 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
-@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.0)
+@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4)
# Declarations
#
@@ -114442,7 +114404,7 @@ index fe2ee5e..72c5a3b 100644
#
type netlabel_peer_t;
sid netmsg gen_context(system_u:object_r:netlabel_peer_t,mls_systemhigh)
-+mcs_untrusted_proc(netlabel_peer_t)
++mcs_constrained(netlabel_peer_t)
#
# port_t is the default type of INET port numbers.
@@ -114459,79 +114421,57 @@ index fe2ee5e..72c5a3b 100644
# reserved_port_t is the type of INET port numbers below 1024.
#
type reserved_port_t, port_type, reserved_port_type;
-@@ -74,30 +97,39 @@ type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type;
- type server_packet_t, packet_type, server_packet_type;
-
- network_port(afs_bos, udp,7007,s0)
-+network_port(afs_client, udp,7001,s0)
- network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0)
- network_port(afs_ka, udp,7004,s0)
- network_port(afs_pt, udp,7002,s0)
- network_port(afs_vl, udp,7003,s0)
- network_port(agentx, udp,705,s0, tcp,705,s0)
-+network_port(ajaxterm, tcp,8022,s0)
- network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0)
+@@ -84,10 +107,9 @@ network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0)
network_port(amavisd_recv, tcp,10024,s0)
network_port(amavisd_send, tcp,10025,s0)
network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0)
-network_port(aol, udp,5190-5193,s0, tcp,5190-5193,s0)
+network_port(aol, udp,5190-5193,s0, tcp,5190-5193,s0)
network_port(apcupsd, tcp,3551,s0, udp,3551,s0)
-+network_port(apertus_ldp, tcp,539,s0, udp,539,s0)
+ network_port(apertus_ldp, tcp,539,s0, udp,539,s0)
+-network_port(armtechdaemon, tcp,9292,s0, udp,9292,s0)
network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0)
network_port(audit, tcp,60,s0)
network_port(auth, tcp,113,s0)
- network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
- network_port(boinc, tcp,31416,s0)
-+network_port(boinc_client_ctrl, tcp,1043,s0)
- network_port(biff) # no defined portcon
- network_port(certmaster, tcp,51235,s0)
- network_port(chronyd, udp,323,s0)
- network_port(clamd, tcp,3310,s0)
- network_port(clockspeed, udp,4041,s0)
- network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006-50008,s0, udp,50006-50008,s0)
-+network_port(cma, tcp,1050,s0, udp,1050,s0)
- network_port(cobbler, tcp,25151,s0)
-+network_port(commplex, tcp,5001,s0, udp,5001,s0)
+@@ -107,7 +129,6 @@ network_port(commplex_main, tcp,5000,s0, udp,5000,s0)
network_port(comsat, udp,512,s0)
-+network_port(condor, tcp, 9618,s0, udp, 9618,s0)
-+network_port(couchdb, tcp,5984,s0, udp,5984,s0)
-+network_port(ctdb, tcp,4379,s0, udp,4379,s0)
+ network_port(condor, tcp,9618,s0, udp,9618,s0)
+ network_port(couchdb, tcp,5984,s0, udp,5984,s0)
+-network_port(cslistener, tcp,9000,s0, udp,9000,s0)
+ network_port(ctdb, tcp,4379,s0, udp,4397,s0)
network_port(cvs, tcp,2401,s0, udp,2401,s0)
network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0)
- network_port(daap, tcp,3689,s0, udp,3689,s0)
-@@ -108,14 +140,23 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0)
+@@ -119,18 +140,23 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,5546,s0,
network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
network_port(dict, tcp,2628,s0)
network_port(distccd, tcp,3632,s0)
+-network_port(dns, tcp,53,s0, udp,53,s0)
+network_port(dogtag, tcp,7390,s0)
- network_port(dns, udp,53,s0, tcp,53,s0)
++network_port(dns, udp,53,s0, tcp,53,s0)
+network_port(dnssec, tcp,8955,s0)
+network_port(echo, tcp,7,s0, udp,7,s0)
+ network_port(efs, tcp,520,s0)
+ network_port(embrace_dp_c, tcp,3198,s0, udp,3198,s0)
network_port(epmap, tcp,135,s0, udp,135,s0)
-+network_port(epmd, tcp,4369,s0, udp,4369,s0)
-+network_port(festival, tcp,1314,s0)
+ network_port(epmd, tcp,4369,s0, udp,4369,s0)
network_port(fingerd, tcp,79,s0)
-+network_port(firebird, tcp,3050,s0, udp,3050,s0)
+network_port(flash, tcp,843,s0, tcp,1935,s0, udp,1935,s0)
-+network_port(fprot, tcp,10200,s0)
network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0)
network_port(ftp_data, tcp,20,s0)
network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
+ network_port(gds_db, tcp,3050,s0, udp,3050,s0)
network_port(giftd, tcp,1213,s0)
network_port(git, tcp,9418,s0, udp,9418,s0)
+network_port(glance, tcp,9292,s0, udp,9292,s0)
network_port(glance_registry, tcp,9191,s0, udp,9191,s0)
network_port(gopher, tcp,70,s0, udp,70,s0)
network_port(gpsd, tcp,2947,s0)
-@@ -123,104 +164,139 @@ network_port(hadoop_datanode, tcp,50010,s0)
- network_port(hadoop_namenode, tcp,8020,s0)
+@@ -139,45 +165,51 @@ network_port(hadoop_namenode, tcp,8020,s0)
network_port(hddtemp, tcp,7634,s0)
network_port(howl, tcp,5335,s0, udp,5353,s0)
--network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
+ network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0)
-network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
-network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy
-+network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0)
+network_port(http, tcp,80,s0, tcp,81,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0,tcp,9000, s0) #8443 is mod_nss default port
+network_port(http_cache, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,8123,s0, tcp,10001-10010,s0) # 8118 is for privoxy
network_port(i18n_input, tcp,9010,s0)
@@ -114539,8 +114479,8 @@ index fe2ee5e..72c5a3b 100644
-network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
+network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
network_port(innd, tcp,119,s0)
-+network_port(interwise, tcp,7778,s0, udp,7778,s0)
-+network_port(ionixnetmon, tcp,7410,s0, udp,7410,s0)
+ network_port(interwise, tcp,7778,s0, udp,7778,s0)
+ network_port(ionixnetmon, tcp,7410,s0, udp,7410,s0)
network_port(ipmi, udp,623,s0, udp,664,s0)
network_port(ipp, tcp,631,s0, udp,631,s0, tcp,8610-8614,s0, udp,8610-8614,s0)
network_port(ipsecnat, tcp,4500,s0, udp,4500,s0)
@@ -114551,22 +114491,24 @@ index fe2ee5e..72c5a3b 100644
network_port(isns, tcp,3205,s0, udp,3205,s0)
network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
network_port(jabber_interserver, tcp,5269,s0)
+-network_port(jboss_iiop, tcp,3528,s0, udp,3528,s0)
-network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
-network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
-network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
-network_port(kismet, tcp,2501,s0)
+network_port(jabber_router, tcp,5347,s0)
+network_port(jacorb, tcp,3528,s0, tcp,3529,s0)
-+network_port(jboss_debug, tcp,8787,s0)
++network_port(jboss_debug, tcp,8787,s0, udp,8787,s0)
+network_port(jboss_messaging, tcp,5445,s0, tcp,5455,s0)
+network_port(jboss_management, tcp,4712,s0, udp,4712,s0, tcp,4447,s0, tcp,7600,s0, tcp,9123,s0, udp,9123,s0, tcp, 9990, s0, tcp, 9999, s0, tcp, 18001, s0)
+network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0, tcp,4444,s0, udp,4444,s0)
+network_port(kerberos_admin, tcp,749,s0)
+network_port(kerberos_password, tcp,464,s0, udp,464,s0)
-+network_port(keystone, tcp,5000,s0, udp,5000,s0, tcp, 35357,s0, udp, 35357,s0)
++network_port(keystone, tcp, 35357,s0, udp, 35357,s0)
+network_port(rtsclient, tcp,2501,s0)
network_port(kprop, tcp,754,s0)
network_port(ktalkd, udp,517,s0, udp,518,s0)
+-network_port(l2tp, tcp,1701,s0, udp,1701,s0)
-network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
+network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0, tcp, 7389,s0)
network_port(lirc, tcp,8765,s0)
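Review bot: The `+-network_port(l2tp, tcp,1701,s0, udp,1701,s0)` line at L773 makes the patch delete upstream's l2tp declaration with no replacement visible in this hunk, so unless the patch declares `l2tp` elsewhere, port 1701 is left without a specific portcon and `l2tp_port_t` becomes an undefined type for any module that references it. The keystone line at L769 also drops tcp/udp 5000 relative to the line it replaces (L768); if the keystone domain still binds 5000, its rules on `keystone_port_t` no longer cover that port and whatever type now labels 5000 has to be allowed to it instead, which should be stated in the commit. The `jboss_iiop` to `jacorb` switch at L754/L760 likewise removes `jboss_iiop_port_t`, so any caller of that type in the contrib patch needs the matching rename.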
@@ -114581,46 +114523,44 @@ index fe2ee5e..72c5a3b 100644
network_port(mmcc, tcp,5050,s0, udp,5050,s0)
+network_port(mongod, tcp,27017,s0)
network_port(monopd, tcp,1234,s0)
-+network_port(movaz_ssc, tcp,5252,s0)
+ network_port(mountd, tcp,20048,s0, udp,20048,s0)
+ network_port(movaz_ssc, tcp,5252,s0, udp,5252,s0)
network_port(mpd, tcp,6600,s0)
+-network_port(msgsrvr, tcp,8787,s0, udp,8787,s0)
network_port(msnp, tcp,1863,s0, udp,1863,s0)
network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
- network_port(munin, tcp,4949,s0, udp,4949,s0)
-+network_port(mxi, tcp,8005, s0, udp, 8005,s0)
- network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
- network_port(mysqlmanagerd, tcp,2273,s0)
+ network_port(ms_streaming, tcp,1755,s0, udp,1755,s0)
+@@ -188,13 +220,13 @@ network_port(mysqlmanagerd, tcp,2273,s0)
network_port(nessus, tcp,1241,s0)
network_port(netport, tcp,3129,s0, udp,3129,s0)
network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
+-network_port(nfs, tcp,2049,s0, udp,2049,s0)
+-network_port(nfsrdma, tcp,20049,s0, udp,20049,s0)
+network_port(nfs, tcp,2049,s0, udp,2049,s0, tcp,20048-20049,s0, udp,20048-20049,s0)
network_port(nmbd, udp,137,s0, udp,138,s0)
+network_port(nodejs_debug, tcp,5858,s0, udp,5858,s0)
network_port(ntop, tcp,3000-3001,s0, udp,3000-3001,s0)
network_port(ntp, udp,123,s0)
--network_port(oracledb, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0)
+network_port(oracle, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0)
+ network_port(oa_system, tcp,8022,s0, udp,8022,s0)
+-network_port(oracledb, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0)
network_port(ocsp, tcp,9080,s0)
+ network_port(openhpid, tcp,4743,s0, udp,4743,s0)
network_port(openvpn, tcp,1194,s0, udp,1194,s0)
-+network_port(openhpid, tcp,4743,s0, udp,4743,s0)
-+network_port(pktcable, tcp,2126,s0, udp,2126,s0, tcp,3198,s0, udp,3198,s0)
- network_port(pegasus_http, tcp,5988,s0)
+@@ -203,6 +235,12 @@ network_port(pegasus_http, tcp,5988,s0)
network_port(pegasus_https, tcp,5989,s0)
network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
network_port(pingd, tcp,9125,s0)
-+network_port(piranha, tcp,3636,s0)
+network_port(pki_ca, tcp, 9180, s0, tcp, 9701, s0, tcp, 9443-9447, s0)
+network_port(pki_kra, tcp, 10180, s0, tcp, 10701, s0, tcp, 10443-10446, s0)
+network_port(pki_ocsp, tcp, 11180, s0, tcp, 11701, s0, tcp, 11443-11446, s0)
+network_port(pki_tks, tcp, 13180, s0, tcp, 13701, s0, tcp, 13443-13446, s0)
+network_port(pki_ra, tcp,12888-12889,s0)
+network_port(pki_tps, tcp,7888-7889,s0)
+ network_port(pktcable_cops, tcp,2126,s0, udp,2126,s0)
network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
network_port(portmap, udp,111,s0, tcp,111,s0)
- network_port(postfix_policyd, tcp,10031,s0)
- network_port(postgresql, tcp,5432,s0)
- network_port(postgrey, tcp,60000,s0)
-+network_port(pptp, tcp, 1723,s0, udp, 1723, s0)
- network_port(prelude, tcp,4690,s0, udp,4690,s0)
+@@ -214,14 +252,16 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
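Review bot: The nfs line at L799 claims `tcp,20048-20049,s0, udp,20048-20049,s0` while the upstream `mountd` entry kept as context at L782 already claims 20048 for both protocols, and by the file's own rule that earlier portcon entries take precedence, mountd keeps 20048 and the nfs range only ever labels 20049. The declaration should say what it actually does, `network_port(nfs, tcp,2049,s0, udp,2049,s0, tcp,20049,s0, udp,20049,s0)`, or the mountd entry should be dropped if nfs_port_t is meant to own both ports. The `+-network_port(nfsrdma, ...)` removal at L798 also deletes `nfsrdma_port_t`; confirm no contrib module still references it.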
@@ -114638,73 +114578,53 @@ index fe2ee5e..72c5a3b 100644
network_port(repository, tcp, 6363, s0)
network_port(ricci, tcp,11111,s0, udp,11111,s0)
network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
- network_port(rlogind, tcp,513,s0)
--network_port(rndc, tcp,953,s0)
--network_port(router, udp,520,s0, udp,521,s0, tcp,521,s0)
-+network_port(rndc, tcp,953,s0, tcp,8953,s0)
-+network_port(router, udp,520-521,s0, tcp,521,s0)
- network_port(rsh, tcp,514,s0)
- network_port(rsync, tcp,873,s0, udp,873,s0)
+@@ -233,19 +273,20 @@ network_port(rsync, tcp,873,s0, udp,873,s0)
+ network_port(rtsp, tcp,554,s0, udp,554,s0)
network_port(rwho, udp,513,s0)
network_port(sap, tcp,9875,s0, udp,9875,s0)
+network_port(saphostctrl, tcp,1128,s0, tcp,1129,s0)
-+network_port(sametime, tcp,1533,s0, udp,1533,s0)
+ network_port(servistaitsm, tcp,3636,s0, udp,3636,s0)
network_port(sieve, tcp,4190,s0)
network_port(sip, tcp,5060,s0, udp,5060,s0, tcp,5061,s0, udp,5061,s0)
network_port(sixxsconfig, tcp,3874,s0, udp,3874,s0)
network_port(smbd, tcp,137-139,s0, tcp,445,s0)
network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
--network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0, tcp, 1161, s0)
--network_port(socks) # no defined portcon
+-network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0, tcp,1161,s0)
+network_port(snmp, tcp,161-162,s0, udp,161-162,s0, tcp,199,s0, tcp, 1161, s0)
-+type socks_port_t, port_type; dnl network_port(socks) # no defined portcon
+ network_port(socks) # no defined portcon
network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0)
-network_port(spamd, tcp,783,s0)
+network_port(spamd, tcp,783,s0, tcp, 10026, s0, tcp, 10027, s0)
network_port(speech, tcp,8036,s0)
-network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
+-network_port(ssdp, tcp,1900,s0, udp,1900,s0)
+network_port(squid, tcp,3128,s0, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
+network_port(ssdp, tcp,1900,s0, udp, 1900, s0)
network_port(ssh, tcp,22,s0)
-+network_port(streaming, tcp, 554, s0, udp, 554, s0, tcp, 1755, s0, udp, 1755, s0)
-+network_port(svn, tcp,3690,s0, udp,3690,s0)
network_port(stunnel) # no defined portcon
- network_port(swat, tcp,901,s0)
--network_port(syslogd, udp,514,s0)
-+network_port(sype, tcp,9911,s0, udp,9911,s0)
-+network_port(syslogd, udp,514,s0, tcp,6514,s0, udp,6514,s0)
- network_port(tcs, tcp, 30003, s0)
- network_port(telnetd, tcp,23,s0)
+ network_port(svn, tcp,3690,s0, udp,3690,s0)
+@@ -259,6 +300,7 @@ network_port(telnetd, tcp,23,s0)
network_port(tftp, udp,69,s0)
--network_port(tor, tcp, 6969, s0, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0, tcp,9051,s0)
-+network_port(tor, tcp, 6969, s0, tcp,9001,s0, tcp,9030,s0, tcp,9051,s0)
-+network_port(tor_socks, tcp,9050,s0)
+ network_port(tor, tcp,6969,s0, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0, tcp,9051,s0)
network_port(traceroute, udp,64000-64010,s0)
+network_port(tram, tcp, 4567, s0)
network_port(transproxy, tcp,8081,s0)
+ network_port(trisoap, tcp,10200,s0, udp,10200,s0)
network_port(ups, tcp,3493,s0)
- network_port(utcpserver) # no defined portcon
-@@ -228,9 +304,12 @@ network_port(uucpd, tcp,540,s0)
- network_port(varnishd, tcp,6081-6082,s0)
+@@ -268,10 +310,10 @@ network_port(varnishd, tcp,6081-6082,s0)
network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
+ network_port(virtual_places, tcp,1533,s0, udp,1533,s0)
network_port(virt_migration, tcp,49152-49216,s0)
-network_port(vnc, tcp,5900,s0)
+network_port(vnc, tcp,5900-5983,s0, tcp,5985-5999,s0)
network_port(wccp, udp,2048,s0)
-+network_port(websm, tcp,9090,s0, udp,9090,s0)
- network_port(whois, tcp,43,s0, udp,43,s0, tcp, 4321, s0 , udp, 4321, s0 )
-+network_port(winshadow, tcp, 3261, s0, udp, 3261,s0)
-+network_port(wsicopy, tcp, 3378, s0, udp, 3378,s0)
- network_port(xdmcp, udp,177,s0, tcp,177,s0)
- network_port(xen, tcp,8002,s0)
- network_port(xfs, tcp,7100,s0)
-@@ -242,17 +321,22 @@ network_port(zookeeper_client, tcp,2181,s0)
- network_port(zookeeper_election, tcp,3888,s0)
- network_port(zookeeper_leader, tcp,2888,s0)
- network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0)
-+network_port(zented, tcp,1229,s0, udp,1229,s0)
- network_port(zope, tcp,8021,s0)
-
+ network_port(websm, tcp,9090,s0, udp,9090,s0)
+-network_port(whois, tcp,43,s0, udp,43,s0, tcp,4321,s0, udp,4321,s0)
++network_port(whois, tcp,43,s0, udp,43,s0, tcp, 4321, s0 , udp, 4321, s0 )
+ network_port(winshadow, tcp,3161,s0, udp,3261,s0)
+ network_port(wsdapi, tcp,5357,s0, udp,5357,s0)
+ network_port(wsicopy, tcp,3378,s0, udp,3378,s0)
+@@ -292,12 +334,16 @@ network_port(zope, tcp,8021,s0)
# Defaults for reserved ports. Earlier portcon entries take precedence;
# these entries just cover any remaining reserved ports not otherwise declared.
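Review bot: The winshadow context line at L923 declares `tcp,3161,s0, udp,3261,s0`, a different port for TCP than for UDP, whereas the patch line it supersedes at L908 used 3261 for both; this looks like a transposed digit in the upstream text and should be confirmed before it is carried, since a domain granted `winshadow_port_t` would then be allowed TCP 3161 rather than 3261 and 3261/tcp would be left unlabeled. At L921–L922 the patch replaces the whois line with a byte-for-byte equivalent that differs only in spacing; both lines can be dropped from the patch, which then carries no whois change at all. The `tor_socks` declaration is no longer added (L889 removed, L890 keeps 9050 inside `tor`), so any contrib module that references `tor_socks_port_t` needs updating in the same change.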
@@ -114723,7 +114643,7 @@ index fe2ee5e..72c5a3b 100644
########################################
#
-@@ -297,9 +381,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -342,9 +388,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
allow corenet_unconfined_type node_type:node *;
allow corenet_unconfined_type netif_type:netif *;
allow corenet_unconfined_type packet_type:packet *;
@@ -114775,16 +114695,17 @@ index 3f6e168..51ad69a 100644
')
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
-index 02b7ac1..b30f7b8 100644
+index b31c054..3a628fe 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
-@@ -15,14 +15,17 @@
+@@ -15,15 +15,17 @@
/dev/atibm -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/autofs.* -c gen_context(system_u:object_r:autofs_device_t,s0)
+/dev/bsr.* -c gen_context(system_u:object_r:cpu_device_t,s0)
/dev/beep -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/btrfs-control -c gen_context(system_u:object_r:lvm_control_t,s0)
+-/dev/cachefiles -c gen_context(system_u:object_r:cachefiles_device_t,s0)
/dev/controlD64 -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
/dev/crash -c gen_context(system_u:object_r:crash_device_t,mls_systemhigh)
/dev/dahdi/.* -c gen_context(system_u:object_r:sound_device_t,s0)
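Review bot: The `+-/dev/cachefiles` line at L952 makes the patch strip upstream's specific label for the cachefiles character device, so unless another module labels that node it presumably falls back to the generic /dev label, which is reachable by every domain allowed generic device access rather than only by the cachefiles user. The matching removals of `dev_rw_cachefiles` (L1010–L1032) and of `cachefiles_device_t` (L1358–L1359) are consistent with this one, but the replacement labeling is not visible in this commit and the description does not say where it lives.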
@@ -114797,26 +114718,22 @@ index 02b7ac1..b30f7b8 100644
/dev/efirtc -c gen_context(system_u:object_r:clock_device_t,s0)
/dev/elographics/e2201 -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/em8300.* -c gen_context(system_u:object_r:v4l_device_t,s0)
-@@ -57,8 +60,11 @@
- /dev/lirc[0-9]+ -c gen_context(system_u:object_r:lirc_device_t,s0)
- /dev/lircm -c gen_context(system_u:object_r:mouse_device_t,s0)
- /dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0)
-+/dev/loop-control -c gen_context(system_u:object_r:loop_control_device_t,s0)
+@@ -61,7 +63,8 @@
+ /dev/loop-control -c gen_context(system_u:object_r:loop_control_device_t,s0)
/dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
/dev/mcelog -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
+-/dev/mei -c gen_context(system_u:object_r:mei_device_t,s0)
+/dev/media.* -c gen_context(system_u:object_r:v4l_device_t,s0)
-+/dev/mei -c gen_context(system_u:object_r:mei_device_t,s0)
++/dev/mei -c gen_context(system_u:object_r:mei_device_t,s0)
/dev/mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
/dev/mergemem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
/dev/mga_vid.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
-@@ -125,13 +131,15 @@ ifdef(`distro_suse', `
- /dev/vrtpanel -c gen_context(system_u:object_r:mouse_device_t,s0)
+@@ -129,12 +132,14 @@ ifdef(`distro_suse', `
/dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0)
--/dev/watchdog -c gen_context(system_u:object_r:watchdog_device_t,s0)
-+/dev/watchdog.* -c gen_context(system_u:object_r:watchdog_device_t,s0)
+ /dev/watchdog.* -c gen_context(system_u:object_r:watchdog_device_t,s0)
+/dev/cdc-wdm[0-1] -c gen_context(system_u:object_r:modem_device_t,s0)
- /dev/winradio. -c gen_context(system_u:object_r:v4l_device_t,s0)
+ /dev/winradio.* -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/z90crypt -c gen_context(system_u:object_r:crypt_device_t,s0)
/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0)
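Review bot: At L969 and L972 the patch now removes and re-adds an identical `/dev/mei` entry solely so that `/dev/media.*` at L970 sits in front of it; inserting `/dev/media.*` as a single added line ahead of the unchanged `/dev/mei` context keeps the patch a pure addition and avoids a conflict the next time upstream touches that line. The `/dev/cdc-wdm[0-1]` pattern at L984 matches only the first two such devices, so a third would get the generic label rather than `modem_device_t`; if that is not intended, `/dev/cdc-wdm[0-9]+` covers them all.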
@@ -114826,7 +114743,7 @@ index 02b7ac1..b30f7b8 100644
/dev/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
/dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0)
-@@ -195,12 +203,22 @@ ifdef(`distro_debian',`
+@@ -198,12 +203,22 @@ ifdef(`distro_debian',`
/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
@@ -114852,7 +114769,7 @@ index 02b7ac1..b30f7b8 100644
+/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
+/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index d820975..a8b5aa9 100644
+index 76f285e..f7e9534 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -115166,7 +115083,33 @@ index d820975..a8b5aa9 100644
## Delete all block device files.
## </summary>
## <param name="domain">
-@@ -1663,6 +1829,26 @@ interface(`dev_filetrans_cardmgr',`
+@@ -1560,25 +1726,6 @@ interface(`dev_relabel_autofs_dev',`
+
+ ########################################
+ ## <summary>
+-## Read and write cachefiles character
+-## device nodes.
+-## </summary>
+-## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+-## </param>
+-#
+-interface(`dev_rw_cachefiles',`
+- gen_require(`
+- type device_t, cachefiles_device_t;
+- ')
+-
+- rw_chr_files_pattern($1, device_t, cachefiles_device_t)
+-')
+-
+-########################################
+-## <summary>
+ ## Read and write the PCMCIA card manager device.
+ ## </summary>
+ ## <param name="domain">
+@@ -1682,6 +1829,26 @@ interface(`dev_filetrans_cardmgr',`
########################################
## <summary>
@@ -115193,7 +115136,7 @@ index d820975..a8b5aa9 100644
## Get the attributes of the CPU
## microcode and id interfaces.
## </summary>
-@@ -1772,6 +1958,24 @@ interface(`dev_rw_crypto',`
+@@ -1791,6 +1958,24 @@ interface(`dev_rw_crypto',`
rw_chr_files_pattern($1, device_t, crypt_device_t)
')
@@ -115218,7 +115161,7 @@ index d820975..a8b5aa9 100644
#######################################
## <summary>
## Set the attributes of the dlm control devices.
-@@ -2383,7 +2587,7 @@ interface(`dev_filetrans_lirc',`
+@@ -2402,7 +2587,7 @@ interface(`dev_filetrans_lirc',`
########################################
## <summary>
@@ -115227,7 +115170,7 @@ index d820975..a8b5aa9 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2391,17 +2595,17 @@ interface(`dev_filetrans_lirc',`
+@@ -2410,17 +2595,17 @@ interface(`dev_filetrans_lirc',`
## </summary>
## </param>
#
@@ -115249,7 +115192,7 @@ index d820975..a8b5aa9 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2409,17 +2613,17 @@ interface(`dev_getattr_lvm_control',`
+@@ -2428,17 +2613,17 @@ interface(`dev_getattr_lvm_control',`
## </summary>
## </param>
#
@@ -115271,7 +115214,7 @@ index d820975..a8b5aa9 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2427,17 +2631,17 @@ interface(`dev_read_lvm_control',`
+@@ -2446,17 +2631,17 @@ interface(`dev_read_lvm_control',`
## </summary>
## </param>
#
@@ -115293,7 +115236,7 @@ index d820975..a8b5aa9 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2445,17 +2649,17 @@ interface(`dev_rw_lvm_control',`
+@@ -2464,17 +2649,17 @@ interface(`dev_rw_lvm_control',`
## </summary>
## </param>
#
@@ -115315,7 +115258,7 @@ index d820975..a8b5aa9 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2463,35 +2667,35 @@ interface(`dev_dontaudit_rw_lvm_control',`
+@@ -2482,35 +2667,35 @@ interface(`dev_dontaudit_rw_lvm_control',`
## </summary>
## </param>
#
@@ -115360,7 +115303,7 @@ index d820975..a8b5aa9 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2499,62 +2703,53 @@ interface(`dev_dontaudit_getattr_memory_dev',`
+@@ -2518,44 +2703,134 @@ interface(`dev_dontaudit_getattr_memory_dev',`
## </summary>
## </param>
#
@@ -115412,36 +115355,27 @@ index d820975..a8b5aa9 100644
## <summary>
-## Domain allowed access.
+## Domain to not audit.
- ## </summary>
- ## </param>
- #
--interface(`dev_write_raw_memory',`
++## </summary>
++## </param>
++#
+interface(`dev_dontaudit_rw_lvm_control',`
- gen_require(`
-- type device_t, memory_device_t;
-- attribute memory_raw_write;
++ gen_require(`
+ type lvm_control_t;
- ')
-
-- write_chr_files_pattern($1, device_t, memory_device_t)
--
-- allow $1 self:capability sys_rawio;
-- typeattribute $1 memory_raw_write;
++ ')
++
+ dontaudit $1 lvm_control_t:chr_file rw_file_perms;
- ')
-
- ########################################
- ## <summary>
--## Read and execute raw memory devices (e.g. /dev/mem).
++')
++
++########################################
++## <summary>
+## Delete the lvm control device.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -2562,7 +2757,106 @@ interface(`dev_write_raw_memory',`
- ## </summary>
- ## </param>
- #
--interface(`dev_rx_raw_memory',`
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
+interface(`dev_delete_lvm_control_dev',`
+ gen_require(`
+ type device_t, lvm_control_t;
@@ -115516,36 +115450,10 @@ index d820975..a8b5aa9 100644
+## <param name="domain">
+## <summary>
+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`dev_write_raw_memory',`
-+ gen_require(`
-+ type device_t, memory_device_t;
-+ attribute memory_raw_write;
-+ ')
-+
-+ write_chr_files_pattern($1, device_t, memory_device_t)
-+
-+ allow $1 self:capability sys_rawio;
-+ typeattribute $1 memory_raw_write;
-+')
-+
-+########################################
-+## <summary>
-+## Read and execute raw memory devices (e.g. /dev/mem).
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`dev_rx_raw_memory',`
- gen_require(`
- type device_t, memory_device_t;
- ')
-@@ -2706,7 +3000,7 @@ interface(`dev_write_misc',`
+ ## </summary>
+ ## </param>
+ #
+@@ -2725,7 +3000,7 @@ interface(`dev_write_misc',`
## </summary>
## <param name="domain">
## <summary>
@@ -115554,7 +115462,7 @@ index d820975..a8b5aa9 100644
## </summary>
## </param>
#
-@@ -2956,8 +3250,8 @@ interface(`dev_dontaudit_write_mtrr',`
+@@ -2975,8 +3250,8 @@ interface(`dev_dontaudit_write_mtrr',`
type mtrr_device_t;
')
@@ -115565,7 +115473,7 @@ index d820975..a8b5aa9 100644
')
########################################
-@@ -3125,6 +3419,42 @@ interface(`dev_create_null_dev',`
+@@ -3144,6 +3419,42 @@ interface(`dev_create_null_dev',`
########################################
## <summary>
@@ -115608,7 +115516,7 @@ index d820975..a8b5aa9 100644
## Do not audit attempts to get the attributes
## of the BIOS non-volatile RAM device.
## </summary>
-@@ -3235,7 +3565,25 @@ interface(`dev_rw_printer',`
+@@ -3254,7 +3565,25 @@ interface(`dev_rw_printer',`
########################################
## <summary>
@@ -115635,7 +115543,7 @@ index d820975..a8b5aa9 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3243,12 +3591,13 @@ interface(`dev_rw_printer',`
+@@ -3262,12 +3591,13 @@ interface(`dev_rw_printer',`
## </summary>
## </param>
#
@@ -115652,7 +115560,7 @@ index d820975..a8b5aa9 100644
')
########################################
-@@ -3836,6 +4185,42 @@ interface(`dev_getattr_sysfs_dirs',`
+@@ -3855,6 +4185,42 @@ interface(`dev_getattr_sysfs_dirs',`
########################################
## <summary>
@@ -115695,7 +115603,7 @@ index d820975..a8b5aa9 100644
## Search the sysfs directories.
## </summary>
## <param name="domain">
-@@ -3885,6 +4270,7 @@ interface(`dev_list_sysfs',`
+@@ -3904,6 +4270,7 @@ interface(`dev_list_sysfs',`
type sysfs_t;
')
@@ -115703,7 +115611,7 @@ index d820975..a8b5aa9 100644
list_dirs_pattern($1, sysfs_t, sysfs_t)
')
-@@ -3927,23 +4313,49 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
+@@ -3946,23 +4313,49 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
########################################
## <summary>
@@ -115724,7 +115632,7 @@ index d820975..a8b5aa9 100644
#
-interface(`dev_manage_sysfs_dirs',`
+interface(`dev_read_cpu_online',`
- gen_require(`
++ gen_require(`
+ type cpu_online_t;
+ ')
+
@@ -115743,7 +115651,7 @@ index d820975..a8b5aa9 100644
+## </param>
+#
+interface(`dev_relabel_cpu_online',`
-+ gen_require(`
+ gen_require(`
+ type cpu_online_t;
type sysfs_t;
')
@@ -115757,7 +115665,7 @@ index d820975..a8b5aa9 100644
########################################
## <summary>
## Read hardware state information.
-@@ -3997,6 +4409,62 @@ interface(`dev_rw_sysfs',`
+@@ -4016,6 +4409,62 @@ interface(`dev_rw_sysfs',`
########################################
## <summary>
@@ -115820,7 +115728,7 @@ index d820975..a8b5aa9 100644
## Read and write the TPM device.
## </summary>
## <param name="domain">
-@@ -4094,6 +4562,25 @@ interface(`dev_write_urand',`
+@@ -4113,6 +4562,25 @@ interface(`dev_write_urand',`
########################################
## <summary>
@@ -115846,32 +115754,7 @@ index d820975..a8b5aa9 100644
## Getattr generic the USB devices.
## </summary>
## <param name="domain">
-@@ -4128,6 +4615,24 @@ interface(`dev_setattr_generic_usb_dev',`
- setattr_chr_files_pattern($1, device_t, usb_device_t)
- ')
-
-+######################################
-+## <summary>
-+## Allow relabeling (to and from) of generic usb device
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed to relabel.
-+## </summary>
-+## </param>
-+#
-+interface(`dev_relabel_generic_usb_dev',`
-+ gen_require(`
-+ type usb_device_t;
-+ ')
-+
-+ relabel_dirs_pattern($1, usb_device_t, usb_device_t)
-+')
-+
- ########################################
- ## <summary>
- ## Read generic the USB devices.
-@@ -4520,6 +5025,24 @@ interface(`dev_rw_vhost',`
+@@ -4557,6 +5025,24 @@ interface(`dev_rw_vhost',`
########################################
## <summary>
@@ -115896,7 +115779,7 @@ index d820975..a8b5aa9 100644
## Read and write VMWare devices.
## </summary>
## <param name="domain">
-@@ -4725,6 +5248,26 @@ interface(`dev_rw_xserver_misc',`
+@@ -4762,6 +5248,26 @@ interface(`dev_rw_xserver_misc',`
########################################
## <summary>
@@ -115923,7 +115806,7 @@ index d820975..a8b5aa9 100644
## Read and write to the zero device (/dev/zero).
## </summary>
## <param name="domain">
-@@ -4814,3 +5357,917 @@ interface(`dev_unconfined',`
+@@ -4851,3 +5357,917 @@ interface(`dev_unconfined',`
typeattribute $1 devices_unconfined_type;
')
@@ -116842,7 +116725,7 @@ index d820975..a8b5aa9 100644
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9")
+')
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
-index 06eda45..ed26516 100644
+index 6529bd9..cfec99c 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -15,11 +15,12 @@ attribute devices_unconfined_type;
@@ -116859,7 +116742,17 @@ index 06eda45..ed26516 100644
#
# Type for /dev/agpgart
-@@ -62,6 +63,9 @@ dev_node(cpu_device_t)
+@@ -43,9 +44,6 @@ type cardmgr_dev_t;
+ dev_node(cardmgr_dev_t)
+ files_tmp_file(cardmgr_dev_t)
+
+-type cachefiles_device_t;
+-dev_node(cachefiles_device_t)
+-
+ #
+ # clock_device_t is the type of
+ # /dev/rtc.
+@@ -65,6 +63,9 @@ dev_node(cpu_device_t)
type crash_device_t;
dev_node(crash_device_t)
@@ -116869,7 +116762,7 @@ index 06eda45..ed26516 100644
# for the IBM zSeries z90crypt hardware ssl accelorator
type crypt_device_t;
dev_node(crypt_device_t)
-@@ -108,6 +112,7 @@ dev_node(ksm_device_t)
+@@ -111,6 +112,7 @@ dev_node(ksm_device_t)
#
type kvm_device_t;
dev_node(kvm_device_t)
@@ -116877,26 +116770,17 @@ index 06eda45..ed26516 100644
#
# Type for /dev/lirc
-@@ -118,9 +123,18 @@ dev_node(lirc_device_t)
- #
- # Type for /dev/mapper/control
- #
-+type loop_control_device_t;
-+dev_node(loop_control_device_t)
-+
+@@ -118,6 +120,9 @@ dev_node(kvm_device_t)
+ type lirc_device_t;
+ dev_node(lirc_device_t)
+
+#
+# Type for /dev/mapper/control
+#
- type lvm_control_t;
- dev_node(lvm_control_t)
+ type loop_control_device_t;
+ dev_node(loop_control_device_t)
-+type mei_device_t;
-+dev_node(mei_device_t)
-+
- #
- # memory_device_t is the type of /dev/kmem,
- # /dev/mem and /dev/port.
-@@ -218,6 +232,10 @@ files_mountpoint(sysfs_t)
+@@ -227,6 +232,10 @@ files_mountpoint(sysfs_t)
fs_type(sysfs_t)
genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)
@@ -116907,7 +116791,7 @@ index 06eda45..ed26516 100644
#
# Type for /dev/tpm
#
-@@ -265,6 +283,7 @@ dev_node(v4l_device_t)
+@@ -274,6 +283,7 @@ dev_node(v4l_device_t)
#
type vhost_device_t;
dev_node(vhost_device_t)
@@ -116915,7 +116799,7 @@ index 06eda45..ed26516 100644
# Type for vmware devices.
type vmware_device_t;
-@@ -310,5 +329,5 @@ files_associate_tmp(device_node)
+@@ -319,5 +329,5 @@ files_associate_tmp(device_node)
#
allow devices_unconfined_type self:capability sys_rawio;
@@ -117063,7 +116947,7 @@ index 6a1e4d1..eee8419 100644
+ dontaudit $1 domain:socket_class_set { read write };
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..09a61e6 100644
+index cf04cb5..7219a2a 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
@@ -117189,7 +117073,7 @@ index cf04cb5..09a61e6 100644
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +227,278 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +227,282 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
allow unconfined_domain_type domain:key *;
@@ -117299,6 +117183,10 @@ index cf04cb5..09a61e6 100644
+')
+
+optional_policy(`
++ postgresql_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
+ postfix_filetrans_named_content(unconfined_domain_type)
+')
+
@@ -117469,7 +117357,7 @@ index cf04cb5..09a61e6 100644
+ ')
+')
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index 8796ca3..cb02728 100644
+index c2c6e05..d0e6d1c 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
@@ -117549,7 +117437,7 @@ index 8796ca3..cb02728 100644
-
ifdef(`distro_suse',`
/etc/defkeymap\.map -- gen_context(system_u:object_r:etc_runtime_t,s0)
- /etc/init\.d/\.depend.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
+ /etc/rc\.d/init\.d/\.depend.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -104,7 +107,7 @@ HOME_ROOT/lost\+found/.* <<none>>
/initrd -d gen_context(system_u:object_r:root_t,s0)
@@ -117686,9 +117574,9 @@ index 8796ca3..cb02728 100644
/var/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0)
+/var/lock -l gen_context(system_u:object_r:var_lock_t,s0)
- /var/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
- /var/lost\+found/.* <<none>>
-@@ -256,6 +272,7 @@ ifndef(`distro_redhat',`
+ /var/log/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
+ /var/log/lost\+found/.* <<none>>
+@@ -262,6 +278,7 @@ ifndef(`distro_redhat',`
/var/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
/var/tmp -l gen_context(system_u:object_r:tmp_t,s0)
@@ -117696,14 +117584,14 @@ index 8796ca3..cb02728 100644
/var/tmp/.* <<none>>
/var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/var/tmp/lost\+found/.* <<none>>
-@@ -264,3 +281,5 @@ ifndef(`distro_redhat',`
+@@ -270,3 +287,5 @@ ifndef(`distro_redhat',`
ifdef(`distro_debian',`
/var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0)
')
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index e1e814d..360fbbd 100644
+index 64ff4d7..e9ebe7b 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -55,6 +55,7 @@
@@ -117909,7 +117797,32 @@ index e1e814d..360fbbd 100644
# satisfy the assertions:
seutil_relabelto_bin_policy($1)
-@@ -1655,6 +1800,24 @@ interface(`files_dontaudit_list_all_mountpoints',`
+@@ -1182,24 +1327,6 @@ interface(`files_list_all',`
+
+ ########################################
+ ## <summary>
+-## Create all files as is.
+-## </summary>
+-## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+-## </param>
+-#
+-interface(`files_create_all_files_as',`
+- gen_require(`
+- attribute file_type;
+- ')
+-
+- allow $1 file_type:kernel_service create_files_as;
+-')
+-
+-########################################
+-## <summary>
+ ## Do not audit attempts to search the
+ ## contents of any directories on extended
+ ## attribute filesystems.
+@@ -1673,6 +1800,24 @@ interface(`files_dontaudit_list_all_mountpoints',`
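Review bot: The patch now deletes upstream's `files_create_all_files_as` interface (L1503–L1520), which is the only place in this diff that grants `file_type:kernel_service create_files_as`; any module calling that interface no longer builds, and the `kernel_service` permission it carried is not re-granted anywhere visible here. If the contrib side defines an equivalent locally, the description should say so, otherwise the interface should stay in place.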
########################################
## <summary>
@@ -117934,7 +117847,7 @@ index e1e814d..360fbbd 100644
## Do not audit attempts to write to mount points.
## </summary>
## <param name="domain">
-@@ -1673,6 +1836,24 @@ interface(`files_dontaudit_write_all_mountpoints',`
+@@ -1691,6 +1836,24 @@ interface(`files_dontaudit_write_all_mountpoints',`
########################################
## <summary>
@@ -117959,50 +117872,48 @@ index e1e814d..360fbbd 100644
## List the contents of the root directory.
## </summary>
## <param name="domain">
-@@ -1856,6 +2037,42 @@ interface(`files_delete_root_dir_entry',`
+@@ -1874,25 +2037,25 @@ interface(`files_delete_root_dir_entry',`
########################################
## <summary>
+-## Associate to root file system.
+## Set attributes of the root directory.
-+## </summary>
+ ## </summary>
+-## <param name="file_type">
+## <param name="domain">
-+## <summary>
+ ## <summary>
+-## Type of the file to associate.
+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_associate_rootfs',`
+interface(`files_setattr_root_dirs',`
-+ gen_require(`
-+ type root_t;
-+ ')
-+
+ gen_require(`
+ type root_t;
+ ')
+
+- allow $1 root_t:filesystem associate;
+ allow $1 root_t:dir setattr_dir_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Relabel to and from rootfs file system.
+## Relabel a rootfs filesystem.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`files_relabel_rootfs',`
-+ gen_require(`
-+ type root_t;
-+ ')
-+
-+ allow $1 root_t:filesystem relabel_file_perms;
-+')
-+
-+########################################
-+## <summary>
- ## Unmount a rootfs filesystem.
## </summary>
## <param name="domain">
-@@ -1874,6 +2091,24 @@ interface(`files_unmount_rootfs',`
+ ## <summary>
+@@ -1905,7 +2068,7 @@ interface(`files_relabel_rootfs',`
+ type root_t;
+ ')
+
+- allow $1 root_t:filesystem { relabelto relabelfrom };
++ allow $1 root_t:filesystem relabel_file_perms;
+ ')
+
+ ########################################
+@@ -1928,6 +2091,24 @@ interface(`files_unmount_rootfs',`
########################################
## <summary>
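Review bot: The new `++ allow $1 root_t:filesystem relabel_file_perms;` line in `files_relabel_rootfs` replaces the explicit `{ relabelto relabelfrom }` with a permission set that, if it is defined as in refpolicy, also carries getattr on the object, so the interface grants slightly more than its summary ("Relabel a rootfs filesystem") states. If the extra permission is wanted, a comment on that line would record it: `# relabel_file_perms also includes filesystem getattr`; otherwise the explicit pair should be kept. The interface header lies outside this hunk, so only the single rule is visible here.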
@@ -118027,7 +117938,7 @@ index e1e814d..360fbbd 100644
## Get attributes of the /boot directory.
## </summary>
## <param name="domain">
-@@ -2573,6 +2808,24 @@ interface(`files_rw_etc_dirs',`
+@@ -2627,6 +2808,24 @@ interface(`files_rw_etc_dirs',`
allow $1 etc_t:dir rw_dir_perms;
')
@@ -118052,7 +117963,7 @@ index e1e814d..360fbbd 100644
##########################################
## <summary>
## Manage generic directories in /etc
-@@ -2644,6 +2897,7 @@ interface(`files_read_etc_files',`
+@@ -2698,6 +2897,7 @@ interface(`files_read_etc_files',`
allow $1 etc_t:dir list_dir_perms;
read_files_pattern($1, etc_t, etc_t)
read_lnk_files_pattern($1, etc_t, etc_t)
@@ -118060,7 +117971,7 @@ index e1e814d..360fbbd 100644
')
########################################
-@@ -2652,7 +2906,7 @@ interface(`files_read_etc_files',`
+@@ -2706,7 +2906,7 @@ interface(`files_read_etc_files',`
## </summary>
## <param name="domain">
## <summary>
@@ -118069,7 +117980,7 @@ index e1e814d..360fbbd 100644
## </summary>
## </param>
#
-@@ -2708,6 +2962,25 @@ interface(`files_manage_etc_files',`
+@@ -2762,6 +2962,25 @@ interface(`files_manage_etc_files',`
########################################
## <summary>
@@ -118087,7 +117998,7 @@ index e1e814d..360fbbd 100644
+ type etc_t;
+ ')
+
-+ dontaudit $1 etc_t:file_class_set audit_access;
++ dontaudit $1 etc_t:dir_file_class_set audit_access;
+')
+
+########################################
@@ -118095,7 +118006,7 @@ index e1e814d..360fbbd 100644
## Delete system configuration files in /etc.
## </summary>
## <param name="domain">
-@@ -2726,6 +2999,24 @@ interface(`files_delete_etc_files',`
+@@ -2780,6 +2999,24 @@ interface(`files_delete_etc_files',`
########################################
## <summary>
@@ -118120,7 +118031,7 @@ index e1e814d..360fbbd 100644
## Execute generic files in /etc.
## </summary>
## <param name="domain">
-@@ -2891,24 +3182,6 @@ interface(`files_delete_boot_flag',`
+@@ -2945,24 +3182,6 @@ interface(`files_delete_boot_flag',`
########################################
## <summary>
@@ -118128,7 +118039,7 @@ index e1e814d..360fbbd 100644
-## </summary>
-## <param name="domain">
-## <summary>
--## Domain allowed access.
+-## Domain to not audit.
-## </summary>
-## </param>
-#
@@ -118145,7 +118056,7 @@ index e1e814d..360fbbd 100644
## Read files in /etc that are dynamically
## created on boot, such as mtab.
## </summary>
-@@ -2949,9 +3222,7 @@ interface(`files_read_etc_runtime_files',`
+@@ -3003,9 +3222,7 @@ interface(`files_read_etc_runtime_files',`
########################################
## <summary>
@@ -118156,7 +118067,7 @@ index e1e814d..360fbbd 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2959,12 +3230,50 @@ interface(`files_read_etc_runtime_files',`
+@@ -3013,18 +3230,17 @@ interface(`files_read_etc_runtime_files',`
## </summary>
## </param>
#
@@ -118168,48 +118079,56 @@ index e1e814d..360fbbd 100644
- dontaudit $1 etc_runtime_t:file { getattr read };
+ dontaudit $1 etc_runtime_t:file setattr;
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Do not audit attempts to write
+-## etc runtime files.
+## Do not audit attempts to write etc_runtime files
-+## </summary>
-+## <param name="domain">
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -3042,15 +3258,35 @@ interface(`files_dontaudit_write_etc_runtime_files',`
+
+ ########################################
+ ## <summary>
+-## Read and write files in /etc that are dynamically
++## Do not audit attempts to read files
++## in /etc that are dynamically
+ ## created on boot, such as mtab.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
+## Domain to not audit.
-+## </summary>
-+## </param>
+ ## </summary>
+ ## </param>
+-## <rolecap/>
+#
-+interface(`files_dontaudit_write_etc_runtime_files',`
++interface(`files_dontaudit_read_etc_runtime_files',`
+ gen_require(`
+ type etc_runtime_t;
+ ')
+
-+ dontaudit $1 etc_runtime_t:file write;
++ dontaudit $1 etc_runtime_t:file { getattr read };
+')
+
+########################################
+## <summary>
-+## Do not audit attempts to read files
-+## in /etc that are dynamically
++## Read and write files in /etc that are dynamically
+## created on boot, such as mtab.
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain to not audit.
++## Domain allowed access.
+## </summary>
+## </param>
-+#
-+interface(`files_dontaudit_read_etc_runtime_files',`
-+ gen_require(`
-+ type etc_runtime_t;
-+ ')
-+
-+ dontaudit $1 etc_runtime_t:file { getattr read };
- ')
-
- ########################################
-@@ -2986,6 +3295,7 @@ interface(`files_rw_etc_runtime_files',`
++## <rolecap/>
+ #
+ interface(`files_rw_etc_runtime_files',`
+ gen_require(`
+@@ -3059,6 +3295,7 @@ interface(`files_rw_etc_runtime_files',`
allow $1 etc_t:dir list_dir_perms;
rw_files_pattern($1, etc_t, etc_runtime_t)
@@ -118217,7 +118136,7 @@ index e1e814d..360fbbd 100644
')
########################################
-@@ -3007,6 +3317,7 @@ interface(`files_manage_etc_runtime_files',`
+@@ -3080,6 +3317,7 @@ interface(`files_manage_etc_runtime_files',`
')
manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
@@ -118225,7 +118144,7 @@ index e1e814d..360fbbd 100644
')
########################################
-@@ -3059,6 +3370,25 @@ interface(`files_getattr_isid_type_dirs',`
+@@ -3132,6 +3370,25 @@ interface(`files_getattr_isid_type_dirs',`
########################################
## <summary>
@@ -118251,7 +118170,7 @@ index e1e814d..360fbbd 100644
## Do not audit attempts to search directories on new filesystems
## that have not yet been labeled.
## </summary>
-@@ -3135,6 +3465,25 @@ interface(`files_delete_isid_type_dirs',`
+@@ -3208,6 +3465,25 @@ interface(`files_delete_isid_type_dirs',`
########################################
## <summary>
@@ -118277,7 +118196,7 @@ index e1e814d..360fbbd 100644
## Create, read, write, and delete directories
## on new filesystems that have not yet been labeled.
## </summary>
-@@ -3382,6 +3731,25 @@ interface(`files_rw_isid_type_blk_files',`
+@@ -3455,6 +3731,25 @@ interface(`files_rw_isid_type_blk_files',`
########################################
## <summary>
@@ -118303,7 +118222,7 @@ index e1e814d..360fbbd 100644
## Create, read, write, and delete block device nodes
## on new filesystems that have not yet been labeled.
## </summary>
-@@ -3723,20 +4091,38 @@ interface(`files_list_mnt',`
+@@ -3796,20 +4091,38 @@ interface(`files_list_mnt',`
######################################
## <summary>
@@ -118343,11 +118262,11 @@ index e1e814d..360fbbd 100644
')
-
- dontaudit $1 mnt_t:dir list_dir_perms;
-+ dontaudit $1 mnt_t:file_class_set audit_access;
++ dontaudit $1 mnt_t:dir_file_class_set audit_access;
')
########################################
-@@ -4126,6 +4512,133 @@ interface(`files_read_world_readable_sockets',`
+@@ -4199,6 +4512,133 @@ interface(`files_read_world_readable_sockets',`
allow $1 readable_t:sock_file read_sock_file_perms;
')
@@ -118481,7 +118400,7 @@ index e1e814d..360fbbd 100644
########################################
## <summary>
## Allow the specified type to associate
-@@ -4148,6 +4661,26 @@ interface(`files_associate_tmp',`
+@@ -4221,6 +4661,26 @@ interface(`files_associate_tmp',`
########################################
## <summary>
@@ -118508,7 +118427,7 @@ index e1e814d..360fbbd 100644
## Get the attributes of the tmp directory (/tmp).
## </summary>
## <param name="domain">
-@@ -4161,6 +4694,7 @@ interface(`files_getattr_tmp_dirs',`
+@@ -4234,17 +4694,37 @@ interface(`files_getattr_tmp_dirs',`
type tmp_t;
')
@@ -118516,7 +118435,29 @@ index e1e814d..360fbbd 100644
allow $1 tmp_t:dir getattr;
')
-@@ -4171,7 +4705,7 @@ interface(`files_getattr_tmp_dirs',`
+ ########################################
+ ## <summary>
++## Do not audit attempts to check the
++## access on tmp files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`files_dontaudit_access_check_tmp',`
++ gen_require(`
++ type etc_t;
++ ')
++
++ dontaudit $1 tmp_t:dir_file_class_set audit_access;
++')
++
++########################################
++## <summary>
+ ## Do not audit attempts to get the
+ ## attributes of the tmp directory (/tmp).
## </summary>
## <param name="domain">
## <summary>
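Review bot: The gen_require block of the new `files_dontaudit_access_check_tmp` interface declares `type etc_t;` while the only rule it emits is `dontaudit $1 tmp_t:dir_file_class_set audit_access;`, so the required type does not match the type used. Change the require to `type tmp_t;` so the interface expands in any module that calls it instead of depending on tmp_t already being in scope, and drop the unused etc_t requirement. The summary "Do not audit attempts to check the access on tmp files" otherwise matches the rule.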
@@ -118525,7 +118466,7 @@ index e1e814d..360fbbd 100644
## </summary>
## </param>
#
-@@ -4198,6 +4732,7 @@ interface(`files_search_tmp',`
+@@ -4271,6 +4751,7 @@ interface(`files_search_tmp',`
type tmp_t;
')
@@ -118533,7 +118474,7 @@ index e1e814d..360fbbd 100644
allow $1 tmp_t:dir search_dir_perms;
')
-@@ -4234,6 +4769,7 @@ interface(`files_list_tmp',`
+@@ -4307,6 +4788,7 @@ interface(`files_list_tmp',`
type tmp_t;
')
@@ -118541,7 +118482,7 @@ index e1e814d..360fbbd 100644
allow $1 tmp_t:dir list_dir_perms;
')
-@@ -4243,7 +4779,7 @@ interface(`files_list_tmp',`
+@@ -4316,7 +4798,7 @@ interface(`files_list_tmp',`
## </summary>
## <param name="domain">
## <summary>
@@ -118550,7 +118491,7 @@ index e1e814d..360fbbd 100644
## </summary>
## </param>
#
-@@ -4255,6 +4791,25 @@ interface(`files_dontaudit_list_tmp',`
+@@ -4328,6 +4810,25 @@ interface(`files_dontaudit_list_tmp',`
dontaudit $1 tmp_t:dir list_dir_perms;
')
@@ -118576,7 +118517,7 @@ index e1e814d..360fbbd 100644
########################################
## <summary>
## Remove entries from the tmp directory.
-@@ -4270,6 +4825,7 @@ interface(`files_delete_tmp_dir_entry',`
+@@ -4343,6 +4844,7 @@ interface(`files_delete_tmp_dir_entry',`
type tmp_t;
')
@@ -118584,7 +118525,7 @@ index e1e814d..360fbbd 100644
allow $1 tmp_t:dir del_entry_dir_perms;
')
-@@ -4311,6 +4867,32 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -4384,6 +4886,32 @@ interface(`files_manage_generic_tmp_dirs',`
########################################
## <summary>
@@ -118617,7 +118558,7 @@ index e1e814d..360fbbd 100644
## Manage temporary files and directories in /tmp.
## </summary>
## <param name="domain">
-@@ -4365,7 +4947,7 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4438,7 +4966,7 @@ interface(`files_rw_generic_tmp_sockets',`
########################################
## <summary>
@@ -118626,7 +118567,7 @@ index e1e814d..360fbbd 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -4373,17 +4955,17 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4446,17 +4974,17 @@ interface(`files_rw_generic_tmp_sockets',`
## </summary>
## </param>
#
@@ -118648,7 +118589,7 @@ index e1e814d..360fbbd 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -4391,59 +4973,53 @@ interface(`files_setattr_all_tmp_dirs',`
+@@ -4464,59 +4992,53 @@ interface(`files_setattr_all_tmp_dirs',`
## </summary>
## </param>
#
@@ -118719,7 +118660,7 @@ index e1e814d..360fbbd 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -4451,54 +5027,132 @@ interface(`files_dontaudit_getattr_all_tmp_files',`
+@@ -4524,53 +5046,131 @@ interface(`files_dontaudit_getattr_all_tmp_files',`
## </summary>
## </param>
#
@@ -118781,7 +118722,6 @@ index e1e814d..360fbbd 100644
')
- dontaudit $1 tmpfile:sock_file getattr;
--')
+ allow $1 var_t:dir search_dir_perms;
+ relabel_dirs_pattern($1, tmpfile, tmpfile)
+')
@@ -118863,11 +118803,10 @@ index e1e814d..360fbbd 100644
+ ')
+
+ dontaudit $1 tmpfile:sock_file getattr;
-+')
+ ')
########################################
- ## <summary>
-@@ -4573,6 +5227,16 @@ interface(`files_purge_tmp',`
+@@ -4646,6 +5246,16 @@ interface(`files_purge_tmp',`
delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -118884,7 +118823,7 @@ index e1e814d..360fbbd 100644
')
########################################
-@@ -5150,6 +5814,24 @@ interface(`files_list_var',`
+@@ -5223,6 +5833,24 @@ interface(`files_list_var',`
########################################
## <summary>
@@ -118909,7 +118848,7 @@ index e1e814d..360fbbd 100644
## Create, read, write, and delete directories
## in the /var directory.
## </summary>
-@@ -5505,6 +6187,25 @@ interface(`files_read_var_lib_symlinks',`
+@@ -5578,6 +6206,25 @@ interface(`files_read_var_lib_symlinks',`
read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
')
@@ -118935,7 +118874,7 @@ index e1e814d..360fbbd 100644
# cjp: the next two interfaces really need to be fixed
# in some way. They really neeed their own types.
-@@ -5550,7 +6251,7 @@ interface(`files_manage_mounttab',`
+@@ -5623,7 +6270,7 @@ interface(`files_manage_mounttab',`
########################################
## <summary>
@@ -118944,7 +118883,7 @@ index e1e814d..360fbbd 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5558,12 +6259,13 @@ interface(`files_manage_mounttab',`
+@@ -5631,12 +6278,13 @@ interface(`files_manage_mounttab',`
## </summary>
## </param>
#
@@ -118960,7 +118899,7 @@ index e1e814d..360fbbd 100644
')
########################################
-@@ -5581,6 +6283,7 @@ interface(`files_search_locks',`
+@@ -5654,6 +6302,7 @@ interface(`files_search_locks',`
type var_t, var_lock_t;
')
@@ -118968,7 +118907,7 @@ index e1e814d..360fbbd 100644
allow $1 var_lock_t:lnk_file read_lnk_file_perms;
search_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5607,7 +6310,26 @@ interface(`files_dontaudit_search_locks',`
+@@ -5680,7 +6329,26 @@ interface(`files_dontaudit_search_locks',`
########################################
## <summary>
@@ -118996,7 +118935,7 @@ index e1e814d..360fbbd 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5615,13 +6337,12 @@ interface(`files_dontaudit_search_locks',`
+@@ -5688,13 +6356,12 @@ interface(`files_dontaudit_search_locks',`
## </summary>
## </param>
#
@@ -119013,7 +118952,7 @@ index e1e814d..360fbbd 100644
')
########################################
-@@ -5640,7 +6361,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5713,7 +6380,7 @@ interface(`files_rw_lock_dirs',`
type var_t, var_lock_t;
')
@@ -119022,7 +118961,7 @@ index e1e814d..360fbbd 100644
rw_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5673,7 +6394,6 @@ interface(`files_create_lock_dirs',`
+@@ -5746,7 +6413,6 @@ interface(`files_create_lock_dirs',`
## Domain allowed access.
## </summary>
## </param>
@@ -119030,7 +118969,7 @@ index e1e814d..360fbbd 100644
#
interface(`files_relabel_all_lock_dirs',`
gen_require(`
-@@ -5701,8 +6421,7 @@ interface(`files_getattr_generic_locks',`
+@@ -5774,8 +6440,7 @@ interface(`files_getattr_generic_locks',`
type var_t, var_lock_t;
')
@@ -119040,7 +118979,7 @@ index e1e814d..360fbbd 100644
allow $1 var_lock_t:dir list_dir_perms;
getattr_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5718,13 +6437,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5791,13 +6456,12 @@ interface(`files_getattr_generic_locks',`
## </param>
#
interface(`files_delete_generic_locks',`
@@ -119058,17 +118997,18 @@ index e1e814d..360fbbd 100644
')
########################################
-@@ -5743,8 +6461,7 @@ interface(`files_manage_generic_locks',`
+@@ -5816,9 +6480,7 @@ interface(`files_manage_generic_locks',`
type var_t, var_lock_t;
')
- allow $1 var_t:dir search_dir_perms;
- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- manage_dirs_pattern($1, var_lock_t, var_lock_t)
+ files_search_locks($1)
manage_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5786,8 +6503,7 @@ interface(`files_read_all_locks',`
+@@ -5860,8 +6522,7 @@ interface(`files_read_all_locks',`
type var_t, var_lock_t;
')
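Review bot: The added `+- manage_dirs_pattern($1, var_lock_t, var_lock_t)` line means the patch now strips that rule from the upstream `files_manage_generic_locks` interface, so every caller of the interface loses the ability to create or remove directories under /var/lock relative to upstream. If that narrowing is deliberate it should be recorded, for example with `# Fedora: lock directories are managed through dedicated *_lock_t types` next to the remaining `files_search_locks($1)` call; if it is an artifact of the rebase, the removal should be dropped so the upstream rule survives. The interface header is outside this hunk.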
@@ -119078,7 +119018,7 @@ index e1e814d..360fbbd 100644
allow $1 lockfile:dir list_dir_perms;
read_files_pattern($1, lockfile, lockfile)
read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5809,8 +6525,7 @@ interface(`files_manage_all_locks',`
+@@ -5883,8 +6544,7 @@ interface(`files_manage_all_locks',`
type var_t, var_lock_t;
')
@@ -119088,7 +119028,7 @@ index e1e814d..360fbbd 100644
manage_dirs_pattern($1, lockfile, lockfile)
manage_files_pattern($1, lockfile, lockfile)
manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5847,8 +6562,7 @@ interface(`files_lock_filetrans',`
+@@ -5921,8 +6581,7 @@ interface(`files_lock_filetrans',`
type var_t, var_lock_t;
')
@@ -119098,7 +119038,7 @@ index e1e814d..360fbbd 100644
filetrans_pattern($1, var_lock_t, $2, $3, $4)
')
-@@ -5911,6 +6625,43 @@ interface(`files_search_pids',`
+@@ -5985,6 +6644,43 @@ interface(`files_search_pids',`
search_dirs_pattern($1, var_t, var_run_t)
')
@@ -119142,7 +119082,7 @@ index e1e814d..360fbbd 100644
########################################
## <summary>
## Do not audit attempts to search
-@@ -5933,6 +6684,25 @@ interface(`files_dontaudit_search_pids',`
+@@ -6007,6 +6703,25 @@ interface(`files_dontaudit_search_pids',`
########################################
## <summary>
@@ -119168,7 +119108,7 @@ index e1e814d..360fbbd 100644
## List the contents of the runtime process
## ID directories (/var/run).
## </summary>
-@@ -6048,7 +6818,6 @@ interface(`files_pid_filetrans',`
+@@ -6122,7 +6837,6 @@ interface(`files_pid_filetrans',`
')
allow $1 var_t:dir search_dir_perms;
@@ -119176,7 +119116,7 @@ index e1e814d..360fbbd 100644
filetrans_pattern($1, var_run_t, $2, $3, $4)
')
-@@ -6157,30 +6926,25 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -6231,55 +6945,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
########################################
## <summary>
@@ -119205,40 +119145,45 @@ index e1e814d..360fbbd 100644
########################################
## <summary>
--## Mount filesystems on all polyinstantiation
--## member directories.
+-## Delete all process IDs.
+## Delete all pid sockets
## </summary>
## <param name="domain">
## <summary>
-@@ -6188,43 +6952,35 @@ interface(`files_read_all_pids',`
+ ## Domain allowed access.
## </summary>
## </param>
+-## <rolecap/>
#
--interface(`files_mounton_all_poly_members',`
+-interface(`files_delete_all_pids',`
+interface(`files_delete_all_pid_sockets',`
gen_require(`
-- attribute polymember;
-+ attribute pidfile;
+ attribute pidfile;
+- type var_t, var_run_t;
')
-- allow $1 polymember:dir mounton;
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- allow $1 var_run_t:dir rmdir;
+- allow $1 var_run_t:lnk_file delete_lnk_file_perms;
+- delete_files_pattern($1, pidfile, pidfile)
+- delete_fifo_files_pattern($1, pidfile, pidfile)
+- delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
+ allow $1 pidfile:sock_file delete_sock_file_perms;
')
########################################
## <summary>
--## Delete all process IDs.
+-## Delete all process ID directories.
+## Create all pid sockets
## </summary>
## <param name="domain">
## <summary>
- ## Domain allowed access.
+@@ -6287,42 +6989,35 @@ interface(`files_delete_all_pids',`
## </summary>
## </param>
--## <rolecap/>
#
--interface(`files_delete_all_pids',`
+-interface(`files_delete_all_pid_dirs',`
+interface(`files_create_all_pid_sockets',`
gen_require(`
attribute pidfile;
@@ -119247,109 +119192,106 @@ index e1e814d..360fbbd 100644
- allow $1 var_t:dir search_dir_perms;
- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- allow $1 var_run_t:dir rmdir;
-- allow $1 var_run_t:lnk_file delete_lnk_file_perms;
-- delete_files_pattern($1, pidfile, pidfile)
-- delete_fifo_files_pattern($1, pidfile, pidfile)
-- delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
+- delete_dirs_pattern($1, pidfile, pidfile)
+ allow $1 pidfile:sock_file create_sock_file_perms;
')
########################################
## <summary>
--## Delete all process ID directories.
+-## Create, read, write and delete all
+-## var_run (pid) content
+## Create all pid named pipes
## </summary>
## <param name="domain">
## <summary>
-@@ -6232,21 +6988,17 @@ interface(`files_delete_all_pids',`
+-## Domain alloed access.
++## Domain allowed access.
## </summary>
## </param>
#
--interface(`files_delete_all_pid_dirs',`
+-interface(`files_manage_all_pids',`
+interface(`files_create_all_pid_pipes',`
gen_require(`
attribute pidfile;
-- type var_t, var_run_t;
')
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- delete_dirs_pattern($1, pidfile, pidfile)
+- manage_dirs_pattern($1, pidfile, pidfile)
+- manage_files_pattern($1, pidfile, pidfile)
+- manage_lnk_files_pattern($1, pidfile, pidfile)
+ allow $1 pidfile:fifo_file create_fifo_file_perms;
')
########################################
## <summary>
--## Search the contents of generic spool
--## directories (/var/spool).
+-## Mount filesystems on all polyinstantiation
+-## member directories.
+## Delete all pid named pipes
## </summary>
## <param name="domain">
## <summary>
-@@ -6254,56 +7006,59 @@ interface(`files_delete_all_pid_dirs',`
+@@ -6330,18 +7025,18 @@ interface(`files_manage_all_pids',`
## </summary>
## </param>
#
--interface(`files_search_spool',`
+-interface(`files_mounton_all_poly_members',`
+interface(`files_delete_all_pid_pipes',`
gen_require(`
-- type var_t, var_spool_t;
+- attribute polymember;
+ attribute pidfile;
')
-- search_dirs_pattern($1, var_t, var_spool_t)
+- allow $1 polymember:dir mounton;
+ allow $1 pidfile:fifo_file delete_fifo_file_perms;
')
########################################
## <summary>
--## Do not audit attempts to search generic
--## spool directories.
+-## Search the contents of generic spool
+-## directories (/var/spool).
+## manage all pidfile directories
+## in the /var/run directory.
## </summary>
## <param name="domain">
## <summary>
--## Domain to not audit.
-+## Domain allowed access.
+@@ -6349,37 +7044,40 @@ interface(`files_mounton_all_poly_members',`
## </summary>
## </param>
#
--interface(`files_dontaudit_search_spool',`
+-interface(`files_search_spool',`
+interface(`files_manage_all_pid_dirs',`
gen_require(`
-- type var_spool_t;
+- type var_t, var_spool_t;
+ attribute pidfile;
')
-- dontaudit $1 var_spool_t:dir search_dir_perms;
+- search_dirs_pattern($1, var_t, var_spool_t)
+ manage_dirs_pattern($1,pidfile,pidfile)
')
+
########################################
## <summary>
--## List the contents of generic spool
--## (/var/spool) directories.
+-## Do not audit attempts to search generic
+-## spool directories.
+## Read all process ID files.
## </summary>
## <param name="domain">
## <summary>
- ## Domain allowed access.
+-## Domain to not audit.
++## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
--interface(`files_list_spool',`
+-interface(`files_dontaudit_search_spool',`
+interface(`files_read_all_pids',`
gen_require(`
-- type var_t, var_spool_t;
+- type var_spool_t;
+ attribute pidfile;
+ type var_t;
')
-- list_dirs_pattern($1, var_t, var_spool_t)
+- dontaudit $1 var_spool_t:dir search_dir_perms;
+ list_dirs_pattern($1, var_t, pidfile)
+ read_files_pattern($1, pidfile, pidfile)
+ read_lnk_files_pattern($1, pidfile, pidfile)
@@ -119357,60 +119299,64 @@ index e1e814d..360fbbd 100644
########################################
## <summary>
--## Create, read, write, and delete generic
--## spool directories (/var/spool).
+-## List the contents of generic spool
+-## (/var/spool) directories.
+## Relable all pid files
## </summary>
## <param name="domain">
## <summary>
-@@ -6311,18 +7066,17 @@ interface(`files_list_spool',`
+@@ -6387,18 +7085,17 @@ interface(`files_dontaudit_search_spool',`
## </summary>
## </param>
#
--interface(`files_manage_generic_spool_dirs',`
+-interface(`files_list_spool',`
+interface(`files_relabel_all_pid_files',`
gen_require(`
- type var_t, var_spool_t;
+ attribute pidfile;
')
-- allow $1 var_t:dir search_dir_perms;
-- manage_dirs_pattern($1, var_spool_t, var_spool_t)
+- list_dirs_pattern($1, var_t, var_spool_t)
+ relabel_files_pattern($1, pidfile, pidfile)
')
########################################
## <summary>
--## Read generic spool files.
+-## Create, read, write, and delete generic
+-## spool directories (/var/spool).
+## Execute generic programs in /var/run in the caller domain.
## </summary>
## <param name="domain">
## <summary>
-@@ -6330,9 +7084,273 @@ interface(`files_manage_generic_spool_dirs',`
+@@ -6406,18 +7103,18 @@ interface(`files_list_spool',`
## </summary>
## </param>
#
--interface(`files_read_generic_spool',`
+-interface(`files_manage_generic_spool_dirs',`
+interface(`files_exec_generic_pid_files',`
gen_require(`
- type var_t, var_spool_t;
+ type var_run_t;
-+ ')
-+
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- manage_dirs_pattern($1, var_spool_t, var_spool_t)
+ exec_files_pattern($1, var_run_t, var_run_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Read generic spool files.
+## manage all pidfiles
+## in the /var/run directory.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -6425,7 +7122,252 @@ interface(`files_manage_generic_spool_dirs',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_read_generic_spool',`
+interface(`files_manage_all_pids',`
+ gen_require(`
+ attribute pidfile;
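Review bot: The summary of `files_relabel_all_pid_files` reads `## Relable all pid files`; "Relable" should be "Relabel", and a trailing period would match the other summaries in this file. The rest of the interface is consistent with its sibling `files_manage_all_pids`, whose body continues past the end of this hunk.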
@@ -119657,12 +119603,10 @@ index e1e814d..360fbbd 100644
+## </param>
+#
+interface(`files_read_generic_spool',`
-+ gen_require(`
-+ type var_t, var_spool_t;
+ gen_require(`
+ type var_t, var_spool_t;
')
-
- list_dirs_pattern($1, var_t, var_spool_t)
-@@ -6467,3 +7485,457 @@ interface(`files_unconfined',`
+@@ -6562,3 +7504,459 @@ interface(`files_unconfined',`
typeattribute $1 files_unconfined_type;
')
@@ -119918,7 +119862,7 @@ index e1e814d..360fbbd 100644
+########################################
+## <summary>
+## Do not audit attempts to check the
-+## write access on all files
++## access on all files
+## </summary>
+## <param name="domain">
+## <summary>
@@ -119931,7 +119875,7 @@ index e1e814d..360fbbd 100644
+ attribute file_type;
+ ')
+
-+ dontaudit $1 file_type:file_class_set audit_access;
++ dontaudit $1 file_type:dir_file_class_set audit_access;
+')
+
+########################################
@@ -119986,6 +119930,7 @@ index e1e814d..360fbbd 100644
+ type mnt_t;
+ type usr_t;
+ type var_t;
++ type tmp_t;
+ ')
+
+ files_pid_filetrans($1, mnt_t, dir, "media")
@@ -120008,6 +119953,7 @@ index e1e814d..360fbbd 100644
+ files_etc_filetrans_etc_runtime($1, file, "ptal-printd-like")
+ files_etc_filetrans_etc_runtime($1, file, "hwconf")
+ files_etc_filetrans_etc_runtime($1, file, "iptables.save")
++ files_tmp_filetrans($1, tmp_t, dir, "tmp-inst")
+')
+
+########################################
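Review bot: The added `files_tmp_filetrans($1, tmp_t, dir, "tmp-inst")` names tmp_t as both the parent directory type and the transition target, so the named transition only changes labeling where it overrides an unnamed tmp transition the calling domain already has; nothing in the hunk records that intent. If that is the purpose, a comment on the line such as `# pin /tmp/tmp-inst to tmp_t even for callers with a generic tmp filetrans` would make the rule self-explaining, and it keeps the `type tmp_t;` require added in the preceding hunk paired with its use. The enclosing interface starts outside both hunks.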
@@ -120121,10 +120067,10 @@ index e1e814d..360fbbd 100644
+')
+
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
-index 52ef84e..45cb0bc 100644
+index 148d87a..822f6be 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
-@@ -5,12 +5,16 @@ policy_module(files, 1.17.0)
+@@ -5,12 +5,16 @@ policy_module(files, 1.17.5)
# Declarations
#
@@ -120332,7 +120278,7 @@ index cda5588..91d1e25 100644
+/usr/lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
+/usr/lib/udev/devices/shm/.* <<none>>
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 7c6b791..aa86bf7 100644
+index 8416beb..c0c1175 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
@@ -120614,33 +120560,7 @@ index 7c6b791..aa86bf7 100644
## Mount a DOS filesystem, such as
## FAT32 or NTFS.
## </summary>
-@@ -1679,6 +1840,25 @@ interface(`fs_relabelfrom_dos_fs',`
-
- ########################################
- ## <summary>
-+## Allow changing of the label of a
-+## tmpfs filesystem using the context= mount option.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`fs_relabelfrom_tmpfs',`
-+ gen_require(`
-+ type tmpfs_t;
-+ ')
-+
-+ allow $1 tmpfs_t:filesystem relabelfrom;
-+')
-+
-+########################################
-+## <summary>
- ## Search dosfs filesystem.
- ## </summary>
- ## <param name="domain">
-@@ -1793,6 +1973,188 @@ interface(`fs_read_eventpollfs',`
+@@ -1793,6 +1954,188 @@ interface(`fs_read_eventpollfs',`
refpolicywarn(`$0($*) has been deprecated.')
')
@@ -120829,7 +120749,7 @@ index 7c6b791..aa86bf7 100644
########################################
## <summary>
## Mount a FUSE filesystem.
-@@ -2025,6 +2387,87 @@ interface(`fs_read_fusefs_symlinks',`
+@@ -2025,6 +2368,87 @@ interface(`fs_read_fusefs_symlinks',`
########################################
## <summary>
@@ -120917,7 +120837,7 @@ index 7c6b791..aa86bf7 100644
## Get the attributes of an hugetlbfs
## filesystem.
## </summary>
-@@ -2080,6 +2523,24 @@ interface(`fs_manage_hugetlbfs_dirs',`
+@@ -2080,6 +2504,24 @@ interface(`fs_manage_hugetlbfs_dirs',`
########################################
## <summary>
@@ -120942,7 +120862,7 @@ index 7c6b791..aa86bf7 100644
## Read and write hugetlbfs files.
## </summary>
## <param name="domain">
-@@ -2148,11 +2609,12 @@ interface(`fs_list_inotifyfs',`
+@@ -2148,11 +2590,12 @@ interface(`fs_list_inotifyfs',`
')
allow $1 inotifyfs_t:dir list_dir_perms;
@@ -120956,7 +120876,7 @@ index 7c6b791..aa86bf7 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2485,6 +2947,7 @@ interface(`fs_read_nfs_files',`
+@@ -2485,6 +2928,7 @@ interface(`fs_read_nfs_files',`
type nfs_t;
')
@@ -120964,165 +120884,93 @@ index 7c6b791..aa86bf7 100644
allow $1 nfs_t:dir list_dir_perms;
read_files_pattern($1, nfs_t, nfs_t)
')
-@@ -2510,81 +2973,137 @@ interface(`fs_dontaudit_read_nfs_files',`
+@@ -2523,6 +2967,7 @@ interface(`fs_write_nfs_files',`
+ type nfs_t;
+ ')
+
++ fs_search_auto_mountpoints($1)
+ allow $1 nfs_t:dir list_dir_perms;
+ write_files_pattern($1, nfs_t, nfs_t)
+ ')
+@@ -2549,6 +2994,25 @@ interface(`fs_exec_nfs_files',`
########################################
## <summary>
--## Read files on a NFS filesystem.
-+## Read files on a NFS filesystem.
++## Make general progams in nfs an entrypoint for
++## the specified domain.
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain allowed access.
++## The domain for which nfs_t is an entrypoint.
+## </summary>
+## </param>
+#
-+interface(`fs_write_nfs_files',`
++interface(`fs_nfs_entry_type',`
+ gen_require(`
+ type nfs_t;
+ ')
+
-+ fs_search_auto_mountpoints($1)
-+ allow $1 nfs_t:dir list_dir_perms;
-+ write_files_pattern($1, nfs_t, nfs_t)
++ domain_entry_file($1, nfs_t)
+')
+
+########################################
+## <summary>
-+## Execute files on a NFS filesystem.
+ ## Append files
+ ## on a NFS filesystem.
+ ## </summary>
+@@ -2569,7 +3033,7 @@ interface(`fs_append_nfs_files',`
+
+ ########################################
+ ## <summary>
+-## dontaudit Append files
++## Do not audit attempts to append files
+ ## on a NFS filesystem.
+ ## </summary>
+ ## <param name="domain">
+@@ -2589,6 +3053,42 @@ interface(`fs_dontaudit_append_nfs_files',`
+
+ ########################################
+ ## <summary>
++## Read inherited files on a NFS filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
-+## <rolecap/>
+#
-+interface(`fs_exec_nfs_files',`
++interface(`fs_read_inherited_nfs_files',`
+ gen_require(`
+ type nfs_t;
+ ')
+
-+ allow $1 nfs_t:dir list_dir_perms;
-+ exec_files_pattern($1, nfs_t, nfs_t)
++ allow $1 nfs_t:file read_inherited_file_perms;
+')
+
+########################################
+## <summary>
-+## Make general progams in nfs an entrypoint for
-+## the specified domain.
++## Read/write inherited files on a NFS filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
-+## The domain for which nfs_t is an entrypoint.
++## Domain allowed access.
+## </summary>
+## </param>
+#
-+interface(`fs_nfs_entry_type',`
++interface(`fs_rw_inherited_nfs_files',`
+ gen_require(`
+ type nfs_t;
+ ')
+
-+ domain_entry_file($1, nfs_t)
++ allow $1 nfs_t:file rw_inherited_file_perms;
+')
+
+########################################
+## <summary>
-+## Append files
-+## on a NFS filesystem.
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
-+## <rolecap/>
- #
--interface(`fs_write_nfs_files',`
-+interface(`fs_append_nfs_files',`
- gen_require(`
- type nfs_t;
- ')
-
-- allow $1 nfs_t:dir list_dir_perms;
-- write_files_pattern($1, nfs_t, nfs_t)
-+ append_files_pattern($1, nfs_t, nfs_t)
- ')
-
- ########################################
- ## <summary>
--## Execute files on a NFS filesystem.
-+## Do not audit attempts to append files
-+## on a NFS filesystem.
- ## </summary>
- ## <param name="domain">
- ## <summary>
--## Domain allowed access.
-+## Domain to not audit.
- ## </summary>
- ## </param>
- ## <rolecap/>
- #
--interface(`fs_exec_nfs_files',`
-+interface(`fs_dontaudit_append_nfs_files',`
- gen_require(`
- type nfs_t;
- ')
-
-- allow $1 nfs_t:dir list_dir_perms;
-- exec_files_pattern($1, nfs_t, nfs_t)
-+ dontaudit $1 nfs_t:file append_file_perms;
- ')
-
- ########################################
- ## <summary>
--## Append files
--## on a NFS filesystem.
-+## Read inherited files on a NFS filesystem.
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
--## <rolecap/>
- #
--interface(`fs_append_nfs_files',`
-+interface(`fs_read_inherited_nfs_files',`
- gen_require(`
- type nfs_t;
- ')
-
-- append_files_pattern($1, nfs_t, nfs_t)
-+ allow $1 nfs_t:file read_inherited_file_perms;
- ')
-
- ########################################
- ## <summary>
--## dontaudit Append files
--## on a NFS filesystem.
-+## Read/write inherited files on a NFS filesystem.
+ ## Do not audit attempts to read or
+ ## write files on a NFS filesystem.
## </summary>
- ## <param name="domain">
- ## <summary>
--## Domain to not audit.
-+## Domain allowed access.
- ## </summary>
- ## </param>
--## <rolecap/>
- #
--interface(`fs_dontaudit_append_nfs_files',`
-+interface(`fs_rw_inherited_nfs_files',`
- gen_require(`
- type nfs_t;
- ')
-
-- dontaudit $1 nfs_t:file append_file_perms;
-+ allow $1 nfs_t:file rw_inherited_file_perms;
- ')
-
- ########################################
-@@ -2603,7 +3122,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
+@@ -2603,7 +3103,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
type nfs_t;
')
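Review bot: The new-side summary of `fs_nfs_entry_type` still carries the typo "progams" (`++## Make general progams in nfs an entrypoint for`); the reshuffle in this hunk copies it forward instead of fixing it, so change it to `## Make general programs in nfs an entrypoint for`. The summary also understates the grant: nfs_t is the label that filesystem.te assigns by genfscon to reiserfs, panfs and gadgetfs as well (visible as context in the filesystem.te hunk further down), so a domain that calls this interface accepts entry-point binaries from any of those filesystems, not only from NFS mounts, and a second summary line such as `## the specified domain (nfs_t also labels other genfscon filesystems).` would make that visible to policy writers. The `fs_read_inherited_nfs_files` and `fs_rw_inherited_nfs_files` interfaces added here are limited to inherited-descriptor permissions and look fine.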
@@ -121131,7 +120979,7 @@ index 7c6b791..aa86bf7 100644
')
########################################
-@@ -2627,7 +3146,7 @@ interface(`fs_read_nfs_symlinks',`
+@@ -2627,7 +3127,7 @@ interface(`fs_read_nfs_symlinks',`
########################################
## <summary>
@@ -121140,7 +120988,7 @@ index 7c6b791..aa86bf7 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2741,7 +3260,7 @@ interface(`fs_search_removable',`
+@@ -2741,7 +3241,7 @@ interface(`fs_search_removable',`
## </summary>
## <param name="domain">
## <summary>
@@ -121149,7 +120997,7 @@ index 7c6b791..aa86bf7 100644
## </summary>
## </param>
#
-@@ -2777,7 +3296,7 @@ interface(`fs_read_removable_files',`
+@@ -2777,7 +3277,7 @@ interface(`fs_read_removable_files',`
## </summary>
## <param name="domain">
## <summary>
@@ -121158,7 +121006,7 @@ index 7c6b791..aa86bf7 100644
## </summary>
## </param>
#
-@@ -2970,6 +3489,7 @@ interface(`fs_manage_nfs_dirs',`
+@@ -2970,6 +3470,7 @@ interface(`fs_manage_nfs_dirs',`
type nfs_t;
')
@@ -121166,7 +121014,7 @@ index 7c6b791..aa86bf7 100644
allow $1 nfs_t:dir manage_dir_perms;
')
-@@ -3010,6 +3530,7 @@ interface(`fs_manage_nfs_files',`
+@@ -3010,6 +3511,7 @@ interface(`fs_manage_nfs_files',`
type nfs_t;
')
@@ -121174,7 +121022,7 @@ index 7c6b791..aa86bf7 100644
manage_files_pattern($1, nfs_t, nfs_t)
')
-@@ -3050,6 +3571,7 @@ interface(`fs_manage_nfs_symlinks',`
+@@ -3050,6 +3552,7 @@ interface(`fs_manage_nfs_symlinks',`
type nfs_t;
')
@@ -121182,7 +121030,7 @@ index 7c6b791..aa86bf7 100644
manage_lnk_files_pattern($1, nfs_t, nfs_t)
')
-@@ -3263,6 +3785,24 @@ interface(`fs_getattr_nfsd_files',`
+@@ -3263,6 +3766,24 @@ interface(`fs_getattr_nfsd_files',`
getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
')
@@ -121207,7 +121055,7 @@ index 7c6b791..aa86bf7 100644
########################################
## <summary>
## Read and write NFS server files.
-@@ -3283,6 +3823,24 @@ interface(`fs_rw_nfsd_fs',`
+@@ -3283,6 +3804,24 @@ interface(`fs_rw_nfsd_fs',`
########################################
## <summary>
@@ -121232,7 +121080,7 @@ index 7c6b791..aa86bf7 100644
## Allow the type to associate to ramfs filesystems.
## </summary>
## <param name="type">
-@@ -3392,7 +3950,7 @@ interface(`fs_search_ramfs',`
+@@ -3392,7 +3931,7 @@ interface(`fs_search_ramfs',`
########################################
## <summary>
@@ -121241,7 +121089,7 @@ index 7c6b791..aa86bf7 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3429,7 +3987,7 @@ interface(`fs_manage_ramfs_dirs',`
+@@ -3429,7 +3968,7 @@ interface(`fs_manage_ramfs_dirs',`
########################################
## <summary>
@@ -121250,7 +121098,7 @@ index 7c6b791..aa86bf7 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3447,7 +4005,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
+@@ -3447,7 +3986,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
########################################
## <summary>
@@ -121259,7 +121107,7 @@ index 7c6b791..aa86bf7 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3815,6 +4373,24 @@ interface(`fs_unmount_tmpfs',`
+@@ -3815,6 +4354,24 @@ interface(`fs_unmount_tmpfs',`
########################################
## <summary>
@@ -121284,41 +121132,131 @@ index 7c6b791..aa86bf7 100644
## Get the attributes of a tmpfs
## filesystem.
## </summary>
-@@ -3963,6 +4539,60 @@ interface(`fs_dontaudit_list_tmpfs',`
+@@ -3908,7 +4465,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
########################################
## <summary>
-+## Relabel directory on tmpfs filesystems.
+-## Mount on tmpfs directories.
++## Set the attributes of tmpfs directories.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -3916,17 +4473,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`fs_mounton_tmpfs',`
++interface(`fs_setattr_tmpfs_dirs',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+- allow $1 tmpfs_t:dir mounton;
++ allow $1 tmpfs_t:dir setattr;
+ ')
+
+ ########################################
+ ## <summary>
+-## Set the attributes of tmpfs directories.
++## Search tmpfs directories.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -3934,17 +4491,17 @@ interface(`fs_mounton_tmpfs',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`fs_setattr_tmpfs_dirs',`
++interface(`fs_search_tmpfs',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+- allow $1 tmpfs_t:dir setattr;
++ allow $1 tmpfs_t:dir search_dir_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Search tmpfs directories.
++## List the contents of generic tmpfs directories.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -3952,17 +4509,36 @@ interface(`fs_setattr_tmpfs_dirs',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`fs_search_tmpfs',`
++interface(`fs_list_tmpfs',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+- allow $1 tmpfs_t:dir search_dir_perms;
++ allow $1 tmpfs_t:dir list_dir_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## List the contents of generic tmpfs directories.
++## Do not audit attempts to list the
++## contents of generic tmpfs directories.
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain allowed access.
++## Domain to not audit.
+## </summary>
+## </param>
+#
-+interface(`fs_relabel_tmpfs_dirs',`
++interface(`fs_dontaudit_list_tmpfs',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
-+ relabel_dirs_pattern($1, tmpfs_t, tmpfs_t)
++ dontaudit $1 tmpfs_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
++## Relabel directory on tmpfs filesystems.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -3970,31 +4546,48 @@ interface(`fs_search_tmpfs',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`fs_list_tmpfs',`
++interface(`fs_relabel_tmpfs_dirs',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+- allow $1 tmpfs_t:dir list_dir_perms;
++ relabel_dirs_pattern($1, tmpfs_t, tmpfs_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Do not audit attempts to list the
+-## contents of generic tmpfs directories.
+## Relabel fifo_file on tmpfs filesystems.
-+## </summary>
-+## <param name="domain">
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain to not audit.
+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+ #
+-interface(`fs_dontaudit_list_tmpfs',`
+interface(`fs_relabel_tmpfs_fifo_files',`
-+ gen_require(`
-+ type tmpfs_t;
-+ ')
-+
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+- dontaudit $1 tmpfs_t:dir list_dir_perms;
+ relabel_fifo_files_pattern($1, tmpfs_t, tmpfs_t)
+')
+
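Review bot: The chain of one-for-one renames in this hunk (`-interface(`fs_mounton_tmpfs',`` → `+interface(`fs_setattr_tmpfs_dirs',``, and so on down to `fs_dontaudit_list_tmpfs` → `fs_relabel_tmpfs_dirs`) is really the deletion of upstream's `fs_mounton_tmpfs` block plus the insertion of the relabel interfaces, and in this form a reader cannot see that `allow $1 tmpfs_t:dir mounton;` disappears from the patched file. Regenerating the patch with `git diff --patience` (or `--diff-algorithm=histogram`) would express that as one removal and one insertion. Whether the removal is intended cannot be settled from this chunk: if `fs_mounton_tmpfs` is still provided elsewhere in the patched filesystem.if (the unchanged 18-line insertion under `@@ -3815,6 +4354,24 @@` is a candidate this chunk does not show), dropping upstream's copy avoids a duplicate m4 definition; otherwise every caller of `fs_mounton_tmpfs` in the contrib patch stops building. Naming which case applies in the commit description would save the next merge the same archaeology.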
@@ -121338,14 +121276,10 @@ index 7c6b791..aa86bf7 100644
+ ')
+
+ relabel_files_pattern($1, tmpfs_t, tmpfs_t)
-+')
-+
-+########################################
-+## <summary>
- ## Create, read, write, and delete
- ## tmpfs directories
- ## </summary>
-@@ -4069,7 +4699,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
+ ')
+
+ ########################################
+@@ -4105,7 +4698,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
type tmpfs_t;
')
@@ -121354,7 +121288,7 @@ index 7c6b791..aa86bf7 100644
')
########################################
-@@ -4129,6 +4759,24 @@ interface(`fs_rw_tmpfs_files',`
+@@ -4165,6 +4758,24 @@ interface(`fs_rw_tmpfs_files',`
########################################
## <summary>
@@ -121379,7 +121313,7 @@ index 7c6b791..aa86bf7 100644
## Read tmpfs link files.
## </summary>
## <param name="domain">
-@@ -4166,7 +4814,7 @@ interface(`fs_rw_tmpfs_chr_files',`
+@@ -4202,7 +4813,7 @@ interface(`fs_rw_tmpfs_chr_files',`
########################################
## <summary>
@@ -121388,7 +121322,7 @@ index 7c6b791..aa86bf7 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -4185,6 +4833,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -4221,6 +4832,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
########################################
## <summary>
@@ -121449,7 +121383,7 @@ index 7c6b791..aa86bf7 100644
## Relabel character nodes on tmpfs filesystems.
## </summary>
## <param name="domain">
-@@ -4242,6 +4944,43 @@ interface(`fs_relabel_tmpfs_blk_file',`
+@@ -4278,6 +4943,44 @@ interface(`fs_relabel_tmpfs_blk_file',`
########################################
## <summary>
@@ -121485,7 +121419,8 @@ index 7c6b791..aa86bf7 100644
+ type tmpfs_t;
+ ')
+
-+ allow $1 tmpfs_t:file unlink;
++ allow $1 tmpfs_t:dir del_entry_dir_perms;
++ allow $1 tmpfs_t:file_class_set delete_file_perms;
+')
+
+########################################
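Review bot: Replacing `allow $1 tmpfs_t:file unlink;` with `allow $1 tmpfs_t:file_class_set delete_file_perms;` widens this interface from generic files to every file class, `chr_file` and `blk_file` included, so a caller can now remove device nodes carrying the generic tmpfs_t label as well as sockets, fifos and symlinks. The enclosing interface and its summary start before this hunk, so I cannot check whether the documented scope matches; if device nodes are not intended, `{ file lnk_file sock_file fifo_file }` in place of `file_class_set` keeps the grant to what the old rule and the interface's position suggest, and otherwise the summary should state that all file classes are covered. The added `allow $1 tmpfs_t:dir del_entry_dir_perms;` supplies the parent-directory permissions that unlink needs and is fine.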
@@ -121493,7 +121428,7 @@ index 7c6b791..aa86bf7 100644
## Read and write, create and delete generic
## files on tmpfs filesystems.
## </summary>
-@@ -4261,6 +5000,25 @@ interface(`fs_manage_tmpfs_files',`
+@@ -4297,6 +5000,25 @@ interface(`fs_manage_tmpfs_files',`
########################################
## <summary>
@@ -121519,7 +121454,7 @@ index 7c6b791..aa86bf7 100644
## Read and write, create and delete symbolic
## links on tmpfs filesystems.
## </summary>
-@@ -4467,6 +5225,8 @@ interface(`fs_mount_all_fs',`
+@@ -4503,6 +5225,8 @@ interface(`fs_mount_all_fs',`
')
allow $1 filesystem_type:filesystem mount;
@@ -121528,7 +121463,7 @@ index 7c6b791..aa86bf7 100644
')
########################################
-@@ -4513,7 +5273,7 @@ interface(`fs_unmount_all_fs',`
+@@ -4549,7 +5273,7 @@ interface(`fs_unmount_all_fs',`
## <desc>
## <p>
## Allow the specified domain to
@@ -121537,7 +121472,34 @@ index 7c6b791..aa86bf7 100644
## Example attributes:
## </p>
## <ul>
-@@ -4876,3 +5636,43 @@ interface(`fs_unconfined',`
+@@ -4596,6 +5320,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
+
+ ########################################
+ ## <summary>
++## Do not audit attempts to check the
++## access on all filesystems.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`fs_dontaudit_all_access_check',`
++ gen_require(`
++ attribute filesystem_type;
++ ')
++
++ dontaudit $1 filesystem_type:dir_file_class_set audit_access;
++')
++
++
++########################################
++## <summary>
+ ## Get the quotas of all filesystems.
+ ## </summary>
+ ## <param name="domain">
+@@ -4912,3 +5656,43 @@ interface(`fs_unconfined',`
typeattribute $1 filesystem_unconfined_type;
')
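Review bot: The new `fs_dontaudit_all_access_check` block is followed by two blank lines (`++` twice before the `########` separator) where the file otherwise separates interfaces with a single blank line, as the context lines above the insertion show; drop one. The summary `## Do not audit attempts to check the / ## access on all filesystems.` does not say what kind of check is meant: `audit_access` is the permission the kernel audits for an access(2)/faccessat(2) probe, so `## Do not audit access(2) permission checks on files and directories of all filesystems.` tells a policy writer what this dontaudit silences and that denials of real opens, reads and writes are still audited.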
@@ -121582,19 +121544,18 @@ index 7c6b791..aa86bf7 100644
+ fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpuacct")
+')
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
-index 376bae8..36a5041 100644
+index 9e603f5..6a95769 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
-@@ -33,6 +33,8 @@ fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
+@@ -33,6 +33,7 @@ fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr squashfs gen_context(system_u:object_r:fs_t,s0);
-+fs_use_xattr zfs gen_context(system_u:object_r:fs_t,s0);
+ fs_use_xattr zfs gen_context(system_u:object_r:fs_t,s0);
# Use the allocating task SID to label inodes in the following filesystem
- # types, and label the filesystem itself with the specified context.
-@@ -52,6 +54,7 @@ type anon_inodefs_t;
+@@ -53,6 +54,7 @@ type anon_inodefs_t;
fs_type(anon_inodefs_t)
files_mountpoint(anon_inodefs_t)
genfscon anon_inodefs / gen_context(system_u:object_r:anon_inodefs_t,s0)
@@ -121602,7 +121563,7 @@ index 376bae8..36a5041 100644
type bdev_t;
fs_type(bdev_t)
-@@ -67,7 +70,7 @@ fs_type(capifs_t)
+@@ -68,7 +70,7 @@ fs_type(capifs_t)
files_mountpoint(capifs_t)
genfscon capifs / gen_context(system_u:object_r:capifs_t,s0)
@@ -121611,7 +121572,7 @@ index 376bae8..36a5041 100644
fs_type(cgroup_t)
files_type(cgroup_t)
files_mountpoint(cgroup_t)
-@@ -88,6 +91,11 @@ fs_noxattr_type(ecryptfs_t)
+@@ -89,6 +91,11 @@ fs_noxattr_type(ecryptfs_t)
files_mountpoint(ecryptfs_t)
genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0)
@@ -121623,7 +121584,7 @@ index 376bae8..36a5041 100644
type futexfs_t;
fs_type(futexfs_t)
genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0)
-@@ -96,6 +104,7 @@ type hugetlbfs_t;
+@@ -97,6 +104,7 @@ type hugetlbfs_t;
fs_type(hugetlbfs_t)
files_mountpoint(hugetlbfs_t)
fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);
@@ -121631,7 +121592,7 @@ index 376bae8..36a5041 100644
type ibmasmfs_t;
fs_type(ibmasmfs_t)
-@@ -144,11 +153,6 @@ fs_type(spufs_t)
+@@ -145,11 +153,6 @@ fs_type(spufs_t)
genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
files_mountpoint(spufs_t)
@@ -121643,7 +121604,16 @@ index 376bae8..36a5041 100644
type sysv_t;
fs_noxattr_type(sysv_t)
files_mountpoint(sysv_t)
-@@ -175,6 +179,7 @@ fs_type(tmpfs_t)
+@@ -167,6 +170,8 @@ type vxfs_t;
+ fs_noxattr_type(vxfs_t)
+ files_mountpoint(vxfs_t)
+ genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0)
++genfscon odmfs / gen_context(system_u:object_r:vxfs_t,s0)
++genfscon vxclonefs / gen_context(system_u:object_r:vxfs_t,s0)
+
+ #
+ # tmpfs_t is the type for tmpfs filesystems
+@@ -176,6 +181,7 @@ fs_type(tmpfs_t)
files_type(tmpfs_t)
files_mountpoint(tmpfs_t)
files_poly_parent(tmpfs_t)
@@ -121651,7 +121621,7 @@ index 376bae8..36a5041 100644
# Use a transition SID based on the allocating task SID and the
# filesystem SID to label inodes in the following filesystem types,
-@@ -254,6 +259,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
+@@ -255,6 +261,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
type removable_t;
allow removable_t noxattrfs:filesystem associate;
fs_noxattr_type(removable_t)
@@ -121660,7 +121630,7 @@ index 376bae8..36a5041 100644
files_mountpoint(removable_t)
#
-@@ -273,6 +280,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
+@@ -274,6 +282,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
@@ -121677,10 +121647,10 @@ index 7be4ddf..f7021a0 100644
+
+/sys/class/net/ib.* gen_context(system_u:object_r:sysctl_net_t,s0)
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index 4bf45cb..9f81200 100644
+index 649e458..31a14c8 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
-@@ -267,7 +267,7 @@ interface(`kernel_rw_unix_dgram_sockets',`
+@@ -286,7 +286,7 @@ interface(`kernel_rw_unix_dgram_sockets',`
type kernel_t;
')
@@ -121689,7 +121659,7 @@ index 4bf45cb..9f81200 100644
')
########################################
-@@ -785,6 +785,24 @@ interface(`kernel_unmount_proc',`
+@@ -804,6 +804,24 @@ interface(`kernel_unmount_proc',`
########################################
## <summary>
@@ -121714,7 +121684,7 @@ index 4bf45cb..9f81200 100644
## Get the attributes of the proc filesystem.
## </summary>
## <param name="domain">
-@@ -972,13 +990,10 @@ interface(`kernel_read_proc_symlinks',`
+@@ -991,13 +1009,10 @@ interface(`kernel_read_proc_symlinks',`
#
interface(`kernel_read_system_state',`
gen_require(`
@@ -121730,7 +121700,7 @@ index 4bf45cb..9f81200 100644
')
########################################
-@@ -1458,6 +1473,24 @@ interface(`kernel_dontaudit_list_all_proc',`
+@@ -1477,6 +1492,24 @@ interface(`kernel_dontaudit_list_all_proc',`
########################################
## <summary>
@@ -121755,7 +121725,7 @@ index 4bf45cb..9f81200 100644
## Do not audit attempts by caller to search
## the base directory of sysctls.
## </summary>
-@@ -2066,7 +2099,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
+@@ -2085,7 +2118,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
')
dontaudit $1 sysctl_type:dir list_dir_perms;
@@ -121764,7 +121734,7 @@ index 4bf45cb..9f81200 100644
')
########################################
-@@ -2263,6 +2296,25 @@ interface(`kernel_list_unlabeled',`
+@@ -2282,6 +2315,25 @@ interface(`kernel_list_unlabeled',`
########################################
## <summary>
@@ -121790,7 +121760,7 @@ index 4bf45cb..9f81200 100644
## Read the process state (/proc/pid) of all unlabeled_t.
## </summary>
## <param name="domain">
-@@ -2287,7 +2339,7 @@ interface(`kernel_read_unlabeled_state',`
+@@ -2306,7 +2358,7 @@ interface(`kernel_read_unlabeled_state',`
## </summary>
## <param name="domain">
## <summary>
@@ -121799,7 +121769,7 @@ index 4bf45cb..9f81200 100644
## </summary>
## </param>
#
-@@ -2469,6 +2521,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
+@@ -2488,6 +2540,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
########################################
## <summary>
@@ -121824,7 +121794,7 @@ index 4bf45cb..9f81200 100644
## Do not audit attempts by caller to get attributes for
## unlabeled character devices.
## </summary>
-@@ -2506,6 +2576,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
+@@ -2525,6 +2595,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
########################################
## <summary>
@@ -121849,7 +121819,7 @@ index 4bf45cb..9f81200 100644
## Allow caller to relabel unlabeled files.
## </summary>
## <param name="domain">
-@@ -2613,7 +2701,7 @@ interface(`kernel_sendrecv_unlabeled_association',`
+@@ -2632,7 +2720,7 @@ interface(`kernel_sendrecv_unlabeled_association',`
allow $1 unlabeled_t:association { sendto recvfrom };
# temporary hack until labeling on packets is supported
@@ -121858,7 +121828,7 @@ index 4bf45cb..9f81200 100644
')
########################################
-@@ -2651,6 +2739,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
+@@ -2670,6 +2758,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
########################################
## <summary>
@@ -121883,7 +121853,7 @@ index 4bf45cb..9f81200 100644
## Receive TCP packets from an unlabeled connection.
## </summary>
## <desc>
-@@ -2678,6 +2784,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
+@@ -2697,6 +2803,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
########################################
## <summary>
@@ -121909,7 +121879,7 @@ index 4bf45cb..9f81200 100644
## Do not audit attempts to receive TCP packets from an unlabeled
## connection.
## </summary>
-@@ -2787,6 +2912,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
+@@ -2806,6 +2931,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
allow $1 unlabeled_t:rawip_socket recvfrom;
')
@@ -121943,7 +121913,7 @@ index 4bf45cb..9f81200 100644
########################################
## <summary>
-@@ -2942,6 +3094,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
+@@ -2961,6 +3113,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
########################################
## <summary>
@@ -121968,7 +121938,7 @@ index 4bf45cb..9f81200 100644
## Unconfined access to kernel module resources.
## </summary>
## <param name="domain">
-@@ -2956,5 +3126,318 @@ interface(`kernel_unconfined',`
+@@ -2975,5 +3145,299 @@ interface(`kernel_unconfined',`
')
typeattribute $1 kern_unconfined;
@@ -121978,25 +121948,6 @@ index 4bf45cb..9f81200 100644
+
+########################################
+## <summary>
-+## Allow the specified domain to connect to
-+## the kernel with a unix socket.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`kernel_stream_connect',`
-+ gen_require(`
-+ type kernel_t;
-+ ')
-+
-+ allow $1 kernel_t:unix_stream_socket connectto;
-+')
-+
-+########################################
-+## <summary>
+## Allow the specified domain to getattr on
+## the kernel with a unix socket.
+## </summary>
@@ -122289,7 +122240,7 @@ index 4bf45cb..9f81200 100644
+ list_dirs_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t)
')
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index ab9b6cd..ccffb0f 100644
+index 6fac350..6fc8411 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -25,6 +25,9 @@ attribute kern_unconfined;
@@ -122535,42 +122486,16 @@ index ab9b6cd..ccffb0f 100644
+read_lnk_files_pattern(kernel_system_state_reader, proc_t, proc_t)
+list_dirs_pattern(kernel_system_state_reader, proc_t, proc_t)
diff --git a/policy/modules/kernel/mcs.if b/policy/modules/kernel/mcs.if
-index f52faaf..6bb6529 100644
+index b08a6e8..226021d 100644
--- a/policy/modules/kernel/mcs.if
+++ b/policy/modules/kernel/mcs.if
-@@ -102,3 +102,49 @@ interface(`mcs_process_set_categories',`
+@@ -130,3 +130,23 @@ interface(`mcs_process_set_categories',`
typeattribute $1 mcssetcats;
')
+
+########################################
+## <summary>
-+## Make specified process type MCS untrusted.
-+## </summary>
-+## <desc>
-+## <p>
-+## Make specified process type MCS untrusted. This
-+## prevents this process from sending signals to other processes
-+## with different mcs labels
-+## object.
-+## </p>
-+## </desc>
-+## <param name="domain">
-+## <summary>
-+## The type of the process.
-+## </summary>
-+## </param>
-+#
-+interface(`mcs_untrusted_proc',`
-+ gen_require(`
-+ attribute mcsuntrustedproc;
-+ ')
-+
-+ typeattribute $1 mcsuntrustedproc;
-+')
-+
-+########################################
-+## <summary>
+## Make specified domain MCS trusted
+## for writing to sockets at any level.
+## </summary>
@@ -122589,14 +122514,13 @@ index f52faaf..6bb6529 100644
+ typeattribute $1 mcsnetwrite;
+')
diff --git a/policy/modules/kernel/mcs.te b/policy/modules/kernel/mcs.te
-index 0e5b661..3168d72 100644
+index 5cbeb54..8067370 100644
--- a/policy/modules/kernel/mcs.te
+++ b/policy/modules/kernel/mcs.te
-@@ -10,3 +10,5 @@ attribute mcsptraceall;
- attribute mcssetcats;
+@@ -11,3 +11,4 @@ attribute mcssetcats;
attribute mcswriteall;
attribute mcsreadall;
-+attribute mcsuntrustedproc;
+ attribute mcs_constrained_type;
+attribute mcsnetwrite;
diff --git a/policy/modules/kernel/selinux.fc b/policy/modules/kernel/selinux.fc
index 7be4ddf..4d4c577 100644
@@ -123553,7 +123477,7 @@ index 7d45d15..22c9cfe 100644
+
+/usr/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
-index 01dd2f1..3541088 100644
+index 771bce1..8b0e5e6 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -124,7 +124,7 @@ interface(`term_user_tty',`
@@ -123615,32 +123539,7 @@ index 01dd2f1..3541088 100644
')
########################################
-@@ -384,6 +407,24 @@ interface(`term_getattr_pty_fs',`
-
- ########################################
- ## <summary>
-+## Relabel a pty filesystem.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`term_relabel_pty_fs',`
-+ gen_require(`
-+ type devpts_t;
-+ ')
-+
-+ allow $1 devpts_t:filesystem relabel_file_perms;
-+')
-+
-+########################################
-+## <summary>
- ## Do not audit attempts to get the
- ## attributes of the /dev/pts directory.
- ## </summary>
-@@ -462,6 +503,24 @@ interface(`term_list_ptys',`
+@@ -481,6 +504,24 @@ interface(`term_list_ptys',`
########################################
## <summary>
@@ -123665,7 +123564,7 @@ index 01dd2f1..3541088 100644
## Do not audit attempts to read the
## /dev/pts directory.
## </summary>
-@@ -601,7 +660,7 @@ interface(`term_use_generic_ptys',`
+@@ -620,7 +661,7 @@ interface(`term_use_generic_ptys',`
########################################
## <summary>
@@ -123674,7 +123573,7 @@ index 01dd2f1..3541088 100644
## write the generic pty type. This is
## generally only used in the targeted policy.
## </summary>
-@@ -616,6 +675,7 @@ interface(`term_dontaudit_use_generic_ptys',`
+@@ -635,6 +676,7 @@ interface(`term_dontaudit_use_generic_ptys',`
type devpts_t;
')
@@ -123682,7 +123581,7 @@ index 01dd2f1..3541088 100644
dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
')
-@@ -860,6 +920,26 @@ interface(`term_use_all_ptys',`
+@@ -879,6 +921,26 @@ interface(`term_use_all_ptys',`
########################################
## <summary>
@@ -123709,7 +123608,7 @@ index 01dd2f1..3541088 100644
## Do not audit attempts to read or write any ptys.
## </summary>
## <param name="domain">
-@@ -873,7 +953,7 @@ interface(`term_dontaudit_use_all_ptys',`
+@@ -892,7 +954,7 @@ interface(`term_dontaudit_use_all_ptys',`
attribute ptynode;
')
@@ -123718,7 +123617,7 @@ index 01dd2f1..3541088 100644
')
########################################
-@@ -893,7 +973,7 @@ interface(`term_relabel_all_ptys',`
+@@ -912,7 +974,7 @@ interface(`term_relabel_all_ptys',`
')
dev_list_all_dev_nodes($1)
@@ -123727,7 +123626,7 @@ index 01dd2f1..3541088 100644
')
########################################
-@@ -921,7 +1001,7 @@ interface(`term_getattr_all_user_ptys',`
+@@ -940,7 +1002,7 @@ interface(`term_getattr_all_user_ptys',`
## </summary>
## <param name="domain">
## <summary>
@@ -123736,7 +123635,7 @@ index 01dd2f1..3541088 100644
## </summary>
## </param>
#
-@@ -1240,7 +1320,47 @@ interface(`term_dontaudit_use_unallocated_ttys',`
+@@ -1259,7 +1321,47 @@ interface(`term_dontaudit_use_unallocated_ttys',`
type tty_device_t;
')
@@ -123785,7 +123684,7 @@ index 01dd2f1..3541088 100644
')
########################################
-@@ -1256,11 +1376,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
+@@ -1275,11 +1377,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
#
interface(`term_getattr_all_ttys',`
gen_require(`
@@ -123799,7 +123698,7 @@ index 01dd2f1..3541088 100644
')
########################################
-@@ -1277,10 +1399,12 @@ interface(`term_getattr_all_ttys',`
+@@ -1296,10 +1400,12 @@ interface(`term_getattr_all_ttys',`
interface(`term_dontaudit_getattr_all_ttys',`
gen_require(`
attribute ttynode;
@@ -123812,7 +123711,7 @@ index 01dd2f1..3541088 100644
')
########################################
-@@ -1358,7 +1482,27 @@ interface(`term_use_all_ttys',`
+@@ -1377,7 +1483,27 @@ interface(`term_use_all_ttys',`
')
dev_list_all_dev_nodes($1)
@@ -123841,7 +123740,7 @@ index 01dd2f1..3541088 100644
')
########################################
-@@ -1377,7 +1521,7 @@ interface(`term_dontaudit_use_all_ttys',`
+@@ -1396,7 +1522,7 @@ interface(`term_dontaudit_use_all_ttys',`
attribute ttynode;
')
@@ -123850,7 +123749,7 @@ index 01dd2f1..3541088 100644
')
########################################
-@@ -1485,7 +1629,7 @@ interface(`term_use_all_user_ttys',`
+@@ -1504,7 +1630,7 @@ interface(`term_use_all_user_ttys',`
## </summary>
## <param name="domain">
## <summary>
@@ -123859,7 +123758,7 @@ index 01dd2f1..3541088 100644
## </summary>
## </param>
#
-@@ -1493,3 +1637,436 @@ interface(`term_dontaudit_use_all_user_ttys',`
+@@ -1512,3 +1638,436 @@ interface(`term_dontaudit_use_all_user_ttys',`
refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.')
term_dontaudit_use_all_ttys($1)
')
@@ -124297,7 +124196,7 @@ index 01dd2f1..3541088 100644
+ dev_filetrans($1, tty_device_t, chr_file, "xvc9")
+')
diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te
-index 9d64659..f85e86f 100644
+index c0b88bf..a97d7cc 100644
--- a/policy/modules/kernel/terminal.te
+++ b/policy/modules/kernel/terminal.te
@@ -29,6 +29,7 @@ files_mountpoint(devpts_t)
@@ -124417,10 +124316,10 @@ index 234a940..d340f20 100644
########################################
## <summary>
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index e5aee97..ead35b9 100644
+index 5da7870..b5ab557 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
-@@ -8,12 +8,68 @@ policy_module(staff, 2.3.0)
+@@ -8,12 +8,68 @@ policy_module(staff, 2.3.1)
role staff_r;
userdom_unpriv_user_template(staff)
@@ -124489,7 +124388,7 @@ index e5aee97..ead35b9 100644
optional_policy(`
apache_role(staff_r, staff_t)
')
-@@ -23,11 +79,110 @@ optional_policy(`
+@@ -23,11 +79,106 @@ optional_policy(`
')
optional_policy(`
@@ -124594,14 +124493,10 @@ index e5aee97..ead35b9 100644
+ polipo_role(staff_r, staff_t)
+ polipo_named_filetrans_cache_home_dirs(staff_t)
+ polipo_named_filetrans_config_home_files(staff_t)
-+')
-+
-+optional_policy(`
-+ git_session_role(staff_r, staff_t)
')
optional_policy(`
-@@ -35,15 +190,31 @@ optional_policy(`
+@@ -35,15 +186,31 @@ optional_policy(`
')
optional_policy(`
@@ -124635,7 +124530,7 @@ index e5aee97..ead35b9 100644
')
optional_policy(`
-@@ -52,10 +223,59 @@ optional_policy(`
+@@ -52,10 +219,55 @@ optional_policy(`
')
optional_policy(`
@@ -124657,10 +124552,6 @@ index e5aee97..ead35b9 100644
+ sudo_role_template(staff, staff_r, staff_t)
+')
+
-+#optional_policy(`
-+# telepathy_dbus_session_role(staff_r, staff_t)
-+#')
-+
+optional_policy(`
+ userhelper_console_role_template(staff, staff_r, staff_t)
+')
@@ -124695,7 +124586,7 @@ index e5aee97..ead35b9 100644
xserver_role(staff_r, staff_t)
')
-@@ -65,10 +285,6 @@ ifndef(`distro_redhat',`
+@@ -65,10 +277,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -124706,15 +124597,18 @@ index e5aee97..ead35b9 100644
cdrecord_role(staff_r, staff_t)
')
-@@ -93,18 +309,10 @@ ifndef(`distro_redhat',`
- ')
+@@ -78,10 +286,6 @@ ifndef(`distro_redhat',`
optional_policy(`
-- gnome_role(staff_r, staff_t)
-- ')
+ dbus_role_template(staff, staff_r, staff_t)
-
-- optional_policy(`
- gpg_role(staff_r, staff_t)
+- optional_policy(`
+- gnome_role_template(staff, staff_r, staff_t)
+- ')
+ ')
+
+ optional_policy(`
+@@ -101,10 +305,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -124725,7 +124619,7 @@ index e5aee97..ead35b9 100644
java_role(staff_r, staff_t)
')
-@@ -125,10 +333,6 @@ ifndef(`distro_redhat',`
+@@ -125,10 +325,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -124736,7 +124630,7 @@ index e5aee97..ead35b9 100644
pyzor_role(staff_r, staff_t)
')
-@@ -141,10 +345,6 @@ ifndef(`distro_redhat',`
+@@ -141,10 +337,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -124747,7 +124641,7 @@ index e5aee97..ead35b9 100644
spamassassin_role(staff_r, staff_t)
')
-@@ -176,3 +376,20 @@ ifndef(`distro_redhat',`
+@@ -176,3 +368,20 @@ ifndef(`distro_redhat',`
wireshark_role(staff_r, staff_t)
')
')
@@ -124797,10 +124691,10 @@ index ff92430..36740ea 100644
## <summary>
## Execute a generic bin program in the sysadm domain.
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 44c198a..72a70fc 100644
+index 88d0028..39285bc 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
-@@ -5,39 +5,73 @@ policy_module(sysadm, 2.5.0)
+@@ -5,39 +5,73 @@ policy_module(sysadm, 2.5.1)
# Declarations
#
@@ -124929,14 +124823,14 @@ index 44c198a..72a70fc 100644
- consoletype_run(sysadm_t, sysadm_r)
+ cron_admin_role(sysadm_r, sysadm_t)
+ #cron_role(sysadm_r, sysadm_t)
-+')
-+
-+optional_policy(`
-+ consoletype_exec(sysadm_t)
')
optional_policy(`
- cvs_exec(sysadm_t)
++ consoletype_exec(sysadm_t)
++')
++
++optional_policy(`
+ daemonstools_run_start(sysadm_t, sysadm_r)
+')
+
@@ -124956,24 +124850,21 @@ index 44c198a..72a70fc 100644
dmesg_exec(sysadm_t)
')
-@@ -156,11 +201,15 @@ optional_policy(`
+@@ -156,11 +201,11 @@ optional_policy(`
')
optional_policy(`
+- fstools_run(sysadm_t, sysadm_r)
+ firewalld_dbus_chat(sysadm_t)
-+')
-+
-+optional_policy(`
- fstools_run(sysadm_t, sysadm_r)
')
optional_policy(`
- git_role(sysadm_r, sysadm_t)
-+ git_session_role(sysadm_r, sysadm_t)
++ fstools_run(sysadm_t, sysadm_r)
')
optional_policy(`
-@@ -179,6 +228,13 @@ optional_policy(`
+@@ -179,6 +224,13 @@ optional_policy(`
ipsec_stream_connect(sysadm_t)
# for lsof
ipsec_getattr_key_sockets(sysadm_t)
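Review bot: The rebased patch silently stops granting `git_session_role(sysadm_r, sysadm_t)`: the former `+ git_session_role(sysadm_r, sysadm_t)` line is replaced by `+ fstools_run(sysadm_t, sysadm_r)` and no other line re-adds it, and the staff.te and unprivuser.te hunks of this same patch drop the corresponding `git_session_role` blocks for staff_t and user_t. The changelog entry ("Mass merge with upstream") does not say whether the session role is now provided elsewhere or was withdrawn on purpose. Presumably git invoked by these users now stays in the caller's domain instead of transitioning to git_session_t, which is a confinement change worth one sentence in the commit description, or the three blocks should be restored.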
@@ -124987,7 +124878,7 @@ index 44c198a..72a70fc 100644
')
optional_policy(`
-@@ -186,15 +242,20 @@ optional_policy(`
+@@ -186,15 +238,20 @@ optional_policy(`
')
optional_policy(`
@@ -125011,7 +124902,7 @@ index 44c198a..72a70fc 100644
')
optional_policy(`
-@@ -214,22 +275,20 @@ optional_policy(`
+@@ -214,22 +271,20 @@ optional_policy(`
modutils_run_depmod(sysadm_t, sysadm_r)
modutils_run_insmod(sysadm_t, sysadm_r)
modutils_run_update_mods(sysadm_t, sysadm_r)
@@ -125040,7 +124931,7 @@ index 44c198a..72a70fc 100644
')
optional_policy(`
-@@ -241,25 +300,47 @@ optional_policy(`
+@@ -241,25 +296,47 @@ optional_policy(`
')
optional_policy(`
@@ -125088,7 +124979,7 @@ index 44c198a..72a70fc 100644
portage_run(sysadm_t, sysadm_r)
portage_run_fetch(sysadm_t, sysadm_r)
portage_run_gcc_config(sysadm_t, sysadm_r)
-@@ -270,31 +351,32 @@ optional_policy(`
+@@ -270,31 +347,36 @@ optional_policy(`
')
optional_policy(`
@@ -125098,31 +124989,35 @@ index 44c198a..72a70fc 100644
optional_policy(`
- quota_run(sysadm_t, sysadm_r)
-+ prelink_run(sysadm_t, sysadm_r)
++ postgresql_admin(sysadm_t, sysadm_r)
')
optional_policy(`
- raid_run_mdadm(sysadm_r, sysadm_t)
-+ puppet_run_puppetca(sysadm_t, sysadm_r)
++ prelink_run(sysadm_t, sysadm_r)
')
optional_policy(`
- razor_role(sysadm_r, sysadm_t)
-+ quota_filetrans_named_content(sysadm_t)
++ puppet_run_puppetca(sysadm_t, sysadm_r)
')
optional_policy(`
- rpc_domtrans_nfsd(sysadm_t)
-+ raid_domtrans_mdadm(sysadm_t)
++ quota_filetrans_named_content(sysadm_t)
')
optional_policy(`
- rpm_run(sysadm_t, sysadm_r)
-+ rpc_domtrans_nfsd(sysadm_t)
++ raid_domtrans_mdadm(sysadm_t)
')
optional_policy(`
- rssh_role(sysadm_r, sysadm_t)
++ rpc_domtrans_nfsd(sysadm_t)
++')
++
++optional_policy(`
+ rpm_run(sysadm_t, sysadm_r)
+ rpm_dbus_chat(sysadm_t, sysadm_r)
')
@@ -125261,26 +125156,28 @@ index 44c198a..72a70fc 100644
-
- optional_policy(`
dbus_role_template(sysadm, sysadm_r, sysadm_t)
- ')
-@@ -460,6 +553,7 @@ ifndef(`distro_redhat',`
+ optional_policy(`
+@@ -463,15 +556,75 @@ ifndef(`distro_redhat',`
+ ')
optional_policy(`
- gnome_role(sysadm_r, sysadm_t)
+- gpg_role(sysadm_r, sysadm_t)
++ gnome_role(sysadm_r, sysadm_t)
+ gnome_filetrans_admin_home_content(sysadm_t)
')
optional_policy(`
-@@ -467,11 +561,66 @@ ifndef(`distro_redhat',`
+- irc_role(sysadm_r, sysadm_t)
++ gpg_role(sysadm_r, sysadm_t)
')
optional_policy(`
-- irc_role(sysadm_r, sysadm_t)
-+ java_role(sysadm_r, sysadm_t)
+ java_role(sysadm_r, sysadm_t)
')
+-')
- optional_policy(`
-- java_role(sysadm_r, sysadm_t)
++ optional_policy(`
+ lockdev_role(sysadm_r, sysadm_t)
+ ')
+
@@ -125290,9 +125187,8 @@ index 44c198a..72a70fc 100644
+
+ optional_policy(`
+ mozilla_role(sysadm_r, sysadm_t)
- ')
--')
-
++ ')
++
+ optional_policy(`
+ mplayer_role(sysadm_r, sysadm_t)
+ ')
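Review bot: The re-added `gnome_role(sysadm_r, sysadm_t)` should be checked against the gnome interface this tree actually exports: the staff.te hunk in the same patch now removes `gnome_role_template(staff, staff_r, staff_t)`, which suggests upstream has moved to the three-argument template form. This block sits inside `ifndef(`distro_redhat',`, so a stale interface name would not be caught by the Red Hat build at all. If only the template form exists, the line should read `gnome_role_template(sysadm, sysadm_r, sysadm_t)`; the enclosing ifndef block starts and ends outside the hunk.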
@@ -126003,10 +125899,10 @@ index 0000000..bac0dc0
+
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
new file mode 100644
-index 0000000..d609f53
+index 0000000..0b9a7bb
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,387 @@
+@@ -0,0 +1,373 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -126092,15 +125988,9 @@ index 0000000..d609f53
+init_telinit(unconfined_t)
+
+logging_send_syslog_msg(unconfined_t)
-+logging_run_auditctl(unconfined_t, unconfined_r)
+
+systemd_config_all_services(unconfined_t)
+
-+seutil_run_loadpolicy(unconfined_t, unconfined_r)
-+seutil_run_setsebool(unconfined_t, unconfined_r)
-+seutil_run_setfiles(unconfined_t, unconfined_r)
-+seutil_run_semanage(unconfined_t, unconfined_r)
-+
+unconfined_domain_noaudit(unconfined_t)
+
+usermanage_run_passwd(unconfined_t, unconfined_r)
@@ -126273,8 +126163,8 @@ index 0000000..d609f53
+ ')
+
+ optional_policy(`
-+ telepathy_command_domtrans(unconfined_dbusd_t, unconfined_t)
-+ ')
++ telepathy_command_domtrans(unconfined_dbusd_t, unconfined_t)
++ ')
+
+ optional_policy(`
+ oddjob_dbus_chat(unconfined_t)
@@ -126381,14 +126271,6 @@ index 0000000..d609f53
+')
+
+optional_policy(`
-+ webalizer_run(unconfined_t, unconfined_r)
-+')
-+
-+optional_policy(`
-+ wine_run(unconfined_t, unconfined_r)
-+')
-+
-+optional_policy(`
+ xserver_run(unconfined_t, unconfined_r)
+ xserver_manage_home_fonts(unconfined_t)
+')
@@ -126405,11 +126287,11 @@ index 3835596..fbca2be 100644
########################################
## <summary>
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
-index 9f6d4c3..07ceee0 100644
+index cdfddf4..35179f7 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -1,5 +1,12 @@
- policy_module(unprivuser, 2.3.0)
+ policy_module(unprivuser, 2.3.1)
+## <desc>
+## <p>
@@ -126421,7 +126303,7 @@ index 9f6d4c3..07ceee0 100644
# this module should be named user, but that is
# a compile error since user is a keyword.
-@@ -12,12 +19,99 @@ role user_r;
+@@ -12,12 +19,96 @@ role user_r;
userdom_unpriv_user_template(user)
@@ -126434,6 +126316,7 @@ index 9f6d4c3..07ceee0 100644
+storage_read_scsi_generic(user_t)
+storage_write_scsi_generic(user_t)
+
++init_dbus_chat(user_t)
+init_status(user_t)
+
+tunable_policy(`selinuxuser_execmod',`
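Review bot: `init_dbus_chat(user_t)` is an unconditional grant that lets every unprivileged user_t process exchange D-Bus messages with init_t, and the hunk gives no reason for it. A why-comment above it would let the next reviewer judge the exposure, e.g. `# let unprivileged users talk to systemd over the system bus (systemctl status etc.)`, and it is worth confirming that the adjacent `init_status(user_t)` does not already cover the motivating case. Whether individual systemd operations remain gated by polkit is outside what this hunk shows.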
@@ -126515,14 +126398,10 @@ index 9f6d4c3..07ceee0 100644
+
+optional_policy(`
+ ssh_role_template(user, user_r, user_t)
-+')
-+
-+optional_policy(`
-+ git_session_role(user_r, user_t)
')
optional_policy(`
-@@ -25,6 +119,18 @@ optional_policy(`
+@@ -25,6 +116,18 @@ optional_policy(`
')
optional_policy(`
@@ -126541,18 +126420,7 @@ index 9f6d4c3..07ceee0 100644
vlock_run(user_t, user_r)
')
-@@ -66,10 +172,6 @@ ifndef(`distro_redhat',`
- ')
-
- optional_policy(`
-- gnome_role(user_r, user_t)
-- ')
--
-- optional_policy(`
- gpg_role(user_r, user_t)
- ')
-
-@@ -102,10 +204,6 @@ ifndef(`distro_redhat',`
+@@ -102,10 +205,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -126563,7 +126431,7 @@ index 9f6d4c3..07ceee0 100644
postgresql_role(user_r, user_t)
')
-@@ -128,7 +226,6 @@ ifndef(`distro_redhat',`
+@@ -128,7 +227,6 @@ ifndef(`distro_redhat',`
optional_policy(`
ssh_role_template(user, user_r, user_t)
')
@@ -126571,7 +126439,7 @@ index 9f6d4c3..07ceee0 100644
optional_policy(`
su_role_template(user, user_r, user_t)
')
-@@ -161,3 +258,15 @@ ifndef(`distro_redhat',`
+@@ -161,3 +259,15 @@ ifndef(`distro_redhat',`
wireshark_role(user_r, user_t)
')
')
@@ -126588,7 +126456,7 @@ index 9f6d4c3..07ceee0 100644
+ ')
+')
diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc
-index a26f84f..d3cc612 100644
+index a26f84f..947af6c 100644
--- a/policy/modules/services/postgresql.fc
+++ b/policy/modules/services/postgresql.fc
@@ -10,6 +10,7 @@
@@ -126599,7 +126467,7 @@ index a26f84f..d3cc612 100644
/usr/lib/pgsql/test/regress(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
/usr/lib/pgsql/test/regress/pg_regress -- gen_context(system_u:object_r:postgresql_exec_t,s0)
-@@ -28,9 +29,9 @@ ifdef(`distro_redhat', `
+@@ -28,9 +29,10 @@ ifdef(`distro_redhat', `
#
/var/lib/postgres(ql)?(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
@@ -126608,17 +126476,18 @@ index a26f84f..d3cc612 100644
/var/lib/pgsql/logfile(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0)
-/var/lib/pgsql/pgstartup\.log gen_context(system_u:object_r:postgresql_log_t,s0)
+/var/lib/pgsql/.*\.log gen_context(system_u:object_r:postgresql_log_t,s0)
++/var/lib/pgsql/data/pg_log(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0)
/var/lib/sepgsql(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
/var/lib/sepgsql/pgstartup\.log -- gen_context(system_u:object_r:postgresql_log_t,s0)
-@@ -45,4 +46,4 @@ ifdef(`distro_redhat', `
+@@ -45,4 +47,4 @@ ifdef(`distro_redhat', `
/var/run/postgresql(/.*)? gen_context(system_u:object_r:postgresql_var_run_t,s0)
-/var/run/postmaster.* gen_context(system_u:object_r:postgresql_var_run_t,s0)
+#/var/run/postmaster.* gen_context(system_u:object_r:postgresql_var_run_t,s0)
diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if
-index ecef19f..fcbc25a 100644
+index 9d2f311..c8a2637 100644
--- a/policy/modules/services/postgresql.if
+++ b/policy/modules/services/postgresql.if
@@ -10,7 +10,7 @@
@@ -126725,20 +126594,15 @@ index ecef19f..fcbc25a 100644
#
interface(`postgresql_stream_connect',`
gen_require(`
-@@ -429,10 +449,8 @@ interface(`postgresql_stream_connect',`
- ')
+@@ -432,6 +452,7 @@ interface(`postgresql_stream_connect',`
files_search_pids($1)
-- allow $1 postgresql_t:unix_stream_socket connectto;
-- allow $1 postgresql_var_run_t:sock_file write;
-- # Some versions of postgresql put the sock file in /tmp
-- allow $1 postgresql_tmp_t:sock_file write;
-+ files_search_tmp($1)
+ files_search_tmp($1)
+ stream_connect_pattern($1, { postgresql_var_run_t postgresql_tmp_t }, { postgresql_var_run_t postgresql_tmp_t }, postgresql_t)
')
########################################
-@@ -515,7 +533,6 @@ interface(`postgresql_unpriv_client',`
+@@ -514,7 +535,6 @@ interface(`postgresql_unpriv_client',`
allow $1 unpriv_sepgsql_view_t:db_view { getattr expand };
type_transition $1 sepgsql_schema_type:db_view unpriv_sepgsql_view_t;
@@ -126746,7 +126610,37 @@ index ecef19f..fcbc25a 100644
tunable_policy(`sepgsql_enable_users_ddl',`
allow $1 unpriv_sepgsql_schema_t:db_schema { create drop setattr };
allow $1 unpriv_sepgsql_table_t:db_table { create drop setattr };
-@@ -564,33 +581,38 @@ interface(`postgresql_unconfined',`
+@@ -547,6 +567,29 @@ interface(`postgresql_unconfined',`
+
+ ########################################
+ ## <summary>
++## Transition to postgresql named content
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`postgresql_filetrans_named_content',`
++ gen_require(`
++ type postgresql_db_t;
++ type postgresql_log_t;
++ ')
++
++ files_var_lib_filetrans($1, postgresql_db_t, dir, "postgresql")
++ files_var_lib_filetrans($1, postgresql_db_t, dir, "postgres")
++ files_var_lib_filetrans($1, postgresql_db_t, dir, "pgsql")
++ filetrans_pattern($1, postgresql_db_t, postgresql_log_t, dir, "logfile")
++ filetrans_pattern($1, postgresql_db_t, postgresql_log_t, dir, "pg_log")
++')
++
++########################################
++## <summary>
+ ## All of the rules required to administrate an postgresql environment
+ ## </summary>
+ ## <param name="domain">
+@@ -563,35 +606,41 @@ interface(`postgresql_unconfined',`
#
interface(`postgresql_admin',`
gen_require(`
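Review bot: The new `postgresql_filetrans_named_content` interface only transitions directories ("postgresql", "postgres", "pgsql", "logfile", "pg_log"), while the postgresql.fc hunk in this patch labels `/var/lib/pgsql/.*\.log` and `pgstartup\.log` as postgresql_log_t. A caller that creates a `.log` file directly under /var/lib/pgsql will therefore get postgresql_db_t until the next restorecon; if any domain using this interface does that, add `filetrans_pattern($1, postgresql_db_t, postgresql_log_t, file, "pgstartup.log")`, otherwise a comment saying the file case is intentionally left to the parent label would settle it. The interface summary could also state the scope, e.g. `## Create the well-known postgresql directories under /var/lib with postgresql_db_t and the log dirs with postgresql_log_t`. postgresql_admin's body continues outside the hunk.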
@@ -126793,8 +126687,11 @@ index ecef19f..fcbc25a 100644
admin_pattern($1, postgresql_tmp_t)
postgresql_tcp_connect($1)
+ postgresql_stream_connect($1)
++ postgresql_filetrans_named_content($1)
+ ')
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
-index 4318f73..e4d0b31 100644
+index 346d011..d55e727 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -19,25 +19,32 @@ gen_require(`
@@ -126815,7 +126712,7 @@ index 4318f73..e4d0b31 100644
+## Allow unprivileged users to execute DDL statement
+## </p>
## </desc>
--gen_tunable(sepgsql_enable_users_ddl, true)
+-gen_tunable(sepgsql_enable_users_ddl, false)
+gen_tunable(postgresql_selinux_users_ddl, true)
## <desc>
@@ -126831,17 +126728,14 @@ index 4318f73..e4d0b31 100644
## Allow database admins to execute DML statement
## </p>
## </desc>
--gen_tunable(sepgsql_unconfined_dbadm, true)
+-gen_tunable(sepgsql_unconfined_dbadm, false)
+gen_tunable(postgresql_selinux_unconfined_dbadm, true)
type postgresql_t;
type postgresql_exec_t;
-@@ -233,9 +240,10 @@ allow postgresql_t self:shm create_shm_perms;
- allow postgresql_t self:tcp_socket create_stream_socket_perms;
- allow postgresql_t self:udp_socket create_stream_socket_perms;
+@@ -236,7 +243,8 @@ allow postgresql_t self:udp_socket create_stream_socket_perms;
allow postgresql_t self:unix_dgram_socket create_socket_perms;
--allow postgresql_t self:unix_stream_socket create_stream_socket_perms;
-+allow postgresql_t self:unix_stream_socket { connectto create_stream_socket_perms };
+ allow postgresql_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow postgresql_t self:netlink_selinux_socket create_socket_perms;
-tunable_policy(`sepgsql_transmit_client_label',`
+
@@ -126849,7 +126743,14 @@ index 4318f73..e4d0b31 100644
allow postgresql_t self:process { setsockcreate };
')
-@@ -275,7 +283,7 @@ allow postgresql_t postgresql_etc_t:dir list_dir_perms;
+@@ -270,13 +278,13 @@ manage_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
+ manage_lnk_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
+ manage_fifo_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
+ manage_sock_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
+-files_var_lib_filetrans(postgresql_t, postgresql_db_t, { dir file lnk_file sock_file fifo_file })
++postgresql_filetrans_named_content(postgresql_t)
+
+ allow postgresql_t postgresql_etc_t:dir list_dir_perms;
read_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t)
read_lnk_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t)
@@ -126858,7 +126759,7 @@ index 4318f73..e4d0b31 100644
can_exec(postgresql_t, postgresql_exec_t )
allow postgresql_t postgresql_lock_t:file manage_file_perms;
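Review bot: Replacing `files_var_lib_filetrans(postgresql_t, postgresql_db_t, { dir file lnk_file sock_file fifo_file })` with `postgresql_filetrans_named_content(postgresql_t)` narrows default labeling: only directories with the listed names created directly in /var/lib become postgresql_db_t, and any other object postgresql_t creates there keeps the /var/lib default type. Named transitions are the safer default, but this is a behavior change the hunk does not explain; a comment such as `# only the well-known data directories get postgresql_db_t; anything else postgresql_t creates directly in /var/lib inherits the parent label` would record the intent. The manage_*_pattern rules above are unaffected since they operate inside postgresql_db_t.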
-@@ -303,7 +311,6 @@ kernel_list_proc(postgresql_t)
+@@ -304,7 +312,6 @@ kernel_list_proc(postgresql_t)
kernel_read_all_sysctls(postgresql_t)
kernel_read_proc_symlinks(postgresql_t)
@@ -126866,7 +126767,7 @@ index 4318f73..e4d0b31 100644
corenet_all_recvfrom_netlabel(postgresql_t)
corenet_tcp_sendrecv_generic_if(postgresql_t)
corenet_udp_sendrecv_generic_if(postgresql_t)
-@@ -341,8 +348,7 @@ domain_dontaudit_list_all_domains_state(postgresql_t)
+@@ -342,8 +349,7 @@ domain_dontaudit_list_all_domains_state(postgresql_t)
domain_use_interactive_fds(postgresql_t)
files_dontaudit_search_home(postgresql_t)
@@ -126876,7 +126777,7 @@ index 4318f73..e4d0b31 100644
files_read_etc_runtime_files(postgresql_t)
files_read_usr_files(postgresql_t)
-@@ -353,7 +359,6 @@ init_read_utmp(postgresql_t)
+@@ -354,7 +360,6 @@ init_read_utmp(postgresql_t)
logging_send_syslog_msg(postgresql_t)
logging_send_audit_msgs(postgresql_t)
@@ -126884,7 +126785,7 @@ index 4318f73..e4d0b31 100644
seutil_libselinux_linked(postgresql_t)
seutil_read_default_contexts(postgresql_t)
-@@ -366,7 +371,7 @@ optional_policy(`
+@@ -367,7 +372,7 @@ optional_policy(`
mta_getattr_spool(postgresql_t)
')
@@ -126893,7 +126794,7 @@ index 4318f73..e4d0b31 100644
allow postgresql_t self:process execmem;
')
-@@ -487,7 +492,7 @@ allow sepgsql_client_type sepgsql_temp_object_t:{db_schema db_table db_column db
+@@ -488,7 +493,7 @@ allow sepgsql_client_type sepgsql_temp_object_t:{db_schema db_table db_column db
# Note that permission of creation/deletion are eventually controlled by
# create or drop permission of individual objects within shared schemas.
# So, it just allows to create/drop user specific types.
@@ -126902,7 +126803,7 @@ index 4318f73..e4d0b31 100644
allow sepgsql_client_type sepgsql_schema_t:db_schema { add_name remove_name };
')
-@@ -535,7 +540,7 @@ allow sepgsql_admin_type sepgsql_module_type:db_database install_module;
+@@ -536,7 +541,7 @@ allow sepgsql_admin_type sepgsql_module_type:db_database install_module;
kernel_relabelfrom_unlabeled_database(sepgsql_admin_type)
@@ -126911,7 +126812,7 @@ index 4318f73..e4d0b31 100644
allow sepgsql_admin_type sepgsql_database_type:db_database *;
allow sepgsql_admin_type sepgsql_schema_type:db_schema *;
-@@ -588,3 +593,17 @@ allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *;
+@@ -589,3 +594,17 @@ allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *;
allow sepgsql_unconfined_type sepgsql_module_type:db_database install_module;
kernel_relabelfrom_unlabeled_database(sepgsql_unconfined_type)
@@ -126930,10 +126831,10 @@ index 4318f73..e4d0b31 100644
+ ')
+')
diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
-index 078bcd7..022c7db 100644
+index 76d9f66..c61ed66 100644
--- a/policy/modules/services/ssh.fc
+++ b/policy/modules/services/ssh.fc
-@@ -1,9 +1,23 @@
+@@ -1,4 +1,15 @@
HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
+HOME_DIR/\.shosts gen_context(system_u:object_r:ssh_home_t,s0)
+
@@ -126948,16 +126849,8 @@ index 078bcd7..022c7db 100644
+/etc/rc\.d/init\.d/sshd -- gen_context(system_u:object_r:sshd_initrc_exec_t,s0)
/etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0)
- /etc/ssh/ssh_host_key -- gen_context(system_u:object_r:sshd_key_t,s0)
- /etc/ssh/ssh_host_dsa_key -- gen_context(system_u:object_r:sshd_key_t,s0)
- /etc/ssh/ssh_host_rsa_key -- gen_context(system_u:object_r:sshd_key_t,s0)
-+/etc/ssh/ssh_host_key.pub -- gen_context(system_u:object_r:sshd_key_t,s0)
-+/etc/ssh/ssh_host_dsa_key.pub -- gen_context(system_u:object_r:sshd_key_t,s0)
-+/etc/ssh/ssh_host_rsa_key.pub -- gen_context(system_u:object_r:sshd_key_t,s0)
-
- /usr/bin/ssh -- gen_context(system_u:object_r:ssh_exec_t,s0)
- /usr/bin/ssh-agent -- gen_context(system_u:object_r:ssh_agent_exec_t,s0)
-@@ -12,5 +26,10 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
+ /etc/ssh/ssh_host.*_key -- gen_context(system_u:object_r:sshd_key_t,s0)
+@@ -12,5 +23,10 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
/usr/libexec/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
/usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
@@ -127601,19 +127494,19 @@ index fe0c682..2b21421 100644
+ allow $1 sshd_devpts_t:chr_file { getattr open read write ioctl };
+')
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index b17e27a..3354b8f 100644
+index 5fc0391..129ae69 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
-@@ -6,44 +6,51 @@ policy_module(ssh, 2.3.0)
+@@ -6,44 +6,51 @@ policy_module(ssh, 2.3.3)
#
## <desc>
-## <p>
-## allow host key based authentication
-## </p>
-+## <p>
-+## allow host key based authentication
-+## </p>
++## <p>
++## allow host key based authentication
++## </p>
## </desc>
-gen_tunable(allow_ssh_keysign, false)
+gen_tunable(ssh_keysign, false)
@@ -127817,7 +127710,7 @@ index b17e27a..3354b8f 100644
')
optional_policy(`
-@@ -195,28 +218,24 @@ optional_policy(`
+@@ -195,6 +218,7 @@ optional_policy(`
xserver_domtrans_xauth(ssh_t)
')
@@ -127825,32 +127718,15 @@ index b17e27a..3354b8f 100644
##############################
#
# ssh_keysign_t local policy
- #
-
--tunable_policy(`allow_ssh_keysign',`
-+tunable_policy(`ssh_keysign',`
- allow ssh_keysign_t self:capability { setgid setuid };
- allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
+@@ -206,6 +230,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
+ allow ssh_keysign_t sshd_key_t:file { getattr read };
-- allow ssh_keysign_t sshd_key_t:file { getattr read };
-+ allow ssh_keysign_t sshd_key_t:file read_file_perms;
+ dev_read_urand(ssh_keysign_t)
++dev_read_rand(ssh_keysign_t)
-+ dev_read_rand(ssh_keysign_t)
- dev_read_urand(ssh_keysign_t)
+ files_read_etc_files(ssh_keysign_t)
- files_read_etc_files(ssh_keysign_t)
- ')
-
--optional_policy(`
-- tunable_policy(`allow_ssh_keysign',`
-- nscd_socket_use(ssh_keysign_t)
-- ')
--')
--
- #################################
- #
- # sshd local policy
-@@ -227,33 +246,50 @@ optional_policy(`
+@@ -223,33 +248,50 @@ optional_policy(`
# so a tunnel can point to another ssh tunnel
allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
allow sshd_t self:key { search link write };
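Review bot: The rebase drops the earlier replacement of `allow ssh_keysign_t sshd_key_t:file { getattr read };` with `read_file_perms`, and the upstream line now kept as context grants neither `open` nor `ioctl`/`lock`. With the open_perms policy capability in effect, ssh-keysign would be denied opening the host key, which breaks host-based authentication while the `ssh_keysign` tunable appears to be enabled; unless upstream grants open elsewhere, re-add `allow ssh_keysign_t sshd_key_t:file read_file_perms;` to the new inner hunk. The newly added `dev_read_rand(ssh_keysign_t)` would also benefit from a one-line comment on why `dev_read_urand` alone is not sufficient. The surrounding ssh_keysign_t block continues outside the hunk.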
@@ -127910,7 +127786,7 @@ index b17e27a..3354b8f 100644
')
optional_policy(`
-@@ -261,11 +297,24 @@ optional_policy(`
+@@ -257,11 +299,24 @@ optional_policy(`
')
optional_policy(`
@@ -127936,7 +127812,7 @@ index b17e27a..3354b8f 100644
')
optional_policy(`
-@@ -273,6 +322,10 @@ optional_policy(`
+@@ -269,6 +324,10 @@ optional_policy(`
')
optional_policy(`
@@ -127947,7 +127823,7 @@ index b17e27a..3354b8f 100644
rpm_use_script_fds(sshd_t)
')
-@@ -283,6 +336,28 @@ optional_policy(`
+@@ -279,6 +338,28 @@ optional_policy(`
')
optional_policy(`
@@ -127976,7 +127852,7 @@ index b17e27a..3354b8f 100644
unconfined_shell_domtrans(sshd_t)
')
-@@ -290,6 +365,29 @@ optional_policy(`
+@@ -286,6 +367,29 @@ optional_policy(`
xserver_domtrans_xauth(sshd_t)
')
@@ -128006,7 +127882,7 @@ index b17e27a..3354b8f 100644
########################################
#
# ssh_keygen local policy
-@@ -298,19 +396,26 @@ optional_policy(`
+@@ -294,19 +398,26 @@ optional_policy(`
# ssh_keygen_t is the type of the ssh-keygen program when run at install time
# and by sysadm_t
@@ -128034,21 +127910,20 @@ index b17e27a..3354b8f 100644
dev_read_urand(ssh_keygen_t)
term_dontaudit_use_console(ssh_keygen_t)
-@@ -327,9 +432,11 @@ auth_use_nsswitch(ssh_keygen_t)
+@@ -323,6 +434,12 @@ auth_use_nsswitch(ssh_keygen_t)
logging_send_syslog_msg(ssh_keygen_t)
userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
+userdom_use_user_terminals(ssh_keygen_t)
-
--optional_policy(`
-- nscd_socket_use(ssh_keygen_t)
++
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_files(ssh_keygen_t)
+ fs_manage_nfs_dirs(ssh_keygen_t)
- ')
++')
optional_policy(`
-@@ -339,3 +446,121 @@ optional_policy(`
+ seutil_sigchld_newrole(ssh_keygen_t)
+@@ -331,3 +448,124 @@ optional_policy(`
optional_policy(`
udev_read_db(ssh_keygen_t)
')
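Review bot: The new `tunable_policy(`use_nfs_home_dirs',` block for ssh_keygen_t has no `use_samba_home_dirs` counterpart; elsewhere in refpolicy these two tunables are normally granted together so key generation into a CIFS-mounted home behaves the same as on NFS. If that is wanted here, add `tunable_policy(`use_samba_home_dirs',` with `fs_manage_cifs_files(ssh_keygen_t)` and `fs_manage_cifs_dirs(ssh_keygen_t)`; otherwise a short comment that CIFS homes are intentionally unsupported would avoid the question on the next rebase. The ssh_keygen_t section continues outside the hunk.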
@@ -128082,6 +127957,7 @@ index b17e27a..3354b8f 100644
+#
+# chroot_user_t local policy
+#
++allow chroot_user_t self:fifo_file rw_fifo_file_perms;
+allow chroot_user_t self:unix_dgram_socket create_socket_perms;
+
+corecmd_exec_shell(chroot_user_t)
@@ -128089,6 +127965,8 @@ index b17e27a..3354b8f 100644
+term_search_ptys(chroot_user_t)
+term_use_ptmx(chroot_user_t)
+
++fs_getattr_all_fs(chroot_user_t)
++
+userdom_read_user_home_content_files(chroot_user_t)
+userdom_read_inherited_user_home_content_files(chroot_user_t)
+userdom_read_user_home_content_symlinks(chroot_user_t)
@@ -128171,7 +128049,7 @@ index b17e27a..3354b8f 100644
+ xserver_rw_xdm_pipes(ssh_agent_type)
+')
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
-index fc86b7c..ba6be42 100644
+index d1f64a0..c92d1e2 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -2,13 +2,35 @@
@@ -128210,9 +128088,9 @@ index fc86b7c..ba6be42 100644
#
# /dev
-@@ -24,11 +46,18 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
-
- /etc/init\.d/xfree86-common -- gen_context(system_u:object_r:xserver_exec_t,s0)
+@@ -22,13 +44,20 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+ /etc/gdm(3)?/PreSession/.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
+ /etc/gdm(3)?/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
+/etc/[mg]dm(/.*)? gen_context(system_u:object_r:xdm_etc_t,s0)
+/etc/[mg]dm/Init(/.*)? gen_context(system_u:object_r:xdm_unconfined_exec_t,s0)
@@ -128225,11 +128103,14 @@ index fc86b7c..ba6be42 100644
/etc/kde[34]?/kdm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/kde[34]?/kdm/backgroundrc gen_context(system_u:object_r:xdm_var_run_t,s0)
+-/etc/rc\.d/init\.d/x11-common -- gen_context(system_u:object_r:xdm_exec_t,s0)
+/etc/opt/VirtualGL(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0)
+
++/etc/rc\.d/init\.d/x11-common -- gen_context(system_u:object_r:xdm_exec_t,s0)
/etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0)
-@@ -46,23 +75,25 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+@@ -46,26 +75,30 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
# /tmp
#
@@ -128248,11 +128129,13 @@ index fc86b7c..ba6be42 100644
#
+/usr/sbin/mdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)
+ /usr/(s)?bin/gdm(3)? -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/(s)?bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)
- /usr/(s)?bin/lxdm(-binary)? -- gen_context(system_u:object_r:xdm_exec_t,s0)
--/usr/(s)?bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/(s)?bin/lightdm* -- gen_context(system_u:object_r:xdm_exec_t,s0)
+ /usr/(s)?bin/lxdm(-binary)? -- gen_context(system_u:object_r:xdm_exec_t,s0)
+-/usr/(s)?bin/[xkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/(s)?bin/[mxgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
++
/usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0)
/usr/bin/slim -- gen_context(system_u:object_r:xdm_exec_t,s0)
@@ -128260,10 +128143,13 @@ index fc86b7c..ba6be42 100644
+/usr/bin/Xephyr -- gen_context(system_u:object_r:xserver_exec_t,s0)
/usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0)
/usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0)
++/usr/bin/Xvnc -- gen_context(system_u:object_r:xserver_exec_t,s0)
+
+ /usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
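Review bot: `/usr/bin/Xvnc -- gen_context(system_u:object_r:xserver_exec_t,s0)` gives a network-facing X server the same entrypoint type as the local Xorg binary, so Xvnc will run as xserver_t. Two things to check: that no other module's .fc (the vnc module is the obvious candidate) already labels /usr/bin/Xvnc, since two specifications for one path with different types fail the file-context build, and that xserver_t is really the domain wanted for a server that listens on VNC ports rather than a dedicated vnc domain. A short comment recording that decision would keep it from being second-guessed on the next merge.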
-@@ -90,24 +121,47 @@ ifndef(`distro_debian',`
- /var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
+@@ -92,25 +125,49 @@ ifndef(`distro_debian',`
+ /var/lib/gdm(3)?(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
/var/lib/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
-/var/lib/[xkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
+/var/lib/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
@@ -128276,12 +128162,12 @@ index fc86b7c..ba6be42 100644
-/var/log/[kwx]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
-/var/log/lxdm\.log -- gen_context(system_u:object_r:xserver_log_t,s0)
--/var/log/gdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
+ /var/log/gdm(3)?(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
-/var/log/slim\.log -- gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/[mkwx]dm\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0)
+/var/log/lightdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/lxdm\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0)
-+/var/log/[mg]dm(/.*)? gen_context(system_u:object_r:xdm_log_t,s0)
++/var/log/mdm(/.*)? gen_context(system_u:object_r:xdm_log_t,s0)
+/var/log/slim\.log -- gen_context(system_u:object_r:xdm_log_t,s0)
/var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0)
/var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0)
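Review bot: Narrowing `/var/log/[mg]dm(/.*)?` to `/var/log/mdm(/.*)?` leaves /var/log/gdm with upstream's `xserver_log_t` while the mdm, lxdm, slim and `[mkwx]dm` logs in the same hunk are `xdm_log_t`. If xdm_t writes its own logs through xdm_log_t rules, gdm's log directory is now labeled differently from every other display manager's and its writes may be denied; if keeping xserver_log_t for gdm is deliberate, a comment on that line should say so.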
@@ -128289,10 +128175,11 @@ index fc86b7c..ba6be42 100644
+
+/var/spool/[mg]dm(/.*)? gen_context(system_u:object_r:xdm_spool_t,s0)
+ /var/run/gdm(3)?\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/[kgm]dm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
-+/var/run/gdm_socket -s gen_context(system_u:object_r:xdm_var_run_t,s0)
- /var/run/[gx]dm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
++/var/run/gdm_socket -s gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+ /var/run/xdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/lxdm\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/lxdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
@@ -128316,7 +128203,7 @@ index fc86b7c..ba6be42 100644
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 130ced9..a75282a 100644
+index 6bf0ecc..6c7c743 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -19,9 +19,10 @@
@@ -128756,7 +128643,7 @@ index 130ced9..a75282a 100644
')
########################################
-@@ -724,11 +838,31 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
+@@ -765,11 +879,31 @@ interface(`xserver_manage_xdm_spool_files',`
#
interface(`xserver_stream_connect_xdm',`
gen_require(`
@@ -128790,7 +128677,7 @@ index 130ced9..a75282a 100644
')
########################################
-@@ -752,6 +886,25 @@ interface(`xserver_read_xdm_rw_config',`
+@@ -793,6 +927,25 @@ interface(`xserver_read_xdm_rw_config',`
########################################
## <summary>
@@ -128816,7 +128703,7 @@ index 130ced9..a75282a 100644
## Set the attributes of XDM temporary directories.
## </summary>
## <param name="domain">
-@@ -765,7 +918,25 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
+@@ -806,7 +959,25 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
type xdm_tmp_t;
')
@@ -128843,7 +128730,7 @@ index 130ced9..a75282a 100644
')
########################################
-@@ -805,7 +976,26 @@ interface(`xserver_read_xdm_pid',`
+@@ -846,7 +1017,26 @@ interface(`xserver_read_xdm_pid',`
')
files_search_pids($1)
@@ -128871,7 +128758,7 @@ index 130ced9..a75282a 100644
')
########################################
-@@ -828,6 +1018,24 @@ interface(`xserver_read_xdm_lib_files',`
+@@ -869,6 +1059,24 @@ interface(`xserver_read_xdm_lib_files',`
########################################
## <summary>
@@ -128896,7 +128783,7 @@ index 130ced9..a75282a 100644
## Make an X session script an entrypoint for the specified domain.
## </summary>
## <param name="domain">
-@@ -897,7 +1105,26 @@ interface(`xserver_getattr_log',`
+@@ -938,7 +1146,26 @@ interface(`xserver_getattr_log',`
')
logging_search_logs($1)
@@ -128924,7 +128811,7 @@ index 130ced9..a75282a 100644
')
########################################
-@@ -916,7 +1143,7 @@ interface(`xserver_dontaudit_write_log',`
+@@ -957,7 +1184,7 @@ interface(`xserver_dontaudit_write_log',`
type xserver_log_t;
')
@@ -128933,7 +128820,7 @@ index 130ced9..a75282a 100644
')
########################################
-@@ -963,6 +1190,45 @@ interface(`xserver_read_xkb_libs',`
+@@ -1004,6 +1231,45 @@ interface(`xserver_read_xkb_libs',`
########################################
## <summary>
@@ -128979,7 +128866,7 @@ index 130ced9..a75282a 100644
## Read xdm temporary files.
## </summary>
## <param name="domain">
-@@ -976,7 +1242,7 @@ interface(`xserver_read_xdm_tmp_files',`
+@@ -1017,7 +1283,7 @@ interface(`xserver_read_xdm_tmp_files',`
type xdm_tmp_t;
')
@@ -128988,7 +128875,7 @@ index 130ced9..a75282a 100644
read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
')
-@@ -1038,6 +1304,42 @@ interface(`xserver_manage_xdm_tmp_files',`
+@@ -1079,6 +1345,42 @@ interface(`xserver_manage_xdm_tmp_files',`
########################################
## <summary>
@@ -129031,7 +128918,7 @@ index 130ced9..a75282a 100644
## Do not audit attempts to get the attributes of
## xdm temporary named sockets.
## </summary>
-@@ -1052,7 +1354,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+@@ -1093,7 +1395,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
type xdm_tmp_t;
')
@@ -129040,7 +128927,7 @@ index 130ced9..a75282a 100644
')
########################################
-@@ -1070,8 +1372,10 @@ interface(`xserver_domtrans',`
+@@ -1111,8 +1413,10 @@ interface(`xserver_domtrans',`
type xserver_t, xserver_exec_t;
')
@@ -129052,7 +128939,7 @@ index 130ced9..a75282a 100644
')
########################################
-@@ -1185,6 +1489,26 @@ interface(`xserver_stream_connect',`
+@@ -1226,6 +1530,26 @@ interface(`xserver_stream_connect',`
files_search_tmp($1)
stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
@@ -129079,7 +128966,7 @@ index 130ced9..a75282a 100644
')
########################################
-@@ -1210,7 +1534,7 @@ interface(`xserver_read_tmp_files',`
+@@ -1251,7 +1575,7 @@ interface(`xserver_read_tmp_files',`
## <summary>
## Interface to provide X object permissions on a given X server to
## an X client domain. Gives the domain permission to read the
@@ -129088,7 +128975,7 @@ index 130ced9..a75282a 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1220,13 +1544,23 @@ interface(`xserver_read_tmp_files',`
+@@ -1261,13 +1585,23 @@ interface(`xserver_read_tmp_files',`
#
interface(`xserver_manage_core_devices',`
gen_require(`
@@ -129113,7 +129000,7 @@ index 130ced9..a75282a 100644
')
########################################
-@@ -1243,10 +1577,541 @@ interface(`xserver_manage_core_devices',`
+@@ -1284,10 +1618,541 @@ interface(`xserver_manage_core_devices',`
#
interface(`xserver_unconfined',`
gen_require(`
@@ -129658,7 +129545,7 @@ index 130ced9..a75282a 100644
+ files_search_tmp($1)
+')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index d40f750..9f53f97 100644
+index 2696452..4a06941 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,27 +26,50 @@ gen_require(`
@@ -131108,7 +130995,7 @@ index 28ad538..ebe81bf 100644
-/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index f416ce9..4d4ec55 100644
+index 3efd5b6..7c0ea2d 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -23,11 +23,17 @@ interface(`auth_role',`
@@ -131292,24 +131179,25 @@ index f416ce9..4d4ec55 100644
## Execute a login_program in the target domain,
## with a range transition.
## </summary>
-@@ -395,13 +431,15 @@ interface(`auth_domtrans_chk_passwd',`
+@@ -395,6 +431,8 @@ interface(`auth_domtrans_chk_passwd',`
')
optional_policy(`
-- pcscd_read_pub_files($1)
+ pcscd_manage_pub_files($1)
+ pcscd_manage_pub_pipes($1)
+ pcscd_read_pid_files($1)
pcscd_stream_connect($1)
')
-
+@@ -402,6 +440,8 @@ interface(`auth_domtrans_chk_passwd',`
optional_policy(`
samba_stream_connect_winbind($1)
')
++
+ auth_domtrans_upd_passwd($1)
')
########################################
-@@ -448,6 +486,25 @@ interface(`auth_run_chk_passwd',`
+@@ -448,6 +488,25 @@ interface(`auth_run_chk_passwd',`
auth_domtrans_chk_passwd($1)
role $2 types chkpwd_t;
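Review bot: Every caller of `auth_domtrans_chk_passwd` now gets `pcscd_manage_pub_files($1)` (the old removal of `pcscd_read_pub_files` is dropped) together with Fedora's `pcscd_manage_pub_pipes($1)`, `pcscd_read_pid_files($1)` and, in the second inner hunk, `auth_domtrans_upd_passwd($1)`, so a domain that only needs to verify a password also gains write/delete on pcscd's public files and a transition into the password-update helper domain. Nothing in the hunk records why manage rather than read is required, or why checking a password must also permit updating one, which makes these lines as likely to be dropped as kept on the next rebase. If the updpwd transition exists for pam_unix's expired-password update path, say so above it, e.g. `# pam_unix may re-exec the update helper after a successful check (expired password)`; if not every caller needs it, it belongs in `auth_run_chk_passwd` or a dedicated interface so least privilege is kept. The interface's opening and closing lines are outside the hunk.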
@@ -131335,7 +131223,7 @@ index f416ce9..4d4ec55 100644
')
########################################
-@@ -467,7 +524,6 @@ interface(`auth_domtrans_upd_passwd',`
+@@ -467,7 +526,6 @@ interface(`auth_domtrans_upd_passwd',`
domtrans_pattern($1, updpwd_exec_t, updpwd_t)
auth_dontaudit_read_shadow($1)
@@ -131343,7 +131231,7 @@ index f416ce9..4d4ec55 100644
')
########################################
-@@ -664,6 +720,10 @@ interface(`auth_manage_shadow',`
+@@ -664,6 +722,10 @@ interface(`auth_manage_shadow',`
allow $1 shadow_t:file manage_file_perms;
typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
@@ -131354,7 +131242,7 @@ index f416ce9..4d4ec55 100644
')
#######################################
-@@ -763,7 +823,50 @@ interface(`auth_rw_faillog',`
+@@ -763,7 +825,50 @@ interface(`auth_rw_faillog',`
')
logging_search_logs($1)
@@ -131406,7 +131294,7 @@ index f416ce9..4d4ec55 100644
')
#######################################
-@@ -826,7 +929,7 @@ interface(`auth_rw_lastlog',`
+@@ -826,7 +931,7 @@ interface(`auth_rw_lastlog',`
########################################
## <summary>
@@ -131415,7 +131303,7 @@ index f416ce9..4d4ec55 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -834,12 +937,27 @@ interface(`auth_rw_lastlog',`
+@@ -834,12 +939,27 @@ interface(`auth_rw_lastlog',`
## </summary>
## </param>
#
@@ -131446,7 +131334,7 @@ index f416ce9..4d4ec55 100644
')
########################################
-@@ -854,15 +972,15 @@ interface(`auth_domtrans_pam',`
+@@ -854,15 +974,15 @@ interface(`auth_domtrans_pam',`
#
interface(`auth_signal_pam',`
gen_require(`
@@ -131465,7 +131353,7 @@ index f416ce9..4d4ec55 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -875,13 +993,33 @@ interface(`auth_signal_pam',`
+@@ -875,13 +995,33 @@ interface(`auth_signal_pam',`
## </summary>
## </param>
#
@@ -131503,7 +131391,7 @@ index f416ce9..4d4ec55 100644
')
########################################
-@@ -959,9 +1097,30 @@ interface(`auth_manage_var_auth',`
+@@ -959,9 +1099,30 @@ interface(`auth_manage_var_auth',`
')
files_search_var($1)
@@ -131537,7 +131425,7 @@ index f416ce9..4d4ec55 100644
')
########################################
-@@ -1040,6 +1199,10 @@ interface(`auth_manage_pam_pid',`
+@@ -1040,6 +1201,10 @@ interface(`auth_manage_pam_pid',`
files_search_pids($1)
allow $1 pam_var_run_t:dir manage_dir_perms;
allow $1 pam_var_run_t:file manage_file_perms;
@@ -131548,7 +131436,7 @@ index f416ce9..4d4ec55 100644
')
########################################
-@@ -1157,6 +1320,7 @@ interface(`auth_manage_pam_console_data',`
+@@ -1176,6 +1341,7 @@ interface(`auth_manage_pam_console_data',`
files_search_pids($1)
manage_files_pattern($1, pam_var_console_t, pam_var_console_t)
manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t)
@@ -131556,7 +131444,7 @@ index f416ce9..4d4ec55 100644
')
#######################################
-@@ -1526,6 +1690,25 @@ interface(`auth_setattr_login_records',`
+@@ -1576,6 +1742,25 @@ interface(`auth_setattr_login_records',`
########################################
## <summary>
@@ -131582,7 +131470,7 @@ index f416ce9..4d4ec55 100644
## Read login records files (/var/log/wtmp).
## </summary>
## <param name="domain">
-@@ -1676,24 +1859,7 @@ interface(`auth_manage_login_records',`
+@@ -1726,24 +1911,7 @@ interface(`auth_manage_login_records',`
logging_rw_generic_log_dirs($1)
allow $1 wtmp_t:file manage_file_perms;
@@ -131608,7 +131496,7 @@ index f416ce9..4d4ec55 100644
')
########################################
-@@ -1717,11 +1883,13 @@ interface(`auth_relabel_login_records',`
+@@ -1767,11 +1935,13 @@ interface(`auth_relabel_login_records',`
## <infoflow type="both" weight="10"/>
#
interface(`auth_use_nsswitch',`
@@ -131625,7 +131513,7 @@ index f416ce9..4d4ec55 100644
')
########################################
-@@ -1755,3 +1923,199 @@ interface(`auth_unconfined',`
+@@ -1805,3 +1975,199 @@ interface(`auth_unconfined',`
typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords;
')
@@ -131826,10 +131714,10 @@ index f416ce9..4d4ec55 100644
+ userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~")
+')
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index f145ccb..499ee40 100644
+index 104037e..eceffb2 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
-@@ -5,6 +5,19 @@ policy_module(authlogin, 2.4.0)
+@@ -5,6 +5,19 @@ policy_module(authlogin, 2.4.2)
# Declarations
#
@@ -132063,7 +131951,7 @@ index f145ccb..499ee40 100644
')
optional_policy(`
-- nscd_socket_use(utempter_t)
+- nscd_use(utempter_t)
+ xserver_use_xdm_fds(utempter_t)
+ xserver_rw_xdm_pipes(utempter_t)
+')
@@ -132112,15 +132000,6 @@ index f145ccb..499ee40 100644
optional_policy(`
kerberos_use(nsswitch_domain)
')
-@@ -447,7 +485,7 @@ optional_policy(`
- ')
-
- optional_policy(`
-- nscd_socket_use(nsswitch_domain)
-+ nscd_use(nsswitch_domain)
- ')
-
- optional_policy(`
@@ -456,6 +494,7 @@ optional_policy(`
optional_policy(`
@@ -132272,38 +132151,8 @@ index c5e05ca..c9ddbee 100644
+/usr/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
+
-diff --git a/policy/modules/system/clock.if b/policy/modules/system/clock.if
-index e2f6d93..c78ccc6 100644
---- a/policy/modules/system/clock.if
-+++ b/policy/modules/system/clock.if
-@@ -82,6 +82,25 @@ interface(`clock_dontaudit_write_adjtime',`
-
- ########################################
- ## <summary>
-+## Read clock drift adjustments.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`clock_read_adjtime',`
-+ gen_require(`
-+ type adjtime_t;
-+ ')
-+
-+ allow $1 adjtime_t:file read_file_perms;
-+ files_list_etc($1)
-+')
-+
-+########################################
-+## <summary>
- ## Read and write clock drift adjustments.
- ## </summary>
- ## <param name="domain">
diff --git a/policy/modules/system/clock.te b/policy/modules/system/clock.te
-index b9ed25b..91e25b5 100644
+index 3694bfe..7fcd27a 100644
--- a/policy/modules/system/clock.te
+++ b/policy/modules/system/clock.te
@@ -46,18 +46,19 @@ fs_search_auto_mountpoints(hwclock_t)
@@ -132333,7 +132182,7 @@ index b9ed25b..91e25b5 100644
')
optional_policy(`
-- nscd_socket_use(hwclock_t)
+- nscd_use(hwclock_t)
-')
-
-optional_policy(`
@@ -132616,7 +132465,7 @@ index e4376aa..2c98c56 100644
+ allow $1 getty_unit_file_t:service start;
+')
diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
-index fd100fc..3e61328 100644
+index fc38c9c..dce2d4e 100644
--- a/policy/modules/system/getty.te
+++ b/policy/modules/system/getty.te
@@ -27,6 +27,9 @@ files_tmp_file(getty_tmp_t)
@@ -132662,7 +132511,7 @@ index fd100fc..3e61328 100644
')
optional_policy(`
-- nscd_socket_use(getty_t)
+- nscd_use(getty_t)
-')
-
-optional_policy(`
@@ -132760,7 +132609,7 @@ index 40eb10c..2a0a32c 100644
corecmd_search_bin($1)
diff --git a/policy/modules/system/hotplug.te b/policy/modules/system/hotplug.te
-index b2e41cc..6a37dca 100644
+index bb5c4a6..7ebb938 100644
--- a/policy/modules/system/hotplug.te
+++ b/policy/modules/system/hotplug.te
@@ -23,7 +23,7 @@ files_pid_file(hotplug_var_run_t)
@@ -132807,7 +132656,7 @@ index b2e41cc..6a37dca 100644
-')
-
-optional_policy(`
-- nscd_socket_use(hotplug_t)
+- nscd_use(hotplug_t)
-')
-
-optional_policy(`
@@ -132815,18 +132664,20 @@ index b2e41cc..6a37dca 100644
')
diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
-index d2e40b8..3ba2e4c 100644
+index 9a4d3a7..b7b205c 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
-@@ -2,6 +2,7 @@
+@@ -1,6 +1,9 @@
+ #
# /etc
#
- /etc/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
++/etc/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
+/etc/machine-id -- gen_context(system_u:object_r:machineid_t,s0)
-
++
/etc/rc\.d/rc -- gen_context(system_u:object_r:initrc_exec_t,s0)
/etc/rc\.d/rc\.[^/]+ -- gen_context(system_u:object_r:initrc_exec_t,s0)
-@@ -31,6 +32,11 @@ ifdef(`distro_gentoo', `
+
+@@ -29,6 +32,11 @@ ifdef(`distro_gentoo', `
#
# /sbin
#
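Review bot: The re-added `/etc/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0)` restores a spec that is no longer in upstream's init.fc context, and it carries no comment, so a reader cannot tell whether Fedora deliberately disagrees with upstream or the line merely survived the rebase. The spec labels every regular file under /etc/init.d as an init-script entrypoint, which only has an effect if /etc/init.d is a real directory; file contexts match on the real path, so on hosts where it is a symlink to /etc/rc.d/init.d the entry is dead weight. I would add one line above it stating why it is kept, e.g. `# kept for hosts where /etc/init.d is a directory rather than a symlink to rc.d/init.d`, or drop it if upstream's removal is the desired state.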
@@ -132838,7 +132689,7 @@ index d2e40b8..3ba2e4c 100644
/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
# because nowadays, /sbin/init is often a symlink to /sbin/upstart
/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
-@@ -48,11 +54,23 @@ ifdef(`distro_gentoo', `
+@@ -42,11 +50,23 @@ ifdef(`distro_gentoo', `
#
/usr/bin/sepg_ctl -- gen_context(system_u:object_r:initrc_exec_t,s0)
@@ -132862,7 +132713,7 @@ index d2e40b8..3ba2e4c 100644
#
# /var
-@@ -61,6 +79,7 @@ ifdef(`distro_gentoo', `
+@@ -55,6 +75,7 @@ ifdef(`distro_gentoo', `
/var/run/runlevel\.dir gen_context(system_u:object_r:initrc_var_run_t,s0)
/var/run/random-seed -- gen_context(system_u:object_r:initrc_var_run_t,s0)
/var/run/setmixer_flag -- gen_context(system_u:object_r:initrc_var_run_t,s0)
@@ -132870,13 +132721,13 @@ index d2e40b8..3ba2e4c 100644
ifdef(`distro_debian',`
/var/run/hotkey-setup -- gen_context(system_u:object_r:initrc_var_run_t,s0)
-@@ -79,3 +98,4 @@ ifdef(`distro_suse', `
+@@ -73,3 +94,4 @@ ifdef(`distro_suse', `
/var/run/setleds-on -- gen_context(system_u:object_r:initrc_var_run_t,s0)
/var/run/sysconfig(/.*)? gen_context(system_u:object_r:initrc_var_run_t,s0)
')
+/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index d26fe81..95c1bd8 100644
+index 24e7804..386109d 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -106,6 +106,8 @@ interface(`init_domain',`
@@ -132955,7 +132806,7 @@ index d26fe81..95c1bd8 100644
+ ')
- optional_policy(`
-- nscd_socket_use($1)
+- nscd_use($1)
- ')
+ typeattribute $1 initrc_domain;
')
@@ -133055,8 +132906,8 @@ index d26fe81..95c1bd8 100644
+
########################################
## <summary>
- ## Execute init (/sbin/init) with a domain transition.
-@@ -442,7 +457,6 @@ interface(`init_domtrans',`
+ ## Mark the file type as a daemon run dir, allowing initrc_t
+@@ -469,7 +484,6 @@ interface(`init_domtrans',`
## Domain allowed access.
## </summary>
## </param>
@@ -133064,7 +132915,7 @@ index d26fe81..95c1bd8 100644
#
interface(`init_exec',`
gen_require(`
-@@ -451,6 +465,48 @@ interface(`init_exec',`
+@@ -478,6 +492,48 @@ interface(`init_exec',`
corecmd_search_bin($1)
can_exec($1, init_exec_t)
@@ -133113,7 +132964,7 @@ index d26fe81..95c1bd8 100644
')
########################################
-@@ -539,6 +595,24 @@ interface(`init_sigchld',`
+@@ -566,6 +622,24 @@ interface(`init_sigchld',`
########################################
## <summary>
@@ -133138,7 +132989,7 @@ index d26fe81..95c1bd8 100644
## Connect to init with a unix socket.
## </summary>
## <param name="domain">
-@@ -549,10 +623,66 @@ interface(`init_sigchld',`
+@@ -576,10 +650,66 @@ interface(`init_sigchld',`
#
interface(`init_stream_connect',`
gen_require(`
@@ -133207,7 +133058,7 @@ index d26fe81..95c1bd8 100644
')
########################################
-@@ -716,22 +846,23 @@ interface(`init_write_initctl',`
+@@ -743,22 +873,23 @@ interface(`init_write_initctl',`
interface(`init_telinit',`
gen_require(`
type initctl_t;
@@ -133240,7 +133091,7 @@ index d26fe81..95c1bd8 100644
')
########################################
-@@ -760,7 +891,7 @@ interface(`init_rw_initctl',`
+@@ -787,7 +918,7 @@ interface(`init_rw_initctl',`
## </summary>
## <param name="domain">
## <summary>
@@ -133249,7 +133100,7 @@ index d26fe81..95c1bd8 100644
## </summary>
## </param>
#
-@@ -803,11 +934,12 @@ interface(`init_script_file_entry_type',`
+@@ -830,11 +961,12 @@ interface(`init_script_file_entry_type',`
#
interface(`init_spec_domtrans_script',`
gen_require(`
@@ -133264,7 +133115,7 @@ index d26fe81..95c1bd8 100644
ifdef(`distro_gentoo',`
gen_require(`
-@@ -818,11 +950,11 @@ interface(`init_spec_domtrans_script',`
+@@ -845,11 +977,11 @@ interface(`init_spec_domtrans_script',`
')
ifdef(`enable_mcs',`
@@ -133278,7 +133129,7 @@ index d26fe81..95c1bd8 100644
')
')
-@@ -838,19 +970,41 @@ interface(`init_spec_domtrans_script',`
+@@ -865,19 +997,41 @@ interface(`init_spec_domtrans_script',`
#
interface(`init_domtrans_script',`
gen_require(`
@@ -133324,7 +133175,7 @@ index d26fe81..95c1bd8 100644
')
########################################
-@@ -906,9 +1060,14 @@ interface(`init_script_file_domtrans',`
+@@ -933,9 +1087,14 @@ interface(`init_script_file_domtrans',`
interface(`init_labeled_script_domtrans',`
gen_require(`
type initrc_t;
@@ -133339,7 +133190,7 @@ index d26fe81..95c1bd8 100644
files_search_etc($1)
')
-@@ -999,7 +1158,9 @@ interface(`init_ptrace',`
+@@ -1026,7 +1185,9 @@ interface(`init_ptrace',`
type init_t;
')
@@ -133350,7 +133201,7 @@ index d26fe81..95c1bd8 100644
')
########################################
-@@ -1098,6 +1259,25 @@ interface(`init_getattr_all_script_files',`
+@@ -1125,6 +1286,25 @@ interface(`init_getattr_all_script_files',`
########################################
## <summary>
@@ -133376,7 +133227,7 @@ index d26fe81..95c1bd8 100644
## Read all init script files.
## </summary>
## <param name="domain">
-@@ -1117,6 +1297,24 @@ interface(`init_read_all_script_files',`
+@@ -1144,6 +1324,24 @@ interface(`init_read_all_script_files',`
#######################################
## <summary>
@@ -133401,7 +133252,7 @@ index d26fe81..95c1bd8 100644
## Dontaudit read all init script files.
## </summary>
## <param name="domain">
-@@ -1168,12 +1366,7 @@ interface(`init_read_script_state',`
+@@ -1195,12 +1393,7 @@ interface(`init_read_script_state',`
')
kernel_search_proc($1)
@@ -133415,7 +133266,7 @@ index d26fe81..95c1bd8 100644
')
########################################
-@@ -1413,6 +1606,27 @@ interface(`init_dbus_send_script',`
+@@ -1440,6 +1633,27 @@ interface(`init_dbus_send_script',`
########################################
## <summary>
## Send and receive messages from
@@ -133443,7 +133294,7 @@ index d26fe81..95c1bd8 100644
## init scripts over dbus.
## </summary>
## <param name="domain">
-@@ -1499,6 +1713,25 @@ interface(`init_getattr_script_status_files',`
+@@ -1526,6 +1740,25 @@ interface(`init_getattr_script_status_files',`
########################################
## <summary>
@@ -133469,7 +133320,7 @@ index d26fe81..95c1bd8 100644
## Do not audit attempts to read init script
## status files.
## </summary>
-@@ -1557,6 +1790,24 @@ interface(`init_rw_script_tmp_files',`
+@@ -1584,6 +1817,24 @@ interface(`init_rw_script_tmp_files',`
########################################
## <summary>
@@ -133494,7 +133345,7 @@ index d26fe81..95c1bd8 100644
## Create files in a init script
## temporary data directory.
## </summary>
-@@ -1629,6 +1880,43 @@ interface(`init_read_utmp',`
+@@ -1656,6 +1907,43 @@ interface(`init_read_utmp',`
########################################
## <summary>
@@ -133538,7 +133389,7 @@ index d26fe81..95c1bd8 100644
## Do not audit attempts to write utmp.
## </summary>
## <param name="domain">
-@@ -1717,7 +2005,7 @@ interface(`init_dontaudit_rw_utmp',`
+@@ -1744,7 +2032,7 @@ interface(`init_dontaudit_rw_utmp',`
type initrc_var_run_t;
')
@@ -133547,7 +133398,7 @@ index d26fe81..95c1bd8 100644
')
########################################
-@@ -1758,7 +2046,134 @@ interface(`init_pid_filetrans_utmp',`
+@@ -1785,7 +2073,134 @@ interface(`init_pid_filetrans_utmp',`
files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
')
@@ -133683,7 +133534,7 @@ index d26fe81..95c1bd8 100644
## <summary>
## Allow the specified domain to connect to daemon with a tcp socket
## </summary>
-@@ -1792,3 +2207,283 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1819,3 +2234,283 @@ interface(`init_udp_recvfrom_all_daemons',`
')
corenet_udp_recvfrom_labeled($1, daemon)
')
@@ -133968,7 +133819,7 @@ index d26fe81..95c1bd8 100644
+ allow $1 init_t:system undefined;
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 4a88fa1..fe91700 100644
+index dd3be8d..682e5fc 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -11,10 +11,24 @@ gen_require(`
@@ -133998,7 +133849,7 @@ index 4a88fa1..fe91700 100644
# used for direct running of init scripts
# by admin domains
-@@ -25,19 +39,28 @@ attribute direct_init_entry;
+@@ -25,9 +39,17 @@ attribute direct_init_entry;
attribute init_script_domain_type;
attribute init_script_file_type;
attribute init_run_all_scripts_domain;
@@ -134014,6 +133865,9 @@ index 4a88fa1..fe91700 100644
+# Mark process types as initrc domain
+attribute initrc_domain;
+ # Mark file type as a daemon run directory
+ attribute daemonrundir;
+@@ -35,12 +57,13 @@ attribute daemonrundir;
#
# init_t is the domain of the init process.
#
@@ -134028,7 +133882,7 @@ index 4a88fa1..fe91700 100644
#
# init_var_run_t is the type for /var/run/shutdown.pid.
-@@ -46,6 +69,15 @@ type init_var_run_t;
+@@ -49,6 +72,15 @@ type init_var_run_t;
files_pid_file(init_var_run_t)
#
@@ -134044,7 +133898,7 @@ index 4a88fa1..fe91700 100644
# initctl_t is the type of the named pipe created
# by init during initialization. This pipe is used
# to communicate with init.
-@@ -54,7 +86,7 @@ type initctl_t;
+@@ -57,7 +89,7 @@ type initctl_t;
files_type(initctl_t)
mls_trusted_object(initctl_t)
@@ -134053,7 +133907,7 @@ index 4a88fa1..fe91700 100644
type initrc_exec_t, init_script_file_type;
domain_type(initrc_t)
domain_entry_file(initrc_t, initrc_exec_t)
-@@ -63,6 +95,8 @@ role system_r types initrc_t;
+@@ -66,6 +98,8 @@ role system_r types initrc_t;
# of the below init_upstart tunable
# but this has a typeattribute in it
corecmd_shell_entry_type(initrc_t)
@@ -134062,7 +133916,7 @@ index 4a88fa1..fe91700 100644
type initrc_devpts_t;
term_pty(initrc_devpts_t)
-@@ -95,7 +129,8 @@ ifdef(`enable_mls',`
+@@ -98,7 +132,8 @@ ifdef(`enable_mls',`
#
# Use capabilities. old rule:
@@ -134072,7 +133926,7 @@ index 4a88fa1..fe91700 100644
# is ~sys_module really needed? observed:
# sys_boot
# sys_tty_config
-@@ -107,12 +142,32 @@ allow init_t self:fifo_file rw_fifo_file_perms;
+@@ -110,12 +145,32 @@ allow init_t self:fifo_file rw_fifo_file_perms;
# Re-exec itself
can_exec(init_t, init_exec_t)
@@ -134111,7 +133965,7 @@ index 4a88fa1..fe91700 100644
allow init_t initctl_t:fifo_file manage_fifo_file_perms;
dev_filetrans(init_t, initctl_t, fifo_file)
-@@ -122,28 +177,38 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
+@@ -125,28 +180,39 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
kernel_read_system_state(init_t)
kernel_share_state(init_t)
@@ -134126,6 +133980,7 @@ index 4a88fa1..fe91700 100644
# Early devtmpfs
dev_rw_generic_chr_files(init_t)
+dev_filetrans_all_named_dev(init_t)
++dev_write_watchdog(init_t)
domain_getpgid_all_domains(init_t)
domain_kill_all_domains(init_t)
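Review bot: `dev_write_watchdog(init_t)` is a new unconditional grant added without a comment, placed between the devtmpfs rules and the domain_* rules where nothing explains which init implementation needs it. Write access to the watchdog device is what arms and pets the hardware watchdog, so the reason should be recorded next to the rule; if this is for systemd's watchdog support, something like `# systemd pets /dev/watchdog when RuntimeWatchdogSec= is set` would do. The surrounding init_t rule block continues outside the hunk.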
@@ -134151,7 +134006,7 @@ index 4a88fa1..fe91700 100644
# file descriptors inherited from the rootfs:
files_dontaudit_rw_root_files(init_t)
files_dontaudit_rw_root_chr_files(init_t)
-@@ -152,6 +217,8 @@ fs_list_inotifyfs(init_t)
+@@ -155,6 +221,8 @@ fs_list_inotifyfs(init_t)
# cjp: this may be related to /dev/log
fs_write_ramfs_sockets(init_t)
@@ -134160,7 +134015,7 @@ index 4a88fa1..fe91700 100644
mcs_process_set_categories(init_t)
mcs_killall(init_t)
-@@ -159,22 +226,41 @@ mls_file_read_all_levels(init_t)
+@@ -162,22 +230,41 @@ mls_file_read_all_levels(init_t)
mls_file_write_all_levels(init_t)
mls_process_write_down(init_t)
mls_fd_use_all_levels(init_t)
@@ -134204,7 +134059,7 @@ index 4a88fa1..fe91700 100644
ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap };
-@@ -183,29 +269,176 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +273,176 @@ ifdef(`distro_gentoo',`
')
ifdef(`distro_redhat',`
@@ -134375,7 +134230,7 @@ index 4a88fa1..fe91700 100644
')
optional_policy(`
-- nscd_socket_use(init_t)
+- nscd_use(init_t)
+ # /var/run/dovecot/login/ssl-parameters.dat is a hard link to
+ # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
+ # the directory. But we do not want to allow this.
@@ -134389,7 +134244,7 @@ index 4a88fa1..fe91700 100644
')
optional_policy(`
-@@ -213,6 +446,27 @@ optional_policy(`
+@@ -216,6 +450,27 @@ optional_policy(`
')
optional_policy(`
@@ -134417,7 +134272,7 @@ index 4a88fa1..fe91700 100644
unconfined_domain(init_t)
')
-@@ -222,8 +476,9 @@ optional_policy(`
+@@ -225,8 +480,9 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -134429,7 +134284,7 @@ index 4a88fa1..fe91700 100644
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -251,12 +506,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -257,12 +513,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -134446,7 +134301,7 @@ index 4a88fa1..fe91700 100644
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -272,23 +531,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -278,23 +538,36 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -134489,7 +134344,7 @@ index 4a88fa1..fe91700 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -296,9 +568,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -302,9 +575,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -134501,7 +134356,7 @@ index 4a88fa1..fe91700 100644
dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t)
-@@ -306,8 +580,10 @@ dev_write_framebuffer(initrc_t)
+@@ -312,8 +587,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@@ -134512,7 +134367,7 @@ index 4a88fa1..fe91700 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -315,17 +591,16 @@ dev_manage_generic_files(initrc_t)
+@@ -321,17 +598,16 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -134532,7 +134387,7 @@ index 4a88fa1..fe91700 100644
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
-@@ -333,6 +608,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -339,6 +615,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -134540,7 +134395,7 @@ index 4a88fa1..fe91700 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
-@@ -340,8 +616,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -346,8 +623,10 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -134552,7 +134407,7 @@ index 4a88fa1..fe91700 100644
files_delete_all_pids(initrc_t)
files_delete_all_pid_dirs(initrc_t)
files_read_etc_files(initrc_t)
-@@ -357,8 +635,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -363,8 +642,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -134566,7 +134421,7 @@ index 4a88fa1..fe91700 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -368,9 +650,13 @@ fs_mount_all_fs(initrc_t)
+@@ -374,9 +657,13 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -134581,7 +134436,7 @@ index 4a88fa1..fe91700 100644
mcs_killall(initrc_t)
mcs_process_set_categories(initrc_t)
-@@ -380,6 +666,7 @@ mls_process_read_up(initrc_t)
+@@ -386,6 +673,7 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -134589,7 +134444,7 @@ index 4a88fa1..fe91700 100644
selinux_get_enforce_mode(initrc_t)
-@@ -391,6 +678,7 @@ term_use_all_terms(initrc_t)
+@@ -397,6 +685,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -134597,7 +134452,7 @@ index 4a88fa1..fe91700 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -409,20 +697,18 @@ logging_read_all_logs(initrc_t)
+@@ -415,20 +704,18 @@ logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
@@ -134621,7 +134476,7 @@ index 4a88fa1..fe91700 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -476,6 +762,10 @@ ifdef(`distro_gentoo',`
+@@ -485,6 +772,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@@ -134632,7 +134487,7 @@ index 4a88fa1..fe91700 100644
alsa_read_lib(initrc_t)
')
-@@ -496,7 +786,7 @@ ifdef(`distro_redhat',`
+@@ -505,7 +796,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -134641,7 +134496,7 @@ index 4a88fa1..fe91700 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -511,6 +801,7 @@ ifdef(`distro_redhat',`
+@@ -520,6 +811,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -134649,7 +134504,7 @@ index 4a88fa1..fe91700 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -531,6 +822,7 @@ ifdef(`distro_redhat',`
+@@ -540,6 +832,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t)
@@ -134657,7 +134512,7 @@ index 4a88fa1..fe91700 100644
miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
-@@ -540,8 +832,40 @@ ifdef(`distro_redhat',`
+@@ -549,8 +842,40 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -134698,7 +134553,7 @@ index 4a88fa1..fe91700 100644
')
optional_policy(`
-@@ -549,14 +873,31 @@ ifdef(`distro_redhat',`
+@@ -558,14 +883,31 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -134730,7 +134585,7 @@ index 4a88fa1..fe91700 100644
')
')
-@@ -567,6 +908,39 @@ ifdef(`distro_suse',`
+@@ -576,6 +918,39 @@ ifdef(`distro_suse',`
')
')
@@ -134770,7 +134625,7 @@ index 4a88fa1..fe91700 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -579,6 +953,8 @@ optional_policy(`
+@@ -588,6 +963,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -134779,7 +134634,7 @@ index 4a88fa1..fe91700 100644
')
optional_policy(`
-@@ -600,6 +976,7 @@ optional_policy(`
+@@ -609,6 +986,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -134787,7 +134642,7 @@ index 4a88fa1..fe91700 100644
')
optional_policy(`
-@@ -612,6 +989,17 @@ optional_policy(`
+@@ -625,6 +1003,17 @@ optional_policy(`
')
optional_policy(`
@@ -134805,7 +134660,7 @@ index 4a88fa1..fe91700 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -628,9 +1016,13 @@ optional_policy(`
+@@ -641,9 +1030,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -134819,7 +134674,7 @@ index 4a88fa1..fe91700 100644
')
optional_policy(`
-@@ -655,6 +1047,10 @@ optional_policy(`
+@@ -668,6 +1061,10 @@ optional_policy(`
')
optional_policy(`
@@ -134830,7 +134685,7 @@ index 4a88fa1..fe91700 100644
gpm_setattr_gpmctl(initrc_t)
')
-@@ -672,6 +1068,15 @@ optional_policy(`
+@@ -685,6 +1082,15 @@ optional_policy(`
')
optional_policy(`
@@ -134846,7 +134701,7 @@ index 4a88fa1..fe91700 100644
inn_exec_config(initrc_t)
')
-@@ -712,6 +1117,7 @@ optional_policy(`
+@@ -725,6 +1131,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@@ -134854,7 +134709,7 @@ index 4a88fa1..fe91700 100644
')
optional_policy(`
-@@ -729,7 +1135,14 @@ optional_policy(`
+@@ -742,7 +1149,14 @@ optional_policy(`
')
optional_policy(`
@@ -134869,7 +134724,7 @@ index 4a88fa1..fe91700 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -752,6 +1165,10 @@ optional_policy(`
+@@ -765,6 +1179,10 @@ optional_policy(`
')
optional_policy(`
@@ -134880,7 +134735,7 @@ index 4a88fa1..fe91700 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -761,10 +1178,20 @@ optional_policy(`
+@@ -774,10 +1192,20 @@ optional_policy(`
')
optional_policy(`
@@ -134901,7 +134756,7 @@ index 4a88fa1..fe91700 100644
quota_manage_flags(initrc_t)
')
-@@ -773,6 +1200,10 @@ optional_policy(`
+@@ -786,6 +1214,10 @@ optional_policy(`
')
optional_policy(`
@@ -134912,7 +134767,7 @@ index 4a88fa1..fe91700 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -794,8 +1225,6 @@ optional_policy(`
+@@ -807,8 +1239,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -134921,7 +134776,7 @@ index 4a88fa1..fe91700 100644
')
optional_policy(`
-@@ -804,6 +1233,10 @@ optional_policy(`
+@@ -817,6 +1247,10 @@ optional_policy(`
')
optional_policy(`
@@ -134932,7 +134787,7 @@ index 4a88fa1..fe91700 100644
# shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t)
')
-@@ -813,10 +1246,12 @@ optional_policy(`
+@@ -826,10 +1260,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@@ -134945,24 +134800,15 @@ index 4a88fa1..fe91700 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -828,8 +1263,6 @@ optional_policy(`
- ')
-
- optional_policy(`
-- udev_rw_db(initrc_t)
-- udev_generic_pid_filetrans_run_dirs(initrc_t, "udev")
- udev_manage_pid_files(initrc_t)
- udev_manage_pid_dirs(initrc_t)
- udev_manage_rules_files(initrc_t)
-@@ -840,12 +1273,30 @@ optional_policy(`
+@@ -856,12 +1292,31 @@ optional_policy(`
')
optional_policy(`
-- virt_stream_connect(initrc_t)
-- virt_manage_svirt_cache(initrc_t)
+ virt_manage_pid_dirs(initrc_t)
+ virt_manage_cache(initrc_t)
+ virt_manage_lib_files(initrc_t)
+ virt_stream_connect(initrc_t)
+- virt_manage_virt_cache(initrc_t)
+')
+
+# Cron jobs used to start and stop services
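Review bot: Dropping the nested hunk that removed `udev_rw_db(initrc_t)` and `udev_generic_pid_filetrans_run_dirs(initrc_t, "udev")` from initrc.te silently widens what initrc_t may do unless those two calls are also gone from the upstream base, and nothing in this hunk shows which is the case. If upstream still carries them, init scripts regain write access to the udev database and a named transition into the udev run directory that the previous Fedora patch deliberately stripped. Please confirm against the current upstream initrc.te before merging, or re-add the two `-` lines to the patch. The enclosing virt `optional_policy` block continues outside this hunk, so whether both `virt_manage_cache` and the removed `virt_manage_virt_cache` are meant to coexist cannot be judged from here either.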
@@ -134987,7 +134833,7 @@ index 4a88fa1..fe91700 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -855,6 +1306,18 @@ optional_policy(`
+@@ -871,6 +1326,18 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -135006,7 +134852,7 @@ index 4a88fa1..fe91700 100644
')
optional_policy(`
-@@ -870,6 +1333,10 @@ optional_policy(`
+@@ -886,6 +1353,10 @@ optional_policy(`
')
optional_policy(`
@@ -135017,7 +134863,7 @@ index 4a88fa1..fe91700 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -880,3 +1347,185 @@ optional_policy(`
+@@ -896,3 +1367,185 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -135203,22 +135049,6 @@ index 4a88fa1..fe91700 100644
+ allow daemon direct_run_init:process sigchld;
+ allow direct_run_init direct_init_entry:file { getattr open read execute };
+')
-diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
-index ec85acb..662e79b 100644
---- a/policy/modules/system/ipsec.fc
-+++ b/policy/modules/system/ipsec.fc
-@@ -27,11 +27,6 @@
- /usr/libexec/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0)
- /usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
-
--/usr/local/lib(64)?/ipsec/eroute -- gen_context(system_u:object_r:ipsec_exec_t,s0)
--/usr/local/lib(64)?/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0)
--/usr/local/lib(64)?/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0)
--/usr/local/lib(64)?/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0)
--
- /usr/sbin/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
- /usr/sbin/racoon -- gen_context(system_u:object_r:racoon_exec_t,s0)
- /usr/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0)
diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if
index 0d4c8d3..9d66bf7 100644
--- a/policy/modules/system/ipsec.if
@@ -135256,7 +135086,7 @@ index 0d4c8d3..9d66bf7 100644
########################################
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index a30840c..77206a0 100644
+index 9e54bf9..ed744d2 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -73,13 +73,15 @@ role system_r types setkey_t;
@@ -135276,15 +135106,7 @@ index a30840c..77206a0 100644
allow ipsec_t ipsec_initrc_exec_t:file read_file_perms;
-@@ -113,6 +115,7 @@ allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
- allow ipsec_mgmt_t ipsec_t:process { rlimitinh sigchld };
-
- kernel_read_kernel_sysctls(ipsec_t)
-+kernel_read_net_sysctls(ipsec_t)
- kernel_list_proc(ipsec_t)
- kernel_read_proc_symlinks(ipsec_t)
- # allow pluto to access /proc/net/ipsec_eroute;
-@@ -127,20 +130,21 @@ corecmd_exec_shell(ipsec_t)
+@@ -128,20 +130,21 @@ corecmd_exec_shell(ipsec_t)
corecmd_exec_bin(ipsec_t)
# Pluto needs network access
@@ -135313,7 +135135,7 @@ index a30840c..77206a0 100644
dev_read_sysfs(ipsec_t)
dev_read_rand(ipsec_t)
-@@ -156,6 +160,8 @@ files_dontaudit_search_home(ipsec_t)
+@@ -157,6 +160,8 @@ files_dontaudit_search_home(ipsec_t)
fs_getattr_all_fs(ipsec_t)
fs_search_auto_mountpoints(ipsec_t)
@@ -135322,7 +135144,7 @@ index a30840c..77206a0 100644
term_use_console(ipsec_t)
term_dontaudit_use_all_ttys(ipsec_t)
-@@ -164,11 +170,13 @@ auth_use_nsswitch(ipsec_t)
+@@ -165,11 +170,13 @@ auth_use_nsswitch(ipsec_t)
init_use_fds(ipsec_t)
init_use_script_ptys(ipsec_t)
@@ -135337,7 +135159,7 @@ index a30840c..77206a0 100644
userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
userdom_dontaudit_search_user_home_dirs(ipsec_t)
-@@ -186,9 +194,9 @@ optional_policy(`
+@@ -187,9 +194,9 @@ optional_policy(`
# ipsec_mgmt Local policy
#
@@ -135350,7 +135172,7 @@ index a30840c..77206a0 100644
allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
allow ipsec_mgmt_t self:udp_socket create_socket_perms;
-@@ -245,6 +253,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
+@@ -246,6 +253,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
kernel_getattr_core_if(ipsec_mgmt_t)
kernel_getattr_message_if(ipsec_mgmt_t)
@@ -135367,7 +135189,7 @@ index a30840c..77206a0 100644
files_read_kernel_symbol_table(ipsec_mgmt_t)
files_getattr_kernel_modules(ipsec_mgmt_t)
-@@ -254,6 +272,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
+@@ -255,6 +272,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
corecmd_exec_bin(ipsec_mgmt_t)
corecmd_exec_shell(ipsec_mgmt_t)
@@ -135376,7 +135198,7 @@ index a30840c..77206a0 100644
dev_read_rand(ipsec_mgmt_t)
dev_read_urand(ipsec_mgmt_t)
-@@ -277,9 +297,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
+@@ -278,9 +297,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
fs_list_tmpfs(ipsec_mgmt_t)
term_use_console(ipsec_mgmt_t)
@@ -135388,7 +135210,7 @@ index a30840c..77206a0 100644
init_read_utmp(ipsec_mgmt_t)
init_use_script_ptys(ipsec_mgmt_t)
-@@ -289,15 +310,16 @@ init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
+@@ -290,15 +310,16 @@ init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
logging_send_syslog_msg(ipsec_mgmt_t)
@@ -135410,7 +135232,7 @@ index a30840c..77206a0 100644
optional_policy(`
consoletype_exec(ipsec_mgmt_t)
-@@ -369,13 +391,12 @@ kernel_request_load_module(racoon_t)
+@@ -370,13 +391,12 @@ kernel_request_load_module(racoon_t)
corecmd_exec_shell(racoon_t)
corecmd_exec_bin(racoon_t)
@@ -135430,7 +135252,7 @@ index a30840c..77206a0 100644
corenet_udp_bind_isakmp_port(racoon_t)
corenet_udp_bind_ipsecnat_port(racoon_t)
-@@ -400,10 +421,11 @@ locallogin_use_fds(racoon_t)
+@@ -401,10 +421,11 @@ locallogin_use_fds(racoon_t)
logging_send_syslog_msg(racoon_t)
logging_send_audit_msgs(racoon_t)
@@ -135443,7 +135265,7 @@ index a30840c..77206a0 100644
auth_can_read_shadow_passwords(racoon_t)
tunable_policy(`racoon_read_shadow',`
auth_tunable_read_shadow(racoon_t)
-@@ -437,9 +459,9 @@ corenet_setcontext_all_spds(setkey_t)
+@@ -438,9 +459,9 @@ corenet_setcontext_all_spds(setkey_t)
locallogin_use_fds(setkey_t)
@@ -135456,7 +135278,7 @@ index a30840c..77206a0 100644
+userdom_read_user_tmp_files(setkey_t)
diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
-index 14cffd2..5effebe 100644
+index 1b93eb7..5effebe 100644
--- a/policy/modules/system/iptables.fc
+++ b/policy/modules/system/iptables.fc
@@ -1,7 +1,8 @@
@@ -135471,13 +135293,14 @@ index 14cffd2..5effebe 100644
/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0)
/sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
-@@ -14,7 +15,13 @@
+@@ -14,8 +15,13 @@
/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
+-/usr/sbin/ipset -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/sbin/iptables -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/sbin/iptables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/sbin/iptables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
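Review bot: The new `-/usr/sbin/ipset -- gen_context(system_u:object_r:iptables_exec_t,s0)` line strips the label upstream just added, so ipset falls back to the generic `/usr/sbin` label unless another entry in this fc file matches it, and nothing in the hunk shows one. Without an iptables_exec_t label a domain that runs `ipset` expecting the usual transition into iptables_t instead executes it in its own context, with whatever netlink and firewall access that caller happens to have. If the intent is that Fedora's own `/sbin/ipset` entry covers the merged `/usr/sbin` path, please verify that pattern exists in the patched file; otherwise keep the upstream line or add `/usr/sbin/ipset -- gen_context(system_u:object_r:iptables_exec_t,s0)` beside the ebtables entries added here. The nested fc hunk continues past the end of this outer hunk.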
@@ -135559,10 +135382,10 @@ index c42fbc3..7071460 100644
## <summary>
## Set the attributes of iptables config files.
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
-index 0646ee7..da1337a 100644
+index 5dfa44b..16d64ad 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
-@@ -5,26 +5,27 @@ policy_module(iptables, 1.13.0)
+@@ -5,26 +5,27 @@ policy_module(iptables, 1.13.1)
# Declarations
#
@@ -135697,7 +135520,7 @@ index 0646ee7..da1337a 100644
')
diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
-index ef8bbaf..a21d5fe 100644
+index 73bb3c0..e6fa600 100644
--- a/policy/modules/system/libraries.fc
+++ b/policy/modules/system/libraries.fc
@@ -1,3 +1,4 @@
@@ -135762,8 +135585,8 @@ index ef8bbaf..a21d5fe 100644
+/usr/lib/(sse2/)?libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/altivec/libavcodec\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/cedega/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib/vlc/video_chroma/libi420_rgb_mmx_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -140,6 +149,8 @@ ifdef(`distro_redhat',`
+ /usr/lib/dovecot/(.*/)?lib.*\.so.* -- gen_context(system_u:object_r:lib_t,s0)
+@@ -141,6 +150,8 @@ ifdef(`distro_redhat',`
/usr/lib/ati-fglrx/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/fglrx/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -135772,7 +135595,7 @@ index ef8bbaf..a21d5fe 100644
/usr/lib/sse2/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -147,12 +158,11 @@ ifdef(`distro_redhat',`
+@@ -148,12 +159,11 @@ ifdef(`distro_redhat',`
/usr/lib/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -135788,7 +135611,7 @@ index ef8bbaf..a21d5fe 100644
/usr/NX/lib/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/NX/lib/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -181,11 +191,13 @@ ifdef(`distro_redhat',`
+@@ -182,11 +192,13 @@ ifdef(`distro_redhat',`
# Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
# HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -135802,14 +135625,13 @@ index ef8bbaf..a21d5fe 100644
/usr/lib/libfglrx_gamma\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/mozilla/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/mozilla/plugins/libvlcplugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -240,14 +252,10 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_
+@@ -241,13 +253,10 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_
# Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
/usr/lib.*/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/local(/.*)?/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
--/usr/local/lib/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-HOME_DIR/.*/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -135818,7 +135640,7 @@ index ef8bbaf..a21d5fe 100644
# Jai, Sun Microsystems (Jpackage SPRM)
/usr/lib/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -269,20 +277,19 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
+@@ -269,20 +278,19 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
# Java, Sun Microsystems (JPackage SRPM)
/usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -135849,7 +135671,7 @@ index ef8bbaf..a21d5fe 100644
/usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -299,17 +306,151 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
+@@ -299,17 +307,151 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
#
/var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0)
@@ -136171,7 +135993,7 @@ index 808ba93..7b506f2 100644
+ files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload~")
+')
diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
-index ad01883..a003fa8 100644
+index 23a645e..1982e9c 100644
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
@@ -32,14 +32,14 @@ files_tmp_file(ldconfig_tmp_t)
@@ -136356,7 +136178,7 @@ index 0e3c2a9..40adf5a 100644
+')
+
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
-index 9fd5be7..7e2a02e 100644
+index c04ac46..b123de6 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -13,9 +13,8 @@ auth_login_entry_type(local_login_t)
@@ -136416,7 +136238,7 @@ index 9fd5be7..7e2a02e 100644
dev_dontaudit_getattr_apm_bios_dev(local_login_t)
dev_dontaudit_setattr_apm_bios_dev(local_login_t)
dev_dontaudit_read_framebuffer(local_login_t)
-@@ -117,16 +123,19 @@ term_relabel_unallocated_ttys(local_login_t)
+@@ -117,16 +123,18 @@ term_relabel_unallocated_ttys(local_login_t)
term_relabel_all_ttys(local_login_t)
term_setattr_all_ttys(local_login_t)
term_setattr_unallocated_ttys(local_login_t)
@@ -136426,7 +136248,6 @@ index 9fd5be7..7e2a02e 100644
auth_rw_login_records(local_login_t)
auth_rw_faillog(local_login_t)
-auth_manage_pam_pid(local_login_t)
-+#auth_manage_pam_pid(local_login_t)
auth_manage_pam_console_data(local_login_t)
auth_domtrans_pam_console(local_login_t)
+auth_use_nsswitch(local_login_t)
@@ -136438,7 +136259,7 @@ index 9fd5be7..7e2a02e 100644
userdom_spec_domtrans_all_users(local_login_t)
userdom_signal_all_users(local_login_t)
-@@ -141,19 +150,19 @@ ifdef(`distro_ubuntu',`
+@@ -141,19 +149,19 @@ ifdef(`distro_ubuntu',`
')
')
@@ -136466,7 +136287,7 @@ index 9fd5be7..7e2a02e 100644
')
optional_policy(`
-@@ -177,14 +186,6 @@ optional_policy(`
+@@ -177,14 +185,6 @@ optional_policy(`
')
optional_policy(`
@@ -136474,14 +136295,14 @@ index 9fd5be7..7e2a02e 100644
-')
-
-optional_policy(`
-- nscd_socket_use(local_login_t)
+- nscd_use(local_login_t)
-')
-
-optional_policy(`
unconfined_shell_domtrans(local_login_t)
')
-@@ -215,6 +216,7 @@ allow sulogin_t self:sem create_sem_perms;
+@@ -215,6 +215,7 @@ allow sulogin_t self:sem create_sem_perms;
allow sulogin_t self:msgq create_msgq_perms;
allow sulogin_t self:msg { send receive };
@@ -136489,7 +136310,7 @@ index 9fd5be7..7e2a02e 100644
kernel_read_system_state(sulogin_t)
fs_search_auto_mountpoints(sulogin_t)
-@@ -223,13 +225,16 @@ fs_rw_tmpfs_chr_files(sulogin_t)
+@@ -223,13 +224,16 @@ fs_rw_tmpfs_chr_files(sulogin_t)
files_read_etc_files(sulogin_t)
# because file systems are not mounted:
files_dontaudit_search_isid_type_dirs(sulogin_t)
@@ -136506,7 +136327,7 @@ index 9fd5be7..7e2a02e 100644
seutil_read_config(sulogin_t)
seutil_read_default_contexts(sulogin_t)
-@@ -238,14 +243,24 @@ userdom_use_unpriv_users_fds(sulogin_t)
+@@ -238,14 +242,24 @@ userdom_use_unpriv_users_fds(sulogin_t)
userdom_search_user_home_dirs(sulogin_t)
userdom_use_user_ptys(sulogin_t)
@@ -136533,7 +136354,7 @@ index 9fd5be7..7e2a02e 100644
init_getpgid(sulogin_t)
', `
allow sulogin_t self:process setexec;
-@@ -256,11 +271,3 @@ ifdef(`sulogin_no_pam', `
+@@ -256,11 +270,3 @@ ifdef(`sulogin_no_pam', `
selinux_compute_relabel_context(sulogin_t)
selinux_compute_user_contexts(sulogin_t)
')
@@ -136543,10 +136364,10 @@ index 9fd5be7..7e2a02e 100644
-')
-
-optional_policy(`
-- nscd_socket_use(sulogin_t)
+- nscd_use(sulogin_t)
-')
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
-index 02f4c97..70248c6 100644
+index b50c5fe..286351e 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -2,10 +2,13 @@
@@ -136588,22 +136409,16 @@ index 02f4c97..70248c6 100644
/usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+/usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+ /var/lib/misc/syslog-ng.persist-? -- gen_context(system_u:object_r:syslogd_var_lib_t,s0)
/var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0)
- /var/lib/r?syslog(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0)
-@@ -34,11 +50,10 @@ ifdef(`distro_suse', `
-
- /var/axfrdns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
- /var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
--/var/cfengine/outputs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
-+#/var/cfengine/outputs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+@@ -38,13 +54,14 @@ ifdef(`distro_suse', `
/var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
/var/log/.* gen_context(system_u:object_r:var_log_t,s0)
-/var/log/boot\.log -- gen_context(system_u:object_r:var_log_t,mls_systemhigh)
/var/log/messages[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
/var/log/secure[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
- /var/log/cron[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
-@@ -46,6 +61,8 @@ ifdef(`distro_suse', `
+ /var/log/maillog[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
/var/log/spooler[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
/var/log/audit(/.*)? gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
/var/log/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
@@ -136612,7 +136427,7 @@ index 02f4c97..70248c6 100644
ifndef(`distro_gentoo',`
/var/log/audit\.log -- gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
-@@ -54,6 +71,7 @@ ifndef(`distro_gentoo',`
+@@ -53,6 +70,7 @@ ifndef(`distro_gentoo',`
ifdef(`distro_redhat',`
/var/named/chroot/var/log -d gen_context(system_u:object_r:var_log_t,s0)
/var/named/chroot/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
@@ -136620,7 +136435,7 @@ index 02f4c97..70248c6 100644
')
/var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh)
-@@ -66,11 +84,16 @@ ifdef(`distro_redhat',`
+@@ -65,11 +83,16 @@ ifdef(`distro_redhat',`
/var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
/var/run/syslog-ng.ctl -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
/var/run/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0)
@@ -136639,7 +136454,7 @@ index 02f4c97..70248c6 100644
+/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
-index 321bb13..3638d50 100644
+index 4e94884..23894f4 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -233,7 +233,7 @@ interface(`logging_run_auditd',`
@@ -136827,7 +136642,7 @@ index 321bb13..3638d50 100644
')
########################################
-@@ -739,7 +864,25 @@ interface(`logging_append_all_logs',`
+@@ -776,7 +901,25 @@ interface(`logging_append_all_logs',`
')
files_search_var($1)
@@ -136854,7 +136669,7 @@ index 321bb13..3638d50 100644
')
########################################
-@@ -822,7 +965,7 @@ interface(`logging_manage_all_logs',`
+@@ -859,7 +1002,7 @@ interface(`logging_manage_all_logs',`
files_search_var($1)
manage_files_pattern($1, logfile, logfile)
@@ -136863,7 +136678,7 @@ index 321bb13..3638d50 100644
')
########################################
-@@ -848,6 +991,44 @@ interface(`logging_read_generic_logs',`
+@@ -885,6 +1028,44 @@ interface(`logging_read_generic_logs',`
########################################
## <summary>
@@ -136908,7 +136723,7 @@ index 321bb13..3638d50 100644
## Write generic log files.
## </summary>
## <param name="domain">
-@@ -868,6 +1049,24 @@ interface(`logging_write_generic_logs',`
+@@ -905,6 +1086,24 @@ interface(`logging_write_generic_logs',`
########################################
## <summary>
@@ -136933,7 +136748,7 @@ index 321bb13..3638d50 100644
## Dontaudit Write generic log files.
## </summary>
## <param name="domain">
-@@ -947,11 +1146,16 @@ interface(`logging_admin_audit',`
+@@ -984,11 +1183,16 @@ interface(`logging_admin_audit',`
type auditd_t, auditd_etc_t, auditd_log_t;
type auditd_var_run_t;
type auditd_initrc_exec_t;
@@ -136951,7 +136766,7 @@ index 321bb13..3638d50 100644
manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t)
manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
-@@ -967,6 +1171,33 @@ interface(`logging_admin_audit',`
+@@ -1004,6 +1208,33 @@ interface(`logging_admin_audit',`
domain_system_change_exemption($1)
role_transition $2 auditd_initrc_exec_t system_r;
allow $2 system_r;
@@ -136985,7 +136800,7 @@ index 321bb13..3638d50 100644
')
########################################
-@@ -995,10 +1226,15 @@ interface(`logging_admin_syslog',`
+@@ -1032,10 +1263,15 @@ interface(`logging_admin_syslog',`
type syslogd_initrc_exec_t;
')
@@ -137003,7 +136818,7 @@ index 321bb13..3638d50 100644
manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t)
manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t)
-@@ -1020,6 +1256,8 @@ interface(`logging_admin_syslog',`
+@@ -1057,6 +1293,8 @@ interface(`logging_admin_syslog',`
manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
logging_manage_all_logs($1)
@@ -137012,7 +136827,7 @@ index 321bb13..3638d50 100644
init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -1048,3 +1286,29 @@ interface(`logging_admin',`
+@@ -1085,3 +1323,29 @@ interface(`logging_admin',`
logging_admin_audit($1, $2)
logging_admin_syslog($1, $2)
')
@@ -137043,10 +136858,10 @@ index 321bb13..3638d50 100644
+ init_named_pid_filetrans($1, syslogd_var_run_t, dir, "journal")
+')
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 0034021..c62bd95 100644
+index 39ea221..37275c3 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
-@@ -4,6 +4,21 @@ policy_module(logging, 1.19.0)
+@@ -4,6 +4,21 @@ policy_module(logging, 1.19.6)
#
# Declarations
#
@@ -137324,8 +137139,8 @@ index 0034021..c62bd95 100644
files_read_etc_files(syslogd_t)
files_read_usr_files(syslogd_t)
-@@ -441,14 +511,18 @@ files_dontaudit_search_isid_type_dirs(syslogd_t)
- files_read_kernel_symbol_table(syslogd_t)
+@@ -442,14 +512,18 @@ files_read_kernel_symbol_table(syslogd_t)
+ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
fs_getattr_all_fs(syslogd_t)
+fs_rw_tmpfs_files(syslogd_t)
@@ -137343,7 +137158,7 @@ index 0034021..c62bd95 100644
# for sending messages to logged in users
init_read_utmp(syslogd_t)
init_dontaudit_write_utmp(syslogd_t)
-@@ -460,11 +534,11 @@ init_use_fds(syslogd_t)
+@@ -461,11 +535,11 @@ init_use_fds(syslogd_t)
# cjp: this doesnt make sense
logging_send_syslog_msg(syslogd_t)
@@ -137357,7 +137172,7 @@ index 0034021..c62bd95 100644
ifdef(`distro_gentoo',`
# default gentoo syslog-ng config appends kernel
-@@ -493,15 +567,36 @@ optional_policy(`
+@@ -502,15 +576,36 @@ optional_policy(`
')
optional_policy(`
@@ -137394,7 +137209,7 @@ index 0034021..c62bd95 100644
')
optional_policy(`
-@@ -512,3 +607,24 @@ optional_policy(`
+@@ -521,3 +616,24 @@ optional_policy(`
# log to the xconsole
xserver_rw_console(syslogd_t)
')
@@ -137639,7 +137454,7 @@ index 58bc27f..51e9872 100644
+ allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms;
+')
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
-index f8eeecd..0d42470 100644
+index e8c59a5..66465b0 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t)
@@ -137717,18 +137532,15 @@ index f8eeecd..0d42470 100644
allow lvm_t self:file rw_file_perms;
allow lvm_t self:fifo_file manage_fifo_file_perms;
allow lvm_t self:unix_dgram_socket create_socket_perms;
-@@ -191,8 +200,9 @@ read_lnk_files_pattern(lvm_t, lvm_exec_t, lvm_exec_t)
+@@ -191,6 +200,7 @@ read_lnk_files_pattern(lvm_t, lvm_exec_t, lvm_exec_t)
can_exec(lvm_t, lvm_exec_t)
# Creating lock files
+manage_dirs_pattern(lvm_t, lvm_lock_t, lvm_lock_t)
manage_files_pattern(lvm_t, lvm_lock_t, lvm_lock_t)
--files_lock_filetrans(lvm_t, lvm_lock_t, file)
-+files_lock_filetrans(lvm_t, lvm_lock_t, { file dir })
-
- manage_dirs_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
- manage_files_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
-@@ -200,8 +210,9 @@ files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file })
+ create_dirs_pattern(lvm_t, lvm_lock_t, lvm_lock_t)
+ files_lock_filetrans(lvm_t, lvm_lock_t, file)
+@@ -202,8 +212,9 @@ files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file })
manage_dirs_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
manage_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
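Review bot: The merge drops the patch's `files_lock_filetrans(lvm_t, lvm_lock_t, { file dir })` and leaves upstream's `files_lock_filetrans(lvm_t, lvm_lock_t, file)` next to the newly added `manage_dirs_pattern(lvm_t, lvm_lock_t, lvm_lock_t)`, so lvm_t may now create directories under the lock directory but any directory it creates there inherits the parent's label instead of lvm_lock_t, unless a dir transition exists elsewhere in lvm.te that this hunk does not show. Such a mislabelled lock subdirectory would be outside the lvm_lock_t rules and potentially reachable by any domain with generic lock-directory access. If the directory transition is still wanted, keep it in the patch as `-files_lock_filetrans(lvm_t, lvm_lock_t, file)` / `+files_lock_filetrans(lvm_t, lvm_lock_t, { file dir })`. As a minor point, `manage_dirs_pattern` already grants create, so upstream's `create_dirs_pattern(lvm_t, lvm_lock_t, lvm_lock_t)` becomes redundant once this line is added.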
@@ -137739,7 +137551,7 @@ index f8eeecd..0d42470 100644
read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
-@@ -213,11 +224,13 @@ files_search_mnt(lvm_t)
+@@ -215,11 +226,13 @@ files_search_mnt(lvm_t)
kernel_get_sysvipc_info(lvm_t)
kernel_read_system_state(lvm_t)
@@ -137753,7 +137565,7 @@ index f8eeecd..0d42470 100644
kernel_search_debugfs(lvm_t)
corecmd_exec_bin(lvm_t)
-@@ -228,11 +241,13 @@ dev_delete_generic_dirs(lvm_t)
+@@ -230,11 +243,13 @@ dev_delete_generic_dirs(lvm_t)
dev_read_rand(lvm_t)
dev_read_urand(lvm_t)
dev_rw_lvm_control(lvm_t)
@@ -137768,7 +137580,7 @@ index f8eeecd..0d42470 100644
# cjp: this has no effect since LVM does not
# have lnk_file relabelto for anything else.
# perhaps this should be blk_files?
-@@ -244,6 +259,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t)
+@@ -246,6 +261,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t)
dev_dontaudit_getattr_generic_blk_files(lvm_t)
dev_dontaudit_getattr_generic_pipes(lvm_t)
dev_create_generic_dirs(lvm_t)
@@ -137776,7 +137588,7 @@ index f8eeecd..0d42470 100644
domain_use_interactive_fds(lvm_t)
domain_read_all_domains_state(lvm_t)
-@@ -253,17 +269,21 @@ files_read_etc_files(lvm_t)
+@@ -255,17 +271,21 @@ files_read_etc_files(lvm_t)
files_read_etc_runtime_files(lvm_t)
# for when /usr is not mounted:
files_dontaudit_search_isid_type_dirs(lvm_t)
@@ -137799,7 +137611,7 @@ index f8eeecd..0d42470 100644
selinux_get_fs_mount(lvm_t)
selinux_validate_context(lvm_t)
-@@ -283,7 +303,7 @@ storage_dev_filetrans_fixed_disk(lvm_t)
+@@ -285,7 +305,7 @@ storage_dev_filetrans_fixed_disk(lvm_t)
# Access raw devices and old /dev/lvm (c 109,0). Is this needed?
storage_manage_fixed_disk(lvm_t)
@@ -137808,7 +137620,7 @@ index f8eeecd..0d42470 100644
init_use_fds(lvm_t)
init_dontaudit_getattr_initctl(lvm_t)
-@@ -291,15 +311,20 @@ init_use_script_ptys(lvm_t)
+@@ -293,15 +313,20 @@ init_use_script_ptys(lvm_t)
init_read_script_state(lvm_t)
logging_send_syslog_msg(lvm_t)
@@ -137830,7 +137642,7 @@ index f8eeecd..0d42470 100644
ifdef(`distro_redhat',`
# this is from the initrd:
-@@ -311,6 +336,11 @@ ifdef(`distro_redhat',`
+@@ -313,6 +338,11 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -137842,7 +137654,7 @@ index f8eeecd..0d42470 100644
bootloader_rw_tmp_files(lvm_t)
')
-@@ -331,14 +361,26 @@ optional_policy(`
+@@ -333,14 +363,26 @@ optional_policy(`
')
optional_policy(`
@@ -137870,7 +137682,7 @@ index f8eeecd..0d42470 100644
')
diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
-index fe3427d..2410a4e 100644
+index 9fe8e01..6c86d76 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
@@ -9,8 +9,9 @@ ifdef(`distro_gentoo',`
@@ -137883,9 +137695,9 @@ index fe3427d..2410a4e 100644
+/etc/localtime gen_context(system_u:object_r:locale_t,s0)
+/etc/locale.conf -- gen_context(system_u:object_r:locale_t,s0)
/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
+ /etc/ssl(/.*)? gen_context(system_u:object_r:cert_t,s0)
/etc/timezone -- gen_context(system_u:object_r:locale_t,s0)
-
-@@ -36,11 +37,6 @@ ifdef(`distro_redhat',`
+@@ -37,11 +38,6 @@ ifdef(`distro_redhat',`
/usr/lib/perl5/man(/.*)? gen_context(system_u:object_r:man_t,s0)
@@ -137896,12 +137708,12 @@ index fe3427d..2410a4e 100644
-
/usr/man(/.*)? gen_context(system_u:object_r:man_t,s0)
- /usr/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
-@@ -75,8 +71,9 @@ ifdef(`distro_redhat',`
+ /usr/share/ca-certificates(/.*)? gen_context(system_u:object_r:cert_t,s0)
+@@ -77,8 +73,9 @@ ifdef(`distro_redhat',`
/var/cache/fontconfig(/.*)? gen_context(system_u:object_r:fonts_cache_t,s0)
/var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
--/var/cache/man(/.*)? gen_context(system_u:object_r:man_t,s0)
+-/var/cache/man(/.*)? gen_context(system_u:object_r:man_cache_t,s0)
+
+/var/named/chroot/etc/localtime -- gen_context(system_u:object_r:cert_t,s0)
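Review bot: `/var/named/chroot/etc/localtime` is labelled `cert_t` here, while `/etc/localtime` itself is `locale_t` earlier in this same miscfiles.fc section; a timezone file copied into the named chroot is not certificate material, so the chroot copy should read `/var/named/chroot/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)`. With the current label a domain that may only read `locale_t` cannot read this copy, and any domain allowed to manage `cert_t` gains write access to a file that is not a certificate. This line appears to be outer-diff context rather than new in this commit (the list rendering has stripped the leading marker column, so the side is inferred), but it is part of the patched file and is worth correcting while the hunk is being touched.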
@@ -137909,7 +137721,7 @@ index fe3427d..2410a4e 100644
/var/spool/abrt-upload(/.*)? gen_context(system_u:object_r:public_content_rw_t,s0)
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
-index 926ba65..9cac7b3 100644
+index fc28bc3..01b8523 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -106,6 +106,24 @@ interface(`miscfiles_manage_generic_cert_dirs',`
@@ -137962,9 +137774,9 @@ index 926ba65..9cac7b3 100644
')
@@ -531,6 +550,10 @@ interface(`miscfiles_read_man_pages',`
- allow $1 man_t:dir list_dir_perms;
- read_files_pattern($1, man_t, man_t)
- read_lnk_files_pattern($1, man_t, man_t)
+ allow $1 { man_cache_t man_t }:dir list_dir_perms;
+ read_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
+ read_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
+
+ optional_policy(`
+ mandb_read_cache_files($1)
@@ -137972,11 +137784,10 @@ index 926ba65..9cac7b3 100644
')
########################################
-@@ -557,6 +580,11 @@ interface(`miscfiles_delete_man_pages',`
- delete_dirs_pattern($1, man_t, man_t)
- delete_files_pattern($1, man_t, man_t)
- delete_lnk_files_pattern($1, man_t, man_t)
-+
+@@ -554,6 +577,10 @@ interface(`miscfiles_delete_man_pages',`
+ delete_dirs_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
+ delete_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
+ delete_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
+ optional_policy(`
+ mandb_setattr_cache_dirs($1)
+ mandb_delete_cache($1)
@@ -137984,7 +137795,7 @@ index 926ba65..9cac7b3 100644
')
########################################
-@@ -582,6 +610,30 @@ interface(`miscfiles_manage_man_pages',`
+@@ -622,6 +649,30 @@ interface(`miscfiles_manage_man_cache',`
########################################
## <summary>
@@ -138015,7 +137826,7 @@ index 926ba65..9cac7b3 100644
## Read public files used for file
## transfer services.
## </summary>
-@@ -744,8 +796,10 @@ interface(`miscfiles_etc_filetrans_localization',`
+@@ -784,8 +835,10 @@ interface(`miscfiles_etc_filetrans_localization',`
type locale_t;
')
@@ -138028,7 +137839,7 @@ index 926ba65..9cac7b3 100644
')
########################################
-@@ -769,3 +823,43 @@ interface(`miscfiles_manage_localization',`
+@@ -809,3 +862,43 @@ interface(`miscfiles_manage_localization',`
manage_lnk_files_pattern($1, locale_t, locale_t)
')
@@ -138073,10 +137884,10 @@ index 926ba65..9cac7b3 100644
+ files_var_filetrans($1, public_content_t, dir, "ftp")
+')
diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
-index 622fb4f..69b6fef 100644
+index d6293de..3225647 100644
--- a/policy/modules/system/miscfiles.te
+++ b/policy/modules/system/miscfiles.te
-@@ -4,7 +4,6 @@ policy_module(miscfiles, 1.10.0)
+@@ -4,7 +4,6 @@ policy_module(miscfiles, 1.10.2)
#
# Declarations
#
@@ -138085,15 +137896,13 @@ index 622fb4f..69b6fef 100644
#
diff --git a/policy/modules/system/modutils.fc b/policy/modules/system/modutils.fc
-index 2410551..e5026a9 100644
+index 9933677..b155a0d 100644
--- a/policy/modules/system/modutils.fc
+++ b/policy/modules/system/modutils.fc
-@@ -20,3 +20,15 @@ ifdef(`distro_gentoo',`
- /sbin/modules-update -- gen_context(system_u:object_r:update_modules_exec_t,s0)
- /sbin/rmmod.* -- gen_context(system_u:object_r:insmod_exec_t,s0)
+@@ -23,3 +23,13 @@ ifdef(`distro_gentoo',`
/sbin/update-modules -- gen_context(system_u:object_r:update_modules_exec_t,s0)
-+
-+/usr/bin/kmod -- gen_context(system_u:object_r:insmod_exec_t,s0)
+
+ /usr/bin/kmod -- gen_context(system_u:object_r:insmod_exec_t,s0)
+
+/usr/sbin/depmod.* -- gen_context(system_u:object_r:depmod_exec_t,s0)
+/usr/sbin/generate-modprobe\.conf -- gen_context(system_u:object_r:update_modules_exec_t,s0)
@@ -138105,7 +137914,7 @@ index 2410551..e5026a9 100644
+
+/usr/lib/modules/modprobe\.conf -- gen_context(system_u:object_r:modules_conf_t,s0)
diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
-index 350c450..2debedc 100644
+index 7449974..6375786 100644
--- a/policy/modules/system/modutils.if
+++ b/policy/modules/system/modutils.if
@@ -12,7 +12,7 @@
@@ -138162,7 +137971,7 @@ index 350c450..2debedc 100644
## Read the configuration options used when
## loading modules.
## </summary>
-@@ -307,11 +345,18 @@ interface(`modutils_domtrans_update_mods',`
+@@ -308,11 +346,18 @@ interface(`modutils_domtrans_update_mods',`
#
interface(`modutils_run_update_mods',`
gen_require(`
@@ -138183,7 +137992,7 @@ index 350c450..2debedc 100644
')
########################################
-@@ -332,3 +377,25 @@ interface(`modutils_exec_update_mods',`
+@@ -333,3 +378,25 @@ interface(`modutils_exec_update_mods',`
corecmd_search_bin($1)
can_exec($1, update_modules_exec_t)
')
@@ -138210,10 +138019,10 @@ index 350c450..2debedc 100644
+ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep.bin")
+')
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
-index b4ff2f7..0db04d2 100644
+index 7a49e28..7857f24 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
-@@ -5,7 +5,7 @@ policy_module(modutils, 1.13.0)
+@@ -5,7 +5,7 @@ policy_module(modutils, 1.13.3)
# Declarations
#
@@ -138427,7 +138236,7 @@ index b4ff2f7..0db04d2 100644
')
optional_policy(`
-- nscd_socket_use(insmod_t)
+- nscd_use(insmod_t)
+ mount_domtrans(insmod_t)
')
@@ -138786,10 +138595,10 @@ index 4584457..300c3f7 100644
+ domtrans_pattern($1, mount_ecryptfs_exec_t, mount_ecryptfs_t)
')
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index 63931f6..041c38f 100644
+index 6a50270..bd42591 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
-@@ -10,35 +10,60 @@ policy_module(mount, 1.15.0)
+@@ -10,35 +10,60 @@ policy_module(mount, 1.15.1)
## Allow the mount command to mount any directory or file.
## </p>
## </desc>
@@ -139087,11 +138896,10 @@ index 63931f6..041c38f 100644
ifdef(`hide_broken_symptoms',`
# for a bug in the X server
rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -193,21 +292,121 @@ optional_policy(`
- ')
+@@ -194,24 +293,124 @@ optional_policy(`
')
-+optional_policy(`
+ optional_policy(`
+ livecd_rw_tmp_files(mount_t)
+')
+
@@ -139120,6 +138928,10 @@ index 63931f6..041c38f 100644
+# rpc_run_rpcd(mount_t, mount_roles)
+#')
+
++optional_policy(`
+ puppet_rw_tmp(mount_t)
+ ')
+
# for kernel package installation
optional_policy(`
rpm_rw_pipes(mount_t)
@@ -140691,7 +140503,7 @@ index 346a7cc..1285089 100644
+
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
-index 41a1853..af08353 100644
+index 6944526..8f424e5 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -38,11 +38,47 @@ interface(`sysnet_domtrans_dhcpc',`
@@ -140857,30 +140669,10 @@ index 41a1853..af08353 100644
allow $1 dhcpc_var_run_t:file unlink;
')
-@@ -561,6 +675,45 @@ interface(`sysnet_signal_ifconfig',`
+@@ -580,6 +694,25 @@ interface(`sysnet_signull_ifconfig',`
########################################
## <summary>
-+## Send a null signal to ifconfig.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.pwd
-+
-+## </summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`sysnet_signull_ifconfig',`
-+ gen_require(`
-+ type ifconfig_t;
-+ ')
-+
-+ allow $1 ifconfig_t:process signull;
-+')
-+
-+########################################
-+## <summary>
+## Send a kill signal to iconfig.
+## </summary>
+## <param name="domain">
@@ -140903,7 +140695,7 @@ index 41a1853..af08353 100644
## Read the DHCP configuration files.
## </summary>
## <param name="domain">
-@@ -577,6 +730,7 @@ interface(`sysnet_read_dhcp_config',`
+@@ -596,6 +729,7 @@ interface(`sysnet_read_dhcp_config',`
files_search_etc($1)
allow $1 dhcp_etc_t:dir list_dir_perms;
read_files_pattern($1, dhcp_etc_t, dhcp_etc_t)
@@ -140911,7 +140703,7 @@ index 41a1853..af08353 100644
')
########################################
-@@ -662,8 +816,6 @@ interface(`sysnet_dns_name_resolve',`
+@@ -681,8 +815,6 @@ interface(`sysnet_dns_name_resolve',`
allow $1 self:udp_socket create_socket_perms;
allow $1 self:netlink_route_socket r_netlink_socket_perms;
@@ -140920,7 +140712,7 @@ index 41a1853..af08353 100644
corenet_tcp_sendrecv_generic_if($1)
corenet_udp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
-@@ -673,6 +825,8 @@ interface(`sysnet_dns_name_resolve',`
+@@ -692,6 +824,8 @@ interface(`sysnet_dns_name_resolve',`
corenet_tcp_connect_dns_port($1)
corenet_sendrecv_dns_client_packets($1)
@@ -140929,7 +140721,7 @@ index 41a1853..af08353 100644
sysnet_read_config($1)
optional_policy(`
-@@ -701,8 +855,6 @@ interface(`sysnet_use_ldap',`
+@@ -720,8 +854,6 @@ interface(`sysnet_use_ldap',`
allow $1 self:tcp_socket create_socket_perms;
@@ -140938,7 +140730,7 @@ index 41a1853..af08353 100644
corenet_tcp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
corenet_tcp_sendrecv_ldap_port($1)
-@@ -714,6 +866,9 @@ interface(`sysnet_use_ldap',`
+@@ -733,6 +865,9 @@ interface(`sysnet_use_ldap',`
dev_read_urand($1)
sysnet_read_config($1)
@@ -140948,7 +140740,7 @@ index 41a1853..af08353 100644
')
########################################
-@@ -735,7 +890,6 @@ interface(`sysnet_use_portmap',`
+@@ -754,7 +889,6 @@ interface(`sysnet_use_portmap',`
allow $1 self:udp_socket create_socket_perms;
corenet_all_recvfrom_unlabeled($1)
@@ -140956,7 +140748,7 @@ index 41a1853..af08353 100644
corenet_tcp_sendrecv_generic_if($1)
corenet_udp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
-@@ -747,3 +901,73 @@ interface(`sysnet_use_portmap',`
+@@ -766,3 +900,73 @@ interface(`sysnet_use_portmap',`
sysnet_read_config($1)
')
@@ -141031,10 +140823,10 @@ index 41a1853..af08353 100644
+ files_etc_filetrans($1, net_conf_t, file, "yp.conf")
+')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index ed363e1..808e49e 100644
+index b7686d5..be7444c 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
-@@ -5,8 +5,15 @@ policy_module(sysnetwork, 1.14.0)
+@@ -5,8 +5,15 @@ policy_module(sysnetwork, 1.14.6)
# Declarations
#
@@ -141098,7 +140890,7 @@ index ed363e1..808e49e 100644
# create pid file
manage_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t)
-@@ -69,6 +83,8 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, file)
+@@ -70,6 +84,8 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, { file dir })
# Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
# in /etc created by dhcpcd will be labelled net_conf_t.
@@ -141107,7 +140899,7 @@ index ed363e1..808e49e 100644
sysnet_manage_config(dhcpc_t)
files_etc_filetrans(dhcpc_t, net_conf_t, file)
-@@ -90,27 +106,29 @@ kernel_rw_net_sysctls(dhcpc_t)
+@@ -91,14 +107,13 @@ kernel_rw_net_sysctls(dhcpc_t)
corecmd_exec_bin(dhcpc_t)
corecmd_exec_shell(dhcpc_t)
@@ -141127,11 +140919,8 @@ index ed363e1..808e49e 100644
+corenet_udp_sendrecv_generic_node(dhcpc_t)
corenet_tcp_sendrecv_all_ports(dhcpc_t)
corenet_udp_sendrecv_all_ports(dhcpc_t)
--corenet_tcp_bind_all_nodes(dhcpc_t)
--corenet_udp_bind_all_nodes(dhcpc_t)
-+corenet_tcp_bind_generic_node(dhcpc_t)
-+corenet_udp_bind_generic_node(dhcpc_t)
- corenet_udp_bind_dhcpc_port(dhcpc_t)
+ corenet_tcp_bind_all_nodes(dhcpc_t)
+@@ -108,11 +123,14 @@ corenet_udp_bind_dhcpc_port(dhcpc_t)
corenet_tcp_connect_all_ports(dhcpc_t)
corenet_sendrecv_dhcpd_client_packets(dhcpc_t)
corenet_sendrecv_dhcpc_server_packets(dhcpc_t)
@@ -141146,7 +140935,7 @@ index ed363e1..808e49e 100644
domain_use_interactive_fds(dhcpc_t)
domain_dontaudit_read_all_domains_state(dhcpc_t)
-@@ -130,15 +148,20 @@ term_dontaudit_use_all_ptys(dhcpc_t)
+@@ -132,15 +150,20 @@ term_dontaudit_use_all_ptys(dhcpc_t)
term_dontaudit_use_unallocated_ttys(dhcpc_t)
term_dontaudit_use_generic_ptys(dhcpc_t)
@@ -141170,7 +140959,7 @@ index ed363e1..808e49e 100644
userdom_use_user_terminals(dhcpc_t)
userdom_dontaudit_search_user_home_dirs(dhcpc_t)
-@@ -153,8 +176,23 @@ ifdef(`distro_ubuntu',`
+@@ -155,8 +178,23 @@ ifdef(`distro_ubuntu',`
')
')
@@ -141195,23 +140984,21 @@ index ed363e1..808e49e 100644
')
optional_policy(`
-@@ -169,11 +207,14 @@ optional_policy(`
+@@ -170,11 +208,8 @@ optional_policy(`
')
optional_policy(`
- hostname_run(dhcpc_t, dhcpc_roles)
+-')
+-
+-optional_policy(`
+- hal_dontaudit_rw_dgram_sockets(dhcpc_t)
+ hostname_domtrans(dhcpc_t)
+# hostname_run(dhcpc_t, dhcpc_roles)
')
optional_policy(`
- hal_dontaudit_rw_dgram_sockets(dhcpc_t)
-+ hal_dontaudit_read_pid_files(dhcpc_t)
-+ hal_dontaudit_write_log(dhcpc_t)
- ')
-
- optional_policy(`
-@@ -187,25 +228,41 @@ optional_policy(`
+@@ -188,25 +223,41 @@ optional_policy(`
# for the dhcp client to run ping to check IP addresses
optional_policy(`
@@ -141255,7 +141042,7 @@ index ed363e1..808e49e 100644
')
optional_policy(`
-@@ -215,7 +272,11 @@ optional_policy(`
+@@ -216,7 +267,11 @@ optional_policy(`
optional_policy(`
seutil_sigchld_newrole(dhcpc_t)
@@ -141268,7 +141055,7 @@ index ed363e1..808e49e 100644
')
optional_policy(`
-@@ -258,6 +319,7 @@ allow ifconfig_t self:msgq create_msgq_perms;
+@@ -259,6 +314,7 @@ allow ifconfig_t self:msgq create_msgq_perms;
allow ifconfig_t self:msg { send receive };
# Create UDP sockets, necessary when called from dhcpc
allow ifconfig_t self:udp_socket create_socket_perms;
@@ -141276,7 +141063,7 @@ index ed363e1..808e49e 100644
# for /sbin/ip
allow ifconfig_t self:packet_socket create_socket_perms;
allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -276,11 +338,18 @@ corenet_rw_tun_tap_dev(ifconfig_t)
+@@ -277,11 +333,18 @@ corenet_rw_tun_tap_dev(ifconfig_t)
dev_read_sysfs(ifconfig_t)
# for IPSEC setup:
dev_read_urand(ifconfig_t)
@@ -141295,7 +141082,7 @@ index ed363e1..808e49e 100644
fs_getattr_xattr_fs(ifconfig_t)
fs_search_auto_mountpoints(ifconfig_t)
-@@ -293,22 +362,22 @@ term_dontaudit_use_all_ptys(ifconfig_t)
+@@ -294,22 +357,22 @@ term_dontaudit_use_all_ptys(ifconfig_t)
term_dontaudit_use_ptmx(ifconfig_t)
term_dontaudit_use_generic_ptys(ifconfig_t)
@@ -141323,7 +141110,7 @@ index ed363e1..808e49e 100644
userdom_use_all_users_fds(ifconfig_t)
ifdef(`distro_ubuntu',`
-@@ -317,7 +386,22 @@ ifdef(`distro_ubuntu',`
+@@ -318,7 +381,22 @@ ifdef(`distro_ubuntu',`
')
')
@@ -141346,22 +141133,17 @@ index ed363e1..808e49e 100644
optional_policy(`
dev_dontaudit_rw_cardmgr(ifconfig_t)
')
-@@ -328,8 +412,14 @@ ifdef(`hide_broken_symptoms',`
+@@ -329,8 +407,7 @@ ifdef(`hide_broken_symptoms',`
')
optional_policy(`
+- hal_dontaudit_rw_pipes(ifconfig_t)
+- hal_dontaudit_rw_dgram_sockets(ifconfig_t)
+ devicekit_dontaudit_read_pid_files(ifconfig_t)
-+')
-+
-+optional_policy(`
- hal_dontaudit_rw_pipes(ifconfig_t)
- hal_dontaudit_rw_dgram_sockets(ifconfig_t)
-+ hal_dontaudit_read_pid_files(ifconfig_t)
-+ hal_write_log(ifconfig_t)
')
optional_policy(`
-@@ -338,7 +428,15 @@ optional_policy(`
+@@ -339,7 +416,15 @@ optional_policy(`
')
optional_policy(`
@@ -141378,7 +141160,7 @@ index ed363e1..808e49e 100644
')
optional_policy(`
-@@ -359,3 +457,9 @@ optional_policy(`
+@@ -360,3 +445,9 @@ optional_policy(`
xen_append_log(ifconfig_t)
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
')
@@ -142854,7 +142636,7 @@ index 0000000..223e3f0
+init_list_pid_dirs(systemctl_domain)
+init_use_fds(systemctl_domain)
diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
-index 2575393..49fd32e 100644
+index 40928d8..49fd32e 100644
--- a/policy/modules/system/udev.fc
+++ b/policy/modules/system/udev.fc
@@ -1,6 +1,8 @@
@@ -142877,11 +142659,13 @@ index 2575393..49fd32e 100644
ifdef(`distro_debian',`
/lib/udev/create_static_nodes -- gen_context(system_u:object_r:udev_exec_t,s0)
-@@ -27,9 +30,23 @@ ifdef(`distro_redhat',`
+@@ -27,11 +30,23 @@ ifdef(`distro_redhat',`
')
/usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0)
-
+-/usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
+-
-/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
-/var/run/udev(/.*)? gen_context(system_u:object_r:udev_tbl_t,s0)
+/usr/bin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
@@ -142905,7 +142689,7 @@ index 2575393..49fd32e 100644
ifdef(`distro_debian',`
/var/run/xen-hotplug -d gen_context(system_u:object_r:udev_var_run_t,s0)
diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
-index 77a13a5..9a5a73f 100644
+index 0f64692..d7e8a01 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -34,6 +34,7 @@ interface(`udev_domtrans',`
@@ -143038,17 +142822,36 @@ index 77a13a5..9a5a73f 100644
')
########################################
-@@ -300,6 +348,84 @@ interface(`udev_manage_pid_files',`
+@@ -263,7 +311,8 @@ interface(`udev_manage_pid_dirs',`
+
+ ########################################
+ ## <summary>
+-## Read udev pid files.
++## Create, read, write, and delete
++## udev pid files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -271,19 +320,44 @@ interface(`udev_manage_pid_dirs',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`udev_read_pid_files',`
++interface(`udev_manage_pid_files',`
+ gen_require(`
type udev_var_run_t;
')
-- files_search_var_lib($1)
-+ files_search_pids($1)
- manage_files_pattern($1, udev_var_run_t, udev_var_run_t)
+ files_search_pids($1)
+- read_files_pattern($1, udev_var_run_t, udev_var_run_t)
++ manage_files_pattern($1, udev_var_run_t, udev_var_run_t)
')
-+
+
+-########################################
+#######################################
-+## <summary>
+ ## <summary>
+-## Create, read, write, and delete
+-## udev pid files.
+## Execute udev in the udev domain, and
+## allow the specified role the udev domain.
+## </summary>
@@ -143076,19 +142879,23 @@ index 77a13a5..9a5a73f 100644
+#######################################
+## <summary>
+## Allow caller to create kobject uevent socket for udev
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -291,13 +365,45 @@ interface(`udev_read_pid_files',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`udev_manage_pid_files',`
+interface(`udev_create_kobject_uevent_socket',`
-+ gen_require(`
+ gen_require(`
+- type udev_var_run_t;
+ type udev_t;
+ role system_r;
-+ ')
-+
+ ')
+
+- files_search_var_lib($1)
+- manage_files_pattern($1, udev_var_run_t, udev_var_run_t)
+ allow $1 udev_t:netlink_kobject_uevent_socket create_socket_perms;
+')
+
@@ -143122,10 +142929,11 @@ index 77a13a5..9a5a73f 100644
+ domtrans_pattern(udev_t, $2, $1)
+
+ dontaudit $1 udev_t:unix_dgram_socket { read write };
-+')
-+
+ ')
+
+ ########################################
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index 29075b3..8d185fc 100644
+index a5ec88b..6e4726f 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -17,14 +17,12 @@ init_daemon_domain(udev_t, udev_exec_t)
@@ -143141,10 +142949,10 @@ index 29075b3..8d185fc 100644
type udev_var_run_t;
files_pid_file(udev_var_run_t)
+typealias udev_var_run_t alias udev_tbl_t;
+ init_daemon_run_dir(udev_var_run_t, "udev")
ifdef(`enable_mcs',`
- kernel_ranged_domtrans_to(udev_t, udev_exec_t, s0 - mcs_systemhigh)
-@@ -36,9 +34,11 @@ ifdef(`enable_mcs',`
+@@ -37,9 +35,11 @@ ifdef(`enable_mcs',`
# Local policy
#
@@ -143158,7 +142966,7 @@ index 29075b3..8d185fc 100644
allow udev_t self:process { execmem setfscreate };
allow udev_t self:fd use;
allow udev_t self:fifo_file rw_fifo_file_perms;
-@@ -52,6 +52,7 @@ allow udev_t self:unix_dgram_socket sendto;
+@@ -53,6 +53,7 @@ allow udev_t self:unix_dgram_socket sendto;
allow udev_t self:unix_stream_socket connectto;
allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
allow udev_t self:rawip_socket create_socket_perms;
@@ -143166,7 +142974,7 @@ index 29075b3..8d185fc 100644
allow udev_t udev_exec_t:file write;
can_exec(udev_t, udev_exec_t)
-@@ -62,31 +63,35 @@ can_exec(udev_t, udev_helper_exec_t)
+@@ -63,31 +64,35 @@ can_exec(udev_t, udev_helper_exec_t)
# read udev config
allow udev_t udev_etc_t:file read_file_perms;
@@ -143209,7 +143017,7 @@ index 29075b3..8d185fc 100644
#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
kernel_rw_net_sysctls(udev_t)
-@@ -97,6 +102,7 @@ corecmd_exec_all_executables(udev_t)
+@@ -98,6 +103,7 @@ corecmd_exec_all_executables(udev_t)
dev_rw_sysfs(udev_t)
dev_manage_all_dev_nodes(udev_t)
@@ -143217,7 +143025,7 @@ index 29075b3..8d185fc 100644
dev_rw_generic_files(udev_t)
dev_delete_generic_files(udev_t)
dev_search_usbfs(udev_t)
-@@ -105,23 +111,31 @@ dev_relabel_all_dev_nodes(udev_t)
+@@ -106,23 +112,31 @@ dev_relabel_all_dev_nodes(udev_t)
# preserved, instead of short circuiting the relabel
dev_relabel_generic_symlinks(udev_t)
dev_manage_generic_symlinks(udev_t)
@@ -143253,7 +143061,7 @@ index 29075b3..8d185fc 100644
mls_file_read_all_levels(udev_t)
mls_file_write_all_levels(udev_t)
-@@ -143,17 +157,20 @@ auth_use_nsswitch(udev_t)
+@@ -144,17 +158,20 @@ auth_use_nsswitch(udev_t)
init_read_utmp(udev_t)
init_dontaudit_write_utmp(udev_t)
init_getattr_initctl(udev_t)
@@ -143275,7 +143083,7 @@ index 29075b3..8d185fc 100644
seutil_read_config(udev_t)
seutil_read_default_contexts(udev_t)
-@@ -169,6 +186,8 @@ sysnet_signal_dhcpc(udev_t)
+@@ -170,6 +187,8 @@ sysnet_signal_dhcpc(udev_t)
sysnet_manage_config(udev_t)
sysnet_etc_filetrans_config(udev_t)
@@ -143284,7 +143092,7 @@ index 29075b3..8d185fc 100644
userdom_dontaudit_search_user_home_content(udev_t)
ifdef(`distro_gentoo',`
-@@ -178,16 +197,9 @@ ifdef(`distro_gentoo',`
+@@ -179,16 +198,9 @@ ifdef(`distro_gentoo',`
')
ifdef(`distro_redhat',`
@@ -143303,7 +143111,7 @@ index 29075b3..8d185fc 100644
# for arping used for static IP addresses on PCMCIA ethernet
netutils_domtrans(udev_t)
-@@ -216,11 +228,16 @@ optional_policy(`
+@@ -217,6 +229,10 @@ optional_policy(`
')
optional_policy(`
@@ -143314,13 +143122,15 @@ index 29075b3..8d185fc 100644
consoletype_exec(udev_t)
')
+@@ -226,6 +242,7 @@ optional_policy(`
+
optional_policy(`
cups_domtrans_config(udev_t)
+ cups_read_config(udev_t)
')
optional_policy(`
-@@ -230,10 +247,20 @@ optional_policy(`
+@@ -235,10 +252,20 @@ optional_policy(`
optional_policy(`
devicekit_read_pid_files(udev_t)
devicekit_dgram_send(udev_t)
@@ -143341,7 +143151,7 @@ index 29075b3..8d185fc 100644
')
optional_policy(`
-@@ -259,6 +286,10 @@ optional_policy(`
+@@ -264,6 +291,10 @@ optional_policy(`
')
optional_policy(`
@@ -143352,7 +143162,7 @@ index 29075b3..8d185fc 100644
openct_read_pid_files(udev_t)
openct_domtrans(udev_t)
')
-@@ -273,6 +304,15 @@ optional_policy(`
+@@ -278,6 +309,15 @@ optional_policy(`
')
optional_policy(`
@@ -143368,7 +143178,7 @@ index 29075b3..8d185fc 100644
unconfined_signal(udev_t)
')
-@@ -285,6 +325,7 @@ optional_policy(`
+@@ -290,6 +330,7 @@ optional_policy(`
kernel_read_xen_state(udev_t)
xen_manage_log(udev_t)
xen_read_image_files(udev_t)
@@ -144202,7 +144012,7 @@ index db75976..65191bd 100644
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index e720dcd..53ea674 100644
+index 3c5dba7..81b2173 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -144838,7 +144648,7 @@ index e720dcd..53ea674 100644
# cjp: some of this probably can be removed
selinux_get_fs_mount($1_t)
-@@ -546,100 +687,140 @@ template(`userdom_common_user_template',`
+@@ -546,93 +687,121 @@ template(`userdom_common_user_template',`
selinux_compute_user_contexts($1_t)
# for eject
@@ -144886,16 +144696,17 @@ index e720dcd..53ea674 100644
')
optional_policy(`
+- alsa_home_filetrans_alsa_home($1_t, file, ".asoundrc")
- alsa_manage_home_files($1_t)
- alsa_read_rw_config($1_t)
- alsa_relabel_home_files($1_t)
-+ canna_stream_connect($1_usertype)
++ chrome_role($1_r, $1_usertype)
')
optional_policy(`
- # Allow graphical boot to check battery lifespan
- apm_stream_connect($1_t)
-+ chrome_role($1_r, $1_usertype)
++ canna_stream_connect($1_usertype)
')
optional_policy(`
@@ -144915,37 +144726,33 @@ index e720dcd..53ea674 100644
')
optional_policy(`
-- evolution_dbus_chat($1_t)
-- evolution_alarm_dbus_chat($1_t)
-+ policykit_dbus_chat($1_usertype)
- ')
-
- optional_policy(`
-- cups_dbus_chat_config($1_t)
+- consolekit_dbus_chat($1_t)
+ bluetooth_dbus_chat($1_usertype)
')
optional_policy(`
-- hal_dbus_chat($1_t)
+- cups_dbus_chat_config($1_t)
+ consolekit_dbus_chat($1_usertype)
+ consolekit_read_log($1_usertype)
')
optional_policy(`
-- networkmanager_dbus_chat($1_t)
+- hal_dbus_chat($1_t)
+ devicekit_dbus_chat($1_usertype)
+ devicekit_dbus_chat_power($1_usertype)
+ devicekit_dbus_chat_disk($1_usertype)
')
-+
-+ optional_policy(`
+
+ optional_policy(`
+- networkmanager_dbus_chat($1_t)
+ evolution_dbus_chat($1_usertype)
+ evolution_alarm_dbus_chat($1_usertype)
-+ ')
-+
-+ optional_policy(`
+ ')
+
+ optional_policy(`
+- policykit_dbus_chat($1_t)
+ gnome_dbus_chat_gconfdefault($1_usertype)
-+ ')
+ ')
+
+ optional_policy(`
+ hal_dbus_chat($1_usertype)
@@ -144965,12 +144772,16 @@ index e720dcd..53ea674 100644
+ ')
+
+ optional_policy(`
++ policykit_dbus_chat($1_usertype)
++ ')
++
++ optional_policy(`
+ vpn_dbus_chat($1_usertype)
+ ')
+ ')
+
+ optional_policy(`
-+ git_session_role($1_r, $1_usertype)
++ git_role($1_r, $1_t)
')
optional_policy(`
@@ -144990,14 +144801,15 @@ index e720dcd..53ea674 100644
')
optional_policy(`
-- locate_read_lib_files($1_t)
+- kerberos_manage_krb5_home_files($1_t)
+- kerberos_relabel_krb5_home_files($1_t)
+- kerberos_home_filetrans_krb5_home($1_t, file, ".k5login")
+ lircd_stream_connect($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ locate_read_lib_files($1_usertype)
')
+ optional_policy(`
+@@ -646,19 +815,17 @@ template(`userdom_common_user_template',`
+
# for running depmod as part of the kernel packaging process
optional_policy(`
- modutils_read_module_config($1_t)
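Review bot: The updated patch now deletes upstream's Kerberos home-content rules for the user domain (`kerberos_manage_krb5_home_files`, `kerberos_relabel_krb5_home_files` and the `.k5login` filetrans) without adding a replacement in this hunk; the same pattern appears for mysql (`.my.cnf`) in the next userdomain.if hunk and for virt (`.libvirt`, `.virtinst`, `isos`, `qemu`, `VirtualMachines`) in the hunk after that. Unless equivalent filetrans rules are carried elsewhere (the contrib patch changed by the same commit is the likely place), files users create under these names fall back to the generic home type instead of the application-specific one, which weakens the separation those types provide and regresses labelling on fresh installs. Either keep the upstream lines or record in the commit description where the replacement lives. The enclosing `userdom_common_user_template` begins and ends outside this hunk.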
@@ -145012,12 +144824,16 @@ index e720dcd..53ea674 100644
')
optional_policy(`
+- mysql_manage_mysqld_home_files($1_t)
+- mysql_relabel_mysqld_home_files($1_t)
+- mysql_home_filetrans_mysqld_home($1_t, file, ".my.cnf")
+-
- tunable_policy(`allow_user_mysql_connect',`
+ tunable_policy(`selinuxuser_mysql_connect_enabled',`
mysql_stream_connect($1_t)
')
')
-@@ -651,40 +832,52 @@ template(`userdom_common_user_template',`
+@@ -671,7 +838,7 @@ template(`userdom_common_user_template',`
optional_policy(`
# to allow monitoring of pcmcia status
@@ -145026,10 +144842,7 @@ index e720dcd..53ea674 100644
')
optional_policy(`
-- pcscd_read_pub_files($1_t)
-- pcscd_stream_connect($1_t)
-+ pcscd_read_pub_files($1_usertype)
-+ pcscd_stream_connect($1_usertype)
+@@ -680,9 +847,9 @@ template(`userdom_common_user_template',`
')
optional_policy(`
@@ -145042,6 +144855,9 @@ index e720dcd..53ea674 100644
')
')
+@@ -693,32 +860,36 @@ template(`userdom_common_user_template',`
+ ')
+
optional_policy(`
- resmgr_stream_connect($1_t)
+ resmgr_stream_connect($1_usertype)
@@ -145054,35 +144870,40 @@ index e720dcd..53ea674 100644
+
+ optional_policy(`
+ rpcbind_stream_connect($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ samba_stream_connect_winbind($1_usertype)
')
optional_policy(`
- rpc_dontaudit_getattr_exports($1_t)
- rpc_manage_nfs_rw_content($1_t)
-+ sandbox_transition($1_usertype, $1_r)
++ samba_stream_connect_winbind($1_usertype)
')
optional_policy(`
- samba_stream_connect_winbind($1_t)
-+ seunshare_role_template($1, $1_r, $1_t)
++ sandbox_transition($1_usertype, $1_r)
')
optional_policy(`
- slrnpull_search_spool($1_t)
-+ slrnpull_search_spool($1_usertype)
++ seunshare_role_template($1, $1_r, $1_t)
')
optional_policy(`
- usernetctl_run($1_t, $1_r)
++ slrnpull_search_spool($1_usertype)
+ ')
+
+ optional_policy(`
+- virt_home_filetrans_virt_home($1_t, dir, ".libvirt")
+- virt_home_filetrans_virt_home($1_t, dir, ".virtinst")
+- virt_home_filetrans_virt_content($1_t, dir, "isos")
+- virt_home_filetrans_svirt_home($1_t, dir, "qemu")
+- virt_home_filetrans_virt_home($1_t, dir, "VirtualMachines")
+ thumb_role($1_r, $1_usertype)
')
')
-@@ -709,17 +902,33 @@ template(`userdom_common_user_template',`
+@@ -743,17 +914,33 @@ template(`userdom_common_user_template',`
template(`userdom_login_user_template', `
gen_require(`
class context contains;
@@ -145121,7 +144942,7 @@ index e720dcd..53ea674 100644
userdom_change_password_template($1)
-@@ -727,82 +936,100 @@ template(`userdom_login_user_template', `
+@@ -761,82 +948,100 @@ template(`userdom_login_user_template', `
#
# User domain Local policy
#
@@ -145258,7 +145079,7 @@ index e720dcd..53ea674 100644
')
')
-@@ -834,6 +1061,12 @@ template(`userdom_restricted_user_template',`
+@@ -868,6 +1073,12 @@ template(`userdom_restricted_user_template',`
typeattribute $1_t unpriv_userdomain;
domain_interactive_fd($1_t)
@@ -145271,7 +145092,7 @@ index e720dcd..53ea674 100644
##############################
#
# Local policy
-@@ -874,46 +1107,118 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -908,41 +1119,91 @@ template(`userdom_restricted_xwindows_user_template',`
# Local policy
#
@@ -145369,13 +145190,18 @@ index e720dcd..53ea674 100644
- cups_dbus_chat($1_t)
+ fprintd_dbus_chat($1_t)
')
-+
-+ optional_policy(`
+
+ optional_policy(`
+- gnome_role_template($1, $1_r, $1_t)
+ realmd_dbus_chat($1_t)
-+ ')
-+ ')
-+
-+ optional_policy(`
+ ')
+
+ optional_policy(`
+@@ -951,12 +1212,26 @@ template(`userdom_restricted_xwindows_user_template',`
+ ')
+
+ optional_policy(`
+- java_role($1_r, $1_t)
+ policykit_role($1_r, $1_usertype)
+ ')
+
@@ -145383,27 +145209,23 @@ index e720dcd..53ea674 100644
+ pulseaudio_role($1_r, $1_usertype)
+ pulseaudio_filetrans_admin_home_content($1_usertype)
+ pulseaudio_filetrans_home_content($1_usertype)
- ')
-
- optional_policy(`
-- java_role($1_r, $1_t)
++ ')
++
++ optional_policy(`
+ rtkit_scheduled($1_usertype)
')
optional_policy(`
setroubleshoot_dontaudit_stream_connect($1_t)
-+ ')
+ ')
+
+ optional_policy(`
+ udev_read_db($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ wm_role_template($1, $1_r, $1_t)
- ')
++ ')
')
-@@ -948,27 +1253,33 @@ template(`userdom_unpriv_user_template', `
+ #######################################
+@@ -990,27 +1265,33 @@ template(`userdom_unpriv_user_template', `
#
# Inherit rules for ordinary users.
@@ -145441,7 +145263,7 @@ index e720dcd..53ea674 100644
fs_manage_noxattr_fs_files($1_t)
fs_manage_noxattr_fs_dirs($1_t)
# Write floppies
-@@ -979,54 +1290,89 @@ template(`userdom_unpriv_user_template', `
+@@ -1021,23 +1302,56 @@ template(`userdom_unpriv_user_template', `
')
')
@@ -145465,45 +145287,20 @@ index e720dcd..53ea674 100644
+
+ tunable_policy(`selinuxuser_tcp_server',`
+ corenet_tcp_bind_all_unreserved_ports($1_usertype)
- ')
-
- optional_policy(`
-- netutils_run_ping_cond($1_t, $1_r)
-- netutils_run_traceroute_cond($1_t, $1_r)
++ ')
++
++ optional_policy(`
+ cdrecord_role($1_r, $1_t)
- ')
-
-- # Run pppd in pppd_t by default for user
- optional_policy(`
-- ppp_run_cond($1_t, $1_r)
++ ')
++
++ optional_policy(`
+ cron_role($1_r, $1_t)
- ')
-
- optional_policy(`
-- setroubleshoot_stream_connect($1_t)
++ ')
++
++ optional_policy(`
+ games_rw_data($1_usertype)
- ')
--')
-
--#######################################
--## <summary>
--## The template for creating an administrative user.
--## </summary>
--## <desc>
--## <p>
--## This template creates a user domain, types, and
--## rules for the user's tty, pty, home directories,
--## tmp, and tmpfs files.
--## </p>
--## <p>
--## The privileges given to administrative users are:
--## <ul>
--## <li>Raw disk access</li>
--## <li>Set all sysctls</li>
--## <li>All kernel ring buffer controls</li>
--## <li>Create, read, write, and delete all files but shadow</li>
--## <li>Manage source and binary format SELinux policy</li>
--## <li>Run insmod</li>
++ ')
++
+ optional_policy(`
+ gpg_role($1_r, $1_usertype)
+ ')
@@ -145514,9 +145311,11 @@ index e720dcd..53ea674 100644
+
+ optional_policy(`
+ gpm_stream_connect($1_usertype)
-+ ')
-+
-+ optional_policy(`
+ ')
+
+ optional_policy(`
+- netutils_run_ping_cond($1_t, $1_r)
+- netutils_run_traceroute_cond($1_t, $1_r)
+ mount_run_fusermount($1_t, $1_r)
+ mount_read_pid_files($1_t)
+ ')
@@ -145528,43 +145327,21 @@ index e720dcd..53ea674 100644
+ optional_policy(`
+ postfix_run_postdrop($1_t, $1_r)
+ postfix_search_spool($1_t)
-+ ')
-+
-+ # Run pppd in pppd_t by default for user
-+ optional_policy(`
-+ ppp_run_cond($1_t, $1_r)
-+ ')
-+
-+ optional_policy(`
+ ')
+
+ # Run pppd in pppd_t by default for user
+@@ -1046,7 +1360,9 @@ template(`userdom_unpriv_user_template', `
+ ')
+
+ optional_policy(`
+- setroubleshoot_stream_connect($1_t)
+ vdagent_getattr_log($1_t)
+ vdagent_getattr_exec_files($1_t)
+ vdagent_stream_connect($1_t)
-+ ')
-+')
-+
-+#######################################
-+## <summary>
-+## The template for creating an administrative user.
-+## </summary>
-+## <desc>
-+## <p>
-+## This template creates a user domain, types, and
-+## rules for the user's tty, pty, home directories,
-+## tmp, and tmpfs files.
-+## </p>
-+## <p>
-+## The privileges given to administrative users are:
-+## <ul>
-+## <li>Raw disk access</li>
-+## <li>Set all sysctls</li>
-+## <li>All kernel ring buffer controls</li>
-+## <li>Create, read, write, and delete all files but shadow</li>
-+## <li>Manage source and binary format SELinux policy</li>
-+## <li>Run insmod</li>
- ## </ul>
- ## </p>
- ## </desc>
-@@ -1040,7 +1386,7 @@ template(`userdom_unpriv_user_template', `
+ ')
+ ')
+
+@@ -1082,7 +1398,7 @@ template(`userdom_unpriv_user_template', `
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -145573,7 +145350,7 @@ index e720dcd..53ea674 100644
')
##############################
-@@ -1067,6 +1413,7 @@ template(`userdom_admin_user_template',`
+@@ -1109,6 +1425,7 @@ template(`userdom_admin_user_template',`
#
allow $1_t self:capability ~{ sys_module audit_control audit_write };
@@ -145581,7 +145358,7 @@ index e720dcd..53ea674 100644
allow $1_t self:process { setexec setfscreate };
allow $1_t self:netlink_audit_socket nlmsg_readpriv;
allow $1_t self:tun_socket create;
-@@ -1075,6 +1422,9 @@ template(`userdom_admin_user_template',`
+@@ -1117,6 +1434,9 @@ template(`userdom_admin_user_template',`
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -145591,7 +145368,7 @@ index e720dcd..53ea674 100644
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1089,6 +1439,7 @@ template(`userdom_admin_user_template',`
+@@ -1131,6 +1451,7 @@ template(`userdom_admin_user_template',`
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -145599,7 +145376,7 @@ index e720dcd..53ea674 100644
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1106,10 +1457,14 @@ template(`userdom_admin_user_template',`
+@@ -1148,10 +1469,14 @@ template(`userdom_admin_user_template',`
dev_rename_all_blk_files($1_t)
dev_rename_all_chr_files($1_t)
dev_create_generic_symlinks($1_t)
@@ -145614,7 +145391,7 @@ index e720dcd..53ea674 100644
domain_dontaudit_ptrace_all_domains($1_t)
# signal all domains:
domain_kill_all_domains($1_t)
-@@ -1120,29 +1475,38 @@ template(`userdom_admin_user_template',`
+@@ -1162,29 +1487,38 @@ template(`userdom_admin_user_template',`
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
@@ -145657,7 +145434,7 @@ index e720dcd..53ea674 100644
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
-@@ -1152,6 +1516,8 @@ template(`userdom_admin_user_template',`
+@@ -1194,6 +1528,8 @@ template(`userdom_admin_user_template',`
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -145666,7 +145443,7 @@ index e720dcd..53ea674 100644
userdom_manage_user_home_content_dirs($1_t)
userdom_manage_user_home_content_files($1_t)
userdom_manage_user_home_content_symlinks($1_t)
-@@ -1159,13 +1525,17 @@ template(`userdom_admin_user_template',`
+@@ -1201,13 +1537,17 @@ template(`userdom_admin_user_template',`
userdom_manage_user_home_content_sockets($1_t)
userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
@@ -145685,7 +145462,7 @@ index e720dcd..53ea674 100644
optional_policy(`
postgresql_unconfined($1_t)
')
-@@ -1211,6 +1581,8 @@ template(`userdom_security_admin_template',`
+@@ -1253,6 +1593,8 @@ template(`userdom_security_admin_template',`
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -145694,7 +145471,7 @@ index e720dcd..53ea674 100644
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1223,8 +1595,10 @@ template(`userdom_security_admin_template',`
+@@ -1265,8 +1607,10 @@ template(`userdom_security_admin_template',`
selinux_set_enforce_mode($1)
selinux_set_all_booleans($1)
selinux_set_parameters($1)
@@ -145706,7 +145483,7 @@ index e720dcd..53ea674 100644
auth_relabel_shadow($1)
init_exec($1)
-@@ -1235,29 +1609,31 @@ template(`userdom_security_admin_template',`
+@@ -1277,35 +1621,37 @@ template(`userdom_security_admin_template',`
logging_read_audit_config($1)
seutil_manage_bin_policy($1)
@@ -145735,27 +145512,37 @@ index e720dcd..53ea674 100644
- optional_policy(`
- dmesg_exec($1)
-- ')
--
-- optional_policy(`
-- ipsec_run_setkey($1, $2)
+ optional_policy(`
+ ipsec_run_setkey($1,$2)
')
optional_policy(`
-- netlabel_run_mgmt($1, $2)
+- ipsec_run_setkey($1, $2)
+ netlabel_run_mgmt($1,$2)
')
optional_policy(`
-@@ -1317,12 +1693,15 @@ interface(`userdom_user_application_domain',`
- interface(`userdom_user_home_content',`
+- netlabel_run_mgmt($1, $2)
++ samhain_run($1, $2)
+ ')
+-
+- optional_policy(`
+- samhain_run($1, $2)
+- ')
+-')
++')
+
+ ########################################
+ ## <summary>
+@@ -1360,14 +1706,17 @@ interface(`userdom_user_home_content',`
gen_require(`
+ attribute user_home_content_type;
type user_home_t;
+ attribute user_home_type;
')
+ typeattribute $1 user_home_content_type;
+
allow $1 user_home_t:filesystem associate;
files_type($1)
- files_poly_member($1)
@@ -145766,7 +145553,7 @@ index e720dcd..53ea674 100644
')
########################################
-@@ -1363,6 +1742,51 @@ interface(`userdom_user_tmpfs_file',`
+@@ -1408,6 +1757,51 @@ interface(`userdom_user_tmpfs_file',`
## <summary>
## Allow domain to attach to TUN devices created by administrative users.
## </summary>
@@ -145818,7 +145605,7 @@ index e720dcd..53ea674 100644
## <param name="domain">
## <summary>
## Domain allowed access.
-@@ -1467,11 +1891,31 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1512,11 +1906,31 @@ interface(`userdom_search_user_home_dirs',`
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -145850,7 +145637,7 @@ index e720dcd..53ea674 100644
## Do not audit attempts to search user home directories.
## </summary>
## <desc>
-@@ -1513,6 +1957,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1558,6 +1972,14 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -145865,7 +145652,7 @@ index e720dcd..53ea674 100644
')
########################################
-@@ -1528,9 +1980,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1573,9 +1995,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -145877,7 +145664,7 @@ index e720dcd..53ea674 100644
')
########################################
-@@ -1587,6 +2041,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1632,6 +2056,42 @@ interface(`userdom_relabelto_user_home_dirs',`
allow $1 user_home_dir_t:dir relabelto;
')
@@ -145920,7 +145707,7 @@ index e720dcd..53ea674 100644
########################################
## <summary>
## Create directories in the home dir root with
-@@ -1666,6 +2156,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1711,6 +2171,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -145929,7 +145716,7 @@ index e720dcd..53ea674 100644
')
########################################
-@@ -1680,10 +2172,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1744,10 +2206,12 @@ interface(`userdom_list_all_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -145944,51 +145731,80 @@ index e720dcd..53ea674 100644
')
########################################
-@@ -1726,6 +2220,43 @@ interface(`userdom_delete_user_home_content_dirs',`
+@@ -1772,7 +2236,7 @@ interface(`userdom_manage_user_home_content_dirs',`
+
+ ########################################
+ ## <summary>
+-## Delete all user home content directories.
++## Delete directories in a user home subdirectory.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -1780,19 +2244,17 @@ interface(`userdom_manage_user_home_content_dirs',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`userdom_delete_all_user_home_content_dirs',`
++interface(`userdom_delete_user_home_content_dirs',`
+ gen_require(`
+- attribute user_home_content_type;
+- type user_home_dir_t;
++ type user_home_t;
+ ')
+
+- userdom_search_user_home_dirs($1)
+- delete_files_pattern($1, { user_home_dir_t user_home_content_type }, user_home_content_type)
++ allow $1 user_home_t:dir delete_dir_perms;
+ ')
########################################
## <summary>
+-## Delete directories in a user home subdirectory.
+## Delete all directories in a user home subdirectory.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -1800,31 +2262,31 @@ interface(`userdom_delete_all_user_home_content_dirs',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`userdom_delete_user_home_content_dirs',`
+interface(`userdom_delete_all_user_home_content_dirs',`
-+ gen_require(`
+ gen_require(`
+- type user_home_t;
+ attribute user_home_type;
-+ ')
-+
+ ')
+
+- allow $1 user_home_t:dir delete_dir_perms;
+ allow $1 user_home_type:dir delete_dir_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Set attributes of all user home content directories.
+## Set the attributes of user home files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+## <rolecap/>
-+#
+ #
+-interface(`userdom_setattr_all_user_home_content_dirs',`
+interface(`userdom_setattr_user_home_content_files',`
-+ gen_require(`
+ gen_require(`
+- attribute user_home_content_type;
+ type user_home_t;
-+ ')
-+
+ ')
+
+- userdom_search_user_home_dirs($1)
+- allow $1 user_home_content_type:dir setattr_dir_perms;
+ allow $1 user_home_t:file setattr;
-+')
-+
-+########################################
-+## <summary>
- ## Do not audit attempts to set the
- ## attributes of user home files.
- ## </summary>
-@@ -1745,6 +2276,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+ ')
+
+ ########################################
+@@ -1848,6 +2310,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
########################################
## <summary>
@@ -146014,7 +145830,7 @@ index e720dcd..53ea674 100644
## Mmap user home files.
## </summary>
## <param name="domain">
-@@ -1775,14 +2325,36 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1878,14 +2359,36 @@ interface(`userdom_mmap_user_home_content_files',`
interface(`userdom_read_user_home_content_files',`
gen_require(`
type user_home_dir_t, user_home_t;
@@ -146052,7 +145868,7 @@ index e720dcd..53ea674 100644
## Do not audit attempts to read user home files.
## </summary>
## <param name="domain">
-@@ -1793,11 +2365,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1896,11 +2399,14 @@ interface(`userdom_read_user_home_content_files',`
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -146070,80 +145886,86 @@ index e720dcd..53ea674 100644
')
########################################
-@@ -1856,25 +2431,25 @@ interface(`userdom_delete_user_home_content_files',`
+@@ -1941,7 +2447,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
########################################
## <summary>
--## Do not audit attempts to write user home files.
+-## Delete all user home content files.
++## Delete files in a user home subdirectory.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`userdom_delete_user_home_content_files',`
++ gen_require(`
++ type user_home_t;
++ ')
++
++ allow $1 user_home_t:file delete_file_perms;
++')
++
++########################################
++## <summary>
+## Delete all files in a user home subdirectory.
## </summary>
## <param name="domain">
## <summary>
--## Domain to not audit.
-+## Domain allowed access.
- ## </summary>
- ## </param>
+@@ -1951,17 +2475,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
#
--interface(`userdom_dontaudit_relabel_user_home_content_files',`
-+interface(`userdom_delete_all_user_home_content_files',`
+ interface(`userdom_delete_all_user_home_content_files',`
gen_require(`
-- type user_home_t;
+- attribute user_home_content_type;
+- type user_home_dir_t;
+ attribute user_home_type;
')
-- dontaudit $1 user_home_t:file relabel_file_perms;
+- userdom_search_user_home_content($1)
+- delete_files_pattern($1 { user_home_dir_t user_home_content_type }, user_home_content_type)
+ allow $1 user_home_type:file delete_file_perms;
')
########################################
## <summary>
--## Read user home subdirectory symbolic links.
+-## Delete files in a user home subdirectory.
+## Delete sock files in a user home subdirectory.
## </summary>
## <param name="domain">
## <summary>
-@@ -1882,46 +2457,53 @@ interface(`userdom_dontaudit_relabel_user_home_content_files',`
+@@ -1969,12 +2491,48 @@ interface(`userdom_delete_all_user_home_content_files',`
## </summary>
## </param>
#
--interface(`userdom_read_user_home_content_symlinks',`
+-interface(`userdom_delete_user_home_content_files',`
+interface(`userdom_delete_user_home_content_sock_files',`
gen_require(`
-- type user_home_dir_t, user_home_t;
-+ type user_home_t;
+ type user_home_t;
')
-- read_lnk_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
-- files_search_home($1)
+- allow $1 user_home_t:file delete_file_perms;
+ allow $1 user_home_t:sock_file delete_file_perms;
- ')
-
- ########################################
- ## <summary>
--## Execute user home files.
++')
++
++########################################
++## <summary>
+## Delete all sock files in a user home subdirectory.
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
--## <rolecap/>
- #
--interface(`userdom_exec_user_home_content_files',`
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
+interface(`userdom_delete_all_user_home_content_sock_files',`
- gen_require(`
-- type user_home_dir_t, user_home_t;
++ gen_require(`
+ attribute user_home_type;
- ')
-
-- files_search_home($1)
-- exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
++ ')
++
+ allow $1 user_home_type:sock_file delete_file_perms;
+')
-
-- tunable_policy(`use_nfs_home_dirs',`
-- fs_exec_nfs_files($1)
++
+########################################
+## <summary>
+## Delete all files in a user home subdirectory.
@@ -146157,137 +145979,97 @@ index e720dcd..53ea674 100644
+interface(`userdom_delete_all_user_home_content',`
+ gen_require(`
+ attribute user_home_type;
++ ')
++
++ allow $1 user_home_type:dir_file_class_set delete_file_perms;
+ ')
+
+ ########################################
+@@ -2010,8 +2568,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+ type user_home_dir_t, user_home_t;
+ ')
+
+- read_lnk_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
+- files_search_home($1)
++ allow $1 { user_home_dir_t user_home_t }:lnk_file read_lnk_file_perms;
+ ')
+
+ ########################################
+@@ -2027,20 +2584,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+ #
+ interface(`userdom_exec_user_home_content_files',`
+ gen_require(`
+- type user_home_dir_t, user_home_t;
++ type user_home_dir_t;
++ attribute user_home_type;
')
+ files_search_home($1)
+- exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
+-
+- tunable_policy(`use_nfs_home_dirs',`
+- fs_exec_nfs_files($1)
+- ')
+-
- tunable_policy(`use_samba_home_dirs',`
- fs_exec_cifs_files($1)
-- ')
-+ allow $1 user_home_type:dir_file_class_set delete_file_perms;
- ')
++ exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
++ dontaudit $1 user_home_type:sock_file execute;
+ ')
+-')
########################################
## <summary>
--## Do not audit attempts to execute user home files.
-+## Do not audit attempts to write user home files.
+@@ -2123,7 +2674,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
+
+ ########################################
+ ## <summary>
+-## Delete all user home content symbolic links.
++## Delete symbolic links in a user home directory.
## </summary>
## <param name="domain">
## <summary>
-@@ -1929,18 +2511,17 @@ interface(`userdom_exec_user_home_content_files',`
+@@ -2131,19 +2682,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
## </summary>
## </param>
#
--interface(`userdom_dontaudit_exec_user_home_content_files',`
-+interface(`userdom_dontaudit_relabel_user_home_content_files',`
+-interface(`userdom_delete_all_user_home_content_symlinks',`
++interface(`userdom_delete_user_home_content_symlinks',`
gen_require(`
- type user_home_t;
+- attribute user_home_content_type;
+- type user_home_dir_t;
++ type user_home_t;
')
-- dontaudit $1 user_home_t:file exec_file_perms;
-+ dontaudit $1 user_home_t:file relabel_file_perms;
+- userdom_search_user_home_dirs($1)
+- delete_lnk_files_pattern($1, { user_home_dir_t user_home_content_type }, user_home_content_type)
++ allow $1 user_home_t:lnk_file delete_lnk_file_perms;
')
########################################
## <summary>
--## Create, read, write, and delete files
--## in a user home subdirectory.
-+## Read user home subdirectory symbolic links.
+-## Delete symbolic links in a user home directory.
++## Delete all symbolic links in a user home directory.
## </summary>
## <param name="domain">
## <summary>
-@@ -1948,7 +2529,66 @@ interface(`userdom_dontaudit_exec_user_home_content_files',`
+@@ -2151,12 +2700,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
## </summary>
## </param>
#
--interface(`userdom_manage_user_home_content_files',`
-+interface(`userdom_read_user_home_content_symlinks',`
-+ gen_require(`
-+ type user_home_dir_t, user_home_t;
-+ ')
-+
-+ allow $1 { user_home_dir_t user_home_t }:lnk_file read_lnk_file_perms;
-+')
-+
-+########################################
-+## <summary>
-+## Execute user home files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`userdom_exec_user_home_content_files',`
-+ gen_require(`
-+ type user_home_dir_t;
-+ attribute user_home_type;
-+ ')
-+
-+ files_search_home($1)
-+ exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
-+ dontaudit $1 user_home_type:sock_file execute;
-+ ')
-+
-+########################################
-+## <summary>
-+## Do not audit attempts to execute user home files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
-+interface(`userdom_dontaudit_exec_user_home_content_files',`
-+ gen_require(`
-+ type user_home_t;
-+ ')
-+
-+ dontaudit $1 user_home_t:file exec_file_perms;
-+')
-+
-+########################################
-+## <summary>
-+## Create, read, write, and delete files
-+## in a user home subdirectory.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`userdom_manage_user_home_content_files',`
+-interface(`userdom_delete_user_home_content_symlinks',`
++interface(`userdom_delete_all_user_home_content_symlinks',`
gen_require(`
- type user_home_dir_t, user_home_t;
+- type user_home_t;
++ attribute user_home_type;
')
-@@ -2018,6 +2658,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
- ########################################
- ## <summary>
-+## Delete all symbolic links in a user home directory.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`userdom_delete_all_user_home_content_symlinks',`
-+ gen_require(`
-+ attribute user_home_type;
-+ ')
-+
+- allow $1 user_home_t:lnk_file delete_lnk_file_perms;
+ allow $1 user_home_type:lnk_file delete_lnk_file_perms;
-+')
-+
-+########################################
-+## <summary>
- ## Create, read, write, and delete named pipes
- ## in a user home subdirectory.
- ## </summary>
-@@ -2250,11 +2908,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+ ')
+
+ ########################################
+@@ -2393,11 +2942,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
#
interface(`userdom_read_user_tmp_files',`
gen_require(`
@@ -146302,7 +146084,7 @@ index e720dcd..53ea674 100644
files_search_tmp($1)
')
-@@ -2274,7 +2932,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2417,7 +2966,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -146311,7 +146093,7 @@ index e720dcd..53ea674 100644
')
########################################
-@@ -2521,6 +3179,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2664,6 +3213,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
files_tmp_filetrans($1, user_tmp_t, $2, $3)
')
@@ -146337,7 +146119,7 @@ index e720dcd..53ea674 100644
########################################
## <summary>
## Read user tmpfs files.
-@@ -2537,13 +3214,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2680,13 +3248,14 @@ interface(`userdom_read_user_tmpfs_files',`
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -146353,7 +146135,7 @@ index e720dcd..53ea674 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2564,7 +3242,7 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2707,7 +3276,7 @@ interface(`userdom_rw_user_tmpfs_files',`
########################################
## <summary>
@@ -146362,7 +146144,7 @@ index e720dcd..53ea674 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2572,14 +3250,30 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2715,19 +3284,17 @@ interface(`userdom_rw_user_tmpfs_files',`
## </summary>
## </param>
#
@@ -146376,28 +146158,78 @@ index e720dcd..53ea674 100644
- allow $1 user_tmpfs_t:dir list_dir_perms;
- fs_search_tmpfs($1)
+ allow $1 user_tmpfs_t:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Get the attributes of a user domain tty.
+## Execute user tmpfs files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -2735,35 +3302,53 @@ interface(`userdom_manage_user_tmpfs_files',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`userdom_getattr_user_ttys',`
++interface(`userdom_execute_user_tmpfs_files',`
+ gen_require(`
+- type user_tty_device_t;
++ type user_tmpfs_t;
+ ')
+
+- allow $1 user_tty_device_t:chr_file getattr_chr_file_perms;
++ allow $1 user_tmpfs_t:file execute;
+ ')
+
+ ########################################
+ ## <summary>
+-## Do not audit attempts to get the attributes of a user domain tty.
++## Get the attributes of a user domain tty.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain to not audit.
++## Domain allowed access.
+ ## </summary>
+ ## </param>
+ #
+-interface(`userdom_dontaudit_getattr_user_ttys',`
++interface(`userdom_getattr_user_ttys',`
+ gen_require(`
+ type user_tty_device_t;
+ ')
+
+- dontaudit $1 user_tty_device_t:chr_file getattr_chr_file_perms;
++ allow $1 user_tty_device_t:chr_file getattr_chr_file_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Set the attributes of a user domain tty.
++## Do not audit attempts to get the attributes of a user domain tty.
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain allowed access.
++## Domain to not audit.
+## </summary>
+## </param>
+#
-+interface(`userdom_execute_user_tmpfs_files',`
++interface(`userdom_dontaudit_getattr_user_ttys',`
+ gen_require(`
-+ type user_tmpfs_t;
++ type user_tty_device_t;
+ ')
+
-+ allow $1 user_tmpfs_t:file execute;
- ')
-
- ########################################
-@@ -2674,6 +3368,24 @@ interface(`userdom_use_user_ttys',`
++ dontaudit $1 user_tty_device_t:chr_file getattr_chr_file_perms;
++')
++
++########################################
++## <summary>
++## Set the attributes of a user domain tty.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -2817,6 +3402,24 @@ interface(`userdom_use_user_ttys',`
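Review bot: `userdom_execute_user_tmpfs_files` allows `execute` on `user_tmpfs_t` files with no documentation of the consequence: a caller that also gets write access through the tmpfs interfaces in this file can create a shared-memory file and then map it PROT_EXEC, which is the W^X bypass that `execmem` exists to flag, and nothing gates it behind a boolean. It does not grant `execute_no_trans`, so the file cannot be run as a program, but mapping it executable is enough for JIT-style code injection into the calling domain. Document that in the interface header, e.g. `## Allows mapping user tmpfs (shared-memory) files PROT_EXEC; with write access this bypasses W^X, so grant it only to domains that need JIT.`, and consider wrapping the allow in a tunable if the intended callers are few.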
########################################
## <summary>
@@ -146422,7 +146254,7 @@ index e720dcd..53ea674 100644
## Read and write a user domain pty.
## </summary>
## <param name="domain">
-@@ -2692,22 +3404,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2835,22 +3438,34 @@ interface(`userdom_use_user_ptys',`
########################################
## <summary>
@@ -146465,7 +146297,7 @@ index e720dcd..53ea674 100644
## </desc>
## <param name="domain">
## <summary>
-@@ -2716,14 +3440,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2859,14 +3474,33 @@ interface(`userdom_use_user_ptys',`
## </param>
## <infoflow type="both" weight="10"/>
#
@@ -146503,7 +146335,7 @@ index e720dcd..53ea674 100644
')
########################################
-@@ -2742,8 +3485,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2885,8 +3519,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
type user_tty_device_t, user_devpts_t;
')
@@ -146533,7 +146365,7 @@ index e720dcd..53ea674 100644
')
########################################
-@@ -2815,69 +3577,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2958,69 +3611,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
@@ -146634,7 +146466,7 @@ index e720dcd..53ea674 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2885,12 +3646,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3028,12 +3680,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
## </summary>
## </param>
#
@@ -146649,7 +146481,7 @@ index e720dcd..53ea674 100644
')
########################################
-@@ -2954,7 +3715,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3097,7 +3749,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -146658,7 +146490,7 @@ index e720dcd..53ea674 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -2970,29 +3731,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3113,29 +3765,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -146692,7 +146524,7 @@ index e720dcd..53ea674 100644
')
########################################
-@@ -3074,7 +3819,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3217,7 +3853,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -146701,151 +146533,56 @@ index e720dcd..53ea674 100644
')
########################################
-@@ -3129,12 +3874,13 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3272,7 +3908,64 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
- allow $1 user_tmp_t:file write_file_perms;
+ write_files_pattern($1, user_tmp_t, user_tmp_t)
- ')
-
- ########################################
- ## <summary>
--## Do not audit attempts to use user ttys.
++')
++
++########################################
++## <summary>
+## Do not audit attempts to write users
+## temporary files.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -3142,36 +3888,37 @@ interface(`userdom_write_user_tmp_files',`
- ## </summary>
- ## </param>
- #
--interface(`userdom_dontaudit_use_user_ttys',`
-+interface(`userdom_dontaudit_write_user_tmp_files',`
- gen_require(`
-- type user_tty_device_t;
-+ type user_tmp_t;
- ')
-
-- dontaudit $1 user_tty_device_t:chr_file rw_file_perms;
-+ dontaudit $1 user_tmp_t:file write;
- ')
-
- ########################################
- ## <summary>
--## Read the process state of all user domains.
-+## Do not audit attempts to read/write users
-+## temporary fifo files.
- ## </summary>
- ## <param name="domain">
- ## <summary>
--## Domain allowed access.
-+## Domain to not audit.
- ## </summary>
- ## </param>
- #
--interface(`userdom_read_all_users_state',`
-+interface(`userdom_dontaudit_rw_user_tmp_pipes',`
- gen_require(`
-- attribute userdomain;
-+ type user_tmp_t;
- ')
-
-- read_files_pattern($1, userdomain, userdomain)
-- kernel_search_proc($1)
-+ dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
- ')
-
- ########################################
- ## <summary>
--## Get the attributes of all user domains.
-+## Allow domain to read/write inherited users
-+## fifo files.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -3179,40 +3926,96 @@ interface(`userdom_read_all_users_state',`
- ## </summary>
- ## </param>
- #
--interface(`userdom_getattr_all_users',`
-+interface(`userdom_rw_inherited_user_pipes',`
- gen_require(`
- attribute userdomain;
- ')
-
-- allow $1 userdomain:process getattr;
-+ allow $1 userdomain:fifo_file rw_inherited_fifo_file_perms;
- ')
-
- ########################################
- ## <summary>
--## Inherit the file descriptors from all user domains
-+## Do not audit attempts to use user ttys.
- ## </summary>
- ## <param name="domain">
- ## <summary>
--## Domain allowed access.
++## </summary>
++## <param name="domain">
++## <summary>
+## Domain to not audit.
- ## </summary>
- ## </param>
- #
--interface(`userdom_use_all_users_fds',`
-+interface(`userdom_dontaudit_use_user_ttys',`
- gen_require(`
-- attribute userdomain;
-+ type user_tty_device_t;
- ')
-
-- allow $1 userdomain:fd use;
-+ dontaudit $1 user_tty_device_t:chr_file rw_inherited_file_perms;
- ')
-
- ########################################
- ## <summary>
--## Do not audit attempts to inherit the file
--## descriptors from any user domains.
-+## Read the process state of all user domains.
- ## </summary>
- ## <param name="domain">
- ## <summary>
--## Domain to not audit.
-+## Domain allowed access.
+## </summary>
+## </param>
+#
-+interface(`userdom_read_all_users_state',`
++interface(`userdom_dontaudit_write_user_tmp_files',`
+ gen_require(`
-+ attribute userdomain;
++ type user_tmp_t;
+ ')
+
-+ read_files_pattern($1, userdomain, userdomain)
-+ read_lnk_files_pattern($1,userdomain,userdomain)
-+ kernel_search_proc($1)
++ dontaudit $1 user_tmp_t:file write;
+')
+
+########################################
+## <summary>
-+## Get the attributes of all user domains.
++## Do not audit attempts to read/write users
++## temporary fifo files.
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain allowed access.
++## Domain to not audit.
+## </summary>
+## </param>
+#
-+interface(`userdom_getattr_all_users',`
++interface(`userdom_dontaudit_rw_user_tmp_pipes',`
+ gen_require(`
-+ attribute userdomain;
++ type user_tmp_t;
+ ')
+
-+ allow $1 userdomain:process getattr;
++ dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
+########################################
+## <summary>
-+## Inherit the file descriptors from all user domains
++## Allow domain to read/write inherited users
++## fifo files.
+## </summary>
+## <param name="domain">
+## <summary>
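Review bot: `userdom_dontaudit_write_user_tmp_files` on the new side silences only `dontaudit $1 user_tmp_t:file write;`, while its allow counterpart `userdom_write_user_tmp_files` now grants `write_files_pattern($1, user_tmp_t, user_tmp_t)`, which covers the full `write_file_perms` set plus directory search, so a domain that opens a user tmp file for writing will still log `open`/`getattr` denials. If the intent is to quiet the whole write path, mirror the permission set the replaced line used: `dontaudit $1 user_tmp_t:file write_file_perms;`. The Fedora-only `userdom_read_all_users_state` and `userdom_getattr_all_users` additions that disappear from this span are not lost; they reappear as upstream context in the next hunk, where only `read_lnk_files_pattern` remains a downstream addition.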
@@ -146853,26 +146590,33 @@ index e720dcd..53ea674 100644
+## </summary>
+## </param>
+#
-+interface(`userdom_use_all_users_fds',`
++interface(`userdom_rw_inherited_user_pipes',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
-+ allow $1 userdomain:fd use;
-+')
-+
-+########################################
-+## <summary>
-+## Do not audit attempts to inherit the file
-+## descriptors from any user domains.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain to not audit.
- ## </summary>
- ## </param>
- #
-@@ -3242,6 +4045,42 @@ interface(`userdom_signal_all_users',`
++ allow $1 userdomain:fifo_file rw_inherited_fifo_file_perms;
+ ')
+
+ ########################################
+@@ -3290,7 +3983,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
+ type user_tty_device_t;
+ ')
+
+- dontaudit $1 user_tty_device_t:chr_file rw_file_perms;
++ dontaudit $1 user_tty_device_t:chr_file rw_inherited_file_perms;
+ ')
+
+ ########################################
+@@ -3309,6 +4002,7 @@ interface(`userdom_read_all_users_state',`
+ ')
+
+ read_files_pattern($1, userdomain, userdomain)
++ read_lnk_files_pattern($1,userdomain,userdomain)
+ kernel_search_proc($1)
+ ')
+
+@@ -3385,6 +4079,42 @@ interface(`userdom_signal_all_users',`
allow $1 userdomain:process signal;
')
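Review bot: The added `read_lnk_files_pattern($1,userdomain,userdomain)` in `userdom_read_all_users_state` omits the spaces after the commas that every neighbouring pattern call uses (`read_files_pattern($1, userdomain, userdomain)` one line above); write it as `read_lnk_files_pattern($1, userdomain, userdomain)`. Separately, `userdom_rw_inherited_user_pipes` allows `$1 userdomain:fifo_file rw_inherited_fifo_file_perms`, i.e. pipes labelled with a user domain's own type (unnamed pipes the user process created), not FIFOs under home or tmp, so its summary at the end of the previous hunk ("Allow domain to read/write inherited users fifo files") is easy to confuse with `userdom_dontaudit_rw_user_tmp_pipes`, which targets `user_tmp_t`. Suggest `## Read and write inherited pipes (fifo_file objects labelled with a user domain type).` as the summary.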
@@ -146915,7 +146659,7 @@ index e720dcd..53ea674 100644
########################################
## <summary>
## Send a SIGCHLD signal to all user domains.
-@@ -3262,6 +4101,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3405,6 +4135,24 @@ interface(`userdom_sigchld_all_users',`
########################################
## <summary>
@@ -146940,7 +146684,7 @@ index e720dcd..53ea674 100644
## Create keys for all user domains.
## </summary>
## <param name="domain">
-@@ -3296,3 +4153,1365 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3439,3 +4187,1365 @@ interface(`userdom_dbus_send_all_users',`
allow $1 userdomain:dbus send_msg;
')
@@ -148307,10 +148051,10 @@ index e720dcd..53ea674 100644
+ filetrans_pattern($1, user_tmpfs_t, $2, $3, $4)
+')
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index 6a4bd85..4f23ca8 100644
+index e2b538b..d4d6ea9 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
-@@ -7,48 +7,42 @@ policy_module(userdomain, 4.8.0)
+@@ -7,48 +7,42 @@ policy_module(userdomain, 4.8.5)
## <desc>
## <p>
@@ -148370,9 +148114,9 @@ index 6a4bd85..4f23ca8 100644
# all user domains
attribute userdomain;
-@@ -59,6 +53,22 @@ attribute unpriv_userdomain;
- attribute untrusted_content_type;
- attribute untrusted_content_tmp_type;
+@@ -58,6 +52,22 @@ attribute unpriv_userdomain;
+
+ attribute user_home_content_type;
+attribute userdom_home_reader_type;
+attribute userdom_home_manager_type;
@@ -148393,7 +148137,7 @@ index 6a4bd85..4f23ca8 100644
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
fs_associate_tmpfs(user_home_dir_t)
files_type(user_home_dir_t)
-@@ -71,26 +81,122 @@ ubac_constrained(user_home_dir_t)
+@@ -70,26 +80,124 @@ ubac_constrained(user_home_dir_t)
type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@@ -148518,6 +148262,8 @@ index 6a4bd85..4f23ca8 100644
+ fs_manage_ecryptfs_files(userdom_home_manager_type)
+ fs_manage_ecryptfs_files(userdom_home_manager_type)
+')
++# vi /etc/mtab can cause an avc trying to relabel to self.
++dontaudit userdomain self:file relabelto;
diff --git a/policy/support/misc_patterns.spt b/policy/support/misc_patterns.spt
index e79d545..101086d 100644
--- a/policy/support/misc_patterns.spt
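Review bot: The new `dontaudit userdomain self:file relabelto;` is a pure audit-suppression rule and grants nothing, but it is placed directly after the `')` that closes the preceding block with no separating blank line, and its comment names the trigger without saying why the denial is harmless. Suggest a blank line before it and a comment along the lines of `# Editors such as vi try to preserve the label of the file they rewrite; on /etc/mtab that becomes relabelto on a self-labelled file (presumably because /etc/mtab resolves into /proc/self - confirm), which is never granted and only adds noise to the audit log.` Because `userdomain` covers every user domain, including the unconfined and admin ones, the rule also hides genuine relabel attempts on domain-labelled files; that is acceptable for a dontaudit, but worth stating in the comment.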
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 1b100a3..ccc0018 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -1,57 +1,77 @@
diff --git a/abrt.fc b/abrt.fc
-index 1bd5812..ad5baf5 100644
+index e4f84de..ad5baf5 100644
--- a/abrt.fc
+++ b/abrt.fc
-@@ -1,20 +1,37 @@
- /etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
- /etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
-
--/usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
+@@ -1,30 +1,37 @@
+-/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
+-/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
++/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
++/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
+
+-/usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
+-/usr/bin/abrt-retrace-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
+-/usr/bin/coredump2packages -- gen_context(system_u:object_r:abrt_retrace_coredump_exec_t,s0)
+-/usr/bin/retrace-server-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
+/usr/lib/systemd/system/abrt.* -- gen_context(system_u:object_r:abrt_unit_file_t,s0)
-
--/usr/libexec/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
--/usr/libexec/abrt-hook-python -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
++
+/usr/bin/abrt-dump-oops -- gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
+/usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
+/usr/bin/abrt-watch-log -- gen_context(system_u:object_r:abrt_watch_log_exec_t,s0)
-
- /usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0)
-+/usr/sbin/abrt-dbus -- gen_context(system_u:object_r:abrt_exec_t,s0)
+
-+/usr/libexec/abrt-handle-event -- gen_context(system_u:object_r:abrt_handle_event_exec_t,s0)
++/usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0)
++/usr/sbin/abrt-dbus -- gen_context(system_u:object_r:abrt_exec_t,s0)
- /var/cache/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
- /var/cache/abrt-di(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
+-/usr/libexec/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
+ /usr/libexec/abrt-handle-event -- gen_context(system_u:object_r:abrt_handle_event_exec_t,s0)
+-/usr/libexec/abrt-hook-python -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
--/var/log/abrt-logger -- gen_context(system_u:object_r:abrt_var_log_t,s0)
+-/usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0)
+-/usr/sbin/abrt-dbus -- gen_context(system_u:object_r:abrt_exec_t,s0)
++/var/cache/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
++/var/cache/abrt-di(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
++
+/var/log/abrt-logger.* -- gen_context(system_u:object_r:abrt_var_log_t,s0)
-
- /var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0)
- /var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0)
++
++/var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0)
++/var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0)
+/var/run/abrtd?\.socket -- gen_context(system_u:object_r:abrt_var_run_t,s0)
- /var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0)
++/var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0)
- /var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
-+
+-/var/cache/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
+-/var/cache/abrt-di(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
+-/var/cache/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
+-/var/cache/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
++/var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
+
+-/var/log/abrt-logger.* -- gen_context(system_u:object_r:abrt_var_log_t,s0)
+# ABRT retrace server
+/usr/bin/abrt-retrace-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
+/usr/bin/coredump2packages -- gen_context(system_u:object_r:abrt_retrace_coredump_exec_t,s0)
-+
+
+-/var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0)
+-/var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0)
+-/var/run/abrtd?\.socket -s gen_context(system_u:object_r:abrt_var_run_t,s0)
+-/var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0)
+/var/cache/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
+/var/spool/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
-+
+
+-/var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
+-/var/spool/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
+-/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
+# cjp: new version
+/usr/bin/retrace-server-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
+/var/cache/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
+/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
diff --git a/abrt.if b/abrt.if
-index 0b827c5..cce58bb 100644
+index 058d908..cce58bb 100644
--- a/abrt.if
+++ b/abrt.if
-@@ -2,6 +2,28 @@
-
- ######################################
- ## <summary>
+@@ -1,4 +1,26 @@
+-## <summary>Automated bug-reporting tool.</summary>
++## <summary>ABRT - automated bug-reporting tool</summary>
++
++######################################
++## <summary>
+## Creates types and rules for a basic
+## ABRT daemon domain.
+## </summary>
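Review bot: On the new side the Fedora abrt.fc keeps `/var/run/abrtd?\.socket -- gen_context(system_u:object_r:abrt_var_run_t,s0)` while the upstream line it removes used the `-s` file-type specifier. If that path is a Unix socket, `--` (regular file only) never matches it, so `restorecon`/`fixfiles` leave the object with whatever label it received at creation and the `files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir sock_file })` rule later in this patch becomes the only thing labelling it. Use `-s` for a socket, or drop the type field so any object type matches. The rest of the hunk reorders the same entries and adds `abrt-dbus`, `abrt-dump-oops` and `abrt-watch-log`, which look consistent with the types declared in abrt.te below.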
@@ -71,12 +91,27 @@ index 0b827c5..cce58bb 100644
+
+ kernel_read_system_state($1_t)
+')
-+
-+######################################
-+## <summary>
- ## Execute abrt in the abrt domain.
+
+ ######################################
+ ## <summary>
+@@ -40,7 +62,7 @@ interface(`abrt_exec',`
+
+ ########################################
+ ## <summary>
+-## Send null signals to abrt.
++## Send a null signal to abrt.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -58,7 +80,7 @@ interface(`abrt_signull',`
+
+ ########################################
+ ## <summary>
+-## Read process state of abrt.
++## Allow the domain to read abrt state files in /proc.
## </summary>
## <param name="domain">
+ ## <summary>
@@ -71,12 +93,13 @@ interface(`abrt_read_state',`
type abrt_t;
')
@@ -92,12 +127,49 @@ index 0b827c5..cce58bb 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -160,8 +183,26 @@ interface(`abrt_run_helper',`
+@@ -116,8 +139,7 @@ interface(`abrt_dbus_chat',`
+
+ #####################################
+ ## <summary>
+-## Execute abrt-helper in the abrt
+-## helper domain.
++## Execute abrt-helper in the abrt-helper domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -130,15 +152,13 @@ interface(`abrt_domtrans_helper',`
+ type abrt_helper_t, abrt_helper_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+ domtrans_pattern($1, abrt_helper_exec_t, abrt_helper_t)
+ ')
########################################
## <summary>
--## Send and receive messages from
--## abrt over dbus.
+-## Execute abrt helper in the abrt
+-## helper domain, and allow the
+-## specified role the abrt helper domain.
++## Execute abrt helper in the abrt_helper domain, and
++## allow the specified role the abrt_helper domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -154,17 +174,54 @@ interface(`abrt_domtrans_helper',`
+ #
+ interface(`abrt_run_helper',`
+ gen_require(`
+- attribute_role abrt_helper_roles;
++ type abrt_helper_t;
+ ')
+
+ abrt_domtrans_helper($1)
+- roleattribute $2 abrt_helper_roles;
++ role $2 types abrt_helper_t;
++')
++
++########################################
++## <summary>
+## Read abrt cache
+## </summary>
+## <param name="domain">
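Review bot: `abrt_domtrans_helper` on the new side has no `corecmd_search_bin($1)` ahead of `domtrans_pattern($1, abrt_helper_exec_t, abrt_helper_t)` (the line shows as removed at the top of this hunk; the rendering does not make clear whether this commit or an earlier one dropped it). abrt.fc in this same patch labels the helper at `/usr/bin/abrt-pyhook-helper`, so a caller that does not already hold search on `bin_t` gets a directory search denial and the transition fails. Restore `corecmd_search_bin($1)` before the domtrans, as refpolicy domtrans interfaces conventionally do. In `abrt_run_helper`, `role $2 types abrt_helper_t;` replacing upstream's `roleattribute $2 abrt_helper_roles;` works because `abrt_helper_t` is now required directly, but it is a deliberate divergence that will keep this hunk in the downstream patch indefinitely.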
@@ -118,14 +190,13 @@ index 0b827c5..cce58bb 100644
+########################################
+## <summary>
+## Append abrt cache
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -169,12 +210,52 @@ interface(`abrt_run_helper',`
- ## </summary>
- ## </param>
- #
--interface(`abrt_cache_manage',`
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
+interface(`abrt_append_cache',`
+ gen_require(`
+ type abrt_var_cache_t;
@@ -133,18 +204,23 @@ index 0b827c5..cce58bb 100644
+
+
+ allow $1 abrt_var_cache_t:file append_inherited_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete
+-## abrt cache files.
+## Read/Write inherited abrt cache
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -172,15 +229,18 @@ interface(`abrt_run_helper',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`abrt_cache_manage',`
+- refpolicywarn(`$0($*) has been deprecated, use abrt_manage_cache() instead.')
+- abrt_manage_cache($1)
+interface(`abrt_rw_inherited_cache',`
+ gen_require(`
+ type abrt_var_cache_t;
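Review bot: The new side deletes upstream's compatibility wrapper `abrt_cache_manage` (the `refpolicywarn` shim that forwards to `abrt_manage_cache`), so any third-party or older local module still calling `abrt_cache_manage` will fail to build against this policy instead of getting a deprecation warning. Unless every caller is known to be converted, keep upstream's three-line shim as it is. Also, the body of `abrt_append_cache` carries two consecutive blank lines before `allow $1 abrt_var_cache_t:file append_inherited_file_perms;`, which no other interface in this file does; collapse them to one.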
@@ -152,30 +228,53 @@ index 0b827c5..cce58bb 100644
+
+
+ allow $1 abrt_var_cache_t:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete
+-## abrt cache content.
+## Manage abrt cache
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`abrt_manage_cache',`
- gen_require(`
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -193,7 +253,6 @@ interface(`abrt_manage_cache',`
type abrt_var_cache_t;
')
+- files_search_var($1)
manage_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
-+ manage_lnk_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
-+ manage_dirs_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
- ')
+ manage_lnk_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
+ manage_dirs_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
+@@ -201,7 +260,7 @@ interface(`abrt_manage_cache',`
####################################
-@@ -253,6 +334,47 @@ interface(`abrt_manage_pid_files',`
+ ## <summary>
+-## Read abrt configuration files.
++## Read abrt configuration file.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -220,7 +279,7 @@ interface(`abrt_read_config',`
+
+ ######################################
+ ## <summary>
+-## Read abrt log files.
++## Read abrt logs.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -258,8 +317,7 @@ interface(`abrt_read_pid_files',`
+
+ ######################################
+ ## <summary>
+-## Create, read, write, and delete
+-## abrt PID files.
++## Create, read, write, and delete abrt PID files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -276,10 +334,51 @@ interface(`abrt_manage_pid_files',`
manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t)
')
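Review bot: `abrt_manage_cache` on the new side removes `files_search_var($1)` ahead of `manage_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)`, so callers must already hold search on `var_t` to reach `/var/cache/abrt`; a domain given this interface alone will now be denied at the `/var` directory. If the removal is deliberate it should be stated in the interface summary (the neighbouring `abrt_append_cache` and `abrt_rw_inherited_cache` need no search because they act on inherited descriptors, which is not the case here); otherwise restore the line. The remaining changes in the hunk only reword upstream's summaries (`Read abrt configuration files.` → `Read abrt configuration file.`), which enlarges the downstream patch without changing policy.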
@@ -222,22 +321,45 @@ index 0b827c5..cce58bb 100644
+
#####################################
## <summary>
- ## All of the rules required to administrate
-@@ -276,28 +398,135 @@ interface(`abrt_admin',`
- type abrt_var_cache_t, abrt_var_log_t;
- type abrt_var_run_t, abrt_tmp_t;
- type abrt_initrc_exec_t;
+-## All of the rules required to
+-## administrate an abrt environment,
++## All of the rules required to administrate
++## an abrt environment
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -288,39 +387,146 @@ interface(`abrt_manage_pid_files',`
+ ## </param>
+ ## <param name="role">
+ ## <summary>
+-## Role allowed access.
++## The role to be allowed to manage the abrt domain.
+ ## </summary>
+ ## </param>
+ ## <rolecap/>
+ #
+ interface(`abrt_admin',`
+ gen_require(`
+- attribute abrt_domain;
+- type abrt_t, abrt_etc_t, abrt_initrc_exec_t;
+- type abrt_var_cache_t, abrt_var_log_t, abrt_retrace_cache_t;
+- type abrt_var_run_t, abrt_tmp_t, abrt_retrace_spool_t;
++ type abrt_t, abrt_etc_t;
++ type abrt_var_cache_t, abrt_var_log_t;
++ type abrt_var_run_t, abrt_tmp_t;
++ type abrt_initrc_exec_t;
+ type abrt_unit_file_t;
')
-- allow $1 abrt_t:process { ptrace signal_perms };
+- allow $1 abrt_domain:process { ptrace signal_perms };
+- ps_process_pattern($1, abrt_domain)
+ allow $1 abrt_t:process { signal_perms };
- ps_process_pattern($1, abrt_t)
-
++ ps_process_pattern($1, abrt_t)
++
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 abrt_t:process ptrace;
+ ')
-+
+
init_labeled_script_domtrans($1, abrt_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 abrt_initrc_exec_t system_r;
@@ -252,8 +374,9 @@ index 0b827c5..cce58bb 100644
admin_pattern($1, abrt_var_log_t)
- files_search_var($1)
+- admin_pattern($1, { abrt_retrace_cache_t abrt_var_cache_t abrt_retrace_spool_t })
+ files_list_var($1)
- admin_pattern($1, abrt_var_cache_t)
++ admin_pattern($1, abrt_var_cache_t)
- files_search_pids($1)
+ files_list_pids($1)
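Review bot: `abrt_admin` on the new side narrows upstream's `allow $1 abrt_domain:process …` and `ps_process_pattern($1, abrt_domain)` to `abrt_t` only and drops `abrt_retrace_cache_t` and `abrt_retrace_spool_t` from both `gen_require` and the `admin_pattern` call, so an admin role given this interface can no longer inspect or signal the other abrt domains (helper, dump-oops, handle-event, watch-log and the retrace domains, going by the `abrt_domain` declarations shown later in this patch) nor manage the retrace cache and spool. If the narrower scope is intended it should be documented in the interface summary; otherwise keep `attribute abrt_domain;` in the require block and use `admin_pattern($1, { abrt_retrace_cache_t abrt_var_cache_t abrt_retrace_spool_t })` as upstream does. Gating ptrace behind `tunable_policy(`deny_ptrace', …)` is a reasonable hardening; `allow $1 abrt_t:process { signal_perms };` does not need the braces around a single permission-set macro. Whether `abrt_basic_types_template` adds its types to `abrt_domain` is not visible here, so the list of affected domains is inferred.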
@@ -366,33 +489,51 @@ index 0b827c5..cce58bb 100644
+ dontaudit $1 abrt_t:sock_file write;
')
diff --git a/abrt.te b/abrt.te
-index 30861ec..864d511 100644
+index cc43d25..6d98338 100644
--- a/abrt.te
+++ b/abrt.te
-@@ -5,13 +5,33 @@ policy_module(abrt, 1.2.0)
- # Declarations
+@@ -1,4 +1,4 @@
+-policy_module(abrt, 1.3.4)
++policy_module(abrt, 1.2.0)
+
+ ########################################
+ #
+@@ -6,129 +6,141 @@ policy_module(abrt, 1.3.4)
#
--type abrt_t;
--type abrt_exec_t;
-+## <desc>
+ ## <desc>
+-## <p>
+-## Determine whether ABRT can modify
+-## public files used for public file
+-## transfer services.
+-## </p>
+## <p>
+## Allow ABRT to modify public files
+## used for public file transfer services.
+## </p>
-+## </desc>
-+gen_tunable(abrt_anon_write, false)
-+
-+## <desc>
+ ## </desc>
+ gen_tunable(abrt_anon_write, false)
+
+ ## <desc>
+-## <p>
+-## Determine whether ABRT can run in
+-## the abrt_handle_event_t domain to
+-## handle ABRT event scripts.
+-## </p>
+## <p>
+## Allow ABRT to run in abrt_handle_event_t domain
+## to handle ABRT event scripts
+## </p>
-+## </desc>
-+gen_tunable(abrt_handle_event, false)
-+
-+attribute abrt_domain;
-+
+ ## </desc>
+ gen_tunable(abrt_handle_event, false)
+
+ attribute abrt_domain;
+
+-attribute_role abrt_helper_roles;
+-roleattribute system_r abrt_helper_roles;
+-
+-type abrt_t, abrt_domain;
+-type abrt_exec_t;
+abrt_basic_types_template(abrt)
init_daemon_domain(abrt_t, abrt_exec_t)
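Review bot: The new side of this hunk makes the Fedora patch rewrite upstream's `policy_module(abrt, 1.3.4)` to `policy_module(abrt, 1.2.0)`, a version downgrade carried in the downstream patch. The module version is what `semodule -l` reports and what people compare when triaging bugs, so a module claiming 1.2.0 while containing post-1.3.4 content is misleading; drop those two lines from the patch so upstream's `1.3.4` stands, or bump to a value above upstream's. The remaining changes here only revert the two tunable `<desc>` blocks to the older phrasing, which adds patch churn without changing the booleans.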
@@ -402,257 +543,309 @@ index 30861ec..864d511 100644
+type abrt_unit_file_t;
+systemd_unit_file(abrt_unit_file_t)
+
- # etc files
++# etc files
type abrt_etc_t;
files_config_file(abrt_etc_t)
-@@ -32,10 +52,20 @@ files_type(abrt_var_cache_t)
+
++# log files
+ type abrt_var_log_t;
+ logging_log_file(abrt_var_log_t)
+
++# tmp files
+ type abrt_tmp_t;
+ files_tmp_file(abrt_tmp_t)
+
++# var/cache files
+ type abrt_var_cache_t;
+ files_type(abrt_var_cache_t)
+
++# pid files
type abrt_var_run_t;
files_pid_file(abrt_var_run_t)
+-type abrt_dump_oops_t, abrt_domain;
+-type abrt_dump_oops_exec_t;
+abrt_basic_types_template(abrt_dump_oops)
-+init_system_domain(abrt_dump_oops_t, abrt_dump_oops_exec_t)
-+
+ init_system_domain(abrt_dump_oops_t, abrt_dump_oops_exec_t)
+
+-type abrt_handle_event_t, abrt_domain;
+-type abrt_handle_event_exec_t;
+-domain_type(abrt_handle_event_t)
+-domain_entry_file(abrt_handle_event_t, abrt_handle_event_exec_t)
+# type for abrt-handle-event to handle
+# ABRT event scripts
+abrt_basic_types_template(abrt_handle_event)
+application_domain(abrt_handle_event_t, abrt_handle_event_exec_t)
-+role system_r types abrt_handle_event_t;
-+
- # type needed to allow all domains
- # to handle /var/cache/abrt
--type abrt_helper_t;
+ role system_r types abrt_handle_event_t;
+
+-type abrt_helper_t, abrt_domain;
-type abrt_helper_exec_t;
+# type needed to allow all domains
+# to handle /var/cache/abrt
++# type needed to allow all domains
++# to handle /var/cache/abrt
+abrt_basic_types_template(abrt_helper)
application_domain(abrt_helper_t, abrt_helper_exec_t)
- role system_r types abrt_helper_t;
-
-@@ -43,14 +73,36 @@ ifdef(`enable_mcs',`
- init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
- ')
-
+-role abrt_helper_roles types abrt_helper_t;
++role system_r types abrt_helper_t;
+
+-type abrt_retrace_coredump_t, abrt_domain;
+-type abrt_retrace_coredump_exec_t;
+-domain_type(abrt_retrace_coredump_t)
+-domain_entry_file(abrt_retrace_coredump_t, abrt_retrace_coredump_exec_t)
+-role system_r types abrt_retrace_coredump_t;
++ifdef(`enable_mcs',`
++ init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
++')
++
+#
+# Support for ABRT retrace server
+#
-+
+
+-type abrt_retrace_worker_t, abrt_domain;
+-type abrt_retrace_worker_exec_t;
+-domain_type(abrt_retrace_worker_t)
+-domain_entry_file(abrt_retrace_worker_t, abrt_retrace_worker_exec_t)
+abrt_basic_types_template(abrt_retrace_worker)
+application_domain(abrt_retrace_worker_t, abrt_retrace_worker_exec_t)
-+role system_r types abrt_retrace_worker_t;
-+
+ role system_r types abrt_retrace_worker_t;
+
+abrt_basic_types_template(abrt_retrace_coredump)
+application_domain(abrt_retrace_coredump_t, abrt_retrace_coredump_exec_t)
+role system_r types abrt_retrace_coredump_t;
+
-+type abrt_retrace_cache_t;
-+files_type(abrt_retrace_cache_t)
-+
-+type abrt_retrace_spool_t;
+ type abrt_retrace_cache_t;
+ files_type(abrt_retrace_cache_t)
+
+ type abrt_retrace_spool_t;
+-files_type(abrt_retrace_spool_t)
+files_spool_file(abrt_retrace_spool_t)
-+
+
+-type abrt_watch_log_t, abrt_domain;
+-type abrt_watch_log_exec_t;
+# Support abrt-watch log
+abrt_basic_types_template(abrt_watch_log)
-+init_daemon_domain(abrt_watch_log_t, abrt_watch_log_exec_t)
-+
+ init_daemon_domain(abrt_watch_log_t, abrt_watch_log_exec_t)
+
+-ifdef(`enable_mcs',`
+- init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
+-')
+-
########################################
#
- # abrt local policy
+-# Local policy
++# abrt local policy
#
--allow abrt_t self:capability { chown kill setuid setgid sys_nice dac_override };
-+allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice };
+ allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice };
dontaudit abrt_t self:capability sys_rawio;
--allow abrt_t self:process { signal signull setsched getsched };
-+allow abrt_t self:process { setpgid sigkill signal signull setsched getsched };
-
+ allow abrt_t self:process { setpgid sigkill signal signull setsched getsched };
++
allow abrt_t self:fifo_file rw_fifo_file_perms;
- allow abrt_t self:tcp_socket create_stream_socket_perms;
-@@ -59,6 +111,7 @@ allow abrt_t self:unix_dgram_socket create_socket_perms;
- allow abrt_t self:netlink_route_socket r_netlink_socket_perms;
-
- # abrt etc files
+-allow abrt_t self:tcp_socket { accept listen };
++allow abrt_t self:tcp_socket create_stream_socket_perms;
++allow abrt_t self:udp_socket create_socket_perms;
++allow abrt_t self:unix_dgram_socket create_socket_perms;
++allow abrt_t self:netlink_route_socket r_netlink_socket_perms;
+
+-allow abrt_t abrt_etc_t:dir list_dir_perms;
++# abrt etc files
+list_dirs_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
- # log file
-@@ -68,7 +121,9 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file)
- # abrt tmp files
++# log file
+ manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t)
+ logging_log_filetrans(abrt_t, abrt_var_log_t, file)
+
++# abrt tmp files
manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
-+manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
+ manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
+can_exec(abrt_t, abrt_tmp_t)
- # abrt var/cache files
++# abrt var/cache files
manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
-@@ -82,10 +137,12 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
+ manage_dirs_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
+ manage_lnk_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
+ files_var_filetrans(abrt_t, abrt_var_cache_t, { file dir })
+ files_spool_filetrans(abrt_t, abrt_var_cache_t, dir)
+
++# abrt pid files
+ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
--files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir })
-+files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir sock_file })
-+
-+kernel_read_ring_buffer(abrt_t)
-+kernel_request_load_module(abrt_t)
+ files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir sock_file })
+-can_exec(abrt_t, abrt_tmp_t)
+-
kernel_read_ring_buffer(abrt_t)
-kernel_read_system_state(abrt_t)
++kernel_read_network_state(abrt_t)
+ kernel_request_load_module(abrt_t)
kernel_rw_kernel_sysctl(abrt_t)
- corecmd_exec_bin(abrt_t)
-@@ -93,7 +150,6 @@ corecmd_exec_shell(abrt_t)
+@@ -137,16 +149,14 @@ corecmd_exec_shell(abrt_t)
corecmd_read_all_executables(abrt_t)
corenet_all_recvfrom_netlabel(abrt_t)
-corenet_all_recvfrom_unlabeled(abrt_t)
corenet_tcp_sendrecv_generic_if(abrt_t)
corenet_tcp_sendrecv_generic_node(abrt_t)
- corenet_tcp_sendrecv_generic_port(abrt_t)
-@@ -104,6 +160,8 @@ corenet_tcp_connect_all_ports(abrt_t)
- corenet_sendrecv_http_client_packets(abrt_t)
+-corenet_tcp_sendrecv_all_ports(abrt_t)
++corenet_tcp_sendrecv_generic_port(abrt_t)
+ corenet_tcp_bind_generic_node(abrt_t)
+-
+-corenet_sendrecv_all_client_packets(abrt_t)
+ corenet_tcp_connect_http_port(abrt_t)
+ corenet_tcp_connect_ftp_port(abrt_t)
+ corenet_tcp_connect_all_ports(abrt_t)
++corenet_sendrecv_http_client_packets(abrt_t)
dev_getattr_all_chr_files(abrt_t)
-+dev_getattr_all_blk_files(abrt_t)
-+dev_read_rand(abrt_t)
- dev_read_urand(abrt_t)
- dev_rw_sysfs(abrt_t)
- dev_dontaudit_read_raw_memory(abrt_t)
-@@ -113,7 +171,8 @@ domain_read_all_domains_state(abrt_t)
- domain_signull_all_domains(abrt_t)
-
- files_getattr_all_files(abrt_t)
--files_read_etc_files(abrt_t)
-+files_read_config_files(abrt_t)
-+files_read_etc_runtime_files(abrt_t)
+ dev_getattr_all_blk_files(abrt_t)
+@@ -163,29 +173,35 @@ files_getattr_all_files(abrt_t)
+ files_read_config_files(abrt_t)
+ files_read_etc_runtime_files(abrt_t)
files_read_var_symlinks(abrt_t)
- files_read_var_lib_files(abrt_t)
++files_read_var_lib_files(abrt_t)
files_read_usr_files(abrt_t)
-@@ -121,6 +180,9 @@ files_read_generic_tmp_files(abrt_t)
++files_read_generic_tmp_files(abrt_t)
files_read_kernel_modules(abrt_t)
- files_dontaudit_list_default(abrt_t)
++files_dontaudit_list_default(abrt_t)
files_dontaudit_read_default_files(abrt_t)
-+files_dontaudit_read_all_symlinks(abrt_t)
-+files_dontaudit_getattr_all_sockets(abrt_t)
-+files_list_mnt(abrt_t)
+ files_dontaudit_read_all_symlinks(abrt_t)
+ files_dontaudit_getattr_all_sockets(abrt_t)
+ files_list_mnt(abrt_t)
- fs_list_inotifyfs(abrt_t)
++fs_list_inotifyfs(abrt_t)
fs_getattr_all_fs(abrt_t)
-@@ -131,22 +193,37 @@ fs_read_nfs_files(abrt_t)
+ fs_getattr_all_dirs(abrt_t)
+-fs_list_inotifyfs(abrt_t)
+ fs_read_fusefs_files(abrt_t)
+ fs_read_noxattr_fs_files(abrt_t)
+ fs_read_nfs_files(abrt_t)
fs_read_nfs_symlinks(abrt_t)
fs_search_all(abrt_t)
--sysnet_read_config(abrt_t)
+-auth_use_nsswitch(abrt_t)
-
logging_read_generic_logs(abrt_t)
- logging_send_syslog_msg(abrt_t)
++logging_send_syslog_msg(abrt_t)
+auth_use_nsswitch(abrt_t)
+
- miscfiles_read_generic_certs(abrt_t)
--miscfiles_read_localization(abrt_t)
-+miscfiles_read_public_files(abrt_t)
++miscfiles_read_generic_certs(abrt_t)
+ miscfiles_read_public_files(abrt_t)
userdom_dontaudit_read_user_home_content_files(abrt_t)
+userdom_dontaudit_read_admin_home_files(abrt_t)
-+
-+tunable_policy(`abrt_anon_write',`
-+ miscfiles_manage_public_files(abrt_t)
-+')
-+
-+optional_policy(`
-+ apache_list_modules(abrt_t)
+
+ tunable_policy(`abrt_anon_write',`
+ miscfiles_manage_public_files(abrt_t)
+@@ -193,15 +209,11 @@ tunable_policy(`abrt_anon_write',`
+
+ optional_policy(`
+ apache_list_modules(abrt_t)
+- apache_read_module_files(abrt_t)
+ apache_read_modules(abrt_t)
-+')
+ ')
optional_policy(`
dbus_system_domain(abrt_t, abrt_exec_t)
+-
+- optional_policy(`
+- policykit_dbus_chat(abrt_t)
+- ')
+ ')
+
+ optional_policy(`
+@@ -209,6 +221,12 @@ optional_policy(`
')
optional_policy(`
-- nis_use_ypbind(abrt_t)
-+ dmesg_domtrans(abrt_t)
++ mozilla_plugin_dontaudit_rw_tmp_files(abrt_t)
++ mozilla_plugin_read_rw_files(abrt_t)
+')
+
+optional_policy(`
-+ mozilla_plugin_dontaudit_rw_tmp_files(abrt_t)
-+ mozilla_plugin_read_rw_files(abrt_t)
++ policykit_dbus_chat(abrt_t)
+ policykit_domtrans_auth(abrt_t)
+ policykit_read_lib(abrt_t)
+ policykit_read_reload(abrt_t)
+@@ -220,6 +238,7 @@ optional_policy(`
+ corecmd_exec_all_executables(abrt_t)
')
++# to install debuginfo packages
optional_policy(`
-@@ -167,6 +244,7 @@ optional_policy(`
rpm_exec(abrt_t)
rpm_dontaudit_manage_db(abrt_t)
- rpm_manage_cache(abrt_t)
-+ rpm_manage_log(abrt_t)
- rpm_manage_pid_files(abrt_t)
- rpm_read_db(abrt_t)
+@@ -230,6 +249,7 @@ optional_policy(`
rpm_signull(abrt_t)
-@@ -178,9 +256,36 @@ optional_policy(`
')
++# to run mailx plugin
optional_policy(`
-+ sosreport_domtrans(abrt_t)
-+ sosreport_read_tmp_files(abrt_t)
-+ sosreport_delete_tmp_files(abrt_t)
-+')
-+
-+optional_policy(`
- sssd_stream_connect(abrt_t)
+ sendmail_domtrans(abrt_t)
+ ')
+@@ -240,9 +260,17 @@ optional_policy(`
+ sosreport_delete_tmp_files(abrt_t)
')
+optional_policy(`
-+ xserver_read_log(abrt_t)
++ sssd_stream_connect(abrt_t)
+')
+
-+#######################################
-+#
-+# abrt-handle-event local policy
-+#
-+
-+allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
-+
-+tunable_policy(`abrt_handle_event',`
-+ domtrans_pattern(abrt_t, abrt_handle_event_exec_t, abrt_handle_event_t)
-+',`
-+ can_exec(abrt_t, abrt_handle_event_exec_t)
++optional_policy(`
++ xserver_read_log(abrt_t)
+')
+
+ #######################################
+ #
+-# Handle-event local policy
++# abrt-handle-event local policy
+ #
+
+ allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
+@@ -253,9 +281,13 @@ tunable_policy(`abrt_handle_event',`
+ can_exec(abrt_t, abrt_handle_event_exec_t)
+ ')
+
+optional_policy(`
+ unconfined_domain(abrt_handle_event_t)
+')
+
########################################
#
- # abrt--helper local policy
-@@ -200,9 +305,11 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
- read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
- read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
+-# Helper local policy
++# abrt--helper local policy
+ #
+
+ allow abrt_helper_t self:capability { chown setgid sys_nice };
+@@ -276,15 +308,20 @@ corecmd_read_all_executables(abrt_helper_t)
-+corecmd_read_all_executables(abrt_helper_t)
-+
domain_read_all_domains_state(abrt_helper_t)
--files_read_etc_files(abrt_helper_t)
+files_dontaudit_all_non_security_leaks(abrt_helper_t)
-
++
fs_list_inotifyfs(abrt_helper_t)
fs_getattr_all_fs(abrt_helper_t)
-@@ -211,12 +318,11 @@ auth_use_nsswitch(abrt_helper_t)
- logging_send_syslog_msg(abrt_helper_t)
+ auth_use_nsswitch(abrt_helper_t)
--miscfiles_read_localization(abrt_helper_t)
--
++logging_send_syslog_msg(abrt_helper_t)
++
term_dontaudit_use_all_ttys(abrt_helper_t)
term_dontaudit_use_all_ptys(abrt_helper_t)
--ifdef(`hide_broken_symptoms', `
-+ifdef(`hide_broken_symptoms',`
+ ifdef(`hide_broken_symptoms',`
+ domain_dontaudit_leaks(abrt_helper_t)
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -224,4 +330,149 @@ ifdef(`hide_broken_symptoms', `
+@@ -292,11 +329,25 @@ ifdef(`hide_broken_symptoms',`
dev_dontaudit_write_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_blk_files(abrt_helper_t)
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -660,7 +853,7 @@ index 30861ec..864d511 100644
+ optional_policy(`
+ rpm_dontaudit_leaks(abrt_helper_t)
+ ')
- ')
++')
+
+ifdef(`hide_broken_symptoms',`
+ gen_require(`
@@ -670,188 +863,130 @@ index 30861ec..864d511 100644
+ allow abrt_t self:capability sys_resource;
+ allow abrt_t domain:file write;
+ allow abrt_t domain:process setrlimit;
-+')
-+
-+#######################################
-+#
+ ')
+
+ #######################################
+ #
+-# Retrace coredump policy
+# abrt retrace coredump policy
-+#
-+
-+allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
-+
-+list_dirs_pattern(abrt_retrace_coredump_t, abrt_retrace_cache_t, abrt_retrace_cache_t)
-+read_files_pattern(abrt_retrace_coredump_t, abrt_retrace_cache_t, abrt_retrace_cache_t)
-+read_lnk_files_pattern(abrt_retrace_coredump_t, abrt_retrace_cache_t, abrt_retrace_cache_t)
-+
-+list_dirs_pattern(abrt_retrace_coredump_t, abrt_retrace_spool_t, abrt_retrace_spool_t)
-+read_files_pattern(abrt_retrace_coredump_t, abrt_retrace_spool_t, abrt_retrace_spool_t)
-+read_lnk_files_pattern(abrt_retrace_coredump_t, abrt_retrace_spool_t, abrt_retrace_spool_t)
-+
-+corecmd_exec_bin(abrt_retrace_coredump_t)
-+corecmd_exec_shell(abrt_retrace_coredump_t)
-+
-+dev_read_urand(abrt_retrace_coredump_t)
-+
-+files_read_usr_files(abrt_retrace_coredump_t)
-+
+ #
+
+ allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
+@@ -316,8 +367,11 @@ dev_read_urand(abrt_retrace_coredump_t)
+
+ files_read_usr_files(abrt_retrace_coredump_t)
+
+logging_send_syslog_msg(abrt_retrace_coredump_t)
+
-+sysnet_dns_name_resolve(abrt_retrace_coredump_t)
-+
+ sysnet_dns_name_resolve(abrt_retrace_coredump_t)
+
+# to install debuginfo packages
-+optional_policy(`
-+ rpm_exec(abrt_retrace_coredump_t)
-+ rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
-+ rpm_manage_cache(abrt_retrace_coredump_t)
-+ rpm_manage_log(abrt_retrace_coredump_t)
-+ rpm_manage_pid_files(abrt_retrace_coredump_t)
-+ rpm_read_db(abrt_retrace_coredump_t)
-+ rpm_signull(abrt_retrace_coredump_t)
-+')
-+
-+#######################################
-+#
+ optional_policy(`
+ rpm_exec(abrt_retrace_coredump_t)
+ rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
+@@ -330,10 +384,11 @@ optional_policy(`
+
+ #######################################
+ #
+-# Retrace worker policy
+# abrt retrace worker policy
-+#
-+
+ #
+
+-allow abrt_retrace_worker_t self:capability setuid;
+allow abrt_retrace_worker_t self:capability { setuid };
+
-+allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
-+
-+domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
-+allow abrt_retrace_worker_t abrt_retrace_coredump_exec_t:file ioctl;
-+
-+manage_dirs_pattern(abrt_retrace_worker_t, abrt_retrace_spool_t, abrt_retrace_spool_t)
-+manage_files_pattern(abrt_retrace_worker_t, abrt_retrace_spool_t, abrt_retrace_spool_t)
-+manage_lnk_files_pattern(abrt_retrace_worker_t, abrt_retrace_spool_t, abrt_retrace_spool_t)
-+
-+allow abrt_retrace_worker_t abrt_etc_t:file read_file_perms;
-+
-+can_exec(abrt_retrace_worker_t, abrt_retrace_worker_exec_t)
-+
-+corecmd_exec_bin(abrt_retrace_worker_t)
-+corecmd_exec_shell(abrt_retrace_worker_t)
-+
-+dev_read_urand(abrt_retrace_worker_t)
-+
-+files_read_usr_files(abrt_retrace_worker_t)
-+
+ allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
+
+ domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
+@@ -354,16 +409,22 @@ dev_read_urand(abrt_retrace_worker_t)
+
+ files_read_usr_files(abrt_retrace_worker_t)
+
+logging_send_syslog_msg(abrt_retrace_worker_t)
+
-+sysnet_dns_name_resolve(abrt_retrace_worker_t)
-+
+ sysnet_dns_name_resolve(abrt_retrace_worker_t)
+
+optional_policy(`
+ mock_domtrans(abrt_retrace_worker_t)
+')
+
-+########################################
-+#
+ ########################################
+ #
+-# Dump oops local policy
+# abrt_dump_oops local policy
-+#
-+
-+allow abrt_dump_oops_t self:capability dac_override;
-+allow abrt_dump_oops_t self:fifo_file rw_fifo_file_perms;
+ #
+
+ allow abrt_dump_oops_t self:capability dac_override;
+ allow abrt_dump_oops_t self:fifo_file rw_fifo_file_perms;
+-allow abrt_dump_oops_t self:unix_stream_socket { accept listen };
+allow abrt_dump_oops_t self:unix_stream_socket create_stream_socket_perms;
-+
-+files_search_spool(abrt_dump_oops_t)
-+manage_dirs_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t)
-+manage_files_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t)
-+manage_lnk_files_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t)
-+files_var_filetrans(abrt_dump_oops_t, abrt_var_cache_t, { file dir })
-+
-+read_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t)
-+read_lnk_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t)
-+
-+read_files_pattern(abrt_dump_oops_t, abrt_etc_t, abrt_etc_t)
-+
+
+ files_search_spool(abrt_dump_oops_t)
+ manage_dirs_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t)
+@@ -376,6 +437,7 @@ read_lnk_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t)
+
+ read_files_pattern(abrt_dump_oops_t, abrt_etc_t, abrt_etc_t)
+
+kernel_read_debugfs(abrt_dump_oops_t)
-+kernel_read_kernel_sysctls(abrt_dump_oops_t)
-+kernel_read_ring_buffer(abrt_dump_oops_t)
-+
-+domain_use_interactive_fds(abrt_dump_oops_t)
-+
-+fs_list_inotifyfs(abrt_dump_oops_t)
-+
-+logging_read_generic_logs(abrt_dump_oops_t)
+ kernel_read_kernel_sysctls(abrt_dump_oops_t)
+ kernel_read_ring_buffer(abrt_dump_oops_t)
+
+@@ -384,14 +446,15 @@ domain_use_interactive_fds(abrt_dump_oops_t)
+ fs_list_inotifyfs(abrt_dump_oops_t)
+
+ logging_read_generic_logs(abrt_dump_oops_t)
+logging_send_syslog_msg(abrt_dump_oops_t)
-+
-+#######################################
-+#
+
+ #######################################
+ #
+-# Watch log local policy
+# abrt_watch_log local policy
-+#
-+
-+allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
+ #
+
+ allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
+-allow abrt_watch_log_t self:unix_stream_socket { accept listen };
+allow abrt_watch_log_t self:unix_stream_socket create_stream_socket_perms;
-+
-+read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
-+
-+domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
-+
-+corecmd_exec_bin(abrt_watch_log_t)
-+
-+logging_read_all_logs(abrt_watch_log_t)
+
+ read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
+
+@@ -400,16 +463,15 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
+ corecmd_exec_bin(abrt_watch_log_t)
+
+ logging_read_all_logs(abrt_watch_log_t)
+logging_send_syslog_msg(abrt_watch_log_t)
+
+optional_policy(`
+ unconfined_domain(abrt_watch_log_t)
+')
-+
-+#######################################
-+#
+
+ #######################################
+ #
+-# Global local policy
+# Local policy for all abrt domain
-+#
-+
-+files_read_etc_files(abrt_domain)
+ #
+
+-kernel_read_system_state(abrt_domain)
+-
+ files_read_etc_files(abrt_domain)
+-
+-logging_send_syslog_msg(abrt_domain)
+-
+-miscfiles_read_localization(abrt_domain)
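Review bot: On the new side the patch now replaces upstream's `allow abrt_dump_oops_t self:unix_stream_socket { accept listen };` and the matching abrt_watch_log_t rule with `create_stream_socket_perms`, which also grants create, bind, connect, read and write, so it is wider than what upstream settled on; if only accept and listen are exercised, keep the upstream lines and drop the two `-`/`+` pairs. The `-allow abrt_retrace_worker_t self:capability setuid;` / `+allow abrt_retrace_worker_t self:capability { setuid };` pair is semantically a no-op and only keeps the downstream patch diverging from upstream. The patch also now strips `kernel_read_system_state(abrt_domain)` from the attribute-wide block at the end of the hunk; no per-domain replacement is visible here, so confirm the abrt domains still receive it elsewhere before this removal lands.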
diff --git a/accountsd.fc b/accountsd.fc
-index 1adca53..18e0e41 100644
+index f9d8d7a..0682710 100644
--- a/accountsd.fc
+++ b/accountsd.fc
@@ -1,3 +1,5 @@
+/usr/lib/systemd/system/accountsd.* -- gen_context(system_u:object_r:accountsd_unit_file_t,s0)
+
- /usr/libexec/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0)
+ /usr/libexec/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0)
- /var/lib/AccountsService(/.*)? gen_context(system_u:object_r:accountsd_var_lib_t,s0)
+ /usr/lib/accountsservice/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0)
diff --git a/accountsd.if b/accountsd.if
-index c0f858d..4a3dab6 100644
+index bd5ec9a..a5ed692 100644
--- a/accountsd.if
+++ b/accountsd.if
-@@ -5,9 +5,9 @@
- ## Execute a domain transition to run accountsd.
- ## </summary>
- ## <param name="domain">
--## <summary>
-+## <summary>
- ## Domain allowed access.
--## </summary>
-+## </summary>
- ## </param>
- #
- interface(`accountsd_domtrans',`
-@@ -25,7 +25,7 @@ interface(`accountsd_domtrans',`
- ## </summary>
- ## <param name="domain">
- ## <summary>
--## Domain allowed access.
-+## Domain to not audit.
- ## </summary>
- ## </param>
- #
-@@ -93,6 +93,7 @@ interface(`accountsd_read_lib_files',`
- ')
-
- files_search_var_lib($1)
-+ allow $1 accountsd_var_lib_t:dir list_dir_perms;
- read_files_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t)
- ')
-
-@@ -118,28 +119,54 @@ interface(`accountsd_manage_lib_files',`
-
- ########################################
- ## <summary>
--## All of the rules required to administrate
--## an accountsd environment
-+## Execute accountsd server in the accountsd domain.
+@@ -126,23 +126,50 @@ interface(`accountsd_manage_lib_files',`
## </summary>
## <param name="domain">
## <summary>
@@ -893,7 +1028,7 @@ index c0f858d..4a3dab6 100644
+ type accountsd_unit_file_t;
')
-- allow $1 accountsd_t:process { ptrace signal_perms getattr };
+- allow $1 accountsd_t:process { ptrace signal_perms };
+ allow $1 accountsd_t:process signal_perms;
ps_process_pattern($1, accountsd_t)
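Review bot: The new side keeps the downstream `allow $1 accountsd_t:process signal_perms;` against upstream's updated `{ ptrace signal_perms }`, but no `tunable_policy(`deny_ptrace`, …)` block is visible in this hunk, whereas acct_admin, afs_admin and aide_admin in this same commit re-add ptrace under that tunable. If the block is not in the lines that follow this hunk, accountsd_admin is the one admin interface here that loses ptrace unconditionally; adding the same three-line tunable block after `ps_process_pattern($1, accountsd_t)` would make it consistent.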
@@ -908,11 +1043,12 @@ index c0f858d..4a3dab6 100644
+ allow $1 accountsd_unit_file_t:service all_service_perms;
')
diff --git a/accountsd.te b/accountsd.te
-index 1632f10..074ebc9 100644
+index 313b33f..ea8883f 100644
--- a/accountsd.te
+++ b/accountsd.te
-@@ -1,5 +1,9 @@
- policy_module(accountsd, 1.0.0)
+@@ -4,6 +4,10 @@ gen_require(`
+ class passwd all_passwd_perms;
+ ')
+gen_require(`
+ class passwd { passwd chfn chsh rootok crontab };
@@ -921,7 +1057,7 @@ index 1632f10..074ebc9 100644
########################################
#
# Declarations
-@@ -7,37 +11,48 @@ policy_module(accountsd, 1.0.0)
+@@ -11,11 +15,15 @@ gen_require(`
type accountsd_t;
type accountsd_exec_t;
@@ -937,34 +1073,24 @@ index 1632f10..074ebc9 100644
+
########################################
#
- # accountsd local policy
- #
-
--allow accountsd_t self:capability { dac_override setuid setgid sys_ptrace };
-+allow accountsd_t self:capability { chown dac_override setuid setgid };
-+allow accountsd_t self:process signal;
- allow accountsd_t self:fifo_file rw_fifo_file_perms;
-+allow accountsd_t self:passwd { rootok passwd chfn chsh };
-
- manage_dirs_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t)
+ # Local policy
+@@ -30,6 +38,7 @@ manage_dirs_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t)
manage_files_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t)
- files_var_lib_filetrans(accountsd_t, accountsd_var_lib_t, { file dir })
+ files_var_lib_filetrans(accountsd_t, accountsd_var_lib_t, dir)
+kernel_read_system_state(accountsd_t)
kernel_read_kernel_sysctls(accountsd_t)
+ kernel_read_system_state(accountsd_t)
- corecmd_exec_bin(accountsd_t)
-
-+dev_read_sysfs(accountsd_t)
-+
- files_read_usr_files(accountsd_t)
- files_read_mnt_files(accountsd_t)
+@@ -42,13 +51,15 @@ files_read_usr_files(accountsd_t)
+ fs_getattr_xattr_fs(accountsd_t)
fs_list_inotifyfs(accountsd_t)
+fs_getattr_xattr_fs(accountsd_t)
fs_read_noxattr_fs_files(accountsd_t)
auth_use_nsswitch(accountsd_t)
+ auth_read_login_records(accountsd_t)
auth_read_shadow(accountsd_t)
+auth_read_login_records(accountsd_t)
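Review bot: After the merge this hunk's new side carries `kernel_read_system_state(accountsd_t)`, `fs_getattr_xattr_fs(accountsd_t)` and `auth_read_login_records(accountsd_t)` both as upstream context and as lines the downstream patch still adds, so the resulting accountsd.te declares each rule twice. Duplicate rules are harmless at compile time, but they are rebase noise and hide what Fedora actually changes; drop the three `+` lines and let the upstream context stand. The same pattern appears in the acct.te hunk (`userdom_dontaudit_use_unpriv_user_fds(acct_t)` as both context and addition), in the aide.te hunk (`files_read_all_symlinks(aide_t)`), and apparently for `consolekit_dbus_chat(accountsd_t)` in the hunk that follows this one.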
@@ -973,9 +1099,9 @@ index 1632f10..074ebc9 100644
logging_send_syslog_msg(accountsd_t)
logging_set_loginuid(accountsd_t)
-@@ -50,8 +65,20 @@ usermanage_domtrans_passwd(accountsd_t)
-
+@@ -62,6 +73,11 @@ usermanage_domtrans_passwd(accountsd_t)
optional_policy(`
+ consolekit_dbus_chat(accountsd_t)
consolekit_read_log(accountsd_t)
+ consolekit_dbus_chat(accountsd_t)
+')
@@ -985,26 +1111,22 @@ index 1632f10..074ebc9 100644
')
optional_policy(`
- policykit_dbus_chat(accountsd_t)
- ')
-+
-+optional_policy(`
-+ xserver_read_xdm_tmp_files(accountsd_t)
+@@ -70,4 +86,7 @@ optional_policy(`
+
+ optional_policy(`
+ xserver_read_xdm_tmp_files(accountsd_t)
+ xserver_read_state_xdm(accountsd_t)
+ xserver_dbus_chat_xdm(accountsd_t)
+ xserver_manage_xdm_etc_files(accountsd_t)
-+')
+ ')
diff --git a/acct.if b/acct.if
-index e66c296..993a1e9 100644
+index 81280d0..bc4038b 100644
--- a/acct.if
+++ b/acct.if
-@@ -78,3 +78,21 @@ interface(`acct_manage_data',`
- manage_files_pattern($1, acct_data_t, acct_data_t)
- manage_lnk_files_pattern($1, acct_data_t, acct_data_t)
- ')
-+
-+########################################
-+## <summary>
+@@ -83,6 +83,24 @@ interface(`acct_manage_data',`
+
+ ########################################
+ ## <summary>
+## Dontaudit Attempts to list acct_data directory
+## </summary>
+## <param name="domain">
@@ -1020,19 +1142,34 @@ index e66c296..993a1e9 100644
+
+ dontaudit $1 acct_data_t:dir list_dir_perms;
+')
++
++#######################################
++## <summary>
+ ## All of the rules required to
+ ## administrate an acct environment.
+ ## </summary>
+@@ -103,9 +121,13 @@ interface(`acct_admin',`
+ type acct_t, acct_initrc_exec_t, acct_data_t;
+ ')
+
+- allow $1 acct_t:process { ptrace signal_perms };
++ allow $1 acct_t:process { signal_perms };
+ ps_process_pattern($1, acct_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 acct_t:process ptrace;
++ ')
++
+ init_labeled_script_domtrans($1, acct_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 acct_initrc_exec_t system_r;
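Review bot: The added `allow $1 acct_t:process { signal_perms };` wraps a single macro in braces, while the sibling admin interfaces in this commit write `allow $1 accountsd_t:process signal_perms;` and `allow $1 afs_t:process signal_perms;`; `allow $1 acct_t:process signal_perms;` keeps the style uniform. The new `#######################################` separator inserted before the acct_admin summary also appears one character shorter than the `########################################` line used above it in the same file.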
diff --git a/acct.te b/acct.te
-index 63ef90e..31f524e 100644
+index 1a1c91a..7a449cc 100644
--- a/acct.te
+++ b/acct.te
-@@ -49,20 +49,19 @@ corecmd_exec_shell(acct_t)
-
- domain_use_interactive_fds(acct_t)
+@@ -53,14 +53,15 @@ files_list_usr(acct_t)
--files_read_etc_files(acct_t)
- files_read_etc_runtime_files(acct_t)
- files_list_usr(acct_t)
- # for nscd
- files_dontaudit_search_pids(acct_t)
+ auth_use_nsswitch(acct_t)
+auth_use_nsswitch(acct_t)
+
@@ -1044,14 +1181,15 @@ index 63ef90e..31f524e 100644
-miscfiles_read_localization(acct_t)
-
- userdom_dontaudit_use_unpriv_user_fds(acct_t)
++userdom_dontaudit_use_unpriv_user_fds(acct_t)
userdom_dontaudit_search_user_home_dirs(acct_t)
+ userdom_dontaudit_use_unpriv_user_fds(acct_t)
diff --git a/ada.te b/ada.te
-index 39c75fb..057d8b1 100644
+index 8b5ad06..8ce8f26 100644
--- a/ada.te
+++ b/ada.te
-@@ -17,7 +17,7 @@ role system_r types ada_t;
+@@ -20,7 +20,7 @@ role ada_roles types ada_t;
allow ada_t self:process { execstack execmem };
@@ -1061,15 +1199,15 @@ index 39c75fb..057d8b1 100644
optional_policy(`
unconfined_domain(ada_t)
diff --git a/afs.if b/afs.if
-index 8559cdc..641044e 100644
+index 3b41be6..0b18812 100644
--- a/afs.if
+++ b/afs.if
-@@ -97,8 +97,12 @@ interface(`afs_admin',`
- type afs_t, afs_initrc_exec_t;
+@@ -100,8 +100,12 @@ interface(`afs_admin',`
+ type afs_logfile_t, afs_cache_t, afs_files_t;
')
-- allow $1 afs_t:process { ptrace signal_perms getattr };
-- read_files_pattern($1, afs_t, afs_t)
+- allow $1 afs_domain:process { ptrace signal_perms };
+- ps_process_pattern($1, afs_domain)
+ allow $1 afs_t:process signal_perms;
+ ps_process_pattern($1, afs_t)
+
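Review bot: The upstream lines this hunk now removes (`allow $1 afs_domain:process { ptrace signal_perms };`, `ps_process_pattern($1, afs_domain)`) cover every domain carrying the afs_domain attribute, while the downstream replacement kept on the new side (`allow $1 afs_t:process signal_perms;`, `ps_process_pattern($1, afs_t)` and the deny_ptrace block) names only afs_t. Unless that narrowing is deliberate, afs_admin loses signal, ps and ptrace over the other afs_*server_t domains declared in afs.te, assuming they carry the attribute as upstream's rule implies. Writing the three replacement rules against afs_domain, which is visible later in this diff as `allow afs_domain self:udp_socket create_socket_perms;`, would keep the admin interface complete while still dropping unconditional ptrace.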
@@ -1077,36 +1215,34 @@ index 8559cdc..641044e 100644
+ allow $1 afs_t:process ptrace;
+ ')
- # Allow afs_admin to restart the afs service
afs_initrc_domtrans($1)
+ domain_system_change_exemption($1)
diff --git a/afs.te b/afs.te
-index a496fde..8170a8c 100644
+index 6690cdf..7fefcf5 100644
--- a/afs.te
+++ b/afs.te
-@@ -71,6 +71,7 @@ role system_r types afs_vlserver_t;
- #
-
- allow afs_t self:capability { sys_admin sys_nice sys_tty_config };
-+dontaudit afs_t self:capability dac_override;
- allow afs_t self:process { setsched signal };
- allow afs_t self:udp_socket create_socket_perms;
- allow afs_t self:fifo_file rw_file_perms;
-@@ -82,7 +83,6 @@ files_var_filetrans(afs_t, afs_cache_t, { file dir })
+@@ -83,6 +83,15 @@ files_var_filetrans(afs_t, afs_cache_t, { file dir })
kernel_rw_afs_state(afs_t)
--corenet_all_recvfrom_unlabeled(afs_t)
- corenet_all_recvfrom_netlabel(afs_t)
- corenet_tcp_sendrecv_generic_if(afs_t)
- corenet_udp_sendrecv_generic_if(afs_t)
-@@ -103,10 +103,12 @@ fs_read_nfs_symlinks(afs_t)
++corenet_all_recvfrom_netlabel(afs_t)
++corenet_tcp_sendrecv_generic_if(afs_t)
++corenet_udp_sendrecv_generic_if(afs_t)
++corenet_tcp_sendrecv_generic_node(afs_t)
++corenet_udp_sendrecv_generic_node(afs_t)
++corenet_tcp_sendrecv_all_ports(afs_t)
++corenet_udp_sendrecv_all_ports(afs_t)
++corenet_udp_bind_generic_node(afs_t)
++
+ files_mounton_mnt(afs_t)
+ files_read_usr_files(afs_t)
+ files_rw_etc_runtime_files(afs_t)
+@@ -93,6 +102,12 @@ fs_read_nfs_symlinks(afs_t)
logging_send_syslog_msg(afs_t)
--miscfiles_read_localization(afs_t)
--
- sysnet_dns_name_resolve(afs_t)
-
++sysnet_dns_name_resolve(afs_t)
++
+ifdef(`hide_broken_symptoms',`
+ kernel_rw_unlabeled_files(afs_t)
+')
@@ -1114,56 +1250,33 @@ index a496fde..8170a8c 100644
########################################
#
# AFS bossserver local policy
-@@ -140,7 +142,6 @@ domtrans_pattern(afs_bosserver_t, afs_vlserver_exec_t, afs_vlserver_t)
+@@ -125,7 +140,6 @@ domtrans_pattern(afs_bosserver_t, afs_vlserver_exec_t, afs_vlserver_t)
kernel_read_kernel_sysctls(afs_bosserver_t)
-corenet_all_recvfrom_unlabeled(afs_bosserver_t)
corenet_all_recvfrom_netlabel(afs_bosserver_t)
- corenet_tcp_sendrecv_generic_if(afs_bosserver_t)
corenet_udp_sendrecv_generic_if(afs_bosserver_t)
-@@ -156,7 +157,6 @@ files_read_etc_files(afs_bosserver_t)
- files_list_home(afs_bosserver_t)
- files_read_usr_files(afs_bosserver_t)
-
--miscfiles_read_localization(afs_bosserver_t)
-
- seutil_read_config(afs_bosserver_t)
-
-@@ -202,7 +202,6 @@ corenet_tcp_sendrecv_generic_node(afs_fsserver_t)
+ corenet_udp_sendrecv_generic_node(afs_bosserver_t)
+@@ -179,6 +193,9 @@ corenet_tcp_sendrecv_generic_if(afs_fsserver_t)
+ corenet_udp_sendrecv_generic_if(afs_fsserver_t)
+ corenet_tcp_sendrecv_generic_node(afs_fsserver_t)
corenet_udp_sendrecv_generic_node(afs_fsserver_t)
- corenet_tcp_sendrecv_all_ports(afs_fsserver_t)
- corenet_udp_sendrecv_all_ports(afs_fsserver_t)
--corenet_all_recvfrom_unlabeled(afs_fsserver_t)
- corenet_all_recvfrom_netlabel(afs_fsserver_t)
++corenet_tcp_sendrecv_all_ports(afs_fsserver_t)
++corenet_udp_sendrecv_all_ports(afs_fsserver_t)
++corenet_all_recvfrom_netlabel(afs_fsserver_t)
corenet_tcp_bind_generic_node(afs_fsserver_t)
corenet_udp_bind_generic_node(afs_fsserver_t)
-@@ -225,8 +224,6 @@ init_dontaudit_use_script_fds(afs_fsserver_t)
- logging_send_syslog_msg(afs_fsserver_t)
-
--miscfiles_read_localization(afs_fsserver_t)
--
- seutil_read_config(afs_fsserver_t)
-
- sysnet_read_config(afs_fsserver_t)
-@@ -252,7 +249,6 @@ manage_files_pattern(afs_kaserver_t, afs_logfile_t, afs_logfile_t)
+@@ -224,7 +241,6 @@ manage_files_pattern(afs_kaserver_t, afs_logfile_t, afs_logfile_t)
kernel_read_kernel_sysctls(afs_kaserver_t)
-corenet_all_recvfrom_unlabeled(afs_kaserver_t)
corenet_all_recvfrom_netlabel(afs_kaserver_t)
- corenet_tcp_sendrecv_generic_if(afs_kaserver_t)
corenet_udp_sendrecv_generic_if(afs_kaserver_t)
-@@ -270,7 +266,6 @@ files_read_etc_files(afs_kaserver_t)
- files_list_home(afs_kaserver_t)
- files_read_usr_files(afs_kaserver_t)
-
--miscfiles_read_localization(afs_kaserver_t)
-
- seutil_read_config(afs_kaserver_t)
-
-@@ -296,7 +291,6 @@ manage_files_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t)
+ corenet_udp_sendrecv_generic_node(afs_kaserver_t)
+@@ -262,7 +278,6 @@ manage_files_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t)
manage_files_pattern(afs_ptserver_t, afs_dbdir_t, afs_pt_db_t)
filetrans_pattern(afs_ptserver_t, afs_dbdir_t, afs_pt_db_t, file)
@@ -1171,15 +1284,16 @@ index a496fde..8170a8c 100644
corenet_all_recvfrom_netlabel(afs_ptserver_t)
corenet_tcp_sendrecv_generic_if(afs_ptserver_t)
corenet_udp_sendrecv_generic_if(afs_ptserver_t)
-@@ -310,7 +304,6 @@ corenet_sendrecv_afs_pt_server_packets(afs_ptserver_t)
-
- files_read_etc_files(afs_ptserver_t)
+@@ -274,6 +289,8 @@ corenet_udp_bind_generic_node(afs_ptserver_t)
+ corenet_udp_bind_afs_pt_port(afs_ptserver_t)
+ corenet_sendrecv_afs_pt_server_packets(afs_ptserver_t)
--miscfiles_read_localization(afs_ptserver_t)
-
- sysnet_read_config(afs_ptserver_t)
++sysnet_read_config(afs_ptserver_t)
++
+ userdom_dontaudit_use_user_terminals(afs_ptserver_t)
-@@ -334,7 +327,6 @@ manage_files_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t)
+ ########################################
+@@ -293,7 +310,6 @@ manage_files_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t)
manage_files_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t)
filetrans_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t, file)
@@ -1187,16 +1301,17 @@ index a496fde..8170a8c 100644
corenet_all_recvfrom_netlabel(afs_vlserver_t)
corenet_tcp_sendrecv_generic_if(afs_vlserver_t)
corenet_udp_sendrecv_generic_if(afs_vlserver_t)
-@@ -348,7 +340,6 @@ corenet_sendrecv_afs_vl_server_packets(afs_vlserver_t)
-
- files_read_etc_files(afs_vlserver_t)
+@@ -314,8 +330,4 @@ userdom_dontaudit_use_user_terminals(afs_vlserver_t)
--miscfiles_read_localization(afs_vlserver_t)
-
- sysnet_read_config(afs_vlserver_t)
+ allow afs_domain self:udp_socket create_socket_perms;
+-files_read_etc_files(afs_domain)
+-
+-miscfiles_read_localization(afs_domain)
+-
+ sysnet_read_config(afs_domain)
diff --git a/aiccu.if b/aiccu.if
-index 184c9a8..8f77bf5 100644
+index 3b5dcb9..fbe187f 100644
--- a/aiccu.if
+++ b/aiccu.if
@@ -79,9 +79,13 @@ interface(`aiccu_admin',`
@@ -1215,23 +1330,18 @@ index 184c9a8..8f77bf5 100644
domain_system_change_exemption($1)
role_transition $2 aiccu_initrc_exec_t system_r;
diff --git a/aiccu.te b/aiccu.te
-index 6d685ba..5a3021d 100644
+index 72c33c2..ca27918 100644
--- a/aiccu.te
+++ b/aiccu.te
-@@ -44,10 +44,11 @@ kernel_read_system_state(aiccu_t)
- corecmd_exec_shell(aiccu_t)
-
- corenet_all_recvfrom_netlabel(aiccu_t)
--corenet_all_recvfrom_unlabeled(aiccu_t)
-+corenet_tcp_bind_generic_node(aiccu_t)
+@@ -48,7 +48,6 @@ corenet_all_recvfrom_unlabeled(aiccu_t)
+ corenet_tcp_bind_generic_node(aiccu_t)
corenet_tcp_sendrecv_generic_if(aiccu_t)
corenet_tcp_sendrecv_generic_node(aiccu_t)
- corenet_tcp_sendrecv_generic_port(aiccu_t)
-+corenet_sendrecv_sixxsconfig_client_packets(aiccu_t)
- corenet_tcp_sendrecv_sixxsconfig_port(aiccu_t)
- corenet_tcp_bind_generic_node(aiccu_t)
+-
+ corenet_sendrecv_sixxsconfig_client_packets(aiccu_t)
corenet_tcp_connect_sixxsconfig_port(aiccu_t)
-@@ -62,9 +63,9 @@ dev_read_urand(aiccu_t)
+ corenet_tcp_sendrecv_sixxsconfig_port(aiccu_t)
+@@ -62,9 +61,9 @@ dev_read_urand(aiccu_t)
files_read_etc_files(aiccu_t)
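Review bot: With the Fedora additions to aiccu.te merged upstream, the remaining `@@ -48,7 +48,6 @@` hunk on the new side changes nothing but the removal of one blank line (the `+-` between `corenet_tcp_sendrecv_generic_node(aiccu_t)` and `corenet_sendrecv_sixxsconfig_client_packets(aiccu_t)`). A hunk with no policy effect only creates conflicts at the next rebase; drop it from the patch, or if the blank-line removal is wanted, send it upstream instead. The second aiccu.te hunk continues past this outer hunk, so it was not checked.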
@@ -1243,21 +1353,11 @@ index 6d685ba..5a3021d 100644
optional_policy(`
modutils_domtrans_insmod(aiccu_t)
-diff --git a/aide.fc b/aide.fc
-index 7798464..62ccdc6 100644
---- a/aide.fc
-+++ b/aide.fc
-@@ -3,4 +3,4 @@
- /var/lib/aide(/.*) gen_context(system_u:object_r:aide_db_t,mls_systemhigh)
-
- /var/log/aide(/.*)? gen_context(system_u:object_r:aide_log_t,mls_systemhigh)
--/var/log/aide\.log -- gen_context(system_u:object_r:aide_log_t,mls_systemhigh)
-+/var/log/aide\.log.* -- gen_context(system_u:object_r:aide_log_t,mls_systemhigh)
diff --git a/aide.if b/aide.if
-index 838d25b..33981e0 100644
+index 01cbb67..94a4a24 100644
--- a/aide.if
+++ b/aide.if
-@@ -60,9 +60,13 @@ interface(`aide_admin',`
+@@ -67,9 +67,13 @@ interface(`aide_admin',`
type aide_t, aide_db_t, aide_log_t;
')
@@ -1269,58 +1369,47 @@ index 838d25b..33981e0 100644
+ allow $1 aide_t:process ptrace;
+ ')
+
- files_list_etc($1)
- admin_pattern($1, aide_db_t)
+ aide_run($1, $2)
+ files_list_etc($1)
diff --git a/aide.te b/aide.te
-index 2509dd2..88d5615 100644
+index 4b28ab3..2cc5904 100644
--- a/aide.te
+++ b/aide.te
-@@ -8,6 +8,7 @@ policy_module(aide, 1.6.0)
+@@ -10,6 +10,7 @@ attribute_role aide_roles;
type aide_t;
type aide_exec_t;
application_domain(aide_t, aide_exec_t)
+cron_system_entry(aide_t, aide_exec_t)
+ role aide_roles types aide_t;
- # log files
type aide_log_t;
-@@ -32,6 +33,13 @@ manage_files_pattern(aide_t, aide_log_t, aide_log_t)
+@@ -33,12 +34,19 @@ setattr_files_pattern(aide_t, aide_log_t, aide_log_t)
logging_log_filetrans(aide_t, aide_log_t, file)
files_read_all_files(aide_t)
+files_read_boot_symlinks(aide_t)
-+files_read_all_symlinks(aide_t)
+ files_read_all_symlinks(aide_t)
+files_getattr_all_pipes(aide_t)
+files_getattr_all_sockets(aide_t)
++files_read_all_symlinks(aide_t)
+
+mls_file_read_to_clearance(aide_t)
+mls_file_write_to_clearance(aide_t)
logging_send_audit_msgs(aide_t)
- # AIDE can be configured to log to syslog
-@@ -39,4 +47,4 @@ logging_send_syslog_msg(aide_t)
-
- seutil_use_newrole_fds(aide_t)
+ logging_send_syslog_msg(aide_t)
-userdom_use_user_terminals(aide_t)
+userdom_use_inherited_user_terminals(aide_t)
-diff --git a/aisexec.fc b/aisexec.fc
-index 7b4f4b9..9c2daa5 100644
---- a/aisexec.fc
-+++ b/aisexec.fc
-@@ -4,6 +4,6 @@
- /var/lib/openais(/.*)? gen_context(system_u:object_r:aisexec_var_lib_t,s0)
-
--/var/log/cluster/aisexec\.log -- gen_context(system_u:object_r:aisexec_var_log_t,s0)
-+/var/log/cluster/aisexec\.log.* -- gen_context(system_u:object_r:aisexec_var_log_t,s0)
-
- /var/run/aisexec\.pid -- gen_context(system_u:object_r:aisexec_var_run_t,s0)
+ optional_policy(`
+ seutil_use_newrole_fds(aide_t)
diff --git a/aisexec.if b/aisexec.if
-index 0370dba..c2d68a4 100644
+index a2997fa..861cebd 100644
--- a/aisexec.if
+++ b/aisexec.if
-@@ -82,9 +82,13 @@ interface(`aisexecd_admin',`
+@@ -83,9 +83,13 @@ interface(`aisexecd_admin',`
type aisexec_initrc_exec_t;
')
@@ -1336,18 +1425,18 @@ index 0370dba..c2d68a4 100644
domain_system_change_exemption($1)
role_transition $2 aisexec_initrc_exec_t system_r;
diff --git a/aisexec.te b/aisexec.te
-index 50b9b48..bd0ccb4 100644
+index 196f7cf..3b5354f 100644
--- a/aisexec.te
+++ b/aisexec.te
-@@ -64,6 +64,7 @@ files_pid_filetrans(aisexec_t, aisexec_var_run_t, { file sock_file })
+@@ -63,6 +63,7 @@ files_pid_filetrans(aisexec_t, aisexec_var_run_t, { file sock_file })
kernel_read_system_state(aisexec_t)
corecmd_exec_bin(aisexec_t)
+corecmd_exec_shell(aisexec_t)
- corenet_udp_bind_netsupport_port(aisexec_t)
- corenet_tcp_bind_reserved_port(aisexec_t)
-@@ -79,8 +80,6 @@ init_rw_script_tmp_files(aisexec_t)
+ corenet_all_recvfrom_unlabeled(aisexec_t)
+ corenet_all_recvfrom_netlabel(aisexec_t)
+@@ -95,8 +96,6 @@ init_rw_script_tmp_files(aisexec_t)
logging_send_syslog_msg(aisexec_t)
@@ -1356,7 +1445,7 @@ index 50b9b48..bd0ccb4 100644
userdom_rw_unpriv_user_semaphores(aisexec_t)
userdom_rw_unpriv_user_shared_mem(aisexec_t)
-@@ -89,6 +88,10 @@ optional_policy(`
+@@ -105,6 +104,11 @@ optional_policy(`
')
optional_policy(`
@@ -1364,9 +1453,10 @@ index 50b9b48..bd0ccb4 100644
+')
+
+optional_policy(`
- # to communication with RHCS
++ # to communication with RHCS
rhcs_rw_dlm_controld_semaphores(aisexec_t)
+ rhcs_rw_fenced_semaphores(aisexec_t)
diff --git a/ajaxterm.fc b/ajaxterm.fc
new file mode 100644
index 0000000..aeb1888
@@ -1477,7 +1567,7 @@ index 0000000..7abe946
+')
diff --git a/ajaxterm.te b/ajaxterm.te
new file mode 100644
-index 0000000..8ba128b
+index 0000000..84bba98
--- /dev/null
+++ b/ajaxterm.te
@@ -0,0 +1,62 @@
@@ -1523,7 +1613,7 @@ index 0000000..8ba128b
+corecmd_exec_bin(ajaxterm_t)
+
+corenet_tcp_bind_generic_node(ajaxterm_t)
-+corenet_tcp_bind_ajaxterm_port(ajaxterm_t)
++corenet_tcp_bind_oa_system_port(ajaxterm_t)
+
+dev_read_urand(ajaxterm_t)
+
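Review bot: The new side switches ajaxterm from `corenet_tcp_bind_ajaxterm_port(ajaxterm_t)` to `corenet_tcp_bind_oa_system_port(ajaxterm_t)`, so the daemon now binds a port type it shares with another service instead of one of its own. That is presumably because the port ajaxterm listens on already carries the oa_system label in corenetwork; a one-line comment such as `# ajaxterm listens on the port labeled oa_system_port_t` would stop the next reader from re-adding a dedicated port type, and it is worth noting that any later change to who may bind that label now also affects ajaxterm.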
@@ -1544,29 +1634,22 @@ index 0000000..8ba128b
+')
+
diff --git a/alsa.fc b/alsa.fc
-index d362d9c..230a2f6 100644
+index 5de1e01..3aa9abb 100644
--- a/alsa.fc
+++ b/alsa.fc
-@@ -11,10 +11,14 @@ HOME_DIR/\.asoundrc -- gen_context(system_u:object_r:alsa_home_t,s0)
- /sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0)
-
- /usr/bin/ainit -- gen_context(system_u:object_r:alsa_exec_t,s0)
-+/usr/bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0)
-
- /usr/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
-+/usr/sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0)
-
+@@ -19,4 +19,6 @@ HOME_DIR/\.asoundrc -- gen_context(system_u:object_r:alsa_home_t,s0)
/usr/share/alsa/alsa\.conf gen_context(system_u:object_r:alsa_etc_rw_t,s0)
/usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
- /var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)
+-/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)
++/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)
+
+/usr/lib/systemd/system/alsa.* -- gen_context(system_u:object_r:alsa_unit_file_t,s0)
diff --git a/alsa.if b/alsa.if
-index 1392679..64e685f 100644
+index 708b743..a482fed 100644
--- a/alsa.if
+++ b/alsa.if
-@@ -148,6 +148,7 @@ interface(`alsa_manage_home_files',`
+@@ -168,6 +168,7 @@ interface(`alsa_manage_home_files',`
userdom_search_user_home_dirs($1)
allow $1 alsa_home_t:file manage_file_perms;
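Review bot: The replacement alsa.fc hunk drops the `/usr/bin/alsaunmute` and `/usr/sbin/salsa` `alsa_exec_t` entries that the old hunk added, and nothing in the new hunk puts them back; if upstream's alsa.fc at the new index already carries them the rebase is neutral, otherwise those two binaries lose their transition into alsa_t and run in the caller's domain. That is worth confirming against the merged upstream file rather than assuming. The new `/usr/lib/systemd/system/alsa.* -- ... alsa_unit_file_t` entry is fine as written — file_contexts regexes are anchored, so it covers every alsa-prefixed unit in that directory, which looks intended.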
@@ -1574,7 +1657,7 @@ index 1392679..64e685f 100644
')
########################################
-@@ -206,3 +207,69 @@ interface(`alsa_read_lib',`
+@@ -256,3 +257,69 @@ interface(`alsa_read_lib',`
files_search_var_lib($1)
read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
')
@@ -1645,10 +1728,10 @@ index 1392679..64e685f 100644
+ ps_process_pattern($1, alsa_t)
+')
diff --git a/alsa.te b/alsa.te
-index dc1b088..33678e4 100644
+index cda6d20..60c0649 100644
--- a/alsa.te
+++ b/alsa.te
-@@ -22,6 +22,9 @@ files_type(alsa_var_lib_t)
+@@ -24,6 +24,9 @@ files_type(alsa_var_lib_t)
type alsa_home_t;
userdom_user_home_content(alsa_home_t)
@@ -1658,15 +1741,16 @@ index dc1b088..33678e4 100644
########################################
#
# Local policy
-@@ -59,7 +62,6 @@ dev_read_sysfs(alsa_t)
+@@ -59,6 +62,8 @@ dev_read_sound(alsa_t)
+ dev_read_sysfs(alsa_t)
+ dev_write_sound(alsa_t)
- corecmd_exec_bin(alsa_t)
-
--files_read_etc_files(alsa_t)
++corecmd_exec_bin(alsa_t)
++
files_read_usr_files(alsa_t)
+ files_search_var_lib(alsa_t)
- term_dontaudit_use_console(alsa_t)
-@@ -72,8 +74,6 @@ init_use_fds(alsa_t)
+@@ -72,8 +77,6 @@ init_use_fds(alsa_t)
logging_send_syslog_msg(alsa_t)
@@ -1676,18 +1760,18 @@ index dc1b088..33678e4 100644
userdom_manage_unpriv_user_shared_mem(alsa_t)
userdom_search_user_home_dirs(alsa_t)
diff --git a/amanda.te b/amanda.te
-index d8b5abe..a4f5d3a 100644
+index ed45974..ebba0d8 100644
--- a/amanda.te
+++ b/amanda.te
-@@ -58,7 +58,7 @@ optional_policy(`
+@@ -60,7 +60,7 @@ optional_policy(`
#
allow amanda_t self:capability { chown dac_override setuid kill };
-allow amanda_t self:process { setpgid signal };
+allow amanda_t self:process { getsched setsched setpgid signal };
allow amanda_t self:fifo_file rw_fifo_file_perms;
- allow amanda_t self:unix_stream_socket create_stream_socket_perms;
- allow amanda_t self:unix_dgram_socket create_socket_perms;
+ allow amanda_t self:unix_stream_socket { accept listen };
+ allow amanda_t self:tcp_socket { accept listen };
@@ -71,6 +71,7 @@ allow amanda_t amanda_config_t:file read_file_perms;
manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t)
@@ -1696,23 +1780,15 @@ index d8b5abe..a4f5d3a 100644
filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir })
allow amanda_t amanda_dumpdates_t:file rw_file_perms;
-@@ -101,7 +102,6 @@ kernel_dontaudit_read_proc_symlinks(amanda_t)
+@@ -100,7 +101,6 @@ kernel_dontaudit_read_proc_symlinks(amanda_t)
corecmd_exec_shell(amanda_t)
corecmd_exec_bin(amanda_t)
-corenet_all_recvfrom_unlabeled(amanda_t)
corenet_all_recvfrom_netlabel(amanda_t)
corenet_tcp_sendrecv_generic_if(amanda_t)
- corenet_udp_sendrecv_generic_if(amanda_t)
-@@ -120,7 +120,6 @@ corenet_dontaudit_tcp_bind_all_ports(amanda_t)
- dev_getattr_all_blk_files(amanda_t)
- dev_getattr_all_chr_files(amanda_t)
-
--files_read_etc_files(amanda_t)
- files_read_etc_runtime_files(amanda_t)
- files_list_all(amanda_t)
- files_read_all_files(amanda_t)
-@@ -177,7 +176,6 @@ kernel_read_kernel_sysctls(amanda_recover_t)
+ corenet_tcp_sendrecv_generic_node(amanda_t)
+@@ -170,7 +170,6 @@ kernel_read_system_state(amanda_recover_t)
corecmd_exec_shell(amanda_recover_t)
corecmd_exec_bin(amanda_recover_t)
@@ -1720,15 +1796,7 @@ index d8b5abe..a4f5d3a 100644
corenet_all_recvfrom_netlabel(amanda_recover_t)
corenet_tcp_sendrecv_generic_if(amanda_recover_t)
corenet_udp_sendrecv_generic_if(amanda_recover_t)
-@@ -193,7 +191,6 @@ corenet_sendrecv_amanda_client_packets(amanda_recover_t)
-
- domain_use_interactive_fds(amanda_recover_t)
-
--files_read_etc_files(amanda_recover_t)
- files_read_etc_runtime_files(amanda_recover_t)
- files_search_tmp(amanda_recover_t)
- files_search_pids(amanda_recover_t)
-@@ -205,7 +202,11 @@ fstools_signal(amanda_t)
+@@ -200,7 +199,11 @@ fstools_signal(amanda_t)
logging_search_logs(amanda_recover_t)
@@ -1743,31 +1811,23 @@ index d8b5abe..a4f5d3a 100644
+ fstools_signal(amanda_t)
+')
diff --git a/amavis.fc b/amavis.fc
-index 446ee16..2346f65 100644
+index 17689a7..8aa6849 100644
--- a/amavis.fc
+++ b/amavis.fc
-@@ -2,6 +2,7 @@
- /etc/amavis(d)?\.conf -- gen_context(system_u:object_r:amavis_etc_t,s0)
- /etc/amavisd(/.*)? gen_context(system_u:object_r:amavis_etc_t,s0)
- /etc/rc\.d/init\.d/amavis -- gen_context(system_u:object_r:amavis_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/amavisd-snmp -- gen_context(system_u:object_r:amavis_initrc_exec_t,s0)
-
- /usr/sbin/amavisd.* -- gen_context(system_u:object_r:amavis_exec_t,s0)
- /usr/lib/AntiVir/antivir -- gen_context(system_u:object_r:amavis_exec_t,s0)
-@@ -12,7 +13,7 @@ ifdef(`distro_debian',`
-
- /var/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0)
- /var/lib/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0)
--/var/log/amavisd\.log -- gen_context(system_u:object_r:amavis_var_log_t,s0)
-+/var/log/amavisd\.log.* -- gen_context(system_u:object_r:amavis_var_log_t,s0)
- /var/run/amavis(d)?(/.*)? gen_context(system_u:object_r:amavis_var_run_t,s0)
- /var/spool/amavisd(/.*)? gen_context(system_u:object_r:amavis_spool_t,s0)
- /var/virusmails(/.*)? gen_context(system_u:object_r:amavis_quarantine_t,s0)
+@@ -12,8 +12,6 @@ ifdef(`distro_debian',`
+ /usr/sbin/amavisd-new-cronjob -- gen_context(system_u:object_r:amavis_exec_t,s0)
+ ')
+
+-/var/opt/f-secure(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0)
+-
+ /var/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0)
+
+ /var/lib/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0)
diff --git a/amavis.if b/amavis.if
-index e31d92a..5cb091a 100644
+index 60d4f8c..18ef077 100644
--- a/amavis.if
+++ b/amavis.if
-@@ -57,6 +57,7 @@ interface(`amavis_read_spool_files',`
+@@ -54,6 +54,7 @@ interface(`amavis_read_spool_files',`
files_search_spool($1)
read_files_pattern($1, amavis_spool_t, amavis_spool_t)
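Review bot: The new amavis.fc hunk removes `/var/opt/f-secure(/.*)?` from amavis_var_lib_t without relabeling it elsewhere in this hunk; presumably the path moves to the antivirus module this patch introduces, but if it does not, the tree falls back to the default var_t label and amavis_t loses access to it. The old hunk's `/var/log/amavisd\.log.*` entry (which also covered rotated logs) and the `amavisd-snmp` initrc entry are dropped too, and whether upstream now carries them is not visible here — if the `.*` suffix was lost, rotated amavis logs would be labeled plain var_log_t. Both removals deserve a check against the merged upstream amavis.fc before this lands.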
@@ -1775,7 +1835,7 @@ index e31d92a..5cb091a 100644
')
########################################
-@@ -150,6 +151,26 @@ interface(`amavis_read_lib_files',`
+@@ -153,6 +154,26 @@ interface(`amavis_read_lib_files',`
########################################
## <summary>
@@ -1802,16 +1862,8 @@ index e31d92a..5cb091a 100644
## Create, read, write, and delete
## amavis lib files.
## </summary>
-@@ -202,6 +223,7 @@ interface(`amavis_create_pid_files',`
- type amavis_var_run_t;
- ')
-
-+ allow $1 amavis_var_run_t:dir rw_dir_perms;
- allow $1 amavis_var_run_t:file create_file_perms;
- files_search_pids($1)
- ')
-@@ -231,9 +253,13 @@ interface(`amavis_admin',`
- type amavis_initrc_exec_t;
+@@ -234,9 +255,13 @@ interface(`amavis_admin',`
+ type amavis_etc_t, amavis_quarantine_t, amavis_initrc_exec_t;
')
- allow $1 amavis_t:process { ptrace signal_perms };
@@ -1826,24 +1878,10 @@ index e31d92a..5cb091a 100644
domain_system_change_exemption($1)
role_transition $2 amavis_initrc_exec_t system_r;
diff --git a/amavis.te b/amavis.te
-index 505309b..58c37b3 100644
+index ab55ba7..3da45f7 100644
--- a/amavis.te
+++ b/amavis.te
-@@ -5,6 +5,13 @@ policy_module(amavis, 1.14.0)
- # Declarations
- #
-
-+## <desc>
-+## <p>
-+## Allow amavis to use JIT compiler
-+## </p>
-+## </desc>
-+gen_tunable(amavis_use_jit, false)
-+
- type amavis_t;
- type amavis_exec_t;
- domain_type(amavis_t)
-@@ -38,7 +45,7 @@ type amavis_quarantine_t;
+@@ -39,7 +39,7 @@ type amavis_quarantine_t;
files_type(amavis_quarantine_t)
type amavis_spool_t;
@@ -1852,19 +1890,11 @@ index 505309b..58c37b3 100644
########################################
#
-@@ -49,7 +56,7 @@ allow amavis_t self:capability { kill chown dac_override setgid setuid };
- dontaudit amavis_t self:capability sys_tty_config;
- allow amavis_t self:process { signal sigchld sigkill signull };
- allow amavis_t self:fifo_file rw_fifo_file_perms;
--allow amavis_t self:unix_stream_socket create_stream_socket_perms;
-+allow amavis_t self:unix_stream_socket { create_stream_socket_perms connectto };
- allow amavis_t self:unix_dgram_socket create_socket_perms;
- allow amavis_t self:tcp_socket { listen accept };
- allow amavis_t self:netlink_route_socket r_netlink_socket_perms;
-@@ -75,9 +82,11 @@ filetrans_pattern(amavis_t, amavis_spool_t, amavis_var_run_t, sock_file)
- files_search_spool(amavis_t)
+@@ -67,9 +67,12 @@ manage_lnk_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
+ manage_sock_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
+ filetrans_pattern(amavis_t, amavis_spool_t, amavis_var_run_t, sock_file)
- # tmp files
++# tmp files
+manage_dirs_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
manage_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
+manage_sock_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
@@ -1872,127 +1902,69 @@ index 505309b..58c37b3 100644
-files_tmp_filetrans(amavis_t, amavis_tmp_t, file)
+files_tmp_filetrans(amavis_t, amavis_tmp_t, { file dir sock_file } )
- # var/lib files for amavis
manage_dirs_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
-@@ -98,16 +107,15 @@ manage_sock_files_pattern(amavis_t, amavis_var_run_t, amavis_var_run_t)
- files_pid_filetrans(amavis_t, amavis_var_run_t, { dir file sock_file })
-
- kernel_read_kernel_sysctls(amavis_t)
-+kernel_read_system_state(amavis_t)
- # amavis tries to access /proc/self/stat, /etc/shadow and /root - perl...
- kernel_dontaudit_list_proc(amavis_t)
- kernel_dontaudit_read_proc_symlinks(amavis_t)
--kernel_dontaudit_read_system_state(amavis_t)
-
- # find perl
+ manage_files_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
+@@ -95,7 +98,6 @@ kernel_dontaudit_read_proc_symlinks(amavis_t)
corecmd_exec_bin(amavis_t)
corecmd_exec_shell(amavis_t)
-corenet_all_recvfrom_unlabeled(amavis_t)
corenet_all_recvfrom_netlabel(amavis_t)
corenet_tcp_sendrecv_generic_if(amavis_t)
- corenet_tcp_sendrecv_generic_node(amavis_t)
-@@ -125,20 +133,24 @@ corenet_tcp_bind_amavisd_recv_port(amavis_t)
- corenet_udp_bind_generic_port(amavis_t)
- corenet_dontaudit_udp_bind_all_ports(amavis_t)
+ corenet_udp_sendrecv_generic_if(amavis_t)
+@@ -118,10 +120,12 @@ corenet_dontaudit_udp_bind_all_ports(amavis_t)
+
+ corenet_sendrecv_razor_client_packets(amavis_t)
corenet_tcp_connect_razor_port(amavis_t)
+corenet_tcp_connect_agentx_port(amavis_t)
dev_read_rand(amavis_t)
+ dev_read_sysfs(amavis_t)
dev_read_urand(amavis_t)
+dev_read_sysfs(amavis_t)
domain_use_interactive_fds(amavis_t)
-+domain_dontaudit_read_all_domains_state(amavis_t)
+ domain_dontaudit_read_all_domains_state(amavis_t)
+@@ -141,14 +145,20 @@ init_stream_connect_script(amavis_t)
--files_read_etc_files(amavis_t)
- files_read_etc_runtime_files(amavis_t)
- files_read_usr_files(amavis_t)
-
- fs_getattr_xattr_fs(amavis_t)
-
-+auth_use_nsswitch(amavis_t)
- auth_dontaudit_read_shadow(amavis_t)
-
-+init_read_state(amavis_t)
- # uses uptime which reads utmp - redhat bug 561383
- init_read_utmp(amavis_t)
- init_stream_connect_script(amavis_t)
-@@ -146,23 +158,32 @@ init_stream_connect_script(amavis_t)
logging_send_syslog_msg(amavis_t)
- miscfiles_read_generic_certs(amavis_t)
-miscfiles_read_localization(amavis_t)
-
--sysnet_dns_name_resolve(amavis_t)
- sysnet_use_ldap(amavis_t)
++miscfiles_read_generic_certs(amavis_t)
++
++sysnet_use_ldap(amavis_t)
userdom_dontaudit_search_user_home_dirs(amavis_t)
--# Cron handling
--cron_use_fds(amavis_t)
--cron_use_system_job_fds(amavis_t)
--cron_rw_pipes(amavis_t)
-+tunable_policy(`amavis_use_jit',`
+ tunable_policy(`amavis_use_jit',`
+- allow amavis_t self:process execmem;
+ allow amavis_t self:process execmem;
-+',`
+ ',`
+- dontaudit amavis_t self:process execmem;
+ dontaudit amavis_t self:process execmem;
+')
-
--mta_read_config(amavis_t)
-+optional_policy(`
-+ antivirus_domain_template(amavis_t)
-+')
-
- optional_policy(`
- clamav_stream_connect(amavis_t)
- clamav_domtrans_clamscan(amavis_t)
-+ clamav_read_state_clamd(amavis_t)
-+')
+
+optional_policy(`
-+ #Cron handling
-+ cron_use_fds(amavis_t)
-+ cron_use_system_job_fds(amavis_t)
-+ cron_rw_pipes(amavis_t)
++ antivirus_domain_template(amavis_t)
')
optional_policy(`
-@@ -171,11 +192,16 @@ optional_policy(`
+@@ -173,6 +183,10 @@ optional_policy(`
')
optional_policy(`
-+ mta_read_config(amavis_t)
++ nslcd_stream_connect(amavis_t)
+')
+
+optional_policy(`
- nslcd_stream_connect(amavis_t)
- ')
-
- optional_policy(`
postfix_read_config(amavis_t)
-+ postfix_list_spool(amavis_t)
- ')
-
- optional_policy(`
-@@ -188,6 +214,12 @@ optional_policy(`
+ postfix_list_spool(amavis_t)
')
-
- optional_policy(`
-+ snmp_manage_var_lib_files(amavis_t)
-+ snmp_manage_var_lib_dirs(amavis_t)
-+ snmp_stream_connect(amavis_t)
-+')
-+
-+optional_policy(`
- spamassassin_exec(amavis_t)
- spamassassin_exec_client(amavis_t)
- spamassassin_read_lib_files(amavis_t)
diff --git a/amtu.te b/amtu.te
-index 057abb0..c75e9e9 100644
+index c960f92..c291650 100644
--- a/amtu.te
+++ b/amtu.te
-@@ -23,7 +23,7 @@ files_read_etc_files(amtu_t)
+@@ -28,7 +28,7 @@ files_read_etc_files(amtu_t)
logging_send_audit_msgs(amtu_t)
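Review bot: `dev_read_sysfs(amavis_t)` is still added by the patch right after `dev_read_urand(amavis_t)`, but the rebased upstream context two lines earlier already carries `dev_read_sysfs(amavis_t)`, so the addition is now redundant; checkpolicy merges duplicate rules so nothing breaks, but the line should be dropped to keep the patch a minimal delta against upstream. The remaining network addition in this block, `corenet_tcp_connect_agentx_port(amavis_t)`, carries no justification — presumably it serves the amavisd-snmp subagent the old hunk referenced — and a one-line comment such as `# amavisd-snmp subagent connects to the AgentX master` would keep it from being dropped on the next rebase. The amavis_t block continues outside this hunk.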
@@ -2002,11 +1974,12 @@ index 057abb0..c75e9e9 100644
optional_policy(`
nscd_dontaudit_search_pid(amtu_t)
diff --git a/anaconda.te b/anaconda.te
-index e81bdbd..e3a396b 100644
+index 6f1384c..e9c715d 100644
--- a/anaconda.te
+++ b/anaconda.te
-@@ -1,5 +1,9 @@
- policy_module(anaconda, 1.6.0)
+@@ -4,6 +4,10 @@ gen_require(`
+ class passwd all_passwd_perms;
+ ')
+gen_require(`
+ class passwd { passwd chfn chsh rootok crontab };
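Review bot: The patch's added `gen_require(` block with `class passwd { passwd chfn chsh rootok crontab };` now sits directly under the upstream context `class passwd all_passwd_perms;`, which already requires every passwd permission, so the second require is redundant after the merge and the whole added block can go. The require block closes outside this hunk, so confirm nothing else was added inside it before removing it. Whether anaconda_t still needs an explicit `allow anaconda_t self:passwd ...` after this rebase is not visible here either; that depends on which unconfined_domain variant survived the merge.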
@@ -2015,21 +1988,7 @@ index e81bdbd..e3a396b 100644
########################################
#
# Declarations
-@@ -17,27 +21,23 @@ role system_r types anaconda_t;
- #
-
- allow anaconda_t self:process execmem;
-+allow anaconda_t self:passwd { rootok passwd chfn chsh };
-
- kernel_domtrans_to(anaconda_t, anaconda_exec_t)
-
- init_domtrans_script(anaconda_t)
-
--libs_domtrans_ldconfig(anaconda_t)
--
- logging_send_syslog_msg(anaconda_t)
-
- modutils_domtrans_insmod(anaconda_t)
+@@ -34,6 +38,7 @@ modutils_domtrans_insmod(anaconda_t)
modutils_domtrans_depmod(anaconda_t)
seutil_domtrans_semanage(anaconda_t)
@@ -2037,25 +1996,6 @@ index e81bdbd..e3a396b 100644
userdom_user_home_dir_filetrans_user_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file })
- optional_policy(`
-- kudzu_domtrans(anaconda_t)
--')
--
--optional_policy(`
- rpm_domtrans(anaconda_t)
- rpm_domtrans_script(anaconda_t)
- ')
-@@ -51,9 +51,6 @@ optional_policy(`
- ')
-
- optional_policy(`
-- unconfined_domain(anaconda_t)
-+ unconfined_domain_noaudit(anaconda_t)
- ')
-
--optional_policy(`
-- usermanage_domtrans_admin_passwd(anaconda_t)
--')
diff --git a/antivirus.fc b/antivirus.fc
new file mode 100644
index 0000000..e9a09f0
@@ -2132,63 +2072,93 @@ index 0000000..feabdf3
+ files_getattr_all_sockets(antivirus_domain)
+')
diff --git a/apache.fc b/apache.fc
-index fd9fa07..dcb9d6e 100644
+index 550a69e..dcb9d6e 100644
--- a/apache.fc
+++ b/apache.fc
-@@ -1,20 +1,37 @@
- HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
+@@ -1,161 +1,188 @@
+-HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
+-HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
++HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
+HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
-+HOME_DIR/((www)|(web)|(public_html))(/.*)?/\.htaccess -- gen_context(system_u:object_r:httpd_user_htaccess_t,s0)
-+HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_user_ra_content_t,s0)
-
- /etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
- /etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
--/etc/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+ HOME_DIR/((www)|(web)|(public_html))(/.*)?/\.htaccess -- gen_context(system_u:object_r:httpd_user_htaccess_t,s0)
+ HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_user_ra_content_t,s0)
+
+-/etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+-/etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+-/etc/cherokee(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+-/etc/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+-/etc/horde(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+-/etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+-/etc/httpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+-/etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0)
+-/etc/httpd/logs gen_context(system_u:object_r:httpd_log_t,s0)
+-/etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0)
+-/etc/lighttpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+-/etc/mock/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+-/etc/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+-
+-/etc/rc\.d/init\.d/cherokee -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
++/etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
++/etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/cherokee(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/owncloud/config\.php -- gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/horde(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
- /etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
- /etc/httpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
- /etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0)
- /etc/httpd/logs gen_context(system_u:object_r:httpd_log_t,s0)
- /etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0)
++/etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/etc/httpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
++/etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0)
++/etc/httpd/logs gen_context(system_u:object_r:httpd_log_t,s0)
++/etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0)
+/etc/init\.d/cherokee -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
- /etc/lighttpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
- /etc/mock/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/etc/lighttpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
++/etc/mock/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
/etc/rc\.d/init\.d/lighttpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
- /etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0)
+-/etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0)
+-/etc/WebCalendar(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+-/etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/WebCalendar(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
- /etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+
+
+-/opt/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+-/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+/usr/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/opt/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/lib/systemd/system/httpd.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
+/usr/lib/systemd/system/jetty.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
+/usr/lib/systemd/system/php-fpm.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
-+
+
+-/srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+-/srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/libexec/httpd-ssl-pass-dialog -- gen_context(system_u:object_r:httpd_passwd_exec_t,s0)
- /srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
- /srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-@@ -22,20 +39,25 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u
- /usr/bin/htsslpass -- gen_context(system_u:object_r:httpd_helper_exec_t,s0)
- /usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0)
+-/usr/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
++/srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-+/usr/share/jetty/bin/jetty.sh -- gen_context(system_u:object_r:httpd_exec_t,s0)
-+
- /usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
- /usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
--/usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
--/usr/lib/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
--/usr/lib/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+-/usr/bin/htsslpass -- gen_context(system_u:object_r:httpd_helper_exec_t,s0)
+-/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0)
++/usr/bin/htsslpass -- gen_context(system_u:object_r:httpd_helper_exec_t,s0)
++/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0)
+
+-/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
+-/usr/lib/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+-/usr/lib/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
-/usr/lib/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
--/usr/lib/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
--/usr/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
--/usr/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+-/usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+-/usr/lib/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+-/usr/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+-/usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+-/usr/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+-/usr/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
++/usr/share/jetty/bin/jetty.sh -- gen_context(system_u:object_r:httpd_exec_t,s0)
+
+-/usr/libexec/httpd-ssl-pass-dialog -- gen_context(system_u:object_r:httpd_passwd_exec_t,s0)
++/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
++/usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/lib/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
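Review bot: `/etc/owncloud/config\.php -- ... httpd_sys_rw_content_t` gives httpd_t write access to what, if it is the usual ownCloud config, holds the database credentials and instance secrets, so a compromised web process can persist changes there; this is the label the ownCloud web installer needs, but it should carry a comment so it is not later "tightened" without knowing the trade-off, e.g. `# ownCloud rewrites its own config during setup; rw is required`. Nearly everything else in this hunk is a column realignment that is invisible once whitespace is stripped, so the only other substantive new-side entries appear to be the systemd unit files, jetty.sh, php-fpm and the suexec/helper relocations. The broad `/usr/.*\.cgi` catch-all is pre-existing upstream context, not something this commit introduces.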
@@ -2197,109 +2167,211 @@ index fd9fa07..dcb9d6e 100644
+/usr/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
- /usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
+-/usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
++/usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
+-/usr/sbin/cherokee -- gen_context(system_u:object_r:httpd_exec_t,s0)
+-/usr/sbin/httpd\.event -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/cherokee -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/httpd\.event -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
- /usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
+-/usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
+-/usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
+-/usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
++/usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/php-fpm -- gen_context(system_u:object_r:httpd_exec_t,s0)
- /usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
- /usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
-
-@@ -43,8 +65,9 @@ ifdef(`distro_suse', `
- /usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
- ')
++/usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
++/usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
--/usr/share/dirsrv(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
--/usr/share/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+-ifdef(`distro_suse',`
+-/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
++ifdef(`distro_suse', `
++/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
+ ')
+
+-/usr/share/dirsrv(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+-/usr/share/doc/ghc/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+-/usr/share/drupal.* gen_context(system_u:object_r:httpd_sys_content_t,s0)
+-/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+-/usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+-/usr/share/jetty/bin/jetty\.sh -- gen_context(system_u:object_r:httpd_exec_t,s0)
+-/usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+-/usr/share/mythweb/mythweb\.pl gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+-/usr/share/mythtv/mythweather/scripts(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+-/usr/share/mythtv/data(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+-/usr/share/ntop/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+-/usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+-/usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+-/usr/share/wordpress/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+-/usr/share/wordpress-mu/wp-config\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+-/usr/share/wordpress-mu/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+-/usr/share/wordpress/wp-content/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+-/usr/share/wordpress/wp-content/upgrade(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+-/usr/share/wordpress/wp-includes/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+-
+-/var/cache/apache2(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+-/var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+-/var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+-/var/cache/mason(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+-/var/cache/mediawiki(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+-/var/cache/mod_.* gen_context(system_u:object_r:httpd_cache_t,s0)
+-/var/cache/mod_gnutls(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+-/var/cache/mod_proxy(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+-/var/cache/mod_ssl(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+-/var/cache/php-.* gen_context(system_u:object_r:httpd_cache_t,s0)
+/usr/share/drupal.* gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/doc/ghc/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+
- /usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
- /usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
- /usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-@@ -54,9 +77,13 @@ ifdef(`distro_suse', `
- /usr/share/ntop/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
- /usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
- /usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/usr/share/mythweb/mythweb\.pl gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
++/usr/share/mythtv/mythweather/scripts(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
++/usr/share/mythtv/data(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/usr/share/ntop/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/wordpress/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
- /usr/share/wordpress-mu/wp-config\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
- /usr/share/wordpress-mu/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
- /usr/share/wordpress/wp-content/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/usr/share/wordpress-mu/wp-config\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
++/usr/share/wordpress-mu/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/usr/share/wordpress/wp-content/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/usr/share/wordpress/wp-content/upgrade(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/usr/share/wordpress/wp-includes/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/share/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-
- /var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
- /var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-@@ -69,35 +96,54 @@ ifdef(`distro_suse', `
- /var/cache/php-.* gen_context(system_u:object_r:httpd_cache_t,s0)
++
++/var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
++/var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
++/var/cache/mason(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
++/var/cache/mediawiki(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
++/var/cache/mod_.* gen_context(system_u:object_r:httpd_cache_t,s0)
++/var/cache/mod_gnutls(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
++/var/cache/mod_proxy(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
++/var/cache/mod_ssl(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
++/var/cache/php-.* gen_context(system_u:object_r:httpd_cache_t,s0)
/var/cache/php-eaccelerator(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
- /var/cache/php-mmcache(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
--/var/cache/rt3(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+-/var/cache/php-mmcache(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+-/var/cache/rt3(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+-/var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0)
+-
+-/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+-/var/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+-/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+-/var/lib/php(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+-/var/lib/dokuwiki(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+-/var/lib/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+-/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+-/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+-/var/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+-/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+-/var/lib/pootle/po(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+-/var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
++/var/cache/php-mmcache(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+/var/cache/rt(3|4)(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
- /var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0)
-
- /var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0)
++
++/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
- /var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
--/var/lib/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/php(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/dokuwiki(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
- /var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
- /var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
++/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
- /var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
++/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
/var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
+-/var/lib/stickshift/.httpd.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+-/var/lib/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+-/var/lib/trac(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+-/var/lib/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+-
+-/var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+-/var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+-/var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+-/var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
+-/var/log/cherokee(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+-/var/log/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+-/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+-/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+-/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+-/var/log/piranha(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/lib/openshift/\.httpd\.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/var/lib/openshift/\.log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/lib/stickshift/\.httpd\.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/var/lib/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/trac(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/lib/z-push(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-
- /var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
- /var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
- /var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
- /var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
--/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
--/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
--/var/log/piranha(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
--
++
++/var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++/var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++/var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++/var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/cherokee(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/php-fpm(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-+/var/log/roundcubemail(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-+/var/log/suphp\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
+ /var/log/roundcubemail(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+ /var/log/suphp\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
+-/var/log/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/log/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
- ifdef(`distro_debian', `
- /var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
- ')
-
++ifdef(`distro_debian', `
++/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++')
++
+/var/lib/pootle/po(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/rt(3|4)/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+
- /var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0)
++/var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/cherokee\.pid -- gen_context(system_u:object_r:httpd_var_run_t,s0)
- /var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0)
- /var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
- /var/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
- /var/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0)
++/var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0)
++/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
++/var/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
++/var/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/php-fpm(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
- /var/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0)
++/var/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/user/apache(/.*)? gen_context(system_u:object_r:httpd_tmp_t,s0)
-
- /var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
- /var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0)
-@@ -109,3 +155,34 @@ ifdef(`distro_debian', `
- /var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
- /var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
- /var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+
-+/var/www/html/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
++/var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0)
++/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
++
++/var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++/var/www/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
++/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
++/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+
+-/var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+-/var/run/cherokee\.pid -- gen_context(system_u:object_r:httpd_var_run_t,s0)
+-/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+-/var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0)
+-/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+-/var/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+-/var/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+-/var/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0)
+-/var/run/user/apache(/.*)? gen_context(system_u:object_r:httpd_tmp_t,s0)
+-
+-/var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+-/var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0)
+-/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
+-
+-/var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+-/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+-/var/www/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+-/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+-/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+ /var/www/html/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+-/var/www/html/[^/]*/sites/default/settings\.php -- gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
+-/var/www/html/[^/]*/sites/default/files(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
+-/var/www/html/configuration\.php gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+-/var/www/html/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+-/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+-/var/www/moodledata(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+-/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+-/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+-/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+-/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+
+/var/www/html/[^/]*/sites/default/settings\.php -- gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
+/var/www/html/[^/]*/sites/default/files(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
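Review bot: `/var/log/z-push(/.*)?` is kept as `httpd_sys_rw_content_t` on the new side (the commit drops upstream's identical line and re-adds it) while every neighbouring log directory in this hunk — php-fpm, roundcubemail, suphp, horde2 — is `httpd_log_t`. Labelling a log tree as read-write web content presumably lets httpd_t and the script domains rewrite or unlink it rather than only append and create, which is what the log type is for; since this same hunk relabels `/var/lib/z-push` away from `httpd_sys_rw_content_t` to `httpd_var_lib_t`, the log directory looks worth the same review, or at least a comment stating why z-push needs full write there. Separately, the re-added viewvc entry uses `gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)` with a space before `s0`, unlike the rest of the file; `gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)` keeps it uniform (the two Drupal `settings\.php`/`files` lines carry the same stray space).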
@@ -2330,47 +2402,74 @@ index fd9fa07..dcb9d6e 100644
+/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
diff --git a/apache.if b/apache.if
-index 6480167..7b2ad39 100644
+index 83e899c..7b2ad39 100644
--- a/apache.if
+++ b/apache.if
-@@ -13,68 +13,55 @@
+@@ -1,9 +1,9 @@
+-## <summary>Various web servers.</summary>
++## <summary>Apache web server</summary>
+
+ ########################################
+ ## <summary>
+-## Create a set of derived types for
+-## httpd web content.
++## Create a set of derived types for apache
++## web content.
+ ## </summary>
+ ## <param name="prefix">
+ ## <summary>
+@@ -13,118 +13,100 @@
#
template(`apache_content_template',`
gen_require(`
-- attribute httpdcontent;
-- attribute httpd_exec_scripts;
-- attribute httpd_script_exec_type;
+- attribute httpdcontent, httpd_exec_scripts, httpd_script_exec_type;
+- attribute httpd_script_domains, httpd_htaccess_type;
+- type httpd_t, httpd_suexec_t;
+- ')
+-
+- ########################################
+- #
+- # Declarations
+- #
+-
+- ## <desc>
+- ## <p>
+- ## Determine whether the script domain can
+- ## modify public files used for public file
+- ## transfer services. Directories/Files must
+- ## be labeled public_content_rw_t.
+- ## </p>
+- ## </desc>
+- gen_tunable(allow_httpd_$1_script_anon_write, false)
+-
+- type httpd_$1_content_t, httpdcontent; # customizable
+ attribute httpd_exec_scripts, httpd_script_exec_type;
- type httpd_t, httpd_suexec_t, httpd_log_t;
++ type httpd_t, httpd_suexec_t, httpd_log_t;
+ type httpd_sys_content_t;
+ attribute httpd_script_type, httpd_content_type;
- ')
-- # allow write access to public file transfer
-- # services files.
-- gen_tunable(allow_httpd_$1_script_anon_write, false)
-
- #This type is for webpages
-- type httpd_$1_content_t, httpdcontent; # customizable
++ ')
++
++ #This type is for webpages
+ type httpd_$1_content_t; # customizable;
+ typeattribute httpd_$1_content_t httpd_content_type;
typealias httpd_$1_content_t alias httpd_$1_script_ro_t;
files_type(httpd_$1_content_t)
- # This type is used for .htaccess files
-- type httpd_$1_htaccess_t; # customizable;
+- type httpd_$1_htaccess_t, httpd_htaccess_type; # customizable;
++ # This type is used for .htaccess files
+ type httpd_$1_htaccess_t, httpd_content_type; # customizable;
+ typeattribute httpd_$1_htaccess_t httpd_content_type;
files_type(httpd_$1_htaccess_t)
- # Type that CGI scripts run as
-- type httpd_$1_script_t;
+- type httpd_$1_script_t, httpd_script_domains;
++ # Type that CGI scripts run as
+ type httpd_$1_script_t, httpd_script_type;
domain_type(httpd_$1_script_t)
role system_r types httpd_$1_script_t;
+ kernel_read_system_state(httpd_$1_script_t)
+
- # This type is used for executable scripts files
++ # This type is used for executable scripts files
type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;
- corecmd_shell_entry_type(httpd_$1_script_t)
+ typeattribute httpd_$1_script_exec_t httpd_content_type;
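Review bot: `typeattribute httpd_$1_htaccess_t httpd_content_type;` is redundant on the new side, because the declaration just above it, `type httpd_$1_htaccess_t, httpd_content_type;`, already attaches that attribute; one of the two lines should go, and the content-type pair (`type httpd_$1_content_t;` plus a separate `typeattribute`) would read better in the same single form. The module summary is narrowed from `Various web servers.` to `Apache web server`, yet the file-context hunk of this same patch labels lighttpd, cherokee, php-fpm and jetty as `httpd_exec_t`; keeping the broader wording, e.g. `## <summary>Apache and other web servers running in the httpd domain</summary>`, avoids misleading readers of the generated interface docs. `type httpd_sys_content_t;` is newly required in `gen_require` but is not referenced in the visible part of the template; if no later line uses it, it is an unneeded requirement. The template body continues past the end of this hunk.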
@@ -2388,153 +2487,113 @@ index 6480167..7b2ad39 100644
typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t };
files_type(httpd_$1_ra_content_t)
-- read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_htaccess_t)
--
-- domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
--
-- allow httpd_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
-- allow httpd_suexec_t { httpd_$1_content_t httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
--
-- allow httpd_$1_script_t self:fifo_file rw_file_perms;
-- allow httpd_$1_script_t self:unix_stream_socket connectto;
--
-- allow httpd_$1_script_t httpd_t:fifo_file write;
-- # apache should set close-on-exec
-- dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write };
--
- # Allow the script process to search the cgi directory, and users directory
- allow httpd_$1_script_t httpd_$1_content_t:dir search_dir_perms;
+- ########################################
+- #
+- # Policy
+- #
++ # Allow the script process to search the cgi directory, and users directory
++ allow httpd_$1_script_t httpd_$1_content_t:dir search_dir_perms;
-- append_files_pattern(httpd_$1_script_t, httpd_log_t, httpd_log_t)
-- logging_search_logs(httpd_$1_script_t)
--
can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
- allow httpd_$1_script_t httpd_$1_script_exec_t:dir list_dir_perms;
-
- allow httpd_$1_script_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };
- read_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
- append_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
++ allow httpd_$1_script_t httpd_$1_script_exec_t:dir list_dir_perms;
+
+- allow httpd_$1_script_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms setattr_dir_perms };
+- allow httpd_$1_script_t httpd_$1_ra_content_t:file { append_file_perms read_file_perms create_file_perms setattr_file_perms };
+- allow httpd_$1_script_t httpd_$1_ra_content_t:lnk_file read_lnk_file_perms;
++ allow httpd_$1_script_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };
++ read_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
++ append_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
+ create_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
- read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
++ read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
- allow httpd_$1_script_t httpd_$1_content_t:dir list_dir_perms;
-@@ -86,40 +73,6 @@ template(`apache_content_template',`
+- allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_script_exec_t }:dir list_dir_perms;
+- allow httpd_$1_script_t httpd_$1_content_t:file read_file_perms;
+- allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_script_exec_t }:lnk_file read_lnk_file_perms;
++ allow httpd_$1_script_t httpd_$1_content_t:dir list_dir_perms;
++ read_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t)
++ read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t)
+
+ manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+ manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
- files_tmp_filetrans(httpd_$1_script_t, httpd_$1_rw_content_t, { dir file lnk_file sock_file fifo_file })
-
-- kernel_dontaudit_search_sysctl(httpd_$1_script_t)
-- kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t)
--
-- dev_read_rand(httpd_$1_script_t)
-- dev_read_urand(httpd_$1_script_t)
--
-- corecmd_exec_all_executables(httpd_$1_script_t)
--
-- files_exec_etc_files(httpd_$1_script_t)
-- files_read_etc_files(httpd_$1_script_t)
-- files_search_home(httpd_$1_script_t)
--
-- libs_exec_ld_so(httpd_$1_script_t)
-- libs_exec_lib_files(httpd_$1_script_t)
--
-- miscfiles_read_fonts(httpd_$1_script_t)
-- miscfiles_read_public_files(httpd_$1_script_t)
--
-- seutil_dontaudit_search_config(httpd_$1_script_t)
--
-- tunable_policy(`httpd_enable_cgi && httpd_unified',`
-- allow httpd_$1_script_t httpdcontent:file entrypoint;
--
-- manage_dirs_pattern(httpd_$1_script_t, httpdcontent, httpdcontent)
-- manage_files_pattern(httpd_$1_script_t, httpdcontent, httpdcontent)
-- manage_lnk_files_pattern(httpd_$1_script_t, httpdcontent, httpdcontent)
-- can_exec(httpd_$1_script_t, httpdcontent)
-- ')
+- allow { httpd_t httpd_suexec_t } httpd_$1_content_t:dir list_dir_perms;
+- allow { httpd_t httpd_suexec_t } { httpd_$1_content_t httpd_$1_htaccess_t }:file read_file_perms;
+- allow { httpd_t httpd_suexec_t } httpd_$1_content_t:lnk_file read_lnk_file_perms;
-
- tunable_policy(`allow_httpd_$1_script_anon_write',`
- miscfiles_manage_public_files(httpd_$1_script_t)
- ')
- # Allow the web server to run scripts and serve pages
++ # Allow the web server to run scripts and serve pages
tunable_policy(`httpd_builtin_scripting',`
-@@ -128,68 +81,26 @@ template(`apache_content_template',`
+ manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+ manage_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+- manage_fifo_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
manage_lnk_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
- rw_sock_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+- manage_sock_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
++ rw_sock_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-- allow httpd_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };
+- allow httpd_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms setattr_dir_perms };
+- allow httpd_t httpd_$1_ra_content_t:file { append_file_perms read_file_perms create_file_perms setattr_file_perms };
+- allow httpd_t httpd_$1_ra_content_t:lnk_file read_lnk_file_perms;
+- ')
+ allow httpd_t httpd_$1_ra_content_t:dir { add_entry_dir_perms };
- read_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
- append_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
++ read_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
++ append_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
+ create_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
- read_lnk_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
++ read_lnk_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
-- allow httpd_t httpd_$1_content_t:dir list_dir_perms;
-- read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
-- read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
--
-- allow httpd_t httpd_$1_content_t:dir list_dir_perms;
-- read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
-- read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
+- tunable_policy(`httpd_builtin_scripting && httpd_tmp_exec',`
+- can_exec(httpd_t, httpd_$1_rw_content_t)
')
tunable_policy(`httpd_enable_cgi',`
allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;
+- domtrans_pattern({ httpd_t httpd_suexec_t httpd_exec_scripts }, httpd_$1_script_exec_t, httpd_$1_script_t)
+- ')
+- tunable_policy(`httpd_enable_cgi && httpd_tmp_exec',`
+- can_exec(httpd_$1_script_t, httpd_$1_rw_content_t)
+- ')
+ domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
-+
- # privileged users run the script:
- domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)
+- tunable_policy(`httpd_enable_cgi && httpd_unified',`
+- allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_ra_content_t }:file entrypoint;
+- allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_ra_content_t }:dir manage_dir_perms;
+- allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_ra_content_t }:file manage_file_perms;
+- ')
++ # privileged users run the script:
++ domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)
+
+- tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
+- filetrans_pattern(httpd_t, httpd_$1_content_t, httpd_$1_rw_content_t, { file dir fifo_file lnk_file sock_file })
+ allow httpd_exec_scripts httpd_$1_script_exec_t:file read_file_perms;
+
- # apache runs the script:
- domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
--
-- allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };
-- allow httpd_t httpd_$1_script_exec_t:dir list_dir_perms;
--
-- allow httpd_$1_script_t self:process { setsched signal_perms };
-- allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms;
--
-- allow httpd_$1_script_t httpd_t:fd use;
-- allow httpd_$1_script_t httpd_t:process sigchld;
--
-- kernel_read_system_state(httpd_$1_script_t)
--
-- dev_read_urand(httpd_$1_script_t)
--
-- fs_getattr_xattr_fs(httpd_$1_script_t)
--
-- files_read_etc_runtime_files(httpd_$1_script_t)
-- files_read_usr_files(httpd_$1_script_t)
--
-- libs_read_lib_files(httpd_$1_script_t)
--
-- miscfiles_read_localization(httpd_$1_script_t)
-- ')
--
-- optional_policy(`
-- tunable_policy(`httpd_enable_cgi && allow_ypbind',`
-- nis_use_ypbind_uncond(httpd_$1_script_t)
-- ')
-- ')
--
-- optional_policy(`
-- postgresql_unpriv_client(httpd_$1_script_t)
--
-- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
-- postgresql_tcp_connect(httpd_$1_script_t)
-- ')
-- ')
--
-- optional_policy(`
-- nscd_socket_use(httpd_$1_script_t)
++ # apache runs the script:
++ domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
')
')
-@@ -211,9 +122,8 @@ template(`apache_content_template',`
+ ########################################
+ ## <summary>
+-## Role access for apache.
++## Role access for apache
+ ## </summary>
+ ## <param name="role">
+ ## <summary>
+@@ -133,47 +115,61 @@ template(`apache_content_template',`
+ ## </param>
+ ## <param name="domain">
+ ## <summary>
+-## User domain for the role.
++## User domain for the role
+ ## </summary>
+ ## </param>
+ #
interface(`apache_role',`
gen_require(`
attribute httpdcontent;
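Review bot: Inside `tunable_policy(`httpd_builtin_scripting'` the new side keeps `allow httpd_t httpd_$1_ra_content_t:dir { add_entry_dir_perms };` while the upstream line this commit removes granted `{ list_dir_perms add_entry_dir_perms setattr_dir_perms }`; with only add_entry plus the search permission the `*_files_pattern` macros presumably imply, httpd_t can create and append to files in ra directories but cannot enumerate them, so unless rules on the `httpd_content_type` attribute elsewhere cover it, listing a `logs`-style append directory would be denied. If the narrower grant is deliberate least privilege, a one-line comment such as `# ra content: httpd_t may append/create but not list or setattr` above it would record that; either way the braces around a single permission set are unnecessary, `allow httpd_t httpd_$1_ra_content_t:dir add_entry_dir_perms;`. The comment `# Allow the web server to run scripts and serve pages` introduces this block, but the rules under it are the rw/ra content grants and script execution lives in the `httpd_enable_cgi` block below, so `# Builtin scripting: httpd_t manages rw content and appends to ra content` describes it more accurately. The template starts in the previous hunk.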
@@ -2546,10 +2605,34 @@ index 6480167..7b2ad39 100644
')
role $1 types httpd_user_script_t;
-@@ -234,6 +144,13 @@ interface(`apache_role',`
- relabel_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
- relabel_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
+- allow $2 httpd_user_htaccess_t:file { manage_file_perms relabel_file_perms };
+-
+- allow $2 httpd_user_content_t:dir { manage_dir_perms relabel_dir_perms };
+- allow $2 httpd_user_content_t:file { manage_file_perms relabel_file_perms };
+- allow $2 httpd_user_content_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+-
+- allow $2 httpd_user_ra_content_t:dir { manage_dir_perms relabel_dir_perms };
+- allow $2 httpd_user_ra_content_t:file { manage_file_perms relabel_file_perms };
+- allow $2 httpd_user_ra_content_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+-
+- allow $2 httpd_user_rw_content_t:dir { manage_dir_perms relabel_dir_perms };
+- allow $2 httpd_user_rw_content_t:file { manage_file_perms relabel_file_perms };
+- allow $2 httpd_user_rw_content_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+-
+- allow $2 httpd_user_script_exec_t:dir { manage_dir_perms relabel_dir_perms };
+- allow $2 httpd_user_script_exec_t:file { manage_file_perms relabel_file_perms };
+- allow $2 httpd_user_script_exec_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+-
+- userdom_user_home_dir_filetrans($2, httpd_user_content_t, dir, "public_html")
+- userdom_user_home_dir_filetrans($2, httpd_user_content_t, dir, "web")
+- userdom_user_home_dir_filetrans($2, httpd_user_content_t, dir, "www")
+-
+- filetrans_pattern($2, httpd_user_content_t, httpd_user_htaccess_t, file, ".htaccess")
+- filetrans_pattern($2, httpd_user_content_t, httpd_user_script_exec_t, dir, "cgi-bin")
+- filetrans_pattern($2, httpd_user_content_t, httpd_user_ra_content_t, dir, "logs")
++ allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom };
++
+ manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
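Review bot: The `++ allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom };` line is the only rule in apache_role that spells out relabel permissions by hand; every other rule in the interface goes through the `relabel_*_pattern` macros. If the intended set is the standard one, `allow $2 httpd_user_htaccess_t:file { manage_file_perms relabel_file_perms };` (the form the removed upstream line used) keeps the interface consistent and tracks any later change to the permission-set macro. The apache_role body continues into the next hunk.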
@@ -2557,46 +2640,145 @@ index 6480167..7b2ad39 100644
+ relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+
- manage_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
- manage_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
- manage_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
-@@ -248,6 +165,9 @@ interface(`apache_role',`
- relabel_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
- relabel_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
-
++ manage_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
++ manage_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
++ manage_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
++ relabel_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
++ relabel_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
++ relabel_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
++
++ manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
++ manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
++ manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
++ relabel_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
++ relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
++ relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
++
++ manage_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
++ manage_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
++ manage_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
++ relabel_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
++ relabel_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
++ relabel_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
++
++ manage_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
++ manage_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
++ manage_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
++ relabel_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
++ relabel_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
++ relabel_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
++
+ apache_exec_modules($2)
+ apache_filetrans_home_content($2)
-+
+
tunable_policy(`httpd_enable_cgi',`
- # If a user starts a script by hand it gets the proper context
++ # If a user starts a script by hand it gets the proper context
domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t)
-@@ -317,6 +237,25 @@ interface(`apache_domtrans',`
+ ')
+
+@@ -184,7 +180,7 @@ interface(`apache_role',`
+
+ ########################################
+ ## <summary>
+-## Read user httpd script executable files.
++## Read httpd user scripts executables.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -204,7 +200,7 @@ interface(`apache_read_user_scripts',`
+
+ ########################################
+ ## <summary>
+-## Read user httpd content.
++## Read user web content.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -224,7 +220,7 @@ interface(`apache_read_user_content',`
+
+ ########################################
+ ## <summary>
+-## Execute httpd with a domain transition.
++## Transition to apache.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -241,27 +237,28 @@ interface(`apache_domtrans',`
domtrans_pattern($1, httpd_exec_t, httpd_t)
')
+-########################################
+######################################
-+## <summary>
+ ## <summary>
+-## Execute httpd server in the httpd domain.
+## Allow the specified domain to execute apache
+## in the caller domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed to transition.
+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+ #
+-interface(`apache_initrc_domtrans',`
+interface(`apache_exec',`
-+ gen_require(`
+ gen_require(`
+- type httpd_initrc_exec_t;
+ type httpd_exec_t;
-+ ')
-+
+ ')
+
+- init_labeled_script_domtrans($1, httpd_initrc_exec_t)
+ can_exec($1, httpd_exec_t)
-+')
-+
+ ')
+
#######################################
## <summary>
- ## Send a generic signal to apache.
-@@ -405,7 +344,7 @@ interface(`apache_dontaudit_rw_fifo_file',`
+-## Send generic signals to httpd.
++## Send a generic signal to apache.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -279,7 +276,7 @@ interface(`apache_signal',`
+
+ ########################################
+ ## <summary>
+-## Send null signals to httpd.
++## Send a null signal to apache.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -297,7 +294,7 @@ interface(`apache_signull',`
+
+ ########################################
+ ## <summary>
+-## Send child terminated signals to httpd.
++## Send a SIGCHLD signal to apache.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -315,8 +312,7 @@ interface(`apache_sigchld',`
+
+ ########################################
+ ## <summary>
+-## Inherit and use file descriptors
+-## from httpd.
++## Inherit and use file descriptors from Apache.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -334,8 +330,8 @@ interface(`apache_use_fds',`
+
+ ########################################
+ ## <summary>
+-## Do not audit attempts to read and
+-## write httpd unnamed pipes.
++## Do not audit attempts to read and write Apache
++## unnamed pipes.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -348,13 +344,13 @@ interface(`apache_dontaudit_rw_fifo_file',`
type httpd_t;
')
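Review bot: `apache_exec` (the `+interface(`apache_exec',`` lines near the end of the hunk) grants `can_exec($1, httpd_exec_t)`, so the httpd binary runs in the caller's own domain with none of httpd_t's confinement; its summary should say that plainly, e.g. `## Execute the httpd binary in the caller domain (no domain transition; the caller's own policy applies).` The same position in the upstream file held `apache_initrc_domtrans` (inner `-interface(`apache_initrc_domtrans',``), which this version of the patch drops here; unless it is re-added elsewhere in the patch, any contrib module still calling it will fail to build. The apache_role body at the top of the hunk begins in the previous hunk.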
@@ -2605,72 +2787,174 @@ index 6480167..7b2ad39 100644
')
########################################
-@@ -487,7 +426,7 @@ interface(`apache_setattr_cache_dirs',`
- type httpd_cache_t;
- ')
+ ## <summary>
+-## Do not audit attempts to read and
+-## write httpd unix domain stream sockets.
++## Do not audit attempts to read and write Apache
++## unix domain stream sockets.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -372,8 +368,8 @@ interface(`apache_dontaudit_rw_stream_sockets',`
-- allow $1 httpd_cache_t:dir setattr;
-+ allow $1 httpd_cache_t:dir setattr_dir_perms;
- ')
+ ########################################
+ ## <summary>
+-## Do not audit attempts to read and
+-## write httpd TCP sockets.
++## Do not audit attempts to read and write Apache
++## TCP sockets.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -391,8 +387,7 @@ interface(`apache_dontaudit_rw_tcp_sockets',`
########################################
-@@ -531,6 +470,25 @@ interface(`apache_rw_cache_files',`
+ ## <summary>
+-## Create, read, write, and delete
+-## all httpd content.
++## Create, read, write, and delete all web content.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -417,7 +412,8 @@ interface(`apache_manage_all_content',`
+
########################################
## <summary>
- ## Allow the specified domain to delete
+-## Set attributes httpd cache directories.
++## Allow domain to set the attributes
++## of the APACHE cache directory.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -435,7 +431,8 @@ interface(`apache_setattr_cache_dirs',`
+
+ ########################################
+ ## <summary>
+-## List httpd cache directories.
++## Allow the specified domain to list
++## Apache cache.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -453,7 +450,8 @@ interface(`apache_list_cache',`
+
+ ########################################
+ ## <summary>
+-## Read and write httpd cache files.
++## Allow the specified domain to read
++## and write Apache cache files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -471,7 +469,8 @@ interface(`apache_rw_cache_files',`
+
+ ########################################
+ ## <summary>
+-## Delete httpd cache directories.
++## Allow the specified domain to delete
+## Apache cache dirs.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`apache_delete_cache_dirs',`
-+ gen_require(`
-+ type httpd_cache_t;
-+ ')
-+
-+ delete_dirs_pattern($1, httpd_cache_t, httpd_cache_t)
-+')
-+
-+########################################
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -489,7 +488,8 @@ interface(`apache_delete_cache_dirs',`
+
+ ########################################
+ ## <summary>
+-## Delete httpd cache files.
+## Allow the specified domain to delete
- ## Apache cache.
++## Apache cache.
## </summary>
## <param name="domain">
-@@ -549,6 +507,26 @@ interface(`apache_delete_cache_files',`
+ ## <summary>
+@@ -507,49 +507,51 @@ interface(`apache_delete_cache_files',`
########################################
## <summary>
+-## Read httpd configuration files.
+## Allow the specified domain to search
+## apache configuration dirs.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`apache_read_config',`
+interface(`apache_search_config',`
-+ gen_require(`
-+ type httpd_config_t;
-+ ')
-+
-+ files_search_etc($1)
+ gen_require(`
+ type httpd_config_t;
+ ')
+
+ files_search_etc($1)
+- allow $1 httpd_config_t:dir list_dir_perms;
+- read_files_pattern($1, httpd_config_t, httpd_config_t)
+- read_lnk_files_pattern($1, httpd_config_t, httpd_config_t)
+ allow $1 httpd_config_t:dir search_dir_perms;
-+')
-+
-+########################################
-+## <summary>
- ## Allow the specified domain to read
- ## apache configuration files.
+ ')
+
+ ########################################
+ ## <summary>
+-## Search httpd configuration directories.
++## Allow the specified domain to read
++## apache configuration files.
## </summary>
-@@ -641,6 +619,27 @@ interface(`apache_run_helper',`
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
++## <rolecap/>
+ #
+-interface(`apache_search_config',`
++interface(`apache_read_config',`
+ gen_require(`
+ type httpd_config_t;
+ ')
+
+ files_search_etc($1)
+- allow $1 httpd_config_t:dir search_dir_perms;
++ allow $1 httpd_config_t:dir list_dir_perms;
++ read_files_pattern($1, httpd_config_t, httpd_config_t)
++ read_lnk_files_pattern($1, httpd_config_t, httpd_config_t)
+ ')
########################################
## <summary>
+-## Create, read, write, and delete
+-## httpd configuration files.
++## Allow the specified domain to manage
++## apache configuration files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -570,8 +572,8 @@ interface(`apache_manage_config',`
+
+ ########################################
+ ## <summary>
+-## Execute the Apache helper program
+-## with a domain transition.
++## Execute the Apache helper program with
++## a domain transition.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -608,16 +610,38 @@ interface(`apache_domtrans_helper',`
+ #
+ interface(`apache_run_helper',`
+ gen_require(`
+- attribute_role httpd_helper_roles;
++ type httpd_helper_t;
+ ')
+
+ apache_domtrans_helper($1)
+- roleattribute $2 httpd_helper_roles;
++ role $2 types httpd_helper_t;
++')
++
++########################################
++## <summary>
+## dontaudit attempts to read
+## apache log files.
+## </summary>
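Review bot: `apache_run_helper` now does `role $2 types httpd_helper_t` against a `type httpd_helper_t` requirement (the `++` lines after `apache_domtrans_helper($1)`), reverting upstream's `attribute_role httpd_helper_roles` / `roleattribute $2 httpd_helper_roles` form. That is only consistent if the apache.te half of this patch does not itself rely on `httpd_helper_roles`; the .te side is outside this hunk, so confirm the two halves agree, otherwise the role assignment for the helper domain is silently incomplete. The `apache_dontaudit_read_log` interface opened at the bottom of the hunk continues into the next one.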
@@ -2688,14 +2972,27 @@ index 6480167..7b2ad39 100644
+
+ dontaudit $1 httpd_log_t:file read_file_perms;
+ dontaudit $1 httpd_log_t:lnk_file read_lnk_file_perms;
-+')
-+
-+########################################
-+## <summary>
- ## Allow the specified domain to read
- ## apache log files.
+ ')
+
+ ########################################
+ ## <summary>
+-## Read httpd log files.
++## Allow the specified domain to read
++## apache log files.
## </summary>
-@@ -683,6 +682,25 @@ interface(`apache_append_log',`
+ ## <param name="domain">
+ ## <summary>
+@@ -639,7 +663,8 @@ interface(`apache_read_log',`
+
+ ########################################
+ ## <summary>
+-## Append httpd log files.
++## Allow the specified domain to append
++## to apache log files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -657,10 +682,29 @@ interface(`apache_append_log',`
append_files_pattern($1, httpd_log_t, httpd_log_t)
')
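Review bot: The two `dontaudit $1 httpd_log_t:... read_*_perms` rules at the top of the hunk suppress the AVC record for read attempts on apache logs, which also removes the only evidence that a domain tried to read them; denials on log files are often worth keeping visible. A comment stating why the noise is acceptable for the callers of this interface would help the next reviewer, e.g. `# reads of httpd logs by $1 are expected and harmless here; silence the AVC`. The interface header is in the previous hunk.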
@@ -2720,43 +3017,88 @@ index 6480167..7b2ad39 100644
+
########################################
## <summary>
- ## Do not audit attempts to append to the
-@@ -699,7 +717,7 @@ interface(`apache_dontaudit_append_log',`
- type httpd_log_t;
- ')
+-## Do not audit attempts to append
+-## httpd log files.
++## Do not audit attempts to append to the
++## Apache logs.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -678,8 +722,8 @@ interface(`apache_dontaudit_append_log',`
-- dontaudit $1 httpd_log_t:file { getattr append };
-+ dontaudit $1 httpd_log_t:file append_file_perms;
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete
+-## httpd log files.
++## Allow the specified domain to manage
++## to apache log files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -698,47 +742,49 @@ interface(`apache_manage_log',`
+ read_lnk_files_pattern($1, httpd_log_t, httpd_log_t)
')
- ########################################
-@@ -745,6 +763,25 @@ interface(`apache_dontaudit_search_modules',`
+-#######################################
++########################################
+ ## <summary>
+-## Write apache log files.
++## Do not audit attempts to search Apache
++## module directories.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
++## Domain to not audit.
+ ## </summary>
+ ## </param>
+ #
+-interface(`apache_write_log',`
++interface(`apache_dontaudit_search_modules',`
+ gen_require(`
+- type httpd_log_t;
++ type httpd_modules_t;
+ ')
+
+- logging_search_logs($1)
+- write_files_pattern($1, httpd_log_t, httpd_log_t)
++ dontaudit $1 httpd_modules_t:dir search_dir_perms;
+ ')
########################################
## <summary>
+-## Do not audit attempts to search
+-## httpd module directories.
+## Allow the specified domain to read
+## the apache module directories.
-+## </summary>
-+## <param name="domain">
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain to not audit.
+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+ #
+-interface(`apache_dontaudit_search_modules',`
+interface(`apache_read_modules',`
-+ gen_require(`
-+ type httpd_modules_t;
-+ ')
-+
+ gen_require(`
+ type httpd_modules_t;
+ ')
+
+- dontaudit $1 httpd_modules_t:dir search_dir_perms;
+ read_files_pattern($1, httpd_modules_t, httpd_modules_t)
-+')
-+
-+########################################
-+## <summary>
- ## Allow the specified domain to list
- ## the contents of the apache modules
- ## directory.
-@@ -761,6 +798,7 @@ interface(`apache_list_modules',`
+ ')
+
+ ########################################
+ ## <summary>
+-## List httpd module directories.
++## Allow the specified domain to list
++## the contents of the apache modules
++## directory.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -752,11 +798,13 @@ interface(`apache_list_modules',`
')
allow $1 httpd_modules_t:dir list_dir_perms;
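Review bot: Upstream's `apache_write_log` interface (the inner `-interface(`apache_write_log',`` block carrying `write_files_pattern($1, httpd_log_t, httpd_log_t)`) is removed at this position and `apache_dontaudit_search_modules` takes its place; unless the patch re-adds it elsewhere, any module that calls `apache_write_log` no longer builds. If the removal is intentional, the commit message should name it, since a dropped public interface is not visible from the summary-only edits around it.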
@@ -2764,20 +3106,56 @@ index 6480167..7b2ad39 100644
')
########################################
-@@ -802,6 +840,43 @@ interface(`apache_domtrans_rotatelogs',`
- domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
+ ## <summary>
+-## Execute httpd module files.
++## Allow the specified domain to execute
++## apache modules.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -776,46 +824,63 @@ interface(`apache_exec_modules',`
+
+ ########################################
+ ## <summary>
+-## Read httpd module files.
++## Execute a domain transition to run httpd_rotatelogs.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
++## Domain allowed to transition.
+ ## </summary>
+ ## </param>
+ #
+-interface(`apache_read_module_files',`
++interface(`apache_domtrans_rotatelogs',`
+ gen_require(`
+- type httpd_modules_t;
++ type httpd_rotatelogs_t, httpd_rotatelogs_exec_t;
+ ')
+
+- libs_search_lib($1)
+- read_files_pattern($1, httpd_modules_t, httpd_modules_t)
++ domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
')
+-########################################
+#######################################
-+## <summary>
+ ## <summary>
+-## Execute a domain transition to
+-## run httpd_rotatelogs.
+## Execute httpd_rotatelogs in the caller domain.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
+-## Domain allowed to transition.
+-## </summary>
+## <summary>
+## Domain allowed to transition.
+## </summary>
-+## </param>
-+#
+ ## </param>
+ #
+-interface(`apache_domtrans_rotatelogs',`
+interface(`apache_exec_rotatelogs',`
+ gen_require(`
+ type httpd_rotatelogs_exec_t;
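Review bot: The parameter summary for `apache_exec_rotatelogs` still reads `## Domain allowed to transition.` (the lines just before `interface(`apache_exec_rotatelogs',``), but the interface summary two lines above says the program runs in the caller domain, so no transition takes place; `## Domain allowed access.` is the wording the rest of the file uses for that case. Separately, upstream's `apache_read_module_files`, removed in this hunk, carried `libs_search_lib($1)`, while its replacement `apache_read_modules` in the previous hunk only has `read_files_pattern`; callers that reach modules under a lib directory may now need the search rule themselves. The apache_exec_rotatelogs body continues in the next hunk.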
@@ -2797,18 +3175,26 @@ index 6480167..7b2ad39 100644
+## </param>
+#
+interface(`apache_exec_sys_script',`
-+ gen_require(`
+ gen_require(`
+- type httpd_rotatelogs_t, httpd_rotatelogs_exec_t;
+ type httpd_sys_script_exec_t;
-+ ')
-+
+ ')
+
+- corecmd_search_bin($1)
+- domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
+ allow $1 httpd_sys_script_exec_t:dir search_dir_perms;
+ can_exec($1, httpd_sys_script_exec_t)
-+')
-+
+ ')
+
########################################
## <summary>
- ## Allow the specified domain to list
-@@ -819,6 +894,7 @@ interface(`apache_list_sys_content',`
+-## List httpd system content directories.
++## Allow the specified domain to list
++## apache system content files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -829,13 +894,14 @@ interface(`apache_list_sys_content',`
')
list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
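Review bot: `apache_exec_sys_script` grants `can_exec($1, httpd_sys_script_exec_t)` plus directory search, so a system CGI script runs in the caller's domain instead of transitioning to the script domain, and whatever the script does is then governed by the caller's policy rather than by httpd_sys_script_t's. The interface header is in the previous hunk; its summary should state that plainly, e.g. `## Execute system web scripts in the caller domain (no transition to httpd_sys_script_t).`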
@@ -2816,10 +3202,28 @@ index 6480167..7b2ad39 100644
files_search_var($1)
')
-@@ -846,6 +922,74 @@ interface(`apache_manage_sys_content',`
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete
+-## httpd system content files.
++## Allow the specified domain to manage
++## apache system content files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -844,6 +910,7 @@ interface(`apache_list_sys_content',`
+ ## </param>
+ ## <rolecap/>
+ #
++# Note that httpd_sys_content_t is found in /var, /etc, /srv and /usr
+ interface(`apache_manage_sys_content',`
+ gen_require(`
+ type httpd_sys_content_t;
+@@ -855,32 +922,78 @@ interface(`apache_manage_sys_content',`
manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
')
+-########################################
+######################################
+## <summary>
+## Allow the specified domain to read
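Review bot: The new comment `# Note that httpd_sys_content_t is found in /var, /etc, /srv and /usr` above `apache_manage_sys_content` states a fact without its consequence for callers; the only parent-directory search visible nearby is `files_search_var($1)` in `apache_list_sys_content`. If the point is that this interface does not grant search on the other parents, say so: `# Note that httpd_sys_content_t is found in /var, /etc, /srv and /usr; callers needing the /etc, /srv or /usr locations must add the matching search interface themselves`. The body of apache_manage_sys_content is outside the hunk, so check which search calls it actually makes before wording it that way.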
@@ -2841,30 +3245,37 @@ index 6480167..7b2ad39 100644
+')
+
+######################################
-+## <summary>
+ ## <summary>
+-## Create, read, write, and delete
+-## httpd system rw content.
+## Allow the specified domain to manage
+## apache system content rw files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+## <rolecap/>
-+#
+ #
+-interface(`apache_manage_sys_rw_content',`
+interface(`apache_manage_sys_content_rw',`
-+ gen_require(`
-+ type httpd_sys_rw_content_t;
-+ ')
-+
+ gen_require(`
+ type httpd_sys_rw_content_t;
+ ')
+
+- apache_search_sys_content($1)
+ files_search_var($1)
-+ manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+ manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+- manage_files_pattern($1,httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+ manage_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
-+ manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
-+')
-+
-+########################################
-+## <summary>
+ manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Execute all httpd scripts in the
+-## system script domain.
+## Allow the specified domain to delete
+## apache system content rw files.
+## </summary>
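Review bot: `apache_manage_sys_content_rw` replaces upstream's `apache_manage_sys_rw_content` (inner `-interface(`apache_manage_sys_rw_content',``) under a different name and gains `<rolecap/>`; unless an alias with the upstream name survives elsewhere in the patch, modules written against upstream break at build time. The body also swaps `apache_search_sys_content($1)` for `files_search_var($1)`, which only reaches the /var location; given the note added earlier in the file that `httpd_sys_content_t` also lives under /etc, /srv and /usr, rw content placed under those paths may be unreachable through this interface alone. A one-line comment above the `files_search_var` call saying the rw content is expected under /var would make that intent explicit.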
@@ -2888,10 +3299,19 @@ index 6480167..7b2ad39 100644
+ delete_sock_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+')
+
- ########################################
- ## <summary>
- ## Execute all web scripts in the system
-@@ -862,7 +1006,12 @@ interface(`apache_manage_sys_content',`
++########################################
++## <summary>
++## Execute all web scripts in the system
++## script domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -888,10 +1001,17 @@ interface(`apache_manage_sys_rw_content',`
+ ## </summary>
+ ## </param>
+ #
++# cjp: this interface specifically added to allow
++# sysadm_t to run scripts
interface(`apache_domtrans_sys_script',`
gen_require(`
attribute httpdcontent;
@@ -2905,19 +3325,46 @@ index 6480167..7b2ad39 100644
')
tunable_policy(`httpd_enable_cgi && httpd_unified',`
-@@ -921,9 +1070,10 @@ interface(`apache_domtrans_all_scripts',`
- ## </param>
- ## <param name="role">
+@@ -901,9 +1021,8 @@ interface(`apache_domtrans_sys_script',`
+
+ ########################################
+ ## <summary>
+-## Do not audit attempts to read and
+-## write httpd system script unix
+-## domain stream sockets.
++## Do not audit attempts to read and write Apache
++## system script unix domain stream sockets.
+ ## </summary>
+ ## <param name="domain">
## <summary>
--## Role allowed access..
-+## Role allowed access.
+@@ -941,7 +1060,7 @@ interface(`apache_domtrans_all_scripts',`
+ ########################################
+ ## <summary>
+ ## Execute all user scripts in the user
+-## script domain. Add user script domains
++## script domain. Add user script domains
+ ## to the specified role.
+ ## </summary>
+ ## <param name="domain">
+@@ -954,6 +1073,7 @@ interface(`apache_domtrans_all_scripts',`
+ ## Role allowed access.
## </summary>
## </param>
+## <rolecap/>
#
interface(`apache_run_all_scripts',`
gen_require(`
-@@ -950,7 +1100,7 @@ interface(`apache_read_squirrelmail_data',`
+@@ -966,7 +1086,8 @@ interface(`apache_run_all_scripts',`
+
+ ########################################
+ ## <summary>
+-## Read httpd squirrelmail data files.
++## Allow the specified domain to read
++## apache squirrelmail data.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -979,12 +1100,13 @@ interface(`apache_read_squirrelmail_data',`
type httpd_squirrelmail_t;
')
@@ -2926,7 +3373,93 @@ index 6480167..7b2ad39 100644
')
########################################
-@@ -1091,6 +1241,25 @@ interface(`apache_read_tmp_files',`
+ ## <summary>
+-## Append httpd squirrelmail data files.
++## Allow the specified domain to append
++## apache squirrelmail data.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -1002,7 +1124,7 @@ interface(`apache_append_squirrelmail_data',`
+
+ ########################################
+ ## <summary>
+-## Search httpd system content.
++## Search apache system content.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -1015,13 +1137,12 @@ interface(`apache_search_sys_content',`
+ type httpd_sys_content_t;
+ ')
+
+- files_search_var($1)
+ allow $1 httpd_sys_content_t:dir search_dir_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Read httpd system content.
++## Read apache system content.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -1041,7 +1162,7 @@ interface(`apache_read_sys_content',`
+
+ ########################################
+ ## <summary>
+-## Search httpd system CGI directories.
++## Search apache system CGI directories.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -1059,8 +1180,7 @@ interface(`apache_search_sys_scripts',`
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete all
+-## user httpd content.
++## Create, read, write, and delete all user web content.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -1070,13 +1190,22 @@ interface(`apache_search_sys_scripts',`
+ ## <rolecap/>
+ #
+ interface(`apache_manage_all_user_content',`
+- refpolicywarn(`$0($*) has been deprecated, use apache_manage_all_content() instead.')
+- apache_manage_all_content($1)
++ gen_require(`
++ attribute httpd_user_content_type, httpd_user_script_exec_type;
++ ')
++
++ manage_dirs_pattern($1, httpd_user_content_type, httpd_user_content_type)
++ manage_files_pattern($1, httpd_user_content_type, httpd_user_content_type)
++ manage_lnk_files_pattern($1, httpd_user_content_type, httpd_user_content_type)
++
++ manage_dirs_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
++ manage_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
++ manage_lnk_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
+ ')
+
+ ########################################
+ ## <summary>
+-## Search system script state directories.
++## Search system script state directory.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -1094,7 +1223,8 @@ interface(`apache_search_sys_script_state',`
+
+ ########################################
+ ## <summary>
+-## Read httpd tmp files.
++## Allow the specified domain to read
++## apache tmp files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -1111,10 +1241,29 @@ interface(`apache_read_tmp_files',`
read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
')
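Review bot: `apache_manage_all_user_content` is turned back into a live interface: the `refpolicywarn(... deprecated ...)` line and the forwarding call to `apache_manage_all_content` are removed, and it now grants manage over `httpd_user_content_type` and `httpd_user_script_exec_type` directly. The second attribute covers user CGI executables, so a caller can create or rewrite scripts that later run in the user script domains; the `<rolecap/>` above indicates this is meant for administrative roles, and a comment saying so, e.g. `# manage covers user script executables; intended for administrative roles only`, would stop it being reused casually. Also, `files_search_var($1)` is dropped from `apache_search_sys_content` (inner `- files_search_var($1)` further down the hunk), so callers that relied on it for the /var path now need their own search rule; this mirrors the change to apache_manage_sys_content_rw earlier in the file and looks deliberate, but it is worth a line in the commit message.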
@@ -2951,8 +3484,14 @@ index 6480167..7b2ad39 100644
+
########################################
## <summary>
- ## Dontaudit attempts to write
-@@ -1107,7 +1276,7 @@ interface(`apache_dontaudit_write_tmp_files',`
+-## Do not audit attempts to write
+-## httpd tmp files.
++## Dontaudit attempts to write
++## apache tmp files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -1127,7 +1276,7 @@ interface(`apache_dontaudit_write_tmp_files',`
type httpd_tmp_t;
')
@@ -2961,21 +3500,29 @@ index 6480167..7b2ad39 100644
')
########################################
-@@ -1148,14 +1317,31 @@ interface(`apache_cgi_domain',`
+@@ -1136,6 +1285,9 @@ interface(`apache_dontaudit_write_tmp_files',`
+ ## </summary>
+ ## <desc>
+ ## <p>
++## Execute CGI in the specified domain.
++## </p>
++## <p>
+ ## This is an interface to support third party modules
+ ## and its use is not allowed in upstream reference
+ ## policy.
+@@ -1165,8 +1317,30 @@ interface(`apache_cgi_domain',`
########################################
## <summary>
--## All of the rules required to administrate an apache environment
+-## All of the rules required to
+-## administrate an apache environment.
+## Execute httpd server in the httpd domain.
- ## </summary>
--## <param name="prefix">
++## </summary>
+## <param name="domain">
- ## <summary>
--## Prefix of the domain. Example, user would be
--## the prefix for the uder_t domain.
++## <summary>
+## Domain allowed to transition.
- ## </summary>
- ## </param>
++## </summary>
++## </param>
+#
+interface(`apache_systemctl',`
+ gen_require(`
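Review bot: The summary above `interface(`apache_systemctl',`` (`+## Execute httpd server in the httpd domain.` together with `+## Domain allowed to transition.`) describes a domain transition, not a systemctl interface; the body is outside the hunk, so I cannot say what it grants, but the name and the `httpd_unit_file_t` requirement that apache_admin picks up further down suggest unit-file management. Proposed wording, to be checked against the body: `## Allow the specified domain to manage the httpd service via systemctl.` and `## Domain allowed access.`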
@@ -2993,70 +3540,67 @@ index 6480167..7b2ad39 100644
+########################################
+## <summary>
+## All of the rules required to administrate an apache environment
-+## </summary>
+ ## </summary>
## <param name="domain">
## <summary>
- ## Domain allowed access.
-@@ -1170,19 +1356,21 @@ interface(`apache_cgi_domain',`
- #
+@@ -1183,18 +1357,19 @@ interface(`apache_cgi_domain',`
interface(`apache_admin',`
gen_require(`
-- attribute httpdcontent;
-- attribute httpd_script_exec_type;
--
-+ attribute httpdcontent, httpd_script_exec_type;
+ attribute httpdcontent, httpd_script_exec_type;
+- attribute httpd_script_domains, httpd_htaccess_type;
type httpd_t, httpd_config_t, httpd_log_t;
-- type httpd_modules_t, httpd_lock_t;
-- type httpd_var_run_t, httpd_php_tmp_t;
+- type httpd_modules_t, httpd_lock_t, httpd_helper_t;
+- type httpd_var_run_t, httpd_keytab_t, httpd_passwd_t;
+- type httpd_suexec_tmp_t, httpd_tmp_t, httpd_rotatelogs_t;
+- type httpd_initrc_exec_t, httpd_suexec_t;
+ type httpd_modules_t, httpd_lock_t, httpd_bool_t;
+ type httpd_var_run_t, httpd_php_tmp_t, httpd_initrc_exec_t;
- type httpd_suexec_tmp_t, httpd_tmp_t;
-- type httpd_initrc_exec_t;
++ type httpd_suexec_tmp_t, httpd_tmp_t;
+ type httpd_unit_file_t;
')
-- allow $1 httpd_t:process { getattr ptrace signal_perms };
+- allow $1 { httpd_script_domains httpd_t httpd_helper_t }:process { ptrace signal_perms };
+- allow $1 { httpd_rotatelogs_t httpd_suexec_t httpd_passwd_t }:process { ptrace signal_perms };
+- ps_process_pattern($1, { httpd_script_domains httpd_t httpd_helper_t })
+- ps_process_pattern($1, { httpd_rotatelogs_t httpd_suexec_t httpd_passwd_t })
+ allow $1 httpd_t:process signal_perms;
- ps_process_pattern($1, httpd_t)
-
++ ps_process_pattern($1, httpd_t)
++
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 httpd_t:process ptrace;
+ ')
-+
+
init_labeled_script_domtrans($1, httpd_initrc_exec_t)
domain_system_change_exemption($1)
- role_transition $2 httpd_initrc_exec_t system_r;
-@@ -1191,10 +1379,10 @@ interface(`apache_admin',`
+@@ -1204,10 +1379,10 @@ interface(`apache_admin',`
apache_manage_all_content($1)
miscfiles_manage_public_files($1)
- files_search_etc($1)
+- admin_pattern($1, { httpd_config_t httpd_keytab_t })
+ files_list_etc($1)
- admin_pattern($1, httpd_config_t)
++ admin_pattern($1, httpd_config_t)
- logging_search_logs($1)
+ logging_list_logs($1)
admin_pattern($1, httpd_log_t)
admin_pattern($1, httpd_modules_t)
-@@ -1205,14 +1393,106 @@ interface(`apache_admin',`
+@@ -1218,9 +1393,106 @@ interface(`apache_admin',`
admin_pattern($1, httpd_var_run_t)
files_pid_filetrans($1, httpd_var_run_t, file)
-- kernel_search_proc($1)
-- allow $1 httpd_t:dir list_dir_perms;
--
-- read_lnk_files_pattern($1, httpd_t, httpd_t)
--
- admin_pattern($1, httpdcontent)
- admin_pattern($1, httpd_script_exec_type)
+- admin_pattern($1, { httpdcontent httpd_script_exec_type httpd_htaccess_type })
+- admin_pattern($1, { httpd_tmp_t httpd_suexec_tmp_t })
++ admin_pattern($1, httpdcontent)
++ admin_pattern($1, httpd_script_exec_type)
+
+ seutil_domtrans_setfiles($1)
+
+ files_list_tmp($1)
- admin_pattern($1, httpd_tmp_t)
- admin_pattern($1, httpd_php_tmp_t)
- admin_pattern($1, httpd_suexec_tmp_t)
++ admin_pattern($1, httpd_tmp_t)
++ admin_pattern($1, httpd_php_tmp_t)
++ admin_pattern($1, httpd_suexec_tmp_t)
+
+ apache_systemctl($1)
+ admin_pattern($1, httpd_unit_file_t)
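Review bot: The rewritten apache_admin rules leave only httpd_t as the target of `allow $1 httpd_t:process signal_perms;` and `ps_process_pattern($1, httpd_t)`, while the upstream lines this patch now removes (`+- allow $1 { httpd_script_domains httpd_t httpd_helper_t }:process ...` and the rotatelogs/suexec/passwd line) also covered the script, helper, suexec and rotatelogs domains; unless those are granted elsewhere, an apache admin can no longer list or signal a stuck CGI or rotatelogs process. The same narrowing applies to `admin_pattern($1, httpd_config_t)`, which no longer includes httpd_keytab_t; if that type exists in the downstream policy it should be re-added, otherwise a comment such as `# httpd_keytab_t is not declared downstream` at the point of removal would save the next merge from re-adding it blindly. `httpd_bool_t` is listed in gen_require but is not used in the visible lines; apache_admin continues past the end of the hunk, so it may be used further down.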
@@ -3143,7 +3687,9 @@ index 6480167..7b2ad39 100644
+ type httpd_user_content_t, httpd_user_script_exec_t, httpd_user_htaccess_t;
+ type httpd_user_content_ra_t;
+ ')
-+
+
+- apache_run_all_scripts($1, $2)
+- apache_run_helper($1, $2)
+ userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "public_html")
+ userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "www")
+ userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "web")
@@ -3152,101 +3698,180 @@ index 6480167..7b2ad39 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/apache.te b/apache.te
-index 0833afb..2864927 100644
+index 1a82e29..44dae79 100644
--- a/apache.te
+++ b/apache.te
-@@ -18,6 +18,8 @@ policy_module(apache, 2.4.0)
+@@ -1,297 +1,353 @@
+-policy_module(apache, 2.6.10)
++policy_module(apache, 2.4.0)
++
++#
++# NOTES:
++# This policy will work with SUEXEC enabled as part of the Apache
++# configuration. However, the user CGI scripts will run under the
++# system_u:system_r:httpd_user_script_t.
++#
++# The user CGI scripts must be labeled with the httpd_user_script_exec_t
++# type, and the directory containing the scripts should also be labeled
++# with these types. This policy allows the user role to perform that
++# relabeling. If it is desired that only admin role should be able to relabel
++# the user CGI scripts, then relabel rule for user roles should be removed.
++#
+
+ ########################################
+ #
# Declarations
#
+selinux_genbool(httpd_bool_t)
+
## <desc>
- ## <p>
- ## Allow Apache to modify public files
-@@ -25,14 +27,35 @@ policy_module(apache, 2.4.0)
- ## be labeled public_content_rw_t.
- ## </p>
+-## <p>
+-## Determine whether httpd can modify
+-## public files used for public file
+-## transfer services. Directories/Files must
+-## be labeled public_content_rw_t.
+-## </p>
++## <p>
++## Allow Apache to modify public files
++## used for public file transfer services. Directories/Files must
++## be labeled public_content_rw_t.
++## </p>
## </desc>
-gen_tunable(allow_httpd_anon_write, false)
+gen_tunable(httpd_anon_write, false)
## <desc>
- ## <p>
- ## Allow Apache to use mod_auth_pam
- ## </p>
+-## <p>
+-## Determine whether httpd can use mod_auth_pam.
+-## </p>
++## <p>
++## Allow Apache to use mod_auth_pam
++## </p>
## </desc>
-gen_tunable(allow_httpd_mod_auth_pam, false)
+gen_tunable(httpd_mod_auth_pam, false)
-+
-+## <desc>
+
+ ## <desc>
+-## <p>
+-## Determine whether httpd can use built in scripting.
+-## </p>
+## <p>
+## Allow Apache to use mod_auth_ntlm_winbind
+## </p>
-+## </desc>
+ ## </desc>
+-gen_tunable(httpd_builtin_scripting, false)
+gen_tunable(httpd_mod_auth_ntlm_winbind, false)
-+
-+## <desc>
+
+ ## <desc>
+-## <p>
+-## Determine whether httpd can check spam.
+-## </p>
+## <p>
+## Allow httpd scripts and modules execmem/execstack
+## </p>
-+## </desc>
+ ## </desc>
+-gen_tunable(httpd_can_check_spam, false)
+gen_tunable(httpd_execmem, false)
-+
-+## <desc>
+
+ ## <desc>
+-## <p>
+-## Determine whether httpd scripts and modules
+-## can connect to the network using TCP.
+-## </p>
+## <p>
+## Allow httpd processes to manage IPA content
+## </p>
+## </desc>
+gen_tunable(httpd_manage_ipa, false)
-
- ## <desc>
- ## <p>
-@@ -50,6 +73,20 @@ gen_tunable(httpd_can_network_connect, false)
-
- ## <desc>
- ## <p>
-+## Allow HTTPD scripts and modules to connect to cobbler over the network.
++
++## <desc>
++## <p>
++## Allow httpd to use built in scripting (usually php)
+## </p>
+## </desc>
-+gen_tunable(httpd_can_network_connect_cobbler, false)
++gen_tunable(httpd_builtin_scripting, false)
+
+## <desc>
+## <p>
++## Allow HTTPD scripts and modules to connect to the network using TCP.
++## </p>
+ ## </desc>
+ gen_tunable(httpd_can_network_connect, false)
+
+ ## <desc>
+-## <p>
+-## Determine whether httpd scripts and modules
+-## can connect to cobbler over the network.
+-## </p>
++## <p>
++## Allow HTTPD scripts and modules to connect to cobbler over the network.
++## </p>
+ ## </desc>
+ gen_tunable(httpd_can_network_connect_cobbler, false)
+
+ ## <desc>
+-## <p>
+-## Determine whether scripts and modules can
+-## connect to databases over the network.
+-## </p>
++## <p>
+## Allow HTTPD to connect to port 80 for graceful shutdown
+## </p>
-+## </desc>
+ ## </desc>
+-gen_tunable(httpd_can_network_connect_db, false)
+gen_tunable(httpd_graceful_shutdown, false)
-+
-+## <desc>
+
+ ## <desc>
+-## <p>
+-## Determine whether httpd can connect to
+-## ldap over the network.
+-## </p>
+## <p>
- ## Allow HTTPD scripts and modules to connect to databases over the network.
- ## </p>
++## Allow HTTPD scripts and modules to connect to databases over the network.
++## </p>
## </desc>
-@@ -57,12 +94,33 @@ gen_tunable(httpd_can_network_connect_db, false)
+-gen_tunable(httpd_can_network_connect_ldap, false)
++gen_tunable(httpd_can_network_connect_db, false)
## <desc>
- ## <p>
+-## <p>
+-## Determine whether httpd can connect
+-## to memcache server over the network.
+-## </p>
++## <p>
+## Allow httpd to connect to memcache server
+## </p>
-+## </desc>
+ ## </desc>
+-gen_tunable(httpd_can_network_connect_memcache, false)
+gen_tunable(httpd_can_network_memcache, false)
-+
-+## <desc>
+
+ ## <desc>
+-## <p>
+-## Determine whether httpd can act as a relay.
+-## </p>
+## <p>
- ## Allow httpd to act as a relay
- ## </p>
++## Allow httpd to act as a relay
++## </p>
## </desc>
gen_tunable(httpd_can_network_relay, false)
## <desc>
+-## <p>
+-## Determine whether httpd daemon can
+-## connect to zabbix over the network.
+-## </p>
+## <p>
+## Allow http daemon to connect to zabbix
+## </p>
-+## </desc>
+ ## </desc>
+-gen_tunable(httpd_can_network_connect_zabbix, false)
+gen_tunable(httpd_can_connect_zabbix, false)
-+
-+## <desc>
+
+ ## <desc>
+-## <p>
+-## Determine whether httpd can send mail.
+-## </p>
+## <p>
+## Allow http daemon to check spam
+## </p>
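Review bot: The merged patch keeps `policy_module(apache, 2.4.0)` in place of upstream's `policy_module(apache, 2.6.10)`, so the module version goes backwards relative to the upstream content it now carries; it should be bumped to at least the upstream value so `semodule -l` and future merges can tell which base this tracks. In the same hunk the upstream booleans `httpd_can_network_connect_memcache` and `httpd_can_network_connect_zabbix` are removed in favour of the downstream names `httpd_can_network_memcache` and `httpd_can_connect_zabbix`, and the next hunk does the same for `httpd_can_network_connect_ldap` versus `httpd_can_connect_ldap`; a site that has persisted a boolean under the upstream name, or follows upstream documentation, gets no effect and no error. If the downstream names are to stay, a booleans.subs_dist mapping, or at minimum a comment at each rename such as `# upstream name: httpd_can_network_connect_memcache`, would make the divergence explicit.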
@@ -3254,101 +3879,233 @@ index 0833afb..2864927 100644
+gen_tunable(httpd_can_check_spam, false)
+
+## <desc>
- ## <p>
- ## Allow http daemon to send mail
- ## </p>
-@@ -93,6 +151,21 @@ gen_tunable(httpd_enable_ftp_server, false)
++## <p>
++## Allow http daemon to send mail
++## </p>
+ ## </desc>
+ gen_tunable(httpd_can_sendmail, false)
+
+ ## <desc>
+-## <p>
+-## Determine whether httpd can communicate
+-## with avahi service via dbus.
+-## </p>
++## <p>
++## Allow Apache to communicate with avahi service via dbus
++## </p>
+ ## </desc>
+ gen_tunable(httpd_dbus_avahi, false)
+
+ ## <desc>
+-## <p>
+-## Determine wether httpd can use support.
+-## </p>
++## <p>
++## Allow httpd cgi support
++## </p>
+ ## </desc>
+ gen_tunable(httpd_enable_cgi, false)
+
+ ## <desc>
+-## <p>
+-## Determine whether httpd can act as a
+-## FTP server by listening on the ftp port.
+-## </p>
++## <p>
++## Allow httpd to act as a FTP server by
++## listening on the ftp port.
++## </p>
+ ## </desc>
+ gen_tunable(httpd_enable_ftp_server, false)
## <desc>
- ## <p>
+-## <p>
+-## Determine whether httpd can traverse
+-## user home directories.
+-## </p>
++## <p>
+## Allow httpd to act as a FTP client
+## connecting to the ftp port and ephemeral ports
+## </p>
-+## </desc>
+ ## </desc>
+-gen_tunable(httpd_enable_homedirs, false)
+gen_tunable(httpd_can_connect_ftp, false)
-+
-+## <desc>
+
+ ## <desc>
+-## <p>
+-## Determine whether httpd gpg can modify
+-## public files used for public file
+-## transfer services. Directories/Files must
+-## be labeled public_content_rw_t.
+-## </p>
+## <p>
+## Allow httpd to connect to the ldap port
+## </p>
-+## </desc>
+ ## </desc>
+-gen_tunable(httpd_gpg_anon_write, false)
+gen_tunable(httpd_can_connect_ldap, false)
-+
-+## <desc>
+
+ ## <desc>
+-## <p>
+-## Determine whether httpd can execute
+-## its temporary content.
+-## </p>
+## <p>
- ## Allow httpd to read home directories
- ## </p>
++## Allow httpd to read home directories
++## </p>
## </desc>
-@@ -100,6 +173,27 @@ gen_tunable(httpd_enable_homedirs, false)
+-gen_tunable(httpd_tmp_exec, false)
++gen_tunable(httpd_enable_homedirs, false)
## <desc>
- ## <p>
+-## <p>
+-## Determine whether httpd scripts and
+-## modules can use execmem and execstack.
+-## </p>
++## <p>
+## Allow httpd to read user content
+## </p>
-+## </desc>
+ ## </desc>
+-gen_tunable(httpd_execmem, false)
+gen_tunable(httpd_read_user_content, false)
-+
-+## <desc>
+
+ ## <desc>
+-## <p>
+-## Determine whether httpd can connect
+-## to port 80 for graceful shutdown.
+-## </p>
+## <p>
+## Allow Apache to run in stickshift mode, not transition to passenger
+## </p>
-+## </desc>
+ ## </desc>
+-gen_tunable(httpd_graceful_shutdown, false)
+gen_tunable(httpd_run_stickshift, false)
-+
-+## <desc>
+
+ ## <desc>
+-## <p>
+-## Determine whether httpd can
+-## manage IPA content files.
+-## </p>
+## <p>
+## Allow Apache to query NS records
+## </p>
-+## </desc>
+ ## </desc>
+-gen_tunable(httpd_manage_ipa, false)
+gen_tunable(httpd_verify_dns, false)
-+
-+## <desc>
+
+ ## <desc>
+-## <p>
+-## Determine whether httpd can use mod_auth_ntlm_winbind.
+-## </p>
+## <p>
- ## Allow httpd daemon to change its resource limits
- ## </p>
++## Allow httpd daemon to change its resource limits
++## </p>
+ ## </desc>
+-gen_tunable(httpd_mod_auth_ntlm_winbind, false)
++gen_tunable(httpd_setrlimit, false)
+
+ ## <desc>
+-## <p>
+-## Determine whether httpd can read
+-## generic user home content files.
+-## </p>
++## <p>
++## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
++## </p>
## </desc>
-@@ -114,6 +208,13 @@ gen_tunable(httpd_ssi_exec, false)
+-gen_tunable(httpd_read_user_content, false)
++gen_tunable(httpd_ssi_exec, false)
## <desc>
- ## <p>
+-## <p>
+-## Determine whether httpd can change
+-## its resource limits.
+-## </p>
++## <p>
+## Allow Apache to execute tmp content.
+## </p>
-+## </desc>
+ ## </desc>
+-gen_tunable(httpd_setrlimit, false)
+gen_tunable(httpd_tmp_exec, false)
-+
-+## <desc>
+
+ ## <desc>
+-## <p>
+-## Determine whether httpd can run
+-## SSI executables in the same domain
+-## as system CGI scripts.
+-## </p>
++## <p>
++## Unify HTTPD to communicate with the terminal.
++## Needed for entering the passphrase for certificates at
++## the terminal.
++## </p>
+ ## </desc>
+-gen_tunable(httpd_ssi_exec, false)
++gen_tunable(httpd_tty_comm, false)
+
+ ## <desc>
+-## <p>
+-## Determine whether httpd can communicate
+-## with the terminal. Needed for entering the
+-## passphrase for certificates at the terminal.
+-## </p>
+## <p>
- ## Unify HTTPD to communicate with the terminal.
- ## Needed for entering the passphrase for certificates at
- ## the terminal.
-@@ -130,12 +231,26 @@ gen_tunable(httpd_unified, false)
++## Unify HTTPD handling of all content files.
++## </p>
+ ## </desc>
+-gen_tunable(httpd_tty_comm, false)
++gen_tunable(httpd_unified, false)
## <desc>
- ## <p>
+-## <p>
+-## Determine whether httpd can have full access
+-## to its content types.
+-## </p>
++## <p>
+## Allow httpd to access openstack ports
+## </p>
-+## </desc>
+ ## </desc>
+-gen_tunable(httpd_unified, false)
+gen_tunable(httpd_use_openstack, false)
-+
-+## <desc>
+
+ ## <desc>
+-## <p>
+-## Determine whether httpd can use
+-## cifs file systems.
+-## </p>
+## <p>
- ## Allow httpd to access cifs file systems
- ## </p>
++## Allow httpd to access cifs file systems
++## </p>
## </desc>
gen_tunable(httpd_use_cifs, false)
## <desc>
-+## <p>
+ ## <p>
+-## Determine whether httpd can
+-## use fuse file systems.
+## Allow httpd to access FUSE file systems
-+## </p>
-+## </desc>
-+gen_tunable(httpd_use_fusefs, false)
-+
-+## <desc>
- ## <p>
- ## Allow httpd to run gpg
- ## </p>
-@@ -149,12 +264,28 @@ gen_tunable(httpd_use_gpg, false)
+ ## </p>
+ ## </desc>
+ gen_tunable(httpd_use_fusefs, false)
+
+ ## <desc>
+-## <p>
+-## Determine whether httpd can use gpg.
+-## </p>
++## <p>
++## Allow httpd to run gpg
++## </p>
+ ## </desc>
+ gen_tunable(httpd_use_gpg, false)
+
+ ## <desc>
+-## <p>
+-## Determine whether httpd can use
+-## nfs file systems.
+-## </p>
++## <p>
++## Allow httpd to access nfs file systems
++## </p>
## </desc>
gen_tunable(httpd_use_nfs, false)
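Review bot: The `<desc>` text that now precedes `gen_tunable(httpd_tty_comm, false)` reads `## Unify HTTPD to communicate with the terminal.`, which is the httpd_unified wording and is what `semanage boolean -l` will show for this boolean; the upstream sentence this hunk deletes, `Determine whether httpd can communicate with the terminal`, was accurate, so the line should become `## Allow HTTPD to communicate with the terminal.`. This hunk also drops upstream's `gen_tunable(httpd_gpg_anon_write, false)` with no replacement in view; if any `tunable_policy(`httpd_gpg_anon_write', ...)` block survives further down in apache.te the module will fail to build, and if not, the boolean's absence relative to upstream is worth a one-line comment next to `gen_tunable(httpd_use_gpg, false)`.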
@@ -3367,18 +4124,25 @@ index 0833afb..2864927 100644
+gen_tunable(httpd_use_oddjob, false)
+
attribute httpdcontent;
- attribute httpd_user_content_type;
+-attribute httpd_htaccess_type;
++attribute httpd_user_content_type;
+attribute httpd_content_type;
- # domains that can exec all users scripts
+-# domains that can exec all scripts
++# domains that can exec all users scripts
attribute httpd_exec_scripts;
+attribute httpd_script_type;
attribute httpd_script_exec_type;
- attribute httpd_user_script_exec_type;
++attribute httpd_user_script_exec_type;
-@@ -163,6 +294,10 @@ attribute httpd_script_domains;
+-# all script domains
++# user script domains
+ attribute httpd_script_domains;
+-attribute_role httpd_helper_roles;
+-roleattribute system_r httpd_helper_roles;
+-
type httpd_t;
type httpd_exec_t;
+ifdef(`distro_redhat',`
@@ -3386,18 +4150,25 @@ index 0833afb..2864927 100644
+ typealias httpd_exec_t alias phpfpm_exec_t;
+')
init_daemon_domain(httpd_t, httpd_exec_t)
- role system_r types httpd_t;
++role system_r types httpd_t;
-@@ -173,7 +308,7 @@ files_type(httpd_cache_t)
++# httpd_cache_t is the type given to the /var/cache/httpd
++# directory and the files under that directory
+ type httpd_cache_t;
+ files_type(httpd_cache_t)
- # httpd_config_t is the type given to the configuration files
++# httpd_config_t is the type given to the configuration files
type httpd_config_t;
--files_type(httpd_config_t)
-+files_config_file(httpd_config_t)
+ files_config_file(httpd_config_t)
type httpd_helper_t;
type httpd_helper_exec_t;
-@@ -184,10 +319,19 @@ role system_r types httpd_helper_t;
+-application_domain(httpd_helper_t, httpd_helper_exec_t)
+-role httpd_helper_roles types httpd_helper_t;
++domain_type(httpd_helper_t)
++domain_entry_file(httpd_helper_t, httpd_helper_exec_t)
++role system_r types httpd_helper_t;
+
type httpd_initrc_exec_t;
init_script_file(httpd_initrc_exec_t)
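Review bot: `domain_type(httpd_helper_t)` and `domain_entry_file(httpd_helper_t, httpd_helper_exec_t)` spell out by hand what upstream expressed as `application_domain(httpd_helper_t, httpd_helper_exec_t)`, and the role attribute `httpd_helper_roles` is replaced with a fixed `role system_r types httpd_helper_t;`. If the only goal is to avoid the role attribute, keeping upstream's `application_domain(...)` call and adding the role line would make the downstream delta smaller and easier to re-merge. If `application_domain` is avoided on purpose (it may attach attributes the downstream does not want on this domain), a comment saying so at the declaration would stop a future merge from re-introducing it.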
@@ -3416,11 +4187,43 @@ index 0833afb..2864927 100644
+')
logging_log_file(httpd_log_t)
- # httpd_modules_t is the type given to module files (libraries)
-@@ -223,7 +367,21 @@ files_tmp_file(httpd_suexec_tmp_t)
-
- # setup the system domain for system CGI scripts
++# httpd_modules_t is the type given to module files (libraries)
++# that come with Apache /etc/httpd/modules and /usr/lib/apache
+ type httpd_modules_t;
+ files_type(httpd_modules_t)
+
++type httpd_php_t;
++type httpd_php_exec_t;
++domain_type(httpd_php_t)
++domain_entry_file(httpd_php_t, httpd_php_exec_t)
++role system_r types httpd_php_t;
++
++type httpd_php_tmp_t;
++files_tmp_file(httpd_php_tmp_t)
++
+ type httpd_rotatelogs_t;
+ type httpd_rotatelogs_exec_t;
+ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
+@@ -299,10 +355,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
+ type httpd_squirrelmail_t;
+ files_type(httpd_squirrelmail_t)
+
+-type squirrelmail_spool_t;
+-files_tmp_file(squirrelmail_spool_t)
+-
+-type httpd_suexec_t;
++# SUEXEC runs user scripts as their own user ID
++type httpd_suexec_t; #, daemon;
+ type httpd_suexec_exec_t;
+ domain_type(httpd_suexec_t)
+ domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t)
+@@ -311,9 +365,23 @@ role system_r types httpd_suexec_t;
+ type httpd_suexec_tmp_t;
+ files_tmp_file(httpd_suexec_tmp_t)
+
++# setup the system domain for system CGI scripts
apache_content_template(sys)
+-corecmd_shell_entry_type(httpd_sys_script_t)
-typealias httpd_sys_content_t alias ntop_http_content_t;
+
+optional_policy(`
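Review bot: `type httpd_suexec_t; #, daemon;` carries a dead comment fragment on the declaration and should be just `type httpd_suexec_t;`. The `httpd_php_t` domain placed here is declared with `domain_type`, `domain_entry_file` and a system_r role, but no transition into it from httpd_t is visible in this hunk, and the later local-policy hunk removes upstream's `domtrans_pattern(httpd_t, ...)` lines for the helper, passwd, rotatelogs and suexec domains while re-adding only `apache_domtrans_rotatelogs(httpd_t)`; if the php, helper and suexec transitions live in a part of apache.te outside this diff that is fine, otherwise those domains are unreachable from the server. A one-line comment above `type httpd_php_t;` naming where the transition is declared would settle this.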
@@ -3440,7 +4243,7 @@ index 0833afb..2864927 100644
type httpd_tmp_t;
files_tmp_file(httpd_tmp_t)
-@@ -233,6 +391,11 @@ files_tmpfs_file(httpd_tmpfs_t)
+@@ -323,12 +391,19 @@ files_tmpfs_file(httpd_tmpfs_t)
apache_content_template(user)
ubac_constrained(httpd_user_script_t)
@@ -3452,15 +4255,20 @@ index 0833afb..2864927 100644
userdom_user_home_content(httpd_user_content_t)
userdom_user_home_content(httpd_user_htaccess_t)
userdom_user_home_content(httpd_user_script_exec_t)
-@@ -240,6 +403,7 @@ userdom_user_home_content(httpd_user_ra_content_t)
+ userdom_user_home_content(httpd_user_ra_content_t)
userdom_user_home_content(httpd_user_rw_content_t)
- typeattribute httpd_user_script_t httpd_script_domains;
++typeattribute httpd_user_script_t httpd_script_domains;
typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
+typealias httpd_user_content_t alias httpd_unconfined_content_t;
typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
-@@ -259,16 +423,28 @@ type httpd_var_lib_t;
+@@ -343,33 +418,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad
+ typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t };
+ typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t };
+
++# for apache2 memory mapped files
+ type httpd_var_lib_t;
files_type(httpd_var_lib_t)
type httpd_var_run_t;
@@ -3469,12 +4277,20 @@ index 0833afb..2864927 100644
+')
files_pid_file(httpd_var_run_t)
+-type httpd_passwd_t;
+-type httpd_passwd_exec_t;
+-domain_type(httpd_passwd_t)
+-domain_entry_file(httpd_passwd_t, httpd_passwd_exec_t)
+-role system_r types httpd_passwd_t;
+# Removal of fastcgi, will cause problems without the following
+typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
-+
- # File Type of squirrelmail attachments
- type squirrelmail_spool_t;
- files_tmp_file(squirrelmail_spool_t)
+
+-type httpd_gpg_t;
+-domain_type(httpd_gpg_t)
+-role system_r types httpd_gpg_t;
++# File Type of squirrelmail attachments
++type squirrelmail_spool_t;
++files_tmp_file(squirrelmail_spool_t)
+files_spool_file(squirrelmail_spool_t)
optional_policy(`
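Review bot: `squirrelmail_spool_t` is now declared with both `files_tmp_file(squirrelmail_spool_t)` and `files_spool_file(squirrelmail_spool_t)`, so the type carries the attributes of both file classes and every domain with blanket access to tmp files or to spool files reaches these attachments; upstream declared it with `files_tmp_file` only. If the type is meant for a spool directory, dropping the `files_tmp_file` call and adding a comment such as `# attachments are spool files, not tmp files` would keep its attribute set minimal. The removal of upstream's `httpd_passwd_t` and `httpd_gpg_t` domains here matches their removal from apache_admin earlier in the diff, but any other interface in apache.if that still names them in a gen_require would fail to build.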
@@ -3488,118 +4304,172 @@ index 0833afb..2864927 100644
+
########################################
#
- # Apache server local policy
-@@ -288,11 +464,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
- allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
- allow httpd_t self:tcp_socket create_stream_socket_perms;
- allow httpd_t self:udp_socket create_socket_perms;
+-# Local policy
++# Apache server local policy
+ #
+
+ allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config };
+-dontaudit httpd_t self:capability net_admin;
++dontaudit httpd_t self:capability { net_admin sys_tty_config };
+ allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow httpd_t self:fd use;
+ allow httpd_t self:sock_file read_sock_file_perms;
+@@ -378,28 +460,36 @@ allow httpd_t self:shm create_shm_perms;
+ allow httpd_t self:sem create_sem_perms;
+ allow httpd_t self:msgq create_msgq_perms;
+ allow httpd_t self:msg { send receive };
+-allow httpd_t self:unix_dgram_socket sendto;
+-allow httpd_t self:unix_stream_socket { accept connectto listen };
+-allow httpd_t self:tcp_socket { accept listen };
++allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
++allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
++allow httpd_t self:tcp_socket create_stream_socket_perms;
++allow httpd_t self:udp_socket create_socket_perms;
+dontaudit httpd_t self:netlink_audit_socket create_socket_perms;
- # Allow httpd_t to put files in /var/cache/httpd etc
++# Allow httpd_t to put files in /var/cache/httpd etc
manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
+-files_var_filetrans(httpd_t, httpd_cache_t, dir)
+files_var_filetrans(httpd_t, httpd_cache_t, { file dir })
- # Allow the httpd_t to read the web servers config files
++# Allow the httpd_t to read the web servers config files
allow httpd_t httpd_config_t:dir list_dir_perms;
-@@ -305,6 +483,7 @@ allow httpd_t httpd_lock_t:file manage_file_perms;
+ read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
+ read_lnk_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
+
++can_exec(httpd_t, httpd_exec_t)
++
+ allow httpd_t httpd_lock_t:file manage_file_perms;
files_lock_filetrans(httpd_t, httpd_lock_t, file)
- allow httpd_t httpd_log_t:dir setattr;
-+create_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
+-allow httpd_t httpd_log_t:dir setattr_dir_perms;
++allow httpd_t httpd_log_t:dir setattr;
+ create_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
-@@ -336,8 +515,10 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
+ read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
++# cjp: need to refine create interfaces to
++# cut this back to add_name only
+ logging_log_filetrans(httpd_t, httpd_log_t, file)
- manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
- manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
-+manage_sock_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
- manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
--files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file })
-+files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file sock_file })
-+userdom_user_tmp_filetrans(httpd_t, httpd_tmp_t, dir)
-
- manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
- manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
-@@ -346,8 +527,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
- manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
- fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
-
-+manage_dirs_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
- manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
--files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file)
-+files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file })
-
- setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
- manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
-@@ -362,8 +544,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
- kernel_read_kernel_sysctls(httpd_t)
- # for modules that want to access /proc/meminfo
- kernel_read_system_state(httpd_t)
-+kernel_read_network_state(httpd_t)
-+kernel_search_network_sysctl(httpd_t)
+ allow httpd_t httpd_modules_t:dir list_dir_perms;
+@@ -407,6 +497,8 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
+ read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
+ read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
--corenet_all_recvfrom_unlabeled(httpd_t)
++apache_domtrans_rotatelogs(httpd_t)
++# Apache-httpd needs to be able to send signals to the log rotate procs.
+ allow httpd_t httpd_rotatelogs_t:process signal_perms;
+
+ manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
+@@ -415,6 +507,10 @@ manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
+
+ allow httpd_t httpd_suexec_exec_t:file read_file_perms;
+
++allow httpd_t httpd_sys_content_t:dir list_dir_perms;
++read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
++read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
++
+ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
+
+ manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
+@@ -445,140 +541,163 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+ manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+
+-can_exec(httpd_t, httpd_exec_t)
+-
+-domtrans_pattern(httpd_t, httpd_helper_exec_t, httpd_helper_t)
+-domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t)
+-domtrans_pattern(httpd_t, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
+-domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
+-
+ kernel_read_kernel_sysctls(httpd_t)
+-kernel_read_network_state(httpd_t)
++# for modules that want to access /proc/meminfo
+ kernel_read_system_state(httpd_t)
++kernel_read_network_state(httpd_t)
+ kernel_search_network_sysctl(httpd_t)
+
+-corenet_all_recvfrom_unlabeled(httpd_t)
corenet_all_recvfrom_netlabel(httpd_t)
corenet_tcp_sendrecv_generic_if(httpd_t)
- corenet_udp_sendrecv_generic_if(httpd_t)
-@@ -372,11 +555,19 @@ corenet_udp_sendrecv_generic_node(httpd_t)
- corenet_tcp_sendrecv_all_ports(httpd_t)
- corenet_udp_sendrecv_all_ports(httpd_t)
++corenet_udp_sendrecv_generic_if(httpd_t)
+ corenet_tcp_sendrecv_generic_node(httpd_t)
++corenet_udp_sendrecv_generic_node(httpd_t)
++corenet_tcp_sendrecv_all_ports(httpd_t)
++corenet_udp_sendrecv_all_ports(httpd_t)
corenet_tcp_bind_generic_node(httpd_t)
+-
+-corenet_sendrecv_http_server_packets(httpd_t)
+corenet_udp_bind_generic_node(httpd_t)
corenet_tcp_bind_http_port(httpd_t)
+-corenet_tcp_sendrecv_http_port(httpd_t)
+-
+-corenet_sendrecv_http_cache_server_packets(httpd_t)
+corenet_udp_bind_http_port(httpd_t)
corenet_tcp_bind_http_cache_port(httpd_t)
+-corenet_tcp_sendrecv_http_cache_port(httpd_t)
+-
+-corecmd_exec_bin(httpd_t)
+-corecmd_exec_shell(httpd_t)
+corenet_tcp_bind_ntop_port(httpd_t)
+corenet_tcp_bind_jboss_management_port(httpd_t)
+corenet_tcp_bind_jboss_messaging_port(httpd_t)
- corenet_sendrecv_http_server_packets(httpd_t)
++corenet_sendrecv_http_server_packets(httpd_t)
+corenet_tcp_bind_puppet_port(httpd_t)
- # Signal self for shutdown
--corenet_tcp_connect_http_port(httpd_t)
++# Signal self for shutdown
+tunable_policy(`httpd_graceful_shutdown',`
+ corenet_tcp_connect_http_port(httpd_t)
+')
dev_read_sysfs(httpd_t)
dev_read_rand(httpd_t)
-@@ -385,9 +576,14 @@ dev_rw_crypto(httpd_t)
+ dev_read_urand(httpd_t)
+ dev_rw_crypto(httpd_t)
+-domain_use_interactive_fds(httpd_t)
+-
fs_getattr_all_fs(httpd_t)
fs_search_auto_mountpoints(httpd_t)
-+fs_read_iso9660_files(httpd_t)
+-
+-fs_getattr_all_fs(httpd_t)
+-fs_read_anon_inodefs_files(httpd_t)
+ fs_read_iso9660_files(httpd_t)
+-fs_search_auto_mountpoints(httpd_t)
+fs_read_anon_inodefs_files(httpd_t)
+fs_read_hugetlbfs_files(httpd_t)
-
- auth_use_nsswitch(httpd_t)
-
++
++auth_use_nsswitch(httpd_t)
++
+application_exec_all(httpd_t)
+
- # execute perl
- corecmd_exec_bin(httpd_t)
- corecmd_exec_shell(httpd_t)
-@@ -396,61 +592,112 @@ domain_use_interactive_fds(httpd_t)
++# execute perl
++corecmd_exec_bin(httpd_t)
++corecmd_exec_shell(httpd_t)
++
++domain_use_interactive_fds(httpd_t)
files_dontaudit_getattr_all_pids(httpd_t)
files_read_usr_files(httpd_t)
+files_exec_usr_files(httpd_t)
files_list_mnt(httpd_t)
files_search_spool(httpd_t)
-+files_read_var_symlinks(httpd_t)
+ files_read_var_symlinks(httpd_t)
files_read_var_lib_files(httpd_t)
files_search_home(httpd_t)
files_getattr_home_dir(httpd_t)
- # for modules that want to access /etc/mtab
++# for modules that want to access /etc/mtab
files_read_etc_runtime_files(httpd_t)
- # Allow httpd_t to have access to files such as nisswitch.conf
--files_read_etc_files(httpd_t)
- # for tomcat
++# Allow httpd_t to have access to files such as nisswitch.conf
++# for tomcat
files_read_var_lib_symlinks(httpd_t)
- fs_search_auto_mountpoints(httpd_sys_script_t)
+-auth_use_nsswitch(httpd_t)
++fs_search_auto_mountpoints(httpd_sys_script_t)
+# php uploads a file to /tmp and then execs programs to acton them
+manage_dirs_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
+manage_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
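Review bot: The new line `dontaudit httpd_t self:capability { net_admin sys_tty_config };` adds sys_tty_config to a dontaudit while the allow rule a few lines above, `allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config };`, already grants it; a dontaudit on an allowed permission has no effect, so either the capability was meant to come out of the allow list, or the dontaudit should stay as upstream's `dontaudit httpd_t self:capability net_admin;`. Either way the resulting policy should state the intent in one place. Separately, `corenet_sendrecv_http_server_packets(httpd_t)` is removed and re-added, but `corenet_sendrecv_http_cache_server_packets(httpd_t)` is removed with nothing re-added in view even though `corenet_tcp_bind_http_cache_port(httpd_t)` remains; where SECMARK packet labeling is in use the cache port would be bound but its packets refused, so the line should come back unless the base policy grants it elsewhere.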
@@ -3620,33 +4490,38 @@ index 0833afb..2864927 100644
miscfiles_read_fonts(httpd_t)
miscfiles_read_public_files(httpd_t)
miscfiles_read_generic_certs(httpd_t)
--
--seutil_dontaudit_search_config(httpd_t)
-+miscfiles_read_tetex_data(httpd_t)
+ miscfiles_read_tetex_data(httpd_t)
+-seutil_dontaudit_search_config(httpd_t)
+-
userdom_use_unpriv_users_fds(httpd_t)
--tunable_policy(`allow_httpd_anon_write',`
+-ifdef(`TODO',`
+- tunable_policy(`allow_httpd_mod_auth_pam',`
+- auth_domtrans_chk_passwd(httpd_t)
+tunable_policy(`httpd_setrlimit',`
+ allow httpd_t self:process setrlimit;
+ allow httpd_t self:capability sys_resource;
+')
-+
+
+- logging_send_audit_msgs(httpd_t)
+- ')
+tunable_policy(`httpd_anon_write',`
- miscfiles_manage_public_files(httpd_t)
++ miscfiles_manage_public_files(httpd_t)
')
--ifdef(`TODO', `
- #
- # We need optionals to be able to be within booleans to make this work
- #
--tunable_policy(`allow_httpd_mod_auth_pam',`
-- auth_domtrans_chk_passwd(httpd_t)
+-ifdef(`hide_broken_symptoms',`
+- libs_exec_lib_files(httpd_t)
++#
++# We need optionals to be able to be within booleans to make this work
++#
+tunable_policy(`httpd_mod_auth_pam',`
+ auth_domtrans_chkpwd(httpd_t)
+ logging_send_audit_msgs(httpd_t)
')
-+
+
+-tunable_policy(`allow_httpd_anon_write',`
+- miscfiles_manage_public_files(httpd_t)
+optional_policy(`
+ tunable_policy(`httpd_mod_auth_ntlm_winbind',`
+ samba_domtrans_winbind_helper(httpd_t)
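Review bot: Upstream's `seutil_dontaudit_search_config(httpd_t)` is dropped here (`+-seutil_dontaudit_search_config(httpd_t)`) with no replacement in view, and so is the `ifdef(`hide_broken_symptoms',` block carrying `libs_exec_lib_files(httpd_t)`; neither removal is explained in the hunk. If the downstream wants those searches of the SELinux configuration audited rather than silenced, a comment such as `# upstream dontaudits seutil config searches; kept audited here on purpose` at the point of removal would stop a future merge from reverting it, otherwise the line should be restored. The `httpd_setrlimit` block also grants `self:capability sys_resource` on top of `self:process setrlimit`, which is wider than the boolean's description `Allow httpd daemon to change its resource limits` suggests; if raising hard limits is the intent, the `<desc>` for that boolean should say so.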
@@ -3654,12 +4529,21 @@ index 0833afb..2864927 100644
')
tunable_policy(`httpd_can_network_connect',`
+- corenet_sendrecv_all_client_packets(httpd_t)
corenet_tcp_connect_all_ports(httpd_t)
+- corenet_tcp_sendrecv_all_ports(httpd_t)
')
-+tunable_policy(`httpd_can_network_connect_db',`
-+ corenet_tcp_connect_firebird_port(httpd_t)
-+ corenet_tcp_connect_mssql_port(httpd_t)
+ tunable_policy(`httpd_can_network_connect_db',`
+- corenet_sendrecv_gds_db_client_packets(httpd_t)
+ corenet_tcp_connect_gds_db_port(httpd_t)
+- corenet_tcp_sendrecv_gds_db_port(httpd_t)
+- corenet_sendrecv_mssql_client_packets(httpd_t)
+ corenet_tcp_connect_mssql_port(httpd_t)
+- corenet_tcp_sendrecv_mssql_port(httpd_t)
+- corenet_sendrecv_oracledb_client_packets(httpd_t)
+- corenet_tcp_connect_oracledb_port(httpd_t)
+- corenet_tcp_sendrecv_oracledb_port(httpd_t)
+ corenet_sendrecv_mssql_client_packets(httpd_t)
+ corenet_tcp_connect_oracle_port(httpd_t)
+ corenet_sendrecv_oracle_client_packets(httpd_t)
@@ -3667,49 +4551,70 @@ index 0833afb..2864927 100644
+
+tunable_policy(`httpd_can_network_memcache',`
+ corenet_tcp_connect_memcache_port(httpd_t)
-+')
-+
+ ')
+
tunable_policy(`httpd_can_network_relay',`
- # allow httpd to work as a relay
+- corenet_sendrecv_gopher_client_packets(httpd_t)
++ # allow httpd to work as a relay
corenet_tcp_connect_gopher_port(httpd_t)
+- corenet_tcp_sendrecv_gopher_port(httpd_t)
+- corenet_sendrecv_ftp_client_packets(httpd_t)
corenet_tcp_connect_ftp_port(httpd_t)
+- corenet_tcp_sendrecv_ftp_port(httpd_t)
+- corenet_sendrecv_http_client_packets(httpd_t)
corenet_tcp_connect_http_port(httpd_t)
+- corenet_tcp_sendrecv_http_port(httpd_t)
+- corenet_sendrecv_http_cache_client_packets(httpd_t)
corenet_tcp_connect_http_cache_port(httpd_t)
-+ corenet_tcp_connect_squid_port(httpd_t)
- corenet_tcp_connect_memcache_port(httpd_t)
- corenet_sendrecv_gopher_client_packets(httpd_t)
- corenet_sendrecv_ftp_client_packets(httpd_t)
- corenet_sendrecv_http_client_packets(httpd_t)
- corenet_sendrecv_http_cache_client_packets(httpd_t)
+- corenet_tcp_sendrecv_http_cache_port(httpd_t)
+- corenet_sendrecv_squid_client_packets(httpd_t)
+ corenet_tcp_connect_squid_port(httpd_t)
+- corenet_tcp_sendrecv_squid_port(httpd_t)
++ corenet_tcp_connect_memcache_port(httpd_t)
++ corenet_sendrecv_gopher_client_packets(httpd_t)
++ corenet_sendrecv_ftp_client_packets(httpd_t)
++ corenet_sendrecv_http_client_packets(httpd_t)
++ corenet_sendrecv_http_cache_client_packets(httpd_t)
+ corenet_sendrecv_squid_client_packets(httpd_t)
+ corenet_tcp_connect_all_ephemeral_ports(httpd_t)
-+')
-+
+ ')
+
+-tunable_policy(`httpd_builtin_scripting',`
+- exec_files_pattern(httpd_t, httpd_script_exec_type, httpd_script_exec_type)
+tunable_policy(`httpd_execmem',`
+ allow httpd_t self:process { execmem execstack };
+ allow httpd_sys_script_t self:process { execmem execstack };
+ allow httpd_suexec_t self:process { execmem execstack };
+')
-+
+
+- allow httpd_t httpdcontent:dir list_dir_perms;
+- allow httpd_t httpdcontent:file read_file_perms;
+- allow httpd_t httpdcontent:lnk_file read_lnk_file_perms;
+tunable_policy(`httpd_enable_cgi && httpd_unified',`
+ allow httpd_sys_script_t httpd_sys_content_t:file entrypoint;
+ filetrans_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
+ can_exec(httpd_sys_script_t, httpd_sys_content_t)
-+')
-+
+ ')
+
+-tunable_policy(`httpd_enable_cgi',`
+- allow httpd_t httpd_script_domains:process { signal sigkill sigstop };
+- allow httpd_t httpd_script_exec_type:dir list_dir_perms;
+tunable_policy(`httpd_sys_script_anon_write',`
+ miscfiles_manage_public_files(httpd_sys_script_t)
')
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -461,27 +708,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -589,28 +708,46 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
')
+-# tunable_policy(`httpd_enable_cgi && httpd_use_fusefs',`
+-# fs_fusefs_domtrans(httpd_t, httpd_sys_script_t)
+-# ')
+tunable_policy(`httpd_enable_cgi && httpd_use_fusefs',`
+ fs_fusefs_domtrans(httpd_t, httpd_sys_script_t)
+')
-+
+
tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
+ filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
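Review bot: The `httpd_execmem` tunable in this hunk grants `execmem execstack` to `httpd_sys_script_t` and `httpd_suexec_t` in addition to `httpd_t`, so a single boolean now relaxes W^X for the CGI script domain as well, while the upstream `httpd_execmem` block removed later in this diff covers `httpd_t` alone. That widening is undocumented; add above the block `# httpd_execmem also covers CGI (httpd_sys_script_t) and suexec, since JIT engines loaded there need it -- confirm` or gate the two extra domains on their own boolean. Separately, `corenet_tcp_connect_all_ephemeral_ports(httpd_t)` under `httpd_can_network_relay` lets the relay reach any ephemeral port on any host, not only the named proxy ports, and a one-line comment on why that is needed would let an admin judge the boolean before enabling it.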
@@ -3719,9 +4624,11 @@ index 0833afb..2864927 100644
manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
+- manage_fifo_files_pattern(httpd_t, httpdcontent, httpdcontent)
manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent)
- ')
-
+- manage_sock_files_pattern(httpd_t, httpdcontent, httpdcontent)
++')
++
+tunable_policy(`httpd_can_connect_ftp',`
+ corenet_tcp_connect_ftp_port(httpd_t)
+ corenet_tcp_connect_all_ephemeral_ports(httpd_t)
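Review bot: `corenet_tcp_connect_all_ephemeral_ports(httpd_t)` under `httpd_can_connect_ftp` makes the boolean far broader than its name implies: httpd may then connect to anything listening on an ephemeral port, not only port 21. If the intent is passive-mode FTP data channels, state it, e.g. `# passive FTP data connections land on ephemeral ports; this is why the boolean reaches beyond port 21`, so the grant is understood when the boolean is turned on. The tunable's closing `')` lies outside this hunk.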
@@ -3733,15 +4640,17 @@ index 0833afb..2864927 100644
+
+tunable_policy(`httpd_can_connect_zabbix',`
+ corenet_tcp_connect_zabbix_port(httpd_t)
-+')
-+
+ ')
+
tunable_policy(`httpd_enable_ftp_server',`
+- corenet_sendrecv_ftp_server_packets(httpd_t)
corenet_tcp_bind_ftp_port(httpd_t)
+- corenet_tcp_sendrecv_ftp_port(httpd_t)
+ corenet_tcp_bind_all_ephemeral_ports(httpd_t)
')
-tunable_policy(`httpd_enable_homedirs',`
-- userdom_read_user_home_content_files(httpd_t)
+- userdom_search_user_home_dirs(httpd_t)
+tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',`
+ can_exec(httpd_t, httpd_tmp_t)
+')
@@ -3751,37 +4660,84 @@ index 0833afb..2864927 100644
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-+ fs_list_auto_mountpoints(httpd_t)
- fs_read_nfs_files(httpd_t)
+@@ -619,68 +756,38 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_symlinks(httpd_t)
')
+-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs && httpd_builtin_scripting',`
+- fs_exec_nfs_files(httpd_t)
+tunable_policy(`httpd_use_nfs',`
+ fs_list_auto_mountpoints(httpd_t)
+ fs_manage_nfs_dirs(httpd_t)
+ fs_manage_nfs_files(httpd_t)
+ fs_manage_nfs_symlinks(httpd_t)
-+')
-+
+ ')
+
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
+- fs_list_auto_mountpoints(httpd_t)
fs_read_cifs_files(httpd_t)
fs_read_cifs_symlinks(httpd_t)
-@@ -491,7 +772,22 @@ tunable_policy(`httpd_can_sendmail',`
- # allow httpd to connect to mail servers
+ ')
+
+-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_scripting',`
+- fs_exec_cifs_files(httpd_t)
+-')
+-
+-tunable_policy(`httpd_execmem',`
+- allow httpd_t self:process { execmem execstack };
+-')
+-
+ tunable_policy(`httpd_can_sendmail',`
+- corenet_sendrecv_smtp_client_packets(httpd_t)
++ # allow httpd to connect to mail servers
corenet_tcp_connect_smtp_port(httpd_t)
- corenet_sendrecv_smtp_client_packets(httpd_t)
-+ corenet_tcp_connect_pop_port(httpd_t)
+- corenet_tcp_sendrecv_smtp_port(httpd_t)
+- corenet_sendrecv_pop_client_packets(httpd_t)
++ corenet_sendrecv_smtp_client_packets(httpd_t)
+ corenet_tcp_connect_pop_port(httpd_t)
+- corenet_tcp_sendrecv_pop_port(httpd_t)
+-
+ corenet_sendrecv_pop_client_packets(httpd_t)
mta_send_mail(httpd_t)
-+ mta_signal_system_mail(httpd_t)
-+')
-+
+ mta_signal_system_mail(httpd_t)
+ ')
+
+-optional_policy(`
+- tunable_policy(`httpd_can_network_connect_zabbix',`
+- zabbix_tcp_connect(httpd_t)
+- ')
+tunable_policy(`httpd_use_cifs',`
+ fs_manage_cifs_dirs(httpd_t)
+ fs_manage_cifs_files(httpd_t)
+ fs_manage_cifs_symlinks(httpd_t)
-+')
-+
+ ')
+
+-optional_policy(`
+- tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
+- spamassassin_domtrans_client(httpd_t)
+- ')
+-')
+-
+-tunable_policy(`httpd_graceful_shutdown',`
+- corenet_sendrecv_http_client_packets(httpd_t)
+- corenet_tcp_connect_http_port(httpd_t)
+- corenet_tcp_sendrecv_http_port(httpd_t)
+-')
+-
+-optional_policy(`
+- tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
+- gpg_spec_domtrans(httpd_t, httpd_gpg_t)
+- ')
+-')
+-
+-optional_policy(`
+- tunable_policy(`httpd_mod_auth_ntlm_winbind',`
+- samba_domtrans_winbind_helper(httpd_t)
+- ')
+-')
+-
+-tunable_policy(`httpd_read_user_content',`
+- userdom_read_user_home_content_files(httpd_t)
+tunable_policy(`httpd_use_fusefs',`
+ fs_manage_fusefs_dirs(httpd_t)
+ fs_manage_fusefs_files(httpd_t)
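Review bot: The new patch drops upstream's `httpd_read_user_content` body (`userdom_read_user_home_content_files(httpd_t)`) with no replacement visible in this hunk; if the `gen_tunable` declaration for that boolean survives elsewhere in apache.te, it becomes a no-op that an admin can switch on expecting home-directory access that never arrives. Either remove the declaration in the same patch or keep a one-line mapping with a comment such as `# httpd_read_user_content is superseded by httpd_enable_homedirs`. The `httpd_use_nfs` and `httpd_use_cifs` blocks here grant `fs_manage_*` over every NFS/CIFS mount, not just web content, and a comment stating that scope would make the trade-off explicit.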
@@ -3789,9 +4745,23 @@ index 0833afb..2864927 100644
')
tunable_policy(`httpd_setrlimit',`
-@@ -511,9 +807,19 @@ tunable_policy(`httpd_ssi_exec',`
- # to run correctly without this permission, so the permission
- # are dontaudited here.
+@@ -690,49 +797,29 @@ tunable_policy(`httpd_setrlimit',`
+
+ tunable_policy(`httpd_ssi_exec',`
+ corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
++ allow httpd_sys_script_t httpd_t:fd use;
++ allow httpd_sys_script_t httpd_t:fifo_file rw_file_perms;
++ allow httpd_sys_script_t httpd_t:process sigchld;
+ ')
+
+-tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',`
+- can_exec(httpd_t, httpd_tmp_t)
+-')
+-
++# When the admin starts the server, the server wants to access
++# the TTY or PTY associated with the session. The httpd appears
++# to run correctly without this permission, so the permission
++# are dontaudited here.
tunable_policy(`httpd_tty_comm',`
- userdom_use_user_terminals(httpd_t)
+ userdom_use_inherited_user_terminals(httpd_t)
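Review bot: `allow httpd_sys_script_t httpd_t:fifo_file rw_file_perms;` uses the regular-file permission set on a FIFO, whereas the rest of this policy uses `rw_fifo_file_perms` for `fifo_file` objects (see the `httpd_php_t` and `httpd_suexec_t` self rules further down); change it to `allow httpd_sys_script_t httpd_t:fifo_file rw_fifo_file_perms;` for consistency. The three new allows are what `corecmd_shell_domtrans` does not supply, so a short comment, `# SSI exec: the child inherits httpd_t's pipes and must report its exit`, would explain why they are hand-written inside the tunable. Switching `httpd_tty_comm` to `userdom_use_inherited_user_terminals` is a welcome tightening and could carry a note that httpd no longer opens terminals itself.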
@@ -3799,8 +4769,39 @@ index 0833afb..2864927 100644
',`
userdom_dontaudit_use_user_terminals(httpd_t)
+ userdom_dontaudit_use_user_terminals(httpd_suexec_t)
-+')
-+
+ ')
+
+-tunable_policy(`httpd_use_cifs',`
+- fs_list_auto_mountpoints(httpd_t)
+- fs_manage_cifs_dirs(httpd_t)
+- fs_manage_cifs_files(httpd_t)
+- fs_manage_cifs_symlinks(httpd_t)
+-')
+-
+-tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',`
+- fs_exec_cifs_files(httpd_t)
+-')
+-
+-tunable_policy(`httpd_use_fusefs',`
+- fs_list_auto_mountpoints(httpd_t)
+- fs_manage_fusefs_dirs(httpd_t)
+- fs_manage_fusefs_files(httpd_t)
+- fs_read_fusefs_symlinks(httpd_t)
+-')
+-
+-tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
+- fs_exec_fusefs_files(httpd_t)
+-')
+-
+-tunable_policy(`httpd_use_nfs',`
+- fs_list_auto_mountpoints(httpd_t)
+- fs_manage_nfs_dirs(httpd_t)
+- fs_manage_nfs_files(httpd_t)
+- fs_manage_nfs_symlinks(httpd_t)
+-')
+-
+-tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
+- fs_exec_nfs_files(httpd_t)
+optional_policy(`
+ # Support for ABRT retrace server
+ # mod_wsgi
@@ -3810,21 +4811,25 @@ index 0833afb..2864927 100644
')
optional_policy(`
-@@ -525,6 +831,9 @@ optional_policy(`
+@@ -744,12 +831,10 @@ optional_policy(`
')
optional_policy(`
+- clamav_domtrans_clamscan(httpd_t)
+-')
+-
+-optional_policy(`
+ cobbler_list_config(httpd_t)
-+ cobbler_read_config(httpd_t)
-+ cobbler_read_lib_files(httpd_t)
- cobbler_search_lib(httpd_t)
+ cobbler_read_config(httpd_t)
+ cobbler_read_lib_files(httpd_t)
++ cobbler_search_lib(httpd_t)
')
-@@ -540,6 +849,24 @@ optional_policy(`
- daemontools_service_domain(httpd_t, httpd_exec_t)
+ optional_policy(`
+@@ -765,6 +850,24 @@ optional_policy(`
')
-+optional_policy(`
+ optional_policy(`
+ # needed by FreeIPA
+ dirsrv_stream_connect(httpd_t)
+ ldap_stream_connect(httpd_t)
@@ -3842,58 +4847,76 @@ index 0833afb..2864927 100644
+ dirsrvadmin_domtrans_unconfined_script_t(httpd_t)
+')
+
- optional_policy(`
++ optional_policy(`
dbus_system_bus_client(httpd_t)
-@@ -549,13 +876,24 @@ optional_policy(`
+ tunable_policy(`httpd_dbus_avahi',`
+@@ -781,34 +884,42 @@ optional_policy(`
')
optional_policy(`
-+ git_read_generic_system_content_files(httpd_t)
-+ gitosis_read_lib_files(httpd_t)
++ tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
++ gpg_domtrans_web(httpd_t)
++ ')
+')
+
+optional_policy(`
- tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
-- gpg_domtrans(httpd_t)
-+ gpg_domtrans_web(httpd_t)
- ')
- ')
-
- optional_policy(`
+ jetty_admin(httpd_t)
+')
+
+optional_policy(`
kerberos_keytab_template(httpd, httpd_t)
+- kerberos_manage_host_rcache(httpd_t)
+- kerberos_tmp_filetrans_host_rcache(httpd_t, file, "HTTP_23")
+- kerberos_tmp_filetrans_host_rcache(httpd_t, file, "HTTP_48")
+ kerberos_tmp_filetrans_host_rcache(httpd_t, "HTTP_23")
+ kerberos_tmp_filetrans_host_rcache(httpd_t, "HTTP_48")
')
optional_policy(`
-@@ -573,7 +911,21 @@ optional_policy(`
++ # needed by FreeIPA
+ ldap_stream_connect(httpd_t)
+-
+- tunable_policy(`httpd_can_network_connect_ldap',`
+- ldap_tcp_connect(httpd_t)
+- ')
+ ')
+
+ optional_policy(`
+ mailman_signal_cgi(httpd_t)
+ mailman_domtrans_cgi(httpd_t)
+ mailman_read_data_files(httpd_t)
++ # should have separate types for public and private archives
+ mailman_search_data(httpd_t)
+ mailman_read_archive(httpd_t)
')
optional_policy(`
+- memcached_stream_connect(httpd_t)
+ mediawiki_read_tmp_files(httpd_t)
+ mediawiki_delete_tmp_files(httpd_t)
+')
-+
+
+- tunable_policy(`httpd_can_network_connect_memcache',`
+- memcached_tcp_connect(httpd_t)
+- ')
+optional_policy(`
+ memcached_stream_connect(httpd_t)
-+
-+ tunable_policy(`httpd_manage_ipa',`
-+ memcached_manage_pid_files(httpd_t)
-+ ')
-+')
-+
-+optional_policy(`
- # Allow httpd to work with mysql
-+ mysql_read_config(httpd_t)
+
+ tunable_policy(`httpd_manage_ipa',`
+ memcached_manage_pid_files(httpd_t)
+@@ -816,8 +927,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ # Allow httpd to work with mysql
+ mysql_read_config(httpd_t)
mysql_stream_connect(httpd_t)
- mysql_rw_db_sockets(httpd_t)
++ mysql_rw_db_sockets(httpd_t)
-@@ -584,6 +936,7 @@ optional_policy(`
+ tunable_policy(`httpd_can_network_connect_db',`
+ mysql_tcp_connect(httpd_t)
+@@ -826,6 +939,7 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
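Review bot: `dirsrvadmin_domtrans_unconfined_script_t(httpd_t)` lets the web server transition into an unconfined script domain, which turns any httpd compromise into an unconfined one whenever the dirsrvadmin module is loaded, and nothing visible in this hunk gates it behind a boolean. Since the same hunk introduces `httpd_manage_ipa` for the memcached pid rule, the FreeIPA transition belongs under the same tunable, `tunable_policy(`httpd_manage_ipa',` ... `')`, with a comment that FreeIPA is its only consumer. The enclosing `optional_policy` begins before this hunk, so I cannot see whether a wrapper already exists there.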
@@ -3901,25 +4924,32 @@ index 0833afb..2864927 100644
')
optional_policy(`
-@@ -594,6 +947,42 @@ optional_policy(`
+@@ -836,20 +950,35 @@ optional_policy(`
')
optional_policy(`
+- pcscd_read_pid_files(httpd_t)
+ openshift_search_lib(httpd_t)
+ openshift_initrc_signull(httpd_t)
+ openshift_initrc_signal(httpd_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- postgresql_stream_connect(httpd_t)
+- postgresql_unpriv_client(httpd_t)
+ passenger_exec(httpd_t)
+ passenger_manage_pid_content(httpd_t)
+')
-+
+
+- tunable_policy(`httpd_can_network_connect_db',`
+- postgresql_tcp_connect(httpd_t)
+- ')
+optional_policy(`
+ pcscd_read_pub_files(httpd_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- puppet_read_lib_files(httpd_t)
+ pki_apache_domain_signal(httpd_t)
+ pki_apache_domain_signal(httpd_t)
+ pki_manage_apache_run(httpd_t)
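Review bot: `pki_apache_domain_signal(httpd_t)` appears twice in the pki `optional_policy` block; drop the duplicate line. `passenger_exec(httpd_t)` alongside `passenger_manage_pid_content(httpd_t)` presumably runs the passenger binary inside `httpd_t` rather than in its own domain, and a comment stating that choice, `# passenger runs in httpd_t; no separate domain -- confirm`, would keep a later reviewer from adding a domtrans that conflicts with it. The `optional_policy` for pki continues past the end of this hunk.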
@@ -3934,29 +4964,35 @@ index 0833afb..2864927 100644
+
+optional_policy(`
+ pwauth_domtrans(httpd_t)
-+')
+ ')
+
+ optional_policy(`
+@@ -857,6 +986,16 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ # Allow httpd to work with postgresql
++ postgresql_stream_connect(httpd_t)
++ postgresql_unpriv_client(httpd_t)
+
-+optional_policy(`
-+ rpc_search_nfs_state_data(httpd_t)
++ tunable_policy(`httpd_can_network_connect_db',`
++ postgresql_tcp_connect(httpd_t)
++ ')
+')
+
+optional_policy(`
- # Allow httpd to work with postgresql
- postgresql_stream_connect(httpd_t)
- postgresql_unpriv_client(httpd_t)
-@@ -608,6 +997,11 @@ optional_policy(`
+ seutil_sigchld_newrole(httpd_t)
+ ')
+
+@@ -865,6 +1004,7 @@ optional_policy(`
')
optional_policy(`
-+ smokeping_read_lib_files(httpd_t)
-+')
-+
-+optional_policy(`
+ files_dontaudit_rw_usr_dirs(httpd_t)
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -620,6 +1014,12 @@ optional_policy(`
+@@ -877,64 +1017,168 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -3968,12 +5004,23 @@ index 0833afb..2864927 100644
+
########################################
#
- # Apache helper local policy
-@@ -633,7 +1033,43 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
+-# Helper local policy
++# Apache helper local policy
+ #
+
+-read_files_pattern(httpd_helper_t, httpd_config_t, httpd_config_t)
++domtrans_pattern(httpd_t, httpd_helper_exec_t, httpd_helper_t)
+
+-append_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t)
+-read_lnk_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t)
++allow httpd_helper_t httpd_config_t:file read_file_perms;
+-files_search_etc(httpd_helper_t)
++allow httpd_helper_t httpd_log_t:file append_file_perms;
+
+-logging_search_logs(httpd_helper_t)
logging_send_syslog_msg(httpd_helper_t)
--userdom_use_user_terminals(httpd_helper_t)
+userdom_use_inherited_user_terminals(httpd_helper_t)
+
+tunable_policy(`httpd_verify_dns',`
@@ -4008,48 +5055,68 @@ index 0833afb..2864927 100644
+ ')
+')
+
-+tunable_policy(`httpd_tty_comm',`
+ tunable_policy(`httpd_tty_comm',`
+- userdom_use_user_terminals(httpd_helper_t)
+-',`
+- userdom_dontaudit_use_user_terminals(httpd_helper_t)
+ userdom_use_inherited_user_terminals(httpd_helper_t)
+')
-
- ########################################
- #
-@@ -671,28 +1107,30 @@ libs_exec_lib_files(httpd_php_t)
- userdom_use_unpriv_users_fds(httpd_php_t)
-
- tunable_policy(`httpd_can_network_connect_db',`
-- corenet_tcp_connect_mysqld_port(httpd_t)
-- corenet_sendrecv_mysqld_client_packets(httpd_t)
-- corenet_tcp_connect_mysqld_port(httpd_sys_script_t)
-- corenet_sendrecv_mysqld_client_packets(httpd_sys_script_t)
-- corenet_tcp_connect_mysqld_port(httpd_suexec_t)
-- corenet_sendrecv_mysqld_client_packets(httpd_suexec_t)
--
-- corenet_tcp_connect_mssql_port(httpd_t)
-- corenet_sendrecv_mssql_client_packets(httpd_t)
-- corenet_tcp_connect_mssql_port(httpd_sys_script_t)
-- corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
-- corenet_tcp_connect_mssql_port(httpd_suexec_t)
-- corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
-+ corenet_tcp_connect_firebird_port(httpd_php_t)
++
++########################################
++#
++# Apache PHP script local policy
++#
++
++allow httpd_php_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
++allow httpd_php_t self:fd use;
++allow httpd_php_t self:fifo_file rw_fifo_file_perms;
++allow httpd_php_t self:sock_file read_sock_file_perms;
++allow httpd_php_t self:unix_dgram_socket create_socket_perms;
++allow httpd_php_t self:unix_stream_socket create_stream_socket_perms;
++allow httpd_php_t self:unix_dgram_socket sendto;
++allow httpd_php_t self:unix_stream_socket connectto;
++allow httpd_php_t self:shm create_shm_perms;
++allow httpd_php_t self:sem create_sem_perms;
++allow httpd_php_t self:msgq create_msgq_perms;
++allow httpd_php_t self:msg { send receive };
++
++domtrans_pattern(httpd_t, httpd_php_exec_t, httpd_php_t)
++
++# allow php to read and append to apache logfiles
++allow httpd_php_t httpd_log_t:file { read_file_perms append_file_perms };
++
++manage_dirs_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t)
++manage_files_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t)
++files_tmp_filetrans(httpd_php_t, httpd_php_tmp_t, { file dir })
++
++fs_search_auto_mountpoints(httpd_php_t)
++
++auth_use_nsswitch(httpd_php_t)
++
++libs_exec_lib_files(httpd_php_t)
++
++userdom_use_unpriv_users_fds(httpd_php_t)
++
++tunable_policy(`httpd_can_network_connect_db',`
++ corenet_tcp_connect_gds_db_port(httpd_php_t)
+ corenet_tcp_connect_mssql_port(httpd_php_t)
+ corenet_sendrecv_mssql_client_packets(httpd_php_t)
+ corenet_tcp_connect_oracle_port(httpd_php_t)
+ corenet_sendrecv_oracle_client_packets(httpd_php_t)
- ')
-
- optional_policy(`
- mysql_stream_connect(httpd_php_t)
++')
++
++optional_policy(`
++ mysql_stream_connect(httpd_php_t)
+ mysql_rw_db_sockets(httpd_php_t)
- mysql_read_config(httpd_php_t)
++ mysql_read_config(httpd_php_t)
+
+ tunable_policy(`httpd_can_network_connect_db',`
+ mysql_tcp_connect(httpd_php_t)
+ ')
- ')
-
- optional_policy(`
- postgresql_stream_connect(httpd_php_t)
++')
++
++optional_policy(`
++ postgresql_stream_connect(httpd_php_t)
+ postgresql_unpriv_client(httpd_php_t)
+
+ tunable_policy(`httpd_can_network_connect_db',`
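Review bot: `allow httpd_php_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };` is a complement set, so every process permission the kernel adds in the future, and existing ones such as `setsched` and `transition`, is granted to the PHP domain implicitly. Replace it with a positive list, e.g. `allow httpd_php_t self:process { fork signal_perms getsched setsched getattr };`, trimmed to what audit shows mod_php actually needs. The whole PHP section is re-added here, so a one-line header comment, `# httpd_php_t: mod_php in its own domain, entered via domtrans from httpd_t`, would tell readers why the block lives in this patch.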
@@ -4058,15 +5125,28 @@ index 0833afb..2864927 100644
')
########################################
-@@ -702,6 +1140,7 @@ optional_policy(`
+ #
+-# Suexec local policy
++# Apache suexec local policy
+ #
allow httpd_suexec_t self:capability { setuid setgid };
allow httpd_suexec_t self:process signal_perms;
-+allow httpd_suexec_t self:fifo_file rw_fifo_file_perms;
- allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
+ allow httpd_suexec_t self:fifo_file rw_fifo_file_perms;
+-allow httpd_suexec_t self:tcp_socket { accept listen };
+-allow httpd_suexec_t self:unix_stream_socket { accept listen };
++allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
++
++domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
+
+ create_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
+ append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
+ read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
+-read_lnk_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
++
++allow httpd_suexec_t httpd_t:fifo_file read_fifo_file_perms;
- domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-@@ -716,19 +1155,27 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@@ -4080,61 +5160,100 @@ index 0833afb..2864927 100644
kernel_list_proc(httpd_suexec_t)
kernel_read_proc_symlinks(httpd_suexec_t)
+-corenet_all_recvfrom_unlabeled(httpd_suexec_t)
+-corenet_all_recvfrom_netlabel(httpd_suexec_t)
+-corenet_tcp_sendrecv_generic_if(httpd_suexec_t)
+-corenet_tcp_sendrecv_generic_node(httpd_suexec_t)
+-
+-corecmd_exec_bin(httpd_suexec_t)
+-corecmd_exec_shell(httpd_suexec_t)
+-
dev_read_urand(httpd_suexec_t)
-+fs_read_iso9660_files(httpd_suexec_t)
+ fs_read_iso9660_files(httpd_suexec_t)
fs_search_auto_mountpoints(httpd_suexec_t)
+application_exec_all(httpd_suexec_t)
+
- # for shell scripts
- corecmd_exec_bin(httpd_suexec_t)
- corecmd_exec_shell(httpd_suexec_t)
-
--files_read_etc_files(httpd_suexec_t)
++# for shell scripts
++corecmd_exec_bin(httpd_suexec_t)
++corecmd_exec_shell(httpd_suexec_t)
++
files_read_usr_files(httpd_suexec_t)
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)
-@@ -738,15 +1185,14 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -944,123 +1188,74 @@ auth_use_nsswitch(httpd_suexec_t)
logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)
-miscfiles_read_localization(httpd_suexec_t)
miscfiles_read_public_files(httpd_suexec_t)
+-tunable_policy(`httpd_builtin_scripting',`
+- exec_files_pattern(httpd_suexec_t, httpd_script_exec_type, httpd_script_exec_type)
+-
+- allow httpd_suexec_t httpdcontent:dir list_dir_perms;
+- allow httpd_suexec_t httpdcontent:file read_file_perms;
+- allow httpd_suexec_t httpdcontent:lnk_file read_lnk_file_perms;
+-')
+corenet_all_recvfrom_netlabel(httpd_suexec_t)
-+
+
tunable_policy(`httpd_can_network_connect',`
- allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
- allow httpd_suexec_t self:udp_socket create_socket_perms;
-
-- corenet_all_recvfrom_unlabeled(httpd_suexec_t)
-- corenet_all_recvfrom_netlabel(httpd_suexec_t)
- corenet_tcp_sendrecv_generic_if(httpd_suexec_t)
- corenet_udp_sendrecv_generic_if(httpd_suexec_t)
- corenet_tcp_sendrecv_generic_node(httpd_suexec_t)
-@@ -757,13 +1203,31 @@ tunable_policy(`httpd_can_network_connect',`
++ allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
++ allow httpd_suexec_t self:udp_socket create_socket_perms;
++
++ corenet_tcp_sendrecv_generic_if(httpd_suexec_t)
++ corenet_udp_sendrecv_generic_if(httpd_suexec_t)
++ corenet_tcp_sendrecv_generic_node(httpd_suexec_t)
++ corenet_udp_sendrecv_generic_node(httpd_suexec_t)
++ corenet_tcp_sendrecv_all_ports(httpd_suexec_t)
++ corenet_udp_sendrecv_all_ports(httpd_suexec_t)
+ corenet_tcp_connect_all_ports(httpd_suexec_t)
corenet_sendrecv_all_client_packets(httpd_suexec_t)
+- corenet_tcp_sendrecv_all_ports(httpd_suexec_t)
')
-+tunable_policy(`httpd_can_network_connect_db',`
-+ corenet_tcp_connect_firebird_port(httpd_suexec_t)
-+ corenet_tcp_connect_mssql_port(httpd_suexec_t)
+ tunable_policy(`httpd_can_network_connect_db',`
+- corenet_sendrecv_gds_db_client_packets(httpd_suexec_t)
+ corenet_tcp_connect_gds_db_port(httpd_suexec_t)
+- corenet_tcp_sendrecv_gds_db_port(httpd_suexec_t)
+- corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
+ corenet_tcp_connect_mssql_port(httpd_suexec_t)
+- corenet_tcp_sendrecv_mssql_port(httpd_suexec_t)
+- corenet_sendrecv_oracledb_client_packets(httpd_suexec_t)
+- corenet_tcp_connect_oracledb_port(httpd_suexec_t)
+- corenet_tcp_sendrecv_oracledb_port(httpd_suexec_t)
+ corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
+ corenet_tcp_connect_oracle_port(httpd_suexec_t)
+ corenet_sendrecv_oracle_client_packets(httpd_suexec_t)
-+')
-+
+ ')
+
+domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)
+
-+tunable_policy(`httpd_can_sendmail',`
-+ mta_send_mail(httpd_suexec_t)
-+')
-+
+ tunable_policy(`httpd_can_sendmail',`
+- corenet_sendrecv_smtp_client_packets(httpd_suexec_t)
+- corenet_tcp_connect_smtp_port(httpd_suexec_t)
+- corenet_tcp_sendrecv_smtp_port(httpd_suexec_t)
+- corenet_sendrecv_pop_client_packets(httpd_suexec_t)
+- corenet_tcp_connect_pop_port(httpd_suexec_t)
+- corenet_tcp_sendrecv_pop_port(httpd_suexec_t)
+ mta_send_mail(httpd_suexec_t)
+- mta_signal_system_mail(httpd_suexec_t)
+ ')
+
tunable_policy(`httpd_enable_cgi && httpd_unified',`
- allow httpd_sys_script_t httpdcontent:file entrypoint;
++ allow httpd_sys_script_t httpdcontent:file entrypoint;
domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
+-')
+-
+-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
+- fs_list_auto_mountpoints(httpd_suexec_t)
+- fs_read_cifs_files(httpd_suexec_t)
+- fs_read_cifs_symlinks(httpd_suexec_t)
+-')
-
+-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_scripting',`
+- fs_exec_cifs_files(httpd_suexec_t)
+ manage_dirs_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
+ manage_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
+ manage_sock_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
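Review bot: `domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)` sits unconditionally between the suexec tunables, whereas the equivalent `allow httpd_sys_script_t httpd_sys_content_t:file entrypoint;` earlier in this patch is gated by `httpd_enable_cgi && httpd_unified`; the unconditional form makes every file of read-only web content an entry point for the CGI domain regardless of those booleans and, if this is the stock refpolicy interface, also grants `mmap_exec_file_perms` on it. The transition itself still needs the boolean-gated `domtrans_pattern` rules, so this is not a full CGI path on its own, but it should be either removed or moved next to the gated block with a comment such as `# suexec needs entrypoint on static content even when not unified -- TODO confirm`. Likewise `corenet_all_recvfrom_netlabel(httpd_suexec_t)` has moved out of `httpd_can_network_connect` and is now unconditional; a note on why it no longer needs the boolean would help.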
@@ -4142,164 +5261,372 @@ index 0833afb..2864927 100644
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+- fs_list_auto_mountpoints(httpd_suexec_t)
+ fs_list_auto_mountpoints(httpd_suexec_t)
fs_read_nfs_files(httpd_suexec_t)
fs_read_nfs_symlinks(httpd_suexec_t)
+-')
+-
+-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs && httpd_builtin_scripting',`
fs_exec_nfs_files(httpd_suexec_t)
-@@ -786,6 +1250,25 @@ optional_policy(`
- dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
+-tunable_policy(`httpd_execmem',`
+- allow httpd_suexec_t self:process { execmem execstack };
+-')
+-
+-tunable_policy(`httpd_tmp_exec',`
+- can_exec(httpd_suexec_t, httpd_suexec_tmp_t)
+-')
+-
+-tunable_policy(`httpd_tty_comm',`
+- userdom_use_user_terminals(httpd_suexec_t)
+-',`
+- userdom_dontaudit_use_user_terminals(httpd_suexec_t)
+-')
+-
+-tunable_policy(`httpd_use_cifs',`
+- fs_list_auto_mountpoints(httpd_suexec_t)
+- fs_manage_cifs_dirs(httpd_suexec_t)
+- fs_manage_cifs_files(httpd_suexec_t)
+- fs_manage_cifs_symlinks(httpd_suexec_t)
+-')
+-
+-tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',`
++tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
++ fs_read_cifs_files(httpd_suexec_t)
++ fs_read_cifs_symlinks(httpd_suexec_t)
+ fs_exec_cifs_files(httpd_suexec_t)
+ ')
+
+-tunable_policy(`httpd_use_fusefs',`
+- fs_list_auto_mountpoints(httpd_suexec_t)
+- fs_manage_fusefs_dirs(httpd_suexec_t)
+- fs_manage_fusefs_files(httpd_suexec_t)
+- fs_read_fusefs_symlinks(httpd_suexec_t)
+-')
+-
+-tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
+- fs_exec_fusefs_files(httpd_suexec_t)
+-')
+-
+-tunable_policy(`httpd_use_nfs',`
+- fs_list_auto_mountpoints(httpd_suexec_t)
+- fs_manage_nfs_dirs(httpd_suexec_t)
+- fs_manage_nfs_files(httpd_suexec_t)
+- fs_manage_nfs_symlinks(httpd_suexec_t)
+-')
+-
+-tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
+- fs_exec_nfs_files(httpd_suexec_t)
+optional_policy(`
-+ mysql_stream_connect(httpd_suexec_t)
-+ mysql_rw_db_sockets(httpd_suexec_t)
-+ mysql_read_config(httpd_suexec_t)
-+
-+ tunable_policy(`httpd_can_network_connect_db',`
-+ mysql_tcp_connect(httpd_suexec_t)
-+ ')
-+')
-+
-+optional_policy(`
-+ postgresql_stream_connect(httpd_suexec_t)
-+ postgresql_unpriv_client(httpd_suexec_t)
-+
-+ tunable_policy(`httpd_can_network_connect_db',`
-+ postgresql_tcp_connect(httpd_suexec_t)
-+ ')
-+')
++ mailman_domtrans_cgi(httpd_suexec_t)
+ ')
+
+ optional_policy(`
+- mailman_domtrans_cgi(httpd_suexec_t)
++ mta_stub(httpd_suexec_t)
+
++ # apache should set close-on-exec
++ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
+ ')
+
+ optional_policy(`
+ mysql_stream_connect(httpd_suexec_t)
++ mysql_rw_db_sockets(httpd_suexec_t)
+ mysql_read_config(httpd_suexec_t)
+
+ tunable_policy(`httpd_can_network_connect_db',`
+@@ -1077,172 +1272,103 @@ optional_policy(`
+ ')
+ ')
+
+-tunable_policy(`httpd_read_user_content',`
+- userdom_read_user_home_content_files(httpd_suexec_t)
+-')
+-
+-tunable_policy(`httpd_enable_homedirs',`
+- userdom_search_user_home_dirs(httpd_suexec_t)
+-')
+-
########################################
#
- # Apache system script local policy
-@@ -806,12 +1289,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+-# Common script local policy
++# Apache system script local policy
+ #
+
+-allow httpd_script_domains self:fifo_file rw_file_perms;
+-allow httpd_script_domains self:unix_stream_socket connectto;
+-
+-allow httpd_script_domains httpd_sys_content_t:dir search_dir_perms;
+-
+-append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
+-read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
+-
+-kernel_dontaudit_search_sysctl(httpd_script_domains)
+-kernel_dontaudit_search_kernel_sysctl(httpd_script_domains)
++allow httpd_sys_script_t self:process getsched;
+
+-corenet_all_recvfrom_unlabeled(httpd_script_domains)
+-corenet_all_recvfrom_netlabel(httpd_script_domains)
+-corenet_tcp_sendrecv_generic_if(httpd_script_domains)
+-corenet_tcp_sendrecv_generic_node(httpd_script_domains)
+-
+-corecmd_exec_all_executables(httpd_script_domains)
++allow httpd_sys_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
++allow httpd_sys_script_t httpd_t:tcp_socket { read write };
+
+-dev_read_rand(httpd_script_domains)
+-dev_read_urand(httpd_script_domains)
++dontaudit httpd_sys_script_t httpd_config_t:dir search;
- kernel_read_kernel_sysctls(httpd_sys_script_t)
+-files_exec_etc_files(httpd_script_domains)
+-files_read_etc_files(httpd_script_domains)
+-files_search_home(httpd_script_domains)
++allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms };
+-libs_exec_ld_so(httpd_script_domains)
+-libs_exec_lib_files(httpd_script_domains)
++allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
++read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
++read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
+
+-logging_search_logs(httpd_script_domains)
++kernel_read_kernel_sysctls(httpd_sys_script_t)
+
+-miscfiles_read_fonts(httpd_script_domains)
+-miscfiles_read_public_files(httpd_script_domains)
+files_read_var_symlinks(httpd_sys_script_t)
- files_search_var_lib(httpd_sys_script_t)
- files_search_spool(httpd_sys_script_t)
++files_search_var_lib(httpd_sys_script_t)
++files_search_spool(httpd_sys_script_t)
+-seutil_dontaudit_search_config(httpd_script_domains)
+logging_inherit_append_all_logs(httpd_sys_script_t)
-+
- # Should we add a boolean?
- apache_domtrans_rotatelogs(httpd_sys_script_t)
+-tunable_policy(`httpd_enable_cgi && httpd_unified',`
+- allow httpd_script_domains httpdcontent:file entrypoint;
++# Should we add a boolean?
++apache_domtrans_rotatelogs(httpd_sys_script_t)
+
+- manage_dirs_pattern(httpd_script_domains, httpdcontent, httpdcontent)
+- manage_files_pattern(httpd_script_domains, httpdcontent, httpdcontent)
+- manage_lnk_files_pattern(httpd_script_domains, httpdcontent, httpdcontent)
+auth_use_nsswitch(httpd_sys_script_t)
-+
- ifdef(`distro_redhat',`
- allow httpd_sys_script_t httpd_log_t:file append_file_perms;
+
+- can_exec(httpd_script_domains, httpdcontent)
++ifdef(`distro_redhat',`
++ allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
-@@ -820,18 +1308,50 @@ tunable_policy(`httpd_can_sendmail',`
- mta_send_mail(httpd_sys_script_t)
+
+-tunable_policy(`httpd_enable_cgi',`
+- allow httpd_script_domains self:process { setsched signal_perms };
+- allow httpd_script_domains self:unix_stream_socket create_stream_socket_perms;
+-
+- kernel_read_system_state(httpd_script_domains)
+-
+- fs_getattr_all_fs(httpd_script_domains)
+-
+- files_read_etc_runtime_files(httpd_script_domains)
+- files_read_usr_files(httpd_script_domains)
+-
+- libs_read_lib_files(httpd_script_domains)
+-
+- miscfiles_read_localization(httpd_script_domains)
++tunable_policy(`httpd_can_sendmail',`
++ mta_send_mail(httpd_sys_script_t)
')
-+optional_policy(`
+ optional_policy(`
+- tunable_policy(`httpd_enable_cgi && allow_ypbind',`
+- nis_use_ypbind_uncond(httpd_script_domains)
+ tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
+ spamassassin_domtrans_client(httpd_t)
-+ ')
-+')
-+
+ ')
+ ')
+
+-tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
+- corenet_sendrecv_gds_db_client_packets(httpd_script_domains)
+- corenet_tcp_connect_gds_db_port(httpd_script_domains)
+- corenet_tcp_sendrecv_gds_db_port(httpd_script_domains)
+- corenet_sendrecv_mssql_client_packets(httpd_script_domains)
+- corenet_tcp_connect_mssql_port(httpd_script_domains)
+- corenet_tcp_sendrecv_mssql_port(httpd_script_domains)
+- corenet_sendrecv_oracledb_client_packets(httpd_script_domains)
+- corenet_tcp_connect_oracledb_port(httpd_script_domains)
+- corenet_tcp_sendrecv_oracledb_port(httpd_script_domains)
+-')
+-
+-optional_policy(`
+- mysql_read_config(httpd_script_domains)
+- mysql_stream_connect(httpd_script_domains)
+-
+- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
+- mysql_tcp_connect(httpd_script_domains)
+- ')
+tunable_policy(`httpd_can_network_connect_db',`
-+ corenet_tcp_connect_firebird_port(httpd_sys_script_t)
++ corenet_tcp_connect_gds_db_port(httpd_sys_script_t)
+ corenet_tcp_connect_mssql_port(httpd_sys_script_t)
+ corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
+ corenet_tcp_connect_oracle_port(httpd_sys_script_t)
+ corenet_sendrecv_oracle_client_packets(httpd_sys_script_t)
-+')
-+
+ ')
+
+-optional_policy(`
+- postgresql_stream_connect(httpd_script_domains)
+fs_cifs_entry_type(httpd_sys_script_t)
+fs_read_iso9660_files(httpd_sys_script_t)
+fs_nfs_entry_type(httpd_sys_script_t)
-+
+
+- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
+- postgresql_tcp_connect(httpd_script_domains)
+- ')
+-')
+tunable_policy(`httpd_use_nfs',`
+ fs_list_auto_mountpoints(httpd_sys_script_t)
+ fs_manage_nfs_dirs(httpd_sys_script_t)
+ fs_manage_nfs_files(httpd_sys_script_t)
+ fs_manage_nfs_symlinks(httpd_sys_script_t)
+ fs_exec_nfs_files(httpd_sys_script_t)
-+
+
+-optional_policy(`
+- nscd_use(httpd_script_domains)
+ fs_list_auto_mountpoints(httpd_suexec_t)
+ fs_manage_nfs_dirs(httpd_suexec_t)
+ fs_manage_nfs_files(httpd_suexec_t)
+ fs_manage_nfs_symlinks(httpd_suexec_t)
+ fs_exec_nfs_files(httpd_suexec_t)
-+')
-+
+ ')
+
+-########################################
+-#
+-# System script local policy
+-#
+-
+-allow httpd_sys_script_t self:tcp_socket { accept listen };
+-
+-allow httpd_sys_script_t httpd_t:tcp_socket { read write };
+-
+-dontaudit httpd_sys_script_t httpd_config_t:dir search;
+corenet_all_recvfrom_netlabel(httpd_sys_script_t)
+
+-allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms };
+-
+-allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
+-allow httpd_sys_script_t squirrelmail_spool_t:file read_file_perms;
+-allow httpd_sys_script_t squirrelmail_spool_t:lnk_file read_lnk_file_perms;
+-
+-kernel_read_kernel_sysctls(httpd_sys_script_t)
+-
+-fs_search_auto_mountpoints(httpd_sys_script_t)
+-
+-files_read_var_symlinks(httpd_sys_script_t)
+-files_search_var_lib(httpd_sys_script_t)
+-files_search_spool(httpd_sys_script_t)
+-
+-apache_domtrans_rotatelogs(httpd_sys_script_t)
+-
+-auth_use_nsswitch(httpd_sys_script_t)
+-
+-tunable_policy(`httpd_can_sendmail',`
+- corenet_sendrecv_smtp_client_packets(httpd_sys_script_t)
+- corenet_tcp_connect_smtp_port(httpd_sys_script_t)
+- corenet_tcp_sendrecv_smtp_port(httpd_sys_script_t)
+- corenet_sendrecv_pop_client_packets(httpd_sys_script_t)
+- corenet_tcp_connect_pop_port(httpd_sys_script_t)
+- corenet_tcp_sendrecv_pop_port(httpd_sys_script_t)
+-
+- mta_send_mail(httpd_sys_script_t)
+- mta_signal_system_mail(httpd_sys_script_t)
++tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
++ allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
++ allow httpd_sys_script_t self:udp_socket create_socket_perms;
+
- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
- allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
- allow httpd_sys_script_t self:udp_socket create_socket_perms;
-
-- corenet_tcp_bind_all_nodes(httpd_sys_script_t)
-- corenet_udp_bind_all_nodes(httpd_sys_script_t)
-- corenet_all_recvfrom_unlabeled(httpd_sys_script_t)
-- corenet_all_recvfrom_netlabel(httpd_sys_script_t)
-- corenet_tcp_sendrecv_all_if(httpd_sys_script_t)
-- corenet_udp_sendrecv_all_if(httpd_sys_script_t)
-- corenet_tcp_sendrecv_all_nodes(httpd_sys_script_t)
-- corenet_udp_sendrecv_all_nodes(httpd_sys_script_t)
+ corenet_tcp_bind_generic_node(httpd_sys_script_t)
+ corenet_udp_bind_generic_node(httpd_sys_script_t)
+ corenet_tcp_sendrecv_generic_if(httpd_sys_script_t)
+ corenet_udp_sendrecv_generic_if(httpd_sys_script_t)
+ corenet_tcp_sendrecv_generic_node(httpd_sys_script_t)
+ corenet_udp_sendrecv_generic_node(httpd_sys_script_t)
- corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
- corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
- corenet_tcp_connect_all_ports(httpd_sys_script_t)
-@@ -839,14 +1359,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
++ corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
++ corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
++ corenet_tcp_connect_all_ports(httpd_sys_script_t)
++ corenet_sendrecv_all_client_packets(httpd_sys_script_t)
')
tunable_policy(`httpd_enable_homedirs',`
-- userdom_read_user_home_content_files(httpd_sys_script_t)
-+ userdom_search_user_home_dirs(httpd_sys_script_t)
+ userdom_search_user_home_dirs(httpd_sys_script_t)
')
- tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+-tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+- corenet_tcp_connect_all_ports(httpd_sys_script_t)
+- corenet_sendrecv_all_client_packets(httpd_sys_script_t)
+- corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
+-')
+-
+-tunable_policy(`httpd_execmem',`
+- allow httpd_sys_script_t self:process { execmem execstack };
++tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+ fs_list_auto_mountpoints(httpd_sys_script_t)
- fs_read_nfs_files(httpd_sys_script_t)
- fs_read_nfs_symlinks(httpd_sys_script_t)
++ fs_read_nfs_files(httpd_sys_script_t)
++ fs_read_nfs_symlinks(httpd_sys_script_t)
')
-+tunable_policy(`httpd_read_user_content',`
-+ userdom_read_user_home_content_files(httpd_sys_script_t)
-+')
-+
-+tunable_policy(`httpd_use_cifs',`
-+ fs_manage_cifs_dirs(httpd_sys_script_t)
-+ fs_manage_cifs_files(httpd_sys_script_t)
-+ fs_manage_cifs_symlinks(httpd_sys_script_t)
+ tunable_policy(`httpd_read_user_content',`
+@@ -1250,64 +1376,70 @@ tunable_policy(`httpd_read_user_content',`
+ ')
+
+ tunable_policy(`httpd_use_cifs',`
+- fs_list_auto_mountpoints(httpd_sys_script_t)
+ fs_manage_cifs_dirs(httpd_sys_script_t)
+ fs_manage_cifs_files(httpd_sys_script_t)
+ fs_manage_cifs_symlinks(httpd_sys_script_t)
+-')
+-
+-tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',`
+- fs_exec_cifs_files(httpd_sys_script_t)
+ fs_manage_cifs_dirs(httpd_suexec_t)
+ fs_manage_cifs_files(httpd_suexec_t)
+ fs_manage_cifs_symlinks(httpd_suexec_t)
+ fs_exec_cifs_files(httpd_suexec_t)
-+')
-+
-+tunable_policy(`httpd_use_fusefs',`
-+ fs_manage_fusefs_dirs(httpd_sys_script_t)
-+ fs_manage_fusefs_files(httpd_sys_script_t)
+ ')
+
+ tunable_policy(`httpd_use_fusefs',`
+- fs_list_auto_mountpoints(httpd_sys_script_t)
+ fs_manage_fusefs_dirs(httpd_sys_script_t)
+ fs_manage_fusefs_files(httpd_sys_script_t)
+- fs_read_fusefs_symlinks(httpd_sys_script_t)
+-')
+-
+-tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
+- fs_exec_fusefs_files(httpd_sys_script_t)
+ fs_manage_fusefs_symlinks(httpd_sys_script_t)
+ fs_manage_fusefs_dirs(httpd_suexec_t)
+ fs_manage_fusefs_files(httpd_suexec_t)
+ fs_manage_fusefs_symlinks(httpd_suexec_t)
+ fs_exec_fusefs_files(httpd_suexec_t)
-+')
-+
- tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
- fs_read_cifs_files(httpd_sys_script_t)
- fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -854,15 +1399,26 @@ tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
+ ')
- optional_policy(`
- clamav_domtrans_clamscan(httpd_sys_script_t)
+-tunable_policy(`httpd_use_nfs',`
+- fs_list_auto_mountpoints(httpd_sys_script_t)
+- fs_manage_nfs_dirs(httpd_sys_script_t)
+- fs_manage_nfs_files(httpd_sys_script_t)
+- fs_manage_nfs_symlinks(httpd_sys_script_t)
++tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
++ fs_read_cifs_files(httpd_sys_script_t)
++ fs_read_cifs_symlinks(httpd_sys_script_t)
+ ')
+
+-tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
+- fs_exec_nfs_files(httpd_sys_script_t)
++optional_policy(`
++ clamav_domtrans_clamscan(httpd_sys_script_t)
+ clamav_domtrans_clamscan(httpd_t)
')
optional_policy(`
- mysql_stream_connect(httpd_sys_script_t)
- mysql_rw_db_sockets(httpd_sys_script_t)
+- clamav_domtrans_clamscan(httpd_sys_script_t)
++ mysql_stream_connect(httpd_sys_script_t)
++ mysql_rw_db_sockets(httpd_sys_script_t)
+ mysql_read_config(httpd_sys_script_t)
+
+ tunable_policy(`httpd_can_network_connect_db',`
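Review bot: On the new side, the `httpd_use_nfs`, `httpd_use_cifs` and `httpd_use_fusefs` blocks grant `fs_exec_nfs_files`, `fs_exec_cifs_files` and `fs_exec_fusefs_files` to both `httpd_sys_script_t` and `httpd_suexec_t` under the filesystem boolean alone, whereas the upstream blocks this hunk removes (the ones conditioned on `httpd_use_nfs && httpd_builtin_scripting` and the cifs/fusefs counterparts, in both the suexec and the system-script sections) kept exec behind the extra `httpd_builtin_scripting` condition. That widening may be intended, but nothing in the patch records it; a comment above the first such block, e.g. `# Fedora: exec on NFS/CIFS/FUSE content follows httpd_use_* directly, not httpd_builtin_scripting`, would keep it from being silently reverted or re-widened on the next merge. Separately, `spamassassin_domtrans_client(httpd_t)` and `clamav_domtrans_clamscan(httpd_t)` sit inside the "Apache system script local policy" section although they grant to `httpd_t`; placing them beside the other `httpd_t` rules keeps the section headers truthful. The final `httpd_can_network_connect_db` block closes outside this hunk, and apache.te continues beyond it.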
@@ -4308,8 +5635,8 @@ index 0833afb..2864927 100644
')
optional_policy(`
- postgresql_stream_connect(httpd_sys_script_t)
-+ postgresql_unpriv_client(httpd_sys_script_t)
++ postgresql_stream_connect(httpd_sys_script_t)
+ postgresql_unpriv_client(httpd_sys_script_t)
+
+ tunable_policy(`httpd_can_network_connect_db',`
+ postgresql_tcp_connect(httpd_sys_script_t)
@@ -4317,9 +5644,19 @@ index 0833afb..2864927 100644
')
########################################
-@@ -878,11 +1434,9 @@ kernel_read_kernel_sysctls(httpd_rotatelogs_t)
+ #
+-# Rotatelogs local policy
++# httpd_rotatelogs local policy
+ #
+
+ allow httpd_rotatelogs_t self:capability dac_override;
+
+ manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
+-read_lnk_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
+
+ kernel_read_kernel_sysctls(httpd_rotatelogs_t)
kernel_dontaudit_list_proc(httpd_rotatelogs_t)
- kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t)
++kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t)
-files_read_etc_files(httpd_rotatelogs_t)
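Review bot: The new side of the patch removes upstream's `read_lnk_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)` while keeping `manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)`; as far as this hunk shows, rotatelogs would then be denied following symlinks inside the log directory, and nothing on the page says whether that narrowing is deliberate or a merge artifact. Either restore the rule or leave a one-line comment next to the removal, e.g. `# symlink read on httpd_log_t deliberately dropped for rotatelogs: <reason>`, so the next merge does not have to guess. The rotatelogs section continues outside the hunk.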
@@ -4329,75 +5666,132 @@ index 0833afb..2864927 100644
########################################
#
-@@ -908,11 +1462,138 @@ optional_policy(`
+@@ -1315,8 +1447,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+ #
- tunable_policy(`httpd_enable_cgi && httpd_unified',`
- allow httpd_user_script_t httpdcontent:file entrypoint;
+ optional_policy(`
+- apache_content_template(unconfined)
++ type httpd_unconfined_script_t;
++ type httpd_unconfined_script_exec_t;
++ domain_type(httpd_unconfined_script_t)
++ domain_entry_file(httpd_unconfined_script_t, httpd_unconfined_script_exec_t)
++ domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
+ unconfined_domain(httpd_unconfined_script_t)
++
++ role system_r types httpd_unconfined_script_t;
++ allow httpd_t httpd_unconfined_script_t:process signal_perms;
+ ')
+
+ ########################################
+@@ -1324,49 +1463,36 @@ optional_policy(`
+ # User content local policy
+ #
+
+-tunable_policy(`httpd_enable_homedirs',`
+- userdom_search_user_home_dirs(httpd_user_script_t)
+-')
+-
+-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
+- fs_list_auto_mountpoints(httpd_user_script_t)
+- fs_read_cifs_files(httpd_user_script_t)
+- fs_read_cifs_symlinks(httpd_user_script_t)
+-')
+-
+-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_scripting',`
+- fs_exec_cifs_files(httpd_user_script_t)
+-')
+-
+-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+- fs_list_auto_mountpoints(httpd_user_script_t)
+- fs_read_nfs_files(httpd_user_script_t)
+- fs_read_nfs_symlinks(httpd_user_script_t)
++tunable_policy(`httpd_enable_cgi && httpd_unified',`
++ allow httpd_user_script_t httpdcontent:file entrypoint;
+ manage_dirs_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
+ manage_files_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
+ manage_dirs_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
+ manage_files_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
')
- # allow accessing files/dirs below the users home dir
- tunable_policy(`httpd_enable_homedirs',`
-- userdom_search_user_home_dirs(httpd_t)
-- userdom_search_user_home_dirs(httpd_suexec_t)
-- userdom_search_user_home_dirs(httpd_user_script_t)
+-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs && httpd_builtin_scripting',`
+- fs_exec_nfs_files(httpd_user_script_t)
++# allow accessing files/dirs below the users home dir
++tunable_policy(`httpd_enable_homedirs',`
+ userdom_search_user_home_content(httpd_t)
+ userdom_search_user_home_content(httpd_suexec_t)
+ userdom_search_user_home_content(httpd_user_script_t)
-+')
-+
-+tunable_policy(`httpd_read_user_content',`
+ ')
+
+ tunable_policy(`httpd_read_user_content',`
+ userdom_read_user_home_content_files(httpd_t)
+ userdom_read_user_home_content_files(httpd_suexec_t)
-+ userdom_read_user_home_content_files(httpd_user_script_t)
-+')
-+
-+########################################
-+#
+ userdom_read_user_home_content_files(httpd_user_script_t)
+ ')
+
+-optional_policy(`
+- postgresql_unpriv_client(httpd_user_script_t)
+-')
+-
+ ########################################
+ #
+-# Passwd local policy
+# httpd_passwd local policy
-+#
-+
-+allow httpd_passwd_t self:fifo_file manage_fifo_file_perms;
-+allow httpd_passwd_t self:unix_stream_socket create_stream_socket_perms;
-+allow httpd_passwd_t self:unix_dgram_socket create_socket_perms;
-+
-+kernel_read_system_state(httpd_passwd_t)
-+
-+corecmd_exec_bin(httpd_passwd_t)
-+corecmd_exec_shell(httpd_passwd_t)
-+
-+dev_read_urand(httpd_passwd_t)
-+
-+domain_use_interactive_fds(httpd_passwd_t)
-+
-+
-+auth_use_nsswitch(httpd_passwd_t)
+ #
+
+ allow httpd_passwd_t self:fifo_file manage_fifo_file_perms;
+ allow httpd_passwd_t self:unix_stream_socket create_stream_socket_perms;
+ allow httpd_passwd_t self:unix_dgram_socket create_socket_perms;
+
+-dontaudit httpd_passwd_t httpd_config_t:file read_file_perms;
+-
+ kernel_read_system_state(httpd_passwd_t)
+
+ corecmd_exec_bin(httpd_passwd_t)
+@@ -1376,38 +1502,101 @@ dev_read_urand(httpd_passwd_t)
+
+ domain_use_interactive_fds(httpd_passwd_t)
+
+
+ auth_use_nsswitch(httpd_passwd_t)
+
+-miscfiles_read_generic_certs(httpd_passwd_t)
+-miscfiles_read_localization(httpd_passwd_t)
+miscfiles_read_certs(httpd_passwd_t)
-+
+
+-########################################
+-#
+-# GPG local policy
+-#
+systemd_manage_passwd_run(httpd_passwd_t)
+systemd_manage_passwd_run(httpd_t)
+#systemd_passwd_agent_dev_template(httpd)
-+
+
+-allow httpd_gpg_t self:process setrlimit;
+domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t)
+dontaudit httpd_passwd_t httpd_config_t:file read;
-+
+
+-allow httpd_gpg_t httpd_t:fd use;
+-allow httpd_gpg_t httpd_t:fifo_file rw_fifo_file_perms;
+-allow httpd_gpg_t httpd_t:process sigchld;
+search_dirs_pattern(httpd_script_type, httpd_sys_content_t, httpd_script_exec_type)
+corecmd_shell_entry_type(httpd_script_type)
-+
+
+-dev_read_rand(httpd_gpg_t)
+-dev_read_urand(httpd_gpg_t)
+allow httpd_script_type self:fifo_file rw_file_perms;
+allow httpd_script_type self:unix_stream_socket connectto;
-+
+
+-files_read_usr_files(httpd_gpg_t)
+allow httpd_script_type httpd_t:fifo_file write;
+# apache should set close-on-exec
+apache_dontaudit_leaks(httpd_script_type)
-+
+
+-miscfiles_read_localization(httpd_gpg_t)
+append_files_pattern(httpd_script_type, httpd_log_t, httpd_log_t)
+logging_search_logs(httpd_script_type)
-+
+
+-tunable_policy(`httpd_gpg_anon_write',`
+- miscfiles_manage_public_files(httpd_gpg_t)
+kernel_dontaudit_search_sysctl(httpd_script_type)
+kernel_dontaudit_search_kernel_sysctl(httpd_script_type)
+
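Review bot: `#systemd_passwd_agent_dev_template(httpd)`, just after `systemd_manage_passwd_run(httpd_t)`, is commented-out policy with no explanation; either delete it or say why it is parked, e.g. `# systemd_passwd_agent_dev_template(httpd) intentionally not applied: <reason>`. In the same hunk the new `httpd_unconfined_script_t` block declares the type and wires `domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)` with no tunable in front of it (only the enclosing optional block), so as far as this hunk shows the file label is the only thing standing between a CGI and a fully unconfined domain; a comment stating that `httpd_unconfined_script_exec_t` is meant to be assigned explicitly by an administrator would help later reviewers, unless a boolean guards it somewhere not visible here. `corecmd_shell_entry_type(httpd_script_type)` likewise applies to every script type at once and its purpose is not obvious from the surrounding attribute rules; a short why-comment would be welcome. The `httpd_script_type` rules continue past the end of the hunk.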
@@ -4445,12 +5839,16 @@ index 0833afb..2864927 100644
+
+tunable_policy(`httpd_enable_cgi && nis_enabled',`
+ nis_use_ypbind_uncond(httpd_script_type)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- apache_manage_sys_rw_content(httpd_gpg_t)
+ nscd_socket_use(httpd_script_type)
-+')
-+
+ ')
+
+-optional_policy(`
+- gpg_entry_type(httpd_gpg_t)
+- gpg_exec(httpd_gpg_t)
+read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
+
+tunable_policy(`httpd_builtin_scripting',`
@@ -4472,33 +5870,22 @@ index 0833afb..2864927 100644
+ corenet_tcp_connect_glance_port(httpd_sys_script_t)
')
diff --git a/apcupsd.fc b/apcupsd.fc
-index cd07b96..f3506be 100644
+index 5ec0e13..2da2368 100644
--- a/apcupsd.fc
+++ b/apcupsd.fc
-@@ -1,9 +1,13 @@
+@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/apcupsd -- gen_context(system_u:object_r:apcupsd_initrc_exec_t,s0)
+/usr/lib/systemd/system/apcupsd.* -- gen_context(system_u:object_r:apcupsd_unit_file_t,s0)
+
- /sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
+ /sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
- /usr/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
-
-+/var/lock/subsys/apcupsd -- gen_context(system_u:object_r:apcupsd_lock_t,s0)
-+
- /var/log/apcupsd\.events.* -- gen_context(system_u:object_r:apcupsd_log_t,s0)
- /var/log/apcupsd\.status.* -- gen_context(system_u:object_r:apcupsd_log_t,s0)
-
-@@ -13,3 +17,4 @@
- /var/www/apcupsd/upsfstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
- /var/www/apcupsd/upsimage\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
- /var/www/apcupsd/upsstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
-+/var/www/cgi-bin/apcgui(/.*)? gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
+ /usr/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
diff --git a/apcupsd.if b/apcupsd.if
-index e342775..1fedbe5 100644
+index f3c0aba..5189407 100644
--- a/apcupsd.if
+++ b/apcupsd.if
-@@ -123,6 +123,29 @@ interface(`apcupsd_cgi_script_domtrans',`
+@@ -125,6 +125,29 @@ interface(`apcupsd_cgi_script_domtrans',`
########################################
## <summary>
@@ -4525,13 +5912,13 @@ index e342775..1fedbe5 100644
+
+########################################
+## <summary>
- ## All of the rules required to administrate
- ## an apcupsd environment
+ ## All of the rules required to
+ ## administrate an apcupsd environment.
## </summary>
@@ -144,11 +167,16 @@ interface(`apcupsd_admin',`
- type apcupsd_log_t, apcupsd_lock_t;
- type apcupsd_var_run_t;
- type apcupsd_initrc_exec_t;
+ gen_require(`
+ type apcupsd_t, apcupsd_tmp_t, apcupsd_log_t;
+ type apcupsd_var_run_t, apcupsd_initrc_exec_t, apcupsd_lock_t;
+ type apcupsd_unit_file_t;
')
@@ -4556,7 +5943,7 @@ index e342775..1fedbe5 100644
+ allow $1 apcupsd_unit_file_t:service all_service_perms;
')
diff --git a/apcupsd.te b/apcupsd.te
-index d052bf0..8f2695f 100644
+index b236327..febec9a 100644
--- a/apcupsd.te
+++ b/apcupsd.te
@@ -24,6 +24,9 @@ files_tmp_file(apcupsd_tmp_t)
@@ -4568,8 +5955,8 @@ index d052bf0..8f2695f 100644
+
########################################
#
- # apcupsd local policy
-@@ -53,15 +56,16 @@ kernel_read_system_state(apcupsd_t)
+ # Local policy
+@@ -54,7 +57,6 @@ kernel_read_system_state(apcupsd_t)
corecmd_exec_bin(apcupsd_t)
corecmd_exec_shell(apcupsd_t)
@@ -4577,27 +5964,34 @@ index d052bf0..8f2695f 100644
corenet_all_recvfrom_netlabel(apcupsd_t)
corenet_tcp_sendrecv_generic_if(apcupsd_t)
corenet_tcp_sendrecv_generic_node(apcupsd_t)
- corenet_tcp_sendrecv_all_ports(apcupsd_t)
- corenet_tcp_bind_generic_node(apcupsd_t)
+@@ -64,9 +66,11 @@ corenet_udp_sendrecv_generic_node(apcupsd_t)
+ corenet_udp_bind_generic_node(apcupsd_t)
+
corenet_tcp_bind_apcupsd_port(apcupsd_t)
+corenet_udp_bind_generic_node(apcupsd_t)
corenet_sendrecv_apcupsd_server_packets(apcupsd_t)
+ corenet_tcp_sendrecv_apcupsd_port(apcupsd_t)
corenet_tcp_connect_apcupsd_port(apcupsd_t)
+corenet_udp_bind_snmp_port(apcupsd_t)
+ corenet_udp_bind_snmp_port(apcupsd_t)
+ corenet_sendrecv_snmp_server_packets(apcupsd_t)
+@@ -74,25 +78,33 @@ corenet_udp_sendrecv_snmp_port(apcupsd_t)
+
dev_rw_generic_usb_dev(apcupsd_t)
-@@ -76,24 +80,29 @@ files_etc_filetrans_etc_runtime(apcupsd_t, file)
+-files_read_etc_files(apcupsd_t)
+ files_manage_etc_runtime_files(apcupsd_t)
+ files_etc_filetrans_etc_runtime(apcupsd_t, file, "nologin")
- # https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=240805
term_use_unallocated_ttys(apcupsd_t)
+term_use_usb_ttys(apcupsd_t)
- #apcupsd runs shutdown, probably need a shutdown domain
- init_rw_utmp(apcupsd_t)
- init_telinit(apcupsd_t)
-
-logging_send_syslog_msg(apcupsd_t)
++#apcupsd runs shutdown, probably need a shutdown domain
++init_rw_utmp(apcupsd_t)
++init_telinit(apcupsd_t)
++
+auth_read_passwd(apcupsd_t)
-miscfiles_read_localization(apcupsd_t)
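Review bot: `corenet_udp_bind_generic_node(apcupsd_t)` and `corenet_udp_bind_snmp_port(apcupsd_t)` each appear twice on the new side of apcupsd.te: once as upstream context right after the hunk header and once more as lines the Fedora patch still adds, as far as the nested markers can be read. The policy compiler tolerates duplicate interface calls, but they show the merge did not drop rules upstream already carries; removing the two re-added lines keeps the patch minimal and avoids a spurious reject on the next rebase. The same pattern with `auth_use_nsswitch(apmd_t)` is visible in the apm.te hunk at the end of the page, though that hunk is cut off.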
@@ -4620,7 +6014,7 @@ index d052bf0..8f2695f 100644
mta_send_mail(apcupsd_t)
mta_system_content(apcupsd_tmp_t)
')
-@@ -113,7 +122,6 @@ optional_policy(`
+@@ -112,7 +124,6 @@ optional_policy(`
allow httpd_apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms;
allow httpd_apcupsd_cgi_script_t self:udp_socket create_socket_perms;
@@ -4629,46 +6023,22 @@ index d052bf0..8f2695f 100644
corenet_tcp_sendrecv_generic_if(httpd_apcupsd_cgi_script_t)
corenet_tcp_sendrecv_generic_node(httpd_apcupsd_cgi_script_t)
diff --git a/apm.fc b/apm.fc
-index 0123777..5bfd421 100644
+index ce27d2f..d20377e 100644
--- a/apm.fc
+++ b/apm.fc
@@ -1,3 +1,4 @@
+/usr/lib/systemd/system/apmd.* -- gen_context(system_u:object_r:apmd_unit_file_t,s0)
+ /etc/rc\.d/init\.d/acpid -- gen_context(system_u:object_r:apmd_initrc_exec_t,s0)
- #
- # /usr
-@@ -14,6 +15,7 @@
- /var/log/acpid.* -- gen_context(system_u:object_r:apmd_log_t,s0)
-
- /var/run/\.?acpid\.socket -s gen_context(system_u:object_r:apmd_var_run_t,s0)
-+/var/run/acpid\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0)
- /var/run/apmd\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0)
- /var/run/powersaved\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0)
- /var/run/powersave_socket -s gen_context(system_u:object_r:apmd_var_run_t,s0)
+ /usr/bin/apm -- gen_context(system_u:object_r:apm_exec_t,s0)
diff --git a/apm.if b/apm.if
-index 1ea99b2..0b668ae 100644
+index 1a7a97e..1d29dce 100644
--- a/apm.if
+++ b/apm.if
-@@ -89,7 +89,7 @@ interface(`apm_append_log',`
- ')
-
- logging_search_logs($1)
-- allow $1 apmd_log_t:file append;
-+ allow $1 apmd_log_t:file append_file_perms;
- ')
+@@ -141,6 +141,29 @@ interface(`apm_stream_connect',`
########################################
-@@ -108,6 +108,28 @@ interface(`apm_stream_connect',`
- ')
-
- files_search_pids($1)
-- allow $1 apmd_var_run_t:sock_file write;
-- allow $1 apmd_t:unix_stream_socket connectto;
-+ stream_connect_pattern($1, apmd_var_run_t, apmd_var_run_t, apmd_t)
-+')
-+
-+########################################
-+## <summary>
+ ## <summary>
+## Execute apmd server in the apmd domain.
+## </summary>
+## <param name="domain">
@@ -4688,30 +6058,43 @@ index 1ea99b2..0b668ae 100644
+ allow $1 apmd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, apmd_t)
- ')
-diff --git a/apm.te b/apm.te
-index 1c8c27e..4c09721 100644
---- a/apm.te
-+++ b/apm.te
-@@ -4,6 +4,7 @@ policy_module(apm, 1.11.0)
- #
- # Declarations
- #
++')
+
- type apmd_t;
- type apmd_exec_t;
- init_daemon_domain(apmd_t, apmd_exec_t)
-@@ -32,6 +33,9 @@ ifdef(`distro_suse',`
- files_type(apmd_var_lib_t)
- ')
++########################################
++## <summary>
+ ## All of the rules required to
+ ## administrate an apm environment.
+ ## </summary>
+@@ -163,9 +186,13 @@ interface(`apm_admin',`
+ type apmd_tmp_t;
+ ')
+
+- allow $1 apmd_t:process { ptrace signal_perms };
++ allow $1 apmd_t:process { signal_perms };
+ ps_process_pattern($1, apmd_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 apmd_t:process ptrace;
++ ')
++
+ init_labeled_script_domtrans($1, apmd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 apmd_initrc_exec_t system_r;
+diff --git a/apm.te b/apm.te
+index 3590e2f..29e3af5 100644
+--- a/apm.te
++++ b/apm.te
+@@ -35,6 +35,9 @@ files_type(apmd_var_lib_t)
+ type apmd_var_run_t;
+ files_pid_file(apmd_var_run_t)
+type apmd_unit_file_t;
+systemd_unit_file(apmd_unit_file_t)
+
########################################
#
- # apm client Local policy
-@@ -45,7 +49,7 @@ dev_rw_apm_bios(apm_t)
+ # Client local policy
+@@ -48,7 +51,7 @@ dev_rw_apm_bios(apm_t)
fs_getattr_xattr_fs(apm_t)
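Review bot: The summary `## Execute apmd server in the apmd domain.` at the top of the new interface (its header opens in the previous hunk) does not match the body visible here, which grants `allow $1 apmd_unit_file_t:service manage_service_perms;` and `ps_process_pattern($1, apmd_t)` with no domain transition in view; if the elided lines between the hunks hold a systemctl-style body, the summary should say so, e.g. `## Manage the apmd unit file through systemctl and read apmd process state.`. Moving `ptrace` in `apm_admin` behind the `deny_ptrace` tunable is a sound narrowing; the remaining `allow $1 apmd_t:process { signal_perms };` no longer needs braces around a single permission set and could read `allow $1 apmd_t:process signal_perms;` to match the other single-permission rules in the file. The `apm_admin` interface closes outside this hunk.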
@@ -4720,48 +6103,36 @@ index 1c8c27e..4c09721 100644
domain_use_interactive_fds(apm_t)
-@@ -59,9 +63,10 @@ logging_send_syslog_msg(apm_t)
- # mknod: controlling an orderly resume of PCMCIA requires creating device
- # nodes 254,{0,1,2} for some reason.
+@@ -60,7 +63,7 @@ logging_send_syslog_msg(apm_t)
+ #
+
allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod };
-dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_ptrace sys_tty_config };
+dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_tty_config };
allow apmd_t self:process { signal_perms getsession };
allow apmd_t self:fifo_file rw_fifo_file_perms;
-+allow apmd_t self:netlink_socket create_socket_perms;
- allow apmd_t self:unix_dgram_socket create_socket_perms;
- allow apmd_t self:unix_stream_socket create_stream_socket_perms;
-
-@@ -81,6 +86,8 @@ kernel_rw_all_sysctls(apmd_t)
- kernel_read_system_state(apmd_t)
- kernel_write_proc_files(apmd_t)
-
-+dev_read_input(apmd_t)
-+dev_read_mouse(apmd_t)
- dev_read_realtime_clock(apmd_t)
- dev_read_urand(apmd_t)
- dev_rw_apm_bios(apmd_t)
-@@ -96,8 +103,6 @@ fs_dontaudit_getattr_all_symlinks(apmd_t) # Excessive?
- fs_dontaudit_getattr_all_pipes(apmd_t) # Excessive?
- fs_dontaudit_getattr_all_sockets(apmd_t) # Excessive?
+ allow apmd_t self:netlink_socket create_socket_perms;
+@@ -115,8 +118,6 @@ fs_dontaudit_getattr_all_symlinks(apmd_t)
+ fs_dontaudit_getattr_all_pipes(apmd_t)
+ fs_dontaudit_getattr_all_sockets(apmd_t)
-selinux_search_fs(apmd_t)
-
corecmd_exec_all_executables(apmd_t)
domain_read_all_domains_state(apmd_t)
-@@ -114,6 +119,8 @@ files_dontaudit_getattr_all_symlinks(apmd_t) # Excessive?
- files_dontaudit_getattr_all_pipes(apmd_t) # Excessive?
- files_dontaudit_getattr_all_sockets(apmd_t) # Excessive?
+@@ -128,6 +129,8 @@ domain_dontaudit_list_all_domains_state(apmd_t)
+
+ auth_use_nsswitch(apmd_t)
+auth_use_nsswitch(apmd_t)
+
init_domtrans_script(apmd_t)
- init_rw_utmp(apmd_t)
- init_telinit(apmd_t)
-@@ -124,13 +131,12 @@ libs_exec_lib_files(apmd_t)
- logging_send_syslog_msg(apmd_t)
+
+ libs_exec_ld_so(apmd_t)
+@@ -136,17 +139,54 @@ libs_exec_lib_files(apmd_t)
logging_send_audit_msgs(apmd_t)
+ logging_send_syslog_msg(apmd_t)
-miscfiles_read_localization(apmd_t)
miscfiles_read_hwdata(apmd_t)
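Review bot: `auth_use_nsswitch(apmd_t)` appears to end up twice in apm.te once this version of the patch is applied: the inner hunk still carries it as an addition (`+auth_use_nsswitch(apmd_t)`) directly below a new context line that already contains the same call. Duplicate allow rules compile without complaint, so nothing catches this, but it bloats the Fedora delta and hides which rules are actually local; the inner `+` line should go. The same pattern shows up for `kernel_read_vm_sysctls(automount_t)` in the automount.te hunk further down, where the inner addition sits above a new context line with the same call.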
@@ -4774,21 +6145,27 @@ index 1c8c27e..4c09721 100644
userdom_dontaudit_use_unpriv_user_fds(apmd_t)
userdom_dontaudit_search_user_home_dirs(apmd_t)
-@@ -142,9 +148,8 @@ ifdef(`distro_redhat',`
-
- can_exec(apmd_t, apmd_var_run_t)
-
-- # ifconfig_exec_t needs to be run in its own domain for Red Hat
- optional_policy(`
-- sysnet_domtrans_ifconfig(apmd_t)
+-userdom_dontaudit_search_user_home_content(apmd_t)
++userdom_dontaudit_search_user_home_content(apmd_t) # Excessive?
++
++ifdef(`distro_redhat',`
++ allow apmd_t apmd_lock_t:file manage_file_perms;
++ files_lock_filetrans(apmd_t, apmd_lock_t, file)
++
++ can_exec(apmd_t, apmd_var_run_t)
++
++ optional_policy(`
+ fstools_domtrans(apmd_t)
- ')
-
- optional_policy(`
-@@ -155,6 +160,15 @@ ifdef(`distro_redhat',`
- netutils_domtrans(apmd_t)
- ')
-
++ ')
++
++ optional_policy(`
++ iptables_domtrans(apmd_t)
++ ')
++
++ optional_policy(`
++ netutils_domtrans(apmd_t)
++ ')
++
+ # ifconfig_exec_t needs to be run in its own domain for Red Hat
+ optional_policy(`
+ sssd_search_lib(apmd_t)
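Review bot: `can_exec(apmd_t, apmd_var_run_t)` is now carried by the patch inside the `ifdef(`distro_redhat'` block with no comment; letting a daemon execute files of its own pid-file type is a write-then-execute path if apmd_t can also create files of that type (the manage rules for apmd_var_run_t are not in this hunk), so a one-line comment naming the file under the pid directory that apmd executes would let a later reviewer judge whether the rule is still needed. The trailing `# Excessive?` on `userdom_dontaudit_search_user_home_content(apmd_t)` is a question to the reviewer rather than documentation; either drop the rule or replace the comment with the reason it stays. The `ifdef(`distro_redhat'` block continues past the end of this hunk.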
@@ -4798,23 +6175,20 @@ index 1c8c27e..4c09721 100644
+ sysnet_domtrans_ifconfig(apmd_t)
+ ')
+
- ',`
- # for ifconfig which is run all the time
- kernel_dontaudit_search_sysctl(apmd_t)
-@@ -181,6 +195,12 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ devicekit_manage_pid_files(apmd_t)
-+ devicekit_manage_log_files(apmd_t)
-+ devicekit_relabel_log_files(apmd_t)
++',`
++ # for ifconfig which is run all the time
++ kernel_dontaudit_search_sysctl(apmd_t)
+')
+
-+optional_policy(`
- dbus_system_bus_client(apmd_t)
++ifdef(`distro_suse',`
++ manage_dirs_pattern(apmd_t, apmd_var_lib_t, apmd_var_lib_t)
++ manage_files_pattern(apmd_t, apmd_var_lib_t, apmd_var_lib_t)
++ files_var_lib_filetrans(apmd_t, apmd_var_lib_t, file)
++')
- optional_policy(`
-@@ -210,7 +230,11 @@ optional_policy(`
+ optional_policy(`
+ automount_domtrans(apmd_t)
+@@ -206,7 +246,11 @@ optional_policy(`
')
optional_policy(`
@@ -4828,18 +6202,18 @@ index 1c8c27e..4c09721 100644
optional_policy(`
diff --git a/apt.te b/apt.te
-index 8555315..af9bcbe 100644
+index e2d8d52..c6e62d7 100644
--- a/apt.te
+++ b/apt.te
-@@ -94,7 +94,6 @@ kernel_read_kernel_sysctls(apt_t)
+@@ -83,7 +83,6 @@ kernel_read_kernel_sysctls(apt_t)
corecmd_exec_bin(apt_t)
corecmd_exec_shell(apt_t)
-corenet_all_recvfrom_unlabeled(apt_t)
corenet_all_recvfrom_netlabel(apt_t)
corenet_tcp_sendrecv_generic_if(apt_t)
- corenet_udp_sendrecv_generic_if(apt_t)
-@@ -121,20 +120,18 @@ fs_getattr_all_fs(apt_t)
+ corenet_tcp_sendrecv_generic_node(apt_t)
+@@ -105,20 +104,18 @@ fs_getattr_all_fs(apt_t)
term_create_pty(apt_t, apt_devpts_t)
term_list_ptys(apt_t)
@@ -4860,25 +6234,25 @@ index 8555315..af9bcbe 100644
-userdom_use_user_terminals(apt_t)
+userdom_use_inherited_user_terminals(apt_t)
- # with boolean, for cron-apt and such?
- #optional_policy(`
+ optional_policy(`
+ cron_system_entry(apt_t, apt_exec_t)
diff --git a/arpwatch.fc b/arpwatch.fc
-index a86a6c7..ab50afe 100644
+index 9ca0d0f..9a1a61f 100644
--- a/arpwatch.fc
+++ b/arpwatch.fc
@@ -1,5 +1,7 @@
- /etc/rc\.d/init\.d/arpwatch -- gen_context(system_u:object_r:arpwatch_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/arpwatch -- gen_context(system_u:object_r:arpwatch_initrc_exec_t,s0)
+/usr/lib/systemd/system/arpwatch.* -- gen_context(system_u:object_r:arpwatch_unit_file_t,s0)
+
- #
- # /usr
- #
+ /usr/sbin/arpwatch -- gen_context(system_u:object_r:arpwatch_exec_t,s0)
+
+ /var/arpwatch(/.*)? gen_context(system_u:object_r:arpwatch_data_t,s0)
diff --git a/arpwatch.if b/arpwatch.if
-index c804110..06a516f 100644
+index 50c9b9c..51c8cc0 100644
--- a/arpwatch.if
+++ b/arpwatch.if
-@@ -115,6 +115,29 @@ interface(`arpwatch_dontaudit_rw_packet_sockets',`
+@@ -119,6 +119,29 @@ interface(`arpwatch_dontaudit_rw_packet_sockets',`
########################################
## <summary>
@@ -4905,17 +6279,17 @@ index c804110..06a516f 100644
+
+########################################
+## <summary>
- ## All of the rules required to administrate
- ## an arpwatch environment
+ ## All of the rules required to
+ ## administrate an arpwatch environment.
## </summary>
-@@ -135,11 +158,16 @@ interface(`arpwatch_admin',`
- type arpwatch_t, arpwatch_tmp_t;
+@@ -138,11 +161,16 @@ interface(`arpwatch_admin',`
+ gen_require(`
+ type arpwatch_t, arpwatch_tmp_t, arpwatch_initrc_exec_t;
type arpwatch_data_t, arpwatch_var_run_t;
- type arpwatch_initrc_exec_t;
+ type arpwatch_unit_file_t;
')
-- allow $1 arpwatch_t:process { ptrace signal_perms getattr };
+- allow $1 arpwatch_t:process { ptrace signal_perms };
+ allow $1 arpwatch_t:process signal_perms;
ps_process_pattern($1, arpwatch_t)
@@ -4926,7 +6300,7 @@ index c804110..06a516f 100644
arpwatch_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 arpwatch_initrc_exec_t system_r;
-@@ -153,4 +181,8 @@ interface(`arpwatch_admin',`
+@@ -156,4 +184,8 @@ interface(`arpwatch_admin',`
files_list_pids($1)
admin_pattern($1, arpwatch_var_run_t)
@@ -4936,7 +6310,7 @@ index c804110..06a516f 100644
+ allow $1 arpwatch_unit_file_t:service all_service_perms;
')
diff --git a/arpwatch.te b/arpwatch.te
-index 804135f..8d012f7 100644
+index fa18c76..ef976af 100644
--- a/arpwatch.te
+++ b/arpwatch.te
@@ -21,6 +21,9 @@ files_tmp_file(arpwatch_tmp_t)
@@ -4949,38 +6323,40 @@ index 804135f..8d012f7 100644
########################################
#
# Local policy
-@@ -34,6 +37,7 @@ allow arpwatch_t self:tcp_socket { connect create_stream_socket_perms };
- allow arpwatch_t self:udp_socket create_socket_perms;
+@@ -33,6 +36,7 @@ allow arpwatch_t self:unix_stream_socket { accept listen };
+ allow arpwatch_t self:tcp_socket { accept listen };
allow arpwatch_t self:packet_socket create_socket_perms;
allow arpwatch_t self:socket create_socket_perms;
+allow arpwatch_t self:netlink_socket create_socket_perms;
manage_dirs_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
manage_files_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
-@@ -47,12 +51,12 @@ manage_files_pattern(arpwatch_t, arpwatch_var_run_t, arpwatch_var_run_t)
+@@ -45,11 +49,23 @@ files_tmp_filetrans(arpwatch_t, arpwatch_tmp_t, { file dir })
+ manage_files_pattern(arpwatch_t, arpwatch_var_run_t, arpwatch_var_run_t)
files_pid_filetrans(arpwatch_t, arpwatch_var_run_t, file)
+-kernel_read_kernel_sysctls(arpwatch_t)
kernel_read_network_state(arpwatch_t)
+# meminfo
-+kernel_read_system_state(arpwatch_t)
- kernel_read_kernel_sysctls(arpwatch_t)
--kernel_list_proc(arpwatch_t)
- kernel_read_proc_symlinks(arpwatch_t)
+ kernel_read_system_state(arpwatch_t)
++kernel_read_kernel_sysctls(arpwatch_t)
++kernel_read_proc_symlinks(arpwatch_t)
kernel_request_load_module(arpwatch_t)
--corenet_all_recvfrom_unlabeled(arpwatch_t)
- corenet_all_recvfrom_netlabel(arpwatch_t)
- corenet_tcp_sendrecv_generic_if(arpwatch_t)
- corenet_udp_sendrecv_generic_if(arpwatch_t)
-@@ -74,7 +78,6 @@ corecmd_read_bin_symlinks(arpwatch_t)
-
- domain_use_interactive_fds(arpwatch_t)
-
--files_read_etc_files(arpwatch_t)
- files_read_usr_files(arpwatch_t)
- files_search_var_lib(arpwatch_t)
-
-@@ -82,8 +85,6 @@ auth_use_nsswitch(arpwatch_t)
++corenet_all_recvfrom_netlabel(arpwatch_t)
++corenet_tcp_sendrecv_generic_if(arpwatch_t)
++corenet_udp_sendrecv_generic_if(arpwatch_t)
++corenet_raw_sendrecv_generic_if(arpwatch_t)
++corenet_tcp_sendrecv_generic_node(arpwatch_t)
++corenet_udp_sendrecv_generic_node(arpwatch_t)
++corenet_raw_sendrecv_generic_node(arpwatch_t)
++corenet_tcp_sendrecv_all_ports(arpwatch_t)
++corenet_udp_sendrecv_all_ports(arpwatch_t)
++
+ dev_read_sysfs(arpwatch_t)
+ dev_read_usbmon_dev(arpwatch_t)
+ dev_rw_generic_usb_dev(arpwatch_t)
+@@ -66,8 +82,6 @@ auth_use_nsswitch(arpwatch_t)
logging_send_syslog_msg(arpwatch_t)
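Review bot: `corenet_tcp_sendrecv_all_ports(arpwatch_t)` and `corenet_udp_sendrecv_all_ports(arpwatch_t)` are added to arpwatch.te with no comment, and they are the widest port grants corenetwork offers. If they are needed because a sniffer on a packet socket receives labeled traffic addressed to any port, say so next to them, e.g. `# passive capture sees labeled packets to any port`, so the rules are not later narrowed to generic ports by someone tidying up the module. The inner hunk header says this run grows from 11 to 23 lines, so a reader of the patch otherwise has no way to tell these two from the generic_if/generic_node lines around them.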
@@ -4990,14 +6366,14 @@ index 804135f..8d012f7 100644
userdom_dontaudit_use_unpriv_user_fds(arpwatch_t)
diff --git a/asterisk.if b/asterisk.if
-index b6168fd..313c6e4 100644
+index 7268a04..3a5dc33 100644
--- a/asterisk.if
+++ b/asterisk.if
@@ -105,9 +105,13 @@ interface(`asterisk_admin',`
- type asterisk_initrc_exec_t;
+ type asterisk_var_lib_t, asterisk_initrc_exec_t;
')
-- allow $1 asterisk_t:process { ptrace signal_perms getattr };
+- allow $1 asterisk_t:process { ptrace signal_perms };
+ allow $1 asterisk_t:process signal_perms;
ps_process_pattern($1, asterisk_t)
@@ -5009,10 +6385,10 @@ index b6168fd..313c6e4 100644
domain_system_change_exemption($1)
role_transition $2 asterisk_initrc_exec_t system_r;
diff --git a/asterisk.te b/asterisk.te
-index 159610b..164b672 100644
+index 5439f1c..37841a1 100644
--- a/asterisk.te
+++ b/asterisk.te
-@@ -20,10 +20,11 @@ type asterisk_log_t;
+@@ -19,10 +19,11 @@ type asterisk_log_t;
logging_log_file(asterisk_log_t)
type asterisk_spool_t;
@@ -5025,33 +6401,21 @@ index 159610b..164b672 100644
type asterisk_tmpfs_t;
files_tmpfs_file(asterisk_tmpfs_t)
-@@ -40,8 +41,8 @@ files_pid_file(asterisk_var_run_t)
- #
-
- # dac_override for /var/run/asterisk
--allow asterisk_t self:capability { dac_override setgid setuid sys_nice net_admin chown };
--dontaudit asterisk_t self:capability sys_tty_config;
-+allow asterisk_t self:capability { dac_override chown setgid setuid sys_nice net_admin };
-+dontaudit asterisk_t self:capability { sys_module sys_tty_config };
- allow asterisk_t self:process { getsched setsched signal_perms getcap setcap };
- allow asterisk_t self:fifo_file rw_fifo_file_perms;
- allow asterisk_t self:sem create_sem_perms;
-@@ -77,11 +78,13 @@ fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file f
+@@ -72,11 +73,11 @@ fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file f
+
manage_files_pattern(asterisk_t, asterisk_var_lib_t, asterisk_var_lib_t)
- files_var_lib_filetrans(asterisk_t, asterisk_var_lib_t, file)
+manage_dirs_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
manage_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
manage_fifo_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
manage_sock_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
-files_pid_filetrans(asterisk_t, asterisk_var_run_t, file)
+-
+files_pid_filetrans(asterisk_t, asterisk_var_run_t, { dir file })
+ can_exec(asterisk_t, asterisk_exec_t)
-+kernel_read_network_state(asterisk_t)
- kernel_read_system_state(asterisk_t)
kernel_read_kernel_sysctls(asterisk_t)
- kernel_request_load_module(asterisk_t)
-@@ -89,7 +92,6 @@ kernel_request_load_module(asterisk_t)
+@@ -87,7 +88,6 @@ kernel_request_load_module(asterisk_t)
corecmd_exec_bin(asterisk_t)
corecmd_exec_shell(asterisk_t)
@@ -5059,34 +6423,23 @@ index 159610b..164b672 100644
corenet_all_recvfrom_netlabel(asterisk_t)
corenet_tcp_sendrecv_generic_if(asterisk_t)
corenet_udp_sendrecv_generic_if(asterisk_t)
-@@ -109,9 +111,13 @@ corenet_tcp_bind_generic_port(asterisk_t)
- corenet_udp_bind_generic_port(asterisk_t)
- corenet_dontaudit_udp_bind_all_ports(asterisk_t)
- corenet_sendrecv_generic_server_packets(asterisk_t)
-+corenet_tcp_connect_festival_port(asterisk_t)
-+corenet_tcp_connect_jabber_client_port(asterisk_t)
-+corenet_tcp_connect_pktcable_port(asterisk_t)
- corenet_tcp_connect_postgresql_port(asterisk_t)
- corenet_tcp_connect_snmp_port(asterisk_t)
+@@ -125,6 +125,7 @@ corenet_tcp_connect_pktcable_cops_port(asterisk_t)
+
+ corenet_sendrecv_sip_client_packets(asterisk_t)
corenet_tcp_connect_sip_port(asterisk_t)
+corenet_tcp_connect_jabber_client_port(asterisk_t)
dev_rw_generic_usb_dev(asterisk_t)
dev_read_sysfs(asterisk_t)
-@@ -122,11 +128,11 @@ dev_read_urand(asterisk_t)
+@@ -135,7 +136,6 @@ dev_read_urand(asterisk_t)
domain_use_interactive_fds(asterisk_t)
--files_read_etc_files(asterisk_t)
+-files_read_usr_files(asterisk_t)
files_search_spool(asterisk_t)
- # demo files installed in /usr/share/asterisk/sounds/demo-instruct.gsm
- # are labeled usr_t
- files_read_usr_files(asterisk_t)
-+files_dontaudit_search_home(asterisk_t)
+ files_dontaudit_search_home(asterisk_t)
- fs_getattr_all_fs(asterisk_t)
- fs_list_inotifyfs(asterisk_t)
-@@ -137,12 +143,14 @@ auth_use_nsswitch(asterisk_t)
+@@ -148,8 +148,6 @@ auth_use_nsswitch(asterisk_t)
logging_send_syslog_msg(asterisk_t)
@@ -5095,14 +6448,6 @@ index 159610b..164b672 100644
userdom_dontaudit_use_unpriv_user_fds(asterisk_t)
userdom_dontaudit_search_user_home_dirs(asterisk_t)
- optional_policy(`
-+ alsa_read_rw_config(asterisk_t)
-+')
-+
-+optional_policy(`
- mysql_stream_connect(asterisk_t)
- ')
-
diff --git a/authconfig.fc b/authconfig.fc
new file mode 100644
index 0000000..86bbf21
@@ -5290,20 +6635,20 @@ index 0000000..aeea7cf
+
+unconfined_domain_noaudit(authconfig_t)
diff --git a/automount.fc b/automount.fc
-index f16ab68..e4178a4 100644
+index 92adb37..0a2ffc6 100644
--- a/automount.fc
+++ b/automount.fc
-@@ -4,6 +4,8 @@
- /etc/apm/event\.d/autofs -- gen_context(system_u:object_r:automount_exec_t,s0)
+@@ -1,6 +1,8 @@
+ /etc/apm/event\.d/autofs -- gen_context(system_u:object_r:automount_exec_t,s0)
/etc/rc\.d/init\.d/autofs -- gen_context(system_u:object_r:automount_initrc_exec_t,s0)
+/usr/lib/systemd/system/autofs.* -- gen_context(system_u:object_r:automount_unit_file_t,s0)
+
- #
- # /usr
- #
+ /usr/sbin/automount -- gen_context(system_u:object_r:automount_exec_t,s0)
+
+ /var/lock/subsys/autofs -- gen_context(system_u:object_r:automount_lock_t,s0)
diff --git a/automount.if b/automount.if
-index d80a16b..ef740ef 100644
+index 089430a..7cd037b 100644
--- a/automount.if
+++ b/automount.if
@@ -29,7 +29,6 @@ interface(`automount_domtrans',`
@@ -5314,16 +6659,10 @@ index d80a16b..ef740ef 100644
interface(`automount_signal',`
gen_require(`
type automount_t;
-@@ -123,7 +122,30 @@ interface(`automount_dontaudit_getattr_tmp_dirs',`
- type automount_tmp_t;
- ')
+@@ -134,6 +133,29 @@ interface(`automount_dontaudit_getattr_tmp_dirs',`
-- dontaudit $1 automount_tmp_t:dir getattr;
-+ dontaudit $1 automount_tmp_t:dir getattr_dir_perms;
-+')
-+
-+########################################
-+## <summary>
+ ########################################
+ ## <summary>
+## Execute automount server in the automount domain.
+## </summary>
+## <param name="domain">
@@ -5343,17 +6682,21 @@ index d80a16b..ef740ef 100644
+ allow $1 automount_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, automount_t)
- ')
-
- ########################################
-@@ -147,11 +169,16 @@ interface(`automount_admin',`
++')
++
++########################################
++## <summary>
+ ## All of the rules required to
+ ## administrate an automount environment.
+ ## </summary>
+@@ -153,11 +175,16 @@ interface(`automount_admin',`
gen_require(`
type automount_t, automount_lock_t, automount_tmp_t;
type automount_var_run_t, automount_initrc_exec_t;
+ type automount_unit_file_t;
')
-- allow $1 automount_t:process { ptrace signal_perms getattr };
+- allow $1 automount_t:process { ptrace signal_perms };
+ allow $1 automount_t:process signal_perms;
ps_process_pattern($1, automount_t)
@@ -5364,7 +6707,7 @@ index d80a16b..ef740ef 100644
init_labeled_script_domtrans($1, automount_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 automount_initrc_exec_t system_r;
-@@ -165,4 +192,8 @@ interface(`automount_admin',`
+@@ -171,4 +198,8 @@ interface(`automount_admin',`
files_list_pids($1)
admin_pattern($1, automount_var_run_t)
@@ -5374,7 +6717,7 @@ index d80a16b..ef740ef 100644
+ allow $1 automount_unit_file_t:service all_service_perms;
')
diff --git a/automount.te b/automount.te
-index 39799db..6264256 100644
+index a579c3b..9fdef3d 100644
--- a/automount.te
+++ b/automount.te
@@ -22,6 +22,9 @@ type automount_tmp_t;
@@ -5387,13 +6730,14 @@ index 39799db..6264256 100644
########################################
#
# Local policy
-@@ -56,14 +59,17 @@ manage_fifo_files_pattern(automount_t, automount_var_run_t, automount_var_run_t)
+@@ -50,19 +53,20 @@ manage_fifo_files_pattern(automount_t, automount_var_run_t, automount_var_run_t)
files_pid_filetrans(automount_t, automount_var_run_t, { file fifo_file })
kernel_read_kernel_sysctls(automount_t)
+kernel_read_vm_sysctls(automount_t)
kernel_read_irq_sysctls(automount_t)
kernel_read_fs_sysctls(automount_t)
+ kernel_read_vm_sysctls(automount_t)
kernel_read_proc_symlinks(automount_t)
kernel_read_system_state(automount_t)
kernel_read_network_state(automount_t)
@@ -5401,11 +6745,6 @@ index 39799db..6264256 100644
kernel_list_proc(automount_t)
kernel_dontaudit_search_xen_state(automount_t)
-+files_read_usr_files(automount_t)
- files_search_boot(automount_t)
- # Automount is slowly adding all mount functionality internally
- files_search_all(automount_t)
-@@ -79,7 +85,6 @@ fs_search_all(automount_t)
corecmd_exec_bin(automount_t)
corecmd_exec_shell(automount_t)
@@ -5413,30 +6752,25 @@ index 39799db..6264256 100644
corenet_all_recvfrom_netlabel(automount_t)
corenet_tcp_sendrecv_generic_if(automount_t)
corenet_udp_sendrecv_generic_if(automount_t)
-@@ -113,7 +118,6 @@ files_dontaudit_write_var_dirs(automount_t)
- files_getattr_all_dirs(automount_t)
- files_list_mnt(automount_t)
- files_getattr_home_dir(automount_t)
--files_read_etc_files(automount_t)
+@@ -96,7 +100,6 @@ files_mount_all_file_type_fs(automount_t)
+ files_mounton_all_mountpoints(automount_t)
+ files_mounton_mnt(automount_t)
files_read_etc_runtime_files(automount_t)
- # for if the mount point is not labelled
- files_getattr_isid_type_dirs(automount_t)
-@@ -140,13 +144,8 @@ auth_use_nsswitch(automount_t)
+-files_read_usr_files(automount_t)
+ files_search_boot(automount_t)
+ files_search_all(automount_t)
+ files_unmount_all_file_type_fs(automount_t)
+@@ -130,15 +133,18 @@ auth_use_nsswitch(automount_t)
logging_send_syslog_msg(automount_t)
logging_search_logs(automount_t)
-miscfiles_read_localization(automount_t)
miscfiles_read_generic_certs(automount_t)
--# Run mount in the mount_t domain.
-mount_domtrans(automount_t)
-mount_signal(automount_t)
-
userdom_dontaudit_use_unpriv_user_fds(automount_t)
- userdom_dontaudit_search_user_home_dirs(automount_t)
-
-@@ -155,6 +154,13 @@ optional_policy(`
- ')
optional_policy(`
+ # Run mount in the mount_t domain.
@@ -5450,7 +6784,7 @@ index 39799db..6264256 100644
')
diff --git a/avahi.fc b/avahi.fc
-index 7e36549..010b2bc 100644
+index e9fe2ca..4c2d076 100644
--- a/avahi.fc
+++ b/avahi.fc
@@ -1,5 +1,7 @@
@@ -5458,14 +6792,14 @@ index 7e36549..010b2bc 100644
+/usr/lib/systemd/system/avahi.* -- gen_context(system_u:object_r:avahi_unit_file_t,s0)
+
- /usr/sbin/avahi-daemon -- gen_context(system_u:object_r:avahi_exec_t,s0)
- /usr/sbin/avahi-dnsconfd -- gen_context(system_u:object_r:avahi_exec_t,s0)
- /usr/sbin/avahi-autoipd -- gen_context(system_u:object_r:avahi_exec_t,s0)
+ /usr/sbin/avahi-daemon -- gen_context(system_u:object_r:avahi_exec_t,s0)
+ /usr/sbin/avahi-dnsconfd -- gen_context(system_u:object_r:avahi_exec_t,s0)
+ /usr/sbin/avahi-autoipd -- gen_context(system_u:object_r:avahi_exec_t,s0)
diff --git a/avahi.if b/avahi.if
-index 61c74bc..17b3ecc 100644
+index aebe7cb..3355ef9 100644
--- a/avahi.if
+++ b/avahi.if
-@@ -133,6 +133,29 @@ interface(`avahi_dontaudit_search_pid',`
+@@ -135,6 +135,29 @@ interface(`avahi_dontaudit_search_pid',`
########################################
## <summary>
@@ -5492,14 +6826,15 @@ index 61c74bc..17b3ecc 100644
+
+########################################
+## <summary>
- ## All of the rules required to administrate
- ## an avahi environment
+ ## All of the rules required to
+ ## administrate an avahi environment.
## </summary>
-@@ -151,11 +174,16 @@ interface(`avahi_dontaudit_search_pid',`
+@@ -153,12 +176,17 @@ interface(`avahi_dontaudit_search_pid',`
interface(`avahi_admin',`
gen_require(`
type avahi_t, avahi_var_run_t, avahi_initrc_exec_t;
+ type avahi_unit_file_t;
+ type avahi_var_lib_t;
')
- allow $1 avahi_t:process { ptrace signal_perms };
@@ -5513,17 +6848,17 @@ index 61c74bc..17b3ecc 100644
init_labeled_script_domtrans($1, avahi_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 avahi_initrc_exec_t system_r;
-@@ -163,4 +191,8 @@ interface(`avahi_admin',`
+@@ -169,4 +197,8 @@ interface(`avahi_admin',`
- files_list_pids($1)
- admin_pattern($1, avahi_var_run_t)
+ files_search_var_lib($1)
+ admin_pattern($1, avahi_var_lib_t)
+
+ avahi_systemctl($1)
+ admin_pattern($1, avahi_unit_file_t)
+ allow $1 avahi_unit_file_t:service all_service_perms;
')
diff --git a/avahi.te b/avahi.te
-index a7a0e71..34bc1be 100644
+index 60e76be..0f0891b 100644
--- a/avahi.te
+++ b/avahi.te
@@ -17,6 +17,10 @@ files_pid_file(avahi_var_lib_t)
@@ -5537,12 +6872,7 @@ index a7a0e71..34bc1be 100644
########################################
#
-@@ -46,11 +50,11 @@ files_pid_filetrans(avahi_t, avahi_var_run_t, { dir file })
- kernel_read_system_state(avahi_t)
- kernel_read_kernel_sysctls(avahi_t)
- kernel_read_network_state(avahi_t)
-+kernel_request_load_module(avahi_t)
-
+@@ -49,7 +53,6 @@ kernel_request_load_module(avahi_t)
corecmd_exec_bin(avahi_t)
corecmd_exec_shell(avahi_t)
@@ -5550,17 +6880,15 @@ index a7a0e71..34bc1be 100644
corenet_all_recvfrom_netlabel(avahi_t)
corenet_tcp_sendrecv_generic_if(avahi_t)
corenet_udp_sendrecv_generic_if(avahi_t)
-@@ -73,8 +77,8 @@ fs_search_auto_mountpoints(avahi_t)
+@@ -72,6 +75,7 @@ fs_search_auto_mountpoints(avahi_t)
fs_list_inotifyfs(avahi_t)
domain_use_interactive_fds(avahi_t)
+domain_dontaudit_signull_all_domains(avahi_t)
--files_read_etc_files(avahi_t)
files_read_etc_runtime_files(avahi_t)
files_read_usr_files(avahi_t)
-
-@@ -85,13 +89,14 @@ init_signull_script(avahi_t)
+@@ -83,13 +87,14 @@ init_signull_script(avahi_t)
logging_send_syslog_msg(avahi_t)
@@ -5576,7 +6904,7 @@ index a7a0e71..34bc1be 100644
userdom_dontaudit_use_unpriv_user_fds(avahi_t)
userdom_dontaudit_search_user_home_dirs(avahi_t)
-@@ -104,6 +109,10 @@ optional_policy(`
+@@ -106,6 +111,10 @@ optional_policy(`
')
optional_policy(`
@@ -5587,64 +6915,11 @@ index a7a0e71..34bc1be 100644
seutil_sigchld_newrole(avahi_t)
')
-diff --git a/awstats.if b/awstats.if
-index 283ff0d..53f9ba1 100644
---- a/awstats.if
-+++ b/awstats.if
-@@ -5,6 +5,25 @@
-
- ########################################
- ## <summary>
-+## Execute the awstats program in the awstats domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed to transition.
-+## </summary>
-+## </param>
-+#
-+interface(`awstats_domtrans',`
-+ gen_require(`
-+ type awstats_t, awstats_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, awstats_exec_t, awstats_t)
-+')
-+
-+########################################
-+## <summary>
- ## Read and write awstats unnamed pipes.
- ## </summary>
- ## <param name="domain">
diff --git a/awstats.te b/awstats.te
-index 6bd3ad3..9cd42eb 100644
+index d6ab824..eec2bdb 100644
--- a/awstats.te
+++ b/awstats.te
-@@ -5,6 +5,13 @@ policy_module(awstats, 1.4.0)
- # Declarations
- #
-
-+## <desc>
-+## <p>
-+## Allow awstats to purge Apache logs
-+## </p>
-+## </desc>
-+gen_tunable(awstats_purge_apache_log, false)
-+
- type awstats_t;
- type awstats_exec_t;
- domain_type(awstats_t)
-@@ -17,8 +24,6 @@ files_tmp_file(awstats_tmp_t)
- type awstats_var_lib_t;
- files_type(awstats_var_lib_t)
-
--apache_content_template(awstats)
--
- ########################################
- #
- # awstats policy
-@@ -55,11 +60,15 @@ libs_read_lib_files(awstats_t)
+@@ -61,8 +61,6 @@ libs_read_lib_files(awstats_t)
logging_read_generic_logs(awstats_t)
@@ -5652,50 +6927,36 @@ index 6bd3ad3..9cd42eb 100644
-
sysnet_dns_name_resolve(awstats_t)
--apache_read_log(awstats_t)
-+tunable_policy(`awstats_purge_apache_log',`
-+ apache_write_log(awstats_t)
-+')
-+
-+optional_policy(`
-+ apache_read_log(awstats_t)
-+')
-
- optional_policy(`
- cron_system_entry(awstats_t, awstats_exec_t)
-@@ -79,7 +88,16 @@ optional_policy(`
- # awstats cgi script policy
+ tunable_policy(`awstats_purge_apache_log_files',`
+@@ -90,9 +88,13 @@ optional_policy(`
+ # CGI local policy
#
--allow httpd_awstats_script_t awstats_var_lib_t:dir list_dir_perms;
-+optional_policy(`
-+ apache_content_template(awstats)
-+ apache_read_log(httpd_awstats_script_t)
++apache_read_log(httpd_awstats_script_t)
+
-+ manage_dirs_pattern(httpd_awstats_script_t, awstats_tmp_t, awstats_tmp_t)
-+ manage_files_pattern(httpd_awstats_script_t, awstats_tmp_t, awstats_tmp_t)
-+ files_tmp_filetrans(httpd_awstats_script_t, awstats_tmp_t, { dir file })
-
--read_files_pattern(httpd_awstats_script_t, awstats_var_lib_t, awstats_var_lib_t)
--files_search_var_lib(httpd_awstats_script_t)
-+ allow httpd_awstats_script_t awstats_var_lib_t:dir list_dir_perms;
++manage_dirs_pattern(httpd_awstats_script_t, awstats_tmp_t, awstats_tmp_t)
++manage_files_pattern(httpd_awstats_script_t, awstats_tmp_t, awstats_tmp_t)
++files_tmp_filetrans(httpd_awstats_script_t, awstats_tmp_t, { dir file })
+
-+ read_files_pattern(httpd_awstats_script_t, awstats_var_lib_t, awstats_var_lib_t)
-+ files_search_var_lib(httpd_awstats_script_t)
-+')
+ allow httpd_awstats_script_t awstats_var_lib_t:dir list_dir_perms;
+
+ read_files_pattern(httpd_awstats_script_t, awstats_var_lib_t, awstats_var_lib_t)
+ files_search_var_lib(httpd_awstats_script_t)
+-
+-apache_read_log(httpd_awstats_script_t)
diff --git a/backup.te b/backup.te
-index 0bfc958..81fc8bd 100644
+index d6ceef4..c10d39c 100644
--- a/backup.te
+++ b/backup.te
-@@ -36,7 +36,6 @@ kernel_read_kernel_sysctls(backup_t)
+@@ -38,7 +38,6 @@ kernel_read_kernel_sysctls(backup_t)
corecmd_exec_bin(backup_t)
corecmd_exec_shell(backup_t)
-corenet_all_recvfrom_unlabeled(backup_t)
corenet_all_recvfrom_netlabel(backup_t)
corenet_tcp_sendrecv_generic_if(backup_t)
- corenet_udp_sendrecv_generic_if(backup_t)
-@@ -70,7 +69,7 @@ logging_send_syslog_msg(backup_t)
+ corenet_tcp_sendrecv_generic_node(backup_t)
+@@ -67,7 +66,7 @@ logging_send_syslog_msg(backup_t)
sysnet_read_config(backup_t)
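Review bot: In the awstats.te "CGI local policy" section, `httpd_awstats_script_t` now gets full manage rights on `awstats_tmp_t` plus `files_tmp_filetrans` into it at top level, with no comment; awstats_tmp_t is presumably the same tmp type the cron-driven awstats domain uses, so the web-facing script domain and the cron domain share writable temp content. A short comment stating what the CGI writes there and why read access is not enough would document the trust boundary being crossed. The section's enclosing module continues outside this hunk.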
@@ -5705,10 +6966,10 @@ index 0bfc958..81fc8bd 100644
optional_policy(`
cron_system_entry(backup_t, backup_exec_t)
diff --git a/bacula.te b/bacula.te
-index fc4ba2a..813e5c1 100644
+index 3beba2f..67e074e 100644
--- a/bacula.te
+++ b/bacula.te
-@@ -111,7 +111,6 @@ domain_use_interactive_fds(bacula_admin_t)
+@@ -150,7 +150,6 @@ domain_use_interactive_fds(bacula_admin_t)
files_read_etc_files(bacula_admin_t)
@@ -5717,22 +6978,22 @@ index fc4ba2a..813e5c1 100644
sysnet_dns_name_resolve(bacula_admin_t)
diff --git a/bcfg2.fc b/bcfg2.fc
-index f5413da..9e06a9d 100644
+index fb42e35..8af0e14 100644
--- a/bcfg2.fc
+++ b/bcfg2.fc
@@ -1,5 +1,7 @@
- /etc/rc\.d/init\.d/bcfg2 -- gen_context(system_u:object_r:bcfg2_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/bcfg2-server -- gen_context(system_u:object_r:bcfg2_initrc_exec_t,s0)
+/usr/lib/systemd/system/bcfg2-server.* -- gen_context(system_u:object_r:bcfg2_unit_file_t,s0)
+
- /usr/sbin/bcfg2-server -- gen_context(system_u:object_r:bcfg2_exec_t,s0)
+ /usr/sbin/bcfg2-server -- gen_context(system_u:object_r:bcfg2_exec_t,s0)
- /var/lib/bcfg2(/.*)? gen_context(system_u:object_r:bcfg2_var_lib_t,s0)
+ /var/lib/bcfg2(/.*)? gen_context(system_u:object_r:bcfg2_var_lib_t,s0)
diff --git a/bcfg2.if b/bcfg2.if
-index b289d93..070f22b 100644
+index ec95d36..7132e1e 100644
--- a/bcfg2.if
+++ b/bcfg2.if
-@@ -115,6 +115,31 @@ interface(`bcfg2_manage_lib_dirs',`
+@@ -117,6 +117,31 @@ interface(`bcfg2_manage_lib_dirs',`
########################################
## <summary>
@@ -5761,18 +7022,28 @@ index b289d93..070f22b 100644
+
+########################################
+## <summary>
- ## All of the rules required to administrate
- ## an bcfg2 environment
+ ## All of the rules required to
+ ## administrate an bcfg2 environment.
## </summary>
-@@ -135,6 +160,7 @@ interface(`bcfg2_admin',`
- type bcfg2_t;
- type bcfg2_initrc_exec_t;
- type bcfg2_var_lib_t;
-+ type bcfg2_unit_file_t;
+@@ -136,11 +161,16 @@ interface(`bcfg2_admin',`
+ gen_require(`
+ type bcfg2_t, bcfg2_initrc_exec_t, bcfg2_var_lib_t;
+ type bcfg2_var_run_t;
++ type bcfg2_unit_file_t;
')
- allow $1 bcfg2_t:process { ptrace signal_perms };
-@@ -147,4 +173,13 @@ interface(`bcfg2_admin',`
+- allow $1 bcfg2_t:process { ptrace signal_perms };
++ allow $1 bcfg2_t:process { signal_perms };
+ ps_process_pattern($1, bcfg2_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 bcfg2_t:process ptrace;
++ ')
++
+ bcfg2_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 bcfg2_initrc_exec_t system_r;
+@@ -151,4 +181,13 @@ interface(`bcfg2_admin',`
files_search_var_lib($1)
admin_pattern($1, bcfg2_var_lib_t)
@@ -5787,7 +7058,7 @@ index b289d93..070f22b 100644
+ ')
')
diff --git a/bcfg2.te b/bcfg2.te
-index cf8e59f..ad57d4a 100644
+index 536ec3c..2d04d51 100644
--- a/bcfg2.te
+++ b/bcfg2.te
@@ -15,6 +15,9 @@ init_script_file(bcfg2_initrc_exec_t)
@@ -5800,29 +7071,37 @@ index cf8e59f..ad57d4a 100644
type bcfg2_var_run_t;
files_pid_file(bcfg2_var_run_t)
-@@ -36,6 +39,8 @@ files_pid_filetrans(bcfg2_t, bcfg2_var_run_t, file )
-
- kernel_read_system_state(bcfg2_t)
-
-+corenet_tcp_bind_cyphesis_port(bcfg2_t)
-+
- corecmd_exec_bin(bcfg2_t)
-
- dev_read_urand(bcfg2_t)
-@@ -47,5 +52,3 @@ files_read_usr_files(bcfg2_t)
+@@ -57,5 +60,3 @@ files_read_usr_files(bcfg2_t)
auth_use_nsswitch(bcfg2_t)
logging_send_syslog_msg(bcfg2_t)
-
-miscfiles_read_localization(bcfg2_t)
diff --git a/bind.fc b/bind.fc
-index 59aa54f..b01072c 100644
+index 2b9a3a1..005bb7e 100644
--- a/bind.fc
+++ b/bind.fc
-@@ -4,6 +4,11 @@
- /etc/rndc.* -- gen_context(system_u:object_r:named_conf_t,s0)
- /etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
- /etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
+@@ -1,54 +1,69 @@
+-/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
+-/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
+
+-/etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
+-/etc/bind/named\.conf.* -- gen_context(system_u:object_r:named_conf_t,s0)
+-/etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+-/etc/dnssec-trigger/dnssec_trigger_server\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+-/etc/named\.rfc1912\.zones -- gen_context(system_u:object_r:named_conf_t,s0)
+-/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0)
+-/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+-/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+-/etc/rndc.* -- gen_context(system_u:object_r:named_conf_t,s0)
+-/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+-/etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
+-/etc/unbound/.*\.key -- gen_context(system_u:object_r:dnssec_t,s0)
++/etc/rndc.* -- gen_context(system_u:object_r:named_conf_t,s0)
++/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
++/etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
+/etc/unbound/.*\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+/etc/dnssec-trigger/dnssec_trigger_server\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+
@@ -5830,9 +7109,92 @@ index 59aa54f..b01072c 100644
+/usr/lib/systemd/system/named.* -- gen_context(system_u:object_r:named_unit_file_t,s0)
/usr/sbin/lwresd -- gen_context(system_u:object_r:named_exec_t,s0)
- /usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0)
+-/usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0)
+-/usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0)
+-/usr/sbin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0)
++/usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0)
++/usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0)
++/usr/sbin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0)
+ /usr/sbin/unbound -- gen_context(system_u:object_r:named_exec_t,s0)
+
+-/var/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+-/var/bind/pri(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
++/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0)
+
+-/var/cache/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
++/var/run/ndc -s gen_context(system_u:object_r:named_var_run_t,s0)
++/var/run/bind(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
++/var/run/named(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
++/var/run/unbound(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
+
+-/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0)
++ifdef(`distro_debian',`
++/etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
++/etc/bind/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
++/etc/bind/named\.conf\.local -- gen_context(system_u:object_r:named_conf_t,s0)
++/etc/bind/named\.conf\.options -- gen_context(system_u:object_r:named_conf_t,s0)
++/etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
++/var/cache/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
++')
++
++ifdef(`distro_gentoo',`
++/etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
++/etc/bind/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
++/etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
++/var/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
++/var/bind/pri(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
++')
+
+-/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
+-/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+-/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
++ifdef(`distro_redhat',`
++/etc/named\.rfc1912.zones -- gen_context(system_u:object_r:named_conf_t,s0)
++/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0)
++/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
++/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
++/var/lib/unbound(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
++/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
++/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
++/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+ /var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0)
+-/var/named/chroot(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
+-/var/named/chroot/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+-/var/named/chroot/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+-/var/named/chroot/etc/named\.rfc1912\.zones -- gen_context(system_u:object_r:named_conf_t,s0)
+-/var/named/chroot/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0)
+-/var/named/chroot/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
++/var/named/chroot(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
++/var/named/chroot/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
++/var/named/chroot/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
++/var/named/chroot/etc/named\.rfc1912.zones -- gen_context(system_u:object_r:named_conf_t,s0)
++/var/named/chroot/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0)
++/var/named/chroot/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+ /var/named/chroot/proc(/.*)? <<none>>
+-/var/named/chroot/var/run/named.* gen_context(system_u:object_r:named_var_run_t,s0)
+-/var/named/chroot/var/tmp(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+-/var/named/chroot/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
+-/var/named/chroot/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+-/var/named/chroot/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
++/var/named/chroot/var/run/named.* gen_context(system_u:object_r:named_var_run_t,s0)
++/var/named/chroot/var/tmp(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
++/var/named/chroot/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
++/var/named/chroot/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
++/var/named/chroot/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+ /var/named/chroot/var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+-/var/named/chroot/var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0)
++/var/named/chroot/var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0)
+ /var/named/chroot/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0)
+-/var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+-
+-/var/run/ndc -s gen_context(system_u:object_r:named_var_run_t,s0)
+-/var/run/bind(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
+-/var/run/named(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
+-/var/run/unbound(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
++/var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
++')
diff --git a/bind.if b/bind.if
-index 44a1e3d..bc50fd6 100644
+index 866a1e2..6c2dbe4 100644
--- a/bind.if
+++ b/bind.if
@@ -20,6 +20,29 @@ interface(`bind_initrc_domtrans',`
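Review bot: The two new Red Hat entries for the rfc1912 zones file, `/etc/named\.rfc1912.zones` and `/var/named/chroot/etc/named\.rfc1912.zones`, leave the second dot unescaped, so the file-context regex matches any character in that position; the text this replaces escaped it as `named\.rfc1912\.zones`, and the neighbouring entries in the same block (`named\.root\.hints`, `named\.caching-nameserver\.conf`) are fully escaped. Change both lines to `/etc/named\.rfc1912\.zones -- gen_context(system_u:object_r:named_conf_t,s0)` and `/var/named/chroot/etc/named\.rfc1912\.zones -- gen_context(system_u:object_r:named_conf_t,s0)`. The practical exposure is small, but file-context patterns are the only thing deciding which files become `named_conf_t`, so they should stay exact.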
@@ -5865,7 +7227,7 @@ index 44a1e3d..bc50fd6 100644
## Execute ndc in the ndc domain.
## </summary>
## <param name="domain">
-@@ -167,6 +190,7 @@ interface(`bind_read_config',`
+@@ -169,6 +192,7 @@ interface(`bind_read_config',`
type named_conf_t;
')
@@ -5873,16 +7235,7 @@ index 44a1e3d..bc50fd6 100644
read_files_pattern($1, named_conf_t, named_conf_t)
')
-@@ -186,7 +210,7 @@ interface(`bind_write_config',`
- ')
-
- write_files_pattern($1, named_conf_t, named_conf_t)
-- allow $1 named_conf_t:file setattr;
-+ allow $1 named_conf_t:file setattr_file_perms;
- ')
-
- ########################################
-@@ -210,6 +234,25 @@ interface(`bind_manage_config_dirs',`
+@@ -212,6 +236,25 @@ interface(`bind_manage_config_dirs',`
########################################
## <summary>
@@ -5905,28 +7258,10 @@ index 44a1e3d..bc50fd6 100644
+
+########################################
+## <summary>
- ## Search the BIND cache directory.
+ ## Search bind cache directories.
## </summary>
## <param name="domain">
-@@ -266,7 +309,7 @@ interface(`bind_setattr_pid_dirs',`
- type named_var_run_t;
- ')
-
-- allow $1 named_var_run_t:dir setattr;
-+ allow $1 named_var_run_t:dir setattr_dir_perms;
- ')
-
- ########################################
-@@ -284,7 +327,7 @@ interface(`bind_setattr_zone_dirs',`
- type named_zone_t;
- ')
-
-- allow $1 named_zone_t:dir setattr;
-+ allow $1 named_zone_t:dir setattr_dir_perms;
- ')
-
- ########################################
-@@ -308,6 +351,27 @@ interface(`bind_read_zone',`
+@@ -310,6 +353,27 @@ interface(`bind_read_zone',`
########################################
## <summary>
@@ -5951,93 +7286,65 @@ index 44a1e3d..bc50fd6 100644
+
+########################################
+## <summary>
- ## Manage BIND zone files.
+ ## Create, read, write, and delete
+ ## bind zone files.
## </summary>
- ## <param name="domain">
-@@ -359,18 +423,26 @@ interface(`bind_udp_chat_named',`
+@@ -362,12 +426,20 @@ interface(`bind_udp_chat_named',`
interface(`bind_admin',`
gen_require(`
type named_t, named_tmp_t, named_log_t;
-- type named_conf_t, named_var_lib_t, named_var_run_t;
-- type named_cache_t, named_zone_t;
-- type dnssec_t, ndc_t;
-- type named_initrc_exec_t;
+- type named_cache_t, named_zone_t, named_initrc_exec_t;
+- type dnssec_t, ndc_t, named_conf_t, named_var_run_t;
+ type named_conf_t, named_var_run_t, named_cache_t;
+ type named_zone_t, named_initrc_exec_t;
+ type dnssec_t, ndc_t, named_keytab_t;
+ type named_unit_file_t;
')
-- allow $1 named_t:process { ptrace signal_perms };
+- allow $1 { named_t ndc_t }:process { ptrace signal_perms };
+- ps_process_pattern($1, { named_t ndc_t })
+ allow $1 named_t:process signal_perms;
- ps_process_pattern($1, named_t)
-
-- allow $1 ndc_t:process { ptrace signal_perms };
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 named_t:process ptrace;
-+ ')
++ ps_process_pattern($1, named_t)
+
-+ allow $1 ndc_t:process signal_perms;
- ps_process_pattern($1, ndc_t)
-
+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 ndc_t:process ptrace;
++ allow $1 named_t:process ptrace;
+ ')
+
- bind_run_ndc($1, $2)
++ bind_run_ndc($1, $2)
init_labeled_script_domtrans($1, named_initrc_exec_t)
-@@ -391,9 +463,12 @@ interface(`bind_admin',`
- admin_pattern($1, named_zone_t)
- admin_pattern($1, dnssec_t)
+ domain_system_change_exemption($1)
+@@ -383,11 +455,15 @@ interface(`bind_admin',`
+ files_list_etc($1)
+ admin_pattern($1, named_conf_t)
-- files_list_var_lib($1)
-- admin_pattern($1, named_var_lib_t)
+ admin_pattern($1, named_keytab_t)
++
+ files_list_var($1)
+ admin_pattern($1, { dnssec_t named_cache_t named_zone_t })
files_list_pids($1)
admin_pattern($1, named_var_run_t)
-+
+
+- bind_run_ndc($1, $2)
+ admin_pattern($1, named_unit_file_t)
+ bind_systemctl($1)
+ allow $1 named_unit_file_t:service all_service_perms;
')
diff --git a/bind.te b/bind.te
-index 0968cb4..70bebb1 100644
+index 076ffee..6a12335 100644
--- a/bind.te
+++ b/bind.te
-@@ -6,6 +6,13 @@ policy_module(bind, 1.11.0)
- #
+@@ -34,7 +34,7 @@ type named_checkconf_exec_t;
+ init_system_domain(named_t, named_checkconf_exec_t)
- ## <desc>
-+## <p>
-+## Allow BIND to bind apache port.
-+## </p>
-+## </desc>
-+gen_tunable(named_bind_http_port, false)
-+
-+## <desc>
- ## <p>
- ## Allow BIND to write the master zone files.
- ## Generally this is used for dynamic DNS or zone transfers.
-@@ -16,6 +23,7 @@ gen_tunable(named_write_master_zones, false)
- # for DNSSEC key files
- type dnssec_t;
- files_security_file(dnssec_t)
-+files_mountpoint(dnssec_t)
-
- type named_t;
- type named_exec_t;
-@@ -27,7 +35,7 @@ init_system_domain(named_t, named_checkconf_exec_t)
-
- # A type for configuration files of named.
type named_conf_t;
-files_type(named_conf_t)
+files_config_file(named_conf_t)
files_mountpoint(named_conf_t)
# for secondary zone files
-@@ -37,6 +45,9 @@ files_type(named_cache_t)
+@@ -44,6 +44,9 @@ files_type(named_cache_t)
type named_initrc_exec_t;
init_script_file(named_initrc_exec_t)
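Review bot: The rebuilt `bind_admin` keeps `ndc_t` in its `gen_require` but no longer grants the administrator anything on it: the upstream lines `allow $1 { named_t ndc_t }:process { ptrace signal_perms }` and `ps_process_pattern($1, { named_t ndc_t })` are replaced by versions naming only `named_t`, so a role given this interface can start rndc through `bind_run_ndc` but cannot list or signal a hung `ndc_t` process. Unless that narrowing is intended, add `allow $1 ndc_t:process signal_perms;` and `ps_process_pattern($1, ndc_t)` beside the `named_t` lines, with the ptrace grant inside the same `deny_ptrace` tunable block; if it is intended, drop `ndc_t` from the require list so the unused declaration does not suggest otherwise. The `allow $1 named_unit_file_t:service all_service_perms;` at the end of the interface is the full service control set, which is appropriate for an admin interface but worth a one-line comment since `bind_systemctl($1)` just above already grants the manage subset.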
@@ -6047,19 +7354,7 @@ index 0968cb4..70bebb1 100644
type named_log_t;
logging_log_file(named_log_t)
-@@ -89,9 +100,10 @@ manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t)
- manage_files_pattern(named_t, named_tmp_t, named_tmp_t)
- files_tmp_filetrans(named_t, named_tmp_t, { file dir })
-
-+manage_dirs_pattern(named_t, named_var_run_t, named_var_run_t)
- manage_files_pattern(named_t, named_var_run_t, named_var_run_t)
- manage_sock_files_pattern(named_t, named_var_run_t, named_var_run_t)
--files_pid_filetrans(named_t, named_var_run_t, { file sock_file })
-+files_pid_filetrans(named_t, named_var_run_t, { file sock_file dir })
-
- # read zone files
- allow named_t named_zone_t:dir list_dir_perms;
-@@ -104,7 +116,6 @@ kernel_read_network_state(named_t)
+@@ -110,7 +113,6 @@ kernel_read_network_state(named_t)
corecmd_search_bin(named_t)
@@ -6067,32 +7362,7 @@ index 0968cb4..70bebb1 100644
corenet_all_recvfrom_netlabel(named_t)
corenet_tcp_sendrecv_generic_if(named_t)
corenet_udp_sendrecv_generic_if(named_t)
-@@ -131,7 +142,6 @@ dev_read_urand(named_t)
-
- domain_use_interactive_fds(named_t)
-
--files_read_etc_files(named_t)
- files_read_etc_runtime_files(named_t)
-
- fs_getattr_all_fs(named_t)
-@@ -141,12 +151,15 @@ auth_use_nsswitch(named_t)
-
- logging_send_syslog_msg(named_t)
-
--miscfiles_read_localization(named_t)
- miscfiles_read_generic_certs(named_t)
-
- userdom_dontaudit_use_unpriv_user_fds(named_t)
- userdom_dontaudit_search_user_home_dirs(named_t)
-
-+tunable_policy(`named_bind_http_port',`
-+ corenet_tcp_bind_http_port(named_t)
-+')
-+
- tunable_policy(`named_write_master_zones',`
- manage_dirs_pattern(named_t, named_zone_t, named_zone_t)
- manage_files_pattern(named_t, named_zone_t, named_zone_t)
-@@ -154,6 +167,12 @@ tunable_policy(`named_write_master_zones',`
+@@ -170,6 +172,12 @@ tunable_policy(`named_write_master_zones',`
')
optional_policy(`
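Review bot: The new side of this hunk no longer carries the `tunable_policy(\`named_bind_http_port',\` ... corenet_tcp_bind_http_port(named_t) ')` block, and the matching `gen_tunable(named_bind_http_port, false)` declaration is dropped from the declarations hunk above; nothing on the new side re-adds either half. If upstream 3.12.1 now ships this boolean the removal is just deduplication, but if it does not, a boolean that administrators may have enabled disappears from `semanage boolean -l` without notice and named loses its only path to the http port type. Please confirm against the merged bind.te and, if the boolean is gone upstream, restore both halves with a comment stating why BIND needs `http_port_t`.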
@@ -6102,10 +7372,10 @@ index 0968cb4..70bebb1 100644
+')
+
+optional_policy(`
- init_dbus_chat_script(named_t)
+ dbus_system_domain(named_t, named_exec_t)
- sysnet_dbus_chat_dhcpc(named_t)
-@@ -168,6 +187,7 @@ optional_policy(`
+ init_dbus_chat_script(named_t)
+@@ -183,6 +191,7 @@ optional_policy(`
optional_policy(`
kerberos_keytab_template(named, named_t)
@@ -6113,87 +7383,43 @@ index 0968cb4..70bebb1 100644
')
optional_policy(`
-@@ -199,6 +219,7 @@ optional_policy(`
+@@ -209,7 +218,8 @@ optional_policy(`
+ #
- # cjp: why net_admin?!
allow ndc_t self:capability { dac_override net_admin };
+-allow ndc_t self:process signal_perms;
+allow ndc_t self:capability2 block_suspend;
- allow ndc_t self:process { fork signal_perms };
++allow ndc_t self:process { fork signal_perms };
allow ndc_t self:fifo_file rw_fifo_file_perms;
- allow ndc_t self:unix_stream_socket { connect create_stream_socket_perms };
-@@ -211,13 +232,13 @@ allow ndc_t dnssec_t:lnk_file { getattr read };
- stream_connect_pattern(ndc_t, named_var_run_t, named_var_run_t, named_t)
+ allow ndc_t self:unix_stream_socket { accept listen };
- allow ndc_t named_conf_t:file read_file_perms;
--allow ndc_t named_conf_t:lnk_file { getattr read };
-+allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
+@@ -223,10 +233,10 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
allow ndc_t named_zone_t:dir search_dir_perms;
+kernel_read_system_state(ndc_t)
kernel_read_kernel_sysctls(ndc_t)
+ kernel_read_system_state(ndc_t)
-corenet_all_recvfrom_unlabeled(ndc_t)
corenet_all_recvfrom_netlabel(ndc_t)
corenet_tcp_sendrecv_generic_if(ndc_t)
corenet_tcp_sendrecv_generic_node(ndc_t)
-@@ -228,28 +249,26 @@ corenet_sendrecv_rndc_client_packets(ndc_t)
-
- domain_use_interactive_fds(ndc_t)
-
--files_read_etc_files(ndc_t)
- files_search_pids(ndc_t)
-
- fs_getattr_xattr_fs(ndc_t)
-
-+auth_use_nsswitch(ndc_t)
-+
- init_use_fds(ndc_t)
- init_use_script_ptys(ndc_t)
+@@ -251,7 +261,7 @@ init_use_script_ptys(ndc_t)
logging_send_syslog_msg(ndc_t)
-miscfiles_read_localization(ndc_t)
+userdom_use_inherited_user_terminals(ndc_t)
- sysnet_read_config(ndc_t)
--sysnet_dns_name_resolve(ndc_t)
--
--userdom_use_user_terminals(ndc_t)
+ userdom_use_user_terminals(ndc_t)
- term_dontaudit_use_console(ndc_t)
-
- # for /etc/rndc.key
- ifdef(`distro_redhat',`
-- allow ndc_t named_conf_t:dir search;
-+ allow ndc_t named_conf_t:dir search_dir_perms;
- ')
-
- optional_policy(`
-diff --git a/bitlbee.fc b/bitlbee.fc
-index 0197980..909ce04 100644
---- a/bitlbee.fc
-+++ b/bitlbee.fc
-@@ -1,6 +1,13 @@
- /etc/rc\.d/init\.d/bitlbee -- gen_context(system_u:object_r:bitlbee_initrc_exec_t,s0)
- /etc/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_conf_t,s0)
-
-+/usr/bin/bip -- gen_context(system_u:object_r:bitlbee_exec_t,s0)
- /usr/sbin/bitlbee -- gen_context(system_u:object_r:bitlbee_exec_t,s0)
-
- /var/lib/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_var_t,s0)
-+
-+/var/log/bip(/.*)? gen_context(system_u:object_r:bitlbee_log_t,s0)
-+
-+/var/run/bitlbee\.pid -- gen_context(system_u:object_r:bitlbee_var_run_t,s0)
-+/var/run/bitlbee\.sock -s gen_context(system_u:object_r:bitlbee_var_run_t,s0)
-+/var/run/bip(/.*)? gen_context(system_u:object_r:bitlbee_var_run_t,s0)
diff --git a/bitlbee.if b/bitlbee.if
-index de0bd67..1df2048 100644
+index e73fb79..2badfc0 100644
--- a/bitlbee.if
+++ b/bitlbee.if
-@@ -43,9 +43,13 @@ interface(`bitlbee_admin',`
- type bitlbee_initrc_exec_t;
+@@ -44,9 +44,13 @@ interface(`bitlbee_admin',`
+ type bitlbee_log_t, bitlbee_tmp_t;
')
- allow $1 bitlbee_t:process { ptrace signal_perms };
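Review bot: The inner hunk `@@ -223,10 +233,10 @@` still adds `kernel_read_system_state(ndc_t)` after `allow ndc_t named_zone_t:dir search_dir_perms;`, while the new upstream context two lines further down already contains `kernel_read_system_state(ndc_t)`, so the merged bind.te carries the rule twice; drop the patch's copy now that upstream has it, as was done for the dnsmasq lines in blueman.te. Two other grants here would benefit from a why-comment in the spirit of the `# cjp: why net_admin?!` line that upstream just removed: `allow ndc_t self:capability2 block_suspend;` is unusual for a short-lived rndc client and should cite the AVC or bug behind it, and the re-added `fork` in `allow ndc_t self:process { fork signal_perms };` is redundant if the base domain policy already grants `fork` to every domain, which is worth checking before re-introducing it. The `ndc_t` rule block continues beyond this hunk.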
@@ -6208,46 +7434,25 @@ index de0bd67..1df2048 100644
domain_system_change_exemption($1)
role_transition $2 bitlbee_initrc_exec_t system_r;
diff --git a/bitlbee.te b/bitlbee.te
-index f4e7ad3..8e85e9d 100644
+index ac8c91e..5ca06bb 100644
--- a/bitlbee.te
+++ b/bitlbee.te
-@@ -22,36 +22,57 @@ files_tmp_file(bitlbee_tmp_t)
- type bitlbee_var_t;
- files_type(bitlbee_var_t)
+@@ -35,9 +35,12 @@ files_pid_file(bitlbee_var_run_t)
-+type bitlbee_log_t;
-+logging_log_file(bitlbee_log_t)
-+
-+type bitlbee_var_run_t;
-+files_pid_file(bitlbee_var_run_t)
+ allow bitlbee_t self:capability { dac_override kill setgid setuid sys_nice };
+ allow bitlbee_t self:process { setsched signal };
+
- ########################################
- #
- # Local policy
- #
-
--allow bitlbee_t self:capability { setgid setuid };
--allow bitlbee_t self:process signal;
-+allow bitlbee_t self:capability { dac_override kill setgid setuid sys_nice };
-+allow bitlbee_t self:process { setsched signal };
-+
-+allow bitlbee_t self:fifo_file rw_fifo_file_perms;
- allow bitlbee_t self:udp_socket create_socket_perms;
- allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms };
- allow bitlbee_t self:unix_stream_socket create_stream_socket_perms;
--allow bitlbee_t self:fifo_file rw_fifo_file_perms;
+ allow bitlbee_t self:fifo_file rw_fifo_file_perms;
+-allow bitlbee_t self:tcp_socket { accept listen };
+-allow bitlbee_t self:unix_stream_socket { accept listen };
++allow bitlbee_t self:udp_socket create_socket_perms;
++allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms };
++allow bitlbee_t self:unix_stream_socket create_stream_socket_perms;
+allow bitlbee_t self:netlink_route_socket r_netlink_socket_perms;
- bitlbee_read_config(bitlbee_t)
-
- # tmp files
- manage_files_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t)
--files_tmp_filetrans(bitlbee_t, bitlbee_tmp_t, file)
-+manage_dirs_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t)
-+files_tmp_filetrans(bitlbee_t, bitlbee_tmp_t, { dir file })
-
- # user account information is read and edited at runtime; give the usual
- # r/w access to bitlbee_var_t
+ allow bitlbee_t bitlbee_conf_t:dir list_dir_perms;
+ allow bitlbee_t bitlbee_conf_t:file read_file_perms;
+@@ -54,13 +57,17 @@ files_tmp_filetrans(bitlbee_t, bitlbee_tmp_t, { dir file })
manage_files_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t)
files_var_lib_filetrans(bitlbee_t, bitlbee_var_t, file)
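Review bot: `allow bitlbee_t self:capability { dac_override kill setgid setuid sys_nice };` is kept in this hunk with no indication of what needs `dac_override` and `kill`; `dac_override` lets the daemon bypass ownership and mode checks on every type it is otherwise allowed to reach, which removes part of the benefit of confining it, and `kill` is only required to signal processes of other UIDs. If the motivating denial was bitlbee writing its own state under the `bitlbee_var_t` paths managed just below, correcting the directory ownership in the package removes the need for the capability entirely. Either trim the set to what a recorded denial requires or annotate it, e.g. `# dac_override/kill: <bug or AVC reference>`, so the next merge does not carry it forward blindly. The local-policy block continues past the hunk.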
@@ -6255,27 +7460,19 @@ index f4e7ad3..8e85e9d 100644
+manage_dirs_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
+manage_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
+
-+manage_dirs_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
-+manage_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
-+manage_sock_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
-+files_pid_filetrans(bitlbee_t, bitlbee_var_run_t, { dir file sock_file })
-+
+ manage_dirs_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
+ manage_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
+ manage_sock_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
+ files_pid_filetrans(bitlbee_t, bitlbee_var_run_t, { dir file sock_file })
+
+-kernel_read_kernel_sysctls(bitlbee_t)
kernel_read_system_state(bitlbee_t)
+kernel_read_kernel_sysctls(bitlbee_t)
--corenet_all_recvfrom_unlabeled(bitlbee_t)
- corenet_udp_sendrecv_generic_if(bitlbee_t)
- corenet_udp_sendrecv_generic_node(bitlbee_t)
- corenet_tcp_sendrecv_generic_if(bitlbee_t)
- corenet_tcp_sendrecv_generic_node(bitlbee_t)
-+corenet_tcp_bind_generic_node(bitlbee_t)
-+corenet_tcp_connect_gatekeeper_port(bitlbee_t)
-+corenet_tcp_connect_ircd_port(bitlbee_t)
- # Allow bitlbee to connect to jabber servers
- corenet_tcp_connect_jabber_client_port(bitlbee_t)
- corenet_tcp_sendrecv_jabber_client_port(bitlbee_t)
-@@ -69,11 +90,15 @@ corenet_tcp_connect_http_port(bitlbee_t)
- corenet_tcp_sendrecv_http_port(bitlbee_t)
+ corenet_all_recvfrom_unlabeled(bitlbee_t)
+ corenet_all_recvfrom_netlabel(bitlbee_t)
+@@ -95,6 +102,11 @@ corenet_tcp_sendrecv_http_port(bitlbee_t)
+ corenet_sendrecv_http_cache_client_packets(bitlbee_t)
corenet_tcp_connect_http_cache_port(bitlbee_t)
corenet_tcp_sendrecv_http_cache_port(bitlbee_t)
+corenet_tcp_bind_ircd_port(bitlbee_t)
@@ -6284,77 +7481,60 @@ index f4e7ad3..8e85e9d 100644
+corenet_tcp_bind_interwise_port(bitlbee_t)
+corenet_tcp_sendrecv_interwise_port(bitlbee_t)
+ corenet_sendrecv_ircd_server_packets(bitlbee_t)
+ corenet_tcp_bind_ircd_port(bitlbee_t)
+@@ -109,16 +121,12 @@ corenet_tcp_sendrecv_interwise_port(bitlbee_t)
dev_read_rand(bitlbee_t)
dev_read_urand(bitlbee_t)
--files_read_etc_files(bitlbee_t)
- files_search_pids(bitlbee_t)
- # grant read-only access to the user help files
- files_read_usr_files(bitlbee_t)
-@@ -84,10 +109,6 @@ auth_use_nsswitch(bitlbee_t)
+-files_read_usr_files(bitlbee_t)
+-
+ libs_legacy_use_shared_libs(bitlbee_t)
+
+ auth_use_nsswitch(bitlbee_t)
logging_send_syslog_msg(bitlbee_t)
-miscfiles_read_localization(bitlbee_t)
-
--sysnet_dns_name_resolve(bitlbee_t)
--
optional_policy(`
- # normally started from inetd using tcpwrappers, so use those entry points
tcpd_wrapped_domain(bitlbee_t, bitlbee_exec_t)
+ ')
diff --git a/blueman.fc b/blueman.fc
-index 6355318..98ba16a 100644
+index c295d2e..4f84e9c 100644
--- a/blueman.fc
+++ b/blueman.fc
@@ -1,3 +1,4 @@
+
/usr/libexec/blueman-mechanism -- gen_context(system_u:object_r:blueman_exec_t,s0)
- /var/lib/blueman(/.*)? gen_context(system_u:object_r:blueman_var_lib_t,s0)
+ /var/lib/blueman(/.*)? gen_context(system_u:object_r:blueman_var_lib_t,s0)
diff --git a/blueman.te b/blueman.te
-index 70969fa..4d18e6e 100644
+index bc5c984..b0c90e9 100644
--- a/blueman.te
+++ b/blueman.te
-@@ -7,23 +7,35 @@ policy_module(blueman, 1.0.0)
+@@ -7,7 +7,7 @@ policy_module(blueman, 1.0.4)
type blueman_t;
type blueman_exec_t;
-dbus_system_domain(blueman_t, blueman_exec_t)
- init_daemon_domain(blueman_t, blueman_exec_t)
++init_daemon_domain(blueman_t, blueman_exec_t)
type blueman_var_lib_t;
files_type(blueman_var_lib_t)
-
-+type blueman_var_run_t;
-+files_pid_file(blueman_var_run_t)
-+
- ########################################
- #
- # blueman local policy
+@@ -21,7 +21,8 @@ files_pid_file(blueman_var_run_t)
#
-+
-+allow blueman_t self:capability { net_admin sys_nice };
-+allow blueman_t self:process { signal_perms setsched };
+
+ allow blueman_t self:capability { net_admin sys_nice };
+-allow blueman_t self:process { signal_perms setsched };
++allow blueman_t self:process { execmem signal_perms setsched };
+
allow blueman_t self:fifo_file rw_fifo_file_perms;
manage_dirs_pattern(blueman_t, blueman_var_lib_t, blueman_var_lib_t)
- manage_files_pattern(blueman_t, blueman_var_lib_t, blueman_var_lib_t)
- files_var_lib_filetrans(blueman_t, blueman_var_lib_t, dir)
-
-+manage_dirs_pattern(blueman_t, blueman_var_run_t, blueman_var_run_t)
-+manage_files_pattern(blueman_t, blueman_var_run_t, blueman_var_run_t)
-+files_pid_filetrans(blueman_t, blueman_var_run_t, { dir file })
-+
- kernel_read_system_state(blueman_t)
-+kernel_request_load_module(blueman_t)
-+kernel_read_net_sysctls(blueman_t)
-
- corecmd_exec_bin(blueman_t)
-
-@@ -34,13 +46,36 @@ dev_rw_wireless(blueman_t)
- domain_use_interactive_fds(blueman_t)
+@@ -46,12 +47,14 @@ domain_use_interactive_fds(blueman_t)
+ files_list_tmp(blueman_t)
files_read_usr_files(blueman_t)
+files_list_tmp(blueman_t)
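Review bot: `allow blueman_t self:process { execmem signal_perms setsched };` newly grants `execmem` to the blueman mechanism, allowing writable-and-executable anonymous memory, and the line carries no explanation unlike the bug-referenced comments used elsewhere in this policy (e.g. `#search debugfs - redhat bug 548206`). Record the reason, e.g. `# execmem: <bug or AVC reference>`, or, if the denial was only a probe that does not break the helper, prefer `dontaudit blueman_t self:process execmem;` so the W^X restriction stays in force. Separately, the inner hunk `@@ -46,12 +47,14 @@` still adds `files_list_tmp(blueman_t)` immediately after an upstream context line that already reads `files_list_tmp(blueman_t)`, so the merged file will contain it twice; drop the patch's copy. The blueman local-policy section continues beyond this hunk.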
@@ -6366,79 +7546,75 @@ index 70969fa..4d18e6e 100644
+sysnet_domtrans_ifconfig(blueman_t)
+sysnet_dns_name_resolve(blueman_t)
- optional_policy(`
- avahi_domtrans(blueman_t)
+ sysnet_domtrans_ifconfig(blueman_t)
+
+@@ -60,10 +63,22 @@ optional_policy(`
')
-+
-+optional_policy(`
+
+ optional_policy(`
+ dbus_system_domain(blueman_t, blueman_exec_t)
+')
+
+optional_policy(`
-+ dnsmasq_domtrans(blueman_t)
-+ dnsmasq_read_pid_files(blueman_t)
-+')
-+
-+optional_policy(`
+ dnsmasq_domtrans(blueman_t)
+ dnsmasq_read_pid_files(blueman_t)
+ ')
+
+ optional_policy(`
+ gnome_search_gconf(blueman_t)
+')
+
+optional_policy(`
-+ iptables_domtrans(blueman_t)
-+')
+ iptables_domtrans(blueman_t)
+ ')
+
+optional_policy(`
+ xserver_read_state_xdm(blueman_t)
+')
diff --git a/bluetooth.fc b/bluetooth.fc
-index dc687e6..e0255eb 100644
+index 2b9c7f3..e1b7177 100644
--- a/bluetooth.fc
+++ b/bluetooth.fc
-@@ -7,6 +7,8 @@
+@@ -5,6 +5,8 @@
/etc/rc\.d/init\.d/dund -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
/etc/rc\.d/init\.d/pand -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
+/usr/lib/systemd/system/bluetooth.* -- gen_context(system_u:object_r:bluetooth_unit_file_t,s0)
+
- #
- # /usr
- #
+ /usr/bin/blue.*pin -- gen_context(system_u:object_r:bluetooth_helper_exec_t,s0)
+ /usr/bin/dund -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+ /usr/bin/hidd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
diff --git a/bluetooth.if b/bluetooth.if
-index 3e45431..758bd64 100644
+index c723a0a..3e8a553 100644
--- a/bluetooth.if
+++ b/bluetooth.if
-@@ -27,7 +27,11 @@ interface(`bluetooth_role',`
+@@ -37,7 +37,12 @@ interface(`bluetooth_role',`
+ domtrans_pattern($2, bluetooth_helper_exec_t, bluetooth_helper_t)
- # allow ps to show cdrecord and allow the user to kill it
ps_process_pattern($2, bluetooth_helper_t)
-- allow $2 bluetooth_helper_t:process signal;
+- allow $2 bluetooth_helper_t:process { ptrace signal_perms };
++
+ allow $2 bluetooth_helper_t:process signal_perms;
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $2 bluetooth_helper_t:process ptrace;
+ ')
- manage_dirs_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
- manage_files_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
-@@ -35,6 +39,8 @@ interface(`bluetooth_role',`
+ allow $2 bluetooth_t:socket rw_socket_perms;
- manage_dirs_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
- manage_files_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
-+
+@@ -45,8 +50,10 @@ interface(`bluetooth_role',`
+ allow $2 { bluetooth_helper_tmp_t bluetooth_helper_tmpfs_t }:file { manage_file_perms relabel_file_perms };
+ allow $2 bluetooth_helper_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+
++ manage_dirs_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
++ manage_files_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
+ bluetooth_stream_connect($2)
+ stream_connect_pattern($2, bluetooth_var_run_t, bluetooth_var_run_t, bluetooth_t)
+- files_search_pids($2)
')
#####################################
-@@ -91,7 +97,7 @@ interface(`bluetooth_read_config',`
- type bluetooth_conf_t;
- ')
-
-- allow $1 bluetooth_conf_t:file { getattr read ioctl };
-+ allow $1 bluetooth_conf_t:file read_file_perms;
- ')
-
- ########################################
-@@ -117,6 +123,27 @@ interface(`bluetooth_dbus_chat',`
+@@ -130,6 +137,27 @@ interface(`bluetooth_dbus_chat',`
########################################
## <summary>
@@ -6466,27 +7642,10 @@ index 3e45431..758bd64 100644
## Execute bluetooth_helper in the bluetooth_helper domain. (Deprecated)
## </summary>
## <param name="domain">
-@@ -157,7 +184,7 @@ interface(`bluetooth_run_helper',`
+@@ -190,6 +218,29 @@ interface(`bluetooth_dontaudit_read_helper_state',`
########################################
## <summary>
--## Read bluetooth helper state files.
-+## Do not audit attempts to read bluetooth helper state files.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -170,8 +197,31 @@ interface(`bluetooth_dontaudit_read_helper_state',`
- type bluetooth_helper_t;
- ')
-
-- dontaudit $1 bluetooth_helper_t:dir search;
-- dontaudit $1 bluetooth_helper_t:file { read getattr };
-+ dontaudit $1 bluetooth_helper_t:dir search_dir_perms;
-+ dontaudit $1 bluetooth_helper_t:file read_file_perms;
-+')
-+
-+########################################
-+## <summary>
+## Execute bluetooth server in the bluetooth domain.
+## </summary>
+## <param name="domain">
@@ -6506,21 +7665,19 @@ index 3e45431..758bd64 100644
+ allow $1 bluetooth_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, bluetooth_t)
- ')
-
- ########################################
-@@ -193,15 +243,19 @@ interface(`bluetooth_dontaudit_read_helper_state',`
- #
- interface(`bluetooth_admin',`
- gen_require(`
-- type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t;
-- type bluetooth_spool_t, bluetooth_var_lib_t, bluetooth_var_run_t;
-- type bluetooth_conf_t, bluetooth_conf_rw_t;
++')
++
++########################################
++## <summary>
+ ## All of the rules required to
+ ## administrate an bluetooth environment.
+ ## </summary>
+@@ -210,12 +261,16 @@ interface(`bluetooth_admin',`
+ type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t;
+ type bluetooth_var_lib_t, bluetooth_var_run_t;
+ type bluetooth_conf_t, bluetooth_conf_rw_t, bluetooth_var_lib_t;
- type bluetooth_initrc_exec_t;
-+ type bluetooth_t, bluetooth_lock_t, bluetooth_spool_t;
-+ type bluetooth_var_lib_t, bluetooth_var_run_t, bluetooth_initrc_exec_t;
-+ type bluetooth_conf_t, bluetooth_conf_rw_t, bluetooth_tmp_t;
-+ type bluetooth_unit_file_t;
++ type bluetooth_unit_file_t, bluetooth_initrc_exec_t;
')
- allow $1 bluetooth_t:process { ptrace signal_perms };
@@ -6534,7 +7691,7 @@ index 3e45431..758bd64 100644
init_labeled_script_domtrans($1, bluetooth_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 bluetooth_initrc_exec_t system_r;
-@@ -225,4 +279,8 @@ interface(`bluetooth_admin',`
+@@ -235,4 +290,8 @@ interface(`bluetooth_admin',`
files_list_pids($1)
admin_pattern($1, bluetooth_var_run_t)
@@ -6544,25 +7701,10 @@ index 3e45431..758bd64 100644
+ allow $1 bluetooth_unit_file_t:service all_service_perms;
')
diff --git a/bluetooth.te b/bluetooth.te
-index d3019b3..aed14bb 100644
+index 6f09d24..0b43ce7 100644
--- a/bluetooth.te
+++ b/bluetooth.te
-@@ -4,12 +4,13 @@ policy_module(bluetooth, 3.4.0)
- #
- # Declarations
- #
-+
- type bluetooth_t;
- type bluetooth_exec_t;
- init_daemon_domain(bluetooth_t, bluetooth_exec_t)
-
- type bluetooth_conf_t;
--files_type(bluetooth_conf_t)
-+files_config_file(bluetooth_conf_t)
-
- type bluetooth_conf_rw_t;
- files_type(bluetooth_conf_rw_t)
-@@ -45,6 +46,9 @@ files_type(bluetooth_var_lib_t)
+@@ -49,6 +49,9 @@ files_type(bluetooth_var_lib_t)
type bluetooth_var_run_t;
files_pid_file(bluetooth_var_run_t)
@@ -6571,24 +7713,43 @@ index d3019b3..aed14bb 100644
+
########################################
#
- # Bluetooth services local policy
-@@ -96,7 +100,6 @@ kernel_request_load_module(bluetooth_t)
- #search debugfs - redhat bug 548206
+ # Local policy
+@@ -90,14 +93,24 @@ files_pid_filetrans(bluetooth_t, bluetooth_var_run_t, { file sock_file })
+
+ can_exec(bluetooth_t, bluetooth_helper_exec_t)
+
++corecmd_exec_bin(bluetooth_t)
++corecmd_exec_shell(bluetooth_t)
++
+ kernel_read_kernel_sysctls(bluetooth_t)
+ kernel_read_system_state(bluetooth_t)
+ kernel_read_network_state(bluetooth_t)
+ kernel_request_load_module(bluetooth_t)
kernel_search_debugfs(bluetooth_t)
--corenet_all_recvfrom_unlabeled(bluetooth_t)
- corenet_all_recvfrom_netlabel(bluetooth_t)
- corenet_tcp_sendrecv_generic_if(bluetooth_t)
- corenet_udp_sendrecv_generic_if(bluetooth_t)
-@@ -127,7 +130,6 @@ corecmd_exec_shell(bluetooth_t)
- domain_use_interactive_fds(bluetooth_t)
+-corecmd_exec_bin(bluetooth_t)
+-corecmd_exec_shell(bluetooth_t)
++corenet_all_recvfrom_netlabel(bluetooth_t)
++corenet_tcp_sendrecv_generic_if(bluetooth_t)
++corenet_udp_sendrecv_generic_if(bluetooth_t)
++corenet_raw_sendrecv_generic_if(bluetooth_t)
++corenet_tcp_sendrecv_generic_node(bluetooth_t)
++corenet_udp_sendrecv_generic_node(bluetooth_t)
++corenet_raw_sendrecv_generic_node(bluetooth_t)
++corenet_tcp_sendrecv_all_ports(bluetooth_t)
++corenet_udp_sendrecv_all_ports(bluetooth_t)
+
+ dev_read_sysfs(bluetooth_t)
+ dev_rw_usbfs(bluetooth_t)
+@@ -110,7 +123,6 @@ domain_use_interactive_fds(bluetooth_t)
domain_dontaudit_search_all_domains_state(bluetooth_t)
--files_read_etc_files(bluetooth_t)
files_read_etc_runtime_files(bluetooth_t)
- files_read_usr_files(bluetooth_t)
+-files_read_usr_files(bluetooth_t)
-@@ -135,7 +137,6 @@ auth_use_nsswitch(bluetooth_t)
+ fs_getattr_all_fs(bluetooth_t)
+ fs_search_auto_mountpoints(bluetooth_t)
+@@ -122,7 +134,6 @@ auth_use_nsswitch(bluetooth_t)
logging_send_syslog_msg(bluetooth_t)
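Review bot: The newly added `corenet_tcp_sendrecv_all_ports(bluetooth_t)` and `corenet_udp_sendrecv_all_ports(bluetooth_t)` give bluetoothd send/receive rights on every labelled port type, far wider than the other grants in this block and wider than its own HCI/RFCOMM traffic should require; if a specific port denial motivated them, name it and use the matching `corenet_tcp_sendrecv_<name>_port` interface, and if they were only carried over from the old upstream layout, say so in a comment. Likewise `corecmd_exec_bin(bluetooth_t)` and `corecmd_exec_shell(bluetooth_t)` let a compromised daemon run any system binary or a shell within its own domain; where the spawned helper is known (`bluetooth_helper_exec_t` is already handled by the `can_exec` line just above), a transition to a narrower domain is the safer expression. The local-policy block continues beyond the hunk.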
@@ -6596,7 +7757,7 @@ index d3019b3..aed14bb 100644
miscfiles_read_fonts(bluetooth_t)
miscfiles_read_hwdata(bluetooth_t)
-@@ -144,6 +145,10 @@ userdom_dontaudit_use_user_terminals(bluetooth_t)
+@@ -131,6 +142,10 @@ userdom_dontaudit_use_user_terminals(bluetooth_t)
userdom_dontaudit_search_user_home_dirs(bluetooth_t)
optional_policy(`
@@ -6605,39 +7766,24 @@ index d3019b3..aed14bb 100644
+
+optional_policy(`
dbus_system_bus_client(bluetooth_t)
- dbus_connect_system_bus(bluetooth_t)
-
-@@ -212,17 +217,16 @@ corecmd_exec_shell(bluetooth_helper_t)
-
- domain_read_all_domains_state(bluetooth_helper_t)
--files_read_etc_files(bluetooth_helper_t)
- files_read_etc_runtime_files(bluetooth_helper_t)
- files_read_usr_files(bluetooth_helper_t)
- files_dontaudit_list_default(bluetooth_helper_t)
-
-+auth_use_nsswitch(bluetooth_helper_t)
-+
- locallogin_dontaudit_use_fds(bluetooth_helper_t)
-
- logging_send_syslog_msg(bluetooth_helper_t)
-
--miscfiles_read_localization(bluetooth_helper_t)
--
- sysnet_read_config(bluetooth_helper_t)
-
- optional_policy(`
+ optional_policy(`
diff --git a/boinc.fc b/boinc.fc
-new file mode 100644
-index 0000000..bda740a
---- /dev/null
+index 6d3ccad..bda740a 100644
+--- a/boinc.fc
+++ b/boinc.fc
-@@ -0,0 +1,12 @@
-+
+@@ -1,9 +1,12 @@
+-/etc/rc\.d/init\.d/boinc-client -- gen_context(system_u:object_r:boinc_initrc_exec_t,s0)
+
+-/usr/bin/boinc_client -- gen_context(system_u:object_r:boinc_exec_t,s0)
+/etc/rc\.d/init\.d/boinc-client -- gen_context(system_u:object_r:boinc_initrc_exec_t,s0)
-+
+
+-/var/lib/boinc(/.*)? gen_context(system_u:object_r:boinc_var_lib_t,s0)
+-/var/lib/boinc/projects(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
+-/var/lib/boinc/slots(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
+/usr/bin/boinc_client -- gen_context(system_u:object_r:boinc_exec_t,s0)
-+
+
+-/var/log/boinc\.log.* -- gen_context(system_u:object_r:boinc_log_t,s0)
+/usr/lib/systemd/system/boinc-client\.service -- gen_context(system_u:object_r:boinc_unit_file_t,s0)
+
+/var/lib/boinc(/.*)? gen_context(system_u:object_r:boinc_var_lib_t,s0)
@@ -6646,15 +7792,17 @@ index 0000000..bda740a
+
+/var/log/boinc\.log.* -- gen_context(system_u:object_r:boinc_log_t,s0)
diff --git a/boinc.if b/boinc.if
-new file mode 100644
-index 0000000..fbcef10
---- /dev/null
+index 02fefaa..fbcef10 100644
+--- a/boinc.if
+++ b/boinc.if
-@@ -0,0 +1,206 @@
+@@ -1,9 +1,165 @@
+-## <summary>Platform for computing using volunteered resources.</summary>
+## <summary>policy for boinc</summary>
-+
-+########################################
-+## <summary>
+
+ ########################################
+ ## <summary>
+-## All of the rules required to
+-## administrate an boinc environment.
+## Execute a domain transition to run boinc.
+## </summary>
+## <param name="domain">
@@ -6813,94 +7961,96 @@ index 0000000..fbcef10
+## <summary>
+## All of the rules required to administrate
+## an boinc environment.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <param name="role">
-+## <summary>
-+## Role allowed access.
-+## </summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`boinc_admin',`
-+ gen_require(`
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -19,26 +175,32 @@
+ #
+ interface(`boinc_admin',`
+ gen_require(`
+-
+- type boinc_t, boinc_project_t, boinc_log_t;
+- type boinc_var_lib_t, boinc_tmp_t, boinc_initrc_exec_t;
+- type boinc_project_var_lib_t, boinc_project_tmp_t;
+ type boinc_t, boinc_initrc_exec_t, boinc_var_lib_t;
+ type boinc_unit_file_t;
-+ ')
-+
+ ')
+
+- allow $1 { boinc_t boinc_project_t }:process { ptrace signal_perms };
+- ps_process_pattern($1, { boinc_t boinc_project_t })
+ allow $1 boinc_t:process signal_perms;
+ ps_process_pattern($1, boinc_t)
-+
+
+- init_labeled_script_domtrans($1, boinc_initrc_exec_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 boinc_t:process ptrace;
+ ')
+
+ boinc_initrc_domtrans($1)
-+ domain_system_change_exemption($1)
-+ role_transition $2 boinc_initrc_exec_t system_r;
-+ allow $2 system_r;
-+
+ domain_system_change_exemption($1)
+ role_transition $2 boinc_initrc_exec_t system_r;
+ allow $2 system_r;
+
+- logging_search_logs($1)
+- admin_pattern($1, boinc_log_t)
+ files_list_var_lib($1)
+ admin_pattern($1, boinc_var_lib_t)
-+
+
+- files_search_tmp($1)
+- admin_pattern($1, { boinc_project_tmp_t boinc_tmp_t })
+ boinc_systemctl($1)
+ admin_pattern($1, boinc_unit_file_t)
-+
+
+- files_search_var_lib($1)
+- admin_pattern($1, { boinc_project_var_lib_t boinc_var_lib_t })
+ allow $1 boinc_unit_file_t:service all_service_perms;
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
-+')
+ ')
diff --git a/boinc.te b/boinc.te
-new file mode 100644
-index 0000000..0a7e857
---- /dev/null
+index 7c92aa1..3dbacf3 100644
+--- a/boinc.te
+++ b/boinc.te
-@@ -0,0 +1,199 @@
+@@ -1,11 +1,13 @@
+-policy_module(boinc, 1.0.3)
+policy_module(boinc, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
+
+ ########################################
+ #
+ # Declarations
+ #
+
+-type boinc_t;
+attribute boinc_domain;
+
+type boinc_t, boinc_domain;
-+type boinc_exec_t;
-+init_daemon_domain(boinc_t, boinc_exec_t)
-+
-+type boinc_initrc_exec_t;
-+init_script_file(boinc_initrc_exec_t)
-+
-+type boinc_tmp_t;
-+files_tmp_file(boinc_tmp_t)
-+
-+type boinc_tmpfs_t;
-+files_tmpfs_file(boinc_tmpfs_t)
-+
-+type boinc_var_lib_t;
-+files_type(boinc_var_lib_t)
-+
-+type boinc_log_t;
-+logging_log_file(boinc_log_t)
-+
+ type boinc_exec_t;
+ init_daemon_domain(boinc_t, boinc_exec_t)
+
+@@ -21,31 +23,66 @@ files_tmpfs_file(boinc_tmpfs_t)
+ type boinc_var_lib_t;
+ files_type(boinc_var_lib_t)
+
+-type boinc_project_var_lib_t;
+-files_type(boinc_project_var_lib_t)
+-
+ type boinc_log_t;
+ logging_log_file(boinc_log_t)
+
+type boinc_unit_file_t;
+systemd_unit_file(boinc_unit_file_t)
+
-+type boinc_project_t;
-+domain_type(boinc_project_t)
-+role system_r types boinc_project_t;
-+
-+type boinc_project_tmp_t;
-+files_tmp_file(boinc_project_tmp_t)
-+
+ type boinc_project_t;
+ domain_type(boinc_project_t)
+-domain_entry_file(boinc_project_t, boinc_project_var_lib_t)
+ role system_r types boinc_project_t;
+
+ type boinc_project_tmp_t;
+ files_tmp_file(boinc_project_tmp_t)
+
+type boinc_project_var_lib_t;
+files_type(boinc_project_var_lib_t)
+
@@ -6916,7 +8066,6 @@ index 0000000..0a7e857
+manage_files_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t)
+manage_lnk_files_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t)
+
-+
+corecmd_exec_bin(boinc_domain)
+corecmd_exec_shell(boinc_domain)
+
@@ -6939,81 +8088,141 @@ index 0000000..0a7e857
+ sysnet_dns_name_resolve(boinc_domain)
+')
+
-+########################################
-+#
+ ########################################
+ #
+-# Local policy
+# boinc local policy
-+#
-+
-+allow boinc_t self:process { setsched setpgid signull sigkill };
+ #
+
+ allow boinc_t self:process { setsched setpgid signull sigkill };
+-allow boinc_t self:unix_stream_socket { accept listen };
+-allow boinc_t self:tcp_socket { accept listen };
+
+allow boinc_t self:unix_stream_socket create_stream_socket_perms;
+allow boinc_t self:tcp_socket create_stream_socket_perms;
-+allow boinc_t self:shm create_shm_perms;
-+
-+manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
-+manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
-+files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file })
-+
-+manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t)
-+fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file)
-+
+ allow boinc_t self:shm create_shm_perms;
+-allow boinc_t self:fifo_file rw_fifo_file_perms;
+-allow boinc_t self:sem create_sem_perms;
+
+ manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
+ manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
+@@ -54,74 +91,45 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file })
+ manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t)
+ fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file)
+
+-manage_dirs_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
+-manage_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
+-manage_lnk_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
+-
+-# entry files to the boinc_project_t domain
+-manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+-manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+exec_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
+# this should be created by default by boinc
+# we need this label for transition to boinc_project_t
+# other boinc lib files will end up with boinc_var_lib_t
-+filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir, "slots")
-+filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir, "projects")
-+
+ filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir, "slots")
+ filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir, "projects")
+
+-append_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
+-create_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
+-setattr_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
+-logging_log_filetrans(boinc_t, boinc_log_t, file)
+-
+-can_exec(boinc_t, boinc_var_lib_t)
+manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
-+
+
+-domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
+manage_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
+logging_log_filetrans(boinc_t, boinc_log_t, { file })
-+
+
+# needs read /proc/interrupts
-+kernel_read_system_state(boinc_t)
-+kernel_search_vm_sysctl(boinc_t)
-+
+ kernel_read_system_state(boinc_t)
+ kernel_search_vm_sysctl(boinc_t)
+
+-corenet_all_recvfrom_unlabeled(boinc_t)
+files_getattr_all_dirs(boinc_t)
+files_getattr_all_files(boinc_t)
+
-+corenet_all_recvfrom_netlabel(boinc_t)
-+corenet_tcp_sendrecv_generic_if(boinc_t)
+ corenet_all_recvfrom_netlabel(boinc_t)
+ corenet_tcp_sendrecv_generic_if(boinc_t)
+corenet_udp_sendrecv_generic_if(boinc_t)
-+corenet_tcp_sendrecv_generic_node(boinc_t)
+ corenet_tcp_sendrecv_generic_node(boinc_t)
+corenet_udp_sendrecv_generic_node(boinc_t)
+corenet_tcp_sendrecv_all_ports(boinc_t)
+corenet_udp_sendrecv_all_ports(boinc_t)
-+corenet_tcp_bind_generic_node(boinc_t)
+ corenet_tcp_bind_generic_node(boinc_t)
+-
+-corenet_sendrecv_boinc_client_packets(boinc_t)
+-corenet_sendrecv_boinc_server_packets(boinc_t)
+corenet_udp_bind_generic_node(boinc_t)
-+corenet_tcp_bind_boinc_port(boinc_t)
-+corenet_tcp_bind_boinc_client_ctrl_port(boinc_t)
+ corenet_tcp_bind_boinc_port(boinc_t)
+-corenet_tcp_connect_boinc_port(boinc_t)
+-corenet_tcp_sendrecv_boinc_port(boinc_t)
+-
+-corenet_sendrecv_boinc_client_server_packets(boinc_t)
+ corenet_tcp_bind_boinc_client_port(boinc_t)
+-corenet_tcp_sendrecv_boinc_client_port(boinc_t)
+-
+-corenet_sendrecv_http_client_packets(boinc_t)
+corenet_tcp_connect_boinc_port(boinc_t)
-+corenet_tcp_connect_http_port(boinc_t)
-+corenet_tcp_connect_http_cache_port(boinc_t)
-+corenet_tcp_connect_squid_port(boinc_t)
-+
-+files_dontaudit_getattr_boot_dirs(boinc_t)
-+
+ corenet_tcp_connect_http_port(boinc_t)
+-corenet_tcp_sendrecv_http_port(boinc_t)
+-
+-corenet_sendrecv_http_cache_client_packets(boinc_t)
+ corenet_tcp_connect_http_cache_port(boinc_t)
+-corenet_tcp_sendrecv_http_cache_port(boinc_t)
+-
+-corenet_sendrecv_squid_client_packets(boinc_t)
+ corenet_tcp_connect_squid_port(boinc_t)
+-corenet_tcp_sendrecv_squid_port(boinc_t)
+-
+-corecmd_exec_bin(boinc_t)
+-corecmd_exec_shell(boinc_t)
+-
+-dev_read_rand(boinc_t)
+-dev_read_urand(boinc_t)
+-dev_read_sysfs(boinc_t)
+-dev_rw_xserver_misc(boinc_t)
+-
+-domain_read_all_domains_state(boinc_t)
+
+ files_dontaudit_getattr_boot_dirs(boinc_t)
+-files_getattr_all_dirs(boinc_t)
+-files_getattr_all_files(boinc_t)
+-files_read_etc_files(boinc_t)
+-files_read_etc_runtime_files(boinc_t)
+-files_read_usr_files(boinc_t)
+
+-fs_getattr_all_fs(boinc_t)
+auth_read_passwd(boinc_t)
-+
-+term_getattr_all_ptys(boinc_t)
-+term_getattr_unallocated_ttys(boinc_t)
-+
-+init_read_utmp(boinc_t)
-+
-+logging_send_syslog_msg(boinc_t)
-+
-+optional_policy(`
-+ mta_send_mail(boinc_t)
-+')
-+
-+########################################
-+#
+
+ term_getattr_all_ptys(boinc_t)
+ term_getattr_unallocated_ttys(boinc_t)
+@@ -130,55 +138,61 @@ init_read_utmp(boinc_t)
+
+ logging_send_syslog_msg(boinc_t)
+
+-miscfiles_read_fonts(boinc_t)
+-miscfiles_read_localization(boinc_t)
+-
+ optional_policy(`
+ mta_send_mail(boinc_t)
+ ')
+
+-optional_policy(`
+- sysnet_dns_name_resolve(boinc_t)
+-')
+-
+ ########################################
+ #
+-# Project local policy
+# boinc-projects local policy
-+#
-+
-+allow boinc_project_t self:capability { setuid setgid };
+ #
+
+ allow boinc_project_t self:capability { setuid setgid };
+-allow boinc_project_t self:process { execmem execstack noatsecure ptrace setcap getcap setpgid setsched signal_perms };
+
+domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
+allow boinc_t boinc_project_t:process sigkill;
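Review bot: The new side replaces upstream's `append_files_pattern`/`create_files_pattern`/`setattr_files_pattern` on boinc_log_t with `manage_files_pattern(boinc_t, boinc_log_t, boinc_log_t)`, which additionally lets the daemon truncate, rename and unlink its own log files; if the daemon only appends and rotates, the narrower upstream rules followed by `logging_log_filetrans(boinc_t, boinc_log_t, file)` preserve log integrity. The hunk also adds `corenet_tcp_sendrecv_all_ports`/`corenet_udp_sendrecv_all_ports` and `files_getattr_all_dirs`/`files_getattr_all_files` without a comment; a why-comment such as `# client reports disk usage for arbitrary mounts` (to be confirmed against the denials that prompted it) would help the next maintainer. The boinc.te section this hunk edits continues in the following hunk.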
@@ -7021,32 +8230,43 @@ index 0000000..0a7e857
+
+allow boinc_project_t self:process { ptrace setcap getcap setpgid setsched signal signull sigkill sigstop };
+allow boinc_project_t self:process { execmem execstack };
-+
-+manage_dirs_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
-+manage_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
-+manage_sock_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
-+files_tmp_filetrans(boinc_project_t, boinc_project_tmp_t, { dir file sock_file})
-+
+
+ manage_dirs_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
+ manage_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
+ manage_sock_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
+ files_tmp_filetrans(boinc_project_t, boinc_project_tmp_t, { dir file sock_file})
+
+allow boinc_project_t boinc_project_var_lib_t:file entrypoint;
+exec_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
-+manage_dirs_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
-+manage_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+ manage_dirs_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+ manage_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, dir, "projects")
+files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, dir, "slots" )
-+
-+allow boinc_project_t boinc_project_var_lib_t:file execmod;
-+
-+allow boinc_project_t boinc_t:shm rw_shm_perms;
+
+ allow boinc_project_t boinc_project_var_lib_t:file execmod;
+-can_exec(boinc_project_t, boinc_project_var_lib_t)
+
+ allow boinc_project_t boinc_t:shm rw_shm_perms;
+-allow boinc_project_t boinc_tmpfs_t:file { read write };
+allow boinc_project_t boinc_tmpfs_t:file rw_inherited_file_perms;
-+
-+kernel_read_kernel_sysctls(boinc_project_t)
-+kernel_search_vm_sysctl(boinc_project_t)
+
+ kernel_read_kernel_sysctls(boinc_project_t)
+-kernel_read_network_state(boinc_project_t)
+ kernel_search_vm_sysctl(boinc_project_t)
+kernel_read_network_state(boinc_project_t)
-+
-+corenet_tcp_connect_boinc_port(boinc_project_t)
-+
-+files_dontaudit_search_home(boinc_project_t)
-+
+
+-corenet_all_recvfrom_unlabeled(boinc_project_t)
+-corenet_all_recvfrom_netlabel(boinc_project_t)
+-corenet_tcp_sendrecv_generic_if(boinc_project_t)
+-corenet_tcp_sendrecv_generic_node(boinc_project_t)
+-corenet_tcp_bind_generic_node(boinc_project_t)
+-
+-corenet_sendrecv_boinc_client_packets(boinc_project_t)
+ corenet_tcp_connect_boinc_port(boinc_project_t)
+-corenet_tcp_sendrecv_boinc_port(boinc_project_t)
+
+ files_dontaudit_search_home(boinc_project_t)
+
+# needed by java
+fs_read_hugetlbfs_files(boinc_project_t)
+
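Review bot: `allow boinc_project_t boinc_project_var_lib_t:file entrypoint;` is redundant with `domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)` in the preceding hunk, since domtrans_pattern already grants entrypoint on the entry file type, so one of the two can go. The same domain gets `manage_files_pattern` and `execmod` on boinc_project_var_lib_t, meaning a project process can rewrite the very executables it transitions through; that appears inherent to how BOINC distributes project code, but it deserves a comment such as `# project code is downloaded and self-updated, so the project domain must write its own executables`. The unconditional `ptrace` in `allow boinc_project_t self:process { ptrace setcap ... }` is also inconsistent with `boinc_admin` in this patch, which gates ptrace behind `tunable_policy(deny_ptrace)`; the same wrapper here would keep the policy coherent.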
@@ -7054,70 +8274,38 @@ index 0000000..0a7e857
+ gnome_read_gconf_config(boinc_project_t)
+')
+
-+optional_policy(`
-+ java_exec(boinc_project_t)
-+')
+ optional_policy(`
+ java_exec(boinc_project_t)
+ ')
+
+# until solution for VirtualBox, java ..
+optional_policy(`
+ unconfined_domain(boinc_project_t)
+')
-diff --git a/brctl.if b/brctl.if
-index 2c2cdb6..73b3814 100644
---- a/brctl.if
-+++ b/brctl.if
-@@ -18,3 +18,28 @@ interface(`brctl_domtrans',`
- corecmd_search_bin($1)
- domtrans_pattern($1, brctl_exec_t, brctl_t)
- ')
-+
-+#####################################
-+## <summary>
-+## Execute brctl in the brctl domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed to transition.
-+## </summary>
-+## </param>
-+## <param name="role">
-+## <summary>
-+## Role allowed access.
-+## </summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`brctl_run',`
-+ gen_require(`
-+ type brctl_t, brctl_exec_t;
-+ ')
-+
-+ brctl_domtrans($1)
-+ role $2 types brctl_t;
-+')
diff --git a/brctl.te b/brctl.te
-index 9a62a1d..283f4fa 100644
+index bcd1e87..a2559fe 100644
--- a/brctl.te
+++ b/brctl.te
-@@ -36,7 +36,6 @@ files_read_etc_files(brctl_t)
+@@ -38,8 +38,6 @@ files_read_etc_files(brctl_t)
term_dontaudit_use_console(brctl_t)
-miscfiles_read_localization(brctl_t)
-
+-
optional_policy(`
xen_append_log(brctl_t)
+ xen_dontaudit_rw_unix_stream_sockets(brctl_t)
diff --git a/bugzilla.if b/bugzilla.if
-index de89d0f..86e4ee7 100644
+index 1b22262..bf0cefa 100644
--- a/bugzilla.if
+++ b/bugzilla.if
-@@ -48,23 +48,24 @@ interface(`bugzilla_dontaudit_rw_stream_sockets',`
+@@ -48,24 +48,26 @@ interface(`bugzilla_dontaudit_rw_stream_sockets',`
## Domain allowed access.
## </summary>
## </param>
-## <param name="role">
-## <summary>
--## The role to be allowed to manage the bugzilla domain.
+-## Role allowed access.
-## </summary>
-## </param>
-## <rolecap/>
@@ -7134,6 +8322,7 @@ index de89d0f..86e4ee7 100644
+ allow $1 httpd_bugzilla_script_t:process signal_perms;
ps_process_pattern($1, httpd_bugzilla_script_t)
+- files_search_usr($1)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 httpd_bugzilla_script_t:process ptrace;
+ ')
@@ -7141,14 +8330,25 @@ index de89d0f..86e4ee7 100644
+ files_list_tmp($1)
+ admin_pattern($1, httpd_bugzilla_tmp_t)
+
- files_list_var_lib(httpd_bugzilla_script_t)
++ files_list_var_lib(httpd_bugzilla_script_t)
++
+ admin_pattern($1, httpd_bugzilla_script_exec_t)
+ admin_pattern($1, httpd_bugzilla_script_t)
+ admin_pattern($1, httpd_bugzilla_content_t)
+@@ -76,5 +78,7 @@ interface(`bugzilla_admin',`
+ files_search_var_lib($1)
+ admin_pattern($1, httpd_bugzilla_rw_content_t)
- apache_list_sys_content($1)
+- apache_list_sys_content($1)
++ optional_policy(`
++ apache_list_sys_content($1)
++ ')
+ ')
diff --git a/bugzilla.te b/bugzilla.te
-index 048abbf..dece084 100644
+index 41f8251..e0449c8 100644
--- a/bugzilla.te
+++ b/bugzilla.te
-@@ -7,6 +7,9 @@ policy_module(bugzilla, 1.0.0)
+@@ -7,6 +7,9 @@ policy_module(bugzilla, 1.0.4)
apache_content_template(bugzilla)
@@ -7157,18 +8357,18 @@ index 048abbf..dece084 100644
+
########################################
#
- # bugzilla local policy
-@@ -16,7 +19,6 @@ allow httpd_bugzilla_script_t self:netlink_route_socket r_netlink_socket_perms;
- allow httpd_bugzilla_script_t self:tcp_socket create_stream_socket_perms;
- allow httpd_bugzilla_script_t self:udp_socket create_socket_perms;
+ # Local policy
+@@ -14,7 +17,6 @@ apache_content_template(bugzilla)
+
+ allow httpd_bugzilla_script_t self:tcp_socket { accept listen };
-corenet_all_recvfrom_unlabeled(httpd_bugzilla_script_t)
corenet_all_recvfrom_netlabel(httpd_bugzilla_script_t)
corenet_tcp_sendrecv_generic_if(httpd_bugzilla_script_t)
- corenet_udp_sendrecv_generic_if(httpd_bugzilla_script_t)
-@@ -31,8 +33,14 @@ corenet_tcp_connect_smtp_port(httpd_bugzilla_script_t)
- corenet_sendrecv_postgresql_client_packets(httpd_bugzilla_script_t)
- corenet_sendrecv_mysqld_client_packets(httpd_bugzilla_script_t)
+ corenet_tcp_sendrecv_generic_node(httpd_bugzilla_script_t)
+@@ -27,9 +29,15 @@ corenet_sendrecv_smtp_client_packets(httpd_bugzilla_script_t)
+ corenet_tcp_connect_smtp_port(httpd_bugzilla_script_t)
+ corenet_tcp_sendrecv_smtp_port(httpd_bugzilla_script_t)
+manage_dirs_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t)
+manage_files_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t)
@@ -7176,17 +8376,19 @@ index 048abbf..dece084 100644
+
files_search_var_lib(httpd_bugzilla_script_t)
+-sysnet_dns_name_resolve(httpd_bugzilla_script_t)
+auth_read_passwd(httpd_bugzilla_script_t)
+
- sysnet_read_config(httpd_bugzilla_script_t)
++sysnet_read_config(httpd_bugzilla_script_t)
sysnet_use_ldap(httpd_bugzilla_script_t)
+ optional_policy(`
diff --git a/cachefilesd.fc b/cachefilesd.fc
-new file mode 100644
-index 0000000..aa03fc8
---- /dev/null
+index 648c790..aa03fc8 100644
+--- a/cachefilesd.fc
+++ b/cachefilesd.fc
-@@ -0,0 +1,34 @@
+@@ -1,9 +1,34 @@
+-/etc/rc\.d/init\.d/cachefilesd -- gen_context(system_u:object_r:cachefilesd_initrc_exec_t,s0)
+###############################################################################
+#
+# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
@@ -7211,22 +8413,24 @@ index 0000000..aa03fc8
+# MCS categories: <none>
+
+/dev/cachefiles -c gen_context(system_u:object_r:cachefiles_dev_t,s0)
-+
-+/sbin/cachefilesd -- gen_context(system_u:object_r:cachefilesd_exec_t,s0)
-+
-+/usr/sbin/cachefilesd -- gen_context(system_u:object_r:cachefilesd_exec_t,s0)
-+
+
+ /sbin/cachefilesd -- gen_context(system_u:object_r:cachefilesd_exec_t,s0)
+
+ /usr/sbin/cachefilesd -- gen_context(system_u:object_r:cachefilesd_exec_t,s0)
+
+-/var/cache/fscache(/.*)? gen_context(system_u:object_r:cachefilesd_cache_t,s0)
+/var/cache/fscache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0)
+
+/var/fscache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0)
-+
+
+-/var/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefilesd_var_run_t,s0)
+/var/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefilesd_var_run_t,s0)
diff --git a/cachefilesd.if b/cachefilesd.if
-new file mode 100644
-index 0000000..3b41945
---- /dev/null
+index 8de2ab9..3b41945 100644
+--- a/cachefilesd.if
+++ b/cachefilesd.if
-@@ -0,0 +1,35 @@
+@@ -1,39 +1,35 @@
+-## <summary>CacheFiles user-space management daemon.</summary>
+###############################################################################
+#
+# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
@@ -7244,30 +8448,55 @@ index 0000000..3b41945
+# Define the policy interface for the CacheFiles userspace management daemon.
+#
+## <summary>policy for cachefilesd</summary>
-+
-+########################################
-+## <summary>
+
+ ########################################
+ ## <summary>
+-## All of the rules required to
+-## administrate an cachefilesd environment.
+## Execute a domain transition to run cachefilesd.
-+## </summary>
-+## <param name="domain">
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
+## Domain allowed to transition.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+-## <param name="role">
+-## <summary>
+-## Role allowed access.
+-## </summary>
+-## </param>
+-## <rolecap/>
+ #
+-interface(`cachefilesd_admin',`
+interface(`cachefilesd_domtrans',`
-+ gen_require(`
+ gen_require(`
+- type cachefilesd_t, cachefilesd_initrc_exec_t, cachefilesd_cache_t;
+- type cachefilesd_var_run_t;
+ type cachefilesd_t, cachefilesd_exec_t;
-+ ')
-+
+ ')
+
+- allow $1 cachefilesd_t:process { ptrace signal_perms };
+- ps_process_pattern($1, cachefilesd_t)
+-
+- init_labeled_script_domtrans($1, cachefilesd_initrc_exec_t)
+- domain_system_change_exemption($1)
+- role_transition $2 cachefilesd_initrc_exec_t system_r;
+- allow $2 system_r;
+-
+- files_search_var($1)
+- admin_pattern($1, cachefilesd_cache_t)
+-
+- files_search_pids($1)
+- admin_pattern($1, cachefilesd_var_run_t)
+ domtrans_pattern($1, cachefilesd_exec_t, cachefilesd_t)
-+')
+ ')
diff --git a/cachefilesd.te b/cachefilesd.te
-new file mode 100644
-index 0000000..3eda1b1
---- /dev/null
+index 581c8ef..3eda1b1 100644
+--- a/cachefilesd.te
+++ b/cachefilesd.te
-@@ -0,0 +1,144 @@
+@@ -1,52 +1,144 @@
+-policy_module(cachefilesd, 1.0.1)
+###############################################################################
+#
+# Copyright (C) 2006, 2010 Red Hat, Inc. All Rights Reserved.
@@ -7280,7 +8509,8 @@ index 0000000..3eda1b1
+# 2 of the License, or (at your option) any later version.
+#
+###############################################################################
-+
+
+-########################################
+#
+# This security policy governs access by the CacheFiles kernel module and
+# userspace management daemon to the files and directories in the on-disk
@@ -7290,10 +8520,10 @@ index 0000000..3eda1b1
+policy_module(cachefilesd, 1.0.17)
+
+###############################################################################
-+#
-+# Declarations
-+#
-+
+ #
+ # Declarations
+ #
+
+#
+# Files in the cache are created by the cachefiles module with security ID
+# cachefiles_var_t
@@ -7310,17 +8540,25 @@ index 0000000..3eda1b1
+#
+# The cachefilesd daemon normally runs with security ID cachefilesd_t
+#
-+type cachefilesd_t;
-+type cachefilesd_exec_t;
-+init_daemon_domain(cachefilesd_t, cachefilesd_exec_t)
-+
+ type cachefilesd_t;
+ type cachefilesd_exec_t;
+ init_daemon_domain(cachefilesd_t, cachefilesd_exec_t)
+
+-type cachefilesd_initrc_exec_t;
+-init_script_file(cachefilesd_initrc_exec_t)
+-
+-type cachefilesd_cache_t;
+-files_type(cachefilesd_cache_t)
+-
+#
+# The cachefilesd daemon pid file context
+#
-+type cachefilesd_var_run_t;
-+files_pid_file(cachefilesd_var_run_t)
-+
-+#
+ type cachefilesd_var_run_t;
+ files_pid_file(cachefilesd_var_run_t)
+
+-########################################
+ #
+-# Local policy
+# The CacheFiles kernel module causes processes accessing the cache files to do
+# so acting as security ID cachefiles_kernel_t
+#
@@ -7332,11 +8570,11 @@ index 0000000..3eda1b1
+###############################################################################
+#
+# Permit RPM to deal with files in the cache
-+#
+ #
+optional_policy(`
+ rpm_use_script_fds(cachefilesd_t)
+')
-+
+
+###############################################################################
+#
+# cachefilesd local policy
@@ -7349,32 +8587,39 @@ index 0000000..3eda1b1
+# Check in /usr/share/selinux/devel/include/ for macros to use instead of allow
+# rules.
+#
-+allow cachefilesd_t self:capability { setuid setgid sys_admin dac_override };
-+
+ allow cachefilesd_t self:capability { setuid setgid sys_admin dac_override };
+
+# Allow manipulation of pid file
+allow cachefilesd_t cachefilesd_var_run_t:file create_file_perms;
-+manage_files_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t)
+ manage_files_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t)
+manage_dirs_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t)
-+files_pid_filetrans(cachefilesd_t, cachefilesd_var_run_t, file)
+ files_pid_filetrans(cachefilesd_t, cachefilesd_var_run_t, file)
+files_create_as_is_all_files(cachefilesd_t)
-+
+
+-manage_dirs_pattern(cachefilesd_t, cachefilesd_cache_t, cachefilesd_cache_t)
+-manage_files_pattern(cachefilesd_t, cachefilesd_cache_t, cachefilesd_cache_t)
+# Allow access to cachefiles device file
+allow cachefilesd_t cachefiles_dev_t:chr_file rw_file_perms;
-+
+
+-dev_rw_cachefiles(cachefilesd_t)
+-
+-files_create_all_files_as(cachefilesd_t)
+-files_read_etc_files(cachefilesd_t)
+# Allow access to cache superstructure
+manage_dirs_pattern(cachefilesd_t, cachefiles_var_t, cachefiles_var_t)
+manage_files_pattern(cachefilesd_t, cachefiles_var_t, cachefiles_var_t)
-+
+
+# Permit statfs on the backing filesystem
-+fs_getattr_xattr_fs(cachefilesd_t)
-+
+ fs_getattr_xattr_fs(cachefilesd_t)
+
+# Basic access
+files_read_etc_files(cachefilesd_t)
+logging_send_syslog_msg(cachefilesd_t)
+init_dontaudit_use_script_ptys(cachefilesd_t)
-+term_dontaudit_use_generic_ptys(cachefilesd_t)
-+term_dontaudit_getattr_unallocated_ttys(cachefilesd_t)
-+
+ term_dontaudit_use_generic_ptys(cachefilesd_t)
+ term_dontaudit_getattr_unallocated_ttys(cachefilesd_t)
+
+-logging_send_syslog_msg(cachefilesd_t)
+###############################################################################
+#
+# When cachefilesd invokes the kernel module to begin caching, it has to tell
@@ -7387,14 +8632,16 @@ index 0000000..3eda1b1
+# as set by the 'secctx' command in /etc/cachefilesd.conf, and
+#
+allow cachefilesd_t cachefiles_kernel_t:kernel_service { use_as_override };
-+
+
+-miscfiles_read_localization(cachefilesd_t)
+#
+# (2) the label that will be assigned to new files and directories created in
+# the cache by the module, which will be the same as the label on the
+# directory pointed to by the 'dir' command.
+#
+allow cachefilesd_t cachefiles_var_t:kernel_service { create_files_as };
-+
+
+-init_dontaudit_use_script_ptys(cachefilesd_t)
+###############################################################################
+#
+# cachefiles kernel module local policy
@@ -7403,7 +8650,10 @@ index 0000000..3eda1b1
+# cache.
+#
+allow cachefiles_kernel_t self:capability { dac_override dac_read_search };
-+
+
+-optional_policy(`
+- rpm_use_script_fds(cachefilesd_t)
+-')
+manage_dirs_pattern(cachefiles_kernel_t, cachefiles_var_t, cachefiles_var_t)
+manage_files_pattern(cachefiles_kernel_t, cachefiles_var_t, cachefiles_var_t)
+
@@ -7413,26 +8663,30 @@ index 0000000..3eda1b1
+
+init_sigchld_script(cachefiles_kernel_t)
diff --git a/calamaris.te b/calamaris.te
-index b13fb66..8926e84 100644
+index f4f21d3..de28437 100644
--- a/calamaris.te
+++ b/calamaris.te
-@@ -39,7 +39,6 @@ kernel_read_system_state(calamaris_t)
+@@ -41,19 +41,23 @@ kernel_read_system_state(calamaris_t)
corecmd_exec_bin(calamaris_t)
--corenet_all_recvfrom_unlabeled(calamaris_t)
- corenet_all_recvfrom_netlabel(calamaris_t)
- corenet_tcp_sendrecv_generic_if(calamaris_t)
- corenet_udp_sendrecv_generic_if(calamaris_t)
-@@ -51,7 +50,6 @@ corenet_udp_sendrecv_all_ports(calamaris_t)
++corenet_all_recvfrom_netlabel(calamaris_t)
++corenet_tcp_sendrecv_generic_if(calamaris_t)
++corenet_udp_sendrecv_generic_if(calamaris_t)
++corenet_tcp_sendrecv_generic_node(calamaris_t)
++corenet_udp_sendrecv_generic_node(calamaris_t)
++corenet_tcp_sendrecv_all_ports(calamaris_t)
++corenet_udp_sendrecv_all_ports(calamaris_t)
++
dev_read_urand(calamaris_t)
- files_search_pids(calamaris_t)
--files_read_etc_files(calamaris_t)
- files_read_usr_files(calamaris_t)
- files_read_var_files(calamaris_t)
+-files_read_usr_files(calamaris_t)
++files_search_pids(calamaris_t)
files_read_etc_runtime_files(calamaris_t)
-@@ -62,8 +60,6 @@ auth_use_nsswitch(calamaris_t)
+
+-libs_read_lib_files(calamaris_t)
+-
+ auth_use_nsswitch(calamaris_t)
logging_send_syslog_msg(calamaris_t)
@@ -7441,1041 +8695,1341 @@ index b13fb66..8926e84 100644
userdom_dontaudit_list_user_home_dirs(calamaris_t)
optional_policy(`
-diff --git a/callweaver.fc b/callweaver.fc
-new file mode 100644
-index 0000000..3e15c63
---- /dev/null
-+++ b/callweaver.fc
-@@ -0,0 +1,11 @@
-+/etc/rc\.d/init\.d/callweaver -- gen_context(system_u:object_r:callweaver_initrc_exec_t,s0)
+diff --git a/callweaver.te b/callweaver.te
+index 528051e..44e5b7d 100644
+--- a/callweaver.te
++++ b/callweaver.te
+@@ -84,4 +84,3 @@ term_use_ptmx(callweaver_t)
+
+ auth_use_nsswitch(callweaver_t)
+
+-miscfiles_read_localization(callweaver_t)
+diff --git a/canna.if b/canna.if
+index 400db07..f416e22 100644
+--- a/canna.if
++++ b/canna.if
+@@ -43,9 +43,13 @@ interface(`canna_admin',`
+ type canna_var_run_t, canna_initrc_exec_t;
+ ')
+
+- allow $1 canna_t:process { ptrace signal_perms };
++ allow $1 canna_t:process signal_perms;
+ ps_process_pattern($1, canna_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 canna_t:process ptrace;
++ ')
+
-+/usr/sbin/callweaver -- gen_context(system_u:object_r:callweaver_exec_t,s0)
+ init_labeled_script_domtrans($1, canna_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 canna_initrc_exec_t system_r;
+diff --git a/canna.te b/canna.te
+index 4ec0626..a209a9b 100644
+--- a/canna.te
++++ b/canna.te
+@@ -52,7 +52,6 @@ files_pid_filetrans(canna_t, canna_var_run_t, { dir sock_file })
+ kernel_read_kernel_sysctls(canna_t)
+ kernel_read_system_state(canna_t)
+
+-corenet_all_recvfrom_unlabeled(canna_t)
+ corenet_all_recvfrom_netlabel(canna_t)
+ corenet_tcp_sendrecv_generic_if(canna_t)
+ corenet_tcp_sendrecv_generic_node(canna_t)
+@@ -76,8 +75,6 @@ files_dontaudit_read_root_files(canna_t)
+
+ logging_send_syslog_msg(canna_t)
+
+-miscfiles_read_localization(canna_t)
+-
+ sysnet_read_config(canna_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(canna_t)
+diff --git a/ccs.if b/ccs.if
+index 5ded72d..f6b854c 100644
+--- a/ccs.if
++++ b/ccs.if
+@@ -102,9 +102,13 @@ interface(`ccs_admin',`
+ type ccs_var_run_t, ccs_tmp_t;
+ ')
+
+- allow $1 ccs_t:process { ptrace signal_perms };
++ allow $1 ccs_t:process { signal_perms };
+ ps_process_pattern($1, ccs_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 ccs_t:process ptrace;
++ ')
+
-+/var/lib/callweaver(/.*)? gen_context(system_u:object_r:callweaver_var_lib_t,s0)
+ init_labeled_script_domtrans($1, ccs_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 ccs_initrc_exec_t system_r;
+diff --git a/ccs.te b/ccs.te
+index b85b53b..619a4c5 100644
+--- a/ccs.te
++++ b/ccs.te
+@@ -37,7 +37,7 @@ files_pid_file(ccs_var_run_t)
+
+ allow ccs_t self:capability { ipc_owner ipc_lock sys_nice sys_resource sys_admin };
+ allow ccs_t self:process { signal setrlimit setsched };
+-dontaudit ccs_t self:process ptrace;
+
-+/var/log/callweaver(/.*)? gen_context(system_u:object_r:callweaver_log_t,s0)
+ allow ccs_t self:fifo_file rw_fifo_file_perms;
+ allow ccs_t self:unix_stream_socket { accept connectto listen };
+ allow ccs_t self:tcp_socket { accept listen };
+@@ -75,7 +75,6 @@ kernel_read_kernel_sysctls(ccs_t)
+ corecmd_list_bin(ccs_t)
+ corecmd_exec_bin(ccs_t)
+
+-corenet_all_recvfrom_unlabeled(ccs_t)
+ corenet_all_recvfrom_netlabel(ccs_t)
+ corenet_tcp_sendrecv_generic_if(ccs_t)
+ corenet_udp_sendrecv_generic_if(ccs_t)
+@@ -99,11 +98,10 @@ files_read_etc_files(ccs_t)
+ files_read_etc_runtime_files(ccs_t)
+
+ init_rw_script_tmp_files(ccs_t)
++init_signal(ccs_t)
+
+ logging_send_syslog_msg(ccs_t)
+
+-miscfiles_read_localization(ccs_t)
+-
+ sysnet_dns_name_resolve(ccs_t)
+
+ userdom_manage_unpriv_user_shared_mem(ccs_t)
+diff --git a/cdrecord.te b/cdrecord.te
+index 55fb26a..e380b26 100644
+--- a/cdrecord.te
++++ b/cdrecord.te
+@@ -41,8 +41,6 @@ dev_read_sysfs(cdrecord_t)
+ domain_interactive_fd(cdrecord_t)
+ domain_use_interactive_fds(cdrecord_t)
+
+-files_read_etc_files(cdrecord_t)
+-
+ term_use_controlling_term(cdrecord_t)
+ term_list_ptys(cdrecord_t)
+
+@@ -52,8 +50,6 @@ storage_write_scsi_generic(cdrecord_t)
+
+ logging_send_syslog_msg(cdrecord_t)
+
+-miscfiles_read_localization(cdrecord_t)
+-
+ userdom_use_user_terminals(cdrecord_t)
+ userdom_read_user_home_content_files(cdrecord_t)
+
+@@ -104,11 +100,7 @@ tunable_policy(`cdrecord_read_content',`
+ userdom_dontaudit_read_user_home_content_files(cdrecord_t)
+ ')
+
+-tunable_policy(`use_nfs_home_dirs',`
+- files_search_mnt(cdrecord_t)
+- fs_read_nfs_files(cdrecord_t)
+- fs_read_nfs_symlinks(cdrecord_t)
+-')
++userdom_home_manager(cdrecord_t)
+
+ optional_policy(`
+ resmgr_stream_connect(cdrecord_t)
+diff --git a/certmaster.if b/certmaster.if
+index 0c53b18..ef29f6e 100644
+--- a/certmaster.if
++++ b/certmaster.if
+@@ -117,13 +117,16 @@ interface(`certmaster_manage_log',`
+ interface(`certmaster_admin',`
+ gen_require(`
+ type certmaster_t, certmaster_var_run_t, certmaster_var_lib_t;
+- type certmaster_etc_rw_t, certmaster_var_log_t;
+- type certmaster_initrc_exec_t;
++ type certmaster_etc_rw_t, certmaster_var_log_t, certmaster_initrc_exec_t;
+ ')
+
+- allow $1 certmaster_t:process { ptrace signal_perms };
++ allow $1 certmaster_t:process signal_perms;
+ ps_process_pattern($1, certmaster_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 certmaster_t:process ptrace;
++ ')
+
-+/var/run/callweaver(/.*)? gen_context(system_u:object_r:callweaver_var_run_t,s0)
+ init_labeled_script_domtrans($1, certmaster_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 certmaster_initrc_exec_t system_r;
+diff --git a/certmaster.te b/certmaster.te
+index bf82163..5397bb9 100644
+--- a/certmaster.te
++++ b/certmaster.te
+@@ -65,11 +65,8 @@ corenet_tcp_sendrecv_certmaster_port(certmaster_t)
+ dev_read_urand(certmaster_t)
+
+ files_list_var(certmaster_t)
+-files_search_etc(certmaster_t)
+-files_read_usr_files(certmaster_t)
+
+ auth_use_nsswitch(certmaster_t)
+
+-miscfiles_read_localization(certmaster_t)
+ miscfiles_manage_generic_cert_dirs(certmaster_t)
+ miscfiles_manage_generic_cert_files(certmaster_t)
+diff --git a/certmonger.fc b/certmonger.fc
+index ed298d8..cd8eb4d 100644
+--- a/certmonger.fc
++++ b/certmonger.fc
+@@ -2,6 +2,8 @@
+
+ /usr/sbin/certmonger -- gen_context(system_u:object_r:certmonger_exec_t,s0)
+
++/usr/lib/ipa/certmonger(/.*)? gen_context(system_u:object_r:certmonger_unconfined_exec_t,s0)
+
-+/var/spool/callweaver(/.*)? gen_context(system_u:object_r:callweaver_spool_t,s0)
-diff --git a/callweaver.if b/callweaver.if
-new file mode 100644
-index 0000000..e07d3b8
---- /dev/null
-+++ b/callweaver.if
-@@ -0,0 +1,362 @@
-+## <summary>Open source PBX project.</summary>
+ /var/lib/certmonger(/.*)? gen_context(system_u:object_r:certmonger_var_lib_t,s0)
+
+ /var/run/certmonger.* gen_context(system_u:object_r:certmonger_var_run_t,s0)
+diff --git a/certmonger.if b/certmonger.if
+index 008f8ef..144c074 100644
+--- a/certmonger.if
++++ b/certmonger.if
+@@ -160,16 +160,20 @@ interface(`certmonger_admin',`
+ ')
+
+ ps_process_pattern($1, certmonger_t)
+- allow $1 certmonger_t:process { ptrace signal_perms };
++ allow $1 certmonger_t:process signal_perms;
+
-+########################################
-+## <summary>
-+## Execute callweaver in the
-+## callweaver domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed to transition.
-+## </summary>
-+## </param>
-+#
-+interface(`callweaver_domtrans',`
-+ gen_require(`
-+ type callweaver_t, callweaver_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, callweaver_exec_t, callweaver_t)
-+')
-+
-+########################################
-+## <summary>
-+## Execute callweaver in the
-+## callers domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`callweaver_exec',`
-+ gen_require(`
-+ type callweaver_exec_t;
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 certmonger_t:process ptrace;
+ ')
+
+ certmonger_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 certmonger_initrc_exec_t system_r;
+ allow $2 system_r;
+
+- files_search_var_lib($1)
++ files_list_var_lib($1)
+ admin_pattern($1, certmonger_var_lib_t)
+
+- files_search_pids($1)
++ files_list_pids($1)
+ admin_pattern($1, certmonger_var_run_t)
+ ')
+diff --git a/certmonger.te b/certmonger.te
+index 2354e21..1bb3f10 100644
+--- a/certmonger.te
++++ b/certmonger.te
+@@ -18,6 +18,9 @@ files_type(certmonger_var_lib_t)
+ type certmonger_var_run_t;
+ files_pid_file(certmonger_var_run_t)
+
++type certmonger_unconfined_exec_t;
++application_executable_file(certmonger_unconfined_exec_t)
+
-+ corecmd_search_bin($1)
-+ can_exec($1, callweaver_exec_t)
+ ########################################
+ #
+ # Local policy
+@@ -26,10 +29,12 @@ files_pid_file(certmonger_var_run_t)
+ allow certmonger_t self:capability { dac_override dac_read_search setgid setuid kill sys_nice };
+ dontaudit certmonger_t self:capability sys_tty_config;
+ allow certmonger_t self:capability2 block_suspend;
++
+ allow certmonger_t self:process { getsched setsched sigkill signal };
+-allow certmonger_t self:fifo_file rw_fifo_file_perms;
+-allow certmonger_t self:unix_stream_socket { accept listen };
+-allow certmonger_t self:tcp_socket { accept listen };
++allow certmonger_t self:fifo_file rw_file_perms;
++allow certmonger_t self:unix_stream_socket create_stream_socket_perms;
++allow certmonger_t self:tcp_socket create_stream_socket_perms;
++allow certmonger_t self:netlink_route_socket r_netlink_socket_perms;
+
+ manage_dirs_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
+ manage_files_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
+@@ -49,16 +54,21 @@ corenet_tcp_sendrecv_generic_node(certmonger_t)
+
+ corenet_sendrecv_certmaster_client_packets(certmonger_t)
+ corenet_tcp_connect_certmaster_port(certmonger_t)
++
++corenet_tcp_connect_http_port(certmonger_t)
++corenet_tcp_connect_http_cache_port(certmonger_t)
++
++corenet_tcp_connect_pki_ca_port(certmonger_t)
+ corenet_tcp_sendrecv_certmaster_port(certmonger_t)
+
+ corecmd_exec_bin(certmonger_t)
+ corecmd_exec_shell(certmonger_t)
+
++dev_read_rand(certmonger_t)
+ dev_read_urand(certmonger_t)
+
+ domain_use_interactive_fds(certmonger_t)
+
+-files_read_usr_files(certmonger_t)
+ files_list_tmp(certmonger_t)
+
+ fs_search_cgroup_dirs(certmonger_t)
+@@ -70,16 +80,17 @@ init_getattr_all_script_files(certmonger_t)
+
+ logging_send_syslog_msg(certmonger_t)
+
+-miscfiles_read_localization(certmonger_t)
+ miscfiles_manage_generic_cert_files(certmonger_t)
+
++systemd_exec_systemctl(certmonger_t)
++
+ userdom_search_user_home_content(certmonger_t)
+
+ optional_policy(`
+- apache_initrc_domtrans(certmonger_t)
+ apache_search_config(certmonger_t)
+ apache_signal(certmonger_t)
+ apache_signull(certmonger_t)
++ apache_systemctl(certmonger_t)
+ ')
+
+ optional_policy(`
+@@ -92,11 +103,47 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- kerberos_read_keytab(certmonger_t)
++ dirsrv_manage_config(certmonger_t)
++ dirsrv_signal(certmonger_t)
++ dirsrv_signull(certmonger_t)
+')
+
-+########################################
-+## <summary>
-+## Execute callweaver in the
-+## callweaver domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed to transition.
-+## </summary>
-+## </param>
-+#
-+interface(`callweaver_initrc_domtrans',`
-+ gen_require(`
-+ type callweaver_initrc_exec_t;
-+ ')
++optional_policy(`
+ kerberos_use(certmonger_t)
++ kerberos_read_keytab(certmonger_t)
+ ')
+
+ optional_policy(`
++ pcscd_read_pub_files(certmonger_t)
+ pcscd_read_pid_files(certmonger_t)
+ pcscd_stream_connect(certmonger_t)
+ ')
+
-+ init_labeled_script_domtrans($1, callweaver_initrc_exec_t)
++optional_policy(`
++ pki_rw_tomcat_cert(certmonger_t)
+')
+
+########################################
-+## <summary>
-+## Read callweaver log files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
+#
-+interface(`callweaver_read_log',`
-+ gen_require(`
-+ type callweaver_log_t;
-+ ')
++# certmonger_unconfined_script_t local policy
++#
+
-+ logging_search_logs($1)
-+ read_files_pattern($1, callweaver_log_t, callweaver_log_t)
++optional_policy(`
++ type certmonger_unconfined_t;
++ domain_type(certmonger_unconfined_t)
++
++ domain_entry_file(certmonger_unconfined_t, certmonger_unconfined_exec_t)
++ role system_r types certmonger_unconfined_t;
++
++ domtrans_pattern(certmonger_t, certmonger_unconfined_exec_t, certmonger_unconfined_t)
++
++ unconfined_domain(certmonger_unconfined_t)
++
++ allow certmonger_t certmonger_unconfined_exec_t:dir search_dir_perms;
++ allow certmonger_t certmonger_unconfined_exec_t:dir read_file_perms;
++ allow certmonger_t certmonger_unconfined_exec_t:file ioctl;
++
++ init_domtrans_script(certmonger_unconfined_t)
++
++ unconfined_domain(certmonger_unconfined_t)
+')
+diff --git a/certwatch.te b/certwatch.te
+index 403af41..fd3cbaf 100644
+--- a/certwatch.te
++++ b/certwatch.te
+@@ -21,25 +21,24 @@ role certwatch_roles types certwatch_t;
+ allow certwatch_t self:capability sys_nice;
+ allow certwatch_t self:process { setsched getsched };
+
++dev_read_rand(certwatch_t)
+ dev_read_urand(certwatch_t)
+
+-files_read_etc_files(certwatch_t)
+-files_read_usr_files(certwatch_t)
+ files_read_usr_symlinks(certwatch_t)
+ files_list_tmp(certwatch_t)
+
+ fs_list_inotifyfs(certwatch_t)
+
+ auth_manage_cache(certwatch_t)
++auth_read_passwd(certwatch_t)
+ auth_var_filetrans_cache(certwatch_t)
+
+ logging_send_syslog_msg(certwatch_t)
+
+ miscfiles_read_all_certs(certwatch_t)
+-miscfiles_read_localization(certwatch_t)
+
+-userdom_use_user_terminals(certwatch_t)
+-userdom_dontaudit_list_user_home_dirs(certwatch_t)
++userdom_use_inherited_user_terminals(certwatch_t)
++userdom_dontaudit_list_admin_dir(certwatch_t)
+
+ optional_policy(`
+ apache_exec_modules(certwatch_t)
+diff --git a/cfengine.if b/cfengine.if
+index a731122..5279d4e 100644
+--- a/cfengine.if
++++ b/cfengine.if
+@@ -13,7 +13,6 @@
+ template(`cfengine_domain_template',`
+ gen_require(`
+ attribute cfengine_domain;
+- type cfengine_log_t, cfengine_var_lib_t;
+ ')
+
+ ########################################
+@@ -30,7 +29,29 @@ template(`cfengine_domain_template',`
+ # Policy
+ #
+
++ kernel_read_system_state(cfengine_$1_t)
+
-+########################################
-+## <summary>
-+## Append to callweaver log files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`callweaver_append_log',`
-+ gen_require(`
-+ type callweaver_log_t;
-+ ')
+ auth_use_nsswitch(cfengine_$1_t)
+
-+ logging_search_logs($1)
-+ append_files_pattern($1, callweaver_log_t, callweaver_log_t)
++ logging_send_syslog_msg(cfengine_$1_t)
+')
+
-+########################################
++######################################
+## <summary>
-+## Manage callweaver log files
++## Search cfengine lib files.
+## </summary>
+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
++## <summary>
++## Domain allowed access.
++## </summary>
+## </param>
+#
-+interface(`callweaver_manage_log',`
++interface(`cfengine_search_lib_files',`
+ gen_require(`
-+ type callweaver_log_t;
++ type cfengine_var_lib_t;
+ ')
+
-+ logging_search_logs($1)
-+ manage_dirs_pattern($1, callweaver_log_t, callweaver_log_t)
-+ manage_files_pattern($1, callweaver_log_t, callweaver_log_t)
-+ manage_lnk_files_pattern($1, callweaver_log_t, callweaver_log_t)
-+')
-+
-+########################################
++ allow $1 cfengine_var_lib_t:dir search_dir_perms;
+ ')
+
+ ########################################
+@@ -71,6 +92,43 @@ interface(`cfengine_dontaudit_write_log_files',`
+ dontaudit $1 cfengine_var_log_t:file write_file_perms;
+ ')
+
++#####################################
+## <summary>
-+## Search callweaver lib directories.
++## Allow the specified domain to append cfengine's log files.
+## </summary>
+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
++## <summary>
++## Domain allowed access.
++## </summary>
+## </param>
+#
-+interface(`callweaver_search_lib',`
-+ gen_require(`
-+ type callweaver_var_lib_t;
-+ ')
++interface(`cfengine_append_inherited_log',`
++ gen_require(`
++ type cfengine_var_log_t;
++ ')
+
-+ allow $1 callweaver_var_lib_t:dir search_dir_perms;
-+ files_search_var_lib($1)
++ cfengine_search_lib_files($1)
++ allow $1 cfengine_var_log_t:file { getattr append ioctl lock };
+')
+
-+########################################
++####################################
+## <summary>
-+## Read callweaver lib files.
++## Dontaudit the specified domain to write cfengine's log files.
+## </summary>
+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
++## <summary>
++## Domain allowed access.
++## </summary>
+## </param>
+#
-+interface(`callweaver_read_lib_files',`
-+ gen_require(`
-+ type callweaver_var_lib_t;
-+ ')
++interface(`cfengine_dontaudit_write_log',`
++ gen_require(`
++ type cfengine_var_log_t;
++ ')
+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, callweaver_var_lib_t, callweaver_var_lib_t)
++ dontaudit $1 cfengine_var_log_t:file write;
+')
+
-+########################################
-+## <summary>
-+## Manage callweaver lib files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`callweaver_manage_lib_files',`
-+ gen_require(`
-+ type callweaver_var_lib_t;
+ ########################################
+ ## <summary>
+ ## All of the rules required to
+@@ -94,7 +152,7 @@ interface(`cfengine_admin',`
+ type cfengine_initrc_exec_t, cfengine_log_t, cfengine_var_lib_t;
+ ')
+
+- allow $1 cfengine_domain:process { ptrace signal_perms };
++ allow $1 cfengine_domain:process { signal_perms };
+ ps_process_pattern($1, cfengine_domain)
+
+ init_labeled_script_domtrans($1, cfengine_initrc_exec_t)
+@@ -105,3 +163,4 @@ interface(`cfengine_admin',`
+ files_search_var_lib($1)
+ admin_pattern($1, { cfengine_log_t cfengine_var_lib_t })
+ ')
++
+diff --git a/cfengine.te b/cfengine.te
+index 8af5bbe..168f01f 100644
+--- a/cfengine.te
++++ b/cfengine.te
+@@ -41,18 +41,13 @@ create_files_pattern(cfengine_domain, cfengine_log_t, cfengine_log_t)
+ setattr_files_pattern(cfengine_domain, cfengine_log_t, cfengine_log_t)
+ logging_log_filetrans(cfengine_domain, cfengine_log_t, dir)
+
+-kernel_read_system_state(cfengine_domain)
+-
+ corecmd_exec_bin(cfengine_domain)
+ corecmd_exec_shell(cfengine_domain)
+
+ dev_read_urand(cfengine_domain)
+ dev_read_sysfs(cfengine_domain)
+
+-logging_send_syslog_msg(cfengine_domain)
+-
+-miscfiles_read_localization(cfengine_domain)
+-
++sysnet_dns_name_resolve(cfengine_domain)
+ sysnet_domtrans_ifconfig(cfengine_domain)
+
+ ########################################
+diff --git a/cgroup.if b/cgroup.if
+index 85ca63f..1d1c99c 100644
+--- a/cgroup.if
++++ b/cgroup.if
+@@ -171,8 +171,26 @@ interface(`cgroup_admin',`
+ type cgrules_etc_t, cgclear_t;
+ ')
+
+- allow $1 { cgclear_t cgconfig_t cgred_t }:process { ptrace signal_perms };
+- ps_process_pattern($1, { cgclear_t cgconfig_t cgred_t })
++ allow $1 cgclear_t:process signal_perms;
++ ps_process_pattern($1, cgclear_t)
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 cgclear_t:process ptrace;
+ ')
+
-+ files_search_var_lib($1)
-+ manage_files_pattern($1, callweaver_var_lib_t, callweaver_var_lib_t)
-+')
++ allow $1 cgconfig_t:process signal_perms;
++ ps_process_pattern($1, cgconfig_t)
+
-+########################################
-+## <summary>
-+## Manage callweaver lib directories.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`callweaver_manage_lib_dirs',`
-+ gen_require(`
-+ type callweaver_var_lib_t;
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 cgconfig_t:process ptrace;
+ ')
+
-+ files_search_var_lib($1)
-+ manage_dirs_pattern($1, callweaver_var_lib_t, callweaver_var_lib_t)
-+')
++ allow $1 cgred_t:process signal_perms;
++ ps_process_pattern($1, cgred_t)
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 cgred_t:process ptrace;
++ ')
+
+ admin_pattern($1, { cgconfig_etc_t cgrules_etc_t })
+ files_list_etc($1)
+diff --git a/cgroup.te b/cgroup.te
+index fdee107..18cf736 100644
+--- a/cgroup.te
++++ b/cgroup.te
+@@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t)
+ type cgrules_etc_t;
+ files_config_file(cgrules_etc_t)
+
+-type cgconfig_t;
+-type cgconfig_exec_t;
++type cgconfig_t alias cgconfigparser_t;
++type cgconfig_exec_t alias cgconfigparser_exec_t;
+ init_daemon_domain(cgconfig_t, cgconfig_exec_t)
+
+ type cgconfig_initrc_exec_t;
+@@ -42,10 +42,12 @@ files_config_file(cgconfig_etc_t)
+
+ allow cgclear_t self:capability { dac_read_search dac_override sys_admin };
+
+-allow cgclear_t cgconfig_etc_t:file read_file_perms;
++read_files_pattern(cgclear_t, cgconfig_etc_t, cgconfig_etc_t)
+
+ kernel_read_system_state(cgclear_t)
+
++auth_use_nsswitch(cgclear_t)
++
+ domain_setpriority_all_domains(cgclear_t)
+
+ fs_manage_cgroup_dirs(cgclear_t)
+@@ -64,20 +66,21 @@ allow cgconfig_t cgconfig_etc_t:file read_file_perms;
+ kernel_list_unlabeled(cgconfig_t)
+ kernel_read_system_state(cgconfig_t)
+
+-files_read_etc_files(cgconfig_t)
+-
+ fs_manage_cgroup_dirs(cgconfig_t)
+ fs_manage_cgroup_files(cgconfig_t)
+ fs_mount_cgroup(cgconfig_t)
+ fs_mounton_cgroup(cgconfig_t)
+ fs_unmount_cgroup(cgconfig_t)
+
++auth_use_nsswitch(cgconfig_t)
++
+ ########################################
+ #
+ # cgred local policy
+ #
+
+-allow cgred_t self:capability { chown fsetid net_admin sys_admin sys_ptrace dac_override };
++allow cgred_t self:capability { chown fsetid net_admin sys_admin dac_override sys_ptrace };
++
+ allow cgred_t self:netlink_socket { write bind create read };
+ allow cgred_t self:unix_dgram_socket { write create connect };
+
+@@ -92,6 +95,7 @@ files_pid_filetrans(cgred_t, cgred_var_run_t, { file sock_file })
+
+ kernel_read_all_sysctls(cgred_t)
+ kernel_read_system_state(cgred_t)
++kernel_read_all_sysctls(cgred_t)
+
+ domain_read_all_domains_state(cgred_t)
+ domain_setpriority_all_domains(cgred_t)
+@@ -99,10 +103,9 @@ domain_setpriority_all_domains(cgred_t)
+ files_getattr_all_files(cgred_t)
+ files_getattr_all_sockets(cgred_t)
+ files_read_all_symlinks(cgred_t)
+-files_read_etc_files(cgred_t)
+
+ fs_write_cgroup_files(cgred_t)
+
+-logging_send_syslog_msg(cgred_t)
++auth_use_nsswitch(cgred_t)
+
+-miscfiles_read_localization(cgred_t)
++logging_send_syslog_msg(cgred_t)
+diff --git a/chrome.fc b/chrome.fc
+new file mode 100644
+index 0000000..88107d7
+--- /dev/null
++++ b/chrome.fc
+@@ -0,0 +1,6 @@
++/opt/google/chrome/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
++
++/usr/lib/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
+
++/opt/google/chrome/nacl_helper_bootstrap -- gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0)
++/usr/lib/chromium-browser/nacl_helper_bootstrap -- gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0)
+diff --git a/chrome.if b/chrome.if
+new file mode 100644
+index 0000000..efebae7
+--- /dev/null
++++ b/chrome.if
+@@ -0,0 +1,134 @@
++
++## <summary>policy for chrome</summary>
+
+########################################
+## <summary>
-+## Read callweaver PID files.
++## Execute a domain transition to run chrome_sandbox.
+## </summary>
+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
++## <summary>
++## Domain allowed to transition.
++## </summary>
+## </param>
+#
-+interface(`callweaver_read_pid_files',`
++interface(`chrome_domtrans_sandbox',`
+ gen_require(`
-+ type callweaver_var_run_t;
++ type chrome_sandbox_t, chrome_sandbox_exec_t;
+ ')
+
-+ files_search_pids($1)
-+ allow $1 callweaver_var_run_t:file read_file_perms;
++ domtrans_pattern($1, chrome_sandbox_exec_t, chrome_sandbox_t)
++ ps_process_pattern(chrome_sandbox_t, $1)
++
++ allow $1 chrome_sandbox_t:fd use;
++
++ ifdef(`hide_broken_symptoms',`
++ fs_dontaudit_rw_anon_inodefs_files(chrome_sandbox_t)
++ ')
+')
+
++
+########################################
+## <summary>
-+## Connect to callweaver over a unix stream socket.
++## Execute chrome_sandbox in the chrome_sandbox domain, and
++## allow the specified role the chrome_sandbox domain.
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain allowed access.
++## Domain allowed access
+## </summary>
+## </param>
-+#
-+interface(`callweaver_stream_connect',`
-+ gen_require(`
-+ type callweaver_t, callweaver_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ stream_connect_pattern($1, callweaver_var_run_t, callweaver_var_run_t, callweaver_t)
-+')
-+
-+########################################
-+## <summary>
-+## Search callweaver spool directories.
-+## </summary>
-+## <param name="domain">
++## <param name="role">
+## <summary>
-+## Domain allowed access.
++## The role to be allowed the chrome_sandbox domain.
+## </summary>
+## </param>
+#
-+interface(`callweaver_search_spool',`
++interface(`chrome_run_sandbox',`
+ gen_require(`
-+ type callweaver_spool_t;
++ type chrome_sandbox_t;
++ type chrome_sandbox_nacl_t;
+ ')
+
-+ allow $1 callweaver_spool_t:dir search_dir_perms;
-+ files_search_spool($1)
++ chrome_domtrans_sandbox($1)
++ role $2 types chrome_sandbox_t;
++ role $2 types chrome_sandbox_nacl_t;
+')
+
+########################################
+## <summary>
-+## Read callweaver spool files.
++## Role access for chrome sandbox
+## </summary>
-+## <param name="domain">
++## <param name="role">
+## <summary>
-+## Domain allowed access.
++## Role allowed access
+## </summary>
+## </param>
-+#
-+interface(`callweaver_read_spool_files',`
-+ gen_require(`
-+ type callweaver_spool_t;
-+ ')
-+
-+ files_search_spool($1)
-+ read_files_pattern($1, callweaver_spool_t, callweaver_spool_t)
-+')
-+
-+########################################
-+## <summary>
-+## Manage callweaver spool files.
-+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain allowed access.
++## User domain for the role
+## </summary>
+## </param>
+#
-+interface(`callweaver_manage_spool_files',`
++interface(`chrome_role_notrans',`
+ gen_require(`
-+ type callweaver_spool_t;
++ type chrome_sandbox_t;
++ type chrome_sandbox_tmpfs_t;
++ type chrome_sandbox_nacl_t;
+ ')
+
-+ files_search_spool($1)
-+ manage_files_pattern($1, callweaver_spool_t, callweaver_spool_t)
++ role $1 types chrome_sandbox_t;
++ role $1 types chrome_sandbox_nacl_t;
++
++ ps_process_pattern($2, chrome_sandbox_t)
++ allow $2 chrome_sandbox_t:process signal_perms;
++
++ allow chrome_sandbox_t $2:unix_dgram_socket { read write };
++ allow $2 chrome_sandbox_t:unix_dgram_socket { read write };
++ allow chrome_sandbox_t $2:unix_stream_socket { getattr read write };
++ dontaudit chrome_sandbox_t $2:unix_stream_socket shutdown;
++ allow chrome_sandbox_nacl_t $2:unix_stream_socket { getattr read write };
++ allow $2 chrome_sandbox_nacl_t:unix_stream_socket { getattr read write };
++ allow $2 chrome_sandbox_t:unix_stream_socket { getattr read write };
++
++ allow $2 chrome_sandbox_t:shm rw_shm_perms;
++
++ allow $2 chrome_sandbox_tmpfs_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
-+## Manage callweaver spool dirs.
++## Role access for chrome sandbox
+## </summary>
++## <param name="role">
++## <summary>
++## Role allowed access
++## </summary>
++## </param>
+## <param name="domain">
+## <summary>
-+## Domain allowed access.
++## User domain for the role
+## </summary>
+## </param>
+#
-+interface(`callweaver_manage_spool_dirs',`
-+ gen_require(`
-+ type callweaver_spool_t;
-+ ')
-+
-+ files_search_spool($1)
-+ manage_dirs_pattern($1, callweaver_spool_t, callweaver_spool_t)
++interface(`chrome_role',`
++ chrome_role_notrans($1, $2)
++ chrome_domtrans_sandbox($2)
+')
+
+########################################
+## <summary>
-+## All of the rules required to administrate
-+## an callweaver environment
++## Dontaudit read/write to a chrome_sandbox leaks
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <param name="role">
-+## <summary>
-+## Role allowed access.
++## Domain to not audit.
+## </summary>
+## </param>
-+## <rolecap/>
+#
-+interface(`callweaver_admin',`
++interface(`chrome_dontaudit_sandbox_leaks',`
+ gen_require(`
-+ type callweaver_t;
-+ type callweaver_initrc_exec_t;
-+ type callweaver_log_t;
-+ type callweaver_var_lib_t;
-+ type callweaver_var_run_t;
-+ type callweaver_spool_t;
-+ ')
-+
-+ allow $1 callweaver_t:process signal_perms;
-+ ps_process_pattern($1, callweaver_t)
-+
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 callweaver_t:process ptrace;
++ type chrome_sandbox_t;
+ ')
+
-+ callweaver_initrc_domtrans($1)
-+ domain_system_change_exemption($1)
-+ role_transition $2 callweaver_initrc_exec_t system_r;
-+ allow $2 system_r;
-+
-+ logging_search_logs($1)
-+ admin_pattern($1, callweaver_log_t)
-+
-+ files_search_var_lib($1)
-+ admin_pattern($1, callweaver_var_lib_t)
-+
-+ files_search_pids($1)
-+ admin_pattern($1, callweaver_var_run_t)
-+
-+ files_search_spool($1)
-+ admin_pattern($1, callweaver_spool_t)
++ dontaudit $1 chrome_sandbox_t:unix_stream_socket { read write };
+')
-diff --git a/callweaver.te b/callweaver.te
+diff --git a/chrome.te b/chrome.te
new file mode 100644
-index 0000000..978f92f
+index 0000000..0ce7275
--- /dev/null
-+++ b/callweaver.te
-@@ -0,0 +1,75 @@
-+policy_module(callweaver,1.0.0)
++++ b/chrome.te
+@@ -0,0 +1,197 @@
++policy_module(chrome,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
-+type callweaver_t;
-+type callweaver_exec_t;
-+init_daemon_domain(callweaver_t, callweaver_exec_t)
-+
-+type callweaver_initrc_exec_t;
-+init_script_file(callweaver_initrc_exec_t)
-+
-+type callweaver_log_t;
-+logging_log_file(callweaver_log_t)
++type chrome_sandbox_t;
++type chrome_sandbox_exec_t;
++application_domain(chrome_sandbox_t, chrome_sandbox_exec_t)
++role system_r types chrome_sandbox_t;
++ubac_constrained(chrome_sandbox_t)
+
-+type callweaver_var_lib_t;
-+files_type(callweaver_var_lib_t)
++type chrome_sandbox_tmp_t;
++files_tmp_file(chrome_sandbox_tmp_t)
+
-+type callweaver_var_run_t;
-+files_pid_file(callweaver_var_run_t)
++type chrome_sandbox_tmpfs_t;
++files_tmpfs_file(chrome_sandbox_tmpfs_t)
++ubac_constrained(chrome_sandbox_tmpfs_t)
+
-+type callweaver_spool_t;
-+files_spool_file(callweaver_spool_t)
++type chrome_sandbox_nacl_t;
++type chrome_sandbox_nacl_exec_t;
++application_domain(chrome_sandbox_nacl_t, chrome_sandbox_nacl_exec_t)
++role system_r types chrome_sandbox_nacl_t;
++ubac_constrained(chrome_sandbox_nacl_t)
+
+########################################
+#
-+# callweaver local policy
++# chrome_sandbox local policy
+#
++allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot sys_ptrace };
++allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack };
++allow chrome_sandbox_t self:process setsched;
++allow chrome_sandbox_t self:fifo_file manage_fifo_file_perms;
++allow chrome_sandbox_t self:unix_stream_socket create_stream_socket_perms;
++allow chrome_sandbox_t self:unix_dgram_socket { create_socket_perms sendto };
++allow chrome_sandbox_t self:shm create_shm_perms;
++allow chrome_sandbox_t self:sem create_sem_perms;
++allow chrome_sandbox_t self:msgq create_msgq_perms;
++allow chrome_sandbox_t self:netlink_route_socket r_netlink_socket_perms;
++dontaudit chrome_sandbox_t self:memprotect mmap_zero;
+
-+allow callweaver_t self:capability { setuid sys_nice setgid };
-+allow callweaver_t self:process { setsched signal };
-+allow callweaver_t self:fifo_file rw_fifo_file_perms;
-+allow callweaver_t self:unix_stream_socket create_stream_socket_perms;
-+
-+manage_dirs_pattern(callweaver_t, callweaver_log_t, callweaver_log_t)
-+manage_files_pattern(callweaver_t, callweaver_log_t, callweaver_log_t)
-+logging_log_filetrans(callweaver_t, callweaver_log_t, { dir file } )
-+
-+manage_dirs_pattern(callweaver_t, callweaver_var_lib_t, callweaver_var_lib_t)
-+manage_files_pattern(callweaver_t, callweaver_var_lib_t, callweaver_var_lib_t)
-+files_var_lib_filetrans(callweaver_t, callweaver_var_lib_t, { dir file } )
++manage_dirs_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t)
++manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t)
++files_tmp_filetrans(chrome_sandbox_t, chrome_sandbox_tmp_t, { dir file })
+
-+manage_dirs_pattern(callweaver_t, callweaver_var_run_t, callweaver_var_run_t)
-+manage_files_pattern(callweaver_t, callweaver_var_run_t, callweaver_var_run_t)
-+manage_sock_files_pattern(callweaver_t, callweaver_var_run_t, callweaver_var_run_t)
-+files_pid_filetrans(callweaver_t, callweaver_var_run_t, { dir file sock_file })
++manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t)
++fs_tmpfs_filetrans(chrome_sandbox_t, chrome_sandbox_tmpfs_t, file)
+
-+manage_dirs_pattern(callweaver_t, callweaver_spool_t, callweaver_spool_t)
-+manage_files_pattern(callweaver_t, callweaver_spool_t, callweaver_spool_t)
-+manage_lnk_files_pattern(callweaver_t, callweaver_spool_t, callweaver_spool_t)
-+files_spool_filetrans(callweaver_t, callweaver_spool_t, { dir file })
++kernel_read_system_state(chrome_sandbox_t)
++kernel_read_kernel_sysctls(chrome_sandbox_t)
+
-+allow callweaver_t self:tcp_socket create_stream_socket_perms;
-+allow callweaver_t self:udp_socket create_socket_perms;
++fs_manage_cgroup_dirs(chrome_sandbox_t)
++fs_manage_cgroup_files(chrome_sandbox_t)
++fs_read_dos_files(chrome_sandbox_t)
++fs_read_hugetlbfs_files(chrome_sandbox_t)
+
-+kernel_read_sysctl(callweaver_t)
-+kernel_read_kernel_sysctls(callweaver_t)
++corecmd_exec_bin(chrome_sandbox_t)
+
-+corenet_udp_bind_asterisk_port(callweaver_t)
-+corenet_udp_bind_generic_port(callweaver_t)
-+corenet_udp_bind_sip_port(callweaver_t)
++corenet_all_recvfrom_netlabel(chrome_sandbox_t)
++corenet_tcp_connect_asterisk_port(chrome_sandbox_t)
++corenet_tcp_connect_flash_port(chrome_sandbox_t)
++corenet_tcp_connect_ms_streaming_port(chrome_sandbox_t)
++corenet_tcp_connect_rtsp_port(chrome_sandbox_t)
++corenet_tcp_connect_pulseaudio_port(chrome_sandbox_t)
++corenet_tcp_connect_http_port(chrome_sandbox_t)
++corenet_tcp_connect_http_cache_port(chrome_sandbox_t)
++corenet_tcp_connect_msnp_port(chrome_sandbox_t)
++corenet_tcp_connect_squid_port(chrome_sandbox_t)
++corenet_tcp_connect_tor_port(chrome_sandbox_t)
++corenet_tcp_sendrecv_generic_if(chrome_sandbox_t)
++corenet_tcp_sendrecv_generic_node(chrome_sandbox_t)
++corenet_tcp_connect_ipp_port(chrome_sandbox_t)
++corenet_tcp_connect_speech_port(chrome_sandbox_t)
+
-+dev_manage_generic_symlinks(callweaver_t)
++domain_dontaudit_read_all_domains_state(chrome_sandbox_t)
+
-+domain_use_interactive_fds(callweaver_t)
++dev_read_urand(chrome_sandbox_t)
++dev_read_sysfs(chrome_sandbox_t)
++dev_rwx_zero(chrome_sandbox_t)
++dev_dontaudit_getattr_all_chr_files(chrome_sandbox_t)
+
++files_read_etc_files(chrome_sandbox_t)
++files_read_usr_files(chrome_sandbox_t)
+
-+term_getattr_pty_fs(callweaver_t)
-+term_use_generic_ptys(callweaver_t)
-+term_use_ptmx(callweaver_t)
++fs_dontaudit_getattr_all_fs(chrome_sandbox_t)
+
-+auth_use_nsswitch(callweaver_t)
++userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_t)
++userdom_execute_user_tmpfs_files(chrome_sandbox_t)
+
-diff --git a/canna.fc b/canna.fc
-index 5432d0e..f77df02 100644
---- a/canna.fc
-+++ b/canna.fc
-@@ -20,4 +20,4 @@
-
- /var/run/\.iroha_unix -d gen_context(system_u:object_r:canna_var_run_t,s0)
- /var/run/\.iroha_unix/.* -s gen_context(system_u:object_r:canna_var_run_t,s0)
--/var/run/wnn-unix(/.*) gen_context(system_u:object_r:canna_var_run_t,s0)
-+/var/run/wnn-unix(/.*)? gen_context(system_u:object_r:canna_var_run_t,s0)
-diff --git a/canna.if b/canna.if
-index 4a26b0c..00b64dc 100644
---- a/canna.if
-+++ b/canna.if
-@@ -42,9 +42,13 @@ interface(`canna_admin',`
- type canna_var_run_t, canna_initrc_exec_t;
- ')
-
-- allow $1 canna_t:process { ptrace signal_perms };
-+ allow $1 canna_t:process signal_perms;
- ps_process_pattern($1, canna_t)
-
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 canna_t:process ptrace;
-+ ')
++userdom_use_user_ptys(chrome_sandbox_t)
++userdom_write_inherited_user_tmp_files(chrome_sandbox_t)
++userdom_read_inherited_user_home_content_files(chrome_sandbox_t)
++userdom_dontaudit_use_user_terminals(chrome_sandbox_t)
++userdom_search_user_home_content(chrome_sandbox_t)
++# This one we should figure a way to make it more secure
++userdom_manage_home_certs(chrome_sandbox_t)
+
- init_labeled_script_domtrans($1, canna_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 canna_initrc_exec_t system_r;
-diff --git a/canna.te b/canna.te
-index 1d25efe..910b94c 100644
---- a/canna.te
-+++ b/canna.te
-@@ -34,7 +34,7 @@ allow canna_t self:unix_dgram_socket create_stream_socket_perms;
- allow canna_t self:tcp_socket create_stream_socket_perms;
-
- manage_files_pattern(canna_t, canna_log_t, canna_log_t)
--allow canna_t canna_log_t:dir setattr;
-+allow canna_t canna_log_t:dir setattr_dir_perms;
- logging_log_filetrans(canna_t, canna_log_t, { file dir })
-
- manage_dirs_pattern(canna_t, canna_var_lib_t, canna_var_lib_t)
-@@ -50,7 +50,6 @@ files_pid_filetrans(canna_t, canna_var_run_t, { dir file sock_file })
- kernel_read_kernel_sysctls(canna_t)
- kernel_read_system_state(canna_t)
-
--corenet_all_recvfrom_unlabeled(canna_t)
- corenet_all_recvfrom_netlabel(canna_t)
- corenet_tcp_sendrecv_generic_if(canna_t)
- corenet_tcp_sendrecv_generic_node(canna_t)
-@@ -73,8 +72,6 @@ files_dontaudit_read_root_files(canna_t)
-
- logging_send_syslog_msg(canna_t)
-
--miscfiles_read_localization(canna_t)
--
- sysnet_read_config(canna_t)
-
- userdom_dontaudit_use_unpriv_user_fds(canna_t)
-diff --git a/ccs.fc b/ccs.fc
-index 8a7177d..bc4f6e7 100644
---- a/ccs.fc
-+++ b/ccs.fc
-@@ -2,5 +2,7 @@
-
- /sbin/ccsd -- gen_context(system_u:object_r:ccs_exec_t,s0)
-
-+/usr/sbin/ccsd -- gen_context(system_u:object_r:ccs_exec_t,s0)
++miscfiles_read_fonts(chrome_sandbox_t)
+
- /var/run/cluster/ccsd\.pid -- gen_context(system_u:object_r:ccs_var_run_t,s0)
- /var/run/cluster/ccsd\.sock -s gen_context(system_u:object_r:ccs_var_run_t,s0)
-diff --git a/ccs.te b/ccs.te
-index 4c90b57..30265d4 100644
---- a/ccs.te
-+++ b/ccs.te
-@@ -10,7 +10,7 @@ type ccs_exec_t;
- init_daemon_domain(ccs_t, ccs_exec_t)
-
- type cluster_conf_t;
--files_type(cluster_conf_t)
-+files_config_file(cluster_conf_t)
-
- type ccs_tmp_t;
- files_tmp_file(ccs_tmp_t)
-@@ -34,7 +34,7 @@ files_pid_file(ccs_var_run_t)
-
- allow ccs_t self:capability { ipc_owner ipc_lock sys_nice sys_resource sys_admin };
- allow ccs_t self:process { signal setrlimit setsched };
--dontaudit ccs_t self:process ptrace;
++sysnet_dns_name_resolve(chrome_sandbox_t)
+
- allow ccs_t self:fifo_file rw_fifo_file_perms;
- allow ccs_t self:unix_stream_socket { connectto create_stream_socket_perms };
- allow ccs_t self:unix_dgram_socket create_socket_perms;
-@@ -61,7 +61,7 @@ manage_dirs_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t)
- manage_files_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t)
- files_var_lib_filetrans(ccs_t, ccs_var_lib_t, { file dir })
-
--allow ccs_t ccs_var_log_t:dir setattr;
-+allow ccs_t ccs_var_log_t:dir setattr_dir_perms;
- manage_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
- manage_sock_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
- logging_log_filetrans(ccs_t, ccs_var_log_t, { sock_file file dir })
-@@ -77,7 +77,6 @@ kernel_read_kernel_sysctls(ccs_t)
- corecmd_list_bin(ccs_t)
- corecmd_exec_bin(ccs_t)
-
--corenet_all_recvfrom_unlabeled(ccs_t)
- corenet_all_recvfrom_netlabel(ccs_t)
- corenet_tcp_sendrecv_generic_if(ccs_t)
- corenet_udp_sendrecv_generic_if(ccs_t)
-@@ -97,11 +96,10 @@ files_read_etc_files(ccs_t)
- files_read_etc_runtime_files(ccs_t)
-
- init_rw_script_tmp_files(ccs_t)
-+init_signal(ccs_t)
-
- logging_send_syslog_msg(ccs_t)
-
--miscfiles_read_localization(ccs_t)
--
- sysnet_dns_name_resolve(ccs_t)
-
- userdom_manage_unpriv_user_shared_mem(ccs_t)
-@@ -118,5 +116,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ qpidd_rw_semaphores(ccs_t)
-+ qpidd_rw_shm(ccs_t)
++optional_policy(`
++ gnome_rw_inherited_config(chrome_sandbox_t)
++ gnome_read_home_config(chrome_sandbox_t)
+')
+
+optional_policy(`
- unconfined_use_fds(ccs_t)
- ')
-diff --git a/cdrecord.te b/cdrecord.te
-index 4626931..93e1495 100644
---- a/cdrecord.te
-+++ b/cdrecord.te
-@@ -52,10 +52,8 @@ storage_write_scsi_generic(cdrecord_t)
-
- logging_send_syslog_msg(cdrecord_t)
-
--miscfiles_read_localization(cdrecord_t)
--
- # write to the user domain tty.
--userdom_use_user_terminals(cdrecord_t)
-+userdom_use_inherited_user_terminals(cdrecord_t)
- userdom_read_user_home_content_files(cdrecord_t)
-
- # Handle nfs home dirs
-@@ -108,11 +106,7 @@ tunable_policy(`cdrecord_read_content',`
- userdom_dontaudit_read_user_home_content_files(cdrecord_t)
- ')
-
--tunable_policy(`use_nfs_home_dirs',`
-- files_search_mnt(cdrecord_t)
-- fs_read_nfs_files(cdrecord_t)
-- fs_read_nfs_symlinks(cdrecord_t)
--')
-+userdom_home_manager(cdrecord_t)
-
- optional_policy(`
- resmgr_stream_connect(cdrecord_t)
-diff --git a/certmaster.if b/certmaster.if
-index fa62787..4230c25 100644
---- a/certmaster.if
-+++ b/certmaster.if
-@@ -116,19 +116,23 @@ interface(`certmaster_manage_log',`
- interface(`certmaster_admin',`
- gen_require(`
- type certmaster_t, certmaster_var_run_t, certmaster_var_lib_t;
-- type certmaster_etc_rw_t, certmaster_var_log_t;
-- type certmaster_initrc_exec_t;
-+ type certmaster_etc_rw_t, certmaster_var_log_t, certmaster_initrc_exec_t;
- ')
-
-- allow $1 certmaster_t:process { ptrace signal_perms };
-+ allow $1 certmaster_t:process signal_perms;
- ps_process_pattern($1, certmaster_t)
-
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 certmaster_t:process ptrace;
-+ ')
-+
- init_labeled_script_domtrans($1, certmaster_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 certmaster_initrc_exec_t system_r;
- allow $2 system_r;
-
- files_list_etc($1)
-+
- miscfiles_manage_generic_cert_dirs($1)
- miscfiles_manage_generic_cert_files($1)
-
-diff --git a/certmaster.te b/certmaster.te
-index 3384132..e40c81c 100644
---- a/certmaster.te
-+++ b/certmaster.te
-@@ -53,19 +53,20 @@ files_pid_filetrans(certmaster_t ,certmaster_var_run_t, { file sock_file })
- # read meminfo
- kernel_read_system_state(certmaster_t)
-
--corecmd_search_bin(certmaster_t)
--corecmd_getattr_bin_files(certmaster_t)
-+corecmd_exec_bin(certmaster_t)
-
- corenet_tcp_bind_generic_node(certmaster_t)
- corenet_tcp_bind_certmaster_port(certmaster_t)
-
-+dev_read_urand(certmaster_t)
-+
- files_search_etc(certmaster_t)
-+files_read_usr_files(certmaster_t)
- files_list_var(certmaster_t)
- files_search_var_lib(certmaster_t)
-
- auth_use_nsswitch(certmaster_t)
-
--miscfiles_read_localization(certmaster_t)
-
- miscfiles_manage_generic_cert_dirs(certmaster_t)
- miscfiles_manage_generic_cert_files(certmaster_t)
-diff --git a/certmonger.fc b/certmonger.fc
-index 5ad1a52..e66fcf6 100644
---- a/certmonger.fc
-+++ b/certmonger.fc
-@@ -4,3 +4,5 @@
-
- /var/lib/certmonger(/.*)? gen_context(system_u:object_r:certmonger_var_lib_t,s0)
- /var/run/certmonger.pid -- gen_context(system_u:object_r:certmonger_var_run_t,s0)
-+
-+/usr/lib/ipa/certmonger(/.*)? gen_context(system_u:object_r:certmonger_unconfined_exec_t,s0)
-diff --git a/certmonger.if b/certmonger.if
-index 7a6e5ba..7475aa5 100644
---- a/certmonger.if
-+++ b/certmonger.if
-@@ -158,7 +158,11 @@ interface(`certmonger_admin',`
- ')
-
- ps_process_pattern($1, certmonger_t)
-- allow $1 certmonger_t:process { ptrace signal_perms };
-+ allow $1 certmonger_t:process signal_perms;
-+
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 certmonger_t:process ptrace;
-+ ')
-
- # Allow certmonger_t to restart the apache service
- certmonger_initrc_domtrans($1)
-@@ -166,9 +170,9 @@ interface(`certmonger_admin',`
- role_transition $2 certmonger_initrc_exec_t system_r;
- allow $2 system_r;
-
-- files_search_var_lib($1)
-+ files_list_var_lib($1)
- admin_pattern($1, certmonger_var_lib_t)
-
-- files_search_pids($1)
-+ files_list_pids($1)
- admin_pattern($1, certmonger_var_run_t)
- ')
-diff --git a/certmonger.te b/certmonger.te
-index c3e3f79..89db900 100644
---- a/certmonger.te
-+++ b/certmonger.te
-@@ -18,13 +18,19 @@ files_pid_file(certmonger_var_run_t)
- type certmonger_var_lib_t;
- files_type(certmonger_var_lib_t)
-
-+type certmonger_unconfined_exec_t;
-+application_executable_file(certmonger_unconfined_exec_t)
-+
- ########################################
- #
- # certmonger local policy
- #
-
--allow certmonger_t self:capability { kill sys_nice };
--allow certmonger_t self:process { getsched setsched sigkill };
-+allow certmonger_t self:capability { dac_override dac_read_search setgid setuid kill sys_nice };
-+dontaudit certmonger_t self:capability sys_tty_config;
-+allow certmonger_t self:capability2 block_suspend;
-+
-+allow certmonger_t self:process { getsched setsched sigkill signal };
- allow certmonger_t self:fifo_file rw_file_perms;
- allow certmonger_t self:unix_stream_socket create_stream_socket_perms;
- allow certmonger_t self:tcp_socket create_stream_socket_perms;
-@@ -38,25 +44,52 @@ manage_dirs_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t)
- manage_files_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t)
- files_pid_filetrans(certmonger_t, certmonger_var_run_t, { file dir })
-
-+kernel_read_kernel_sysctls(certmonger_t)
-+kernel_read_system_state(certmonger_t)
-+
-+corecmd_exec_bin(certmonger_t)
-+corecmd_exec_shell(certmonger_t)
-+
- corenet_tcp_sendrecv_generic_if(certmonger_t)
- corenet_tcp_sendrecv_generic_node(certmonger_t)
- corenet_tcp_sendrecv_all_ports(certmonger_t)
- corenet_tcp_connect_certmaster_port(certmonger_t)
-+corenet_tcp_connect_http_port(certmonger_t)
-+corenet_tcp_connect_http_cache_port(certmonger_t)
-+corenet_tcp_connect_pki_ca_port(certmonger_t)
-
- dev_read_urand(certmonger_t)
-
- domain_use_interactive_fds(certmonger_t)
-
--files_read_etc_files(certmonger_t)
- files_read_usr_files(certmonger_t)
- files_list_tmp(certmonger_t)
-
-+fs_search_cgroup_dirs(certmonger_t)
-+
-+auth_use_nsswitch(certmonger_t)
-+auth_rw_cache(certmonger_t)
-+
-+init_getattr_all_script_files(certmonger_t)
-+
- logging_send_syslog_msg(certmonger_t)
-
--miscfiles_read_localization(certmonger_t)
- miscfiles_manage_generic_cert_files(certmonger_t)
-
--sysnet_dns_name_resolve(certmonger_t)
-+systemd_exec_systemctl(certmonger_t)
-+
-+userdom_search_user_home_content(certmonger_t)
++ mozilla_write_user_home_files(chrome_sandbox_t)
++')
+
+optional_policy(`
-+ apache_search_config(certmonger_t)
-+ apache_signal(certmonger_t)
-+ apache_signull(certmonger_t)
-+ apache_systemctl(certmonger_t)
++ xserver_use_user_fonts(chrome_sandbox_t)
++ xserver_user_x_domain_template(chrome_sandbox, chrome_sandbox_t, chrome_sandbox_tmpfs_t)
+')
+
-+optional_policy(`
-+ bind_search_cache(certmonger_t)
++tunable_policy(`use_nfs_home_dirs',`
++ fs_search_nfs(chrome_sandbox_t)
++ fs_exec_nfs_files(chrome_sandbox_t)
++ fs_read_nfs_files(chrome_sandbox_t)
++ fs_rw_inherited_nfs_files(chrome_sandbox_t)
++ fs_read_nfs_symlinks(chrome_sandbox_t)
++ fs_dontaudit_append_nfs_files(chrome_sandbox_t)
+')
-
- optional_policy(`
- dbus_system_bus_client(certmonger_t)
-@@ -64,9 +97,46 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ dirsrv_manage_config(certmonger_t)
-+ dirsrv_signal(certmonger_t)
-+ dirsrv_signull(certmonger_t)
++
++tunable_policy(`use_samba_home_dirs',`
++ fs_search_cifs(chrome_sandbox_t)
++ fs_exec_cifs_files(chrome_sandbox_t)
++ fs_rw_inherited_cifs_files(chrome_sandbox_t)
++ fs_read_cifs_files(chrome_sandbox_t)
++ fs_read_cifs_symlinks(chrome_sandbox_t)
++ fs_dontaudit_append_cifs_files(chrome_sandbox_t)
+')
+
-+optional_policy(`
- kerberos_use(certmonger_t)
-+ kerberos_read_keytab(certmonger_t)
- ')
-
- optional_policy(`
-+ pcscd_read_pub_files(certmonger_t)
- pcscd_stream_connect(certmonger_t)
- ')
++tunable_policy(`use_fusefs_home_dirs',`
++ fs_search_fusefs(chrome_sandbox_t)
++ fs_read_fusefs_files(chrome_sandbox_t)
++ fs_exec_fusefs_files(chrome_sandbox_t)
++ fs_read_fusefs_symlinks(chrome_sandbox_t)
++')
+
+optional_policy(`
-+ pki_rw_tomcat_cert(certmonger_t)
++ sandbox_use_ptys(chrome_sandbox_t)
+')
+
++
+########################################
+#
-+# certmonger_unconfined_script_t local policy
++# chrome_sandbox_nacl local policy
+#
+
-+optional_policy(`
-+ type certmonger_unconfined_t;
-+ domain_type(certmonger_unconfined_t)
-+
-+ domain_entry_file(certmonger_unconfined_t, certmonger_unconfined_exec_t)
-+ role system_r types certmonger_unconfined_t;
-+
-+ domtrans_pattern(certmonger_t, certmonger_unconfined_exec_t, certmonger_unconfined_t)
-+
-+ unconfined_domain(certmonger_unconfined_t)
++allow chrome_sandbox_nacl_t self:process { execmem setsched sigkill sigstop signull signal };
+
-+ allow certmonger_t certmonger_unconfined_exec_t:dir search_dir_perms;
-+ allow certmonger_t certmonger_unconfined_exec_t:dir read_file_perms;
-+ allow certmonger_t certmonger_unconfined_exec_t:file ioctl;
++allow chrome_sandbox_nacl_t self:fifo_file manage_fifo_file_perms;
++allow chrome_sandbox_nacl_t self:unix_stream_socket create_stream_socket_perms;
++allow chrome_sandbox_nacl_t self:shm create_shm_perms;
++allow chrome_sandbox_nacl_t self:unix_dgram_socket { create_socket_perms sendto };
++allow chrome_sandbox_nacl_t chrome_sandbox_t:unix_stream_socket { getattr write read };
++allow chrome_sandbox_t chrome_sandbox_nacl_t:unix_stream_socket { getattr write read };
++allow chrome_sandbox_nacl_t chrome_sandbox_t:unix_dgram_socket { read write };
+
-+ init_domtrans_script(certmonger_unconfined_t)
++allow chrome_sandbox_nacl_t chrome_sandbox_t:shm rw_shm_perms;
++allow chrome_sandbox_nacl_t chrome_sandbox_tmpfs_t:file rw_inherited_file_perms;
++allow chrome_sandbox_t chrome_sandbox_nacl_t:process { sigkill sigstop signull signal share };
+
-+ unconfined_domain(certmonger_unconfined_t)
-+')
-diff --git a/certwatch.te b/certwatch.te
-index e07cef5..55051ce 100644
---- a/certwatch.te
-+++ b/certwatch.te
-@@ -27,15 +27,15 @@ files_list_tmp(certwatch_t)
- fs_list_inotifyfs(certwatch_t)
-
- auth_manage_cache(certwatch_t)
-+auth_read_passwd(certwatch_t)
- auth_var_filetrans_cache(certwatch_t)
-
- logging_send_syslog_msg(certwatch_t)
-
- miscfiles_read_all_certs(certwatch_t)
--miscfiles_read_localization(certwatch_t)
-
--userdom_use_user_terminals(certwatch_t)
--userdom_dontaudit_list_user_home_dirs(certwatch_t)
-+userdom_use_inherited_user_terminals(certwatch_t)
-+userdom_dontaudit_list_admin_dir(certwatch_t)
-
- optional_policy(`
- apache_exec_modules(certwatch_t)
-diff --git a/cfengine.fc b/cfengine.fc
-new file mode 100644
-index 0000000..4c52fa3
---- /dev/null
-+++ b/cfengine.fc
-@@ -0,0 +1,12 @@
++manage_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t)
++fs_tmpfs_filetrans(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, file)
+
-+/usr/sbin/cf-serverd -- gen_context(system_u:object_r:cfengine_serverd_exec_t,s0)
-+/usr/sbin/cf-execd -- gen_context(system_u:object_r:cfengine_execd_exec_t,s0)
-+/usr/sbin/cf-monitord -- gen_context(system_u:object_r:cfengine_monitord_exec_t,s0)
++domain_use_interactive_fds(chrome_sandbox_nacl_t)
+
-+/etc/rc\.d/init\.d/cf-serverd -- gen_context(system_u:object_r:cfengine_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/cf-monitord -- gen_context(system_u:object_r:cfengine_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/cf-execd -- gen_context(system_u:object_r:cfengine_initrc_exec_t,s0)
++dontaudit chrome_sandbox_nacl_t self:memprotect mmap_zero;
+
-+/var/cfengine(/.*)? gen_context(system_u:object_r:cfengine_var_lib_t,s0)
-+/var/cfengine/outputs(/.*)? gen_context(system_u:object_r:cfengine_var_log_t,s0)
++domtrans_pattern(chrome_sandbox_t, chrome_sandbox_nacl_exec_t, chrome_sandbox_nacl_t)
++ps_process_pattern(chrome_sandbox_t, chrome_sandbox_nacl_t)
+
-diff --git a/cfengine.if b/cfengine.if
-new file mode 100644
-index 0000000..f3c23e9
---- /dev/null
-+++ b/cfengine.if
-@@ -0,0 +1,146 @@
++kernel_read_state(chrome_sandbox_nacl_t)
++kernel_read_system_state(chrome_sandbox_nacl_t)
+
-+## <summary>policy for cfengine</summary>
++corecmd_sbin_entry_type(chrome_sandbox_nacl_t)
+
-+######################################
-+## <summary>
-+## Creates types and rules for a basic
-+## cfengine init daemon domain.
-+## </summary>
-+## <param name="prefix">
-+## <summary>
-+## Prefix for the domain.
-+## </summary>
-+## </param>
-+#
-+template(`cfengine_domain_template',`
-+ gen_require(`
-+ attribute cfengine_domain;
-+ ')
++dev_read_urand(chrome_sandbox_nacl_t)
++dev_read_sysfs(chrome_sandbox_nacl_t)
+
-+ ##############################
-+ #
-+ # Declarations
-+ #
++files_read_etc_files(chrome_sandbox_nacl_t)
+
-+ type cfengine_$1_t, cfengine_domain;
-+ type cfengine_$1_exec_t;
-+ init_daemon_domain(cfengine_$1_t, cfengine_$1_exec_t)
++init_read_state(chrome_sandbox_nacl_t)
+
-+ kernel_read_system_state(cfengine_$1_t)
++userdom_use_inherited_user_ptys(chrome_sandbox_nacl_t)
++userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_nacl_t)
++userdom_execute_user_tmpfs_files(chrome_sandbox_nacl_t)
++userdom_rw_inherited_user_tmp_files(chrome_sandbox_nacl_t)
++userdom_dontaudit_read_user_home_content_files(chrome_sandbox_nacl_t)
+
-+ logging_send_syslog_msg(cfengine_$1_t)
++optional_policy(`
++ gnome_dontaudit_append_config_files(chrome_sandbox_nacl_t)
++ gnome_dontaudit_write_config_files(chrome_sandbox_nacl_t)
+')
+diff --git a/chronyd.fc b/chronyd.fc
+index 4e4143e..a665b32 100644
+--- a/chronyd.fc
++++ b/chronyd.fc
+@@ -2,6 +2,8 @@
+
+ /etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0)
+
++/usr/lib/systemd/system/chrony.* -- gen_context(system_u:object_r:chronyd_unit_file_t,s0)
+
-+########################################
-+## <summary>
-+## Transition to cfengine.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed to transition.
-+## </summary>
-+## </param>
-+#
-+interface(`cfengine_domtrans_server',`
+ /usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0)
+
+ /var/lib/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_lib_t,s0)
+diff --git a/chronyd.if b/chronyd.if
+index 32e8265..0de4af3 100644
+--- a/chronyd.if
++++ b/chronyd.if
+@@ -100,8 +100,7 @@ interface(`chronyd_rw_shm',`
+
+ ########################################
+ ## <summary>
+-## Connect to chronyd using a unix
+-## domain stream socket.
++## Read chronyd keys files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -109,19 +108,17 @@ interface(`chronyd_rw_shm',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`chronyd_stream_connect',`
++interface(`chronyd_read_keys',`
+ gen_require(`
+- type chronyd_t, chronyd_var_run_t;
++ type chronyd_keys_t;
+ ')
+
+- files_search_pids($1)
+- stream_connect_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t)
++ read_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Send to chronyd using a unix domain
+-## datagram socket.
++## Append chronyd keys files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
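Review bot: The new `chronyd_read_keys` body consists of the single `read_files_pattern($1, chronyd_keys_t, chronyd_keys_t)` line and drops the `files_search_etc($1)` that the upstream `chronyd_read_key_files` it supersedes carried (visible as a removed line in the later hunk of this file), so a caller without its own /etc search access is still denied at path lookup before the file read is ever checked. Add `files_search_etc($1)` immediately before the `read_files_pattern` call, matching `chronyd_admin`, which pairs `files_list_etc($1)` with its keys access. The rename from `chronyd_read_key_files` also retires the old interface name; any caller elsewhere in the policy that still uses it would fail at build time unless it is updated in the same patch, which is not visible here.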
+@@ -129,18 +126,61 @@ interface(`chronyd_stream_connect',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`chronyd_dgram_send',`
++interface(`chronyd_append_keys',`
+ gen_require(`
-+ type cfengine_server_t, cfengine_server_exec_t;
++ type chronyd_keys_t;
+ ')
+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, cfengine_server_exec_t, cfengine_server_t)
-+')
-+
-+#######################################
-+## <summary>
-+## Search cfengine lib files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`cfengine_search_lib_files',`
-+ gen_require(`
-+ type cfengine_var_lib_t;
-+ ')
-+
-+ allow $1 cfengine_var_lib_t:dir search_dir_perms;
++ append_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
+')
+
+########################################
+## <summary>
-+## Read cfengine lib files.
++## Execute chronyd server in the chronyd domain.
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain allowed access.
++## Domain allowed to transition.
+## </summary>
+## </param>
+#
-+interface(`cfengine_read_lib_files',`
++interface(`chronyd_systemctl',`
+ gen_require(`
-+ type cfengine_var_lib_t;
++ type chronyd_t;
++ type chronyd_unit_file_t;
+ ')
+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, cfengine_var_lib_t, cfengine_var_lib_t)
-+')
-+
-+######################################
-+## <summary>
-+## Allow the specified domain to read cfengine's log files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`cfengine_read_log',`
-+ gen_require(`
-+ type cfengine_var_log_t;
-+ ')
++ systemd_exec_systemctl($1)
++ allow $1 chronyd_unit_file_t:file read_file_perms;
++ allow $1 chronyd_unit_file_t:service manage_service_perms;
+
-+ logging_search_logs($1)
-+ files_search_var_lib($1)
-+ cfengine_search_lib_files($1)
-+ read_files_pattern($1, cfengine_var_log_t, cfengine_var_log_t)
++ ps_process_pattern($1, chronyd_t)
+')
+
-+#####################################
++#######################################
+## <summary>
-+## Allow the specified domain to append cfengine's log files.
++## Connect to chronyd using a unix
++## domain stream socket.
+## </summary>
+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
++## <summary>
++## Domain allowed access.
++## </summary>
+## </param>
+#
-+interface(`cfengine_append_inherited_log',`
-+ gen_require(`
-+ type cfengine_var_log_t;
-+ ')
-+
-+ cfengine_search_lib_files($1)
-+ allow $1 cfengine_var_log_t:file { getattr append ioctl lock };
++interface(`chronyd_stream_connect',`
+ gen_require(`
+ type chronyd_t, chronyd_var_run_t;
+ ')
+
+ files_search_pids($1)
+- dgram_send_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t)
++ stream_connect_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Read chronyd key files.
++## Send to chronyd using a unix domain
++## datagram socket.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
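Review bot: The documentation on the new `chronyd_systemctl` interface describes a domain transition that the body does not perform: its summary reads `## Execute chronyd server in the chronyd domain.` and its parameter text `## Domain allowed to transition.`, while the rules grant `systemd_exec_systemctl`, `read_file_perms` on `chronyd_unit_file_t`, `manage_service_perms` on the unit's service class and `ps_process_pattern` on `chronyd_t`. Suggest `## Control the chronyd service via systemctl.` and `## Domain allowed access.`. The `ps_process_pattern($1, chronyd_t)` grant is wider than starting or stopping a unit needs; if it is there so the caller can inspect the running daemon, a one-line comment above it saying so would make the grant reviewable. `chronyd_append_keys` in the same hunk has the same gap as `chronyd_read_keys`, an `append_files_pattern` with no `files_search_etc($1)` before it, so a caller of either interface needs its own /etc search access.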
+@@ -148,13 +188,13 @@ interface(`chronyd_dgram_send',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`chronyd_read_key_files',`
++interface(`chronyd_dgram_send',`
+ gen_require(`
+- type chronyd_keys_t;
++ type chronyd_t, chronyd_var_run_t;
+ ')
+
+- files_search_etc($1)
+- read_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
++ files_search_pids($1)
++ dgram_send_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t)
+ ')
+
+ ####################################
+@@ -176,28 +216,38 @@ interface(`chronyd_read_key_files',`
+ #
+ interface(`chronyd_admin',`
+ gen_require(`
+- type chronyd_t, chronyd_var_log_t;
+- type chronyd_var_run_t, chronyd_var_lib_t;
+- type chronyd_initrc_exec_t, chronyd_keys_t;
++ type chronyd_t, chronyd_var_log_t, chronyd_var_run_t;
++ type chronyd_var_lib_t, chronyd_tmpfs_t, chronyd_initrc_exec_t;
++ type chronyd_keys_t, chronyd_unit_file_t;
+ ')
+
+- allow $1 chronyd_t:process { ptrace signal_perms };
++ allow $1 chronyd_t:process signal_perms;
+ ps_process_pattern($1, chronyd_t)
+
+- chronyd_initrc_domtrans($1)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 chronyd_t:process ptrace;
++ ')
++
++ init_labeled_script_domtrans($1, chronyd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 chronyd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+- files_search_etc($1)
++ files_list_etc($1)
+ admin_pattern($1, chronyd_keys_t)
+
+- logging_search_logs($1)
++ logging_list_logs($1)
+ admin_pattern($1, chronyd_var_log_t)
+
+- files_search_var_lib($1)
++ files_list_var_lib($1)
+ admin_pattern($1, chronyd_var_lib_t)
+
+- files_search_pids($1)
++ files_list_pids($1)
+ admin_pattern($1, chronyd_var_run_t)
++
++ admin_pattern($1, chronyd_tmpfs_t)
++
++ admin_pattern($1, chronyd_unit_file_t)
++ chronyd_systemctl($1)
++ allow $1 chronyd_unit_file_t:service all_service_perms;
+ ')
+diff --git a/chronyd.te b/chronyd.te
+index 914ee2d..dac9e4c 100644
+--- a/chronyd.te
++++ b/chronyd.te
+@@ -18,6 +18,9 @@ files_type(chronyd_keys_t)
+ type chronyd_tmpfs_t;
+ files_tmpfs_file(chronyd_tmpfs_t)
+
++type chronyd_unit_file_t;
++systemd_unit_file(chronyd_unit_file_t)
++
+ type chronyd_var_lib_t;
+ files_type(chronyd_var_lib_t)
+
+@@ -35,6 +38,8 @@ files_pid_file(chronyd_var_run_t)
+ allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time };
+ allow chronyd_t self:process { getcap setcap setrlimit signal };
+ allow chronyd_t self:shm create_shm_perms;
++allow chronyd_t self:udp_socket create_socket_perms;
++allow chronyd_t self:unix_dgram_socket create_socket_perms;
+ allow chronyd_t self:fifo_file rw_fifo_file_perms;
+
+ allow chronyd_t chronyd_keys_t:file read_file_perms;
+@@ -82,7 +87,7 @@ auth_use_nsswitch(chronyd_t)
+
+ logging_send_syslog_msg(chronyd_t)
+
+-miscfiles_read_localization(chronyd_t)
++mta_send_mail(chronyd_t)
+
+ optional_policy(`
+ gpsd_rw_shm(chronyd_t)
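Review bot: `mta_send_mail(chronyd_t)` is called at top level of chronyd.te, unlike the `gpsd_rw_shm(chronyd_t)` call directly below it, which sits inside `optional_policy(`, so the chronyd module now has a hard link-time dependency on the mta module and fails to load on a system where that module is absent. Wrap it the same way as the gpsd call: `optional_policy(` / `mta_send_mail(chronyd_t)` / `')`. It also lands on the line that previously held `miscfiles_read_localization(chronyd_t)`, so an unrelated cleanup is bundled with a new grant to a time daemon that already holds `sys_time`; if the mail access exists for a chronyd option that sends mail on clock events, a short comment above the call naming that option would let a later reader judge whether it is still needed.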
+diff --git a/cipe.te b/cipe.te
+index 28c8475..a53162d 100644
+--- a/cipe.te
++++ b/cipe.te
+@@ -29,7 +29,6 @@ kernel_read_system_state(ciped_t)
+ corecmd_exec_shell(ciped_t)
+ corecmd_exec_bin(ciped_t)
+
+-corenet_all_recvfrom_unlabeled(ciped_t)
+ corenet_all_recvfrom_netlabel(ciped_t)
+ corenet_udp_sendrecv_generic_if(ciped_t)
+ corenet_udp_sendrecv_generic_node(ciped_t)
+@@ -53,8 +52,6 @@ fs_search_auto_mountpoints(ciped_t)
+
+ logging_send_syslog_msg(ciped_t)
+
+-miscfiles_read_localization(ciped_t)
+-
+ sysnet_read_config(ciped_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(ciped_t)
+diff --git a/clamav.fc b/clamav.fc
+index d72afcc..c53b80d 100644
+--- a/clamav.fc
++++ b/clamav.fc
+@@ -6,6 +6,8 @@
+ /usr/bin/clamdscan -- gen_context(system_u:object_r:clamscan_exec_t,s0)
+ /usr/bin/freshclam -- gen_context(system_u:object_r:freshclam_exec_t,s0)
+
++/usr/lib/systemd/system/clamd.* -- gen_context(system_u:object_r:clamd_unit_file_t,s0)
++
+ /usr/sbin/clamd -- gen_context(system_u:object_r:clamd_exec_t,s0)
+ /usr/sbin/clamav-milter -- gen_context(system_u:object_r:clamd_exec_t,s0)
+
+diff --git a/clamav.if b/clamav.if
+index 4cc4a5c..99c5cca 100644
+--- a/clamav.if
++++ b/clamav.if
+@@ -1,4 +1,4 @@
+-## <summary>ClamAV Virus Scanner.</summary>
++## <summary>ClamAV Virus Scanner</summary>
+
+ ########################################
+ ## <summary>
+@@ -15,14 +15,12 @@ interface(`clamav_domtrans',`
+ type clamd_t, clamd_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+ domtrans_pattern($1, clamd_exec_t, clamd_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Connect to clamd using a unix
+-## domain stream socket.
++## Connect to run clamd.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
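Review bot: The replacement summary `## Connect to run clamd.` is less accurate than the two lines it replaces; the interface it heads is `clamav_stream_connect` (named in the next hunk header), which connects to clamd's unix domain socket rather than running anything, so restore `## Connect to clamd using a unix domain stream socket.`. Dropping `corecmd_search_bin($1)` from `clamav_domtrans` in the same hunk means a caller with no bin-directory search of its own can no longer traverse /usr/sbin to reach `clamd_exec_t` (labelled there in clamav.fc above) for the transition; if this is deliberate because callers are now expected to hold that search themselves, the interface description should say so.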
+@@ -41,7 +39,8 @@ interface(`clamav_stream_connect',`
+
+ ########################################
+ ## <summary>
+-## Append clamav log files.
++## Allow the specified domain to append
++## to clamav log files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -61,27 +60,6 @@ interface(`clamav_append_log',`
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete
+-## clamav pid content.
+-## </summary>
+-## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+-## </param>
+-#
+-interface(`clamav_manage_pid_content',`
+- gen_require(`
+- type clamd_var_run_t;
+- ')
+-
+- files_search_pids($1)
+- manage_dirs_pattern($1, clamd_var_run_t, clamd_var_run_t)
+- manage_files_pattern($1, clamd_var_run_t, clamd_var_run_t)
+-')
+-
+-########################################
+-## <summary>
+ ## Read clamav configuration files.
+ ## </summary>
+ ## <param name="domain">
+@@ -101,7 +79,7 @@ interface(`clamav_read_config',`
+
+ ########################################
+ ## <summary>
+-## Search clamav library directories.
++## Search clamav libraries directories.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -133,13 +111,12 @@ interface(`clamav_domtrans_clamscan',`
+ type clamscan_t, clamscan_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+ domtrans_pattern($1, clamscan_exec_t, clamscan_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Execute clamscan in the caller domain.
++## Execute clamscan without a transition.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -152,13 +129,12 @@ interface(`clamav_exec_clamscan',`
+ type clamscan_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+ can_exec($1, clamscan_exec_t)
+ ')
+
+-#######################################
++########################################
+ ## <summary>
+-## Read clamd process state files.
++## Manage clamd pid content.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -166,21 +142,62 @@ interface(`clamav_exec_clamscan',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`clamav_read_state_clamd',`
++interface(`clamav_manage_clamd_pid',`
+ gen_require(`
+- type clamd_t;
++ type clamd_var_run_t;
+ ')
+
+- kernel_search_proc($1)
+- allow $1 clamd_t:dir list_dir_perms;
+- read_files_pattern($1, clamd_t, clamd_t)
+- read_lnk_files_pattern($1, clamd_t, clamd_t)
++ manage_dirs_pattern($1, clamd_var_run_t, clamd_var_run_t)
++ manage_files_pattern($1, clamd_var_run_t, clamd_var_run_t)
+')
+
-+####################################
++#######################################
+## <summary>
-+## Dontaudit the specified domain to write cfengine's log files.
++## Read clamd state files.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -8483,674 +10037,751 @@ index 0000000..f3c23e9
+## </summary>
+## </param>
+#
-+interface(`cfengine_dontaudit_write_log',`
++interface(`clamav_read_state_clamd',`
+ gen_require(`
-+ type cfengine_var_log_t;
++ type clamd_t;
+ ')
+
-+ dontaudit $1 cfengine_var_log_t:file write;
++ kernel_search_proc($1)
++ ps_process_pattern($1, clamd_t)
+')
-diff --git a/cfengine.te b/cfengine.te
-new file mode 100644
-index 0000000..5b123e1
---- /dev/null
-+++ b/cfengine.te
-@@ -0,0 +1,94 @@
-+policy_module(cfengine, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+attribute cfengine_domain;
-+
-+cfengine_domain_template(serverd)
-+cfengine_domain_template(execd)
-+cfengine_domain_template(monitord)
-+
-+type cfengine_initrc_exec_t;
-+init_script_file(cfengine_initrc_exec_t)
-+
-+type cfengine_var_lib_t;
-+files_type(cfengine_var_lib_t)
-+
-+type cfengine_var_log_t;
-+logging_log_file(cfengine_var_log_t)
+
+#######################################
++## <summary>
++## Execute clamd server in the clamd domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
+#
-+# cfengine domain local policy
-+#
-+
-+allow cfengine_domain self:fifo_file rw_fifo_file_perms;
-+allow cfengine_domain self:unix_stream_socket create_stream_socket_perms;
-+
-+manage_dirs_pattern(cfengine_domain, cfengine_var_lib_t, cfengine_var_lib_t)
-+manage_files_pattern(cfengine_domain, cfengine_var_lib_t, cfengine_var_lib_t)
-+manage_lnk_files_pattern(cfengine_domain, cfengine_var_lib_t, cfengine_var_lib_t)
-+files_var_lib_filetrans(cfengine_domain, cfengine_var_lib_t, { dir file })
-+
-+manage_files_pattern(cfengine_domain, cfengine_var_log_t,cfengine_var_log_t)
-+manage_dirs_pattern(cfengine_domain, cfengine_var_log_t,cfengine_var_log_t)
-+logging_log_filetrans(cfengine_domain,cfengine_var_log_t,{ dir file })
-+
-+corecmd_exec_bin(cfengine_domain)
-+corecmd_exec_shell(cfengine_domain)
-+
-+dev_read_urand(cfengine_domain)
-+dev_read_sysfs(cfengine_domain)
++interface(`clamd_systemctl',`
++ gen_require(`
++ type clamd_t;
++ type clamd_unit_file_t;
++ ')
+
-+sysnet_dns_name_resolve(cfengine_domain)
-+sysnet_domtrans_ifconfig(cfengine_domain)
++ systemd_exec_systemctl($1)
++ systemd_read_fifo_file_passwd_run($1)
++ allow $1 clamd_unit_file_t:file read_file_perms;
++ allow $1 clamd_unit_file_t:service manage_service_perms;
+
-+files_read_etc_files(cfengine_domain)
++ ps_process_pattern($1, clamd_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## All of the rules required to
+-## administrate an clamav environment.
++## All of the rules required to administrate
++## an clamav environment
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -189,7 +206,7 @@ interface(`clamav_read_state_clamd',`
+ ## </param>
+ ## <param name="role">
+ ## <summary>
+-## Role allowed access.
++## The role to be allowed to manage the clamav domain.
+ ## </summary>
+ ## </param>
+ ## <rolecap/>
+@@ -197,19 +214,36 @@ interface(`clamav_read_state_clamd',`
+ interface(`clamav_admin',`
+ gen_require(`
+ type clamd_t, clamd_etc_t, clamd_tmp_t;
+- type clamd_var_log_t, clamd_var_lib_t, clamd_initrc_exec_t;
+- type clamd_var_run_t, clamscan_t, clamscan_tmp_t;
++ type clamd_var_log_t, clamd_var_lib_t, clamd_var_run_t;
++ type clamscan_t, clamscan_tmp_t, clamd_initrc_exec_t;
+ type freshclam_t, freshclam_var_log_t;
++ type clamd_unit_file_t;
+ ')
+
+- allow $1 { clamd_t clamscan_t freshclam_t }:process { ptrace signal_perms };
+- ps_process_pattern($1, { clamd_t clamscan_t freshclam_t })
++ allow $1 clamd_t:process signal_perms;
++ ps_process_pattern($1, clamd_t)
+
-+########################################
-+#
-+# cfengine-server local policy
-+#
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 clamd_t:process ptrace;
++ allow $1 clamscan_t:process ptrace;
++ allow $1 freshclam_t:process ptrace;
++ ')
+
-+allow cfengine_serverd_t self:capability { chown kill setgid setuid sys_chroot };
-+allow cfengine_serverd_t self:process { fork setfscreate signal };
++ allow $1 clamscan_t:process signal_perms;
++ ps_process_pattern($1, clamscan_t)
+
-+domain_use_interactive_fds(cfengine_serverd_t)
++ allow $1 freshclam_t:process signal_perms;
++ ps_process_pattern($1, freshclam_t)
+
+ init_labeled_script_domtrans($1, clamd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 clamd_initrc_exec_t system_r;
+ allow $2 system_r;
+
++ clamd_systemctl($1)
++ admin_pattern($1, clamd_unit_file_t)
++ allow $1 clamd_unit_file_t:service all_service_perms;
+
-+auth_use_nsswitch(cfengine_serverd_t)
+ files_list_etc($1)
+ admin_pattern($1, clamd_etc_t)
+
+@@ -217,11 +251,21 @@ interface(`clamav_admin',`
+ admin_pattern($1, clamd_var_lib_t)
+
+ logging_list_logs($1)
+- admin_pattern($1, { clamd_var_log_t freshclam_var_log_t })
++ admin_pattern($1, clamd_var_log_t)
+
+ files_list_pids($1)
+ admin_pattern($1, clamd_var_run_t)
+
+ files_list_tmp($1)
+- admin_pattern($1, { clamd_tmp_t clamscan_tmp_t })
++ admin_pattern($1, clamd_tmp_t)
+
-+########################################
-+#
-+# cfengine_exec local policy
-+#
++ admin_pattern($1, clamscan_tmp_t)
+
-+allow cfengine_execd_t self:capability { chown kill setgid setuid sys_chroot };
-+allow cfengine_execd_t self:process { fork setfscreate signal };
++ admin_pattern($1, freshclam_var_log_t)
+
-+kernel_read_sysctl(cfengine_execd_t)
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
+
-+domain_read_all_domains_state(cfengine_execd_t)
-+domain_use_interactive_fds(cfengine_execd_t)
+ ')
+diff --git a/clamav.te b/clamav.te
+index 8e1fef9..725029f 100644
+--- a/clamav.te
++++ b/clamav.te
+@@ -38,6 +38,9 @@ files_config_file(clamd_etc_t)
+ type clamd_initrc_exec_t;
+ init_script_file(clamd_initrc_exec_t)
+
++type clamd_unit_file_t;
++systemd_unit_file(clamd_unit_file_t)
+
-+auth_use_nsswitch(cfengine_execd_t)
+ type clamd_tmp_t;
+ files_tmp_file(clamd_tmp_t)
+
+@@ -73,6 +76,7 @@ logging_log_file(freshclam_var_log_t)
+ allow clamd_t self:capability { kill setgid setuid dac_override };
+ dontaudit clamd_t self:capability sys_tty_config;
+ allow clamd_t self:process signal;
+
-+########################################
-+#
-+# cfengine_monitord local policy
-+#
+ allow clamd_t self:fifo_file rw_fifo_file_perms;
+ allow clamd_t self:unix_stream_socket { accept connectto listen };
+ allow clamd_t self:tcp_socket { listen accept };
+@@ -107,7 +111,6 @@ kernel_read_system_state(clamd_t)
+
+ corecmd_exec_shell(clamd_t)
+
+-corenet_all_recvfrom_unlabeled(clamd_t)
+ corenet_all_recvfrom_netlabel(clamd_t)
+ corenet_tcp_sendrecv_generic_if(clamd_t)
+ corenet_tcp_sendrecv_generic_node(clamd_t)
+@@ -119,6 +122,7 @@ corenet_tcp_bind_generic_port(clamd_t)
+
+ corenet_sendrecv_generic_client_packets(clamd_t)
+ corenet_tcp_connect_generic_port(clamd_t)
++corenet_tcp_connect_clamd_port(clamd_t)
+
+ corenet_sendrecv_clamd_server_packets(clamd_t)
+ corenet_tcp_bind_clamd_port(clamd_t)
+@@ -135,18 +139,10 @@ auth_use_nsswitch(clamd_t)
+
+ logging_send_syslog_msg(clamd_t)
+
+-miscfiles_read_localization(clamd_t)
+-
+-tunable_policy(`clamd_use_jit',`
+- allow clamd_t self:process execmem;
+-',`
+- dontaudit clamd_t self:process execmem;
+-')
+-
+ optional_policy(`
+ amavis_read_lib_files(clamd_t)
+ amavis_read_spool_files(clamd_t)
+- amavis_spool_filetrans(clamd_t, clamd_var_run_t, sock_file)
++ amavis_spool_filetrans(clamd_t, clamd_var_run_t, { file dir sock_file })
+ amavis_create_pid_files(clamd_t)
+ ')
+
+@@ -165,6 +161,31 @@ optional_policy(`
+ mta_send_mail(clamd_t)
+ ')
+
++optional_policy(`
++ spamd_stream_connect(clamd_t)
++ spamassassin_read_pid_files(clamd_t)
++')
+
-+allow cfengine_monitord_t self:capability { chown kill setgid setuid sys_chroot };
-+allow cfengine_monitord_t self:process { fork setfscreate signal };
++tunable_policy(`clamd_use_jit',`
++ allow clamd_t self:process execmem;
++ allow clamscan_t self:process execmem;
++',`
++ dontaudit clamd_t self:process execmem;
++ dontaudit clamscan_t self:process execmem;
++')
+
-+kernel_read_hotplug_sysctls(cfengine_monitord_t)
-+kernel_read_network_state(cfengine_monitord_t)
++optional_policy(`
++ antivirus_domain_template(clamd_t)
++')
+
-+domain_read_all_domains_state(cfengine_monitord_t)
-+domain_use_interactive_fds(cfengine_monitord_t)
++optional_policy(`
++ antivirus_domain_template(clamscan_t)
++')
+
-+fs_getattr_xattr_fs(cfengine_monitord_t)
++optional_policy(`
++ antivirus_domain_template(freshclam_t)
++')
+
-+auth_use_nsswitch(cfengine_monitord_t)
-diff --git a/cgroup.fc b/cgroup.fc
-index b6bb46c..9a2bf65 100644
---- a/cgroup.fc
-+++ b/cgroup.fc
-@@ -11,5 +11,9 @@
- /sbin/cgrulesengd -- gen_context(system_u:object_r:cgred_exec_t,s0)
- /sbin/cgclear -- gen_context(system_u:object_r:cgclear_exec_t,s0)
+ ########################################
+ #
+ # Freshclam local policy
+@@ -228,7 +249,6 @@ auth_use_nsswitch(freshclam_t)
--/var/log/cgrulesengd\.log -- gen_context(system_u:object_r:cgred_log_t,s0)
-+/usr/sbin/cgconfigparser -- gen_context(system_u:object_r:cgconfig_exec_t,s0)
-+/usr/sbin/cgrulesengd -- gen_context(system_u:object_r:cgred_exec_t,s0)
-+/usr/sbin/cgclear -- gen_context(system_u:object_r:cgclear_exec_t,s0)
-+
-+/var/log/cgrulesengd\.log.* -- gen_context(system_u:object_r:cgred_log_t,s0)
- /var/run/cgred.* gen_context(system_u:object_r:cgred_var_run_t,s0)
-diff --git a/cgroup.if b/cgroup.if
-index 33facaf..11700ae 100644
---- a/cgroup.if
-+++ b/cgroup.if
-@@ -171,15 +171,27 @@ interface(`cgroup_admin',`
- type cgrules_etc_t, cgclear_t;
- ')
+ logging_send_syslog_msg(freshclam_t)
-- allow $1 cgclear_t:process { ptrace signal_perms };
-+ allow $1 cgclear_t:process signal_perms;
- ps_process_pattern($1, cgclear_t)
+-miscfiles_read_localization(freshclam_t)
-- allow $1 cgconfig_t:process { ptrace signal_perms };
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 cgclear_t:process ptrace;
-+ ')
-+
-+ allow $1 cgconfig_t:process signal_perms;
- ps_process_pattern($1, cgconfig_t)
+ tunable_policy(`clamd_use_jit',`
+ allow freshclam_t self:process execmem;
+@@ -244,6 +264,14 @@ optional_policy(`
+ cron_system_entry(freshclam_t, freshclam_exec_t)
+ ')
-- allow $1 cgred_t:process { ptrace signal_perms };
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 cgconfig_t:process ptrace;
-+ ')
++optional_policy(`
++ clamd_systemctl(freshclam_t)
++')
+
-+ allow $1 cgred_t:process signal_perms;
- ps_process_pattern($1, cgred_t)
++optional_policy(`
++ cron_system_entry(freshclam_t, freshclam_exec_t)
++')
++
+ ########################################
+ #
+ # Clamscam local policy
+@@ -275,7 +303,12 @@ kernel_dontaudit_list_proc(clamscan_t)
+ kernel_read_kernel_sysctls(clamscan_t)
+ kernel_read_system_state(clamscan_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 cgred_t:process ptrace;
-+ ')
+-corenet_all_recvfrom_unlabeled(clamscan_t)
++read_files_pattern(clamscan_t, clamd_var_run_t, clamd_var_run_t)
++allow clamscan_t clamd_var_run_t:dir list_dir_perms;
+
- admin_pattern($1, cgconfig_etc_t)
- admin_pattern($1, cgrules_etc_t)
- files_list_etc($1)
-diff --git a/cgroup.te b/cgroup.te
-index 806191a..d962a82 100644
---- a/cgroup.te
-+++ b/cgroup.te
-@@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t)
- type cgrules_etc_t;
- files_config_file(cgrules_etc_t)
++kernel_dontaudit_list_proc(clamscan_t)
++kernel_read_system_state(clamscan_t)
++
+ corenet_all_recvfrom_netlabel(clamscan_t)
+ corenet_tcp_sendrecv_generic_if(clamscan_t)
+ corenet_tcp_sendrecv_generic_node(clamscan_t)
+@@ -286,14 +319,12 @@ corenet_tcp_sendrecv_clamd_port(clamscan_t)
--type cgconfig_t;
--type cgconfig_exec_t;
-+type cgconfig_t alias cgconfigparser_t;
-+type cgconfig_exec_t alias cgconfigparser_exec_t;
- init_daemon_domain(cgconfig_t, cgconfig_exec_t)
+ corecmd_read_all_executables(clamscan_t)
- type cgconfig_initrc_exec_t;
-@@ -42,8 +42,12 @@ files_config_file(cgconfig_etc_t)
+-files_read_etc_files(clamscan_t)
+ files_read_etc_runtime_files(clamscan_t)
+ files_search_var_lib(clamscan_t)
- allow cgclear_t self:capability { dac_read_search dac_override sys_admin };
+ init_read_utmp(clamscan_t)
+ init_dontaudit_write_utmp(clamscan_t)
-+read_files_pattern(cgclear_t, cgconfig_etc_t, cgconfig_etc_t)
-+
- kernel_read_system_state(cgclear_t)
+-miscfiles_read_localization(clamscan_t)
+ miscfiles_read_public_files(clamscan_t)
-+auth_use_nsswitch(cgclear_t)
-+
- domain_setpriority_all_domains(cgclear_t)
+ sysnet_dns_name_resolve(clamscan_t)
+@@ -310,10 +341,6 @@ tunable_policy(`clamav_read_all_non_security_files_clamscan',`
+ ')
- fs_manage_cgroup_dirs(cgclear_t)
-@@ -64,7 +68,6 @@ kernel_list_unlabeled(cgconfig_t)
- kernel_read_system_state(cgconfig_t)
+ optional_policy(`
+- amavis_read_spool_files(clamscan_t)
+-')
+-
+-optional_policy(`
+ apache_read_sys_content(clamscan_t)
+ ')
- # /etc/nsswitch.conf, /etc/passwd
--files_read_etc_files(cgconfig_t)
+diff --git a/clockspeed.te b/clockspeed.te
+index b59c592..c21a405 100644
+--- a/clockspeed.te
++++ b/clockspeed.te
+@@ -29,7 +29,6 @@ allow clockspeed_cli_t self:udp_socket create_socket_perms;
- fs_manage_cgroup_dirs(cgconfig_t)
- fs_manage_cgroup_files(cgconfig_t)
-@@ -72,12 +75,15 @@ fs_mount_cgroup(cgconfig_t)
- fs_mounton_cgroup(cgconfig_t)
- fs_unmount_cgroup(cgconfig_t)
+ read_files_pattern(clockspeed_cli_t, clockspeed_var_lib_t, clockspeed_var_lib_t)
-+auth_use_nsswitch(cgconfig_t)
-+
- ########################################
- #
- # cgred personal policy.
- #
+-corenet_all_recvfrom_unlabeled(clockspeed_cli_t)
+ corenet_all_recvfrom_netlabel(clockspeed_cli_t)
+ corenet_udp_sendrecv_generic_if(clockspeed_cli_t)
+ corenet_udp_sendrecv_generic_node(clockspeed_cli_t)
+@@ -40,9 +39,8 @@ corenet_udp_sendrecv_ntp_port(clockspeed_cli_t)
+ files_list_var_lib(clockspeed_cli_t)
+ files_read_etc_files(clockspeed_cli_t)
--allow cgred_t self:capability { chown fsetid net_admin sys_admin sys_ptrace dac_override };
-+allow cgred_t self:capability { chown fsetid net_admin sys_admin dac_override sys_ptrace };
-+
- allow cgred_t self:netlink_socket { write bind create read };
- allow cgred_t self:unix_dgram_socket { write create connect };
+-miscfiles_read_localization(clockspeed_cli_t)
-@@ -86,12 +92,16 @@ logging_log_filetrans(cgred_t, cgred_log_t, file)
+-userdom_use_user_terminals(clockspeed_cli_t)
++userdom_use_inherited_user_terminals(clockspeed_cli_t)
- allow cgred_t cgrules_etc_t:file read_file_perms;
+ ########################################
+ #
+@@ -57,7 +55,6 @@ allow clockspeed_srv_t self:unix_stream_socket create_socket_perms;
+ manage_files_pattern(clockspeed_srv_t, clockspeed_var_lib_t, clockspeed_var_lib_t)
+ manage_fifo_files_pattern(clockspeed_srv_t, clockspeed_var_lib_t, clockspeed_var_lib_t)
-+manage_files_pattern(cgred_t, cgred_log_t, cgred_log_t)
-+logging_log_filetrans(cgred_t, cgred_log_t, file)
-+
- # rc script creates pid file
- manage_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t)
- manage_sock_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t)
- files_pid_filetrans(cgred_t, cgred_var_run_t, { file sock_file })
+-corenet_all_recvfrom_unlabeled(clockspeed_srv_t)
+ corenet_all_recvfrom_netlabel(clockspeed_srv_t)
+ corenet_udp_sendrecv_generic_if(clockspeed_srv_t)
+ corenet_udp_sendrecv_generic_node(clockspeed_srv_t)
+@@ -70,7 +67,6 @@ corenet_udp_sendrecv_clockspeed_port(clockspeed_srv_t)
+ files_list_var_lib(clockspeed_srv_t)
+ files_read_etc_files(clockspeed_srv_t)
- kernel_read_system_state(cgred_t)
-+kernel_read_all_sysctls(cgred_t)
+-miscfiles_read_localization(clockspeed_srv_t)
- domain_read_all_domains_state(cgred_t)
- domain_setpriority_all_domains(cgred_t)
-@@ -100,10 +110,9 @@ files_getattr_all_files(cgred_t)
- files_getattr_all_sockets(cgred_t)
- files_read_all_symlinks(cgred_t)
- # /etc/group
--files_read_etc_files(cgred_t)
+ optional_policy(`
+ daemontools_service_domain(clockspeed_srv_t, clockspeed_srv_exec_t)
+diff --git a/clogd.te b/clogd.te
+index 29782b8..c614d47 100644
+--- a/clogd.te
++++ b/clogd.te
+@@ -41,8 +41,6 @@ storage_raw_write_fixed_disk(clogd_t)
- fs_write_cgroup_files(cgred_t)
+ logging_send_syslog_msg(clogd_t)
--logging_send_syslog_msg(cgred_t)
-+auth_use_nsswitch(cgred_t)
-
--miscfiles_read_localization(cgred_t)
-+logging_send_syslog_msg(cgred_t)
-diff --git a/chrome.fc b/chrome.fc
+-miscfiles_read_localization(clogd_t)
+-
+ optional_policy(`
+ aisexec_stream_connect(clogd_t)
+ corosync_stream_connect(clogd_t)
+diff --git a/cloudform.fc b/cloudform.fc
new file mode 100644
-index 0000000..88107d7
+index 0000000..8a40857
--- /dev/null
-+++ b/chrome.fc
-@@ -0,0 +1,6 @@
-+/opt/google/chrome/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
++++ b/cloudform.fc
+@@ -0,0 +1,22 @@
++/etc/rc\.d/init\.d/iwhd -- gen_context(system_u:object_r:iwhd_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/mongod -- gen_context(system_u:object_r:mongod_initrc_exec_t,s0)
+
-+/usr/lib/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
++/usr/bin/deltacloudd -- gen_context(system_u:object_r:deltacloudd_exec_t,s0)
++/usr/bin/iwhd -- gen_context(system_u:object_r:iwhd_exec_t,s0)
++/usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0)
+
-+/opt/google/chrome/nacl_helper_bootstrap -- gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0)
-+/usr/lib/chromium-browser/nacl_helper_bootstrap -- gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0)
-diff --git a/chrome.if b/chrome.if
++/usr/share/aeolus-conductor/dbomatic/dbomatic -- gen_context(system_u:object_r:mongod_exec_t,s0)
++
++/var/lib/iwhd(/.*)? gen_context(system_u:object_r:iwhd_var_lib_t,s0)
++/var/lib/mongodb(/.*)? gen_context(system_u:object_r:mongod_var_lib_t,s0)
++
++/var/log/deltacloud-core(/.*)? gen_context(system_u:object_r:deltacloudd_log_t,s0)
++/var/log/iwhd\.log.* -- gen_context(system_u:object_r:iwhd_log_t,s0)
++/var/log/mongodb(/.*)? gen_context(system_u:object_r:mongod_log_t,s0)
++/var/log/mongo(/.*)? gen_context(system_u:object_r:mongod_log_t,s0)
++/var/log/mongo/mongod\.log.* -- gen_context(system_u:object_r:mongod_log_t,s0)
++/var/log/aeolus-conductor/dbomatic\.log.* -- gen_context(system_u:object_r:mongod_log_t,s0)
++
++/var/run/mongodb(/.*)? gen_context(system_u:object_r:mongod_var_run_t,s0)
++/var/run/aeolus/dbomatic\.pid -- gen_context(system_u:object_r:mongod_var_run_t,s0)
++/var/run/iwhd\.pid -- gen_context(system_u:object_r:iwhd_var_run_t,s0)
+diff --git a/cloudform.if b/cloudform.if
new file mode 100644
-index 0000000..efebae7
+index 0000000..8ac848b
--- /dev/null
-+++ b/chrome.if
-@@ -0,0 +1,134 @@
-+
-+## <summary>policy for chrome</summary>
++++ b/cloudform.if
+@@ -0,0 +1,42 @@
++## <summary>cloudform policy</summary>
+
-+########################################
-+## <summary>
-+## Execute a domain transition to run chrome_sandbox.
-+## </summary>
-+## <param name="domain">
++#######################################
+## <summary>
-+## Domain allowed to transition.
++## Creates types and rules for a basic
++## cloudform daemon domain.
+## </summary>
++## <param name="prefix">
++## <summary>
++## Prefix for the domain.
++## </summary>
+## </param>
+#
-+interface(`chrome_domtrans_sandbox',`
-+ gen_require(`
-+ type chrome_sandbox_t, chrome_sandbox_exec_t;
-+ ')
-+
-+ domtrans_pattern($1, chrome_sandbox_exec_t, chrome_sandbox_t)
-+ ps_process_pattern(chrome_sandbox_t, $1)
++template(`cloudform_domain_template',`
++ gen_require(`
++ attribute cloudform_domain;
++ ')
+
-+ allow $1 chrome_sandbox_t:fd use;
++ type $1_t, cloudform_domain;
++ type $1_exec_t;
++ init_daemon_domain($1_t, $1_exec_t)
+
-+ ifdef(`hide_broken_symptoms',`
-+ fs_dontaudit_rw_anon_inodefs_files(chrome_sandbox_t)
-+ ')
++ kernel_read_system_state($1_t)
+')
+
-+
-+########################################
++######################################
+## <summary>
-+## Execute chrome_sandbox in the chrome_sandbox domain, and
-+## allow the specified role the chrome_sandbox domain.
++## Execute mongod in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain allowed access
-+## </summary>
-+## </param>
-+## <param name="role">
-+## <summary>
-+## The role to be allowed the chrome_sandbox domain.
++## Domain allowed access.
+## </summary>
+## </param>
+#
-+interface(`chrome_run_sandbox',`
-+ gen_require(`
-+ type chrome_sandbox_t;
-+ type chrome_sandbox_nacl_t;
-+ ')
++interface(`cloudform_exec_mongod',`
++ gen_require(`
++ type mongod_exec_t;
++ ')
+
-+ chrome_domtrans_sandbox($1)
-+ role $2 types chrome_sandbox_t;
-+ role $2 types chrome_sandbox_nacl_t;
++ can_exec($1, mongod_exec_t)
+')
-+
+diff --git a/cloudform.te b/cloudform.te
+new file mode 100644
+index 0000000..def8328
+--- /dev/null
++++ b/cloudform.te
+@@ -0,0 +1,195 @@
++policy_module(cloudform, 1.0)
+########################################
-+## <summary>
-+## Role access for chrome sandbox
-+## </summary>
-+## <param name="role">
-+## <summary>
-+## Role allowed access
-+## </summary>
-+## </param>
-+## <param name="domain">
-+## <summary>
-+## User domain for the role
-+## </summary>
-+## </param>
+#
-+interface(`chrome_role_notrans',`
-+ gen_require(`
-+ type chrome_sandbox_t;
-+ type chrome_sandbox_tmpfs_t;
-+ type chrome_sandbox_nacl_t;
-+ ')
++# Declarations
++#
+
-+ role $1 types chrome_sandbox_t;
-+ role $1 types chrome_sandbox_nacl_t;
++attribute cloudform_domain;
+
-+ ps_process_pattern($2, chrome_sandbox_t)
-+ allow $2 chrome_sandbox_t:process signal_perms;
++cloudform_domain_template(deltacloudd)
++cloudform_domain_template(iwhd)
++cloudform_domain_template(mongod)
+
-+ allow chrome_sandbox_t $2:unix_dgram_socket { read write };
-+ allow $2 chrome_sandbox_t:unix_dgram_socket { read write };
-+ allow chrome_sandbox_t $2:unix_stream_socket { getattr read write };
-+ dontaudit chrome_sandbox_t $2:unix_stream_socket shutdown;
-+ allow chrome_sandbox_nacl_t $2:unix_stream_socket { getattr read write };
-+ allow $2 chrome_sandbox_nacl_t:unix_stream_socket { getattr read write };
-+ allow $2 chrome_sandbox_t:unix_stream_socket { getattr read write };
++type deltacloudd_log_t;
++logging_log_file(deltacloudd_log_t)
+
-+ allow $2 chrome_sandbox_t:shm rw_shm_perms;
++type deltacloudd_var_run_t;
++files_pid_file(deltacloudd_var_run_t)
+
-+ allow $2 chrome_sandbox_tmpfs_t:file rw_file_perms;
-+')
++type deltacloudd_tmp_t;
++files_tmp_file(deltacloudd_tmp_t)
+
-+########################################
-+## <summary>
-+## Role access for chrome sandbox
-+## </summary>
-+## <param name="role">
-+## <summary>
-+## Role allowed access
-+## </summary>
-+## </param>
-+## <param name="domain">
-+## <summary>
-+## User domain for the role
-+## </summary>
-+## </param>
-+#
-+interface(`chrome_role',`
-+ chrome_role_notrans($1, $2)
-+ chrome_domtrans_sandbox($2)
-+')
++type iwhd_initrc_exec_t;
++init_script_file(iwhd_initrc_exec_t)
+
-+########################################
-+## <summary>
-+## Dontaudit read/write to a chrome_sandbox leaks
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
-+interface(`chrome_dontaudit_sandbox_leaks',`
-+ gen_require(`
-+ type chrome_sandbox_t;
-+ ')
++type iwhd_var_lib_t;
++files_type(iwhd_var_lib_t)
+
-+ dontaudit $1 chrome_sandbox_t:unix_stream_socket { read write };
-+')
-diff --git a/chrome.te b/chrome.te
-new file mode 100644
-index 0000000..32ff486
---- /dev/null
-+++ b/chrome.te
-@@ -0,0 +1,195 @@
-+policy_module(chrome,1.0.0)
++type iwhd_var_run_t;
++files_pid_file(iwhd_var_run_t)
++
++type mongod_initrc_exec_t;
++init_script_file(mongod_initrc_exec_t)
++
++type mongod_log_t;
++logging_log_file(mongod_log_t)
++
++type mongod_var_lib_t;
++files_type(mongod_var_lib_t)
++
++type mongod_tmp_t;
++files_tmp_file(mongod_tmp_t)
++
++type mongod_var_run_t;
++files_pid_file(mongod_var_run_t)
++
++type iwhd_log_t;
++logging_log_file(iwhd_log_t)
+
+########################################
+#
-+# Declarations
++# cloudform_domain local policy
+#
+
-+type chrome_sandbox_t;
-+type chrome_sandbox_exec_t;
-+application_domain(chrome_sandbox_t, chrome_sandbox_exec_t)
-+role system_r types chrome_sandbox_t;
-+ubac_constrained(chrome_sandbox_t)
++allow cloudform_domain self:fifo_file rw_fifo_file_perms;
++allow cloudform_domain self:tcp_socket create_stream_socket_perms;
+
-+type chrome_sandbox_tmp_t;
-+files_tmp_file(chrome_sandbox_tmp_t)
++dev_read_rand(cloudform_domain)
++dev_read_urand(cloudform_domain)
++dev_read_sysfs(cloudform_domain)
+
-+type chrome_sandbox_tmpfs_t;
-+files_tmpfs_file(chrome_sandbox_tmpfs_t)
-+ubac_constrained(chrome_sandbox_tmpfs_t)
++auth_read_passwd(cloudform_domain)
+
-+type chrome_sandbox_nacl_t;
-+type chrome_sandbox_nacl_exec_t;
-+application_domain(chrome_sandbox_nacl_t, chrome_sandbox_nacl_exec_t)
-+role system_r types chrome_sandbox_nacl_t;
-+ubac_constrained(chrome_sandbox_nacl_t)
++miscfiles_read_certs(cloudform_domain)
+
+########################################
+#
-+# chrome_sandbox local policy
++# deltacloudd local policy
+#
-+allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot sys_ptrace };
-+allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack };
-+allow chrome_sandbox_t self:process setsched;
-+allow chrome_sandbox_t self:fifo_file manage_fifo_file_perms;
-+allow chrome_sandbox_t self:unix_stream_socket create_stream_socket_perms;
-+allow chrome_sandbox_t self:unix_dgram_socket { create_socket_perms sendto };
-+allow chrome_sandbox_t self:shm create_shm_perms;
-+allow chrome_sandbox_t self:sem create_sem_perms;
-+allow chrome_sandbox_t self:msgq create_msgq_perms;
-+allow chrome_sandbox_t self:netlink_route_socket r_netlink_socket_perms;
-+dontaudit chrome_sandbox_t self:memprotect mmap_zero;
-+
-+manage_dirs_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t)
-+manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t)
-+files_tmp_filetrans(chrome_sandbox_t, chrome_sandbox_tmp_t, { dir file })
-+
-+manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t)
-+fs_tmpfs_filetrans(chrome_sandbox_t, chrome_sandbox_tmpfs_t, file)
+
-+kernel_read_system_state(chrome_sandbox_t)
-+kernel_read_kernel_sysctls(chrome_sandbox_t)
++allow deltacloudd_t self:capability { dac_override setuid setgid };
+
-+fs_manage_cgroup_dirs(chrome_sandbox_t)
-+fs_manage_cgroup_files(chrome_sandbox_t)
-+fs_read_dos_files(chrome_sandbox_t)
-+fs_read_hugetlbfs_files(chrome_sandbox_t)
++allow deltacloudd_t self:netlink_route_socket r_netlink_socket_perms;
++allow deltacloudd_t self:udp_socket create_socket_perms;
+
-+corecmd_exec_bin(chrome_sandbox_t)
++allow deltacloudd_t self:process signal;
+
-+corenet_all_recvfrom_netlabel(chrome_sandbox_t)
-+corenet_tcp_connect_asterisk_port(chrome_sandbox_t)
-+corenet_tcp_connect_flash_port(chrome_sandbox_t)
-+corenet_tcp_connect_streaming_port(chrome_sandbox_t)
-+corenet_tcp_connect_pulseaudio_port(chrome_sandbox_t)
-+corenet_tcp_connect_http_port(chrome_sandbox_t)
-+corenet_tcp_connect_http_cache_port(chrome_sandbox_t)
-+corenet_tcp_connect_msnp_port(chrome_sandbox_t)
-+corenet_tcp_connect_squid_port(chrome_sandbox_t)
-+corenet_tcp_connect_tor_socks_port(chrome_sandbox_t)
-+corenet_tcp_sendrecv_generic_if(chrome_sandbox_t)
-+corenet_tcp_sendrecv_generic_node(chrome_sandbox_t)
-+corenet_tcp_connect_ipp_port(chrome_sandbox_t)
-+corenet_tcp_connect_speech_port(chrome_sandbox_t)
++allow deltacloudd_t self:fifo_file rw_fifo_file_perms;
++allow deltacloudd_t self:tcp_socket create_stream_socket_perms;
++allow deltacloudd_t self:unix_stream_socket create_stream_socket_perms;
+
-+domain_dontaudit_read_all_domains_state(chrome_sandbox_t)
++manage_dirs_pattern(deltacloudd_t, deltacloudd_tmp_t, deltacloudd_tmp_t)
++manage_files_pattern(deltacloudd_t, deltacloudd_tmp_t, deltacloudd_tmp_t)
++files_tmp_filetrans(deltacloudd_t, deltacloudd_tmp_t, { file dir })
+
-+dev_read_urand(chrome_sandbox_t)
-+dev_read_sysfs(chrome_sandbox_t)
-+dev_rwx_zero(chrome_sandbox_t)
-+dev_dontaudit_getattr_all_chr_files(chrome_sandbox_t)
++manage_files_pattern(deltacloudd_t, deltacloudd_var_run_t, deltacloudd_var_run_t)
++manage_dirs_pattern(deltacloudd_t, deltacloudd_var_run_t, deltacloudd_var_run_t)
++manage_lnk_files_pattern(deltacloudd_t, deltacloudd_var_run_t, deltacloudd_var_run_t)
++files_pid_filetrans(deltacloudd_t, deltacloudd_var_run_t, { file dir })
+
-+files_read_etc_files(chrome_sandbox_t)
-+files_read_usr_files(chrome_sandbox_t)
++manage_files_pattern(deltacloudd_t, deltacloudd_log_t, deltacloudd_log_t)
++manage_dirs_pattern(deltacloudd_t, deltacloudd_log_t, deltacloudd_log_t)
++logging_log_filetrans(deltacloudd_t, deltacloudd_log_t, { file dir })
+
-+fs_dontaudit_getattr_all_fs(chrome_sandbox_t)
++kernel_read_kernel_sysctls(deltacloudd_t)
++kernel_read_system_state(deltacloudd_t)
+
-+userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_t)
-+userdom_execute_user_tmpfs_files(chrome_sandbox_t)
++corecmd_exec_bin(deltacloudd_t)
+
-+userdom_use_user_ptys(chrome_sandbox_t)
-+userdom_write_inherited_user_tmp_files(chrome_sandbox_t)
-+userdom_read_inherited_user_home_content_files(chrome_sandbox_t)
-+userdom_dontaudit_use_user_terminals(chrome_sandbox_t)
-+userdom_search_user_home_content(chrome_sandbox_t)
-+# This one we should figure a way to make it more secure
-+userdom_manage_home_certs(chrome_sandbox_t)
++corenet_tcp_bind_generic_node(deltacloudd_t)
++corenet_tcp_bind_generic_port(deltacloudd_t)
++corenet_tcp_connect_http_port(deltacloudd_t)
++corenet_tcp_connect_keystone_port(deltacloudd_t)
+
-+miscfiles_read_fonts(chrome_sandbox_t)
++auth_use_nsswitch(deltacloudd_t)
+
-+sysnet_dns_name_resolve(chrome_sandbox_t)
++logging_send_syslog_msg(deltacloudd_t)
+
+optional_policy(`
-+ gnome_rw_inherited_config(chrome_sandbox_t)
-+ gnome_read_home_config(chrome_sandbox_t)
++ sysnet_read_config(deltacloudd_t)
+')
+
-+optional_policy(`
-+ mozilla_write_user_home_files(chrome_sandbox_t)
-+')
++########################################
++#
++# iwhd local policy
++#
+
-+optional_policy(`
-+ xserver_use_user_fonts(chrome_sandbox_t)
-+ xserver_user_x_domain_template(chrome_sandbox, chrome_sandbox_t, chrome_sandbox_tmpfs_t)
-+')
++allow iwhd_t self:capability { chown kill };
++allow iwhd_t self:process { fork };
+
-+tunable_policy(`use_nfs_home_dirs',`
-+ fs_search_nfs(chrome_sandbox_t)
-+ fs_exec_nfs_files(chrome_sandbox_t)
-+ fs_read_nfs_files(chrome_sandbox_t)
-+ fs_rw_inherited_nfs_files(chrome_sandbox_t)
-+ fs_read_nfs_symlinks(chrome_sandbox_t)
-+ fs_dontaudit_append_nfs_files(chrome_sandbox_t)
-+')
++allow iwhd_t self:netlink_route_socket r_netlink_socket_perms;
++allow iwhd_t self:unix_stream_socket create_stream_socket_perms;
+
-+tunable_policy(`use_samba_home_dirs',`
-+ fs_search_cifs(chrome_sandbox_t)
-+ fs_exec_cifs_files(chrome_sandbox_t)
-+ fs_rw_inherited_cifs_files(chrome_sandbox_t)
-+ fs_read_cifs_files(chrome_sandbox_t)
-+ fs_read_cifs_symlinks(chrome_sandbox_t)
-+ fs_dontaudit_append_cifs_files(chrome_sandbox_t)
-+')
++manage_dirs_pattern(iwhd_t, iwhd_var_lib_t, iwhd_var_lib_t)
++manage_files_pattern(iwhd_t, iwhd_var_lib_t, iwhd_var_lib_t)
+
-+tunable_policy(`use_fusefs_home_dirs',`
-+ fs_search_fusefs(chrome_sandbox_t)
-+ fs_read_fusefs_files(chrome_sandbox_t)
-+ fs_exec_fusefs_files(chrome_sandbox_t)
-+ fs_read_fusefs_symlinks(chrome_sandbox_t)
-+')
++manage_files_pattern(iwhd_t, iwhd_log_t, iwhd_log_t)
++logging_log_filetrans(iwhd_t, iwhd_log_t, { file })
+
-+optional_policy(`
-+ sandbox_use_ptys(chrome_sandbox_t)
-+')
++manage_dirs_pattern(iwhd_t, iwhd_var_run_t, iwhd_var_run_t)
++manage_files_pattern(iwhd_t, iwhd_var_run_t, iwhd_var_run_t)
++files_pid_filetrans(iwhd_t, iwhd_var_run_t, { dir file })
++
++kernel_read_system_state(iwhd_t)
++
++corenet_tcp_bind_generic_node(iwhd_t)
++corenet_tcp_bind_websm_port(iwhd_t)
++corenet_tcp_connect_all_ports(iwhd_t)
+
++dev_read_rand(iwhd_t)
++dev_read_urand(iwhd_t)
++
++userdom_home_manager(iwhd_t)
+
+########################################
+#
-+# chrome_sandbox_nacl local policy
++# mongod local policy
+#
+
-+allow chrome_sandbox_nacl_t self:process { execmem setsched sigkill sigstop signull signal };
-+
-+allow chrome_sandbox_nacl_t self:fifo_file manage_fifo_file_perms;
-+allow chrome_sandbox_nacl_t self:unix_stream_socket create_stream_socket_perms;
-+allow chrome_sandbox_nacl_t self:shm create_shm_perms;
-+allow chrome_sandbox_nacl_t self:unix_dgram_socket { create_socket_perms sendto };
-+allow chrome_sandbox_nacl_t chrome_sandbox_t:unix_stream_socket { getattr write read };
-+allow chrome_sandbox_t chrome_sandbox_nacl_t:unix_stream_socket { getattr write read };
-+allow chrome_sandbox_nacl_t chrome_sandbox_t:unix_dgram_socket { read write };
++allow mongod_t self:process { execmem setsched signal };
+
-+allow chrome_sandbox_nacl_t chrome_sandbox_t:shm rw_shm_perms;
-+allow chrome_sandbox_nacl_t chrome_sandbox_tmpfs_t:file rw_inherited_file_perms;
-+allow chrome_sandbox_t chrome_sandbox_nacl_t:process { sigkill sigstop signull signal share };
++allow mongod_t self:netlink_route_socket r_netlink_socket_perms;
++allow mongod_t self:unix_stream_socket create_stream_socket_perms;
++allow mongod_t self:udp_socket create_socket_perms;
+
-+manage_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t)
-+fs_tmpfs_filetrans(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, file)
++manage_dirs_pattern(mongod_t, mongod_log_t, mongod_log_t)
++manage_files_pattern(mongod_t, mongod_log_t, mongod_log_t)
++logging_log_filetrans(mongod_t, mongod_log_t, file, "dbomatic.log")
++logging_log_filetrans(mongod_t, mongod_log_t, file, "mongod.log")
+
-+domain_use_interactive_fds(chrome_sandbox_nacl_t)
++manage_dirs_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
++manage_files_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
+
-+dontaudit chrome_sandbox_nacl_t self:memprotect mmap_zero;
++manage_dirs_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t)
++manage_files_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t)
++manage_sock_files_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t)
++files_tmp_filetrans(mongod_t, mongod_tmp_t, { file dir sock_file })
+
-+domtrans_pattern(chrome_sandbox_t, chrome_sandbox_nacl_exec_t, chrome_sandbox_nacl_t)
-+ps_process_pattern(chrome_sandbox_t, chrome_sandbox_nacl_t)
++manage_dirs_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
++manage_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
++#needed by dbomatic
++files_pid_filetrans(mongod_t, mongod_var_run_t, { file })
+
-+kernel_read_state(chrome_sandbox_nacl_t)
-+kernel_read_system_state(chrome_sandbox_nacl_t)
++corecmd_exec_bin(mongod_t)
++corecmd_exec_shell(mongod_t)
+
-+corecmd_sbin_entry_type(chrome_sandbox_nacl_t)
++corenet_tcp_bind_generic_node(mongod_t)
++corenet_tcp_bind_mongod_port(mongod_t)
++corenet_tcp_connect_postgresql_port(mongod_t)
+
-+dev_read_urand(chrome_sandbox_nacl_t)
-+dev_read_sysfs(chrome_sandbox_nacl_t)
++kernel_read_vm_sysctls(mongod_t)
++kernel_read_system_state(mongod_t)
+
-+files_read_etc_files(chrome_sandbox_nacl_t)
++fs_getattr_all_fs(mongod_t)
+
-+init_read_state(chrome_sandbox_nacl_t)
++optional_policy(`
++ mysql_stream_connect(mongod_t)
++')
+
-+userdom_use_inherited_user_ptys(chrome_sandbox_nacl_t)
-+userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_nacl_t)
-+userdom_execute_user_tmpfs_files(chrome_sandbox_nacl_t)
-+userdom_rw_inherited_user_tmp_files(chrome_sandbox_nacl_t)
-+userdom_dontaudit_read_user_home_content_files(chrome_sandbox_nacl_t)
++optional_policy(`
++ postgresql_stream_connect(mongod_t)
++')
+
+optional_policy(`
-+ gnome_dontaudit_write_config_files(chrome_sandbox_nacl_t)
++ sysnet_dns_name_resolve(mongod_t)
+')
-diff --git a/chronyd.fc b/chronyd.fc
-index fd8cd0b..f33885f 100644
---- a/chronyd.fc
-+++ b/chronyd.fc
-@@ -2,8 +2,12 @@
-
- /etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0)
+diff --git a/cmirrord.if b/cmirrord.if
+index cc4e7cb..f348d27 100644
+--- a/cmirrord.if
++++ b/cmirrord.if
+@@ -73,10 +73,11 @@ interface(`cmirrord_rw_shm',`
+ type cmirrord_t, cmirrord_tmpfs_t;
+ ')
-+/usr/lib/systemd/system/chrony.* -- gen_context(system_u:object_r:chronyd_unit_file_t,s0)
-+
- /usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0)
+- allow $1 cmirrord_t:shm rw_shm_perms;
++ allow $1 cmirrord_t:shm { rw_shm_perms destroy };
- /var/lib/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_lib_t,s0)
- /var/log/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_log_t,s0)
- /var/run/chronyd\.pid -- gen_context(system_u:object_r:chronyd_var_run_t,s0)
-+/var/run/chronyd(/.*) gen_context(system_u:object_r:chronyd_var_run_t,s0)
-+/var/run/chronyd\.sock gen_context(system_u:object_r:chronyd_var_run_t,s0)
-diff --git a/chronyd.if b/chronyd.if
-index 9a0da94..113eae2 100644
---- a/chronyd.if
-+++ b/chronyd.if
-@@ -19,6 +19,24 @@ interface(`chronyd_domtrans',`
- domtrans_pattern($1, chronyd_exec_t, chronyd_t)
+ allow $1 cmirrord_tmpfs_t:dir list_dir_perms;
+ rw_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
++ delete_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
+ read_lnk_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
+ fs_search_tmpfs($1)
')
+@@ -103,9 +104,13 @@ interface(`cmirrord_admin',`
+ type cmirrord_t, cmirrord_initrc_exec_t, cmirrord_var_run_t;
+ ')
-+########################################
-+## <summary>
-+## Execute chronyd server in the chronyd domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed to transition.
-+## </summary>
-+## </param>
-+#
-+interface(`chronyd_initrc_domtrans',`
-+ gen_require(`
-+ type chronyd_initrc_exec_t;
+- allow $1 cmirrord_t:process { ptrace signal_perms };
++ allow $1 cmirrord_t:process signal_perms;
+ ps_process_pattern($1, cmirrord_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 cmirrord_t:process ptrace;
+ ')
+
-+ init_labeled_script_domtrans($1, chronyd_initrc_exec_t)
-+')
-+
- ####################################
- ## <summary>
- ## Execute chronyd
-@@ -56,6 +74,125 @@ interface(`chronyd_read_log',`
- read_files_pattern($1, chronyd_var_log_t, chronyd_var_log_t)
- ')
-
-+########################################
-+## <summary>
-+## Read and write chronyd shared memory.
-+## </summary>
+ cmirrord_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 cmirrord_initrc_exec_t system_r;
+diff --git a/cmirrord.te b/cmirrord.te
+index d8e9958..0046a69 100644
+--- a/cmirrord.te
++++ b/cmirrord.te
+@@ -42,16 +42,12 @@ files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, file)
+ domain_use_interactive_fds(cmirrord_t)
+ domain_obj_id_change_exemption(cmirrord_t)
+
+-files_read_etc_files(cmirrord_t)
+-
+ storage_create_fixed_disk_dev(cmirrord_t)
+
+ seutil_read_file_contexts(cmirrord_t)
+
+ logging_send_syslog_msg(cmirrord_t)
+
+-miscfiles_read_localization(cmirrord_t)
+-
+ optional_policy(`
+ corosync_stream_connect(cmirrord_t)
+ ')
+diff --git a/cobbler.if b/cobbler.if
+index c223f81..1f3d0b7 100644
+--- a/cobbler.if
++++ b/cobbler.if
+@@ -38,6 +38,28 @@ interface(`cobblerd_initrc_domtrans',`
+ init_labeled_script_domtrans($1, cobblerd_initrc_exec_t)
+ ')
+
++
++
++########################################
++## <summary>
++## Read cobbler configuration dirs.
++## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
-+interface(`chronyd_rw_shm',`
++interface(`cobbler_list_config',`
+ gen_require(`
-+ type chronyd_t, chronyd_tmpfs_t;
++ type cobbler_etc_t;
+ ')
+
-+ allow $1 chronyd_t:shm rw_shm_perms;
-+ allow $1 chronyd_tmpfs_t:dir list_dir_perms;
-+ rw_files_pattern($1, chronyd_tmpfs_t, chronyd_tmpfs_t)
-+ read_lnk_files_pattern($1, chronyd_tmpfs_t, chronyd_tmpfs_t)
-+ fs_search_tmpfs($1)
++ list_dirs_pattern($1, cobbler_etc_t, cobbler_etc_t)
++ files_search_etc($1)
++')
++
++
+ ########################################
+ ## <summary>
+ ## Read cobbler configuration files.
+diff --git a/cobbler.te b/cobbler.te
+index 2a71346..30c75af 100644
+--- a/cobbler.te
++++ b/cobbler.te
+@@ -193,12 +193,11 @@ optional_policy(`
+
+ optional_policy(`
+ rsync_read_config(cobblerd_t)
+- rsync_manage_config_files(cobblerd_t)
++ rsync_manage_config(cobblerd_t)
+ rsync_etc_filetrans_config(cobblerd_t, file, "rsync.conf")
+ ')
+
+ optional_policy(`
+- tftp_manage_config_files(cobblerd_t)
+- tftp_etc_filetrans_config(cobblerd_t, file, "tftp")
++ tftp_manage_config(cobblerd_t)
+ tftp_filetrans_tftpdir(cobblerd_t, cobbler_var_lib_t, { dir file })
+ ')
+diff --git a/collectd.fc b/collectd.fc
+index 79a3abe..2e7d7ed 100644
+--- a/collectd.fc
++++ b/collectd.fc
+@@ -1,5 +1,7 @@
+ /etc/rc\.d/init\.d/collectd -- gen_context(system_u:object_r:collectd_initrc_exec_t,s0)
+
++/usr/lib/systemd/system/collectd.* -- gen_context(system_u:object_r:collectd_unit_file_t,s0)
++
+ /usr/sbin/collectd -- gen_context(system_u:object_r:collectd_exec_t,s0)
+
+ /var/lib/collectd(/.*)? gen_context(system_u:object_r:collectd_var_lib_t,s0)
+diff --git a/collectd.if b/collectd.if
+index 954309e..f4db2ca 100644
+--- a/collectd.if
++++ b/collectd.if
+@@ -2,8 +2,144 @@
+
+ ########################################
+ ## <summary>
+-## All of the rules required to
+-## administrate an collectd environment.
++## Transition to collectd.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`collectd_domtrans',`
++ gen_require(`
++ type collectd_t, collectd_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, collectd_exec_t, collectd_t)
+')
+
+########################################
+## <summary>
-+## Read chronyd keys files.
++## Execute collectd server in the collectd domain.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -9158,17 +10789,17 @@ index 9a0da94..113eae2 100644
+## </summary>
+## </param>
+#
-+interface(`chronyd_read_keys',`
++interface(`collectd_initrc_domtrans',`
+ gen_require(`
-+ type chronyd_keys_t;
++ type collectd_initrc_exec_t;
+ ')
+
-+ read_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
++ init_labeled_script_domtrans($1, collectd_initrc_exec_t)
+')
+
+########################################
+## <summary>
-+## Append chronyd keys files.
++## Search collectd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
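Review bot: The summary added for `collectd_initrc_domtrans` reads `## Execute collectd server in the collectd domain.`, which describes what `collectd_domtrans` (summarised as "Transition to collectd." in the hunk above) already does, not what this interface grants: `init_labeled_script_domtrans($1, collectd_initrc_exec_t)` moves the caller into the init script domain, not into collectd_t. A caller choosing between the two interfaces by their documentation cannot tell them apart. Suggest `## Execute the collectd init script in the initrc domain.` as the summary here; the same sentence is reused for `collectd_systemctl` further down, where something like `## Manage the collectd systemd unit file and its service.` would match the rules that interface actually grants.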
@@ -9176,40 +10807,37 @@ index 9a0da94..113eae2 100644
+## </summary>
+## </param>
+#
-+interface(`chronyd_append_keys',`
++interface(`collectd_search_lib',`
+ gen_require(`
-+ type chronyd_keys_t;
++ type collectd_var_lib_t;
+ ')
+
-+ append_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
++ allow $1 collectd_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
-+## Execute chronyd server in the chronyd domain.
++## Read collectd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain allowed to transition.
++## Domain allowed access.
+## </summary>
+## </param>
+#
-+interface(`chronyd_systemctl',`
++interface(`collectd_read_lib_files',`
+ gen_require(`
-+ type chronyd_t;
-+ type chronyd_unit_file_t;
++ type collectd_var_lib_t;
+ ')
+
-+ systemd_exec_systemctl($1)
-+ allow $1 chronyd_unit_file_t:file read_file_perms;
-+ allow $1 chronyd_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, chronyd_t)
++ files_search_var_lib($1)
++ read_files_pattern($1, collectd_var_lib_t, collectd_var_lib_t)
+')
+
+########################################
+## <summary>
-+## Connect to chronyd over a unix stream socket.
++## Manage collectd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
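Review bot: `collectd_search_lib` grants its directory access with a raw `allow $1 collectd_var_lib_t:dir search_dir_perms;` while the neighbouring interface in this hunk, `collectd_read_lib_files`, uses the refpolicy pattern macros (`read_files_pattern`). `search_dirs_pattern($1, collectd_var_lib_t, collectd_var_lib_t)` grants the same permission in the module's own idiom, and placing `files_search_var_lib($1)` first, as `collectd_read_lib_files` does, keeps the two interfaces uniform. This is a point of style only; the access granted does not change.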
@@ -9217,19 +10845,18 @@ index 9a0da94..113eae2 100644
+## </summary>
+## </param>
+#
-+interface(`chronyd_stream_connect',`
++interface(`collectd_manage_lib_files',`
+ gen_require(`
-+ type chronyd_t, chronyd_var_run_t;
++ type collectd_var_lib_t;
+ ')
+
-+ files_search_pids($1)
-+ stream_connect_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t)
++ files_search_var_lib($1)
++ manage_files_pattern($1, collectd_var_lib_t, collectd_var_lib_t)
+')
+
+########################################
+## <summary>
-+## Send to chronyd over a unix domain
-+## datagram socket.
++## Manage collectd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -9237,712 +10864,577 @@ index 9a0da94..113eae2 100644
+## </summary>
+## </param>
+#
-+interface(`chronyd_dgram_send',`
++interface(`collectd_manage_lib_dirs',`
+ gen_require(`
-+ type chronyd_t;
++ type collectd_var_lib_t;
+ ')
+
-+ allow $1 chronyd_t:unix_dgram_socket sendto;
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, collectd_var_lib_t, collectd_var_lib_t)
+')
+
- ####################################
- ## <summary>
- ## All of the rules required to administrate
-@@ -75,31 +212,38 @@ interface(`chronyd_read_log',`
- #
- interface(`chronyd_admin',`
++########################################
++## <summary>
++## Execute collectd server in the collectd domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`collectd_systemctl',`
++ gen_require(`
++ type collectd_t;
++ type collectd_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 collectd_unit_file_t:file read_file_perms;
++ allow $1 collectd_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, collectd_t)
++')
++
++########################################
++## <summary>
++## All of the rules required to administrate
++## an collectd environment
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -20,13 +156,17 @@
+ interface(`collectd_admin',`
gen_require(`
-- type chronyd_t, chronyd_var_log_t;
-- type chronyd_var_run_t, chronyd_var_lib_t;
-- type chronyd_initrc_exec_t, chronyd_keys_t;
-+ type chronyd_t, chronyd_var_log_t, chronyd_var_run_t;
-+ type chronyd_var_lib_t, chronyd_tmpfs_t, chronyd_initrc_exec_t;
-+ type chronyd_keys_t, chronyd_unit_file_t;
+ type collectd_t, collectd_initrc_exec_t, collectd_var_run_t;
+- type collectd_var_lib_t;
++ type collectd_var_lib_t, collectd_unit_file_t;
')
-- allow $1 chronyd_t:process { ptrace signal_perms };
-+ allow $1 chronyd_t:process signal_perms;
- ps_process_pattern($1, chronyd_t)
+- allow $1 collectd_t:process { ptrace signal_perms };
++ allow $1 collectd_t:process signal_perms;
+ ps_process_pattern($1, collectd_t)
+- init_labeled_script_domtrans($1, collectd_initrc_exec_t)
+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 chronyd_t:process ptrace;
++ allow $1 collectd_t:process ptrace;
+ ')
+
- init_labeled_script_domtrans($1, chronyd_initrc_exec_t)
++ collectd_initrc_domtrans($1)
domain_system_change_exemption($1)
- role_transition $2 chronyd_initrc_exec_t system_r;
+ role_transition $2 collectd_initrc_exec_t system_r;
allow $2 system_r;
+@@ -36,4 +176,9 @@ interface(`collectd_admin',`
-- files_search_etc($1)
-+ files_list_etc($1)
- admin_pattern($1, chronyd_keys_t)
-
-- logging_search_logs($1)
-+ logging_list_logs($1)
- admin_pattern($1, chronyd_var_log_t)
-
-- files_search_var_lib($1)
-+ files_list_var_lib($1)
- admin_pattern($1, chronyd_var_lib_t)
-
-- files_search_pids($1)
-+ files_list_pids($1)
- admin_pattern($1, chronyd_var_run_t)
-
-- files_search_tmp($1)
-- admin_pattern($1, chronyd_tmp_t)
-+ admin_pattern($1, chronyd_tmpfs_t)
+ files_search_var_lib($1)
+ admin_pattern($1, collectd_var_lib_t)
+
-+ admin_pattern($1, chronyd_unit_file_t)
-+ chronyd_systemctl($1)
-+ allow $1 chronyd_unit_file_t:service all_service_perms;
++ collectd_systemctl($1)
++ admin_pattern($1, collectd_unit_file_t)
++ allow $1 collectd_unit_file_t:service all_service_perms;
')
-diff --git a/chronyd.te b/chronyd.te
-index fa82327..ab88d78 100644
---- a/chronyd.te
-+++ b/chronyd.te
-@@ -15,6 +15,12 @@ init_script_file(chronyd_initrc_exec_t)
- type chronyd_keys_t;
- files_type(chronyd_keys_t)
-
-+type chronyd_tmpfs_t;
-+files_tmpfs_file(chronyd_tmpfs_t)
-+
-+type chronyd_unit_file_t;
-+systemd_unit_file(chronyd_unit_file_t)
-+
- type chronyd_var_lib_t;
- files_type(chronyd_var_lib_t)
-
-@@ -30,13 +36,18 @@ files_pid_file(chronyd_var_run_t)
- #
-
- allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time };
--allow chronyd_t self:process { getcap setcap setrlimit };
-+allow chronyd_t self:process { getcap setcap setrlimit signal };
- allow chronyd_t self:shm create_shm_perms;
- allow chronyd_t self:udp_socket create_socket_perms;
- allow chronyd_t self:unix_dgram_socket create_socket_perms;
-+allow chronyd_t self:fifo_file rw_fifo_file_perms;
-
- allow chronyd_t chronyd_keys_t:file read_file_perms;
-
-+manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
-+manage_files_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
-+fs_tmpfs_filetrans(chronyd_t, chronyd_tmpfs_t, { dir file })
+
- manage_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
- manage_dirs_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
- manage_sock_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
-@@ -48,8 +59,15 @@ logging_log_filetrans(chronyd_t, chronyd_var_log_t, { file dir })
+diff --git a/collectd.te b/collectd.te
+index 6471fa8..4704562 100644
+--- a/collectd.te
++++ b/collectd.te
+@@ -26,6 +26,9 @@ files_type(collectd_var_lib_t)
+ type collectd_var_run_t;
+ files_pid_file(collectd_var_run_t)
- manage_files_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t)
- manage_dirs_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t)
--files_pid_filetrans(chronyd_t, chronyd_var_run_t, file)
-+manage_sock_files_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t)
-+files_pid_filetrans(chronyd_t, chronyd_var_run_t, { dir file sock_file })
-+
-+kernel_read_system_state(chronyd_t)
-+kernel_read_network_state(chronyd_t)
++type collectd_unit_file_t;
++systemd_unit_file(collectd_unit_file_t)
+
-+corecmd_exec_shell(chronyd_t)
-
-+corenet_udp_bind_generic_node(chronyd_t)
- corenet_udp_bind_ntp_port(chronyd_t)
- # bind to udp/323
- corenet_udp_bind_chronyd_port(chronyd_t)
-@@ -61,7 +79,7 @@ auth_use_nsswitch(chronyd_t)
-
- logging_send_syslog_msg(chronyd_t)
+ apache_content_template(collectd)
--miscfiles_read_localization(chronyd_t)
-+mta_send_mail(chronyd_t)
-
- optional_policy(`
- gpsd_rw_shm(chronyd_t)
-diff --git a/cipe.te b/cipe.te
-index 8e1ef38..08b238c 100644
---- a/cipe.te
-+++ b/cipe.te
-@@ -28,7 +28,6 @@ kernel_read_system_state(ciped_t)
- corecmd_exec_shell(ciped_t)
- corecmd_exec_bin(ciped_t)
+ ########################################
+@@ -57,13 +60,9 @@ dev_read_sysfs(collectd_t)
+ dev_read_urand(collectd_t)
--corenet_all_recvfrom_unlabeled(ciped_t)
- corenet_all_recvfrom_netlabel(ciped_t)
- corenet_udp_sendrecv_generic_if(ciped_t)
- corenet_udp_sendrecv_generic_node(ciped_t)
-@@ -53,8 +52,6 @@ fs_search_auto_mountpoints(ciped_t)
+ files_getattr_all_dirs(collectd_t)
+-files_read_etc_files(collectd_t)
+-files_read_usr_files(collectd_t)
- logging_send_syslog_msg(ciped_t)
+ fs_getattr_all_fs(collectd_t)
--miscfiles_read_localization(ciped_t)
+-miscfiles_read_localization(collectd_t)
-
- sysnet_read_config(ciped_t)
-
- userdom_dontaudit_use_unpriv_user_fds(ciped_t)
-diff --git a/clamav.fc b/clamav.fc
-index e8e9a21..9c47777 100644
---- a/clamav.fc
-+++ b/clamav.fc
-@@ -1,5 +1,5 @@
- /etc/clamav(/.*)? gen_context(system_u:object_r:clamd_etc_t,s0)
--/etc/rc\.d/init\.d/clamd-wrapper -- gen_context(system_u:object_r:clamd_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/clamd.* -- gen_context(system_u:object_r:clamd_initrc_exec_t,s0)
+ logging_send_syslog_msg(collectd_t)
- /usr/bin/clamscan -- gen_context(system_u:object_r:clamscan_exec_t,s0)
- /usr/bin/clamdscan -- gen_context(system_u:object_r:clamscan_exec_t,s0)
-@@ -8,9 +8,13 @@
- /usr/sbin/clamd -- gen_context(system_u:object_r:clamd_exec_t,s0)
- /usr/sbin/clamav-milter -- gen_context(system_u:object_r:clamd_exec_t,s0)
+ sysnet_dns_name_resolve(collectd_t)
+@@ -88,3 +87,4 @@ optional_policy(`
+ list_dirs_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
+ miscfiles_setattr_fonts_cache_dirs(httpd_collectd_script_t)
+ ')
++
+diff --git a/colord.fc b/colord.fc
+index 717ea0b..22e0385 100644
+--- a/colord.fc
++++ b/colord.fc
+@@ -4,5 +4,7 @@
+ /usr/libexec/colord -- gen_context(system_u:object_r:colord_exec_t,s0)
+ /usr/libexec/colord-sane -- gen_context(system_u:object_r:colord_exec_t,s0)
-+/usr/lib/systemd/system/clamd.* -- gen_context(system_u:object_r:clamd_unit_file_t,s0)
++/usr/lib/systemd/system/colord.* -- gen_context(system_u:object_r:colord_unit_file_t,s0)
+
- /var/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0)
- /var/lib/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0)
-+/var/lib/clamd.* gen_context(system_u:object_r:clamd_var_lib_t,s0)
- /var/log/clamav.* gen_context(system_u:object_r:clamd_var_log_t,s0)
-+/var/log/freshclam.* -- gen_context(system_u:object_r:freshclam_var_log_t,s0)
- /var/log/clamav/freshclam.* -- gen_context(system_u:object_r:freshclam_var_log_t,s0)
- /var/log/clamd.* gen_context(system_u:object_r:clamd_var_log_t,s0)
- /var/run/amavis(d)?/clamd\.pid -- gen_context(system_u:object_r:clamd_var_run_t,s0)
-diff --git a/clamav.if b/clamav.if
-index bbac14a..99c5cca 100644
---- a/clamav.if
-+++ b/clamav.if
-@@ -33,6 +33,7 @@ interface(`clamav_stream_connect',`
- type clamd_t, clamd_var_run_t;
+ /var/lib/color(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0)
+ /var/lib/colord(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0)
+diff --git a/colord.if b/colord.if
+index 8e27a37..fa2c3cb 100644
+--- a/colord.if
++++ b/colord.if
+@@ -1,4 +1,4 @@
+-## <summary>GNOME color manager.</summary>
++## <summary>GNOME color manager</summary>
+
+ ########################################
+ ## <summary>
+@@ -15,7 +15,6 @@ interface(`colord_domtrans',`
+ type colord_t, colord_exec_t;
')
-+ files_search_pids($1)
- stream_connect_pattern($1, clamd_var_run_t, clamd_var_run_t, clamd_t)
+- corecmd_search_bin($1)
+ domtrans_pattern($1, colord_exec_t, colord_t)
')
-@@ -133,6 +134,68 @@ interface(`clamav_exec_clamscan',`
-
- ########################################
- ## <summary>
-+## Manage clamd pid content.
+@@ -58,3 +57,26 @@ interface(`colord_read_lib_files',`
+ files_search_var_lib($1)
+ read_files_pattern($1, colord_var_lib_t, colord_var_lib_t)
+ ')
++
++########################################
++## <summary>
++## Execute colord server in the colord domain.
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain allowed access.
++## Domain allowed to transition.
+## </summary>
+## </param>
+#
-+interface(`clamav_manage_clamd_pid',`
++interface(`colord_systemctl',`
+ gen_require(`
-+ type clamd_var_run_t;
++ type colord_t;
++ type colord_unit_file_t;
+ ')
+
-+ manage_dirs_pattern($1, clamd_var_run_t, clamd_var_run_t)
-+ manage_files_pattern($1, clamd_var_run_t, clamd_var_run_t)
-+')
-+
-+#######################################
-+## <summary>
-+## Read clamd state files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`clamav_read_state_clamd',`
-+ gen_require(`
-+ type clamd_t;
-+ ')
-+
-+ kernel_search_proc($1)
-+ ps_process_pattern($1, clamd_t)
-+')
-+
-+#######################################
-+## <summary>
-+## Execute clamd server in the clamd domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed to transition.
-+## </summary>
-+## </param>
-+#
-+interface(`clamd_systemctl',`
-+ gen_require(`
-+ type clamd_t;
-+ type clamd_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ allow $1 clamd_unit_file_t:file read_file_perms;
-+ allow $1 clamd_unit_file_t:service manage_service_perms;
++ systemd_exec_systemctl($1)
++ allow $1 colord_unit_file_t:file read_file_perms;
++ allow $1 colord_unit_file_t:service manage_service_perms;
+
-+ ps_process_pattern($1, clamd_t)
++ ps_process_pattern($1, colord_t)
+')
-+
-+########################################
-+## <summary>
- ## All of the rules required to administrate
- ## an clamav environment
- ## </summary>
-@@ -151,19 +214,25 @@ interface(`clamav_exec_clamscan',`
- interface(`clamav_admin',`
- gen_require(`
- type clamd_t, clamd_etc_t, clamd_tmp_t;
-- type clamd_var_log_t, clamd_var_lib_t;
-- type clamd_var_run_t, clamscan_t, clamscan_tmp_t;
-- type clamd_initrc_exec_t;
-+ type clamd_var_log_t, clamd_var_lib_t, clamd_var_run_t;
-+ type clamscan_t, clamscan_tmp_t, clamd_initrc_exec_t;
- type freshclam_t, freshclam_var_log_t;
-+ type clamd_unit_file_t;
- ')
+diff --git a/colord.te b/colord.te
+index 09f18e2..5c8bb84 100644
+--- a/colord.te
++++ b/colord.te
+@@ -8,6 +8,7 @@ policy_module(colord, 1.0.2)
+ type colord_t;
+ type colord_exec_t;
+ dbus_system_domain(colord_t, colord_exec_t)
++init_daemon_domain(colord_t, colord_exec_t)
-- allow $1 clamd_t:process { ptrace signal_perms };
-+ allow $1 clamd_t:process signal_perms;
- ps_process_pattern($1, clamd_t)
+ type colord_tmp_t;
+ files_tmp_file(colord_tmp_t)
+@@ -18,6 +19,9 @@ files_tmpfs_file(colord_tmpfs_t)
+ type colord_var_lib_t;
+ files_type(colord_var_lib_t)
-- allow $1 clamscan_t:process { ptrace signal_perms };
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 clamd_t:process ptrace;
-+ allow $1 clamscan_t:process ptrace;
-+ allow $1 freshclam_t:process ptrace;
-+ ')
++type colord_unit_file_t;
++systemd_unit_file(colord_unit_file_t)
+
-+ allow $1 clamscan_t:process signal_perms;
- ps_process_pattern($1, clamscan_t)
-
-- allow $1 freshclam_t:process { ptrace signal_perms };
-+ allow $1 freshclam_t:process signal_perms;
- ps_process_pattern($1, freshclam_t)
-
- init_labeled_script_domtrans($1, clamd_initrc_exec_t)
-@@ -171,6 +240,10 @@ interface(`clamav_admin',`
- role_transition $2 clamd_initrc_exec_t system_r;
- allow $2 system_r;
-
-+ clamd_systemctl($1)
-+ admin_pattern($1, clamd_unit_file_t)
-+ allow $1 clamd_unit_file_t:service all_service_perms;
+ ########################################
+ #
+ # Local policy
+@@ -26,10 +30,13 @@ files_type(colord_var_lib_t)
+ allow colord_t self:capability { dac_read_search dac_override };
+ dontaudit colord_t self:capability sys_admin;
+ allow colord_t self:process signal;
+
- files_list_etc($1)
- admin_pattern($1, clamd_etc_t)
-
-@@ -189,4 +262,10 @@ interface(`clamav_admin',`
- admin_pattern($1, clamscan_tmp_t)
+ allow colord_t self:fifo_file rw_fifo_file_perms;
+ allow colord_t self:netlink_kobject_uevent_socket create_socket_perms;
+-allow colord_t self:tcp_socket { accept listen };
++allow colord_t self:tcp_socket create_stream_socket_perms;
+ allow colord_t self:shm create_shm_perms;
++allow colord_t self:udp_socket create_socket_perms;
++allow colord_t self:unix_dgram_socket create_socket_perms;
- admin_pattern($1, freshclam_var_log_t)
-+
-+ optional_policy(`
-+ systemd_passwd_agent_exec($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ ')
-+
- ')
-diff --git a/clamav.te b/clamav.te
-index a10350e..a28f16e 100644
---- a/clamav.te
-+++ b/clamav.te
-@@ -1,9 +1,23 @@
- policy_module(clamav, 1.10.0)
+ manage_dirs_pattern(colord_t, colord_tmp_t, colord_tmp_t)
+ manage_files_pattern(colord_t, colord_tmp_t, colord_tmp_t)
+@@ -74,9 +81,8 @@ dev_read_video_dev(colord_t)
+ dev_write_video_dev(colord_t)
+ dev_rw_printer(colord_t)
+ dev_read_rand(colord_t)
+-dev_read_sysfs(colord_t)
+ dev_read_urand(colord_t)
+-dev_list_sysfs(colord_t)
++dev_read_sysfs(colord_t)
+ dev_rw_generic_usb_dev(colord_t)
- ## <desc>
--## <p>
--## Allow clamd to use JIT compiler
--## </p>
-+## <p>
-+## Allow clamscan to read user content
-+## </p>
-+## </desc>
-+gen_tunable(clamscan_read_user_content, false)
-+
-+## <desc>
-+## <p>
-+## Allow clamscan to non security files on a system
-+## </p>
-+## </desc>
-+gen_tunable(clamscan_can_scan_system, false)
-+
-+## <desc>
-+## <p>
-+## Allow clamd to use JIT compiler
-+## </p>
- ## </desc>
- gen_tunable(clamd_use_jit, false)
+ domain_use_interactive_fds(colord_t)
+@@ -84,8 +90,9 @@ domain_use_interactive_fds(colord_t)
+ files_list_mnt(colord_t)
+ files_read_usr_files(colord_t)
-@@ -24,6 +38,9 @@ files_config_file(clamd_etc_t)
- type clamd_initrc_exec_t;
- init_script_file(clamd_initrc_exec_t)
++fs_search_all(colord_t)
+ fs_getattr_noxattr_fs(colord_t)
+-fs_getattr_tmpfs(colord_t)
++fs_dontaudit_getattr_all_fs(colord_t)
+ fs_list_noxattr_fs(colord_t)
+ fs_read_noxattr_fs_files(colord_t)
+ fs_search_all(colord_t)
+@@ -100,7 +107,11 @@ auth_use_nsswitch(colord_t)
-+type clamd_unit_file_t;
-+systemd_unit_file(clamd_unit_file_t)
-+
- # tmp files
- type clamd_tmp_t;
- files_tmp_file(clamd_tmp_t)
-@@ -64,6 +81,8 @@ logging_log_file(freshclam_var_log_t)
+ logging_send_syslog_msg(colord_t)
- allow clamd_t self:capability { kill setgid setuid dac_override };
- dontaudit clamd_t self:capability sys_tty_config;
-+allow clamd_t self:process signal;
+-miscfiles_read_localization(colord_t)
++fs_getattr_tmpfs(colord_t)
++userdom_rw_user_tmpfs_files(colord_t)
+
- allow clamd_t self:fifo_file rw_fifo_file_perms;
- allow clamd_t self:unix_stream_socket { create_stream_socket_perms connectto };
- allow clamd_t self:unix_dgram_socket create_socket_perms;
-@@ -80,6 +99,7 @@ manage_files_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t)
- files_tmp_filetrans(clamd_t, clamd_tmp_t, { file dir })
-
- # var/lib files for clamd
-+manage_sock_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
- manage_dirs_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
- manage_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
-
-@@ -89,9 +109,10 @@ manage_files_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t)
- logging_log_filetrans(clamd_t, clamd_var_log_t, { dir file })
-
- # pid file
-+manage_dirs_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)
- manage_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)
- manage_sock_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)
--files_pid_filetrans(clamd_t, clamd_var_run_t, { file dir })
-+files_pid_filetrans(clamd_t, clamd_var_run_t, { sock_file file dir })
-
- kernel_dontaudit_list_proc(clamd_t)
- kernel_read_sysctl(clamd_t)
-@@ -100,7 +121,6 @@ kernel_read_system_state(clamd_t)
-
- corecmd_exec_shell(clamd_t)
-
--corenet_all_recvfrom_unlabeled(clamd_t)
- corenet_all_recvfrom_netlabel(clamd_t)
- corenet_tcp_sendrecv_generic_if(clamd_t)
- corenet_tcp_sendrecv_generic_node(clamd_t)
-@@ -110,6 +130,7 @@ corenet_tcp_bind_generic_node(clamd_t)
- corenet_tcp_bind_clamd_port(clamd_t)
- corenet_tcp_bind_generic_port(clamd_t)
- corenet_tcp_connect_generic_port(clamd_t)
-+corenet_tcp_connect_clamd_port(clamd_t)
- corenet_sendrecv_clamd_server_packets(clamd_t)
-
- dev_read_rand(clamd_t)
-@@ -117,7 +138,6 @@ dev_read_urand(clamd_t)
-
- domain_use_interactive_fds(clamd_t)
-
--files_read_etc_files(clamd_t)
- files_read_etc_runtime_files(clamd_t)
- files_search_spool(clamd_t)
-
-@@ -125,30 +145,51 @@ auth_use_nsswitch(clamd_t)
-
- logging_send_syslog_msg(clamd_t)
++userdom_home_reader(colord_t)
++userdom_read_inherited_user_home_content_files(colord_t)
--miscfiles_read_localization(clamd_t)
--
--cron_use_fds(clamd_t)
--cron_use_system_job_fds(clamd_t)
--cron_rw_pipes(clamd_t)
--
--mta_read_config(clamd_t)
--mta_send_mail(clamd_t)
--
- optional_policy(`
- amavis_read_lib_files(clamd_t)
- amavis_read_spool_files(clamd_t)
-- amavis_spool_filetrans(clamd_t, clamd_var_run_t, sock_file)
-+ amavis_spool_filetrans(clamd_t, clamd_var_run_t, { file dir sock_file })
- amavis_create_pid_files(clamd_t)
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_getattr_nfs(colord_t)
+@@ -120,6 +131,12 @@ optional_policy(`
')
optional_policy(`
-+ cron_use_fds(clamd_t)
-+ cron_use_system_job_fds(clamd_t)
-+ cron_rw_pipes(clamd_t)
++ gnome_read_home_icc_data_content(colord_t)
++ # Fixes lots of breakage in F16 on upgrade
++ gnome_read_generic_data_home_files(colord_t)
+')
+
+optional_policy(`
- exim_read_spool_files(clamd_t)
+ policykit_dbus_chat(colord_t)
+ policykit_domtrans_auth(colord_t)
+ policykit_read_lib(colord_t)
+@@ -133,3 +150,13 @@ optional_policy(`
+ optional_policy(`
+ udev_read_db(colord_t)
')
-
-+optional_policy(`
-+ mta_read_config(clamd_t)
-+ mta_send_mail(clamd_t)
-+')
-+
-+optional_policy(`
-+ spamd_stream_connect(clamd_t)
-+ spamassassin_read_pid_files(clamd_t)
-+')
-+
- tunable_policy(`clamd_use_jit',`
- allow clamd_t self:process execmem;
--', `
-+ allow clamscan_t self:process execmem;
-+',`
- dontaudit clamd_t self:process execmem;
-+ dontaudit clamscan_t self:process execmem;
-+')
+
+optional_policy(`
-+ antivirus_domain_template(clamd_t)
++ xserver_dbus_chat_xdm(colord_t)
++ # /var/lib/gdm/.local/share/icc/edid-0a027915105823af34f99b1704e80336.icc
++ xserver_read_inherited_xdm_lib_files(colord_t)
+')
+
+optional_policy(`
-+ antivirus_domain_template(clamscan_t)
++ zoneminder_rw_tmpfs_files(colord_t)
+')
-+
-+optional_policy(`
-+ antivirus_domain_template(freshclam_t)
- ')
-
- ########################################
-@@ -178,17 +219,27 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file)
-
- # log files (own logfiles only)
- manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t)
--allow freshclam_t freshclam_var_log_t:dir setattr;
--allow freshclam_t clamd_var_log_t:dir search_dir_perms;
-+allow freshclam_t freshclam_var_log_t:dir setattr_dir_perms;
-+read_files_pattern(freshclam_t, clamd_var_log_t, clamd_var_log_t)
- logging_log_filetrans(freshclam_t, freshclam_var_log_t, file)
+diff --git a/comsat.te b/comsat.te
+index 3f6e4dc..88c4f19 100644
+--- a/comsat.te
++++ b/comsat.te
+@@ -37,6 +37,13 @@ kernel_read_kernel_sysctls(comsat_t)
+ kernel_read_network_state(comsat_t)
+ kernel_read_system_state(comsat_t)
--corenet_all_recvfrom_unlabeled(freshclam_t)
-+kernel_dontaudit_list_proc(freshclam_t)
-+kernel_read_kernel_sysctls(freshclam_t)
-+kernel_read_network_state(freshclam_t)
-+kernel_read_system_state(freshclam_t)
-+
-+corecmd_exec_shell(freshclam_t)
-+corecmd_exec_bin(freshclam_t)
++corenet_all_recvfrom_netlabel(comsat_t)
++corenet_tcp_sendrecv_generic_if(comsat_t)
++corenet_udp_sendrecv_generic_if(comsat_t)
++corenet_tcp_sendrecv_generic_node(comsat_t)
++corenet_udp_sendrecv_generic_node(comsat_t)
++corenet_udp_sendrecv_all_ports(comsat_t)
+
- corenet_all_recvfrom_netlabel(freshclam_t)
- corenet_tcp_sendrecv_generic_if(freshclam_t)
- corenet_tcp_sendrecv_generic_node(freshclam_t)
- corenet_tcp_sendrecv_all_ports(freshclam_t)
- corenet_tcp_sendrecv_clamd_port(freshclam_t)
- corenet_tcp_connect_http_port(freshclam_t)
-+corenet_tcp_connect_http_cache_port(freshclam_t)
-+corenet_tcp_connect_clamd_port(freshclam_t)
-+corenet_tcp_connect_squid_port(freshclam_t)
- corenet_sendrecv_http_client_packets(freshclam_t)
+ dev_read_urand(comsat_t)
- dev_read_rand(freshclam_t)
-@@ -196,27 +247,32 @@ dev_read_urand(freshclam_t)
-
- domain_use_interactive_fds(freshclam_t)
-
--files_read_etc_files(freshclam_t)
-+files_search_var_lib(freshclam_t)
- files_read_etc_runtime_files(freshclam_t)
-+files_read_usr_files(freshclam_t)
-
- auth_use_nsswitch(freshclam_t)
+ fs_getattr_xattr_fs(comsat_t)
+@@ -52,8 +59,6 @@ init_dontaudit_write_utmp(comsat_t)
- logging_send_syslog_msg(freshclam_t)
+ logging_send_syslog_msg(comsat_t)
--miscfiles_read_localization(freshclam_t)
+-miscfiles_read_localization(comsat_t)
-
- clamav_stream_connect(freshclam_t)
-
--optional_policy(`
-- cron_system_entry(freshclam_t, freshclam_exec_t)
--')
-+userdom_stream_connect(freshclam_t)
+ userdom_dontaudit_getattr_user_ttys(comsat_t)
- tunable_policy(`clamd_use_jit',`
- allow freshclam_t self:process execmem;
--', `
-+',`
- dontaudit freshclam_t self:process execmem;
- ')
+ mta_getattr_spool(comsat_t)
+diff --git a/condor.fc b/condor.fc
+index 23dc348..7cc536b 100644
+--- a/condor.fc
++++ b/condor.fc
+@@ -1,4 +1,5 @@
+ /etc/rc\.d/init\.d/condor -- gen_context(system_u:object_r:condor_initrc_exec_t,s0)
++/usr/lib/systemd/system/condor.* -- gen_context(system_u:object_r:condor_unit_file_t,s0)
-+optional_policy(`
-+ clamd_systemctl(freshclam_t)
-+')
+ /usr/sbin/condor_collector -- gen_context(system_u:object_r:condor_collector_exec_t,s0)
+ /usr/sbin/condor_master -- gen_context(system_u:object_r:condor_master_exec_t,s0)
+diff --git a/condor.if b/condor.if
+index 3fe3cb8..684b700 100644
+--- a/condor.if
++++ b/condor.if
+@@ -1,81 +1,392 @@
+-## <summary>High-Throughput Computing System.</summary>
+
-+optional_policy(`
-+ cron_system_entry(freshclam_t, freshclam_exec_t)
++## <summary>policy for condor</summary>
++
++#####################################
++## <summary>
++## Creates types and rules for a basic
++## condor init daemon domain.
++## </summary>
++## <param name="prefix">
++## <summary>
++## Prefix for the domain.
++## </summary>
++## </param>
++#
++template(`condor_domain_template',`
++ gen_require(`
++ type condor_master_t;
++ attribute condor_domain;
++ ')
++
++ #############################
++ #
++ # Declarations
++ #
++
++ type condor_$1_t, condor_domain;
++ type condor_$1_exec_t;
++ init_daemon_domain(condor_$1_t, condor_$1_exec_t)
++ role system_r types condor_$1_t;
++
++ domtrans_pattern(condor_master_t, condor_$1_exec_t, condor_$1_t)
++ allow condor_master_t condor_$1_exec_t:file ioctl;
++
++ kernel_read_system_state(condor_$1_t)
++
++ corenet_all_recvfrom_netlabel(condor_$1_t)
++ corenet_all_recvfrom_unlabeled(condor_$1_t)
++
++ auth_use_nsswitch(condor_$1_t)
++
++ logging_send_syslog_msg(condor_$1_t)
+')
+
- ########################################
- #
- # clamscam local policy
-@@ -242,15 +298,39 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir })
- manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t)
- allow clamscan_t clamd_var_lib_t:dir list_dir_perms;
++########################################
++## <summary>
++## Transition to condor.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`condor_domtrans',`
++ gen_require(`
++ type condor_t, condor_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, condor_exec_t, condor_t)
++')
--corenet_all_recvfrom_unlabeled(clamscan_t)
-+read_files_pattern(clamscan_t, clamd_var_run_t, clamd_var_run_t)
-+allow clamscan_t clamd_var_run_t:dir list_dir_perms;
+ #######################################
+ ## <summary>
+-## The template to define a condor domain.
++## Allows to start userland processes
++## by transitioning to the specified domain,
++## with a range transition.
++## </summary>
++## <param name="domain">
++## <summary>
++## The process type entered by condor_startd.
++## </summary>
++## </param>
++## <param name="entrypoint">
++## <summary>
++## The executable type for the entrypoint.
++## </summary>
++## </param>
++## <param name="range">
++## <summary>
++## Range for the domain.
++## </summary>
++## </param>
++#
++interface(`condor_startd_ranged_domtrans_to',`
++ gen_require(`
++ type sshd_t;
++ ')
++ condor_startd_domtrans_to($1, $2)
+
-+kernel_dontaudit_list_proc(clamscan_t)
-+kernel_read_system_state(clamscan_t)
+
- corenet_all_recvfrom_netlabel(clamscan_t)
- corenet_tcp_sendrecv_generic_if(clamscan_t)
- corenet_tcp_sendrecv_generic_node(clamscan_t)
- corenet_tcp_sendrecv_all_ports(clamscan_t)
- corenet_tcp_sendrecv_clamd_port(clamscan_t)
-+corenet_tcp_bind_generic_node(clamscan_t)
- corenet_tcp_connect_clamd_port(clamscan_t)
-
-+corecmd_read_all_executables(clamscan_t)
++ ifdef(`enable_mcs',`
++ range_transition condor_startd_t $2:process $3;
++ ')
+
-+tunable_policy(`clamscan_read_user_content',`
-+ userdom_read_user_home_content_files(clamscan_t)
-+ userdom_dontaudit_read_user_home_content_files(clamscan_t)
+')
+
-+tunable_policy(`clamscan_can_scan_system',`
-+ files_read_non_security_files(clamscan_t)
-+ files_getattr_all_pipes(clamscan_t)
-+ files_getattr_all_sockets(clamscan_t)
++#######################################
++## <summary>
++## Allows to start userlandprocesses
++## by transitioning to the specified domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## The process type entered by condor_startd.
++## </summary>
++## </param>
++## <param name="entrypoint">
++## <summary>
++## The executable type for the entrypoint.
++## </summary>
++## </param>
++#
++interface(`condor_startd_domtrans_to',`
++ gen_require(`
++ type condor_startd_t;
++ ')
+
-+ files_read_non_security_files(clamd_t)
-+ files_getattr_all_pipes(clamd_t)
-+ files_getattr_all_sockets(clamd_t)
++ domtrans_pattern(condor_startd_t, $2, $1)
+')
+
- kernel_read_kernel_sysctls(clamscan_t)
-+kernel_read_system_state(clamscan_t)
++########################################
++## <summary>
++## Read condor's log files.
+ ## </summary>
+-## <param name="domain_prefix">
++## <param name="domain">
+ ## <summary>
+-## Domain prefix to be used.
++## Domain allowed access.
+ ## </summary>
+ ## </param>
++## <rolecap/>
+ #
+-template(`condor_domain_template',`
++interface(`condor_read_log',`
+ gen_require(`
+- attribute condor_domain;
+- type condor_master_t;
++ type condor_log_t;
+ ')
- files_read_etc_files(clamscan_t)
- files_read_etc_runtime_files(clamscan_t)
-@@ -259,15 +339,15 @@ files_search_var_lib(clamscan_t)
- init_read_utmp(clamscan_t)
- init_dontaudit_write_utmp(clamscan_t)
+- #############################
+- #
+- # Declarations
+- #
++ logging_search_logs($1)
++ read_files_pattern($1, condor_log_t, condor_log_t)
++')
--miscfiles_read_localization(clamscan_t)
- miscfiles_read_public_files(clamscan_t)
+- type condor_$1_t, condor_domain;
+- type condor_$1_exec_t;
+- domain_type(condor_$1_t)
+- domain_entry_file(condor_$1_t, condor_$1_exec_t)
+- role system_r types condor_$1_t;
++########################################
++## <summary>
++## Append to condor log files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`condor_append_log',`
++ gen_require(`
++ type condor_log_t;
++ ')
- clamav_stream_connect(clamscan_t)
+- #############################
+- #
+- # Policy
+- #
++ logging_search_logs($1)
++ append_files_pattern($1, condor_log_t, condor_log_t)
++')
--mta_send_mail(clamscan_t)
-+sysnet_read_config(clamscan_t)
+- domtrans_pattern(condor_master_t, condor_$1_exec_t, condor_$1_t)
+- allow condor_master_t condor_$1_exec_t:file ioctl;
++########################################
++## <summary>
++## Manage condor log files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`condor_manage_log',`
++ gen_require(`
++ type condor_log_t;
++ ')
- optional_policy(`
-- amavis_read_spool_files(clamscan_t)
-+ mta_send_mail(clamscan_t)
-+ mta_read_queue(clamscan_t)
+- auth_use_nsswitch(condor_$1_t)
++ logging_search_logs($1)
++ manage_dirs_pattern($1, condor_log_t, condor_log_t)
++ manage_files_pattern($1, condor_log_t, condor_log_t)
++ manage_lnk_files_pattern($1, condor_log_t, condor_log_t)
')
- optional_policy(`
-diff --git a/clockspeed.te b/clockspeed.te
-index b40f3f7..e8c9c35 100644
---- a/clockspeed.te
-+++ b/clockspeed.te
-@@ -26,7 +26,6 @@ allow clockspeed_cli_t self:udp_socket create_socket_perms;
-
- read_files_pattern(clockspeed_cli_t, clockspeed_var_lib_t, clockspeed_var_lib_t)
-
--corenet_all_recvfrom_unlabeled(clockspeed_cli_t)
- corenet_all_recvfrom_netlabel(clockspeed_cli_t)
- corenet_udp_sendrecv_generic_if(clockspeed_cli_t)
- corenet_udp_sendrecv_generic_node(clockspeed_cli_t)
-@@ -36,9 +35,8 @@ corenet_sendrecv_ntp_client_packets(clockspeed_cli_t)
- files_list_var_lib(clockspeed_cli_t)
- files_read_etc_files(clockspeed_cli_t)
-
--miscfiles_read_localization(clockspeed_cli_t)
-
--userdom_use_user_terminals(clockspeed_cli_t)
-+userdom_use_inherited_user_terminals(clockspeed_cli_t)
-
########################################
- #
-@@ -53,7 +51,6 @@ allow clockspeed_srv_t self:unix_stream_socket create_socket_perms;
- manage_files_pattern(clockspeed_srv_t, clockspeed_var_lib_t, clockspeed_var_lib_t)
- manage_fifo_files_pattern(clockspeed_srv_t, clockspeed_var_lib_t, clockspeed_var_lib_t)
-
--corenet_all_recvfrom_unlabeled(clockspeed_srv_t)
- corenet_all_recvfrom_netlabel(clockspeed_srv_t)
- corenet_udp_sendrecv_generic_if(clockspeed_srv_t)
- corenet_udp_sendrecv_generic_node(clockspeed_srv_t)
-@@ -65,7 +62,6 @@ corenet_sendrecv_clockspeed_server_packets(clockspeed_srv_t)
- files_read_etc_files(clockspeed_srv_t)
- files_list_var_lib(clockspeed_srv_t)
-
--miscfiles_read_localization(clockspeed_srv_t)
-
- optional_policy(`
- daemontools_service_domain(clockspeed_srv_t, clockspeed_srv_exec_t)
-diff --git a/clogd.te b/clogd.te
-index 6077339..d44d33f 100644
---- a/clogd.te
-+++ b/clogd.te
-@@ -46,8 +46,6 @@ storage_raw_write_fixed_disk(clogd_t)
-
- logging_send_syslog_msg(clogd_t)
-
--miscfiles_read_localization(clogd_t)
--
- optional_policy(`
- aisexec_stream_connect(clogd_t)
- corosync_stream_connect(clogd_t)
-diff --git a/cloudform.fc b/cloudform.fc
-new file mode 100644
-index 0000000..8a40857
---- /dev/null
-+++ b/cloudform.fc
-@@ -0,0 +1,22 @@
-+/etc/rc\.d/init\.d/iwhd -- gen_context(system_u:object_r:iwhd_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/mongod -- gen_context(system_u:object_r:mongod_initrc_exec_t,s0)
-+
-+/usr/bin/deltacloudd -- gen_context(system_u:object_r:deltacloudd_exec_t,s0)
-+/usr/bin/iwhd -- gen_context(system_u:object_r:iwhd_exec_t,s0)
-+/usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0)
-+
-+/usr/share/aeolus-conductor/dbomatic/dbomatic -- gen_context(system_u:object_r:mongod_exec_t,s0)
+ ## <summary>
+-## All of the rules required to
+-## administrate an condor environment.
++## Search condor lib directories.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <param name="role">
++#
++interface(`condor_search_lib',`
++ gen_require(`
++ type condor_var_lib_t;
++ ')
+
-+/var/lib/iwhd(/.*)? gen_context(system_u:object_r:iwhd_var_lib_t,s0)
-+/var/lib/mongodb(/.*)? gen_context(system_u:object_r:mongod_var_lib_t,s0)
++ allow $1 condor_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
++')
+
-+/var/log/deltacloud-core(/.*)? gen_context(system_u:object_r:deltacloudd_log_t,s0)
-+/var/log/iwhd\.log.* -- gen_context(system_u:object_r:iwhd_log_t,s0)
-+/var/log/mongodb(/.*)? gen_context(system_u:object_r:mongod_log_t,s0)
-+/var/log/mongo(/.*)? gen_context(system_u:object_r:mongod_log_t,s0)
-+/var/log/mongo/mongod\.log.* -- gen_context(system_u:object_r:mongod_log_t,s0)
-+/var/log/aeolus-conductor/dbomatic\.log.* -- gen_context(system_u:object_r:mongod_log_t,s0)
++########################################
++## <summary>
++## Read condor lib files.
++## </summary>
++## <param name="domain">
+ ## <summary>
+-## Role allowed access.
++## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`condor_admin',`
++interface(`condor_read_lib_files',`
++ gen_require(`
++ type condor_var_lib_t;
++ ')
+
-+/var/run/mongodb(/.*)? gen_context(system_u:object_r:mongod_var_run_t,s0)
-+/var/run/aeolus/dbomatic\.pid -- gen_context(system_u:object_r:mongod_var_run_t,s0)
-+/var/run/iwhd\.pid -- gen_context(system_u:object_r:iwhd_var_run_t,s0)
-diff --git a/cloudform.if b/cloudform.if
-new file mode 100644
-index 0000000..8ac848b
---- /dev/null
-+++ b/cloudform.if
-@@ -0,0 +1,42 @@
-+## <summary>cloudform policy</summary>
++ files_search_var_lib($1)
++ read_files_pattern($1, condor_var_lib_t, condor_var_lib_t)
++')
+
-+#######################################
++######################################
+## <summary>
-+## Creates types and rules for a basic
-+## cloudform daemon domain.
++## Read and write condor lib files.
+## </summary>
-+## <param name="prefix">
++## <param name="domain">
+## <summary>
-+## Prefix for the domain.
++## Domain allowed access.
+## </summary>
+## </param>
+#
-+template(`cloudform_domain_template',`
++interface(`condor_rw_lib_files',`
+ gen_require(`
-+ attribute cloudform_domain;
++ type condor_var_lib_t;
+ ')
+
-+ type $1_t, cloudform_domain;
-+ type $1_exec_t;
-+ init_daemon_domain($1_t, $1_exec_t)
-+
-+ kernel_read_system_state($1_t)
++ files_search_var_lib($1)
++ rw_files_pattern($1, condor_var_lib_t, condor_var_lib_t)
+')
+
-+######################################
++########################################
+## <summary>
-+## Execute mongod in the caller domain.
++## Manage condor lib files.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -9950,432 +11442,294 @@ index 0000000..8ac848b
+## </summary>
+## </param>
+#
-+interface(`cloudform_exec_mongod',`
-+ gen_require(`
-+ type mongod_exec_t;
-+ ')
++interface(`condor_manage_lib_files',`
++ gen_require(`
++ type condor_var_lib_t;
++ ')
+
-+ can_exec($1, mongod_exec_t)
++ files_search_var_lib($1)
++ manage_files_pattern($1, condor_var_lib_t, condor_var_lib_t)
+')
-diff --git a/cloudform.te b/cloudform.te
-new file mode 100644
-index 0000000..b73fed6
---- /dev/null
-+++ b/cloudform.te
-@@ -0,0 +1,201 @@
-+policy_module(cloudform, 1.0)
++
+########################################
++## <summary>
++## Manage condor lib directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
+#
-+# Declarations
-+#
-+
-+attribute cloudform_domain;
-+
-+cloudform_domain_template(deltacloudd)
-+cloudform_domain_template(iwhd)
-+cloudform_domain_template(mongod)
-+
-+type deltacloudd_log_t;
-+logging_log_file(deltacloudd_log_t)
-+
-+type deltacloudd_var_run_t;
-+files_pid_file(deltacloudd_var_run_t)
++interface(`condor_manage_lib_dirs',`
++ gen_require(`
++ type condor_var_lib_t;
++ ')
+
-+type deltacloudd_tmp_t;
-+files_tmp_file(deltacloudd_tmp_t)
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, condor_var_lib_t, condor_var_lib_t)
++')
+
-+type iwhd_initrc_exec_t;
-+init_script_file(iwhd_initrc_exec_t)
++########################################
++## <summary>
++## Read condor PID files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`condor_read_pid_files',`
++ gen_require(`
++ type condor_var_run_t;
++ ')
+
-+type iwhd_var_lib_t;
-+files_type(iwhd_var_lib_t)
++ files_search_pids($1)
++ allow $1 condor_var_run_t:file read_file_perms;
++')
+
-+type iwhd_var_run_t;
-+files_pid_file(iwhd_var_run_t)
++########################################
++## <summary>
++## Execute condor server in the condor domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`condor_systemctl',`
++ gen_require(`
++ type condor_t;
++ type condor_unit_file_t;
++ ')
+
-+type mongod_initrc_exec_t;
-+init_script_file(mongod_initrc_exec_t)
++ systemd_exec_systemctl($1)
++ systemd_read_fifo_file_passwd_run($1)
++ allow $1 condor_unit_file_t:file read_file_perms;
++ allow $1 condor_unit_file_t:service manage_service_perms;
+
-+type mongod_log_t;
-+logging_log_file(mongod_log_t)
++ ps_process_pattern($1, condor_t)
++')
+
-+type mongod_var_lib_t;
-+files_type(mongod_var_lib_t)
+
-+type mongod_tmp_t;
-+files_tmp_file(mongod_tmp_t)
++#######################################
++## <summary>
++## Read and write condor_startd server TCP sockets.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`condor_rw_tcp_sockets_startd',`
+ gen_require(`
+- attribute condor_domain;
+- type condor_initrc_exec_config_t, condor_log_t;
+- type condor_var_lib_t, condor_var_lock_t, condor_schedd_tmp_t;
+- type condor_var_run_t, condor_startd_tmp_t;
++ type condor_startd_t;
+ ')
+
+- allow $1 condor_domain:process { ptrace signal_perms };
++ allow $1 condor_startd_t:tcp_socket rw_socket_perms;
++')
+
-+type mongod_var_run_t;
-+files_pid_file(mongod_var_run_t)
++######################################
++## <summary>
++## Read and write condor_schedd server TCP sockets.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`condor_rw_tcp_sockets_schedd',`
++ gen_require(`
++ type condor_schedd_t;
++ ')
+
-+type iwhd_log_t;
-+logging_log_file(iwhd_log_t)
++ allow $1 condor_schedd_t:tcp_socket rw_socket_perms;
++')
+
+########################################
++## <summary>
++## All of the rules required to administrate
++## an condor environment
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
+#
-+# cloudform_domain local policy
-+#
++interface(`condor_admin',`
++ gen_require(`
++ attribute condor_domain;
++ type condor_initrc_exec_config_t, condor_log_t;
++ type condor_var_lib_t, condor_var_lock_t, condor_schedd_tmp_t;
++ type condor_var_run_t, condor_startd_tmp_t;
++ type condor_unit_file_t;
++ ')
+
-+allow cloudform_domain self:fifo_file rw_fifo_file_perms;
-+allow cloudform_domain self:tcp_socket create_stream_socket_perms;
++ allow $1 condor_domain:process { signal_perms };
+ ps_process_pattern($1, condor_domain)
+
+- init_labeled_script_domtrans($1, condor_initrc_exec_t)
+- domain_system_change_exemption($1)
+- role_transition $2 condor_initrc_exec_t system_r;
+- allow $2 system_r;
++ init_labeled_script_domtrans($1, condor_initrc_exec_t)
++ domain_system_change_exemption($1)
++ role_transition $2 condor_initrc_exec_t system_r;
++ allow $2 system_r;
+
+ logging_search_logs($1)
+ admin_pattern($1, condor_log_t)
+
+- files_search_locks($1)
+- admin_pattern($1, condor_var_lock_t)
++ files_search_locks($1)
++ admin_pattern($1, condor_var_lock_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, condor_var_lib_t)
+@@ -85,4 +396,13 @@ interface(`condor_admin',`
+
+ files_search_tmp($1)
+ admin_pattern($1, { condor_schedd_tmp_t condor_startd_tmp_t })
+
-+dev_read_rand(cloudform_domain)
-+dev_read_urand(cloudform_domain)
-+dev_read_sysfs(cloudform_domain)
++ condor_systemctl($1)
++ admin_pattern($1, condor_unit_file_t)
++ allow $1 condor_unit_file_t:service all_service_perms;
+
-+files_read_etc_files(cloudform_domain)
-+
-+auth_read_passwd(cloudform_domain)
-+
-+miscfiles_read_certs(cloudform_domain)
-+
-+########################################
-+#
-+# deltacloudd local policy
-+#
-+
-+allow deltacloudd_t self:capability { dac_override setuid setgid };
-+
-+allow deltacloudd_t self:netlink_route_socket r_netlink_socket_perms;
-+allow deltacloudd_t self:udp_socket create_socket_perms;
-+
-+allow deltacloudd_t self:process signal;
-+
-+allow deltacloudd_t self:fifo_file rw_fifo_file_perms;
-+allow deltacloudd_t self:tcp_socket create_stream_socket_perms;
-+allow deltacloudd_t self:unix_stream_socket create_stream_socket_perms;
-+
-+manage_dirs_pattern(deltacloudd_t, deltacloudd_tmp_t, deltacloudd_tmp_t)
-+manage_files_pattern(deltacloudd_t, deltacloudd_tmp_t, deltacloudd_tmp_t)
-+files_tmp_filetrans(deltacloudd_t, deltacloudd_tmp_t, { file dir })
-+
-+manage_files_pattern(deltacloudd_t, deltacloudd_var_run_t, deltacloudd_var_run_t)
-+manage_dirs_pattern(deltacloudd_t, deltacloudd_var_run_t, deltacloudd_var_run_t)
-+manage_lnk_files_pattern(deltacloudd_t, deltacloudd_var_run_t, deltacloudd_var_run_t)
-+files_pid_filetrans(deltacloudd_t, deltacloudd_var_run_t, { file dir })
-+
-+manage_files_pattern(deltacloudd_t, deltacloudd_log_t, deltacloudd_log_t)
-+manage_dirs_pattern(deltacloudd_t, deltacloudd_log_t, deltacloudd_log_t)
-+logging_log_filetrans(deltacloudd_t, deltacloudd_log_t, { file dir })
-+
-+kernel_read_kernel_sysctls(deltacloudd_t)
-+kernel_read_system_state(deltacloudd_t)
-+
-+corecmd_exec_bin(deltacloudd_t)
-+
-+corenet_tcp_bind_generic_node(deltacloudd_t)
-+corenet_tcp_bind_generic_port(deltacloudd_t)
-+corenet_tcp_connect_http_port(deltacloudd_t)
-+corenet_tcp_connect_keystone_port(deltacloudd_t)
-+
-+auth_use_nsswitch(deltacloudd_t)
-+
-+files_read_usr_files(deltacloudd_t)
-+
-+logging_send_syslog_msg(deltacloudd_t)
-+
-+optional_policy(`
-+ sysnet_read_config(deltacloudd_t)
-+')
-+
-+########################################
-+#
-+# iwhd local policy
-+#
-+
-+allow iwhd_t self:capability { chown kill };
-+allow iwhd_t self:process { fork };
-+
-+allow iwhd_t self:netlink_route_socket r_netlink_socket_perms;
-+allow iwhd_t self:unix_stream_socket create_stream_socket_perms;
-+
-+manage_dirs_pattern(iwhd_t, iwhd_var_lib_t, iwhd_var_lib_t)
-+manage_files_pattern(iwhd_t, iwhd_var_lib_t, iwhd_var_lib_t)
-+
-+manage_files_pattern(iwhd_t, iwhd_log_t, iwhd_log_t)
-+logging_log_filetrans(iwhd_t, iwhd_log_t, { file })
-+
-+manage_dirs_pattern(iwhd_t, iwhd_var_run_t, iwhd_var_run_t)
-+manage_files_pattern(iwhd_t, iwhd_var_run_t, iwhd_var_run_t)
-+files_pid_filetrans(iwhd_t, iwhd_var_run_t, { dir file })
-+
-+kernel_read_system_state(iwhd_t)
-+
-+corenet_tcp_bind_generic_node(iwhd_t)
-+corenet_tcp_bind_websm_port(iwhd_t)
-+corenet_tcp_connect_all_ports(iwhd_t)
-+
-+dev_read_rand(iwhd_t)
-+dev_read_urand(iwhd_t)
-+
-+userdom_home_manager(iwhd_t)
-+
-+########################################
-+#
-+# mongod local policy
-+#
-+
-+allow mongod_t self:process { execmem setsched signal };
-+
-+allow mongod_t self:netlink_route_socket r_netlink_socket_perms;
-+allow mongod_t self:unix_stream_socket create_stream_socket_perms;
-+allow mongod_t self:udp_socket create_socket_perms;
-+
-+manage_dirs_pattern(mongod_t, mongod_log_t, mongod_log_t)
-+manage_files_pattern(mongod_t, mongod_log_t, mongod_log_t)
-+logging_log_filetrans(mongod_t, mongod_log_t, file, "dbomatic.log")
-+logging_log_filetrans(mongod_t, mongod_log_t, file, "mongod.log")
-+
-+manage_dirs_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
-+manage_files_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
-+
-+manage_dirs_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t)
-+manage_files_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t)
-+manage_sock_files_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t)
-+files_tmp_filetrans(mongod_t, mongod_tmp_t, { file dir sock_file })
-+
-+manage_dirs_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
-+manage_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
-+#needed by dbomatic
-+files_pid_filetrans(mongod_t, mongod_var_run_t, { file })
-+
-+corecmd_exec_bin(mongod_t)
-+corecmd_exec_shell(mongod_t)
-+
-+corenet_tcp_bind_generic_node(mongod_t)
-+corenet_tcp_bind_mongod_port(mongod_t)
-+corenet_tcp_connect_postgresql_port(mongod_t)
-+
-+kernel_read_vm_sysctls(mongod_t)
-+kernel_read_system_state(mongod_t)
-+
-+files_read_usr_files(mongod_t)
-+
-+fs_getattr_all_fs(mongod_t)
-+
-+optional_policy(`
-+ mysql_stream_connect(mongod_t)
-+')
-+
-+optional_policy(`
-+ postgresql_stream_connect(mongod_t)
-+')
-+
-+optional_policy(`
-+ sysnet_dns_name_resolve(mongod_t)
-+')
-diff --git a/cmirrord.if b/cmirrord.if
-index f8463c0..cc4d9ef 100644
---- a/cmirrord.if
-+++ b/cmirrord.if
-@@ -70,10 +70,11 @@ interface(`cmirrord_rw_shm',`
- type cmirrord_t, cmirrord_tmpfs_t;
- ')
-
-- allow $1 cmirrord_t:shm rw_shm_perms;
-+ allow $1 cmirrord_t:shm { rw_shm_perms destroy };
-
- allow $1 cmirrord_tmpfs_t:dir list_dir_perms;
- rw_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
-+ delete_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
- read_lnk_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
- fs_search_tmpfs($1)
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
')
-@@ -100,9 +101,13 @@ interface(`cmirrord_admin',`
- type cmirrord_t, cmirrord_initrc_exec_t, cmirrord_var_run_t;
- ')
-
-- allow $1 cmirrord_t:process { ptrace signal_perms };
-+ allow $1 cmirrord_t:process signal_perms;
- ps_process_pattern($1, cmirrord_t)
+diff --git a/condor.te b/condor.te
+index 3f2b672..a7aaf98 100644
+--- a/condor.te
++++ b/condor.te
+@@ -46,6 +46,9 @@ files_lock_file(condor_var_lock_t)
+ type condor_var_run_t;
+ files_pid_file(condor_var_run_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 cmirrord_t:process ptrace;
-+ ')
++type condor_unit_file_t;
++systemd_unit_file(condor_unit_file_t)
+
- cmirrord_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 cmirrord_initrc_exec_t system_r;
-diff --git a/cmirrord.te b/cmirrord.te
-index 28fdd8a..5605ed7 100644
---- a/cmirrord.te
-+++ b/cmirrord.te
-@@ -51,8 +51,6 @@ seutil_read_file_contexts(cmirrord_t)
+ condor_domain_template(collector)
+ condor_domain_template(negotiator)
+ condor_domain_template(procd)
+@@ -59,8 +62,9 @@ condor_domain_template(startd)
- logging_send_syslog_msg(cmirrord_t)
+ allow condor_domain self:process signal_perms;
+ allow condor_domain self:fifo_file rw_fifo_file_perms;
+-allow condor_domain self:tcp_socket { accept listen };
+-allow condor_domain self:unix_stream_socket { accept listen };
++allow condor_domain self:tcp_socket create_stream_socket_perms;
++allow condor_domain self:udp_socket create_socket_perms;
++allow condor_domain self:unix_stream_socket create_stream_socket_perms;
--miscfiles_read_localization(cmirrord_t)
--
- optional_policy(`
- corosync_stream_connect(cmirrord_t)
- ')
-diff --git a/cobbler.fc b/cobbler.fc
-index 1cf6c4e..0858f92 100644
---- a/cobbler.fc
-+++ b/cobbler.fc
-@@ -1,7 +1,35 @@
--/etc/cobbler(/.*)? gen_context(system_u:object_r:cobbler_etc_t, s0)
--/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t, s0)
+ manage_dirs_pattern(condor_domain, condor_log_t, condor_log_t)
+ append_files_pattern(condor_domain, condor_log_t, condor_log_t)
+@@ -86,13 +90,10 @@ allow condor_domain condor_master_t:tcp_socket getattr;
--/usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t, s0)
-+/etc/cobbler(/.*)? gen_context(system_u:object_r:cobbler_etc_t,s0)
-+
-+/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t,s0)
-+
-+/usr/lib/systemd/system/cobblerd.* -- gen_context(system_u:object_r:cobblerd_unit_file_t,s0)
-+
-+/usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t,s0)
-+
-+/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
-+
-+/var/lib/tftpboot/etc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
-+/var/lib/tftpboot/grub(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
-+/var/lib/tftpboot/images(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
-+/var/lib/tftpboot/memdisk -- gen_context(system_u:object_r:cobbler_var_lib_t,s0)
-+/var/lib/tftpboot/menu\.c32 -- gen_context(system_u:object_r:cobbler_var_lib_t,s0)
-+/var/lib/tftpboot/ppc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
-+/var/lib/tftpboot/pxelinux\.0 -- gen_context(system_u:object_r:cobbler_var_lib_t,s0)
-+/var/lib/tftpboot/pxelinux\.cfg(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
-+/var/lib/tftpboot/s390x(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
-+/var/lib/tftpboot/yaboot -- gen_context(system_u:object_r:cobbler_var_lib_t,s0)
-+
-+/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t,s0)
-+
-+# This should removable when cobbler package installs /var/www/cobbler/rendered
-+/var/www/cobbler(/.*)? gen_context(system_u:object_r:httpd_cobbler_content_t,s0)
-+
-+/var/www/cobbler/images(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
-+/var/www/cobbler/ks_mirror(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
-+/var/www/cobbler/links(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
-+/var/www/cobbler/localmirror(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
-+/var/www/cobbler/pub(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
-+/var/www/cobbler/rendered(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
-+/var/www/cobbler/repo_mirror(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+ kernel_read_kernel_sysctls(condor_domain)
+ kernel_read_network_state(condor_domain)
+-kernel_read_system_state(condor_domain)
--/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t, s0)
--/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t, s0)
-diff --git a/cobbler.if b/cobbler.if
-index 116d60f..e2c6ec6 100644
---- a/cobbler.if
-+++ b/cobbler.if
-@@ -1,12 +1,12 @@
- ## <summary>Cobbler installation server.</summary>
- ## <desc>
- ## <p>
--## Cobbler is a Linux installation server that allows for
--## rapid setup of network installation environments. It
--## glues together and automates many associated Linux
--## tasks so you do not have to hop between lots of various
--## commands and applications when rolling out new systems,
--## and, in some cases, changing existing ones.
-+## Cobbler is a Linux installation server that allows for
-+## rapid setup of network installation environments. It
-+## glues together and automates many associated Linux
-+## tasks so you do not have to hop between lots of various
-+## commands and applications when rolling out new systems,
-+## and, in some cases, changing existing ones.
- ## </p>
- ## </desc>
+ corecmd_exec_bin(condor_domain)
+ corecmd_exec_shell(condor_domain)
-@@ -15,9 +15,9 @@
- ## Execute a domain transition to run cobblerd.
- ## </summary>
- ## <param name="domain">
--## <summary>
-+## <summary>
- ## Domain allowed to transition.
--## </summary>
-+## </summary>
- ## </param>
- #
- interface(`cobblerd_domtrans',`
-@@ -26,6 +26,7 @@ interface(`cobblerd_domtrans',`
- ')
+-corenet_all_recvfrom_netlabel(condor_domain)
+-corenet_all_recvfrom_unlabeled(condor_domain)
+ corenet_tcp_sendrecv_generic_if(condor_domain)
+ corenet_tcp_sendrecv_generic_node(condor_domain)
- domtrans_pattern($1, cobblerd_exec_t, cobblerd_t)
-+ corecmd_search_bin($1)
- ')
+@@ -106,10 +107,6 @@ dev_read_rand(condor_domain)
+ dev_read_sysfs(condor_domain)
+ dev_read_urand(condor_domain)
- ########################################
-@@ -48,7 +49,7 @@ interface(`cobblerd_initrc_domtrans',`
+-logging_send_syslog_msg(condor_domain)
+-
+-miscfiles_read_localization(condor_domain)
+-
+ tunable_policy(`condor_tcp_network_connect',`
+ corenet_sendrecv_all_client_packets(condor_domain)
+ corenet_tcp_connect_all_ports(condor_domain)
+@@ -150,8 +147,6 @@ corenet_tcp_sendrecv_amqp_port(condor_master_t)
- ########################################
- ## <summary>
--## Read Cobbler content in /etc
-+## List Cobbler configuration.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -56,19 +57,18 @@ interface(`cobblerd_initrc_domtrans',`
- ## </summary>
- ## </param>
- #
--interface(`cobbler_read_config',`
-+interface(`cobbler_list_config',`
- gen_require(`
- type cobbler_etc_t;
- ')
+ domain_read_all_domains_state(condor_master_t)
-- read_files_pattern($1, cobbler_etc_t, cobbler_etc_t)
-+ list_dirs_pattern($1, cobbler_etc_t, cobbler_etc_t)
- files_search_etc($1)
- ')
+-auth_use_nsswitch(condor_master_t)
+-
+ optional_policy(`
+ mta_send_mail(condor_master_t)
+ mta_read_config(condor_master_t)
+@@ -178,6 +173,8 @@ allow condor_negotiator_t self:capability { setuid setgid };
+ allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms;
+ allow condor_negotiator_t condor_master_t:udp_socket getattr;
- ########################################
- ## <summary>
--## Do not audit attempts to read and write
--## Cobbler log files (leaked fd).
-+## Read Cobbler configuration files.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -76,12 +76,13 @@ interface(`cobbler_read_config',`
- ## </summary>
- ## </param>
++corenet_tcp_connect_all_ephemeral_ports(condor_negotiator_t)
++
+ ######################################
#
--interface(`cobbler_dontaudit_rw_log',`
-+interface(`cobbler_read_config',`
- gen_require(`
-- type cobbler_var_log_t;
-+ type cobbler_etc_t;
- ')
+ # Procd local policy
+@@ -209,6 +206,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
+ relabel_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
+ files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir })
-- dontaudit $1 cobbler_var_log_t:file rw_file_perms;
-+ read_files_pattern($1, cobbler_etc_t, cobbler_etc_t)
-+ files_search_etc($1)
- ')
++corenet_tcp_connect_all_ephemeral_ports(condor_schedd_t)
++
+ #####################################
+ #
+ # Startd local policy
+@@ -233,11 +232,10 @@ domain_read_all_domains_state(condor_startd_t)
+ mcs_process_set_categories(condor_startd_t)
- ########################################
-@@ -100,6 +101,7 @@ interface(`cobbler_search_lib',`
- ')
+ init_domtrans_script(condor_startd_t)
++init_initrc_domain(condor_startd_t)
- search_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
-+ read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
- files_search_var_lib($1)
- ')
+ libs_exec_lib_files(condor_startd_t)
-@@ -119,6 +121,7 @@ interface(`cobbler_read_lib_files',`
+-files_read_usr_files(condor_startd_t)
+-
+ optional_policy(`
+ ssh_basic_client_template(condor_startd, condor_startd_t, system_r)
+ ssh_domtrans(condor_startd_t)
+@@ -249,3 +247,7 @@ optional_policy(`
+ kerberos_use(condor_startd_ssh_t)
')
-
- read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
-+ read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
- files_search_var_lib($1)
')
++
++optional_policy(`
++ unconfined_domain(condor_startd_t)
++')
+diff --git a/consolekit.fc b/consolekit.fc
+index 23c9558..29e5fd3 100644
+--- a/consolekit.fc
++++ b/consolekit.fc
+@@ -1,3 +1,5 @@
++/usr/lib/systemd/system/console-kit.* -- gen_context(system_u:object_r:consolekit_unit_file_t,s0)
++
+ /usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0)
-@@ -137,12 +140,56 @@ interface(`cobbler_manage_lib_files',`
- type cobbler_var_lib_t;
- ')
-
-+ manage_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
- manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
-+ manage_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
- files_search_var_lib($1)
- ')
+ /var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0)
+diff --git a/consolekit.if b/consolekit.if
+index 5b830ec..0647a3b 100644
+--- a/consolekit.if
++++ b/consolekit.if
+@@ -21,6 +21,27 @@ interface(`consolekit_domtrans',`
########################################
## <summary>
-+## Do not audit attempts to read and write
-+## Cobbler log files (leaked fd).
++## dontaudit Send and receive messages from
++## consolekit over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -10383,408 +11737,54 @@ index 116d60f..e2c6ec6 100644
+## </summary>
+## </param>
+#
-+interface(`cobbler_dontaudit_rw_log',`
++interface(`consolekit_dontaudit_dbus_chat',`
+ gen_require(`
-+ type cobbler_var_log_t;
++ type consolekit_t;
++ class dbus send_msg;
+ ')
+
-+ dontaudit $1 cobbler_var_log_t:file rw_inherited_file_perms;
++ dontaudit $1 consolekit_t:dbus send_msg;
++ dontaudit consolekit_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
-+## Execute cobblerd server in the cobblerd domain.
+ ## Send and receive messages from
+ ## consolekit over dbus.
+ ## </summary>
+@@ -42,6 +63,24 @@ interface(`consolekit_dbus_chat',`
+
+ ########################################
+ ## <summary>
++## Dontaudit attempts to read consolekit log files.
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain allowed to transition.
++## Domain to not audit.
+## </summary>
+## </param>
+#
-+interface(`cobblerd_systemctl',`
++interface(`consolekit_dontaudit_read_log',`
+ gen_require(`
-+ type cobblerd_t;
-+ type cobblerd_unit_file_t;
++ type consolekit_log_t;
+ ')
+
-+ systemd_exec_systemctl($1)
-+ allow $1 cobblerd_unit_file_t:file read_file_perms;
-+ allow $1 cobblerd_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, cobblerd_t)
++ dontaudit $1 consolekit_log_t:file read_file_perms;
+')
+
+########################################
+## <summary>
- ## All of the rules required to administrate
- ## an cobblerd environment
+ ## Read consolekit log files.
## </summary>
-@@ -161,25 +208,43 @@ interface(`cobbler_manage_lib_files',`
- interface(`cobblerd_admin',`
- gen_require(`
- type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t;
-- type cobbler_etc_t, cobblerd_initrc_exec_t;
-+ type cobbler_etc_t, cobblerd_initrc_exec_t, httpd_cobbler_content_t;
-+ type httpd_cobbler_content_ra_t, httpd_cobbler_content_rw_t;
-+ type cobblerd_unit_file_t;
- ')
-
-- allow $1 cobblerd_t:process { ptrace signal_perms getattr };
-- read_files_pattern($1, cobblerd_t, cobblerd_t)
-+ allow $1 cobblerd_t:process signal_perms;
-+ ps_process_pattern($1, cobblerd_t)
-
-- files_search_etc($1)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 cobblerd_t:process ptrace;
-+ ')
-+
-+ files_list_etc($1)
- admin_pattern($1, cobbler_etc_t)
-
- files_list_var_lib($1)
- admin_pattern($1, cobbler_var_lib_t)
-
-- logging_search_logs($1)
-+ logging_list_logs($1)
- admin_pattern($1, cobbler_var_log_t)
-
-+ apache_list_sys_content($1)
-+ admin_pattern($1, httpd_cobbler_content_t)
-+ admin_pattern($1, httpd_cobbler_content_ra_t)
- admin_pattern($1, httpd_cobbler_content_rw_t)
-
- cobblerd_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 cobblerd_initrc_exec_t system_r;
- allow $2 system_r;
-+
-+ optional_policy(`
-+ # traverse /var/lib/tftpdir to get to cobbler_var_lib_t there.
-+ tftp_search_rw_content($1)
-+ ')
-+
-+ cobblerd_systemctl($1)
-+ admin_pattern($1, cobblerd_unit_file_t)
-+ allow $1 cobblerd_unit_file_t:service all_service_perms;
- ')
-diff --git a/cobbler.te b/cobbler.te
-index 0258b48..c68160d 100644
---- a/cobbler.te
-+++ b/cobbler.te
-@@ -6,13 +6,35 @@ policy_module(cobbler, 1.1.0)
- #
-
- ## <desc>
--## <p>
--## Allow Cobbler to modify public files
--## used for public file transfer services.
--## </p>
-+## <p>
-+## Allow Cobbler to modify public files
-+## used for public file transfer services.
-+## </p>
- ## </desc>
- gen_tunable(cobbler_anon_write, false)
-
-+## <desc>
-+## <p>
-+## Allow Cobbler to connect to the
-+## network using TCP.
-+## </p>
-+## </desc>
-+gen_tunable(cobbler_can_network_connect, false)
-+
-+## <desc>
-+## <p>
-+## Allow Cobbler to access cifs file systems.
-+## </p>
-+## </desc>
-+gen_tunable(cobbler_use_cifs, false)
-+
-+## <desc>
-+## <p>
-+## Allow Cobbler to access nfs file systems.
-+## </p>
-+## </desc>
-+gen_tunable(cobbler_use_nfs, false)
-+
- type cobblerd_t;
- type cobblerd_exec_t;
- init_daemon_domain(cobblerd_t, cobblerd_exec_t)
-@@ -26,25 +48,43 @@ files_config_file(cobbler_etc_t)
- type cobbler_var_log_t;
- logging_log_file(cobbler_var_log_t)
-
--type cobbler_var_lib_t;
-+type cobbler_var_lib_t alias cobbler_content_t;
- files_type(cobbler_var_lib_t)
-
-+type cobbler_tmp_t;
-+files_tmp_file(cobbler_tmp_t)
-+
-+type cobblerd_unit_file_t;
-+systemd_unit_file(cobblerd_unit_file_t)
-+
- ########################################
- #
- # Cobbler personal policy.
- #
-
--allow cobblerd_t self:capability { chown dac_override fowner sys_nice };
-+allow cobblerd_t self:capability { chown dac_override fowner fsetid sys_nice };
-+dontaudit cobblerd_t self:capability sys_tty_config;
-+
- allow cobblerd_t self:process { getsched setsched signal };
- allow cobblerd_t self:fifo_file rw_fifo_file_perms;
-+allow cobblerd_t self:netlink_route_socket create_netlink_socket_perms;
- allow cobblerd_t self:tcp_socket create_stream_socket_perms;
-+allow cobblerd_t self:udp_socket create_socket_perms;
-+allow cobblerd_t self:unix_dgram_socket create_socket_perms;
-
- list_dirs_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t)
- read_files_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t)
-
-+# Something that runs in the cobberd_t domain tries to relabelfrom cobbler_var_lib_t dir to httpd_sys_content_t.
-+dontaudit cobblerd_t cobbler_var_lib_t:dir relabel_dir_perms;
-+
- manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
- manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
--files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, { dir file })
-+manage_lnk_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
-+files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, { dir file lnk_file })
-+
-+# Something really needs to write to cobbler.log. Ideally this should not be happening.
-+allow cobblerd_t cobbler_var_log_t:file write;
-
- append_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
- create_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
-@@ -52,57 +92,131 @@ read_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
- setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
- logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file)
-
-+manage_dirs_pattern(cobblerd_t, cobbler_tmp_t, cobbler_tmp_t)
-+manage_files_pattern(cobblerd_t, cobbler_tmp_t, cobbler_tmp_t)
-+files_tmp_filetrans(cobblerd_t, cobbler_tmp_t, { dir file })
-+
- kernel_read_system_state(cobblerd_t)
-+kernel_dontaudit_search_network_state(cobblerd_t)
-+
-+auth_read_passwd(cobblerd_t)
-
- corecmd_exec_bin(cobblerd_t)
- corecmd_exec_shell(cobblerd_t)
-
- corenet_all_recvfrom_netlabel(cobblerd_t)
--corenet_all_recvfrom_unlabeled(cobblerd_t)
- corenet_sendrecv_cobbler_server_packets(cobblerd_t)
- corenet_tcp_bind_cobbler_port(cobblerd_t)
- corenet_tcp_bind_generic_node(cobblerd_t)
- corenet_tcp_sendrecv_generic_if(cobblerd_t)
- corenet_tcp_sendrecv_generic_node(cobblerd_t)
- corenet_tcp_sendrecv_generic_port(cobblerd_t)
-+corenet_tcp_sendrecv_cobbler_port(cobblerd_t)
-+# sync and rsync to ftp and http are permitted by default, for any other media use cobbler_can_network_connect.
-+corenet_tcp_connect_ftp_port(cobblerd_t)
-+corenet_tcp_connect_all_ephemeral_ports(cobblerd_t)
-+corenet_tcp_sendrecv_ftp_port(cobblerd_t)
-+corenet_sendrecv_ftp_client_packets(cobblerd_t)
-+corenet_tcp_connect_http_port(cobblerd_t)
-+corenet_tcp_sendrecv_http_port(cobblerd_t)
-+corenet_sendrecv_http_client_packets(cobblerd_t)
-
- dev_read_urand(cobblerd_t)
-
-+domain_dontaudit_exec_all_entry_files(cobblerd_t)
-+domain_dontaudit_read_all_domains_state(cobblerd_t)
-+
-+files_read_etc_files(cobblerd_t)
-+# mtab
-+files_read_etc_runtime_files(cobblerd_t)
- files_read_usr_files(cobblerd_t)
- files_list_boot(cobblerd_t)
-+files_read_boot_files(cobblerd_t)
- files_list_tmp(cobblerd_t)
--# read /etc/nsswitch.conf
--files_read_etc_files(cobblerd_t)
-
--miscfiles_read_localization(cobblerd_t)
-+# read from mounted images (install media)
-+fs_read_iso9660_files(cobblerd_t)
-+
-+auth_read_passwd(cobblerd_t)
-+
-+init_dontaudit_read_all_script_files(cobblerd_t)
-+
-+term_use_console(cobblerd_t)
-+
-+logging_send_syslog_msg(cobblerd_t)
-+
- miscfiles_read_public_files(cobblerd_t)
-
-+selinux_get_enforce_mode(cobblerd_t)
-+
- sysnet_read_config(cobblerd_t)
- sysnet_rw_dhcp_config(cobblerd_t)
- sysnet_write_config(cobblerd_t)
-
-+userdom_dontaudit_use_user_terminals(cobblerd_t)
-+userdom_dontaudit_search_user_home_dirs(cobblerd_t)
-+userdom_dontaudit_search_admin_dir(cobblerd_t)
-+
- tunable_policy(`cobbler_anon_write',`
- miscfiles_manage_public_files(cobblerd_t)
- ')
-
-+tunable_policy(`cobbler_can_network_connect',`
-+ corenet_tcp_connect_all_ports(cobblerd_t)
-+ corenet_tcp_sendrecv_all_ports(cobblerd_t)
-+ corenet_sendrecv_all_client_packets(cobblerd_t)
-+')
-+
-+tunable_policy(`cobbler_use_cifs',`
-+ fs_manage_cifs_dirs(cobblerd_t)
-+ fs_manage_cifs_files(cobblerd_t)
-+ fs_manage_cifs_symlinks(cobblerd_t)
-+')
-+
-+tunable_policy(`cobbler_use_nfs',`
-+ fs_manage_nfs_dirs(cobblerd_t)
-+ fs_manage_nfs_files(cobblerd_t)
-+ fs_manage_nfs_symlinks(cobblerd_t)
-+')
-+
-+optional_policy(`
-+ # Cobbler traverses /var/www to get to /var/www/cobbler/*
-+ apache_search_sys_content(cobblerd_t)
-+')
-+
- optional_policy(`
- bind_read_config(cobblerd_t)
- bind_write_config(cobblerd_t)
- bind_domtrans_ndc(cobblerd_t)
- bind_domtrans(cobblerd_t)
- bind_initrc_domtrans(cobblerd_t)
-+ bind_systemctl(cobblerd_t)
- bind_manage_zone(cobblerd_t)
- ')
-
- optional_policy(`
-+ certmaster_exec(cobblerd_t)
-+')
-+
-+optional_policy(`
- dhcpd_domtrans(cobblerd_t)
- dhcpd_initrc_domtrans(cobblerd_t)
-+ dhcpd_systemctl(cobblerd_t)
- ')
-
- optional_policy(`
- dnsmasq_domtrans(cobblerd_t)
- dnsmasq_initrc_domtrans(cobblerd_t)
- dnsmasq_write_config(cobblerd_t)
-+ dnsmasq_systemctl(cobblerd_t)
-+')
-+
-+optional_policy(`
-+ gnome_dontaudit_search_config(cobblerd_t)
-+')
-+
-+optional_policy(`
-+ puppet_domtrans_puppetca(cobblerd_t)
- ')
-
- optional_policy(`
-@@ -110,12 +224,21 @@ optional_policy(`
- ')
-
- optional_policy(`
-- rsync_read_config(cobblerd_t)
-- rsync_write_config(cobblerd_t)
-+ rsync_exec(cobblerd_t)
-+ rsync_manage_config(cobblerd_t)
-+ # cobbler creates /etc/rsync.conf if its not there.
-+ rsync_filetrans_config(cobblerd_t, file)
- ')
-
- optional_policy(`
-- tftp_manage_rw_content(cobblerd_t)
-+ # Cobbler puts objects in both /var/lib/tftpdir as well as /var/lib/tftpdir/images.
-+ # tftp_manage_rw_content(cobblerd_t) can be used instead if:
-+ # 1. cobbler package installs /var/lib/tftpdir/images.
-+ # 2. no FILES in /var/lib/TFTPDIR are hard linked.
-+ # Cobbler also creates other directories in /var/lib/tftpdir (etc, s390x, ppc, pxelinux.cfg)
-+ # are any of those hard linked?
-+ tftp_filetrans_tftpdir(cobblerd_t, cobbler_var_lib_t, { dir file })
-+ tftp_manage_config(cobblerd_t)
+ ## <param name="domain">
+@@ -98,3 +137,64 @@ interface(`consolekit_read_pid_files',`
+ allow $1 consolekit_var_run_t:dir list_dir_perms;
+ read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
')
-
- ########################################
-@@ -123,6 +246,10 @@ optional_policy(`
- # Cobbler web local policy.
- #
-
--apache_content_template(cobbler)
--manage_dirs_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
--manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
-+optional_policy(`
-+ apache_content_template(cobbler)
-+
-+ list_dirs_pattern(cobblerd_t, httpd_cobbler_content_t, httpd_cobbler_content_t)
-+ manage_dirs_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
-+ manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
-+')
-diff --git a/collectd.fc b/collectd.fc
-new file mode 100644
-index 0000000..2e1007b
---- /dev/null
-+++ b/collectd.fc
-@@ -0,0 +1,13 @@
-+
-+/etc/rc\.d/init\.d/collectd -- gen_context(system_u:object_r:collectd_initrc_exec_t,s0)
-+
-+/usr/lib/systemd/system/collectd.* -- gen_context(system_u:object_r:collectd_unit_file_t,s0)
-+
-+/usr/sbin/collectd -- gen_context(system_u:object_r:collectd_exec_t,s0)
-+
-+/var/lib/collectd(/.*)? gen_context(system_u:object_r:collectd_var_lib_t,s0)
-+
-+/var/run/collectd\.pid gen_context(system_u:object_r:collectd_var_run_t,s0)
-+
-+/usr/share/collectd/collection3/bin/.*\.cgi -- gen_context(system_u:object_r:httpd_collectd_script_exec_t,s0)
-+
-diff --git a/collectd.if b/collectd.if
-new file mode 100644
-index 0000000..40415f8
---- /dev/null
-+++ b/collectd.if
-@@ -0,0 +1,186 @@
-+
-+## <summary>policy for collectd</summary>
-+
-+########################################
-+## <summary>
-+## Transition to collectd.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed to transition.
-+## </summary>
-+## </param>
-+#
-+interface(`collectd_domtrans',`
-+ gen_require(`
-+ type collectd_t, collectd_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, collectd_exec_t, collectd_t)
-+')
-+
+
+########################################
+## <summary>
-+## Execute collectd server in the collectd domain.
++## List consolekit PID files.
+## </summary>
+## <param name="domain">
+## <summary>
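Review bot: The summary of the new `consolekit_dontaudit_dbus_chat` interface reads `## dontaudit Send and receive messages from`, which puts the rule keyword into the prose and does not match the wording of the neighbouring headers (`Do not audit attempts to …`, `Dontaudit attempts to …`); suggest `## Do not audit attempts to send and receive` followed by `## messages from consolekit over dbus.`. The body itself mirrors the existing `consolekit_dbus_chat` pair, requiring `class dbus send_msg` and silencing both directions, so only the documentation needs attention. The consolekit.if hunk continues into the next hunk, which cuts through the header of `consolekit_list_pid_files`.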
@@ -10792,18 +11792,18 @@ index 0000000..40415f8
+## </summary>
+## </param>
+#
-+interface(`collectd_initrc_domtrans',`
++interface(`consolekit_list_pid_files',`
+ gen_require(`
-+ type collectd_initrc_exec_t;
++ type consolekit_var_run_t;
+ ')
+
-+ init_labeled_script_domtrans($1, collectd_initrc_exec_t)
++ files_search_pids($1)
++ list_dirs_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
+')
+
-+
+########################################
+## <summary>
-+## Search collectd lib directories.
++## Allow the domain to read consolekit state files in /proc.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -10811,56 +11811,340 @@ index 0000000..40415f8
+## </summary>
+## </param>
+#
-+interface(`collectd_search_lib',`
++interface(`consolekit_read_state',`
+ gen_require(`
-+ type collectd_var_lib_t;
++ type consolekit_t;
+ ')
+
-+ allow $1 collectd_var_lib_t:dir search_dir_perms;
-+ files_search_var_lib($1)
++ kernel_search_proc($1)
++ ps_process_pattern($1, consolekit_t)
+')
+
+########################################
+## <summary>
-+## Read collectd lib files.
++## Execute consolekit server in the consolekit domain.
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain allowed access.
++## Domain allowed to transition.
+## </summary>
+## </param>
+#
-+interface(`collectd_read_lib_files',`
++interface(`consolekit_systemctl',`
+ gen_require(`
-+ type collectd_var_lib_t;
++ type consolekit_t;
++ type consolekit_unit_file_t;
+ ')
+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, collectd_var_lib_t, collectd_var_lib_t)
++ systemd_exec_systemctl($1)
++ allow $1 consolekit_unit_file_t:file read_file_perms;
++ allow $1 consolekit_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, consolekit_t)
+')
+diff --git a/consolekit.te b/consolekit.te
+index 5f0c793..7d6c470 100644
+--- a/consolekit.te
++++ b/consolekit.te
+@@ -19,12 +19,16 @@ type consolekit_var_run_t;
+ files_pid_file(consolekit_var_run_t)
+ init_daemon_run_dir(consolekit_var_run_t, "ConsoleKit")
+
++type consolekit_unit_file_t;
++systemd_unit_file(consolekit_unit_file_t)
+
-+########################################
-+## <summary>
-+## Manage collectd lib files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
+ ########################################
+ #
+ # Local policy
+ #
+
+ allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice sys_ptrace };
++
+ allow consolekit_t self:process { getsched signal };
+ allow consolekit_t self:fifo_file rw_fifo_file_perms;
+ allow consolekit_t self:unix_stream_socket { accept listen };
+@@ -54,7 +58,6 @@ dev_read_sysfs(consolekit_t)
+
+ domain_read_all_domains_state(consolekit_t)
+ domain_use_interactive_fds(consolekit_t)
+-domain_dontaudit_ptrace_all_domains(consolekit_t)
+
+ files_read_usr_files(consolekit_t)
+ # needs to read /var/lib/dbus/machine-id
+@@ -74,17 +77,17 @@ auth_write_login_records(consolekit_t)
+ logging_send_syslog_msg(consolekit_t)
+ logging_send_audit_msgs(consolekit_t)
+
+-miscfiles_read_localization(consolekit_t)
++systemd_exec_systemctl(consolekit_t)
+
++userdom_read_all_users_state(consolekit_t)
+ userdom_dontaudit_read_user_home_content_files(consolekit_t)
++userdom_dontaudit_getattr_admin_home_files(consolekit_t)
+ userdom_read_user_tmp_files(consolekit_t)
+
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_read_nfs_files(consolekit_t)
+-')
++userdom_home_reader(consolekit_t)
+
+-tunable_policy(`use_samba_home_dirs',`
+- fs_read_cifs_files(consolekit_t)
++optional_policy(`
++ cron_read_system_job_lib_files(consolekit_t)
+ ')
+
+ ifdef(`distro_debian',`
+@@ -113,7 +116,7 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- hal_ptrace(consolekit_t)
++ networkmanager_append_log(consolekit_t)
+ ')
+
+ optional_policy(`
+diff --git a/corosync.fc b/corosync.fc
+index da39f0f..6a96733 100644
+--- a/corosync.fc
++++ b/corosync.fc
+@@ -1,5 +1,7 @@
+ /etc/rc\.d/init\.d/corosync -- gen_context(system_u:object_r:corosync_initrc_exec_t,s0)
+
++/usr/lib/systemd/system/corosync.* -- gen_context(system_u:object_r:corosync_unit_file_t,s0)
++
+ /usr/sbin/corosync -- gen_context(system_u:object_r:corosync_exec_t,s0)
+ /usr/sbin/corosync-notifyd -- gen_context(system_u:object_r:corosync_exec_t,s0)
+
+diff --git a/corosync.if b/corosync.if
+index 694a037..283cf03 100644
+--- a/corosync.if
++++ b/corosync.if
+@@ -91,29 +91,54 @@ interface(`corosync_read_log',`
+ interface(`corosync_stream_connect',`
+ gen_require(`
+ type corosync_t, corosync_var_run_t;
++ type corosync_var_lib_t;
+ ')
+
+ files_search_pids($1)
++ stream_connect_pattern($1, corosync_var_lib_t, corosync_var_lib_t, corosync_t)
+ stream_connect_pattern($1, corosync_var_run_t, corosync_var_run_t, corosync_t)
+ ')
+
+ ######################################
+ ## <summary>
+-## Read and write corosync tmpfs files.
++## Allow the specified domain to read/write corosync's tmpfs files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
+## </param>
+#
-+interface(`collectd_manage_lib_files',`
++interface(`corosync_rw_tmpfs',`
++ gen_require(`
++ type corosync_tmpfs_t;
++ ')
++
++ rw_files_pattern($1, corosync_tmpfs_t, corosync_tmpfs_t)
++
++')
++
++########################################
++## <summary>
++## Execute corosync server in the corosync domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
++## Domain allowed to transition.
+ ## </summary>
+ ## </param>
+ #
+-interface(`corosync_rw_tmpfs',`
++interface(`corosync_systemctl',`
+ gen_require(`
+- type corosync_tmpfs_t;
++ type corosync_t;
++ type corosync_unit_file_t;
+ ')
+
+- fs_search_tmpfs($1)
+- rw_files_pattern($1, corosync_tmpfs_t, corosync_tmpfs_t)
++ systemd_exec_systemctl($1)
++ allow $1 corosync_unit_file_t:file read_file_perms;
++ allow $1 corosync_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, corosync_t)
+ ')
+
+ ######################################
+@@ -160,12 +185,17 @@ interface(`corosync_admin',`
+ type corosync_t, corosync_var_lib_t, corosync_var_log_t;
+ type corosync_var_run_t, corosync_tmp_t, corosync_tmpfs_t;
+ type corosync_initrc_exec_t;
++ type corosync_unit_file_t;
+ ')
+
+- allow $1 corosync_t:process { ptrace signal_perms };
++ allow $1 corosync_t:process signal_perms;
+ ps_process_pattern($1, corosync_t)
+
+- corosync_initrc_domtrans($1)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 corosync_t:process ptrace;
++ ')
++
++ init_labeled_script_domtrans($1, corosync_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 corosync_initrc_exec_t system_r;
+ allow $2 system_r;
+@@ -183,4 +213,8 @@ interface(`corosync_admin',`
+
+ files_list_pids($1)
+ admin_pattern($1, corosync_var_run_t)
++
++ corosync_systemctl($1)
++ admin_pattern($1, corosync_unit_file_t)
++ allow $1 corosync_unit_file_t:service all_service_perms;
+ ')
+diff --git a/corosync.te b/corosync.te
+index eeea48d..dc3795e 100644
+--- a/corosync.te
++++ b/corosync.te
+@@ -28,6 +28,9 @@ logging_log_file(corosync_var_log_t)
+ type corosync_var_run_t;
+ files_pid_file(corosync_var_run_t)
+
++type corosync_unit_file_t;
++systemd_unit_file(corosync_unit_file_t)
++
+ ########################################
+ #
+ # Local policy
+@@ -43,6 +46,8 @@ allow corosync_t self:shm create_shm_perms;
+ allow corosync_t self:unix_dgram_socket sendto;
+ allow corosync_t self:unix_stream_socket { accept connectto listen };
+
++can_exec(corosync_t, corosync_exec_t)
++
+ manage_dirs_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
+ manage_files_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
+ relabel_files_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
+@@ -73,6 +78,8 @@ can_exec(corosync_t, corosync_exec_t)
+ kernel_read_all_sysctls(corosync_t)
+ kernel_read_network_state(corosync_t)
+ kernel_read_system_state(corosync_t)
++kernel_read_network_state(corosync_t)
++kernel_read_all_sysctls(corosync_t)
+
+ corecmd_exec_bin(corosync_t)
+ corecmd_exec_shell(corosync_t)
+@@ -89,6 +96,7 @@ corenet_udp_sendrecv_netsupport_port(corosync_t)
+
+ dev_read_sysfs(corosync_t)
+ dev_read_urand(corosync_t)
++dev_read_sysfs(corosync_t)
+
+ domain_read_all_domains_state(corosync_t)
+
+@@ -106,7 +114,13 @@ logging_send_syslog_msg(corosync_t)
+ miscfiles_read_localization(corosync_t)
+
+ userdom_read_user_tmp_files(corosync_t)
+-userdom_manage_user_tmpfs_files(corosync_t)
++userdom_delete_user_tmpfs_files(corosync_t)
++userdom_rw_user_tmpfs_files(corosync_t)
++
++optional_policy(`
++ fs_manage_tmpfs_files(corosync_t)
++ init_manage_script_status_files(corosync_t)
++')
+
+ optional_policy(`
+ ccs_read_config(corosync_t)
+@@ -133,16 +147,44 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- rhcs_getattr_fenced_exec_files(corosync_t)
++ rhcs_getattr_fenced(corosync_t)
+ rhcs_rw_cluster_shm(corosync_t)
+ rhcs_rw_cluster_semaphores(corosync_t)
+ rhcs_stream_connect_cluster(corosync_t)
+ ')
+
+ optional_policy(`
++ lvm_rw_clvmd_tmpfs_files(corosync_t)
++ lvm_delete_clvmd_tmpfs_files(corosync_t)
++')
++
++optional_policy(`
++ qpidd_rw_shm(corosync_t)
++')
++
++optional_policy(`
++ rhcs_getattr_fenced(corosync_t)
++ # to communication with RHCS
++ rhcs_rw_cluster_shm(corosync_t)
++ rhcs_rw_cluster_semaphores(corosync_t)
++ rhcs_stream_connect_cluster(corosync_t)
++ rhcs_read_cluster_lib_files(corosync_t)
++ rhcs_manage_cluster_lib_files(corosync_t)
++ rhcs_relabel_cluster_lib_files(corosync_t)
++')
++
++optional_policy(`
++ # should be removed in F19
++ # workaround because we switch hearbeat from corosync to rgmanager
++ rgmanager_manage_files(corosync_t)
++
+ rgmanager_manage_tmpfs_files(corosync_t)
+ ')
+
+ optional_policy(`
+ rpc_search_nfs_state_data(corosync_t)
+-')
+\ No newline at end of file
++')
++
++optional_policy(`
++ wdmd_rw_tmpfs(corosync_t)
++')
+diff --git a/couchdb.fc b/couchdb.fc
+index c086302..4f33119 100644
+--- a/couchdb.fc
++++ b/couchdb.fc
+@@ -1,3 +1,6 @@
++
++/usr/lib/systemd/system/couchdb.* -- gen_context(system_u:object_r:couchdb_unit_file_t,s0)
++
+ /etc/couchdb(/.*)? gen_context(system_u:object_r:couchdb_conf_t,s0)
+
+ /etc/rc\.d/init\.d/couchdb -- gen_context(system_u:object_r:couchdb_initrc_exec_t,s0)
+diff --git a/couchdb.if b/couchdb.if
+index 83d6744..627ab43 100644
+--- a/couchdb.if
++++ b/couchdb.if
+@@ -10,6 +10,89 @@
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
++#
++interface(`couchdb_manage_lib_files',`
+ gen_require(`
-+ type collectd_var_lib_t;
++ type couchdb_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
-+ manage_files_pattern($1, collectd_var_lib_t, collectd_var_lib_t)
++ manage_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)
+')
+
+########################################
+## <summary>
-+## Manage collectd lib directories.
++## Manage couchdb lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
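Review bot: The rewritten `corosync_rw_tmpfs` in the corosync.if hunk drops the `fs_search_tmpfs($1)` call the old body had, so a caller relying on this interface alone can no longer traverse the tmpfs mount to reach `corosync_tmpfs_t` files; restore `fs_search_tmpfs($1)` before the `rw_files_pattern` line and drop the stray blank line before `')`. In the same file, the new `stream_connect_pattern($1, corosync_var_lib_t, corosync_var_lib_t, corosync_t)` in `corosync_stream_connect` has no matching `files_search_var_lib($1)`, whereas the var_run path is paired with `files_search_pids($1)`. In corosync.te the hunk re-adds `kernel_read_network_state`, `kernel_read_all_sysctls`, `dev_read_sysfs` and `can_exec(corosync_t, corosync_exec_t)` right next to identical existing lines (the `@@ -73,6 +78,8 @@` header shows `can_exec` already present), and the second rhcs_* `optional_policy` block repeats the one immediately above it, so the duplicates should be removed. `fs_manage_tmpfs_files(corosync_t)` grants management of every tmpfs_t file rather than only `corosync_tmpfs_t`, which is broader than the rest of the corosync policy and is worth confirming as intended.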
@@ -10868,5132 +12152,1433 @@ index 0000000..40415f8
+## </summary>
+## </param>
+#
-+interface(`collectd_manage_lib_dirs',`
++interface(`couchdb_manage_lib_dirs',`
+ gen_require(`
-+ type collectd_var_lib_t;
++ type couchdb_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
-+ manage_dirs_pattern($1, collectd_var_lib_t, collectd_var_lib_t)
++ manage_dirs_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)
+')
+
+########################################
+## <summary>
-+## Execute collectd server in the collectd domain.
++## Read couchdb PID files.
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain allowed to transition.
++## Domain allowed access.
+## </summary>
+## </param>
+#
-+interface(`collectd_systemctl',`
++interface(`couchdb_read_pid_files',`
+ gen_require(`
-+ type collectd_t;
-+ type collectd_unit_file_t;
++ type couchdb_var_run_t;
+ ')
+
-+ systemd_exec_systemctl($1)
-+ allow $1 collectd_unit_file_t:file read_file_perms;
-+ allow $1 collectd_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, collectd_t)
++ files_search_pids($1)
++ allow $1 couchdb_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
-+## All of the rules required to administrate
-+## an collectd environment
++## Execute couchdb server in the couchdb domain.
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <param name="role">
-+## <summary>
-+## Role allowed access.
++## Domain allowed to transition.
+## </summary>
+## </param>
-+## <rolecap/>
+#
-+interface(`collectd_admin',`
++interface(`couchdb_systemctl',`
+ gen_require(`
-+ type collectd_t;
-+ type collectd_initrc_exec_t;
-+ type collectd_var_lib_t;
-+ type collectd_unit_file_t;
-+ ')
-+
-+ allow $1 collectd_t:process signal_perms;
-+ ps_process_pattern($1, collectd_t)
-+
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 collectd_t:process ptrace;
++ type couchdb_t;
++ type couchdb_unit_file_t;
+ ')
+
-+ collectd_initrc_domtrans($1)
-+ domain_system_change_exemption($1)
-+ role_transition $2 collectd_initrc_exec_t system_r;
-+ allow $2 system_r;
-+
-+ files_search_var_lib($1)
-+ admin_pattern($1, collectd_var_lib_t)
-+
-+ collectd_systemctl($1)
-+ admin_pattern($1, collectd_unit_file_t)
-+ allow $1 collectd_unit_file_t:service all_service_perms;
-+')
-+
-diff --git a/collectd.te b/collectd.te
-new file mode 100644
-index 0000000..cb6dbe6
---- /dev/null
-+++ b/collectd.te
-@@ -0,0 +1,89 @@
-+policy_module(collectd, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+## <desc>
-+## <p>
-+## Allow collectd to connect to the
-+## network using TCP.
-+## </p>
-+## </desc>
-+gen_tunable(collectd_can_network_connect, false)
-+
-+type collectd_t;
-+type collectd_exec_t;
-+init_daemon_domain(collectd_t, collectd_exec_t)
-+
-+type collectd_initrc_exec_t;
-+init_script_file(collectd_initrc_exec_t)
-+
-+type collectd_var_lib_t;
-+files_type(collectd_var_lib_t)
-+
-+type collectd_var_run_t;
-+files_pid_file(collectd_var_run_t)
-+
-+type collectd_unit_file_t;
-+systemd_unit_file(collectd_unit_file_t)
-+
-+########################################
-+#
-+# collectd local policy
-+#
-+
-+allow collectd_t self:capability { ipc_lock sys_nice };
-+allow collectd_t self:process { getsched setsched signal fork };
-+
-+allow collectd_t self:fifo_file rw_fifo_file_perms;
-+allow collectd_t self:packet_socket create_socket_perms;
-+allow collectd_t self:unix_stream_socket create_stream_socket_perms;
-+
-+manage_dirs_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
-+manage_files_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
-+files_var_lib_filetrans(collectd_t, collectd_var_lib_t, { dir file })
-+
-+manage_dirs_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t)
-+manage_files_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t)
-+files_pid_filetrans(collectd_t, collectd_var_run_t, { dir file })
-+
-+domain_use_interactive_fds(collectd_t)
-+
-+kernel_read_network_state(collectd_t)
-+kernel_read_net_sysctls(collectd_t)
-+kernel_read_system_state(collectd_t)
-+
-+dev_read_sysfs(collectd_t)
-+dev_read_urand(collectd_t)
-+dev_read_rand(collectd_t)
-+
-+files_getattr_all_dirs(collectd_t)
-+files_read_etc_files(collectd_t)
-+files_read_usr_files(collectd_t)
-+
-+fs_getattr_all_fs(collectd_t)
-+
-+logging_send_syslog_msg(collectd_t)
-+
-+sysnet_dns_name_resolve(collectd_t)
-+
-+tunable_policy(`collectd_can_network_connect',`
-+ corenet_tcp_connect_all_ports(collectd_t)
-+ corenet_tcp_sendrecv_all_ports(collectd_t)
-+ corenet_sendrecv_all_client_packets(collectd_t)
-+')
-+
-+optional_policy(`
-+ apache_content_template(collectd)
-+
-+ files_search_var_lib(httpd_collectd_script_t)
-+ read_files_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
-+ list_dirs_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
-+ miscfiles_setattr_fonts_cache_dirs(httpd_collectd_script_t)
-+')
++ systemd_exec_systemctl($1)
++ systemd_read_fifo_file_passwd_run($1)
++ allow $1 couchdb_unit_file_t:file read_file_perms;
++ allow $1 couchdb_unit_file_t:service manage_service_perms;
+
-+optional_policy(`
-+ virt_read_config(collectd_t)
++ ps_process_pattern($1, couchdb_t)
+')
-diff --git a/colord.fc b/colord.fc
-index 78b2fea..ef975ac 100644
---- a/colord.fc
-+++ b/colord.fc
-@@ -1,4 +1,7 @@
- /usr/libexec/colord -- gen_context(system_u:object_r:colord_exec_t,s0)
-+/usr/libexec/colord-sane -- gen_context(system_u:object_r:colord_exec_t,s0)
+
-+/usr/lib/systemd/system/colord.* -- gen_context(system_u:object_r:colord_unit_file_t,s0)
-
- /var/lib/color(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0)
- /var/lib/colord(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0)
-diff --git a/colord.if b/colord.if
-index 733e4e6..fa2c3cb 100644
---- a/colord.if
-+++ b/colord.if
-@@ -57,3 +57,26 @@ interface(`colord_read_lib_files',`
- files_search_var_lib($1)
- read_files_pattern($1, colord_var_lib_t, colord_var_lib_t)
- ')
+
+########################################
+## <summary>
-+## Execute colord server in the colord domain.
++## All of the rules required to administrate
++## an couchdb environment
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain allowed to transition.
-+## </summary>
++## Domain allowed access.
++## </summary>
+## </param>
-+#
-+interface(`colord_systemctl',`
-+ gen_require(`
-+ type colord_t;
-+ type colord_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 colord_unit_file_t:file read_file_perms;
-+ allow $1 colord_unit_file_t:service manage_service_perms;
+ ## <param name="role">
+ ## <summary>
+ ## Role allowed access.
+@@ -19,14 +102,19 @@
+ #
+ interface(`couchdb_admin',`
+ gen_require(`
++ type couchdb_unit_file_t;
+ type couchdb_t, couchdb_conf_t, couchdb_initrc_exec_t;
+ type couchdb_log_t, couchdb_var_lib_t, couchdb_var_run_t;
+ type couchdb_tmp_t;
+ ')
+
+- allow $1 couchdb_t:process { ptrace signal_perms };
++ allow $1 couchdb_t:process { signal_perms };
+ ps_process_pattern($1, couchdb_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 couchdb_t:process ptrace;
++ ')
+
-+ ps_process_pattern($1, colord_t)
-+')
-diff --git a/colord.te b/colord.te
-index 74505cc..10d9a27 100644
---- a/colord.te
-+++ b/colord.te
-@@ -8,6 +8,7 @@ policy_module(colord, 1.0.0)
- type colord_t;
- type colord_exec_t;
- dbus_system_domain(colord_t, colord_exec_t)
-+init_daemon_domain(colord_t, colord_exec_t)
+ init_labeled_script_domtrans($1, couchdb_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 couchdb_initrc_exec_t system_r;
+@@ -46,4 +134,13 @@ interface(`couchdb_admin',`
- type colord_tmp_t;
- files_tmp_file(colord_tmp_t)
-@@ -18,14 +19,20 @@ files_tmpfs_file(colord_tmpfs_t)
- type colord_var_lib_t;
- files_type(colord_var_lib_t)
+ files_search_pids($1)
+ admin_pattern($1, couchdb_var_run_t)
++
++ admin_pattern($1, couchdb_unit_file_t)
++ couchdb_systemctl($1)
++ allow $1 couchdb_unit_file_t:service all_service_perms;
++
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
+ ')
+diff --git a/couchdb.te b/couchdb.te
+index 503adab..046fe9b 100644
+--- a/couchdb.te
++++ b/couchdb.te
+@@ -27,6 +27,9 @@ files_type(couchdb_var_lib_t)
+ type couchdb_var_run_t;
+ files_pid_file(couchdb_var_run_t)
-+type colord_unit_file_t;
-+systemd_unit_file(colord_unit_file_t)
++type couchdb_unit_file_t;
++systemd_unit_file(couchdb_unit_file_t)
+
########################################
#
- # colord local policy
- #
- allow colord_t self:capability { dac_read_search dac_override };
-+dontaudit colord_t self:capability sys_admin;
- allow colord_t self:process signal;
- allow colord_t self:fifo_file rw_fifo_file_perms;
- allow colord_t self:netlink_kobject_uevent_socket create_socket_perms;
-+allow colord_t self:tcp_socket create_stream_socket_perms;
-+allow colord_t self:shm create_shm_perms;
- allow colord_t self:udp_socket create_socket_perms;
- allow colord_t self:unix_dgram_socket create_socket_perms;
-
-@@ -41,15 +48,22 @@ manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
- manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
- files_var_lib_filetrans(colord_t, colord_var_lib_t, { file dir })
-
--kernel_getattr_proc_files(colord_t)
-+kernel_read_network_state(colord_t)
-+kernel_read_system_state(colord_t)
- kernel_read_device_sysctls(colord_t)
-+kernel_request_load_module(colord_t)
-+
-+# reads *.ini files
-+corecmd_exec_bin(colord_t)
-+corecmd_exec_shell(colord_t)
-
--corenet_all_recvfrom_unlabeled(colord_t)
- corenet_all_recvfrom_netlabel(colord_t)
- corenet_udp_bind_generic_node(colord_t)
- corenet_udp_bind_ipp_port(colord_t)
- corenet_tcp_connect_ipp_port(colord_t)
-
-+dev_read_raw_memory(colord_t)
-+dev_write_raw_memory(colord_t)
- dev_read_video_dev(colord_t)
- dev_write_video_dev(colord_t)
- dev_rw_printer(colord_t)
-@@ -62,22 +76,36 @@ dev_rw_generic_usb_dev(colord_t)
- domain_use_interactive_fds(colord_t)
+ # Local policy
+@@ -79,10 +82,7 @@ dev_list_sysfs(couchdb_t)
+ dev_read_sysfs(couchdb_t)
+ dev_read_urand(couchdb_t)
- files_list_mnt(colord_t)
--files_read_etc_files(colord_t)
- files_read_usr_files(colord_t)
+-files_read_usr_files(couchdb_t)
+-
+ fs_getattr_xattr_fs(couchdb_t)
-+fs_search_all(colord_t)
-+fs_getattr_noxattr_fs(colord_t)
-+fs_dontaudit_getattr_all_fs(colord_t)
-+fs_list_noxattr_fs(colord_t)
- fs_read_noxattr_fs_files(colord_t)
+ auth_use_nsswitch(couchdb_t)
-+storage_getattr_fixed_disk_dev(colord_t)
-+storage_getattr_removable_dev(colord_t)
-+storage_read_scsi_generic(colord_t)
-+storage_write_scsi_generic(colord_t)
-+
-+auth_use_nsswitch(colord_t)
-+
- logging_send_syslog_msg(colord_t)
+-miscfiles_read_localization(couchdb_t)
+diff --git a/courier.fc b/courier.fc
+index 8a4b596..cbecde8 100644
+--- a/courier.fc
++++ b/courier.fc
+@@ -9,17 +9,18 @@
+ /usr/sbin/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
--miscfiles_read_localization(colord_t)
-+fs_getattr_tmpfs(colord_t)
-+userdom_rw_user_tmpfs_files(colord_t)
+ /usr/lib/courier/authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
+-/usr/lib/courier/courier-authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
+ /usr/lib/courier/courier/.* -- gen_context(system_u:object_r:courier_exec_t,s0)
+-/usr/lib/courier/courier/courierpop.* -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+-/usr/lib/courier/courier/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
++/usr/lib/courier/courier/courierpop.* -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
++/usr/lib/courier/courier/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+ /usr/lib/courier/courier/pcpd -- gen_context(system_u:object_r:courier_pcp_exec_t,s0)
+-/usr/lib/courier/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+-/usr/lib/courier/pop3d -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+-/usr/lib/courier/rootcerts(/.*)? gen_context(system_u:object_r:courier_etc_t,s0)
+-/usr/lib/courier/sqwebmail/cleancache\.pl -- gen_context(system_u:object_r:sqwebmail_cron_exec_t,s0)
+-/usr/lib/courier-imap/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
++/usr/lib/courier/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
++/usr/lib/courier/pop3d -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
++/usr/lib/courier/rootcerts(/.*)? gen_context(system_u:object_r:courier_etc_t,s0)
++/usr/lib/courier/sqwebmail/cleancache\.pl -- gen_context(system_u:object_r:sqwebmail_cron_exec_t,s0)
--sysnet_dns_name_resolve(colord_t)
-+userdom_home_reader(colord_t)
-+userdom_read_inherited_user_home_content_files(colord_t)
++ifdef(`distro_gentoo',`
++/usr/lib/courier-imap/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
++')
- tunable_policy(`use_nfs_home_dirs',`
-+ fs_getattr_nfs(colord_t)
- fs_read_nfs_files(colord_t)
- ')
+ /var/lib/courier(/.*)? gen_context(system_u:object_r:courier_var_lib_t,s0)
+ /var/lib/courier-imap(/.*)? gen_context(system_u:object_r:courier_var_lib_t,s0)
+diff --git a/courier.if b/courier.if
+index 10f820f..4040ec2 100644
+--- a/courier.if
++++ b/courier.if
+@@ -1,41 +1,50 @@
+-## <summary>Courier IMAP and POP3 email servers.</summary>
++## <summary>Courier IMAP and POP3 email servers</summary>
- tunable_policy(`use_samba_home_dirs',`
-+ fs_getattr_cifs(colord_t)
- fs_read_cifs_files(colord_t)
- ')
+-#######################################
++########################################
+ ## <summary>
+-## The template to define a courier domain.
++## Template for creating courier server processes.
+ ## </summary>
+-## <param name="domain_prefix">
++## <param name="prefix">
+ ## <summary>
+-## Domain prefix to be used.
++## Prefix name of the server process.
+ ## </summary>
+ ## </param>
+ #
+ template(`courier_domain_template',`
+- gen_require(`
+- attribute courier_domain;
+- ')
-@@ -89,6 +117,12 @@ optional_policy(`
- ')
+- ########################################
++ ##############################
+ #
+ # Declarations
+ #
- optional_policy(`
-+ gnome_read_home_icc_data_content(colord_t)
-+ # Fixes lots of breakage in F16 on upgrade
-+ gnome_read_generic_data_home_files(colord_t)
-+')
-+
-+optional_policy(`
- policykit_dbus_chat(colord_t)
- policykit_domtrans_auth(colord_t)
- policykit_read_lib(colord_t)
-@@ -96,5 +130,19 @@ optional_policy(`
- ')
+- type courier_$1_t, courier_domain;
++ type courier_$1_t;
+ type courier_$1_exec_t;
+ init_daemon_domain(courier_$1_t, courier_$1_exec_t)
- optional_policy(`
-+ sysnet_exec_ifconfig(colord_t)
-+')
+- ########################################
++ ##############################
+ #
+- # Policy
++ # Declarations
+ #
+
+ can_exec(courier_$1_t, courier_$1_exec_t)
+
-+optional_policy(`
- udev_read_db(colord_t)
- ')
++ kernel_read_system_state(courier_$1_t)
+
-+optional_policy(`
-+ xserver_dbus_chat_xdm(colord_t)
-+ # /var/lib/gdm/.local/share/icc/edid-0a027915105823af34f99b1704e80336.icc
-+ xserver_read_inherited_xdm_lib_files(colord_t)
-+')
++ corenet_all_recvfrom_netlabel(courier_$1_t)
++ corenet_tcp_sendrecv_generic_if(courier_$1_t)
++ corenet_udp_sendrecv_generic_if(courier_$1_t)
++ corenet_tcp_sendrecv_generic_node(courier_$1_t)
++ corenet_udp_sendrecv_generic_node(courier_$1_t)
++ corenet_tcp_sendrecv_all_ports(courier_$1_t)
++ corenet_udp_sendrecv_all_ports(courier_$1_t)
+
-+optional_policy(`
-+ zoneminder_rw_tmpfs_files(colord_t)
-+')
-diff --git a/comsat.te b/comsat.te
-index 3d121fd..b64c98c 100644
---- a/comsat.te
-+++ b/comsat.te
-@@ -39,7 +39,6 @@ kernel_read_kernel_sysctls(comsat_t)
- kernel_read_network_state(comsat_t)
- kernel_read_system_state(comsat_t)
-
--corenet_all_recvfrom_unlabeled(comsat_t)
- corenet_all_recvfrom_netlabel(comsat_t)
- corenet_tcp_sendrecv_generic_if(comsat_t)
- corenet_udp_sendrecv_generic_if(comsat_t)
-@@ -51,7 +50,6 @@ dev_read_urand(comsat_t)
-
- fs_getattr_xattr_fs(comsat_t)
-
--files_read_etc_files(comsat_t)
- files_list_usr(comsat_t)
- files_search_spool(comsat_t)
- files_search_home(comsat_t)
-@@ -63,8 +61,6 @@ init_dontaudit_write_utmp(comsat_t)
-
- logging_send_syslog_msg(comsat_t)
-
--miscfiles_read_localization(comsat_t)
--
- userdom_dontaudit_getattr_user_ttys(comsat_t)
-
- mta_getattr_spool(comsat_t)
-diff --git a/condor.fc b/condor.fc
-new file mode 100644
-index 0000000..b3a5b51
---- /dev/null
-+++ b/condor.fc
-@@ -0,0 +1,21 @@
-+/usr/lib/systemd/system/condor.* -- gen_context(system_u:object_r:condor_unit_file_t,s0)
-+
-+/usr/sbin/condor_master -- gen_context(system_u:object_r:condor_master_exec_t,s0)
-+/usr/sbin/condor_collector -- gen_context(system_u:object_r:condor_collector_exec_t,s0)
-+/usr/sbin/condor_negotiator -- gen_context(system_u:object_r:condor_negotiator_exec_t,s0)
-+/usr/sbin/condor_schedd -- gen_context(system_u:object_r:condor_schedd_exec_t,s0)
-+/usr/sbin/condor_startd -- gen_context(system_u:object_r:condor_startd_exec_t,s0)
-+/usr/sbin/condor_starter -- gen_context(system_u:object_r:condor_startd_exec_t,s0)
-+/usr/sbin/condor_procd -- gen_context(system_u:object_r:condor_procd_exec_t,s0)
-+
-+/var/lib/condor(/.*)? gen_context(system_u:object_r:condor_var_lib_t,s0)
-+
-+/var/lib/condor/execute(/.*)? gen_context(system_u:object_r:condor_var_lib_t,s0)
-+
-+/var/lib/condor/spool(/.*)? gen_context(system_u:object_r:condor_var_lib_t,s0)
-+
-+/var/lock/condor(/.*)? gen_context(system_u:object_r:condor_var_lock_t,s0)
-+
-+/var/log/condor(/.*)? gen_context(system_u:object_r:condor_log_t,s0)
-+
-+/var/run/condor(/.*)? gen_context(system_u:object_r:condor_var_run_t,s0)
-diff --git a/condor.if b/condor.if
-new file mode 100644
-index 0000000..8424fdb
---- /dev/null
-+++ b/condor.if
-@@ -0,0 +1,393 @@
-+
-+## <summary>policy for condor</summary>
-+
-+#####################################
-+## <summary>
-+## Creates types and rules for a basic
-+## condor init daemon domain.
-+## </summary>
-+## <param name="prefix">
-+## <summary>
-+## Prefix for the domain.
-+## </summary>
-+## </param>
-+#
-+template(`condor_domain_template',`
-+ gen_require(`
-+ type condor_master_t;
-+ attribute condor_domain;
-+ ')
-+
-+ #############################
-+ #
-+ # Declarations
-+ #
-+
-+ type condor_$1_t, condor_domain;
-+ type condor_$1_exec_t;
-+ init_daemon_domain(condor_$1_t, condor_$1_exec_t)
-+ role system_r types condor_$1_t;
-+
-+ domtrans_pattern(condor_master_t, condor_$1_exec_t, condor_$1_t)
-+ allow condor_master_t condor_$1_exec_t:file ioctl;
-+
-+ kernel_read_system_state(condor_$1_t)
-+
-+ auth_use_nsswitch(condor_$1_t)
-+
-+ logging_send_syslog_msg(condor_$1_t)
-+')
-+
-+########################################
-+## <summary>
-+## Transition to condor.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed to transition.
-+## </summary>
-+## </param>
-+#
-+interface(`condor_domtrans',`
-+ gen_require(`
-+ type condor_t, condor_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, condor_exec_t, condor_t)
-+')
-+
-+#######################################
-+## <summary>
-+## Allows to start userland processes
-+## by transitioning to the specified domain,
-+## with a range transition.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## The process type entered by condor_startd.
-+## </summary>
-+## </param>
-+## <param name="entrypoint">
-+## <summary>
-+## The executable type for the entrypoint.
-+## </summary>
-+## </param>
-+## <param name="range">
-+## <summary>
-+## Range for the domain.
-+## </summary>
-+## </param>
-+#
-+interface(`condor_startd_ranged_domtrans_to',`
-+ gen_require(`
-+ type sshd_t;
-+ ')
-+ condor_startd_domtrans_to($1, $2)
-+
-+
-+ ifdef(`enable_mcs',`
-+ range_transition condor_startd_t $2:process $3;
-+ ')
-+
-+')
-+
-+#######################################
-+## <summary>
-+## Allows to start userlandprocesses
-+## by transitioning to the specified domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## The process type entered by condor_startd.
-+## </summary>
-+## </param>
-+## <param name="entrypoint">
-+## <summary>
-+## The executable type for the entrypoint.
-+## </summary>
-+## </param>
-+#
-+interface(`condor_startd_domtrans_to',`
-+ gen_require(`
-+ type condor_startd_t;
-+ ')
-+
-+ domtrans_pattern(condor_startd_t, $2, $1)
-+')
-+
-+########################################
-+## <summary>
-+## Read condor's log files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`condor_read_log',`
-+ gen_require(`
-+ type condor_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ read_files_pattern($1, condor_log_t, condor_log_t)
-+')
-+
-+########################################
-+## <summary>
-+## Append to condor log files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`condor_append_log',`
-+ gen_require(`
-+ type condor_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ append_files_pattern($1, condor_log_t, condor_log_t)
-+')
-+
-+########################################
-+## <summary>
-+## Manage condor log files
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`condor_manage_log',`
-+ gen_require(`
-+ type condor_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ manage_dirs_pattern($1, condor_log_t, condor_log_t)
-+ manage_files_pattern($1, condor_log_t, condor_log_t)
-+ manage_lnk_files_pattern($1, condor_log_t, condor_log_t)
-+')
-+
-+########################################
-+## <summary>
-+## Search condor lib directories.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`condor_search_lib',`
-+ gen_require(`
-+ type condor_var_lib_t;
-+ ')
-+
-+ allow $1 condor_var_lib_t:dir search_dir_perms;
-+ files_search_var_lib($1)
-+')
-+
-+########################################
-+## <summary>
-+## Read condor lib files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`condor_read_lib_files',`
-+ gen_require(`
-+ type condor_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, condor_var_lib_t, condor_var_lib_t)
-+')
-+
-+######################################
-+## <summary>
-+## Read and write condor lib files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`condor_rw_lib_files',`
-+ gen_require(`
-+ type condor_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ rw_files_pattern($1, condor_var_lib_t, condor_var_lib_t)
-+')
-+
-+########################################
-+## <summary>
-+## Manage condor lib files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`condor_manage_lib_files',`
-+ gen_require(`
-+ type condor_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_files_pattern($1, condor_var_lib_t, condor_var_lib_t)
-+')
-+
-+########################################
-+## <summary>
-+## Manage condor lib directories.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`condor_manage_lib_dirs',`
-+ gen_require(`
-+ type condor_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_dirs_pattern($1, condor_var_lib_t, condor_var_lib_t)
-+')
-+
-+########################################
-+## <summary>
-+## Read condor PID files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`condor_read_pid_files',`
-+ gen_require(`
-+ type condor_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ allow $1 condor_var_run_t:file read_file_perms;
-+')
-+
-+########################################
-+## <summary>
-+## Execute condor server in the condor domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed to transition.
-+## </summary>
-+## </param>
-+#
-+interface(`condor_systemctl',`
-+ gen_require(`
-+ type condor_t;
-+ type condor_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ allow $1 condor_unit_file_t:file read_file_perms;
-+ allow $1 condor_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, condor_t)
-+')
-+
-+
-+#######################################
-+## <summary>
-+## Read and write condor_startd server TCP sockets.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`condor_rw_tcp_sockets_startd',`
-+ gen_require(`
-+ type condor_startd_t;
-+ ')
-+
-+ allow $1 condor_startd_t:tcp_socket rw_socket_perms;
-+')
-+
-+######################################
-+## <summary>
-+## Read and write condor_schedd server TCP sockets.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`condor_rw_tcp_sockets_schedd',`
-+ gen_require(`
-+ type condor_schedd_t;
-+ ')
-+
-+ allow $1 condor_schedd_t:tcp_socket rw_socket_perms;
-+')
-+
-+########################################
-+## <summary>
-+## All of the rules required to administrate
-+## an condor environment
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`condor_admin',`
-+ gen_require(`
-+ type condor_t;
-+ type condor_log_t;
-+ type condor_var_lib_t;
-+ type condor_var_run_t;
-+ type condor_unit_file_t;
-+ ')
-+
-+ allow $1 condor_t:process { ptrace signal_perms };
-+ ps_process_pattern($1, condor_t)
-+
-+ logging_search_logs($1)
-+ admin_pattern($1, condor_log_t)
-+
-+ files_search_var_lib($1)
-+ admin_pattern($1, condor_var_lib_t)
-+
-+ files_search_pids($1)
-+ admin_pattern($1, condor_var_run_t)
-+
-+ condor_systemctl($1)
-+ admin_pattern($1, condor_unit_file_t)
-+ allow $1 condor_unit_file_t:service all_service_perms;
-+ optional_policy(`
-+ systemd_passwd_agent_exec($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ ')
-+')
-diff --git a/condor.te b/condor.te
-new file mode 100644
-index 0000000..c2bc300
---- /dev/null
-+++ b/condor.te
-@@ -0,0 +1,240 @@
-+policy_module(condor, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+## <desc>
-+## <p>
-+## Allow codnor domain to connect to the network using TCP.
-+## </p>
-+## </desc>
-+gen_tunable(condor_domain_can_network_connect, false)
-+
-+attribute condor_domain;
-+
-+type condor_master_t, condor_domain;
-+type condor_master_exec_t;
-+init_daemon_domain(condor_master_t, condor_master_exec_t)
-+
-+condor_domain_template(collector)
-+condor_domain_template(negotiator)
-+condor_domain_template(schedd)
-+condor_domain_template(startd)
-+condor_domain_template(procd)
-+
-+type condor_master_tmp_t;
-+files_tmp_file(condor_master_tmp_t)
-+
-+type condor_schedd_tmp_t;
-+files_tmp_file(condor_schedd_tmp_t)
-+
-+type condor_startd_tmp_t;
-+files_tmp_file(condor_startd_tmp_t)
-+
-+type condor_startd_tmpfs_t;
-+files_tmpfs_file(condor_startd_tmpfs_t)
-+
-+type condor_log_t;
-+logging_log_file(condor_log_t)
-+
-+type condor_var_lib_t;
-+files_type(condor_var_lib_t)
-+
-+type condor_var_lock_t;
-+files_lock_file(condor_var_lock_t)
-+
-+type condor_var_run_t;
-+files_pid_file(condor_var_run_t)
-+
-+type condor_unit_file_t;
-+systemd_unit_file(condor_unit_file_t)
-+
-+########################################
-+#
-+# condor domain local policy
-+#
-+
-+allow condor_domain self:process signal_perms;
-+allow condor_domain self:fifo_file rw_fifo_file_perms;
-+
-+allow condor_domain self:tcp_socket create_stream_socket_perms;
-+allow condor_domain self:udp_socket create_socket_perms;
-+allow condor_domain self:unix_stream_socket create_stream_socket_perms;
-+
-+allow condor_domain condor_master_t:process signull;
-+allow condor_domain condor_master_t:tcp_socket getattr;
-+
-+manage_dirs_pattern(condor_domain, condor_log_t, condor_log_t)
-+manage_files_pattern(condor_domain, condor_log_t, condor_log_t)
-+logging_log_filetrans(condor_domain, condor_log_t, { dir file })
-+
-+manage_dirs_pattern(condor_domain, condor_var_lib_t, condor_var_lib_t)
-+manage_files_pattern(condor_domain, condor_var_lib_t, condor_var_lib_t)
-+files_var_lib_filetrans(condor_domain, condor_var_lib_t, { dir file })
-+
-+manage_dirs_pattern(condor_domain, condor_var_lock_t, condor_var_lock_t)
-+manage_files_pattern(condor_domain, condor_var_lock_t, condor_var_lock_t)
-+files_lock_filetrans(condor_domain, condor_var_lock_t, { dir file })
-+
-+manage_dirs_pattern(condor_domain, condor_var_run_t, condor_var_run_t)
-+manage_files_pattern(condor_domain, condor_var_run_t, condor_var_run_t)
-+manage_fifo_files_pattern(condor_domain, condor_var_run_t, condor_var_run_t)
-+files_pid_filetrans(condor_domain, condor_var_run_t, { dir file fifo_file })
-+
-+kernel_read_network_state(condor_domain)
-+kernel_read_kernel_sysctls(condor_domain)
-+
-+corecmd_exec_bin(condor_domain)
-+corecmd_exec_shell(condor_domain)
-+
-+corenet_tcp_connect_condor_port(condor_domain)
-+corenet_tcp_connect_all_ephemeral_ports(condor_domain)
-+
-+domain_use_interactive_fds(condor_domain)
-+
-+dev_read_rand(condor_domain)
-+dev_read_urand(condor_domain)
-+dev_read_sysfs(condor_domain)
-+
-+files_read_etc_files(condor_domain)
-+
-+tunable_policy(`condor_domain_can_network_connect',`
-+ corenet_tcp_connect_all_ports(condor_domain)
-+')
-+
-+optional_policy(`
-+ rhcs_stream_connect_cluster(condor_domain)
-+')
-+
-+optional_policy(`
-+ sysnet_dns_name_resolve(condor_domain)
-+')
-+
-+#####################################
-+#
-+# condor master local policy
-+#
-+
-+allow condor_master_t self:capability { setuid setgid dac_override sys_ptrace };
-+
-+allow condor_master_t condor_domain:process { sigkill signal };
-+
-+manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
-+manage_files_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
-+files_tmp_filetrans(condor_master_t, condor_master_tmp_t, { file dir })
-+
-+corenet_tcp_bind_condor_port(condor_master_t)
-+corenet_udp_bind_condor_port(condor_master_t)
-+corenet_tcp_connect_amqp_port(condor_master_t)
-+
-+domain_read_all_domains_state(condor_master_t)
-+
-+optional_policy(`
-+ mta_send_mail(condor_master_t)
-+ mta_read_config(condor_master_t)
-+')
-+
-+######################################
-+#
-+# condor collector local policy
-+#
-+
-+allow condor_collector_t self:capability { setuid setgid };
-+
-+allow condor_collector_t condor_master_t:tcp_socket rw_stream_socket_perms;
-+allow condor_collector_t condor_master_t:udp_socket rw_socket_perms;
-+
-+kernel_read_network_state(condor_collector_t)
-+
-+#####################################
-+#
-+# condor negotiator local policy
-+#
-+allow condor_negotiator_t self:capability { setuid setgid };
-+allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms;
-+allow condor_negotiator_t condor_master_t:udp_socket getattr;
-+
-+corenet_tcp_connect_all_ephemeral_ports(condor_negotiator_t)
-+
-+######################################
-+#
-+# condor procd local policy
-+#
-+
-+allow condor_procd_t self:capability { fowner chown dac_override sys_ptrace };
-+
-+allow condor_procd_t self:capability kill;
-+allow condor_procd_t condor_startd_t:process sigkill;
-+
-+domain_read_all_domains_state(condor_procd_t)
-+
-+#######################################
-+#
-+# condor schedd local policy
-+#
-+
-+domtrans_pattern(condor_schedd_t, condor_procd_exec_t, condor_procd_t)
-+domtrans_pattern(condor_schedd_t, condor_startd_exec_t, condor_startd_t)
-+
-+# dac_override because of /var/log/condor
-+allow condor_schedd_t self:capability { setuid chown setgid dac_override };
-+allow condor_schedd_t condor_master_t:tcp_socket rw_stream_socket_perms;
-+allow condor_schedd_t condor_master_t:udp_socket getattr;
-+
-+allow condor_schedd_t condor_var_lock_t:dir manage_file_perms;
-+
-+manage_dirs_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
-+manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
-+files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir })
-+allow condor_schedd_t condor_schedd_tmp_t:file { relabelfrom relabelto };
-+
-+corenet_tcp_connect_all_ephemeral_ports(condor_schedd_t)
-+
-+#####################################
-+#
-+# condor startd local policy
-+#
-+
-+# also needed by java
-+allow condor_startd_t self:capability { setuid net_admin setgid dac_override };
-+allow condor_startd_t self:process execmem;
-+
-+manage_dirs_pattern(condor_startd_t, condor_startd_tmp_t, condor_startd_tmp_t)
-+manage_files_pattern(condor_startd_t, condor_startd_tmp_t, condor_startd_tmp_t)
-+files_tmp_filetrans(condor_startd_t, condor_startd_tmp_t, { file dir })
-+allow condor_startd_t condor_startd_tmp_t:file { relabelfrom relabelto };
-+
-+manage_dirs_pattern(condor_startd_t, condor_startd_tmpfs_t, condor_startd_tmpfs_t)
-+manage_files_pattern(condor_startd_t, condor_startd_tmpfs_t, condor_startd_tmpfs_t)
-+fs_tmpfs_filetrans(condor_startd_t, condor_startd_tmpfs_t, { dir file })
-+
-+can_exec(condor_startd_t, condor_startd_exec_t)
-+
-+domain_read_all_domains_state(condor_startd_t)
-+
-+mcs_process_set_categories(condor_startd_t)
-+
-+init_domtrans_script(condor_startd_t)
-+init_initrc_domain(condor_startd_t)
-+
-+libs_exec_lib_files(condor_startd_t)
-+
-+files_read_usr_files(condor_startd_t)
-+
-+optional_policy(`
-+ ssh_basic_client_template(condor_startd, condor_startd_t, system_r)
-+ ssh_domtrans(condor_startd_t)
-+
-+ manage_files_pattern(condor_startd_ssh_t, condor_var_lib_t, condor_var_lib_t)
-+ manage_dirs_pattern(condor_startd_ssh_t, condor_var_lib_t, condor_var_lib_t)
-+
-+ optional_policy(`
-+ kerberos_use(condor_startd_ssh_t)
-+ ')
-+')
-+
-+optional_policy(`
-+ unconfined_domain(condor_startd_t)
-+')
-diff --git a/consolekit.fc b/consolekit.fc
-index 32233ab..7058d21 100644
---- a/consolekit.fc
-+++ b/consolekit.fc
-@@ -1,3 +1,5 @@
-+/usr/lib/systemd/system/console-kit.* -- gen_context(system_u:object_r:consolekit_unit_file_t,s0)
-+
- /usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0)
-
- /var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0)
-diff --git a/consolekit.if b/consolekit.if
-index fd15dfe..aac1e5d 100644
---- a/consolekit.if
-+++ b/consolekit.if
-@@ -20,6 +20,27 @@ interface(`consolekit_domtrans',`
-
- ########################################
- ## <summary>
-+## dontaudit Send and receive messages from
-+## consolekit over dbus.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
-+interface(`consolekit_dontaudit_dbus_chat',`
-+ gen_require(`
-+ type consolekit_t;
-+ class dbus send_msg;
-+ ')
-+
-+ dontaudit $1 consolekit_t:dbus send_msg;
-+ dontaudit consolekit_t $1:dbus send_msg;
-+')
-+
-+########################################
-+## <summary>
- ## Send and receive messages from
- ## consolekit over dbus.
- ## </summary>
-@@ -41,6 +62,24 @@ interface(`consolekit_dbus_chat',`
-
- ########################################
- ## <summary>
-+## Dontaudit attempts to read consolekit log files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
-+interface(`consolekit_dontaudit_read_log',`
-+ gen_require(`
-+ type consolekit_log_t;
-+ ')
-+
-+ dontaudit $1 consolekit_log_t:file read_file_perms;
-+')
-+
-+########################################
-+## <summary>
- ## Read consolekit log files.
- ## </summary>
- ## <param name="domain">
-@@ -96,3 +135,64 @@ interface(`consolekit_read_pid_files',`
- allow $1 consolekit_var_run_t:dir list_dir_perms;
- read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
- ')
-+
-+########################################
-+## <summary>
-+## List consolekit PID files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`consolekit_list_pid_files',`
-+ gen_require(`
-+ type consolekit_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ list_dirs_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
-+')
-+
-+########################################
-+## <summary>
-+## Allow the domain to read consolekit state files in /proc.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`consolekit_read_state',`
-+ gen_require(`
-+ type consolekit_t;
-+ ')
-+
-+ kernel_search_proc($1)
-+ ps_process_pattern($1, consolekit_t)
-+')
-+
-+########################################
-+## <summary>
-+## Execute consolekit server in the consolekit domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed to transition.
-+## </summary>
-+## </param>
-+#
-+interface(`consolekit_systemctl',`
-+ gen_require(`
-+ type consolekit_t;
-+ type consolekit_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 consolekit_unit_file_t:file read_file_perms;
-+ allow $1 consolekit_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, consolekit_t)
-+')
-diff --git a/consolekit.te b/consolekit.te
-index 6f2896d..ca0b28a 100644
---- a/consolekit.te
-+++ b/consolekit.te
-@@ -15,12 +15,19 @@ logging_log_file(consolekit_log_t)
- type consolekit_var_run_t;
- files_pid_file(consolekit_var_run_t)
-
-+type consolekit_tmpfs_t;
-+files_tmpfs_file(consolekit_tmpfs_t)
-+
-+type consolekit_unit_file_t;
-+systemd_unit_file(consolekit_unit_file_t)
-+
- ########################################
- #
- # consolekit local policy
- #
-
- allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice sys_ptrace };
-+
- allow consolekit_t self:process { getsched signal };
- allow consolekit_t self:fifo_file rw_fifo_file_perms;
- allow consolekit_t self:unix_stream_socket create_stream_socket_perms;
-@@ -43,9 +50,7 @@ dev_read_sysfs(consolekit_t)
-
- domain_read_all_domains_state(consolekit_t)
- domain_use_interactive_fds(consolekit_t)
--domain_dontaudit_ptrace_all_domains(consolekit_t)
-
--files_read_etc_files(consolekit_t)
- files_read_usr_files(consolekit_t)
- # needs to read /var/lib/dbus/machine-id
- files_read_var_lib_files(consolekit_t)
-@@ -67,17 +72,17 @@ init_rw_utmp(consolekit_t)
- logging_send_syslog_msg(consolekit_t)
- logging_send_audit_msgs(consolekit_t)
-
--miscfiles_read_localization(consolekit_t)
-+systemd_exec_systemctl(consolekit_t)
-
-+userdom_read_all_users_state(consolekit_t)
- userdom_dontaudit_read_user_home_content_files(consolekit_t)
-+userdom_dontaudit_getattr_admin_home_files(consolekit_t)
- userdom_read_user_tmp_files(consolekit_t)
-
--tunable_policy(`use_nfs_home_dirs',`
-- fs_read_nfs_files(consolekit_t)
--')
-+userdom_home_reader(consolekit_t)
-
--tunable_policy(`use_samba_home_dirs',`
-- fs_read_cifs_files(consolekit_t)
-+optional_policy(`
-+ cron_read_system_job_lib_files(consolekit_t)
- ')
-
- optional_policy(`
-@@ -97,7 +102,7 @@ optional_policy(`
- ')
-
- optional_policy(`
-- hal_ptrace(consolekit_t)
-+ networkmanager_append_log(consolekit_t)
- ')
-
- optional_policy(`
-@@ -108,9 +113,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-- type consolekit_tmpfs_t;
-- files_tmpfs_file(consolekit_tmpfs_t)
-+ shutdown_domtrans(consolekit_t)
-+')
-
-+optional_policy(`
- xserver_read_xdm_pid(consolekit_t)
- xserver_read_user_xauth(consolekit_t)
- xserver_non_drawing_client(consolekit_t)
-@@ -126,6 +132,5 @@ optional_policy(`
- ')
-
- optional_policy(`
-- #reading .Xauthity
- unconfined_stream_connect(consolekit_t)
- ')
-diff --git a/corosync.fc b/corosync.fc
-index 3a6d7eb..1bb208a 100644
---- a/corosync.fc
-+++ b/corosync.fc
-@@ -1,12 +1,14 @@
- /etc/rc\.d/init\.d/corosync -- gen_context(system_u:object_r:corosync_initrc_exec_t,s0)
-
--/usr/sbin/corosync -- gen_context(system_u:object_r:corosync_exec_t,s0)
-+/usr/lib/systemd/system/corosync.* -- gen_context(system_u:object_r:corosync_unit_file_t,s0)
-
--/usr/sbin/ccs_tool -- gen_context(system_u:object_r:corosync_exec_t,s0)
-+/usr/sbin/corosync -- gen_context(system_u:object_r:corosync_exec_t,s0)
-+/usr/sbin/corosync-notifyd -- gen_context(system_u:object_r:corosync_exec_t,s0)
-
- /var/lib/corosync(/.*)? gen_context(system_u:object_r:corosync_var_lib_t,s0)
-
--/var/log/cluster/corosync\.log -- gen_context(system_u:object_r:corosync_var_log_t,s0)
-+/var/log/cluster/corosync\.log.* -- gen_context(system_u:object_r:corosync_var_log_t,s0)
-
- /var/run/cman_.* -s gen_context(system_u:object_r:corosync_var_run_t,s0)
- /var/run/corosync\.pid -- gen_context(system_u:object_r:corosync_var_run_t,s0)
-+/var/run/rsctmp(/.*)? gen_context(system_u:object_r:corosync_var_run_t,s0)
-diff --git a/corosync.if b/corosync.if
-index 5220c9d..33df583 100644
---- a/corosync.if
-+++ b/corosync.if
-@@ -20,6 +20,43 @@ interface(`corosync_domtrans',`
-
- #######################################
- ## <summary>
-+## Execute a domain transition to run corosync.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed to transition.
-+## </summary>
-+## </param>
-+#
-+interface(`corosync_initrc_domtrans',`
-+ gen_require(`
-+ type corosync_initrc_exec_t;
-+ ')
-+
-+ init_labeled_script_domtrans($1, corosync_initrc_exec_t)
-+')
-+
-+######################################
-+## <summary>
-+## Execute corosync in the caller domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`corosync_exec',`
-+ gen_require(`
-+ type corosync_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ can_exec($1, corosync_exec_t)
-+')
-+
-+#######################################
-+## <summary>
- ## Allow the specified domain to read corosync's log files.
- ## </summary>
- ## <param name="domain">
-@@ -52,14 +89,58 @@ interface(`corosync_read_log',`
- interface(`corosync_stream_connect',`
- gen_require(`
- type corosync_t, corosync_var_run_t;
-+ type corosync_var_lib_t;
- ')
-
- files_search_pids($1)
-+ stream_connect_pattern($1, corosync_var_lib_t, corosync_var_lib_t, corosync_t)
- stream_connect_pattern($1, corosync_var_run_t, corosync_var_run_t, corosync_t)
- ')
-
- ######################################
- ## <summary>
-+## Allow the specified domain to read/write corosync's tmpfs files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`corosync_rw_tmpfs',`
-+ gen_require(`
-+ type corosync_tmpfs_t;
-+ ')
-+
-+ rw_files_pattern($1, corosync_tmpfs_t, corosync_tmpfs_t)
-+
-+')
-+
-+########################################
-+## <summary>
-+## Execute corosync server in the corosync domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed to transition.
-+## </summary>
-+## </param>
-+#
-+interface(`corosync_systemctl',`
-+ gen_require(`
-+ type corosync_t;
-+ type corosync_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 corosync_unit_file_t:file read_file_perms;
-+ allow $1 corosync_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, corosync_t)
-+')
-+
-+######################################
-+## <summary>
- ## All of the rules required to administrate
- ## an corosync environment
- ## </summary>
-@@ -80,11 +161,16 @@ interface(`corosyncd_admin',`
- type corosync_t, corosync_var_lib_t, corosync_var_log_t;
- type corosync_var_run_t, corosync_tmp_t, corosync_tmpfs_t;
- type corosync_initrc_exec_t;
-+ type corosync_unit_file_t;
- ')
-
-- allow $1 corosync_t:process { ptrace signal_perms };
-+ allow $1 corosync_t:process signal_perms;
- ps_process_pattern($1, corosync_t)
-
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 corosync_t:process ptrace;
-+ ')
-+
- init_labeled_script_domtrans($1, corosync_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 corosync_initrc_exec_t system_r;
-@@ -103,4 +189,8 @@ interface(`corosyncd_admin',`
-
- files_list_pids($1)
- admin_pattern($1, corosync_var_run_t)
-+
-+ corosync_systemctl($1)
-+ admin_pattern($1, corosync_unit_file_t)
-+ allow $1 corosync_unit_file_t:service all_service_perms;
- ')
-diff --git a/corosync.te b/corosync.te
-index 04969e5..1d60d9f 100644
---- a/corosync.te
-+++ b/corosync.te
-@@ -8,6 +8,7 @@ policy_module(corosync, 1.0.0)
- type corosync_t;
- type corosync_exec_t;
- init_daemon_domain(corosync_t, corosync_exec_t)
-+domain_obj_id_change_exemption(corosync_t)
-
- type corosync_initrc_exec_t;
- init_script_file(corosync_initrc_exec_t)
-@@ -27,23 +28,32 @@ logging_log_file(corosync_var_log_t)
- type corosync_var_run_t;
- files_pid_file(corosync_var_run_t)
-
-+type corosync_unit_file_t;
-+systemd_unit_file(corosync_unit_file_t)
-+
- ########################################
- #
- # corosync local policy
- #
-
--allow corosync_t self:capability { sys_nice sys_resource ipc_lock };
--allow corosync_t self:process { setrlimit setsched signal };
-+allow corosync_t self:capability { dac_override fowner setuid setgid sys_nice sys_admin sys_resource ipc_lock };
-+# for hearbeat
-+allow corosync_t self:capability { net_raw chown };
-+allow corosync_t self:process { setpgid setrlimit setsched signal signull };
-
- allow corosync_t self:fifo_file rw_fifo_file_perms;
- allow corosync_t self:sem create_sem_perms;
-+allow corosync_t self:shm create_shm_perms;
- allow corosync_t self:unix_stream_socket { create_stream_socket_perms connectto };
--allow corosync_t self:unix_dgram_socket create_socket_perms;
-+allow corosync_t self:unix_dgram_socket { create_socket_perms sendto };
- allow corosync_t self:udp_socket create_socket_perms;
-
-+can_exec(corosync_t, corosync_exec_t)
-+
- manage_dirs_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
- manage_files_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
- files_tmp_filetrans(corosync_t, corosync_tmp_t, { file dir })
-+allow corosync_t corosync_tmp_t:file { relabelfrom relabelto };
-
- manage_dirs_pattern(corosync_t, corosync_tmpfs_t, corosync_tmpfs_t)
- manage_files_pattern(corosync_t, corosync_tmpfs_t, corosync_tmpfs_t)
-@@ -52,7 +62,8 @@ fs_tmpfs_filetrans(corosync_t, corosync_tmpfs_t, { dir file })
- manage_files_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t)
- manage_dirs_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t)
- manage_sock_files_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t)
--files_var_lib_filetrans(corosync_t, corosync_var_lib_t, { file dir sock_file })
-+manage_fifo_files_pattern(corosync_t, corosync_var_lib_t,corosync_var_lib_t)
-+files_var_lib_filetrans(corosync_t,corosync_var_lib_t, { file dir fifo_file sock_file })
-
- manage_files_pattern(corosync_t, corosync_var_log_t, corosync_var_log_t)
- manage_sock_files_pattern(corosync_t, corosync_var_log_t, corosync_var_log_t)
-@@ -60,44 +71,96 @@ logging_log_filetrans(corosync_t, corosync_var_log_t, { sock_file file })
-
- manage_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t)
- manage_sock_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t)
--files_pid_filetrans(corosync_t, corosync_var_run_t, { file sock_file })
-+manage_dirs_pattern(corosync_t, corosync_var_run_t,corosync_var_run_t)
-+files_pid_filetrans(corosync_t, corosync_var_run_t, { file sock_file dir })
-
- kernel_read_system_state(corosync_t)
-+kernel_read_network_state(corosync_t)
-+kernel_read_all_sysctls(corosync_t)
-
- corecmd_exec_bin(corosync_t)
-+corecmd_exec_shell(corosync_t)
-
- corenet_udp_bind_netsupport_port(corosync_t)
-+corenet_tcp_connect_saphostctrl_port(corosync_t)
-
- dev_read_urand(corosync_t)
-+dev_read_sysfs(corosync_t)
-
- domain_read_all_domains_state(corosync_t)
-
- files_manage_mounttab(corosync_t)
-+files_read_usr_files(corosync_t)
-
- auth_use_nsswitch(corosync_t)
-
-+init_domtrans_script(corosync_t)
- init_read_script_state(corosync_t)
- init_rw_script_tmp_files(corosync_t)
-
- logging_send_syslog_msg(corosync_t)
-
--miscfiles_read_localization(corosync_t)
--
-+userdom_read_user_tmp_files(corosync_t)
-+userdom_delete_user_tmpfs_files(corosync_t)
- userdom_rw_user_tmpfs_files(corosync_t)
-
- optional_policy(`
-+ fs_manage_tmpfs_files(corosync_t)
-+ init_manage_script_status_files(corosync_t)
-+')
-+
-+optional_policy(`
- ccs_read_config(corosync_t)
- ')
-
- optional_policy(`
-- # to communication with RHCS
-- rhcs_rw_dlm_controld_semaphores(corosync_t)
-+ cmirrord_rw_shm(corosync_t)
-+')
-
-- rhcs_rw_fenced_semaphores(corosync_t)
-+optional_policy(`
-+ consoletype_exec(corosync_t)
-+')
-+
-+optional_policy(`
-+ dbus_system_bus_client(corosync_t)
-+')
-
-- rhcs_rw_gfs_controld_semaphores(corosync_t)
-+optional_policy(`
-+ drbd_domtrans(corosync_t)
- ')
-
- optional_policy(`
-+ lvm_rw_clvmd_tmpfs_files(corosync_t)
-+ lvm_delete_clvmd_tmpfs_files(corosync_t)
-+')
-+
-+optional_policy(`
-+ qpidd_rw_shm(corosync_t)
-+')
-+
-+optional_policy(`
-+ rhcs_getattr_fenced(corosync_t)
-+ # to communication with RHCS
-+ rhcs_rw_cluster_shm(corosync_t)
-+ rhcs_rw_cluster_semaphores(corosync_t)
-+ rhcs_stream_connect_cluster(corosync_t)
-+ rhcs_read_cluster_lib_files(corosync_t)
-+ rhcs_manage_cluster_lib_files(corosync_t)
-+ rhcs_relabel_cluster_lib_files(corosync_t)
-+')
-+
-+optional_policy(`
-+ # should be removed in F19
-+ # workaround because we switch hearbeat from corosync to rgmanager
-+ rgmanager_manage_files(corosync_t)
-+
- rgmanager_manage_tmpfs_files(corosync_t)
- ')
-+
-+optional_policy(`
-+ rpc_search_nfs_state_data(corosync_t)
-+')
-+
-+optional_policy(`
-+ wdmd_rw_tmpfs(corosync_t)
-+')
-diff --git a/couchdb.fc b/couchdb.fc
-new file mode 100644
-index 0000000..196461b
---- /dev/null
-+++ b/couchdb.fc
-@@ -0,0 +1,11 @@
-+/etc/couchdb(/.*)? gen_context(system_u:object_r:couchdb_etc_t,s0)
-+
-+/usr/bin/couchdb -- gen_context(system_u:object_r:couchdb_exec_t,s0)
-+
-+/usr/lib/systemd/system/couchdb.* -- gen_context(system_u:object_r:couchdb_unit_file_t,s0)
-+
-+/var/lib/couchdb(/.*)? gen_context(system_u:object_r:couchdb_var_lib_t,s0)
-+
-+/var/log/couchdb(/.*)? gen_context(system_u:object_r:couchdb_log_t,s0)
-+
-+/var/run/couchdb(/.*)? gen_context(system_u:object_r:couchdb_var_run_t,s0)
-diff --git a/couchdb.if b/couchdb.if
-new file mode 100644
-index 0000000..3e17383
---- /dev/null
-+++ b/couchdb.if
-@@ -0,0 +1,244 @@
-+
-+## <summary>policy for couchdb</summary>
-+
-+########################################
-+## <summary>
-+## Transition to couchdb.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed to transition.
-+## </summary>
-+## </param>
-+#
-+interface(`couchdb_domtrans',`
-+ gen_require(`
-+ type couchdb_t, couchdb_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, couchdb_exec_t, couchdb_t)
-+')
-+########################################
-+## <summary>
-+## Read couchdb's log files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`couchdb_read_log',`
-+ gen_require(`
-+ type couchdb_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ read_files_pattern($1, couchdb_log_t, couchdb_log_t)
-+')
-+
-+########################################
-+## <summary>
-+## Append to couchdb log files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`couchdb_append_log',`
-+ gen_require(`
-+ type couchdb_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ append_files_pattern($1, couchdb_log_t, couchdb_log_t)
-+')
-+
-+########################################
-+## <summary>
-+## Manage couchdb log files
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`couchdb_manage_log',`
-+ gen_require(`
-+ type couchdb_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ manage_dirs_pattern($1, couchdb_log_t, couchdb_log_t)
-+ manage_files_pattern($1, couchdb_log_t, couchdb_log_t)
-+ manage_lnk_files_pattern($1, couchdb_log_t, couchdb_log_t)
-+')
-+
-+########################################
-+## <summary>
-+## Search couchdb lib directories.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`couchdb_search_lib',`
-+ gen_require(`
-+ type couchdb_var_lib_t;
-+ ')
-+
-+ allow $1 couchdb_var_lib_t:dir search_dir_perms;
-+ files_search_var_lib($1)
-+')
-+
-+########################################
-+## <summary>
-+## Read couchdb lib files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`couchdb_read_lib_files',`
-+ gen_require(`
-+ type couchdb_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)
-+')
-+
-+########################################
-+## <summary>
-+## Manage couchdb lib files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`couchdb_manage_lib_files',`
-+ gen_require(`
-+ type couchdb_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)
-+')
-+
-+########################################
-+## <summary>
-+## Manage couchdb lib directories.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`couchdb_manage_lib_dirs',`
-+ gen_require(`
-+ type couchdb_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_dirs_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)
-+')
-+
-+########################################
-+## <summary>
-+## Read couchdb PID files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`couchdb_read_pid_files',`
-+ gen_require(`
-+ type couchdb_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ allow $1 couchdb_var_run_t:file read_file_perms;
-+')
-+
-+########################################
-+## <summary>
-+## Execute couchdb server in the couchdb domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed to transition.
-+## </summary>
-+## </param>
-+#
-+interface(`couchdb_systemctl',`
-+ gen_require(`
-+ type couchdb_t;
-+ type couchdb_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ allow $1 couchdb_unit_file_t:file read_file_perms;
-+ allow $1 couchdb_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, couchdb_t)
-+')
-+
-+
-+########################################
-+## <summary>
-+## All of the rules required to administrate
-+## an couchdb environment
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`couchdb_admin',`
-+ gen_require(`
-+ type couchdb_t, couchdb_etc_t, couchdb_log_t;
-+ type couchdb_var_lib_t, couchdb_var_run_t;
-+ type couchdb_unit_file_t;
-+ ')
-+
-+ allow $1 couchdb_t:process { ptrace signal_perms };
-+ ps_process_pattern($1, couchdb_t)
-+
-+ logging_search_logs($1)
-+ admin_pattern($1, couchdb_log_t)
-+
-+ files_search_etc($1)
-+ admin_pattern($1, couchdb_etc_t)
-+
-+ files_search_var_lib($1)
-+ admin_pattern($1, couchdb_var_lib_t)
-+
-+ files_search_pids($1)
-+ admin_pattern($1, couchdb_var_run_t)
-+
-+ admin_pattern($1, couchdb_unit_file_t)
-+ couchdb_systemctl($1)
-+ allow $1 couchdb_unit_file_t:service all_service_perms;
-+
-+ optional_policy(`
-+ systemd_passwd_agent_exec($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ ')
-+')
-diff --git a/couchdb.te b/couchdb.te
-new file mode 100644
-index 0000000..4b0535f
---- /dev/null
-+++ b/couchdb.te
-@@ -0,0 +1,83 @@
-+policy_module(couchdb, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type couchdb_t;
-+type couchdb_exec_t;
-+init_daemon_domain(couchdb_t, couchdb_exec_t)
-+
-+type couchdb_etc_t;
-+files_config_file(couchdb_etc_t)
-+
-+type couchdb_tmp_t;
-+files_tmp_file(couchdb_tmp_t)
-+
-+type couchdb_log_t;
-+logging_log_file(couchdb_log_t)
-+
-+type couchdb_var_lib_t;
-+files_type(couchdb_var_lib_t)
-+
-+type couchdb_var_run_t;
-+files_pid_file(couchdb_var_run_t)
-+
-+type couchdb_unit_file_t;
-+systemd_unit_file(couchdb_unit_file_t)
-+
-+########################################
-+#
-+# couchdb local policy
-+#
-+allow couchdb_t self:process { setsched signal signull sigkill };
-+allow couchdb_t self:fifo_file rw_fifo_file_perms;
-+allow couchdb_t self:unix_stream_socket create_stream_socket_perms;
-+allow couchdb_t self:tcp_socket create_stream_socket_perms;
-+allow couchdb_t self:udp_socket create_socket_perms;
-+
-+allow couchdb_t couchdb_etc_t:dir list_dir_perms;
-+read_files_pattern(couchdb_t, couchdb_etc_t, couchdb_etc_t)
-+
-+manage_dirs_pattern(couchdb_t, couchdb_log_t, couchdb_log_t)
-+manage_files_pattern(couchdb_t, couchdb_log_t, couchdb_log_t)
-+logging_log_filetrans(couchdb_t, couchdb_log_t, { dir file })
-+
-+manage_dirs_pattern(couchdb_t, couchdb_tmp_t, couchdb_tmp_t)
-+manage_files_pattern(couchdb_t, couchdb_tmp_t, couchdb_tmp_t)
-+files_tmp_filetrans(couchdb_t, couchdb_tmp_t, { dir file })
-+
-+manage_dirs_pattern(couchdb_t, couchdb_var_lib_t, couchdb_var_lib_t)
-+manage_files_pattern(couchdb_t, couchdb_var_lib_t, couchdb_var_lib_t)
-+files_var_lib_filetrans(couchdb_t, couchdb_var_lib_t, { dir file })
-+
-+manage_dirs_pattern(couchdb_t, couchdb_var_run_t, couchdb_var_run_t)
-+manage_files_pattern(couchdb_t, couchdb_var_run_t, couchdb_var_run_t)
-+files_pid_filetrans(couchdb_t, couchdb_var_run_t, { dir file })
-+
-+can_exec(couchdb_t, couchdb_exec_t)
-+
-+kernel_read_system_state(couchdb_t)
-+
-+corecmd_exec_bin(couchdb_t)
-+corecmd_exec_shell(couchdb_t)
-+
-+corenet_tcp_bind_generic_node(couchdb_t)
-+corenet_udp_bind_generic_node(couchdb_t)
-+corenet_tcp_bind_couchdb_port(couchdb_t)
-+
-+dev_list_sysfs(couchdb_t)
-+dev_read_sysfs(couchdb_t)
-+dev_read_urand(couchdb_t)
-+
-+domain_use_interactive_fds(couchdb_t)
-+
-+files_read_usr_files(couchdb_t)
-+
-+fs_getattr_xattr_fs(couchdb_t)
-+
-+auth_use_nsswitch(couchdb_t)
-+
-+libs_exec_lib_files(couchdb_t)
-+
-diff --git a/courier.fc b/courier.fc
-index 47dfa07..1beadbd 100644
---- a/courier.fc
-+++ b/courier.fc
-@@ -8,15 +8,15 @@
- /usr/sbin/courierldapaliasd -- gen_context(system_u:object_r:courier_exec_t,s0)
- /usr/sbin/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
-
--/usr/lib/courier/(courier-)?authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
--/usr/lib/courier/courier/.* -- gen_context(system_u:object_r:courier_exec_t,s0)
--/usr/lib/courier/courier/courierpop.* -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
--/usr/lib/courier/courier/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
--/usr/lib/courier/courier/pcpd -- gen_context(system_u:object_r:courier_pcp_exec_t,s0)
--/usr/lib/courier/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
--/usr/lib/courier/pop3d -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
-+/usr/lib/courier/authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
-+/usr/lib/courier/courier/.* -- gen_context(system_u:object_r:courier_exec_t,s0)
-+/usr/lib/courier/courier/courierpop.* -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
-+/usr/lib/courier/courier/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
-+/usr/lib/courier/courier/pcpd -- gen_context(system_u:object_r:courier_pcp_exec_t,s0)
-+/usr/lib/courier/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
-+/usr/lib/courier/pop3d -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
- /usr/lib/courier/rootcerts(/.*)? gen_context(system_u:object_r:courier_etc_t,s0)
--/usr/lib/courier/sqwebmail/cleancache\.pl -- gen_context(system_u:object_r:sqwebmail_cron_exec_t,s0)
-+/usr/lib/courier/sqwebmail/cleancache\.pl -- gen_context(system_u:object_r:sqwebmail_cron_exec_t,s0)
-
- ifdef(`distro_gentoo',`
- /usr/lib/courier-imap/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
-diff --git a/courier.if b/courier.if
-index 9971337..4078c26 100644
---- a/courier.if
-+++ b/courier.if
-@@ -50,7 +50,6 @@ template(`courier_domain_template',`
-
- corecmd_exec_bin(courier_$1_t)
-
-- corenet_all_recvfrom_unlabeled(courier_$1_t)
- corenet_all_recvfrom_netlabel(courier_$1_t)
- corenet_tcp_sendrecv_generic_if(courier_$1_t)
- corenet_udp_sendrecv_generic_if(courier_$1_t)
-@@ -90,7 +89,7 @@ template(`courier_domain_template',`
- ## Execute the courier authentication daemon with
- ## a domain transition.
- ## </summary>
--## <param name="prefix">
-+## <param name="domain">
- ## <summary>
- ## Domain allowed to transition.
- ## </summary>
-@@ -104,12 +103,31 @@ interface(`courier_domtrans_authdaemon',`
- domtrans_pattern($1, courier_authdaemon_exec_t, courier_authdaemon_t)
- ')
-
-+#######################################
-+## <summary>
-+## Connect to courier-authdaemon over a unix stream socket.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`courier_stream_connect_authdaemon',`
-+ gen_require(`
-+ type courier_authdaemon_t, courier_spool_t;
-+ ')
-+
-+ files_search_spool($1)
-+ stream_connect_pattern($1, courier_spool_t, courier_spool_t, courier_authdaemon_t)
-+')
-+
- ########################################
- ## <summary>
- ## Execute the courier POP3 and IMAP server with
- ## a domain transition.
- ## </summary>
--## <param name="prefix">
-+## <param name="domain">
- ## <summary>
- ## Domain allowed to transition.
- ## </summary>
-@@ -127,7 +145,7 @@ interface(`courier_domtrans_pop',`
- ## <summary>
- ## Read courier config files
- ## </summary>
--## <param name="prefix">
-+## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
-@@ -138,6 +156,7 @@ interface(`courier_read_config',`
- type courier_etc_t;
- ')
-
-+ files_search_etc($1)
- read_files_pattern($1, courier_etc_t, courier_etc_t)
- ')
-
-@@ -146,7 +165,7 @@ interface(`courier_read_config',`
- ## Create, read, write, and delete courier
- ## spool directories.
- ## </summary>
--## <param name="prefix">
-+## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
-@@ -157,6 +176,7 @@ interface(`courier_manage_spool_dirs',`
- type courier_spool_t;
- ')
-
-+ files_search_spool($1)
- manage_dirs_pattern($1, courier_spool_t, courier_spool_t)
- ')
-
-@@ -165,7 +185,7 @@ interface(`courier_manage_spool_dirs',`
- ## Create, read, write, and delete courier
- ## spool files.
- ## </summary>
--## <param name="prefix">
-+## <param name="domains">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
-@@ -176,6 +196,7 @@ interface(`courier_manage_spool_files',`
- type courier_spool_t;
- ')
-
-+ files_search_spool($1)
- manage_files_pattern($1, courier_spool_t, courier_spool_t)
- ')
-
-@@ -183,7 +204,7 @@ interface(`courier_manage_spool_files',`
- ## <summary>
- ## Read courier spool files.
- ## </summary>
--## <param name="prefix">
-+## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
-@@ -194,6 +215,7 @@ interface(`courier_read_spool',`
- type courier_spool_t;
- ')
-
-+ files_search_spool($1)
- read_files_pattern($1, courier_spool_t, courier_spool_t)
- ')
-
-diff --git a/courier.te b/courier.te
-index d034450..820c10b 100644
---- a/courier.te
-+++ b/courier.te
-@@ -15,7 +15,7 @@ courier_domain_template(pcp)
- courier_domain_template(pop)
-
- type courier_spool_t;
--files_type(courier_spool_t)
-+files_spool_file(courier_spool_t)
-
- courier_domain_template(tcpd)
-
-@@ -68,7 +68,6 @@ auth_domtrans_chk_passwd(courier_authdaemon_t)
-
- libs_read_lib_files(courier_authdaemon_t)
-
--miscfiles_read_localization(courier_authdaemon_t)
-
- # should not be needed!
- userdom_search_user_home_dirs(courier_authdaemon_t)
-@@ -95,9 +94,8 @@ allow courier_pop_t courier_authdaemon_t:process sigchld;
- allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
-
- # inherits file handle - should it?
--allow courier_pop_t courier_var_lib_t:file { read write };
-+allow courier_pop_t courier_var_lib_t:file rw_inherited_file_perms;
-
--miscfiles_read_localization(courier_pop_t)
-
- courier_domtrans_authdaemon(courier_pop_t)
-
-@@ -132,7 +130,6 @@ corenet_sendrecv_pop_server_packets(courier_tcpd_t)
- dev_read_rand(courier_tcpd_t)
- dev_read_urand(courier_tcpd_t)
-
--miscfiles_read_localization(courier_tcpd_t)
-
- courier_domtrans_pop(courier_tcpd_t)
-
-diff --git a/cpucontrol.fc b/cpucontrol.fc
-index 789c8c7..d1723f5 100644
---- a/cpucontrol.fc
-+++ b/cpucontrol.fc
-@@ -3,6 +3,7 @@
-
- /sbin/microcode_ctl -- gen_context(system_u:object_r:cpucontrol_exec_t,s0)
-
-+/usr/sbin/microcode_ctl -- gen_context(system_u:object_r:cpucontrol_exec_t,s0)
- /usr/sbin/cpufreqd -- gen_context(system_u:object_r:cpuspeed_exec_t,s0)
- /usr/sbin/cpuspeed -- gen_context(system_u:object_r:cpuspeed_exec_t,s0)
- /usr/sbin/powernowd -- gen_context(system_u:object_r:cpuspeed_exec_t,s0)
-diff --git a/cpucontrol.te b/cpucontrol.te
-index 13d2f63..1a00094 100644
---- a/cpucontrol.te
-+++ b/cpucontrol.te
-@@ -10,7 +10,7 @@ type cpucontrol_exec_t;
- init_system_domain(cpucontrol_t, cpucontrol_exec_t)
-
- type cpucontrol_conf_t;
--files_type(cpucontrol_conf_t)
-+files_config_file(cpucontrol_conf_t)
-
- type cpuspeed_t;
- type cpuspeed_exec_t;
-@@ -105,8 +105,6 @@ init_use_script_ptys(cpuspeed_t)
-
- logging_send_syslog_msg(cpuspeed_t)
-
--miscfiles_read_localization(cpuspeed_t)
--
- userdom_dontaudit_use_unpriv_user_fds(cpuspeed_t)
-
- optional_policy(`
-diff --git a/cpufreqselector.te b/cpufreqselector.te
-index f77d58a..f3d98a9 100644
---- a/cpufreqselector.te
-+++ b/cpufreqselector.te
-@@ -14,9 +14,10 @@ application_domain(cpufreqselector_t, cpufreqselector_exec_t)
- # cpufreq-selector local policy
- #
-
--allow cpufreqselector_t self:capability { sys_nice sys_ptrace };
-+allow cpufreqselector_t self:capability sys_nice;
- allow cpufreqselector_t self:process getsched;
- allow cpufreqselector_t self:fifo_file rw_fifo_file_perms;
-+allow cpufreqselector_t self:process getsched;
-
- kernel_read_system_state(cpufreqselector_t)
-
-@@ -27,13 +28,15 @@ corecmd_search_bin(cpufreqselector_t)
-
- dev_rw_sysfs(cpufreqselector_t)
-
--miscfiles_read_localization(cpufreqselector_t)
-+kernel_read_system_state(cpufreqselector_t)
-+
-
- userdom_read_all_users_state(cpufreqselector_t)
--userdom_dontaudit_search_user_home_dirs(cpufreqselector_t)
-+userdom_dontaudit_search_admin_dir(cpufreqselector_t)
-
- optional_policy(`
- dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t)
-+ init_daemon_domain(cpufreqselector_t, cpufreqselector_exec_t)
-
- optional_policy(`
- consolekit_dbus_chat(cpufreqselector_t)
-@@ -53,3 +56,7 @@ optional_policy(`
- policykit_read_lib(cpufreqselector_t)
- policykit_read_reload(cpufreqselector_t)
- ')
-+
-+optional_policy(`
-+ xserver_dbus_chat_xdm(cpufreqselector_t)
-+')
-diff --git a/cron.fc b/cron.fc
-index 3559a05..224142a 100644
---- a/cron.fc
-+++ b/cron.fc
-@@ -3,6 +3,9 @@
- /etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
- /etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
-
-+/usr/lib/systemd/system/atd.* -- gen_context(system_u:object_r:crond_unit_file_t,s0)
-+/usr/lib/systemd/system/crond.* -- gen_context(system_u:object_r:crond_unit_file_t,s0)
-+
- /usr/bin/at -- gen_context(system_u:object_r:crontab_exec_t,s0)
- /usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0)
-
-@@ -12,20 +15,34 @@
- /usr/sbin/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
- /usr/sbin/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0)
-
-+/var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0)
-+
- /var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
- /var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
- /var/run/crond?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
--/var/run/crond\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0)
-+/var/run/crond?\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0)
- /var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0)
- /var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
-+/var/run/.*cron.* -- gen_context(system_u:object_r:crond_var_run_t,s0)
-
- /var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
- /var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0)
-
--/var/spool/cron -d gen_context(system_u:object_r:cron_spool_t,s0)
-+/var/spool/cron -d gen_context(system_u:object_r:user_cron_spool_t,s0)
- #/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
- /var/spool/cron/[^/]* -- <<none>>
-
-+ifdef(`distro_gentoo',`
-+/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
-+/var/spool/cron/lastrun/[^/]* -- <<none>>
-+')
-+
-+ifdef(`distro_suse', `
-+/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
-+/var/spool/cron/lastrun/[^/]* -- <<none>>
-+/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
-+')
-+
- /var/spool/cron/crontabs -d gen_context(system_u:object_r:cron_spool_t,s0)
- /var/spool/cron/crontabs/.* -- <<none>>
- #/var/spool/cron/crontabs/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
-@@ -36,8 +53,10 @@
- /var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
- /var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
-
-+/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0)
-+
- ifdef(`distro_debian',`
--/var/log/prelink.log -- gen_context(system_u:object_r:cron_log_t,s0)
-+/var/log/prelink.log.* -- gen_context(system_u:object_r:cron_log_t,s0)
-
- /var/spool/cron/atjobs -d gen_context(system_u:object_r:cron_spool_t,s0)
- /var/spool/cron/atjobs/[^/]* -- <<none>>
-diff --git a/cron.if b/cron.if
-index 6e12dc7..b006818 100644
---- a/cron.if
-+++ b/cron.if
-@@ -12,12 +12,17 @@
- ## </param>
- #
- template(`cron_common_crontab_template',`
-+ gen_require(`
-+ attribute crontab_domain;
-+ type crontab_exec_t;
-+ ')
-+
- ##############################
- #
- # Declarations
- #
-
-- type $1_t;
-+ type $1_t, crontab_domain;
- userdom_user_application_domain($1_t, crontab_exec_t)
-
- type $1_tmp_t;
-@@ -28,63 +33,19 @@ template(`cron_common_crontab_template',`
- # Local policy
- #
-
-- # dac_override is to create the file in the directory under /tmp
-- allow $1_t self:capability { fowner setuid setgid chown dac_override };
-- allow $1_t self:process { setsched signal_perms };
-- allow $1_t self:fifo_file rw_fifo_file_perms;
--
-- allow $1_t $1_tmp_t:file manage_file_perms;
-- files_tmp_filetrans($1_t, $1_tmp_t, file)
--
-- # create files in /var/spool/cron
-- manage_files_pattern($1_t, { cron_spool_t user_cron_spool_t }, user_cron_spool_t)
-- filetrans_pattern($1_t, cron_spool_t, user_cron_spool_t, file)
-- files_list_spool($1_t)
--
-- # crontab signals crond by updating the mtime on the spooldir
-- allow $1_t cron_spool_t:dir setattr;
-+ manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
-+ manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
-+ files_tmp_filetrans($1_t, $1_tmp_t, { dir file })
-
- kernel_read_system_state($1_t)
-
-- # for the checks used by crontab -u
-- selinux_dontaudit_search_fs($1_t)
--
-- fs_getattr_xattr_fs($1_t)
--
-- domain_use_interactive_fds($1_t)
--
-- files_read_etc_files($1_t)
-- files_read_usr_files($1_t)
-- files_dontaudit_search_pids($1_t)
--
- auth_domtrans_chk_passwd($1_t)
-+ auth_use_nsswitch($1_t)
-
- logging_send_syslog_msg($1_t)
-- logging_send_audit_msgs($1_t)
--
-- init_dontaudit_write_utmp($1_t)
-- init_read_utmp($1_t)
--
-- miscfiles_read_localization($1_t)
-
-- seutil_read_config($1_t)
-+ userdom_home_reader($1_t)
-
-- userdom_manage_user_tmp_dirs($1_t)
-- userdom_manage_user_tmp_files($1_t)
-- # Access terminals.
-- userdom_use_user_terminals($1_t)
-- # Read user crontabs
-- userdom_read_user_home_content_files($1_t)
--
-- tunable_policy(`fcron_crond',`
-- # fcron wants an instant update of a crontab change for the administrator
-- # also crontab does a security check for crontab -u
-- dontaudit $1_t crond_t:process signal;
-- ')
--
-- optional_policy(`
-- nscd_socket_use($1_t)
-- ')
- ')
-
- ########################################
-@@ -101,10 +62,12 @@ template(`cron_common_crontab_template',`
- ## User domain for the role
- ## </summary>
- ## </param>
-+## <rolecap/>
- #
- interface(`cron_role',`
- gen_require(`
- type cronjob_t, crontab_t, crontab_exec_t;
-+ type user_cron_spool_t, crond_t;
- ')
-
- role $1 types { cronjob_t crontab_t };
-@@ -115,9 +78,20 @@ interface(`cron_role',`
- # Transition from the user domain to the derived domain.
- domtrans_pattern($2, crontab_exec_t, crontab_t)
-
-+ allow crond_t $2:process transition;
-+ dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
-+ allow $2 crond_t:process sigchld;
-+
-+ # needs to be authorized SELinux context for cron
-+ allow $2 user_cron_spool_t:file { getattr read write ioctl entrypoint };
-+
- # crontab shows up in user ps
- ps_process_pattern($2, crontab_t)
-- allow $2 crontab_t:process signal;
-+ allow $2 crontab_t:process signal_perms;
-+
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $2 crontab_t:process ptrace;
-+ ')
-
- # Run helper programs as the user domain
- #corecmd_bin_domtrans(crontab_t, $2)
-@@ -150,29 +124,21 @@ interface(`cron_role',`
- ## User domain for the role
- ## </summary>
- ## </param>
-+## <rolecap/>
- #
- interface(`cron_unconfined_role',`
- gen_require(`
-- type unconfined_cronjob_t, crontab_t, crontab_tmp_t, crontab_exec_t;
-+ type unconfined_cronjob_t;
- ')
-
-- role $1 types { unconfined_cronjob_t crontab_t };
-+ role $1 types unconfined_cronjob_t;
-
- # cronjob shows up in user ps
- ps_process_pattern($2, unconfined_cronjob_t)
--
-- # Transition from the user domain to the derived domain.
-- domtrans_pattern($2, crontab_exec_t, crontab_t)
--
-- # crontab shows up in user ps
-- ps_process_pattern($2, crontab_t)
-- allow $2 crontab_t:process signal;
--
-- # Run helper programs as the user domain
-- #corecmd_bin_domtrans(crontab_t, $2)
-- #corecmd_shell_domtrans(crontab_t, $2)
-- corecmd_exec_bin(crontab_t)
-- corecmd_exec_shell(crontab_t)
-+ allow $2 unconfined_cronjob_t:process signal_perms;
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $2 unconfined_cronjob_t:process ptrace;
-+ ')
-
- optional_policy(`
- gen_require(`
-@@ -180,9 +146,8 @@ interface(`cron_unconfined_role',`
- ')
-
- dbus_stub(unconfined_cronjob_t)
--
- allow unconfined_cronjob_t $2:dbus send_msg;
-- ')
-+ ')
- ')
-
- ########################################
-@@ -199,10 +164,12 @@ interface(`cron_unconfined_role',`
- ## User domain for the role
- ## </summary>
- ## </param>
-+## <rolecap/>
- #
- interface(`cron_admin_role',`
- gen_require(`
- type cronjob_t, crontab_exec_t, admin_crontab_t, admin_crontab_tmp_t;
-+ type user_cron_spool_t, crond_t;
- class passwd crontab;
- ')
-
-@@ -219,7 +186,18 @@ interface(`cron_admin_role',`
-
- # crontab shows up in user ps
- ps_process_pattern($2, admin_crontab_t)
-- allow $2 admin_crontab_t:process signal;
-+ allow $2 admin_crontab_t:process signal_perms;
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $2 admin_crontab_t:process ptrace;
-+ ')
-+
-+ allow $2 crond_t:process sigchld;
-+ allow crond_t $2:process transition;
-+
-+ dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
-+
-+ # needs to be authorized SELinux context for cron
-+ allow $2 user_cron_spool_t:file entrypoint;
-
- # Run helper programs as the user domain
- #corecmd_bin_domtrans(admin_crontab_t, $2)
-@@ -263,6 +241,9 @@ interface(`cron_system_entry',`
- domtrans_pattern(crond_t, $2, $1)
-
- role system_r types $1;
-+
-+ allow $1 crond_t:fifo_file rw_fifo_file_perms;
-+ allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms;
- ')
-
- ########################################
-@@ -303,7 +284,7 @@ interface(`cron_exec',`
-
- ########################################
- ## <summary>
--## Execute crond server in the nscd domain.
-+## Execute crond server in the crond domain.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -321,6 +302,29 @@ interface(`cron_initrc_domtrans',`
-
- ########################################
- ## <summary>
-+## Execute crond server in the crond domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed to transition.
-+## </summary>
-+## </param>
-+#
-+interface(`cron_systemctl',`
-+ gen_require(`
-+ type crond_unit_file_t;
-+ type crond_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 crond_unit_file_t:file read_file_perms;
-+ allow $1 crond_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, crond_t)
-+')
-+
-+########################################
-+## <summary>
- ## Inherit and use a file descriptor
- ## from the cron daemon.
- ## </summary>
-@@ -358,6 +362,24 @@ interface(`cron_sigchld',`
-
- ########################################
- ## <summary>
-+## Send a generic signal to cron daemon.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`cron_signal',`
-+ gen_require(`
-+ type crond_t;
-+ ')
-+
-+ allow $1 crond_t:process signal;
-+')
-+
-+########################################
-+## <summary>
- ## Read a cron daemon unnamed pipe.
- ## </summary>
- ## <param name="domain">
-@@ -376,6 +398,47 @@ interface(`cron_read_pipes',`
-
- ########################################
- ## <summary>
-+## Read crond state files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`cron_read_state_crond',`
-+ gen_require(`
-+ type crond_t;
-+ ')
-+
-+ kernel_search_proc($1)
-+ ps_process_pattern($1, crond_t)
-+')
-+
-+
-+########################################
-+## <summary>
-+## Send and receive messages from
-+## crond over dbus.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`cron_dbus_chat_crond',`
-+ gen_require(`
-+ type crond_t;
-+ class dbus send_msg;
-+ ')
-+
-+ allow $1 crond_t:dbus send_msg;
-+ allow crond_t $1:dbus send_msg;
-+')
-+
-+########################################
-+## <summary>
- ## Do not audit attempts to write cron daemon unnamed pipes.
- ## </summary>
- ## <param name="domain">
-@@ -407,7 +470,43 @@ interface(`cron_rw_pipes',`
- type crond_t;
- ')
-
-- allow $1 crond_t:fifo_file { getattr read write };
-+ allow $1 crond_t:fifo_file rw_inherited_fifo_file_perms;
-+')
-+
-+########################################
-+## <summary>
-+## Read and write inherited user spool files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`cron_rw_inherited_user_spool_files',`
-+ gen_require(`
-+ type user_cron_spool_t;
-+ ')
-+
-+ allow $1 user_cron_spool_t:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+## <summary>
-+## Read and write inherited spool files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`cron_rw_inherited_spool_files',`
-+ gen_require(`
-+ type cron_spool_t;
-+ ')
-+
-+ allow $1 cron_spool_t:file rw_inherited_file_perms;
- ')
-
- ########################################
-@@ -467,6 +566,25 @@ interface(`cron_search_spool',`
-
- ########################################
- ## <summary>
-+## Search the directory containing user cron tables.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`cron_manage_system_spool',`
-+ gen_require(`
-+ type cron_system_spool_t;
-+ ')
-+
-+ files_search_spool($1)
-+ manage_files_pattern($1, cron_system_spool_t, cron_system_spool_t)
-+')
-+
-+########################################
-+## <summary>
- ## Manage pid files used by cron
- ## </summary>
- ## <param name="domain">
-@@ -480,6 +598,7 @@ interface(`cron_manage_pid_files',`
- type crond_var_run_t;
- ')
-
-+ files_search_pids($1)
- manage_files_pattern($1, crond_var_run_t, crond_var_run_t)
- ')
-
-@@ -535,7 +654,7 @@ interface(`cron_write_system_job_pipes',`
- type system_cronjob_t;
- ')
-
-- allow $1 system_cronjob_t:file write;
-+ allow $1 system_cronjob_t:fifo_file write;
- ')
-
- ########################################
-@@ -553,7 +672,7 @@ interface(`cron_rw_system_job_pipes',`
- type system_cronjob_t;
- ')
-
-- allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms;
-+ allow $1 system_cronjob_t:fifo_file rw_inherited_fifo_file_perms;
- ')
-
- ########################################
-@@ -586,11 +705,14 @@ interface(`cron_rw_system_job_stream_sockets',`
- #
- interface(`cron_read_system_job_tmp_files',`
- gen_require(`
-- type system_cronjob_tmp_t;
-+ type system_cronjob_tmp_t, cron_var_run_t;
- ')
-
- files_search_tmp($1)
- allow $1 system_cronjob_tmp_t:file read_file_perms;
-+
-+ files_search_pids($1)
-+ allow $1 cron_var_run_t:file read_file_perms;
- ')
-
- ########################################
-@@ -626,7 +748,47 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
- interface(`cron_dontaudit_write_system_job_tmp_files',`
- gen_require(`
- type system_cronjob_tmp_t;
-+ type cron_var_run_t;
- ')
-
- dontaudit $1 system_cronjob_tmp_t:file write_file_perms;
-+ dontaudit $1 cron_var_run_t:file write_file_perms;
-+')
-+
-+########################################
-+## <summary>
-+## Read temporary files from the system cron jobs.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`cron_read_system_job_lib_files',`
-+ gen_require(`
-+ type system_cronjob_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
-+')
-+
-+########################################
-+## <summary>
-+## Manage files from the system cron jobs.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`cron_manage_system_job_lib_files',`
-+ gen_require(`
-+ type system_cronjob_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
- ')
-diff --git a/cron.te b/cron.te
-index b357856..28ae123 100644
---- a/cron.te
-+++ b/cron.te
-@@ -1,4 +1,4 @@
--policy_module(cron, 2.4.0)
-+policy_module(cron, 2.2.1)
-
- gen_require(`
- class passwd rootok;
-@@ -10,35 +10,36 @@ gen_require(`
- #
-
- ## <desc>
--## <p>
--## Allow system cron jobs to relabel filesystem
--## for restoring file contexts.
--## </p>
-+## <p>
-+## Allow system cron jobs to relabel filesystem
-+## for restoring file contexts.
-+## </p>
- ## </desc>
- gen_tunable(cron_can_relabel, false)
-
- ## <desc>
--## <p>
--## Enable extra rules in the cron domain
--## to support fcron.
--## </p>
-+## <p>
-+## Enable extra rules in the cron domain
-+## to support fcron.
-+## </p>
- ## </desc>
- gen_tunable(fcron_crond, false)
-
-+attribute crontab_domain;
- attribute cron_spool_type;
-
- type anacron_exec_t;
- application_executable_file(anacron_exec_t)
-
- type cron_spool_t;
--files_type(cron_spool_t)
-+files_spool_file(cron_spool_t)
-
- # var/lib files
- type cron_var_lib_t;
- files_type(cron_var_lib_t)
-
- type cron_var_run_t;
--files_type(cron_var_run_t)
-+files_pid_file(cron_var_run_t)
-
- # var/log files
- type cron_log_t;
-@@ -61,11 +62,17 @@ domain_cron_exemption_source(crond_t)
- type crond_initrc_exec_t;
- init_script_file(crond_initrc_exec_t)
-
-+type crond_unit_file_t;
-+systemd_unit_file(crond_unit_file_t)
-+
- type crond_tmp_t;
- files_tmp_file(crond_tmp_t)
-+files_poly_parent(crond_tmp_t)
-+mta_system_content(crond_tmp_t)
-
- type crond_var_run_t;
- files_pid_file(crond_var_run_t)
-+mta_system_content(crond_var_run_t)
-
- type crontab_exec_t;
- application_executable_file(crontab_exec_t)
-@@ -79,14 +86,16 @@ typealias crontab_t alias { user_crontab_t staff_crontab_t };
- typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t };
- typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t };
- typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
-+allow admin_crontab_t crond_t:process signal;
-
- type system_cron_spool_t, cron_spool_type;
--files_type(system_cron_spool_t)
-+files_spool_file(system_cron_spool_t)
-
- type system_cronjob_t alias system_crond_t;
- init_daemon_domain(system_cronjob_t, anacron_exec_t)
- corecmd_shell_entry_type(system_cronjob_t)
- role system_r types system_cronjob_t;
-+domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t)
-
- type system_cronjob_lock_t alias system_crond_lock_t;
- files_lock_file(system_cronjob_lock_t)
-@@ -94,10 +103,6 @@ files_lock_file(system_cronjob_lock_t)
- type system_cronjob_tmp_t alias system_crond_tmp_t;
- files_tmp_file(system_cronjob_tmp_t)
-
--ifdef(`enable_mcs',`
-- init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh)
--')
--
- type unconfined_cronjob_t;
- domain_type(unconfined_cronjob_t)
- domain_cron_exemption_target(unconfined_cronjob_t)
-@@ -106,8 +111,20 @@ domain_cron_exemption_target(unconfined_cronjob_t)
- type user_cron_spool_t, cron_spool_type;
- typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t };
- typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
--files_type(user_cron_spool_t)
-+files_spool_file(user_cron_spool_t)
- ubac_constrained(user_cron_spool_t)
-+mta_system_content(user_cron_spool_t)
-+
-+type system_cronjob_var_lib_t;
-+files_type(system_cronjob_var_lib_t)
-+typealias system_cronjob_var_lib_t alias system_crond_var_lib_t;
-+
-+type system_cronjob_var_run_t;
-+files_pid_file(system_cronjob_var_run_t)
-+
-+ifdef(`enable_mcs',`
-+ init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh)
-+')
-
- ########################################
- #
-@@ -115,7 +132,7 @@ ubac_constrained(user_cron_spool_t)
- #
-
- # Allow our crontab domain to unlink a user cron spool file.
--allow admin_crontab_t user_cron_spool_t:file { getattr read unlink };
-+allow admin_crontab_t user_cron_spool_t:file { read_file_perms delete_file_perms };
-
- # Manipulate other users crontab.
- selinux_get_fs_mount(admin_crontab_t)
-@@ -125,7 +142,7 @@ selinux_compute_create_context(admin_crontab_t)
- selinux_compute_relabel_context(admin_crontab_t)
- selinux_compute_user_contexts(admin_crontab_t)
-
--tunable_policy(`fcron_crond', `
-+tunable_policy(`fcron_crond',`
- # fcron wants an instant update of a crontab change for the administrator
- # also crontab does a security check for crontab -u
- allow admin_crontab_t self:process setfscreate;
-@@ -136,9 +153,9 @@ tunable_policy(`fcron_crond', `
- # Cron daemon local policy
- #
-
--allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search };
-+allow crond_t self:capability { dac_override chown fowner setgid setuid sys_nice dac_read_search };
- dontaudit crond_t self:capability { sys_resource sys_tty_config };
--allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-+allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
- allow crond_t self:process { setexec setfscreate };
- allow crond_t self:fd use;
- allow crond_t self:fifo_file rw_fifo_file_perms;
-@@ -151,6 +168,7 @@ allow crond_t self:sem create_sem_perms;
- allow crond_t self:msgq create_msgq_perms;
- allow crond_t self:msg { send receive };
- allow crond_t self:key { search write link };
-+dontaudit crond_t self:netlink_audit_socket nlmsg_tty_audit;
-
- manage_files_pattern(crond_t, cron_log_t, cron_log_t)
- logging_log_filetrans(crond_t, cron_log_t, file)
-@@ -187,27 +205,47 @@ fs_list_inotifyfs(crond_t)
-
- # need auth_chkpwd to check for locked accounts.
- auth_domtrans_chk_passwd(crond_t)
-+auth_manage_var_auth(crond_t)
-
- corecmd_exec_shell(crond_t)
- corecmd_list_bin(crond_t)
-+corecmd_exec_bin(crond_t)
- corecmd_read_bin_symlinks(crond_t)
-
- domain_use_interactive_fds(crond_t)
-+domain_subj_id_change_exemption(crond_t)
-+domain_role_change_exemption(crond_t)
-
- files_read_usr_files(crond_t)
- files_read_etc_runtime_files(crond_t)
--files_read_etc_files(crond_t)
- files_read_generic_spool(crond_t)
- files_list_usr(crond_t)
- # Read from /var/spool/cron.
- files_search_var_lib(crond_t)
- files_search_default(crond_t)
-
-+fs_manage_cgroup_dirs(crond_t)
-+fs_manage_cgroup_files(crond_t)
-+
-+# needed by "crontab -e"
-+mls_file_read_all_levels(crond_t)
-+mls_file_write_all_levels(crond_t)
-+
-+# needed because of kernel check of transition
-+mls_process_set_level(crond_t)
-+
-+# to make cronjob working
-+mls_fd_share_all_levels(crond_t)
-+mls_trusted_object(crond_t)
-+
-+init_read_state(crond_t)
- init_rw_utmp(crond_t)
- init_spec_domtrans_script(crond_t)
-
-+auth_manage_var_auth(crond_t)
- auth_use_nsswitch(crond_t)
-
-+logging_send_audit_msgs(crond_t)
- logging_send_syslog_msg(crond_t)
- logging_set_loginuid(crond_t)
-
-@@ -215,25 +253,27 @@ seutil_read_config(crond_t)
- seutil_read_default_contexts(crond_t)
- seutil_sigchld_newrole(crond_t)
-
--miscfiles_read_localization(crond_t)
-
- userdom_use_unpriv_users_fds(crond_t)
- # Not sure why this is needed
- userdom_list_user_home_dirs(crond_t)
-+userdom_list_admin_dir(crond_t)
-+userdom_manage_all_users_keys(crond_t)
-
- mta_send_mail(crond_t)
-+mta_system_content(cron_spool_t)
-
- ifdef(`distro_debian',`
- # pam_limits is used
- allow crond_t self:process setrlimit;
-
-- optional_policy(`
-- # Debian logcheck has the home dir set to its cache
-- logwatch_search_cache_dir(crond_t)
-- ')
- ')
-
--ifdef(`distro_redhat', `
-+optional_policy(`
-+ logwatch_search_cache_dir(crond_t)
-+')
-+
-+ifdef(`distro_redhat',`
- # Run the rpm program in the rpm_t domain. Allow creation of RPM log files
- # via redirection of standard out.
- optional_policy(`
-@@ -241,7 +281,7 @@ ifdef(`distro_redhat', `
- ')
- ')
-
--tunable_policy(`allow_polyinstantiation',`
-+tunable_policy(`polyinstantiation_enabled',`
- files_polyinstantiate_all(crond_t)
- ')
-
-@@ -250,11 +290,27 @@ tunable_policy(`fcron_crond', `
- ')
-
- optional_policy(`
-+ apache_search_sys_content(crond_t)
-+')
-+
-+optional_policy(`
-+ djbdns_search_tinydns_keys(crond_t)
-+ djbdns_link_tinydns_keys(crond_t)
-+')
-+
-+optional_policy(`
- locallogin_search_keys(crond_t)
- locallogin_link_keys(crond_t)
- ')
-
- optional_policy(`
-+ # these should probably be unconfined_crond_t
-+ dbus_system_bus_client(crond_t)
-+ init_dbus_send_script(crond_t)
-+ init_dbus_chat(crond_t)
-+')
-+
-+optional_policy(`
- amanda_search_var_lib(crond_t)
- ')
-
-@@ -264,6 +320,8 @@ optional_policy(`
-
- optional_policy(`
- hal_dbus_chat(crond_t)
-+ hal_write_log(crond_t)
-+ hal_dbus_chat(system_cronjob_t)
- ')
-
- optional_policy(`
-@@ -286,15 +344,25 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ systemd_use_fds_logind(crond_t)
-+ systemd_write_inherited_logind_sessions_pipes(crond_t)
-+')
-+
-+optional_policy(`
- udev_read_db(crond_t)
- ')
-
-+optional_policy(`
-+ vnstatd_search_lib(crond_t)
-+')
-+
- ########################################
- #
- # System cron process domain
- #
-
- allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice };
-+
- allow system_cronjob_t self:process { signal_perms getsched setsched };
- allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
- allow system_cronjob_t self:passwd rootok;
-@@ -306,10 +374,19 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file)
-
- # This is to handle /var/lib/misc directory. Used currently
- # by prelink var/lib files for cron
--allow system_cronjob_t cron_var_lib_t:file manage_file_perms;
-+allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabel_file_perms };
- files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file)
-
-+allow system_cronjob_t cron_var_run_t:file manage_file_perms;
-+files_pid_filetrans(system_cronjob_t, cron_var_run_t, file)
-+
- allow system_cronjob_t system_cron_spool_t:file read_file_perms;
-+
-+mls_file_read_to_clearance(system_cronjob_t)
-+
-+# anacron forces the following
-+manage_files_pattern(system_cronjob_t, system_cron_spool_t, system_cron_spool_t)
-+
- # The entrypoint interface is not used as this is not
- # a regular entrypoint. Since crontab files are
- # not directly executed, crond must ensure that
-@@ -329,6 +406,7 @@ allow crond_t system_cronjob_t:fd use;
- allow system_cronjob_t crond_t:fd use;
- allow system_cronjob_t crond_t:fifo_file rw_file_perms;
- allow system_cronjob_t crond_t:process sigchld;
-+allow crond_t system_cronjob_t:key manage_key_perms;
-
- # Write /var/lock/makewhatis.lock.
- allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
-@@ -340,11 +418,16 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
- filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
- files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
-
-+# var/lib files for system_crond
-+files_search_var_lib(system_cronjob_t)
-+manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
-+
- # Read from /var/spool/cron.
- allow system_cronjob_t cron_spool_t:dir list_dir_perms;
--allow system_cronjob_t cron_spool_t:file read_file_perms;
-+allow system_cronjob_t cron_spool_t:file rw_file_perms;
-
- kernel_read_kernel_sysctls(system_cronjob_t)
-+kernel_read_network_state(system_cronjob_t)
- kernel_read_system_state(system_cronjob_t)
- kernel_read_software_raid_state(system_cronjob_t)
-
-@@ -353,7 +436,6 @@ files_dontaudit_search_boot(system_cronjob_t)
-
- corecmd_exec_all_executables(system_cronjob_t)
-
--corenet_all_recvfrom_unlabeled(system_cronjob_t)
- corenet_all_recvfrom_netlabel(system_cronjob_t)
- corenet_tcp_sendrecv_generic_if(system_cronjob_t)
- corenet_udp_sendrecv_generic_if(system_cronjob_t)
-@@ -365,6 +447,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t)
- dev_getattr_all_blk_files(system_cronjob_t)
- dev_getattr_all_chr_files(system_cronjob_t)
- dev_read_urand(system_cronjob_t)
-+dev_read_sysfs(system_cronjob_t)
-
- fs_getattr_all_fs(system_cronjob_t)
- fs_getattr_all_files(system_cronjob_t)
-@@ -376,7 +459,6 @@ fs_getattr_all_sockets(system_cronjob_t)
- domain_dontaudit_read_all_domains_state(system_cronjob_t)
-
- files_exec_etc_files(system_cronjob_t)
--files_read_etc_files(system_cronjob_t)
- files_read_etc_runtime_files(system_cronjob_t)
- files_list_all(system_cronjob_t)
- files_getattr_all_dirs(system_cronjob_t)
-@@ -391,6 +473,7 @@ files_dontaudit_search_pids(system_cronjob_t)
- # Access other spool directories like
- # /var/spool/anacron and /var/spool/slrnpull.
- files_manage_generic_spool(system_cronjob_t)
-+files_create_boot_flag(system_cronjob_t)
-
- init_use_script_fds(system_cronjob_t)
- init_read_utmp(system_cronjob_t)
-@@ -408,23 +491,23 @@ logging_read_generic_logs(system_cronjob_t)
- logging_send_audit_msgs(system_cronjob_t)
- logging_send_syslog_msg(system_cronjob_t)
-
--miscfiles_read_localization(system_cronjob_t)
--miscfiles_manage_man_pages(system_cronjob_t)
--
- seutil_read_config(system_cronjob_t)
-
--ifdef(`distro_redhat', `
-+ifdef(`distro_redhat',`
- # Run the rpm program in the rpm_t domain. Allow creation of RPM log files
-+ allow crond_t system_cron_spool_t:file manage_file_perms;
-+
- # via redirection of standard out.
- optional_policy(`
- rpm_manage_log(system_cronjob_t)
- ')
- ')
-
-+selinux_get_fs_mount(system_cronjob_t)
-+
- tunable_policy(`cron_can_relabel',`
- seutil_domtrans_setfiles(system_cronjob_t)
- ',`
-- selinux_get_fs_mount(system_cronjob_t)
- selinux_validate_context(system_cronjob_t)
- selinux_compute_access_vector(system_cronjob_t)
- selinux_compute_create_context(system_cronjob_t)
-@@ -439,6 +522,12 @@ optional_policy(`
- apache_read_config(system_cronjob_t)
- apache_read_log(system_cronjob_t)
- apache_read_sys_content(system_cronjob_t)
-+ apache_delete_cache_dirs(system_cronjob_t)
-+ apache_delete_cache_files(system_cronjob_t)
-+')
-+
-+optional_policy(`
-+ bind_read_config(system_cronjob_t)
- ')
-
- optional_policy(`
-@@ -446,6 +535,14 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ dbus_system_bus_client(system_cronjob_t)
-+')
-+
-+optional_policy(`
-+ exim_read_spool_files(system_cronjob_t)
-+')
-+
-+optional_policy(`
- ftp_read_log(system_cronjob_t)
- ')
-
-@@ -456,6 +553,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ livecd_read_tmp_files(system_cronjob_t)
-+')
-+
-+optional_policy(`
- lpd_list_spool(system_cronjob_t)
- ')
-
-@@ -464,7 +565,9 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ mta_read_config(system_cronjob_t)
- mta_send_mail(system_cronjob_t)
-+ mta_system_content(system_cron_spool_t)
- ')
-
- optional_policy(`
-@@ -472,6 +575,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ networkmanager_dbus_chat(system_cronjob_t)
-+')
-+
-+optional_policy(`
- postfix_read_config(system_cronjob_t)
- ')
-
-@@ -480,7 +587,7 @@ optional_policy(`
- prelink_manage_lib(system_cronjob_t)
- prelink_manage_log(system_cronjob_t)
- prelink_read_cache(system_cronjob_t)
-- prelink_relabelfrom_lib(system_cronjob_t)
-+ prelink_relabel_lib(system_cronjob_t)
- ')
-
- optional_policy(`
-@@ -495,6 +602,7 @@ optional_policy(`
-
- optional_policy(`
- spamassassin_manage_lib_files(system_cronjob_t)
-+ spamassassin_manage_home_client(system_cronjob_t)
- ')
-
- optional_policy(`
-@@ -502,7 +610,18 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ systemd_dbus_chat_logind(system_cronjob_t)
-+ systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
-+')
-+
-+optional_policy(`
-+ unconfined_domain(crond_t)
- unconfined_domain(system_cronjob_t)
-+')
-+
-+optional_policy(`
-+ unconfined_shell_domtrans(crond_t)
-+ unconfined_dbus_send(crond_t)
- userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
++ logging_send_syslog_msg(courier_$1_t)
')
-@@ -542,7 +661,6 @@ kernel_read_kernel_sysctls(cronjob_t)
- # ps does not need to access /boot when run from cron
- files_dontaudit_search_boot(cronjob_t)
-
--corenet_all_recvfrom_unlabeled(cronjob_t)
- corenet_all_recvfrom_netlabel(cronjob_t)
- corenet_tcp_sendrecv_generic_if(cronjob_t)
- corenet_udp_sendrecv_generic_if(cronjob_t)
-@@ -579,7 +697,6 @@ logging_search_logs(cronjob_t)
-
- seutil_read_config(cronjob_t)
-
--miscfiles_read_localization(cronjob_t)
-
- userdom_manage_user_tmp_files(cronjob_t)
- userdom_manage_user_tmp_symlinks(cronjob_t)
-@@ -595,9 +712,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
- #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
-
- list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
-+rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
- read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
-+read_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
-+allow crond_t user_cron_spool_t:file manage_lnk_file_perms;
+ ########################################
+ ## <summary>
+-## Execute the courier authentication
+-## daemon with a domain transition.
++## Execute the courier authentication daemon with
++## a domain transition.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -48,34 +57,32 @@ interface(`courier_domtrans_authdaemon',`
+ type courier_authdaemon_t, courier_authdaemon_exec_t;
+ ')
--tunable_policy(`fcron_crond', `
-+tunable_policy(`fcron_crond',`
- allow crond_t user_cron_spool_t:file manage_file_perms;
+- corecmd_search_bin($1)
+ domtrans_pattern($1, courier_authdaemon_exec_t, courier_authdaemon_t)
')
-@@ -626,3 +746,74 @@ optional_policy(`
-
- unconfined_domain(unconfined_cronjob_t)
- ')
-+
-+##############################
-+#
-+# crontab common policy
-+#
-+
-+# dac_override is to create the file in the directory under /tmp
-+allow crontab_domain self:capability { fowner setuid setgid chown dac_override };
-+allow crontab_domain self:process { getcap setsched signal_perms };
-+allow crontab_domain self:fifo_file rw_fifo_file_perms;
-+
-+allow crontab_domain crond_t:process signal;
-+allow crontab_domain crond_var_run_t:file read_file_perms;
-+
-+# create files in /var/spool/cron
-+manage_files_pattern(crontab_domain, { cron_spool_t user_cron_spool_t }, user_cron_spool_t)
-+filetrans_pattern(crontab_domain, cron_spool_t, user_cron_spool_t, file)
-+files_list_spool(crontab_domain)
-+
-+# crontab signals crond by updating the mtime on the spooldir
-+allow crontab_domain cron_spool_t:dir setattr_dir_perms;
-+
-+# for the checks used by crontab -u
-+selinux_dontaudit_search_fs(crontab_domain)
-+
-+fs_getattr_xattr_fs(crontab_domain)
-+fs_manage_cgroup_dirs(crontab_domain)
-+fs_manage_cgroup_files(crontab_domain)
-+
-+domain_use_interactive_fds(crontab_domain)
-+
-+files_read_etc_files(crontab_domain)
-+files_read_usr_files(crontab_domain)
-+files_dontaudit_search_pids(crontab_domain)
-+
-+fs_dontaudit_rw_anon_inodefs_files(crontab_domain)
-+
-+auth_rw_var_auth(crontab_domain)
-+
-+logging_send_audit_msgs(crontab_domain)
-+logging_set_loginuid(crontab_domain)
-+
-+init_dontaudit_write_utmp(crontab_domain)
-+init_read_utmp(crontab_domain)
-+init_read_state(crontab_domain)
-+
-+
-+seutil_read_config(crontab_domain)
-+
-+userdom_manage_user_tmp_dirs(crontab_domain)
-+userdom_manage_user_tmp_files(crontab_domain)
-+# Access terminals.
-+userdom_use_inherited_user_terminals(crontab_domain)
-+# Read user crontabs
-+userdom_read_user_home_content_files(crontab_domain)
-+userdom_read_user_home_content_symlinks(crontab_domain)
-+
-+tunable_policy(`fcron_crond',`
-+ # fcron wants an instant update of a crontab change for the administrator
-+ # also crontab does a security check for crontab -u
-+ dontaudit crontab_domain crond_t:process signal;
-+')
-+
-+optional_policy(`
-+ ssh_dontaudit_use_ptys(crontab_domain)
-+')
-+
-+optional_policy(`
-+ openshift_dontaudit_rw_inherited_fifo_files(crontab_domain)
-+ openshift_transition(system_cronjob_t)
-+')
-diff --git a/ctdbd.fc b/ctdbd.fc
-new file mode 100644
-index 0000000..255568d
---- /dev/null
-+++ b/ctdbd.fc
-@@ -0,0 +1,19 @@
-+
-+/etc/rc\.d/init\.d/ctdb -- gen_context(system_u:object_r:ctdbd_initrc_exec_t,s0)
-+
-+/etc/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0)
-+
-+/usr/sbin/ctdbd -- gen_context(system_u:object_r:ctdbd_exec_t,s0)
-+
-+/var/log/log\.ctdb.* -- gen_context(system_u:object_r:ctdbd_log_t,s0)
-+/var/log/ctdb\.log.* -- gen_context(system_u:object_r:ctdbd_log_t,s0)
-+
-+/var/spool/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_spool_t,s0)
-+
-+/var/run/ctdbd(/.*)? gen_context(system_u:object_r:ctdbd_var_run_t,s0)
-+
-+
-+/var/ctdbd(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0)
-+/var/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0)
-+/var/lib/ctdbd(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0)
-+
-diff --git a/ctdbd.if b/ctdbd.if
-new file mode 100644
-index 0000000..4f7d237
---- /dev/null
-+++ b/ctdbd.if
-@@ -0,0 +1,259 @@
-+
-+## <summary>policy for ctdbd</summary>
-+
-+########################################
-+## <summary>
-+## Transition to ctdbd.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed to transition.
-+## </summary>
-+## </param>
-+#
-+interface(`ctdbd_domtrans',`
-+ gen_require(`
-+ type ctdbd_t, ctdbd_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, ctdbd_exec_t, ctdbd_t)
-+')
-+
-+########################################
-+## <summary>
-+## Execute ctdbd server in the ctdbd domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`ctdbd_initrc_domtrans',`
-+ gen_require(`
-+ type ctdbd_initrc_exec_t;
-+ ')
-+
-+ init_labeled_script_domtrans($1, ctdbd_initrc_exec_t)
-+')
-+
-+########################################
-+## <summary>
-+## Read ctdbd's log files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`ctdbd_read_log',`
-+ gen_require(`
-+ type ctdbd_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ read_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
-+')
-+
-+########################################
-+## <summary>
-+## Append to ctdbd log files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed to transition.
-+## </summary>
-+## </param>
-+#
-+interface(`ctdbd_append_log',`
-+ gen_require(`
-+ type ctdbd_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ append_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
-+')
-+
-+########################################
-+## <summary>
-+## Manage ctdbd log files
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
-+interface(`ctdbd_manage_log',`
-+ gen_require(`
-+ type ctdbd_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ manage_dirs_pattern($1, ctdbd_log_t, ctdbd_log_t)
-+ manage_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
-+ manage_lnk_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
-+')
-+
-+########################################
-+## <summary>
-+## Search ctdbd lib directories.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`ctdbd_search_lib',`
-+ gen_require(`
-+ type ctdbd_var_lib_t;
-+ ')
-+
-+ allow $1 ctdbd_var_lib_t:dir search_dir_perms;
-+ files_search_var_lib($1)
-+')
-+
-+########################################
-+## <summary>
-+## Read ctdbd lib files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`ctdbd_read_lib_files',`
-+ gen_require(`
-+ type ctdbd_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)
-+')
-+
-+########################################
-+## <summary>
-+## Manage ctdbd lib files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`ctdbd_manage_lib_files',`
-+ gen_require(`
-+ type ctdbd_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)
-+')
-+
-+########################################
-+## <summary>
-+## Manage ctdbd lib directories.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`ctdbd_manage_lib_dirs',`
-+ gen_require(`
-+ type ctdbd_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_dirs_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)
-+')
-+
-+########################################
-+## <summary>
-+## Read ctdbd PID files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`ctdbd_read_pid_files',`
-+ gen_require(`
-+ type ctdbd_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ allow $1 ctdbd_var_run_t:file read_file_perms;
-+')
-+
-+#######################################
-+## <summary>
-+## Connect to ctdbd over a unix stream socket.
-+## </summary>
-+## <param name="domain">
+ #######################################
+ ## <summary>
+-## Connect to courier-authdaemon over
+-## a unix stream socket.
++## Connect to courier-authdaemon over a unix stream socket.
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+## <summary>
+## Domain allowed access.
+## </summary>
-+## </param>
-+#
-+interface(`ctdbd_stream_connect',`
+ ## </param>
+ #
+ interface(`courier_stream_connect_authdaemon',`
+- gen_require(`
+- type courier_authdaemon_t, courier_spool_t;
+- ')
+ gen_require(`
-+ type ctdbd_t, ctdbd_var_run_t, ctdbd_tmp_t;
++ type courier_authdaemon_t, courier_spool_t;
+ ')
-+
-+ files_search_pids($1)
-+ stream_connect_pattern($1, ctdbd_var_run_t, ctdbd_var_run_t, ctdbd_t)
-+ stream_connect_pattern($1, ctdbd_tmp_t, ctdbd_tmp_t, ctdbd_t)
-+')
-+
-+########################################
-+## <summary>
-+## All of the rules required to administrate
-+## an ctdbd environment
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <param name="role">
-+## <summary>
-+## Role allowed access.
-+## </summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`ctdbd_admin',`
-+ gen_require(`
-+ type ctdbd_t, ctdbd_initrc_exec_t;
-+ type ctdbd_log_t, ctdbd_var_lib_t, ctdbd_var_run_t;
-+ ')
-+
-+ allow $1 ctdbd_t:process signal_perms;
-+ ps_process_pattern($1, ctdbd_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 ctdbd_t:process ptrace;
-+ ')
-+
-+ ctdbd_initrc_domtrans($1)
-+ domain_system_change_exemption($1)
-+ role_transition $2 ctdbd_initrc_exec_t system_r;
-+ allow $2 system_r;
-+
-+ logging_search_logs($1)
-+ admin_pattern($1, ctdbd_log_t)
-+
-+ files_search_var_lib($1)
-+ admin_pattern($1, ctdbd_var_lib_t)
-+
-+ files_search_pids($1)
-+ admin_pattern($1, ctdbd_var_run_t)
-+')
-+
-diff --git a/ctdbd.te b/ctdbd.te
-new file mode 100644
-index 0000000..33656de
---- /dev/null
-+++ b/ctdbd.te
-@@ -0,0 +1,114 @@
-+policy_module(ctdbd, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type ctdbd_t;
-+type ctdbd_exec_t;
-+init_daemon_domain(ctdbd_t, ctdbd_exec_t)
-+
-+type ctdbd_initrc_exec_t;
-+init_script_file(ctdbd_initrc_exec_t)
-+
-+type ctdbd_log_t;
-+logging_log_file(ctdbd_log_t)
-+
-+type ctdbd_spool_t;
-+files_type(ctdbd_spool_t)
-+#files_spool_file(ctdbd_spool_t)
-+
-+type ctdbd_tmp_t;
-+files_tmp_file(ctdbd_tmp_t)
-+
-+type ctdbd_var_lib_t;
-+files_type(ctdbd_var_lib_t)
-+
-+type ctdbd_var_run_t;
-+files_pid_file(ctdbd_var_run_t)
-+
-+########################################
-+#
-+# ctdbd local policy
-+#
-+
-+allow ctdbd_t self:capability { chown ipc_lock net_admin net_raw sys_nice };
-+allow ctdbd_t self:process { setpgid signal_perms setsched };
-+
-+allow ctdbd_t self:fifo_file rw_fifo_file_perms;
-+allow ctdbd_t self:unix_stream_socket { connectto create_stream_socket_perms };
-+allow ctdbd_t self:netlink_route_socket r_netlink_socket_perms;
-+allow ctdbd_t self:packet_socket create_socket_perms;
-+allow ctdbd_t self:tcp_socket create_stream_socket_perms;
-+
-+manage_dirs_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t)
-+manage_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t)
-+logging_log_filetrans(ctdbd_t, ctdbd_log_t, { dir file } )
-+
-+manage_files_pattern(ctdbd_t, ctdbd_tmp_t, ctdbd_tmp_t)
-+manage_sock_files_pattern(ctdbd_t, ctdbd_tmp_t, ctdbd_tmp_t)
-+files_tmp_filetrans(ctdbd_t, ctdbd_tmp_t, { file sock_file})
-+
-+manage_dirs_pattern(ctdbd_t, ctdbd_spool_t, ctdbd_spool_t)
-+manage_files_pattern(ctdbd_t, ctdbd_spool_t, ctdbd_spool_t)
-+manage_lnk_files_pattern(ctdbd_t, ctdbd_spool_t, ctdbd_spool_t)
-+files_spool_filetrans(ctdbd_t, ctdbd_spool_t, { dir file })
-+
-+exec_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
-+manage_dirs_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
-+manage_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
-+files_var_lib_filetrans(ctdbd_t, ctdbd_var_lib_t, { dir file } )
-+
-+manage_dirs_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t)
-+manage_files_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t)
-+files_pid_filetrans(ctdbd_t, ctdbd_var_run_t, { dir file })
-+
-+kernel_read_network_state(ctdbd_t)
-+kernel_rw_net_sysctls(ctdbd_t)
-+kernel_read_system_state(ctdbd_t)
-+
-+corenet_tcp_bind_generic_node(ctdbd_t)
-+corenet_tcp_bind_ctdb_port(ctdbd_t)
-+corenet_tcp_connect_ctdb_port(ctdbd_t)
-+
-+corecmd_exec_bin(ctdbd_t)
-+corecmd_exec_shell(ctdbd_t)
-+
-+dev_read_sysfs(ctdbd_t)
-+dev_read_urand(ctdbd_t)
-+
-+domain_use_interactive_fds(ctdbd_t)
-+domain_dontaudit_read_all_domains_state(ctdbd_t)
-+
-+files_read_etc_files(ctdbd_t)
-+files_search_all_mountpoints(ctdbd_t)
-+
-+auth_use_nsswitch(ctdbd_t)
-+
-+logging_send_syslog_msg(ctdbd_t)
-+
-+miscfiles_read_public_files(ctdbd_t)
-+
-+optional_policy(`
-+ consoletype_exec(ctdbd_t)
-+')
-+
-+optional_policy(`
-+ hostname_exec(ctdbd_t)
-+')
-+
-+optional_policy(`
-+ iptables_domtrans(ctdbd_t)
-+')
-+
-+optional_policy(`
-+ samba_initrc_domtrans(ctdbd_t)
-+ samba_domtrans_net(ctdbd_t)
-+ samba_rw_var_files(ctdbd_t)
-+ samba_systemctl(ctdbd_t)
-+')
-+
-+optional_policy(`
-+ sysnet_domtrans_ifconfig(ctdbd_t)
-+')
-diff --git a/cups.fc b/cups.fc
-index 848bb92..600efa5 100644
---- a/cups.fc
-+++ b/cups.fc
-@@ -19,7 +19,10 @@
-
- /etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-+/usr/lib/systemd/system/cups.* -- gen_context(system_u:object_r:cupsd_unit_file_t,s0)
-+
- /lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-+/usr/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-
- /opt/gutenprint/ppds(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+ files_search_spool($1)
+- stream_connect_pattern($1, courier_spool_t, courier_spool_t, courier_authdaemon_t)
++ stream_connect_pattern($1, courier_spool_t, courier_spool_t, courier_authdaemon_t)
+ ')
-@@ -52,18 +55,32 @@
+ ########################################
+ ## <summary>
+-## Execute the courier POP3 and IMAP
+-## server with a domain transition.
++## Execute the courier POP3 and IMAP server with
++## a domain transition.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -88,13 +95,12 @@ interface(`courier_domtrans_pop',`
+ type courier_pop_t, courier_pop_exec_t;
+ ')
- /var/lib/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
- /var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-+/usr/lib/bjlib(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh)
+- corecmd_search_bin($1)
+ domtrans_pattern($1, courier_pop_exec_t, courier_pop_t)
+ ')
- /var/lib/hp(/.*)? gen_context(system_u:object_r:hplip_var_lib_t,s0)
-+/var/lib/iscan(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+ ########################################
+ ## <summary>
+-## Read courier config files.
++## Read courier config files
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -127,7 +133,7 @@ interface(`courier_manage_spool_dirs',`
+ type courier_spool_t;
+ ')
- /var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
- /var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0)
+- files_search_var($1)
++ files_search_spool($1)
+ manage_dirs_pattern($1, courier_spool_t, courier_spool_t)
+ ')
-+/var/log/hp(/.*)? gen_context(system_u:object_r:hplip_var_log_t,s0)
-+
- /var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
- /var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
--/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
-+/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,mls_systemhigh)
- /var/run/hp.*\.pid -- gen_context(system_u:object_r:hplip_var_run_t,s0)
- /var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0)
- /var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
- /var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
- /var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0)
- /var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
-+
-+/usr/Brother/fax/.*\.log.* gen_context(system_u:object_r:cupsd_log_t,s0)
-+/usr/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-+/etc/opt/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-+/usr/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-+
-+/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-+
-+/etc/opt/brother/Printers/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-+/opt/brother/Printers(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-diff --git a/cups.if b/cups.if
-index 305ddf4..f3cd95f 100644
---- a/cups.if
-+++ b/cups.if
-@@ -9,6 +9,11 @@
+@@ -136,7 +142,7 @@ interface(`courier_manage_spool_dirs',`
+ ## Create, read, write, and delete courier
+ ## spool files.
+ ## </summary>
+-## <param name="domain">
++## <param name="domains">
+ ## <summary>
## Domain allowed access.
## </summary>
- ## </param>
-+## <param name="entry_file">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
- #
- interface(`cups_backend',`
- gen_require(`
-@@ -190,10 +195,12 @@ interface(`cups_dbus_chat_config',`
- interface(`cups_read_config',`
- gen_require(`
- type cupsd_etc_t, cupsd_rw_etc_t;
-+ type hplip_etc_t;
+@@ -147,7 +153,7 @@ interface(`courier_manage_spool_files',`
+ type courier_spool_t;
')
- files_search_etc($1)
- read_files_pattern($1, cupsd_etc_t, cupsd_etc_t)
-+ read_files_pattern($1, hplip_etc_t, hplip_etc_t)
- read_files_pattern($1, cupsd_etc_t, cupsd_rw_etc_t)
+- files_search_var($1)
++ files_search_spool($1)
+ manage_files_pattern($1, courier_spool_t, courier_spool_t)
')
-@@ -296,6 +303,29 @@ interface(`cups_stream_connect_ptal',`
+@@ -166,13 +172,13 @@ interface(`courier_read_spool',`
+ type courier_spool_t;
+ ')
+
+- files_search_var($1)
++ files_search_spool($1)
+ read_files_pattern($1, courier_spool_t, courier_spool_t)
+ ')
########################################
## <summary>
-+## Execute cupsd server in the cupsd domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed to transition.
-+## </summary>
-+## </param>
-+#
-+interface(`cupsd_systemctl',`
-+ gen_require(`
-+ type cupsd_t;
-+ type cupsd_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 cupsd_unit_file_t:file read_file_perms;
-+ allow $1 cupsd_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, cupsd_t)
-+')
-+
-+########################################
-+## <summary>
- ## All of the rules required to administrate
- ## an cups environment
+-## Read and write courier spool pipes.
++## Read and write to courier spool pipes.
## </summary>
-@@ -314,16 +344,20 @@ interface(`cups_stream_connect_ptal',`
- interface(`cups_admin',`
- gen_require(`
- type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t;
-- type cupsd_etc_t, cupsd_log_t, cupsd_spool_t;
-- type cupsd_config_var_run_t, cupsd_lpd_var_run_t;
-- type cupsd_var_run_t, ptal_etc_t;
-- type ptal_var_run_t, hplip_var_run_t;
-- type cupsd_initrc_exec_t;
-+ type cupsd_etc_t, cupsd_log_t, hplip_etc_t;
-+ type cupsd_config_var_run_t, cupsd_lpd_var_run_t, cupsd_initrc_exec_t;
-+ type cupsd_var_run_t, ptal_etc_t, hplip_var_run_t;
-+ type ptal_var_run_t;
-+ type cupsd_unit_file_t;
+ ## <param name="domain">
+ ## <summary>
+@@ -185,6 +191,5 @@ interface(`courier_rw_spool_pipes',`
+ type courier_spool_t;
')
-- allow $1 cupsd_t:process { ptrace signal_perms };
-+ allow $1 cupsd_t:process signal_perms;
- ps_process_pattern($1, cupsd_t)
-
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 cupsd_t:process ptrace;
-+ ')
-+
- init_labeled_script_domtrans($1, cupsd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 cupsd_initrc_exec_t system_r;
-@@ -341,18 +375,53 @@ interface(`cups_admin',`
-
- admin_pattern($1, cupsd_lpd_var_run_t)
+- files_search_var($1)
+ allow $1 courier_spool_t:fifo_file rw_fifo_file_perms;
+ ')
+diff --git a/courier.te b/courier.te
+index 77bb077..76b93d2 100644
+--- a/courier.te
++++ b/courier.te
+@@ -18,7 +18,7 @@ type courier_etc_t;
+ files_config_file(courier_etc_t)
-- admin_pattern($1, cupsd_spool_t)
-- files_list_spool($1)
--
- admin_pattern($1, cupsd_tmp_t)
- files_list_tmp($1)
+ type courier_spool_t;
+-files_type(courier_spool_t)
++files_spool_file(courier_spool_t)
- admin_pattern($1, cupsd_var_run_t)
- files_list_pids($1)
+ type courier_var_lib_t;
+ files_type(courier_var_lib_t)
+@@ -51,7 +51,6 @@ manage_sock_files_pattern(courier_domain, courier_var_run_t, courier_var_run_t)
+ files_pid_filetrans(courier_domain, courier_var_run_t, dir)
-+ admin_pattern($1, hplip_etc_t)
-+
- admin_pattern($1, hplip_var_run_t)
+ kernel_read_kernel_sysctls(courier_domain)
+-kernel_read_system_state(courier_domain)
- admin_pattern($1, ptal_etc_t)
+ corecmd_exec_bin(courier_domain)
- admin_pattern($1, ptal_var_run_t)
-+
-+ cupsd_systemctl($1)
-+ admin_pattern($1, cupsd_unit_file_t)
-+ allow $1 cupsd_unit_file_t:service all_service_perms;
-+')
-+
-+########################################
-+## <summary>
-+## Transition to cups named content
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`cups_filetrans_named_content',`
-+ gen_require(`
-+ type cupsd_rw_etc_t;
-+ type cupsd_etc_t;
-+ ')
-+
-+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "classes.conf")
-+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "printers.conf")
-+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "printers.conf.O")
-+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "cupsd.conf")
-+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "cupsd.conf.default")
-+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "lpoptions")
-+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "subscriptions.conf")
-+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "subscriptions.conf.O")
-+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "subscriptions.conf.N")
-+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "ppds.dat")
-+ files_etc_filetrans($1, cupsd_rw_etc_t, file, "ppds.dat")
-+ files_etc_filetrans($1, cupsd_rw_etc_t, dir, "inf")
-+ files_usr_filetrans($1, cupsd_rw_etc_t, dir, "inf")
-+ corecmd_bin_filetrans($1, cupsd_rw_etc_t, dir, "inf")
- ')
-diff --git a/cups.te b/cups.te
-index e5a8924..e12c890 100644
---- a/cups.te
-+++ b/cups.te
-@@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t)
- type cupsd_t;
- type cupsd_exec_t;
- init_daemon_domain(cupsd_t, cupsd_exec_t)
-+mls_trusted_object(cupsd_t)
-
- type cupsd_etc_t;
- files_config_file(cupsd_etc_t)
-@@ -60,6 +61,9 @@ type cupsd_var_run_t;
- files_pid_file(cupsd_var_run_t)
- mls_trusted_object(cupsd_var_run_t)
+@@ -59,15 +58,11 @@ dev_read_sysfs(courier_domain)
-+type cupsd_unit_file_t;
-+systemd_unit_file(cupsd_unit_file_t)
-+
- type hplip_t;
- type hplip_exec_t;
- init_daemon_domain(hplip_t, hplip_exec_t)
-@@ -75,6 +79,9 @@ files_tmp_file(hplip_tmp_t)
- type hplip_var_lib_t;
- files_type(hplip_var_lib_t)
+ domain_use_interactive_fds(courier_domain)
-+type hplip_var_log_t;
-+logging_log_file(hplip_var_log_t)
-+
- type hplip_var_run_t;
- files_pid_file(hplip_var_run_t)
+-files_read_etc_files(courier_domain)
+ files_read_etc_runtime_files(courier_domain)
+-files_read_usr_files(courier_domain)
-@@ -104,6 +111,7 @@ ifdef(`enable_mls',`
- # /usr/lib/cups/backend/serial needs sys_admin(?!)
- allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_rawio sys_resource sys_tty_config };
- dontaudit cupsd_t self:capability { sys_tty_config net_admin };
-+allow cupsd_t self:capability2 { block_suspend };
- allow cupsd_t self:process { getpgid setpgid setsched signal_perms };
- allow cupsd_t self:fifo_file rw_fifo_file_perms;
- allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto };
-@@ -123,6 +131,7 @@ read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
- files_search_etc(cupsd_t)
+ fs_getattr_xattr_fs(courier_domain)
+ fs_search_auto_mountpoints(courier_domain)
- manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t)
-+can_exec(cupsd_t, cupsd_interface_t)
+-logging_send_syslog_msg(courier_domain)
+-
+ sysnet_read_config(courier_domain)
- manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
- manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
-@@ -137,6 +146,7 @@ allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms;
- allow cupsd_t cupsd_lock_t:file manage_file_perms;
- files_lock_filetrans(cupsd_t, cupsd_lock_t, file)
-
-+manage_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
- manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
- allow cupsd_t cupsd_log_t:dir setattr;
- logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir })
-@@ -146,11 +156,12 @@ manage_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
- manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
- files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file })
+ userdom_dontaudit_use_unpriv_user_fds(courier_domain)
+@@ -112,7 +107,6 @@ auth_domtrans_chk_passwd(courier_authdaemon_t)
--allow cupsd_t cupsd_var_run_t:dir setattr;
-+allow cupsd_t cupsd_var_run_t:dir setattr_dir_perms;
-+manage_dirs_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
- manage_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
- manage_sock_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
- manage_fifo_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
--files_pid_filetrans(cupsd_t, cupsd_var_run_t, { file fifo_file })
-+files_pid_filetrans(cupsd_t, cupsd_var_run_t, { dir file fifo_file })
+ libs_read_lib_files(courier_authdaemon_t)
- allow cupsd_t hplip_t:process { signal sigkill };
+-miscfiles_read_localization(courier_authdaemon_t)
-@@ -159,14 +170,13 @@ read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
- allow cupsd_t hplip_var_run_t:file read_file_perms;
+ userdom_dontaudit_search_user_home_dirs(courier_authdaemon_t)
- stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
--allow cupsd_t ptal_var_run_t : sock_file setattr;
-+allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
+@@ -135,7 +129,7 @@ allow courier_pop_t courier_authdaemon_t:process sigchld;
- kernel_read_system_state(cupsd_t)
- kernel_read_network_state(cupsd_t)
- kernel_read_all_sysctls(cupsd_t)
- kernel_request_load_module(cupsd_t)
+ allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
--corenet_all_recvfrom_unlabeled(cupsd_t)
- corenet_all_recvfrom_netlabel(cupsd_t)
- corenet_tcp_sendrecv_generic_if(cupsd_t)
- corenet_udp_sendrecv_generic_if(cupsd_t)
-@@ -211,6 +221,7 @@ mls_rangetrans_target(cupsd_t)
- mls_socket_write_all_levels(cupsd_t)
- mls_fd_use_all_levels(cupsd_t)
+-allow courier_pop_t courier_var_lib_t:file { read write };
++allow courier_pop_t courier_var_lib_t:file rw_inherited_file_perms;
-+term_use_usb_ttys(cupsd_t)
- term_use_unallocated_ttys(cupsd_t)
- term_search_ptys(cupsd_t)
+ domtrans_pattern(courier_pop_t, courier_authdaemon_exec_t, courier_authdaemon_t)
-@@ -220,11 +231,12 @@ corecmd_exec_bin(cupsd_t)
+@@ -172,7 +166,6 @@ corenet_tcp_sendrecv_pop_port(courier_tcpd_t)
+ dev_read_rand(courier_tcpd_t)
+ dev_read_urand(courier_tcpd_t)
- domain_use_interactive_fds(cupsd_t)
+-miscfiles_read_localization(courier_tcpd_t)
-+files_getattr_boot_dirs(cupsd_t)
- files_list_spool(cupsd_t)
--files_read_etc_files(cupsd_t)
- files_read_etc_runtime_files(cupsd_t)
- # read python modules
- files_read_usr_files(cupsd_t)
-+files_exec_usr_files(cupsd_t)
- # for /var/lib/defoma
- files_read_var_lib_files(cupsd_t)
- files_list_world_readable(cupsd_t)
-@@ -258,7 +270,6 @@ libs_exec_lib_files(cupsd_t)
- logging_send_audit_msgs(cupsd_t)
- logging_send_syslog_msg(cupsd_t)
+ ########################################
+ #
+diff --git a/cpucontrol.te b/cpucontrol.te
+index 2f1aad6..155a337 100644
+--- a/cpucontrol.te
++++ b/cpucontrol.te
+@@ -42,8 +42,6 @@ term_dontaudit_use_console(cpucontrol_domain)
+ init_use_fds(cpucontrol_domain)
+ init_use_script_ptys(cpucontrol_domain)
--miscfiles_read_localization(cupsd_t)
- # invoking ghostscript needs to read fonts
- miscfiles_read_fonts(cupsd_t)
- miscfiles_setattr_fonts_cache_dirs(cupsd_t)
-@@ -269,12 +280,7 @@ sysnet_exec_ifconfig(cupsd_t)
- files_dontaudit_list_home(cupsd_t)
- userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
- userdom_dontaudit_search_user_home_content(cupsd_t)
+-logging_send_syslog_msg(cpucontrol_domain)
-
--# Write to /var/spool/cups.
--lpd_manage_spool(cupsd_t)
--lpd_read_config(cupsd_t)
--lpd_exec_lpr(cupsd_t)
--lpd_relabel_spool(cupsd_t)
-+userdom_search_admin_dir(cupsd_t)
+ userdom_dontaudit_use_unpriv_user_fds(cpucontrol_domain)
optional_policy(`
- apm_domtrans_client(cupsd_t)
-@@ -287,6 +293,8 @@ optional_policy(`
- optional_policy(`
- dbus_system_bus_client(cupsd_t)
-
-+ init_dbus_chat(cupsd_t)
-+
- userdom_dbus_send_all_users(cupsd_t)
-
- optional_policy(`
-@@ -297,8 +305,10 @@ optional_policy(`
- hal_dbus_chat(cupsd_t)
- ')
+@@ -69,12 +67,13 @@ allow cpucontrol_t cpucontrol_conf_t:dir list_dir_perms;
+ read_files_pattern(cpucontrol_t, cpucontrol_conf_t, cpucontrol_conf_t)
+ read_lnk_files_pattern(cpucontrol_t, cpucontrol_conf_t, cpucontrol_conf_t)
-+ # talk to processes that do not have policy
- optional_policy(`
- unconfined_dbus_chat(cupsd_t)
-+ files_write_generic_pid_pipes(cupsd_t)
- ')
- ')
+-kernel_list_proc(cpucontrol_t)
+ kernel_read_proc_symlinks(cpucontrol_t)
-@@ -311,10 +321,23 @@ optional_policy(`
- ')
+ dev_read_sysfs(cpucontrol_t)
+ dev_rw_cpu_microcode(cpucontrol_t)
- optional_policy(`
-+ kerberos_tmp_filetrans_host_rcache(cupsd_t, "host_0")
-+ kerberos_manage_host_rcache(cupsd_t)
-+')
++logging_send_syslog_msg(cpucontrol_t)
+
-+optional_policy(`
- logrotate_domtrans(cupsd_t)
- ')
-
optional_policy(`
-+ # Write to /var/spool/cups.
-+ lpd_manage_spool(cupsd_t)
-+ lpd_read_config(cupsd_t)
-+ lpd_exec_lpr(cupsd_t)
-+ lpd_relabel_spool(cupsd_t)
-+')
-+
-+optional_policy(`
- mta_send_mail(cupsd_t)
+ rhgb_use_ptys(cpucontrol_t)
')
+@@ -98,7 +97,6 @@ dev_rw_sysfs(cpuspeed_t)
-@@ -322,6 +345,8 @@ optional_policy(`
- # cups execs smbtool which reads samba_etc_t files
- samba_read_config(cupsd_t)
- samba_rw_var_files(cupsd_t)
-+ # needed by smbspool
-+ samba_stream_connect_nmbd(cupsd_t)
- ')
+ domain_read_all_domains_state(cpuspeed_t)
- optional_policy(`
-@@ -336,12 +361,16 @@ optional_policy(`
- udev_read_db(cupsd_t)
- ')
+-files_read_etc_files(cpuspeed_t)
+ files_read_etc_runtime_files(cpuspeed_t)
-+optional_policy(`
-+ virt_rw_chr_files(cupsd_t)
-+')
-+
- ########################################
- #
- # Cups configuration daemon local policy
+-miscfiles_read_localization(cpuspeed_t)
++logging_send_syslog_msg(cpuspeed_t)
+diff --git a/cpufreqselector.te b/cpufreqselector.te
+index a3bbc21..5bf715c 100644
+--- a/cpufreqselector.te
++++ b/cpufreqselector.te
+@@ -14,24 +14,21 @@ init_daemon_domain(cpufreqselector_t, cpufreqselector_exec_t)
+ # Local policy
#
--allow cupsd_config_t self:capability { chown dac_override sys_tty_config };
-+allow cupsd_config_t self:capability { chown dac_override setuid setgid sys_tty_config };
- dontaudit cupsd_config_t self:capability sys_tty_config;
- allow cupsd_config_t self:process { getsched signal_perms };
- allow cupsd_config_t self:fifo_file rw_fifo_file_perms;
-@@ -371,8 +400,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
-
- allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
-
-+manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
- manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
--files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, file)
-+files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file })
-
- domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
-
-@@ -381,7 +411,6 @@ read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t)
- kernel_read_system_state(cupsd_config_t)
- kernel_read_all_sysctls(cupsd_config_t)
-
--corenet_all_recvfrom_unlabeled(cupsd_config_t)
- corenet_all_recvfrom_netlabel(cupsd_config_t)
- corenet_tcp_sendrecv_generic_if(cupsd_config_t)
- corenet_tcp_sendrecv_generic_node(cupsd_config_t)
-@@ -407,7 +436,6 @@ domain_use_interactive_fds(cupsd_config_t)
- domain_dontaudit_search_all_domains_state(cupsd_config_t)
-
- files_read_usr_files(cupsd_config_t)
--files_read_etc_files(cupsd_config_t)
- files_read_etc_runtime_files(cupsd_config_t)
- files_read_var_symlinks(cupsd_config_t)
-
-@@ -418,18 +446,15 @@ auth_use_nsswitch(cupsd_config_t)
+-allow cpufreqselector_t self:capability { sys_nice sys_ptrace };
++allow cpufreqselector_t self:capability sys_nice;
+ allow cpufreqselector_t self:process getsched;
+ allow cpufreqselector_t self:fifo_file rw_fifo_file_perms;
++allow cpufreqselector_t self:process getsched;
- logging_send_syslog_msg(cupsd_config_t)
+ kernel_read_system_state(cpufreqselector_t)
--miscfiles_read_localization(cupsd_config_t)
- miscfiles_read_hwdata(cupsd_config_t)
+-files_read_etc_files(cpufreqselector_t)
+-files_read_usr_files(cpufreqselector_t)
+-
+ dev_rw_sysfs(cpufreqselector_t)
--seutil_dontaudit_search_config(cupsd_config_t)
+-miscfiles_read_localization(cpufreqselector_t)
-
- userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
- userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
-+userdom_rw_user_tmp_files(cupsd_config_t)
-+userdom_read_user_tmp_symlinks(cupsd_config_t)
+ userdom_read_all_users_state(cpufreqselector_t)
+-userdom_dontaudit_search_user_home_dirs(cpufreqselector_t)
++userdom_dontaudit_search_admin_dir(cpufreqselector_t)
- cups_stream_connect(cupsd_config_t)
+ optional_policy(`
+ dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t)
++ init_daemon_domain(cpufreqselector_t, cpufreqselector_exec_t)
--lpd_read_config(cupsd_config_t)
--
- ifdef(`distro_redhat',`
optional_policy(`
- rpm_read_db(cupsd_config_t)
-@@ -453,6 +478,10 @@ optional_policy(`
+ consolekit_dbus_chat(cpufreqselector_t)
+@@ -51,3 +48,7 @@ optional_policy(`
+ policykit_read_lib(cpufreqselector_t)
+ policykit_read_reload(cpufreqselector_t)
')
-
- optional_policy(`
-+ gnome_dontaudit_search_config(cupsd_config_t)
-+')
+
+optional_policy(`
- hal_domtrans(cupsd_config_t)
- hal_read_tmp_files(cupsd_config_t)
- hal_dontaudit_use_fds(hplip_t)
-@@ -467,6 +496,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ lpd_read_config(cupsd_config_t)
++ xserver_dbus_chat_xdm(cpufreqselector_t)
+')
-+
-+optional_policy(`
- policykit_dbus_chat(cupsd_config_t)
- userdom_read_all_users_state(cupsd_config_t)
- ')
-@@ -526,7 +559,6 @@ kernel_read_kernel_sysctls(cupsd_lpd_t)
- kernel_read_system_state(cupsd_lpd_t)
- kernel_read_network_state(cupsd_lpd_t)
-
--corenet_all_recvfrom_unlabeled(cupsd_lpd_t)
- corenet_all_recvfrom_netlabel(cupsd_lpd_t)
- corenet_tcp_sendrecv_generic_if(cupsd_lpd_t)
- corenet_udp_sendrecv_generic_if(cupsd_lpd_t)
-@@ -537,19 +569,18 @@ corenet_udp_sendrecv_all_ports(cupsd_lpd_t)
- corenet_tcp_bind_generic_node(cupsd_lpd_t)
- corenet_udp_bind_generic_node(cupsd_lpd_t)
- corenet_tcp_connect_ipp_port(cupsd_lpd_t)
-+corenet_tcp_connect_printer_port(cupsd_lpd_t)
-
- dev_read_urand(cupsd_lpd_t)
- dev_read_rand(cupsd_lpd_t)
-
- fs_getattr_xattr_fs(cupsd_lpd_t)
-
--files_read_etc_files(cupsd_lpd_t)
-
- auth_use_nsswitch(cupsd_lpd_t)
+diff --git a/cron.fc b/cron.fc
+index 6e76215..224142a 100644
+--- a/cron.fc
++++ b/cron.fc
+@@ -3,6 +3,9 @@
+ /etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
+ /etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
- logging_send_syslog_msg(cupsd_lpd_t)
++/usr/lib/systemd/system/atd.* -- gen_context(system_u:object_r:crond_unit_file_t,s0)
++/usr/lib/systemd/system/crond.* -- gen_context(system_u:object_r:crond_unit_file_t,s0)
++
+ /usr/bin/at -- gen_context(system_u:object_r:crontab_exec_t,s0)
+ /usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0)
--miscfiles_read_localization(cupsd_lpd_t)
- miscfiles_setattr_fonts_cache_dirs(cupsd_lpd_t)
+@@ -12,9 +15,6 @@
+ /usr/sbin/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
+ /usr/sbin/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0)
- cups_stream_connect(cupsd_lpd_t)
-@@ -577,7 +608,6 @@ fs_rw_anon_inodefs_files(cups_pdf_t)
+-/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0)
+-
+-/var/log/cron.* gen_context(system_u:object_r:cron_log_t,s0)
+ /var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0)
- kernel_read_system_state(cups_pdf_t)
+ /var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+@@ -27,13 +27,23 @@
--files_read_etc_files(cups_pdf_t)
- files_read_usr_files(cups_pdf_t)
+ /var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
+ /var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0)
+-/var/spool/at/atspool(/.*)? gen_context(system_u:object_r:user_cron_spool_log_t,s0)
- corecmd_exec_shell(cups_pdf_t)
-@@ -585,25 +615,23 @@ corecmd_exec_bin(cups_pdf_t)
+-/var/spool/cron -d gen_context(system_u:object_r:cron_spool_t,s0)
++/var/spool/cron -d gen_context(system_u:object_r:user_cron_spool_t,s0)
+ #/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
+ /var/spool/cron/[^/]* -- <<none>>
- auth_use_nsswitch(cups_pdf_t)
+-/var/spool/cron/crontabs -d gen_context(system_u:object_r:cron_spool_t,s0)
++ifdef(`distro_gentoo',`
++/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
++/var/spool/cron/lastrun/[^/]* -- <<none>>
++')
++
++ifdef(`distro_suse', `
++/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
++/var/spool/cron/lastrun/[^/]* -- <<none>>
++/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
++')
++
++/var/spool/cron/crontabs -d gen_context(system_u:object_r:cron_spool_t,s0)
+ /var/spool/cron/crontabs/.* -- <<none>>
+ #/var/spool/cron/crontabs/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
--miscfiles_read_localization(cups_pdf_t)
- miscfiles_read_fonts(cups_pdf_t)
-+miscfiles_setattr_fonts_cache_dirs(cups_pdf_t)
+@@ -43,19 +53,23 @@
+ /var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+ /var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
- userdom_home_filetrans_user_home_dir(cups_pdf_t)
-+userdom_user_home_dir_filetrans_pattern(cups_pdf_t, { file dir })
- userdom_manage_user_home_content_dirs(cups_pdf_t)
- userdom_manage_user_home_content_files(cups_pdf_t)
-+userdom_dontaudit_search_admin_dir(cups_pdf_t)
++/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0)
++
+ ifdef(`distro_debian',`
+-/var/spool/cron/atjobs -d gen_context(system_u:object_r:cron_spool_t,s0)
++/var/log/prelink.log.* -- gen_context(system_u:object_r:cron_log_t,s0)
++
++/var/spool/cron/atjobs -d gen_context(system_u:object_r:cron_spool_t,s0)
+ /var/spool/cron/atjobs/[^/]* -- <<none>>
+-/var/spool/cron/atspool -d gen_context(system_u:object_r:cron_spool_t,s0)
++/var/spool/cron/atspool -d gen_context(system_u:object_r:cron_spool_t,s0)
+ ')
--lpd_manage_spool(cups_pdf_t)
--
--
--tunable_policy(`use_nfs_home_dirs',`
-- fs_search_auto_mountpoints(cups_pdf_t)
-- fs_manage_nfs_dirs(cups_pdf_t)
-- fs_manage_nfs_files(cups_pdf_t)
-+optional_policy(`
-+ lpd_manage_spool(cups_pdf_t)
+ ifdef(`distro_gentoo',`
+-/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
++/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
+ /var/spool/cron/lastrun/[^/]* -- <<none>>
')
--tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_dirs(cups_pdf_t)
-- fs_manage_cifs_files(cups_pdf_t)
-+userdom_home_manager(cups_pdf_t)
-+
-+optional_policy(`
-+ gnome_read_config(cups_pdf_t)
+-ifdef(`distro_suse',`
+-/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
++ifdef(`distro_suse', `
++/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
+ /var/spool/cron/lastrun/[^/]* -- <<none>>
+-/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
++/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
')
+diff --git a/cron.if b/cron.if
+index 1303b30..058864e 100644
+--- a/cron.if
++++ b/cron.if
+@@ -2,11 +2,12 @@
- ########################################
-@@ -635,9 +663,16 @@ read_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
- read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
- files_search_etc(hplip_t)
+ #######################################
+ ## <summary>
+-## The template to define a crontab domain.
++## The common rules for a crontab domain.
+ ## </summary>
+-## <param name="domain_prefix">
++## <param name="userdomain_prefix">
+ ## <summary>
+-## Domain prefix to be used.
++## The prefix of the user domain (e.g., user
++## is the prefix for user_t).
+ ## </summary>
+ ## </param>
+ #
+@@ -36,22 +37,29 @@ template(`cron_common_crontab_template',`
+ manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
+ files_tmp_filetrans($1_t, $1_tmp_t, { dir file })
-+allow hplip_t cupsd_unit_file_t:file read_file_perms;
++ kernel_read_system_state($1_t)
+
- manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
- manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
-
-+manage_files_pattern(hplip_t, hplip_var_log_t,hplip_var_log_t)
-+manage_fifo_files_pattern(hplip_t, hplip_var_log_t,hplip_var_log_t)
-+manage_dirs_pattern(hplip_t, hplip_var_log_t,hplip_var_log_t)
-+logging_log_filetrans(hplip_t,hplip_var_log_t,{ dir fifo_file file })
+ auth_domtrans_chk_passwd($1_t)
+ auth_use_nsswitch($1_t)
+
- manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
- files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file )
-
-@@ -647,7 +682,9 @@ files_pid_filetrans(hplip_t, hplip_var_run_t, file)
- kernel_read_system_state(hplip_t)
- kernel_read_kernel_sysctls(hplip_t)
-
--corenet_all_recvfrom_unlabeled(hplip_t)
-+# for python
-+corecmd_exec_bin(hplip_t)
++ logging_send_syslog_msg($1_t)
+
- corenet_all_recvfrom_netlabel(hplip_t)
- corenet_tcp_sendrecv_generic_if(hplip_t)
- corenet_udp_sendrecv_generic_if(hplip_t)
-@@ -661,10 +698,10 @@ corenet_tcp_bind_generic_node(hplip_t)
- corenet_udp_bind_generic_node(hplip_t)
- corenet_tcp_bind_hplip_port(hplip_t)
- corenet_tcp_connect_hplip_port(hplip_t)
--corenet_tcp_connect_ipp_port(hplip_t)
--corenet_sendrecv_hplip_client_packets(hplip_t)
--corenet_receive_hplip_server_packets(hplip_t)
-+corenet_tcp_bind_glance_port(hplip_t)
-+corenet_tcp_connect_glance_port(hplip_t)
- corenet_udp_bind_howl_port(hplip_t)
-+corenet_tcp_connect_ipp_port(hplip_t)
++ userdom_home_reader($1_t)
++
+ ')
- dev_read_sysfs(hplip_t)
- dev_rw_printer(hplip_t)
-@@ -673,31 +710,34 @@ dev_read_rand(hplip_t)
- dev_rw_generic_usb_dev(hplip_t)
- dev_rw_usbfs(hplip_t)
+ ########################################
+ ## <summary>
+-## Role access for cron.
++## Role access for cron
+ ## </summary>
+ ## <param name="role">
+ ## <summary>
+-## Role allowed access.
++## Role allowed access
+ ## </summary>
+ ## </param>
+ ## <param name="domain">
+ ## <summary>
+-## User domain for the role.
++## User domain for the role
+ ## </summary>
+ ## </param>
+ ## <rolecap/>
+@@ -60,57 +68,37 @@ interface(`cron_role',`
+ gen_require(`
+ type cronjob_t, crontab_t, crontab_exec_t;
+ type user_cron_spool_t, crond_t;
+- bool cron_userdomain_transition;
+ ')
--fs_getattr_all_fs(hplip_t)
--fs_search_auto_mountpoints(hplip_t)
--fs_rw_anon_inodefs_files(hplip_t)
--
--# for python
--corecmd_exec_bin(hplip_t)
+- ##############################
+- #
+- # Declarations
+- #
-
- domain_use_interactive_fds(hplip_t)
+ role $1 types { cronjob_t crontab_t };
- files_read_etc_files(hplip_t)
- files_read_etc_runtime_files(hplip_t)
- files_read_usr_files(hplip_t)
-+files_dontaudit_write_usr_dirs(hplip_t)
+- ##############################
+- #
+- # Local policy
+- #
++ # cronjob shows up in user ps
++ ps_process_pattern($2, cronjob_t)
--logging_send_syslog_msg(hplip_t)
-+fs_getattr_all_fs(hplip_t)
-+fs_search_auto_mountpoints(hplip_t)
-+fs_rw_anon_inodefs_files(hplip_t)
++ # Transition from the user domain to the derived domain.
+ domtrans_pattern($2, crontab_exec_t, crontab_t)
--miscfiles_read_localization(hplip_t)
-+term_use_ptmx(hplip_t)
-+
-+auth_read_passwd(hplip_t)
-+
-+logging_send_syslog_msg(hplip_t)
++ allow crond_t $2:process transition;
+ dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
+ allow $2 crond_t:process sigchld;
- sysnet_read_config(hplip_t)
+- allow $2 user_cron_spool_t:file { getattr read write ioctl };
++ # needs to be authorized SELinux context for cron
++ allow $2 user_cron_spool_t:file { getattr read write ioctl entrypoint };
- userdom_dontaudit_use_unpriv_user_fds(hplip_t)
- userdom_dontaudit_search_user_home_dirs(hplip_t)
- userdom_dontaudit_search_user_home_content(hplip_t)
-+userdom_dbus_send_all_users(hplip_t)
+- allow $2 crontab_t:process { ptrace signal_perms };
++ # crontab shows up in user ps
+ ps_process_pattern($2, crontab_t)
++ allow $2 crontab_t:process signal_perms;
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $2 crontab_t:process ptrace;
++ ')
--lpd_read_config(hplip_t)
--lpd_manage_spool(hplip_t)
-+optional_policy(`
-+ lpd_read_config(hplip_t)
-+ lpd_manage_spool(hplip_t)
-+')
++ # Run helper programs as the user domain
++ #corecmd_bin_domtrans(crontab_t, $2)
++ #corecmd_shell_domtrans(crontab_t, $2)
+ corecmd_exec_bin(crontab_t)
+ corecmd_exec_shell(crontab_t)
- optional_policy(`
- dbus_system_bus_client(hplip_t)
-@@ -743,7 +783,6 @@ kernel_read_kernel_sysctls(ptal_t)
- kernel_list_proc(ptal_t)
- kernel_read_proc_symlinks(ptal_t)
+- tunable_policy(`cron_userdomain_transition',`
+- allow crond_t $2:process transition;
+- allow crond_t $2:fd use;
+- allow crond_t $2:key manage_key_perms;
+-
+- allow $2 user_cron_spool_t:file entrypoint;
+-
+- allow $2 crond_t:fifo_file rw_fifo_file_perms;
+-
+- allow $2 cronjob_t:process { ptrace signal_perms };
+- ps_process_pattern($2, cronjob_t)
+- ',`
+- dontaudit crond_t $2:process transition;
+- dontaudit crond_t $2:fd use;
+- dontaudit crond_t $2:key manage_key_perms;
+-
+- dontaudit $2 user_cron_spool_t:file entrypoint;
+-
+- dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
+-
+- dontaudit $2 cronjob_t:process { ptrace signal_perms };
+- ')
+-
+ optional_policy(`
+ gen_require(`
+ class dbus send_msg;
+@@ -119,78 +107,38 @@ interface(`cron_role',`
+ dbus_stub(cronjob_t)
--corenet_all_recvfrom_unlabeled(ptal_t)
- corenet_all_recvfrom_netlabel(ptal_t)
- corenet_tcp_sendrecv_generic_if(ptal_t)
- corenet_tcp_sendrecv_generic_node(ptal_t)
-@@ -760,13 +799,10 @@ fs_search_auto_mountpoints(ptal_t)
+ allow cronjob_t $2:dbus send_msg;
+- ')
++ ')
+ ')
- domain_use_interactive_fds(ptal_t)
+ ########################################
+ ## <summary>
+-## Role access for unconfined cron.
++## Role access for unconfined cronjobs
+ ## </summary>
+ ## <param name="role">
+ ## <summary>
+-## Role allowed access.
++## Role allowed access
+ ## </summary>
+ ## </param>
+ ## <param name="domain">
+ ## <summary>
+-## User domain for the role.
++## User domain for the role
+ ## </summary>
+ ## </param>
++## <rolecap/>
+ #
+ interface(`cron_unconfined_role',`
+ gen_require(`
+- type unconfined_cronjob_t, crontab_t, crontab_exec_t;
+- type crond_t, user_cron_spool_t;
+- bool cron_userdomain_transition;
++ type unconfined_cronjob_t;
+ ')
--files_read_etc_files(ptal_t)
- files_read_etc_runtime_files(ptal_t)
+- ##############################
+- #
+- # Declarations
+- #
+-
+- role $1 types { unconfined_cronjob_t crontab_t };
++ role $1 types unconfined_cronjob_t;
+
+- ##############################
+- #
+- # Local policy
+- #
+-
+- domtrans_pattern($2, crontab_exec_t, crontab_t)
+-
+- dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
+- allow $2 crond_t:process sigchld;
+-
+- allow $2 user_cron_spool_t:file { getattr read write ioctl };
+-
+- allow $2 crontab_t:process { ptrace signal_perms };
+- ps_process_pattern($2, crontab_t)
+-
+- corecmd_exec_bin(crontab_t)
+- corecmd_exec_shell(crontab_t)
+-
+- tunable_policy(`cron_userdomain_transition',`
+- allow crond_t $2:process transition;
+- allow crond_t $2:fd use;
+- allow crond_t $2:key manage_key_perms;
+-
+- allow $2 user_cron_spool_t:file entrypoint;
+-
+- allow $2 crond_t:fifo_file rw_fifo_file_perms;
+-
+- allow $2 unconfined_cronjob_t:process { ptrace signal_perms };
+- ps_process_pattern($2, unconfined_cronjob_t)
+- ',`
+- dontaudit crond_t $2:process transition;
+- dontaudit crond_t $2:fd use;
+- dontaudit crond_t $2:key manage_key_perms;
+-
+- dontaudit $2 user_cron_spool_t:file entrypoint;
+-
+- dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
+-
+- dontaudit $2 unconfined_cronjob_t:process { ptrace signal_perms };
+-')
++ # cronjob shows up in user ps
++ ps_process_pattern($2, unconfined_cronjob_t)
++ allow $2 unconfined_cronjob_t:process signal_perms;
++ tunable_policy(`deny_ptrace',`',`
++ allow $2 unconfined_cronjob_t:process ptrace;
++ ')
- logging_send_syslog_msg(ptal_t)
+ optional_policy(`
+ gen_require(`
+@@ -198,85 +146,65 @@ interface(`cron_unconfined_role',`
+ ')
--miscfiles_read_localization(ptal_t)
+ dbus_stub(unconfined_cronjob_t)
-
- sysnet_read_config(ptal_t)
-
- userdom_dontaudit_use_unpriv_user_fds(ptal_t)
-diff --git a/cvs.if b/cvs.if
-index c43ff4c..5da88b5 100644
---- a/cvs.if
-+++ b/cvs.if
-@@ -1,5 +1,23 @@
- ## <summary>Concurrent versions system</summary>
+ allow unconfined_cronjob_t $2:dbus send_msg;
+ ')
+ ')
-+######################################
-+## <summary>
-+## Dontaudit Attempts to list the CVS data and metadata.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
-+interface(`cvs_dontaudit_list_data',`
-+ gen_require(`
-+ type cvs_data_t;
-+ ')
-+
-+ dontaudit $1 cvs_data_t:dir list_dir_perms;
-+')
-+
########################################
## <summary>
- ## Read the CVS data and metadata.
-@@ -58,14 +76,17 @@ interface(`cvs_exec',`
+-## Role access for admin cron.
++## Role access for cron
+ ## </summary>
+ ## <param name="role">
+ ## <summary>
+-## Role allowed access.
++## Role allowed access
+ ## </summary>
+ ## </param>
+ ## <param name="domain">
+ ## <summary>
+-## User domain for the role.
++## User domain for the role
+ ## </summary>
+ ## </param>
++## <rolecap/>
#
- interface(`cvs_admin',`
+ interface(`cron_admin_role',`
gen_require(`
-- type cvs_t, cvs_tmp_t;
-+ type cvs_t, cvs_tmp_t, cvs_initrc_exec_t;
- type cvs_data_t, cvs_var_run_t;
-- type cvs_initrc_exec_t;
+- type cronjob_t, crontab_exec_t, admin_crontab_t;
++ type cronjob_t, crontab_exec_t, admin_crontab_t, admin_crontab_tmp_t;
++ type user_cron_spool_t, crond_t;
+ class passwd crontab;
+- type crond_t, user_cron_spool_t;
+- bool cron_userdomain_transition;
')
-- allow $1 cvs_t:process { ptrace signal_perms };
-+ allow $1 cvs_t:process signal_perms;
- ps_process_pattern($1, cvs_t)
-
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 cvs_t:process ptrace;
-+ ')
-+
- # Allow cvs_t to restart the apache service
- init_labeled_script_domtrans($1, cvs_initrc_exec_t)
- domain_system_change_exemption($1)
-diff --git a/cvs.te b/cvs.te
-index 88e7e97..b475317 100644
---- a/cvs.te
-+++ b/cvs.te
-@@ -10,7 +10,7 @@ policy_module(cvs, 1.9.0)
- ## Allow cvs daemon to read shadow
- ## </p>
- ## </desc>
--gen_tunable(allow_cvs_read_shadow, false)
-+gen_tunable(cvs_read_shadow, false)
+- ##############################
+- #
+- # Declarations
+- #
++ role $1 types { cronjob_t admin_crontab_t admin_crontab_tmp_t };
- type cvs_t;
- type cvs_exec_t;
-@@ -35,12 +35,12 @@ files_pid_file(cvs_var_run_t)
- # Local policy
- #
+- role $1 types { cronjob_t admin_crontab_t };
++ # cronjob shows up in user ps
++ ps_process_pattern($2, cronjob_t)
-+allow cvs_t self:capability { setuid setgid };
- allow cvs_t self:process signal_perms;
- allow cvs_t self:fifo_file rw_fifo_file_perms;
- allow cvs_t self:tcp_socket connected_stream_socket_perms;
- # for identd; cjp: this should probably only be inetd_child rules?
- allow cvs_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
--allow cvs_t self:capability { setuid setgid };
-
- manage_dirs_pattern(cvs_t, cvs_data_t, cvs_data_t)
- manage_files_pattern(cvs_t, cvs_data_t, cvs_data_t)
-@@ -57,7 +57,6 @@ kernel_read_kernel_sysctls(cvs_t)
- kernel_read_system_state(cvs_t)
- kernel_read_network_state(cvs_t)
-
--corenet_all_recvfrom_unlabeled(cvs_t)
- corenet_all_recvfrom_netlabel(cvs_t)
- corenet_tcp_sendrecv_generic_if(cvs_t)
- corenet_udp_sendrecv_generic_if(cvs_t)
-@@ -76,21 +75,22 @@ auth_use_nsswitch(cvs_t)
- corecmd_exec_bin(cvs_t)
- corecmd_exec_shell(cvs_t)
+- ##############################
+- #
+- # Local policy
+- #
++ # Manipulate other users crontab.
++ allow $2 self:passwd crontab;
--files_read_etc_files(cvs_t)
- files_read_etc_runtime_files(cvs_t)
- # for identd; cjp: this should probably only be inetd_child rules?
- files_search_home(cvs_t)
++ # Transition from the user domain to the derived domain.
+ domtrans_pattern($2, crontab_exec_t, admin_crontab_t)
-+init_dontaudit_read_utmp(cvs_t)
-+
- logging_send_syslog_msg(cvs_t)
- logging_send_audit_msgs(cvs_t)
+- dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
+- allow $2 crond_t:process sigchld;
++ # crontab shows up in user ps
++ ps_process_pattern($2, admin_crontab_t)
++ allow $2 admin_crontab_t:process signal_perms;
++ tunable_policy(`deny_ptrace',`',`
++ allow $2 admin_crontab_t:process ptrace;
++ ')
--miscfiles_read_localization(cvs_t)
--
- mta_send_mail(cvs_t)
+- allow $2 user_cron_spool_t:file { getattr read write ioctl };
++ allow $2 crond_t:process sigchld;
++ allow crond_t $2:process transition;
-+userdom_dontaudit_search_user_home_dirs(cvs_t)
-+
- # cjp: typeattribute doesnt work in conditionals yet
- auth_can_read_shadow_passwords(cvs_t)
--tunable_policy(`allow_cvs_read_shadow',`
-+tunable_policy(`cvs_read_shadow',`
- allow cvs_t self:capability dac_override;
- auth_tunable_read_shadow(cvs_t)
- ')
-@@ -112,4 +112,5 @@ optional_policy(`
- read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
- manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
- manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
-+ files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
- ')
-diff --git a/cyphesis.te b/cyphesis.te
-index 25897c9..814bdae 100644
---- a/cyphesis.te
-+++ b/cyphesis.te
-@@ -48,7 +48,6 @@ kernel_read_kernel_sysctls(cyphesis_t)
- corecmd_search_bin(cyphesis_t)
- corecmd_getattr_bin_files(cyphesis_t)
+- allow $2 admin_crontab_t:process { ptrace signal_perms };
+- ps_process_pattern($2, admin_crontab_t)
++ dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
--corenet_all_recvfrom_unlabeled(cyphesis_t)
- corenet_tcp_sendrecv_generic_if(cyphesis_t)
- corenet_tcp_sendrecv_generic_node(cyphesis_t)
- corenet_tcp_sendrecv_all_ports(cyphesis_t)
-@@ -66,8 +65,6 @@ files_read_usr_files(cyphesis_t)
+- # Manipulate other users crontab.
+- allow $2 self:passwd crontab;
++ # needs to be authorized SELinux context for cron
++ allow $2 user_cron_spool_t:file entrypoint;
- logging_send_syslog_msg(cyphesis_t)
++ # Run helper programs as the user domain
++ #corecmd_bin_domtrans(admin_crontab_t, $2)
++ #corecmd_shell_domtrans(admin_crontab_t, $2)
+ corecmd_exec_bin(admin_crontab_t)
+ corecmd_exec_shell(admin_crontab_t)
--miscfiles_read_localization(cyphesis_t)
+- tunable_policy(`cron_userdomain_transition',`
+- allow crond_t $2:process transition;
+- allow crond_t $2:fd use;
+- allow crond_t $2:key manage_key_perms;
-
- sysnet_dns_name_resolve(cyphesis_t)
+- allow $2 user_cron_spool_t:file entrypoint;
+-
+- allow $2 crond_t:fifo_file rw_fifo_file_perms;
+-
+- allow $2 cronjob_t:process { ptrace signal_perms };
+- ps_process_pattern($2, cronjob_t)
+- ',`
+- dontaudit crond_t $2:process transition;
+- dontaudit crond_t $2:fd use;
+- dontaudit crond_t $2:key manage_key_perms;
+-
+- dontaudit $2 user_cron_spool_t:file entrypoint;
+-
+- dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
+-
+- dontaudit $2 cronjob_t:process { ptrace signal_perms };
+- ')
+-
+ optional_policy(`
+ gen_require(`
+ class dbus send_msg;
+@@ -285,13 +213,13 @@ interface(`cron_admin_role',`
+ dbus_stub(admin_cronjob_t)
- # cyphesis wants to talk to avahi via dbus
-diff --git a/cyrus.if b/cyrus.if
-index e4e86d0..4203ea9 100644
---- a/cyrus.if
-+++ b/cyrus.if
-@@ -20,6 +20,25 @@ interface(`cyrus_manage_data',`
- manage_files_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t)
+ allow cronjob_t $2:dbus send_msg;
+- ')
++ ')
')
-+#######################################
-+## <summary>
-+## Allow write cyrus data files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`cyrus_write_data',`
-+ gen_require(`
-+ type cyrus_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ write_files_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t)
-+')
-+
########################################
## <summary>
- ## Connect to Cyrus using a unix domain stream socket.
-@@ -62,9 +81,13 @@ interface(`cyrus_admin',`
- type cyrus_var_run_t, cyrus_initrc_exec_t;
+-## Make the specified program domain
+-## accessable from the system cron jobs.
++## Make the specified program domain accessable
++## from the system cron jobs.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -307,15 +235,15 @@ interface(`cron_admin_role',`
+ interface(`cron_system_entry',`
+ gen_require(`
+ type crond_t, system_cronjob_t;
+- type user_cron_spool_log_t;
')
-- allow $1 cyrus_t:process { ptrace signal_perms };
-+ allow $1 cyrus_t:process signal_perms;
- ps_process_pattern($1, cyrus_t)
-
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 cyrus_t:process ptrace;
-+ ')
-+
- init_labeled_script_domtrans($1, cyrus_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 cyrus_initrc_exec_t system_r;
-diff --git a/cyrus.te b/cyrus.te
-index 097fdcc..fb6e6da 100644
---- a/cyrus.te
-+++ b/cyrus.te
-@@ -26,7 +26,7 @@ files_pid_file(cyrus_var_run_t)
- # Local policy
- #
-
--allow cyrus_t self:capability { dac_override net_bind_service setgid setuid sys_resource };
-+allow cyrus_t self:capability { fsetid dac_override net_bind_service setgid setuid sys_resource };
- dontaudit cyrus_t self:capability sys_tty_config;
- allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
- allow cyrus_t self:process setrlimit;
-@@ -62,7 +62,6 @@ kernel_read_kernel_sysctls(cyrus_t)
- kernel_read_system_state(cyrus_t)
- kernel_read_all_sysctls(cyrus_t)
-
--corenet_all_recvfrom_unlabeled(cyrus_t)
- corenet_all_recvfrom_netlabel(cyrus_t)
- corenet_tcp_sendrecv_generic_if(cyrus_t)
- corenet_udp_sendrecv_generic_if(cyrus_t)
-@@ -73,6 +72,7 @@ corenet_udp_sendrecv_all_ports(cyrus_t)
- corenet_tcp_bind_generic_node(cyrus_t)
- corenet_tcp_bind_mail_port(cyrus_t)
- corenet_tcp_bind_lmtp_port(cyrus_t)
-+corenet_tcp_bind_innd_port(cyrus_t)
- corenet_tcp_bind_pop_port(cyrus_t)
- corenet_tcp_bind_sieve_port(cyrus_t)
- corenet_tcp_connect_all_ports(cyrus_t)
-@@ -93,7 +93,6 @@ corecmd_exec_bin(cyrus_t)
- domain_use_interactive_fds(cyrus_t)
-
- files_list_var_lib(cyrus_t)
--files_read_etc_files(cyrus_t)
- files_read_etc_runtime_files(cyrus_t)
- files_read_usr_files(cyrus_t)
-
-@@ -103,7 +102,6 @@ libs_exec_lib_files(cyrus_t)
-
- logging_send_syslog_msg(cyrus_t)
-
--miscfiles_read_localization(cyrus_t)
- miscfiles_read_generic_certs(cyrus_t)
-
- sysnet_read_config(cyrus_t)
-@@ -119,6 +117,10 @@ optional_policy(`
- ')
+- rw_files_pattern($1, user_cron_spool_log_t, user_cron_spool_log_t)
+-
+ domtrans_pattern(system_cronjob_t, $2, $1)
+ domtrans_pattern(crond_t, $2, $1)
- optional_policy(`
-+ dirsrv_stream_connect(cyrus_t)
-+')
+ role system_r types $1;
+
-+optional_policy(`
- kerberos_keytab_template(cyrus, cyrus_t)
++ allow $1 crond_t:fifo_file rw_fifo_file_perms;
++ allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms;
')
-@@ -135,6 +137,7 @@ optional_policy(`
- ')
+ ########################################
+@@ -333,13 +261,12 @@ interface(`cron_domtrans',`
+ type system_cronjob_t, crond_exec_t;
+ ')
- optional_policy(`
-+ files_dontaudit_write_usr_dirs(cyrus_t)
- snmp_read_snmp_var_lib_files(cyrus_t)
- snmp_dontaudit_write_snmp_var_lib_files(cyrus_t)
- snmp_stream_connect(cyrus_t)
-diff --git a/daemontools.if b/daemontools.if
-index ce3e676..0158314 100644
---- a/daemontools.if
-+++ b/daemontools.if
-@@ -210,3 +210,4 @@ interface(`daemontools_manage_svc',`
- allow $1 svc_svc_t:file manage_file_perms;
- allow $1 svc_svc_t:lnk_file { read create };
+- corecmd_search_bin($1)
+ domtrans_pattern($1, crond_exec_t, system_cronjob_t)
')
-+
-diff --git a/daemontools.te b/daemontools.te
-index dcc5f1c..c6fa5c0 100644
---- a/daemontools.te
-+++ b/daemontools.te
-@@ -38,7 +38,10 @@ files_type(svc_svc_t)
- # multilog creates /service/*/log/status
- manage_files_pattern(svc_multilog_t, svc_svc_t, svc_svc_t)
-
-+term_write_console(svc_multilog_t)
-+
- init_use_fds(svc_multilog_t)
-+init_dontaudit_use_script_fds(svc_multilog_t)
- # writes to /var/log/*/*
- logging_manage_generic_logs(svc_multilog_t)
-@@ -69,6 +72,8 @@ dev_read_urand(svc_run_t)
- corecmd_exec_bin(svc_run_t)
- corecmd_exec_shell(svc_run_t)
+ ########################################
+ ## <summary>
+-## Execute crond in the caller domain.
++## Execute crond_exec_t
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -352,7 +279,6 @@ interface(`cron_exec',`
+ type crond_exec_t;
+ ')
-+term_write_console(svc_run_t)
-+
- files_read_etc_files(svc_run_t)
- files_read_etc_runtime_files(svc_run_t)
- files_search_pids(svc_run_t)
-@@ -99,12 +104,19 @@ allow svc_start_t self:unix_stream_socket create_socket_perms;
+- corecmd_search_bin($1)
+ can_exec($1, crond_exec_t)
+ ')
- can_exec(svc_start_t, svc_start_exec_t)
+@@ -376,7 +302,31 @@ interface(`cron_initrc_domtrans',`
-+mmap_files_pattern(svc_start_t, svc_svc_t, svc_svc_t)
+ ########################################
+ ## <summary>
+-## Use crond file descriptors.
++## Execute crond server in the crond domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`cron_systemctl',`
++ gen_require(`
++ type crond_unit_file_t;
++ type crond_t;
++ ')
+
- kernel_read_kernel_sysctls(svc_start_t)
- kernel_read_system_state(svc_start_t)
-
- corecmd_exec_bin(svc_start_t)
- corecmd_exec_shell(svc_start_t)
-
-+corenet_tcp_bind_generic_node(svc_start_t)
-+corenet_tcp_bind_generic_port(svc_start_t)
++ systemd_exec_systemctl($1)
++ allow $1 crond_unit_file_t:file read_file_perms;
++ allow $1 crond_unit_file_t:service manage_service_perms;
+
-+term_write_console(svc_start_t)
++ ps_process_pattern($1, crond_t)
++')
+
- files_read_etc_files(svc_start_t)
- files_read_etc_runtime_files(svc_start_t)
- files_search_var(svc_start_t)
-@@ -114,5 +126,3 @@ daemontools_domtrans_run(svc_start_t)
- daemontools_manage_svc(svc_start_t)
-
- logging_send_syslog_msg(svc_start_t)
--
--miscfiles_read_localization(svc_start_t)
-diff --git a/dante.te b/dante.te
-index 9636326..637fc71 100644
---- a/dante.te
-+++ b/dante.te
-@@ -10,7 +10,7 @@ type dante_exec_t;
- init_daemon_domain(dante_t, dante_exec_t)
-
- type dante_conf_t;
--files_type(dante_conf_t)
-+files_config_file(dante_conf_t)
-
- type dante_var_run_t;
- files_pid_file(dante_var_run_t)
-@@ -37,7 +37,6 @@ kernel_read_kernel_sysctls(dante_t)
- kernel_list_proc(dante_t)
- kernel_read_proc_symlinks(dante_t)
-
--corenet_all_recvfrom_unlabeled(dante_t)
- corenet_all_recvfrom_netlabel(dante_t)
- corenet_tcp_sendrecv_generic_if(dante_t)
- corenet_udp_sendrecv_generic_if(dante_t)
-@@ -46,7 +45,6 @@ corenet_udp_sendrecv_generic_node(dante_t)
- corenet_tcp_sendrecv_all_ports(dante_t)
- corenet_udp_sendrecv_all_ports(dante_t)
- corenet_tcp_bind_generic_node(dante_t)
--corenet_tcp_bind_socks_port(dante_t)
-
- dev_read_sysfs(dante_t)
-
-@@ -62,8 +60,6 @@ init_write_utmp(dante_t)
-
- logging_send_syslog_msg(dante_t)
++########################################
++## <summary>
++## Inherit and use a file descriptor
++## from the cron daemon.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -394,7 +344,7 @@ interface(`cron_use_fds',`
--miscfiles_read_localization(dante_t)
--
- sysnet_read_config(dante_t)
+ ########################################
+ ## <summary>
+-## Send child terminated signals to crond.
++## Send a SIGCHLD signal to the cron daemon.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -412,7 +362,7 @@ interface(`cron_sigchld',`
- userdom_dontaudit_use_unpriv_user_fds(dante_t)
-diff --git a/dbadm.te b/dbadm.te
-index 1875064..2adc35f 100644
---- a/dbadm.te
-+++ b/dbadm.te
-@@ -28,7 +28,7 @@ userdom_base_user_template(dbadm)
- # database admin local policy
+ ########################################
+ ## <summary>
+-## Set the attributes of cron log files.
++## Send a generic signal to cron daemon.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -420,17 +370,17 @@ interface(`cron_sigchld',`
+ ## </summary>
+ ## </param>
#
+-interface(`cron_setattr_log_files',`
++interface(`cron_signal',`
+ gen_require(`
+- type cron_log_t;
++ type crond_t;
+ ')
--allow dbadm_t self:capability { dac_override dac_read_search sys_ptrace };
-+allow dbadm_t self:capability { dac_override dac_read_search };
-
- files_dontaudit_search_all_dirs(dbadm_t)
- files_delete_generic_locks(dbadm_t)
-@@ -37,6 +37,7 @@ files_list_var(dbadm_t)
- selinux_get_enforce_mode(dbadm_t)
-
- logging_send_syslog_msg(dbadm_t)
-+logging_send_audit_msgs(dbadm_t)
+- allow $1 cron_log_t:file setattr_file_perms;
++ allow $1 crond_t:process signal;
+ ')
- userdom_dontaudit_search_user_home_dirs(dbadm_t)
+ ########################################
+ ## <summary>
+-## Create cron log files.
++## Read a cron daemon unnamed pipe.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -438,17 +388,17 @@ interface(`cron_setattr_log_files',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`cron_create_log_files',`
++interface(`cron_read_pipes',`
+ gen_require(`
+- type cron_log_t;
++ type crond_t;
+ ')
-@@ -58,3 +59,7 @@ optional_policy(`
- optional_policy(`
- postgresql_admin(dbadm_t, dbadm_r)
+- create_files_pattern($1, cron_log_t, cron_log_t)
++ allow $1 crond_t:fifo_file read_fifo_file_perms;
')
-+
-+optional_policy(`
-+ sudo_role_template(dbadm, dbadm_r, dbadm_t)
-+')
-diff --git a/dbskk.te b/dbskk.te
-index 1445f97..8ca064c 100644
---- a/dbskk.te
-+++ b/dbskk.te
-@@ -47,7 +47,6 @@ kernel_read_kernel_sysctls(dbskkd_t)
- kernel_read_system_state(dbskkd_t)
- kernel_read_network_state(dbskkd_t)
-
--corenet_all_recvfrom_unlabeled(dbskkd_t)
- corenet_all_recvfrom_netlabel(dbskkd_t)
- corenet_tcp_sendrecv_generic_if(dbskkd_t)
- corenet_udp_sendrecv_generic_if(dbskkd_t)
-@@ -60,10 +59,7 @@ dev_read_urand(dbskkd_t)
- fs_getattr_xattr_fs(dbskkd_t)
+ ########################################
+ ## <summary>
+-## Write to cron log files.
++## Read crond state files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -456,18 +406,20 @@ interface(`cron_create_log_files',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`cron_write_log_files',`
++interface(`cron_read_state_crond',`
+ gen_require(`
+- type cron_log_t;
++ type crond_t;
+ ')
--files_read_etc_files(dbskkd_t)
+- allow $1 cron_log_t:file write_file_perms;
++ kernel_search_proc($1)
++ ps_process_pattern($1, crond_t)
+ ')
- auth_use_nsswitch(dbskkd_t)
++
+ ########################################
+ ## <summary>
+-## Create, read, write and delete
+-## cron log files.
++## Send and receive messages from
++## crond over dbus.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -475,48 +427,37 @@ interface(`cron_write_log_files',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`cron_manage_log_files',`
++interface(`cron_dbus_chat_crond',`
+ gen_require(`
+- type cron_log_t;
++ type crond_t;
++ class dbus send_msg;
+ ')
- logging_send_syslog_msg(dbskkd_t)
+- manage_files_pattern($1, cron_log_t, cron_log_t)
-
--miscfiles_read_localization(dbskkd_t)
-diff --git a/dbus.fc b/dbus.fc
-index e6345ce..31f269b 100644
---- a/dbus.fc
-+++ b/dbus.fc
-@@ -4,6 +4,7 @@
-
- ifdef(`distro_redhat',`
- /lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
-+/usr/lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+- logging_search_logs($1)
++ allow $1 crond_t:dbus send_msg;
++ allow crond_t $1:dbus send_msg;
')
- /usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0)
-diff --git a/dbus.if b/dbus.if
-index fb4bf82..126d543 100644
---- a/dbus.if
-+++ b/dbus.if
-@@ -41,9 +41,9 @@ interface(`dbus_stub',`
- template(`dbus_role_template',`
+ ########################################
+ ## <summary>
+-## Create specified objects in generic
+-## log directories with the cron log file type.
++## Do not audit attempts to write cron daemon unnamed pipes.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
+-## </summary>
+-## </param>
+-## <param name="object_class">
+-## <summary>
+-## Class of the object being created.
+-## </summary>
+-## </param>
+-## <param name="name" optional="true">
+-## <summary>
+-## The name of the object being created.
++## Domain to not audit.
+ ## </summary>
+ ## </param>
+ #
+-interface(`cron_generic_log_filetrans_log',`
++interface(`cron_dontaudit_write_pipes',`
gen_require(`
- class dbus { send_msg acquire_svc };
--
-- attribute session_bus_type;
-+ attribute dbusd_unconfined, session_bus_type;
- type system_dbusd_t, session_dbusd_tmp_t, dbusd_exec_t, dbusd_etc_t;
-+ type $1_t;
+- type cron_log_t;
++ type crond_t;
')
- ##############################
-@@ -52,117 +52,47 @@ template(`dbus_role_template',`
- #
-
- type $1_dbusd_t, session_bus_type;
-- domain_type($1_dbusd_t)
-- domain_entry_file($1_dbusd_t, dbusd_exec_t)
-+ application_domain($1_dbusd_t, dbusd_exec_t)
- ubac_constrained($1_dbusd_t)
- role $2 types $1_dbusd_t;
-
-+ kernel_read_system_state($1_dbusd_t)
-+
-+ selinux_get_fs_mount($1_dbusd_t)
-+
-+ userdom_home_manager($1_dbusd_t)
-+
- ##############################
- #
- # Local policy
- #
-
-- allow $1_dbusd_t self:process { getattr sigkill signal };
-- dontaudit $1_dbusd_t self:process ptrace;
-- allow $1_dbusd_t self:file { getattr read write };
-- allow $1_dbusd_t self:fifo_file rw_fifo_file_perms;
-- allow $1_dbusd_t self:dbus { send_msg acquire_svc };
-- allow $1_dbusd_t self:unix_stream_socket create_stream_socket_perms;
-- allow $1_dbusd_t self:unix_dgram_socket create_socket_perms;
-- allow $1_dbusd_t self:tcp_socket create_stream_socket_perms;
-- allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms;
--
- # For connecting to the bus
- allow $3 $1_dbusd_t:unix_stream_socket connectto;
-
- # SE-DBus specific permissions
-- allow $3 $1_dbusd_t:dbus { send_msg acquire_svc };
-+ allow { dbusd_unconfined $3 } $1_dbusd_t:dbus { send_msg acquire_svc };
- allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
+- logging_log_filetrans($1, cron_log_t, $2, $3)
++ dontaudit $1 crond_t:fifo_file write;
+ ')
-- allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms;
-- read_files_pattern($1_dbusd_t, dbusd_etc_t, dbusd_etc_t)
-- read_lnk_files_pattern($1_dbusd_t, dbusd_etc_t, dbusd_etc_t)
-+ domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t)
+ ########################################
+ ## <summary>
+-## Read cron daemon unnamed pipes.
++## Read and write a cron daemon unnamed pipe.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -524,36 +465,35 @@ interface(`cron_generic_log_filetrans_log',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`cron_read_pipes',`
++interface(`cron_rw_pipes',`
+ gen_require(`
+ type crond_t;
+ ')
-- manage_dirs_pattern($1_dbusd_t, session_dbusd_tmp_t, session_dbusd_tmp_t)
-- manage_files_pattern($1_dbusd_t, session_dbusd_tmp_t, session_dbusd_tmp_t)
-- files_tmp_filetrans($1_dbusd_t, session_dbusd_tmp_t, { file dir })
-+ ps_process_pattern($3, $1_dbusd_t)
-+ allow $3 $1_dbusd_t:process signal_perms;
+- allow $1 crond_t:fifo_file read_fifo_file_perms;
++ allow $1 crond_t:fifo_file rw_inherited_fifo_file_perms;
+ ')
-- domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t)
-- allow $3 $1_dbusd_t:process { signull sigkill signal };
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $3 $1_dbusd_t:process ptrace;
-+ ')
+ ########################################
+ ## <summary>
+-## Do not audit attempts to write
+-## cron daemon unnamed pipes.
++## Read and write inherited user spool files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain to not audit.
++## Domain allowed access.
+ ## </summary>
+ ## </param>
+ #
+-interface(`cron_dontaudit_write_pipes',`
++interface(`cron_rw_inherited_user_spool_files',`
+ gen_require(`
+- type crond_t;
++ type user_cron_spool_t;
+ ')
- # cjp: this seems very broken
-- corecmd_bin_domtrans($1_dbusd_t, $3)
-+ corecmd_bin_domtrans($1_dbusd_t, $1_t)
-+ corecmd_shell_domtrans($1_dbusd_t, $1_t)
- allow $1_dbusd_t $3:process sigkill;
- allow $3 $1_dbusd_t:fd use;
- allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms;
-- allow $3 $1_dbusd_t:process sigchld;
--
-- kernel_read_system_state($1_dbusd_t)
-- kernel_read_kernel_sysctls($1_dbusd_t)
--
-- corecmd_list_bin($1_dbusd_t)
-- corecmd_read_bin_symlinks($1_dbusd_t)
-- corecmd_read_bin_files($1_dbusd_t)
-- corecmd_read_bin_pipes($1_dbusd_t)
-- corecmd_read_bin_sockets($1_dbusd_t)
-
-- corenet_all_recvfrom_unlabeled($1_dbusd_t)
-- corenet_all_recvfrom_netlabel($1_dbusd_t)
-- corenet_tcp_sendrecv_generic_if($1_dbusd_t)
-- corenet_tcp_sendrecv_generic_node($1_dbusd_t)
-- corenet_tcp_sendrecv_all_ports($1_dbusd_t)
-- corenet_tcp_bind_generic_node($1_dbusd_t)
-- corenet_tcp_bind_reserved_port($1_dbusd_t)
--
-- dev_read_urand($1_dbusd_t)
--
-- domain_use_interactive_fds($1_dbusd_t)
-- domain_read_all_domains_state($1_dbusd_t)
--
-- files_read_etc_files($1_dbusd_t)
-- files_list_home($1_dbusd_t)
-- files_read_usr_files($1_dbusd_t)
-- files_dontaudit_search_var($1_dbusd_t)
--
-- fs_getattr_romfs($1_dbusd_t)
-- fs_getattr_xattr_fs($1_dbusd_t)
-- fs_list_inotifyfs($1_dbusd_t)
-- fs_dontaudit_list_nfs($1_dbusd_t)
--
-- selinux_get_fs_mount($1_dbusd_t)
-- selinux_validate_context($1_dbusd_t)
-- selinux_compute_access_vector($1_dbusd_t)
-- selinux_compute_create_context($1_dbusd_t)
-- selinux_compute_relabel_context($1_dbusd_t)
-- selinux_compute_user_contexts($1_dbusd_t)
--
-- auth_read_pam_console_data($1_dbusd_t)
- auth_use_nsswitch($1_dbusd_t)
+- dontaudit $1 crond_t:fifo_file write;
++ allow $1 user_cron_spool_t:file rw_inherited_file_perms;
+ ')
-- logging_send_audit_msgs($1_dbusd_t)
- logging_send_syslog_msg($1_dbusd_t)
--
-- miscfiles_read_localization($1_dbusd_t)
--
-- seutil_read_config($1_dbusd_t)
-- seutil_read_default_contexts($1_dbusd_t)
--
-- term_use_all_terms($1_dbusd_t)
--
-- userdom_read_user_home_content_files($1_dbusd_t)
--
-- ifdef(`hide_broken_symptoms', `
-- dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write };
-- ')
--
-- optional_policy(`
-- hal_dbus_chat($1_dbusd_t)
-- ')
--
-- optional_policy(`
-- xserver_use_xdm_fds($1_dbusd_t)
-- xserver_rw_xdm_pipes($1_dbusd_t)
-- ')
+ ########################################
+ ## <summary>
+-## Read and write crond unnamed pipes.
++## Read and write inherited spool files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -561,17 +501,17 @@ interface(`cron_dontaudit_write_pipes',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`cron_rw_pipes',`
++interface(`cron_rw_inherited_spool_files',`
+ gen_require(`
+- type crond_t;
++ type cron_spool_t;
+ ')
+
+- allow $1 crond_t:fifo_file rw_fifo_file_perms;
++ allow $1 cron_spool_t:file rw_inherited_file_perms;
')
- #######################################
-@@ -181,11 +111,12 @@ interface(`dbus_system_bus_client',`
- type system_dbusd_t, system_dbusd_t;
- type system_dbusd_var_run_t, system_dbusd_var_lib_t;
- class dbus send_msg;
-+ attribute dbusd_unconfined;
- ')
+ ########################################
+ ## <summary>
+-## Read and write crond TCP sockets.
++## Read, and write cron daemon TCP sockets.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -589,8 +529,7 @@ interface(`cron_rw_tcp_sockets',`
- # SE-DBus specific permissions
- allow $1 { system_dbusd_t self }:dbus send_msg;
-- allow system_dbusd_t $1:dbus send_msg;
-+ allow { system_dbusd_t dbusd_unconfined } $1:dbus send_msg;
+ ########################################
+ ## <summary>
+-## Do not audit attempts to read and
+-## write cron daemon TCP sockets.
++## Dontaudit Read, and write cron daemon TCP sockets.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -608,7 +547,7 @@ interface(`cron_dontaudit_rw_tcp_sockets',`
- read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
- files_search_var_lib($1)
-@@ -198,6 +129,34 @@ interface(`dbus_system_bus_client',`
+ ########################################
+ ## <summary>
+-## Search cron spool directories.
++## Search the directory containing user cron tables.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -627,8 +566,26 @@ interface(`cron_search_spool',`
- #######################################
+ ########################################
## <summary>
-+## Creating connections to specified
-+## DBUS sessions.
+-## Create, read, write, and delete
+-## crond pid files.
++## Search the directory containing user cron tables.
+## </summary>
-+## <param name="role_prefix">
-+## <summary>
-+## The prefix of the user role (e.g., user
-+## is the prefix for user_r).
-+## </summary>
-+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
-+interface(`dbus_session_client',`
++interface(`cron_manage_system_spool',`
+ gen_require(`
-+ class dbus send_msg;
-+ type $1_dbusd_t;
++ type cron_system_spool_t;
+ ')
+
-+ allow $2 $1_dbusd_t:fd use;
-+ allow $2 { $1_dbusd_t self }:dbus send_msg;
-+ allow $2 $1_dbusd_t:unix_stream_socket connectto;
++ files_search_spool($1)
++ manage_files_pattern($1, cron_system_spool_t, cron_system_spool_t)
+')
+
-+#######################################
++########################################
+## <summary>
- ## Template for creating connections to
- ## a user DBUS.
++## Manage pid files used by cron
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -641,13 +598,13 @@ interface(`cron_manage_pid_files',`
+ type crond_var_run_t;
+ ')
+
++ files_search_pids($1)
+ manage_files_pattern($1, crond_var_run_t, crond_var_run_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Execute anacron in the cron
+-## system domain.
++## Execute anacron in the cron system domain.
## </summary>
-@@ -219,7 +178,7 @@ interface(`dbus_session_bus_client',`
- # For connecting to the bus
- allow $1 session_bus_type:unix_stream_socket connectto;
+ ## <param name="domain">
+ ## <summary>
+@@ -660,13 +617,13 @@ interface(`cron_anacron_domtrans_system_job',`
+ type system_cronjob_t, anacron_exec_t;
+ ')
-- dontaudit $1 session_bus_type:fd use;
-+ allow session_bus_type $1:process sigkill;
+- corecmd_search_bin($1)
+ domtrans_pattern($1, anacron_exec_t, system_cronjob_t)
')
########################################
-@@ -324,6 +283,11 @@ interface(`dbus_connect_session_bus',`
- ## Allow a application domain to be started
- ## by the session dbus.
+ ## <summary>
+-## Use system cron job file descriptors.
++## Inherit and use a file descriptor
++## from system cron jobs.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -684,7 +641,7 @@ interface(`cron_use_system_job_fds',`
+
+ ########################################
+ ## <summary>
+-## Read system cron job lib files.
++## Write a system cron job unnamed pipe.
## </summary>
-+## <param name="domain_prefix">
-+## <summary>
-+## User domain prefix to be used.
-+## </summary>
-+## </param>
## <param name="domain">
## <summary>
- ## Type to be used as a domain.
-@@ -338,13 +302,13 @@ interface(`dbus_connect_session_bus',`
+@@ -692,19 +649,17 @@ interface(`cron_use_system_job_fds',`
+ ## </summary>
+ ## </param>
#
- interface(`dbus_session_domain',`
+-interface(`cron_read_system_job_lib_files',`
++interface(`cron_write_system_job_pipes',`
gen_require(`
-- attribute session_bus_type;
-+ type $1_dbusd_t;
+- type system_cronjob_var_lib_t;
++ type system_cronjob_t;
')
-- domtrans_pattern(session_bus_type, $2, $1)
-+ domtrans_pattern($1_dbusd_t, $2, $3)
+- files_search_var_lib($1)
+- read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
++ allow $1 system_cronjob_t:fifo_file write;
+ ')
-- dbus_session_bus_client($1)
-- dbus_connect_session_bus($1)
-+ dbus_session_bus_client($3)
-+ dbus_connect_session_bus($3)
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete
+-## system cron job lib files.
++## Read and write a system cron job unnamed pipe.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -712,18 +667,17 @@ interface(`cron_read_system_job_lib_files',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`cron_manage_system_job_lib_files',`
++interface(`cron_rw_system_job_pipes',`
+ gen_require(`
+- type system_cronjob_var_lib_t;
++ type system_cronjob_t;
+ ')
+
+- files_search_var_lib($1)
+- manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
++ allow $1 system_cronjob_t:fifo_file rw_inherited_fifo_file_perms;
')
########################################
-@@ -423,27 +387,16 @@ interface(`dbus_system_bus_unconfined',`
+ ## <summary>
+-## Write system cron job unnamed pipes.
++## Allow read/write unix stream sockets from the system cron jobs.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -731,18 +685,17 @@ interface(`cron_manage_system_job_lib_files',`
+ ## </summary>
+ ## </param>
#
- interface(`dbus_system_domain',`
+-interface(`cron_write_system_job_pipes',`
++interface(`cron_rw_system_job_stream_sockets',`
gen_require(`
-+ attribute system_bus_type;
- type system_dbusd_t;
- role system_r;
+ type system_cronjob_t;
')
-+ typeattribute $1 system_bus_type;
- domain_type($1)
- domain_entry_file($1, $2)
+- allow $1 system_cronjob_t:file write;
++ allow $1 system_cronjob_t:unix_stream_socket { read write };
+ ')
-- role system_r types $1;
--
- domtrans_pattern(system_dbusd_t, $2, $1)
--
-- dbus_system_bus_client($1)
-- dbus_connect_system_bus($1)
--
-- ps_process_pattern(system_dbusd_t, $1)
--
-- userdom_read_all_users_state($1)
--
-- ifdef(`hide_broken_symptoms', `
-- dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
-- ')
+ ########################################
+ ## <summary>
+-## Read and write system cron job
+-## unnamed pipes.
++## Read temporary files from the system cron jobs.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -750,86 +703,142 @@ interface(`cron_write_system_job_pipes',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`cron_rw_system_job_pipes',`
++interface(`cron_read_system_job_tmp_files',`
+ gen_require(`
+- type system_cronjob_t;
++ type system_cronjob_tmp_t, cron_var_run_t;
+ ')
+
+- allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms;
++ files_search_tmp($1)
++ allow $1 system_cronjob_tmp_t:file read_file_perms;
++
++ files_search_pids($1)
++ allow $1 cron_var_run_t:file read_file_perms;
')
########################################
-@@ -466,26 +419,25 @@ interface(`dbus_use_system_bus_fds',`
+ ## <summary>
+-## Read and write inherited system cron
+-## job unix domain stream sockets.
++## Do not audit attempts to append temporary
++## files from the system cron jobs.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
++## Domain to not audit.
+ ## </summary>
+ ## </param>
+ #
+-interface(`cron_rw_system_job_stream_sockets',`
++interface(`cron_dontaudit_append_system_job_tmp_files',`
+ gen_require(`
+- type system_cronjob_t;
++ type system_cronjob_tmp_t;
+ ')
+
+- allow $1 system_cronjob_t:unix_stream_socket { read write };
++ dontaudit $1 system_cronjob_tmp_t:file append_file_perms;
+ ')
########################################
## <summary>
--## Dontaudit Read, and write system dbus TCP sockets.
-+## Allow unconfined access to the system DBUS.
+-## Read system cron job temporary files.
++## Do not audit attempts to write temporary
++## files from the system cron jobs.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
++## Domain to not audit.
+ ## </summary>
+ ## </param>
+ #
+-interface(`cron_read_system_job_tmp_files',`
++interface(`cron_dontaudit_write_system_job_tmp_files',`
+ gen_require(`
+ type system_cronjob_tmp_t;
++ type cron_var_run_t;
+ ')
+
+- files_search_tmp($1)
+- allow $1 system_cronjob_tmp_t:file read_file_perms;
++ dontaudit $1 system_cronjob_tmp_t:file write_file_perms;
++ dontaudit $1 cron_var_run_t:file write_file_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Do not audit attempts to append temporary
+-## system cron job files.
++## Read temporary files from the system cron jobs.
## </summary>
## <param name="domain">
## <summary>
@@ -16002,835 +13587,1074 @@ index fb4bf82..126d543 100644
## </summary>
## </param>
#
--interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
-+interface(`dbus_unconfined',`
+-interface(`cron_dontaudit_append_system_job_tmp_files',`
++interface(`cron_read_system_job_lib_files',`
gen_require(`
-- type system_dbusd_t;
-+ attribute dbusd_unconfined;
+- type system_cronjob_tmp_t;
++ type system_cronjob_var_lib_t;
')
-- allow $1 system_dbusd_t:tcp_socket { read write };
-- allow $1 system_dbusd_t:fd use;
-+ typeattribute $1 dbusd_unconfined;
+- dontaudit $1 system_cronjob_tmp_t:file append_file_perms;
++ files_search_var_lib($1)
++ read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
')
########################################
## <summary>
--## Allow unconfined access to the system DBUS.
-+## Delete all dbus pid files
+-## Do not audit attempts to write temporary
+-## system cron job files.
++## Manage files from the system cron jobs.
## </summary>
## <param name="domain">
## <summary>
-@@ -493,10 +445,51 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
+-## Domain to not audit.
++## Domain allowed access.
## </summary>
## </param>
#
--interface(`dbus_unconfined',`
-+interface(`dbus_delete_pid_files',`
+-interface(`cron_dontaudit_write_system_job_tmp_files',`
++interface(`cron_manage_system_job_lib_files',`
gen_require(`
-- attribute dbusd_unconfined;
-+ type system_dbusd_var_run_t;
+- type system_cronjob_tmp_t;
++ type system_cronjob_var_lib_t;
')
-- typeattribute $1 dbusd_unconfined;
-+ files_search_pids($1)
-+ delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
+- dontaudit $1 system_cronjob_tmp_t:file write_file_perms;
++ files_search_var_lib($1)
++ manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
+')
+
-+########################################
++#######################################
+## <summary>
-+## Do not audit attempts to connect to
-+## session bus types with a unix
-+## stream socket.
++## Create, read, write and delete
++## cron log files.
+## </summary>
+## <param name="domain">
-+## <summary>
-+## Domain to not audit.
-+## </summary>
++## <summary>
++## Domain allowed access.
++## </summary>
+## </param>
+#
-+interface(`dbus_dontaudit_stream_connect_session_bus',`
-+ gen_require(`
-+ attribute session_bus_type;
-+ ')
++interface(`cron_manage_log_files',`
++ gen_require(`
++ type cron_log_t;
++ ')
+
-+ dontaudit $1 session_bus_type:unix_stream_socket connectto;
++ manage_files_pattern($1, cron_log_t, cron_log_t)
++
++ logging_search_logs($1)
+')
+
-+########################################
++#######################################
+## <summary>
-+## Do not audit attempts to send dbus
-+## messages to session bus types.
++## Create specified objects in generic
++## log directories with the cron log file type.
+## </summary>
+## <param name="domain">
-+## <summary>
-+## Domain to not audit.
-+## </summary>
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="object_class">
++## <summary>
++## Class of the object being created.
++## </summary>
++## </param>
++## <param name="name" optional="true">
++## <summary>
++## The name of the object being created.
++## </summary>
+## </param>
+#
-+interface(`dbus_dontaudit_chat_session_bus',`
-+ gen_require(`
-+ attribute session_bus_type;
-+ class dbus send_msg;
-+ ')
++interface(`cron_generic_log_filetrans_log',`
++ gen_require(`
++ type cron_log_t;
++ ')
+
-+ dontaudit $1 session_bus_type:dbus send_msg;
++ logging_log_filetrans($1, cron_log_t, $2, $3)
')
-diff --git a/dbus.te b/dbus.te
-index 625cb32..087cecf 100644
---- a/dbus.te
-+++ b/dbus.te
-@@ -10,6 +10,7 @@ gen_require(`
- #
-
- attribute dbusd_unconfined;
-+attribute system_bus_type;
- attribute session_bus_type;
-
- type dbusd_etc_t;
-@@ -35,6 +36,7 @@ files_type(system_dbusd_var_lib_t)
-
- type system_dbusd_var_run_t;
- files_pid_file(system_dbusd_var_run_t)
-+init_sock_file(system_dbusd_var_run_t)
-
- ifdef(`enable_mcs',`
- init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh)
-@@ -51,9 +53,9 @@ ifdef(`enable_mls',`
-
- # dac_override: /var/run/dbus is owned by messagebus on Debian
- # cjp: dac_override should probably go in a distro_debian
--allow system_dbusd_t self:capability { dac_override setgid setpcap setuid };
-+allow system_dbusd_t self:capability { sys_resource dac_override setgid setpcap setuid };
- dontaudit system_dbusd_t self:capability sys_tty_config;
--allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap };
-+allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit };
- allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
- allow system_dbusd_t self:dbus { send_msg acquire_svc };
- allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
-@@ -73,9 +75,10 @@ files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })
-
- read_files_pattern(system_dbusd_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+diff --git a/cron.te b/cron.te
+index 28e1b86..88a7b95 100644
+--- a/cron.te
++++ b/cron.te
+@@ -1,4 +1,4 @@
+-policy_module(cron, 2.5.10)
++policy_module(cron, 2.2.1)
-+manage_dirs_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
- manage_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
- manage_sock_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
--files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, file)
-+files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, { file dir })
+ gen_require(`
+ class passwd rootok;
+@@ -11,46 +11,37 @@ gen_require(`
- kernel_read_system_state(system_dbusd_t)
- kernel_read_kernel_sysctls(system_dbusd_t)
-@@ -83,11 +86,16 @@ kernel_read_kernel_sysctls(system_dbusd_t)
- dev_read_urand(system_dbusd_t)
- dev_read_sysfs(system_dbusd_t)
+ ## <desc>
+ ## <p>
+-## Determine whether system cron jobs
+-## can relabel filesystem for
+-## restoring file contexts.
++## Allow system cron jobs to relabel filesystem
++## for restoring file contexts.
+ ## </p>
+ ## </desc>
+ gen_tunable(cron_can_relabel, false)
-+files_rw_inherited_non_security_files(system_dbusd_t)
-+
- fs_getattr_all_fs(system_dbusd_t)
- fs_list_inotifyfs(system_dbusd_t)
- fs_search_auto_mountpoints(system_dbusd_t)
- fs_dontaudit_list_nfs(system_dbusd_t)
+ ## <desc>
+ ## <p>
+-## Determine whether crond can execute jobs
+-## in the user domain as opposed to the
+-## the generic cronjob domain.
+-## </p>
+-## </desc>
+-gen_tunable(cron_userdomain_transition, false)
+-
+-## <desc>
+-## <p>
+-## Determine whether extra rules
+-## should be enabled to support fcron.
++## Enable extra rules in the cron domain
++## to support fcron.
+ ## </p>
+ ## </desc>
+ gen_tunable(fcron_crond, false)
-+storage_rw_inherited_fixed_disk_dev(system_dbusd_t)
-+storage_rw_inherited_removable_device(system_dbusd_t)
-+
- mls_fd_use_all_levels(system_dbusd_t)
- mls_rangetrans_target(system_dbusd_t)
- mls_file_read_all_levels(system_dbusd_t)
-@@ -110,22 +118,25 @@ auth_read_pam_console_data(system_dbusd_t)
- corecmd_list_bin(system_dbusd_t)
- corecmd_read_bin_pipes(system_dbusd_t)
- corecmd_read_bin_sockets(system_dbusd_t)
-+# needed for system-tools-backends
-+corecmd_exec_shell(system_dbusd_t)
+-attribute cron_spool_type;
+ attribute crontab_domain;
++attribute cron_spool_type;
- domain_use_interactive_fds(system_dbusd_t)
- domain_read_all_domains_state(system_dbusd_t)
+ type anacron_exec_t;
+ application_executable_file(anacron_exec_t)
--files_read_etc_files(system_dbusd_t)
- files_list_home(system_dbusd_t)
- files_read_usr_files(system_dbusd_t)
+ type cron_spool_t;
+-files_type(cron_spool_t)
+-mta_system_content(cron_spool_t)
++files_spool_file(cron_spool_t)
- init_use_fds(system_dbusd_t)
- init_use_script_ptys(system_dbusd_t)
-+init_bin_domtrans_spec(system_dbusd_t)
- init_domtrans_script(system_dbusd_t)
-+init_rw_stream_sockets(system_dbusd_t)
-+init_status(system_dbusd_t)
++# var/lib files
+ type cron_var_lib_t;
+ files_type(cron_var_lib_t)
- logging_send_audit_msgs(system_dbusd_t)
- logging_send_syslog_msg(system_dbusd_t)
+ type cron_var_run_t;
+ files_pid_file(cron_var_run_t)
--miscfiles_read_localization(system_dbusd_t)
- miscfiles_read_generic_certs(system_dbusd_t)
++# var/log files
+ type cron_log_t;
+ logging_log_file(cron_log_t)
- seutil_read_config(system_dbusd_t)
-@@ -135,11 +146,35 @@ seutil_sigchld_newrole(system_dbusd_t)
- userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
- userdom_dontaudit_search_user_home_dirs(system_dbusd_t)
+@@ -71,6 +62,9 @@ domain_cron_exemption_source(crond_t)
+ type crond_initrc_exec_t;
+ init_script_file(crond_initrc_exec_t)
-+userdom_home_reader(system_dbusd_t)
++type crond_unit_file_t;
++systemd_unit_file(crond_unit_file_t)
+
- optional_policy(`
- bind_domtrans(system_dbusd_t)
- ')
+ type crond_tmp_t;
+ files_tmp_file(crond_tmp_t)
+ files_poly_parent(crond_tmp_t)
+@@ -92,15 +86,16 @@ typealias crontab_t alias { user_crontab_t staff_crontab_t };
+ typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t };
+ typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t };
+ typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
++allow admin_crontab_t crond_t:process signal;
- optional_policy(`
-+ bluetooth_stream_connect(system_dbusd_t)
-+')
-+
-+optional_policy(`
-+ cpufreqselector_dbus_chat(system_dbusd_t)
-+')
-+
-+optional_policy(`
-+ getty_start_services(system_dbusd_t)
-+')
-+
-+optional_policy(`
-+ gnome_exec_gconf(system_dbusd_t)
-+ gnome_read_inherited_home_icc_data_files(system_dbusd_t)
-+')
-+
-+optional_policy(`
-+ networkmanager_initrc_domtrans(system_dbusd_t)
-+ networkmanager_systemctl(system_dbusd_t)
-+')
-+
-+optional_policy(`
- policykit_dbus_chat(system_dbusd_t)
- policykit_domtrans_auth(system_dbusd_t)
- policykit_search_lib(system_dbusd_t)
-@@ -150,12 +185,162 @@ optional_policy(`
- ')
+ type system_cron_spool_t, cron_spool_type;
+-files_type(system_cron_spool_t)
+-mta_system_content(system_cron_spool_t)
++files_spool_file(system_cron_spool_t)
- optional_policy(`
-+ systemd_use_fds_logind(system_dbusd_t)
-+ systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
-+ systemd_write_inhibit_pipes(system_dbusd_t)
-+# These are caused by broken systemd patch
-+ systemd_start_power_services(system_dbusd_t)
-+ systemd_config_all_services(system_dbusd_t)
-+ files_config_all_files(system_dbusd_t)
-+')
-+
-+optional_policy(`
- udev_read_db(system_dbusd_t)
- ')
+ type system_cronjob_t alias system_crond_t;
+ init_daemon_domain(system_cronjob_t, anacron_exec_t)
+ corecmd_shell_entry_type(system_cronjob_t)
+-domain_entry_file(system_cronjob_t, system_cron_spool_t)
++role system_r types system_cronjob_t;
++domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t)
-+optional_policy(`
-+ # /var/lib/gdm/.local/share/icc/edid-0a027915105823af34f99b1704e80336.icc
-+ xserver_read_inherited_xdm_lib_files(system_dbusd_t)
-+')
-+
-+########################################
-+#
-+# system_bus_type rules
-+#
-+role system_r types system_bus_type;
-+
-+fs_search_all(system_bus_type)
-+
-+dbus_system_bus_client(system_bus_type)
-+dbus_connect_system_bus(system_bus_type)
-+
-+init_status(system_bus_type)
-+init_stream_connect(system_bus_type)
-+init_dgram_send(system_bus_type)
-+init_use_fds(system_bus_type)
-+init_rw_stream_sockets(system_bus_type)
-+
-+ps_process_pattern(system_dbusd_t, system_bus_type)
-+
-+userdom_dontaudit_search_admin_dir(system_bus_type)
-+userdom_read_all_users_state(system_bus_type)
-+
-+optional_policy(`
-+ abrt_stream_connect(system_bus_type)
-+')
-+
-+optional_policy(`
-+ rpm_script_dbus_chat(system_bus_type)
-+')
-+
-+optional_policy(`
-+ unconfined_dbus_send(system_bus_type)
-+')
-+
-+ifdef(`hide_broken_symptoms',`
-+ dontaudit system_bus_type system_dbusd_t:netlink_selinux_socket { read write };
-+')
-+
-+########################################
-+#
-+# session_bus_type rules
-+#
-+allow session_bus_type self:capability2 block_suspend;
-+dontaudit session_bus_type self:capability sys_resource;
-+allow session_bus_type self:process { getattr sigkill signal };
-+dontaudit session_bus_type self:process setrlimit;
-+allow session_bus_type self:file { getattr read write };
-+allow session_bus_type self:fifo_file rw_fifo_file_perms;
-+allow session_bus_type self:dbus { send_msg acquire_svc };
-+allow session_bus_type self:unix_stream_socket create_stream_socket_perms;
-+allow session_bus_type self:unix_dgram_socket create_socket_perms;
-+allow session_bus_type self:tcp_socket create_stream_socket_perms;
-+allow session_bus_type self:netlink_selinux_socket create_socket_perms;
-+
-+allow session_bus_type dbusd_etc_t:dir list_dir_perms;
-+read_files_pattern(session_bus_type, dbusd_etc_t, dbusd_etc_t)
-+read_lnk_files_pattern(session_bus_type, dbusd_etc_t, dbusd_etc_t)
-+
-+manage_dirs_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t)
-+manage_files_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t)
-+files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { file dir })
-+
-+kernel_read_kernel_sysctls(session_bus_type)
-+
-+corecmd_list_bin(session_bus_type)
-+corecmd_read_bin_symlinks(session_bus_type)
-+corecmd_read_bin_files(session_bus_type)
-+corecmd_read_bin_pipes(session_bus_type)
-+corecmd_read_bin_sockets(session_bus_type)
-+
-+corenet_tcp_sendrecv_generic_if(session_bus_type)
-+corenet_tcp_sendrecv_generic_node(session_bus_type)
-+corenet_tcp_sendrecv_all_ports(session_bus_type)
-+corenet_tcp_bind_generic_node(session_bus_type)
-+corenet_tcp_bind_reserved_port(session_bus_type)
-+
-+dev_read_urand(session_bus_type)
-+
-+domain_use_interactive_fds(session_bus_type)
-+domain_read_all_domains_state(session_bus_type)
-+
-+files_list_home(session_bus_type)
-+files_read_usr_files(session_bus_type)
-+files_dontaudit_search_var(session_bus_type)
-+
-+fs_getattr_romfs(session_bus_type)
-+fs_getattr_xattr_fs(session_bus_type)
-+fs_list_inotifyfs(session_bus_type)
-+fs_dontaudit_list_nfs(session_bus_type)
-+
-+selinux_validate_context(session_bus_type)
-+selinux_compute_access_vector(session_bus_type)
-+selinux_compute_create_context(session_bus_type)
-+selinux_compute_relabel_context(session_bus_type)
-+selinux_compute_user_contexts(session_bus_type)
-+
-+auth_read_pam_console_data(session_bus_type)
-+
-+logging_send_audit_msgs(session_bus_type)
-+
-+seutil_read_config(session_bus_type)
-+seutil_read_default_contexts(session_bus_type)
-+
-+term_use_all_inherited_terms(session_bus_type)
-+
-+userdom_dontaudit_search_admin_dir(session_bus_type)
-+userdom_manage_user_home_content_dirs(session_bus_type)
-+userdom_manage_user_home_content_files(session_bus_type)
-+userdom_user_home_dir_filetrans_user_home_content(session_bus_type, { dir file })
-+userdom_manage_tmpfs_files(session_bus_type, file)
-+userdom_tmpfs_filetrans(session_bus_type, file)
-+
-+optional_policy(`
-+ gnome_read_gconf_home_files(session_bus_type)
-+')
-+
-+optional_policy(`
-+ hal_dbus_chat(session_bus_type)
-+')
-+
-+optional_policy(`
-+ thumb_domtrans(session_bus_type)
-+')
-+
-+optional_policy(`
-+ xserver_search_xdm_lib(session_bus_type)
-+ xserver_use_xdm_fds(session_bus_type)
-+ xserver_rw_xdm_pipes(session_bus_type)
-+ xserver_use_xdm_fds(session_bus_type)
-+ xserver_rw_xdm_pipes(session_bus_type)
-+ xserver_append_xdm_home_files(session_bus_type)
-+')
+ type system_cronjob_lock_t alias system_crond_lock_t;
+ files_lock_file(system_cronjob_lock_t)
+@@ -108,94 +103,38 @@ files_lock_file(system_cronjob_lock_t)
+ type system_cronjob_tmp_t alias system_crond_tmp_t;
+ files_tmp_file(system_cronjob_tmp_t)
+
+-type system_cronjob_var_lib_t;
+-files_type(system_cronjob_var_lib_t)
+-
+-type system_cronjob_var_run_t;
+-files_pid_file(system_cronjob_var_run_t)
++type unconfined_cronjob_t;
++domain_type(unconfined_cronjob_t)
++domain_cron_exemption_target(unconfined_cronjob_t)
+
++# Type of user crontabs once moved to cron spool.
+ type user_cron_spool_t, cron_spool_type;
+ typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t };
+ typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
+-files_type(user_cron_spool_t)
++files_spool_file(user_cron_spool_t)
+ ubac_constrained(user_cron_spool_t)
+ mta_system_content(user_cron_spool_t)
+
+-type user_cron_spool_log_t;
+-logging_log_file(user_cron_spool_log_t)
+-ubac_constrained(user_cron_spool_log_t)
+-mta_system_content(user_cron_spool_log_t)
++type system_cronjob_var_lib_t;
++files_type(system_cronjob_var_lib_t)
++typealias system_cronjob_var_lib_t alias system_crond_var_lib_t;
+
++type system_cronjob_var_run_t;
++files_pid_file(system_cronjob_var_run_t)
+
+ ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh)
+ ')
+
+-##############################
+-#
+-# Common crontab local policy
+-#
+-
+-allow crontab_domain self:capability { fowner setuid setgid chown dac_override };
+-allow crontab_domain self:process { getcap setsched signal_perms };
+-allow crontab_domain self:fifo_file rw_fifo_file_perms;
+-
+-manage_files_pattern(crontab_domain, { cron_spool_t user_cron_spool_t }, user_cron_spool_t)
+-filetrans_pattern(crontab_domain, cron_spool_t, user_cron_spool_t, file)
+-
+-allow crontab_domain cron_spool_t:dir setattr_dir_perms;
+-
+-allow crontab_domain crond_t:process signal;
+-allow crontab_domain crond_var_run_t:file read_file_perms;
+-
+-kernel_read_system_state(crontab_domain)
+-
+-selinux_dontaudit_search_fs(crontab_domain)
+-
+-files_list_spool(crontab_domain)
+-files_read_etc_files(crontab_domain)
+-files_read_usr_files(crontab_domain)
+-files_search_pids(crontab_domain)
+-
+-fs_getattr_xattr_fs(crontab_domain)
+-fs_manage_cgroup_dirs(crontab_domain)
+-fs_rw_cgroup_files(crontab_domain)
+-
+-domain_use_interactive_fds(crontab_domain)
+-
+-fs_dontaudit_rw_anon_inodefs_files(crontab_domain)
+-
+-auth_rw_var_auth(crontab_domain)
+-
+-logging_send_syslog_msg(crontab_domain)
+-logging_send_audit_msgs(crontab_domain)
+-logging_set_loginuid(crontab_domain)
+-
+-init_dontaudit_write_utmp(crontab_domain)
+-init_read_utmp(crontab_domain)
+-init_read_state(crontab_domain)
+-
+-miscfiles_read_localization(crontab_domain)
+-
+-seutil_read_config(crontab_domain)
+-
+-userdom_manage_user_tmp_dirs(crontab_domain)
+-userdom_manage_user_tmp_files(crontab_domain)
+-userdom_use_user_terminals(crontab_domain)
+-userdom_read_user_home_content_files(crontab_domain)
+-userdom_read_user_home_content_symlinks(crontab_domain)
+-
+-tunable_policy(`fcron_crond',`
+- dontaudit crontab_domain crond_t:process signal;
+-')
+-
########################################
#
- # Unconfined access to this module
+-# Admin local policy
++# Admin crontab local policy
#
- allow dbusd_unconfined session_bus_type:dbus all_dbus_perms;
-+allow dbusd_unconfined dbusd_unconfined:dbus all_dbus_perms;
-+allow session_bus_type dbusd_unconfined:dbus send_msg;
-diff --git a/dcc.if b/dcc.if
-index 784753e..bf65e7d 100644
---- a/dcc.if
-+++ b/dcc.if
-@@ -168,6 +168,6 @@ interface(`dcc_stream_connect_dccifd',`
- type dcc_var_t, dccifd_var_run_t, dccifd_t;
- ')
+-allow admin_crontab_t self:capability fsetid;
+-allow admin_crontab_t crond_t:process signal;
++# Allow our crontab domain to unlink a user cron spool file.
++allow admin_crontab_t user_cron_spool_t:file { read_file_perms delete_file_perms };
-- files_search_var($1)
-+ files_search_pids($1)
- stream_connect_pattern($1, dcc_var_t, dccifd_var_run_t, dccifd_t)
++# Manipulate other users crontab.
+ selinux_get_fs_mount(admin_crontab_t)
+ selinux_validate_context(admin_crontab_t)
+ selinux_compute_access_vector(admin_crontab_t)
+@@ -204,12 +143,14 @@ selinux_compute_relabel_context(admin_crontab_t)
+ selinux_compute_user_contexts(admin_crontab_t)
+
+ tunable_policy(`fcron_crond',`
++ # fcron wants an instant update of a crontab change for the administrator
++ # also crontab does a security check for crontab -u
+ allow admin_crontab_t self:process setfscreate;
')
-diff --git a/dcc.te b/dcc.te
-index 5178337..46bbbed 100644
---- a/dcc.te
-+++ b/dcc.te
-@@ -36,7 +36,7 @@ type dcc_var_t;
- files_type(dcc_var_t)
- type dcc_var_run_t;
--files_type(dcc_var_run_t)
-+files_pid_file(dcc_var_run_t)
+ ########################################
+ #
+-# Daemon local policy
++# Cron daemon local policy
+ #
- type dccd_t;
- type dccd_exec_t;
-@@ -95,22 +95,18 @@ allow cdcc_t dcc_var_t:dir list_dir_perms;
- read_files_pattern(cdcc_t, dcc_var_t, dcc_var_t)
- read_lnk_files_pattern(cdcc_t, dcc_var_t, dcc_var_t)
+ allow crond_t self:capability { dac_override chown fowner setgid setuid sys_nice dac_read_search };
+@@ -218,8 +159,10 @@ allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem exec
+ allow crond_t self:process { setexec setfscreate };
+ allow crond_t self:fd use;
+ allow crond_t self:fifo_file rw_fifo_file_perms;
++allow crond_t self:unix_dgram_socket create_socket_perms;
++allow crond_t self:unix_stream_socket create_stream_socket_perms;
+ allow crond_t self:unix_dgram_socket sendto;
+-allow crond_t self:unix_stream_socket { accept connectto listen };
++allow crond_t self:unix_stream_socket connectto;
+ allow crond_t self:shm create_shm_perms;
+ allow crond_t self:sem create_sem_perms;
+ allow crond_t self:msgq create_msgq_perms;
+@@ -227,7 +170,7 @@ allow crond_t self:msg { send receive };
+ allow crond_t self:key { search write link };
+ dontaudit crond_t self:netlink_audit_socket nlmsg_tty_audit;
--corenet_all_recvfrom_unlabeled(cdcc_t)
- corenet_all_recvfrom_netlabel(cdcc_t)
- corenet_udp_sendrecv_generic_if(cdcc_t)
- corenet_udp_sendrecv_generic_node(cdcc_t)
- corenet_udp_sendrecv_all_ports(cdcc_t)
+-allow crond_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms };
++manage_files_pattern(crond_t, cron_log_t, cron_log_t)
+ logging_log_filetrans(crond_t, cron_log_t, file)
--files_read_etc_files(cdcc_t)
- files_read_etc_runtime_files(cdcc_t)
+ manage_files_pattern(crond_t, crond_var_run_t, crond_var_run_t)
+@@ -237,71 +180,68 @@ manage_files_pattern(crond_t, cron_spool_t, cron_spool_t)
+
+ manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t)
+ manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t)
+-files_tmp_filetrans(crond_t, crond_tmp_t, { dir file })
++files_tmp_filetrans(crond_t, crond_tmp_t, { file dir })
+
+ list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
+ read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
+
+-rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+-manage_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+-manage_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+-
+-manage_files_pattern(crond_t, user_cron_spool_log_t, user_cron_spool_log_t)
++kernel_read_kernel_sysctls(crond_t)
++kernel_read_fs_sysctls(crond_t)
++kernel_search_key(crond_t)
+
+-allow crond_t system_cronjob_t:process transition;
+-allow crond_t system_cronjob_t:fd use;
+-allow crond_t system_cronjob_t:key manage_key_perms;
++dev_read_sysfs(crond_t)
++selinux_get_fs_mount(crond_t)
++selinux_validate_context(crond_t)
++selinux_compute_access_vector(crond_t)
++selinux_compute_create_context(crond_t)
++selinux_compute_relabel_context(crond_t)
++selinux_compute_user_contexts(crond_t)
+
+-dontaudit crond_t { cronjob_t system_cronjob_t }:process { noatsecure siginh rlimitinh };
++dev_read_urand(crond_t)
+
+-domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t)
++fs_getattr_all_fs(crond_t)
++fs_search_auto_mountpoints(crond_t)
++fs_list_inotifyfs(crond_t)
+
+-kernel_read_kernel_sysctls(crond_t)
+-kernel_read_fs_sysctls(crond_t)
+-kernel_search_key(crond_t)
++# need auth_chkpwd to check for locked accounts.
++auth_domtrans_chk_passwd(crond_t)
++auth_manage_var_auth(crond_t)
- auth_use_nsswitch(cdcc_t)
+ corecmd_exec_shell(crond_t)
+-corecmd_exec_bin(crond_t)
+ corecmd_list_bin(crond_t)
+-
+-dev_read_sysfs(crond_t)
+-dev_read_urand(crond_t)
++corecmd_exec_bin(crond_t)
++corecmd_read_bin_symlinks(crond_t)
- logging_send_syslog_msg(cdcc_t)
+ domain_use_interactive_fds(crond_t)
+ domain_subj_id_change_exemption(crond_t)
+ domain_role_change_exemption(crond_t)
--miscfiles_read_localization(cdcc_t)
+-fs_getattr_all_fs(crond_t)
+-fs_list_inotifyfs(crond_t)
+-fs_manage_cgroup_dirs(crond_t)
+-fs_rw_cgroup_files(crond_t)
+-fs_search_auto_mountpoints(crond_t)
-
--userdom_use_user_terminals(cdcc_t)
-+userdom_use_inherited_user_terminals(cdcc_t)
+ files_read_usr_files(crond_t)
+ files_read_etc_runtime_files(crond_t)
+ files_read_generic_spool(crond_t)
+ files_list_usr(crond_t)
++# Read from /var/spool/cron.
+ files_search_var_lib(crond_t)
+ files_search_default(crond_t)
- ########################################
- #
-@@ -134,14 +130,12 @@ read_lnk_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
+-mls_fd_share_all_levels(crond_t)
++fs_manage_cgroup_dirs(crond_t)
++fs_manage_cgroup_files(crond_t)
++
++# needed by "crontab -e"
+ mls_file_read_all_levels(crond_t)
+ mls_file_write_all_levels(crond_t)
++
++# needed because of kernel check of transition
+ mls_process_set_level(crond_t)
+-mls_trusted_object(crond_t)
+
+-selinux_get_fs_mount(crond_t)
+-selinux_validate_context(crond_t)
+-selinux_compute_access_vector(crond_t)
+-selinux_compute_create_context(crond_t)
+-selinux_compute_relabel_context(crond_t)
+-selinux_compute_user_contexts(crond_t)
++# to make cronjob working
++mls_fd_share_all_levels(crond_t)
++mls_trusted_object(crond_t)
- kernel_read_system_state(dcc_client_t)
+ init_read_state(crond_t)
+ init_rw_utmp(crond_t)
+ init_spec_domtrans_script(crond_t)
--corenet_all_recvfrom_unlabeled(dcc_client_t)
- corenet_all_recvfrom_netlabel(dcc_client_t)
- corenet_udp_sendrecv_generic_if(dcc_client_t)
- corenet_udp_sendrecv_generic_node(dcc_client_t)
- corenet_udp_sendrecv_all_ports(dcc_client_t)
- corenet_udp_bind_generic_node(dcc_client_t)
+-auth_domtrans_chk_passwd(crond_t)
+ auth_manage_var_auth(crond_t)
+ auth_use_nsswitch(crond_t)
--files_read_etc_files(dcc_client_t)
- files_read_etc_runtime_files(dcc_client_t)
+@@ -311,41 +251,42 @@ logging_set_loginuid(crond_t)
- fs_getattr_all_fs(dcc_client_t)
-@@ -150,9 +144,7 @@ auth_use_nsswitch(dcc_client_t)
+ seutil_read_config(crond_t)
+ seutil_read_default_contexts(crond_t)
++seutil_sigchld_newrole(crond_t)
- logging_send_syslog_msg(dcc_client_t)
+-miscfiles_read_localization(crond_t)
--miscfiles_read_localization(dcc_client_t)
--
--userdom_use_user_terminals(dcc_client_t)
-+userdom_use_inherited_user_terminals(dcc_client_t)
++userdom_use_unpriv_users_fds(crond_t)
++# Not sure why this is needed
+ userdom_list_user_home_dirs(crond_t)
++userdom_list_admin_dir(crond_t)
++userdom_manage_all_users_keys(crond_t)
- optional_policy(`
- amavis_read_spool_files(dcc_client_t)
-@@ -182,22 +174,18 @@ manage_lnk_files_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t)
+-tunable_policy(`cron_userdomain_transition',`
+- dontaudit crond_t cronjob_t:process transition;
+- dontaudit crond_t cronjob_t:fd use;
+- dontaudit crond_t cronjob_t:key manage_key_perms;
+-',`
+- allow crond_t cronjob_t:process transition;
+- allow crond_t cronjob_t:fd use;
+- allow crond_t cronjob_t:key manage_key_perms;
+-')
++mta_send_mail(crond_t)
++mta_system_content(cron_spool_t)
- kernel_read_system_state(dcc_dbclean_t)
+ ifdef(`distro_debian',`
++ # pam_limits is used
+ allow crond_t self:process setrlimit;
--corenet_all_recvfrom_unlabeled(dcc_dbclean_t)
- corenet_all_recvfrom_netlabel(dcc_dbclean_t)
- corenet_udp_sendrecv_generic_if(dcc_dbclean_t)
- corenet_udp_sendrecv_generic_node(dcc_dbclean_t)
- corenet_udp_sendrecv_all_ports(dcc_dbclean_t)
+- optional_policy(`
+- logwatch_search_cache_dir(crond_t)
+- ')
++')
++
++optional_policy(`
++ logwatch_search_cache_dir(crond_t)
+ ')
--files_read_etc_files(dcc_dbclean_t)
- files_read_etc_runtime_files(dcc_dbclean_t)
+ ifdef(`distro_redhat',`
++ # Run the rpm program in the rpm_t domain. Allow creation of RPM log files
++ # via redirection of standard out.
+ optional_policy(`
+ rpm_manage_log(crond_t)
+ ')
+ ')
- auth_use_nsswitch(dcc_dbclean_t)
+-tunable_policy(`allow_polyinstantiation',`
++tunable_policy(`polyinstantiation_enabled',`
+ files_polyinstantiate_all(crond_t)
+ ')
- logging_send_syslog_msg(dcc_dbclean_t)
+-tunable_policy(`fcron_crond',`
+- allow crond_t { system_cron_spool_t user_cron_spool_t }:file manage_file_perms;
++tunable_policy(`fcron_crond', `
++ allow crond_t system_cron_spool_t:file manage_file_perms;
+ ')
--miscfiles_read_localization(dcc_dbclean_t)
+ optional_policy(`
+@@ -353,102 +294,135 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- dbus_system_bus_client(crond_t)
-
--userdom_use_user_terminals(dcc_dbclean_t)
-+userdom_use_inherited_user_terminals(dcc_dbclean_t)
+- optional_policy(`
+- hal_dbus_chat(crond_t)
+- ')
+-
+- optional_policy(`
+- unconfined_dbus_send(crond_t)
+- ')
++ djbdns_search_tinydns_keys(crond_t)
++ djbdns_link_tinydns_keys(crond_t)
+ ')
- ########################################
- #
-@@ -238,7 +226,6 @@ files_pid_filetrans(dccd_t, dccd_var_run_t, { dir file })
- kernel_read_system_state(dccd_t)
- kernel_read_kernel_sysctls(dccd_t)
+ optional_policy(`
+- amanda_search_var_lib(crond_t)
++ locallogin_search_keys(crond_t)
++ locallogin_link_keys(crond_t)
+ ')
--corenet_all_recvfrom_unlabeled(dccd_t)
- corenet_all_recvfrom_netlabel(dccd_t)
- corenet_udp_sendrecv_generic_if(dccd_t)
- corenet_udp_sendrecv_generic_node(dccd_t)
-@@ -251,7 +238,6 @@ dev_read_sysfs(dccd_t)
+ optional_policy(`
+- amavis_search_lib(crond_t)
++ # these should probably be unconfined_crond_t
++ dbus_system_bus_client(crond_t)
++ init_dbus_send_script(crond_t)
++ init_dbus_chat(crond_t)
+ ')
- domain_use_interactive_fds(dccd_t)
+ optional_policy(`
+- djbdns_search_tinydns_keys(crond_t)
+- djbdns_link_tinydns_keys(crond_t)
++ amanda_search_var_lib(crond_t)
+ ')
--files_read_etc_files(dccd_t)
- files_read_etc_runtime_files(dccd_t)
+ optional_policy(`
+- hal_write_log(crond_t)
++ amavis_search_lib(crond_t)
+ ')
- fs_getattr_all_fs(dccd_t)
-@@ -261,8 +247,6 @@ auth_use_nsswitch(dccd_t)
+ optional_policy(`
+- locallogin_search_keys(crond_t)
+- locallogin_link_keys(crond_t)
++ hal_dbus_chat(crond_t)
++ hal_write_log(crond_t)
++ hal_dbus_chat(system_cronjob_t)
+ ')
- logging_send_syslog_msg(dccd_t)
+ optional_policy(`
+- mta_send_mail(crond_t)
++ # cjp: why?
++ munin_search_lib(crond_t)
+ ')
--miscfiles_read_localization(dccd_t)
--
- userdom_dontaudit_use_unpriv_user_fds(dccd_t)
- userdom_dontaudit_search_user_home_dirs(dccd_t)
+ optional_policy(`
+- munin_search_lib(crond_t)
++ rpc_search_nfs_state_data(crond_t)
+ ')
-@@ -306,7 +290,6 @@ files_pid_filetrans(dccifd_t, dccifd_var_run_t, file)
- kernel_read_system_state(dccifd_t)
- kernel_read_kernel_sysctls(dccifd_t)
+ optional_policy(`
+- postgresql_search_db(crond_t)
++ # Commonly used from postinst scripts
++ rpm_read_pipes(crond_t)
+ ')
--corenet_all_recvfrom_unlabeled(dccifd_t)
- corenet_all_recvfrom_netlabel(dccifd_t)
- corenet_udp_sendrecv_generic_if(dccifd_t)
- corenet_udp_sendrecv_generic_node(dccifd_t)
-@@ -316,7 +299,6 @@ dev_read_sysfs(dccifd_t)
+ optional_policy(`
+- rpc_search_nfs_state_data(crond_t)
++ # allow crond to find /usr/lib/postgresql/bin/do.maintenance
++ postgresql_search_db(crond_t)
+ ')
- domain_use_interactive_fds(dccifd_t)
+ optional_policy(`
+- rpm_read_pipes(crond_t)
++ systemd_use_fds_logind(crond_t)
++ systemd_write_inherited_logind_sessions_pipes(crond_t)
+ ')
--files_read_etc_files(dccifd_t)
- files_read_etc_runtime_files(dccifd_t)
+ optional_policy(`
+- seutil_sigchld_newrole(crond_t)
++ udev_read_db(crond_t)
+ ')
- fs_getattr_all_fs(dccifd_t)
-@@ -326,8 +308,6 @@ auth_use_nsswitch(dccifd_t)
+ optional_policy(`
+- udev_read_db(crond_t)
++ vnstatd_search_lib(crond_t)
+ ')
- logging_send_syslog_msg(dccifd_t)
+ ########################################
+ #
+-# System local policy
++# System cron process domain
+ #
--miscfiles_read_localization(dccifd_t)
--
- userdom_dontaudit_use_unpriv_user_fds(dccifd_t)
- userdom_dontaudit_search_user_home_dirs(dccifd_t)
+ allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice };
++
+ allow system_cronjob_t self:process { signal_perms getsched setsched };
+ allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
+ allow system_cronjob_t self:passwd rootok;
-@@ -370,7 +350,6 @@ files_pid_filetrans(dccm_t, dccm_var_run_t, file)
- kernel_read_system_state(dccm_t)
- kernel_read_kernel_sysctls(dccm_t)
+-allow system_cronjob_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms };
++# This is to handle creation of files in /var/log directory.
++# Used currently by rpm script log files
++allow system_cronjob_t cron_log_t:file manage_file_perms;
+ logging_log_filetrans(system_cronjob_t, cron_log_t, file)
--corenet_all_recvfrom_unlabeled(dccm_t)
- corenet_all_recvfrom_netlabel(dccm_t)
- corenet_udp_sendrecv_generic_if(dccm_t)
- corenet_udp_sendrecv_generic_node(dccm_t)
-@@ -380,7 +359,6 @@ dev_read_sysfs(dccm_t)
++# This is to handle /var/lib/misc directory. Used currently
++# by prelink var/lib files for cron
+ allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabel_file_perms };
+ files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file)
- domain_use_interactive_fds(dccm_t)
+ allow system_cronjob_t cron_var_run_t:file manage_file_perms;
+ files_pid_filetrans(system_cronjob_t, cron_var_run_t, file)
--files_read_etc_files(dccm_t)
- files_read_etc_runtime_files(dccm_t)
++allow system_cronjob_t system_cron_spool_t:file read_file_perms;
++
++mls_file_read_to_clearance(system_cronjob_t)
++
++# anacron forces the following
+ manage_files_pattern(system_cronjob_t, system_cron_spool_t, system_cron_spool_t)
+
++# The entrypoint interface is not used as this is not
++# a regular entrypoint. Since crontab files are
++# not directly executed, crond must ensure that
++# the crontab file has a type that is appropriate
++# for the domain of the user cron job. It
++# performs an entrypoint permission check
++# for this purpose.
++allow system_cronjob_t system_cron_spool_t:file entrypoint;
++
++# Permit a transition from the crond_t domain to this domain.
++# The transition is requested explicitly by the modified crond
++# via setexeccon. There is no way to set up an automatic
++# transition, since crontabs are configuration files, not executables.
++allow crond_t system_cronjob_t:process transition;
++dontaudit crond_t system_cronjob_t:process { noatsecure siginh rlimitinh };
++allow crond_t system_cronjob_t:fd use;
++allow system_cronjob_t crond_t:fd use;
++allow system_cronjob_t crond_t:fifo_file rw_file_perms;
++allow system_cronjob_t crond_t:process sigchld;
++allow crond_t system_cronjob_t:key manage_key_perms;
++
++# Write /var/lock/makewhatis.lock.
+ allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
+ files_lock_filetrans(system_cronjob_t, system_cronjob_lock_t, file)
- fs_getattr_all_fs(dccm_t)
-@@ -390,8 +368,6 @@ auth_use_nsswitch(dccm_t)
++# write temporary files
+ manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
+ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
+ filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
+ files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
- logging_send_syslog_msg(dccm_t)
++# var/lib files for system_crond
++files_search_var_lib(system_cronjob_t)
+ manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
--miscfiles_read_localization(dccm_t)
+-allow system_cronjob_t crond_t:fd use;
+-allow system_cronjob_t crond_t:fifo_file rw_fifo_file_perms;
+-allow system_cronjob_t crond_t:process sigchld;
-
- userdom_dontaudit_use_unpriv_user_fds(dccm_t)
- userdom_dontaudit_search_user_home_dirs(dccm_t)
++# Read from /var/spool/cron.
+ allow system_cronjob_t cron_spool_t:dir list_dir_perms;
+ allow system_cronjob_t cron_spool_t:file rw_file_perms;
-diff --git a/ddclient.if b/ddclient.if
-index 0a1a61b..64742c6 100644
---- a/ddclient.if
-+++ b/ddclient.if
-@@ -64,13 +64,17 @@ interface(`ddclient_run',`
- interface(`ddclient_admin',`
- gen_require(`
- type ddclient_t, ddclient_etc_t, ddclient_log_t;
-- type ddclient_var_t, ddclient_var_lib_t;
-- type ddclient_var_run_t, ddclient_initrc_exec_t;
-+ type ddclient_var_t, ddclient_var_lib_t, ddclient_initrc_exec_t;
-+ type ddclient_var_run_t;
- ')
+@@ -457,11 +431,11 @@ kernel_read_network_state(system_cronjob_t)
+ kernel_read_system_state(system_cronjob_t)
+ kernel_read_software_raid_state(system_cronjob_t)
-- allow $1 ddclient_t:process { ptrace signal_perms };
-+ allow $1 ddclient_t:process signal_perms;
- ps_process_pattern($1, ddclient_t)
++# ps does not need to access /boot when run from cron
+ files_dontaudit_search_boot(system_cronjob_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 ddclient_t:process ptrace;
-+ ')
-+
- init_labeled_script_domtrans($1, ddclient_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 ddclient_initrc_exec_t system_r;
-diff --git a/ddclient.te b/ddclient.te
-index 24ba98a..318a5a1 100644
---- a/ddclient.te
-+++ b/ddclient.te
-@@ -18,6 +18,9 @@ init_script_file(ddclient_initrc_exec_t)
- type ddclient_log_t;
- logging_log_file(ddclient_log_t)
+ corecmd_exec_all_executables(system_cronjob_t)
-+type ddclient_tmp_t;
-+files_tmp_file(ddclient_tmp_t)
-+
- type ddclient_var_t;
- files_type(ddclient_var_t)
+-corenet_all_recvfrom_unlabeled(system_cronjob_t)
+ corenet_all_recvfrom_netlabel(system_cronjob_t)
+ corenet_tcp_sendrecv_generic_if(system_cronjob_t)
+ corenet_udp_sendrecv_generic_if(system_cronjob_t)
+@@ -481,6 +455,7 @@ fs_getattr_all_symlinks(system_cronjob_t)
+ fs_getattr_all_pipes(system_cronjob_t)
+ fs_getattr_all_sockets(system_cronjob_t)
-@@ -32,17 +35,23 @@ files_pid_file(ddclient_var_run_t)
- # Declarations
- #
++# quiet other ps operations
+ domain_dontaudit_read_all_domains_state(system_cronjob_t)
-+
- dontaudit ddclient_t self:capability sys_tty_config;
- allow ddclient_t self:process signal_perms;
- allow ddclient_t self:fifo_file rw_fifo_file_perms;
- allow ddclient_t self:tcp_socket create_socket_perms;
- allow ddclient_t self:udp_socket create_socket_perms;
-+allow ddclient_t self:netlink_route_socket r_netlink_socket_perms;
+ files_exec_etc_files(system_cronjob_t)
+@@ -493,13 +468,18 @@ files_getattr_all_pipes(system_cronjob_t)
+ files_getattr_all_sockets(system_cronjob_t)
+ files_read_usr_files(system_cronjob_t)
+ files_read_var_files(system_cronjob_t)
++# for nscd:
+ files_dontaudit_search_pids(system_cronjob_t)
++# Access other spool directories like
++# /var/spool/anacron and /var/spool/slrnpull.
+ files_manage_generic_spool(system_cronjob_t)
+ files_create_boot_flag(system_cronjob_t)
--allow ddclient_t ddclient_etc_t:file read_file_perms;
-+read_files_pattern(ddclient_t, ddclient_etc_t, ddclient_etc_t)
-+setattr_files_pattern(ddclient_t, ddclient_etc_t, ddclient_etc_t)
+-mls_file_read_to_clearance(system_cronjob_t)
+-
+ init_use_script_fds(system_cronjob_t)
++init_read_utmp(system_cronjob_t)
++init_dontaudit_rw_utmp(system_cronjob_t)
++# prelink tells init to restart it self, we either need to allow or dontaudit
++init_telinit(system_cronjob_t)
+ init_domtrans_script(system_cronjob_t)
+
+ auth_use_nsswitch(system_cronjob_t)
+@@ -511,20 +491,23 @@ logging_read_generic_logs(system_cronjob_t)
+ logging_send_audit_msgs(system_cronjob_t)
+ logging_send_syslog_msg(system_cronjob_t)
- allow ddclient_t ddclient_log_t:file manage_file_perms;
- logging_log_filetrans(ddclient_t, ddclient_log_t, file)
+-miscfiles_read_localization(system_cronjob_t)
+-
+ seutil_read_config(system_cronjob_t)
-+manage_files_pattern(ddclient_t, ddclient_tmp_t, ddclient_tmp_t)
-+files_tmp_filetrans(ddclient_t, ddclient_tmp_t, { file })
+ ifdef(`distro_redhat',`
++ # Run the rpm program in the rpm_t domain. Allow creation of RPM log files
++ allow crond_t system_cron_spool_t:file manage_file_perms;
+
- manage_dirs_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
- manage_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
- manage_lnk_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
-@@ -62,11 +71,11 @@ kernel_read_software_raid_state(ddclient_t)
- kernel_getattr_core_if(ddclient_t)
- kernel_getattr_message_if(ddclient_t)
- kernel_read_kernel_sysctls(ddclient_t)
-+kernel_search_network_sysctl(ddclient_t)
-
- corecmd_exec_shell(ddclient_t)
- corecmd_exec_bin(ddclient_t)
-
--corenet_all_recvfrom_unlabeled(ddclient_t)
- corenet_all_recvfrom_netlabel(ddclient_t)
- corenet_tcp_sendrecv_generic_if(ddclient_t)
- corenet_udp_sendrecv_generic_if(ddclient_t)
-@@ -74,6 +83,8 @@ corenet_tcp_sendrecv_generic_node(ddclient_t)
- corenet_udp_sendrecv_generic_node(ddclient_t)
- corenet_tcp_sendrecv_all_ports(ddclient_t)
- corenet_udp_sendrecv_all_ports(ddclient_t)
-+corenet_tcp_bind_generic_node(ddclient_t)
-+corenet_udp_bind_generic_node(ddclient_t)
- corenet_tcp_connect_all_ports(ddclient_t)
- corenet_sendrecv_all_client_packets(ddclient_t)
++ # via redirection of standard out.
+ optional_policy(`
+ rpm_manage_log(system_cronjob_t)
+ ')
+ ')
-@@ -89,9 +100,11 @@ files_read_usr_files(ddclient_t)
- fs_getattr_all_fs(ddclient_t)
- fs_search_auto_mountpoints(ddclient_t)
++selinux_get_fs_mount(system_cronjob_t)
++
+ tunable_policy(`cron_can_relabel',`
+ seutil_domtrans_setfiles(system_cronjob_t)
+ ',`
+- selinux_get_fs_mount(system_cronjob_t)
+ selinux_validate_context(system_cronjob_t)
+ selinux_compute_access_vector(system_cronjob_t)
+ selinux_compute_create_context(system_cronjob_t)
+@@ -534,10 +517,17 @@ tunable_policy(`cron_can_relabel',`
+ ')
-+auth_read_passwd(ddclient_t)
+ optional_policy(`
++ # Needed for certwatch
+ apache_exec_modules(system_cronjob_t)
+ apache_read_config(system_cronjob_t)
+ apache_read_log(system_cronjob_t)
+ apache_read_sys_content(system_cronjob_t)
++ apache_delete_cache_dirs(system_cronjob_t)
++ apache_delete_cache_files(system_cronjob_t)
++')
+
- logging_send_syslog_msg(ddclient_t)
++optional_policy(`
++ bind_read_config(system_cronjob_t)
+ ')
--miscfiles_read_localization(ddclient_t)
-+mta_send_mail(ddclient_t)
+ optional_policy(`
+@@ -546,10 +536,6 @@ optional_policy(`
- sysnet_exec_ifconfig(ddclient_t)
- sysnet_read_config(ddclient_t)
-diff --git a/ddcprobe.te b/ddcprobe.te
-index 5e062bc..c85c30d 100644
---- a/ddcprobe.te
-+++ b/ddcprobe.te
-@@ -40,12 +40,15 @@ term_use_all_ptys(ddcprobe_t)
+ optional_policy(`
+ dbus_system_bus_client(system_cronjob_t)
+-
+- optional_policy(`
+- networkmanager_dbus_chat(system_cronjob_t)
+- ')
+ ')
- libs_read_lib_files(ddcprobe_t)
+ optional_policy(`
+@@ -581,6 +567,7 @@ optional_policy(`
+ optional_policy(`
+ mta_read_config(system_cronjob_t)
+ mta_send_mail(system_cronjob_t)
++ mta_system_content(system_cron_spool_t)
+ ')
--miscfiles_read_localization(ddcprobe_t)
+ optional_policy(`
+@@ -588,15 +575,19 @@ optional_policy(`
+ ')
--modutils_read_module_deps(ddcprobe_t)
--
--userdom_use_user_terminals(ddcprobe_t)
-+userdom_use_inherited_user_terminals(ddcprobe_t)
- userdom_use_all_users_fds(ddcprobe_t)
+ optional_policy(`
+- postfix_read_config(system_cronjob_t)
++ networkmanager_dbus_chat(system_cronjob_t)
+ ')
--#reh why? this does not seem even necessary to function properly
--kudzu_getattr_exec_files(ddcprobe_t)
+ optional_policy(`
++ postfix_read_config(system_cronjob_t)
++')
++
+optional_policy(`
-+ #reh why? this does not seem even necessary to function properly
-+ kudzu_getattr_exec_files(ddcprobe_t)
+ prelink_delete_cache(system_cronjob_t)
+ prelink_manage_lib(system_cronjob_t)
+ prelink_manage_log(system_cronjob_t)
+ prelink_read_cache(system_cronjob_t)
+- prelink_relabelfrom_lib(system_cronjob_t)
++ prelink_relabel_lib(system_cronjob_t)
+ ')
+
+ optional_policy(`
+@@ -606,6 +597,7 @@ optional_policy(`
+
+ optional_policy(`
+ spamassassin_manage_lib_files(system_cronjob_t)
++ spamassassin_manage_home_client(system_cronjob_t)
+ ')
+
+ optional_policy(`
+@@ -613,12 +605,24 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ systemd_dbus_chat_logind(system_cronjob_t)
++ systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
+')
+
+optional_policy(`
-+ modutils_read_module_deps(ddcprobe_t)
++ unconfined_domain(crond_t)
++ unconfined_domain(system_cronjob_t)
+')
-diff --git a/denyhosts.if b/denyhosts.if
-index 567865f..b5e9376 100644
---- a/denyhosts.if
-+++ b/denyhosts.if
-@@ -59,6 +59,7 @@ interface(`denyhosts_initrc_domtrans', `
- ## Role allowed access.
- ## </summary>
- ## </param>
-+## <rolecap/>
++
++optional_policy(`
++ unconfined_shell_domtrans(crond_t)
++ unconfined_dbus_send(crond_t)
+ userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
+ ')
+
+ ########################################
#
- interface(`denyhosts_admin', `
- gen_require(`
-@@ -66,20 +67,24 @@ interface(`denyhosts_admin', `
- type denyhosts_var_log_t, denyhosts_initrc_exec_t;
- ')
+-# Cronjob local policy
++# User cronjobs local policy
+ #
+
+ allow cronjob_t self:process { signal_perms setsched };
+@@ -626,12 +630,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
+ allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
+ allow cronjob_t self:unix_dgram_socket create_socket_perms;
+
++# The entrypoint interface is not used as this is not
++# a regular entrypoint. Since crontab files are
++# not directly executed, crond must ensure that
++# the crontab file has a type that is appropriate
++# for the domain of the user cron job. It
++# performs an entrypoint permission check
++# for this purpose.
++allow cronjob_t user_cron_spool_t:file entrypoint;
++
++# Permit a transition from the crond_t domain to this domain.
++# The transition is requested explicitly by the modified crond
++# via setexeccon. There is no way to set up an automatic
++# transition, since crontabs are configuration files, not executables.
++allow crond_t cronjob_t:process transition;
++dontaudit crond_t cronjob_t:process { noatsecure siginh rlimitinh };
++allow crond_t cronjob_t:fd use;
++allow cronjob_t crond_t:fd use;
++allow cronjob_t crond_t:fifo_file rw_file_perms;
++allow cronjob_t crond_t:process sigchld;
++
+ kernel_read_system_state(cronjob_t)
+ kernel_read_kernel_sysctls(cronjob_t)
+
++# ps does not need to access /boot when run from cron
+ files_dontaudit_search_boot(cronjob_t)
-- allow $1 denyhosts_t:process { ptrace signal_perms };
-+ allow $1 denyhosts_t:process signal_perms;
- ps_process_pattern($1, denyhosts_t)
+-corenet_all_recvfrom_unlabeled(cronjob_t)
+ corenet_all_recvfrom_netlabel(cronjob_t)
+ corenet_tcp_sendrecv_generic_if(cronjob_t)
+ corenet_udp_sendrecv_generic_if(cronjob_t)
+@@ -639,84 +663,152 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
+ corenet_udp_sendrecv_generic_node(cronjob_t)
+ corenet_tcp_sendrecv_all_ports(cronjob_t)
+ corenet_udp_sendrecv_all_ports(cronjob_t)
+-
+-corenet_sendrecv_all_client_packets(cronjob_t)
+ corenet_tcp_connect_all_ports(cronjob_t)
+-
+-corecmd_exec_all_executables(cronjob_t)
++corenet_sendrecv_all_client_packets(cronjob_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 denyhosts_t:process ptrace;
-+ ')
+ dev_read_urand(cronjob_t)
+
+ fs_getattr_all_fs(cronjob_t)
+
++corecmd_exec_all_executables(cronjob_t)
+
- denyhosts_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 denyhosts_initrc_exec_t system_r;
- allow $2 system_r;
++# quiet other ps operations
+ domain_dontaudit_read_all_domains_state(cronjob_t)
+ domain_dontaudit_getattr_all_domains(cronjob_t)
-- files_search_var_lib($1)
-+ files_list_var_lib($1)
- admin_pattern($1, denyhosts_var_lib_t)
+-files_exec_etc_files(cronjob_t)
+-files_read_etc_runtime_files(cronjob_t)
+-files_read_var_files(cronjob_t)
+ files_read_usr_files(cronjob_t)
+-files_search_spool(cronjob_t)
++files_exec_etc_files(cronjob_t)
++# for nscd:
+ files_dontaudit_search_pids(cronjob_t)
-- logging_search_logs($1)
-+ logging_list_logs($1)
- admin_pattern($1, denyhosts_var_log_t)
+ libs_exec_lib_files(cronjob_t)
+ libs_exec_ld_so(cronjob_t)
-- files_search_locks($1)
-+ files_list_locks($1)
- admin_pattern($1, denyhosts_var_lock_t)
- ')
-diff --git a/denyhosts.te b/denyhosts.te
-index 8ba9425..2030529 100644
---- a/denyhosts.te
-+++ b/denyhosts.te
-@@ -25,6 +25,9 @@ logging_log_file(denyhosts_var_log_t)
- #
- # DenyHosts personal policy.
- #
-+# Bug #588563
-+allow denyhosts_t self:capability sys_tty_config;
-+allow denyhosts_t self:fifo_file rw_fifo_file_perms;
++files_read_etc_runtime_files(cronjob_t)
++files_read_var_files(cronjob_t)
++files_search_spool(cronjob_t)
++
+ logging_search_logs(cronjob_t)
- allow denyhosts_t self:netlink_route_socket create_netlink_socket_perms;
- allow denyhosts_t self:tcp_socket create_socket_perms;
-@@ -43,26 +46,30 @@ read_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t)
- setattr_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t)
- logging_log_filetrans(denyhosts_t, denyhosts_var_log_t, file)
+ seutil_read_config(cronjob_t)
-+kernel_read_network_state(denyhosts_t)
- kernel_read_system_state(denyhosts_t)
-+kernel_read_network_state(denyhosts_t)
+-miscfiles_read_localization(cronjob_t)
-+corecmd_exec_shell(denyhosts_t)
- corecmd_exec_bin(denyhosts_t)
+ userdom_manage_user_tmp_files(cronjob_t)
+ userdom_manage_user_tmp_symlinks(cronjob_t)
+ userdom_manage_user_tmp_pipes(cronjob_t)
+ userdom_manage_user_tmp_sockets(cronjob_t)
++# Run scripts in user home directory and access shared libs.
+ userdom_exec_user_home_content_files(cronjob_t)
++# Access user files and dirs.
+ userdom_manage_user_home_content_files(cronjob_t)
+ userdom_manage_user_home_content_symlinks(cronjob_t)
+ userdom_manage_user_home_content_pipes(cronjob_t)
+ userdom_manage_user_home_content_sockets(cronjob_t)
++#userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
+
+-tunable_policy(`cron_userdomain_transition',`
+- dontaudit cronjob_t crond_t:fd use;
+- dontaudit cronjob_t crond_t:fifo_file rw_fifo_file_perms;
+- dontaudit cronjob_t crond_t:process sigchld;
+-
+- dontaudit cronjob_t user_cron_spool_t:file entrypoint;
+-',`
+- allow cronjob_t crond_t:fd use;
+- allow cronjob_t crond_t:fifo_file rw_fifo_file_perms;
+- allow cronjob_t crond_t:process sigchld;
++list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
++rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
++read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
++read_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
++allow crond_t user_cron_spool_t:file manage_lnk_file_perms;
--corenet_all_recvfrom_unlabeled(denyhosts_t)
- corenet_all_recvfrom_netlabel(denyhosts_t)
- corenet_tcp_sendrecv_generic_if(denyhosts_t)
- corenet_tcp_sendrecv_generic_node(denyhosts_t)
- corenet_tcp_bind_generic_node(denyhosts_t)
- corenet_tcp_connect_smtp_port(denyhosts_t)
-+corenet_tcp_connect_sype_port(denyhosts_t)
- corenet_sendrecv_smtp_client_packets(denyhosts_t)
+- allow cronjob_t user_cron_spool_t:file entrypoint;
++tunable_policy(`fcron_crond',`
++ allow crond_t user_cron_spool_t:file manage_file_perms;
+ ')
- dev_read_urand(denyhosts_t)
++# need a per-role version of this:
++#optional_policy(`
++# mono_domtrans(cronjob_t)
++#')
++
+ optional_policy(`
+ nis_use_ypbind(cronjob_t)
+ ')
+
+ ########################################
+ #
+-# Unconfined local policy
++# Unconfined cronjobs local policy
+ #
+
+ optional_policy(`
+- type unconfined_cronjob_t;
+- domain_type(unconfined_cronjob_t)
+- domain_cron_exemption_target(unconfined_cronjob_t)
+-
++ # Permit a transition from the crond_t domain to this domain.
++ # The transition is requested explicitly by the modified crond
++ # via setexeccon. There is no way to set up an automatic
++ # transition, since crontabs are configuration files, not executables.
++ allow crond_t unconfined_cronjob_t:process transition;
+ dontaudit crond_t unconfined_cronjob_t:process { noatsecure siginh rlimitinh };
++ allow crond_t unconfined_cronjob_t:fd use;
--files_read_etc_files(denyhosts_t)
-+files_read_usr_files(denyhosts_t)
+ unconfined_domain(unconfined_cronjob_t)
++')
+
+- tunable_policy(`cron_userdomain_transition',`
+- dontaudit crond_t unconfined_cronjob_t:process transition;
+- dontaudit crond_t unconfined_cronjob_t:fd use;
+- dontaudit crond_t unconfined_cronjob_t:key manage_key_perms;
+- ',`
+- allow crond_t unconfined_cronjob_t:process transition;
+- allow crond_t unconfined_cronjob_t:fd use;
+- allow crond_t unconfined_cronjob_t:key manage_key_perms;
+- ')
++##############################
++#
++# crontab common policy
++#
++
++# dac_override is to create the file in the directory under /tmp
++allow crontab_domain self:capability { fowner setuid setgid chown dac_override };
++allow crontab_domain self:process { getcap setsched signal_perms };
++allow crontab_domain self:fifo_file rw_fifo_file_perms;
++
++allow crontab_domain crond_t:process signal;
++allow crontab_domain crond_var_run_t:file read_file_perms;
++
++# create files in /var/spool/cron
++manage_files_pattern(crontab_domain, { cron_spool_t user_cron_spool_t }, user_cron_spool_t)
++filetrans_pattern(crontab_domain, cron_spool_t, user_cron_spool_t, file)
++files_list_spool(crontab_domain)
++
++# crontab signals crond by updating the mtime on the spooldir
++allow crontab_domain cron_spool_t:dir setattr_dir_perms;
++
++# for the checks used by crontab -u
++selinux_dontaudit_search_fs(crontab_domain)
++
++fs_getattr_xattr_fs(crontab_domain)
++fs_manage_cgroup_dirs(crontab_domain)
++fs_manage_cgroup_files(crontab_domain)
++
++domain_use_interactive_fds(crontab_domain)
++
++files_read_etc_files(crontab_domain)
++files_read_usr_files(crontab_domain)
++files_dontaudit_search_pids(crontab_domain)
++
++fs_dontaudit_rw_anon_inodefs_files(crontab_domain)
++
++auth_rw_var_auth(crontab_domain)
+
-+auth_use_nsswitch(denyhosts_t)
-
- # /var/log/secure
- logging_read_generic_logs(denyhosts_t)
--
--miscfiles_read_localization(denyhosts_t)
-+logging_send_syslog_msg(denyhosts_t)
-
- sysnet_manage_config(denyhosts_t)
- sysnet_etc_filetrans_config(denyhosts_t)
-@@ -70,3 +77,7 @@ sysnet_etc_filetrans_config(denyhosts_t)
- optional_policy(`
- cron_system_entry(denyhosts_t, denyhosts_exec_t)
- ')
++logging_send_audit_msgs(crontab_domain)
++logging_set_loginuid(crontab_domain)
++
++init_dontaudit_write_utmp(crontab_domain)
++init_read_utmp(crontab_domain)
++init_read_state(crontab_domain)
++
++
++seutil_read_config(crontab_domain)
++
++userdom_manage_user_tmp_dirs(crontab_domain)
++userdom_manage_user_tmp_files(crontab_domain)
++# Access terminals.
++userdom_use_inherited_user_terminals(crontab_domain)
++# Read user crontabs
++userdom_read_user_home_content_files(crontab_domain)
++userdom_read_user_home_content_symlinks(crontab_domain)
++
++tunable_policy(`fcron_crond',`
++ # fcron wants an instant update of a crontab change for the administrator
++ # also crontab does a security check for crontab -u
++ dontaudit crontab_domain crond_t:process signal;
++')
+
+optional_policy(`
-+ gnome_dontaudit_search_config(denyhosts_t)
++ ssh_dontaudit_use_ptys(crontab_domain)
+')
-diff --git a/devicekit.fc b/devicekit.fc
-index 9af85c8..5483806 100644
---- a/devicekit.fc
-+++ b/devicekit.fc
-@@ -1,3 +1,8 @@
-+/lib/udev/udisks-part-id -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
-+/lib/udisks2/udisksd -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
+
-+/usr/lib/udev/udisks-part-id -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
-+/usr/lib/udisks2/udisksd -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
- /usr/lib/udisks/udisks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
-
- /usr/libexec/devkit-daemon -- gen_context(system_u:object_r:devicekit_exec_t,s0)
-@@ -6,15 +11,16 @@
- /usr/libexec/udisks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
- /usr/libexec/upowerd -- gen_context(system_u:object_r:devicekit_power_exec_t,s0)
-
--ifdef(`distro_debian',`
--/usr/lib/upower/upowerd -- gen_context(system_u:object_r:devicekit_power_exec_t,s0)
--')
--
- /var/lib/DeviceKit-.* gen_context(system_u:object_r:devicekit_var_lib_t,s0)
- /var/lib/upower(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0)
--/var/lib/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0)
-+/var/lib/udisks.* gen_context(system_u:object_r:devicekit_var_lib_t,s0)
++optional_policy(`
++ openshift_dontaudit_rw_inherited_fifo_files(crontab_domain)
++ openshift_transition(system_cronjob_t)
+ ')
+diff --git a/ctdb.if b/ctdb.if
+index b25b01d..4f7d237 100644
+--- a/ctdb.if
++++ b/ctdb.if
+@@ -1,9 +1,144 @@
+-## <summary>Clustered Database based on Samba Trivial Database.</summary>
+
-+/var/log/pm-powersave\.log.* -- gen_context(system_u:object_r:devicekit_var_log_t,s0)
-+/var/log/pm-suspend\.log.* -- gen_context(system_u:object_r:devicekit_var_log_t,s0)
-
- /var/run/devkit(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
- /var/run/DeviceKit-disks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
--/var/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
-+/var/run/pm-utils(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
++## <summary>policy for ctdbd</summary>
+
-+/var/run/udisks.* gen_context(system_u:object_r:devicekit_var_run_t,s0)
- /var/run/upower(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
-diff --git a/devicekit.if b/devicekit.if
-index f706b99..3b4f593 100644
---- a/devicekit.if
-+++ b/devicekit.if
-@@ -20,6 +20,24 @@ interface(`devicekit_domtrans',`
-
- ########################################
- ## <summary>
-+## Execute a domain transition to run devicekit_disk.
++########################################
++## <summary>
++## Transition to ctdbd.
+## </summary>
+## <param name="domain">
-+## <summary>
++## <summary>
+## Domain allowed to transition.
-+## </summary>
++## </summary>
+## </param>
+#
-+interface(`devicekit_domtrans_disk',`
++interface(`ctdbd_domtrans',`
+ gen_require(`
-+ type devicekit_disk_t, devicekit_disk_exec_t;
++ type ctdbd_t, ctdbd_exec_t;
+ ')
+
-+ domtrans_pattern($1, devicekit_disk_exec_t, devicekit_disk_t)
++ corecmd_search_bin($1)
++ domtrans_pattern($1, ctdbd_exec_t, ctdbd_t)
+')
+
+########################################
+## <summary>
- ## Send to devicekit over a unix domain
- ## datagram socket.
- ## </summary>
-@@ -81,6 +99,45 @@ interface(`devicekit_dbus_chat_disk',`
-
- ########################################
- ## <summary>
-+## Use file descriptors for devicekit_disk.
++## Execute ctdbd server in the ctdbd domain.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -16838,84 +14662,77 @@ index f706b99..3b4f593 100644
+## </summary>
+## </param>
+#
-+interface(`devicekit_use_fds_disk',`
++interface(`ctdbd_initrc_domtrans',`
+ gen_require(`
-+ type devicekit_disk_t;
++ type ctdbd_initrc_exec_t;
+ ')
+
-+ allow $1 devicekit_disk_t:fd use;
++ init_labeled_script_domtrans($1, ctdbd_initrc_exec_t)
+')
+
+########################################
+## <summary>
-+## Dontaudit Send and receive messages from
-+## devicekit disk over dbus.
++## Read ctdbd's log files.
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain to not audit.
++## Domain allowed access.
+## </summary>
+## </param>
++## <rolecap/>
+#
-+interface(`devicekit_dontaudit_dbus_chat_disk',`
++interface(`ctdbd_read_log',`
+ gen_require(`
-+ type devicekit_disk_t;
-+ class dbus send_msg;
++ type ctdbd_log_t;
+ ')
+
-+ dontaudit $1 devicekit_disk_t:dbus send_msg;
-+ dontaudit devicekit_disk_t $1:dbus send_msg;
++ logging_search_logs($1)
++ read_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
+')
+
+########################################
+## <summary>
- ## Send signal devicekit power
- ## </summary>
- ## <param name="domain">
-@@ -118,6 +175,62 @@ interface(`devicekit_dbus_chat_power',`
- allow devicekit_power_t $1:dbus send_msg;
- ')
-
-+#######################################
-+## <summary>
-+## Append inherited devicekit log files.
++## Append to ctdbd log files.
+## </summary>
+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
++## <summary>
++## Domain allowed to transition.
++## </summary>
+## </param>
+#
-+interface(`devicekit_append_inherited_log_files',`
++interface(`ctdbd_append_log',`
+ gen_require(`
-+ type devicekit_var_log_t;
++ type ctdbd_log_t;
+ ')
+
-+ allow $1 devicekit_var_log_t:file append_inherited_file_perms;
++ logging_search_logs($1)
++ append_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
+')
+
-+#######################################
++########################################
+## <summary>
-+## Do not audit attempts to write the devicekit
-+## log files.
++## Manage ctdbd log files
+## </summary>
+## <param name="domain">
-+## <summary>
-+## Domain to not audit.
-+## </summary>
++## <summary>
++## Domain to not audit.
++## </summary>
+## </param>
+#
-+interface(`devicekit_dontaudit_rw_log',`
++interface(`ctdbd_manage_log',`
+ gen_require(`
-+ type devicekit_var_log_t;
++ type ctdbd_log_t;
+ ')
+
-+ dontaudit $1 devicekit_var_log_t:file rw_file_perms;
++ logging_search_logs($1)
++ manage_dirs_pattern($1, ctdbd_log_t, ctdbd_log_t)
++ manage_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
++ manage_lnk_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
+')
+
+########################################
+## <summary>
-+## Allow the domain to read devicekit_power state files in /proc.
++## Search ctdbd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
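Review bot: The `<param name="domain">` descriptions in the newly added `ctdbd_append_log` and `ctdbd_manage_log` interfaces are copy-paste leftovers that misdescribe the access granted: `ctdbd_append_log` says `Domain allowed to transition.` although it only grants append via `append_files_pattern`, and `ctdbd_manage_log` says `Domain to not audit.` although it grants full manage access through `manage_dirs_pattern`/`manage_files_pattern`/`manage_lnk_files_pattern`, not a dontaudit. Both should read `## Domain allowed access.`, matching the sibling `ctdbd_read_log` interface in the same hunk, so that policy authors and the generated interface documentation reflect what the macro actually allows. For consistency with the other summaries, `## Manage ctdbd log files` should also end with a period. The ctdb.if section this hunk belongs to begins in the previous hunk and continues into the next one, so the remaining ctdbd interfaces were not checked here.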
@@ -16923,850 +14740,878 @@ index f706b99..3b4f593 100644
+## </summary>
+## </param>
+#
-+interface(`devicekit_read_state_power',`
++interface(`ctdbd_search_lib',`
+ gen_require(`
-+ type devicekit_power_t;
++ type ctdbd_var_lib_t;
+ ')
+
-+ kernel_search_proc($1)
-+ ps_process_pattern($1, devicekit_power_t)
++ allow $1 ctdbd_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
+')
+
- ########################################
- ## <summary>
- ## Read devicekit PID files.
-@@ -139,22 +252,93 @@ interface(`devicekit_read_pid_files',`
-
- ########################################
- ## <summary>
--## All of the rules required to administrate
--## an devicekit environment
-+## Do not audit attempts to read
-+## devicekit PID files.
++########################################
++## <summary>
++## Read ctdbd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain to not audit.
++## Domain allowed access.
+## </summary>
+## </param>
+#
-+interface(`devicekit_dontaudit_read_pid_files',`
-+ gen_require(`
-+ type devicekit_var_run_t;
++interface(`ctdbd_read_lib_files',`
++ gen_require(`
++ type ctdbd_var_lib_t;
+ ')
+
-+ dontaudit $1 devicekit_var_run_t:file read_inherited_file_perms;
++ files_search_var_lib($1)
++ read_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)
+')
-+
-+
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete
+-## ctdbd lib files.
++## Manage ctdbd lib files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -17,13 +152,12 @@ interface(`ctdbd_manage_lib_files',`
+ ')
+
+ files_search_var_lib($1)
+- manage_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)
++ manage_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)
+ ')
+
+-#######################################
+########################################
-+## <summary>
-+## Manage devicekit PID files.
+ ## <summary>
+-## Connect to ctdbd with a unix
+-## domain stream socket.
++## Manage ctdbd lib directories.
## </summary>
## <param name="domain">
## <summary>
- ## Domain allowed access.
+@@ -31,19 +165,58 @@ interface(`ctdbd_manage_lib_files',`
## </summary>
## </param>
--## <param name="role">
-+#
-+interface(`devicekit_manage_pid_files',`
+ #
+-interface(`ctdbd_stream_connect',`
++interface(`ctdbd_manage_lib_dirs',`
+ gen_require(`
-+ type devicekit_var_run_t;
++ type ctdbd_var_lib_t;
+ ')
+
-+ files_search_pids($1)
-+ manage_dirs_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
-+ manage_files_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
-+ files_pid_filetrans($1, devicekit_var_run_t, dir, "pm-utils")
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)
+')
+
-+#######################################
++########################################
+## <summary>
-+## Relabel devicekit LOG files.
++## Read ctdbd PID files.
+## </summary>
+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
++## <summary>
++## Domain allowed access.
++## </summary>
+## </param>
+#
-+interface(`devicekit_relabel_log_files',`
-+ gen_require(`
-+ type devicekit_var_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ relabel_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t)
++interface(`ctdbd_read_pid_files',`
+ gen_require(`
+- type ctdbd_t, ctdbd_var_run_t, ctdbd_tmp_t;
++ type ctdbd_var_run_t;
+ ')
+
+ files_search_pids($1)
+- stream_connect_pattern($1, { ctdbd_tmp_t ctdbd_var_run_t }, { ctdbd_tmp_t ctdbd_var_run_t }, ctdbd_t)
++ allow $1 ctdbd_var_run_t:file read_file_perms;
+')
+
-+########################################
++#######################################
+## <summary>
-+## Manage devicekit LOG files.
++## Connect to ctdbd over a unix stream socket.
+## </summary>
+## <param name="domain">
- ## <summary>
--## The role to be allowed to manage the devicekit domain.
-+## Domain allowed access.
- ## </summary>
- ## </param>
--## <param name="terminal">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
+#
-+interface(`devicekit_manage_log_files',`
-+ gen_require(`
-+ type devicekit_var_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ manage_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t)
-+ #logging_log_filetrans($1, devicekit_var_log_t, file, "pm-powersave.log")
-+ #logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
-+')
++interface(`ctdbd_stream_connect',`
++ gen_require(`
++ type ctdbd_t, ctdbd_var_run_t, ctdbd_tmp_t;
++ ')
+
-+########################################
-+## <summary>
++ files_search_pids($1)
++ stream_connect_pattern($1, ctdbd_var_run_t, ctdbd_var_run_t, ctdbd_t)
++ stream_connect_pattern($1, ctdbd_tmp_t, ctdbd_tmp_t, ctdbd_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## All of the rules required to
+-## administrate an ctdb environment.
+## All of the rules required to administrate
-+## an devicekit environment
-+## </summary>
-+## <param name="domain">
++## an ctdbd environment
+ ## </summary>
+ ## <param name="domain">
## <summary>
--## The type of the user terminal.
-+## Domain allowed access.
- ## </summary>
+@@ -57,16 +230,19 @@ interface(`ctdbd_stream_connect',`
## </param>
## <rolecap/>
-@@ -165,21 +349,46 @@ interface(`devicekit_admin',`
- type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t;
+ #
+-interface(`ctdb_admin',`
++interface(`ctdbd_admin',`
+ gen_require(`
+- type ctdbd_t, ctdbd_initrc_exec_t, ctdbd_tmp_t;
++ type ctdbd_t, ctdbd_initrc_exec_t;
+ type ctdbd_log_t, ctdbd_var_lib_t, ctdbd_var_run_t;
')
-- allow $1 devicekit_t:process { ptrace signal_perms getattr };
-+ allow $1 devicekit_t:process signal_perms;
- ps_process_pattern($1, devicekit_t)
+- allow $1 ctdbd_t:process { ptrace signal_perms };
++ allow $1 ctdbd_t:process signal_perms;
+ ps_process_pattern($1, ctdbd_t)
+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 devicekit_t:process ptrace;
-+ allow $1 devicekit_disk_t:process ptrace;
-+ allow $1 devicekit_power_t:process ptrace;
++ allow $1 ctdbd_t:process ptrace;
+ ')
-- allow $1 devicekit_disk_t:process { ptrace signal_perms getattr };
-+ allow $1 devicekit_disk_t:process signal_perms;
- ps_process_pattern($1, devicekit_disk_t)
-
-- allow $1 devicekit_power_t:process { ptrace signal_perms getattr };
-+ allow $1 devicekit_power_t:process signal_perms;
- ps_process_pattern($1, devicekit_power_t)
+- init_labeled_script_domtrans($1, ctdbd_initrc_exec_t)
++ ctdbd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 ctdbd_initrc_exec_t system_r;
+ allow $2 system_r;
+@@ -74,12 +250,10 @@ interface(`ctdb_admin',`
+ logging_search_logs($1)
+ admin_pattern($1, ctdbd_log_t)
- admin_pattern($1, devicekit_tmp_t)
- files_search_tmp($1)
-+ files_list_tmp($1)
-
- admin_pattern($1, devicekit_var_lib_t)
-- files_search_var_lib($1)
-+ files_list_var_lib($1)
+- admin_pattern($1, ctdbd_tmp_t)
+-
+ files_search_var_lib($1)
+ admin_pattern($1, ctdbd_var_lib_t)
- admin_pattern($1, devicekit_var_run_t)
-- files_search_pids($1)
-+ files_list_pids($1)
-+')
-+
-+########################################
-+## <summary>
-+## Transition to devicekit named content
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`devicekit_filetrans_named_content',`
-+ gen_require(`
-+ type devicekit_var_run_t, devicekit_var_log_t;
-+ ')
-+
-+ files_pid_filetrans($1, devicekit_var_run_t, dir, "pm-utils")
-+ logging_log_filetrans($1, devicekit_var_log_t, file, "pm-powersave.log")
-+ logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
+ files_search_pids($1)
+ admin_pattern($1, ctdbd_var_run_t)
')
-diff --git a/devicekit.te b/devicekit.te
-index 1819518..2cd919b 100644
---- a/devicekit.te
-+++ b/devicekit.te
-@@ -7,15 +7,15 @@ policy_module(devicekit, 1.2.0)
-
- type devicekit_t;
- type devicekit_exec_t;
--dbus_system_domain(devicekit_t, devicekit_exec_t)
-+init_daemon_domain(devicekit_t, devicekit_exec_t)
-
- type devicekit_power_t;
- type devicekit_power_exec_t;
--dbus_system_domain(devicekit_power_t, devicekit_power_exec_t)
-+init_daemon_domain(devicekit_power_t, devicekit_power_exec_t)
-
- type devicekit_disk_t;
- type devicekit_disk_exec_t;
--dbus_system_domain(devicekit_disk_t, devicekit_disk_exec_t)
-+init_daemon_domain(devicekit_disk_t, devicekit_disk_exec_t)
++
+diff --git a/ctdb.te b/ctdb.te
+index 6ce66e7..1d0337a 100644
+--- a/ctdb.te
++++ b/ctdb.te
+@@ -85,12 +85,10 @@ dev_read_urand(ctdbd_t)
- type devicekit_tmp_t;
- files_tmp_file(devicekit_tmp_t)
-@@ -26,6 +26,9 @@ files_pid_file(devicekit_var_run_t)
- type devicekit_var_lib_t;
- files_type(devicekit_var_lib_t)
+ domain_dontaudit_read_all_domains_state(ctdbd_t)
-+type devicekit_var_log_t;
-+logging_log_file(devicekit_var_log_t)
-+
- ########################################
- #
- # DeviceKit local policy
-@@ -42,11 +45,10 @@ kernel_read_system_state(devicekit_t)
- dev_read_sysfs(devicekit_t)
- dev_read_urand(devicekit_t)
+-files_read_etc_files(ctdbd_t)
+ files_search_all_mountpoints(ctdbd_t)
--files_read_etc_files(devicekit_t)
+ logging_send_syslog_msg(ctdbd_t)
--miscfiles_read_localization(devicekit_t)
+-miscfiles_read_localization(ctdbd_t)
+ miscfiles_read_public_files(ctdbd_t)
optional_policy(`
-+ dbus_system_domain(devicekit_t, devicekit_exec_t)
- dbus_system_bus_client(devicekit_t)
+@@ -109,6 +107,7 @@ optional_policy(`
+ samba_initrc_domtrans(ctdbd_t)
+ samba_domtrans_net(ctdbd_t)
+ samba_rw_var_files(ctdbd_t)
++ samba_systemctl(ctdbd_t)
+ ')
- allow devicekit_t devicekit_disk_t:dbus send_msg;
-@@ -62,7 +64,8 @@ optional_policy(`
- # DeviceKit disk local policy
- #
+ optional_policy(`
+diff --git a/cups.fc b/cups.fc
+index 949011e..63eb4c7 100644
+--- a/cups.fc
++++ b/cups.fc
+@@ -1,77 +1,86 @@
+-/etc/alchemist/namespace/printconf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+-/etc/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
+-/etc/cups/classes\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+-/etc/cups/cupsd\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+-/etc/cups/lpoptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+-/etc/cups/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/etc/alchemist/namespace/printconf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++
++/etc/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
++/etc/cups/classes\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/etc/cups/cupsd\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/etc/cups/lpoptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/etc/cups/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+ /etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+-/etc/cups/printers\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+-/etc/cups/subscriptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+-/etc/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/etc/cups/printers\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/etc/cups/subscriptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/etc/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+ /etc/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+ /etc/rc\.d/init\.d/cups -- gen_context(system_u:object_r:cupsd_initrc_exec_t,s0)
+
+ /etc/cups/interfaces(/.*)? gen_context(system_u:object_r:cupsd_interface_t,s0)
+
+-/etc/hp(/.*)? gen_context(system_u:object_r:hplip_etc_t,s0)
+-
+-/etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/etc/hp(/.*)? gen_context(system_u:object_r:hplip_etc_t,s0)
+
+-/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
++/etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+-/opt/brother/Printers(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+-/opt/gutenprint/ppds(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/usr/lib/systemd/system/cups.* -- gen_context(system_u:object_r:cupsd_unit_file_t,s0)
--allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_ptrace sys_rawio };
-+allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_rawio };
-+
- allow devicekit_disk_t self:process { getsched signal_perms };
- allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
- allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
-@@ -75,10 +78,14 @@ manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
- manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
- files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir)
+-/usr/bin/cups-config-daemon -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+-/usr/bin/hpijs -- gen_context(system_u:object_r:hplip_exec_t,s0)
++#/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
++/usr/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-+allow devicekit_disk_t devicekit_var_run_t:dir mounton;
- manage_dirs_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
- manage_files_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
- files_pid_filetrans(devicekit_disk_t, devicekit_var_run_t, { file dir })
-+files_filetrans_named_content(devicekit_disk_t)
+-/usr/Brother/fax/.*\.log.* gen_context(system_u:object_r:cupsd_log_t,s0)
+-/usr/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+-/usr/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/opt/gutenprint/ppds(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+-/usr/lib/cups-pk-helper/cups-pk-helper-mechanism -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+-/usr/lib/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
+-/usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0)
+-/usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)
+-/usr/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
++/usr/bin/cups-config-daemon -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
++/usr/bin/hpijs -- gen_context(system_u:object_r:hplip_exec_t,s0)
+
+-/usr/libexec/cups-pk-helper-mechanism -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+-/usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
++/usr/lib/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
++/usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0)
++/usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)
+
+-/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/usr/libexec/cups-pk-helper-mechanism -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
++/usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+
+ /usr/sbin/hp-[^/]+ -- gen_context(system_u:object_r:hplip_exec_t,s0)
+-/usr/sbin/cupsd -- gen_context(system_u:object_r:cupsd_exec_t,s0)
+-/usr/sbin/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+-/usr/sbin/hpiod -- gen_context(system_u:object_r:hplip_exec_t,s0)
+-/usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
++/usr/sbin/cupsd -- gen_context(system_u:object_r:cupsd_exec_t,s0)
++/usr/sbin/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
++/usr/sbin/hpiod -- gen_context(system_u:object_r:hplip_exec_t,s0)
++/usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+ /usr/sbin/ptal-printd -- gen_context(system_u:object_r:ptal_exec_t,s0)
+ /usr/sbin/ptal-mlcd -- gen_context(system_u:object_r:ptal_exec_t,s0)
+ /usr/sbin/ptal-photod -- gen_context(system_u:object_r:ptal_exec_t,s0)
+
+-/usr/share/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
+-/usr/share/foomatic/db/oldprinterids -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+-/usr/share/hplip/.*\.py -- gen_context(system_u:object_r:hplip_exec_t,s0)
++/usr/share/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
++/usr/share/foomatic/db/oldprinterids -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/usr/share/hplip/.*\.py -- gen_context(system_u:object_r:hplip_exec_t,s0)
+
+-/var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+-/var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+-/var/cache/cups(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh)
++/var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/var/cache/cups(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh)
-+kernel_list_unlabeled(devicekit_disk_t)
-+kernel_dontaudit_getattr_unlabeled_files(devicekit_disk_t)
- kernel_getattr_message_if(devicekit_disk_t)
- kernel_read_fs_sysctls(devicekit_disk_t)
- kernel_read_network_state(devicekit_disk_t)
-@@ -97,6 +104,7 @@ dev_getattr_usbfs_dirs(devicekit_disk_t)
- dev_manage_generic_files(devicekit_disk_t)
- dev_getattr_all_chr_files(devicekit_disk_t)
- dev_getattr_mtrr_dev(devicekit_disk_t)
-+dev_rw_generic_blk_files(devicekit_disk_t)
+ /var/lib/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+ /var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/usr/lib/bjlib(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh)
++
++/var/lib/hp(/.*)? gen_context(system_u:object_r:hplip_var_lib_t,s0)
++/var/lib/iscan(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
- domain_getattr_all_pipes(devicekit_disk_t)
- domain_getattr_all_sockets(devicekit_disk_t)
-@@ -105,14 +113,16 @@ domain_read_all_domains_state(devicekit_disk_t)
-
- files_dontaudit_read_all_symlinks(devicekit_disk_t)
- files_getattr_all_sockets(devicekit_disk_t)
--files_getattr_all_mountpoints(devicekit_disk_t)
-+files_getattr_all_dirs(devicekit_disk_t)
- files_getattr_all_files(devicekit_disk_t)
-+files_getattr_all_pipes(devicekit_disk_t)
-+files_manage_boot_dirs(devicekit_disk_t)
- files_manage_isid_type_dirs(devicekit_disk_t)
- files_manage_mnt_dirs(devicekit_disk_t)
--files_read_etc_files(devicekit_disk_t)
- files_read_etc_runtime_files(devicekit_disk_t)
- files_read_usr_files(devicekit_disk_t)
-
-+fs_getattr_all_fs(devicekit_disk_t)
- fs_list_inotifyfs(devicekit_disk_t)
- fs_manage_fusefs_dirs(devicekit_disk_t)
- fs_mount_all_fs(devicekit_disk_t)
-@@ -127,16 +137,18 @@ storage_raw_write_fixed_disk(devicekit_disk_t)
- storage_raw_read_removable_device(devicekit_disk_t)
- storage_raw_write_removable_device(devicekit_disk_t)
+-/var/lib/hp(/.*)? gen_context(system_u:object_r:hplip_var_lib_t,s0)
++/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
++/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0)
--term_use_all_terms(devicekit_disk_t)
-+term_use_all_inherited_terms(devicekit_disk_t)
+-/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
+-/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0)
++/var/log/hp(/.*)? gen_context(system_u:object_r:hplip_var_log_t,s0)
- auth_use_nsswitch(devicekit_disk_t)
+-/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+-/var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+-/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
++/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
++/var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
++/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,mls_systemhigh)
+ /var/run/hp.*\.pid -- gen_context(system_u:object_r:hplip_var_run_t,s0)
+ /var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0)
+ /var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
+ /var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
+-/var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0)
+-/var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
++/var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0)
++/var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
++
++#/usr/Brother/fax/.*\.log.* gen_context(system_u:object_r:cupsd_log_t,s0)
++/usr/local/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/etc/opt/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/usr/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++
++/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++
++/etc/opt/brother/Printers/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/opt/brother/Printers(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+diff --git a/cups.if b/cups.if
+index 06da9a0..1a6b35f 100644
+--- a/cups.if
++++ b/cups.if
+@@ -15,6 +15,11 @@
+ ## Type of the program to be used as an entry point to this domain.
+ ## </summary>
+ ## </param>
++## <param name="entry_file">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
+ #
+ interface(`cups_backend',`
+ gen_require(`
+@@ -200,10 +205,13 @@ interface(`cups_dbus_chat_config',`
+ interface(`cups_read_config',`
+ gen_require(`
+ type cupsd_etc_t, cupsd_rw_etc_t;
++ type hplip_etc_t;
+ ')
--miscfiles_read_localization(devicekit_disk_t)
-+logging_send_syslog_msg(devicekit_disk_t)
+ files_search_etc($1)
+- read_files_pattern($1, cupsd_etc_t, { cupsd_etc_t cupsd_rw_etc_t })
++ read_files_pattern($1, cupsd_etc_t, cupsd_etc_t)
++ read_files_pattern($1, hplip_etc_t, hplip_etc_t)
++ read_files_pattern($1, cupsd_etc_t, cupsd_rw_etc_t)
+ ')
- userdom_read_all_users_state(devicekit_disk_t)
- userdom_search_user_home_dirs(devicekit_disk_t)
-+userdom_manage_user_tmp_dirs(devicekit_disk_t)
+ ########################################
+@@ -306,6 +314,29 @@ interface(`cups_stream_connect_ptal',`
- optional_policy(`
-+ dbus_system_domain(devicekit_disk_t, devicekit_disk_exec_t)
- dbus_system_bus_client(devicekit_disk_t)
+ ########################################
+ ## <summary>
++## Execute cupsd server in the cupsd domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`cupsd_systemctl',`
++ gen_require(`
++ type cupsd_t;
++ type cupsd_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 cupsd_unit_file_t:file read_file_perms;
++ allow $1 cupsd_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, cupsd_t)
++')
++
++########################################
++## <summary>
+ ## All of the rules required to
+ ## administrate an cups environment.
+ ## </summary>
+@@ -330,13 +361,18 @@ interface(`cups_admin',`
+ type ptal_var_run_t, hplip_var_run_t, cupsd_initrc_exec_t;
+ type cupsd_config_t, cupsd_lpd_t, cups_pdf_t;
+ type hplip_t, ptal_t;
++ type cupsd_unit_file_t;
+ ')
- allow devicekit_disk_t devicekit_t:dbus send_msg;
-@@ -156,6 +168,7 @@ optional_policy(`
+- allow $1 { cupsd_t cupsd_config_t cupsd_lpd_t }:process { ptrace signal_perms };
+- allow $1 { cups_pdf_t hplip_t ptal_t }:process { ptrace signal_perms };
++ allow $1 { cupsd_t cupsd_config_t cupsd_lpd_t }:process { signal_perms };
++ allow $1 { cups_pdf_t hplip_t ptal_t }:process { signal_perms };
+ ps_process_pattern($1, { cupsd_t cupsd_config_t cupsd_lpd_t })
+ ps_process_pattern($1, { cups_pdf_t hplip_t ptal_t })
- optional_policy(`
- mount_domtrans(devicekit_disk_t)
-+ mount_read_pid_files(devicekit_disk_t)
- ')
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 { cupsd_t cupsd_config_t cupsd_lpd_t }:process ptrace;
++ ')
++
+ init_labeled_script_domtrans($1, cupsd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 cupsd_initrc_exec_t system_r;
+@@ -353,8 +389,42 @@ interface(`cups_admin',`
- optional_policy(`
-@@ -170,6 +183,10 @@ optional_policy(`
+ files_list_tmp($1)
+ admin_pattern($1, { cupsd_tmp_t cupsd_lpd_tmp_t })
+-
+- files_list_pids($1)
+ admin_pattern($1, { cupsd_config_var_run_t cupsd_var_run_t hplip_var_run_t })
+ admin_pattern($1, { ptal_var_run_t cupsd_lpd_var_run_t })
++
++ cupsd_systemctl($1)
++ admin_pattern($1, cupsd_unit_file_t)
++ allow $1 cupsd_unit_file_t:service all_service_perms;
++')
++
++########################################
++## <summary>
++## Transition to cups named content
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`cups_filetrans_named_content',`
++ gen_require(`
++ type cupsd_rw_etc_t;
++ type cupsd_etc_t;
++ ')
++
++ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "classes.conf")
++ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "printers.conf")
++ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "printers.conf.O")
++ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "cupsd.conf")
++ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "cupsd.conf.default")
++ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "lpoptions")
++ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "subscriptions.conf")
++ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "subscriptions.conf.O")
++ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "subscriptions.conf.N")
++ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "ppds.dat")
++ files_etc_filetrans($1, cupsd_rw_etc_t, file, "ppds.dat")
++ files_etc_filetrans($1, cupsd_rw_etc_t, dir, "inf")
++ files_usr_filetrans($1, cupsd_rw_etc_t, dir, "inf")
++ corecmd_bin_filetrans($1, cupsd_rw_etc_t, dir, "inf")
')
+diff --git a/cups.te b/cups.te
+index 9f34c2e..2e06558 100644
+--- a/cups.te
++++ b/cups.te
+@@ -62,6 +62,9 @@ files_pid_file(cupsd_var_run_t)
+ init_daemon_run_dir(cupsd_var_run_t, "cups")
+ mls_trusted_object(cupsd_var_run_t)
- optional_policy(`
-+ systemd_read_logind_sessions_files(devicekit_disk_t)
-+')
++type cupsd_unit_file_t;
++systemd_unit_file(cupsd_unit_file_t)
+
-+optional_policy(`
- udev_domtrans(devicekit_disk_t)
- udev_read_db(devicekit_disk_t)
- ')
-@@ -178,55 +195,84 @@ optional_policy(`
- virt_manage_images(devicekit_disk_t)
- ')
+ type hplip_t;
+ type hplip_exec_t;
+ init_daemon_domain(hplip_t, hplip_exec_t)
+@@ -76,6 +79,9 @@ files_tmp_file(hplip_tmp_t)
+ type hplip_var_lib_t;
+ files_type(hplip_var_lib_t)
-+optional_policy(`
-+ unconfined_domain(devicekit_t)
-+ unconfined_domain(devicekit_power_t)
-+ unconfined_domain(devicekit_disk_t)
-+')
++type hplip_var_log_t;
++logging_log_file(hplip_var_log_t)
+
- ########################################
- #
- # DeviceKit-Power local policy
- #
+ type hplip_var_run_t;
+ files_pid_file(hplip_var_run_t)
--allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace };
--allow devicekit_power_t self:process getsched;
-+allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice };
-+allow devicekit_power_t self:capability2 compromise_kernel;
-+allow devicekit_power_t self:process { getsched signal_perms };
- allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
- allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
- allow devicekit_power_t self:netlink_kobject_uevent_socket create_socket_perms;
+@@ -120,6 +126,7 @@ read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
+ read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
-+manage_files_pattern(devicekit_power_t, devicekit_var_log_t, devicekit_var_log_t)
-+logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file)
-+
-+manage_dirs_pattern(devicekit_power_t, devicekit_tmp_t, devicekit_tmp_t)
-+manage_files_pattern(devicekit_power_t, devicekit_tmp_t, devicekit_tmp_t)
-+files_tmp_filetrans(devicekit_power_t, devicekit_tmp_t, { file dir })
-+
- manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
- manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
- files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir)
+ manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t)
++can_exec(cupsd_t, cupsd_interface_t)
-+manage_files_pattern(devicekit_power_t, devicekit_var_log_t, devicekit_var_log_t)
-+logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file)
-+
-+manage_files_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t)
-+manage_dirs_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t)
-+files_pid_filetrans(devicekit_power_t, devicekit_var_run_t, dir)
-+
-+kernel_read_fs_sysctls(devicekit_power_t)
- kernel_read_network_state(devicekit_power_t)
- kernel_read_system_state(devicekit_power_t)
- kernel_rw_hotplug_sysctls(devicekit_power_t)
- kernel_rw_kernel_sysctl(devicekit_power_t)
-+kernel_rw_vm_sysctls(devicekit_power_t)
- kernel_search_debugfs(devicekit_power_t)
- kernel_write_proc_files(devicekit_power_t)
-+kernel_setsched(devicekit_power_t)
-
- corecmd_exec_bin(devicekit_power_t)
- corecmd_exec_shell(devicekit_power_t)
-
--consoletype_exec(devicekit_power_t)
--
- domain_read_all_domains_state(devicekit_power_t)
-
- dev_read_input(devicekit_power_t)
-+dev_read_urand(devicekit_power_t)
- dev_rw_generic_usb_dev(devicekit_power_t)
- dev_rw_generic_chr_files(devicekit_power_t)
- dev_rw_netcontrol(devicekit_power_t)
- dev_rw_sysfs(devicekit_power_t)
-+dev_read_rand(devicekit_power_t)
-+dev_getattr_all_chr_files(devicekit_power_t)
-
- files_read_kernel_img(devicekit_power_t)
--files_read_etc_files(devicekit_power_t)
-+files_read_etc_runtime_files(devicekit_power_t)
- files_read_usr_files(devicekit_power_t)
-+files_dontaudit_list_mnt(devicekit_power_t)
+ manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
+ manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
+@@ -144,6 +151,7 @@ manage_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
+ manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
+ files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { dir fifo_file file })
- fs_list_inotifyfs(devicekit_power_t)
-+fs_getattr_all_fs(devicekit_power_t)
++allow cupsd_t cupsd_var_run_t:dir setattr_dir_perms;
+ manage_dirs_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
+ manage_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
+ manage_sock_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
+@@ -166,7 +174,6 @@ kernel_read_network_state(cupsd_t)
+ kernel_read_all_sysctls(cupsd_t)
+ kernel_request_load_module(cupsd_t)
--term_use_all_terms(devicekit_power_t)
-+term_use_all_inherited_terms(devicekit_power_t)
+-corenet_all_recvfrom_unlabeled(cupsd_t)
+ corenet_all_recvfrom_netlabel(cupsd_t)
+ corenet_tcp_sendrecv_generic_if(cupsd_t)
+ corenet_udp_sendrecv_generic_if(cupsd_t)
+@@ -206,7 +213,6 @@ domain_use_interactive_fds(cupsd_t)
+ files_getattr_boot_dirs(cupsd_t)
+ files_list_spool(cupsd_t)
+ files_read_etc_runtime_files(cupsd_t)
+-files_read_usr_files(cupsd_t)
+ files_exec_usr_files(cupsd_t)
+ # for /var/lib/defoma
+ files_read_var_lib_files(cupsd_t)
+@@ -247,13 +253,11 @@ auth_dontaudit_read_pam_pid(cupsd_t)
+ auth_rw_faillog(cupsd_t)
+ auth_use_nsswitch(cupsd_t)
- auth_use_nsswitch(devicekit_power_t)
+-libs_read_lib_files(cupsd_t)
+ libs_exec_lib_files(cupsd_t)
--miscfiles_read_localization(devicekit_power_t)
+ logging_send_audit_msgs(cupsd_t)
+ logging_send_syslog_msg(cupsd_t)
+
+-miscfiles_read_localization(cupsd_t)
+ miscfiles_read_fonts(cupsd_t)
+ miscfiles_setattr_fonts_cache_dirs(cupsd_t)
+
+@@ -275,6 +279,8 @@ optional_policy(`
+ optional_policy(`
+ dbus_system_bus_client(cupsd_t)
+
++ init_dbus_chat(cupsd_t)
+
-+seutil_exec_setfiles(devicekit_power_t)
+ userdom_dbus_send_all_users(cupsd_t)
- sysnet_read_config(devicekit_power_t)
- sysnet_domtrans_ifconfig(devicekit_power_t)
-+sysnet_domtrans_dhcpc(devicekit_power_t)
+ optional_policy(`
+@@ -285,8 +291,10 @@ optional_policy(`
+ hal_dbus_chat(cupsd_t)
+ ')
- userdom_read_all_users_state(devicekit_power_t)
++ # talk to processes that do not have policy
+ optional_policy(`
+ unconfined_dbus_chat(cupsd_t)
++ files_write_generic_pid_pipes(cupsd_t)
+ ')
+ ')
-@@ -235,10 +281,16 @@ optional_policy(`
+@@ -299,8 +307,8 @@ optional_policy(`
')
optional_policy(`
-+ consoletype_exec(devicekit_power_t)
-+')
-+
-+optional_policy(`
- cron_initrc_domtrans(devicekit_power_t)
-+ cron_systemctl(devicekit_power_t)
++ kerberos_tmp_filetrans_host_rcache(cupsd_t, "host_0")
+ kerberos_manage_host_rcache(cupsd_t)
+- kerberos_tmp_filetrans_host_rcache(cupsd_t, file, "host_0")
')
optional_policy(`
-+ dbus_system_domain(devicekit_power_t, devicekit_power_exec_t)
- dbus_system_bus_client(devicekit_power_t)
-
- allow devicekit_power_t devicekit_t:dbus send_msg;
-@@ -261,14 +313,21 @@ optional_policy(`
+@@ -337,7 +345,7 @@ optional_policy(`
')
optional_policy(`
-+ gnome_manage_home_config(devicekit_power_t)
-+')
-+
-+optional_policy(`
- hal_domtrans_mac(devicekit_power_t)
-- hal_manage_log(devicekit_power_t)
- hal_manage_pid_dirs(devicekit_power_t)
- hal_manage_pid_files(devicekit_power_t)
- hal_dbus_chat(devicekit_power_t)
+- virt_rw_all_image_chr_files(cupsd_t)
++ virt_rw_chr_files(cupsd_t)
')
- optional_policy(`
-+ networkmanager_domtrans(devicekit_power_t)
-+')
-+
-+optional_policy(`
- policykit_dbus_chat(devicekit_power_t)
- policykit_domtrans_auth(devicekit_power_t)
- policykit_read_lib(devicekit_power_t)
-@@ -276,9 +335,31 @@ optional_policy(`
+ ########################################
+@@ -386,7 +394,6 @@ domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
+ kernel_read_system_state(cupsd_config_t)
+ kernel_read_all_sysctls(cupsd_config_t)
+
+-corenet_all_recvfrom_unlabeled(cupsd_config_t)
+ corenet_all_recvfrom_netlabel(cupsd_config_t)
+ corenet_tcp_sendrecv_generic_if(cupsd_config_t)
+ corenet_tcp_sendrecv_generic_node(cupsd_config_t)
+@@ -420,11 +427,8 @@ auth_use_nsswitch(cupsd_config_t)
+
+ logging_send_syslog_msg(cupsd_config_t)
+
+-miscfiles_read_localization(cupsd_config_t)
+ miscfiles_read_hwdata(cupsd_config_t)
+
+-seutil_dontaudit_search_config(cupsd_config_t)
+-
+ userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
+ userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
+ userdom_read_all_users_state(cupsd_config_t)
+@@ -452,6 +456,10 @@ optional_policy(`
')
optional_policy(`
-+ modutils_domtrans_insmod(devicekit_power_t)
-+')
-+
-+optional_policy(`
-+ mount_domtrans(devicekit_power_t)
-+')
-+
-+optional_policy(`
-+ readahead_domtrans(devicekit_power_t)
++ gnome_dontaudit_search_config(cupsd_config_t)
+')
+
+optional_policy(`
- udev_read_db(devicekit_power_t)
+ hal_domtrans(cupsd_config_t)
+ hal_read_tmp_files(cupsd_config_t)
+ hal_dontaudit_use_fds(hplip_t)
+@@ -470,6 +478,11 @@ optional_policy(`
')
optional_policy(`
-+ usbmuxd_stream_connect(devicekit_power_t)
++ policykit_dbus_chat(cupsd_config_t)
++ userdom_read_all_users_state(cupsd_config_t)
+')
+
+optional_policy(`
- vbetool_domtrans(devicekit_power_t)
+ rpm_read_db(cupsd_config_t)
')
-+
-+optional_policy(`
-+ corenet_tcp_connect_xserver_port(devicekit_power_t)
-+ xserver_stream_connect(devicekit_power_t)
-+')
-+
-diff --git a/dhcp.fc b/dhcp.fc
-index 767e0c7..9553bcf 100644
---- a/dhcp.fc
-+++ b/dhcp.fc
-@@ -1,8 +1,10 @@
--/etc/rc\.d/init\.d/dhcpd -- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/dhcpd(6)? -- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0)
-+
-+/usr/lib/systemd/system/dhcpcd.* -- gen_context(system_u:object_r:dhcpd_unit_file_t,s0)
- /usr/sbin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0)
+@@ -513,13 +526,13 @@ kernel_read_kernel_sysctls(cupsd_lpd_t)
+ kernel_read_system_state(cupsd_lpd_t)
+ kernel_read_network_state(cupsd_lpd_t)
- /var/lib/dhcpd(/.*)? gen_context(system_u:object_r:dhcpd_state_t,s0)
- /var/lib/dhcp(3)?/dhcpd\.leases.* -- gen_context(system_u:object_r:dhcpd_state_t,s0)
+-corenet_all_recvfrom_unlabeled(cupsd_lpd_t)
+ corenet_all_recvfrom_netlabel(cupsd_lpd_t)
+ corenet_tcp_sendrecv_generic_if(cupsd_lpd_t)
+ corenet_tcp_sendrecv_generic_node(cupsd_lpd_t)
--/var/run/dhcpd\.pid -- gen_context(system_u:object_r:dhcpd_var_run_t,s0)
-+/var/run/dhcpd(6)?\.pid -- gen_context(system_u:object_r:dhcpd_var_run_t,s0)
-diff --git a/dhcp.if b/dhcp.if
-index 5e2cea8..2ab8a14 100644
---- a/dhcp.if
-+++ b/dhcp.if
-@@ -36,7 +36,7 @@ interface(`dhcpd_setattr_state_files',`
- ')
+ corenet_sendrecv_ipp_client_packets(cupsd_lpd_t)
+ corenet_tcp_connect_ipp_port(cupsd_lpd_t)
++corenet_tcp_connect_printer_port(cupsd_lpd_t)
+ corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t)
- sysnet_search_dhcp_state($1)
-- allow $1 dhcpd_state_t:file setattr;
-+ allow $1 dhcpd_state_t:file setattr_file_perms;
- ')
+ dev_read_urand(cupsd_lpd_t)
+@@ -533,7 +546,6 @@ auth_use_nsswitch(cupsd_lpd_t)
- ########################################
-@@ -60,6 +60,30 @@ interface(`dhcpd_initrc_domtrans',`
+ logging_send_syslog_msg(cupsd_lpd_t)
- ########################################
- ## <summary>
-+## Execute dhcpd server in the dhcpd domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed to transition.
-+## </summary>
-+## </param>
-+#
-+interface(`dhcpd_systemctl',`
-+ gen_require(`
-+ type dhcpd_unit_file_t;
-+ type dhcpd_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ systemd_search_unit_dirs($1)
-+ allow $1 dhcpd_unit_file_t:file read_file_perms;
-+ allow $1 dhcpd_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, dhcpd_t)
-+')
-+
-+########################################
-+## <summary>
- ## All of the rules required to administrate
- ## an dhcp environment
- ## </summary>
-@@ -77,12 +101,16 @@ interface(`dhcpd_initrc_domtrans',`
- #
- interface(`dhcpd_admin',`
- gen_require(`
-- type dhcpd_t; type dhcpd_tmp_t; type dhcpd_state_t;
-+ type dhcpd_t, dhcpd_tmp_t, dhcpd_state_t;
- type dhcpd_var_run_t, dhcpd_initrc_exec_t;
-+ type dhcpd_unit_file_t;
- ')
+-miscfiles_read_localization(cupsd_lpd_t)
+ miscfiles_setattr_fonts_cache_dirs(cupsd_lpd_t)
-- allow $1 dhcpd_t:process { ptrace signal_perms };
-+ allow $1 dhcpd_t:process signal_perms;
- ps_process_pattern($1, dhcpd_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 dhcpd_t:process ptrace;
-+ ')
+ optional_policy(`
+@@ -569,7 +581,6 @@ corecmd_exec_shell(cups_pdf_t)
- init_labeled_script_domtrans($1, dhcpd_initrc_exec_t)
- domain_system_change_exemption($1)
-@@ -96,4 +124,8 @@ interface(`dhcpd_admin',`
+ auth_use_nsswitch(cups_pdf_t)
- files_list_pids($1)
- admin_pattern($1, dhcpd_var_run_t)
+-miscfiles_read_localization(cups_pdf_t)
+ miscfiles_read_fonts(cups_pdf_t)
+ miscfiles_setattr_fonts_cache_dirs(cups_pdf_t)
+
+@@ -582,9 +593,10 @@ tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_files(cups_pdf_t)
+ ')
+
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(cups_pdf_t)
+- fs_manage_cifs_files(cups_pdf_t)
++userdom_home_manager(cups_pdf_t)
+
-+ dhcpd_systemctl($1)
-+ admin_pattern($1, dhcpd_unit_file_t)
-+ allow $1 dhcpd_unit_file_t:service all_service_perms;
++optional_policy(`
++ gnome_read_config(cups_pdf_t)
')
-diff --git a/dhcp.te b/dhcp.te
-index ed07b26..bed6b0d 100644
---- a/dhcp.te
-+++ b/dhcp.te
-@@ -19,6 +19,9 @@ init_daemon_domain(dhcpd_t, dhcpd_exec_t)
- type dhcpd_initrc_exec_t;
- init_script_file(dhcpd_initrc_exec_t)
-+type dhcpd_unit_file_t;
-+systemd_unit_file(dhcpd_unit_file_t)
+ optional_policy(`
+@@ -613,9 +625,16 @@ allow hplip_t hplip_etc_t:dir list_dir_perms;
+ allow hplip_t hplip_etc_t:file read_file_perms;
+ allow hplip_t hplip_etc_t:lnk_file read_lnk_file_perms;
+
++allow hplip_t cupsd_unit_file_t:file read_file_perms;
+
- type dhcpd_state_t;
- files_type(dhcpd_state_t)
+ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
+ manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
-@@ -33,9 +36,9 @@ files_pid_file(dhcpd_var_run_t)
- # Local policy
- #
++manage_files_pattern(hplip_t, hplip_var_log_t,hplip_var_log_t)
++manage_fifo_files_pattern(hplip_t, hplip_var_log_t,hplip_var_log_t)
++manage_dirs_pattern(hplip_t, hplip_var_log_t,hplip_var_log_t)
++logging_log_filetrans(hplip_t,hplip_var_log_t,{ dir fifo_file file })
++
+ manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
+ files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file)
--allow dhcpd_t self:capability { net_raw sys_resource };
-+allow dhcpd_t self:capability { chown dac_override sys_chroot net_raw setgid setuid sys_resource };
- dontaudit dhcpd_t self:capability { net_admin sys_tty_config };
--allow dhcpd_t self:process signal_perms;
-+allow dhcpd_t self:process { getcap setcap signal_perms };
- allow dhcpd_t self:fifo_file rw_fifo_file_perms;
- allow dhcpd_t self:unix_dgram_socket create_socket_perms;
- allow dhcpd_t self:unix_stream_socket create_socket_perms;
-@@ -61,7 +64,6 @@ kernel_read_system_state(dhcpd_t)
- kernel_read_kernel_sysctls(dhcpd_t)
- kernel_read_network_state(dhcpd_t)
+@@ -627,7 +646,9 @@ stream_connect_pattern(hplip_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
+ kernel_read_system_state(hplip_t)
+ kernel_read_kernel_sysctls(hplip_t)
--corenet_all_recvfrom_unlabeled(dhcpd_t)
- corenet_all_recvfrom_netlabel(dhcpd_t)
- corenet_tcp_sendrecv_generic_if(dhcpd_t)
- corenet_udp_sendrecv_generic_if(dhcpd_t)
-@@ -80,7 +82,7 @@ corenet_tcp_connect_all_ports(dhcpd_t)
- corenet_sendrecv_dhcpd_server_packets(dhcpd_t)
- corenet_sendrecv_pxe_server_packets(dhcpd_t)
- corenet_sendrecv_all_client_packets(dhcpd_t)
--# Needed to detect open number of interfaces (common/discover.c::begin_iface_scan)
-+corenet_dontaudit_udp_bind_all_reserved_ports(dhcpd_t)
- corenet_udp_bind_all_unreserved_ports(dhcpd_t)
+-corenet_all_recvfrom_unlabeled(hplip_t)
++# for python
++corecmd_exec_bin(hplip_t)
++
+ corenet_all_recvfrom_netlabel(hplip_t)
+ corenet_tcp_sendrecv_generic_if(hplip_t)
+ corenet_udp_sendrecv_generic_if(hplip_t)
+@@ -644,12 +665,15 @@ corenet_sendrecv_hplip_client_packets(hplip_t)
+ corenet_receive_hplip_server_packets(hplip_t)
+ corenet_tcp_bind_hplip_port(hplip_t)
+ corenet_tcp_connect_hplip_port(hplip_t)
++corenet_tcp_bind_glance_port(hplip_t)
++corenet_tcp_connect_glance_port(hplip_t)
- dev_read_sysfs(dhcpd_t)
-@@ -94,7 +96,6 @@ corecmd_exec_bin(dhcpd_t)
+ corenet_sendrecv_ipp_client_packets(hplip_t)
+ corenet_tcp_connect_ipp_port(hplip_t)
- domain_use_interactive_fds(dhcpd_t)
+ corenet_sendrecv_howl_server_packets(hplip_t)
+ corenet_udp_bind_howl_port(hplip_t)
++corenet_tcp_connect_ipp_port(hplip_t)
--files_read_etc_files(dhcpd_t)
- files_read_usr_files(dhcpd_t)
- files_read_etc_runtime_files(dhcpd_t)
- files_search_var_lib(dhcpd_t)
-@@ -103,19 +104,26 @@ auth_use_nsswitch(dhcpd_t)
+ corecmd_exec_bin(hplip_t)
- logging_send_syslog_msg(dhcpd_t)
+@@ -662,23 +686,25 @@ dev_rw_usbfs(hplip_t)
--miscfiles_read_localization(dhcpd_t)
--
- sysnet_read_dhcp_config(dhcpd_t)
+ domain_use_interactive_fds(hplip_t)
- userdom_dontaudit_use_unpriv_user_fds(dhcpd_t)
- userdom_dontaudit_search_user_home_dirs(dhcpd_t)
+-files_read_etc_files(hplip_t)
+ files_read_etc_runtime_files(hplip_t)
+-files_read_usr_files(hplip_t)
++files_dontaudit_write_usr_dirs(hplip_t)
-+tunable_policy(`dhcpd_use_ldap',`
-+ sysnet_use_ldap(dhcpd_t)
-+')
-+
- ifdef(`distro_gentoo',`
- allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot };
- ')
+ fs_getattr_all_fs(hplip_t)
+ fs_search_auto_mountpoints(hplip_t)
+ fs_rw_anon_inodefs_files(hplip_t)
--tunable_policy(`dhcpd_use_ldap',`
-- sysnet_use_ldap(dhcpd_t)
-+optional_policy(`
-+ # used for dynamic DNS
-+ bind_read_dnssec_keys(dhcpd_t)
-+')
-+
-+optional_policy(`
-+ cobbler_dontaudit_rw_log(dhcpd_t)
- ')
+-logging_send_syslog_msg(hplip_t)
++term_use_ptmx(hplip_t)
- optional_policy(`
-diff --git a/dictd.if b/dictd.if
-index a0d23ce..83a7ca5 100644
---- a/dictd.if
-+++ b/dictd.if
-@@ -38,8 +38,11 @@ interface(`dictd_admin',`
- type dictd_var_run_t, dictd_initrc_exec_t;
- ')
+-miscfiles_read_localization(hplip_t)
++auth_read_passwd(hplip_t)
++
++logging_send_syslog_msg(hplip_t)
-- allow $1 dictd_t:process { ptrace signal_perms };
-+ allow $1 dictd_t:process signal_perms;
- ps_process_pattern($1, dictd_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 dictd_t:process ptrace;
-+ ')
+ sysnet_dns_name_resolve(hplip_t)
- init_labeled_script_domtrans($1, dictd_initrc_exec_t)
- domain_system_change_exemption($1)
-diff --git a/dictd.te b/dictd.te
-index d2d9359..b14ece6 100644
---- a/dictd.te
-+++ b/dictd.te
-@@ -45,7 +45,6 @@ files_pid_filetrans(dictd_t, dictd_var_run_t, file)
- kernel_read_system_state(dictd_t)
- kernel_read_kernel_sysctls(dictd_t)
+ userdom_dontaudit_use_unpriv_user_fds(hplip_t)
+ userdom_dontaudit_search_user_home_dirs(hplip_t)
+ userdom_dontaudit_search_user_home_content(hplip_t)
++userdom_dbus_send_all_users(hplip_t)
--corenet_all_recvfrom_unlabeled(dictd_t)
- corenet_all_recvfrom_netlabel(dictd_t)
- corenet_tcp_sendrecv_generic_if(dictd_t)
- corenet_raw_sendrecv_generic_if(dictd_t)
-@@ -66,30 +65,19 @@ fs_search_auto_mountpoints(dictd_t)
+ optional_policy(`
+ dbus_system_bus_client(hplip_t)
+@@ -731,7 +757,6 @@ kernel_read_kernel_sysctls(ptal_t)
+ kernel_list_proc(ptal_t)
+ kernel_read_proc_symlinks(ptal_t)
- domain_use_interactive_fds(dictd_t)
+-corenet_all_recvfrom_unlabeled(ptal_t)
+ corenet_all_recvfrom_netlabel(ptal_t)
+ corenet_tcp_sendrecv_generic_if(ptal_t)
+ corenet_tcp_sendrecv_generic_node(ptal_t)
+@@ -747,7 +772,6 @@ dev_rw_printer(ptal_t)
--files_read_etc_files(dictd_t)
- files_read_etc_runtime_files(dictd_t)
- files_read_usr_files(dictd_t)
- files_search_var_lib(dictd_t)
- # for checking for nscd
- files_dontaudit_search_pids(dictd_t)
+ domain_use_interactive_fds(ptal_t)
--logging_send_syslog_msg(dictd_t)
--
--miscfiles_read_localization(dictd_t)
-+auth_use_nsswitch(dictd_t)
+-files_read_etc_files(ptal_t)
+ files_read_etc_runtime_files(ptal_t)
--sysnet_read_config(dictd_t)
-+logging_send_syslog_msg(dictd_t)
+ fs_getattr_all_fs(ptal_t)
+@@ -755,8 +779,6 @@ fs_search_auto_mountpoints(ptal_t)
- userdom_dontaudit_use_unpriv_user_fds(dictd_t)
+ logging_send_syslog_msg(ptal_t)
- optional_policy(`
-- nis_use_ypbind(dictd_t)
--')
--
--optional_policy(`
-- nscd_socket_use(dictd_t)
--')
+-miscfiles_read_localization(ptal_t)
-
--optional_policy(`
- seutil_sigchld_newrole(dictd_t)
- ')
+ sysnet_read_config(ptal_t)
-diff --git a/dirsrv-admin.fc b/dirsrv-admin.fc
-new file mode 100644
-index 0000000..fdf5675
---- /dev/null
-+++ b/dirsrv-admin.fc
-@@ -0,0 +1,15 @@
-+/etc/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:dirsrvadmin_config_t,s0)
-+
-+/etc/dirsrv/dsgw(/.*)? gen_context(system_u:object_r:dirsrvadmin_config_t,s0)
-+
-+/usr/sbin/restart-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
-+/usr/sbin/start-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
-+/usr/sbin/stop-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
-+
-+/usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0)
-+/usr/lib/dirsrv/dsgw-cgi-bin(/.*)? gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0)
-+
-+/usr/lib/dirsrv/cgi-bin/ds_create -- gen_context(system_u:object_r:dirsrvadmin_unconfined_script_exec_t,s0)
-+/usr/lib/dirsrv/cgi-bin/ds_remove -- gen_context(system_u:object_r:dirsrvadmin_unconfined_script_exec_t,s0)
-+
-+/var/lock/subsys/dirsrv -- gen_context(system_u:object_r:dirsrvadmin_lock_t,s0)
-diff --git a/dirsrv-admin.if b/dirsrv-admin.if
-new file mode 100644
-index 0000000..332a1c9
---- /dev/null
-+++ b/dirsrv-admin.if
-@@ -0,0 +1,134 @@
-+## <summary>Administration Server for Directory Server, dirsrv-admin.</summary>
-+
-+########################################
-+## <summary>
-+## Exec dirsrv-admin programs.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`dirsrvadmin_run_exec',`
-+ gen_require(`
-+ type dirsrvadmin_exec_t;
-+ ')
-+
-+ allow $1 dirsrvadmin_exec_t:dir search_dir_perms;
-+ can_exec($1, dirsrvadmin_exec_t)
-+')
-+
-+########################################
-+## <summary>
-+## Exec cgi programs.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`dirsrvadmin_run_httpd_script_exec',`
-+ gen_require(`
-+ type httpd_dirsrvadmin_script_exec_t;
-+ ')
-+
-+ allow $1 httpd_dirsrvadmin_script_exec_t:dir search_dir_perms;
-+ can_exec($1, httpd_dirsrvadmin_script_exec_t)
-+')
-+
-+########################################
+ userdom_dontaudit_use_unpriv_user_fds(ptal_t)
+diff --git a/cvs.if b/cvs.if
+index 9fa7ffb..fd3262c 100644
+--- a/cvs.if
++++ b/cvs.if
+@@ -1,5 +1,23 @@
+ ## <summary>Concurrent versions system.</summary>
+
++######################################
+## <summary>
-+## Manage dirsrv-adminserver configuration files.
++## Dontaudit Attempts to list the CVS data and metadata.
+## </summary>
+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
++## <summary>
++## Domain to not audit.
++## </summary>
+## </param>
+#
-+interface(`dirsrvadmin_read_config',`
-+ gen_require(`
-+ type dirsrvadmin_config_t;
-+ ')
++interface(`cvs_dontaudit_list_data',`
++ gen_require(`
++ type cvs_data_t;
++ ')
+
-+ read_files_pattern($1, dirsrvadmin_config_t, dirsrvadmin_config_t)
++ dontaudit $1 cvs_data_t:dir list_dir_perms;
+')
+
-+########################################
-+## <summary>
-+## Manage dirsrv-adminserver configuration files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`dirsrvadmin_manage_config',`
-+ gen_require(`
-+ type dirsrvadmin_config_t;
+ ########################################
+ ## <summary>
+ ## Read CVS data and metadata content.
+@@ -62,9 +80,14 @@ interface(`cvs_admin',`
+ type cvs_data_t, cvs_var_run_t;
+ ')
+
+- allow $1 cvs_t:process { ptrace signal_perms };
++ allow $1 cvs_t:process signal_perms;
+ ps_process_pattern($1, cvs_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 cvs_t:process ptrace;
+ ')
+
-+ allow $1 dirsrvadmin_config_t:dir manage_dir_perms;
-+ allow $1 dirsrvadmin_config_t:file manage_file_perms;
-+')
-+
-+#######################################
-+## <summary>
-+## Read dirsrv-adminserver tmp files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`dirsrvadmin_read_tmp',`
-+ gen_require(`
-+ type dirsrvadmin_tmp_t;
-+ ')
-+
-+ read_files_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
-+')
-+
-+########################################
-+## <summary>
-+## Manage dirsrv-adminserver tmp files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`dirsrvadmin_manage_tmp',`
-+ gen_require(`
-+ type dirsrvadmin_tmp_t;
-+ ')
++ # Allow cvs_t to restart the apache service
+ init_labeled_script_domtrans($1, cvs_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 cvs_initrc_exec_t system_r;
+diff --git a/cvs.te b/cvs.te
+index 53fc3af..25b3285 100644
+--- a/cvs.te
++++ b/cvs.te
+@@ -11,7 +11,7 @@ policy_module(cvs, 1.9.1)
+ ## password files.
+ ## </p>
+ ## </desc>
+-gen_tunable(allow_cvs_read_shadow, false)
++gen_tunable(cvs_read_shadow, false)
+
+ type cvs_t;
+ type cvs_exec_t;
+@@ -58,6 +58,14 @@ kernel_read_network_state(cvs_t)
+ corecmd_exec_bin(cvs_t)
+ corecmd_exec_shell(cvs_t)
+
++corenet_all_recvfrom_netlabel(cvs_t)
++corenet_tcp_sendrecv_generic_if(cvs_t)
++corenet_udp_sendrecv_generic_if(cvs_t)
++corenet_tcp_sendrecv_generic_node(cvs_t)
++corenet_udp_sendrecv_generic_node(cvs_t)
++corenet_tcp_sendrecv_all_ports(cvs_t)
++corenet_udp_sendrecv_all_ports(cvs_t)
+
-+ manage_files_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
-+ manage_dirs_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
-+')
+ dev_read_urand(cvs_t)
+
+ files_read_etc_runtime_files(cvs_t)
+@@ -70,18 +78,18 @@ auth_use_nsswitch(cvs_t)
+
+ init_read_utmp(cvs_t)
+
++init_dontaudit_read_utmp(cvs_t)
+
+ logging_send_syslog_msg(cvs_t)
+ logging_send_audit_msgs(cvs_t)
+
+-miscfiles_read_localization(cvs_t)
+-
+ mta_send_mail(cvs_t)
+
+ userdom_dontaudit_search_user_home_dirs(cvs_t)
+
+ # cjp: typeattribute doesnt work in conditionals yet
+ auth_can_read_shadow_passwords(cvs_t)
+-tunable_policy(`allow_cvs_read_shadow',`
++tunable_policy(`cvs_read_shadow',`
+ allow cvs_t self:capability dac_override;
+ auth_tunable_read_shadow(cvs_t)
+ ')
+@@ -103,4 +111,5 @@ optional_policy(`
+ read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
+ manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
+ manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
++ files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
+ ')
+diff --git a/cyphesis.te b/cyphesis.te
+index 916427f..9d65864 100644
+--- a/cyphesis.te
++++ b/cyphesis.te
+@@ -48,7 +48,6 @@ kernel_read_kernel_sysctls(cyphesis_t)
+ corecmd_search_bin(cyphesis_t)
+ corecmd_getattr_bin_files(cyphesis_t)
+
+-corenet_all_recvfrom_unlabeled(cyphesis_t)
+ corenet_tcp_sendrecv_generic_if(cyphesis_t)
+ corenet_tcp_sendrecv_generic_node(cyphesis_t)
+ corenet_tcp_bind_generic_node(cyphesis_t)
+@@ -66,8 +65,6 @@ files_read_usr_files(cyphesis_t)
+
+ logging_send_syslog_msg(cyphesis_t)
+
+-miscfiles_read_localization(cyphesis_t)
+-
+ sysnet_dns_name_resolve(cyphesis_t)
+
+ optional_policy(`
+diff --git a/cyrus.if b/cyrus.if
+index 6508280..a2860e3 100644
+--- a/cyrus.if
++++ b/cyrus.if
+@@ -20,6 +20,25 @@ interface(`cyrus_manage_data',`
+ manage_files_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t)
+ ')
+
+#######################################
+## <summary>
-+## Execute admin cgi programs in caller domain.
++## Allow write cyrus data files.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -17774,300 +15619,762 @@ index 0000000..332a1c9
+## </summary>
+## </param>
+#
-+interface(`dirsrvadmin_domtrans_unconfined_script_t',`
++interface(`cyrus_write_data',`
+ gen_require(`
-+ type dirsrvadmin_unconfined_script_t;
-+ type dirsrvadmin_unconfined_script_exec_t;
++ type cyrus_var_lib_t;
+ ')
+
-+ domtrans_pattern($1, dirsrvadmin_unconfined_script_exec_t, dirsrvadmin_unconfined_script_t)
-+ allow $1 dirsrvadmin_unconfined_script_t:process signal_perms;
-+
++ files_search_var_lib($1)
++ write_files_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t)
+')
-diff --git a/dirsrv-admin.te b/dirsrv-admin.te
-new file mode 100644
-index 0000000..a3d076f
---- /dev/null
-+++ b/dirsrv-admin.te
-@@ -0,0 +1,144 @@
-+policy_module(dirsrv-admin,1.0.0)
-+
-+########################################
-+#
-+# Declarations for the daemon
-+#
-+
-+type dirsrvadmin_t;
-+type dirsrvadmin_exec_t;
-+init_daemon_domain(dirsrvadmin_t, dirsrvadmin_exec_t)
-+role system_r types dirsrvadmin_t;
-+
-+type dirsrvadmin_config_t;
-+files_type(dirsrvadmin_config_t)
-+
-+type dirsrvadmin_lock_t;
-+files_lock_file(dirsrvadmin_lock_t)
-+
-+type dirsrvadmin_tmp_t;
-+files_tmp_file(dirsrvadmin_tmp_t)
-+
-+type dirsrvadmin_unconfined_script_t;
-+type dirsrvadmin_unconfined_script_exec_t;
-+domain_type(dirsrvadmin_unconfined_script_t)
-+domain_entry_file(dirsrvadmin_unconfined_script_t, dirsrvadmin_unconfined_script_exec_t)
-+corecmd_shell_entry_type(dirsrvadmin_unconfined_script_t)
-+role system_r types dirsrvadmin_unconfined_script_t;
-+
-+########################################
-+#
-+# Local policy for the daemon
-+#
-+allow dirsrvadmin_t self:fifo_file rw_fifo_file_perms;
-+allow dirsrvadmin_t self:capability { dac_read_search dac_override sys_tty_config sys_resource };
-+allow dirsrvadmin_t self:process setrlimit;
-+
-+manage_files_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
-+manage_dirs_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
-+files_tmp_filetrans(dirsrvadmin_t, dirsrvadmin_tmp_t, { file dir })
-+
-+kernel_read_system_state(dirsrvadmin_t)
-+
-+corecmd_exec_bin(dirsrvadmin_t)
-+corecmd_read_bin_symlinks(dirsrvadmin_t)
-+corecmd_search_bin(dirsrvadmin_t)
-+corecmd_shell_entry_type(dirsrvadmin_t)
-+
-+files_exec_etc_files(dirsrvadmin_t)
-+
-+libs_exec_ld_so(dirsrvadmin_t)
-+
-+logging_search_logs(dirsrvadmin_t)
+
+ ########################################
+ ## <summary>
+ ## Connect to Cyrus using a unix
+@@ -63,9 +82,13 @@ interface(`cyrus_admin',`
+ type cyrus_var_run_t, cyrus_initrc_exec_t;
+ ')
+
+- allow $1 cyrus_t:process { ptrace signal_perms };
++ allow $1 cyrus_t:process signal_perms;
+ ps_process_pattern($1, cyrus_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 cyrus_t:process ptrace;
++ ')
+
-+# Needed for stop and restart scripts
-+dirsrv_read_var_run(dirsrvadmin_t)
+ init_labeled_script_domtrans($1, cyrus_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 cyrus_initrc_exec_t system_r;
+diff --git a/cyrus.te b/cyrus.te
+index 395f97c..f35fbae 100644
+--- a/cyrus.te
++++ b/cyrus.te
+@@ -26,7 +26,7 @@ files_pid_file(cyrus_var_run_t)
+ # Local policy
+ #
+
+-allow cyrus_t self:capability { dac_override setgid setuid sys_resource };
++allow cyrus_t self:capability { fsetid dac_override net_bind_service setgid setuid sys_resource };
+ dontaudit cyrus_t self:capability sys_tty_config;
+ allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow cyrus_t self:process setrlimit;
+@@ -58,7 +58,6 @@ kernel_read_kernel_sysctls(cyrus_t)
+ kernel_read_system_state(cyrus_t)
+ kernel_read_all_sysctls(cyrus_t)
+
+-corenet_all_recvfrom_unlabeled(cyrus_t)
+ corenet_all_recvfrom_netlabel(cyrus_t)
+ corenet_tcp_sendrecv_generic_if(cyrus_t)
+ corenet_tcp_sendrecv_generic_node(cyrus_t)
+@@ -71,6 +70,9 @@ corenet_tcp_bind_mail_port(cyrus_t)
+ corenet_sendrecv_lmtp_server_packets(cyrus_t)
+ corenet_tcp_bind_lmtp_port(cyrus_t)
+
++corenet_sendrecv_innd_server_packets(cyrus_t)
++corenet_tcp_bind_innd_port(cyrus_t)
+
-+optional_policy(`
-+ apache_domtrans(dirsrvadmin_t)
-+ apache_signal(dirsrvadmin_t)
+ corenet_sendrecv_pop_server_packets(cyrus_t)
+ corenet_tcp_bind_pop_port(cyrus_t)
+
+@@ -90,7 +92,6 @@ domain_use_interactive_fds(cyrus_t)
+
+ files_list_var_lib(cyrus_t)
+ files_read_etc_runtime_files(cyrus_t)
+-files_read_usr_files(cyrus_t)
+ files_dontaudit_write_usr_dirs(cyrus_t)
+
+ fs_getattr_all_fs(cyrus_t)
+@@ -102,7 +103,6 @@ libs_exec_lib_files(cyrus_t)
+
+ logging_send_syslog_msg(cyrus_t)
+
+-miscfiles_read_localization(cyrus_t)
+ miscfiles_read_generic_certs(cyrus_t)
+
+ userdom_use_unpriv_users_fds(cyrus_t)
+@@ -116,6 +116,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ dirsrv_stream_connect(cyrus_t)
+')
+
-+########################################
-+#
-+# Local policy for the CGIs
-+#
-+#
-+#
-+# Create a domain for the CGI scripts
-+
+optional_policy(`
-+ apache_content_template(dirsrvadmin)
-+
-+ allow httpd_dirsrvadmin_script_t self:process { getsched getpgid };
-+ allow httpd_dirsrvadmin_script_t self:capability { setuid net_bind_service setgid chown sys_nice kill dac_read_search dac_override };
-+ allow httpd_dirsrvadmin_script_t self:tcp_socket create_stream_socket_perms;
-+ allow httpd_dirsrvadmin_script_t self:udp_socket create_socket_perms;
-+ allow httpd_dirsrvadmin_script_t self:unix_dgram_socket create_socket_perms;
-+ allow httpd_dirsrvadmin_script_t self:netlink_route_socket r_netlink_socket_perms;
-+ allow httpd_dirsrvadmin_script_t self:sem create_sem_perms;
-+
-+
-+ manage_files_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_lock_t, dirsrvadmin_lock_t)
-+ files_lock_filetrans(httpd_dirsrvadmin_script_t, dirsrvadmin_lock_t, { file })
-+
-+ kernel_read_kernel_sysctls(httpd_dirsrvadmin_script_t)
-+
-+ corenet_all_recvfrom_netlabel(httpd_dirsrvadmin_script_t)
-+ corenet_tcp_connect_generic_port(httpd_dirsrvadmin_script_t)
-+ corenet_tcp_connect_ldap_port(httpd_dirsrvadmin_script_t)
-+ corenet_tcp_connect_http_port(httpd_dirsrvadmin_script_t)
-+
-+ files_search_var_lib(httpd_dirsrvadmin_script_t)
-+
-+ sysnet_read_config(httpd_dirsrvadmin_script_t)
-+
-+ manage_files_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
-+ manage_dirs_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
-+ files_tmp_filetrans(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, { file dir })
+ kerberos_keytab_template(cyrus, cyrus_t)
+ ')
+
+@@ -128,6 +132,7 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ files_dontaudit_write_usr_dirs(cyrus_t)
+ snmp_read_snmp_var_lib_files(cyrus_t)
+ snmp_dontaudit_write_snmp_var_lib_files(cyrus_t)
+ snmp_stream_connect(cyrus_t)
+diff --git a/daemontools.if b/daemontools.if
+index 3b3d9a0..6c8106a 100644
+--- a/daemontools.if
++++ b/daemontools.if
+@@ -218,3 +218,4 @@ interface(`daemontools_manage_svc',`
+ allow $1 svc_svc_t:file manage_file_perms;
+ allow $1 svc_svc_t:lnk_file manage_lnk_file_perms;
+ ')
+
-+ optional_policy(`
-+ # The CGI scripts must be able to manage dirsrv-admin
-+ dirsrvadmin_run_exec(httpd_dirsrvadmin_script_t)
-+ dirsrvadmin_manage_config(httpd_dirsrvadmin_script_t)
-+ dirsrv_domtrans(httpd_dirsrvadmin_script_t)
-+ dirsrv_signal(httpd_dirsrvadmin_script_t)
-+ dirsrv_signull(httpd_dirsrvadmin_script_t)
-+ dirsrv_manage_log(httpd_dirsrvadmin_script_t)
-+ dirsrv_manage_var_lib(httpd_dirsrvadmin_script_t)
-+ dirsrv_pid_filetrans(httpd_dirsrvadmin_script_t)
-+ dirsrv_manage_var_run(httpd_dirsrvadmin_script_t)
-+ dirsrv_manage_config(httpd_dirsrvadmin_script_t)
-+ dirsrv_read_share(httpd_dirsrvadmin_script_t)
-+ ')
-+')
+diff --git a/daemontools.te b/daemontools.te
+index 0165962..8be5248 100644
+--- a/daemontools.te
++++ b/daemontools.te
+@@ -44,7 +44,10 @@ allow svc_multilog_t svc_start_t:process sigchld;
+ allow svc_multilog_t svc_start_t:fd use;
+ allow svc_multilog_t svc_start_t:fifo_file rw_fifo_file_perms;
+
++term_write_console(svc_multilog_t)
+
-+#######################################
-+#
-+# Local policy for the admin CGIs
-+#
-+#
+ init_use_fds(svc_multilog_t)
++init_dontaudit_use_script_fds(svc_multilog_t)
+
+ logging_manage_generic_logs(svc_multilog_t)
+
+@@ -77,6 +80,8 @@ dev_read_urand(svc_run_t)
+ corecmd_exec_bin(svc_run_t)
+ corecmd_exec_shell(svc_run_t)
+
++term_write_console(svc_run_t)
+
+ files_read_etc_files(svc_run_t)
+ files_read_etc_runtime_files(svc_run_t)
+ files_search_pids(svc_run_t)
+@@ -109,6 +114,7 @@ allow svc_start_t svc_run_t:process { signal setrlimit };
+
+ can_exec(svc_start_t, svc_start_exec_t)
+
++mmap_files_pattern(svc_start_t, svc_svc_t, svc_svc_t)
+ domtrans_pattern(svc_start_t, svc_run_exec_t, svc_run_t)
+
+ kernel_read_kernel_sysctls(svc_start_t)
+@@ -117,11 +123,14 @@ kernel_read_system_state(svc_start_t)
+ corecmd_exec_bin(svc_start_t)
+ corecmd_exec_shell(svc_start_t)
+
++corenet_tcp_bind_generic_node(svc_start_t)
++corenet_tcp_bind_generic_port(svc_start_t)
+
-+manage_files_pattern(dirsrvadmin_unconfined_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
-+manage_dirs_pattern(dirsrvadmin_unconfined_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
-+files_tmp_filetrans(dirsrvadmin_unconfined_script_t, dirsrvadmin_tmp_t, { file dir })
++term_write_console(svc_start_t)
+
-+# needed because of filetrans rules
-+dirsrvadmin_run_exec(dirsrvadmin_unconfined_script_t)
-+dirsrvadmin_manage_config(dirsrvadmin_unconfined_script_t)
-+dirsrv_domtrans(dirsrvadmin_unconfined_script_t)
-+dirsrv_signal(dirsrvadmin_unconfined_script_t)
-+dirsrv_signull(dirsrvadmin_unconfined_script_t)
-+dirsrv_manage_log(dirsrvadmin_unconfined_script_t)
-+dirsrv_manage_var_lib(dirsrvadmin_unconfined_script_t)
-+dirsrv_pid_filetrans(dirsrvadmin_unconfined_script_t)
-+dirsrv_manage_var_run(dirsrvadmin_unconfined_script_t)
-+dirsrv_manage_config(dirsrvadmin_unconfined_script_t)
-+dirsrv_read_share(dirsrvadmin_unconfined_script_t)
+ files_read_etc_files(svc_start_t)
+ files_read_etc_runtime_files(svc_start_t)
+ files_search_var(svc_start_t)
+ files_search_pids(svc_start_t)
+
+ logging_send_syslog_msg(svc_start_t)
+-
+-miscfiles_read_localization(svc_start_t)
+diff --git a/dbadm.te b/dbadm.te
+index a67870a..76435d4 100644
+--- a/dbadm.te
++++ b/dbadm.te
+@@ -30,7 +30,7 @@ userdom_base_user_template(dbadm)
+ # Local policy
+ #
+
+-allow dbadm_t self:capability { dac_override dac_read_search sys_ptrace };
++allow dbadm_t self:capability { dac_override dac_read_search };
+
+ files_dontaudit_search_all_dirs(dbadm_t)
+ files_delete_generic_locks(dbadm_t)
+@@ -39,6 +39,7 @@ files_list_var(dbadm_t)
+ selinux_get_enforce_mode(dbadm_t)
+
+ logging_send_syslog_msg(dbadm_t)
++logging_send_audit_msgs(dbadm_t)
+
+ userdom_dontaudit_search_user_home_dirs(dbadm_t)
+
+@@ -60,3 +61,7 @@ optional_policy(`
+ optional_policy(`
+ postgresql_admin(dbadm_t, dbadm_r)
+ ')
+
+optional_policy(`
-+ unconfined_domain(dirsrvadmin_unconfined_script_t)
++ sudo_role_template(dbadm, dbadm_r, dbadm_t)
+')
-+
-diff --git a/dirsrv.fc b/dirsrv.fc
-new file mode 100644
-index 0000000..0ea1ebb
---- /dev/null
-+++ b/dirsrv.fc
-@@ -0,0 +1,23 @@
-+/etc/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_config_t,s0)
-+
-+/usr/sbin/ns-slapd -- gen_context(system_u:object_r:dirsrv_exec_t,s0)
-+/usr/sbin/ldap-agent -- gen_context(system_u:object_r:initrc_exec_t,s0)
-+/usr/sbin/ldap-agent-bin -- gen_context(system_u:object_r:dirsrv_snmp_exec_t,s0)
-+/usr/sbin/start-dirsrv -- gen_context(system_u:object_r:initrc_exec_t,s0)
-+/usr/sbin/restart-dirsrv -- gen_context(system_u:object_r:initrc_exec_t,s0)
-+
-+/usr/share/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_share_t,s0)
-+
-+/var/run/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_run_t,s0)
-+/var/run/ldap-agent\.pid gen_context(system_u:object_r:dirsrv_snmp_var_run_t,s0)
-+
-+# BZ:
-+/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0)
-+
-+/var/lib/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_lib_t,s0)
-+
-+/var/lock/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_lock_t,s0)
-+
-+/var/log/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_log_t,s0)
-+
-+/var/log/dirsrv/ldap-agent.log.* gen_context(system_u:object_r:dirsrv_snmp_var_log_t,s0)
-diff --git a/dirsrv.if b/dirsrv.if
-new file mode 100644
-index 0000000..b214253
---- /dev/null
-+++ b/dirsrv.if
-@@ -0,0 +1,208 @@
-+## <summary>policy for dirsrv</summary>
-+
-+########################################
-+## <summary>
-+## Execute a domain transition to run dirsrv.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed to transition.
-+## </summary>
-+## </param>
-+#
-+interface(`dirsrv_domtrans',`
-+ gen_require(`
-+ type dirsrv_t, dirsrv_exec_t;
-+ ')
-+
-+ domtrans_pattern($1, dirsrv_exec_t,dirsrv_t)
+diff --git a/dbskk.te b/dbskk.te
+index 188e2e6..719583e 100644
+--- a/dbskk.te
++++ b/dbskk.te
+@@ -36,7 +36,6 @@ kernel_read_kernel_sysctls(dbskkd_t)
+ kernel_read_system_state(dbskkd_t)
+ kernel_read_network_state(dbskkd_t)
+
+-corenet_all_recvfrom_unlabeled(dbskkd_t)
+ corenet_all_recvfrom_netlabel(dbskkd_t)
+ corenet_tcp_sendrecv_generic_if(dbskkd_t)
+ corenet_udp_sendrecv_generic_if(dbskkd_t)
+@@ -49,10 +48,7 @@ dev_read_urand(dbskkd_t)
+
+ fs_getattr_xattr_fs(dbskkd_t)
+
+-files_read_etc_files(dbskkd_t)
+
+ auth_use_nsswitch(dbskkd_t)
+
+ logging_send_syslog_msg(dbskkd_t)
+-
+-miscfiles_read_localization(dbskkd_t)
+diff --git a/dbus.fc b/dbus.fc
+index dda905b..31f269b 100644
+--- a/dbus.fc
++++ b/dbus.fc
+@@ -1,20 +1,26 @@
+-HOME_DIR/\.dbus(/.*)? gen_context(system_u:object_r:session_dbusd_home_t,s0)
++/etc/dbus-1(/.*)? gen_context(system_u:object_r:dbusd_etc_t,s0)
+
+-/etc/dbus-.*(/.*)? gen_context(system_u:object_r:dbusd_etc_t,s0)
++/bin/dbus-daemon -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+
+-/bin/dbus-daemon -- gen_context(system_u:object_r:dbusd_exec_t,s0)
++ifdef(`distro_redhat',`
++/lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
++/usr/lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+')
-+
-+
-+########################################
-+## <summary>
-+## Allow caller to signal dirsrv.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`dirsrv_signal',`
-+ gen_require(`
-+ type dirsrv_t;
-+ ')
-+
-+ allow $1 dirsrv_t:process signal;
+
+-/lib/dbus-.*/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
++/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+
+-/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0)
++ifdef(`distro_debian',`
++/usr/lib/dbus-1.0/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+')
-+
-+
-+########################################
-+## <summary>
-+## Send a null signal to dirsrv.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`dirsrv_signull',`
-+ gen_require(`
-+ type dirsrv_t;
-+ ')
-+
-+ allow $1 dirsrv_t:process signull;
+
+-/usr/lib/dbus-.*/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
++ifdef(`distro_gentoo',`
++/usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
++')
+
+-/usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
++/var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
+
+-/var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
+-
+-/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+-/var/run/messagebus\.pid -- gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
++/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+
++ifdef(`distro_redhat',`
+ /var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+')
+diff --git a/dbus.if b/dbus.if
+index afcf3a2..126d543 100644
+--- a/dbus.if
++++ b/dbus.if
+@@ -1,4 +1,4 @@
+-## <summary>Desktop messaging bus.</summary>
++## <summary>Desktop messaging bus</summary>
+
+ ########################################
+ ## <summary>
+@@ -19,7 +19,7 @@ interface(`dbus_stub',`
+
+ ########################################
+ ## <summary>
+-## Role access for dbus.
++## Role access for dbus
+ ## </summary>
+ ## <param name="role_prefix">
+ ## <summary>
+@@ -41,59 +41,64 @@ interface(`dbus_stub',`
+ template(`dbus_role_template',`
+ gen_require(`
+ class dbus { send_msg acquire_svc };
+- attribute session_bus_type;
+- type system_dbusd_t, dbusd_exec_t;
+- type session_dbusd_tmp_t, session_dbusd_home_t;
++ attribute dbusd_unconfined, session_bus_type;
++ type system_dbusd_t, session_dbusd_tmp_t, dbusd_exec_t, dbusd_etc_t;
++ type $1_t;
+ ')
+
+ ##############################
+ #
+- # Declarations
++ # Delcarations
+ #
+
+ type $1_dbusd_t, session_bus_type;
+- domain_type($1_dbusd_t)
+- domain_entry_file($1_dbusd_t, dbusd_exec_t)
++ application_domain($1_dbusd_t, dbusd_exec_t)
+ ubac_constrained($1_dbusd_t)
+-
+ role $2 types $1_dbusd_t;
+
++ kernel_read_system_state($1_dbusd_t)
+
-+#######################################
-+## <summary>
-+## Allow a domain to manage dirsrv logs.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`dirsrv_manage_log',`
-+ gen_require(`
-+ type dirsrv_var_log_t;
-+ ')
++ selinux_get_fs_mount($1_dbusd_t)
+
-+ allow $1 dirsrv_var_log_t:dir manage_dir_perms;
-+ allow $1 dirsrv_var_log_t:file manage_file_perms;
-+ allow $1 dirsrv_var_log_t:fifo_file manage_fifo_file_perms;
-+')
++ userdom_home_manager($1_dbusd_t)
+
-+#######################################
-+## <summary>
-+## Allow a domain to manage dirsrv /var/lib files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`dirsrv_manage_var_lib',`
-+ gen_require(`
-+ type dirsrv_var_lib_t;
-+ ')
-+ allow $1 dirsrv_var_lib_t:dir manage_dir_perms;
-+ allow $1 dirsrv_var_lib_t:file manage_file_perms;
+ ##############################
+ #
+ # Local policy
+ #
+
++ # For connecting to the bus
+ allow $3 $1_dbusd_t:unix_stream_socket connectto;
+- allow $3 $1_dbusd_t:dbus { send_msg acquire_svc };
+- allow $3 $1_dbusd_t:fd use;
+-
+- allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
+
+- allow $3 { session_dbusd_home_t session_dbusd_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
+- allow $3 { session_dbusd_home_t session_dbusd_tmp_t }:file { manage_file_perms relabel_file_perms };
+- userdom_user_home_dir_filetrans($3, session_dbusd_home_t, dir, ".dbus")
++ # SE-DBus specific permissions
++ allow { dbusd_unconfined $3 } $1_dbusd_t:dbus { send_msg acquire_svc };
++ allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
+
+ domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t)
+
+ ps_process_pattern($3, $1_dbusd_t)
+- allow $3 $1_dbusd_t:process { ptrace signal_perms };
++ allow $3 $1_dbusd_t:process signal_perms;
+
+- allow $1_dbusd_t $3:process sigkill;
++ tunable_policy(`deny_ptrace',`',`
++ allow $3 $1_dbusd_t:process ptrace;
++ ')
+
+- corecmd_bin_domtrans($1_dbusd_t, $3)
+- corecmd_shell_domtrans($1_dbusd_t, $3)
++ # cjp: this seems very broken
++ corecmd_bin_domtrans($1_dbusd_t, $1_t)
++ corecmd_shell_domtrans($1_dbusd_t, $1_t)
++ allow $1_dbusd_t $3:process sigkill;
++ allow $3 $1_dbusd_t:fd use;
++ allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms;
+
+ auth_use_nsswitch($1_dbusd_t)
+
+- ifdef(`hide_broken_symptoms',`
+- dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write };
+- ')
++ logging_send_syslog_msg($1_dbusd_t)
+ ')
+
+ #######################################
+ ## <summary>
+ ## Template for creating connections to
+-## the system bus.
++## the system DBUS.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -103,65 +108,29 @@ template(`dbus_role_template',`
+ #
+ interface(`dbus_system_bus_client',`
+ gen_require(`
+- attribute dbusd_system_bus_client;
+- type system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_lib_t;
++ type system_dbusd_t, system_dbusd_t;
++ type system_dbusd_var_run_t, system_dbusd_var_lib_t;
+ class dbus send_msg;
++ attribute dbusd_unconfined;
+ ')
+
+- typeattribute $1 dbusd_system_bus_client;
+-
++ # SE-DBus specific permissions
+ allow $1 { system_dbusd_t self }:dbus send_msg;
+- allow system_dbusd_t $1:dbus send_msg;
++ allow { system_dbusd_t dbusd_unconfined } $1:dbus send_msg;
+
+- files_search_var_lib($1)
+ read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
++ files_search_var_lib($1)
+
++ # For connecting to the bus
+ files_search_pids($1)
+ stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t)
+-
+ dbus_read_config($1)
+ ')
+
+ #######################################
+ ## <summary>
+-## Acquire service on DBUS
+-## session bus.
+-## </summary>
+-## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+-## </param>
+-#
+-interface(`dbus_connect_session_bus',`
+- refpolicywarn(`$0($*) has been deprecated, use dbus_connect_all_session_bus() instead.')
+- dbus_connect_all_session_bus($1)
+-')
+-
+-#######################################
+-## <summary>
+-## Acquire service on all DBUS
+-## session busses.
+-## </summary>
+-## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+-## </param>
+-#
+-interface(`dbus_connect_all_session_bus',`
+- gen_require(`
+- attribute session_bus_type;
+- class dbus acquire_svc;
+- ')
+-
+- allow $1 session_bus_type:dbus acquire_svc;
+-')
+-
+-#######################################
+-## <summary>
+-## Acquire service on specified
+-## DBUS session bus.
++## Creating connections to specified
++## DBUS sessions.
+ ## </summary>
+ ## <param name="role_prefix">
+ ## <summary>
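Review bot: The gen_require at the top of dbus_system_bus_client now lists the same type twice, `type system_dbusd_t, system_dbusd_t;`; the second copy looks like a leftover from the removed attribute line and should simply be `type system_dbusd_t;`. The new side also drops `typeattribute $1 dbusd_system_bus_client`, and the attribute itself is deleted from dbus.te further down in this patch, so any contrib or local module still using that attribute will fail to link; a grep for the name before merging is cheap insurance. The interface's summary could also state that system-bus clients are no longer collected under an attribute, since callers that relied on it for blanket rules will otherwise be surprised.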
+@@ -175,19 +144,21 @@ interface(`dbus_connect_all_session_bus',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`dbus_connect_spec_session_bus',`
++interface(`dbus_session_client',`
+ gen_require(`
++ class dbus send_msg;
+ type $1_dbusd_t;
+- class dbus acquire_svc;
+ ')
+
+- allow $2 $1_dbusd_t:dbus acquire_svc;
++ allow $2 $1_dbusd_t:fd use;
++ allow $2 { $1_dbusd_t self }:dbus send_msg;
++ allow $2 $1_dbusd_t:unix_stream_socket connectto;
+ ')
+
+ #######################################
+ ## <summary>
+-## Creating connections to DBUS
+-## session bus.
++## Template for creating connections to
++## a user DBUS.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -196,72 +167,23 @@ interface(`dbus_connect_spec_session_bus',`
+ ## </param>
+ #
+ interface(`dbus_session_bus_client',`
+- refpolicywarn(`$0($*) has been deprecated, use dbus_all_session_bus_client() instead.')
+- dbus_all_session_bus_client($1)
+-')
+-
+-#######################################
+-## <summary>
+-## Creating connections to all
+-## DBUS session busses.
+-## </summary>
+-## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+-## </param>
+-#
+-interface(`dbus_all_session_bus_client',`
+ gen_require(`
+- attribute session_bus_type, dbusd_session_bus_client;
++ attribute session_bus_type;
+ class dbus send_msg;
+ ')
+
+- typeattribute $1 dbusd_session_bus_client;
+-
++ # SE-DBus specific permissions
+ allow $1 { session_bus_type self }:dbus send_msg;
+- allow session_bus_type $1:dbus send_msg;
+-
+- allow $1 session_bus_type:unix_stream_socket connectto;
+- allow $1 session_bus_type:fd use;
+-')
+-
+-#######################################
+-## <summary>
+-## Creating connections to specified
+-## DBUS session bus.
+-## </summary>
+-## <param name="role_prefix">
+-## <summary>
+-## The prefix of the user role (e.g., user
+-## is the prefix for user_r).
+-## </summary>
+-## </param>
+-## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+-## </param>
+-#
+-interface(`dbus_spec_session_bus_client',`
+- gen_require(`
+- attribute dbusd_session_bus_client;
+- type $1_dbusd_t;
+- class dbus send_msg;
+- ')
+
+- typeattribute $2 dbusd_session_bus_client;
+-
+- allow $2 { $1_dbusd_t self }:dbus send_msg;
+- allow $1_dbusd_t $2:dbus send_msg;
++ # For connecting to the bus
++ allow $1 session_bus_type:unix_stream_socket connectto;
+
+- allow $2 $1_dbusd_t:unix_stream_socket connectto;
+- allow $2 $1_dbusd_t:fd use;
++ allow session_bus_type $1:process sigkill;
+ ')
+
+-#######################################
++########################################
+ ## <summary>
+-## Send messages to DBUS session bus.
++## Send a message the session DBUS.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
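Review bot: The rewritten dbus_session_bus_client adds `allow session_bus_type $1:process sigkill;` but its documentation still only says it creates connections to a user bus; every session bus daemon can now kill the caller's domain, which belongs in the summary, e.g. `## Also allows session bus daemons to SIGKILL the domain.`. The new side also drops `allow session_bus_type $1:dbus send_msg;`; if dbus-daemon's own replies and signals to a client are checked as send_msg from the bus's type, a confined session bus type would now be denied sending them, so confirm this against the Fedora session bus types rather than assuming dbusd_unconfined covers them. Lastly the summary calls this a template although it is an `interface(...)`.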
+@@ -270,59 +192,17 @@ interface(`dbus_spec_session_bus_client',`
+ ## </param>
+ #
+ interface(`dbus_send_session_bus',`
+- refpolicywarn(`$0($*) has been deprecated, use dbus_send_all_session_bus() instead.')
+- dbus_send_all_session_bus($1)
+-')
+-
+-#######################################
+-## <summary>
+-## Send messages to all DBUS
+-## session busses.
+-## </summary>
+-## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+-## </param>
+-#
+-interface(`dbus_send_all_session_bus',`
+ gen_require(`
+ attribute session_bus_type;
+ class dbus send_msg;
+ ')
+
+- allow $1 dbus_session_bus_type:dbus send_msg;
+-')
+-
+-#######################################
+-## <summary>
+-## Send messages to specified
+-## DBUS session busses.
+-## </summary>
+-## <param name="role_prefix">
+-## <summary>
+-## The prefix of the user role (e.g., user
+-## is the prefix for user_r).
+-## </summary>
+-## </param>
+-## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+-## </param>
+-#
+-interface(`dbus_send_spec_session_bus',`
+- gen_require(`
+- type $1_dbusd_t;
+- class dbus send_msg;
+- ')
+-
+- allow $2 $1_dbusd_t:dbus send_msg;
++ allow $1 session_bus_type:dbus send_msg;
+ ')
+
+ ########################################
+ ## <summary>
+-## Read dbus configuration content.
++## Read dbus configuration.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -380,69 +260,32 @@ interface(`dbus_manage_lib_files',`
+
+ ########################################
+ ## <summary>
+-## Allow a application domain to be
+-## started by the specified session bus.
+-## </summary>
+-## <param name="role_prefix">
+-## <summary>
+-## The prefix of the user role (e.g., user
+-## is the prefix for user_r).
+-## </summary>
+-## </param>
+-## <param name="domain">
+-## <summary>
+-## Type to be used as a domain.
+-## </summary>
+-## </param>
+-## <param name="entry_point">
+-## <summary>
+-## Type of the program to be used as an
+-## entry point to this domain.
+-## </summary>
+-## </param>
+-#
+-interface(`dbus_session_domain',`
+- refpolicywarn(`$0($*) has been deprecated, use dbus_all_session_domain() instead.')
+- dbus_all_session_domain($1, $2)
+-')
+-
+-########################################
+-## <summary>
+-## Allow a application domain to be
+-## started by the specified session bus.
++## Connect to the system DBUS
++## for service (acquire_svc).
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Type to be used as a domain.
+-## </summary>
+-## </param>
+-## <param name="entry_point">
+-## <summary>
+-## Type of the program to be used as an
+-## entry point to this domain.
++## Domain allowed access.
+ ## </summary>
+ ## </param>
+ #
+-interface(`dbus_all_session_domain',`
++interface(`dbus_connect_session_bus',`
+ gen_require(`
+- type session_bus_type;
++ attribute session_bus_type;
++ class dbus acquire_svc;
+ ')
+
+- domtrans_pattern(session_bus_type, $2, $1)
+-
+- dbus_all_session_bus_client($1)
+- dbus_connect_all_session_bus($1)
++ allow $1 session_bus_type:dbus acquire_svc;
+ ')
+
+ ########################################
+ ## <summary>
+-## Allow a application domain to be
+-## started by the specified session bus.
++## Allow a application domain to be started
++## by the session dbus.
+ ## </summary>
+-## <param name="role_prefix">
++## <param name="domain_prefix">
+ ## <summary>
+-## The prefix of the user role (e.g., user
+-## is the prefix for user_r).
++## User domain prefix to be used.
+ ## </summary>
+ ## </param>
+ ## <param name="domain">
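Review bot: The summary placed above the new dbus_connect_session_bus body reads "Connect to the system DBUS for service (acquire_svc)", but the rule it documents is `allow $1 session_bus_type:dbus acquire_svc;`, i.e. the session buses; the text was copied from the system-bus interface and should read `## Acquire service on all DBUS session busses.`. Because the grant keys on the session_bus_type attribute, a caller acquires names on every role's session bus, not just its own; that is fine for the common case but worth one sentence in the description so policy authors do not reach for it when a `$1_dbusd_t`-scoped rule is what they need.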
+@@ -457,20 +300,21 @@ interface(`dbus_all_session_domain',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`dbus_spec_session_domain',`
++interface(`dbus_session_domain',`
+ gen_require(`
+ type $1_dbusd_t;
+ ')
+
+ domtrans_pattern($1_dbusd_t, $2, $3)
+
+- dbus_spec_session_bus_client($1, $2)
+- dbus_connect_spec_session_bus($1, $2)
++ dbus_session_bus_client($3)
++ dbus_connect_session_bus($3)
+ ')
+
+ ########################################
+ ## <summary>
+-## Acquire service on the DBUS system bus.
++## Connect to the system DBUS
++## for service (acquire_svc).
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
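Review bot: dbus_session_domain now calls `dbus_session_bus_client($3)` and `dbus_connect_session_bus($3)`, both of which key on the session_bus_type attribute, so a domain activated by one role's bus gains connect, send_msg and acquire_svc on every role's session bus; the `$1` prefix only scopes the domtrans from `$1_dbusd_t`. The previous code used the prefix-scoped client and connect interfaces, so this is a widening the commit does not call out. If the widening is intended, say so in the interface description; otherwise the patch's own `dbus_session_client($1, $3)` plus an acquire_svc rule on `$1_dbusd_t` would restore the per-role scope. The parameter is also documented as `domain_prefix` while it is used as the role prefix forming `$1_dbusd_t`.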
+@@ -489,7 +333,7 @@ interface(`dbus_connect_system_bus',`
+
+ ########################################
+ ## <summary>
+-## Send messages to the DBUS system bus.
++## Send a message on the system DBUS.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -508,7 +352,7 @@ interface(`dbus_send_system_bus',`
+
+ ########################################
+ ## <summary>
+-## Unconfined access to DBUS system bus.
++## Allow unconfined access to the system DBUS.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -527,8 +371,8 @@ interface(`dbus_system_bus_unconfined',`
+
+ ########################################
+ ## <summary>
+-## Create a domain for processes which
+-## can be started by the DBUS system bus.
++## Create a domain for processes
++## which can be started by the system dbus
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -543,33 +387,57 @@ interface(`dbus_system_bus_unconfined',`
+ #
+ interface(`dbus_system_domain',`
+ gen_require(`
++ attribute system_bus_type;
+ type system_dbusd_t;
+ role system_r;
+ ')
++ typeattribute $1 system_bus_type;
+
+ domain_type($1)
+ domain_entry_file($1, $2)
+
+- role system_r types $1;
+-
+ domtrans_pattern(system_dbusd_t, $2, $1)
+')
-+
+
+- dbus_system_bus_client($1)
+- dbus_connect_system_bus($1)
+-
+- ps_process_pattern(system_dbusd_t, $1)
+########################################
+## <summary>
-+## Connect to dirsrv over a unix stream socket.
++## Use and inherit system DBUS file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -18075,439 +16382,817 @@ index 0000000..b214253
+## </summary>
+## </param>
+#
-+interface(`dirsrv_stream_connect',`
-+ gen_require(`
-+ type dirsrv_t, dirsrv_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ stream_connect_pattern($1, dirsrv_var_run_t, dirsrv_var_run_t, dirsrv_t)
-+')
-+
-+#######################################
-+## <summary>
-+## Allow a domain to manage dirsrv /var/run files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`dirsrv_manage_var_run',`
-+ gen_require(`
-+ type dirsrv_var_run_t;
-+ ')
-+ allow $1 dirsrv_var_run_t:dir manage_dir_perms;
-+ allow $1 dirsrv_var_run_t:file manage_file_perms;
-+ allow $1 dirsrv_var_run_t:sock_file manage_file_perms;
-+')
-+
-+######################################
-+## <summary>
-+## Allow a domain to create dirsrv pid directories.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`dirsrv_pid_filetrans',`
-+ gen_require(`
-+ type dirsrv_var_run_t;
-+ ')
-+ # Allow creating a dir in /var/run with this type
-+ files_pid_filetrans($1, dirsrv_var_run_t, dir)
-+')
-+
-+#######################################
-+## <summary>
-+## Allow a domain to read dirsrv /var/run files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`dirsrv_read_var_run',`
-+ gen_require(`
-+ type dirsrv_var_run_t;
-+ ')
-+ allow $1 dirsrv_var_run_t:dir list_dir_perms;
-+ allow $1 dirsrv_var_run_t:file read_file_perms;
-+')
-+
-+########################################
-+## <summary>
-+## Manage dirsrv configuration files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`dirsrv_manage_config',`
++interface(`dbus_use_system_bus_fds',`
+ gen_require(`
-+ type dirsrv_config_t;
++ type system_dbusd_t;
+ ')
-+
-+ allow $1 dirsrv_config_t:dir manage_dir_perms;
-+ allow $1 dirsrv_config_t:file manage_file_perms;
+
+- userdom_read_all_users_state($1)
++ allow $1 system_dbusd_t:fd use;
+')
-+
+
+- ifdef(`hide_broken_symptoms', `
+- dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
+########################################
+## <summary>
-+## Read dirsrv share files.
++## Allow unconfined access to the system DBUS.
+## </summary>
+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
++## <summary>
++## Domain allowed access.
++## </summary>
+## </param>
+#
-+interface(`dirsrv_read_share',`
++interface(`dbus_unconfined',`
+ gen_require(`
-+ type dirsrv_share_t;
-+ ')
-+
-+ allow $1 dirsrv_share_t:dir list_dir_perms;
-+ allow $1 dirsrv_share_t:file read_file_perms;
-+ allow $1 dirsrv_share_t:lnk_file read;
-+')
-diff --git a/dirsrv.te b/dirsrv.te
-new file mode 100644
-index 0000000..7f0b4f6
---- /dev/null
-+++ b/dirsrv.te
-@@ -0,0 +1,193 @@
-+policy_module(dirsrv,1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+# main daemon
-+type dirsrv_t;
-+type dirsrv_exec_t;
-+domain_type(dirsrv_t)
-+init_daemon_domain(dirsrv_t, dirsrv_exec_t)
-+
-+type dirsrv_snmp_t;
-+type dirsrv_snmp_exec_t;
-+domain_type(dirsrv_snmp_t)
-+init_daemon_domain(dirsrv_snmp_t, dirsrv_snmp_exec_t)
-+
-+type dirsrv_var_lib_t;
-+files_type(dirsrv_var_lib_t)
-+
-+type dirsrv_var_log_t;
-+logging_log_file(dirsrv_var_log_t)
-+
-+type dirsrv_snmp_var_log_t;
-+logging_log_file(dirsrv_snmp_var_log_t)
-+
-+type dirsrv_var_run_t;
-+files_pid_file(dirsrv_var_run_t)
-+
-+type dirsrv_snmp_var_run_t;
-+files_pid_file(dirsrv_snmp_var_run_t)
-+
-+type dirsrv_var_lock_t;
-+files_lock_file(dirsrv_var_lock_t)
-+
-+type dirsrv_config_t;
-+files_type(dirsrv_config_t)
-+
-+type dirsrv_tmp_t;
-+files_tmp_file(dirsrv_tmp_t)
-+
-+type dirsrv_tmpfs_t;
-+files_tmpfs_file(dirsrv_tmpfs_t)
++ attribute dbusd_unconfined;
+ ')
+
-+type dirsrv_share_t;
-+files_type(dirsrv_share_t);
++ typeattribute $1 dbusd_unconfined;
+ ')
+
+ ########################################
+ ## <summary>
+-## Use and inherit DBUS system bus
+-## file descriptors.
++## Delete all dbus pid files
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -577,18 +445,20 @@ interface(`dbus_system_domain',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`dbus_use_system_bus_fds',`
++interface(`dbus_delete_pid_files',`
+ gen_require(`
+- type system_dbusd_t;
++ type system_dbusd_var_run_t;
+ ')
+
+- allow $1 system_dbusd_t:fd use;
++ files_search_pids($1)
++ delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Do not audit attempts to read and
+-## write DBUS system bus TCP sockets.
++## Do not audit attempts to connect to
++## session bus types with a unix
++## stream socket.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -596,28 +466,30 @@ interface(`dbus_use_system_bus_fds',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
++interface(`dbus_dontaudit_stream_connect_session_bus',`
+ gen_require(`
+- type system_dbusd_t;
++ attribute session_bus_type;
+ ')
+
+- dontaudit $1 system_dbusd_t:tcp_socket { read write };
++ dontaudit $1 session_bus_type:unix_stream_socket connectto;
+ ')
+
+ ########################################
+ ## <summary>
+-## Unconfined access to DBUS.
++## Do not audit attempts to send dbus
++## messages to session bus types.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
++## Domain to not audit.
+ ## </summary>
+ ## </param>
+ #
+-interface(`dbus_unconfined',`
++interface(`dbus_dontaudit_chat_session_bus',`
+ gen_require(`
+- attribute dbusd_unconfined;
++ attribute session_bus_type;
++ class dbus send_msg;
+ ')
+
+- typeattribute $1 dbusd_unconfined;
++ dontaudit $1 session_bus_type:dbus send_msg;
+ ')
+diff --git a/dbus.te b/dbus.te
+index 2c2e7e1..4dee5a0 100644
+--- a/dbus.te
++++ b/dbus.te
+@@ -1,20 +1,18 @@
+-policy_module(dbus, 1.18.8)
++policy_module(dbus, 1.17.0)
+
+ gen_require(`
+ class dbus all_dbus_perms;
+ ')
+
+-########################################
++##############################
+ #
+-# Declarations
++# Delcarations
+ #
+
+ attribute dbusd_unconfined;
++attribute system_bus_type;
+ attribute session_bus_type;
+
+-attribute dbusd_system_bus_client;
+-attribute dbusd_session_bus_client;
+-
+ type dbusd_etc_t;
+ files_config_file(dbusd_etc_t)
+
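Review bot: The new section header `# Delcarations` misspells upstream's `# Declarations`, and the same typo is introduced into dbus.if's role template elsewhere in this patch; both should read `# Declarations`. This hunk also deletes the `dbusd_system_bus_client` and `dbusd_session_bus_client` attributes that upstream uses to collect bus clients, so any module still referencing them will fail to build and a tree-wide grep is warranted. The module version also drops from 1.18.8 to 1.17.0, which makes the merged Fedora module appear older than the upstream it was merged from.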
+@@ -22,9 +20,6 @@ type dbusd_exec_t;
+ corecmd_executable_file(dbusd_exec_t)
+ typealias dbusd_exec_t alias system_dbusd_exec_t;
+
+-type session_dbusd_home_t;
+-userdom_user_home_content(session_dbusd_home_t)
+-
+ type session_dbusd_tmp_t;
+ typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t };
+ typealias session_dbusd_tmp_t alias { auditadm_dbusd_tmp_t secadm_dbusd_tmp_t };
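Review bot: Dropping `type session_dbusd_home_t;` and its `userdom_user_home_content` declaration removes the dedicated label for the session bus daemon's `~/.dbus` content; the replacement visible later in this patch (userdom_manage_user_home_content_dirs/files on session_bus_type) lets every session bus daemon create and modify arbitrary user home content instead of only its own directory. If the private type is being retired on purpose, record the reason in a comment next to the generic grant, e.g. `# ~/.dbus is plain user home content; dedicated session_dbusd_home_t was dropped`; otherwise keep the type and its `.dbus` filetrans. Systems that already carry files labelled session_dbusd_home_t may also need a typealias or a relabel, which the patch does not provide.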
+@@ -41,7 +36,7 @@ files_type(system_dbusd_var_lib_t)
+
+ type system_dbusd_var_run_t;
+ files_pid_file(system_dbusd_var_run_t)
+-init_daemon_run_dir(system_dbusd_var_run_t, "dbus")
++init_sock_file(system_dbusd_var_run_t)
+
+ ifdef(`enable_mcs',`
+ init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh)
+@@ -51,59 +46,56 @@ ifdef(`enable_mls',`
+ init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mls_systemhigh)
+ ')
+
+-########################################
++##############################
+ #
+-# Local policy
++# System bus local policy
+ #
+
++# dac_override: /var/run/dbus is owned by messagebus on Debian
++# cjp: dac_override should probably go in a distro_debian
+ allow system_dbusd_t self:capability { sys_resource dac_override setgid setpcap setuid };
+ dontaudit system_dbusd_t self:capability sys_tty_config;
+ allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit };
+ allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
+ allow system_dbusd_t self:dbus { send_msg acquire_svc };
+-allow system_dbusd_t self:unix_stream_socket { accept connectto listen };
++allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
++allow system_dbusd_t self:unix_dgram_socket create_socket_perms;
++# Receive notifications of policy reloads and enforcing status changes.
+ allow system_dbusd_t self:netlink_selinux_socket { create bind read };
+
++can_exec(system_dbusd_t, dbusd_exec_t)
+
-+########################################
-+#
-+# dirsrv local policy
-+#
-+allow dirsrv_t self:process { getsched setsched setfscreate signal_perms};
-+allow dirsrv_t self:capability { sys_nice setuid setgid fsetid chown dac_override fowner };
-+allow dirsrv_t self:fifo_file manage_fifo_file_perms;
-+allow dirsrv_t self:sem create_sem_perms;
-+allow dirsrv_t self:tcp_socket create_stream_socket_perms;
+ allow system_dbusd_t dbusd_etc_t:dir list_dir_perms;
+ read_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t)
+ read_lnk_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t)
+
+ manage_dirs_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)
+ manage_files_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)
+-files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { dir file })
++files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })
+
+ read_files_pattern(system_dbusd_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+
+ manage_dirs_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
+ manage_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
+ manage_sock_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
+-files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, { dir file })
+-
+-can_exec(system_dbusd_t, dbusd_exec_t)
++files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, { file dir })
+
+ kernel_read_system_state(system_dbusd_t)
+ kernel_read_kernel_sysctls(system_dbusd_t)
+
+-corecmd_list_bin(system_dbusd_t)
+-corecmd_read_bin_pipes(system_dbusd_t)
+-corecmd_read_bin_sockets(system_dbusd_t)
+-corecmd_exec_shell(system_dbusd_t)
+-
+ dev_read_urand(system_dbusd_t)
+ dev_read_sysfs(system_dbusd_t)
+
+-domain_use_interactive_fds(system_dbusd_t)
+-domain_read_all_domains_state(system_dbusd_t)
+-
+-files_list_home(system_dbusd_t)
+-files_read_usr_files(system_dbusd_t)
++files_rw_inherited_non_security_files(system_dbusd_t)
+
+ fs_getattr_all_fs(system_dbusd_t)
+ fs_list_inotifyfs(system_dbusd_t)
+ fs_search_auto_mountpoints(system_dbusd_t)
+-fs_search_cgroup_dirs(system_dbusd_t)
+ fs_dontaudit_list_nfs(system_dbusd_t)
+
++storage_rw_inherited_fixed_disk_dev(system_dbusd_t)
++storage_rw_inherited_removable_device(system_dbusd_t)
+
-+manage_files_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
-+fs_tmpfs_filetrans(dirsrv_t, dirsrv_tmpfs_t, file)
+ mls_fd_use_all_levels(system_dbusd_t)
+ mls_rangetrans_target(system_dbusd_t)
+ mls_file_read_all_levels(system_dbusd_t)
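Review bot: `allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };` lists connectto twice; it compiles, but should be `{ connectto create_stream_socket_perms }`. The more significant additions are `storage_rw_inherited_fixed_disk_dev`, `storage_rw_inherited_removable_device` and `files_rw_inherited_non_security_files` on system_dbusd_t, which grant the system bus daemon read/write on inherited descriptors for raw disk devices and nearly all non-security files; these read like workarounds for descriptors leaked into dbus-daemon by a parent or an activated service, and for a daemon every local client talks to the safer form is a dontaudit of the inherited access, or fixing the leak. At minimum each of these lines should carry a comment naming the process that leaks the descriptor so the rule can be removed later.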
+@@ -123,66 +115,156 @@ term_dontaudit_use_console(system_dbusd_t)
+ auth_use_nsswitch(system_dbusd_t)
+ auth_read_pam_console_data(system_dbusd_t)
+
++corecmd_list_bin(system_dbusd_t)
++corecmd_read_bin_pipes(system_dbusd_t)
++corecmd_read_bin_sockets(system_dbusd_t)
++# needed for system-tools-backends
++corecmd_exec_shell(system_dbusd_t)
+
-+manage_dirs_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
-+manage_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
-+manage_sock_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
-+files_var_lib_filetrans(dirsrv_t,dirsrv_var_lib_t, { file dir sock_file })
++domain_use_interactive_fds(system_dbusd_t)
++domain_read_all_domains_state(system_dbusd_t)
+
-+manage_dirs_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t)
-+manage_files_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t)
-+manage_fifo_files_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t)
-+allow dirsrv_t dirsrv_var_log_t:dir { setattr };
-+logging_log_filetrans(dirsrv_t,dirsrv_var_log_t,{ sock_file file dir })
++files_list_home(system_dbusd_t)
++files_read_usr_files(system_dbusd_t)
+
-+manage_dirs_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t)
-+manage_files_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t)
-+manage_sock_files_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t)
-+files_pid_filetrans(dirsrv_t, dirsrv_var_run_t, { file dir sock_file })
+ init_use_fds(system_dbusd_t)
+ init_use_script_ptys(system_dbusd_t)
+-init_all_labeled_script_domtrans(system_dbusd_t)
++init_bin_domtrans_spec(system_dbusd_t)
++init_domtrans_script(system_dbusd_t)
++init_rw_stream_sockets(system_dbusd_t)
++init_status(system_dbusd_t)
+
+ logging_send_audit_msgs(system_dbusd_t)
+ logging_send_syslog_msg(system_dbusd_t)
+
+-miscfiles_read_localization(system_dbusd_t)
+ miscfiles_read_generic_certs(system_dbusd_t)
+
+ seutil_read_config(system_dbusd_t)
+ seutil_read_default_contexts(system_dbusd_t)
++seutil_sigchld_newrole(system_dbusd_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
+ userdom_dontaudit_search_user_home_dirs(system_dbusd_t)
+
++userdom_home_reader(system_dbusd_t)
+
-+manage_files_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t)
-+manage_dirs_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t)
-+files_lock_filetrans(dirsrv_t, dirsrv_var_lock_t, file)
-+files_setattr_lock_dirs(dirsrv_t)
++optional_policy(`
++ bind_domtrans(system_dbusd_t)
++')
+
-+manage_files_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)
-+manage_dirs_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)
-+manage_lnk_files_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)
+ optional_policy(`
+ bluetooth_stream_connect(system_dbusd_t)
+ ')
+
+ optional_policy(`
+- policykit_read_lib(system_dbusd_t)
++ cpufreqselector_dbus_chat(system_dbusd_t)
++')
+
-+manage_files_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t)
-+manage_dirs_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t)
-+files_tmp_filetrans(dirsrv_t, dirsrv_tmp_t, { file dir })
-+allow dirsrv_t dirsrv_tmp_t:file relabel_file_perms;
++optional_policy(`
++ getty_start_services(system_dbusd_t)
++')
+
-+kernel_read_system_state(dirsrv_t)
-+kernel_read_kernel_sysctls(dirsrv_t)
++optional_policy(`
++ gnome_exec_gconf(system_dbusd_t)
++ gnome_read_inherited_home_icc_data_files(system_dbusd_t)
++')
+
-+corecmd_search_bin(dirsrv_t)
++optional_policy(`
++ networkmanager_initrc_domtrans(system_dbusd_t)
++ networkmanager_systemctl(system_dbusd_t)
++')
+
-+corenet_all_recvfrom_netlabel(dirsrv_t)
-+corenet_tcp_sendrecv_generic_if(dirsrv_t)
-+corenet_tcp_sendrecv_generic_node(dirsrv_t)
-+corenet_tcp_sendrecv_all_ports(dirsrv_t)
-+corenet_tcp_bind_generic_node(dirsrv_t)
-+corenet_tcp_bind_ldap_port(dirsrv_t)
-+corenet_tcp_bind_dogtag_port(dirsrv_t)
-+corenet_tcp_bind_all_rpc_ports(dirsrv_t)
-+corenet_udp_bind_all_rpc_ports(dirsrv_t)
-+corenet_tcp_connect_all_ports(dirsrv_t)
-+corenet_sendrecv_ldap_server_packets(dirsrv_t)
-+corenet_sendrecv_all_client_packets(dirsrv_t)
++optional_policy(`
++ policykit_dbus_chat(system_dbusd_t)
++ policykit_domtrans_auth(system_dbusd_t)
++ policykit_search_lib(system_dbusd_t)
++')
+
-+dev_read_sysfs(dirsrv_t)
-+dev_read_urand(dirsrv_t)
++optional_policy(`
++ sysnet_domtrans_dhcpc(system_dbusd_t)
+ ')
+
+ optional_policy(`
+- seutil_sigchld_newrole(system_dbusd_t)
++ systemd_use_fds_logind(system_dbusd_t)
++ systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
++ systemd_write_inhibit_pipes(system_dbusd_t)
++# These are caused by broken systemd patch
++ systemd_start_power_services(system_dbusd_t)
++ systemd_config_all_services(system_dbusd_t)
++ files_config_all_files(system_dbusd_t)
+ ')
+
+ optional_policy(`
+ udev_read_db(system_dbusd_t)
+ ')
+
++optional_policy(`
++ # /var/lib/gdm/.local/share/icc/edid-0a027915105823af34f99b1704e80336.icc
++ xserver_read_inherited_xdm_lib_files(system_dbusd_t)
++')
+
-+files_read_etc_files(dirsrv_t)
-+files_read_usr_symlinks(dirsrv_t)
+ ########################################
+ #
+-# Common session bus local policy
++# system_bus_type rules
+ #
++role system_r types system_bus_type;
+
-+fs_getattr_all_fs(dirsrv_t)
++fs_search_all(system_bus_type)
+
-+auth_use_pam(dirsrv_t)
++dbus_system_bus_client(system_bus_type)
++dbus_connect_system_bus(system_bus_type)
+
-+logging_send_syslog_msg(dirsrv_t)
++init_status(system_bus_type)
++init_stream_connect(system_bus_type)
++init_dgram_send(system_bus_type)
++init_use_fds(system_bus_type)
++init_rw_stream_sockets(system_bus_type)
+
-+sysnet_dns_name_resolve(dirsrv_t)
++ps_process_pattern(system_dbusd_t, system_bus_type)
+
-+optional_policy(`
-+ apache_dontaudit_leaks(dirsrv_t)
-+')
++userdom_dontaudit_search_admin_dir(system_bus_type)
++userdom_read_all_users_state(system_bus_type)
+
+optional_policy(`
-+ dirsrvadmin_read_tmp(dirsrv_t)
++ abrt_stream_connect(system_bus_type)
+')
+
-+
+optional_policy(`
-+ kerberos_use(dirsrv_t)
-+ kerberos_tmp_filetrans_host_rcache(dirsrv_t, "ldapmap1_0")
-+ kerberos_tmp_filetrans_host_rcache(dirsrv_t, "ldap_487")
-+ kerberos_tmp_filetrans_host_rcache(dirsrv_t, "ldap_55")
++ rpm_script_dbus_chat(system_bus_type)
+')
+
-+# FIPS mode
+optional_policy(`
-+ prelink_exec(dirsrv_t)
++ unconfined_dbus_send(system_bus_type)
+')
-+
-+optional_policy(`
-+ rpcbind_stream_connect(dirsrv_t)
+
++ifdef(`hide_broken_symptoms',`
++ dontaudit system_bus_type system_dbusd_t:netlink_selinux_socket { read write };
+')
+
+########################################
+#
-+# dirsrv-snmp local policy
++# session_bus_type rules
+#
-+allow dirsrv_snmp_t self:capability { dac_override dac_read_search };
-+allow dirsrv_snmp_t self:fifo_file rw_fifo_file_perms;
-+
-+rw_files_pattern(dirsrv_snmp_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
++allow session_bus_type self:capability2 block_suspend;
+ dontaudit session_bus_type self:capability sys_resource;
+ allow session_bus_type self:process { getattr sigkill signal };
+-dontaudit session_bus_type self:process { ptrace setrlimit };
++dontaudit session_bus_type self:process setrlimit;
+ allow session_bus_type self:file { getattr read write };
+ allow session_bus_type self:fifo_file rw_fifo_file_perms;
+ allow session_bus_type self:dbus { send_msg acquire_svc };
+-allow session_bus_type self:unix_stream_socket { accept listen };
+-allow session_bus_type self:tcp_socket { accept listen };
++allow session_bus_type self:unix_stream_socket create_stream_socket_perms;
++allow session_bus_type self:unix_dgram_socket create_socket_perms;
++allow session_bus_type self:tcp_socket create_stream_socket_perms;
+ allow session_bus_type self:netlink_selinux_socket create_socket_perms;
+
+ allow session_bus_type dbusd_etc_t:dir list_dir_perms;
+ read_files_pattern(session_bus_type, dbusd_etc_t, dbusd_etc_t)
+ read_lnk_files_pattern(session_bus_type, dbusd_etc_t, dbusd_etc_t)
+
+-manage_dirs_pattern(session_bus_type, session_dbusd_home_t, session_dbusd_home_t)
+-manage_files_pattern(session_bus_type, session_dbusd_home_t, session_dbusd_home_t)
+-userdom_user_home_dir_filetrans(session_bus_type, session_dbusd_home_t, dir, ".dbus")
+-
+ manage_dirs_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t)
+ manage_files_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t)
+-files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { dir file })
++files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { file dir })
+
+-kernel_read_system_state(session_bus_type)
+ kernel_read_kernel_sysctls(session_bus_type)
+
+ corecmd_list_bin(session_bus_type)
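Review bot: The systemd optional_policy block adds `systemd_start_power_services`, `systemd_config_all_services` and `files_config_all_files(system_dbusd_t)` under the comment `# These are caused by broken systemd patch`; by their names these let the system bus daemon reconfigure all services and write configuration across all file types, a large privilege expansion justified only by a workaround, and the comment sits at column 0 inside the indented block. Indent the comment to the block and make it actionable, e.g. `	# TODO: workaround for a broken systemd patch; drop once fixed`, ideally naming the tracking bug. The hunk also moves `userdom_read_all_users_state` from dbus_system_domain onto the whole system_bus_type attribute, so every bus-activated system service can read all users' process state; since that is now implicit for each caller of dbus_system_domain it deserves a line under the `# system_bus_type rules` header.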
+@@ -191,20 +273,16 @@ corecmd_read_bin_files(session_bus_type)
+ corecmd_read_bin_pipes(session_bus_type)
+ corecmd_read_bin_sockets(session_bus_type)
+
+-corenet_all_recvfrom_unlabeled(session_bus_type)
+-corenet_all_recvfrom_netlabel(session_bus_type)
+ corenet_tcp_sendrecv_generic_if(session_bus_type)
+ corenet_tcp_sendrecv_generic_node(session_bus_type)
+ corenet_tcp_sendrecv_all_ports(session_bus_type)
+ corenet_tcp_bind_generic_node(session_bus_type)
+-
+-corenet_sendrecv_all_server_packets(session_bus_type)
+ corenet_tcp_bind_reserved_port(session_bus_type)
+
+ dev_read_urand(session_bus_type)
+
+-domain_read_all_domains_state(session_bus_type)
+ domain_use_interactive_fds(session_bus_type)
++domain_read_all_domains_state(session_bus_type)
+
+ files_list_home(session_bus_type)
+ files_read_usr_files(session_bus_type)
+@@ -215,7 +293,6 @@ fs_getattr_xattr_fs(session_bus_type)
+ fs_list_inotifyfs(session_bus_type)
+ fs_dontaudit_list_nfs(session_bus_type)
+
+-selinux_get_fs_mount(session_bus_type)
+ selinux_validate_context(session_bus_type)
+ selinux_compute_access_vector(session_bus_type)
+ selinux_compute_create_context(session_bus_type)
+@@ -225,18 +302,39 @@ selinux_compute_user_contexts(session_bus_type)
+ auth_read_pam_console_data(session_bus_type)
+
+ logging_send_audit_msgs(session_bus_type)
+-logging_send_syslog_msg(session_bus_type)
+-
+-miscfiles_read_localization(session_bus_type)
+
+ seutil_read_config(session_bus_type)
+ seutil_read_default_contexts(session_bus_type)
+
+-term_use_all_terms(session_bus_type)
++term_use_all_inherited_terms(session_bus_type)
+
-+read_files_pattern(dirsrv_snmp_t, dirsrv_var_run_t, dirsrv_var_run_t)
++userdom_dontaudit_search_admin_dir(session_bus_type)
++userdom_manage_user_home_content_dirs(session_bus_type)
++userdom_manage_user_home_content_files(session_bus_type)
++userdom_user_home_dir_filetrans_user_home_content(session_bus_type, { dir file })
++userdom_manage_tmpfs_files(session_bus_type, file)
++userdom_tmpfs_filetrans(session_bus_type, file)
+
+ optional_policy(`
++ gnome_read_config(session_bus_type)
++ gnome_read_gconf_home_files(session_bus_type)
++')
+
-+read_files_pattern(dirsrv_snmp_t, dirsrv_config_t, dirsrv_config_t)
++optional_policy(`
++ hal_dbus_chat(session_bus_type)
++')
+
-+manage_files_pattern(dirsrv_snmp_t, dirsrv_snmp_var_run_t, dirsrv_snmp_var_run_t)
-+files_pid_filetrans(dirsrv_snmp_t, dirsrv_snmp_var_run_t, { file sock_file })
-+search_dirs_pattern(dirsrv_snmp_t, dirsrv_var_run_t, dirsrv_var_run_t)
++optional_policy(`
++ thumb_domtrans(session_bus_type)
++')
+
-+manage_files_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t);
-+filetrans_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t, file)
++optional_policy(`
++ xserver_search_xdm_lib(session_bus_type)
++ xserver_use_xdm_fds(session_bus_type)
++ xserver_rw_xdm_pipes(session_bus_type)
+ xserver_use_xdm_fds(session_bus_type)
+ xserver_rw_xdm_pipes(session_bus_type)
++ xserver_append_xdm_home_files(session_bus_type)
+ ')
+
+ ########################################
+@@ -244,5 +342,6 @@ optional_policy(`
+ # Unconfined access to this module
+ #
+
+-allow dbusd_unconfined { dbusd_session_bus_client dbusd_system_bus_client }:dbus send_msg;
+-allow dbusd_unconfined { system_dbusd_t session_bus_type }:dbus all_dbus_perms;
++allow dbusd_unconfined session_bus_type:dbus all_dbus_perms;
++allow dbusd_unconfined dbusd_unconfined:dbus all_dbus_perms;
++allow session_bus_type dbusd_unconfined:dbus send_msg;
+diff --git a/dcc.if b/dcc.if
+index a5c21e0..4639421 100644
+--- a/dcc.if
++++ b/dcc.if
+@@ -173,6 +173,6 @@ interface(`dcc_stream_connect_dccifd',`
+ type dcc_var_t, dccifd_var_run_t, dccifd_t;
+ ')
+
+- files_search_var($1)
++ files_search_pids($1)
+ stream_connect_pattern($1, dcc_var_t, dccifd_var_run_t, dccifd_t)
+ ')
+diff --git a/dcc.te b/dcc.te
+index 15d908f..27463a3 100644
+--- a/dcc.te
++++ b/dcc.te
+@@ -45,7 +45,7 @@ type dcc_var_t;
+ files_type(dcc_var_t)
+
+ type dcc_var_run_t;
+-files_type(dcc_var_run_t)
++files_pid_file(dcc_var_run_t)
+
+ type dccd_t;
+ type dccd_exec_t;
+@@ -94,15 +94,18 @@ allow cdcc_t dcc_var_t:dir list_dir_perms;
+ read_files_pattern(cdcc_t, dcc_var_t, dcc_var_t)
+ read_lnk_files_pattern(cdcc_t, dcc_var_t, dcc_var_t)
+
++corenet_all_recvfrom_netlabel(cdcc_t)
++corenet_udp_sendrecv_generic_if(cdcc_t)
++corenet_udp_sendrecv_generic_node(cdcc_t)
++corenet_udp_sendrecv_all_ports(cdcc_t)
+
-+corenet_tcp_connect_agentx_port(dirsrv_snmp_t)
+ files_read_etc_runtime_files(cdcc_t)
+
+ auth_use_nsswitch(cdcc_t)
+
+ logging_send_syslog_msg(cdcc_t)
+
+-miscfiles_read_localization(cdcc_t)
+-
+-userdom_use_user_terminals(cdcc_t)
++userdom_use_inherited_user_terminals(cdcc_t)
+
+ ########################################
+ #
+@@ -123,6 +126,12 @@ read_lnk_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
+
+ kernel_read_system_state(dcc_client_t)
+
++corenet_all_recvfrom_netlabel(dcc_client_t)
++corenet_udp_sendrecv_generic_if(dcc_client_t)
++corenet_udp_sendrecv_generic_node(dcc_client_t)
++corenet_udp_sendrecv_all_ports(dcc_client_t)
++corenet_udp_bind_generic_node(dcc_client_t)
+
-+dev_read_rand(dirsrv_snmp_t)
-+dev_read_urand(dirsrv_snmp_t)
+ files_read_etc_runtime_files(dcc_client_t)
+
+ fs_getattr_all_fs(dcc_client_t)
+@@ -131,9 +140,7 @@ auth_use_nsswitch(dcc_client_t)
+
+ logging_send_syslog_msg(dcc_client_t)
+
+-miscfiles_read_localization(dcc_client_t)
+-
+-userdom_use_user_terminals(dcc_client_t)
++userdom_use_inherited_user_terminals(dcc_client_t)
+
+ optional_policy(`
+ amavis_read_spool_files(dcc_client_t)
+@@ -160,15 +167,18 @@ manage_lnk_files_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t)
+
+ kernel_read_system_state(dcc_dbclean_t)
+
++corenet_all_recvfrom_netlabel(dcc_dbclean_t)
++corenet_udp_sendrecv_generic_if(dcc_dbclean_t)
++corenet_udp_sendrecv_generic_node(dcc_dbclean_t)
++corenet_udp_sendrecv_all_ports(dcc_dbclean_t)
+
-+domain_use_interactive_fds(dirsrv_snmp_t)
+ files_read_etc_runtime_files(dcc_dbclean_t)
+
+ auth_use_nsswitch(dcc_dbclean_t)
+
+ logging_send_syslog_msg(dcc_dbclean_t)
+
+-miscfiles_read_localization(dcc_dbclean_t)
+-
+-userdom_use_user_terminals(dcc_dbclean_t)
++userdom_use_inherited_user_terminals(dcc_dbclean_t)
+
+ ########################################
+ #
+@@ -202,7 +212,6 @@ files_pid_filetrans(dccd_t, dccd_var_run_t, { dir file })
+ kernel_read_system_state(dccd_t)
+ kernel_read_kernel_sysctls(dccd_t)
+
+-corenet_all_recvfrom_unlabeled(dccd_t)
+ corenet_all_recvfrom_netlabel(dccd_t)
+ corenet_udp_sendrecv_generic_if(dccd_t)
+ corenet_udp_sendrecv_generic_node(dccd_t)
+@@ -227,8 +236,6 @@ auth_use_nsswitch(dccd_t)
+
+ logging_send_syslog_msg(dccd_t)
+
+-miscfiles_read_localization(dccd_t)
+-
+ userdom_dontaudit_use_unpriv_user_fds(dccd_t)
+ userdom_dontaudit_search_user_home_dirs(dccd_t)
+
+@@ -269,6 +276,11 @@ files_pid_filetrans(dccifd_t, dccifd_var_run_t, file)
+ kernel_read_system_state(dccifd_t)
+ kernel_read_kernel_sysctls(dccifd_t)
+
++corenet_all_recvfrom_netlabel(dccifd_t)
++corenet_udp_sendrecv_generic_if(dccifd_t)
++corenet_udp_sendrecv_generic_node(dccifd_t)
++corenet_udp_sendrecv_all_ports(dccifd_t)
+
-+#files_manage_var_files(dirsrv_snmp_t)
-+files_read_etc_files(dirsrv_snmp_t)
-+files_read_usr_files(dirsrv_snmp_t)
+ dev_read_sysfs(dccifd_t)
+
+ domain_use_interactive_fds(dccifd_t)
+@@ -282,8 +294,6 @@ auth_use_nsswitch(dccifd_t)
+
+ logging_send_syslog_msg(dccifd_t)
+
+-miscfiles_read_localization(dccifd_t)
+-
+ userdom_dontaudit_use_unpriv_user_fds(dccifd_t)
+ userdom_dontaudit_search_user_home_dirs(dccifd_t)
+
+@@ -324,6 +334,11 @@ files_pid_filetrans(dccm_t, dccm_var_run_t, file)
+ kernel_read_system_state(dccm_t)
+ kernel_read_kernel_sysctls(dccm_t)
+
++corenet_all_recvfrom_netlabel(dccm_t)
++corenet_udp_sendrecv_generic_if(dccm_t)
++corenet_udp_sendrecv_generic_node(dccm_t)
++corenet_udp_sendrecv_all_ports(dccm_t)
+
-+fs_getattr_tmpfs(dirsrv_snmp_t)
-+fs_search_tmpfs(dirsrv_snmp_t)
+ dev_read_sysfs(dccm_t)
+
+ domain_use_interactive_fds(dccm_t)
+@@ -337,8 +352,6 @@ auth_use_nsswitch(dccm_t)
+
+ logging_send_syslog_msg(dccm_t)
+
+-miscfiles_read_localization(dccm_t)
+-
+ userdom_dontaudit_use_unpriv_user_fds(dccm_t)
+ userdom_dontaudit_search_user_home_dirs(dccm_t)
+
+diff --git a/ddclient.if b/ddclient.if
+index 5606b40..cd18cf2 100644
+--- a/ddclient.if
++++ b/ddclient.if
+@@ -70,9 +70,13 @@ interface(`ddclient_admin',`
+ type ddclient_var_run_t, ddclient_initrc_exec_t;
+ ')
+
+- allow $1 ddclient_t:process { ptrace signal_perms };
++ allow $1 ddclient_t:process signal_perms;
+ ps_process_pattern($1, ddclient_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 ddclient_t:process ptrace;
++ ')
+
+ init_labeled_script_domtrans($1, ddclient_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 ddclient_initrc_exec_t system_r;
+diff --git a/ddclient.te b/ddclient.te
+index 0b4b8b9..6f53812 100644
+--- a/ddclient.te
++++ b/ddclient.te
+@@ -38,9 +38,13 @@ files_pid_file(ddclient_var_run_t)
+ # Declarations
+ #
+
+
-+sysnet_read_config(dirsrv_snmp_t)
-+sysnet_dns_name_resolve(dirsrv_snmp_t)
+ dontaudit ddclient_t self:capability sys_tty_config;
+ allow ddclient_t self:process signal_perms;
+ allow ddclient_t self:fifo_file rw_fifo_file_perms;
++allow ddclient_t self:tcp_socket create_socket_perms;
++allow ddclient_t self:udp_socket create_socket_perms;
++allow ddclient_t self:netlink_route_socket r_netlink_socket_perms;
+
+ read_files_pattern(ddclient_t, ddclient_etc_t, ddclient_etc_t)
+ setattr_files_pattern(ddclient_t, ddclient_etc_t, ddclient_etc_t)
+@@ -75,7 +79,6 @@ kernel_search_network_sysctl(ddclient_t)
+ corecmd_exec_shell(ddclient_t)
+ corecmd_exec_bin(ddclient_t)
+
+-corenet_all_recvfrom_unlabeled(ddclient_t)
+ corenet_all_recvfrom_netlabel(ddclient_t)
+ corenet_tcp_sendrecv_generic_if(ddclient_t)
+ corenet_udp_sendrecv_generic_if(ddclient_t)
+@@ -83,6 +86,9 @@ corenet_tcp_sendrecv_generic_node(ddclient_t)
+ corenet_udp_sendrecv_generic_node(ddclient_t)
+ corenet_tcp_sendrecv_all_ports(ddclient_t)
+ corenet_udp_sendrecv_all_ports(ddclient_t)
++corenet_tcp_bind_generic_node(ddclient_t)
++corenet_udp_bind_generic_node(ddclient_t)
++corenet_tcp_connect_all_ports(ddclient_t)
+
+ corenet_sendrecv_all_client_packets(ddclient_t)
+ corenet_tcp_connect_all_ports(ddclient_t)
+@@ -99,9 +105,11 @@ files_read_usr_files(ddclient_t)
+ fs_getattr_all_fs(ddclient_t)
+ fs_search_auto_mountpoints(ddclient_t)
+
++auth_read_passwd(ddclient_t)
+
-+optional_policy(`
-+ snmp_dontaudit_read_snmp_var_lib_files(dirsrv_snmp_t)
-+ snmp_dontaudit_write_snmp_var_lib_files(dirsrv_snmp_t)
-+ snmp_manage_var_lib_dirs(dirsrv_snmp_t)
-+ snmp_manage_var_lib_files(dirsrv_snmp_t)
-+ snmp_stream_connect(dirsrv_snmp_t)
-+')
-diff --git a/distcc.te b/distcc.te
-index 54d93e8..16d2e18 100644
---- a/distcc.te
-+++ b/distcc.te
-@@ -44,7 +44,6 @@ files_pid_filetrans(distccd_t, distccd_var_run_t, file)
- kernel_read_system_state(distccd_t)
- kernel_read_kernel_sysctls(distccd_t)
+ logging_send_syslog_msg(ddclient_t)
--corenet_all_recvfrom_unlabeled(distccd_t)
- corenet_all_recvfrom_netlabel(distccd_t)
- corenet_tcp_sendrecv_generic_if(distccd_t)
- corenet_udp_sendrecv_generic_if(distccd_t)
-@@ -73,8 +72,6 @@ libs_exec_lib_files(distccd_t)
+-miscfiles_read_localization(ddclient_t)
++mta_send_mail(ddclient_t)
+
+ sysnet_exec_ifconfig(ddclient_t)
+ sysnet_dns_name_resolve(ddclient_t)
+diff --git a/denyhosts.if b/denyhosts.if
+index a7326da..c87b5b7 100644
+--- a/denyhosts.if
++++ b/denyhosts.if
+@@ -53,6 +53,7 @@ interface(`denyhosts_initrc_domtrans',`
+ ## Role allowed access.
+ ## </summary>
+ ## </param>
++## <rolecap/>
+ #
+ interface(`denyhosts_admin',`
+ gen_require(`
+@@ -60,20 +61,24 @@ interface(`denyhosts_admin',`
+ type denyhosts_var_log_t, denyhosts_initrc_exec_t;
+ ')
- logging_send_syslog_msg(distccd_t)
+- allow $1 denyhosts_t:process { ptrace signal_perms };
++ allow $1 denyhosts_t:process signal_perms;
+ ps_process_pattern($1, denyhosts_t)
--miscfiles_read_localization(distccd_t)
--
- sysnet_read_config(distccd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 denyhosts_t:process ptrace;
++ ')
++
+ denyhosts_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 denyhosts_initrc_exec_t system_r;
+ allow $2 system_r;
- userdom_dontaudit_use_unpriv_user_fds(distccd_t)
-diff --git a/djbdns.if b/djbdns.if
-index ade3079..41a21f1 100644
---- a/djbdns.if
-+++ b/djbdns.if
-@@ -34,7 +34,6 @@ template(`djbdns_daemontools_domain_template',`
- allow djbdns_$1_t djbdns_$1_conf_t:dir list_dir_perms;
- allow djbdns_$1_t djbdns_$1_conf_t:file read_file_perms;
+- files_search_var_lib($1)
++ files_list_var_lib($1)
+ admin_pattern($1, denyhosts_var_lib_t)
-- corenet_all_recvfrom_unlabeled(djbdns_$1_t)
- corenet_all_recvfrom_netlabel(djbdns_$1_t)
- corenet_tcp_sendrecv_generic_if(djbdns_$1_t)
- corenet_udp_sendrecv_generic_if(djbdns_$1_t)
-diff --git a/djbdns.te b/djbdns.te
-index 03b5286..62fbae1 100644
---- a/djbdns.te
-+++ b/djbdns.te
-@@ -39,6 +39,9 @@ allow djbdns_axfrdns_t djbdns_tinydns_conf_t:file read_file_perms;
+- logging_search_logs($1)
++ logging_list_logs($1)
+ admin_pattern($1, denyhosts_var_log_t)
- files_search_var(djbdns_axfrdns_t)
+- files_search_locks($1)
++ files_list_locks($1)
+ admin_pattern($1, denyhosts_var_lock_t)
+ ')
+diff --git a/denyhosts.te b/denyhosts.te
+index bcb9770..bc1d203 100644
+--- a/denyhosts.te
++++ b/denyhosts.te
+@@ -25,6 +25,9 @@ logging_log_file(denyhosts_var_log_t)
+ #
+ # Local policy
+ #
++# Bug #588563
++allow denyhosts_t self:capability sys_tty_config;
++allow denyhosts_t self:fifo_file rw_fifo_file_perms;
-+daemontools_ipc_domain(djbdns_axfrdns_t)
-+daemontools_read_svc(djbdns_axfrdns_t)
-+
- ucspitcp_service_domain(djbdns_axfrdns_t, djbdns_axfrdns_exec_t)
+ allow denyhosts_t self:capability sys_tty_config;
+ allow denyhosts_t self:fifo_file rw_fifo_file_perms;
+@@ -44,11 +47,12 @@ logging_log_filetrans(denyhosts_t, denyhosts_var_log_t, file)
- ########################################
-diff --git a/dkim.fc b/dkim.fc
-index bf4321a..1820764 100644
---- a/dkim.fc
-+++ b/dkim.fc
-@@ -9,6 +9,7 @@
- /var/run/dkim-filter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
- /var/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
- /var/run/dkim-milter\.pid -- gen_context(system_u:object_r:dkim_milter_data_t,s0)
-+
- /var/run/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+ kernel_read_network_state(denyhosts_t)
+ kernel_read_system_state(denyhosts_t)
++kernel_read_network_state(denyhosts_t)
- /var/spool/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
-diff --git a/dmidecode.te b/dmidecode.te
-index d6356b5..5db989e 100644
---- a/dmidecode.te
-+++ b/dmidecode.te
-@@ -27,4 +27,4 @@ files_list_usr(dmidecode_t)
++corecmd_exec_shell(denyhosts_t)
+ corecmd_exec_bin(denyhosts_t)
+ corecmd_exec_shell(denyhosts_t)
- locallogin_use_fds(dmidecode_t)
+-corenet_all_recvfrom_unlabeled(denyhosts_t)
+ corenet_all_recvfrom_netlabel(denyhosts_t)
+ corenet_tcp_sendrecv_generic_if(denyhosts_t)
+ corenet_tcp_sendrecv_generic_node(denyhosts_t)
+@@ -59,11 +63,11 @@ corenet_tcp_sendrecv_smtp_port(denyhosts_t)
--userdom_use_user_terminals(dmidecode_t)
-+userdom_use_inherited_user_terminals(dmidecode_t)
-diff --git a/dnsmasq.fc b/dnsmasq.fc
-index b886676..fb3b2d6 100644
---- a/dnsmasq.fc
-+++ b/dnsmasq.fc
-@@ -1,12 +1,14 @@
- /etc/dnsmasq\.conf -- gen_context(system_u:object_r:dnsmasq_etc_t, s0)
- /etc/rc\.d/init\.d/dnsmasq -- gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0)
+ dev_read_urand(denyhosts_t)
-+/usr/lib/systemd/system/dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_unit_file_t,s0)
++auth_use_nsswitch(denyhosts_t)
+
- /usr/sbin/dnsmasq -- gen_context(system_u:object_r:dnsmasq_exec_t,s0)
-
- /var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0)
- /var/lib/dnsmasq(/.*)? gen_context(system_u:object_r:dnsmasq_lease_t,s0)
-
--/var/log/dnsmasq\.log gen_context(system_u:object_r:dnsmasq_var_log_t,s0)
-+/var/log/dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_var_log_t,s0)
+ logging_read_generic_logs(denyhosts_t)
+ logging_send_syslog_msg(denyhosts_t)
--/var/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
-+/var/run/dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
- /var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
-diff --git a/dnsmasq.if b/dnsmasq.if
-index 9bd812b..53f895e 100644
---- a/dnsmasq.if
-+++ b/dnsmasq.if
-@@ -10,7 +10,6 @@
- ## </summary>
- ## </param>
- #
--#
- interface(`dnsmasq_domtrans',`
- gen_require(`
- type dnsmasq_exec_t, dnsmasq_t;
-@@ -20,6 +19,24 @@ interface(`dnsmasq_domtrans',`
- domtrans_pattern($1, dnsmasq_exec_t, dnsmasq_t)
+-miscfiles_read_localization(denyhosts_t)
+-
+ sysnet_dns_name_resolve(denyhosts_t)
+ sysnet_manage_config(denyhosts_t)
+ sysnet_etc_filetrans_config(denyhosts_t)
+@@ -71,3 +75,7 @@ sysnet_etc_filetrans_config(denyhosts_t)
+ optional_policy(`
+ cron_system_entry(denyhosts_t, denyhosts_exec_t)
')
-
-+#######################################
-+## <summary>
-+## Execute dnsmasq server in the caller domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed to transition.
-+## </summary>
-+## </param>
-+#
-+interface(`dnsmasq_exec',`
-+ gen_require(`
-+ type dnsmasq_exec_t;
-+ ')
+
-+ can_exec($1, dnsmasq_exec_t)
++optional_policy(`
++ gnome_dontaudit_search_config(denyhosts_t)
+')
-+
+diff --git a/devicekit.if b/devicekit.if
+index d294865..3b4f593 100644
+--- a/devicekit.if
++++ b/devicekit.if
+@@ -1,4 +1,4 @@
+-## <summary>Devicekit modular hardware abstraction layer.</summary>
++## <summary>Devicekit modular hardware abstraction layer</summary>
+
########################################
## <summary>
- ## Execute the dnsmasq init script in the init script domain.
-@@ -41,6 +58,29 @@ interface(`dnsmasq_initrc_domtrans',`
+@@ -15,12 +15,29 @@ interface(`devicekit_domtrans',`
+ type devicekit_t, devicekit_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+ domtrans_pattern($1, devicekit_exec_t, devicekit_t)
+ ')
########################################
## <summary>
-+## Execute dnsmasq server in the dnsmasq domain.
++## Execute a domain transition to run devicekit_disk.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -18515,80 +17200,39 @@ index 9bd812b..53f895e 100644
+## </summary>
+## </param>
+#
-+interface(`dnsmasq_systemctl',`
++interface(`devicekit_domtrans_disk',`
+ gen_require(`
-+ type dnsmasq_unit_file_t;
-+ type dnsmasq_t;
++ type devicekit_disk_t, devicekit_disk_exec_t;
+ ')
+
-+ systemd_exec_systemctl($1)
-+ allow $1 dnsmasq_unit_file_t:file read_file_perms;
-+ allow $1 dnsmasq_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, dnsmasq_t)
++ domtrans_pattern($1, devicekit_disk_exec_t, devicekit_disk_t)
+')
+
+########################################
+## <summary>
- ## Send dnsmasq a signal
+ ## Send to devicekit over a unix domain
+ ## datagram socket.
## </summary>
- ## <param name="domain">
-@@ -144,18 +184,18 @@ interface(`dnsmasq_write_config',`
- ## </summary>
- ## </param>
+@@ -32,11 +49,10 @@ interface(`devicekit_domtrans',`
#
--#
- interface(`dnsmasq_delete_pid_files',`
+ interface(`devicekit_dgram_send',`
gen_require(`
- type dnsmasq_var_run_t;
+- type devicekit_t, devicekit_var_run_t;
++ type devicekit_t;
')
-+ files_search_pids($1)
- delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
+- files_search_pids($1)
+- dgram_send_pattern($1, devicekit_var_run_t, devicekit_var_run_t, devicekit_t)
++ allow $1 devicekit_t:unix_dgram_socket sendto;
')
########################################
- ## <summary>
--## Read dnsmasq pid files
-+## Manage dnsmasq pid files
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -163,17 +203,99 @@ interface(`dnsmasq_delete_pid_files',`
- ## </summary>
- ## </param>
- #
-+interface(`dnsmasq_manage_pid_files',`
-+ gen_require(`
-+ type dnsmasq_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ manage_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
-+')
-+
-+########################################
-+## <summary>
-+## Read dnsmasq pid files
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
- #
- interface(`dnsmasq_read_pid_files',`
- gen_require(`
- type dnsmasq_var_run_t;
- ')
-
-+ files_search_pids($1)
- read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
- ')
+@@ -83,7 +99,46 @@ interface(`devicekit_dbus_chat_disk',`
########################################
## <summary>
-+## Create dnsmasq pid dirs
+-## Send generic signals to devicekit power.
++## Use file descriptors for devicekit_disk.
+## </summary>
+## <param name="domain">
+## <summary>
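Review bot: `devicekit_dgram_send` is reduced to `allow $1 devicekit_t:unix_dgram_socket sendto;` and drops the `files_search_pids($1)` and `dgram_send_pattern(...)` it replaces, so callers lose the `sock_file write` on `devicekit_var_run_t` that the pattern carried. If devicekit binds its datagram socket to a path under its pid directory this will surface as a sock_file denial; if the socket is inherited or abstract the new rule suffices, but that assumption should be recorded in the summary, e.g. `## Send to devicekit over an inherited unix domain datagram socket.`. The new `devicekit_domtrans_disk` also omits the `corecmd_search_bin($1)` that domtrans interfaces usually carry — consistent with its removal from `devicekit_domtrans` just above, but callers that do not already search bin directories will need it elsewhere. The `devicekit_use_fds_disk` interface that opens at the end of this hunk continues in the next one.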
@@ -18596,380 +17240,160 @@ index 9bd812b..53f895e 100644
+## </summary>
+## </param>
+#
-+interface(`dnsmasq_create_pid_dirs',`
-+ gen_require(`
-+ type dnsmasq_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ create_dirs_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
-+')
-+
-+########################################
-+## <summary>
-+## Transition to dnsmasq named content
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <param name="private type">
-+## <summary>
-+## The type of the directory for the object to be created.
-+## </summary>
-+## </param>
-+#
-+interface(`dnsmasq_filetrans_named_content_fromdir',`
++interface(`devicekit_use_fds_disk',`
+ gen_require(`
-+ type dnsmasq_var_run_t;
++ type devicekit_disk_t;
+ ')
+
-+ filetrans_pattern($1, $2, dnsmasq_var_run_t, dir, "network")
-+ filetrans_pattern($1, $2, dnsmasq_var_run_t, file, "dnsmasq.pid")
++ allow $1 devicekit_disk_t:fd use;
+')
+
+########################################
+## <summary>
-+## Transition to dnsmasq named content
++## Dontaudit Send and receive messages from
++## devicekit disk over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain allowed access.
++## Domain to not audit.
+## </summary>
+## </param>
+#
-+interface(`dnsmasq_filetrans_named_content',`
++interface(`devicekit_dontaudit_dbus_chat_disk',`
+ gen_require(`
-+ type dnsmasq_var_run_t;
++ type devicekit_disk_t;
++ class dbus send_msg;
+ ')
+
-+ files_pid_filetrans($1, dnsmasq_var_run_t, dir, "network")
-+ files_pid_filetrans($1, dnsmasq_var_run_t, file, "dnsmasq.pid")
-+ virt_pid_filetrans($1, dnsmasq_var_run_t, file, "network")
++ dontaudit $1 devicekit_disk_t:dbus send_msg;
++ dontaudit devicekit_disk_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
- ## All of the rules required to administrate
- ## an dnsmasq environment
++## Send signal devicekit power
## </summary>
-@@ -193,10 +315,14 @@ interface(`dnsmasq_admin',`
- gen_require(`
- type dnsmasq_t, dnsmasq_lease_t, dnsmasq_var_run_t;
- type dnsmasq_initrc_exec_t;
-+ type dnsmasq_unit_file_t;
- ')
-
-- allow $1 dnsmasq_t:process { ptrace signal_perms };
-+ allow $1 dnsmasq_t:process signal_perms;
- ps_process_pattern($1, dnsmasq_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 dnsmasq_t:process ptrace;
-+ ')
-
- init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
- domain_system_change_exemption($1)
-@@ -208,4 +334,8 @@ interface(`dnsmasq_admin',`
-
- files_list_pids($1)
- admin_pattern($1, dnsmasq_var_run_t)
-+
-+ dnsmasq_systemctl($1)
-+ admin_pattern($1, dnsmasq_unit_file_t)
-+ allow $1 dnsmasq_unit_file_t:service all_service_perms;
+ ## <param name="domain">
+ ## <summary>
+@@ -120,29 +175,46 @@ interface(`devicekit_dbus_chat_power',`
+ allow devicekit_power_t $1:dbus send_msg;
')
-diff --git a/dnsmasq.te b/dnsmasq.te
-index fdaeeba..a29af29 100644
---- a/dnsmasq.te
-+++ b/dnsmasq.te
-@@ -24,6 +24,9 @@ logging_log_file(dnsmasq_var_log_t)
- type dnsmasq_var_run_t;
- files_pid_file(dnsmasq_var_run_t)
-+type dnsmasq_unit_file_t;
-+systemd_unit_file(dnsmasq_unit_file_t)
-+
- ########################################
+-########################################
++#######################################
+ ## <summary>
+-## Create, read, write, and delete
+-## devicekit log files.
++## Append inherited devicekit log files.
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
++## <summary>
++## Domain allowed access.
++## </summary>
+ ## </param>
#
- # Local policy
-@@ -48,13 +51,15 @@ files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)
- manage_files_pattern(dnsmasq_t, dnsmasq_var_log_t, dnsmasq_var_log_t)
- logging_log_filetrans(dnsmasq_t, dnsmasq_var_log_t, file)
-
-+manage_dirs_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t)
- manage_files_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t)
--files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, file)
-+files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file })
-
- kernel_read_kernel_sysctls(dnsmasq_t)
- kernel_read_system_state(dnsmasq_t)
-+kernel_read_network_state(dnsmasq_t)
-+kernel_request_load_module(dnsmasq_t)
-
--corenet_all_recvfrom_unlabeled(dnsmasq_t)
- corenet_all_recvfrom_netlabel(dnsmasq_t)
- corenet_tcp_sendrecv_generic_if(dnsmasq_t)
- corenet_udp_sendrecv_generic_if(dnsmasq_t)
-@@ -76,7 +81,6 @@ dev_read_urand(dnsmasq_t)
-
- domain_use_interactive_fds(dnsmasq_t)
-
--files_read_etc_files(dnsmasq_t)
- files_read_etc_runtime_files(dnsmasq_t)
-
- fs_getattr_all_fs(dnsmasq_t)
-@@ -86,8 +90,6 @@ auth_use_nsswitch(dnsmasq_t)
-
- logging_send_syslog_msg(dnsmasq_t)
-
--miscfiles_read_localization(dnsmasq_t)
--
- userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
- userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
-
-@@ -96,7 +98,21 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ cron_manage_pid_files(dnsmasq_t)
-+')
-+
-+optional_policy(`
- dbus_system_bus_client(dnsmasq_t)
-+ dbus_connect_system_bus(dnsmasq_t)
-+')
-+
-+optional_policy(`
-+ networkmanager_read_conf(dnsmasq_t)
-+ networkmanager_read_pid_files(dnsmasq_t)
-+')
-+
-+optional_policy(`
-+ ppp_read_pid_files(dnsmasq_t)
- ')
-
- optional_policy(`
-@@ -113,5 +129,7 @@ optional_policy(`
+-interface(`devicekit_manage_log_files',`
++interface(`devicekit_append_inherited_log_files',`
+ gen_require(`
+ type devicekit_var_log_t;
+ ')
- optional_policy(`
- virt_manage_lib_files(dnsmasq_t)
-+ virt_read_lib_files(dnsmasq_t)
- virt_read_pid_files(dnsmasq_t)
-+ virt_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file })
- ')
-diff --git a/dnssec.fc b/dnssec.fc
-new file mode 100644
-index 0000000..9e231a8
---- /dev/null
-+++ b/dnssec.fc
-@@ -0,0 +1,3 @@
-+/usr/sbin/dnssec-triggerd -- gen_context(system_u:object_r:dnssec_trigger_exec_t,s0)
-+
-+/var/run/dnssec.* gen_context(system_u:object_r:dnssec_trigger_var_run_t,s0)
-diff --git a/dnssec.if b/dnssec.if
-new file mode 100644
-index 0000000..a952041
---- /dev/null
-+++ b/dnssec.if
-@@ -0,0 +1,64 @@
-+
-+## <summary>policy for dnssec_trigger</summary>
-+
-+########################################
-+## <summary>
-+## Transition to dnssec_trigger.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed to transition.
-+## </summary>
-+## </param>
-+#
-+interface(`dnssec_trigger_domtrans',`
-+ gen_require(`
-+ type dnssec_trigger_t, dnssec_trigger_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, dnssec_trigger_exec_t, dnssec_trigger_t)
-+')
-+########################################
-+## <summary>
-+## Read dnssec_trigger PID files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`dnssec_trigger_read_pid_files',`
-+ gen_require(`
-+ type dnssec_trigger_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ allow $1 dnssec_trigger_var_run_t:file read_file_perms;
+- logging_search_logs($1)
+- manage_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t)
++ allow $1 devicekit_var_log_t:file append_inherited_file_perms;
+')
+
-+
-+########################################
++#######################################
+## <summary>
-+## All of the rules required to administrate
-+## an dnssec_trigger environment
++## Do not audit attempts to write the devicekit
++## log files.
+## </summary>
+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
++## <summary>
++## Domain to not audit.
++## </summary>
+## </param>
+#
-+interface(`dnssec_trigger_admin',`
++interface(`devicekit_dontaudit_rw_log',`
+ gen_require(`
-+ type dnssec_trigger_t;
-+ type dnssec_trigger_var_run_t;
++ type devicekit_var_log_t;
+ ')
+
-+ allow $1 dnssec_trigger_t:process { ptrace signal_perms };
-+ ps_process_pattern($1, dnssec_trigger_t)
-+
-+ files_search_pids($1)
-+ admin_pattern($1, dnssec_trigger_var_run_t)
-+')
-diff --git a/dnssec.te b/dnssec.te
-new file mode 100644
-index 0000000..25daf6c
---- /dev/null
-+++ b/dnssec.te
-@@ -0,0 +1,59 @@
-+policy_module(dnssec, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type dnssec_trigger_t;
-+type dnssec_trigger_exec_t;
-+init_daemon_domain(dnssec_trigger_t, dnssec_trigger_exec_t)
-+
-+type dnssec_trigger_var_run_t;
-+files_pid_file(dnssec_trigger_var_run_t)
-+
-+########################################
-+#
-+# dnssec_trigger local policy
-+#
-+allow dnssec_trigger_t self:capability linux_immutable;
-+allow dnssec_trigger_t self:process signal;
-+allow dnssec_trigger_t self:fifo_file rw_fifo_file_perms;
-+allow dnssec_trigger_t self:unix_stream_socket create_stream_socket_perms;
-+allow dnssec_trigger_t self:tcp_socket create_stream_socket_perms;
-+allow dnssec_trigger_t self:udp_socket create_socket_perms;
-+
-+manage_dirs_pattern(dnssec_trigger_t, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t)
-+manage_files_pattern(dnssec_trigger_t, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t)
-+files_pid_filetrans(dnssec_trigger_t, dnssec_trigger_var_run_t, { dir file })
-+
-+kernel_read_system_state(dnssec_trigger_t)
-+
-+corecmd_exec_bin(dnssec_trigger_t)
-+corecmd_exec_shell(dnssec_trigger_t)
-+
-+corenet_tcp_bind_generic_node(dnssec_trigger_t)
-+corenet_tcp_bind_dnssec_port(dnssec_trigger_t)
-+corenet_tcp_connect_rndc_port(dnssec_trigger_t)
-+corenet_tcp_connect_http_port(dnssec_trigger_t)
-+
-+dev_read_urand(dnssec_trigger_t)
-+
-+domain_use_interactive_fds(dnssec_trigger_t)
-+
-+files_read_etc_runtime_files(dnssec_trigger_t)
-+files_read_etc_files(dnssec_trigger_t)
-+
-+logging_send_syslog_msg(dnssec_trigger_t)
-+
-+auth_read_passwd(dnssec_trigger_t)
-+
-+sysnet_dns_name_resolve(dnssec_trigger_t)
-+sysnet_manage_config(dnssec_trigger_t)
-+
-+optional_policy(`
-+ bind_read_config(dnssec_trigger_t)
-+ bind_read_dnssec_keys(dnssec_trigger_t)
-+')
-+
-+
-diff --git a/dovecot.fc b/dovecot.fc
-index 3a3ecb2..4448055 100644
---- a/dovecot.fc
-+++ b/dovecot.fc
-@@ -2,7 +2,7 @@
- #
- # /etc
- #
--/etc/dovecot(/.*)?* gen_context(system_u:object_r:dovecot_etc_t,s0)
-+/etc/dovecot(/.*)? gen_context(system_u:object_r:dovecot_etc_t,s0)
- /etc/dovecot\.conf.* gen_context(system_u:object_r:dovecot_etc_t,s0)
- /etc/dovecot\.passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0)
-
-@@ -24,12 +24,13 @@ ifdef(`distro_debian',`
-
- ifdef(`distro_debian', `
- /usr/lib/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
-+/usr/lib/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
- ')
-
- ifdef(`distro_redhat', `
- /usr/libexec/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
- /usr/libexec/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
--/usr/libexec/dovecot/deliver-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
-+/usr/libexec/dovecot/dovecot-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
- /usr/libexec/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
++ dontaudit $1 devicekit_var_log_t:file rw_file_perms;
')
-@@ -37,6 +38,7 @@ ifdef(`distro_redhat', `
- # /var
+ ########################################
+ ## <summary>
+-## Relabel devicekit log files.
++## Allow the domain to read devicekit_power state files in /proc.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -150,13 +222,13 @@ interface(`devicekit_manage_log_files',`
+ ## </summary>
+ ## </param>
#
- /var/run/dovecot(-login)?(/.*)? gen_context(system_u:object_r:dovecot_var_run_t,s0)
-+/var/run/dovecot/login/ssl-parameters.dat -- gen_context(system_u:object_r:dovecot_var_lib_t,s0)
+-interface(`devicekit_relabel_log_files',`
++interface(`devicekit_read_state_power',`
+ gen_require(`
+- type devicekit_var_log_t;
++ type devicekit_power_t;
+ ')
- /var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0)
+- logging_search_logs($1)
+- relabel_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t)
++ kernel_search_proc($1)
++ ps_process_pattern($1, devicekit_power_t)
+ ')
-diff --git a/dovecot.if b/dovecot.if
-index e1d7dc5..66d42bb 100644
---- a/dovecot.if
-+++ b/dovecot.if
-@@ -1,5 +1,46 @@
- ## <summary>Dovecot POP and IMAP mail server</summary>
+ ########################################
+@@ -180,11 +252,30 @@ interface(`devicekit_read_pid_files',`
-+######################################
-+## <summary>
-+## Creates types and rules for a basic
-+## dovecot daemon domain.
-+## </summary>
-+## <param name="prefix">
-+## <summary>
-+## Prefix for the domain.
-+## </summary>
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete
++## Do not audit attempts to read
+ ## devicekit PID files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
++## Domain to not audit.
++## </summary>
+## </param>
+#
-+template(`dovecot_basic_types_template',`
-+ gen_require(`
-+ attribute dovecot_domain;
++interface(`devicekit_dontaudit_read_pid_files',`
++ gen_require(`
++ type devicekit_var_run_t;
+ ')
+
-+ type $1_t, dovecot_domain;
-+ type $1_exec_t;
++ dontaudit $1 devicekit_var_run_t:file read_inherited_file_perms;
++')
+
-+ kernel_read_system_state($1_t)
++
++########################################
++## <summary>
++## Manage devicekit PID files.
++## </summary>
++## <param name="domain">
++## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+@@ -195,22 +286,59 @@ interface(`devicekit_manage_pid_files',`
+ ')
+
+ files_search_pids($1)
++ manage_dirs_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
+ manage_files_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
++ files_pid_filetrans($1, devicekit_var_run_t, dir, "pm-utils")
+')
+
+#######################################
+## <summary>
-+## Connect to dovecot unix domain stream socket.
++## Relabel devicekit LOG files.
+## </summary>
+## <param name="domain">
+## <summary>
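Review bot: The summary of `devicekit_dontaudit_rw_log` says only "write" while the rule dontaudits `rw_file_perms`, so the documentation understates what is suppressed; suggest `## Do not audit attempts to read and write devicekit log files.`. `devicekit_manage_pid_files` now additionally creates a named `pm-utils` directory via `files_pid_filetrans($1, devicekit_var_run_t, dir, "pm-utils")`, which its unchanged summary ("Manage devicekit PID files") does not mention — a line such as `## Also labels the "pm-utils" directory created under the pid directory as devicekit_var_run_t.` would tell callers why they pick up that transition. As a style point, the separator lines above `devicekit_append_inherited_log_files`, `devicekit_dontaudit_rw_log` and `devicekit_relabel_log_files` appear one `#` shorter than the 40-character rule used elsewhere in the file, and the first one replaces a correctly sized line. The `devicekit_relabel_log_files` interface that starts at the end of this hunk continues in the next one.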
@@ -18977,697 +17401,531 @@ index e1d7dc5..66d42bb 100644
+## </summary>
+## </param>
+#
-+interface(`dovecot_stream_connect',`
++interface(`devicekit_relabel_log_files',`
+ gen_require(`
-+ type dovecot_t, dovecot_var_run_t;
++ type devicekit_var_log_t;
+ ')
+
-+ files_search_pids($1)
-+ stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_t)
-+')
-+
- ########################################
- ## <summary>
- ## Connect to dovecot auth unix domain stream socket.
-@@ -16,6 +57,7 @@ interface(`dovecot_stream_connect_auth',`
- type dovecot_auth_t, dovecot_var_run_t;
- ')
-
-+ files_search_pids($1)
- stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_auth_t)
- ')
-
-@@ -52,6 +94,7 @@ interface(`dovecot_manage_spool',`
- type dovecot_spool_t;
- ')
-
-+ files_search_spool($1)
- manage_files_pattern($1, dovecot_spool_t, dovecot_spool_t)
- manage_lnk_files_pattern($1, dovecot_spool_t, dovecot_spool_t)
- ')
-@@ -74,6 +117,25 @@ interface(`dovecot_dontaudit_unlink_lib_files',`
- dontaudit $1 dovecot_var_lib_t:file unlink;
++ logging_search_logs($1)
++ relabel_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t)
')
-+######################################
-+## <summary>
-+## Allow attempts to write inherited
-+## dovecot tmp files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain to not audit.
-+## </summary>
-+## </param>
+ ########################################
+ ## <summary>
+-## All of the rules required to
+-## administrate an devicekit environment.
++## Manage devicekit LOG files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <param name="role">
+#
-+interface(`dovecot_write_inherited_tmp_files',`
++interface(`devicekit_manage_log_files',`
+ gen_require(`
-+ type dovecot_tmp_t;
++ type devicekit_var_log_t;
+ ')
+
-+ allow $1 dovecot_tmp_t:file write;
++ logging_search_logs($1)
++ manage_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t)
++ #logging_log_filetrans($1, devicekit_var_log_t, file, "pm-powersave.log")
++ #logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
+')
+
- ########################################
- ## <summary>
- ## All of the rules required to administrate
-@@ -93,16 +155,17 @@ interface(`dovecot_dontaudit_unlink_lib_files',`
- #
- interface(`dovecot_admin',`
++########################################
++## <summary>
++## All of the rules required to administrate
++## an devicekit environment
++## </summary>
++## <param name="domain">
+ ## <summary>
+-## Role allowed access.
++## Domain allowed access.
+ ## </summary>
+ ## </param>
+ ## <rolecap/>
+@@ -219,21 +347,48 @@ interface(`devicekit_admin',`
gen_require(`
-- type dovecot_t, dovecot_etc_t, dovecot_log_t;
-- type dovecot_spool_t, dovecot_var_lib_t;
-- type dovecot_var_run_t;
--
-- type dovecot_cert_t, dovecot_passwd_t;
-- type dovecot_initrc_exec_t;
-+ type dovecot_t, dovecot_etc_t, dovecot_auth_tmp_t;
-+ type dovecot_spool_t, dovecot_var_lib_t, dovecot_var_log_t;
-+ type dovecot_var_run_t, dovecot_tmp_t, dovecot_keytab_t;
-+ type dovecot_cert_t, dovecot_passwd_t, dovecot_initrc_exec_t;
+ type devicekit_t, devicekit_disk_t, devicekit_power_t;
+ type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t;
+- type devicekit_var_log_t;
')
-- allow $1 dovecot_t:process { ptrace signal_perms };
-+ allow $1 dovecot_t:process signal_perms;
- ps_process_pattern($1, dovecot_t)
+- allow $1 { devicekit_t devicekit_disk_t devicekit_power_t }:process { ptrace signal_perms };
+- ps_process_pattern($1, { devicekit_t devicekit_disk_t devicekit_power_t })
++ allow $1 devicekit_t:process signal_perms;
++ ps_process_pattern($1, devicekit_t)
+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 dovecot_t:process ptrace;
++ allow $1 devicekit_t:process ptrace;
++ allow $1 devicekit_disk_t:process ptrace;
++ allow $1 devicekit_power_t:process ptrace;
+ ')
++
++ allow $1 devicekit_disk_t:process signal_perms;
++ ps_process_pattern($1, devicekit_disk_t)
++
++ allow $1 devicekit_power_t:process signal_perms;
++ ps_process_pattern($1, devicekit_power_t)
- init_labeled_script_domtrans($1, dovecot_initrc_exec_t)
- domain_system_change_exemption($1)
-@@ -112,8 +175,11 @@ interface(`dovecot_admin',`
- files_list_etc($1)
- admin_pattern($1, dovecot_etc_t)
-
-- logging_list_logs($1)
-- admin_pattern($1, dovecot_log_t)
+- files_search_tmp($1)
+ admin_pattern($1, devicekit_tmp_t)
+ files_list_tmp($1)
-+ admin_pattern($1, dovecot_auth_tmp_t)
-+ admin_pattern($1, dovecot_tmp_t)
-+
-+ admin_pattern($1, dovecot_keytab_t)
- files_list_spool($1)
- admin_pattern($1, dovecot_spool_t)
-@@ -121,6 +187,9 @@ interface(`dovecot_admin',`
- files_list_var_lib($1)
- admin_pattern($1, dovecot_var_lib_t)
+- files_search_var_lib($1)
+ admin_pattern($1, devicekit_var_lib_t)
++ files_list_var_lib($1)
-+ logging_search_logs($1)
-+ admin_pattern($1, dovecot_var_log_t)
+- logging_search_logs($1)
+- admin_pattern($1, devicekit_var_log_t)
+-
+- files_search_pids($1)
+ admin_pattern($1, devicekit_var_run_t)
++ files_list_pids($1)
++')
+
- files_list_pids($1)
- admin_pattern($1, dovecot_var_run_t)
-
-diff --git a/dovecot.te b/dovecot.te
-index 2df7766..d4e008b 100644
---- a/dovecot.te
-+++ b/dovecot.te
-@@ -4,12 +4,12 @@ policy_module(dovecot, 1.14.0)
- #
- # Declarations
- #
--type dovecot_t;
--type dovecot_exec_t;
-+attribute dovecot_domain;
++########################################
++## <summary>
++## Transition to devicekit named content
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`devicekit_filetrans_named_content',`
++ gen_require(`
++ type devicekit_var_run_t, devicekit_var_log_t;
++ ')
+
-+dovecot_basic_types_template(dovecot)
- init_daemon_domain(dovecot_t, dovecot_exec_t)
++ files_pid_filetrans($1, devicekit_var_run_t, dir, "pm-utils")
++ logging_log_filetrans($1, devicekit_var_log_t, file, "pm-powersave.log")
++ logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
+ ')
+diff --git a/devicekit.te b/devicekit.te
+index ff933af..feb84e0 100644
+--- a/devicekit.te
++++ b/devicekit.te
+@@ -7,15 +7,15 @@ policy_module(devicekit, 1.2.1)
--type dovecot_auth_t;
--type dovecot_auth_exec_t;
-+dovecot_basic_types_template(dovecot_auth)
- domain_type(dovecot_auth_t)
- domain_entry_file(dovecot_auth_t, dovecot_auth_exec_t)
- role system_r types dovecot_auth_t;
-@@ -18,14 +18,16 @@ type dovecot_auth_tmp_t;
- files_tmp_file(dovecot_auth_tmp_t)
+ type devicekit_t;
+ type devicekit_exec_t;
+-dbus_system_domain(devicekit_t, devicekit_exec_t)
++init_daemon_domain(devicekit_t, devicekit_exec_t)
- type dovecot_cert_t;
--files_type(dovecot_cert_t)
-+miscfiles_cert_type(dovecot_cert_t)
+ type devicekit_power_t;
+ type devicekit_power_exec_t;
+-dbus_system_domain(devicekit_power_t, devicekit_power_exec_t)
++init_daemon_domain(devicekit_power_t, devicekit_power_exec_t)
--type dovecot_deliver_t;
--type dovecot_deliver_exec_t;
-+dovecot_basic_types_template(dovecot_deliver)
- domain_type(dovecot_deliver_t)
- domain_entry_file(dovecot_deliver_t, dovecot_deliver_exec_t)
- role system_r types dovecot_deliver_t;
+ type devicekit_disk_t;
+ type devicekit_disk_exec_t;
+-dbus_system_domain(devicekit_disk_t, devicekit_disk_exec_t)
++init_daemon_domain(devicekit_disk_t, devicekit_disk_exec_t)
-+type dovecot_deliver_tmp_t;
-+files_tmp_file(dovecot_deliver_tmp_t)
-+
- type dovecot_etc_t;
- files_config_file(dovecot_etc_t)
+ type devicekit_tmp_t;
+ files_tmp_file(devicekit_tmp_t)
+@@ -45,11 +45,10 @@ kernel_read_system_state(devicekit_t)
+ dev_read_sysfs(devicekit_t)
+ dev_read_urand(devicekit_t)
-@@ -36,7 +38,7 @@ type dovecot_passwd_t;
- files_type(dovecot_passwd_t)
+-files_read_etc_files(devicekit_t)
- type dovecot_spool_t;
--files_type(dovecot_spool_t)
-+files_spool_file(dovecot_spool_t)
+-miscfiles_read_localization(devicekit_t)
- type dovecot_tmp_t;
- files_tmp_file(dovecot_tmp_t)
-@@ -51,17 +53,37 @@ logging_log_file(dovecot_var_log_t)
- type dovecot_var_run_t;
- files_pid_file(dovecot_var_run_t)
+ optional_policy(`
++ dbus_system_domain(devicekit_t, devicekit_exec_t)
+ dbus_system_bus_client(devicekit_t)
-+#######################################
-+#
-+# dovecot domain local policy
-+#
-+
-+allow dovecot_domain self:capability2 block_suspend;
-+
-+allow dovecot_domain self:unix_dgram_socket create_socket_perms;
-+allow dovecot_domain self:fifo_file rw_fifo_file_perms;
-+
-+kernel_read_all_sysctls(dovecot_domain)
-+
-+corecmd_exec_bin(dovecot_domain)
-+corecmd_exec_shell(dovecot_domain)
-+
-+dev_read_sysfs(dovecot_domain)
-+dev_read_rand(dovecot_domain)
-+dev_read_urand(dovecot_domain)
-+
-+# Dovecot now has quota support and it uses getmntent() to find the mountpoints.
-+files_read_etc_runtime_files(dovecot_domain)
-+
- ########################################
- #
- # dovecot local policy
+ allow devicekit_t { devicekit_disk_t devicekit_power_t }:dbus send_msg;
+@@ -64,7 +63,8 @@ optional_policy(`
+ # Disk local policy
#
--allow dovecot_t self:capability { dac_override dac_read_search chown kill net_bind_service setgid setuid sys_chroot };
-+allow dovecot_t self:capability { dac_override dac_read_search chown fsetid kill net_bind_service setgid setuid sys_chroot };
- dontaudit dovecot_t self:capability sys_tty_config;
--allow dovecot_t self:process { setrlimit signal_perms getcap setcap };
--allow dovecot_t self:fifo_file rw_fifo_file_perms;
-+allow dovecot_t self:process { setrlimit signal_perms getcap setcap setsched };
- allow dovecot_t self:tcp_socket create_stream_socket_perms;
--allow dovecot_t self:unix_dgram_socket create_socket_perms;
- allow dovecot_t self:unix_stream_socket { create_stream_socket_perms connectto };
-
- domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)
-@@ -72,7 +94,9 @@ allow dovecot_t dovecot_cert_t:dir list_dir_perms;
- read_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
- read_lnk_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
-
--allow dovecot_t dovecot_etc_t:file read_file_perms;
-+allow dovecot_t dovecot_etc_t:dir list_dir_perms;
-+read_files_pattern(dovecot_t, dovecot_etc_t, dovecot_etc_t)
-+read_lnk_files_pattern(dovecot_t, dovecot_etc_t, dovecot_etc_t)
- files_search_etc(dovecot_t)
-
- can_exec(dovecot_t, dovecot_exec_t)
-@@ -94,15 +118,13 @@ manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
- manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
- manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
-
-+manage_dirs_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
- manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
- manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
- manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
--files_pid_filetrans(dovecot_t, dovecot_var_run_t, file)
--
--kernel_read_kernel_sysctls(dovecot_t)
--kernel_read_system_state(dovecot_t)
-+manage_fifo_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
-+files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file fifo_file })
+-allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_ptrace sys_rawio };
++allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_rawio };
++
+ allow devicekit_disk_t self:process { getsched signal_perms };
+ allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
+ allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
+@@ -81,7 +81,10 @@ allow devicekit_disk_t devicekit_var_run_t:dir mounton;
+ manage_dirs_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
+ manage_files_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
+ files_pid_filetrans(devicekit_disk_t, devicekit_var_run_t, { dir file })
++files_filetrans_named_content(devicekit_disk_t)
--corenet_all_recvfrom_unlabeled(dovecot_t)
- corenet_all_recvfrom_netlabel(dovecot_t)
- corenet_tcp_sendrecv_generic_if(dovecot_t)
- corenet_tcp_sendrecv_generic_node(dovecot_t)
-@@ -110,41 +132,36 @@ corenet_tcp_sendrecv_all_ports(dovecot_t)
- corenet_tcp_bind_generic_node(dovecot_t)
- corenet_tcp_bind_mail_port(dovecot_t)
- corenet_tcp_bind_pop_port(dovecot_t)
-+corenet_tcp_bind_lmtp_port(dovecot_t)
- corenet_tcp_bind_sieve_port(dovecot_t)
- corenet_tcp_connect_all_ports(dovecot_t)
- corenet_tcp_connect_postgresql_port(dovecot_t)
- corenet_sendrecv_pop_server_packets(dovecot_t)
- corenet_sendrecv_all_client_packets(dovecot_t)
++kernel_list_unlabeled(devicekit_disk_t)
++kernel_dontaudit_getattr_unlabeled_files(devicekit_disk_t)
+ kernel_getattr_message_if(devicekit_disk_t)
+ kernel_list_unlabeled(devicekit_disk_t)
+ kernel_dontaudit_getattr_unlabeled_files(devicekit_disk_t)
+@@ -98,6 +101,7 @@ corecmd_getattr_all_executables(devicekit_disk_t)
--dev_read_sysfs(dovecot_t)
--dev_read_urand(dovecot_t)
--
- fs_getattr_all_fs(dovecot_t)
- fs_getattr_all_dirs(dovecot_t)
- fs_search_auto_mountpoints(dovecot_t)
- fs_list_inotifyfs(dovecot_t)
+ dev_getattr_all_chr_files(devicekit_disk_t)
+ dev_getattr_mtrr_dev(devicekit_disk_t)
++dev_rw_generic_blk_files(devicekit_disk_t)
+ dev_getattr_usbfs_dirs(devicekit_disk_t)
+ dev_manage_generic_files(devicekit_disk_t)
+ dev_read_urand(devicekit_disk_t)
+@@ -134,16 +138,18 @@ storage_raw_write_fixed_disk(devicekit_disk_t)
+ storage_raw_read_removable_device(devicekit_disk_t)
+ storage_raw_write_removable_device(devicekit_disk_t)
--corecmd_exec_bin(dovecot_t)
--
- domain_use_interactive_fds(dovecot_t)
+-term_use_all_terms(devicekit_disk_t)
++term_use_all_inherited_terms(devicekit_disk_t)
--files_read_etc_files(dovecot_t)
- files_search_spool(dovecot_t)
- files_search_tmp(dovecot_t)
- files_dontaudit_list_default(dovecot_t)
--# Dovecot now has quota support and it uses getmntent() to find the mountpoints.
--files_read_etc_runtime_files(dovecot_t)
-+files_dontaudit_search_all_dirs(dovecot_t)
- files_search_all_mountpoints(dovecot_t)
-+files_read_var_lib_files(dovecot_t)
+ auth_use_nsswitch(devicekit_disk_t)
- init_getattr_utmp(dovecot_t)
+-miscfiles_read_localization(devicekit_disk_t)
++logging_send_syslog_msg(devicekit_disk_t)
- auth_use_nsswitch(dovecot_t)
+ userdom_read_all_users_state(devicekit_disk_t)
+ userdom_search_user_home_dirs(devicekit_disk_t)
++userdom_manage_user_tmp_dirs(devicekit_disk_t)
--logging_send_syslog_msg(dovecot_t)
--
- miscfiles_read_generic_certs(dovecot_t)
--miscfiles_read_localization(dovecot_t)
+ optional_policy(`
++ dbus_system_domain(devicekit_disk_t, devicekit_disk_exec_t)
+ dbus_system_bus_client(devicekit_disk_t)
-+logging_send_syslog_msg(dovecot_t)
-+
-+userdom_home_manager(dovecot_t)
- userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
- userdom_manage_user_home_content_dirs(dovecot_t)
- userdom_manage_user_home_content_files(dovecot_t)
-@@ -153,10 +170,23 @@ userdom_manage_user_home_content_pipes(dovecot_t)
- userdom_manage_user_home_content_sockets(dovecot_t)
- userdom_user_home_dir_filetrans_user_home_content(dovecot_t, { dir file lnk_file fifo_file sock_file })
-
--mta_manage_spool(dovecot_t)
-+optional_policy(`
-+ mta_manage_home_rw(dovecot_t)
-+ mta_manage_spool(dovecot_t)
-+')
-+
-+optional_policy(`
-+ kerberos_keytab_template(dovecot_t, dovecot_t)
-+ kerberos_tmp_filetrans_host_rcache(dovecot_t, "imap_0")
-+')
+ allow devicekit_disk_t devicekit_t:dbus send_msg;
+@@ -167,6 +173,7 @@ optional_policy(`
optional_policy(`
-- kerberos_keytab_template(dovecot, dovecot_t)
-+ gnome_manage_data(dovecot_t)
-+')
-+
-+optional_policy(`
-+ postfix_manage_private_sockets(dovecot_t)
-+ postfix_search_spool(dovecot_t)
+ mount_domtrans(devicekit_disk_t)
++ mount_read_pid_files(devicekit_disk_t)
')
optional_policy(`
-@@ -164,6 +194,11 @@ optional_policy(`
+@@ -180,6 +187,10 @@ optional_policy(`
')
optional_policy(`
-+ # Handle sieve scripts
-+ sendmail_domtrans(dovecot_t)
++ systemd_read_logind_sessions_files(devicekit_disk_t)
+')
+
+optional_policy(`
- seutil_sigchld_newrole(dovecot_t)
+ udev_domtrans(devicekit_disk_t)
+ udev_read_db(devicekit_disk_t)
+ ')
+@@ -188,17 +199,27 @@ optional_policy(`
+ virt_manage_images(devicekit_disk_t)
')
-@@ -180,16 +215,17 @@ optional_policy(`
- # dovecot auth local policy
++optional_policy(`
++ unconfined_domain(devicekit_t)
++ unconfined_domain(devicekit_power_t)
++ unconfined_domain(devicekit_disk_t)
++')
++
+ ########################################
+ #
+ # Power local policy
#
--allow dovecot_auth_t self:capability { chown dac_override setgid setuid };
--allow dovecot_auth_t self:process { signal_perms getcap setcap };
--allow dovecot_auth_t self:fifo_file rw_fifo_file_perms;
--allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
-+allow dovecot_auth_t self:capability { chown dac_override ipc_lock setgid setuid sys_nice };
-+allow dovecot_auth_t self:process { getsched setsched signal_perms getcap setcap };
- allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
-
- allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms };
-
- read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t)
+-allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace };
++allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice };
++allow devicekit_power_t self:capability2 compromise_kernel;
+ allow devicekit_power_t self:process { getsched signal_perms };
+ allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
+ allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
+ allow devicekit_power_t self:netlink_kobject_uevent_socket create_socket_perms;
-+read_files_pattern(dovecot_auth_t, dovecot_etc_t, dovecot_etc_t)
-+read_lnk_files_pattern(dovecot_auth_t, dovecot_etc_t, dovecot_etc_t)
++manage_files_pattern(devicekit_power_t, devicekit_var_log_t, devicekit_var_log_t)
++logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file)
+
- manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
- manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
- files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
-@@ -198,31 +234,24 @@ allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms;
- manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
- dovecot_stream_connect_auth(dovecot_auth_t)
-
--kernel_read_all_sysctls(dovecot_auth_t)
--kernel_read_system_state(dovecot_auth_t)
--
- logging_send_audit_msgs(dovecot_auth_t)
--logging_send_syslog_msg(dovecot_auth_t)
--
--dev_read_urand(dovecot_auth_t)
+ manage_dirs_pattern(devicekit_power_t, devicekit_tmp_t, devicekit_tmp_t)
+ manage_files_pattern(devicekit_power_t, devicekit_tmp_t, devicekit_tmp_t)
+ files_tmp_filetrans(devicekit_power_t, devicekit_tmp_t, { file dir })
+@@ -247,12 +268,13 @@ files_dontaudit_list_mnt(devicekit_power_t)
- auth_domtrans_chk_passwd(dovecot_auth_t)
- auth_use_nsswitch(dovecot_auth_t)
+ fs_getattr_all_fs(devicekit_power_t)
+ fs_list_inotifyfs(devicekit_power_t)
++fs_getattr_all_fs(devicekit_power_t)
--files_read_etc_files(dovecot_auth_t)
--files_read_etc_runtime_files(dovecot_auth_t)
-+logging_send_syslog_msg(dovecot_auth_t)
-+
- files_search_pids(dovecot_auth_t)
- files_read_usr_files(dovecot_auth_t)
- files_read_usr_symlinks(dovecot_auth_t)
- files_read_var_lib_files(dovecot_auth_t)
- files_search_tmp(dovecot_auth_t)
--files_read_var_lib_files(dovecot_t)
+-term_use_all_terms(devicekit_power_t)
++term_use_all_inherited_terms(devicekit_power_t)
--init_rw_utmp(dovecot_auth_t)
-+fs_getattr_xattr_fs(dovecot_auth_t)
+ auth_use_nsswitch(devicekit_power_t)
--miscfiles_read_localization(dovecot_auth_t)
-+init_rw_utmp(dovecot_auth_t)
+-miscfiles_read_localization(devicekit_power_t)
++seutil_exec_setfiles(devicekit_power_t)
--seutil_dontaudit_search_config(dovecot_auth_t)
-+sysnet_use_ldap(dovecot_auth_t)
+ sysnet_domtrans_ifconfig(devicekit_power_t)
+ sysnet_domtrans_dhcpc(devicekit_power_t)
+@@ -269,9 +291,11 @@ optional_policy(`
optional_policy(`
- kerberos_use(dovecot_auth_t)
-@@ -236,6 +265,8 @@ optional_policy(`
+ cron_initrc_domtrans(devicekit_power_t)
++ cron_systemctl(devicekit_power_t)
+ ')
+
optional_policy(`
- mysql_search_db(dovecot_auth_t)
- mysql_stream_connect(dovecot_auth_t)
-+ mysql_read_config(dovecot_auth_t)
-+ mysql_tcp_connect(dovecot_auth_t)
++ dbus_system_domain(devicekit_power_t, devicekit_power_exec_t)
+ dbus_system_bus_client(devicekit_power_t)
+
+ allow devicekit_power_t devicekit_t:dbus send_msg;
+@@ -302,8 +326,11 @@ optional_policy(`
')
optional_policy(`
-@@ -243,6 +274,8 @@ optional_policy(`
++ gnome_manage_home_config(devicekit_power_t)
++')
++
++optional_policy(`
+ hal_domtrans_mac(devicekit_power_t)
+- hal_manage_log(devicekit_power_t)
+ hal_manage_pid_dirs(devicekit_power_t)
+ hal_manage_pid_files(devicekit_power_t)
+ ')
+@@ -321,6 +348,7 @@ optional_policy(`
')
optional_policy(`
-+ postfix_manage_private_sockets(dovecot_auth_t)
-+ postfix_rw_master_pipes(dovecot_deliver_t)
- postfix_search_spool(dovecot_auth_t)
++ policykit_dbus_chat(devicekit_power_t)
+ policykit_domtrans_auth(devicekit_power_t)
+ policykit_read_lib(devicekit_power_t)
+ policykit_read_reload(devicekit_power_t)
+@@ -341,3 +369,9 @@ optional_policy(`
+ optional_policy(`
+ vbetool_domtrans(devicekit_power_t)
')
++
++optional_policy(`
++ corenet_tcp_connect_xserver_port(devicekit_power_t)
++ xserver_stream_connect(devicekit_power_t)
++')
++
+diff --git a/dhcp.fc b/dhcp.fc
+index 7956248..5fee161 100644
+--- a/dhcp.fc
++++ b/dhcp.fc
+@@ -1,4 +1,5 @@
+ /etc/rc\.d/init\.d/dhcpd(6)? -- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0)
++/usr/lib/systemd/system/dhcpcd.* -- gen_context(system_u:object_r:dhcpd_unit_file_t,s0)
-@@ -250,25 +283,32 @@ optional_policy(`
- #
- # dovecot deliver local policy
- #
--allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
+ /usr/sbin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0)
- allow dovecot_deliver_t dovecot_t:process signull;
+diff --git a/dhcp.if b/dhcp.if
+index c697edb..31d45bf 100644
+--- a/dhcp.if
++++ b/dhcp.if
+@@ -36,7 +36,7 @@ interface(`dhcpd_setattr_state_files',`
+ ')
--allow dovecot_deliver_t dovecot_etc_t:file read_file_perms;
--allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
-+allow dovecot_deliver_t dovecot_etc_t:dir list_dir_perms;
-+read_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t)
-+read_lnk_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t)
+ sysnet_search_dhcp_state($1)
+- allow $1 dhcpd_state_t:file setattr;
++ allow $1 dhcpd_state_t:file setattr_file_perms;
+ ')
--kernel_read_all_sysctls(dovecot_deliver_t)
--kernel_read_system_state(dovecot_deliver_t)
-+allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms;
+ ########################################
+@@ -60,6 +60,30 @@ interface(`dhcpd_initrc_domtrans',`
--files_read_etc_files(dovecot_deliver_t)
--files_read_etc_runtime_files(dovecot_deliver_t)
-+append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)
+ ########################################
+ ## <summary>
++## Execute dhcpd server in the dhcpd domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`dhcpd_systemctl',`
++ gen_require(`
++ type dhcpd_unit_file_t;
++ type dhcpd_t;
++ ')
+
-+manage_dirs_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t)
-+manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t)
-+files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir })
++ systemd_exec_systemctl($1)
++ systemd_search_unit_dirs($1)
++ allow $1 dhcpd_unit_file_t:file read_file_perms;
++ allow $1 dhcpd_unit_file_t:service manage_service_perms;
+
-+allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
-+read_files_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t)
-+read_sock_files_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t)
-+dovecot_stream_connect(dovecot_deliver_t)
++ ps_process_pattern($1, dhcpd_t)
++')
+
-+can_exec(dovecot_deliver_t, dovecot_deliver_exec_t)
++########################################
++## <summary>
+ ## All of the rules required to
+ ## administrate an dhcpd environment.
+ ## </summary>
+@@ -79,11 +103,16 @@ interface(`dhcpd_admin',`
+ gen_require(`
+ type dhcpd_t, dhcpd_tmp_t, dhcpd_state_t;
+ type dhcpd_var_run_t, dhcpd_initrc_exec_t;
++ type dhcpd_unit_file_t;
+ ')
- auth_use_nsswitch(dovecot_deliver_t)
+- allow $1 dhcpd_t:process { ptrace signal_perms };
++ allow $1 dhcpd_t:process signal_perms;
+ ps_process_pattern($1, dhcpd_t)
-+logging_append_all_logs(dovecot_deliver_t)
- logging_send_syslog_msg(dovecot_deliver_t)
--logging_search_logs(dovecot_auth_t)
--
--miscfiles_read_localization(dovecot_deliver_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 dhcpd_t:process ptrace;
++ ')
++
+ init_labeled_script_domtrans($1, dhcpd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 dhcpd_initrc_exec_t system_r;
+@@ -97,4 +126,8 @@ interface(`dhcpd_admin',`
- dovecot_stream_connect_auth(dovecot_deliver_t)
+ files_list_pids($1)
+ admin_pattern($1, dhcpd_var_run_t)
++
++ dhcpd_systemctl($1)
++ admin_pattern($1, dhcpd_unit_file_t)
++ allow $1 dhcpd_unit_file_t:service all_service_perms;
+ ')
+diff --git a/dhcp.te b/dhcp.te
+index c93c3db..1125f7d 100644
+--- a/dhcp.te
++++ b/dhcp.te
+@@ -20,6 +20,9 @@ init_daemon_domain(dhcpd_t, dhcpd_exec_t)
+ type dhcpd_initrc_exec_t;
+ init_script_file(dhcpd_initrc_exec_t)
-@@ -283,24 +323,22 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t)
- userdom_manage_user_home_content_sockets(dovecot_deliver_t)
- userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })
++type dhcpd_unit_file_t;
++systemd_unit_file(dhcpd_unit_file_t)
++
+ type dhcpd_state_t;
+ files_type(dhcpd_state_t)
--tunable_policy(`use_nfs_home_dirs',`
-- fs_manage_nfs_dirs(dovecot_deliver_t)
-- fs_manage_nfs_files(dovecot_deliver_t)
-- fs_manage_nfs_symlinks(dovecot_deliver_t)
-- fs_manage_nfs_dirs(dovecot_t)
-- fs_manage_nfs_files(dovecot_t)
-- fs_manage_nfs_symlinks(dovecot_t)
-+userdom_home_manager(dovecot_deliver_t)
+@@ -58,7 +61,6 @@ kernel_read_system_state(dhcpd_t)
+ kernel_read_kernel_sysctls(dhcpd_t)
+ kernel_read_network_state(dhcpd_t)
+
+-corenet_all_recvfrom_unlabeled(dhcpd_t)
+ corenet_all_recvfrom_netlabel(dhcpd_t)
+ corenet_tcp_sendrecv_generic_if(dhcpd_t)
+ corenet_udp_sendrecv_generic_if(dhcpd_t)
+@@ -102,8 +104,6 @@ auth_use_nsswitch(dhcpd_t)
+
+ logging_send_syslog_msg(dhcpd_t)
+
+-miscfiles_read_localization(dhcpd_t)
+-
+ sysnet_read_dhcp_config(dhcpd_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(dhcpd_t)
+@@ -113,6 +113,19 @@ tunable_policy(`dhcpd_use_ldap',`
+ sysnet_use_ldap(dhcpd_t)
+ ')
+
++ifdef(`distro_gentoo',`
++ allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot };
++')
+
+optional_policy(`
-+ gnome_manage_data(dovecot_deliver_t)
++ # used for dynamic DNS
++ bind_read_dnssec_keys(dhcpd_t)
+')
+
+optional_policy(`
-+ mta_mailserver_delivery(dovecot_deliver_t)
-+ mta_read_queue(dovecot_deliver_t)
- ')
-
--tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_dirs(dovecot_deliver_t)
-- fs_manage_cifs_files(dovecot_deliver_t)
-- fs_manage_cifs_symlinks(dovecot_deliver_t)
-- fs_manage_cifs_dirs(dovecot_t)
-- fs_manage_cifs_files(dovecot_t)
-- fs_manage_cifs_symlinks(dovecot_t)
-+optional_policy(`
-+ postfix_use_fds_master(dovecot_deliver_t)
- ')
-
++ cobbler_dontaudit_rw_log(dhcpd_t)
++')
++
optional_policy(`
-- mta_manage_spool(dovecot_deliver_t)
-+ # Handle sieve scripts
-+ sendmail_domtrans(dovecot_deliver_t)
+ bind_read_dnssec_keys(dhcpd_t)
')
-diff --git a/dpkg.if b/dpkg.if
-index 4d32b42..78736d8 100644
---- a/dpkg.if
-+++ b/dpkg.if
-@@ -62,11 +62,18 @@ interface(`dpkg_domtrans_script',`
- #
- interface(`dpkg_run',`
- gen_require(`
-- attribute_role dpkg_roles;
-+ #attribute_role dpkg_roles;
-+ type dpkg_t, dpkg_script_t;
+diff --git a/dictd.if b/dictd.if
+index 3cc3494..cb0a1f4 100644
+--- a/dictd.if
++++ b/dictd.if
+@@ -38,8 +38,11 @@ interface(`dictd_admin',`
+ type dictd_var_run_t, dictd_initrc_exec_t;
')
-+ #dpkg_domtrans($1)
-+ #roleattribute $2 dpkg_roles;
-+
- dpkg_domtrans($1)
-- roleattribute $2 dpkg_roles;
-+ role $2 types dpkg_t;
-+ role $2 types dpkg_script_t;
-+ seutil_run_loadpolicy(dpkg_script_t, $2)
-+
- ')
+- allow $1 dictd_t:process { ptrace signal_perms };
++ allow $1 dictd_t:process signal_perms;
+ ps_process_pattern($1, dictd_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 dictd_t:process ptrace;
++ ')
- ########################################
-diff --git a/dpkg.te b/dpkg.te
-index 52725c4..934ce11 100644
---- a/dpkg.te
-+++ b/dpkg.te
-@@ -5,8 +5,8 @@ policy_module(dpkg, 1.10.0)
- # Declarations
- #
+ init_labeled_script_domtrans($1, dictd_initrc_exec_t)
+ domain_system_change_exemption($1)
+diff --git a/dictd.te b/dictd.te
+index fd4a602..43b800a 100644
+--- a/dictd.te
++++ b/dictd.te
+@@ -43,7 +43,6 @@ files_pid_filetrans(dictd_t, dictd_var_run_t, file)
+ kernel_read_system_state(dictd_t)
+ kernel_read_kernel_sysctls(dictd_t)
--attribute_role dpkg_roles;
--roleattribute system_r dpkg_roles;
-+#attribute_role dpkg_roles;
-+#roleattribute system_r dpkg_roles;
-
- type dpkg_t;
- type dpkg_exec_t;
-@@ -17,7 +17,8 @@ domain_obj_id_change_exemption(dpkg_t)
- domain_role_change_exemption(dpkg_t)
- domain_system_change_exemption(dpkg_t)
- domain_interactive_fd(dpkg_t)
--role dpkg_roles types dpkg_t;
-+#role dpkg_roles types dpkg_t;
-+role system_r types dpkg_t;
-
- # lockfile
- type dpkg_lock_t;
-@@ -41,7 +42,8 @@ corecmd_shell_entry_type(dpkg_script_t)
- domain_obj_id_change_exemption(dpkg_script_t)
- domain_system_change_exemption(dpkg_script_t)
- domain_interactive_fd(dpkg_script_t)
--role dpkg_roles types dpkg_script_t;
-+#role dpkg_roles types dpkg_script_t;
-+role system_r types dpkg_script_t;
-
- type dpkg_script_tmp_t;
- files_tmp_file(dpkg_script_tmp_t)
-@@ -92,7 +94,6 @@ kernel_read_kernel_sysctls(dpkg_t)
- corecmd_exec_all_executables(dpkg_t)
-
- # TODO: do we really need all networking?
--corenet_all_recvfrom_unlabeled(dpkg_t)
- corenet_all_recvfrom_netlabel(dpkg_t)
- corenet_tcp_sendrecv_generic_if(dpkg_t)
- corenet_raw_sendrecv_generic_if(dpkg_t)
-@@ -152,9 +153,12 @@ files_exec_etc_files(dpkg_t)
- init_domtrans_script(dpkg_t)
- init_use_script_ptys(dpkg_t)
-
-+#libs_exec_ld_so(dpkg_t)
-+#libs_exec_lib_files(dpkg_t)
-+#libs_run_ldconfig(dpkg_t, dpkg_roles)
- libs_exec_ld_so(dpkg_t)
- libs_exec_lib_files(dpkg_t)
--libs_run_ldconfig(dpkg_t, dpkg_roles)
-+libs_domtrans_ldconfig(dpkg_t)
-
- logging_send_syslog_msg(dpkg_t)
-
-@@ -195,20 +199,30 @@ domain_signal_all_domains(dpkg_t)
- domain_signull_all_domains(dpkg_t)
- files_read_etc_runtime_files(dpkg_t)
- files_exec_usr_files(dpkg_t)
--miscfiles_read_localization(dpkg_t)
--modutils_run_depmod(dpkg_t, dpkg_roles)
--modutils_run_insmod(dpkg_t, dpkg_roles)
--seutil_run_loadpolicy(dpkg_t, dpkg_roles)
--seutil_run_setfiles(dpkg_t, dpkg_roles)
-+#modutils_run_depmod(dpkg_t, dpkg_roles)
-+#modutils_run_insmod(dpkg_t, dpkg_roles)
-+#seutil_run_loadpolicy(dpkg_t, dpkg_roles)
-+#seutil_run_setfiles(dpkg_t, dpkg_roles)
- userdom_use_all_users_fds(dpkg_t)
- optional_policy(`
- mta_send_mail(dpkg_t)
- ')
-+
-+
- optional_policy(`
-- usermanage_run_groupadd(dpkg_t, dpkg_roles)
-- usermanage_run_useradd(dpkg_t, dpkg_roles)
-+ modutils_domtrans_depmod(dpkg_t)
-+ modutils_domtrans_insmod(dpkg_t)
-+ seutil_domtrans_loadpolicy(dpkg_t)
-+ seutil_domtrans_setfiles(dpkg_t)
-+ usermanage_domtrans_groupadd(dpkg_t)
-+ usermanage_domtrans_useradd(dpkg_t)
- ')
+-corenet_all_recvfrom_unlabeled(dictd_t)
+ corenet_all_recvfrom_netlabel(dictd_t)
+ corenet_tcp_sendrecv_generic_if(dictd_t)
+ corenet_tcp_sendrecv_generic_node(dictd_t)
+@@ -58,7 +57,6 @@ dev_read_sysfs(dictd_t)
+ domain_use_interactive_fds(dictd_t)
-+#optional_policy(`
-+# usermanage_run_groupadd(dpkg_t, dpkg_roles)
-+# usermanage_run_useradd(dpkg_t, dpkg_roles)
-+#')
-+
- ########################################
- #
- # dpkg-script Local policy
-@@ -296,21 +310,20 @@ init_use_script_fds(dpkg_script_t)
+ files_read_etc_runtime_files(dictd_t)
+-files_read_usr_files(dictd_t)
+ files_search_var_lib(dictd_t)
- libs_exec_ld_so(dpkg_script_t)
- libs_exec_lib_files(dpkg_script_t)
--libs_run_ldconfig(dpkg_script_t, dpkg_roles)
-+libs_domtrans_ldconfig(dpkg_script_t)
-+#libs_run_ldconfig(dpkg_script_t, dpkg_roles)
+ fs_getattr_xattr_fs(dictd_t)
+@@ -68,8 +66,6 @@ auth_use_nsswitch(dictd_t)
- logging_send_syslog_msg(dpkg_script_t)
+ logging_send_syslog_msg(dictd_t)
--miscfiles_read_localization(dpkg_script_t)
+-miscfiles_read_localization(dictd_t)
-
--modutils_run_depmod(dpkg_script_t, dpkg_roles)
--modutils_run_insmod(dpkg_script_t, dpkg_roles)
-+#modutils_run_depmod(dpkg_script_t, dpkg_roles)
-+#modutils_run_insmod(dpkg_script_t, dpkg_roles)
-
--seutil_run_loadpolicy(dpkg_script_t, dpkg_roles)
--seutil_run_setfiles(dpkg_script_t, dpkg_roles)
-+#seutil_run_loadpolicy(dpkg_script_t, dpkg_roles)
-+#seutil_run_setfiles(dpkg_script_t, dpkg_roles)
-
- userdom_use_all_users_fds(dpkg_script_t)
-
--tunable_policy(`allow_execmem',`
-+tunable_policy(`selinuxuser_execmem',`
- allow dpkg_script_t self:process execmem;
- ')
-
-@@ -319,9 +332,9 @@ optional_policy(`
- apt_use_fds(dpkg_script_t)
- ')
-
--optional_policy(`
-- bootloader_run(dpkg_script_t, dpkg_roles)
--')
-+#optional_policy(`
-+# bootloader_run(dpkg_script_t, dpkg_roles)
-+#')
+ userdom_dontaudit_use_unpriv_user_fds(dictd_t)
optional_policy(`
- mta_send_mail(dpkg_script_t)
-@@ -335,7 +348,7 @@ optional_policy(`
- unconfined_domain(dpkg_script_t)
- ')
-
--optional_policy(`
-- usermanage_run_groupadd(dpkg_script_t, dpkg_roles)
-- usermanage_run_useradd(dpkg_script_t, dpkg_roles)
--')
-+#optional_policy(`
-+# usermanage_run_groupadd(dpkg_script_t, dpkg_roles)
-+# usermanage_run_useradd(dpkg_script_t, dpkg_roles)
-+#')
-diff --git a/drbd.fc b/drbd.fc
+diff --git a/dirsrv-admin.fc b/dirsrv-admin.fc
new file mode 100644
-index 0000000..60c19b9
+index 0000000..fdf5675
--- /dev/null
-+++ b/drbd.fc
-@@ -0,0 +1,12 @@
-+
-+/sbin/drbdadm -- gen_context(system_u:object_r:drbd_exec_t,s0)
-+/sbin/drbdsetup -- gen_context(system_u:object_r:drbd_exec_t,s0)
++++ b/dirsrv-admin.fc
+@@ -0,0 +1,15 @@
++/etc/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:dirsrvadmin_config_t,s0)
+
-+/usr/lib/ocf/resource.\d/linbit/drbd -- gen_context(system_u:object_r:drbd_exec_t,s0)
++/etc/dirsrv/dsgw(/.*)? gen_context(system_u:object_r:dirsrvadmin_config_t,s0)
+
-+/usr/sbin/drbdadm -- gen_context(system_u:object_r:drbd_exec_t,s0)
-+/usr/sbin/drbdsetup -- gen_context(system_u:object_r:drbd_exec_t,s0)
++/usr/sbin/restart-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
++/usr/sbin/start-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
++/usr/sbin/stop-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
+
-+/var/lib/drbd(/.*)? gen_context(system_u:object_r:drbd_var_lib_t,s0)
++/usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0)
++/usr/lib/dirsrv/dsgw-cgi-bin(/.*)? gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0)
+
++/usr/lib/dirsrv/cgi-bin/ds_create -- gen_context(system_u:object_r:dirsrvadmin_unconfined_script_exec_t,s0)
++/usr/lib/dirsrv/cgi-bin/ds_remove -- gen_context(system_u:object_r:dirsrvadmin_unconfined_script_exec_t,s0)
+
-diff --git a/drbd.if b/drbd.if
++/var/lock/subsys/dirsrv -- gen_context(system_u:object_r:dirsrvadmin_lock_t,s0)
+diff --git a/dirsrv-admin.if b/dirsrv-admin.if
new file mode 100644
-index 0000000..659d051
+index 0000000..332a1c9
--- /dev/null
-+++ b/drbd.if
-@@ -0,0 +1,127 @@
-+
-+## <summary>policy for drbd</summary>
++++ b/dirsrv-admin.if
+@@ -0,0 +1,134 @@
++## <summary>Administration Server for Directory Server, dirsrv-admin.</summary>
+
+########################################
+## <summary>
-+## Execute a domain transition to run drbd.
++## Exec dirsrv-admin programs.
+## </summary>
+## <param name="domain">
-+## <summary>
++## <summary>
+## Domain allowed access.
-+## </summary>
++## </summary>
+## </param>
+#
-+interface(`drbd_domtrans',`
++interface(`dirsrvadmin_run_exec',`
+ gen_require(`
-+ type drbd_t, drbd_exec_t;
++ type dirsrvadmin_exec_t;
+ ')
+
-+ domtrans_pattern($1, drbd_exec_t, drbd_t)
++ allow $1 dirsrvadmin_exec_t:dir search_dir_perms;
++ can_exec($1, dirsrvadmin_exec_t)
+')
+
+########################################
+## <summary>
-+## Search drbd lib directories.
++## Exec cgi programs.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -19675,18 +17933,18 @@ index 0000000..659d051
+## </summary>
+## </param>
+#
-+interface(`drbd_search_lib',`
++interface(`dirsrvadmin_run_httpd_script_exec',`
+ gen_require(`
-+ type drbd_var_lib_t;
++ type httpd_dirsrvadmin_script_exec_t;
+ ')
+
-+ allow $1 drbd_var_lib_t:dir search_dir_perms;
-+ files_search_var_lib($1)
++ allow $1 httpd_dirsrvadmin_script_exec_t:dir search_dir_perms;
++ can_exec($1, httpd_dirsrvadmin_script_exec_t)
+')
+
+########################################
+## <summary>
-+## Read drbd lib files.
++## Manage dirsrv-adminserver configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -19694,19 +17952,17 @@ index 0000000..659d051
+## </summary>
+## </param>
+#
-+interface(`drbd_read_lib_files',`
++interface(`dirsrvadmin_read_config',`
+ gen_require(`
-+ type drbd_var_lib_t;
++ type dirsrvadmin_config_t;
+ ')
+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, drbd_var_lib_t, drbd_var_lib_t)
++ read_files_pattern($1, dirsrvadmin_config_t, dirsrvadmin_config_t)
+')
+
+########################################
+## <summary>
-+## Create, read, write, and delete
-+## drbd lib files.
++## Manage dirsrv-adminserver configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -19714,255 +17970,356 @@ index 0000000..659d051
+## </summary>
+## </param>
+#
-+interface(`drbd_manage_lib_files',`
++interface(`dirsrvadmin_manage_config',`
+ gen_require(`
-+ type drbd_var_lib_t;
++ type dirsrvadmin_config_t;
+ ')
+
-+ files_search_var_lib($1)
-+ manage_files_pattern($1, drbd_var_lib_t, drbd_var_lib_t)
++ allow $1 dirsrvadmin_config_t:dir manage_dir_perms;
++ allow $1 dirsrvadmin_config_t:file manage_file_perms;
+')
+
-+########################################
++#######################################
+## <summary>
-+## Manage drbd lib dirs files.
++## Read dirsrv-adminserver tmp files.
+## </summary>
+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
++## <summary>
++## Domain allowed access.
++## </summary>
+## </param>
+#
-+interface(`drbd_manage_lib_dirs',`
-+ gen_require(`
-+ type drbd_var_lib_t;
-+ ')
++interface(`dirsrvadmin_read_tmp',`
++ gen_require(`
++ type dirsrvadmin_tmp_t;
++ ')
+
-+ files_search_var_lib($1)
-+ manage_dirs_pattern($1, drbd_var_lib_t, drbd_var_lib_t)
++ read_files_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+')
+
-+
+########################################
+## <summary>
-+## All of the rules required to administrate
-+## an drbd environment
++## Manage dirsrv-adminserver tmp files.
+## </summary>
+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
++## <summary>
++## Domain allowed access.
++## </summary>
+## </param>
+#
-+interface(`drbd_admin',`
-+ gen_require(`
-+ type drbd_t;
-+ type drbd_var_lib_t;
-+ ')
++interface(`dirsrvadmin_manage_tmp',`
++ gen_require(`
++ type dirsrvadmin_tmp_t;
++ ')
+
-+ allow $1 drbd_t:process signal_perms;
-+ ps_process_pattern($1, drbd_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 drbd_t:process ptrace;
-+ ')
++ manage_files_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
++ manage_dirs_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
++')
+
-+ files_search_var_lib($1)
-+ admin_pattern($1, drbd_var_lib_t)
++#######################################
++## <summary>
++## Execute admin cgi programs in caller domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dirsrvadmin_domtrans_unconfined_script_t',`
++ gen_require(`
++ type dirsrvadmin_unconfined_script_t;
++ type dirsrvadmin_unconfined_script_exec_t;
++ ')
+
-+')
++ domtrans_pattern($1, dirsrvadmin_unconfined_script_exec_t, dirsrvadmin_unconfined_script_t)
++ allow $1 dirsrvadmin_unconfined_script_t:process signal_perms;
+
-diff --git a/drbd.te b/drbd.te
++')
+diff --git a/dirsrv-admin.te b/dirsrv-admin.te
new file mode 100644
-index 0000000..2f3efe7
+index 0000000..a3d076f
--- /dev/null
-+++ b/drbd.te
-@@ -0,0 +1,51 @@
-+policy_module(drbd, 1.0.0)
++++ b/dirsrv-admin.te
+@@ -0,0 +1,144 @@
++policy_module(dirsrv-admin,1.0.0)
+
+########################################
+#
-+# Declarations
++# Declarations for the daemon
+#
+
-+type drbd_t;
-+type drbd_exec_t;
-+init_daemon_domain(drbd_t, drbd_exec_t)
++type dirsrvadmin_t;
++type dirsrvadmin_exec_t;
++init_daemon_domain(dirsrvadmin_t, dirsrvadmin_exec_t)
++role system_r types dirsrvadmin_t;
++
++type dirsrvadmin_config_t;
++files_type(dirsrvadmin_config_t)
++
++type dirsrvadmin_lock_t;
++files_lock_file(dirsrvadmin_lock_t)
+
-+type drbd_var_lib_t;
-+files_type(drbd_var_lib_t)
++type dirsrvadmin_tmp_t;
++files_tmp_file(dirsrvadmin_tmp_t)
+
-+type drbd_lock_t;
-+files_lock_file(drbd_lock_t)
++type dirsrvadmin_unconfined_script_t;
++type dirsrvadmin_unconfined_script_exec_t;
++domain_type(dirsrvadmin_unconfined_script_t)
++domain_entry_file(dirsrvadmin_unconfined_script_t, dirsrvadmin_unconfined_script_exec_t)
++corecmd_shell_entry_type(dirsrvadmin_unconfined_script_t)
++role system_r types dirsrvadmin_unconfined_script_t;
+
+########################################
+#
-+# drbd local policy
++# Local policy for the daemon
+#
++allow dirsrvadmin_t self:fifo_file rw_fifo_file_perms;
++allow dirsrvadmin_t self:capability { dac_read_search dac_override sys_tty_config sys_resource };
++allow dirsrvadmin_t self:process setrlimit;
+
-+allow drbd_t self:capability { kill net_admin };
-+dontaudit drbd_t self:capability sys_tty_config;
-+allow drbd_t self:fifo_file rw_fifo_file_perms;
-+allow drbd_t self:unix_stream_socket create_stream_socket_perms;
-+allow drbd_t self:netlink_socket create_socket_perms;
-+allow drbd_t self:netlink_route_socket rw_netlink_socket_perms;
++manage_files_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
++manage_dirs_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
++files_tmp_filetrans(dirsrvadmin_t, dirsrvadmin_tmp_t, { file dir })
++
++kernel_read_system_state(dirsrvadmin_t)
++
++corecmd_exec_bin(dirsrvadmin_t)
++corecmd_read_bin_symlinks(dirsrvadmin_t)
++corecmd_search_bin(dirsrvadmin_t)
++corecmd_shell_entry_type(dirsrvadmin_t)
+
-+manage_dirs_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t)
-+manage_files_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t)
-+manage_lnk_files_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t)
-+files_var_lib_filetrans(drbd_t, drbd_var_lib_t, { dir file } )
++files_exec_etc_files(dirsrvadmin_t)
+
-+manage_files_pattern(drbd_t, drbd_lock_t, drbd_lock_t)
-+files_lock_filetrans(drbd_t, drbd_lock_t, file)
++libs_exec_ld_so(dirsrvadmin_t)
+
-+can_exec(drbd_t, drbd_exec_t)
++logging_search_logs(dirsrvadmin_t)
+
-+kernel_read_system_state(drbd_t)
+
-+dev_read_sysfs(drbd_t)
-+dev_read_rand(drbd_t)
-+dev_read_urand(drbd_t)
++# Needed for stop and restart scripts
++dirsrv_read_var_run(dirsrvadmin_t)
+
-+files_read_etc_files(drbd_t)
++optional_policy(`
++ apache_domtrans(dirsrvadmin_t)
++ apache_signal(dirsrvadmin_t)
++')
+
-+storage_raw_read_fixed_disk(drbd_t)
++########################################
++#
++# Local policy for the CGIs
++#
++#
++#
++# Create a domain for the CGI scripts
+
++optional_policy(`
++ apache_content_template(dirsrvadmin)
+
-+sysnet_dns_name_resolve(drbd_t)
-diff --git a/dspam.fc b/dspam.fc
-new file mode 100644
-index 0000000..4dc92b3
---- /dev/null
-+++ b/dspam.fc
-@@ -0,0 +1,18 @@
++ allow httpd_dirsrvadmin_script_t self:process { getsched getpgid };
++ allow httpd_dirsrvadmin_script_t self:capability { setuid net_bind_service setgid chown sys_nice kill dac_read_search dac_override };
++ allow httpd_dirsrvadmin_script_t self:tcp_socket create_stream_socket_perms;
++ allow httpd_dirsrvadmin_script_t self:udp_socket create_socket_perms;
++ allow httpd_dirsrvadmin_script_t self:unix_dgram_socket create_socket_perms;
++ allow httpd_dirsrvadmin_script_t self:netlink_route_socket r_netlink_socket_perms;
++ allow httpd_dirsrvadmin_script_t self:sem create_sem_perms;
+
-+/etc/rc\.d/init\.d/dspam -- gen_context(system_u:object_r:dspam_initrc_exec_t,s0)
+
-+/usr/bin/dspam -- gen_context(system_u:object_r:dspam_exec_t,s0)
++ manage_files_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_lock_t, dirsrvadmin_lock_t)
++ files_lock_filetrans(httpd_dirsrvadmin_script_t, dirsrvadmin_lock_t, { file })
+
-+/var/lib/dspam(/.*)? gen_context(system_u:object_r:dspam_var_lib_t,s0)
++ kernel_read_kernel_sysctls(httpd_dirsrvadmin_script_t)
+
-+/var/log/dspam(/.*)? gen_context(system_u:object_r:dspam_log_t,s0)
++ corenet_all_recvfrom_netlabel(httpd_dirsrvadmin_script_t)
++ corenet_tcp_connect_generic_port(httpd_dirsrvadmin_script_t)
++ corenet_tcp_connect_ldap_port(httpd_dirsrvadmin_script_t)
++ corenet_tcp_connect_http_port(httpd_dirsrvadmin_script_t)
+
-+/var/run/dspam(/.*)? gen_context(system_u:object_r:dspam_var_run_t,s0)
++ files_search_var_lib(httpd_dirsrvadmin_script_t)
+
-+# web
++ sysnet_read_config(httpd_dirsrvadmin_script_t)
+
-+/var/www/dspam/.*\.cgi -- gen_context(system_u:object_r:httpd_dspam_script_exec_t,s0)
-+/var/www/dspam(/.*?) gen_context(system_u:object_r:httpd_dspam_content_t,s0)
-+/usr/share/dspam-web/dspam\.cgi -- gen_context(system_u:object_r:httpd_dspam_script_exec_t,s0)
++ manage_files_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
++ manage_dirs_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
++ files_tmp_filetrans(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, { file dir })
+
-+/var/lib/dspam/data(/.*)? gen_context(system_u:object_r:httpd_dspam_content_rw_t,s0)
-diff --git a/dspam.if b/dspam.if
++ optional_policy(`
++ # The CGI scripts must be able to manage dirsrv-admin
++ dirsrvadmin_run_exec(httpd_dirsrvadmin_script_t)
++ dirsrvadmin_manage_config(httpd_dirsrvadmin_script_t)
++ dirsrv_domtrans(httpd_dirsrvadmin_script_t)
++ dirsrv_signal(httpd_dirsrvadmin_script_t)
++ dirsrv_signull(httpd_dirsrvadmin_script_t)
++ dirsrv_manage_log(httpd_dirsrvadmin_script_t)
++ dirsrv_manage_var_lib(httpd_dirsrvadmin_script_t)
++ dirsrv_pid_filetrans(httpd_dirsrvadmin_script_t)
++ dirsrv_manage_var_run(httpd_dirsrvadmin_script_t)
++ dirsrv_manage_config(httpd_dirsrvadmin_script_t)
++ dirsrv_read_share(httpd_dirsrvadmin_script_t)
++ ')
++')
++
++#######################################
++#
++# Local policy for the admin CGIs
++#
++#
++
++
++manage_files_pattern(dirsrvadmin_unconfined_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
++manage_dirs_pattern(dirsrvadmin_unconfined_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
++files_tmp_filetrans(dirsrvadmin_unconfined_script_t, dirsrvadmin_tmp_t, { file dir })
++
++# needed because of filetrans rules
++dirsrvadmin_run_exec(dirsrvadmin_unconfined_script_t)
++dirsrvadmin_manage_config(dirsrvadmin_unconfined_script_t)
++dirsrv_domtrans(dirsrvadmin_unconfined_script_t)
++dirsrv_signal(dirsrvadmin_unconfined_script_t)
++dirsrv_signull(dirsrvadmin_unconfined_script_t)
++dirsrv_manage_log(dirsrvadmin_unconfined_script_t)
++dirsrv_manage_var_lib(dirsrvadmin_unconfined_script_t)
++dirsrv_pid_filetrans(dirsrvadmin_unconfined_script_t)
++dirsrv_manage_var_run(dirsrvadmin_unconfined_script_t)
++dirsrv_manage_config(dirsrvadmin_unconfined_script_t)
++dirsrv_read_share(dirsrvadmin_unconfined_script_t)
++
++optional_policy(`
++ unconfined_domain(dirsrvadmin_unconfined_script_t)
++')
++
+diff --git a/dirsrv.fc b/dirsrv.fc
new file mode 100644
-index 0000000..a446210
+index 0000000..0ea1ebb
--- /dev/null
-+++ b/dspam.if
-@@ -0,0 +1,267 @@
++++ b/dirsrv.fc
+@@ -0,0 +1,23 @@
++/etc/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_config_t,s0)
+
-+## <summary>policy for dspam</summary>
++/usr/sbin/ns-slapd -- gen_context(system_u:object_r:dirsrv_exec_t,s0)
++/usr/sbin/ldap-agent -- gen_context(system_u:object_r:initrc_exec_t,s0)
++/usr/sbin/ldap-agent-bin -- gen_context(system_u:object_r:dirsrv_snmp_exec_t,s0)
++/usr/sbin/start-dirsrv -- gen_context(system_u:object_r:initrc_exec_t,s0)
++/usr/sbin/restart-dirsrv -- gen_context(system_u:object_r:initrc_exec_t,s0)
+
++/usr/share/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_share_t,s0)
++
++/var/run/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_run_t,s0)
++/var/run/ldap-agent\.pid gen_context(system_u:object_r:dirsrv_snmp_var_run_t,s0)
++
++# BZ:
++/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0)
++
++/var/lib/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_lib_t,s0)
++
++/var/lock/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_lock_t,s0)
++
++/var/log/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_log_t,s0)
++
++/var/log/dirsrv/ldap-agent.log.* gen_context(system_u:object_r:dirsrv_snmp_var_log_t,s0)
+diff --git a/dirsrv.if b/dirsrv.if
+new file mode 100644
+index 0000000..b214253
+--- /dev/null
++++ b/dirsrv.if
+@@ -0,0 +1,208 @@
++## <summary>policy for dirsrv</summary>
+
+########################################
+## <summary>
-+## Execute a domain transition to run dspam.
++## Execute a domain transition to run dirsrv.
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain allowed access.
++## Domain allowed to transition.
+## </summary>
+## </param>
+#
-+interface(`dspam_domtrans',`
++interface(`dirsrv_domtrans',`
+ gen_require(`
-+ type dspam_t, dspam_exec_t;
++ type dirsrv_t, dirsrv_exec_t;
+ ')
+
-+ domtrans_pattern($1, dspam_exec_t, dspam_t)
++ domtrans_pattern($1, dirsrv_exec_t,dirsrv_t)
+')
+
+
+########################################
+## <summary>
-+## Execute dspam server in the dspam domain.
++## Allow caller to signal dirsrv.
+## </summary>
+## <param name="domain">
-+## <summary>
-+## The type of the process performing this action.
-+## </summary>
++## <summary>
++## Domain allowed access.
++## </summary>
+## </param>
+#
-+interface(`dspam_initrc_domtrans',`
++interface(`dirsrv_signal',`
+ gen_require(`
-+ type dspam_initrc_exec_t;
++ type dirsrv_t;
+ ')
+
-+ init_labeled_script_domtrans($1, dspam_initrc_exec_t)
++ allow $1 dirsrv_t:process signal;
+')
+
++
+########################################
+## <summary>
-+## Allow the specified domain to read dspam's log files.
++## Send a null signal to dirsrv.
+## </summary>
+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
++## <summary>
++## Domain allowed access.
++## </summary>
+## </param>
-+## <rolecap/>
+#
-+interface(`dspam_read_log',`
++interface(`dirsrv_signull',`
+ gen_require(`
-+ type dspam_log_t;
++ type dirsrv_t;
+ ')
+
-+ logging_search_logs($1)
-+ read_files_pattern($1, dspam_log_t, dspam_log_t)
++ allow $1 dirsrv_t:process signull;
+')
+
-+########################################
++#######################################
+## <summary>
-+## Allow the specified domain to append
-+## dspam log files.
++## Allow a domain to manage dirsrv logs.
+## </summary>
+## <param name="domain">
-+## <summary>
-+## Domain allowed to transition.
-+## </summary>
++## <summary>
++## Domain allowed access.
++## </summary>
+## </param>
+#
-+interface(`dspam_append_log',`
++interface(`dirsrv_manage_log',`
+ gen_require(`
-+ type dspam_log_t;
++ type dirsrv_var_log_t;
+ ')
+
-+ logging_search_logs($1)
-+ append_files_pattern($1, dspam_log_t, dspam_log_t)
++ allow $1 dirsrv_var_log_t:dir manage_dir_perms;
++ allow $1 dirsrv_var_log_t:file manage_file_perms;
++ allow $1 dirsrv_var_log_t:fifo_file manage_fifo_file_perms;
+')
+
-+########################################
++#######################################
+## <summary>
-+## Allow domain to manage dspam log files
++## Allow a domain to manage dirsrv /var/lib files.
+## </summary>
+## <param name="domain">
-+## <summary>
-+## Domain to not audit.
-+## </summary>
++## <summary>
++## Domain allowed access.
++## </summary>
+## </param>
+#
-+interface(`dspam_manage_log',`
-+ gen_require(`
-+ type dspam_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ manage_dirs_pattern($1, dspam_log_t, dspam_log_t)
-+ manage_files_pattern($1, dspam_log_t, dspam_log_t)
-+ manage_lnk_files_pattern($1, dspam_log_t, dspam_log_t)
++interface(`dirsrv_manage_var_lib',`
++ gen_require(`
++ type dirsrv_var_lib_t;
++ ')
++ allow $1 dirsrv_var_lib_t:dir manage_dir_perms;
++ allow $1 dirsrv_var_lib_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
-+## Search dspam lib directories.
++## Connect to dirsrv over a unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
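Review bot: In dirsrv-admin.te the calls `dirsrv_read_var_run(dirsrvadmin_t)` and the `dirsrv_domtrans`/`dirsrv_signal`/`dirsrv_manage_*`/`dirsrv_read_share` block for `dirsrvadmin_unconfined_script_t` are made at top level, whereas the same interfaces for `httpd_dirsrvadmin_script_t` are wrapped in `optional_policy(\`` ... `')`; since dirsrv is a separate module added by this same patch, the unwrapped calls make dirsrv-admin fail to build whenever dirsrv is not part of the policy set, so they should be wrapped the same way. The interface `dirsrvadmin_domtrans_unconfined_script_t` carries a `_t` suffix no other interface in this file uses, and its summary `Execute admin cgi programs in caller domain.` contradicts the `domtrans_pattern` in its body, which moves the caller into `dirsrvadmin_unconfined_script_t`, a domain the .te then hands to `unconfined_domain`; the summary should say that, e.g. `## Transition to the unconfined dirsrv-admin CGI domain.`. In dirsrv.fc the comment `# BZ:` above the `/var/run/slapd.*` entry is left empty, so the reason for labelling a path with `slapd_var_run_t`, a type this module does not declare, is undocumented, and the `.` in `slapd.*` and `ldap-agent.log.*` is unescaped unlike `ldap-agent\.pid` two lines above.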
@@ -19970,1843 +18327,2077 @@ index 0000000..a446210
+## </summary>
+## </param>
+#
-+interface(`dspam_search_lib',`
++interface(`dirsrv_stream_connect',`
+ gen_require(`
-+ type dspam_var_lib_t;
++ type dirsrv_t, dirsrv_var_run_t;
+ ')
+
-+ allow $1 dspam_var_lib_t:dir search_dir_perms;
-+ files_search_var_lib($1)
++ files_search_pids($1)
++ stream_connect_pattern($1, dirsrv_var_run_t, dirsrv_var_run_t, dirsrv_t)
+')
+
-+########################################
++#######################################
+## <summary>
-+## Read dspam lib files.
++## Allow a domain to manage dirsrv /var/run files.
+## </summary>
+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
++## <summary>
++## Domain allowed access.
++## </summary>
+## </param>
+#
-+interface(`dspam_read_lib_files',`
++interface(`dirsrv_manage_var_run',`
+ gen_require(`
-+ type dspam_var_lib_t;
++ type dirsrv_var_run_t;
+ ')
-+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, dspam_var_lib_t, dspam_var_lib_t)
++ allow $1 dirsrv_var_run_t:dir manage_dir_perms;
++ allow $1 dirsrv_var_run_t:file manage_file_perms;
++ allow $1 dirsrv_var_run_t:sock_file manage_file_perms;
+')
+
-+########################################
++######################################
+## <summary>
-+## Create, read, write, and delete
-+## dspam lib files.
++## Allow a domain to create dirsrv pid directories.
+## </summary>
+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
++## <summary>
++## Domain allowed access.
++## </summary>
+## </param>
+#
-+interface(`dspam_manage_lib_files',`
-+ gen_require(`
-+ type dspam_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_files_pattern($1, dspam_var_lib_t, dspam_var_lib_t)
++interface(`dirsrv_pid_filetrans',`
++ gen_require(`
++ type dirsrv_var_run_t;
++ ')
++ # Allow creating a dir in /var/run with this type
++ files_pid_filetrans($1, dirsrv_var_run_t, dir)
+')
+
-+########################################
++#######################################
+## <summary>
-+## Manage dspam lib dirs files.
++## Allow a domain to read dirsrv /var/run files.
+## </summary>
+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
++## <summary>
++## Domain allowed access.
++## </summary>
+## </param>
+#
-+interface(`dspam_manage_lib_dirs',`
-+ gen_require(`
-+ type dspam_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_dirs_pattern($1, dspam_var_lib_t, dspam_var_lib_t)
++interface(`dirsrv_read_var_run',`
++ gen_require(`
++ type dirsrv_var_run_t;
++ ')
++ allow $1 dirsrv_var_run_t:dir list_dir_perms;
++ allow $1 dirsrv_var_run_t:file read_file_perms;
+')
+
-+
+########################################
+## <summary>
-+## Read dspam PID files.
++## Manage dirsrv configuration files.
+## </summary>
+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
++## <summary>
++## Domain allowed access.
++## </summary>
+## </param>
+#
-+interface(`dspam_read_pid_files',`
++interface(`dirsrv_manage_config',`
+ gen_require(`
-+ type dspam_var_run_t;
++ type dirsrv_config_t;
+ ')
+
-+ files_search_pids($1)
-+ allow $1 dspam_var_run_t:file read_file_perms;
++ allow $1 dirsrv_config_t:dir manage_dir_perms;
++ allow $1 dirsrv_config_t:file manage_file_perms;
+')
+
-+#######################################
++########################################
+## <summary>
-+## Connect to DSPAM using a unix domain stream socket.
++## Read dirsrv share files.
+## </summary>
+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
++## <summary>
++## Domain allowed access.
++## </summary>
+## </param>
+#
-+interface(`dspam_stream_connect',`
-+ gen_require(`
-+ type dspam_t, dspam_var_run_t, dspam_tmp_t;
-+ ')
++interface(`dirsrv_read_share',`
++ gen_require(`
++ type dirsrv_share_t;
++ ')
+
-+ files_search_pids($1)
-+ files_search_tmp($1)
-+ stream_connect_pattern($1, dspam_var_run_t, dspam_var_run_t, dspam_t)
-+ stream_connect_pattern($1, dspam_tmp_t, dspam_tmp_t, dspam_t)
++ allow $1 dirsrv_share_t:dir list_dir_perms;
++ allow $1 dirsrv_share_t:file read_file_perms;
++ allow $1 dirsrv_share_t:lnk_file read;
+')
+diff --git a/dirsrv.te b/dirsrv.te
+new file mode 100644
+index 0000000..7f0b4f6
+--- /dev/null
++++ b/dirsrv.te
+@@ -0,0 +1,193 @@
++policy_module(dirsrv,1.0.0)
+
+########################################
-+## <summary>
-+## All of the rules required to administrate
-+## an dspam environment
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <param name="role">
-+## <summary>
-+## Role allowed access.
-+## </summary>
-+## </param>
-+## <rolecap/>
+#
-+interface(`dspam_admin',`
-+ gen_require(`
-+ type dspam_t;
-+ type dspam_initrc_exec_t;
-+ type dspam_log_t;
-+ type dspam_var_lib_t;
-+ type dspam_var_run_t;
-+ ')
++# Declarations
++#
+
-+ allow $1 dspam_t:process signal_perms;
-+ ps_process_pattern($1, dspam_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 dspam_t:process ptrace;
-+ ')
++# main daemon
++type dirsrv_t;
++type dirsrv_exec_t;
++domain_type(dirsrv_t)
++init_daemon_domain(dirsrv_t, dirsrv_exec_t)
+
-+ dspam_initrc_domtrans($1)
-+ domain_system_change_exemption($1)
-+ role_transition $2 dspam_initrc_exec_t system_r;
-+ allow $2 system_r;
++type dirsrv_snmp_t;
++type dirsrv_snmp_exec_t;
++domain_type(dirsrv_snmp_t)
++init_daemon_domain(dirsrv_snmp_t, dirsrv_snmp_exec_t)
+
-+ logging_search_logs($1)
-+ admin_pattern($1, dspam_log_t)
++type dirsrv_var_lib_t;
++files_type(dirsrv_var_lib_t)
+
-+ files_search_var_lib($1)
-+ admin_pattern($1, dspam_var_lib_t)
++type dirsrv_var_log_t;
++logging_log_file(dirsrv_var_log_t)
+
-+ files_search_pids($1)
-+ admin_pattern($1, dspam_var_run_t)
++type dirsrv_snmp_var_log_t;
++logging_log_file(dirsrv_snmp_var_log_t)
+
-+')
-diff --git a/dspam.te b/dspam.te
-new file mode 100644
-index 0000000..e6f0960
---- /dev/null
-+++ b/dspam.te
-@@ -0,0 +1,113 @@
++type dirsrv_var_run_t;
++files_pid_file(dirsrv_var_run_t)
++
++type dirsrv_snmp_var_run_t;
++files_pid_file(dirsrv_snmp_var_run_t)
++
++type dirsrv_var_lock_t;
++files_lock_file(dirsrv_var_lock_t)
++
++type dirsrv_config_t;
++files_type(dirsrv_config_t)
++
++type dirsrv_tmp_t;
++files_tmp_file(dirsrv_tmp_t)
++
++type dirsrv_tmpfs_t;
++files_tmpfs_file(dirsrv_tmpfs_t)
+
-+policy_module(dspam, 1.0.0)
++type dirsrv_share_t;
++files_type(dirsrv_share_t);
+
+########################################
+#
-+# Declarations
++# dirsrv local policy
+#
++allow dirsrv_t self:process { getsched setsched setfscreate signal_perms};
++allow dirsrv_t self:capability { sys_nice setuid setgid fsetid chown dac_override fowner };
++allow dirsrv_t self:fifo_file manage_fifo_file_perms;
++allow dirsrv_t self:sem create_sem_perms;
++allow dirsrv_t self:tcp_socket create_stream_socket_perms;
+
-+type dspam_t;
-+type dspam_exec_t;
-+init_daemon_domain(dspam_t, dspam_exec_t)
++manage_files_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
++fs_tmpfs_filetrans(dirsrv_t, dirsrv_tmpfs_t, file)
+
-+type dspam_initrc_exec_t;
-+init_script_file(dspam_initrc_exec_t)
++manage_dirs_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
++manage_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
++manage_sock_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
++files_var_lib_filetrans(dirsrv_t,dirsrv_var_lib_t, { file dir sock_file })
+
-+type dspam_log_t;
-+logging_log_file(dspam_log_t)
++manage_dirs_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t)
++manage_files_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t)
++manage_fifo_files_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t)
++allow dirsrv_t dirsrv_var_log_t:dir { setattr };
++logging_log_filetrans(dirsrv_t,dirsrv_var_log_t,{ sock_file file dir })
+
-+type dspam_var_lib_t;
-+files_type(dspam_var_lib_t)
++manage_dirs_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t)
++manage_files_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t)
++manage_sock_files_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t)
++files_pid_filetrans(dirsrv_t, dirsrv_var_run_t, { file dir sock_file })
+
-+type dspam_var_run_t;
-+files_pid_file(dspam_var_run_t)
++manage_files_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t)
++manage_dirs_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t)
++files_lock_filetrans(dirsrv_t, dirsrv_var_lock_t, file)
++files_setattr_lock_dirs(dirsrv_t)
+
-+# FIXME
-+# /tmp/dspam.sock
-+type dspam_tmp_t;
-+files_tmp_file(dspam_tmp_t)
++manage_files_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)
++manage_dirs_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)
++manage_lnk_files_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)
+
-+########################################
-+#
-+# dspam local policy
-+#
++manage_files_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t)
++manage_dirs_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t)
++files_tmp_filetrans(dirsrv_t, dirsrv_tmp_t, { file dir })
++allow dirsrv_t dirsrv_tmp_t:file relabel_file_perms;
+
-+allow dspam_t self:capability net_admin;
++kernel_read_system_state(dirsrv_t)
++kernel_read_kernel_sysctls(dirsrv_t)
+
-+allow dspam_t self:process { signal };
++corecmd_search_bin(dirsrv_t)
+
-+allow dspam_t self:fifo_file rw_fifo_file_perms;
-+allow dspam_t self:unix_stream_socket create_stream_socket_perms;
++corenet_all_recvfrom_netlabel(dirsrv_t)
++corenet_tcp_sendrecv_generic_if(dirsrv_t)
++corenet_tcp_sendrecv_generic_node(dirsrv_t)
++corenet_tcp_sendrecv_all_ports(dirsrv_t)
++corenet_tcp_bind_generic_node(dirsrv_t)
++corenet_tcp_bind_ldap_port(dirsrv_t)
++corenet_tcp_bind_dogtag_port(dirsrv_t)
++corenet_tcp_bind_all_rpc_ports(dirsrv_t)
++corenet_udp_bind_all_rpc_ports(dirsrv_t)
++corenet_tcp_connect_all_ports(dirsrv_t)
++corenet_sendrecv_ldap_server_packets(dirsrv_t)
++corenet_sendrecv_all_client_packets(dirsrv_t)
+
-+manage_dirs_pattern(dspam_t, dspam_log_t, dspam_log_t)
-+manage_files_pattern(dspam_t, dspam_log_t, dspam_log_t)
++dev_read_sysfs(dirsrv_t)
++dev_read_urand(dirsrv_t)
+
-+files_search_var_lib(dspam_t)
-+manage_dirs_pattern(dspam_t, dspam_var_lib_t, dspam_var_lib_t)
-+manage_files_pattern(dspam_t, dspam_var_lib_t, dspam_var_lib_t)
++files_read_etc_files(dirsrv_t)
++files_read_usr_symlinks(dirsrv_t)
+
-+manage_dirs_pattern(dspam_t, dspam_var_run_t, dspam_var_run_t)
-+manage_files_pattern(dspam_t, dspam_var_run_t, dspam_var_run_t)
-+manage_sock_files_pattern(dspam_t, dspam_var_run_t, dspam_var_run_t)
-+files_pid_filetrans(dspam_t, dspam_var_run_t, dir, "dspam")
++fs_getattr_all_fs(dirsrv_t)
+
-+manage_sock_files_pattern(dspam_t, dspam_tmp_t, dspam_tmp_t)
-+files_tmp_filetrans(dspam_t, dspam_tmp_t, sock_file)
++auth_use_pam(dirsrv_t)
+
-+corenet_tcp_connect_spamd_port(dspam_t)
-+corenet_tcp_bind_spamd_port(dspam_t)
++logging_send_syslog_msg(dirsrv_t)
+
-+auth_use_nsswitch(dspam_t)
++sysnet_dns_name_resolve(dirsrv_t)
+
-+files_search_spool(dspam_t)
++optional_policy(`
++ apache_dontaudit_leaks(dirsrv_t)
++')
+
-+# for RHEL5
-+libs_use_ld_so(dspam_t)
-+libs_use_shared_libs(dspam_t)
-+libs_read_lib_files(dspam_t)
++optional_policy(`
++ dirsrvadmin_read_tmp(dirsrv_t)
++')
+
-+logging_send_syslog_msg(dspam_t)
+
+optional_policy(`
-+ mysql_tcp_connect(dspam_t)
-+ mysql_search_db(dspam_t)
-+ mysql_stream_connect(dspam_t)
++ kerberos_use(dirsrv_t)
++ kerberos_tmp_filetrans_host_rcache(dirsrv_t, "ldapmap1_0")
++ kerberos_tmp_filetrans_host_rcache(dirsrv_t, "ldap_487")
++ kerberos_tmp_filetrans_host_rcache(dirsrv_t, "ldap_55")
+')
+
++# FIPS mode
+optional_policy(`
-+ postgresql_tcp_connect(dspam_t)
-+ postgresql_stream_connect(dspam_t)
++ prelink_exec(dirsrv_t)
+')
+
-+#######################################
++optional_policy(`
++ rpcbind_stream_connect(dirsrv_t)
++')
++
++########################################
+#
-+# dspam web local policy.
++# dirsrv-snmp local policy
+#
++allow dirsrv_snmp_t self:capability { dac_override dac_read_search };
++allow dirsrv_snmp_t self:fifo_file rw_fifo_file_perms;
+
-+optional_policy(`
-+ apache_content_template(dspam)
++rw_files_pattern(dirsrv_snmp_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
+
-+ read_files_pattern(httpd_dspam_script_t, dspam_var_lib_t, dspam_var_lib_t)
++read_files_pattern(dirsrv_snmp_t, dirsrv_var_run_t, dirsrv_var_run_t)
+
-+ files_search_var_lib(httpd_dspam_script_t)
-+ list_dirs_pattern(dspam_t, httpd_dspam_content_t, httpd_dspam_content_t)
-+ manage_dirs_pattern(dspam_t, httpd_dspam_content_rw_t, httpd_dspam_content_rw_t)
-+ manage_files_pattern(dspam_t, httpd_dspam_content_rw_t, httpd_dspam_content_rw_t)
++read_files_pattern(dirsrv_snmp_t, dirsrv_config_t, dirsrv_config_t)
+
-+ domain_dontaudit_read_all_domains_state(httpd_dspam_script_t)
++manage_files_pattern(dirsrv_snmp_t, dirsrv_snmp_var_run_t, dirsrv_snmp_var_run_t)
++files_pid_filetrans(dirsrv_snmp_t, dirsrv_snmp_var_run_t, { file sock_file })
++search_dirs_pattern(dirsrv_snmp_t, dirsrv_var_run_t, dirsrv_var_run_t)
+
-+ term_dontaudit_search_ptys(httpd_dspam_script_t)
-+ term_dontaudit_getattr_all_ttys(httpd_dspam_script_t)
-+ term_dontaudit_getattr_all_ptys(httpd_dspam_script_t)
++manage_files_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t);
++filetrans_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t, file)
+
-+ init_read_utmp(httpd_dspam_script_t)
++corenet_tcp_connect_agentx_port(dirsrv_snmp_t)
+
-+ logging_send_syslog_msg(httpd_dspam_script_t)
++dev_read_rand(dirsrv_snmp_t)
++dev_read_urand(dirsrv_snmp_t)
+
-+ mta_send_mail(httpd_dspam_script_t)
++domain_use_interactive_fds(dirsrv_snmp_t)
+
-+ optional_policy(`
-+ mysql_tcp_connect(httpd_dspam_script_t)
-+ mysql_stream_connect(httpd_dspam_script_t)
-+ ')
++#files_manage_var_files(dirsrv_snmp_t)
++files_read_etc_files(dirsrv_snmp_t)
++files_read_usr_files(dirsrv_snmp_t)
++
++fs_getattr_tmpfs(dirsrv_snmp_t)
++fs_search_tmpfs(dirsrv_snmp_t)
++
++
++sysnet_read_config(dirsrv_snmp_t)
++sysnet_dns_name_resolve(dirsrv_snmp_t)
++
++optional_policy(`
++ snmp_dontaudit_read_snmp_var_lib_files(dirsrv_snmp_t)
++ snmp_dontaudit_write_snmp_var_lib_files(dirsrv_snmp_t)
++ snmp_manage_var_lib_dirs(dirsrv_snmp_t)
++ snmp_manage_var_lib_files(dirsrv_snmp_t)
++ snmp_stream_connect(dirsrv_snmp_t)
+')
-diff --git a/entropyd.te b/entropyd.te
-index b6ac808..6235eb0 100644
---- a/entropyd.te
-+++ b/entropyd.te
-@@ -33,7 +33,7 @@ manage_files_pattern(entropyd_t, entropyd_var_run_t, entropyd_var_run_t)
- files_pid_filetrans(entropyd_t, entropyd_var_run_t, file)
+diff --git a/distcc.te b/distcc.te
+index b441a4d..83fb340 100644
+--- a/distcc.te
++++ b/distcc.te
+@@ -47,7 +47,6 @@ files_pid_filetrans(distccd_t, distccd_var_run_t, file)
+ kernel_read_system_state(distccd_t)
+ kernel_read_kernel_sysctls(distccd_t)
- kernel_rw_kernel_sysctl(entropyd_t)
--kernel_list_proc(entropyd_t)
-+kernel_read_system_state(entropyd_t)
- kernel_read_proc_symlinks(entropyd_t)
+-corenet_all_recvfrom_unlabeled(distccd_t)
+ corenet_all_recvfrom_netlabel(distccd_t)
+ corenet_tcp_sendrecv_generic_if(distccd_t)
+ corenet_tcp_sendrecv_generic_node(distccd_t)
+@@ -74,8 +73,6 @@ libs_exec_lib_files(distccd_t)
- dev_read_sysfs(entropyd_t)
-@@ -42,7 +42,6 @@ dev_write_urand(entropyd_t)
- dev_read_rand(entropyd_t)
- dev_write_rand(entropyd_t)
+ logging_send_syslog_msg(distccd_t)
--files_read_etc_files(entropyd_t)
- files_read_usr_files(entropyd_t)
+-miscfiles_read_localization(distccd_t)
+-
+ userdom_dontaudit_use_unpriv_user_fds(distccd_t)
+ userdom_dontaudit_search_user_home_dirs(distccd_t)
- fs_getattr_all_fs(entropyd_t)
-@@ -52,7 +51,7 @@ domain_use_interactive_fds(entropyd_t)
+diff --git a/djbdns.if b/djbdns.if
+index 671d3c0..6d36c95 100644
+--- a/djbdns.if
++++ b/djbdns.if
+@@ -39,6 +39,23 @@ template(`djbdns_daemontools_domain_template',`
- logging_send_syslog_msg(entropyd_t)
+ allow djbdns_$1_t djbdns_$1_conf_t:dir list_dir_perms;
+ allow djbdns_$1_t djbdns_$1_conf_t:file read_file_perms;
++
++ corenet_all_recvfrom_netlabel(djbdns_$1_t)
++ corenet_tcp_sendrecv_generic_if(djbdns_$1_t)
++ corenet_udp_sendrecv_generic_if(djbdns_$1_t)
++ corenet_tcp_sendrecv_generic_node(djbdns_$1_t)
++ corenet_udp_sendrecv_generic_node(djbdns_$1_t)
++ corenet_tcp_sendrecv_all_ports(djbdns_$1_t)
++ corenet_udp_sendrecv_all_ports(djbdns_$1_t)
++ corenet_tcp_bind_generic_node(djbdns_$1_t)
++ corenet_udp_bind_generic_node(djbdns_$1_t)
++ corenet_tcp_bind_dns_port(djbdns_$1_t)
++ corenet_udp_bind_dns_port(djbdns_$1_t)
++ corenet_udp_bind_generic_port(djbdns_$1_t)
++ corenet_sendrecv_dns_server_packets(djbdns_$1_t)
++ corenet_sendrecv_generic_server_packets(djbdns_$1_t)
++
++ files_search_var(djbdns_$1_t)
+ ')
--miscfiles_read_localization(entropyd_t)
-+auth_use_nsswitch(entropyd_t)
+ #####################################
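Review bot: The network rules added to `djbdns_daemontools_domain_template` give every generated `djbdns_$1_t` domain `corenet_tcp_sendrecv_all_ports`, `corenet_udp_sendrecv_all_ports` and `corenet_udp_bind_generic_port`, which is wider than an authoritative or caching DNS service needs and is applied uniformly whether the instance is tinydns, dnscache or axfrdns. The djbdns.te hunk below still carries `corenet_udp_bind_generic_port(djbdns_domain)` for the attribute, so if the template's types also carry `djbdns_domain` these lines are duplicated as well. Consider keeping only the generic if/node rules and the dns-port binds in the template and granting the generic-port bind and all-ports access only in the per-daemon domain that demonstrably needs them. The template's body begins outside the hunk.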
+diff --git a/djbdns.te b/djbdns.te
+index 463d290..2f66c34 100644
+--- a/djbdns.te
++++ b/djbdns.te
+@@ -48,11 +48,16 @@ corenet_udp_bind_generic_port(djbdns_domain)
- userdom_dontaudit_use_unpriv_user_fds(entropyd_t)
- userdom_dontaudit_search_user_home_dirs(entropyd_t)
-diff --git a/evolution.te b/evolution.te
-index 73cb712..2c6f3bc 100644
---- a/evolution.te
-+++ b/evolution.te
-@@ -146,7 +146,6 @@ corecmd_exec_shell(evolution_t)
- # Run various programs
- corecmd_exec_bin(evolution_t)
+ files_search_var(djbdns_domain)
--corenet_all_recvfrom_unlabeled(evolution_t)
- corenet_all_recvfrom_netlabel(evolution_t)
- corenet_tcp_sendrecv_generic_if(evolution_t)
- corenet_udp_sendrecv_generic_if(evolution_t)
-@@ -181,19 +180,17 @@ dev_read_urand(evolution_t)
++daemontools_ipc_domain(djbdns_axfrdns_t)
++daemontools_read_svc(djbdns_axfrdns_t)
++
++
+ ########################################
+ #
+ # axfrdns local policy
+ #
- domain_dontaudit_read_all_domains_state(evolution_t)
++ucspitcp_service_domain(djbdns_axfrdns_t, djbdns_axfrdns_exec_t)
+ allow djbdns_axfrdns_t { djbdns_tinydns_t djbdns_tinydns_conf_t }:dir list_dir_perms;
+ allow djbdns_axfrdns_t { djbdns_tinydns_t djbdns_tinydns_conf_t }:file read_file_perms;
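Review bot: The two added axfrdns rules `daemontools_ipc_domain(djbdns_axfrdns_t)` and `daemontools_read_svc(djbdns_axfrdns_t)` sit above the `# axfrdns local policy` banner, so they read as part of the shared djbdns_domain section they follow rather than the axfrdns section they belong to. Move them below `ucspitcp_service_domain(djbdns_axfrdns_t, djbdns_axfrdns_exec_t)` next to the other axfrdns-only rules, and collapse the double blank line that now precedes the banner. The djbdns_domain section this hunk starts in begins outside the hunk.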
--files_read_etc_files(evolution_t)
- files_read_usr_files(evolution_t)
- files_read_usr_symlinks(evolution_t)
- files_read_var_files(evolution_t)
+diff --git a/dkim.fc b/dkim.fc
+index 5818418..674367b 100644
+--- a/dkim.fc
++++ b/dkim.fc
+@@ -9,7 +9,6 @@
- fs_search_auto_mountpoints(evolution_t)
+ /var/lib/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
--logging_send_syslog_msg(evolution_t)
-+auth_use_nsswitch(evolution_t)
+-/var/run/dkim-filter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+ /var/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+ /var/run/dkim-milter\.pid -- gen_context(system_u:object_r:dkim_milter_data_t,s0)
--miscfiles_read_localization(evolution_t)
-+logging_send_syslog_msg(evolution_t)
+diff --git a/dmidecode.te b/dmidecode.te
+index c947c2c..441d3f4 100644
+--- a/dmidecode.te
++++ b/dmidecode.te
+@@ -29,4 +29,4 @@ files_list_usr(dmidecode_t)
- sysnet_read_config(evolution_t)
--sysnet_dns_name_resolve(evolution_t)
+ locallogin_use_fds(dmidecode_t)
- udev_read_state(evolution_t)
+-userdom_use_user_terminals(dmidecode_t)
++userdom_use_inherited_user_terminals(dmidecode_t)
+diff --git a/dnsmasq.fc b/dnsmasq.fc
+index 23ab808..4a801b5 100644
+--- a/dnsmasq.fc
++++ b/dnsmasq.fc
+@@ -2,6 +2,8 @@
-@@ -201,7 +198,7 @@ userdom_rw_user_tmp_files(evolution_t)
- userdom_manage_user_tmp_dirs(evolution_t)
- userdom_manage_user_tmp_sockets(evolution_t)
- userdom_manage_user_tmp_files(evolution_t)
--userdom_use_user_terminals(evolution_t)
-+userdom_use_inherited_user_terminals(evolution_t)
- # FIXME: suppress access to .local/.icons/.themes until properly implemented
- # FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
- # until properly implemented
-@@ -357,12 +354,12 @@ allow evolution_alarm_t evolution_server_orbit_tmp_t:sock_file write;
+ /etc/rc\.d/init\.d/dnsmasq -- gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0)
- dev_read_urand(evolution_alarm_t)
++/usr/lib/systemd/system/dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_unit_file_t,s0)
++
+ /usr/sbin/dnsmasq -- gen_context(system_u:object_r:dnsmasq_exec_t,s0)
--files_read_etc_files(evolution_alarm_t)
- files_read_usr_files(evolution_alarm_t)
+ /var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0)
+diff --git a/dnsmasq.if b/dnsmasq.if
+index 19aa0b8..b303b37 100644
+--- a/dnsmasq.if
++++ b/dnsmasq.if
+@@ -10,7 +10,6 @@
+ ## </summary>
+ ## </param>
+ #
+-#
+ interface(`dnsmasq_domtrans',`
+ gen_require(`
+ type dnsmasq_exec_t, dnsmasq_t;
+@@ -20,6 +19,24 @@ interface(`dnsmasq_domtrans',`
+ domtrans_pattern($1, dnsmasq_exec_t, dnsmasq_t)
+ ')
- fs_search_auto_mountpoints(evolution_alarm_t)
++#######################################
++## <summary>
++## Execute dnsmasq server in the caller domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`dnsmasq_exec',`
++ gen_require(`
++ type dnsmasq_exec_t;
++ ')
++
++ can_exec($1, dnsmasq_exec_t)
++')
++
+ ########################################
+ ## <summary>
+ ## Execute the dnsmasq init script in
+@@ -42,6 +59,29 @@ interface(`dnsmasq_initrc_domtrans',`
--miscfiles_read_localization(evolution_alarm_t)
-+auth_use_nsswitch(evolution_alarm_t)
+ ########################################
+ ## <summary>
++## Execute dnsmasq server in the dnsmasq domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`dnsmasq_systemctl',`
++ gen_require(`
++ type dnsmasq_unit_file_t;
++ type dnsmasq_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 dnsmasq_unit_file_t:file read_file_perms;
++ allow $1 dnsmasq_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, dnsmasq_t)
++')
+
++########################################
++## <summary>
+ ## Send generic signals to dnsmasq.
+ ## </summary>
+ ## <param name="domain">
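Review bot: The summary on the new `dnsmasq_systemctl` interface, `Execute dnsmasq server in the dnsmasq domain.`, is copied from `dnsmasq_domtrans` and does not describe what the body grants: `systemd_exec_systemctl`, read of `dnsmasq_unit_file_t` and `manage_service_perms` on its service, plus `ps_process_pattern` on `dnsmasq_t`. Replace it with `## Manage the dnsmasq service via systemctl (read its unit file, start/stop the service, read dnsmasq's process state).` and change the parameter summary from `Domain allowed to transition.` to `Domain allowed access.`, since no domain transition happens here.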
+@@ -145,12 +185,12 @@ interface(`dnsmasq_write_config',`
+ ## </summary>
+ ## </param>
+ #
+-#
+ interface(`dnsmasq_delete_pid_files',`
+ gen_require(`
+ type dnsmasq_var_run_t;
+ ')
+
++ files_search_pids($1)
+ delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
+ ')
- # Access evolution home
- userdom_search_user_home_dirs(evolution_alarm_t)
-@@ -439,13 +436,13 @@ corecmd_exec_bin(evolution_exchange_t)
+@@ -176,7 +216,7 @@ interface(`dnsmasq_manage_pid_files',`
- dev_read_urand(evolution_exchange_t)
+ ########################################
+ ## <summary>
+-## Read dnsmasq pid files.
++## Read dnsmasq pid files
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -184,12 +224,12 @@ interface(`dnsmasq_manage_pid_files',`
+ ## </summary>
+ ## </param>
+ #
+-#
+ interface(`dnsmasq_read_pid_files',`
+ gen_require(`
+ type dnsmasq_var_run_t;
+ ')
--files_read_etc_files(evolution_exchange_t)
- files_read_usr_files(evolution_exchange_t)
++ files_search_pids($1)
+ read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
+ ')
- # Access evolution home
- fs_search_auto_mountpoints(evolution_exchange_t)
+@@ -214,37 +254,46 @@ interface(`dnsmasq_create_pid_dirs',`
--miscfiles_read_localization(evolution_exchange_t)
-+auth_use_nsswitch(evolution_exchange_t)
-+
+ ########################################
+ ## <summary>
+-## Create specified objects in specified
+-## directories with a type transition to
+-## the dnsmasq pid file type.
++## Transition to dnsmasq named content
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
++## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <param name="file_type">
++## <param name="private type">
+ ## <summary>
+-## Directory to transition on.
+-## </summary>
+-## </param>
+-## <param name="object">
+-## <summary>
+-## The object class of the object being created.
+-## </summary>
+-## </param>
+-## <param name="name" optional="true">
+-## <summary>
+-## The name of the object being created.
++## The type of the directory for the object to be created.
+ ## </summary>
+ ## </param>
+ #
+-interface(`dnsmasq_spec_filetrans_pid',`
++interface(`dnsmasq_filetrans_named_content_fromdir',`
+ gen_require(`
+ type dnsmasq_var_run_t;
+ ')
- userdom_write_user_tmp_sockets(evolution_exchange_t)
- # Access evolution home
-@@ -506,7 +503,6 @@ kernel_read_system_state(evolution_server_t)
- corecmd_exec_shell(evolution_server_t)
+- filetrans_pattern($1, $2, dnsmasq_var_run_t, $3, $4)
++ filetrans_pattern($1, $2, dnsmasq_var_run_t, dir, "network")
++ filetrans_pattern($1, $2, dnsmasq_var_run_t, file, "dnsmasq.pid")
++')
++
++#######################################
++## <summary>
++## Transition to dnsmasq named content
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dnsmasq_filetrans_named_content',`
++ gen_require(`
++ type dnsmasq_var_run_t;
++ ')
++
++ files_pid_filetrans($1, dnsmasq_var_run_t, dir, "network")
++ files_pid_filetrans($1, dnsmasq_var_run_t, file, "dnsmasq.pid")
++ virt_pid_filetrans($1, dnsmasq_var_run_t, file, "network")
+ ')
- # Obtain weather data via http (read server name from xml file in /usr)
--corenet_all_recvfrom_unlabeled(evolution_server_t)
- corenet_all_recvfrom_netlabel(evolution_server_t)
- corenet_tcp_sendrecv_generic_if(evolution_server_t)
- corenet_tcp_sendrecv_generic_node(evolution_server_t)
-@@ -519,19 +515,18 @@ corenet_sendrecv_http_cache_client_packets(evolution_server_t)
+ ########################################
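Review bot: `dnsmasq_filetrans_named_content` calls `virt_pid_filetrans($1, dnsmasq_var_run_t, file, "network")` unconditionally, which makes the dnsmasq module hard-depend on the virt module being built; wrap that line in an `optional_policy` block like the virt block in dnsmasq.te does. The same interface transitions the name `"network"` as `dir` under the generic pid directory two lines earlier but as `file` under virt's pid directory — if `network` is a directory in both places, as the first rule suggests, the class on the virt line should be `dir` as well. Separately, the rewritten documentation for `dnsmasq_filetrans_named_content_fromdir` uses `<param name="private type">`, which is not an identifier; name it `<param name="file_type">` and keep the summary `The type of the directory for the object to be created.`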
+@@ -267,12 +316,17 @@ interface(`dnsmasq_spec_filetrans_pid',`
+ interface(`dnsmasq_admin',`
+ gen_require(`
+ type dnsmasq_t, dnsmasq_lease_t, dnsmasq_var_run_t;
+- type dnsmasq_initrc_exec_t, dnsmasq_var_log_t;
++ type dnsmasq_initrc_exec_t;
++ type dnsmasq_unit_file_t;
+ ')
- dev_read_urand(evolution_server_t)
+- allow $1 dnsmasq_t:process { ptrace signal_perms };
++ allow $1 dnsmasq_t:process signal_perms;
+ ps_process_pattern($1, dnsmasq_t)
--files_read_etc_files(evolution_server_t)
- # Obtain weather data via http (read server name from xml file in /usr)
- files_read_usr_files(evolution_server_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 dnsmasq_t:process ptrace;
++ ')
++
+ init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 dnsmasq_initrc_exec_t system_r;
+@@ -286,4 +340,8 @@ interface(`dnsmasq_admin',`
- fs_search_auto_mountpoints(evolution_server_t)
+ files_list_pids($1)
+ admin_pattern($1, dnsmasq_var_run_t)
++
++ dnsmasq_systemctl($1)
++ admin_pattern($1, dnsmasq_unit_file_t)
++ allow $1 dnsmasq_unit_file_t:service all_service_perms;
+ ')
+diff --git a/dnsmasq.te b/dnsmasq.te
+index ba14bcf..f33d9f5 100644
+--- a/dnsmasq.te
++++ b/dnsmasq.te
+@@ -24,6 +24,9 @@ logging_log_file(dnsmasq_var_log_t)
+ type dnsmasq_var_run_t;
+ files_pid_file(dnsmasq_var_run_t)
--miscfiles_read_localization(evolution_server_t)
-+auth_use_nsswitch(evolution_server_t)
++type dnsmasq_unit_file_t;
++systemd_unit_file(dnsmasq_unit_file_t)
+
- # Look in /etc/pki
- miscfiles_read_generic_certs(evolution_server_t)
+ ########################################
+ #
+ # Local policy
+@@ -56,7 +59,6 @@ kernel_read_network_state(dnsmasq_t)
+ kernel_read_system_state(dnsmasq_t)
+ kernel_request_load_module(dnsmasq_t)
+
+-corenet_all_recvfrom_unlabeled(dnsmasq_t)
+ corenet_all_recvfrom_netlabel(dnsmasq_t)
+ corenet_tcp_sendrecv_generic_if(dnsmasq_t)
+ corenet_udp_sendrecv_generic_if(dnsmasq_t)
+@@ -88,8 +90,6 @@ auth_use_nsswitch(dnsmasq_t)
+
+ logging_send_syslog_msg(dnsmasq_t)
+
+-miscfiles_read_localization(dnsmasq_t)
+-
+ userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
+ userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
- # Talk to ldap (address book)
- sysnet_read_config(evolution_server_t)
--sysnet_dns_name_resolve(evolution_server_t)
- sysnet_use_ldap(evolution_server_t)
+@@ -98,11 +98,24 @@ optional_policy(`
+ ')
- # Access evolution home
-@@ -573,7 +568,6 @@ allow evolution_webcal_t evolution_webcal_tmpfs_t:sock_file manage_sock_file_per
- allow evolution_webcal_t evolution_webcal_tmpfs_t:fifo_file manage_fifo_file_perms;
- fs_tmpfs_filetrans(evolution_webcal_t, evolution_webcal_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+ optional_policy(`
++ cron_manage_pid_files(dnsmasq_t)
++')
++
++optional_policy(`
+ dbus_connect_system_bus(dnsmasq_t)
+ dbus_system_bus_client(dnsmasq_t)
+ ')
--corenet_all_recvfrom_unlabeled(evolution_webcal_t)
- corenet_all_recvfrom_netlabel(evolution_webcal_t)
- corenet_tcp_sendrecv_generic_if(evolution_webcal_t)
- corenet_raw_sendrecv_generic_if(evolution_webcal_t)
-@@ -586,9 +580,9 @@ corenet_tcp_connect_http_port(evolution_webcal_t)
- corenet_sendrecv_http_client_packets(evolution_webcal_t)
- corenet_sendrecv_http_cache_client_packets(evolution_webcal_t)
+ optional_policy(`
++ networkmanager_read_conf(dnsmasq_t)
++ networkmanager_read_pid_files(dnsmasq_t)
++')
++
++optional_policy(`
++ ppp_read_pid_files(dnsmasq_t)
++')
++
++optional_policy(`
+ networkmanager_read_pid_files(dnsmasq_t)
+ ')
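Review bot: This hunk leaves two `optional_policy` blocks for NetworkManager: the new one with `networkmanager_read_conf(dnsmasq_t)` and `networkmanager_read_pid_files(dnsmasq_t)`, and the pre-existing one right below it that still holds `networkmanager_read_pid_files(dnsmasq_t)`; drop the old block so the grant is stated once. `cron_manage_pid_files(dnsmasq_t)` also stands out: it lets a DNS/DHCP daemon create, write and delete files under cron's pid directory, which is far more than a read, and no comment says why. If the need is only to read a cron-created run file, a read interface is enough; otherwise a one-line why-comment above the call would save the next reviewer the same question.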
--# Networking capability - connect to website and handle ics link
-+auth_use_nsswitch(evolution_webcal_t)
-+
- sysnet_read_config(evolution_webcal_t)
--sysnet_dns_name_resolve(evolution_webcal_t)
+@@ -124,6 +137,7 @@ optional_policy(`
- # Search home directory (?)
- userdom_search_user_home_dirs(evolution_webcal_t)
-diff --git a/exim.fc b/exim.fc
-index 298f066..02c2561 100644
---- a/exim.fc
-+++ b/exim.fc
-@@ -1,4 +1,9 @@
+ optional_policy(`
+ virt_manage_lib_files(dnsmasq_t)
++ virt_read_lib_files(dnsmasq_t)
+ virt_read_pid_files(dnsmasq_t)
+ virt_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file })
+ ')
+diff --git a/dnssec.fc b/dnssec.fc
+new file mode 100644
+index 0000000..9e231a8
+--- /dev/null
++++ b/dnssec.fc
+@@ -0,0 +1,3 @@
++/usr/sbin/dnssec-triggerd -- gen_context(system_u:object_r:dnssec_trigger_exec_t,s0)
+
-+/etc/rc\.d/init\.d/exim -- gen_context(system_u:object_r:exim_initrc_exec_t,s0)
++/var/run/dnssec.* gen_context(system_u:object_r:dnssec_trigger_var_run_t,s0)
+diff --git a/dnssec.if b/dnssec.if
+new file mode 100644
+index 0000000..a952041
+--- /dev/null
++++ b/dnssec.if
+@@ -0,0 +1,64 @@
+
- /usr/sbin/exim[0-9]? -- gen_context(system_u:object_r:exim_exec_t,s0)
-+/usr/sbin/exim_tidydb -- gen_context(system_u:object_r:exim_exec_t,s0)
++## <summary>policy for dnssec_trigger</summary>
+
- /var/log/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_log_t,s0)
- /var/run/exim[0-9]?\.pid -- gen_context(system_u:object_r:exim_var_run_t,s0)
- /var/spool/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_spool_t,s0)
-diff --git a/exim.if b/exim.if
-index 6bef7f8..ba138e8 100644
---- a/exim.if
-+++ b/exim.if
-@@ -20,6 +20,49 @@ interface(`exim_domtrans',`
-
- ########################################
- ## <summary>
-+## Execute the mailman program in the mailman domain.
++########################################
++## <summary>
++## Transition to dnssec_trigger.
+## </summary>
+## <param name="domain">
-+## <summary>
-+## Domain allowed to transition.
-+## </summary>
-+## </param>
-+## <param name="role">
-+## <summary>
-+## The role to allow the mailman domain.
-+## </summary>
++## <summary>
++## Domain allowed to transition.
++## </summary>
+## </param>
-+## <rolecap/>
+#
-+interface(`exim_run',`
-+ gen_require(`
-+ type exim_t;
-+ ')
++interface(`dnssec_trigger_domtrans',`
++ gen_require(`
++ type dnssec_trigger_t, dnssec_trigger_exec_t;
++ ')
+
-+ exim_domtrans($1)
-+ role $2 types exim_t;
++ corecmd_search_bin($1)
++ domtrans_pattern($1, dnssec_trigger_exec_t, dnssec_trigger_t)
+')
-+
+########################################
+## <summary>
-+## Execute exim in the exim domain.
++## Read dnssec_trigger PID files.
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain allowed to transition.
++## Domain allowed access.
+## </summary>
+## </param>
+#
-+interface(`exim_initrc_domtrans',`
++interface(`dnssec_trigger_read_pid_files',`
+ gen_require(`
-+ type exim_initrc_exec_t;
++ type dnssec_trigger_var_run_t;
+ ')
+
-+ init_labeled_script_domtrans($1, exim_initrc_exec_t)
++ files_search_pids($1)
++ allow $1 dnssec_trigger_var_run_t:file read_file_perms;
+')
+
-+########################################
-+## <summary>
- ## Do not audit attempts to read,
- ## exim tmp files
- ## </summary>
-@@ -194,3 +237,49 @@ interface(`exim_manage_spool_files',`
- manage_files_pattern($1, exim_spool_t, exim_spool_t)
- files_search_spool($1)
- ')
+
+########################################
+## <summary>
+## All of the rules required to administrate
-+## an exim environment.
++## an dnssec_trigger environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
-+## <param name="role">
-+## <summary>
-+## Role allowed access.
-+## </summary>
-+## </param>
+#
-+interface(`exim_admin',`
++interface(`dnssec_trigger_admin',`
+ gen_require(`
-+ type exim_t, exim_initrc_exec_t, exim_log_t;
-+ type exim_tmp_t, exim_spool_t, exim_var_run_t;
++ type dnssec_trigger_t;
++ type dnssec_trigger_var_run_t;
+ ')
+
-+ allow $1 exim_t:process signal_perms;
-+ ps_process_pattern($1, exim_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 exim_t:process ptrace;
-+ ')
++ allow $1 dnssec_trigger_t:process { ptrace signal_perms };
++ ps_process_pattern($1, dnssec_trigger_t)
+
-+ exim_initrc_domtrans($1)
-+ domain_system_change_exemption($1)
-+ role_transition $2 exim_initrc_exec_t system_r;
-+ allow $2 system_r;
++ files_search_pids($1)
++ admin_pattern($1, dnssec_trigger_var_run_t)
++')
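Review bot: `dnssec_trigger_admin` grants ptrace unconditionally in `allow $1 dnssec_trigger_t:process { ptrace signal_perms };`, while the `exim_admin` and `dnsmasq_admin` interfaces in this same patch gate ptrace behind the `deny_ptrace` tunable. Reduce the line to `allow $1 dnssec_trigger_t:process signal_perms;` and put the ptrace allow inside a `tunable_policy` on `deny_ptrace` exactly as `exim_admin` does, so the tunable actually covers every admin interface. The interface also takes no role parameter and covers no init script or unit file, unlike its siblings; if that is intentional, the summary should say it manages only the process and its pid files.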
+diff --git a/dnssec.te b/dnssec.te
+new file mode 100644
+index 0000000..25daf6c
+--- /dev/null
++++ b/dnssec.te
+@@ -0,0 +1,59 @@
++policy_module(dnssec, 1.0.0)
+
-+ logging_list_logs($1)
-+ admin_pattern($1, exim_log_t)
++########################################
++#
++# Declarations
++#
+
-+ files_list_tmp($1)
-+ admin_pattern($1, exim_tmp_t)
++type dnssec_trigger_t;
++type dnssec_trigger_exec_t;
++init_daemon_domain(dnssec_trigger_t, dnssec_trigger_exec_t)
+
-+ files_list_spool($1)
-+ admin_pattern($1, exim_spool_t)
++type dnssec_trigger_var_run_t;
++files_pid_file(dnssec_trigger_var_run_t)
+
-+ files_list_pids($1)
-+ admin_pattern($1, exim_var_run_t)
++########################################
++#
++# dnssec_trigger local policy
++#
++allow dnssec_trigger_t self:capability linux_immutable;
++allow dnssec_trigger_t self:process signal;
++allow dnssec_trigger_t self:fifo_file rw_fifo_file_perms;
++allow dnssec_trigger_t self:unix_stream_socket create_stream_socket_perms;
++allow dnssec_trigger_t self:tcp_socket create_stream_socket_perms;
++allow dnssec_trigger_t self:udp_socket create_socket_perms;
++
++manage_dirs_pattern(dnssec_trigger_t, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t)
++manage_files_pattern(dnssec_trigger_t, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t)
++files_pid_filetrans(dnssec_trigger_t, dnssec_trigger_var_run_t, { dir file })
++
++kernel_read_system_state(dnssec_trigger_t)
++
++corecmd_exec_bin(dnssec_trigger_t)
++corecmd_exec_shell(dnssec_trigger_t)
++
++corenet_tcp_bind_generic_node(dnssec_trigger_t)
++corenet_tcp_bind_dnssec_port(dnssec_trigger_t)
++corenet_tcp_connect_rndc_port(dnssec_trigger_t)
++corenet_tcp_connect_http_port(dnssec_trigger_t)
++
++dev_read_urand(dnssec_trigger_t)
++
++domain_use_interactive_fds(dnssec_trigger_t)
++
++files_read_etc_runtime_files(dnssec_trigger_t)
++files_read_etc_files(dnssec_trigger_t)
++
++logging_send_syslog_msg(dnssec_trigger_t)
++
++auth_read_passwd(dnssec_trigger_t)
++
++sysnet_dns_name_resolve(dnssec_trigger_t)
++sysnet_manage_config(dnssec_trigger_t)
++
++optional_policy(`
++ bind_read_config(dnssec_trigger_t)
++ bind_read_dnssec_keys(dnssec_trigger_t)
+')
-diff --git a/exim.te b/exim.te
-index f28f64b..91758d5 100644
---- a/exim.te
-+++ b/exim.te
-@@ -35,11 +35,14 @@ mta_mailserver_user_agent(exim_t)
- application_executable_file(exim_exec_t)
- mta_agent_executable(exim_exec_t)
-
-+type exim_initrc_exec_t;
-+init_script_file(exim_initrc_exec_t)
+
- type exim_log_t;
- logging_log_file(exim_log_t)
-
- type exim_spool_t;
--files_type(exim_spool_t)
-+files_spool_file(exim_spool_t)
-
- type exim_tmp_t;
- files_tmp_file(exim_tmp_t)
-@@ -79,11 +82,10 @@ files_pid_filetrans(exim_t, exim_var_run_t, { file dir })
-
- kernel_read_kernel_sysctls(exim_t)
- kernel_read_network_state(exim_t)
--kernel_dontaudit_read_system_state(exim_t)
-+kernel_read_system_state(exim_t)
++
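Review bot: This new `dnssec.te` introduces `dnssec_trigger_t` for `/usr/sbin/dnssec-triggerd` (see the dnssec.fc entry above) while the same patch still edits `dnssectrigger.te`, whose `dnssec_triggerd_t` domain presumably labels the same daemon; two modules claiming one executable path, with dnssec.fc's broad `/var/run/dnssec.*` rule likely overlapping whatever dnssectrigger.fc labels, means whichever file context loads last wins, so one of the two modules should be dropped. The `linux_immutable` capability combined with `sysnet_manage_config` is a strong grant — it lets the daemon rewrite `/etc/resolv.conf` and set or clear its immutable bit — and if that is indeed what dnssec-trigger does it deserves a why-comment such as `# dnssec-triggerd rewrites /etc/resolv.conf and toggles its immutable bit` above the allow. `corecmd_exec_bin` plus `corecmd_exec_shell` likewise reads as hook-script support and would benefit from a one-line comment saying so.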
+diff --git a/dnssectrigger.te b/dnssectrigger.te
+index ef36d73..fddd51f 100644
+--- a/dnssectrigger.te
++++ b/dnssectrigger.te
+@@ -67,8 +67,6 @@ files_read_etc_runtime_files(dnssec_triggerd_t)
- corecmd_search_bin(exim_t)
+ logging_send_syslog_msg(dnssec_triggerd_t)
--corenet_all_recvfrom_unlabeled(exim_t)
- corenet_all_recvfrom_netlabel(exim_t)
- corenet_tcp_sendrecv_generic_if(exim_t)
- corenet_udp_sendrecv_generic_if(exim_t)
-@@ -108,7 +110,7 @@ domain_use_interactive_fds(exim_t)
+-miscfiles_read_localization(dnssec_triggerd_t)
+-
+ sysnet_dns_name_resolve(dnssec_triggerd_t)
+ sysnet_manage_config(dnssec_triggerd_t)
+ sysnet_etc_filetrans_config(dnssec_triggerd_t)
+diff --git a/dovecot.fc b/dovecot.fc
+index c880070..4448055 100644
+--- a/dovecot.fc
++++ b/dovecot.fc
+@@ -1,36 +1,48 @@
+-/etc/dovecot(/.*)? gen_context(system_u:object_r:dovecot_etc_t,s0)
+-/etc/dovecot/passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0)
- files_search_usr(exim_t)
- files_search_var(exim_t)
--files_read_etc_files(exim_t)
-+files_read_usr_files(exim_t)
- files_read_etc_runtime_files(exim_t)
- files_getattr_all_mountpoints(exim_t)
+-/etc/dovecot\.conf.* gen_context(system_u:object_r:dovecot_etc_t,s0)
+-/etc/dovecot\.passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0)
+-
+-/etc/pki/dovecot(/.*)? gen_context(system_u:object_r:dovecot_cert_t,s0)
++#
++# /etc
++#
++/etc/dovecot(/.*)? gen_context(system_u:object_r:dovecot_etc_t,s0)
++/etc/dovecot\.conf.* gen_context(system_u:object_r:dovecot_etc_t,s0)
++/etc/dovecot\.passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0)
-@@ -119,7 +121,6 @@ auth_use_nsswitch(exim_t)
++/etc/pki/dovecot(/.*)? gen_context(system_u:object_r:dovecot_cert_t,s0)
+ /etc/rc\.d/init\.d/dovecot -- gen_context(system_u:object_r:dovecot_initrc_exec_t,s0)
- logging_send_syslog_msg(exim_t)
+-/usr/sbin/dovecot -- gen_context(system_u:object_r:dovecot_exec_t,s0)
++# Debian uses /etc/dovecot/
++ifdef(`distro_debian',`
++/etc/dovecot/passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0)
++')
--miscfiles_read_localization(exim_t)
- miscfiles_read_generic_certs(exim_t)
+-/usr/share/ssl/certs/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0)
+-/usr/share/ssl/private/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0)
++#
++# /usr
++#
++/usr/sbin/dovecot -- gen_context(system_u:object_r:dovecot_exec_t,s0)
- userdom_dontaudit_search_user_home_dirs(exim_t)
-@@ -162,6 +163,10 @@ optional_policy(`
- ')
+-/etc/ssl/dovecot(/.*)? gen_context(system_u:object_r:dovecot_cert_t,s0)
++/usr/share/ssl/certs/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0)
++/usr/share/ssl/private/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0)
- optional_policy(`
-+ dovecot_stream_connect(exim_t)
+-/usr/lib/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+-/usr/lib/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
++ifdef(`distro_debian', `
+ /usr/lib/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+-/usr/lib/dovecot/dovecot-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
++/usr/lib/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
+')
-+
-+optional_policy(`
- kerberos_keytab_template(exim, exim_t)
- ')
-
-@@ -171,6 +176,10 @@ optional_policy(`
- ')
- optional_policy(`
-+ nagios_search_spool(exim_t)
+-/usr/libexec/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
++ifdef(`distro_redhat', `
++/usr/libexec/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+ /usr/libexec/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
+-/usr/libexec/dovecot/deliver-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
+-/usr/libexec/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
++/usr/libexec/dovecot/dovecot-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
++/usr/libexec/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+')
-+
-+optional_policy(`
- tunable_policy(`exim_can_connect_db',`
- mysql_stream_connect(exim_t)
- ')
-@@ -184,6 +193,7 @@ optional_policy(`
- optional_policy(`
- procmail_domtrans(exim_t)
-+ procmail_read_home_files(exim_t)
- ')
+-/var/run/dovecot(-login)?(/.*)? gen_context(system_u:object_r:dovecot_var_run_t,s0)
+-/var/run/dovecot/login/ssl-parameters.dat -- gen_context(system_u:object_r:dovecot_var_lib_t,s0)
++#
++# /var
++#
++/var/run/dovecot(-login)?(/.*)? gen_context(system_u:object_r:dovecot_var_run_t,s0)
++/var/run/dovecot/login/ssl-parameters.dat -- gen_context(system_u:object_r:dovecot_var_lib_t,s0)
- optional_policy(`
-diff --git a/fail2ban.fc b/fail2ban.fc
-index 0de2b83..6de0fca 100644
---- a/fail2ban.fc
-+++ b/fail2ban.fc
-@@ -4,5 +4,5 @@
- /usr/bin/fail2ban-server -- gen_context(system_u:object_r:fail2ban_exec_t,s0)
+-/var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0)
++/var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0)
- /var/lib/fail2ban(/.*)? gen_context(system_u:object_r:fail2ban_var_lib_t,s0)
--/var/log/fail2ban\.log -- gen_context(system_u:object_r:fail2ban_log_t,s0)
-+/var/log/fail2ban\.log.* -- gen_context(system_u:object_r:fail2ban_log_t,s0)
- /var/run/fail2ban.* gen_context(system_u:object_r:fail2ban_var_run_t,s0)
-diff --git a/fail2ban.if b/fail2ban.if
-index f590a1f..b1b13b0 100644
---- a/fail2ban.if
-+++ b/fail2ban.if
-@@ -40,7 +40,26 @@ interface(`fail2ban_stream_connect',`
+-/var/log/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_log_t,s0)
+-/var/log/dovecot\.log.* gen_context(system_u:object_r:dovecot_var_log_t,s0)
++/var/log/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_log_t,s0)
++/var/log/dovecot\.log.* gen_context(system_u:object_r:dovecot_var_log_t,s0)
- ########################################
- ## <summary>
--## Read and write to an fail2ban unix stream socket.
-+## Read and write inherited temporary files.
+-/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0)
++/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0)
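Review bot: The `/etc/dovecot/passwd.*` → `dovecot_passwd_t` entry is now emitted only inside the `distro_debian` ifdef, so on every other build a passwd file under `/etc/dovecot/` falls through to the `/etc/dovecot(/.*)?` rule and is labelled `dovecot_etc_t`, readable by anything granted dovecot config access rather than by the auth path alone. The comment `# Debian uses /etc/dovecot/` is the stated justification, but the unconditional `/etc/dovecot(/.*)?` rule a few lines up shows the directory is expected on all distros, so the passwd line should stay unconditional as `/etc/dovecot/passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0)`. The hunk also drops the `/etc/ssl/dovecot(/.*)?` → `dovecot_cert_t` rule without a replacement; if any supported layout still keeps keys there, they now receive the default etc label.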
+diff --git a/dovecot.if b/dovecot.if
+index dbcac59..66d42bb 100644
+--- a/dovecot.if
++++ b/dovecot.if
+@@ -1,29 +1,49 @@
+-## <summary>POP and IMAP mail server.</summary>
++## <summary>Dovecot POP and IMAP mail server</summary>
++
++######################################
++## <summary>
++## Creates types and rules for a basic
++## dovecot daemon domain.
+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
++## <param name="prefix">
++## <summary>
++## Prefix for the domain.
++## </summary>
+## </param>
+#
-+interface(`fail2ban_rw_inherited_tmp_files',`
++template(`dovecot_basic_types_template',`
+ gen_require(`
-+ type fail2ban_tmp_t;
++ attribute dovecot_domain;
+ ')
+
-+ files_search_tmp($1)
-+ allow $1 fail2ban_tmp_t:file rw_inherited_file_perms;
-+')
++ type $1_t, dovecot_domain;
++ type $1_exec_t;
+
-+########################################
-+## <summary>
-+## Read and write to an fail2ba unix stream socket.
++ kernel_read_system_state($1_t)
++')
+
+ #######################################
+ ## <summary>
+-## Connect to dovecot using a unix
+-## domain stream socket.
++## Connect to dovecot unix domain stream socket.
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
++## <summary>
++## Domain allowed access.
++## </summary>
+ ## </param>
+ #
+ interface(`dovecot_stream_connect',`
+- gen_require(`
+- type dovecot_t, dovecot_var_run_t;
+- ')
++ gen_require(`
++ type dovecot_t, dovecot_var_run_t;
++ ')
+
+- files_search_pids($1)
+- stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_t)
++ files_search_pids($1)
++ stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Connect to dovecot using a unix
+-## domain stream socket.
++## Connect to dovecot auth unix domain stream socket.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
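Review bot: `dovecot_basic_types_template` declares `$1_t` and `$1_exec_t` but gives `$1_exec_t` no file or entrypoint attribute and does not make `$1_t` a domain, so it is only half of a domain declaration and its `<summary>` should say so; the dovecot.te side of this patch pairs every call with `init_daemon_domain` or with `domain_type` plus `domain_entry_file`. I would extend the summary to `Declares $1_t (carrying the dovecot_domain attribute) and a bare $1_exec_t; the caller must still apply init_daemon_domain, or domain_type and domain_entry_file, before either is usable.` The rest of the hunk, the `dovecot_stream_connect` body, only changes indentation.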
+@@ -43,8 +63,7 @@ interface(`dovecot_stream_connect_auth',`
+
+ ########################################
+ ## <summary>
+-## Execute dovecot_deliver in the
+-## dovecot_deliver domain.
++## Execute dovecot_deliver in the dovecot_deliver domain.
## </summary>
## <param name="domain">
## <summary>
-@@ -72,7 +91,7 @@ interface(`fail2ban_read_lib_files',`
+@@ -57,14 +76,12 @@ interface(`dovecot_domtrans_deliver',`
+ type dovecot_deliver_t, dovecot_deliver_exec_t;
')
- files_search_var_lib($1)
-- allow $1 fail2ban_var_lib_t:file read_file_perms;
-+ read_files_pattern($1, fail2ban_var_lib_t, fail2ban_var_lib_t)
+- corecmd_search_bin($1)
+ domtrans_pattern($1, dovecot_deliver_exec_t, dovecot_deliver_t)
')
########################################
-@@ -138,6 +157,26 @@ interface(`fail2ban_read_pid_files',`
+ ## <summary>
+-## Create, read, write, and delete
+-## dovecot spool files.
++## Create, read, write, and delete the dovecot spool files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
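Review bot: `dovecot_domtrans_deliver` loses `corecmd_search_bin($1)`, so a caller that does not already hold search on bin_t directories can no longer reach `dovecot_deliver_exec_t` if the deliver binary lives under a bin_t path (its file context is not in this hunk, so that part is inferred). Either keep `corecmd_search_bin($1)` ahead of the `domtrans_pattern` call, or state in the interface summary that the caller is expected to provide the directory search itself.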
+@@ -78,15 +95,13 @@ interface(`dovecot_manage_spool',`
+ ')
+
+ files_search_spool($1)
+- allow $1 dovecot_spool_t:dir manage_dir_perms;
+- allow $1 dovecot_spool_t:file manage_file_perms;
+- allow $1 dovecot_spool_t:lnk_file manage_lnk_file_perms;
++ manage_files_pattern($1, dovecot_spool_t, dovecot_spool_t)
++ manage_lnk_files_pattern($1, dovecot_spool_t, dovecot_spool_t)
+ ')
########################################
## <summary>
-+## dontaudit read and write an leaked file descriptors
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
-+interface(`fail2ban_dontaudit_leaks',`
-+ gen_require(`
-+ type fail2ban_t;
-+ ')
-+
-+ dontaudit $1 fail2ban_t:tcp_socket { read write };
-+ dontaudit $1 fail2ban_t:unix_dgram_socket { read write };
-+ dontaudit $1 fail2ban_t:unix_stream_socket { read write };
-+')
-+
-+########################################
-+## <summary>
- ## All of the rules required to administrate
- ## an fail2ban environment
+-## Do not audit attempts to delete
+-## dovecot lib files.
++## Do not audit attempts to delete dovecot lib files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
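Review bot: `dovecot_manage_spool` silently narrows what it grants: the removed `allow $1 dovecot_spool_t:dir manage_dir_perms;` is not reproduced, because `manage_files_pattern` only gives `rw_dir_perms` on the directory, so callers can no longer create or remove subdirectories (Maildir-style `cur`/`new`/`tmp` trees) inside the spool. Add `manage_dirs_pattern($1, dovecot_spool_t, dovecot_spool_t)` next to the two pattern calls, or rename the interface if the narrowing is intended.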
+@@ -99,12 +114,13 @@ interface(`dovecot_dontaudit_unlink_lib_files',`
+ type dovecot_var_lib_t;
+ ')
+
+- dontaudit $1 dovecot_var_lib_t:file delete_file_perms;
++ dontaudit $1 dovecot_var_lib_t:file unlink;
+ ')
+
+ ######################################
+ ## <summary>
+-## Write inherited dovecot tmp files.
++## Allow attempts to write inherited
++## dovecot tmp files.
## </summary>
-@@ -155,12 +194,16 @@ interface(`fail2ban_read_pid_files',`
+ ## <param name="domain">
+ ## <summary>
+@@ -122,8 +138,8 @@ interface(`dovecot_write_inherited_tmp_files',`
+
+ ########################################
+ ## <summary>
+-## All of the rules required to
+-## administrate an dovecot environment.
++## All of the rules required to administrate
++## an dovecot environment
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -132,21 +148,24 @@ interface(`dovecot_write_inherited_tmp_files',`
+ ## </param>
+ ## <param name="role">
+ ## <summary>
+-## Role allowed access.
++## The role to be allowed to manage the dovecot domain.
+ ## </summary>
+ ## </param>
+ ## <rolecap/>
#
- interface(`fail2ban_admin',`
+ interface(`dovecot_admin',`
gen_require(`
-- type fail2ban_t, fail2ban_log_t;
-- type fail2ban_var_run_t, fail2ban_initrc_exec_t;
-+ type fail2ban_t, fail2ban_log_t, fail2ban_initrc_exec_t;
-+ type fail2ban_var_run_t, fail2ban_var_lib_t, fail2ban_tmp_t;
-+ type fail2ban_client_t;
+- type dovecot_t, dovecot_etc_t, dovecot_var_log_t;
+- type dovecot_spool_t, dovecot_var_lib_t, dovecot_initrc_exec_t;
+- type dovecot_var_run_t, dovecot_cert_t, dovecot_passwd_t;
+- type dovecot_tmp_t, dovecot_auth_tmp_t, dovecot_deliver_tmp_t;
++ type dovecot_t, dovecot_etc_t, dovecot_auth_tmp_t;
++ type dovecot_spool_t, dovecot_var_lib_t, dovecot_var_log_t;
++ type dovecot_var_run_t, dovecot_tmp_t, dovecot_keytab_t;
++ type dovecot_cert_t, dovecot_passwd_t, dovecot_initrc_exec_t;
')
-- allow $1 fail2ban_t:process { ptrace signal_perms };
-- ps_process_pattern($1, fail2ban_t)
-+ allow $1 { fail2ban_t fail2ban_client_t }:process signal_perms;
-+ ps_process_pattern($1, { fail2ban_t fail2ban_client_t })
+- allow $1 dovecot_t:process { ptrace signal_perms };
++ allow $1 dovecot_t:process signal_perms;
+ ps_process_pattern($1, dovecot_t)
+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 { fail2ban_t fail2ban_client_t }:process ptrace;
++ allow $1 dovecot_t:process ptrace;
+ ')
- init_labeled_script_domtrans($1, fail2ban_initrc_exec_t)
+ init_labeled_script_domtrans($1, dovecot_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -172,4 +215,10 @@ interface(`fail2ban_admin',`
+@@ -156,20 +175,25 @@ interface(`dovecot_admin',`
+ files_list_etc($1)
+ admin_pattern($1, dovecot_etc_t)
- files_list_pids($1)
- admin_pattern($1, fail2ban_var_run_t)
-+
-+ files_list_var_lib($1)
-+ admin_pattern($1, fail2ban_var_lib_t)
-+
+- logging_list_logs($1)
+- admin_pattern($1, dovecot_var_log_t)
+ files_list_tmp($1)
-+ admin_pattern($1, fail2ban_tmp_t)
- ')
-diff --git a/fail2ban.te b/fail2ban.te
-index 2a69e5e..5dccf2c 100644
---- a/fail2ban.te
-+++ b/fail2ban.te
-@@ -23,12 +23,19 @@ files_type(fail2ban_var_lib_t)
- type fail2ban_var_run_t;
- files_pid_file(fail2ban_var_run_t)
++ admin_pattern($1, dovecot_auth_tmp_t)
++ admin_pattern($1, dovecot_tmp_t)
++
++ admin_pattern($1, dovecot_keytab_t)
+
+ files_list_spool($1)
+ admin_pattern($1, dovecot_spool_t)
+
+- files_search_tmp($1)
+- admin_pattern($1, { dovecot_tmp_t dovecot_auth_tmp_t dovecot_deliver_tmp_t })
+-
+ files_list_var_lib($1)
+ admin_pattern($1, dovecot_var_lib_t)
-+type fail2ban_tmp_t;
-+files_tmp_file(fail2ban_tmp_t)
++ logging_search_logs($1)
++ admin_pattern($1, dovecot_var_log_t)
+
-+type fail2ban_client_t;
-+type fail2ban_client_exec_t;
-+init_daemon_domain(fail2ban_client_t, fail2ban_client_exec_t)
+ files_list_pids($1)
+ admin_pattern($1, dovecot_var_run_t)
+
+- admin_pattern($1, { dovecot_cert_t dovecot_passwd_t })
++ admin_pattern($1, dovecot_cert_t)
+
++ admin_pattern($1, dovecot_passwd_t)
+ ')
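Review bot: `dovecot_admin` drops `dovecot_deliver_tmp_t` from both its `gen_require` block and the `admin_pattern` calls, although that type still exists and is managed by `dovecot_deliver_t` further down in dovecot.te, so administrators lose the ability to clean up deliver's temporary files. Restore `type dovecot_deliver_tmp_t;` in the require block and `admin_pattern($1, dovecot_deliver_tmp_t)` beside the other tmp types. Separately, `dovecot_keytab_t` is now required unconditionally here while on the .te side it can only come from the `kerberos_keytab_template` call inside an `optional_policy` block; if that block is not compiled in, every caller of `dovecot_admin` will fail on the missing type, so the keytab require and `admin_pattern($1, dovecot_keytab_t)` should sit in their own `optional_policy(` wrapper.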
+diff --git a/dovecot.te b/dovecot.te
+index a7bfaf0..6344853 100644
+--- a/dovecot.te
++++ b/dovecot.te
+@@ -1,4 +1,4 @@
+-policy_module(dovecot, 1.15.6)
++policy_module(dovecot, 1.14.0)
+
########################################
#
--# fail2ban local policy
-+# fail2ban server local policy
+@@ -7,12 +7,10 @@ policy_module(dovecot, 1.15.6)
+
+ attribute dovecot_domain;
+
+-type dovecot_t, dovecot_domain;
+-type dovecot_exec_t;
++dovecot_basic_types_template(dovecot)
+ init_daemon_domain(dovecot_t, dovecot_exec_t)
+
+-type dovecot_auth_t, dovecot_domain;
+-type dovecot_auth_exec_t;
++dovecot_basic_types_template(dovecot_auth)
+ domain_type(dovecot_auth_t)
+ domain_entry_file(dovecot_auth_t, dovecot_auth_exec_t)
+ role system_r types dovecot_auth_t;
+@@ -23,8 +21,7 @@ files_tmp_file(dovecot_auth_tmp_t)
+ type dovecot_cert_t;
+ miscfiles_cert_type(dovecot_cert_t)
+
+-type dovecot_deliver_t, dovecot_domain;
+-type dovecot_deliver_exec_t;
++dovecot_basic_types_template(dovecot_deliver)
+ domain_type(dovecot_deliver_t)
+ domain_entry_file(dovecot_deliver_t, dovecot_deliver_exec_t)
+ role system_r types dovecot_deliver_t;
+@@ -42,11 +39,12 @@ type dovecot_passwd_t;
+ files_type(dovecot_passwd_t)
+
+ type dovecot_spool_t;
+-files_type(dovecot_spool_t)
++files_spool_file(dovecot_spool_t)
+
+ type dovecot_tmp_t;
+ files_tmp_file(dovecot_tmp_t)
+
++# /var/lib/dovecot holds SSL parameters file
+ type dovecot_var_lib_t;
+ files_type(dovecot_var_lib_t)
+
+@@ -56,20 +54,17 @@ logging_log_file(dovecot_var_log_t)
+ type dovecot_var_run_t;
+ files_pid_file(dovecot_var_run_t)
+
+-########################################
++#######################################
+ #
+-# Common local policy
++# dovecot domain local policy
#
--allow fail2ban_t self:capability { sys_tty_config };
-+allow fail2ban_t self:capability { dac_read_search dac_override sys_tty_config };
- allow fail2ban_t self:process signal;
- allow fail2ban_t self:fifo_file rw_fifo_file_perms;
- allow fail2ban_t self:unix_stream_socket { connectto create_stream_socket_perms };
-@@ -36,7 +43,7 @@ allow fail2ban_t self:unix_dgram_socket create_socket_perms;
- allow fail2ban_t self:tcp_socket create_stream_socket_perms;
+ allow dovecot_domain self:capability2 block_suspend;
+-allow dovecot_domain self:fifo_file rw_fifo_file_perms;
- # log files
--allow fail2ban_t fail2ban_log_t:dir setattr;
-+allow fail2ban_t fail2ban_log_t:dir setattr_dir_perms;
- manage_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
- logging_log_filetrans(fail2ban_t, fail2ban_log_t, file)
+-allow dovecot_domain dovecot_etc_t:dir list_dir_perms;
+-allow dovecot_domain dovecot_etc_t:file read_file_perms;
+-allow dovecot_domain dovecot_etc_t:lnk_file read_lnk_file_perms;
++allow dovecot_domain self:unix_dgram_socket create_socket_perms;
++allow dovecot_domain self:fifo_file rw_fifo_file_perms;
-@@ -50,12 +57,16 @@ manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
- manage_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
- files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, { dir file sock_file })
+ kernel_read_all_sysctls(dovecot_domain)
+-kernel_read_system_state(dovecot_domain)
-+manage_dirs_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t)
-+manage_files_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t)
-+exec_files_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t)
-+files_tmp_filetrans(fail2ban_t, fail2ban_tmp_t, { dir file })
+ corecmd_exec_bin(dovecot_domain)
+ corecmd_exec_shell(dovecot_domain)
+@@ -78,37 +73,46 @@ dev_read_sysfs(dovecot_domain)
+ dev_read_rand(dovecot_domain)
+ dev_read_urand(dovecot_domain)
+
++# Dovecot now has quota support and it uses getmntent() to find the mountpoints.
+ files_read_etc_runtime_files(dovecot_domain)
+
+-logging_send_syslog_msg(dovecot_domain)
+-
+-miscfiles_read_localization(dovecot_domain)
+-
+ ########################################
+ #
+-# Local policy
++# dovecot local policy
+ #
+
+-allow dovecot_t self:capability { dac_override dac_read_search chown fsetid kill setgid setuid sys_chroot };
++allow dovecot_t self:capability { dac_override dac_read_search chown fsetid kill net_bind_service setgid setuid sys_chroot };
+ dontaudit dovecot_t self:capability sys_tty_config;
+ allow dovecot_t self:process { setrlimit signal_perms getcap setcap setsched };
+-allow dovecot_t self:tcp_socket { accept listen };
+-allow dovecot_t self:unix_stream_socket { accept connectto listen };
++allow dovecot_t self:tcp_socket create_stream_socket_perms;
++allow dovecot_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
- kernel_read_system_state(fail2ban_t)
++domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)
++
++allow dovecot_t dovecot_auth_t:process signal;
- corecmd_exec_bin(fail2ban_t)
- corecmd_exec_shell(fail2ban_t)
+ allow dovecot_t dovecot_cert_t:dir list_dir_perms;
+-allow dovecot_t dovecot_cert_t:file read_file_perms;
+-allow dovecot_t dovecot_cert_t:lnk_file read_lnk_file_perms;
++read_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
++read_lnk_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
++
++allow dovecot_t dovecot_etc_t:dir list_dir_perms;
++read_files_pattern(dovecot_t, dovecot_etc_t, dovecot_etc_t)
++read_lnk_files_pattern(dovecot_t, dovecot_etc_t, dovecot_etc_t)
++files_search_etc(dovecot_t)
++
++can_exec(dovecot_t, dovecot_exec_t)
--corenet_all_recvfrom_unlabeled(fail2ban_t)
- corenet_all_recvfrom_netlabel(fail2ban_t)
- corenet_tcp_sendrecv_generic_if(fail2ban_t)
- corenet_tcp_sendrecv_generic_node(fail2ban_t)
-@@ -66,8 +77,8 @@ corenet_sendrecv_whois_client_packets(fail2ban_t)
- dev_read_urand(fail2ban_t)
+ manage_dirs_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
+ manage_files_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
+ files_tmp_filetrans(dovecot_t, dovecot_tmp_t, { file dir })
+
++# Allow dovecot to create and read SSL parameters file
+ manage_files_pattern(dovecot_t, dovecot_var_lib_t, dovecot_var_lib_t)
++files_search_var_lib(dovecot_t)
++files_read_var_symlinks(dovecot_t)
+
+ manage_dirs_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
+-append_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
+-create_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
+-setattr_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
++manage_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
+ logging_log_filetrans(dovecot_t, dovecot_var_log_t, { file dir })
+
+ manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
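Review bot: the log rules for `dovecot_t` widen from `append_files_pattern`/`create_files_pattern`/`setattr_files_pattern` to `manage_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)`, which adds write, unlink and rename on `dovecot_var_log_t` files; a compromised IMAP/POP process can then truncate or delete its own logs, which the append-only set prevented. Unless in-daemon log rotation genuinely needs unlink/rename, keep the three narrower patterns, and if it does, justify it in a comment above the line, `# dovecot rotates its own logs: needs rename/unlink on dovecot_var_log_t`.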
+@@ -122,43 +126,33 @@ manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
+ manage_fifo_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
+ files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file fifo_file })
+
+-can_exec(dovecot_t, dovecot_exec_t)
+-
+-allow dovecot_t dovecot_auth_t:process signal;
+-
+-domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)
+-
+-corenet_all_recvfrom_unlabeled(dovecot_t)
+ corenet_all_recvfrom_netlabel(dovecot_t)
+ corenet_tcp_sendrecv_generic_if(dovecot_t)
+ corenet_tcp_sendrecv_generic_node(dovecot_t)
+ corenet_tcp_sendrecv_all_ports(dovecot_t)
+ corenet_tcp_bind_generic_node(dovecot_t)
+-
+-corenet_sendrecv_mail_server_packets(dovecot_t)
+ corenet_tcp_bind_mail_port(dovecot_t)
+-corenet_sendrecv_pop_server_packets(dovecot_t)
+ corenet_tcp_bind_pop_port(dovecot_t)
+-corenet_sendrecv_sieve_server_packets(dovecot_t)
++corenet_tcp_bind_lmtp_port(dovecot_t)
+ corenet_tcp_bind_sieve_port(dovecot_t)
+-
+-corenet_sendrecv_all_client_packets(dovecot_t)
+ corenet_tcp_connect_all_ports(dovecot_t)
+ corenet_tcp_connect_postgresql_port(dovecot_t)
++corenet_sendrecv_pop_server_packets(dovecot_t)
++corenet_sendrecv_all_client_packets(dovecot_t)
++
++fs_getattr_all_fs(dovecot_t)
++fs_getattr_all_dirs(dovecot_t)
++fs_search_auto_mountpoints(dovecot_t)
++fs_list_inotifyfs(dovecot_t)
+
+ domain_use_interactive_fds(dovecot_t)
+
+-files_read_var_lib_files(dovecot_t)
+-files_read_var_symlinks(dovecot_t)
+ files_search_spool(dovecot_t)
++files_search_tmp(dovecot_t)
+ files_dontaudit_list_default(dovecot_t)
+ files_dontaudit_search_all_dirs(dovecot_t)
+ files_search_all_mountpoints(dovecot_t)
+-
+-fs_getattr_all_fs(dovecot_t)
+-fs_getattr_all_dirs(dovecot_t)
+-fs_search_auto_mountpoints(dovecot_t)
+-fs_list_inotifyfs(dovecot_t)
++files_read_var_lib_files(dovecot_t)
+
+ init_getattr_utmp(dovecot_t)
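Review bot: `corenet_sendrecv_mail_server_packets` and `corenet_sendrecv_sieve_server_packets` are removed while the matching `corenet_tcp_bind_mail_port`/`corenet_tcp_bind_sieve_port` stay and `corenet_tcp_bind_lmtp_port` is added, leaving only `corenet_sendrecv_pop_server_packets` for a daemon that also serves IMAP, sieve and LMTP. On a host that labels packets with SECMARK, traffic on those ports would be denied even though the bind succeeds; if packet rules are still separate from bind rules in this tree (the corenet interfaces are not in view, so this is inferred), re-add `corenet_sendrecv_mail_server_packets(dovecot_t)` and `corenet_sendrecv_sieve_server_packets(dovecot_t)`, plus the lmtp equivalent if one exists.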
- domain_use_interactive_fds(fail2ban_t)
-+domain_dontaudit_read_all_domains_state(fail2ban_t)
+@@ -166,36 +160,29 @@ auth_use_nsswitch(dovecot_t)
+
+ miscfiles_read_generic_certs(dovecot_t)
+
+-userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
+-userdom_use_user_terminals(dovecot_t)
+-
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_dirs(dovecot_t)
+- fs_manage_nfs_files(dovecot_t)
+- fs_manage_nfs_symlinks(dovecot_t)
+-')
++logging_send_syslog_msg(dovecot_t)
+
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(dovecot_t)
+- fs_manage_cifs_files(dovecot_t)
+- fs_manage_cifs_symlinks(dovecot_t)
+-')
++userdom_home_manager(dovecot_t)
++userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
++userdom_manage_user_home_content_dirs(dovecot_t)
++userdom_manage_user_home_content_files(dovecot_t)
++userdom_manage_user_home_content_symlinks(dovecot_t)
++userdom_manage_user_home_content_pipes(dovecot_t)
++userdom_manage_user_home_content_sockets(dovecot_t)
++userdom_user_home_dir_filetrans_user_home_content(dovecot_t, { dir file lnk_file fifo_file sock_file })
--files_read_etc_files(fail2ban_t)
- files_read_etc_runtime_files(fail2ban_t)
- files_read_usr_files(fail2ban_t)
- files_list_var(fail2ban_t)
-@@ -81,10 +92,11 @@ auth_use_nsswitch(fail2ban_t)
- logging_read_all_logs(fail2ban_t)
- logging_send_syslog_msg(fail2ban_t)
+ optional_policy(`
+- kerberos_keytab_template(dovecot, dovecot_t)
+- kerberos_manage_host_rcache(dovecot_t)
+- kerberos_tmp_filetrans_host_rcache(dovecot_t, file, "imap_0")
++ mta_manage_home_rw(dovecot_t)
++ mta_manage_spool(dovecot_t)
+ ')
--miscfiles_read_localization(fail2ban_t)
--
- mta_send_mail(fail2ban_t)
+ optional_policy(`
+- mta_manage_spool(dovecot_t)
+- mta_manage_mail_home_rw_content(dovecot_t)
+- mta_home_filetrans_mail_home_rw(dovecot_t, dir, "Maildir")
+- mta_home_filetrans_mail_home_rw(dovecot_t, dir, ".maildir")
++ kerberos_keytab_template(dovecot_t, dovecot_t)
++ kerberos_tmp_filetrans_host_rcache(dovecot_t, "imap_0")
+ ')
-+sysnet_manage_config(fail2ban_t)
-+sysnet_filetrans_named_content(fail2ban_t)
-+
optional_policy(`
- apache_read_log(fail2ban_t)
+- postgresql_stream_connect(dovecot_t)
++ gnome_manage_data(dovecot_t)
')
-@@ -94,5 +106,43 @@ optional_policy(`
+
+ optional_policy(`
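Review bot: the tunable-gated NFS/CIFS home-directory rules are replaced by unconditional `userdom_home_manager(dovecot_t)` plus `userdom_manage_user_home_content_{dirs,files,symlinks,pipes,sockets}` and a filetrans into user home directories, which lets the network-facing `dovecot_t` create, modify and delete any `user_home_t` content (shell rc files included) on every account, far beyond the `mail_home_rw_t` that the new `mta_manage_home_rw(dovecot_t)` already covers. Keep the mail-specific rules and put the generic home-content management behind a boolean or restrict it to the mail home types; the same block is applied again to `dovecot_deliver_t` in the deliver section further down. Also, `kerberos_keytab_template(dovecot_t, dovecot_t)` passes the full domain name as the prefix where the removed line passed `dovecot`; if the template still derives the keytab type as `$1_keytab_t`, this yields `dovecot_t_keytab_t` rather than the `dovecot_keytab_t` that `dovecot_admin` requires, so it should read `kerberos_keytab_template(dovecot, dovecot_t)`.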
+@@ -204,6 +191,11 @@ optional_policy(`
')
optional_policy(`
-+ gnome_dontaudit_search_config(fail2ban_t)
++ postgresql_stream_connect(dovecot_t)
+')
+
+optional_policy(`
- iptables_domtrans(fail2ban_t)
++ # Handle sieve scripts
+ sendmail_domtrans(dovecot_t)
')
-+
-+optional_policy(`
-+ libs_exec_ldconfig(fail2ban_t)
-+')
-+
-+optional_policy(`
-+ shorewall_domtrans(fail2ban_t)
-+')
-+
-+########################################
-+#
-+# fail2ban client local policy
-+#
-+
-+domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t)
-+
-+stream_connect_pattern(fail2ban_client_t, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t)
-+
-+kernel_read_system_state(fail2ban_client_t)
-+
-+# python
-+corecmd_exec_bin(fail2ban_client_t)
-+
-+# nsswitch.conf, passwd
-+files_read_usr_files(fail2ban_client_t)
-+files_search_pids(fail2ban_client_t)
-+
-+auth_read_passwd(fail2ban_client_t)
-+
-+
-+optional_policy(`
-+ gnome_dontaudit_search_config(fail2ban_client_t)
-+')
-+
-diff --git a/fcoemon.fc b/fcoemon.fc
-new file mode 100644
-index 0000000..83279fb
---- /dev/null
-+++ b/fcoemon.fc
-@@ -0,0 +1,5 @@
-+
-+/usr/sbin/fcoemon -- gen_context(system_u:object_r:fcoemon_exec_t,s0)
-+
-+/var/run/fcm(/.*)? gen_context(system_u:object_r:fcoemon_var_run_t,s0)
-+/var/run/fcoemon\.pid -- gen_context(system_u:object_r:fcoemon_var_run_t,s0)
-diff --git a/fcoemon.if b/fcoemon.if
-new file mode 100644
-index 0000000..33508c1
---- /dev/null
-+++ b/fcoemon.if
-@@ -0,0 +1,88 @@
-+
-+## <summary>policy for fcoemon</summary>
-+
-+########################################
-+## <summary>
-+## Transition to fcoemon.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed to transition.
-+## </summary>
-+## </param>
-+#
-+interface(`fcoemon_domtrans',`
-+ gen_require(`
-+ type fcoemon_t, fcoemon_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, fcoemon_exec_t, fcoemon_t)
-+')
-+
-+
-+########################################
-+## <summary>
-+## Read fcoemon PID files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`fcoemon_read_pid_files',`
-+ gen_require(`
-+ type fcoemon_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ allow $1 fcoemon_var_run_t:file read_file_perms;
-+')
-+
-+#######################################
-+## <summary>
-+## Send to a fcoemon unix dgram socket.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`fcoemon_dgram_send',`
-+ gen_require(`
-+ type fcoemon_t;
-+ ')
-+
-+ allow $1 fcoemon_t:unix_dgram_socket sendto;
-+')
-+
-+########################################
-+## <summary>
-+## All of the rules required to administrate
-+## an fcoemon environment
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`fcoemon_admin',`
-+ gen_require(`
-+ type fcoemon_t;
-+ type fcoemon_var_run_t;
-+ ')
-+
-+ allow $1 fcoemon_t:process signal_perms;
-+ ps_process_pattern($1, fcoemon_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 fcoemon_t:process ptrace;
-+ ')
-+
-+ files_search_pids($1)
-+ admin_pattern($1, fcoemon_var_run_t)
-+
-+')
-+
-diff --git a/fcoemon.te b/fcoemon.te
-new file mode 100644
-index 0000000..724ca0d
---- /dev/null
-+++ b/fcoemon.te
-@@ -0,0 +1,44 @@
-+policy_module(fcoemon, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type fcoemon_t;
-+type fcoemon_exec_t;
-+init_daemon_domain(fcoemon_t, fcoemon_exec_t)
-+
-+type fcoemon_var_run_t;
-+files_pid_file(fcoemon_var_run_t)
-+
-+########################################
-+#
-+# fcoemon local policy
-+#
-+
-+# dac_override
-+# /var/rnn/fcm/fcm_clif socket is owned by root
-+allow fcoemon_t self:capability { net_admin dac_override };
-+allow fcoemon_t self:capability { kill };
-+
-+allow fcoemon_t self:fifo_file rw_fifo_file_perms;
-+allow fcoemon_t self:unix_stream_socket create_stream_socket_perms;
-+allow fcoemon_t self:netlink_socket create_socket_perms;
-+allow fcoemon_t self:netlink_route_socket create_netlink_socket_perms;
-+
-+manage_dirs_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t)
-+manage_files_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t)
-+manage_sock_files_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t)
-+files_pid_filetrans(fcoemon_t, fcoemon_var_run_t, { dir file sock_file })
-+
-+files_read_etc_files(fcoemon_t)
-+
-+dev_read_sysfs(fcoemon_t)
-+
-+logging_send_syslog_msg(fcoemon_t)
-+
-+optional_policy(`
-+ lldpad_dgram_send(fcoemon_t)
-+')
-+
-diff --git a/fetchmail.fc b/fetchmail.fc
-index 39928d5..6c24c84 100644
---- a/fetchmail.fc
-+++ b/fetchmail.fc
-@@ -1,3 +1,9 @@
-+#
-+# /HOME
-+#
-+HOME_DIR/\.fetchmailrc -- gen_context(system_u:object_r:fetchmail_home_t, s0)
-+/root/\.fetchmailrc -- gen_context(system_u:object_r:fetchmail_home_t, s0)
-+
+@@ -221,46 +213,58 @@ optional_policy(`
+
+ ########################################
#
- # /etc
-@@ -14,6 +20,7 @@
- #
- # /var
+-# Auth local policy
++# dovecot auth local policy
#
-+/var/log/fetchmail.* gen_context(system_u:object_r:fetchmail_log_t,s0)
- /var/lib/fetchmail(/.*)? gen_context(system_u:object_r:fetchmail_uidl_cache_t,s0)
- /var/mail/\.fetchmail-UIDL-cache -- gen_context(system_u:object_r:fetchmail_uidl_cache_t,s0)
- /var/run/fetchmail/.* -- gen_context(system_u:object_r:fetchmail_var_run_t,s0)
-diff --git a/fetchmail.if b/fetchmail.if
-index 6537214..406d62b 100644
---- a/fetchmail.if
-+++ b/fetchmail.if
-@@ -15,14 +15,20 @@
- interface(`fetchmail_admin',`
- gen_require(`
- type fetchmail_t, fetchmail_etc_t, fetchmail_uidl_cache_t;
-- type fetchmail_var_run_t;
-+ type fetchmail_var_run_t, fetchmail_log_t;
- ')
-+ allow $1 fetchmail_t:process signal_perms;
- ps_process_pattern($1, fetchmail_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 fetchmail_t:process ptrace;
-+ ')
+ allow dovecot_auth_t self:capability { chown dac_override ipc_lock setgid setuid sys_nice };
+ allow dovecot_auth_t self:process { getsched setsched signal_perms getcap setcap };
+-allow dovecot_auth_t self:unix_stream_socket { accept connectto listen };
++allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
++
++allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms };
- files_list_etc($1)
- admin_pattern($1, fetchmail_etc_t)
+ read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t)
-+ admin_pattern($1, fetchmail_log_t)
++read_files_pattern(dovecot_auth_t, dovecot_etc_t, dovecot_etc_t)
++read_lnk_files_pattern(dovecot_auth_t, dovecot_etc_t, dovecot_etc_t)
+
- admin_pattern($1, fetchmail_uidl_cache_t)
+ manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
+ manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
+ files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
- files_list_pids($1)
-diff --git a/fetchmail.te b/fetchmail.te
-index ac6626e..656f329 100644
---- a/fetchmail.te
-+++ b/fetchmail.te
-@@ -10,6 +10,12 @@ type fetchmail_exec_t;
- init_daemon_domain(fetchmail_t, fetchmail_exec_t)
- application_executable_file(fetchmail_exec_t)
+ allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms;
+ manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
++dovecot_stream_connect_auth(dovecot_auth_t)
-+type fetchmail_home_t;
-+userdom_user_home_content(fetchmail_home_t)
+-allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms };
++logging_send_audit_msgs(dovecot_auth_t)
+
-+type fetchmail_log_t;
-+logging_log_file(fetchmail_log_t)
++auth_domtrans_chk_passwd(dovecot_auth_t)
++auth_use_nsswitch(dovecot_auth_t)
+
- type fetchmail_var_run_t;
- files_pid_file(fetchmail_var_run_t)
-
-@@ -37,10 +43,19 @@ allow fetchmail_t fetchmail_etc_t:file read_file_perms;
- allow fetchmail_t fetchmail_uidl_cache_t:file manage_file_perms;
- mta_spool_filetrans(fetchmail_t, fetchmail_uidl_cache_t, file)
++logging_send_syslog_msg(dovecot_auth_t)
-+manage_dirs_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t)
-+manage_files_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t)
-+logging_log_filetrans(fetchmail_t, fetchmail_log_t, { dir file })
-+
- manage_dirs_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t)
- manage_files_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t)
- files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, { dir file })
+ files_search_pids(dovecot_auth_t)
+ files_read_usr_files(dovecot_auth_t)
++files_read_usr_symlinks(dovecot_auth_t)
+ files_read_var_lib_files(dovecot_auth_t)
++files_search_tmp(dovecot_auth_t)
-+list_dirs_pattern(fetchmail_t, fetchmail_home_t, fetchmail_home_t)
-+read_files_pattern(fetchmail_t, fetchmail_home_t, fetchmail_home_t)
-+userdom_search_user_home_dirs(fetchmail_t)
-+userdom_search_admin_dir(fetchmail_t)
-+
- kernel_read_kernel_sysctls(fetchmail_t)
- kernel_list_proc(fetchmail_t)
- kernel_getattr_proc_files(fetchmail_t)
-@@ -51,7 +66,6 @@ kernel_dontaudit_read_system_state(fetchmail_t)
- corecmd_exec_bin(fetchmail_t)
- corecmd_exec_shell(fetchmail_t)
+-auth_domtrans_chk_passwd(dovecot_auth_t)
+-auth_use_nsswitch(dovecot_auth_t)
++fs_getattr_xattr_fs(dovecot_auth_t)
--corenet_all_recvfrom_unlabeled(fetchmail_t)
- corenet_all_recvfrom_netlabel(fetchmail_t)
- corenet_tcp_sendrecv_generic_if(fetchmail_t)
- corenet_udp_sendrecv_generic_if(fetchmail_t)
-@@ -77,9 +91,10 @@ fs_search_auto_mountpoints(fetchmail_t)
+ init_rw_utmp(dovecot_auth_t)
- domain_use_interactive_fds(fetchmail_t)
+-logging_send_audit_msgs(dovecot_auth_t)
+-
+-seutil_dontaudit_search_config(dovecot_auth_t)
+-
+ sysnet_use_ldap(dovecot_auth_t)
-+auth_read_passwd(fetchmail_t)
+ optional_policy(`
++ kerberos_use(dovecot_auth_t)
+
- logging_send_syslog_msg(fetchmail_t)
-
--miscfiles_read_localization(fetchmail_t)
- miscfiles_read_generic_certs(fetchmail_t)
++ # for gssapi (kerberos)
+ userdom_list_user_tmp(dovecot_auth_t)
+ userdom_read_user_tmp_files(dovecot_auth_t)
+ userdom_read_user_tmp_symlinks(dovecot_auth_t)
+ ')
- sysnet_read_config(fetchmail_t)
-@@ -88,6 +103,10 @@ userdom_dontaudit_use_unpriv_user_fds(fetchmail_t)
- userdom_dontaudit_search_user_home_dirs(fetchmail_t)
+ optional_policy(`
++ mysql_search_db(dovecot_auth_t)
+ mysql_stream_connect(dovecot_auth_t)
+ mysql_read_config(dovecot_auth_t)
+ mysql_tcp_connect(dovecot_auth_t)
+@@ -272,14 +276,21 @@ optional_policy(`
optional_policy(`
-+ kerberos_use(fetchmail_t)
-+')
-+
-+optional_policy(`
- procmail_domtrans(fetchmail_t)
+ postfix_manage_private_sockets(dovecot_auth_t)
++ postfix_rw_inherited_master_pipes(dovecot_deliver_t)
+ postfix_search_spool(dovecot_auth_t)
')
-diff --git a/finger.te b/finger.te
-index 9b7036a..864b94a 100644
---- a/finger.te
-+++ b/finger.te
-@@ -46,7 +46,6 @@ logging_log_filetrans(fingerd_t, fingerd_log_t, file)
- kernel_read_kernel_sysctls(fingerd_t)
- kernel_read_system_state(fingerd_t)
+ ########################################
+ #
+-# Deliver local policy
++# dovecot deliver local policy
+ #
--corenet_all_recvfrom_unlabeled(fingerd_t)
- corenet_all_recvfrom_netlabel(fingerd_t)
- corenet_tcp_sendrecv_generic_if(fingerd_t)
- corenet_udp_sendrecv_generic_if(fingerd_t)
-@@ -66,6 +65,7 @@ term_getattr_all_ttys(fingerd_t)
- term_getattr_all_ptys(fingerd_t)
++allow dovecot_deliver_t dovecot_t:process signull;
++
++allow dovecot_deliver_t dovecot_etc_t:dir list_dir_perms;
++read_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t)
++read_lnk_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t)
++
+ allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms;
- auth_read_lastlog(fingerd_t)
-+auth_use_nsswitch(fingerd_t)
+ append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)
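Review bot: `postfix_rw_inherited_master_pipes(dovecot_deliver_t)` is inserted into the postfix `optional_policy` block of the dovecot auth local policy, between two `dovecot_auth_t` rules, so a deliver-domain rule now lives under the auth heading and is easy to miss when auditing what `dovecot_deliver_t` may do. Move it into its own `optional_policy(` postfix block in the deliver section that begins just below, or add a one-line comment explaining why it is kept here.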
+@@ -289,31 +300,34 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t
+ files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir })
- corecmd_exec_bin(fingerd_t)
- corecmd_exec_shell(fingerd_t)
-@@ -73,7 +73,6 @@ corecmd_exec_shell(fingerd_t)
- domain_use_interactive_fds(fingerd_t)
+ allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
+-allow dovecot_deliver_t dovecot_var_run_t:file read_file_perms;
+-allow dovecot_deliver_t dovecot_var_run_t:sock_file read_sock_file_perms;
+-
+-stream_connect_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t, { dovecot_t dovecot_auth_t })
++read_files_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t)
++read_sock_files_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t)
++dovecot_stream_connect(dovecot_deliver_t)
- files_search_home(fingerd_t)
--files_read_etc_files(fingerd_t)
- files_read_etc_runtime_files(fingerd_t)
+ can_exec(dovecot_deliver_t, dovecot_deliver_exec_t)
- init_read_utmp(fingerd_t)
-@@ -85,7 +84,6 @@ mta_getattr_spool(fingerd_t)
+-allow dovecot_deliver_t dovecot_t:process signull;
++auth_use_nsswitch(dovecot_deliver_t)
- sysnet_read_config(fingerd_t)
+-fs_getattr_all_fs(dovecot_deliver_t)
++logging_append_all_logs(dovecot_deliver_t)
++logging_send_syslog_msg(dovecot_deliver_t)
--miscfiles_read_localization(fingerd_t)
+-auth_use_nsswitch(dovecot_deliver_t)
++dovecot_stream_connect_auth(dovecot_deliver_t)
- # stop it accessing sub-directories, prevents checking a Maildir for new mail,
- # have to change this when we create a type for Maildir
-diff --git a/firewalld.fc b/firewalld.fc
-new file mode 100644
-index 0000000..f440549
---- /dev/null
-+++ b/firewalld.fc
-@@ -0,0 +1,13 @@
-+
-+/etc/rc\.d/init\.d/firewalld -- gen_context(system_u:object_r:firewalld_initrc_exec_t,s0)
-+
-+/etc/firewalld(/.*)? gen_context(system_u:object_r:firewalld_etc_rw_t,s0)
-+
-+/usr/lib/systemd/system/firewalld.* -- gen_context(system_u:object_r:firewalld_unit_file_t,s0)
-+
-+/usr/sbin/firewalld -- gen_context(system_u:object_r:firewalld_exec_t,s0)
-+
-+/var/log/firewalld -- gen_context(system_u:object_r:firewalld_var_log_t,s0)
+-logging_search_logs(dovecot_deliver_t)
++files_search_tmp(dovecot_deliver_t)
+
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_dirs(dovecot_deliver_t)
+- fs_manage_nfs_files(dovecot_deliver_t)
+- fs_manage_nfs_symlinks(dovecot_deliver_t)
+-')
++fs_getattr_all_fs(dovecot_deliver_t)
+
-+/var/run/firewalld(/.*)? gen_context(system_u:object_r:firewalld_var_run_t,s0)
-+/var/run/firewalld\.pid -- gen_context(system_u:object_r:firewalld_var_run_t,s0)
-diff --git a/firewalld.if b/firewalld.if
-new file mode 100644
-index 0000000..c4c7510
---- /dev/null
-+++ b/firewalld.if
-@@ -0,0 +1,130 @@
-+## <summary>policy for firewalld</summary>
++userdom_manage_user_home_content_dirs(dovecot_deliver_t)
++userdom_manage_user_home_content_files(dovecot_deliver_t)
++userdom_manage_user_home_content_symlinks(dovecot_deliver_t)
++userdom_manage_user_home_content_pipes(dovecot_deliver_t)
++userdom_manage_user_home_content_sockets(dovecot_deliver_t)
++userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })
+
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(dovecot_deliver_t)
+- fs_manage_cifs_files(dovecot_deliver_t)
+- fs_manage_cifs_symlinks(dovecot_deliver_t)
++userdom_home_manager(dovecot_deliver_t)
+
-+########################################
-+## <summary>
-+## Execute a domain transition to run firewalld.
++optional_policy(`
++ gnome_manage_data(dovecot_deliver_t)
+ ')
+
+ optional_policy(`
+@@ -326,5 +340,6 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ # Handle sieve scripts
+ sendmail_domtrans(dovecot_deliver_t)
+ ')
+diff --git a/drbd.if b/drbd.if
+index 9a21639..a09fb52 100644
+--- a/drbd.if
++++ b/drbd.if
+@@ -2,12 +2,11 @@
+
+ ########################################
+ ## <summary>
+-## Execute a domain transition to
+-## run drbd.
++## Execute a domain transition to run drbd.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed to transition.
++## Domain allowed access.
+ ## </summary>
+ ## </param>
+ #
+@@ -16,26 +15,97 @@ interface(`drbd_domtrans',`
+ type drbd_t, drbd_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+ domtrans_pattern($1, drbd_exec_t, drbd_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## All of the rules required to
+-## administrate an drbd environment.
++## Search drbd lib directories.
+## </summary>
+## <param name="domain">
-+## <summary>
++## <summary>
+## Domain allowed access.
-+## </summary>
++## </summary>
+## </param>
+#
-+interface(`firewalld_domtrans',`
++interface(`drbd_search_lib',`
+ gen_require(`
-+ type firewalld_t, firewalld_exec_t;
++ type drbd_var_lib_t;
+ ')
+
-+ domtrans_pattern($1, firewalld_exec_t, firewalld_t)
++ allow $1 drbd_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
+')
+
-+
+########################################
+## <summary>
-+## Execute firewalld server in the firewalld domain.
++## Read drbd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
-+## The type of the process performing this action.
++## Domain allowed access.
+## </summary>
+## </param>
+#
-+interface(`firewalld_initrc_domtrans',`
++interface(`drbd_read_lib_files',`
+ gen_require(`
-+ type firewalld_initrc_exec_t;
++ type drbd_var_lib_t;
+ ')
+
-+ init_labeled_script_domtrans($1, firewalld_initrc_exec_t)
++ files_search_var_lib($1)
++ read_files_pattern($1, drbd_var_lib_t, drbd_var_lib_t)
+')
+
+########################################
+## <summary>
-+## Execute firewalld server in the firewalld domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed to transition.
-+## </summary>
-+## </param>
++## Create, read, write, and delete
++## drbd lib files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <param name="role">
+#
-+interface(`firewalld_systemctl',`
++interface(`drbd_manage_lib_files',`
+ gen_require(`
-+ type firewalld_t;
-+ type firewalld_unit_file_t;
++ type drbd_var_lib_t;
+ ')
+
-+ systemd_exec_systemctl($1)
-+ allow $1 firewalld_unit_file_t:file read_file_perms;
-+ allow $1 firewalld_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, firewalld_t)
++ files_search_var_lib($1)
++ manage_files_pattern($1, drbd_var_lib_t, drbd_var_lib_t)
+')
+
+########################################
+## <summary>
-+## Send and receive messages from
-+## firewalld over dbus.
++## Manage drbd lib dirs files.
+## </summary>
+## <param name="domain">
-+## <summary>
+ ## <summary>
+-## Role allowed access.
+## Domain allowed access.
+## </summary>
+## </param>
+#
-+interface(`firewalld_dbus_chat',`
++interface(`drbd_manage_lib_dirs',`
+ gen_require(`
-+ type firewalld_t;
-+ class dbus send_msg;
++ type drbd_var_lib_t;
+ ')
+
-+ allow $1 firewalld_t:dbus send_msg;
-+ allow firewalld_t $1:dbus send_msg;
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, drbd_var_lib_t, drbd_var_lib_t)
+')
+
++
+########################################
+## <summary>
+## All of the rules required to administrate
-+## an firewalld environment
++## an drbd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <param name="role">
-+## <summary>
-+## Role allowed access.
-+## </summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`firewalld_admin',`
-+ gen_require(`
-+ type firewalld_t, firewalld_initrc_exec_t;
-+ type firewall_etc_rw_t, firewalld_var_run_t;
-+ type firewalld_var_log_t;
-+ ')
-+
-+ allow $1 firewalld_t:process signal_perms;
-+ ps_process_pattern($1, firewalld_t)
+ ## </summary>
+ ## </param>
+-## <rolecap/>
+ #
+ interface(`drbd_admin',`
+ gen_require(`
+@@ -43,9 +113,13 @@ interface(`drbd_admin',`
+ type drbd_var_lib_t;
+ ')
+
+- allow $1 drbd_t:process { ptrace signal_perms };
++ allow $1 drbd_t:process signal_perms;
+ ps_process_pattern($1, drbd_t)
+
+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 firewalld_t:process ptrace;
++ allow $1 drbd_t:process ptrace;
+ ')
+
-+ firewalld_initrc_domtrans($1)
-+ domain_system_change_exemption($1)
-+ role_transition $2 firewalld_initrc_exec_t system_r;
-+ allow $2 system_r;
-+
-+ files_search_pids($1)
-+ admin_pattern($1, firewalld_var_run_t)
-+
-+ logging_search_logs($1)
-+ admin_pattern($1, firewalld_var_log_t)
-+
-+ admin_pattern($1, firewall_etc_rw_t)
-+
-+ admin_pattern($1, firewalld_unit_file_t)
-+ firewalld_systemctl($1)
-+ allow $1 firewalld_unit_file_t:service all_service_perms;
-+')
-diff --git a/firewalld.te b/firewalld.te
-new file mode 100644
-index 0000000..90c8ee3
---- /dev/null
-+++ b/firewalld.te
-@@ -0,0 +1,95 @@
-+
-+policy_module(firewalld,1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type firewalld_t;
-+type firewalld_exec_t;
-+init_daemon_domain(firewalld_t, firewalld_exec_t)
+ init_labeled_script_domtrans($1, drbd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 drbd_initrc_exec_t system_r;
+@@ -57,3 +131,4 @@ interface(`drbd_admin',`
+ files_search_var_lib($1)
+ admin_pattern($1, drbd_var_lib_t)
+ ')
+
-+type firewalld_initrc_exec_t;
-+init_script_file(firewalld_initrc_exec_t)
+diff --git a/drbd.te b/drbd.te
+index 8e5ee54..6e11edb 100644
+--- a/drbd.te
++++ b/drbd.te
+@@ -28,7 +28,7 @@ dontaudit drbd_t self:capability sys_tty_config;
+ allow drbd_t self:fifo_file rw_fifo_file_perms;
+ allow drbd_t self:unix_stream_socket create_stream_socket_perms;
+ allow drbd_t self:netlink_socket create_socket_perms;
+-allow drbd_t self:netlink_route_socket nlmsg_write;
++allow drbd_t self:netlink_route_socket rw_netlink_socket_perms;
+
+ manage_dirs_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t)
+ manage_files_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t)
+@@ -46,10 +46,6 @@ dev_read_rand(drbd_t)
+ dev_read_sysfs(drbd_t)
+ dev_read_urand(drbd_t)
+
+-files_read_etc_files(drbd_t)
+-
+ storage_raw_read_fixed_disk(drbd_t)
+
+-miscfiles_read_localization(drbd_t)
+-
+ sysnet_dns_name_resolve(drbd_t)
+diff --git a/dspam.fc b/dspam.fc
+index 5eddac5..c08c8f6 100644
+--- a/dspam.fc
++++ b/dspam.fc
+@@ -5,8 +5,13 @@
+ /usr/share/dspam-web/dspam\.cgi -- gen_context(system_u:object_r:httpd_dspam_script_exec_t,s0)
+
+ /var/lib/dspam(/.*)? gen_context(system_u:object_r:dspam_var_lib_t,s0)
+-/var/lib/dspam/data(/.*)? gen_context(system_u:object_r:httpd_dspam_rw_content_t,s0)
+
+ /var/log/dspam(/.*)? gen_context(system_u:object_r:dspam_log_t,s0)
+
+ /var/run/dspam(/.*)? gen_context(system_u:object_r:dspam_var_run_t,s0)
+
-+type firewalld_etc_rw_t;
-+files_config_file(firewalld_etc_rw_t)
++# web
++/var/www/dspam/.*\.cgi -- gen_context(system_u:object_r:httpd_dspam_script_exec_t,s0)
++/var/www/dspam(/.*?) gen_context(system_u:object_r:httpd_dspam_content_t,s0)
+
-+type firewalld_var_log_t;
-+logging_log_file(firewalld_var_log_t)
++/var/lib/dspam/data(/.*)? gen_context(system_u:object_r:httpd_dspam_content_rw_t,s0)
+diff --git a/dspam.if b/dspam.if
+index 18f2452..a446210 100644
+--- a/dspam.if
++++ b/dspam.if
+@@ -1,13 +1,15 @@
+-## <summary>Content-based spam filter designed for multi-user enterprise systems.</summary>
+
-+type firewalld_var_run_t;
-+files_pid_file(firewalld_var_run_t)
++## <summary>policy for dspam</summary>
+
-+type firewalld_unit_file_t;
-+systemd_unit_file(firewalld_unit_file_t)
+
+ ########################################
+ ## <summary>
+ ## Execute a domain transition to run dspam.
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
++## <summary>
+ ## Domain allowed access.
+-## </summary>
++## </summary>
+ ## </param>
+ #
+ interface(`dspam_domtrans',`
+@@ -15,35 +17,211 @@ interface(`dspam_domtrans',`
+ type dspam_t, dspam_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+ domtrans_pattern($1, dspam_exec_t, dspam_t)
+ ')
+
+-#######################################
+
+########################################
+ ## <summary>
+-## Connect to dspam using a unix
+-## domain stream socket.
++## Execute dspam server in the dspam domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## The type of the process performing this action.
++## </summary>
++## </param>
+#
-+# firewalld local policy
-+#
-+dontaudit firewalld_t self:capability sys_tty_config;
-+allow firewalld_t self:fifo_file rw_fifo_file_perms;
-+allow firewalld_t self:unix_stream_socket create_stream_socket_perms;
-+
-+manage_dirs_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
-+manage_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
-+
-+append_files_pattern(firewalld_t, firewalld_var_log_t, firewalld_var_log_t)
-+create_files_pattern(firewalld_t, firewalld_var_log_t, firewalld_var_log_t)
-+read_files_pattern(firewalld_t, firewalld_var_log_t, firewalld_var_log_t)
-+setattr_files_pattern(firewalld_t, firewalld_var_log_t, firewalld_var_log_t)
-+logging_log_filetrans(firewalld_t, firewalld_var_log_t, file)
-+
-+# should be fixed to cooperate with systemd to create /var/run/firewalld directory
-+manage_files_pattern(firewalld_t, firewalld_var_run_t, firewalld_var_run_t)
-+files_pid_filetrans(firewalld_t, firewalld_var_run_t, file)
-+can_exec(firewalld_t, firewalld_var_run_t)
-+
-+kernel_read_network_state(firewalld_t)
-+kernel_read_system_state(firewalld_t)
-+
-+corecmd_exec_bin(firewalld_t)
-+corecmd_exec_shell(firewalld_t)
-+
-+dev_read_urand(firewalld_t)
-+
-+domain_use_interactive_fds(firewalld_t)
-+
-+files_read_etc_files(firewalld_t)
-+files_read_usr_files(firewalld_t)
-+
-+fs_getattr_xattr_fs(firewalld_t)
-+
-+auth_use_nsswitch(firewalld_t)
-+
-+logging_send_syslog_msg(firewalld_t)
-+
-+sysnet_dns_name_resolve(firewalld_t)
-+
-+sysnet_read_config(firewalld_t)
-+
-+optional_policy(`
-+ dbus_system_domain(firewalld_t, firewalld_exec_t)
-+
-+ optional_policy(`
-+ devicekit_dbus_chat_power(firewalld_t)
-+ ')
-+
-+ optional_policy(`
-+ policykit_dbus_chat(firewalld_t)
-+ ')
++interface(`dspam_initrc_domtrans',`
++ gen_require(`
++ type dspam_initrc_exec_t;
++ ')
+
-+ optional_policy(`
-+ networkmanager_dbus_chat(firewalld_t)
-+ ')
++ init_labeled_script_domtrans($1, dspam_initrc_exec_t)
+')
+
-+optional_policy(`
-+ iptables_domtrans(firewalld_t)
-+')
++########################################
++## <summary>
++## Allow the specified domain to read dspam's log files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
++## <rolecap/>
+ #
+-interface(`dspam_stream_connect',`
++interface(`dspam_read_log',`
++ gen_require(`
++ type dspam_log_t;
++ ')
+
-+optional_policy(`
-+ modutils_domtrans_insmod(firewalld_t)
++ logging_search_logs($1)
++ read_files_pattern($1, dspam_log_t, dspam_log_t)
+')
-diff --git a/firewallgui.fc b/firewallgui.fc
-new file mode 100644
-index 0000000..ce498b3
---- /dev/null
-+++ b/firewallgui.fc
-@@ -0,0 +1,3 @@
-+
-+/usr/share/system-config-firewall/system-config-firewall-mechanism.py -- gen_context(system_u:object_r:firewallgui_exec_t,s0)
+
-diff --git a/firewallgui.if b/firewallgui.if
-new file mode 100644
-index 0000000..2bd5790
---- /dev/null
-+++ b/firewallgui.if
-@@ -0,0 +1,41 @@
++########################################
++## <summary>
++## Allow the specified domain to append
++## dspam log files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`dspam_append_log',`
++ gen_require(`
++ type dspam_log_t;
++ ')
+
-+## <summary>policy for firewallgui</summary>
++ logging_search_logs($1)
++ append_files_pattern($1, dspam_log_t, dspam_log_t)
++')
+
+########################################
+## <summary>
-+## Send and receive messages from
-+## firewallgui over dbus.
++## Allow domain to manage dspam log files
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain allowed access.
++## Domain to not audit.
+## </summary>
+## </param>
+#
-+interface(`firewallgui_dbus_chat',`
++interface(`dspam_manage_log',`
+ gen_require(`
-+ type firewallgui_t;
-+ class dbus send_msg;
++ type dspam_log_t;
+ ')
+
-+ allow $1 firewallgui_t:dbus send_msg;
-+ allow firewallgui_t $1:dbus send_msg;
++ logging_search_logs($1)
++ manage_dirs_pattern($1, dspam_log_t, dspam_log_t)
++ manage_files_pattern($1, dspam_log_t, dspam_log_t)
++ manage_lnk_files_pattern($1, dspam_log_t, dspam_log_t)
+')
+
+########################################
+## <summary>
-+## Read and write firewallgui unnamed pipes.
++## Search dspam lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain to not audit.
++## Domain allowed access.
+## </summary>
+## </param>
+#
-+interface(`firewallgui_dontaudit_rw_pipes',`
++interface(`dspam_search_lib',`
+ gen_require(`
-+ type firewallgui_t;
++ type dspam_var_lib_t;
+ ')
+
-+ dontaudit $1 firewallgui_t:fifo_file rw_inherited_fifo_file_perms;
++ allow $1 dspam_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
+')
-diff --git a/firewallgui.te b/firewallgui.te
-new file mode 100644
-index 0000000..6bd855e
---- /dev/null
-+++ b/firewallgui.te
-@@ -0,0 +1,73 @@
-+policy_module(firewallgui,1.0.0)
+
+########################################
++## <summary>
++## Read dspam lib files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
+#
-+# Declarations
-+#
-+
-+type firewallgui_t;
-+type firewallgui_exec_t;
-+dbus_system_domain(firewallgui_t, firewallgui_exec_t)
-+init_daemon_domain(firewallgui_t, firewallgui_exec_t)
++interface(`dspam_read_lib_files',`
++ gen_require(`
++ type dspam_var_lib_t;
++ ')
+
-+type firewallgui_tmp_t;
-+files_tmp_file(firewallgui_tmp_t)
++ files_search_var_lib($1)
++ read_files_pattern($1, dspam_var_lib_t, dspam_var_lib_t)
++')
+
+########################################
++## <summary>
++## Create, read, write, and delete
++## dspam lib files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
+#
-+# firewallgui local policy
-+#
-+
-+allow firewallgui_t self:capability { net_admin sys_rawio } ;
-+allow firewallgui_t self:fifo_file rw_fifo_file_perms;
-+
-+manage_files_pattern(firewallgui_t,firewallgui_tmp_t,firewallgui_tmp_t)
-+manage_dirs_pattern(firewallgui_t,firewallgui_tmp_t,firewallgui_tmp_t)
-+files_tmp_filetrans(firewallgui_t,firewallgui_tmp_t, { file dir })
-+
-+kernel_read_system_state(firewallgui_t)
-+kernel_read_network_state(firewallgui_t)
-+kernel_rw_net_sysctls(firewallgui_t)
-+kernel_rw_kernel_sysctl(firewallgui_t)
-+kernel_rw_vm_sysctls(firewallgui_t)
-+
-+corecmd_exec_shell(firewallgui_t)
-+corecmd_exec_bin(firewallgui_t)
-+
-+dev_read_urand(firewallgui_t)
-+dev_read_sysfs(firewallgui_t)
-+
-+files_manage_system_conf_files(firewallgui_t)
-+files_etc_filetrans_system_conf(firewallgui_t)
-+files_read_usr_files(firewallgui_t)
-+files_search_kernel_modules(firewallgui_t)
-+files_list_kernel_modules(firewallgui_t)
-+
-+auth_use_nsswitch(firewallgui_t)
-+
-+
-+seutil_read_config(firewallgui_t)
-+
-+userdom_dontaudit_search_user_home_dirs(firewallgui_t)
++interface(`dspam_manage_lib_files',`
++ gen_require(`
++ type dspam_var_lib_t;
++ ')
+
-+optional_policy(`
-+ consoletype_exec(firewallgui_t)
++ files_search_var_lib($1)
++ manage_files_pattern($1, dspam_var_lib_t, dspam_var_lib_t)
+')
+
-+optional_policy(`
-+ gnome_read_gconf_home_files(firewallgui_t)
-+')
++########################################
++## <summary>
++## Manage dspam lib dirs files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dspam_manage_lib_dirs',`
+ gen_require(`
+- type dspam_t, dspam_var_run_t, dspam_tmp_t;
++ type dspam_var_lib_t;
++ ')
+
-+optional_policy(`
-+ iptables_domtrans(firewallgui_t)
-+ iptables_initrc_domtrans(firewallgui_t)
-+ iptables_systemctl(firewallgui_t)
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, dspam_var_lib_t, dspam_var_lib_t)
+')
+
-+optional_policy(`
-+ modutils_getattr_module_deps(firewallgui_t)
-+')
+
-+optional_policy(`
-+ policykit_dbus_chat(firewallgui_t)
-+')
-diff --git a/firstboot.if b/firstboot.if
-index 8fa451c..f3a67c9 100644
---- a/firstboot.if
-+++ b/firstboot.if
-@@ -85,6 +85,25 @@ interface(`firstboot_dontaudit_use_fds',`
-
- ########################################
- ## <summary>
-+## dontaudit read and write an leaked file descriptors
++########################################
++## <summary>
++## Read dspam PID files.
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain to not audit.
++## Domain allowed access.
+## </summary>
+## </param>
+#
-+interface(`firstboot_dontaudit_leaks',`
++interface(`dspam_read_pid_files',`
+ gen_require(`
-+ type firstboot_t;
-+ ')
-+
-+ dontaudit $1 firstboot_t:socket_class_set { read write };
-+ dontaudit $1 firstboot_t:fifo_file rw_inherited_fifo_file_perms;
++ type dspam_var_run_t;
+ ')
+
+ files_search_pids($1)
++ allow $1 dspam_var_run_t:file read_file_perms;
+')
+
-+########################################
++#######################################
+## <summary>
- ## Write to a firstboot unnamed pipe.
++## Connect to DSPAM using a unix domain stream socket.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dspam_stream_connect',`
++ gen_require(`
++ type dspam_t, dspam_var_run_t, dspam_tmp_t;
++ ')
++
++ files_search_pids($1)
+ files_search_tmp($1)
+- stream_connect_pattern($1, { dspam_tmp_t dspam_var_run_t }, { dspam_tmp_t dspam_var_run_t }, dspam_t)
++ stream_connect_pattern($1, dspam_var_run_t, dspam_var_run_t, dspam_t)
++ stream_connect_pattern($1, dspam_tmp_t, dspam_tmp_t, dspam_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## All of the rules required to
+-## administrate an dspam environment.
++## All of the rules required to administrate
++## an dspam environment
## </summary>
## <param name="domain">
-@@ -98,6 +117,7 @@ interface(`firstboot_write_pipes',`
- type firstboot_t;
+ ## <summary>
+@@ -59,14 +237,20 @@ interface(`dspam_stream_connect',`
+ #
+ interface(`dspam_admin',`
+ gen_require(`
+- type dspam_t, dspam_initrc_exec_t, dspam_log_t;
+- type dspam_var_lib_t, dspam_var_run_t;
++ type dspam_t;
++ type dspam_initrc_exec_t;
++ type dspam_log_t;
++ type dspam_var_lib_t;
++ type dspam_var_run_t;
')
-+ allow $1 firstboot_t:fd use;
- allow $1 firstboot_t:fifo_file write;
- ')
-
-diff --git a/firstboot.te b/firstboot.te
-index c4d8998..0647c46 100644
---- a/firstboot.te
-+++ b/firstboot.te
-@@ -1,7 +1,7 @@
- policy_module(firstboot, 1.12.0)
-
- gen_require(`
-- class passwd rootok;
-+ class passwd { passwd chfn chsh rootok crontab };
- ')
-
- ########################################
-@@ -29,14 +29,16 @@ allow firstboot_t self:process setfscreate;
- allow firstboot_t self:fifo_file rw_fifo_file_perms;
- allow firstboot_t self:tcp_socket create_stream_socket_perms;
- allow firstboot_t self:unix_stream_socket { connect create };
--allow firstboot_t self:passwd rootok;
-+allow firstboot_t self:passwd { rootok passwd chfn chsh };
+- allow $1 dspam_t:process { ptrace signal_perms };
++ allow $1 dspam_t:process signal_perms;
+ ps_process_pattern($1, dspam_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 dspam_t:process ptrace;
++ ')
- allow firstboot_t firstboot_etc_t:file read_file_perms;
+- init_labeled_script_domtrans($1, dspam_initrc_exec_t)
++ dspam_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 dspam_initrc_exec_t system_r;
+ allow $2 system_r;
+@@ -79,4 +263,5 @@ interface(`dspam_admin',`
-+files_manage_generic_tmp_dirs(firstboot_t)
-+files_manage_generic_tmp_files(firstboot_t)
+ files_search_pids($1)
+ admin_pattern($1, dspam_var_run_t)
+
- kernel_read_system_state(firstboot_t)
- kernel_read_kernel_sysctls(firstboot_t)
-
--corenet_all_recvfrom_unlabeled(firstboot_t)
- corenet_all_recvfrom_netlabel(firstboot_t)
- corenet_tcp_sendrecv_generic_if(firstboot_t)
- corenet_tcp_sendrecv_generic_node(firstboot_t)
-@@ -62,6 +64,8 @@ files_read_usr_files(firstboot_t)
- files_manage_var_dirs(firstboot_t)
- files_manage_var_files(firstboot_t)
- files_manage_var_symlinks(firstboot_t)
-+files_create_boot_flag(firstboot_t)
-+files_delete_boot_flag(firstboot_t)
-
- init_domtrans_script(firstboot_t)
- init_rw_utmp(firstboot_t)
-@@ -73,14 +77,10 @@ locallogin_use_fds(firstboot_t)
-
- logging_send_syslog_msg(firstboot_t)
-
--miscfiles_read_localization(firstboot_t)
-+sysnet_dns_name_resolve(firstboot_t)
-
--modutils_domtrans_insmod(firstboot_t)
--modutils_domtrans_depmod(firstboot_t)
--modutils_read_module_config(firstboot_t)
--modutils_read_module_deps(firstboot_t)
-+userdom_use_inherited_user_terminals(firstboot_t)
-
--userdom_use_user_terminals(firstboot_t)
- # Add/remove user home directories
- userdom_manage_user_home_content_dirs(firstboot_t)
- userdom_manage_user_home_content_files(firstboot_t)
-@@ -91,10 +91,6 @@ userdom_home_filetrans_user_home_dir(firstboot_t)
- userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file })
+ ')
+diff --git a/dspam.te b/dspam.te
+index 266cb8f..dbbe097 100644
+--- a/dspam.te
++++ b/dspam.te
+@@ -64,14 +64,33 @@ auth_use_nsswitch(dspam_t)
- optional_policy(`
-- consoletype_domtrans(firstboot_t)
--')
--
--optional_policy(`
- dbus_system_bus_client(firstboot_t)
+ logging_send_syslog_msg(dspam_t)
- optional_policy(`
-@@ -103,7 +99,10 @@ optional_policy(`
- ')
+-miscfiles_read_localization(dspam_t)
optional_policy(`
-- nis_use_ypbind(firstboot_t)
-+ modutils_domtrans_insmod(firstboot_t)
-+ modutils_domtrans_depmod(firstboot_t)
-+ modutils_read_module_config(firstboot_t)
-+ modutils_read_module_deps(firstboot_t)
- ')
+ apache_content_template(dspam)
- optional_policy(`
-@@ -113,18 +112,11 @@ optional_policy(`
- optional_policy(`
- unconfined_domtrans(firstboot_t)
- # The big hammer
-- unconfined_domain(firstboot_t)
--')
--
--optional_policy(`
-- usermanage_domtrans_chfn(firstboot_t)
-- usermanage_domtrans_groupadd(firstboot_t)
-- usermanage_domtrans_passwd(firstboot_t)
-- usermanage_domtrans_useradd(firstboot_t)
-- usermanage_domtrans_admin_passwd(firstboot_t)
-+ unconfined_domain_noaudit(firstboot_t)
++ read_files_pattern(httpd_dspam_script_t, dspam_var_lib_t, dspam_var_lib_t)
++
++ files_search_var_lib(httpd_dspam_script_t)
+ list_dirs_pattern(dspam_t, httpd_dspam_content_t, httpd_dspam_content_t)
+- manage_dirs_pattern(dspam_t, httpd_dspam_rw_content_t, httpd_dspam_rw_content_t)
+- manage_files_pattern(dspam_t, httpd_dspam_rw_content_t, httpd_dspam_rw_content_t)
++ manage_dirs_pattern(dspam_t, httpd_dspam_content_rw_t, httpd_dspam_content_rw_t)
++ manage_files_pattern(dspam_t, httpd_dspam_content_rw_t, httpd_dspam_content_rw_t)
++
++ domain_dontaudit_read_all_domains_state(httpd_dspam_script_t)
++
++ term_dontaudit_search_ptys(httpd_dspam_script_t)
++ term_dontaudit_getattr_all_ttys(httpd_dspam_script_t)
++ term_dontaudit_getattr_all_ptys(httpd_dspam_script_t)
++
++ init_read_utmp(httpd_dspam_script_t)
++
++ logging_send_syslog_msg(httpd_dspam_script_t)
++
++ mta_send_mail(httpd_dspam_script_t)
++
++ optional_policy(`
++ mysql_tcp_connect(httpd_dspam_script_t)
++ mysql_stream_connect(httpd_dspam_script_t)
++ ')
')
optional_policy(`
-+ gnome_admin_home_gconf_filetrans(firstboot_t, dir)
- gnome_manage_config(firstboot_t)
- ')
+diff --git a/entropyd.te b/entropyd.te
+index a0da189..d8bc9d5 100644
+--- a/entropyd.te
++++ b/entropyd.te
+@@ -45,9 +45,6 @@ dev_write_urand(entropyd_t)
+ dev_read_rand(entropyd_t)
+ dev_write_rand(entropyd_t)
-@@ -132,4 +124,5 @@ optional_policy(`
- xserver_domtrans(firstboot_t)
- xserver_rw_shm(firstboot_t)
- xserver_unconfined(firstboot_t)
-+ xserver_stream_connect(firstboot_t)
- ')
-diff --git a/fprintd.if b/fprintd.if
-index ebad8c4..640293e 100644
---- a/fprintd.if
-+++ b/fprintd.if
-@@ -38,4 +38,3 @@ interface(`fprintd_dbus_chat',`
- allow $1 fprintd_t:dbus send_msg;
- allow fprintd_t $1:dbus send_msg;
- ')
+-files_read_etc_files(entropyd_t)
+-files_read_usr_files(entropyd_t)
-
-diff --git a/fprintd.te b/fprintd.te
-index 7df52c7..46499bd 100644
---- a/fprintd.te
-+++ b/fprintd.te
-@@ -7,7 +7,7 @@ policy_module(fprintd, 1.1.0)
-
- type fprintd_t;
- type fprintd_exec_t;
--dbus_system_domain(fprintd_t, fprintd_exec_t)
-+init_daemon_domain(fprintd_t, fprintd_exec_t)
-
- type fprintd_var_lib_t;
- files_type(fprintd_var_lib_t)
-@@ -17,9 +17,10 @@ files_type(fprintd_var_lib_t)
- # Local policy
- #
-
--allow fprintd_t self:capability sys_ptrace;
-+allow fprintd_t self:capability sys_nice;
-+
- allow fprintd_t self:fifo_file rw_fifo_file_perms;
--allow fprintd_t self:process { getsched signal };
-+allow fprintd_t self:process { getsched setsched signal sigkill };
-
- manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
- manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
-@@ -33,14 +34,12 @@ dev_list_usbfs(fprintd_t)
- dev_rw_generic_usb_dev(fprintd_t)
- dev_read_sysfs(fprintd_t)
-
--files_read_etc_files(fprintd_t)
- files_read_usr_files(fprintd_t)
-
- fs_getattr_all_fs(fprintd_t)
+ fs_getattr_all_fs(entropyd_t)
+ fs_search_auto_mountpoints(entropyd_t)
- auth_use_nsswitch(fprintd_t)
+@@ -55,7 +52,7 @@ domain_use_interactive_fds(entropyd_t)
--miscfiles_read_localization(fprintd_t)
+ logging_send_syslog_msg(entropyd_t)
- userdom_use_user_ptys(fprintd_t)
- userdom_read_all_users_state(fprintd_t)
-@@ -50,8 +49,17 @@ optional_policy(`
- ')
+-miscfiles_read_localization(entropyd_t)
++auth_use_nsswitch(entropyd_t)
- optional_policy(`
-+ dbus_system_domain(fprintd_t, fprintd_exec_t)
-+')
-+
-+optional_policy(`
- policykit_read_reload(fprintd_t)
- policykit_read_lib(fprintd_t)
- policykit_dbus_chat(fprintd_t)
- policykit_domtrans_auth(fprintd_t)
-+ policykit_dbus_chat_auth(fprintd_t)
-+')
-+
-+optional_policy(`
-+ xserver_read_state_xdm(fprintd_t)
- ')
-diff --git a/ftp.fc b/ftp.fc
-index 69dcd2a..4d97da7 100644
---- a/ftp.fc
-+++ b/ftp.fc
-@@ -6,6 +6,9 @@
- /etc/rc\.d/init\.d/vsftpd -- gen_context(system_u:object_r:ftpd_initrc_exec_t,s0)
- /etc/rc\.d/init\.d/proftpd -- gen_context(system_u:object_r:ftpd_initrc_exec_t,s0)
+ userdom_dontaudit_use_unpriv_user_fds(entropyd_t)
+ userdom_dontaudit_search_user_home_dirs(entropyd_t)
+diff --git a/exim.if b/exim.if
+index 6041113..ef3b449 100644
+--- a/exim.if
++++ b/exim.if
+@@ -21,35 +21,51 @@ interface(`exim_domtrans',`
-+/usr/lib/systemd/system/vsftpd.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
-+/usr/lib/systemd/system/proftpd.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
-+
- #
- # /usr
+ ########################################
+ ## <summary>
+-## Execute exim in the exim domain,
+-## and allow the specified role
+-## the exim domain.
++## Execute the mailman program in the mailman domain.
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
+-## Domain allowed to transition.
+-## </summary>
++## <summary>
++## Domain allowed to transition.
++## </summary>
+ ## </param>
+ ## <param name="role">
+-## <summary>
+-## Role allowed access.
+-## </summary>
++## <summary>
++## The role to allow the mailman domain.
++## </summary>
+ ## </param>
+ ## <rolecap/>
#
-@@ -29,3 +32,4 @@
- /var/log/vsftpd.* -- gen_context(system_u:object_r:xferlog_t,s0)
- /var/log/xferlog.* -- gen_context(system_u:object_r:xferlog_t,s0)
- /var/log/xferreport.* -- gen_context(system_u:object_r:xferlog_t,s0)
-+/usr/libexec/webmin/vsftpd/webalizer/xfer_log -- gen_context(system_u:object_r:xferlog_t,s0)
-diff --git a/ftp.if b/ftp.if
-index 9d3201b..6e75e3d 100644
---- a/ftp.if
-+++ b/ftp.if
-@@ -1,5 +1,66 @@
- ## <summary>File transfer protocol service</summary>
-
-+######################################
-+## <summary>
-+## Execute a domain transition to run ftpd.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed to transition.
-+## </summary>
-+## </param>
-+#
-+interface(`ftp_domtrans',`
-+ gen_require(`
-+ type ftpd_t, ftpd_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1,ftpd_exec_t, ftpd_t)
-+
-+')
-+
-+#######################################
-+## <summary>
-+## Execute ftpd server in the ftpd domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## The type of the process performing this action.
-+## </summary>
-+## </param>
-+#
-+interface(`ftp_initrc_domtrans',`
-+ gen_require(`
-+ type ftpd_initrc_exec_t;
-+ ')
+ interface(`exim_run',`
++ gen_require(`
++ type exim_t;
++ ')
+
-+ init_labeled_script_domtrans($1, ftpd_initrc_exec_t)
++ exim_domtrans($1)
++ role $2 types exim_t;
+')
+
+########################################
+## <summary>
-+## Execute ftpd server in the ftpd domain.
++## Execute exim in the exim domain.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -21814,905 +20405,931 @@ index 9d3201b..6e75e3d 100644
+## </summary>
+## </param>
+#
-+interface(`ftp_systemctl',`
-+ gen_require(`
-+ type ftpd_unit_file_t;
-+ type ftpd_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 ftpd_unit_file_t:file read_file_perms;
-+ allow $1 ftpd_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, ftpd_t)
-+')
-+
- #######################################
- ## <summary>
- ## Allow domain dyntransition to sftpd_anon domain.
-@@ -174,10 +235,14 @@ interface(`ftp_admin',`
- type ftpd_etc_t, ftpd_lock_t;
- type ftpd_var_run_t, xferlog_t;
- type ftpd_initrc_exec_t;
-+ type ftpd_unit_file_t;
++interface(`exim_initrc_domtrans',`
+ gen_require(`
+- attribute_role exim_roles;
++ type exim_initrc_exec_t;
')
-- allow $1 ftpd_t:process { ptrace signal_perms };
-+ allow $1 ftpd_t:process signal_perms;
- ps_process_pattern($1, ftpd_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 ftpd_t:process ptrace;
-+ ')
-
- init_labeled_script_domtrans($1, ftpd_initrc_exec_t)
- domain_system_change_exemption($1)
-@@ -203,4 +268,8 @@ interface(`ftp_admin',`
-
- logging_list_logs($1)
- admin_pattern($1, xferlog_t)
-+
-+ ftp_systemctl($1)
-+ admin_pattern($1, ftpd_unit_file_t)
-+ allow $1 ftpd_unit_file_t:service all_service_perms;
+- exim_domtrans($1)
+- roleattribute $2 exim_roles;
++ init_labeled_script_domtrans($1, exim_initrc_exec_t)
')
-diff --git a/ftp.te b/ftp.te
-index 80026bb..30968b3 100644
---- a/ftp.te
-+++ b/ftp.te
-@@ -12,7 +12,7 @@ policy_module(ftp, 1.14.0)
- ## public_content_rw_t.
- ## </p>
- ## </desc>
--gen_tunable(allow_ftpd_anon_write, false)
-+gen_tunable(ftpd_anon_write, false)
-
- ## <desc>
- ## <p>
-@@ -20,7 +20,7 @@ gen_tunable(allow_ftpd_anon_write, false)
- ## read/write all files on the system, governed by DAC.
- ## </p>
- ## </desc>
--gen_tunable(allow_ftpd_full_access, false)
-+gen_tunable(ftpd_full_access, false)
- ## <desc>
- ## <p>
-@@ -28,7 +28,7 @@ gen_tunable(allow_ftpd_full_access, false)
- ## used for public file transfer services.
- ## </p>
- ## </desc>
--gen_tunable(allow_ftpd_use_cifs, false)
-+gen_tunable(ftpd_use_cifs, false)
+ ########################################
+ ## <summary>
+-## Do not audit attempts to read exim
+-## temporary tmp files.
++## Do not audit attempts to read,
++## exim tmp files
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -67,7 +83,7 @@ interface(`exim_dontaudit_read_tmp_files',`
- ## <desc>
- ## <p>
-@@ -36,7 +36,28 @@ gen_tunable(allow_ftpd_use_cifs, false)
- ## used for public file transfer services.
- ## </p>
- ## </desc>
--gen_tunable(allow_ftpd_use_nfs, false)
-+gen_tunable(ftpd_use_nfs, false)
-+
-+## <desc>
-+## <p>
-+## Allow ftp servers to connect to mysql database ports
-+## </p>
-+## </desc>
-+gen_tunable(ftpd_connect_db, false)
-+
-+## <desc>
-+## <p>
-+## Allow ftp servers to use bind to all unreserved ports for passive mode
-+## </p>
-+## </desc>
-+gen_tunable(ftpd_use_passive_mode, false)
-+
-+## <desc>
-+## <p>
-+## Allow ftp servers to connect to all ports > 1023
-+## </p>
-+## </desc>
-+gen_tunable(ftpd_connect_all_unreserved, false)
+ ########################################
+ ## <summary>
+-## Read exim temporary files.
++## Allow domain to read, exim tmp files
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -86,7 +102,7 @@ interface(`exim_read_tmp_files',`
- ## <desc>
- ## <p>
-@@ -70,6 +91,14 @@ gen_tunable(sftpd_enable_homedirs, false)
- ## </desc>
- gen_tunable(sftpd_full_access, false)
+ ########################################
+ ## <summary>
+-## Read exim pid files.
++## Read exim PID files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -105,7 +121,7 @@ interface(`exim_read_pid_files',`
-+## <desc>
-+## <p>
-+## Allow internal-sftp to read and write files
-+## in the user ssh home directories.
-+## </p>
-+## </desc>
-+gen_tunable(sftpd_write_ssh_home, false)
-+
- type anon_sftpd_t;
- typealias anon_sftpd_t alias sftpd_anon_t;
- domain_type(anon_sftpd_t)
-@@ -85,6 +114,9 @@ files_config_file(ftpd_etc_t)
- type ftpd_initrc_exec_t;
- init_script_file(ftpd_initrc_exec_t)
+ ########################################
+ ## <summary>
+-## Read exim log files.
++## Allow the specified domain to read exim's log files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -125,7 +141,8 @@ interface(`exim_read_log',`
-+type ftpd_unit_file_t;
-+systemd_unit_file(ftpd_unit_file_t)
-+
- type ftpd_lock_t;
- files_lock_file(ftpd_lock_t)
+ ########################################
+ ## <summary>
+-## Append exim log files.
++## Allow the specified domain to append
++## exim log files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -144,8 +161,7 @@ interface(`exim_append_log',`
-@@ -115,6 +147,10 @@ ifdef(`enable_mcs',`
- init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, s0 - mcs_systemhigh)
- ')
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete
+-## exim log files.
++## Allow the specified domain to manage exim's log files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -166,7 +182,7 @@ interface(`exim_manage_log',`
+ ########################################
+ ## <summary>
+ ## Create, read, write, and delete
+-## exim spool directories.
++## exim spool dirs.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -225,8 +241,8 @@ interface(`exim_manage_spool_files',`
-+ifdef(`enable_mls',`
-+ init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, mls_systemhigh)
-+')
-+
########################################
+ ## <summary>
+-## All of the rules required to
+-## administrate an exim environment.
++## All of the rules required to administrate
++## an exim environment.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -238,18 +254,21 @@ interface(`exim_manage_spool_files',`
+ ## Role allowed access.
+ ## </summary>
+ ## </param>
+-## <rolecap/>
#
- # anon-sftp local policy
-@@ -133,7 +169,7 @@ tunable_policy(`sftpd_anon_write',`
- # ftpd local policy
- #
+ interface(`exim_admin',`
+ gen_require(`
+- type exim_t, exim_spool_t, exim_log_t;
+- type exim_var_run_t, exim_initrc_exec_t, exim_tmp_t;
++ type exim_t, exim_initrc_exec_t, exim_log_t;
++ type exim_tmp_t, exim_spool_t, exim_var_run_t;
+ ')
--allow ftpd_t self:capability { chown fowner fsetid setgid setuid sys_chroot sys_nice sys_resource };
-+allow ftpd_t self:capability { chown fowner fsetid ipc_lock kill setgid setuid sys_chroot sys_admin sys_nice sys_resource };
- dontaudit ftpd_t self:capability sys_tty_config;
- allow ftpd_t self:process { getcap getpgid setcap setsched setrlimit signal_perms };
- allow ftpd_t self:fifo_file rw_fifo_file_perms;
-@@ -151,7 +187,6 @@ files_lock_filetrans(ftpd_t, ftpd_lock_t, file)
+- allow $1 exim_t:process { ptrace signal_perms };
++ allow $1 exim_t:process signal_perms;
+ ps_process_pattern($1, exim_t)
- manage_dirs_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
- manage_files_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
--files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir })
+- init_labeled_script_domtrans($1, exim_initrc_exec_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 exim_t:process ptrace;
++ ')
++
++ exim_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 exim_initrc_exec_t system_r;
+ allow $2 system_r;
+diff --git a/exim.te b/exim.te
+index 19325ce..c41cedc 100644
+--- a/exim.te
++++ b/exim.te
+@@ -49,7 +49,7 @@ type exim_log_t;
+ logging_log_file(exim_log_t)
- manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
- manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
-@@ -163,13 +198,13 @@ fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file
- manage_dirs_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
- manage_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
- manage_sock_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
--files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir} )
-+files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir })
-
- # proftpd requires the client side to bind a socket so that
- # it can stat the socket to perform access control decisions,
- # since getsockopt with SO_PEERCRED is not available on all
- # proftpd-supported OSs
--allow ftpd_t ftpdctl_tmp_t:sock_file { getattr unlink };
-+allow ftpd_t ftpdctl_tmp_t:sock_file delete_sock_file_perms;
-
- # Create and modify /var/log/xferlog.
- manage_files_pattern(ftpd_t, xferlog_t, xferlog_t)
-@@ -177,14 +212,13 @@ logging_log_filetrans(ftpd_t, xferlog_t, file)
+ type exim_spool_t;
+-files_type(exim_spool_t)
++files_spool_file(exim_spool_t)
- kernel_read_kernel_sysctls(ftpd_t)
- kernel_read_system_state(ftpd_t)
--kernel_search_network_state(ftpd_t)
-+kernel_read_network_state(ftpd_t)
+ type exim_tmp_t;
+ files_tmp_file(exim_tmp_t)
+@@ -90,11 +90,10 @@ can_exec(exim_t, exim_exec_t)
- dev_read_sysfs(ftpd_t)
- dev_read_urand(ftpd_t)
+ kernel_read_kernel_sysctls(exim_t)
+ kernel_read_network_state(exim_t)
+-kernel_dontaudit_read_system_state(exim_t)
++kernel_read_system_state(exim_t)
- corecmd_exec_bin(ftpd_t)
+ corecmd_search_bin(exim_t)
--corenet_all_recvfrom_unlabeled(ftpd_t)
- corenet_all_recvfrom_netlabel(ftpd_t)
- corenet_tcp_sendrecv_generic_if(ftpd_t)
- corenet_udp_sendrecv_generic_if(ftpd_t)
-@@ -196,9 +230,8 @@ corenet_tcp_bind_generic_node(ftpd_t)
- corenet_tcp_bind_ftp_port(ftpd_t)
- corenet_tcp_bind_ftp_data_port(ftpd_t)
- corenet_tcp_bind_generic_port(ftpd_t)
--corenet_tcp_bind_all_unreserved_ports(ftpd_t)
--corenet_dontaudit_tcp_bind_all_ports(ftpd_t)
--corenet_tcp_connect_all_ports(ftpd_t)
-+corenet_tcp_bind_all_ephemeral_ports(ftpd_t)
-+corenet_tcp_connect_all_ephemeral_ports(ftpd_t)
- corenet_sendrecv_ftp_server_packets(ftpd_t)
+-corenet_all_recvfrom_unlabeled(exim_t)
+ corenet_all_recvfrom_netlabel(exim_t)
+ corenet_tcp_sendrecv_generic_if(exim_t)
+ corenet_udp_sendrecv_generic_if(exim_t)
+@@ -138,7 +137,6 @@ auth_use_nsswitch(exim_t)
- domain_use_interactive_fds(ftpd_t)
-@@ -212,13 +245,11 @@ fs_search_auto_mountpoints(ftpd_t)
- fs_getattr_all_fs(ftpd_t)
- fs_search_fusefs(ftpd_t)
-
--auth_use_nsswitch(ftpd_t)
--auth_domtrans_chk_passwd(ftpd_t)
--# Append to /var/log/wtmp.
--auth_append_login_records(ftpd_t)
-+auth_use_pam(ftpd_t)
- #kerberized ftp requires the following
- auth_write_login_records(ftpd_t)
- auth_rw_faillog(ftpd_t)
-+auth_manage_var_auth(ftpd_t)
-
- init_rw_utmp(ftpd_t)
-
-@@ -226,42 +257,47 @@ logging_send_audit_msgs(ftpd_t)
- logging_send_syslog_msg(ftpd_t)
- logging_set_loginuid(ftpd_t)
+ logging_send_syslog_msg(exim_t)
--miscfiles_read_localization(ftpd_t)
- miscfiles_read_public_files(ftpd_t)
+-miscfiles_read_localization(exim_t)
+ miscfiles_read_generic_certs(exim_t)
--seutil_dontaudit_search_config(ftpd_t)
--
- sysnet_read_config(ftpd_t)
- sysnet_use_ldap(ftpd_t)
+ userdom_dontaudit_search_user_home_dirs(exim_t)
+@@ -154,9 +152,9 @@ tunable_policy(`exim_can_connect_db',`
+ corenet_sendrecv_mssql_client_packets(exim_t)
+ corenet_tcp_connect_mssql_port(exim_t)
+ corenet_tcp_sendrecv_mssql_port(exim_t)
+- corenet_sendrecv_oracledb_client_packets(exim_t)
+- corenet_tcp_connect_oracledb_port(exim_t)
+- corenet_tcp_sendrecv_oracledb_port(exim_t)
++ corenet_sendrecv_oracle_client_packets(exim_t)
++ corenet_tcp_connect_oracle_port(exim_t)
++ corenet_tcp_sendrecv_oracle_port(exim_t)
+ ')
- userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
- userdom_dontaudit_search_user_home_dirs(ftpd_t)
+ tunable_policy(`exim_read_user_files',`
+@@ -218,6 +216,7 @@ optional_policy(`
--tunable_policy(`allow_ftpd_anon_write',`
-+tunable_policy(`ftpd_anon_write',`
- miscfiles_manage_public_files(ftpd_t)
+ optional_policy(`
+ procmail_domtrans(exim_t)
++ procmail_read_home_files(exim_t)
')
--tunable_policy(`allow_ftpd_use_cifs',`
-+tunable_policy(`ftpd_use_cifs',`
- fs_read_cifs_files(ftpd_t)
- fs_read_cifs_symlinks(ftpd_t)
+ optional_policy(`
+diff --git a/fail2ban.if b/fail2ban.if
+index 50d0084..6565422 100644
+--- a/fail2ban.if
++++ b/fail2ban.if
+@@ -19,57 +19,57 @@ interface(`fail2ban_domtrans',`
+ domtrans_pattern($1, fail2ban_exec_t, fail2ban_t)
')
--tunable_policy(`allow_ftpd_use_cifs && allow_ftpd_anon_write',`
-+tunable_policy(`ftpd_use_cifs && ftpd_anon_write',`
- fs_manage_cifs_files(ftpd_t)
+-########################################
++#######################################
+ ## <summary>
+-## Execute the fail2ban client in
+-## the fail2ban client domain.
++## Execute the fail2ban client in
++## the fail2ban client domain.
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
+-## Domain allowed to transition.
+-## </summary>
++## <summary>
++## Domain allowed to transition.
++## </summary>
+ ## </param>
+ #
+ interface(`fail2ban_domtrans_client',`
+- gen_require(`
+- type fail2ban_client_t, fail2ban_client_exec_t;
+- ')
++ gen_require(`
++ type fail2ban_client_t, fail2ban_client_exec_t;
++ ')
+
+- corecmd_search_bin($1)
+- domtrans_pattern($1, fail2ban_client_exec_t, fail2ban_client_t)
++ corecmd_search_bin($1)
++ domtrans_pattern($1, fail2ban_client_exec_t, fail2ban_client_t)
')
--tunable_policy(`allow_ftpd_use_nfs',`
-+tunable_policy(`ftpd_use_nfs',`
- fs_read_nfs_files(ftpd_t)
- fs_read_nfs_symlinks(ftpd_t)
+-########################################
++#######################################
+ ## <summary>
+-## Execute fail2ban client in the
+-## fail2ban client domain, and allow
+-## the specified role the fail2ban
+-## client domain.
++## Execute fail2ban client in the
++## fail2ban client domain, and allow
++## the specified role the fail2ban
++## client domain.
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
+-## Domain allowed to transition.
+-## </summary>
++## <summary>
++## Domain allowed to transition.
++## </summary>
+ ## </param>
+ ## <param name="role">
+-## <summary>
+-## Role allowed access.
+-## </summary>
++## <summary>
++## Role allowed access.
++## </summary>
+ ## </param>
+ #
+ interface(`fail2ban_run_client',`
+- gen_require(`
+- attribute_role fail2ban_client_roles;
+- ')
++ gen_require(`
++ attribute_role fail2ban_client_roles;
++ ')
+
+- fail2ban_domtrans_client($1)
+- roleattribute $2 fail2ban_client_roles;
++ fail2ban_domtrans_client($1)
++ roleattribute $2 fail2ban_client_roles;
')
--tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
-+tunable_policy(`ftpd_use_nfs && ftpd_anon_write',`
- fs_manage_nfs_files(ftpd_t)
+ #####################################
+ ## <summary>
+-## Connect to fail2ban over a
+-## unix domain stream socket.
++## Connect to fail2ban over a unix domain
++## stream socket.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -102,51 +102,12 @@ interface(`fail2ban_rw_inherited_tmp_files',`
+ ')
+
+ files_search_tmp($1)
+- allow $1 fail2ban_tmp_t:file { read write };
+-')
+-
+-########################################
+-## <summary>
+-## Do not audit attempts to use
+-## fail2ban file descriptors.
+-## </summary>
+-## <param name="domain">
+-## <summary>
+-## Domain to not audit.
+-## </summary>
+-## </param>
+-#
+-interface(`fail2ban_dontaudit_use_fds',`
+- gen_require(`
+- type fail2ban_t;
+- ')
+-
+- dontaudit $1 fail2ban_t:fd use;
+-')
+-
+-########################################
+-## <summary>
+-## Do not audit attempts to read and
+-## write fail2ban unix stream sockets
+-## </summary>
+-## <param name="domain">
+-## <summary>
+-## Domain to not audit.
+-## </summary>
+-## </param>
+-#
+-interface(`fail2ban_dontaudit_rw_stream_sockets',`
+- gen_require(`
+- type fail2ban_t;
+- ')
+-
+- dontaudit $1 fail2ban_t:unix_stream_socket { read write };
++ allow $1 fail2ban_tmp_t:file rw_inherited_file_perms;
')
--tunable_policy(`allow_ftpd_full_access',`
-+tunable_policy(`ftpd_full_access',`
- allow ftpd_t self:capability { dac_override dac_read_search };
-- files_manage_non_auth_files(ftpd_t)
-+ files_manage_non_security_files(ftpd_t)
-+')
-+
-+tunable_policy(`ftpd_use_passive_mode',`
-+ corenet_tcp_bind_all_unreserved_ports(ftpd_t)
-+')
-+
-+tunable_policy(`ftpd_connect_all_unreserved',`
-+ corenet_tcp_connect_all_unreserved_ports(ftpd_t)
+ ########################################
+ ## <summary>
+-## Read and write fail2ban unix
+-## stream sockets.
++## Read and write to an fail2ba unix stream socket.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -178,12 +139,12 @@ interface(`fail2ban_read_lib_files',`
+ ')
+
+ files_search_var_lib($1)
+- allow $1 fail2ban_var_lib_t:file read_file_perms;
++ read_files_pattern($1, fail2ban_var_lib_t, fail2ban_var_lib_t)
')
- tunable_policy(`ftp_home_dir',`
-@@ -270,10 +306,13 @@ tunable_policy(`ftp_home_dir',`
- # allow access to /home
- files_list_home(ftpd_t)
- userdom_read_user_home_content_files(ftpd_t)
-- userdom_manage_user_home_content_dirs(ftpd_t)
-- userdom_manage_user_home_content_files(ftpd_t)
-- userdom_manage_user_home_content_symlinks(ftpd_t)
-- userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file lnk_file })
-+ userdom_manage_user_home_content(ftpd_t)
-+ userdom_manage_user_tmp_files(ftpd_t)
-+ userdom_tmp_filetrans_user_tmp(ftpd_t, file)
-+',`
-+ # Needed for permissive mode, to make sure everything gets labeled correctly
-+ userdom_user_home_dir_filetrans_pattern(ftpd_t, { dir file lnk_file })
-+ files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir })
+ ########################################
+ ## <summary>
+-## Read fail2ban log files.
++## Allow the specified domain to read fail2ban's log files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -198,12 +159,14 @@ interface(`fail2ban_read_log',`
+ ')
+
+ logging_search_logs($1)
++ allow $1 fail2ban_log_t:dir list_dir_perms;
+ allow $1 fail2ban_log_t:file read_file_perms;
')
- tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
-@@ -309,10 +348,35 @@ optional_policy(`
+ ########################################
+ ## <summary>
+-## Append fail2ban log files.
++## Allow the specified domain to append
++## fail2ban log files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -217,12 +180,13 @@ interface(`fail2ban_append_log',`
+ ')
+
+ logging_search_logs($1)
++ allow $1 fail2ban_log_t:dir list_dir_perms;
+ allow $1 fail2ban_log_t:file append_file_perms;
')
- optional_policy(`
-+ fail2ban_read_lib_files(ftpd_t)
-+')
-+
-+optional_policy(`
- selinux_validate_context(ftpd_t)
+ ########################################
+ ## <summary>
+-## Read fail2ban pid files.
++## Read fail2ban PID files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -241,8 +205,28 @@ interface(`fail2ban_read_pid_files',`
- kerberos_keytab_template(ftpd, ftpd_t)
-- kerberos_manage_host_rcache(ftpd_t)
-+ # this part of auth_use_pam
-+ #kerberos_manage_host_rcache(ftpd_t)
-+ kerberos_tmp_filetrans_host_rcache(ftpd_t, "host_0")
-+')
-+
-+optional_policy(`
-+ tunable_policy(`ftpd_connect_db',`
-+ mysql_stream_connect(ftpd_t)
+ ########################################
+ ## <summary>
+-## All of the rules required to
+-## administrate an fail2ban environment.
++## dontaudit read and write an leaked file descriptors
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`fail2ban_dontaudit_leaks',`
++ gen_require(`
++ type fail2ban_t;
+ ')
-+')
+
-+optional_policy(`
-+ tunable_policy(`ftpd_connect_db',`
-+ postgresql_stream_connect(ftpd_t)
-+ ')
++ dontaudit $1 fail2ban_t:tcp_socket { read write };
++ dontaudit $1 fail2ban_t:unix_dgram_socket { read write };
++ dontaudit $1 fail2ban_t:unix_stream_socket { read write };
+')
+
-+optional_policy(`
-+ tunable_policy(`ftpd_connect_db',`
-+ mysql_tcp_connect(ftpd_t)
-+ postgresql_tcp_connect(ftpd_t)
++########################################
++## <summary>
++## All of the rules required to administrate
++## an fail2ban environment
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -251,21 +235,25 @@ interface(`fail2ban_read_pid_files',`
+ ## </param>
+ ## <param name="role">
+ ## <summary>
+-## Role allowed access.
++## The role to be allowed to manage the fail2ban domain.
+ ## </summary>
+ ## </param>
+ ## <rolecap/>
+ #
+ interface(`fail2ban_admin',`
+ gen_require(`
+- type fail2ban_t, fail2ban_log_t, fail2ban_tmp_t;
+- type fail2ban_var_run_t, fail2ban_initrc_exec_t;
+- type fail2ban_var_lib_t, fail2ban_client_t;
++ type fail2ban_t, fail2ban_log_t, fail2ban_initrc_exec_t;
++ type fail2ban_var_run_t, fail2ban_var_lib_t, fail2ban_tmp_t;
++ type fail2ban_client_t;
+ ')
+
+- allow $1 { fail2ban_t fail2ban_client_t }:process { ptrace signal_perms };
++ allow $1 { fail2ban_t fail2ban_client_t }:process signal_perms;
+ ps_process_pattern($1, { fail2ban_t fail2ban_client_t })
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 { fail2ban_t fail2ban_client_t }:process ptrace;
+ ')
- ')
++
+ init_labeled_script_domtrans($1, fail2ban_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 fail2ban_initrc_exec_t system_r;
+@@ -277,10 +265,10 @@ interface(`fail2ban_admin',`
+ files_list_pids($1)
+ admin_pattern($1, fail2ban_var_run_t)
- optional_policy(`
-@@ -347,16 +411,17 @@ optional_policy(`
+- files_search_var_lib($1)
++ files_list_var_lib($1)
+ admin_pattern($1, fail2ban_var_lib_t)
- # Allow ftpdctl to talk to ftpd over a socket connection
- stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
-+files_search_pids(ftpdctl_t)
+- files_search_tmp($1)
++ files_list_tmp($1)
+ admin_pattern($1, fail2ban_tmp_t)
- # ftpdctl creates a socket so that the daemon can perform
- # access control decisions (see comments in ftpd_t rules above)
--allow ftpdctl_t ftpdctl_tmp_t:sock_file { create setattr };
-+allow ftpdctl_t ftpdctl_tmp_t:sock_file manage_sock_file_perms;
- files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file)
+ fail2ban_run_client($1, $2)
+diff --git a/fail2ban.te b/fail2ban.te
+index 0872e50..e985043 100644
+--- a/fail2ban.te
++++ b/fail2ban.te
+@@ -60,12 +60,16 @@ manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
+ manage_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
+ files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, file)
- # Allow ftpdctl to read config files
- files_read_etc_files(ftpdctl_t)
++manage_dirs_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t)
++manage_files_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t)
++exec_files_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t)
++files_tmp_filetrans(fail2ban_t, fail2ban_tmp_t, { dir file })
++
+ kernel_read_system_state(fail2ban_t)
--userdom_use_user_terminals(ftpdctl_t)
-+userdom_use_inherited_user_terminals(ftpdctl_t)
+ corecmd_exec_bin(fail2ban_t)
+ corecmd_exec_shell(fail2ban_t)
- ########################################
- #
-@@ -365,18 +430,34 @@ userdom_use_user_terminals(ftpdctl_t)
+-corenet_all_recvfrom_unlabeled(fail2ban_t)
+ corenet_all_recvfrom_netlabel(fail2ban_t)
+ corenet_tcp_sendrecv_generic_if(fail2ban_t)
+ corenet_tcp_sendrecv_generic_node(fail2ban_t)
+@@ -80,7 +84,6 @@ domain_use_interactive_fds(fail2ban_t)
+ domain_dontaudit_read_all_domains_state(fail2ban_t)
- files_read_etc_files(sftpd_t)
+ files_read_etc_runtime_files(fail2ban_t)
+-files_read_usr_files(fail2ban_t)
+ files_list_var(fail2ban_t)
+ files_dontaudit_list_tmp(fail2ban_t)
+@@ -92,13 +95,14 @@ auth_use_nsswitch(fail2ban_t)
+ logging_read_all_logs(fail2ban_t)
+ logging_send_syslog_msg(fail2ban_t)
+
+-miscfiles_read_localization(fail2ban_t)
+-
+ sysnet_manage_config(fail2ban_t)
+ sysnet_etc_filetrans_config(fail2ban_t)
+
+ mta_send_mail(fail2ban_t)
+
++sysnet_manage_config(fail2ban_t)
++sysnet_filetrans_named_content(fail2ban_t)
+
- # allow read access to /home by default
- userdom_read_user_home_content_files(sftpd_t)
- userdom_read_user_home_content_symlinks(sftpd_t)
-+userdom_dontaudit_list_admin_dir(sftpd_t)
-+
-+tunable_policy(`sftpd_full_access',`
-+ allow sftpd_t self:capability { dac_override dac_read_search };
-+ fs_read_noxattr_fs_files(sftpd_t)
-+ files_manage_non_security_files(sftpd_t)
+ optional_policy(`
+ apache_read_log(fail2ban_t)
+ ')
+@@ -108,6 +112,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ gnome_dontaudit_search_config(fail2ban_t)
+')
+
+optional_policy(`
-+ tunable_policy(`sftpd_write_ssh_home',`
-+ ssh_manage_home_files(sftpd_t)
-+ ')
-+')
-
- tunable_policy(`sftpd_enable_homedirs',`
- allow sftpd_t self:capability { dac_override dac_read_search };
-
- # allow access to /home
- files_list_home(sftpd_t)
-- userdom_manage_user_home_content_files(sftpd_t)
-- userdom_manage_user_home_content_dirs(sftpd_t)
-- userdom_user_home_dir_filetrans_user_home_content(sftpd_t, { dir file })
-+ userdom_read_user_home_content_files(sftpd_t)
-+ userdom_manage_user_home_content(sftpd_t)
-+',`
-+ # Needed for permissive mode, to make sure everything gets labeled correctly
-+ userdom_user_home_dir_filetrans_pattern(sftpd_t, { dir file lnk_file })
+ iptables_domtrans(fail2ban_t)
')
- tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -394,19 +475,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
- tunable_policy(`sftpd_full_access',`
- allow sftpd_t self:capability { dac_override dac_read_search };
- fs_read_noxattr_fs_files(sftpd_t)
-- files_manage_non_auth_files(sftpd_t)
-+ files_manage_non_security_files(sftpd_t)
- ')
+@@ -137,14 +145,10 @@ corecmd_exec_bin(fail2ban_client_t)
--tunable_policy(`use_samba_home_dirs',`
-- # allow read access to /home by default
-- fs_list_cifs(sftpd_t)
-- fs_read_cifs_files(sftpd_t)
-- fs_read_cifs_symlinks(sftpd_t)
--')
--
--tunable_policy(`use_nfs_home_dirs',`
-- # allow read access to /home by default
-- fs_list_nfs(sftpd_t)
-- fs_read_nfs_files(sftpd_t)
-- fs_read_nfs_symlinks(ftpd_t)
--')
-+userdom_home_reader(sftpd_t)
-diff --git a/games.te b/games.te
-index b73d33c..ffacbd2 100644
---- a/games.te
-+++ b/games.te
-@@ -75,8 +75,6 @@ init_use_script_ptys(games_srv_t)
+ domain_use_interactive_fds(fail2ban_client_t)
- logging_send_syslog_msg(games_srv_t)
+-files_read_etc_files(fail2ban_client_t)
+-files_read_usr_files(fail2ban_client_t)
+ files_search_pids(fail2ban_client_t)
--miscfiles_read_localization(games_srv_t)
--
- userdom_dontaudit_use_unpriv_user_fds(games_srv_t)
+ logging_getattr_all_logs(fail2ban_client_t)
+ logging_search_all_logs(fail2ban_client_t)
- userdom_dontaudit_search_user_home_dirs(games_srv_t)
-@@ -120,7 +118,6 @@ kernel_read_system_state(games_t)
+-miscfiles_read_localization(fail2ban_client_t)
+-
+ userdom_dontaudit_search_user_home_dirs(fail2ban_client_t)
+ userdom_use_user_terminals(fail2ban_client_t)
+diff --git a/fetchmail.fc b/fetchmail.fc
+index 2486e2a..ea07c4f 100644
+--- a/fetchmail.fc
++++ b/fetchmail.fc
+@@ -1,4 +1,5 @@
+ HOME_DIR/\.fetchmailrc -- gen_context(system_u:object_r:fetchmail_home_t,s0)
++/root/\.fetchmailrc -- gen_context(system_u:object_r:fetchmail_home_t, s0)
- corecmd_exec_bin(games_t)
+ /etc/fetchmailrc -- gen_context(system_u:object_r:fetchmail_etc_t,s0)
--corenet_all_recvfrom_unlabeled(games_t)
- corenet_all_recvfrom_netlabel(games_t)
- corenet_tcp_sendrecv_generic_if(games_t)
- corenet_udp_sendrecv_generic_if(games_t)
-@@ -151,9 +148,6 @@ init_dontaudit_rw_utmp(games_t)
+diff --git a/fetchmail.if b/fetchmail.if
+index c3f7916..cab3954 100644
+--- a/fetchmail.if
++++ b/fetchmail.if
+@@ -23,14 +23,16 @@ interface(`fetchmail_admin',`
+ type fetchmail_var_run_t, fetchmail_initrc_exec_t, fetchmail_log_t;
+ ')
- logging_dontaudit_search_logs(games_t)
++ ps_process_pattern($1, fetchmail_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 fetchmail_t:process ptrace;
++ ')
++
+ init_labeled_script_domtrans($1, fetchmail_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 fetchmail_initrc_exec_t system_r;
+ allow $2 system_r;
--miscfiles_read_man_pages(games_t)
--miscfiles_read_localization(games_t)
+- allow $1 fetchmail_t:process { ptrace signal_perms };
+- ps_process_pattern($1, fetchmail_t)
-
- sysnet_read_config(games_t)
-
- userdom_manage_user_tmp_dirs(games_t)
-@@ -163,7 +157,7 @@ userdom_manage_user_tmp_sockets(games_t)
- # Suppress .icons denial until properly implemented
- userdom_dontaudit_read_user_home_content_files(games_t)
-
--tunable_policy(`allow_execmem',`
-+tunable_policy(`deny_execmem',`', `
- allow games_t self:process execmem;
- ')
+ files_list_etc($1)
+ admin_pattern($1, fetchmail_etc_t)
-diff --git a/gatekeeper.te b/gatekeeper.te
-index 99a94de..8b84eda 100644
---- a/gatekeeper.te
-+++ b/gatekeeper.te
-@@ -33,7 +33,7 @@ allow gatekeeper_t self:fifo_file rw_fifo_file_perms;
- allow gatekeeper_t self:tcp_socket create_stream_socket_perms;
- allow gatekeeper_t self:udp_socket create_socket_perms;
+diff --git a/fetchmail.te b/fetchmail.te
+index f0388cb..73521ff 100644
+--- a/fetchmail.te
++++ b/fetchmail.te
+@@ -50,10 +50,19 @@ logging_log_filetrans(fetchmail_t, fetchmail_log_t, { dir file })
+ allow fetchmail_t fetchmail_uidl_cache_t:file manage_file_perms;
+ mta_spool_filetrans(fetchmail_t, fetchmail_uidl_cache_t, file)
--allow gatekeeper_t gatekeeper_etc_t:lnk_file { getattr read };
-+allow gatekeeper_t gatekeeper_etc_t:lnk_file read_lnk_file_perms;
- allow gatekeeper_t gatekeeper_etc_t:file read_file_perms;
- files_search_etc(gatekeeper_t)
++manage_dirs_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t)
++manage_files_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t)
++logging_log_filetrans(fetchmail_t, fetchmail_log_t, { dir file })
++
+ manage_dirs_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t)
+ manage_files_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t)
+ files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, dir)
-@@ -52,7 +52,6 @@ kernel_read_kernel_sysctls(gatekeeper_t)
++list_dirs_pattern(fetchmail_t, fetchmail_home_t, fetchmail_home_t)
++read_files_pattern(fetchmail_t, fetchmail_home_t, fetchmail_home_t)
++userdom_search_user_home_dirs(fetchmail_t)
++userdom_search_admin_dir(fetchmail_t)
++
+ kernel_read_kernel_sysctls(fetchmail_t)
+ kernel_list_proc(fetchmail_t)
+ kernel_getattr_proc_files(fetchmail_t)
+@@ -63,7 +72,6 @@ kernel_dontaudit_read_system_state(fetchmail_t)
+ corecmd_exec_bin(fetchmail_t)
+ corecmd_exec_shell(fetchmail_t)
- corecmd_list_bin(gatekeeper_t)
+-corenet_all_recvfrom_unlabeled(fetchmail_t)
+ corenet_all_recvfrom_netlabel(fetchmail_t)
+ corenet_tcp_sendrecv_generic_if(fetchmail_t)
+ corenet_tcp_sendrecv_generic_node(fetchmail_t)
+@@ -84,17 +92,20 @@ fs_search_auto_mountpoints(fetchmail_t)
--corenet_all_recvfrom_unlabeled(gatekeeper_t)
- corenet_all_recvfrom_netlabel(gatekeeper_t)
- corenet_tcp_sendrecv_generic_if(gatekeeper_t)
- corenet_udp_sendrecv_generic_if(gatekeeper_t)
-@@ -79,8 +78,6 @@ fs_search_auto_mountpoints(gatekeeper_t)
+ domain_use_interactive_fds(fetchmail_t)
- logging_send_syslog_msg(gatekeeper_t)
+-auth_use_nsswitch(fetchmail_t)
++auth_read_passwd(fetchmail_t)
--miscfiles_read_localization(gatekeeper_t)
--
- sysnet_read_config(gatekeeper_t)
+ logging_send_syslog_msg(fetchmail_t)
- userdom_dontaudit_use_unpriv_user_fds(gatekeeper_t)
-diff --git a/gift.te b/gift.te
-index 4975343..1c20b64 100644
---- a/gift.te
-+++ b/gift.te
-@@ -52,7 +52,6 @@ domtrans_pattern(gift_t, giftd_exec_t, giftd_t)
- kernel_read_system_state(gift_t)
-
- # Connect to gift daemon
--corenet_all_recvfrom_unlabeled(gift_t)
- corenet_all_recvfrom_netlabel(gift_t)
- corenet_tcp_sendrecv_generic_if(gift_t)
- corenet_tcp_sendrecv_generic_node(gift_t)
-@@ -67,17 +66,7 @@ sysnet_read_config(gift_t)
- # giftui looks in .icons, .themes.
- userdom_dontaudit_read_user_home_content_files(gift_t)
+-miscfiles_read_localization(fetchmail_t)
+ miscfiles_read_generic_certs(fetchmail_t)
--tunable_policy(`use_nfs_home_dirs',`
-- fs_manage_nfs_dirs(gift_t)
-- fs_manage_nfs_files(gift_t)
-- fs_manage_nfs_symlinks(gift_t)
--')
--
--tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_dirs(gift_t)
-- fs_manage_cifs_files(gift_t)
-- fs_manage_cifs_symlinks(gift_t)
--')
-+userdom_home_manager(gift_t)
+ userdom_dontaudit_use_unpriv_user_fds(fetchmail_t)
+ userdom_search_user_home_dirs(fetchmail_t)
optional_policy(`
- nscd_socket_use(gift_t)
-@@ -106,7 +95,6 @@ kernel_read_system_state(giftd_t)
- kernel_read_kernel_sysctls(giftd_t)
++ kerberos_use(fetchmail_t)
++')
++
++optional_policy(`
+ procmail_domtrans(fetchmail_t)
+ ')
- # Serve content on various p2p networks. Ports can be random.
--corenet_all_recvfrom_unlabeled(giftd_t)
- corenet_all_recvfrom_netlabel(giftd_t)
- corenet_tcp_sendrecv_generic_if(giftd_t)
- corenet_udp_sendrecv_generic_if(giftd_t)
-@@ -125,20 +113,8 @@ files_read_usr_files(giftd_t)
- # Read /etc/mtab
- files_read_etc_runtime_files(giftd_t)
+diff --git a/finger.te b/finger.te
+index af4b6d7..92245bf 100644
+--- a/finger.te
++++ b/finger.te
+@@ -45,7 +45,6 @@ logging_log_filetrans(fingerd_t, fingerd_log_t, file)
+ kernel_read_kernel_sysctls(fingerd_t)
+ kernel_read_system_state(fingerd_t)
+
+-corenet_all_recvfrom_unlabeled(fingerd_t)
+ corenet_all_recvfrom_netlabel(fingerd_t)
+ corenet_tcp_sendrecv_generic_if(fingerd_t)
+ corenet_tcp_sendrecv_generic_node(fingerd_t)
+@@ -63,6 +62,7 @@ dev_read_sysfs(fingerd_t)
+ domain_use_interactive_fds(fingerd_t)
--miscfiles_read_localization(giftd_t)
+ files_read_etc_runtime_files(fingerd_t)
++files_search_home(fingerd_t)
- sysnet_read_config(giftd_t)
+ fs_getattr_all_fs(fingerd_t)
+ fs_search_auto_mountpoints(fingerd_t)
+@@ -71,6 +71,7 @@ term_getattr_all_ttys(fingerd_t)
+ term_getattr_all_ptys(fingerd_t)
--userdom_use_user_terminals(giftd_t)
--
--tunable_policy(`use_nfs_home_dirs',`
-- fs_manage_nfs_dirs(giftd_t)
-- fs_manage_nfs_files(giftd_t)
-- fs_manage_nfs_symlinks(giftd_t)
--')
--
--tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_dirs(giftd_t)
-- fs_manage_cifs_files(giftd_t)
-- fs_manage_cifs_symlinks(giftd_t)
--')
-+userdom_use_inherited_user_terminals(giftd_t)
-+userdom_home_manager(gitd_t)
-diff --git a/git.fc b/git.fc
-index 13e72a7..a4dc0b9 100644
---- a/git.fc
-+++ b/git.fc
-@@ -1,11 +1,15 @@
- HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_user_content_t,s0)
+ auth_read_lastlog(fingerd_t)
++auth_use_nsswitch(fingerd_t)
-+/srv/git(/.*)? gen_context(system_u:object_r:git_sys_content_t,s0)
-+
- /usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t,s0)
+ init_read_utmp(fingerd_t)
+ init_dontaudit_write_utmp(fingerd_t)
+@@ -79,7 +80,7 @@ logging_send_syslog_msg(fingerd_t)
- /var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
-+/var/cache/gitweb-caching(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
+ mta_getattr_spool(fingerd_t)
- /var/lib/git(/.*)? gen_context(system_u:object_r:git_sys_content_t,s0)
+-miscfiles_read_localization(fingerd_t)
++sysnet_read_config(fingerd_t)
- /var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
- /var/www/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
- /var/www/git/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
-+/var/www/gitweb-caching/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
-diff --git a/git.if b/git.if
-index b0242d9..407e79d 100644
---- a/git.if
-+++ b/git.if
-@@ -15,9 +15,9 @@
- ## </summary>
- ## </param>
- #
--template(`git_role',`
-+template(`git_session_role',`
- gen_require(`
-- type git_session_t, gitd_exec_t, git_user_content_t;
-+ type git_session_t, gitd_exec_t;
- ')
+ userdom_dontaudit_use_unpriv_user_fds(fingerd_t)
- ########################################
-@@ -32,19 +32,495 @@ template(`git_role',`
- # Policy
- #
+diff --git a/firewalld.fc b/firewalld.fc
+index 21d7b84..0e272bd 100644
+--- a/firewalld.fc
++++ b/firewalld.fc
+@@ -1,3 +1,5 @@
++/usr/lib/systemd/system/firewalld.* -- gen_context(system_u:object_r:firewalld_unit_file_t,s0)
++
+ /etc/rc\.d/init\.d/firewalld -- gen_context(system_u:object_r:firewalld_initrc_exec_t,s0)
-- manage_dirs_pattern($2, git_user_content_t, git_user_content_t)
-- relabel_dirs_pattern($2, git_user_content_t, git_user_content_t)
--
-- exec_files_pattern($2, git_user_content_t, git_user_content_t)
-- manage_files_pattern($2, git_user_content_t, git_user_content_t)
-- relabel_files_pattern($2, git_user_content_t, git_user_content_t)
--
-- allow $2 git_session_t:process { ptrace signal_perms };
-+ allow $2 git_session_t:process signal_perms;
- ps_process_pattern($2, git_session_t)
+ /etc/firewalld(/.*)? gen_context(system_u:object_r:firewalld_etc_rw_t,s0)
+diff --git a/firewalld.if b/firewalld.if
+index 5cf6ac6..839999e 100644
+--- a/firewalld.if
++++ b/firewalld.if
+@@ -2,6 +2,66 @@
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $2 git_session_t:process ptrace;
-+ ')
-+
- tunable_policy(`git_session_users',`
- domtrans_pattern($2, gitd_exec_t, git_session_t)
- ',`
- can_exec($2, gitd_exec_t)
- ')
- ')
-+
-+########################################
-+## <summary>
-+## Create a set of derived types for Git
-+## daemon shared repository content.
-+## </summary>
-+## <param name="prefix">
-+## <summary>
-+## The prefix to be used for deriving type names.
-+## </summary>
-+## </param>
-+#
-+template(`git_content_template',`
-+ gen_require(`
-+ attribute git_system_content, git_content;
-+ ')
-+
-+ ########################################
-+ #
-+ # Git daemon content shared declarations.
-+ #
-+
-+ type git_$1_content_t, git_system_content, git_content;
-+ files_type(git_$1_content_t)
-+')
-+
-+########################################
-+## <summary>
-+## Create a set of derived types for Git
-+## daemon shared repository roles.
-+## </summary>
-+## <param name="prefix">
-+## <summary>
-+## The prefix to be used for deriving type names.
-+## </summary>
-+## </param>
-+#
-+template(`git_role_template',`
-+ gen_require(`
-+ class context contains;
-+ role system_r;
-+ ')
-+
-+ ########################################
-+ #
-+ # Git daemon role shared declarations.
-+ #
-+
-+ attribute $1_usertype;
-+
-+ type $1_t;
-+ userdom_unpriv_usertype($1, $1_t)
-+ domain_type($1_t)
-+
-+ role $1_r types $1_t;
-+ allow system_r $1_r;
-+
-+ ########################################
-+ #
-+ # Git daemon role shared policy.
-+ #
-+
-+ allow $1_t self:context contains;
-+ allow $1_t self:fifo_file rw_fifo_file_perms;
-+
-+ corecmd_exec_bin($1_t)
-+ corecmd_bin_entry_type($1_t)
-+ corecmd_shell_entry_type($1_t)
-+
-+ domain_interactive_fd($1_t)
-+ domain_user_exemption_target($1_t)
-+
-+ kernel_read_system_state($1_t)
-+
-+ files_read_etc_files($1_t)
-+ files_dontaudit_search_home($1_t)
-+
-+
-+ git_rwx_generic_system_content($1_t)
-+
-+ ssh_rw_stream_sockets($1_t)
-+
-+ tunable_policy(`git_system_use_cifs',`
-+ fs_exec_cifs_files($1_t)
-+ fs_manage_cifs_dirs($1_t)
-+ fs_manage_cifs_files($1_t)
-+ ')
-+
-+ tunable_policy(`git_system_use_nfs',`
-+ fs_exec_nfs_files($1_t)
-+ fs_manage_nfs_dirs($1_t)
-+ fs_manage_nfs_files($1_t)
-+ ')
-+
-+ optional_policy(`
-+ nscd_read_pid($1_t)
-+ ')
-+')
-+
-+#######################################
-+## <summary>
-+## Allow specified domain access to the
-+## specified Git daemon content.
+ ########################################
+ ## <summary>
++## Execute a domain transition to run firewalld.
+## </summary>
+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <param name="object">
-+## <summary>
-+## Type of the object that access is allowed to.
-+## </summary>
-+## </param>
-+#
-+interface(`git_content_delegation',`
-+ gen_require(`
-+ type $1, $2;
-+ ')
-+
-+ exec_files_pattern($1, $2, $2)
-+ manage_dirs_pattern($1, $2, $2)
-+ manage_files_pattern($1, $2, $2)
-+ files_search_var_lib($1)
-+
-+ tunable_policy(`git_system_use_cifs',`
-+ fs_exec_cifs_files($1)
-+ fs_manage_cifs_dirs($1)
-+ fs_manage_cifs_files($1)
-+ ')
-+
-+ tunable_policy(`git_system_use_nfs',`
-+ fs_exec_nfs_files($1)
-+ fs_manage_nfs_dirs($1)
-+ fs_manage_nfs_files($1)
-+ ')
-+')
-+
-+########################################
+## <summary>
-+## Allow the specified domain to manage
-+## and execute all Git daemon content.
-+## </summary>
-+## <param name="domain">
-+## <summary>
+## Domain allowed access.
-+## </summary>
++## </summary>
+## </param>
+#
-+interface(`git_rwx_all_content',`
++interface(`firewalld_domtrans',`
+ gen_require(`
-+ attribute git_content;
-+ ')
-+
-+ exec_files_pattern($1, git_content, git_content)
-+ manage_dirs_pattern($1, git_content, git_content)
-+ manage_files_pattern($1, git_content, git_content)
-+ userdom_search_user_home_dirs($1)
-+ files_search_var_lib($1)
-+
-+ tunable_policy(`git_system_use_cifs',`
-+ fs_exec_cifs_files($1)
-+ fs_manage_cifs_dirs($1)
-+ fs_manage_cifs_files($1)
++ type firewalld_t, firewalld_exec_t;
+ ')
+
-+ tunable_policy(`git_system_use_nfs',`
-+ fs_exec_nfs_files($1)
-+ fs_manage_nfs_dirs($1)
-+ fs_manage_nfs_files($1)
-+ ')
++ domtrans_pattern($1, firewalld_exec_t, firewalld_t)
+')
+
++
+########################################
+## <summary>
-+## Allow the specified domain to manage
-+## and execute all Git daemon system content.
++## Execute firewalld server in the firewalld domain.
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain allowed access.
++## The type of the process performing this action.
+## </summary>
+## </param>
+#
-+interface(`git_rwx_all_system_content',`
++interface(`firewalld_initrc_domtrans',`
+ gen_require(`
-+ attribute git_system_content;
-+ ')
-+
-+ exec_files_pattern($1, git_system_content, git_system_content)
-+ manage_dirs_pattern($1, git_system_content, git_system_content)
-+ manage_files_pattern($1, git_system_content, git_system_content)
-+ files_search_var_lib($1)
-+
-+ tunable_policy(`git_system_use_cifs',`
-+ fs_exec_cifs_files($1)
-+ fs_manage_cifs_dirs($1)
-+ fs_manage_cifs_files($1)
++ type firewalld_initrc_exec_t;
+ ')
+
-+ tunable_policy(`git_system_use_nfs',`
-+ fs_exec_nfs_files($1)
-+ fs_manage_nfs_dirs($1)
-+ fs_manage_nfs_files($1)
-+ ')
++ init_labeled_script_domtrans($1, firewalld_initrc_exec_t)
+')
+
+########################################
+## <summary>
-+## Allow the specified domain to manage
-+## and execute Git daemon generic system content.
++## Execute firewalld server in the firewalld domain.
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain allowed access.
++## Domain allowed to transition.
+## </summary>
+## </param>
+#
-+interface(`git_rwx_generic_system_content',`
++interface(`firewalld_systemctl',`
+ gen_require(`
-+ type git_sys_content_t;
++ type firewalld_t;
++ type firewalld_unit_file_t;
+ ')
+
-+ exec_files_pattern($1, git_sys_content_t, git_sys_content_t)
-+ manage_dirs_pattern($1, git_sys_content_t, git_sys_content_t)
-+ manage_files_pattern($1, git_sys_content_t, git_sys_content_t)
-+ files_search_var_lib($1)
-+
-+ tunable_policy(`git_system_use_cifs',`
-+ fs_exec_cifs_files($1)
-+ fs_manage_cifs_dirs($1)
-+ fs_manage_cifs_files($1)
-+ ')
++ systemd_exec_systemctl($1)
++ allow $1 firewalld_unit_file_t:file read_file_perms;
++ allow $1 firewalld_unit_file_t:service manage_service_perms;
+
-+ tunable_policy(`git_system_use_nfs',`
-+ fs_exec_nfs_files($1)
-+ fs_manage_nfs_dirs($1)
-+ fs_manage_nfs_files($1)
-+ ')
++ ps_process_pattern($1, firewalld_t)
+')
+
+########################################
+## <summary>
-+## Allow the specified domain to read
-+## all Git daemon content files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`git_read_all_content_files',`
-+ gen_require(`
-+ attribute git_content;
+ ## Send and receive messages from
+ ## firewalld over dbus.
+ ## </summary>
+@@ -23,8 +83,8 @@ interface(`firewalld_dbus_chat',`
+
+ ########################################
+ ## <summary>
+-## All of the rules required to
+-## administrate an firewalld environment.
++## All of the rules required to administrate
++## an firewalld environment
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -45,10 +105,14 @@ interface(`firewalld_admin',`
+ type firewalld_var_log_t;
+ ')
+
+- allow $1 firewalld_t:process { ptrace signal_perms };
++ allow $1 firewalld_t:process signal_perms;
+ ps_process_pattern($1, firewalld_t)
+
+- init_labeled_script_domtrans($1, firewalld_initrc_exec_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 firewalld_t:process ptrace;
+ ')
+
-+ list_dirs_pattern($1, git_content, git_content)
-+ read_files_pattern($1, git_content, git_content)
-+ userdom_search_user_home_dirs($1)
-+ files_search_var_lib($1)
-+
-+ tunable_policy(`git_system_use_cifs',`
-+ fs_list_cifs($1)
-+ fs_read_cifs_files($1)
-+ ')
++ firewalld_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 firewalld_initrc_exec_t system_r;
+ allow $2 system_r;
+@@ -59,6 +123,9 @@ interface(`firewalld_admin',`
+ logging_search_logs($1)
+ admin_pattern($1, firewalld_var_log_t)
+
+- files_search_etc($1)
+ admin_pattern($1, firewall_etc_rw_t)
+
-+ tunable_policy(`git_system_use_nfs',`
-+ fs_list_nfs($1)
-+ fs_read_nfs_files($1)
-+ ')
-+')
++ admin_pattern($1, firewalld_unit_file_t)
++ firewalld_systemctl($1)
++ allow $1 firewalld_unit_file_t:service all_service_perms;
+ ')
+diff --git a/firewalld.te b/firewalld.te
+index c8014f8..646818a 100644
+--- a/firewalld.te
++++ b/firewalld.te
+@@ -21,6 +21,9 @@ logging_log_file(firewalld_var_log_t)
+ type firewalld_var_run_t;
+ files_pid_file(firewalld_var_run_t)
+
++type firewalld_unit_file_t;
++systemd_unit_file(firewalld_unit_file_t)
+
-+########################################
+ ########################################
+ #
+ # Local policy
+@@ -42,6 +45,7 @@ logging_log_filetrans(firewalld_t, firewalld_var_log_t, file)
+
+ manage_files_pattern(firewalld_t, firewalld_var_run_t, firewalld_var_run_t)
+ files_pid_filetrans(firewalld_t, firewalld_var_run_t, file)
++can_exec(firewalld_t, firewalld_var_run_t)
+
+ kernel_read_network_state(firewalld_t)
+ kernel_read_system_state(firewalld_t)
+@@ -53,20 +57,17 @@ dev_read_urand(firewalld_t)
+
+ domain_use_interactive_fds(firewalld_t)
+
+-files_read_etc_files(firewalld_t)
+-files_read_usr_files(firewalld_t)
++files_dontaudit_access_check_tmp(firewalld_t)
+ files_dontaudit_list_tmp(firewalld_t)
+
+ fs_getattr_xattr_fs(firewalld_t)
++fs_dontaudit_all_access_check(firewalld_t)
+
+-logging_send_syslog_msg(firewalld_t)
+-
+-miscfiles_read_localization(firewalld_t)
++auth_use_nsswitch(firewalld_t)
+
+-seutil_exec_setfiles(firewalld_t)
+-seutil_read_file_contexts(firewalld_t)
++logging_send_syslog_msg(firewalld_t)
+
+-sysnet_read_config(firewalld_t)
++sysnet_dns_name_resolve(firewalld_t)
+
+ optional_policy(`
+ dbus_system_domain(firewalld_t, firewalld_exec_t)
+diff --git a/firewallgui.if b/firewallgui.if
+index e6866d1..941f4ef 100644
+--- a/firewallgui.if
++++ b/firewallgui.if
+@@ -37,5 +37,5 @@ interface(`firewallgui_dontaudit_rw_pipes',`
+ type firewallgui_t;
+ ')
+
+- dontaudit $1 firewallgui_t:fifo_file rw_fifo_file_perms;
++ dontaudit $1 firewallgui_t:fifo_file rw_inherited_fifo_file_perms;
+ ')
+diff --git a/firewallgui.te b/firewallgui.te
+index c5ceab1..0d9c1ce 100644
+--- a/firewallgui.te
++++ b/firewallgui.te
+@@ -36,8 +36,11 @@ corecmd_exec_shell(firewallgui_t)
+ dev_read_sysfs(firewallgui_t)
+ dev_read_urand(firewallgui_t)
+
+-files_list_kernel_modules(firewallgui_t)
++files_manage_system_conf_files(firewallgui_t)
++files_etc_filetrans_system_conf(firewallgui_t)
+ files_read_usr_files(firewallgui_t)
++files_search_kernel_modules(firewallgui_t)
++files_list_kernel_modules(firewallgui_t)
+
+ auth_use_nsswitch(firewallgui_t)
+
+@@ -60,12 +63,13 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- gnome_read_generic_gconf_home_content(firewallgui_t)
++ gnome_read_gconf_home_files(firewallgui_t)
+ ')
+
+ optional_policy(`
+ iptables_domtrans(firewallgui_t)
+ iptables_initrc_domtrans(firewallgui_t)
++ iptables_systemctl(firewallgui_t)
+ ')
+
+ optional_policy(`
+diff --git a/firstboot.fc b/firstboot.fc
+index 12c782c..ba614e4 100644
+--- a/firstboot.fc
++++ b/firstboot.fc
+@@ -1,5 +1,3 @@
+-/etc/rc\.d/init\.d/firstboot.* -- gen_context(system_u:object_r:firstboot_initrc_exec_t,s0)
++/usr/sbin/firstboot -- gen_context(system_u:object_r:firstboot_exec_t,s0)
+
+-/usr/sbin/firstboot -- gen_context(system_u:object_r:firstboot_exec_t,s0)
+-
+-/usr/share/firstboot/firstboot\.py -- gen_context(system_u:object_r:firstboot_exec_t,s0)
++/usr/share/firstboot/firstboot\.py -- gen_context(system_u:object_r:firstboot_exec_t,s0)
+diff --git a/firstboot.if b/firstboot.if
+index 280f875..f3a67c9 100644
+--- a/firstboot.if
++++ b/firstboot.if
+@@ -1,4 +1,7 @@
+-## <summary>Initial system configuration utility.</summary>
+## <summary>
-+## Allow the specified domain to read
-+## Git daemon session content files.
++## Final system configuration run during the first boot
++## after installation of Red Hat/Fedora systems.
+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`git_read_session_content_files',`
-+ gen_require(`
-+ type git_user_content_t;
-+ ')
-+
-+ list_dirs_pattern($1, git_user_content_t, git_user_content_t)
-+ read_files_pattern($1, git_user_content_t, git_user_content_t)
-+ userdom_search_user_home_dirs($1)
-+')
-+
-+#######################################
-+## <summary>
-+## Dontaudit the specified domain to read
-+## Git daemon session content files.
+
+ ########################################
+ ## <summary>
+@@ -15,15 +18,13 @@ interface(`firstboot_domtrans',`
+ type firstboot_t, firstboot_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+ domtrans_pattern($1, firstboot_exec_t, firstboot_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Execute firstboot in the firstboot
+-## domain, and allow the specified role
+-## the firstboot domain.
++## Execute firstboot in the firstboot domain, and
++## allow the specified role the firstboot domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -38,16 +39,16 @@ interface(`firstboot_domtrans',`
+ #
+ interface(`firstboot_run',`
+ gen_require(`
+- attribute_role firstboot_roles;
++ type firstboot_t;
+ ')
+
+ firstboot_domtrans($1)
+- roleattribute $2 firstboot_roles;
++ role $2 types firstboot_t;
+ ')
+
+ ########################################
+ ## <summary>
+-## Inherit and use firstboot file descriptors.
++## Inherit and use a file descriptor from firstboot.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -65,8 +66,8 @@ interface(`firstboot_use_fds',`
+
+ ########################################
+ ## <summary>
+-## Do not audit attempts to inherit
+-## firstboot file descriptors.
++## Do not audit attempts to inherit a
++## file descriptor from firstboot.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -84,7 +85,26 @@ interface(`firstboot_dontaudit_use_fds',`
+
+ ########################################
+ ## <summary>
+-## Write firstboot unnamed pipes.
++## dontaudit read and write an leaked file descriptors
+## </summary>
+## <param name="domain">
+## <summary>
@@ -22720,364 +21337,782 @@ index b0242d9..407e79d 100644
+## </summary>
+## </param>
+#
-+interface(`git_dontaudit_read_session_content_files',`
++interface(`firstboot_dontaudit_leaks',`
+ gen_require(`
-+ type git_user_content_t;
++ type firstboot_t;
+ ')
+
-+ dontaudit $1 git_user_content_t:file read_file_perms;
++ dontaudit $1 firstboot_t:socket_class_set { read write };
++ dontaudit $1 firstboot_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
+########################################
+## <summary>
-+## Allow the specified domain to read
-+## all Git daemon system content files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`git_read_all_system_content_files',`
-+ gen_require(`
-+ attribute git_system_content;
-+ ')
-+
-+ list_dirs_pattern($1, git_system_content, git_system_content)
-+ read_files_pattern($1, git_system_content, git_system_content)
-+ files_search_var_lib($1)
-+
-+ tunable_policy(`git_system_use_cifs',`
-+ fs_list_cifs($1)
-+ fs_read_cifs_files($1)
-+ ')
++## Write to a firstboot unnamed pipe.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -97,12 +117,13 @@ interface(`firstboot_write_pipes',`
+ type firstboot_t;
+ ')
+
++ allow $1 firstboot_t:fd use;
+ allow $1 firstboot_t:fifo_file write;
+ ')
+
+ ########################################
+ ## <summary>
+-## Read and Write firstboot unnamed pipes.
++## Read and Write to a firstboot unnamed pipe.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -120,8 +141,7 @@ interface(`firstboot_rw_pipes',`
+
+ ########################################
+ ## <summary>
+-## Do not audit attemps to read and
+-## write firstboot unnamed pipes.
++## Do not audit attemps to read and write to a firstboot unnamed pipe.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -139,9 +159,8 @@ interface(`firstboot_dontaudit_rw_pipes',`
+
+ ########################################
+ ## <summary>
+-## Do not audit attemps to read and
+-## write firstboot unix domain
+-## stream sockets.
++## Do not audit attemps to read and write to a firstboot
++## unix domain stream socket.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+diff --git a/firstboot.te b/firstboot.te
+index c12c067..0647c46 100644
+--- a/firstboot.te
++++ b/firstboot.te
+@@ -1,7 +1,7 @@
+-policy_module(firstboot, 1.12.3)
++policy_module(firstboot, 1.12.0)
+
+ gen_require(`
+- class passwd { passwd chfn chsh rootok };
++ class passwd { passwd chfn chsh rootok crontab };
+ ')
+
+ ########################################
+@@ -9,17 +9,12 @@ gen_require(`
+ # Declarations
+ #
+
+-attribute_role firstboot_roles;
+-
+ type firstboot_t;
+ type firstboot_exec_t;
+ init_system_domain(firstboot_t, firstboot_exec_t)
+ domain_obj_id_change_exemption(firstboot_t)
+ domain_subj_id_change_exemption(firstboot_t)
+-role firstboot_roles types firstboot_t;
+-
+-type firstboot_initrc_exec_t;
+-init_script_file(firstboot_initrc_exec_t)
++role system_r types firstboot_t;
+
+ type firstboot_etc_t;
+ files_config_file(firstboot_etc_t)
+@@ -32,18 +27,36 @@ files_config_file(firstboot_etc_t)
+ allow firstboot_t self:capability { dac_override setgid };
+ allow firstboot_t self:process setfscreate;
+ allow firstboot_t self:fifo_file rw_fifo_file_perms;
+-allow firstboot_t self:tcp_socket { accept listen };
++allow firstboot_t self:tcp_socket create_stream_socket_perms;
++allow firstboot_t self:unix_stream_socket { connect create };
+ allow firstboot_t self:passwd { rootok passwd chfn chsh };
+
+ allow firstboot_t firstboot_etc_t:file read_file_perms;
+
++files_manage_generic_tmp_dirs(firstboot_t)
++files_manage_generic_tmp_files(firstboot_t)
+
-+ tunable_policy(`git_system_use_nfs',`
-+ fs_list_nfs($1)
-+ fs_read_nfs_files($1)
-+ ')
-+')
+ kernel_read_system_state(firstboot_t)
+ kernel_read_kernel_sysctls(firstboot_t)
+
+-corecmd_exec_all_executables(firstboot_t)
++corenet_all_recvfrom_netlabel(firstboot_t)
++corenet_tcp_sendrecv_generic_if(firstboot_t)
++corenet_tcp_sendrecv_generic_node(firstboot_t)
++corenet_tcp_sendrecv_all_ports(firstboot_t)
+
+ dev_read_urand(firstboot_t)
+
++selinux_get_fs_mount(firstboot_t)
++selinux_validate_context(firstboot_t)
++selinux_compute_access_vector(firstboot_t)
++selinux_compute_create_context(firstboot_t)
++selinux_compute_relabel_context(firstboot_t)
++selinux_compute_user_contexts(firstboot_t)
+
-+########################################
-+## <summary>
-+## Allow the specified domain to read
-+## Git daemon generic system content files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`git_read_generic_system_content_files',`
-+ gen_require(`
-+ type git_sys_content_t;
-+ ')
++auth_dontaudit_getattr_shadow(firstboot_t)
+
-+ list_dirs_pattern($1, git_sys_content_t, git_sys_content_t)
-+ read_files_pattern($1, git_sys_content_t, git_sys_content_t)
-+ read_lnk_files_pattern($1, git_sys_content_t, git_sys_content_t)
-+ files_search_var_lib($1)
++corecmd_exec_all_executables(firstboot_t)
+
-+ tunable_policy(`git_system_use_cifs',`
-+ fs_list_cifs($1)
-+ fs_read_cifs_files($1)
-+ ')
+ files_exec_etc_files(firstboot_t)
+ files_manage_etc_files(firstboot_t)
+ files_manage_etc_runtime_files(firstboot_t)
+@@ -54,15 +67,6 @@ files_manage_var_symlinks(firstboot_t)
+ files_create_boot_flag(firstboot_t)
+ files_delete_boot_flag(firstboot_t)
+
+-selinux_get_fs_mount(firstboot_t)
+-selinux_validate_context(firstboot_t)
+-selinux_compute_access_vector(firstboot_t)
+-selinux_compute_create_context(firstboot_t)
+-selinux_compute_relabel_context(firstboot_t)
+-selinux_compute_user_contexts(firstboot_t)
+-
+-auth_dontaudit_getattr_shadow(firstboot_t)
+-
+ init_domtrans_script(firstboot_t)
+ init_rw_utmp(firstboot_t)
+
+@@ -73,11 +77,11 @@ locallogin_use_fds(firstboot_t)
+
+ logging_send_syslog_msg(firstboot_t)
+
+-miscfiles_read_localization(firstboot_t)
+-
+ sysnet_dns_name_resolve(firstboot_t)
+
+-userdom_use_user_terminals(firstboot_t)
++userdom_use_inherited_user_terminals(firstboot_t)
+
-+ tunable_policy(`git_system_use_nfs',`
-+ fs_list_nfs($1)
-+ fs_read_nfs_files($1)
-+ ')
++# Add/remove user home directories
+ userdom_manage_user_home_content_dirs(firstboot_t)
+ userdom_manage_user_home_content_files(firstboot_t)
+ userdom_manage_user_home_content_symlinks(firstboot_t)
+@@ -102,20 +106,18 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- nis_use_ypbind(firstboot_t)
+-')
+-
+-optional_policy(`
+ samba_rw_config(firstboot_t)
+ ')
+
+ optional_policy(`
+ unconfined_domtrans(firstboot_t)
+- unconfined_domain(firstboot_t)
++ # The big hammer
++ unconfined_domain_noaudit(firstboot_t)
+ ')
+
+ optional_policy(`
+- gnome_manage_generic_home_content(firstboot_t)
++ gnome_admin_home_gconf_filetrans(firstboot_t, dir)
++ gnome_manage_config(firstboot_t)
+ ')
+
+ optional_policy(`
+diff --git a/fprintd.te b/fprintd.te
+index c81b6e8..5794a7b 100644
+--- a/fprintd.te
++++ b/fprintd.te
+@@ -30,14 +30,10 @@ dev_list_usbfs(fprintd_t)
+ dev_read_sysfs(fprintd_t)
+ dev_rw_generic_usb_dev(fprintd_t)
+
+-files_read_usr_files(fprintd_t)
+-
+ fs_getattr_all_fs(fprintd_t)
+
+ auth_use_nsswitch(fprintd_t)
+
+-miscfiles_read_localization(fprintd_t)
+-
+ userdom_use_user_ptys(fprintd_t)
+ userdom_read_all_users_state(fprintd_t)
+
+@@ -55,7 +51,17 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- policykit_domtrans_auth(fprintd_t)
++ dbus_system_domain(fprintd_t, fprintd_exec_t)
+')
+
-+########################################
-+## <summary>
-+## Allow the specified domain to relabel
-+## all Git daemon content.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`git_relabel_all_content',`
-+ gen_require(`
-+ attribute git_content;
-+ ')
-+
-+ relabel_dirs_pattern($1, git_content, git_content)
-+ relabel_files_pattern($1, git_content, git_content)
-+ userdom_search_user_home_dirs($1)
-+ files_search_var_lib($1)
++optional_policy(`
+ policykit_read_reload(fprintd_t)
+ policykit_read_lib(fprintd_t)
++ policykit_dbus_chat(fprintd_t)
++ policykit_domtrans_auth(fprintd_t)
++ policykit_dbus_chat_auth(fprintd_t)
+')
+
-+########################################
++optional_policy(`
++ xserver_read_state_xdm(fprintd_t)
+ ')
+diff --git a/ftp.fc b/ftp.fc
+index ddb75c1..44f74e6 100644
+--- a/ftp.fc
++++ b/ftp.fc
+@@ -1,5 +1,8 @@
+ /etc/proftpd\.conf -- gen_context(system_u:object_r:ftpd_etc_t,s0)
+
++/usr/lib/systemd/system/vsftpd.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
++/usr/lib/systemd/system/proftpd.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
++
+ /etc/cron\.monthly/proftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
+
+ /etc/rc\.d/init\.d/vsftpd -- gen_context(system_u:object_r:ftpd_initrc_exec_t,s0)
+diff --git a/ftp.if b/ftp.if
+index d062080..e098a40 100644
+--- a/ftp.if
++++ b/ftp.if
+@@ -1,5 +1,66 @@
+ ## <summary>File transfer protocol service.</summary>
+
++######################################
+## <summary>
-+## Allow the specified domain to relabel
-+## all Git daemon system content.
++## Execute a domain transition to run ftpd.
+## </summary>
+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
++## <summary>
++## Domain allowed to transition.
++## </summary>
+## </param>
+#
-+interface(`git_relabel_all_system_content',`
-+ gen_require(`
-+ attribute git_system_content;
-+ ')
++interface(`ftp_domtrans',`
++ gen_require(`
++ type ftpd_t, ftpd_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1,ftpd_exec_t, ftpd_t)
+
-+ relabel_dirs_pattern($1, git_system_content, git_system_content)
-+ relabel_files_pattern($1, git_system_content, git_system_content)
-+ files_search_var_lib($1)
+')
+
-+########################################
++#######################################
+## <summary>
-+## Allow the specified domain to relabel
-+## Git daemon generic system content.
++## Execute ftpd server in the ftpd domain.
+## </summary>
+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
++## <summary>
++## The type of the process performing this action.
++## </summary>
+## </param>
+#
-+interface(`git_relabel_generic_system_content',`
-+ gen_require(`
-+ type git_sys_content_t;
-+ ')
++interface(`ftp_initrc_domtrans',`
++ gen_require(`
++ type ftpd_initrc_exec_t;
++ ')
+
-+ relabel_dirs_pattern($1, git_sys_content_t, git_sys_content_t)
-+ relabel_files_pattern($1, git_sys_content_t, git_sys_content_t)
-+ files_search_var_lib($1)
++ init_labeled_script_domtrans($1, ftpd_initrc_exec_t)
+')
+
+########################################
+## <summary>
-+## Allow the specified domain to relabel
-+## Git daemon session content.
++## Execute ftpd server in the ftpd domain.
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain allowed access.
++## Domain allowed to transition.
+## </summary>
+## </param>
+#
-+interface(`git_relabel_session_content',`
++interface(`ftp_systemctl',`
+ gen_require(`
-+ type git_user_content_t;
++ type ftpd_unit_file_t;
++ type ftpd_t;
+ ')
+
-+ relabel_dirs_pattern($1, git_user_content_t, git_user_content_t)
-+ relabel_files_pattern($1, git_user_content_t, git_user_content_t)
-+ userdom_search_user_home_dirs($1)
++ systemd_exec_systemctl($1)
++ allow $1 ftpd_unit_file_t:file read_file_perms;
++ allow $1 ftpd_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, ftpd_t)
+')
+
-+########################################
-+## <summary>
-+## Create Git user content with a
-+## named file transition.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`git_filetrans_user_content',`
-+ gen_require(`
-+ type git_user_content_t;
+ #######################################
+ ## <summary>
+ ## Execute a dyntransition to run anon sftpd.
+@@ -178,8 +239,11 @@ interface(`ftp_admin',`
+ type ftpd_initrc_exec_t, ftpdctl_tmp_t;
+ ')
+
+- allow $1 { ftpd_t ftpdctl_t sftpd_t anon_sftpd }:process { ptrace signal_perms };
++ allow $1 ftpd_t:process signal_perms;
+ ps_process_pattern($1, { ftpd_t ftpdctl_t sftpd_t anon_sftpd_t })
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 { ftpd_t ftpdctl_t sftpd_t anon_sftpd }:process ptrace;
+ ')
+
+ init_labeled_script_domtrans($1, ftpd_initrc_exec_t)
+ domain_system_change_exemption($1)
+@@ -203,5 +267,9 @@ interface(`ftp_admin',`
+ logging_list_logs($1)
+ admin_pattern($1, xferlog_t)
+
++ ftp_systemctl($1)
++ admin_pattern($1, ftpd_unit_file_t)
++ allow $1 ftpd_unit_file_t:service all_service_perms;
+
-+ userdom_user_home_dir_filetrans($1, git_user_content_t, dir, "public_git")
-+')
-diff --git a/git.te b/git.te
-index 6e8e1f3..decdda3 100644
---- a/git.te
-+++ b/git.te
-@@ -31,20 +31,21 @@ gen_tunable(git_cgi_use_nfs, false)
+ ftp_run_ftpdctl($1, $2)
+ ')
+diff --git a/ftp.te b/ftp.te
+index e50f33c..fd43185 100644
+--- a/ftp.te
++++ b/ftp.te
+@@ -13,7 +13,7 @@ policy_module(ftp, 1.14.1)
+ ## be labeled public_content_rw_t.
+ ## </p>
+ ## </desc>
+-gen_tunable(allow_ftpd_anon_write, false)
++gen_tunable(ftpd_anon_write, false)
## <desc>
## <p>
--## Determine whether calling user domains
--## can execute Git daemon in the
--## git_session_t domain.
-+## Determine whether Git session daemon
-+## can bind TCP sockets to all
-+## unreserved ports.
+@@ -22,7 +22,7 @@ gen_tunable(allow_ftpd_anon_write, false)
+ ## all files on the system, governed by DAC.
## </p>
## </desc>
--gen_tunable(git_session_users, false)
-+gen_tunable(git_session_bind_all_unreserved_ports, false)
+-gen_tunable(allow_ftpd_full_access, false)
++gen_tunable(ftpd_full_access, false)
## <desc>
## <p>
--## Determine whether Git session daemons
--## can send syslog messages.
-+## Determine whether calling user domains
-+## can execute Git daemon in the
-+## git_session_t domain.
+@@ -30,7 +30,7 @@ gen_tunable(allow_ftpd_full_access, false)
+ ## used for public file transfer services.
## </p>
## </desc>
--gen_tunable(git_session_send_syslog_msg, false)
-+gen_tunable(git_session_users, false)
+-gen_tunable(allow_ftpd_use_cifs, false)
++gen_tunable(ftpd_use_cifs, false)
+
+ ## <desc>
+ ## <p>
+@@ -38,7 +38,7 @@ gen_tunable(allow_ftpd_use_cifs, false)
+ ## used for public file transfer services.
+ ## </p>
+ ## </desc>
+-gen_tunable(allow_ftpd_use_nfs, false)
++gen_tunable(ftpd_use_nfs, false)
## <desc>
## <p>
-@@ -71,6 +72,10 @@ gen_tunable(git_system_use_cifs, false)
- gen_tunable(git_system_use_nfs, false)
+@@ -124,6 +124,9 @@ files_config_file(ftpd_etc_t)
+ type ftpd_initrc_exec_t;
+ init_script_file(ftpd_initrc_exec_t)
+
++type ftpd_unit_file_t;
++systemd_unit_file(ftpd_unit_file_t)
++
+ type ftpd_lock_t;
+ files_lock_file(ftpd_lock_t)
+
+@@ -179,6 +182,9 @@ allow ftpd_t ftpd_etc_t:file read_file_perms;
+ allow ftpd_t ftpd_lock_t:file manage_file_perms;
+ files_lock_filetrans(ftpd_t, ftpd_lock_t, file)
+
++manage_dirs_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
++manage_files_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
++
+ manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
+ manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
+ manage_lnk_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
+@@ -201,14 +207,13 @@ logging_log_filetrans(ftpd_t, xferlog_t, file)
+
+ kernel_read_kernel_sysctls(ftpd_t)
+ kernel_read_system_state(ftpd_t)
+-kernel_search_network_state(ftpd_t)
++kernel_read_network_state(ftpd_t)
+
+ dev_read_sysfs(ftpd_t)
+ dev_read_urand(ftpd_t)
+
+ corecmd_exec_bin(ftpd_t)
+
+-corenet_all_recvfrom_unlabeled(ftpd_t)
+ corenet_all_recvfrom_netlabel(ftpd_t)
+ corenet_tcp_sendrecv_generic_if(ftpd_t)
+ corenet_udp_sendrecv_generic_if(ftpd_t)
+@@ -223,6 +228,10 @@ corenet_tcp_bind_ftp_port(ftpd_t)
+
+ corenet_sendrecv_ftp_data_server_packets(ftpd_t)
+ corenet_tcp_bind_ftp_data_port(ftpd_t)
++corenet_tcp_bind_generic_port(ftpd_t)
++corenet_tcp_bind_all_ephemeral_ports(ftpd_t)
++corenet_tcp_connect_all_ephemeral_ports(ftpd_t)
++corenet_sendrecv_ftp_server_packets(ftpd_t)
+
+ domain_use_interactive_fds(ftpd_t)
+
+@@ -245,7 +254,6 @@ logging_send_audit_msgs(ftpd_t)
+ logging_send_syslog_msg(ftpd_t)
+ logging_set_loginuid(ftpd_t)
+
+-miscfiles_read_localization(ftpd_t)
+ miscfiles_read_public_files(ftpd_t)
+
+ seutil_dontaudit_search_config(ftpd_t)
+@@ -255,31 +263,39 @@ sysnet_use_ldap(ftpd_t)
+ userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
+ userdom_dontaudit_search_user_home_dirs(ftpd_t)
+
+-tunable_policy(`allow_ftpd_anon_write',`
++tunable_policy(`ftpd_anon_write',`
+ miscfiles_manage_public_files(ftpd_t)
+ ')
+
+-tunable_policy(`allow_ftpd_use_cifs',`
++tunable_policy(`ftpd_use_cifs',`
+ fs_read_cifs_files(ftpd_t)
+ fs_read_cifs_symlinks(ftpd_t)
+ ')
- attribute git_daemon;
-+attribute git_system_content;
-+attribute git_content;
+-tunable_policy(`allow_ftpd_use_cifs && allow_ftpd_anon_write',`
++tunable_policy(`ftpd_use_cifs && ftpd_anon_write',`
+ fs_manage_cifs_files(ftpd_t)
+ ')
+
+-tunable_policy(`allow_ftpd_use_nfs',`
++tunable_policy(`ftpd_use_nfs',`
+ fs_read_nfs_files(ftpd_t)
+ fs_read_nfs_symlinks(ftpd_t)
+ ')
+
+-tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
++tunable_policy(`ftpd_use_nfs && ftpd_anon_write',`
+ fs_manage_nfs_files(ftpd_t)
+ ')
+
+-tunable_policy(`allow_ftpd_full_access',`
++tunable_policy(`ftpd_full_access',`
+ allow ftpd_t self:capability { dac_override dac_read_search };
+- files_manage_non_auth_files(ftpd_t)
++ files_manage_non_security_files(ftpd_t)
++')
++
++tunable_policy(`ftpd_use_passive_mode',`
++ corenet_tcp_bind_all_unreserved_ports(ftpd_t)
++')
+
-+role git_shell_r;
++tunable_policy(`ftpd_connect_all_unreserved',`
++ corenet_tcp_connect_all_unreserved_ports(ftpd_t)
+ ')
+
+ tunable_policy(`ftpd_use_passive_mode',`
+@@ -299,9 +315,9 @@ tunable_policy(`ftpd_connect_db',`
+ corenet_sendrecv_mssql_client_packets(ftpd_t)
+ corenet_tcp_connect_mssql_port(ftpd_t)
+ corenet_tcp_sendrecv_mssql_port(ftpd_t)
+- corenet_sendrecv_oracledb_client_packets(ftpd_t)
+- corenet_tcp_connect_oracledb_port(ftpd_t)
+- corenet_tcp_sendrecv_oracledb_port(ftpd_t)
++ corenet_sendrecv_oracle_client_packets(ftpd_t)
++ corenet_tcp_connect_oracle_port(ftpd_t)
++ corenet_tcp_sendrecv_oracle_port(ftpd_t)
+ ')
+
+ tunable_policy(`ftp_home_dir',`
+@@ -360,7 +376,7 @@ optional_policy(`
+ selinux_validate_context(ftpd_t)
- apache_content_template(git)
+ kerberos_keytab_template(ftpd, ftpd_t)
+- kerberos_tmp_filetrans_host_rcache(ftpd_t, file, "host_0")
++ kerberos_tmp_filetrans_host_rcache(ftpd_t, "host_0")
+ ')
-@@ -79,13 +84,16 @@ type gitd_exec_t;
- inetd_service_domain(git_system_t, gitd_exec_t)
+ optional_policy(`
+@@ -410,6 +426,7 @@ optional_policy(`
+ #
- type git_session_t, git_daemon;
--userdom_user_application_domain(git_session_t, gitd_exec_t)
-+application_domain(git_session_t, gitd_exec_t)
-+ubac_constrained(git_session_t)
+ stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
++files_search_pids(ftpdctl_t)
--type git_sys_content_t;
-+type git_sys_content_t, git_content, git_system_content;
- files_type(git_sys_content_t)
-+typealias git_sys_content_t alias { git_data_t git_system_content_t };
+ allow ftpdctl_t ftpdctl_tmp_t:sock_file manage_sock_file_perms;
+ files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file)
+@@ -417,7 +434,7 @@ files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file)
+ files_read_etc_files(ftpdctl_t)
+ files_search_pids(ftpdctl_t)
--type git_user_content_t;
-+type git_user_content_t, git_content;
- userdom_user_home_content(git_user_content_t)
-+typealias git_user_content_t alias git_session_content_t;
+-userdom_use_user_terminals(ftpdctl_t)
++userdom_use_inherited_user_terminals(ftpdctl_t)
########################################
#
-@@ -98,8 +106,9 @@ list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t)
+@@ -441,6 +458,19 @@ files_read_etc_files(sftpd_t)
+
+ userdom_read_user_home_content_files(sftpd_t)
+ userdom_read_user_home_content_symlinks(sftpd_t)
++userdom_dontaudit_list_admin_dir(sftpd_t)
++
++tunable_policy(`sftpd_full_access',`
++ allow sftpd_t self:capability { dac_override dac_read_search };
++ fs_read_noxattr_fs_files(sftpd_t)
++ files_manage_non_security_files(sftpd_t)
++')
++
++optional_policy(`
++ tunable_policy(`sftpd_write_ssh_home',`
++ ssh_manage_home_files(sftpd_t)
++ ')
++')
+
+ tunable_policy(`sftpd_enable_homedirs',`
+ allow sftpd_t self:capability { dac_override dac_read_search };
+@@ -475,21 +505,11 @@ tunable_policy(`sftpd_anon_write',`
+ tunable_policy(`sftpd_full_access',`
+ allow sftpd_t self:capability { dac_override dac_read_search };
+ fs_read_noxattr_fs_files(sftpd_t)
+- files_manage_non_auth_files(sftpd_t)
++ files_manage_non_security_files(sftpd_t)
+ ')
+
++userdom_home_reader(sftpd_t)
++
+ tunable_policy(`sftpd_write_ssh_home',`
+ ssh_manage_home_files(sftpd_t)
+ ')
+-
+-tunable_policy(`use_samba_home_dirs',`
+- fs_list_cifs(sftpd_t)
+- fs_read_cifs_files(sftpd_t)
+- fs_read_cifs_symlinks(sftpd_t)
+-')
+-
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_list_nfs(sftpd_t)
+- fs_read_nfs_files(sftpd_t)
+- fs_read_nfs_symlinks(ftpd_t)
+-')
+diff --git a/games.te b/games.te
+index 572fb12..9c05eee 100644
+--- a/games.te
++++ b/games.te
+@@ -76,8 +76,6 @@ init_use_script_ptys(games_srv_t)
+
+ logging_send_syslog_msg(games_srv_t)
+
+-miscfiles_read_localization(games_srv_t)
+-
+ userdom_dontaudit_use_unpriv_user_fds(games_srv_t)
+
+ userdom_dontaudit_search_user_home_dirs(games_srv_t)
+@@ -120,7 +118,6 @@ kernel_read_system_state(games_t)
+
+ corecmd_exec_bin(games_t)
+
+-corenet_all_recvfrom_unlabeled(games_t)
+ corenet_all_recvfrom_netlabel(games_t)
+ corenet_tcp_sendrecv_generic_if(games_t)
+ corenet_tcp_sendrecv_generic_node(games_t)
+@@ -151,7 +148,6 @@ init_dontaudit_rw_utmp(games_t)
+ logging_dontaudit_search_logs(games_t)
+
+ miscfiles_read_man_pages(games_t)
+-miscfiles_read_localization(games_t)
+
+ sysnet_dns_name_resolve(games_t)
+
+@@ -161,7 +157,7 @@ userdom_manage_user_tmp_symlinks(games_t)
+ userdom_manage_user_tmp_sockets(games_t)
+ userdom_dontaudit_read_user_home_content_files(games_t)
+
+-tunable_policy(`allow_execmem',`
++tunable_policy(`deny_execmem',`', `
+ allow games_t self:process execmem;
+ ')
+
+diff --git a/gatekeeper.te b/gatekeeper.te
+index fc3b036..10a1bbe 100644
+--- a/gatekeeper.te
++++ b/gatekeeper.te
+@@ -57,7 +57,6 @@ kernel_read_kernel_sysctls(gatekeeper_t)
+
+ corecmd_list_bin(gatekeeper_t)
+
+-corenet_all_recvfrom_unlabeled(gatekeeper_t)
+ corenet_all_recvfrom_netlabel(gatekeeper_t)
+ corenet_tcp_sendrecv_generic_if(gatekeeper_t)
+ corenet_udp_sendrecv_generic_if(gatekeeper_t)
+@@ -77,15 +76,11 @@ dev_read_urand(gatekeeper_t)
+
+ domain_use_interactive_fds(gatekeeper_t)
+
+-files_read_etc_files(gatekeeper_t)
+-
+ fs_getattr_all_fs(gatekeeper_t)
+ fs_search_auto_mountpoints(gatekeeper_t)
+
+ logging_send_syslog_msg(gatekeeper_t)
+
+-miscfiles_read_localization(gatekeeper_t)
+-
+ sysnet_read_config(gatekeeper_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(gatekeeper_t)
+diff --git a/gift.te b/gift.te
+index 395238e..af76abb 100644
+--- a/gift.te
++++ b/gift.te
+@@ -67,17 +67,7 @@ auth_use_nsswitch(gift_t)
+
+ userdom_dontaudit_read_user_home_content_files(gift_t)
+
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_dirs(gift_t)
+- fs_manage_nfs_files(gift_t)
+- fs_manage_nfs_symlinks(gift_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(gift_t)
+- fs_manage_cifs_files(gift_t)
+- fs_manage_cifs_symlinks(gift_t)
+-')
++userdom_home_manager(gift_t)
+
+ optional_policy(`
+ xserver_user_x_domain_template(gift, gift_t, gift_tmpfs_t)
+@@ -119,22 +109,8 @@ corenet_sendrecv_all_client_packets(giftd_t)
+ corenet_tcp_connect_all_ports(giftd_t)
+
+ files_read_etc_runtime_files(giftd_t)
+-files_read_usr_files(giftd_t)
+-
+-miscfiles_read_localization(giftd_t)
+
+ sysnet_dns_name_resolve(giftd_t)
+
+-userdom_use_user_terminals(giftd_t)
+-
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_dirs(giftd_t)
+- fs_manage_nfs_files(giftd_t)
+- fs_manage_nfs_symlinks(giftd_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(giftd_t)
+- fs_manage_cifs_files(giftd_t)
+- fs_manage_cifs_symlinks(giftd_t)
+-')
++userdom_use_inherited_user_terminals(giftd_t)
++userdom_home_manager(gitd_t)
+diff --git a/git.if b/git.if
+index 1e29af1..9f159d1 100644
+--- a/git.if
++++ b/git.if
+@@ -79,3 +79,21 @@ interface(`git_read_generic_sys_content_files',`
+ fs_read_nfs_files($1)
+ ')
+ ')
++
++#######################################
++## <summary>
++## Create Git user content with a
++## named file transition.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`git_filetrans_user_content',`
++ gen_require(`
++ type git_user_content_t;
++ ')
++ userdom_user_home_dir_filetrans($1, git_user_content_t, dir, "public_git"
++')
+diff --git a/git.te b/git.te
+index 93b0301..8561970 100644
+--- a/git.te
++++ b/git.te
+@@ -49,14 +49,6 @@ gen_tunable(git_session_users, false)
+
+ ## <desc>
+ ## <p>
+-## Determine whether Git session daemons
+-## can send syslog messages.
+-## </p>
+-## </desc>
+-gen_tunable(git_session_send_syslog_msg, false)
+-
+-## <desc>
+-## <p>
+ ## Determine whether Git system daemon
+ ## can search home directories.
+ ## </p>
+@@ -109,6 +101,8 @@ list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t)
read_files_pattern(git_session_t, git_user_content_t, git_user_content_t)
userdom_search_user_home_dirs(git_session_t)
+kernel_read_system_state(git_session_t)
+
corenet_all_recvfrom_netlabel(git_session_t)
--corenet_all_recvfrom_unlabeled(git_session_t)
+ corenet_all_recvfrom_unlabeled(git_session_t)
corenet_tcp_bind_generic_node(git_session_t)
- corenet_tcp_sendrecv_generic_if(git_session_t)
- corenet_tcp_sendrecv_generic_node(git_session_t)
-@@ -112,10 +121,13 @@ auth_use_nsswitch(git_session_t)
-
- userdom_use_user_terminals(git_session_t)
+@@ -129,9 +123,7 @@ tunable_policy(`git_session_bind_all_unreserved_ports',`
+ corenet_tcp_sendrecv_all_ports(git_session_t)
+ ')
-tunable_policy(`git_session_send_syslog_msg',`
- logging_send_syslog_msg(git_session_t)
-+tunable_policy(`git_session_bind_all_unreserved_ports',`
-+ corenet_tcp_bind_all_unreserved_ports(git_session_t)
-+ corenet_sendrecv_generic_server_packets(git_session_t)
- ')
-
+-')
+logging_send_syslog_msg(git_session_t)
-+
- tunable_policy(`use_nfs_home_dirs',`
- fs_read_nfs_files(git_session_t)
- ',`
-@@ -133,10 +145,12 @@ tunable_policy(`use_samba_home_dirs',`
- # Git system policy
- #
--list_dirs_pattern(git_system_t, git_sys_content_t, git_sys_content_t)
--read_files_pattern(git_system_t, git_sys_content_t, git_sys_content_t)
-+list_dirs_pattern(git_system_t, git_content, git_content)
-+read_files_pattern(git_system_t, git_content, git_content)
- files_search_var_lib(git_system_t)
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_getattr_nfs(git_session_t)
+@@ -157,6 +149,8 @@ tunable_policy(`use_samba_home_dirs',`
+ list_dirs_pattern(git_system_t, git_sys_content_t, git_sys_content_t)
+ read_files_pattern(git_system_t, git_sys_content_t, git_sys_content_t)
+kernel_read_system_state(git_system_t)
+
- auth_use_nsswitch(git_system_t)
-
- logging_send_syslog_msg(git_system_t)
-@@ -174,8 +188,8 @@ tunable_policy(`git_system_use_nfs',`
- # Git CGI policy
- #
-
--list_dirs_pattern(httpd_git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })
--read_files_pattern(httpd_git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })
-+list_dirs_pattern(httpd_git_script_t, git_content, git_content)
-+read_files_pattern(httpd_git_script_t, git_content, git_content)
- files_search_var_lib(httpd_git_script_t)
+ files_search_var_lib(git_system_t)
- files_dontaudit_getattr_tmp_dirs(httpd_git_script_t)
-@@ -217,12 +231,16 @@ tunable_policy(`git_cgi_use_nfs',`
+ auth_use_nsswitch(git_system_t)
+@@ -255,12 +249,9 @@ tunable_policy(`git_cgi_use_nfs',`
allow git_daemon self:fifo_file rw_fifo_file_perms;
-kernel_read_system_state(git_daemon)
--
- corecmd_exec_bin(git_daemon)
++#kernel_read_system_state(git_daemon)
- files_read_usr_files(git_daemon)
+ corecmd_exec_bin(git_daemon)
+-files_read_usr_files(git_daemon)
+-
fs_search_auto_mountpoints(git_daemon)
-miscfiles_read_localization(git_daemon)
-+
-+########################################
-+#
-+# Git-shell private policy.
-+#
-+git_role_template(git_shell)
-+gen_user(git_shell_u, user, git_shell_r, s0, s0)
-diff --git a/gitosis.fc b/gitosis.fc
-index 24f6441..4de3a6b 100644
---- a/gitosis.fc
-+++ b/gitosis.fc
-@@ -6,4 +6,4 @@ ifdef(`distro_debian',`
- /usr/bin/gl-auth-command -- gen_context(system_u:object_r:gitosis_exec_t,s0)
-
- /var/lib/gitosis(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0)
--/var/lib/gitolite(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0)
-+/var/lib/gitolite(3)?(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0)
diff --git a/gitosis.te b/gitosis.te
-index 0eb75f4..3607a5b 100644
+index 3194b76..d3acb1a 100644
--- a/gitosis.te
+++ b/gitosis.te
-@@ -5,6 +5,13 @@ policy_module(gitosis, 1.3.0)
- # Declarations
- #
+@@ -52,12 +52,8 @@ corecmd_exec_shell(gitosis_t)
-+## <desc>
-+## <p>
-+## Allow gitisis daemon to send mail
-+## </p>
-+## </desc>
-+gen_tunable(gitosis_can_sendmail, false)
-+
- type gitosis_t;
- type gitosis_exec_t;
- application_domain(gitosis_t, gitosis_exec_t)
-@@ -36,6 +43,11 @@ files_read_etc_files(gitosis_t)
- files_read_usr_files(gitosis_t)
+ dev_read_urand(gitosis_t)
+
+-files_read_etc_files(gitosis_t)
+-files_read_usr_files(gitosis_t)
files_search_var_lib(gitosis_t)
-miscfiles_read_localization(gitosis_t)
-
+-
sysnet_read_config(gitosis_t)
-+
-+corenet_tcp_bind_all_ports(gitosis_t)
-+
-+tunable_policy(`gitosis_can_sendmail',`
-+ mta_send_mail(gitosis_t)
-+')
+
+ tunable_policy(`gitosis_can_sendmail',`
diff --git a/glance.if b/glance.if
-index 7ff9d6d..b1c97f2 100644
+index 9eacb2c..229782f 100644
--- a/glance.if
+++ b/glance.if
-@@ -1,5 +1,27 @@
- ## <summary>policy for glance</summary>
+@@ -1,5 +1,30 @@
+ ## <summary>OpenStack image registry and delivery service.</summary>
+#######################################
+## <summary>
@@ -23099,13 +22134,16 @@ index 7ff9d6d..b1c97f2 100644
+ type $1_exec_t;
+
+ kernel_read_system_state($1_t)
++
++ corenet_all_recvfrom_unlabeled($1_t)
++ corenet_all_recvfrom_netlabel($1_t)
+')
+
########################################
## <summary>
- ## Transition to glance registry.
-@@ -24,9 +46,9 @@ interface(`glance_domtrans_registry',`
- ## Transition to glance api.
+ ## Execute a domain transition to
+@@ -26,9 +51,9 @@ interface(`glance_domtrans_registry',`
+ ## run glance api.
## </summary>
## <param name="domain">
-## <summary>
@@ -23116,22 +22154,27 @@ index 7ff9d6d..b1c97f2 100644
## </param>
#
interface(`glance_domtrans_api',`
-@@ -238,6 +260,10 @@ interface(`glance_admin',`
+@@ -242,8 +267,13 @@ interface(`glance_admin',`
+ type glance_registry_initrc_exec_t, glance_api_initrc_exec_t;
+ ')
- allow $1 glance_registry_t:process signal_perms;
- ps_process_pattern($1, glance_registry_t)
+- allow $1 { glance_api_t glance_registry_t }:process signal_perms;
+- ps_process_pattern($1, { glance_api_t glance_registry_t })
++ allow $1 glance_registry_t:process signal_perms;
++ ps_process_pattern($1, glance_registry_t)
++
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 glance_registry_t:process ptrace;
+ allow $1 glance_api_t:process ptrace;
+ ')
- allow $1 glance_api_t:process signal_perms;
- ps_process_pattern($1, glance_api_t)
+ init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t })
+ domain_system_change_exemption($1)
diff --git a/glance.te b/glance.te
-index 4afb81f..efff577 100644
+index e0a4f46..8892bda 100644
--- a/glance.te
+++ b/glance.te
-@@ -7,8 +7,7 @@ policy_module(glance, 1.0.0)
+@@ -7,8 +7,7 @@ policy_module(glance, 1.0.2)
attribute glance_domain;
@@ -23154,94 +22197,99 @@ index 4afb81f..efff577 100644
init_daemon_domain(glance_api_t, glance_api_exec_t)
type glance_api_initrc_exec_t;
-@@ -54,16 +55,18 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t)
+@@ -56,10 +57,6 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t)
manage_dirs_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
manage_files_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
-kernel_read_system_state(glance_domain)
-
- corecmd_exec_bin(glance_domain)
-+corecmd_exec_shell(glance_domain)
+-corenet_all_recvfrom_unlabeled(glance_domain)
+-corenet_all_recvfrom_netlabel(glance_domain)
+ corenet_tcp_sendrecv_generic_if(glance_domain)
+ corenet_tcp_sendrecv_generic_node(glance_domain)
+ corenet_tcp_sendrecv_all_ports(glance_domain)
+@@ -70,13 +67,10 @@ corecmd_exec_shell(glance_domain)
dev_read_urand(glance_domain)
- files_read_etc_files(glance_domain)
- files_read_usr_files(glance_domain)
+-files_read_etc_files(glance_domain)
+-files_read_usr_files(glance_domain)
++auth_read_passwd(glance_domain)
+
+ libs_exec_ldconfig(glance_domain)
-miscfiles_read_localization(glance_domain)
-+auth_read_passwd(glance_domain)
-+
-+libs_exec_ldconfig(glance_domain)
-+
+-
+ sysnet_dns_name_resolve(glance_domain)
- optional_policy(`
- sysnet_dns_name_resolve(glance_domain)
-@@ -78,8 +81,20 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm
+ ########################################
+@@ -88,8 +82,15 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm
manage_files_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t)
- files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { file dir })
+ files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { dir file })
+manage_dirs_pattern(glance_registry_t, glance_registry_tmpfs_t, glance_registry_tmpfs_t)
+manage_files_pattern(glance_registry_t, glance_registry_tmpfs_t, glance_registry_tmpfs_t)
+fs_tmpfs_filetrans(glance_registry_t, glance_registry_tmpfs_t,{ dir file })
+
- corenet_tcp_bind_generic_node(glance_registry_t)
++corenet_tcp_bind_generic_node(glance_registry_t)
+ corenet_sendrecv_glance_registry_server_packets(glance_registry_t)
corenet_tcp_bind_glance_registry_port(glance_registry_t)
+corenet_tcp_connect_mysqld_port(glance_registry_t)
+corenet_tcp_connect_all_ephemeral_ports(glance_registry_t)
-+
-+logging_send_syslog_msg(glance_registry_t)
-+
-+optional_policy(`
-+ mysql_stream_connect(glance_registry_t)
-+')
- ########################################
- #
-@@ -94,11 +109,15 @@ can_exec(glance_api_t, glance_tmp_t)
- corecmd_exec_shell(glance_api_t)
+ logging_send_syslog_msg(glance_registry_t)
+
+@@ -108,8 +109,12 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
+ files_tmp_filetrans(glance_api_t, glance_tmp_t, { dir file })
+ can_exec(glance_api_t, glance_tmp_t)
- corenet_tcp_bind_generic_node(glance_api_t)
+-corenet_sendrecv_armtechdaemon_server_packets(glance_api_t)
+-corenet_tcp_bind_armtechdaemon_port(glance_api_t)
++corenet_tcp_bind_generic_node(glance_api_t)
++
+corenet_tcp_bind_glance_port(glance_api_t)
- corenet_tcp_bind_hplip_port(glance_api_t)
- corenet_tcp_connect_glance_registry_port(glance_api_t)
++corenet_tcp_connect_glance_registry_port(glance_api_t)
++
+corenet_tcp_connect_all_ephemeral_ports(glance_api_t)
- dev_read_urand(glance_api_t)
+ corenet_sendrecv_hplip_server_packets(glance_api_t)
+ corenet_tcp_bind_hplip_port(glance_api_t)
+@@ -118,3 +123,7 @@ corenet_sendrecv_glance_registry_client_packets(glance_api_t)
+ corenet_tcp_connect_glance_registry_port(glance_api_t)
fs_getattr_xattr_fs(glance_api_t)
-
--libs_exec_ldconfig(glance_api_t)
++
+optional_policy(`
+ mysql_stream_connect(glance_api_t)
+')
diff --git a/glusterd.fc b/glusterd.fc
new file mode 100644
-index 0000000..6418e39
+index 0000000..4bd6ade
--- /dev/null
+++ b/glusterd.fc
@@ -0,0 +1,16 @@
++/etc/rc\.d/init\.d/gluster.* -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
+
-+/etc/rc\.d/init\.d/glusterd -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
++/etc/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0)
++/etc/glusterd(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0)
+
-+/etc/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_etc_t,s0)
-+/etc/glusterd(/.*)? gen_context(system_u:object_r:glusterd_etc_t,s0)
-+
-+/usr/sbin/glusterd -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
-+/usr/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0)
++/usr/sbin/glusterd -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
++/usr/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0)
+
+/opt/glusterfs/[^/]+/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0)
+
-+/var/log/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_log_t,s0)
++/var/lib/gluster.* gen_context(system_u:object_r:glusterd_var_lib_t,s0)
+
-+/var/run/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0)
-+/var/run/glusterd\.pid -- gen_context(system_u:object_r:glusterd_var_run_t,s0)
++/var/log/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_log_t,s0)
+
++/var/run/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0)
++/var/run/glusterd\.pid -- gen_context(system_u:object_r:glusterd_var_run_t,s0)
diff --git a/glusterd.if b/glusterd.if
new file mode 100644
-index 0000000..e15bbb0
+index 0000000..1ed97fe
--- /dev/null
+++ b/glusterd.if
-@@ -0,0 +1,146 @@
+@@ -0,0 +1,150 @@
+
+## <summary>policy for glusterd</summary>
+
@@ -23368,12 +22416,16 @@ index 0000000..e15bbb0
+ type glusterd_initrc_exec_t;
+ type glusterd_log_t;
+ type glusterd_tmp_t;
-+ type glusterd_etc_t;
++ type glusterd_conf_t;
+ ')
+
-+ allow $1 glusterd_t:process { ptrace signal_perms };
++ allow $1 glusterd_t:process { signal_perms };
+ ps_process_pattern($1, glusterd_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 glusterd_t:process ptrace;
++ ')
++
+ glusterd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 glusterd_initrc_exec_t system_r;
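Review bot: `allow $1 glusterd_t:process { signal_perms };` wraps a single permission macro in braces; the surrounding admin interfaces in this commit (ftp_admin, glance_admin) write it as `allow $1 glusterd_t:process signal_perms;`, and the same form should be used here. The glusterd_admin interface starts outside this hunk. Gating ptrace behind deny_ptrace matches the pattern used in the other admin interfaces, so only the style point remains.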
@@ -23384,17 +22436,17 @@ index 0000000..e15bbb0
+
+ admin_pattern($1, glusterd_tmp_t)
+
-+ admin_pattern($1, glusterd_etc_t)
++ admin_pattern($1, glusterd_conf_t)
+
+')
+
diff --git a/glusterd.te b/glusterd.te
new file mode 100644
-index 0000000..d35f2b0
+index 0000000..8f595f8
--- /dev/null
+++ b/glusterd.te
-@@ -0,0 +1,101 @@
-+policy_module(glusterd, 1.0.0)
+@@ -0,0 +1,102 @@
++policy_module(glusterfs, 1.0.1)
+
+########################################
+#
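Review bot: `policy_module(glusterfs, 1.0.1)` now appears in a file named glusterd.te, so the module name no longer matches the file name; the tail of this chunk also deletes a glusterfs.fc, which suggests the upstream file set was renamed to glusterfs.* and only partly carried over. If the build or `semodule -l` keys on the module name, the resulting package will be listed as glusterfs while the source files are glusterd.*; either rename the files or use `policy_module(glusterd, 1.0.1)` consistently.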
@@ -23405,15 +22457,15 @@ index 0000000..d35f2b0
+type glusterd_exec_t;
+init_daemon_domain(glusterd_t, glusterd_exec_t)
+
-+type glusterd_etc_t;
-+files_type(glusterd_etc_t)
-+
-+type glusterd_tmp_t;
-+files_tmp_file(glusterd_tmp_t)
++type glusterd_conf_t;
++files_type(glusterd_conf_t)
+
+type glusterd_initrc_exec_t;
+init_script_file(glusterd_initrc_exec_t)
+
++type glusterd_tmp_t;
++files_tmp_file(glusterd_tmp_t)
++
+type glusterd_log_t;
+logging_log_file(glusterd_log_t)
+
@@ -23423,32 +22475,31 @@ index 0000000..d35f2b0
+type glusterd_var_lib_t;
+files_type(glusterd_var_lib_t);
+
-+
+########################################
+#
-+# glusterd local policy
++# Local policy
+#
+
-+allow glusterd_t self:capability { net_bind_service sys_admin dac_override chown dac_read_search fowner };
++allow glusterd_t self:capability { sys_admin sys_resource dac_override chown dac_read_search fowner };
+allow glusterd_t self:process { setrlimit signal };
-+allow glusterd_t self:capability sys_resource;
-+
+allow glusterd_t self:fifo_file rw_fifo_file_perms;
-+allow glusterd_t self:netlink_route_socket r_netlink_socket_perms;
-+allow glusterd_t self:tcp_socket create_stream_socket_perms;
-+allow glusterd_t self:udp_socket create_socket_perms;
-+allow glusterd_t self:unix_stream_socket create_stream_socket_perms;
-+allow glusterd_t self:unix_dgram_socket create_socket_perms;
++allow glusterd_t self:tcp_socket { accept listen };
++allow glusterd_t self:unix_stream_socket { accept listen };
++
++manage_dirs_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
++manage_files_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
++files_etc_filetrans(glusterd_t, glusterd_conf_t, { dir file }, "glusterfs")
+
+manage_dirs_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
+manage_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
+manage_sock_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
-+files_tmp_filetrans(glusterd_t, glusterd_tmp_t, { dir file sock_file })
-+userdom_user_tmp_filetrans(glusterd_t, glusterd_tmp_t, { dir file sock_file })
++files_tmp_filetrans(glusterd_t, glusterd_tmp_t, { dir file sock_file })
+
+manage_dirs_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
-+manage_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
-+logging_log_filetrans(glusterd_t, glusterd_log_t, { dir file })
++append_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
++create_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
++setattr_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
++logging_log_filetrans(glusterd_t, glusterd_log_t, dir)
+
+manage_dirs_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
+manage_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
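Review bot: The rewritten capability line drops net_bind_service, `allow glusterd_t self:capability { sys_admin sys_resource dac_override chown dac_read_search fowner };`, yet the patch still grants `corenet_tcp_bind_all_reserved_ports(glusterd_t)` further down; binding a port below 1024 needs CAP_NET_BIND_SERVICE in addition to the port-type rule, so if the daemon really uses reserved ports that bind will now fail with a capability denial rather than a port denial. Either restore net_bind_service or remove the reserved-port bind if it is unused. The reduced `allow glusterd_t self:tcp_socket { accept listen };` presumably relies on create/bind/connect coming from a domain-wide rule elsewhere in the policy; that is not visible here and should be confirmed, since otherwise no listening socket can be created at all.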
@@ -23456,11 +22507,7 @@ index 0000000..d35f2b0
+
+manage_dirs_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
+manage_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
-+files_var_lib_filetrans(glusterd_t, glusterd_var_lib_t, { dir file })
-+
-+manage_dirs_pattern(glusterd_t, glusterd_etc_t, glusterd_etc_t)
-+manage_files_pattern(glusterd_t, glusterd_etc_t, glusterd_etc_t)
-+files_etc_filetrans(glusterd_t, glusterd_etc_t, { dir file }, "glusterfs")
++files_var_lib_filetrans(glusterd_t, glusterd_var_lib_t, dir)
+
+can_exec(glusterd_t, glusterd_exec_t)
+
@@ -23469,46 +22516,264 @@ index 0000000..d35f2b0
+corecmd_exec_bin(glusterd_t)
+corecmd_exec_shell(glusterd_t)
+
-+domain_use_interactive_fds(glusterd_t)
-+
++corenet_all_recvfrom_unlabeled(glusterd_t)
++corenet_all_recvfrom_netlabel(glusterd_t)
++corenet_tcp_sendrecv_generic_if(glusterd_t)
++corenet_udp_sendrecv_generic_if(glusterd_t)
++corenet_tcp_sendrecv_generic_node(glusterd_t)
++corenet_udp_sendrecv_generic_node(glusterd_t)
++corenet_tcp_sendrecv_all_ports(glusterd_t)
++corenet_udp_sendrecv_all_ports(glusterd_t)
+corenet_tcp_bind_generic_node(glusterd_t)
-+corenet_tcp_bind_generic_port(glusterd_t)
++corenet_udp_bind_generic_node(glusterd_t)
++
++# Too coarse?
++corenet_sendrecv_all_server_packets(glusterd_t)
+corenet_tcp_bind_all_reserved_ports(glusterd_t)
+corenet_udp_bind_all_rpc_ports(glusterd_t)
-+corenet_tcp_connect_unreserved_ports(glusterd_t)
-+corenet_udp_bind_generic_node(glusterd_t)
+corenet_udp_bind_ipp_port(glusterd_t)
+
++corenet_sendrecv_all_client_packets(glusterd_t)
++corenet_tcp_connect_all_unreserved_ports(glusterd_t)
++
+dev_read_sysfs(glusterd_t)
+dev_read_urand(glusterd_t)
+
-+files_read_usr_files(glusterd_t)
-+files_rw_pid_dirs(glusterd_t)
-+
-+# Why is this needed
-+#files_manage_urandom_seed(glusterd_t)
++domain_use_interactive_fds(glusterd_t)
+
+auth_use_nsswitch(glusterd_t)
+
+logging_send_syslog_msg(glusterd_t)
+
-+sysnet_read_config(glusterd_t)
++miscfiles_read_localization(glusterd_t)
+
+userdom_manage_user_home_dirs(glusterd_t)
+diff --git a/glusterfs.fc b/glusterfs.fc
+deleted file mode 100644
+index 4bd6ade..0000000
+--- a/glusterfs.fc
++++ /dev/null
+@@ -1,16 +0,0 @@
+-/etc/rc\.d/init\.d/gluster.* -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
+-
+-/etc/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0)
+-/etc/glusterd(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0)
+-
+-/usr/sbin/glusterd -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
+-/usr/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0)
+-
+-/opt/glusterfs/[^/]+/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0)
+-
+-/var/lib/gluster.* gen_context(system_u:object_r:glusterd_var_lib_t,s0)
+-
+-/var/log/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_log_t,s0)
+-
+-/var/run/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0)
+-/var/run/glusterd\.pid -- gen_context(system_u:object_r:glusterd_var_run_t,s0)
+diff --git a/glusterfs.if b/glusterfs.if
+deleted file mode 100644
+index 05233c8..0000000
+--- a/glusterfs.if
++++ /dev/null
+@@ -1,71 +0,0 @@
+-## <summary>Cluster File System binary, daemon and command line.</summary>
+-
+-########################################
+-## <summary>
+-## All of the rules required to
+-## administrate an glusterfs environment.
+-## </summary>
+-## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+-## </param>
+-## <param name="role">
+-## <summary>
+-## Role allowed access.
+-## </summary>
+-## </param>
+-## <rolecap/>
+-#
+-interface(`glusterd_admin',`
+- refpolicywarn(`$0($*) has been deprecated, use glusterfs_admin() instead.')
+- glusterfs_admin($1, $2)
+-')
+-
+-########################################
+-## <summary>
+-## All of the rules required to
+-## administrate an glusterfs environment.
+-## </summary>
+-## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+-## </param>
+-## <param name="role">
+-## <summary>
+-## Role allowed access.
+-## </summary>
+-## </param>
+-## <rolecap/>
+-#
+-interface(`glusterfs_admin',`
+- gen_require(`
+- type glusterd_t, glusterd_initrc_exec_t, glusterd_log_t;
+- type glusterd_tmp_t, glusterd_conf_t, glusterd_var_lib_t;
+- type glusterd_var_run_t;
+- ')
+-
+- init_labeled_script_domtrans($1, glusterd_initrc_exec_t)
+- domain_system_change_exemption($1)
+- role_transition $2 glusterd_initrc_exec_t system_r;
+- allow $2 system_r;
+-
+- allow $1 glusterd_t:process { ptrace signal_perms };
+- ps_process_pattern($1, glusterd_t)
+-
+- files_search_etc($1)
+- admin_pattern($1, glusterd_conf_t)
+-
+- logging_search_logs($1)
+- admin_pattern($1, glusterd_log_t)
+-
+- files_search_tmp($1)
+- admin_pattern($1, glusterd_tmp_t)
+-
+- files_search_var_lib($1)
+- admin_pattern($1, glusterd_var_lib_t)
+-
+- files_search_pids($1)
+- admin_pattern($1, glusterd_var_run_t)
+-')
+diff --git a/glusterfs.te b/glusterfs.te
+deleted file mode 100644
+index fd02acc..0000000
+--- a/glusterfs.te
++++ /dev/null
+@@ -1,102 +0,0 @@
+-policy_module(glusterfs, 1.0.1)
+-
+-########################################
+-#
+-# Declarations
+-#
+-
+-type glusterd_t;
+-type glusterd_exec_t;
+-init_daemon_domain(glusterd_t, glusterd_exec_t)
+-
+-type glusterd_conf_t;
+-files_type(glusterd_conf_t)
+-
+-type glusterd_initrc_exec_t;
+-init_script_file(glusterd_initrc_exec_t)
+-
+-type glusterd_tmp_t;
+-files_tmp_file(glusterd_tmp_t)
+-
+-type glusterd_log_t;
+-logging_log_file(glusterd_log_t)
+-
+-type glusterd_var_run_t;
+-files_pid_file(glusterd_var_run_t)
+-
+-type glusterd_var_lib_t;
+-files_type(glusterd_var_lib_t);
+-
+-########################################
+-#
+-# Local policy
+-#
+-
+-allow glusterd_t self:capability { sys_admin sys_resource dac_override chown dac_read_search fowner };
+-allow glusterd_t self:process { setrlimit signal };
+-allow glusterd_t self:fifo_file rw_fifo_file_perms;
+-allow glusterd_t self:tcp_socket { accept listen };
+-allow glusterd_t self:unix_stream_socket { accept listen };
+-
+-manage_dirs_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
+-manage_files_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
+-files_etc_filetrans(glusterd_t, glusterd_conf_t, dir)
+-
+-manage_dirs_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
+-manage_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
+-manage_sock_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
+-files_tmp_filetrans(glusterd_t, glusterd_tmp_t, { dir file sock_file })
+-
+-manage_dirs_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
+-append_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
+-create_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
+-setattr_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
+-logging_log_filetrans(glusterd_t, glusterd_log_t, dir)
+-
+-manage_dirs_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
+-manage_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
+-files_pid_filetrans(glusterd_t, glusterd_var_run_t, { dir file })
+-
+-manage_dirs_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
+-manage_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
+-files_var_lib_filetrans(glusterd_t, glusterd_var_lib_t, dir)
+-
+-can_exec(glusterd_t, glusterd_exec_t)
+-
+-kernel_read_system_state(glusterd_t)
+-
+-corecmd_exec_bin(glusterd_t)
+-corecmd_exec_shell(glusterd_t)
+-
+-corenet_all_recvfrom_unlabeled(glusterd_t)
+-corenet_all_recvfrom_netlabel(glusterd_t)
+-corenet_tcp_sendrecv_generic_if(glusterd_t)
+-corenet_udp_sendrecv_generic_if(glusterd_t)
+-corenet_tcp_sendrecv_generic_node(glusterd_t)
+-corenet_udp_sendrecv_generic_node(glusterd_t)
+-corenet_tcp_sendrecv_all_ports(glusterd_t)
+-corenet_udp_sendrecv_all_ports(glusterd_t)
+-corenet_tcp_bind_generic_node(glusterd_t)
+-corenet_udp_bind_generic_node(glusterd_t)
+-
+-# Too coarse?
+-corenet_sendrecv_all_server_packets(glusterd_t)
+-corenet_tcp_bind_all_reserved_ports(glusterd_t)
+-corenet_udp_bind_all_rpc_ports(glusterd_t)
+-corenet_udp_bind_ipp_port(glusterd_t)
+-
+-corenet_sendrecv_all_client_packets(glusterd_t)
+-corenet_tcp_connect_all_unreserved_ports(glusterd_t)
+-
+-dev_read_sysfs(glusterd_t)
+-dev_read_urand(glusterd_t)
+-
+-domain_use_interactive_fds(glusterd_t)
+-
+-files_read_usr_files(glusterd_t)
+-
+-auth_use_nsswitch(glusterd_t)
+-
+-logging_send_syslog_msg(glusterd_t)
+-
+-miscfiles_read_localization(glusterd_t)
diff --git a/gnome.fc b/gnome.fc
-index 00a19e3..52e5a3a 100644
+index e39de43..52e5a3a 100644
--- a/gnome.fc
+++ b/gnome.fc
-@@ -1,9 +1,57 @@
--HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0)
+@@ -1,15 +1,57 @@
+-HOME_DIR/\.gconf(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
+-HOME_DIR/\.gconfd(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
+-HOME_DIR/\.gnome(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
+-HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
+-HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gnome_keyring_home_t,s0)
+-HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0)
+HOME_DIR/\.color/icc(/.*)? gen_context(system_u:object_r:icc_data_home_t,s0)
+HOME_DIR/\.dbus(/.*)? gen_context(system_u:object_r:dbus_home_t,s0)
+HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:config_home_t,s0)
+HOME_DIR/\.kde(/.*)? gen_context(system_u:object_r:config_home_t,s0)
+HOME_DIR/\.nv(/.*)? gen_context(system_u:object_r:cache_home_t,s0)
- HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
- HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
++HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
++HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0)
+HOME_DIR/\.grl-bookmarks gen_context(system_u:object_r:gstreamer_home_t,s0)
+HOME_DIR/\.grl-metadata-store gen_context(system_u:object_r:gstreamer_home_t,s0)
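Review bot: The `# Too coarse?` question added above `corenet_sendrecv_all_server_packets(glusterd_t)` is left unanswered while the same block also grants `corenet_tcp_sendrecv_all_ports`, `corenet_udp_sendrecv_all_ports`, `corenet_tcp_bind_all_reserved_ports` and `corenet_tcp_connect_all_unreserved_ports`, which together leave glusterd_t with almost no port-level confinement. Either scope these rules to the port types gluster actually needs or turn the question into something a maintainer can act on, e.g. `# TODO: replace the all-ports/all-reserved-ports rules with dedicated gluster port types once they are defined`. The same hunk makes the contrib patch delete glusterfs.fc, glusterfs.if and glusterfs.te, which drops the `glusterfs_admin` and `glusterd_admin` interfaces; if no replacement interface file outside this view provides an equivalent, any module still calling them will fail to build. The policy block this hunk patches starts before the hunk.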
@@ -23522,7 +22787,8 @@ index 00a19e3..52e5a3a 100644
+HOME_DIR/\.local/share/keyrings(/.*)? gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0)
+HOME_DIR/\.Xdefaults gen_context(system_u:object_r:config_home_t,s0)
+HOME_DIR/\.xine(/.*)? gen_context(system_u:object_r:config_home_t,s0)
-+
+
+-/etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0)
+/var/run/user/[^/]*/\.orc(/.*)? gen_context(system_u:object_r:gstreamer_home_t,s0)
+/var/run/user/[^/]*/dconf(/.*)? gen_context(system_u:object_r:config_home_t,s0)
+/var/run/user/[^/]*/keyring.* gen_context(system_u:object_r:gkeyringd_tmp_t,s0)
@@ -23542,16 +22808,17 @@ index 00a19e3..52e5a3a 100644
+/root/\.local/share/icc(/.*)? gen_context(system_u:object_r:icc_data_home_t,s0)
+/root/\.Xdefaults gen_context(system_u:object_r:config_home_t,s0)
+/root/\.xine(/.*)? gen_context(system_u:object_r:config_home_t,s0)
-
- /etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0)
++
++/etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0)
/tmp/gconfd-USER/.* -- gen_context(system_u:object_r:gconf_tmp_t,s0)
--/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
+/usr/share/config(/.*)? gen_context(system_u:object_r:config_usr_t,s0)
+
-+/usr/bin/gnome-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0)
-+
+ /usr/bin/gnome-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0)
+
+-/usr/lib/[^/]*/gconf/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
+-/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
+# Don't use because toolchain is broken
+#/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
+
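Review bot: With the `/usr/lib/[^/]*/gconf/gconfd-2` and `/usr/libexec/gconfd-2` entries now removed and the remaining one commented out, nothing in this file labels gconfd-2 as gconfd_exec_t, so the `domtrans_pattern($1, gconfd_exec_t, gconfd_t)` in `gnome_domtrans_gconfd` later in this commit presumably never fires and gconfd-2 runs in the caller's domain. The comment `# Don't use because toolchain is broken` should say what is broken and when the label can come back, e.g. `# gconfd-2 deliberately unlabeled (see <tracker reference>): the gconfd_t transition stays disabled until the file-context toolchain issue is fixed`. If a file-context entry outside this view still applies the label, this note does not apply.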
@@ -23560,30 +22827,38 @@ index 00a19e3..52e5a3a 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/gnome.if b/gnome.if
-index f5afe78..69577c7 100644
+index d03fd43..2d6e6bb 100644
--- a/gnome.if
+++ b/gnome.if
-@@ -1,44 +1,1048 @@
- ## <summary>GNU network object model environment (GNOME)</summary>
+@@ -1,123 +1,155 @@
+-## <summary>GNU network object model environment.</summary>
++## <summary>GNU network object model environment (GNOME)</summary>
--############################################################
+-########################################
+###########################################################
## <summary>
--## Role access for gnome
+-## Role access for gnome. (Deprecated)
+## Role access for gnome
## </summary>
## <param name="role">
+-## <summary>
+-## Role allowed access.
+-## </summary>
+## <summary>
+## Role allowed access
+## </summary>
-+## </param>
-+## <param name="domain">
+ ## </param>
+ ## <param name="domain">
+-## <summary>
+-## User domain for the role.
+-## </summary>
+## <summary>
+## User domain for the role
+## </summary>
-+## </param>
-+#
-+interface(`gnome_role',`
+ ## </param>
+ #
+ interface(`gnome_role',`
+- refpolicywarn(`$0($*) has been deprecated')
+ gen_require(`
+ type gconfd_t, gconfd_exec_t;
+ type gconf_tmp_t;
@@ -23601,28 +22876,61 @@ index f5afe78..69577c7 100644
+ #gnome_stream_connect_gconf_template($1, $2)
+ read_files_pattern($2, gconf_tmp_t, gconf_tmp_t)
+ allow $2 gconfd_t:unix_stream_socket connectto;
-+')
-+
+ ')
+
+-#######################################
+######################################
-+## <summary>
+ ## <summary>
+-## The role template for gnome.
+## The role template for the gnome-keyring-daemon.
-+## </summary>
+ ## </summary>
+-## <param name="role_prefix">
+-## <summary>
+-## The prefix of the user domain (e.g., user
+-## is the prefix for user_t).
+-## </summary>
+## <param name="user_prefix">
+## <summary>
+## The user prefix.
+## </summary>
-+## </param>
-+## <param name="user_role">
+ ## </param>
+ ## <param name="user_role">
+-## <summary>
+-## The role associated with the user domain.
+-## </summary>
+## <summary>
+## The user role.
+## </summary>
-+## </param>
-+## <param name="user_domain">
+ ## </param>
+ ## <param name="user_domain">
+-## <summary>
+-## The type of the user domain.
+-## </summary>
+## <summary>
+## The user domain associated with the role.
+## </summary>
-+## </param>
-+#
+ ## </param>
+ #
+-template(`gnome_role_template',`
+- gen_require(`
+- attribute gnomedomain, gkeyringd_domain;
+- attribute_role gconfd_roles;
+- type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_tmp_t;
+- type gconfd_t, gconfd_exec_t, gconf_tmp_t;
+- type gconf_home_t;
+- ')
+-
+- ########################################
+- #
+- # Gconf declarations
+- #
+-
+- roleattribute $2 gconfd_roles;
+-
+- ########################################
+- #
+- # Gkeyringd declarations
+- #
+interface(`gnome_role_gkeyringd',`
+ gen_require(`
+ attribute gkeyringd_domain;
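Review bot: The body of `gnome_role` duplicates `gnome_stream_connect_gconf` — `read_files_pattern($2, gconf_tmp_t, gconf_tmp_t)` and `allow $2 gconfd_t:unix_stream_socket connectto;` are exactly the rules that interface grants later in this commit — while keeping a dead `#gnome_stream_connect_gconf_template($1, $2)` line above them. Replace those three lines with `gnome_stream_connect_gconf($2)` so the two cannot drift apart, and drop `gconfd_exec_t` from the gen_require if nothing in the role body uses it (the interface starts in the previous hunk and part of its body is not shown). This hunk also replaces upstream's `gnome_role_template` with `gnome_role_gkeyringd`; any upstream caller of the old template outside this view would no longer build.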
@@ -23631,48 +22939,80 @@ index f5afe78..69577c7 100644
+ type gkeyringd_exec_t, gkeyringd_tmp_t, gkeyringd_gnome_home_t;
+ class dbus send_msg;
+ ')
-+
-+ type $1_gkeyringd_t, gnomedomain, gkeyringd_domain;
+
+ type $1_gkeyringd_t, gnomedomain, gkeyringd_domain;
+- userdom_user_application_domain($1_gkeyringd_t, gkeyringd_exec_t)
+ typealias $1_gkeyringd_t alias gkeyringd_$1_t;
+ application_domain($1_gkeyringd_t, gkeyringd_exec_t)
+ ubac_constrained($1_gkeyringd_t)
-+ domain_user_exemption_target($1_gkeyringd_t)
-+
+ domain_user_exemption_target($1_gkeyringd_t)
+
+- role $2 types $1_gkeyringd_t;
+ userdom_home_manager($1_gkeyringd_t)
-+
+
+- ########################################
+- #
+- # Gconf policy
+- #
+ role $2 types $1_gkeyringd_t;
-+
+
+- domtrans_pattern($3, gconfd_exec_t, gconfd_t)
+ domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
-+
+
+- allow $3 { gconf_home_t gconf_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
+- allow $3 { gconf_home_t gconf_tmp_t }:file { manage_file_perms relabel_file_perms };
+- userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconf")
+- userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconfd")
+ allow $3 gkeyringd_gnome_home_t:dir { relabel_dir_perms manage_dir_perms };
+ allow $3 gkeyringd_gnome_home_t:file { relabel_file_perms manage_file_perms };
-+
+
+- allow $3 gconfd_t:process { ptrace signal_perms };
+- ps_process_pattern($3, gconfd_t)
+ allow $3 gkeyringd_tmp_t:dir { relabel_dir_perms manage_dir_perms };
+ allow $3 gkeyringd_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };
-+
+
+- ########################################
+- #
+- # Gkeyringd policy
+- #
+ corecmd_bin_domtrans($1_gkeyringd_t, $1_t)
+ corecmd_shell_domtrans($1_gkeyringd_t, $1_t)
+ allow $1_gkeyringd_t $3:process sigkill;
+ allow $3 $1_gkeyringd_t:fd use;
+ allow $3 $1_gkeyringd_t:fifo_file rw_fifo_file_perms;
-+
+
+- domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
+ kernel_read_system_state($1_gkeyringd_t)
-+
+
+- allow $3 { gnome_home_t gnome_keyring_home_t gnome_keyring_tmp_t }:dir { relabel_dir_perms manage_dir_perms };
+- allow $3 { gnome_home_t gnome_keyring_home_t }:file { relabel_file_perms manage_file_perms };
+ ps_process_pattern($1_gkeyringd_t, $3)
-+
+
+- userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome")
+- userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome2")
+- userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome2_private")
+-
+- gnome_home_filetrans($3, gnome_keyring_home_t, dir, "keyrings")
+ auth_use_nsswitch($1_gkeyringd_t)
-+
+
+- allow $3 gnome_keyring_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };
+ logging_send_syslog_msg($1_gkeyringd_t)
-+
-+ ps_process_pattern($3, $1_gkeyringd_t)
+
+ ps_process_pattern($3, $1_gkeyringd_t)
+- allow $3 $1_gkeyringd_t:process { ptrace signal_perms };
+ allow $3 $1_gkeyringd_t:process signal_perms;
+ dontaudit $3 gkeyringd_exec_t:file entrypoint;
-+
+
+- corecmd_bin_domtrans($1_gkeyringd_t, $3)
+- corecmd_shell_domtrans($1_gkeyringd_t, $3)
+-
+- gnome_stream_connect_gkeyringd($1, $3)
+ stream_connect_pattern($3, gkeyringd_tmp_t, gkeyringd_tmp_t, $1_gkeyringd_t)
-+
+
+ allow $1_gkeyringd_t $3:dbus send_msg;
+ allow $3 $1_gkeyringd_t:dbus send_msg;
-+ optional_policy(`
+ optional_policy(`
+- dbus_spec_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t)
+ dbus_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t)
+ dbus_session_bus_client($1_gkeyringd_t)
+ gnome_home_dir_filetrans($1_gkeyringd_t)
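Review bot: `corecmd_bin_domtrans($1_gkeyringd_t, $1_t)` and `corecmd_shell_domtrans($1_gkeyringd_t, $1_t)` hard-code the user domain as `$1_t`, while every other rule in `gnome_role_gkeyringd` — `allow $1_gkeyringd_t $3:process sigkill;`, `ps_process_pattern($1_gkeyringd_t, $3)`, `domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)` — uses the documented `user_domain` parameter `$3`, as upstream's removed template did at the same spot. Change both to `corecmd_bin_domtrans($1_gkeyringd_t, $3)` and `corecmd_shell_domtrans($1_gkeyringd_t, $3)`; otherwise a caller whose domain is not literally `$1_t` presumably gets a transition to the wrong domain or a build error on an undeclared type. The `optional_policy(` block and the interface continue past the end of the hunk.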
@@ -23685,7 +23025,8 @@ index f5afe78..69577c7 100644
+ ')
+ ')
+')
-+
+
+- gnome_dbus_chat_gkeyringd($1, $3)
+#######################################
+## <summary>
+## Allow domain to run gkeyring in the $1_gkeyringd_t domain.
@@ -23710,136 +23051,206 @@ index f5afe78..69577c7 100644
+ gen_require(`
+ type $1_gkeyringd_t;
+ type gkeyringd_exec_t;
-+ ')
+ ')
+ role $2 types $1_gkeyringd_t;
+ domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Execute gconf in the caller domain.
+## gconf connection template.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -125,18 +157,18 @@ template(`gnome_role_template',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`gnome_exec_gconf',`
+interface(`gnome_stream_connect_gconf',`
-+ gen_require(`
+ gen_require(`
+- type gconfd_exec_t;
+ type gconfd_t, gconf_tmp_t;
-+ ')
-+
+ ')
+
+- corecmd_search_bin($1)
+- can_exec($1, gconfd_exec_t)
+ read_files_pattern($1, gconf_tmp_t, gconf_tmp_t)
+ allow $1 gconfd_t:unix_stream_socket connectto;
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Read gconf configuration content.
+## Connect to gkeyringd with a unix stream socket.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -144,119 +176,114 @@ interface(`gnome_exec_gconf',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`gnome_read_gconf_config',`
+interface(`gnome_stream_connect_gkeyringd',`
-+ gen_require(`
+ gen_require(`
+- type gconf_etc_t;
+ attribute gkeyringd_domain;
+ type gkeyringd_tmp_t;
+ type gconf_tmp_t;
+ type cache_home_t;
-+ ')
-+
+ ')
+
+- files_search_etc($1)
+- allow $1 gconf_etc_t:dir list_dir_perms;
+- allow $1 gconf_etc_t:file read_file_perms;
+- allow $1 gconf_etc_t:lnk_file read_lnk_file_perms;
+ allow $1 gconf_tmp_t:dir search_dir_perms;
+ userdom_search_user_tmp_dirs($1)
+ stream_connect_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t, gkeyringd_domain)
+ stream_connect_pattern($1, cache_home_t, cache_home_t, gkeyringd_domain)
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Do not audit attempts to read
+-## inherited gconf configuration files.
+## Run gconfd in gconfd domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain to not audit.
+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+ #
+-interface(`gnome_dontaudit_read_inherited_gconf_config_files',`
+interface(`gnome_domtrans_gconfd',`
-+ gen_require(`
+ gen_require(`
+- type gconf_etc_t;
+ type gconfd_t, gconfd_exec_t;
-+ ')
-+
+ ')
+
+- dontaudit $1 gconf_etc_t:file read;
+ domtrans_pattern($1, gconfd_exec_t, gconfd_t)
-+')
-+
+ ')
+
+-#######################################
+########################################
-+## <summary>
+ ## <summary>
+-## Create, read, write, and delete
+-## gconf configuration content.
+## Dontaudit read gnome homedir content (.config)
-+## </summary>
-+## <param name="domain">
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+ #
+-interface(`gnome_manage_gconf_config',`
+interface(`gnome_dontaudit_read_config',`
-+ gen_require(`
+ gen_require(`
+- type gconf_etc_t;
+ attribute gnome_home_type;
-+ ')
-+
+ ')
+
+- files_search_etc($1)
+- allow $1 gconf_etc_t:dir manage_dir_perms;
+- allow $1 gconf_etc_t:file manage_file_perms;
+- allow $1 gconf_etc_t:lnk_file manage_lnk_file_perms;
+ dontaudit $1 gnome_home_type:dir read_inherited_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Connect to gconf using a unix
+-## domain stream socket.
+## Dontaudit search gnome homedir content (.config)
-+## </summary>
-+## <param name="domain">
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+ #
+-interface(`gnome_stream_connect_gconf',`
+interface(`gnome_dontaudit_search_config',`
-+ gen_require(`
+ gen_require(`
+- type gconfd_t, gconf_tmp_t;
+ attribute gnome_home_type;
-+ ')
-+
+ ')
+
+- files_search_tmp($1)
+- stream_connect_pattern($1, gconf_tmp_t, gconf_tmp_t, gconfd_t)
+ dontaudit $1 gnome_home_type:dir search_dir_perms;
-+')
+ ')
+
+ ########################################
+ ## <summary>
+-## Run gconfd in gconfd domain.
++## Dontaudit write gnome homedir content (.config)
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed to transition.
++## Domain to not audit.
+ ## </summary>
+ ## </param>
+ #
+-interface(`gnome_domtrans_gconfd',`
++interface(`gnome_dontaudit_append_config_files',`
+ gen_require(`
+- type gconfd_t, gconfd_exec_t;
++ attribute gnome_home_type;
+ ')
+
+- corecmd_search_bin($1)
+- domtrans_pattern($1, gconfd_exec_t, gconfd_t)
++ dontaudit $1 gnome_home_type:file append;
+ ')
+
+
-+########################################
-+## <summary>
+ ########################################
+ ## <summary>
+-## Create generic gnome home directories.
+## Dontaudit write gnome homedir content (.config)
-+## </summary>
-+## <param name="domain">
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+ #
+-interface(`gnome_create_generic_home_dirs',`
+interface(`gnome_dontaudit_write_config_files',`
-+ gen_require(`
+ gen_require(`
+- type gnome_home_t;
+ attribute gnome_home_type;
-+ ')
-+
+ ')
+
+- allow $1 gnome_home_t:dir create_dir_perms;
+ dontaudit $1 gnome_home_type:file write;
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Set attributes of generic gnome
+-## user home directories. (Deprecated)
+## manage gnome homedir content (.config)
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -264,15 +291,21 @@ interface(`gnome_create_generic_home_dirs',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`gnome_setattr_config_dirs',`
+- refpolicywarn(`$0($*) has been deprecated, use gnome_setattr_generic_home_dirs() instead.')
+- gnome_setattr_generic_home_dirs($1)
+interface(`gnome_manage_config',`
+ gen_require(`
+ attribute gnome_home_type;
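Review bot: `gnome_dontaudit_append_config_files` carries the same summary as `gnome_dontaudit_write_config_files`, `## Dontaudit write gnome homedir content (.config)`, although its body is `dontaudit $1 gnome_home_type:file append;`; change it to `## Dontaudit append gnome homedir content (.config)`. In the same hunk `gnome_dontaudit_read_config` applies a file permission set to the dir class, `dontaudit $1 gnome_home_type:dir read_inherited_file_perms;`; if directory reads are meant, `list_dir_perms` or `search_dir_perms` states the intent, and if inherited descriptors are meant the class should be `file`. This hunk also removes upstream's `gnome_read_gconf_config`, `gnome_manage_gconf_config` and the other gconf_etc_t interfaces while gnome.fc in this commit still labels `/etc/gconf(/.*)?` as gconf_etc_t, so a module outside this view that calls them will no longer build.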
@@ -23850,37 +23261,44 @@ index f5afe78..69577c7 100644
+ allow $1 gnome_home_type:lnk_file manage_lnk_file_perms;
+ allow $1 gnome_home_type:sock_file manage_sock_file_perms;
+ userdom_search_user_home_dirs($1)
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Set attributes of generic gnome
+-## user home directories.
+## Send general signals to all gconf domains.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -280,57 +313,89 @@ interface(`gnome_setattr_config_dirs',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`gnome_setattr_generic_home_dirs',`
+interface(`gnome_signal_all',`
-+ gen_require(`
+ gen_require(`
+- type gnome_home_t;
+ attribute gnomedomain;
-+ ')
-+
+ ')
+
+- userdom_search_user_home_dirs($1)
+- setattr_dirs_pattern($1, gnome_home_t, gnome_home_t)
+ allow $1 gnomedomain:process signal;
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Read generic gnome user home content. (Deprecated)
+## Create objects in a Gnome cache home directory
+## with an automatic type transition to
+## a specified private type.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+## <param name="private_type">
+## <summary>
+## The type of the object to create.
@@ -23896,7 +23314,10 @@ index f5afe78..69577c7 100644
+## The name of the object being created.
+## </summary>
+## </param>
-+#
+ #
+-interface(`gnome_read_config',`
+- refpolicywarn(`$0($*) has been deprecated, use gnome_read_generic_home_content() instead.')
+- gnome_read_generic_home_content($1)
+interface(`gnome_cache_filetrans',`
+ gen_require(`
+ type cache_home_t;
@@ -23904,19 +23325,20 @@ index f5afe78..69577c7 100644
+
+ filetrans_pattern($1, cache_home_t, $2, $3, $4)
+ userdom_search_user_home_dirs($1)
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Read generic gnome home content.
+## Create objects in a Gnome cache home directory
+## with an automatic type transition to
+## a specified private type.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+## <param name="private_type">
+## <summary>
+## The type of the object to create.
@@ -23932,26 +23354,38 @@ index f5afe78..69577c7 100644
+## The name of the object being created.
+## </summary>
+## </param>
-+#
+ #
+-interface(`gnome_read_generic_home_content',`
+interface(`gnome_config_filetrans',`
-+ gen_require(`
+ gen_require(`
+- type gnome_home_t;
+ type config_home_t;
-+ ')
-+
+ ')
+
+ filetrans_pattern($1, config_home_t, $2, $3, $4)
-+ userdom_search_user_home_dirs($1)
-+')
-+
-+########################################
-+## <summary>
+ userdom_search_user_home_dirs($1)
+- allow $1 gnome_home_t:dir list_dir_perms;
+- allow $1 gnome_home_t:file read_file_perms;
+- allow $1 gnome_home_t:fifo_file read_fifo_file_perms;
+- allow $1 gnome_home_t:lnk_file read_lnk_file_perms;
+- allow $1 gnome_home_t:sock_file read_sock_file_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete
+-## generic gnome user home content. (Deprecated)
+## Read generic cache home files (.cache)
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -338,15 +403,18 @@ interface(`gnome_read_generic_home_content',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`gnome_manage_config',`
+- refpolicywarn(`$0($*) has been deprecated, use gnome_manage_generic_home_content() instead.')
+- gnome_manage_generic_home_content($1)
+interface(`gnome_read_generic_cache_files',`
+ gen_require(`
+ type cache_home_t;
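Review bot: The summary above `gnome_config_filetrans` (in the preceding hunk) still reads `## Create objects in a Gnome cache home directory`, copied from `gnome_cache_filetrans`, while the body transitions into `config_home_t`; it should read `## Create objects in a Gnome config home directory`. Both doc blocks are unchanged by this commit, so this is inherited, but as written the two interfaces are word-for-word identical in their documentation and a caller cannot tell them apart.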
@@ -23959,186 +23393,258 @@ index f5afe78..69577c7 100644
+
+ read_files_pattern($1, cache_home_t, cache_home_t)
+ userdom_search_user_home_dirs($1)
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete
+-## generic gnome home content.
+## Set attributes of cache home dir (.cache)
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -354,22 +422,18 @@ interface(`gnome_manage_config',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`gnome_manage_generic_home_content',`
+interface(`gnome_setattr_cache_home_dir',`
-+ gen_require(`
+ gen_require(`
+- type gnome_home_t;
+ type cache_home_t;
-+ ')
-+
+ ')
+
+ setattr_dirs_pattern($1, cache_home_t, cache_home_t)
-+ userdom_search_user_home_dirs($1)
-+')
-+
-+########################################
-+## <summary>
-+## Manage cache home dir (.cache)
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ userdom_search_user_home_dirs($1)
+- allow $1 gnome_home_t:dir manage_dir_perms;
+- allow $1 gnome_home_t:file manage_file_perms;
+- allow $1 gnome_home_t:fifo_file manage_fifo_file_perms;
+- allow $1 gnome_home_t:lnk_file manage_lnk_file_perms;
+- allow $1 gnome_home_t:sock_file manage_sock_file_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Search generic gnome home directories.
++## Manage cache home dir (.cache)
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -377,53 +441,37 @@ interface(`gnome_manage_generic_home_content',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`gnome_search_generic_home',`
+interface(`gnome_manage_cache_home_dir',`
-+ gen_require(`
+ gen_require(`
+- type gnome_home_t;
+ type cache_home_t;
-+ ')
-+
+ ')
+
+ manage_dirs_pattern($1, cache_home_t, cache_home_t)
-+ userdom_search_user_home_dirs($1)
-+')
-+
-+########################################
-+## <summary>
+ userdom_search_user_home_dirs($1)
+- allow $1 gnome_home_t:dir search_dir_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Create objects in gnome user home
+-## directories with a private type.
+## append to generic cache home files (.cache)
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <param name="private_type">
+-## <summary>
+-## Private file type.
+-## </summary>
+-## </param>
+-## <param name="object_class">
+-## <summary>
+-## Class of the object being created.
+-## </summary>
+-## </param>
+-## <param name="name" optional="true">
+-## <summary>
+-## The name of the object being created.
+-## </summary>
+-## </param>
+ #
+-interface(`gnome_home_filetrans',`
+interface(`gnome_append_generic_cache_files',`
-+ gen_require(`
+ gen_require(`
+- type gnome_home_t;
+ type cache_home_t;
-+ ')
-+
+ ')
+
+ append_files_pattern($1, cache_home_t, cache_home_t)
-+ userdom_search_user_home_dirs($1)
-+')
-+
-+########################################
-+## <summary>
+ userdom_search_user_home_dirs($1)
+- filetrans_pattern($1, gnome_home_t, $2, $3, $4)
+ ')
+
+ ########################################
+ ## <summary>
+-## Create generic gconf home directories.
+## write to generic cache home files (.cache)
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -431,17 +479,18 @@ interface(`gnome_home_filetrans',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`gnome_create_generic_gconf_home_dirs',`
+interface(`gnome_write_generic_cache_files',`
-+ gen_require(`
+ gen_require(`
+- type gconf_home_t;
+ type cache_home_t;
-+ ')
-+
+ ')
+
+- allow $1 gconf_home_t:dir create_dir_perms;
+ write_files_pattern($1, cache_home_t, cache_home_t)
+ userdom_search_user_home_dirs($1)
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Read generic gconf home content.
+## Manage a sock_file in the generic cache home files (.cache)
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -449,46 +498,36 @@ interface(`gnome_create_generic_gconf_home_dirs',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`gnome_read_generic_gconf_home_content',`
+interface(`gnome_manage_generic_cache_sockets',`
-+ gen_require(`
+ gen_require(`
+- type gconf_home_t;
+ type cache_home_t;
-+ ')
-+
-+ userdom_search_user_home_dirs($1)
+ ')
+
+ userdom_search_user_home_dirs($1)
+- allow $1 gconf_home_t:dir list_dir_perms;
+- allow $1 gconf_home_t:file read_file_perms;
+- allow $1 gconf_home_t:fifo_file read_fifo_file_perms;
+- allow $1 gconf_home_t:lnk_file read_lnk_file_perms;
+- allow $1 gconf_home_t:sock_file read_sock_file_perms;
+ manage_sock_files_pattern($1, cache_home_t, cache_home_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete
+-## generic gconf home content.
+## Dontaudit read/write to generic cache home files (.cache)
-+## </summary>
-+## <param name="domain">
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+ #
+-interface(`gnome_manage_generic_gconf_home_content',`
+interface(`gnome_dontaudit_rw_generic_cache_files',`
-+ gen_require(`
+ gen_require(`
+- type gconf_home_t;
+ type cache_home_t;
-+ ')
-+
+ ')
+
+- userdom_search_user_home_dirs($1)
+- allow $1 gconf_home_t:dir manage_dir_perms;
+- allow $1 gconf_home_t:file manage_file_perms;
+- allow $1 gconf_home_t:fifo_file manage_fifo_file_perms;
+- allow $1 gconf_home_t:lnk_file manage_lnk_file_perms;
+- allow $1 gconf_home_t:sock_file manage_sock_file_perms;
+ dontaudit $1 cache_home_t:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Search generic gconf home directories.
+## read gnome homedir content (.config)
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -496,29 +535,35 @@ interface(`gnome_manage_generic_gconf_home_content',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`gnome_search_generic_gconf_home',`
+interface(`gnome_read_config',`
-+ gen_require(`
+ gen_require(`
+- type gconf_home_t;
+ attribute gnome_home_type;
-+ ')
-+
+ ')
+
+- userdom_search_user_home_dirs($1)
+- allow $1 gconf_home_t:dir search_dir_perms;
+ list_dirs_pattern($1, gnome_home_type, gnome_home_type)
+ read_files_pattern($1, gnome_home_type, gnome_home_type)
+ read_lnk_files_pattern($1, gnome_home_type, gnome_home_type)
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Create objects in user home
+-## directories with the generic gconf
+-## home type.
+## Create objects in a Gnome gconf home directory
+## with an automatic type transition to
+## a specified private type.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+## <param name="private_type">
+## <summary>
+## The type of the object to create.
+## </summary>
+## </param>
-+## <param name="object_class">
-+## <summary>
+ ## <param name="object_class">
+ ## <summary>
+-## Class of the object being created.
+## The class of the object to be created.
-+## </summary>
-+## </param>
-+## <param name="name" optional="true">
-+## <summary>
-+## The name of the object being created.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+ ## <param name="name" optional="true">
+@@ -527,62 +572,125 @@ interface(`gnome_search_generic_gconf_home',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`gnome_home_filetrans_gconf_home',`
+interface(`gnome_data_filetrans',`
-+ gen_require(`
+ gen_require(`
+- type gconf_home_t;
+ type data_home_t;
-+ ')
-+
+ ')
+
+- userdom_user_home_dir_filetrans($1, gconf_home_t, $2, $3)
+ filetrans_pattern($1, data_home_t, $2, $3, $4)
+ gnome_search_gconf($1)
-+')
-+
+ ')
+
+-########################################
+#######################################
-+## <summary>
+ ## <summary>
+-## Create objects in user home
+-## directories with the generic gnome
+-## home type.
+## Read generic data home files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <param name="object_class">
+#
+interface(`gnome_read_generic_data_home_files',`
+ gen_require(`
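Review bot: `gnome_read_config` is documented as "read gnome homedir content (.config)" but its body grants `list_dirs_pattern`/`read_files_pattern`/`read_lnk_files_pattern` on the whole `gnome_home_type` attribute rather than on `config_home_t`, so every type carrying that attribute becomes readable by the caller; either narrow the three rules to `config_home_t` (as `gnome_read_home_config` later in this patch does) or retitle the summary to say all gnome home content. Which types carry `gnome_home_type` is only partly visible here (`gnome_home_t` in the gnome.te hunk), so the real exposure should be checked against the full type declarations. Separately, `gnome_data_filetrans` pairs a `filetrans_pattern` into `data_home_t` with `gnome_search_gconf($1)` where the sibling filetrans interfaces call `userdom_search_user_home_dirs($1)`; this looks like a copy-paste slip and is worth confirming. Several summaries in this hunk (`append to …`, `write to …`, `read gnome homedir content …`) start lowercase while the rest are capitalised; the same appears in the `.config` interface hunks further down.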
@@ -24171,10 +23677,12 @@ index f5afe78..69577c7 100644
+## Manage gconf data home files
+## </summary>
+## <param name="domain">
-+## <summary>
+ ## <summary>
+-## Class of the object being created.
+## Domain allowed access.
-+## </summary>
-+## </param>
+ ## </summary>
+ ## </param>
+-## <param name="name" optional="true">
+#
+interface(`gnome_manage_data',`
+ gen_require(`
@@ -24193,32 +23701,39 @@ index f5afe78..69577c7 100644
+## Read icc data home content.
+## </summary>
+## <param name="domain">
-+## <summary>
+ ## <summary>
+-## The name of the object being created.
+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+ #
+-interface(`gnome_home_filetrans_gnome_home',`
+interface(`gnome_read_home_icc_data_content',`
-+ gen_require(`
+ gen_require(`
+- type gnome_home_t;
+ type icc_data_home_t, gconf_home_t, data_home_t;
-+ ')
-+
+ ')
+
+- userdom_user_home_dir_filetrans($1, gnome_home_t, $2, $3)
+ userdom_search_user_home_dirs($1)
+ allow $1 { gconf_home_t data_home_t }:dir search_dir_perms;
+ list_dirs_pattern($1, icc_data_home_t, icc_data_home_t)
+ read_files_pattern($1, icc_data_home_t, icc_data_home_t)
+ read_lnk_files_pattern($1, icc_data_home_t, icc_data_home_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Create objects in gnome gconf home
+-## directories with a private type.
+## Read inherited icc data home files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <param name="private_type">
+#
+interface(`gnome_read_inherited_home_icc_data_files',`
+ gen_require(`
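Review bot: `gnome_read_home_icc_data_content` grants `search_dir_perms` on both `gconf_home_t` and `data_home_t` before listing `icc_data_home_t`, and nothing in the hunk says why two distinct parents are needed; a one-line comment above the `allow`, e.g. `# icc data may live below either the gconf or the data home directory -- confirm`, would save the next reader from guessing. If only one of the two is actually a parent of the icc directory, the other grant is surplus and should be dropped. The `gnome_read_inherited_home_icc_data_files` body at the end of this hunk continues outside it.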
@@ -24233,63 +23748,86 @@ index f5afe78..69577c7 100644
+## Create gconf_home_t objects in the /root directory
+## </summary>
+## <param name="domain">
-+## <summary>
+ ## <summary>
+-## Private file type.
+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <param name="object_class">
-+## <summary>
+ ## </summary>
+ ## </param>
+ ## <param name="object_class">
+ ## <summary>
+-## Class of the object being created.
+## The class of the object to be created.
-+## </summary>
-+## </param>
-+## <param name="name" optional="true">
-+## <summary>
-+## The name of the object being created.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+ ## <param name="name" optional="true">
+@@ -591,65 +699,76 @@ interface(`gnome_home_filetrans_gnome_home',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`gnome_gconf_home_filetrans',`
+interface(`gnome_admin_home_gconf_filetrans',`
-+ gen_require(`
-+ type gconf_home_t;
-+ ')
-+
+ gen_require(`
+ type gconf_home_t;
+ ')
+
+- userdom_search_user_home_dirs($1)
+- filetrans_pattern($1, gconf_home_t, $2, $3, $4)
+ userdom_admin_home_dir_filetrans($1, gconf_home_t, $2, $3)
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Read generic gnome keyring home files.
+## Do not audit attempts to read
+## inherited gconf config files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+ #
+-interface(`gnome_read_keyring_home_files',`
+interface(`gnome_dontaudit_read_inherited_gconf_config_files',`
-+ gen_require(`
+ gen_require(`
+- type gnome_home_t, gnome_keyring_home_t;
+ type gconf_etc_t;
-+ ')
-+
+ ')
+
+- userdom_search_user_home_dirs($1)
+- read_files_pattern($1, { gnome_home_t gnome_keyring_home_t }, gnome_keyring_home_t)
+ dontaudit $1 gconf_etc_t:file read_inherited_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Send and receive messages from
+-## gnome keyring daemon over dbus.
+## read gconf config files
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+-## <param name="role_prefix">
+-## <summary>
+-## The prefix of the user domain (e.g., user
+-## is the prefix for user_t).
+-## </summary>
+-## </param>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+ #
+-interface(`gnome_dbus_chat_gkeyringd',`
+interface(`gnome_read_gconf_config',`
-+ gen_require(`
+ gen_require(`
+- type $1_gkeyringd_t;
+- class dbus send_msg;
+ type gconf_etc_t;
-+ ')
-+
+ ')
+
+- allow $2 $1_gkeyringd_t:dbus send_msg;
+- allow $1_gkeyringd_t $2:dbus send_msg;
+ allow $1 gconf_etc_t:dir list_dir_perms;
+ read_files_pattern($1, gconf_etc_t, gconf_etc_t)
+ files_search_etc($1)
@@ -24312,58 +23850,82 @@ index f5afe78..69577c7 100644
+
+ allow $1 gconf_etc_t:dir list_dir_perms;
+ manage_files_pattern($1, gconf_etc_t, gconf_etc_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Send and receive messages from all
+-## gnome keyring daemon over dbus.
+## Execute gconf programs in
+## in the caller domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -657,46 +776,36 @@ interface(`gnome_dbus_chat_gkeyringd',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`gnome_dbus_chat_all_gkeyringd',`
+interface(`gnome_exec_gconf',`
-+ gen_require(`
+ gen_require(`
+- attribute gkeyringd_domain;
+- class dbus send_msg;
+ type gconfd_exec_t;
-+ ')
-+
+ ')
+
+- allow $1 gkeyringd_domain:dbus send_msg;
+- allow gkeyringd_domain $1:dbus send_msg;
+ can_exec($1, gconfd_exec_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Connect to gnome keyring daemon
+-## with a unix stream socket.
+## Execute gnome keyringd in the caller domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+-## <param name="role_prefix">
+-## <summary>
+-## The prefix of the user domain (e.g., user
+-## is the prefix for user_t).
+-## </summary>
+-## </param>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+ #
+-interface(`gnome_stream_connect_gkeyringd',`
+interface(`gnome_exec_keyringd',`
-+ gen_require(`
+ gen_require(`
+- type $1_gkeyringd_t, gnome_keyring_tmp_t;
+ type gkeyringd_exec_t;
-+ ')
-+
+ ')
+
+- files_search_tmp($2)
+- stream_connect_pattern($2, gnome_keyring_tmp_t, gnome_keyring_tmp_t, $1_gkeyringd_t)
+ can_exec($1, gkeyringd_exec_t)
+ corecmd_search_bin($1)
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Connect to all gnome keyring daemon
+-## with a unix stream socket.
+## Read gconf home files
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -704,12 +813,772 @@ interface(`gnome_stream_connect_gkeyringd',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`gnome_stream_connect_all_gkeyringd',`
+interface(`gnome_read_gconf_home_files',`
-+ gen_require(`
+ gen_require(`
+- attribute gkeyringd_domain;
+- type gnome_keyring_tmp_t;
+ type gconf_home_t;
+ type data_home_t;
+ ')
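Review bot: `gnome_exec_keyringd` pairs `can_exec($1, gkeyringd_exec_t)` with `corecmd_search_bin($1)`, while `gnome_exec_gconf` in the same hunk has only `can_exec($1, gconfd_exec_t)`; if gconfd's executable also lives under a bin directory the caller needs the same search permission, so either add `corecmd_search_bin($1)` there too or comment why it is not required. `gnome_read_gconf_home_files` declares `type gconf_home_t;` and `type data_home_t;` on separate lines where the rest of the file folds them into one `type a, b;` line; fold them for consistency. The body of `gnome_read_gconf_home_files` continues outside the hunk.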
@@ -24390,9 +23952,10 @@ index f5afe78..69577c7 100644
+interface(`gnome_search_gkeyringd_tmp_dirs',`
+ gen_require(`
+ type gkeyringd_tmp_t;
-+ ')
-+
-+ files_search_tmp($1)
+ ')
+
+ files_search_tmp($1)
+- stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain)
+ allow $1 gkeyringd_tmp_t:dir search_dir_perms;
+')
+
@@ -24533,11 +24096,10 @@ index f5afe78..69577c7 100644
+## manage gconf home files
+## </summary>
+## <param name="domain">
- ## <summary>
--## Role allowed access
++## <summary>
+## Domain allowed access.
- ## </summary>
- ## </param>
++## </summary>
++## </param>
+#
+interface(`gnome_manage_gconf_home_files',`
+ gen_require(`
@@ -24552,27 +24114,22 @@ index f5afe78..69577c7 100644
+## <summary>
+## Connect to gnome over a unix stream socket.
+## </summary>
- ## <param name="domain">
- ## <summary>
--## User domain for the role
++## <param name="domain">
++## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
- ## </summary>
- ## </param>
- #
--interface(`gnome_role',`
++## </summary>
++## </param>
++#
+interface(`gnome_stream_connect',`
- gen_require(`
-- type gconfd_t, gconfd_exec_t;
-- type gconf_tmp_t;
++ gen_require(`
+ attribute gnome_home_type;
- ')
-
-- role $1 types gconfd_t;
++ ')
++
+ # Connect to pulseaudit server
+ stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2)
+')
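Review bot: The comment `# Connect to pulseaudit server` inside `gnome_stream_connect` looks like a typo for pulseaudio and, either way, does not match the interface's summary "Connect to gnome over a unix stream socket"; replace it with a comment stating what the rule does, e.g. `# connect to sockets of any gnome home type served by the user domain`. Because the rule is `stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2)`, it covers every socket labelled with any type carrying the `gnome_home_type` attribute, which is broader than a single audio server socket; if only one type's sockets are meant, narrow the first two type arguments to that type.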
@@ -24591,15 +24148,10 @@ index f5afe78..69577c7 100644
+ gen_require(`
+ type config_home_t;
+ ')
-
-- domain_auto_trans($2, gconfd_exec_t, gconfd_t)
-- allow gconfd_t $2:fd use;
-- allow gconfd_t $2:fifo_file write;
-- allow gconfd_t $2:unix_stream_socket connectto;
++
+ allow $1 config_home_t:dir list_dir_perms;
+')
-
-- ps_process_pattern($2, gconfd_t)
++
+########################################
+## <summary>
+## Set attributes of gnome homedir content (.config)
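Review bot: The interface whose body ends with `allow $1 config_home_t:dir list_dir_perms;` grants listing of the `.config` directory without `userdom_search_user_home_dirs($1)`, whereas the setattr interface in the following hunk and `gnome_setattr_cache_home_dir` earlier in the patch add that search permission; a caller that does not already search the user home directory cannot reach `config_home_t`, so either add `userdom_search_user_home_dirs($1)` here or document that callers must obtain it themselves. The interface's name and summary lie outside this hunk.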
@@ -24614,34 +24166,26 @@ index f5afe78..69577c7 100644
+ gen_require(`
+ type config_home_t;
+ ')
-
-- #gnome_stream_connect_gconf_template($1, $2)
-- read_files_pattern($2, gconf_tmp_t, gconf_tmp_t)
-- allow $2 gconfd_t:unix_stream_socket connectto;
++
+ setattr_dirs_pattern($1, config_home_t, config_home_t)
+ userdom_search_user_home_dirs($1)
- ')
-
- ########################################
- ## <summary>
--## Execute gconf programs in
--## in the caller domain.
++')
++
++########################################
++## <summary>
+## read gnome homedir content (.config)
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -46,37 +1050,91 @@ interface(`gnome_role',`
- ## </summary>
- ## </param>
- #
--interface(`gnome_exec_gconf',`
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
+interface(`gnome_read_home_config',`
- gen_require(`
-- type gconfd_exec_t;
++ gen_require(`
+ type config_home_t;
- ')
-
-- can_exec($1, gconfd_exec_t)
++ ')
++
+ list_dirs_pattern($1, config_home_t, config_home_t)
+ read_files_pattern($1, config_home_t, config_home_t)
+ read_lnk_files_pattern($1, config_home_t, config_home_t)
@@ -24681,36 +24225,28 @@ index f5afe78..69577c7 100644
+ ')
+
+ setattr_dirs_pattern($1, config_home_t, config_home_t)
- ')
-
- ########################################
- ## <summary>
--## Read gconf config files.
++')
++
++########################################
++## <summary>
+## manage gnome homedir content (.config)
- ## </summary>
--## <param name="user_domain">
++## </summary>
+## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
- #
--template(`gnome_read_gconf_config',`
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
+interface(`gnome_manage_home_config',`
- gen_require(`
-- type gconf_etc_t;
++ gen_require(`
+ type config_home_t;
- ')
-
-- allow $1 gconf_etc_t:dir list_dir_perms;
-- read_files_pattern($1, gconf_etc_t, gconf_etc_t)
-- files_search_etc($1)
++ ')
++
+ manage_files_pattern($1, config_home_t, config_home_t)
- ')
-
- #######################################
- ## <summary>
--## Create, read, write, and delete gconf config files.
++')
++
++#######################################
++## <summary>
+## delete gnome homedir content (.config)
+## </summary>
+## <param name="domain">
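Review bot: `gnome_manage_home_config` and `gnome_manage_home_config_dirs` (next hunk) carry the identical summary "manage gnome homedir content (.config)", although the first only issues `manage_files_pattern` and the second only `manage_dirs_pattern`; the generated interface docs will show two indistinguishable entries. Suggest `## Manage gnome homedir content files (.config)` here and `## Manage gnome homedir content directories (.config)` for the dirs variant. The delete interface whose summary closes this hunk has its body outside the hunk.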
@@ -24730,46 +24266,36 @@ index f5afe78..69577c7 100644
+########################################
+## <summary>
+## manage gnome homedir content (.config)
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -84,37 +1142,107 @@ template(`gnome_read_gconf_config',`
- ## </summary>
- ## </param>
- #
--interface(`gnome_manage_gconf_config',`
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
+interface(`gnome_manage_home_config_dirs',`
- gen_require(`
-- type gconf_etc_t;
++ gen_require(`
+ type config_home_t;
- ')
-
-- manage_files_pattern($1, gconf_etc_t, gconf_etc_t)
-- files_search_etc($1)
++ ')
++
+ manage_dirs_pattern($1, config_home_t, config_home_t)
- ')
-
- ########################################
- ## <summary>
--## gconf connection template.
++')
++
++########################################
++## <summary>
+## manage gstreamer home content files.
- ## </summary>
--## <param name="user_domain">
++## </summary>
+## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
- #
--interface(`gnome_stream_connect_gconf',`
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
+interface(`gnome_manage_gstreamer_home_files',`
- gen_require(`
-- type gconfd_t, gconf_tmp_t;
++ gen_require(`
+ type gstreamer_home_t;
- ')
-
-- read_files_pattern($1, gconf_tmp_t, gconf_tmp_t)
-- allow $1 gconfd_t:unix_stream_socket connectto;
++ ')
++
+ manage_dirs_pattern($1, gstreamer_home_t, gstreamer_home_t)
+ manage_files_pattern($1, gstreamer_home_t, gstreamer_home_t)
+ gnome_filetrans_gstreamer_home_content($1)
@@ -24843,33 +24369,28 @@ index f5afe78..69577c7 100644
+ ')
+
+ manage_dirs_pattern($1, gstreamer_home_t, gstreamer_home_t)
- ')
-
- ########################################
- ## <summary>
--## Run gconfd in gconfd domain.
++')
++
++########################################
++## <summary>
+## Read/Write all inherited gnome home config
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -122,17 +1250,36 @@ interface(`gnome_stream_connect_gconf',`
- ## </summary>
- ## </param>
- #
--interface(`gnome_domtrans_gconfd',`
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
+interface(`gnome_rw_inherited_config',`
- gen_require(`
-- type gconfd_t, gconfd_exec_t;
++ gen_require(`
+ attribute gnome_home_type;
- ')
-
-- domtrans_pattern($1, gconfd_exec_t, gconfd_t)
++ ')
++
+ allow $1 gnome_home_type:file rw_inherited_file_perms;
- ')
-
- ########################################
- ## <summary>
--## Set attributes of Gnome config dirs.
++')
++
++########################################
++## <summary>
+## Dontaudit Read/Write all inherited gnome home config
+## </summary>
+## <param name="domain">
@@ -24890,68 +24411,54 @@ index f5afe78..69577c7 100644
+## <summary>
+## Send and receive messages from
+## gconf system service over dbus.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -140,51 +1287,279 @@ interface(`gnome_domtrans_gconfd',`
- ## </summary>
- ## </param>
- #
--interface(`gnome_setattr_config_dirs',`
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
+interface(`gnome_dbus_chat_gconfdefault',`
- gen_require(`
-- type gnome_home_t;
++ gen_require(`
+ type gconfdefaultsm_t;
+ class dbus send_msg;
- ')
-
-- setattr_dirs_pattern($1, gnome_home_t, gnome_home_t)
-- files_search_home($1)
++ ')
++
+ allow $1 gconfdefaultsm_t:dbus send_msg;
+ allow gconfdefaultsm_t $1:dbus send_msg;
- ')
-
- ########################################
- ## <summary>
--## Read gnome homedir content (.config)
++')
++
++########################################
++## <summary>
+## Send and receive messages from
+## gkeyringd over dbus.
- ## </summary>
--## <param name="user_domain">
++## </summary>
+## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
- #
--template(`gnome_read_config',`
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
+interface(`gnome_dbus_chat_gkeyringd',`
- gen_require(`
-- type gnome_home_t;
++ gen_require(`
+ attribute gkeyringd_domain;
+ class dbus send_msg;
- ')
-
-- list_dirs_pattern($1, gnome_home_t, gnome_home_t)
-- read_files_pattern($1, gnome_home_t, gnome_home_t)
-- read_lnk_files_pattern($1, gnome_home_t, gnome_home_t)
++ ')
++
+ allow $1 gkeyringd_domain:dbus send_msg;
+ allow gkeyringd_domain $1:dbus send_msg;
- ')
-
- ########################################
- ## <summary>
--## manage gnome homedir content (.config)
++')
++
++########################################
++## <summary>
+## Send signull signal to gkeyringd processes.
- ## </summary>
--## <param name="user_domain">
++## </summary>
+## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
- #
--interface(`gnome_manage_config',`
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
+interface(`gnome_signull_gkeyringd',`
+ gen_require(`
+ attribute gkeyringd_domain;
@@ -24990,15 +24497,13 @@ index f5afe78..69577c7 100644
+## </param>
+#
+interface(`gnome_home_dir_filetrans',`
- gen_require(`
- type gnome_home_t;
- ')
-
-- allow $1 gnome_home_t:dir manage_dir_perms;
-- allow $1 gnome_home_t:file manage_file_perms;
++ gen_require(`
++ type gnome_home_t;
++ ')
++
+ userdom_user_home_dir_filetrans($1, gnome_home_t, dir)
- userdom_search_user_home_dirs($1)
- ')
++ userdom_search_user_home_dirs($1)
++')
+
+######################################
+## <summary>
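Review bot: `gnome_home_dir_filetrans` calls `userdom_user_home_dir_filetrans($1, gnome_home_t, dir)` without the optional name argument, so every directory the caller creates directly in the user home directory is labelled `gnome_home_t`, not just the gnome directory; the `gnome_home_filetrans_gnome_home(gkeyringd_domain, dir, ".gnome2")` call that this patch now drops from gnome.te (visible further down) did carry a name filter. If a single directory is intended, pass its name as the fourth argument; if the broad transition is deliberate, a comment on the call saying so will keep it from being "fixed" later. The interface starts inside this hunk and ends at the `')` before the next summary block.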
@@ -25188,15 +24693,23 @@ index f5afe78..69577c7 100644
+ allow $2 gkeyringd_exec_t:file entrypoint;
+ domain_transition_pattern($1, gkeyringd_exec_t, $2)
+ type_transition $1 gkeyringd_exec_t:process $2;
-+')
+ ')
diff --git a/gnome.te b/gnome.te
-index 783c5fb..7757943 100644
+index 20f726b..3a0a272 100644
--- a/gnome.te
+++ b/gnome.te
-@@ -6,11 +6,31 @@ policy_module(gnome, 2.2.0)
+@@ -1,18 +1,36 @@
+-policy_module(gnome, 2.2.5)
++policy_module(gnome, 2.2.0)
+
+ ##############################
+ #
+ # Declarations
#
+-attribute gkeyringd_domain;
attribute gnomedomain;
+-attribute_role gconfd_roles;
+attribute gnome_home_type;
+attribute gkeyringd_domain;
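Review bot: The new patch rewrites `policy_module(gnome, 2.2.5)` to `policy_module(gnome, 2.2.0)`, lowering the module version below the upstream one it replaces; downstream patches normally keep or raise the upstream version, so this looks like a stale merge artefact and should be restored to `policy_module(gnome, 2.2.5)` (or bumped) unless there is a deliberate reason. `attribute_role gconfd_roles;` is removed here and `role gconfd_roles types gconfd_t;` in the next hunk, so any role that reaches gconfd_t must now be assigned elsewhere; worth confirming that nothing in the contrib policy still references `gconfd_roles`.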
@@ -25226,9 +24739,11 @@ index 783c5fb..7757943 100644
typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t };
typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t };
typealias gconf_home_t alias unconfined_gconf_home_t;
-@@ -28,12 +48,33 @@ typealias gconfd_t alias { user_gconfd_t staff_gconfd_t sysadm_gconfd_t };
+@@ -29,107 +47,233 @@ type gconfd_exec_t;
+ typealias gconfd_t alias { user_gconfd_t staff_gconfd_t sysadm_gconfd_t };
typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t };
userdom_user_application_domain(gconfd_t, gconfd_exec_t)
+-role gconfd_roles types gconfd_t;
-type gnome_home_t;
+type gnome_home_t, gnome_home_type;
@@ -25241,12 +24756,17 @@ index 783c5fb..7757943 100644
+type config_usr_t;
+files_type(config_usr_t)
+
-+type gkeyringd_exec_t;
+ type gkeyringd_exec_t;
+-application_executable_file(gkeyringd_exec_t)
+corecmd_executable_file(gkeyringd_exec_t)
-+
+
+-type gnome_keyring_home_t;
+-userdom_user_home_content(gnome_keyring_home_t)
+type gkeyringd_gnome_home_t;
+userdom_user_home_content(gkeyringd_gnome_home_t)
-+
+
+-type gnome_keyring_tmp_t;
+-userdom_user_tmp_file(gnome_keyring_tmp_t)
+type gkeyringd_tmp_t;
+userdom_user_tmp_content(gkeyringd_tmp_t)
+
@@ -25257,37 +24777,83 @@ index 783c5fb..7757943 100644
+type gnomesystemmm_t;
+type gnomesystemmm_exec_t;
+init_daemon_domain(gnomesystemmm_t, gnomesystemmm_exec_t)
-+
+
##############################
#
- # Local Policy
-@@ -57,7 +98,6 @@ dev_read_urand(gconfd_t)
+-# Common local Policy
++# Local Policy
+ #
- files_read_etc_files(gconfd_t)
+-allow gnomedomain self:process { getsched signal };
+-allow gnomedomain self:fifo_file rw_fifo_file_perms;
++allow gconfd_t self:process getsched;
++allow gconfd_t self:fifo_file rw_fifo_file_perms;
--miscfiles_read_localization(gconfd_t)
+-dev_read_urand(gnomedomain)
++manage_dirs_pattern(gconfd_t, gconf_home_t, gconf_home_t)
++manage_files_pattern(gconfd_t, gconf_home_t, gconf_home_t)
++userdom_user_home_dir_filetrans(gconfd_t, gconf_home_t, dir)
+
+-domain_use_interactive_fds(gnomedomain)
++manage_dirs_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
++manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
++userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })
++
++allow gconfd_t gconf_etc_t:dir list_dir_perms;
++read_files_pattern(gconfd_t, gconf_etc_t, gconf_etc_t)
++
++dev_read_urand(gconfd_t)
++
++files_read_etc_files(gconfd_t)
- logging_send_syslog_msg(gconfd_t)
+-files_read_etc_files(gnomedomain)
-@@ -73,3 +113,163 @@ optional_policy(`
- xserver_use_xdm_fds(gconfd_t)
- xserver_rw_xdm_pipes(gconfd_t)
+-miscfiles_read_localization(gnomedomain)
++logging_send_syslog_msg(gconfd_t)
+
+-logging_send_syslog_msg(gnomedomain)
++userdom_manage_user_tmp_sockets(gconfd_t)
++userdom_manage_user_tmp_dirs(gconfd_t)
++userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
+
+-userdom_use_user_terminals(gnomedomain)
++optional_policy(`
++ nscd_dontaudit_search_pid(gconfd_t)
++')
+
+ optional_policy(`
+- xserver_rw_xdm_pipes(gnomedomain)
+- xserver_use_xdm_fds(gnomedomain)
++ xserver_use_xdm_fds(gconfd_t)
++ xserver_rw_xdm_pipes(gconfd_t)
')
-+
+
+-##############################
+#######################################
-+#
+ #
+-# Conf daemon local Policy
+# gconf-defaults-mechanisms local policy
-+#
-+
+ #
+
+-allow gconfd_t gconf_etc_t:dir list_dir_perms;
+-read_files_pattern(gconfd_t, gconf_etc_t, gconf_etc_t)
+allow gconfdefaultsm_t self:capability { dac_override sys_nice };
+allow gconfdefaultsm_t self:process getsched;
+allow gconfdefaultsm_t self:fifo_file rw_fifo_file_perms;
-+
+
+-manage_dirs_pattern(gconfd_t, gconf_home_t, gconf_home_t)
+-manage_files_pattern(gconfd_t, gconf_home_t, gconf_home_t)
+-userdom_user_home_dir_filetrans(gconfd_t, gconf_home_t, dir)
+corecmd_search_bin(gconfdefaultsm_t)
-+
+
+-manage_dirs_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
+-manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
+-userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })
+files_read_etc_files(gconfdefaultsm_t)
+files_read_usr_files(gconfdefaultsm_t)
-+
+
+-userdom_manage_user_tmp_dirs(gconfd_t)
+-userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
+
+gnome_manage_gconf_home_files(gconfdefaultsm_t)
+gnome_manage_gconf_config(gconfdefaultsm_t)
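Review bot: `allow gconfdefaultsm_t self:capability { dac_override sys_nice };` grants the mechanism dac_override, which bypasses file permission checks entirely, with no comment explaining the need; a why-comment such as `# dac_override: needed to manage gconf home files owned by other users -- confirm` (or narrowing to `dac_read_search` if only reads are needed) would document the exposure, given that the block also grants `gnome_manage_gconf_home_files(gconfdefaultsm_t)`. The gconfd_t rules drop `signal` relative to the removed `allow gnomedomain self:process { getsched signal };`, leaving only `getsched`; if gconfd signals itself this will surface as a denial, so the change deserves a comment or a line in the commit message.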
@@ -25296,11 +24862,13 @@ index 783c5fb..7757943 100644
+userdom_search_user_home_dirs(gconfdefaultsm_t)
+
+userdom_dontaudit_search_admin_dir(gconfdefaultsm_t)
-+
-+optional_policy(`
+
+ optional_policy(`
+- nscd_dontaudit_search_pid(gconfd_t)
+ consolekit_dbus_chat(gconfdefaultsm_t)
-+')
-+
+ ')
+
+-##############################
+optional_policy(`
+ dbus_system_domain(gconfdefaultsm_t, gconfdefaultsm_exec_t)
+')
@@ -25319,7 +24887,8 @@ index 783c5fb..7757943 100644
+userdom_home_manager(gconfdefaultsm_t)
+
+#######################################
-+#
+ #
+-# Keyring-daemon local policy
+# gnome-system-monitor-mechanisms local policy
+#
+
@@ -25376,55 +24945,73 @@ index 783c5fb..7757943 100644
+######################################
+#
+# gnome-keyring-daemon local policy
-+#
-+
-+allow gkeyringd_domain self:capability ipc_lock;
+ #
+
+ allow gkeyringd_domain self:capability ipc_lock;
+-allow gkeyringd_domain self:process { getcap setcap };
+allow gkeyringd_domain self:process { getcap getsched setcap signal };
+allow gkeyringd_domain self:fifo_file rw_fifo_file_perms;
-+allow gkeyringd_domain self:unix_stream_socket { connectto accept listen };
-+
+ allow gkeyringd_domain self:unix_stream_socket { connectto accept listen };
+
+-allow gkeyringd_domain gnome_home_t:dir create_dir_perms;
+-gnome_home_filetrans_gnome_home(gkeyringd_domain, dir, ".gnome2")
+allow gkeyringd_domain config_home_t:file write;
-+
+
+-manage_dirs_pattern(gkeyringd_domain, gnome_keyring_home_t, gnome_keyring_home_t)
+-manage_files_pattern(gkeyringd_domain, gnome_keyring_home_t, gnome_keyring_home_t)
+-gnome_home_filetrans(gkeyringd_domain, gnome_keyring_home_t, dir, "keyrings")
+manage_dirs_pattern(gkeyringd_domain, gkeyringd_gnome_home_t, gkeyringd_gnome_home_t)
+manage_files_pattern(gkeyringd_domain, gkeyringd_gnome_home_t, gkeyringd_gnome_home_t)
-+filetrans_pattern(gkeyringd_domain, gnome_home_t, gkeyringd_gnome_home_t, dir)
-+
++allow gkeyringd_domain data_home_t:dir create_dir_perms;
++allow gkeyringd_domain gconf_home_t:dir create_dir_perms;
++filetrans_pattern(gkeyringd_domain, gconf_home_t, data_home_t, dir, "share")
++filetrans_pattern(gkeyringd_domain, gnome_home_t, gkeyringd_gnome_home_t, dir, "keyrings")
++filetrans_pattern(gkeyringd_domain, gnome_home_t, data_home_t, dir, "keyrings")
+
+-manage_dirs_pattern(gkeyringd_domain, gnome_keyring_tmp_t, gnome_keyring_tmp_t)
+-manage_sock_files_pattern(gkeyringd_domain, gnome_keyring_tmp_t, gnome_keyring_tmp_t)
+-files_tmp_filetrans(gkeyringd_domain, gnome_keyring_tmp_t, dir)
+manage_dirs_pattern(gkeyringd_domain, gkeyringd_tmp_t, gkeyringd_tmp_t)
+manage_sock_files_pattern(gkeyringd_domain, gkeyringd_tmp_t, gkeyringd_tmp_t)
+files_tmp_filetrans(gkeyringd_domain, gkeyringd_tmp_t, dir)
+userdom_user_tmp_filetrans(gkeyringd_domain, gkeyringd_tmp_t, { sock_file dir })
-+
-+kernel_read_crypto_sysctls(gkeyringd_domain)
-+
+
+-kernel_read_system_state(gkeyringd_domain)
+ kernel_read_crypto_sysctls(gkeyringd_domain)
+
+corecmd_search_bin(gkeyringd_domain)
+
-+dev_read_rand(gkeyringd_domain)
+ dev_read_rand(gkeyringd_domain)
+dev_read_urand(gkeyringd_domain)
-+dev_read_sysfs(gkeyringd_domain)
-+
+ dev_read_sysfs(gkeyringd_domain)
+
+files_read_etc_files(gkeyringd_domain)
-+files_read_usr_files(gkeyringd_domain)
+ files_read_usr_files(gkeyringd_domain)
+# for nscd?
+files_search_pids(gkeyringd_domain)
-+
+
+-fs_getattr_all_fs(gkeyringd_domain)
+fs_getattr_xattr_fs(gkeyringd_domain)
+fs_getattr_tmpfs(gkeyringd_domain)
-+
-+userdom_user_home_dir_filetrans(gkeyringd_domain, gnome_home_t, dir)
-+
-+optional_policy(`
+
+-selinux_getattr_fs(gkeyringd_domain)
++userdom_user_home_dir_filetrans(gkeyringd_domain, gconf_home_t, dir, ".local")
+
+ optional_policy(`
+- ssh_read_user_home_files(gkeyringd_domain)
+ xserver_append_xdm_home_files(gkeyringd_domain)
+ xserver_read_xdm_home_files(gkeyringd_domain)
+ xserver_use_xdm_fds(gkeyringd_domain)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- telepathy_mission_control_read_state(gkeyringd_domain)
+ gnome_read_home_config(gkeyringd_domain)
+ gnome_read_generic_cache_files(gkeyringd_domain)
+ gnome_write_generic_cache_files(gkeyringd_domain)
+ gnome_manage_cache_home_dir(gkeyringd_domain)
+ gnome_manage_generic_cache_sockets(gkeyringd_domain)
-+')
+ ')
+
+optional_policy(`
+ ssh_read_user_home_files(gkeyringd_domain)
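Review bot: The two added named transitions `filetrans_pattern(gkeyringd_domain, gnome_home_t, gkeyringd_gnome_home_t, dir, "keyrings")` and `filetrans_pattern(gkeyringd_domain, gnome_home_t, data_home_t, dir, "keyrings")` share source, target, class and name but resolve to different types, so they look like a conflicting name-based type_transition that the policy build would likely reject; only one of them can be intended. Whichever survives should carry a comment saying where gnome-keyring stores its keyring directory, since `allow gkeyringd_domain config_home_t:file write;` and the new `data_home_t`/`gconf_home_t` create_dir_perms rules also widen what the keyring daemon may touch under the home directory without a stated rationale. The gkeyringd block continues outside the hunk.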
@@ -25434,253 +25021,500 @@ index 783c5fb..7757943 100644
+
+userdom_use_inherited_user_terminals(gnomedomain)
diff --git a/gnomeclock.fc b/gnomeclock.fc
-index 462de63..5d92f4e 100644
+index b687443..5d92f4e 100644
--- a/gnomeclock.fc
+++ b/gnomeclock.fc
-@@ -1,2 +1,7 @@
+@@ -1,5 +1,7 @@
+/usr/lib/systemd/systemd-timedated -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
+
/usr/libexec/gnome-clock-applet-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
+-/usr/libexec/gsd-datetime-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
+/usr/libexec/gsd-datetime-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
-+
+
+-/usr/libexec/kde(3|4)/kcmdatetimehelper -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
+/usr/libexec/kde(3|4)/kcmdatetimehelper -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
diff --git a/gnomeclock.if b/gnomeclock.if
-index 671d8fd..25c7ab8 100644
+index 3f55702..25c7ab8 100644
--- a/gnomeclock.if
+++ b/gnomeclock.if
-@@ -63,3 +63,24 @@ interface(`gnomeclock_dbus_chat',`
- allow $1 gnomeclock_t:dbus send_msg;
- allow gnomeclock_t $1:dbus send_msg;
+@@ -2,8 +2,7 @@
+
+ ########################################
+ ## <summary>
+-## Execute a domain transition to
+-## run gnomeclock.
++## Execute a domain transition to run gnomeclock.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -16,15 +15,13 @@ interface(`gnomeclock_domtrans',`
+ type gnomeclock_t, gnomeclock_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+ domtrans_pattern($1, gnomeclock_exec_t, gnomeclock_t)
')
-+
-+########################################
-+## <summary>
+
+ ########################################
+ ## <summary>
+-## Execute gnomeclock in the gnomeclock
+-## domain, and allow the specified
+-## role the gnomeclock domain.
++## Execute gnomeclock in the gnomeclock domain, and
++## allow the specified role the gnomeclock domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -39,11 +36,11 @@ interface(`gnomeclock_domtrans',`
+ #
+ interface(`gnomeclock_run',`
+ gen_require(`
+- attribute_role gnomeclock_roles;
++ type gnomeclock_t;
+ ')
+
+ gnomeclock_domtrans($1)
+- roleattribute $2 gnomeclock_roles;
++ role $2 types gnomeclock_t;
+ ')
+
+ ########################################
+@@ -69,9 +66,8 @@ interface(`gnomeclock_dbus_chat',`
+
+ ########################################
+ ## <summary>
+-## Do not audit attempts to send and
+-## receive messages from gnomeclock
+-## over dbus.
+## Do not audit send and receive messages from
+## gnomeclock over dbus.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
-+interface(`gnomeclock_dontaudit_dbus_chat',`
-+ gen_require(`
-+ type gnomeclock_t;
-+ class dbus send_msg;
-+ ')
-+
-+ dontaudit $1 gnomeclock_t:dbus send_msg;
-+ dontaudit gnomeclock_t $1:dbus send_msg;
-+')
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
diff --git a/gnomeclock.te b/gnomeclock.te
-index 4fde46b..d58acfc 100644
+index 6d79eb5..d58acfc 100644
--- a/gnomeclock.te
+++ b/gnomeclock.te
-@@ -7,38 +7,84 @@ policy_module(gnomeclock, 1.0.0)
+@@ -1,86 +1,91 @@
+-policy_module(gnomeclock, 1.0.5)
++policy_module(gnomeclock, 1.0.0)
+ ########################################
+ #
+ # Declarations
+ #
+
+-attribute_role gnomeclock_roles;
+-
type gnomeclock_t;
type gnomeclock_exec_t;
--dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
+-init_system_domain(gnomeclock_t, gnomeclock_exec_t)
+-role gnomeclock_roles types gnomeclock_t;
+init_daemon_domain(gnomeclock_t, gnomeclock_exec_t)
########################################
#
- # gnomeclock local policy
+-# Local policy
++# gnomeclock local policy
#
--allow gnomeclock_t self:capability { sys_nice sys_time sys_ptrace };
--allow gnomeclock_t self:process { getattr getsched };
+-allow gnomeclock_t self:capability { sys_nice sys_time };
+allow gnomeclock_t self:capability { sys_nice sys_time dac_override };
-+allow gnomeclock_t self:process { getattr getsched signal };
+ allow gnomeclock_t self:process { getattr getsched signal };
allow gnomeclock_t self:fifo_file rw_fifo_file_perms;
- allow gnomeclock_t self:unix_stream_socket create_stream_socket_perms;
+-allow gnomeclock_t self:unix_stream_socket { accept listen };
++allow gnomeclock_t self:unix_stream_socket create_stream_socket_perms;
+allow gnomeclock_t self:unix_dgram_socket create_socket_perms;
-+
-+kernel_read_system_state(gnomeclock_t)
+
+ kernel_read_system_state(gnomeclock_t)
corecmd_exec_bin(gnomeclock_t)
-+corecmd_exec_shell(gnomeclock_t)
+ corecmd_exec_shell(gnomeclock_t)
+corecmd_dontaudit_access_check_bin(gnomeclock_t)
-+
+
+-corenet_all_recvfrom_unlabeled(gnomeclock_t)
+-corenet_all_recvfrom_netlabel(gnomeclock_t)
+-corenet_tcp_sendrecv_generic_if(gnomeclock_t)
+-corenet_tcp_sendrecv_generic_node(gnomeclock_t)
+-
+-# tcp:37 (time)
+-corenet_sendrecv_inetd_child_client_packets(gnomeclock_t)
+-corenet_tcp_connect_inetd_child_port(gnomeclock_t)
+-corenet_tcp_sendrecv_inetd_child_port(gnomeclock_t)
+corenet_tcp_connect_time_port(gnomeclock_t)
-+
-+dev_rw_realtime_clock(gnomeclock_t)
+
+-dev_read_sysfs(gnomeclock_t)
+-dev_read_urand(gnomeclock_t)
+ dev_rw_realtime_clock(gnomeclock_t)
+dev_read_urand(gnomeclock_t)
+dev_write_kmsg(gnomeclock_t)
+dev_read_sysfs(gnomeclock_t)
--files_read_etc_files(gnomeclock_t)
+files_read_etc_runtime_files(gnomeclock_t)
files_read_usr_files(gnomeclock_t)
-+fs_getattr_xattr_fs(gnomeclock_t)
-+
+ fs_getattr_xattr_fs(gnomeclock_t)
+
auth_use_nsswitch(gnomeclock_t)
--clock_domtrans(gnomeclock_t)
+init_dbus_chat(gnomeclock_t)
+
+logging_stream_connect_syslog(gnomeclock_t)
-+logging_send_syslog_msg(gnomeclock_t)
+ logging_send_syslog_msg(gnomeclock_t)
--miscfiles_read_localization(gnomeclock_t)
+-miscfiles_etc_filetrans_localization(gnomeclock_t)
miscfiles_manage_localization(gnomeclock_t)
- miscfiles_etc_filetrans_localization(gnomeclock_t)
+-miscfiles_read_localization(gnomeclock_t)
++miscfiles_etc_filetrans_localization(gnomeclock_t)
userdom_read_all_users_state(gnomeclock_t)
optional_policy(`
+- chronyd_initrc_domtrans(gnomeclock_t)
+ chronyd_systemctl(gnomeclock_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+ clock_read_adjtime(gnomeclock_t)
-+ clock_domtrans(gnomeclock_t)
-+')
-+
-+optional_policy(`
- consolekit_dbus_chat(gnomeclock_t)
+ clock_domtrans(gnomeclock_t)
')
optional_policy(`
-+ consoletype_exec(gnomeclock_t)
+- dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
++ consolekit_dbus_chat(gnomeclock_t)
+')
+
+optional_policy(`
++ consoletype_exec(gnomeclock_t)
++')
+
+- optional_policy(`
+- consolekit_dbus_chat(gnomeclock_t)
+- ')
++optional_policy(`
+dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
+')
-+
+
+- optional_policy(`
+- policykit_dbus_chat(gnomeclock_t)
+- ')
+optional_policy(`
+ gnome_manage_usr_config(gnomeclock_t)
+ gnome_manage_home_config(gnomeclock_t)
-+')
-+
-+optional_policy(`
-+ ntp_domtrans_ntpdate(gnomeclock_t)
-+ ntp_initrc_domtrans(gnomeclock_t)
+ ')
+
+ optional_policy(`
+ ntp_domtrans_ntpdate(gnomeclock_t)
+ ntp_initrc_domtrans(gnomeclock_t)
+ init_dontaudit_getattr_all_script_files(gnomeclock_t)
+ init_dontaudit_getattr_exec(gnomeclock_t)
+ ntp_systemctl(gnomeclock_t)
-+')
-+
-+optional_policy(`
- policykit_dbus_chat(gnomeclock_t)
+ ')
+
+ optional_policy(`
++ policykit_dbus_chat(gnomeclock_t)
policykit_domtrans_auth(gnomeclock_t)
policykit_read_lib(gnomeclock_t)
+ policykit_read_reload(gnomeclock_t)
diff --git a/gpg.fc b/gpg.fc
-index 5207fc2..c02fa56 100644
+index 888cd2c..c02fa56 100644
--- a/gpg.fc
+++ b/gpg.fc
-@@ -1,10 +1,13 @@
- HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
- HOME_DIR/\.gnupg/log-socket gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
-
+@@ -1,10 +1,14 @@
+-HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
+-HOME_DIR/\.gnupg/log-socket -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
++HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
++HOME_DIR/\.gnupg/log-socket gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
++
+/etc/mail/spamassassin/sa-update-keys(/.*)? gen_context(system_u:object_r:gpg_secret_t,s0)
+
+/root/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
-+
+
/usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0)
- /usr/bin/gpgsm -- gen_context(system_u:object_r:gpg_exec_t,s0)
+-/usr/bin/gpgsm -- gen_context(system_u:object_r:gpg_exec_t,s0)
++/usr/bin/gpgsm -- gen_context(system_u:object_r:gpg_exec_t,s0)
/usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0)
--/usr/bin/kgpg -- gen_context(system_u:object_r:gpg_exec_t,s0)
/usr/bin/pinentry.* -- gen_context(system_u:object_r:pinentry_exec_t,s0)
/usr/lib/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0)
+-/usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
++/usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
diff --git a/gpg.if b/gpg.if
-index 6d50300..2f0feca 100644
+index 180f1b7..951b790 100644
--- a/gpg.if
+++ b/gpg.if
-@@ -54,15 +54,16 @@ interface(`gpg_role',`
- manage_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
- relabel_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
+@@ -2,57 +2,75 @@
-+ allow gpg_pinentry_t $2:fifo_file { read write };
+ ############################################################
+ ## <summary>
+-## Role access for gpg.
++## Role access for gpg
+ ## </summary>
+ ## <param name="role">
+ ## <summary>
+-## Role allowed access.
++## Role allowed access
+ ## </summary>
+ ## </param>
+ ## <param name="domain">
+ ## <summary>
+-## User domain for the role.
++## User domain for the role
+ ## </summary>
+ ## </param>
+ #
+ interface(`gpg_role',`
+ gen_require(`
+- attribute_role gpg_roles, gpg_agent_roles, gpg_helper_roles, gpg_pinentry_roles;
+- type gpg_t, gpg_exec_t, gpg_agent_t;
+- type gpg_agent_exec_t, gpg_agent_tmp_t, gpg_helper_t;
+- type gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_secret_t;
++ type gpg_t, gpg_exec_t;
++ type gpg_agent_t, gpg_agent_exec_t;
++ type gpg_agent_tmp_t;
++ type gpg_helper_t, gpg_pinentry_t;
++ type gpg_pinentry_tmp_t;
+ ')
+
+- roleattribute $1 gpg_roles;
+- roleattribute $1 gpg_agent_roles;
+- roleattribute $1 gpg_helper_roles;
+- roleattribute $1 gpg_pinentry_roles;
++ role $1 types { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t };
+
++ # transition from the userdomain to the derived domain
+ domtrans_pattern($2, gpg_exec_t, gpg_t)
+- domtrans_pattern($2, gpg_agent_exec_t, gpg_agent_t)
+
+- allow $2 { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t }:process { ptrace signal_perms };
+- ps_process_pattern($2, { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t })
++ # allow ps to show gpg
++ ps_process_pattern($2, gpg_t)
++ allow $2 gpg_t:process { signull sigstop signal sigkill };
+
+- allow gpg_pinentry_t $2:process signull;
++ # communicate with the user
+ allow gpg_helper_t $2:fd use;
+- allow { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t } $2:fifo_file { read write };
++ allow gpg_helper_t $2:fifo_file write;
++
++ # allow ps to show gpg-agent
++ ps_process_pattern($2, gpg_agent_t)
+
+- allow $2 { gpg_agent_tmp_t gpg_secret_t }:dir { manage_dir_perms relabel_dir_perms };
+- allow $2 { gpg_agent_tmp_t gpg_secret_t }:file { manage_file_perms relabel_file_perms };
+- allow $2 gpg_secret_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+- allow $2 { gpg_agent_tmp_t gpg_pinentry_tmp_t gpg_secret_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+- filetrans_pattern($2, gpg_secret_t, gpg_agent_tmp_t, sock_file, "log-socket")
+- userdom_user_home_dir_filetrans($2, gpg_secret_t, dir, ".gnupg")
++ # Allow the user shell to signal the gpg-agent program.
++ allow $2 gpg_agent_t:process { signal sigkill };
++
++ manage_dirs_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t)
++ manage_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t)
++ manage_sock_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t)
++ files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })
++
++ # Transition from the user domain to the agent domain.
++ domtrans_pattern($2, gpg_agent_exec_t, gpg_agent_t)
++
++ manage_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
++ relabel_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
+
++ allow gpg_pinentry_t $2:fifo_file { read write };
+
optional_policy(`
gpg_pinentry_dbus_chat($2)
')
-
++
+ allow $2 gpg_agent_t:unix_stream_socket { rw_socket_perms connectto };
- ifdef(`hide_broken_symptoms',`
- #Leaked File Descriptors
-- dontaudit gpg_t $2:socket_class_set { getattr read write };
- dontaudit gpg_t $2:fifo_file rw_fifo_file_perms;
-- dontaudit gpg_agent_t $2:socket_class_set { getattr read write };
- dontaudit gpg_agent_t $2:fifo_file rw_fifo_file_perms;
- ')
++ ifdef(`hide_broken_symptoms',`
++ #Leaked File Descriptors
++ dontaudit gpg_t $2:fifo_file rw_fifo_file_perms;
++ dontaudit gpg_agent_t $2:fifo_file rw_fifo_file_perms;
++ ')
')
-@@ -85,13 +86,13 @@ interface(`gpg_domtrans',`
+
+ ########################################
+ ## <summary>
+-## Execute the gpg in the gpg domain.
++## Transition to a user gpg domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -65,13 +83,12 @@ interface(`gpg_domtrans',`
+ type gpg_t, gpg_exec_t;
+ ')
+
+- corecmd_search_bin($1)
domtrans_pattern($1, gpg_exec_t, gpg_t)
')
-########################################
+######################################
## <summary>
--## Execute the gpg application without transitioning
+-## Execute the gpg in the caller domain.
+## Execute gpg in the caller domain.
## </summary>
## <param name="domain">
## <summary>
--## Domain allowed to execute gpg
-+## Domain allowed access.
- ## </summary>
- ## </param>
- #
-@@ -100,9 +101,47 @@ interface(`gpg_exec',`
- type gpg_exec_t;
- ')
-
-+ corecmd_search_bin($1)
+@@ -88,76 +105,46 @@ interface(`gpg_exec',`
can_exec($1, gpg_exec_t)
')
-+######################################
-+## <summary>
+-########################################
+-## <summary>
+-## Execute gpg in a specified domain.
+-## </summary>
+-## <desc>
+-## <p>
+-## Execute gpg in a specified domain.
+-## </p>
+-## <p>
+-## No interprocess communication (signals, pipes,
+-## etc.) is provided by this interface since
+-## the domains are not owned by this module.
+-## </p>
+-## </desc>
+-## <param name="source_domain">
+-## <summary>
+-## Domain allowed to transition.
+-## </summary>
+-## </param>
+-## <param name="target_domain">
+-## <summary>
+-## Domain to transition to.
+-## </summary>
+-## </param>
+-#
+-interface(`gpg_spec_domtrans',`
+- gen_require(`
+- type gpg_exec_t;
+- ')
+-
+- corecmd_search_bin($1)
+- domain_auto_trans($1, gpg_exec_t, $2)
+-')
+-
+ ######################################
+ ## <summary>
+-## Execute gpg in the gpg web domain. (Deprecated)
+## Transition to a gpg web domain.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
+-## Domain allowed to transition.
+-## </summary>
+## <summary>
+## Domain allowed access.
+## </summary>
-+## </param>
-+#
-+interface(`gpg_domtrans_web',`
+ ## </param>
+ #
+ interface(`gpg_domtrans_web',`
+- refpolicywarn(`$0($*) has been deprecated.')
+ gen_require(`
+ type gpg_web_t, gpg_exec_t;
+ ')
+
+ domtrans_pattern($1, gpg_exec_t, gpg_web_t)
-+')
-+
-+######################################
-+## <summary>
+ ')
+
+ ######################################
+ ## <summary>
+-## Make gpg executable files an
+-## entrypoint for the specified domain.
+## Make gpg an entrypoint for
+## the specified domain.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
+-## The domain for which gpg_exec_t is an entrypoint.
+-## </summary>
+## <summary>
+## The domain for which cifs_t is an entrypoint.
+## </summary>
-+## </param>
-+#
-+interface(`gpg_entry_type',`
+ ## </param>
+ #
+ interface(`gpg_entry_type',`
+- gen_require(`
+- type gpg_exec_t;
+- ')
+ gen_require(`
+ type gpg_exec_t;
+ ')
-+
+
+- domain_entry_file($1, gpg_exec_t)
+ domain_entry_file($1, gpg_exec_t)
-+')
-+
+ ')
+
+ ########################################
+ ## <summary>
+-## Send generic signals to gpg.
++## Send generic signals to user gpg processes.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -175,7 +162,7 @@ interface(`gpg_signal',`
+
+ ########################################
+ ## <summary>
+-## Read and write gpg agent pipes.
++## Read and write GPG agent pipes.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -184,6 +171,7 @@ interface(`gpg_signal',`
+ ## </param>
+ #
+ interface(`gpg_rw_agent_pipes',`
++ # Just wants read/write could this be a leak?
+ gen_require(`
+ type gpg_agent_t;
+ ')
+@@ -193,8 +181,8 @@ interface(`gpg_rw_agent_pipes',`
+
+ ########################################
+ ## <summary>
+-## Send messages to and from gpg
+-## pinentry over DBUS.
++## Send messages to and from GPG
++## Pinentry over DBUS.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -214,7 +202,7 @@ interface(`gpg_pinentry_dbus_chat',`
+
########################################
## <summary>
- ## Send generic signals to user gpg processes.
-@@ -179,3 +218,21 @@ interface(`gpg_list_user_secrets',`
+-## List gpg user secrets.
++## List Gnu Privacy Guard user secrets.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -230,3 +218,39 @@ interface(`gpg_list_user_secrets',`
list_dirs_pattern($1, gpg_secret_t, gpg_secret_t)
userdom_search_user_home_dirs($1)
')
++###########################
++## <summary>
++## Allow to manage gpg named home content
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`gpg_manage_home_content',`
++ gen_require(`
++ type gpg_secret_t;
++ ')
+
++ manage_files_pattern($1, gpg_secret_t, gpg_secret_t)
++ manage_dirs_pattern($1, gpg_secret_t, gpg_secret_t)
++ userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg")
++')
+########################################
+## <summary>
+## Transition to gpg named home content
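Review bot: `files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })` in the new body of `gpg_role` references neither `$1` nor `$2`, so it is a rule on module-private types that is re-emitted for every role calling the interface; it belongs next to the other `gpg_agent_t` rules in gpg.te. The parameter summary of `gpg_entry_type` keeps the copy-paste text `## The domain for which cifs_t is an entrypoint.` while the upstream line naming the right type is dropped; restore `## The domain for which gpg_exec_t is an entrypoint.`. In gnomeclock.te this hunk rewinds `policy_module(gnomeclock, 1.0.5)` to `policy_module(gnomeclock, 1.0.0)` while changing its rules, which makes the shipped module look older than the upstream it diverges from; the same happens to gpg.te in the next hunk. Dropping the `-s` from the `HOME_DIR/\.gnupg/log-socket` entry in gpg.fc lets the gpg_agent_tmp_t label apply to any object at that path rather than only a socket, which appears unintended. `allow gnomeclock_t self:capability { sys_nice sys_time dac_override };` also carries no comment on why the time daemon needs dac_override.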
@@ -25699,22 +25533,41 @@ index 6d50300..2f0feca 100644
+ userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg")
+')
diff --git a/gpg.te b/gpg.te
-index 72a113e..29063e5 100644
+index 44cf341..29063e5 100644
--- a/gpg.te
+++ b/gpg.te
-@@ -4,6 +4,7 @@ policy_module(gpg, 2.6.0)
+@@ -1,47 +1,47 @@
+-policy_module(gpg, 2.7.3)
++policy_module(gpg, 2.6.0)
+
+ ########################################
#
# Declarations
#
+attribute gpgdomain;
## <desc>
- ## <p>
-@@ -13,23 +14,34 @@ policy_module(gpg, 2.6.0)
+-## <p>
+-## Determine whether GPG agent can manage
+-## generic user home content files. This is
+-## required by the --write-env-file option.
+-## </p>
++## <p>
++## Allow usage of the gpg-agent --write-env-file option.
++## This also allows gpg-agent to manage user files.
++## </p>
## </desc>
gen_tunable(gpg_agent_env_file, false)
--type gpg_t;
+-attribute_role gpg_roles;
+-roleattribute system_r gpg_roles;
+-
+-attribute_role gpg_agent_roles;
+-
+-attribute_role gpg_helper_roles;
+-roleattribute system_r gpg_helper_roles;
+-
+-attribute_role gpg_pinentry_roles;
+## <desc>
+## <p>
+## Allow gpg web domain to modify public files
@@ -25722,21 +25575,24 @@ index 72a113e..29063e5 100644
+## </p>
+## </desc>
+gen_tunable(gpg_web_anon_write, false)
-+
+
+-type gpg_t;
+type gpg_t, gpgdomain;
type gpg_exec_t;
typealias gpg_t alias { user_gpg_t staff_gpg_t sysadm_gpg_t };
typealias gpg_t alias { auditadm_gpg_t secadm_gpg_t };
-userdom_user_application_domain(gpg_t, gpg_exec_t)
+-role gpg_roles types gpg_t;
+application_domain(gpg_t, gpg_exec_t)
+ubac_constrained(gpg_t)
- role system_r types gpg_t;
++role system_r types gpg_t;
type gpg_agent_t;
type gpg_agent_exec_t;
typealias gpg_agent_t alias { user_gpg_agent_t staff_gpg_agent_t sysadm_gpg_agent_t };
typealias gpg_agent_t alias { auditadm_gpg_agent_t secadm_gpg_agent_t };
-userdom_user_application_domain(gpg_agent_t, gpg_agent_exec_t)
+-role gpg_agent_roles types gpg_agent_t;
+application_domain(gpg_agent_t, gpg_agent_exec_t)
+ubac_constrained(gpg_agent_t)
@@ -25749,20 +25605,22 @@ index 72a113e..29063e5 100644
type gpg_secret_t;
typealias gpg_secret_t alias { user_gpg_secret_t staff_gpg_secret_t sysadm_gpg_secret_t };
-@@ -40,32 +52,43 @@ type gpg_helper_t;
+@@ -52,112 +52,112 @@ type gpg_helper_t;
type gpg_helper_exec_t;
typealias gpg_helper_t alias { user_gpg_helper_t staff_gpg_helper_t sysadm_gpg_helper_t };
typealias gpg_helper_t alias { auditadm_gpg_helper_t secadm_gpg_helper_t };
-userdom_user_application_domain(gpg_helper_t, gpg_helper_exec_t)
+-role gpg_helper_roles types gpg_helper_t;
+application_domain(gpg_helper_t, gpg_helper_exec_t)
+ubac_constrained(gpg_helper_t)
- role system_r types gpg_helper_t;
++role system_r types gpg_helper_t;
type gpg_pinentry_t;
type pinentry_exec_t;
typealias gpg_pinentry_t alias { user_gpg_pinentry_t staff_gpg_pinentry_t sysadm_gpg_pinentry_t };
typealias gpg_pinentry_t alias { auditadm_gpg_pinentry_t secadm_gpg_pinentry_t };
-userdom_user_application_domain(gpg_pinentry_t, pinentry_exec_t)
+-role gpg_pinentry_roles types gpg_pinentry_t;
+application_domain(gpg_pinentry_t, pinentry_exec_t)
+ubac_constrained(gpg_pinentry_t)
@@ -25775,7 +25633,10 @@ index 72a113e..29063e5 100644
-userdom_user_tmpfs_file(gpg_pinentry_tmpfs_t)
+files_tmpfs_file(gpg_pinentry_tmpfs_t)
+ubac_constrained(gpg_pinentry_tmpfs_t)
-+
+
+-optional_policy(`
+- pulseaudio_tmpfs_content(gpg_pinentry_tmpfs_t)
+-')
+type gpg_web_t;
+domain_type(gpg_web_t)
+gpg_entry_type(gpg_web_t)
@@ -25783,33 +25644,44 @@ index 72a113e..29063e5 100644
########################################
#
- # GPG local policy
+-# Local policy
++# GPG local policy
#
-allow gpg_t self:capability { ipc_lock setuid };
--# setrlimit is for ulimit -c 0
--allow gpg_t self:process { signal signull setrlimit getcap setcap setpgid };
+-allow gpg_t self:process { signal signull setrlimit getcap setcap getsched setsched setpgid };
+-dontaudit gpg_t self:netlink_audit_socket r_netlink_socket_perms;
+-allow gpg_t self:fifo_file rw_fifo_file_perms;
+-allow gpg_t self:tcp_socket { accept listen };
+allow gpgdomain self:capability { ipc_lock setuid };
+allow gpgdomain self:process { getsched setsched };
+#at setrlimit is for ulimit -c 0
+allow gpgdomain self:process { signal signull setrlimit getcap setcap setpgid };
+dontaudit gpgdomain self:netlink_audit_socket r_netlink_socket_perms;
-
--allow gpg_t self:fifo_file rw_fifo_file_perms;
--allow gpg_t self:tcp_socket create_stream_socket_perms;
++
+allow gpgdomain self:fifo_file rw_fifo_file_perms;
+allow gpgdomain self:tcp_socket create_stream_socket_perms;
manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
-@@ -77,16 +100,16 @@ domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
- domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
+ files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file })
- allow gpg_t gpg_secret_t:dir create_dir_perms;
-+manage_sock_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
+-manage_dirs_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
++domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
++
++# transition from the gpg domain to the helper domain
++domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
++
++allow gpg_t gpg_secret_t:dir create_dir_perms;
+ manage_sock_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
manage_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
manage_lnk_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
-userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir)
+-
+-stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)
+-
+-domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
+-domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
+userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir, ".gnupg")
kernel_read_sysctl(gpg_t)
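Review bot: `allow gpgdomain self:tcp_socket create_stream_socket_perms;` re-widens what upstream narrowed to `allow gpg_t self:tcp_socket { accept listen };`, and grants it, together with `ipc_lock setuid` and the setrlimit/setpgid process permissions, to every type carrying the `gpgdomain` attribute rather than to `gpg_t` alone; only `gpg_t` is visibly declared with the attribute in this diff, so a comment listing the intended members and why each needs to create TCP sockets would let a reader check the grant. The comment `#at setrlimit is for ulimit -c 0` has a stray `at`; upstream's `# setrlimit is for ulimit -c 0` reads correctly. The gpg_t block continues outside the hunk.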
@@ -25820,25 +25692,44 @@ index 72a113e..29063e5 100644
-corenet_all_recvfrom_unlabeled(gpg_t)
corenet_all_recvfrom_netlabel(gpg_t)
corenet_tcp_sendrecv_generic_if(gpg_t)
- corenet_udp_sendrecv_generic_if(gpg_t)
-@@ -106,7 +129,6 @@ fs_list_inotifyfs(gpg_t)
++corenet_udp_sendrecv_generic_if(gpg_t)
+ corenet_tcp_sendrecv_generic_node(gpg_t)
+-
+-corenet_sendrecv_all_client_packets(gpg_t)
+-corenet_tcp_connect_all_ports(gpg_t)
++corenet_udp_sendrecv_generic_node(gpg_t)
+ corenet_tcp_sendrecv_all_ports(gpg_t)
++corenet_udp_sendrecv_all_ports(gpg_t)
++corenet_tcp_connect_all_ports(gpg_t)
++corenet_sendrecv_all_client_packets(gpg_t)
- domain_use_interactive_fds(gpg_t)
+-dev_read_generic_usb_dev(gpg_t)
+ dev_read_rand(gpg_t)
+ dev_read_urand(gpg_t)
+-
+-files_read_usr_files(gpg_t)
+-files_dontaudit_search_var(gpg_t)
++dev_read_generic_usb_dev(gpg_t)
--files_read_etc_files(gpg_t)
- files_read_usr_files(gpg_t)
- files_dontaudit_search_var(gpg_t)
+ fs_getattr_xattr_fs(gpg_t)
+ fs_list_inotifyfs(gpg_t)
+
+ domain_use_interactive_fds(gpg_t)
-@@ -114,24 +136,23 @@ auth_use_nsswitch(gpg_t)
++files_read_usr_files(gpg_t)
++files_dontaudit_search_var(gpg_t)
++
+ auth_use_nsswitch(gpg_t)
logging_send_syslog_msg(gpg_t)
-miscfiles_read_localization(gpg_t)
-
-userdom_use_user_terminals(gpg_t)
-+userdom_use_inherited_user_terminals(gpg_t)
- # sign/encrypt user files
+-
-userdom_manage_user_tmp_files(gpg_t)
++userdom_use_inherited_user_terminals(gpg_t)
++# sign/encrypt user files
+userdom_manage_all_user_tmp_content(gpg_t)
+#userdom_manage_user_home_content(gpg_t)
userdom_manage_user_home_content_files(gpg_t)
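Review bot: `userdom_manage_all_user_tmp_content(gpg_t)` replaces upstream's `userdom_manage_user_tmp_files(gpg_t)` and so lets gpg manage every object class under user tmp types, not just files; the `# sign/encrypt user files` comment above it no longer explains that breadth, and a comment naming what gpg needs beyond files would justify the wider rule or argue for keeping the narrower one. The commented-out `#userdom_manage_user_home_content(gpg_t)` is dead policy; delete it or turn it into a real comment explaining why it was not used. The `#optional_policy(` that opens at the end of the next hunk is the same pattern.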
@@ -25846,39 +25737,49 @@ index 72a113e..29063e5 100644
userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
+userdom_stream_connect(gpg_t)
--mta_write_config(gpg_t)
-+mta_manage_config(gpg_t)
-+mta_read_spool(gpg_t)
-
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(gpg_t)
- fs_manage_nfs_files(gpg_t)
-')
-+userdom_home_manager(gpg_t)
-
+-
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(gpg_t)
- fs_manage_cifs_files(gpg_t)
-+optional_policy(`
+-')
++mta_manage_config(gpg_t)
++mta_read_spool(gpg_t)
+
+-optional_policy(`
+- gnome_read_generic_home_content(gpg_t)
+- gnome_stream_connect_all_gkeyringd(gpg_t)
+-')
++userdom_home_manager(gpg_t)
+
+ optional_policy(`
+- mozilla_dontaudit_rw_user_home_files(gpg_t)
+ gnome_read_config(gpg_t)
+ gnome_stream_connect_gkeyringd(gpg_t)
')
optional_policy(`
-@@ -140,15 +161,19 @@ optional_policy(`
+- mta_read_spool_files(gpg_t)
+- mta_write_config(gpg_t)
++ mozilla_read_user_home_files(gpg_t)
++ mozilla_write_user_home_files(gpg_t)
')
optional_policy(`
-- xserver_use_xdm_fds(gpg_t)
-- xserver_rw_xdm_pipes(gpg_t)
-+ spamassassin_read_spamd_tmp_files(gpg_t)
+@@ -165,37 +165,49 @@ optional_policy(`
')
optional_policy(`
- cron_system_entry(gpg_t, gpg_exec_t)
- cron_read_system_job_tmp_files(gpg_t)
-+ xserver_use_xdm_fds(gpg_t)
-+ xserver_rw_xdm_pipes(gpg_t)
+-')
+-
+-optional_policy(`
+ xserver_use_xdm_fds(gpg_t)
+ xserver_rw_xdm_pipes(gpg_t)
')
+#optional_policy(`
@@ -25888,21 +25789,40 @@ index 72a113e..29063e5 100644
+
########################################
#
- # GPG helper local policy
-@@ -166,7 +191,6 @@ allow gpg_helper_t self:udp_socket { connect connected_socket_perms };
+-# Helper local policy
++# GPG helper local policy
+ #
- dontaudit gpg_helper_t gpg_secret_t:file read;
+ allow gpg_helper_t self:process { getsched setsched };
++
++# for helper programs (which automatically fetch keys)
++# Note: this is only tested with the hkp interface. If you use eg the
++# mail interface you will likely need additional permissions.
++
+ allow gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
++allow gpg_helper_t self:tcp_socket { connect connected_socket_perms };
++allow gpg_helper_t self:udp_socket { connect connected_socket_perms };
+
+-dontaudit gpg_helper_t gpg_secret_t:file read_file_perms;
++dontaudit gpg_helper_t gpg_secret_t:file read;
-corenet_all_recvfrom_unlabeled(gpg_helper_t)
corenet_all_recvfrom_netlabel(gpg_helper_t)
corenet_tcp_sendrecv_generic_if(gpg_helper_t)
- corenet_raw_sendrecv_generic_if(gpg_helper_t)
-@@ -180,11 +204,10 @@ corenet_tcp_bind_generic_node(gpg_helper_t)
- corenet_udp_bind_generic_node(gpg_helper_t)
++corenet_raw_sendrecv_generic_if(gpg_helper_t)
++corenet_udp_sendrecv_generic_if(gpg_helper_t)
+ corenet_tcp_sendrecv_generic_node(gpg_helper_t)
++corenet_udp_sendrecv_generic_node(gpg_helper_t)
++corenet_raw_sendrecv_generic_node(gpg_helper_t)
+ corenet_tcp_sendrecv_all_ports(gpg_helper_t)
+-
+-corenet_sendrecv_all_client_packets(gpg_helper_t)
++corenet_udp_sendrecv_all_ports(gpg_helper_t)
++corenet_tcp_bind_generic_node(gpg_helper_t)
++corenet_udp_bind_generic_node(gpg_helper_t)
corenet_tcp_connect_all_ports(gpg_helper_t)
--files_read_etc_files(gpg_helper_t)
-
++
auth_use_nsswitch(gpg_helper_t)
-userdom_use_user_terminals(gpg_helper_t)
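Review bot: `dontaudit gpg_helper_t gpg_secret_t:file read;` narrows upstream's `read_file_perms` dontaudit to the bare `read` permission, so `open`/`getattr` attempts by the key-fetch helper on the user's secret keyring will now be audited while `read` alone stays silent. Surfacing helper access to secret-key material is a useful detection signal if that is the intent, but a denied open never reaches read, so the split looks accidental; either keep `read_file_perms` or add a comment such as `# audit open() on secret keys by helper programs; only bare read is silenced` so the next upstream merge does not quietly revert it. The added `tcp_socket`/`udp_socket` connect rules are covered by the hkp comment above them, which already warns that other key-fetch interfaces may need more.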
@@ -25910,42 +25830,57 @@ index 72a113e..29063e5 100644
tunable_policy(`use_nfs_home_dirs',`
fs_dontaudit_rw_nfs_files(gpg_helper_t)
-@@ -198,15 +221,17 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -207,29 +219,33 @@ tunable_policy(`use_samba_home_dirs',`
+
+ ########################################
#
- # GPG agent local policy
+-# Agent local policy
++# GPG agent local policy
#
+domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
- # rlimit: gpg-agent wants to prevent coredumps
++# rlimit: gpg-agent wants to prevent coredumps
allow gpg_agent_t self:process setrlimit;
-
--allow gpg_agent_t self:unix_stream_socket create_stream_socket_perms ;
+-allow gpg_agent_t self:unix_stream_socket { create_stream_socket_perms connectto };
++
+allow gpg_agent_t self:unix_stream_socket { create_stream_socket_perms connectto } ;
allow gpg_agent_t self:fifo_file rw_fifo_file_perms;
- # read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
++# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
manage_dirs_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
-+manage_sock_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
+ manage_sock_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
-@@ -223,43 +248,34 @@ corecmd_read_bin_symlinks(gpg_agent_t)
- corecmd_search_bin(gpg_agent_t)
- corecmd_exec_shell(gpg_agent_t)
++# Allow the gpg-agent to manage its tmp files (socket)
+ manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
+ manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
+ manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
+ files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })
+
+-filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "log-socket")
+-
+-domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t)
+-
+-kernel_dontaudit_search_sysctl(gpg_agent_t)
++# allow gpg to connect to the gpg agent
++stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)
-+dev_read_rand(gpg_agent_t)
- dev_read_urand(gpg_agent_t)
++corecmd_read_bin_symlinks(gpg_agent_t)
++corecmd_search_bin(gpg_agent_t)
+ corecmd_exec_shell(gpg_agent_t)
- domain_use_interactive_fds(gpg_agent_t)
+ dev_read_rand(gpg_agent_t)
+@@ -239,32 +255,27 @@ domain_use_interactive_fds(gpg_agent_t)
fs_dontaudit_list_inotifyfs(gpg_agent_t)
-miscfiles_read_localization(gpg_agent_t)
- # Write to the user domain tty.
-userdom_use_user_terminals(gpg_agent_t)
++# Write to the user domain tty.
+userdom_use_inherited_user_terminals(gpg_agent_t)
- # read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
++# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
userdom_search_user_home_dirs(gpg_agent_t)
ifdef(`hide_broken_symptoms',`
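Review bot: `allow gpg_agent_t self:unix_stream_socket { create_stream_socket_perms connectto } ;` has a stray space before the semicolon, and it re-adds the very rule the line above removes from upstream (`{ create_stream_socket_perms connectto };`), so the downstream patch now carries a whitespace-only delta; drop both the removal and the re-addition and let the upstream line stand. The `stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)` with its `# allow gpg to connect to the gpg agent` comment is fine, but the matching `domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)` sits above the coredump comment without any of its own; grouping the two gpg_t-to-agent rules under one comment would read better.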
@@ -25954,13 +25889,13 @@ index 72a113e..29063e5 100644
')
tunable_policy(`gpg_agent_env_file',`
- # write ~/.gpg-agent-info or a similar to the users home dir
- # or subdir (gpg-agent --write-env-file option)
- #
-- userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, file)
++ # write ~/.gpg-agent-info or a similar to the users home dir
++ # or subdir (gpg-agent --write-env-file option)
++ #
+ userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, { dir file })
userdom_manage_user_home_content_dirs(gpg_agent_t)
userdom_manage_user_home_content_files(gpg_agent_t)
+- userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, file)
')
-tunable_policy(`use_nfs_home_dirs',`
@@ -25978,39 +25913,71 @@ index 72a113e..29063e5 100644
optional_policy(`
mozilla_dontaudit_rw_user_home_files(gpg_agent_t)
-@@ -294,10 +310,10 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir })
- # read /proc/meminfo
+@@ -277,8 +288,17 @@ optional_policy(`
+
+ allow gpg_pinentry_t self:process { getcap getsched setsched signal };
+ allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms;
++allow gpg_pinentry_t self:netlink_route_socket create_netlink_socket_perms;
+ allow gpg_pinentry_t self:shm create_shm_perms;
+-allow gpg_pinentry_t self:tcp_socket { accept listen };
++allow gpg_pinentry_t self:tcp_socket create_stream_socket_perms;
++allow gpg_pinentry_t self:unix_dgram_socket sendto;
++allow gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
++
++can_exec(gpg_pinentry_t, pinentry_exec_t)
++
++# we need to allow gpg-agent to call pinentry so it can get the passphrase
++# from the user.
++domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t)
+
+ manage_sock_files_pattern(gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
+ userdom_user_tmp_filetrans(gpg_pinentry_t, gpg_pinentry_tmp_t, sock_file)
+@@ -287,53 +307,91 @@ manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
+ manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
+ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir })
+
+-can_exec(gpg_pinentry_t, pinentry_exec_t)
+-
++# read /proc/meminfo
kernel_read_system_state(gpg_pinentry_t)
-+corecmd_exec_shell(gpg_pinentry_t)
+ corecmd_exec_shell(gpg_pinentry_t)
corecmd_exec_bin(gpg_pinentry_t)
corenet_all_recvfrom_netlabel(gpg_pinentry_t)
-corenet_all_recvfrom_unlabeled(gpg_pinentry_t)
- corenet_sendrecv_pulseaudio_client_packets(gpg_pinentry_t)
- corenet_tcp_bind_generic_node(gpg_pinentry_t)
- corenet_tcp_connect_pulseaudio_port(gpg_pinentry_t)
-@@ -310,7 +326,6 @@ dev_read_rand(gpg_pinentry_t)
++corenet_sendrecv_pulseaudio_client_packets(gpg_pinentry_t)
++corenet_tcp_bind_generic_node(gpg_pinentry_t)
++corenet_tcp_connect_pulseaudio_port(gpg_pinentry_t)
+ corenet_tcp_sendrecv_generic_if(gpg_pinentry_t)
+ corenet_tcp_sendrecv_generic_node(gpg_pinentry_t)
++corenet_tcp_sendrecv_generic_port(gpg_pinentry_t)
+ dev_read_urand(gpg_pinentry_t)
+ dev_read_rand(gpg_pinentry_t)
+
+-domain_use_interactive_fds(gpg_pinentry_t)
+-
files_read_usr_files(gpg_pinentry_t)
- # read /etc/X11/qtrc
--files_read_etc_files(gpg_pinentry_t)
++# read /etc/X11/qtrc
fs_dontaudit_list_inotifyfs(gpg_pinentry_t)
- fs_getattr_tmpfs(gpg_pinentry_t)
-@@ -320,18 +335,19 @@ auth_use_nsswitch(gpg_pinentry_t)
++fs_getattr_tmpfs(gpg_pinentry_t)
+
+ auth_use_nsswitch(gpg_pinentry_t)
+
logging_send_syslog_msg(gpg_pinentry_t)
miscfiles_read_fonts(gpg_pinentry_t)
-miscfiles_read_localization(gpg_pinentry_t)
- # for .Xauthority
- userdom_read_user_home_content_files(gpg_pinentry_t)
- userdom_read_user_tmpfs_files(gpg_pinentry_t)
++# for .Xauthority
++userdom_read_user_home_content_files(gpg_pinentry_t)
++userdom_read_user_tmpfs_files(gpg_pinentry_t)
+# Bug: user pulseaudio files need open,read and unlink:
+allow gpg_pinentry_t user_tmpfs_t:file unlink;
+userdom_signull_unpriv_users(gpg_pinentry_t)
-+userdom_use_user_terminals(gpg_pinentry_t)
+ userdom_use_user_terminals(gpg_pinentry_t)
-tunable_policy(`use_nfs_home_dirs',`
- fs_read_nfs_files(gpg_pinentry_t)
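Review bot: `allow gpg_pinentry_t self:tcp_socket create_stream_socket_perms;` replaces upstream's `{ accept listen }`, and the same rewrite adds `self:netlink_route_socket create_netlink_socket_perms` and `corenet_tcp_sendrecv_generic_port(gpg_pinentry_t)`, with no comment on which pinentry backend needs a general-purpose TCP socket. pinentry is the component that receives the passphrase, so each widening of its network reach deserves a one-line rationale (the pulseaudio rules below already scope the one documented case to `corenet_tcp_connect_pulseaudio_port`); if the extra sockets only serve name resolution, say so, e.g. `# tcp + netlink_route sockets: needed by <pinentry backend> — confirm`. Note too that gpg_t and gpg_agent_t moved to `userdom_use_inherited_user_terminals` in earlier hunks while pinentry keeps upstream's `userdom_use_user_terminals(gpg_pinentry_t)`; if that is deliberate (the curses backend opening the tty itself) a comment would stop it being "fixed" later.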
@@ -26024,20 +25991,25 @@ index 72a113e..29063e5 100644
')
optional_policy(`
-@@ -340,6 +356,12 @@ optional_policy(`
+- dbus_all_session_bus_client(gpg_pinentry_t)
++ dbus_session_bus_client(gpg_pinentry_t)
+ dbus_system_bus_client(gpg_pinentry_t)
')
optional_policy(`
+- pulseaudio_run(gpg_pinentry_t, gpg_pinentry_roles)
+ gnome_write_generic_cache_files(gpg_pinentry_t)
+ gnome_read_generic_cache_files(gpg_pinentry_t)
+ gnome_read_gconf_home_files(gpg_pinentry_t)
+')
+
+optional_policy(`
- pulseaudio_exec(gpg_pinentry_t)
- pulseaudio_rw_home_files(gpg_pinentry_t)
- pulseaudio_setattr_home_dir(gpg_pinentry_t)
-@@ -349,4 +371,27 @@ optional_policy(`
++ pulseaudio_exec(gpg_pinentry_t)
++ pulseaudio_rw_home_files(gpg_pinentry_t)
++ pulseaudio_setattr_home_dir(gpg_pinentry_t)
++ pulseaudio_stream_connect(gpg_pinentry_t)
++ pulseaudio_signull(gpg_pinentry_t)
+ ')
optional_policy(`
xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t)
@@ -26065,52 +26037,12 @@ index 72a113e..29063e5 100644
+tunable_policy(`gpg_web_anon_write',`
+ miscfiles_manage_public_files(gpg_web_t)
')
-diff --git a/gpm.if b/gpm.if
-index 7d97298..d6b2959 100644
---- a/gpm.if
-+++ b/gpm.if
-@@ -16,8 +16,8 @@ interface(`gpm_stream_connect',`
- type gpmctl_t, gpm_t;
- ')
-
-- allow $1 gpmctl_t:sock_file rw_sock_file_perms;
-- allow $1 gpm_t:unix_stream_socket connectto;
-+ dev_list_all_dev_nodes($1)
-+ stream_connect_pattern($1, gpmctl_t, gpmctl_t, gpm_t)
- ')
-
- ########################################
-@@ -37,7 +37,7 @@ interface(`gpm_getattr_gpmctl',`
- ')
-
- dev_list_all_dev_nodes($1)
-- allow $1 gpmctl_t:sock_file getattr;
-+ allow $1 gpmctl_t:sock_file getattr_sock_file_perms;
- ')
-
- ########################################
-@@ -57,7 +57,7 @@ interface(`gpm_dontaudit_getattr_gpmctl',`
- type gpmctl_t;
- ')
-
-- dontaudit $1 gpmctl_t:sock_file getattr;
-+ dontaudit $1 gpmctl_t:sock_file getattr_sock_file_perms;
- ')
-
- ########################################
-@@ -77,5 +77,5 @@ interface(`gpm_setattr_gpmctl',`
- ')
-
- dev_list_all_dev_nodes($1)
-- allow $1 gpmctl_t:sock_file setattr;
-+ allow $1 gpmctl_t:sock_file setattr_sock_file_perms;
- ')
diff --git a/gpm.te b/gpm.te
-index a627b34..0120907 100644
+index 3226f52..bc3f49e 100644
--- a/gpm.te
+++ b/gpm.te
-@@ -10,7 +10,7 @@ type gpm_exec_t;
- init_daemon_domain(gpm_t, gpm_exec_t)
+@@ -13,7 +13,7 @@ type gpm_initrc_exec_t;
+ init_script_file(gpm_initrc_exec_t)
type gpm_conf_t;
-files_type(gpm_conf_t)
@@ -26118,12 +26050,13 @@ index a627b34..0120907 100644
type gpm_tmp_t;
files_tmp_file(gpm_tmp_t)
-@@ -65,10 +65,9 @@ domain_use_interactive_fds(gpm_t)
+@@ -68,11 +68,9 @@ domain_use_interactive_fds(gpm_t)
logging_send_syslog_msg(gpm_t)
-miscfiles_read_localization(gpm_t)
-
+-userdom_use_user_terminals(gpm_t)
userdom_dontaudit_use_unpriv_user_fds(gpm_t)
userdom_dontaudit_search_user_home_dirs(gpm_t)
+userdom_use_inherited_user_terminals(gpm_t)
@@ -26131,36 +26064,12 @@ index a627b34..0120907 100644
optional_policy(`
seutil_sigchld_newrole(gpm_t)
diff --git a/gpsd.te b/gpsd.te
-index 03742d8..4fefc6e 100644
+index 25f09ae..61d3e29 100644
--- a/gpsd.te
+++ b/gpsd.te
-@@ -24,8 +24,9 @@ files_pid_file(gpsd_var_run_t)
- # gpsd local policy
- #
-
--allow gpsd_t self:capability { fowner fsetid setuid setgid sys_nice sys_tty_config };
--allow gpsd_t self:process setsched;
-+allow gpsd_t self:capability { fowner fsetid setuid setgid sys_nice sys_time sys_tty_config };
-+dontaudit gpsd_t self:capability { dac_read_search dac_override };
-+allow gpsd_t self:process { setsched signal_perms };
- allow gpsd_t self:shm create_shm_perms;
- allow gpsd_t self:unix_dgram_socket { create_socket_perms sendto };
- allow gpsd_t self:tcp_socket create_stream_socket_perms;
-@@ -38,22 +39,34 @@ manage_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t)
- manage_sock_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t)
- files_pid_filetrans(gpsd_t, gpsd_var_run_t, { file sock_file })
-
--corenet_all_recvfrom_unlabeled(gpsd_t)
-+kernel_list_proc(gpsd_t)
-+kernel_request_load_module(gpsd_t)
-+
- corenet_all_recvfrom_netlabel(gpsd_t)
- corenet_tcp_sendrecv_generic_if(gpsd_t)
- corenet_tcp_sendrecv_generic_node(gpsd_t)
- corenet_tcp_sendrecv_all_ports(gpsd_t)
--corenet_tcp_bind_all_nodes(gpsd_t)
-+corenet_tcp_bind_generic_node(gpsd_t)
- corenet_tcp_bind_gpsd_port(gpsd_t)
+@@ -60,14 +60,25 @@ dev_rw_realtime_clock(gpsd_t)
+
+ domain_dontaudit_read_all_domains_state(gpsd_t)
+dev_read_sysfs(gpsd_t)
+dev_rw_realtime_clock(gpsd_t)
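Review bot: `dev_rw_realtime_clock(gpsd_t)` added by the rewritten `@@ -60,14 +60,25 @@` gpsd.te hunk appears to duplicate a rule upstream already has, since the same call is that hunk's own context label (the nearest preceding line of the unpatched file). Duplicate allow rules compile, but they inflate the downstream delta and obscure what the patch really changes; dropping the added line and keeping only `dev_read_sysfs(gpsd_t)` would be cleaner, assuming the label is not stale. The rest of the rewritten gpsd.te hunk continues in the next hunk of this diff.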
@@ -26170,6 +26079,7 @@ index 03742d8..4fefc6e 100644
term_use_unallocated_ttys(gpsd_t)
term_setattr_unallocated_ttys(gpsd_t)
+term_use_usb_ttys(gpsd_t)
++term_setattr_usb_ttys(gpsd_t)
auth_use_nsswitch(gpsd_t)
@@ -26183,383 +26093,41 @@ index 03742d8..4fefc6e 100644
+')
optional_policy(`
- dbus_system_bus_client(gpsd_t)
+ chronyd_rw_shm(gpsd_t)
diff --git a/guest.te b/guest.te
-index 1cb7311..1de82b2 100644
+index d928711..93d2d83 100644
--- a/guest.te
+++ b/guest.te
-@@ -9,9 +9,15 @@ role guest_r;
-
- userdom_restricted_user_template(guest)
-
-+kernel_read_system_state(guest_t)
-+
- ########################################
- #
- # Local policy
- #
-
--#gen_user(guest_u,, guest_r, s0, s0)
-+optional_policy(`
-+ apache_role(guest_r, guest_t)
-+')
-+
-+gen_user(guest_u, user, guest_r, s0, s0)
-diff --git a/hadoop.if b/hadoop.if
-index 2d0b4e1..6649814 100644
---- a/hadoop.if
-+++ b/hadoop.if
-@@ -89,7 +89,6 @@ template(`hadoop_domain_template',`
- corecmd_exec_bin(hadoop_$1_t)
- corecmd_exec_shell(hadoop_$1_t)
-
-- corenet_all_recvfrom_unlabeled(hadoop_$1_t)
- corenet_all_recvfrom_netlabel(hadoop_$1_t)
- corenet_tcp_bind_all_nodes(hadoop_$1_t)
- corenet_tcp_sendrecv_generic_if(hadoop_$1_t)
-@@ -120,7 +119,6 @@ template(`hadoop_domain_template',`
- logging_send_audit_msgs(hadoop_$1_t)
- logging_send_syslog_msg(hadoop_$1_t)
-
-- miscfiles_read_localization(hadoop_$1_t)
-
- sysnet_read_config(hadoop_$1_t)
-
-@@ -191,7 +189,6 @@ template(`hadoop_domain_template',`
- logging_send_syslog_msg(hadoop_$1_initrc_t)
- logging_send_audit_msgs(hadoop_$1_initrc_t)
-
-- miscfiles_read_localization(hadoop_$1_initrc_t)
-
- userdom_dontaudit_search_user_home_dirs(hadoop_$1_initrc_t)
-
-@@ -224,14 +221,21 @@ interface(`hadoop_role',`
- hadoop_domtrans($2)
- role $1 types hadoop_t;
-
-- allow $2 hadoop_t:process { ptrace signal_perms };
-+ allow $2 hadoop_t:process signal_perms;
- ps_process_pattern($2, hadoop_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $2 hadoop_t:process ptrace;
-+ ')
-
- hadoop_domtrans_zookeeper_client($2)
- role $1 types zookeeper_t;
-
-- allow $2 zookeeper_t:process { ptrace signal_perms };
-+ allow $2 zookeeper_t:process signal_perms;
- ps_process_pattern($2, zookeeper_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $2 zookeeper_t:process ptrace;
-+ ')
-+
- ')
-
- ########################################
-diff --git a/hadoop.te b/hadoop.te
-index c81c58a..86e3d1d 100644
---- a/hadoop.te
-+++ b/hadoop.te
-@@ -123,7 +123,6 @@ kernel_read_system_state(hadoop_t)
- corecmd_exec_bin(hadoop_t)
- corecmd_exec_shell(hadoop_t)
-
--corenet_all_recvfrom_unlabeled(hadoop_t)
- corenet_all_recvfrom_netlabel(hadoop_t)
- corenet_tcp_sendrecv_generic_if(hadoop_t)
- corenet_udp_sendrecv_generic_if(hadoop_t)
-@@ -151,20 +150,22 @@ dev_read_urand(hadoop_t)
- domain_use_interactive_fds(hadoop_t)
-
- files_dontaudit_search_spool(hadoop_t)
--files_read_etc_files(hadoop_t)
- files_read_usr_files(hadoop_t)
-
- fs_getattr_xattr_fs(hadoop_t)
-
--miscfiles_read_localization(hadoop_t)
-+auth_use_nsswitch(hadoop_t)
-
--sysnet_read_config(hadoop_t)
-
--userdom_use_user_terminals(hadoop_t)
-+userdom_use_inherited_user_terminals(hadoop_t)
-
--java_exec(hadoop_t)
-+optional_policy(`
-+ java_exec(hadoop_t)
-+')
-
--kerberos_use(hadoop_t)
-+optional_policy(`
-+ kerberos_use(hadoop_t)
-+')
-
- optional_policy(`
- nis_use_ypbind(hadoop_t)
-@@ -311,7 +312,6 @@ kernel_read_system_state(zookeeper_t)
- corecmd_exec_bin(zookeeper_t)
- corecmd_exec_shell(zookeeper_t)
-
--corenet_all_recvfrom_unlabeled(zookeeper_t)
- corenet_all_recvfrom_netlabel(zookeeper_t)
- corenet_tcp_sendrecv_generic_if(zookeeper_t)
- corenet_udp_sendrecv_generic_if(zookeeper_t)
-@@ -333,20 +333,18 @@ dev_read_urand(zookeeper_t)
-
- domain_use_interactive_fds(zookeeper_t)
-
--files_read_etc_files(zookeeper_t)
- files_read_usr_files(zookeeper_t)
-
--miscfiles_read_localization(zookeeper_t)
-+auth_use_nsswitch(zookeeper_t)
-+
-
- sysnet_read_config(zookeeper_t)
-
--userdom_use_user_terminals(zookeeper_t)
-+userdom_use_inherited_user_terminals(zookeeper_t)
- userdom_dontaudit_search_user_home_dirs(zookeeper_t)
-
--java_exec(zookeeper_t)
--
- optional_policy(`
-- nscd_socket_use(zookeeper_t)
-+ java_exec(zookeeper_t)
- ')
-
- ########################################
-@@ -393,7 +391,6 @@ kernel_read_system_state(zookeeper_server_t)
- corecmd_exec_bin(zookeeper_server_t)
- corecmd_exec_shell(zookeeper_server_t)
-
--corenet_all_recvfrom_unlabeled(zookeeper_server_t)
- corenet_all_recvfrom_netlabel(zookeeper_server_t)
- corenet_tcp_sendrecv_generic_if(zookeeper_server_t)
- corenet_udp_sendrecv_generic_if(zookeeper_server_t)
-@@ -421,15 +418,14 @@ dev_read_rand(zookeeper_server_t)
- dev_read_sysfs(zookeeper_server_t)
- dev_read_urand(zookeeper_server_t)
-
--files_read_etc_files(zookeeper_server_t)
- files_read_usr_files(zookeeper_server_t)
-
- fs_getattr_xattr_fs(zookeeper_server_t)
-
- logging_send_syslog_msg(zookeeper_server_t)
-
--miscfiles_read_localization(zookeeper_server_t)
--
- sysnet_read_config(zookeeper_server_t)
-
--java_exec(zookeeper_server_t)
-+optional_policy(`
-+ java_exec(zookeeper_server_t)
-+')
-diff --git a/hal.if b/hal.if
-index 7cf6763..9d2be6b 100644
---- a/hal.if
-+++ b/hal.if
-@@ -69,7 +69,9 @@ interface(`hal_ptrace',`
- type hald_t;
- ')
-
-- allow $1 hald_t:process ptrace;
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 hald_t:process ptrace;
-+ ')
- ')
-
- ########################################
-@@ -431,3 +433,22 @@ interface(`hal_manage_pid_files',`
- files_search_pids($1)
- manage_files_pattern($1, hald_var_run_t, hald_var_run_t)
+@@ -20,4 +20,4 @@ optional_policy(`
+ apache_role(guest_r, guest_t)
')
-+
-+#######################################
-+## <summary>
-+## Do not audit attempts to read
-+## hald PID files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
-+interface(`hal_dontaudit_read_pid_files',`
-+ gen_require(`
-+ type hald_var_run_t;
-+ ')
-+
-+ dontaudit $1 hald_var_run_t:file read_inherited_file_perms;
-+')
-diff --git a/hal.te b/hal.te
-index e0476cb..0caa5ba 100644
---- a/hal.te
-+++ b/hal.te
-@@ -54,6 +54,9 @@ files_pid_file(hald_var_run_t)
- type hald_var_lib_t;
- files_type(hald_var_lib_t)
-
-+typealias hald_log_t alias pmtools_log_t;
-+typealias hald_var_run_t alias pmtools_var_run_t;
-+
- ########################################
- #
- # Local policy
-@@ -61,7 +64,7 @@ files_type(hald_var_lib_t)
-
- # execute openvt which needs setuid
- allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config };
--dontaudit hald_t self:capability {sys_ptrace sys_tty_config };
-+dontaudit hald_t self:capability sys_tty_config;
- allow hald_t self:process { getsched getattr signal_perms };
- allow hald_t self:fifo_file rw_fifo_file_perms;
- allow hald_t self:unix_stream_socket { create_stream_socket_perms connectto };
-@@ -99,6 +102,7 @@ kernel_read_fs_sysctls(hald_t)
- kernel_rw_irq_sysctls(hald_t)
- kernel_rw_vm_sysctls(hald_t)
- kernel_write_proc_files(hald_t)
-+kernel_rw_net_sysctls(hald_t)
- kernel_search_network_sysctl(hald_t)
- kernel_setsched(hald_t)
- kernel_request_load_module(hald_t)
-@@ -107,7 +111,6 @@ auth_read_pam_console_data(hald_t)
-
- corecmd_exec_all_executables(hald_t)
-
--corenet_all_recvfrom_unlabeled(hald_t)
- corenet_all_recvfrom_netlabel(hald_t)
- corenet_tcp_sendrecv_generic_if(hald_t)
- corenet_udp_sendrecv_generic_if(hald_t)
-@@ -139,7 +142,6 @@ domain_read_all_domains_state(hald_t)
- domain_dontaudit_ptrace_all_domains(hald_t)
-
- files_exec_etc_files(hald_t)
--files_read_etc_files(hald_t)
- files_rw_etc_runtime_files(hald_t)
- files_manage_mnt_dirs(hald_t)
- files_manage_mnt_files(hald_t)
-@@ -201,7 +203,6 @@ logging_send_audit_msgs(hald_t)
- logging_send_syslog_msg(hald_t)
- logging_search_logs(hald_t)
-
--miscfiles_read_localization(hald_t)
- miscfiles_read_hwdata(hald_t)
-
- modutils_domtrans_insmod(hald_t)
-@@ -372,7 +373,6 @@ dev_setattr_generic_usb_dev(hald_acl_t)
- dev_setattr_usbfs_files(hald_acl_t)
-
- files_read_usr_files(hald_acl_t)
--files_read_etc_files(hald_acl_t)
-
- fs_getattr_all_fs(hald_acl_t)
-
-@@ -385,8 +385,6 @@ auth_use_nsswitch(hald_acl_t)
-
- logging_send_syslog_msg(hald_acl_t)
-
--miscfiles_read_localization(hald_acl_t)
--
- optional_policy(`
- policykit_dbus_chat(hald_acl_t)
- policykit_domtrans_auth(hald_acl_t)
-@@ -418,14 +416,11 @@ dev_write_raw_memory(hald_mac_t)
- dev_read_sysfs(hald_mac_t)
-
- files_read_usr_files(hald_mac_t)
--files_read_etc_files(hald_mac_t)
-
- auth_use_nsswitch(hald_mac_t)
-
- logging_send_syslog_msg(hald_mac_t)
-
--miscfiles_read_localization(hald_mac_t)
--
- ########################################
- #
- # Local hald sonypic policy
-@@ -446,7 +441,6 @@ write_files_pattern(hald_sonypic_t, hald_log_t, hald_log_t)
-
- files_read_usr_files(hald_sonypic_t)
-
--miscfiles_read_localization(hald_sonypic_t)
-
- ########################################
- #
-@@ -465,10 +459,8 @@ write_files_pattern(hald_keymap_t, hald_log_t, hald_log_t)
-
- dev_rw_input_dev(hald_keymap_t)
-
--files_read_etc_files(hald_keymap_t)
- files_read_usr_files(hald_keymap_t)
-
--miscfiles_read_localization(hald_keymap_t)
-
- ########################################
- #
-@@ -504,7 +496,6 @@ kernel_search_network_sysctl(hald_dccm_t)
- dev_read_urand(hald_dccm_t)
-
--corenet_all_recvfrom_unlabeled(hald_dccm_t)
- corenet_all_recvfrom_netlabel(hald_dccm_t)
- corenet_tcp_sendrecv_generic_if(hald_dccm_t)
- corenet_udp_sendrecv_generic_if(hald_dccm_t)
-@@ -518,14 +509,12 @@ corenet_udp_bind_dhcpc_port(hald_dccm_t)
- corenet_tcp_bind_ftp_port(hald_dccm_t)
- corenet_tcp_bind_dccm_port(hald_dccm_t)
-
--logging_send_syslog_msg(hald_dccm_t)
--
- files_read_usr_files(hald_dccm_t)
-
--miscfiles_read_localization(hald_dccm_t)
--
- hal_dontaudit_rw_dgram_sockets(hald_dccm_t)
-
-+logging_send_syslog_msg(hald_dccm_t)
-+
- optional_policy(`
- dbus_system_bus_client(hald_dccm_t)
- ')
+-#gen_user(guest_u, user, guest_r, s0, s0)
++gen_user(guest_u, user, guest_r, s0, s0)
diff --git a/hddtemp.if b/hddtemp.if
-index 87b4531..901d905 100644
+index 1728071..77e71ea 100644
--- a/hddtemp.if
+++ b/hddtemp.if
-@@ -60,8 +60,11 @@ interface(`hddtemp_admin',`
+@@ -60,9 +60,13 @@ interface(`hddtemp_admin',`
type hddtemp_t, hddtemp_etc_t, hddtemp_initrc_exec_t;
')
- allow $1 hddtemp_t:process { ptrace signal_perms };
+ allow $1 hddtemp_t:process signal_perms;
ps_process_pattern($1, hddtemp_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 hddtemp_t:process ptrace;
+ ')
-
++
init_labeled_script_domtrans($1, hddtemp_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -69,9 +72,5 @@ interface(`hddtemp_admin',`
- allow $2 system_r;
-
- admin_pattern($1, hddtemp_etc_t)
-- files_search_etc($1)
--
-- allow $1 hddtemp_t:dir list_dir_perms;
-- read_lnk_files_pattern($1, hddtemp_t, hddtemp_t)
-- kernel_search_proc($1)
-+ files_list_etc($1)
- ')
+ role_transition $2 hddtemp_initrc_exec_t system_r;
diff --git a/hddtemp.te b/hddtemp.te
-index c234b32..41d985d 100644
+index 18d76bb..588c964 100644
--- a/hddtemp.te
+++ b/hddtemp.te
-@@ -28,7 +28,6 @@ allow hddtemp_t self:udp_socket create_socket_perms;
+@@ -26,7 +26,6 @@ allow hddtemp_t self:tcp_socket { accept listen };
allow hddtemp_t hddtemp_etc_t:file read_file_perms;
@@ -26567,29 +26135,26 @@ index c234b32..41d985d 100644
corenet_all_recvfrom_netlabel(hddtemp_t)
corenet_tcp_sendrecv_generic_if(hddtemp_t)
corenet_tcp_sendrecv_generic_node(hddtemp_t)
-@@ -38,12 +37,13 @@ corenet_tcp_bind_hddtemp_port(hddtemp_t)
+@@ -36,9 +35,6 @@ corenet_tcp_bind_hddtemp_port(hddtemp_t)
corenet_sendrecv_hddtemp_server_packets(hddtemp_t)
corenet_tcp_sendrecv_hddtemp_port(hddtemp_t)
-files_search_etc(hddtemp_t)
-+files_read_etc_files(hddtemp_t)
- files_read_usr_files(hddtemp_t)
-
- storage_raw_read_fixed_disk(hddtemp_t)
+-files_read_usr_files(hddtemp_t)
-
-+storage_raw_read_removable_device(hddtemp_t)
+ storage_raw_read_fixed_disk(hddtemp_t)
+ storage_raw_read_removable_device(hddtemp_t)
+
+@@ -46,4 +42,3 @@ auth_use_nsswitch(hddtemp_t)
+
logging_send_syslog_msg(hddtemp_t)
-miscfiles_read_localization(hddtemp_t)
--
-+optional_policy(`
-+ sysnet_dns_name_resolve(hddtemp_t)
-+')
diff --git a/howl.te b/howl.te
-index 6ad2d3c..b23d54a 100644
+index e207823..4e0f8ba 100644
--- a/howl.te
+++ b/howl.te
-@@ -33,7 +33,6 @@ kernel_request_load_module(howl_t)
+@@ -36,7 +36,6 @@ kernel_request_load_module(howl_t)
kernel_list_proc(howl_t)
kernel_read_proc_symlinks(howl_t)
@@ -26597,35 +26162,41 @@ index 6ad2d3c..b23d54a 100644
corenet_all_recvfrom_netlabel(howl_t)
corenet_tcp_sendrecv_generic_if(howl_t)
corenet_udp_sendrecv_generic_if(howl_t)
-@@ -60,8 +59,6 @@ init_rw_utmp(howl_t)
+@@ -65,8 +64,6 @@ init_dontaudit_write_utmp(howl_t)
logging_send_syslog_msg(howl_t)
-miscfiles_read_localization(howl_t)
-
- sysnet_read_config(howl_t)
-
userdom_dontaudit_use_unpriv_user_fds(howl_t)
+ userdom_dontaudit_search_user_home_dirs(howl_t)
+
diff --git a/i18n_input.te b/i18n_input.te
-index 5fc89c4..087c2d0 100644
+index 3bed8fa..a738d7f 100644
--- a/i18n_input.te
+++ b/i18n_input.te
-@@ -36,7 +36,6 @@ can_exec(i18n_input_t, i18n_input_exec_t)
+@@ -45,7 +45,6 @@ can_exec(i18n_input_t, i18n_input_exec_t)
kernel_read_kernel_sysctls(i18n_input_t)
kernel_read_system_state(i18n_input_t)
-corenet_all_recvfrom_unlabeled(i18n_input_t)
corenet_all_recvfrom_netlabel(i18n_input_t)
corenet_tcp_sendrecv_generic_if(i18n_input_t)
- corenet_udp_sendrecv_generic_if(i18n_input_t)
-@@ -68,22 +67,11 @@ init_stream_connect_script(i18n_input_t)
+ corenet_tcp_sendrecv_generic_node(i18n_input_t)
+@@ -68,7 +67,6 @@ fs_getattr_all_fs(i18n_input_t)
+ fs_search_auto_mountpoints(i18n_input_t)
+
+ files_read_etc_runtime_files(i18n_input_t)
+-files_read_usr_files(i18n_input_t)
+
+ auth_use_nsswitch(i18n_input_t)
+
+@@ -76,20 +74,9 @@ init_stream_connect_script(i18n_input_t)
logging_send_syslog_msg(i18n_input_t)
-miscfiles_read_localization(i18n_input_t)
-
- sysnet_read_config(i18n_input_t)
-
userdom_dontaudit_use_unpriv_user_fds(i18n_input_t)
userdom_read_user_home_content_files(i18n_input_t)
-
@@ -26643,88 +26214,49 @@ index 5fc89c4..087c2d0 100644
optional_policy(`
canna_stream_connect(i18n_input_t)
diff --git a/icecast.if b/icecast.if
-index ecab47a..6eddc6d 100644
+index 580b533..c267cea 100644
--- a/icecast.if
+++ b/icecast.if
-@@ -173,7 +173,11 @@ interface(`icecast_admin',`
- type icecast_t, icecast_initrc_exec_t;
+@@ -176,6 +176,14 @@ interface(`icecast_admin',`
+ type icecast_var_run_t;
')
+ allow $1 icecast_t:process signal_perms;
- ps_process_pattern($1, icecast_t)
++ ps_process_pattern($1, icecast_t)
++
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 icecast_t:process ptrace;
+ ')
-
- # Allow icecast_t to restart the apache service
++
++ # Allow icecast_t to restart the apache service
icecast_initrc_domtrans($1)
-@@ -184,5 +188,4 @@ interface(`icecast_admin',`
- icecast_manage_pid_files($1)
-
- icecast_manage_log($1)
--
- ')
+ domain_system_change_exemption($1)
+ role_transition $2 icecast_initrc_exec_t system_r;
diff --git a/icecast.te b/icecast.te
-index fdb7e9a..b910581 100644
+index ac6f9d5..73f5015 100644
--- a/icecast.te
+++ b/icecast.te
-@@ -5,6 +5,14 @@ policy_module(icecast, 1.1.0)
- # Declarations
- #
-
-+## <desc>
-+## <p>
-+## Allow icecast to connect to all ports, not just
-+## sound ports.
-+## </p>
-+## </desc>
-+gen_tunable(icecast_connect_any, false)
-+
- type icecast_t;
- type icecast_exec_t;
- init_daemon_domain(icecast_t, icecast_exec_t)
-@@ -39,18 +47,24 @@ files_pid_filetrans(icecast_t, icecast_var_run_t, { file dir })
-
- kernel_read_system_state(icecast_t)
+@@ -65,12 +65,12 @@ dev_read_sysfs(icecast_t)
+ dev_read_urand(icecast_t)
+ dev_read_rand(icecast_t)
-+dev_read_sysfs(icecast_t)
-+dev_read_urand(icecast_t)
-+dev_read_rand(icecast_t)
++auth_use_nsswitch(icecast_t)
+
- corenet_tcp_bind_soundd_port(icecast_t)
-+corenet_tcp_connect_soundd_port(icecast_t)
-+
-+tunable_policy(`icecast_connect_any',`
-+ corenet_tcp_connect_all_ports(icecast_t)
-+ corenet_tcp_bind_all_ports(icecast_t)
-+ corenet_sendrecv_all_client_packets(icecast_t)
-+')
-
- # Init script handling
domain_use_interactive_fds(icecast_t)
--files_read_etc_files(icecast_t)
--
auth_use_nsswitch(icecast_t)
-miscfiles_read_localization(icecast_t)
-
--sysnet_dns_name_resolve(icecast_t)
-
- optional_policy(`
- apache_read_sys_content(icecast_t)
+ tunable_policy(`icecast_use_any_tcp_ports',`
+ corenet_tcp_connect_all_ports(icecast_t)
+ corenet_sendrecv_all_client_packets(icecast_t)
diff --git a/ifplugd.if b/ifplugd.if
-index dfb4232..35343f8 100644
+index 8999899..96909ae 100644
--- a/ifplugd.if
+++ b/ifplugd.if
-@@ -113,11 +113,11 @@ interface(`ifplugd_read_pid_files',`
- #
- interface(`ifplugd_admin',`
- gen_require(`
-- type ifplugd_t, ifplugd_etc_t;
-- type ifplugd_var_run_t, ifplugd_initrc_exec_t;
-+ type ifplugd_t, ifplugd_etc_t, ifplugd_var_run_t;
-+ type ifplugd_initrc_exec_t;
+@@ -119,7 +119,7 @@ interface(`ifplugd_admin',`
+ type ifplugd_initrc_exec_t;
')
- allow $1 ifplugd_t:process { ptrace signal_perms };
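Review bot: `auth_use_nsswitch(icecast_t)` added right after `dev_read_rand(icecast_t)` in the rewritten icecast.te hunk appears to duplicate the upstream `auth_use_nsswitch(icecast_t)` that is still present as a context line a few lines below, next to `domain_use_interactive_fds(icecast_t)`. A duplicate call is harmless to the compiled policy, but it is noise in the downstream patch and suggests the old `sysnet_dns_name_resolve` replacement was not reconciled with what upstream now ships; the added line can be dropped. The icecast.if part of this hunk (the `deny_ptrace` tunable around `allow $1 icecast_t:process ptrace;`) follows the same shape as hddtemp_admin and needs no change.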
@@ -26733,35 +26265,23 @@ index dfb4232..35343f8 100644
init_labeled_script_domtrans($1, ifplugd_initrc_exec_t)
diff --git a/ifplugd.te b/ifplugd.te
-index 978c32f..05927a7 100644
+index 6910e49..c4a9fcb 100644
--- a/ifplugd.te
+++ b/ifplugd.te
-@@ -11,7 +11,7 @@ init_daemon_domain(ifplugd_t, ifplugd_exec_t)
+@@ -10,7 +10,7 @@ type ifplugd_exec_t;
+ init_daemon_domain(ifplugd_t, ifplugd_exec_t)
- # config files
type ifplugd_etc_t;
-files_type(ifplugd_etc_t)
+files_config_file(ifplugd_etc_t)
type ifplugd_initrc_exec_t;
init_script_file(ifplugd_initrc_exec_t)
-@@ -26,7 +26,7 @@ files_pid_file(ifplugd_var_run_t)
- #
-
- allow ifplugd_t self:capability { net_admin sys_nice net_bind_service };
--dontaudit ifplugd_t self:capability { sys_tty_config sys_ptrace };
-+dontaudit ifplugd_t self:capability sys_tty_config;
- allow ifplugd_t self:process { signal signull };
- allow ifplugd_t self:fifo_file rw_fifo_file_perms;
- allow ifplugd_t self:tcp_socket create_stream_socket_perms;
-@@ -54,15 +54,14 @@ corecmd_exec_bin(ifplugd_t)
- # reading of hardware information
+@@ -49,14 +49,11 @@ corecmd_exec_shell(ifplugd_t)
dev_read_sysfs(ifplugd_t)
-+#domain_read_all_domains_state(ifplugd_t)
domain_read_confined_domains_state(ifplugd_t)
-domain_dontaudit_read_all_domains_state(ifplugd_t)
-+#domain_dontaudit_read_all_domains_state(ifplugd_t)
auth_use_nsswitch(ifplugd_t)
@@ -26770,53 +26290,31 @@ index 978c32f..05927a7 100644
-miscfiles_read_localization(ifplugd_t)
-
netutils_domtrans(ifplugd_t)
- # transition to ifconfig & dhcpc
- sysnet_domtrans_ifconfig(ifplugd_t)
-diff --git a/imaze.fc b/imaze.fc
-index 8d455ba..58729cb 100644
---- a/imaze.fc
-+++ b/imaze.fc
-@@ -1,4 +1,4 @@
- /usr/games/imazesrv -- gen_context(system_u:object_r:imazesrv_exec_t,s0)
- /usr/share/games/imaze(/.*)? gen_context(system_u:object_r:imazesrv_data_t,s0)
--/var/log/imaze\.log -- gen_context(system_u:object_r:imazesrv_log_t,s0)
-+/var/log/imaze\.log.* -- gen_context(system_u:object_r:imazesrv_log_t,s0)
+ sysnet_domtrans_ifconfig(ifplugd_t)
diff --git a/imaze.te b/imaze.te
-index 0778af8..66fb4ae 100644
+index 05387d1..08a489c 100644
--- a/imaze.te
+++ b/imaze.te
-@@ -54,7 +54,6 @@ kernel_read_kernel_sysctls(imazesrv_t)
- kernel_list_proc(imazesrv_t)
+@@ -45,7 +45,6 @@ kernel_list_proc(imazesrv_t)
+ kernel_read_kernel_sysctls(imazesrv_t)
kernel_read_proc_symlinks(imazesrv_t)
-corenet_all_recvfrom_unlabeled(imazesrv_t)
corenet_all_recvfrom_netlabel(imazesrv_t)
corenet_tcp_sendrecv_generic_if(imazesrv_t)
corenet_udp_sendrecv_generic_if(imazesrv_t)
-@@ -79,8 +78,6 @@ fs_search_auto_mountpoints(imazesrv_t)
+@@ -71,8 +70,6 @@ auth_use_nsswitch(imazesrv_t)
logging_send_syslog_msg(imazesrv_t)
-miscfiles_read_localization(imazesrv_t)
-
- sysnet_read_config(imazesrv_t)
-
userdom_use_unpriv_users_fds(imazesrv_t)
-diff --git a/inetd.fc b/inetd.fc
-index 39d5baa..4288778 100644
---- a/inetd.fc
-+++ b/inetd.fc
-@@ -7,6 +7,6 @@
- /usr/sbin/rlinetd -- gen_context(system_u:object_r:inetd_exec_t,s0)
- /usr/sbin/xinetd -- gen_context(system_u:object_r:inetd_exec_t,s0)
-
--/var/log/(x)?inetd\.log -- gen_context(system_u:object_r:inetd_log_t,s0)
-+/var/log/(x)?inetd\.log.* -- gen_context(system_u:object_r:inetd_log_t,s0)
-
- /var/run/(x)?inetd\.pid -- gen_context(system_u:object_r:inetd_var_run_t,s0)
+ userdom_dontaudit_search_user_home_dirs(imazesrv_t)
+
diff --git a/inetd.if b/inetd.if
-index df48e5e..161814e 100644
+index fbb54e7..b347964 100644
--- a/inetd.if
+++ b/inetd.if
@@ -37,6 +37,10 @@ interface(`inetd_core_service_domain',`
@@ -26831,10 +26329,10 @@ index df48e5e..161814e 100644
########################################
diff --git a/inetd.te b/inetd.te
-index 10f25d3..ec4cd54 100644
+index 1a5ed62..5eebf38 100644
--- a/inetd.te
+++ b/inetd.te
-@@ -38,9 +38,9 @@ ifdef(`enable_mcs',`
+@@ -37,9 +37,9 @@ ifdef(`enable_mcs',`
# Local policy
#
@@ -26844,120 +26342,78 @@ index 10f25d3..ec4cd54 100644
-allow inetd_t self:process { setsched setexec setrlimit };
+allow inetd_t self:process { setsched setexec };
allow inetd_t self:fifo_file rw_fifo_file_perms;
- allow inetd_t self:tcp_socket create_stream_socket_perms;
- allow inetd_t self:udp_socket create_socket_perms;
-@@ -65,7 +65,6 @@ kernel_tcp_recvfrom_unlabeled(inetd_t)
- corecmd_bin_domtrans(inetd_t, inetd_child_t)
-
- # base networking:
--corenet_all_recvfrom_unlabeled(inetd_t)
- corenet_all_recvfrom_netlabel(inetd_t)
- corenet_tcp_sendrecv_generic_if(inetd_t)
- corenet_udp_sendrecv_generic_if(inetd_t)
-@@ -89,16 +88,19 @@ corenet_tcp_bind_ftp_port(inetd_t)
- corenet_udp_bind_ftp_port(inetd_t)
+ allow inetd_t self:tcp_socket { accept listen };
+ allow inetd_t self:fd use;
+@@ -98,6 +98,11 @@ corenet_sendrecv_inetd_child_server_packets(inetd_t)
corenet_tcp_bind_inetd_child_port(inetd_t)
corenet_udp_bind_inetd_child_port(inetd_t)
+
+corenet_tcp_bind_echo_port(inetd_t)
+corenet_udp_bind_echo_port(inetd_t)
+corenet_tcp_bind_time_port(inetd_t)
+corenet_udp_bind_time_port(inetd_t)
++
+ corenet_sendrecv_ircd_server_packets(inetd_t)
corenet_tcp_bind_ircd_port(inetd_t)
- corenet_udp_bind_ktalkd_port(inetd_t)
--corenet_tcp_bind_pop_port(inetd_t)
- corenet_tcp_bind_printer_port(inetd_t)
- corenet_udp_bind_rlogind_port(inetd_t)
- corenet_udp_bind_rsh_port(inetd_t)
- corenet_tcp_bind_rsh_port(inetd_t)
- corenet_tcp_bind_rsync_port(inetd_t)
- corenet_udp_bind_rsync_port(inetd_t)
--corenet_tcp_bind_stunnel_port(inetd_t)
-+#corenet_tcp_bind_stunnel_port(inetd_t)
- corenet_tcp_bind_swat_port(inetd_t)
- corenet_udp_bind_swat_port(inetd_t)
- corenet_tcp_bind_telnetd_port(inetd_t)
-@@ -119,7 +121,7 @@ corenet_sendrecv_ktalkd_server_packets(inetd_t)
- corenet_sendrecv_printer_server_packets(inetd_t)
- corenet_sendrecv_rsh_server_packets(inetd_t)
- corenet_sendrecv_rsync_server_packets(inetd_t)
--corenet_sendrecv_stunnel_server_packets(inetd_t)
-+#corenet_sendrecv_stunnel_server_packets(inetd_t)
- corenet_sendrecv_swat_server_packets(inetd_t)
- corenet_sendrecv_tftp_server_packets(inetd_t)
-
-@@ -137,20 +139,20 @@ corecmd_read_bin_symlinks(inetd_t)
-
- domain_use_interactive_fds(inetd_t)
-
--files_read_etc_files(inetd_t)
- files_read_etc_runtime_files(inetd_t)
-
- auth_use_nsswitch(inetd_t)
+
+@@ -157,13 +162,13 @@ auth_use_nsswitch(inetd_t)
logging_send_syslog_msg(inetd_t)
-miscfiles_read_localization(inetd_t)
-
- # xinetd needs MLS override privileges to work
mls_fd_share_all_levels(inetd_t)
mls_socket_read_to_clearance(inetd_t)
mls_socket_write_to_clearance(inetd_t)
-+mls_net_outbound_all_levels(inetd_t)
+ mls_net_outbound_all_levels(inetd_t)
mls_process_set_level(inetd_t)
+#706086
+mls_net_outbound_all_levels(inetd_t)
- sysnet_read_config(inetd_t)
-
-@@ -177,6 +179,10 @@ optional_policy(`
+ userdom_dontaudit_use_unpriv_user_fds(inetd_t)
+ userdom_dontaudit_search_user_home_dirs(inetd_t)
+@@ -188,7 +193,7 @@ optional_policy(`
')
optional_policy(`
+- tftp_read_config_files(inetd_t)
+ tftp_read_config(inetd_t)
-+')
-+
-+optional_policy(`
- udev_read_db(inetd_t)
')
-@@ -210,7 +216,6 @@ kernel_read_kernel_sysctls(inetd_child_t)
- kernel_read_system_state(inetd_child_t)
+ optional_policy(`
+@@ -220,6 +225,14 @@ kernel_read_kernel_sysctls(inetd_child_t)
kernel_read_network_state(inetd_child_t)
+ kernel_read_system_state(inetd_child_t)
--corenet_all_recvfrom_unlabeled(inetd_child_t)
- corenet_all_recvfrom_netlabel(inetd_child_t)
- corenet_tcp_sendrecv_generic_if(inetd_child_t)
- corenet_udp_sendrecv_generic_if(inetd_child_t)
-@@ -223,15 +228,12 @@ dev_read_urand(inetd_child_t)
++corenet_all_recvfrom_netlabel(inetd_child_t)
++corenet_tcp_sendrecv_generic_if(inetd_child_t)
++corenet_udp_sendrecv_generic_if(inetd_child_t)
++corenet_tcp_sendrecv_generic_node(inetd_child_t)
++corenet_udp_sendrecv_generic_node(inetd_child_t)
++corenet_tcp_sendrecv_all_ports(inetd_child_t)
++corenet_udp_sendrecv_all_ports(inetd_child_t)
++
+ dev_read_urand(inetd_child_t)
fs_getattr_xattr_fs(inetd_child_t)
-
--files_read_etc_files(inetd_child_t)
- files_read_etc_runtime_files(inetd_child_t)
-
- auth_use_nsswitch(inetd_child_t)
+@@ -230,7 +243,11 @@ auth_use_nsswitch(inetd_child_t)
logging_send_syslog_msg(inetd_child_t)
-miscfiles_read_localization(inetd_child_t)
--
- sysnet_read_config(inetd_child_t)
++sysnet_read_config(inetd_child_t)
++
++optional_policy(`
++ kerberos_use(inetd_child_t)
++')
optional_policy(`
+ unconfined_domain(inetd_child_t)
diff --git a/inn.if b/inn.if
-index ebc9e0d..617f52f 100644
+index eb87f23..8e11e4b 100644
--- a/inn.if
+++ b/inn.if
-@@ -13,7 +13,7 @@
- #
- interface(`inn_exec',`
- gen_require(`
-- type innd_t;
-+ type innd_exec_t;
- ')
-
- can_exec($1, innd_exec_t)
-@@ -93,6 +93,7 @@ interface(`inn_read_config',`
+@@ -124,6 +124,7 @@ interface(`inn_read_config',`
type innd_etc_t;
')
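Review bot: On the new side of inetd.te, `mls_net_outbound_all_levels(inetd_t)` ends up twice: it is already present as upstream context (` mls_net_outbound_all_levels(inetd_t)`) and the patch still appends `#706086` / `mls_net_outbound_all_levels(inetd_t)` a few lines later. The duplicate is harmless to the policy compiler but leaves a stale bug-reference hunk that will keep conflicting on every rebase; drop the two `#706086` lines. The same pattern appears to recur in the inn.te hunk below, where `can_exec(innd_t, innd_exec_t)` is inserted near line 44 while the following hunk header (`@@ -65,7 +68,6 @@ can_exec(innd_t, innd_exec_t)`) indicates upstream already carries that call. Separately, re-adding `corenet_tcp_sendrecv_all_ports(inetd_child_t)` and its udp counterpart restores all-port access to every inetd child that the surrounding upstream context no longer grants; if only specific children need it, a per-service rule or a tunable would be the narrower fix.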
@@ -26965,15 +26421,15 @@ index ebc9e0d..617f52f 100644
allow $1 innd_etc_t:dir list_dir_perms;
allow $1 innd_etc_t:file read_file_perms;
allow $1 innd_etc_t:lnk_file read_lnk_file_perms;
-@@ -113,6 +114,7 @@ interface(`inn_read_news_lib',`
+@@ -144,6 +145,7 @@ interface(`inn_read_news_lib',`
type innd_var_lib_t;
')
+ files_search_var_lib($1)
allow $1 innd_var_lib_t:dir list_dir_perms;
allow $1 innd_var_lib_t:file read_file_perms;
- allow $1 innd_var_lib_t:lnk_file read_lnk_file_perms;
-@@ -133,6 +135,7 @@ interface(`inn_read_news_spool',`
+ ')
+@@ -163,6 +165,7 @@ interface(`inn_read_news_spool',`
type news_spool_t;
')
@@ -26981,7 +26437,7 @@ index ebc9e0d..617f52f 100644
allow $1 news_spool_t:dir list_dir_perms;
allow $1 news_spool_t:file read_file_perms;
allow $1 news_spool_t:lnk_file read_lnk_file_perms;
-@@ -195,12 +198,15 @@ interface(`inn_domtrans',`
+@@ -226,8 +229,15 @@ interface(`inn_domtrans',`
interface(`inn_admin',`
gen_require(`
type innd_t, innd_etc_t, innd_log_t;
@@ -26989,30 +26445,21 @@ index ebc9e0d..617f52f 100644
- type innd_var_run_t, innd_initrc_exec_t;
+ type news_spool_t, innd_var_lib_t, innd_var_run_t;
+ type innd_initrc_exec_t;
- ')
-
-- allow $1 innd_t:process { ptrace signal_perms };
++ ')
++
+ allow $1 innd_t:process signal_perms;
- ps_process_pattern($1, innd_t)
++ ps_process_pattern($1, innd_t)
++
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 innd_t:process ptrace;
-+ ')
+ ')
init_labeled_script_domtrans($1, innd_initrc_exec_t)
- domain_system_change_exemption($1)
diff --git a/inn.te b/inn.te
-index 7311364..28012eb 100644
+index 5aab5d0..e694d0f 100644
--- a/inn.te
+++ b/inn.te
-@@ -4,6 +4,7 @@ policy_module(inn, 1.10.0)
- #
- # Declarations
- #
-+
- type innd_t;
- type innd_exec_t;
- init_daemon_domain(innd_t, innd_exec_t)
-@@ -25,11 +26,13 @@ files_pid_file(innd_var_run_t)
+@@ -26,6 +26,7 @@ files_pid_file(innd_var_run_t)
type news_spool_t;
files_mountpoint(news_spool_t)
@@ -27020,22 +26467,16 @@ index 7311364..28012eb 100644
########################################
#
- # Local policy
- #
-+
- allow innd_t self:capability { dac_override kill setgid setuid };
- dontaudit innd_t self:capability sys_tty_config;
- allow innd_t self:process { setsched signal_perms };
-@@ -46,7 +49,7 @@ read_lnk_files_pattern(innd_t, innd_etc_t, innd_etc_t)
- can_exec(innd_t, innd_exec_t)
-
- manage_files_pattern(innd_t, innd_log_t, innd_log_t)
--allow innd_t innd_log_t:dir setattr;
-+allow innd_t innd_log_t:dir setattr_dir_perms;
- logging_log_filetrans(innd_t, innd_log_t, file)
+@@ -43,6 +44,8 @@ allow innd_t self:tcp_socket { accept listen };
+ read_files_pattern(innd_t, innd_etc_t, innd_etc_t)
+ read_lnk_files_pattern(innd_t, innd_etc_t, innd_etc_t)
- manage_dirs_pattern(innd_t, innd_var_lib_t, innd_var_lib_t)
-@@ -56,7 +59,7 @@ files_var_lib_filetrans(innd_t, innd_var_lib_t, file)
++can_exec(innd_t, innd_exec_t)
++
+ allow innd_t innd_log_t:dir setattr_dir_perms;
+ append_files_pattern(innd_t, innd_log_t, innd_log_t)
+ create_files_pattern(innd_t, innd_log_t, innd_log_t)
+@@ -54,7 +57,7 @@ manage_files_pattern(innd_t, innd_var_lib_t, innd_var_lib_t)
manage_dirs_pattern(innd_t, innd_var_run_t, innd_var_run_t)
manage_files_pattern(innd_t, innd_var_run_t, innd_var_run_t)
manage_sock_files_pattern(innd_t, innd_var_run_t, innd_var_run_t)
@@ -27044,23 +26485,21 @@ index 7311364..28012eb 100644
manage_dirs_pattern(innd_t, news_spool_t, news_spool_t)
manage_files_pattern(innd_t, news_spool_t, news_spool_t)
-@@ -65,7 +68,6 @@ manage_lnk_files_pattern(innd_t, news_spool_t, news_spool_t)
+@@ -65,7 +68,6 @@ can_exec(innd_t, innd_exec_t)
kernel_read_kernel_sysctls(innd_t)
kernel_read_system_state(innd_t)
-corenet_all_recvfrom_unlabeled(innd_t)
corenet_all_recvfrom_netlabel(innd_t)
corenet_tcp_sendrecv_generic_if(innd_t)
- corenet_udp_sendrecv_generic_if(innd_t)
-@@ -97,14 +99,11 @@ files_read_usr_files(innd_t)
+ corenet_tcp_sendrecv_generic_node(innd_t)
+@@ -97,12 +99,11 @@ auth_use_nsswitch(innd_t)
logging_send_syslog_msg(innd_t)
-miscfiles_read_localization(innd_t)
-
--seutil_dontaudit_search_config(innd_t)
--
- sysnet_read_config(innd_t)
+ seutil_dontaudit_search_config(innd_t)
userdom_dontaudit_use_unpriv_user_fds(innd_t)
userdom_dontaudit_search_user_home_dirs(innd_t)
@@ -27068,87 +26507,63 @@ index 7311364..28012eb 100644
mta_send_mail(innd_t)
-diff --git a/irc.fc b/irc.fc
-index 65ece18..7e7873c 100644
---- a/irc.fc
-+++ b/irc.fc
-@@ -2,10 +2,15 @@
- # /home
- #
- HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:irc_home_t,s0)
-+HOME_DIR/\.irssi(/.*)? gen_context(system_u:object_r:irssi_home_t,s0)
-+HOME_DIR/irclogs(/.*)? gen_context(system_u:object_r:irssi_home_t,s0)
-+
-+/etc/irssi\.conf -- gen_context(system_u:object_r:irssi_etc_t,s0)
-
- #
- # /usr
- #
- /usr/bin/[st]irc -- gen_context(system_u:object_r:irc_exec_t,s0)
- /usr/bin/ircII -- gen_context(system_u:object_r:irc_exec_t,s0)
-+/usr/bin/irssi -- gen_context(system_u:object_r:irssi_exec_t,s0)
- /usr/bin/tinyirc -- gen_context(system_u:object_r:irc_exec_t,s0)
diff --git a/irc.if b/irc.if
-index 4f9dc90..2af9361 100644
+index ac00fb0..06cb083 100644
--- a/irc.if
+++ b/irc.if
-@@ -18,9 +18,11 @@
- interface(`irc_role',`
- gen_require(`
- type irc_t, irc_exec_t;
+@@ -20,6 +20,7 @@ interface(`irc_role',`
+ attribute_role irc_roles;
+ type irc_t, irc_exec_t, irc_home_t;
+ type irc_tmp_t, irc_log_home_t;
+ type irssi_t, irssi_exec_t, irssi_home_t;
')
- role $1 types irc_t;
-+ role $1 types irssi_t;
-
- # Transition from the user domain to the derived domain.
- domtrans_pattern($2, irc_exec_t, irc_t)
-@@ -28,4 +30,39 @@ interface(`irc_role',`
- # allow ps to show irc
+ ########################################
+@@ -39,10 +40,33 @@ interface(`irc_role',`
ps_process_pattern($2, irc_t)
- allow $2 irc_t:process signal;
-+
+ allow $2 irc_t:process { ptrace signal_perms };
+
+- allow $2 { irc_home_t irc_log_home_t irc_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
+- allow $2 { irc_home_t irc_log_home_t irc_tmp_t }:file { manage_file_perms relabel_file_perms };
+- allow $2 { irc_home_t irc_log_home_t irc_tmp_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+- userdom_user_home_dir_filetrans($2, irc_home_t, dir, ".irssi")
+- userdom_user_home_dir_filetrans($2, irc_home_t, file, ".ircmotd")
+- userdom_user_home_dir_filetrans($2, irc_log_home_t, dir, "irclogs")
+ domtrans_pattern($2, irssi_exec_t, irssi_t)
+
-+ allow $2 irssi_t:process signal_perms;
-+ ps_process_pattern($2, irssi_t)
-+
-+ manage_dirs_pattern($2, irssi_home_t, irssi_home_t)
-+ manage_files_pattern($2, irssi_home_t, irssi_home_t)
-+ manage_lnk_files_pattern($2, irssi_home_t, irssi_home_t)
++ allow $2 irssi_t:process signal_perms;
++ ps_process_pattern($2, irssi_t)
+
-+ relabel_dirs_pattern($2, irssi_home_t, irssi_home_t)
-+ relabel_files_pattern($2, irssi_home_t, irssi_home_t)
-+ relabel_lnk_files_pattern($2, irssi_home_t, irssi_home_t)
++ allow $2 { irc_home_t irc_log_home_t irc_tmp_t irssi_home_t }:dir { manage_dir_perms relabel_dir_perms };
++ allow $2 { irc_home_t irc_log_home_t irc_tmp_t irssi_home_t }:file { manage_file_perms relabel_file_perms };
++ allow $2 { irc_home_t irc_log_home_t irc_tmp_t irssi_home_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+
+ irc_filetrans_home_content($2)
+')
+
-+########################################
++#######################################
+## <summary>
-+## Transition to alsa named content
++## Transition to alsa named content
+## </summary>
+## <param name="domain">
-+## <summary>
++## <summary>
+## Domain allowed access.
-+## </summary>
++## </summary>
+## </param>
+#
+interface(`irc_filetrans_home_content',`
-+ gen_require(`
-+ type irc_home_t;
-+ ')
-+
-+ userdom_user_home_dir_filetrans($1, irc_home_t, file, ".ircmotd")
-+ userdom_user_home_dir_filetrans($1, irc_home_t, dir, ".irssi")
-+ userdom_user_home_dir_filetrans($1, irc_home_t, dir, "irclogs")
++ gen_require(`
++ type irc_home_t;
++ ')
++ userdom_user_home_dir_filetrans($1, irc_home_t, file, ".ircmotd")
++ userdom_user_home_dir_filetrans($1, irc_home_t, dir, ".irssi")
++ userdom_user_home_dir_filetrans($1, irc_home_t, dir, "irclogs")
')
diff --git a/irc.te b/irc.te
-index 6e2dbd2..73e129e 100644
+index ecad9c7..8cbe5cf 100644
--- a/irc.te
+++ b/irc.te
-@@ -19,7 +19,31 @@ userdom_user_home_content(irc_home_t)
+@@ -37,7 +37,32 @@ userdom_user_home_content(irc_log_home_t)
type irc_tmp_t;
typealias irc_tmp_t alias { user_irc_tmp_t staff_irc_tmp_t sysadm_irc_tmp_t };
typealias irc_tmp_t alias { auditadm_irc_tmp_t secadm_irc_tmp_t };
@@ -27172,6 +26587,7 @@ index 6e2dbd2..73e129e 100644
+type irssi_exec_t;
+application_domain(irssi_t, irssi_exec_t)
+ubac_constrained(irssi_t)
++role irc_roles types irssi_t;
+
+type irssi_etc_t;
+files_config_file(irssi_etc_t)
@@ -27181,37 +26597,50 @@ index 6e2dbd2..73e129e 100644
########################################
#
-@@ -33,7 +57,7 @@ allow irc_t self:udp_socket create_socket_perms;
+@@ -53,13 +78,7 @@ allow irc_t irc_conf_t:file read_file_perms;
manage_dirs_pattern(irc_t, irc_home_t, irc_home_t)
manage_files_pattern(irc_t, irc_home_t, irc_home_t)
manage_lnk_files_pattern(irc_t, irc_home_t, irc_home_t)
--userdom_user_home_dir_filetrans(irc_t, irc_home_t, { dir file lnk_file })
+-userdom_user_home_dir_filetrans(irc_t, irc_home_t, dir, ".irssi")
+-userdom_user_home_dir_filetrans(irc_t, irc_home_t, file, ".ircmotd")
+-
+-manage_dirs_pattern(irc_t, irc_log_home_t, irc_log_home_t)
+-create_files_pattern(irc_t, irc_log_home_t, irc_log_home_t)
+-append_files_pattern(irc_t, irc_log_home_t, irc_log_home_t)
+-userdom_user_home_dir_filetrans(irc_t, irc_log_home_t, dir, "irclogs")
+irc_filetrans_home_content(irc_t)
- # access files under /tmp
manage_dirs_pattern(irc_t, irc_tmp_t, irc_tmp_t)
-@@ -45,7 +69,6 @@ files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file })
+ manage_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
+@@ -70,7 +89,6 @@ files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file })
- kernel_read_proc_symlinks(irc_t)
+ kernel_read_system_state(irc_t)
-corenet_all_recvfrom_unlabeled(irc_t)
corenet_all_recvfrom_netlabel(irc_t)
corenet_tcp_sendrecv_generic_if(irc_t)
- corenet_udp_sendrecv_generic_if(irc_t)
-@@ -75,7 +98,6 @@ term_list_ptys(irc_t)
+ corenet_tcp_sendrecv_generic_node(irc_t)
+@@ -106,7 +124,6 @@ auth_use_nsswitch(irc_t)
init_read_utmp(irc_t)
init_dontaudit_lock_utmp(irc_t)
-miscfiles_read_localization(irc_t)
- # Inherit and use descriptors from newrole.
- seutil_use_newrole_fds(irc_t)
-@@ -83,20 +105,74 @@ seutil_use_newrole_fds(irc_t)
- sysnet_read_config(irc_t)
+ userdom_use_user_terminals(irc_t)
- # Write to the user domain tty.
--userdom_use_user_terminals(irc_t)
+@@ -114,6 +131,9 @@ userdom_manage_user_home_content_dirs(irc_t)
+ userdom_manage_user_home_content_files(irc_t)
+ userdom_user_home_dir_filetrans_user_home_content(irc_t, { dir file })
+
++# Write to the user domain tty.
+userdom_use_inherited_user_terminals(irc_t)
++
+ tunable_policy(`irc_use_any_tcp_ports',`
+ corenet_sendrecv_all_server_packets(irc_t)
+ corenet_tcp_bind_all_unreserved_ports(irc_t)
+@@ -122,18 +142,72 @@ tunable_policy(`irc_use_any_tcp_ports',`
+ corenet_tcp_sendrecv_all_ports(irc_t)
+ ')
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(irc_t)
@@ -27288,35 +26717,34 @@ index 6e2dbd2..73e129e 100644
+userdom_home_manager(irssi_t)
+
optional_policy(`
-- nis_use_ypbind(irc_t)
-+ automount_dontaudit_getattr_tmp_dirs(irssi_t)
+ seutil_use_newrole_fds(irc_t)
')
diff --git a/ircd.te b/ircd.te
-index 75ab1e2..603ea55 100644
+index e9f746e..40e440c 100644
--- a/ircd.te
+++ b/ircd.te
-@@ -49,7 +49,6 @@ kernel_read_kernel_sysctls(ircd_t)
+@@ -52,7 +52,6 @@ kernel_read_kernel_sysctls(ircd_t)
- corecmd_search_bin(ircd_t)
+ corecmd_exec_bin(ircd_t)
-corenet_all_recvfrom_unlabeled(ircd_t)
corenet_all_recvfrom_netlabel(ircd_t)
corenet_tcp_sendrecv_generic_if(ircd_t)
- corenet_udp_sendrecv_generic_if(ircd_t)
-@@ -73,8 +72,6 @@ fs_search_auto_mountpoints(ircd_t)
+ corenet_tcp_sendrecv_generic_node(ircd_t)
+@@ -75,8 +74,6 @@ auth_use_nsswitch(ircd_t)
logging_send_syslog_msg(ircd_t)
-miscfiles_read_localization(ircd_t)
-
- sysnet_read_config(ircd_t)
-
userdom_dontaudit_use_unpriv_user_fds(ircd_t)
+ userdom_dontaudit_search_user_home_dirs(ircd_t)
+
diff --git a/irqbalance.te b/irqbalance.te
-index 9aeeaf9..a91de65 100644
+index c5a8112..947efe0 100644
--- a/irqbalance.te
+++ b/irqbalance.te
-@@ -19,6 +19,12 @@ files_pid_file(irqbalance_var_run_t)
+@@ -22,6 +22,12 @@ files_pid_file(irqbalance_var_run_t)
allow irqbalance_t self:capability { setpcap net_admin };
dontaudit irqbalance_t self:capability sys_tty_config;
@@ -27329,7 +26757,15 @@ index 9aeeaf9..a91de65 100644
allow irqbalance_t self:process { getcap setcap signal_perms };
allow irqbalance_t self:udp_socket create_socket_perms;
-@@ -42,8 +48,6 @@ domain_use_interactive_fds(irqbalance_t)
+@@ -35,7 +41,6 @@ kernel_rw_irq_sysctls(irqbalance_t)
+
+ dev_read_sysfs(irqbalance_t)
+
+-files_read_etc_files(irqbalance_t)
+ files_read_etc_runtime_files(irqbalance_t)
+
+ fs_getattr_all_fs(irqbalance_t)
+@@ -45,8 +50,6 @@ domain_use_interactive_fds(irqbalance_t)
logging_send_syslog_msg(irqbalance_t)
@@ -27338,70 +26774,38 @@ index 9aeeaf9..a91de65 100644
userdom_dontaudit_use_unpriv_user_fds(irqbalance_t)
userdom_dontaudit_search_user_home_dirs(irqbalance_t)
-diff --git a/iscsi.fc b/iscsi.fc
-index 14d9670..e94b352 100644
---- a/iscsi.fc
-+++ b/iscsi.fc
-@@ -1,7 +1,17 @@
- /sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0)
- /sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
-+/sbin/iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
-
- /var/lib/iscsi(/.*)? gen_context(system_u:object_r:iscsi_var_lib_t,s0)
-+
- /var/lock/iscsi(/.*)? gen_context(system_u:object_r:iscsi_lock_t,s0)
--/var/log/brcm-iscsi\.log -- gen_context(system_u:object_r:iscsi_log_t,s0)
-+
-+/var/log/brcm-iscsi\.log.* -- gen_context(system_u:object_r:iscsi_log_t,s0)
-+/var/log/iscsiuio\.log.* -- gen_context(system_u:object_r:iscsi_log_t,s0)
-+
- /var/run/iscsid\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0)
-+/var/run/iscsiuio\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0)
-+
-+/usr/sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0)
-+/usr/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
-+/usr/sbin/iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
diff --git a/iscsi.te b/iscsi.te
-index 8bcfa2f..f71614d 100644
+index 57304e4..3dba77f 100644
--- a/iscsi.te
+++ b/iscsi.te
-@@ -31,7 +31,6 @@ files_pid_file(iscsi_var_run_t)
+@@ -33,7 +33,6 @@ files_pid_file(iscsi_var_run_t)
#
allow iscsid_t self:capability { dac_override ipc_lock net_admin net_raw sys_admin sys_nice sys_resource };
-dontaudit iscsid_t self:capability sys_ptrace;
allow iscsid_t self:process { setrlimit setsched signal };
allow iscsid_t self:fifo_file rw_fifo_file_perms;
- allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto };
-@@ -66,8 +65,8 @@ files_pid_filetrans(iscsid_t, iscsi_var_run_t, file)
-
- kernel_read_network_state(iscsid_t)
+ allow iscsid_t self:unix_stream_socket { accept connectto listen };
+@@ -68,7 +67,6 @@ kernel_read_network_state(iscsid_t)
kernel_read_system_state(iscsid_t)
-+kernel_setsched(iscsid_t)
+ kernel_setsched(iscsid_t)
-corenet_all_recvfrom_unlabeled(iscsid_t)
corenet_all_recvfrom_netlabel(iscsid_t)
corenet_tcp_sendrecv_generic_if(iscsid_t)
corenet_tcp_sendrecv_generic_node(iscsid_t)
-@@ -75,14 +74,16 @@ corenet_tcp_sendrecv_all_ports(iscsid_t)
- corenet_tcp_connect_http_port(iscsid_t)
- corenet_tcp_connect_iscsi_port(iscsid_t)
+@@ -85,6 +83,10 @@ corenet_sendrecv_isns_client_packets(iscsid_t)
corenet_tcp_connect_isns_port(iscsid_t)
-+corenet_tcp_connect_winshadow_port(iscsid_t)
+ corenet_tcp_sendrecv_isns_port(iscsid_t)
++corenet_sendrecv_winshadow_client_packets(iscsid_t)
++corenet_tcp_connect_winshadow_port(iscsid_t)
++corenet_tcp_sendrecv_winshadow_port(iscsid_t)
++
+ dev_read_raw_memory(iscsid_t)
dev_rw_sysfs(iscsid_t)
dev_rw_userio_dev(iscsid_t)
-+dev_read_raw_memory(iscsid_t)
-+dev_write_raw_memory(iscsid_t)
-
- domain_use_interactive_fds(iscsid_t)
- domain_dontaudit_read_all_domains_state(iscsid_t)
-
--files_read_etc_files(iscsid_t)
-
- auth_use_nsswitch(iscsid_t)
-
-@@ -90,8 +91,6 @@ init_stream_connect_script(iscsid_t)
+@@ -99,8 +101,6 @@ init_stream_connect_script(iscsid_t)
logging_send_syslog_msg(iscsid_t)
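Review bot: The new side of iscsi.te no longer carries `dev_write_raw_memory(iscsid_t)`, which the previous version of the patch granted alongside `dev_read_raw_memory(iscsid_t)`; the upstream context shown here only has the read variant. Dropping write access to the raw memory device for iscsid is the right direction for least privilege, but it is a behaviour change hidden inside a mass merge and should be called out in the changelog, or confirmed as added by upstream outside this hunk, because an iscsiuio setup that still needs it will now hit a denial. The winshadow additions (`corenet_tcp_connect_winshadow_port(iscsid_t)` with the sendrecv pair) are consistent with the existing isns-port block.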
@@ -27410,303 +26814,69 @@ index 8bcfa2f..f71614d 100644
optional_policy(`
tgtd_manage_semaphores(iscsid_t)
')
-diff --git a/isnsd.fc b/isnsd.fc
-new file mode 100644
-index 0000000..3e29080
---- /dev/null
-+++ b/isnsd.fc
-@@ -0,0 +1,8 @@
-+/etc/rc\.d/init\.d/isnsd -- gen_context(system_u:object_r:isnsd_initrc_exec_t,s0)
-+
-+/usr/sbin/isnsd -- gen_context(system_u:object_r:isnsd_exec_t,s0)
-+
-+/var/lib/isns(/.*)? gen_context(system_u:object_r:isnsd_var_lib_t,s0)
-+
-+/var/run/isnsd\.pid -- gen_context(system_u:object_r:isnsd_var_run_t,s0)
-+/var/run/isnsctl -s gen_context(system_u:object_r:isnsd_var_run_t,s0)
-diff --git a/isnsd.if b/isnsd.if
-new file mode 100644
-index 0000000..1b3514a
---- /dev/null
-+++ b/isnsd.if
-@@ -0,0 +1,181 @@
-+
-+## <summary>policy for isnsd</summary>
-+
-+
-+########################################
-+## <summary>
-+## Transition to isnsd.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed to transition.
-+## </summary>
-+## </param>
-+#
-+interface(`isnsd_domtrans',`
-+ gen_require(`
-+ type isnsd_t, isnsd_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, isnsd_exec_t, isnsd_t)
-+')
-+
-+
-+########################################
-+## <summary>
-+## Execute isnsd server in the isnsd domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`isnsd_initrc_domtrans',`
-+ gen_require(`
-+ type isnsd_initrc_exec_t;
-+ ')
-+
-+ init_labeled_script_domtrans($1, isnsd_initrc_exec_t)
-+')
-+
-+
-+########################################
-+## <summary>
-+## Search isnsd lib directories.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`isnsd_search_lib',`
-+ gen_require(`
-+ type isnsd_var_lib_t;
-+ ')
-+
-+ allow $1 isnsd_var_lib_t:dir search_dir_perms;
-+ files_search_var_lib($1)
-+')
-+
-+########################################
-+## <summary>
-+## Read isnsd lib files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`isnsd_read_lib_files',`
-+ gen_require(`
-+ type isnsd_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, isnsd_var_lib_t, isnsd_var_lib_t)
-+')
-+
-+########################################
-+## <summary>
-+## Manage isnsd lib files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`isnsd_manage_lib_files',`
-+ gen_require(`
-+ type isnsd_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_files_pattern($1, isnsd_var_lib_t, isnsd_var_lib_t)
-+')
-+
-+########################################
-+## <summary>
-+## Manage isnsd lib directories.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`isnsd_manage_lib_dirs',`
-+ gen_require(`
-+ type isnsd_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_dirs_pattern($1, isnsd_var_lib_t, isnsd_var_lib_t)
-+')
-+
-+
-+########################################
-+## <summary>
-+## Read isnsd PID files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`isnsd_read_pid_files',`
-+ gen_require(`
-+ type isnsd_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ allow $1 isnsd_var_run_t:file read_file_perms;
-+')
-+
-+
-+########################################
-+## <summary>
-+## All of the rules required to administrate
-+## an isnsd environment
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <param name="role">
-+## <summary>
-+## Role allowed access.
-+## </summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`isnsd_admin',`
-+ gen_require(`
-+ type isnsd_t;
-+ type isnsd_initrc_exec_t;
-+ type isnsd_var_lib_t;
-+ type isnsd_var_run_t;
-+ ')
-+
-+ allow $1 isnsd_t:process { ptrace signal_perms };
-+ ps_process_pattern($1, isnsd_t)
-+
-+ isnsd_initrc_domtrans($1)
-+ domain_system_change_exemption($1)
-+ role_transition $2 isnsd_initrc_exec_t system_r;
-+ allow $2 system_r;
-+
-+ files_search_var_lib($1)
-+ admin_pattern($1, isnsd_var_lib_t)
-+
-+ files_search_pids($1)
-+ admin_pattern($1, isnsd_var_run_t)
-+
-+')
-+
-diff --git a/isnsd.te b/isnsd.te
-new file mode 100644
-index 0000000..951fbae
---- /dev/null
-+++ b/isnsd.te
-@@ -0,0 +1,52 @@
-+policy_module(isnsd, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type isnsd_t;
-+type isnsd_exec_t;
-+init_daemon_domain(isnsd_t, isnsd_exec_t)
-+
-+type isnsd_initrc_exec_t;
-+init_script_file(isnsd_initrc_exec_t)
-+
-+type isnsd_var_lib_t;
-+files_type(isnsd_var_lib_t)
-+
-+type isnsd_var_run_t;
-+files_pid_file(isnsd_var_run_t)
-+
-+########################################
-+#
-+# isnsd local policy
-+#
-+
-+allow isnsd_t self:capability { kill };
-+allow isnsd_t self:process { signal };
-+
-+allow isnsd_t self:fifo_file rw_fifo_file_perms;
-+allow isnsd_t self:tcp_socket { listen };
-+allow isnsd_t self:udp_socket { listen };
-+allow isnsd_t self:unix_stream_socket create_stream_socket_perms;
-+
-+manage_dirs_pattern(isnsd_t, isnsd_var_lib_t, isnsd_var_lib_t)
-+manage_files_pattern(isnsd_t, isnsd_var_lib_t, isnsd_var_lib_t)
-+files_var_lib_filetrans(isnsd_t, isnsd_var_lib_t, { dir file })
-+
-+manage_dirs_pattern(isnsd_t, isnsd_var_run_t, isnsd_var_run_t)
-+manage_sock_files_pattern(isnsd_t, isnsd_var_run_t, isnsd_var_run_t)
-+manage_files_pattern(isnsd_t, isnsd_var_run_t, isnsd_var_run_t)
-+files_pid_filetrans(isnsd_t, isnsd_var_run_t, { dir file sock_file })
-+
-+corenet_tcp_bind_generic_node(isnsd_t)
-+corenet_tcp_bind_isns_port(isnsd_t)
-+
-+domain_use_interactive_fds(isnsd_t)
-+
-+files_read_etc_files(isnsd_t)
-+
-+logging_send_syslog_msg(isnsd_t)
-+
-+sysnet_dns_name_resolve(isnsd_t)
+diff --git a/isns.te b/isns.te
+index bc11034..e393434 100644
+--- a/isns.te
++++ b/isns.te
+@@ -46,8 +46,6 @@ corenet_tcp_bind_generic_node(isnsd_t)
+ corenet_sendrecv_isns_server_packets(isnsd_t)
+ corenet_tcp_bind_isns_port(isnsd_t)
+
+-files_read_etc_files(isnsd_t)
+-
+ logging_send_syslog_msg(isnsd_t)
+
+ miscfiles_read_localization(isnsd_t)
diff --git a/jabber.fc b/jabber.fc
-index da6f4b4..bd02cc8 100644
+index 59ad3b3..bd02cc8 100644
--- a/jabber.fc
+++ b/jabber.fc
-@@ -1,10 +1,18 @@
--/etc/rc\.d/init\.d/jabber -- gen_context(system_u:object_r:jabberd_initrc_exec_t,s0)
+@@ -1,25 +1,18 @@
+-/etc/rc\.d/init\.d/((jabber)|(ejabberd)|(jabberd)) -- gen_context(system_u:object_r:jabberd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/jabberd -- gen_context(system_u:object_r:jabberd_initrc_exec_t,s0)
--/usr/sbin/ejabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0)
--/usr/sbin/jabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0)
+-/usr/bin/router -- gen_context(system_u:object_r:jabberd_router_exec_t,s0)
+-/usr/bin/c2s -- gen_context(system_u:object_r:jabberd_router_exec_t,s0)
+-/usr/bin/s2s -- gen_context(system_u:object_r:jabberd_exec_t,s0)
+-/usr/bin/sm -- gen_context(system_u:object_r:jabberd_exec_t,s0)
+/usr/bin/router -- gen_context(system_u:object_r:jabberd_router_exec_t,s0)
+/usr/bin/c2s -- gen_context(system_u:object_r:jabberd_router_exec_t,s0)
+/usr/bin/s2s -- gen_context(system_u:object_r:jabberd_exec_t,s0)
+/usr/bin/sm -- gen_context(system_u:object_r:jabberd_exec_t,s0)
--/var/lib/ejabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
--/var/lib/jabber(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
+-/usr/sbin/ejabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0)
+-/usr/sbin/ejabberdctl -- gen_context(system_u:object_r:jabberd_exec_t,s0)
+-/usr/sbin/jabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0)
+/var/lib/jabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
--/var/log/ejabberd(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0)
--/var/log/jabber(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0)
+-/var/lock/ejabberdctl(/.*) gen_context(system_u:object_r:jabberd_lock_t,s0)
+# pyicq-t
-+
+
+-/var/log/ejabberd(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0)
+-/var/log/jabber(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0)
+/usr/share/pyicq-t/PyICQt\.py -- gen_context(system_u:object_r:pyicqt_exec_t,s0)
-+
+
+-/var/lib/ejabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
+-/var/lib/ejabberd/spool(/.*)? gen_context(system_u:object_r:jabberd_spool_t,s0)
+-/var/lib/jabber(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
+-/var/lib/jabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
+-/var/lib/jabberd/log(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0)
+-/var/lib/jabberd/pid(/.*)? gen_context(system_u:object_r:jabberd_var_run_t,s0)
+/var/log/pyicq-t\.log.* gen_context(system_u:object_r:pyicqt_log_t,s0)
-+
+
+-/var/run/ejabber\.pid -- gen_context(system_u:object_r:jabberd_var_run_t,s0)
+-/var/run/jabber\.pid -- gen_context(system_u:object_r:jabberd_var_run_t,s0)
+/var/run/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_var_run_t,s0)
+
+/var/spool/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_var_spool_t,s0)
diff --git a/jabber.if b/jabber.if
-index 9878499..01673a4 100644
+index 16b1666..01673a4 100644
--- a/jabber.if
+++ b/jabber.if
-@@ -1,8 +1,114 @@
- ## <summary>Jabber instant messaging server</summary>
-
--########################################
+@@ -1,29 +1,76 @@
+-## <summary>Jabber instant messaging servers.</summary>
++## <summary>Jabber instant messaging server</summary>
++
+#####################################
+## <summary>
+## Creates types and rules for a basic
@@ -27738,27 +26908,38 @@ index 9878499..01673a4 100644
+
+ logging_send_syslog_msg($1_t)
+')
-+
-+#######################################
-+## <summary>
+
+ #######################################
+ ## <summary>
+-## The template to define a jabber domain.
+## Execute a domain transition to run jabberd services
-+## </summary>
+ ## </summary>
+-## <param name="domain_prefix">
+## <param name="domain">
-+## <summary>
+ ## <summary>
+-## Domain prefix to be used.
+## Domain allowed to transition.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+ #
+-template(`jabber_domain_template',`
+interface(`jabber_domtrans_jabberd',`
-+ gen_require(`
+ gen_require(`
+- attribute jabberd_domain;
+ type jabberd_t, jabberd_exec_t;
-+ ')
-+
+ ')
+
+- type $1_t, jabberd_domain;
+- type $1_exec_t;
+- init_daemon_domain($1_t, $1_exec_t)
+ domtrans_pattern($1, jabberd_exec_t, jabberd_t)
-+')
-+
+ ')
+
+-########################################
+######################################
-+## <summary>
+ ## <summary>
+-## Create, read, write, and delete
+-## jabber lib files.
+## Execute a domain transition to run jabberd router service
+## </summary>
+## <param name="domain">
@@ -27778,22 +26959,25 @@ index 9878499..01673a4 100644
+#######################################
+## <summary>
+## Read jabberd lib files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -31,18 +78,37 @@ template(`jabber_domain_template',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`jabber_manage_lib_files',`
+interface(`jabberd_read_lib_files',`
-+ gen_require(`
-+ type jabberd_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
+ gen_require(`
+ type jabberd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+- manage_files_pattern($1, jabberd_var_lib_t, jabberd_var_lib_t)
+ read_files_pattern($1, jabberd_var_lib_t, jabberd_var_lib_t)
-+')
-+
+ ')
+
+-########################################
+#######################################
+## <summary>
+## Dontaudit inherited read jabberd lib files.
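Review bot: The interface introduced as `interface(`jabberd_read_lib_files',`` carries a `jabberd_` prefix while the module is `jabber` and the interface just above it is named `jabber_domtrans_jabberd`; refpolicy convention is that every interface name begins with the module name, which is what the documentation tooling keys on. Unless callers elsewhere in this patch already depend on the `jabberd_` spelling, renaming it `jabber_read_lib_files` (and the dontaudit interface whose summary begins at the end of this hunk) would keep the file consistent. The dontaudit interface's body lies outside the hunk.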
@@ -27820,7 +27004,7 @@ index 9878499..01673a4 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -10,8 +116,13 @@
+@@ -50,14 +116,19 @@ interface(`jabber_manage_lib_files',`
## </summary>
## </param>
#
@@ -27836,19 +27020,37 @@ index 9878499..01673a4 100644
')
########################################
-@@ -33,24 +144,25 @@ interface(`jabber_tcp_connect',`
+ ## <summary>
+-## All of the rules required to
+-## administrate an jabber environment.
++## All of the rules required to administrate
++## an jabber environment
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -66,38 +137,32 @@ interface(`jabber_tcp_connect',`
+ ## </param>
+ ## <param name="role">
+ ## <summary>
+-## Role allowed access.
++## The role to be allowed to manage the jabber domain.
+ ## </summary>
+ ## </param>
+ ## <rolecap/>
#
interface(`jabber_admin',`
gen_require(`
-- type jabberd_t, jabberd_log_t, jabberd_var_lib_t;
-- type jabberd_var_run_t, jabberd_initrc_exec_t;
+- attribute jabberd_domain;
+- type jabberd_lock_t, jabberd_log_t, jabberd_spool_t;
+- type jabberd_var_lib_t, jabberd_var_run_t, jabberd_initrc_exec_t;
+ type jabberd_t, jabberd_var_lib_t;
+ type jabberd_initrc_exec_t, jabberd_router_t;
')
-- allow $1 jabberd_t:process { ptrace signal_perms };
+- allow $1 jabberd_domain:process { ptrace signal_perms };
+- ps_process_pattern($1, jabberd_domain)
+ allow $1 jabberd_t:process signal_perms;
- ps_process_pattern($1, jabberd_t)
++ ps_process_pattern($1, jabberd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 jabberd_t:process ptrace;
+ allow $1 jabberd_router_t:process ptrace;
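Review bot: The rewritten `jabber_admin` names `jabberd_t` and `jabberd_router_t` individually where upstream used the `jabberd_domain` attribute, so the `pyicqt_t` domain this same patch creates through `jabber_domain_template(pyicqt)` receives no signal, ps or ptrace rules from the admin interface as far as the visible lines show. Keeping the attribute, e.g. `allow $1 jabberd_domain:process signal_perms;`, `ps_process_pattern($1, jabberd_domain)` and the `deny_ptrace` block applied to `jabberd_domain`, covers every domain the template creates without listing them by hand; I cannot see whether pyicqt_t rules appear in the unchanged lines between this hunk and the next. Separately, the new summary text `## an jabber environment` should read `## a jabber environment` (the kdump_admin summary later in this patch has the same slip). jabber_admin continues past the end of this hunk.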
@@ -27862,43 +27064,50 @@ index 9878499..01673a4 100644
role_transition $2 jabberd_initrc_exec_t system_r;
allow $2 system_r;
-- logging_list_logs($1)
+- files_search_locks($1))
+- admin_pattern($1, jabberd_lock_t)
+-
+- logging_search_logs($1)
- admin_pattern($1, jabberd_log_t)
-
- files_list_var_lib($1)
+- files_search_spool($1)
+- admin_pattern($1, jabberd_spool_t)
+-
+- files_search_var_lib($1)
++ files_list_var_lib($1)
admin_pattern($1, jabberd_var_lib_t)
-
-- files_list_pids($1)
+- files_search_pids($1)
- admin_pattern($1, jabberd_var_run_t)
')
diff --git a/jabber.te b/jabber.te
-index 53e53ca..c1ce1b7 100644
+index bb12c90..c1ce1b7 100644
--- a/jabber.te
+++ b/jabber.te
-@@ -1,94 +1,146 @@
--policy_module(jabber, 1.9.0)
+@@ -1,4 +1,4 @@
+-policy_module(jabber, 1.9.1)
+policy_module(jabber, 1.8.0)
########################################
#
- # Declarations
- #
+@@ -9,129 +9,138 @@ attribute jabberd_domain;
--type jabberd_t;
--type jabberd_exec_t;
--init_daemon_domain(jabberd_t, jabberd_exec_t)
-+attribute jabberd_domain;
-+
-+jabber_domain_template(jabberd)
-+jabber_domain_template(jabberd_router)
+ jabber_domain_template(jabberd)
+ jabber_domain_template(jabberd_router)
+jabber_domain_template(pyicqt)
type jabberd_initrc_exec_t;
init_script_file(jabberd_initrc_exec_t)
+-type jabberd_lock_t;
+-files_lock_file(jabberd_lock_t)
+-
-type jabberd_log_t;
-logging_log_file(jabberd_log_t)
-
+-type jabberd_spool_t;
+-files_type(jabberd_spool_t)
+-
+# type which includes log/pid files pro jabberd components
type jabberd_var_lib_t;
files_type(jabberd_var_lib_t)
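Review bot: The patch now replaces upstream's `policy_module(jabber, 1.9.1)` with `policy_module(jabber, 1.8.0)`, so the merged module carries a lower version than the refpolicy it was merged from; the same backwards step is made for kdump (`1.2.3` to `1.2.0`) and kdumpgui (`1.1.4` to `1.1.0`) further down. Presumably this is a leftover from the pre-merge Fedora file rather than a deliberate downgrade; if so, the upstream version line can simply be left untouched, which also shrinks the next merge. I believe older version-checking `semodule` upgrade paths refuse a module whose version is not newer than the installed one, so it is worth confirming before the build ships.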
@@ -27910,159 +27119,167 @@ index 53e53ca..c1ce1b7 100644
+logging_log_file(pyicqt_log_t);
-########################################
+-#
+-# Common local policy
+-#
+type pyicqt_var_spool_t;
+files_spool_file(pyicqt_var_spool_t)
-+
+
+-allow jabberd_domain self:process signal_perms;
+-allow jabberd_domain self:fifo_file rw_fifo_file_perms;
+-allow jabberd_domain self:tcp_socket { accept listen };
+type pyicqt_var_run_t;
+files_pid_file(pyicqt_var_run_t)
-+
+
+-manage_files_pattern(jabberd_domain, jabberd_var_lib_t, jabberd_var_lib_t)
+######################################
- #
--# Local policy
++#
+# Local policy for jabberd-router and c2s components
- #
++#
--allow jabberd_t self:capability dac_override;
--dontaudit jabberd_t self:capability sys_tty_config;
--allow jabberd_t self:process signal_perms;
--allow jabberd_t self:fifo_file read_fifo_file_perms;
--allow jabberd_t self:tcp_socket create_stream_socket_perms;
--allow jabberd_t self:udp_socket create_socket_perms;
+-kernel_read_system_state(jabberd_domain)
+allow jabberd_router_t self:netlink_route_socket r_netlink_socket_perms;
--manage_files_pattern(jabberd_t, jabberd_var_lib_t, jabberd_var_lib_t)
--files_var_lib_filetrans(jabberd_t, jabberd_var_lib_t, file)
--
--manage_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t)
--logging_log_filetrans(jabberd_t, jabberd_log_t, { file dir })
--
--manage_files_pattern(jabberd_t, jabberd_var_run_t, jabberd_var_run_t)
--files_pid_filetrans(jabberd_t, jabberd_var_run_t, file)
--
--kernel_read_kernel_sysctls(jabberd_t)
--kernel_list_proc(jabberd_t)
--kernel_read_proc_symlinks(jabberd_t)
--
--corenet_all_recvfrom_unlabeled(jabberd_t)
--corenet_all_recvfrom_netlabel(jabberd_t)
--corenet_tcp_sendrecv_generic_if(jabberd_t)
--corenet_udp_sendrecv_generic_if(jabberd_t)
--corenet_tcp_sendrecv_generic_node(jabberd_t)
--corenet_udp_sendrecv_generic_node(jabberd_t)
--corenet_tcp_sendrecv_all_ports(jabberd_t)
--corenet_udp_sendrecv_all_ports(jabberd_t)
--corenet_tcp_bind_generic_node(jabberd_t)
--corenet_tcp_bind_jabber_client_port(jabberd_t)
--corenet_tcp_bind_jabber_interserver_port(jabberd_t)
--corenet_sendrecv_jabber_client_server_packets(jabberd_t)
--corenet_sendrecv_jabber_interserver_server_packets(jabberd_t)
+-corenet_all_recvfrom_unlabeled(jabberd_domain)
+-corenet_all_recvfrom_netlabel(jabberd_domain)
+-corenet_tcp_sendrecv_generic_if(jabberd_domain)
+-corenet_tcp_sendrecv_generic_node(jabberd_domain)
+-corenet_tcp_bind_generic_node(jabberd_domain)
+manage_files_pattern(jabberd_router_t, jabberd_var_lib_t, jabberd_var_lib_t)
+manage_dirs_pattern(jabberd_router_t, jabberd_var_lib_t, jabberd_var_lib_t)
-+
+
+-dev_read_urand(jabberd_domain)
+-dev_read_sysfs(jabberd_domain)
+kernel_read_network_state(jabberd_router_t)
-+
+
+-fs_getattr_all_fs(jabberd_domain)
+corenet_tcp_bind_jabber_client_port(jabberd_router_t)
+corenet_tcp_bind_jabber_router_port(jabberd_router_t)
+corenet_tcp_connect_jabber_router_port(jabberd_router_t)
+corenet_sendrecv_jabber_router_server_packets(jabberd_router_t)
+corenet_sendrecv_jabber_client_server_packets(jabberd_router_t)
--dev_read_sysfs(jabberd_t)
--# For SSL
--dev_read_rand(jabberd_t)
+-logging_send_syslog_msg(jabberd_domain)
+fs_getattr_all_fs(jabberd_router_t)
--domain_use_interactive_fds(jabberd_t)
+-miscfiles_read_localization(jabberd_domain)
+miscfiles_read_generic_certs(jabberd_router_t)
--files_read_etc_files(jabberd_t)
--files_read_etc_runtime_files(jabberd_t)
-+optional_policy(`
+ optional_policy(`
+- nis_use_ypbind(jabberd_domain)
+ kerberos_use(jabberd_router_t)
-+')
+ ')
--fs_getattr_all_fs(jabberd_t)
--fs_search_auto_mountpoints(jabberd_t)
-+optional_policy(`
+ optional_policy(`
+- seutil_sigchld_newrole(jabberd_domain)
+ nis_use_ypbind(jabberd_router_t)
-+')
+ ')
--logging_send_syslog_msg(jabberd_t)
+-########################################
+#####################################
-+#
+ #
+-# Local policy
+# Local policy for other jabberd components
-+#
+ #
--miscfiles_read_localization(jabberd_t)
+-allow jabberd_t self:capability dac_override;
+-dontaudit jabberd_t self:capability sys_tty_config;
+-allow jabberd_t self:tcp_socket create_socket_perms;
+-allow jabberd_t self:udp_socket create_socket_perms;
+manage_files_pattern(jabberd_t, jabberd_var_lib_t, jabberd_var_lib_t)
+manage_dirs_pattern(jabberd_t, jabberd_var_lib_t, jabberd_var_lib_t)
--sysnet_read_config(jabberd_t)
+-manage_files_pattern(jabberd_t, jabberd_lock_t, jabberd_lock_t)
+corenet_tcp_bind_jabber_interserver_port(jabberd_t)
+corenet_tcp_connect_jabber_router_port(jabberd_t)
- userdom_dontaudit_use_unpriv_user_fds(jabberd_t)
- userdom_dontaudit_search_user_home_dirs(jabberd_t)
+-allow jabberd_t jabberd_log_t:dir setattr_dir_perms;
+-append_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t)
+-create_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t)
+-setattr_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t)
+-logging_log_filetrans(jabberd_t, jabberd_log_t, { file dir })
++userdom_dontaudit_use_unpriv_user_fds(jabberd_t)
++userdom_dontaudit_search_user_home_dirs(jabberd_t)
- optional_policy(`
-- nis_use_ypbind(jabberd_t)
+-manage_files_pattern(jabberd_domain, jabberd_spool_t, jabberd_spool_t)
++optional_policy(`
+ seutil_sigchld_newrole(jabberd_t)
- ')
++')
- optional_policy(`
-- seutil_sigchld_newrole(jabberd_t)
+-manage_files_pattern(jabberd_t, jabberd_var_run_t, jabberd_var_run_t)
+-files_pid_filetrans(jabberd_t, jabberd_var_run_t, file)
++optional_policy(`
+ udev_read_db(jabberd_t)
+')
-+
+
+-kernel_read_kernel_sysctls(jabberd_t)
+######################################
+#
+# Local policy for pyicq-t
+#
-+
+
+-corenet_sendrecv_jabber_client_server_packets(jabberd_t)
+-corenet_tcp_bind_jabber_client_port(jabberd_t)
+-corenet_tcp_sendrecv_jabber_client_port(jabberd_t)
+# need for /var/log/pyicq-t.log
+manage_files_pattern(pyicqt_t, pyicqt_log_t, pyicqt_log_t)
+logging_log_filetrans(pyicqt_t, pyicqt_log_t, file)
-+
+
+-corenet_sendrecv_jabber_interserver_server_packets(jabberd_t)
+-corenet_tcp_bind_jabber_interserver_port(jabberd_t)
+-corenet_tcp_sendrecv_jabber_interserver_port(jabberd_t)
+manage_files_pattern(pyicqt_t, pyicqt_var_run_t, pyicqt_var_run_t);
-+
+
+-dev_read_rand(jabberd_t)
+files_search_spool(pyicqt_t)
+manage_files_pattern(pyicqt_t, pyicqt_var_spool_t, pyicqt_var_spool_t);
-+
+
+-domain_use_interactive_fds(jabberd_t)
+corenet_tcp_bind_jabber_router_port(pyicqt_t)
+corenet_tcp_connect_jabber_router_port(pyicqt_t)
-+
+
+-files_read_etc_files(jabberd_t)
+-files_read_etc_runtime_files(jabberd_t)
+corecmd_exec_bin(pyicqt_t)
-+
+
+-fs_search_auto_mountpoints(jabberd_t)
+dev_read_urand(pyicqt_t);
-+
+
+-sysnet_read_config(jabberd_t)
+files_read_usr_files(pyicqt_t)
-+
+
+-userdom_dontaudit_use_unpriv_user_fds(jabberd_t)
+-userdom_dontaudit_search_user_home_dirs(jabberd_t)
+auth_use_nsswitch(pyicqt_t);
-+
+
+# for RHEL5
+libs_use_ld_so(pyicqt_t)
+libs_use_shared_libs(pyicqt_t)
+
+# needed for pyicq-t-mysql
-+optional_policy(`
+ optional_policy(`
+- udev_read_db(jabberd_t)
+ corenet_tcp_connect_mysqld_port(pyicqt_t)
')
- optional_policy(`
-- udev_read_db(jabberd_t)
+-########################################
++optional_policy(`
+ sysnet_use_ldap(pyicqt_t)
- ')
++')
+
+#######################################
-+#
+ #
+-# Router local policy
+# Local policy for jabberd domains
-+#
-+
+ #
+
+-manage_dirs_pattern(jabberd_router_t, jabberd_var_lib_t, jabberd_var_lib_t)
+allow jabberd_domain self:process signal_perms;
+allow jabberd_domain self:fifo_file rw_fifo_file_perms;
+allow jabberd_domain self:tcp_socket create_stream_socket_perms;
+allow jabberd_domain self:udp_socket create_socket_perms;
-+
+
+-kernel_read_network_state(jabberd_router_t)
+corenet_tcp_sendrecv_generic_if(jabberd_domain)
+corenet_udp_sendrecv_generic_if(jabberd_domain)
+corenet_tcp_sendrecv_generic_node(jabberd_domain)
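Review bot: Several of the new pyicqt rules end in a stray semicolon, e.g. `logging_log_file(pyicqt_log_t);`, `manage_files_pattern(pyicqt_t, pyicqt_var_run_t, pyicqt_var_run_t);`, `dev_read_urand(pyicqt_t);` and `auth_use_nsswitch(pyicqt_t);`, while every other interface call in the file has none; whether or not checkpolicy tolerates the empty statement left after m4 expansion, they should be dropped for consistency. The `# for RHEL5` block with `libs_use_ld_so(pyicqt_t)` and `libs_use_shared_libs(pyicqt_t)` also reads like a carry-over from an older policy; as far as I recall those interfaces have been deprecated in refpolicy for some time, so either the comment should state that they are kept for compatibility only or the lines should go — please confirm against the base policy this builds with. The pyicq-t and common jabberd local policy continues into the next hunk.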
@@ -28070,66 +27287,46 @@ index 53e53ca..c1ce1b7 100644
+corenet_tcp_sendrecv_all_ports(jabberd_domain)
+corenet_udp_sendrecv_all_ports(jabberd_domain)
+corenet_tcp_bind_generic_node(jabberd_domain)
-+
+
+-corenet_sendrecv_jabber_client_server_packets(jabberd_router_t)
+-corenet_tcp_bind_jabber_client_port(jabberd_router_t)
+-corenet_tcp_sendrecv_jabber_client_port(jabberd_router_t)
+dev_read_urand(jabberd_domain)
+dev_read_urand(jabberd_domain)
+dev_read_sysfs(jabberd_domain)
-+
+
+-# corenet_sendrecv_jabber_router_server_packets(jabberd_router_t)
+-# corenet_tcp_bind_jabber_router_port(jabberd_router_t)
+-# corenet_sendrecv_jabber_router_client_packets(jabberd_router_t)
+-# corenet_tcp_connect_jabber_router_port(jabberd_router_t)
+-# corenet_tcp_sendrecv_jabber_router_port(jabberd_router_t)
+files_read_etc_files(jabberd_domain)
+files_read_etc_runtime_files(jabberd_domain)
-+
-+sysnet_read_config(jabberd_domain)
-diff --git a/java.fc b/java.fc
-index bc1a419..f630930 100644
---- a/java.fc
-+++ b/java.fc
-@@ -28,8 +28,6 @@
- /usr/lib/opera(/.*)?/opera -- gen_context(system_u:object_r:java_exec_t,s0)
- /usr/lib/opera(/.*)?/works -- gen_context(system_u:object_r:java_exec_t,s0)
--/usr/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
--
- /usr/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
-
- ifdef(`distro_redhat',`
+-auth_use_nsswitch(jabberd_router_t)
++sysnet_read_config(jabberd_domain)
diff --git a/java.te b/java.te
-index ff52c16..bdb4610 100644
+index b3fcfbb..b2c5451 100644
--- a/java.te
+++ b/java.te
-@@ -10,7 +10,7 @@ policy_module(java, 2.6.0)
- ## Allow java executable stack
- ## </p>
+@@ -11,7 +11,7 @@ policy_module(java, 2.6.3)
+ ## its stack executable.
+ ## </p>
## </desc>
-gen_tunable(allow_java_execstack, false)
+gen_tunable(java_execstack, false)
- type java_t;
- type java_exec_t;
-@@ -62,7 +62,6 @@ kernel_read_system_state(java_t)
- # Search bin directory under java for java executable
- corecmd_search_bin(java_t)
-
--corenet_all_recvfrom_unlabeled(java_t)
- corenet_all_recvfrom_netlabel(java_t)
- corenet_tcp_sendrecv_generic_if(java_t)
- corenet_udp_sendrecv_generic_if(java_t)
-@@ -91,7 +90,6 @@ fs_dontaudit_rw_tmpfs_files(java_t)
-
- logging_send_syslog_msg(java_t)
+ attribute java_domain;
--miscfiles_read_localization(java_t)
- # Read global fonts and font config
- miscfiles_read_fonts(java_t)
+@@ -112,7 +112,7 @@ userdom_user_home_dir_filetrans_user_home_content(java_domain, { file lnk_file s
-@@ -108,7 +106,7 @@ userdom_manage_user_home_content_sockets(java_t)
- userdom_user_home_dir_filetrans_user_home_content(java_t, { file lnk_file sock_file fifo_file })
- userdom_write_user_tmp_sockets(java_t)
+ userdom_write_user_tmp_sockets(java_domain)
-tunable_policy(`allow_java_execstack',`
+tunable_policy(`java_execstack',`
- allow java_t self:process execstack;
+ allow java_domain self:process { execmem execstack };
- allow java_t java_tmp_t:file execute;
+ libs_legacy_use_shared_libs(java_domain)
diff --git a/jetty.fc b/jetty.fc
new file mode 100644
index 0000000..1725b7e
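Review bot: `dev_read_urand(jabberd_domain)` appears twice in a row in the common jabberd rules; the second copy is redundant and should be dropped. It is harmless for the compiled policy, but duplicate rules tend to mask real differences at the next upstream merge.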
@@ -28450,24 +27647,12 @@ index 0000000..af510ea
+#
+
+# No local policy. This module just contains type definitions
-diff --git a/jockey.fc b/jockey.fc
-new file mode 100644
-index 0000000..a59ad8d
---- /dev/null
-+++ b/jockey.fc
-@@ -0,0 +1,6 @@
-+/usr/share/jockey/jockey-backend -- gen_context(system_u:object_r:jockey_exec_t,s0)
-+
-+/var/cache/jockey(/.*)? gen_context(system_u:object_r:jockey_cache_t,s0)
-+
-+/var/log/jockey(/.*)? gen_context(system_u:object_r:jockey_var_log_t,s0)
-+/var/log/jockey\.log.* -- gen_context(system_u:object_r:jockey_var_log_t,s0)
diff --git a/jockey.if b/jockey.if
-new file mode 100644
-index 0000000..868c7d0
---- /dev/null
+index 2fb7a20..c6ba007 100644
+--- a/jockey.if
+++ b/jockey.if
-@@ -0,0 +1,126 @@
+@@ -1 +1,131 @@
+-## <summary>Jockey driver manager.</summary>
+
+## <summary>policy for jockey</summary>
+
@@ -28582,6 +27767,7 @@ index 0000000..868c7d0
+ gen_require(`
+ type jockey_t;
+ type jockey_cache_t;
++ type jockey_var_log_t;
+ ')
+
+ allow $1 jockey_t:process { ptrace signal_perms };
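Review bot: `jockey_admin` keeps `allow $1 jockey_t:process { ptrace signal_perms };` unconditionally, whereas the `jabber_admin` and `kdump_admin` rewrites in this same patch grant `signal_perms` plainly and place `ptrace` under `tunable_policy(`deny_ptrace',`',` ... ')`. This hunk only adds `type jockey_var_log_t;` to the gen_require, so it is an existing inconsistency rather than a regression, but with the admin interfaces being reworked here it is the natural place to align it. jockey_admin continues into the next hunk.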
@@ -28589,79 +27775,39 @@ index 0000000..868c7d0
+
+ files_search_var($1)
+ admin_pattern($1, jockey_cache_t)
++
++ logging_search_logs($1)
++ admin_pattern($1, jockey_var_log_t)
++
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/jockey.te b/jockey.te
-new file mode 100644
-index 0000000..03a01b4
---- /dev/null
+index d59ec10..1b5410d 100644
+--- a/jockey.te
+++ b/jockey.te
-@@ -0,0 +1,62 @@
-+policy_module(jockey, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type jockey_t;
-+type jockey_exec_t;
-+init_daemon_domain(jockey_t, jockey_exec_t)
-+
-+type jockey_cache_t;
-+files_type(jockey_cache_t)
-+
-+type jockey_var_log_t;
-+logging_log_file(jockey_var_log_t)
-+
-+########################################
-+#
-+# jockey local policy
-+#
-+allow jockey_t self:fifo_file rw_fifo_file_perms;
-+
-+manage_dirs_pattern(jockey_t, jockey_cache_t, jockey_cache_t)
-+manage_files_pattern(jockey_t, jockey_cache_t, jockey_cache_t)
-+manage_lnk_files_pattern(jockey_t, jockey_cache_t, jockey_cache_t)
-+files_var_filetrans(jockey_t, jockey_cache_t, { dir file })
-+
-+manage_files_pattern(jockey_t, jockey_var_log_t, jockey_var_log_t)
-+manage_dirs_pattern(jockey_t, jockey_var_log_t, jockey_var_log_t)
-+logging_log_filetrans(jockey_t, jockey_var_log_t, { file dir })
-+
-+kernel_read_system_state(jockey_t)
-+
-+corecmd_exec_bin(jockey_t)
-+corecmd_exec_shell(jockey_t)
-+
-+dev_read_rand(jockey_t)
-+dev_read_urand(jockey_t)
-+
-+dev_read_sysfs(jockey_t)
-+
-+domain_use_interactive_fds(jockey_t)
-+
-+files_read_etc_files(jockey_t)
-+files_read_usr_files(jockey_t)
-+
+@@ -47,13 +47,18 @@ domain_use_interactive_fds(jockey_t)
+ files_read_etc_files(jockey_t)
+ files_read_usr_files(jockey_t)
+
+-miscfiles_read_localization(jockey_t)
+auth_read_passwd(jockey_t)
-+
-+optional_policy(`
-+ dbus_system_domain(jockey_t, jockey_exec_t)
-+')
-+
-+optional_policy(`
+
+ optional_policy(`
+ dbus_system_domain(jockey_t, jockey_exec_t)
+ ')
+
+ optional_policy(`
+ gnome_dontaudit_search_config(jockey_t)
+')
+
+optional_policy(`
-+ modutils_domtrans_insmod(jockey_t)
-+ modutils_read_module_config(jockey_t)
+ modutils_domtrans_insmod(jockey_t)
+ modutils_read_module_config(jockey_t)
+ modutils_list_module_config(jockey_t)
-+')
+ ')
diff --git a/kde.fc b/kde.fc
new file mode 100644
index 0000000..25e4b68
@@ -28699,10 +27845,10 @@ index 0000000..cf65577
+')
diff --git a/kde.te b/kde.te
new file mode 100644
-index 0000000..7b4b5ff
+index 0000000..dbe3f03
--- /dev/null
+++ b/kde.te
-@@ -0,0 +1,42 @@
+@@ -0,0 +1,41 @@
+policy_module(kde,1.0.0)
+
+########################################
@@ -28718,6 +27864,7 @@ index 0000000..7b4b5ff
+#
+# backlighthelper local policy
+#
++
+allow kdebacklighthelper_t self:fifo_file rw_fifo_file_perms;
+
+kernel_read_system_state(kdebacklighthelper_t)
@@ -28725,9 +27872,7 @@ index 0000000..7b4b5ff
+# r/w brightness values
+dev_rw_sysfs(kdebacklighthelper_t)
+
-+files_read_etc_files(kdebacklighthelper_t)
+files_read_etc_runtime_files(kdebacklighthelper_t)
-+files_read_usr_files(kdebacklighthelper_t)
+
+fs_getattr_all_fs(kdebacklighthelper_t)
+
@@ -28746,25 +27891,40 @@ index 0000000..7b4b5ff
+')
+
diff --git a/kdump.fc b/kdump.fc
-index c66934f..1906ffe 100644
+index a49ae4e..1906ffe 100644
--- a/kdump.fc
+++ b/kdump.fc
-@@ -3,3 +3,11 @@
+@@ -1,13 +1,13 @@
+ /etc/kdump\.conf -- gen_context(system_u:object_r:kdump_etc_t,s0)
++/etc/rc\.d/init\.d/kdump -- gen_context(system_u:object_r:kdump_initrc_exec_t,s0)
- /sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0)
- /sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0)
-+
-+
+-/etc/rc\.d/init\.d/kdump -- gen_context(system_u:object_r:kdump_initrc_exec_t,s0)
++/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0)
++/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0)
+
+-/bin/kdumpctl -- gen_context(system_u:object_r:kdumpctl_exec_t,s0)
+
+-/usr/bin/kdumpctl -- gen_context(system_u:object_r:kdumpctl_exec_t,s0)
+/usr/lib/systemd/system/kdump\.service -- gen_context(system_u:object_r:kdump_unit_file_t,s0)
-+
+
+-/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0)
+-/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0)
+/usr/bin/kdumpctl -- gen_context(system_u:object_r:kdumpctl_exec_t,s0)
+/usr/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0)
+/usr/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0)
-+
+
+-/usr/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0)
+-/usr/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0)
diff --git a/kdump.if b/kdump.if
-index 4198ff5..15d521b 100644
+index 3a00b3a..15d521b 100644
--- a/kdump.if
+++ b/kdump.if
+@@ -1,4 +1,4 @@
+-## <summary>Kernel crash dumping mechanism.</summary>
++## <summary>Kernel crash dumping mechanism</summary>
+
+ ######################################
+ ## <summary>
@@ -19,6 +19,26 @@ interface(`kdump_domtrans',`
domtrans_pattern($1, kdump_exec_t, kdump_t)
')
@@ -28792,7 +27952,7 @@ index 4198ff5..15d521b 100644
#######################################
## <summary>
## Execute kdump in the kdump domain.
-@@ -37,6 +57,30 @@ interface(`kdump_initrc_domtrans',`
+@@ -37,9 +57,33 @@ interface(`kdump_initrc_domtrans',`
init_labeled_script_domtrans($1, kdump_initrc_exec_t)
')
@@ -28822,8 +27982,12 @@ index 4198ff5..15d521b 100644
+
#####################################
## <summary>
- ## Read kdump configuration file.
-@@ -56,6 +100,24 @@ interface(`kdump_read_config',`
+-## Read kdump configuration files.
++## Read kdump configuration file.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -56,10 +100,27 @@ interface(`kdump_read_config',`
allow $1 kdump_etc_t:file read_file_perms;
')
@@ -28847,8 +28011,13 @@ index 4198ff5..15d521b 100644
+
####################################
## <summary>
- ## Manage kdump configuration file.
-@@ -75,6 +137,27 @@ interface(`kdump_manage_config',`
+-## Create, read, write, and delete
+-## kdmup configuration files.
++## Manage kdump configuration file.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -76,10 +137,31 @@ interface(`kdump_manage_config',`
allow $1 kdump_etc_t:file manage_file_perms;
')
@@ -28875,162 +28044,206 @@ index 4198ff5..15d521b 100644
+
######################################
## <summary>
- ## All of the rules required to administrate
-@@ -96,10 +179,14 @@ interface(`kdump_admin',`
+-## All of the rules required to
+-## administrate an kdump environment.
++## All of the rules required to administrate
++## an kdump environment
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -88,19 +170,23 @@ interface(`kdump_manage_config',`
+ ## </param>
+ ## <param name="role">
+ ## <summary>
+-## Role allowed access.
++## The role to be allowed to manage the kdump domain.
+ ## </summary>
+ ## </param>
+ ## <rolecap/>
+ #
+ interface(`kdump_admin',`
gen_require(`
- type kdump_t, kdump_etc_t;
- type kdump_initrc_exec_t;
+- type kdump_t, kdump_etc_t, kdumpctl_tmp_t;
+- type kdump_initrc_exec_t, kdumpctl_t;
++ type kdump_t, kdump_etc_t;
++ type kdump_initrc_exec_t;
+ type kdump_unit_file_t;
')
-- allow $1 kdump_t:process { ptrace signal_perms };
+- allow $1 { kdump_t kdumpctl_t }:process { ptrace signal_perms };
+- ps_process_pattern($1, { kdump_t kdumpctl_t })
+ allow $1 kdump_t:process signal_perms;
- ps_process_pattern($1, kdump_t)
++ ps_process_pattern($1, kdump_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 kdump_t:process ptrace;
+ ')
init_labeled_script_domtrans($1, kdump_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -108,4 +195,8 @@ interface(`kdump_admin',`
-
+@@ -110,6 +196,7 @@ interface(`kdump_admin',`
files_search_etc($1)
admin_pattern($1, kdump_etc_t)
-+
+
+- files_search_tmp($1)
+- admin_pattern($1, kdumpctl_tmp_t)
+ kdump_systemctl($1)
+ admin_pattern($1, kdump_unit_file_t)
+ allow $1 kdump_unit_file_t:service all_service_perms;
')
diff --git a/kdump.te b/kdump.te
-index b29d8e2..6b6a6c4 100644
+index 70f3007..6b6a6c4 100644
--- a/kdump.te
+++ b/kdump.te
-@@ -15,15 +15,28 @@ files_config_file(kdump_etc_t)
+@@ -1,4 +1,4 @@
+-policy_module(kdump, 1.2.3)
++policy_module(kdump, 1.2.0)
+
+ #######################################
+ #
+@@ -15,30 +15,34 @@ files_config_file(kdump_etc_t)
type kdump_initrc_exec_t;
init_script_file(kdump_initrc_exec_t)
+type kdump_unit_file_t alias kdumpctl_unit_file_t;
+systemd_unit_file(kdump_unit_file_t)
+
-+type kdumpctl_t;
-+type kdumpctl_exec_t;
-+init_daemon_domain(kdumpctl_t, kdumpctl_exec_t)
+ type kdumpctl_t;
+ type kdumpctl_exec_t;
+ init_daemon_domain(kdumpctl_t, kdumpctl_exec_t)
+-application_executable_file(kdumpctl_exec_t)
+init_initrc_domain(kdumpctl_t)
-+
-+type kdumpctl_tmp_t;
-+files_tmp_file(kdumpctl_tmp_t)
-+
+
+ type kdumpctl_tmp_t;
+ files_tmp_file(kdumpctl_tmp_t)
+
#####################################
#
- # kdump local policy
+-# Local policy
++# kdump local policy
#
allow kdump_t self:capability { sys_boot dac_override };
+allow kdump_t self:capability2 compromise_kernel;
- read_files_pattern(kdump_t, kdump_etc_t, kdump_etc_t)
+-allow kdump_t kdump_etc_t:file read_file_perms;
++read_files_pattern(kdump_t, kdump_etc_t, kdump_etc_t)
-+files_read_etc_files(kdump_t)
+ files_read_etc_files(kdump_t)
files_read_etc_runtime_files(kdump_t)
files_read_kernel_img(kdump_t)
-@@ -36,3 +49,89 @@ dev_read_framebuffer(kdump_t)
- dev_read_sysfs(kdump_t)
++kernel_read_system_state(kdump_t)
+ kernel_read_core_if(kdump_t)
+ kernel_read_debugfs(kdump_t)
+-kernel_read_system_state(kdump_t)
+ kernel_request_load_module(kdump_t)
- term_use_console(kdump_t)
-+
-+#######################################
-+#
+ dev_read_framebuffer(kdump_t)
+@@ -48,22 +52,27 @@ term_use_console(kdump_t)
+
+ #######################################
+ #
+-# Ctl local policy
+# kdumpctl local policy
-+#
-+
+ #
+
+#cjp:almost all rules are needed by dracut
+
+kdump_domtrans(kdumpctl_t)
+
-+allow kdumpctl_t self:capability { dac_override sys_chroot };
-+allow kdumpctl_t self:process setfscreate;
-+
+ allow kdumpctl_t self:capability { dac_override sys_chroot };
+ allow kdumpctl_t self:process setfscreate;
+-allow kdumpctl_t self:fifo_file rw_fifo_file_perms;
+-allow kdumpctl_t self:unix_stream_socket { accept listen };
+
+-allow kdumpctl_t kdump_etc_t:file read_file_perms;
+allow kdumpctl_t self:fifo_file rw_fifo_file_perms;
+allow kdumpctl_t self:unix_stream_socket create_stream_socket_perms;
-+
-+manage_dirs_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t)
+
+ manage_dirs_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t)
+manage_chr_files_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t)
-+manage_files_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t)
-+manage_lnk_files_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t)
-+files_tmp_filetrans(kdumpctl_t, kdumpctl_tmp_t, { file dir lnk_file })
+ manage_files_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t)
+ manage_lnk_files_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t)
+ files_tmp_filetrans(kdumpctl_t, kdumpctl_tmp_t, { file dir lnk_file })
+can_exec(kdumpctl_t, kdumpctl_tmp_t)
-+
+
+-domtrans_pattern(kdumpctl_t, kdump_exec_t, kdump_t)
+read_files_pattern(kdumpctl_t, kdump_etc_t, kdump_etc_t)
-+
-+kernel_read_system_state(kdumpctl_t)
-+
-+corecmd_exec_bin(kdumpctl_t)
-+corecmd_exec_shell(kdumpctl_t)
-+
-+dev_read_sysfs(kdumpctl_t)
+
+ kernel_read_system_state(kdumpctl_t)
+
+@@ -71,6 +80,7 @@ corecmd_exec_bin(kdumpctl_t)
+ corecmd_exec_shell(kdumpctl_t)
+
+ dev_read_sysfs(kdumpctl_t)
+# dracut
-+dev_manage_all_dev_nodes(kdumpctl_t)
-+
-+domain_use_interactive_fds(kdumpctl_t)
-+
-+files_create_kernel_img(kdumpctl_t)
-+files_read_etc_files(kdumpctl_t)
-+files_read_etc_runtime_files(kdumpctl_t)
-+files_read_usr_files(kdumpctl_t)
-+files_read_kernel_modules(kdumpctl_t)
-+files_getattr_all_dirs(kdumpctl_t)
+ dev_manage_all_dev_nodes(kdumpctl_t)
+
+ domain_use_interactive_fds(kdumpctl_t)
+@@ -81,36 +91,47 @@ files_read_etc_runtime_files(kdumpctl_t)
+ files_read_usr_files(kdumpctl_t)
+ files_read_kernel_modules(kdumpctl_t)
+ files_getattr_all_dirs(kdumpctl_t)
+files_delete_kernel(kdumpctl_t)
-+
-+fs_getattr_all_fs(kdumpctl_t)
-+fs_search_all(kdumpctl_t)
-+
+
+ fs_getattr_all_fs(kdumpctl_t)
+ fs_search_all(kdumpctl_t)
+
+-init_domtrans_script(kdumpctl_t)
+application_executable_ioctl(kdumpctl_t)
+
+auth_read_passwd(kdumpctl_t)
+
-+init_exec(kdumpctl_t)
+ init_exec(kdumpctl_t)
+systemd_exec_systemctl(kdumpctl_t)
+systemd_read_unit_files(kdumpctl_t)
-+
-+libs_exec_ld_so(kdumpctl_t)
-+
-+logging_send_syslog_msg(kdumpctl_t)
+
+ libs_exec_ld_so(kdumpctl_t)
+
+ logging_send_syslog_msg(kdumpctl_t)
+# Need log file from /var/log/dracut.log
+logging_write_generic_logs(kdumpctl_t)
-+
+
+-miscfiles_read_localization(kdumpctl_t)
+optional_policy(`
+ gpg_exec(kdumpctl_t)
+')
-+
-+optional_policy(`
+
+ optional_policy(`
+- gpg_exec(kdumpctl_t)
+ lvm_read_config(kdumpctl_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- lvm_read_config(kdumpctl_t)
+ modutils_domtrans_insmod(kdumpctl_t)
+ modutils_list_module_config(kdumpctl_t)
+ modutils_read_module_config(kdumpctl_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- modutils_domtrans_insmod(kdumpctl_t)
+- modutils_read_module_config(kdumpctl_t)
+ plymouthd_domtrans_plymouth(kdumpctl_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- plymouthd_domtrans_plymouth(kdumpctl_t)
+ ssh_exec(kdumpctl_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- ssh_exec(kdumpctl_t)
+ unconfined_domain(kdumpctl_t)
-+')
+ ')
diff --git a/kdumpgui.if b/kdumpgui.if
-index d6af9b0..8b1d9c2 100644
+index 182ab8b..8b1d9c2 100644
--- a/kdumpgui.if
+++ b/kdumpgui.if
-@@ -1,2 +1,23 @@
- ## <summary>system-config-kdump GUI</summary>
-
+@@ -1 +1,23 @@
+-## <summary>System-config-kdump GUI.</summary>
++## <summary>system-config-kdump GUI</summary>
++
+########################################
+## <summary>
+## Send and receive messages from
@@ -29053,34 +28266,42 @@ index d6af9b0..8b1d9c2 100644
+')
+
diff --git a/kdumpgui.te b/kdumpgui.te
-index 0c52f60..acb89ac 100644
+index e7f5c81..acb89ac 100644
--- a/kdumpgui.te
+++ b/kdumpgui.te
-@@ -7,25 +7,36 @@ policy_module(kdumpgui, 1.1.0)
+@@ -1,4 +1,4 @@
+-policy_module(kdumpgui, 1.1.4)
++policy_module(kdumpgui, 1.1.0)
+
+ ########################################
+ #
+@@ -7,61 +7,66 @@ policy_module(kdumpgui, 1.1.4)
type kdumpgui_t;
type kdumpgui_exec_t;
--dbus_system_domain(kdumpgui_t, kdumpgui_exec_t)
+-init_system_domain(kdumpgui_t, kdumpgui_exec_t)
+init_daemon_domain(kdumpgui_t, kdumpgui_exec_t)
-+
-+type kdumpgui_tmp_t;
-+files_tmp_file(kdumpgui_tmp_t)
+
+ type kdumpgui_tmp_t;
+ files_tmp_file(kdumpgui_tmp_t)
######################################
#
- # system-config-kdump local policy
+-# Local policy
++# system-config-kdump local policy
#
--allow kdumpgui_t self:capability { net_admin sys_admin sys_rawio };
-+allow kdumpgui_t self:capability { net_admin sys_admin sys_nice sys_rawio };
+ allow kdumpgui_t self:capability { net_admin sys_admin sys_nice sys_rawio };
+-allow kdumpgui_t self:process { setsched sigkill };
allow kdumpgui_t self:fifo_file rw_fifo_file_perms;
allow kdumpgui_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow kdumpgui_t self:process { setsched sigkill };
-+
-+manage_dirs_pattern(kdumpgui_t, kdumpgui_tmp_t, kdumpgui_tmp_t)
-+manage_files_pattern(kdumpgui_t, kdumpgui_tmp_t, kdumpgui_tmp_t)
-+files_tmp_filetrans(kdumpgui_t, kdumpgui_tmp_t, { dir file })
+ manage_dirs_pattern(kdumpgui_t, kdumpgui_tmp_t, kdumpgui_tmp_t)
+ manage_files_pattern(kdumpgui_t, kdumpgui_tmp_t, kdumpgui_tmp_t)
+ files_tmp_filetrans(kdumpgui_t, kdumpgui_tmp_t, { dir file })
+
+-kernel_getattr_core_if(kdumpgui_t)
kernel_read_system_state(kdumpgui_t)
kernel_read_network_state(kdumpgui_t)
+kernel_getattr_core_if(kdumpgui_t)
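Review bot: The new side lowers the module version from `policy_module(kdumpgui, 1.1.4)` to `policy_module(kdumpgui, 1.1.0)` while also changing the module body (init_daemon_domain instead of init_system_domain, the moved capability and tmp rules), so the version no longer identifies which variant of the module is loaded; bump it above upstream's instead, e.g. `policy_module(kdumpgui, 1.1.5)`. The same revert appears in the kerberos.te hunk further down, where `policy_module(kerberos, 1.11.7)` becomes `policy_module(kerberos, 1.11.0)`. Module versions are what an administrator sees when listing installed modules, so a downgraded number makes the modified policy look older than the stock one. The kdumpgui.te section continues in the following outer hunks.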
@@ -29088,6 +28309,7 @@ index 0c52f60..acb89ac 100644
corecmd_exec_bin(kdumpgui_t)
corecmd_exec_shell(kdumpgui_t)
+-dev_getattr_all_blk_files(kdumpgui_t)
dev_dontaudit_getattr_all_chr_files(kdumpgui_t)
dev_read_sysfs(kdumpgui_t)
+dev_read_urand(kdumpgui_t)
@@ -29095,97 +28317,147 @@ index 0c52f60..acb89ac 100644
files_manage_boot_files(kdumpgui_t)
files_manage_boot_symlinks(kdumpgui_t)
-@@ -36,28 +47,53 @@ files_manage_etc_runtime_files(kdumpgui_t)
++# Needed for running chkconfig
+ files_manage_etc_symlinks(kdumpgui_t)
++# for blkid.tab
+ files_manage_etc_runtime_files(kdumpgui_t)
files_etc_filetrans_etc_runtime(kdumpgui_t, file)
files_read_usr_files(kdumpgui_t)
+fs_read_dos_files(kdumpgui_t)
-+fs_getattr_all_fs(kdumpgui_t)
-+fs_list_hugetlbfs(kdumpgui_t)
-+
+ fs_getattr_all_fs(kdumpgui_t)
+ fs_list_hugetlbfs(kdumpgui_t)
+-fs_read_dos_files(kdumpgui_t)
+
storage_raw_read_fixed_disk(kdumpgui_t)
storage_raw_write_fixed_disk(kdumpgui_t)
+storage_getattr_removable_dev(kdumpgui_t)
auth_use_nsswitch(kdumpgui_t)
- logging_send_syslog_msg(kdumpgui_t)
-+logging_list_logs(kdumpgui_t)
-+logging_read_generic_logs(kdumpgui_t)
-
++logging_send_syslog_msg(kdumpgui_t)
+ logging_list_logs(kdumpgui_t)
+ logging_read_generic_logs(kdumpgui_t)
+-logging_send_syslog_msg(kdumpgui_t)
+-
-miscfiles_read_localization(kdumpgui_t)
-+mount_exec(kdumpgui_t)
+
+ mount_exec(kdumpgui_t)
init_dontaudit_read_all_script_files(kdumpgui_t)
+init_access_check(kdumpgui_t)
+
+userdom_dontaudit_search_admin_dir(kdumpgui_t)
-+
-+optional_policy(`
-+ bootloader_exec(kdumpgui_t)
-+ bootloader_rw_config(kdumpgui_t)
-+')
optional_policy(`
- consoletype_exec(kdumpgui_t)
+ bootloader_exec(kdumpgui_t)
+@@ -73,11 +78,11 @@ optional_policy(`
')
optional_policy(`
+- dbus_system_domain(kdumpgui_t, kdumpgui_exec_t)
+ consoletype_exec(kdumpgui_t)
+')
-+
+
+- optional_policy(`
+- policykit_dbus_chat(kdumpgui_t)
+- ')
+optional_policy(`
+ dbus_system_domain(kdumpgui_t, kdumpgui_exec_t)
-+')
-+
-+optional_policy(`
- dev_rw_lvm_control(kdumpgui_t)
')
optional_policy(`
+@@ -87,4 +92,10 @@ optional_policy(`
+ optional_policy(`
kdump_manage_config(kdumpgui_t)
kdump_initrc_domtrans(kdumpgui_t)
+ kdump_systemctl(kdumpgui_t)
+ kdumpctl_domtrans(kdumpgui_t)
++')
++
++optional_policy(`
++ policykit_dbus_chat(kdumpgui_t)
')
-
- optional_policy(`
diff --git a/kerberos.fc b/kerberos.fc
-index 3525d24..8c702c9 100644
+index 4fe75fd..8c702c9 100644
--- a/kerberos.fc
+++ b/kerberos.fc
-@@ -13,13 +13,14 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
+@@ -1,52 +1,44 @@
+-HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
+-/root/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
++HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
++/root/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
+
+-/etc/krb5\.conf -- gen_context(system_u:object_r:krb5_conf_t,s0)
+-/etc/krb5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
++/etc/krb5\.conf -- gen_context(system_u:object_r:krb5_conf_t,s0)
++/etc/krb5\.keytab gen_context(system_u:object_r:krb5_keytab_t,s0)
+
+-/etc/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
+-/etc/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
+-/etc/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
++/etc/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
++/etc/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
++/etc/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
+
+ /etc/rc\.d/init\.d/kadmind -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/kprop -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
/etc/rc\.d/init\.d/krb524d -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
/etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
--/usr/(local/)?(kerberos/)?sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
--/usr/(local/)?(kerberos/)?sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
+-/usr/kerberos/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
+-/usr/kerberos/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
+-/usr/kerberos/sbin/kadmin\.local -- gen_context(system_u:object_r:kadmind_exec_t,s0)
+/usr/(kerberos/)?sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
+/usr/(kerberos/)?sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
- /usr/kerberos/sbin/kadmin\.local -- gen_context(system_u:object_r:kadmind_exec_t,s0)
++/usr/kerberos/sbin/kadmin\.local -- gen_context(system_u:object_r:kadmind_exec_t,s0)
/usr/kerberos/sbin/kpropd -- gen_context(system_u:object_r:kpropd_exec_t,s0)
+/usr/sbin/kpropd -- gen_context(system_u:object_r:kpropd_exec_t,s0)
--/usr/local/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
+-/usr/local/kerberos/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
+-/usr/local/kerberos/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
+-
+-/usr/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
+-/usr/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
+-
+-/usr/local/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
-/usr/local/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
+-
+-/usr/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
+/usr/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
-+/usr/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
+ /usr/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
- /var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
+-/var/cache/krb5rcache(/.*)? gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+-
+-/var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
++/var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
/var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0)
-@@ -27,7 +28,17 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
+-/var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
++/var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
/var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
- /var/kerberos/krb5kdc/principal.*\.ok gen_context(system_u:object_r:krb5kdc_lock_t,s0)
-
--/var/log/krb5kdc\.log gen_context(system_u:object_r:krb5kdc_log_t,s0)
--/var/log/kadmin(d)?\.log gen_context(system_u:object_r:kadmind_log_t,s0)
+-/var/kerberos/krb5kdc/principal.*\.ok -- gen_context(system_u:object_r:krb5kdc_lock_t,s0)
+-
+-/var/log/krb5kdc\.log.* -- gen_context(system_u:object_r:krb5kdc_log_t,s0)
+-/var/log/kadmin\.log.* -- gen_context(system_u:object_r:kadmind_log_t,s0)
+-/var/log/kadmind\.log.* -- gen_context(system_u:object_r:kadmind_log_t,s0)
+-
+-/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+-/var/tmp/HTTP_23 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+-/var/tmp/HTTP_48 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+-/var/tmp/imap_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+-/var/tmp/nfs_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+-/var/tmp/ldapmap1_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+-/var/tmp/ldap_487 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+-/var/tmp/ldap_55 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
++/var/kerberos/krb5kdc/principal.*\.ok gen_context(system_u:object_r:krb5kdc_lock_t,s0)
++
+/var/log/krb5kdc\.log.* gen_context(system_u:object_r:krb5kdc_log_t,s0)
+/var/log/kadmin(d)?\.log.* gen_context(system_u:object_r:kadmind_log_t,s0)
-
++
+/var/cache/krb5rcache(/.*)? gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+
+/var/tmp/DNS_25 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
- /var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
++/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/HTTP_23 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/HTTP_48 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/imap_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
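Review bot: The new `/etc/krb5\.keytab gen_context(system_u:object_r:krb5_keytab_t,s0)` entry drops the `--` regular-file qualifier that the replaced upstream line carried and that the sibling `/etc/krb5\.conf -- gen_context(...)` entry keeps, so a directory or symlink at that path would also be labeled krb5_keytab_t; if that is intended, a comment saying why would help, otherwise restore `--`. The same qualifier is dropped on `/var/kerberos/krb5kdc/principal.*\.ok`, `/var/log/krb5kdc\.log.*` and `/var/log/kadmin(d)?\.log.*` later in this hunk. Since krb5_keytab_t is the type that gates access to long-term keys, keeping the labeling as narrow as the upstream rule seems the safer default.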
@@ -29194,12 +28466,104 @@ index 3525d24..8c702c9 100644
+/var/tmp/ldap_487 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/ldap_55 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
diff --git a/kerberos.if b/kerberos.if
-index 604f67b..138e1e2 100644
+index f9de9fc..138e1e2 100644
--- a/kerberos.if
+++ b/kerberos.if
-@@ -82,14 +82,11 @@ interface(`kerberos_use',`
- #kerberos libraries are attempting to set the correct file context
+@@ -1,27 +1,29 @@
+-## <summary>MIT Kerberos admin and KDC.</summary>
++## <summary>MIT Kerberos admin and KDC</summary>
++## <desc>
++## <p>
++## This policy supports:
++## </p>
++## <p>
++## Servers:
++## <ul>
++## <li>kadmind</li>
++## <li>krb5kdc</li>
++## </ul>
++## </p>
++## <p>
++## Clients:
++## <ul>
++## <li>kinit</li>
++## <li>kdestroy</li>
++## <li>klist</li>
++## <li>ksu (incomplete)</li>
++## </ul>
++## </p>
++## </desc>
+
+ ########################################
+ ## <summary>
+-## Role access for kerberos.
+-## </summary>
+-## <param name="role">
+-## <summary>
+-## Role allowed access.
+-## </summary>
+-## </param>
+-## <param name="domain">
+-## <summary>
+-## User domain for the role.
+-## </summary>
+-## </param>
+-#
+-template(`kerberos_role',`
+- refpolicywarn(`$0($*) has been deprecated')
+-')
+-
+-########################################
+-## <summary>
+-## Execute kadmind in the caller domain.
++## Execute kadmind in the current domain
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -34,7 +36,6 @@ interface(`kerberos_exec_kadmind',`
+ type kadmind_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+ can_exec($1, kadmind_exec_t)
+ ')
+
+@@ -53,13 +54,12 @@ interface(`kerberos_domtrans_kpropd',`
+ type kpropd_t, kpropd_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+ domtrans_pattern($1, kpropd_exec_t, kpropd_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Support kerberos services.
++## Use kerberos services
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -69,45 +69,43 @@ interface(`kerberos_domtrans_kpropd',`
+ #
+ interface(`kerberos_use',`
+ gen_require(`
+- type krb5kdc_conf_t, krb5_host_rcache_t;
++ type krb5_conf_t, krb5kdc_conf_t;
++ type krb5_host_rcache_t;
+ ')
+
+- kerberos_read_config($1)
+-
+- dontaudit $1 krb5_conf_t:file write_file_perms;
++ files_search_etc($1)
++ read_files_pattern($1, krb5_conf_t, krb5_conf_t)
++ dontaudit $1 krb5_conf_t:file write;
+ dontaudit $1 krb5kdc_conf_t:dir list_dir_perms;
+ dontaudit $1 krb5kdc_conf_t:file rw_file_perms;
+
++ #kerberos libraries are attempting to set the correct file context
dontaudit $1 self:process setfscreate;
+-
selinux_dontaudit_validate_context($1)
- seutil_dontaudit_read_file_contexts($1)
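Review bot: `corenet_tcp_bind_generic_node($1)` and `corenet_udp_bind_generic_node($1)` are new in kerberos_use and apply to every domain that calls it, so all Kerberos-using domains gain the right to bind sockets on any node; the reason (presumably the client library binding a local socket to receive KDC replies) should be stated, e.g. `# krb5 client libs bind a local socket to receive KDC replies`, and the TCP variant dropped if only UDP is needed. The interface body starts above this hunk, so whether these rules sit inside the kerberos tunable block is not visible here.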
@@ -29213,13 +28577,24 @@ index 604f67b..138e1e2 100644
corenet_tcp_sendrecv_generic_if($1)
corenet_udp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
-@@ -103,11 +100,12 @@ interface(`kerberos_use',`
- corenet_sendrecv_kerberos_client_packets($1)
- corenet_sendrecv_ocsp_client_packets($1)
+ corenet_udp_sendrecv_generic_node($1)
+-
+- corenet_sendrecv_kerberos_client_packets($1)
+- corenet_tcp_connect_kerberos_port($1)
+ corenet_tcp_sendrecv_kerberos_port($1)
+ corenet_udp_sendrecv_kerberos_port($1)
+-
+- corenet_sendrecv_ocsp_client_packets($1)
++ corenet_tcp_bind_generic_node($1)
++ corenet_udp_bind_generic_node($1)
++ corenet_tcp_connect_kerberos_port($1)
+ corenet_tcp_connect_ocsp_port($1)
+- corenet_tcp_sendrecv_ocsp_port($1)
++ corenet_sendrecv_kerberos_client_packets($1)
++ corenet_sendrecv_ocsp_client_packets($1)
-- allow $1 krb5_host_rcache_t:file getattr;
+ allow $1 krb5_host_rcache_t:dir search_dir_perms;
-+ allow $1 krb5_host_rcache_t:file getattr_file_perms;
+ allow $1 krb5_host_rcache_t:file getattr_file_perms;
')
optional_policy(`
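Review bot: The replacement summary `## Read the kerberos kdc configuration file (/etc/krb5kdc.conf).` in the inner hunk at `@@ -396,8 +290,7` belongs to kerberos_manage_host_rcache (its `interface(` line is the next inner hunk's context), so it is a copy of the kerberos_read_kdc_config summary and misdescribes an interface that grants manage rights; it should read `## Create, read, write, and delete kerberos host rcache files.`. Separately, the reworked kerberos_etc_filetrans_keytab now adds `allow $1 krb5_keytab_t:file manage_file_perms;` to what is named as a file-transition interface while the upstream kerberos_manage_keytab_files interface is removed, so a caller wanting only the transition receives full manage on every keytab; the summary should say so, or the two grants should stay in separate interfaces. The new kerberos_read_config also drops `userdom_search_user_home_dirs($1)` but keeps `allow $1 krb5_home_t:file read_file_perms;`, which presumably only takes effect for callers that already search user home directories.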
@@ -29228,53 +28603,247 @@ index 604f67b..138e1e2 100644
pcscd_stream_connect($1)
')
')
-@@ -218,6 +216,30 @@ interface(`kerberos_rw_keytab',`
+@@ -119,7 +117,7 @@ interface(`kerberos_use',`
+
+ ########################################
+ ## <summary>
+-## Read kerberos configuration files.
++## Read the kerberos configuration file (/etc/krb5.conf).
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -135,15 +133,13 @@ interface(`kerberos_read_config',`
+
+ files_search_etc($1)
+ allow $1 krb5_conf_t:file read_file_perms;
+-
+- userdom_search_user_home_dirs($1)
+ allow $1 krb5_home_t:file read_file_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Do not audit attempts to write
+-## kerberos configuration files.
++## Do not audit attempts to write the kerberos
++## configuration file (/etc/krb5.conf).
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -156,13 +152,12 @@ interface(`kerberos_dontaudit_write_config',`
+ type krb5_conf_t;
+ ')
+
+- dontaudit $1 krb5_conf_t:file write_file_perms;
++ dontaudit $1 krb5_conf_t:file write;
+ ')
+
+ ########################################
+ ## <summary>
+-## Read and write kerberos
+-## configuration files.
++## Read and write the kerberos configuration file (/etc/krb5.conf).
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -182,75 +177,7 @@ interface(`kerberos_rw_config',`
########################################
## <summary>
+-## Create, read, write, and delete
+-## kerberos home files.
+-## </summary>
+-## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+-## </param>
+-#
+-interface(`kerberos_manage_krb5_home_files',`
+- gen_require(`
+- type krb5_home_t;
+- ')
+-
+- userdom_search_user_home_dirs($1)
+- allow $1 krb5_home_t:file manage_file_perms;
+-')
+-
+-########################################
+-## <summary>
+-## Relabel kerberos home files.
+-## </summary>
+-## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+-## </param>
+-#
+-interface(`kerberos_relabel_krb5_home_files',`
+- gen_require(`
+- type krb5_home_t;
+- ')
+-
+- userdom_search_user_home_dirs($1)
+- allow $1 krb5_home_t:file relabel_file_perms;
+-')
+-
+-########################################
+-## <summary>
+-## Create objects in user home
+-## directories with the krb5 home type.
+-## </summary>
+-## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+-## </param>
+-## <param name="object_class">
+-## <summary>
+-## Class of the object being created.
+-## </summary>
+-## </param>
+-## <param name="name" optional="true">
+-## <summary>
+-## The name of the object being created.
+-## </summary>
+-## </param>
+-#
+-interface(`kerberos_home_filetrans_krb5_home',`
+- gen_require(`
+- type krb5_home_t;
+- ')
+-
+- userdom_user_home_dir_filetrans($1, krb5_home_t, $2, $3)
+-')
+-
+-########################################
+-## <summary>
+-## Read kerberos key table files.
++## Read the kerberos key table.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -270,7 +197,7 @@ interface(`kerberos_read_keytab',`
+
+ ########################################
+ ## <summary>
+-## Read and write kerberos key table files.
++## Read/Write the kerberos key table.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -289,40 +216,13 @@ interface(`kerberos_rw_keytab',`
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete
+-## kerberos key table files.
+-## </summary>
+-## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+-## </param>
+-#
+-interface(`kerberos_manage_keytab_files',`
+- gen_require(`
+- type krb5_keytab_t;
+- ')
+-
+- files_search_etc($1)
+- allow $1 krb5_keytab_t:file manage_file_perms;
+-')
+-
+-########################################
+-## <summary>
+-## Create specified objects in generic
+-## etc directories with the kerberos
+-## keytab file type.
+## Create keytab file in /etc
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <param name="name" optional="true">
-+## <summary>
-+## The name of the object being created.
-+## </summary>
-+## </param>
-+#
-+interface(`kerberos_etc_filetrans_keytab',`
-+ gen_require(`
-+ type krb5_keytab_t;
-+ ')
-+
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <param name="object_class">
+-## <summary>
+-## Class of the object being created.
+-## </summary>
+-## </param>
+ ## <param name="name" optional="true">
+ ## <summary>
+ ## The name of the object being created.
+@@ -334,13 +234,13 @@ interface(`kerberos_etc_filetrans_keytab',`
+ type krb5_keytab_t;
+ ')
+
+- files_etc_filetrans($1, krb5_keytab_t, $2, $3)
+ allow $1 krb5_keytab_t:file manage_file_perms;
+ files_etc_filetrans($1, krb5_keytab_t, file, $2)
-+')
-+
-+########################################
-+## <summary>
- ## Create a derived type for kerberos keytab
+ ')
+
+ ########################################
+ ## <summary>
+-## Create a derived type for kerberos
+-## keytab files.
++## Create a derived type for kerberos keytab
## </summary>
## <param name="prefix">
-@@ -235,8 +257,13 @@ template(`kerberos_keytab_template',`
+ ## <summary>
+@@ -354,21 +254,15 @@ interface(`kerberos_etc_filetrans_keytab',`
+ ## </param>
+ #
+ template(`kerberos_keytab_template',`
+-
+- ########################################
+- #
+- # Declarations
+- #
+-
type $1_keytab_t;
files_type($1_keytab_t)
+- ########################################
+- #
+- # Policy
+- #
+ allow $2 self:process setfscreate;
- allow $2 $1_keytab_t:file read_file_perms;
++ allow $2 $1_keytab_t:file read_file_perms;
+- allow $2 $1_keytab_t:file read_file_perms;
+ seutil_read_file_contexts($2)
+ seutil_read_config($2)
+ selinux_get_enforce_mode($2)
-+
+
kerberos_read_keytab($2)
kerberos_use($2)
- ')
-@@ -282,42 +309,21 @@ interface(`kerberos_manage_host_rcache',`
- # does not work in conditionals
+@@ -376,7 +270,7 @@ template(`kerberos_keytab_template',`
+
+ ########################################
+ ## <summary>
+-## Read kerberos kdc configuration files.
++## Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -396,8 +290,7 @@ interface(`kerberos_read_kdc_config',`
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete
+-## kerberos host rcache files.
++## Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -411,34 +304,99 @@ interface(`kerberos_manage_host_rcache',`
+ type krb5_host_rcache_t;
+ ')
+
++ # creates files as system_u no matter what the selinux user
++ # cjp: should be in the below tunable but typeattribute
++ # does not work in conditionals
domain_obj_id_change_exemption($1)
- tunable_policy(`allow_kerberos',`
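Review bot: kerberos_tmp_filetrans_host_rcache changes its signature from `($1, $2, $3)` to `($1, $2)` and gains `manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)`, so the interface name no longer matches what it grants (full manage on every host rcache file, duplicating kerberos_manage_host_rcache) and a third-party module still passing an object class as `$2` would get the class name used as the filename; the summary should at least state that manage rights are included. The new kerberos_admin body no longer calls `files_list_etc($1)` before `admin_pattern($1, krb5_conf_t)`, which the removed upstream version did (visible in the next hunk); if admin_pattern does not imply directory search, that is a regression for the admin role. Wrapping the ptrace allows in `tunable_policy(`deny_ptrace',...)` is an improvement over the unconditional upstream grant.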
@@ -29285,127 +28854,150 @@ index 604f67b..138e1e2 100644
seutil_read_file_contexts($1)
-- allow $1 krb5_host_rcache_t:file manage_file_perms;
+ files_rw_generic_tmp_dir($1)
+ manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)
files_search_tmp($1)
+- allow $1 krb5_host_rcache_t:file manage_file_perms;
')
')
########################################
## <summary>
--## Connect to krb524 service
--## </summary>
--## <param name="domain">
--## <summary>
--## Domain allowed access.
--## </summary>
--## </param>
--#
--interface(`kerberos_connect_524',`
-- tunable_policy(`allow_kerberos',`
-- allow $1 self:udp_socket create_socket_perms;
--
-- corenet_all_recvfrom_unlabeled($1)
-- corenet_udp_sendrecv_generic_if($1)
-- corenet_udp_sendrecv_generic_node($1)
-- corenet_udp_sendrecv_kerberos_master_port($1)
-- corenet_sendrecv_kerberos_master_client_packets($1)
-- ')
--')
--
--########################################
--## <summary>
- ## All of the rules required to administrate
- ## an kerberos environment
- ## </summary>
-@@ -338,18 +344,22 @@ interface(`kerberos_admin',`
- type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t;
- type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t;
- type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
-- type krb5kdc_principal_t, krb5kdc_tmp_t;
+-## Create objects in generic temporary
+-## directories with the kerberos host
+-## rcache type.
++## All of the rules required to administrate
++## an kerberos environment
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed to transition.
++## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <param name="object_class">
++## <param name="role">
+ ## <summary>
+-## Class of the object being created.
++## The role to be allowed to manage the kerberos domain.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`kerberos_admin',`
++ gen_require(`
++ type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t;
++ type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t;
++ type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
+ type krb5kdc_principal_t, krb5kdc_tmp_t, kpropd_t;
- type krb5kdc_var_run_t, krb5_host_rcache_t;
-- type kpropd_t;
- ')
-
-- allow $1 kadmind_t:process { ptrace signal_perms };
++ type krb5kdc_var_run_t, krb5_host_rcache_t;
++ ')
++
+ allow $1 kadmind_t:process signal_perms;
- ps_process_pattern($1, kadmind_t)
++ ps_process_pattern($1, kadmind_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 kadmind_t:process ptrace;
+ allow $1 krb5kdc_t:process ptrace;
+ allow $1 kpropd_t:process ptrace;
+ ')
-
-- allow $1 krb5kdc_t:process { ptrace signal_perms };
++
+ allow $1 krb5kdc_t:process signal_perms;
- ps_process_pattern($1, krb5kdc_t)
-
-- allow $1 kpropd_t:process { ptrace signal_perms };
++ ps_process_pattern($1, krb5kdc_t)
++
+ allow $1 kpropd_t:process signal_perms;
- ps_process_pattern($1, kpropd_t)
-
- init_labeled_script_domtrans($1, kerberos_initrc_exec_t)
-@@ -378,3 +388,121 @@ interface(`kerberos_admin',`
-
- admin_pattern($1, krb5kdc_var_run_t)
- ')
++ ps_process_pattern($1, kpropd_t)
+
-+########################################
-+## <summary>
-+## Type transition files created in /tmp
-+## to the krb5_host_rcache type.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <param name="name" optional="true">
-+## <summary>
-+## The name of the object being created.
-+## </summary>
-+## </param>
-+#
-+interface(`kerberos_tmp_filetrans_host_rcache',`
-+ gen_require(`
-+ type krb5_host_rcache_t;
-+ ')
++ init_labeled_script_domtrans($1, kerberos_initrc_exec_t)
++ domain_system_change_exemption($1)
++ role_transition $2 kerberos_initrc_exec_t system_r;
++ allow $2 system_r;
+
-+ manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)
-+ files_tmp_filetrans($1, krb5_host_rcache_t, file, $2)
++ logging_list_logs($1)
++ admin_pattern($1, kadmind_log_t)
++
++ files_list_tmp($1)
++ admin_pattern($1, kadmind_tmp_t)
++
++ files_list_pids($1)
++ admin_pattern($1, kadmind_var_run_t)
++
++ admin_pattern($1, krb5_conf_t)
++
++ admin_pattern($1, krb5_host_rcache_t)
++
++ admin_pattern($1, krb5_keytab_t)
++
++ admin_pattern($1, krb5kdc_principal_t)
++
++ admin_pattern($1, krb5kdc_tmp_t)
++
++ admin_pattern($1, krb5kdc_var_run_t)
+')
+
+########################################
+## <summary>
-+## read kerberos homedir content (.k5login)
++## Type transition files created in /tmp
++## to the krb5_host_rcache type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+ ## <param name="name" optional="true">
+@@ -452,12 +410,13 @@ interface(`kerberos_tmp_filetrans_host_rcache',`
+ type krb5_host_rcache_t;
+ ')
+
+- files_tmp_filetrans($1, krb5_host_rcache_t, $2, $3)
++ manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)
++ files_tmp_filetrans($1, krb5_host_rcache_t, file, $2)
+ ')
+
+ ########################################
+ ## <summary>
+-## Connect to krb524 service.
++## read kerberos homedir content (.k5login)
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -465,82 +424,85 @@ interface(`kerberos_tmp_filetrans_host_rcache',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`kerberos_connect_524',`
+- tunable_policy(`allow_kerberos',`
+- allow $1 self:udp_socket create_socket_perms;
+-
+- corenet_all_recvfrom_unlabeled($1)
+- corenet_all_recvfrom_netlabel($1)
+- corenet_udp_sendrecv_generic_if($1)
+- corenet_udp_sendrecv_generic_node($1)
+-
+- corenet_sendrecv_kerberos_master_client_packets($1)
+- corenet_udp_sendrecv_kerberos_master_port($1)
+interface(`kerberos_read_home_content',`
+ gen_require(`
+ type krb5_home_t;
-+ ')
+ ')
+
+ userdom_search_user_home_dirs($1)
+ read_files_pattern($1, krb5_home_t, krb5_home_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## All of the rules required to
+-## administrate an kerberos environment.
+## create kerberos content in the in the /root directory
+## with an correct label.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <param name="role">
+#
+interface(`kerberos_filetrans_admin_home_content',`
+ gen_require(`
@@ -29420,19 +29012,54 @@ index 604f67b..138e1e2 100644
+## Transition to kerberos named content
+## </summary>
+## <param name="domain">
-+## <summary>
+ ## <summary>
+-## Role allowed access.
+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`kerberos_admin',`
+interface(`kerberos_filetrans_home_content',`
-+ gen_require(`
+ gen_require(`
+- type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t;
+- type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t;
+- type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
+- type krb5kdc_principal_t, krb5kdc_tmp_t, kpropd_t;
+- type krb5kdc_var_run_t, krb5_host_rcache_t;
+ type krb5_home_t;
-+ ')
-+
+ ')
+
+- allow $1 { kadmind_t krb5kdc_t kpropd }:process { ptrace signal_perms };
+- ps_process_pattern($1, { kadmind_t krb5kdc_t kpropd })
+-
+- init_labeled_script_domtrans($1, kerberos_initrc_exec_t)
+- domain_system_change_exemption($1)
+- role_transition $2 kerberos_initrc_exec_t system_r;
+- allow $2 system_r;
+-
+- logging_list_logs($1)
+- admin_pattern($1, kadmind_log_t)
+-
+- files_list_tmp($1)
+- admin_pattern($1, { kadmind_tmp_t krb5_host_rcache_t krb5kdc_tmp_t })
+-
+- kerberos_tmp_filetrans_host_rcache($1, file, "host_0")
+- kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_23")
+- kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_48")
+- kerberos_tmp_filetrans_host_rcache($1, file, "imap_0")
+- kerberos_tmp_filetrans_host_rcache($1, file, "nfs_0")
+- kerberos_tmp_filetrans_host_rcache($1, file, "ldapmap1_0")
+- kerberos_tmp_filetrans_host_rcache($1, file, "ldap_487")
+- kerberos_tmp_filetrans_host_rcache($1, file, "ldap_55")
+-
+- files_list_pids($1)
+- admin_pattern($1, { kadmind_var_run_t krb5kdc_var_run_t })
+ userdom_user_home_dir_filetrans($1, krb5_home_t, file, ".k5login")
+')
-+
+
+- files_list_etc($1)
+- admin_pattern($1, krb5_conf_t)
+########################################
+## <summary>
+## Transition to kerberos named content
@@ -29448,12 +29075,17 @@ index 604f67b..138e1e2 100644
+ type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
+ type krb5kdc_principal_t;
+ ')
-+
-+ files_etc_filetrans($1, krb5_conf_t, file, "krb5.conf")
+
+ files_etc_filetrans($1, krb5_conf_t, file, "krb5.conf")
+-
+- admin_pattern($1, { krb5_keytab_t krb5kdc_principal_t })
+-
+ filetrans_pattern($1, krb5kdc_conf_t, krb5_keytab_t, file, "kadm5.keytab")
-+ filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal")
-+ filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal0")
-+ filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1")
+ filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal")
+ filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal0")
+ filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1")
+-
+- kerberos_etc_filetrans_keytab($1, file, "kadm5.keytab")
+ #filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1")
+
+ kerberos_etc_filetrans_keytab($1, "krb5.keytab")
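Review bot: The new side keeps a commented-out line `#filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1")` directly after an identical live `filetrans_pattern(..., "principal1")` rule; commented-out code should be deleted rather than left as a duplicate that later readers may mistake for a disabled rule. The enclosing interface begins in the previous hunk and ends in the next.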
@@ -29468,21 +29100,34 @@ index 604f67b..138e1e2 100644
+ kerberos_tmp_filetrans_host_rcache($1, "ldapmap1_0")
+ kerberos_tmp_filetrans_host_rcache($1, "ldap_487")
+ kerberos_tmp_filetrans_host_rcache($1, "ldap_55")
-+')
+ ')
diff --git a/kerberos.te b/kerberos.te
-index 6a95faf..6127834 100644
+index 3465a9a..6127834 100644
--- a/kerberos.te
+++ b/kerberos.te
-@@ -10,7 +10,7 @@ policy_module(kerberos, 1.11.0)
- ## Allow confined applications to run with kerberos.
- ## </p>
+@@ -1,4 +1,4 @@
+-policy_module(kerberos, 1.11.7)
++policy_module(kerberos, 1.11.0)
+
+ ########################################
+ #
+@@ -6,11 +6,11 @@ policy_module(kerberos, 1.11.7)
+ #
+
+ ## <desc>
+-## <p>
+-## Determine whether kerberos is supported.
+-## </p>
++## <p>
++## Allow confined applications to run with kerberos.
++## </p>
## </desc>
-gen_tunable(allow_kerberos, false)
+gen_tunable(kerberos_enabled, false)
type kadmind_t;
type kadmind_exec_t;
-@@ -35,12 +35,12 @@ init_daemon_domain(kpropd_t, kpropd_exec_t)
+@@ -35,23 +35,27 @@ init_daemon_domain(kpropd_t, kpropd_exec_t)
domain_obj_id_change_exemption(kpropd_t)
type krb5_conf_t;
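Review bot: Renaming the boolean from `gen_tunable(allow_kerberos, false)` to `gen_tunable(kerberos_enabled, false)` changes a name that administrators set with setsebool and that other modules may reference in their tunable_policy blocks; unless a boolean-name substitution or alias ships alongside, existing settings and tooling silently stop applying. A comment at the gen_tunable line recording the old name, e.g. `# renamed from allow_kerberos; mapped in booleans.subs_dist`, would make that traceable. The rest of kerberos.te continues in the following hunks, so whether every in-tree `allow_kerberos` reference was updated is not visible here.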
@@ -29496,10 +29141,11 @@ index 6a95faf..6127834 100644
+type krb5_host_rcache_t alias saslauthd_tmp_t;
files_tmp_file(krb5_host_rcache_t)
- # types for general configuration files in /etc
-@@ -49,10 +49,11 @@ files_security_file(krb5_keytab_t)
++# types for general configuration files in /etc
+ type krb5_keytab_t;
+ files_security_file(krb5_keytab_t)
- # types for KDC configs and principal file(s)
++# types for KDC configs and principal file(s)
type krb5kdc_conf_t;
-files_type(krb5kdc_conf_t)
+files_config_file(krb5kdc_conf_t)
@@ -29507,36 +29153,60 @@ index 6a95faf..6127834 100644
type krb5kdc_lock_t;
-files_type(krb5kdc_lock_t)
+files_lock_file(krb5kdc_lock_t)
-+
- # types for KDC principal file(s)
++
++# types for KDC principal file(s)
type krb5kdc_principal_t;
-@@ -79,8 +80,9 @@ files_pid_file(krb5kdc_var_run_t)
+ files_type(krb5kdc_principal_t)
+
+@@ -74,28 +78,31 @@ files_pid_file(krb5kdc_var_run_t)
+ # kadmind local policy
+ #
- # Use capabilities. Surplus capabilities may be allowed.
++# Use capabilities. Surplus capabilities may be allowed.
allow kadmind_t self:capability { setuid setgid chown fowner dac_override sys_nice };
-+allow kadmind_t self:capability2 block_suspend;
- dontaudit kadmind_t self:capability sys_tty_config;
--allow kadmind_t self:process { setfscreate signal_perms };
-+allow kadmind_t self:process { setfscreate setsched getsched signal_perms };
+-dontaudit kadmind_t self:capability sys_tty_config;
+ allow kadmind_t self:capability2 block_suspend;
++dontaudit kadmind_t self:capability sys_tty_config;
+ allow kadmind_t self:process { setfscreate setsched getsched signal_perms };
allow kadmind_t self:netlink_route_socket r_netlink_socket_perms;
- allow kadmind_t self:unix_dgram_socket { connect create write };
- allow kadmind_t self:tcp_socket connected_stream_socket_perms;
-@@ -92,10 +94,9 @@ logging_log_filetrans(kadmind_t, kadmind_log_t, file)
+-allow kadmind_t self:tcp_socket { accept listen };
++allow kadmind_t self:unix_dgram_socket { connect create write };
++allow kadmind_t self:tcp_socket connected_stream_socket_perms;
+ allow kadmind_t self:udp_socket create_socket_perms;
+
+-allow kadmind_t kadmind_log_t:file { append_file_perms create_file_perms setattr_file_perms };
++allow kadmind_t kadmind_log_t:file manage_file_perms;
+ logging_log_filetrans(kadmind_t, kadmind_log_t, file)
+
allow kadmind_t krb5_conf_t:file read_file_perms;
- dontaudit kadmind_t krb5_conf_t:file write;
+-dontaudit kadmind_t krb5_conf_t:file write_file_perms;
++dontaudit kadmind_t krb5_conf_t:file write;
-read_files_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_conf_t)
--dontaudit kadmind_t krb5kdc_conf_t:file { write setattr };
+-dontaudit kadmind_t krb5kdc_conf_t:file { write_file_perms setattr_file_perms };
+manage_files_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_conf_t)
--allow kadmind_t krb5kdc_lock_t:file { rw_file_perms setattr };
-+allow kadmind_t krb5kdc_lock_t:file { rw_file_perms setattr_file_perms };
+ allow kadmind_t krb5kdc_lock_t:file { rw_file_perms setattr_file_perms };
allow kadmind_t krb5kdc_principal_t:file manage_file_perms;
filetrans_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_principal_t, file)
-@@ -115,7 +116,9 @@ kernel_read_network_state(kadmind_t)
- kernel_read_proc_symlinks(kadmind_t)
+
++can_exec(kadmind_t, kadmind_exec_t)
++
+ manage_dirs_pattern(kadmind_t, kadmind_tmp_t, kadmind_tmp_t)
+ manage_files_pattern(kadmind_t, kadmind_tmp_t, kadmind_tmp_t)
+ files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir })
+@@ -103,13 +110,15 @@ files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir })
+ manage_files_pattern(kadmind_t, kadmind_var_run_t, kadmind_var_run_t)
+ files_pid_filetrans(kadmind_t, kadmind_var_run_t, file)
+
+-can_exec(kadmind_t, kadmind_exec_t)
+-
+ kernel_read_kernel_sysctls(kadmind_t)
++kernel_list_proc(kadmind_t)
+ kernel_read_network_state(kadmind_t)
++kernel_read_proc_symlinks(kadmind_t)
kernel_read_system_state(kadmind_t)
-corenet_all_recvfrom_unlabeled(kadmind_t)
@@ -29546,22 +29216,25 @@ index 6a95faf..6127834 100644
corenet_all_recvfrom_netlabel(kadmind_t)
corenet_tcp_sendrecv_generic_if(kadmind_t)
corenet_udp_sendrecv_generic_if(kadmind_t)
-@@ -126,10 +129,14 @@ corenet_udp_sendrecv_all_ports(kadmind_t)
+@@ -119,20 +128,28 @@ corenet_tcp_sendrecv_all_ports(kadmind_t)
+ corenet_udp_sendrecv_all_ports(kadmind_t)
corenet_tcp_bind_generic_node(kadmind_t)
corenet_udp_bind_generic_node(kadmind_t)
+-
+-corenet_sendrecv_all_server_packets(kadmind_t)
corenet_tcp_bind_kerberos_admin_port(kadmind_t)
+corenet_tcp_bind_kerberos_password_port(kadmind_t)
corenet_udp_bind_kerberos_admin_port(kadmind_t)
+corenet_udp_bind_kerberos_password_port(kadmind_t)
corenet_tcp_bind_reserved_port(kadmind_t)
- corenet_dontaudit_tcp_bind_all_reserved_ports(kadmind_t)
- corenet_sendrecv_kerberos_admin_server_packets(kadmind_t)
++corenet_dontaudit_tcp_bind_all_reserved_ports(kadmind_t)
++corenet_sendrecv_kerberos_admin_server_packets(kadmind_t)
+corenet_sendrecv_kerberos_password_server_packets(kadmind_t)
+corenet_tcp_connect_kprop_port(kadmind_t)
dev_read_sysfs(kadmind_t)
- dev_read_rand(kadmind_t)
-@@ -137,6 +144,7 @@ dev_read_urand(kadmind_t)
++dev_read_rand(kadmind_t)
++dev_read_urand(kadmind_t)
fs_getattr_all_fs(kadmind_t)
fs_search_auto_mountpoints(kadmind_t)
@@ -29569,7 +29242,12 @@ index 6a95faf..6127834 100644
domain_use_interactive_fds(kadmind_t)
-@@ -149,8 +157,9 @@ selinux_validate_context(kadmind_t)
+ files_read_etc_files(kadmind_t)
++files_read_usr_symlinks(kadmind_t)
+ files_read_usr_files(kadmind_t)
+ files_read_var_files(kadmind_t)
+
+@@ -140,10 +157,12 @@ selinux_validate_context(kadmind_t)
logging_send_syslog_msg(kadmind_t)
@@ -29579,8 +29257,11 @@ index 6a95faf..6127834 100644
+seutil_read_config(kadmind_t)
seutil_read_file_contexts(kadmind_t)
- sysnet_read_config(kadmind_t)
-@@ -164,10 +173,18 @@ optional_policy(`
++sysnet_read_config(kadmind_t)
+ sysnet_use_ldap(kadmind_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(kadmind_t)
+@@ -154,6 +173,10 @@ optional_policy(`
')
optional_policy(`
@@ -29591,39 +29272,50 @@ index 6a95faf..6127834 100644
nis_use_ypbind(kadmind_t)
')
- optional_policy(`
-+ sssd_read_public_files(kadmind_t)
-+')
-+
-+optional_policy(`
- seutil_sigchld_newrole(kadmind_t)
- ')
-
-@@ -182,6 +199,7 @@ optional_policy(`
+@@ -174,24 +197,27 @@ optional_policy(`
+ # Krb5kdc local policy
+ #
- # Use capabilities. Surplus capabilities may be allowed.
++# Use capabilities. Surplus capabilities may be allowed.
allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice };
-+allow krb5kdc_t self:capability2 block_suspend;
- dontaudit krb5kdc_t self:capability sys_tty_config;
+-dontaudit krb5kdc_t self:capability sys_tty_config;
+ allow krb5kdc_t self:capability2 block_suspend;
++dontaudit krb5kdc_t self:capability sys_tty_config;
allow krb5kdc_t self:process { setfscreate setsched getsched signal_perms };
allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms;
-@@ -197,13 +215,12 @@ can_exec(krb5kdc_t, krb5kdc_exec_t)
+-allow krb5kdc_t self:tcp_socket { accept listen };
++allow krb5kdc_t self:tcp_socket create_stream_socket_perms;
+ allow krb5kdc_t self:udp_socket create_socket_perms;
+ allow krb5kdc_t self:fifo_file rw_fifo_file_perms;
+
+ allow krb5kdc_t krb5_conf_t:file read_file_perms;
+ dontaudit krb5kdc_t krb5_conf_t:file write;
+
++can_exec(krb5kdc_t, krb5kdc_exec_t)
++
read_files_pattern(krb5kdc_t, krb5kdc_conf_t, krb5kdc_conf_t)
- dontaudit krb5kdc_t krb5kdc_conf_t:file write;
+-dontaudit krb5kdc_t krb5kdc_conf_t:file write_file_perms;
++dontaudit krb5kdc_t krb5kdc_conf_t:file write;
--allow krb5kdc_t krb5kdc_lock_t:file { rw_file_perms setattr };
-+allow krb5kdc_t krb5kdc_lock_t:file { rw_file_perms setattr_file_perms };
+ allow krb5kdc_t krb5kdc_lock_t:file { rw_file_perms setattr_file_perms };
- allow krb5kdc_t krb5kdc_log_t:file manage_file_perms;
+-allow krb5kdc_t krb5kdc_log_t:file { append_file_perms create_file_perms setattr_file_perms };
++allow krb5kdc_t krb5kdc_log_t:file manage_file_perms;
logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file)
--allow krb5kdc_t krb5kdc_principal_t:file read_file_perms;
--dontaudit krb5kdc_t krb5kdc_principal_t:file write;
-+allow krb5kdc_t krb5kdc_principal_t:file rw_file_perms;
+ allow krb5kdc_t krb5kdc_principal_t:file rw_file_perms;
+@@ -203,38 +229,36 @@ files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir })
+ manage_files_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t)
+ files_pid_filetrans(krb5kdc_t, krb5kdc_var_run_t, file)
- manage_dirs_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
- manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
-@@ -221,7 +238,6 @@ kernel_search_network_sysctl(krb5kdc_t)
+-can_exec(krb5kdc_t, krb5kdc_exec_t)
+-
+ kernel_read_system_state(krb5kdc_t)
+ kernel_read_kernel_sysctls(krb5kdc_t)
++kernel_list_proc(krb5kdc_t)
++kernel_read_proc_symlinks(krb5kdc_t)
+ kernel_read_network_state(krb5kdc_t)
+ kernel_search_network_sysctl(krb5kdc_t)
corecmd_exec_bin(krb5kdc_t)
@@ -29631,7 +29323,27 @@ index 6a95faf..6127834 100644
corenet_all_recvfrom_netlabel(krb5kdc_t)
corenet_tcp_sendrecv_generic_if(krb5kdc_t)
corenet_udp_sendrecv_generic_if(krb5kdc_t)
-@@ -242,6 +258,7 @@ dev_read_urand(krb5kdc_t)
+ corenet_tcp_sendrecv_generic_node(krb5kdc_t)
+ corenet_udp_sendrecv_generic_node(krb5kdc_t)
++corenet_tcp_sendrecv_all_ports(krb5kdc_t)
++corenet_udp_sendrecv_all_ports(krb5kdc_t)
+ corenet_tcp_bind_generic_node(krb5kdc_t)
+ corenet_udp_bind_generic_node(krb5kdc_t)
+-
+-corenet_sendrecv_kerberos_server_packets(krb5kdc_t)
+ corenet_tcp_bind_kerberos_port(krb5kdc_t)
+ corenet_udp_bind_kerberos_port(krb5kdc_t)
+-corenet_tcp_sendrecv_kerberos_port(krb5kdc_t)
+-corenet_udp_sendrecv_kerberos_port(krb5kdc_t)
+-
+-corenet_sendrecv_ocsp_client_packets(krb5kdc_t)
+ corenet_tcp_connect_ocsp_port(krb5kdc_t)
+-corenet_tcp_sendrecv_ocsp_port(krb5kdc_t)
++corenet_sendrecv_kerberos_server_packets(krb5kdc_t)
++corenet_sendrecv_ocsp_client_packets(krb5kdc_t)
+
+ dev_read_sysfs(krb5kdc_t)
++dev_read_urand(krb5kdc_t)
fs_getattr_all_fs(krb5kdc_t)
fs_search_auto_mountpoints(krb5kdc_t)
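Review bot: `corenet_tcp_sendrecv_all_ports(krb5kdc_t)` and `corenet_udp_sendrecv_all_ports(krb5kdc_t)` replace the per-port `corenet_tcp_sendrecv_kerberos_port`, `corenet_udp_sendrecv_kerberos_port` and `corenet_tcp_sendrecv_ocsp_port` rules this hunk removes, so the KDC may now exchange traffic on any labelled port rather than only the ones it binds or connects to. The bind and connect rules that stay (`corenet_tcp_bind_kerberos_port`, `corenet_tcp_connect_ocsp_port`) already enumerate its legitimate endpoints, so the narrower sendrecv rules were sufficient and the widening buys nothing for the daemon. If the all-ports form is deliberate for parity with other Fedora daemons, a comment such as `# sendrecv on all ports: match other Fedora network daemons, see <reason>` above the two lines would keep it from being reverted on the next rebase.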
@@ -29639,27 +29351,33 @@ index 6a95faf..6127834 100644
domain_use_interactive_fds(krb5kdc_t)
-@@ -253,7 +270,7 @@ selinux_validate_context(krb5kdc_t)
-
+@@ -247,10 +271,10 @@ selinux_validate_context(krb5kdc_t)
logging_send_syslog_msg(krb5kdc_t)
+ miscfiles_read_generic_certs(krb5kdc_t)
-miscfiles_read_localization(krb5kdc_t)
-+miscfiles_read_generic_certs(krb5kdc_t)
seutil_read_file_contexts(krb5kdc_t)
-@@ -268,6 +285,10 @@ optional_policy(`
++sysnet_read_config(krb5kdc_t)
+ sysnet_use_ldap(krb5kdc_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t)
+@@ -261,11 +285,11 @@ optional_policy(`
')
optional_policy(`
+- nis_use_ypbind(krb5kdc_t)
+ dirsrv_stream_connect(krb5kdc_t)
-+')
-+
-+optional_policy(`
- nis_use_ypbind(krb5kdc_t)
')
-@@ -276,6 +297,10 @@ optional_policy(`
+ optional_policy(`
+- sssd_read_public_files(krb5kdc_t)
++ nis_use_ypbind(krb5kdc_t)
+ ')
+
+ optional_policy(`
+@@ -273,6 +297,10 @@ optional_policy(`
')
optional_policy(`
@@ -29670,15 +29388,39 @@ index 6a95faf..6127834 100644
udev_read_db(krb5kdc_t)
')
-@@ -308,7 +333,6 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })
+@@ -281,10 +309,12 @@ optional_policy(`
+ # kpropd local policy
+ #
+
++allow kpropd_t self:capability net_bind_service;
+ allow kpropd_t self:process setfscreate;
+-allow kpropd_t self:fifo_file rw_fifo_file_perms;
+-allow kpropd_t self:unix_stream_socket { accept listen };
+-allow kpropd_t self:tcp_socket { accept listen };
++
++allow kpropd_t self:fifo_file rw_file_perms;
++allow kpropd_t self:unix_stream_socket create_stream_socket_perms;
++allow kpropd_t self:tcp_socket create_stream_socket_perms;
+
+ allow kpropd_t krb5_host_rcache_t:file manage_file_perms;
+
+@@ -303,14 +333,11 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })
corecmd_exec_bin(kpropd_t)
-corenet_all_recvfrom_unlabeled(kpropd_t)
corenet_tcp_sendrecv_generic_if(kpropd_t)
corenet_tcp_sendrecv_generic_node(kpropd_t)
- corenet_tcp_sendrecv_all_ports(kpropd_t)
-@@ -324,8 +348,6 @@ selinux_validate_context(kpropd_t)
++corenet_tcp_sendrecv_all_ports(kpropd_t)
+ corenet_tcp_bind_generic_node(kpropd_t)
+-
+-corenet_sendrecv_kprop_server_packets(kpropd_t)
+ corenet_tcp_bind_kprop_port(kpropd_t)
+-corenet_tcp_sendrecv_kprop_port(kpropd_t)
+
+ dev_read_urand(kpropd_t)
+
+@@ -321,8 +348,6 @@ selinux_validate_context(kpropd_t)
logging_send_syslog_msg(kpropd_t)
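Review bot: `allow kpropd_t self:fifo_file rw_file_perms;` applies the regular-file permission set to the fifo_file class; the fifo set is `rw_fifo_file_perms`, which is what the upstream line being replaced used and what krb5kdc uses a few hunks up (`allow krb5kdc_t self:fifo_file rw_fifo_file_perms;`). I believe the two sets currently expand to the same permission list, so this is a style point today, but the mismatched macro name misleads on review and breaks silently if the sets ever diverge; `allow kpropd_t self:fifo_file rw_fifo_file_perms;` is the intended form. The same hunk also trades `corenet_tcp_sendrecv_kprop_port(kpropd_t)` for `corenet_tcp_sendrecv_all_ports(kpropd_t)`; since kpropd still binds only the kprop port (`corenet_tcp_bind_kprop_port` is kept), the narrower rule covered its traffic.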
@@ -29688,10 +29430,10 @@ index 6a95faf..6127834 100644
sysnet_dns_name_resolve(kpropd_t)
diff --git a/kerneloops.if b/kerneloops.if
-index 835b16b..5992eb1 100644
+index 714448f..656a998 100644
--- a/kerneloops.if
+++ b/kerneloops.if
-@@ -99,17 +99,21 @@ interface(`kerneloops_manage_tmp_files',`
+@@ -101,13 +101,17 @@ interface(`kerneloops_manage_tmp_files',`
#
interface(`kerneloops_admin',`
gen_require(`
@@ -29704,38 +29446,27 @@ index 835b16b..5992eb1 100644
- allow $1 kerneloops_t:process { ptrace signal_perms };
+ allow $1 kerneloops_t:process signal_perms;
ps_process_pattern($1, kerneloops_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 kerneloops_t:process ptrace;
+ ')
-
++
init_labeled_script_domtrans($1, kerneloops_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 kerneloops_initrc_exec_t system_r;
- allow $2 system_r;
-
-+ files_list_tmp($1)
- admin_pattern($1, kerneloops_tmp_t)
- ')
diff --git a/kerneloops.te b/kerneloops.te
-index 6b35547..5c641b9 100644
+index 1101985..7f1061d 100644
--- a/kerneloops.te
+++ b/kerneloops.te
-@@ -32,7 +32,6 @@ kernel_read_ring_buffer(kerneloops_t)
- # Init script handling
+@@ -31,7 +31,6 @@ kernel_read_ring_buffer(kerneloops_t)
+
domain_use_interactive_fds(kerneloops_t)
-corenet_all_recvfrom_unlabeled(kerneloops_t)
corenet_all_recvfrom_netlabel(kerneloops_t)
corenet_tcp_sendrecv_generic_if(kerneloops_t)
corenet_tcp_sendrecv_generic_node(kerneloops_t)
-@@ -40,15 +39,12 @@ corenet_tcp_sendrecv_all_ports(kerneloops_t)
- corenet_tcp_bind_http_port(kerneloops_t)
- corenet_tcp_connect_http_port(kerneloops_t)
-
--files_read_etc_files(kerneloops_t)
-
- auth_use_nsswitch(kerneloops_t)
-
+@@ -45,8 +44,6 @@ auth_use_nsswitch(kerneloops_t)
logging_send_syslog_msg(kerneloops_t)
logging_read_generic_logs(kerneloops_t)
@@ -29744,35 +29475,33 @@ index 6b35547..5c641b9 100644
optional_policy(`
dbus_system_domain(kerneloops_t, kerneloops_exec_t)
')
-diff --git a/keyboardd.fc b/keyboardd.fc
-new file mode 100644
-index 0000000..485aacc
---- /dev/null
-+++ b/keyboardd.fc
-@@ -0,0 +1,2 @@
-+
-+/usr/bin/system-setup-keyboard -- gen_context(system_u:object_r:keyboardd_exec_t,s0)
diff --git a/keyboardd.if b/keyboardd.if
-new file mode 100644
-index 0000000..6134ef2
---- /dev/null
+index 8982b91..6134ef2 100644
+--- a/keyboardd.if
+++ b/keyboardd.if
-@@ -0,0 +1,39 @@
-+
+@@ -1,19 +1,39 @@
+-## <summary>Xorg.conf keyboard layout callout.</summary>
+
+-######################################
+## <summary>policy for system-setup-keyboard daemon</summary>
+
+########################################
-+## <summary>
+ ## <summary>
+-## Read keyboardd unnamed pipes.
+## Execute a domain transition to run keyboard setup daemon.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
+## <summary>
-+## Domain allowed access.
+ ## Domain allowed access.
+-## </summary>
+## </summary>
-+## </param>
-+#
+ ## </param>
+ #
+-interface(`keyboardd_read_pipes',`
+interface(`keyboardd_domtrans',`
-+ gen_require(`
+ gen_require(`
+- type keyboardd_t;
+ type keyboardd_t, keyboardd_exec_t;
+ ')
+
@@ -29793,65 +29522,45 @@ index 0000000..6134ef2
+interface(`keyboardd_read_pipes',`
+ gen_require(`
+ type keyboardd_t;
-+ ')
-+
+ ')
+
+- allow $1 keyboardd_t:fifo_file read_fifo_file_perms;
+ allow $1 keyboardd_t:fifo_file read_fifo_file_perms;
-+')
+ ')
diff --git a/keyboardd.te b/keyboardd.te
-new file mode 100644
-index 0000000..081ae84
---- /dev/null
+index adfe3dc..a60b664 100644
+--- a/keyboardd.te
+++ b/keyboardd.te
-@@ -0,0 +1,25 @@
-+
-+policy_module(keyboardd, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type keyboardd_t;
-+type keyboardd_exec_t;
-+init_daemon_domain(keyboardd_t, keyboardd_exec_t)
-+
-+########################################
-+#
-+# keyboardd local policy
-+#
-+
-+allow keyboardd_t self:fifo_file rw_fifo_file_perms;
-+allow keyboardd_t self:unix_stream_socket create_stream_socket_perms;
-+
-+files_manage_etc_runtime_files(keyboardd_t)
-+files_etc_filetrans_etc_runtime(keyboardd_t, file)
-+
-+files_read_etc_files(keyboardd_t)
-+
+@@ -19,6 +19,3 @@ allow keyboardd_t self:unix_stream_socket create_stream_socket_perms;
+
+ files_manage_etc_runtime_files(keyboardd_t)
+ files_etc_filetrans_etc_runtime(keyboardd_t, file)
+-files_read_etc_files(keyboardd_t)
+-
+-miscfiles_read_localization(keyboardd_t)
diff --git a/keystone.fc b/keystone.fc
-new file mode 100644
-index 0000000..408d6c0
---- /dev/null
+index b273d80..186cd86 100644
+--- a/keystone.fc
+++ b/keystone.fc
-@@ -0,0 +1,7 @@
-+/usr/bin/keystone-all -- gen_context(system_u:object_r:keystone_exec_t,s0)
-+
+@@ -1,3 +1,5 @@
+/usr/lib/systemd/system/openstack-keystone.* -- gen_context(system_u:object_r:keystone_unit_file_t,s0)
+
-+/var/lib/keystone(/.*)? gen_context(system_u:object_r:keystone_var_lib_t,s0)
-+
-+/var/log/keystone(/.*)? gen_context(system_u:object_r:keystone_log_t,s0)
+ /etc/rc\.d/init\.d/openstack-keystone -- gen_context(system_u:object_r:keystone_initrc_exec_t,s0)
+
+ /usr/bin/keystone-all -- gen_context(system_u:object_r:keystone_exec_t,s0)
diff --git a/keystone.if b/keystone.if
-new file mode 100644
-index 0000000..f20248c
---- /dev/null
+index d3e7fc9..f20248c 100644
+--- a/keystone.if
+++ b/keystone.if
-@@ -0,0 +1,218 @@
+@@ -1,42 +1,218 @@
+-## <summary>Python implementation of the OpenStack identity service API.</summary>
+
+## <summary>policy for keystone</summary>
-+
-+########################################
-+## <summary>
+
+ ########################################
+ ## <summary>
+-## All of the rules required to
+-## administrate an keystone environment.
+## Transition to keystone.
+## </summary>
+## <param name="domain">
@@ -29871,12 +29580,13 @@ index 0000000..f20248c
+########################################
+## <summary>
+## Read keystone's log files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <param name="role">
+## <rolecap/>
+#
+interface(`keystone_read_log',`
@@ -29893,7 +29603,8 @@ index 0000000..f20248c
+## Append to keystone log files.
+## </summary>
+## <param name="domain">
-+## <summary>
+ ## <summary>
+-## Role allowed access.
+## Domain allowed access.
+## </summary>
+## </param>
@@ -30037,26 +29748,37 @@ index 0000000..f20248c
+## <param name="domain">
+## <summary>
+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`keystone_admin',`
-+ gen_require(`
+ ## </summary>
+ ## </param>
+-## <rolecap/>
+ #
+ interface(`keystone_admin',`
+ gen_require(`
+- type keystone_t, keystone_initrc_exec_t, keystone_log_t;
+- type keystone_var_lib_t, keystone_tmp_t;
+ type keystone_t;
+ type keystone_log_t;
+ type keystone_var_lib_t;
+ type keystone_unit_file_t;
-+ ')
-+
-+ allow $1 keystone_t:process { ptrace signal_perms };
-+ ps_process_pattern($1, keystone_t)
-+
-+ logging_search_logs($1)
-+ admin_pattern($1, keystone_log_t)
-+
+ ')
+
+ allow $1 keystone_t:process { ptrace signal_perms };
+ ps_process_pattern($1, keystone_t)
+
+- init_labeled_script_domtrans($1, keystone_initrc_exec_t)
+- domain_system_change_exemption($1)
+- role_transition $2 keystone_initrc_exec_t system_r;
+- allow $2 system_r;
+-
+ logging_search_logs($1)
+ admin_pattern($1, keystone_log_t)
+
+- files_search_var_lib($1
+ files_search_var_lib($1)
-+ admin_pattern($1, keystone_var_lib_t)
-+
+ admin_pattern($1, keystone_var_lib_t)
+
+- files_search_tmp($1)
+- admin_pattern($1, keystone_tmp_t)
+ keystone_systemctl($1)
+ admin_pattern($1, keystone_unit_file_t)
+ allow $1 keystone_unit_file_t:service all_service_perms;
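Review bot: `allow $1 keystone_t:process { ptrace signal_perms };` in keystone_admin grants ptrace unconditionally, while every other admin interface this merge touches (kerneloops_admin, kismet_admin, ksmtuned_admin, kudzu_admin) splits it into `signal_perms` plus a `tunable_policy(`deny_ptrace', ...)` block so the boolean can switch it off. An admin domain that keeps ptrace on the identity service's process after deny_ptrace is set is exactly the gap that boolean exists to close, so keystone_admin should follow the same pattern. The interface body continues in the next hunk; the change below touches only the lines after its gen_require.

```m4
	allow $1 keystone_t:process signal_perms;
	ps_process_pattern($1, keystone_t)

	tunable_policy(`deny_ptrace',`',`
		allow $1 keystone_t:process ptrace;
	')
```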
@@ -30064,102 +29786,59 @@ index 0000000..f20248c
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
-+')
+ ')
diff --git a/keystone.te b/keystone.te
-new file mode 100644
-index 0000000..a6606f3
---- /dev/null
+index 3494d9b..4c4fe02 100644
+--- a/keystone.te
+++ b/keystone.te
-@@ -0,0 +1,68 @@
-+policy_module(keystone, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type keystone_t;
-+type keystone_exec_t;
-+init_daemon_domain(keystone_t, keystone_exec_t)
-+
-+type keystone_log_t;
-+logging_log_file(keystone_log_t)
-+
-+type keystone_var_lib_t;
-+files_type(keystone_var_lib_t)
-+
-+type keystone_tmp_t;
-+files_tmp_file(keystone_tmp_t)
-+
+@@ -21,6 +21,9 @@ files_type(keystone_var_lib_t)
+ type keystone_tmp_t;
+ files_tmp_file(keystone_tmp_t)
+
+type keystone_unit_file_t;
+systemd_unit_file(keystone_unit_file_t)
+
-+########################################
-+#
-+# keystone local policy
-+#
-+allow keystone_t self:fifo_file rw_fifo_file_perms;
-+allow keystone_t self:unix_stream_socket create_stream_socket_perms;
-+allow keystone_t self:tcp_socket create_stream_socket_perms;
-+
-+manage_dirs_pattern(keystone_t, keystone_log_t, keystone_log_t)
-+manage_files_pattern(keystone_t, keystone_log_t, keystone_log_t)
-+logging_log_filetrans(keystone_t, keystone_log_t, { dir file })
-+
-+manage_dirs_pattern(keystone_t, keystone_tmp_t, keystone_tmp_t)
-+manage_files_pattern(keystone_t, keystone_tmp_t, keystone_tmp_t)
-+manage_lnk_files_pattern(keystone_t, keystone_tmp_t, keystone_tmp_t)
-+files_tmp_filetrans(keystone_t, keystone_tmp_t, { file dir lnk_file })
-+can_exec(keystone_t, keystone_tmp_t)
-+
-+manage_dirs_pattern(keystone_t, keystone_var_lib_t, keystone_var_lib_t)
-+manage_files_pattern(keystone_t, keystone_var_lib_t, keystone_var_lib_t)
-+files_var_lib_filetrans(keystone_t, keystone_var_lib_t, { dir file })
-+
-+kernel_read_system_state(keystone_t)
-+
-+corecmd_exec_bin(keystone_t)
-+corecmd_exec_shell(keystone_t)
-+
+ ########################################
+ #
+ # Local policy
+@@ -62,14 +65,12 @@ corenet_sendrecv_commplex_main_server_packets(keystone_t)
+ corenet_tcp_bind_commplex_main_port(keystone_t)
+ corenet_tcp_sendrecv_commplex_main_port(keystone_t)
+
+-files_read_usr_files(keystone_t)
+corenet_tcp_bind_keystone_port(keystone_t)
-+corenet_tcp_bind_generic_node(keystone_t)
-+
-+dev_read_urand(keystone_t)
-+
-+domain_use_interactive_fds(keystone_t)
-+
-+files_read_etc_files(keystone_t)
-+files_read_usr_files(keystone_t)
-+
-+auth_use_pam(keystone_t)
-+
-+libs_exec_ldconfig(keystone_t)
-+
-+
-+optional_policy(`
-+ mysql_stream_connect(keystone_t)
-+')
+
+ auth_use_pam(keystone_t)
+
+ libs_exec_ldconfig(keystone_t)
+
+-miscfiles_read_localization(keystone_t)
+-
+ optional_policy(`
+ mysql_stream_connect(keystone_t)
+ mysql_tcp_connect(keystone_t)
diff --git a/kismet.if b/kismet.if
-index c18c920..582f7f3 100644
+index aa2a337..bb09e3c 100644
--- a/kismet.if
+++ b/kismet.if
-@@ -239,7 +239,10 @@ interface(`kismet_admin',`
- ')
+@@ -292,7 +292,11 @@ interface(`kismet_admin',`
+ allow $2 system_r;
ps_process_pattern($1, kismet_t)
- allow $1 kismet_t:process { ptrace signal_perms };
+ allow $1 kismet_t:process signal_perms;
++
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 kismet_t:process ptrace;
+ ')
- kismet_manage_pid_files($1)
- kismet_manage_lib($1)
+ files_search_var_lib($1)
+ admin_pattern($1, kismet_var_lib_t)
diff --git a/kismet.te b/kismet.te
-index 9dd6880..77c768b 100644
+index ea64ed5..fb28673 100644
--- a/kismet.te
+++ b/kismet.te
-@@ -74,24 +74,21 @@ kernel_read_network_state(kismet_t)
+@@ -81,25 +81,24 @@ kernel_read_network_state(kismet_t)
corecmd_exec_bin(kismet_t)
@@ -30167,53 +29846,56 @@ index 9dd6880..77c768b 100644
corenet_all_recvfrom_netlabel(kismet_t)
corenet_tcp_sendrecv_generic_if(kismet_t)
corenet_tcp_sendrecv_generic_node(kismet_t)
- corenet_tcp_sendrecv_all_ports(kismet_t)
corenet_tcp_bind_generic_node(kismet_t)
+
+-corenet_sendrecv_kismet_server_packets(kismet_t)
-corenet_tcp_bind_kismet_port(kismet_t)
+-corenet_sendrecv_kismet_client_packets(kismet_t)
-corenet_tcp_connect_kismet_port(kismet_t)
+-corenet_tcp_sendrecv_kismet_port(kismet_t)
+corenet_tcp_bind_rtsclient_port(kismet_t)
+corenet_tcp_connect_rtsclient_port(kismet_t)
- corenet_tcp_connect_pulseaudio_port(kismet_t)
++corenet_tcp_connect_pulseaudio_port(kismet_t)
- auth_use_nsswitch(kismet_t)
-
--files_read_etc_files(kismet_t)
- files_read_usr_files(kismet_t)
+-auth_use_nsswitch(kismet_t)
+-
+-files_read_usr_files(kismet_t)
++corenet_sendrecv_rtsclient_server_packets(kismet_t)
++corenet_tcp_bind_rtsclient_port(kismet_t)
++corenet_sendrecv_rtsclient_client_packets(kismet_t)
++corenet_tcp_connect_rtsclient_port(kismet_t)
-miscfiles_read_localization(kismet_t)
++auth_use_nsswitch(kismet_t)
-userdom_use_user_terminals(kismet_t)
+userdom_use_inherited_user_terminals(kismet_t)
- userdom_read_user_tmpfs_files(kismet_t)
++userdom_read_user_tmpfs_files(kismet_t)
optional_policy(`
-diff --git a/ksmtuned.fc b/ksmtuned.fc
-index 9c0c835..8360166 100644
---- a/ksmtuned.fc
-+++ b/ksmtuned.fc
-@@ -3,3 +3,5 @@
- /usr/sbin/ksmtuned -- gen_context(system_u:object_r:ksmtuned_exec_t,s0)
-
- /var/run/ksmtune\.pid -- gen_context(system_u:object_r:ksmtuned_var_run_t,s0)
-+
-+/var/log/ksmtuned.* gen_context(system_u:object_r:ksmtuned_log_t,s0)
+ dbus_system_bus_client(kismet_t)
diff --git a/ksmtuned.if b/ksmtuned.if
-index 6fd0b4c..568f842 100644
+index c530214..b949a9f 100644
--- a/ksmtuned.if
+++ b/ksmtuned.if
-@@ -55,12 +55,14 @@ interface(`ksmtuned_initrc_domtrans',`
+@@ -57,17 +57,15 @@ interface(`ksmtuned_initrc_domtrans',`
#
interface(`ksmtuned_admin',`
gen_require(`
- type ksmtuned_t, ksmtuned_var_run_t;
-- type ksmtuned_initrc_exec_t;
+- type ksmtuned_initrc_exec_t, ksmtuned_log_t;
+ type ksmtuned_t, ksmtuned_var_run_t, ksmtuned_initrc_exec_t;
')
-- allow $1 ksmtuned_t:process { ptrace signal_perms };
-- ps_process_pattern(ksmtumed_t)
+- ksmtuned_initrc_domtrans($1)
+- domain_system_change_exemption($1)
+- role_transition $2 ksmtuned_initrc_exec_t system_r;
+- allow $2 system_r;
+ allow $1 ksmtuned_t:process signal_perms;
+ ps_process_pattern($1, ksmtuned_t)
+
+- allow $1 ksmtuned_t:process { ptrace signal_perms };
+- ps_process_pattern(ksmtumed_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 ksmtuned_t:process ptrace;
+ ')
@@ -30221,26 +29903,12 @@ index 6fd0b4c..568f842 100644
files_list_pids($1)
admin_pattern($1, ksmtuned_var_run_t)
diff --git a/ksmtuned.te b/ksmtuned.te
-index a73b7a1..d143b12 100644
+index c1539b5..0af603d 100644
--- a/ksmtuned.te
+++ b/ksmtuned.te
-@@ -9,6 +9,9 @@ type ksmtuned_t;
- type ksmtuned_exec_t;
- init_daemon_domain(ksmtuned_t, ksmtuned_exec_t)
-
-+type ksmtuned_log_t;
-+logging_log_file(ksmtuned_log_t)
-+
- type ksmtuned_initrc_exec_t;
- init_script_file(ksmtuned_initrc_exec_t)
-
-@@ -20,9 +23,13 @@ files_pid_file(ksmtuned_var_run_t)
- # ksmtuned local policy
- #
-
--allow ksmtuned_t self:capability { sys_ptrace sys_tty_config };
-+allow ksmtuned_t self:capability sys_tty_config;
- allow ksmtuned_t self:fifo_file rw_file_perms;
+@@ -32,6 +32,10 @@ create_files_pattern(ksmtuned_t, ksmtuned_log_t, ksmtuned_log_t)
+ setattr_files_pattern(ksmtuned_t, ksmtuned_log_t, ksmtuned_log_t)
+ logging_log_filetrans(ksmtuned_t, ksmtuned_log_t, { file dir })
+manage_dirs_pattern(ksmtuned_t, ksmtuned_log_t, ksmtuned_log_t)
+manage_files_pattern(ksmtuned_t, ksmtuned_log_t, ksmtuned_log_t)
@@ -30249,45 +29917,42 @@ index a73b7a1..d143b12 100644
manage_files_pattern(ksmtuned_t, ksmtuned_var_run_t, ksmtuned_var_run_t)
files_pid_filetrans(ksmtuned_t, ksmtuned_var_run_t, file)
-@@ -31,9 +38,16 @@ kernel_read_system_state(ksmtuned_t)
+@@ -43,6 +47,7 @@ corecmd_exec_shell(ksmtuned_t)
dev_rw_sysfs(ksmtuned_t)
domain_read_all_domains_state(ksmtuned_t)
+domain_dontaudit_read_all_domains_state(ksmtuned_t)
- corecmd_exec_bin(ksmtuned_t)
-+corecmd_exec_shell(ksmtuned_t)
-+
-+
-+mls_file_read_to_clearance(ksmtuned_t)
-+
-+term_use_all_inherited_terms(ksmtuned_t)
+ mls_file_read_to_clearance(ksmtuned_t)
--files_read_etc_files(ksmtuned_t)
-+auth_use_nsswitch(ksmtuned_t)
+@@ -51,5 +56,3 @@ term_use_all_terms(ksmtuned_t)
+ auth_use_nsswitch(ksmtuned_t)
+ logging_send_syslog_msg(ksmtuned_t)
+-
-miscfiles_read_localization(ksmtuned_t)
-+logging_send_syslog_msg(ksmtuned_t)
diff --git a/ktalk.te b/ktalk.te
-index ca5cfdf..a4457d0 100644
+index 2cf3815..2c4c979 100644
--- a/ktalk.te
+++ b/ktalk.te
-@@ -52,7 +52,6 @@ kernel_read_kernel_sysctls(ktalkd_t)
+@@ -35,16 +35,23 @@ kernel_read_kernel_sysctls(ktalkd_t)
kernel_read_system_state(ktalkd_t)
kernel_read_network_state(ktalkd_t)
--corenet_all_recvfrom_unlabeled(ktalkd_t)
- corenet_all_recvfrom_netlabel(ktalkd_t)
- corenet_tcp_sendrecv_generic_if(ktalkd_t)
- corenet_udp_sendrecv_generic_if(ktalkd_t)
-@@ -65,15 +64,12 @@ dev_read_urand(ktalkd_t)
++corenet_all_recvfrom_netlabel(ktalkd_t)
++corenet_tcp_sendrecv_generic_if(ktalkd_t)
++corenet_udp_sendrecv_generic_if(ktalkd_t)
++corenet_tcp_sendrecv_generic_node(ktalkd_t)
++corenet_udp_sendrecv_generic_node(ktalkd_t)
++corenet_tcp_sendrecv_all_ports(ktalkd_t)
++corenet_udp_sendrecv_all_ports(ktalkd_t)
++
+ dev_read_urand(ktalkd_t)
fs_getattr_xattr_fs(ktalkd_t)
--files_read_etc_files(ktalkd_t)
-
- term_search_ptys(ktalkd_t)
-term_use_all_terms(ktalkd_t)
++term_search_ptys(ktalkd_t)
+term_use_all_inherited_terms(ktalkd_t)
auth_use_nsswitch(ktalkd_t)
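Review bot: `domain_dontaudit_read_all_domains_state(ksmtuned_t)` is added directly under `domain_read_all_domains_state(ksmtuned_t)`, and a dontaudit on accesses the preceding line already allows reads as a contradiction without a comment. The probable reason — silencing denials for processes above the domain's MLS clearance, given `mls_file_read_to_clearance(ksmtuned_t)` two lines below — is an inference from this hunk, so please confirm it and record it, e.g. `# ksmtuned scans /proc/*/ of every process; dontaudit the ones MLS keeps it from reading`. If that is not the reason, one of the two calls should go.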
@@ -30297,40 +29962,34 @@ index ca5cfdf..a4457d0 100644
logging_send_syslog_msg(ktalkd_t)
-
-miscfiles_read_localization(ktalkd_t)
-diff --git a/kudzu.fc b/kudzu.fc
-index dd88f74..3317a0c 100644
---- a/kudzu.fc
-+++ b/kudzu.fc
-@@ -2,4 +2,5 @@
- /sbin/kmodule -- gen_context(system_u:object_r:kudzu_exec_t,s0)
- /sbin/kudzu -- gen_context(system_u:object_r:kudzu_exec_t,s0)
-
-+/usr/sbin/kmodule -- gen_context(system_u:object_r:kudzu_exec_t,s0)
- /usr/sbin/kudzu -- gen_context(system_u:object_r:kudzu_exec_t,s0)
+diff --git a/kudzu.if b/kudzu.if
+index 5297064..6ba8108 100644
+--- a/kudzu.if
++++ b/kudzu.if
+@@ -86,9 +86,13 @@ interface(`kudzu_admin',`
+ type kudzu_tmp_t;
+ ')
+
+- allow $1 kudzu_t:process { ptrace signal_perms };
++ allow $1 kudzu_t:process { signal_perms };
+ ps_process_pattern($1, kudzu_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 kudzu_t:process ptrace;
++ ')
++
+ init_labeled_script_domtrans($1, kudzu_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 kudzu_initrc_exec_t system_r;
diff --git a/kudzu.te b/kudzu.te
-index 4f7bd3c..74cc11d 100644
+index 9725f1a..0ed9942 100644
--- a/kudzu.te
+++ b/kudzu.te
-@@ -20,7 +20,7 @@ files_pid_file(kudzu_var_run_t)
- # Local policy
- #
-
--allow kudzu_t self:capability { dac_override sys_admin sys_ptrace sys_rawio net_admin sys_tty_config mknod };
-+allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod };
- dontaudit kudzu_t self:capability sys_tty_config;
- allow kudzu_t self:process { signal_perms execmem };
- allow kudzu_t self:fifo_file rw_fifo_file_perms;
-@@ -109,17 +109,10 @@ libs_read_lib_files(kudzu_t)
+@@ -101,11 +101,10 @@ libs_read_lib_files(kudzu_t)
logging_send_syslog_msg(kudzu_t)
miscfiles_read_hwdata(kudzu_t)
-miscfiles_read_localization(kudzu_t)
--
--modutils_read_module_config(kudzu_t)
--modutils_read_module_deps(kudzu_t)
--modutils_rename_module_config(kudzu_t)
--modutils_delete_module_config(kudzu_t)
--modutils_domtrans_insmod(kudzu_t)
sysnet_read_config(kudzu_t)
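Review bot: `allow $1 kudzu_t:process { signal_perms };` wraps a single permission macro in braces, unlike the parallel lines this merge writes for kerneloops_admin, kismet_admin and ksmtuned_admin (`allow $1 kerneloops_t:process signal_perms;`); for consistency use `allow $1 kudzu_t:process signal_perms;`. The deny_ptrace block that follows matches the others. kudzu_admin's opening and its gen_require lie outside this hunk.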
@@ -30339,55 +29998,29 @@ index 4f7bd3c..74cc11d 100644
userdom_dontaudit_use_unpriv_user_fds(kudzu_t)
userdom_search_user_home_dirs(kudzu_t)
-@@ -128,6 +121,14 @@ optional_policy(`
+@@ -122,10 +121,6 @@ optional_policy(`
')
optional_policy(`
-+ modutils_read_module_config(kudzu_t)
-+ modutils_read_module_deps(kudzu_t)
-+ modutils_rename_module_config(kudzu_t)
-+ modutils_delete_module_config(kudzu_t)
-+ modutils_domtrans_insmod(kudzu_t)
-+')
-+
-+optional_policy(`
- nscd_socket_use(kudzu_t)
+- nscd_use(kudzu_t)
+-')
+-
+-optional_policy(`
+ seutil_sigchld_newrole(kudzu_t)
')
-diff --git a/l2tpd.fc b/l2tpd.fc
-new file mode 100644
-index 0000000..6b27066
---- /dev/null
-+++ b/l2tpd.fc
-@@ -0,0 +1,18 @@
-+/etc/prol2tp(/.*)? gen_context(system_u:object_r:l2tp_etc_t,s0)
-+
-+/etc/rc\.d/init\.d/openl2tpd -- gen_context(system_u:object_r:l2tpd_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/prol2tpd -- gen_context(system_u:object_r:l2tpd_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/xl2tpd -- gen_context(system_u:object_r:l2tpd_initrc_exec_t,s0)
-+
-+/etc/sysconfig/prol2tpd -- gen_context(system_u:object_r:l2tp_etc_t,s0)
-+
-+/usr/sbin/openl2tpd -- gen_context(system_u:object_r:l2tpd_exec_t,s0)
-+/usr/sbin/prol2tpd -- gen_context(system_u:object_r:l2tpd_exec_t,s0)
-+/usr/sbin/xl2tpd -- gen_context(system_u:object_r:l2tpd_exec_t,s0)
-+
-+/var/run/openl2tpd\.pid -- gen_context(system_u:object_r:l2tpd_var_run_t,s0)
-+/var/run/prol2tpd(/.*)? gen_context(system_u:object_r:l2tpd_var_run_t,s0)
-+/var/run/prol2tpd\.ctl -s gen_context(system_u:object_r:l2tpd_var_run_t,s0)
-+/var/run/prol2tpd\.pid -- gen_context(system_u:object_r:l2tpd_var_run_t,s0)
-+/var/run/xl2tpd(/.*)? gen_context(system_u:object_r:l2tpd_var_run_t,s0)
-+/var/run/xl2tpd\.pid -- gen_context(system_u:object_r:l2tpd_var_run_t,s0)
-diff --git a/l2tpd.if b/l2tpd.if
-new file mode 100644
-index 0000000..562d25b
---- /dev/null
-+++ b/l2tpd.if
-@@ -0,0 +1,178 @@
+diff --git a/l2tp.if b/l2tp.if
+index 73e2803..562d25b 100644
+--- a/l2tp.if
++++ b/l2tp.if
+@@ -1,9 +1,45 @@
+-## <summary>Layer 2 Tunneling Protocol.</summary>
+## <summary>Layer 2 Tunneling Protocol daemons.</summary>
-+
-+########################################
-+## <summary>
+
+ ########################################
+ ## <summary>
+-## Send to l2tpd with a unix
+-## domain dgram socket.
+## Transition to l2tpd.
+## </summary>
+## <param name="domain">
@@ -30426,40 +30059,21 @@ index 0000000..562d25b
+########################################
+## <summary>
+## Send to l2tpd via a unix dgram socket.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`l2tpd_dgram_send',`
-+ gen_require(`
-+ type l2tpd_t, l2tpd_tmp_t, l2tpd_var_run_t;
-+ ')
-+
-+ files_search_tmp($1)
-+ dgram_send_pattern($1, { l2tpd_tmp_t l2tpd_var_run_t }, { l2tpd_tmp_t l2tpd_var_run_t }, l2tpd_t)
-+')
-+
-+########################################
-+## <summary>
-+## Read and write l2tpd sockets.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`l2tpd_rw_socket',`
-+ gen_require(`
-+ type l2tpd_t;
-+ ')
-+
-+ allow $1 l2tpd_t:socket rw_socket_perms;
-+')
-+
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -16,7 +52,6 @@ interface(`l2tpd_dgram_send',`
+ type l2tpd_t, l2tpd_tmp_t, l2tpd_var_run_t;
+ ')
+
+- files_search_pids($1)
+ files_search_tmp($1)
+ dgram_send_pattern($1, { l2tpd_tmp_t l2tpd_var_run_t }, { l2tpd_tmp_t l2tpd_var_run_t }, l2tpd_t)
+ ')
+@@ -39,10 +74,29 @@ interface(`l2tpd_rw_socket',`
+ allow $1 l2tpd_t:socket rw_socket_perms;
+ ')
+
+########################################
+## <summary>
+## Read l2tpd PID files.
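Review bot: `l2tpd_dgram_send` drops `files_search_pids($1)` (the `+- files_search_pids($1)` line) while its `dgram_send_pattern` still names `l2tpd_var_run_t` sockets, and that type is a pid-file type living under /var/run; a caller without search on var_run_t cannot reach the socket path, so the send is denied before the dgram rule is ever consulted. Either keep `files_search_pids($1)` next to `files_search_tmp($1)`, or drop `l2tpd_var_run_t` from the pattern if only the /tmp socket is meant. If the search is expected to come from a caller-side grant, a one-line comment saying so would stop it being re-added later.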
@@ -30479,218 +30093,144 @@ index 0000000..562d25b
+ allow $1 l2tpd_var_run_t:file read_file_perms;
+')
+
-+#####################################
-+## <summary>
+ #####################################
+ ## <summary>
+-## Connect to l2tpd with a unix
+-## domain stream socket.
+## Connect to l2tpd over a unix domain
+## stream socket.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`l2tpd_stream_connect',`
-+ gen_require(`
-+ type l2tpd_t, l2tpd_var_run_t, l2tpd_tmp_t;
-+ ')
-+
-+ files_search_pids($1)
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -56,14 +110,32 @@ interface(`l2tpd_stream_connect',`
+ ')
+
+ files_search_pids($1)
+- files_search_tmp($1)
+- stream_connect_pattern($1, { l2tpd_tmp_t l2tpd_var_run_t }, { l2tpd_tmp_t l2tpd_var_run_t }, l2tpd_t)
+ stream_connect_pattern($1, l2tpd_tmp_t, l2tpd_tmp_t, l2tpd_t)
+ stream_connect_pattern($1, l2tpd_var_run_t, l2tpd_var_run_t, l2tpd_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## All of the rules required to
+-## administrate an l2tp environment.
+## Read and write l2tpd unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
-+## </param>
-+#
-+interface(`l2tpd_rw_pipes',`
-+ gen_require(`
-+ type l2tpd_t;
-+ ')
-+
-+ allow $1 l2tpd_t:fifo_file rw_fifo_file_perms;
-+')
-+
-+########################################
-+## <summary>
-+## All of the rules required to administrate
-+## an l2tpd environment
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <param name="role">
-+## <summary>
-+## Role allowed access.
-+## </summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`l2tpd_admin',`
-+ gen_require(`
-+ type l2tpd_t, l2tpd_initrc_exec_t, l2tpd_var_run_t;
-+ type l2tp_etc_t, l2tpd_tmp_t;
-+ ')
-+
-+ allow $1 l2tpd_t:process signal_perms;
-+ ps_process_pattern($1, l2tpd_t)
-+
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 l2tpd_t:process ptrace;
-+ ')
-+
-+ l2tpd_initrc_domtrans($1)
-+ domain_system_change_exemption($1)
-+ role_transition $2 l2tpd_initrc_exec_t system_r;
-+ allow $2 system_r;
-+
-+ files_search_etc($1)
-+ admin_pattern($1, l2tp_etc_t)
-+
-+ files_search_pids($1)
-+ admin_pattern($1, l2tpd_var_run_t)
-+
-+ files_search_tmp($1)
-+ admin_pattern($1, l2tpd_tmp_t)
-+')
-diff --git a/l2tpd.te b/l2tpd.te
-new file mode 100644
-index 0000000..1e292d4
---- /dev/null
-+++ b/l2tpd.te
-@@ -0,0 +1,99 @@
-+policy_module(l2tpd, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type l2tpd_t;
-+type l2tpd_exec_t;
-+init_daemon_domain(l2tpd_t, l2tpd_exec_t)
-+
-+type l2tpd_initrc_exec_t;
-+init_script_file(l2tpd_initrc_exec_t)
-+
-+type l2tp_etc_t;
-+files_config_file(l2tp_etc_t)
-+
-+type l2tpd_tmp_t;
-+files_tmp_file(l2tpd_tmp_t)
-+
-+type l2tpd_var_run_t;
-+files_pid_file(l2tpd_var_run_t)
-+
-+########################################
-+#
-+# Local policy
-+#
-+
-+allow l2tpd_t self:capability { net_admin net_bind_service };
-+allow l2tpd_t self:process signal;
-+allow l2tpd_t self:fifo_file rw_fifo_file_perms;
-+allow l2tpd_t self:netlink_socket create_socket_perms;
-+allow l2tpd_t self:rawip_socket create_socket_perms;
-+allow l2tpd_t self:socket create_socket_perms;
-+allow l2tpd_t self:tcp_socket create_stream_socket_perms;
-+allow l2tpd_t self:unix_dgram_socket sendto;
-+allow l2tpd_t self:unix_stream_socket create_stream_socket_perms;
-+
-+read_files_pattern(l2tpd_t, l2tp_etc_t, l2tp_etc_t)
-+
-+manage_dirs_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t)
-+manage_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t)
-+manage_sock_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t)
-+manage_fifo_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t)
-+files_pid_filetrans(l2tpd_t, l2tpd_var_run_t, { dir file sock_file fifo_file })
-+
-+manage_sock_files_pattern(l2tpd_t, l2tpd_tmp_t, l2tpd_tmp_t)
-+files_tmp_filetrans(l2tpd_t, l2tpd_tmp_t, sock_file)
-+
-+corenet_all_recvfrom_netlabel(l2tpd_t)
-+corenet_raw_sendrecv_generic_if(l2tpd_t)
-+corenet_tcp_sendrecv_generic_if(l2tpd_t)
-+corenet_udp_sendrecv_generic_if(l2tpd_t)
-+corenet_raw_bind_generic_node(l2tpd_t)
-+corenet_tcp_bind_generic_node(l2tpd_t)
-+corenet_udp_bind_generic_node(l2tpd_t)
-+corenet_raw_sendrecv_generic_node(l2tpd_t)
-+corenet_tcp_sendrecv_generic_node(l2tpd_t)
-+corenet_udp_sendrecv_generic_node(l2tpd_t)
-+
-+corenet_tcp_bind_all_rpc_ports(l2tpd_t)
-+corenet_udp_bind_all_rpc_ports(l2tpd_t)
-+corenet_udp_bind_generic_port(l2tpd_t)
-+
-+corenet_udp_bind_l2tp_port(l2tpd_t)
-+corenet_udp_sendrecv_l2tp_port(l2tpd_t)
-+corenet_sendrecv_l2tp_server_packets(l2tpd_t)
-+
-+kernel_read_system_state(l2tpd_t)
-+kernel_read_network_state(l2tpd_t)
-+# net-pf-24 (pppox)
-+kernel_request_load_module(l2tpd_t)
-+
-+term_use_ptmx(l2tpd_t)
-+term_use_generic_ptys(l2tpd_t)
-+term_setattr_generic_ptys(l2tpd_t)
-+
-+# prol2tpc
-+corecmd_exec_bin(l2tpd_t)
-+
-+dev_read_urand(l2tpd_t)
-+
-+domain_use_interactive_fds(l2tpd_t)
-+
-+files_read_etc_files(l2tpd_t)
-+
-+term_use_ptmx(l2tpd_t)
-+
-+auth_read_passwd(l2tpd_t)
++## </param>
++#
++interface(`l2tpd_rw_pipes',`
++ gen_require(`
++ type l2tpd_t;
++ ')
+
-+logging_send_syslog_msg(l2tpd_t)
++ allow $1 l2tpd_t:fifo_file rw_fifo_file_perms;
++')
+
-+sysnet_dns_name_resolve(l2tpd_t)
++########################################
++## <summary>
++## All of the rules required to administrate
++## an l2tpd environment
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -77,22 +149,26 @@ interface(`l2tpd_stream_connect',`
+ ## </param>
+ ## <rolecap/>
+ #
+-interface(`l2tp_admin',`
++interface(`l2tpd_admin',`
+ gen_require(`
+ type l2tpd_t, l2tpd_initrc_exec_t, l2tpd_var_run_t;
+- type l2tp_conf_t, l2tpd_tmp_t;
++ type l2tp_etc_t, l2tpd_tmp_t;
+ ')
+
+- allow $1 l2tpd_t:process { ptrace signal_perms };
++ allow $1 l2tpd_t:process signal_perms;
+ ps_process_pattern($1, l2tpd_t)
+
+- init_labeled_script_domtrans($1, l2tpd_initrc_exec_t)
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 l2tpd_t:process ptrace;
++ ')
+
-+optional_policy(`
-+ ppp_domtrans(l2tpd_t)
-+ ppp_signal(l2tpd_t)
-+ ppp_kill(l2tpd_t)
-+')
++ l2tpd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 l2tpd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_etc($1)
+- admin_pattern($1, l2tp_conf_t)
++ admin_pattern($1, l2tp_etc_t)
+
+ files_search_pids($1)
+ admin_pattern($1, l2tpd_var_run_t)
+diff --git a/l2tp.te b/l2tp.te
+index 19f2b97..134b150 100644
+--- a/l2tp.te
++++ b/l2tp.te
+@@ -75,16 +75,12 @@ corecmd_exec_bin(l2tpd_t)
+
+ dev_read_urand(l2tpd_t)
+
+-files_read_etc_files(l2tpd_t)
+-
+ term_setattr_generic_ptys(l2tpd_t)
+ term_use_generic_ptys(l2tpd_t)
+ term_use_ptmx(l2tpd_t)
+
+ logging_send_syslog_msg(l2tpd_t)
+
+-miscfiles_read_localization(l2tpd_t)
+-
+ sysnet_dns_name_resolve(l2tpd_t)
+
+ optional_policy(`
diff --git a/ldap.fc b/ldap.fc
-index c62f23e..40c6b4d 100644
+index bc25c95..dcdbe9b 100644
--- a/ldap.fc
+++ b/ldap.fc
-@@ -1,6 +1,11 @@
-
+@@ -1,8 +1,11 @@
/etc/ldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0)
--/etc/rc\.d/init\.d/ldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
-+/etc/openldap/certs(/.*)? gen_context(system_u:object_r:slapd_cert_t,s0)
-+/etc/openldap/slapd\.d(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
+-/etc/openldap/certs(/.*)? gen_context(system_u:object_r:slapd_cert_t,s0)
+
++/etc/openldap/certs(/.*)? gen_context(system_u:object_r:slapd_cert_t,s0)
+ /etc/openldap/slapd\.d(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
+
+-/etc/rc\.d/init\.d/ldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/slapd -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
+
+/usr/lib/systemd/system/slapd.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
- /usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
-
+ /usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
+
+@@ -17,8 +20,7 @@
+ /var/log/ldap.* gen_context(system_u:object_r:slapd_log_t,s0)
+ /var/log/slapd.* gen_context(system_u:object_r:slapd_log_t,s0)
+
+-/var/run/ldapi -s gen_context(system_u:object_r:slapd_var_run_t,s0)
+-/var/run/openldap(/.*)? gen_context(system_u:object_r:slapd_var_run_t,s0)
+-/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0)
+-/var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0)
+-/var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0)
++/var/run/ldapi -s gen_context(system_u:object_r:slapd_var_run_t,s0)
++/var/run/openldap(/.*)? gen_context(system_u:object_r:slapd_var_run_t,s0)
++/var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0)
++/var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0)
diff --git a/ldap.if b/ldap.if
-index d6b7b2d..bc0ccb3 100644
+index ee0c7cc..6ec5f73 100644
--- a/ldap.if
+++ b/ldap.if
-@@ -1,5 +1,64 @@
- ## <summary>OpenLDAP directory server</summary>
-
+@@ -1,8 +1,68 @@
+-## <summary>OpenLDAP directory server.</summary>
++## <summary>OpenLDAP directory server</summary>
++
+#######################################
+## <summary>
+## Execute OpenLDAP in the ldap domain.
@@ -30726,9 +30266,10 @@ index d6b7b2d..bc0ccb3 100644
+
+ init_labeled_script_domtrans($1, slapd_initrc_exec_t)
+')
-+
-+########################################
-+## <summary>
+
+ ########################################
+ ## <summary>
+-## List ldap database directories.
+## Execute slapd server in the slapd domain.
+## </summary>
+## <param name="domain">
@@ -30750,13 +30291,24 @@ index d6b7b2d..bc0ccb3 100644
+ ps_process_pattern($1, slapd_t)
+')
+
- ########################################
- ## <summary>
- ## Read the contents of the OpenLDAP
-@@ -21,6 +80,25 @@ interface(`ldap_list_db',`
++########################################
++## <summary>
++## Read the contents of the OpenLDAP
++## database directories.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -15,13 +75,31 @@ interface(`ldap_list_db',`
+ type slapd_db_t;
+ ')
+
+- files_search_etc($1)
+ allow $1 slapd_db_t:dir list_dir_perms;
+ ')
########################################
## <summary>
+-## Read ldap configuration files.
+## Read the contents of the OpenLDAP
+## database files.
+## </summary>
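Review bot: `ldap_list_db` loses `files_search_etc($1)` while `slapd_db_t` is assigned to `/etc/openldap/slapd.d(/.*)?` in ldap.fc, so a caller that does not already hold search on etc_t cannot traverse into the directory it is being allowed to list. Keep `files_search_etc($1)` before `allow $1 slapd_db_t:dir list_dir_perms;` unless every caller is known to have etc search already; if that is the intent, say so in the interface summary so the omission reads as deliberate.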
@@ -30776,34 +30328,100 @@ index d6b7b2d..bc0ccb3 100644
+
+########################################
+## <summary>
- ## Read the OpenLDAP configuration files.
++## Read the OpenLDAP configuration files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -55,8 +133,7 @@ interface(`ldap_use',`
+
+ ########################################
+ ## <summary>
+-## Connect to slapd over an unix
+-## stream socket.
++## Connect to slapd over an unix stream socket.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -75,29 +152,8 @@ interface(`ldap_stream_connect',`
+
+ ########################################
+ ## <summary>
+-## Connect to ldap over the network.
+-## </summary>
+-## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+-## </param>
+-#
+-interface(`ldap_tcp_connect',`
+- gen_require(`
+- type slapd_t;
+- ')
+-
+- corenet_sendrecv_ldap_client_packets($1)
+- corenet_tcp_connect_ldap_port($1)
+- corenet_tcp_recvfrom_labeled($1, slapd_t)
+- corenet_tcp_sendrecv_ldap_port($1)
+-')
+-
+-########################################
+-## <summary>
+-## All of the rules required to
+-## administrate an ldap environment.
++## All of the rules required to administrate
++## an ldap environment
## </summary>
## <param name="domain">
-@@ -94,10 +172,14 @@ interface(`ldap_admin',`
+ ## <summary>
+@@ -106,7 +162,7 @@ interface(`ldap_tcp_connect',`
+ ## </param>
+ ## <param name="role">
+ ## <summary>
+-## Role allowed access.
++## The role to be allowed to manage the ldap domain.
+ ## </summary>
+ ## </param>
+ ## <rolecap/>
+@@ -115,28 +171,28 @@ interface(`ldap_admin',`
+ gen_require(`
type slapd_t, slapd_tmp_t, slapd_replog_t;
type slapd_lock_t, slapd_etc_t, slapd_var_run_t;
- type slapd_initrc_exec_t;
+- type slapd_initrc_exec_t, slapd_log_t, slapd_cert_t;
+- type slapd_db_t;
++ type slapd_initrc_exec_t;
+ type ldap_unit_file_t;
')
- allow $1 slapd_t:process { ptrace signal_perms };
+ allow $1 slapd_t:process signal_perms;
ps_process_pattern($1, slapd_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 slapd_t:process ptrace;
+ ')
-
++
init_labeled_script_domtrans($1, slapd_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -109,6 +191,7 @@ interface(`ldap_admin',`
+ role_transition $2 slapd_initrc_exec_t system_r;
+ allow $2 system_r;
+ files_list_etc($1)
+- admin_pattern($1, { slapd_etc_t slapd_db_t slapd_cert_t })
++ admin_pattern($1, slapd_etc_t)
+
+- files_list_locks($1)
admin_pattern($1, slapd_lock_t)
+- logging_list_logs($1)
+- admin_pattern($1, slapd_log_t)
+-
+- files_search_var_lib($1)
+ files_list_var_lib($1)
admin_pattern($1, slapd_replog_t)
files_list_tmp($1)
-@@ -116,4 +199,8 @@ interface(`ldap_admin',`
+@@ -144,4 +200,8 @@ interface(`ldap_admin',`
files_list_pids($1)
admin_pattern($1, slapd_var_run_t)
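Review bot: `ldap_admin` narrows the upstream interface rather than extending it: `slapd_log_t`, `slapd_cert_t` and `slapd_db_t` are removed from gen_require, `admin_pattern($1, { slapd_etc_t slapd_db_t slapd_cert_t })` becomes `admin_pattern($1, slapd_etc_t)`, and the `logging_list_logs($1)` / `admin_pattern($1, slapd_log_t)` lines are dropped. An admin role built from this interface can no longer manage the cn=config database under /etc/openldap/slapd.d, the certificate directory, or the slapd logs, which is a functional regression rather than a tightening; if the wider set is wanted, restore `admin_pattern($1, { slapd_etc_t slapd_db_t slapd_cert_t })` and the log lines. The deletion of the `ldap_tcp_connect` interface in the same hunk will also break any module still calling it unless those callers were migrated.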
@@ -30813,19 +30431,10 @@ index d6b7b2d..bc0ccb3 100644
+ allow $1 ldap_unit_file_t:service all_service_perms;
')
diff --git a/ldap.te b/ldap.te
-index 64fd1ff..3ee778a 100644
+index d7d9b09..bfc2aa2 100644
--- a/ldap.te
+++ b/ldap.te
-@@ -10,7 +10,7 @@ type slapd_exec_t;
- init_daemon_domain(slapd_t, slapd_exec_t)
-
- type slapd_cert_t;
--files_type(slapd_cert_t)
-+miscfiles_cert_type(slapd_cert_t)
-
- type slapd_db_t;
- files_type(slapd_db_t)
-@@ -21,15 +21,24 @@ files_config_file(slapd_etc_t)
+@@ -21,6 +21,9 @@ files_config_file(slapd_etc_t)
type slapd_initrc_exec_t;
init_script_file(slapd_initrc_exec_t)
@@ -30835,22 +30444,7 @@ index 64fd1ff..3ee778a 100644
type slapd_lock_t;
files_lock_file(slapd_lock_t)
- type slapd_replog_t;
- files_type(slapd_replog_t)
-
-+type slapd_log_t;
-+logging_log_file(slapd_log_t)
-+
- type slapd_tmp_t;
- files_tmp_file(slapd_tmp_t)
-
-+type slapd_tmpfs_t;
-+files_tmpfs_file(slapd_tmpfs_t)
-+
- type slapd_var_run_t;
- files_pid_file(slapd_var_run_t)
-
-@@ -67,18 +76,25 @@ manage_dirs_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
+@@ -73,6 +76,10 @@ manage_dirs_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
manage_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
manage_lnk_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
@@ -30861,30 +30455,19 @@ index 64fd1ff..3ee778a 100644
manage_dirs_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t)
manage_files_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t)
files_tmp_filetrans(slapd_t, slapd_tmp_t, { file dir })
-
-+manage_files_pattern(slapd_t, slapd_tmpfs_t, slapd_tmpfs_t)
-+fs_tmpfs_filetrans(slapd_t, slapd_tmpfs_t, file)
-+
-+manage_dirs_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t)
- manage_files_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t)
- manage_sock_files_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t)
--files_pid_filetrans(slapd_t, slapd_var_run_t, { file sock_file })
-+files_pid_filetrans(slapd_t, slapd_var_run_t, { dir file sock_file })
-
+@@ -88,7 +95,6 @@ files_pid_filetrans(slapd_t, slapd_var_run_t, { dir file sock_file })
kernel_read_system_state(slapd_t)
kernel_read_kernel_sysctls(slapd_t)
-corenet_all_recvfrom_unlabeled(slapd_t)
corenet_all_recvfrom_netlabel(slapd_t)
corenet_tcp_sendrecv_generic_if(slapd_t)
- corenet_udp_sendrecv_generic_if(slapd_t)
-@@ -100,23 +116,25 @@ fs_search_auto_mountpoints(slapd_t)
-
- domain_use_interactive_fds(slapd_t)
+ corenet_tcp_sendrecv_generic_node(slapd_t)
+@@ -110,25 +116,23 @@ fs_getattr_all_fs(slapd_t)
+ fs_search_auto_mountpoints(slapd_t)
--files_read_etc_files(slapd_t)
files_read_etc_runtime_files(slapd_t)
- files_read_usr_files(slapd_t)
+-files_read_usr_files(slapd_t)
files_list_var_lib(slapd_t)
auth_use_nsswitch(slapd_t)
@@ -30900,52 +30483,192 @@ index 64fd1ff..3ee778a 100644
optional_policy(`
kerberos_keytab_template(slapd, slapd_t)
+- kerberos_manage_host_rcache(slapd_t)
+- kerberos_tmp_filetrans_host_rcache(slapd_t, file, "ldapmap1_0")
+- kerberos_tmp_filetrans_host_rcache(slapd_t, file, "ldap_487")
+- kerberos_tmp_filetrans_host_rcache(slapd_t, file, "ldap_55")
+ kerberos_tmp_filetrans_host_rcache(slapd_t, "ldapmap1_0")
+ kerberos_tmp_filetrans_host_rcache(slapd_t, "ldap_487")
+ kerberos_tmp_filetrans_host_rcache(slapd_t, "ldap_55")
')
optional_policy(`
-diff --git a/likewise.fc b/likewise.fc
-index 057a4e4..57491fc 100644
---- a/likewise.fc
-+++ b/likewise.fc
-@@ -20,7 +20,8 @@
- /usr/sbin/netlogond -- gen_context(system_u:object_r:netlogond_exec_t,s0)
- /usr/sbin/srvsvcd -- gen_context(system_u:object_r:srvsvcd_exec_t,s0)
+diff --git a/lightsquid.if b/lightsquid.if
+index 33a28b9..33ffe24 100644
+--- a/lightsquid.if
++++ b/lightsquid.if
+@@ -76,5 +76,7 @@ interface(`lightsquid_admin',`
+ files_search_var_lib($1)
+ admin_pattern($1, lightsquid_rw_content_t)
+
+- apache_list_sys_content($1)
++ optional_policy(`
++ apache_list_sys_content($1)
++ ')
+ ')
+diff --git a/lightsquid.te b/lightsquid.te
+index 40a2607..308accb 100644
+--- a/lightsquid.te
++++ b/lightsquid.te
+@@ -31,11 +31,6 @@ corecmd_exec_shell(lightsquid_t)
+
+ dev_read_urand(lightsquid_t)
+
+-files_read_etc_files(lightsquid_t)
+-files_read_usr_files(lightsquid_t)
+-
+-miscfiles_read_localization(lightsquid_t)
+-
+ squid_read_config(lightsquid_t)
+ squid_read_log(lightsquid_t)
--/var/lib/likewise-open(/.*)? gen_context(system_u:object_r:likewise_var_lib_t,s0)
-+/var/lib/likewise-open(/.*)? gen_context(system_u:object_r:likewise_var_lib_t,s0)
-+/var/lib/likewise(/.*)? gen_context(system_u:object_r:likewise_var_lib_t,s0)
- /var/lib/likewise-open/\.lsassd -s gen_context(system_u:object_r:lsassd_var_socket_t,s0)
- /var/lib/likewise-open/\.lwiod -s gen_context(system_u:object_r:lwiod_var_socket_t,s0)
- /var/lib/likewise-open/\.regsd -s gen_context(system_u:object_r:lwregd_var_socket_t,s0)
diff --git a/likewise.if b/likewise.if
-index 771e04b..1072aea 100644
+index bd20e8c..3393a01 100644
--- a/likewise.if
+++ b/likewise.if
-@@ -63,7 +63,7 @@ template(`likewise_domain_template',`
+@@ -1,9 +1,22 @@
+ ## <summary>Likewise Active Directory support for UNIX.</summary>
++## <desc>
++## <p>
++## Likewise Open is a free, open source application that joins Linux, Unix,
++## and Mac machines to Microsoft Active Directory to securely authenticate
++## users with their domain credentials.
++## </p>
++## </desc>
+
+ #######################################
+ ## <summary>
+ ## The template to define a likewise domain.
+ ## </summary>
++## <desc>
++## <p>
++## This template creates a domain to be used for
++## a new likewise daemon.
++## </p>
++## </desc>
+ ## <param name="userdomain_prefix">
+ ## <summary>
+ ## The type of daemon to be used.
+@@ -11,6 +24,7 @@
+ ## </param>
+ #
+ template(`likewise_domain_template',`
++
+ gen_require(`
+ attribute likewise_domains;
+ type likewise_var_lib_t;
+@@ -24,6 +38,7 @@ template(`likewise_domain_template',`
+ type $1_t;
+ type $1_exec_t;
+ init_daemon_domain($1_t, $1_exec_t)
++ domain_use_interactive_fds($1_t)
+
+ typeattribute $1_t likewise_domains;
+
+@@ -38,15 +53,18 @@ template(`likewise_domain_template',`
+
+ ####################################
+ #
+- # Policy
++ # Local Policy
+ #
+
+ allow $1_t self:process { signal_perms getsched setsched };
+ allow $1_t self:fifo_file rw_fifo_file_perms;
+- allow $1_t self:unix_stream_socket { accept listen };
++ allow $1_t self:unix_dgram_socket create_socket_perms;
++ allow $1_t self:unix_stream_socket create_stream_socket_perms;
allow $1_t self:tcp_socket create_stream_socket_perms;
allow $1_t self:udp_socket create_socket_perms;
-- allow $1_t likewise_var_lib_t:dir setattr;
+ allow $1_t likewise_var_lib_t:dir setattr_dir_perms;
-
++
manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
files_pid_filetrans($1_t, $1_var_run_t, file)
-@@ -82,7 +82,6 @@ template(`likewise_domain_template',`
- logging_send_syslog_msg($1_t)
+@@ -55,12 +73,15 @@ template(`likewise_domain_template',`
-- miscfiles_read_localization($1_t)
+ manage_sock_files_pattern($1_t, likewise_var_lib_t, $1_var_socket_t)
+ filetrans_pattern($1_t, likewise_var_lib_t, $1_var_socket_t, sock_file)
++
++ kernel_read_system_state($1_t)
++
++ logging_send_syslog_msg($1_t)
')
########################################
+ ## <summary>
+-## Connect to lsassd with a unix domain
+-## stream socket.
++## Connect to lsassd.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -76,59 +97,3 @@ interface(`likewise_stream_connect_lsassd',`
+ files_search_pids($1)
+ stream_connect_pattern($1, likewise_var_lib_t, lsassd_var_socket_t, lsassd_t)
+ ')
+-
+-########################################
+-## <summary>
+-## All of the rules required to
+-## administrate an likewise environment.
+-## </summary>
+-## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+-## </param>
+-## <param name="role">
+-## <summary>
+-## Role allowed access.
+-## </summary>
+-## </param>
+-## <rolecap/>
+-#
+-interface(`likewise_admin',`
+- gen_require(`
+- attribute likewise_domains;
+- type likewise_initrc_exec_t, likewise_etc_t, likewise_pstore_lock_t;
+- type likewise_krb5_ad_t, likewise_var_lib_t, eventlogd_var_socket_t;
+- type lsassd_var_socket_t, lwiod_var_socket_t, lwregd_var_socket_t;
+- type lwsmd_var_socket_t, lwsmd_var_lib_t, netlogond_var_socket_t;
+- type netlogond_var_lib_t, lsassd_var_lib_t, lwregd_var_lib_t;
+- type eventlogd_var_lib_t, dcerpcd_var_lib_t, lsassd_tmp_t;
+- type eventlogd_var_run_t, lsassd_var_run_t, lwiod_var_run_t;
+- type lwregd_var_run_t, netlogond_var_run_t, srvsvcd_var_run_t;
+- ')
+-
+- allow $1 likewise_domains:process { ptrace signal_perms };
+- ps_process_pattern($1, likewise_domains)
+-
+- init_labeled_script_domtrans($1, likewise_initrc_exec_t)
+- domain_system_change_exemption($1)
+- role_transition $2 likewise_initrc_exec_t system_r;
+- allow $2 system_r;
+-
+- files_list_etc($1)
+- admin_pattern($1, { likewise_etc_t likewise_pstore_lock_t likewise_krb5_ad_t })
+-
+- files_search_var_lib($1)
+- admin_pattern($1, { likewise_var_lib_t eventlogd_var_socket_t lsassd_var_socket_t })
+- admin_pattern($1, { lwiod_var_socket_t lwregd_var_socket_t lwsmd_var_socket_t })
+- admin_pattern($1, { lwsmd_var_lib_t netlogond_var_socket_t netlogond_var_lib_t })
+- admin_pattern($1, { lsassd_var_lib_t lwregd_var_lib_t eventlogd_var_lib_t })
+- admin_pattern($1, dcerpcd_var_lib_t)
+-
+- files_list_tmp($1)
+- admin_pattern($1, lsassd_tmp_t)
+-
+- files_list_pids($1)
+- admin_pattern($1, { eventlogd_var_run_t lsassd_var_run_t lwiod_var_run_t })
+- admin_pattern($1, { lwregd_var_run_t netlogond_var_run_t srvsvcd_var_run_t })
+-')
diff --git a/likewise.te b/likewise.te
-index 5ba6cc2..e3f65d6 100644
+index 408fbe3..e86ead6 100644
--- a/likewise.te
+++ b/likewise.te
-@@ -17,7 +17,7 @@ type likewise_var_lib_t;
+@@ -26,7 +26,7 @@ type likewise_var_lib_t;
files_type(likewise_var_lib_t)
type likewise_pstore_lock_t;
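Review bot: ldap.te drops `kerberos_manage_host_rcache(slapd_t)` but keeps the three `kerberos_tmp_filetrans_host_rcache(slapd_t, "...")` calls; a file transition without create/write on the rcache type leaves slapd unable to write its GSSAPI replay cache, unless Fedora's two-argument `kerberos_tmp_filetrans_host_rcache` grants that itself, which is worth checking against kerberos.if since the arity change also means the interface signature must match there. The same hunk removes the whole `likewise_admin` interface from likewise.if with no replacement visible, so any role module still calling it will fail to build until it is updated.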
@@ -30954,48 +30677,36 @@ index 5ba6cc2..e3f65d6 100644
type likewise_krb5_ad_t;
files_type(likewise_krb5_ad_t)
-@@ -49,7 +49,6 @@ likewise_domain_template(srvsvcd)
- stream_connect_pattern(dcerpcd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
-
- corenet_all_recvfrom_netlabel(dcerpcd_t)
--corenet_all_recvfrom_unlabeled(dcerpcd_t)
- corenet_sendrecv_generic_client_packets(dcerpcd_t)
- corenet_sendrecv_generic_server_packets(dcerpcd_t)
- corenet_tcp_sendrecv_generic_if(dcerpcd_t)
-@@ -73,7 +72,6 @@ stream_connect_pattern(eventlogd_t, likewise_var_lib_t, dcerpcd_var_socket_t, dc
- stream_connect_pattern(eventlogd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
-
- corenet_all_recvfrom_netlabel(eventlogd_t)
--corenet_all_recvfrom_unlabeled(eventlogd_t)
- corenet_sendrecv_generic_server_packets(eventlogd_t)
- corenet_tcp_sendrecv_generic_if(eventlogd_t)
- corenet_tcp_sendrecv_generic_node(eventlogd_t)
-@@ -116,7 +114,6 @@ corecmd_exec_bin(lsassd_t)
+@@ -41,20 +41,13 @@ files_tmp_file(lsassd_tmp_t)
+
+ allow likewise_domains likewise_var_lib_t:dir setattr_dir_perms;
+
+-kernel_read_system_state(likewise_domains)
+-
+ dev_read_rand(likewise_domains)
+ dev_read_urand(likewise_domains)
+
+ domain_use_interactive_fds(likewise_domains)
+
+-files_read_etc_files(likewise_domains)
+ files_search_var_lib(likewise_domains)
+
+-logging_send_syslog_msg(likewise_domains)
+-
+-miscfiles_read_localization(likewise_domains)
+-
+ #################################
+ #
+ # dcerpcd local policy
+@@ -126,7 +119,6 @@ corecmd_exec_bin(lsassd_t)
corecmd_exec_shell(lsassd_t)
corenet_all_recvfrom_netlabel(lsassd_t)
-corenet_all_recvfrom_unlabeled(lsassd_t)
corenet_tcp_sendrecv_generic_if(lsassd_t)
corenet_tcp_sendrecv_generic_node(lsassd_t)
- corenet_tcp_sendrecv_generic_port(lsassd_t)
-@@ -165,7 +162,6 @@ stream_connect_pattern(lwiod_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_
- stream_connect_pattern(lwiod_t, likewise_var_lib_t, lsassd_var_socket_t, lsassd_t)
-
- corenet_all_recvfrom_netlabel(lwiod_t)
--corenet_all_recvfrom_unlabeled(lwiod_t)
- corenet_sendrecv_smbd_server_packets(lwiod_t)
- corenet_sendrecv_smbd_client_packets(lwiod_t)
- corenet_tcp_sendrecv_generic_if(lwiod_t)
-@@ -205,7 +201,7 @@ stream_connect_pattern(lwsmd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_
- # Likewise DC location service local policy
- #
-
--allow netlogond_t self:capability {dac_override};
-+allow netlogond_t self:capability dac_override;
-
- manage_files_pattern(netlogond_t, likewise_etc_t, likewise_etc_t)
-@@ -226,7 +222,6 @@ stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, lwiod_var_socket_t, lwiod_
+@@ -242,7 +234,6 @@ stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, lwiod_var_socket_t, lwiod_
stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
corenet_all_recvfrom_netlabel(srvsvcd_t)
@@ -31003,23 +30714,11 @@ index 5ba6cc2..e3f65d6 100644
corenet_sendrecv_generic_server_packets(srvsvcd_t)
corenet_tcp_sendrecv_generic_if(srvsvcd_t)
corenet_tcp_sendrecv_generic_node(srvsvcd_t)
-diff --git a/lircd.fc b/lircd.fc
-index 49e04e5..69db026 100644
---- a/lircd.fc
-+++ b/lircd.fc
-@@ -2,6 +2,7 @@
-
- /etc/rc\.d/init\.d/lirc -- gen_context(system_u:object_r:lircd_initrc_exec_t,s0)
- /etc/lircd\.conf -- gen_context(system_u:object_r:lircd_etc_t,s0)
-+/etc/lirc(/.*)? gen_context(system_u:object_r:lircd_etc_t,s0)
-
- /usr/sbin/lircd -- gen_context(system_u:object_r:lircd_exec_t,s0)
-
diff --git a/lircd.if b/lircd.if
-index 418cc81..cdb2561 100644
+index dff21a7..b6981c8 100644
--- a/lircd.if
+++ b/lircd.if
-@@ -80,8 +80,11 @@ interface(`lircd_admin',`
+@@ -81,8 +81,11 @@ interface(`lircd_admin',`
type lircd_initrc_exec_t, lircd_etc_t;
')
@@ -31033,7 +30732,7 @@ index 418cc81..cdb2561 100644
init_labeled_script_domtrans($1, lircd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/lircd.te b/lircd.te
-index 6a78de1..57f0aa2 100644
+index 98b5405..b1d3cdf 100644
--- a/lircd.te
+++ b/lircd.te
@@ -13,7 +13,7 @@ type lircd_initrc_exec_t;
@@ -31045,38 +30744,7 @@ index 6a78de1..57f0aa2 100644
type lircd_var_run_t alias lircd_sock_t;
files_pid_file(lircd_var_run_t)
-@@ -24,6 +24,7 @@ files_pid_file(lircd_var_run_t)
- #
-
- allow lircd_t self:capability { chown kill sys_admin };
-+allow lircd_t self:process signal;
- allow lircd_t self:fifo_file rw_fifo_file_perms;
- allow lircd_t self:unix_dgram_socket create_socket_perms;
- allow lircd_t self:tcp_socket create_stream_socket_perms;
-@@ -38,27 +39,29 @@ files_pid_filetrans(lircd_t, lircd_var_run_t, { dir file })
- # /dev/lircd socket
- dev_filetrans(lircd_t, lircd_var_run_t, sock_file)
-
-+kernel_request_load_module(lircd_t)
-+
- corenet_tcp_sendrecv_generic_if(lircd_t)
- corenet_tcp_bind_generic_node(lircd_t)
- corenet_tcp_bind_lirc_port(lircd_t)
- corenet_tcp_sendrecv_all_ports(lircd_t)
- corenet_tcp_connect_lirc_port(lircd_t)
-
--dev_read_generic_usb_dev(lircd_t)
-+dev_rw_generic_usb_dev(lircd_t) # this needs to be reproduced. might not be right
- dev_read_mouse(lircd_t)
- dev_filetrans_lirc(lircd_t)
- dev_rw_lirc(lircd_t)
- dev_rw_input_dev(lircd_t)
-+dev_read_sysfs(lircd_t)
-
--files_read_etc_files(lircd_t)
-+files_read_config_files(lircd_t)
- files_list_var(lircd_t)
- files_manage_generic_locks(lircd_t)
+@@ -64,9 +64,8 @@ files_manage_generic_locks(lircd_t)
files_read_all_locks(lircd_t)
term_use_ptmx(lircd_t)
@@ -31088,10 +30756,10 @@ index 6a78de1..57f0aa2 100644
-
sysnet_dns_name_resolve(lircd_t)
diff --git a/livecd.if b/livecd.if
-index ae29d9f..fb7869e 100644
+index e354181..da499d4 100644
--- a/livecd.if
+++ b/livecd.if
-@@ -36,11 +36,39 @@ interface(`livecd_domtrans',`
+@@ -38,11 +38,39 @@ interface(`livecd_domtrans',`
#
interface(`livecd_run',`
gen_require(`
@@ -31134,10 +30802,10 @@ index ae29d9f..fb7869e 100644
########################################
diff --git a/livecd.te b/livecd.te
-index 008f718..2a9d6c0 100644
+index 33f64b5..09b5105 100644
--- a/livecd.te
+++ b/livecd.te
-@@ -5,13 +5,14 @@ policy_module(livecd, 1.2.0)
+@@ -5,13 +5,14 @@ policy_module(livecd, 1.2.1)
# Declarations
#
@@ -31156,7 +30824,7 @@ index 008f718..2a9d6c0 100644
type livecd_tmp_t;
files_tmp_file(livecd_tmp_t)
@@ -21,7 +22,7 @@ files_tmp_file(livecd_tmp_t)
- # livecd local policy
+ # Local policy
#
-dontaudit livecd_t self:capability2 mac_admin;
@@ -31164,334 +30832,87 @@ index 008f718..2a9d6c0 100644
domain_ptrace_all_domains(livecd_t)
-@@ -30,14 +31,5 @@ manage_files_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
- files_tmp_filetrans(livecd_t, livecd_tmp_t, { dir file })
-
+@@ -36,13 +37,5 @@ optional_policy(`
+ hal_dbus_chat(livecd_t)
+ ')
optional_policy(`
- mount_run(livecd_t, livecd_roles)
-+ unconfined_domain_noaudit(livecd_t)
- ')
--
--optional_policy(`
-- hal_dbus_chat(livecd_t)
-')
-
-optional_policy(`
-- unconfined_domain(livecd_t)
+- rpm_domtrans(livecd_t)
-')
-
-diff --git a/lldpad.fc b/lldpad.fc
-new file mode 100644
-index 0000000..83a4348
---- /dev/null
-+++ b/lldpad.fc
-@@ -0,0 +1,8 @@
-+
-+/etc/rc\.d/init\.d/lldpad -- gen_context(system_u:object_r:lldpad_initrc_exec_t,s0)
-+
-+/usr/sbin/lldpad -- gen_context(system_u:object_r:lldpad_exec_t,s0)
-+
-+/var/lib/lldpad(/.*)? gen_context(system_u:object_r:lldpad_var_lib_t,s0)
-+
-+/var/run/lldpad\.pid -- gen_context(system_u:object_r:lldpad_var_run_t,s0)
+-optional_policy(`
+ unconfined_domain_noaudit(livecd_t)
+ ')
diff --git a/lldpad.if b/lldpad.if
-new file mode 100644
-index 0000000..6550968
---- /dev/null
+index d18c960..fb5b674 100644
+--- a/lldpad.if
+++ b/lldpad.if
-@@ -0,0 +1,201 @@
-+
-+## <summary>policy for lldpad</summary>
-+
-+########################################
-+## <summary>
-+## Transition to lldpad.
+@@ -2,6 +2,25 @@
+
+ #######################################
+ ## <summary>
++## Transition to lldpad.
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain allowed to transition.
++## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`lldpad_domtrans',`
-+ gen_require(`
-+ type lldpad_t, lldpad_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, lldpad_exec_t, lldpad_t)
-+')
-+
-+
-+########################################
-+## <summary>
-+## Execute lldpad server in the lldpad domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`lldpad_initrc_domtrans',`
-+ gen_require(`
-+ type lldpad_initrc_exec_t;
-+ ')
-+
-+ init_labeled_script_domtrans($1, lldpad_initrc_exec_t)
-+')
-+
-+
-+########################################
-+## <summary>
-+## Search lldpad lib directories.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`lldpad_search_lib',`
-+ gen_require(`
-+ type lldpad_var_lib_t;
-+ ')
-+
-+ allow $1 lldpad_var_lib_t:dir search_dir_perms;
-+ files_search_var_lib($1)
-+')
-+
-+########################################
-+## <summary>
-+## Read lldpad lib files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`lldpad_read_lib_files',`
-+ gen_require(`
-+ type lldpad_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, lldpad_var_lib_t, lldpad_var_lib_t)
-+')
-+
-+########################################
-+## <summary>
-+## Manage lldpad lib files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`lldpad_manage_lib_files',`
-+ gen_require(`
-+ type lldpad_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_files_pattern($1, lldpad_var_lib_t, lldpad_var_lib_t)
-+')
-+
-+########################################
-+## <summary>
-+## Manage lldpad lib directories.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`lldpad_manage_lib_dirs',`
-+ gen_require(`
-+ type lldpad_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_dirs_pattern($1, lldpad_var_lib_t, lldpad_var_lib_t)
-+')
-+
-+
-+########################################
-+## <summary>
-+## Read lldpad PID files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`lldpad_read_pid_files',`
-+ gen_require(`
-+ type lldpad_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ allow $1 lldpad_var_run_t:file read_file_perms;
-+')
-+
-+#####################################
-+## <summary>
-+## Send to a lldpad unix dgram socket.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`lldpad_dgram_send',`
-+ gen_require(`
-+ type lldpad_t;
-+ ')
++ gen_require(`
++ type lldpad_t, lldpad_exec_t;
++ ')
+
-+ allow $1 lldpad_t:unix_dgram_socket sendto;
-+ allow lldpad_t $1:unix_dgram_socket sendto;
++ corecmd_search_bin($1)
++ domtrans_pattern($1, lldpad_exec_t, lldpad_t)
+')
+
-+########################################
++#######################################
+## <summary>
-+## All of the rules required to administrate
-+## an lldpad environment
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <param name="role">
-+## <summary>
-+## Role allowed access.
-+## </summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`lldpad_admin',`
-+ gen_require(`
-+ type lldpad_t;
-+ type lldpad_initrc_exec_t;
-+ type lldpad_var_lib_t;
-+ type lldpad_var_run_t;
-+ ')
-+
-+ allow $1 lldpad_t:process signal_perms;
-+ ps_process_pattern($1, lldpad_t)
+ ## Send to lldpad with a unix dgram socket.
+ ## </summary>
+ ## <param name="domain">
+@@ -42,9 +61,13 @@ interface(`lldpad_admin',`
+ type lldpad_var_run_t;
+ ')
+
+- allow $1 lldpad_t:process { ptrace signal_perms };
++ allow $1 lldpad_t:process { signal_perms };
+ ps_process_pattern($1, lldpad_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 lldpad_t:process ptrace;
+ ')
+
-+ lldpad_initrc_domtrans($1)
-+ domain_system_change_exemption($1)
-+ role_transition $2 lldpad_initrc_exec_t system_r;
-+ allow $2 system_r;
-+
-+ files_search_var_lib($1)
-+ admin_pattern($1, lldpad_var_lib_t)
-+
-+ files_search_pids($1)
-+ admin_pattern($1, lldpad_var_run_t)
-+
-+')
-+
+ init_labeled_script_domtrans($1, lldpad_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 lldpad_initrc_exec_t system_r;
diff --git a/lldpad.te b/lldpad.te
-new file mode 100644
-index 0000000..c38f564
---- /dev/null
+index 648def0..0b6281d 100644
+--- a/lldpad.te
+++ b/lldpad.te
-@@ -0,0 +1,70 @@
-+policy_module(lldpad, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type lldpad_t;
-+type lldpad_exec_t;
-+init_daemon_domain(lldpad_t, lldpad_exec_t)
-+
-+type lldpad_initrc_exec_t;
-+init_script_file(lldpad_initrc_exec_t)
-+
-+type lldpad_tmpfs_t;
-+files_tmpfs_file(lldpad_tmpfs_t)
-+
-+type lldpad_var_lib_t;
-+files_type(lldpad_var_lib_t)
-+
-+type lldpad_var_run_t;
-+files_pid_file(lldpad_var_run_t)
-+
-+########################################
-+#
-+# lldpad local policy
-+#
-+
-+allow lldpad_t self:capability { net_admin net_raw };
-+ifdef(`hide_broken_symptoms',`
-+ # caused by some bogus kernel code
-+ dontaudit lldpad_t self:capability sys_module;
-+')
-+
-+allow lldpad_t self:shm create_shm_perms;
-+allow lldpad_t self:fifo_file rw_fifo_file_perms;
-+
-+allow lldpad_t self:unix_stream_socket create_stream_socket_perms;
-+allow lldpad_t self:netlink_route_socket create_netlink_socket_perms;
-+allow lldpad_t self:packet_socket create_socket_perms;
-+allow lldpad_t self:udp_socket create_socket_perms;
-+
-+manage_files_pattern(lldpad_t,lldpad_tmpfs_t,lldpad_tmpfs_t)
-+fs_tmpfs_filetrans(lldpad_t,lldpad_tmpfs_t,file)
-+
-+manage_dirs_pattern(lldpad_t, lldpad_var_lib_t, lldpad_var_lib_t)
-+manage_files_pattern(lldpad_t, lldpad_var_lib_t, lldpad_var_lib_t)
-+
-+manage_dirs_pattern(lldpad_t, lldpad_var_run_t, lldpad_var_run_t)
-+manage_files_pattern(lldpad_t, lldpad_var_run_t, lldpad_var_run_t)
-+manage_sock_files_pattern(lldpad_t, lldpad_var_run_t, lldpad_var_run_t)
-+# this needs to be fixed in lldpad package
-+# bug: #
-+files_pid_filetrans(lldpad_t, lldpad_var_run_t, { dir file sock_file })
-+
-+kernel_read_all_sysctls(lldpad_t)
-+kernel_read_network_state(lldpad_t)
-+kernel_request_load_module(lldpad_t)
-+
-+dev_read_sysfs(lldpad_t)
-+
-+files_read_etc_files(lldpad_t)
-+
-+logging_send_syslog_msg(lldpad_t)
-+
+@@ -51,11 +51,9 @@ kernel_request_load_module(lldpad_t)
+
+ dev_read_sysfs(lldpad_t)
+
+-files_read_etc_files(lldpad_t)
+-
+ logging_send_syslog_msg(lldpad_t)
+
+-miscfiles_read_localization(lldpad_t)
+userdom_dgram_send(lldpad_t)
-+
-+optional_policy(`
-+ fcoemon_dgram_send(lldpad_t)
-+')
-diff --git a/loadkeys.fc b/loadkeys.fc
-index 8549f9f..68be454 100644
---- a/loadkeys.fc
-+++ b/loadkeys.fc
-@@ -1,3 +1,3 @@
--/bin/loadkeys -- gen_context(system_u:object_r:loadkeys_exec_t,s0)
--/bin/unikeys -- gen_context(system_u:object_r:loadkeys_exec_t,s0)
-+/usr/bin/loadkeys -- gen_context(system_u:object_r:loadkeys_exec_t,s0)
-+/usr/bin/unikeys -- gen_context(system_u:object_r:loadkeys_exec_t,s0)
+ optional_policy(`
+ fcoe_dgram_send_fcoemon(lldpad_t)
diff --git a/loadkeys.te b/loadkeys.te
-index 2523758..96308b5 100644
+index 6cbb977..fa49534 100644
--- a/loadkeys.te
+++ b/loadkeys.te
-@@ -31,14 +31,15 @@ files_read_etc_runtime_files(loadkeys_t)
+@@ -31,14 +31,14 @@ files_read_etc_runtime_files(loadkeys_t)
term_dontaudit_use_console(loadkeys_t)
term_use_unallocated_ttys(loadkeys_t)
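Review bot: The braces in `allow $1 lldpad_t:process { signal_perms };` in lldpad_admin wrap a single permission macro and are not needed; the lpd_role change in this same commit writes the equivalent rule as `allow $2 lpr_t:process signal_perms;`, so `allow $1 lldpad_t:process signal_perms;` keeps the two consistent. Moving `ptrace` under `tunable_policy(\`deny_ptrace',\`',\`` matches the lpd_role hunk and is the right default for an admin interface. In lldpad.te the patch now deletes upstream's `files_read_etc_files(lldpad_t)` and `miscfiles_read_localization(lldpad_t)`; presumably those reads are granted by a base interface after the merge, but if not, lldpad_t loses /etc and locale access, which is worth checking for AVC denials. The lldpad_admin body and the livecd.te optional_policy blocks continue outside this hunk.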
@@ -31503,99 +30924,241 @@ index 2523758..96308b5 100644
locallogin_use_fds(loadkeys_t)
-miscfiles_read_localization(loadkeys_t)
-
+-
-userdom_use_user_ttys(loadkeys_t)
+userdom_use_inherited_user_ttys(loadkeys_t)
userdom_list_user_home_content(loadkeys_t)
ifdef(`hide_broken_symptoms',`
-@@ -46,5 +47,9 @@ ifdef(`hide_broken_symptoms',`
- ')
-
- optional_policy(`
-+ keyboardd_read_pipes(loadkeys_t)
-+')
-+
-+optional_policy(`
- nscd_dontaudit_search_pid(loadkeys_t)
- ')
diff --git a/lockdev.te b/lockdev.te
-index 572b5db..1e55f43 100644
+index db87831..30bfb76 100644
--- a/lockdev.te
+++ b/lockdev.te
-@@ -34,4 +34,5 @@ fs_getattr_xattr_fs(lockdev_t)
+@@ -36,4 +36,5 @@ fs_getattr_xattr_fs(lockdev_t)
logging_send_syslog_msg(lockdev_t)
-userdom_use_user_terminals(lockdev_t)
+userdom_use_inherited_user_terminals(lockdev_t)
+
+diff --git a/logrotate.fc b/logrotate.fc
+index a11d5be..36c8de7 100644
+--- a/logrotate.fc
++++ b/logrotate.fc
+@@ -1,6 +1,9 @@
+-/etc/cron\.(daily|weekly)/sysklogd -- gen_context(system_u:object_r:logrotate_exec_t,s0)
++/etc/cron\.(daily|weekly)/sysklogd -- gen_context(system_u:object_r:logrotate_exec_t,s0)
+
+ /usr/sbin/logrotate -- gen_context(system_u:object_r:logrotate_exec_t,s0)
+
++ifdef(`distro_debian', `
+ /var/lib/logrotate(/.*)? gen_context(system_u:object_r:logrotate_var_lib_t,s0)
+-/var/lib/logrotate\.status -- gen_context(system_u:object_r:logrotate_var_lib_t,s0)
++', `
++/var/lib/logrotate\.status -- gen_context(system_u:object_r:logrotate_var_lib_t,s0)
++')
+diff --git a/logrotate.if b/logrotate.if
+index dd8e01a..9cd6b0b 100644
+--- a/logrotate.if
++++ b/logrotate.if
+@@ -1,4 +1,4 @@
+-## <summary>Rotates, compresses, removes and mails system log files.</summary>
++## <summary>Rotate and archive system logs</summary>
+
+ ########################################
+ ## <summary>
+@@ -21,9 +21,8 @@ interface(`logrotate_domtrans',`
+
+ ########################################
+ ## <summary>
+-## Execute logrotate in the logrotate
+-## domain, and allow the specified
+-## role the logrotate domain.
++## Execute logrotate in the logrotate domain, and
++## allow the specified role the logrotate domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -39,11 +38,11 @@ interface(`logrotate_domtrans',`
+ #
+ interface(`logrotate_run',`
+ gen_require(`
+- attribute_role logrotate_roles;
++ type logrotate_t;
+ ')
+
+ logrotate_domtrans($1)
+- roleattribute $2 logrotate_roles;
++ role $2 types logrotate_t;
+ ')
+
+ ########################################
+@@ -85,8 +84,7 @@ interface(`logrotate_use_fds',`
+
+ ########################################
+ ## <summary>
+-## Do not audit attempts to inherit
+-## logrotate file descriptors.
++## Do not audit attempts to inherit logrotate file descriptors.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -104,7 +102,7 @@ interface(`logrotate_dontaudit_use_fds',`
+
+ ########################################
+ ## <summary>
+-## Read logrotate temporary files.
++## Read a logrotate temporary files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
diff --git a/logrotate.te b/logrotate.te
-index 7090dae..8a2583b 100644
+index 7bab8e5..8a2583b 100644
--- a/logrotate.te
+++ b/logrotate.te
-@@ -29,9 +29,8 @@ files_type(logrotate_var_lib_t)
+@@ -1,20 +1,18 @@
+-policy_module(logrotate, 1.14.5)
++policy_module(logrotate, 1.14.0)
+
+ ########################################
+ #
+ # Declarations
#
- # Change ownership on log files.
--allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice };
--# for mailx
--dontaudit logrotate_t self:capability { setuid setgid sys_ptrace };
-+allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice sys_ptrace };
-+dontaudit logrotate_t self:capability sys_resource;
+-attribute_role logrotate_roles;
+-roleattribute system_r logrotate_roles;
+-
+ type logrotate_t;
+-type logrotate_exec_t;
+ domain_type(logrotate_t)
+ domain_obj_id_change_exemption(logrotate_t)
+ domain_system_change_exemption(logrotate_t)
++role system_r types logrotate_t;
++
++type logrotate_exec_t;
+ domain_entry_file(logrotate_t, logrotate_exec_t)
+-role logrotate_roles types logrotate_t;
- allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ type logrotate_lock_t;
+ files_lock_file(logrotate_lock_t)
+@@ -25,21 +23,27 @@ files_tmp_file(logrotate_tmp_t)
+ type logrotate_var_lib_t;
+ files_type(logrotate_var_lib_t)
-@@ -39,6 +38,7 @@ allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimi
- allow logrotate_t self:process setfscreate;
+-mta_base_mail_template(logrotate)
+-role system_r types logrotate_mail_t;
+-
+ ########################################
+ #
+ # Local policy
+ #
+-allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice };
+-allow logrotate_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap };
++# Change ownership on log files.
++allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice sys_ptrace };
++dontaudit logrotate_t self:capability sys_resource;
++
++allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
++
++# Set a context other than the default one for newly created files.
++allow logrotate_t self:process setfscreate;
++
allow logrotate_t self:fd use;
-+allow logrotate_t self:key manage_key_perms;
+ allow logrotate_t self:key manage_key_perms;
allow logrotate_t self:fifo_file rw_fifo_file_perms;
- allow logrotate_t self:unix_dgram_socket create_socket_perms;
- allow logrotate_t self:unix_stream_socket create_stream_socket_perms;
-@@ -61,6 +61,7 @@ files_tmp_filetrans(logrotate_t, logrotate_tmp_t, { file dir })
- # for /var/lib/logrotate.status and /var/lib/logcheck
++allow logrotate_t self:unix_dgram_socket create_socket_perms;
++allow logrotate_t self:unix_stream_socket create_stream_socket_perms;
+ allow logrotate_t self:unix_dgram_socket sendto;
+-allow logrotate_t self:unix_stream_socket { accept connectto listen };
++allow logrotate_t self:unix_stream_socket connectto;
+ allow logrotate_t self:shm create_shm_perms;
+ allow logrotate_t self:sem create_sem_perms;
+ allow logrotate_t self:msgq create_msgq_perms;
+@@ -48,29 +52,47 @@ allow logrotate_t self:msg { send receive };
+ allow logrotate_t logrotate_lock_t:file manage_file_perms;
+ files_lock_filetrans(logrotate_t, logrotate_lock_t, file)
+
++can_exec(logrotate_t, logrotate_tmp_t)
++
+ manage_dirs_pattern(logrotate_t, logrotate_tmp_t, logrotate_tmp_t)
+ manage_files_pattern(logrotate_t, logrotate_tmp_t, logrotate_tmp_t)
+ files_tmp_filetrans(logrotate_t, logrotate_tmp_t, { file dir })
+
++# for /var/lib/logrotate.status and /var/lib/logcheck
create_dirs_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
manage_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
-+read_lnk_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
+ read_lnk_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
files_var_lib_filetrans(logrotate_t, logrotate_var_lib_t, file)
+-can_exec(logrotate_t, logrotate_tmp_t)
+-
kernel_read_system_state(logrotate_t)
-@@ -75,6 +76,7 @@ fs_list_inotifyfs(logrotate_t)
- mls_file_read_all_levels(logrotate_t)
- mls_file_write_all_levels(logrotate_t)
- mls_file_upgrade(logrotate_t)
-+mls_process_write_to_clearance(logrotate_t)
+ kernel_read_kernel_sysctls(logrotate_t)
- selinux_get_fs_mount(logrotate_t)
- selinux_get_enforce_mode(logrotate_t)
-@@ -85,6 +87,7 @@ auth_use_nsswitch(logrotate_t)
- # Run helper programs.
++dev_read_urand(logrotate_t)
++
++fs_search_auto_mountpoints(logrotate_t)
++fs_getattr_xattr_fs(logrotate_t)
++fs_list_inotifyfs(logrotate_t)
++
++mls_file_read_all_levels(logrotate_t)
++mls_file_write_all_levels(logrotate_t)
++mls_file_upgrade(logrotate_t)
++mls_process_write_to_clearance(logrotate_t)
++
++selinux_get_fs_mount(logrotate_t)
++selinux_get_enforce_mode(logrotate_t)
++
++auth_manage_login_records(logrotate_t)
++auth_use_nsswitch(logrotate_t)
++
++# Run helper programs.
corecmd_exec_bin(logrotate_t)
corecmd_exec_shell(logrotate_t)
-+corecmd_getattr_all_executables(logrotate_t)
+ corecmd_getattr_all_executables(logrotate_t)
+-dev_read_urand(logrotate_t)
+-
domain_signal_all_domains(logrotate_t)
domain_use_interactive_fds(logrotate_t)
-@@ -93,7 +96,6 @@ domain_getattr_all_entry_files(logrotate_t)
+ domain_getattr_all_entry_files(logrotate_t)
++# Read /proc/PID directories for all domains.
domain_read_all_domains_state(logrotate_t)
files_read_usr_files(logrotate_t)
--files_read_etc_files(logrotate_t)
- files_read_etc_runtime_files(logrotate_t)
+@@ -78,49 +100,44 @@ files_read_etc_runtime_files(logrotate_t)
files_read_all_pids(logrotate_t)
files_search_all(logrotate_t)
-@@ -102,6 +104,7 @@ files_read_var_lib_files(logrotate_t)
+ files_read_var_lib_files(logrotate_t)
++# Write to /var/spool/slrnpull - should be moved into its own type.
files_manage_generic_spool(logrotate_t)
files_manage_generic_spool_dirs(logrotate_t)
files_getattr_generic_locks(logrotate_t)
-+files_dontaudit_list_mnt(logrotate_t)
+ files_dontaudit_list_mnt(logrotate_t)
- # cjp: why is this needed?
+-fs_search_auto_mountpoints(logrotate_t)
+-fs_getattr_xattr_fs(logrotate_t)
+-fs_list_inotifyfs(logrotate_t)
+-
+-mls_file_read_all_levels(logrotate_t)
+-mls_file_write_all_levels(logrotate_t)
+-mls_file_upgrade(logrotate_t)
+-mls_process_write_to_clearance(logrotate_t)
+-
+-selinux_get_fs_mount(logrotate_t)
+-selinux_get_enforce_mode(logrotate_t)
+-
+-auth_manage_login_records(logrotate_t)
+-auth_use_nsswitch(logrotate_t)
+-
++# cjp: why is this needed?
init_domtrans_script(logrotate_t)
-@@ -112,21 +115,21 @@ logging_send_audit_msgs(logrotate_t)
- # cjp: why is this needed?
+
+ logging_manage_all_logs(logrotate_t)
+ logging_send_syslog_msg(logrotate_t)
+ logging_send_audit_msgs(logrotate_t)
++# cjp: why is this needed?
logging_exec_all_logs(logrotate_t)
-miscfiles_read_localization(logrotate_t)
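Review bot: `dontaudit logrotate_t self:capability sys_resource;` directly follows an allow rule whose set already contains `sys_resource`, so this dontaudit can never apply; either drop it or name the capability that is actually being denied. The capability set the patch installs now adds `setuid setgid sys_ptrace` over upstream's, yet the comment above it still reads `# Change ownership on log files.`; a comment along the lines of `# chown for log files; setuid/setgid and sys_ptrace needed by the helper programs logrotate runs` would keep the next merge honest about why the domain was widened. The patch also rewrites `policy_module(logrotate, 1.14.5)` to `policy_module(logrotate, 1.14.0)`, i.e. below upstream's version; if that is deliberate distro versioning, a one-line comment in the patch would prevent it being "fixed" on the next mass merge. The logrotate.te local-policy section continues past the end of this hunk.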
@@ -31612,94 +31175,71 @@ index 7090dae..8a2583b 100644
+userdom_use_inherited_user_terminals(logrotate_t)
userdom_list_user_home_dirs(logrotate_t)
userdom_use_unpriv_users_fds(logrotate_t)
--
--cron_system_entry(logrotate_t, logrotate_exec_t)
--cron_search_spool(logrotate_t)
--
--mta_send_mail(logrotate_t)
+userdom_list_admin_dir(logrotate_t)
+userdom_dontaudit_getattr_user_home_content(logrotate_t)
- ifdef(`distro_debian', `
-- allow logrotate_t logrotate_tmp_t:file { relabelfrom relabelto };
-+ allow logrotate_t logrotate_tmp_t:file relabel_file_perms;
- # for savelog
+-mta_sendmail_domtrans(logrotate_t, logrotate_mail_t)
+-
+-ifdef(`distro_debian',`
++ifdef(`distro_debian', `
+ allow logrotate_t logrotate_tmp_t:file relabel_file_perms;
++ # for savelog
can_exec(logrotate_t, logrotate_exec_t)
-@@ -138,7 +141,7 @@ ifdef(`distro_debian', `
- ')
-
- optional_policy(`
-- abrt_cache_manage(logrotate_t)
-+ abrt_manage_cache(logrotate_t)
+- logging_check_exec_syslog(logrotate_t)
++ # for syslogd-listfiles
+ logging_read_syslog_config(logrotate_t)
++
++ # for "test -x /sbin/syslogd"
++ logging_check_exec_syslog(logrotate_t)
')
optional_policy(`
-@@ -154,6 +157,10 @@ optional_policy(`
+@@ -140,11 +157,11 @@ optional_policy(`
')
optional_policy(`
+- asterisk_domtrans(logrotate_t)
+ awstats_domtrans(logrotate_t)
-+')
-+
-+optional_policy(`
- asterisk_domtrans(logrotate_t)
- ')
-
-@@ -162,10 +169,20 @@ optional_policy(`
')
optional_policy(`
-+ callweaver_exec(logrotate_t)
-+ callweaver_stream_connect(logrotate_t)
-+')
-+
-+optional_policy(`
- consoletype_exec(logrotate_t)
+- awstats_domtrans(logrotate_t)
++ asterisk_domtrans(logrotate_t)
')
optional_policy(`
-+ cron_system_entry(logrotate_t, logrotate_exec_t)
-+ cron_search_spool(logrotate_t)
-+')
-+
-+optional_policy(`
- cups_domtrans(logrotate_t)
- ')
-
-@@ -178,6 +195,10 @@ optional_policy(`
+@@ -178,7 +195,7 @@ optional_policy(`
')
optional_policy(`
+- chronyd_read_key_files(logrotate_t)
+ chronyd_read_keys(logrotate_t)
-+')
-+
-+optional_policy(`
- icecast_signal(logrotate_t)
')
-@@ -194,15 +215,19 @@ optional_policy(`
+ optional_policy(`
+@@ -198,17 +215,14 @@ optional_policy(`
')
optional_policy(`
+ mysql_read_home_content(logrotate_t)
mysql_read_config(logrotate_t)
- mysql_search_db(logrotate_t)
++ mysql_search_db(logrotate_t)
mysql_stream_connect(logrotate_t)
')
optional_policy(`
-- psad_domtrans(logrotate_t)
+- openvswitch_read_pid_files(logrotate_t)
+- openvswitch_domtrans(logrotate_t)
+-')
+-
+-optional_policy(`
+- polipo_log_filetrans_log(logrotate_t, file, "polipo")
+ polipo_named_filetrans_log_files(logrotate_t)
')
-+optional_policy(`
-+ psad_domtrans(logrotate_t)
-+')
-
optional_policy(`
- samba_exec_log(logrotate_t)
-@@ -217,6 +242,11 @@ optional_policy(`
+@@ -228,10 +242,16 @@ optional_policy(`
')
optional_policy(`
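Review bot: The patch now removes upstream's openvswitch block (`openvswitch_read_pid_files(logrotate_t)` and `openvswitch_domtrans(logrotate_t)`) with no replacement visible in this hunk, so logrotate loses the transition it needs to rotate openvswitch logs unless those interfaces were renamed and are granted elsewhere; if they were renamed, the new names belong here, as was done for `chronyd_read_keys` and `polipo_named_filetrans_log_files`. The `asterisk_domtrans`/`awstats_domtrans` swap only reorders two optional_policy blocks and reads as an artifact of the merge rather than a change. The enclosing optional_policy sequence continues outside the hunk.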
@@ -31711,98 +31251,58 @@ index 7090dae..8a2583b 100644
squid_domtrans(logrotate_t)
')
-@@ -228,3 +258,14 @@ optional_policy(`
optional_policy(`
- varnishd_manage_log(logrotate_t)
++ #Red Hat bug 564565
+ su_exec(logrotate_t)
')
-+
-+#######################################
-+#
+
+@@ -241,13 +261,11 @@ optional_policy(`
+
+ #######################################
+ #
+-# Mail local policy
+# logrotate_mail local policy
-+#
-+
+ #
+
+-allow logrotate_mail_t logrotate_t:fd use;
+-allow logrotate_mail_t logrotate_t:fifo_file rw_fifo_file_perms;
+-allow logrotate_mail_t logrotate_t:process sigchld;
+-
+-manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
+-
+mta_base_mail_template(logrotate)
+mta_sendmail_domtrans(logrotate_t, logrotate_mail_t)
+role system_r types logrotate_mail_t;
-+logging_read_all_logs(logrotate_mail_t)
+ logging_read_all_logs(logrotate_mail_t)
+manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
-diff --git a/logwatch.fc b/logwatch.fc
-index 3c7b1e8..1e155f5 100644
---- a/logwatch.fc
-+++ b/logwatch.fc
-@@ -1,7 +1,11 @@
- /usr/sbin/logcheck -- gen_context(system_u:object_r:logwatch_exec_t,s0)
-+/usr/sbin/epylog -- gen_context(system_u:object_r:logwatch_exec_t,s0)
-
- /usr/share/logwatch/scripts/logwatch\.pl -- gen_context(system_u:object_r:logwatch_exec_t, s0)
-
- /var/cache/logwatch(/.*)? gen_context(system_u:object_r:logwatch_cache_t, s0)
- /var/lib/logcheck(/.*)? gen_context(system_u:object_r:logwatch_cache_t,s0)
-+/var/lib/epylog(/.*)? gen_context(system_u:object_r:logwatch_cache_t,s0)
- /var/log/logcheck/.+ -- gen_context(system_u:object_r:logwatch_lock_t,s0)
-+
-+/var/run/epylog\.pid gen_context(system_u:object_r:logwatch_var_run_t,s0)
diff --git a/logwatch.te b/logwatch.te
-index 75ce30f..061b725 100644
+index 4256a4c..ba62d5b 100644
--- a/logwatch.te
+++ b/logwatch.te
-@@ -7,6 +7,7 @@ policy_module(logwatch, 1.11.0)
+@@ -7,7 +7,8 @@ policy_module(logwatch, 1.11.6)
type logwatch_t;
type logwatch_exec_t;
+-init_system_domain(logwatch_t, logwatch_exec_t)
+init_daemon_domain(logwatch_t, logwatch_exec_t)
- application_domain(logwatch_t, logwatch_exec_t)
- role system_r types logwatch_t;
-
-@@ -19,6 +20,12 @@ files_lock_file(logwatch_lock_t)
- type logwatch_tmp_t;
- files_tmp_file(logwatch_tmp_t)
-
-+type logwatch_var_run_t;
-+files_pid_file(logwatch_var_run_t)
-+
-+mta_base_mail_template(logwatch)
-+role system_r types logwatch_mail_t;
-+
- ########################################
- #
- # Local policy
-@@ -39,6 +46,9 @@ manage_dirs_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t)
- manage_files_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t)
- files_tmp_filetrans(logwatch_t, logwatch_tmp_t, { file dir })
++application_domain(logwatch_t, logwatch_exec_t)
-+allow logwatch_t logwatch_var_run_t:file manage_file_perms;
-+files_pid_filetrans(logwatch_t, logwatch_var_run_t, file)
-+
- kernel_read_fs_sysctls(logwatch_t)
- kernel_read_kernel_sysctls(logwatch_t)
- kernel_read_system_state(logwatch_t)
-@@ -56,8 +66,8 @@ domain_read_all_domains_state(logwatch_t)
-
- files_list_var(logwatch_t)
+ type logwatch_cache_t;
+ files_type(logwatch_cache_t)
+@@ -67,10 +68,12 @@ files_list_var(logwatch_t)
+ files_search_all(logwatch_t)
files_read_var_symlinks(logwatch_t)
--files_read_etc_files(logwatch_t)
files_read_etc_runtime_files(logwatch_t)
+files_read_system_conf_files(logwatch_t)
files_read_usr_files(logwatch_t)
- files_search_spool(logwatch_t)
- files_search_mnt(logwatch_t)
-@@ -67,9 +77,14 @@ files_dontaudit_search_boot(logwatch_t)
- files_dontaudit_search_all_dirs(logwatch_t)
+ fs_getattr_all_dirs(logwatch_t)
fs_getattr_all_fs(logwatch_t)
+fs_getattr_all_dirs(logwatch_t)
fs_dontaudit_list_auto_mountpoints(logwatch_t)
fs_list_inotifyfs(logwatch_t)
-+storage_dontaudit_getattr_fixed_disk_dev(logwatch_t)
-+
-+mls_file_read_to_clearance(logwatch_t)
-+
- term_dontaudit_getattr_pty_dirs(logwatch_t)
- term_dontaudit_list_ptys(logwatch_t)
-
-@@ -84,19 +99,19 @@ libs_read_lib_files(logwatch_t)
+@@ -92,17 +95,22 @@ libs_read_lib_files(logwatch_t)
logging_read_all_logs(logwatch_t)
logging_send_syslog_msg(logwatch_t)
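Review bot: The patch adds `fs_getattr_all_dirs(logwatch_t)` immediately after upstream's own `fs_getattr_all_dirs(logwatch_t)` context line, producing the same rule twice in the merged file; the added line should be dropped. logwatch_t is now declared with both `init_daemon_domain(logwatch_t, logwatch_exec_t)` and `application_domain(logwatch_t, logwatch_exec_t)`; if the second call is intentional a short comment saying what it provides beyond the first would stop it being removed as redundant later. The logwatch.te local policy continues outside this hunk.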
@@ -31810,82 +31310,99 @@ index 75ce30f..061b725 100644
-
selinux_dontaudit_getattr_dir(logwatch_t)
--sysnet_dns_name_resolve(logwatch_t)
sysnet_exec_ifconfig(logwatch_t)
userdom_dontaudit_search_user_home_dirs(logwatch_t)
+userdom_dontaudit_list_admin_dir(logwatch_t)
--mta_send_mail(logwatch_t)
-+#mta_send_mail(logwatch_t)
-+mta_sendmail_domtrans(logwatch_t, logwatch_mail_t)
+ mta_sendmail_domtrans(logwatch_t, logwatch_mail_t)
+ mta_getattr_spool(logwatch_t)
- ifdef(`distro_redhat',`
- files_search_all(logwatch_t)
++ifdef(`distro_redhat',`
++ files_search_all(logwatch_t)
+ files_getattr_all_files(logwatch_t)
- files_getattr_all_file_type_fs(logwatch_t)
++ files_getattr_all_file_type_fs(logwatch_t)
++')
++
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_list_nfs(logwatch_t)
')
+@@ -164,6 +172,8 @@ dev_read_sysfs(logwatch_mail_t)
+
+ logging_read_all_logs(logwatch_mail_t)
-@@ -145,3 +160,24 @@ optional_policy(`
- samba_read_log(logwatch_t)
- samba_read_share_files(logwatch_t)
- ')
-+
-+########################################
-+#
-+# Logwatch mail Local policy
-+#
-+
-+allow logwatch_mail_t self:capability { dac_read_search dac_override };
-+
-+manage_files_pattern(logwatch_mail_t, logwatch_tmp_t, logwatch_tmp_t)
-+
-+dev_read_rand(logwatch_mail_t)
-+dev_read_urand(logwatch_mail_t)
-+dev_read_sysfs(logwatch_mail_t)
-+
-+logging_read_all_logs(logwatch_mail_t)
-+
+mta_read_home(logwatch_mail_t)
+
-+optional_policy(`
-+ cron_use_system_job_fds(logwatch_mail_t)
-+')
+ optional_policy(`
+ cron_use_system_job_fds(logwatch_mail_t)
+ ')
diff --git a/lpd.fc b/lpd.fc
-index 5c9eb68..e4f3c24 100644
+index 2fb9b2e..08974e3 100644
--- a/lpd.fc
+++ b/lpd.fc
-@@ -24,7 +24,7 @@
+@@ -19,6 +19,7 @@
/usr/sbin/lpinfo -- gen_context(system_u:object_r:lpr_exec_t,s0)
/usr/sbin/lpmove -- gen_context(system_u:object_r:lpr_exec_t,s0)
--/usr/local/linuxprinter/bin/l?lpr -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/linuxprinter/bin/l?lpr -- gen_context(system_u:object_r:lpr_exec_t,s0)
+ /usr/local/linuxprinter/bin/l?lpr -- gen_context(system_u:object_r:lpr_exec_t,s0)
- /usr/share/printconf/.* -- gen_context(system_u:object_r:printconf_t,s0)
-
-@@ -35,3 +35,4 @@
- /var/spool/cups-pdf(/.*)? gen_context(system_u:object_r:print_spool_t,mls_systemhigh)
- /var/spool/lpd(/.*)? gen_context(system_u:object_r:print_spool_t,s0)
- /var/run/lprng(/.*)? gen_context(system_u:object_r:lpd_var_run_t,s0)
-+/var/spool/turboprint(/.*)? gen_context(system_u:object_r:lpd_var_run_t,mls_systemhigh)
+ /usr/share/printconf/.* -- gen_context(system_u:object_r:printconf_t,s0)
diff --git a/lpd.if b/lpd.if
-index a4f32f5..628b63c 100644
+index 6256371..628b63c 100644
--- a/lpd.if
+++ b/lpd.if
-@@ -14,6 +14,7 @@
- ## User domain for the role
+@@ -1,44 +1,37 @@
+-## <summary>Line printer daemon.</summary>
++## <summary>Line printer daemon</summary>
+
+ ########################################
+ ## <summary>
+-## Role access for lpd.
++## Role access for lpd
+ ## </summary>
+ ## <param name="role">
+ ## <summary>
+-## Role allowed access.
++## Role allowed access
+ ## </summary>
+ ## </param>
+ ## <param name="domain">
+ ## <summary>
+-## User domain for the role.
++## User domain for the role
## </summary>
## </param>
+## <rolecap/>
#
interface(`lpd_role',`
gen_require(`
-@@ -27,7 +28,10 @@ interface(`lpd_role',`
- dontaudit lpr_t $2:unix_stream_socket { read write };
+- attribute_role lpr_roles;
+- type lpr_t, lpr_exec_t;
++ type lpr_t, lpr_exec_t, print_spool_t;
+ ')
+
+- ########################################
+- #
+- # Declarations
+- #
+-
+- roleattribute $1 lpr_roles;
+-
+- ########################################
+- #
+- # Policy
+- #
++ role $1 types lpr_t;
++ # Transition from the user domain to the derived domain.
+ domtrans_pattern($2, lpr_exec_t, lpr_t)
++ dontaudit lpr_t $2:unix_stream_socket { read write };
+
+- allow $2 lpr_t:process { ptrace signal_perms };
ps_process_pattern($2, lpr_t)
-- allow $2 lpr_t:process signull;
+-
+- dontaudit lpr_t $2:unix_stream_socket { read write };
+ allow $2 lpr_t:process signal_perms;
+ tunable_policy(`deny_ptrace',`',`
+ allow $2 lpr_t:process ptrace;
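Review bot: The rewritten `gen_require` in lpd_role now lists `print_spool_t`, but no line visible in this hunk uses it; if the interface body past the hunk does not reference it, the require is unnecessary and should be trimmed back to `type lpr_t, lpr_exec_t;`. Replacing `roleattribute $1 lpr_roles;` with `role $1 types lpr_t;` mirrors the logrotate_run change earlier in this commit, so the two interfaces stay consistent. The `tunable_policy(\`deny_ptrace'` block and the rest of lpd_role run past the end of the hunk.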
@@ -31893,16 +31410,82 @@ index a4f32f5..628b63c 100644
optional_policy(`
cups_read_config($2)
-@@ -153,7 +157,7 @@ interface(`lpd_relabel_spool',`
+@@ -60,15 +53,13 @@ interface(`lpd_domtrans_checkpc',`
+ type checkpc_t, checkpc_exec_t;
')
- files_search_spool($1)
-- allow $1 print_spool_t:file { relabelto relabelfrom };
-+ allow $1 print_spool_t:file relabel_file_perms;
+- corecmd_search_bin($1)
+ domtrans_pattern($1, checkpc_exec_t, checkpc_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Execute amrecover in the lpd
+-## domain, and allow the specified
+-## role the lpd domain.
++## Execute amrecover in the lpd domain, and
++## allow the specified role the lpd domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -84,16 +75,16 @@ interface(`lpd_domtrans_checkpc',`
+ #
+ interface(`lpd_run_checkpc',`
+ gen_require(`
+- attribute_role checkpc_roles;
++ type checkpc_t;
+ ')
+
+ lpd_domtrans_checkpc($1)
+- roleattribute $2 checkpc_roles;
++ role $2 types checkpc_t;
')
########################################
-@@ -186,7 +190,7 @@ interface(`lpd_read_config',`
+ ## <summary>
+-## List printer spool directories.
++## List the contents of the printer spool directories.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -112,7 +103,7 @@ interface(`lpd_list_spool',`
+
+ ########################################
+ ## <summary>
+-## Read printer spool files.
++## Read the printer spool files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -131,8 +122,7 @@ interface(`lpd_read_spool',`
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete
+-## printer spool content.
++## Create, read, write, and delete printer spool files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -153,7 +143,7 @@ interface(`lpd_manage_spool',`
+
+ ########################################
+ ## <summary>
+-## Relabel spool files.
++## Relabel from and to the spool files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -172,7 +162,7 @@ interface(`lpd_relabel_spool',`
+
+ ########################################
+ ## <summary>
+-## Read printer configuration files.
++## List the contents of the printer spool directories.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -200,12 +190,11 @@ interface(`lpd_read_config',`
## </summary>
## </param>
#
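Review bot: The summary the patch now writes for lpd_read_config is wrong: under the inner `@@ -172,7 +162,7 @@ interface(`lpd_relabel_spool',`` hunk, `++## List the contents of the printer spool directories.` replaces upstream's "Read printer configuration files." with text copied from lpd_list_spool, and the next inner hunk header shows the interface that summary belongs to is lpd_read_config. Restoring `## Read printer configuration files.` (or dropping that inner hunk entirely) keeps the interface documentation accurate. Separately, the patch strips `corecmd_search_bin($1)` from lpd_domtrans_checkpc here and from lpd_domtrans_lpr and lpd_exec_lpr in the next hunk; that presumably relies on bin directory search being granted to every domain by the base policy, which is not visible here, so confirm every caller already has it, otherwise the domain transition fails on the directory search with nothing in the interface explaining why.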
@@ -31911,44 +31494,44 @@ index a4f32f5..628b63c 100644
gen_require(`
type lpr_t, lpr_exec_t;
')
-@@ -196,6 +200,32 @@ template(`lpd_domtrans_lpr',`
- ########################################
- ## <summary>
-+## Execute lpr in the lpr domain, and
-+## allow the specified role the lpr domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed to transition.
-+## </summary>
-+## </param>
-+## <param name="role">
-+## <summary>
-+## Role allowed access.
-+## </summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`lpd_run_lpr',`
-+ gen_require(`
+- corecmd_search_bin($1)
+ domtrans_pattern($1, lpr_exec_t, lpr_t)
+ ')
+
+@@ -228,16 +217,17 @@ template(`lpd_domtrans_lpr',`
+ #
+ interface(`lpd_run_lpr',`
+ gen_require(`
+- attribute_role lpr_roles;
+ type lpr_t;
-+ ')
-+
-+ lpd_domtrans_lpr($1)
+ ')
+
+ lpd_domtrans_lpr($1)
+- roleattribute $2 lpr_roles;
+ role $2 types lpr_t;
-+')
-+
-+########################################
-+## <summary>
- ## Allow the specified domain to execute lpr
- ## in the caller domain.
+ ')
+
+ ########################################
+ ## <summary>
+-## Execute lpr in the caller domain.
++## Allow the specified domain to execute lpr
++## in the caller domain.
## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -250,6 +240,5 @@ interface(`lpd_exec_lpr',`
+ type lpr_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+ can_exec($1, lpr_exec_t)
+ ')
diff --git a/lpd.te b/lpd.te
-index a03b63a..99e8d96 100644
+index b9270f7..0fd2f4c 100644
--- a/lpd.te
+++ b/lpd.te
-@@ -45,14 +45,14 @@ userdom_user_tmp_file(lpr_tmp_t)
+@@ -48,7 +48,7 @@ userdom_user_tmp_file(lpr_tmp_t)
type print_spool_t;
typealias print_spool_t alias { user_print_spool_t staff_print_spool_t sysadm_print_spool_t };
typealias print_spool_t alias { auditadm_print_spool_t secadm_print_spool_t };
@@ -31957,37 +31540,23 @@ index a03b63a..99e8d96 100644
ubac_constrained(print_spool_t)
type printer_t;
- files_type(printer_t)
-
- type printconf_t;
--files_type(printconf_t)
-+files_config_file(printconf_t)
-
- ########################################
- #
-@@ -78,12 +78,11 @@ rw_files_pattern(checkpc_t, print_spool_t, print_spool_t)
- delete_files_pattern(checkpc_t, print_spool_t, print_spool_t)
- files_search_spool(checkpc_t)
-
--allow checkpc_t printconf_t:file getattr;
-+allow checkpc_t printconf_t:file getattr_file_perms;
- allow checkpc_t printconf_t:dir list_dir_perms;
+@@ -81,7 +81,6 @@ allow checkpc_t printconf_t:dir list_dir_perms;
kernel_read_system_state(checkpc_t)
-corenet_all_recvfrom_unlabeled(checkpc_t)
corenet_all_recvfrom_netlabel(checkpc_t)
corenet_tcp_sendrecv_generic_if(checkpc_t)
- corenet_udp_sendrecv_generic_if(checkpc_t)
-@@ -102,7 +101,6 @@ corecmd_exec_bin(checkpc_t)
+ corenet_tcp_sendrecv_generic_node(checkpc_t)
+@@ -97,7 +96,6 @@ dev_append_printer(checkpc_t)
domain_use_interactive_fds(checkpc_t)
-files_read_etc_files(checkpc_t)
files_read_etc_runtime_files(checkpc_t)
-
- init_use_script_ptys(checkpc_t)
-@@ -111,7 +109,7 @@ init_use_fds(checkpc_t)
+ files_search_pids(checkpc_t)
+ files_search_spool(checkpc_t)
+@@ -107,7 +105,7 @@ init_use_fds(checkpc_t)
sysnet_read_config(checkpc_t)
@@ -31996,32 +31565,30 @@ index a03b63a..99e8d96 100644
optional_policy(`
cron_system_entry(checkpc_t, checkpc_exec_t)
-@@ -143,9 +141,10 @@ manage_dirs_pattern(lpd_t, lpd_tmp_t, lpd_tmp_t)
- manage_files_pattern(lpd_t, lpd_tmp_t, lpd_tmp_t)
- files_tmp_filetrans(lpd_t, lpd_tmp_t, { file dir })
-
-+manage_dirs_pattern(lpd_t, lpd_var_run_t, lpd_var_run_t)
- manage_files_pattern(lpd_t, lpd_var_run_t, lpd_var_run_t)
- manage_sock_files_pattern(lpd_t, lpd_var_run_t, lpd_var_run_t)
--files_pid_filetrans(lpd_t, lpd_var_run_t, file)
-+files_pid_filetrans(lpd_t, lpd_var_run_t, { dir file })
-
- # Write to /var/spool/lpd.
- manage_files_pattern(lpd_t, print_spool_t, print_spool_t)
-@@ -163,7 +162,6 @@ kernel_read_kernel_sysctls(lpd_t)
- # bash wants access to /proc/meminfo
+@@ -155,7 +153,6 @@ can_exec(lpd_t, printconf_t)
+ kernel_read_kernel_sysctls(lpd_t)
kernel_read_system_state(lpd_t)
-corenet_all_recvfrom_unlabeled(lpd_t)
corenet_all_recvfrom_netlabel(lpd_t)
corenet_tcp_sendrecv_generic_if(lpd_t)
- corenet_udp_sendrecv_generic_if(lpd_t)
-@@ -197,12 +195,10 @@ files_list_var_lib(lpd_t)
+ corenet_tcp_sendrecv_generic_node(lpd_t)
+@@ -174,14 +171,12 @@ dev_rw_printer(lpd_t)
+ domain_use_interactive_fds(lpd_t)
+
+ files_read_etc_runtime_files(lpd_t)
+-files_read_usr_files(lpd_t)
+ files_list_world_readable(lpd_t)
+ files_read_world_readable_files(lpd_t)
+ files_read_world_readable_symlinks(lpd_t)
+ files_list_var_lib(lpd_t)
files_read_var_lib_files(lpd_t)
files_read_var_lib_symlinks(lpd_t)
- # config files for lpd are of type etc_t, probably should change this
-files_read_etc_files(lpd_t)
+ files_search_spool(lpd_t)
+ fs_getattr_all_fs(lpd_t)
+@@ -190,7 +185,6 @@ fs_search_auto_mountpoints(lpd_t)
logging_send_syslog_msg(lpd_t)
miscfiles_read_fonts(lpd_t)
@@ -32029,35 +31596,26 @@ index a03b63a..99e8d96 100644
sysnet_read_config(lpd_t)
-@@ -236,9 +232,9 @@ can_exec(lpr_t, lpr_exec_t)
- # Allow lpd to read, rename, and unlink spool files.
- allow lpd_t print_spool_t:file { read_file_perms rename_file_perms delete_file_perms };
-
-+kernel_read_system_state(lpr_t)
+@@ -224,7 +218,6 @@ can_exec(lpr_t, lpr_exec_t)
+ kernel_read_crypto_sysctls(lpr_t)
kernel_read_kernel_sysctls(lpr_t)
-corenet_all_recvfrom_unlabeled(lpr_t)
corenet_all_recvfrom_netlabel(lpr_t)
corenet_tcp_sendrecv_generic_if(lpr_t)
- corenet_udp_sendrecv_generic_if(lpr_t)
-@@ -256,7 +252,6 @@ domain_use_interactive_fds(lpr_t)
-
- files_search_spool(lpr_t)
- # for lpd config files (should have a new type)
--files_read_etc_files(lpr_t)
- # for test print
- files_read_usr_files(lpr_t)
- #Added to cover read_content macro
-@@ -271,23 +266,25 @@ term_use_generic_ptys(lpr_t)
+ corenet_tcp_sendrecv_generic_node(lpr_t)
+@@ -249,23 +242,27 @@ term_use_generic_ptys(lpr_t)
auth_use_nsswitch(lpr_t)
+-logging_send_syslog_msg(lpr_t)
+-
+ miscfiles_read_fonts(lpr_t)
-miscfiles_read_localization(lpr_t)
-+miscfiles_read_fonts(lpr_t)
userdom_read_user_tmp_symlinks(lpr_t)
- # Write to the user domain tty.
-userdom_use_user_terminals(lpr_t)
++# Write to the user domain tty.
+userdom_use_inherited_user_terminals(lpr_t)
userdom_read_user_home_content_files(lpr_t)
userdom_read_user_tmp_files(lpr_t)
@@ -32065,23 +31623,24 @@ index a03b63a..99e8d96 100644
+userdom_stream_connect(lpr_t)
tunable_policy(`use_lpd_server',`
- # lpr can run in lightweight mode, without a local print spooler.
-- allow lpr_t lpd_var_run_t:dir search;
-- allow lpr_t lpd_var_run_t:sock_file write;
+- allow lpr_t lpd_t:process signal;
+-
+- write_sock_files_pattern(lpr_t, lpd_var_run_t, lpd_var_run_t)
++ # lpr can run in lightweight mode, without a local print spooler.
+ allow lpr_t lpd_var_run_t:dir search_dir_perms;
+ allow lpr_t lpd_var_run_t:sock_file write_sock_file_perms;
files_read_var_files(lpr_t)
- # Connect to lpd via a Unix domain socket.
-- allow lpr_t printer_t:sock_file rw_sock_file_perms;
-- allow lpr_t lpd_t:unix_stream_socket connectto;
++ # Connect to lpd via a Unix domain socket.
+ allow lpr_t printer_t:sock_file read_sock_file_perms;
-+ stream_connect_pattern(lpr_t, printer_t, printer_t, lpd_t)
- # Send SIGHUP to lpd.
- allow lpr_t lpd_t:process signal;
+ stream_connect_pattern(lpr_t, printer_t, printer_t, lpd_t)
++ # Send SIGHUP to lpd.
++ allow lpr_t lpd_t:process signal;
-@@ -305,17 +302,7 @@ tunable_policy(`use_lpd_server',`
- read_lnk_files_pattern(lpr_t, printconf_t, printconf_t)
+ manage_dirs_pattern(lpr_t, lpr_tmp_t, lpr_tmp_t)
+ manage_files_pattern(lpr_t, lpr_tmp_t, lpr_tmp_t)
+@@ -279,17 +276,7 @@ tunable_policy(`use_lpd_server',`
+ allow lpr_t printconf_t:lnk_file read_lnk_file_perms;
')
-tunable_policy(`use_nfs_home_dirs',`
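Review bot: `allow lpr_t printer_t:sock_file read_sock_file_perms;` inside the use_lpd_server tunable is an upstream line the patch now carries as context, and it grants read on the lpd socket inode, which connecting does not need; the `stream_connect_pattern(lpr_t, printer_t, printer_t, lpd_t)` line directly below already supplies write_sock_file_perms on printer_t and connectto on lpd_t. If no lpr code path actually reads that socket file, adding an inner removal of the read_sock_file_perms line (or narrowing it to `getattr_sock_file_perms`) keeps the client at what the connect requires. The enclosing tunable_policy block continues past the end of this hunk.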
@@ -32099,141 +31658,353 @@ index a03b63a..99e8d96 100644
optional_policy(`
cups_read_config(lpr_t)
-@@ -324,5 +311,13 @@ optional_policy(`
+@@ -298,5 +285,13 @@ optional_policy(`
')
optional_policy(`
+- gnome_stream_connect_all_gkeyringd(lpr_t)
+ gnome_stream_connect_gkeyringd(lpr_t)
+')
+
+optional_policy(`
- logging_send_syslog_msg(lpr_t)
- ')
++ logging_send_syslog_msg(lpr_t)
++')
+
+optional_policy(`
+ mozilla_plugin_dontaudit_rw_tmp_files(lpr_t)
-+')
-diff --git a/mailman.fc b/mailman.fc
-index 1083f98..c7daa85 100644
---- a/mailman.fc
-+++ b/mailman.fc
-@@ -1,11 +1,14 @@
--/usr/lib/mailman/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
--/usr/lib/mailman/cron/.* -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
-
--/var/lib/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0)
--/var/lib/mailman/archives(/.*)? gen_context(system_u:object_r:mailman_archive_t,s0)
--/var/lock/mailman(/.*)? gen_context(system_u:object_r:mailman_lock_t,s0)
--/var/log/mailman(/.*)? gen_context(system_u:object_r:mailman_log_t,s0)
--/var/run/mailman(/.*)? gen_context(system_u:object_r:mailman_lock_t,s0)
-+/usr/lib/mailman.*/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-+/usr/lib/mailman.*/bin/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-+/usr/lib/mailman.*/cron/.* -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
-+/usr/share/doc/mailman.*/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-+
-+/var/lib/mailman.* gen_context(system_u:object_r:mailman_data_t,s0)
-+/var/lib/mailman.*/archives(/.*)? gen_context(system_u:object_r:mailman_archive_t,s0)
-+/var/lock/mailman.* gen_context(system_u:object_r:mailman_lock_t,s0)
-+/var/log/mailman.* gen_context(system_u:object_r:mailman_log_t,s0)
-+/var/run/mailman.* gen_context(system_u:object_r:mailman_var_run_t,s0)
-
- #
- # distro_debian
-@@ -23,12 +26,12 @@ ifdef(`distro_debian', `
- # distro_redhat
- #
- ifdef(`distro_redhat', `
--/etc/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0)
-+/etc/mailman.* gen_context(system_u:object_r:mailman_data_t,s0)
-
--/usr/lib/mailman/bin/qrunner -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
--/usr/lib/mailman/cgi-bin/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
--/usr/lib/mailman/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
--/usr/lib/mailman/scripts/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-+/usr/lib/mailman.*/bin/qrunner -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
-+/usr/lib/mailman.*/cgi-bin/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
-+/usr/lib/mailman.*/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-+/usr/lib/mailman.*/scripts/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-
--/var/spool/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0)
-+/var/spool/mailman.* gen_context(system_u:object_r:mailman_data_t,s0)
')
diff --git a/mailman.if b/mailman.if
-index 67c7fdd..2f226de 100644
+index 108c0f1..d28241c 100644
--- a/mailman.if
+++ b/mailman.if
-@@ -54,7 +54,6 @@ template(`mailman_domain_template', `
- kernel_read_kernel_sysctls(mailman_$1_t)
- kernel_read_system_state(mailman_$1_t)
+@@ -1,44 +1,66 @@
+-## <summary>Manage electronic mail discussion and e-newsletter lists.</summary>
++## <summary>Mailman is for managing electronic mail discussion and e-newsletter lists</summary>
+
+ #######################################
+ ## <summary>
+-## The template to define a mailman domain.
++## The template to define a mailmain domain.
+ ## </summary>
+-## <param name="domain_prefix">
++## <desc>
++## <p>
++## This template creates a domain to be used for
++## a new mailman daemon.
++## </p>
++## </desc>
++## <param name="userdomain_prefix">
+ ## <summary>
+-## Domain prefix to be used.
++## The type of daemon to be used eg, cgi would give mailman_cgi_
+ ## </summary>
+ ## </param>
+ #
+-template(`mailman_domain_template',`
+- gen_require(`
+- attribute mailman_domain;
+- ')
++template(`mailman_domain_template', `
-- corenet_all_recvfrom_unlabeled(mailman_$1_t)
- corenet_all_recvfrom_netlabel(mailman_$1_t)
- corenet_tcp_sendrecv_generic_if(mailman_$1_t)
- corenet_udp_sendrecv_generic_if(mailman_$1_t)
-@@ -74,7 +73,7 @@ template(`mailman_domain_template', `
- corecmd_exec_all_executables(mailman_$1_t)
+- ########################################
+- #
+- # Declarations
+- #
++ ########################################
++ #
++ # Declarations
++ #
- files_exec_etc_files(mailman_$1_t)
-- files_list_usr(mailman_$1_t)
-+ files_read_usr_files(mailman_$1_t)
- files_list_var(mailman_$1_t)
- files_list_var_lib(mailman_$1_t)
- files_read_var_lib_symlinks(mailman_$1_t)
-@@ -87,7 +86,6 @@ template(`mailman_domain_template', `
+ type mailman_$1_t;
+- type mailman_$1_exec_t;
+ domain_type(mailman_$1_t)
++ type mailman_$1_exec_t;
+ domain_entry_file(mailman_$1_t, mailman_$1_exec_t)
+ role system_r types mailman_$1_t;
+
+ type mailman_$1_tmp_t;
+ files_tmp_file(mailman_$1_tmp_t)
+
+- ####################################
+- #
+- # Policy
+- #
++ ####################################
++ #
++ # Policy
++ #
- logging_send_syslog_msg(mailman_$1_t)
+ manage_dirs_pattern(mailman_$1_t, mailman_$1_tmp_t, mailman_$1_tmp_t)
+ manage_files_pattern(mailman_$1_t, mailman_$1_tmp_t, mailman_$1_tmp_t)
+ files_tmp_filetrans(mailman_$1_t, mailman_$1_tmp_t, { file dir })
-- miscfiles_read_localization(mailman_$1_t)
++ kernel_read_system_state(mailman_$1_t)
++
++ corenet_all_recvfrom_unlabeled(mailman_$1_t)
++ corenet_all_recvfrom_netlabel(mailman_$1_t)
++ corenet_tcp_sendrecv_generic_if(mailman_$1_t)
++ corenet_udp_sendrecv_generic_if(mailman_$1_t)
++ corenet_raw_sendrecv_generic_if(mailman_$1_t)
++ corenet_tcp_sendrecv_generic_node(mailman_$1_t)
++ corenet_udp_sendrecv_generic_node(mailman_$1_t)
++ corenet_raw_sendrecv_generic_node(mailman_$1_t)
++ corenet_tcp_sendrecv_all_ports(mailman_$1_t)
++ corenet_udp_sendrecv_all_ports(mailman_$1_t)
++ corenet_tcp_bind_generic_node(mailman_$1_t)
++ corenet_udp_bind_generic_node(mailman_$1_t)
++ corenet_tcp_connect_smtp_port(mailman_$1_t)
++ corenet_sendrecv_smtp_client_packets(mailman_$1_t)
++
+ auth_use_nsswitch(mailman_$1_t)
++
++ logging_send_syslog_msg(mailman_$1_t)
')
#######################################
-@@ -108,6 +106,31 @@ interface(`mailman_domtrans',`
+@@ -56,15 +78,12 @@ interface(`mailman_domtrans',`
+ type mailman_mail_exec_t, mailman_mail_t;
+ ')
+
+- libs_search_lib($1)
domtrans_pattern($1, mailman_mail_exec_t, mailman_mail_t)
')
-+########################################
-+## <summary>
+ ########################################
+ ## <summary>
+-## Execute the mailman program in the
+-## mailman domain and allow the
+-## specified role the mailman domain.
+## Execute the mailman program in the mailman domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed to transition.
-+## </summary>
-+## </param>
-+## <param name="role">
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -73,18 +92,18 @@ interface(`mailman_domtrans',`
+ ## </param>
+ ## <param name="role">
+ ## <summary>
+-## Role allowed access.
+## The role to allow the mailman domain.
-+## </summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`mailman_run',`
-+ gen_require(`
+ ## </summary>
+ ## </param>
+ ## <rolecap/>
+ #
+ interface(`mailman_run',`
+ gen_require(`
+- attribute_role mailman_roles;
+ type mailman_mail_t;
-+ ')
-+
-+ mailman_domtrans($1)
+ ')
+
+ mailman_domtrans($1)
+- roleattribute $2 mailman_roles;
+ role $2 types mailman_mail_t;
-+')
-+
+ ')
+
+ #######################################
+@@ -103,7 +122,6 @@ interface(`mailman_domtrans_cgi',`
+ type mailman_cgi_exec_t, mailman_cgi_t;
+ ')
+
+- libs_search_lib($1)
+ domtrans_pattern($1, mailman_cgi_exec_t, mailman_cgi_t)
+ ')
+
+@@ -122,13 +140,12 @@ interface(`mailman_exec',`
+ type mailman_mail_exec_t;
+ ')
+
+- libs_search_lib($1)
+ can_exec($1, mailman_mail_exec_t)
+ ')
+
+ #######################################
+ ## <summary>
+-## Send generic signals to mailman cgi.
++## Send generic signals to the mailman cgi domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -146,7 +163,7 @@ interface(`mailman_signal_cgi',`
+
+ #######################################
+ ## <summary>
+-## Search mailman data directories.
++## Allow domain to search data directories.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -159,13 +176,12 @@ interface(`mailman_search_data',`
+ type mailman_data_t;
+ ')
+
+- files_search_spool($1)
+ allow $1 mailman_data_t:dir search_dir_perms;
+ ')
+
+ #######################################
+ ## <summary>
+-## Read mailman data content.
++## Allow domain to to read mailman data files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -178,7 +194,6 @@ interface(`mailman_read_data_files',`
+ type mailman_data_t;
+ ')
+
+- files_search_spool($1)
+ list_dirs_pattern($1, mailman_data_t, mailman_data_t)
+ read_files_pattern($1, mailman_data_t, mailman_data_t)
+ read_lnk_files_pattern($1, mailman_data_t, mailman_data_t)
+@@ -186,8 +201,8 @@ interface(`mailman_read_data_files',`
+
+ #######################################
+ ## <summary>
+-## Create, read, write, and delete
+-## mailman data files.
++## Allow domain to to create mailman data files
++## and write the directory.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -200,14 +215,13 @@ interface(`mailman_manage_data_files',`
+ type mailman_data_t;
+ ')
+
+- files_search_spool($1)
+ manage_dirs_pattern($1, mailman_data_t, mailman_data_t)
+ manage_files_pattern($1, mailman_data_t, mailman_data_t)
+ ')
+
+ #######################################
+ ## <summary>
+-## List mailman data directories.
++## List the contents of mailman data directories.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -220,13 +234,12 @@ interface(`mailman_list_data',`
+ type mailman_data_t;
+ ')
+
+- files_search_spool($1)
+ allow $1 mailman_data_t:dir list_dir_perms;
+ ')
+
+ #######################################
+ ## <summary>
+-## Read mailman data symbolic links.
++## Allow read acces to mailman data symbolic links.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -244,7 +257,7 @@ interface(`mailman_read_data_symlinks',`
+
+ #######################################
+ ## <summary>
+-## Read mailman log files.
++## Read mailman logs.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -257,13 +270,12 @@ interface(`mailman_read_log',`
+ type mailman_log_t;
+ ')
+
+- logging_search_logs($1)
+ read_files_pattern($1, mailman_log_t, mailman_log_t)
+ ')
+
+ #######################################
+ ## <summary>
+-## Append mailman log files.
++## Append to mailman logs.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -276,14 +288,13 @@ interface(`mailman_append_log',`
+ type mailman_log_t;
+ ')
+
+- logging_search_logs($1)
+ append_files_pattern($1, mailman_log_t, mailman_log_t)
+ ')
+
+ #######################################
+ ## <summary>
+ ## Create, read, write, and delete
+-## mailman log content.
++## mailman logs.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -296,14 +307,13 @@ interface(`mailman_manage_log',`
+ type mailman_log_t;
+ ')
+
+- logging_search_logs($1)
+ manage_files_pattern($1, mailman_log_t, mailman_log_t)
+ manage_lnk_files_pattern($1, mailman_log_t, mailman_log_t)
+ ')
+
+ #######################################
+ ## <summary>
+-## Read mailman archive content.
++## Allow domain to read mailman archive files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -316,7 +326,6 @@ interface(`mailman_read_archive',`
+ type mailman_archive_t;
+ ')
+
+- files_search_var_lib($1)
+ allow $1 mailman_archive_t:dir list_dir_perms;
+ read_files_pattern($1, mailman_archive_t, mailman_archive_t)
+ read_lnk_files_pattern($1, mailman_archive_t, mailman_archive_t)
+@@ -324,8 +333,7 @@ interface(`mailman_read_archive',`
+
#######################################
## <summary>
- ## Execute mailman CGI scripts in the
+-## Execute mailman_queue in the
+-## mailman_queue domain.
++## Execute mailman_queue in the mailman_queue domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -338,6 +346,5 @@ interface(`mailman_domtrans_queue',`
+ type mailman_queue_exec_t, mailman_queue_t;
+ ')
+
+- libs_search_lib($1)
+ domtrans_pattern($1, mailman_queue_exec_t, mailman_queue_t)
+ ')
diff --git a/mailman.te b/mailman.te
-index 22265f0..da52800 100644
+index 8eaf51b..256819c 100644
--- a/mailman.te
+++ b/mailman.te
-@@ -19,6 +19,9 @@ logging_log_file(mailman_log_t)
- type mailman_lock_t;
- files_lock_file(mailman_lock_t)
+@@ -56,10 +56,7 @@ setattr_files_pattern(mailman_domain, mailman_log_t, mailman_log_t)
+ logging_log_filetrans(mailman_domain, mailman_log_t, file)
-+type mailman_var_run_t;
-+files_pid_file(mailman_var_run_t)
-+
- mailman_domain_template(mail)
- init_daemon_domain(mailman_mail_t, mailman_mail_exec_t)
+ kernel_read_kernel_sysctls(mailman_domain)
+-kernel_read_system_state(mailman_domain)
+
+-corenet_all_recvfrom_unlabeled(mailman_domain)
+-corenet_all_recvfrom_netlabel(mailman_domain)
+ corenet_tcp_sendrecv_generic_if(mailman_domain)
+ corenet_tcp_sendrecv_generic_node(mailman_domain)
-@@ -54,6 +57,9 @@ optional_policy(`
+@@ -82,10 +79,6 @@ fs_getattr_all_fs(mailman_domain)
+ libs_exec_ld_so(mailman_domain)
+ libs_exec_lib_files(mailman_domain)
+
+-logging_send_syslog_msg(mailman_domain)
+-
+-miscfiles_read_localization(mailman_domain)
+-
+ ########################################
+ #
+ # CGI local policy
+@@ -104,6 +97,9 @@ optional_policy(`
apache_search_sys_script_state(mailman_cgi_t)
apache_read_config(mailman_cgi_t)
apache_dontaudit_rw_stream_sockets(mailman_cgi_t)
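Review bot: The rewritten mailman_domain_template grants every mailman_$1_t domain `corenet_tcp_sendrecv_all_ports`, `corenet_udp_sendrecv_all_ports`, `corenet_tcp_bind_generic_node` and `corenet_udp_bind_generic_node`, so the CGI, mail and queue domains all receive blanket port access and the ability to bind sockets, while the per-domain rules in mailman.te only reach for smtp, innd and spamd as a client. If only one of the three domains needs to listen or talk to arbitrary ports, those four lines belong in that domain's section of mailman.te rather than in the shared template, and the reason deserves a comment either way. The documentation the patch writes into mailman.if also regresses on spelling: `++## The template to define a mailmain domain.` should read "mailman", `++## Allow domain to to create mailman data files` doubles "to", and `++## Allow read acces to mailman data symbolic links.` drops an "s". The parameter is further renamed to `userdomain_prefix` although the template creates daemon domains, not user domains, so keeping upstream's `domain_prefix` name would be clearer.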
@@ -32242,34 +32013,38 @@ index 22265f0..da52800 100644
+
')
- ########################################
-@@ -62,13 +68,23 @@ optional_policy(`
+ optional_policy(`
+@@ -115,8 +111,9 @@ optional_policy(`
+ # Mail local policy
#
- allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
--allow mailman_mail_t self:process { signal signull };
-allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_tty_config };
-+allow mailman_mail_t self:process { setsched signal signull };
+-allow mailman_mail_t self:process { signal signull };
+allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_nice sys_tty_config };
++allow mailman_mail_t self:process { setsched signal signull };
++allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
- manage_dirs_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)
- manage_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)
- manage_lnk_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)
+ manage_files_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)
+ manage_dirs_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)
+@@ -126,10 +123,17 @@ corenet_sendrecv_innd_client_packets(mailman_mail_t)
+ corenet_tcp_connect_innd_port(mailman_mail_t)
+ corenet_tcp_sendrecv_innd_port(mailman_mail_t)
+manage_files_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)
+manage_dirs_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)
+files_pid_filetrans(mailman_mail_t, mailman_var_run_t, { file dir })
+
-+# make NNTP gateway working
+ corenet_sendrecv_spamd_client_packets(mailman_mail_t)
+ corenet_tcp_connect_spamd_port(mailman_mail_t)
+ corenet_tcp_sendrecv_spamd_port(mailman_mail_t)
+
+corenet_tcp_connect_innd_port(mailman_mail_t)
+corenet_tcp_connect_spamd_port(mailman_mail_t)
+
-+dev_read_urand(mailman_mail_t)
-+
- files_search_spool(mailman_mail_t)
+ dev_read_urand(mailman_mail_t)
fs_rw_anon_inodefs_files(mailman_mail_t)
-@@ -81,11 +97,16 @@ optional_policy(`
+@@ -142,6 +146,10 @@ optional_policy(`
')
optional_policy(`
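Review bot: The patch still adds `manage_files_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)`, the matching manage_dirs_pattern and files_pid_filetrans lines, and `corenet_tcp_connect_innd_port(mailman_mail_t)` / `corenet_tcp_connect_spamd_port(mailman_mail_t)`, although the refreshed context lines show upstream now carries each of those rules already (the pid-file pair directly above, the innd and spamd connects in the preceding context); the same duplication appears for `corenet_tcp_connect_innd_port(mailman_queue_t)` in the next hunk. Duplicate allow rules and an identical type_transition compile cleanly, so this is harmless today, but dropping the redundant inner `+` lines shrinks the patch and avoids a conflict the next time the upstream lines move.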
@@ -32280,239 +32055,133 @@ index 22265f0..da52800 100644
cron_read_pipes(mailman_mail_t)
')
- optional_policy(`
- postfix_search_spool(mailman_mail_t)
-+ postfix_rw_master_pipes(mailman_mail_t)
- ')
-
- ########################################
-@@ -94,7 +115,7 @@ optional_policy(`
- #
-
- allow mailman_queue_t self:capability { setgid setuid };
--allow mailman_queue_t self:process signal;
-+allow mailman_queue_t self:process { setsched signal_perms };
- allow mailman_queue_t self:fifo_file rw_fifo_file_perms;
- allow mailman_queue_t self:unix_dgram_socket create_socket_perms;
-
-@@ -104,13 +125,12 @@ manage_lnk_files_pattern(mailman_queue_t, mailman_archive_t, mailman_archive_t)
-
- kernel_read_proc_symlinks(mailman_queue_t)
+@@ -163,6 +171,8 @@ corenet_sendrecv_innd_client_packets(mailman_queue_t)
+ corenet_tcp_connect_innd_port(mailman_queue_t)
+ corenet_tcp_sendrecv_innd_port(mailman_queue_t)
+corenet_tcp_connect_innd_port(mailman_queue_t)
+
auth_domtrans_chk_passwd(mailman_queue_t)
files_dontaudit_search_pids(mailman_queue_t)
-
--# for su
--seutil_dontaudit_search_config(mailman_queue_t)
--
- # some of the following could probably be changed to dontaudit, someone who
- # knows mailman well should test this out and send the changes
- userdom_search_user_home_dirs(mailman_queue_t)
-@@ -125,4 +145,4 @@ optional_policy(`
-
- optional_policy(`
- su_exec(mailman_queue_t)
--')
-\ No newline at end of file
-+')
-diff --git a/mailscanner.fc b/mailscanner.fc
-new file mode 100644
-index 0000000..827e22e
---- /dev/null
-+++ b/mailscanner.fc
-@@ -0,0 +1,11 @@
-+/etc/MailScanner(/.*)? gen_context(system_u:object_r:mscan_etc_t,s0)
-+
-+/etc/rc\.d/init\.d/MailScanner -- gen_context(system_u:object_r:mscan_initrc_exec_t,s0)
-+
-+/etc/sysconfig/MailScanner -- gen_context(system_u:object_r:mscan_etc_t,s0)
-+
-+/etc/sysconfig/update_spamassassin -- gen_context(system_u:object_r:mscan_etc_t,s0)
-+
-+/usr/sbin/MailScanner -- gen_context(system_u:object_r:mscan_exec_t,s0)
-+
-+/var/run/MailScanner\.pid -- gen_context(system_u:object_r:mscan_var_run_t,s0)
diff --git a/mailscanner.if b/mailscanner.if
-new file mode 100644
-index 0000000..bd1d48e
---- /dev/null
+index 0293f34..bd1d48e 100644
+--- a/mailscanner.if
+++ b/mailscanner.if
-@@ -0,0 +1,61 @@
-+## <summary>E-mail security and anti-spam package for e-mail gateway systems.</summary>
-+
-+########################################
-+## <summary>
+@@ -2,29 +2,27 @@
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete
+-## mscan spool content.
+## Execute a domain transition to run
+## MailScanner.
-+## </summary>
-+## <param name="domain">
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
+## Domain allowed to transition.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+ #
+-interface(`mscan_manage_spool_content',`
+interface(`mailscanner_initrc_domtrans',`
-+ gen_require(`
+ gen_require(`
+- type mscan_spool_t;
+ type mscan_initrc_exec_t;
-+ ')
-+
+ ')
+
+- files_search_spool($1)
+- manage_dirs_pattern($1, mscan_spool_t, mscan_spool_t)
+- manage_files_pattern($1, mscan_spool_t, mscan_spool_t)
+ init_labeled_script_domtrans($1, mscan_initrc_exec_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## All of the rules required to
+-## administrate an mscan environment
+## All of the rules required to administrate
+## an mailscanner environment.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <param name="role">
-+## <summary>
-+## Role allowed access.
-+## </summary>
-+## </param>
-+## <rolecap/>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -38,26 +36,26 @@ interface(`mscan_manage_spool_content',`
+ ## </param>
+ ## <rolecap/>
+ #
+-interface(`mscan_admin',`
+interface(`mailscanner_admin',`
-+ gen_require(`
+ gen_require(`
+- type mscan_t, mscan_etc_t, mscan_initrc_exec_t;
+- type mscan_var_run_t, mscan_spool_t;
+ type mscan_t, mscan_var_run_t, mscan_etc_t;
+ type mscan_initrc_exec_t;
-+ ')
-+
+ ')
+
+- allow $1 mscan_t:process { ptrace signal_perms };
+- ps_process_pattern($1, mscan_t)
+-
+- init_labeled_script_domtrans($1, mscan_initrc_exec_t)
+ mailscanner_initrc_domtrans($1)
-+ domain_system_change_exemption($1)
-+ role_transition $2 mscan_initrc_exec_t system_r;
-+ allow $2 system_r;
-+
+ domain_system_change_exemption($1)
+ role_transition $2 mscan_initrc_exec_t system_r;
+ allow $2 system_r;
+
+- files_search_etc($1)
+ allow $1 mscan_t:process signal_perms;
+ ps_process_pattern($1, mscan_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 mscan_t:process ptrace;
+ ')
+
-+ admin_pattern($1, mscan_etc_t)
+ admin_pattern($1, mscan_etc_t)
+ files_list_etc($1)
-+
-+ admin_pattern($1, mscan_var_run_t)
+
+- files_search_pids($1
+ admin_pattern($1, mscan_var_run_t)
+-
+- files_search_spool($1)
+- admin_pattern($1, mscan_spool_t)
+ files_list_pids($1)
-+')
+ ')
diff --git a/mailscanner.te b/mailscanner.te
-new file mode 100644
-index 0000000..d2f7a62
---- /dev/null
+index 725ba32..38269ae 100644
+--- a/mailscanner.te
+++ b/mailscanner.te
-@@ -0,0 +1,86 @@
-+policy_module(mailscanner, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type mscan_t;
-+type mscan_exec_t;
-+init_daemon_domain(mscan_t, mscan_exec_t)
-+
-+type mscan_initrc_exec_t;
-+init_script_file(mscan_initrc_exec_t)
-+
-+type mscan_etc_t;
-+files_config_file(mscan_etc_t)
-+
-+type mscan_tmp_t;
-+files_tmp_file(mscan_tmp_t)
-+
-+type mscan_var_run_t;
-+files_pid_file(mscan_var_run_t)
-+
-+########################################
-+#
-+# Local policy
-+#
-+
-+allow mscan_t self:capability { setuid chown setgid dac_override };
-+allow mscan_t self:process signal;
-+allow mscan_t self:fifo_file rw_fifo_file_perms;
-+
-+read_files_pattern(mscan_t, mscan_etc_t, mscan_etc_t)
+@@ -34,6 +34,7 @@ allow mscan_t self:process signal;
+ allow mscan_t self:fifo_file rw_fifo_file_perms;
+
+ read_files_pattern(mscan_t, mscan_etc_t, mscan_etc_t)
+list_dirs_pattern(mscan_t, mscan_etc_t, mscan_etc_t)
-+
-+manage_files_pattern(mscan_t, mscan_var_run_t, mscan_var_run_t)
-+files_pid_filetrans(mscan_t, mscan_var_run_t, file)
-+
-+manage_dirs_pattern(mscan_t, mscan_tmp_t, mscan_tmp_t)
-+manage_files_pattern(mscan_t, mscan_tmp_t, mscan_tmp_t)
-+files_tmp_filetrans(mscan_t, mscan_tmp_t, { dir file })
-+
-+can_exec(mscan_t, mscan_exec_t)
-+
-+kernel_read_system_state(mscan_t)
-+
-+corecmd_exec_bin(mscan_t)
-+corecmd_exec_shell(mscan_t)
-+
-+corenet_tcp_connect_fprot_port(mscan_t)
-+corenet_tcp_sendrecv_fprot_port(mscan_t)
-+corenet_sendrecv_fprot_client_packets(mscan_t)
-+corenet_udp_bind_generic_node(mscan_t)
-+corenet_udp_bind_generic_port(mscan_t)
-+corenet_udp_sendrecv_all_ports(mscan_t)
-+corenet_sendrecv_generic_server_packets(mscan_t)
-+
-+dev_read_urand(mscan_t)
-+
-+files_read_usr_files(mscan_t)
-+
-+fs_getattr_xattr_fs(mscan_t)
-+
-+auth_dontaudit_read_shadow(mscan_t)
-+auth_use_nsswitch(mscan_t)
-+
-+logging_send_syslog_msg(mscan_t)
-+
-+optional_policy(`
-+ clamav_domtrans_clamscan(mscan_t)
+
+ manage_files_pattern(mscan_t, mscan_var_run_t, mscan_var_run_t)
+ files_pid_filetrans(mscan_t, mscan_var_run_t, file)
+@@ -81,10 +82,9 @@ auth_use_nsswitch(mscan_t)
+
+ logging_send_syslog_msg(mscan_t)
+
+-miscfiles_read_localization(mscan_t)
+-
+ optional_policy(`
+ clamav_domtrans_clamscan(mscan_t)
+ clamav_manage_clamd_pid(mscan_t)
-+')
-+
-+optional_policy(`
-+ mta_send_mail(mscan_t)
-+ mta_manage_queue(mscan_t)
-+')
-+
-+optional_policy(`
-+ procmail_domtrans(mscan_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+@@ -97,5 +97,6 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+ spamassassin_read_home_client(mscan_t)
-+ spamassassin_read_lib_files(mscan_t)
-+')
-diff --git a/man2html.fc b/man2html.fc
-new file mode 100644
-index 0000000..2907017
---- /dev/null
-+++ b/man2html.fc
-@@ -0,0 +1,5 @@
-+/usr/lib/man2html/cgi-bin/man/man2html -- gen_context(system_u:object_r:httpd_man2html_script_exec_t,s0)
-+/usr/lib/man2html/cgi-bin/man/mansec -- gen_context(system_u:object_r:httpd_man2html_script_exec_t,s0)
-+/usr/lib/man2html/cgi-bin/man/manwhatis -- gen_context(system_u:object_r:httpd_man2html_script_exec_t,s0)
-+
-+/var/cache/man2html(/.*)? gen_context(system_u:object_r:httpd_man2html_script_cache_t,s0)
+ spamassassin_read_lib_files(mscan_t)
+ ')
diff --git a/man2html.if b/man2html.if
-new file mode 100644
-index 0000000..050157a
---- /dev/null
+index 54ec04d..fe43dea 100644
+--- a/man2html.if
+++ b/man2html.if
-@@ -0,0 +1,127 @@
-+
-+## <summary>policy for httpd_man2html_script</summary>
+@@ -1 +1,127 @@
+ ## <summary>A Unix manpage-to-HTML converter.</summary>
+
+########################################
+## <summary>
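Review bot: Replacing upstream's `mscan_admin` with `mailscanner_admin` and `mscan_manage_spool_content` with `mailscanner_initrc_domtrans` removes two public interface names from mailscanner.if, so any module that still calls `mscan_admin()` or `mscan_manage_spool_content()` will fail to build; unless every caller in the tree is updated alongside this patch, keeping upstream's names (or providing them as thin wrappers around the renamed interfaces) is the safer choice. The summary written for mailscanner_initrc_domtrans, `## Execute a domain transition to run MailScanner.`, also overstates what the interface does: its body only calls init_labeled_script_domtrans on mscan_initrc_exec_t, so "Execute the MailScanner init script in the init script domain." describes it accurately. Minor wording: `## an mailscanner environment.` should read "a MailScanner environment".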
@@ -32633,36 +32302,42 @@ index 0000000..050157a
+
+ files_search_var($1)
+ admin_pattern($1, httpd_man2html_script_cache_t)
++
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/man2html.te b/man2html.te
-new file mode 100644
-index 0000000..29b79eb
---- /dev/null
+index e08c55d..9e634bd 100644
+--- a/man2html.te
+++ b/man2html.te
-@@ -0,0 +1,30 @@
-+policy_module(man2html, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type httpd_man2html_script_cache_t;
-+files_type(httpd_man2html_script_cache_t)
-+
-+########################################
-+#
+@@ -5,22 +5,24 @@ policy_module(man2html, 1.0.0)
+ # Declarations
+ #
+
+-apache_content_template(man2html)
+
+ type httpd_man2html_script_cache_t;
+ files_type(httpd_man2html_script_cache_t)
+
+ ########################################
+ #
+-# Local policy
+# httpd_man2html_script local policy
-+#
-+
+ #
+
+-manage_dirs_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
+-manage_files_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
+-manage_lnk_files_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
+-files_var_filetrans(httpd_man2html_script_t, httpd_man2html_script_cache_t, dir)
+optional_policy(`
-+
+
+-files_read_etc_files(httpd_man2html_script_t)
+ apache_content_template(man2html)
-+
+
+-miscfiles_read_localization(httpd_man2html_script_t)
+-miscfiles_read_man_pages(httpd_man2html_script_t)
+ allow httpd_man2html_script_t self:process { fork };
+
+ manage_dirs_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
@@ -32670,56 +32345,57 @@ index 0000000..29b79eb
+ manage_lnk_files_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
+ files_var_filetrans(httpd_man2html_script_t, httpd_man2html_script_cache_t, { dir file })
+
-+ domain_use_interactive_fds(httpd_man2html_script_t)
-+
-+ files_read_etc_files(httpd_man2html_script_t)
+')
diff --git a/mandb.fc b/mandb.fc
-new file mode 100644
-index 0000000..75b9968
---- /dev/null
+index 2de0f64..03f96e3 100644
+--- a/mandb.fc
+++ b/mandb.fc
-@@ -0,0 +1,3 @@
+@@ -1 +1,5 @@
+ /etc/cron.daily/man-db\.cron -- gen_context(system_u:object_r:mandb_exec_t,s0)
++
+/usr/bin/mandb -- gen_context(system_u:object_r:mandb_exec_t,s0)
+
+/var/cache/man(/.*)? gen_context(system_u:object_r:mandb_cache_t,s0)
diff --git a/mandb.if b/mandb.if
-new file mode 100644
-index 0000000..4a4e899
---- /dev/null
+index 327f3f7..65bfa15 100644
+--- a/mandb.if
+++ b/mandb.if
-@@ -0,0 +1,187 @@
+@@ -1,14 +1,14 @@
+-## <summary>On-line manual database.</summary>
+
+## <summary>policy for mandb</summary>
-+
-+########################################
-+## <summary>
+
+ ########################################
+ ## <summary>
+-## Execute the mandb program in
+-## the mandb domain.
+## Transition to mandb.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
+## <summary>
-+## Domain allowed to transition.
+ ## Domain allowed to transition.
+-## </summary>
+## </summary>
-+## </param>
-+#
-+interface(`mandb_domtrans',`
-+ gen_require(`
-+ type mandb_t, mandb_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, mandb_exec_t, mandb_t)
-+')
-+
-+########################################
-+## <summary>
+ ## </param>
+ #
+ interface(`mandb_domtrans',`
+@@ -22,33 +22,45 @@ interface(`mandb_domtrans',`
+
+ ########################################
+ ## <summary>
+-## Execute mandb in the mandb
+-## domain, and allow the specified
+-## role the mandb domain.
+## Search mandb cache directories.
-+## </summary>
-+## <param name="domain">
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed to transition.
+## Domain allowed access.
-+## </summary>
-+## </param>
+ ## </summary>
+ ## </param>
+-## <param name="role">
+#
+interface(`mandb_search_cache',`
+ gen_require(`
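Review bot: The `files_var_filetrans(httpd_man2html_script_t, httpd_man2html_script_cache_t, { dir file })` on the new side of man2html.te is an unnamed transition, so any directory or file the CGI domain creates directly in a var_t directory is labelled httpd_man2html_script_cache_t, not only the /var/cache/man2html tree that the fc entry covers. If this contrib tree's files_var_filetrans accepts the optional filename argument, `files_var_filetrans(httpd_man2html_script_t, httpd_man2html_script_cache_t, dir, "man2html")` keeps the transition tied to the cache directory and drops the unneeded `file` class. The same unnamed form appears later in this commit in mandb.te as `files_var_filetrans(mandb_t, mandb_cache_t, { dir file lnk_file })`, where the fc entry is /var/cache/man. The optional_policy block holding the man2html rule opens in the previous hunk.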
@@ -32735,30 +32411,38 @@ index 0000000..4a4e899
+## Read mandb cache files.
+## </summary>
+## <param name="domain">
-+## <summary>
+ ## <summary>
+-## Role allowed access.
+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+ #
+-interface(`mandb_run',`
+interface(`mandb_read_cache_files',`
-+ gen_require(`
+ gen_require(`
+- attribute_role mandb_roles;
+ type mandb_cache_t;
-+ ')
-+
+ ')
+
+- lightsquid_domtrans($1)
+- roleattribute $2 mandb_roles;
+ files_search_var($1)
+ read_files_pattern($1, mandb_cache_t, mandb_cache_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Search mandb cache directories.
+## Relabel mandb cache files/directories
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -56,13 +68,18 @@ interface(`mandb_run',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`mandb_search_cache',`
+- refpolicywarn(`$0($*) has been deprecated')
+interface(`mandb_relabel_cache',`
+ gen_require(`
+ type mandb_cache_t;
@@ -32766,18 +32450,21 @@ index 0000000..4a4e899
+
+ allow $1 mandb_cache_t:dir relabel_dir_perms;
+ allow $1 mandb_cache_t:file relabel_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Delete mandb cache content.
+## Set attributes on mandb cache files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -70,13 +87,18 @@ interface(`mandb_search_cache',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`mandb_delete_cache_content',`
+- refpolicywarn(`$0($*) has been deprecated')
+interface(`mandb_setattr_cache_dirs',`
+ gen_require(`
+ type mandb_cache_t;
@@ -32785,18 +32472,21 @@ index 0000000..4a4e899
+
+ files_search_var($1)
+ allow $1 mandb_cache_t:dir setattr;
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Read mandb cache content.
+## Delete mandb cache files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -84,8 +106,16 @@ interface(`mandb_delete_cache_content',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`mandb_read_cache_content',`
+- refpolicywarn(`$0($*) has been deprecated')
+interface(`mandb_delete_cache',`
+ gen_require(`
+ type mandb_cache_t;
@@ -32807,19 +32497,15 @@ index 0000000..4a4e899
+ delete_dirs_pattern($1, mandb_cache_t, mandb_cache_t)
+ delete_files_pattern($1, mandb_cache_t, mandb_cache_t)
+ delete_lnk_files_pattern($1, mandb_cache_t, mandb_cache_t)
-+')
-+
-+########################################
-+## <summary>
-+## Create, read, write, and delete
-+## mandb cache files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ')
+
+ ########################################
+@@ -99,37 +129,60 @@ interface(`mandb_read_cache_content',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`mandb_manage_cache_content',`
+- refpolicywarn(`$0($*) has been deprecated')
+interface(`mandb_manage_cache_files',`
+ gen_require(`
+ type mandb_cache_t;
@@ -32827,17 +32513,20 @@ index 0000000..4a4e899
+
+ files_search_var($1)
+ manage_files_pattern($1, mandb_cache_t, mandb_cache_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## All of the rules required to
+-## administrate an mandb environment.
+## Manage mandb cache dirs.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <param name="role">
+#
+interface(`mandb_manage_cache_dirs',`
+ gen_require(`
@@ -32855,101 +32544,93 @@ index 0000000..4a4e899
+## an mandb environment
+## </summary>
+## <param name="domain">
-+## <summary>
+ ## <summary>
+-## Role allowed access.
+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`mandb_admin',`
-+ gen_require(`
+ ## </summary>
+ ## </param>
+-## <rolecap/>
+ #
+ interface(`mandb_admin',`
+ gen_require(`
+- type mandb_t, mandb_cache_t;
+ type mandb_t;
+ type mandb_cache_t;
-+ ')
-+
-+ allow $1 mandb_t:process { ptrace signal_perms };
-+ ps_process_pattern($1, mandb_t)
-+
+ ')
+
+ allow $1 mandb_t:process { ptrace signal_perms };
+ ps_process_pattern($1, mandb_t)
+
+- mandb_run($1, $2)
+ files_search_var($1)
+ admin_pattern($1, mandb_cache_t)
+
+- # pending
+- # miscfiles_manage_man_cache_content(mandb_t)
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
-+')
+ ')
diff --git a/mandb.te b/mandb.te
-new file mode 100644
-index 0000000..8cc45e7
---- /dev/null
+index 5a414e0..4e159c2 100644
+--- a/mandb.te
+++ b/mandb.te
-@@ -0,0 +1,35 @@
-+policy_module(mandb, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type mandb_t;
-+type mandb_exec_t;
+@@ -10,9 +10,12 @@ roleattribute system_r mandb_roles;
+
+ type mandb_t;
+ type mandb_exec_t;
+-application_domain(mandb_t, mandb_exec_t)
+init_daemon_domain(mandb_t, mandb_exec_t)
-+cron_system_entry(mandb_t, mandb_exec_t)
-+
+ role mandb_roles types mandb_t;
+
+type mandb_cache_t;
+files_type(mandb_cache_t)
+
-+########################################
-+#
-+# mandb local policy
-+#
-+allow mandb_t self:fifo_file rw_fifo_file_perms;
-+allow mandb_t self:unix_stream_socket create_stream_socket_perms;
-+allow mandb_t self:process signal;
-+
+ ########################################
+ #
+ # Local policy
+@@ -22,14 +25,17 @@ allow mandb_t self:process signal;
+ allow mandb_t self:fifo_file rw_fifo_file_perms;
+ allow mandb_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(mandb_t, mandb_cache_t, mandb_cache_t)
+manage_files_pattern(mandb_t, mandb_cache_t, mandb_cache_t)
+manage_lnk_files_pattern(mandb_t, mandb_cache_t, mandb_cache_t)
+files_var_filetrans(mandb_t, mandb_cache_t, { dir file lnk_file })
+
-+kernel_read_system_state(mandb_t)
-+
-+corecmd_exec_bin(mandb_t)
-+
-+domain_use_interactive_fds(mandb_t)
-+
-+files_read_etc_files(mandb_t)
-diff --git a/mcelog.fc b/mcelog.fc
-index 56c43c0..409bbfc 100644
---- a/mcelog.fc
-+++ b/mcelog.fc
-@@ -1 +1,5 @@
- /usr/sbin/mcelog -- gen_context(system_u:object_r:mcelog_exec_t,s0)
-+
-+/var/log/mcelog.* -- gen_context(system_u:object_r:mcelog_log_t,s0)
-+
-+/var/run/mcelog.* gen_context(system_u:object_r:mcelog_var_run_t,s0)
+ kernel_read_system_state(mandb_t)
+
+ corecmd_exec_bin(mandb_t)
+
+ domain_use_interactive_fds(mandb_t)
+
+-files_read_etc_files(mandb_t)
+-
+ miscfiles_manage_man_cache(mandb_t)
+
+ optional_policy(`
diff --git a/mcelog.te b/mcelog.te
-index 5671977..99a63b2 100644
+index 13ea191..799df10 100644
--- a/mcelog.te
+++ b/mcelog.te
-@@ -7,8 +7,14 @@ policy_module(mcelog, 1.1.0)
+@@ -36,13 +36,6 @@ gen_tunable(mcelog_foreground, false)
+ ## </desc>
+ gen_tunable(mcelog_server, false)
+-## <desc>
+-## <p>
+-## Determine whether mcelog can use syslog.
+-## </p>
+-## </desc>
+-gen_tunable(mcelog_syslog, false)
+-
type mcelog_t;
type mcelog_exec_t;
-+init_system_domain(mcelog_t, mcelog_exec_t)
- application_domain(mcelog_t, mcelog_exec_t)
--cron_system_entry(mcelog_t, mcelog_exec_t)
-+
-+type mcelog_var_run_t;
-+files_pid_file(mcelog_var_run_t)
-+
-+type mcelog_log_t;
-+logging_log_file(mcelog_log_t)
-
- ########################################
- #
-@@ -17,16 +23,33 @@ cron_system_entry(mcelog_t, mcelog_exec_t)
-
- allow mcelog_t self:capability sys_admin;
+ init_daemon_domain(mcelog_t, mcelog_exec_t)
+@@ -82,19 +75,31 @@ manage_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
+ manage_sock_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
+ files_pid_filetrans(mcelog_t, mcelog_var_run_t, { dir file sock_file })
+manage_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
+manage_dirs_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
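Review bot: In mandb.te the new side replaces `application_domain(mandb_t, mandb_exec_t)` with `init_daemon_domain(mandb_t, mandb_exec_t)`, and the old patch's unconditional `cron_system_entry(mandb_t, mandb_exec_t)` is no longer present in the declarations. mandb.fc labels /etc/cron.daily/man-db\.cron as mandb_exec_t, so unless the trailing `optional_policy(` that the hunk cuts off restores the cron entry, that daily job would not enter mandb_t when cron runs it. If the entry does live in that block, a one-line comment next to init_daemon_domain, `# mandb is started both as a daemon and from cron.daily`, would make the dual entry path visible to the next reader. The mandb.te local-policy section continues past the end of the hunk.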
@@ -32967,21 +32648,31 @@ index 5671977..99a63b2 100644
+
dev_read_raw_memory(mcelog_t)
dev_read_kmsg(mcelog_t)
-+dev_rw_sysfs(mcelog_t)
+ dev_rw_sysfs(mcelog_t)
- files_read_etc_files(mcelog_t)
-
- # for /dev/mem access
+-files_read_etc_files(mcelog_t)
+-
mls_file_read_all_levels(mcelog_t)
+auth_read_passwd(mcelog_t)
+
- logging_send_syslog_msg(mcelog_t)
+ locallogin_use_fds(mcelog_t)
-miscfiles_read_localization(mcelog_t)
-+optional_policy(`
-+ cron_system_entry(mcelog_t, mcelog_exec_t)
-+')
++logging_send_syslog_msg(mcelog_t)
+
+ tunable_policy(`mcelog_client',`
+ allow mcelog_t self:unix_stream_socket connectto;
+@@ -114,9 +119,6 @@ tunable_policy(`mcelog_server',`
+ allow mcelog_t self:unix_stream_socket { listen accept };
+ ')
+
+-tunable_policy(`mcelog_syslog',`
+- logging_send_syslog_msg(mcelog_t)
+-')
+
+ optional_policy(`
+ cron_system_entry(mcelog_t, mcelog_exec_t)
diff --git a/mcollective.fc b/mcollective.fc
new file mode 100644
index 0000000..821bf88
@@ -33148,11 +32839,12 @@ index 0000000..5dd171f
+
+files_read_etc_files(mcollective_t)
diff --git a/mediawiki.if b/mediawiki.if
-index 98d28b4..1c1d012 100644
+index 9771b4b..1c1d012 100644
--- a/mediawiki.if
+++ b/mediawiki.if
@@ -1 +1,40 @@
- ## <summary>Mediawiki policy</summary>
+-## <summary>Open source wiki package written in PHP.</summary>
++## <summary>Mediawiki policy</summary>
+
+#######################################
+## <summary>
@@ -33193,7 +32885,7 @@ index 98d28b4..1c1d012 100644
+ delete_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)
+')
diff --git a/mediawiki.te b/mediawiki.te
-index d7cb9e4..7e81838 100644
+index c528b9f..212712c 100644
--- a/mediawiki.te
+++ b/mediawiki.te
@@ -5,13 +5,16 @@ policy_module(mediawiki, 1.0.0)
@@ -33207,7 +32899,7 @@ index d7cb9e4..7e81838 100644
########################################
#
- # mediawiki local policy
+ # Local policy
#
-files_search_var_lib(httpd_mediawiki_script_t)
@@ -33216,72 +32908,125 @@ index d7cb9e4..7e81838 100644
-miscfiles_read_tetex_data(httpd_mediawiki_script_t)
+ miscfiles_read_tetex_data(httpd_mediawiki_script_t)
+')
-diff --git a/memcached.fc b/memcached.fc
-index 4d69477..d3b4f39 100644
---- a/memcached.fc
-+++ b/memcached.fc
-@@ -2,4 +2,5 @@
-
- /usr/bin/memcached -- gen_context(system_u:object_r:memcached_exec_t,s0)
-
-+/var/run/ipa_memcached(/.*)? gen_context(system_u:object_r:memcached_var_run_t,s0)
- /var/run/memcached(/.*)? gen_context(system_u:object_r:memcached_var_run_t,s0)
diff --git a/memcached.if b/memcached.if
-index db4fd6f..650014e 100644
+index 1d4eb19..650014e 100644
--- a/memcached.if
+++ b/memcached.if
-@@ -40,6 +40,44 @@ interface(`memcached_read_pid_files',`
+@@ -1,4 +1,4 @@
+-## <summary>High-performance memory object caching system.</summary>
++## <summary>high-performance memory object caching system</summary>
+
+ ########################################
+ ## <summary>
+@@ -12,17 +12,16 @@
+ #
+ interface(`memcached_domtrans',`
+ gen_require(`
+- type memcached_t,memcached_exec_t;
++ type memcached_t;
++ type memcached_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+ domtrans_pattern($1, memcached_exec_t, memcached_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete
+-## memcached pid files.
++## Read memcached PID files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -30,18 +29,18 @@ interface(`memcached_domtrans',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`memcached_manage_pid_files',`
++interface(`memcached_read_pid_files',`
+ gen_require(`
+ type memcached_var_run_t;
+ ')
+
+ files_search_pids($1)
+- manage_files_pattern($1, memcached_var_run_t, memcached_var_run_t)
++ allow $1 memcached_var_run_t:file read_file_perms;
+ ')
########################################
## <summary>
+-## Read memcached pid files.
+## Manage memcached PID files
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -49,19 +48,18 @@ interface(`memcached_manage_pid_files',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`memcached_read_pid_files',`
+interface(`memcached_manage_pid_files',`
-+ gen_require(`
-+ type memcached_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
+ gen_require(`
+ type memcached_var_run_t;
+ ')
+
+ files_search_pids($1)
+- allow $1 memcached_var_run_t:file read_file_perms;
+ manage_files_pattern($1, memcached_var_run_t, memcached_var_run_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Connect to memcached using a unix
+-## domain stream socket.
+## Connect to memcached over a unix stream socket.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`memcached_stream_connect',`
-+ gen_require(`
-+ type memcached_t, memcached_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ stream_connect_pattern($1, memcached_var_run_t, memcached_var_run_t, memcached_t)
-+')
-+
-+########################################
-+## <summary>
- ## All of the rules required to administrate
- ## an memcached environment
## </summary>
-@@ -57,17 +95,20 @@ interface(`memcached_read_pid_files',`
- #
- interface(`memcached_admin',`
- gen_require(`
+ ## <param name="domain">
+ ## <summary>
+@@ -80,29 +78,8 @@ interface(`memcached_stream_connect',`
+
+ ########################################
+ ## <summary>
+-## Connect to memcache over the network.
+-## </summary>
+-## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+-## </param>
+-#
+-interface(`memcached_tcp_connect',`
+- gen_require(`
- type memcached_t;
-- type memcached_initrc_exec_t;
-+ type memcached_t, memcached_initrc_exec_t, memcached_var_run_t;
+- ')
+-
+- corenet_sendrecv_memcache_client_packets($1)
+- corenet_tcp_connect_memcache_port($1)
+- corenet_tcp_recvfrom_labeled($1, memcached_t)
+- corenet_tcp_sendrecv_memcache_port($1)
+-')
+-
+-########################################
+-## <summary>
+-## All of the rules required to
+-## administrate an memcached environment.
++## All of the rules required to administrate
++## an memcached environment
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -111,7 +88,7 @@ interface(`memcached_tcp_connect',`
+ ## </param>
+ ## <param name="role">
+ ## <summary>
+-## Role allowed access.
++## The role to be allowed to manage the memcached domain.
+ ## </summary>
+ ## </param>
+ ## <rolecap/>
+@@ -121,14 +98,17 @@ interface(`memcached_admin',`
+ type memcached_t, memcached_initrc_exec_t, memcached_var_run_t;
')
- allow $1 memcached_t:process { ptrace signal_perms };
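Review bot: The new side of `memcached_domtrans` removes upstream's `corecmd_search_bin($1)` (the `+-` line before `domtrans_pattern($1, memcached_exec_t, memcached_t)`), so a caller that does not already hold search on bin directories cannot reach /usr/bin/memcached to transition; refpolicy domtrans interfaces conventionally keep `corecmd_search_bin($1)` ahead of the domtrans_pattern, and restoring that single line is the safe choice. The patch also deletes the whole `memcached_tcp_connect` interface; a missing interface name is not masked by optional_policy, so any module in the tree still calling it would presumably break the build rather than quietly lose the access — worth grepping for before dropping it. The `memcached_admin` body continues past the end of the hunk.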
@@ -33296,119 +33041,169 @@ index db4fd6f..650014e 100644
role_transition $2 memcached_initrc_exec_t system_r;
allow $2 system_r;
+- files_search_pids($1)
+ files_list_pids($1)
admin_pattern($1, memcached_var_run_t)
')
diff --git a/memcached.te b/memcached.te
-index b681608..9c4fc55 100644
+index 4926208..293e577 100644
--- a/memcached.te
+++ b/memcached.te
-@@ -28,7 +28,6 @@ allow memcached_t self:udp_socket { create_socket_perms listen };
- allow memcached_t self:fifo_file rw_fifo_file_perms;
- allow memcached_t self:unix_stream_socket create_stream_socket_perms;
-
--corenet_all_recvfrom_unlabeled(memcached_t)
- corenet_udp_sendrecv_generic_if(memcached_t)
- corenet_udp_sendrecv_generic_node(memcached_t)
- corenet_udp_sendrecv_all_ports(memcached_t)
-@@ -42,12 +41,12 @@ corenet_udp_bind_memcache_port(memcached_t)
-
- manage_dirs_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t)
- manage_files_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t)
--files_pid_filetrans(memcached_t, memcached_var_run_t, { file dir })
-+manage_sock_files_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t)
-+files_pid_filetrans(memcached_t, memcached_var_run_t, { file dir sock_file })
-
- kernel_read_kernel_sysctls(memcached_t)
- kernel_read_system_state(memcached_t)
-
--files_read_etc_files(memcached_t)
-
- term_dontaudit_use_all_ptys(memcached_t)
- term_dontaudit_use_all_ttys(memcached_t)
-@@ -55,4 +54,3 @@ term_dontaudit_use_console(memcached_t)
+@@ -57,4 +57,3 @@ term_dontaudit_use_console(memcached_t)
auth_use_nsswitch(memcached_t)
-miscfiles_read_localization(memcached_t)
diff --git a/milter.fc b/milter.fc
-index 1ec5a6c..64ac6f0 100644
+index 89409eb..64ac6f0 100644
--- a/milter.fc
+++ b/milter.fc
-@@ -1,15 +1,26 @@
+@@ -1,18 +1,26 @@
+/etc/mail/dkim-milter/keys(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
+
+/usr/sbin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
+/usr/sbin/opendkim -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
/usr/sbin/milter-greylist -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
--/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0)
+-/usr/sbin/sqlgrey -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
+-/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0)
+/usr/sbin/sqlgrey -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
+/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0)
/usr/sbin/spamass-milter -- gen_context(system_u:object_r:spamass_milter_exec_t,s0)
+-/var/lib/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
+-/var/lib/sqlgrey(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
+-/var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0)
+/var/lib/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
- /var/lib/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
++/var/lib/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
+/var/lib/sqlgrey(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
- /var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0)
++/var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0)
+-/var/run/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
+/var/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
- /var/run/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
++/var/run/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
/var/run/milter-greylist\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0)
- /var/run/spamass(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
+-/var/run/spamass(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
+-/var/run/sqlgrey\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0)
+-/var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
++/var/run/spamass(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
+/var/run/sqlgrey\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0)
- /var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
++/var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
/var/run/spamass-milter\.pid -- gen_context(system_u:object_r:spamass_milter_data_t,s0)
+/var/run/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
- /var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0)
+-/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0)
++/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0)
/var/spool/postfix/spamass(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
+/var/spool/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
diff --git a/milter.if b/milter.if
-index ee72cbe..bdf319a 100644
+index cba62db..bdf319a 100644
--- a/milter.if
+++ b/milter.if
-@@ -24,9 +24,13 @@ template(`milter_template',`
+@@ -1,47 +1,59 @@
+-## <summary>Milter mail filters.</summary>
++## <summary>Milter mail filters</summary>
+
+-#######################################
++########################################
+ ## <summary>
+-## The template to define a milter domain.
++## Create a set of derived types for various
++## mail filter applications using the milter interface.
+ ## </summary>
+-## <param name="domain_prefix">
++## <param name="milter_name">
+ ## <summary>
+-## Domain prefix to be used.
++## The name to be used for deriving type names.
+ ## </summary>
+ ## </param>
+ #
+ template(`milter_template',`
++ # attributes common to all milters
+ gen_require(`
+ attribute milter_data_type, milter_domains;
+ ')
+
+- ########################################
+- #
+- # Declarations
+- #
+-
+ type $1_milter_t, milter_domains;
+ type $1_milter_exec_t;
+ init_daemon_domain($1_milter_t, $1_milter_exec_t)
++ role system_r types $1_milter_t;
- # Type for the milter data (e.g. the socket used to communicate with the MTA)
++ # Type for the milter data (e.g. the socket used to communicate with the MTA)
type $1_milter_data_t, milter_data_type;
-- files_type($1_milter_data_t)
-+ files_pid_file($1_milter_data_t)
-+
+ files_pid_file($1_milter_data_t)
+
+- ########################################
+- #
+- # Policy
+- #
+ # Allow communication with MTA over a unix-domain socket
+ # Note: usage with TCP sockets requires additional policy
- allow $1_milter_t self:fifo_file rw_fifo_file_perms;
+- manage_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t)
++ allow $1_milter_t self:fifo_file rw_fifo_file_perms;
+
- # Allow communication with MTA over a TCP socket
- allow $1_milter_t self:tcp_socket create_stream_socket_perms;
-
-@@ -36,12 +40,13 @@ template(`milter_template',`
- # Create other data files and directories in the data directory
- manage_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t)
++ # Allow communication with MTA over a TCP socket
++ allow $1_milter_t self:tcp_socket create_stream_socket_perms;
++
++ # Allow communication with MTA over a unix-domain socket
+ manage_sock_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t)
+- auth_use_nsswitch($1_milter_t)
++ # Create other data files and directories in the data directory
++ manage_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t)
++
+ kernel_dontaudit_read_system_state($1_milter_t)
+
- corenet_tcp_bind_generic_node($1_milter_t)
- corenet_tcp_bind_milter_port($1_milter_t)
-
- files_read_etc_files($1_milter_t)
++ corenet_tcp_bind_generic_node($1_milter_t)
++ corenet_tcp_bind_milter_port($1_milter_t)
++
++ files_read_etc_files($1_milter_t)
++
++
++ logging_send_syslog_msg($1_milter_t)
+ ')
-- miscfiles_read_localization($1_milter_t)
+ ########################################
+ ## <summary>
+-## connect to all milter domains using
+-## a unix domain stream socket.
++## MTA communication with milter sockets
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -55,12 +67,13 @@ interface(`milter_stream_connect_all',`
+ ')
- logging_send_syslog_msg($1_milter_t)
+ files_search_pids($1)
++ getattr_dirs_pattern($1, milter_data_type, milter_data_type)
+ stream_connect_pattern($1, milter_data_type, milter_data_type, milter_domains)
')
-@@ -61,6 +66,7 @@ interface(`milter_stream_connect_all',`
- attribute milter_data_type, milter_domains;
+
+ ########################################
+ ## <summary>
+-## Get attributes of all milter sock files.
++## Allow getattr of milter sockets
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -73,13 +86,31 @@ interface(`milter_getattr_all_sockets',`
+ attribute milter_data_type;
')
-+ files_search_pids($1)
- getattr_dirs_pattern($1, milter_data_type, milter_data_type)
- stream_connect_pattern($1, milter_data_type, milter_data_type, milter_domains)
++ getattr_dirs_pattern($1, milter_data_type, milter_data_type)
+ getattr_sock_files_pattern($1, milter_data_type, milter_data_type)
')
-@@ -86,6 +92,24 @@ interface(`milter_getattr_all_sockets',`
########################################
## <summary>
+-## Create, read, write, and delete
+-## spamassissin milter data content.
+## Allow setattr of milter dirs
+## </summary>
+## <param name="domain">
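Review bot: The rewritten `milter_template` removes upstream's `auth_use_nsswitch($1_milter_t)` (the `+-` line after manage_sock_files_pattern) without a per-milter replacement in this hunk; the only domain seen regaining it, `dkim_milter_t`, is in the milter.te hunk that follows, so the greylist, regex and spamass milters would lose name-service access unless it is granted elsewhere. The template also keeps `files_read_etc_files($1_milter_t)` while this same commit strips `files_read_etc_files` from mandb_t, mcelog_t and memcached_t, presumably because base policy now grants it — one of the two is inconsistent. The two consecutive blank `++` lines before `logging_send_syslog_msg($1_milter_t)` should be collapsed to one. The milter.if changes continue into the next outer hunk.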
@@ -33427,10 +33222,11 @@ index ee72cbe..bdf319a 100644
+
+########################################
+## <summary>
- ## Manage spamassassin milter state
++## Manage spamassassin milter state
## </summary>
## <param name="domain">
-@@ -104,3 +128,22 @@ interface(`milter_manage_spamass_state',`
+ ## <summary>
+@@ -97,3 +128,22 @@ interface(`milter_manage_spamass_state',`
manage_dirs_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
manage_lnk_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
')
@@ -33454,10 +33250,19 @@ index ee72cbe..bdf319a 100644
+ delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t)
+')
diff --git a/milter.te b/milter.te
-index 26101cb..64c2969 100644
+index 92508b2..64c2969 100644
--- a/milter.te
+++ b/milter.te
-@@ -9,6 +9,13 @@ policy_module(milter, 1.4.0)
+@@ -1,77 +1,98 @@
+-policy_module(milter, 1.4.2)
++policy_module(milter, 1.4.0)
+
+ ########################################
+ #
+ # Declarations
+ #
+
++# attributes common to all milters
attribute milter_domains;
attribute milter_data_type;
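Review bot: `policy_module(milter, 1.4.0)` on the new side replaces upstream's `policy_module(milter, 1.4.2)`, so the patch lowers the module version below the tree it is patching while adding types and rules; module versions are expected to move forward, and a number below upstream's is confusing for anyone comparing `semodule -l` output against the refpolicy release. Keep upstream's number or bump it, e.g. `policy_module(milter, 1.4.3)`. The added `# attributes common to all milters` comment duplicates the one the template gains above its gen_require in the previous hunk; one of the two suffices. The declarations section continues past the end of the hunk.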
@@ -33468,86 +33273,164 @@ index 26101cb..64c2969 100644
+type dkim_milter_private_key_t;
+files_type(dkim_milter_private_key_t)
+
- # currently-supported milters are milter-greylist, milter-regex and spamass-milter
++# currently-supported milters are milter-greylist, milter-regex and spamass-milter
milter_template(greylist)
milter_template(regex)
-@@ -20,6 +27,26 @@ milter_template(spamass)
+ milter_template(spamass)
+
++# Type for the spamass-milter home directory, under which spamassassin will
++# store system-wide preferences, bayes databases etc. if not configured to
++# use per-user configuration
type spamass_milter_state_t;
files_type(spamass_milter_state_t)
-+#######################################
-+#
+ #######################################
+ #
+-# Common local policy
+# dkim-milter local policy
-+#
-+
+ #
+
+-allow milter_domains self:fifo_file rw_fifo_file_perms;
+-allow milter_domains self:tcp_socket { accept listen };
+allow dkim_milter_t self:capability { kill setgid setuid };
+allow dkim_milter_t self:process signal;
+allow dkim_milter_t self:tcp_socket create_stream_socket_perms;
+allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms;
-+
+
+-kernel_dontaudit_read_system_state(milter_domains)
+read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t)
-+
+
+-corenet_all_recvfrom_unlabeled(milter_domains)
+-corenet_all_recvfrom_netlabel(milter_domains)
+-corenet_tcp_sendrecv_generic_if(milter_domains)
+-corenet_tcp_sendrecv_generic_node(milter_domains)
+-corenet_tcp_bind_generic_node(milter_domains)
+kernel_read_kernel_sysctls(dkim_milter_t)
-+
+
+-corenet_tcp_bind_milter_port(milter_domains)
+-corenet_tcp_sendrecv_all_ports(milter_domains)
+auth_use_nsswitch(dkim_milter_t)
-+
+
+-miscfiles_read_localization(milter_domains)
+sysnet_dns_name_resolve(dkim_milter_t)
-+
+
+-logging_send_syslog_msg(milter_domains)
+mta_read_config(dkim_milter_t)
-+
+
########################################
#
- # milter-greylist local policy
-@@ -33,11 +60,25 @@ files_type(spamass_milter_state_t)
+-# greylist local policy
++# milter-greylist local policy
++# ensure smtp clients retry mail like real MTAs and not spamware
++# http://hcpnet.free.fr/milter-greylist/
+ #
+
++# It removes any existing socket (not owned by root) whilst running as root,
++# fixes permissions, renices itself and then calls setgid() and setuid() to
++# drop privileges
allow greylist_milter_t self:capability { chown dac_override setgid setuid sys_nice };
allow greylist_milter_t self:process { setsched getsched };
+allow greylist_milter_t self:tcp_socket create_stream_socket_perms;
+
- # It creates a pid file /var/run/milter-greylist.pid
++# It creates a pid file /var/run/milter-greylist.pid
files_pid_filetrans(greylist_milter_t, greylist_milter_data_t, file)
kernel_read_kernel_sysctls(greylist_milter_t)
+-corenet_sendrecv_movaz_ssc_server_packets(greylist_milter_t)
+-corenet_tcp_bind_movaz_ssc_port(greylist_milter_t)
+-corenet_sendrecv_movaz_ssc_client_packets(greylist_milter_t)
+-corenet_tcp_connect_movaz_ssc_port(greylist_milter_t)
+-corenet_tcp_sendrecv_movaz_ssc_port(greylist_milter_t)
+-
+-corenet_sendrecv_kismet_server_packets(greylist_milter_t)
+-corenet_tcp_bind_kismet_port(greylist_milter_t)
+-corenet_tcp_sendrecv_kismet_port(greylist_milter_t)
+dev_read_rand(greylist_milter_t)
+dev_read_urand(greylist_milter_t)
-+
-+corecmd_exec_bin(greylist_milter_t)
-+corecmd_exec_shell(greylist_milter_t)
-+
+
+ corecmd_exec_bin(greylist_milter_t)
+ corecmd_exec_shell(greylist_milter_t)
+
+-dev_read_rand(greylist_milter_t)
+-dev_read_urand(greylist_milter_t)
+corenet_tcp_bind_movaz_ssc_port(greylist_milter_t)
+corenet_tcp_connect_movaz_ssc_port(greylist_milter_t)
+corenet_tcp_bind_rtsclient_port(greylist_milter_t)
-+
+
+# perl getgroups() reads a bunch of files in /etc
+files_read_etc_files(greylist_milter_t)
- # Allow the milter to read a GeoIP database in /usr/share
++# Allow the milter to read a GeoIP database in /usr/share
files_read_usr_files(greylist_milter_t)
- # The milter runs from /var/lib/milter-greylist and maintains files there
-@@ -49,6 +90,14 @@ auth_use_nsswitch(greylist_milter_t)
- # Config is in /etc/mail/greylist.conf
++# The milter runs from /var/lib/milter-greylist and maintains files there
+ files_search_var_lib(greylist_milter_t)
+
++# Look up username for dropping privs
++auth_use_nsswitch(greylist_milter_t)
++
++# Config is in /etc/mail/greylist.conf
mta_read_config(greylist_milter_t)
+-miscfiles_read_localization(greylist_milter_t)
+
+sysnet_read_config(greylist_milter_t)
+
+
+ optional_policy(`
+ mysql_stream_connect(greylist_milter_t)
+@@ -79,30 +100,48 @@ optional_policy(`
+
+ ########################################
+ #
+-# regex local policy
++# milter-regex local policy
++# filter emails using regular expressions
++# http://www.benzedrine.cx/milter-regex.html
+ #
+
++# It removes any existing socket (not owned by root) whilst running as root
++# and then calls setgid() and setuid() to drop privileges
+ allow regex_milter_t self:capability { setuid setgid dac_override };
+
++# The milter's socket directory lives under /var/spool
+ files_search_spool(regex_milter_t)
+
++# Look up username for dropping privs
++auth_use_nsswitch(regex_milter_t)
+
-+optional_policy(`
-+ mysql_stream_connect(greylist_milter_t)
-+')
-+
++# Config is in /etc/mail/milter-regex.conf
+ mta_read_config(regex_milter_t)
+
########################################
#
- # milter-regex local policy
-@@ -88,6 +137,8 @@ corecmd_exec_shell(spamass_milter_t)
- corecmd_read_bin_symlinks(spamass_milter_t)
- corecmd_search_bin(spamass_milter_t)
+-# spamass local policy
++# spamass-milter local policy
++# pipe emails through SpamAssassin
++# http://savannah.nongnu.org/projects/spamass-milt/
+ #
+
++# The milter runs from /var/lib/spamass-milter
+ allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms;
++files_search_var_lib(spamass_milter_t)
+
+ kernel_read_system_state(spamass_milter_t)
+
++# When used with -b or -B options, the milter invokes sendmail to send mail
++# to a spamtrap address, using popen()
+ corecmd_exec_shell(spamass_milter_t)
++corecmd_read_bin_symlinks(spamass_milter_t)
++corecmd_search_bin(spamass_milter_t)
+-files_search_var_lib(spamass_milter_t)
+auth_use_nsswitch(spamass_milter_t)
-+
+
mta_send_mail(spamass_milter_t)
- # The main job of the milter is to pipe spam through spamc and act on the result
++# The main job of the milter is to pipe spam through spamc and act on the result
+ optional_policy(`
+ spamassassin_domtrans_client(spamass_milter_t)
+ ')
diff --git a/mock.fc b/mock.fc
new file mode 100644
index 0000000..8d0e473
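Review bot: The patch now deletes upstream's whole "Common local policy" block for `milter_domains` (`allow milter_domains self:fifo_file rw_fifo_file_perms;`, the `corenet_tcp_bind_milter_port(milter_domains)` and related corenet rules, `logging_send_syslog_msg(milter_domains)`) and nothing on the new side of this hunk replaces them. If these rules moved into `milter_template` in milter.if, a note to that effect next to the added `# attributes common to all milters` comment would save the next rebase from reintroducing them; if they did not move, every milter loses its port binding and syslog access. The greylist and regex sections document why each capability is granted, so the new `allow dkim_milter_t self:capability { kill setgid setuid };` deserves the same one-line justification, particularly for `kill`.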
@@ -34126,35 +34009,13 @@ index 0000000..ecfd7be
+ userdom_read_user_home_content_files(mock_build_t)
+')
diff --git a/modemmanager.te b/modemmanager.te
-index b3ace16..41f9aa5 100644
+index cb4c13d..14e8f87 100644
--- a/modemmanager.te
+++ b/modemmanager.te
-@@ -7,7 +7,7 @@ policy_module(modemmanager, 1.1.0)
+@@ -31,8 +31,9 @@ files_read_etc_files(modemmanager_t)
- type modemmanager_t;
- type modemmanager_exec_t;
--dbus_system_domain(modemmanager_t, modemmanager_exec_t)
-+init_daemon_domain(modemmanager_t, modemmanager_exec_t)
- typealias modemmanager_t alias ModemManager_t;
- typealias modemmanager_exec_t alias ModemManager_exec_t;
-
-@@ -16,7 +16,8 @@ typealias modemmanager_exec_t alias ModemManager_exec_t;
- # ModemManager local policy
- #
-
--allow modemmanager_t self:process signal;
-+allow modemmanager_t self:capability { net_admin sys_admin sys_tty_config };
-+allow modemmanager_t self:process { getsched signal };
- allow modemmanager_t self:fifo_file rw_file_perms;
- allow modemmanager_t self:unix_stream_socket create_stream_socket_perms;
- allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms;
-@@ -28,13 +29,29 @@ dev_rw_modem(modemmanager_t)
-
- files_read_etc_files(modemmanager_t)
-
--term_use_unallocated_ttys(modemmanager_t)
-+term_use_generic_ptys(modemmanager_t)
-+term_use_unallocated_ttys(modemmanager_t) # this should be reproduced, might have been mislabelled usbtty_device_t
+ term_use_generic_ptys(modemmanager_t)
+ term_use_unallocated_ttys(modemmanager_t)
+term_use_usb_ttys(modemmanager_t)
-miscfiles_read_localization(modemmanager_t)
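Review bot: The new side keeps `term_use_unallocated_ttys(modemmanager_t)` next to the newly added `term_use_usb_ttys(modemmanager_t)`, while the previous version's comment (`# this should be reproduced, might have been mislabelled usbtty_device_t`) is dropped. If the unallocated-tty access only existed to cover USB modem ttys that were previously mislabelled, it is now broader than the daemon needs and could be removed once the usb tty labelling is confirmed; if it is still required, a short comment stating the reason would prevent it from being questioned again. The modemmanager.te file section continues in the next outer hunk.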
@@ -34162,30 +34023,11 @@ index b3ace16..41f9aa5 100644
logging_send_syslog_msg(modemmanager_t)
--networkmanager_dbus_chat(modemmanager_t)
-+optional_policy(`
-+ dbus_system_domain(modemmanager_t, modemmanager_exec_t)
-+')
-+
-+optional_policy(`
-+ networkmanager_dbus_chat(modemmanager_t)
-+')
-+
-+optional_policy(`
-+ devicekit_dbus_chat_power(modemmanager_t)
-+')
-+
-+optional_policy(`
-+ policykit_dbus_chat(modemmanager_t)
-+')
-
- optional_policy(`
- udev_read_db(modemmanager_t)
diff --git a/mojomojo.if b/mojomojo.if
-index 657a9fc..7022903 100644
+index 73952f4..80e26d2 100644
--- a/mojomojo.if
+++ b/mojomojo.if
-@@ -10,27 +10,26 @@
+@@ -10,12 +10,6 @@
## Domain allowed access.
## </summary>
## </param>
@@ -34197,61 +34039,30 @@ index 657a9fc..7022903 100644
-## <rolecap/>
#
interface(`mojomojo_admin',`
- gen_require(`
-- type httpd_mojomojo_script_t;
-- type httpd_mojomojo_content_t, httpd_mojomojo_ra_content_t;
-- type httpd_mojomojo_rw_content_t;
-- type httpd_mojomojo_script_exec_t, httpd_mojomojo_htaccess_t;
-+ type httpd_mojomojo_script_t, httpd_mojomojo_content_t, httpd_mojomojo_ra_content_t;
-+ type httpd_mojomojo_rw_content_t, httpd_mojomojo_tmp_t, httpd_mojomojo_htaccess_t;
-+ type httpd_mojomojo_script_exec_t, httpd_mojomo_script_t;
- ')
-
-- allow $1 httpd_mojomojo_script_t:process { ptrace signal_perms };
-+ allow $1 httpd_mojomojo_script_t:process signal_perms;
- ps_process_pattern($1, httpd_mojomojo_script_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 httpd_mojomo_script_t:process ptrace;
-+ ')
-+
-+ files_list_tmp($1)
-+ admin_pattern($1, httpd_mojomojo_tmp_t)
-
-- files_search_var_lib(httpd_mojomojo_script_t)
-+ files_list_var_lib(httpd_mojomojo_script_t)
-
-- apache_search_sys_content($1)
-+ apache_list_sys_content($1)
- admin_pattern($1, httpd_mojomojo_script_exec_t)
- admin_pattern($1, httpd_mojomojo_script_t)
- admin_pattern($1, httpd_mojomojo_content_t)
+ refpolicywarn(`$0($*) has been deprecated, use apache_admin() instead.')
diff --git a/mojomojo.te b/mojomojo.te
-index 83f002c..d09878d 100644
+index 7e534cf..3652584 100644
--- a/mojomojo.te
+++ b/mojomojo.te
-@@ -5,32 +5,42 @@ policy_module(mojomojo, 1.0.0)
+@@ -5,21 +5,41 @@ policy_module(mojomojo, 1.0.1)
# Declarations
#
-apache_content_template(mojomojo)
-+
+type httpd_mojomojo_tmp_t;
+files_tmp_file(httpd_mojomojo_tmp_t)
########################################
#
- # mojomojo local policy
+ # Local policy
#
-allow httpd_mojomojo_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
+optional_policy(`
+ apache_content_template(mojomojo)
--corenet_tcp_connect_postgresql_port(httpd_mojomojo_script_t)
--corenet_tcp_connect_mysqld_port(httpd_mojomojo_script_t)
+-corenet_sendrecv_smtp_client_packets(httpd_mojomojo_script_t)
-corenet_tcp_connect_smtp_port(httpd_mojomojo_script_t)
--corenet_sendrecv_postgresql_client_packets(httpd_mojomojo_script_t)
--corenet_sendrecv_mysqld_client_packets(httpd_mojomojo_script_t)
-corenet_sendrecv_smtp_client_packets(httpd_mojomojo_script_t)
+ allow httpd_mojomojo_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
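Review bot: On the new side `mojomojo_admin` is reduced to `refpolicywarn(`$0($*) has been deprecated, use apache_admin() instead.')`, so any existing caller keeps building but silently loses the admin access it used to receive. Deprecated wrappers in this policy normally forward to their replacement, so consider adding a call to `apache_admin` with the same arguments after the warning (its parameter list is not visible here, so check the signature before wiring it). The interface body is cut off by the end of the hunk, so a forwarding call may already be present further down.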
@@ -34270,14 +34081,9 @@ index 83f002c..d09878d 100644
-mta_send_mail(httpd_mojomojo_script_t)
+ files_search_var_lib(httpd_mojomojo_script_t)
-
--optional_policy(`
-- mysql_stream_connect(httpd_mojomojo_script_t)
--')
++
+ sysnet_dns_name_resolve(httpd_mojomojo_script_t)
-
--optional_policy(`
-- postgresql_stream_connect(httpd_mojomojo_script_t)
++
+ mta_send_mail(httpd_mojomojo_script_t)
+
+ optional_policy(`
@@ -34287,52 +34093,78 @@ index 83f002c..d09878d 100644
+ optional_policy(`
+ postgresql_stream_connect(httpd_mojomojo_script_t)
+ ')
- ')
-diff --git a/mono.te b/mono.te
-index dff0f12..ecab36d 100644
---- a/mono.te
-+++ b/mono.te
-@@ -15,7 +15,7 @@ init_system_domain(mono_t, mono_exec_t)
- # Local policy
- #
-
--allow mono_t self:process { ptrace signal getsched execheap execmem execstack };
-+allow mono_t self:process { signal getsched execheap execmem execstack };
++')
+diff --git a/mongodb.te b/mongodb.te
+index 4de8949..5c237c3 100644
+--- a/mongodb.te
++++ b/mongodb.te
+@@ -54,8 +54,5 @@ corenet_tcp_bind_generic_node(mongod_t)
+ dev_read_sysfs(mongod_t)
+ dev_read_urand(mongod_t)
- init_dbus_chat_script(mono_t)
+-files_read_etc_files(mongod_t)
+-
+ fs_getattr_all_fs(mongod_t)
+-miscfiles_read_localization(mongod_t)
diff --git a/monop.te b/monop.te
-index 6647a35..f3b35e1 100644
+index 4462c0e..84944d1 100644
--- a/monop.te
+++ b/monop.te
-@@ -42,7 +42,6 @@ kernel_read_kernel_sysctls(monopd_t)
+@@ -43,7 +43,6 @@ kernel_read_kernel_sysctls(monopd_t)
kernel_list_proc(monopd_t)
kernel_read_proc_symlinks(monopd_t)
-corenet_all_recvfrom_unlabeled(monopd_t)
corenet_all_recvfrom_netlabel(monopd_t)
corenet_tcp_sendrecv_generic_if(monopd_t)
- corenet_udp_sendrecv_generic_if(monopd_t)
-@@ -65,8 +64,6 @@ fs_search_auto_mountpoints(monopd_t)
+ corenet_tcp_sendrecv_generic_node(monopd_t)
+@@ -57,15 +56,11 @@ dev_read_sysfs(monopd_t)
+
+ domain_use_interactive_fds(monopd_t)
+
+-files_read_etc_files(monopd_t)
+-
+ fs_getattr_all_fs(monopd_t)
+ fs_search_auto_mountpoints(monopd_t)
logging_send_syslog_msg(monopd_t)
-miscfiles_read_localization(monopd_t)
-
- sysnet_read_config(monopd_t)
+ sysnet_dns_name_resolve(monopd_t)
userdom_dontaudit_use_unpriv_user_fds(monopd_t)
diff --git a/mozilla.fc b/mozilla.fc
-index 3a73e74..0fa08be 100644
+index 6ffaba2..0fa08be 100644
--- a/mozilla.fc
+++ b/mozilla.fc
-@@ -2,8 +2,18 @@ HOME_DIR/\.config/chromium(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0
- HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
- HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
- HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+@@ -1,38 +1,58 @@
+-HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+-HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+-HOME_DIR/\.mozilla/plugins(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
+-HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+-HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+-
+-HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
+-HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
+-HOME_DIR/\.gnash(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
+-HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
+-HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
+-HOME_DIR/\.spicec(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
+-HOME_DIR/\.ICAClient(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
+-HOME_DIR/zimbrauserdata(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
+-
+-/usr/bin/epiphany -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+-/usr/bin/epiphany-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+-/usr/bin/mozilla -- gen_context(system_u:object_r:mozilla_exec_t,s0)
++HOME_DIR/\.config/chromium(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
++HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
++HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
++HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
- HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
- HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
++HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
++HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.gnash(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
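Review bot: The mozilla.fc rewrite relabels the plugin directories (`HOME_DIR/\.adobe`, `\.macromedia`, `\.gnash`, `\.gcjwebplugin`, `\.icedteaplugin`, `\.spicec`, `\.ICAClient`, `zimbrauserdata`) from upstream's `mozilla_plugin_home_t` to `mozilla_home_t`, merging plugin content into the same type as `\.mozilla`, `\.thunderbird`, `\.java` and `\.config/chromium`. The consequence shows up in the later mozilla.if hunk, where `mozilla_exec_user_home_files` becomes `can_exec($1, mozilla_home_t)` and `mozilla_execmod_user_home_files` becomes `allow $1 mozilla_home_t:file execmod;`, so exec and text-relocation rights now cover the whole browser profile instead of only plugin files. If dropping the separate plugin type is intentional, a comment at the top of the `HOME_DIR` block saying so would help; otherwise keeping `mozilla_plugin_home_t` for the plugin entries preserves upstream's narrower scope for exec/execmod. The mozilla.fc section continues in the next outer hunk.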
@@ -34342,40 +34174,55 @@ index 3a73e74..0fa08be 100644
+HOME_DIR/\.spicec(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.ICAClient(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/zimbrauserdata(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-
- #
- # /bin
-@@ -16,6 +26,12 @@ HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
++
++#
++# /bin
++#
++/usr/bin/netscape -- gen_context(system_u:object_r:mozilla_exec_t,s0)
++/usr/bin/mozilla -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+ /usr/bin/mozilla-snapshot -- gen_context(system_u:object_r:mozilla_exec_t,s0)
++/usr/bin/epiphany-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
++/usr/bin/epiphany -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/bin/mozilla-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/bin/mozilla-bin-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-
+-/usr/bin/netscape -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+-/usr/bin/nspluginscan -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
+-/usr/bin/nspluginviewer -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
+-
+-/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+-/usr/lib/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+-/usr/lib/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+-/usr/lib/galeon/galeon -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+-/usr/lib/iceweasel/iceweasel -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+-/usr/lib/mozilla[^/]*/reg.+ -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+-/usr/lib/mozilla[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+-/usr/lib/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:mozilla_plugin_rw_t,s0)
+-/usr/lib/netscape/base-4/wrapper -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+-/usr/lib/netscape/.+/communicator/communicator-smotif\.real -- gen_context(system_u:object_r:mozilla_exec_t,s0)
++
+ifdef(`distro_redhat',`
+/usr/bin/nspluginscan -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
+/usr/bin/nspluginviewer -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
-+/usr/lib/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
+ /usr/lib/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
+-/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
+-/usr/lib/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
+')
+
- ifdef(`distro_debian',`
- /usr/lib/iceweasel/iceweasel -- gen_context(system_u:object_r:mozilla_exec_t,s0)
- ')
-@@ -23,11 +39,20 @@ ifdef(`distro_debian',`
- #
- # /lib
- #
--/usr/lib/galeon/galeon -- gen_context(system_u:object_r:mozilla_exec_t,s0)
++ifdef(`distro_debian',`
++/usr/lib/iceweasel/iceweasel -- gen_context(system_u:object_r:mozilla_exec_t,s0)
++')
++
++#
++# /lib
++#
+
+/usr/lib/galeon/galeon -- gen_context(system_u:object_r:mozilla_exec_t,s0)
- /usr/lib/netscape/.+/communicator/communicator-smotif\.real -- gen_context(system_u:object_r:mozilla_exec_t,s0)
--/usr/lib/netscape/base-4/wrapper -- gen_context(system_u:object_r:mozilla_exec_t,s0)
--/usr/lib/mozilla[^/]*/reg.+ -- gen_context(system_u:object_r:mozilla_exec_t,s0)
--/usr/lib/mozilla[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
--/usr/lib/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
++/usr/lib/netscape/.+/communicator/communicator-smotif\.real -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/netscape/base-4/wrapper -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/mozilla[^/]*/reg.+ -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/mozilla[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
- /usr/lib/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
--/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
++/usr/lib/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+
+/usr/lib/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
@@ -34386,49 +34233,228 @@ index 3a73e74..0fa08be 100644
+/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
+')
diff --git a/mozilla.if b/mozilla.if
-index b397fde..cccec7e 100644
+index 6194b80..cccec7e 100644
--- a/mozilla.if
+++ b/mozilla.if
-@@ -18,10 +18,11 @@
+@@ -1,146 +1,76 @@
+-## <summary>Policy for Mozilla and related web browsers.</summary>
++## <summary>Policy for Mozilla and related web browsers</summary>
+
+ ########################################
+ ## <summary>
+-## Role access for mozilla.
++## Role access for mozilla
+ ## </summary>
+ ## <param name="role">
+ ## <summary>
+-## Role allowed access.
++## Role allowed access
+ ## </summary>
+ ## </param>
+ ## <param name="domain">
+ ## <summary>
+-## User domain for the role.
++## User domain for the role
+ ## </summary>
+ ## </param>
+ #
interface(`mozilla_role',`
gen_require(`
type mozilla_t, mozilla_exec_t, mozilla_home_t;
+- type mozilla_tmp_t, mozilla_tmpfs_t, mozilla_plugin_tmp_t;
+- type mozilla_plugin_tmpfs_t, mozilla_plugin_home_t;
- attribute_role mozilla_roles;
+ #attribute_role mozilla_roles;
')
-- roleattribute $1 mozilla_roles;
+- ########################################
+- #
+- # Declarations
+- #
+ #roleattribute $1 mozilla_roles;
+ role $1 types mozilla_t;
- domain_auto_trans($2, mozilla_exec_t, mozilla_t)
- # Unrestricted inheritance from the caller.
-@@ -47,7 +48,24 @@ interface(`mozilla_role',`
- relabel_files_pattern($2, mozilla_home_t, mozilla_home_t)
- relabel_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t)
-
+- roleattribute $1 mozilla_roles;
+-
+- ########################################
+- #
+- # Policy
+- #
+-
+- domtrans_pattern($2, mozilla_exec_t, mozilla_t)
++ domain_auto_trans($2, mozilla_exec_t, mozilla_t)
++ # Unrestricted inheritance from the caller.
++ allow $2 mozilla_t:process { noatsecure siginh rlimitinh };
++ allow mozilla_t $2:fd use;
++ allow mozilla_t $2:process { sigchld signull };
++ allow mozilla_t $2:unix_stream_socket connectto;
+
+- allow $2 mozilla_t:process { noatsecure siginh rlimitinh ptrace signal_perms };
++ # Allow the user domain to signal/ps.
+ ps_process_pattern($2, mozilla_t)
+-
+- allow mozilla_t $2:process signull;
+- allow mozilla_t $2:unix_stream_socket connectto;
++ allow $2 mozilla_t:process signal_perms;
+
+ allow $2 mozilla_t:fd use;
+- allow $2 mozilla_t:shm rw_shm_perms;
+-
+- stream_connect_pattern($2, mozilla_tmpfs_t, mozilla_tmpfs_t, mozilla_t)
++ allow $2 mozilla_t:shm { associate getattr };
++ allow $2 mozilla_t:shm { unix_read unix_write };
++ allow $2 mozilla_t:unix_stream_socket connectto;
+
+- allow $2 { mozilla_home_t mozilla_plugin_home_t }:dir { manage_dir_perms relabel_dir_perms };
+- allow $2 { mozilla_home_t mozilla_plugin_home_t }:file { manage_file_perms relabel_file_perms };
+- allow $2 mozilla_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".galeon")
+- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".mozilla")
+- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".netscape")
+- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".phoenix")
++ # X access, Home files
++ manage_dirs_pattern($2, mozilla_home_t, mozilla_home_t)
++ manage_files_pattern($2, mozilla_home_t, mozilla_home_t)
++ manage_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t)
++ relabel_dirs_pattern($2, mozilla_home_t, mozilla_home_t)
++ relabel_files_pattern($2, mozilla_home_t, mozilla_home_t)
++ relabel_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t)
+
+- filetrans_pattern($2, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins")
+ #should be remove then with adding of roleattribute
+ mozilla_run_plugin(mozilla_t, $1)
- mozilla_dbus_chat($2)
-+
++ mozilla_dbus_chat($2)
+
+- allow $2 { mozilla_tmp_t mozilla_plugin_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
+- allow $2 { mozilla_tmp_t mozilla_plugin_tmp_t }:file { manage_file_perms relabel_file_perms };
+- allow $2 mozilla_plugin_tmp_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
+-
+- allow $2 { mozilla_tmpfs_t mozilla_plugin_tmpfs_t }:dir { manage_dir_perms relabel_dir_perms };
+- allow $2 { mozilla_tmpfs_t mozilla_plugin_tmpfs_t }:file { manage_file_perms relabel_file_perms };
+- allow $2 { mozilla_tmpfs_t mozilla_plugin_tmpfs_t }:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
+- allow $2 { mozilla_tmpfs_t mozilla_plugin_tmpfs_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+ userdom_manage_tmp_role($1, mozilla_t)
-+
-+ optional_policy(`
+
+ optional_policy(`
+- mozilla_dbus_chat($2)
+ nsplugin_role($1, mozilla_t)
-+ ')
-+
+ ')
+-')
+
+-########################################
+-## <summary>
+-## Role access for mozilla plugin.
+-## </summary>
+-## <param name="role">
+-## <summary>
+-## Role allowed access.
+-## </summary>
+-## </param>
+-## <param name="domain">
+-## <summary>
+-## User domain for the role.
+-## </summary>
+-## </param>
+-#
+-interface(`mozilla_role_plugin',`
+- gen_require(`
+- type mozilla_plugin_tmp_t, mozilla_plugin_tmpfs_t, mozilla_plugin_rw_t;
+- type mozilla_home_t;
+ optional_policy(`
+ pulseaudio_role($1, mozilla_t)
+ pulseaudio_filetrans_admin_home_content(mozilla_t)
+ pulseaudio_filetrans_home_content(mozilla_t)
-+ ')
-+
+ ')
+
+- mozilla_run_plugin($2, $1)
+- mozilla_run_plugin_config($2, $1)
+-
+- allow $2 { mozilla_plugin_t mozilla_plugin_config_t }:process { ptrace signal_perms };
+- ps_process_pattern($2, { mozilla_plugin_t mozilla_plugin_config_t })
+-
+- allow $2 mozilla_plugin_t:unix_stream_socket rw_socket_perms;
+- allow $2 mozilla_plugin_t:fd use;
+-
+- stream_connect_pattern($2, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_plugin_t)
+-
+- allow mozilla_plugin_t $2:process signull;
+- allow mozilla_plugin_t $2:unix_stream_socket { connectto rw_socket_perms };
+- allow mozilla_plugin_t $2:unix_dgram_socket { sendto rw_socket_perms };
+- allow mozilla_plugin_t $2:shm { rw_shm_perms destroy };
+- allow mozilla_plugin_t $2:sem create_sem_perms;
+-
+- allow $2 mozilla_home_t:dir { manage_dir_perms relabel_dir_perms };
+- allow $2 mozilla_home_t:file { manage_file_perms relabel_file_perms };
+- allow $2 mozilla_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".galeon")
+- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".mozilla")
+- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".netscape")
+- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".phoenix")
+-
+- allow $2 mozilla_plugin_tmp_t:dir { manage_dir_perms relabel_dir_perms };
+- allow $2 mozilla_plugin_tmp_t:file { manage_file_perms relabel_file_perms };
+- allow $2 mozilla_plugin_tmp_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
+-
+- allow $2 mozilla_plugin_tmpfs_t:dir { manage_dir_perms relabel_dir_perms };
+- allow $2 mozilla_plugin_tmpfs_t:file { manage_file_perms relabel_file_perms };
+- allow $2 mozilla_plugin_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
+- allow $2 mozilla_plugin_tmpfs_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+ mozilla_filetrans_home_content($2)
-+
+
+- allow $2 mozilla_plugin_rw_t:dir list_dir_perms;
+- allow $2 mozilla_plugin_rw_t:file read_file_perms;
+- allow $2 mozilla_plugin_rw_t:lnk_file read_lnk_file_perms;
+-
+- can_exec($2, mozilla_plugin_rw_t)
+-
+- optional_policy(`
+- mozilla_dbus_chat_plugin($2)
+- ')
+ ')
+
+ ########################################
+ ## <summary>
+-## Read mozilla home directory content.
++## Read mozilla home directory content
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -153,15 +83,15 @@ interface(`mozilla_read_user_home_files',`
+ type mozilla_home_t;
+ ')
+
+- userdom_search_user_home_dirs($1)
+ allow $1 mozilla_home_t:dir list_dir_perms;
+ allow $1 mozilla_home_t:file read_file_perms;
+ allow $1 mozilla_home_t:lnk_file read_lnk_file_perms;
++ userdom_search_user_home_dirs($1)
+ ')
+
+ ########################################
+ ## <summary>
+-## Write mozilla home directory files.
++## Write mozilla home directory content
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -174,14 +104,13 @@ interface(`mozilla_write_user_home_files',`
+ type mozilla_home_t;
+ ')
+
+- userdom_search_user_home_dirs($1)
+ write_files_pattern($1, mozilla_home_t, mozilla_home_t)
++ userdom_search_user_home_dirs($1)
')
########################################
-@@ -105,7 +123,7 @@ interface(`mozilla_dontaudit_rw_user_home_files',`
+ ## <summary>
+-## Do not audit attempts to read and
+-## write mozilla home directory files.
++## Dontaudit attempts to read/write mozilla home directory content
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -194,14 +123,12 @@ interface(`mozilla_dontaudit_rw_user_home_files',`
type mozilla_home_t;
')
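Review bot: In `mozilla_role` the new side grants shm access to `mozilla_t` in two consecutive rules, `allow $2 mozilla_t:shm { associate getattr };` and `allow $2 mozilla_t:shm { unix_read unix_write };`, which is a point of style only; a single `allow $2 mozilla_t:shm { associate getattr unix_read unix_write };` reads more clearly and makes the granted permission set visible at a glance. The retained comment `#should be remove then with adding of roleattribute` next to the commented-out `#attribute_role mozilla_roles;` and `#roleattribute $1 mozilla_roles;` lines could also state plainly what is waiting on what, e.g. `# TODO: switch to roleattribute mozilla_roles once attribute_role is available; remove the explicit role line then`. The `# X access, Home files` comment only describes the home-file rules that follow it, so the "X access" part appears to be stale.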
@@ -34437,17 +34463,125 @@ index b397fde..cccec7e 100644
')
########################################
-@@ -193,11 +211,35 @@ interface(`mozilla_domtrans',`
+ ## <summary>
+-## Do not audit attempt to Create,
+-## read, write, and delete mozilla
+-## home directory content.
++## Dontaudit attempts to write mozilla home directory content
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -216,12 +143,11 @@ interface(`mozilla_dontaudit_manage_user_home_files',`
+
+ dontaudit $1 mozilla_home_t:dir manage_dir_perms;
+ dontaudit $1 mozilla_home_t:file manage_file_perms;
+- dontaudit $1 mozilla_home_t:lnk_file manage_lnk_file_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Execute mozilla home directory files. (Deprecated)
++## Execute mozilla home directory content.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -230,33 +156,16 @@ interface(`mozilla_dontaudit_manage_user_home_files',`
+ ## </param>
+ #
+ interface(`mozilla_exec_user_home_files',`
+- refpolicywarn(`$0($*) has been deprecated, use mozilla_exec_user_plugin_home_files() instead.')
+- mozilla_exec_user_plugin_home_files($1)
+-')
+-
+-########################################
+-## <summary>
+-## Execute mozilla plugin home directory files.
+-## </summary>
+-## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+-## </param>
+-#
+-interface(`mozilla_exec_user_plugin_home_files',`
+ gen_require(`
+- type mozilla_home_t, mozilla_plugin_home_t;
++ type mozilla_home_t;
+ ')
+
+- userdom_search_user_home_dirs($1)
+- exec_files_pattern($1, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
++ can_exec($1, mozilla_home_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Mozilla home directory file
+-## text relocation. (Deprecated)
++## Execmod mozilla home directory content.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -265,27 +174,11 @@ interface(`mozilla_exec_user_plugin_home_files',`
+ ## </param>
+ #
+ interface(`mozilla_execmod_user_home_files',`
+- refpolicywarn(`$0($*) has been deprecated, use mozilla_execmod_user_plugin_home_files() instead.')
+- mozilla_execmod_user_plugin_home_files($1)
+-')
+-
+-########################################
+-## <summary>
+-## Mozilla plugin home directory file
+-## text relocation.
+-## </summary>
+-## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+-## </param>
+-#
+-interface(`mozilla_execmod_user_plugin_home_files',`
+ gen_require(`
+- type mozilla_plugin_home_t;
++ type mozilla_home_t;
+ ')
+
+- allow $1 mozilla_plugin_home_t:file execmod;
++ allow $1 mozilla_home_t:file execmod;
+ ')
+
+ ########################################
+@@ -303,102 +196,102 @@ interface(`mozilla_domtrans',`
+ type mozilla_t, mozilla_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+ domtrans_pattern($1, mozilla_exec_t, mozilla_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Execute a domain transition to
+-## run mozilla plugin.
++## Execute a domain transition to run mozilla_plugin.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed to transition.
++## Domain allowed access.
+ ## </summary>
+ ## </param>
#
interface(`mozilla_domtrans_plugin',`
gen_require(`
-- type mozilla_plugin_t, mozilla_plugin_exec_t, mozilla_plugin_tmpfs_t;
-+ type mozilla_plugin_t, mozilla_plugin_exec_t;
+ type mozilla_plugin_t, mozilla_plugin_exec_t;
+ type mozilla_plugin_config_t, mozilla_plugin_config_exec_t;
+ type mozilla_plugin_rw_t;
- class dbus send_msg;
++ class dbus send_msg;
')
+- corecmd_search_bin($1)
domtrans_pattern($1, mozilla_plugin_exec_t, mozilla_plugin_t)
+ domtrans_pattern($1, mozilla_plugin_config_exec_t, mozilla_plugin_config_t)
+ allow mozilla_plugin_t $1:process signull;
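Review bot: The new summary for `mozilla_dontaudit_manage_user_home_files`, `## Dontaudit attempts to write mozilla home directory content`, no longer matches the interface name or its body, which still dontaudits `manage_dir_perms` and `manage_file_perms` on `mozilla_home_t`; `## Dontaudit attempts to manage mozilla home directory content` would describe it accurately. The same hunk also removes `dontaudit $1 mozilla_home_t:lnk_file manage_lnk_file_perms;`, so symlink operations by callers will start to be audited again — worth confirming that is intended rather than a rebase casualty. The `mozilla_domtrans_plugin` body continues past the end of this hunk.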
@@ -34471,33 +34605,99 @@ index b397fde..cccec7e 100644
+ allow $1 mozilla_plugin_t:dbus send_msg;
+ allow mozilla_plugin_t $1:dbus send_msg;
+
- allow mozilla_plugin_t $1:process signull;
++ allow mozilla_plugin_t $1:process signull;
')
-@@ -224,6 +266,32 @@ interface(`mozilla_run_plugin',`
+ ########################################
+ ## <summary>
+-## Execute mozilla plugin in the
+-## mozilla plugin domain, and allow
+-## the specified role the mozilla
+-## plugin domain.
++## Execute mozilla_plugin in the mozilla_plugin domain, and
++## allow the specified role the mozilla_plugin domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed to transition.
++## Domain allowed access
+ ## </summary>
+ ## </param>
+ ## <param name="role">
+ ## <summary>
+-## Role allowed access.
++## The role to be allowed the mozilla_plugin domain.
+ ## </summary>
+ ## </param>
+ #
+ interface(`mozilla_run_plugin',`
+ gen_require(`
+- attribute_role mozilla_plugin_roles;
++ type mozilla_plugin_t;
+ ')
mozilla_domtrans_plugin($1)
- role $2 types mozilla_plugin_t;
+- roleattribute $2 mozilla_plugin_roles;
++ role $2 types mozilla_plugin_t;
+ role $2 types mozilla_plugin_config_t;
-+')
-+
+ ')
+
+-########################################
+#######################################
-+## <summary>
+ ## <summary>
+-## Execute a domain transition to
+-## run mozilla plugin config.
+## Execute qemu unconfined programs in the role.
-+## </summary>
-+## <param name="role">
+ ## </summary>
+-## <param name="domain">
+-## <summary>
+-## Domain allowed to transition.
+-## </summary>
+-## </param>
+-#
+-interface(`mozilla_domtrans_plugin_config',`
+- gen_require(`
+- type mozilla_plugin_config_t, mozilla_plugin_config_exec_t;
+- ')
+-
+- corecmd_search_bin($1)
+- domtrans_pattern($1, mozilla_plugin_config_exec_t, mozilla_plugin_config_t)
+-')
+-
+-########################################
+-## <summary>
+-## Execute mozilla plugin config in
+-## the mozilla plugin config domain,
+-## and allow the specified role the
+-## mozilla plugin config domain.
+-## </summary>
+-## <param name="domain">
+-## <summary>
+-## Domain allowed to transition.
+-## </summary>
+-## </param>
+ ## <param name="role">
+-## <summary>
+-## Role allowed access.
+-## </summary>
+## <summary>
+## The role to allow the mozilla_plugin domain.
+## </summary>
-+## </param>
+ ## </param>
+## <rolecap/>
-+#
+ #
+-interface(`mozilla_run_plugin_config',`
+- gen_require(`
+- attribute_role mozilla_plugin_config_roles;
+- ')
+interface(`mozilla_role_plugin',`
+ gen_require(`
+ type mozilla_plugin_t;
+ type mozilla_plugin_config_t;
+ ')
-+
+
+- mozilla_domtrans_plugin_config($1)
+- roleattribute $2 mozilla_plugin_config_roles;
+ role $1 types mozilla_plugin_t;
+ role $1 types mozilla_plugin_config_t;
+
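Review bot: The summary of the new `mozilla_role_plugin` interface reads `## Execute qemu unconfined programs in the role.`, which looks copied from the qemu module and does not describe what the body does; it should say something like `## Allow the specified role the mozilla_plugin and mozilla_plugin_config domains.` The same block also removes upstream's `mozilla_domtrans_plugin_config` and `mozilla_run_plugin_config` interfaces, so any other module in this patch set that still calls them will stop building — worth a grep before merging. Minor: the domain parameter of `mozilla_run_plugin` now reads `## Domain allowed access` without the trailing period, and the separator above `mozilla_role_plugin` is 39 `#` where the surrounding interfaces use 40.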
@@ -34507,69 +34707,107 @@ index b397fde..cccec7e 100644
')
########################################
-@@ -265,9 +333,27 @@ interface(`mozilla_rw_tcp_sockets',`
- allow $1 mozilla_t:tcp_socket rw_socket_perms;
+@@ -424,8 +317,7 @@ interface(`mozilla_dbus_chat',`
+
+ ########################################
+ ## <summary>
+-## Send and receive messages from
+-## mozilla plugin over dbus.
++## read/write mozilla per user tcp_socket
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -433,76 +325,90 @@ interface(`mozilla_dbus_chat',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`mozilla_dbus_chat_plugin',`
++interface(`mozilla_rw_tcp_sockets',`
+ gen_require(`
+- type mozilla_plugin_t;
+- class dbus send_msg;
++ type mozilla_t;
+ ')
+
+- allow $1 mozilla_plugin_t:dbus send_msg;
+- allow mozilla_plugin_t $1:dbus send_msg;
++ allow $1 mozilla_t:tcp_socket rw_socket_perms;
')
+-########################################
+#######################################
-+## <summary>
+ ## <summary>
+-## Read and write mozilla TCP sockets.
+## Read mozilla_plugin tmpfs files
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+## <summary>
+## Domain allowed access
+## </summary>
-+## </param>
-+#
+ ## </param>
+ #
+-interface(`mozilla_rw_tcp_sockets',`
+- gen_require(`
+- type mozilla_t;
+- ')
+interface(`mozilla_plugin_read_tmpfs_files',`
+ gen_require(`
+ type mozilla_plugin_tmpfs_t;
+ ')
-+
+
+- allow $1 mozilla_t:tcp_socket rw_socket_perms;
+ allow $1 mozilla_plugin_tmpfs_t:file read_file_perms;
-+')
-+
+ ')
+
########################################
## <summary>
--## Read mozilla_plugin tmpfs files
+-## Create, read, write, and delete
+-## mozilla plugin rw files.
+## Delete mozilla_plugin tmpfs files
## </summary>
## <param name="domain">
## <summary>
-@@ -275,28 +361,119 @@ interface(`mozilla_rw_tcp_sockets',`
+-## Domain allowed access.
++## Domain allowed access
## </summary>
## </param>
#
--interface(`mozilla_plugin_read_tmpfs_files',`
+-interface(`mozilla_manage_plugin_rw_files',`
+interface(`mozilla_plugin_delete_tmpfs_files',`
gen_require(`
- type mozilla_plugin_tmpfs_t;
+- type mozilla_plugin_rw_t;
++ type mozilla_plugin_tmpfs_t;
')
-- allow $1 mozilla_plugin_tmpfs_t:file read_file_perms;
+- libs_search_lib($1)
+- manage_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+ allow $1 mozilla_plugin_tmpfs_t:file delete_file_perms;
')
########################################
## <summary>
--## Delete mozilla_plugin tmpfs files
+-## Read mozilla_plugin tmpfs files.
+## Dontaudit read/write to a mozilla_plugin leaks
## </summary>
## <param name="domain">
## <summary>
--## Domain allowed access
+-## Domain allowed access.
+## Domain to not audit.
## </summary>
## </param>
#
--interface(`mozilla_plugin_delete_tmpfs_files',`
+-interface(`mozilla_plugin_read_tmpfs_files',`
+interface(`mozilla_plugin_dontaudit_leaks',`
gen_require(`
- type mozilla_plugin_tmpfs_t;
+ type mozilla_plugin_t;
')
-- allow $1 mozilla_plugin_tmpfs_t:file unlink;
+- fs_search_tmpfs($1)
+- allow $1 mozilla_plugin_tmpfs_t:file read_file_perms;
+ dontaudit $1 mozilla_plugin_t:unix_stream_socket { read write };
+')
+
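Review bot: The Fedora versions of `mozilla_plugin_read_tmpfs_files` and `mozilla_plugin_delete_tmpfs_files` drop the `fs_search_tmpfs($1)` call that upstream has before the `allow`, so a caller that reaches the file by path rather than through an inherited descriptor will need tmpfs directory search from somewhere else; if that is deliberate, a line such as `# callers are expected to hold tmpfs dir search themselves` above the `allow` would stop the next reader from re-adding it. The hunk also removes upstream's `mozilla_dbus_chat_plugin`; the dbus `send_msg` rules appear to have been folded into `mozilla_domtrans_plugin` in the previous hunk, but external callers of `mozilla_dbus_chat_plugin` will now fail to build. Minor: `## read/write mozilla per user tcp_socket` and the `## Domain allowed access` lines lack the capitalisation and trailing period used by the neighbouring interfaces.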
@@ -34590,62 +34828,93 @@ index b397fde..cccec7e 100644
+
+ dontaudit $1 mozilla_plugin_tmp_t:file { read write };
')
-+
-+########################################
-+## <summary>
+
+ ########################################
+ ## <summary>
+-## Delete mozilla_plugin tmpfs files.
+## Create, read, write, and delete
+## mozilla_plugin rw files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -510,19 +416,18 @@ interface(`mozilla_plugin_read_tmpfs_files',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`mozilla_plugin_delete_tmpfs_files',`
+interface(`mozilla_plugin_manage_rw_files',`
-+ gen_require(`
+ gen_require(`
+- type mozilla_plugin_tmpfs_t;
+ type mozilla_plugin_rw_t;
-+ ')
-+
+ ')
+
+- fs_search_tmpfs($1)
+- allow $1 mozilla_plugin_tmpfs_t:file delete_file_perms;
+ allow $1 mozilla_plugin_rw_t:file manage_file_perms;
+ allow $1 mozilla_plugin_rw_t:dir rw_dir_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete
+-## generic mozilla plugin home content.
+## read mozilla_plugin rw files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -530,45 +435,45 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`mozilla_manage_generic_plugin_home_content',`
+interface(`mozilla_plugin_read_rw_files',`
-+ gen_require(`
+ gen_require(`
+- type mozilla_plugin_home_t;
+ type mozilla_plugin_rw_t;
-+ ')
-+
+ ')
+
+- userdom_search_user_home_dirs($1)
+- allow $1 mozilla_plugin_home_t:dir manage_dir_perms;
+- allow $1 mozilla_plugin_home_t:file manage_file_perms;
+- allow $1 mozilla_plugin_home_t:fifo_file manage_fifo_file_perms;
+- allow $1 mozilla_plugin_home_t:lnk_file manage_lnk_file_perms;
+- allow $1 mozilla_plugin_home_t:sock_file manage_sock_file_perms;
+ read_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Create objects in user home
+-## directories with the generic mozilla
+-## plugin home type.
+## Create mozilla content in the user home directory
+## with an correct label.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <param name="object_class">
+-## <summary>
+-## Class of the object being created.
+-## </summary>
+-## </param>
+-## <param name="name" optional="true">
+-## <summary>
+-## The name of the object being created.
+-## </summary>
+-## </param>
+ #
+-interface(`mozilla_home_filetrans_plugin_home',`
+interface(`mozilla_filetrans_home_content',`
+
-+ gen_require(`
+ gen_require(`
+- type mozilla_plugin_home_t;
+ type mozilla_home_t;
-+ ')
-+
+ ')
+
+- userdom_user_home_dir_filetrans($1, mozilla_plugin_home_t, $2, $3)
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".galeon")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".java")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".mozilla")
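Review bot: `mozilla_plugin_manage_rw_files` spells out `allow $1 mozilla_plugin_rw_t:file manage_file_perms;` and `allow $1 mozilla_plugin_rw_t:dir rw_dir_perms;` as raw rules while `mozilla_plugin_read_rw_files` just below uses `read_files_pattern(...)`; `manage_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)` (the form upstream used in the removed `mozilla_manage_plugin_rw_files`) grants the same permissions and keeps the two interfaces consistent. The new `mozilla_filetrans_home_content` replaces upstream's parameterised `mozilla_home_filetrans_plugin_home($1, $2, $3)` with a fixed list of dotfile names, so a caller that previously passed its own name or object class has no equivalent left; its body starts in this hunk and the rest of the name list continues in the next one. Typo in the same docblock: `## with an correct label.` should be `## with a correct label.`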
@@ -34661,29 +34930,43 @@ index b397fde..cccec7e 100644
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".ICAClient")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, "zimbrauserdata")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".lyx")
-+')
+ ')
+
diff --git a/mozilla.te b/mozilla.te
-index d4fcb75..8cf0087 100644
+index 6a306ee..8247246 100644
--- a/mozilla.te
+++ b/mozilla.te
-@@ -7,19 +7,34 @@ policy_module(mozilla, 2.6.0)
+@@ -1,4 +1,4 @@
+-policy_module(mozilla, 2.7.4)
++policy_module(mozilla, 2.6.0)
+
+ ########################################
+ #
+@@ -6,23 +6,38 @@ policy_module(mozilla, 2.7.4)
+ #
## <desc>
- ## <p>
+-## <p>
+-## Determine whether mozilla can
+-## make its stack executable.
+-## </p>
++## <p>
+## Allow mozilla plugin domain to connect to the network using TCP.
+## </p>
-+## </desc>
-+gen_tunable(mozilla_plugin_can_network_connect, false)
-+
-+## <desc>
-+## <p>
- ## Allow confined web browsers to read home directory content
- ## </p>
## </desc>
- gen_tunable(mozilla_read_content, false)
+-gen_tunable(mozilla_execstack, false)
++gen_tunable(mozilla_plugin_can_network_connect, false)
-attribute_role mozilla_roles;
+-attribute_role mozilla_plugin_roles;
+-attribute_role mozilla_plugin_config_roles;
++## <desc>
++## <p>
++## Allow confined web browsers to read home directory content
++## </p>
++## </desc>
++gen_tunable(mozilla_read_content, false)
++
+## <desc>
+## <p>
+## Allow mozilla_plugins to create random content in the users home directory
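Review bot: The module header goes backwards from upstream's `policy_module(mozilla, 2.7.4)` to `policy_module(mozilla, 2.6.0)`; the `policy_module` version is presumably what the module reports once installed, and shipping a number lower than the refpolicy release this mass merge is based on makes it hard to tell which base a deployed module came from, so either keep `2.7.4` or bump past it. The hunk also drops upstream's `mozilla_execstack` tunable; its replacement (`selinuxuser_execstack` / `deny_execmem`) is in a later hunk of this file, but any local configuration or documentation still naming `mozilla_execstack` will silently stop matching. The tunable block continues past the end of this hunk.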
@@ -34701,14 +34984,22 @@ index d4fcb75..8cf0087 100644
-role mozilla_roles types mozilla_t;
+#role mozilla_roles types mozilla_t;
+role system_r types mozilla_t;
++
++type mozilla_conf_t;
++files_config_file(mozilla_conf_t)
+
+ type mozilla_home_t;
+ typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t };
+@@ -31,29 +46,26 @@ userdom_user_home_content(mozilla_home_t)
- type mozilla_conf_t;
- files_config_file(mozilla_conf_t)
-@@ -32,14 +47,26 @@ userdom_user_home_content(mozilla_home_t)
type mozilla_plugin_t;
type mozilla_plugin_exec_t;
- application_domain(mozilla_plugin_t, mozilla_plugin_exec_t)
--role mozilla_roles types mozilla_plugin_t;
+-userdom_user_application_domain(mozilla_plugin_t, mozilla_plugin_exec_t)
+-role mozilla_plugin_roles types mozilla_plugin_t;
+-
+-type mozilla_plugin_home_t;
+-userdom_user_home_content(mozilla_plugin_home_t)
++application_domain(mozilla_plugin_t, mozilla_plugin_exec_t)
+#role mozilla_roles types mozilla_plugin_t;
+role system_r types mozilla_plugin_t;
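Review bot: `#role mozilla_roles types mozilla_t;` and `#role mozilla_roles types mozilla_plugin_t;` are dead code carried next to the replacement `role system_r types ...` rules; drop them, or replace them with a one-line comment such as `# attached to system_r rather than a role attribute; see mozilla_role_plugin in mozilla.if` so the reason survives. The hunk also swaps upstream's `userdom_user_application_domain(mozilla_plugin_t, mozilla_plugin_exec_t)` for plain `application_domain(...)` and deletes the `mozilla_plugin_home_t` type; if anything else in this patch set (the file contexts in particular) still references `mozilla_plugin_home_t` the module will not build, and those users are outside this hunk, so it is worth checking.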
@@ -34720,44 +35011,174 @@ index d4fcb75..8cf0087 100644
+userdom_user_tmpfs_content(mozilla_plugin_tmpfs_t)
userdom_user_tmpfs_file(mozilla_plugin_tmpfs_t)
-+type mozilla_plugin_rw_t;
-+files_type(mozilla_plugin_rw_t)
-+
-+type mozilla_plugin_config_t;
-+type mozilla_plugin_config_exec_t;
+-optional_policy(`
+- pulseaudio_tmpfs_content(mozilla_plugin_tmpfs_t)
+-')
+-
+ type mozilla_plugin_rw_t;
+ files_type(mozilla_plugin_rw_t)
+
+ type mozilla_plugin_config_t;
+ type mozilla_plugin_config_exec_t;
+-userdom_user_application_domain(mozilla_plugin_config_t, mozilla_plugin_config_exec_t)
+-role mozilla_plugin_config_roles types mozilla_plugin_config_t;
+application_domain(mozilla_plugin_config_t, mozilla_plugin_config_exec_t)
+#role mozilla_roles types mozilla_plugin_config_t;
+role system_r types mozilla_plugin_config_t;
-+
+
type mozilla_tmp_t;
userdom_user_tmp_file(mozilla_tmp_t)
+@@ -63,10 +75,6 @@ typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sys
+ typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_t };
+ userdom_user_tmpfs_file(mozilla_tmpfs_t)
-@@ -100,7 +127,6 @@ corecmd_exec_shell(mozilla_t)
+-optional_policy(`
+- pulseaudio_tmpfs_content(mozilla_tmpfs_t)
+-')
+-
+ ########################################
+ #
+ # Local policy
+@@ -75,23 +83,26 @@ optional_policy(`
+ allow mozilla_t self:capability { sys_nice setgid setuid };
+ allow mozilla_t self:process { sigkill signal setsched getsched setrlimit };
+ allow mozilla_t self:fifo_file rw_fifo_file_perms;
+-allow mozilla_t self:shm create_shm_perms;
++allow mozilla_t self:shm { unix_read unix_write read write destroy create };
+ allow mozilla_t self:sem create_sem_perms;
+ allow mozilla_t self:socket create_socket_perms;
+-allow mozilla_t self:unix_stream_socket { accept listen };
++allow mozilla_t self:unix_stream_socket { listen accept };
++# Browse the web, connect to printer
++allow mozilla_t self:tcp_socket create_socket_perms;
++allow mozilla_t self:netlink_route_socket r_netlink_socket_perms;
+
+-allow mozilla_t mozilla_plugin_t:unix_stream_socket rw_socket_perms;
+-allow mozilla_t mozilla_plugin_t:fd use;
++# for bash - old mozilla binary
++can_exec(mozilla_t, mozilla_exec_t)
+
+-allow mozilla_t { mozilla_home_t mozilla_plugin_home_t }:dir manage_dir_perms;
+-allow mozilla_t { mozilla_home_t mozilla_plugin_home_t }:file manage_file_perms;
+-allow mozilla_t mozilla_home_t:lnk_file manage_lnk_file_perms;
+-userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".galeon")
+-userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".mozilla")
+-userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".netscape")
+-userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".phoenix")
++# X access, Home files
++manage_dirs_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
++manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
++manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
++userdom_search_user_home_dirs(mozilla_t)
++userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir)
+
+-filetrans_pattern(mozilla_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins")
++# Mozpluggerrc
++allow mozilla_t mozilla_conf_t:file read_file_perms;
+
+ manage_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
+ manage_dirs_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
+@@ -103,76 +114,70 @@ manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
+ manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
+ fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file })
+
+-allow mozilla_t mozilla_plugin_rw_t:dir list_dir_perms;
+-allow mozilla_t mozilla_plugin_rw_t:file read_file_perms;
+-allow mozilla_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms;
+-
+-stream_connect_pattern(mozilla_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_plugin_t)
+-
+-can_exec(mozilla_t, { mozilla_exec_t mozilla_plugin_rw_t mozilla_plugin_home_t })
+-
+ kernel_read_kernel_sysctls(mozilla_t)
+ kernel_read_network_state(mozilla_t)
++# Access /proc, sysctl
+ kernel_read_system_state(mozilla_t)
+ kernel_read_net_sysctls(mozilla_t)
+
++# Look for plugins
+ corecmd_list_bin(mozilla_t)
++# for bash - old mozilla binary
+ corecmd_exec_shell(mozilla_t)
corecmd_exec_bin(mozilla_t)
- # Browse the web, connect to printer
-corenet_all_recvfrom_unlabeled(mozilla_t)
++# Browse the web, connect to printer
corenet_all_recvfrom_netlabel(mozilla_t)
corenet_tcp_sendrecv_generic_if(mozilla_t)
- corenet_raw_sendrecv_generic_if(mozilla_t)
-@@ -110,6 +136,7 @@ corenet_tcp_sendrecv_http_port(mozilla_t)
++corenet_raw_sendrecv_generic_if(mozilla_t)
+ corenet_tcp_sendrecv_generic_node(mozilla_t)
+-
+-corenet_sendrecv_http_client_packets(mozilla_t)
+-corenet_tcp_connect_http_port(mozilla_t)
++corenet_raw_sendrecv_generic_node(mozilla_t)
+ corenet_tcp_sendrecv_http_port(mozilla_t)
+-
+-corenet_sendrecv_http_cache_client_packets(mozilla_t)
+-corenet_tcp_connect_http_cache_port(mozilla_t)
corenet_tcp_sendrecv_http_cache_port(mozilla_t)
+-
+-corenet_sendrecv_squid_client_packets(mozilla_t)
+-corenet_tcp_connect_squid_port(mozilla_t)
corenet_tcp_sendrecv_squid_port(mozilla_t)
+-
+-corenet_sendrecv_ftp_client_packets(mozilla_t)
+-corenet_tcp_connect_ftp_port(mozilla_t)
corenet_tcp_sendrecv_ftp_port(mozilla_t)
+-
+-corenet_sendrecv_ipp_client_packets(mozilla_t)
+-corenet_tcp_connect_ipp_port(mozilla_t)
+corenet_tcp_connect_all_ephemeral_ports(mozilla_t)
corenet_tcp_sendrecv_ipp_port(mozilla_t)
- corenet_tcp_connect_http_port(mozilla_t)
- corenet_tcp_connect_http_cache_port(mozilla_t)
-@@ -140,7 +167,6 @@ domain_dontaudit_read_all_domains_state(mozilla_t)
+-
+-corenet_sendrecv_soundd_client_packets(mozilla_t)
++corenet_tcp_connect_http_port(mozilla_t)
++corenet_tcp_connect_http_cache_port(mozilla_t)
++corenet_tcp_connect_squid_port(mozilla_t)
++corenet_tcp_connect_ftp_port(mozilla_t)
++corenet_tcp_connect_ipp_port(mozilla_t)
++corenet_tcp_connect_generic_port(mozilla_t)
+ corenet_tcp_connect_soundd_port(mozilla_t)
+-corenet_tcp_sendrecv_soundd_port(mozilla_t)
+-
+-corenet_sendrecv_speech_client_packets(mozilla_t)
++corenet_sendrecv_http_client_packets(mozilla_t)
++corenet_sendrecv_http_cache_client_packets(mozilla_t)
++corenet_sendrecv_squid_client_packets(mozilla_t)
++corenet_sendrecv_ftp_client_packets(mozilla_t)
++corenet_sendrecv_ipp_client_packets(mozilla_t)
++corenet_sendrecv_generic_client_packets(mozilla_t)
++# Should not need other ports
++corenet_dontaudit_tcp_sendrecv_generic_port(mozilla_t)
++corenet_dontaudit_tcp_bind_generic_port(mozilla_t)
+ corenet_tcp_connect_speech_port(mozilla_t)
+-corenet_tcp_sendrecv_speech_port(mozilla_t)
+
+-dev_getattr_sysfs_dirs(mozilla_t)
+-dev_read_sound(mozilla_t)
+-dev_read_rand(mozilla_t)
+ dev_read_urand(mozilla_t)
+-dev_rw_dri(mozilla_t)
++dev_read_rand(mozilla_t)
+ dev_write_sound(mozilla_t)
++dev_read_sound(mozilla_t)
++dev_dontaudit_rw_dri(mozilla_t)
++dev_getattr_sysfs_dirs(mozilla_t)
+
+ domain_dontaudit_read_all_domains_state(mozilla_t)
files_read_etc_runtime_files(mozilla_t)
files_read_usr_files(mozilla_t)
--files_read_etc_files(mozilla_t)
- # /var/lib
+-files_read_var_files(mozilla_t)
++# /var/lib
files_read_var_lib_files(mozilla_t)
- # interacting with gstreamer
-@@ -151,42 +177,34 @@ files_dontaudit_getattr_boot_dirs(mozilla_t)
- fs_dontaudit_getattr_all_fs(mozilla_t)
++# interacting with gstreamer
++files_read_var_files(mozilla_t)
+ files_read_var_symlinks(mozilla_t)
+ files_dontaudit_getattr_boot_dirs(mozilla_t)
+
+-fs_getattr_all_fs(mozilla_t)
++fs_dontaudit_getattr_all_fs(mozilla_t)
fs_search_auto_mountpoints(mozilla_t)
fs_list_inotifyfs(mozilla_t)
-fs_rw_tmpfs_files(mozilla_t)
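Review bot: `userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir)` has no name argument, so every directory the browser creates directly in a user's home becomes `mozilla_home_t`, whereas the removed upstream lines just above and the new `mozilla_filetrans_home_content` interface in the .if hunks only transition named dotfiles such as `.mozilla`; since `mozilla_home_t` is execmod-able through `mozilla_execmod_user_home_files` and executable by the plugin domain later in this file, the unnamed transition widens what ends up with that label. Calling `mozilla_filetrans_home_content(mozilla_t)` here instead would keep the .te and the .if in step. A smaller inconsistency in the same hunk: `corenet_tcp_connect_generic_port(mozilla_t)` and `corenet_sendrecv_generic_client_packets(mozilla_t)` are allowed a few lines above the comment `# Should not need other ports`, which then dontaudits `corenet_dontaudit_tcp_sendrecv_generic_port(mozilla_t)`; either the allow or the comment is stale.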
@@ -34765,94 +35186,241 @@ index d4fcb75..8cf0087 100644
term_dontaudit_getattr_pty_dirs(mozilla_t)
-+auth_use_nsswitch(mozilla_t)
-+
+@@ -181,56 +186,73 @@ auth_use_nsswitch(mozilla_t)
logging_send_syslog_msg(mozilla_t)
miscfiles_read_fonts(mozilla_t)
-miscfiles_read_localization(mozilla_t)
miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
--# Browse the web, connect to printer
--sysnet_dns_name_resolve(mozilla_t)
--
-userdom_use_user_ptys(mozilla_t)
+-
+-userdom_manage_user_tmp_dirs(mozilla_t)
+-userdom_manage_user_tmp_files(mozilla_t)
+userdom_use_inherited_user_ptys(mozilla_t)
+-userdom_manage_user_home_content_dirs(mozilla_t)
+-userdom_manage_user_home_content_files(mozilla_t)
+-userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file })
+-
+-userdom_write_user_tmp_sockets(mozilla_t)
+-
-mozilla_run_plugin(mozilla_t, mozilla_roles)
+-mozilla_run_plugin_config(mozilla_t, mozilla_roles)
+#mozilla_run_plugin(mozilla_t, mozilla_roles)
xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t)
--tunable_policy(`allow_execmem',`
-- allow mozilla_t self:process { execmem execstack };
+-ifndef(`enable_mls',`
+- fs_list_dos(mozilla_t)
+- fs_read_dos_files(mozilla_t)
+-
+- fs_search_removable(mozilla_t)
+- fs_read_removable_files(mozilla_t)
+- fs_read_removable_symlinks(mozilla_t)
+-
+- fs_read_iso9660_files(mozilla_t)
+tunable_policy(`selinuxuser_execstack',`
+ allow mozilla_t self:process execstack;
')
+-tunable_policy(`allow_execmem',`
++tunable_policy(`deny_execmem',`',`
+ allow mozilla_t self:process execmem;
+ ')
+
+-tunable_policy(`mozilla_execstack',`
+- allow mozilla_t self:process { execmem execstack };
+-')
+-
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(mozilla_t)
- fs_manage_nfs_files(mozilla_t)
- fs_manage_nfs_symlinks(mozilla_t)
-+tunable_policy(`deny_execmem',`',`
-+ allow mozilla_t self:process execmem;
- ')
-
+-')
+-
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(mozilla_t)
- fs_manage_cifs_files(mozilla_t)
- fs_manage_cifs_symlinks(mozilla_t)
--')
+userdom_home_manager(mozilla_t)
++
++# Uploads, local html
++tunable_policy(`mozilla_read_content && use_nfs_home_dirs',`
++ fs_list_auto_mountpoints(mozilla_t)
++ files_list_home(mozilla_t)
++ fs_read_nfs_files(mozilla_t)
++ fs_read_nfs_symlinks(mozilla_t)
++
++',`
++ files_dontaudit_list_home(mozilla_t)
++ fs_dontaudit_list_auto_mountpoints(mozilla_t)
++ fs_dontaudit_read_nfs_files(mozilla_t)
++ fs_dontaudit_list_nfs(mozilla_t)
++')
++
++tunable_policy(`mozilla_read_content && use_samba_home_dirs',`
++ fs_list_auto_mountpoints(mozilla_t)
++ files_list_home(mozilla_t)
++ fs_read_cifs_files(mozilla_t)
++ fs_read_cifs_symlinks(mozilla_t)
++',`
++ files_dontaudit_list_home(mozilla_t)
++ fs_dontaudit_list_auto_mountpoints(mozilla_t)
++ fs_dontaudit_read_cifs_files(mozilla_t)
++ fs_dontaudit_list_cifs(mozilla_t)
++')
++
++tunable_policy(`mozilla_read_content',`
++ userdom_list_user_tmp(mozilla_t)
++ userdom_read_user_tmp_files(mozilla_t)
++ userdom_read_user_tmp_symlinks(mozilla_t)
++ userdom_read_user_home_content_files(mozilla_t)
++ userdom_read_user_home_content_symlinks(mozilla_t)
++
++ ifndef(`enable_mls',`
++ fs_search_removable(mozilla_t)
++ fs_read_removable_files(mozilla_t)
++ fs_read_removable_symlinks(mozilla_t)
++ ')
++',`
++ files_dontaudit_list_tmp(mozilla_t)
++ files_dontaudit_list_home(mozilla_t)
++ fs_dontaudit_list_removable(mozilla_t)
++ fs_dontaudit_read_removable_files(mozilla_t)
++ userdom_dontaudit_list_user_tmp(mozilla_t)
++ userdom_dontaudit_read_user_tmp_files(mozilla_t)
++ userdom_dontaudit_list_user_home_dirs(mozilla_t)
++ userdom_dontaudit_read_user_home_content_files(mozilla_t)
+ ')
+
+ optional_policy(`
+@@ -244,19 +266,12 @@ optional_policy(`
+
+ optional_policy(`
+ cups_read_rw_config(mozilla_t)
++ cups_dbus_chat(mozilla_t)
+ ')
+
+ optional_policy(`
+- dbus_all_session_bus_client(mozilla_t)
+ dbus_system_bus_client(mozilla_t)
+-
+- optional_policy(`
+- cups_dbus_chat(mozilla_t)
+- ')
+-
+- optional_policy(`
+- mozilla_dbus_chat_plugin(mozilla_t)
+- ')
++ dbus_session_bus_client(mozilla_t)
+
+ optional_policy(`
+ networkmanager_dbus_chat(mozilla_t)
+@@ -265,33 +280,32 @@ optional_policy(`
- # Uploads, local html
- tunable_policy(`mozilla_read_content && use_nfs_home_dirs',`
-@@ -263,6 +281,7 @@ optional_policy(`
optional_policy(`
gnome_stream_connect_gconf(mozilla_t)
- gnome_manage_config(mozilla_t)
+- gnome_manage_generic_gconf_home_content(mozilla_t)
+- gnome_home_filetrans_gconf_home(mozilla_t, dir, ".gconf")
+- gnome_home_filetrans_gconf_home(mozilla_t, dir, ".gconfd")
+- gnome_manage_generic_home_content(mozilla_t)
+- gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome")
+- gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome2")
+- gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome2_private")
++ gnome_manage_config(mozilla_t)
+ gnome_manage_gconf_home_files(mozilla_t)
')
optional_policy(`
-@@ -283,7 +302,8 @@ optional_policy(`
+- java_exec(mozilla_t)
+- java_manage_generic_home_content(mozilla_t)
+- java_home_filetrans_java_home(mozilla_t, dir, ".java")
++ java_domtrans(mozilla_t)
')
optional_policy(`
-- pulseaudio_role(mozilla_roles, mozilla_t)
+- lpd_run_lpr(mozilla_t, mozilla_roles)
++ lpd_domtrans_lpr(mozilla_t)
+ ')
+
+ optional_policy(`
+- mplayer_exec(mozilla_t)
+- mplayer_manage_generic_home_content(mozilla_t)
+- mplayer_home_filetrans_mplayer_home(mozilla_t, dir, ".mplayer")
++ mplayer_domtrans(mozilla_t)
++ mplayer_read_user_home_files(mozilla_t)
+ ')
+
+ optional_policy(`
+- pulseaudio_run(mozilla_t, mozilla_roles)
++ nscd_socket_use(mozilla_t)
++')
++
++optional_policy(`
+ #pulseaudio_role(mozilla_roles, mozilla_t)
+ pulseaudio_exec(mozilla_t)
- pulseaudio_stream_connect(mozilla_t)
- pulseaudio_manage_home_files(mozilla_t)
++ pulseaudio_stream_connect(mozilla_t)
++ pulseaudio_manage_home_files(mozilla_t)
')
-@@ -297,65 +317,102 @@ optional_policy(`
- # mozilla_plugin local policy
+
+ optional_policy(`
+@@ -300,63 +314,53 @@ optional_policy(`
+
+ ########################################
+ #
+-# Plugin local policy
++# mozilla_plugin local policy
#
--dontaudit mozilla_plugin_t self:capability { sys_ptrace };
--allow mozilla_plugin_t self:process { setsched signal_perms execmem };
+-dontaudit mozilla_plugin_t self:capability { ipc_lock sys_nice sys_ptrace sys_tty_config };
+-allow mozilla_plugin_t self:process { setpgid getsched setsched signal_perms setrlimit };
-allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms;
--allow mozilla_plugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
+dontaudit mozilla_plugin_t self:capability { ipc_lock sys_nice sys_tty_config };
+
+allow mozilla_plugin_t self:process { setpgid getsched setsched signal_perms execmem execstack setrlimit };
+allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms;
- allow mozilla_plugin_t self:tcp_socket create_stream_socket_perms;
- allow mozilla_plugin_t self:udp_socket create_socket_perms;
--allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms;
++allow mozilla_plugin_t self:tcp_socket create_stream_socket_perms;
++allow mozilla_plugin_t self:udp_socket create_socket_perms;
allow mozilla_plugin_t self:netlink_kobject_uevent_socket create_socket_perms;
+
allow mozilla_plugin_t self:sem create_sem_perms;
allow mozilla_plugin_t self:shm create_shm_perms;
+-allow mozilla_plugin_t self:tcp_socket { accept listen };
+-allow mozilla_plugin_t self:unix_stream_socket { accept connectto listen };
+-
+-allow mozilla_plugin_t mozilla_t:unix_stream_socket rw_socket_perms;
+-allow mozilla_plugin_t mozilla_t:unix_dgram_socket rw_socket_perms;
+-allow mozilla_plugin_t mozilla_t:shm { rw_shm_perms destroy };
+-allow mozilla_plugin_t mozilla_t:sem create_sem_perms;
+-
+-manage_dirs_pattern(mozilla_plugin_t, { mozilla_home_t mozilla_plugin_home_t }, { mozilla_home_t mozilla_plugin_home_t })
+-manage_files_pattern(mozilla_plugin_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
+-manage_lnk_files_pattern(mozilla_plugin_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
+-
+-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, ".galeon")
+-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, ".mozilla")
+-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, ".netscape")
+-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, ".phoenix")
+-
+-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".adobe")
+-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".macromedia")
+-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".gnash")
+-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".gcjwebplugin")
+-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".icedteaplugin")
+-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".spicec")
+-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".ICAClient")
+-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, "zimbrauserdata")
+-
+-filetrans_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins")
+allow mozilla_plugin_t self:msgq create_msgq_perms;
+allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms;
+allow mozilla_plugin_t self:unix_dgram_socket sendto;
+allow mozilla_plugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
-
- can_exec(mozilla_plugin_t, mozilla_home_t)
--read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
++
++can_exec(mozilla_plugin_t, mozilla_home_t)
+manage_dirs_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
+manage_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
+manage_lnk_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
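Review bot: `allow mozilla_plugin_t self:process { setpgid getsched setsched signal_perms execmem execstack setrlimit };` grants `execmem` and `execstack` to the plugin domain unconditionally, while earlier in the same hunk the browser domain only gets them under `tunable_policy(`selinuxuser_execstack', ...)` and `tunable_policy(`deny_execmem',`', ...)`; the plugin domain is the one running third-party code, so gating it the same way, or at least a comment stating why it cannot be, would keep the two consistent. Upstream's corresponding line carries neither permission, so this is a Fedora-side widening rather than a carried-over rule. Separately, `#mozilla_run_plugin(mozilla_t, mozilla_roles)` is left as a commented-out call; if the browser-to-plugin transition is now granted elsewhere, a one-line comment naming where would be more useful than the dead line. The plugin local-policy section continues past the end of this hunk.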
@@ -34877,19 +35445,22 @@ index d4fcb75..8cf0087 100644
manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
+userdom_tmpfs_filetrans_to(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
-+
-+allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms;
+
+ allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms;
+-allow mozilla_plugin_t mozilla_plugin_rw_t:file read_file_perms;
+-allow mozilla_plugin_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms;
+read_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+read_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
- can_exec(mozilla_plugin_t, mozilla_exec_t)
+-dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
+-stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
+-
+-can_exec(mozilla_plugin_t, { mozilla_exec_t mozilla_plugin_home_t mozilla_plugin_tmp_t })
++can_exec(mozilla_plugin_t, mozilla_exec_t)
--kernel_read_kernel_sysctls(mozilla_plugin_t)
-+kernel_read_all_sysctls(mozilla_plugin_t)
+ kernel_read_all_sysctls(mozilla_plugin_t)
kernel_read_system_state(mozilla_plugin_t)
- kernel_read_network_state(mozilla_plugin_t)
- kernel_request_load_module(mozilla_plugin_t)
-+kernel_dontaudit_getattr_core_if(mozilla_plugin_t)
+@@ -366,155 +370,110 @@ kernel_dontaudit_getattr_core_if(mozilla_plugin_t)
corecmd_exec_bin(mozilla_plugin_t)
corecmd_exec_shell(mozilla_plugin_t)
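Review bot: Upstream's `dgram_send_pattern(...)` and `stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)` are removed here with no replacement in the hunk, so if the plugin still reaches the browser over a unix socket in its tmpfs that connect will now be denied; the `mozilla_plugin_dontaudit_leaks` interface added in the .if hunks dontaudits unix_stream_socket read/write on `mozilla_plugin_t`, which suggests such sockets are still in play, so this looks worth confirming rather than assuming dead. The narrowed `can_exec(mozilla_plugin_t, mozilla_exec_t)` drops `mozilla_plugin_tmp_t` from upstream's set, which is a welcome tightening; a short comment such as `# plugins must not execute their own tmp files` would record that it is deliberate. The surrounding plugin policy block starts in the previous hunk and continues past this one.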
@@ -34899,29 +35470,73 @@ index d4fcb75..8cf0087 100644
-corenet_all_recvfrom_unlabeled(mozilla_plugin_t)
-corenet_tcp_sendrecv_generic_if(mozilla_plugin_t)
-corenet_tcp_sendrecv_generic_node(mozilla_plugin_t)
-+corenet_tcp_connect_asterisk_port(mozilla_plugin_t)
- corenet_tcp_connect_generic_port(mozilla_plugin_t)
--corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t)
+-
+-corenet_sendrecv_asterisk_client_packets(mozilla_plugin_t)
+ corenet_tcp_connect_asterisk_port(mozilla_plugin_t)
+-corenet_tcp_sendrecv_asterisk_port(mozilla_plugin_t)
+-
+-corenet_sendrecv_ftp_client_packets(mozilla_plugin_t)
++corenet_tcp_connect_generic_port(mozilla_plugin_t)
+corenet_tcp_connect_flash_port(mozilla_plugin_t)
-+corenet_tcp_connect_ftp_port(mozilla_plugin_t)
+ corenet_tcp_connect_ftp_port(mozilla_plugin_t)
+-corenet_tcp_sendrecv_ftp_port(mozilla_plugin_t)
+-
+-corenet_sendrecv_gatekeeper_client_packets(mozilla_plugin_t)
+-corenet_tcp_connect_gatekeeper_port(mozilla_plugin_t)
+-corenet_tcp_sendrecv_gatekeeper_port(mozilla_plugin_t)
+-
+-corenet_sendrecv_http_client_packets(mozilla_plugin_t)
corenet_tcp_connect_http_port(mozilla_plugin_t)
+-corenet_tcp_sendrecv_http_port(mozilla_plugin_t)
+-
+-corenet_sendrecv_http_cache_client_packets(mozilla_plugin_t)
+corenet_tcp_connect_gatekeeper_port(mozilla_plugin_t)
corenet_tcp_connect_http_cache_port(mozilla_plugin_t)
--corenet_tcp_connect_squid_port(mozilla_plugin_t)
+-corenet_tcp_sendrecv_http_cache_port(mozilla_plugin_t)
+-
+-corenet_sendrecv_ipp_client_packets(mozilla_plugin_t)
+corenet_tcp_connect_ipsecnat_port(mozilla_plugin_t)
corenet_tcp_connect_ipp_port(mozilla_plugin_t)
-+corenet_tcp_connect_ircd_port(mozilla_plugin_t)
-+corenet_tcp_connect_jabber_client_port(mozilla_plugin_t)
+-corenet_tcp_sendrecv_ipp_port(mozilla_plugin_t)
+-
+-corenet_sendrecv_ircd_client_packets(mozilla_plugin_t)
+ corenet_tcp_connect_ircd_port(mozilla_plugin_t)
+-corenet_tcp_sendrecv_ircd_port(mozilla_plugin_t)
+-
+-corenet_sendrecv_jabber_client_client_packets(mozilla_plugin_t)
+ corenet_tcp_connect_jabber_client_port(mozilla_plugin_t)
+-corenet_tcp_sendrecv_jabber_client_port(mozilla_plugin_t)
+-
+-corenet_sendrecv_mmcc_client_packets(mozilla_plugin_t)
corenet_tcp_connect_mmcc_port(mozilla_plugin_t)
+-corenet_tcp_sendrecv_mmcc_port(mozilla_plugin_t)
+-
+-corenet_sendrecv_monopd_client_packets(mozilla_plugin_t)
+-corenet_tcp_connect_monopd_port(mozilla_plugin_t)
+-corenet_tcp_sendrecv_monopd_port(mozilla_plugin_t)
+-
+-corenet_sendrecv_soundd_client_packets(mozilla_plugin_t)
+-corenet_tcp_connect_soundd_port(mozilla_plugin_t)
+-corenet_tcp_sendrecv_soundd_port(mozilla_plugin_t)
+-
+-corenet_sendrecv_speech_client_packets(mozilla_plugin_t)
+corenet_tcp_connect_msnp_port(mozilla_plugin_t)
+corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t)
corenet_tcp_connect_speech_port(mozilla_plugin_t)
-+corenet_tcp_connect_squid_port(mozilla_plugin_t)
-+corenet_tcp_connect_streaming_port(mozilla_plugin_t)
+-corenet_tcp_sendrecv_speech_port(mozilla_plugin_t)
+-
+-corenet_sendrecv_squid_client_packets(mozilla_plugin_t)
+ corenet_tcp_connect_squid_port(mozilla_plugin_t)
+-corenet_tcp_sendrecv_squid_port(mozilla_plugin_t)
+-
+-corenet_sendrecv_vnc_client_packets(mozilla_plugin_t)
++corenet_tcp_connect_ms_streaming_port(mozilla_plugin_t)
++corenet_tcp_connect_rtsp_port(mozilla_plugin_t)
+corenet_tcp_connect_soundd_port(mozilla_plugin_t)
-+corenet_tcp_connect_tor_socks_port(mozilla_plugin_t)
-+corenet_tcp_connect_vnc_port(mozilla_plugin_t)
-+corenet_tcp_connect_commplex_port(mozilla_plugin_t)
++corenet_tcp_connect_tor_port(mozilla_plugin_t)
+ corenet_tcp_connect_vnc_port(mozilla_plugin_t)
+-corenet_tcp_sendrecv_vnc_port(mozilla_plugin_t)
++corenet_tcp_connect_commplex_link_port(mozilla_plugin_t)
+corenet_tcp_connect_couchdb_port(mozilla_plugin_t)
+corenet_tcp_connect_monopd_port(mozilla_plugin_t)
+corenet_tcp_connect_all_ephemeral_ports(mozilla_plugin_t)
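Review bot: The last two additions of this hunk, `corenet_tcp_connect_generic_port(mozilla_plugin_t)` and `corenet_tcp_connect_all_ephemeral_ports(mozilla_plugin_t)`, let the plugin domain open TCP connections to practically any port, which makes the long per-service connect list above them mostly decorative. mozilla_plugin_t exists to confine untrusted plugin code, so the two blanket rules should sit inside a tunable_policy block keyed on a boolean such as mozilla_plugin_can_network_connect (reuse it if the module already declares one outside this hunk) rather than being granted on every install; the named per-port lines can stay unconditional. If the blanket grants are deliberate because the port list kept growing, a one-line comment saying so above them would at least make the decision visible to the next reviewer.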
@@ -34929,46 +35544,63 @@ index d4fcb75..8cf0087 100644
+corenet_udp_bind_generic_node(mozilla_plugin_t)
+corenet_dontaudit_udp_bind_ssdp_port(mozilla_plugin_t)
+-dev_read_generic_usb_dev(mozilla_plugin_t)
dev_read_rand(mozilla_plugin_t)
+-dev_read_realtime_clock(mozilla_plugin_t)
+-dev_read_sound(mozilla_plugin_t)
+-dev_read_sysfs(mozilla_plugin_t)
dev_read_urand(mozilla_plugin_t)
+dev_read_generic_usb_dev(mozilla_plugin_t)
dev_read_video_dev(mozilla_plugin_t)
+-dev_write_sound(mozilla_plugin_t)
dev_write_video_dev(mozilla_plugin_t)
+-dev_rw_dri(mozilla_plugin_t)
+dev_read_realtime_clock(mozilla_plugin_t)
- dev_read_sysfs(mozilla_plugin_t)
- dev_read_sound(mozilla_plugin_t)
- dev_write_sound(mozilla_plugin_t)
- # for nvidia driver
++dev_read_sysfs(mozilla_plugin_t)
++dev_read_sound(mozilla_plugin_t)
++dev_write_sound(mozilla_plugin_t)
++# for nvidia driver
dev_rw_xserver_misc(mozilla_plugin_t)
- dev_dontaudit_rw_dri(mozilla_plugin_t)
+-
+-dev_dontaudit_getattr_generic_files(mozilla_plugin_t)
+-dev_dontaudit_getattr_generic_pipes(mozilla_plugin_t)
+-dev_dontaudit_getattr_all_blk_files(mozilla_plugin_t)
+-dev_dontaudit_getattr_all_chr_files(mozilla_plugin_t)
++dev_dontaudit_rw_dri(mozilla_plugin_t)
+dev_dontaudit_getattr_all(mozilla_plugin_t)
domain_use_interactive_fds(mozilla_plugin_t)
domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
-@@ -363,55 +420,59 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
+
+-files_exec_usr_files(mozilla_plugin_t)
+-files_list_mnt(mozilla_plugin_t)
files_read_config_files(mozilla_plugin_t)
files_read_usr_files(mozilla_plugin_t)
- files_list_mnt(mozilla_plugin_t)
++files_list_mnt(mozilla_plugin_t)
+files_exec_usr_files(mozilla_plugin_t)
+fs_rw_inherited_tmpfs_files(mozilla_plugin_t)
fs_getattr_all_fs(mozilla_plugin_t)
- fs_list_dos(mozilla_plugin_t)
--fs_read_dos_files(mozilla_plugin_t)
+-# fs_read_hugetlbfs_files(mozilla_plugin_t)
+-fs_search_auto_mountpoints(mozilla_plugin_t)
+-
+-term_getattr_all_ttys(mozilla_plugin_t)
+-term_getattr_all_ptys(mozilla_plugin_t)
++fs_list_dos(mozilla_plugin_t)
+fs_read_noxattr_fs_files(mozilla_plugin_t)
+fs_read_hugetlbfs_files(mozilla_plugin_t)
-+application_exec(mozilla_plugin_t)
- application_dontaudit_signull(mozilla_plugin_t)
+ application_exec(mozilla_plugin_t)
++application_dontaudit_signull(mozilla_plugin_t)
auth_use_nsswitch(mozilla_plugin_t)
+init_dontaudit_getattr_initctl(mozilla_plugin_t)
+init_read_all_script_files(mozilla_plugin_t)
+
-+libs_exec_ld_so(mozilla_plugin_t)
-+libs_exec_lib_files(mozilla_plugin_t)
-+
+ libs_exec_ld_so(mozilla_plugin_t)
+ libs_exec_lib_files(mozilla_plugin_t)
+
logging_send_syslog_msg(mozilla_plugin_t)
-miscfiles_read_localization(mozilla_plugin_t)
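Review bot: `files_exec_usr_files(mozilla_plugin_t)` and `libs_exec_lib_files(mozilla_plugin_t)` are added without a comment, and together with the `corecmd_exec_bin`/`corecmd_exec_shell` lines at the top of the hunk they allow the confined plugin to execute essentially any file installed under /usr; a why-comment naming the plugin that needed it, e.g. `# java/flash plugins exec helper binaries from /usr/lib and /usr/share`, would make the grant reviewable rather than a mystery. The same applies to `fs_read_hugetlbfs_files(mozilla_plugin_t)`, which upstream keeps commented out and this patch enables silently. `dev_dontaudit_getattr_all` replacing the four specific dontaudit rules only affects audit noise and is fine as is.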
@@ -34977,40 +35609,55 @@ index d4fcb75..8cf0087 100644
miscfiles_dontaudit_setattr_fonts_dirs(mozilla_plugin_t)
miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_plugin_t)
--sysnet_dns_name_resolve(mozilla_plugin_t)
+-userdom_manage_user_tmp_dirs(mozilla_plugin_t)
+-userdom_manage_user_tmp_files(mozilla_plugin_t)
-
- term_getattr_all_ttys(mozilla_plugin_t)
- term_getattr_all_ptys(mozilla_plugin_t)
+-userdom_manage_user_home_content_dirs(mozilla_plugin_t)
+-userdom_manage_user_home_content_files(mozilla_plugin_t)
+-userdom_user_home_dir_filetrans_user_home_content(mozilla_plugin_t, { dir file })
+-
+-userdom_write_user_tmp_sockets(mozilla_plugin_t)
++term_getattr_all_ttys(mozilla_plugin_t)
++term_getattr_all_ptys(mozilla_plugin_t)
+term_getattr_ptmx(mozilla_plugin_t)
+userdom_dontaudit_setattr_user_tmpfs(mozilla_plugin_t)
- userdom_rw_user_tmpfs_files(mozilla_plugin_t)
++userdom_rw_user_tmpfs_files(mozilla_plugin_t)
+userdom_delete_user_tmpfs_files(mozilla_plugin_t)
userdom_dontaudit_use_user_terminals(mozilla_plugin_t)
- userdom_manage_user_tmp_sockets(mozilla_plugin_t)
- userdom_manage_user_tmp_dirs(mozilla_plugin_t)
--userdom_read_user_tmp_files(mozilla_plugin_t)
++userdom_manage_user_tmp_sockets(mozilla_plugin_t)
++userdom_manage_user_tmp_dirs(mozilla_plugin_t)
+userdom_rw_inherited_user_tmp_files(mozilla_plugin_t)
+userdom_delete_user_tmp_files(mozilla_plugin_t)
+userdom_rw_inherited_user_home_sock_files(mozilla_plugin_t)
+userdom_manage_home_certs(mozilla_plugin_t)
- userdom_read_user_tmp_symlinks(mozilla_plugin_t)
++userdom_read_user_tmp_symlinks(mozilla_plugin_t)
+userdom_stream_connect(mozilla_plugin_t)
+userdom_dontaudit_rw_user_tmp_pipes(mozilla_plugin_t)
-+
- userdom_read_user_home_content_files(mozilla_plugin_t)
- userdom_read_user_home_content_symlinks(mozilla_plugin_t)
-+userdom_read_home_certs(mozilla_plugin_t)
-+userdom_read_home_audio_files(mozilla_plugin_t)
--tunable_policy(`allow_execmem',`
-- allow mozilla_plugin_t self:process { execmem execstack };
+-ifndef(`enable_mls',`
+- fs_list_dos(mozilla_plugin_t)
+- fs_read_dos_files(mozilla_plugin_t)
+-
+- fs_search_removable(mozilla_plugin_t)
+- fs_read_removable_files(mozilla_plugin_t)
+- fs_read_removable_symlinks(mozilla_plugin_t)
+-
+- fs_read_iso9660_files(mozilla_plugin_t)
-')
-
--tunable_policy(`allow_execstack',`
-- allow mozilla_plugin_t self:process { execstack };
+-tunable_policy(`allow_execmem',`
+- allow mozilla_plugin_t self:process execmem;
-')
-
+-tunable_policy(`mozilla_execstack',`
+- allow mozilla_plugin_t self:process { execmem execstack };
+-')
++userdom_read_user_home_content_files(mozilla_plugin_t)
++userdom_read_user_home_content_symlinks(mozilla_plugin_t)
++userdom_read_home_certs(mozilla_plugin_t)
++userdom_read_home_audio_files(mozilla_plugin_t)
+
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(mozilla_plugin_t)
- fs_manage_nfs_files(mozilla_plugin_t)
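Review bot: `userdom_manage_home_certs(mozilla_plugin_t)` gives the plugin sandbox create/write/delete access to the user's home certificate files, which is exactly the capability a compromised plugin would need to plant a trust anchor or replace client keys, and the `userdom_read_home_certs(mozilla_plugin_t)` line added a few lines later in the same hunk already covers read access. Unless a specific plugin is known to write its own certificate store, drop the manage rule, or keep it behind a tunable with a comment naming that plugin. Separately, this hunk deletes the `ifndef(`enable_mls',` guard that used to wrap the dos/removable/iso9660 rules while the preceding hunk now grants `fs_list_dos` and `fs_read_noxattr_fs_files` unconditionally; please confirm that is intended for MLS builds, where access to unlabeled filesystems was deliberately excluded before.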
@@ -35027,35 +35674,39 @@ index d4fcb75..8cf0087 100644
')
optional_policy(`
-@@ -422,24 +483,39 @@ optional_policy(`
+@@ -523,36 +482,43 @@ optional_policy(`
+ ')
+
optional_policy(`
- dbus_system_bus_client(mozilla_plugin_t)
- dbus_session_bus_client(mozilla_plugin_t)
+- automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_t)
++ dbus_system_bus_client(mozilla_plugin_t)
++ dbus_session_bus_client(mozilla_plugin_t)
+ dbus_connect_session_bus(mozilla_plugin_t)
- dbus_read_lib_files(mozilla_plugin_t)
++ dbus_read_lib_files(mozilla_plugin_t)
')
optional_policy(`
-+ git_dontaudit_read_session_content_files(mozilla_plugin_t)
-+')
-+
-+
-+optional_policy(`
- gnome_manage_config(mozilla_plugin_t)
+- dbus_all_session_bus_client(mozilla_plugin_t)
+- dbus_connect_all_session_bus(mozilla_plugin_t)
+- dbus_system_bus_client(mozilla_plugin_t)
++ gnome_manage_config(mozilla_plugin_t)
+ gnome_read_usr_config(mozilla_plugin_t)
+ gnome_filetrans_home_content(mozilla_plugin_t)
+ gnome_exec_gstreamer_home_files(mozilla_plugin_t)
')
optional_policy(`
-- java_exec(mozilla_plugin_t)
+- gnome_manage_generic_home_content(mozilla_plugin_t)
+- gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome")
+- gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome2")
+- gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome2_private")
+ gpm_dontaudit_getattr_gpmctl(mozilla_plugin_t)
')
optional_policy(`
-- mplayer_exec(mozilla_plugin_t)
-- mplayer_read_user_home_files(mozilla_plugin_t)
-+ java_exec(mozilla_plugin_t)
+ java_exec(mozilla_plugin_t)
+- java_manage_generic_home_content(mozilla_plugin_t)
+- java_home_filetrans_java_home(mozilla_plugin_t, dir, ".java")
')
+#optional_policy(`
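Review bot: `gnome_exec_gstreamer_home_files(mozilla_plugin_t)` brings execution of user-writable home content back into the plugin domain right after an earlier hunk on this page narrowed its `can_exec` to `mozilla_exec_t`; if the gstreamer registry under the home directory genuinely has to be executable for plugins, say so in a comment such as `# gstreamer plugin scanner executes cached plugins from the user's home` and consider putting it under the same homedir tunable the module uses for mozilla_home_t, otherwise a plugin that can write its own cache file gets a trivial way to run code. `gnome_manage_config(mozilla_plugin_t)` likewise lets a plugin rewrite the user's desktop configuration; I cannot tell from this hunk whether anything needs more than read access, so a short justification next to it would help. The optional_policy blocks touched here are complete within the hunk.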
@@ -35063,114 +35714,173 @@ index d4fcb75..8cf0087 100644
+#')
+
optional_policy(`
-- pcscd_stream_connect(mozilla_plugin_t)
-+ mplayer_exec(mozilla_plugin_t)
-+ mplayer_filetrans_home_content(mozilla_plugin_t)
-+ mplayer_manage_user_home_dirs(mozilla_plugin_t)
-+ mplayer_manage_user_home_files(mozilla_plugin_t)
+- lpd_run_lpr(mozilla_plugin_t, mozilla_plugin_roles)
++ mplayer_exec(mozilla_plugin_t)
++ mplayer_manage_generic_home_content(mozilla_plugin_t)
++ mplayer_home_filetrans_mplayer_home(mozilla_plugin_t, dir, ".mplayer")
')
optional_policy(`
-@@ -447,10 +523,116 @@ optional_policy(`
- pulseaudio_stream_connect(mozilla_plugin_t)
- pulseaudio_setattr_home_dir(mozilla_plugin_t)
- pulseaudio_manage_home_files(mozilla_plugin_t)
+- mplayer_exec(mozilla_plugin_t)
+- mplayer_manage_generic_home_content(mozilla_plugin_t)
+- mplayer_home_filetrans_mplayer_home(mozilla_plugin_t, dir, ".mplayer")
++ pulseaudio_exec(mozilla_plugin_t)
++ pulseaudio_stream_connect(mozilla_plugin_t)
++ pulseaudio_setattr_home_dir(mozilla_plugin_t)
++ pulseaudio_manage_home_files(mozilla_plugin_t)
+ pulseaudio_manage_home_symlinks(mozilla_plugin_t)
-+')
-+
-+optional_policy(`
-+ pcscd_stream_connect(mozilla_plugin_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+@@ -560,7 +526,7 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- pulseaudio_run(mozilla_plugin_t, mozilla_plugin_roles)
+ rtkit_scheduled(mozilla_plugin_t)
')
optional_policy(`
-+ udev_read_db(mozilla_plugin_t)
-+')
-+
-+optional_policy(`
+@@ -568,108 +534,100 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- xserver_read_user_xauth(mozilla_plugin_t)
+ xserver_xdm_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file })
+ xserver_dontaudit_read_xdm_tmp_files(mozilla_plugin_t)
xserver_read_xdm_pid(mozilla_plugin_t)
xserver_stream_connect(mozilla_plugin_t)
xserver_use_user_fonts(mozilla_plugin_t)
+- xserver_dontaudit_read_xdm_tmp_files(mozilla_plugin_t)
+ xserver_read_user_iceauth(mozilla_plugin_t)
+ xserver_read_user_xauth(mozilla_plugin_t)
+ xserver_append_xdm_home_files(mozilla_plugin_t)
+ xserver_dontaudit_xdm_tmp_dirs(mozilla_plugin_t)
-+')
-+
-+########################################
-+#
+ ')
+
+ ########################################
+ #
+-# Plugin config local policy
+# mozilla_plugin_config local policy
-+#
-+
-+allow mozilla_plugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid };
+ #
+
+ allow mozilla_plugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid };
+-allow mozilla_plugin_config_t self:process { setsched signal_perms getsched };
+-allow mozilla_plugin_config_t self:fifo_file rw_fifo_file_perms;
+-allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms;
+-
+-allow mozilla_plugin_config_t mozilla_plugin_rw_t:dir manage_dir_perms;
+-allow mozilla_plugin_config_t mozilla_plugin_rw_t:file manage_file_perms;
+-allow mozilla_plugin_config_t mozilla_plugin_rw_t:lnk_file manage_lnk_file_perms;
+allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem execstack };
-+
+
+-manage_dirs_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, { mozilla_home_t mozilla_plugin_home_t })
+-manage_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
+-manage_lnk_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
+allow mozilla_plugin_config_t self:fifo_file rw_file_perms;
+allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms;
-+
+
+-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".galeon")
+-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".mozilla")
+-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".netscape")
+-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".phoenix")
+ps_process_pattern(mozilla_plugin_config_t,mozilla_plugin_t)
-+
+
+-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".adobe")
+-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".macromedia")
+-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".gnash")
+-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".gcjwebplugin")
+-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".icedteaplugin")
+-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".spicec")
+-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".ICAClient")
+-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, "zimbrauserdata")
+dev_search_sysfs(mozilla_plugin_config_t)
+dev_read_urand(mozilla_plugin_config_t)
+dev_dontaudit_read_rand(mozilla_plugin_config_t)
+dev_dontaudit_rw_dri(mozilla_plugin_config_t)
-+
+
+-filetrans_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins")
+fs_search_auto_mountpoints(mozilla_plugin_config_t)
+fs_list_inotifyfs(mozilla_plugin_config_t)
-+
+
+-can_exec(mozilla_plugin_config_t, { mozilla_plugin_rw_t mozilla_plugin_home_t })
+can_exec(mozilla_plugin_config_t, mozilla_plugin_rw_t)
+manage_dirs_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+manage_files_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
-+
+
+-ps_process_pattern(mozilla_plugin_config_t, mozilla_plugin_t)
+-
+-kernel_read_system_state(mozilla_plugin_config_t)
+-kernel_request_load_module(mozilla_plugin_config_t)
+manage_dirs_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
+manage_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
+manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
+manage_fifo_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
-+
-+corecmd_exec_bin(mozilla_plugin_config_t)
-+corecmd_exec_shell(mozilla_plugin_config_t)
-+
+
+ corecmd_exec_bin(mozilla_plugin_config_t)
+ corecmd_exec_shell(mozilla_plugin_config_t)
+
+-dev_read_urand(mozilla_plugin_config_t)
+-dev_rw_dri(mozilla_plugin_config_t)
+-dev_search_sysfs(mozilla_plugin_config_t)
+-dev_dontaudit_read_rand(mozilla_plugin_config_t)
+kernel_read_system_state(mozilla_plugin_config_t)
+kernel_request_load_module(mozilla_plugin_config_t)
-+
-+domain_use_interactive_fds(mozilla_plugin_config_t)
-+
-+files_read_usr_files(mozilla_plugin_config_t)
-+files_dontaudit_search_home(mozilla_plugin_config_t)
+
+ domain_use_interactive_fds(mozilla_plugin_config_t)
+
+-files_list_tmp(mozilla_plugin_config_t)
+ files_read_usr_files(mozilla_plugin_config_t)
+ files_dontaudit_search_home(mozilla_plugin_config_t)
+files_list_tmp(mozilla_plugin_config_t)
-+
-+fs_getattr_all_fs(mozilla_plugin_config_t)
-+
-+auth_use_nsswitch(mozilla_plugin_config_t)
-+
-+miscfiles_read_fonts(mozilla_plugin_config_t)
-+
+
+ fs_getattr_all_fs(mozilla_plugin_config_t)
+-fs_search_auto_mountpoints(mozilla_plugin_config_t)
+-fs_list_inotifyfs(mozilla_plugin_config_t)
+
+ auth_use_nsswitch(mozilla_plugin_config_t)
+
+-miscfiles_read_localization(mozilla_plugin_config_t)
+ miscfiles_read_fonts(mozilla_plugin_config_t)
+
+userdom_search_user_home_content(mozilla_plugin_config_t)
-+userdom_read_user_home_content_symlinks(mozilla_plugin_config_t)
-+userdom_read_user_home_content_files(mozilla_plugin_config_t)
+ userdom_read_user_home_content_symlinks(mozilla_plugin_config_t)
+ userdom_read_user_home_content_files(mozilla_plugin_config_t)
+userdom_dontaudit_search_admin_dir(mozilla_plugin_config_t)
+userdom_use_inherited_user_ptys(mozilla_plugin_config_t)
+userdom_dontaudit_use_user_terminals(mozilla_plugin_config_t)
+userdom_dontaudit_rw_user_tmp_pipes(mozilla_plugin_config_t)
+userdom_dontaudit_write_all_user_home_content_files(mozilla_plugin_config_t)
+userdom_dontaudit_write_all_user_tmp_content_files(mozilla_plugin_config_t)
-+
+
+-userdom_use_user_ptys(mozilla_plugin_config_t)
+-
+-mozilla_run_plugin(mozilla_plugin_config_t, mozilla_plugin_config_roles)
+domtrans_pattern(mozilla_plugin_config_t, mozilla_plugin_exec_t, mozilla_plugin_t)
-+
+
+-tunable_policy(`allow_execmem',`
+- allow mozilla_plugin_config_t self:process execmem;
+-')
+-
+-tunable_policy(`mozilla_execstack',`
+- allow mozilla_plugin_config_t self:process { execmem execstack };
+optional_policy(`
+ gnome_dontaudit_rw_inherited_config(mozilla_plugin_config_t)
-+')
-+
+ ')
+
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_dirs(mozilla_plugin_config_t)
+- fs_manage_nfs_files(mozilla_plugin_config_t)
+- fs_manage_nfs_symlinks(mozilla_plugin_config_t)
+optional_policy(`
+ xserver_use_user_fonts(mozilla_plugin_config_t)
-+')
-+
+ ')
+
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(mozilla_plugin_config_t)
+- fs_manage_cifs_files(mozilla_plugin_config_t)
+- fs_manage_cifs_symlinks(mozilla_plugin_config_t)
+ifdef(`distro_redhat',`
+ typealias mozilla_plugin_t alias nsplugin_t;
+ typealias mozilla_plugin_exec_t alias nsplugin_exec_t;
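Review bot: `manage_fifo_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)` sits in the mozilla_plugin_config local policy directly after three `manage_*_pattern(mozilla_plugin_config_t, mozilla_home_t, ...)` rules but names mozilla_plugin_t as the subject, which looks like a copy-paste slip; if the config helper is the domain that needs fifos in the profile it should read `manage_fifo_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)`, and if the plugin domain needs it the rule belongs in its own section above. The new `allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem execstack };` also grants execmem and execstack unconditionally, whereas the lines this hunk deletes kept them behind the allow_execmem and mozilla_execstack tunables; unless dropping that knob for the config domain is intentional, keep the mozilla_execstack tunable_policy wrapper or add a comment explaining why the helper needs an executable stack by default. Minor: `allow mozilla_plugin_config_t self:fifo_file rw_file_perms;` should use `rw_fifo_file_perms` like the line it replaces, and `ps_process_pattern(mozilla_plugin_config_t,mozilla_plugin_t)` is missing the space after the comma.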
@@ -35179,68 +35889,53 @@ index d4fcb75..8cf0087 100644
+ typealias mozilla_home_t alias nsplugin_home_t;
+ typealias mozilla_plugin_config_t alias nsplugin_config_t;
+ typealias mozilla_plugin_config_exec_t alias nsplugin_config_exec_t;
-+')
-+
+ ')
+
+-optional_policy(`
+- automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_config_t)
+tunable_policy(`mozilla_plugin_enable_homedirs',`
+ userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, { dir file })
-+')
-+
+ ')
+
+-optional_policy(`
+- xserver_use_user_fonts(mozilla_plugin_config_t)
+tunable_policy(`selinuxuser_execmod',`
+ userdom_execmod_user_home_files(mozilla_plugin_t)
')
-diff --git a/mpd.fc b/mpd.fc
-index ddc14d6..c74bf3d 100644
---- a/mpd.fc
-+++ b/mpd.fc
-@@ -6,3 +6,5 @@
- /var/lib/mpd(/.*)? gen_context(system_u:object_r:mpd_var_lib_t,s0)
- /var/lib/mpd/music(/.*)? gen_context(system_u:object_r:mpd_data_t,s0)
- /var/lib/mpd/playlists(/.*)? gen_context(system_u:object_r:mpd_data_t,s0)
-+
-+/var/log/mpd(/.*)? gen_context(system_u:object_r:mpd_log_t,s0)
diff --git a/mpd.if b/mpd.if
-index d72276f..cb8c563 100644
+index 5fa77c7..a0e8661 100644
--- a/mpd.if
+++ b/mpd.if
-@@ -244,8 +244,11 @@ interface(`mpd_admin',`
- type mpd_tmpfs_t;
+@@ -344,9 +344,13 @@ interface(`mpd_admin',`
+ type mpd_tmpfs_t, mpd_tmp_t, mpd_user_data_t;
')
- allow $1 mpd_t:process { ptrace signal_perms };
+ allow $1 mpd_t:process signal_perms;
ps_process_pattern($1, mpd_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 mpd_t:process ptrace;
+ ')
-
++
mpd_initrc_domtrans($1)
domain_system_change_exemption($1)
+ role_transition $2 mpd_initrc_exec_t system_r;
diff --git a/mpd.te b/mpd.te
-index 7f68872..d92aaa8 100644
+index 7c8afcc..bf055f0 100644
--- a/mpd.te
+++ b/mpd.te
-@@ -44,6 +44,9 @@ allow mpd_t self:unix_stream_socket { connectto create_stream_socket_perms };
- allow mpd_t self:unix_dgram_socket { create_socket_perms sendto };
- allow mpd_t self:tcp_socket create_stream_socket_perms;
+@@ -74,6 +74,9 @@ allow mpd_t self:unix_stream_socket { accept connectto listen };
+ allow mpd_t self:unix_dgram_socket sendto;
+ allow mpd_t self:tcp_socket { accept listen };
allow mpd_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow mpd_t self:unix_dgram_socket { create_socket_perms sendto };
+
+read_files_pattern(mpd_t, mpd_etc_t, mpd_etc_t)
- manage_dirs_pattern(mpd_t, mpd_data_t, mpd_data_t)
- manage_files_pattern(mpd_t, mpd_data_t, mpd_data_t)
-@@ -51,6 +54,10 @@ manage_lnk_files_pattern(mpd_t, mpd_data_t, mpd_data_t)
-
- read_files_pattern(mpd_t, mpd_etc_t, mpd_etc_t)
-
-+manage_dirs_pattern(mpd_t, mpd_log_t, mpd_log_t)
-+manage_files_pattern(mpd_t, mpd_log_t, mpd_log_t)
-+logging_log_filetrans(mpd_t, mpd_log_t, { dir file lnk_file })
-+
- manage_dirs_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t)
- manage_files_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t)
- manage_sock_files_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t)
-@@ -72,7 +79,6 @@ kernel_read_kernel_sysctls(mpd_t)
+ allow mpd_t mpd_data_t:dir manage_dir_perms;
+ allow mpd_t mpd_data_t:file manage_file_perms;
+@@ -110,7 +113,6 @@ kernel_read_kernel_sysctls(mpd_t)
corecmd_exec_bin(mpd_t)
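Review bot: The new mozilla_plugin_enable_homedirs tunable_policy block gates only `userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, { dir file })`, while the `manage_dirs_pattern`/`manage_files_pattern`/`manage_lnk_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)` rules visible at the top of this page are unconditional, so unless the boolean also wraps rules outside this hunk, turning it off changes only the label new files receive, not whether the plugin can write the profile. If that is the intent, a comment above the block such as `# gates only the home-dir file transition; access to mozilla_home_t itself is unconditional` would stop administrators from treating the boolean as an off switch. The `selinuxuser_execmod` block below it is clear as written.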
@@ -35248,15 +35943,7 @@ index 7f68872..d92aaa8 100644
corenet_all_recvfrom_netlabel(mpd_t)
corenet_tcp_sendrecv_generic_if(mpd_t)
corenet_tcp_sendrecv_generic_node(mpd_t)
-@@ -87,6 +93,7 @@ corenet_sendrecv_http_cache_client_packets(mpd_t)
- corenet_sendrecv_pulseaudio_client_packets(mpd_t)
- corenet_sendrecv_soundd_client_packets(mpd_t)
-
-+dev_read_urand(mpd_t)
- dev_read_sound(mpd_t)
- dev_write_sound(mpd_t)
- dev_read_sysfs(mpd_t)
-@@ -101,7 +108,9 @@ auth_use_nsswitch(mpd_t)
+@@ -150,7 +152,9 @@ auth_use_nsswitch(mpd_t)
logging_send_syslog_msg(mpd_t)
@@ -35265,9 +35952,9 @@ index 7f68872..d92aaa8 100644
+userdom_read_user_tmpfs_files(mpd_t)
+userdom_home_reader(mpd_t)
- optional_policy(`
- alsa_read_rw_config(mpd_t)
-@@ -122,5 +131,20 @@ optional_policy(`
+ tunable_policy(`mpd_enable_homedirs',`
+ userdom_search_user_home_dirs(mpd_t)
+@@ -199,6 +203,16 @@ optional_policy(`
')
optional_policy(`
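Review bot: `userdom_home_reader(mpd_t)` is still carried unconditionally by the Fedora patch while the upstream base this hunk now applies against gates home-directory access behind the mpd_enable_homedirs tunable (its `userdom_search_user_home_dirs(mpd_t)` line is the last one in the hunk; the rest of that block is outside it). If that interface grants read access to user home content, the boolean becomes a no-op for reads and an administrator who disables it will still have mpd reading home directories. Either move `userdom_home_reader(mpd_t)` inside the tunable or document the override next to it, e.g. `# Fedora: mpd reads home content regardless of mpd_enable_homedirs`, so the mismatch is at least deliberate.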
@@ -35283,260 +35970,48 @@ index 7f68872..d92aaa8 100644
+optional_policy(`
udev_read_db(mpd_t)
')
-+
-+optional_policy(`
-+ xserver_dontaudit_stream_connect(mpd_t)
-+ xserver_dontaudit_read_xdm_pid(mpd_t)
-+')
-diff --git a/mplayer.if b/mplayer.if
-index d8ea41d..87c7046 100644
---- a/mplayer.if
-+++ b/mplayer.if
-@@ -102,3 +102,96 @@ interface(`mplayer_read_user_home_files',`
- read_files_pattern($1, mplayer_home_t, mplayer_home_t)
- userdom_search_user_home_dirs($1)
- ')
-+
-+########################################
-+## <summary>
-+## Manage mplayer per user homedir
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`mplayer_manage_user_home_dirs',`
-+ gen_require(`
-+ type mplayer_home_t;
-+ ')
-+
-+ manage_dirs_pattern($1, mplayer_home_t, mplayer_home_t)
-+ userdom_search_user_home_dirs($1)
-+')
-+
-+########################################
-+## <summary>
-+## Manage mplayer per user homedir
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`mplayer_manage_user_home_files',`
-+ gen_require(`
-+ type mplayer_home_t;
-+ ')
-+
-+ manage_files_pattern($1, mplayer_home_t, mplayer_home_t)
-+ manage_lnk_files_pattern($1, mplayer_home_t, mplayer_home_t)
-+ userdom_search_user_home_dirs($1)
-+')
-+
-+########################################
-+## <summary>
-+## Transition to mplayer named content
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`mplayer_filetrans_home_content',`
-+ gen_require(`
-+ type mplayer_home_t;
-+ ')
-+
-+ userdom_user_home_dir_filetrans($1, mplayer_home_t, file, ".mplayer")
-+')
-+
-+########################################
-+## <summary>
-+## Execute mplayer_exec_t
-+## in the specified domain.
-+## </summary>
-+## <desc>
-+## <p>
-+## Execute a mplayer_exec_t
-+## in the specified domain.
-+## </p>
-+## <p>
-+## No interprocess communication (signals, pipes,
-+## etc.) is provided by this interface since
-+## the domains are not owned by this module.
-+## </p>
-+## </desc>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <param name="target_domain">
-+## <summary>
-+## The type of the new process.
-+## </summary>
-+## </param>
-+#
-+interface(`mplayer_exec_domtrans',`
-+ gen_require(`
-+ type mplayer_exec_t;
-+ ')
-+
-+ allow $2 mplayer_exec_t:file entrypoint;
-+ domtrans_pattern($1, mplayer_exec_t, $2)
-+')
+
diff --git a/mplayer.te b/mplayer.te
-index 0cdea57..321a21a 100644
+index 9aca704..e8e71cb 100644
--- a/mplayer.te
-+++ b/mplayer.te
-@@ -10,7 +10,7 @@ policy_module(mplayer, 2.4.0)
- ## Allow mplayer executable stack
- ## </p>
- ## </desc>
--gen_tunable(allow_mplayer_execstack, false)
-+gen_tunable(mplayer_execstack, false)
-
- type mencoder_t;
- type mencoder_exec_t;
-@@ -71,15 +71,15 @@ fs_search_auto_mountpoints(mencoder_t)
- # Access to DVD/CD/V4L
- storage_raw_read_removable_device(mencoder_t)
-
--miscfiles_read_localization(mencoder_t)
-
--userdom_use_user_terminals(mencoder_t)
-+userdom_use_inherited_user_terminals(mencoder_t)
- # Handle removable media, /tmp, and /home
- userdom_list_user_tmp(mencoder_t)
- userdom_read_user_tmp_files(mencoder_t)
- userdom_read_user_tmp_symlinks(mencoder_t)
- userdom_read_user_home_content_files(mencoder_t)
- userdom_read_user_home_content_symlinks(mencoder_t)
-+userdom_home_manager(mencoder_t)
-
- # Read content to encode
- ifndef(`enable_mls',`
-@@ -88,58 +88,18 @@ ifndef(`enable_mls',`
- fs_read_removable_symlinks(mencoder_t)
- ')
-
--tunable_policy(`allow_execmem',`
-+tunable_policy(`deny_execmem',`',`
- allow mencoder_t self:process execmem;
- ')
-
--tunable_policy(`allow_execmod',`
-+tunable_policy(`selinuxuser_execmod',`
- dev_execmod_zero(mencoder_t)
- ')
-
--tunable_policy(`allow_mplayer_execstack',`
-+tunable_policy(`mplayer_execstack',`
- allow mencoder_t self:process { execmem execstack };
- ')
-
--tunable_policy(`use_nfs_home_dirs',`
-- fs_manage_nfs_dirs(mencoder_t)
-- fs_manage_nfs_files(mencoder_t)
-- fs_manage_nfs_symlinks(mencoder_t)
--
--')
--
--tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_dirs(mencoder_t)
-- fs_manage_cifs_files(mencoder_t)
-- fs_manage_cifs_symlinks(mencoder_t)
--
--')
--
--# Read content to encode
--tunable_policy(`use_nfs_home_dirs',`
-- fs_list_auto_mountpoints(mencoder_t)
-- files_list_home(mencoder_t)
-- fs_read_nfs_files(mencoder_t)
-- fs_read_nfs_symlinks(mencoder_t)
--
--',`
-- files_dontaudit_list_home(mencoder_t)
-- fs_dontaudit_list_auto_mountpoints(mencoder_t)
-- fs_dontaudit_read_nfs_files(mencoder_t)
-- fs_dontaudit_list_nfs(mencoder_t)
--')
--
--tunable_policy(`use_samba_home_dirs',`
-- fs_list_auto_mountpoints(mencoder_t)
-- files_list_home(mencoder_t)
-- fs_read_cifs_files(mencoder_t)
-- fs_read_cifs_symlinks(mencoder_t)
--',`
-- files_dontaudit_list_home(mencoder_t)
-- fs_dontaudit_list_auto_mountpoints(mencoder_t)
-- fs_dontaudit_read_cifs_files(mencoder_t)
-- fs_dontaudit_list_cifs(mencoder_t)
--')
--
- ########################################
- #
- # mplayer local policy
-@@ -156,6 +116,7 @@ manage_dirs_pattern(mplayer_t, mplayer_home_t, mplayer_home_t)
- manage_files_pattern(mplayer_t, mplayer_home_t, mplayer_home_t)
- manage_lnk_files_pattern(mplayer_t, mplayer_home_t, mplayer_home_t)
- userdom_user_home_dir_filetrans(mplayer_t, mplayer_home_t, dir)
-+userdom_search_user_home_dirs(mplayer_t)
-
- manage_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t)
- manage_lnk_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t)
-@@ -177,7 +138,6 @@ kernel_read_system_state(mplayer_t)
- kernel_read_kernel_sysctls(mplayer_t)
-
- corenet_all_recvfrom_netlabel(mplayer_t)
--corenet_all_recvfrom_unlabeled(mplayer_t)
- corenet_tcp_sendrecv_generic_if(mplayer_t)
- corenet_tcp_sendrecv_generic_node(mplayer_t)
- corenet_tcp_bind_generic_node(mplayer_t)
-@@ -206,7 +166,6 @@ domain_use_interactive_fds(mplayer_t)
- # Access to DVD/CD/V4L
- storage_raw_read_removable_device(mplayer_t)
++++ b/mplayer.te
+@@ -11,7 +11,7 @@ policy_module(mplayer, 2.4.4)
+ ## its stack executable.
+ ## </p>
+ ## </desc>
+-gen_tunable(allow_mplayer_execstack, false)
++gen_tunable(mplayer_execstack, false)
--files_read_etc_files(mplayer_t)
- files_dontaudit_list_non_security(mplayer_t)
- files_dontaudit_getattr_non_security_files(mplayer_t)
- files_read_non_security_files(mplayer_t)
-@@ -222,10 +181,13 @@ fs_dontaudit_getattr_all_fs(mplayer_t)
- fs_search_auto_mountpoints(mplayer_t)
- fs_list_inotifyfs(mplayer_t)
+ attribute_role mencoder_roles;
+ attribute_role mplayer_roles;
+@@ -95,15 +95,15 @@ ifndef(`enable_mls',`
+ fs_read_iso9660_files(mencoder_t)
+ ')
--miscfiles_read_localization(mplayer_t)
-+auth_use_nsswitch(mplayer_t)
-+
-+logging_send_syslog_msg(mplayer_t)
-+
- miscfiles_read_fonts(mplayer_t)
+-tunable_policy(`allow_execmem',`
+- allow mencoder_t self:process execmem;
++tunable_policy(`deny_execmem',`',`
++ allow mencoder_t self:process execmem;
+ ')
--userdom_use_user_terminals(mplayer_t)
-+userdom_use_inherited_user_terminals(mplayer_t)
- # Read media files
- userdom_list_user_tmp(mplayer_t)
- userdom_read_user_tmp_files(mplayer_t)
-@@ -233,6 +195,7 @@ userdom_read_user_tmp_symlinks(mplayer_t)
- userdom_read_user_home_content_files(mplayer_t)
- userdom_read_user_home_content_symlinks(mplayer_t)
- userdom_write_user_tmp_sockets(mplayer_t)
-+userdom_home_manager(mplayer_t)
+-tunable_policy(`allow_execmod',`
++tunable_policy(`selinuxuser_execmod',`
+ dev_execmod_zero(mencoder_t)
+ ')
- xserver_user_x_domain_template(mplayer, mplayer_t, mplayer_tmpfs_t)
+-tunable_policy(`allow_mplayer_execstack',`
++tunable_policy(`mplayer_execstack',`
+ allow mencoder_t self:process { execmem execstack };
+ ')
-@@ -243,62 +206,31 @@ ifdef(`enable_mls',`',`
- fs_read_removable_symlinks(mplayer_t)
+@@ -211,15 +211,15 @@ ifndef(`enable_mls',`
+ fs_read_iso9660_files(mplayer_t)
')
-tunable_policy(`allow_execmem',`
+- allow mplayer_t self:process execmem;
+tunable_policy(`deny_execmem',`',`
- allow mplayer_t self:process execmem;
++ allow mplayer_t self:process execmem;
')
-tunable_policy(`allow_execmod',`
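Review bot: The new deny_execmem tunable_policy form used for both mencoder_t and mplayer_t in this hunk has an empty true-branch and puts `allow ... self:process execmem;` in the else-branch, which inverts the polarity of the old allow_execmem guard: execmem is now granted unless the boolean is on, so the effective default depends entirely on how deny_execmem is declared elsewhere. Please confirm that default matches the state the previous allow_execmem default produced, since a silent flip hands both media domains anonymous executable memory on every install. A short comment above each block, e.g. `# execmem is allowed unless the deny_execmem boolean is set`, would make the inverted logic obvious to the next reader; the selinuxuser_execmod and mplayer_execstack renames are straightforward.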
@@ -35549,103 +36024,37 @@ index 0cdea57..321a21a 100644
allow mplayer_t self:process { execmem execstack };
')
--tunable_policy(`use_nfs_home_dirs',`
-- fs_manage_nfs_dirs(mplayer_t)
-- fs_manage_nfs_files(mplayer_t)
-- fs_manage_nfs_symlinks(mplayer_t)
--')
--tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_dirs(mplayer_t)
-- fs_manage_cifs_files(mplayer_t)
-- fs_manage_cifs_symlinks(mplayer_t)
--')
--
- # Legacy domain issues
+@@ -235,7 +235,7 @@ tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_symlinks(mplayer_t)
+ ')
+
-tunable_policy(`allow_mplayer_execstack',`
+tunable_policy(`mplayer_execstack',`
allow mplayer_t mplayer_tmpfs_t:file execute;
')
--# Read songs
--tunable_policy(`use_nfs_home_dirs',`
-- fs_list_auto_mountpoints(mplayer_t)
-- files_list_home(mplayer_t)
-- fs_read_nfs_files(mplayer_t)
-- fs_read_nfs_symlinks(mplayer_t)
--
--',`
-- files_dontaudit_list_home(mplayer_t)
-- fs_dontaudit_list_auto_mountpoints(mplayer_t)
-- fs_dontaudit_read_nfs_files(mplayer_t)
-- fs_dontaudit_list_nfs(mplayer_t)
--')
-+userdom_home_manager(mplayer_t)
-
--tunable_policy(`use_samba_home_dirs',`
-- fs_list_auto_mountpoints(mplayer_t)
-- files_list_home(mplayer_t)
-- fs_read_cifs_files(mplayer_t)
-- fs_read_cifs_symlinks(mplayer_t)
--',`
-- files_dontaudit_list_home(mplayer_t)
-- fs_dontaudit_list_auto_mountpoints(mplayer_t)
-- fs_dontaudit_read_cifs_files(mplayer_t)
-- fs_dontaudit_list_cifs(mplayer_t)
-+optional_policy(`
-+ alsa_read_rw_config(mplayer_t)
- ')
-
- optional_policy(`
-- alsa_read_rw_config(mplayer_t)
-+ gnome_setattr_config_dirs(mplayer_t)
- ')
-
- optional_policy(`
-diff --git a/mrtg.fc b/mrtg.fc
-index 37fb953..7e9773a 100644
---- a/mrtg.fc
-+++ b/mrtg.fc
-@@ -14,5 +14,6 @@
- #
- /var/lib/mrtg(/.*)? gen_context(system_u:object_r:mrtg_var_lib_t,s0)
- /var/lock/mrtg(/.*)? gen_context(system_u:object_r:mrtg_lock_t,s0)
-+/var/lock/mrtg-rrd(/.*)? gen_context(system_u:object_r:mrtg_lock_t,s0)
- /var/log/mrtg(/.*)? gen_context(system_u:object_r:mrtg_log_t,s0)
- /var/run/mrtg\.pid gen_context(system_u:object_r:mrtg_var_run_t,s0)
diff --git a/mrtg.te b/mrtg.te
-index 0e19d80..c203717 100644
+index c97c177..273b714 100644
--- a/mrtg.te
+++ b/mrtg.te
-@@ -43,9 +43,12 @@ read_lnk_files_pattern(mrtg_t, mrtg_etc_t, mrtg_etc_t)
- dontaudit mrtg_t mrtg_etc_t:dir write;
- dontaudit mrtg_t mrtg_etc_t:file { write ioctl };
-
-+manage_dirs_pattern(mrtg_t, mrtg_lock_t, mrtg_lock_t)
- manage_files_pattern(mrtg_t, mrtg_lock_t, mrtg_lock_t)
- manage_lnk_files_pattern(mrtg_t, mrtg_lock_t, mrtg_lock_t)
-+files_lock_filetrans(mrtg_t, mrtg_lock_t, { dir file })
-
-+manage_dirs_pattern(mrtg_t, mrtg_log_t, mrtg_log_t)
- manage_files_pattern(mrtg_t, mrtg_log_t, mrtg_log_t)
- logging_log_filetrans(mrtg_t, mrtg_log_t, { file dir })
-
-@@ -62,7 +65,6 @@ kernel_read_kernel_sysctls(mrtg_t)
+@@ -65,7 +65,6 @@ kernel_read_kernel_sysctls(mrtg_t)
corecmd_exec_bin(mrtg_t)
corecmd_exec_shell(mrtg_t)
-corenet_all_recvfrom_unlabeled(mrtg_t)
corenet_all_recvfrom_netlabel(mrtg_t)
corenet_tcp_sendrecv_generic_if(mrtg_t)
- corenet_udp_sendrecv_generic_if(mrtg_t)
-@@ -88,7 +90,6 @@ files_getattr_tmp_dirs(mrtg_t)
- # for uptime
- files_read_etc_runtime_files(mrtg_t)
- # read config files
--files_read_etc_files(mrtg_t)
+ corenet_tcp_sendrecv_generic_node(mrtg_t)
+@@ -87,6 +86,8 @@ files_search_var(mrtg_t)
+ files_search_locks(mrtg_t)
+ files_search_var_lib(mrtg_t)
+ files_search_spool(mrtg_t)
++files_getattr_tmp_dirs(mrtg_t)
++files_read_etc_runtime_files(mrtg_t)
fs_search_auto_mountpoints(mrtg_t)
- fs_getattr_xattr_fs(mrtg_t)
-@@ -108,13 +109,12 @@ libs_read_lib_files(mrtg_t)
+ fs_getattr_all_fs(mrtg_t)
+@@ -105,13 +106,12 @@ libs_read_lib_files(mrtg_t)
logging_send_syslog_msg(mrtg_t)
@@ -35662,30 +36071,32 @@ index 0e19d80..c203717 100644
netutils_domtrans_ping(mrtg_t)
diff --git a/mta.fc b/mta.fc
-index afa18c8..2f102b2 100644
+index f42896c..2f102b2 100644
--- a/mta.fc
+++ b/mta.fc
-@@ -1,30 +1,41 @@
--HOME_DIR/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0)
-+HOME_DIR/\.esmtp_queue -- gen_context(system_u:object_r:mail_home_t,s0)
-+HOME_DIR/\.forward[^/]* -- gen_context(system_u:object_r:mail_home_t,s0)
-+HOME_DIR/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0)
-+HOME_DIR/\.mailrc -- gen_context(system_u:object_r:mail_home_t,s0)
+@@ -2,33 +2,40 @@ HOME_DIR/\.esmtp_queue -- gen_context(system_u:object_r:mail_home_t,s0)
+ HOME_DIR/\.forward[^/]* -- gen_context(system_u:object_r:mail_home_t,s0)
+ HOME_DIR/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0)
+ HOME_DIR/\.mailrc -- gen_context(system_u:object_r:mail_home_t,s0)
+-HOME_DIR/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
+-HOME_DIR/\.maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
+HOME_DIR/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
- /bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+-/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
++/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
- /etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0)
+-/etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0)
++/etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0)
/etc/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0)
- /etc/mail(/.*)? gen_context(system_u:object_r:etc_mail_t,s0)
--/etc/mail/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0)
--/etc/mail/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0)
-+/etc/mail/aliases.* -- gen_context(system_u:object_r:etc_aliases_t,s0)
- ifdef(`distro_redhat',`
- /etc/postfix/aliases.* gen_context(system_u:object_r:etc_aliases_t,s0)
- ')
+-/etc/mail(/.*)? gen_context(system_u:object_r:etc_mail_t,s0)
++/etc/mail(/.*)? gen_context(system_u:object_r:etc_mail_t,s0)
+ /etc/mail/aliases.* -- gen_context(system_u:object_r:etc_aliases_t,s0)
+-/etc/postfix/aliases.* -- gen_context(system_u:object_r:etc_aliases_t,s0)
++ifdef(`distro_redhat',`
++/etc/postfix/aliases.* gen_context(system_u:object_r:etc_aliases_t,s0)
++')
--/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+-/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/root/\.esmtp_queue -- gen_context(system_u:object_r:mail_home_t,s0)
+/root/\.forward -- gen_context(system_u:object_r:mail_home_t,s0)
+/root/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0)
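Review bot: The replacement postfix aliases entry `++/etc/postfix/aliases.* gen_context(system_u:object_r:etc_aliases_t,s0)` drops the `--` object-class restriction carried by the upstream line it replaces, so directories, symlinks and any other object matching `/etc/postfix/aliases.*` would be labelled etc_aliases_t rather than regular files only. If that widening is not intended, keep the `--` as the HOME_DIR and /etc/aliases entries in this hunk do; if it is intended, a short comment next to the line would stop the next upstream sync from silently restoring it. The other removed/re-added pairs in this hunk (`/etc/mail(/.*)?`, `/bin/mail(x)?`, `/etc/aliases`) look identical as rendered here, which suggests a whitespace-only change rather than a policy change.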
@@ -35693,191 +36104,317 @@ index afa18c8..2f102b2 100644
+/root/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
+
+/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-+/usr/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+ /usr/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
/usr/lib/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
--/usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-+/usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+ /usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
--/usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
--/usr/sbin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0)
--/usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
--/usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+-/usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-+/usr/sbin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-+/usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+ /usr/sbin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+ /usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+-/usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
- /var/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
+-/var/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
++/var/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
/var/qmail/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
- /var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
--/var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
-+/var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
-+/var/spool/mqueue\.in(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
- /var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
+-/var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
++/var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
+ /var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
+ /var/spool/mqueue\.in(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
+-/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
++/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
diff --git a/mta.if b/mta.if
-index 4e2a5ba..0005ac0 100644
+index ed81cac..0005ac0 100644
--- a/mta.if
+++ b/mta.if
-@@ -37,6 +37,7 @@ interface(`mta_stub',`
- ## is the prefix for user_t).
+@@ -1,4 +1,4 @@
+-## <summary>Common e-mail transfer agent policy.</summary>
++## <summary>Policy common to all email tranfer agents.</summary>
+
+ ########################################
+ ## <summary>
+@@ -18,23 +18,37 @@ interface(`mta_stub',`
+
+ #######################################
+ ## <summary>
+-## The template to define a mail domain.
++## Basic mail transfer agent domain template.
+ ## </summary>
++## <desc>
++## <p>
++## This template creates a derived domain which is
++## a email transfer agent, which sends mail on
++## behalf of the user.
++## </p>
++## <p>
++## This is the basic types and rules, common
++## to the system agent and user agents.
++## </p>
++## </desc>
+ ## <param name="domain_prefix">
+ ## <summary>
+-## Domain prefix to be used.
++## The prefix of the domain (e.g., user
++## is the prefix for user_t).
## </summary>
## </param>
+## <rolecap/>
#
template(`mta_base_mail_template',`
++
+ gen_require(`
+ attribute user_mail_domain;
+ type sendmail_exec_t;
+ ')
+
+- ########################################
++ ##############################
+ #
+- # Declarations
++ # $1_mail_t declarations
+ #
-@@ -56,92 +57,19 @@ template(`mta_base_mail_template',`
+ type $1_mail_t, user_mail_domain;
+@@ -43,17 +57,16 @@ template(`mta_base_mail_template',`
type $1_mail_tmp_t;
files_tmp_file($1_mail_tmp_t)
-- ##############################
+- ########################################
- #
-- # $1_mail_t local policy
+- # Declarations
- #
-
-- allow $1_mail_t self:capability { setuid setgid chown };
-- allow $1_mail_t self:process { signal_perms setrlimit };
-- allow $1_mail_t self:tcp_socket create_socket_perms;
--
-- # re-exec itself
-- can_exec($1_mail_t, sendmail_exec_t)
-- allow $1_mail_t sendmail_exec_t:lnk_file read_lnk_file_perms;
-+ manage_dirs_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t)
-+ manage_files_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t)
-+ files_tmp_filetrans($1_mail_t, $1_mail_tmp_t, { file dir })
-
- kernel_read_system_state($1_mail_t)
-- kernel_read_kernel_sysctls($1_mail_t)
--
-- corenet_all_recvfrom_unlabeled($1_mail_t)
-- corenet_all_recvfrom_netlabel($1_mail_t)
-- corenet_tcp_sendrecv_generic_if($1_mail_t)
-- corenet_tcp_sendrecv_generic_node($1_mail_t)
-- corenet_tcp_sendrecv_all_ports($1_mail_t)
-- corenet_tcp_connect_all_ports($1_mail_t)
-- corenet_tcp_connect_smtp_port($1_mail_t)
-- corenet_sendrecv_smtp_client_packets($1_mail_t)
--
-- corecmd_exec_bin($1_mail_t)
--
-- files_read_etc_files($1_mail_t)
-- files_search_spool($1_mail_t)
-- # It wants to check for nscd
-- files_dontaudit_search_pids($1_mail_t)
+ manage_dirs_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t)
+ manage_files_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t)
+ files_tmp_filetrans($1_mail_t, $1_mail_tmp_t, { file dir })
++ kernel_read_system_state($1_mail_t)
++
auth_use_nsswitch($1_mail_t)
-- init_dontaudit_rw_utmp($1_mail_t)
--
- logging_send_syslog_msg($1_mail_t)
-
-- miscfiles_read_localization($1_mail_t)
--
-- optional_policy(`
-- exim_read_log($1_mail_t)
-- exim_append_log($1_mail_t)
-- exim_manage_spool_files($1_mail_t)
-- ')
--
++ logging_send_syslog_msg($1_mail_t)
++
optional_policy(`
postfix_domtrans_user_mail_handler($1_mail_t)
')
--
-- optional_policy(`
-- procmail_exec($1_mail_t)
-- ')
--
-- optional_policy(`
-- qmail_domtrans_inject($1_mail_t)
-- ')
--
-- optional_policy(`
-- gen_require(`
-- type etc_mail_t, mail_spool_t, mqueue_spool_t;
-- ')
--
-- manage_dirs_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t)
-- manage_files_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t)
-- files_tmp_filetrans($1_mail_t, $1_mail_tmp_t, { file dir })
--
-- allow $1_mail_t etc_mail_t:dir search_dir_perms;
--
-- # Write to /var/spool/mail and /var/spool/mqueue.
-- manage_files_pattern($1_mail_t, mail_spool_t, mail_spool_t)
-- manage_files_pattern($1_mail_t, mqueue_spool_t, mqueue_spool_t)
--
-- # Check available space.
-- fs_getattr_xattr_fs($1_mail_t)
--
-- files_read_etc_runtime_files($1_mail_t)
--
-- # Write to /var/log/sendmail.st
-- sendmail_manage_log($1_mail_t)
-- sendmail_create_log($1_mail_t)
-- ')
--
-- optional_policy(`
-- uucp_manage_spool($1_mail_t)
-- ')
- ')
+@@ -61,61 +74,41 @@ template(`mta_base_mail_template',`
########################################
-@@ -169,11 +97,19 @@ interface(`mta_role',`
+ ## <summary>
+-## Role access for mta.
++## Role access for mta
+ ## </summary>
+ ## <param name="role">
+ ## <summary>
+-## Role allowed access.
++## Role allowed access
+ ## </summary>
+ ## </param>
+ ## <param name="domain">
+ ## <summary>
+-## User domain for the role.
++## User domain for the role
+ ## </summary>
+ ## </param>
+ #
+ interface(`mta_role',`
+ gen_require(`
+ attribute mta_user_agent;
+- attribute_role user_mail_roles;
+- type user_mail_t, sendmail_exec_t, mail_home_t;
+- type user_mail_tmp_t, mail_home_rw_t;
++ type user_mail_t, sendmail_exec_t;
+ ')
- # Transition from the user domain to the derived domain.
- domtrans_pattern($2, sendmail_exec_t, user_mail_t)
-- allow $2 sendmail_exec_t:lnk_file { getattr read };
-+ allow $2 sendmail_exec_t:lnk_file read_lnk_file_perms;
+- roleattribute $1 user_mail_roles;
+-
+- # this is something i need to fix
+- # i dont know if and why it is needed
+- # will role attribute work?
+- role $1 types mta_user_agent;
++ role $1 types { user_mail_t mta_user_agent };
- allow mta_user_agent $2:fd use;
- allow mta_user_agent $2:process sigchld;
-- allow mta_user_agent $2:fifo_file { read write };
++ # Transition from the user domain to the derived domain.
+ domtrans_pattern($2, sendmail_exec_t, user_mail_t)
+ allow $2 sendmail_exec_t:lnk_file read_lnk_file_perms;
+
+- allow $2 { user_mail_t mta_user_agent }:process { ptrace signal_perms };
+- ps_process_pattern($2, { user_mail_t mta_user_agent })
+-
+- allow $2 mail_home_t:file { manage_file_perms relabel_file_perms };
+- userdom_user_home_dir_filetrans($2, mail_home_t, file, ".esmtp_queue")
+- userdom_user_home_dir_filetrans($2, mail_home_t, file, ".forward")
+- userdom_user_home_dir_filetrans($2, mail_home_t, file, ".mailrc")
+- userdom_user_home_dir_filetrans($2, mail_home_t, file, "dead.letter")
+-
+- allow $2 mail_home_rw_t:dir { manage_dir_perms relabel_dir_perms };
+- allow $2 mail_home_rw_t:file { manage_file_perms relabel_file_perms };
+- allow $2 mail_home_rw_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+- userdom_user_home_dir_filetrans($2, mail_home_rw_t, dir, "Maildir")
+- userdom_user_home_dir_filetrans($2, mail_home_rw_t, dir, ".maildir")
+-
+- allow $2 user_mail_tmp_t:dir { manage_dir_perms relabel_dir_perms };
+- allow $2 user_mail_tmp_t:file { manage_file_perms relabel_file_perms };
++ allow mta_user_agent $2:fd use;
++ allow mta_user_agent $2:process sigchld;
+ allow mta_user_agent $2:fifo_file rw_inherited_fifo_file_perms;
-+
-+ optional_policy(`
-+ exim_run($2, $1)
-+ ')
-+
-+ optional_policy(`
+
+ optional_policy(`
+ exim_run($2, $1)
+ ')
+
+ optional_policy(`
+- mailman_run($2, $1)
+ mailman_run(mta_user_agent, $1)
-+ ')
+ ')
')
- ########################################
-@@ -220,6 +156,25 @@ interface(`mta_agent_executable',`
+@@ -163,125 +156,23 @@ interface(`mta_agent_executable',`
application_executable_file($1)
')
+-#######################################
+-## <summary>
+-## Read mta mail home files.
+-## </summary>
+-## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+-## </param>
+-#
+-interface(`mta_read_mail_home_files',`
+- gen_require(`
+- type mail_home_t;
+- ')
+-
+- userdom_search_user_home_dirs($1)
+- allow $1 mail_home_t:file read_file_perms;
+-')
+-
+-#######################################
+-## <summary>
+-## Create, read, write, and delete
+-## mta mail home files.
+-## </summary>
+-## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+-## </param>
+-#
+-interface(`mta_manage_mail_home_files',`
+- gen_require(`
+- type mail_home_t;
+- ')
+-
+- userdom_search_user_home_dirs($1)
+- allow $1 mail_home_t:file manage_file_perms;
+-')
+-
+-########################################
+-## <summary>
+-## Create specified objects in user home
+-## directories with the generic mail
+-## home type.
+-## </summary>
+-## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+-## </param>
+-## <param name="object_class">
+-## <summary>
+-## Class of the object being created.
+-## </summary>
+-## </param>
+-## <param name="name" optional="true">
+-## <summary>
+-## The name of the object being created.
+-## </summary>
+-## </param>
+-#
+-interface(`mta_home_filetrans_mail_home',`
+- gen_require(`
+- type mail_home_t;
+- ')
+-
+- userdom_user_home_dir_filetrans($1, mail_home_t, $2, $3)
+-')
+-
+-#######################################
+-## <summary>
+-## Create, read, write, and delete
+-## mta mail home rw content.
+-## </summary>
+-## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+-## </param>
+-#
+-interface(`mta_manage_mail_home_rw_content',`
+- gen_require(`
+- type mail_home_rw_t;
+- ')
+-
+- userdom_search_user_home_dirs($1)
+- manage_dirs_pattern($1, mail_home_rw_t, mail_home_rw_t)
+- manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
+- manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
+-')
+-
+-########################################
+######################################
-+## <summary>
+ ## <summary>
+-## Create specified objects in user home
+-## directories with the generic mail
+-## home rw type.
+## Dontaudit read and write an leaked file descriptors
-+## </summary>
-+## <param name="domain">
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
+-## </summary>
+-## </param>
+-## <param name="object_class">
+-## <summary>
+-## Class of the object being created.
+-## </summary>
+-## </param>
+-## <param name="name" optional="true">
+-## <summary>
+-## The name of the object being created.
+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+ #
+-interface(`mta_home_filetrans_mail_home_rw',`
+interface(`mta_dontaudit_leaks_system_mail',`
-+ gen_require(`
+ gen_require(`
+- type mail_home_rw_t;
+ type system_mail_t;
-+ ')
-+
+ ')
+
+- userdom_user_home_dir_filetrans($1, mail_home_rw_t, $2, $3)
+ dontaudit $1 system_mail_t:fifo_file write;
+ dontaudit $1 system_mail_t:tcp_socket { read write };
-+')
-+
+ ')
+
########################################
- ## <summary>
- ## Make the specified type by a system MTA.
-@@ -306,10 +261,15 @@ interface(`mta_mailserver_sender',`
- interface(`mta_mailserver_delivery',`
- gen_require(`
- attribute mailserver_delivery;
-- type mail_spool_t;
+@@ -334,7 +225,6 @@ interface(`mta_sendmail_mailserver',`
+ ')
+
+ init_system_domain($1, sendmail_exec_t)
+-
+ typeattribute $1 mailserver_domain;
+ ')
+
+@@ -374,6 +264,12 @@ interface(`mta_mailserver_delivery',`
')
typeattribute $1 mailserver_delivery;
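Review bot: With the `userdom_user_home_dir_filetrans($2, mail_home_t, ...)` and `mail_home_rw_t` rules removed from `mta_role` in the mta.if part of this hunk, a user domain creating `~/.forward`, `~/.mailrc`, `dead.letter` or `Maildir` no longer receives a type transition to the mail home types, yet the mta.fc part still labels exactly those names mail_home_t/mail_home_rw_t; unless the transition is supplied elsewhere in the patch (not visible here), newly created files keep the generic home type until a relabel. Dropping the `mta_*_mail_home_*` interfaces in the same hunk has the same effect for any caller that relied on them, so a comment at the trimmed `gen_require` of `mta_role` naming where the home filetrans now lives would make the intent checkable. Separately, `/root/\.forward --` is narrower than the `HOME_DIR/\.forward[^/]*` pattern above it, so root's `.forward`-with-suffix variants fall outside mail_home_t.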
@@ -35890,17 +36427,42 @@ index 4e2a5ba..0005ac0 100644
')
#######################################
-@@ -361,8 +321,7 @@ interface(`mta_send_mail',`
+@@ -394,6 +290,12 @@ interface(`mta_mailserver_user_agent',`
+ ')
- allow mta_user_agent $1:fd use;
- allow mta_user_agent $1:process sigchld;
-- allow mta_user_agent $1:fifo_file rw_fifo_file_perms;
--
+ typeattribute $1 mta_user_agent;
++
++ optional_policy(`
++ # apache should set close-on-exec
++ apache_dontaudit_rw_stream_sockets($1)
++ apache_dontaudit_rw_sys_script_stream_sockets($1)
++ ')
+ ')
+
+ ########################################
+@@ -408,14 +310,19 @@ interface(`mta_mailserver_user_agent',`
+ #
+ interface(`mta_send_mail',`
+ gen_require(`
++ attribute mta_user_agent;
+ type system_mail_t;
+ attribute mta_exec_type;
+ ')
+
+- corecmd_search_bin($1)
++ allow $1 mta_exec_type:lnk_file read_lnk_file_perms;
++ corecmd_read_bin_symlinks($1)
+ domtrans_pattern($1, mta_exec_type, system_mail_t)
+
+- allow $1 mta_exec_type:lnk_file read_lnk_file_perms;
++ allow mta_user_agent $1:fd use;
++ allow mta_user_agent $1:process sigchld;
+ allow mta_user_agent $1:fifo_file rw_inherited_fifo_file_perms;
- dontaudit mta_user_agent $1:unix_stream_socket rw_socket_perms;
++ dontaudit mta_user_agent $1:unix_stream_socket rw_socket_perms;
')
-@@ -393,12 +352,19 @@ interface(`mta_send_mail',`
+ ########################################
+@@ -445,18 +352,24 @@ interface(`mta_send_mail',`
#
interface(`mta_sendmail_domtrans',`
gen_require(`
@@ -35909,11 +36471,13 @@ index 4e2a5ba..0005ac0 100644
+ attribute mta_user_agent;
')
- files_search_usr($1)
-+ allow $1 mta_exec_type:lnk_file read_lnk_file_perms;
- corecmd_read_bin_symlinks($1)
+- corecmd_search_bin($1)
- domain_auto_trans($1, sendmail_exec_t, $2)
-+
++ files_search_usr($1)
++ allow $1 mta_exec_type:lnk_file read_lnk_file_perms;
++ corecmd_read_bin_symlinks($1)
+
+- allow $1 sendmail_exec_t:lnk_file read_lnk_file_perms;
+ allow $2 mta_exec_type:file entrypoint;
+ domtrans_pattern($1, mta_exec_type, $2)
+ allow mta_user_agent $1:fd use;
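Review bot: `allow $2 mta_exec_type:file entrypoint;` together with `domtrans_pattern($1, mta_exec_type, $2)` makes every file type carrying the `mta_exec_type` attribute an entrypoint into `$2`, where the replaced `domain_auto_trans($1, sendmail_exec_t, $2)` admitted sendmail_exec_t only; any executable type registered with that attribute (presumably via mta_agent_executable) can now start `$2`. The interface's summary lies outside the hunk, so a comment such as `# $2 is entered through any mta_exec_type executable, not only sendmail_exec_t` at the entrypoint line would record the widening. The closing of `mta_sendmail_domtrans` falls in the following hunk.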
@@ -35922,7 +36486,13 @@ index 4e2a5ba..0005ac0 100644
')
########################################
-@@ -411,7 +377,6 @@ interface(`mta_sendmail_domtrans',`
+ ## <summary>
+-## Send signals to system mail.
++## Send system mail client a signal
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -464,7 +377,6 @@ interface(`mta_sendmail_domtrans',`
## </summary>
## </param>
#
@@ -35930,10 +36500,11 @@ index 4e2a5ba..0005ac0 100644
interface(`mta_signal_system_mail',`
gen_require(`
type system_mail_t;
-@@ -422,6 +387,60 @@ interface(`mta_signal_system_mail',`
+@@ -475,7 +387,43 @@ interface(`mta_signal_system_mail',`
########################################
## <summary>
+-## Send kill signals to system mail.
+## Send all user mail client a signal
+## </summary>
+## <param name="domain">
@@ -35971,30 +36542,20 @@ index 4e2a5ba..0005ac0 100644
+########################################
+## <summary>
+## Send system mail client a kill signal
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`mta_kill_system_mail',`
-+ gen_require(`
-+ type system_mail_t;
-+ ')
-+
-+ allow $1 system_mail_t:process sigkill;
-+')
-+
-+########################################
-+## <summary>
- ## Execute sendmail in the caller domain.
## </summary>
## <param name="domain">
-@@ -440,6 +459,26 @@ interface(`mta_sendmail_exec',`
+ ## <summary>
+@@ -506,13 +454,32 @@ interface(`mta_sendmail_exec',`
+ type sendmail_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+ can_exec($1, sendmail_exec_t)
+ ')
########################################
## <summary>
+-## Read mail server configuration content.
+## Check whether sendmail executable
+## files are executable.
+## </summary>
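Review bot: `mta_sendmail_exec` is reduced to `can_exec($1, sendmail_exec_t)` once `corecmd_search_bin($1)` is dropped, so a caller that does not already search bin directories cannot reach the sendmail binary through this interface, while `mta_sendmail_domtrans` in an earlier hunk still carries `files_search_usr`/`corecmd_read_bin_symlinks`. If the directory search is meant to be the caller's responsibility, a one-line comment `# callers must search bin directories themselves` above the can_exec line would document the contract. The new interface whose summary begins "Check whether sendmail executable files are executable" has its body outside this hunk, so its rules cannot be checked here.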
@@ -36015,83 +36576,187 @@ index 4e2a5ba..0005ac0 100644
+
+########################################
+## <summary>
- ## Read mail server configuration.
++## Read mail server configuration.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -528,13 +495,13 @@ interface(`mta_read_config',`
+
+ files_search_etc($1)
+ allow $1 etc_mail_t:dir list_dir_perms;
+- allow $1 etc_mail_t:file read_file_perms;
+- allow $1 etc_mail_t:lnk_file read_lnk_file_perms;
++ read_files_pattern($1, etc_mail_t, etc_mail_t)
++ read_lnk_files_pattern($1, etc_mail_t, etc_mail_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Write mail server configuration files.
++## write mail server configuration.
## </summary>
## <param name="domain">
-@@ -481,6 +520,25 @@ interface(`mta_write_config',`
+ ## <summary>
+@@ -548,33 +515,31 @@ interface(`mta_write_config',`
+ type etc_mail_t;
+ ')
+
+- files_search_etc($1)
+ write_files_pattern($1, etc_mail_t, etc_mail_t)
+ ')
########################################
## <summary>
+-## Read mail address alias files.
+## Manage mail server configuration.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+## <rolecap/>
-+#
+ #
+-interface(`mta_read_aliases',`
+interface(`mta_manage_config',`
-+ gen_require(`
+ gen_require(`
+- type etc_aliases_t;
+ type etc_mail_t;
-+ ')
-+
+ ')
+
+- files_search_etc($1)
+- allow $1 etc_aliases_t:file read_file_perms;
+ manage_files_pattern($1, etc_mail_t, etc_mail_t)
-+')
-+
-+########################################
-+## <summary>
- ## Read mail address aliases.
+ ')
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete
+-## mail address alias content.
++## Read mail address aliases.
## </summary>
## <param name="domain">
-@@ -496,6 +554,7 @@ interface(`mta_read_aliases',`
+ ## <summary>
+@@ -582,84 +547,66 @@ interface(`mta_read_aliases',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`mta_manage_aliases',`
++interface(`mta_read_aliases',`
+ gen_require(`
+ type etc_aliases_t;
+ ')
files_search_etc($1)
- allow $1 etc_aliases_t:file read_file_perms;
+- manage_files_pattern($1, etc_aliases_t, etc_aliases_t)
+- manage_lnk_files_pattern($1, etc_aliases_t, etc_aliases_t)
++ allow $1 etc_aliases_t:file read_file_perms;
+ allow $1 etc_aliases_t:lnk_file read_lnk_file_perms;
')
########################################
-@@ -516,6 +575,9 @@ interface(`mta_manage_aliases',`
- files_search_etc($1)
- manage_files_pattern($1, etc_aliases_t, etc_aliases_t)
- manage_lnk_files_pattern($1, etc_aliases_t, etc_aliases_t)
+ ## <summary>
+-## Create specified object in generic
+-## etc directories with the mail address
+-## alias type.
++## Create, read, write, and delete mail address aliases.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <param name="object">
+-## <summary>
+-## The object class of the object being created.
+-## </summary>
+-## </param>
+-## <param name="name" optional="true">
+-## <summary>
+-## The name of the object being created.
+-## </summary>
+-## </param>
+ #
+-interface(`mta_etc_filetrans_aliases',`
++interface(`mta_manage_aliases',`
+ gen_require(`
+ type etc_aliases_t;
+ ')
+
+- files_etc_filetrans($1, etc_aliases_t, $2, $3)
++ files_search_etc($1)
++ manage_files_pattern($1, etc_aliases_t, etc_aliases_t)
++ manage_lnk_files_pattern($1, etc_aliases_t, etc_aliases_t)
+ mta_etc_filetrans_aliases($1, "aliases")
+ mta_etc_filetrans_aliases($1, "aliases.db")
+ mta_etc_filetrans_aliases($1, "aliasesdb-stamp")
')
########################################
-@@ -528,13 +590,18 @@ interface(`mta_manage_aliases',`
+ ## <summary>
+-## Create specified objects in specified
+-## directories with a type transition to
+-## the mail address alias type.
++## Type transition files created in /etc
++## to the mail address aliases type.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
## Domain allowed access.
## </summary>
## </param>
-+## <param name="name" optional="true">
-+## <summary>
-+## The name of the object being created.
-+## </summary>
-+## </param>
+-## <param name="file_type">
+-## <summary>
+-## Directory to transition on.
+-## </summary>
+-## </param>
+-## <param name="object">
+-## <summary>
+-## The object class of the object being created.
+-## </summary>
+-## </param>
+ ## <param name="name" optional="true">
+ ## <summary>
+ ## The name of the object being created.
+ ## </summary>
+ ## </param>
#
- interface(`mta_etc_filetrans_aliases',`
+-interface(`mta_spec_filetrans_aliases',`
++interface(`mta_etc_filetrans_aliases',`
gen_require(`
type etc_aliases_t;
')
-- files_etc_filetrans($1, etc_aliases_t, file)
+- filetrans_pattern($1, $2, etc_aliases_t, $3, $4)
+ files_etc_filetrans($1, etc_aliases_t, file, $2)
')
########################################
-@@ -554,7 +621,7 @@ interface(`mta_rw_aliases',`
+ ## <summary>
+-## Read and write mail alias files.
++## Read and write mail aliases.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -674,14 +621,13 @@ interface(`mta_rw_aliases',`
')
files_search_etc($1)
-- allow $1 etc_aliases_t:file { rw_file_perms setattr };
+- allow $1 etc_aliases_t:file rw_file_perms;
+ allow $1 etc_aliases_t:file { rw_file_perms setattr_file_perms };
')
#######################################
-@@ -576,6 +643,25 @@ interface(`mta_dontaudit_rw_delivery_tcp_sockets',`
+ ## <summary>
+-## Do not audit attempts to read
+-## and write TCP sockets of mail
+-## delivery domains.
++## Do not audit attempts to read and write TCP
++## sockets of mail delivery domains.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -697,6 +643,25 @@ interface(`mta_dontaudit_rw_delivery_tcp_sockets',`
dontaudit $1 mailserver_delivery:tcp_socket { read write };
')
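Review bot: `mta_write_config` loses `files_search_etc($1)` and the new `mta_manage_config` never calls it, whereas `mta_read_config`, `mta_read_aliases`, `mta_manage_aliases` and `mta_rw_aliases` in this hunk all keep the search; a caller that only writes or manages configuration therefore needs /etc search access from elsewhere to reach etc_mail_t files. Either restore `files_search_etc($1)` in both interfaces for consistency or note the asymmetry above `write_files_pattern($1, etc_mail_t, etc_mail_t)`. As far as this hunk shows, `mta_manage_config` is marked `<rolecap/>` while `mta_write_config` is not, which deserves a sentence in the interface doc if deliberate.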
@@ -36117,78 +36782,227 @@ index 4e2a5ba..0005ac0 100644
#######################################
## <summary>
## Connect to all mail servers over TCP. (Deprecated)
-@@ -648,8 +734,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
+@@ -713,8 +678,8 @@ interface(`mta_tcp_connect_all_mailservers',`
- files_dontaudit_search_spool($1)
- dontaudit $1 mail_spool_t:dir search_dir_perms;
-- dontaudit $1 mail_spool_t:lnk_file read;
-- dontaudit $1 mail_spool_t:file getattr;
-+ dontaudit $1 mail_spool_t:lnk_file read_lnk_file_perms;
-+ dontaudit $1 mail_spool_t:file getattr_file_perms;
- ')
+ #######################################
+ ## <summary>
+-## Do not audit attempts to read
+-## mail spool symlinks.
++## Do not audit attempts to read a symlink
++## in the mail spool.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -732,7 +697,7 @@ interface(`mta_dontaudit_read_spool_symlinks',`
+
+ ########################################
+ ## <summary>
+-## Get attributes of mail spool content.
++## Get the attributes of mail spool files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -753,8 +718,8 @@ interface(`mta_getattr_spool',`
+
+ ########################################
+ ## <summary>
+-## Do not audit attempts to get
+-## attributes of mail spool files.
++## Do not audit attempts to get the attributes
++## of mail spool files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -775,9 +740,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
#######################################
-@@ -672,6 +758,11 @@ interface(`mta_dontaudit_getattr_spool_files',`
- ## The object class of the object being created.
- ## </summary>
- ## </param>
-+## <param name="name" optional="true">
-+## <summary>
-+## The name of the object being created.
-+## </summary>
-+## </param>
- #
- interface(`mta_spool_filetrans',`
- gen_require(`
-@@ -679,7 +770,26 @@ interface(`mta_spool_filetrans',`
- ')
+ ## <summary>
+-## Create specified objects in the
+-## mail spool directory with a
+-## private type.
++## Create private objects in the
++## mail spool directory.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -811,7 +775,7 @@ interface(`mta_spool_filetrans',`
- files_search_spool($1)
-- filetrans_pattern($1, mail_spool_t, $2, $3)
-+ filetrans_pattern($1, mail_spool_t, $2, $3, $4)
-+')
-+
-+#######################################
-+## <summary>
+ #######################################
+ ## <summary>
+-## Read mail spool files.
+## Read the mail spool.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -819,10 +783,10 @@ interface(`mta_spool_filetrans',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`mta_read_spool_files',`
+- gen_require(`
+- type mail_spool_t;
+- ')
+interface(`mta_read_spool',`
+ gen_require(`
+ type mail_spool_t;
+ ')
-+
-+ files_search_spool($1)
-+ read_files_pattern($1, mail_spool_t, mail_spool_t)
- ')
+
+ files_search_spool($1)
+ read_files_pattern($1, mail_spool_t, mail_spool_t)
+@@ -830,7 +794,7 @@ interface(`mta_read_spool_files',`
########################################
-@@ -699,8 +809,8 @@ interface(`mta_rw_spool',`
+ ## <summary>
+-## Read and write mail spool files.
++## Read and write the mail spool.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -845,13 +809,14 @@ interface(`mta_rw_spool',`
files_search_spool($1)
allow $1 mail_spool_t:dir list_dir_perms;
-- allow $1 mail_spool_t:file setattr;
-- rw_files_pattern($1, mail_spool_t, mail_spool_t)
+- allow $1 mail_spool_t:file rw_file_perms;
+- allow $1 mail_spool_t:lnk_file read_lnk_file_perms;
+ allow $1 mail_spool_t:file setattr_file_perms;
+ manage_files_pattern($1, mail_spool_t, mail_spool_t)
- read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
++ read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
+ ')
+
+ #######################################
+ ## <summary>
+-## Create, read, and write mail spool files.
++## Create, read, and write the mail spool.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -866,13 +831,14 @@ interface(`mta_append_spool',`
+
+ files_search_spool($1)
+ allow $1 mail_spool_t:dir list_dir_perms;
+- manage_files_pattern($1, mail_spool_t, mail_spool_t)
+- allow $1 mail_spool_t:lnk_file read_lnk_file_perms;
++ create_files_pattern($1, mail_spool_t, mail_spool_t)
++ write_files_pattern($1, mail_spool_t, mail_spool_t)
++ read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
+ ')
+
+ #######################################
+ ## <summary>
+-## Delete mail spool files.
++## Delete from the mail spool.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -891,8 +857,7 @@ interface(`mta_delete_spool',`
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete
+-## mail spool content.
++## Create, read, write, and delete mail spool files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -911,45 +876,9 @@ interface(`mta_manage_spool',`
+ manage_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
+ ')
+
+-#######################################
+-## <summary>
+-## Create specified objects in the
+-## mail queue spool directory with a
+-## private type.
+-## </summary>
+-## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+-## </param>
+-## <param name="private type">
+-## <summary>
+-## The type of the object to be created.
+-## </summary>
+-## </param>
+-## <param name="object">
+-## <summary>
+-## The object class of the object being created.
+-## </summary>
+-## </param>
+-## <param name="name" optional="true">
+-## <summary>
+-## The name of the object being created.
+-## </summary>
+-## </param>
+-#
+-interface(`mta_queue_filetrans',`
+- gen_require(`
+- type mqueue_spool_t;
+- ')
+-
+- files_search_spool($1)
+- filetrans_pattern($1, mqueue_spool_t, $2, $3, $4)
+-')
+-
+ ########################################
+ ## <summary>
+-## Search mail queue directories.
++## Search mail queue dirs.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -968,7 +897,7 @@ interface(`mta_search_queue',`
+
+ #######################################
+ ## <summary>
+-## List mail queue directories.
++## List the mail queue.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -981,13 +910,13 @@ interface(`mta_list_queue',`
+ type mqueue_spool_t;
+ ')
+
+- files_search_spool($1)
+ allow $1 mqueue_spool_t:dir list_dir_perms;
++ files_search_spool($1)
')
-@@ -840,7 +950,7 @@ interface(`mta_dontaudit_rw_queue',`
+ #######################################
+ ## <summary>
+-## Read mail queue files.
++## Read the mail queue.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -1000,14 +929,14 @@ interface(`mta_read_queue',`
+ type mqueue_spool_t;
')
- dontaudit $1 mqueue_spool_t:dir search_dir_perms;
-- dontaudit $1 mqueue_spool_t:file { getattr read write };
-+ dontaudit $1 mqueue_spool_t:file rw_file_perms;
+- files_search_spool($1)
+ read_files_pattern($1, mqueue_spool_t, mqueue_spool_t)
++ files_search_spool($1)
')
+ #######################################
+ ## <summary>
+ ## Do not audit attempts to read and
+-## write mail queue content.
++## write the mail queue.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -1027,7 +956,7 @@ interface(`mta_dontaudit_rw_queue',`
########################################
-@@ -866,6 +976,41 @@ interface(`mta_manage_queue',`
+ ## <summary>
+ ## Create, read, write, and delete
+-## mail queue content.
++## mail queue files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -1047,6 +976,41 @@ interface(`mta_manage_queue',`
#######################################
## <summary>
@@ -36230,7 +37044,26 @@ index 4e2a5ba..0005ac0 100644
## Read sendmail binary.
## </summary>
## <param name="domain">
-@@ -901,3 +1046,173 @@ interface(`mta_rw_user_mail_stream_sockets',`
+@@ -1055,6 +1019,7 @@ interface(`mta_manage_queue',`
+ ## </summary>
+ ## </param>
+ #
++# cjp: added for postfix
+ interface(`mta_read_sendmail_bin',`
+ gen_require(`
+ type sendmail_exec_t;
+@@ -1065,8 +1030,8 @@ interface(`mta_read_sendmail_bin',`
+
+ #######################################
+ ## <summary>
+-## Read and write unix domain stream
+-## sockets of all base mail domains.
++## Read and write unix domain stream sockets
++## of user mail domains.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -1081,3 +1046,173 @@ interface(`mta_rw_user_mail_stream_sockets',`
allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
')
@@ -36405,20 +37238,25 @@ index 4e2a5ba..0005ac0 100644
+ mta_filetrans_admin_home_content($1)
+')
diff --git a/mta.te b/mta.te
-index 84a7d66..61f95e2 100644
+index afd2fad..ed44eaf 100644
--- a/mta.te
+++ b/mta.te
-@@ -20,14 +20,19 @@ files_type(etc_aliases_t)
- type etc_mail_t;
- files_config_file(etc_mail_t)
+@@ -1,4 +1,4 @@
+-policy_module(mta, 2.6.5)
++policy_module(mta, 2.5.0)
--type mail_forward_t;
--files_type(mail_forward_t)
-+type mail_home_t alias mail_forward_t;
-+userdom_user_home_content(mail_home_t)
-+
-+type mail_home_rw_t;
-+userdom_user_home_content(mail_home_rw_t)
+ ########################################
+ #
+@@ -14,8 +14,6 @@ attribute mailserver_sender;
+
+ attribute user_mail_domain;
+
+-attribute_role user_mail_roles;
+-
+ type etc_aliases_t;
+ files_type(etc_aliases_t)
+
+@@ -30,9 +28,11 @@ userdom_user_home_content(mail_home_rw_t)
type mqueue_spool_t;
files_mountpoint(mqueue_spool_t)
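Review bot: The distribution patch now rewrites `policy_module(mta, 2.6.5)` to `policy_module(mta, 2.5.0)` (L60045–L60046), so the module shipped by this package declares a lower version than the upstream file it patches. Module versions are what `semodule -l` and the build reports show, so a version that goes backwards makes it hard to tell which mta policy a system actually runs and looks like a leftover from the merge rather than a deliberate choice; keep 2.6.5, or bump above it if the Fedora variant is meant to be distinguishable. The same hunk also removes `attribute_role user_mail_roles;` (L60060), which means role authorisation for the mail domains now has to come from somewhere else (presumably the userdom/template calls); a comment such as `# user_mail_roles dropped: roles are granted via mta_base_mail_template` next to the removal would save the next merger from re-adding it.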
@@ -36430,44 +37268,176 @@ index 84a7d66..61f95e2 100644
type sendmail_exec_t;
mta_agent_executable(sendmail_exec_t)
-@@ -50,21 +55,12 @@ userdom_user_tmp_file(user_mail_tmp_t)
+@@ -43,178 +43,79 @@ role system_r types system_mail_t;
+ mta_base_mail_template(user)
+ typealias user_mail_t alias { staff_mail_t sysadm_mail_t };
+ typealias user_mail_t alias { auditadm_mail_t secadm_mail_t };
+-userdom_user_application_type(user_mail_t)
+-role user_mail_roles types user_mail_t;
+-
+ typealias user_mail_tmp_t alias { staff_mail_tmp_t sysadm_mail_tmp_t };
+ typealias user_mail_tmp_t alias { auditadm_mail_tmp_t secadm_mail_tmp_t };
++userdom_user_application_type(user_mail_t)
+ userdom_user_tmp_file(user_mail_tmp_t)
+
+ ########################################
+ #
+-# Common base mail policy
+-#
+-
+-allow user_mail_domain self:capability { setuid setgid chown };
+-allow user_mail_domain self:process { signal_perms setrlimit };
+-allow user_mail_domain self:fifo_file rw_fifo_file_perms;
+-
+-allow user_mail_domain mta_exec_type:file entrypoint;
+-
+-allow user_mail_domain mail_home_t:file { append_file_perms read_file_perms };
+-
+-manage_dirs_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t)
+-manage_files_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t)
+-manage_lnk_files_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t)
+-userdom_user_home_dir_filetrans(user_mail_domain, mail_home_rw_t, dir, "Maildir")
+-userdom_user_home_dir_filetrans(user_mail_domain, mail_home_rw_t, dir, ".maildir")
+-
+-read_files_pattern(user_mail_domain, { etc_mail_t etc_aliases_t }, { etc_mail_t etc_aliases_t })
+-
+-manage_files_pattern(user_mail_domain, { mqueue_spool_t mail_spool_t }, { mqueue_spool_t mail_spool_t })
+-read_lnk_files_pattern(user_mail_domain, { mqueue_spool_t mail_spool_t }, { mqueue_spool_t mail_spool_t })
+-
+-allow user_mail_domain sendmail_exec_t:lnk_file read_lnk_file_perms;
+-
+-can_exec(user_mail_domain, { mta_exec_type sendmail_exec_t })
+-
+-kernel_read_system_state(user_mail_domain)
+-kernel_read_kernel_sysctls(user_mail_domain)
+-kernel_read_network_state(user_mail_domain)
+-kernel_request_load_module(user_mail_domain)
+-
+-corenet_all_recvfrom_netlabel(user_mail_domain)
+-corenet_tcp_sendrecv_generic_if(user_mail_domain)
+-corenet_tcp_sendrecv_generic_node(user_mail_domain)
+-
+-corenet_sendrecv_all_client_packets(user_mail_domain)
+-corenet_tcp_connect_all_ports(user_mail_domain)
+-corenet_tcp_sendrecv_all_ports(user_mail_domain)
+-
+-corecmd_exec_bin(user_mail_domain)
+-
+-dev_read_urand(user_mail_domain)
+-
+-domain_use_interactive_fds(user_mail_domain)
+-
+-files_read_etc_runtime_files(user_mail_domain)
+-files_read_usr_files(user_mail_domain)
+-files_search_spool(user_mail_domain)
+-files_dontaudit_search_pids(user_mail_domain)
+-
+-fs_getattr_all_fs(user_mail_domain)
+-
+-init_dontaudit_rw_utmp(user_mail_domain)
+-
+-logging_send_syslog_msg(user_mail_domain)
+-
+-miscfiles_read_localization(user_mail_domain)
+-
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(user_mail_domain)
+- fs_manage_cifs_files(user_mail_domain)
+- fs_read_cifs_symlinks(user_mail_domain)
+-')
+-
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_dirs(user_mail_domain)
+- fs_manage_nfs_files(user_mail_domain)
+- fs_read_nfs_symlinks(user_mail_domain)
+-')
+-
+-optional_policy(`
+- courier_manage_spool_dirs(user_mail_domain)
+- courier_manage_spool_files(user_mail_domain)
+- courier_rw_spool_pipes(user_mail_domain)
+-')
+-
+-optional_policy(`
+- exim_domtrans(user_mail_domain)
+- exim_manage_log(user_mail_domain)
+- exim_manage_spool_files(user_mail_domain)
+-')
+-
+-optional_policy(`
+- files_getattr_tmp_dirs(user_mail_domain)
+-
+- postfix_exec_master(user_mail_domain)
+- postfix_read_config(user_mail_domain)
+- postfix_search_spool(user_mail_domain)
+- postfix_rw_inherited_master_pipes(user_mail_domain)
+-
+- ifdef(`distro_redhat',`
+- postfix_config_filetrans(user_mail_domain, etc_aliases_t, { dir file lnk_file sock_file fifo_file })
+- ')
+-')
+-
+-optional_policy(`
+- procmail_exec(user_mail_domain)
+-')
+-
+-optional_policy(`
+- qmail_domtrans_inject(user_mail_domain)
+-')
+-
+-optional_policy(`
+- sendmail_manage_log(user_mail_domain)
+- sendmail_log_filetrans_sendmail_log(user_mail_domain, file)
+-')
+-
+-optional_policy(`
+- uucp_manage_spool(user_mail_domain)
+-')
+-
+-########################################
+-#
+-# System local policy
++# System mail local policy
+ #
- # newalias required this, not sure if it is needed in 'if' file
++# newalias required this, not sure if it is needed in 'if' file
allow system_mail_t self:capability { dac_override fowner };
--allow system_mail_t self:fifo_file rw_fifo_file_perms;
-read_files_pattern(system_mail_t, etc_mail_t, etc_mail_t)
-+allow system_mail_t mail_home_t:file manage_file_perms;
-
- read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type)
-
--allow system_mail_t mail_forward_t:file read_file_perms;
-
--allow system_mail_t mta_exec_type:file entrypoint;
+-read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type)
-
--can_exec(system_mail_t, mta_exec_type)
--
--kernel_read_system_state(system_mail_t)
--kernel_read_network_state(system_mail_t)
--kernel_request_load_module(system_mail_t)
-+corecmd_exec_shell(system_mail_t)
+ allow system_mail_t mail_home_t:file manage_file_perms;
+-userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, ".esmtp_queue")
+-userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, ".forward")
+-userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, ".mailrc")
+-userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, "dead.letter")
+
+-allow system_mail_t user_mail_domain:dir list_dir_perms;
+-allow system_mail_t user_mail_domain:file read_file_perms;
+-allow system_mail_t user_mail_domain:lnk_file read_lnk_file_perms;
++read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type)
+ corecmd_exec_shell(system_mail_t)
+
+-dev_read_rand(system_mail_t)
dev_read_sysfs(system_mail_t)
- dev_read_rand(system_mail_t)
-@@ -74,14 +70,25 @@ files_read_usr_files(system_mail_t)
++dev_read_rand(system_mail_t)
++dev_read_urand(system_mail_t)
- fs_rw_anon_inodefs_files(system_mail_t)
+-fs_rw_anon_inodefs_files(system_mail_t)
++files_read_usr_files(system_mail_t)
-selinux_getattr_fs(system_mail_t)
--
++fs_rw_anon_inodefs_files(system_mail_t)
+
term_dontaudit_use_unallocated_ttys(system_mail_t)
init_use_script_ptys(system_mail_t)
+init_dontaudit_rw_stream_socket(system_mail_t)
-
--userdom_use_user_terminals(system_mail_t)
++
+userdom_use_inherited_user_terminals(system_mail_t)
- userdom_dontaudit_search_user_home_dirs(system_mail_t)
++userdom_dontaudit_search_user_home_dirs(system_mail_t)
+userdom_dontaudit_list_admin_dir(system_mail_t)
+
+manage_dirs_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t)
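Review bot: The four named file transitions for system_mail_t are removed at L60224–L60227, and the only replacement visible (in the hunk just below, L60263) is the unnamed `userdom_admin_home_dir_filetrans(system_mail_t, mail_home_t, file)`, so every file system_mail_t creates directly in an admin home directory becomes mail_home_t, not just `.forward`, `.esmtp_queue`, `.mailrc` and `dead.letter`. Since mail_home_t is a type the delivery domains read as configuration (L60425 reads it), the wider transition deserves either a comment saying why it is acceptable or the named form, `userdom_admin_home_dir_filetrans(system_mail_t, mail_home_t, file, ".forward")` and likewise for the other three names, if that interface takes the optional name argument. The large `user_mail_domain` base block removed at L60086–L60197 (setuid/setgid/chown, connect to all TCP ports, exec of bin) appears to be relocated further down the patch rather than deleted — L60573–L60577 show part of it — but a `# user_mail_domain common policy moved to end of file` note at the removal would make that evident without reading the whole patch.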
@@ -36475,7 +37445,8 @@ index 84a7d66..61f95e2 100644
+
+allow system_mail_t mail_home_t:file manage_file_perms;
+userdom_admin_home_dir_filetrans(system_mail_t, mail_home_t, file)
-+
+
+-userdom_use_user_terminals(system_mail_t)
+
+logging_append_all_logs(system_mail_t)
+
@@ -36483,7 +37454,10 @@ index 84a7d66..61f95e2 100644
optional_policy(`
apache_read_squirrelmail_data(system_mail_t)
-@@ -92,25 +99,40 @@ optional_policy(`
+ apache_append_squirrelmail_data(system_mail_t)
++
++ # apache should set close-on-exec
+ apache_dontaudit_append_log(system_mail_t)
apache_dontaudit_rw_stream_sockets(system_mail_t)
apache_dontaudit_rw_tcp_sockets(system_mail_t)
apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t)
@@ -36500,7 +37474,7 @@ index 84a7d66..61f95e2 100644
optional_policy(`
arpwatch_manage_tmp_files(system_mail_t)
-- ifdef(`hide_broken_symptoms', `
+- ifdef(`hide_broken_symptoms',`
- arpwatch_dontaudit_rw_packet_sockets(system_mail_t)
- ')
+ ifdef(`hide_broken_symptoms', `
@@ -36510,13 +37484,12 @@ index 84a7d66..61f95e2 100644
')
optional_policy(`
+@@ -223,18 +124,18 @@ optional_policy(`
+ ')
+
+ optional_policy(`
- clamav_stream_connect(system_mail_t)
- clamav_append_log(system_mail_t)
-+ bugzilla_search_content(system_mail_t)
-+ bugzilla_dontaudit_rw_stream_sockets(system_mail_t)
-+')
-+
-+optional_policy(`
+ courier_stream_connect_authdaemon(system_mail_t)
')
@@ -36529,7 +37502,11 @@ index 84a7d66..61f95e2 100644
')
optional_policy(`
-@@ -124,12 +146,9 @@ optional_policy(`
+- courier_stream_connect_authdaemon(system_mail_t)
+ courier_manage_spool_dirs(system_mail_t)
+ courier_manage_spool_files(system_mail_t)
+ courier_rw_spool_pipes(system_mail_t)
+@@ -245,13 +146,8 @@ optional_policy(`
')
optional_policy(`
@@ -36538,13 +37515,18 @@ index 84a7d66..61f95e2 100644
-')
-
-optional_policy(`
+- fail2ban_dontaudit_rw_stream_sockets(system_mail_t)
fail2ban_append_log(system_mail_t)
+ fail2ban_dontaudit_leaks(system_mail_t)
-+ fail2ban_rw_inherited_tmp_files(system_mail_t)
+ fail2ban_rw_inherited_tmp_files(system_mail_t)
+ ')
+
+@@ -264,10 +160,15 @@ optional_policy(`
')
optional_policy(`
-@@ -146,6 +165,10 @@ optional_policy(`
++ # newaliases runs as system_mail_t when the sendmail initscript does a restart
+ milter_getattr_all_sockets(system_mail_t)
')
optional_policy(`
@@ -36555,48 +37537,52 @@ index 84a7d66..61f95e2 100644
nagios_read_tmp_files(system_mail_t)
')
-@@ -158,22 +181,13 @@ optional_policy(`
+@@ -278,6 +179,15 @@ optional_policy(`
+ manage_fifo_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
+ manage_sock_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
-
- domain_use_interactive_fds(system_mail_t)
--
-- # postfix needs this for newaliases
-- files_getattr_tmp_dirs(system_mail_t)
--
-- postfix_exec_master(system_mail_t)
-- postfix_read_config(system_mail_t)
-- postfix_search_spool(system_mail_t)
--
-- ifdef(`distro_redhat',`
-- # compatability for old default main.cf
-- postfix_config_filetrans(system_mail_t, etc_aliases_t, { dir file lnk_file sock_file fifo_file })
-- ')
- ')
-
- optional_policy(`
- qmail_domtrans_inject(system_mail_t)
++
++ domain_use_interactive_fds(system_mail_t)
++')
++
++optional_policy(`
++ qmail_domtrans_inject(system_mail_t)
+ qmail_manage_spool_dirs(system_mail_t)
+ qmail_manage_spool_files(system_mail_t)
+ qmail_rw_spool_pipes(system_mail_t)
')
optional_policy(`
-@@ -189,6 +203,10 @@ optional_policy(`
+@@ -293,42 +203,36 @@ optional_policy(`
')
optional_policy(`
+- spamassassin_stream_connect_spamd(system_mail_t)
+ spamd_stream_connect(system_mail_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
smartmon_read_tmp_files(system_mail_t)
')
-@@ -199,20 +217,23 @@ optional_policy(`
- arpwatch_search_data(mailserver_delivery)
+-########################################
+-#
+-# MTA user agent local policy
+-#
+-
+-userdom_use_user_terminals(mta_user_agent)
+-
+-optional_policy(`
+- apache_append_log(mta_user_agent)
+-')
++# should break this up among sections:
+
+ optional_policy(`
++ # why is mail delivered to a directory of type arpwatch_data_t?
++ arpwatch_search_data(mailserver_delivery)
arpwatch_manage_tmp_files(mta_user_agent)
-- ifdef(`hide_broken_symptoms', `
+- ifdef(`hide_broken_symptoms',`
- arpwatch_dontaudit_rw_packet_sockets(mta_user_agent)
- ')
-
@@ -36615,96 +37601,113 @@ index 84a7d66..61f95e2 100644
# Mailserver delivery local policy
#
+-allow mailserver_delivery self:fifo_file rw_fifo_file_perms;
+allow mailserver_delivery self:fifo_file rw_inherited_fifo_file_perms;
-+
+
allow mailserver_delivery mail_spool_t:dir list_dir_perms;
create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
- read_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
-@@ -220,21 +241,14 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+@@ -337,40 +241,26 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
--read_files_pattern(mailserver_delivery, mail_forward_t, mail_forward_t)
+userdom_search_admin_dir(mailserver_delivery)
+read_files_pattern(mailserver_delivery, mail_home_t, mail_home_t)
++
+ manage_dirs_pattern(mailserver_delivery, mail_home_rw_t, mail_home_rw_t)
+-manage_files_pattern(mailserver_delivery, { mail_home_t mail_home_rw_t }, { mail_home_t mail_home_rw_t })
++manage_files_pattern(mailserver_delivery, mail_home_rw_t, mail_home_rw_t)
+ manage_lnk_files_pattern(mailserver_delivery, mail_home_rw_t, mail_home_rw_t)
+-userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_t, file, ".esmtp_queue")
+-userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_t, file, ".forward")
+-userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_t, file, ".mailrc")
+-userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_t, file, "dead.letter")
+-userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_rw_t, dir, "Maildir")
+-userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_rw_t, dir, ".maildir")
+
+ read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
--read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
--
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(mailserver_delivery)
- fs_manage_cifs_files(mailserver_delivery)
-- fs_manage_cifs_symlinks(mailserver_delivery)
+- fs_read_cifs_symlinks(mailserver_delivery)
-')
-+manage_dirs_pattern(mailserver_delivery, mail_home_rw_t, mail_home_rw_t)
-+manage_files_pattern(mailserver_delivery, mail_home_rw_t, mail_home_rw_t)
-+manage_lnk_files_pattern(mailserver_delivery, mail_home_rw_t, mail_home_rw_t)
-
+-
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(mailserver_delivery)
- fs_manage_nfs_files(mailserver_delivery)
-- fs_manage_nfs_symlinks(mailserver_delivery)
+- fs_read_nfs_symlinks(mailserver_delivery)
-')
-+read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
-
+-
optional_policy(`
- dovecot_manage_spool(mailserver_delivery)
-@@ -242,6 +256,10 @@ optional_policy(`
+- arpwatch_search_data(mailserver_delivery)
++ dovecot_manage_spool(mailserver_delivery)
++ dovecot_domtrans_deliver(mailserver_delivery)
')
optional_policy(`
+- dovecot_manage_spool(mailserver_delivery)
+- dovecot_domtrans_deliver(mailserver_delivery)
+ logwatch_search_cache_dir(mailserver_delivery)
-+')
-+
-+optional_policy(`
- # so MTA can access /var/lib/mailman/mail/wrapper
+ ')
+
+ optional_policy(`
++ # so MTA can access /var/lib/mailman/mail/wrapper
files_search_var_lib(mailserver_delivery)
-@@ -249,6 +267,14 @@ optional_policy(`
- mailman_read_data_symlinks(mailserver_delivery)
- ')
+ mailman_domtrans(mailserver_delivery)
+@@ -387,24 +277,168 @@ optional_policy(`
-+optional_policy(`
-+ postfix_rw_master_pipes(mailserver_delivery)
-+')
-+
-+optional_policy(`
-+ uucp_domtrans_uux(mailserver_delivery)
-+')
-+
########################################
#
- # User send mail local policy
-@@ -256,9 +282,9 @@ optional_policy(`
-
- domain_use_interactive_fds(user_mail_t)
+-# User local policy
++# User send mail local policy
+ #
--userdom_use_user_terminals(user_mail_t)
+-manage_files_pattern(user_mail_t, mail_home_t, mail_home_t)
+-userdom_user_home_dir_filetrans(user_mail_t, mail_home_t, file, ".esmtp_queue")
+-userdom_user_home_dir_filetrans(user_mail_t, mail_home_t, file, ".forward")
+-userdom_user_home_dir_filetrans(user_mail_t, mail_home_t, file, ".mailrc")
+-userdom_user_home_dir_filetrans(user_mail_t, mail_home_t, file, "dead.letter")
++domain_use_interactive_fds(user_mail_t)
++
+userdom_use_inherited_user_terminals(user_mail_t)
- # Write to the user domain tty. cjp: why?
--userdom_use_user_terminals(mta_user_agent)
++# Write to the user domain tty. cjp: why?
+userdom_use_inherited_user_terminals(mta_user_agent)
- # Create dead.letter in user home directories.
- userdom_manage_user_home_content_files(user_mail_t)
- userdom_user_home_dir_filetrans_user_home_content(user_mail_t, file)
-@@ -270,6 +296,8 @@ userdom_manage_user_home_content_symlinks(mailserver_delivery)
- userdom_manage_user_home_content_pipes(mailserver_delivery)
- userdom_manage_user_home_content_sockets(mailserver_delivery)
- userdom_user_home_dir_filetrans_user_home_content(mailserver_delivery, { dir file lnk_file fifo_file sock_file })
++# Create dead.letter in user home directories.
++userdom_manage_user_home_content_files(user_mail_t)
++userdom_user_home_dir_filetrans_user_home_content(user_mail_t, file)
++# for reading .forward - maybe we need a new type for it?
++# also for delivering mail to maildir
++userdom_manage_user_home_content_dirs(mailserver_delivery)
++userdom_manage_user_home_content_files(mailserver_delivery)
++userdom_manage_user_home_content_symlinks(mailserver_delivery)
++userdom_manage_user_home_content_pipes(mailserver_delivery)
++userdom_manage_user_home_content_sockets(mailserver_delivery)
++userdom_user_home_dir_filetrans_user_home_content(mailserver_delivery, { dir file lnk_file fifo_file sock_file })
+allow mailserver_delivery mailserver_delivery:fifo_file rw_inherited_fifo_file_perms;
+
- # Read user temporary files.
- userdom_read_user_tmp_files(user_mail_t)
- userdom_dontaudit_append_user_tmp_files(user_mail_t)
-@@ -277,6 +305,8 @@ userdom_dontaudit_append_user_tmp_files(user_mail_t)
- # files in an appropriate place for mta_user_agent
- userdom_read_user_tmp_files(mta_user_agent)
++# Read user temporary files.
++userdom_read_user_tmp_files(user_mail_t)
++userdom_dontaudit_append_user_tmp_files(user_mail_t)
++# cjp: this should probably be read all user tmp
++# files in an appropriate place for mta_user_agent
++userdom_read_user_tmp_files(mta_user_agent)
+
+ dev_read_sysfs(user_mail_t)
+
+-userdom_use_user_terminals(user_mail_t)
++tunable_policy(`use_samba_home_dirs',`
++ fs_manage_cifs_files(user_mail_t)
++ fs_manage_cifs_symlinks(user_mail_t)
++')
+
+ optional_policy(`
+ allow user_mail_t self:capability dac_override;
+
++ # Read user temporary files.
++ # postfix seems to need write access if the file handle is opened read/write
+ userdom_rw_user_tmp_files(user_mail_t)
-+dev_read_sysfs(user_mail_t)
-+
- tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_files(user_mail_t)
- fs_manage_cifs_symlinks(user_mail_t)
-@@ -292,3 +322,123 @@ optional_policy(`
postfix_read_config(user_mail_t)
postfix_list_spool(user_mail_t)
')
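Review bot: mailserver_delivery is given, judging by the interface names, manage rights on all user home content — dirs, files, symlinks, pipes and sockets — plus an unnamed transition to generic user home content at L60528–L60533, while the named transitions that upstream used to label `.forward`, `.esmtp_queue`, `.mailrc`, `dead.letter`, `Maildir` and `.maildir` as mail_home_t/mail_home_rw_t are dropped at L60431–L60436. That lets any local delivery agent running in a mailserver_delivery domain create or rewrite arbitrary files in every user's home rather than only mail content, and the comment at L60526, `# for reading .forward - maybe we need a new type for it?`, is stale now that mail_home_t exists and is read at L60425. If the broad grant is needed for agents that write outside Maildir, the comment should name them; otherwise the mail_home_rw_t manage rules the hunk keeps (L60427–L60430) together with the upstream named transitions are the least-privilege form. Separately, `allow mailserver_delivery mailserver_delivery:fifo_file rw_inherited_fifo_file_perms;` at L60534 is not equivalent to the `self:fifo_file` rule at L60413 — it lets every delivery domain use every other delivery domain's inherited pipes — so if cross-domain pipe sharing is intended, a comment naming the pair of domains would help.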
@@ -36794,7 +37797,7 @@ index 84a7d66..61f95e2 100644
+ postfix_exec_master(user_mail_domain)
+ postfix_read_config(user_mail_domain)
+ postfix_search_spool(user_mail_domain)
-+ postfix_rw_master_pipes(user_mail_domain)
++ postfix_rw_inherited_master_pipes(user_mail_domain)
+
+ ifdef(`distro_redhat',`
+ # compatability for old default main.cf
@@ -36829,113 +37832,219 @@ index 84a7d66..61f95e2 100644
+ clamav_stream_connect(mta_user_agent)
+')
diff --git a/munin.fc b/munin.fc
-index fd71d69..123ee4c 100644
+index eb4b72a..123ee4c 100644
--- a/munin.fc
+++ b/munin.fc
-@@ -4,7 +4,9 @@
- /usr/bin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0)
- /usr/sbin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0)
+@@ -1,77 +1,78 @@
+-/etc/munin(/.*)? gen_context(system_u:object_r:munin_etc_t,s0)
+-
++/etc/munin(/.*)? gen_context(system_u:object_r:munin_etc_t,s0)
+ /etc/rc\.d/init\.d/munin-node -- gen_context(system_u:object_r:munin_initrc_exec_t,s0)
+
+-/usr/bin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0)
+-
+-/usr/sbin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0)
+-
++/usr/bin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0)
++/usr/sbin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0)
/usr/share/munin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0)
--/usr/share/munin/plugins/.* -- gen_context(system_u:object_r:munin_exec_t,s0)
-+
-+# label all plugins as unconfined_munin_plugin_exec_t
-+/usr/share/munin/plugins/.* -- gen_context(system_u:object_r:unconfined_munin_plugin_exec_t,s0)
- # disk plugins
- /usr/share/munin/plugins/diskstat.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
-@@ -41,6 +43,9 @@
- /usr/share/munin/plugins/tomcat_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
- /usr/share/munin/plugins/varnish_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
++# label all plugins as unconfined_munin_plugin_exec_t
+ /usr/share/munin/plugins/.* -- gen_context(system_u:object_r:unconfined_munin_plugin_exec_t,s0)
+
+-/usr/share/munin/plugins/diskstat.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
++# disk plugins
++/usr/share/munin/plugins/diskstat.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
+ /usr/share/munin/plugins/df.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
+-/usr/share/munin/plugins/hddtemp.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
+-/usr/share/munin/plugins/smart_.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
++/usr/share/munin/plugins/hddtemp.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
++/usr/share/munin/plugins/smart_.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
+
+-/usr/share/munin/plugins/courier_mta_.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
+-/usr/share/munin/plugins/exim_mail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
+-/usr/share/munin/plugins/mailman -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
+-/usr/share/munin/plugins/mailscanner -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
+-/usr/share/munin/plugins/postfix_mail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
+-/usr/share/munin/plugins/sendmail_.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
+-/usr/share/munin/plugins/qmail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
++# mail plugins
++/usr/share/munin/plugins/courier_mta_.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
++/usr/share/munin/plugins/exim_mail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
++/usr/share/munin/plugins/mailman -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
++/usr/share/munin/plugins/mailscanner -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
++/usr/share/munin/plugins/postfix_mail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
++/usr/share/munin/plugins/sendmail_.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
++/usr/share/munin/plugins/qmail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
+
+-/usr/share/munin/plugins/apache_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+-/usr/share/munin/plugins/asterisk_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+-/usr/share/munin/plugins/http_loadtime -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+-/usr/share/munin/plugins/fail2ban -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
++# services plugins
++/usr/share/munin/plugins/apache_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
++/usr/share/munin/plugins/asterisk_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
++/usr/share/munin/plugins/http_loadtime -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
++/usr/share/munin/plugins/fail2ban -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+ /usr/share/munin/plugins/lpstat -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+-/usr/share/munin/plugins/mysql_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
++/usr/share/munin/plugins/mysql_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+ /usr/share/munin/plugins/named -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+ /usr/share/munin/plugins/ntp_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+ /usr/share/munin/plugins/nut.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+-/usr/share/munin/plugins/openvpn -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+-/usr/share/munin/plugins/ping_ -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+-/usr/share/munin/plugins/postgres_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
++/usr/share/munin/plugins/openvpn -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
++/usr/share/munin/plugins/ping_ -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
++/usr/share/munin/plugins/postgres_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+ /usr/share/munin/plugins/samba -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+-/usr/share/munin/plugins/slapd_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+-/usr/share/munin/plugins/snmp_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+-/usr/share/munin/plugins/squid_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+-/usr/share/munin/plugins/tomcat_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+-/usr/share/munin/plugins/varnish_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
++/usr/share/munin/plugins/slapd_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
++/usr/share/munin/plugins/snmp_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
++/usr/share/munin/plugins/squid_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
++/usr/share/munin/plugins/tomcat_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
++/usr/share/munin/plugins/varnish_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+# selinux plugins
-+/usr/share/munin/plugins/selinux_avcstat -- gen_context(system_u:object_r:selinux_munin_plugin_exec_t,s0)
-+
- # system plugins
+ /usr/share/munin/plugins/selinux_avcstat -- gen_context(system_u:object_r:selinux_munin_plugin_exec_t,s0)
+
++# system plugins
/usr/share/munin/plugins/acpi -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/cpu.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
-@@ -51,6 +56,7 @@
- /usr/share/munin/plugins/irqstats -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+ /usr/share/munin/plugins/forks -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+ /usr/share/munin/plugins/if_.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+-/usr/share/munin/plugins/iostat.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+-/usr/share/munin/plugins/interrupts -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+-/usr/share/munin/plugins/irqstats -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
++/usr/share/munin/plugins/iostat.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
++/usr/share/munin/plugins/interrupts -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
++/usr/share/munin/plugins/irqstats -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/load -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/memory -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
-+/usr/share/munin/plugins/munin_.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
- /usr/share/munin/plugins/netstat -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+ /usr/share/munin/plugins/munin_.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+-/usr/share/munin/plugins/netstat -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
++/usr/share/munin/plugins/netstat -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/nfs.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
- /usr/share/munin/plugins/open_files -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
-@@ -58,12 +64,15 @@
- /usr/share/munin/plugins/processes -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+-/usr/share/munin/plugins/open_files -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+-/usr/share/munin/plugins/proc_pri -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+-/usr/share/munin/plugins/processes -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
++/usr/share/munin/plugins/open_files -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
++/usr/share/munin/plugins/proc_pri -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
++/usr/share/munin/plugins/processes -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/swap -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
- /usr/share/munin/plugins/threads -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
-+/usr/share/munin/plugins/unbound -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+-/usr/share/munin/plugins/threads -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
++/usr/share/munin/plugins/threads -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+ /usr/share/munin/plugins/unbound -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/uptime -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/users -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/yum -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
- /var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0)
-+/var/lib/munin/plugin-state(/.*)? gen_context(system_u:object_r:munin_plugin_state_t,s0)
- /var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0)
- /var/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0)
- /var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0)
- /var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
+-/var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0)
++/var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0)
+ /var/lib/munin/plugin-state(/.*)? gen_context(system_u:object_r:munin_plugin_state_t,s0)
+-
+-/var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0)
+-
+-/var/run/munin.* gen_context(system_u:object_r:munin_var_run_t,s0)
+-
+-/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0)
+-/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
++/var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0)
++/var/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0)
++/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0)
++/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
+/var/www/html/cgi/munin.* gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
diff --git a/munin.if b/munin.if
-index c358d8f..1cc176c 100644
+index b744fe3..4c1b6a8 100644
--- a/munin.if
+++ b/munin.if
-@@ -13,10 +13,11 @@
+@@ -1,12 +1,13 @@
+-## <summary>Munin network-wide load graphing.</summary>
++## <summary>Munin network-wide load graphing (formerly LRRD)</summary>
+
+-#######################################
++########################################
+ ## <summary>
+-## The template to define a munin plugin domain.
++## Create a set of derived types for various
++## munin plugins,
+ ## </summary>
+-## <param name="domain_prefix">
++## <param name="prefix">
+ ## <summary>
+-## Domain prefix to be used.
++## The name to be used for deriving type names.
+ ## </summary>
+ ## </param>
#
- template(`munin_plugin_template',`
+@@ -14,12 +15,8 @@ template(`munin_plugin_template',`
gen_require(`
-- type munin_t, munin_exec_t, munin_etc_t;
-+ type munin_t;
-+ attribute munin_plugin_domain;
- ')
+ attribute munin_plugin_domain, munin_plugin_tmp_content;
+ type munin_t;
+- ')
+
+- ########################################
+- #
+- # Declarations
+- #
++ ')
-- type $1_munin_plugin_t;
-+ type $1_munin_plugin_t, munin_plugin_domain;
+ type $1_munin_plugin_t, munin_plugin_domain;
type $1_munin_plugin_exec_t;
- typealias $1_munin_plugin_t alias munin_$1_plugin_t;
- typealias $1_munin_plugin_exec_t alias munin_$1_plugin_exec_t;
-@@ -36,17 +37,9 @@ template(`munin_plugin_template',`
- # automatic transition rules from munin domain
- # to specific munin plugin domain
+@@ -33,15 +30,22 @@ template(`munin_plugin_template',`
+ files_tmp_file($1_munin_plugin_tmp_t)
+
+ ########################################
+- #
+- # Policy
+- #
++ #
++ # Policy
++ #
+
++ # automatic transition rules from munin domain
++ # to specific munin plugin domain
domtrans_pattern(munin_t, $1_munin_plugin_exec_t, $1_munin_plugin_t)
--
-- allow $1_munin_plugin_t munin_exec_t:file read_file_perms;
-- allow $1_munin_plugin_t munin_t:tcp_socket rw_socket_perms;
--
-- read_lnk_files_pattern($1_munin_plugin_t, munin_etc_t, munin_etc_t)
-+ allow munin_t $1_munin_plugin_t:process signal_perms;
- kernel_read_system_state($1_munin_plugin_t)
--
-- corecmd_exec_bin($1_munin_plugin_t)
--
-- miscfiles_read_localization($1_munin_plugin_t)
+ manage_files_pattern($1_munin_plugin_t, $1_munin_plugin_tmp_t, $1_munin_plugin_tmp_t)
+ manage_dirs_pattern($1_munin_plugin_t, $1_munin_plugin_tmp_t, $1_munin_plugin_tmp_t)
+ files_tmp_filetrans($1_munin_plugin_t, $1_munin_plugin_tmp_t, { dir file })
++
++ kernel_read_system_state($1_munin_plugin_t)
++
++ corenet_all_recvfrom_unlabeled($1_munin_plugin_t)
++ corenet_all_recvfrom_netlabel($1_munin_plugin_t)
')
########################################
-@@ -65,9 +58,8 @@ interface(`munin_stream_connect',`
- type munin_var_run_t, munin_t;
- ')
-
-- allow $1 munin_t:unix_stream_socket connectto;
-- allow $1 munin_var_run_t:sock_file { getattr write };
- files_search_pids($1)
-+ stream_connect_pattern($1, munin_var_run_t, munin_var_run_t, munin_t)
- ')
+@@ -66,7 +70,7 @@ interface(`munin_stream_connect',`
#######################################
-@@ -88,12 +80,50 @@ interface(`munin_read_config',`
+ ## <summary>
+-## Read munin configuration content.
++## Read munin configuration files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -80,15 +84,53 @@ interface(`munin_read_config',`
+ type munin_etc_t;
+ ')
+- files_search_etc($1)
allow $1 munin_etc_t:dir list_dir_perms;
allow $1 munin_etc_t:file read_file_perms;
-- allow $1 munin_etc_t:lnk_file { getattr read };
-+ allow $1 munin_etc_t:lnk_file read_lnk_file_perms;
- files_search_etc($1)
+ allow $1 munin_etc_t:lnk_file read_lnk_file_perms;
++ files_search_etc($1)
')
#######################################
## <summary>
+-## Append munin log files.
+## Read munin library files.
+## </summary>
+## <param name="domain">
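Review bot: The rebased `munin_plugin_template` hunk (`@@ -33,15 +30,22 @@`) adds `kernel_read_system_state`, `corenet_all_recvfrom_unlabeled` and `corenet_all_recvfrom_netlabel` per `$1_munin_plugin_t`, while the same commit deletes those three calls from the `munin_plugin_domain` attribute block in munin.te. Every type the template declares carries the attribute (`type $1_munin_plugin_t, munin_plugin_domain;`), so the effective policy is unchanged but the rules are now repeated once per plugin type and the downstream patch grows; keeping them on the attribute, as upstream does, is smaller and leaves one place to audit. If the move is deliberate, a one-line comment above the added calls saying why would spare the next rebase. The unlabeled-receive grant is also asymmetric with munin.te, where this commit drops `corenet_all_recvfrom_unlabeled(munin_t)` for the master daemon; worth confirming the plugin domains still need it when the master no longer does.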
@@ -36974,21 +38083,39 @@ index c358d8f..1cc176c 100644
+
+#######################################
+## <summary>
- ## Append to the munin log.
++## Append to the munin log.
## </summary>
## <param name="domain">
-@@ -172,12 +202,14 @@ interface(`munin_admin',`
- gen_require(`
- type munin_t, munin_etc_t, munin_tmp_t;
- type munin_log_t, munin_var_lib_t, munin_var_run_t;
-- type httpd_munin_content_t;
-- type munin_initrc_exec_t;
-+ type httpd_munin_content_t, munin_initrc_exec_t;
+ ## <summary>
+@@ -147,8 +189,8 @@ interface(`munin_dontaudit_search_lib',`
+
+ ########################################
+ ## <summary>
+-## All of the rules required to
+-## administrate an munin environment.
++## All of the rules required to administrate
++## an munin environment
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -157,7 +199,7 @@ interface(`munin_dontaudit_search_lib',`
+ ## </param>
+ ## <param name="role">
+ ## <summary>
+-## Role allowed access.
++## The role to be allowed to manage the munin domain.
+ ## </summary>
+ ## </param>
+ ## <rolecap/>
+@@ -170,8 +212,12 @@ interface(`munin_admin',`
+ type httpd_munin_content_t, munin_plugin_state_t, munin_initrc_exec_t;
')
-- allow $1 munin_t:process { ptrace signal_perms };
+- allow $1 { munin_plugin_domain munin_t }:process { ptrace signal_perms };
+- ps_process_pattern($1, { munin_plugin_domain munin_t })
+ allow $1 munin_t:process signal_perms;
- ps_process_pattern($1, munin_t)
++ ps_process_pattern($1, munin_t)
++
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 munin_t:process ptrace;
+ ')
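Review bot: In the `munin_admin` hunk (`@@ -170,8 +212,12 @@`) the patch removes upstream's `allow $1 { munin_plugin_domain munin_t }:process { ptrace signal_perms };` and `ps_process_pattern($1, { munin_plugin_domain munin_t })` and re-adds them for `munin_t` only, so the admin role can no longer signal or list the `*_munin_plugin_t` domains. Gating `ptrace` behind `deny_ptrace` is the right direction, but dropping `munin_plugin_domain` from the signal and ps rules looks like a side effect of the rebase rather than a deliberate narrowing. If the plugin domains should remain administrable, use `allow $1 { munin_plugin_domain munin_t }:process signal_perms;` and `ps_process_pattern($1, { munin_plugin_domain munin_t })`, and add `munin_plugin_domain` to the interface's `gen_require` block. That `gen_require` block and the start of the interface lie outside this hunk.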
@@ -36996,90 +38123,77 @@ index c358d8f..1cc176c 100644
init_labeled_script_domtrans($1, munin_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/munin.te b/munin.te
-index f17583b..addfbf2 100644
+index 97370e4..be752a6 100644
--- a/munin.te
+++ b/munin.te
-@@ -5,6 +5,8 @@ policy_module(munin, 1.8.0)
- # Declarations
+@@ -45,7 +45,7 @@ munin_plugin_template(unconfined)
+ # Common munin plugin local policy
#
-+attribute munin_plugin_domain;
-+
- type munin_t alias lrrd_t;
- type munin_exec_t alias lrrd_exec_t;
- init_daemon_domain(munin_t, munin_exec_t)
-@@ -24,6 +26,9 @@ files_tmp_file(munin_tmp_t)
- type munin_var_lib_t alias lrrd_var_lib_t;
- files_type(munin_var_lib_t)
+-allow munin_plugin_domain self:process signal;
++allow munin_plugin_domain self:process signal_perms;
+ allow munin_plugin_domain self:fifo_file rw_fifo_file_perms;
-+type munin_plugin_state_t;
-+files_type(munin_plugin_state_t)
-+
- type munin_var_run_t alias lrrd_var_run_t;
- files_pid_file(munin_var_run_t)
+ allow munin_plugin_domain munin_t:tcp_socket rw_socket_perms;
+@@ -58,24 +58,16 @@ allow munin_plugin_domain munin_var_lib_t:dir search_dir_perms;
-@@ -31,16 +36,20 @@ munin_plugin_template(disk)
+ manage_files_pattern(munin_plugin_domain, munin_plugin_state_t, munin_plugin_state_t)
- munin_plugin_template(mail)
+-kernel_read_system_state(munin_plugin_domain)
+-
+-corenet_all_recvfrom_unlabeled(munin_plugin_domain)
+-corenet_all_recvfrom_netlabel(munin_plugin_domain)
+ corenet_tcp_sendrecv_generic_if(munin_plugin_domain)
+ corenet_tcp_sendrecv_generic_node(munin_plugin_domain)
-+munin_plugin_template(selinux)
-+
- munin_plugin_template(services)
+ corecmd_exec_bin(munin_plugin_domain)
+ corecmd_exec_shell(munin_plugin_domain)
- munin_plugin_template(system)
+-files_read_etc_files(munin_plugin_domain)
+-files_read_usr_files(munin_plugin_domain)
+ files_search_var_lib(munin_plugin_domain)
-+munin_plugin_template(unconfined)
-+
- ########################################
- #
- # Local policy
- #
+ fs_getattr_all_fs(munin_plugin_domain)
--allow munin_t self:capability { chown dac_override setgid setuid };
-+allow munin_t self:capability { chown dac_override kill setgid setuid sys_rawio };
- dontaudit munin_t self:capability sys_tty_config;
- allow munin_t self:process { getsched setsched signal_perms };
- allow munin_t self:unix_stream_socket { create_stream_socket_perms connectto };
-@@ -71,9 +80,12 @@ manage_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
+-miscfiles_read_localization(munin_plugin_domain)
+-
+ optional_policy(`
+ nscd_use(munin_plugin_domain)
+ ')
+@@ -114,7 +106,7 @@ manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
+ manage_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
manage_lnk_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
- files_search_var_lib(munin_t)
-+manage_dirs_pattern(munin_t, munin_var_run_t, munin_var_run_t)
- manage_files_pattern(munin_t, munin_var_run_t, munin_var_run_t)
- manage_sock_files_pattern(munin_t, munin_var_run_t, munin_var_run_t)
--files_pid_filetrans(munin_t, munin_var_run_t, file)
-+files_pid_filetrans(munin_t, munin_var_run_t, { file dir })
-+
+-read_files_pattern(munin_t, munin_plugin_state_t, munin_plugin_state_t)
+rw_files_pattern(munin_t, munin_plugin_state_t, munin_plugin_state_t)
- kernel_read_system_state(munin_t)
- kernel_read_network_state(munin_t)
-@@ -82,7 +94,6 @@ kernel_read_all_sysctls(munin_t)
+ manage_dirs_pattern(munin_t, munin_var_run_t, munin_var_run_t)
+ manage_files_pattern(munin_t, munin_var_run_t, munin_var_run_t)
+@@ -130,7 +122,6 @@ kernel_read_all_sysctls(munin_t)
corecmd_exec_bin(munin_t)
corecmd_exec_shell(munin_t)
-corenet_all_recvfrom_unlabeled(munin_t)
corenet_all_recvfrom_netlabel(munin_t)
corenet_tcp_sendrecv_generic_if(munin_t)
- corenet_udp_sendrecv_generic_if(munin_t)
-@@ -101,7 +112,6 @@ dev_read_urand(munin_t)
- domain_use_interactive_fds(munin_t)
+ corenet_tcp_sendrecv_generic_node(munin_t)
+@@ -153,7 +144,6 @@ domain_use_interactive_fds(munin_t)
domain_read_all_domains_state(munin_t)
--files_read_etc_files(munin_t)
files_read_etc_runtime_files(munin_t)
- files_read_usr_files(munin_t)
+-files_read_usr_files(munin_t)
files_list_spool(munin_t)
-@@ -115,7 +125,7 @@ logging_send_syslog_msg(munin_t)
+
+ fs_getattr_all_fs(munin_t)
+@@ -165,7 +155,6 @@ logging_send_syslog_msg(munin_t)
logging_read_all_logs(munin_t)
miscfiles_read_fonts(munin_t)
-miscfiles_read_localization(munin_t)
-+miscfiles_setattr_fonts_cache_dirs(munin_t)
+ miscfiles_setattr_fonts_cache_dirs(munin_t)
sysnet_exec_ifconfig(munin_t)
-
-@@ -128,6 +138,11 @@ optional_policy(`
+@@ -179,6 +168,11 @@ optional_policy(`
manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
apache_search_sys_content(munin_t)
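Review bot: `rw_files_pattern(munin_t, munin_plugin_state_t, munin_plugin_state_t)` replaces upstream's `read_files_pattern` in the `@@ -114,7 +106,7 @@` hunk with nothing recording why the master daemon needs write access to plugin state; a line such as `# munin_t writes plugin state files — TODO(review): record which plugin or bug needs this` above it would keep the widening auditable on the next merge. The same series of hunks also drops `files_read_etc_files`, `files_read_usr_files` and `miscfiles_read_localization` for both `munin_plugin_domain` and `munin_t`; presumably the Fedora base policy grants these domain-wide, but the patch does not say so, and a short note at the first removal would stop a future rebase from re-adding them. `allow munin_plugin_domain self:process signal_perms;` widens `signal` to the full self-signal set, which is low risk but likewise unexplained.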
@@ -37091,275 +38205,227 @@ index f17583b..addfbf2 100644
')
optional_policy(`
-@@ -145,6 +160,7 @@ optional_policy(`
- optional_policy(`
- mta_read_config(munin_t)
- mta_send_mail(munin_t)
-+ mta_list_queue(munin_t)
- mta_read_queue(munin_t)
- ')
-
-@@ -155,10 +171,13 @@ optional_policy(`
-
- optional_policy(`
- netutils_domtrans_ping(munin_t)
-+ netutils_signal_ping(munin_t)
-+ netutils_kill_ping(munin_t)
- ')
+@@ -213,7 +207,6 @@ optional_policy(`
optional_policy(`
postfix_list_spool(munin_t)
-+ postfix_getattr_spool_files(munin_t)
+- postfix_getattr_all_spool_files(munin_t)
')
optional_policy(`
-@@ -182,6 +201,7 @@ optional_policy(`
- # local policy for disk plugins
- #
-
-+allow disk_munin_plugin_t self:capability { sys_admin sys_rawio };
- allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms;
-
- rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
-@@ -190,15 +210,18 @@ corecmd_exec_shell(disk_munin_plugin_t)
-
- corenet_tcp_connect_hddtemp_port(disk_munin_plugin_t)
+@@ -252,11 +245,17 @@ dev_read_sysfs(disk_munin_plugin_t)
+ dev_read_urand(disk_munin_plugin_t)
--files_read_etc_files(disk_munin_plugin_t)
files_read_etc_runtime_files(disk_munin_plugin_t)
+files_read_usr_files(disk_munin_plugin_t)
-
--fs_getattr_all_fs(disk_munin_plugin_t)
--
++
+dev_getattr_lvm_control(disk_munin_plugin_t)
- dev_read_sysfs(disk_munin_plugin_t)
- dev_read_urand(disk_munin_plugin_t)
++dev_read_sysfs(disk_munin_plugin_t)
++dev_read_urand(disk_munin_plugin_t)
+dev_read_all_blk_files(munin_disk_plugin_t)
+ fs_getattr_all_fs(disk_munin_plugin_t)
+ fs_getattr_all_dirs(disk_munin_plugin_t)
+
-storage_getattr_fixed_disk_dev(disk_munin_plugin_t)
-+fs_getattr_all_fs(disk_munin_plugin_t)
-+fs_getattr_all_dirs(disk_munin_plugin_t)
-+
+storage_raw_read_fixed_disk(disk_munin_plugin_t)
sysnet_read_config(disk_munin_plugin_t)
-@@ -221,30 +244,47 @@ rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
+@@ -275,27 +274,36 @@ optional_policy(`
+
+ allow mail_munin_plugin_t self:capability dac_override;
+
++allow mail_munin_plugin_t self:tcp_socket create_stream_socket_perms;
++allow mail_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms;
++
+ rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
dev_read_urand(mail_munin_plugin_t)
--files_read_etc_files(mail_munin_plugin_t)
-+logging_read_generic_logs(mail_munin_plugin_t)
+ logging_read_generic_logs(mail_munin_plugin_t)
--fs_getattr_all_fs(mail_munin_plugin_t)
++sysnet_read_config(mail_munin_plugin_t)
++
+optional_policy(`
+ exim_read_log(mail_munin_plugin_t)
+')
-
--logging_read_generic_logs(mail_munin_plugin_t)
-+optional_policy(`
-+ mta_read_config(mail_munin_plugin_t)
-+ mta_send_mail(mail_munin_plugin_t)
++
+ optional_policy(`
+- mta_list_queue(mail_munin_plugin_t)
+ mta_read_config(mail_munin_plugin_t)
+- mta_read_queue(mail_munin_plugin_t)
+ mta_send_mail(mail_munin_plugin_t)
+ mta_list_queue(mail_munin_plugin_t)
+ mta_read_queue(mail_munin_plugin_t)
-+')
+ ')
--mta_read_config(mail_munin_plugin_t)
--mta_send_mail(mail_munin_plugin_t)
--mta_read_queue(mail_munin_plugin_t)
-+optional_policy(`
+ optional_policy(`
+- nscd_use(mail_munin_plugin_t)
+ nscd_socket_use(mail_munin_plugin_t)
-+')
+ ')
optional_policy(`
+- postfix_getattr_all_spool_files(mail_munin_plugin_t)
postfix_read_config(mail_munin_plugin_t)
postfix_list_spool(mail_munin_plugin_t)
+ postfix_getattr_spool_files(mail_munin_plugin_t)
')
optional_policy(`
- sendmail_read_log(mail_munin_plugin_t)
- ')
-
-+##################################
-+#
-+# local policy for selinux plugins
-+#
-+
-+selinux_get_enforce_mode(selinux_munin_plugin_t)
-+
- ###################################
- #
- # local policy for service plugins
- #
-
-+allow services_munin_plugin_t self:shm create_sem_perms;
-+allow services_munin_plugin_t self:sem create_sem_perms;
- allow services_munin_plugin_t self:tcp_socket create_stream_socket_perms;
- allow services_munin_plugin_t self:udp_socket create_socket_perms;
- allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms;
-@@ -255,13 +295,10 @@ corenet_tcp_connect_http_port(services_munin_plugin_t)
- dev_read_urand(services_munin_plugin_t)
- dev_read_rand(services_munin_plugin_t)
-
--fs_getattr_all_fs(services_munin_plugin_t)
--
--files_read_etc_files(services_munin_plugin_t)
--
- sysnet_read_config(services_munin_plugin_t)
-
- optional_policy(`
-+ cups_read_config(services_munin_plugin_t)
- cups_stream_connect(services_munin_plugin_t)
- ')
-
-@@ -279,6 +316,14 @@ optional_policy(`
+@@ -353,7 +361,11 @@ optional_policy(`
')
optional_policy(`
+- nscd_use(services_munin_plugin_t)
+ nscd_socket_use(services_munin_plugin_t)
+')
+
+optional_policy(`
+ ntp_exec(services_munin_plugin_t)
-+')
-+
-+optional_policy(`
- postgresql_stream_connect(services_munin_plugin_t)
')
-@@ -286,6 +331,18 @@ optional_policy(`
- snmp_read_snmp_var_lib_files(services_munin_plugin_t)
+ optional_policy(`
+@@ -413,3 +425,4 @@ optional_policy(`
+ optional_policy(`
+ unconfined_domain(unconfined_munin_plugin_t)
')
-
-+optional_policy(`
-+ sssd_stream_connect(services_munin_plugin_t)
-+')
-+
-+optional_policy(`
-+ varnishd_read_lib_files(services_munin_plugin_t)
-+')
-+
-+optional_policy(`
-+ bind_read_config(munin_services_plugin_t)
-+')
+
- ##################################
- #
- # local policy for system plugins
-@@ -295,12 +352,10 @@ allow system_munin_plugin_t self:udp_socket create_socket_perms;
-
- rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
-
--kernel_read_network_state(system_munin_plugin_t)
--kernel_read_all_sysctls(system_munin_plugin_t)
+diff --git a/mysql.fc b/mysql.fc
+index c48dc17..43f60de 100644
+--- a/mysql.fc
++++ b/mysql.fc
+@@ -1,11 +1,24 @@
+-HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0)
-
--corecmd_exec_shell(system_munin_plugin_t)
-+# needed by munin_* plugins
-+read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t)
-
--fs_getattr_all_fs(system_munin_plugin_t)
-+kernel_read_network_state(system_munin_plugin_t)
-
- dev_read_sysfs(system_munin_plugin_t)
- dev_read_urand(system_munin_plugin_t)
-@@ -313,3 +368,47 @@ init_read_utmp(system_munin_plugin_t)
- sysnet_exec_ifconfig(system_munin_plugin_t)
-
- term_getattr_unallocated_ttys(system_munin_plugin_t)
-+term_getattr_all_ttys(system_munin_plugin_t)
-+term_getattr_all_ptys(system_munin_plugin_t)
-+
-+optional_policy(`
-+ bind_read_config(system_munin_plugin_t)
-+')
+-/etc/my\.cnf -- gen_context(system_u:object_r:mysqld_etc_t,s0)
+-/etc/mysql(/.*)? gen_context(system_u:object_r:mysqld_etc_t,s0)
+-
+-/etc/rc\.d/init\.d/mysqld? -- gen_context(system_u:object_r:mysqld_initrc_exec_t,s0)
+-/etc/rc\.d/init\.d/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_initrc_exec_t,s0)
+-
++# mysql database server
+
-+#######################################
+#
-+# Unconfined plugin policy
++# /HOME
+#
++HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t, s0)
++/root/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t, s0)
+
-+optional_policy(`
-+ unconfined_domain(unconfined_munin_plugin_t)
-+')
++/usr/lib/systemd/system/mysqld.* -- gen_context(system_u:object_r:mysqld_unit_file_t,s0)
+
-+################################
+#
-+# local policy for munin plugin domains
++# /etc
+#
++/etc/my\.cnf -- gen_context(system_u:object_r:mysqld_etc_t,s0)
++/etc/mysql(/.*)? gen_context(system_u:object_r:mysqld_etc_t,s0)
++/etc/rc\.d/init\.d/mysqld -- gen_context(system_u:object_r:mysqld_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_initrc_exec_t,s0)
+
-+allow munin_plugin_domain self:process signal;
-+
-+allow munin_plugin_domain munin_exec_t:file read_file_perms;
-+allow munin_plugin_domain munin_t:tcp_socket rw_socket_perms;
-+
-+# creates plugin state files
-+manage_files_pattern(munin_plugin_domain, munin_plugin_state_t, munin_plugin_state_t)
-+
-+read_lnk_files_pattern(munin_plugin_domain, munin_etc_t, munin_etc_t)
-+
-+corecmd_exec_bin(munin_plugin_domain)
-+corecmd_exec_shell(munin_plugin_domain)
-+
-+files_search_var_lib(munin_plugin_domain)
-+files_read_usr_files(munin_plugin_domain)
-+
-+fs_getattr_all_fs(munin_plugin_domain)
-+
-+auth_read_passwd(munin_plugin_domain)
-+
-+optional_policy(`
-+ nscd_socket_use(munin_plugin_domain)
-+')
-diff --git a/mysql.fc b/mysql.fc
-index 716d666..43f60de 100644
---- a/mysql.fc
-+++ b/mysql.fc
-@@ -1,6 +1,14 @@
- # mysql database server
++#
++# /usr
++#
+ /usr/bin/mysqld_safe -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0)
+ /usr/bin/mysql_upgrade -- gen_context(system_u:object_r:mysqld_exec_t,s0)
- #
-+# /HOME
+@@ -13,13 +26,15 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0)
+
+ /usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0)
+ /usr/sbin/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0)
+-/usr/sbin/ndbd -- gen_context(system_u:object_r:mysqld_exec_t,s0)
++/usr/sbin/ndbd -- gen_context(system_u:object_r:mysqld_exec_t,s0)
+
+-/var/lib/mysql(/.*)? gen_context(system_u:object_r:mysqld_db_t,s0)
+-/var/lib/mysql/mysql.* -s gen_context(system_u:object_r:mysqld_var_run_t,s0)
+#
-+HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t, s0)
-+/root/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t, s0)
-+
-+/usr/lib/systemd/system/mysqld.* -- gen_context(system_u:object_r:mysqld_unit_file_t,s0)
-+
++# /var
+#
- # /etc
- #
- /etc/my\.cnf -- gen_context(system_u:object_r:mysqld_etc_t,s0)
++/var/lib/mysql(/.*)? gen_context(system_u:object_r:mysqld_db_t,s0)
++/var/lib/mysql/mysql\.sock -s gen_context(system_u:object_r:mysqld_var_run_t,s0)
+
+ /var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0)
+
+-/var/run/mysqld.* gen_context(system_u:object_r:mysqld_var_run_t,s0)
+-/var/run/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0)
+-/var/run/mysqld/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0)
++/var/run/mysqld(/.*)? gen_context(system_u:object_r:mysqld_var_run_t,s0)
++/var/run/mysqld/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0)
diff --git a/mysql.if b/mysql.if
-index e9c0982..404ed6d 100644
+index 687af38..404ed6d 100644
--- a/mysql.if
+++ b/mysql.if
-@@ -18,6 +18,24 @@ interface(`mysql_domtrans',`
+@@ -1,23 +1,4 @@
+-## <summary>Open source database.</summary>
+-
+-########################################
+-## <summary>
+-## Role access for mysql.
+-## </summary>
+-## <param name="role">
+-## <summary>
+-## Role allowed access.
+-## </summary>
+-## </param>
+-## <param name="domain">
+-## <summary>
+-## User domain for the role.
+-## </summary>
+-## </param>
+-#
+-interface(`mysql_role',`
+- refpolicywarn(`$0($*) has been deprecated')
+-')
++## <summary>Policy for MySQL</summary>
+
+ ######################################
+ ## <summary>
+@@ -34,38 +15,30 @@ interface(`mysql_domtrans',`
+ type mysqld_t, mysqld_exec_t;
+ ')
+
+- corecmd_search_bin($1)
domtrans_pattern($1, mysqld_exec_t, mysqld_t)
')
+-########################################
+######################################
-+## <summary>
+ ## <summary>
+-## Execute mysqld in the mysqld domain, and
+-## allow the specified role the mysqld domain.
+## Execute MySQL in the caller domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed to transition.
+-## </summary>
+-## </param>
+-## <param name="role">
+-## <summary>
+-## Role allowed access.
+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+ #
+-interface(`mysql_run_mysqld',`
+interface(`mysql_exec',`
-+ gen_require(`
+ gen_require(`
+- attribute_role mysqld_roles;
+ type mysqld_exec_t;
-+ ')
-+
+ ')
+
+- mysql_domtrans($1)
+- roleattribute $2 mysqld_roles;
+ can_exec($1, mysqld_exec_t)
-+')
-+
+ ')
+
########################################
## <summary>
- ## Send a generic signal to MySQL.
-@@ -36,6 +54,24 @@ interface(`mysql_signal',`
+-## Send generic signals to mysqld.
++## Send a generic signal to MySQL.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -81,9 +54,27 @@ interface(`mysql_signal',`
allow $1 mysqld_t:process signal;
')
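Review bot: `dev_read_all_blk_files(munin_disk_plugin_t)` in the disk-plugin block uses the `munin_<name>_plugin_t` alias spelling while every neighbouring rule uses `disk_munin_plugin_t`; it only builds if the `typealias` from `munin_plugin_template` is still present, so the canonical name should be used: `dev_read_all_blk_files(disk_munin_plugin_t)`. Together with `storage_raw_read_fixed_disk(disk_munin_plugin_t)` this gives the disk plugin domain read access to raw block devices, which sidesteps file-level labelling for everything stored on those disks; the grant is undocumented, and a comment naming the plugins that require it (presumably the `smart_`/`hddtemp` ones) plus a boolean to gate it would make the exposure visible to a policy auditor. The removal of `postfix_getattr_all_spool_files(munin_t)` in `@@ -213,7 +207,6 @@` has no replacement in the new patch, unlike the mail plugin which keeps `postfix_getattr_spool_files`, so it is worth confirming the master daemon is meant to lose that access. In mysql.if, deleting the `mysql_run_mysqld` interface outright rather than leaving a `refpolicywarn` stub, as upstream did for `mysql_role`, will break any module that still calls it.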
@@ -37383,19 +38449,69 @@ index e9c0982..404ed6d 100644
+
########################################
## <summary>
- ## Allow the specified domain to connect to postgresql with a tcp socket.
-@@ -73,6 +109,7 @@ interface(`mysql_stream_connect',`
- type mysqld_t, mysqld_var_run_t, mysqld_db_t;
+-## Connect to mysqld with a tcp socket.
++## Allow the specified domain to connect to postgresql with a tcp socket.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -104,8 +95,7 @@ interface(`mysql_tcp_connect',`
+
+ ########################################
+ ## <summary>
+-## Connect to mysqld with a unix
+-# domain stream socket.
++## Connect to MySQL using a unix domain stream socket.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -120,12 +110,13 @@ interface(`mysql_stream_connect',`
')
-+ files_search_pids($1)
- stream_connect_pattern($1, mysqld_var_run_t, mysqld_var_run_t, mysqld_t)
- stream_connect_pattern($1, mysqld_db_t, mysqld_var_run_t, mysqld_t)
+ files_search_pids($1)
+- stream_connect_pattern($1, { mysqld_db_t mysqld_var_run_t }, mysqld_var_run_t, mysqld_t)
++ stream_connect_pattern($1, mysqld_var_run_t, mysqld_var_run_t, mysqld_t)
++ stream_connect_pattern($1, mysqld_db_t, mysqld_var_run_t, mysqld_t)
')
-@@ -122,6 +159,26 @@ interface(`mysql_search_db',`
########################################
## <summary>
+-## Read mysqld configuration content.
++## Read MySQL configuration files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -139,7 +130,6 @@ interface(`mysql_read_config',`
+ type mysqld_etc_t;
+ ')
+
+- files_search_etc($1)
+ allow $1 mysqld_etc_t:dir list_dir_perms;
+ allow $1 mysqld_etc_t:file read_file_perms;
+ allow $1 mysqld_etc_t:lnk_file read_lnk_file_perms;
+@@ -147,7 +137,8 @@ interface(`mysql_read_config',`
+
+ ########################################
+ ## <summary>
+-## Search mysqld db directories.
++## Search the directories that contain MySQL
++## database storage.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -155,6 +146,8 @@ interface(`mysql_read_config',`
+ ## </summary>
+ ## </param>
+ #
++# cjp: "_dir" in the name is added to clarify that this
++# is not searching the database itself.
+ interface(`mysql_search_db',`
+ gen_require(`
+ type mysqld_db_t;
+@@ -166,7 +159,27 @@ interface(`mysql_search_db',`
+
+ ########################################
+ ## <summary>
+-## Read and write mysqld database directories.
+## List the directories that contain MySQL
+## database storage.
+## </summary>
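Review bot: The new summary for mysql_tcp_connect reads "connect to postgresql with a tcp socket" (the `++## Allow the specified domain to connect to postgresql…` line), which looks copied from the postgresql module and misnames the service this interface grants access to; `## Allow the specified domain to connect to MySQL with a tcp socket.` would match the interface. The same hunk also drops `files_search_etc($1)` from mysql_read_config, so a caller that does not already hold search on the etc directory will no longer reach the config directory through this interface alone; presumably the Fedora base grants that elsewhere, but a one-line comment saying so would spare the next reader the search. Both interfaces start and end outside the hunk.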
@@ -37416,37 +38532,139 @@ index e9c0982..404ed6d 100644
+
+########################################
+## <summary>
- ## Read and write to the MySQL database directory.
++## Read and write to the MySQL database directory.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -185,8 +198,7 @@ interface(`mysql_rw_db_dirs',`
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete
+-## mysqld database directories.
++## Create, read, write, and delete MySQL database directories.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -205,7 +217,7 @@ interface(`mysql_manage_db_dirs',`
+
+ #######################################
+ ## <summary>
+-## Append mysqld database files.
++## Append to the MySQL database directory.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -224,7 +236,7 @@ interface(`mysql_append_db_files',`
+
+ #######################################
+ ## <summary>
+-## Read and write mysqld database files.
++## Read and write to the MySQL database directory.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -243,8 +255,7 @@ interface(`mysql_rw_db_files',`
+
+ #######################################
+ ## <summary>
+-## Create, read, write, and delete
+-## mysqld database files.
++## Create, read, write, and delete MySQL database files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -263,7 +274,7 @@ interface(`mysql_manage_db_files',`
+
+ ########################################
+ ## <summary>
+-## Read and write mysqld database sockets.
++## Read and write to the MySQL database
+ ## named socket.
+ ## </summary>
+ ## <param name="domain">
+@@ -273,13 +284,18 @@ interface(`mysql_manage_db_files',`
+ ## </param>
+ #
+ interface(`mysql_rw_db_sockets',`
+- refpolicywarn(`$0($*) has been deprecated.')
++ gen_require(`
++ type mysqld_db_t;
++ ')
++
++ files_search_var_lib($1)
++ allow $1 mysqld_db_t:dir search_dir_perms;
++ allow $1 mysqld_db_t:sock_file rw_sock_file_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete
+-## mysqld home files.
++## Write to the MySQL log.
## </summary>
## <param name="domain">
-@@ -252,12 +309,12 @@ interface(`mysql_write_log',`
+ ## <summary>
+@@ -287,86 +303,92 @@ interface(`mysql_rw_db_sockets',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`mysql_manage_mysqld_home_files',`
++interface(`mysql_write_log',`
+ gen_require(`
+- type mysqld_home_t;
++ type mysqld_log_t;
')
- logging_search_logs($1)
-- allow $1 mysqld_log_t:file { write_file_perms setattr };
+- userdom_search_user_home_dirs($1)
+- allow $1 mysqld_home_t:file manage_file_perms;
++ logging_search_logs($1)
+ allow $1 mysqld_log_t:file { write_file_perms setattr_file_perms };
')
- ######################################
+-########################################
++######################################
## <summary>
--## Execute MySQL server in the mysql domain.
+-## Relabel mysqld home files.
+## Execute MySQL safe script in the mysql safe domain.
## </summary>
## <param name="domain">
## <summary>
-@@ -273,6 +330,24 @@ interface(`mysql_domtrans_mysql_safe',`
- domtrans_pattern($1, mysqld_safe_exec_t, mysqld_safe_t)
+-## Domain allowed access.
++## Domain allowed to transition.
+ ## </summary>
+ ## </param>
+ #
+-interface(`mysql_relabel_mysqld_home_files',`
++interface(`mysql_domtrans_mysql_safe',`
+ gen_require(`
+- type mysqld_home_t;
++ type mysqld_safe_t, mysqld_safe_exec_t;
+ ')
+
+- userdom_search_user_home_dirs($1)
+- allow $1 mysqld_home_t:file relabel_file_perms;
++ domtrans_pattern($1, mysqld_safe_exec_t, mysqld_safe_t)
')
+-########################################
+######################################
-+## <summary>
+ ## <summary>
+-## Create objects in user home
+-## directories with the mysqld home type.
+## Execute MySQL_safe in the caller domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <param name="object_class">
+-## <summary>
+-## Class of the object being created.
+-## </summary>
+-## </param>
+-## <param name="name" optional="true">
+#
+interface(`mysql_safe_exec',`
+ gen_require(`
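Review bot: mysql_rw_db_sockets is revived from its deprecated stub with `allow $1 mysqld_db_t:sock_file rw_sock_file_perms;` plus search on mysqld_db_t, yet the mysql.te change in this same patch makes the socket created in the database directory transition to mysqld_var_run_t under distro_redhat, so a sock_file rule keyed on mysqld_db_t presumably only matches a socket that was never relabeled; callers that actually need the listening socket should go through mysql_stream_connect, and a comment stating which socket label this interface is for would make the intent checkable. The summaries for mysql_append_db_files and mysql_rw_db_files now read "…to the MySQL database directory." although, by their names and the existing file-oriented siblings, they act on files; `## Append to MySQL database files.` and `## Read and write MySQL database files.` describe them accurately. The interface bodies for those two are outside the hunk.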
@@ -37456,118 +38674,203 @@ index e9c0982..404ed6d 100644
+ can_exec($1, mysqld_safe_exec_t)
+')
+
- #####################################
++#####################################
++## <summary>
++## Read MySQL PID files.
++## </summary>
++## <param name="domain">
+ ## <summary>
+-## The name of the object being created.
++## Domain allowed access.
+ ## </summary>
+ ## </param>
+ #
+-interface(`mysql_home_filetrans_mysqld_home',`
++interface(`mysql_read_pid_files',`
+ gen_require(`
+- type mysqld_home_t;
++ type mysqld_var_run_t;
+ ')
+
+- userdom_user_home_dir_filetrans($1, mysqld_home_t, $2, $3)
++ mysql_search_pid_files($1)
++ read_files_pattern($1, mysqld_var_run_t, mysqld_var_run_t)
+ ')
+
+-########################################
++#####################################
## <summary>
- ## Read MySQL PID files.
-@@ -313,6 +388,67 @@ interface(`mysql_search_pid_files',`
+-## Write mysqld log files.
++## Search MySQL PID files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
++##
+ #
+-interface(`mysql_write_log',`
++interface(`mysql_search_pid_files',`
+ gen_require(`
+- type mysqld_log_t;
++ type mysqld_var_run_t;
+ ')
- ########################################
+- logging_search_logs($1)
+- allow $1 mysqld_log_t:file write_file_perms;
++ search_dirs_pattern($1, mysqld_var_run_t, mysqld_var_run_t)
+ ')
+
+-######################################
++########################################
## <summary>
+-## Execute mysqld safe in the
+-## mysqld safe domain.
+## Execute mysqld server in the mysqld domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed to transition.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -374,18 +396,22 @@ interface(`mysql_write_log',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`mysql_domtrans_mysql_safe',`
+interface(`mysql_systemctl',`
-+ gen_require(`
+ gen_require(`
+- type mysqld_safe_t, mysqld_safe_exec_t;
+ type mysqld_unit_file_t;
+ type mysqld_t;
-+ ')
-+
+ ')
+
+- corecmd_search_bin($1)
+- domtrans_pattern($1, mysqld_safe_exec_t, mysqld_safe_t)
+ systemd_exec_systemctl($1)
+ allow $1 mysqld_unit_file_t:file read_file_perms;
+ allow $1 mysqld_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, mysqld_t)
-+')
-+
+ ')
+
+-#####################################
+########################################
-+## <summary>
+ ## <summary>
+-## Read mysqld pid files.
+## read mysqld homedir content (.k5login)
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -393,39 +419,37 @@ interface(`mysql_domtrans_mysql_safe',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`mysql_read_pid_files',`
+interface(`mysql_read_home_content',`
-+ gen_require(`
+ gen_require(`
+- type mysqld_var_run_t;
+ type mysqld_home_t;
-+ ')
-+
+ ')
+
+- files_search_pids($1)
+- read_files_pattern($1, mysqld_var_run_t, mysqld_var_run_t)
+ userdom_search_user_home_dirs($1)
+ read_files_pattern($1, mysqld_home_t, mysqld_home_t)
-+')
-+
+ ')
+
+-#####################################
+########################################
-+## <summary>
+ ## <summary>
+-## Search mysqld pid files.
+## Transition to mysqld named content
-+## </summary>
-+## <param name="domain">
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+-##
+ #
+-interface(`mysql_search_pid_files',`
+interface(`mysql_filetrans_named_content',`
-+ gen_require(`
+ gen_require(`
+- type mysqld_var_run_t;
+ type mysqld_home_t;
-+ ')
-+
+ ')
+
+- files_search_pids($1)
+- search_dirs_pattern($1, mysqld_var_run_t, mysqld_var_run_t)
+ userdom_admin_home_dir_filetrans($1, mysqld_home_t, file, ".my.cnf")
+ userdom_user_home_dir_filetrans($1, mysqld_home_t, file, ".my.cnf")
-+')
-+
-+########################################
-+## <summary>
- ## All of the rules required to administrate an mysql environment
+ ')
+
+ ########################################
+ ## <summary>
+-## All of the rules required to
+-## administrate an mysqld environment.
++## All of the rules required to administrate an mysql environment
## </summary>
## <param name="domain">
-@@ -329,27 +465,45 @@ interface(`mysql_search_pid_files',`
+ ## <summary>
+@@ -434,41 +458,52 @@ interface(`mysql_search_pid_files',`
+ ## </param>
+ ## <param name="role">
+ ## <summary>
+-## Role allowed access.
++## The role to be allowed to manage the mysql domain.
+ ## </summary>
+ ## </param>
+ ## <rolecap/>
#
interface(`mysql_admin',`
gen_require(`
-- type mysqld_t, mysqld_var_run_t;
-- type mysqld_tmp_t, mysqld_db_t;
-- type mysqld_etc_t, mysqld_log_t;
-- type mysqld_initrc_exec_t;
+- type mysqld_t, mysqld_var_run_t, mysqld_etc_t;
+ type mysqld_t, mysqld_var_run_t, mysqld_initrc_exec_t;
-+ type mysqld_tmp_t, mysqld_db_t, mysqld_log_t;
+ type mysqld_tmp_t, mysqld_db_t, mysqld_log_t;
+- type mysqld_safe_t, mysqlmanagerd_t, mysqlmanagerd_var_run_t;
+- type mysqld_initrc_exec_t, mysqlmanagerd_initrc_exec_t, mysqld_home_t;
+ type mysqld_etc_t;
+ type mysqld_home_t;
+ type mysqld_unit_file_t;
')
-- allow $1 mysqld_t:process { ptrace signal_perms };
+- allow $1 { mysqld_safe_t mysqld_t mysqlmanagerd_t }:process { ptrace signal_perms };
+- ps_process_pattern($1, { mysqld_safe_t mysqld_t mysqlmanagerd_t })
+ allow $1 mysqld_t:process signal_perms;
- ps_process_pattern($1, mysqld_t)
++ ps_process_pattern($1, mysqld_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 mysqld_t:process ptrace;
+ ')
- init_labeled_script_domtrans($1, mysqld_initrc_exec_t)
+- init_labeled_script_domtrans($1, { mysqlmanagerd_initrc_exec_t mysqld_initrc_exec_t })
++ init_labeled_script_domtrans($1, mysqld_initrc_exec_t)
domain_system_change_exemption($1)
- role_transition $2 mysqld_initrc_exec_t system_r;
+- role_transition $2 { mysqlmanagerd_initrc_exec_t mysqld_initrc_exec_t } system_r;
++ role_transition $2 mysqld_initrc_exec_t system_r;
allow $2 system_r;
+- files_search_pids($1)
+- admin_pattern($1, { mysqlmanagerd_var_run_t mysqld_var_run_t })
+ files_list_pids($1)
- admin_pattern($1, mysqld_var_run_t)
++ admin_pattern($1, mysqld_var_run_t)
+- files_search_var_lib($1)
admin_pattern($1, mysqld_db_t)
+- files_search_etc($1)
+- admin_pattern($1, { mysqld_etc_t mysqld_home_t })
+ files_list_etc($1)
- admin_pattern($1, mysqld_etc_t)
++ admin_pattern($1, mysqld_etc_t)
+- logging_search_logs($1)
+ logging_list_logs($1)
admin_pattern($1, mysqld_log_t)
+- files_search_tmp($1)
+ files_list_tmp($1)
admin_pattern($1, mysqld_tmp_t)
-+
+
+- mysql_run_mysqld($1, $2)
+ userdom_search_user_home_dirs($1)
+ files_list_root($1)
+ admin_pattern($1, mysqld_home_t)
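Review bot: The summary of mysql_read_home_content, `## read mysqld homedir content (.k5login)`, names a Kerberos file that nothing in this module references, while the filetrans interface right below it works on `.my.cnf`; `## Read mysqld home directory content (.my.cnf).` would match the rules. On the new side mysql_search_pid_files and mysql_read_pid_files also lose `files_search_pids($1)`, so the search_dirs_pattern on mysqld_var_run_t only helps a caller that can already reach the pid directory; if that is deliberately supplied by the Fedora base, say so in the interface comment rather than leaving it implicit. There is additionally a stray `##` line in the mysql_search_pid_files doc block. The hunk starts inside mysql_safe_exec's gen_require, which is cut at the edge.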
@@ -37579,23 +38882,72 @@ index e9c0982..404ed6d 100644
+ mysql_stream_connect($1)
')
diff --git a/mysql.te b/mysql.te
-index 1cf05a3..8855ea2 100644
+index 9f6179e..8855ea2 100644
--- a/mysql.te
+++ b/mysql.te
-@@ -29,6 +29,12 @@ files_type(mysqld_db_t)
- type mysqld_etc_t alias etc_mysqld_t;
- files_config_file(mysqld_etc_t)
+@@ -1,4 +1,4 @@
+-policy_module(mysql, 1.13.5)
++policy_module(mysql, 1.13.0)
+
+ ########################################
+ #
+@@ -6,20 +6,15 @@ policy_module(mysql, 1.13.5)
+ #
+
+ ## <desc>
+-## <p>
+-## Determine whether mysqld can
+-## connect to all TCP ports.
+-## </p>
++## <p>
++## Allow mysqld to connect to all ports
++## </p>
+ ## </desc>
+ gen_tunable(mysql_connect_any, false)
+
+-attribute_role mysqld_roles;
+-
+ type mysqld_t;
+ type mysqld_exec_t;
+ init_daemon_domain(mysqld_t, mysqld_exec_t)
+-application_domain(mysqld_t, mysqld_exec_t)
+-role mysqld_roles types mysqld_t;
+
+ type mysqld_safe_t;
+ type mysqld_safe_exec_t;
+@@ -27,7 +22,6 @@ init_daemon_domain(mysqld_safe_t, mysqld_safe_exec_t)
+
+ type mysqld_var_run_t;
+ files_pid_file(mysqld_var_run_t)
+-init_daemon_run_dir(mysqld_var_run_t, "mysqld")
+
+ type mysqld_db_t;
+ files_type(mysqld_db_t)
+@@ -38,6 +32,9 @@ files_config_file(mysqld_etc_t)
+ type mysqld_home_t;
+ userdom_user_home_content(mysqld_home_t)
-+type mysqld_home_t;
-+userdom_user_home_content(mysqld_home_t)
-+
+type mysqld_unit_file_t;
+systemd_unit_file(mysqld_unit_file_t)
+
type mysqld_initrc_exec_t;
init_script_file(mysqld_initrc_exec_t)
-@@ -64,11 +70,12 @@ allow mysqld_t self:udp_socket create_socket_perms;
+@@ -62,26 +59,26 @@ files_pid_file(mysqlmanagerd_var_run_t)
+ # Local policy
+ #
+
+-allow mysqld_t self:capability { dac_override ipc_lock setgid setuid sys_resource };
++allow mysqld_t self:capability { dac_override ipc_lock setgid setuid sys_resource net_bind_service };
+ dontaudit mysqld_t self:capability sys_tty_config;
+ allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
+ allow mysqld_t self:fifo_file rw_fifo_file_perms;
+ allow mysqld_t self:shm create_shm_perms;
+-allow mysqld_t self:unix_stream_socket { accept listen };
+-allow mysqld_t self:tcp_socket { accept listen };
++allow mysqld_t self:unix_stream_socket create_stream_socket_perms;
++allow mysqld_t self:tcp_socket create_stream_socket_perms;
++allow mysqld_t self:udp_socket create_socket_perms;
manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
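Review bot: `net_bind_service` is added to mysqld_t's self:capability set, but the port this module binds by default (via corenet_tcp_bind_mysqld_port) is unprivileged, so the capability is only exercised when mysqld is configured to listen below 1024 and otherwise widens what a compromised mysqld could bind; a comment giving the reason, or gating it behind a tunable, would record the intent. The same hunk lowers `policy_module(mysql, 1.13.5)` to `1.13.0`, which reads as a version regression relative to upstream and is worth confirming rather than carrying silently. The capability line's surrounding local-policy block continues past the hunk.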
@@ -37603,114 +38955,189 @@ index 1cf05a3..8855ea2 100644
manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file lnk_file })
- allow mysqld_t mysqld_etc_t:file read_file_perms;
--allow mysqld_t mysqld_etc_t:lnk_file { getattr read };
-+allow mysqld_t mysqld_etc_t:lnk_file read_lnk_file_perms;
- allow mysqld_t mysqld_etc_t:dir list_dir_perms;
+-filetrans_pattern(mysqld_t, mysqld_db_t, mysqld_var_run_t, sock_file)
+-
+-allow mysqld_t mysqld_etc_t:dir list_dir_perms;
+-allow mysqld_t { mysqld_etc_t mysqld_home_t }:file read_file_perms;
++allow mysqld_t mysqld_etc_t:file read_file_perms;
+ allow mysqld_t mysqld_etc_t:lnk_file read_lnk_file_perms;
++allow mysqld_t mysqld_etc_t:dir list_dir_perms;
- allow mysqld_t mysqld_log_t:file manage_file_perms;
-@@ -78,14 +85,21 @@ manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
- manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
- files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir })
+-allow mysqld_t mysqld_log_t:file { append_file_perms create_file_perms setattr_file_perms };
++allow mysqld_t mysqld_log_t:file manage_file_perms;
+ logging_log_filetrans(mysqld_t, mysqld_log_t, file)
-+manage_dirs_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
- manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
+ manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
+@@ -93,50 +90,56 @@ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
manage_sock_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
--files_pid_filetrans(mysqld_t, mysqld_var_run_t, { file sock_file })
-+files_pid_filetrans(mysqld_t, mysqld_var_run_t, { dir file sock_file })
-+
-+userdom_dontaudit_use_unpriv_user_fds(mysqld_t)
+ files_pid_filetrans(mysqld_t, mysqld_var_run_t, { dir file sock_file })
-+kernel_read_network_state(mysqld_t)
+-kernel_read_kernel_sysctls(mysqld_t)
++userdom_dontaudit_use_unpriv_user_fds(mysqld_t)
++
+ kernel_read_network_state(mysqld_t)
kernel_read_system_state(mysqld_t)
+kernel_read_network_state(mysqld_t)
- kernel_read_kernel_sysctls(mysqld_t)
-
--corenet_all_recvfrom_unlabeled(mysqld_t)
++kernel_read_kernel_sysctls(mysqld_t)
++
+corecmd_exec_bin(mysqld_t)
+corecmd_exec_shell(mysqld_t)
-+
+
+-corenet_all_recvfrom_unlabeled(mysqld_t)
corenet_all_recvfrom_netlabel(mysqld_t)
corenet_tcp_sendrecv_generic_if(mysqld_t)
- corenet_udp_sendrecv_generic_if(mysqld_t)
-@@ -110,7 +124,6 @@ domain_use_interactive_fds(mysqld_t)
++corenet_udp_sendrecv_generic_if(mysqld_t)
+ corenet_tcp_sendrecv_generic_node(mysqld_t)
++corenet_udp_sendrecv_generic_node(mysqld_t)
++corenet_tcp_sendrecv_all_ports(mysqld_t)
++corenet_udp_sendrecv_all_ports(mysqld_t)
+ corenet_tcp_bind_generic_node(mysqld_t)
+-
+-corenet_sendrecv_mysqld_server_packets(mysqld_t)
+ corenet_tcp_bind_mysqld_port(mysqld_t)
+-corenet_sendrecv_mysqld_client_packets(mysqld_t)
+ corenet_tcp_connect_mysqld_port(mysqld_t)
+-corenet_tcp_sendrecv_mysqld_port(mysqld_t)
+-
+-corecmd_exec_bin(mysqld_t)
+-corecmd_exec_shell(mysqld_t)
++corenet_sendrecv_mysqld_client_packets(mysqld_t)
++corenet_sendrecv_mysqld_server_packets(mysqld_t)
+
+ dev_read_sysfs(mysqld_t)
+ dev_read_urand(mysqld_t)
+
+-domain_use_interactive_fds(mysqld_t)
+-
+ fs_getattr_all_fs(mysqld_t)
+ fs_search_auto_mountpoints(mysqld_t)
+ fs_rw_hugetlbfs_files(mysqld_t)
- files_getattr_var_lib_dirs(mysqld_t)
++domain_use_interactive_fds(mysqld_t)
++
++files_getattr_var_lib_dirs(mysqld_t)
files_read_etc_runtime_files(mysqld_t)
--files_read_etc_files(mysqld_t)
files_read_usr_files(mysqld_t)
- files_search_var_lib(mysqld_t)
++files_search_var_lib(mysqld_t)
-@@ -118,17 +131,10 @@ auth_use_nsswitch(mysqld_t)
+ auth_use_nsswitch(mysqld_t)
logging_send_syslog_msg(mysqld_t)
-miscfiles_read_localization(mysqld_t)
--
- sysnet_read_config(mysqld_t)
++sysnet_read_config(mysqld_t)
+-userdom_search_user_home_dirs(mysqld_t)
-userdom_dontaudit_use_unpriv_user_fds(mysqld_t)
--# for /root/.my.cnf - should not be needed:
--userdom_read_user_home_content_files(mysqld_t)
--
- ifdef(`distro_redhat',`
-- # because Fedora has the sock_file in the database directory
-- type_transition mysqld_t mysqld_db_t:sock_file mysqld_var_run_t;
++ifdef(`distro_redhat',`
+ filetrans_pattern(mysqld_t, mysqld_db_t, mysqld_var_run_t, sock_file)
- ')
++')
tunable_policy(`mysql_connect_any',`
-@@ -154,10 +160,11 @@ optional_policy(`
+- corenet_sendrecv_all_client_packets(mysqld_t)
+ corenet_tcp_connect_all_ports(mysqld_t)
+- corenet_tcp_sendrecv_all_ports(mysqld_t)
++ corenet_sendrecv_all_client_packets(mysqld_t)
+ ')
+
+ optional_policy(`
+@@ -153,29 +156,22 @@ optional_policy(`
+
+ #######################################
+ #
+-# Safe local policy
++# Local mysqld_safe policy
#
allow mysqld_safe_t self:capability { chown dac_override fowner kill };
--dontaudit mysqld_safe_t self:capability sys_ptrace;
-+allow mysqld_safe_t self:process { setsched getsched setrlimit };
+ allow mysqld_safe_t self:process { setsched getsched setrlimit };
allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
+-allow mysqld_safe_t mysqld_t:process signull;
+-
read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
+-manage_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
+delete_sock_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
- domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t)
+-allow mysqld_safe_t mysqld_etc_t:dir list_dir_perms;
+-allow mysqld_safe_t { mysqld_etc_t mysqld_home_t }:file read_file_perms;
+-allow mysqld_safe_t mysqld_etc_t:lnk_file read_lnk_file_perms;
++domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t)
-@@ -170,26 +177,33 @@ kernel_read_system_state(mysqld_safe_t)
- kernel_read_kernel_sysctls(mysqld_safe_t)
+-allow mysqld_safe_t mysqld_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+-logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
++allow mysqld_safe_t mysqld_log_t:file manage_file_perms;
- corecmd_exec_bin(mysqld_safe_t)
-+corecmd_exec_shell(mysqld_safe_t)
+ manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t)
+-delete_sock_files_pattern(mysqld_safe_t, { mysqld_db_t mysqld_var_run_t }, mysqld_var_run_t)
+-
+-domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t)
++delete_sock_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t)
- dev_list_sysfs(mysqld_safe_t)
+ kernel_read_system_state(mysqld_safe_t)
+ kernel_read_kernel_sysctls(mysqld_safe_t)
+@@ -187,17 +183,22 @@ dev_list_sysfs(mysqld_safe_t)
domain_read_all_domains_state(mysqld_safe_t)
-files_read_etc_files(mysqld_safe_t)
+files_dontaudit_search_all_mountpoints(mysqld_safe_t)
files_read_usr_files(mysqld_safe_t)
+-files_search_pids(mysqld_safe_t)
files_dontaudit_getattr_all_dirs(mysqld_safe_t)
+-files_dontaudit_search_all_mountpoints(mysqld_safe_t)
- logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
-+logging_send_syslog_msg(mysqld_safe_t)
++logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
+ logging_send_syslog_msg(mysqld_safe_t)
--hostname_exec(mysqld_safe_t)
+-miscfiles_read_localization(mysqld_safe_t)
+auth_read_passwd(mysqld_safe_t)
--miscfiles_read_localization(mysqld_safe_t)
+-userdom_search_user_home_dirs(mysqld_safe_t)
+domain_dontaudit_signull_all_domains(mysqld_safe_t)
-
- mysql_manage_db_files(mysqld_safe_t)
- mysql_read_config(mysqld_safe_t)
- mysql_search_pid_files(mysqld_safe_t)
++
++mysql_manage_db_files(mysqld_safe_t)
++mysql_read_config(mysqld_safe_t)
++mysql_search_pid_files(mysqld_safe_t)
+mysql_signull(mysqld_safe_t)
- mysql_write_log(mysqld_safe_t)
++mysql_write_log(mysqld_safe_t)
+
+ optional_policy(`
+ hostname_exec(mysqld_safe_t)
+@@ -205,7 +206,7 @@ optional_policy(`
-+optional_policy(`
-+ hostname_exec(mysqld_safe_t)
-+')
-+
########################################
#
- # MySQL Manager Policy
-@@ -218,7 +232,6 @@ kernel_read_system_state(mysqlmanagerd_t)
+-# Manager local policy
++# MySQL Manager Policy
+ #
+
+ allow mysqlmanagerd_t self:capability { dac_override kill };
+@@ -214,11 +215,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
+ allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms;
+ allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms;
+
+-allow mysqlmanagerd_t mysqld_t:process signal;
+-
+-allow mysqlmanagerd_t mysqld_etc_t:dir list_dir_perms;
+-allow mysqlmanagerd_t { mysqld_etc_t mysqld_home_t }:file read_file_perms;
+-allow mysqlmanagerd_t mysqld_etc_t:lnk_file read_lnk_file_perms;
++mysql_read_config(initrc_t)
++mysql_read_config(mysqlmanagerd_t)
++mysql_read_pid_files(mysqlmanagerd_t)
++mysql_search_db(mysqlmanagerd_t)
++mysql_signal(mysqlmanagerd_t)
++mysql_stream_connect(mysqlmanagerd_t)
+
+ domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t)
+
+@@ -226,31 +228,23 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
+ manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
+ filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file })
+
+-stream_connect_pattern(mysqlmanagerd_t, { mysqld_db_t mysqld_var_run_t }, mysqld_var_run_t, mysqld_t)
+-
+ kernel_read_system_state(mysqlmanagerd_t)
corecmd_exec_shell(mysqlmanagerd_t)
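Review bot: `corenet_tcp_sendrecv_all_ports(mysqld_t)` and `corenet_udp_sendrecv_all_ports(mysqld_t)` become unconditional here, whereas upstream keeps the tcp all-ports sendrecv inside the `mysql_connect_any` tunable (the line removed from that block); after this change the tunable only gates connect, the all-ports traffic rules apply even when it is off, and the shortened `## Allow mysqld to connect to all ports` description no longer reflects that. Moving both sendrecv lines into the tunable branch keeps the default policy limited to the mysqld port. The new side also lists `kernel_read_network_state(mysqld_t)` twice, and `mysql_read_config(initrc_t)` references initrc_t in the mysqlmanagerd section with no gen_require visible in this hunk — if the module does not require it elsewhere, that rule belongs behind an init_* interface. The hunk's first lines are inside the mysqld local-policy block, whose start is outside it.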
@@ -37718,172 +39145,237 @@ index 1cf05a3..8855ea2 100644
corenet_all_recvfrom_netlabel(mysqlmanagerd_t)
corenet_tcp_sendrecv_generic_if(mysqlmanagerd_t)
corenet_tcp_sendrecv_generic_node(mysqlmanagerd_t)
-@@ -231,9 +244,7 @@ corenet_sendrecv_mysqlmanagerd_client_packets(mysqlmanagerd_t)
++corenet_tcp_sendrecv_all_ports(mysqlmanagerd_t)
+ corenet_tcp_bind_generic_node(mysqlmanagerd_t)
+-
+-corenet_sendrecv_mysqlmanagerd_server_packets(mysqlmanagerd_t)
+ corenet_tcp_bind_mysqlmanagerd_port(mysqlmanagerd_t)
+-corenet_sendrecv_mysqlmanagerd_client_packets(mysqlmanagerd_t)
+ corenet_tcp_connect_mysqlmanagerd_port(mysqlmanagerd_t)
+-corenet_tcp_sendrecv_mysqlmanagerd_port(mysqlmanagerd_t)
++corenet_sendrecv_mysqlmanagerd_server_packets(mysqlmanagerd_t)
++corenet_sendrecv_mysqlmanagerd_client_packets(mysqlmanagerd_t)
dev_read_urand(mysqlmanagerd_t)
-files_read_etc_files(mysqlmanagerd_t)
files_read_usr_files(mysqlmanagerd_t)
+-files_search_pids(mysqlmanagerd_t)
+-files_search_var_lib(mysqlmanagerd_t)
-miscfiles_read_localization(mysqlmanagerd_t)
- userdom_getattr_user_home_dirs(mysqlmanagerd_t)
+-userdom_search_user_home_dirs(mysqlmanagerd_t)
++userdom_getattr_user_home_dirs(mysqlmanagerd_t)
diff --git a/nagios.fc b/nagios.fc
-index 1238f2e..d80b4db 100644
+index d78dfc3..d80b4db 100644
--- a/nagios.fc
+++ b/nagios.fc
-@@ -6,7 +6,7 @@
- /usr/s?bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
- /usr/s?bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0)
-
--/usr/lib/cgi-bin/netsaint(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
+@@ -1,88 +1,93 @@
+-/etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0)
+-/etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0)
++/etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0)
++/etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0)
++/etc/rc\.d/init\.d/nagios -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/nrpe -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
+
+-/etc/rc\.d/init\.d/nagios -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
+-/etc/rc\.d/init\.d/nrpe -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
++/usr/s?bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
++/usr/s?bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0)
+
+-/usr/bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
+-/usr/bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0)
+/usr/lib/cgi-bin/netsaint(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
- /usr/lib/nagios/cgi(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
++/usr/lib/nagios/cgi(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
- /var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
-@@ -19,70 +19,75 @@
- ifdef(`distro_debian',`
- /usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
- ')
--/usr/lib/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
--/usr/lib/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
+-/usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
+-/usr/sbin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0)
++/var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
++/var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
+
+-/usr/lib/cgi-bin/nagios(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
+-/usr/lib/cgi-bin/netsaint(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
++/var/run/nagios.* gen_context(system_u:object_r:nagios_var_run_t,s0)
+
+-/usr/lib/nagios/cgi(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
+-/usr/lib/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
++/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0)
+
+-/usr/lib/nagios/plugins/eventhandlers(/.*) gen_context(system_u:object_r:nagios_eventhandler_plugin_exec_t,s0)
++ifdef(`distro_debian',`
++/usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
++')
+/usr/lib/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
+/usr/lib/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
- # admin plugins
--/usr/lib/nagios/plugins/check_file_age -- gen_context(system_u:object_r:nagios_admin_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_file_age -- gen_context(system_u:object_r:nagios_admin_plugin_exec_t,s0)
++# admin plugins
+ /usr/lib/nagios/plugins/check_file_age -- gen_context(system_u:object_r:nagios_admin_plugin_exec_t,s0)
- # check disk plugins
- /usr/lib/nagios/plugins/check_disk -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
--/usr/lib/nagios/plugins/check_disk_smb -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
--/usr/lib/nagios/plugins/check_ide_smart -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_disk_smb -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_ide_smart -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
+-/usr/lib/nagios/plugins/check_disk -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
++# check disk plugins
++/usr/lib/nagios/plugins/check_disk -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
+ /usr/lib/nagios/plugins/check_disk_smb -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
+ /usr/lib/nagios/plugins/check_ide_smart -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
/usr/lib/nagios/plugins/check_linux_raid -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
- # mail plugins
-/usr/lib/nagios/plugins/check_mailq -- gen_context(system_u:object_r:nagios_mail_plugin_exec_t,s0)
++# mail plugins
+/usr/lib/nagios/plugins/check_mailq -- gen_context(system_u:object_r:nagios_mail_plugin_exec_t,s0)
+
+/usr/lib/pnp4nagios(/.*)? gen_context(system_u:object_r:nagios_var_lib_t,s0)
- # system plugins
--/usr/lib/nagios/plugins/check_breeze -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
--/usr/lib/nagios/plugins/check_dummy -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
--/usr/lib/nagios/plugins/check_flexlm -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_breeze -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_dummy -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_flexlm -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++# system plugins
+ /usr/lib/nagios/plugins/check_breeze -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+ /usr/lib/nagios/plugins/check_dummy -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+ /usr/lib/nagios/plugins/check_flexlm -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
/usr/lib/nagios/plugins/check_ifoperstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
--/usr/lib/nagios/plugins/check_ifstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_ifstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
- /usr/lib/nagios/plugins/check_load -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
- /usr/lib/nagios/plugins/check_log -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
- /usr/lib/nagios/plugins/check_mrtg -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
--/usr/lib/nagios/plugins/check_mrtgtraf -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
--/usr/lib/nagios/plugins/check_nagios -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
--/usr/lib/nagios/plugins/check_nwstat -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
--/usr/lib/nagios/plugins/check_overcr -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
--/usr/lib/nagios/plugins/check_procs -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
--/usr/lib/nagios/plugins/check_sensors -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_mrtgtraf -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_nagios -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_nwstat -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_overcr -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_procs -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_sensors -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
- /usr/lib/nagios/plugins/check_swap -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
--/usr/lib/nagios/plugins/check_users -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_users -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
- /usr/lib/nagios/plugins/check_wave -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-
- # services plugins
--/usr/lib/nagios/plugins/check_cluster -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_cluster -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
- /usr/lib/nagios/plugins/check_dhcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
- /usr/lib/nagios/plugins/check_dig -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
- /usr/lib/nagios/plugins/check_dns -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
- /usr/lib/nagios/plugins/check_game -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
--/usr/lib/nagios/plugins/check_fping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_fping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
- /usr/lib/nagios/plugins/check_hpjd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
- /usr/lib/nagios/plugins/check_http -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
- /usr/lib/nagios/plugins/check_icmp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
- /usr/lib/nagios/plugins/check_ircd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
- /usr/lib/nagios/plugins/check_ldap -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
--/usr/lib/nagios/plugins/check_mysql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_mysql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
- /usr/lib/nagios/plugins/check_mysql_query -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
- /usr/lib/nagios/plugins/check_nrpe -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
- /usr/lib/nagios/plugins/check_nt -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
--/usr/lib/nagios/plugins/check_ntp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
--/usr/lib/nagios/plugins/check_oracle -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
--/usr/lib/nagios/plugins/check_pgsql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_ntp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_oracle -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_pgsql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
- /usr/lib/nagios/plugins/check_ping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
--/usr/lib/nagios/plugins/check_radius -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_radius -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
- /usr/lib/nagios/plugins/check_real -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
- /usr/lib/nagios/plugins/check_rpc -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
- /usr/lib/nagios/plugins/check_tcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
- /usr/lib/nagios/plugins/check_time -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
- /usr/lib/nagios/plugins/check_sip -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
- /usr/lib/nagios/plugins/check_smtp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
--/usr/lib/nagios/plugins/check_snmp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_snmp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
- /usr/lib/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
- /usr/lib/nagios/plugins/check_ups -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-
- # unconfined plugins
--/usr/lib/nagios/plugins/check_by_ssh -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)
-+/usr/lib/nagios/plugins/check_by_ssh -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)
-+
+ /usr/lib/nagios/plugins/check_ifstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+-/usr/lib/nagios/plugins/check_load -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+-/usr/lib/nagios/plugins/check_log -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+-/usr/lib/nagios/plugins/check_mrtg -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_load -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_log -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_mrtg -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+ /usr/lib/nagios/plugins/check_mrtgtraf -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+ /usr/lib/nagios/plugins/check_nagios -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+ /usr/lib/nagios/plugins/check_nwstat -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+ /usr/lib/nagios/plugins/check_overcr -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+ /usr/lib/nagios/plugins/check_procs -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+ /usr/lib/nagios/plugins/check_sensors -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+-/usr/lib/nagios/plugins/check_swap -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_swap -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+ /usr/lib/nagios/plugins/check_users -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+-/usr/lib/nagios/plugins/check_wave -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_wave -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+
++# services plugins
+ /usr/lib/nagios/plugins/check_cluster -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-/usr/lib/nagios/plugins/check_dhcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-/usr/lib/nagios/plugins/check_dig -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-/usr/lib/nagios/plugins/check_dns -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-/usr/lib/nagios/plugins/check_game -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_dhcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_dig -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_dns -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_game -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+ /usr/lib/nagios/plugins/check_fping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-/usr/lib/nagios/plugins/check_hpjd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-/usr/lib/nagios/plugins/check_http -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-/usr/lib/nagios/plugins/check_icmp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-/usr/lib/nagios/plugins/check_ircd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-/usr/lib/nagios/plugins/check_ldap -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_hpjd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_http -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_icmp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_ircd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_ldap -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+ /usr/lib/nagios/plugins/check_mysql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-/usr/lib/nagios/plugins/check_mysql_query -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-/usr/lib/nagios/plugins/check_nrpe -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-/usr/lib/nagios/plugins/check_nt -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_mysql_query -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_nrpe -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_nt -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+ /usr/lib/nagios/plugins/check_ntp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+ /usr/lib/nagios/plugins/check_oracle -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+ /usr/lib/nagios/plugins/check_pgsql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-/usr/lib/nagios/plugins/check_ping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_ping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+ /usr/lib/nagios/plugins/check_radius -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-/usr/lib/nagios/plugins/check_real -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-/usr/lib/nagios/plugins/check_rpc -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-/usr/lib/nagios/plugins/check_tcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-/usr/lib/nagios/plugins/check_time -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-/usr/lib/nagios/plugins/check_sip -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-/usr/lib/nagios/plugins/check_smtp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_real -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_rpc -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_tcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_time -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_sip -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_smtp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+ /usr/lib/nagios/plugins/check_snmp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-/usr/lib/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-/usr/lib/nagios/plugins/check_ups -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_ups -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+
++# unconfined plugins
+ /usr/lib/nagios/plugins/check_by_ssh -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)
+
+-/usr/lib/pnp4nagios(/.*)? gen_context(system_u:object_r:nagios_var_lib_t,s0)
+-
+-/var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
+-/var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
+-
+-/var/run/nagios.* -- gen_context(system_u:object_r:nagios_var_run_t,s0)
+-/var/run/nrpe.* -- gen_context(system_u:object_r:nrpe_var_run_t,s0)
+-
+-/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0)
+# eventhandlers
+/usr/lib/nagios/plugins/eventhandlers(/.*) gen_context(system_u:object_r:nagios_eventhandler_plugin_exec_t,s0)
diff --git a/nagios.if b/nagios.if
-index 8581040..d7d9a79 100644
+index 0641e97..d7d9a79 100644
--- a/nagios.if
+++ b/nagios.if
-@@ -12,31 +12,24 @@
+@@ -1,12 +1,13 @@
+-## <summary>Network monitoring server.</summary>
++## <summary>Net Saint / NAGIOS - network monitoring server</summary>
+
+-#######################################
++########################################
+ ## <summary>
+-## The template to define a nagios plugin domain.
++## Create a set of derived types for various
++## nagios plugins,
+ ## </summary>
+-## <param name="domain_prefix">
++## <param name="plugins_group_name">
+ ## <summary>
+-## Domain prefix to be used.
++## The name to be used for deriving type names.
+ ## </summary>
## </param>
#
- template(`nagios_plugin_template',`
--
- gen_require(`
-+ attribute nagios_plugin_domain;
+@@ -16,38 +17,31 @@ template(`nagios_plugin_template',`
type nagios_t, nrpe_t;
-- type nagios_log_t;
')
-- type nagios_$1_plugin_t;
-+ type nagios_$1_plugin_t, nagios_plugin_domain;
+- ########################################
+- #
+- # Declarations
+- #
+-
+ type nagios_$1_plugin_t, nagios_plugin_domain;
type nagios_$1_plugin_exec_t;
application_domain(nagios_$1_plugin_t, nagios_$1_plugin_exec_t)
role system_r types nagios_$1_plugin_t;
-- allow nagios_$1_plugin_t self:fifo_file rw_fifo_file_perms;
+- ########################################
+- #
+- # Policy
+- #
-
domtrans_pattern(nrpe_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t)
-+ allow nagios_t nagios_$1_plugin_exec_t:file ioctl;
+ allow nagios_t nagios_$1_plugin_exec_t:file ioctl;
- # needed by command.cfg
++ # needed by command.cfg
domtrans_pattern(nagios_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t)
-
-- allow nagios_t nagios_$1_plugin_t:process signal_perms;
--
-- # cjp: leaked file descriptor
-- dontaudit nagios_$1_plugin_t nrpe_t:tcp_socket { read write };
-- dontaudit nagios_$1_plugin_t nagios_log_t:file { read write };
++
+ kernel_read_system_state(nagios_$1_plugin_t)
-
-- miscfiles_read_localization(nagios_$1_plugin_t)
++
')
########################################
-@@ -49,7 +42,6 @@ template(`nagios_plugin_template',`
+ ## <summary>
+-## Do not audit attempts to read or
+-## write nagios unnamed pipes.
++## Do not audit attempts to read or write nagios
++## unnamed pipes.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
## Domain to not audit.
## </summary>
## </param>
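Review bot: `corenet_tcp_sendrecv_all_ports(mysqlmanagerd_t)` replaces the removed `corenet_tcp_sendrecv_mysqlmanagerd_port(mysqlmanagerd_t)`, which widens the manager's TCP send/receive from its own port to every port; unless a wider need is known, keeping the port-specific call alongside the existing `corenet_tcp_sendrecv_generic_node` preserves the least-privilege scope. In the nagios.fc part of the same hunk the new `/var/run/nagios.* gen_context(system_u:object_r:nagios_var_run_t,s0)` drops the `--` file-class qualifier of the line it replaces, so it now also labels directories and sockets whose name starts with nagios under /var/run, and `/var/run/nrpe.* -- gen_context(system_u:object_r:nrpe_var_run_t,s0)` is removed without a replacement, leaving the nrpe pid file with the default /var/run label unless another part of the patch restores it; if both are intended, a one-line comment above the nagios entry would stop them being "fixed" back. `mysql_read_config(initrc_t)` is also inserted in the middle of the mysqlmanagerd block; a short comment such as `# initrc_t needs my.cnf to start mysqld_safe` placed with the rule would explain why an init rule lives in the manager section.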
@@ -37891,10 +39383,72 @@ index 8581040..d7d9a79 100644
#
interface(`nagios_dontaudit_rw_pipes',`
gen_require(`
-@@ -159,6 +151,26 @@ interface(`nagios_read_tmp_files',`
+@@ -59,7 +53,8 @@ interface(`nagios_dontaudit_rw_pipes',`
+
+ ########################################
+ ## <summary>
+-## Read nagios configuration content.
++## Allow the specified domain to read
++## nagios configuration files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -73,15 +68,14 @@ interface(`nagios_read_config',`
+ type nagios_etc_t;
+ ')
+
+- files_search_etc($1)
+ allow $1 nagios_etc_t:dir list_dir_perms;
+ allow $1 nagios_etc_t:file read_file_perms;
+- allow $1 nagios_etc_t:lnk_file read_lnk_file_perms;
++ files_search_etc($1)
+ ')
+
+ ######################################
+ ## <summary>
+-## Read nagios log files.
++## Read nagios logs.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -100,8 +94,7 @@ interface(`nagios_read_log',`
+
+ ########################################
+ ## <summary>
+-## Do not audit attempts to read or
+-## write nagios log files.
++## Do not audit attempts to read or write nagios logs.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -132,13 +125,14 @@ interface(`nagios_search_spool',`
+ type nagios_spool_t;
+ ')
+
+- files_search_spool($1)
+ allow $1 nagios_spool_t:dir search_dir_perms;
++ files_search_spool($1)
+ ')
########################################
## <summary>
+-## Read nagios temporary files.
++## Allow the specified domain to read
++## nagios temporary files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -151,13 +145,34 @@ interface(`nagios_read_tmp_files',`
+ type nagios_tmp_t;
+ ')
+
+- files_search_tmp($1)
+ allow $1 nagios_tmp_t:file read_file_perms;
++ files_search_tmp($1)
++')
++
++########################################
++## <summary>
+## Allow the specified domain to read
+## nagios temporary files.
+## </summary>
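Review bot: The summary added at the end of the hunk, `## Allow the specified domain to read` / `## nagios temporary files.`, is a verbatim copy of the `nagios_read_tmp_files` summary immediately above it, but the interface it heads continues past the hunk and, from the lines that follow, appears to grant `rw_inherited_file_perms` rather than read; the summary should describe that, for example `## Read and write inherited nagios temporary files.`, so the generated interface documentation matches what is allowed. Separately, `nagios_read_config` now drops `allow $1 nagios_etc_t:lnk_file read_lnk_file_perms;`, so a caller that reaches a symlinked file under /etc/nagios will be denied; if that tightening is intended, a brief comment in the interface body saying so would prevent the rule from being re-added later.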
@@ -37911,289 +39465,256 @@ index 8581040..d7d9a79 100644
+
+ allow $1 nagios_tmp_t:file rw_inherited_file_perms;
+ files_search_tmp($1)
-+')
-+
-+########################################
-+## <summary>
- ## Execute the nagios NRPE with
- ## a domain transition.
+ ')
+
+ ########################################
+ ## <summary>
+-## Execute nrpe with a domain transition.
++## Execute the nagios NRPE with
++## a domain transition.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -170,14 +185,13 @@ interface(`nagios_domtrans_nrpe',`
+ type nrpe_t, nrpe_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+ domtrans_pattern($1, nrpe_exec_t, nrpe_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## All of the rules required to
+-## administrate an nagios environment.
++## All of the rules required to administrate
++## an nagios environment
## </summary>
-@@ -195,15 +207,16 @@ interface(`nagios_domtrans_nrpe',`
+ ## <param name="domain">
+ ## <summary>
+@@ -186,44 +200,43 @@ interface(`nagios_domtrans_nrpe',`
+ ## </param>
+ ## <param name="role">
+ ## <summary>
+-## Role allowed access.
++## The role to be allowed to manage the nagios domain.
+ ## </summary>
+ ## </param>
+ ## <rolecap/>
#
interface(`nagios_admin',`
gen_require(`
-- type nagios_t, nrpe_t;
-- type nagios_tmp_t, nagios_log_t;
-- type nagios_etc_t, nrpe_etc_t;
-- type nagios_spool_t, nagios_var_run_t;
-- type nagios_initrc_exec_t;
-+ type nagios_t, nrpe_t, nagios_initrc_exec_t;
+- attribute nagios_plugin_domain;
+ type nagios_t, nrpe_t, nagios_initrc_exec_t;
+- type nagios_tmp_t, nagios_log_t, nagios_var_lib_t;
+- type nagios_etc_t, nrpe_etc_t, nrpe_var_run_t;
+- type nagios_spool_t, nagios_var_run_t, nagios_system_plugin_tmp_t;
+- type nagios_eventhandler_plugin_tmp_t;
+ type nagios_tmp_t, nagios_log_t, nagios_var_run_t;
+ type nagios_etc_t, nrpe_etc_t, nagios_spool_t;
')
-- allow $1 nagios_t:process { ptrace signal_perms };
+- allow $1 { nagios_t nrpe_t nagios_plugin_domain }:process { ptrace signal_perms };
+- ps_process_pattern($1, { nagios_t nrpe_t nagios_plugin_domain })
+ allow $1 nagios_t:process signal_perms;
- ps_process_pattern($1, nagios_t)
++ ps_process_pattern($1, nagios_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 nagios_t:process ptrace;
+ ')
init_labeled_script_domtrans($1, nagios_initrc_exec_t)
domain_system_change_exemption($1)
+ role_transition $2 nagios_initrc_exec_t system_r;
+ allow $2 system_r;
+
+- files_search_tmp($1)
+- admin_pattern($1, { nagios_eventhandler_plugin_tmp_t nagios_tmp_t nagios_system_plugin_tmp_t })
++ files_list_tmp($1)
++ admin_pattern($1, nagios_tmp_t)
+
+- logging_search_logs($1)
++ logging_list_logs($1)
+ admin_pattern($1, nagios_log_t)
+
+- files_search_etc($1)
+- admin_pattern($1, { nrpe_etc_t nagios_etc_t })
++ files_list_etc($1)
++ admin_pattern($1, nagios_etc_t)
+
+- files_search_spool($1)
++ files_list_spool($1)
+ admin_pattern($1, nagios_spool_t)
+
+- files_search_pids($1)
+- admin_pattern($1, { nrpe_var_run_t nagios_var_run_t })
++ files_list_pids($1)
++ admin_pattern($1, nagios_var_run_t)
+
+- files_search_var_lib($1)
+- admin_pattern($1, nagios_var_lib_t)
++ admin_pattern($1, nrpe_etc_t)
+ ')
diff --git a/nagios.te b/nagios.te
-index c3e2a2d..f4cbdff 100644
+index 44ad3b7..fd0b6d3 100644
--- a/nagios.te
+++ b/nagios.te
-@@ -5,6 +5,8 @@ policy_module(nagios, 1.12.0)
- # Declarations
- #
-
-+attribute nagios_plugin_domain;
-+
- type nagios_t;
- type nagios_exec_t;
- init_daemon_domain(nagios_t, nagios_exec_t)
-@@ -25,7 +27,10 @@ type nagios_var_run_t;
+@@ -27,7 +27,7 @@ type nagios_var_run_t;
files_pid_file(nagios_var_run_t)
type nagios_spool_t;
-files_type(nagios_spool_t)
+files_spool_file(nagios_spool_t)
-+
-+type nagios_var_lib_t;
-+files_type(nagios_var_lib_t)
- nagios_plugin_template(admin)
- nagios_plugin_template(checkdisk)
-@@ -33,6 +38,10 @@ nagios_plugin_template(mail)
- nagios_plugin_template(services)
- nagios_plugin_template(system)
- nagios_plugin_template(unconfined)
-+nagios_plugin_template(eventhandler)
-+
-+type nagios_eventhandler_plugin_tmp_t;
-+files_tmp_file(nagios_eventhandler_plugin_tmp_t)
+ type nagios_var_lib_t;
+ files_type(nagios_var_lib_t)
+@@ -63,19 +63,21 @@ files_pid_file(nrpe_var_run_t)
- type nagios_system_plugin_tmp_t;
- files_tmp_file(nagios_system_plugin_tmp_t)
-@@ -77,13 +86,17 @@ files_pid_filetrans(nagios_t, nagios_var_run_t, file)
- manage_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)
- files_spool_filetrans(nagios_t, nagios_spool_t, fifo_file)
+ allow nagios_plugin_domain self:fifo_file rw_fifo_file_perms;
-+manage_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
-+manage_fifo_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
-+files_var_lib_filetrans(nagios_t, nagios_var_lib_t, { file dir })
++allow nrpe_t nagios_plugin_domain:process { signal sigkill };
++
++allow nagios_t nagios_plugin_domain:process signal_perms;
+
- kernel_read_system_state(nagios_t)
- kernel_read_kernel_sysctls(nagios_t)
-+kernel_read_software_raid_state(nagios_t)
++# cjp: leaked file descriptor
+ dontaudit nagios_plugin_domain nrpe_t:tcp_socket { read write };
+ dontaudit nagios_plugin_domain nagios_log_t:file { read write };
+
+-kernel_read_system_state(nagios_plugin_domain)
+-
+ dev_read_urand(nagios_plugin_domain)
+ dev_read_rand(nagios_plugin_domain)
+
+ files_read_usr_files(nagios_plugin_domain)
+
+-miscfiles_read_localization(nagios_plugin_domain)
+-
+-userdom_use_user_terminals(nagios_plugin_domain)
++userdom_use_inherited_user_ptys(nagios_plugin_domain)
++userdom_use_inherited_user_ttys(nagios_plugin_domain)
+ ########################################
+ #
+@@ -123,7 +125,6 @@ kernel_read_software_raid_state(nagios_t)
corecmd_exec_bin(nagios_t)
corecmd_exec_shell(nagios_t)
-corenet_all_recvfrom_unlabeled(nagios_t)
corenet_all_recvfrom_netlabel(nagios_t)
corenet_tcp_sendrecv_generic_if(nagios_t)
- corenet_udp_sendrecv_generic_if(nagios_t)
-@@ -103,31 +116,27 @@ domain_use_interactive_fds(nagios_t)
- # for ps
- domain_read_all_domains_state(nagios_t)
+ corenet_tcp_sendrecv_generic_node(nagios_t)
+@@ -143,7 +144,6 @@ domain_read_all_domains_state(nagios_t)
--files_read_etc_files(nagios_t)
files_read_etc_runtime_files(nagios_t)
files_read_kernel_symbol_table(nagios_t)
+-files_read_usr_files(nagios_t)
files_search_spool(nagios_t)
-+files_read_usr_files(nagios_t)
fs_getattr_all_fs(nagios_t)
- fs_search_auto_mountpoints(nagios_t)
-
--# for who
--init_read_utmp(nagios_t)
--
- auth_use_nsswitch(nagios_t)
+@@ -153,8 +153,6 @@ auth_use_nsswitch(nagios_t)
logging_send_syslog_msg(nagios_t)
-miscfiles_read_localization(nagios_t)
-
+-
userdom_dontaudit_use_unpriv_user_fds(nagios_t)
userdom_dontaudit_search_user_home_dirs(nagios_t)
- mta_send_mail(nagios_t)
-+mta_signal_system_mail(nagios_t)
-+mta_kill_system_mail(nagios_t)
-
- optional_policy(`
-- netutils_domtrans_ping(nagios_t)
-- netutils_signal_ping(nagios_t)
- netutils_kill_ping(nagios_t)
- ')
-
-@@ -143,6 +152,7 @@ optional_policy(`
+@@ -178,6 +176,7 @@ optional_policy(`
#
- # Nagios CGI local policy
+ # CGI local policy
#
+
optional_policy(`
apache_content_template(nagios)
typealias httpd_nagios_script_t alias nagios_cgi_t;
-@@ -180,29 +190,31 @@ optional_policy(`
- #
-
- allow nrpe_t self:capability { setuid setgid };
--dontaudit nrpe_t self:capability {sys_tty_config sys_resource};
-+dontaudit nrpe_t self:capability { sys_tty_config sys_resource };
- allow nrpe_t self:process { setpgid signal_perms setsched setrlimit };
- allow nrpe_t self:fifo_file rw_fifo_file_perms;
- allow nrpe_t self:tcp_socket create_stream_socket_perms;
-
-+read_files_pattern(nrpe_t, nrpe_etc_t, nrpe_etc_t)
-+
- domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t)
-
--read_files_pattern(nrpe_t, nagios_etc_t, nrpe_etc_t)
-+read_files_pattern(nrpe_t, nagios_etc_t, nagios_etc_t)
- files_search_etc(nrpe_t)
+@@ -231,7 +230,6 @@ domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin
- manage_files_pattern(nrpe_t, nrpe_var_run_t, nrpe_var_run_t)
- files_pid_filetrans(nrpe_t, nrpe_var_run_t, file)
-
-+kernel_read_system_state(nrpe_t)
kernel_read_kernel_sysctls(nrpe_t)
kernel_read_software_raid_state(nrpe_t)
-kernel_read_system_state(nrpe_t)
corecmd_exec_bin(nrpe_t)
corecmd_exec_shell(nrpe_t)
-
- corenet_tcp_bind_generic_node(nrpe_t)
- corenet_tcp_bind_inetd_child_port(nrpe_t)
--corenet_sendrecv_unlabeled_packets(nrpe_t)
-+corenet_all_recvfrom_netlabel(nrpe_t)
-
- dev_read_sysfs(nrpe_t)
- dev_read_urand(nrpe_t)
-@@ -211,7 +223,7 @@ domain_use_interactive_fds(nrpe_t)
+@@ -253,7 +251,6 @@ domain_use_interactive_fds(nrpe_t)
domain_read_all_domains_state(nrpe_t)
files_read_etc_runtime_files(nrpe_t)
--files_read_etc_files(nrpe_t)
-+files_read_usr_files(nrpe_t)
+-files_read_usr_files(nrpe_t)
fs_getattr_all_fs(nrpe_t)
fs_search_auto_mountpoints(nrpe_t)
-@@ -220,7 +232,6 @@ auth_use_nsswitch(nrpe_t)
+@@ -262,8 +259,6 @@ auth_use_nsswitch(nrpe_t)
logging_send_syslog_msg(nrpe_t)
-miscfiles_read_localization(nrpe_t)
-
+-
userdom_dontaudit_use_unpriv_user_fds(nrpe_t)
-@@ -252,11 +263,9 @@ optional_policy(`
- corecmd_read_bin_files(nagios_admin_plugin_t)
- corecmd_read_bin_symlinks(nagios_admin_plugin_t)
-
--dev_read_urand(nagios_admin_plugin_t)
- dev_getattr_all_chr_files(nagios_admin_plugin_t)
- dev_getattr_all_blk_files(nagios_admin_plugin_t)
-
--files_read_etc_files(nagios_admin_plugin_t)
- # for check_file_age plugin
- files_getattr_all_dirs(nagios_admin_plugin_t)
- files_getattr_all_files(nagios_admin_plugin_t)
-@@ -271,20 +280,15 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
+ optional_policy(`
+@@ -310,15 +305,15 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
#
allow nagios_mail_plugin_t self:capability { setuid setgid dac_override };
--
- allow nagios_mail_plugin_t self:netlink_route_socket r_netlink_socket_perms;
- allow nagios_mail_plugin_t self:tcp_socket create_stream_socket_perms;
- allow nagios_mail_plugin_t self:udp_socket create_socket_perms;
+-allow nagios_mail_plugin_t self:tcp_socket { accept listen };
++allow nagios_mail_plugin_t self:netlink_route_socket r_netlink_socket_perms;
++allow nagios_mail_plugin_t self:tcp_socket create_stream_socket_perms;
++allow nagios_mail_plugin_t self:udp_socket create_socket_perms;
--kernel_read_system_state(nagios_mail_plugin_t)
kernel_read_kernel_sysctls(nagios_mail_plugin_t)
corecmd_read_bin_files(nagios_mail_plugin_t)
corecmd_read_bin_symlinks(nagios_mail_plugin_t)
--dev_read_urand(nagios_mail_plugin_t)
--
-files_read_etc_files(nagios_mail_plugin_t)
-
+-
logging_send_syslog_msg(nagios_mail_plugin_t)
-@@ -300,7 +304,7 @@ optional_policy(`
-
- optional_policy(`
- postfix_stream_connect_master(nagios_mail_plugin_t)
-- posftix_exec_postqueue(nagios_mail_plugin_t)
-+ postfix_exec_postqueue(nagios_mail_plugin_t)
- ')
+ sysnet_dns_name_resolve(nagios_mail_plugin_t)
+@@ -345,6 +340,7 @@ allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };
- ######################################
-@@ -311,7 +315,9 @@ optional_policy(`
- # needed by ioctl()
- allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };
+ kernel_read_software_raid_state(nagios_checkdisk_plugin_t)
--files_getattr_all_mountpoints(nagios_checkdisk_plugin_t)
-+kernel_read_software_raid_state(nagios_checkdisk_plugin_t)
-+
+files_getattr_all_dirs(nagios_checkdisk_plugin_t)
+ files_getattr_all_mountpoints(nagios_checkdisk_plugin_t)
files_read_etc_runtime_files(nagios_checkdisk_plugin_t)
- fs_getattr_all_fs(nagios_checkdisk_plugin_t)
-@@ -323,11 +329,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
- # local policy for service check plugins
+@@ -357,9 +353,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
+ # Services local policy
#
--allow nagios_services_plugin_t self:capability { net_bind_service net_raw };
+-allow nagios_services_plugin_t self:capability net_raw;
+allow nagios_services_plugin_t self:capability { setuid net_bind_service net_raw };
allow nagios_services_plugin_t self:process { signal sigkill };
--
- allow nagios_services_plugin_t self:tcp_socket create_stream_socket_perms;
- allow nagios_services_plugin_t self:udp_socket create_socket_perms;
+-allow nagios_services_plugin_t self:tcp_socket { accept listen };
++allow nagios_services_plugin_t self:tcp_socket create_stream_socket_perms;
++allow nagios_services_plugin_t self:udp_socket create_socket_perms;
+allow nagios_services_plugin_t self:rawip_socket create_socket_perms;
corecmd_exec_bin(nagios_services_plugin_t)
-@@ -342,6 +348,8 @@ files_read_usr_files(nagios_services_plugin_t)
-
- optional_policy(`
- netutils_domtrans_ping(nagios_services_plugin_t)
-+ netutils_signal_ping(nagios_services_plugin_t)
-+ netutils_kill_ping(nagios_services_plugin_t)
- ')
-
- optional_policy(`
-@@ -365,6 +373,8 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_
+@@ -411,6 +409,7 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_
manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t)
files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file })
-+read_files_pattern(nagios_system_plugin_t, nagios_log_t, nagios_log_t)
-+
- kernel_read_system_state(nagios_system_plugin_t)
++kernel_read_system_state(nagios_system_plugin_t)
kernel_read_kernel_sysctls(nagios_system_plugin_t)
-@@ -372,11 +382,13 @@ corecmd_exec_bin(nagios_system_plugin_t)
- corecmd_exec_shell(nagios_system_plugin_t)
-
- dev_read_sysfs(nagios_system_plugin_t)
--dev_read_urand(nagios_system_plugin_t)
+ corecmd_exec_bin(nagios_system_plugin_t)
+@@ -420,10 +419,10 @@ dev_read_sysfs(nagios_system_plugin_t)
domain_read_all_domains_state(nagios_system_plugin_t)
-files_read_etc_files(nagios_system_plugin_t)
-+
-+fs_getattr_all_fs(nagios_system_plugin_t)
-+
-+auth_read_passwd(nagios_system_plugin_t)
+-
+ fs_getattr_all_fs(nagios_system_plugin_t)
- # needed by check_users plugin
++auth_read_passwd(nagios_system_plugin_t)
++
optional_policy(`
-@@ -391,3 +403,48 @@ optional_policy(`
+ init_read_utmp(nagios_system_plugin_t)
+ ')
+@@ -450,3 +449,26 @@ init_domtrans_script(nagios_eventhandler_plugin_t)
optional_policy(`
unconfined_domain(nagios_unconfined_plugin_t)
')
@@ -38220,28 +39741,6 @@ index c3e2a2d..f4cbdff 100644
+ unconfined_domain(nagios_eventhandler_plugin_t)
+')
+
-+######################################
-+#
-+# nagios plugin domain policy
-+#
-+
-+allow nagios_plugin_domain self:fifo_file rw_fifo_file_perms;
-+
-+allow nrpe_t nagios_plugin_domain:process { signal sigkill };
-+
-+allow nagios_t nagios_plugin_domain:process signal_perms;
-+
-+# cjp: leaked file descriptor
-+dontaudit nagios_plugin_domain nrpe_t:tcp_socket { read write };
-+dontaudit nagios_plugin_domain nagios_log_t:file { read write };
-+
-+dev_read_urand(nagios_plugin_domain)
-+dev_read_rand(nagios_plugin_domain)
-+
-+files_read_usr_files(nagios_plugin_domain)
-+
-+userdom_use_inherited_user_ptys(nagios_plugin_domain)
-+userdom_use_inherited_user_ttys(nagios_plugin_domain)
diff --git a/namespace.fc b/namespace.fc
new file mode 100644
index 0000000..ce51c8d
@@ -38355,10 +39854,10 @@ index 0000000..ef7b846
+userdom_relabelto_user_home_files(namespace_init_t)
+userdom_user_home_dir_filetrans_user_home_content(namespace_init_t, { dir file lnk_file fifo_file sock_file })
diff --git a/ncftool.if b/ncftool.if
-index a648982..59f096b 100644
+index db9578f..96e5824 100644
--- a/ncftool.if
+++ b/ncftool.if
-@@ -36,9 +36,19 @@ interface(`ncftool_domtrans',`
+@@ -38,9 +38,19 @@ interface(`ncftool_domtrans',`
#
interface(`ncftool_run',`
gen_require(`
@@ -38382,10 +39881,10 @@ index a648982..59f096b 100644
')
+
diff --git a/ncftool.te b/ncftool.te
-index f19ca0b..3eadfbb 100644
+index b13c0b1..1161ce1 100644
--- a/ncftool.te
+++ b/ncftool.te
-@@ -5,25 +5,29 @@ policy_module(ncftool, 1.1.0)
+@@ -5,15 +5,16 @@ policy_module(ncftool, 1.1.2)
# Declarations
#
@@ -38405,21 +39904,15 @@ index f19ca0b..3eadfbb 100644
########################################
#
- # ncftool local policy
- #
+@@ -22,6 +23,7 @@ role ncftool_roles types ncftool_t;
--allow ncftool_t self:capability { net_admin sys_ptrace };
-+allow ncftool_t self:capability net_admin;
+ allow ncftool_t self:capability net_admin;
allow ncftool_t self:process signal;
+
allow ncftool_t self:fifo_file manage_fifo_file_perms;
allow ncftool_t self:unix_stream_socket create_stream_socket_perms;
-+
-+allow ncftool_t self:netlink_route_socket create_netlink_socket_perms;
- allow ncftool_t self:tcp_socket create_stream_socket_perms;
allow ncftool_t self:netlink_route_socket create_netlink_socket_perms;
-
-@@ -41,24 +45,33 @@ domain_read_all_domains_state(ncftool_t)
+@@ -41,27 +43,32 @@ domain_read_all_domains_state(ncftool_t)
dev_read_sysfs(ncftool_t)
@@ -38450,14 +39943,16 @@ index f19ca0b..3eadfbb 100644
userdom_use_user_terminals(ncftool_t)
userdom_read_user_tmp_files(ncftool_t)
+-optional_policy(`
+- brctl_run(ncftool_t, ncftool_roles)
+-')
+#optional_policy(`
+# brctl_run(ncftool_t, ncftool_roles)
+#')
-+
+
optional_policy(`
consoletype_exec(ncftool_t)
- ')
-@@ -69,13 +82,18 @@ optional_policy(`
+@@ -73,13 +80,18 @@ optional_policy(`
optional_policy(`
iptables_initrc_domtrans(ncftool_t)
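Review bot: The `#optional_policy(` / `# brctl_run(ncftool_t, ncftool_roles)` lines replace a live brctl_run call with commented-out policy and give no reason, so a reader cannot tell whether bridge management from ncftool is intentionally unsupported or the interface is simply unavailable in this build. Commented-out rules tend to be re-enabled blindly on the next merge; either delete the three lines or keep them with a one-line justification such as `# brctl_run disabled: <reason/bug reference>` above them. The same treatment would apply to the `#netutils_run(ncftool_t, ncftool_roles)` line that follows in the next hunk.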
@@ -38479,77 +39974,149 @@ index f19ca0b..3eadfbb 100644
+ #netutils_run(ncftool_t, ncftool_roles)
')
diff --git a/nessus.te b/nessus.te
-index abf25da..bad6973 100644
+index 56c0fbd..173a2c0 100644
--- a/nessus.te
+++ b/nessus.te
-@@ -56,7 +56,6 @@ kernel_read_kernel_sysctls(nessusd_t)
- # for nmap etc
+@@ -58,7 +58,6 @@ kernel_read_kernel_sysctls(nessusd_t)
+
corecmd_exec_bin(nessusd_t)
-corenet_all_recvfrom_unlabeled(nessusd_t)
corenet_all_recvfrom_netlabel(nessusd_t)
corenet_tcp_sendrecv_generic_if(nessusd_t)
corenet_udp_sendrecv_generic_if(nessusd_t)
-@@ -85,7 +84,6 @@ fs_search_auto_mountpoints(nessusd_t)
+@@ -82,7 +81,6 @@ dev_read_urand(nessusd_t)
+ domain_use_interactive_fds(nessusd_t)
+
+ files_list_var_lib(nessusd_t)
+-files_read_etc_files(nessusd_t)
+ files_read_etc_runtime_files(nessusd_t)
+
+ fs_getattr_all_fs(nessusd_t)
+@@ -90,8 +88,6 @@ fs_search_auto_mountpoints(nessusd_t)
logging_send_syslog_msg(nessusd_t)
-miscfiles_read_localization(nessusd_t)
-
+-
sysnet_read_config(nessusd_t)
+ userdom_dontaudit_use_unpriv_user_fds(nessusd_t)
diff --git a/networkmanager.fc b/networkmanager.fc
-index 386543b..8fe1d63 100644
+index a1fb3c3..8fe1d63 100644
--- a/networkmanager.fc
+++ b/networkmanager.fc
-@@ -1,6 +1,19 @@
- /etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
-
--/etc/NetworkManager/dispatcher\.d(/.*) gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
-+/etc/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_etc_t,s0)
-+/etc/NetworkManager/NetworkManager\.conf gen_context(system_u:object_r:NetworkManager_etc_rw_t,s0)
-+/etc/NetworkManager/system-connections(/.*)? gen_context(system_u:object_r:NetworkManager_etc_rw_t,s0)
-+/etc/NetworkManager/dispatcher\.d(/.*)? gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
-+
+@@ -1,43 +1,43 @@
+-/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
+
+ /etc/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_etc_t,s0)
+ /etc/NetworkManager/NetworkManager\.conf gen_context(system_u:object_r:NetworkManager_etc_rw_t,s0)
+ /etc/NetworkManager/system-connections(/.*)? gen_context(system_u:object_r:NetworkManager_etc_rw_t,s0)
+ /etc/NetworkManager/dispatcher\.d(/.*)? gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
+
+-/etc/dhcp/manager-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
+-/etc/dhcp/wireless-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
+-/etc/dhcp/wired-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
+/etc/dhcp/manager-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
+/etc/dhcp/wireless-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
+/etc/dhcp/wired-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
-+
+
+-/etc/wicd/manager-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
+-/etc/wicd/wireless-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
+-/etc/wicd/wired-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
+/etc/wicd/manager-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
+/etc/wicd/wireless-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
+/etc/wicd/wired-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
-+
+
+-/usr/lib/NetworkManager/nm-dispatcher\.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
+-/usr/libexec/nm-dispatcher\.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
+/usr/lib/systemd/system/NetworkManager.* -- gen_context(system_u:object_r:NetworkManager_unit_file_t,s0)
- /usr/libexec/nm-dispatcher.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
+-/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
+-/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
++/usr/libexec/nm-dispatcher.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
-@@ -12,15 +25,19 @@
- /usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+-/usr/bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+-/usr/bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
++/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
++/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+
+-/usr/sbin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+-/usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
++/usr/s?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
++/usr/s?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
++/usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
/usr/sbin/nm-system-settings -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
- /usr/sbin/wicd -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+-/usr/sbin/wicd -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+-/usr/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
++/usr/sbin/wicd -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
-+/usr/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
-
- /var/lib/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
- /var/lib/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
+ /usr/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
--/var/log/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_log_t,s0)
-+/var/log/wicd.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0)
+-/var/lib/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
+-/var/lib/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
++/var/lib/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
++/var/lib/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
+
++/var/log/wicd.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0)
+
+-/var/log/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_log_t,s0)
/var/log/wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0)
/var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
- /var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
- /var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
-+/var/run/nm-dns-dnsmasq\.conf -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
- /var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+-/var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+-/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
++/var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
++/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+ /var/run/nm-dns-dnsmasq\.conf -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+-/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
++/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
diff --git a/networkmanager.if b/networkmanager.if
-index 2324d9e..96dbf6f 100644
+index 0e8508c..96dbf6f 100644
--- a/networkmanager.if
+++ b/networkmanager.if
-@@ -43,9 +43,9 @@ interface(`networkmanager_rw_packet_sockets',`
- ## Allow caller to relabel tun_socket
+@@ -2,7 +2,7 @@
+
+ ########################################
+ ## <summary>
+-## Read and write networkmanager udp sockets.
++## Read and write NetworkManager UDP sockets.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -10,6 +10,7 @@
+ ## </summary>
+ ## </param>
+ #
++# cjp: added for named.
+ interface(`networkmanager_rw_udp_sockets',`
+ gen_require(`
+ type NetworkManager_t;
+@@ -20,7 +21,7 @@ interface(`networkmanager_rw_udp_sockets',`
+
+ ########################################
+ ## <summary>
+-## Read and write networkmanager packet sockets.
++## Read and write NetworkManager packet sockets.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -28,6 +29,7 @@ interface(`networkmanager_rw_udp_sockets',`
+ ## </summary>
+ ## </param>
+ #
++# cjp: added for named.
+ interface(`networkmanager_rw_packet_sockets',`
+ gen_require(`
+ type NetworkManager_t;
+@@ -38,12 +40,12 @@ interface(`networkmanager_rw_packet_sockets',`
+
+ #######################################
+ ## <summary>
+-## Relabel networkmanager tun socket.
++## Allow caller to relabel tun_socket
## </summary>
## <param name="domain">
-## <summary>
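Review bot: In the networkmanager.fc rewrite the new entries `/etc/dhcp/manager-settings.conf`, `/etc/wicd/*-settings.conf` and `/usr/libexec/nm-dispatcher.action` drop the `\.` escape that the replaced lines had, so the unescaped `.` is a regex wildcard (e.g. `manager-settings\.conf` is the precise form); the same wildcard is already present in the kept `/var/run/nm-dhclient.*` line, which is fine there. These /etc settings files also move from NetworkManager_etc_rw_t to NetworkManager_var_lib_t without an explanation; if that is intentional (it matches the `files_etc_filetrans(... NetworkManager_var_lib_t ...)` rules added later in the .if), please say so in a comment, because every domain granted manage on the lib type now gains write access to configuration under /etc. Separately, `/var/log/wicd.* --` matches only plain files, so a `/var/log/wicd/` directory that the removed `(/.*)?` pattern covered would keep the generic log label — confirm wicd logs to a file rather than a directory.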
@@ -38561,7 +40128,43 @@ index 2324d9e..96dbf6f 100644
## </param>
#
interface(`networkmanager_attach_tun_iface',`
-@@ -116,6 +116,29 @@ interface(`networkmanager_initrc_domtrans',`
+@@ -57,7 +59,7 @@ interface(`networkmanager_attach_tun_iface',`
+
+ ########################################
+ ## <summary>
+-## Read and write networkmanager netlink
++## Read and write NetworkManager netlink
+ ## routing sockets.
+ ## </summary>
+ ## <param name="domain">
+@@ -66,6 +68,7 @@ interface(`networkmanager_attach_tun_iface',`
+ ## </summary>
+ ## </param>
+ #
++# cjp: added for named.
+ interface(`networkmanager_rw_routing_sockets',`
+ gen_require(`
+ type NetworkManager_t;
+@@ -76,7 +79,7 @@ interface(`networkmanager_rw_routing_sockets',`
+
+ ########################################
+ ## <summary>
+-## Execute networkmanager with a domain transition.
++## Execute NetworkManager with a domain transition.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -95,8 +98,7 @@ interface(`networkmanager_domtrans',`
+
+ ########################################
+ ## <summary>
+-## Execute networkmanager scripts with
+-## an automatic domain transition to initrc.
++## Execute NetworkManager scripts with an automatic domain transition to initrc.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -114,8 +116,31 @@ interface(`networkmanager_initrc_domtrans',`
########################################
## <summary>
@@ -38589,12 +40192,16 @@ index 2324d9e..96dbf6f 100644
+########################################
+## <summary>
## Send and receive messages from
- ## NetworkManager over dbus.
+-## networkmanager over dbus.
++## NetworkManager over dbus.
## </summary>
-@@ -137,6 +160,28 @@ interface(`networkmanager_dbus_chat',`
+ ## <param name="domain">
+ ## <summary>
+@@ -135,7 +160,29 @@ interface(`networkmanager_dbus_chat',`
########################################
## <summary>
+-## Send generic signals to networkmanager.
+## Do not audit attempts to send and
+## receive messages from NetworkManager
+## over dbus.
@@ -38617,66 +40224,103 @@ index 2324d9e..96dbf6f 100644
+
+########################################
+## <summary>
- ## Send a generic signal to NetworkManager
++## Send a generic signal to NetworkManager
## </summary>
## <param name="domain">
-@@ -173,6 +218,25 @@ interface(`networkmanager_read_lib_files',`
+ ## <summary>
+@@ -153,7 +200,7 @@ interface(`networkmanager_signal',`
+
+ ########################################
+ ## <summary>
+-## Read networkmanager lib files.
++## Read NetworkManager lib files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -171,29 +218,28 @@ interface(`networkmanager_read_lib_files',`
read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
')
+-########################################
+#######################################
-+## <summary>
+ ## <summary>
+-## Append networkmanager log files.
+## Read NetworkManager conf files.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+## <summary>
+## Domain allowed access.
+## </summary>
-+## </param>
-+#
+ ## </param>
+ #
+-interface(`networkmanager_append_log_files',`
+- gen_require(`
+- type NetworkManager_log_t;
+- ')
+interface(`networkmanager_read_conf',`
+ gen_require(`
+ type NetworkManager_etc_t;
+ ')
-+
+
+- logging_search_logs($1)
+- allow $1 NetworkManager_log_t:dir list_dir_perms;
+- append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t)
+ allow $1 NetworkManager_etc_t:dir list_dir_perms;
+ read_files_pattern($1,NetworkManager_etc_t,NetworkManager_etc_t)
-+')
-+
+ ')
+
########################################
## <summary>
- ## Read NetworkManager PID files.
-@@ -191,3 +255,110 @@ interface(`networkmanager_read_pid_files',`
- files_search_pids($1)
- allow $1 NetworkManager_var_run_t:file read_file_perms;
- ')
-+
-+########################################
-+## <summary>
+-## Read networkmanager pid files.
++## Read NetworkManager PID files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -212,12 +258,12 @@ interface(`networkmanager_read_pid_files',`
+
+ ########################################
+ ## <summary>
+-## All of the rules required to
+-## administrate an networkmanager environment.
+## Execute NetworkManager in the NetworkManager domain, and
+## allow the specified role the NetworkManager domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
+## Domain allowed to transition.
-+## </summary>
-+## </param>
-+## <param name="role">
-+## <summary>
-+## Role allowed access.
-+## </summary>
-+## </param>
-+## <rolecap/>
-+#
+ ## </summary>
+ ## </param>
+ ## <param name="role">
+@@ -227,33 +273,92 @@ interface(`networkmanager_read_pid_files',`
+ ## </param>
+ ## <rolecap/>
+ #
+-interface(`networkmanager_admin',`
+interface(`networkmanager_run',`
-+ gen_require(`
+ gen_require(`
+- type NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_etc_t;
+- type NetworkManager_etc_rw_t, NetworkManager_log_t, NetworkManager_tmp_t;
+- type NetworkManager_var_lib_t, NetworkManager_var_run_t, wpa_cli_t;
+ type NetworkManager_t, NetworkManager_exec_t;
-+ ')
-+
+ ')
+
+- allow $1 { wpa_cli_t NetworkManager_t }:process { ptrace signal_perms };
+- ps_process_pattern($1, { wpa_cli_t NetworkManager_t })
+-
+- init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t)
+- domain_system_change_exemption($1)
+- role_transition $2 NetworkManager_initrc_exec_t system_r;
+- allow $2 system_r;
+ networkmanager_domtrans($1)
+ role $2 types NetworkManager_t;
+')
-+
+
+- logging_search_etc($1)
+- admin_pattern($1, { NetworkManager_etc_t NetworkManager_etc_rw_t })
+########################################
+## <summary>
+## Allow the specified domain to append
@@ -38692,12 +40336,15 @@ index 2324d9e..96dbf6f 100644
+ gen_require(`
+ type NetworkManager_log_t;
+ ')
-+
-+ logging_search_logs($1)
+
+ logging_search_logs($1)
+- admin_pattern($1, NetworkManager_log_t)
+ allow $1 NetworkManager_log_t:dir list_dir_perms;
+ append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t)
+')
-+
+
+- files_search_var_lib($1)
+- admin_pattern($1, NetworkManager_var_lib_t)
+#######################################
+## <summary>
+## Allow the specified domain to manage
@@ -38713,7 +40360,9 @@ index 2324d9e..96dbf6f 100644
+ gen_require(`
+ type NetworkManager_var_lib_t;
+ ')
-+
+
+- files_search_pids($1)
+- admin_pattern($1, NetworkManager_var_run_t)
+ manage_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
+')
+
@@ -38733,7 +40382,9 @@ index 2324d9e..96dbf6f 100644
+ type NetworkManager_var_run_t;
+ type NetworkManager_var_lib_t;
+ ')
-+
+
+- files_search_tmp($1)
+- admin_pattern($1, NetworkManager_tmp_t)
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth0.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth1.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth2.conf")
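Review bot: The named file transitions are enumerated per interface name (`nm-dhclient.-eth0.conf` through `-eth2` here), so a dhclient config written for an interface not in the list (wlan0, em1, enp* names) will not get NetworkManager_var_run_t at creation time and must rely on the `/var/run/nm-dhclient.*` regex plus a restorecon; a comment stating that fallback would help the next person who adds a name. The `.-` in the file names also looks unusual for a dhclient config filename — please confirm it against the names NetworkManager actually creates, since a named transition that never matches is silently ineffective. The interface body continues into the next hunk.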
@@ -38756,34 +40407,48 @@ index 2324d9e..96dbf6f 100644
+ files_etc_filetrans($1, NetworkManager_var_lib_t, file, "manager-settings.conf")
+ files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireless-settings.conf")
+ files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireed-settings.conf")
-+')
+ ')
diff --git a/networkmanager.te b/networkmanager.te
-index 0619395..a953cf1 100644
+index 0b48a30..c0e8f13 100644
--- a/networkmanager.te
+++ b/networkmanager.te
-@@ -12,6 +12,15 @@ init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)
- type NetworkManager_initrc_exec_t;
- init_script_file(NetworkManager_initrc_exec_t)
+@@ -1,4 +1,4 @@
+-policy_module(networkmanager, 1.14.7)
++policy_module(networkmanager, 1.14.0)
+ ########################################
+ #
+@@ -9,15 +9,18 @@ type NetworkManager_t;
+ type NetworkManager_exec_t;
+ init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)
+
++type NetworkManager_initrc_exec_t;
++init_script_file(NetworkManager_initrc_exec_t)
++
+type NetworkManager_unit_file_t;
+systemd_unit_file(NetworkManager_unit_file_t)
+
-+type NetworkManager_etc_t;
-+files_config_file(NetworkManager_etc_t)
-+
-+type NetworkManager_etc_rw_t;
-+files_config_file(NetworkManager_etc_rw_t)
-+
+ type NetworkManager_etc_t;
+ files_config_file(NetworkManager_etc_t)
+
+ type NetworkManager_etc_rw_t;
+ files_config_file(NetworkManager_etc_rw_t)
+
+-type NetworkManager_initrc_exec_t;
+-init_script_file(NetworkManager_initrc_exec_t)
+-
type NetworkManager_log_t;
logging_log_file(NetworkManager_log_t)
-@@ -35,26 +44,49 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t)
+@@ -39,35 +42,51 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t)
+ # Local policy
+ #
- # networkmanager will ptrace itself if gdb is installed
- # and it receives a unexpected signal (rh bug #204161)
--allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_nice sys_ptrace dac_override net_admin net_raw net_bind_service ipc_lock };
--dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace };
+-allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_nice dac_override net_admin net_raw ipc_lock };
+-dontaudit NetworkManager_t self:capability { sys_tty_config sys_module sys_ptrace };
-allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms };
++# networkmanager will ptrace itself if gdb is installed
++# and it receives a unexpected signal (rh bug #204161)
+allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_admin sys_nice dac_override net_admin net_raw net_bind_service ipc_lock };
+dontaudit NetworkManager_t self:capability sys_tty_config;
+ifdef(`hide_broken_symptoms',`
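Review bot: The capability line kept on the new side, `allow NetworkManager_t self:capability { ... sys_admin ... }`, grants sys_admin, which the upstream line removed just above it does not, and nothing in the hunk records why the daemon needs it. sys_admin is close to root-equivalent for a confined domain, so a one-line comment naming the operation that fails without it, e.g. `# sys_admin: needed for <operation> -- TODO confirm`, would let a later audit decide whether it can be dropped. The same hunk lowers the module version from 1.14.7 to 1.14.0 via `++policy_module(networkmanager, 1.14.0)`, and nis.te further down goes from 1.11.1 to 1.11.0; if this is intentional to match the Fedora base, a comment in the patch would distinguish it from a merge mistake.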
@@ -38797,41 +40462,60 @@ index 0619395..a953cf1 100644
+')
+
allow NetworkManager_t self:fifo_file rw_fifo_file_perms;
- allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms };
- allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
+-allow NetworkManager_t self:unix_dgram_socket sendto;
+-allow NetworkManager_t self:unix_stream_socket { accept listen };
++allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms };
++allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms;
-+allow NetworkManager_t self:netlink_socket create_socket_perms;
+ allow NetworkManager_t self:netlink_socket create_socket_perms;
allow NetworkManager_t self:netlink_kobject_uevent_socket create_socket_perms;
- allow NetworkManager_t self:tcp_socket create_stream_socket_perms;
--allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom };
-+allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom relabelto };
- allow NetworkManager_t self:udp_socket create_socket_perms;
+-allow NetworkManager_t self:tcp_socket { accept listen };
++allow NetworkManager_t self:tcp_socket create_stream_socket_perms;
+ allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom relabelto };
++allow NetworkManager_t self:udp_socket create_socket_perms;
allow NetworkManager_t self:packet_socket create_socket_perms;
allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto;
- can_exec(NetworkManager_t, NetworkManager_exec_t)
+-allow NetworkManager_t NetworkManager_etc_t:dir list_dir_perms;
+-allow NetworkManager_t NetworkManager_etc_t:file read_file_perms;
+-allow NetworkManager_t NetworkManager_etc_t:lnk_file read_lnk_file_perms;
++can_exec(NetworkManager_t, NetworkManager_exec_t)
+#wicd
+can_exec(NetworkManager_t, wpa_cli_exec_t)
+
+list_dirs_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
+read_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
+read_lnk_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
-+
-+manage_dirs_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
-+manage_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
-+filetrans_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_rw_t, { dir file })
-+
-+logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)
- manage_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
+ manage_dirs_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
+ manage_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
+ filetrans_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_rw_t, { dir file })
+
+-allow NetworkManager_t NetworkManager_log_t:dir setattr_dir_perms;
+-append_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
+-create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
+-setattr_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)
++manage_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
++logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)
++
+can_exec(NetworkManager_t, NetworkManager_tmp_t)
manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file })
-@@ -75,7 +107,6 @@ kernel_request_load_module(NetworkManager_t)
+@@ -81,9 +100,6 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_
+ manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
+ files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file })
+
+-can_exec(NetworkManager_t, { NetworkManager_exec_t wpa_cli_exec_t NetworkManager_tmp_t })
+-
+-kernel_read_crypto_sysctls(NetworkManager_t)
+ kernel_read_system_state(NetworkManager_t)
+ kernel_read_network_state(NetworkManager_t)
+ kernel_read_kernel_sysctls(NetworkManager_t)
+@@ -91,7 +107,6 @@ kernel_request_load_module(NetworkManager_t)
kernel_read_debugfs(NetworkManager_t)
kernel_rw_net_sysctls(NetworkManager_t)
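Review bot: `can_exec(NetworkManager_t, NetworkManager_tmp_t)` stays on the new side while the upstream line removed a few lines below, `can_exec(NetworkManager_t, { NetworkManager_exec_t wpa_cli_exec_t NetworkManager_tmp_t })`, drops tmp from the executable set; together with `manage_files_pattern` and `files_tmp_filetrans` on the same type, the domain can both create and execute files under tmp. If a dispatcher helper or similar genuinely needs this, a comment naming it would help; otherwise following upstream and removing the line tightens the domain. Separately, `logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)` now appears twice on the new side (the context line and the `++` line two lines later); the duplicate is harmless but one of them can go.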
@@ -38839,34 +40523,65 @@ index 0619395..a953cf1 100644
corenet_all_recvfrom_netlabel(NetworkManager_t)
corenet_tcp_sendrecv_generic_if(NetworkManager_t)
corenet_udp_sendrecv_generic_if(NetworkManager_t)
-@@ -95,11 +126,12 @@ corenet_sendrecv_all_client_packets(NetworkManager_t)
+@@ -102,22 +117,15 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t)
+ corenet_tcp_sendrecv_all_ports(NetworkManager_t)
+ corenet_udp_sendrecv_all_ports(NetworkManager_t)
+ corenet_udp_bind_generic_node(NetworkManager_t)
+-
+-corenet_sendrecv_isakmp_server_packets(NetworkManager_t)
+ corenet_udp_bind_isakmp_port(NetworkManager_t)
+-
+-corenet_sendrecv_dhcpc_server_packets(NetworkManager_t)
+ corenet_udp_bind_dhcpc_port(NetworkManager_t)
+-
+-corenet_sendrecv_all_client_packets(NetworkManager_t)
+ corenet_tcp_connect_all_ports(NetworkManager_t)
+-
++corenet_sendrecv_isakmp_server_packets(NetworkManager_t)
++corenet_sendrecv_dhcpc_server_packets(NetworkManager_t)
++corenet_sendrecv_all_client_packets(NetworkManager_t)
corenet_rw_tun_tap_dev(NetworkManager_t)
corenet_getattr_ppp_dev(NetworkManager_t)
--dev_read_sysfs(NetworkManager_t)
-+dev_rw_sysfs(NetworkManager_t)
+-corecmd_exec_shell(NetworkManager_t)
+-corecmd_exec_bin(NetworkManager_t)
+-
+ dev_rw_sysfs(NetworkManager_t)
dev_read_rand(NetworkManager_t)
dev_read_urand(NetworkManager_t)
- dev_dontaudit_getattr_generic_blk_files(NetworkManager_t)
+@@ -125,13 +133,6 @@ dev_dontaudit_getattr_generic_blk_files(NetworkManager_t)
dev_getattr_all_chr_files(NetworkManager_t)
-+dev_rw_wireless(NetworkManager_t)
+ dev_rw_wireless(NetworkManager_t)
+-domain_use_interactive_fds(NetworkManager_t)
+-domain_read_all_domains_state(NetworkManager_t)
+-
+-files_read_etc_runtime_files(NetworkManager_t)
+-files_read_usr_files(NetworkManager_t)
+-files_read_usr_src_files(NetworkManager_t)
+-
fs_getattr_all_fs(NetworkManager_t)
fs_search_auto_mountpoints(NetworkManager_t)
-@@ -113,10 +145,10 @@ corecmd_exec_shell(NetworkManager_t)
- corecmd_exec_bin(NetworkManager_t)
+ fs_list_inotifyfs(NetworkManager_t)
+@@ -140,6 +141,17 @@ mls_file_read_all_levels(NetworkManager_t)
- domain_use_interactive_fds(NetworkManager_t)
--domain_read_confined_domains_state(NetworkManager_t)
-+domain_read_all_domains_state(NetworkManager_t)
+ selinux_dontaudit_search_fs(NetworkManager_t)
--files_read_etc_files(NetworkManager_t)
- files_read_etc_runtime_files(NetworkManager_t)
++corecmd_exec_shell(NetworkManager_t)
++corecmd_exec_bin(NetworkManager_t)
++
++domain_use_interactive_fds(NetworkManager_t)
++domain_read_all_domains_state(NetworkManager_t)
++
++files_read_etc_runtime_files(NetworkManager_t)
+files_read_system_conf_files(NetworkManager_t)
- files_read_usr_files(NetworkManager_t)
- files_read_usr_src_files(NetworkManager_t)
++files_read_usr_files(NetworkManager_t)
++files_read_usr_src_files(NetworkManager_t)
++
+ storage_getattr_fixed_disk_dev(NetworkManager_t)
-@@ -128,35 +160,51 @@ init_domtrans_script(NetworkManager_t)
+ init_read_utmp(NetworkManager_t)
+@@ -148,10 +160,11 @@ init_domtrans_script(NetworkManager_t)
auth_use_nsswitch(NetworkManager_t)
@@ -38874,34 +40589,29 @@ index 0619395..a953cf1 100644
+
logging_send_syslog_msg(NetworkManager_t)
--miscfiles_read_localization(NetworkManager_t)
miscfiles_read_generic_certs(NetworkManager_t)
+-miscfiles_read_localization(NetworkManager_t)
--modutils_domtrans_insmod(NetworkManager_t)
--
seutil_read_config(NetworkManager_t)
- sysnet_domtrans_ifconfig(NetworkManager_t)
- sysnet_domtrans_dhcpc(NetworkManager_t)
- sysnet_signal_dhcpc(NetworkManager_t)
-+sysnet_signull_dhcpc(NetworkManager_t)
- sysnet_read_dhcpc_pid(NetworkManager_t)
-+sysnet_read_dhcp_config(NetworkManager_t)
- sysnet_delete_dhcpc_pid(NetworkManager_t)
-+sysnet_kill_dhcpc(NetworkManager_t)
-+sysnet_read_dhcpc_state(NetworkManager_t)
-+sysnet_delete_dhcpc_state(NetworkManager_t)
+@@ -166,21 +179,32 @@ sysnet_kill_dhcpc(NetworkManager_t)
+ sysnet_read_dhcpc_state(NetworkManager_t)
+ sysnet_delete_dhcpc_state(NetworkManager_t)
sysnet_search_dhcp_state(NetworkManager_t)
- # in /etc created by NetworkManager will be labelled net_conf_t.
++# in /etc created by NetworkManager will be labelled net_conf_t.
sysnet_manage_config(NetworkManager_t)
sysnet_etc_filetrans_config(NetworkManager_t)
+-# certificates in user home directories (cert_home_t in ~/\.pki)
+-userdom_read_user_home_content_files(NetworkManager_t)
+-
+-userdom_write_user_tmp_sockets(NetworkManager_t)
+userdom_stream_connect(NetworkManager_t)
userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)
userdom_dontaudit_use_user_ttys(NetworkManager_t)
- # Read gnome-keyring
++# Read gnome-keyring
+userdom_read_home_certs(NetworkManager_t)
- userdom_read_user_home_content_files(NetworkManager_t)
++userdom_read_user_home_content_files(NetworkManager_t)
+userdom_dgram_send(NetworkManager_t)
+
+tunable_policy(`use_nfs_home_dirs',`
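Review bot: `++userdom_read_user_home_content_files(NetworkManager_t)` re-adds on the new side the rule upstream removes in this same hunk together with its comment about certificates in ~/.pki, and it grants read access to all user home content rather than only certificates. `userdom_read_home_certs(NetworkManager_t)` is already present one line above and covers the stated use case, so unless another home file type is required, dropping the broad rule or recording the reason (`# needed to read <file type> -- TODO confirm`) keeps the daemon from reading arbitrary user files. The restored comment `# in /etc created by NetworkManager will be labelled net_conf_t.` is also a sentence fragment whose first half is missing.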
@@ -38921,25 +40631,37 @@ index 0619395..a953cf1 100644
')
optional_policy(`
-@@ -176,10 +224,17 @@ optional_policy(`
+@@ -196,10 +220,6 @@ optional_policy(`
')
optional_policy(`
-+ cron_read_system_job_lib_files(NetworkManager_t)
-+')
-+
-+optional_policy(`
+- consolekit_read_pid_files(NetworkManager_t)
+-')
+-
+-optional_policy(`
+ consoletype_exec(NetworkManager_t)
+ ')
+
+@@ -210,16 +230,11 @@ optional_policy(`
+ optional_policy(`
dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)
+- optional_policy(`
+- avahi_dbus_chat(NetworkManager_t)
+- ')
+ init_dbus_chat(NetworkManager_t)
-+
+
optional_policy(`
consolekit_dbus_chat(NetworkManager_t)
+- ')
+-
+- optional_policy(`
+- policykit_dbus_chat(NetworkManager_t)
+ consolekit_read_pid_files(NetworkManager_t)
')
')
-@@ -191,6 +246,7 @@ optional_policy(`
+@@ -231,18 +246,19 @@ optional_policy(`
dnsmasq_kill(NetworkManager_t)
dnsmasq_signal(NetworkManager_t)
dnsmasq_signull(NetworkManager_t)
@@ -38947,31 +40669,35 @@ index 0619395..a953cf1 100644
')
optional_policy(`
-@@ -202,23 +258,45 @@ optional_policy(`
+- gnome_stream_connect_all_gkeyringd(NetworkManager_t)
++ hal_write_log(NetworkManager_t)
+ ')
+
+ optional_policy(`
+- hal_write_log(NetworkManager_t)
++ howl_signal(NetworkManager_t)
')
optional_policy(`
+- howl_signal(NetworkManager_t)
+ gnome_dontaudit_search_config(NetworkManager_t)
-+')
-+
-+optional_policy(`
-+ ipsec_domtrans_mgmt(NetworkManager_t)
-+ ipsec_kill_mgmt(NetworkManager_t)
-+ ipsec_signal_mgmt(NetworkManager_t)
-+ ipsec_signull_mgmt(NetworkManager_t)
-+')
-+
-+optional_policy(`
- iptables_domtrans(NetworkManager_t)
')
optional_policy(`
-+ netutils_exec_ping(NetworkManager_t)
-+')
-+
-+optional_policy(`
- nscd_domtrans(NetworkManager_t)
- nscd_signal(NetworkManager_t)
+@@ -257,11 +273,7 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- libs_exec_ldconfig(NetworkManager_t)
+-')
+-
+-optional_policy(`
+- modutils_domtrans_insmod(NetworkManager_t)
++ l2tpd_domtrans(NetworkManager_t)
+ ')
+
+ optional_policy(`
+@@ -274,10 +286,17 @@ optional_policy(`
nscd_signull(NetworkManager_t)
nscd_kill(NetworkManager_t)
nscd_initrc_domtrans(NetworkManager_t)
@@ -38979,32 +40705,34 @@ index 0619395..a953cf1 100644
')
optional_policy(`
- # Dispatcher starting and stoping ntp
++ # Dispatcher starting and stoping ntp
ntp_initrc_domtrans(NetworkManager_t)
+ ntp_systemctl(NetworkManager_t)
- ')
-
- optional_policy(`
-+ modutils_domtrans_insmod(NetworkManager_t)
+')
+
+optional_policy(`
-+ openvpn_read_config(NetworkManager_t)
- openvpn_domtrans(NetworkManager_t)
- openvpn_kill(NetworkManager_t)
- openvpn_signal(NetworkManager_t)
-@@ -234,6 +312,10 @@ optional_policy(`
++ modutils_domtrans_insmod(NetworkManager_t)
+ ')
+
+ optional_policy(`
+@@ -289,6 +308,7 @@ optional_policy(`
')
optional_policy(`
++ policykit_dbus_chat(NetworkManager_t)
+ policykit_domtrans_auth(NetworkManager_t)
+ policykit_read_lib(NetworkManager_t)
+ policykit_read_reload(NetworkManager_t)
+@@ -296,7 +316,7 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- polipo_initrc_domtrans(NetworkManager_t)
+ polipo_systemctl(NetworkManager_t)
-+')
-+
-+optional_policy(`
- ppp_initrc_domtrans(NetworkManager_t)
- ppp_domtrans(NetworkManager_t)
- ppp_manage_pid_files(NetworkManager_t)
-@@ -241,6 +323,7 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+@@ -307,6 +327,7 @@ optional_policy(`
ppp_signal(NetworkManager_t)
ppp_signull(NetworkManager_t)
ppp_read_config(NetworkManager_t)
@@ -39012,28 +40740,26 @@ index 0619395..a953cf1 100644
')
optional_policy(`
-@@ -254,6 +337,12 @@ optional_policy(`
+@@ -320,13 +341,14 @@ optional_policy(`
')
optional_policy(`
+- udev_exec(NetworkManager_t)
+- udev_read_db(NetworkManager_t)
+ systemd_write_inhibit_pipes(NetworkManager_t)
+ systemd_read_logind_sessions_files(NetworkManager_t)
+ systemd_dbus_chat_logind(NetworkManager_t)
-+')
-+
-+optional_policy(`
- udev_exec(NetworkManager_t)
- udev_read_db(NetworkManager_t)
')
-@@ -263,6 +352,7 @@ optional_policy(`
- vpn_kill(NetworkManager_t)
- vpn_signal(NetworkManager_t)
- vpn_signull(NetworkManager_t)
-+ vpn_relabelfrom_tun_socket(NetworkManager_t)
+
+ optional_policy(`
+- # unconfined_dgram_send(NetworkManager_t)
+- unconfined_stream_connect(NetworkManager_t)
++ udev_exec(NetworkManager_t)
++ udev_read_db(NetworkManager_t)
')
- ########################################
-@@ -284,6 +374,5 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
+ optional_policy(`
+@@ -356,6 +378,5 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
init_dontaudit_use_fds(wpa_cli_t)
init_use_script_ptys(wpa_cli_t)
@@ -39041,20 +40767,32 @@ index 0619395..a953cf1 100644
term_dontaudit_use_console(wpa_cli_t)
diff --git a/nis.fc b/nis.fc
-index 632a565..cd0e015 100644
+index 8aa1bfa..cd0e015 100644
--- a/nis.fc
+++ b/nis.fc
-@@ -9,7 +9,9 @@
+@@ -2,21 +2,26 @@
+ /etc/rc\.d/init\.d/yppasswd -- gen_context(system_u:object_r:nis_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/ypserv -- gen_context(system_u:object_r:nis_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/ypxfrd -- gen_context(system_u:object_r:nis_initrc_exec_t,s0)
+-
+ /etc/ypserv\.conf -- gen_context(system_u:object_r:ypserv_conf_t,s0)
+
+-/sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0)
++/sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0)
+
/usr/lib/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
- /usr/sbin/rpc\.yppasswdd -- gen_context(system_u:object_r:yppasswdd_exec_t,s0)
+-/usr/sbin/rpc\.yppasswdd -- gen_context(system_u:object_r:yppasswdd_exec_t,s0)
++/usr/sbin/rpc\.yppasswdd -- gen_context(system_u:object_r:yppasswdd_exec_t,s0)
+/usr/sbin/rpc\.yppasswdd\.env -- gen_context(system_u:object_r:yppasswdd_exec_t,s0)
/usr/sbin/rpc\.ypxfrd -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
-+/usr/sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0)
+ /usr/sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0)
/usr/sbin/ypserv -- gen_context(system_u:object_r:ypserv_exec_t,s0)
- /var/yp(/.*)? gen_context(system_u:object_r:var_yp_t,s0)
-@@ -18,3 +20,8 @@
+-/var/yp(/.*)? gen_context(system_u:object_r:var_yp_t,s0)
++/var/yp(/.*)? gen_context(system_u:object_r:var_yp_t,s0)
+
+ /var/run/ypxfrd.* -- gen_context(system_u:object_r:ypxfr_var_run_t,s0)
/var/run/ypbind.* -- gen_context(system_u:object_r:ypbind_var_run_t,s0)
/var/run/ypserv.* -- gen_context(system_u:object_r:ypserv_var_run_t,s0)
/var/run/yppass.* -- gen_context(system_u:object_r:yppasswdd_var_run_t,s0)
@@ -39064,9 +40802,15 @@ index 632a565..cd0e015 100644
+/usr/lib/systemd/system/yppasswdd.* -- gen_context(system_u:object_r:nis_unit_file_t,s0)
+/usr/lib/systemd/system/ypxfrd.* -- gen_context(system_u:object_r:nis_unit_file_t,s0)
diff --git a/nis.if b/nis.if
-index abe3f7f..1112fae 100644
+index 46e55c3..1112fae 100644
--- a/nis.if
+++ b/nis.if
+@@ -1,4 +1,4 @@
+-## <summary>Policy for NIS (YP) servers and clients.</summary>
++## <summary>Policy for NIS (YP) servers and clients</summary>
+
+ ########################################
+ ## <summary>
@@ -27,18 +27,13 @@ interface(`nis_use_ypbind_uncond',`
gen_require(`
type var_yp_t;
@@ -39078,9 +40822,9 @@ index abe3f7f..1112fae 100644
allow $1 self:udp_socket create_socket_perms;
allow $1 var_yp_t:dir list_dir_perms;
-- allow $1 var_yp_t:lnk_file { getattr read };
-+ allow $1 var_yp_t:lnk_file read_lnk_file_perms;
- allow $1 var_yp_t:file read_file_perms;
+- allow $1 var_yp_t:file read_file_perms;
+ allow $1 var_yp_t:lnk_file read_lnk_file_perms;
++ allow $1 var_yp_t:file read_file_perms;
- corenet_all_recvfrom_unlabeled($1)
- corenet_all_recvfrom_netlabel($1)
@@ -39105,7 +40849,7 @@ index abe3f7f..1112fae 100644
corenet_sendrecv_portmap_client_packets($1)
corenet_sendrecv_generic_client_packets($1)
corenet_sendrecv_generic_server_packets($1)
-@@ -88,7 +82,7 @@ interface(`nis_use_ypbind_uncond',`
+@@ -88,14 +82,14 @@ interface(`nis_use_ypbind_uncond',`
## <rolecap/>
#
interface(`nis_use_ypbind',`
@@ -39114,6 +40858,14 @@ index abe3f7f..1112fae 100644
nis_use_ypbind_uncond($1)
')
')
+
+ ########################################
+ ## <summary>
+-## Use nis to authenticate passwords.
++## Use the nis to authenticate passwords
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
@@ -105,7 +99,7 @@ interface(`nis_use_ypbind',`
## <rolecap/>
#
@@ -39123,35 +40875,77 @@ index abe3f7f..1112fae 100644
nis_use_ypbind_uncond($1)
corenet_tcp_bind_all_rpc_ports($1)
corenet_udp_bind_all_rpc_ports($1)
-@@ -131,6 +125,24 @@ interface(`nis_domtrans_ypbind',`
- domtrans_pattern($1, ypbind_exec_t, ypbind_t)
- ')
+@@ -133,20 +127,19 @@ interface(`nis_domtrans_ypbind',`
-+#######################################
-+## <summary>
+ #######################################
+ ## <summary>
+-## Execute ypbind in the caller domain.
+## Execute ypbind in the caller domain.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+## <summary>
+## Domain allowed to transition.
+## </summary>
-+## </param>
-+#
-+interface(`nis_exec_ypbind',`
+ ## </param>
+ #
+ interface(`nis_exec_ypbind',`
+- gen_require(`
+- type ypbind_exec_t;
+- ')
+ gen_require(`
+ type ypbind_t, ypbind_exec_t;
+ ')
-+
-+ can_exec($1, ypbind_exec_t)
-+')
-+
+
+- corecmd_search_bin($1)
+ can_exec($1, ypbind_exec_t)
+ ')
+
+@@ -169,11 +162,11 @@ interface(`nis_exec_ypbind',`
+ #
+ interface(`nis_run_ypbind',`
+ gen_require(`
+- attribute_role ypbind_roles;
++ type ypbind_t;
+ ')
+
+ nis_domtrans_ypbind($1)
+- roleattribute $2 ypbind_roles;
++ role $2 types ypbind_t;
+ ')
+
+ ########################################
+@@ -196,7 +189,7 @@ interface(`nis_signal_ypbind',`
+
########################################
## <summary>
- ## Execute ypbind in the ypbind domain, and
-@@ -337,6 +349,55 @@ interface(`nis_initrc_domtrans_ypbind',`
+-## List nis data directories.
++## List the contents of the NIS data directory.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -272,10 +265,11 @@ interface(`nis_read_ypbind_pid',`
+ #
+ interface(`nis_delete_ypbind_pid',`
+ gen_require(`
+- type ypbind_var_run_t;
++ type ypbind_t;
+ ')
+
+- allow $1 ypbind_var_run_t:file delete_file_perms;
++ # TODO: add delete pid from dir call to files
++ allow $1 ypbind_t:file unlink;
+ ')
+
+ ########################################
+@@ -355,8 +349,57 @@ interface(`nis_initrc_domtrans_ypbind',`
########################################
## <summary>
+-## All of the rules required to
+-## administrate an nis environment.
+## Execute ypbind server in the ypbind domain.
+## </summary>
+## <param name="domain">
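Review bot: `nis_delete_ypbind_pid` on the new side requires `type ypbind_t;` and grants `allow $1 ypbind_t:file unlink;`, but ypbind_t is the daemon's process domain, not the label of its pid file, so the interface no longer grants what its name and summary promise. The pid file type ypbind_var_run_t is declared and used elsewhere in this patch (the nis_admin hunk below), so the upstream line this replaces, `allow $1 ypbind_var_run_t:file delete_file_perms;`, is the one that actually works; if the revert is deliberate to match an older base, the TODO should say so. In `nis_exec_ypbind`, `type ypbind_t, ypbind_exec_t;` requires ypbind_t although only ypbind_exec_t is used, and removing `corecmd_search_bin($1)` means callers must obtain search access to the bin directories themselves.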
@@ -39201,10 +40995,12 @@ index abe3f7f..1112fae 100644
+
+########################################
+## <summary>
- ## All of the rules required to administrate
- ## an nis environment
++## All of the rules required to administrate
++## an nis environment
## </summary>
-@@ -354,22 +415,31 @@ interface(`nis_initrc_domtrans_ypbind',`
+ ## <param name="domain">
+ ## <summary>
+@@ -372,32 +415,56 @@ interface(`nis_initrc_domtrans_ypbind',`
#
interface(`nis_admin',`
gen_require(`
@@ -39213,68 +41009,91 @@ index abe3f7f..1112fae 100644
+ type ypbind_t, yppasswdd_t, ypserv_t;
+ type ypserv_conf_t;
type ypbind_var_run_t, yppasswdd_var_run_t, ypserv_var_run_t;
-- type ypbind_initrc_exec_t, nis_initrc_exec_t;
+- type ypbind_initrc_exec_t, nis_initrc_exec_t, var_yp_t;
+ type ypserv_tmp_t;
+ type ypbind_initrc_exec_t, nis_initrc_exec_t, ypxfr_t;
+ type nis_unit_file_t;
+ type ypbind_unit_file_t;
- ')
-
-- allow $1 ypbind_t:process { ptrace signal_perms };
++ ')
++
+ allow $1 ypbind_t:process signal_perms;
- ps_process_pattern($1, ypbind_t)
++ ps_process_pattern($1, ypbind_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 ypbind_t:process ptrace;
+ allow $1 yppasswdd_t:process ptrace;
+ allow $1 ypserv_t:process ptrace;
+ allow $1 ypxfr_t:process ptrace;
-+ ')
+ ')
-- allow $1 yppasswdd_t:process { ptrace signal_perms };
+- allow $1 { ypbind_t yppasswdd_t ypserv_t ypxfr_t }:process { ptrace signal_perms };
+- ps_process_pattern($1, { ypbind_t yppasswdd_t ypserv_t ypxfr_t })
+ allow $1 yppasswdd_t:process signal_perms;
- ps_process_pattern($1, yppasswdd_t)
-
-- allow $1 ypserv_t:process { ptrace signal_perms };
++ ps_process_pattern($1, yppasswdd_t)
++
+ allow $1 ypserv_t:process signal_perms;
- ps_process_pattern($1, ypserv_t)
-
-- allow $1 ypxfr_t:process { ptrace signal_perms };
++ ps_process_pattern($1, ypserv_t)
++
+ allow $1 ypxfr_t:process signal_perms;
- ps_process_pattern($1, ypxfr_t)
++ ps_process_pattern($1, ypxfr_t)
nis_initrc_domtrans($1)
-@@ -379,18 +449,22 @@ interface(`nis_admin',`
- role_transition $2 ypbind_initrc_exec_t system_r;
+ nis_initrc_domtrans_ypbind($1)
+ domain_system_change_exemption($1)
+- role_transition $2 { nis_initrc_exec_t ypbind_initrc_exec_t } system_r;
++ role_transition $2 nis_initrc_exec_t system_r;
++ role_transition $2 ypbind_initrc_exec_t system_r;
allow $2 system_r;
- files_list_tmp($1)
-- admin_pattern($1, ypbind_tmp_t)
+- admin_pattern($1, { ypserv_tmp_t ypbind_tmp_t })
-
files_list_pids($1)
- admin_pattern($1, ypbind_var_run_t)
+- admin_pattern($1, { ypserv_var_run_t ypbind_var_run_t yppasswdd_var_run_t })
++ admin_pattern($1, ypbind_var_run_t)
+ nis_systemctl_ypbind($1)
+ admin_pattern($1, ypbind_unit_file_t)
+ allow $1 ypbind_unit_file_t:service all_service_perms;
-
- admin_pattern($1, yppasswdd_var_run_t)
++
++ admin_pattern($1, yppasswdd_var_run_t)
files_list_etc($1)
admin_pattern($1, ypserv_conf_t)
+- files_search_var($1)
+- admin_pattern($1, var_yp_t)
+ admin_pattern($1, ypserv_var_run_t)
+
- admin_pattern($1, ypserv_tmp_t)
++ admin_pattern($1, ypserv_tmp_t)
-- admin_pattern($1, ypserv_var_run_t)
+- nis_run_ypbind($1, $2)
+ nis_systemctl($1)
+ admin_pattern($1, nis_unit_file_t)
+ allow $1 nis_unit_file_t:service all_service_perms;
')
diff --git a/nis.te b/nis.te
-index f27899c..f1dd1fa 100644
+index 3e4a31c..f1dd1fa 100644
--- a/nis.te
+++ b/nis.te
-@@ -18,11 +18,14 @@ init_daemon_domain(ypbind_t, ypbind_exec_t)
+@@ -1,12 +1,10 @@
+-policy_module(nis, 1.11.1)
++policy_module(nis, 1.11.0)
+
+ ########################################
+ #
+ # Declarations
+ #
+
+-attribute_role ypbind_roles;
+-
+ type nis_initrc_exec_t;
+ init_script_file(nis_initrc_exec_t)
+
+@@ -16,16 +14,18 @@ files_type(var_yp_t)
+ type ypbind_t;
+ type ypbind_exec_t;
+ init_daemon_domain(ypbind_t, ypbind_exec_t)
+-role ypbind_roles types ypbind_t;
+
type ypbind_initrc_exec_t;
init_script_file(ypbind_initrc_exec_t)
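Review bot: The rewritten `nis_admin` drops var_yp_t from its gen_require and removes `files_search_var($1)` and `admin_pattern($1, var_yp_t)` (the `+-` lines), so an administrator domain given nis_admin can manage the daemons' pid, unit and config files but not the NIS maps under /var/yp, which nis.fc labels var_yp_t; `nis_run_ypbind($1, $2)` is removed as well, so $2 no longer gets the ypbind_t role. If both are unintended consequences of the merge, restoring those three lines keeps the interface complete. The deny_ptrace tunable split for ptrace is a good change; the remaining per-domain `allow $1 <domain>:process signal_perms;` and `ps_process_pattern` lines could use the set form upstream uses, `{ ypbind_t yppasswdd_t ypserv_t ypxfr_t }`, to keep the block short.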
@@ -39291,7 +41110,7 @@ index f27899c..f1dd1fa 100644
type yppasswdd_t;
type yppasswdd_exec_t;
-@@ -37,7 +40,7 @@ type ypserv_exec_t;
+@@ -40,7 +40,7 @@ type ypserv_exec_t;
init_daemon_domain(ypserv_t, ypserv_exec_t)
type ypserv_conf_t;
@@ -39300,7 +41119,7 @@ index f27899c..f1dd1fa 100644
type ypserv_tmp_t;
files_tmp_file(ypserv_tmp_t)
-@@ -52,6 +55,9 @@ init_daemon_domain(ypxfr_t, ypxfr_exec_t)
+@@ -55,6 +55,9 @@ init_daemon_domain(ypxfr_t, ypxfr_exec_t)
type ypxfr_var_run_t;
files_pid_file(ypxfr_var_run_t)
@@ -39310,7 +41129,15 @@ index f27899c..f1dd1fa 100644
########################################
#
# ypbind local policy
-@@ -76,7 +82,6 @@ manage_files_pattern(ypbind_t, var_yp_t, var_yp_t)
+@@ -62,6 +65,7 @@ files_pid_file(ypxfr_var_run_t)
+ dontaudit ypbind_t self:capability { net_admin sys_tty_config };
+ allow ypbind_t self:fifo_file rw_fifo_file_perms;
+ allow ypbind_t self:process signal_perms;
++allow ypbind_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;
+ allow ypbind_t self:netlink_route_socket r_netlink_socket_perms;
+ allow ypbind_t self:tcp_socket create_stream_socket_perms;
+ allow ypbind_t self:udp_socket create_socket_perms;
+@@ -78,7 +82,6 @@ manage_files_pattern(ypbind_t, var_yp_t, var_yp_t)
kernel_read_system_state(ypbind_t)
kernel_read_kernel_sysctls(ypbind_t)
@@ -39318,7 +41145,29 @@ index f27899c..f1dd1fa 100644
corenet_all_recvfrom_netlabel(ypbind_t)
corenet_tcp_sendrecv_generic_if(ypbind_t)
corenet_udp_sendrecv_generic_if(ypbind_t)
-@@ -108,9 +113,9 @@ domain_use_interactive_fds(ypbind_t)
+@@ -88,7 +91,6 @@ corenet_tcp_sendrecv_all_ports(ypbind_t)
+ corenet_udp_sendrecv_all_ports(ypbind_t)
+ corenet_tcp_bind_generic_node(ypbind_t)
+ corenet_udp_bind_generic_node(ypbind_t)
+-
+ corenet_tcp_bind_generic_port(ypbind_t)
+ corenet_udp_bind_generic_port(ypbind_t)
+ corenet_tcp_bind_reserved_port(ypbind_t)
+@@ -96,11 +98,10 @@ corenet_udp_bind_reserved_port(ypbind_t)
+ corenet_tcp_bind_all_rpc_ports(ypbind_t)
+ corenet_udp_bind_all_rpc_ports(ypbind_t)
+ corenet_tcp_connect_all_ports(ypbind_t)
+-corenet_sendrecv_all_client_packets(ypbind_t)
+-corenet_sendrecv_generic_server_packets(ypbind_t)
+-
+ corenet_dontaudit_tcp_bind_all_reserved_ports(ypbind_t)
+ corenet_dontaudit_udp_bind_all_reserved_ports(ypbind_t)
++corenet_sendrecv_all_client_packets(ypbind_t)
++corenet_sendrecv_generic_server_packets(ypbind_t)
+
+ dev_read_sysfs(ypbind_t)
+
+@@ -112,9 +113,9 @@ domain_use_interactive_fds(ypbind_t)
files_read_etc_files(ypbind_t)
files_list_var(ypbind_t)
@@ -39330,12 +41179,31 @@ index f27899c..f1dd1fa 100644
sysnet_read_config(ypbind_t)
-@@ -156,12 +161,13 @@ files_pid_filetrans(yppasswdd_t, yppasswdd_var_run_t, file)
+@@ -124,7 +125,6 @@ userdom_dontaudit_search_user_home_dirs(ypbind_t)
+ optional_policy(`
+ dbus_system_bus_client(ypbind_t)
+ dbus_connect_system_bus(ypbind_t)
+-
+ init_dbus_chat_script(ypbind_t)
+
+ optional_policy(`
+@@ -149,7 +149,8 @@ allow yppasswdd_t self:capability dac_override;
+ dontaudit yppasswdd_t self:capability sys_tty_config;
+ allow yppasswdd_t self:fifo_file rw_fifo_file_perms;
+ allow yppasswdd_t self:process { getsched setfscreate signal_perms };
+-allow yppasswdd_t self:unix_stream_socket { accept listen };
++allow yppasswdd_t self:unix_dgram_socket create_socket_perms;
++allow yppasswdd_t self:unix_stream_socket create_stream_socket_perms;
+ allow yppasswdd_t self:netlink_route_socket r_netlink_socket_perms;
+ allow yppasswdd_t self:tcp_socket create_stream_socket_perms;
+ allow yppasswdd_t self:udp_socket create_socket_perms;
+@@ -160,14 +161,13 @@ files_pid_filetrans(yppasswdd_t, yppasswdd_var_run_t, file)
manage_files_pattern(yppasswdd_t, var_yp_t, var_yp_t)
manage_lnk_files_pattern(yppasswdd_t, var_yp_t, var_yp_t)
+-can_exec(yppasswdd_t, yppasswdd_exec_t)
+can_exec(yppasswdd_t,yppasswdd_exec_t)
-+
+
kernel_list_proc(yppasswdd_t)
kernel_read_proc_symlinks(yppasswdd_t)
kernel_getattr_proc_files(yppasswdd_t)
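Review bot: The only change the Fedora patch now carries at `can_exec(yppasswdd_t,yppasswdd_exec_t)` is removing the space after the comma from upstream's `can_exec(yppasswdd_t, yppasswdd_exec_t)`; this is whitespace-only churn that adds a hunk to maintain on every rebase without changing policy. Dropping the `+-`/`+` pair and keeping upstream's spelling removes the conflict point.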
@@ -39345,23 +41213,53 @@ index f27899c..f1dd1fa 100644
corenet_all_recvfrom_netlabel(yppasswdd_t)
corenet_tcp_sendrecv_generic_if(yppasswdd_t)
corenet_udp_sendrecv_generic_if(yppasswdd_t)
-@@ -186,6 +192,7 @@ selinux_get_fs_mount(yppasswdd_t)
+@@ -177,22 +177,11 @@ corenet_tcp_sendrecv_all_ports(yppasswdd_t)
+ corenet_udp_sendrecv_all_ports(yppasswdd_t)
+ corenet_tcp_bind_generic_node(yppasswdd_t)
+ corenet_udp_bind_generic_node(yppasswdd_t)
+-
+ corenet_tcp_bind_all_rpc_ports(yppasswdd_t)
+ corenet_udp_bind_all_rpc_ports(yppasswdd_t)
+-corenet_sendrecv_generic_server_packets(yppasswdd_t)
+-
+ corenet_dontaudit_tcp_bind_all_reserved_ports(yppasswdd_t)
+ corenet_dontaudit_udp_bind_all_reserved_ports(yppasswdd_t)
+-
+-corecmd_exec_bin(yppasswdd_t)
+-corecmd_exec_shell(yppasswdd_t)
+-
+-domain_use_interactive_fds(yppasswdd_t)
+-
+-files_read_etc_files(yppasswdd_t)
+-files_read_etc_runtime_files(yppasswdd_t)
+-files_relabel_etc_files(yppasswdd_t)
++corenet_sendrecv_generic_server_packets(yppasswdd_t)
+
+ dev_read_sysfs(yppasswdd_t)
+
+@@ -203,11 +192,20 @@ selinux_get_fs_mount(yppasswdd_t)
auth_manage_shadow(yppasswdd_t)
auth_relabel_shadow(yppasswdd_t)
+auth_read_passwd(yppasswdd_t)
auth_etc_filetrans_shadow(yppasswdd_t)
- corecmd_exec_bin(yppasswdd_t)
-@@ -199,7 +206,6 @@ files_relabel_etc_files(yppasswdd_t)
-
++corecmd_exec_bin(yppasswdd_t)
++corecmd_exec_shell(yppasswdd_t)
++
++domain_use_interactive_fds(yppasswdd_t)
++
++files_read_etc_files(yppasswdd_t)
++files_read_etc_runtime_files(yppasswdd_t)
++files_relabel_etc_files(yppasswdd_t)
++
logging_send_syslog_msg(yppasswdd_t)
-miscfiles_read_localization(yppasswdd_t)
sysnet_read_config(yppasswdd_t)
-@@ -211,6 +217,10 @@ optional_policy(`
+@@ -219,6 +217,10 @@ optional_policy(`
')
optional_policy(`
@@ -39372,7 +41270,17 @@ index f27899c..f1dd1fa 100644
seutil_sigchld_newrole(yppasswdd_t)
')
-@@ -247,7 +257,6 @@ kernel_read_kernel_sysctls(ypserv_t)
+@@ -234,7 +236,8 @@ optional_policy(`
+ dontaudit ypserv_t self:capability sys_tty_config;
+ allow ypserv_t self:fifo_file rw_fifo_file_perms;
+ allow ypserv_t self:process signal_perms;
+-allow ypserv_t self:unix_stream_socket { accept listen };
++allow ypserv_t self:unix_dgram_socket create_socket_perms;
++allow ypserv_t self:unix_stream_socket create_stream_socket_perms;
+ allow ypserv_t self:netlink_route_socket r_netlink_socket_perms;
+ allow ypserv_t self:tcp_socket connected_stream_socket_perms;
+ allow ypserv_t self:udp_socket create_socket_perms;
+@@ -254,7 +257,6 @@ kernel_read_kernel_sysctls(ypserv_t)
kernel_list_proc(ypserv_t)
kernel_read_proc_symlinks(ypserv_t)
@@ -39380,7 +41288,38 @@ index f27899c..f1dd1fa 100644
corenet_all_recvfrom_netlabel(ypserv_t)
corenet_tcp_sendrecv_generic_if(ypserv_t)
corenet_udp_sendrecv_generic_if(ypserv_t)
-@@ -279,7 +288,6 @@ files_read_etc_files(ypserv_t)
+@@ -264,31 +266,28 @@ corenet_tcp_sendrecv_all_ports(ypserv_t)
+ corenet_udp_sendrecv_all_ports(ypserv_t)
+ corenet_tcp_bind_generic_node(ypserv_t)
+ corenet_udp_bind_generic_node(ypserv_t)
+-
+ corenet_tcp_bind_reserved_port(ypserv_t)
+ corenet_udp_bind_reserved_port(ypserv_t)
+ corenet_tcp_bind_all_rpc_ports(ypserv_t)
+ corenet_udp_bind_all_rpc_ports(ypserv_t)
+-corenet_sendrecv_generic_server_packets(ypserv_t)
+-
+ corenet_dontaudit_tcp_bind_all_reserved_ports(ypserv_t)
+ corenet_dontaudit_udp_bind_all_reserved_ports(ypserv_t)
++corenet_sendrecv_generic_server_packets(ypserv_t)
+
+-corecmd_exec_bin(ypserv_t)
++dev_read_sysfs(ypserv_t)
+
+-files_read_etc_files(ypserv_t)
+-files_read_var_files(ypserv_t)
++fs_getattr_all_fs(ypserv_t)
++fs_search_auto_mountpoints(ypserv_t)
+
+-dev_read_sysfs(ypserv_t)
++corecmd_exec_bin(ypserv_t)
+
+ domain_use_interactive_fds(ypserv_t)
+
+-fs_getattr_all_fs(ypserv_t)
+-fs_search_auto_mountpoints(ypserv_t)
++files_read_var_files(ypserv_t)
++files_read_etc_files(ypserv_t)
logging_send_syslog_msg(ypserv_t)
@@ -39388,7 +41327,18 @@ index f27899c..f1dd1fa 100644
nis_domtrans_ypxfr(ypserv_t)
-@@ -317,7 +325,6 @@ allow ypxfr_t ypserv_conf_t:file read_file_perms;
+@@ -310,8 +309,8 @@ optional_policy(`
+ # ypxfr local policy
+ #
+
+-allow ypxfr_t self:unix_stream_socket { accept listen };
+-allow ypxfr_t self:unix_dgram_socket { accept listen };
++allow ypxfr_t self:unix_stream_socket create_stream_socket_perms;
++allow ypxfr_t self:unix_dgram_socket create_stream_socket_perms;
+ allow ypxfr_t self:tcp_socket create_stream_socket_perms;
+ allow ypxfr_t self:udp_socket create_socket_perms;
+ allow ypxfr_t self:netlink_route_socket r_netlink_socket_perms;
+@@ -326,7 +325,6 @@ allow ypxfr_t ypserv_conf_t:file read_file_perms;
manage_files_pattern(ypxfr_t, ypxfr_var_run_t, ypxfr_var_run_t)
files_pid_filetrans(ypxfr_t, ypxfr_var_run_t, file)
@@ -39396,7 +41346,26 @@ index f27899c..f1dd1fa 100644
corenet_all_recvfrom_netlabel(ypxfr_t)
corenet_tcp_sendrecv_generic_if(ypxfr_t)
corenet_udp_sendrecv_generic_if(ypxfr_t)
-@@ -342,6 +349,5 @@ files_search_usr(ypxfr_t)
+@@ -336,23 +334,20 @@ corenet_tcp_sendrecv_all_ports(ypxfr_t)
+ corenet_udp_sendrecv_all_ports(ypxfr_t)
+ corenet_tcp_bind_generic_node(ypxfr_t)
+ corenet_udp_bind_generic_node(ypxfr_t)
+-
+ corenet_tcp_bind_reserved_port(ypxfr_t)
+ corenet_udp_bind_reserved_port(ypxfr_t)
+ corenet_tcp_bind_all_rpc_ports(ypxfr_t)
+ corenet_udp_bind_all_rpc_ports(ypxfr_t)
++corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t)
++corenet_dontaudit_udp_bind_all_reserved_ports(ypxfr_t)
+ corenet_tcp_connect_all_ports(ypxfr_t)
+ corenet_sendrecv_generic_server_packets(ypxfr_t)
+ corenet_sendrecv_all_client_packets(ypxfr_t)
+
+-corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t)
+-corenet_dontaudit_udp_bind_all_reserved_ports(ypxfr_t)
+-
+ files_read_etc_files(ypxfr_t)
+ files_search_usr(ypxfr_t)
logging_send_syslog_msg(ypxfr_t)
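Review bot: `allow ypxfr_t self:unix_dgram_socket create_stream_socket_perms;` grants listen and accept on a datagram socket, permissions a dgram socket never exercises; the ypserv_t rule added in the hunk above uses the right set for its dgram socket (`allow ypserv_t self:unix_dgram_socket create_socket_perms;`), so the ypxfr line should read `allow ypxfr_t self:unix_dgram_socket create_socket_perms;`. The surplus permissions are harmless in practice, but the rule overstates what ypxfr needs and the pattern tends to get copied into the next domain. The ypxfr local-policy block this belongs to continues outside the hunk.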
@@ -39814,75 +41783,237 @@ index 0000000..f0aaecf
+')
+
diff --git a/nscd.fc b/nscd.fc
-index 623b731..429bd79 100644
+index ba64485..429bd79 100644
--- a/nscd.fc
+++ b/nscd.fc
-@@ -11,3 +11,5 @@
- /var/run/\.nscd_socket -s gen_context(system_u:object_r:nscd_var_run_t,s0)
+@@ -1,13 +1,15 @@
+ /etc/rc\.d/init\.d/nscd -- gen_context(system_u:object_r:nscd_initrc_exec_t,s0)
+
+-/usr/sbin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0)
++/usr/sbin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0)
+
+-/var/cache/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
+-
+-/var/db/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
++/var/db/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
++/var/cache/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
+
+ /var/log/nscd\.log.* -- gen_context(system_u:object_r:nscd_log_t,s0)
- /var/run/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
+-/var/run/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
+ /var/run/nscd\.pid -- gen_context(system_u:object_r:nscd_var_run_t,s0)
+ /var/run/\.nscd_socket -s gen_context(system_u:object_r:nscd_var_run_t,s0)
++
++/var/run/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
+
+/usr/lib/systemd/system/nscd\.service -- gen_context(system_u:object_r:nscd_unit_file_t,s0)
diff --git a/nscd.if b/nscd.if
-index 85188dc..2b37836 100644
+index 8f2ab09..685270c 100644
--- a/nscd.if
+++ b/nscd.if
-@@ -116,7 +116,26 @@ interface(`nscd_socket_use',`
+@@ -1,8 +1,8 @@
+-## <summary>Name service cache daemon.</summary>
++## <summary>Name service cache daemon</summary>
+
+ ########################################
+ ## <summary>
+-## Send generic signals to nscd.
++## Send generic signals to NSCD.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -20,7 +20,7 @@ interface(`nscd_signal',`
+
+ ########################################
+ ## <summary>
+-## Send kill signals to nscd.
++## Send NSCD the kill signal.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -38,7 +38,7 @@ interface(`nscd_kill',`
+
+ ########################################
+ ## <summary>
+-## Send null signals to nscd.
++## Send signulls to NSCD.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -56,7 +56,7 @@ interface(`nscd_signull',`
+
+ ########################################
+ ## <summary>
+-## Execute nscd in the nscd domain.
++## Execute NSCD in the nscd domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -75,7 +75,8 @@ interface(`nscd_domtrans',`
+
+ ########################################
+ ## <summary>
+-## Execute nscd in the caller domain.
++## Allow the specified domain to execute nscd
++## in the caller domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -88,14 +89,13 @@ interface(`nscd_exec',`
+ type nscd_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+ can_exec($1, nscd_exec_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Use nscd services by connecting using
+-## a unix domain stream socket.
++## Use NSCD services by connecting using
++## a unix stream socket.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -112,22 +112,17 @@ interface(`nscd_socket_use',`
+ allow $1 self:unix_stream_socket create_socket_perms;
+
+ allow $1 nscd_t:nscd { getpwd getgrp gethost };
+-
+ dontaudit $1 nscd_t:fd use;
dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv };
+-
files_search_pids($1)
stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t)
-- dontaudit $1 nscd_var_run_t:file { getattr read };
-+ dontaudit $1 nscd_var_run_t:file read_file_perms;
-+ ps_process_pattern(nscd_t, $1)
+ dontaudit $1 nscd_var_run_t:file read_file_perms;
+-
+ ps_process_pattern(nscd_t, $1)
+ ')
+
+ ########################################
+ ## <summary>
+-## Use nscd services by mapping the
+-## database from an inherited nscd
+-## file descriptor.
++## Use nscd services
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -135,28 +130,36 @@ interface(`nscd_socket_use',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`nscd_shm_use',`
+- gen_require(`
+- type nscd_t, nscd_var_run_t;
+- class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
++interface(`nscd_use',`
++ tunable_policy(`nscd_use_shm',`
++ nscd_shm_use($1)
++ ',`
++ nscd_socket_use($1)
+ ')
+')
-+
+
+- allow $1 self:unix_stream_socket create_stream_socket_perms;
+-
+- allow $1 nscd_t:nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
+- allow $1 nscd_t:fd use;
+-
+- files_search_pids($1)
+- stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t)
+- dontaudit $1 nscd_var_run_t:file read_file_perms;
+########################################
+## <summary>
-+## Use nscd services
++## Do not audit attempts to write nscd sock files
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain allowed access.
++## Domain to not audit.
+## </summary>
+## </param>
+#
-+interface(`nscd_use',`
-+ tunable_policy(`nscd_use_shm',`
-+ nscd_shm_use($1)
-+ ',`
-+ nscd_socket_use($1)
++interface(`nscd_dontaudit_write_sock_file',`
++ gen_require(`
++ type nscd_t;
+ ')
+
+- allow $1 nscd_var_run_t:dir list_dir_perms;
+- allow $1 nscd_var_run_t:sock_file read_sock_file_perms;
++ dontaudit $1 nscd_t:sock_file write;
')
########################################
-@@ -146,11 +165,14 @@ interface(`nscd_shm_use',`
- # nscd_socket_domain macro. need to investigate
- # if they are all actually required
- allow $1 self:unix_stream_socket create_stream_socket_perms;
-- allow $1 nscd_t:unix_stream_socket connectto;
-- allow $1 nscd_var_run_t:sock_file rw_file_perms;
+ ## <summary>
+-## Use nscd services.
++## Use NSCD services by mapping the database from
++## an inherited NSCD file descriptor.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -164,18 +167,35 @@ interface(`nscd_shm_use',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`nscd_use',`
+- tunable_policy(`nscd_use_shm',`
+- nscd_shm_use($1)
+- ',`
+- nscd_socket_use($1)
++interface(`nscd_shm_use',`
++ gen_require(`
++ type nscd_t, nscd_var_run_t;
++ class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
+ ')
++
++ allow $1 nscd_var_run_t:dir list_dir_perms;
++ allow $1 nscd_t:nscd { shmempwd shmemgrp shmemhost };
++
++ # Receive fd from nscd and map the backing file with read access.
++ allow $1 nscd_t:fd use;
++
++ # cjp: these were originally inherited from the
++ # nscd_socket_domain macro. need to investigate
++ # if they are all actually required
++ allow $1 self:unix_stream_socket create_stream_socket_perms;
+
+ # dg: This may not be required.
+ allow $1 nscd_var_run_t:sock_file read_sock_file_perms;
+
+ stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t)
- files_search_pids($1)
- allow $1 nscd_t:nscd { getpwd getgrp gethost };
-- dontaudit $1 nscd_var_run_t:file { getattr read };
++ files_search_pids($1)
++ allow $1 nscd_t:nscd { getpwd getgrp gethost };
+ dontaudit $1 nscd_var_run_t:file read_file_perms;
')
########################################
-@@ -168,7 +190,7 @@ interface(`nscd_dontaudit_search_pid',`
- type nscd_var_run_t;
- ')
+ ## <summary>
+-## Do not audit attempts to search
+-## nscd pid directories.
++## Do not audit attempts to search the NSCD pid directory.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -193,7 +213,7 @@ interface(`nscd_dontaudit_search_pid',`
-- dontaudit $1 nscd_var_run_t:dir search;
-+ dontaudit $1 nscd_var_run_t:dir search_dir_perms;
- ')
+ ########################################
+ ## <summary>
+-## Read nscd pid files.
++## Read NSCD pid file.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -212,7 +232,7 @@ interface(`nscd_read_pid',`
########################################
-@@ -224,6 +246,7 @@ interface(`nscd_unconfined',`
+ ## <summary>
+-## Unconfined access to nscd services.
++## Unconfined access to NSCD services.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -244,20 +264,20 @@ interface(`nscd_unconfined',`
## Role allowed access.
## </summary>
## </param>
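Review bot: The new `nscd_dontaudit_write_sock_file` interface dontaudits `nscd_t:sock_file write`, but nscd_t is the daemon's process domain, while the socket file clients connect to is labeled nscd_var_run_t per nscd.fc in this same hunk (`/var/run/\.nscd_socket -s gen_context(system_u:object_r:nscd_var_run_t,s0)`), so a denied connect would name nscd_var_run_t as the target and this rule would silence nothing. Unless some path leaves a sock_file carrying the nscd_t type (none is visible here), the interface should require `type nscd_var_run_t;` and read `dontaudit $1 nscd_var_run_t:sock_file write;`. If it was written from a real AVC whose tcontext was nscd_t, that points at a mislabeled socket file rather than a policy gap, and a comment naming the caller that produced it would help the next reviewer decide.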
@@ -39890,10 +42021,29 @@ index 85188dc..2b37836 100644
#
interface(`nscd_run',`
gen_require(`
-@@ -254,6 +277,29 @@ interface(`nscd_initrc_domtrans',`
+- attribute_role nscd_roles;
++ type nscd_t;
+ ')
+
+ nscd_domtrans($1)
+- roleattribute $2 nscd_roles;
++ role $2 types nscd_t;
+ ')
+
+ ########################################
+ ## <summary>
+-## Execute the nscd server init
+-## script in the initrc domain.
++## Execute the nscd server init script.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -275,8 +295,31 @@ interface(`nscd_initrc_domtrans',`
########################################
## <summary>
+-## All of the rules required to
+-## administrate an nscd environment.
+## Execute nscd server in the nscd domain.
+## </summary>
+## <param name="domain">
@@ -39917,10 +42067,21 @@ index 85188dc..2b37836 100644
+
+########################################
+## <summary>
- ## All of the rules required to administrate
- ## an nscd environment
++## All of the rules required to administrate
++## an nscd environment
## </summary>
-@@ -273,10 +319,14 @@ interface(`nscd_admin',`
+ ## <param name="domain">
+ ## <summary>
+@@ -285,7 +328,7 @@ interface(`nscd_initrc_domtrans',`
+ ## </param>
+ ## <param name="role">
+ ## <summary>
+-## Role allowed access.
++## The role to be allowed to manage the nscd domain.
+ ## </summary>
+ ## </param>
+ ## <rolecap/>
+@@ -294,10 +337,14 @@ interface(`nscd_admin',`
gen_require(`
type nscd_t, nscd_log_t, nscd_var_run_t;
type nscd_initrc_exec_t;
@@ -39936,34 +42097,59 @@ index 85188dc..2b37836 100644
init_labeled_script_domtrans($1, nscd_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -288,4 +338,8 @@ interface(`nscd_admin',`
-
+@@ -310,5 +357,7 @@ interface(`nscd_admin',`
files_list_pids($1)
admin_pattern($1, nscd_var_run_t)
-+
+
+- nscd_run($1, $2)
+ nscd_systemctl($1)
+ admin_pattern($1, nscd_unit_file_t)
+ allow $1 nscd_unit_file_t:service all_service_perms;
')
diff --git a/nscd.te b/nscd.te
-index 7936e09..2814186 100644
+index df4c10f..2814186 100644
--- a/nscd.te
+++ b/nscd.te
-@@ -4,6 +4,13 @@ gen_require(`
+@@ -1,36 +1,37 @@
+-policy_module(nscd, 1.10.3)
++policy_module(nscd, 1.10.0)
+
+ gen_require(`
class nscd all_nscd_perms;
')
-+## <desc>
-+## <p>
+-########################################
+-#
+-# Declarations
+-#
+-
+ ## <desc>
+ ## <p>
+-## Determine whether confined applications
+-## can use nscd shared memory.
+## Allow confined applications to use nscd shared memory.
-+## </p>
-+## </desc>
-+gen_tunable(nscd_use_shm, false)
-+
- ########################################
- #
- # Declarations
-@@ -22,6 +29,9 @@ init_daemon_domain(nscd_t, nscd_exec_t)
+ ## </p>
+ ## </desc>
+ gen_tunable(nscd_use_shm, false)
+
+-attribute_role nscd_roles;
++########################################
++#
++# Declarations
++#
+
++# cjp: this is out of order because of an
++# ordering problem with loadable modules
+ type nscd_var_run_t;
+ files_pid_file(nscd_var_run_t)
+-init_daemon_run_dir(nscd_var_run_t, "nscd")
+
++# nscd is both the client program and the daemon.
+ type nscd_t;
+ type nscd_exec_t;
+ init_daemon_domain(nscd_t, nscd_exec_t)
+-role nscd_roles types nscd_t;
+
type nscd_initrc_exec_t;
init_script_file(nscd_initrc_exec_t)
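Review bot: The reworked `nscd_admin` drops `nscd_run($1, $2)` (the removed line at the end of its inner hunk), so the admin role now gets init-script, systemctl and file access to nscd but no domain transition into nscd_t, and `role $2 types nscd_t` is no longer established through this interface. The comment added to nscd.te in this hunk (`# For client program operation, invoked from sysadm_t. Transition occurs to nscd_t ...`) says the client relies on running in nscd_t to hold `nscd_t:nscd { admin getstat }`, so `nscd -i` or `nscd -g` issued from an admin domain that is not given nscd_run elsewhere will be denied. Unless the transition is granted to these roles in another module (not visible here), keep `nscd_run($1, $2)` in nscd_admin next to `nscd_systemctl($1)`. The rest of nscd_admin lies outside the hunk.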
@@ -39973,8 +42159,23 @@ index 7936e09..2814186 100644
type nscd_log_t;
logging_log_file(nscd_log_t)
-@@ -47,13 +57,15 @@ allow nscd_t self:nscd { admin getstat };
- allow nscd_t nscd_log_t:file manage_file_perms;
+@@ -43,53 +44,54 @@ allow nscd_t self:capability { kill setgid setuid };
+ dontaudit nscd_t self:capability sys_tty_config;
+ allow nscd_t self:process { getattr getcap setcap setsched signal_perms };
+ allow nscd_t self:fifo_file read_fifo_file_perms;
+-allow nscd_t self:unix_stream_socket { accept listen };
++allow nscd_t self:unix_stream_socket create_stream_socket_perms;
++allow nscd_t self:unix_dgram_socket create_socket_perms;
+ allow nscd_t self:netlink_selinux_socket create_socket_perms;
++allow nscd_t self:tcp_socket create_socket_perms;
++allow nscd_t self:udp_socket create_socket_perms;
+
++# For client program operation, invoked from sysadm_t.
++# Transition occurs to nscd_t due to direct_sysadm_daemon.
+ allow nscd_t self:nscd { admin getstat };
+
+-allow nscd_t nscd_log_t:file { append_file_perms create_file_perms setattr_file_perms };
++allow nscd_t nscd_log_t:file manage_file_perms;
logging_log_filetrans(nscd_t, nscd_log_t, file)
+manage_dirs_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t)
@@ -39983,32 +42184,65 @@ index 7936e09..2814186 100644
-files_pid_filetrans(nscd_t, nscd_var_run_t, { file sock_file })
+files_pid_filetrans(nscd_t, nscd_var_run_t, { file sock_file dir })
- corecmd_search_bin(nscd_t)
++corecmd_search_bin(nscd_t)
can_exec(nscd_t, nscd_exec_t)
-+kernel_read_network_state(nscd_t)
- kernel_read_kernel_sysctls(nscd_t)
- kernel_list_proc(nscd_t)
+-kernel_list_proc(nscd_t)
+-kernel_read_kernel_sysctls(nscd_t)
+ kernel_read_network_state(nscd_t)
++kernel_read_kernel_sysctls(nscd_t)
++kernel_list_proc(nscd_t)
kernel_read_proc_symlinks(nscd_t)
-@@ -70,7 +82,6 @@ fs_list_inotifyfs(nscd_t)
+
+-corecmd_search_bin(nscd_t)
+-
+ dev_read_sysfs(nscd_t)
+ dev_read_rand(nscd_t)
+ dev_read_urand(nscd_t)
+
+-domain_search_all_domains_state(nscd_t)
+-domain_use_interactive_fds(nscd_t)
+-
+-files_read_generic_tmp_symlinks(nscd_t)
+-files_read_etc_runtime_files(nscd_t)
+-
+ fs_getattr_all_fs(nscd_t)
+ fs_search_auto_mountpoints(nscd_t)
+ fs_list_inotifyfs(nscd_t)
+
++# for when /etc/passwd has just been updated and has the wrong type
auth_getattr_shadow(nscd_t)
auth_use_nsswitch(nscd_t)
-corenet_all_recvfrom_unlabeled(nscd_t)
corenet_all_recvfrom_netlabel(nscd_t)
corenet_tcp_sendrecv_generic_if(nscd_t)
- corenet_udp_sendrecv_generic_if(nscd_t)
-@@ -90,8 +101,8 @@ selinux_compute_create_context(nscd_t)
++corenet_udp_sendrecv_generic_if(nscd_t)
+ corenet_tcp_sendrecv_generic_node(nscd_t)
+-
+-corenet_sendrecv_all_client_packets(nscd_t)
+-corenet_tcp_connect_all_ports(nscd_t)
++corenet_udp_sendrecv_generic_node(nscd_t)
+ corenet_tcp_sendrecv_all_ports(nscd_t)
+-
++corenet_udp_sendrecv_all_ports(nscd_t)
++corenet_udp_bind_generic_node(nscd_t)
++corenet_tcp_connect_all_ports(nscd_t)
++corenet_sendrecv_all_client_packets(nscd_t)
+ corenet_rw_tun_tap_dev(nscd_t)
+
+ selinux_get_fs_mount(nscd_t)
+@@ -98,16 +100,23 @@ selinux_compute_access_vector(nscd_t)
+ selinux_compute_create_context(nscd_t)
selinux_compute_relabel_context(nscd_t)
selinux_compute_user_contexts(nscd_t)
- domain_use_interactive_fds(nscd_t)
++domain_use_interactive_fds(nscd_t)
+domain_search_all_domains_state(nscd_t)
++
++files_read_generic_tmp_symlinks(nscd_t)
++# Needed to read files created by firstboot "/etc/hesiod.conf"
++files_read_etc_runtime_files(nscd_t)
--files_read_etc_files(nscd_t)
- files_read_generic_tmp_symlinks(nscd_t)
- # Needed to read files created by firstboot "/etc/hesiod.conf"
- files_read_etc_runtime_files(nscd_t)
-@@ -99,7 +110,6 @@ files_read_etc_runtime_files(nscd_t)
logging_send_audit_msgs(nscd_t)
logging_send_syslog_msg(nscd_t)
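Review bot: The comment `# for when /etc/passwd has just been updated and has the wrong type` sits directly above `auth_getattr_shadow(nscd_t)`, which concerns stat() on /etc/shadow, not /etc/passwd, so it does not explain the rule beneath it; presumably it was meant to justify getattr on a freshly rewritten shadow file that briefly carries another type. Either reword it to `# nscd stats /etc/shadow to notice updates; the file may briefly have another type right after it is rewritten` or move it to the rule it actually describes. Since a name-service cache having any access to the shadow file is the kind of line a reviewer stops on, a one-line note on which lookup triggers the getattr would be worth adding.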
@@ -40016,71 +42250,99 @@ index 7936e09..2814186 100644
seutil_read_config(nscd_t)
seutil_read_default_contexts(nscd_t)
-@@ -112,6 +122,10 @@ userdom_dontaudit_use_unpriv_user_fds(nscd_t)
+ seutil_sigchld_newrole(nscd_t)
+
++sysnet_read_config(nscd_t)
++
+ userdom_dontaudit_use_user_terminals(nscd_t)
+ userdom_dontaudit_use_unpriv_user_fds(nscd_t)
userdom_dontaudit_search_user_home_dirs(nscd_t)
+@@ -121,20 +130,30 @@ optional_policy(`
+ ')
optional_policy(`
-+ accountsd_dontaudit_rw_fifo_file(nscd_t)
++ kerberos_use(nscd_t)
+')
+
+optional_policy(`
- cron_read_system_job_tmp_files(nscd_t)
- ')
-
-@@ -127,3 +141,19 @@ optional_policy(`
- xen_dontaudit_rw_unix_stream_sockets(nscd_t)
- xen_append_log(nscd_t)
- ')
++ udev_read_db(nscd_t)
++')
+
+optional_policy(`
-+ tunable_policy(`samba_domain_controller',`
-+ samba_append_log(nscd_t)
-+ samba_dontaudit_use_fds(nscd_t)
-+ ')
++ xen_dontaudit_rw_unix_stream_sockets(nscd_t)
++ xen_append_log(nscd_t)
+')
+
+optional_policy(`
+ tunable_policy(`samba_domain_controller',`
+ samba_append_log(nscd_t)
+ samba_dontaudit_use_fds(nscd_t)
+ ')
+-
+- samba_read_config(nscd_t)
+- samba_read_var_files(nscd_t)
+ ')
+
+ optional_policy(`
+- udev_read_db(nscd_t)
+ samba_read_config(nscd_t)
+ samba_read_var_files(nscd_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- xen_dontaudit_rw_unix_stream_sockets(nscd_t)
+- xen_append_log(nscd_t)
+ unconfined_dontaudit_rw_packet_sockets(nscd_t)
-+')
+ ')
diff --git a/nsd.fc b/nsd.fc
-index 53cc800..5348e92 100644
+index 4f2b1b6..5348e92 100644
--- a/nsd.fc
+++ b/nsd.fc
-@@ -1,6 +1,6 @@
+@@ -1,16 +1,13 @@
+-/etc/rc\.d/init\.d/nsd -- gen_context(system_u:object_r:nsd_initrc_exec_t,s0)
- /etc/nsd(/.*)? gen_context(system_u:object_r:nsd_conf_t,s0)
+-/etc/nsd(/.*)? gen_context(system_u:object_r:nsd_conf_t,s0)
-/etc/nsd/nsd\.db -- gen_context(system_u:object_r:nsd_db_t,s0)
+-/etc/nsd/primary(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0)
++/etc/nsd(/.*)? gen_context(system_u:object_r:nsd_conf_t,s0)
+/etc/nsd/nsd\.db -- gen_context(system_u:object_r:nsd_zone_t,s0)
- /etc/nsd/primary(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0)
++/etc/nsd/primary(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0)
/etc/nsd/secondary(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0)
-@@ -10,5 +10,4 @@
- /usr/sbin/zonec -- gen_context(system_u:object_r:nsd_exec_t,s0)
-
- /var/lib/nsd(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0)
+-/usr/sbin/nsd -- gen_context(system_u:object_r:nsd_exec_t,s0)
+-/usr/sbin/nsdc -- gen_context(system_u:object_r:nsd_exec_t,s0)
++/usr/sbin/nsd -- gen_context(system_u:object_r:nsd_exec_t,s0)
++/usr/sbin/nsdc -- gen_context(system_u:object_r:nsd_exec_t,s0)
+ /usr/sbin/nsd-notify -- gen_context(system_u:object_r:nsd_exec_t,s0)
+-/usr/sbin/zonec -- gen_context(system_u:object_r:nsd_exec_t,s0)
+-
+-/var/lib/nsd(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0)
-/var/lib/nsd/nsd\.db -- gen_context(system_u:object_r:nsd_db_t,s0)
++/usr/sbin/zonec -- gen_context(system_u:object_r:nsd_exec_t,s0)
+
++/var/lib/nsd(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0)
/var/run/nsd\.pid -- gen_context(system_u:object_r:nsd_var_run_t,s0)
diff --git a/nsd.if b/nsd.if
-index a1371d5..ad4f14a 100644
+index a9c60ff..ad4f14a 100644
--- a/nsd.if
+++ b/nsd.if
-@@ -2,6 +2,25 @@
+@@ -1,8 +1,8 @@
+-## <summary>Authoritative only name server.</summary>
++## <summary>Authoritative only name server</summary>
########################################
## <summary>
+-## Send and receive datagrams from NSD. (Deprecated)
+## Read NSD pid file.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -10,13 +10,18 @@
+ ## </summary>
+ ## </param>
+ #
+-interface(`nsd_udp_chat',`
+- refpolicywarn(`$0($*) has been deprecated.')
+interface(`nsd_read_pid',`
+ gen_require(`
+ type nsd_var_run_t;
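Review bot: nscd.te now carries two back-to-back `optional_policy(` blocks for samba, one holding the `samba_domain_controller` tunable and one holding `samba_read_config(nscd_t)` and `samba_read_var_files(nscd_t)`; both are guarded by the same module, and the upstream lines this hunk removes kept them in a single block. Merging them back into one optional_policy block keeps the samba dependency in one place and makes it obvious that the read rules are unconditional while the log-append and fd rules are tunable-gated. This is a style point only; the compiled policy is the same either way.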
@@ -40088,67 +42350,129 @@ index a1371d5..ad4f14a 100644
+
+ files_search_pids($1)
+ read_files_pattern($1, nsd_var_run_t, nsd_var_run_t)
-+')
-+
-+########################################
-+## <summary>
- ## Send and receive datagrams from NSD. (Deprecated)
+ ')
+
+ ########################################
+ ## <summary>
+-## Connect to NSD over a TCP socket (Deprecated)
++## Send and receive datagrams from NSD. (Deprecated)
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -24,47 +29,20 @@ interface(`nsd_udp_chat',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`nsd_tcp_connect',`
++interface(`nsd_udp_chat',`
+ refpolicywarn(`$0($*) has been deprecated.')
+ ')
+
+ ########################################
+ ## <summary>
+-## All of the rules required to
+-## administrate an nsd environment.
++## Connect to NSD over a TCP socket (Deprecated)
## </summary>
## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <param name="role">
+-## <summary>
+-## Role allowed access.
+-## </summary>
+-## </param>
+-## <rolecap/>
+ #
+-interface(`nsd_admin',`
+- gen_require(`
+- type nsd_t, nsd_conf_t, nsd_var_run_t;
+- type nsd_initrc_exec_t, nsd_db_t, nsd_zone_t;
+- ')
+-
+- allow $1 nsd_t:process { ptrace signal_perms };
+- ps_process_pattern($1, nsd_t)
+-
+- init_labeled_script_domtrans($1, nsd_initrc_exec_t)
+- domain_system_change_exemption($1)
+- role_transition $2 nsd_initrc_exec_t system_r;
+- allow $2 system_r;
+-
+- files_search_etc($1)
+- admin_pattern($1, { nsd_conf_t nsd_db_t })
+-
+- files_search_var_lib($1)
+- admin_pattern($1, nsd_zone_t)
+-
+- files_list_pids($1)
+- admin_pattern($1, nsd_var_run_t)
++interface(`nsd_tcp_connect',`
++ refpolicywarn(`$0($*) has been deprecated.')
+ ')
diff --git a/nsd.te b/nsd.te
-index 4b15536..82e97aa 100644
+index dde7f42..82e97aa 100644
--- a/nsd.te
+++ b/nsd.te
-@@ -18,15 +18,11 @@ domain_type(nsd_crond_t)
+@@ -1,4 +1,4 @@
+-policy_module(nsd, 1.7.1)
++policy_module(nsd, 1.7.0)
+
+ ########################################
+ #
+@@ -9,9 +9,7 @@ type nsd_t;
+ type nsd_exec_t;
+ init_daemon_domain(nsd_t, nsd_exec_t)
+
+-type nsd_initrc_exec_t;
+-init_script_file(nsd_initrc_exec_t)
+-
++# A type for configuration files of nsd
+ type nsd_conf_t;
+ files_type(nsd_conf_t)
+
+@@ -20,32 +18,28 @@ domain_type(nsd_crond_t)
domain_entry_file(nsd_crond_t, nsd_exec_t)
role system_r types nsd_crond_t;
--# a type for nsd.db
-type nsd_db_t;
-files_type(nsd_db_t)
-
type nsd_var_run_t;
files_pid_file(nsd_var_run_t)
- # A type for zone files
-type nsd_zone_t;
++# A type for zone files
+type nsd_zone_t alias nsd_db_t;
files_type(nsd_zone_t)
########################################
-@@ -34,25 +30,24 @@ files_type(nsd_zone_t)
- # NSD Local policy
+ #
+-# Local policy
++# NSD Local policy
#
--allow nsd_t self:capability { dac_override chown setuid setgid };
-+allow nsd_t self:capability { chown dac_override kill setgid setuid };
+ allow nsd_t self:capability { chown dac_override kill setgid setuid };
dontaudit nsd_t self:capability sys_tty_config;
allow nsd_t self:process signal_perms;
- allow nsd_t self:tcp_socket create_stream_socket_perms;
- allow nsd_t self:udp_socket create_socket_perms;
-+allow nsd_t self:fifo_file rw_fifo_file_perms;
++allow nsd_t self:tcp_socket create_stream_socket_perms;
++allow nsd_t self:udp_socket create_socket_perms;
+ allow nsd_t self:fifo_file rw_fifo_file_perms;
+-allow nsd_t self:tcp_socket { accept listen };
allow nsd_t nsd_conf_t:dir list_dir_perms;
- read_files_pattern(nsd_t, nsd_conf_t, nsd_conf_t)
- read_lnk_files_pattern(nsd_t, nsd_conf_t, nsd_conf_t)
-
+-allow nsd_t nsd_conf_t:file read_file_perms;
+-allow nsd_t nsd_conf_t:lnk_file read_lnk_file_perms;
+-
-allow nsd_t nsd_db_t:file manage_file_perms;
-filetrans_pattern(nsd_t, nsd_zone_t, nsd_db_t, file)
--
++read_files_pattern(nsd_t, nsd_conf_t, nsd_conf_t)
++read_lnk_files_pattern(nsd_t, nsd_conf_t, nsd_conf_t)
+
manage_files_pattern(nsd_t, nsd_var_run_t, nsd_var_run_t)
files_pid_filetrans(nsd_t, nsd_var_run_t, file)
-
--allow nsd_t nsd_zone_t:dir list_dir_perms;
--read_files_pattern(nsd_t, nsd_zone_t, nsd_zone_t)
--read_lnk_files_pattern(nsd_t, nsd_zone_t, nsd_zone_t)
-+manage_dirs_pattern(nsd_t, nsd_zone_t, nsd_zone_t)
-+manage_files_pattern(nsd_t, nsd_zone_t, nsd_zone_t)
-+manage_lnk_files_pattern(nsd_t, nsd_zone_t, nsd_zone_t)
-+files_var_lib_filetrans(nsd_t, nsd_zone_t, dir)
-
- can_exec(nsd_t, nsd_exec_t)
-
-@@ -61,7 +56,6 @@ kernel_read_kernel_sysctls(nsd_t)
+@@ -62,7 +56,6 @@ kernel_read_kernel_sysctls(nsd_t)
corecmd_exec_bin(nsd_t)
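Review bot: `type nsd_zone_t alias nsd_db_t;` collapses the compiled database (`/etc/nsd/nsd\.db`, relabeled to nsd_zone_t in nsd.fc in the preceding hunk) into the same type as the administrator-written zone files, so the policy can no longer separate the daemon's writable output from its trusted input. Upstream's distinct nsd_db_t was the one type nsd_t could write (`allow nsd_t nsd_db_t:file manage_file_perms;` is among the lines this hunk removes) while zone files stayed read-only; the write access nsd_t has on nsd_zone_t is not visible in this hunk, but the previous version of this patch granted `manage_files_pattern(nsd_t, nsd_zone_t, nsd_zone_t)`, and if that is still present it now covers the zone sources too. If the merge is deliberate because nsd and zonec rewrite files alongside the zones, say so at the declaration (`# nsd_db_t folded in: nsd rewrites nsd.db next to the zone files, so they share a type`); otherwise keep nsd_db_t as a real type. Separately, nsd.if in this hunk deletes `nsd_admin` outright, so any module still calling it will fail to build.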
@@ -40156,141 +42480,276 @@ index 4b15536..82e97aa 100644
corenet_all_recvfrom_netlabel(nsd_t)
corenet_tcp_sendrecv_generic_if(nsd_t)
corenet_udp_sendrecv_generic_if(nsd_t)
-@@ -79,17 +73,17 @@ dev_read_sysfs(nsd_t)
+@@ -72,16 +65,16 @@ corenet_tcp_sendrecv_all_ports(nsd_t)
+ corenet_udp_sendrecv_all_ports(nsd_t)
+ corenet_tcp_bind_generic_node(nsd_t)
+ corenet_udp_bind_generic_node(nsd_t)
+-
+-corenet_sendrecv_dns_server_packets(nsd_t)
+ corenet_tcp_bind_dns_port(nsd_t)
+ corenet_udp_bind_dns_port(nsd_t)
++corenet_sendrecv_dns_server_packets(nsd_t)
+
+ dev_read_sysfs(nsd_t)
domain_use_interactive_fds(nsd_t)
--files_read_etc_files(nsd_t)
files_read_etc_runtime_files(nsd_t)
+files_search_var_lib(nsd_t)
fs_getattr_all_fs(nsd_t)
fs_search_auto_mountpoints(nsd_t)
+@@ -90,12 +83,16 @@ auth_use_nsswitch(nsd_t)
--logging_send_syslog_msg(nsd_t)
-+auth_use_nsswitch(nsd_t)
+ logging_send_syslog_msg(nsd_t)
-miscfiles_read_localization(nsd_t)
-+logging_send_syslog_msg(nsd_t)
-
--sysnet_read_config(nsd_t)
+sysnet_dns_name_resolve(nsd_t)
userdom_dontaudit_use_unpriv_user_fds(nsd_t)
userdom_dontaudit_search_user_home_dirs(nsd_t)
-@@ -121,8 +115,6 @@ allow nsd_crond_t self:udp_socket create_socket_perms;
+ optional_policy(`
++ nis_use_ypbind(nsd_t)
++')
++
++optional_policy(`
+ seutil_sigchld_newrole(nsd_t)
+ ')
+
+@@ -105,23 +102,24 @@ optional_policy(`
+
+ ########################################
+ #
+-# Cron local policy
++# Zone update cron job local policy
+ #
+
++# kill capability for root cron job and non-root daemon
+ allow nsd_crond_t self:capability { dac_override kill };
+ dontaudit nsd_crond_t self:capability sys_nice;
+ allow nsd_crond_t self:process { setsched signal_perms };
+ allow nsd_crond_t self:fifo_file rw_fifo_file_perms;
++allow nsd_crond_t self:tcp_socket create_socket_perms;
++allow nsd_crond_t self:udp_socket create_socket_perms;
+
+-allow nsd_crond_t nsd_t:process signal;
+-ps_process_pattern(nsd_crond_t, nsd_t)
+-
+-allow nsd_crond_t nsd_conf_t:dir list_dir_perms;
allow nsd_crond_t nsd_conf_t:file read_file_perms;
+-allow nsd_crond_t nsd_conf_t:lnk_file read_lnk_file_perms;
-allow nsd_crond_t nsd_db_t:file manage_file_perms;
-filetrans_pattern(nsd_crond_t, nsd_zone_t, nsd_db_t, file)
- files_search_var_lib(nsd_crond_t)
++files_search_var_lib(nsd_crond_t)
++
++allow nsd_crond_t nsd_t:process signal;
++
++ps_process_pattern(nsd_crond_t, nsd_t)
- allow nsd_crond_t nsd_t:process signal;
-@@ -139,7 +131,6 @@ kernel_read_system_state(nsd_crond_t)
+ manage_files_pattern(nsd_crond_t, nsd_zone_t, nsd_zone_t)
+ filetrans_pattern(nsd_crond_t, nsd_conf_t, nsd_zone_t, file)
+@@ -133,29 +131,41 @@ kernel_read_system_state(nsd_crond_t)
corecmd_exec_bin(nsd_crond_t)
corecmd_exec_shell(nsd_crond_t)
-corenet_all_recvfrom_unlabeled(nsd_crond_t)
corenet_all_recvfrom_netlabel(nsd_crond_t)
corenet_tcp_sendrecv_generic_if(nsd_crond_t)
- corenet_udp_sendrecv_generic_if(nsd_crond_t)
-@@ -155,13 +146,13 @@ dev_read_urand(nsd_crond_t)
++corenet_udp_sendrecv_generic_if(nsd_crond_t)
+ corenet_tcp_sendrecv_generic_node(nsd_crond_t)
+-
+-corenet_sendrecv_all_client_packets(nsd_crond_t)
+-corenet_tcp_connect_all_ports(nsd_crond_t)
++corenet_udp_sendrecv_generic_node(nsd_crond_t)
+ corenet_tcp_sendrecv_all_ports(nsd_crond_t)
++corenet_udp_sendrecv_all_ports(nsd_crond_t)
++corenet_tcp_connect_all_ports(nsd_crond_t)
++corenet_sendrecv_all_client_packets(nsd_crond_t)
+
++# for SSP
+ dev_read_urand(nsd_crond_t)
domain_dontaudit_read_all_domains_state(nsd_crond_t)
--files_read_etc_files(nsd_crond_t)
files_read_etc_runtime_files(nsd_crond_t)
- files_search_var_lib(nsd_t)
++files_search_var_lib(nsd_t)
+
+ auth_use_nsswitch(nsd_crond_t)
-+auth_use_nsswitch(nsd_crond_t)
-+
logging_send_syslog_msg(nsd_crond_t)
-miscfiles_read_localization(nsd_crond_t)
++
++sysnet_read_config(nsd_crond_t)
- sysnet_read_config(nsd_crond_t)
+ userdom_dontaudit_search_user_home_dirs(nsd_crond_t)
+ optional_policy(`
+ cron_system_entry(nsd_crond_t, nsd_exec_t)
+ ')
++
++optional_policy(`
++ nis_use_ypbind(nsd_crond_t)
++')
++
++optional_policy(`
++ nscd_read_pid(nsd_crond_t)
++')
+diff --git a/nslcd.fc b/nslcd.fc
+index 402100e..ce913b2 100644
+--- a/nslcd.fc
++++ b/nslcd.fc
+@@ -1,7 +1,4 @@
+-/etc/nss-ldapd\.conf -- gen_context(system_u:object_r:nslcd_conf_t,s0)
+-
+-/etc/rc\.d/init\.d/nslcd -- gen_context(system_u:object_r:nslcd_initrc_exec_t,s0)
+-
+-/usr/sbin/nslcd -- gen_context(system_u:object_r:nslcd_exec_t,s0)
+-
+-/var/run/nslcd(/.*)? gen_context(system_u:object_r:nslcd_var_run_t,s0)
++/etc/nss-ldapd.conf -- gen_context(system_u:object_r:nslcd_conf_t,s0)
++/etc/rc\.d/init\.d/nslcd -- gen_context(system_u:object_r:nslcd_initrc_exec_t,s0)
++/usr/sbin/nslcd -- gen_context(system_u:object_r:nslcd_exec_t,s0)
++/var/run/nslcd(/.*)? gen_context(system_u:object_r:nslcd_var_run_t,s0)
diff --git a/nslcd.if b/nslcd.if
-index 23c769c..0398e70 100644
+index 97df768..0398e70 100644
--- a/nslcd.if
+++ b/nslcd.if
-@@ -93,12 +93,15 @@ interface(`nslcd_stream_connect',`
- #
- interface(`nslcd_admin',`
- gen_require(`
-- type nslcd_t, nslcd_initrc_exec_t;
-- type nslcd_conf_t, nslcd_var_run_t;
-+ type nslcd_t, nslcd_initrc_exec_t, nslcd_var_run_t;
-+ type nslcd_conf_t;
+@@ -1,4 +1,4 @@
+-## <summary>Local LDAP name service daemon.</summary>
++## <summary>nslcd - local LDAP name service daemon.</summary>
+
+ ########################################
+ ## <summary>
+@@ -15,7 +15,6 @@ interface(`nslcd_domtrans',`
+ type nslcd_t, nslcd_exec_t;
+ ')
+
+- corecmd_searh_bin($1)
+ domtrans_pattern($1, nslcd_exec_t, nslcd_t)
+ ')
+
+@@ -39,7 +38,7 @@ interface(`nslcd_initrc_domtrans',`
+
+ ########################################
+ ## <summary>
+-## Read nslcd pid files.
++## Read nslcd PID files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -58,8 +57,7 @@ interface(`nslcd_read_pid_files',`
+
+ ########################################
+ ## <summary>
+-## Connect to nslcd over an unix
+-## domain stream socket.
++## Connect to nslcd over an unix stream socket.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -72,14 +70,14 @@ interface(`nslcd_stream_connect',`
+ type nslcd_t, nslcd_var_run_t;
+ ')
+
+- files_search_pids($1)
+ stream_connect_pattern($1, nslcd_var_run_t, nslcd_var_run_t, nslcd_t)
++ files_search_pids($1)
+ ')
+
+ ########################################
+ ## <summary>
+-## All of the rules required to
+-## administrate an nslcd environment.
++## All of the rules required to administrate
++## an nslcd environment
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -99,17 +97,21 @@ interface(`nslcd_admin',`
+ type nslcd_conf_t;
')
- ps_process_pattern($1, nslcd_t)
- allow $1 nslcd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, nslcd_t)
+ allow $1 nslcd_t:process signal_perms;
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 nslcd_t:process ptrace;
+ ')
- # Allow nslcd_t to restart the apache service
++ # Allow nslcd_t to restart the apache service
nslcd_initrc_domtrans($1)
-@@ -106,9 +109,9 @@ interface(`nslcd_admin',`
+ domain_system_change_exemption($1)
role_transition $2 nslcd_initrc_exec_t system_r;
allow $2 system_r;
-- manage_files_pattern($1, nslcd_conf_t, nslcd_conf_t)
+- files_search_etc($1)
+ files_list_etc($1)
-+ admin_pattern($1, nslcd_conf_t)
+ admin_pattern($1, nslcd_conf_t)
-- manage_dirs_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
-- manage_files_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
-- manage_lnk_files_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
+- files_search_pids($1)
+- admin_pattern($1, nslcd_var_run_t)
+ files_list_pids($1)
+ admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
')
diff --git a/nslcd.te b/nslcd.te
-index 01594c8..bcc61b5 100644
+index a3e56f0..bcc61b5 100644
--- a/nslcd.te
+++ b/nslcd.te
-@@ -16,15 +16,15 @@ type nslcd_var_run_t;
- files_pid_file(nslcd_var_run_t)
+@@ -1,4 +1,4 @@
+-policy_module(nslcd, 1.3.1)
++policy_module(nslcd, 1.3.0)
- type nslcd_conf_t;
--files_type(nslcd_conf_t)
-+files_config_file(nslcd_conf_t)
+ ########################################
+ #
+@@ -20,12 +20,12 @@ files_config_file(nslcd_conf_t)
########################################
#
- # nslcd local policy
+-# Local policy
++# nslcd local policy
#
-allow nslcd_t self:capability { setgid setuid dac_override };
-allow nslcd_t self:process signal;
+-allow nslcd_t self:unix_stream_socket { accept listen };
+allow nslcd_t self:capability { dac_override setgid setuid sys_nice };
+allow nslcd_t self:process { setsched signal };
- allow nslcd_t self:unix_stream_socket create_stream_socket_perms;
++allow nslcd_t self:unix_stream_socket create_stream_socket_perms;
allow nslcd_t nslcd_conf_t:file read_file_perms;
-@@ -42,13 +42,21 @@ corenet_tcp_connect_ldap_port(nslcd_t)
- corenet_sendrecv_ldap_client_packets(nslcd_t)
- files_read_etc_files(nslcd_t)
-+files_read_usr_symlinks(nslcd_t)
-+files_list_tmp(nslcd_t)
+@@ -38,13 +38,10 @@ kernel_read_system_state(nslcd_t)
+
+ corenet_all_recvfrom_unlabeled(nslcd_t)
+ corenet_all_recvfrom_netlabel(nslcd_t)
+-corenet_tcp_sendrecv_generic_if(nslcd_t)
+-corenet_tcp_sendrecv_generic_node(nslcd_t)
+-
+-corenet_sendrecv_ldap_client_packets(nslcd_t)
+ corenet_tcp_connect_ldap_port(nslcd_t)
+-corenet_tcp_sendrecv_ldap_port(nslcd_t)
++corenet_sendrecv_ldap_client_packets(nslcd_t)
+
++files_read_etc_files(nslcd_t)
+ files_read_usr_symlinks(nslcd_t)
+ files_list_tmp(nslcd_t)
- auth_use_nsswitch(nslcd_t)
+@@ -52,10 +49,14 @@ auth_use_nsswitch(nslcd_t)
logging_send_syslog_msg(nslcd_t)
-miscfiles_read_localization(nslcd_t)
-+
-+userdom_read_user_tmp_files(nslcd_t)
-+
-+optional_policy(`
-+ dirsrv_stream_connect(nslcd_t)
-+')
+
+ userdom_read_user_tmp_files(nslcd_t)
optional_policy(`
++ dirsrv_stream_connect(nslcd_t)
++')
++
++optional_policy(`
ldap_stream_connect(nslcd_t)
')
+
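Review bot: The rewritten nslcd.fc entry drops the backslash before the dot, so in `/etc/nss-ldapd.conf -- gen_context(system_u:object_r:nslcd_conf_t,s0)` the `.` is a regex metacharacter and the line labels any /etc/nss-ldapd?conf path as nslcd_conf_t, whereas the upstream line it replaces had `\.`. The rest of that file hunk only removes blank lines, so the Fedora hunk should keep `/etc/nss-ldapd\.conf -- gen_context(system_u:object_r:nslcd_conf_t,s0)` rather than regress the escaping. The practical exposure is small, but file_contexts patterns drive relabeling and should stay exact.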
@@ -40791,10 +43250,10 @@ index 0000000..fce899a
+')
diff --git a/nsplugin.te b/nsplugin.te
new file mode 100644
-index 0000000..a333e40
+index 0000000..caac07d
--- /dev/null
+++ b/nsplugin.te
-@@ -0,0 +1,323 @@
+@@ -0,0 +1,324 @@
+policy_module(nsplugin, 1.0.0)
+
+########################################
@@ -40892,7 +43351,8 @@ index 0000000..a333e40
+
+corenet_all_recvfrom_netlabel(nsplugin_t)
+corenet_tcp_connect_flash_port(nsplugin_t)
-+corenet_tcp_connect_streaming_port(nsplugin_t)
++corenet_tcp_connect_ms_streaming_port(nsplugin_t)
++corenet_tcp_connect_rtsp_port(nsplugin_t)
+corenet_tcp_connect_pulseaudio_port(nsplugin_t)
+corenet_tcp_connect_http_port(nsplugin_t)
+corenet_tcp_connect_http_cache_port(nsplugin_t)
@@ -41119,56 +43579,40 @@ index 0000000..a333e40
+ pulseaudio_setattr_home_dir(nsplugin_t)
+')
diff --git a/ntop.te b/ntop.te
-index ded9fb6..6b11681 100644
+index 52757d8..6519e8f 100644
--- a/ntop.te
+++ b/ntop.te
-@@ -63,7 +63,6 @@ kernel_read_kernel_sysctls(ntop_t)
- kernel_list_proc(ntop_t)
- kernel_read_proc_symlinks(ntop_t)
+@@ -58,7 +58,6 @@ kernel_read_system_state(ntop_t)
+ kernel_read_network_state(ntop_t)
+ kernel_read_kernel_sysctls(ntop_t)
-corenet_all_recvfrom_unlabeled(ntop_t)
corenet_all_recvfrom_netlabel(ntop_t)
corenet_tcp_sendrecv_generic_if(ntop_t)
- corenet_udp_sendrecv_generic_if(ntop_t)
-@@ -85,7 +84,6 @@ dev_rw_generic_usb_dev(ntop_t)
-
- domain_use_interactive_fds(ntop_t)
-
--files_read_etc_files(ntop_t)
- files_read_usr_files(ntop_t)
-
- fs_getattr_all_fs(ntop_t)
-@@ -95,7 +93,6 @@ auth_use_nsswitch(ntop_t)
-
- logging_send_syslog_msg(ntop_t)
-
--miscfiles_read_localization(ntop_t)
- miscfiles_read_fonts(ntop_t)
-
- userdom_dontaudit_use_unpriv_user_fds(ntop_t)
+ corenet_raw_sendrecv_generic_if(ntop_t)
diff --git a/ntp.fc b/ntp.fc
-index e79dccc..2a3c6af 100644
+index af3c91e..6882a3f 100644
--- a/ntp.fc
+++ b/ntp.fc
-@@ -10,10 +10,14 @@
-
- /etc/rc\.d/init\.d/ntpd -- gen_context(system_u:object_r:ntpd_initrc_exec_t,s0)
+@@ -13,6 +13,8 @@
+ /usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
+ /usr/sbin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
+/usr/lib/systemd/system/ntpd.* -- gen_context(system_u:object_r:ntpd_unit_file_t,s0)
+
- /usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
- /usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
-+/usr/sbin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
+ /var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
+ /var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
- /var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
-+/var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
-
- /var/log/ntp.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
- /var/log/ntpstats(/.*)? gen_context(system_u:object_r:ntpd_log_t,s0)
diff --git a/ntp.if b/ntp.if
-index e80f8c0..d60b451 100644
+index b59196f..d60b451 100644
--- a/ntp.if
+++ b/ntp.if
+@@ -1,4 +1,4 @@
+-## <summary>Network time protocol daemon.</summary>
++## <summary>Network time protocol daemon</summary>
+
+ ########################################
+ ## <summary>
@@ -37,6 +37,25 @@ interface(`ntp_domtrans',`
########################################
@@ -41195,6 +43639,20 @@ index e80f8c0..d60b451 100644
## Execute ntp in the ntp domain, and
## allow the specified role the ntp domain.
## </summary>
+@@ -54,11 +73,11 @@ interface(`ntp_domtrans',`
+ #
+ interface(`ntp_run',`
+ gen_require(`
+- attribute_role ntpd_roles;
++ type ntpd_t;
+ ')
+
+ ntp_domtrans($1)
+- roleattribute $2 ntpd_roles;
++ role $2 types ntpd_t;
+ ')
+
+ ########################################
@@ -98,6 +117,48 @@ interface(`ntp_initrc_domtrans',`
init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
')
@@ -41244,10 +43702,12 @@ index e80f8c0..d60b451 100644
########################################
## <summary>
## Read and write ntpd shared memory.
-@@ -122,6 +183,25 @@ interface(`ntp_rw_shm',`
+@@ -122,8 +183,27 @@ interface(`ntp_rw_shm',`
########################################
## <summary>
+-## All of the rules required to
+-## administrate an ntp environment.
+## Allow the domain to read ntpd state files in /proc.
+## </summary>
+## <param name="domain">
@@ -41267,20 +43727,31 @@ index e80f8c0..d60b451 100644
+
+########################################
+## <summary>
- ## All of the rules required to administrate
- ## an ntp environment
++## All of the rules required to administrate
++## an ntp environment
## </summary>
-@@ -140,12 +220,15 @@ interface(`ntp_rw_shm',`
+ ## <param name="domain">
+ ## <summary>
+@@ -132,7 +212,7 @@ interface(`ntp_rw_shm',`
+ ## </param>
+ ## <param name="role">
+ ## <summary>
+-## Role allowed access.
++## The role to be allowed to manage the ntp domain.
+ ## </summary>
+ ## </param>
+ ## <rolecap/>
+@@ -140,20 +220,22 @@ interface(`ntp_rw_shm',`
interface(`ntp_admin',`
gen_require(`
type ntpd_t, ntpd_tmp_t, ntpd_log_t;
-- type ntpd_key_t, ntpd_var_run_t;
-- type ntpd_initrc_exec_t;
+- type ntpd_key_t, ntpd_var_run_t, ntp_conf_t;
+- type ntpd_initrc_exec_t, ntp_drift_t;
+ type ntpd_key_t, ntpd_var_run_t, ntpd_initrc_exec_t;
+ type ntpd_unit_file_t;
')
-- allow $1 ntpd_t:process { ptrace signal_perms getattr };
+- allow $1 ntpd_t:process { ptrace signal_perms };
+ allow $1 ntpd_t:process signal_perms;
ps_process_pattern($1, ntpd_t)
+ tunable_policy(`deny_ptrace',`',`
@@ -41289,38 +43760,39 @@ index e80f8c0..d60b451 100644
init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -162,4 +245,8 @@ interface(`ntp_admin',`
+ role_transition $2 ntpd_initrc_exec_t system_r;
+ allow $2 system_r;
+- files_list_etc($1)
+- admin_pattern($1, { ntpd_key_t ntp_conf_t ntp_drift_t })
++ admin_pattern($1, ntpd_key_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, ntpd_log_t)
+@@ -164,5 +246,7 @@ interface(`ntp_admin',`
files_list_pids($1)
admin_pattern($1, ntpd_var_run_t)
-+
+
+- ntp_run($1, $2)
+ ntp_systemctl($1)
+ admin_pattern($1, ntpd_unit_file_t)
+ allow $1 ntpd_unit_file_t:service all_service_perms;
')
diff --git a/ntp.te b/ntp.te
-index c61adc8..cb20a9d 100644
+index b90e343..b969766 100644
--- a/ntp.te
+++ b/ntp.te
-@@ -15,6 +15,9 @@ init_daemon_domain(ntpd_t, ntpd_exec_t)
+@@ -18,6 +18,9 @@ role ntpd_roles types ntpd_t;
type ntpd_initrc_exec_t;
init_script_file(ntpd_initrc_exec_t)
+type ntpd_unit_file_t;
+systemd_unit_file(ntpd_unit_file_t)
+
- type ntpd_key_t;
- files_type(ntpd_key_t)
-
-@@ -50,6 +53,7 @@ allow ntpd_t self:unix_stream_socket create_socket_perms;
- allow ntpd_t self:tcp_socket create_stream_socket_perms;
- allow ntpd_t self:udp_socket create_socket_perms;
-
-+manage_dirs_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
- manage_files_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
+ type ntp_conf_t;
+ files_config_file(ntp_conf_t)
- can_exec(ntpd_t, ntpd_exec_t)
-@@ -78,7 +82,6 @@ kernel_read_system_state(ntpd_t)
+@@ -83,21 +86,16 @@ kernel_read_system_state(ntpd_t)
kernel_read_network_state(ntpd_t)
kernel_request_load_module(ntpd_t)
@@ -41328,11 +43800,23 @@ index c61adc8..cb20a9d 100644
corenet_all_recvfrom_netlabel(ntpd_t)
corenet_tcp_sendrecv_generic_if(ntpd_t)
corenet_udp_sendrecv_generic_if(ntpd_t)
-@@ -96,11 +99,15 @@ corenet_sendrecv_ntp_client_packets(ntpd_t)
- dev_read_sysfs(ntpd_t)
- # for SSP
- dev_read_urand(ntpd_t)
-+dev_rw_realtime_clock(ntpd_t)
+ corenet_tcp_sendrecv_generic_node(ntpd_t)
+ corenet_udp_sendrecv_generic_node(ntpd_t)
+ corenet_udp_bind_generic_node(ntpd_t)
+-
+-corenet_sendrecv_ntp_server_packets(ntpd_t)
+ corenet_udp_bind_ntp_port(ntpd_t)
+-corenet_udp_sendrecv_ntp_port(ntpd_t)
+-
+-corenet_sendrecv_ntp_client_packets(ntpd_t)
+ corenet_tcp_connect_ntp_port(ntpd_t)
+-corenet_tcp_sendrecv_ntp_port(ntpd_t)
++corenet_sendrecv_ntp_server_packets(ntpd_t)
++corenet_sendrecv_ntp_client_packets(ntpd_t)
+
+ corecmd_exec_bin(ntpd_t)
+ corecmd_exec_shell(ntpd_t)
+@@ -115,8 +113,11 @@ files_list_var_lib(ntpd_t)
fs_getattr_all_fs(ntpd_t)
fs_search_auto_mountpoints(ntpd_t)
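Review bot: Removing `corenet_udp_sendrecv_ntp_port(ntpd_t)` leaves ntpd_t with `corenet_udp_bind_ntp_port(ntpd_t)` but no send_msg/recv_msg on ntp_port_t visible for UDP, which is the daemon's primary traffic; the dropped TCP variant matters less since `corenet_tcp_connect_ntp_port(ntpd_t)` remains. If the base policy already grants send/recv on all ports to every domain, as Fedora's base patch may do, the removal is harmless, but that rule is not in this contrib patch and cannot be confirmed here. Otherwise keep `corenet_udp_sendrecv_ntp_port(ntpd_t)` next to the bind rule. The ntpd_t local policy section continues outside this hunk.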
@@ -41344,42 +43828,38 @@ index c61adc8..cb20a9d 100644
auth_use_nsswitch(ntpd_t)
-@@ -110,7 +117,6 @@ corecmd_exec_shell(ntpd_t)
- domain_use_interactive_fds(ntpd_t)
- domain_dontaudit_list_all_domains_state(ntpd_t)
-
--files_read_etc_files(ntpd_t)
- files_read_etc_runtime_files(ntpd_t)
- files_read_usr_files(ntpd_t)
- files_list_var_lib(ntpd_t)
-@@ -119,7 +125,6 @@ init_exec_script_files(ntpd_t)
+@@ -124,8 +125,6 @@ init_exec_script_files(ntpd_t)
logging_send_syslog_msg(ntpd_t)
-miscfiles_read_localization(ntpd_t)
-
+-
userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
userdom_list_user_home_dirs(ntpd_t)
+
diff --git a/numad.fc b/numad.fc
-new file mode 100644
-index 0000000..1f97624
---- /dev/null
+index 3488bb0..1f97624 100644
+--- a/numad.fc
+++ b/numad.fc
-@@ -0,0 +1,7 @@
+@@ -1,7 +1,7 @@
+-/etc/rc\.d/init\.d/numad -- gen_context(system_u:object_r:numad_initrc_exec_t,s0)
+/usr/bin/numad -- gen_context(system_u:object_r:numad_exec_t,s0)
-+
+
+-/usr/bin/numad -- gen_context(system_u:object_r:numad_exec_t,s0)
+/usr/lib/systemd/system/numad.* -- gen_context(system_u:object_r:numad_unit_file_t,s0)
-+
+
+-/var/log/numad\.log.* -- gen_context(system_u:object_r:numad_log_t,s0)
+/var/log/numad\.log.* -- gen_context(system_u:object_r:numad_var_log_t,s0)
-+
+
+-/var/run/numad\.pid -- gen_context(system_u:object_r:numad_var_run_t,s0)
+/var/run/numad\.pid -- gen_context(system_u:object_r:numad_var_run_t,s0)
diff --git a/numad.if b/numad.if
-new file mode 100644
-index 0000000..709dda1
---- /dev/null
+index 0d3c270..709dda1 100644
+--- a/numad.if
+++ b/numad.if
-@@ -0,0 +1,72 @@
-+
+@@ -1,39 +1,72 @@
+-## <summary>Non-Uniform Memory Alignment Daemon.</summary>
+
+## <summary>policy for numad</summary>
+
+########################################
@@ -41400,15 +43880,19 @@ index 0000000..709dda1
+ corecmd_search_bin($1)
+ domtrans_pattern($1, numad_exec_t, numad_t)
+')
-+########################################
-+## <summary>
+ ########################################
+ ## <summary>
+-## All of the rules required to
+-## administrate an numad environment.
+## Execute numad server in the numad domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
+## Domain allowed to transition.
-+## </summary>
-+## </param>
+ ## </summary>
+ ## </param>
+-## <param name="role">
+#
+interface(`numad_systemctl',`
+ gen_require(`
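Review bot: The documentation block added above `interface(`numad_systemctl'` is copied from numad_domtrans: its summary reads `## Execute numad server in the numad domain.` and the parameter is described as `## Domain allowed to transition.`, neither of which describes a systemctl interface. Suggested replacements are `## Allow the specified domain to manage the numad service via systemctl.` for the summary and `## Domain allowed access.` for the parameter, matching the wording used for ntp_systemctl elsewhere in this patch. The interface body runs past the end of this hunk, so the exact set of rules it grants is not visible here.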
@@ -41431,171 +43915,429 @@ index 0000000..709dda1
+## an numad environment
+## </summary>
+## <param name="domain">
-+## <summary>
+ ## <summary>
+-## Role allowed access.
+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`numad_admin',`
-+ gen_require(`
+ ## </summary>
+ ## </param>
+-## <rolecap/>
+ #
+ interface(`numad_admin',`
+ gen_require(`
+- type numad_t, numad_initrc_exec_t, numad_log_t;
+- type numad_var_run_t;
+ type numad_t;
+ type numad_unit_file_t;
-+ ')
-+
-+ allow $1 numad_t:process { ptrace signal_perms };
-+ ps_process_pattern($1, numad_t)
-+
+ ')
+
+ allow $1 numad_t:process { ptrace signal_perms };
+ ps_process_pattern($1, numad_t)
+
+- init_labeled_script_domtrans($1, numad_initrc_exec_t)
+- domain_system_change_exemption($1)
+- role_transition $2 numad_initrc_exec_t system_r;
+- allow $2 system_r;
+-
+- logging_search_logs($1)
+- admin_pattern($1, numad_log_t)
+-
+- files_search_pids($1)
+- admin_pattern($1, numad_var_run_t)
+ numad_systemctl($1)
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
-+')
+ ')
diff --git a/numad.te b/numad.te
-new file mode 100644
-index 0000000..c2d4196
---- /dev/null
+index f5d145d..c2d4196 100644
+--- a/numad.te
+++ b/numad.te
-@@ -0,0 +1,46 @@
+@@ -1,4 +1,4 @@
+-policy_module(numad, 1.0.3)
+policy_module(numad, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type numad_t;
-+type numad_exec_t;
-+init_daemon_domain(numad_t, numad_exec_t)
-+
+
+ ########################################
+ #
+@@ -8,37 +8,39 @@ policy_module(numad, 1.0.3)
+ type numad_t;
+ type numad_exec_t;
+ init_daemon_domain(numad_t, numad_exec_t)
+-application_executable_file(numad_exec_t)
+
+-type numad_initrc_exec_t;
+-init_script_file(numad_initrc_exec_t)
+type numad_unit_file_t;
+systemd_unit_file(numad_unit_file_t)
-+
+
+-type numad_log_t;
+-logging_log_file(numad_log_t)
+type numad_var_log_t;
+logging_log_file(numad_var_log_t)
-+
-+type numad_var_run_t;
-+files_pid_file(numad_var_run_t)
-+
-+########################################
-+#
+
+ type numad_var_run_t;
+ files_pid_file(numad_var_run_t)
+
+ ########################################
+ #
+-# Local policy
+# numad local policy
-+#
-+
+ #
+
+allow numad_t self:process { fork };
-+allow numad_t self:fifo_file rw_fifo_file_perms;
-+allow numad_t self:msgq create_msgq_perms;
+ allow numad_t self:fifo_file rw_fifo_file_perms;
+-allow numad_t self:msg { send receive };
+ allow numad_t self:msgq create_msgq_perms;
+allow numad_t self:msg { send receive };
-+allow numad_t self:unix_stream_socket create_stream_socket_perms;
-+
+ allow numad_t self:unix_stream_socket create_stream_socket_perms;
+
+-allow numad_t numad_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+-logging_log_filetrans(numad_t, numad_log_t, file)
+manage_files_pattern(numad_t, numad_var_log_t, numad_var_log_t)
+logging_log_filetrans(numad_t, numad_var_log_t, { file })
-+
-+manage_files_pattern(numad_t, numad_var_run_t, numad_var_run_t)
+
+ manage_files_pattern(numad_t, numad_var_run_t, numad_var_run_t)
+-files_pid_filetrans(numad_t, numad_var_run_t, file)
+files_pid_filetrans(numad_t, numad_var_run_t, { file })
-+
-+kernel_read_system_state(numad_t)
-+
-+dev_read_sysfs(numad_t)
-+
+
+ kernel_read_system_state(numad_t)
+
+ dev_read_sysfs(numad_t)
+
+domain_use_interactive_fds(numad_t)
+
-+files_read_etc_files(numad_t)
-+
+ files_read_etc_files(numad_t)
+
+-miscfiles_read_localization(numad_t)
+fs_search_cgroup_dirs(numad_t)
diff --git a/nut.fc b/nut.fc
-index 0a929ef..371119d 100644
+index 379af96..371119d 100644
--- a/nut.fc
+++ b/nut.fc
-@@ -3,6 +3,7 @@
+@@ -1,23 +1,13 @@
+-/etc/nut(/.*)? gen_context(system_u:object_r:nut_conf_t,s0)
+-/etc/ups(/.*)? gen_context(system_u:object_r:nut_conf_t,s0)
++/etc/ups(/.*)? gen_context(system_u:object_r:nut_conf_t,s0)
+
+-/etc/rc\.d/init\.d/nut-driver -- gen_context(system_u:object_r:nut_initrc_exec_t,s0)
+-/etc/rc\.d/init\.d/nut-server -- gen_context(system_u:object_r:nut_initrc_exec_t,s0)
+-
+-/sbin/upsd -- gen_context(system_u:object_r:nut_upsd_exec_t,s0)
/sbin/upsdrvctl -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
+-/sbin/upsmon -- gen_context(system_u:object_r:nut_upsmon_exec_t,s0)
+-
+-/usr/lib/cgi-bin/nut/upsimage\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
+-/usr/lib/cgi-bin/nut/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
+-/usr/lib/cgi-bin/nut/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
/usr/sbin/upsd -- gen_context(system_u:object_r:nut_upsd_exec_t,s0)
-+/usr/sbin/upsdrvctl -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
- /usr/sbin/upsmon -- gen_context(system_u:object_r:nut_upsmon_exec_t,s0)
+ /usr/sbin/upsdrvctl -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
+-/usr/sbin/upsmon -- gen_context(system_u:object_r:nut_upsmon_exec_t,s0)
++/usr/sbin/upsmon -- gen_context(system_u:object_r:nut_upsmon_exec_t,s0)
/var/run/nut(/.*)? gen_context(system_u:object_r:nut_var_run_t,s0)
+
+-/var/www/nut-cgi-bin/upsimage\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
+-/var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
+-/var/www/nut-cgi-bin/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
++/var/www/nut-cgi-bin/upsimage\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
++/var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
++/var/www/nut-cgi-bin/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
+diff --git a/nut.if b/nut.if
+index 57c0161..56660c5 100644
+--- a/nut.if
++++ b/nut.if
+@@ -1,39 +1 @@
+-## <summary>Network UPS Tools </summary>
+-
+-########################################
+-## <summary>
+-## All of the rules required to
+-## administrate an nut environment.
+-## </summary>
+-## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+-## </param>
+-## <param name="role">
+-## <summary>
+-## Role allowed access.
+-## </summary>
+-## </param>
+-## <rolecap/>
+-#
+-interface(`nut_admin',`
+- gen_require(`
+- attribute nut_domain;
+- type nut_initrc_exec_t, nut_var_run_t, nut_conf_t;
+- ')
+-
+- allow $1 nut_domain:process { ptrace signal_perms };
+- ps_process_pattern($1, nut_domain_t)
+-
+- init_labeled_script_domtrans($1, nut_initrc_exec_t)
+- domain_system_change_exemption($1)
+- role_transition $2 nut_initrc_exec_t system_r;
+- allow $2 system_r;
+-
+- files_search_etc($1)
+- admin_pattern($1, nut_conf_t)
+-
+- files_search_pids($1)
+- admin_pattern($1, nut_var_run_t)
+-')
++## <summary>nut - Network UPS Tools </summary>
diff --git a/nut.te b/nut.te
-index ff962dd..7c6ea74 100644
+index 0c9deb7..7c6ea74 100644
--- a/nut.te
+++ b/nut.te
-@@ -29,6 +29,7 @@ files_pid_file(nut_var_run_t)
+@@ -1,121 +1,106 @@
+-policy_module(nut, 1.2.4)
++policy_module(nut, 1.2.0)
+
+ ########################################
+ #
+ # Declarations
+ #
+
+-attribute nut_domain;
+-
+ type nut_conf_t;
+ files_config_file(nut_conf_t)
+
+-type nut_upsd_t, nut_domain;
++type nut_upsd_t;
+ type nut_upsd_exec_t;
+ init_daemon_domain(nut_upsd_t, nut_upsd_exec_t)
+
+-type nut_upsmon_t, nut_domain;
++type nut_upsmon_t;
+ type nut_upsmon_exec_t;
+ init_daemon_domain(nut_upsmon_t, nut_upsmon_exec_t)
+
+-type nut_upsdrvctl_t, nut_domain;
++type nut_upsdrvctl_t;
+ type nut_upsdrvctl_exec_t;
+ init_daemon_domain(nut_upsdrvctl_t, nut_upsdrvctl_exec_t)
+
+-type nut_initrc_exec_t;
+-init_script_file(nut_initrc_exec_t)
+-
+ type nut_var_run_t;
+ files_pid_file(nut_var_run_t)
+-init_daemon_run_dir(nut_var_run_t, "nut")
+
+ ########################################
+ #
+-# Common nut domain local policy
++# Local policy for upsd
#
- allow nut_upsd_t self:capability { setgid setuid dac_override };
+-allow nut_domain self:capability { setgid setuid dac_override kill };
+-allow nut_domain self:process signal_perms;
+-allow nut_domain self:fifo_file rw_fifo_file_perms;
+-allow nut_domain self:unix_dgram_socket sendto;
+-
+-allow nut_domain nut_conf_t:dir list_dir_perms;
+-allow nut_domain nut_conf_t:file read_file_perms;
+-allow nut_domain nut_conf_t:lnk_file read_lnk_file_perms;
+-
+-manage_files_pattern(nut_domain, nut_var_run_t, nut_var_run_t)
+-manage_dirs_pattern(nut_domain, nut_var_run_t, nut_var_run_t)
+-files_pid_filetrans(nut_domain, nut_var_run_t, { dir file })
++allow nut_upsd_t self:capability { setgid setuid dac_override };
+allow nut_upsd_t self:process signal_perms;
- allow nut_upsd_t self:unix_dgram_socket { create_socket_perms sendto };
- allow nut_upsd_t self:tcp_socket connected_stream_socket_perms;
-@@ -55,7 +56,6 @@ auth_use_nsswitch(nut_upsd_t)
+-kernel_read_kernel_sysctls(nut_domain)
++allow nut_upsd_t self:unix_dgram_socket { create_socket_perms sendto };
++allow nut_upsd_t self:tcp_socket connected_stream_socket_perms;
+
+-logging_send_syslog_msg(nut_domain)
++allow nut_upsd_t nut_upsdrvctl_t:unix_stream_socket connectto;
+
+-miscfiles_read_localization(nut_domain)
+-
+-########################################
+-#
+-# Upsd local policy
+-#
+-
+-allow nut_upsd_t self:tcp_socket { accept listen };
++read_files_pattern(nut_upsd_t, nut_conf_t, nut_conf_t)
+
++# pid file
++manage_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
++manage_dirs_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
+ manage_sock_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
+-files_pid_filetrans(nut_upsd_t, nut_var_run_t, sock_file)
+-
+-stream_connect_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t, nut_upsdrvctl_t)
++files_pid_filetrans(nut_upsd_t, nut_var_run_t, { dir file sock_file })
+
+-corenet_all_recvfrom_unlabeled(nut_upsd_t)
+-corenet_all_recvfrom_netlabel(nut_upsd_t)
+-corenet_tcp_sendrecv_generic_if(nut_upsd_t)
+-corenet_tcp_sendrecv_generic_node(nut_upsd_t)
+-corenet_tcp_sendrecv_all_ports(nut_upsd_t)
+-corenet_tcp_bind_generic_node(nut_upsd_t)
++kernel_read_kernel_sysctls(nut_upsd_t)
- logging_send_syslog_msg(nut_upsd_t)
+-corenet_sendrecv_ups_server_packets(nut_upsd_t)
+ corenet_tcp_bind_ups_port(nut_upsd_t)
+-
+-corenet_sendrecv_generic_server_packets(nut_upsd_t)
+ corenet_tcp_bind_generic_port(nut_upsd_t)
++corenet_tcp_bind_all_nodes(nut_upsd_t)
--miscfiles_read_localization(nut_upsd_t)
+ files_read_usr_files(nut_upsd_t)
+ auth_use_nsswitch(nut_upsd_t)
+
++logging_send_syslog_msg(nut_upsd_t)
++
++
########################################
#
-@@ -100,7 +100,6 @@ logging_send_syslog_msg(nut_upsmon_t)
+-# Upsmon local policy
++# Local policy for upsmon
+ #
- auth_use_nsswitch(nut_upsmon_t)
+-allow nut_upsmon_t self:capability dac_read_search;
+-allow nut_upsmon_t self:unix_stream_socket connectto;
++allow nut_upsmon_t self:capability { dac_override dac_read_search setgid setuid };
++allow nut_upsmon_t self:fifo_file rw_fifo_file_perms;
++allow nut_upsmon_t self:unix_dgram_socket { create_socket_perms sendto };
++allow nut_upsmon_t self:unix_stream_socket { create_socket_perms connectto };
++allow nut_upsmon_t self:tcp_socket create_socket_perms;
+
++read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t)
++
++# pid file
++manage_files_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t)
++manage_dirs_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t)
++files_pid_filetrans(nut_upsmon_t, nut_var_run_t, file)
++
++kernel_read_kernel_sysctls(nut_upsmon_t)
+ kernel_read_system_state(nut_upsmon_t)
--miscfiles_read_localization(nut_upsmon_t)
+ corecmd_exec_bin(nut_upsmon_t)
+ corecmd_exec_shell(nut_upsmon_t)
+-corenet_all_recvfrom_unlabeled(nut_upsmon_t)
+-corenet_all_recvfrom_netlabel(nut_upsmon_t)
+-corenet_tcp_sendrecv_generic_if(nut_upsmon_t)
+-corenet_tcp_sendrecv_generic_node(nut_upsmon_t)
+-corenet_tcp_sendrecv_all_ports(nut_upsmon_t)
+-corenet_tcp_bind_generic_node(nut_upsmon_t)
+-
+-corenet_sendrecv_ups_client_packets(nut_upsmon_t)
+ corenet_tcp_connect_ups_port(nut_upsmon_t)
+-
+-corenet_sendrecv_generic_client_packets(nut_upsmon_t)
+ corenet_tcp_connect_generic_port(nut_upsmon_t)
+
++# Creates /etc/killpower
+ files_manage_etc_runtime_files(nut_upsmon_t)
+ files_etc_filetrans_etc_runtime(nut_upsmon_t, file)
+ files_search_usr(nut_upsmon_t)
+
++# /usr/bin/wall
+ term_write_all_terms(nut_upsmon_t)
+
++# upsmon runs shutdown, probably need a shutdown domain
++init_rw_utmp(nut_upsmon_t)
++init_telinit(nut_upsmon_t)
++
++logging_send_syslog_msg(nut_upsmon_t)
++
+ auth_use_nsswitch(nut_upsmon_t)
+
++
mta_send_mail(nut_upsmon_t)
-@@ -133,6 +132,7 @@ kernel_read_kernel_sysctls(nut_upsdrvctl_t)
- # /sbin/upsdrvctl executes other drivers
- corecmd_exec_bin(nut_upsdrvctl_t)
+ optional_policy(`
+@@ -124,14 +109,27 @@ optional_policy(`
-+dev_read_sysfs(nut_upsdrvctl_t)
- dev_read_urand(nut_upsdrvctl_t)
- dev_rw_generic_usb_dev(nut_upsdrvctl_t)
+ ########################################
+ #
+-# Upsdrvctl local policy
++# Local policy for upsdrvctl
+ #
-@@ -144,7 +144,6 @@ init_sigchld(nut_upsdrvctl_t)
++allow nut_upsdrvctl_t self:capability { dac_override kill setgid setuid };
++allow nut_upsdrvctl_t self:process { sigchld signal signull };
+ allow nut_upsdrvctl_t self:fd use;
++allow nut_upsdrvctl_t self:fifo_file rw_fifo_file_perms;
++allow nut_upsdrvctl_t self:unix_dgram_socket { create_socket_perms sendto };
++allow nut_upsdrvctl_t self:udp_socket create_socket_perms;
++
++read_files_pattern(nut_upsdrvctl_t, nut_conf_t, nut_conf_t)
+
++# pid file
++manage_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)
++manage_dirs_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)
+ manage_sock_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)
+-files_pid_filetrans(nut_upsdrvctl_t, nut_var_run_t, sock_file)
++files_pid_filetrans(nut_upsdrvctl_t, nut_var_run_t, { file sock_file })
++
++kernel_read_kernel_sysctls(nut_upsdrvctl_t)
- logging_send_syslog_msg(nut_upsdrvctl_t)
++# /sbin/upsdrvctl executes other drivers
+ corecmd_exec_bin(nut_upsdrvctl_t)
--miscfiles_read_localization(nut_upsdrvctl_t)
+ dev_read_sysfs(nut_upsdrvctl_t)
+@@ -144,17 +142,28 @@ auth_use_nsswitch(nut_upsdrvctl_t)
+ init_sigchld(nut_upsdrvctl_t)
+
++logging_send_syslog_msg(nut_upsdrvctl_t)
++
++
#######################################
#
-@@ -157,7 +156,6 @@ optional_policy(`
+-# Cgi local policy
++# Local policy for upscgi scripts
++# requires httpd_enable_cgi and httpd_can_network_connect
+ #
+
+ optional_policy(`
+ apache_content_template(nutups_cgi)
- read_files_pattern(httpd_nutups_cgi_script_t, nut_conf_t, nut_conf_t)
+- allow httpd_nutups_cgi_script_t nut_conf_t:dir list_dir_perms;
+- allow httpd_nutups_cgi_script_t nut_conf_t:file read_file_perms;
+- allow httpd_nutups_cgi_script_t nut_conf_t:lnk_file read_lnk_file_perms;
++ read_files_pattern(httpd_nutups_cgi_script_t, nut_conf_t, nut_conf_t)
++
++ corenet_all_recvfrom_netlabel(httpd_nutups_cgi_script_t)
++ corenet_tcp_sendrecv_generic_if(httpd_nutups_cgi_script_t)
++ corenet_tcp_sendrecv_generic_node(httpd_nutups_cgi_script_t)
++ corenet_tcp_sendrecv_all_ports(httpd_nutups_cgi_script_t)
++ corenet_tcp_connect_ups_port(httpd_nutups_cgi_script_t)
++ corenet_udp_sendrecv_generic_if(httpd_nutups_cgi_script_t)
++ corenet_udp_sendrecv_generic_node(httpd_nutups_cgi_script_t)
++ corenet_udp_sendrecv_all_ports(httpd_nutups_cgi_script_t)
-- corenet_all_recvfrom_unlabeled(httpd_nutups_cgi_script_t)
- corenet_all_recvfrom_netlabel(httpd_nutups_cgi_script_t)
- corenet_tcp_sendrecv_generic_if(httpd_nutups_cgi_script_t)
- corenet_tcp_sendrecv_generic_node(httpd_nutups_cgi_script_t)
+ sysnet_dns_name_resolve(httpd_nutups_cgi_script_t)
+ ')
diff --git a/nx.if b/nx.if
-index 79a225c..d82b231 100644
+index 251d681..50ae2a9 100644
--- a/nx.if
+++ b/nx.if
-@@ -33,8 +33,10 @@ interface(`nx_read_home_files',`
- type nx_server_home_ssh_t, nx_server_var_lib_t;
+@@ -35,7 +35,9 @@ interface(`nx_read_home_files',`
')
-+ files_search_var_lib($1)
- allow $1 nx_server_var_lib_t:dir search_dir_perms;
- read_files_pattern($1, nx_server_home_ssh_t, nx_server_home_ssh_t)
+ files_search_var_lib($1)
+- read_files_pattern($1, { nx_server_var_lib_t nx_server_home_ssh_t }, nx_server_home_ssh_t)
++ allow $1 nx_server_var_lib_t:dir search_dir_perms;
++ read_files_pattern($1, nx_server_home_ssh_t, nx_server_home_ssh_t)
+ read_lnk_files_pattern($1, nx_server_home_ssh_t, nx_server_home_ssh_t)
')
########################################
-@@ -52,6 +54,7 @@ interface(`nx_search_var_lib',`
- type nx_server_var_lib_t;
- ')
+@@ -90,3 +92,21 @@ interface(`nx_var_lib_filetrans',`
-+ files_search_var_lib($1)
- allow $1 nx_server_var_lib_t:dir search_dir_perms;
- ')
-
-@@ -81,5 +84,24 @@ interface(`nx_var_lib_filetrans',`
- type nx_server_var_lib_t;
- ')
-
-+ files_search_var_lib($1)
- filetrans_pattern($1, nx_server_var_lib_t, $2, $3)
+ filetrans_pattern($1, nx_server_var_lib_t, $2, $3, $4)
')
+
+########################################
@@ -41616,10 +44358,10 @@ index 79a225c..d82b231 100644
+ filetrans_pattern($1, nx_server_var_lib_t, nx_server_home_ssh_t, dir, ".ssh")
+')
diff --git a/nx.te b/nx.te
-index 58e2972..4633dd2 100644
+index b1832ca..df4fbb8 100644
--- a/nx.te
+++ b/nx.te
-@@ -28,6 +28,9 @@ files_type(nx_server_var_lib_t)
+@@ -27,6 +27,9 @@ files_type(nx_server_var_lib_t)
type nx_server_var_run_t;
files_pid_file(nx_server_var_run_t)
@@ -41628,17 +44370,8 @@ index 58e2972..4633dd2 100644
+
########################################
#
- # NX server local policy
-@@ -37,7 +40,7 @@ allow nx_server_t self:fifo_file rw_fifo_file_perms;
- allow nx_server_t self:tcp_socket create_socket_perms;
- allow nx_server_t self:udp_socket create_socket_perms;
-
--allow nx_server_t nx_server_devpts_t:chr_file { rw_chr_file_perms setattr };
-+allow nx_server_t nx_server_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
- term_create_pty(nx_server_t, nx_server_devpts_t)
-
- manage_dirs_pattern(nx_server_t, nx_server_tmp_t, nx_server_tmp_t)
-@@ -51,6 +54,9 @@ files_var_lib_filetrans(nx_server_t, nx_server_var_lib_t, { file dir })
+ # Local policy
+@@ -50,13 +53,15 @@ files_var_lib_filetrans(nx_server_t, nx_server_var_lib_t, { file dir })
manage_files_pattern(nx_server_t, nx_server_var_run_t, nx_server_var_run_t)
files_pid_filetrans(nx_server_t, nx_server_var_run_t, file)
@@ -41648,16 +44381,15 @@ index 58e2972..4633dd2 100644
kernel_read_system_state(nx_server_t)
kernel_read_kernel_sysctls(nx_server_t)
-@@ -58,7 +64,6 @@ kernel_read_kernel_sysctls(nx_server_t)
corecmd_exec_shell(nx_server_t)
corecmd_exec_bin(nx_server_t)
-corenet_all_recvfrom_unlabeled(nx_server_t)
corenet_all_recvfrom_netlabel(nx_server_t)
corenet_tcp_sendrecv_generic_if(nx_server_t)
- corenet_udp_sendrecv_generic_if(nx_server_t)
-@@ -77,10 +82,6 @@ files_read_etc_runtime_files(nx_server_t)
- # but users need to be able to also read the config
+ corenet_tcp_sendrecv_generic_node(nx_server_t)
+@@ -71,10 +76,6 @@ files_read_etc_files(nx_server_t)
+ files_read_etc_runtime_files(nx_server_t)
files_read_usr_files(nx_server_t)
-miscfiles_read_localization(nx_server_t)
@@ -41666,118 +44398,123 @@ index 58e2972..4633dd2 100644
-
sysnet_read_config(nx_server_t)
- ifdef(`TODO',`
-diff --git a/oav.fc b/oav.fc
-index 0a66474..cf90b6e 100644
---- a/oav.fc
-+++ b/oav.fc
-@@ -6,4 +6,4 @@
-
- /var/lib/oav-virussignatures -- gen_context(system_u:object_r:oav_update_var_lib_t,s0)
- /var/lib/oav-update(/.*)? gen_context(system_u:object_r:oav_update_var_lib_t,s0)
--/var/log/scannerdaemon\.log -- gen_context(system_u:object_r:scannerdaemon_log_t,s0)
-+/var/log/scannerdaemon\.log.* -- gen_context(system_u:object_r:scannerdaemon_log_t,s0)
-diff --git a/oav.te b/oav.te
-index b4c5f86..9ecd4a3 100644
---- a/oav.te
-+++ b/oav.te
-@@ -48,7 +48,6 @@ read_lnk_files_pattern(oav_update_t, oav_update_var_lib_t, oav_update_var_lib_t)
-
- corecmd_exec_all_executables(oav_update_t)
-
--corenet_all_recvfrom_unlabeled(oav_update_t)
- corenet_all_recvfrom_netlabel(oav_update_t)
- corenet_tcp_sendrecv_generic_if(oav_update_t)
- corenet_udp_sendrecv_generic_if(oav_update_t)
-@@ -66,7 +65,7 @@ logging_send_syslog_msg(oav_update_t)
-
- sysnet_read_config(oav_update_t)
-
--userdom_use_user_terminals(oav_update_t)
-+userdom_use_inherited_user_terminals(oav_update_t)
-
- optional_policy(`
- cron_system_entry(oav_update_t, oav_update_exec_t)
-@@ -101,7 +100,6 @@ kernel_read_kernel_sysctls(scannerdaemon_t)
- # Can run kaffe
- corecmd_exec_all_executables(scannerdaemon_t)
-
--corenet_all_recvfrom_unlabeled(scannerdaemon_t)
- corenet_all_recvfrom_netlabel(scannerdaemon_t)
- corenet_tcp_sendrecv_generic_if(scannerdaemon_t)
- corenet_udp_sendrecv_generic_if(scannerdaemon_t)
-@@ -130,7 +128,6 @@ libs_exec_lib_files(scannerdaemon_t)
-
- logging_send_syslog_msg(scannerdaemon_t)
-
--miscfiles_read_localization(scannerdaemon_t)
-
- sysnet_read_config(scannerdaemon_t)
-
+ ssh_basic_client_template(nx_server, nx_server_t, nx_server_r)
diff --git a/obex.fc b/obex.fc
-new file mode 100644
-index 0000000..7b31529
---- /dev/null
+index 03fa560..000c5fe 100644
+--- a/obex.fc
+++ b/obex.fc
-@@ -0,0 +1,3 @@
-+
-+
-+/usr/bin/obex-data-server -- gen_context(system_u:object_r:obex_exec_t,s0)
+@@ -1 +1 @@
+-/usr/bin/obex-data-server -- gen_context(system_u:object_r:obex_exec_t,s0)
++/usr/bin/obex-data-server -- gen_context(system_u:object_r:obex_exec_t,s0)
diff --git a/obex.if b/obex.if
-new file mode 100644
-index 0000000..d3b9544
---- /dev/null
+index 8635ea2..6012235 100644
+--- a/obex.if
+++ b/obex.if
-@@ -0,0 +1,77 @@
-+## <summary>SELinux policy for obex-data-server</summary>
-+
+@@ -1,88 +1,89 @@
+ ## <summary>D-Bus service providing high-level OBEX client and server side functionality.</summary>
+
+-#######################################
+########################################
-+## <summary>
+ ## <summary>
+-## The role template for obex.
+## Transition to obex.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+-## <param name="role_prefix">
+-## <summary>
+-## The prefix of the user domain (e.g., user
+-## is the prefix for user_t).
+-## </summary>
+-## </param>
+-## <param name="user_role">
+-## <summary>
+-## The role associated with the user domain.
+-## </summary>
+-## </param>
+-## <param name="user_domain">
+-## <summary>
+-## The type of the user domain.
+-## </summary>
+ ## </param>
+ #
+-template(`obex_role_template',`
+- gen_require(`
+- attribute_role obex_roles;
+- type obex_t, obex_exec_exec_t;
+- ')
+-
+- ########################################
+- #
+- # Declarations
+- #
+-
+- roleattribute $2 obex_roles;
+-
+- ########################################
+- #
+- # Policy
+- #
+-
+- allow $3 obex_t:process { ptrace signal_perms };
+- ps_process_pattern($3, obex_t)
+-
+- dbus_spec_session_domain($1, obex_exec_t, obex_t)
+interface(`obex_domtrans',`
+ gen_require(`
+ type obex_t, obex_exec_t;
+ ')
-+
+
+- obex_dbus_chat($3)
+ corecmd_search_bin($1)
+ domtrans_pattern($1, obex_exec_t, obex_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Execute obex in the obex domain.
+## Send and receive messages from
+## obex over dbus.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
+-## Domain allowed to transition.
+-## </summary>
+## <summary>
+## Domain allowed access.
+## </summary>
-+## </param>
-+#
+ ## </param>
+ #
+-interface(`obex_domtrans',`
+- gen_require(`
+- type obex_t, obex_exec_t;
+- ')
+interface(`obex_dbus_chat',`
+ gen_require(`
+ type obex_t;
+ class dbus send_msg;
+ ')
-+
+
+- corecmd_search_bin($1)
+- domtrans_pattern($1, obex_exec_t, obex_t)
+ allow $1 obex_t:dbus send_msg;
+ allow obex_t $1:dbus send_msg;
-+')
-+
+ ')
+
+-########################################
+#######################################
-+## <summary>
+ ## <summary>
+-## Send and receive messages from
+-## obex over dbus.
+## Role access for obex domains
+## that executes via dbus-session
-+## </summary>
+ ## </summary>
+-## <param name="domain">
+## <param name="user_role">
-+## <summary>
+ ## <summary>
+-## Domain allowed access.
+## The role associated with the user domain.
+## </summary>
+## </param>
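Review bot: The obex.fc hunk at L66533–L66535 replaces `/usr/bin/obex-data-server -- gen_context(system_u:object_r:obex_exec_t,s0)` with a line that reads identically, so the patch now carries a whitespace-only change (presumably tab versus spaces) that will resurface as a conflict on every upstream refresh; drop that hunk from the patch unless the spacing matters, in which case a one-line comment saying why would help. In the obex.if summary at L66661–L66662 the wording should be "Role access for obex domains that execute via dbus-session" (plural subject). The obex.if rewrite continues into the next hunks, so the template it introduces is not fully visible here.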
@@ -41789,15 +44526,32 @@ index 0000000..d3b9544
+## <param name="domain_prefix">
+## <summary>
+## User domain prefix to be used.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+ #
+-interface(`obex_dbus_chat',`
+template(`obex_role',`
-+ gen_require(`
+ gen_require(`
+- type obex_t;
+- class dbus send_msg;
++ attribute_role obex_roles;
+ type obex_t, obex_exec_t;
-+ ')
+ ')
+
+- allow $1 obex_t:dbus send_msg;
+- allow obex_t $1:dbus send_msg;
++ ########################################
++ #
++ # Declarations
++ #
++
++ roleattribute $1 obex_roles;
++ #role $1 types obex_t;
+
-+ role $1 types obex_t;
++ ########################################
++ #
++ # Policy
++ #
+
+ allow $2 obex_t:process signal_perms;
+ ps_process_pattern($2, obex_t)
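Review bot: The commented-out `#role $1 types obex_t;` added at L66702 is dead code sitting next to the `roleattribute $1 obex_roles;` that replaces it; commented-out policy tends to be resurrected by the next merge. Either delete the line or turn it into a comment that explains the design, e.g. `# roles reach obex_t through the obex_roles attribute declared in obex.te`. The obex_role template continues past the end of this hunk.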
@@ -41805,69 +44559,87 @@ index 0000000..d3b9544
+ dbus_session_domain($3, obex_exec_t, obex_t)
+
+ obex_dbus_chat($2)
-+')
+ ')
diff --git a/obex.te b/obex.te
-new file mode 100644
-index 0000000..e9f259e
---- /dev/null
+index cd29ea8..1a7e853 100644
+--- a/obex.te
+++ b/obex.te
-@@ -0,0 +1,37 @@
+@@ -1,4 +1,4 @@
+-policy_module(obex, 1.0.0)
+policy_module(obex,1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type obex_t;
-+type obex_exec_t;
-+application_domain(obex_t, obex_exec_t)
-+ubac_constrained(obex_t)
-+
-+########################################
-+#
+
+ ########################################
+ #
+@@ -14,7 +14,7 @@ role obex_roles types obex_t;
+
+ ########################################
+ #
+-# Local policy
+# obex local policy
-+#
-+
-+allow obex_t self:fifo_file rw_fifo_file_perms;
-+allow obex_t self:socket create_stream_socket_perms;
-+
-+dev_read_urand(obex_t)
-+
-+files_read_etc_files(obex_t)
-+
-+logging_send_syslog_msg(obex_t)
-+
-+
-+userdom_search_user_home_content(obex_t)
-+
-+optional_policy(`
-+ bluetooth_stream_connect(obex_t)
-+ bluetooth_dbus_chat(obex_t)
-+')
-+
-+optional_policy(`
-+ dbus_system_bus_client(obex_t)
-+')
+ #
+
+ allow obex_t self:fifo_file rw_fifo_file_perms;
+@@ -22,22 +22,15 @@ allow obex_t self:socket create_stream_socket_perms;
+
+ dev_read_urand(obex_t)
+
+-files_read_etc_files(obex_t)
+-
+ logging_send_syslog_msg(obex_t)
+
+-miscfiles_read_localization(obex_t)
+-
+ userdom_search_user_home_content(obex_t)
+
+ optional_policy(`
+- bluetooth_stream_connect(obex_t)
+-')
+-
+-optional_policy(`
+ dbus_system_bus_client(obex_t)
+
+ optional_policy(`
++ bluetooth_stream_connect(obex_t)
+ bluetooth_dbus_chat(obex_t)
+ ')
+ ')
diff --git a/oddjob.fc b/oddjob.fc
-index 9c272c2..7e2287c 100644
+index dd1d9ef..7e2287c 100644
--- a/oddjob.fc
+++ b/oddjob.fc
-@@ -1,7 +1,7 @@
+@@ -1,10 +1,7 @@
+-/sbin/mkhomedir_helper -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
+-
/usr/lib/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
-+/usr/libexec/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
+-
+ /usr/libexec/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
+-/usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0)
+-/usr/sbin/mkhomedir_helper -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
+/usr/sbin/mkhomedir_helper -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
- /usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0)
++/usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0)
--/sbin/mkhomedir_helper -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
--
- /var/run/oddjobd\.pid gen_context(system_u:object_r:oddjob_var_run_t,s0)
+-/var/run/oddjobd\.pid gen_context(system_u:object_r:oddjob_var_run_t,s0)
++/var/run/oddjobd\.pid gen_context(system_u:object_r:oddjob_var_run_t,s0)
diff --git a/oddjob.if b/oddjob.if
-index bd76ec2..dec6bc7 100644
+index c87bd2a..dec6bc7 100644
--- a/oddjob.if
+++ b/oddjob.if
-@@ -22,6 +22,25 @@ interface(`oddjob_domtrans',`
+@@ -1,4 +1,8 @@
+-## <summary>D-BUS service which runs odd jobs on behalf of client applications.</summary>
++## <summary>
++## Oddjob provides a mechanism by which unprivileged applications can
++## request that specified privileged operations be performed on their
++## behalf.
++## </summary>
+
+ ########################################
+ ## <summary>
+@@ -15,14 +19,32 @@ interface(`oddjob_domtrans',`
+ type oddjob_t, oddjob_exec_t;
+ ')
+
+- corecmd_search_bin($1)
domtrans_pattern($1, oddjob_exec_t, oddjob_t)
')
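Review bot: In the new obex.te (L66788–L66799) `bluetooth_stream_connect(obex_t)` is moved inside the optional_policy block that is conditional on dbus (`dbus_system_bus_client(obex_t)`), so the stream-connect permission is now granted only when the dbus module is present, although it has no dbus dependency; keep it in its own optional_policy block next to the dbus one and leave only `bluetooth_dbus_chat(obex_t)` nested. The `policy_module(obex,1.0.0)` change at L66727–L66728 only removes a space from upstream's `policy_module(obex, 1.0.0)` and should be dropped as churn. In the oddjob.fc hunk (L66806–L66822) several `-`/`+` pairs also read identically, which looks like the same whitespace-only noise.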
@@ -41892,8 +44664,14 @@ index bd76ec2..dec6bc7 100644
+
########################################
## <summary>
- ## Make the specified program domain accessable
-@@ -44,6 +63,7 @@ interface(`oddjob_system_entry',`
+-## Make the specified program domain
+-## accessable from the oddjob.
++## Make the specified program domain accessable
++## from the oddjob.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -41,6 +63,7 @@ interface(`oddjob_system_entry',`
')
domtrans_pattern(oddjob_t, $2, $1)
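Review bot: The rewrapped summary at L66854–L66855 keeps the misspelling "accessable"; since the line is being touched anyway, make it `## Make the specified program domain accessible` with `## from the oddjob.` on the next line. The enclosing oddjob_system_entry interface ends outside this hunk.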
@@ -41901,20 +44679,24 @@ index bd76ec2..dec6bc7 100644
')
########################################
-@@ -67,6 +87,24 @@ interface(`oddjob_dbus_chat',`
+@@ -64,32 +87,45 @@ interface(`oddjob_dbus_chat',`
allow oddjob_t $1:dbus send_msg;
')
+-########################################
+######################################
-+## <summary>
+ ## <summary>
+-## Execute a domain transition to
+-## run oddjob mkhomedir.
+## Send a SIGCHLD signal to oddjob.
-+## </summary>
-+## <param name="domain">
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed to transition.
+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+ #
+interface(`oddjob_sigchld',`
+ gen_require(`
+ type oddjob_t;
@@ -41923,40 +44705,95 @@ index bd76ec2..dec6bc7 100644
+ allow $1 oddjob_t:process sigchld;
+')
+
++########################################
++## <summary>
++## Execute a domain transition to run oddjob_mkhomedir.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
+ interface(`oddjob_domtrans_mkhomedir',`
+ gen_require(`
+ type oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+ domtrans_pattern($1, oddjob_mkhomedir_exec_t, oddjob_mkhomedir_t)
+ ')
+
########################################
## <summary>
- ## Execute a domain transition to run oddjob_mkhomedir.
-@@ -109,3 +147,41 @@ interface(`oddjob_run_mkhomedir',`
+-## Execute oddjob mkhomedir in the
+-## oddjob mkhomedir domain and allow
+-## the specified role the oddjob
+-## mkhomedir domain.
++## Execute the oddjob_mkhomedir program in the oddjob_mkhomedir domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -105,46 +141,47 @@ interface(`oddjob_domtrans_mkhomedir',`
+ #
+ interface(`oddjob_run_mkhomedir',`
+ gen_require(`
+- attribute_role oddjob_mkhomedir_roles;
++ type oddjob_mkhomedir_t;
+ ')
+
oddjob_domtrans_mkhomedir($1)
- role $2 types oddjob_mkhomedir_t;
+- roleattribute $2 oddjob_mkhomedir_roles;
++ role $2 types oddjob_mkhomedir_t;
')
-+
+
+-#####################################
+########################################
-+## <summary>
+ ## <summary>
+-## Do not audit attempts to read and write
+-## oddjob fifo files.
+## Create a domain which can be started by init,
+## with a range transition.
-+## </summary>
-+## <param name="domain">
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain to not audit.
+## Type to be used as a domain.
-+## </summary>
-+## </param>
+ ## </summary>
+ ## </param>
+-#
+-interface(`oddjob_dontaudit_rw_fifo_files',`
+- gen_require(`
+- type oddjob_t;
+- ')
+-
+- dontaudit $1 oddjob_t:fifo_file rw_fifo_file_perms;
+-')
+-
+-######################################
+-## <summary>
+-## Send child terminated signals to oddjob.
+-## </summary>
+-## <param name="domain">
+## <param name="entry_point">
-+## <summary>
+ ## <summary>
+-## Domain allowed access.
+## Type of the program to be used as an entry point to this domain.
+## </summary>
+## </param>
+## <param name="range">
+## <summary>
+## Range for the domain.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+ #
+-interface(`oddjob_sigchld',`
+interface(`oddjob_ranged_domain',`
-+ gen_require(`
-+ type oddjob_t;
-+ ')
-+
+ gen_require(`
+ type oddjob_t;
+ ')
+
+- allow $1 oddjob_t:process sigchld;
+ oddjob_system_entry($1, $2)
+
+ ifdef(`enable_mcs',`
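Review bot: The new side deletes upstream's public interface `oddjob_dontaudit_rw_fifo_files` (L66963–L66971), which will break the build of any contrib module that still calls it; unless a tree-wide search confirms there are no callers, keep the interface and simply stop using it. The same hunk, together with the earlier oddjob.if hunk at L66843, also drops `corecmd_search_bin($1)` from `oddjob_domtrans_mkhomedir` and `oddjob_domtrans`, so callers no longer get search on bin directories on the way to the executable; if that is intentional because the helpers live under /usr/lib/oddjob rather than a bin_t path, say so in the interface with a comment such as `# no corecmd_search_bin: entry points are under /usr/lib/oddjob, not bin_t`. Reverting `roleattribute $2 oddjob_mkhomedir_roles;` to `role $2 types oddjob_mkhomedir_t;` (L66938–L66939) is consistent with dropping the attribute in oddjob.te, but note that it is a deliberate divergence from upstream. The oddjob_ranged_domain interface continues past the end of this hunk.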
@@ -41967,30 +44804,82 @@ index bd76ec2..dec6bc7 100644
+ range_transition oddjob_t $2:process $3;
+ mls_rangetrans_target($1)
+ ')
-+')
+ ')
diff --git a/oddjob.te b/oddjob.te
-index a17ba31..467700e 100644
+index 296a1d3..467700e 100644
--- a/oddjob.te
+++ b/oddjob.te
-@@ -51,9 +51,9 @@ mcs_process_set_categories(oddjob_t)
+@@ -1,12 +1,10 @@
+-policy_module(oddjob, 1.9.2)
++policy_module(oddjob, 1.9.0)
+
+ ########################################
+ #
+ # Declarations
+ #
+
+-attribute_role oddjob_mkhomedir_roles;
+-
+ type oddjob_t;
+ type oddjob_exec_t;
+ domain_type(oddjob_t)
+@@ -20,8 +18,9 @@ type oddjob_mkhomedir_exec_t;
+ domain_type(oddjob_mkhomedir_t)
+ domain_obj_id_change_exemption(oddjob_mkhomedir_t)
+ init_system_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
+-role oddjob_mkhomedir_roles types oddjob_mkhomedir_t;
++oddjob_system_entry(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
+
++# pid files
+ type oddjob_var_run_t;
+ files_pid_file(oddjob_var_run_t)
+
+@@ -31,7 +30,7 @@ ifdef(`enable_mcs',`
+
+ ########################################
+ #
+-# Local policy
++# oddjob local policy
+ #
+
+ allow oddjob_t self:capability setgid;
+@@ -43,8 +42,6 @@ manage_files_pattern(oddjob_t, oddjob_var_run_t, oddjob_var_run_t)
+ manage_sock_files_pattern(oddjob_t, oddjob_var_run_t, oddjob_var_run_t)
+ files_pid_filetrans(oddjob_t, oddjob_var_run_t, { file sock_file })
+
+-domtrans_pattern(oddjob_t, oddjob_mkhomedir_exec_t, oddjob_mkhomedir_t)
+-
+ kernel_read_system_state(oddjob_t)
+
+ corecmd_exec_bin(oddjob_t)
+@@ -54,9 +51,9 @@ mcs_process_set_categories(oddjob_t)
selinux_compute_create_context(oddjob_t)
--files_read_etc_files(oddjob_t)
++
+ auth_use_nsswitch(oddjob_t)
-miscfiles_read_localization(oddjob_t)
-+auth_use_nsswitch(oddjob_t)
-+
locallogin_dontaudit_use_fds(oddjob_t)
-@@ -78,13 +78,10 @@ allow oddjob_mkhomedir_t self:unix_stream_socket create_stream_socket_perms;
+@@ -71,13 +68,13 @@ optional_policy(`
+
+ ########################################
+ #
+-# Mkhomedir local policy
++# oddjob_mkhomedir local policy
+ #
+
+ allow oddjob_mkhomedir_t self:capability { chown fowner fsetid dac_override };
+ allow oddjob_mkhomedir_t self:process setfscreate;
+ allow oddjob_mkhomedir_t self:fifo_file rw_fifo_file_perms;
+-allow oddjob_mkhomedir_t self:unix_stream_socket { accept listen };
++allow oddjob_mkhomedir_t self:unix_stream_socket create_stream_socket_perms;
kernel_read_system_state(oddjob_mkhomedir_t)
--files_read_etc_files(oddjob_mkhomedir_t)
--
- auth_use_nsswitch(oddjob_mkhomedir_t)
+@@ -85,7 +82,6 @@ auth_use_nsswitch(oddjob_mkhomedir_t)
logging_send_syslog_msg(oddjob_mkhomedir_t)
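Review bot: L67083–L67084 widen `oddjob_mkhomedir_t self:unix_stream_socket` from `{ accept listen }` to `create_stream_socket_perms`, which adds create, connect, bind and the read/write set; the hunk gives no indication which of those the helper actually needs, so either narrow the rule to the observed denial or record the AVC that motivated it in a comment above the allow. L67020–L67021 also rewind `policy_module(oddjob, 1.9.2)` to `policy_module(oddjob, 1.9.0)`, which looks like a merge artifact rather than an intended downgrade and should be dropped from the patch. The replacement of `role oddjob_mkhomedir_roles types` by `oddjob_system_entry(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)` at L67037–L67038 together with removing the explicit `domtrans_pattern` at L67057 is coherent, since oddjob_system_entry performs that transition.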
@@ -41998,9 +44887,11 @@ index a17ba31..467700e 100644
selinux_get_fs_mount(oddjob_mkhomedir_t)
selinux_validate_context(oddjob_mkhomedir_t)
-@@ -99,8 +96,9 @@ seutil_read_default_contexts(oddjob_mkhomedir_t)
+@@ -98,8 +94,11 @@ seutil_read_config(oddjob_mkhomedir_t)
+ seutil_read_file_contexts(oddjob_mkhomedir_t)
+ seutil_read_default_contexts(oddjob_mkhomedir_t)
- # Add/remove user home directories
++# Add/remove user home directories
userdom_home_filetrans_user_home_dir(oddjob_mkhomedir_t)
-userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t)
-userdom_manage_user_home_content_files(oddjob_mkhomedir_t)
@@ -42010,114 +44901,21 @@ index a17ba31..467700e 100644
+userdom_manage_user_home_content(oddjob_mkhomedir_t)
+userdom_home_manager(oddjob_mkhomedir_t)
+userdom_stream_connect(oddjob_mkhomedir_t)
-
-diff --git a/oident.if b/oident.if
-index bb4fae5..4dfed8a 100644
---- a/oident.if
-+++ b/oident.if
-@@ -66,3 +66,40 @@ interface(`oident_relabel_user_content', `
- allow $1 oidentd_home_t:file relabel_file_perms;
- userdom_search_user_home_dirs($1)
- ')
+
-+########################################
-+## <summary>
-+## All of the rules required to administrate
-+## an oident environment
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <param name="role">
-+## <summary>
-+## Role allowed access.
-+## </summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`oident_admin',`
-+ gen_require(`
-+ type oidentd_t, oidentd_initrc_exec_t, oidentd_config_t;
-+ ')
-+
-+ allow $1 oidentd_t:process signal_perms;
-+ ps_process_pattern($1, oidentd_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 oidentd_t:process ptrace;
-+ ')
-+
-+ init_labeled_script_domtrans($1, oidentd_initrc_exec_t)
-+ domain_system_change_exemption($1)
-+ role_transition $2 oidentd_initrc_exec_t system_r;
-+ allow $2 system_r;
-+
-+ files_list_etc($1)
-+ admin_pattern($1, oidentd_config_t)
-+')
-diff --git a/oident.te b/oident.te
-index 8845174..f7b073f 100644
---- a/oident.te
-+++ b/oident.te
-@@ -26,15 +26,14 @@ files_config_file(oidentd_config_t)
- #
-
- allow oidentd_t self:capability { setuid setgid };
--allow oidentd_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
--allow oidentd_t self:netlink_tcpdiag_socket { write read create nlmsg_read };
--allow oidentd_t self:tcp_socket { setopt read bind create accept write getattr listen };
--allow oidentd_t self:udp_socket { write read create connect getattr ioctl };
-+allow oidentd_t self:netlink_route_socket create_netlink_socket_perms;
-+allow oidentd_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
-+allow oidentd_t self:tcp_socket create_stream_socket_perms;
-+allow oidentd_t self:udp_socket create_socket_perms;
- allow oidentd_t self:unix_dgram_socket { create connect };
-
- allow oidentd_t oidentd_config_t:file read_file_perms;
-
--corenet_all_recvfrom_unlabeled(oidentd_t)
- corenet_all_recvfrom_netlabel(oidentd_t)
- corenet_tcp_sendrecv_generic_if(oidentd_t)
- corenet_tcp_sendrecv_generic_node(oidentd_t)
-@@ -54,22 +53,7 @@ kernel_request_load_module(oidentd_t)
-
- logging_send_syslog_msg(oidentd_t)
-
--miscfiles_read_localization(oidentd_t)
--
- sysnet_read_config(oidentd_t)
-
- oident_read_user_content(oidentd_t)
--
--optional_policy(`
-- nis_use_ypbind(oidentd_t)
--')
--
--tunable_policy(`use_samba_home_dirs', `
-- fs_list_cifs(oidentd_t)
-- fs_read_cifs_files(oidentd_t)
--')
--
--tunable_policy(`use_nfs_home_dirs', `
-- fs_list_nfs(oidentd_t)
-- fs_read_nfs_files(oidentd_t)
--')
-+userdom_home_reader(oidentd_t)
diff --git a/openct.te b/openct.te
-index 7f8fdc2..bc14bc4 100644
+index 8467596..866bd6a 100644
--- a/openct.te
+++ b/openct.te
-@@ -29,6 +29,8 @@ kernel_read_kernel_sysctls(openct_t)
+@@ -34,6 +34,8 @@ kernel_read_kernel_sysctls(openct_t)
kernel_list_proc(openct_t)
kernel_read_proc_symlinks(openct_t)
+can_exec(openct_t, openct_exec_t)
+
dev_read_sysfs(openct_t)
- # openct asks for this
dev_rw_usbfs(openct_t)
-@@ -45,12 +47,12 @@ fs_search_auto_mountpoints(openct_t)
+ dev_rw_smartcard(openct_t)
+@@ -48,8 +50,6 @@ fs_search_auto_mountpoints(openct_t)
logging_send_syslog_msg(openct_t)
@@ -42126,13 +44924,6 @@ index 7f8fdc2..bc14bc4 100644
userdom_dontaudit_use_unpriv_user_fds(openct_t)
userdom_dontaudit_search_user_home_dirs(openct_t)
--openct_exec(openct_t)
-+optional_policy(`
-+ pcscd_stream_connect(openct_t)
-+')
-
- optional_policy(`
- seutil_sigchld_newrole(openct_t)
diff --git a/openhpid.fc b/openhpid.fc
new file mode 100644
index 0000000..9441fd7
@@ -42434,7 +45225,7 @@ index 0000000..c9a5f74
+/var/run/openshift(/.*)? gen_context(system_u:object_r:openshift_var_run_t,s0)
diff --git a/openshift.if b/openshift.if
new file mode 100644
-index 0000000..6e20e72
+index 0000000..98ce2c3
--- /dev/null
+++ b/openshift.if
@@ -0,0 +1,644 @@
@@ -42875,7 +45666,7 @@ index 0000000..6e20e72
+ typeattribute $1_t openshift_domain, openshift_user_domain;
+ domain_type($1_t)
+ role system_r types $1_t;
-+ mcs_untrusted_proc($1_t)
++ mcs_constrained($1_t)
+ domain_user_exemption_target($1_t)
+ auth_use_nsswitch($1_t)
+ domain_subj_id_change_exemption($1_t)
@@ -42890,7 +45681,7 @@ index 0000000..6e20e72
+ typeattribute $1_app_t openshift_domain;
+ domain_type($1_app_t)
+ role system_r types $1_app_t;
-+ mcs_untrusted_proc($1_app_t)
++ mcs_constrained($1_app_t)
+ domain_user_exemption_target($1_app_t)
+ domain_obj_id_change_exemption($1_app_t)
+ domain_dyntrans_type($1_app_t)
@@ -43472,27 +46263,29 @@ index 0000000..d97b009
+allow openshift_cgroup_read_t openshift_var_lib_t:dir list_dir_perms;
+read_files_pattern(openshift_cgroup_read_t, openshift_var_lib_t, openshift_var_lib_t)
diff --git a/openvpn.if b/openvpn.if
-index d883214..d6afa87 100644
+index 6837e9a..af8f9d0 100644
--- a/openvpn.if
+++ b/openvpn.if
-@@ -144,8 +144,11 @@ interface(`openvpn_admin',`
- type openvpn_var_run_t, openvpn_initrc_exec_t;
+@@ -147,9 +147,13 @@ interface(`openvpn_admin',`
+ type openvpn_status_t;
')
- allow $1 openvpn_t:process { ptrace signal_perms };
+ allow $1 openvpn_t:process signal_perms;
ps_process_pattern($1, openvpn_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 openvpn_t:process ptrace;
+ ')
-
++
init_labeled_script_domtrans($1, openvpn_initrc_exec_t)
domain_system_change_exemption($1)
+ role_transition $2 openvpn_initrc_exec_t system_r;
diff --git a/openvpn.te b/openvpn.te
-index 66a52ee..6db0311 100644
+index 3270ff9..67da060 100644
--- a/openvpn.te
+++ b/openvpn.te
-@@ -24,6 +24,9 @@ files_config_file(openvpn_etc_t)
+@@ -26,6 +26,9 @@ files_config_file(openvpn_etc_t)
type openvpn_etc_rw_t;
files_config_file(openvpn_etc_rw_t)
@@ -43502,48 +46295,26 @@ index 66a52ee..6db0311 100644
type openvpn_initrc_exec_t;
init_script_file(openvpn_initrc_exec_t)
-@@ -40,15 +43,15 @@ files_pid_file(openvpn_var_run_t)
- # openvpn local policy
+@@ -43,7 +46,7 @@ files_pid_file(openvpn_var_run_t)
+ # Local policy
#
--allow openvpn_t self:capability { dac_read_search dac_override ipc_lock net_bind_service net_admin setgid setuid sys_chroot sys_tty_config };
--allow openvpn_t self:process { signal getsched };
+-allow openvpn_t self:capability { dac_read_search dac_override ipc_lock net_admin setgid setuid sys_chroot sys_tty_config sys_nice };
+allow openvpn_t self:capability { dac_read_search dac_override ipc_lock net_bind_service net_admin setgid setuid sys_chroot sys_tty_config sys_nice };
-+allow openvpn_t self:process { signal getsched setsched };
+ allow openvpn_t self:process { signal getsched setsched };
allow openvpn_t self:fifo_file rw_fifo_file_perms;
+ allow openvpn_t self:unix_dgram_socket sendto;
+@@ -62,6 +65,9 @@ filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file)
+ allow openvpn_t openvpn_status_t:file manage_file_perms;
+ logging_log_filetrans(openvpn_t, openvpn_status_t, file, "openvpn-status.log")
- allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto };
- allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto };
- allow openvpn_t self:udp_socket create_socket_perms;
- allow openvpn_t self:tcp_socket server_stream_socket_perms;
--allow openvpn_t self:tun_socket create;
-+allow openvpn_t self:tun_socket { create_socket_perms relabelfrom };
- allow openvpn_t self:netlink_route_socket rw_netlink_socket_perms;
-
- can_exec(openvpn_t, openvpn_etc_t)
-@@ -58,9 +61,14 @@ read_lnk_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_t)
- manage_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t)
- filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file)
-
--allow openvpn_t openvpn_var_log_t:file manage_file_perms;
--logging_log_filetrans(openvpn_t, openvpn_var_log_t, file)
+manage_files_pattern(openvpn_t, openvpn_tmp_t, openvpn_tmp_t)
+files_tmp_filetrans(openvpn_t, openvpn_tmp_t, file)
+
-+manage_dirs_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
-+manage_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
-+logging_log_filetrans(openvpn_t, openvpn_var_log_t, { dir file })
-
-+manage_dirs_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t)
- manage_files_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t)
- files_pid_filetrans(openvpn_t, openvpn_var_run_t, { file dir })
-
-@@ -68,11 +76,11 @@ kernel_read_kernel_sysctls(openvpn_t)
- kernel_read_net_sysctls(openvpn_t)
- kernel_read_network_state(openvpn_t)
- kernel_read_system_state(openvpn_t)
-+kernel_request_load_module(openvpn_t)
-
+ manage_dirs_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
+ append_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
+ create_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
+@@ -83,7 +89,6 @@ kernel_request_load_module(openvpn_t)
corecmd_exec_bin(openvpn_t)
corecmd_exec_shell(openvpn_t)
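Review bot: The re-added `net_bind_service` in `allow openvpn_t self:capability { dac_read_search dac_override ipc_lock net_bind_service net_admin setgid setuid sys_chroot sys_tty_config sys_nice };` reverses an upstream removal and nothing in the hunk records why. The following hunk's header still shows `corenet_tcp_bind_http_port(openvpn_t)` in the policy, so binding a privileged port (port-share / 443-style setups) is presumably the reason. A one-line comment above the capability line, `# net_bind_service: openvpn may bind http/https ports (see corenet_tcp_bind_http_port)`, would stop it being dropped again at the next mass merge.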
@@ -43551,34 +46322,34 @@ index 66a52ee..6db0311 100644
corenet_all_recvfrom_netlabel(openvpn_t)
corenet_tcp_sendrecv_generic_if(openvpn_t)
corenet_udp_sendrecv_generic_if(openvpn_t)
-@@ -87,6 +95,7 @@ corenet_udp_bind_openvpn_port(openvpn_t)
- corenet_tcp_bind_http_port(openvpn_t)
- corenet_tcp_connect_openvpn_port(openvpn_t)
+@@ -105,11 +110,12 @@ corenet_tcp_bind_http_port(openvpn_t)
+ corenet_sendrecv_http_client_packets(openvpn_t)
corenet_tcp_connect_http_port(openvpn_t)
-+corenet_tcp_connect_tor_socks_port(openvpn_t)
+ corenet_tcp_sendrecv_http_port(openvpn_t)
+-
+ corenet_sendrecv_http_cache_client_packets(openvpn_t)
corenet_tcp_connect_http_cache_port(openvpn_t)
- corenet_rw_tun_tap_dev(openvpn_t)
- corenet_sendrecv_openvpn_server_packets(openvpn_t)
-@@ -100,33 +109,39 @@ dev_read_urand(openvpn_t)
- files_read_etc_files(openvpn_t)
- files_read_etc_runtime_files(openvpn_t)
+ corenet_tcp_sendrecv_http_cache_port(openvpn_t)
-+fs_getattr_xattr_fs(openvpn_t)
++corenet_tcp_connect_tor_port(openvpn_t)
+
- auth_use_pam(openvpn_t)
+ corenet_rw_tun_tap_dev(openvpn_t)
-+init_read_utmp(openvpn_t)
-+
- logging_send_syslog_msg(openvpn_t)
+ dev_read_rand(openvpn_t)
+@@ -121,18 +127,24 @@ fs_search_auto_mountpoints(openvpn_t)
+
+ auth_use_pam(openvpn_t)
-miscfiles_read_localization(openvpn_t)
++logging_send_syslog_msg(openvpn_t)
++
miscfiles_read_all_certs(openvpn_t)
- sysnet_dns_name_resolve(openvpn_t)
-+sysnet_use_ldap(openvpn_t)
++sysnet_dns_name_resolve(openvpn_t)
sysnet_exec_ifconfig(openvpn_t)
sysnet_manage_config(openvpn_t)
sysnet_etc_filetrans_config(openvpn_t)
+ sysnet_use_ldap(openvpn_t)
-userdom_use_user_terminals(openvpn_t)
+userdom_use_inherited_user_terminals(openvpn_t)
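Review bot: Replacing `corenet_tcp_connect_tor_socks_port` with `corenet_tcp_connect_tor_port(openvpn_t)` presumably widens the grant from the SOCKS listener alone to every port in the tor port type; if the only use case is OpenVPN's `socks-proxy` option pointing at a local Tor, the narrower interface (if it survived the merge) is the least-privilege choice. Either way a comment such as `# socks-proxy through a local tor instance` above the line would record the intent, since the rename alone does not.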
@@ -43593,77 +46364,68 @@ index 66a52ee..6db0311 100644
')
tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',`
-- fs_read_nfs_files(openvpn_t)
-- fs_read_nfs_symlinks(openvpn_t)
--')
-+ fs_read_nfs_files(openvpn_t)
-+')
-
- tunable_policy(`openvpn_enable_homedirs && use_samba_home_dirs',`
-- fs_read_cifs_files(openvpn_t)
-- fs_read_cifs_symlinks(openvpn_t)
--')
-+ fs_read_cifs_files(openvpn_t)
-+')
-
- optional_policy(`
- daemontools_service_domain(openvpn_t, openvpn_exec_t)
-@@ -138,3 +153,7 @@ optional_policy(`
-
- networkmanager_dbus_chat(openvpn_t)
+@@ -155,3 +167,7 @@ optional_policy(`
+ networkmanager_dbus_chat(openvpn_t)
+ ')
')
+
+optional_policy(`
+ unconfined_attach_tun_iface(openvpn_t)
+')
diff --git a/openvswitch.fc b/openvswitch.fc
-new file mode 100644
-index 0000000..baf8d21
---- /dev/null
+index 45d7cc5..baf8d21 100644
+--- a/openvswitch.fc
+++ b/openvswitch.fc
-@@ -0,0 +1,15 @@
+@@ -1,12 +1,15 @@
+-/etc/rc\.d/init\.d/openvswitch -- gen_context(system_u:object_r:openvswitch_initrc_exec_t,s0)
+/usr/lib/systemd/system/openvswitch.service -- gen_context(system_u:object_r:openvswitch_unit_file_t,s0)
-+
+
+-/etc/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_conf_t,s0)
+/usr/share/openvswitch/scripts/ovs-ctl -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
+/usr/bin/ovs-vsctl -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
+/usr/sbin/ovsdb-ctl -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
+/usr/sbin/ovsdb-server -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
+/usr/sbin/ovs-vswitchd -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
-+
+
+-/usr/share/openvswitch/scripts/ovs-ctl -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
+-/usr/share/openvswitch/scripts/openvswitch\.init -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
+/var/lib/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_var_lib_t,s0)
-+
+
+-/var/lib/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_var_lib_t,s0)
+/var/log/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_log_t,s0)
-+
+
+-/var/log/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_log_t,s0)
+/var/run/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_var_run_t,s0)
-+
+
+-/var/run/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_var_run_t,s0)
+/etc/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_rw_t,s0)
diff --git a/openvswitch.if b/openvswitch.if
-new file mode 100644
-index 0000000..14f29e4
---- /dev/null
+index 9b15730..14f29e4 100644
+--- a/openvswitch.if
+++ b/openvswitch.if
-@@ -0,0 +1,242 @@
+@@ -1,13 +1,14 @@
+-## <summary>Multilayer virtual switch.</summary>
+
+## <summary>policy for openvswitch</summary>
-+
-+########################################
-+## <summary>
+
+ ########################################
+ ## <summary>
+-## Execute openvswitch in the openvswitch domain.
+## Execute TEMPLATE in the openvswitch domin.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
+## <summary>
-+## Domain allowed to transition.
+ ## Domain allowed to transition.
+-## </summary>
+## </summary>
-+## </param>
-+#
-+interface(`openvswitch_domtrans',`
-+ gen_require(`
-+ type openvswitch_t, openvswitch_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, openvswitch_exec_t, openvswitch_t)
-+')
+ ## </param>
+ #
+ interface(`openvswitch_domtrans',`
+@@ -18,10 +19,145 @@ interface(`openvswitch_domtrans',`
+ corecmd_search_bin($1)
+ domtrans_pattern($1, openvswitch_exec_t, openvswitch_t)
+ ')
+########################################
+## <summary>
+## Read openvswitch's log files.
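Review bot: The merged openvswitch.if now replaces upstream's correct summary `## Execute openvswitch in the openvswitch domain.` for openvswitch_domtrans with the Fedora placeholder `## Execute TEMPLATE in the openvswitch domin.`, which reads as an unfinished template and carries a typo; keep the upstream wording. In openvswitch.fc the same hunk labels `/usr/bin/ovs-vsctl` as openvswitch_exec_t alongside the daemons; since that is an administrative CLI, a short comment on whether it is meant to transition callers into openvswitch_t or only to run from ovs-ctl would help a reader judge the exposure.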
@@ -43780,9 +46542,10 @@ index 0000000..14f29e4
+ files_search_var_lib($1)
+ manage_files_pattern($1, openvswitch_var_lib_t, openvswitch_var_lib_t)
+')
-+
-+########################################
-+## <summary>
+
+ ########################################
+ ## <summary>
+-## Read openvswitch pid files.
+## Manage openvswitch lib directories.
+## </summary>
+## <param name="domain">
@@ -43803,31 +46566,24 @@ index 0000000..14f29e4
+########################################
+## <summary>
+## Read openvswitch PID files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`openvswitch_read_pid_files',`
-+ gen_require(`
-+ type openvswitch_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ read_files_pattern($1, openvswitch_var_run_t, openvswitch_var_run_t)
-+')
-+
-+########################################
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -40,44 +176,67 @@ interface(`openvswitch_read_pid_files',`
+
+ ########################################
+ ## <summary>
+-## All of the rules required to
+-## administrate an openvswitch environment.
+## Execute openvswitch server in the openvswitch domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
+## Domain allowed to transition.
-+## </summary>
-+## </param>
+ ## </summary>
+ ## </param>
+-## <param name="role">
+#
+interface(`openvswitch_systemctl',`
+ gen_require(`
@@ -43850,32 +46606,44 @@ index 0000000..14f29e4
+## an openvswitch environment
+## </summary>
+## <param name="domain">
-+## <summary>
+ ## <summary>
+-## Role allowed access.
+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`openvswitch_admin',`
-+ gen_require(`
+ ## </summary>
+ ## </param>
+ ## <rolecap/>
+ #
+ interface(`openvswitch_admin',`
+ gen_require(`
+- type openvswitch_t, openvswitch_initrc_exec_t, openvswitch_conf_t;
+- type openvswitch_var_lib_t, openvswitch_log_t, openvswitch_var_run_t;
+ type openvswitch_t, openvswitch_log_t, openvswitch_var_lib_t;
+ type openvswitch_rw_t, openvswitch_var_run_t, openvswitch_unit_file_t;
-+ ')
-+
-+ allow $1 openvswitch_t:process { ptrace signal_perms };
-+ ps_process_pattern($1, openvswitch_t)
-+
+ ')
+
+ allow $1 openvswitch_t:process { ptrace signal_perms };
+ ps_process_pattern($1, openvswitch_t)
+
+- init_labeled_script_domtrans($1, openvswitch_initrc_exec_t)
+- domain_system_change_exemption($1)
+- role_transition $2 openvswitch_initrc_exec_t system_r;
+- allow $2 system_r;
+ logging_search_logs($1)
+ admin_pattern($1, openvswitch_rw_t)
-+
+
+- files_search_etc($1)
+- admin_pattern($1, openvswitch_conf_t)
+ logging_search_logs($1)
+ admin_pattern($1, openvswitch_log_t)
-+
-+ files_search_var_lib($1)
-+ admin_pattern($1, openvswitch_var_lib_t)
-+
-+ files_search_pids($1)
-+ admin_pattern($1, openvswitch_var_run_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, openvswitch_var_lib_t)
+
+- logging_search_logs($1)
+- admin_pattern($1, openvswitch_log_t)
+-
+ files_search_pids($1)
+ admin_pattern($1, openvswitch_var_run_t)
+
+ openvswitch_systemctl($1)
+ admin_pattern($1, openvswitch_unit_file_t)
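Review bot: The unconditional `allow $1 openvswitch_t:process { ptrace signal_perms };` in openvswitch_admin bypasses the `deny_ptrace` boolean that the openvpn_admin and pads_admin hunks in this same patch now honour, so an administrator domain keeps ptrace over the switch daemon (and the ability to read its memory) even when the boolean is set. Split it the same way those interfaces do: grant signal_perms unconditionally and put ptrace under the tunable. The rewritten lines are below; the gen_require and admin_pattern parts of the interface are unchanged, and the interface's closing quote is in the next hunk.

```selinux
	allow $1 openvswitch_t:process signal_perms;
	ps_process_pattern($1, openvswitch_t)

	tunable_policy(`deny_ptrace',`',`
		allow $1 openvswitch_t:process ptrace;
	')
	# … unchanged: logging_search_logs / admin_pattern calls …
```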
@@ -43884,126 +46652,142 @@ index 0000000..14f29e4
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
-+')
+ ')
diff --git a/openvswitch.te b/openvswitch.te
-new file mode 100644
-index 0000000..f6e0f04
---- /dev/null
+index 508fedf..b8995a2 100644
+--- a/openvswitch.te
+++ b/openvswitch.te
-@@ -0,0 +1,84 @@
+@@ -1,4 +1,4 @@
+-policy_module(openvswitch, 1.0.1)
+policy_module(openvswitch, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type openvswitch_t;
-+type openvswitch_exec_t;
-+init_daemon_domain(openvswitch_t, openvswitch_exec_t)
-+
+
+ ########################################
+ #
+@@ -9,11 +9,8 @@ type openvswitch_t;
+ type openvswitch_exec_t;
+ init_daemon_domain(openvswitch_t, openvswitch_exec_t)
+
+-type openvswitch_initrc_exec_t;
+-init_script_file(openvswitch_initrc_exec_t)
+-
+-type openvswitch_conf_t;
+-files_config_file(openvswitch_conf_t)
+type openvswitch_rw_t;
+files_config_file(openvswitch_rw_t)
-+
-+type openvswitch_var_lib_t;
-+files_type(openvswitch_var_lib_t)
-+
-+type openvswitch_log_t;
-+logging_log_file(openvswitch_log_t)
-+
-+type openvswitch_var_run_t;
-+files_pid_file(openvswitch_var_run_t)
-+
+
+ type openvswitch_var_lib_t;
+ files_type(openvswitch_var_lib_t)
+@@ -24,20 +21,26 @@ logging_log_file(openvswitch_log_t)
+ type openvswitch_var_run_t;
+ files_pid_file(openvswitch_var_run_t)
+
+type openvswitch_unit_file_t;
+systemd_unit_file(openvswitch_unit_file_t)
+
-+########################################
-+#
+ ########################################
+ #
+-# Local policy
+# openvswitch local policy
-+#
-+
+ #
+
+-allow openvswitch_t self:capability { net_admin sys_nice sys_resource ipc_lock };
+-allow openvswitch_t self:process { setrlimit setsched signal };
+allow openvswitch_t self:capability { net_admin ipc_lock sys_nice sys_resource };
+allow openvswitch_t self:process { fork setsched setrlimit signal };
-+allow openvswitch_t self:fifo_file rw_fifo_file_perms;
+ allow openvswitch_t self:fifo_file rw_fifo_file_perms;
+-allow openvswitch_t self:rawip_socket create_socket_perms;
+-allow openvswitch_t self:unix_stream_socket { accept connectto listen };
+allow openvswitch_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow openvswitch_t self:netlink_socket create_socket_perms;
+allow openvswitch_t self:netlink_route_socket rw_netlink_socket_perms;
-+
+
+-manage_dirs_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t)
+-manage_files_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t)
+-manage_lnk_files_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t)
+can_exec(openvswitch_t, openvswitch_exec_t)
+
+manage_dirs_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t)
+manage_files_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t)
+manage_lnk_files_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t)
-+
-+manage_dirs_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t)
-+manage_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t)
-+manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t)
-+files_var_lib_filetrans(openvswitch_t, openvswitch_var_lib_t, { dir file lnk_file })
-+
-+manage_dirs_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
+
+ manage_dirs_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t)
+ manage_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t)
+@@ -45,9 +48,7 @@ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_l
+ files_var_lib_filetrans(openvswitch_t, openvswitch_var_lib_t, { dir file lnk_file })
+
+ manage_dirs_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
+-append_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
+-create_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
+-setattr_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
+manage_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
-+manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
-+logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file })
-+
-+manage_dirs_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
-+manage_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
-+manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
-+manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
-+files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file })
-+
-+kernel_read_network_state(openvswitch_t)
-+kernel_read_system_state(openvswitch_t)
-+
-+corecmd_exec_bin(openvswitch_t)
-+
-+dev_read_urand(openvswitch_t)
-+
-+domain_use_interactive_fds(openvswitch_t)
-+
-+files_read_etc_files(openvswitch_t)
-+
-+fs_getattr_all_fs(openvswitch_t)
-+fs_search_cgroup_dirs(openvswitch_t)
-+
+ manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
+ logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file })
+
+@@ -57,15 +58,9 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_
+ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
+ files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file })
+
+-can_exec(openvswitch_t, openvswitch_exec_t)
+-
+ kernel_read_network_state(openvswitch_t)
+ kernel_read_system_state(openvswitch_t)
+-
+-corenet_all_recvfrom_unlabeled(openvswitch_t)
+-corenet_all_recvfrom_netlabel(openvswitch_t)
+-corenet_raw_sendrecv_generic_if(openvswitch_t)
+-corenet_raw_sendrecv_generic_node(openvswitch_t)
++kernel_request_load_module(openvswitch_t)
+
+ corecmd_exec_bin(openvswitch_t)
+
+@@ -74,16 +69,22 @@ dev_read_urand(openvswitch_t)
+ domain_use_interactive_fds(openvswitch_t)
+
+ files_read_etc_files(openvswitch_t)
++files_read_kernel_modules(openvswitch_t)
+
+ fs_getattr_all_fs(openvswitch_t)
+ fs_search_cgroup_dirs(openvswitch_t)
+
+auth_read_passwd(openvswitch_t)
+
-+logging_send_syslog_msg(openvswitch_t)
-+
-+sysnet_dns_name_resolve(openvswitch_t)
-+
-+optional_policy(`
-+ iptables_domtrans(openvswitch_t)
-+')
+ logging_send_syslog_msg(openvswitch_t)
+
+-miscfiles_read_localization(openvswitch_t)
++modutils_exec_insmod(openvswitch_t)
++modutils_list_module_config(openvswitch_t)
++modutils_read_module_config(openvswitch_t)
+
+ sysnet_dns_name_resolve(openvswitch_t)
+
+ optional_policy(`
+ iptables_domtrans(openvswitch_t)
+ ')
+
diff --git a/pacemaker.fc b/pacemaker.fc
-new file mode 100644
-index 0000000..3793461
---- /dev/null
+index 2f0ad56..d4da0b8 100644
+--- a/pacemaker.fc
+++ b/pacemaker.fc
-@@ -0,0 +1,12 @@
-+/etc/rc\.d/init\.d/pacemaker -- gen_context(system_u:object_r:pacemaker_initrc_exec_t,s0)
-+
+@@ -1,5 +1,7 @@
+ /etc/rc\.d/init\.d/pacemaker -- gen_context(system_u:object_r:pacemaker_initrc_exec_t,s0)
+
+/usr/lib/systemd/system/pacemaker.* -- gen_context(system_u:object_r:pacemaker_unit_file_t,s0)
+
-+/usr/sbin/pacemakerd -- gen_context(system_u:object_r:pacemaker_exec_t,s0)
-+
-+/var/lib/heartbeat/crm(/.*)? gen_context(system_u:object_r:pacemaker_var_lib_t,s0)
-+
-+/var/lib/pacemaker(/.*)? gen_context(system_u:object_r:pacemaker_var_lib_t,s0)
-+/var/lib/pengine(/.*)? gen_context(system_u:object_r:pacemaker_var_lib_t,s0)
-+
-+/var/run/crm(/.*)? gen_context(system_u:object_r:pacemaker_var_run_t,s0)
+ /usr/sbin/pacemakerd -- gen_context(system_u:object_r:pacemaker_exec_t,s0)
+
+ /var/lib/heartbeat/crm(/.*)? gen_context(system_u:object_r:pacemaker_var_lib_t,s0)
diff --git a/pacemaker.if b/pacemaker.if
-new file mode 100644
-index 0000000..e05c78f
---- /dev/null
+index 9682d9a..d47f913 100644
+--- a/pacemaker.if
+++ b/pacemaker.if
-@@ -0,0 +1,209 @@
-+
-+## <summary>policy for pacemaker</summary>
-+
-+########################################
-+## <summary>
+@@ -1,9 +1,166 @@
+-## <summary>A scalable high-availability cluster resource manager.</summary>
++## <summary>>A scalable high-availability cluster resource manager.</summary>
+
+ ########################################
+ ## <summary>
+-## All of the rules required to
+-## administrate an pacemaker environment.
+## Transition to pacemaker.
+## </summary>
+## <param name="domain">
@@ -44163,41 +46947,33 @@ index 0000000..e05c78f
+## <summary>
+## All of the rules required to administrate
+## an pacemaker environment
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <param name="role">
-+## <summary>
-+## Role allowed access.
-+## </summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`pacemaker_admin',`
-+ gen_require(`
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -19,14 +176,17 @@
+ #
+ interface(`pacemaker_admin',`
+ gen_require(`
+- type pacemaker_t, pacemaker_initrc_exec_t, pacemaker_var_lib_t;
+ type pacemaker_t;
+ type pacemaker_initrc_exec_t;
+ type pacemaker_var_lib_t;
-+ type pacemaker_var_run_t;
+ type pacemaker_var_run_t;
+ type pacemaker_unit_file_t;
-+ ')
-+
-+ allow $1 pacemaker_t:process { ptrace signal_perms };
-+ ps_process_pattern($1, pacemaker_t)
-+
+ ')
+
+ allow $1 pacemaker_t:process { ptrace signal_perms };
+ ps_process_pattern($1, pacemaker_t)
+
+- init_labeled_script_domtrans($1, pacemaker_initrc_exec_t)
+ pacemaker_initrc_domtrans($1)
-+ domain_system_change_exemption($1)
-+ role_transition $2 pacemaker_initrc_exec_t system_r;
-+ allow $2 system_r;
-+
-+ files_search_var_lib($1)
-+ admin_pattern($1, pacemaker_var_lib_t)
-+
-+ files_search_pids($1)
-+ admin_pattern($1, pacemaker_var_run_t)
+ domain_system_change_exemption($1)
+ role_transition $2 pacemaker_initrc_exec_t system_r;
+ allow $2 system_r;
+@@ -36,4 +196,13 @@ interface(`pacemaker_admin',`
+
+ files_search_pids($1)
+ admin_pattern($1, pacemaker_var_run_t)
+
+ pacemaker_systemctl($1)
+ admin_pattern($1, pacemaker_unit_file_t)
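Review bot: pacemaker_admin keeps `allow $1 pacemaker_t:process { ptrace signal_perms };` unconditional, while openvpn_admin and pads_admin in the same patch gate ptrace behind the `deny_ptrace` boolean; a cluster resource manager is exactly the kind of daemon whose memory (fencing credentials, CIB contents) an operator policy would want covered by that switch. Mirror the other admin interfaces as below; the admin_pattern and systemctl lines are unchanged and the interface's closing quote is in the next hunk.

```selinux
	allow $1 pacemaker_t:process signal_perms;
	ps_process_pattern($1, pacemaker_t)

	tunable_policy(`deny_ptrace',`',`
		allow $1 pacemaker_t:process ptrace;
	')
	# … unchanged: pacemaker_initrc_domtrans, role_transition, admin_pattern calls …
```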
@@ -44207,176 +46983,109 @@ index 0000000..e05c78f
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
-+')
+ ')
diff --git a/pacemaker.te b/pacemaker.te
-new file mode 100644
-index 0000000..3a97ac3
---- /dev/null
+index 3dd8ada..8b8d292 100644
+--- a/pacemaker.te
+++ b/pacemaker.te
-@@ -0,0 +1,86 @@
-+policy_module(pacemaker, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type pacemaker_t;
-+type pacemaker_exec_t;
-+init_daemon_domain(pacemaker_t, pacemaker_exec_t)
-+
-+type pacemaker_initrc_exec_t;
-+init_script_file(pacemaker_initrc_exec_t)
-+
+@@ -12,17 +12,20 @@ init_daemon_domain(pacemaker_t, pacemaker_exec_t)
+ type pacemaker_initrc_exec_t;
+ init_script_file(pacemaker_initrc_exec_t)
+
+type pacemaker_var_lib_t;
+files_type(pacemaker_var_lib_t)
+
+type pacemaker_var_run_t;
+files_pid_file(pacemaker_var_run_t)
+
-+type pacemaker_tmp_t;
-+files_tmp_file(pacemaker_tmp_t)
-+
-+type pacemaker_tmpfs_t;
-+files_tmpfs_file(pacemaker_tmpfs_t)
-+
+ type pacemaker_tmp_t;
+ files_tmp_file(pacemaker_tmp_t)
+
+ type pacemaker_tmpfs_t;
+ files_tmpfs_file(pacemaker_tmpfs_t)
+
+-type pacemaker_var_lib_t;
+-files_type(pacemaker_var_lib_t)
+-
+-type pacemaker_var_run_t;
+-files_pid_file(pacemaker_var_run_t)
+type pacemaker_unit_file_t;
+systemd_unit_file(pacemaker_unit_file_t)
-+
-+########################################
-+#
-+# pacemaker local policy
-+#
-+
-+allow pacemaker_t self:capability { fowner fsetid kill chown dac_override setuid };
-+allow pacemaker_t self:process { fork setrlimit signal setpgid };
-+allow pacemaker_t self:fifo_file rw_fifo_file_perms;
-+allow pacemaker_t self:unix_stream_socket { connectto create_stream_socket_perms };
-+
-+manage_dirs_pattern(pacemaker_t, pacemaker_var_lib_t, pacemaker_var_lib_t)
-+manage_files_pattern(pacemaker_t, pacemaker_var_lib_t, pacemaker_var_lib_t)
-+files_var_lib_filetrans(pacemaker_t, pacemaker_var_lib_t, { dir file })
-+
-+manage_dirs_pattern(pacemaker_t, pacemaker_var_run_t, pacemaker_var_run_t)
-+manage_files_pattern(pacemaker_t, pacemaker_var_run_t, pacemaker_var_run_t)
-+files_pid_filetrans(pacemaker_t, pacemaker_var_run_t, { dir file })
-+
-+manage_dirs_pattern(pacemaker_t, pacemaker_tmp_t, pacemaker_tmp_t)
-+manage_files_pattern(pacemaker_t, pacemaker_tmp_t, pacemaker_tmp_t)
-+files_tmp_filetrans(pacemaker_t, pacemaker_tmp_t, { file dir })
-+
-+manage_dirs_pattern(pacemaker_t, pacemaker_tmpfs_t, pacemaker_tmpfs_t)
-+manage_files_pattern(pacemaker_t, pacemaker_tmpfs_t, pacemaker_tmpfs_t)
-+fs_tmpfs_filetrans(pacemaker_t, pacemaker_tmpfs_t, { dir file })
-+
-+kernel_read_system_state(pacemaker_t)
-+kernel_read_network_state(pacemaker_t)
-+kernel_read_all_sysctls(pacemaker_t)
-+kernel_read_messages(pacemaker_t)
-+kernel_getattr_core_if(pacemaker_t)
-+kernel_read_software_raid_state(pacemaker_t)
-+
-+corecmd_exec_bin(pacemaker_t)
-+corecmd_exec_shell(pacemaker_t)
-+
+
+ ########################################
+ #
+@@ -60,13 +63,13 @@ kernel_read_system_state(pacemaker_t)
+ corecmd_exec_bin(pacemaker_t)
+ corecmd_exec_shell(pacemaker_t)
+
+domain_use_interactive_fds(pacemaker_t)
+domain_read_all_domains_state(pacemaker_t)
+
-+dev_getattr_mtrr_dev(pacemaker_t)
-+dev_read_rand(pacemaker_t)
-+dev_read_urand(pacemaker_t)
-+
-+files_read_kernel_symbol_table(pacemaker_t)
-+
-+fs_getattr_all_fs(pacemaker_t)
-+
-+auth_use_nsswitch(pacemaker_t)
-+
-+logging_send_syslog_msg(pacemaker_t)
-+
-+optional_policy(`
-+ corosync_read_log(pacemaker_t)
-+ corosync_stream_connect(pacemaker_t)
-+ corosync_rw_tmpfs(pacemaker_t)
-+')
-+
-diff --git a/pads.fc b/pads.fc
-index 0870c56..6d5fb1d 100644
---- a/pads.fc
-+++ b/pads.fc
-@@ -1,10 +1,10 @@
- /etc/pads-ether-codes -- gen_context(system_u:object_r:pads_config_t, s0)
- /etc/pads-signature-list -- gen_context(system_u:object_r:pads_config_t, s0)
--/etc/pads.conf -- gen_context(system_u:object_r:pads_config_t, s0)
-+/etc/pads\.conf -- gen_context(system_u:object_r:pads_config_t, s0)
- /etc/pads-assets.csv -- gen_context(system_u:object_r:pads_config_t, s0)
+ dev_getattr_mtrr_dev(pacemaker_t)
+ dev_read_rand(pacemaker_t)
+ dev_read_urand(pacemaker_t)
- /etc/rc\.d/init\.d/pads -- gen_context(system_u:object_r:pads_initrc_exec_t, s0)
+-domain_read_all_domains_state(pacemaker_t)
+-domain_use_interactive_fds(pacemaker_t)
+-
+ files_read_kernel_symbol_table(pacemaker_t)
- /usr/bin/pads -- gen_context(system_u:object_r:pads_exec_t, s0)
+ fs_getattr_all_fs(pacemaker_t)
+@@ -75,9 +78,9 @@ auth_use_nsswitch(pacemaker_t)
--/var/run/pads.pid -- gen_context(system_u:object_r:pads_var_run_t, s0)
-+/var/run/pads\.pid -- gen_context(system_u:object_r:pads_var_run_t, s0)
+ logging_send_syslog_msg(pacemaker_t)
+
+-miscfiles_read_localization(pacemaker_t)
+-
+ optional_policy(`
+ corosync_read_log(pacemaker_t)
+ corosync_stream_connect(pacemaker_t)
++ corosync_rw_tmpfs(pacemaker_t)
+ ')
++
diff --git a/pads.if b/pads.if
-index 8ac407e..45673ad 100644
+index 6e097c9..503c97a 100644
--- a/pads.if
+++ b/pads.if
-@@ -25,20 +25,26 @@
+@@ -17,15 +17,19 @@
## </param>
## <rolecap/>
#
-interface(`pads_admin', `
+interface(`pads_admin',`
gen_require(`
-- type pads_t, pads_config_t;
-- type pads_var_run_t, pads_initrc_exec_t;
-+ type pads_t, pads_config_t, pads_initrc_exec_t;
-+ type pads_var_run_t;
+ type pads_t, pads_config_t, pads_var_run_t;
+ type pads_initrc_exec_t;
')
- allow $1 pads_t:process { ptrace signal_perms };
+ allow $1 pads_t:process signal_perms;
ps_process_pattern($1, pads_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 pads_t:process ptrace;
+ ')
-
++
init_labeled_script_domtrans($1, pads_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 pads_initrc_exec_t system_r;
- allow $2 system_r;
-
-+ files_list_pids($1)
- admin_pattern($1, pads_var_run_t)
-+
-+ files_list_etc($1)
- admin_pattern($1, pads_config_t)
- ')
diff --git a/pads.te b/pads.te
-index b246bdd..3cbcc49 100644
+index 29a7364..446e5ca 100644
--- a/pads.te
+++ b/pads.te
-@@ -25,10 +25,11 @@ files_pid_file(pads_var_run_t)
+@@ -25,8 +25,11 @@ files_pid_file(pads_var_run_t)
#
allow pads_t self:capability { dac_override net_raw };
--allow pads_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
--allow pads_t self:packet_socket { ioctl setopt getopt read bind create };
--allow pads_t self:udp_socket { create ioctl };
--allow pads_t self:unix_dgram_socket { write create connect };
+allow pads_t self:netlink_route_socket create_netlink_socket_perms;
-+allow pads_t self:packet_socket create_socket_perms;
-+allow pads_t self:socket create_socket_perms;
+ allow pads_t self:packet_socket create_socket_perms;
+ allow pads_t self:socket create_socket_perms;
+allow pads_t self:udp_socket create_socket_perms;
+allow pads_t self:unix_dgram_socket create_socket_perms;
allow pads_t pads_config_t:file manage_file_perms;
files_etc_filetrans(pads_t, pads_config_t, file)
-@@ -37,10 +38,10 @@ allow pads_t pads_var_run_t:file manage_file_perms;
- files_pid_filetrans(pads_t, pads_var_run_t, file)
-
- kernel_read_sysctl(pads_t)
-+kernel_read_network_state(pads_t)
+@@ -39,7 +42,6 @@ kernel_read_network_state(pads_t)
corecmd_search_bin(pads_t)
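Review bot: The Fedora patch now deletes `files_read_etc_files(pads_t)` from upstream pads.te with no replacement visible in this hunk; pads' own config files are relabelled to pads_config_t, but generic /etc reads (resolver and NSS files beyond what `sysnet_dns_name_resolve` covers) are not obviously granted elsewhere in what is shown. If this relies on Fedora's base policy giving every domain read access to etc_t, a one-line comment in the patch to that effect would stop the next merge re-adding the call; otherwise it is a regression worth checking with pads in enforcing mode. The pads.te local-policy block continues past the end of this hunk.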
@@ -44384,13 +47093,11 @@ index b246bdd..3cbcc49 100644
corenet_all_recvfrom_netlabel(pads_t)
corenet_tcp_sendrecv_generic_if(pads_t)
corenet_tcp_sendrecv_generic_node(pads_t)
-@@ -48,12 +49,11 @@ corenet_tcp_connect_prelude_port(pads_t)
-
- dev_read_rand(pads_t)
+@@ -52,11 +54,8 @@ dev_read_rand(pads_t)
dev_read_urand(pads_t)
-+dev_read_sysfs(pads_t)
+ dev_read_sysfs(pads_t)
- files_read_etc_files(pads_t)
+-files_read_etc_files(pads_t)
files_search_spool(pads_t)
-miscfiles_read_localization(pads_t)
@@ -44399,54 +47106,61 @@ index b246bdd..3cbcc49 100644
sysnet_dns_name_resolve(pads_t)
diff --git a/passenger.fc b/passenger.fc
-index 545518d..9155bd0 100644
+index 2c389ea..9155bd0 100644
--- a/passenger.fc
+++ b/passenger.fc
-@@ -1,11 +1,12 @@
--/usr/lib/ruby/gems/.*/passenger-.*/ext/apache2/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0)
--/usr/lib/ruby/gems/.*/passenger-.*/agents/PassengerWatchdog -- gen_context(system_u:object_r:passenger_exec_t,s0)
--/usr/lib/ruby/gems/.*/passenger-.*/agents/PassengerLoggingAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)
--/usr/lib/ruby/gems/.*/passenger-.*/agents/apache2/PassengerHelperAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)
+@@ -1,10 +1,12 @@
+-/usr/.*/gems/.*/passenger-.*/ext/apache2/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0)
+-/usr/.*/gems/.*/passenger-.*/agents/PassengerWatchdog -- gen_context(system_u:object_r:passenger_exec_t,s0)
+-/usr/.*/gems/.*/passenger-.*/agents/PassengerLoggingAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)
+-/usr/.*/gems/.*/passenger-.*/agents/apache2/PassengerHelperAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)
+/usr/share/gems/.*/Passenger.* -- gen_context(system_u:object_r:passenger_exec_t,s0)
+/usr/share/gems/.*/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0)
+/usr/lib/gems/.*/Passenger.* -- gen_context(system_u:object_r:passenger_exec_t,s0)
+/usr/lib/gems/.*/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0)
-+
+
+-/var/lib/passenger(/.*)? gen_context(system_u:object_r:passenger_var_lib_t,s0)
+/usr/share/.*/gems/.*/helper-scripts/prespawn -- gen_context(system_u:object_r:passenger_exec_t,s0)
- /var/lib/passenger(/.*)? gen_context(system_u:object_r:passenger_var_lib_t,s0)
+-/var/log/passenger.* gen_context(system_u:object_r:passenger_log_t,s0)
++/var/lib/passenger(/.*)? gen_context(system_u:object_r:passenger_var_lib_t,s0)
--/var/log/passenger(/.*)? gen_context(system_u:object_r:passenger_log_t,s0)
--/var/log/passenger.* -- gen_context(system_u:object_r:passenger_log_t,s0)
+-/var/run/passenger(/.*)? gen_context(system_u:object_r:passenger_var_run_t,s0)
+/var/log/passenger.* gen_context(system_u:object_r:passenger_log_t,s0)
-
- /var/run/passenger(/.*)? gen_context(system_u:object_r:passenger_var_run_t,s0)
++
++/var/run/passenger(/.*)? gen_context(system_u:object_r:passenger_var_run_t,s0)
diff --git a/passenger.if b/passenger.if
-index f68b573..c050b37 100644
+index bf59ef7..c050b37 100644
--- a/passenger.if
+++ b/passenger.if
-@@ -18,6 +18,42 @@ interface(`passenger_domtrans',`
+@@ -15,17 +15,16 @@ interface(`passenger_domtrans',`
+ type passenger_t, passenger_exec_t;
+ ')
+
+- corecmd_search_bin($1)
domtrans_pattern($1, passenger_exec_t, passenger_t)
')
-+######################################
-+## <summary>
+ ######################################
+ ## <summary>
+-## Execute passenger in the caller domain.
+## Execute passenger in the current domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
+## Domain allowed to transition.
-+## </summary>
-+## </param>
-+#
-+interface(`passenger_exec',`
-+ gen_require(`
-+ type passenger_exec_t;
-+ ')
-+
-+ can_exec($1, passenger_exec_t)
-+')
-+
+ ## </summary>
+ ## </param>
+ #
+@@ -34,13 +33,30 @@ interface(`passenger_exec',`
+ type passenger_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+ can_exec($1, passenger_exec_t)
+ ')
+
+#######################################
+## <summary>
+## Getattr passenger log files
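Review bot: `corecmd_search_bin($1)` is dropped from both `passenger_domtrans` and `passenger_exec` on the new side, so callers now receive the transition or exec permission without any search access to the directory holding the binary. Given that passenger.fc in the same hunk labels the executables under /usr/share/gems and /usr/lib/gems rather than bin directories this is probably deliberate, but the interfaces then silently rely on the caller already having search on those paths; a comment such as `# passenger binaries live under gem dirs, caller must already search /usr/share or /usr/lib` in each interface would record that. Separately, `/usr/share/gems/.*/Passenger.* --` and its /usr/lib counterpart label every regular file whose path contains a component starting with Passenger under any gem as passenger_exec_t, which is much wider than the per-agent paths they replace; anchoring the patterns to the agents and helper-scripts directories would keep the exec type on binaries only.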
@@ -44467,11 +47181,20 @@ index f68b573..c050b37 100644
+
########################################
## <summary>
- ## Read passenger lib files
-@@ -37,3 +73,84 @@ interface(`passenger_read_lib_files',`
- read_lnk_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
- files_search_var_lib($1)
- ')
+-## Read passenger lib files.
++## Read passenger lib files
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -53,6 +69,88 @@ interface(`passenger_read_lib_files',`
+ type passenger_var_lib_t;
+ ')
+
+- files_search_var_lib($1)
+ read_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
++ read_lnk_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
++ files_search_var_lib($1)
++')
+
+########################################
+## <summary>
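Review bot: `passenger_read_lib_files` now also grants `read_lnk_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)`, but the summary edited a few lines above still says only `Read passenger lib files`. Either extend the summary, `## Read passenger lib files and symlinks.`, or keep the symlink grant out of a read-files interface so callers get what the name promises. The interface header starts before the nested hunk; only its body is visible here.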
@@ -44552,39 +47275,68 @@ index f68b573..c050b37 100644
+ files_search_tmp($1)
+ manage_files_pattern($1, passenger_tmp_t, passenger_tmp_t)
+ manage_dirs_pattern($1, passenger_tmp_t, passenger_tmp_t)
-+')
+ ')
diff --git a/passenger.te b/passenger.te
-index 3470036..ca09bc0 100644
+index 4e114ff..ca09bc0 100644
--- a/passenger.te
+++ b/passenger.te
-@@ -28,7 +28,7 @@ files_pid_file(passenger_var_run_t)
- # passanger local policy
+@@ -1,4 +1,4 @@
+-policy_module(passanger, 1.0.3)
++policy_module(passanger, 1.0.0)
+
+ ########################################
#
+@@ -14,6 +14,9 @@ role system_r types passenger_t;
+ type passenger_log_t;
+ logging_log_file(passenger_log_t)
--allow passenger_t self:capability { chown dac_override fsetid fowner kill setuid setgid sys_nice };
-+allow passenger_t self:capability { chown dac_override fsetid fowner kill setuid setgid sys_nice sys_ptrace sys_resource };
++type passenger_tmp_t;
++files_tmp_file(passenger_tmp_t)
++
+ type passenger_var_lib_t;
+ files_type(passenger_var_lib_t)
+
+@@ -22,22 +25,23 @@ files_pid_file(passenger_var_run_t)
+
+ ########################################
+ #
+-# Local policy
++# passanger local policy
+ #
+
+ allow passenger_t self:capability { chown dac_override fsetid fowner kill setuid setgid sys_nice sys_ptrace sys_resource };
allow passenger_t self:process { setpgid setsched sigkill signal };
allow passenger_t self:fifo_file rw_fifo_file_perms;
- allow passenger_t self:unix_stream_socket { create_stream_socket_perms connectto };
-@@ -37,7 +37,7 @@ can_exec(passenger_t, passenger_exec_t)
+-allow passenger_t self:unix_stream_socket { accept connectto listen };
++allow passenger_t self:unix_stream_socket { create_stream_socket_perms connectto };
++
++can_exec(passenger_t, passenger_exec_t)
manage_dirs_pattern(passenger_t, passenger_log_t, passenger_log_t)
- manage_files_pattern(passenger_t, passenger_log_t, passenger_log_t)
+-append_files_pattern(passenger_t, passenger_log_t, passenger_log_t)
+-create_files_pattern(passenger_t, passenger_log_t, passenger_log_t)
+-setattr_files_pattern(passenger_t, passenger_log_t, passenger_log_t)
-logging_log_filetrans(passenger_t, passenger_log_t, file)
++manage_files_pattern(passenger_t, passenger_log_t, passenger_log_t)
+logging_log_filetrans(passenger_t, passenger_log_t, { dir file })
manage_dirs_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t)
manage_files_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t)
-@@ -49,11 +49,16 @@ manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
++files_search_var_lib(passenger_t)
+
+ manage_dirs_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
+ manage_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
+@@ -45,19 +49,19 @@ manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
manage_sock_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
files_pid_filetrans(passenger_t, passenger_var_run_t, { file dir sock_file })
+-can_exec(passenger_t, passenger_exec_t)
+#needed by puppet
+manage_dirs_pattern(passenger_t, passenger_tmp_t, passenger_tmp_t)
+manage_files_pattern(passenger_t, passenger_tmp_t, passenger_tmp_t)
+manage_sock_files_pattern(passenger_t, passenger_tmp_t, passenger_tmp_t)
+files_tmp_filetrans(passenger_t, passenger_tmp_t, { file dir sock_file })
-+
+
kernel_read_system_state(passenger_t)
kernel_read_kernel_sysctls(passenger_t)
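Review bot: Passenger's access to its own logs is widened from upstream's append/create/setattr trio (the removed `append_files_pattern`, `create_files_pattern` and `setattr_files_pattern` lines) to `manage_files_pattern(passenger_t, passenger_log_t, passenger_log_t)`, which adds write, unlink and rename, so the daemon can truncate or delete its own audit trail. If passenger really rotates or rewrites its logs, a comment next to the rule saying so would justify the wider grant; otherwise the upstream trio is the safer form. The module version also moves backwards, `policy_module(passanger, 1.0.0)` replacing upstream's `1.0.3` (pegasus.te below does the same, 1.8.3 to 1.8.0), which may trip version-based upgrade checks and at least makes the Fedora build look older than upstream. The re-widening of unix_stream_socket perms from upstream's `{ accept connectto listen }` to `create_stream_socket_perms` appears here and again in pcscd.te and pegasus.te; if Fedora's base policy grants the create perms domain-wide the rewrite is redundant, and if it does not the reason belongs in the patch description.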
@@ -44592,79 +47344,56 @@ index 3470036..ca09bc0 100644
-corenet_all_recvfrom_unlabeled(passenger_t)
corenet_tcp_sendrecv_generic_if(passenger_t)
corenet_tcp_sendrecv_generic_node(passenger_t)
+-
+-corenet_sendrecv_http_client_packets(passenger_t)
corenet_tcp_connect_http_port(passenger_t)
-@@ -63,11 +68,13 @@ corecmd_exec_shell(passenger_t)
+-corenet_tcp_sendrecv_http_port(passenger_t)
+
+ corecmd_exec_bin(passenger_t)
+ corecmd_exec_shell(passenger_t)
+@@ -66,14 +70,12 @@ dev_read_urand(passenger_t)
- dev_read_urand(passenger_t)
+ domain_read_all_domains_state(passenger_t)
-files_read_etc_files(passenger_t)
-+domain_read_all_domains_state(passenger_t)
-+
+files_read_usr_files(passenger_t)
auth_use_nsswitch(passenger_t)
--miscfiles_read_localization(passenger_t)
-+logging_send_syslog_msg(passenger_t)
+ logging_send_syslog_msg(passenger_t)
+-miscfiles_read_localization(passenger_t)
+-
userdom_dontaudit_use_user_terminals(passenger_t)
-@@ -75,3 +82,25 @@ optional_policy(`
- apache_append_log(passenger_t)
- apache_read_sys_content(passenger_t)
+ optional_policy(`
+@@ -90,14 +92,15 @@ optional_policy(`
')
-+
-+optional_policy(`
-+ hostname_exec(passenger_t)
-+')
-+
-+optional_policy(`
-+ mta_send_mail(passenger_t)
-+')
-+
-+optional_policy(`
+
+ optional_policy(`
+- puppet_manage_lib_files(passenger_t)
+ puppet_manage_lib(passenger_t)
-+ puppet_read_config(passenger_t)
+ puppet_read_config(passenger_t)
+- puppet_append_log_files(passenger_t)
+- puppet_create_log_files(passenger_t)
+- puppet_read_log_files(passenger_t)
+ puppet_append_log(passenger_t)
+ puppet_create_log(passenger_t)
+ puppet_read_log(passenger_t)
+ puppet_search_pid(passenger_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- rpm_exec(passenger_t)
+- rpm_read_db(passenger_t)
+ rpm_exec(passenger_t)
+ rpm_read_db(passenger_t)
-+')
-diff --git a/pcmcia.fc b/pcmcia.fc
-index 9cf0e56..2b5260a 100644
---- a/pcmcia.fc
-+++ b/pcmcia.fc
-@@ -4,6 +4,9 @@
- /sbin/cardctl -- gen_context(system_u:object_r:cardctl_exec_t,s0)
- /sbin/cardmgr -- gen_context(system_u:object_r:cardmgr_exec_t,s0)
-
-+/usr/sbin/cardctl -- gen_context(system_u:object_r:cardctl_exec_t,s0)
-+/usr/sbin/cardmgr -- gen_context(system_u:object_r:cardmgr_exec_t,s0)
-+
- /var/lib/pcmcia(/.*)? gen_context(system_u:object_r:cardmgr_var_run_t,s0)
-
- /var/run/cardmgr\.pid -- gen_context(system_u:object_r:cardmgr_var_run_t,s0)
+ ')
diff --git a/pcmcia.te b/pcmcia.te
-index 4d06ae3..e1a4943 100644
+index 3ad10b5..49baca5 100644
--- a/pcmcia.te
+++ b/pcmcia.te
-@@ -62,9 +62,7 @@ dev_read_urand(cardmgr_t)
-
- domain_use_interactive_fds(cardmgr_t)
- # Read /proc/PID directories for all domains (for fuser).
--domain_read_confined_domains_state(cardmgr_t)
--domain_getattr_confined_domains(cardmgr_t)
--domain_dontaudit_ptrace_confined_domains(cardmgr_t)
-+domain_read_all_domains_state(cardmgr_t)
- # cjp: these look excessive:
- domain_dontaudit_getattr_all_pipes(cardmgr_t)
- domain_dontaudit_getattr_all_sockets(cardmgr_t)
-@@ -96,8 +94,6 @@ libs_exec_lib_files(cardmgr_t)
+@@ -88,20 +88,17 @@ libs_exec_lib_files(cardmgr_t)
logging_send_syslog_msg(cardmgr_t)
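Review bot: The puppet block on the new side calls `puppet_manage_lib`, `puppet_append_log`, `puppet_create_log` and `puppet_read_log` in place of upstream's `puppet_manage_lib_files`, `puppet_append_log_files`, `puppet_create_log_files` and `puppet_read_log_files`, so passenger.te now depends on Fedora-local interface names that must be provided by a puppet.if change elsewhere in this patch. An unknown interface name inside `optional_policy` is not skipped, it breaks the module build, so it is worth confirming the renamed interfaces exist before this lands. `files_read_usr_files(passenger_t)` is also new and unexplained; a short comment on what under /usr passenger needs to read (gem contents, presumably) would help. The enclosing passenger.te section starts in the previous hunk.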
@@ -44673,7 +47402,6 @@ index 4d06ae3..e1a4943 100644
modutils_domtrans_insmod(cardmgr_t)
sysnet_domtrans_ifconfig(cardmgr_t)
-@@ -105,12 +101,11 @@ sysnet_domtrans_ifconfig(cardmgr_t)
sysnet_etc_filetrans_config(cardmgr_t)
sysnet_manage_config(cardmgr_t)
@@ -44687,21 +47415,11 @@ index 4d06ae3..e1a4943 100644
seutil_sigchld_newrole(cardmgr_t)
')
-diff --git a/pcscd.fc b/pcscd.fc
-index 87f17e8..63ee18a 100644
---- a/pcscd.fc
-+++ b/pcscd.fc
-@@ -1,4 +1,5 @@
- /var/run/pcscd\.comm -s gen_context(system_u:object_r:pcscd_var_run_t,s0)
-+/var/run/pcscd(/.*)? gen_context(system_u:object_r:pcscd_var_run_t,s0)
- /var/run/pcscd\.pid -- gen_context(system_u:object_r:pcscd_var_run_t,s0)
- /var/run/pcscd\.pub -- gen_context(system_u:object_r:pcscd_var_run_t,s0)
- /var/run/pcscd\.events(/.*)? gen_context(system_u:object_r:pcscd_var_run_t,s0)
diff --git a/pcscd.if b/pcscd.if
-index 1c2a091..3ead3cc 100644
+index 43d50f9..7f77d32 100644
--- a/pcscd.if
+++ b/pcscd.if
-@@ -34,7 +34,7 @@ interface(`pcscd_read_pub_files',`
+@@ -50,7 +50,7 @@ interface(`pcscd_read_pid_files',`
')
files_search_pids($1)
@@ -44711,18 +47429,22 @@ index 1c2a091..3ead3cc 100644
########################################
diff --git a/pcscd.te b/pcscd.te
-index ceafba6..47b690d 100644
+index 96db654..d23cd25 100644
--- a/pcscd.te
+++ b/pcscd.te
-@@ -25,6 +25,7 @@ allow pcscd_t self:fifo_file rw_fifo_file_perms;
- allow pcscd_t self:unix_stream_socket create_stream_socket_perms;
- allow pcscd_t self:unix_dgram_socket create_socket_perms;
- allow pcscd_t self:tcp_socket create_stream_socket_perms;
-+allow pcscd_t self:netlink_kobject_uevent_socket create_socket_perms;
+@@ -24,8 +24,9 @@ init_daemon_run_dir(pcscd_var_run_t, "pcscd")
+ allow pcscd_t self:capability { dac_override dac_read_search fsetid };
+ allow pcscd_t self:process signal;
+ allow pcscd_t self:fifo_file rw_fifo_file_perms;
+-allow pcscd_t self:unix_stream_socket { accept listen };
+-allow pcscd_t self:tcp_socket { accept listen };
++allow pcscd_t self:unix_stream_socket create_stream_socket_perms;
++allow pcscd_t self:unix_dgram_socket create_socket_perms;
++allow pcscd_t self:tcp_socket create_stream_socket_perms;
+ allow pcscd_t self:netlink_kobject_uevent_socket create_socket_perms;
manage_dirs_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
- manage_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
-@@ -34,7 +35,6 @@ files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file dir })
+@@ -36,7 +37,6 @@ files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file dir })
kernel_read_system_state(pcscd_t)
@@ -44730,7 +47452,15 @@ index ceafba6..47b690d 100644
corenet_all_recvfrom_netlabel(pcscd_t)
corenet_tcp_sendrecv_generic_if(pcscd_t)
corenet_tcp_sendrecv_generic_node(pcscd_t)
-@@ -56,8 +56,6 @@ locallogin_use_fds(pcscd_t)
+@@ -50,7 +50,6 @@ dev_rw_smartcard(pcscd_t)
+ dev_rw_usbfs(pcscd_t)
+ dev_read_sysfs(pcscd_t)
+
+-files_read_etc_files(pcscd_t)
+ files_read_etc_runtime_files(pcscd_t)
+
+ term_use_unallocated_ttys(pcscd_t)
+@@ -60,8 +59,6 @@ locallogin_use_fds(pcscd_t)
logging_send_syslog_msg(pcscd_t)
@@ -44739,98 +47469,190 @@ index ceafba6..47b690d 100644
sysnet_dns_name_resolve(pcscd_t)
optional_policy(`
-@@ -77,3 +75,7 @@ optional_policy(`
- optional_policy(`
- rpm_use_script_fds(pcscd_t)
- ')
-+
-+optional_policy(`
-+ udev_read_db(pcscd_t)
-+')
+diff --git a/pegasus.fc b/pegasus.fc
+index dfd46e4..9515043 100644
+--- a/pegasus.fc
++++ b/pegasus.fc
+@@ -1,15 +1,12 @@
+-/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0)
+-/etc/Pegasus/pegasus_current\.conf gen_context(system_u:object_r:pegasus_data_t,s0)
+-
+-/etc/rc\.d/init\.d/tog-pegasus -- gen_context(system_u:object_r:pegasus_initrc_exec_t,s0)
+
+-/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0)
+-/usr/sbin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0)
++/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0)
++/etc/Pegasus/pegasus_current\.conf gen_context(system_u:object_r:pegasus_data_t,s0)
+
+-/var/cache/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_cache_t,s0)
++/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0)
++/usr/sbin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0)
+
+-/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0)
++/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0)
+
+-/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0)
++/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0)
+
+ /usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0)
+diff --git a/pegasus.if b/pegasus.if
+index d2fc677..920b13f 100644
+--- a/pegasus.if
++++ b/pegasus.if
+@@ -1,52 +1 @@
+ ## <summary>The Open Group Pegasus CIM/WBEM Server.</summary>
+-
+-########################################
+-## <summary>
+-## All of the rules required to
+-## administrate an pegasus environment.
+-## </summary>
+-## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+-## </param>
+-## <param name="role">
+-## <summary>
+-## Role allowed access.
+-## </summary>
+-## </param>
+-## <rolecap/>
+-#
+-interface(`pegasus_admin',`
+- gen_require(`
+- type pegasus_t, pegasus_initrc_exec_t, pegasus_tmp_t;
+- type pegasus_cache_t, pegasus_data_t, pegasus_conf_t;
+- type pegasus_mof_t, pegasus_var_run_t;
+- ')
+-
+- allow $1 pegasus_t:process { ptrace signal_perms };
+- ps_process_pattern($1, pegasus_t)
+-
+- init_labeled_script_domtrans($1, pegasus_initrc_exec_t)
+- domain_system_change_exemption($1)
+- role_transition $2 pegasus_initrc_exec_t system_r;
+- allow $2 system_r;
+-
+- files_search_etc($1)
+- admin_pattern($1, pegasus_conf_t)
+-
+- files_search_usr($1)
+- admin_pattern($1, pegasus_mof_t)
+-
+- files_search_tmp($1)
+- admin_pattern($1, pegasus_tmp_t)
+-
+- files_search_var($1)
+- admin_pattern($1, pegasus_cache_t)
+-
+- files_search_var_lib($1)
+- admin_pattern($1, pegasus_data_t)
+-
+- files_search_pids($1)
+- admin_pattern($1, pegasus_var_run_t)
+-')
diff --git a/pegasus.te b/pegasus.te
-index 3185114..d459c82 100644
+index 7bcf327..d459c82 100644
--- a/pegasus.te
+++ b/pegasus.te
-@@ -9,6 +9,9 @@ type pegasus_t;
+@@ -1,4 +1,4 @@
+-policy_module(pegasus, 1.8.3)
++policy_module(pegasus, 1.8.0)
+
+ ########################################
+ #
+@@ -9,9 +9,6 @@ type pegasus_t;
type pegasus_exec_t;
init_daemon_domain(pegasus_t, pegasus_exec_t)
-+type pegasus_cache_t;
-+files_type(pegasus_cache_t)
-+
- type pegasus_data_t;
- files_type(pegasus_data_t)
-
-@@ -16,7 +19,7 @@ type pegasus_tmp_t;
- files_tmp_file(pegasus_tmp_t)
-
- type pegasus_conf_t;
--files_type(pegasus_conf_t)
-+files_config_file(pegasus_conf_t)
-
- type pegasus_mof_t;
- files_type(pegasus_mof_t)
-@@ -29,18 +32,23 @@ files_pid_file(pegasus_var_run_t)
- # Local policy
- #
+-type pegasus_initrc_exec_t;
+-init_script_file(pegasus_initrc_exec_t)
+-
+ type pegasus_cache_t;
+ files_type(pegasus_cache_t)
--allow pegasus_t self:capability { chown sys_nice setuid setgid dac_override net_bind_service };
-+allow pegasus_t self:capability { chown kill ipc_lock sys_nice setuid setgid dac_override net_admin net_bind_service };
+@@ -39,11 +36,12 @@ allow pegasus_t self:capability { chown kill ipc_lock sys_nice setuid setgid dac
dontaudit pegasus_t self:capability sys_tty_config;
allow pegasus_t self:process signal;
allow pegasus_t self:fifo_file rw_fifo_file_perms;
- allow pegasus_t self:unix_dgram_socket create_socket_perms;
--allow pegasus_t self:unix_stream_socket create_stream_socket_perms;
+-allow pegasus_t self:unix_stream_socket { connectto accept listen };
+-allow pegasus_t self:tcp_socket { accept listen };
++allow pegasus_t self:unix_dgram_socket create_socket_perms;
+allow pegasus_t self:unix_stream_socket { connectto create_stream_socket_perms };
- allow pegasus_t self:tcp_socket create_stream_socket_perms;
++allow pegasus_t self:tcp_socket create_stream_socket_perms;
allow pegasus_t pegasus_conf_t:dir rw_dir_perms;
--allow pegasus_t pegasus_conf_t:file { read_file_perms link unlink };
+-allow pegasus_t pegasus_conf_t:file { read_file_perms delete_file_perms rename_file_perms };
+allow pegasus_t pegasus_conf_t:file { read_file_perms link delete_file_perms rename_file_perms };
allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
-+manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
-+manage_files_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
-+manage_lnk_files_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
-+files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
-+
+ manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
+@@ -54,22 +52,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
-@@ -56,17 +64,20 @@ manage_dirs_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t)
+-filetrans_pattern(pegasus_t, pegasus_conf_t, pegasus_data_t, { dir file })
++filetrans_pattern(pegasus_t, pegasus_conf_t, pegasus_data_t, { file dir })
++
++can_exec(pegasus_t, pegasus_exec_t)
+
+ allow pegasus_t pegasus_mof_t:dir list_dir_perms;
+-allow pegasus_t pegasus_mof_t:file read_file_perms;
+-allow pegasus_t pegasus_mof_t:lnk_file read_lnk_file_perms;
++read_files_pattern(pegasus_t, pegasus_mof_t, pegasus_mof_t)
++read_lnk_files_pattern(pegasus_t, pegasus_mof_t, pegasus_mof_t)
+
+ manage_dirs_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t)
manage_files_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t)
- files_tmp_filetrans(pegasus_t, pegasus_tmp_t, { file dir })
+-files_tmp_filetrans(pegasus_t, pegasus_tmp_t, { dir file })
++files_tmp_filetrans(pegasus_t, pegasus_tmp_t, { file dir })
--allow pegasus_t pegasus_var_run_t:sock_file { create setattr unlink };
+manage_sock_files_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t)
-+manage_dirs_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t)
+ manage_dirs_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t)
manage_files_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t)
--files_pid_filetrans(pegasus_t, pegasus_var_run_t, file)
+-manage_sock_files_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t)
+-files_pid_filetrans(pegasus_t, pegasus_var_run_t, { dir file sock_file })
+-
+-can_exec(pegasus_t, pegasus_exec_t)
+files_pid_filetrans(pegasus_t, pegasus_var_run_t, { file dir })
-+kernel_read_network_state(pegasus_t)
+ kernel_read_network_state(pegasus_t)
kernel_read_kernel_sysctls(pegasus_t)
- kernel_read_fs_sysctls(pegasus_t)
- kernel_read_system_state(pegasus_t)
- kernel_search_vm_sysctl(pegasus_t)
- kernel_read_net_sysctls(pegasus_t)
-+kernel_read_xen_state(pegasus_t)
-+kernel_write_xen_state(pegasus_t)
+@@ -80,27 +78,21 @@ kernel_read_net_sysctls(pegasus_t)
+ kernel_read_xen_state(pegasus_t)
+ kernel_write_xen_state(pegasus_t)
-corenet_all_recvfrom_unlabeled(pegasus_t)
corenet_all_recvfrom_netlabel(pegasus_t)
corenet_tcp_sendrecv_generic_if(pegasus_t)
corenet_tcp_sendrecv_generic_node(pegasus_t)
-@@ -86,7 +97,7 @@ corenet_sendrecv_pegasus_https_server_packets(pegasus_t)
+ corenet_tcp_sendrecv_all_ports(pegasus_t)
+ corenet_tcp_bind_generic_node(pegasus_t)
+-
+-corenet_sendrecv_pegasus_http_server_packets(pegasus_t)
+ corenet_tcp_bind_pegasus_http_port(pegasus_t)
+-
+-corenet_sendrecv_pegasus_https_server_packets(pegasus_t)
+ corenet_tcp_bind_pegasus_https_port(pegasus_t)
+-
+-corenet_sendrecv_pegasus_http_client_packets(pegasus_t)
+ corenet_tcp_connect_pegasus_http_port(pegasus_t)
+-
+-corenet_sendrecv_pegasus_https_client_packets(pegasus_t)
+ corenet_tcp_connect_pegasus_https_port(pegasus_t)
+-
+-corenet_sendrecv_generic_client_packets(pegasus_t)
+ corenet_tcp_connect_generic_port(pegasus_t)
++corenet_sendrecv_generic_client_packets(pegasus_t)
++corenet_sendrecv_pegasus_http_client_packets(pegasus_t)
++corenet_sendrecv_pegasus_http_server_packets(pegasus_t)
++corenet_sendrecv_pegasus_https_client_packets(pegasus_t)
++corenet_sendrecv_pegasus_https_server_packets(pegasus_t)
+
corecmd_exec_bin(pegasus_t)
corecmd_exec_shell(pegasus_t)
-
--dev_read_sysfs(pegasus_t)
-+dev_rw_sysfs(pegasus_t)
- dev_read_urand(pegasus_t)
-
- fs_getattr_all_fs(pegasus_t)
-@@ -95,11 +106,11 @@ files_getattr_all_dirs(pegasus_t)
+@@ -114,6 +106,7 @@ files_getattr_all_dirs(pegasus_t)
auth_use_nsswitch(pegasus_t)
auth_domtrans_chk_passwd(pegasus_t)
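Review bot: The `/var/cache/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_cache_t,s0)` entry is removed from pegasus.fc on the new side and nothing re-adds it, while pegasus.te keeps `type pegasus_cache_t`, the `manage_*_pattern` rules on it and `files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })`. Files the daemon creates still get pegasus_cache_t through the filetrans, but a relabel (restorecon, autorelabel) would reset /var/cache/Pegasus to the generic /var/cache label and break the daemon's access, unless that path is labelled elsewhere in this patch; the dropped line should probably stay. `files_pid_filetrans(pegasus_t, pegasus_var_run_t, { file dir })` likewise narrows upstream's `{ dir file sock_file }` while `manage_sock_files_pattern` on pegasus_var_run_t is kept, so a socket created directly in /var/run would not get pegasus_var_run_t. The whole `pegasus_admin` interface and pegasus_initrc_exec_t are deleted too; if that is the systemd-only move it looks like, a sentence in the patch description would help.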
@@ -44838,24 +47660,28 @@ index 3185114..d459c82 100644
domain_use_interactive_fds(pegasus_t)
domain_read_all_domains_state(pegasus_t)
-
--files_read_etc_files(pegasus_t)
- files_list_var_lib(pegasus_t)
+@@ -122,24 +115,31 @@ files_list_var_lib(pegasus_t)
files_read_var_lib_files(pegasus_t)
files_read_var_lib_symlinks(pegasus_t)
-@@ -112,8 +123,6 @@ init_stream_connect_script(pegasus_t)
+
++hostname_exec(pegasus_t)
++
+ init_rw_utmp(pegasus_t)
+ init_stream_connect_script(pegasus_t)
+
logging_send_audit_msgs(pegasus_t)
logging_send_syslog_msg(pegasus_t)
-miscfiles_read_localization(pegasus_t)
--
- sysnet_read_config(pegasus_t)
- sysnet_domtrans_ifconfig(pegasus_t)
++sysnet_read_config(pegasus_t)
++sysnet_domtrans_ifconfig(pegasus_t)
-@@ -121,12 +130,48 @@ userdom_dontaudit_use_unpriv_user_fds(pegasus_t)
+ userdom_dontaudit_use_unpriv_user_fds(pegasus_t)
userdom_dontaudit_search_user_home_dirs(pegasus_t)
optional_policy(`
+- dbus_system_bus_client(pegasus_t)
+- dbus_connect_system_bus(pegasus_t)
+ dbus_system_bus_client(pegasus_t)
+ dbus_connect_system_bus(pegasus_t)
+
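Review bot: `hostname_exec(pegasus_t)` is added as a bare call rather than inside `optional_policy`, so the pegasus module now hard-depends on the hostname module being present; upstream keeps such cross-module calls optional and the previous version of this patch had it wrapped as well. `sysnet_domtrans_ifconfig(pegasus_t)` is also added unconditionally here while a later hunk keeps another `sysnet_domtrans_ifconfig(pegasus_t)` inside an `optional_policy` block, so one of the two is redundant. Wrapping the hostname call, `optional_policy(` / `hostname_exec(pegasus_t)` / `')`, and dropping the duplicate would match the file's conventions.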
@@ -44863,20 +47689,19 @@ index 3185114..d459c82 100644
+ networkmanager_dbus_chat(pegasus_t)
+ ')
+')
-+
+
+- optional_policy(`
+- networkmanager_dbus_chat(pegasus_t)
+- ')
+optional_policy(`
+ corosync_stream_connect(pegasus_t)
-+')
-+
-+optional_policy(`
-+ hostname_exec(pegasus_t)
-+')
-+
-+optional_policy(`
-+ lldpad_dgram_send(pegasus_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+@@ -151,6 +151,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+ ricci_stream_connect_modclusterd(pegasus_t)
+')
+
@@ -44884,362 +47709,68 @@ index 3185114..d459c82 100644
rpm_exec(pegasus_t)
')
+@@ -159,8 +163,7 @@ optional_policy(`
+ ')
+
optional_policy(`
-+ samba_manage_config(pegasus_t)
-+')
-+
-+optional_policy(`
-+ sysnet_domtrans_ifconfig(pegasus_t)
-+')
-+
-+optional_policy(`
-+ ssh_exec(pegasus_t)
-+')
-+
-+optional_policy(`
- seutil_sigchld_newrole(pegasus_t)
+- seutil_sigchld_newrole(pegasus_t)
- seutil_dontaudit_read_config(pegasus_t)
++ sysnet_domtrans_ifconfig(pegasus_t)
')
optional_policy(`
-@@ -136,3 +181,14 @@ optional_policy(`
- optional_policy(`
- unconfined_signull(pegasus_t)
+@@ -168,7 +171,7 @@ optional_policy(`
')
-+
-+optional_policy(`
-+ virt_domtrans(pegasus_t)
-+ virt_stream_connect(pegasus_t)
-+ virt_manage_config(pegasus_t)
-+')
-+
-+optional_policy(`
-+ xen_stream_connect(pegasus_t)
-+ xen_stream_connect_xenstore(pegasus_t)
-+')
-diff --git a/perdition.te b/perdition.te
-index 3636277..05e65ad 100644
---- a/perdition.te
-+++ b/perdition.te
-@@ -36,7 +36,6 @@ kernel_read_kernel_sysctls(perdition_t)
- kernel_list_proc(perdition_t)
- kernel_read_proc_symlinks(perdition_t)
--corenet_all_recvfrom_unlabeled(perdition_t)
- corenet_all_recvfrom_netlabel(perdition_t)
- corenet_tcp_sendrecv_generic_if(perdition_t)
- corenet_udp_sendrecv_generic_if(perdition_t)
-@@ -59,8 +58,6 @@ files_read_etc_files(perdition_t)
-
- logging_send_syslog_msg(perdition_t)
-
--miscfiles_read_localization(perdition_t)
--
- sysnet_read_config(perdition_t)
+ optional_policy(`
+- sysnet_domtrans_ifconfig(pegasus_t)
++ seutil_sigchld_newrole(pegasus_t)
+ ')
- userdom_dontaudit_use_unpriv_user_fds(perdition_t)
-diff --git a/phpfpm.fc b/phpfpm.fc
-new file mode 100644
-index 0000000..4c64b13
---- /dev/null
-+++ b/phpfpm.fc
-@@ -0,0 +1,7 @@
-+/usr/lib/systemd/system/php-fpm.service -- gen_context(system_u:object_r:phpfpm_unit_file_t,s0)
-+
-+/usr/sbin/php-fpm -- gen_context(system_u:object_r:phpfpm_exec_t,s0)
-+
-+/var/log/php-fpm(/.*)? gen_context(system_u:object_r:phpfpm_log_t,s0)
-+
-+/var/run/php-fpm(/.*)? gen_context(system_u:object_r:phpfpm_var_run_t,s0)
-diff --git a/phpfpm.if b/phpfpm.if
-new file mode 100644
-index 0000000..18f0425
---- /dev/null
-+++ b/phpfpm.if
-@@ -0,0 +1,162 @@
-+
-+## <summary> PHP-FPM (FastCGI Process Manager) is an alternative PHP FastCGI implementation with some additional features useful for sites of any size, especially busier sites. </summary>
-+
-+########################################
-+## <summary>
-+## Execute php-fpm in the phpfpm domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed to transition.
-+## </summary>
-+## </param>
-+#
-+interface(`phpfpm_domtrans',`
-+ gen_require(`
-+ type phpfpm_t, phpfpm_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, phpfpm_exec_t, phpfpm_t)
-+')
-+
-+########################################
-+## <summary>
-+## Read phpfpm's log files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`phpfpm_read_log',`
-+ gen_require(`
-+ type phpfpm_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ read_files_pattern($1, phpfpm_log_t, phpfpm_log_t)
-+')
-+
-+########################################
-+## <summary>
-+## Append to phpfpm log files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`phpfpm_append_log',`
-+ gen_require(`
-+ type phpfpm_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ append_files_pattern($1, phpfpm_log_t, phpfpm_log_t)
-+')
-+
-+########################################
-+## <summary>
-+## Manage phpfpm log files
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`phpfpm_manage_log',`
-+ gen_require(`
-+ type phpfpm_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ manage_dirs_pattern($1, phpfpm_log_t, phpfpm_log_t)
-+ manage_files_pattern($1, phpfpm_log_t, phpfpm_log_t)
-+ manage_lnk_files_pattern($1, phpfpm_log_t, phpfpm_log_t)
-+')
-+
-+########################################
-+## <summary>
-+## Read phpfpm PID files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`phpfpm_read_pid_files',`
-+ gen_require(`
-+ type phpfpm_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ allow $1 phpfpm_var_run_t:file read_file_perms;
-+')
-+
-+########################################
-+## <summary>
-+## Execute phpfpm server in the phpfpm domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed to transition.
-+## </summary>
-+## </param>
-+#
-+interface(`phpfpm_systemctl',`
-+ gen_require(`
-+ type phpfpm_t;
-+ type phpfpm_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 phpfpm_unit_file_t:file read_file_perms;
-+ allow $1 phpfpm_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, phpfpm_t)
-+')
-+
-+
-+########################################
-+## <summary>
-+## All of the rules required to administrate
-+## an phpfpm environment
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`phpfpm_admin',`
-+ gen_require(`
-+ type phpfpm_t;
-+ type phpfpm_log_t;
-+ type phpfpm_var_run_t;
-+ type phpfpm_unit_file_t;
-+ ')
-+
-+ allow $1 phpfpm_t:process { ptrace signal_perms };
-+ ps_process_pattern($1, phpfpm_t)
-+
-+ logging_search_logs($1)
-+ admin_pattern($1, phpfpm_log_t)
-+
-+ files_search_pids($1)
-+ admin_pattern($1, phpfpm_var_run_t)
-+
-+ phpfpm_systemctl($1)
-+ admin_pattern($1, phpfpm_unit_file_t)
-+ allow $1 phpfpm_unit_file_t:service all_service_perms;
-+
-+ optional_policy(`
-+ systemd_passwd_agent_exec($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ ')
-+')
-diff --git a/phpfpm.te b/phpfpm.te
-new file mode 100644
-index 0000000..78af4d7
---- /dev/null
-+++ b/phpfpm.te
-@@ -0,0 +1,61 @@
-+policy_module(phpfpm, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type phpfpm_t;
-+type phpfpm_exec_t;
-+init_daemon_domain(phpfpm_t, phpfpm_exec_t)
-+
-+type phpfpm_log_t;
-+logging_log_file(phpfpm_log_t)
-+
-+type phpfpm_var_run_t;
-+files_pid_file(phpfpm_var_run_t)
-+
-+type phpfpm_unit_file_t;
-+systemd_unit_file(phpfpm_unit_file_t)
-+
-+########################################
-+#
-+# phpfpm local policy
-+#
-+
-+allow phpfpm_t self:capability { chown kill setgid setuid sys_chroot sys_nice };
-+allow phpfpm_t self:process { setsched setrlimit signal sigkill };
-+
-+allow phpfpm_t self:fifo_file rw_fifo_file_perms;
-+allow phpfpm_t self:tcp_socket { accept listen };
-+allow phpfpm_t self:unix_stream_socket create_stream_socket_perms;
-+
-+manage_dirs_pattern(phpfpm_t, phpfpm_log_t, phpfpm_log_t)
-+manage_files_pattern(phpfpm_t, phpfpm_log_t, phpfpm_log_t)
-+
-+manage_dirs_pattern(phpfpm_t, phpfpm_var_run_t, phpfpm_var_run_t)
-+manage_files_pattern(phpfpm_t, phpfpm_var_run_t, phpfpm_var_run_t)
-+files_pid_filetrans(phpfpm_t, phpfpm_var_run_t, dir )
-+
-+kernel_read_system_state(phpfpm_t)
-+kernel_read_kernel_sysctls(phpfpm_t)
-+
-+corenet_tcp_bind_generic_port(phpfpm_t)
-+
-+domain_use_interactive_fds(phpfpm_t)
-+
-+files_read_etc_files(phpfpm_t)
-+
-+auth_use_nsswitch(phpfpm_t)
-+
-+dev_read_rand(phpfpm_t)
-+dev_read_urand(phpfpm_t)
-+
-+logging_send_syslog_msg(phpfpm_t)
-+
-+sysnet_dns_name_resolve(phpfpm_t)
-+
-+optional_policy(`
-+ mysql_stream_connect(phpfpm_t)
-+ mysql_tcp_connect(phpfpm_t)
-+')
+ optional_policy(`
diff --git a/pingd.if b/pingd.if
-index 8688aae..cf34fc1 100644
+index 21a6ecb..b99e4cb 100644
--- a/pingd.if
+++ b/pingd.if
-@@ -55,7 +55,6 @@ interface(`pingd_manage_config',`
+@@ -55,7 +55,8 @@ interface(`pingd_manage_config',`
+ ')
+
files_search_etc($1)
- manage_dirs_pattern($1, pingd_etc_t, pingd_etc_t)
- manage_files_pattern($1, pingd_etc_t, pingd_etc_t)
--
+- allow $1 pingd_etc_t:file manage_file_perms;
++ manage_dirs_pattern($1, pingd_etc_t, pingd_etc_t)
++ manage_files_pattern($1, pingd_etc_t, pingd_etc_t)
')
#######################################
-@@ -77,12 +76,15 @@ interface(`pingd_manage_config',`
- #
- interface(`pingd_admin',`
- gen_require(`
-- type pingd_t, pingd_etc_t;
-- type pingd_initrc_exec_t, pingd_modules_t;
-+ type pingd_t, pingd_etc_t, pingd_modules_t;
-+ type pingd_initrc_exec_t;
+@@ -81,9 +82,13 @@ interface(`pingd_admin',`
+ type pingd_initrc_exec_t;
')
- allow $1 pingd_t:process { ptrace signal_perms };
+ allow $1 pingd_t:process signal_perms;
ps_process_pattern($1, pingd_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 pingd_t:process ptrace;
+ ')
-
++
init_labeled_script_domtrans($1, pingd_initrc_exec_t)
domain_system_change_exemption($1)
+ role_transition $2 pingd_initrc_exec_t system_r;
diff --git a/pingd.te b/pingd.te
-index e9cf8a4..c476cf4 100644
+index 0f77942..0e3f230 100644
--- a/pingd.te
+++ b/pingd.te
-@@ -11,7 +11,7 @@ init_daemon_domain(pingd_t, pingd_exec_t)
+@@ -10,7 +10,7 @@ type pingd_exec_t;
+ init_daemon_domain(pingd_t, pingd_exec_t)
- # type for config
type pingd_etc_t;
-files_type(pingd_etc_t)
+files_config_file(pingd_etc_t)
type pingd_initrc_exec_t;
init_script_file(pingd_initrc_exec_t)
-@@ -27,7 +27,7 @@ files_type(pingd_modules_t)
-
- allow pingd_t self:capability net_raw;
- allow pingd_t self:tcp_socket create_stream_socket_perms;
--allow pingd_t self:rawip_socket { write read create bind };
-+allow pingd_t self:rawip_socket create_socket_perms;
-
- read_files_pattern(pingd_t, pingd_etc_t, pingd_etc_t)
-
-@@ -43,5 +43,3 @@ auth_use_nsswitch(pingd_t)
+@@ -50,5 +50,3 @@ auth_use_nsswitch(pingd_t)
files_search_usr(pingd_t)
logging_send_syslog_msg(pingd_t)
@@ -45462,7 +47993,7 @@ index 0000000..8d681d1
+')
diff --git a/piranha.te b/piranha.te
new file mode 100644
-index 0000000..b1d27d7
+index 0000000..be7f288
--- /dev/null
+++ b/piranha.te
@@ -0,0 +1,295 @@
@@ -45567,7 +48098,7 @@ index 0000000..b1d27d7
+
+corenet_tcp_bind_http_cache_port(piranha_web_t)
+corenet_tcp_bind_luci_port(piranha_web_t)
-+corenet_tcp_bind_piranha_port(piranha_web_t)
++corenet_tcp_bind_servistaitsm_port(piranha_web_t)
+corenet_tcp_connect_ricci_port(piranha_web_t)
+
+dev_read_rand(piranha_web_t)
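Review bot: `corenet_tcp_bind_servistaitsm_port(piranha_web_t)` replaces the piranha-specific bind interface, so piranha_web_t's listening right now depends on whatever port range the corenetwork module declares for servistaitsm, and nothing in this hunk shows it is the port the piranha web UI actually uses. Presumably the piranha port definition was folded into the existing servistaitsm one upstream; confirm that against the corenetwork port declarations, and note that every other domain granted servistaitsm bind now shares that port with piranha_web_t. A one-line comment above the call, `# piranha web UI port is declared as servistaitsm_port_t in corenetwork`, would stop the next reader from treating the rename as a typo.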
@@ -45761,6 +48292,134 @@ index 0000000..b1d27d7
+corecmd_exec_shell(piranha_domain)
+
+sysnet_read_config(piranha_domain)
+diff --git a/pkcs.fc b/pkcs.fc
+deleted file mode 100644
+index f9dc0be..0000000
+--- a/pkcs.fc
++++ /dev/null
+@@ -1,7 +0,0 @@
+-/etc/rc\.d/init\.d/pkcsslotd -- gen_context(system_u:object_r:pkcs_slotd_initrc_exec_t,s0)
+-
+-/usr/sbin/pkcsslotd -- gen_context(system_u:object_r:pkcs_slotd_exec_t,s0)
+-
+-/var/lib/opencryptoki(/.*)? gen_context(system_u:object_r:pkcs_slotd_var_lib_t,s0)
+-
+-/var/run/pkcsslotd\.pid -- gen_context(system_u:object_r:pkcs_slotd_var_run_t,s0)
+diff --git a/pkcs.if b/pkcs.if
+deleted file mode 100644
+index 69be2aa..0000000
+--- a/pkcs.if
++++ /dev/null
+@@ -1,45 +0,0 @@
+-## <summary>Implementations of the Cryptoki specification.</summary>
+-
+-########################################
+-## <summary>
+-## All of the rules required to
+-## administrate an pkcs slotd environment.
+-## </summary>
+-## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+-## </param>
+-## <param name="role">
+-## <summary>
+-## Role allowed access.
+-## </summary>
+-## </param>
+-## <rolecap/>
+-#
+-interface(`pkcs_admin_slotd',`
+- gen_require(`
+- type pkcs_slotd_t, pkcs_slotd_initrc_exec_t, pkcs_slotd_var_lib_t;
+- type pkcs_slotd_var_run_t, pkcs_slotd_tmp_t, pkcs_slotd_tmpfs_t;
+- ')
+-
+- allow $1 pkcs_slotd_t:process { ptrace signal_perms };
+- ps_process_pattern($1, pkcs_slotd_t)
+-
+- init_labeled_script_domtrans($1, pkcs_slotd_initrc_exec_t)
+- domain_system_change_exemption($1)
+- role_transition $2 pkcs_slotd_initrc_exec_t system_r;
+- allow $2 system_r;
+-
+- files_search_var_lib($1)
+- admin_pattern($1, pkcs_slotd_var_lib_t)
+-
+- files_search_pids($1)
+- admin_pattern($1, pkcs_slotd_var_run_t)
+-
+- files_search_tmp($1)
+- admin_pattern($1, pkcs_slotd_tmp_t)
+-
+- fs_search_tmpfs($1)
+- admin_pattern($1, pkcs_slotd_tmpfs_t)
+-')
+diff --git a/pkcs.te b/pkcs.te
+deleted file mode 100644
+index 977b972..0000000
+--- a/pkcs.te
++++ /dev/null
+@@ -1,58 +0,0 @@
+-policy_module(pkcs, 1.0.0)
+-
+-########################################
+-#
+-# Declarations
+-#
+-
+-type pkcs_slotd_t;
+-type pkcs_slotd_exec_t;
+-init_daemon_domain(pkcs_slotd_t, pkcs_slotd_exec_t)
+-
+-type pkcs_slotd_initrc_exec_t;
+-init_script_file(pkcs_slotd_initrc_exec_t)
+-
+-type pkcs_slotd_var_lib_t;
+-files_type(pkcs_slotd_var_lib_t)
+-
+-type pkcs_slotd_var_run_t;
+-files_pid_file(pkcs_slotd_var_run_t)
+-
+-type pkcs_slotd_tmp_t;
+-files_tmp_file(pkcs_slotd_tmp_t)
+-
+-type pkcs_slotd_tmpfs_t;
+-files_tmpfs_file(pkcs_slotd_tmpfs_t)
+-
+-########################################
+-#
+-# Local policy
+-#
+-
+-allow pkcs_slotd_t self:capability kill;
+-allow pkcs_slotd_t self:fifo_file rw_fifo_file_perms;
+-allow pkcs_slotd_t self:sem create_sem_perms;
+-allow pkcs_slotd_t self:shm create_shm_perms;
+-allow pkcs_slotd_t self:unix_stream_socket { accept listen };
+-
+-manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_var_lib_t, pkcs_slotd_var_lib_t)
+-manage_files_pattern(pkcs_slotd_t, pkcs_slotd_var_lib_t, pkcs_slotd_var_lib_t)
+-manage_lnk_files_pattern(pkcs_slotd_t, pkcs_slotd_var_lib_t, pkcs_slotd_var_lib_t)
+-files_var_lib_filetrans(pkcs_slotd_t, pkcs_slotd_var_lib_t, dir)
+-
+-manage_files_pattern(pkcs_slotd_t, pkcs_slotd_var_run_t, pkcs_slotd_var_run_t)
+-files_pid_filetrans(pkcs_slotd_t, pkcs_slotd_var_run_t, file)
+-
+-manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_tmp_t, pkcs_slotd_tmp_t)
+-manage_files_pattern(pkcs_slotd_t, pkcs_slotd_tmp_t, pkcs_slotd_tmp_t)
+-files_tmp_filetrans(pkcs_slotd_t, pkcs_slotd_tmp_t, dir)
+-
+-manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_tmpfs_t, pkcs_slotd_tmpfs_t)
+-manage_files_pattern(pkcs_slotd_t, pkcs_slotd_tmpfs_t, pkcs_slotd_tmpfs_t)
+-fs_tmpfs_filetrans(pkcs_slotd_t, pkcs_slotd_tmpfs_t, dir)
+-
+-files_read_etc_files(pkcs_slotd_t)
+-
+-logging_send_syslog_msg(pkcs_slotd_t)
+-
+-miscfiles_read_localization(pkcs_slotd_t)
diff --git a/pkcsslotd.fc b/pkcsslotd.fc
new file mode 100644
index 0000000..dd1b8f2
@@ -46611,51 +49270,237 @@ index 0000000..dfebbd9
+')
+
diff --git a/plymouthd.fc b/plymouthd.fc
-index 5702ca4..ef1dd7a 100644
+index 735500f..ef1dd7a 100644
--- a/plymouthd.fc
+++ b/plymouthd.fc
-@@ -2,6 +2,14 @@
+@@ -1,15 +1,15 @@
+-/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0)
++/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0)
- /sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0)
+-/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0)
++/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0)
+-/usr/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0)
+/usr/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0)
-+
- /var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t,s0)
-+
- /var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t,s0)
+
+-/usr/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0)
++/var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t,s0)
+
+-/var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t,s0)
++/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t,s0)
+/var/log/boot\.log gen_context(system_u:object_r:plymouthd_var_log_t,mls_systemhigh)
-+
+
+-/var/log/boot\.log.* -- gen_context(system_u:object_r:plymouthd_var_log_t,mls_systemhigh)
+/usr/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0)
-+
- /var/spool/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_spool_t,s0)
-+
+
+-/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t,s0)
++/var/spool/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_spool_t,s0)
+
+-/var/spool/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_spool_t,s0)
diff --git a/plymouthd.if b/plymouthd.if
-index 9759ed8..17c097d 100644
+index 30e751f..17c097d 100644
--- a/plymouthd.if
+++ b/plymouthd.if
-@@ -120,7 +120,7 @@ interface(`plymouthd_search_spool', `
+@@ -1,4 +1,4 @@
+-## <summary>Plymouth graphical boot.</summary>
++## <summary>Plymouth graphical boot</summary>
+
+ ########################################
+ ## <summary>
+@@ -10,18 +10,17 @@
+ ## </summary>
+ ## </param>
+ #
+-interface(`plymouthd_domtrans',`
++interface(`plymouthd_domtrans', `
+ gen_require(`
+ type plymouthd_t, plymouthd_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+ domtrans_pattern($1, plymouthd_exec_t, plymouthd_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Execute plymouthd in the caller domain.
++## Execute the plymoth daemon in the current domain
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -29,19 +28,18 @@ interface(`plymouthd_domtrans',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`plymouthd_exec',`
++interface(`plymouthd_exec', `
+ gen_require(`
+ type plymouthd_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+ can_exec($1, plymouthd_exec_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Connect to plymouthd using a unix
+-## domain stream socket.
++## Allow domain to Stream socket connect
++## to Plymouth daemon.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -49,18 +47,17 @@ interface(`plymouthd_exec',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`plymouthd_stream_connect',`
++interface(`plymouthd_stream_connect', `
+ gen_require(`
+- type plymouthd_t, plymouthd_spool_t;
++ type plymouthd_t;
+ ')
+
+- files_search_spool($1)
+- stream_connect_pattern($1, plymouthd_spool_t, plymouthd_spool_t, plymouthd_t)
++ allow $1 plymouthd_t:unix_stream_socket connectto;
+ ')
+
+ ########################################
+ ## <summary>
+-## Execute plymouth in the caller domain.
++## Execute the plymoth command in the current domain
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -68,18 +65,17 @@ interface(`plymouthd_stream_connect',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`plymouthd_exec_plymouth',`
++interface(`plymouthd_exec_plymouth', `
+ gen_require(`
+ type plymouth_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+ can_exec($1, plymouth_exec_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Execute a domain transition to run plymouth.
++## Execute a domain transition to run plymouthd.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -87,12 +83,11 @@ interface(`plymouthd_exec_plymouth',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`plymouthd_domtrans_plymouth',`
++interface(`plymouthd_domtrans_plymouth', `
+ gen_require(`
+ type plymouth_t, plymouth_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+ domtrans_pattern($1, plymouth_exec_t, plymouth_t)
+ ')
+
+@@ -106,13 +101,13 @@ interface(`plymouthd_domtrans_plymouth',`
## </summary>
## </param>
#
--interface(`plymouthd_read_spool_files', `
-+interface(`plymouthd_read_spool_files',`
+-interface(`plymouthd_search_spool',`
++interface(`plymouthd_search_spool', `
gen_require(`
type plymouthd_spool_t;
')
-@@ -228,20 +228,56 @@ interface(`plymouthd_read_pid_files', `
+
+- files_search_spool($1)
+ allow $1 plymouthd_spool_t:dir search_dir_perms;
++ files_search_spool($1)
+ ')
+
+ ########################################
+@@ -145,7 +140,7 @@ interface(`plymouthd_read_spool_files',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`plymouthd_manage_spool_files',`
++interface(`plymouthd_manage_spool_files', `
+ gen_require(`
+ type plymouthd_spool_t;
+ ')
+@@ -164,13 +159,13 @@ interface(`plymouthd_manage_spool_files',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`plymouthd_search_lib',`
++interface(`plymouthd_search_lib', `
+ gen_require(`
+ type plymouthd_var_lib_t;
+ ')
+
+- files_search_var_lib($1)
+ allow $1 plymouthd_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
+ ')
+
+ ########################################
+@@ -183,7 +178,7 @@ interface(`plymouthd_search_lib',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`plymouthd_read_lib_files',`
++interface(`plymouthd_read_lib_files', `
+ gen_require(`
+ type plymouthd_var_lib_t;
+ ')
+@@ -203,7 +198,7 @@ interface(`plymouthd_read_lib_files',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`plymouthd_manage_lib_files',`
++interface(`plymouthd_manage_lib_files', `
+ gen_require(`
+ type plymouthd_var_lib_t;
+ ')
+@@ -214,7 +209,7 @@ interface(`plymouthd_manage_lib_files',`
########################################
## <summary>
--## All of the rules required to administrate
--## an plymouthd environment
+-## Read plymouthd pid files.
++## Read plymouthd PID files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -222,7 +217,7 @@ interface(`plymouthd_manage_lib_files',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`plymouthd_read_pid_files',`
++interface(`plymouthd_read_pid_files', `
+ gen_require(`
+ type plymouthd_var_run_t;
+ ')
+@@ -233,36 +228,74 @@ interface(`plymouthd_read_pid_files',`
+
+ ########################################
+ ## <summary>
+-## All of the rules required to
+-## administrate an plymouthd environment.
+## Allow the specified domain to read
+## to plymouthd log files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <param name="role">
+#
+interface(`plymouthd_read_log',`
+ gen_require(`
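Review bot: `plymouthd_stream_connect` now grants only `allow $1 plymouthd_t:unix_stream_socket connectto;` where upstream used `stream_connect_pattern($1, plymouthd_spool_t, plymouthd_spool_t, plymouthd_t)`, so callers lose search on the spool directory and write on the socket file; that is only sufficient if plymouthd listens on an abstract socket, which nothing in the hunk establishes. If it does, say so where the rules were dropped: `# plymouthd listens on an abstract unix socket; no sock_file access is needed`, otherwise the spool rules will be re-added at the next merge. The plymouthd.fc part of the hunk also removes upstream's `/var/log/boot\.log.* --` entry in favour of a bare `/var/log/boot\.log`, so rotated copies of boot.log fall back to the generic log type — worth confirming that is intended rather than a merge artefact. The `plymouthd_read_log` interface opened on the last lines continues outside the hunk.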
@@ -46670,14 +49515,16 @@ index 9759ed8..17c097d 100644
+## <summary>
+## Allow the specified domain to manage
+## to plymouthd log files.
- ## </summary>
- ## <param name="domain">
++## </summary>
++## <param name="domain">
## <summary>
- ## Domain allowed access.
+-## Role allowed access.
++## Domain allowed access.
## </summary>
## </param>
--## <param name="role">
-+#
+-## <rolecap/>
+ #
+-interface(`plymouthd_admin',`
+interface(`plymouthd_manage_log',`
+ gen_require(`
+ type plymouthd_var_log_t;
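Review bot: The new summary for `plymouthd_manage_log` reads `## Allow the specified domain to manage` followed by `## to plymouthd log files.`, a grammatical slip also present in the `plymouthd_read_log` summary of the preceding hunk; propose `## plymouthd log files.` for the second line in both. The interface body continues outside the hunk.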
@@ -46695,20 +49542,18 @@ index 9759ed8..17c097d 100644
+## an plymouthd environment
+## </summary>
+## <param name="domain">
- ## <summary>
--## Role allowed access.
++## <summary>
+## Domain allowed access.
- ## </summary>
- ## </param>
--## <rolecap/>
- #
- interface(`plymouthd_admin', `
++## </summary>
++## </param>
++#
++interface(`plymouthd_admin', `
gen_require(`
-@@ -249,12 +285,17 @@ interface(`plymouthd_admin', `
+ type plymouthd_t, plymouthd_spool_t, plymouthd_var_lib_t;
type plymouthd_var_run_t;
')
-- allow $1 plymouthd_t:process { ptrace signal_perms getattr };
+- allow $1 plymouthd_t:process { ptrace signal_perms };
- read_files_pattern($1, plymouthd_t, plymouthd_t)
+ allow $1 plymouthd_t:process signal_perms;
+ ps_process_pattern($1, plymouthd_t)
@@ -46716,32 +49561,28 @@ index 9759ed8..17c097d 100644
+ allow $1 plymouthd_t:process ptrace;
+ ')
+- files_search_spool($1)
+ files_list_var_lib($1)
admin_pattern($1, plymouthd_spool_t)
+- files_search_var_lib($1)
admin_pattern($1, plymouthd_var_lib_t)
+- files_search_pids($1)
+ files_list_pids($1)
admin_pattern($1, plymouthd_var_run_t)
')
diff --git a/plymouthd.te b/plymouthd.te
-index 86700ed..5772ef0 100644
+index b1f412b..5772ef0 100644
--- a/plymouthd.te
+++ b/plymouthd.te
@@ -1,4 +1,4 @@
--policy_module(plymouthd, 1.1.0)
+-policy_module(plymouthd, 1.1.4)
+policy_module(plymouthd, 1.0.1)
########################################
#
-@@ -8,17 +8,21 @@ policy_module(plymouthd, 1.1.0)
- type plymouth_t;
- type plymouth_exec_t;
- application_domain(plymouth_t, plymouth_exec_t)
-+role system_r types plymouth_t;
-
- type plymouthd_t;
- type plymouthd_exec_t;
+@@ -15,7 +15,7 @@ type plymouthd_exec_t;
init_daemon_domain(plymouthd_t, plymouthd_exec_t)
type plymouthd_spool_t;
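Review bot: In `plymouthd_admin` the removed `files_search_spool($1)` has no replacement, while the other two locations get `files_list_var_lib($1)` and `files_list_pids($1)`; an admin domain without its own /var/spool search right cannot reach plymouthd_spool_t despite the `admin_pattern`. Propose `files_list_spool($1)` directly ahead of `admin_pattern($1, plymouthd_spool_t)`, matching the treatment of the other two directories. Separately, `policy_module(plymouthd, 1.0.1)` now sits below the upstream `1.1.4` it replaces; presumably Fedora keeps its own numbering, but a version that goes backwards against upstream deserves a comment so the next merge does not "correct" it.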
@@ -46750,46 +49591,37 @@ index 86700ed..5772ef0 100644
type plymouthd_var_lib_t;
files_type(plymouthd_var_lib_t)
+@@ -28,12 +28,12 @@ files_pid_file(plymouthd_var_run_t)
-+type plymouthd_var_log_t;
-+logging_log_file(plymouthd_var_log_t)
-+
- type plymouthd_var_run_t;
- files_pid_file(plymouthd_var_run_t)
-
-@@ -28,6 +32,7 @@ files_pid_file(plymouthd_var_run_t)
+ ########################################
+ #
+-# Daemon local policy
++# Plymouthd private policy
#
allow plymouthd_t self:capability { sys_admin sys_tty_config };
-+allow plymouthd_t self:capability2 block_suspend;
- dontaudit plymouthd_t self:capability dac_override;
+-dontaudit plymouthd_t self:capability dac_override;
+ allow plymouthd_t self:capability2 block_suspend;
++dontaudit plymouthd_t self:capability dac_override;
allow plymouthd_t self:process { signal getsched };
allow plymouthd_t self:fifo_file rw_fifo_file_perms;
-@@ -42,6 +47,10 @@ manage_dirs_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
- manage_files_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
+ allow plymouthd_t self:unix_stream_socket create_stream_socket_perms;
+@@ -48,9 +48,7 @@ manage_files_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
files_var_lib_filetrans(plymouthd_t, plymouthd_var_lib_t, { file dir })
-+manage_dirs_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t)
+ manage_dirs_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t)
+-append_files_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t)
+-create_files_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t)
+-setattr_files_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t)
+manage_files_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t)
-+logging_log_filetrans(plymouthd_t, plymouthd_var_log_t, { file dir })
-+
- manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
- manage_files_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
- files_pid_filetrans(plymouthd_t, plymouthd_var_run_t, { file dir })
-@@ -57,13 +66,42 @@ dev_write_framebuffer(plymouthd_t)
+ logging_log_filetrans(plymouthd_t, plymouthd_var_log_t, { file dir })
- domain_use_interactive_fds(plymouthd_t)
-
-+fs_getattr_all_fs(plymouthd_t)
-+
- files_read_etc_files(plymouthd_t)
- files_read_usr_files(plymouthd_t)
+ manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
+@@ -77,12 +75,22 @@ term_getattr_pty_fs(plymouthd_t)
+ term_use_all_terms(plymouthd_t)
+ term_use_ptmx(plymouthd_t)
-miscfiles_read_localization(plymouthd_t)
-+term_getattr_pty_fs(plymouthd_t)
-+term_use_all_terms(plymouthd_t)
-+term_use_ptmx(plymouthd_t)
-+
+init_signal(plymouthd_t)
+
+logging_link_generic_logs(plymouthd_t)
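Review bot: `manage_files_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t)` replaces upstream's `append_files_pattern`/`create_files_pattern`/`setattr_files_pattern` triple, widening the daemon from append-only on its own log to read, write, unlink and rename, and `logging_link_generic_logs(plymouthd_t)` on top lets it hard-link generic var_log_t files. Append-only on a daemon's own log is the narrower grant precisely so a compromised daemon cannot rewrite what it already logged; if plymouthd only needs to truncate boot.log at boot, keeping upstream's three lines plus `write_files_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t)` covers that with less. If the full manage set really is required, a comment naming the operation that needs it would stop the next merge from reverting to upstream.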
@@ -46804,31 +49636,39 @@ index 86700ed..5772ef0 100644
+
+term_use_unallocated_ttys(plymouthd_t)
+
-+optional_policy(`
+ optional_policy(`
+- gnome_read_generic_home_content(plymouthd_t)
+ gnome_read_config(plymouthd_t)
-+')
-+
-+optional_policy(`
-+ sssd_stream_connect(plymouthd_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+@@ -90,21 +98,19 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- xserver_manage_xdm_spool_files(plymouthd_t)
+- xserver_read_xdm_state(plymouthd_t)
+ xserver_xdm_manage_spool(plymouthd_t)
+ xserver_read_state_xdm(plymouthd_t)
-+')
-+
+ ')
+
########################################
#
- # Plymouth private policy
-@@ -74,6 +112,7 @@ allow plymouth_t self:fifo_file rw_file_perms;
+-# Client local policy
++# Plymouth private policy
+ #
+
+ allow plymouth_t self:process signal;
+-allow plymouth_t self:fifo_file rw_fifo_file_perms;
++allow plymouth_t self:fifo_file rw_file_perms;
allow plymouth_t self:unix_stream_socket create_stream_socket_perms;
+-stream_connect_pattern(plymouth_t, plymouthd_spool_t, plymouthd_spool_t, plymouthd_t)
+-
kernel_read_system_state(plymouth_t)
-+kernel_stream_connect(plymouth_t)
+ kernel_stream_connect(plymouth_t)
- domain_use_interactive_fds(plymouth_t)
-
-@@ -81,7 +120,6 @@ files_read_etc_files(plymouth_t)
+@@ -114,11 +120,12 @@ files_read_etc_files(plymouth_t)
term_use_ptmx(plymouth_t)
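Review bot: `allow plymouth_t self:fifo_file rw_file_perms;` reverts upstream's `rw_fifo_file_perms`, while the podsleuth change later in this commit adopts `rw_fifo_file_perms` for the same kind of rule — the two edits pull in opposite directions. Keep upstream's `allow plymouth_t self:fifo_file rw_fifo_file_perms;` here; the fifo-specific permission set is the one intended for that class. The upstream `stream_connect_pattern(plymouth_t, plymouthd_spool_t, plymouthd_spool_t, plymouthd_t)` removed at the end of this hunk has its replacement, `plymouthd_stream_connect(plymouth_t)`, in the following hunk, so the two should be read together.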
@@ -46836,61 +49676,84 @@ index 86700ed..5772ef0 100644
sysnet_read_config(plymouth_t)
+-ifdef(`hide_broken_symptoms',`
++plymouthd_stream_connect(plymouth_t)
++
++ifdef(`hide_broken_symptoms', `
+ optional_policy(`
+ hal_dontaudit_write_log(plymouth_t)
+ hal_dontaudit_rw_pipes(plymouth_t)
diff --git a/podsleuth.te b/podsleuth.te
-index 4cffb07..4170218 100644
+index a14b3bc..caa8e6c 100644
--- a/podsleuth.te
+++ b/podsleuth.te
-@@ -25,7 +25,8 @@ userdom_user_tmpfs_file(podsleuth_tmpfs_t)
- # podsleuth local policy
+@@ -29,7 +29,8 @@ userdom_user_tmpfs_file(podsleuth_tmpfs_t)
#
+
allow podsleuth_t self:capability { kill dac_override sys_admin sys_rawio };
-allow podsleuth_t self:process { ptrace signal signull getsched execheap execmem execstack };
+allow podsleuth_t self:process { signal signull getsched execheap execmem execstack };
+
- allow podsleuth_t self:fifo_file rw_file_perms;
+ allow podsleuth_t self:fifo_file rw_fifo_file_perms;
allow podsleuth_t self:unix_stream_socket create_stream_socket_perms;
allow podsleuth_t self:sem create_sem_perms;
-@@ -66,7 +67,6 @@ fs_getattr_tmpfs(podsleuth_t)
+@@ -76,8 +77,6 @@ fs_getattr_tmpfs(podsleuth_t)
fs_list_tmpfs(podsleuth_t)
fs_rw_removable_blk_files(podsleuth_t)
-miscfiles_read_localization(podsleuth_t)
-
+-
sysnet_dns_name_resolve(podsleuth_t)
+ userdom_signal_unpriv_users(podsleuth_t)
diff --git a/policykit.fc b/policykit.fc
-index 63d0061..4718a93 100644
+index 1d76c72..4718a93 100644
--- a/policykit.fc
+++ b/policykit.fc
-@@ -1,16 +1,20 @@
- /usr/lib/policykit/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
--/usr/lib/policykit/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
+@@ -1,23 +1,20 @@
+-/usr/lib/polkit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
+-/usr/lib/polkit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
+-
+-/usr/lib/policykit/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
+-/usr/lib/policykit/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
+-/usr/lib/policykit/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
+-/usr/lib/policykit/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
+-/usr/lib/policykit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
+-/usr/lib/policykit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
++/usr/lib/policykit/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
+/usr/lib/policykit/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
- /usr/lib/policykit/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
- /usr/lib/policykit/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
--/usr/lib/policykit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
++/usr/lib/policykit/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
++/usr/lib/policykit/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
+/usr/lib/polkit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
/usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
- /usr/libexec/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
--/usr/libexec/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
+-/usr/libexec/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
+-/usr/libexec/polkitd.* -- gen_context(system_u:object_r:policykit_exec_t,s0)
+-/usr/libexec/polkit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
+-/usr/libexec/polkit-1/polkitd.* -- gen_context(system_u:object_r:policykit_exec_t,s0)
++/usr/libexec/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
+/usr/libexec/polkitd.* -- gen_context(system_u:object_r:policykit_exec_t,s0)
+/usr/libexec/polkit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
+/usr/lib/polkit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
+/usr/libexec/polkit-1/polkitd.* -- gen_context(system_u:object_r:policykit_exec_t,s0)
- /var/lib/misc/PolicyKit.reload gen_context(system_u:object_r:policykit_reload_t,s0)
- /var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
+-/var/lib/misc/PolicyKit.reload gen_context(system_u:object_r:policykit_reload_t,s0)
+-/var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
+-/var/lib/polkit-1(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
+-/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
++/var/lib/misc/PolicyKit.reload gen_context(system_u:object_r:policykit_reload_t,s0)
++/var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
+/var/lib/polkit-1(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
- /var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
- /var/run/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0)
++/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
++/var/run/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0)
+-/var/run/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0)
diff --git a/policykit.if b/policykit.if
-index 48ff1e8..be00a65 100644
+index 032a84d..be00a65 100644
--- a/policykit.if
+++ b/policykit.if
-@@ -17,18 +17,43 @@ interface(`policykit_dbus_chat',`
+@@ -17,6 +17,8 @@ interface(`policykit_dbus_chat',`
class dbus send_msg;
')
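Review bot: The reordered policykit.fc on the new side re-adds every upstream path except `/usr/lib/policykit-1/polkit-agent-helper-1` and `/usr/lib/policykit-1/polkitd`, which are removed and never re-listed. A polkitd binary at a path without the policykit_exec_t label does not transition into policykit_t and keeps the domain of whatever started it, so dropping an executable path is a privilege question rather than a cosmetic one; presumably those paths are not shipped on Fedora, but the hunk gives no sign, and the rest of the reorder changes nothing. Either re-add the two lines or leave a comment next to the polkit-1 entries, `# /usr/lib/policykit-1 paths intentionally dropped: not shipped on Fedora`.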
@@ -46899,44 +49762,55 @@ index 48ff1e8..be00a65 100644
allow $1 policykit_t:dbus send_msg;
allow policykit_t $1:dbus send_msg;
')
-
+@@ -24,7 +26,7 @@ interface(`policykit_dbus_chat',`
########################################
## <summary>
--## Execute a domain transition to run polkit_auth.
-+## Send and receive messages from
+ ## Send and receive messages from
+-## policykit auth over dbus.
+## policykit over dbus.
## </summary>
## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`policykit_dbus_chat_auth',`
-+ gen_require(`
-+ type policykit_auth_t;
-+ class dbus send_msg;
-+ ')
-+
+ ## <summary>
+@@ -38,6 +40,8 @@ interface(`policykit_dbus_chat_auth',`
+ class dbus send_msg;
+ ')
+
+ ps_process_pattern(policykit_auth_t, $1)
+
-+ allow $1 policykit_auth_t:dbus send_msg;
-+ allow policykit_auth_t $1:dbus send_msg;
-+')
-+
-+########################################
- ## <summary>
--## Domain allowed to transition.
-+## Execute a domain transition to run polkit_auth.
+ allow $1 policykit_auth_t:dbus send_msg;
+ allow policykit_auth_t $1:dbus send_msg;
+ ')
+@@ -47,9 +51,9 @@ interface(`policykit_dbus_chat_auth',`
+ ## Execute a domain transition to run polkit_auth.
## </summary>
-+## <param name="domain">
+ ## <param name="domain">
+-## <summary>
+## <summary>
-+## Domain allowed to transition.
+ ## Domain allowed to transition.
+-## </summary>
+## </summary>
## </param>
#
interface(`policykit_domtrans_auth',`
-@@ -54,6 +79,7 @@ interface(`policykit_domtrans_auth',`
+@@ -57,15 +61,13 @@ interface(`policykit_domtrans_auth',`
+ type policykit_auth_t, policykit_auth_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+ domtrans_pattern($1, policykit_auth_exec_t, policykit_auth_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Execute a policy_auth in the policy
+-## auth domain, and allow the specified
+-## role the policy auth domain.
++## Execute a policy_auth in the policy_auth domain, and
++## allow the specified role the policy_auth domain,
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -77,24 +79,28 @@ interface(`policykit_domtrans_auth',`
## Role allowed access.
## </summary>
## </param>
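Review bot: The summary of `policykit_dbus_chat_auth` is changed from `## policykit auth over dbus.` to `## policykit over dbus.`, which now describes the neighbouring `policykit_dbus_chat` rather than this interface; keep upstream's wording. The same interface gains `ps_process_pattern(policykit_auth_t, $1)`, so the auth agent may read the caller's process state in addition to exchanging dbus messages, and the summary should say so, for example by appending `## and allow policykit auth to read its process state.`. `policykit_run_auth` in the next hunk and `policykit_domtrans_resolve` two hunks on add the same pattern (run_auth also a `signal` right) without mentioning it in their summaries either.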
@@ -46944,30 +49818,89 @@ index 48ff1e8..be00a65 100644
#
interface(`policykit_run_auth',`
gen_require(`
-@@ -62,6 +88,9 @@ interface(`policykit_run_auth',`
+- attribute_role policykit_auth_roles;
++ type policykit_auth_t;
+ ')
policykit_domtrans_auth($1)
- role $2 types policykit_auth_t;
+- roleattribute $2 policykit_auth_roles;
++ role $2 types policykit_auth_t;
+
+ allow $1 policykit_auth_t:process signal;
+ ps_process_pattern(policykit_auth_t, $1)
')
########################################
-@@ -69,9 +98,9 @@ interface(`policykit_run_auth',`
- ## Execute a domain transition to run polkit_grant.
+ ## <summary>
+-## Execute a domain transition to run polkit grant.
++## Execute a domain transition to run polkit_grant.
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
++## <summary>
+ ## Domain allowed to transition.
+-## </summary>
++## </summary>
+ ## </param>
+ #
+ interface(`policykit_domtrans_grant',`
+@@ -102,15 +108,13 @@ interface(`policykit_domtrans_grant',`
+ type policykit_grant_t, policykit_grant_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+ domtrans_pattern($1, policykit_grant_exec_t, policykit_grant_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Execute a policy_grant in the policy
+-## grant domain, and allow the specified
+-## role the policy grant domain.
++## Execute a policy_grant in the policy_grant domain, and
++## allow the specified role the policy_grant domain,
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -126,16 +130,20 @@ interface(`policykit_domtrans_grant',`
+ #
+ interface(`policykit_run_grant',`
+ gen_require(`
+- attribute_role policykit_grant_roles;
++ type policykit_grant_t;
+ ')
+
+ policykit_domtrans_grant($1)
+- roleattribute $2 policykit_grant_roles;
++ role $2 types policykit_grant_t;
++
++ allow $1 policykit_grant_t:process signal;
++
++ ps_process_pattern(policykit_grant_t, $1)
+ ')
+
+ ########################################
+ ## <summary>
+-## Read policykit reload files.
++## read policykit reload files
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -154,7 +162,7 @@ interface(`policykit_read_reload',`
+
+ ########################################
+ ## <summary>
+-## Read and write policykit reload files.
++## rw policykit reload files
## </summary>
## <param name="domain">
--## <summary>
-+## <summary>
- ## Domain allowed to transition.
--## </summary>
-+## </summary>
- ## </param>
- #
- interface(`policykit_domtrans_grant',`
-@@ -155,9 +184,9 @@ interface(`policykit_rw_reload',`
- ## Execute a domain transition to run polkit_resolve.
+ ## <summary>
+@@ -173,12 +181,12 @@ interface(`policykit_rw_reload',`
+
+ ########################################
+ ## <summary>
+-## Execute a domain transition to run polkit resolve.
++## Execute a domain transition to run polkit_resolve.
## </summary>
## <param name="domain">
-## <summary>
@@ -46978,7 +49911,34 @@ index 48ff1e8..be00a65 100644
## </param>
#
interface(`policykit_domtrans_resolve',`
-@@ -206,4 +235,50 @@ interface(`policykit_read_lib',`
+@@ -186,8 +194,9 @@ interface(`policykit_domtrans_resolve',`
+ type policykit_resolve_t, policykit_resolve_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+ domtrans_pattern($1, policykit_resolve_exec_t, policykit_resolve_t)
++
++ ps_process_pattern(policykit_resolve_t, $1)
+ ')
+
+ ########################################
+@@ -205,13 +214,13 @@ interface(`policykit_search_lib',`
+ type policykit_var_lib_t;
+ ')
+
+- files_search_var_lib($1)
+ allow $1 policykit_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
+ ')
+
+ ########################################
+ ## <summary>
+-## Read policykit lib files.
++## read policykit lib files
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -226,4 +235,50 @@ interface(`policykit_read_lib',`
files_search_var_lib($1)
read_files_pattern($1, policykit_var_lib_t, policykit_var_lib_t)
@@ -47030,140 +49990,139 @@ index 48ff1e8..be00a65 100644
+ allow $1 policykit_auth_t:process signal;
')
diff --git a/policykit.te b/policykit.te
-index 44db896..946bfb5 100644
+index 49694e8..946bfb5 100644
--- a/policykit.te
+++ b/policykit.te
-@@ -1,51 +1,67 @@
--policy_module(policykit, 1.2.0)
+@@ -1,4 +1,4 @@
+-policy_module(policykit, 1.2.8)
+policy_module(policykit, 1.1.0)
########################################
#
- # Declarations
- #
+@@ -7,9 +7,6 @@ policy_module(policykit, 1.2.8)
--type policykit_t alias polkit_t;
--type policykit_exec_t alias polkit_exec_t;
-+attribute policykit_domain;
-+
-+type policykit_t, policykit_domain;
-+type policykit_exec_t;
- init_daemon_domain(policykit_t, policykit_exec_t)
+ attribute policykit_domain;
--type policykit_auth_t alias polkit_auth_t;
--type policykit_auth_exec_t alias polkit_auth_exec_t;
-+type policykit_auth_t, policykit_domain;
-+type policykit_auth_exec_t;
+-attribute_role policykit_auth_roles;
+-attribute_role policykit_grant_roles;
+-
+ type policykit_t, policykit_domain;
+ type policykit_exec_t;
+ init_daemon_domain(policykit_t, policykit_exec_t)
+@@ -17,12 +14,10 @@ init_daemon_domain(policykit_t, policykit_exec_t)
+ type policykit_auth_t, policykit_domain;
+ type policykit_auth_exec_t;
init_daemon_domain(policykit_auth_t, policykit_auth_exec_t)
+-role policykit_auth_roles types policykit_auth_t;
--type policykit_grant_t alias polkit_grant_t;
--type policykit_grant_exec_t alias polkit_grant_exec_t;
-+type policykit_grant_t, policykit_domain;
-+type policykit_grant_exec_t;
+ type policykit_grant_t, policykit_domain;
+ type policykit_grant_exec_t;
init_system_domain(policykit_grant_t, policykit_grant_exec_t)
+-role policykit_grant_roles types policykit_grant_t;
--type policykit_resolve_t alias polkit_resolve_t;
--type policykit_resolve_exec_t alias polkit_resolve_exec_t;
-+type policykit_resolve_t, policykit_domain;
-+type policykit_resolve_exec_t;
- init_system_domain(policykit_resolve_t, policykit_resolve_exec_t)
+ type policykit_resolve_t, policykit_domain;
+ type policykit_resolve_exec_t;
+@@ -42,63 +37,64 @@ files_pid_file(policykit_var_run_t)
- type policykit_reload_t alias polkit_reload_t;
- files_type(policykit_reload_t)
+ #######################################
+ #
+-# Common policykit domain local policy
++# policykit_domain local policy
+ #
-+type policykit_tmp_t;
-+files_tmp_file(policykit_tmp_t)
-+
- type policykit_var_lib_t alias polkit_var_lib_t;
- files_type(policykit_var_lib_t)
+ allow policykit_domain self:process { execmem getattr };
+ allow policykit_domain self:fifo_file rw_fifo_file_perms;
- type policykit_var_run_t alias polkit_var_run_t;
- files_pid_file(policykit_var_run_t)
+-kernel_search_proc(policykit_domain)
+-
+-corecmd_exec_bin(policykit_domain)
+-
+ dev_read_sysfs(policykit_domain)
-+#######################################
-+#
-+# policykit_domain local policy
-+#
-+
-+allow policykit_domain self:process { execmem getattr };
-+allow policykit_domain self:fifo_file rw_fifo_file_perms;
-+
-+dev_read_sysfs(policykit_domain)
-+
+-files_read_usr_files(policykit_domain)
+-
+-logging_send_syslog_msg(policykit_domain)
+-
+-miscfiles_read_localization(policykit_domain)
+-
########################################
#
- # policykit local policy
+-# Local policy
++# policykit local policy
#
--allow policykit_t self:capability { setgid setuid };
--allow policykit_t self:process getattr;
--allow policykit_t self:fifo_file rw_file_perms;
-+allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_nice sys_ptrace };
-+allow policykit_t self:process { getsched setsched signal };
- allow policykit_t self:unix_dgram_socket create_socket_perms;
--allow policykit_t self:unix_stream_socket create_stream_socket_perms;
+ allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_nice sys_ptrace };
+ allow policykit_t self:process { getsched setsched signal };
+-allow policykit_t self:unix_stream_socket { accept connectto listen };
++allow policykit_t self:unix_dgram_socket create_socket_perms;
+allow policykit_t self:unix_stream_socket { create_stream_socket_perms connectto };
++
++policykit_domtrans_auth(policykit_t)
++
++can_exec(policykit_t, policykit_exec_t)
++corecmd_exec_bin(policykit_t)
++
++dev_read_sysfs(policykit_t)
- policykit_domtrans_auth(policykit_t)
-
- can_exec(policykit_t, policykit_exec_t)
- corecmd_exec_bin(policykit_t)
+ rw_files_pattern(policykit_t, policykit_reload_t, policykit_reload_t)
-+dev_read_sysfs(policykit_t)
++policykit_domtrans_resolve(policykit_t)
+
- rw_files_pattern(policykit_t, policykit_reload_t, policykit_reload_t)
+ manage_files_pattern(policykit_t, policykit_var_lib_t, policykit_var_lib_t)
- policykit_domtrans_resolve(policykit_t)
-@@ -56,56 +72,115 @@ manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
+ manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir })
-+kernel_read_system_state(policykit_t)
- kernel_read_kernel_sysctls(policykit_t)
+-can_exec(policykit_t, policykit_exec_t)
+-
+-domtrans_pattern(policykit_t, policykit_auth_exec_t, policykit_auth_t)
+-domtrans_pattern(policykit_t, policykit_resolve_exec_t, policykit_resolve_t)
+-
+-kernel_read_kernel_sysctls(policykit_t)
+ kernel_read_system_state(policykit_t)
++kernel_read_kernel_sysctls(policykit_t)
--files_read_etc_files(policykit_t)
-+domain_read_all_domains_state(policykit_t)
-+
- files_read_usr_files(policykit_t)
-+files_dontaudit_search_all_mountpoints(policykit_t)
-+
-+fs_list_inotifyfs(policykit_t)
+ domain_read_all_domains_state(policykit_t)
- auth_use_nsswitch(policykit_t)
++files_read_usr_files(policykit_t)
+ files_dontaudit_search_all_mountpoints(policykit_t)
- logging_send_syslog_msg(policykit_t)
+ fs_list_inotifyfs(policykit_t)
--miscfiles_read_localization(policykit_t)
--
-+userdom_getattr_all_users(policykit_t)
+ auth_use_nsswitch(policykit_t)
+
++logging_send_syslog_msg(policykit_t)
++
+ userdom_getattr_all_users(policykit_t)
userdom_read_all_users_state(policykit_t)
+userdom_dontaudit_search_admin_dir(policykit_t)
-+
-+optional_policy(`
-+ dbus_system_domain(policykit_t, policykit_exec_t)
-+
+
+ optional_policy(`
+ dbus_system_domain(policykit_t, policykit_exec_t)
+
+ init_dbus_chat(policykit_t)
+
-+ optional_policy(`
-+ consolekit_dbus_chat(policykit_t)
-+ ')
-+
-+ optional_policy(`
-+ rpm_dbus_chat(policykit_t)
-+ ')
-+')
-+
-+optional_policy(`
+ optional_policy(`
+ consolekit_dbus_chat(policykit_t)
+ ')
+@@ -109,29 +105,43 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+ consolekit_list_pid_files(policykit_t)
-+ consolekit_read_pid_files(policykit_t)
-+')
-+
-+optional_policy(`
+ consolekit_read_pid_files(policykit_t)
+ ')
+
+ optional_policy(`
+- gnome_read_generic_home_content(policykit_t)
+ kerberos_tmp_filetrans_host_rcache(policykit_t, "host_0")
+ kerberos_manage_host_rcache(policykit_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- kerberos_manage_host_rcache(policykit_t)
+- kerberos_tmp_filetrans_host_rcache(policykit_t, file, "host_0")
+ gnome_read_config(policykit_t)
+')
+
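Review bot: `allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_nice sys_ptrace };` is kept on the new side together with `domain_read_all_domains_state(policykit_t)`, which leaves the polkit daemon with ptrace capability plus state read over every domain while the same patch drops `mcs_ptrace_all` and `sys_ptrace` from the resolve helper. Elsewhere in this patch (`polipo_role` in polipo.if) ptrace is gated behind the `deny_ptrace` tunable with an empty true branch; the same treatment fits here: remove `sys_ptrace` from the unconditional set and add a three-line `tunable_policy` block on `deny_ptrace` granting `allow policykit_t self:capability sys_ptrace;` only in the else branch, so administrators who set the boolean get the restriction for polkit too. Whether polkitd needs `sys_ptrace` at all (rather than only `dac_read_search` to read other processes' /proc entries) is not visible from the hunk and is worth a comment either way.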
@@ -47171,255 +50130,292 @@ index 44db896..946bfb5 100644
+ systemd_read_logind_sessions_files(policykit_t)
+ systemd_login_list_pid_dirs(policykit_t)
+ systemd_login_read_pid_files(policykit_t)
-+')
+ ')
########################################
#
- # polkit_auth local policy
+-# Auth local policy
++# polkit_auth local policy
#
--allow policykit_auth_t self:capability setgid;
--allow policykit_auth_t self:process getattr;
--allow policykit_auth_t self:fifo_file rw_file_perms;
+-allow policykit_auth_t self:capability { ipc_lock setgid setuid sys_nice };
+allow policykit_auth_t self:capability { sys_nice ipc_lock setgid setuid };
-+dontaudit policykit_auth_t self:capability sys_tty_config;
+ dontaudit policykit_auth_t self:capability sys_tty_config;
+-allow policykit_auth_t self:process { getsched setsched signal };
+-allow policykit_auth_t self:unix_stream_socket { accept listen };
+allow policykit_auth_t self:process { setsched getsched signal };
+
- allow policykit_auth_t self:unix_dgram_socket create_socket_perms;
- allow policykit_auth_t self:unix_stream_socket create_stream_socket_perms;
++allow policykit_auth_t self:unix_dgram_socket create_socket_perms;
++allow policykit_auth_t self:unix_stream_socket create_stream_socket_perms;
+-ps_process_pattern(policykit_auth_t, policykit_domain)
+policykit_dbus_chat(policykit_auth_t)
+
+kernel_read_system_state(policykit_auth_t)
+
- can_exec(policykit_auth_t, policykit_auth_exec_t)
--corecmd_search_bin(policykit_auth_t)
++can_exec(policykit_auth_t, policykit_auth_exec_t)
+corecmd_exec_bin(policykit_auth_t)
rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t)
-+manage_dirs_pattern(policykit_auth_t, policykit_tmp_t, policykit_tmp_t)
-+manage_files_pattern(policykit_auth_t, policykit_tmp_t, policykit_tmp_t)
-+files_tmp_filetrans(policykit_auth_t, policykit_tmp_t, { file dir })
-+
- manage_files_pattern(policykit_auth_t, policykit_var_lib_t, policykit_var_lib_t)
-
- manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
+@@ -145,14 +155,12 @@ manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir })
+-can_exec(policykit_auth_t, policykit_auth_exec_t)
+-
-kernel_read_system_state(policykit_auth_t)
-+kernel_dontaudit_search_kernel_sysctl(policykit_auth_t)
+ kernel_dontaudit_search_kernel_sysctl(policykit_auth_t)
--files_read_etc_files(policykit_auth_t)
-+dev_read_video_dev(policykit_auth_t)
-+
-+files_read_etc_runtime_files(policykit_auth_t)
- files_read_usr_files(policykit_auth_t)
-+files_search_home(policykit_auth_t)
-+
-+fs_getattr_all_fs(policykit_auth_t)
-+fs_search_tmpfs(policykit_auth_t)
+ dev_read_video_dev(policykit_auth_t)
-+auth_rw_var_auth(policykit_auth_t)
- auth_use_nsswitch(policykit_auth_t)
-+auth_domtrans_chk_passwd(policykit_auth_t)
+ files_read_etc_runtime_files(policykit_auth_t)
++files_read_usr_files(policykit_auth_t)
+ files_search_home(policykit_auth_t)
- logging_send_syslog_msg(policykit_auth_t)
+ fs_getattr_all_fs(policykit_auth_t)
+@@ -162,48 +170,58 @@ auth_rw_var_auth(policykit_auth_t)
+ auth_use_nsswitch(policykit_auth_t)
+ auth_domtrans_chk_passwd(policykit_auth_t)
--miscfiles_read_localization(policykit_auth_t)
-+miscfiles_read_fonts(policykit_auth_t)
-+miscfiles_setattr_fonts_cache_dirs(policykit_auth_t)
++logging_send_syslog_msg(policykit_auth_t)
++
+ miscfiles_read_fonts(policykit_auth_t)
+ miscfiles_setattr_fonts_cache_dirs(policykit_auth_t)
userdom_dontaudit_read_user_home_content_files(policykit_auth_t)
+userdom_dontaudit_write_user_tmp_files(policykit_auth_t)
+userdom_read_admin_home_files(policykit_auth_t)
optional_policy(`
-- dbus_system_bus_client(policykit_auth_t)
+- dbus_system_domain(policykit_auth_t, policykit_auth_exec_t)
+- dbus_all_session_bus_client(policykit_auth_t)
+ dbus_system_domain( policykit_auth_t, policykit_auth_exec_t)
- dbus_session_bus_client(policykit_auth_t)
++ dbus_session_bus_client(policykit_auth_t)
optional_policy(`
-@@ -118,14 +193,26 @@ optional_policy(`
+ consolekit_dbus_chat(policykit_auth_t)
+ ')
+-
+- optional_policy(`
+- policykit_dbus_chat(policykit_auth_t)
+- ')
+ ')
+
+ optional_policy(`
++ kernel_search_proc(policykit_auth_t)
hal_read_state(policykit_auth_t)
')
-+optional_policy(`
+ optional_policy(`
+- kerberos_manage_host_rcache(policykit_auth_t)
+- kerberos_tmp_filetrans_host_rcache(policykit_auth_t, file, "host_0")
+ kerberos_tmp_filetrans_host_rcache(policykit_auth_t, "host_0")
+ kerberos_manage_host_rcache(policykit_auth_t)
-+')
-+
-+optional_policy(`
-+ xserver_stream_connect(policykit_auth_t)
+ ')
+
+ optional_policy(`
+ xserver_stream_connect(policykit_auth_t)
+ xserver_xdm_append_log(policykit_auth_t)
-+ xserver_read_xdm_pid(policykit_auth_t)
+ xserver_read_xdm_pid(policykit_auth_t)
+ xserver_search_xdm_lib(policykit_auth_t)
+ xserver_create_xdm_tmp_sockets(policykit_auth_t)
-+')
-+
+ ')
+
########################################
#
- # polkit_grant local policy
+-# Grant local policy
++# polkit_grant local policy
#
allow policykit_grant_t self:capability setuid;
--allow policykit_grant_t self:process getattr;
--allow policykit_grant_t self:fifo_file rw_file_perms;
+
allow policykit_grant_t self:unix_dgram_socket create_socket_perms;
allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms;
-@@ -142,22 +229,22 @@ manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t
+-ps_process_pattern(policykit_grant_t, policykit_domain)
++policykit_domtrans_auth(policykit_grant_t)
++
++policykit_domtrans_resolve(policykit_grant_t)
++
++can_exec(policykit_grant_t, policykit_grant_exec_t)
++corecmd_search_bin(policykit_grant_t)
+
+ rw_files_pattern(policykit_grant_t, policykit_reload_t, policykit_reload_t)
+
+@@ -211,23 +229,21 @@ manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t
manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t)
--files_read_etc_files(policykit_grant_t)
- files_read_usr_files(policykit_grant_t)
+-can_exec(policykit_grant_t, policykit_grant_exec_t)
+-
+-domtrans_pattern(policykit_grant_t, policykit_auth_exec_t, policykit_auth_t)
+-domtrans_pattern(policykit_grant_t, policykit_resolve_exec_t, policykit_resolve_t)
++files_read_usr_files(policykit_grant_t)
--auth_use_nsswitch(policykit_grant_t)
auth_domtrans_chk_passwd(policykit_grant_t)
-+auth_use_nsswitch(policykit_grant_t)
-
- logging_send_syslog_msg(policykit_grant_t)
+ auth_use_nsswitch(policykit_grant_t)
--miscfiles_read_localization(policykit_grant_t)
--
++logging_send_syslog_msg(policykit_grant_t)
++
userdom_read_all_users_state(policykit_grant_t)
optional_policy(`
-- dbus_system_bus_client(policykit_grant_t)
-+ cron_manage_system_job_lib_files(policykit_grant_t)
-+')
+ cron_manage_system_job_lib_files(policykit_grant_t)
+ ')
- optional_policy(`
-+ dbus_system_bus_client(policykit_grant_t)
+-optional_policy(`
+ optional_policy(`
+ dbus_system_bus_client(policykit_grant_t)
+-
+ optional_policy(`
consolekit_dbus_chat(policykit_grant_t)
')
- ')
-@@ -167,9 +254,8 @@ optional_policy(`
- # polkit_resolve local policy
+@@ -235,26 +251,29 @@ optional_policy(`
+
+ ########################################
+ #
+-# Resolve local policy
++# polkit_resolve local policy
#
--allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace };
--allow policykit_resolve_t self:process getattr;
--allow policykit_resolve_t self:fifo_file rw_file_perms;
-+allow policykit_resolve_t self:capability { setuid sys_nice };
+ allow policykit_resolve_t self:capability { setuid sys_nice };
+-allow policykit_resolve_t self:unix_stream_socket { accept listen };
+
+-ps_process_pattern(policykit_resolve_t, policykit_domain)
++allow policykit_resolve_t self:unix_dgram_socket create_socket_perms;
++allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms;
+
- allow policykit_resolve_t self:unix_dgram_socket create_socket_perms;
- allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms;
++policykit_domtrans_auth(policykit_resolve_t)
-@@ -182,17 +268,12 @@ read_files_pattern(policykit_resolve_t, policykit_var_lib_t, policykit_var_lib_t
- can_exec(policykit_resolve_t, policykit_resolve_exec_t)
- corecmd_search_bin(policykit_resolve_t)
+ read_files_pattern(policykit_resolve_t, policykit_reload_t, policykit_reload_t)
--files_read_etc_files(policykit_resolve_t)
- files_read_usr_files(policykit_resolve_t)
+ read_files_pattern(policykit_resolve_t, policykit_var_lib_t, policykit_var_lib_t)
--mcs_ptrace_all(policykit_resolve_t)
+ can_exec(policykit_resolve_t, policykit_resolve_exec_t)
++corecmd_search_bin(policykit_resolve_t)
+
+-domtrans_pattern(policykit_resolve_t, policykit_auth_exec_t, policykit_auth_t)
-
- auth_use_nsswitch(policykit_resolve_t)
+-mcs_ptrace_all(policykit_resolve_t)
++files_read_usr_files(policykit_resolve_t)
- logging_send_syslog_msg(policykit_resolve_t)
+ auth_use_nsswitch(policykit_resolve_t)
--miscfiles_read_localization(policykit_resolve_t)
--
++logging_send_syslog_msg(policykit_resolve_t)
++
userdom_read_all_users_state(policykit_resolve_t)
optional_policy(`
+@@ -266,6 +285,7 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ kernel_search_proc(policykit_resolve_t)
+ hal_read_state(policykit_resolve_t)
+ ')
+
diff --git a/polipo.fc b/polipo.fc
-new file mode 100644
-index 0000000..11f77ee
---- /dev/null
+index d35614b..11f77ee 100644
+--- a/polipo.fc
+++ b/polipo.fc
-@@ -0,0 +1,16 @@
-+HOME_DIR/\.polipo -- gen_context(system_u:object_r:polipo_config_home_t,s0)
-+HOME_DIR/\.polipo-cache(/.*)? gen_context(system_u:object_r:polipo_cache_home_t,s0)
-+
+@@ -1,15 +1,16 @@
+-HOME_DIR/\.forbidden -- gen_context(system_u:object_r:polipo_config_home_t,s0)
+ HOME_DIR/\.polipo -- gen_context(system_u:object_r:polipo_config_home_t,s0)
+ HOME_DIR/\.polipo-cache(/.*)? gen_context(system_u:object_r:polipo_cache_home_t,s0)
+
+-/etc/polipo(/.*)? gen_context(system_u:object_r:polipo_conf_t,s0)
+/etc/polipo(/.*)? gen_context(system_u:object_r:polipo_etc_t,s0)
-+
-+/etc/rc\.d/init\.d/polipo -- gen_context(system_u:object_r:polipo_initrc_exec_t,s0)
-+
+
+ /etc/rc\.d/init\.d/polipo -- gen_context(system_u:object_r:polipo_initrc_exec_t,s0)
+
+/usr/lib/systemd/system/polipo.* -- gen_context(system_u:object_r:polipo_unit_file_t,s0)
+
-+/usr/bin/polipo -- gen_context(system_u:object_r:polipo_exec_t,s0)
-+
-+/var/cache/polipo(/.*)? gen_context(system_u:object_r:polipo_cache_t,s0)
-+
-+/var/log/polipo.* -- gen_context(system_u:object_r:polipo_log_t,s0)
-+
+ /usr/bin/polipo -- gen_context(system_u:object_r:polipo_exec_t,s0)
+
+ /var/cache/polipo(/.*)? gen_context(system_u:object_r:polipo_cache_t,s0)
+
+ /var/log/polipo.* -- gen_context(system_u:object_r:polipo_log_t,s0)
+
+-/var/run/polipo(/.*)? gen_context(system_u:object_r:polipo_var_run_t,s0)
+/var/run/polipo(/.*)? gen_context(system_u:object_r:polipo_pid_t,s0)
diff --git a/polipo.if b/polipo.if
-new file mode 100644
-index 0000000..d00f6ba
---- /dev/null
+index ae27bb7..d00f6ba 100644
+--- a/polipo.if
+++ b/polipo.if
-@@ -0,0 +1,219 @@
+@@ -1,8 +1,8 @@
+-## <summary>Lightweight forwarding and caching proxy server.</summary>
+## <summary>Caching web proxy.</summary>
-+
-+########################################
-+## <summary>
+
+ ########################################
+ ## <summary>
+-## Role access for Polipo session.
+## Role access for polipo session.
-+## </summary>
-+## <param name="role">
-+## <summary>
-+## Role allowed access.
-+## </summary>
-+## </param>
-+## <param name="domain">
-+## <summary>
+ ## </summary>
+ ## <param name="role">
+ ## <summary>
+@@ -11,14 +11,13 @@
+ ## </param>
+ ## <param name="domain">
+ ## <summary>
+-## User domain for the role.
+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+template(`polipo_role',`
-+ gen_require(`
+ ## </summary>
+ ## </param>
+ #
+ template(`polipo_role',`
+ gen_require(`
+- type polipo_session_t, polipo_exec_t, polipo_config_home_t;
+- type polipo_cache_home_t;
+ type polipo_session_t, polipo_exec_t;
-+ ')
-+
-+ ########################################
-+ #
-+ # Declarations
-+ #
-+
-+ role $1 types polipo_session_t;
-+
-+ ########################################
-+ #
-+ # Policy
-+ #
-+
+ ')
+
+ ########################################
+@@ -33,15 +32,11 @@ template(`polipo_role',`
+ # Policy
+ #
+
+- allow $2 polipo_cache_home_t:dir { manage_dir_perms relabel_dir_perms };
+- allow $2 { polipo_cache_home_t polipo_config_home_t }:file { manage_file_perms relabel_file_perms };
+-
+- userdom_user_home_dir_filetrans($2, polipo_config_home_t, file, ".forbidden")
+- userdom_user_home_dir_filetrans($2, polipo_config_home_t, file, ".polipo")
+- userdom_user_home_dir_filetrans($2, polipo_cache_home_t, dir, ".polipo-cache")
+-
+- allow $2 polipo_session_t:process { ptrace signal_perms };
+ allow $2 polipo_session_t:process signal_perms;
-+ ps_process_pattern($2, polipo_session_t)
+ ps_process_pattern($2, polipo_session_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $2 polipo_session_t:process ptrace;
+ ')
-+
-+ tunable_policy(`polipo_session_users',`
-+ domtrans_pattern($2, polipo_exec_t, polipo_session_t)
-+ ',`
-+ can_exec($2, polipo_exec_t)
-+ ')
-+')
-+
-+########################################
-+## <summary>
+
+ tunable_policy(`polipo_session_users',`
+ domtrans_pattern($2, polipo_exec_t, polipo_session_t)
+@@ -52,57 +47,129 @@ template(`polipo_role',`
+
+ ########################################
+ ## <summary>
+-## Execute Polipo in the Polipo
+-## system domain.
+## Create configuration files in user
+## home directories with a named file
+## type transition.
-+## </summary>
-+## <param name="domain">
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed to transition.
+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+ #
+-interface(`polipo_initrc_domtrans',`
+interface(`polipo_named_filetrans_config_home_files',`
-+ gen_require(`
+ gen_require(`
+- type polipo_initrc_exec_t;
+ type polipo_config_home_t;
-+ ')
-+
+ ')
+
+- init_labeled_script_domtrans($1, polipo_initrc_exec_t)
+ userdom_user_home_dir_filetrans($1, polipo_config_home_t, file, ".polipo")
+')
+
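Review bot: `kernel_search_proc(policykit_auth_t)` is added inside the `optional_policy` block that guards `hal_read_state(policykit_auth_t)`, and the same is done for `policykit_resolve_t` further down in this hunk, so a kernel-layer rule becomes conditional on the hal module being present; if the search permission is only needed to reach hal's state that is fine and deserves a comment, otherwise it belongs outside the block. The reordered permission sets `allow policykit_auth_t self:capability { sys_nice ipc_lock setgid setuid };` and `allow policykit_auth_t self:process { setsched getsched signal };` are identical in effect to the upstream lines they replace and only enlarge the downstream delta; keeping upstream's alphabetical order removes two spurious patch lines. `dbus_system_domain( policykit_auth_t, policykit_auth_exec_t)` also carries a stray space after the opening parenthesis.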
@@ -47441,19 +50437,23 @@ index 0000000..d00f6ba
+ ')
+
+ userdom_user_home_dir_filetrans($1, polipo_cache_home_t, dir, ".polipo-cache")
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Create specified objects in generic
+-## log directories with the polipo
+-## log file type.
+## Create configuration files in admin
+## home directories with a named file
+## type transition.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <param name="object_class">
+#
+interface(`polipo_named_filetrans_admin_config_home_files',`
+ gen_require(`
@@ -47470,10 +50470,12 @@ index 0000000..d00f6ba
+## type transition.
+## </summary>
+## <param name="domain">
-+## <summary>
+ ## <summary>
+-## Class of the object being created.
+## Domain allowed access.
-+## </summary>
-+## </param>
+ ## </summary>
+ ## </param>
+-## <param name="name" optional="true">
+#
+interface(`polipo_named_filetrans_admin_cache_home_dirs',`
+ gen_require(`
@@ -47489,16 +50491,19 @@ index 0000000..d00f6ba
+## type transition.
+## </summary>
+## <param name="domain">
-+## <summary>
+ ## <summary>
+-## The name of the object being created.
+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+ #
+-interface(`polipo_log_filetrans_log',`
+interface(`polipo_named_filetrans_log_files',`
-+ gen_require(`
-+ type polipo_log_t;
-+ ')
-+
+ gen_require(`
+ type polipo_log_t;
+ ')
+
+- logging_log_filetrans($1, polipo_log_t, $2, $3)
+ logging_log_named_filetrans($1, polipo_log_t, file, "polipo")
+')
+
@@ -47523,48 +50528,55 @@ index 0000000..d00f6ba
+ allow $1 polipo_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, polipo_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## All of the rules required to
+-## administrate an polipo environment.
+## Administrate an polipo environment.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <param name="role">
-+## <summary>
-+## Role allowed access.
-+## </summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`polipo_admin',`
-+ gen_require(`
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -118,27 +185,35 @@ interface(`polipo_log_filetrans_log',`
+ #
+ interface(`polipo_admin',`
+ gen_require(`
+- type polipo_system_t, polipo_initrc_exec_t, polipo_cache_t;
+- type polipo_conf_t, polipo_log_t, polipo_var_run_t;
+ type polipo_t, polipo_pid_t, polipo_cache_t;
+ type polipo_etc_t, polipo_log_t, polipo_initrc_exec_t;
+ type polipo_unit_file_t;
-+ ')
-+
+ ')
+
+- allow $1 polipo_system_t:process { ptrace signal_perms };
+- ps_process_pattern($1, polipo_system_t)
+ allow $1 polipo_t:process signal_perms;
+ ps_process_pattern($1, polipo_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 polipo_t:process ptrace;
+ ')
-+
+
+- polipo_initrc_domtrans($1)
+ init_labeled_script_domtrans($1, polipo_initrc_exec_t)
-+ domain_system_change_exemption($1)
-+ role_transition $2 polipo_initrc_exec_t system_r;
-+ allow $2 system_r;
-+
+ domain_system_change_exemption($1)
+ role_transition $2 polipo_initrc_exec_t system_r;
+ allow $2 system_r;
+
+- files_search_var($1)
+- admin_pattern($1, polipo_cache_t)
+-
+- files_search_etc($1)
+- admin_pattern($1, polipo_conf_t)
+ files_list_etc($1)
+ admin_pattern($1, polipo_etc_t)
-+
+
+- logging_search_logs($1)
+ logging_list_logs($1)
-+ admin_pattern($1, polipo_log_t)
-+
+ admin_pattern($1, polipo_log_t)
+
+- files_search_pids($1)
+- admin_pattern($1, polipo_var_run_t)
+ files_list_var($1)
+ admin_pattern($1, polipo_cache_t)
+
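Review bot: the summary `## Administrate an polipo environment.` carries a grammatical slip that the upstream line it replaces also had; `## Administrate a polipo environment.` is the fix. The `polipo_admin` interface body continues past the end of this hunk. Within the visible part, the admin rules widen `files_search_etc`/`logging_search_logs`/`files_search_var` to `files_list_etc`/`logging_list_logs`/`files_list_var`, which grants directory reading rather than only traversal; that may well be intended for an admin role, but it is a scope change worth a comment so it is not mistaken for a merge artefact.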
@@ -47574,34 +50586,39 @@ index 0000000..d00f6ba
+ polipo_systemctl($1)
+ admin_pattern($1, polipo_unit_file_t)
+ allow $1 polipo_unit_file_t:service all_service_perms;
-+')
+ ')
diff --git a/polipo.te b/polipo.te
-new file mode 100644
-index 0000000..a0b37ad
---- /dev/null
+index 316d53a..a0b37ad 100644
+--- a/polipo.te
+++ b/polipo.te
-@@ -0,0 +1,159 @@
+@@ -1,4 +1,4 @@
+-policy_module(polipo, 1.0.4)
+policy_module(polipo, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+## <desc>
-+## <p>
+
+ ########################################
+ #
+@@ -7,19 +7,27 @@ policy_module(polipo, 1.0.4)
+
+ ## <desc>
+ ## <p>
+-## Determine whether Polipo system
+-## daemon can access CIFS file systems.
+## Determine whether polipo can
+## access cifs file systems.
-+## </p>
-+## </desc>
+ ## </p>
+ ## </desc>
+-gen_tunable(polipo_system_use_cifs, false)
+gen_tunable(polipo_use_cifs, false)
-+
-+## <desc>
-+## <p>
+
+ ## <desc>
+ ## <p>
+-## Determine whether Polipo system
+-## daemon can access NFS file systems.
+## Determine whether Polipo can
+## access nfs file systems.
-+## </p>
-+## </desc>
+ ## </p>
+ ## </desc>
+-gen_tunable(polipo_system_use_nfs, false)
+gen_tunable(polipo_use_nfs, false)
+
+## <desc>
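Review bot: the two tunable descriptions in this hunk spell the daemon differently — `## Determine whether polipo can` for the cifs boolean and `## Determine whether Polipo can` for the nfs boolean; pick one form (the boolean names themselves are lowercase `polipo_use_cifs`/`polipo_use_nfs`) so the generated documentation reads consistently. The module header is also lowered from upstream's `policy_module(polipo, 1.0.4)` to `policy_module(polipo, 1.0.0)`, as policykit is lowered earlier on this page; if that is deliberate it is worth a line in the spec changelog, since a downgraded version string is easy to mistake for an older build.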
@@ -47611,65 +50628,84 @@ index 0000000..a0b37ad
+## </p>
+## </desc>
+gen_tunable(polipo_session_bind_all_unreserved_ports, false)
-+
-+## <desc>
-+## <p>
-+## Determine whether calling user domains
-+## can execute Polipo daemon in the
-+## polipo_session_t domain.
-+## </p>
-+## </desc>
-+gen_tunable(polipo_session_users, false)
-+
-+## <desc>
+
+ ## <desc>
+ ## <p>
+@@ -31,24 +39,23 @@ gen_tunable(polipo_system_use_nfs, false)
+ gen_tunable(polipo_session_users, false)
+
+ ## <desc>
+-## <p>
+-## Determine whether Polipo session daemon
+-## can send syslog messages.
+-## </p>
+## <p>
+## Allow polipo to connect to all ports > 1023
+## </p>
-+## </desc>
+ ## </desc>
+-gen_tunable(polipo_session_send_syslog_msg, false)
+gen_tunable(polipo_connect_all_unreserved, false)
-+
-+attribute polipo_daemon;
-+
+
+ attribute polipo_daemon;
+
+-type polipo_system_t, polipo_daemon;
+type polipo_t, polipo_daemon;
-+type polipo_exec_t;
+ type polipo_exec_t;
+-init_daemon_domain(polipo_system_t, polipo_exec_t)
+init_daemon_domain(polipo_t, polipo_exec_t)
-+
-+type polipo_initrc_exec_t;
-+init_script_file(polipo_initrc_exec_t)
-+
+
+ type polipo_initrc_exec_t;
+ init_script_file(polipo_initrc_exec_t)
+
+-type polipo_conf_t;
+-files_config_file(polipo_conf_t)
+type polipo_etc_t;
+files_config_file(polipo_etc_t)
-+
-+type polipo_cache_t;
-+files_type(polipo_cache_t)
-+
-+type polipo_log_t;
-+logging_log_file(polipo_log_t)
-+
+
+ type polipo_cache_t;
+ files_type(polipo_cache_t)
+@@ -56,112 +63,97 @@ files_type(polipo_cache_t)
+ type polipo_log_t;
+ logging_log_file(polipo_log_t)
+
+-type polipo_var_run_t;
+-files_pid_file(polipo_var_run_t)
+type polipo_pid_t;
+files_pid_file(polipo_pid_t)
-+
-+type polipo_session_t, polipo_daemon;
+
+ type polipo_session_t, polipo_daemon;
+-userdom_user_application_domain(polipo_session_t, polipo_exec_t)
+application_domain(polipo_session_t, polipo_exec_t)
+ubac_constrained(polipo_session_t)
+
+type polipo_config_home_t;
+userdom_user_home_content(polipo_config_home_t)
-+
-+type polipo_cache_home_t;
-+userdom_user_home_content(polipo_cache_home_t)
-+
+
+ type polipo_cache_home_t;
+ userdom_user_home_content(polipo_cache_home_t)
+
+-type polipo_config_home_t;
+-userdom_user_home_content(polipo_config_home_t)
+type polipo_unit_file_t;
+systemd_unit_file(polipo_unit_file_t)
-+
-+########################################
-+#
+
+ ########################################
+ #
+-# Session local policy
+# Global local policy
-+#
-+
+ #
+
+-allow polipo_session_t polipo_config_home_t:file read_file_perms;
+-
+-manage_dirs_pattern(polipo_session_t, polipo_cache_home_t, polipo_cache_home_t)
+-manage_files_pattern(polipo_session_t, polipo_cache_home_t, polipo_cache_home_t)
+-userdom_user_home_dir_filetrans(polipo_session_t, polipo_cache_home_t, dir, ".polipo-cache")
+-
+-auth_use_nsswitch(polipo_session_t)
+allow polipo_daemon self:fifo_file rw_fifo_file_perms;
+allow polipo_daemon self:tcp_socket { listen accept };
-+
+
+-userdom_use_user_terminals(polipo_session_t)
+corenet_tcp_bind_generic_node(polipo_daemon)
+corenet_tcp_sendrecv_generic_if(polipo_daemon)
+corenet_tcp_sendrecv_generic_node(polipo_daemon)
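Review bot: the description for `polipo_connect_all_unreserved` reads `## Allow polipo to connect to all ports > 1023` while the other tunables in this file use the "Determine whether polipo can ..." form; `## Determine whether polipo can connect to all unreserved ports (> 1023).` keeps the boolean documentation uniform. The hunk also removes the session domain's home-content rules (`manage_dirs_pattern`/`manage_files_pattern` on `polipo_cache_home_t`, the `.polipo-cache` filetrans) and `auth_use_nsswitch(polipo_session_t)` without a visible replacement in this chunk; if they moved to a later section of polipo.te that is fine, but if not the session daemon loses its cache directory access and name resolution, so a comment pointing to where the session policy now lives would help the next reviewer.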
@@ -47677,300 +50713,146 @@ index 0000000..a0b37ad
+corenet_tcp_bind_http_cache_port(polipo_daemon)
+corenet_sendrecv_http_cache_server_packets(polipo_daemon)
+corenet_tcp_connect_http_port(polipo_daemon)
-+
+
+-tunable_policy(`polipo_session_send_syslog_msg',`
+- logging_send_syslog_msg(polipo_session_t)
+-')
+files_read_usr_files(polipo_daemon)
-+
+
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_read_nfs_files(polipo_session_t)
+-',`
+- fs_dontaudit_read_nfs_files(polipo_session_t)
+-')
+fs_search_auto_mountpoints(polipo_daemon)
-+
-+
-+########################################
-+#
+
+-tunable_policy(`use_samba_home_dirs',`
+- fs_read_cifs_files(polipo_session_t)
+-',`
+- fs_dontaudit_read_cifs_files(polipo_session_t)
+-')
+
+ ########################################
+ #
+-# System local policy
+# Polipo local policy
-+#
-+
+ #
+
+-read_files_pattern(polipo_system_t, polipo_conf_t, polipo_conf_t)
+read_files_pattern(polipo_t, polipo_etc_t, polipo_etc_t)
-+
+
+-manage_files_pattern(polipo_system_t, polipo_cache_t, polipo_cache_t)
+-manage_dirs_pattern(polipo_system_t, polipo_cache_t, polipo_cache_t)
+-files_var_filetrans(polipo_system_t, polipo_cache_t, dir)
+manage_files_pattern(polipo_t, polipo_cache_t, polipo_cache_t)
-+manage_dirs_pattern(polipo_t, polipo_cache_t, polipo_cache_t)
-+files_var_filetrans(polipo_t, polipo_cache_t, dir)
-+
-+manage_files_pattern(polipo_t, polipo_log_t, polipo_log_t)
-+logging_log_filetrans(polipo_t, polipo_log_t, file)
-+
-+manage_files_pattern(polipo_t, polipo_pid_t, polipo_pid_t)
-+files_pid_filetrans(polipo_t, polipo_pid_t, file)
-+
-+auth_use_nsswitch(polipo_t)
-+
-+logging_send_syslog_msg(polipo_t)
-+
-+optional_policy(`
-+ cron_system_entry(polipo_t, polipo_exec_t)
-+')
-+
-+tunable_policy(`polipo_connect_all_unreserved',`
-+ corenet_tcp_connect_all_unreserved_ports(polipo_t)
-+')
-+
-+tunable_policy(`polipo_use_cifs',`
-+ fs_manage_cifs_files(polipo_t)
-+')
-+
-+tunable_policy(`polipo_use_nfs',`
-+ fs_manage_nfs_files(polipo_t)
-+')
-+
-+########################################
-+#
-+# Polipo session local policy
-+#
-+
-+read_files_pattern(polipo_session_t, polipo_config_home_t, polipo_config_home_t)
-+manage_files_pattern(polipo_session_t, polipo_cache_home_t, polipo_cache_home_t)
-+
-+auth_use_nsswitch(polipo_session_t)
-+
-+userdom_use_user_terminals(polipo_session_t)
-+
-+tunable_policy(`polipo_session_bind_all_unreserved_ports',`
-+ corenet_tcp_sendrecv_all_ports(polipo_session_t)
-+ corenet_tcp_bind_all_unreserved_ports(polipo_session_t)
-+')
-+
-+logging_send_syslog_msg(polipo_session_t)
-+
-+userdom_home_manager(polipo_session_t)
-diff --git a/portage.fc b/portage.fc
-index d9b2a90..5b0e6f8 100644
---- a/portage.fc
-+++ b/portage.fc
-@@ -25,7 +25,7 @@
- /var/db/pkg(/.*)? gen_context(system_u:object_r:portage_db_t,s0)
- /var/cache/edb(/.*)? gen_context(system_u:object_r:portage_cache_t,s0)
- /var/log/emerge\.log.* -- gen_context(system_u:object_r:portage_log_t,s0)
--/var/log/emerge-fetch.log -- gen_context(system_u:object_r:portage_log_t,s0)
-+/var/log/emerge-fetch.log.* -- gen_context(system_u:object_r:portage_log_t,s0)
- /var/log/portage(/.*)? gen_context(system_u:object_r:portage_log_t,s0)
- /var/lib/layman(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0)
- /var/lib/portage(/.*)? gen_context(system_u:object_r:portage_cache_t,s0)
-diff --git a/portage.if b/portage.if
-index 08ac5af..9c4aa3c 100644
---- a/portage.if
-+++ b/portage.if
-@@ -43,11 +43,15 @@ interface(`portage_domtrans',`
- #
- interface(`portage_run',`
- gen_require(`
-- attribute_role portage_roles;
-+ type portage_t, portage_fetch_t, portage_sandbox_t;
-+ #attribute_role portage_roles;
- ')
++manage_dirs_pattern(polipo_t, polipo_cache_t, polipo_cache_t)
++files_var_filetrans(polipo_t, polipo_cache_t, dir)
-- portage_domtrans($1)
-- roleattribute $2 portage_roles;
-+ #portage_domtrans($1)
-+ #roleattribute $2 portage_roles;
-+ portage_domtrans($1)
-+ role $2 types { portage_t portage_fetch_t portage_sandbox_t };
-+
- ')
+-append_files_pattern(polipo_system_t, polipo_log_t, polipo_log_t)
+-create_files_pattern(polipo_system_t, polipo_log_t, polipo_log_t)
+-setattr_files_pattern(polipo_system_t, polipo_log_t, polipo_log_t)
+-logging_log_filetrans(polipo_system_t, polipo_log_t, file)
++manage_files_pattern(polipo_t, polipo_log_t, polipo_log_t)
++logging_log_filetrans(polipo_t, polipo_log_t, file)
- ########################################
-@@ -139,7 +143,6 @@ interface(`portage_compile_domain',`
- # really shouldnt need this but some packages test
- # network access, such as during configure
- # also distcc--need to reinvestigate confining distcc client
-- corenet_all_recvfrom_unlabeled($1)
- corenet_all_recvfrom_netlabel($1)
- corenet_tcp_sendrecv_generic_if($1)
- corenet_udp_sendrecv_generic_if($1)
-diff --git a/portage.te b/portage.te
-index 630f16f..64fb1f5 100644
---- a/portage.te
-+++ b/portage.te
-@@ -12,7 +12,7 @@ policy_module(portage, 1.13.0)
- ## </desc>
- gen_tunable(portage_use_nfs, false)
-
--attribute_role portage_roles;
-+#attribute_role portage_roles;
-
- type gcc_config_t;
- type gcc_config_exec_t;
-@@ -25,7 +25,8 @@ application_domain(portage_t, portage_exec_t)
- domain_obj_id_change_exemption(portage_t)
- rsync_entry_type(portage_t)
- corecmd_shell_entry_type(portage_t)
--role portage_roles types portage_t;
-+#role portage_roles types portage_t;
-+role system_r types portage_t;
-
- # portage compile sandbox domain
- type portage_sandbox_t;
-@@ -33,7 +34,8 @@ application_domain(portage_sandbox_t, portage_exec_t)
- # the shell is the entrypoint if regular sandbox is disabled
- # portage_exec_t is the entrypoint if regular sandbox is enabled
- corecmd_shell_entry_type(portage_sandbox_t)
--role portage_roles types portage_sandbox_t;
-+#role portage_roles types portage_sandbox_t;
-+role system_r types portage_sandbox_t;
-
- # portage package fetching domain
- type portage_fetch_t;
-@@ -41,7 +43,8 @@ type portage_fetch_exec_t;
- application_domain(portage_fetch_t, portage_fetch_exec_t)
- corecmd_shell_entry_type(portage_fetch_t)
- rsync_entry_type(portage_fetch_t)
--role portage_roles types portage_fetch_t;
-+#role portage_roles types portage_fetch_t;
-+role system_r types portage_fetch_t;
-
- type portage_devpts_t;
- term_pty(portage_devpts_t)
-@@ -56,7 +59,7 @@ type portage_db_t;
- files_type(portage_db_t)
-
- type portage_conf_t;
--files_type(portage_conf_t)
-+files_config_file(portage_conf_t)
-
- type portage_cache_t;
- files_type(portage_cache_t)
-@@ -115,18 +118,19 @@ files_list_all(gcc_config_t)
- init_dontaudit_read_script_status_files(gcc_config_t)
-
- libs_read_lib_files(gcc_config_t)
--libs_run_ldconfig(gcc_config_t, portage_roles)
-+#libs_run_ldconfig(gcc_config_t, portage_roles)
-+libs_domtrans_ldconfig(gcc_config_t)
- libs_manage_shared_libs(gcc_config_t)
- # gcc-config creates a temp dir for the libs
- libs_manage_lib_dirs(gcc_config_t)
-
- logging_send_syslog_msg(gcc_config_t)
-
--miscfiles_read_localization(gcc_config_t)
-+userdom_use_inherited_user_terminals(gcc_config_t)
-
--userdom_use_user_terminals(gcc_config_t)
--
--consoletype_exec(gcc_config_t)
-+optional_policy(`
-+ consoletype_exec(gcc_config_t)
-+')
+-manage_files_pattern(polipo_system_t, polipo_var_run_t, polipo_var_run_t)
+-files_pid_filetrans(polipo_system_t, polipo_var_run_t, file)
++manage_files_pattern(polipo_t, polipo_pid_t, polipo_pid_t)
++files_pid_filetrans(polipo_t, polipo_pid_t, file)
- ifdef(`distro_gentoo',`
- init_exec_rc(gcc_config_t)
-@@ -198,33 +202,41 @@ auth_manage_shadow(portage_t)
- init_exec(portage_t)
-
- # run setfiles -r
--seutil_run_setfiles(portage_t, portage_roles)
-+#seutil_run_setfiles(portage_t, portage_roles)
- # run semodule
--seutil_run_semanage(portage_t, portage_roles)
-+#seutil_run_semanage(portage_t, portage_roles)
-
--portage_run_gcc_config(portage_t, portage_roles)
-+#portage_run_gcc_config(portage_t, portage_roles)
- # if sesandbox is disabled, compiling is performed in this domain
- portage_compile_domain(portage_t)
+-auth_use_nsswitch(polipo_system_t)
++auth_use_nsswitch(polipo_t)
--optional_policy(`
-- bootloader_run(portage_t, portage_roles)
--')
-+#optional_policy(`
-+# bootloader_run(portage_t, portage_roles)
-+#')
+-logging_send_syslog_msg(polipo_system_t)
++logging_send_syslog_msg(polipo_t)
optional_policy(`
- cron_system_entry(portage_t, portage_exec_t)
- cron_system_entry(portage_fetch_t, portage_fetch_exec_t)
+- cron_system_entry(polipo_system_t, polipo_exec_t)
++ cron_system_entry(polipo_t, polipo_exec_t)
')
--optional_policy(`
-- modutils_run_depmod(portage_t, portage_roles)
-- modutils_run_update_mods(portage_t, portage_roles)
-+#optional_policy(`
-+# modutils_run_depmod(portage_t, portage_roles)
-+# modutils_run_update_mods(portage_t, portage_roles)
- #dontaudit update_modules_t portage_tmp_t:dir search_dir_perms;
+-tunable_policy(`polipo_system_use_cifs',`
+- fs_manage_cifs_files(polipo_system_t)
+-',`
+- fs_dontaudit_read_cifs_files(polipo_system_t)
++tunable_policy(`polipo_connect_all_unreserved',`
++ corenet_tcp_connect_all_unreserved_ports(polipo_t)
')
--optional_policy(`
-- usermanage_run_groupadd(portage_t, portage_roles)
-- usermanage_run_useradd(portage_t, portage_roles)
--')
-+#optional_policy(`
-+# usermanage_run_groupadd(portage_t, portage_roles)
-+# usermanage_run_useradd(portage_t, portage_roles)
-+#')
+-tunable_policy(`polipo_system_use_nfs',`
+- fs_manage_nfs_files(polipo_system_t)
+-',`
+- fs_dontaudit_read_nfs_files(polipo_system_t)
++tunable_policy(`polipo_use_cifs',`
++ fs_manage_cifs_files(polipo_t)
++')
+
-+seutil_domtrans_setfiles(portage_t)
-+seutil_domtrans_semanage(portage_t)
-+bootloader_domtrans(portage_t)
-+modutils_domtrans_depmod(portage_t)
-+modutils_domtrans_update_mods(portage_t)
-+usermanage_domtrans_groupadd(portage_t)
-+usermanage_domtrans_useradd(portage_t)
-
- ifdef(`TODO',`
- # seems to work ok without these
-@@ -271,7 +283,6 @@ kernel_read_kernel_sysctls(portage_fetch_t)
- corecmd_exec_bin(portage_fetch_t)
- corecmd_exec_shell(portage_fetch_t)
++tunable_policy(`polipo_use_nfs',`
++ fs_manage_nfs_files(polipo_t)
+ ')
--corenet_all_recvfrom_unlabeled(portage_fetch_t)
- corenet_all_recvfrom_netlabel(portage_fetch_t)
- corenet_tcp_sendrecv_generic_if(portage_fetch_t)
- corenet_tcp_sendrecv_generic_node(portage_fetch_t)
-@@ -303,16 +314,13 @@ logging_dontaudit_search_logs(portage_fetch_t)
+ ########################################
+ #
+-# Polipo global local policy
++# Polipo session local policy
+ #
- term_search_ptys(portage_fetch_t)
+-allow polipo_daemon self:fifo_file rw_fifo_file_perms;
+-allow polipo_daemon self:tcp_socket { listen accept };
+-
+-corenet_all_recvfrom_unlabeled(polipo_daemon)
+-corenet_all_recvfrom_netlabel(polipo_daemon)
+-corenet_tcp_sendrecv_generic_if(polipo_daemon)
+-corenet_tcp_sendrecv_generic_node(polipo_daemon)
+-corenet_tcp_bind_generic_node(polipo_daemon)
++read_files_pattern(polipo_session_t, polipo_config_home_t, polipo_config_home_t)
++manage_files_pattern(polipo_session_t, polipo_cache_home_t, polipo_cache_home_t)
--miscfiles_read_localization(portage_fetch_t)
+-corenet_sendrecv_http_client_packets(polipo_daemon)
+-corenet_tcp_sendrecv_http_port(polipo_daemon)
+-corenet_tcp_connect_http_port(polipo_daemon)
++auth_use_nsswitch(polipo_session_t)
- sysnet_read_config(portage_fetch_t)
- sysnet_dns_name_resolve(portage_fetch_t)
+-corenet_sendrecv_http_cache_server_packets(polipo_daemon)
+-corenet_tcp_sendrecv_http_cache_port(polipo_daemon)
+-corenet_tcp_bind_http_cache_port(polipo_daemon)
++userdom_use_user_terminals(polipo_session_t)
--userdom_use_user_terminals(portage_fetch_t)
-+userdom_use_inherited_user_terminals(portage_fetch_t)
- userdom_dontaudit_read_user_home_content_files(portage_fetch_t)
+-files_read_usr_files(polipo_daemon)
++tunable_policy(`polipo_session_bind_all_unreserved_ports',`
++ corenet_tcp_sendrecv_all_ports(polipo_session_t)
++ corenet_tcp_bind_all_unreserved_ports(polipo_session_t)
++')
--rsync_exec(portage_fetch_t)
--
- ifdef(`hide_broken_symptoms',`
- dontaudit portage_fetch_t portage_cache_t:file read;
- ')
-@@ -328,6 +336,10 @@ optional_policy(`
- gpg_exec(portage_fetch_t)
- ')
+-fs_search_auto_mountpoints(polipo_daemon)
++logging_send_syslog_msg(polipo_session_t)
-+optional_policy(`
-+ rsync_exec(portage_fetch_t)
-+')
-+
- ##########################################
- #
- # Portage sandbox domain
+-miscfiles_read_localization(polipo_daemon)
++userdom_home_manager(polipo_session_t)
diff --git a/portmap.fc b/portmap.fc
-index 3cdcd9f..2061efe 100644
+index cd45831..69406ee 100644
--- a/portmap.fc
+++ b/portmap.fc
-@@ -1,6 +1,8 @@
+@@ -4,9 +4,14 @@
+ /sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
+ /sbin/portmap -- gen_context(system_u:object_r:portmap_exec_t,s0)
- /sbin/portmap -- gen_context(system_u:object_r:portmap_exec_t,s0)
++ifdef(`distro_debian',`
++/sbin/pmap_dump -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
++/sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
++', `
+ /usr/sbin/pmap_dump -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
+ /usr/sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
+ /usr/sbin/portmap -- gen_context(system_u:object_r:portmap_exec_t,s0)
++')
-+/usr/sbin/portmap -- gen_context(system_u:object_r:portmap_exec_t,s0)
-+
- ifdef(`distro_debian',`
- /sbin/pmap_dump -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
- /sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
+ /var/run/portmap\.upgrade-state -- gen_context(system_u:object_r:portmap_var_run_t,s0)
+ /var/run/portmap_mapping -- gen_context(system_u:object_r:portmap_var_run_t,s0)
diff --git a/portmap.te b/portmap.te
-index c1db652..66590bd 100644
+index 738c13b..04a202e 100644
--- a/portmap.te
+++ b/portmap.te
-@@ -43,7 +43,6 @@ files_pid_filetrans(portmap_t, portmap_var_run_t, file)
+@@ -45,7 +45,6 @@ files_pid_filetrans(portmap_t, portmap_var_run_t, file)
kernel_read_system_state(portmap_t)
kernel_read_kernel_sysctls(portmap_t)
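Review bot: `userdom_home_manager(polipo_session_t)` at the end of the rewritten session section grants the session proxy manage rights over every user-home content type, while the upstream rules it replaces (and the `read_files_pattern`/`manage_files_pattern` lines kept just above it) confine it to `polipo_config_home_t` and `polipo_cache_home_t`; if it is only there to cover NFS/CIFS home directories, a comment such as `# home_manager covers use_nfs_home_dirs/use_samba_home_dirs for ~/.polipo*` would explain the widening. The tunables referenced in the new blocks (`polipo_connect_all_unreserved`, `polipo_use_cifs`, `polipo_use_nfs`, `polipo_session_bind_all_unreserved_ports`) need matching `gen_tunable` declarations at the top of polipo.te, which is outside this hunk, and the superseded `polipo_system_use_*` / `polipo_session_send_syslog_msg` declarations would then be left unused. In the portmap.fc part, `/sbin/pmap_set` is kept unconditionally as a context line and added again inside the new `ifdef(`distro_debian'` block, which setfiles is likely to report as a duplicate specification on Debian — presumably the unconditional `/sbin/` entries were meant to go.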
@@ -47978,21 +50860,20 @@ index c1db652..66590bd 100644
corenet_all_recvfrom_netlabel(portmap_t)
corenet_tcp_sendrecv_generic_if(portmap_t)
corenet_udp_sendrecv_generic_if(portmap_t)
-@@ -73,12 +72,10 @@ fs_search_auto_mountpoints(portmap_t)
+@@ -80,9 +79,11 @@ fs_search_auto_mountpoints(portmap_t)
domain_use_interactive_fds(portmap_t)
--files_read_etc_files(portmap_t)
+auth_use_nsswitch(portmap_t)
-
++
logging_send_syslog_msg(portmap_t)
-miscfiles_read_localization(portmap_t)
--
- sysnet_read_config(portmap_t)
++sysnet_read_config(portmap_t)
userdom_dontaudit_use_unpriv_user_fds(portmap_t)
-@@ -113,7 +110,6 @@ allow portmap_helper_t self:udp_socket create_socket_perms;
+ userdom_dontaudit_search_user_home_dirs(portmap_t)
+@@ -106,7 +107,6 @@ allow portmap_helper_t self:tcp_socket { accept listen };
allow portmap_helper_t portmap_var_run_t:file manage_file_perms;
files_pid_filetrans(portmap_helper_t, portmap_var_run_t, file)
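Review bot: `sysnet_read_config(portmap_t)` is added directly below the upstream `auth_use_nsswitch(portmap_t)` context line; in refpolicy `auth_use_nsswitch` already pulls in `sysnet_dns_name_resolve`, which covers reading net_conf_t, so the new line looks redundant unless the nsswitch interface has diverged here. Either drop it or say why it is needed, e.g. `# auth_use_nsswitch does not cover net_conf_t in this tree`. The same re-addition for `portmap_helper_t` in the next hunk should be checked against whatever upstream replaced it with, which is not visible in the diff.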
@@ -48000,45 +50881,32 @@ index c1db652..66590bd 100644
corenet_all_recvfrom_netlabel(portmap_helper_t)
corenet_tcp_sendrecv_generic_if(portmap_helper_t)
corenet_udp_sendrecv_generic_if(portmap_helper_t)
-@@ -133,7 +129,6 @@ corenet_tcp_connect_all_ports(portmap_helper_t)
-
- domain_dontaudit_use_interactive_fds(portmap_helper_t)
-
--files_read_etc_files(portmap_helper_t)
- files_rw_generic_pids(portmap_helper_t)
+@@ -138,5 +138,7 @@ init_rw_utmp(portmap_helper_t)
- init_rw_utmp(portmap_helper_t)
-@@ -142,7 +137,7 @@ logging_send_syslog_msg(portmap_helper_t)
-
- sysnet_read_config(portmap_helper_t)
+ logging_send_syslog_msg(portmap_helper_t)
-userdom_use_user_terminals(portmap_helper_t)
++sysnet_read_config(portmap_helper_t)
++
+userdom_use_inherited_user_terminals(portmap_helper_t)
userdom_dontaudit_use_all_users_fds(portmap_helper_t)
-
- optional_policy(`
diff --git a/portreserve.fc b/portreserve.fc
-index 4313a6f..cc334a3 100644
+index 1b2b4f9..575b7d6 100644
--- a/portreserve.fc
+++ b/portreserve.fc
-@@ -1,7 +1,10 @@
--/etc/portreserve(/.*)? gen_context(system_u:object_r:portreserve_etc_t,s0)
+@@ -1,6 +1,6 @@
+ /etc/portreserve(/.*)? gen_context(system_u:object_r:portreserve_etc_t,s0)
-/etc/rc\.d/init\.d/portreserve -- gen_context(system_u:object_r:portreserve_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/portreserve -- gen_context(system_u:object_r:portreserve_initrc_exec_t,s0)
-+
-+/etc/portreserve(/.*)? gen_context(system_u:object_r:portreserve_etc_t,s0)
- /sbin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0)
+ /sbin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0)
-+/usr/sbin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0)
-+
- /var/run/portreserve(/.*)? gen_context(system_u:object_r:portreserve_var_run_t,s0)
diff --git a/portreserve.if b/portreserve.if
-index 7719d16..d283895 100644
+index 5ad5291..7f1ae2a 100644
--- a/portreserve.if
+++ b/portreserve.if
-@@ -104,8 +104,11 @@ interface(`portreserve_admin',`
+@@ -105,8 +105,11 @@ interface(`portreserve_admin',`
type portreserve_initrc_exec_t;
')
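Review bot: The previous revision of this patch labelled `/usr/sbin/portreserve` as portreserve_exec_t in portreserve.fc, and that addition is dropped here, so on a merged-/usr system the transition into portreserve_t now depends on the `/sbin` to `/usr/sbin` path substitution rather than an explicit spec; if that substitution is in place the removal is fine, otherwise the daemon would start in the init domain unconfined. A short note in the patch header or commit message saying that the substitution covers it would save the next rebase from re-adding the line. The `userdom_use_inherited_user_terminals(portmap_helper_t)` replacement is a tightening and needs no change.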
@@ -48052,31 +50920,22 @@ index 7719d16..d283895 100644
portreserve_initrc_domtrans($1)
domain_system_change_exemption($1)
diff --git a/portreserve.te b/portreserve.te
-index 152af92..d67fea5 100644
+index a38b57a..614785d 100644
--- a/portreserve.te
+++ b/portreserve.te
-@@ -13,7 +13,7 @@ type portreserve_initrc_exec_t;
- init_script_file(portreserve_initrc_exec_t)
-
- type portreserve_etc_t;
--files_type(portreserve_etc_t)
-+files_config_file(portreserve_etc_t)
-
- type portreserve_var_run_t;
- files_pid_file(portreserve_var_run_t)
-@@ -42,7 +42,6 @@ files_pid_filetrans(portreserve_t, portreserve_var_run_t, { file sock_file dir }
+@@ -41,7 +41,6 @@ files_pid_filetrans(portreserve_t, portreserve_var_run_t, { file sock_file dir }
corecmd_getattr_bin_files(portreserve_t)
-corenet_all_recvfrom_unlabeled(portreserve_t)
corenet_all_recvfrom_netlabel(portreserve_t)
- corenet_tcp_bind_generic_node(portreserve_t)
- corenet_udp_bind_generic_node(portreserve_t)
+ corenet_tcp_sendrecv_generic_if(portreserve_t)
+ corenet_udp_sendrecv_generic_if(portreserve_t)
diff --git a/portslave.te b/portslave.te
-index 69c331e..528f2d8 100644
+index e85e33d..a7d7c55 100644
--- a/portslave.te
+++ b/portslave.te
-@@ -54,7 +54,6 @@ kernel_read_kernel_sysctls(portslave_t)
+@@ -48,7 +48,6 @@ kernel_read_kernel_sysctls(portslave_t)
corecmd_exec_bin(portslave_t)
corecmd_exec_shell(portslave_t)
@@ -48084,7 +50943,7 @@ index 69c331e..528f2d8 100644
corenet_all_recvfrom_netlabel(portslave_t)
corenet_tcp_sendrecv_generic_if(portslave_t)
corenet_udp_sendrecv_generic_if(portslave_t)
-@@ -79,7 +78,7 @@ fs_getattr_xattr_fs(portslave_t)
+@@ -72,7 +71,7 @@ fs_getattr_xattr_fs(portslave_t)
term_use_unallocated_ttys(portslave_t)
term_setattr_unallocated_ttys(portslave_t)
@@ -48092,23 +50951,45 @@ index 69c331e..528f2d8 100644
+term_use_all_inherited_ttys(portslave_t)
term_search_ptys(portslave_t)
- auth_rw_login_records(portslave_t)
+ auth_domtrans_chk_passwd(portslave_t)
diff --git a/postfix.fc b/postfix.fc
-index 1ddfa16..c0e0959 100644
+index c0e8785..c0e0959 100644
--- a/postfix.fc
+++ b/postfix.fc
-@@ -1,5 +1,6 @@
- # postfix
--/etc/postfix(/.*)? gen_context(system_u:object_r:postfix_etc_t,s0)
+@@ -1,38 +1,38 @@
+-/etc/postfix.* gen_context(system_u:object_r:postfix_etc_t,s0)
+-/etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
+-/etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0)
+-
+-/etc/rc\.d/init\.d/postfix -- gen_context(system_u:object_r:postfix_initrc_exec_t,s0)
+-
++# postfix
+/etc/rc\.d/init\.d/postfix -- gen_context(system_u:object_r:postfix_initrc_exec_t,s0)
+/etc/postfix.* gen_context(system_u:object_r:postfix_etc_t,s0)
- ifdef(`distro_redhat', `
- /usr/libexec/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
- /usr/libexec/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
-@@ -22,16 +23,17 @@ ifdef(`distro_redhat', `
++ifdef(`distro_redhat', `
++/usr/libexec/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
++/usr/libexec/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
++/usr/libexec/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
++/usr/libexec/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
++/usr/libexec/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
++/usr/libexec/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
++/usr/libexec/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
++/usr/libexec/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0)
++/usr/libexec/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
++/usr/libexec/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
++/usr/libexec/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
++/usr/libexec/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
++/usr/libexec/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
++/usr/libexec/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
++', `
+ /usr/lib/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
+-/usr/lib/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
++/usr/lib/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
+ /usr/lib/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
/usr/lib/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
/usr/lib/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
- /usr/lib/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
+-/usr/lib/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
++/usr/lib/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
+/usr/lib/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0)
/usr/lib/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
/usr/lib/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
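Review bot: `/etc/postfix.*` on the rewritten top of postfix.fc is not anchored at a path separator, so it labels siblings such as `/etc/postfix-foo` or `/etc/postfix.rpmsave` as postfix_etc_t in addition to the directory tree; the older form `/etc/postfix(/.*)?` removed a few lines earlier restricts the match to the directory and its contents, and the same applies to `/var/lib/postfix.*` and `/var/spool/postfix.*` in the next hunk. If the wider match is deliberate (for example for multi-instance `/etc/postfix-*` directories), a comment above the line would stop a later rebase from narrowing it again. The new `ifdef(`distro_redhat'` branch otherwise looks like a straight reorder of the existing libexec entries.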
@@ -48116,132 +50997,207 @@ index 1ddfa16..c0e0959 100644
/usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
/usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
/usr/lib/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
--/usr/lib/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
- ')
- /etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
- /etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0)
-+/usr/sbin/postalias -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+-/usr/lib/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
+-
+-/usr/libexec/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
+-/usr/libexec/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
+-/usr/libexec/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+-/usr/libexec/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
+-/usr/libexec/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+-/usr/libexec/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
+-/usr/libexec/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
+-/usr/libexec/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0)
+-/usr/libexec/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+-/usr/libexec/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+-/usr/libexec/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
+-/usr/libexec/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
+-/usr/libexec/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
+-/usr/libexec/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
+-
++')
++/etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
++/etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0)
+ /usr/sbin/postalias -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
/usr/sbin/postcat -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
/usr/sbin/postdrop -- gen_context(system_u:object_r:postfix_postdrop_exec_t,s0)
- /usr/sbin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
-@@ -42,9 +44,11 @@ ifdef(`distro_redhat', `
+@@ -44,14 +44,14 @@
/usr/sbin/postqueue -- gen_context(system_u:object_r:postfix_postqueue_exec_t,s0)
/usr/sbin/postsuper -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
--/var/lib/postfix(/.*)? gen_context(system_u:object_r:postfix_data_t,s0)
+-/var/lib/postfix.* gen_context(system_u:object_r:postfix_data_t,s0)
+/var/lib/postfix.* gen_context(system_u:object_r:postfix_data_t,s0)
--/var/spool/postfix(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0)
+-/var/spool/postfix.* gen_context(system_u:object_r:postfix_spool_t,s0)
+-/var/spool/postfix/deferred(/.*)? -d gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
+-/var/spool/postfix/defer(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
+-/var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
+-/var/spool/postfix/pid(/.*)? gen_context(system_u:object_r:postfix_var_run_t,s0)
+-/var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
+-/var/spool/postfix/public(/.*)? gen_context(system_u:object_r:postfix_public_t,s0)
+-/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0)
+/var/spool/postfix.* gen_context(system_u:object_r:postfix_spool_t,s0)
+/var/spool/postfix/deferred(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
+/var/spool/postfix/defer(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
- /var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
- /var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0)
- /var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
++/var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
++/var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0)
++/var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
++/var/spool/postfix/public(/.*)? gen_context(system_u:object_r:postfix_public_t,s0)
++/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0)
+ /var/spool/postfix/flush(/.*)? gen_context(system_u:object_r:postfix_spool_flush_t,s0)
diff --git a/postfix.if b/postfix.if
-index 46bee12..20a3ccd 100644
+index 2e23946..41da729 100644
--- a/postfix.if
+++ b/postfix.if
-@@ -28,75 +28,23 @@ interface(`postfix_stub',`
+@@ -1,4 +1,4 @@
+-## <summary>Postfix email server.</summary>
++## <summary>Postfix email server</summary>
+
+ ########################################
+ ## <summary>
+@@ -16,13 +16,14 @@ interface(`postfix_stub',`
+ ')
+ ')
+
+-#######################################
++########################################
+ ## <summary>
+-## The template to define a postfix domain.
++## Creates types and rules for a basic
++## postfix process domain.
+ ## </summary>
+-## <param name="domain_prefix">
++## <param name="prefix">
+ ## <summary>
+-## Domain prefix to be used.
++## Prefix for the domain.
+ ## </summary>
## </param>
#
- template(`postfix_domain_template',`
-- type postfix_$1_t;
-+ gen_require(`
-+ attribute postfix_domain;
-+ ')
-+
-+ type postfix_$1_t, postfix_domain;
+@@ -31,73 +32,69 @@ template(`postfix_domain_template',`
+ attribute postfix_domain;
+ ')
+
+- ########################################
+- #
+- # Declarations
+- #
+-
+ type postfix_$1_t, postfix_domain;
type postfix_$1_exec_t;
domain_type(postfix_$1_t)
domain_entry_file(postfix_$1_t, postfix_$1_exec_t)
role system_r types postfix_$1_t;
-- dontaudit postfix_$1_t self:capability sys_tty_config;
-- allow postfix_$1_t self:process { signal_perms setpgid };
-- allow postfix_$1_t self:unix_dgram_socket create_socket_perms;
-- allow postfix_$1_t self:unix_stream_socket create_stream_socket_perms;
-- allow postfix_$1_t self:unix_stream_socket connectto;
--
-- allow postfix_master_t postfix_$1_t:process signal;
-- #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244456
-- allow postfix_$1_t postfix_master_t:file read;
--
-- allow postfix_$1_t postfix_etc_t:dir list_dir_perms;
-- read_files_pattern(postfix_$1_t, postfix_etc_t, postfix_etc_t)
-- read_lnk_files_pattern(postfix_$1_t, postfix_etc_t, postfix_etc_t)
+- ########################################
+- #
+- # Policy
+- #
-
- can_exec(postfix_$1_t, postfix_$1_exec_t)
--
-- allow postfix_$1_t postfix_exec_t:file { mmap_file_perms lock ioctl };
--
-- allow postfix_$1_t postfix_master_t:process sigchld;
--
-- allow postfix_$1_t postfix_spool_t:dir list_dir_perms;
--
-- allow postfix_$1_t postfix_var_run_t:file manage_file_perms;
-- files_pid_filetrans(postfix_$1_t, postfix_var_run_t, file)
--
- kernel_read_system_state(postfix_$1_t)
-- kernel_read_network_state(postfix_$1_t)
-- kernel_read_all_sysctls(postfix_$1_t)
--
-- dev_read_sysfs(postfix_$1_t)
-- dev_read_rand(postfix_$1_t)
-- dev_read_urand(postfix_$1_t)
--
-- fs_search_auto_mountpoints(postfix_$1_t)
-- fs_getattr_xattr_fs(postfix_$1_t)
-- fs_rw_anon_inodefs_files(postfix_$1_t)
--
-- term_dontaudit_use_console(postfix_$1_t)
--
-- corecmd_exec_shell(postfix_$1_t)
--
-- files_read_etc_files(postfix_$1_t)
-- files_read_etc_runtime_files(postfix_$1_t)
-- files_read_usr_symlinks(postfix_$1_t)
-- files_search_spool(postfix_$1_t)
-- files_getattr_tmp_dirs(postfix_$1_t)
-- files_search_all_mountpoints(postfix_$1_t)
--
-- init_dontaudit_use_fds(postfix_$1_t)
-- init_sigchld(postfix_$1_t)
++ kernel_read_system_state(postfix_$1_t)
auth_use_nsswitch(postfix_$1_t)
++
++ logging_send_syslog_msg(postfix_$1_t)
++
++ can_exec(postfix_$1_t, postfix_$1_exec_t)
+ ')
- logging_send_syslog_msg(postfix_$1_t)
-
-- miscfiles_read_localization(postfix_$1_t)
-- miscfiles_read_generic_certs(postfix_$1_t)
+-#######################################
++########################################
+ ## <summary>
+-## The template to define a postfix server domain.
++## Creates a postfix server process domain.
+ ## </summary>
+-## <param name="domain_prefix">
++## <param name="prefix">
+ ## <summary>
+-## Domain prefix to be used.
++## Prefix of the domain.
+ ## </summary>
+ ## </param>
+ #
+ template(`postfix_server_domain_template',`
+- gen_require(`
+- attribute postfix_server_domain, postfix_server_tmp_content;
+- ')
-
-- userdom_dontaudit_use_unpriv_user_fds(postfix_$1_t)
+- ########################################
+- #
+- # Declarations
+- #
-
-- optional_policy(`
-- udev_read_db(postfix_$1_t)
-- ')
-+ can_exec(postfix_$1_t, postfix_$1_exec_t)
- ')
+ postfix_domain_template($1)
- ########################################
-@@ -115,7 +63,7 @@ template(`postfix_server_domain_template',`
- type postfix_$1_tmp_t;
+- typeattribute postfix_$1_t postfix_server_domain;
+-
+- type postfix_$1_tmp_t, postfix_server_tmp_content;
++ type postfix_$1_tmp_t;
files_tmp_file(postfix_$1_tmp_t)
-- allow postfix_$1_t self:capability { setuid setgid dac_override };
+- ########################################
+- #
+- # Declarations
+- #
+ allow postfix_$1_t self:capability { setuid setgid sys_chroot dac_override };
- allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
- allow postfix_$1_t self:tcp_socket create_socket_perms;
- allow postfix_$1_t self:udp_socket create_socket_perms;
-@@ -126,7 +74,6 @@ template(`postfix_server_domain_template',`
++ allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
++ allow postfix_$1_t self:tcp_socket create_socket_perms;
++ allow postfix_$1_t self:udp_socket create_socket_perms;
+
+ manage_dirs_pattern(postfix_$1_t, postfix_$1_tmp_t, postfix_$1_tmp_t)
+ manage_files_pattern(postfix_$1_t, postfix_$1_tmp_t, postfix_$1_tmp_t)
+ files_tmp_filetrans(postfix_$1_t, postfix_$1_tmp_t, { file dir })
domtrans_pattern(postfix_master_t, postfix_$1_exec_t, postfix_$1_t)
++
++ corenet_all_recvfrom_netlabel(postfix_$1_t)
++ corenet_tcp_sendrecv_generic_if(postfix_$1_t)
++ corenet_udp_sendrecv_generic_if(postfix_$1_t)
++ corenet_tcp_sendrecv_generic_node(postfix_$1_t)
++ corenet_udp_sendrecv_generic_node(postfix_$1_t)
++ corenet_tcp_sendrecv_all_ports(postfix_$1_t)
++ corenet_udp_sendrecv_all_ports(postfix_$1_t)
++ corenet_tcp_bind_generic_node(postfix_$1_t)
++ corenet_udp_bind_generic_node(postfix_$1_t)
++ corenet_tcp_connect_all_ports(postfix_$1_t)
++ corenet_sendrecv_all_client_packets(postfix_$1_t)
+ ')
+
+-#######################################
++########################################
+ ## <summary>
+-## The template to define a postfix user domain.
++## Creates a process domain for programs
++## that are ran by users.
+ ## </summary>
+-## <param name="domain_prefix">
++## <param name="prefix">
+ ## <summary>
+-## Domain prefix to be used.
++## Prefix of the domain.
+ ## </summary>
+ ## </param>
+ #
+@@ -106,30 +103,22 @@ template(`postfix_user_domain_template',`
+ attribute postfix_user_domains, postfix_user_domtrans;
+ ')
+
+- ########################################
+- #
+- # Declarations
+- #
+-
+ postfix_domain_template($1)
+
+ typeattribute postfix_$1_t postfix_user_domains;
+
+- ########################################
+- #
+- # Policy
+- #
+-
+ allow postfix_$1_t self:capability dac_override;
-- corenet_all_recvfrom_unlabeled(postfix_$1_t)
- corenet_all_recvfrom_netlabel(postfix_$1_t)
- corenet_tcp_sendrecv_generic_if(postfix_$1_t)
- corenet_udp_sendrecv_generic_if(postfix_$1_t)
-@@ -165,6 +112,8 @@ template(`postfix_user_domain_template',`
domtrans_pattern(postfix_user_domtrans, postfix_$1_exec_t, postfix_$1_t)
domain_use_interactive_fds(postfix_$1_t)
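Review bot: The network rules added at the end of `postfix_server_domain_template` (`corenet_tcp_connect_all_ports`, `corenet_tcp_sendrecv_all_ports`, `corenet_udp_sendrecv_all_ports`, `corenet_sendrecv_all_client_packets`) apply to every domain instantiated from the template, so each postfix service domain may connect to any TCP port whether or not it talks to the network, and `sys_chroot` is likewise granted template-wide; upstream presumably keeps these per-domain in postfix.te, which is outside this hunk. If putting them in the template is meant to reduce per-domain churn, a comment naming the services that actually need outbound connections would help the next reviewer, otherwise the connect rule belongs with the smtp client domain. Separately, the upstream `/var/spool/postfix/deferred(/.*)? -d` line is removed and the remaining deferred spec carries no `-d`, so files under deferred/ become postfix_spool_maildrop_t too — say in the patch whether that widening is intended.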
@@ -48250,99 +51206,189 @@ index 46bee12..20a3ccd 100644
')
########################################
-@@ -208,6 +157,11 @@ interface(`postfix_read_config',`
- ## The object class of the object being created.
- ## </summary>
- ## </param>
-+## <param name="name" optional="true">
-+## <summary>
-+## The name of the object being created.
-+## </summary>
-+## </param>
- #
- interface(`postfix_config_filetrans',`
- gen_require(`
-@@ -215,7 +169,7 @@ interface(`postfix_config_filetrans',`
+ ## <summary>
+-## Read postfix configuration content.
++## Read postfix configuration files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -143,16 +132,15 @@ interface(`postfix_read_config',`
+ type postfix_etc_t;
')
++ read_files_pattern($1, postfix_etc_t, postfix_etc_t)
++ read_lnk_files_pattern($1, postfix_etc_t, postfix_etc_t)
files_search_etc($1)
-- filetrans_pattern($1, postfix_etc_t, $2, $3)
-+ filetrans_pattern($1, postfix_etc_t, $2, $3, $4)
+- allow $1 postfix_etc_t:dir list_dir_perms;
+- allow $1 postfix_etc_t:file read_file_perms;
+- allow $1 postfix_etc_t:lnk_file read_lnk_file_perms;
')
########################################
-@@ -257,6 +211,25 @@ interface(`postfix_rw_local_pipes',`
+ ## <summary>
+-## Create specified object in postfix
+-## etc directories with a type transition.
++## Create files with the specified type in
++## the postfix configuration directories.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -180,6 +168,7 @@ interface(`postfix_config_filetrans',`
+ type postfix_etc_t;
+ ')
+
++ files_search_etc($1)
+ filetrans_pattern($1, postfix_etc_t, $2, $3, $4)
+ ')
+
+@@ -205,7 +194,8 @@ interface(`postfix_dontaudit_rw_local_tcp_sockets',`
+
+ ########################################
+ ## <summary>
+-## Read and write postfix local pipes.
++## Allow read/write postfix local pipes
++## TCP sockets.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -221,30 +211,28 @@ interface(`postfix_rw_local_pipes',`
allow $1 postfix_local_t:fifo_file rw_fifo_file_perms;
')
+-########################################
+#######################################
-+## <summary>
+ ## <summary>
+-## Read postfix local process state files.
+## Allow read/write postfix public pipes
+## TCP sockets.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+## <summary>
+## Domain allowed access.
+## </summary>
-+## </param>
-+#
+ ## </param>
+ #
+-interface(`postfix_read_local_state',`
+- gen_require(`
+- type postfix_local_t;
+- ')
+interface(`postfix_rw_public_pipes',`
+ gen_require(`
+ type postfix_public_t;
+ ')
-+
+
+- kernel_search_proc($1)
+- allow $1 postfix_local_t:dir list_dir_perms;
+- allow $1 postfix_local_t:file read_file_perms;
+- allow $1 postfix_local_t:lnk_file read_lnk_file_perms;
+ allow $1 postfix_public_t:fifo_file rw_fifo_file_perms;
-+')
-+
+ ')
+
########################################
## <summary>
- ## Allow domain to read postfix local process state
-@@ -272,7 +245,8 @@ interface(`postfix_read_local_state',`
- type postfix_local_t;
+-## Read and write inherited postfix master pipes.
++## Allow domain to read postfix local process state
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -252,18 +240,18 @@ interface(`postfix_read_local_state',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`postfix_rw_inherited_master_pipes',`
++interface(`postfix_read_local_state',`
+ gen_require(`
+- type postfix_master_t;
++ type postfix_local_t;
')
-- read_files_pattern($1, postfix_local_t, postfix_local_t)
+- allow $1 postfix_master_t:fd use;
+- allow $1 postfix_master_t:fifo_file { getattr write append lock ioctl read };
+ kernel_search_proc($1)
+ ps_process_pattern($1, postfix_local_t)
')
########################################
-@@ -290,7 +264,27 @@ interface(`postfix_read_master_state',`
- type postfix_master_t;
+ ## <summary>
+-## Read postfix master process state files.
++## Allow domain to read postfix master process state
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -277,14 +265,13 @@ interface(`postfix_read_master_state',`
')
-- read_files_pattern($1, postfix_master_t, postfix_master_t)
-+ kernel_search_proc($1)
+ kernel_search_proc($1)
+- allow $1 postfix_master_t:dir list_dir_perms;
+- allow $1 postfix_master_t:file read_file_perms;
+- allow $1 postfix_master_t:lnk_file read_lnk_file_perms;
+ ps_process_pattern($1, postfix_master_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Use postfix master file descriptors.
+## Use postfix master process file
+## file descriptors.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`postfix_use_fds_master',`
-+ gen_require(`
-+ type postfix_master_t;
-+ ')
-+
-+ allow $1 postfix_master_t:fd use;
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -335,15 +322,13 @@ interface(`postfix_domtrans_map',`
+ type postfix_map_t, postfix_map_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+ domtrans_pattern($1, postfix_map_exec_t, postfix_map_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Execute postfix map in the postfix
+-## map domain, and allow the specified
+-## role the postfix_map domain.
++## Execute postfix_map in the postfix_map domain, and
++## allow the specified role the postfix_map domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -359,17 +344,17 @@ interface(`postfix_domtrans_map',`
+ #
+ interface(`postfix_run_map',`
+ gen_require(`
+- attribute_role postfix_map_roles;
++ type postfix_map_t;
+ ')
+
+ postfix_domtrans_map($1)
+- roleattribute $2 postfix_map_roles;
++ role $2 types postfix_map_t;
')
########################################
-@@ -376,6 +370,25 @@ interface(`postfix_domtrans_master',`
+ ## <summary>
+-## Execute the master postfix program
+-## in the postfix_master domain.
++## Execute the master postfix program in the
++## postfix_master domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -382,14 +367,32 @@ interface(`postfix_domtrans_master',`
+ type postfix_master_t, postfix_master_exec_t;
+ ')
+
+- corecmd_search_bin($1)
domtrans_pattern($1, postfix_master_exec_t, postfix_master_t)
')
+
-+########################################
-+## <summary>
+ ########################################
+ ## <summary>
+-## Execute the master postfix program
+-## in the caller domain.
+## Execute the master postfix in the postfix master domain.
+## </summary>
+## <param name="domain">
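Review bot: The rewritten summary for postfix_rw_local_pipes, `## Allow read/write postfix local pipes` / `## TCP sockets.`, describes socket access, but the interface's only rule is `allow $1 postfix_local_t:fifo_file rw_fifo_file_perms;`, so anyone auditing what the interface grants is misled; `## Read and write postfix local pipes.` matches the rule (the pre-existing postfix_rw_public_pipes summary has the same wording problem). In postfix_read_config the patch now drops `allow $1 postfix_etc_t:dir list_dir_perms;` in favour of `read_files_pattern($1, postfix_etc_t, postfix_etc_t)`, which grants only search on the directory, so a caller that enumerates the configuration directory would start getting denials; worth confirming against the known callers before narrowing. The patch also removes `corecmd_search_bin($1)` from postfix_domtrans_map and postfix_domtrans_master here and from postfix_exec_master, postfix_domtrans_postdrop, postfix_domtrans_postqueue, postfix_exec_postqueue and postfix_domtrans_smtp in the following hunks; this presumably relies on the Fedora base policy granting bin_t search elsewhere, but that assumption is not stated anywhere in the patch and upstream callers rely on the interface providing it. The interface whose summary closes this hunk continues in the next one.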
@@ -48359,10 +51405,29 @@ index 46bee12..20a3ccd 100644
+ init_labeled_script_domtrans($1, postfix_initrc_exec_t)
+')
+
- ########################################
++########################################
++## <summary>
++## Execute the master postfix program in the
++## caller domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -402,21 +405,18 @@ interface(`postfix_exec_master',`
+ type postfix_master_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+ can_exec($1, postfix_master_exec_t)
+ ')
+
+ #######################################
## <summary>
- ## Execute the master postfix program in the
-@@ -404,7 +417,6 @@ interface(`postfix_exec_master',`
+-## Connect to postfix master process
+-## using a unix domain stream socket.
++## Connect to postfix master process using a unix domain stream socket.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
## Domain allowed access.
## </summary>
## </param>
@@ -48370,52 +51435,87 @@ index 46bee12..20a3ccd 100644
#
interface(`postfix_stream_connect_master',`
gen_require(`
-@@ -416,6 +428,24 @@ interface(`postfix_stream_connect_master',`
+@@ -428,8 +428,7 @@ interface(`postfix_stream_connect_master',`
########################################
## <summary>
+-## Read and write postfix master
+-## unnamed pipes. (Deprecated)
+## Allow read/write postfix master pipes
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`postfix_rw_master_pipes',`
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -437,15 +436,18 @@ interface(`postfix_stream_connect_master',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`postfix_rw_master_pipes',`
+- refpolicywarn(`$0($*) has been deprecated, use postfix_rw_inherited_master_pipes() instead.')
+- postfix_rw_inherited_master_pipes($1)
++interface(`postfix_rw_inherited_master_pipes',`
+ gen_require(`
+ type postfix_master_t;
+ ')
+
+ allow $1 postfix_master_t:fifo_file rw_inherited_fifo_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
## Execute the master postdrop in the
- ## postfix_postdrop domain.
+-## postfix postdrop domain.
++## postfix_postdrop domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -458,14 +460,13 @@ interface(`postfix_domtrans_postdrop',`
+ type postfix_postdrop_t, postfix_postdrop_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+ domtrans_pattern($1, postfix_postdrop_exec_t, postfix_postdrop_t)
+ ')
+
+ ########################################
+ ## <summary>
+ ## Execute the master postqueue in the
+-## postfix postqueue domain.
++## postfix_postqueue domain.
## </summary>
-@@ -452,6 +482,61 @@ interface(`postfix_domtrans_postqueue',`
+ ## <param name="domain">
+ ## <summary>
+@@ -478,30 +479,67 @@ interface(`postfix_domtrans_postqueue',`
+ type postfix_postqueue_t, postfix_postqueue_exec_t;
+ ')
+
+- corecmd_search_bin($1)
domtrans_pattern($1, postfix_postqueue_exec_t, postfix_postqueue_t)
')
+-#######################################
+########################################
-+## <summary>
+ ## <summary>
+-## Execute the master postqueue in
+-## the caller domain. (Deprecated)
+## Execute the master postqueue in the
+## postfix_postdrop domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
+## Domain allowed to transition.
-+## </summary>
-+## </param>
+ ## </summary>
+ ## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the iptables domain.
+## </summary>
+## </param>
+## <rolecap/>
-+#
+ #
+-interface(`posftix_exec_postqueue',`
+- refpolicywarn(`$0($*) has been deprecated.')
+- postfix_exec_postqueue($1)
+
+interface(`postfix_run_postqueue',`
+ gen_require(`
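Review bot: The new postfix_run_postqueue interface is documented as executing postqueue in the `postfix_postdrop` domain and its role parameter as `## The role to be allowed the iptables domain.`, but the body (continuing in the next hunk) transitions to postfix_postqueue_t via postfix_domtrans_postqueue and `role $2 types postfix_postqueue_t;`; the summary should read `## postfix_postqueue domain.` and the role text `## The role to be allowed the postfix_postqueue domain.`. The deprecated postfix_rw_master_pipes wrapper with its refpolicywarn is dropped and the rw_inherited_fifo_file_perms interface is defined under the name postfix_rw_inherited_master_pipes, so any out-of-tree module still calling postfix_rw_master_pipes now fails to build instead of warning; if that is intended it is worth saying so in the patch. The postfix_run_postqueue body starts here and ends outside the hunk.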
@@ -48425,8 +51525,8 @@ index 46bee12..20a3ccd 100644
+ postfix_domtrans_postqueue($1)
+ role $2 types postfix_postqueue_t;
+ allow postfix_postqueue_t $1:unix_stream_socket { read write getattr };
-+')
-+
+ ')
+
+########################################
+## <summary>
+## Execute postfix_postgqueue in the postfix_postgqueue domain, and
@@ -48456,43 +51556,86 @@ index 46bee12..20a3ccd 100644
+
#######################################
## <summary>
- ## Execute the master postqueue in the caller domain.
-@@ -462,7 +547,7 @@ interface(`postfix_domtrans_postqueue',`
- ## </summary>
- ## </param>
- #
--interface(`posftix_exec_postqueue',`
-+interface(`postfix_exec_postqueue',`
- gen_require(`
+-## Execute postfix postqueue in
+-## the caller domain.
++## Execute the master postqueue in the caller domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -514,13 +552,12 @@ interface(`postfix_exec_postqueue',`
type postfix_postqueue_exec_t;
')
-@@ -529,6 +614,25 @@ interface(`postfix_domtrans_smtp',`
+
+- corecmd_search_bin($1)
+ can_exec($1, postfix_postqueue_exec_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Create postfix private sock files.
++## Create a named socket in a postfix private directory.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -533,13 +570,13 @@ interface(`postfix_create_private_sockets',`
+ type postfix_private_t;
+ ')
+
++ allow $1 postfix_private_t:dir list_dir_perms;
+ create_sock_files_pattern($1, postfix_private_t, postfix_private_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete
+-## postfix private sock files.
++## manage named socket in a postfix private directory.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -552,13 +589,14 @@ interface(`postfix_manage_private_sockets',`
+ type postfix_private_t;
+ ')
+
++ allow $1 postfix_private_t:dir list_dir_perms;
+ manage_sock_files_pattern($1, postfix_private_t, postfix_private_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Execute the smtp postfix program
+-## in the postfix smtp domain.
++## Execute the master postfix program in the
++## postfix_master domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -571,14 +609,12 @@ interface(`postfix_domtrans_smtp',`
+ type postfix_smtp_t, postfix_smtp_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+ domtrans_pattern($1, postfix_smtp_exec_t, postfix_smtp_t)
+ ')
########################################
## <summary>
+-## Get attributes of all postfix mail
+-## spool files.
+## Getattr postfix mail spool files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`postfix_getattr_spool_files',`
-+ gen_require(`
-+ attribute postfix_spool_type;
-+ ')
-+
-+ files_search_spool($1)
-+ getattr_files_pattern($1, postfix_spool_type, postfix_spool_type)
-+')
-+
-+########################################
-+## <summary>
- ## Search postfix mail spool directories.
## </summary>
## <param name="domain">
-@@ -539,10 +643,10 @@ interface(`postfix_domtrans_smtp',`
+ ## <summary>
+@@ -586,7 +622,7 @@ interface(`postfix_domtrans_smtp',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`postfix_getattr_all_spool_files',`
++interface(`postfix_getattr_spool_files',`
+ gen_require(`
+ attribute postfix_spool_type;
+ ')
+@@ -607,11 +643,11 @@ interface(`postfix_getattr_all_spool_files',`
#
interface(`postfix_search_spool',`
gen_require(`
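Review bot: The rewritten summary for postfix_domtrans_smtp, `## Execute the master postfix program in the` / `## postfix_master domain.`, is a copy of the postfix_domtrans_master text, while the interface's rule is `domtrans_pattern($1, postfix_smtp_exec_t, postfix_smtp_t)`; the upstream wording it replaces, `## Execute the smtp postfix program in the postfix smtp domain.`, is the accurate one. postfix_create_private_sockets and postfix_manage_private_sockets gain `allow $1 postfix_private_t:dir list_dir_perms;` beyond the directory permissions the create/manage sock-file patterns already carry; a short comment naming the caller that needs to read the private directory, rather than only add entries to it, would document the extra grant. The `## manage named socket in a postfix private directory.` summary also starts lowercase, unlike the neighbouring summaries.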
@@ -48500,12 +51643,13 @@ index 46bee12..20a3ccd 100644
+ attribute postfix_spool_type;
')
-- allow $1 postfix_spool_t:dir search_dir_perms;
+ allow $1 postfix_spool_type:dir search_dir_perms;
files_search_spool($1)
+- allow $1 postfix_spool_t:dir search_dir_perms;
')
-@@ -558,10 +662,10 @@ interface(`postfix_search_spool',`
+ ########################################
+@@ -626,11 +662,11 @@ interface(`postfix_search_spool',`
#
interface(`postfix_list_spool',`
gen_require(`
@@ -48513,12 +51657,13 @@ index 46bee12..20a3ccd 100644
+ attribute postfix_spool_type;
')
-- allow $1 postfix_spool_t:dir list_dir_perms;
+ allow $1 postfix_spool_type:dir list_dir_perms;
files_search_spool($1)
+- allow $1 postfix_spool_t:dir list_dir_perms;
')
-@@ -577,11 +681,11 @@ interface(`postfix_list_spool',`
+ ########################################
+@@ -645,17 +681,16 @@ interface(`postfix_list_spool',`
#
interface(`postfix_read_spool_files',`
gen_require(`
@@ -48532,7 +51677,14 @@ index 46bee12..20a3ccd 100644
')
########################################
-@@ -596,11 +700,31 @@ interface(`postfix_read_spool_files',`
+ ## <summary>
+-## Create, read, write, and delete
+-## postfix mail spool files.
++## Create, read, write, and delete postfix mail spool files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -665,11 +700,31 @@ interface(`postfix_read_spool_files',`
#
interface(`postfix_manage_spool_files',`
gen_require(`
@@ -48566,44 +51718,42 @@ index 46bee12..20a3ccd 100644
')
########################################
-@@ -621,3 +745,157 @@ interface(`postfix_domtrans_user_mail_handler',`
+@@ -693,8 +748,8 @@ interface(`postfix_domtrans_user_mail_handler',`
- typeattribute $1 postfix_user_domtrans;
- ')
-+
-+########################################
-+## <summary>
+ ########################################
+ ## <summary>
+-## All of the rules required to
+-## administrate an postfix environment.
+## All of the rules required to administrate
+## an postfix environment.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <param name="role">
-+## <summary>
-+## Role allowed access.
-+## </summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`postfix_admin',`
-+ gen_require(`
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -710,37 +765,137 @@ interface(`postfix_domtrans_user_mail_handler',`
+ #
+ interface(`postfix_admin',`
+ gen_require(`
+- attribute postfix_domain, postfix_spool_type, postfix_server_tmp_content;
+- type postfix_initrc_exec_t, postfix_prng_t, postfix_etc_t;
+- type postfix_data_t, postfix_var_run_t, postfix_public_t;
+- type postfix_private_t, postfix_map_tmp_t, postfix_exec_t;
+ attribute postfix_spool_type;
+ type postfix_bounce_t, postfix_cleanup_t, postfix_local_t;
+ type postfix_master_t, postfix_pickup_t, postfix_qmgr_t;
+ type postfix_initrc_exec_t, postfix_data_t, postfix_etc_t;
+ type postfix_map_tmp_t, postfix_prng_t, postfix_public_t;
+ type postfix_smtpd_t, postfix_var_run_t;
-+ ')
-+
+ ')
+
+- allow $1 postfix_domain:process { ptrace signal_perms };
+- ps_process_pattern($1, postfix_domain)
+ allow $1 postfix_bounce_t:process signal_perms;
+ ps_process_pattern($1, postfix_bounce_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 postfix_bounce_t:process ptrace;
+ ')
-+
+
+- init_labeled_script_domtrans($1, postfix_initrc_exec_t)
+ allow $1 postfix_cleanup_t:process signal_perms;
+ ps_process_pattern($1, postfix_cleanup_t)
+ tunable_policy(`deny_ptrace',`',`
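Review bot: postfix_admin now enumerates individual domains (`postfix_bounce_t`, `postfix_cleanup_t`, …) for signal_perms, ps_process_pattern and the deny_ptrace-gated ptrace, where upstream granted these on the `postfix_domain` attribute; any domain produced by postfix_server_domain_template or postfix_user_domain_template that is missing from the list (which continues outside the hunk) silently loses admin coverage, and domains added later will not pick it up. Keeping the attribute form, `allow $1 postfix_domain:process signal_perms;` / `ps_process_pattern($1, postfix_domain)` / `tunable_policy(`deny_ptrace',`',` allow $1 postfix_domain:process ptrace; ')`, gives the same deny_ptrace gating without the per-type repetition and cannot drift from the template. The interface body continues past the end of the hunk.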
@@ -48635,25 +51785,38 @@ index 46bee12..20a3ccd 100644
+ postfix_run_postqueue($1, $2)
+
+ postfix_initrc_domtrans($1)
-+ domain_system_change_exemption($1)
-+ role_transition $2 postfix_initrc_exec_t system_r;
-+ allow $2 system_r;
-+
+ domain_system_change_exemption($1)
+ role_transition $2 postfix_initrc_exec_t system_r;
+ allow $2 system_r;
+
+- files_search_etc($1)
+- admin_pattern($1, { postfix_prng_t postfix_etc_t postfix_exec_t })
+ admin_pattern($1, postfix_data_t)
-+
+
+- files_search_spool($1)
+- admin_pattern($1, { postfix_public_t postfix_private_t postfix_spool_type })
+ files_list_etc($1)
+ admin_pattern($1, postfix_etc_t)
-+
+
+- files_search_var_lib($1)
+- admin_pattern($1, postfix_data_t)
+ files_list_spool($1)
+ admin_pattern($1, postfix_spool_type)
-+
-+ admin_pattern($1, postfix_var_run_t)
-+
+
+- files_search_pids($1)
+ admin_pattern($1, postfix_var_run_t)
+
+- files_search_tmp($1)
+- admin_pattern($1, { postfix_server_tmp_content postfix_map_tmp_t })
+ files_list_tmp($1)
+ admin_pattern($1, postfix_map_tmp_t)
+
+ admin_pattern($1, postfix_prng_t)
-+
+
+- postfix_exec_master($1)
+- postfix_exec_postqueue($1)
+- postfix_stream_connect_master($1)
+- postfix_run_map($1, $2)
+ admin_pattern($1, postfix_public_t)
+
+ postfix_filetrans_named_content($1)
@@ -48723,94 +51886,211 @@ index 46bee12..20a3ccd 100644
+
+ postfix_config_filetrans($1, postfix_exec_t, file, "postfix-script")
+ postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
-+')
+ ')
diff --git a/postfix.te b/postfix.te
-index a1e0f60..ae56a3e 100644
+index 191a66f..ca44603 100644
--- a/postfix.te
+++ b/postfix.te
-@@ -5,6 +5,15 @@ policy_module(postfix, 1.14.0)
- # Declarations
+@@ -1,4 +1,4 @@
+-policy_module(postfix, 1.14.10)
++policy_module(postfix, 1.14.0)
+
+ ########################################
+ #
+@@ -6,27 +6,23 @@ policy_module(postfix, 1.14.10)
#
-+## <desc>
+ ## <desc>
+-## <p>
+-## Determine whether postfix local
+-## can manage mail spool content.
+-## </p>
+## <p>
+## Allow postfix_local domain full write access to mail_spool directories
+## </p>
-+## </desc>
-+gen_tunable(postfix_local_write_mail_spool, true)
-+
-+attribute postfix_domain;
-+attribute postfix_spool_type;
+ ## </desc>
+ gen_tunable(postfix_local_write_mail_spool, true)
+
+ attribute postfix_domain;
+-attribute postfix_server_domain;
+-attribute postfix_server_tmp_content;
+ attribute postfix_spool_type;
attribute postfix_user_domains;
- # domains that transition to the
- # postfix user domains
-@@ -12,8 +21,8 @@ attribute postfix_user_domtrans;
++# domains that transition to the
++# postfix user domains
+ attribute postfix_user_domtrans;
+-attribute_role postfix_map_roles;
+-roleattribute system_r postfix_map_roles;
+-
postfix_server_domain_template(bounce)
--type postfix_spool_bounce_t;
+ type postfix_spool_bounce_t, postfix_spool_type;
-files_type(postfix_spool_bounce_t)
-+type postfix_spool_bounce_t, postfix_spool_type;
+files_spool_file(postfix_spool_bounce_t)
postfix_server_domain_template(cleanup)
-@@ -41,6 +50,9 @@ typealias postfix_master_t alias postfix_t;
- # generation macro work
- mta_mailserver(postfix_t, postfix_master_exec_t)
-
-+type postfix_initrc_exec_t;
-+init_script_file(postfix_initrc_exec_t)
-+
- postfix_server_domain_template(pickup)
+@@ -39,16 +35,19 @@ application_executable_file(postfix_exec_t)
+ postfix_server_domain_template(local)
+ mta_mailserver_delivery(postfix_local_t)
- postfix_server_domain_template(pipe)
-@@ -49,6 +61,7 @@ postfix_user_domain_template(postdrop)
- mta_mailserver_user_agent(postfix_postdrop_t)
++# Program for creating database files
+ type postfix_map_t;
+ type postfix_map_exec_t;
+ application_domain(postfix_map_t, postfix_map_exec_t)
+-role postfix_map_roles types postfix_map_t;
++role system_r types postfix_map_t;
- postfix_user_domain_template(postqueue)
-+mta_mailserver_user_agent(postfix_postqueue_t)
+ type postfix_map_tmp_t;
+ files_tmp_file(postfix_map_tmp_t)
- type postfix_private_t;
- files_type(postfix_private_t)
-@@ -65,14 +78,14 @@ mta_mailserver_sender(postfix_smtp_t)
+ postfix_domain_template(master)
+ typealias postfix_master_t alias postfix_t;
++# alias is a hack to make the disable trans bool
++# generation macro work
+ mta_mailserver(postfix_t, postfix_master_exec_t)
+ type postfix_initrc_exec_t;
+@@ -80,13 +79,13 @@ mta_mailserver_sender(postfix_smtp_t)
postfix_server_domain_template(smtpd)
--type postfix_spool_t;
+ type postfix_spool_t, postfix_spool_type;
-files_type(postfix_spool_t)
-+type postfix_spool_t, postfix_spool_type;
+files_spool_file(postfix_spool_t)
--type postfix_spool_maildrop_t;
+ type postfix_spool_maildrop_t, postfix_spool_type;
-files_type(postfix_spool_maildrop_t)
-+type postfix_spool_maildrop_t, postfix_spool_type;
+files_spool_file(postfix_spool_maildrop_t)
--type postfix_spool_flush_t;
+ type postfix_spool_flush_t, postfix_spool_type;
-files_type(postfix_spool_flush_t)
-+type postfix_spool_flush_t, postfix_spool_type;
+files_spool_file(postfix_spool_flush_t)
type postfix_public_t;
files_type(postfix_public_t)
-@@ -94,23 +107,26 @@ mta_mailserver_delivery(postfix_virtual_t)
+@@ -94,6 +93,7 @@ files_type(postfix_public_t)
+ type postfix_var_run_t;
+ files_pid_file(postfix_var_run_t)
+
++# the data_directory config parameter
+ type postfix_data_t;
+ files_type(postfix_data_t)
- # chown is to set the correct ownership of queue dirs
- allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
--allow postfix_master_t self:fifo_file rw_fifo_file_perms;
-+allow postfix_master_t self:capability2 block_suspend;
+@@ -102,160 +102,63 @@ mta_mailserver_delivery(postfix_virtual_t)
+
+ ########################################
+ #
+-# Common postfix domain local policy
++# Postfix master process local policy
+ #
+
+-allow postfix_domain self:capability { sys_nice sys_chroot };
+-dontaudit postfix_domain self:capability sys_tty_config;
+-allow postfix_domain self:process { signal_perms setpgid setsched };
+-allow postfix_domain self:fifo_file rw_fifo_file_perms;
+-allow postfix_domain self:unix_stream_socket { accept connectto listen };
+-
+-allow postfix_domain postfix_etc_t:dir list_dir_perms;
+-allow postfix_domain postfix_etc_t:file read_file_perms;
+-allow postfix_domain postfix_etc_t:lnk_file read_lnk_file_perms;
+-
+-allow postfix_domain postfix_master_t:file read_file_perms;
+-
+-allow postfix_domain postfix_exec_t:file { mmap_file_perms lock };
+-
+-allow postfix_domain postfix_master_t:process sigchld;
+-
+-allow postfix_domain postfix_spool_t:dir list_dir_perms;
+-
+-manage_files_pattern(postfix_domain, postfix_var_run_t, postfix_var_run_t)
+-files_pid_filetrans(postfix_domain, postfix_var_run_t, file)
+-
+-kernel_read_system_state(postfix_domain)
+-kernel_read_network_state(postfix_domain)
+-kernel_read_all_sysctls(postfix_domain)
+-
+-dev_read_sysfs(postfix_domain)
+-dev_read_rand(postfix_domain)
+-dev_read_urand(postfix_domain)
+-
+-fs_search_auto_mountpoints(postfix_domain)
+-fs_getattr_all_fs(postfix_domain)
+-fs_rw_anon_inodefs_files(postfix_domain)
+-
+-term_dontaudit_use_console(postfix_domain)
+-
+-corecmd_exec_shell(postfix_domain)
+-
+-files_read_etc_runtime_files(postfix_domain)
+-files_read_usr_files(postfix_domain)
+-files_search_spool(postfix_domain)
+-files_getattr_tmp_dirs(postfix_domain)
+-files_search_all_mountpoints(postfix_domain)
+-
+-init_dontaudit_use_fds(postfix_domain)
+-init_sigchld(postfix_domain)
+-
+-logging_send_syslog_msg(postfix_domain)
+-
+-miscfiles_read_localization(postfix_domain)
+-miscfiles_read_generic_certs(postfix_domain)
+-
+-userdom_dontaudit_use_unpriv_user_fds(postfix_domain)
+-
+-optional_policy(`
+- udev_read_db(postfix_domain)
+-')
+-
+-########################################
+-#
+-# Common postfix server domain local policy
+-#
+-
+-allow postfix_server_domain self:capability { setuid setgid dac_override };
+-
+-allow postfix_server_domain postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
+-
+-corenet_all_recvfrom_unlabeled(postfix_server_domain)
+-corenet_all_recvfrom_netlabel(postfix_server_domain)
+-corenet_tcp_sendrecv_generic_if(postfix_server_domain)
+-corenet_tcp_sendrecv_generic_node(postfix_server_domain)
+-
+-corenet_sendrecv_all_client_packets(postfix_server_domain)
+-corenet_tcp_connect_all_ports(postfix_server_domain)
+-corenet_tcp_sendrecv_all_ports(postfix_server_domain)
+-
+-########################################
+-#
+-# Common postfix user domain local policy
+-#
+-
+-allow postfix_user_domains self:capability dac_override;
+-
+-domain_use_interactive_fds(postfix_user_domains)
+-
+-########################################
+-#
+-# Master local policy
+-#
+-
+-allow postfix_master_t self:capability { chown dac_override kill fowner setgid setuid sys_tty_config };
++# chown is to set the correct ownership of queue dirs
++allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
+ allow postfix_master_t self:capability2 block_suspend;
+
-+allow postfix_master_t self:process setrlimit;
+ allow postfix_master_t self:process setrlimit;
allow postfix_master_t self:tcp_socket create_stream_socket_perms;
allow postfix_master_t self:udp_socket create_socket_perms;
--allow postfix_master_t self:process setrlimit;
-+allow postfix_master_t postfix_etc_t:dir rw_dir_perms;
+-allow postfix_master_t postfix_domain:fifo_file rw_fifo_file_perms;
+-allow postfix_master_t postfix_domain:process signal;
+-
+ allow postfix_master_t postfix_etc_t:dir rw_dir_perms;
allow postfix_master_t postfix_etc_t:file rw_file_perms;
+mta_filetrans_aliases(postfix_master_t, postfix_etc_t)
-
- can_exec(postfix_master_t, postfix_exec_t)
++
++can_exec(postfix_master_t, postfix_exec_t)
allow postfix_master_t postfix_data_t:dir manage_dir_perms;
allow postfix_master_t postfix_data_t:file manage_file_perms;
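Review bot: The patch now changes `policy_module(postfix, 1.14.10)` to `policy_module(postfix, 1.14.0)`, moving the module version backwards from the upstream it was just merged from; that hunk should be dropped (or the version moved forward) so the installed module does not report an older version than its base and version comparisons during upgrades stay monotonic. The removal of `attribute postfix_server_domain` and of the whole "Common postfix server domain local policy" corenet block appears to be compensated by the corenet_* rules added to postfix_domain_template in postfix.if earlier in this file, which apply to every postfix domain including the user-invoked postdrop and postqueue helpers and add UDP send/recv and generic-node bind that upstream reserved for postfix_master_t; if that widening is deliberate, a comment in the template saying why should accompany it, otherwise the server/user split is worth keeping. Whether the other postfix_domain-attribute rules dropped here reappear per domain is not visible in this hunk.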
@@ -48818,37 +52098,71 @@ index a1e0f60..ae56a3e 100644
-allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms ioctl lock };
+allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms lock };
--allow postfix_master_t postfix_postdrop_exec_t:file getattr;
+-allow postfix_master_t { postfix_postdrop_exec_t postfix_postqueue_exec_t }:file getattr_file_perms;
+allow postfix_master_t postfix_postdrop_exec_t:file getattr_file_perms;
-
--allow postfix_master_t postfix_postqueue_exec_t:file getattr;
++
+allow postfix_master_t postfix_postqueue_exec_t:file getattr_file_perms;
++
++manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
++manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
++
++domtrans_pattern(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t)
- manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
- manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
-@@ -130,7 +146,7 @@ manage_files_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t)
+ allow postfix_master_t postfix_prng_t:file rw_file_perms;
+
++manage_fifo_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t)
++manage_sock_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t)
++
++domtrans_pattern(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)
++
++# allow access to deferred queue and allow removing bogus incoming entries
+ manage_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t)
+ manage_files_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t)
files_spool_filetrans(postfix_master_t, postfix_spool_t, dir)
allow postfix_master_t postfix_spool_bounce_t:dir manage_dir_perms;
--allow postfix_master_t postfix_spool_bounce_t:file getattr;
-+allow postfix_master_t postfix_spool_bounce_t:file getattr_file_perms;
+ allow postfix_master_t postfix_spool_bounce_t:file getattr_file_perms;
+-filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_bounce_t, dir, "bounce")
manage_dirs_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
manage_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
-@@ -138,11 +154,11 @@ manage_lnk_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_
-
+ manage_lnk_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
+-filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_flush_t, dir, "flush")
+-
+-create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_private_t)
+-manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
+-manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
+-setattr_dirs_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
+-filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_private_t, dir, "private")
+
+-create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_public_t)
+-manage_fifo_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t)
+-manage_sock_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t)
+-setattr_dirs_pattern(postfix_master_t, postfix_public_t, postfix_public_t)
+-filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_public_t, dir, "public")
+-
+-create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t)
delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+rw_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+-filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "maildrop")
+-
+-create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t)
+-setattr_dirs_pattern(postfix_master_t, postfix_var_run_t, postfix_var_run_t)
+-filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t, dir, "pid")
- kernel_read_all_sysctls(postfix_master_t)
+-can_exec(postfix_master_t, postfix_exec_t)
++kernel_read_all_sysctls(postfix_master_t)
+-domtrans_pattern(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t)
+-domtrans_pattern(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)
+-
-corenet_all_recvfrom_unlabeled(postfix_master_t)
corenet_all_recvfrom_netlabel(postfix_master_t)
corenet_tcp_sendrecv_generic_if(postfix_master_t)
corenet_udp_sendrecv_generic_if(postfix_master_t)
-@@ -150,6 +166,9 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t)
+@@ -263,50 +166,47 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t)
corenet_udp_sendrecv_generic_node(postfix_master_t)
corenet_tcp_sendrecv_all_ports(postfix_master_t)
corenet_udp_sendrecv_all_ports(postfix_master_t)
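Review bot: The upstream `create_dirs_pattern`/`setattr_dirs_pattern` rules and the named transitions `filetrans_pattern(postfix_master_t, postfix_spool_t, <type>, dir, "bounce"|"flush"|"private"|"public"|"maildrop"|"pid")` are removed without a replacement in this hunk, so when postfix_master_t creates those spool subdirectories itself they would be labelled postfix_spool_t instead of postfix_spool_bounce_t, postfix_private_t, postfix_public_t and so on, and the per-type rules elsewhere in this file would not apply to them until a relabel. If the Fedora-side postfix_filetrans_named_content interface (called from postfix_admin in postfix.if) is meant to carry these transitions, postfix_master_t should call it here; otherwise the six filetrans lines are worth keeping. The master domain's policy continues past the end of the hunk.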
@@ -48856,41 +52170,72 @@ index a1e0f60..ae56a3e 100644
+corenet_udp_bind_all_unreserved_ports(postfix_master_t)
+corenet_dontaudit_udp_bind_all_ports(postfix_master_t)
corenet_tcp_bind_generic_node(postfix_master_t)
+-
+-corenet_sendrecv_amavisd_send_server_packets(postfix_master_t)
corenet_tcp_bind_amavisd_send_port(postfix_master_t)
+-
+-corenet_sendrecv_smtp_server_packets(postfix_master_t)
corenet_tcp_bind_smtp_port(postfix_master_t)
-@@ -157,6 +176,8 @@ corenet_tcp_connect_all_ports(postfix_master_t)
- corenet_sendrecv_amavisd_send_server_packets(postfix_master_t)
- corenet_sendrecv_smtp_server_packets(postfix_master_t)
- corenet_sendrecv_all_client_packets(postfix_master_t)
+-
+-corenet_sendrecv_spamd_server_packets(postfix_master_t)
+-corenet_tcp_bind_spamd_port(postfix_master_t)
+-
+-corenet_sendrecv_all_client_packets(postfix_master_t)
+ corenet_tcp_connect_all_ports(postfix_master_t)
++corenet_sendrecv_amavisd_send_server_packets(postfix_master_t)
++corenet_sendrecv_smtp_server_packets(postfix_master_t)
++corenet_sendrecv_all_client_packets(postfix_master_t)
+# for spampd
+corenet_tcp_bind_spamd_port(postfix_master_t)
- # for a find command
+-# Can this be conditional?
+-corenet_sendrecv_all_server_packets(postfix_master_t)
+-corenet_udp_bind_all_unreserved_ports(postfix_master_t)
+-corenet_dontaudit_udp_bind_all_ports(postfix_master_t)
+-
++# for a find command
selinux_dontaudit_search_fs(postfix_master_t)
-@@ -167,14 +188,14 @@ corecmd_exec_bin(postfix_master_t)
+
++corecmd_exec_shell(postfix_master_t)
+ corecmd_exec_bin(postfix_master_t)
+
domain_use_interactive_fds(postfix_master_t)
- files_read_usr_files(postfix_master_t)
++files_read_usr_files(postfix_master_t)
+files_search_var_lib(postfix_master_t)
-+files_search_tmp(postfix_master_t)
+ files_search_tmp(postfix_master_t)
--term_dontaudit_search_ptys(postfix_master_t)
-+mcs_file_read_all(postfix_master_t)
+ mcs_file_read_all(postfix_master_t)
--miscfiles_read_man_pages(postfix_master_t)
-+term_dontaudit_search_ptys(postfix_master_t)
+ term_dontaudit_search_ptys(postfix_master_t)
+-miscfiles_read_man_pages(postfix_master_t)
+-
seutil_sigchld_newrole(postfix_master_t)
--# postfix does a "find" on startup for some reason - keep it quiet
-seutil_dontaudit_search_config(postfix_master_t)
- mta_rw_aliases(postfix_master_t)
+-mta_manage_aliases(postfix_master_t)
+-mta_etc_filetrans_aliases(postfix_master_t, file, "aliases")
+-mta_etc_filetrans_aliases(postfix_master_t, file, "aliases.db")
+-mta_etc_filetrans_aliases(postfix_master_t, file, "aliasesdb-stamp")
+-mta_spec_filetrans_aliases(postfix_master_t, postfix_etc_t, file)
++mta_rw_aliases(postfix_master_t)
mta_read_sendmail_bin(postfix_master_t)
-@@ -195,15 +216,11 @@ optional_policy(`
+ mta_getattr_spool(postfix_master_t)
+
++ifdef(`distro_redhat',`
++ # for newer main.cf that uses /etc/aliases
++ mta_manage_aliases(postfix_master_t)
++ mta_etc_filetrans_aliases(postfix_master_t)
++')
++
+ optional_policy(`
+ cyrus_stream_connect(postfix_master_t)
+ ')
+@@ -316,14 +216,11 @@ optional_policy(`
')
optional_policy(`
--# for postalias
+# for postalias
mailman_manage_data_files(postfix_master_t)
')
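Review bot: `mta_etc_filetrans_aliases(postfix_master_t)` inside the added `ifdef(`distro_redhat'` block is called with a single argument, while the upstream calls this hunk removes (`mta_etc_filetrans_aliases(postfix_master_t, file, "aliases")` and the two that follow) pass a class and a file name; unless the patch also carries a one-argument definition of that interface in mta.if, this either fails to build or silently loses the name-based transitions for aliases, aliases.db and aliasesdb-stamp. Separately, `corecmd_exec_shell(postfix_master_t)` is added with no comment, and the neighbouring `# for a find command` explains only the dontaudit below it; a one-line comment stating what the master daemon needs a shell for would let a reviewer judge that grant. The master section of postfix.te begins before this hunk.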
@@ -48903,32 +52248,41 @@ index a1e0f60..ae56a3e 100644
postgrey_search_spool(postfix_master_t)
')
-@@ -220,13 +237,17 @@ allow postfix_bounce_t self:capability dac_read_search;
- allow postfix_bounce_t self:tcp_socket create_socket_perms;
+@@ -333,12 +230,14 @@ optional_policy(`
- allow postfix_bounce_t postfix_public_t:sock_file write;
--allow postfix_bounce_t postfix_public_t:dir search;
+ ########################################
+ #
+-# Bounce local policy
++# Postfix bounce local policy
+ #
+
+ allow postfix_bounce_t self:capability dac_read_search;
++allow postfix_bounce_t self:tcp_socket create_socket_perms;
+
+-write_sock_files_pattern(postfix_bounce_t, postfix_public_t, postfix_public_t)
++allow postfix_bounce_t postfix_public_t:sock_file write;
+allow postfix_bounce_t postfix_public_t:dir search_dir_perms;
manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
- manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
- files_spool_filetrans(postfix_bounce_t, postfix_spool_t, dir)
+@@ -355,35 +254,34 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool
-+manage_files_pattern(postfix_bounce_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
-+manage_dirs_pattern(postfix_bounce_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
-+allow postfix_bounce_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
-+
- manage_dirs_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
- manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
- manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
-@@ -237,22 +258,31 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool
+ ########################################
+ #
+-# Cleanup local policy
++# Postfix cleanup local policy
#
allow postfix_cleanup_t self:process setrlimit;
-+allow postfix_cleanup_t postfix_smtpd_t:tcp_socket rw_stream_socket_perms;
+-
+ allow postfix_cleanup_t postfix_smtpd_t:tcp_socket rw_stream_socket_perms;
+-allow postfix_cleanup_t postfix_smtpd_t:unix_stream_socket rw_socket_perms;
+-
+-allow postfix_cleanup_t postfix_spool_maildrop_t:dir list_dir_perms;
+-allow postfix_cleanup_t postfix_spool_maildrop_t:file read_file_perms;
+-allow postfix_cleanup_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
- # connect to master process
++# connect to master process
stream_connect_pattern(postfix_cleanup_t, postfix_private_t, postfix_private_t, postfix_master_t)
rw_fifo_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t)
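Review bot: `allow postfix_bounce_t self:tcp_socket create_socket_perms;` is added to the bounce section without a comment, and nothing else in the hunk (the bounce rules otherwise cover public sock files and the spool) shows why the bounce daemon would open TCP sockets. If the rule only silences a denial seen in an AVC log rather than a real need, a dontaudit is the narrower fix; a comment such as `# TODO(review): why does bounce need a TCP socket? dontaudit if it is only probed` would record that decision. The bounce section continues past this hunk into the cleanup section.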
@@ -48948,47 +52302,52 @@ index a1e0f60..ae56a3e 100644
corecmd_exec_bin(postfix_cleanup_t)
+-corenet_sendrecv_kismet_client_packets(postfix_cleanup_t)
+-corenet_tcp_connect_kismet_port(postfix_cleanup_t)
+-corenet_tcp_sendrecv_kismet_port(postfix_cleanup_t)
+# allow postfix to connect to sqlgrey
+corenet_tcp_connect_rtsclient_port(postfix_cleanup_t)
-+
+
mta_read_aliases(postfix_cleanup_t)
- optional_policy(`
-@@ -264,7 +294,6 @@ optional_policy(`
- # Postfix local local policy
+@@ -393,29 +291,45 @@ optional_policy(`
+
+ ########################################
+ #
+-# Local local policy
++# Postfix local local policy
#
--allow postfix_local_t self:fifo_file rw_fifo_file_perms;
- allow postfix_local_t self:process { setsched setrlimit };
+-allow postfix_local_t self:capability chown;
+-allow postfix_local_t self:process setrlimit;
++allow postfix_local_t self:process { setsched setrlimit };
- # connect to master process
-@@ -272,28 +301,51 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post
++# connect to master process
+ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, postfix_master_t)
- # for .forward - maybe we need a new type for it?
++# for .forward - maybe we need a new type for it?
rw_sock_files_pattern(postfix_local_t, postfix_private_t, postfix_private_t)
+-
+-allow postfix_local_t postfix_spool_t:file rw_file_perms;
+rw_files_pattern(postfix_local_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
-+
-+domtrans_pattern(postfix_local_t, postfix_postdrop_exec_t, postfix_postdrop_t)
- allow postfix_local_t postfix_spool_t:file rw_file_perms;
+ domtrans_pattern(postfix_local_t, postfix_postdrop_exec_t, postfix_postdrop_t)
- corecmd_exec_shell(postfix_local_t)
++allow postfix_local_t postfix_spool_t:file rw_file_perms;
++
++corecmd_exec_shell(postfix_local_t)
corecmd_exec_bin(postfix_local_t)
--files_read_etc_files(postfix_local_t)
--
logging_dontaudit_search_logs(postfix_local_t)
+-mta_delete_spool(postfix_local_t)
mta_read_aliases(postfix_local_t)
- mta_delete_spool(postfix_local_t)
- # For reading spamassasin
++mta_delete_spool(postfix_local_t)
++# For reading spamassasin
mta_read_config(postfix_local_t)
+# Handle vacation script
-+mta_send_mail(postfix_local_t)
+ mta_send_mail(postfix_local_t)
--domtrans_pattern(postfix_local_t, postfix_postdrop_exec_t, postfix_postdrop_t)
--# Might be a leak, but I need a postfix expert to explain
--allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };
+userdom_read_user_home_content_files(postfix_local_t)
+userdom_exec_user_bin_files(postfix_local_t)
+
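Review bot: `corecmd_exec_shell(postfix_local_t)` is added at the `++` line with no comment, and the same section carries `userdom_read_user_home_content_files(postfix_local_t)` and `userdom_exec_user_bin_files(postfix_local_t)`, which by their names appear to let the local delivery domain execute user-owned files while it also holds `allow postfix_local_t postfix_spool_t:file rw_file_perms;`. The hunk already gates spool writes behind the `postfix_local_write_mail_spool` tunable, so the execute grants look like candidates for the same treatment, or at least for a comment tying them to the `.forward` handling the hunk mentions (`# for .forward - maybe we need a new type for it?` currently sits above an unrelated sock_file rule). The local section continues beyond this hunk.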
@@ -49000,33 +52359,29 @@ index a1e0f60..ae56a3e 100644
+ fs_exec_cifs_files(postfix_local_t)
+')
+
-+tunable_policy(`postfix_local_write_mail_spool',`
-+ mta_manage_spool(postfix_local_t)
-+')
-
+ tunable_policy(`postfix_local_write_mail_spool',`
+ mta_manage_spool(postfix_local_t)
+ ')
+@@ -423,6 +337,7 @@ tunable_policy(`postfix_local_write_mail_spool',`
optional_policy(`
clamav_search_lib(postfix_local_t)
clamav_exec_clamscan(postfix_local_t)
+ clamav_stream_connect(postfix_domain)
-+')
-+
-+optional_policy(`
-+ dovecot_domtrans_deliver(postfix_local_t)
-+')
-+
-+optional_policy(`
-+ dspam_domtrans(postfix_local_t)
')
optional_policy(`
-@@ -304,9 +356,26 @@ optional_policy(`
+@@ -434,6 +349,7 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++# for postalias
+ mailman_manage_data_files(postfix_local_t)
+ mailman_append_log(postfix_local_t)
+ mailman_read_log(postfix_local_t)
+@@ -444,6 +360,10 @@ optional_policy(`
')
optional_policy(`
-+ nagios_search_spool(postfix_local_t)
-+')
-+
-+optional_policy(`
+ openshift_search_lib(postfix_local_t)
+')
+
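Review bot: `clamav_stream_connect(postfix_domain)` sits inside the `optional_policy` block whose other calls are `clamav_search_lib(postfix_local_t)` and `clamav_exec_clamscan(postfix_local_t)`, but it is granted to the whole `postfix_domain` attribute, so every postfix domain gains the clamav socket connect from a block that reads as local-delivery-only. Either scope it to `clamav_stream_connect(postfix_local_t)` or move it to the postfix_domain section this patch adds later in the file, with a comment naming which daemons need it. Whether this line is new in the patch or carried as context cannot be told from the rendering here.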
@@ -49034,35 +52389,51 @@ index a1e0f60..ae56a3e 100644
procmail_domtrans(postfix_local_t)
')
-+optional_policy(`
-+ sendmail_rw_pipes(postfix_local_t)
-+')
-+
-+optional_policy(`
-+ zarafa_domtrans_deliver(postfix_local_t)
-+ zarafa_stream_connect_server(postfix_local_t)
-+')
-+
+@@ -458,15 +378,17 @@ optional_policy(`
+
########################################
#
- # Postfix map local policy
-@@ -329,7 +398,6 @@ kernel_read_kernel_sysctls(postfix_map_t)
+-# Map local policy
++# Postfix map local policy
+ #
+-
+ allow postfix_map_t self:capability { dac_override setgid setuid };
+-allow postfix_map_t self:tcp_socket { accept listen };
++allow postfix_map_t self:unix_stream_socket create_stream_socket_perms;
++allow postfix_map_t self:unix_dgram_socket create_socket_perms;
++allow postfix_map_t self:tcp_socket create_stream_socket_perms;
++allow postfix_map_t self:udp_socket create_socket_perms;
+
+-allow postfix_map_t postfix_etc_t:dir manage_dir_perms;
+-allow postfix_map_t postfix_etc_t:file manage_file_perms;
+-allow postfix_map_t postfix_etc_t:lnk_file manage_lnk_file_perms;
++manage_dirs_pattern(postfix_map_t, postfix_etc_t, postfix_etc_t)
++manage_files_pattern(postfix_map_t, postfix_etc_t, postfix_etc_t)
++manage_lnk_files_pattern(postfix_map_t, postfix_etc_t, postfix_etc_t)
+
+ manage_dirs_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
+ manage_files_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
+@@ -476,14 +398,15 @@ kernel_read_kernel_sysctls(postfix_map_t)
kernel_dontaudit_list_proc(postfix_map_t)
kernel_dontaudit_read_system_state(postfix_map_t)
-corenet_all_recvfrom_unlabeled(postfix_map_t)
corenet_all_recvfrom_netlabel(postfix_map_t)
corenet_tcp_sendrecv_generic_if(postfix_map_t)
- corenet_udp_sendrecv_generic_if(postfix_map_t)
-@@ -348,7 +416,6 @@ corecmd_read_bin_sockets(postfix_map_t)
-
- files_list_home(postfix_map_t)
- files_read_usr_files(postfix_map_t)
--files_read_etc_files(postfix_map_t)
- files_read_etc_runtime_files(postfix_map_t)
- files_dontaudit_search_var(postfix_map_t)
++corenet_udp_sendrecv_generic_if(postfix_map_t)
+ corenet_tcp_sendrecv_generic_node(postfix_map_t)
+-
+-corenet_sendrecv_all_client_packets(postfix_map_t)
+-corenet_tcp_connect_all_ports(postfix_map_t)
++corenet_udp_sendrecv_generic_node(postfix_map_t)
+ corenet_tcp_sendrecv_all_ports(postfix_map_t)
++corenet_udp_sendrecv_all_ports(postfix_map_t)
++corenet_tcp_connect_all_ports(postfix_map_t)
++corenet_sendrecv_all_client_packets(postfix_map_t)
-@@ -356,8 +423,6 @@ auth_use_nsswitch(postfix_map_t)
+ corecmd_list_bin(postfix_map_t)
+ corecmd_read_bin_symlinks(postfix_map_t)
+@@ -500,21 +423,22 @@ auth_use_nsswitch(postfix_map_t)
logging_send_syslog_msg(postfix_map_t)
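Review bot: the map section replaces upstream's `allow postfix_map_t self:tcp_socket { accept listen };` with full `create_stream_socket_perms` / `create_socket_perms` on tcp, udp, unix_stream and unix_dgram sockets, and keeps `corenet_tcp_connect_all_ports(postfix_map_t)` and `corenet_sendrecv_all_client_packets(postfix_map_t)`, so the lookup helper may create any socket class and connect to any TCP port. Nothing in the hunk says which map backend needs the network; a comment naming it, e.g. `# TODO(review): network-backed lookup tables -- narrow to the ports actually used`, and narrowing once known would keep the grant reviewable. The connect-all-ports rule was already in upstream (it is only moved within the hunk), so the net widening is the socket-creation rules; the map section begins before this hunk.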
@@ -49071,193 +52442,292 @@ index a1e0f60..ae56a3e 100644
optional_policy(`
locallogin_dontaudit_use_fds(postfix_map_t)
')
-@@ -379,18 +444,24 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p
- rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
- rw_sock_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
-+allow postfix_pickup_t postfix_spool_t:dir list_dir_perms;
-+read_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
-+delete_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
+ optional_policy(`
++# for postalias
+ mailman_manage_data_files(postfix_map_t)
+ ')
+
+ ########################################
+ #
+-# Pickup local policy
++# Postfix pickup local policy
+ #
+
++allow postfix_pickup_t self:tcp_socket create_socket_perms;
+
- postfix_list_spool(postfix_pickup_t)
+ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t)
+
+ rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
+@@ -524,6 +448,8 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms;
+ read_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
+ delete_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
++postfix_list_spool(postfix_pickup_t)
++
allow postfix_pickup_t postfix_spool_maildrop_t:dir list_dir_perms;
read_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+@@ -533,7 +459,7 @@ mcs_file_write_all(postfix_pickup_t)
-+mcs_file_read_all(postfix_pickup_t)
-+mcs_file_write_all(postfix_pickup_t)
-+
########################################
#
- # Postfix pipe local policy
+-# Pipe local policy
++# Postfix pipe local policy
#
--allow postfix_pipe_t self:fifo_file rw_fifo_file_perms;
allow postfix_pipe_t self:process setrlimit;
+@@ -576,20 +502,28 @@ optional_policy(`
+
+ ########################################
+ #
+-# Postdrop local policy
++# Postfix postdrop local policy
+ #
+
++# usually it does not need a UDP socket
+ allow postfix_postdrop_t self:capability sys_resource;
++allow postfix_postdrop_t self:tcp_socket create;
++allow postfix_postdrop_t self:udp_socket create_socket_perms;
++
++# Might be a leak, but I need a postfix expert to explain
++allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };
+
+ rw_fifo_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t)
- write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
-@@ -401,6 +472,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
++postfix_list_spool(postfix_postdrop_t)
+ manage_files_pattern(postfix_postdrop_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
- domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
+-allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };
+-
+ mcs_file_read_all(postfix_postdrop_t)
+ mcs_file_write_all(postfix_postdrop_t)
-+corecmd_exec_bin(postfix_pipe_t)
++corenet_udp_sendrecv_generic_if(postfix_postdrop_t)
++corenet_udp_sendrecv_generic_node(postfix_postdrop_t)
+
- optional_policy(`
- dovecot_domtrans_deliver(postfix_pipe_t)
+ term_dontaudit_use_all_ptys(postfix_postdrop_t)
+ term_dontaudit_use_all_ttys(postfix_postdrop_t)
+
+@@ -603,10 +537,7 @@ optional_policy(`
+ cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
')
-@@ -420,6 +493,7 @@ optional_policy(`
+-optional_policy(`
+- fail2ban_dontaudit_use_fds(postfix_postdrop_t)
+-')
+-
++# https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=239951
optional_policy(`
- spamassassin_domtrans_client(postfix_pipe_t)
-+ spamassassin_kill_client(postfix_pipe_t)
+ fstools_read_pipes(postfix_postdrop_t)
')
+@@ -621,17 +552,23 @@ optional_policy(`
- optional_policy(`
-@@ -436,11 +510,17 @@ allow postfix_postdrop_t self:capability sys_resource;
- allow postfix_postdrop_t self:tcp_socket create;
- allow postfix_postdrop_t self:udp_socket create_socket_perms;
+ #######################################
+ #
+-# Postqueue local policy
++# Postfix postqueue local policy
+ #
-+# Might be a leak, but I need a postfix expert to explain
-+allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };
++allow postfix_postqueue_t self:tcp_socket create;
++allow postfix_postqueue_t self:udp_socket { create ioctl };
+
- rw_fifo_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t)
-
- postfix_list_spool(postfix_postdrop_t)
- manage_files_pattern(postfix_postdrop_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
++# wants to write to /var/spool/postfix/public/showq
+ stream_connect_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t, postfix_master_t)
-+mcs_file_read_all(postfix_postdrop_t)
-+mcs_file_write_all(postfix_postdrop_t)
-+
- corenet_udp_sendrecv_generic_if(postfix_postdrop_t)
- corenet_udp_sendrecv_generic_node(postfix_postdrop_t)
++# write to /var/spool/postfix/public/qmgr
+ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t)
-@@ -487,8 +567,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t
domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
- # to write the mailq output, it really should not need read access!
-term_use_all_ptys(postfix_postqueue_t)
-term_use_all_ttys(postfix_postqueue_t)
++# to write the mailq output, it really should not need read access!
+term_use_all_inherited_ptys(postfix_postqueue_t)
+term_use_all_inherited_ttys(postfix_postqueue_t)
init_sigchld_script(postfix_postqueue_t)
init_use_script_fds(postfix_postqueue_t)
-@@ -519,7 +599,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
+@@ -647,67 +584,80 @@ optional_policy(`
+
+ ########################################
+ #
+-# Qmgr local policy
++# Postfix qmgr local policy
+ #
+
+-allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
+-allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
+-allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file read_lnk_file_perms;
+-
+ stream_connect_pattern(postfix_qmgr_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
+
+ rw_fifo_files_pattern(postfix_qmgr_t, postfix_public_t, postfix_public_t)
- allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
- allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
--allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file { getattr read };
+-manage_files_pattern(postfix_qmgr_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+-manage_dirs_pattern(postfix_qmgr_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+-allow postfix_qmgr_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
+-
++# for /var/spool/postfix/active
+ manage_dirs_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
+ manage_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
+ manage_lnk_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
+ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
+
++allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
++allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
+allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file read_lnk_file_perms;
+
+manage_files_pattern(postfix_qmgr_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+manage_dirs_pattern(postfix_qmgr_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+allow postfix_qmgr_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
-
++
corecmd_exec_bin(postfix_qmgr_t)
-@@ -539,7 +623,9 @@ postfix_list_spool(postfix_showq_t)
+ ########################################
+ #
+-# Showq local policy
++# Postfix showq local policy
+ #
+
+ allow postfix_showq_t self:capability { setuid setgid };
++allow postfix_showq_t self:tcp_socket create_socket_perms;
+ allow postfix_showq_t postfix_master_t:unix_stream_socket { accept rw_socket_perms };
+
++allow postfix_showq_t postfix_spool_t:file read_file_perms;
++
++postfix_list_spool(postfix_showq_t)
++
allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
--allow postfix_showq_t postfix_spool_maildrop_t:lnk_file { getattr read };
-+allow postfix_showq_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
-+
-+mcs_file_read_all(postfix_showq_t)
+ allow postfix_showq_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
- # to write the mailq output, it really should not need read access!
+-allow postfix_showq_t postfix_spool_t:file read_file_perms;
+-
+ mcs_file_read_all(postfix_showq_t)
+
++# to write the mailq output, it really should not need read access!
term_use_all_ptys(postfix_showq_t)
-@@ -558,6 +644,12 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms;
+ term_use_all_ttys(postfix_showq_t)
+
+ ########################################
+ #
+-# Smtp delivery local policy
++# Postfix smtp delivery local policy
+ #
- allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
++# connect to master process
+ allow postfix_smtp_t self:capability sys_chroot;
+-
+ stream_connect_pattern(postfix_smtp_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
-+rw_files_pattern(postfix_smtp_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+-allow postfix_smtp_t { postfix_prng_t postfix_spool_t }:file rw_file_perms;
++allow postfix_smtp_t postfix_prng_t:file rw_file_perms;
+
++allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
+
+ rw_files_pattern(postfix_smtp_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+
+# for spampd
+corenet_tcp_connect_spamd_port(postfix_master_t)
+corenet_tcp_bind_spamd_port(postfix_master_t)
+
- files_search_all_mountpoints(postfix_smtp_t)
-
++files_search_all_mountpoints(postfix_smtp_t)
++
optional_policy(`
-@@ -565,6 +657,14 @@ optional_policy(`
+ cyrus_stream_connect(postfix_smtp_t)
')
optional_policy(`
+- dovecot_stream_connect(postfix_smtp_t)
+ dovecot_stream_connect(postfix_smtp_t)
-+')
-+
-+optional_policy(`
-+ dspam_stream_connect(postfix_smtp_t)
-+')
-+
-+optional_policy(`
- milter_stream_connect_all(postfix_smtp_t)
')
-@@ -581,17 +681,25 @@ stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t },
- corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t)
+ optional_policy(`
+@@ -720,24 +670,28 @@ optional_policy(`
+
+ ########################################
+ #
+-# Smtpd local policy
++# Postfix smtpd local policy
+ #
+-
+ allow postfix_smtpd_t postfix_master_t:tcp_socket rw_stream_socket_perms;
+
++# connect to master process
+ stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
- # for prng_exch
--allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;
-+manage_dirs_pattern(postfix_smtpd_t, postfix_spool_t, postfix_spool_t)
-+manage_files_pattern(postfix_smtpd_t, postfix_spool_t, postfix_spool_t)
-+manage_lnk_files_pattern(postfix_smtpd_t, postfix_spool_t, postfix_spool_t)
++# Connect to policy server
++corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t)
++
++# for prng_exch
+ manage_dirs_pattern(postfix_smtpd_t, postfix_spool_t, postfix_spool_t)
+ manage_files_pattern(postfix_smtpd_t, postfix_spool_t, postfix_spool_t)
+ manage_lnk_files_pattern(postfix_smtpd_t, postfix_spool_t, postfix_spool_t)
allow postfix_smtpd_t postfix_prng_t:file rw_file_perms;
+-corenet_sendrecv_postfix_policyd_client_packets(postfix_smtpd_t)
+-corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t)
+-corenet_tcp_sendrecv_postfix_policyd_port(postfix_smtpd_t)
+-
corecmd_exec_bin(postfix_smtpd_t)
- # for OpenSSL certificates
- files_read_usr_files(postfix_smtpd_t)
++# for OpenSSL certificates
++files_read_usr_files(postfix_smtpd_t)
+
+# postfix checks the size of all mounted file systems
-+fs_getattr_all_dirs(postfix_smtpd_t)
-+fs_getattr_all_fs(postfix_smtpd_t)
-+
- mta_read_aliases(postfix_smtpd_t)
+ fs_getattr_all_dirs(postfix_smtpd_t)
+ fs_getattr_all_fs(postfix_smtpd_t)
- optional_policy(`
- dovecot_stream_connect_auth(postfix_smtpd_t)
-+ dovecot_stream_connect(postfix_smtpd_t)
- ')
+@@ -754,6 +708,7 @@ optional_policy(`
optional_policy(`
-@@ -599,6 +707,11 @@ optional_policy(`
+ milter_stream_connect_all(postfix_smtpd_t)
++ spamassassin_read_pid_files(postfix_smtpd_t)
')
optional_policy(`
-+ milter_stream_connect_all(postfix_smtpd_t)
-+ spamassassin_read_pid_files(postfix_smtpd_t)
-+')
-+
-+optional_policy(`
- postgrey_stream_connect(postfix_smtpd_t)
+@@ -764,31 +719,102 @@ optional_policy(`
+ sasl_connect(postfix_smtpd_t)
')
-@@ -611,7 +724,6 @@ optional_policy(`
- # Postfix virtual local policy
+-optional_policy(`
+- spamassassin_read_spamd_pid_files(postfix_smtpd_t)
+- spamassassin_stream_connect_spamd(postfix_smtpd_t)
+-')
+-
+ ########################################
+ #
+-# Virtual local policy
++# Postfix virtual local policy
#
--allow postfix_virtual_t self:fifo_file rw_fifo_file_perms;
- allow postfix_virtual_t self:process { setsched setrlimit };
+-allow postfix_virtual_t self:process setrlimit;
++allow postfix_virtual_t self:process { setsched setrlimit };
allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
-@@ -622,7 +734,6 @@ stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t }
- corecmd_exec_shell(postfix_virtual_t)
- corecmd_exec_bin(postfix_virtual_t)
--files_read_etc_files(postfix_virtual_t)
- files_read_usr_files(postfix_virtual_t)
++# connect to master process
+ stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
++corecmd_exec_shell(postfix_virtual_t)
+ corecmd_exec_bin(postfix_virtual_t)
+
++files_read_usr_files(postfix_virtual_t)
++
mta_read_aliases(postfix_virtual_t)
-@@ -630,3 +741,80 @@ mta_delete_spool(postfix_virtual_t)
- # For reading spamassasin
+ mta_delete_spool(postfix_virtual_t)
++# For reading spamassasin
mta_read_config(postfix_virtual_t)
mta_manage_spool(postfix_virtual_t)
-+
-+userdom_manage_user_home_dirs(postfix_virtual_t)
+
+ userdom_manage_user_home_dirs(postfix_virtual_t)
+-userdom_manage_user_home_content_dirs(postfix_virtual_t)
+-userdom_manage_user_home_content_files(postfix_virtual_t)
+userdom_manage_user_home_content(postfix_virtual_t)
-+userdom_home_filetrans_user_home_dir(postfix_virtual_t)
+ userdom_home_filetrans_user_home_dir(postfix_virtual_t)
+-userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, { file dir })
+userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, {file dir })
+
+########################################
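Review bot: `corenet_tcp_connect_spamd_port(postfix_master_t)` and `corenet_tcp_bind_spamd_port(postfix_master_t)` under `# for spampd` are placed in the smtp delivery section but name postfix_master_t, and the bind duplicates the `corenet_tcp_bind_spamd_port(postfix_master_t)` already present in the master section earlier in this file; if the intent is for the smtp client to reach spampd the domain should be postfix_smtp_t, otherwise both lines belong with the master rules. In the postdrop section the new comment `# usually it does not need a UDP socket` is immediately followed by `allow postfix_postdrop_t self:udp_socket create_socket_perms;`, so the comment argues for a dontaudit rather than an allow, or needs rewording to say why the allow is required for a helper that the hunk's term_dontaudit rules suggest runs from user sessions. The smtp section ends beyond this hunk.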
@@ -49308,7 +52778,7 @@ index a1e0f60..ae56a3e 100644
+files_read_usr_files(postfix_domain)
+files_read_usr_symlinks(postfix_domain)
+files_search_spool(postfix_domain)
-+files_getattr_tmp_dirs(postfix_domain)
++files_list_tmp(postfix_domain)
+files_search_all_mountpoints(postfix_domain)
+
+init_dontaudit_use_fds(postfix_domain)
@@ -49332,16 +52802,11 @@ index a1e0f60..ae56a3e 100644
+ udev_read_db(postfix_domain)
+')
diff --git a/postfixpolicyd.if b/postfixpolicyd.if
-index feae93b..b2af729 100644
+index 5de8173..985b877 100644
--- a/postfixpolicyd.if
+++ b/postfixpolicyd.if
-@@ -20,12 +20,14 @@
- interface(`postfixpolicyd_admin',`
- gen_require(`
- type postfix_policyd_t, postfix_policyd_conf_t;
-- type postfix_policyd_var_run_t;
-- type postfix_policyd_initrc_exec_t;
-+ type postfix_policyd_var_run_t, postfix_policyd_initrc_exec_t;
+@@ -23,8 +23,11 @@ interface(`postfixpolicyd_admin',`
+ type postfix_policyd_var_run_t, postfix_policyd_initrc_exec_t;
')
- allow $1 postfix_policyd_t:process { ptrace signal_perms };
@@ -49354,33 +52819,18 @@ index feae93b..b2af729 100644
init_labeled_script_domtrans($1, postfix_policyd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/postfixpolicyd.te b/postfixpolicyd.te
-index 7257526..e69e0d4 100644
+index 70f0533..3eed489 100644
--- a/postfixpolicyd.te
+++ b/postfixpolicyd.te
-@@ -23,19 +23,18 @@ files_pid_file(postfix_policyd_var_run_t)
- # Local Policy
- #
-
--allow postfix_policyd_t self:tcp_socket create_stream_socket_perms;
- allow postfix_policyd_t self:capability { sys_resource sys_chroot setgid setuid };
- allow postfix_policyd_t self:process setrlimit;
--allow postfix_policyd_t self:unix_dgram_socket { connect create write};
-+allow postfix_policyd_t self:tcp_socket create_stream_socket_perms;
-+allow postfix_policyd_t self:unix_dgram_socket create_socket_perms;
-
- allow postfix_policyd_t postfix_policyd_conf_t:dir list_dir_perms;
- allow postfix_policyd_t postfix_policyd_conf_t:file read_file_perms;
--allow postfix_policyd_t postfix_policyd_conf_t:lnk_file { getattr read };
-+allow postfix_policyd_t postfix_policyd_conf_t:lnk_file read_lnk_file_perms;
-
+@@ -34,7 +34,6 @@ allow postfix_policyd_t postfix_policyd_conf_t:lnk_file read_lnk_file_perms;
manage_files_pattern(postfix_policyd_t, postfix_policyd_var_run_t, postfix_policyd_var_run_t)
files_pid_filetrans(postfix_policyd_t, postfix_policyd_var_run_t, file)
-corenet_all_recvfrom_unlabeled(postfix_policyd_t)
corenet_tcp_sendrecv_generic_if(postfix_policyd_t)
corenet_tcp_sendrecv_generic_node(postfix_policyd_t)
- corenet_tcp_sendrecv_all_ports(postfix_policyd_t)
-@@ -48,6 +47,4 @@ files_read_usr_files(postfix_policyd_t)
+ corenet_tcp_bind_generic_node(postfix_policyd_t)
+@@ -52,6 +51,4 @@ files_read_usr_files(postfix_policyd_t)
logging_send_syslog_msg(postfix_policyd_t)
@@ -49388,50 +52838,44 @@ index 7257526..e69e0d4 100644
-
sysnet_dns_name_resolve(postfix_policyd_t)
diff --git a/postgrey.if b/postgrey.if
-index ad15fde..12202e1 100644
+index b9e71b5..a7502cd 100644
--- a/postgrey.if
+++ b/postgrey.if
-@@ -15,9 +15,9 @@ interface(`postgrey_stream_connect',`
+@@ -16,9 +16,9 @@ interface(`postgrey_stream_connect',`
type postgrey_var_run_t, postgrey_t, postgrey_spool_t;
')
-- stream_connect_pattern($1, postgrey_var_run_t, postgrey_var_run_t, postgrey_t)
-- stream_connect_pattern($1, postgrey_spool_t, postgrey_spool_t, postgrey_t)
+ stream_connect_pattern($1, { postgrey_spool_t postgrey_var_run_t }, { postgrey_spool_t postgrey_var_run_t }, postgrey_t)
files_search_pids($1)
-+ files_search_spool($1)
+ files_search_spool($1)
+- stream_connect_pattern($1, { postgrey_spool_t postgrey_var_run_t }, { postgrey_spool_t postgrey_var_run_t }, postgrey_t)
')
########################################
-@@ -35,6 +35,7 @@ interface(`postgrey_search_spool',`
- type postgrey_spool_t;
- ')
-
-+ files_search_spool($1)
- allow $1 postgrey_spool_t:dir search_dir_perms;
- ')
-
-@@ -57,13 +58,15 @@ interface(`postgrey_search_spool',`
+@@ -59,14 +59,17 @@ interface(`postgrey_search_spool',`
#
interface(`postgrey_admin',`
gen_require(`
-- type postgrey_t, postgrey_etc_t;
-+ type postgrey_t, postgrey_etc_t, postgrey_initrc_exec_t;
- type postgrey_var_lib_t, postgrey_var_run_t;
+- type postgrey_t, postgrey_etc_t, postgrey_spool_t;
+- type postgrey_var_lib_t, postgrey_var_run_t;
- type postgrey_initrc_exec_t;
++ type postgrey_t, postgrey_etc_t, postgrey_initrc_exec_t;
++ type postgrey_spool_t, postgrey_var_lib_t, postgrey_var_run_t;
')
- allow $1 postgrey_t:process { ptrace signal_perms };
+ allow $1 postgrey_t:process signal_perms;
ps_process_pattern($1, postgrey_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 postgrey_t:process ptrace;
+ ')
-
++
init_labeled_script_domtrans($1, postgrey_initrc_exec_t)
domain_system_change_exemption($1)
+ role_transition $2 postgrey_initrc_exec_t system_r;
diff --git a/postgrey.te b/postgrey.te
-index db843e2..570cf36 100644
+index 3b11496..8c3efb2 100644
--- a/postgrey.te
+++ b/postgrey.te
@@ -16,7 +16,7 @@ type postgrey_initrc_exec_t;
@@ -49443,8 +52887,8 @@ index db843e2..570cf36 100644
type postgrey_var_lib_t;
files_type(postgrey_var_lib_t)
-@@ -58,7 +58,6 @@ kernel_read_kernel_sysctls(postgrey_t)
- # for perl
+@@ -57,7 +57,6 @@ kernel_read_kernel_sysctls(postgrey_t)
+
corecmd_search_bin(postgrey_t)
-corenet_all_recvfrom_unlabeled(postgrey_t)
@@ -49464,50 +52908,268 @@ index db843e2..570cf36 100644
sysnet_read_config(postgrey_t)
diff --git a/ppp.fc b/ppp.fc
-index 2d82c6d..ff2c96a 100644
+index efcb653..ff2c96a 100644
--- a/ppp.fc
+++ b/ppp.fc
-@@ -11,19 +11,24 @@
- # Fix /etc/ppp {up,down} family scripts (see man pppd)
- /etc/ppp/(auth|ip(v6|x)?)-(up|down) -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
-
+@@ -1,30 +1,45 @@
+-HOME_DIR/\.ppprc -- gen_context(system_u:object_r:ppp_home_t,s0)
++#
++# /etc
++#
++/etc/rc\.d/init\.d/ppp -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
+
+-/etc/rc\.d/init\.d/ppp -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
++/etc/ppp -d gen_context(system_u:object_r:pppd_etc_t,s0)
++/etc/ppp(/.*)? -- gen_context(system_u:object_r:pppd_etc_rw_t,s0)
++/etc/ppp/peers(/.*)? gen_context(system_u:object_r:pppd_etc_rw_t,s0)
++/etc/ppp/.*secrets -- gen_context(system_u:object_r:pppd_secret_t,s0)
++/etc/ppp/resolv\.conf -- gen_context(system_u:object_r:pppd_etc_rw_t,s0)
++# Fix /etc/ppp {up,down} family scripts (see man pppd)
++/etc/ppp/(auth|ip(v6|x)?)-(up|down) -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
+
+-/etc/ppp -d gen_context(system_u:object_r:pppd_etc_t,s0)
+-/etc/ppp(/.*)? -- gen_context(system_u:object_r:pppd_etc_rw_t,s0)
+-/etc/ppp/peers(/.*)? gen_context(system_u:object_r:pppd_etc_rw_t,s0)
+-/etc/ppp/.*secrets -- gen_context(system_u:object_r:pppd_secret_t,s0)
+-/etc/ppp/resolv\.conf -- gen_context(system_u:object_r:pppd_etc_rw_t,s0)
+-/etc/ppp/(auth|ip(v6|x)?)-(up|down) -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
+/usr/lib/systemd/system/ppp.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
-+
- /root/.ppprc -- gen_context(system_u:object_r:pppd_etc_t,s0)
- #
- # /sbin
- #
--/sbin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0)
+-/sbin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0)
+-/sbin/pppoe-server -- gen_context(system_u:object_r:pppd_exec_t,s0)
++/root/.ppprc -- gen_context(system_u:object_r:pppd_etc_t,s0)
+
+-/usr/sbin/ipppd -- gen_context(system_u:object_r:pppd_exec_t,s0)
+-/usr/sbin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0)
+-/usr/sbin/pppd -- gen_context(system_u:object_r:pppd_exec_t,s0)
+-/usr/sbin/pppoe-server -- gen_context(system_u:object_r:pppd_exec_t,s0)
+-/usr/sbin/pptp -- gen_context(system_u:object_r:pptp_exec_t,s0)
++#
++# /sbin
++#
+/sbin/pppoe-server -- gen_context(system_u:object_r:pppd_exec_t,s0)
+/sbin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0)
- #
- # /usr
- #
+-/var/lock/ppp(/.*)? gen_context(system_u:object_r:pppd_lock_t,s0)
+-
+-/var/log/ppp-connect-errors.* -- gen_context(system_u:object_r:pppd_log_t,s0)
+-/var/log/ppp/.* -- gen_context(system_u:object_r:pppd_log_t,s0)
+-/var/log/pptp.* -- gen_context(system_u:object_r:pptp_log_t,s0)
++#
++# /usr
++#
+/usr/sbin/ipppd -- gen_context(system_u:object_r:pppd_exec_t,s0)
+/usr/sbin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0)
- /usr/sbin/pppd -- gen_context(system_u:object_r:pppd_exec_t,s0)
++/usr/sbin/pppd -- gen_context(system_u:object_r:pppd_exec_t,s0)
+/usr/sbin/pppoe-server -- gen_context(system_u:object_r:pppd_exec_t,s0)
- /usr/sbin/pptp -- gen_context(system_u:object_r:pptp_exec_t,s0)
--/usr/sbin/ipppd -- gen_context(system_u:object_r:pppd_exec_t,s0)
-
- #
- # /var
-@@ -34,5 +39,7 @@
- # Fix pptp sockets
- /var/run/pptp(/.*)? gen_context(system_u:object_r:pptp_var_run_t,s0)
++/usr/sbin/pptp -- gen_context(system_u:object_r:pptp_exec_t,s0)
++#
++# /var
++#
+ /var/run/(i)?ppp.*pid[^/]* -- gen_context(system_u:object_r:pppd_var_run_t,s0)
+ /var/run/pppd[0-9]*\.tdb -- gen_context(system_u:object_r:pppd_var_run_t,s0)
+-/var/run/ppp(/.*)? gen_context(system_u:object_r:pppd_var_run_t,s0)
+-/var/run/pptp(/.*)? gen_context(system_u:object_r:pptp_var_run_t,s0)
++/var/run/ppp(/.*)? gen_context(system_u:object_r:pppd_var_run_t,s0)
++# Fix pptp sockets
++/var/run/pptp(/.*)? gen_context(system_u:object_r:pptp_var_run_t,s0)
++
+/var/lock/ppp(/.*)? gen_context(system_u:object_r:pppd_lock_t,s0)
+
- /var/log/ppp-connect-errors.* -- gen_context(system_u:object_r:pppd_log_t,s0)
--/var/log/ppp/.* -- gen_context(system_u:object_r:pppd_log_t,s0)
++/var/log/ppp-connect-errors.* -- gen_context(system_u:object_r:pppd_log_t,s0)
+/var/log/ppp(/.*)? gen_context(system_u:object_r:pppd_log_t,s0)
diff --git a/ppp.if b/ppp.if
-index de4bdb7..a4cad0b 100644
+index cd8b8b9..cb827c0 100644
--- a/ppp.if
+++ b/ppp.if
-@@ -66,7 +66,6 @@ interface(`ppp_sigchld',`
+@@ -1,110 +1,91 @@
+-## <summary>Point to Point Protocol daemon creates links in ppp networks.</summary>
++## <summary>Point to Point Protocol daemon creates links in ppp networks</summary>
+
+-########################################
++#######################################
+ ## <summary>
+-## Role access for ppp.
++## Create, read, write, and delete
++## ppp home files.
+ ## </summary>
+-## <param name="role">
+-## <summary>
+-## Role allowed access.
+-## </summary>
+-## </param>
+ ## <param name="domain">
+-## <summary>
+-## User domain for the role.
+-## </summary>
+-## </param>
+-#
+-interface(`ppp_role',`
+- refpolicywarn(`$0($*) has been deprecated')
+-')
+-
+-########################################
+-## <summary>
+-## Create, read, write, and delete
+-## ppp home files.
+-## </summary>
+-## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
++## <summary>
++## Domain allowed access.
++## </summary>
+ ## </param>
+ #
+ interface(`ppp_manage_home_files',`
+- gen_require(`
+- type ppp_home_t;
+- ')
++ gen_require(`
++ type ppp_home_t;
++ ')
+
+- userdom_search_user_home_dirs($1)
+- allow $1 ppp_home_t:file manage_file_perms;
++ userdom_search_user_home_dirs($1)
++ allow $1 ppp_home_t:file manage_file_perms;
+ ')
+
+-########################################
++#######################################
+ ## <summary>
+-## Read ppp user home content files.
++## Read ppp user home content files.
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
++## <summary>
++## Domain allowed access.
++## </summary>
+ ## </param>
+ #
+ interface(`ppp_read_home_files',`
+- gen_require(`
+- type ppp_home_t;
++ gen_require(`
++ type ppp_home_t;
+
+- ')
++ ')
+
+- userdom_search_user_home_dirs($1)
+- allow $1 ppp_home_t:file read_file_perms;
++ userdom_search_user_home_dirs($1)
++ allow $1 ppp_home_t:file read_file_perms;
+ ')
+
+-########################################
++#######################################
+ ## <summary>
+-## Relabel ppp home files.
++## Relabel ppp home files.
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
++## <summary>
++## Domain allowed access.
++## </summary>
+ ## </param>
+ #
+ interface(`ppp_relabel_home_files',`
+- gen_require(`
+- type ppp_home_t;
+- ')
++ gen_require(`
++ type ppp_home_t;
++ ')
+
+- userdom_search_user_home_dirs($1)
+- allow $1 ppp_home_t:file relabel_file_perms;
++ userdom_search_user_home_dirs($1)
++ allow $1 ppp_home_t:file relabel_file_perms;
+ ')
+
+-########################################
++#######################################
+ ## <summary>
+-## Create objects in user home
+-## directories with the ppp home type.
++## Create objects in user home
++## directories with the ppp home type.
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
++## <summary>
++## Domain allowed access.
++## </summary>
+ ## </param>
+ ## <param name="object_class">
+-## <summary>
+-## Class of the object being created.
+-## </summary>
++## <summary>
++## Class of the object being created.
++## </summary>
+ ## </param>
+ ## <param name="name" optional="true">
+-## <summary>
+-## The name of the object being created.
+-## </summary>
++## <summary>
++## The name of the object being created.
++## </summary>
+ ## </param>
+ #
+ interface(`ppp_home_filetrans_ppp_home',`
+- gen_require(`
+- type ppp_home_t;
+- ')
++ gen_require(`
++ type ppp_home_t;
++ ')
+
+- userdom_user_home_dir_filetrans($1, ppp_home_t, $2, $3)
++ userdom_user_home_dir_filetrans($1, ppp_home_t, $2, $3)
+ ')
+
+ ########################################
+@@ -128,7 +109,7 @@ interface(`ppp_use_fds',`
+ ########################################
+ ## <summary>
+ ## Do not audit attempts to inherit
+-## and use ppp file discriptors.
++## and use PPP file discriptors.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -146,7 +127,7 @@ interface(`ppp_dontaudit_use_fds',`
+
+ ########################################
+ ## <summary>
+-## Send child terminated signals to ppp.
++## Send a SIGCHLD signal to PPP.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -165,7 +146,7 @@ interface(`ppp_sigchld',`
+
+ ########################################
+ ## <summary>
+-## Send kill signals to ppp.
++## Send ppp a kill signal
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -173,7 +154,6 @@ interface(`ppp_sigchld',`
## </summary>
## </param>
#
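Review bot: The ppp.fc entry `/usr/lib/systemd/system/ppp.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)` labels the ppp unit files with the iptables type, while the ppp.te hunk later in this file defines `pppd_unit_file_t` through `systemd_unit_file(pppd_unit_file_t)` and ppp_admin grants `all_service_perms` on `pppd_unit_file_t`. With this label the ppp_admin service rule never matches and whoever holds iptables unit-file rights also controls the ppp units; the line should read `/usr/lib/systemd/system/ppp.* -- gen_context(system_u:object_r:pppd_unit_file_t,s0)`. The ppp.if interfaces reindented in the same hunk change only whitespace and doc text.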
@@ -49515,57 +53177,212 @@ index de4bdb7..a4cad0b 100644
interface(`ppp_kill',`
gen_require(`
type pppd_t;
-@@ -176,11 +175,18 @@ interface(`ppp_run_cond',`
- #
- interface(`ppp_run',`
- gen_require(`
-- attribute_role pppd_roles;
-+ #attribute_role pppd_roles;
-+ type pppd_t;
+@@ -184,7 +164,7 @@ interface(`ppp_kill',`
+
+ ########################################
+ ## <summary>
+-## Send generic signals to ppp.
++## Send a generic signal to PPP.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -202,7 +182,7 @@ interface(`ppp_signal',`
+
+ ########################################
+ ## <summary>
+-## Send null signals to ppp.
++## Send a generic signull to PPP.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -220,7 +200,7 @@ interface(`ppp_signull',`
+
+ ########################################
+ ## <summary>
+-## Execute pppd in the pppd domain.
++## Execute domain in the ppp domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -239,8 +219,7 @@ interface(`ppp_domtrans',`
+
+ ########################################
+ ## <summary>
+-## Conditionally execute pppd on
+-## behalf of a user or staff type.
++## Conditionally execute ppp daemon on behalf of a user or staff type.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -249,7 +228,7 @@ interface(`ppp_domtrans',`
+ ## </param>
+ ## <param name="role">
+ ## <summary>
+-## Role allowed access.
++## The role to allow the ppp domain.
+ ## </summary>
+ ## </param>
+ ## <rolecap/>
+@@ -268,8 +247,7 @@ interface(`ppp_run_cond',`
+
+ ########################################
+ ## <summary>
+-## Unconditionally execute ppp daemon
+-## on behalf of a user or staff type.
++## Unconditionally execute ppp daemon on behalf of a user or staff type.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -278,7 +256,7 @@ interface(`ppp_run_cond',`
+ ## </param>
+ ## <param name="role">
+ ## <summary>
+-## Role allowed access.
++## The role to allow the ppp domain.
+ ## </summary>
+ ## </param>
+ ## <rolecap/>
+@@ -288,13 +266,13 @@ interface(`ppp_run',`
+ attribute_role pppd_roles;
')
- ppp_domtrans($1)
-- roleattribute $2 pppd_roles;
-+ #ppp_domtrans($1)
-+ #roleattribute $2 pppd_roles;
-+
-+ role $2 types pppd_t;
-+
-+ tunable_policy(`pppd_for_user',`
-+ ppp_domtrans($1)
-+ ')
++ ppp_domtrans($1
+ roleattribute $2 pppd_roles;
')
########################################
-@@ -276,7 +282,8 @@ interface(`ppp_read_pid_files',`
- type pppd_var_run_t;
+ ## <summary>
+-## Execute domain in the caller domain.
++## Execute domain in the ppp caller.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -326,13 +304,13 @@ interface(`ppp_read_config',`
+ type pppd_etc_t;
+ ')
+
+- files_search_etc($1)
+ read_files_pattern($1, pppd_etc_t, pppd_etc_t)
++ files_search_etc($1)
+ ')
+
+ ########################################
+ ## <summary>
+-## Read ppp writable configuration content.
++## Read PPP-writable configuration files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -345,15 +323,14 @@ interface(`ppp_read_rw_config',`
+ type pppd_etc_t, pppd_etc_rw_t;
+ ')
+
+- files_search_etc($1)
+- allow $1 { pppd_etc_t pppd_etc_rw_t }:dir list_dir_perms;
++ allow $1 pppd_etc_t:dir list_dir_perms;
+ allow $1 pppd_etc_rw_t:file read_file_perms;
+- allow $1 { pppd_etc_t pppd_etc_rw_t }:lnk_file read_lnk_file_perms;
++ files_search_etc($1)
+ ')
+
+ ########################################
+ ## <summary>
+-## Read ppp secret files.
++## Read PPP secrets.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -366,15 +343,14 @@ interface(`ppp_read_secrets',`
+ type pppd_etc_t, pppd_secret_t;
+ ')
+
+- files_search_etc($1)
+ allow $1 pppd_etc_t:dir list_dir_perms;
+ allow $1 pppd_secret_t:file read_file_perms;
+- allow $1 pppd_etc_t:lnk_file read_lnk_file_perms;
++ files_search_etc($1)
+ ')
+
+ ########################################
+ ## <summary>
+-## Read ppp pid files.
++## Read PPP pid files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -388,13 +364,12 @@ interface(`ppp_read_pid_files',`
')
+ files_search_pids($1)
- allow $1 pppd_var_run_t:file read_file_perms;
-+ files_search_pids($1)
+ read_files_pattern($1, pppd_var_run_t, pppd_var_run_t)
')
########################################
-@@ -294,6 +301,7 @@ interface(`ppp_manage_pid_files',`
+ ## <summary>
+-## Create, read, write, and delete
+-## ppp pid files.
++## Create, read, write, and delete PPP pid files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -413,37 +388,25 @@ interface(`ppp_manage_pid_files',`
+
+ ########################################
+ ## <summary>
+-## Create specified pppd pid objects
+-## with a type transition.
++## Create, read, write, and delete PPP pid files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <param name="object_class">
+-## <summary>
+-## Class of the object being created.
+-## </summary>
+-## </param>
+-## <param name="name" optional="true">
+-## <summary>
+-## The name of the object being created.
+-## </summary>
+-## </param>
+ #
+ interface(`ppp_pid_filetrans',`
+ gen_require(`
type pppd_var_run_t;
')
-+ files_search_pids($1)
- allow $1 pppd_var_run_t:file manage_file_perms;
+- files_pid_filetrans($1, pppd_var_run_t, $2, $3)
++ files_pid_filetrans($1, pppd_var_run_t, file)
')
-@@ -335,6 +343,29 @@ interface(`ppp_initrc_domtrans',`
+ ########################################
+ ## <summary>
+-## Execute pppd init script in
+-## the initrc domain.
++## Execute ppp server in the ntpd domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -461,31 +424,62 @@ interface(`ppp_initrc_domtrans',`
########################################
## <summary>
+-## All of the rules required to
+-## administrate an ppp environment.
+## Execute pppd server in the pppd domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
+## Domain allowed to transition.
-+## </summary>
-+## </param>
+ ## </summary>
+ ## </param>
+-## <param name="role">
+#
+interface(`ppp_systemctl',`
+ gen_require(`
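Review bot: The line added to ppp_run reads `ppp_domtrans($1` with no closing parenthesis; if the patch file really carries this (rather than the listing truncating it), m4 absorbs the following `roleattribute $2 pppd_roles;` into the macro argument and the module no longer builds. It should be `ppp_domtrans($1)`. Two summaries in the same hunk are copy-paste errors as well: ppp_initrc_domtrans is now documented as `Execute ppp server in the ntpd domain.` and ppp_pid_filetrans as `Create, read, write, and delete PPP pid files.`, which duplicates ppp_manage_pid_files; suggested `Execute the pppd init script in the initrc domain.` and `Create pppd pid files with a type transition.`. The ppp_systemctl interface that starts at the end of this hunk continues in the next one.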
@@ -49582,11 +53399,13 @@ index de4bdb7..a4cad0b 100644
+
+########################################
+## <summary>
- ## All of the rules required to administrate
- ## an ppp environment
- ## </summary>
-@@ -343,20 +374,31 @@ interface(`ppp_initrc_domtrans',`
- ## Domain allowed access.
++## All of the rules required to administrate
++## an ppp environment
++## </summary>
++## <param name="domain">
+ ## <summary>
+-## Role allowed access.
++## Domain allowed access.
## </summary>
## </param>
+## <param name="role">
@@ -49599,120 +53418,173 @@ index de4bdb7..a4cad0b 100644
interface(`ppp_admin',`
gen_require(`
type pppd_t, pppd_tmp_t, pppd_log_t, pppd_lock_t;
-- type pppd_etc_t, pppd_secret_t;
-- type pppd_etc_rw_t, pppd_var_run_t;
--
+- type pppd_etc_t, pppd_secret_t, pppd_etc_rw_t;
+- type pppd_var_run_t, pppd_initrc_exec_t;
+ type pppd_etc_t, pppd_secret_t, pppd_var_run_t;
type pptp_t, pptp_log_t, pptp_var_run_t;
-- type pppd_initrc_exec_t;
+ type pppd_initrc_exec_t, pppd_etc_rw_t;
+ type pppd_unit_file_t;
- ')
-
-- allow $1 pppd_t:process { ptrace signal_perms getattr };
++ ')
++
+ allow $1 pppd_t:process signal_perms;
- ps_process_pattern($1, pppd_t)
++ ps_process_pattern($1, pppd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 pppd_t:process ptrace;
+ allow $1 pptp_t:process ptrace;
-+ ')
-+
+ ')
+
+- allow $1 { pptp_t pppd_t }:process { ptrace signal_perms };
+- ps_process_pattern($1, { pptp_t pppd_t })
+ allow $1 pptp_t:process signal_perms;
+ ps_process_pattern($1, pptp_t)
ppp_initrc_domtrans($1)
domain_system_change_exemption($1)
-@@ -369,6 +411,7 @@ interface(`ppp_admin',`
+@@ -496,14 +490,26 @@ interface(`ppp_admin',`
+ admin_pattern($1, pppd_tmp_t)
+
logging_list_logs($1)
- admin_pattern($1, pppd_log_t)
+- admin_pattern($1, { pptp_log_t pppd_log_t })
++ admin_pattern($1, pppd_log_t)
-+ files_list_locks($1)
+ files_list_locks($1)
admin_pattern($1, pppd_lock_t)
files_list_etc($1)
-@@ -381,10 +424,11 @@ interface(`ppp_admin',`
- files_list_pids($1)
- admin_pattern($1, pppd_var_run_t)
-
-- allow $1 pptp_t:process { ptrace signal_perms getattr };
-- ps_process_pattern($1, pptp_t)
--
- admin_pattern($1, pptp_log_t)
+- admin_pattern($1, { pppd_etc_rw_t pppd_secret_t pppd_etc_t })
++ admin_pattern($1, pppd_etc_t)
++
++ admin_pattern($1, pppd_etc_rw_t)
++
++ admin_pattern($1, pppd_secret_t)
- admin_pattern($1, pptp_var_run_t)
+ files_list_pids($1)
+- admin_pattern($1, { pptp_var_run_t pppd_var_run_t })
++ admin_pattern($1, pppd_var_run_t)
++
++ admin_pattern($1, pptp_log_t)
++
++ admin_pattern($1, pptp_var_run_t)
+
+ ppp_systemctl($1)
+ admin_pattern($1, pppd_unit_file_t)
+ allow $1 pppd_unit_file_t:service all_service_perms;
')
diff --git a/ppp.te b/ppp.te
-index bcbf9ac..5a550bb 100644
+index b2b5dba..2a04cb0 100644
--- a/ppp.te
+++ b/ppp.te
-@@ -19,14 +19,15 @@ gen_tunable(pppd_can_insmod, false)
+@@ -1,4 +1,4 @@
+-policy_module(ppp, 1.13.5)
++policy_module(ppp, 1.13.0)
+
+ ########################################
+ #
+@@ -6,41 +6,47 @@ policy_module(ppp, 1.13.5)
+ #
+
+ ## <desc>
+-## <p>
+-## Determine whether pppd can
+-## load kernel modules.
+-## </p>
++## <p>
++## Allow pppd to load kernel modules for certain modems
++## </p>
+ ## </desc>
+ gen_tunable(pppd_can_insmod, false)
+
+ ## <desc>
+-## <p>
+-## Determine whether common users can
+-## run pppd with a domain transition.
+-## </p>
++## <p>
++## Allow pppd to be run for a regular user
++## </p>
## </desc>
gen_tunable(pppd_for_user, false)
--attribute_role pppd_roles;
-+#attribute_role pppd_roles;
+ attribute_role pppd_roles;
+-attribute_role pptp_roles;
- # pppd_t is the domain for the pppd program.
- # pppd_exec_t is the type of the pppd executable.
++# pppd_t is the domain for the pppd program.
++# pppd_exec_t is the type of the pppd executable.
type pppd_t;
type pppd_exec_t;
init_daemon_domain(pppd_t, pppd_exec_t)
--role pppd_roles types pppd_t;
-+#role pppd_roles types pppd_t;
+ role pppd_roles types pppd_t;
+role system_r types pppd_t;
type pppd_devpts_t;
term_pty(pppd_devpts_t)
-@@ -42,6 +43,9 @@ files_type(pppd_etc_rw_t)
+
++# Define a separate type for /etc/ppp
+ type pppd_etc_t;
+ files_config_file(pppd_etc_t)
+
++# Define a separate type for writable files under /etc/ppp
+ type pppd_etc_rw_t;
+ files_type(pppd_etc_rw_t)
+
type pppd_initrc_exec_t alias pppd_script_exec_t;
init_script_file(pppd_initrc_exec_t)
+type pppd_unit_file_t;
+systemd_unit_file(pppd_unit_file_t)
+
- # pppd_secret_t is the type of the pap and chap password files
++# pppd_secret_t is the type of the pap and chap password files
type pppd_secret_t;
files_type(pppd_secret_t)
-@@ -61,7 +65,8 @@ files_pid_file(pppd_var_run_t)
+
+@@ -59,7 +65,8 @@ files_pid_file(pppd_var_run_t)
type pptp_t;
type pptp_exec_t;
init_daemon_domain(pptp_t, pptp_exec_t)
--role pppd_roles types pptp_t;
+-role pptp_roles types pptp_t;
+#role pppd_roles types pptp_t;
+role system_r types pptp_t;
type pptp_log_t;
logging_log_file(pptp_log_t)
-@@ -74,9 +79,9 @@ files_pid_file(pptp_var_run_t)
- # PPPD Local policy
+@@ -67,12 +74,9 @@ logging_log_file(pptp_log_t)
+ type pptp_var_run_t;
+ files_pid_file(pptp_var_run_t)
+
+-type ppp_home_t;
+-userdom_user_home_content(ppp_home_t)
+-
+ ########################################
+ #
+-# PPPD local policy
++# PPPD Local policy
#
--allow pppd_t self:capability { kill net_admin setuid setgid fsetid fowner net_raw dac_override };
-+allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_override sys_nice };
- dontaudit pppd_t self:capability sys_tty_config;
--allow pppd_t self:process { getsched signal };
-+allow pppd_t self:process { getsched setsched signal };
+ allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_override sys_nice };
+@@ -80,41 +84,47 @@ dontaudit pppd_t self:capability sys_tty_config;
+ allow pppd_t self:process { getsched setsched signal };
allow pppd_t self:fifo_file rw_fifo_file_perms;
allow pppd_t self:socket create_socket_perms;
- allow pppd_t self:unix_dgram_socket create_socket_perms;
-@@ -88,28 +93,29 @@ allow pppd_t self:packet_socket create_socket_perms;
-
- domtrans_pattern(pppd_t, pptp_exec_t, pptp_t)
+-allow pppd_t self:netlink_route_socket nlmsg_write;
+-allow pppd_t self:tcp_socket { accept listen };
++allow pppd_t self:unix_dgram_socket create_socket_perms;
++allow pppd_t self:unix_stream_socket create_socket_perms;
++allow pppd_t self:netlink_route_socket rw_netlink_socket_perms;
++allow pppd_t self:tcp_socket create_stream_socket_perms;
++allow pppd_t self:udp_socket { connect connected_socket_perms };
+ allow pppd_t self:packet_socket create_socket_perms;
--allow pppd_t pppd_devpts_t:chr_file { rw_chr_file_perms setattr };
-+allow pppd_t pppd_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
++domtrans_pattern(pppd_t, pptp_exec_t, pptp_t)
++
+ allow pppd_t pppd_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
allow pppd_t pppd_etc_t:dir rw_dir_perms;
- allow pppd_t pppd_etc_t:file read_file_perms;
--allow pppd_t pppd_etc_t:lnk_file { getattr read };
-+allow pppd_t pppd_etc_t:lnk_file read_lnk_file_perms;
+-allow pppd_t { pppd_etc_t ppp_home_t }:file read_file_perms;
++allow pppd_t pppd_etc_t:file read_file_perms;
+ allow pppd_t pppd_etc_t:lnk_file read_lnk_file_perms;
manage_files_pattern(pppd_t, pppd_etc_rw_t, pppd_etc_rw_t)
- # Automatically label newly created files under /etc/ppp with this type
++# Automatically label newly created files under /etc/ppp with this type
filetrans_pattern(pppd_t, pppd_etc_t, pppd_etc_rw_t, file)
-allow pppd_t pppd_lock_t:file manage_file_perms;
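Review bot: `policy_module(ppp, 1.13.0)` lowers the module version below upstream's `1.13.5` even though this hunk adds content upstream lacks (`pppd_unit_file_t`, `role system_r types pppd_t`, the deny_ptrace block in ppp_admin); a version that moves backwards makes `semodule -l` useless for telling which variant is loaded and breaks the convention of bumping on divergence, so keep `policy_module(ppp, 1.13.5)` or higher. The patch also retains dead policy as comments, `#role pppd_roles types pptp_t;` here and `#auth_run_chk_passwd(pppd_t,pppd_roles)` in the later pppd_t hunk; delete them rather than leaving rules a reader may assume are still in effect. The pppd_t local policy section continues past the end of this hunk.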
@@ -49720,22 +53592,39 @@ index bcbf9ac..5a550bb 100644
+manage_files_pattern(pppd_t, pppd_lock_t, pppd_lock_t)
+files_search_locks(pppd_t)
--allow pppd_t pppd_log_t:file manage_file_perms;
+-allow pppd_t pppd_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+manage_files_pattern(pppd_t, pppd_log_t, pppd_log_t)
logging_log_filetrans(pppd_t, pppd_log_t, file)
manage_dirs_pattern(pppd_t, pppd_tmp_t, pppd_tmp_t)
manage_files_pattern(pppd_t, pppd_tmp_t, pppd_tmp_t)
- files_tmp_filetrans(pppd_t, pppd_tmp_t, { file dir })
+-files_tmp_filetrans(pppd_t, pppd_tmp_t, { dir file})
++files_tmp_filetrans(pppd_t, pppd_tmp_t, { file dir })
-+manage_dirs_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t)
+ manage_dirs_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t)
manage_files_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t)
--files_pid_filetrans(pppd_t, pppd_var_run_t, file)
-+files_pid_filetrans(pppd_t, pppd_var_run_t, { dir file })
+ files_pid_filetrans(pppd_t, pppd_var_run_t, { dir file })
+-can_exec(pppd_t, pppd_exec_t)
+-
+-domtrans_pattern(pppd_t, pptp_exec_t, pptp_t)
+-
allow pppd_t pptp_t:process signal;
-@@ -130,7 +136,6 @@ dev_search_sysfs(pppd_t)
++# for SSP
++# Access secret files
+ allow pppd_t pppd_secret_t:file read_file_perms;
+
++ppp_initrc_domtrans(pppd_t)
++
+ kernel_read_kernel_sysctls(pppd_t)
+ kernel_read_system_state(pppd_t)
+ kernel_rw_net_sysctls(pppd_t)
+@@ -122,10 +132,10 @@ kernel_read_network_state(pppd_t)
+ kernel_request_load_module(pppd_t)
+
+ dev_read_urand(pppd_t)
++dev_search_sysfs(pppd_t)
dev_read_sysfs(pppd_t)
dev_rw_modem(pppd_t)
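Review bot: The new comment `# for SSP` is placed above `allow pppd_t pppd_secret_t:file read_file_perms;`, which is the pap/chap secrets read and has nothing to do with stack protection; the rule it presumably explains is `dev_read_urand(pppd_t)` further down in the hunk, where refpolicy normally puts that remark. Keep `# Access secret files` on the allow rule and move `# for SSP` directly above the urandom line so the next reader does not conclude the secrets are read for canary seeding. The pppd_t block continues outside this hunk.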
@@ -49743,36 +53632,56 @@ index bcbf9ac..5a550bb 100644
corenet_all_recvfrom_netlabel(pppd_t)
corenet_tcp_sendrecv_generic_if(pppd_t)
corenet_raw_sendrecv_generic_if(pppd_t)
-@@ -147,10 +152,12 @@ fs_getattr_all_fs(pppd_t)
- fs_search_auto_mountpoints(pppd_t)
+@@ -135,9 +145,21 @@ corenet_raw_sendrecv_generic_node(pppd_t)
+ corenet_udp_sendrecv_generic_node(pppd_t)
+ corenet_tcp_sendrecv_all_ports(pppd_t)
+ corenet_udp_sendrecv_all_ports(pppd_t)
+-
++# Access /dev/ppp.
+ corenet_rw_ppp_dev(pppd_t)
- term_use_unallocated_ttys(pppd_t)
++fs_getattr_all_fs(pppd_t)
++fs_search_auto_mountpoints(pppd_t)
++
++term_use_unallocated_ttys(pppd_t)
+term_use_usb_ttys(pppd_t)
- term_setattr_unallocated_ttys(pppd_t)
- term_ioctl_generic_ptys(pppd_t)
- # for pppoe
- term_create_pty(pppd_t, pppd_devpts_t)
++term_setattr_unallocated_ttys(pppd_t)
++term_ioctl_generic_ptys(pppd_t)
++# for pppoe
++term_create_pty(pppd_t, pppd_devpts_t)
+term_use_generic_ptys(pppd_t)
-
- # allow running ip-up and ip-down scripts and running chat.
++
++# allow running ip-up and ip-down scripts and running chat.
corecmd_exec_bin(pppd_t)
-@@ -161,43 +168,54 @@ domain_use_interactive_fds(pppd_t)
+ corecmd_exec_shell(pppd_t)
+
+@@ -146,37 +168,32 @@ domain_use_interactive_fds(pppd_t)
files_exec_etc_files(pppd_t)
files_manage_etc_runtime_files(pppd_t)
files_dontaudit_write_etc_files(pppd_t)
+files_read_usr_files(pppd_t)
- # for scripts
--files_read_etc_files(pppd_t)
+-fs_getattr_all_fs(pppd_t)
+-fs_search_auto_mountpoints(pppd_t)
++# for scripts
+-term_use_unallocated_ttys(pppd_t)
+-term_setattr_unallocated_ttys(pppd_t)
+-term_ioctl_generic_ptys(pppd_t)
+-term_create_pty(pppd_t, pppd_devpts_t)
+-term_use_generic_ptys(pppd_t)
+-
+-init_labeled_script_domtrans(pppd_t, pppd_initrc_exec_t)
init_read_utmp(pppd_t)
+-init_signal_script(pppd_t)
init_dontaudit_write_utmp(pppd_t)
- init_signal_script(pppd_t)
++init_signal_script(pppd_t)
+-auth_run_chk_passwd(pppd_t, pppd_roles)
auth_use_nsswitch(pppd_t)
+auth_domtrans_chk_passwd(pppd_t)
+#auth_run_chk_passwd(pppd_t,pppd_roles)
-+auth_write_login_records(pppd_t)
+ auth_write_login_records(pppd_t)
logging_send_syslog_msg(pppd_t)
logging_send_audit_msgs(pppd_t)
@@ -49788,20 +53697,12 @@ index bcbf9ac..5a550bb 100644
userdom_dontaudit_use_unpriv_user_fds(pppd_t)
userdom_search_user_home_dirs(pppd_t)
+userdom_search_admin_dir(pppd_t)
-
- ppp_exec(pppd_t)
++
++ppp_exec(pppd_t)
optional_policy(`
-- ddclient_run(pppd_t, pppd_roles)
-+ #ddclient_run(pppd_t, pppd_roles)
-+ ddclient_domtrans(pppd_t)
-+')
-+
-+optional_policy(`
-+ l2tpd_dgram_send(pppd_t)
-+ l2tpd_rw_socket(pppd_t)
-+ l2tpd_stream_connect(pppd_t)
- ')
+ ddclient_run(pppd_t, pppd_roles)
+@@ -190,7 +207,7 @@ optional_policy(`
optional_policy(`
tunable_policy(`pppd_can_insmod',`
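Review bot: The optional block granting `l2tpd_dgram_send(pppd_t)`, `l2tpd_rw_socket(pppd_t)` and `l2tpd_stream_connect(pppd_t)` is removed from the patch together with the `ddclient_domtrans` variant, and nothing on the new side of this hunk re-adds it. If upstream ppp.te at this merge point does not already contain those l2tpd rules, pppd loses its socket access to l2tpd and L2TP-driven sessions will start failing with denials; please confirm against the upstream file or keep the block. The surrounding optional_policy region extends beyond the hunk on both sides.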
@@ -49810,33 +53711,60 @@ index bcbf9ac..5a550bb 100644
')
')
- optional_policy(`
- mta_send_mail(pppd_t)
-+ mta_system_content(pppd_etc_t)
-+ mta_system_content(pppd_etc_rw_t)
- ')
+@@ -218,16 +235,19 @@ optional_policy(`
- optional_policy(`
-@@ -247,21 +265,24 @@ allow pptp_t pppd_log_t:file append_file_perms;
- allow pptp_t pptp_log_t:file manage_file_perms;
+ ########################################
+ #
+-# PPTP local policy
++# PPTP Local policy
+ #
+
+ allow pptp_t self:capability { dac_override dac_read_search net_raw net_admin };
+ dontaudit pptp_t self:capability sys_tty_config;
+ allow pptp_t self:process signal;
+ allow pptp_t self:fifo_file rw_fifo_file_perms;
+-allow pptp_t self:unix_stream_socket { accept connectto listen };
++allow pptp_t self:unix_dgram_socket create_socket_perms;
++allow pptp_t self:unix_stream_socket { connectto create_stream_socket_perms };
+ allow pptp_t self:rawip_socket create_socket_perms;
+-allow pptp_t self:netlink_route_socket nlmsg_write;
++allow pptp_t self:tcp_socket create_socket_perms;
++allow pptp_t self:udp_socket create_socket_perms;
++allow pptp_t self:netlink_route_socket rw_netlink_socket_perms;
+
+ allow pptp_t pppd_etc_t:dir list_dir_perms;
+ allow pptp_t pppd_etc_t:file read_file_perms;
+@@ -236,45 +256,44 @@ allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms;
+ allow pptp_t pppd_etc_rw_t:dir list_dir_perms;
+ allow pptp_t pppd_etc_rw_t:file read_file_perms;
+ allow pptp_t pppd_etc_rw_t:lnk_file read_lnk_file_perms;
++can_exec(pptp_t, pppd_etc_rw_t)
+
++# Allow pptp to append to pppd log files
+ allow pptp_t pppd_log_t:file append_file_perms;
+
+-allow pptp_t pptp_log_t:file { append_file_perms create_file_perms setattr_file_perms };
++allow pptp_t pptp_log_t:file manage_file_perms;
logging_log_filetrans(pptp_t, pptp_log_t, file)
+manage_dirs_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t)
manage_files_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t)
manage_sock_files_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t)
-files_pid_filetrans(pptp_t, pptp_var_run_t, file)
+-
+-can_exec(pptp_t, pppd_etc_rw_t)
+files_pid_filetrans(pptp_t, pptp_var_run_t, { file dir })
- kernel_list_proc(pptp_t)
++kernel_list_proc(pptp_t)
+kernel_signal(pptp_t)
kernel_read_kernel_sysctls(pptp_t)
-+kernel_read_network_state(pptp_t)
- kernel_read_proc_symlinks(pptp_t)
+ kernel_read_network_state(pptp_t)
++kernel_read_proc_symlinks(pptp_t)
kernel_read_system_state(pptp_t)
-+kernel_signal(pptp_t)
-
- dev_read_sysfs(pptp_t)
+ kernel_signal(pptp_t)
++dev_read_sysfs(pptp_t)
++
corecmd_exec_shell(pptp_t)
corecmd_read_bin_symlinks(pptp_t)
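Review bot: `can_exec(pptp_t, pppd_etc_rw_t)` is only relocated here, but it now sits among the plain read rules with no explanation, and an earlier hunk grants `manage_files_pattern(pppd_t, pppd_etc_rw_t, pppd_etc_rw_t)`, so every file pppd writes under /etc/ppp becomes executable by pptp. A short comment stating what pptp actually has to execute, e.g. `# pptp executes content under /etc/ppp labeled pppd_etc_rw_t -- confirm which files need this`, would let a later reviewer decide whether the exec right can be narrowed instead of carrying it forward blindly. The pptp_t section continues in the following hunks.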
@@ -49844,17 +53772,33 @@ index bcbf9ac..5a550bb 100644
corenet_all_recvfrom_netlabel(pptp_t)
corenet_tcp_sendrecv_generic_if(pptp_t)
corenet_raw_sendrecv_generic_if(pptp_t)
-@@ -272,8 +293,7 @@ corenet_tcp_bind_generic_node(pptp_t)
+ corenet_tcp_sendrecv_generic_node(pptp_t)
+ corenet_raw_sendrecv_generic_node(pptp_t)
+ corenet_tcp_sendrecv_all_ports(pptp_t)
+-
+-corenet_tcp_connect_all_reserved_ports(pptp_t)
++corenet_tcp_bind_generic_node(pptp_t)
corenet_tcp_connect_generic_port(pptp_t)
- corenet_tcp_connect_all_reserved_ports(pptp_t)
++corenet_tcp_connect_all_reserved_ports(pptp_t)
corenet_sendrecv_generic_client_packets(pptp_t)
-
--files_read_etc_files(pptp_t)
-+corenet_tcp_connect_pptp_port(pptp_t)
+-corenet_sendrecv_pptp_client_packets(pptp_t)
+ corenet_tcp_connect_pptp_port(pptp_t)
+-dev_read_sysfs(pptp_t)
+-
+-domain_use_interactive_fds(pptp_t)
+-
fs_getattr_all_fs(pptp_t)
fs_search_auto_mountpoints(pptp_t)
-@@ -288,8 +308,6 @@ auth_use_nsswitch(pptp_t)
+
+@@ -282,12 +301,12 @@ term_ioctl_generic_ptys(pptp_t)
+ term_search_ptys(pptp_t)
+ term_use_ptmx(pptp_t)
+
++domain_use_interactive_fds(pptp_t)
++
+ auth_use_nsswitch(pptp_t)
logging_send_syslog_msg(pptp_t)
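Review bot: The new side keeps `corenet_tcp_connect_pptp_port(pptp_t)` but drops `corenet_sendrecv_pptp_client_packets(pptp_t)`, which, as far as refpolicy's convention goes, is the companion rule that permits the pptp-labeled packets when SECMARK labeling is in use. On such a system pptp could still connect to the port yet have its traffic on it denied; the remaining `corenet_sendrecv_generic_client_packets(pptp_t)` covers only generic packet labels. Unless the removal is deliberate, keep `corenet_sendrecv_pptp_client_packets(pptp_t)` next to the connect rule.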
@@ -49864,23 +53808,146 @@ index bcbf9ac..5a550bb 100644
userdom_dontaudit_use_unpriv_user_fds(pptp_t)
diff --git a/prelink.fc b/prelink.fc
-index ec0e76a..62af9a4 100644
+index a90d623..62af9a4 100644
--- a/prelink.fc
+++ b/prelink.fc
-@@ -4,7 +4,7 @@
+@@ -1,11 +1,11 @@
+ /etc/cron\.daily/prelink -- gen_context(system_u:object_r:prelink_cron_system_exec_t,s0)
+
+-/etc/prelink\.cache -- gen_context(system_u:object_r:prelink_cache_t,s0)
++/etc/prelink\.cache -- gen_context(system_u:object_r:prelink_cache_t,s0)
/usr/sbin/prelink(\.bin)? -- gen_context(system_u:object_r:prelink_exec_t,s0)
--/var/log/prelink\.log -- gen_context(system_u:object_r:prelink_log_t,s0)
+-/var/log/prelink\.log.* -- gen_context(system_u:object_r:prelink_log_t,s0)
+-/var/log/prelink(/.*)? gen_context(system_u:object_r:prelink_log_t,s0)
+/var/log/prelink\.log.* -- gen_context(system_u:object_r:prelink_log_t,s0)
- /var/log/prelink(/.*)? gen_context(system_u:object_r:prelink_log_t,s0)
++/var/log/prelink(/.*)? gen_context(system_u:object_r:prelink_log_t,s0)
- /var/lib/misc/prelink.* -- gen_context(system_u:object_r:prelink_var_lib_t,s0)
+-/var/lib/misc/prelink.* -- gen_context(system_u:object_r:prelink_var_lib_t,s0)
+-/var/lib/prelink(/.*)? gen_context(system_u:object_r:prelink_var_lib_t,s0)
++/var/lib/misc/prelink.* -- gen_context(system_u:object_r:prelink_var_lib_t,s0)
++/var/lib/prelink(/.*)? gen_context(system_u:object_r:prelink_var_lib_t,s0)
diff --git a/prelink.if b/prelink.if
-index 93ec175..e6605c1 100644
+index 20d4697..e6605c1 100644
--- a/prelink.if
+++ b/prelink.if
-@@ -202,3 +202,21 @@ interface(`prelink_relabel_lib',`
+@@ -2,7 +2,7 @@
+
+ ########################################
+ ## <summary>
+-## Execute prelink in the prelink domain.
++## Execute the prelink program in the prelink domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -18,15 +18,15 @@ interface(`prelink_domtrans',`
+ corecmd_search_bin($1)
+ domtrans_pattern($1, prelink_exec_t, prelink_t)
+
+- ifdef(`hide_broken_symptoms',`
++ ifdef(`hide_broken_symptoms', `
+ dontaudit prelink_t $1:socket_class_set { read write };
+- dontaudit prelink_t $1:fifo_file setattr_fifo_file_perms;
++ dontaudit prelink_t $1:fifo_file setattr;
+ ')
+ ')
+
+ ########################################
+ ## <summary>
+-## Execute prelink in the caller domain.
++## Execute the prelink program in the current domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -45,9 +45,7 @@ interface(`prelink_exec',`
+
+ ########################################
+ ## <summary>
+-## Execute prelink in the prelink
+-## domain, and allow the specified role
+-## the prelink domain.
++## Execute the prelink program in the prelink domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -56,18 +54,18 @@ interface(`prelink_exec',`
+ ## </param>
+ ## <param name="role">
+ ## <summary>
+-## Role allowed access.
++## The role to allow the prelink domain.
+ ## </summary>
+ ## </param>
+ ## <rolecap/>
+ #
+ interface(`prelink_run',`
+ gen_require(`
+- attribute_role prelink_roles;
++ type prelink_t;
+ ')
+
+ prelink_domtrans($1)
+- roleattribute $2 prelink_roles;
++ role $2 types prelink_t;
+ ')
+
+ ########################################
+@@ -80,6 +78,7 @@ interface(`prelink_run',`
+ ## </summary>
+ ## </param>
+ #
++# cjp: added for misc non-entrypoint objects
+ interface(`prelink_object_file',`
+ gen_require(`
+ attribute prelink_object;
+@@ -90,7 +89,7 @@ interface(`prelink_object_file',`
+
+ ########################################
+ ## <summary>
+-## Read prelink cache files.
++## Read the prelink cache.
+ ## </summary>
+ ## <param name="file_type">
+ ## <summary>
+@@ -109,7 +108,7 @@ interface(`prelink_read_cache',`
+
+ ########################################
+ ## <summary>
+-## Delete prelink cache files.
++## Delete the prelink cache.
+ ## </summary>
+ ## <param name="file_type">
+ ## <summary>
+@@ -122,8 +121,8 @@ interface(`prelink_delete_cache',`
+ type prelink_cache_t;
+ ')
+
++ allow $1 prelink_cache_t:file unlink;
+ files_rw_etc_dirs($1)
+- allow $1 prelink_cache_t:file delete_file_perms;
+ ')
+
+ ########################################
+@@ -168,7 +167,7 @@ interface(`prelink_manage_lib',`
+
+ ########################################
+ ## <summary>
+-## Relabel from prelink lib files.
++## Relabel from files in the /boot directory.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -187,7 +186,7 @@ interface(`prelink_relabelfrom_lib',`
+
+ ########################################
+ ## <summary>
+-## Relabel prelink lib files.
++## Relabel from files in the /boot directory.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -203,3 +202,21 @@ interface(`prelink_relabel_lib',`
files_search_var_lib($1)
relabel_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)
')
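Review bot: The interface summaries installed at L74878 and L74887 both read `## Relabel from files in the /boot directory.`, which describes neither interface: the visible body at L74892–L74893 searches /var/lib and relabels `prelink_var_lib_t`, and `relabel_files_pattern` grants both relabelfrom and relabelto, so the second interface is not "relabel from" at all. The upstream wording this hunk deletes was accurate; keep `## Relabel from prelink lib files.` for `prelink_relabelfrom_lib` and `## Relabel prelink lib files.` for `prelink_relabel_lib`. Both interface definitions start before their respective inner hunks, so only the summary lines are visible here.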
@@ -49903,118 +53970,194 @@ index 93ec175..e6605c1 100644
+ files_etc_filetrans($1, prelink_cache_t, file, "prelink.cache")
+')
diff --git a/prelink.te b/prelink.te
-index af55369..9f1d1b5 100644
+index c0f047a..9f1d1b5 100644
--- a/prelink.te
+++ b/prelink.te
-@@ -18,6 +18,7 @@ type prelink_cron_system_t;
- type prelink_cron_system_exec_t;
- domain_type(prelink_cron_system_t)
- domain_entry_file(prelink_cron_system_t, prelink_cron_system_exec_t)
-+domain_obj_id_change_exemption(prelink_cron_system_t)
-
- type prelink_log_t;
- logging_log_file(prelink_log_t)
-@@ -36,7 +37,7 @@ files_type(prelink_var_lib_t)
- # Local policy
+@@ -1,4 +1,4 @@
+-policy_module(prelink, 1.10.2)
++policy_module(prelink, 1.10.0)
+
+ ########################################
#
+@@ -6,13 +6,10 @@ policy_module(prelink, 1.10.2)
+
+ attribute prelink_object;
--allow prelink_t self:capability { chown dac_override fowner fsetid sys_resource };
-+allow prelink_t self:capability { chown dac_override fowner fsetid setfcap sys_resource };
- allow prelink_t self:process { execheap execmem execstack signal };
- allow prelink_t self:fifo_file rw_fifo_file_perms;
+-attribute_role prelink_roles;
+-
+ type prelink_t;
+ type prelink_exec_t;
+ init_system_domain(prelink_t, prelink_exec_t)
+ domain_obj_id_change_exemption(prelink_t)
+-role prelink_roles types prelink_t;
+
+ type prelink_cache_t;
+ files_type(prelink_cache_t)
+@@ -47,24 +44,27 @@ allow prelink_t self:fifo_file rw_fifo_file_perms;
+ allow prelink_t prelink_cache_t:file manage_file_perms;
+ files_etc_filetrans(prelink_t, prelink_cache_t, file)
+
+-allow prelink_t prelink_log_t:dir setattr_dir_perms;
++allow prelink_t prelink_log_t:dir setattr;
+ create_files_pattern(prelink_t, prelink_log_t, prelink_log_t)
+ append_files_pattern(prelink_t, prelink_log_t, prelink_log_t)
+ read_lnk_files_pattern(prelink_t, prelink_log_t, prelink_log_t)
+ logging_log_filetrans(prelink_t, prelink_log_t, file)
+
+-allow prelink_t prelink_tmp_t:file { manage_file_perms mmap_file_perms relabel_file_perms execmod };
++allow prelink_t prelink_tmp_t:file { manage_file_perms execute relabelfrom execmod };
+ files_tmp_filetrans(prelink_t, prelink_tmp_t, file)
-@@ -59,10 +60,11 @@ manage_dirs_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
+-allow prelink_t prelink_tmpfs_t:file { manage_file_perms mmap_file_perms relabel_file_perms execmod };
++allow prelink_t prelink_tmpfs_t:file { manage_file_perms execute relabelfrom execmod };
+ fs_tmpfs_filetrans(prelink_t, prelink_tmpfs_t, file)
+
+ manage_dirs_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
manage_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
relabel_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
files_var_lib_filetrans(prelink_t, prelink_var_lib_t, { dir file })
+files_search_var_lib(prelink_t)
- # prelink misc objects that are not system
- # libraries or entrypoints
--allow prelink_t prelink_object:file { manage_file_perms execute relabelto relabelfrom };
+-allow prelink_t prelink_object:file { manage_file_perms mmap_file_perms relabel_file_perms };
++# prelink misc objects that are not system
++# libraries or entrypoints
+allow prelink_t prelink_object:file { manage_file_perms execute relabel_file_perms };
kernel_read_system_state(prelink_t)
kernel_read_kernel_sysctls(prelink_t)
-@@ -73,6 +75,7 @@ corecmd_mmap_all_executables(prelink_t)
+@@ -75,25 +75,24 @@ corecmd_mmap_all_executables(prelink_t)
corecmd_read_bin_symlinks(prelink_t)
dev_read_urand(prelink_t)
+dev_getattr_all_chr_files(prelink_t)
+-files_getattr_all_files(prelink_t)
files_list_all(prelink_t)
- files_getattr_all_files(prelink_t)
-@@ -86,6 +89,8 @@ files_relabelfrom_usr_files(prelink_t)
-
- fs_getattr_xattr_fs(prelink_t)
-
-+storage_getattr_fixed_disk_dev(prelink_t)
+-files_manage_usr_files(prelink_t)
+-files_manage_var_files(prelink_t)
++files_getattr_all_files(prelink_t)
++files_write_non_security_dirs(prelink_t)
+ files_read_etc_files(prelink_t)
+ files_read_etc_runtime_files(prelink_t)
+-files_relabelfrom_usr_files(prelink_t)
+-files_search_var_lib(prelink_t)
+-files_write_non_security_dirs(prelink_t)
+ files_dontaudit_read_all_symlinks(prelink_t)
++files_manage_usr_files(prelink_t)
++files_manage_var_files(prelink_t)
++files_relabelfrom_usr_files(prelink_t)
+
+-fs_getattr_all_fs(prelink_t)
+-fs_search_auto_mountpoints(prelink_t)
+-
+-selinux_get_enforce_mode(prelink_t)
++fs_getattr_xattr_fs(prelink_t)
+
+ storage_getattr_fixed_disk_dev(prelink_t)
+
++selinux_get_enforce_mode(prelink_t)
+
- selinux_get_enforce_mode(prelink_t)
-
libs_exec_ld_so(prelink_t)
-@@ -96,9 +101,16 @@ libs_manage_shared_libs(prelink_t)
+ libs_legacy_use_shared_libs(prelink_t)
+ libs_manage_ld_so(prelink_t)
+@@ -102,32 +101,16 @@ libs_manage_shared_libs(prelink_t)
libs_relabel_shared_libs(prelink_t)
libs_delete_lib_symlinks(prelink_t)
-miscfiles_read_localization(prelink_t)
-userdom_use_user_terminals(prelink_t)
+-userdom_manage_user_home_content_files(prelink_t)
+-# pending
+-# userdom_relabel_user_home_content_files(prelink_t)
+-# userdom_execmod_user_home_content_files(prelink_t)
+userdom_use_inherited_user_terminals(prelink_t)
+userdom_manage_user_home_content(prelink_t)
+userdom_relabel_user_home_files(prelink_t)
+userdom_execmod_user_home_files(prelink_t)
-+userdom_exec_user_home_content_files(prelink_t)
-+
+ userdom_exec_user_home_content_files(prelink_t)
+
+-ifdef(`hide_broken_symptoms',`
+- miscfiles_read_man_pages(prelink_t)
+-
+- optional_policy(`
+- dbus_read_config(prelink_t)
+- ')
+-')
+-
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_exec_nfs_files(prelink_t)
+- fs_manage_nfs_files(prelink_t)
+-')
+systemd_read_unit_files(prelink_t)
-+
+
+-tunable_policy(`use_samba_home_dirs',`
+- fs_exec_cifs_files(prelink_t)
+- fs_manage_cifs_files(prelink_t)
+-')
+term_use_all_inherited_terms(prelink_t)
optional_policy(`
amanda_manage_lib(prelink_t)
-@@ -109,6 +121,15 @@ optional_policy(`
+@@ -138,11 +121,12 @@ optional_policy(`
')
optional_policy(`
+ gnome_dontaudit_read_config(prelink_t)
-+ gnome_dontaudit_read_inherited_gconf_config_files(prelink_t)
-+')
-+
-+optional_policy(`
+ gnome_dontaudit_read_inherited_gconf_config_files(prelink_t)
+ ')
+
+ optional_policy(`
+- mozilla_manage_plugin_rw_files(prelink_t)
+ mozilla_plugin_manage_rw_files(prelink_t)
-+')
-+
-+optional_policy(`
- rpm_manage_tmp_files(prelink_t)
')
-@@ -129,6 +150,7 @@ optional_policy(`
+ optional_policy(`
+@@ -155,17 +139,18 @@ optional_policy(`
+
+ ########################################
+ #
+-# Cron system local policy
++# Prelink Cron system Policy
+ #
+
+ optional_policy(`
+ allow prelink_cron_system_t self:capability setuid;
+ allow prelink_cron_system_t self:process { setsched setfscreate signal };
+ allow prelink_cron_system_t self:fifo_file rw_fifo_file_perms;
+- allow prelink_cron_system_t self:unix_dgram_socket create_socket_perms;
++ allow prelink_cron_system_t self:unix_dgram_socket { write bind create setopt };
read_files_pattern(prelink_cron_system_t, prelink_cache_t, prelink_cache_t)
- allow prelink_cron_system_t prelink_cache_t:file unlink;
+- allow prelink_cron_system_t prelink_cache_t:file delete_file_perms;
++ allow prelink_cron_system_t prelink_cache_t:file unlink;
+ files_delete_etc_dir_entry(prelink_cron_system_t)
domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t)
allow prelink_cron_system_t prelink_t:process noatsecure;
-@@ -144,21 +166,38 @@ optional_policy(`
- corecmd_exec_bin(prelink_cron_system_t)
- corecmd_exec_shell(prelink_cron_system_t)
+@@ -174,7 +159,7 @@ optional_policy(`
-+ dev_list_sysfs(prelink_cron_system_t)
-+ dev_read_sysfs(prelink_cron_system_t)
-+
- files_dontaudit_search_all_mountpoints(prelink_cron_system_t)
- files_read_etc_files(prelink_cron_system_t)
- files_search_var_lib(prelink_cron_system_t)
+ manage_files_pattern(prelink_cron_system_t, prelink_var_lib_t, prelink_var_lib_t)
+ files_var_lib_filetrans(prelink_cron_system_t, prelink_var_lib_t, file)
+- allow prelink_cron_system_t prelink_var_lib_t:file relabel_file_perms;
++ allow prelink_cron_system_t prelink_var_lib_t:file { relabelfrom relabelto };
-+ fs_search_cgroup_dirs(prelink_cron_system_t)
-+
-+ auth_use_nsswitch(prelink_cron_system_t)
+ kernel_read_system_state(prelink_cron_system_t)
+
+@@ -184,8 +169,11 @@ optional_policy(`
+ dev_list_sysfs(prelink_cron_system_t)
+ dev_read_sysfs(prelink_cron_system_t)
+
+- files_rw_etc_dirs(prelink_cron_system_t)
+ files_dontaudit_search_all_mountpoints(prelink_cron_system_t)
++ files_read_etc_files(prelink_cron_system_t)
++ files_search_var_lib(prelink_cron_system_t)
+
-+ init_telinit(prelink_cron_system_t)
- init_exec(prelink_cron_system_t)
++ fs_search_cgroup_dirs(prelink_cron_system_t)
+
+ auth_use_nsswitch(prelink_cron_system_t)
- libs_exec_ld_so(prelink_cron_system_t)
+@@ -196,11 +184,20 @@ optional_policy(`
logging_search_logs(prelink_cron_system_t)
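Review bot: The new side lowers the module version from `policy_module(prelink, 1.10.2)` to `policy_module(prelink, 1.10.0)` (L74914–L74915) while also changing the module's rules, so the merged module reports an older version than the upstream base it patches; that looks like a stale line carried along in the rebase rather than an intended downgrade. Keep `policy_module(prelink, 1.10.2)` (or bump it) so a later semodule upgrade does not read as a regression. The prelink_t rules also narrow `prelink_tmp_t`/`prelink_tmpfs_t` from `relabel_file_perms` to `relabelfrom` (L74948, L74952), presumably because prelink only relabels its temporary copies away from the tmp type; a one-line comment stating that, e.g. `# temp copies are only relabeled away from the tmp type; no relabelto needed`, would keep the next merge from silently reverting it. The optional_policy block for prelink_cron_system_t continues past the end of the hunk.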
@@ -50036,78 +54179,169 @@ index af55369..9f1d1b5 100644
+ dbus_read_config(prelink_t)
+ ')
+')
-diff --git a/prelude.fc b/prelude.fc
-index 3bd847a..a52b025 100644
---- a/prelude.fc
-+++ b/prelude.fc
-@@ -5,6 +5,7 @@
-
- /sbin/audisp-prelude -- gen_context(system_u:object_r:prelude_audisp_exec_t,s0)
-
-+/usr/sbin/audisp-prelude -- gen_context(system_u:object_r:prelude_audisp_exec_t,s0)
- /usr/bin/prelude-correlator -- gen_context(system_u:object_r:prelude_correlator_exec_t, s0)
- /usr/bin/prelude-lml -- gen_context(system_u:object_r:prelude_lml_exec_t,s0)
- /usr/bin/prelude-manager -- gen_context(system_u:object_r:prelude_exec_t,s0)
diff --git a/prelude.if b/prelude.if
-index 2316653..f41a4f7 100644
+index c83a838..f41a4f7 100644
--- a/prelude.if
+++ b/prelude.if
-@@ -112,22 +112,24 @@ interface(`prelude_manage_spool',`
+@@ -1,13 +1,13 @@
+-## <summary>Prelude hybrid intrusion detection system.</summary>
++## <summary>Prelude hybrid intrusion detection system</summary>
+
+ ########################################
+ ## <summary>
+ ## Execute a domain transition to run prelude.
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
++## <summary>
+ ## Domain allowed to transition.
+-## </summary>
++## </summary>
+ ## </param>
+ #
+ interface(`prelude_domtrans',`
+@@ -15,19 +15,17 @@ interface(`prelude_domtrans',`
+ type prelude_t, prelude_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+ domtrans_pattern($1, prelude_exec_t, prelude_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Execute a domain transition to
+-## run prelude audisp.
++## Execute a domain transition to run prelude_audisp.
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
++## <summary>
+ ## Domain allowed to transition.
+-## </summary>
++## </summary>
+ ## </param>
+ #
+ interface(`prelude_domtrans_audisp',`
+@@ -35,18 +33,17 @@ interface(`prelude_domtrans_audisp',`
+ type prelude_audisp_t, prelude_audisp_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+ domtrans_pattern($1, prelude_audisp_exec_t, prelude_audisp_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Send generic signals to prelude audisp.
++## Signal the prelude_audisp domain.
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
++## <summary>
++## Domain allowed acccess.
++## </summary>
+ ## </param>
+ #
+ interface(`prelude_signal_audisp',`
+@@ -59,7 +56,7 @@ interface(`prelude_signal_audisp',`
+
+ ########################################
+ ## <summary>
+-## Read prelude spool files.
++## Read the prelude spool files
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -78,13 +75,12 @@ interface(`prelude_read_spool',`
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete
+-## prelude manager spool files.
++## Manage to prelude-manager spool files.
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
++## <summary>
+ ## Domain allowed access.
+-## </summary>
++## </summary>
+ ## </param>
+ #
+ interface(`prelude_manage_spool',`
+@@ -99,8 +95,8 @@ interface(`prelude_manage_spool',`
+
+ ########################################
+ ## <summary>
+-## All of the rules required to
+-## administrate an prelude environment.
++## All of the rules required to administrate
++## an prelude environment
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -116,32 +112,42 @@ interface(`prelude_manage_spool',`
#
interface(`prelude_admin',`
gen_require(`
-- type prelude_t, prelude_spool_t;
-- type prelude_var_run_t, prelude_var_lib_t;
+- type prelude_t, prelude_spool_t, prelude_lml_var_run_t;
+- type prelude_var_run_t, prelude_var_lib_t, prelude_log_t;
- type prelude_audisp_t, prelude_audisp_var_run_t;
-- type prelude_initrc_exec_t;
--
-- type prelude_lml_t, prelude_lml_tmp_t;
-- type prelude_lml_var_run_t;
+- type prelude_initrc_exec_t, prelude_lml_t, prelude_lml_tmp_t;
+ type prelude_t, prelude_spool_t, prelude_initrc_exec_t;
+ type prelude_var_run_t, prelude_var_lib_t, prelude_lml_var_run_t;
+ type prelude_audisp_t, prelude_audisp_var_run_t, prelude_lml_tmp_t;
+ type prelude_lml_t;
')
-- allow $1 prelude_t:process { ptrace signal_perms };
+- allow $1 { prelude_t prelude_audisp_t prelude_lml_t prelude_correlator_t }:process { ptrace signal_perms };
+- ps_process_pattern($1, { prelude_t prelude_audisp_t prelude_lml_t prelude_correlator_t })
+ allow $1 prelude_t:process signal_perms;
- ps_process_pattern($1, prelude_t)
++ ps_process_pattern($1, prelude_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 prelude_t:process ptrace;
+ allow $1 prelude_audisp_t:process ptrace;
+ allow $1 prelude_lml_t:process ptrace;
+ ')
-
-- allow $1 prelude_audisp_t:process { ptrace signal_perms };
++
+ allow $1 prelude_audisp_t:process signal_perms;
- ps_process_pattern($1, prelude_audisp_t)
-
-- allow $1 prelude_lml_t:process { ptrace signal_perms };
++ ps_process_pattern($1, prelude_audisp_t)
++
+ allow $1 prelude_lml_t:process signal_perms;
- ps_process_pattern($1, prelude_lml_t)
++ ps_process_pattern($1, prelude_lml_t)
init_labeled_script_domtrans($1, prelude_initrc_exec_t)
-@@ -135,10 +137,17 @@ interface(`prelude_admin',`
+ domain_system_change_exemption($1)
role_transition $2 prelude_initrc_exec_t system_r;
allow $2 system_r;
+- files_search_spool($1)
+ files_list_spool($1)
admin_pattern($1, prelude_spool_t)
-+
+
+- logging_search_logs($1)
+- admin_pattern($1, prelude_log_t)
+-
+- files_search_var_lib($1)
+ files_list_var_lib($1)
admin_pattern($1, prelude_var_lib_t)
-+
+
+- files_search_pids($1)
+- admin_pattern($1, { prelude_audisp_var_run_t prelude_var_run_t prelude_lml_var_run_t })
+ files_list_pids($1)
- admin_pattern($1, prelude_var_run_t)
- admin_pattern($1, prelude_audisp_var_run_t)
-- admin_pattern($1, prelude_lml_tmp_t)
- admin_pattern($1, prelude_lml_var_run_t)
-+
++ admin_pattern($1, prelude_var_run_t)
++ admin_pattern($1, prelude_audisp_var_run_t)
++ admin_pattern($1, prelude_lml_var_run_t)
+
+- files_search_tmp($1)
+ files_list_tmp($1)
-+ admin_pattern($1, prelude_lml_tmp_t)
+ admin_pattern($1, prelude_lml_tmp_t)
')
diff --git a/prelude.te b/prelude.te
-index b1bc02c..a06f448 100644
+index db864df..6cff94f 100644
--- a/prelude.te
+++ b/prelude.te
@@ -13,7 +13,7 @@ type prelude_initrc_exec_t;
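Review bot: The merged `prelude_admin` (L75254–L75328) no longer covers `prelude_correlator_t` or `prelude_log_t`: the upstream lines removed at L75272–L75273 gave the admin role signal/ptrace/ps access to prelude_correlator_t and L75304–L75305 added `admin_pattern($1, prelude_log_t)`, but the new side lists only prelude_t, prelude_audisp_t and prelude_lml_t and its `gen_require` omits both types. prelude_correlator_t is a live domain in this policy (its rules appear in the prelude.te hunks later on this page), so an administrator granted prelude_admin will be unable to signal it or manage the prelude logs after this merge; the require block and the signal/ptrace/log lines below restore that coverage. Separately, `## Domain allowed acccess.` at L75210 is a typo for `access`.
```selinux
interface(`prelude_admin',`
	gen_require(`
		# … unchanged: existing prelude_* type requires …
		type prelude_lml_t, prelude_correlator_t, prelude_log_t;
	')

	# … unchanged: prelude_t / prelude_audisp_t / prelude_lml_t signal_perms and ps_process_pattern …
	allow $1 prelude_correlator_t:process signal_perms;
	ps_process_pattern($1, prelude_correlator_t)
	tunable_policy(`deny_ptrace',`',`
		allow $1 prelude_t:process ptrace;
		allow $1 prelude_audisp_t:process ptrace;
		allow $1 prelude_lml_t:process ptrace;
		allow $1 prelude_correlator_t:process ptrace;
	')

	# … unchanged: init script domtrans, role transition, spool / var_lib / pids / tmp admin_pattern …
	logging_search_logs($1)
	admin_pattern($1, prelude_log_t)
')
```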
@@ -50119,7 +54353,7 @@ index b1bc02c..a06f448 100644
type prelude_log_t;
logging_log_file(prelude_log_t)
-@@ -82,7 +82,6 @@ kernel_read_sysctl(prelude_t)
+@@ -81,7 +81,6 @@ kernel_read_sysctl(prelude_t)
corecmd_search_bin(prelude_t)
@@ -50127,24 +54361,16 @@ index b1bc02c..a06f448 100644
corenet_all_recvfrom_netlabel(prelude_t)
corenet_tcp_sendrecv_generic_if(prelude_t)
corenet_tcp_sendrecv_generic_node(prelude_t)
-@@ -95,7 +94,6 @@ corenet_tcp_connect_mysqld_port(prelude_t)
- dev_read_rand(prelude_t)
- dev_read_urand(prelude_t)
-
--files_read_etc_files(prelude_t)
- files_read_etc_runtime_files(prelude_t)
- files_read_usr_files(prelude_t)
- files_search_tmp(prelude_t)
-@@ -107,8 +105,6 @@ auth_use_nsswitch(prelude_t)
+@@ -108,8 +107,6 @@ auth_use_nsswitch(prelude_t)
logging_send_audit_msgs(prelude_t)
logging_send_syslog_msg(prelude_t)
-miscfiles_read_localization(prelude_t)
-
optional_policy(`
- mysql_search_db(prelude_t)
mysql_stream_connect(prelude_t)
-@@ -143,7 +139,6 @@ kernel_read_system_state(prelude_audisp_t)
+ mysql_tcp_connect(prelude_t)
+@@ -141,7 +138,6 @@ kernel_read_system_state(prelude_audisp_t)
corecmd_search_bin(prelude_audisp_t)
@@ -50152,12 +54378,13 @@ index b1bc02c..a06f448 100644
corenet_all_recvfrom_netlabel(prelude_audisp_t)
corenet_tcp_sendrecv_generic_if(prelude_audisp_t)
corenet_tcp_sendrecv_generic_node(prelude_audisp_t)
-@@ -156,14 +151,11 @@ dev_read_urand(prelude_audisp_t)
- # Init script handling
+@@ -155,15 +151,12 @@ dev_read_urand(prelude_audisp_t)
+
domain_use_interactive_fds(prelude_audisp_t)
-files_read_etc_files(prelude_audisp_t)
files_read_etc_runtime_files(prelude_audisp_t)
+ files_search_spool(prelude_audisp_t)
files_search_tmp(prelude_audisp_t)
logging_send_syslog_msg(prelude_audisp_t)
@@ -50167,7 +54394,7 @@ index b1bc02c..a06f448 100644
sysnet_dns_name_resolve(prelude_audisp_t)
########################################
-@@ -183,7 +175,6 @@ kernel_read_sysctl(prelude_correlator_t)
+@@ -184,7 +177,6 @@ kernel_read_sysctl(prelude_correlator_t)
corecmd_search_bin(prelude_correlator_t)
@@ -50175,7 +54402,7 @@ index b1bc02c..a06f448 100644
corenet_all_recvfrom_netlabel(prelude_correlator_t)
corenet_tcp_sendrecv_generic_if(prelude_correlator_t)
corenet_tcp_sendrecv_generic_node(prelude_correlator_t)
-@@ -192,14 +183,11 @@ corenet_tcp_connect_prelude_port(prelude_correlator_t)
+@@ -196,14 +188,11 @@ corenet_tcp_sendrecv_prelude_port(prelude_correlator_t)
dev_read_rand(prelude_correlator_t)
dev_read_urand(prelude_correlator_t)
@@ -50189,57 +54416,27 @@ index b1bc02c..a06f448 100644
-
sysnet_dns_name_resolve(prelude_correlator_t)
- prelude_manage_spool(prelude_correlator_t)
-@@ -210,8 +198,8 @@ prelude_manage_spool(prelude_correlator_t)
+ ########################################
+@@ -212,6 +201,8 @@ sysnet_dns_name_resolve(prelude_correlator_t)
#
allow prelude_lml_t self:capability dac_override;
--allow prelude_lml_t self:tcp_socket { write getattr setopt read create connect };
--allow prelude_lml_t self:unix_dgram_socket { write create connect };
+allow prelude_lml_t self:tcp_socket { setopt create_socket_perms };
+allow prelude_lml_t self:unix_dgram_socket create_socket_perms;
allow prelude_lml_t self:fifo_file rw_fifo_file_perms;
allow prelude_lml_t self:unix_stream_socket connectto;
-@@ -236,10 +224,10 @@ kernel_read_sysctl(prelude_lml_t)
-
- corecmd_exec_bin(prelude_lml_t)
-
-+corenet_all_recvfrom_netlabel(prelude_lml_t)
- corenet_tcp_sendrecv_generic_if(prelude_lml_t)
- corenet_tcp_sendrecv_generic_node(prelude_lml_t)
- corenet_tcp_recvfrom_netlabel(prelude_lml_t)
--corenet_tcp_recvfrom_unlabeled(prelude_lml_t)
- corenet_sendrecv_unlabeled_packets(prelude_lml_t)
- corenet_tcp_connect_prelude_port(prelude_lml_t)
-
-@@ -247,7 +235,6 @@ dev_read_rand(prelude_lml_t)
- dev_read_urand(prelude_lml_t)
-
- files_list_etc(prelude_lml_t)
--files_read_etc_files(prelude_lml_t)
- files_read_etc_runtime_files(prelude_lml_t)
-
- fs_getattr_all_fs(prelude_lml_t)
-@@ -262,8 +249,6 @@ libs_read_lib_files(prelude_lml_t)
+@@ -262,8 +253,6 @@ libs_read_lib_files(prelude_lml_t)
logging_send_syslog_msg(prelude_lml_t)
logging_read_generic_logs(prelude_lml_t)
-miscfiles_read_localization(prelude_lml_t)
-
- sysnet_dns_name_resolve(prelude_lml_t)
-
userdom_read_all_users_state(prelude_lml_t)
-@@ -283,7 +268,6 @@ optional_policy(`
-
- can_exec(httpd_prewikka_script_t, httpd_prewikka_script_exec_t)
-- files_read_etc_files(httpd_prewikka_script_t)
- files_search_tmp(httpd_prewikka_script_t)
-
- kernel_read_sysctl(httpd_prewikka_script_t)
+ optional_policy(`
diff --git a/privoxy.if b/privoxy.if
-index afd1751..5aff531 100644
+index bdcee30..34f3143 100644
--- a/privoxy.if
+++ b/privoxy.if
@@ -23,8 +23,11 @@ interface(`privoxy_admin',`
@@ -50256,37 +54453,18 @@ index afd1751..5aff531 100644
init_labeled_script_domtrans($1, privoxy_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/privoxy.te b/privoxy.te
-index 2dbf4d4..daa7c93 100644
+index 85b1c9a..072d425 100644
--- a/privoxy.te
+++ b/privoxy.te
-@@ -46,10 +46,10 @@ logging_log_filetrans(privoxy_t, privoxy_log_t, file)
- manage_files_pattern(privoxy_t, privoxy_var_run_t, privoxy_var_run_t)
- files_pid_filetrans(privoxy_t, privoxy_var_run_t, file)
-
--kernel_read_system_state(privoxy_t)
- kernel_read_kernel_sysctls(privoxy_t)
-+kernel_read_network_state(privoxy_t)
-+kernel_read_system_state(privoxy_t)
-
--corenet_all_recvfrom_unlabeled(privoxy_t)
- corenet_all_recvfrom_netlabel(privoxy_t)
- corenet_tcp_sendrecv_generic_if(privoxy_t)
- corenet_tcp_sendrecv_generic_node(privoxy_t)
-@@ -62,6 +62,7 @@ corenet_tcp_connect_squid_port(privoxy_t)
- corenet_tcp_connect_ftp_port(privoxy_t)
- corenet_tcp_connect_pgpkeyserver_port(privoxy_t)
+@@ -85,6 +85,7 @@ corenet_sendrecv_tor_client_packets(privoxy_t)
corenet_tcp_connect_tor_port(privoxy_t)
-+corenet_tcp_connect_tor_socks_port(privoxy_t)
- corenet_sendrecv_http_cache_client_packets(privoxy_t)
- corenet_sendrecv_squid_client_packets(privoxy_t)
- corenet_sendrecv_http_cache_server_packets(privoxy_t)
-@@ -76,18 +77,15 @@ fs_search_auto_mountpoints(privoxy_t)
+ corenet_tcp_sendrecv_tor_port(privoxy_t)
- domain_use_interactive_fds(privoxy_t)
-
--files_read_etc_files(privoxy_t)
++
+ dev_read_sysfs(privoxy_t)
- auth_use_nsswitch(privoxy_t)
+ domain_use_interactive_fds(privoxy_t)
+@@ -96,8 +97,6 @@ auth_use_nsswitch(privoxy_t)
logging_send_syslog_msg(privoxy_t)
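Review bot: The new side of the patch no longer adds `corenet_tcp_connect_tor_socks_port(privoxy_t)` (the inner hunk dropped at L75460–L75481 carried it at L75478), and the upstream context that takes its place (L75476–L75483) shows only the tor port, not the tor SOCKS port; unless upstream now grants the SOCKS port elsewhere, a privoxy configured to forward through tor's SOCKS listener will be denied the connect after this merge, with the `privoxy_connect_any` tunable masking it only where that boolean is enabled. If the drop was not deliberate, re-add `corenet_tcp_connect_tor_socks_port(privoxy_t)` next to `corenet_tcp_connect_tor_port(privoxy_t)`. The privoxy_t rule block continues outside the hunk.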
@@ -50294,153 +54472,347 @@ index 2dbf4d4..daa7c93 100644
-
userdom_dontaudit_use_unpriv_user_fds(privoxy_t)
userdom_dontaudit_search_user_home_dirs(privoxy_t)
- # cjp: this should really not be needed
--userdom_use_user_terminals(privoxy_t)
-+userdom_use_inherited_user_terminals(privoxy_t)
- tunable_policy(`privoxy_connect_any',`
- corenet_tcp_connect_all_ports(privoxy_t)
diff --git a/procmail.fc b/procmail.fc
-index 1343621..4b36a13 100644
+index bdff6c9..4b36a13 100644
--- a/procmail.fc
+++ b/procmail.fc
-@@ -1,3 +1,5 @@
+@@ -1,6 +1,7 @@
+-HOME_DIR/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t,s0)
+HOME_DIR/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t, s0)
+/root/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t, s0)
/usr/bin/procmail -- gen_context(system_u:object_r:procmail_exec_t,s0)
+-/var/log/procmail\.log.* -- gen_context(system_u:object_r:procmail_log_t,s0)
+-/var/log/procmail(/.*)? gen_context(system_u:object_r:procmail_log_t,s0)
++/var/log/procmail\.log.* -- gen_context(system_u:object_r:procmail_log_t,s0)
++/var/log/procmail(/.*)? gen_context(system_u:object_r:procmail_log_t,s0)
diff --git a/procmail.if b/procmail.if
-index b64b02f..166e9c3 100644
+index 00edeab..166e9c3 100644
--- a/procmail.if
+++ b/procmail.if
-@@ -77,3 +77,22 @@ interface(`procmail_rw_tmp_files',`
+@@ -1,4 +1,4 @@
+-## <summary>Procmail mail delivery agent.</summary>
++## <summary>Procmail mail delivery agent</summary>
+
+ ########################################
+ ## <summary>
+@@ -15,6 +15,7 @@ interface(`procmail_domtrans',`
+ type procmail_exec_t, procmail_t;
+ ')
+
++ files_search_usr($1)
+ corecmd_search_bin($1)
+ domtrans_pattern($1, procmail_exec_t, procmail_t)
+ ')
+@@ -34,101 +35,33 @@ interface(`procmail_exec',`
+ type procmail_exec_t;
+ ')
+
++ files_search_usr($1)
+ corecmd_search_bin($1)
+ can_exec($1, procmail_exec_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete
+-## procmail home files.
+-## </summary>
+-## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+-## </param>
+-#
+-interface(`procmail_manage_home_files',`
+- gen_require(`
+- type procmail_home_t;
+- ')
+-
+- userdom_search_user_home_dirs($1)
+- allow $1 procmail_home_t:file manage_file_perms;
+-')
+-
+-########################################
+-## <summary>
+-## Read procmail user home content files.
+-## </summary>
+-## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+-## </param>
+-#
+-interface(`procmail_read_home_files',`
+- gen_require(`
+- type procmail_home_t;
+-
+- ')
+-
+- userdom_search_user_home_dirs($1)
+- allow $1 procmail_home_t:file read_file_perms;
+-')
+-
+-########################################
+-## <summary>
+-## Relabel procmail home files.
+-## </summary>
+-## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+-## </param>
+-#
+-interface(`procmail_relabel_home_files',`
+- gen_require(`
+- type ppp_home_t;
+- ')
+-
+- userdom_search_user_home_dirs($1)
+- allow $1 procmail_home_t:file relabel_file_perms;
+-')
+-
+-########################################
+-## <summary>
+-## Create objects in user home
+-## directories with the procmail home type.
++## Read procmail tmp files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <param name="object_class">
+-## <summary>
+-## Class of the object being created.
+-## </summary>
+-## </param>
+-## <param name="name" optional="true">
+-## <summary>
+-## The name of the object being created.
+-## </summary>
+-## </param>
+ #
+-interface(`procmail_home_filetrans_procmail_home',`
++interface(`procmail_read_tmp_files',`
+ gen_require(`
+- type procmail_home_t;
++ type procmail_tmp_t;
+ ')
+
+- userdom_user_home_dir_filetrans($1, procmail_home_t, $2, $3)
++ files_search_tmp($1)
++ allow $1 procmail_tmp_t:file read_file_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Read procmail tmp files.
++## Read/write procmail tmp files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -136,18 +69,18 @@ interface(`procmail_home_filetrans_procmail_home',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`procmail_read_tmp_files',`
++interface(`procmail_rw_tmp_files',`
+ gen_require(`
+ type procmail_tmp_t;
+ ')
+
files_search_tmp($1)
- rw_files_pattern($1, procmail_tmp_t, procmail_tmp_t)
+- allow $1 procmail_tmp_t:file read_file_perms;
++ rw_files_pattern($1, procmail_tmp_t, procmail_tmp_t)
')
-+
-+########################################
-+## <summary>
+
+ ########################################
+ ## <summary>
+-## Read and write procmail tmp files.
+## Read procmail home directory content
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -155,11 +88,11 @@ interface(`procmail_read_tmp_files',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`procmail_rw_tmp_files',`
+interface(`procmail_read_home_files',`
-+ gen_require(`
+ gen_require(`
+- type procmail_tmp_t;
+ type procmail_home_t;
-+ ')
-+
+ ')
+
+- files_search_tmp($1)
+- rw_files_pattern($1, procmail_tmp_t, procmail_tmp_t)
+ userdom_search_user_home_dirs($1)
+ read_files_pattern($1, procmail_home_t, procmail_home_t)
-+')
+ ')
diff --git a/procmail.te b/procmail.te
-index 29b9295..23625fc 100644
+index d447152..170ed82 100644
--- a/procmail.te
+++ b/procmail.te
-@@ -10,6 +10,9 @@ type procmail_exec_t;
- application_domain(procmail_t, procmail_exec_t)
- role system_r types procmail_t;
-
-+type procmail_home_t;
-+userdom_user_home_content(procmail_home_t)
-+
- type procmail_log_t;
- logging_log_file(procmail_log_t)
+@@ -1,4 +1,4 @@
+-policy_module(procmail, 1.12.2)
++policy_module(procmail, 1.12.0)
-@@ -32,7 +35,7 @@ allow procmail_t self:udp_socket create_socket_perms;
- can_exec(procmail_t, procmail_exec_t)
+ ########################################
+ #
+@@ -14,7 +14,7 @@ type procmail_home_t;
+ userdom_user_home_content(procmail_home_t)
- # Write log to /var/log/procmail.log or /var/log/procmail/.*
--allow procmail_t procmail_log_t:dir setattr;
-+allow procmail_t procmail_log_t:dir setattr_dir_perms;
+ type procmail_log_t;
+-logging_log_file(procmail_log_t)
++logging_log_file(procmail_log_t)
+
+ type procmail_tmp_t;
+ files_tmp_file(procmail_tmp_t)
+@@ -27,10 +27,14 @@ files_tmp_file(procmail_tmp_t)
+ allow procmail_t self:capability { sys_nice chown fsetid setuid setgid dac_override };
+ allow procmail_t self:process { setsched signal signull };
+ allow procmail_t self:fifo_file rw_fifo_file_perms;
+-allow procmail_t self:tcp_socket { accept listen };
++allow procmail_t self:unix_stream_socket create_socket_perms;
++allow procmail_t self:unix_dgram_socket create_socket_perms;
++allow procmail_t self:tcp_socket create_stream_socket_perms;
++allow procmail_t self:udp_socket create_socket_perms;
+
+-allow procmail_t procmail_home_t:file read_file_perms;
++can_exec(procmail_t, procmail_exec_t)
+
++# Write log to /var/log/procmail.log or /var/log/procmail/.*
+ allow procmail_t procmail_log_t:dir setattr_dir_perms;
create_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
append_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
- read_lnk_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
-@@ -44,7 +47,6 @@ files_tmp_filetrans(procmail_t, procmail_tmp_t, file)
+@@ -40,56 +44,69 @@ logging_log_filetrans(procmail_t, procmail_log_t, { file dir })
+ allow procmail_t procmail_tmp_t:file manage_file_perms;
+ files_tmp_filetrans(procmail_t, procmail_tmp_t, file)
+
+-can_exec(procmail_t, procmail_exec_t)
+-
kernel_read_system_state(procmail_t)
kernel_read_kernel_sysctls(procmail_t)
-corenet_all_recvfrom_unlabeled(procmail_t)
corenet_all_recvfrom_netlabel(procmail_t)
corenet_tcp_sendrecv_generic_if(procmail_t)
- corenet_udp_sendrecv_generic_if(procmail_t)
-@@ -67,17 +69,23 @@ auth_use_nsswitch(procmail_t)
++corenet_udp_sendrecv_generic_if(procmail_t)
+ corenet_tcp_sendrecv_generic_node(procmail_t)
+-
+-corenet_sendrecv_spamd_client_packets(procmail_t)
++corenet_udp_sendrecv_generic_node(procmail_t)
++corenet_tcp_sendrecv_all_ports(procmail_t)
++corenet_udp_sendrecv_all_ports(procmail_t)
++corenet_udp_bind_generic_node(procmail_t)
+ corenet_tcp_connect_spamd_port(procmail_t)
+-corenet_tcp_sendrecv_spamd_port(procmail_t)
+-
++corenet_sendrecv_spamd_client_packets(procmail_t)
+ corenet_sendrecv_comsat_client_packets(procmail_t)
+-corenet_tcp_connect_comsat_port(procmail_t)
+-corenet_tcp_sendrecv_comsat_port(procmail_t)
+-
+-corecmd_exec_bin(procmail_t)
+-corecmd_exec_shell(procmail_t)
+
+ dev_read_urand(procmail_t)
- corecmd_exec_bin(procmail_t)
- corecmd_exec_shell(procmail_t)
--corecmd_read_bin_symlinks(procmail_t)
+-fs_getattr_all_fs(procmail_t)
++fs_getattr_xattr_fs(procmail_t)
+ fs_search_auto_mountpoints(procmail_t)
+ fs_rw_anon_inodefs_files(procmail_t)
--files_read_etc_files(procmail_t)
+ auth_use_nsswitch(procmail_t)
+
++corecmd_exec_bin(procmail_t)
++corecmd_exec_shell(procmail_t)
++
files_read_etc_runtime_files(procmail_t)
- files_search_pids(procmail_t)
- # for spamassasin
++files_search_pids(procmail_t)
++# for spamassasin
files_read_usr_files(procmail_t)
+-logging_send_syslog_msg(procmail_t)
+application_exec_all(procmail_t)
+
+init_read_utmp(procmail_t)
-+
- logging_send_syslog_msg(procmail_t)
-+logging_append_all_logs(procmail_t)
-miscfiles_read_localization(procmail_t)
++logging_send_syslog_msg(procmail_t)
++logging_append_all_logs(procmail_t)
+
+list_dirs_pattern(procmail_t, procmail_home_t, procmail_home_t)
+read_files_pattern(procmail_t, procmail_home_t, procmail_home_t)
-+userdom_search_user_home_dirs(procmail_t)
+ userdom_search_user_home_dirs(procmail_t)
+userdom_search_admin_dir(procmail_t)
- # only works until we define a different type for maildir
- userdom_manage_user_home_content_dirs(procmail_t)
-@@ -87,8 +95,8 @@ userdom_manage_user_home_content_pipes(procmail_t)
- userdom_manage_user_home_content_sockets(procmail_t)
- userdom_user_home_dir_filetrans_user_home_content(procmail_t, { dir file lnk_file fifo_file sock_file })
-
--# Do not audit attempts to access /root.
--userdom_dontaudit_search_user_home_dirs(procmail_t)
-+# Execute user executables
-+userdom_exec_user_bin_files(procmail_t)
-
- mta_manage_spool(procmail_t)
- mta_read_queue(procmail_t)
-@@ -97,21 +105,19 @@ ifdef(`hide_broken_symptoms',`
- mta_dontaudit_rw_queue(procmail_t)
- ')
-
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(procmail_t)
- fs_manage_nfs_files(procmail_t)
- fs_manage_nfs_symlinks(procmail_t)
-+userdom_home_manager(procmail_t)
+-')
++# only works until we define a different type for maildir
++userdom_manage_user_home_content_dirs(procmail_t)
++userdom_manage_user_home_content_files(procmail_t)
++userdom_manage_user_home_content_symlinks(procmail_t)
++userdom_manage_user_home_content_pipes(procmail_t)
++userdom_manage_user_home_content_sockets(procmail_t)
++userdom_user_home_dir_filetrans_user_home_content(procmail_t, { dir file lnk_file fifo_file sock_file })
+
-+optional_policy(`
-+ clamav_domtrans_clamscan(procmail_t)
-+ clamav_search_lib(procmail_t)
- ')
++# Execute user executables
++userdom_exec_user_bin_files(procmail_t)
++
++mta_manage_spool(procmail_t)
++mta_read_queue(procmail_t)
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(procmail_t)
- fs_manage_cifs_files(procmail_t)
- fs_manage_cifs_symlinks(procmail_t)
-+optional_policy(`
-+ cyrus_stream_connect(procmail_t)
++ifdef(`hide_broken_symptoms',`
++ mta_dontaudit_rw_queue(procmail_t)
+ ')
+
++userdom_home_manager(procmail_t)
++
+ optional_policy(`
+ clamav_domtrans_clamscan(procmail_t)
+ clamav_search_lib(procmail_t)
+@@ -100,12 +117,7 @@ optional_policy(`
')
optional_policy(`
-- clamav_domtrans_clamscan(procmail_t)
-- clamav_search_lib(procmail_t)
+- mta_manage_spool(procmail_t)
+- mta_read_config(procmail_t)
+- mta_read_queue(procmail_t)
+- mta_manage_mail_home_rw_content(procmail_t)
+- mta_home_filetrans_mail_home_rw(procmail_t, dir, "Maildir")
+- mta_home_filetrans_mail_home_rw(procmail_t, dir, ".maildir")
+ gnome_manage_data(procmail_t)
')
optional_policy(`
-@@ -125,6 +131,11 @@ optional_policy(`
+@@ -113,16 +125,17 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- nagios_search_spool(procmail_t)
+-')
+-
+-optional_policy(`
++ # for a bug in the postfix local program
+ postfix_dontaudit_rw_local_tcp_sockets(procmail_t)
+ postfix_dontaudit_use_fds(procmail_t)
postfix_read_spool_files(procmail_t)
postfix_read_local_state(procmail_t)
postfix_read_master_state(procmail_t)
-+ postfix_rw_master_pipes(procmail_t)
+- postfix_rw_master_pipes(procmail_t)
++ postfix_rw_inherited_master_pipes(procmail_t)
+')
+
+optional_policy(`
@@ -50448,36 +54820,41 @@ index 29b9295..23625fc 100644
')
optional_policy(`
-@@ -134,6 +145,7 @@ optional_policy(`
+@@ -131,6 +144,8 @@ optional_policy(`
+ ')
optional_policy(`
- mta_read_config(procmail_t)
++ mta_read_config(procmail_t)
+ mta_manage_home_rw(procmail_t)
sendmail_domtrans(procmail_t)
sendmail_signal(procmail_t)
sendmail_dontaudit_rw_tcp_sockets(procmail_t)
diff --git a/psad.if b/psad.if
-index bc329d1..20bb463 100644
+index d4dcf78..59ab964 100644
--- a/psad.if
+++ b/psad.if
-@@ -91,7 +91,6 @@ interface(`psad_manage_config',`
+@@ -93,9 +93,8 @@ interface(`psad_manage_config',`
+ ')
+
files_search_etc($1)
- manage_dirs_pattern($1, psad_etc_t, psad_etc_t)
- manage_files_pattern($1, psad_etc_t, psad_etc_t)
--
+- allow $1 psad_etc_t:dir manage_dir_perms;
+- allow $1 psad_etc_t:file manage_file_perms;
+- allow $1 psad_etc_t:lnk_file manage_lnk_file_perms;
++ manage_dirs_pattern($1, psad_etc_t, psad_etc_t)
++ manage_files_pattern($1, psad_etc_t, psad_etc_t)
')
########################################
-@@ -115,7 +114,7 @@ interface(`psad_read_pid_files',`
+@@ -119,7 +118,7 @@ interface(`psad_read_pid_files',`
########################################
## <summary>
--## Read psad PID files.
+-## Read and write psad pid files.
+## Read and write psad PID files.
## </summary>
## <param name="domain">
## <summary>
-@@ -176,6 +175,45 @@ interface(`psad_append_log',`
+@@ -179,6 +178,45 @@ interface(`psad_append_log',`
########################################
## <summary>
@@ -50523,16 +54900,7 @@ index bc329d1..20bb463 100644
## Read and write psad fifo files.
## </summary>
## <param name="domain">
-@@ -186,7 +224,7 @@ interface(`psad_append_log',`
- #
- interface(`psad_rw_fifo_file',`
- gen_require(`
-- type psad_t;
-+ type psad_t, psad_var_lib_t;
- ')
-
- files_search_var_lib($1)
-@@ -196,6 +234,26 @@ interface(`psad_rw_fifo_file',`
+@@ -198,6 +236,26 @@ interface(`psad_rw_fifo_file',`
#######################################
## <summary>
@@ -50556,10 +54924,10 @@ index bc329d1..20bb463 100644
+
+#######################################
+## <summary>
- ## Read and write psad tmp files.
+ ## Read and write psad temporary files.
## </summary>
## <param name="domain">
-@@ -233,30 +291,33 @@ interface(`psad_rw_tmp_files',`
+@@ -235,30 +293,34 @@ interface(`psad_rw_tmp_files',`
interface(`psad_admin',`
gen_require(`
type psad_t, psad_var_run_t, psad_var_log_t;
@@ -50571,10 +54939,11 @@ index bc329d1..20bb463 100644
- allow $1 psad_t:process { ptrace signal_perms };
+ allow $1 psad_t:process signal_perms;
ps_process_pattern($1, psad_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 psad_t:process ptrace;
+ ')
-
++
init_labeled_script_domtrans($1, psad_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 psad_initrc_exec_t system_r;
@@ -50601,180 +54970,335 @@ index bc329d1..20bb463 100644
admin_pattern($1, psad_tmp_t)
')
diff --git a/psad.te b/psad.te
-index d4000e0..7fbcae1 100644
+index 5427bb6..718c847 100644
--- a/psad.te
+++ b/psad.te
-@@ -11,7 +11,7 @@ init_daemon_domain(psad_t, psad_exec_t)
-
- # config files
- type psad_etc_t;
--files_type(psad_etc_t)
-+files_config_file(psad_etc_t)
-
- type psad_initrc_exec_t;
- init_script_file(psad_initrc_exec_t)
-@@ -39,7 +39,7 @@ files_tmp_file(psad_tmp_t)
-
- allow psad_t self:capability { net_admin net_raw setuid setgid dac_override };
- dontaudit psad_t self:capability sys_tty_config;
--allow psad_t self:process signull;
-+allow psad_t self:process signal_perms;
- allow psad_t self:fifo_file rw_fifo_file_perms;
- allow psad_t self:rawip_socket create_socket_perms;
-
-@@ -53,9 +53,10 @@ manage_dirs_pattern(psad_t, psad_var_log_t, psad_var_log_t)
- logging_log_filetrans(psad_t, psad_var_log_t, { file dir })
-
- # pid file
-+manage_dirs_pattern(psad_t, psad_var_run_t, psad_var_run_t)
- manage_files_pattern(psad_t, psad_var_run_t, psad_var_run_t)
- manage_sock_files_pattern(psad_t, psad_var_run_t, psad_var_run_t)
--files_pid_filetrans(psad_t, psad_var_run_t, { file sock_file })
-+files_pid_filetrans(psad_t, psad_var_run_t, { dir file sock_file })
-
- # tmp files
- manage_dirs_pattern(psad_t, psad_tmp_t, psad_tmp_t)
-@@ -73,7 +74,6 @@ kernel_read_net_sysctls(psad_t)
- corecmd_exec_shell(psad_t)
+@@ -66,7 +66,6 @@ kernel_read_net_sysctls(psad_t)
corecmd_exec_bin(psad_t)
+ corecmd_exec_shell(psad_t)
-corenet_all_recvfrom_unlabeled(psad_t)
corenet_all_recvfrom_netlabel(psad_t)
corenet_tcp_sendrecv_generic_if(psad_t)
corenet_tcp_sendrecv_generic_node(psad_t)
-@@ -85,22 +85,23 @@ corenet_sendrecv_whois_client_packets(psad_t)
+@@ -78,7 +77,6 @@ corenet_tcp_sendrecv_whois_port(psad_t)
dev_read_urand(psad_t)
files_read_etc_runtime_files(psad_t)
-+files_read_usr_files(psad_t)
+-files_read_usr_files(psad_t)
fs_getattr_all_fs(psad_t)
- auth_use_nsswitch(psad_t)
-
--iptables_domtrans(psad_t)
--
- logging_read_generic_logs(psad_t)
+@@ -88,8 +86,6 @@ logging_read_generic_logs(psad_t)
logging_read_syslog_config(psad_t)
logging_send_syslog_msg(psad_t)
-miscfiles_read_localization(psad_t)
-
sysnet_exec_ifconfig(psad_t)
-
- optional_policy(`
-+ iptables_domtrans(psad_t)
-+')
-+
-+optional_policy(`
- mta_send_mail(psad_t)
- mta_read_queue(psad_t)
- ')
-diff --git a/ptchown.if b/ptchown.if
-index 96cc023..5919bbd 100644
---- a/ptchown.if
-+++ b/ptchown.if
-@@ -18,6 +18,24 @@ interface(`ptchown_domtrans',`
- domtrans_pattern($1, ptchown_exec_t, ptchown_t)
- ')
-
-+#######################################
-+## <summary>
-+## Execute ptchown in the caller domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed to transition.
-+## </summary>
-+## </param>
-+#
-+interface(`ptchown_exec',`
-+ gen_require(`
-+ type ptchown_exec_t;
-+ ')
-+
-+ can_exec($1, ptchown_exec_t)
-+')
-+
- ########################################
- ## <summary>
- ## Execute ptchown in the ptchown domain, and
+
+ optional_policy(`
diff --git a/ptchown.te b/ptchown.te
-index d90245a..546474f 100644
+index d67905e..d54cb62 100644
--- a/ptchown.te
+++ b/ptchown.te
-@@ -28,4 +28,4 @@ term_setattr_all_ptys(ptchown_t)
+@@ -31,4 +31,4 @@ term_setattr_all_ptys(ptchown_t)
term_use_generic_ptys(ptchown_t)
term_use_ptmx(ptchown_t)
-miscfiles_read_localization(ptchown_t)
+auth_read_passwd(ptchown_t)
diff --git a/pulseaudio.fc b/pulseaudio.fc
-index 84f23dc..0e7d875 100644
+index 6864479..0e7d875 100644
--- a/pulseaudio.fc
+++ b/pulseaudio.fc
-@@ -1,5 +1,12 @@
--HOME_DIR/\.pulse-cookie gen_context(system_u:object_r:pulseaudio_home_t,s0)
-+HOME_DIR/\.esd_auth -- gen_context(system_u:object_r:pulseaudio_home_t,s0)
-+HOME_DIR/\.pulse-cookie -- gen_context(system_u:object_r:pulseaudio_home_t,s0)
- HOME_DIR/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0)
+@@ -1,9 +1,14 @@
+ HOME_DIR/\.esd_auth -- gen_context(system_u:object_r:pulseaudio_home_t,s0)
+-HOME_DIR/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0)
+ HOME_DIR/\.pulse-cookie -- gen_context(system_u:object_r:pulseaudio_home_t,s0)
++HOME_DIR/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0)
+HOME_DIR/\.config/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0)
-+
+
+-/usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0)
+/root/\.esd_auth -- gen_context(system_u:object_r:pulseaudio_home_t,s0)
+/root/\.pulse-cookie -- gen_context(system_u:object_r:pulseaudio_home_t,s0)
+/root/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0)
+/root/\.config/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0)
- /usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0)
+-/var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0)
++/usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0)
+-/var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0)
++/var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0)
++/var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0)
diff --git a/pulseaudio.if b/pulseaudio.if
-index f40c64d..7015dce 100644
+index fa3dc8e..ec47fb6 100644
--- a/pulseaudio.if
+++ b/pulseaudio.if
-@@ -35,6 +35,9 @@ interface(`pulseaudio_role',`
- allow pulseaudio_t $2:unix_stream_socket connectto;
- allow $2 pulseaudio_t:unix_stream_socket connectto;
+@@ -2,47 +2,44 @@
+
+ ########################################
+ ## <summary>
+-## Role access for pulseaudio.
++## Role access for pulseaudio
+ ## </summary>
+ ## <param name="role">
+ ## <summary>
+-## Role allowed access.
++## Role allowed access
+ ## </summary>
+ ## </param>
+ ## <param name="domain">
+ ## <summary>
+-## User domain for the role.
++## User domain for the role
+ ## </summary>
+ ## </param>
+ #
+ interface(`pulseaudio_role',`
+ gen_require(`
+- attribute pulseaudio_tmpfsfile;
+- type pulseaudio_t, pulseaudio_home_t, pulseaudio_tmpfs_t;
+- type pulseaudio_tmp_t;
++ type pulseaudio_t, pulseaudio_exec_t;
++ class dbus { acquire_svc send_msg };
+ ')
+- pulseaudio_run($2, $1)
++ role $1 types pulseaudio_t;
+
+- allow $2 pulseaudio_t:process { ptrace signal_perms };
+- ps_process_pattern($2, pulseaudio_t)
++ # Transition from the user domain to the derived domain.
++ domtrans_pattern($2, pulseaudio_exec_t, pulseaudio_t)
+
+- allow $2 pulseaudio_home_t:dir { manage_dir_perms relabel_dir_perms };
+- allow $2 pulseaudio_home_t:file { manage_file_perms relabel_file_perms };
+- allow $2 pulseaudio_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
++ ps_process_pattern($2, pulseaudio_t)
+
+- userdom_user_home_dir_filetrans($2, pulseaudio_home_t, dir, ".pulse")
+- userdom_user_home_dir_filetrans($2, pulseaudio_home_t, file, ".esd_auth")
+- userdom_user_home_dir_filetrans($2, pulseaudio_home_t, file, ".pulse-cookie")
++ allow pulseaudio_t $2:process { signal signull };
++ allow $2 pulseaudio_t:process { signal signull sigkill };
++ ps_process_pattern(pulseaudio_t, $2)
+
+- allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:dir { manage_dir_perms relabel_dir_perms };
+- allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:file { manage_file_perms relabel_file_perms };
++ allow pulseaudio_t $2:unix_stream_socket connectto;
++ allow $2 pulseaudio_t:unix_stream_socket connectto;
+
+- allow $2 pulseaudio_tmp_t:dir { manage_dir_perms relabel_dir_perms };
+- allow $2 pulseaudio_tmp_t:file { manage_file_perms relabel_file_perms };
+- allow $2 pulseaudio_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+ userdom_manage_tmp_role($1, pulseaudio_t)
+ userdom_manage_tmpfs_role($1, pulseaudio_t)
-+
- allow $2 pulseaudio_t:dbus send_msg;
- allow pulseaudio_t $2:dbus { acquire_svc send_msg };
+
+- allow pulseaudio_t $2:unix_stream_socket connectto;
++ allow $2 pulseaudio_t:dbus send_msg;
++ allow pulseaudio_t $2:dbus { acquire_svc send_msg };
+ ')
+
+ ########################################
+@@ -69,9 +66,8 @@ interface(`pulseaudio_domtrans',`
+
+ ########################################
+ ## <summary>
+-## Execute pulseaudio in the pulseaudio
+-## domain, and allow the specified role
+-## the pulseaudio domain.
++## Execute pulseaudio in the pulseaudio domain, and
++## allow the specified role the pulseaudio domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -86,16 +82,16 @@ interface(`pulseaudio_domtrans',`
+ #
+ interface(`pulseaudio_run',`
+ gen_require(`
+- attribute_role pulseaudio_roles;
++ type pulseaudio_t;
+ ')
+
+ pulseaudio_domtrans($1)
+- roleattribute $2 pulseaudio_roles;
++ role $2 types pulseaudio_t;
+ ')
+
+ ########################################
+ ## <summary>
+-## Execute pulseaudio in the caller domain.
++## Execute a pulseaudio in the current domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -108,13 +104,12 @@ interface(`pulseaudio_exec',`
+ type pulseaudio_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+ can_exec($1, pulseaudio_exec_t)
')
-@@ -151,12 +154,14 @@ interface(`pulseaudio_signull',`
+
+ ########################################
+ ## <summary>
+-## Do not audit attempts to execute pulseaudio.
++## Do not audit to execute a pulseaudio.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -132,7 +127,7 @@ interface(`pulseaudio_dontaudit_exec',`
+
+ ########################################
+ ## <summary>
+-## Send null signals to pulseaudio.
++## Send signull signal to pulseaudio
+ ## processes.
+ ## </summary>
+ ## <param name="domain">
+@@ -151,8 +146,8 @@ interface(`pulseaudio_signull',`
+
+ #####################################
+ ## <summary>
+-## Connect to pulseaudio with a unix
+-## domain stream socket.
++## Connect to pulseaudio over a unix domain
++## stream socket.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -162,11 +157,15 @@ interface(`pulseaudio_signull',`
+ #
interface(`pulseaudio_stream_connect',`
gen_require(`
- type pulseaudio_t, pulseaudio_var_run_t;
+- type pulseaudio_t, pulseaudio_var_run_t, pulseaudio_tmp_t;
++ type pulseaudio_t, pulseaudio_var_run_t;
+ type pulseaudio_home_t;
')
files_search_pids($1)
- allow $1 pulseaudio_t:process signull;
- allow pulseaudio_t $1:process signull;
- stream_connect_pattern($1, pulseaudio_var_run_t, pulseaudio_var_run_t, pulseaudio_t)
+- stream_connect_pattern($1, { pulseaudio_tmp_t pulseaudio_var_run_t }, { pulseaudio_tmp_t pulseaudio_var_run_t }, pulseaudio_t)
++ allow $1 pulseaudio_t:process signull;
++ allow pulseaudio_t $1:process signull;
++ stream_connect_pattern($1, pulseaudio_var_run_t, pulseaudio_var_run_t, pulseaudio_t)
+ stream_connect_pattern($1, pulseaudio_home_t, pulseaudio_home_t, pulseaudio_t)
')
########################################
-@@ -257,4 +262,88 @@ interface(`pulseaudio_manage_home_files',`
+@@ -192,9 +191,9 @@ interface(`pulseaudio_dbus_chat',`
+
+ ########################################
+ ## <summary>
+-## Set attributes of pulseaudio home directories.
++## Set the attributes of the pulseaudio homedir.
+ ## </summary>
+-## <param name="domain">
++## <param name="user_domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+@@ -205,85 +204,95 @@ interface(`pulseaudio_setattr_home_dir',`
+ type pulseaudio_home_t;
+ ')
+
+- allow $1 pulseaudio_home_t:dir setattr_dir_perms;
++ allow $1 pulseaudio_home_t:dir setattr;
+ ')
+
+ ########################################
+ ## <summary>
+-## Read pulseaudio home content.
++## Read pulseaudio homedir files.
+ ## </summary>
+-## <param name="domain">
++## <param name="user_domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+ #
+ interface(`pulseaudio_read_home_files',`
+- refpolicywarn(`$0($*) has been deprecated, use pulseaudio_read_home() instead.')
+- pulseaudio_read_home($1)
++ gen_require(`
++ type pulseaudio_home_t;
++ ')
++
++ userdom_search_user_home_dirs($1)
++ read_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
++ read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Read pulseaudio home content.
++## Read and write Pulse Audio files.
+ ## </summary>
+-## <param name="domain">
++## <param name="user_domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+ #
+-interface(`pulseaudio_read_home',`
++interface(`pulseaudio_rw_home_files',`
+ gen_require(`
+ type pulseaudio_home_t;
+ ')
+
++ rw_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
++ read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+ userdom_search_user_home_dirs($1)
+- allow $1 pulseaudio_home_t:dir list_dir_perms;
+- allow $1 pulseaudio_home_t:file read_file_perms;
+- allow $1 pulseaudio_home_t:lnk_file read_lnk_file_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Read and write Pulse Audio files.
++## Create, read, write, and delete pulseaudio
++## home directory files.
+ ## </summary>
+-## <param name="domain">
++## <param name="user_domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+ #
+-interface(`pulseaudio_rw_home_files',`
++interface(`pulseaudio_manage_home_files',`
+ gen_require(`
+ type pulseaudio_home_t;
+ ')
+
userdom_search_user_home_dirs($1)
- manage_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+- rw_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
++ manage_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+ pulseaudio_filetrans_home_content($1)
-+ pulseaudio_filetrans_admin_home_content($1)
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete
+-## pulseaudio home content.
+## Create, read, write, and delete pulseaudio
+## home directory symlinks.
-+## </summary>
+ ## </summary>
+-## <param name="domain">
+## <param name="user_domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+ #
+-interface(`pulseaudio_manage_home_files',`
+- refpolicywarn(`$0($*) has been deprecated, use pulseaudio_manage_home() instead.')
+- pulseaudio_manage_home($1)
+interface(`pulseaudio_manage_home_symlinks',`
+ gen_require(`
+ type pulseaudio_home_t;
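Review bot: The rewritten pulseaudio_role performs the transition itself (`role $1 types pulseaudio_t;` plus `domtrans_pattern($2, pulseaudio_exec_t, pulseaudio_t)`) instead of calling `pulseaudio_run($2, $1)` as upstream does, while the same hunk keeps pulseaudio_run with an identical `role $2 types pulseaudio_t;` body; routing the role interface through pulseaudio_run keeps the two from drifting apart. Further down, pulseaudio_setattr_home_dir swaps upstream's `setattr_dir_perms` for the bare `setattr` permission; the named permission set is the refpolicy convention and presumably expands to the same access here, so the raw permission looks like an accidental revert. Several summary edits also go from upstream's clearer wording back to older text, e.g. `## Do not audit to execute a pulseaudio.` replacing `## Do not audit attempts to execute pulseaudio.`; I would keep the upstream summaries. The user-domain rule on pulseaudio_t now grants `{ signal signull sigkill }` without ptrace, which is a welcome narrowing and worth mentioning in the commit description.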
@@ -50782,49 +55306,93 @@ index f40c64d..7015dce 100644
+
+ userdom_search_user_home_dirs($1)
+ manage_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete
+-## pulseaudio home content.
+## Create pulseaudio content in the user home directory
+## with an correct label.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -291,62 +300,72 @@ interface(`pulseaudio_manage_home_files',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`pulseaudio_manage_home',`
+interface(`pulseaudio_filetrans_home_content',`
-+ gen_require(`
-+ type pulseaudio_home_t;
-+ ')
-+
+ gen_require(`
+ type pulseaudio_home_t;
+ ')
+
+- userdom_search_user_home_dirs($1)
+- allow $1 pulseaudio_home_t:dir manage_dir_perms;
+- allow $1 pulseaudio_home_t:file manage_file_perms;
+- allow $1 pulseaudio_home_t:lnk_file manage_lnk_file_perms;
+ userdom_user_home_dir_filetrans($1, pulseaudio_home_t, dir, ".pulse")
+ userdom_user_home_dir_filetrans($1, pulseaudio_home_t, file, ".pulse-cookie")
+ userdom_user_home_dir_filetrans($1, pulseaudio_home_t, file, ".esd_auth")
+ gnome_config_filetrans($1, pulseaudio_home_t, dir, "pulse")
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Create objects in user home
+-## directories with the pulseaudio
+-## home type.
+## Create pulseaudio content in the admin home directory
+## with an correct label.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <param name="object_class">
+-## <summary>
+-## Class of the object being created.
+-## </summary>
+-## </param>
+-## <param name="name" optional="true">
+-## <summary>
+-## The name of the object being created.
+-## </summary>
+-## </param>
+ #
+-interface(`pulseaudio_home_filetrans_pulseaudio_home',`
+interface(`pulseaudio_filetrans_admin_home_content',`
-+ gen_require(`
-+ type pulseaudio_home_t;
-+ ')
-+
+ gen_require(`
+ type pulseaudio_home_t;
+ ')
+
+- userdom_user_home_dir_filetrans($1, pulseaudio_home_t, $2, $3)
+ userdom_admin_home_dir_filetrans($1, pulseaudio_home_t, dir, ".pulse")
+ userdom_admin_home_dir_filetrans($1, pulseaudio_home_t, file, ".pulse-cookie")
+ userdom_admin_home_dir_filetrans($1, pulseaudio_home_t, file, ".esd_auth")
+ ')
+
+-########################################
++#######################################
+ ## <summary>
+-## Make the specified tmpfs file type
+-## pulseaudio tmpfs content.
++## Make the specified tmpfs file type
++## pulseaudio tmpfs content.
+ ## </summary>
+ ## <param name="file_type">
++## <summary>
++## File type to make pulseaudio tmpfs content.
++## </summary>
++## </param>
++#
++interface(`pulseaudio_tmpfs_content',`
++ gen_require(`
++ attribute pulseaudio_tmpfsfile;
++ ')
++
++ typeattribute $1 pulseaudio_tmpfsfile;
+')
+
+########################################
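Review bot: pulseaudio_filetrans_home_content calls `gnome_config_filetrans($1, pulseaudio_home_t, dir, "pulse")` unconditionally, which makes this interface (and every caller of it) depend on the gnome module being present in the build; a comment stating that hard dependency, or wrapping the gnome call so callers without gnome still build, would make the coupling explicit. The two new summaries read `## with an correct label.`; `## with a correct label.` is the intended wording. The admin variant deliberately omits the gnome transition, and its summary should say so, otherwise the asymmetry reads like an omission.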
@@ -50832,71 +55400,164 @@ index f40c64d..7015dce 100644
+## Allow the domain to read pulseaudio state files in /proc.
+## </summary>
+## <param name="domain">
-+## <summary>
+ ## <summary>
+-## File type to make pulseaudio tmpfs content.
+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+ #
+-interface(`pulseaudio_tmpfs_content',`
+interface(`pulseaudio_read_state',`
-+ gen_require(`
+ gen_require(`
+- attribute pulseaudio_tmpfsfile;
+ type pulseaudio_t;
-+ ')
-+
+ ')
+
+- typeattribute $1 pulseaudio_tmpfsfile;
+ kernel_search_proc($1)
+ ps_process_pattern($1, pulseaudio_t)
')
diff --git a/pulseaudio.te b/pulseaudio.te
-index 901ac9b..bef43f7 100644
+index e31bbe1..276636a 100644
--- a/pulseaudio.te
+++ b/pulseaudio.te
-@@ -41,7 +41,13 @@ allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms;
+@@ -1,4 +1,4 @@
+-policy_module(pulseaudio, 1.5.4)
++policy_module(pulseaudio, 1.5.0)
- manage_dirs_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
- manage_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
+ ########################################
+ #
+@@ -8,61 +8,49 @@ policy_module(pulseaudio, 1.5.4)
+ attribute pulseaudio_client;
+ attribute pulseaudio_tmpfsfile;
+
+-attribute_role pulseaudio_roles;
+-
+ type pulseaudio_t;
+ type pulseaudio_exec_t;
+ init_daemon_domain(pulseaudio_t, pulseaudio_exec_t)
+ userdom_user_application_domain(pulseaudio_t, pulseaudio_exec_t)
+-role pulseaudio_roles types pulseaudio_t;
++role system_r types pulseaudio_t;
+
+ type pulseaudio_home_t;
+ userdom_user_home_content(pulseaudio_home_t)
+
+-type pulseaudio_tmp_t;
+-userdom_user_tmp_file(pulseaudio_tmp_t)
+-
+ type pulseaudio_tmpfs_t;
+ userdom_user_tmpfs_file(pulseaudio_tmpfs_t)
+
+ type pulseaudio_var_lib_t;
+ files_type(pulseaudio_var_lib_t)
++ubac_constrained(pulseaudio_var_lib_t)
+
+ type pulseaudio_var_run_t;
+ files_pid_file(pulseaudio_var_run_t)
++ubac_constrained(pulseaudio_var_run_t)
+
+ ########################################
+ #
+-# Local policy
++# pulseaudio local policy
+ #
+
+ allow pulseaudio_t self:capability { fowner fsetid chown setgid setuid sys_nice sys_resource sys_tty_config };
+ allow pulseaudio_t self:process { getcap setcap setrlimit setsched getsched signal signull };
+-allow pulseaudio_t self:fifo_file rw_fifo_file_perms;
+-allow pulseaudio_t self:unix_stream_socket { accept connectto listen };
+-allow pulseaudio_t self:unix_dgram_socket sendto;
+-allow pulseaudio_t self:tcp_socket { accept listen };
++allow pulseaudio_t self:fifo_file rw_file_perms;
++allow pulseaudio_t self:unix_stream_socket { create_stream_socket_perms connectto };
++allow pulseaudio_t self:unix_dgram_socket { sendto create_socket_perms };
++allow pulseaudio_t self:tcp_socket create_stream_socket_perms;
++allow pulseaudio_t self:udp_socket create_socket_perms;
+ allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+-allow pulseaudio_t pulseaudio_home_t:dir manage_dir_perms;
+-allow pulseaudio_t pulseaudio_home_t:file manage_file_perms;
+-allow pulseaudio_t pulseaudio_home_t:lnk_file manage_lnk_file_perms;
+-
+-userdom_user_home_dir_filetrans(pulseaudio_t, pulseaudio_home_t, dir, ".pulse")
+-userdom_user_home_dir_filetrans(pulseaudio_t, pulseaudio_home_t, file, ".esd_auth")
+-userdom_user_home_dir_filetrans(pulseaudio_t, pulseaudio_home_t, file, ".pulse-cookie")
+-
+-manage_dirs_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
+-manage_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
+-manage_sock_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
+-files_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, dir)
+-userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file, "pid")
+-userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file, "dbus-socket")
+-userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file, "native")
++manage_dirs_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
++manage_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
+manage_lnk_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
- userdom_search_user_home_dirs(pulseaudio_t)
++userdom_search_user_home_dirs(pulseaudio_t)
+pulseaudio_filetrans_home_content(pulseaudio_t)
-+
+
+-manage_dirs_pattern(pulseaudio_t, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t)
+-manage_files_pattern(pulseaudio_t, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t)
+-fs_tmpfs_filetrans(pulseaudio_t, pulseaudio_tmpfs_t, { dir file })
+# ~/.esd_auth - maybe we should label this pulseaudio_home_t?
+userdom_read_user_home_content_files(pulseaudio_t)
+userdom_search_admin_dir(pulseaudio_t)
manage_dirs_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
manage_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
-@@ -51,7 +57,7 @@ files_var_lib_filetrans(pulseaudio_t, pulseaudio_var_lib_t, { dir file })
+@@ -72,10 +60,7 @@ files_var_lib_filetrans(pulseaudio_t, pulseaudio_var_lib_t, { dir file })
manage_dirs_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
manage_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
manage_sock_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
-files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { dir file })
+-
+-allow pulseaudio_t pulseaudio_client:process signull;
+-ps_process_pattern(pulseaudio_t, pulseaudio_client)
+files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { file dir })
can_exec(pulseaudio_t, pulseaudio_exec_t)
-@@ -61,7 +67,6 @@ kernel_read_kernel_sysctls(pulseaudio_t)
+@@ -85,24 +70,15 @@ kernel_read_kernel_sysctls(pulseaudio_t)
corecmd_exec_bin(pulseaudio_t)
-corenet_all_recvfrom_unlabeled(pulseaudio_t)
corenet_all_recvfrom_netlabel(pulseaudio_t)
+-corenet_tcp_sendrecv_generic_if(pulseaudio_t)
+-corenet_udp_sendrecv_generic_if(pulseaudio_t)
+-corenet_tcp_sendrecv_generic_node(pulseaudio_t)
+-corenet_udp_sendrecv_generic_node(pulseaudio_t)
+-
+-corenet_sendrecv_pulseaudio_server_packets(pulseaudio_t)
corenet_tcp_bind_pulseaudio_port(pulseaudio_t)
+-corenet_tcp_sendrecv_pulseaudio_port(pulseaudio_t)
+-
+-corenet_sendrecv_soundd_server_packets(pulseaudio_t)
corenet_tcp_bind_soundd_port(pulseaudio_t)
-@@ -70,32 +75,49 @@ corenet_tcp_sendrecv_generic_node(pulseaudio_t)
+-corenet_tcp_sendrecv_soundd_port(pulseaudio_t)
+-
+-corenet_sendrecv_sap_server_packets(pulseaudio_t)
++corenet_tcp_sendrecv_generic_if(pulseaudio_t)
++corenet_tcp_sendrecv_generic_node(pulseaudio_t)
corenet_udp_bind_sap_port(pulseaudio_t)
- corenet_udp_sendrecv_generic_if(pulseaudio_t)
- corenet_udp_sendrecv_generic_node(pulseaudio_t)
+-corenet_udp_sendrecv_sap_port(pulseaudio_t)
++corenet_udp_sendrecv_generic_if(pulseaudio_t)
++corenet_udp_sendrecv_generic_node(pulseaudio_t)
+corenet_dontaudit_tcp_connect_xserver_port(pulseaudio_t)
dev_read_sound(pulseaudio_t)
dev_write_sound(pulseaudio_t)
- dev_read_sysfs(pulseaudio_t)
- dev_read_urand(pulseaudio_t)
+@@ -111,34 +87,35 @@ dev_read_urand(pulseaudio_t)
--files_read_etc_files(pulseaudio_t)
files_read_usr_files(pulseaudio_t)
- fs_rw_anon_inodefs_files(pulseaudio_t)
++fs_rw_anon_inodefs_files(pulseaudio_t)
fs_getattr_tmpfs(pulseaudio_t)
+-fs_getattr_all_fs(pulseaudio_t)
fs_list_inotifyfs(pulseaudio_t)
+-fs_rw_anon_inodefs_files(pulseaudio_t)
+-fs_search_auto_mountpoints(pulseaudio_t)
-term_use_all_ttys(pulseaudio_t)
-term_use_all_ptys(pulseaudio_t)
@@ -50908,37 +55569,44 @@ index 901ac9b..bef43f7 100644
logging_send_syslog_msg(pulseaudio_t)
-miscfiles_read_localization(pulseaudio_t)
-+tunable_policy(`use_nfs_home_dirs',`
+-
+-userdom_search_user_home_dirs(pulseaudio_t)
+-userdom_write_user_tmp_sockets(pulseaudio_t)
+-
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_mount_nfs(pulseaudio_t)
+ fs_mounton_nfs(pulseaudio_t)
-+ fs_manage_nfs_dirs(pulseaudio_t)
-+ fs_manage_nfs_files(pulseaudio_t)
-+ fs_manage_nfs_symlinks(pulseaudio_t)
+ fs_manage_nfs_dirs(pulseaudio_t)
+ fs_manage_nfs_files(pulseaudio_t)
+ fs_manage_nfs_symlinks(pulseaudio_t)
+ fs_manage_nfs_named_sockets(pulseaudio_t)
+ fs_manage_nfs_named_pipes(pulseaudio_t)
-+')
-+
-+tunable_policy(`use_samba_home_dirs',`
+ ')
+
+ tunable_policy(`use_samba_home_dirs',`
+ fs_mount_cifs(pulseaudio_t)
+ fs_mounton_cifs(pulseaudio_t)
-+ fs_manage_cifs_dirs(pulseaudio_t)
-+ fs_manage_cifs_files(pulseaudio_t)
-+ fs_manage_cifs_symlinks(pulseaudio_t)
+ fs_manage_cifs_dirs(pulseaudio_t)
+ fs_manage_cifs_files(pulseaudio_t)
+ fs_manage_cifs_symlinks(pulseaudio_t)
+ fs_manage_cifs_named_sockets(pulseaudio_t)
+ fs_manage_cifs_named_pipes(pulseaudio_t)
-+')
+ ')
--# cjp: this seems excessive. need to confirm
--userdom_manage_user_home_content_files(pulseaudio_t)
--userdom_manage_user_tmp_files(pulseaudio_t)
--userdom_manage_user_tmpfs_files(pulseaudio_t)
-+optional_policy(`
-+ alsa_read_rw_config(pulseaudio_t)
-+')
+ optional_policy(`
+@@ -151,8 +128,9 @@ optional_policy(`
optional_policy(`
- bluetooth_stream_connect(pulseaudio_t)
-@@ -125,16 +147,37 @@ optional_policy(`
+ dbus_system_domain(pulseaudio_t, pulseaudio_exec_t)
+- dbus_all_session_bus_client(pulseaudio_t)
+- dbus_connect_all_session_bus(pulseaudio_t)
++ dbus_system_bus_client(pulseaudio_t)
++ dbus_session_bus_client(pulseaudio_t)
++ dbus_connect_session_bus(pulseaudio_t)
+
+ optional_policy(`
+ consolekit_dbus_chat(pulseaudio_t)
+@@ -172,16 +150,33 @@ optional_policy(`
')
optional_policy(`
@@ -50958,10 +55626,6 @@ index 901ac9b..bef43f7 100644
+')
+
+optional_policy(`
-+ mpd_read_tmpfs_files(pulseaudio_t)
-+')
-+
-+optional_policy(`
policykit_domtrans_auth(pulseaudio_t)
policykit_read_lib(pulseaudio_t)
policykit_read_reload(pulseaudio_t)
@@ -50976,226 +55640,378 @@ index 901ac9b..bef43f7 100644
udev_read_state(pulseaudio_t)
udev_read_db(pulseaudio_t)
')
-@@ -146,3 +189,7 @@ optional_policy(`
- xserver_read_xdm_pid(pulseaudio_t)
+@@ -194,7 +189,11 @@ optional_policy(`
xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t)
')
-+
+
+-########################################
+optional_policy(`
+ virt_manage_tmpfs_files(pulseaudio_t)
+')
++
++#######################################
+ #
+ # Client local policy
+ #
+@@ -208,8 +207,6 @@ delete_files_pattern(pulseaudio_client, pulseaudio_tmpfsfile, pulseaudio_tmpfsfi
+
+ fs_getattr_tmpfs(pulseaudio_client)
+
+-corenet_all_recvfrom_unlabeled(pulseaudio_client)
+-corenet_all_recvfrom_netlabel(pulseaudio_client)
+ corenet_tcp_sendrecv_generic_if(pulseaudio_client)
+ corenet_tcp_sendrecv_generic_node(pulseaudio_client)
+
+@@ -218,36 +215,31 @@ corenet_tcp_connect_pulseaudio_port(pulseaudio_client)
+ corenet_tcp_sendrecv_pulseaudio_port(pulseaudio_client)
+
+ pulseaudio_stream_connect(pulseaudio_client)
+-pulseaudio_manage_home(pulseaudio_client)
+-pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, dir, ".pulse")
+-pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, file, ".esd_auth")
+-pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, file, ".pulse-cookie")
++pulseaudio_manage_home_files(pulseaudio_client)
+ pulseaudio_signull(pulseaudio_client)
+
+-# TODO: ~/.cache
+ userdom_manage_user_home_content_files(pulseaudio_client)
+
+ userdom_read_user_tmpfs_files(pulseaudio_client)
+-# userdom_delete_user_tmpfs_files(pulseaudio_client)
+
+ tunable_policy(`use_nfs_home_dirs',`
+- fs_getattr_nfs(pulseaudio_client)
+- fs_manage_nfs_dirs(pulseaudio_client)
+- fs_manage_nfs_files(pulseaudio_client)
+- fs_read_nfs_symlinks(pulseaudio_client)
++ fs_getattr_nfs(pulseaudio_client)
++ fs_manage_nfs_dirs(pulseaudio_client)
++ fs_manage_nfs_files(pulseaudio_client)
++ fs_read_nfs_symlinks(pulseaudio_client)
+ ')
+
+ tunable_policy(`use_samba_home_dirs',`
+- fs_getattr_cifs(pulseaudio_client)
+- fs_manage_cifs_dirs(pulseaudio_client)
+- fs_manage_cifs_files(pulseaudio_client)
+- fs_read_cifs_symlinks(pulseaudio_client)
++ fs_getattr_cifs(pulseaudio_client)
++ fs_manage_cifs_dirs(pulseaudio_client)
++ fs_manage_cifs_files(pulseaudio_client)
++ fs_read_cifs_symlinks(pulseaudio_client)
+ ')
+
+ optional_policy(`
+- pulseaudio_dbus_chat(pulseaudio_client)
++ pulseaudio_dbus_chat(pulseaudio_client)
+ ')
+
+ optional_policy(`
+- rtkit_scheduled(pulseaudio_client)
++ rtkit_scheduled(pulseaudio_client)
+ ')
diff --git a/puppet.fc b/puppet.fc
-index 2f1e529..8c0b242 100644
+index 4ecda09..8c0b242 100644
--- a/puppet.fc
+++ b/puppet.fc
-@@ -3,6 +3,7 @@
+@@ -1,14 +1,12 @@
+-/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0)
++/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0)
+
/etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t,s0)
- /etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
+-/etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
+-/usr/sbin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
+-/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
+-/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+/usr/sbin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
- /usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
- /usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
++/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
++/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+-/var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0)
+-
+-/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0)
+-
+-/var/run/puppet(/.*)? gen_context(system_u:object_r:puppet_var_run_t,s0)
++/var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0)
++/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0)
++/var/run/puppet(/.*)? gen_context(system_u:object_r:puppet_var_run_t,s0)
diff --git a/puppet.if b/puppet.if
-index 2855a44..b7b5ee7 100644
+index 7cb8b1f..b7b5ee7 100644
--- a/puppet.if
+++ b/puppet.if
-@@ -8,6 +8,53 @@
- ## </p>
- ## </desc>
+@@ -1,4 +1,12 @@
+-## <summary>Configuration management system.</summary>
++## <summary>Puppet client daemon</summary>
++## <desc>
++## <p>
++## Puppet is a configuration management system written in Ruby.
++## The client daemon is responsible for periodically requesting the
++## desired system state from the server and ensuring the state of
++## the client system matches.
++## </p>
++## </desc>
-+########################################
-+## <summary>
-+## Execute puppetca in the puppetca
-+## domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed to transition.
-+## </summary>
-+## </param>
-+#
-+interface(`puppet_domtrans_puppetca',`
-+ gen_require(`
-+ type puppetca_t, puppetca_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, puppetca_exec_t, puppetca_t)
-+')
-+
-+#####################################
-+## <summary>
-+## Execute puppetca in the puppetca
-+## domain and allow the specified
-+## role the puppetca domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed to transition.
-+## </summary>
-+## </param>
-+## <param name="role">
-+## <summary>
-+## Role allowed access.
-+## </summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`puppet_run_puppetca',`
-+ gen_require(`
+ ########################################
+ ## <summary>
+@@ -40,16 +48,19 @@ interface(`puppet_domtrans_puppetca',`
+ #
+ interface(`puppet_run_puppetca',`
+ gen_require(`
+- attribute_role puppetca_roles;
+ type puppetca_t, puppetca_exec_t;
-+ ')
-+
-+ puppet_domtrans_puppetca($1)
+ ')
+
+ puppet_domtrans_puppetca($1)
+- roleattribute $2 puppetca_roles;
+ role $2 types puppetca_t;
-+')
-+
- ################################################
+ ')
+
+-####################################
++################################################
## <summary>
- ## Read / Write to Puppet temp files. Puppet uses
-@@ -26,6 +73,178 @@ interface(`puppet_rw_tmp', `
- type puppet_tmp_t;
+-## Read puppet configuration content.
++## Read / Write to Puppet temp files. Puppet uses
++## some system binaries (groupadd, etc) that run in
++## a non-puppet domain and redirects output into temp
++## files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -57,15 +68,13 @@ interface(`puppet_run_puppetca',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`puppet_read_config',`
++interface(`puppet_rw_tmp', `
+ gen_require(`
+- type puppet_etc_t;
++ type puppet_tmp_t;
')
-- allow $1 puppet_tmp_t:file rw_file_perms;
+- files_search_etc($1)
+- allow $1 puppet_etc_t:dir list_dir_perms;
+- allow $1 puppet_etc_t:file read_file_perms;
+- allow $1 puppet_etc_t:lnk_file read_lnk_file_perms;
+ allow $1 puppet_tmp_t:file rw_inherited_file_perms;
- files_search_tmp($1)
++ files_search_tmp($1)
')
-+
-+################################################
-+## <summary>
-+## Read Puppet lib files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+
+ ################################################
+@@ -78,158 +87,164 @@ interface(`puppet_read_config',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`puppet_read_lib_files',`
+interface(`puppet_read_lib',`
-+ gen_require(`
-+ type puppet_var_lib_t;
-+ ')
-+
-+ read_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t)
+ gen_require(`
+ type puppet_var_lib_t;
+ ')
+
+- files_search_var_lib($1)
+ read_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t)
+ files_search_var_lib($1)
-+')
-+
-+###############################################
-+## <summary>
+ ')
+
+ ###############################################
+ ## <summary>
+-## Create, read, write, and delete
+-## puppet lib files.
+## Manage Puppet lib files.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+## <summary>
+## Domain allowed access.
+## </summary>
-+## </param>
-+#
+ ## </param>
+ #
+-interface(`puppet_manage_lib_files',`
+- gen_require(`
+- type puppet_var_lib_t;
+- ')
+interface(`puppet_manage_lib',`
+ gen_require(`
+ type puppet_var_lib_t;
+ ')
-+
+
+- files_search_var_lib($1)
+- manage_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t)
+ manage_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t)
+ files_search_var_lib($1)
-+')
-+
+ ')
+
+-#####################################
+######################################
-+## <summary>
+ ## <summary>
+-## Append puppet log files.
+## Allow the specified domain to search puppet's log files.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+## <summary>
+## Domain allowed access.
+## </summary>
-+## </param>
-+#
+ ## </param>
+ #
+-interface(`puppet_append_log_files',`
+- gen_require(`
+- type puppet_log_t;
+- ')
+interface(`puppet_search_log',`
+ gen_require(`
+ type puppet_log_t;
+ ')
-+
+
+- logging_search_logs($1)
+- append_files_pattern($1, puppet_log_t, puppet_log_t)
+ logging_search_logs($1)
+ allow $1 puppet_log_t:dir search_dir_perms;
-+')
-+
-+#####################################
-+## <summary>
+ ')
+
+ #####################################
+ ## <summary>
+-## Create puppet log files.
+## Allow the specified domain to read puppet's log files.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+## <summary>
+## Domain allowed access.
+## </summary>
-+## </param>
-+#
+ ## </param>
+ #
+-interface(`puppet_create_log_files',`
+- gen_require(`
+- type puppet_log_t;
+- ')
+interface(`puppet_read_log',`
+ gen_require(`
+ type puppet_log_t;
+ ')
-+
+
+- logging_search_logs($1)
+- create_files_pattern($1, puppet_log_t, puppet_log_t)
+ logging_search_logs($1)
+ read_files_pattern($1, puppet_log_t, puppet_log_t)
-+')
-+
-+#####################################
-+## <summary>
+ ')
+
+ #####################################
+ ## <summary>
+-## Read puppet log files.
+## Allow the specified domain to create puppet's log files.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+## <summary>
+## Domain allowed access.
+## </summary>
-+## </param>
-+#
+ ## </param>
+ #
+-interface(`puppet_read_log_files',`
+- gen_require(`
+- type puppet_log_t;
+- ')
+interface(`puppet_create_log',`
+ gen_require(`
+ type puppet_log_t;
+ ')
-+
+
+- logging_search_logs($1)
+- read_files_pattern($1, puppet_log_t, puppet_log_t)
+ logging_search_logs($1)
+ create_files_pattern($1, puppet_log_t, puppet_log_t)
-+')
-+
+ ')
+
+-################################################
+####################################
-+## <summary>
+ ## <summary>
+-## Read and write to puppet tempoprary files.
+## Allow the specified domain to append puppet's log files.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+## <summary>
+## Domain allowed access.
+## </summary>
-+## </param>
-+#
+ ## </param>
+ #
+-interface(`puppet_rw_tmp', `
+- gen_require(`
+- type puppet_tmp_t;
+- ')
+interface(`puppet_append_log',`
+ gen_require(`
+ type puppet_log_t;
+ ')
-+
+
+- files_search_tmp($1)
+- allow $1 puppet_tmp_t:file rw_file_perms;
+ logging_search_logs($1)
+ append_files_pattern($1, puppet_log_t, puppet_log_t)
-+')
-+
+ ')
+
+-########################################
+####################################
-+## <summary>
+ ## <summary>
+-## All of the rules required to
+-## administrate an puppet environment.
+## Allow the specified domain to manage puppet's log files.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+## <summary>
+## Domain allowed access.
+## </summary>
-+## </param>
-+#
+ ## </param>
+-## <param name="role">
+-## <summary>
+-## Role allowed access.
+-## </summary>
+-## </param>
+-## <rolecap/>
+ #
+-interface(`puppet_admin',`
+- gen_require(`
+- type puppet_initrc_exec_t, puppetmaster_initrc_exec_t, puppet_log_t;
+- type puppet_var_lib_t, puppet_tmp_t, puppet_etc_t;
+- type puppet_var_run_t, puppetmaster_tmp_t;
+- type puppet_t, puppetca_t, puppetmaster_t;
+- ')
+-
+- allow $1 { puppet_t puppetca_t puppetmaster_t }:process { ptrace signal_perms };
+- ps_process_pattern($1, { puppet_t puppetca_t puppetmaster_t })
+-
+- init_labeled_script_domtrans($1, { puppet_initrc_exec_t puppetmaster_initrc_exec_t })
+- domain_system_change_exemption($1)
+- role_transition $2 { puppet_initrc_exec_t puppetmaster_initrc_exec_t } system_r;
+- allow $2 system_r;
+interface(`puppet_manage_log',`
+ gen_require(`
+ type puppet_log_t;
+ ')
-+
+
+- files_search_etc($1)
+- admin_pattern($1, puppet_etc_t)
+ logging_search_logs($1)
+ manage_files_pattern($1, puppet_log_t, puppet_log_t)
+')
-+
+
+- logging_search_logs($1)
+- admin_pattern($1, puppet_log_t)
+####################################
+## <summary>
+## Allow the specified domain to read puppet's config files.
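Review bot: the puppet.if rewrite removes the upstream `puppet_admin` interface (its deletion starts at `-interface(`puppet_admin',` here and continues into the following hunks) and renames `puppet_read_lib_files`, `puppet_manage_lib_files`, `puppet_append_log_files`, `puppet_create_log_files` and `puppet_read_log_files` to `puppet_read_lib`, `puppet_manage_lib`, `puppet_append_log`, `puppet_create_log` and `puppet_read_log`. Any locally built policy module that calls the upstream names will fail to link once this ships, and administrators lose the only interface that granted role-based administration of puppet_t, puppetca_t and puppetmaster_t. If the renames are intentional, keep thin deprecated wrappers so old callers still build, e.g. `interface(`puppet_read_lib_files',` refpolicywarn(`$0($*) has been deprecated, use puppet_read_lib() instead.') puppet_read_lib($1) ')`, and either keep `puppet_admin` or say in the commit message why it is being dropped. The switch of `puppet_rw_tmp` to `rw_inherited_file_perms` (no open) is a good tightening.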
@@ -51210,12 +56026,14 @@ index 2855a44..b7b5ee7 100644
+ gen_require(`
+ type puppet_etc_t;
+ ')
-+
+
+- files_search_var_lib($1)
+- admin_pattern($1, puppet_var_lib_t)
+ logging_search_logs($1)
+ list_dirs_pattern($1, puppet_etc_t, puppet_etc_t)
+ read_files_pattern($1, puppet_etc_t, puppet_etc_t)
+')
-+
+
+#####################################
+## <summary>
+## Allow the specified domain to search puppet's pid files.
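Review bot: the config-reading interface whose body is shown here (`gen_require(` `type puppet_etc_t;`) calls `logging_search_logs($1)` before `list_dirs_pattern($1, puppet_etc_t, puppet_etc_t)`, but puppet_etc_t is labeled under /etc (see puppet.fc in this same patch), so callers receive search on var_log_t that they do not need and no search on etc_t, which they do need to reach /etc/puppet. The upstream `puppet_read_config` that this rewrite replaces used `files_search_etc($1)`, and that is the line to put back in place of the logging call: `files_search_etc($1)`. The `interface(` line itself falls between this hunk and the previous one, so the interface name is inferred from its summary text.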
@@ -51231,87 +56049,156 @@ index 2855a44..b7b5ee7 100644
+ type puppet_var_run_t;
+ ')
+
-+ files_search_pids($1)
+ files_search_pids($1)
+- admin_pattern($1, puppet_var_run_t)
+-
+- files_search_tmp($1)
+- admin_pattern($1, { puppet_tmp_t puppetmaster_tmp_t })
+-
+- puppet_run_puppetca($1, $2)
+ allow $1 puppet_var_run_t:dir search_dir_perms;
-+')
+ ')
diff --git a/puppet.te b/puppet.te
-index baa88f6..050d953 100644
+index f2309f4..050d953 100644
--- a/puppet.te
+++ b/puppet.te
-@@ -13,6 +13,13 @@ policy_module(puppet, 1.3.0)
+@@ -1,4 +1,4 @@
+-policy_module(puppet, 1.3.7)
++policy_module(puppet, 1.3.0)
+
+ ########################################
+ #
+@@ -6,15 +6,19 @@ policy_module(puppet, 1.3.7)
+ #
+
+ ## <desc>
+-## <p>
+-## Determine whether puppet can
+-## manage all non-security files.
+-## </p>
++## <p>
++## Allow Puppet client to manage all file
++## types.
++## </p>
## </desc>
gen_tunable(puppet_manage_all_files, false)
+-attribute_role puppetca_roles;
+-roleattribute system_r puppetca_roles;
+## <desc>
+## <p>
+## Allow Puppet master to use connect to MySQL and PostgreSQL database
+## </p>
+## </desc>
+gen_tunable(puppetmaster_use_db, false)
-+
+
type puppet_t;
type puppet_exec_t;
- init_daemon_domain(puppet_t, puppet_exec_t)
-@@ -35,6 +42,11 @@ files_type(puppet_var_lib_t)
+@@ -37,12 +41,11 @@ files_type(puppet_var_lib_t)
+
type puppet_var_run_t;
files_pid_file(puppet_var_run_t)
+-init_daemon_run_dir(puppet_var_run_t, "puppet")
-+type puppetca_t;
-+type puppetca_exec_t;
-+application_domain(puppetca_t, puppetca_exec_t)
+ type puppetca_t;
+ type puppetca_exec_t;
+ application_domain(puppetca_t, puppetca_exec_t)
+-role puppetca_roles types puppetca_t;
+role system_r types puppetca_t;
-+
+
type puppetmaster_t;
type puppetmaster_exec_t;
- init_daemon_domain(puppetmaster_t, puppetmaster_exec_t)
-@@ -50,7 +62,7 @@ files_tmp_file(puppetmaster_tmp_t)
- # Puppet personal policy
+@@ -56,33 +59,29 @@ files_tmp_file(puppetmaster_tmp_t)
+
+ ########################################
+ #
+-# Local policy
++# Puppet personal policy
#
--allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_ptrace sys_tty_config };
+-allow puppet_t self:capability { chown fowner fsetid setuid setgid dac_override sys_admin sys_nice sys_tty_config };
+allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_tty_config };
allow puppet_t self:process { signal signull getsched setsched };
allow puppet_t self:fifo_file rw_fifo_file_perms;
allow puppet_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -63,7 +75,7 @@ manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
+-allow puppet_t self:tcp_socket { accept listen };
++allow puppet_t self:tcp_socket create_stream_socket_perms;
+ allow puppet_t self:udp_socket create_socket_perms;
+
+-allow puppet_t puppet_etc_t:dir list_dir_perms;
+-allow puppet_t puppet_etc_t:file read_file_perms;
+-allow puppet_t puppet_etc_t:lnk_file read_lnk_file_perms;
++read_files_pattern(puppet_t, puppet_etc_t, puppet_etc_t)
+
+ manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
- files_search_var_lib(puppet_t)
+-can_exec(puppet_t, puppet_var_lib_t)
++files_search_var_lib(puppet_t)
-setattr_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
+manage_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir })
-@@ -80,12 +92,14 @@ kernel_dontaudit_search_sysctl(puppet_t)
+-allow puppet_t puppet_log_t:dir { create_dir_perms setattr_dir_perms };
+-append_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
++create_dirs_pattern(puppet_t, var_log_t, puppet_log_t)
+ create_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
+-read_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
+-setattr_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
++append_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
+ logging_log_filetrans(puppet_t, puppet_log_t, { file dir })
+
+ manage_dirs_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
+@@ -91,30 +90,28 @@ files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir })
+
+ kernel_dontaudit_search_sysctl(puppet_t)
kernel_dontaudit_search_kernel_sysctl(puppet_t)
- kernel_read_system_state(puppet_t)
++kernel_read_system_state(puppet_t)
kernel_read_crypto_sysctls(puppet_t)
-+kernel_read_kernel_sysctls(puppet_t)
+ kernel_read_kernel_sysctls(puppet_t)
+-kernel_read_net_sysctls(puppet_t)
+-kernel_read_network_state(puppet_t)
+corecmd_read_all_executables(puppet_t)
+corecmd_dontaudit_access_all_executables(puppet_t)
corecmd_exec_bin(puppet_t)
corecmd_exec_shell(puppet_t)
+-corecmd_read_all_executables(puppet_t)
corenet_all_recvfrom_netlabel(puppet_t)
-corenet_all_recvfrom_unlabeled(puppet_t)
corenet_tcp_sendrecv_generic_if(puppet_t)
corenet_tcp_sendrecv_generic_node(puppet_t)
- corenet_tcp_bind_generic_node(puppet_t)
-@@ -103,11 +117,11 @@ files_manage_config_files(puppet_t)
+-
+-corenet_sendrecv_puppet_client_packets(puppet_t)
++corenet_tcp_bind_generic_node(puppet_t)
+ corenet_tcp_connect_puppet_port(puppet_t)
+-corenet_tcp_sendrecv_puppet_port(puppet_t)
++corenet_sendrecv_puppet_client_packets(puppet_t)
+
+ dev_read_rand(puppet_t)
+ dev_read_sysfs(puppet_t)
+ dev_read_urand(puppet_t)
+
+-domain_interactive_fd(puppet_t)
+ domain_read_all_domains_state(puppet_t)
++domain_interactive_fd(puppet_t)
+
+ files_manage_config_files(puppet_t)
files_manage_config_dirs(puppet_t)
- files_manage_etc_dirs(puppet_t)
- files_manage_etc_files(puppet_t)
-+files_read_usr_files(puppet_t)
+@@ -124,10 +121,7 @@ files_read_usr_files(puppet_t)
files_read_usr_symlinks(puppet_t)
files_relabel_config_dirs(puppet_t)
files_relabel_config_files(puppet_t)
+-files_search_var_lib(puppet_t)
+-selinux_get_fs_mount(puppet_t)
-selinux_search_fs(puppet_t)
selinux_set_all_booleans(puppet_t)
selinux_set_generic_booleans(puppet_t)
selinux_validate_context(puppet_t)
-@@ -115,6 +129,8 @@ selinux_validate_context(puppet_t)
+@@ -135,6 +129,8 @@ selinux_validate_context(puppet_t)
term_dontaudit_getattr_unallocated_ttys(puppet_t)
term_dontaudit_getattr_all_ttys(puppet_t)
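Review bot: `create_dirs_pattern(puppet_t, var_log_t, puppet_log_t)` names the logging module's var_log_t directly from a contrib module; refpolicy layering expects that type to be reached only through logging_* interfaces, and unless a `gen_require` for var_log_t exists in a part of the file this hunk does not show, the module will not compile. `logging_log_filetrans(puppet_t, puppet_log_t, { file dir })` on the next line should already provide the directory-write access on var_log_t that the transition needs, so the only thing the pattern adds is creating puppet_log_t directories, which is better written as `allow puppet_t puppet_log_t:dir create_dir_perms;` (or `manage_dirs_pattern(puppet_t, puppet_log_t, puppet_log_t)`) with the var_log_t reference dropped. The new tunable description reads `Allow Puppet master to use connect to MySQL and PostgreSQL database`; it is shown by the boolean tools, so the stray "use" should go. Removing chown and sys_admin from puppet_t's capability set is a welcome tightening.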
@@ -51320,7 +56207,7 @@ index baa88f6..050d953 100644
init_all_labeled_script_domtrans(puppet_t)
init_domtrans_script(puppet_t)
init_read_utmp(puppet_t)
-@@ -123,22 +139,23 @@ init_signull_script(puppet_t)
+@@ -143,18 +139,15 @@ init_signull_script(puppet_t)
logging_send_syslog_msg(puppet_t)
miscfiles_read_hwdata(puppet_t)
@@ -51332,40 +56219,16 @@ index baa88f6..050d953 100644
seutil_domtrans_semanage(puppet_t)
+seutil_read_file_contexts(puppet_t)
--sysnet_dns_name_resolve(puppet_t)
sysnet_run_ifconfig(puppet_t, system_r)
+-sysnet_use_ldap(puppet_t)
tunable_policy(`puppet_manage_all_files',`
- files_manage_non_auth_files(puppet_t)
+ files_manage_non_security_files(puppet_t)
-+')
-+
-+optional_policy(`
-+ cfengine_read_lib_files(puppet_t)
- ')
-
- optional_policy(`
-- consoletype_domtrans(puppet_t)
-+ consoletype_exec(puppet_t)
')
optional_policy(`
-@@ -146,6 +163,14 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ mount_domtrans(puppet_t)
-+')
-+
-+optional_policy(`
-+ mta_send_mail(puppet_t)
-+')
-+
-+optional_policy(`
- portage_domtrans(puppet_t)
- portage_domtrans_fetch(puppet_t)
- portage_domtrans_gcc_config(puppet_t)
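Review bot: this hunk now strips `sysnet_use_ldap(puppet_t)` from the upstream text (the inner `-sysnet_use_ldap` line), yet the agent still has to resolve the master's name and, on LDAP-backed hosts, run its nss lookups through the directory. That is only safe if `auth_use_nsswitch(puppet_t)` is granted in a part of the file this hunk does not show; if it is not, add it next to `seutil_read_file_contexts(puppet_t)` so the removal does not silently break enrolment on those hosts.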
-@@ -164,8 +189,134 @@ optional_policy(`
+@@ -196,21 +189,92 @@ optional_policy(`
')
optional_policy(`
@@ -51446,51 +56309,51 @@ index baa88f6..050d953 100644
+
+optional_policy(`
+ ssh_filetrans_admin_home_content(puppet_t)
-+')
-+
-+########################################
-+#
+ ')
+
+ ########################################
+ #
+-# Ca local policy
+# PuppetCA personal policy
-+#
-+
-+allow puppetca_t self:capability { dac_override setgid setuid };
-+allow puppetca_t self:fifo_file rw_fifo_file_perms;
-+
+ #
+
+ allow puppetca_t self:capability { dac_override setgid setuid };
+ allow puppetca_t self:fifo_file rw_fifo_file_perms;
+
+-allow puppetca_t puppet_etc_t:dir list_dir_perms;
+-allow puppetca_t puppet_etc_t:file read_file_perms;
+-allow puppetca_t puppet_etc_t:lnk_file read_lnk_file_perms;
+read_files_pattern(puppetca_t, puppet_etc_t, puppet_etc_t)
-+
-+allow puppetca_t puppet_var_lib_t:dir list_dir_perms;
-+manage_files_pattern(puppetca_t, puppet_var_lib_t, puppet_var_lib_t)
-+manage_dirs_pattern(puppetca_t, puppet_var_lib_t, puppet_var_lib_t)
-+
-+allow puppetca_t puppet_log_t:dir search_dir_perms;
-+
-+allow puppetca_t puppet_var_run_t:dir search_dir_perms;
-+
-+kernel_read_system_state(puppetca_t)
+
+ allow puppetca_t puppet_var_lib_t:dir list_dir_perms;
+ manage_files_pattern(puppetca_t, puppet_var_lib_t, puppet_var_lib_t)
+@@ -221,6 +285,7 @@ allow puppetca_t puppet_log_t:dir search_dir_perms;
+ allow puppetca_t puppet_var_run_t:dir search_dir_perms;
+
+ kernel_read_system_state(puppetca_t)
+# Maybe dontaudit this like we did with other puppet domains?
-+kernel_read_kernel_sysctls(puppetca_t)
-+
-+corecmd_exec_bin(puppetca_t)
-+corecmd_exec_shell(puppetca_t)
-+
-+dev_read_urand(puppetca_t)
-+dev_search_sysfs(puppetca_t)
-+
-+files_read_etc_files(puppetca_t)
-+files_search_var_lib(puppetca_t)
-+
-+selinux_validate_context(puppetca_t)
-+
-+logging_search_logs(puppetca_t)
-+
-+miscfiles_read_generic_certs(puppetca_t)
-+
-+seutil_read_file_contexts(puppetca_t)
-+
-+optional_policy(`
-+ hostname_exec(puppetca_t)
-+')
-+
+ kernel_read_kernel_sysctls(puppetca_t)
+
+ corecmd_exec_bin(puppetca_t)
+@@ -230,14 +295,12 @@ dev_read_urand(puppetca_t)
+ dev_search_sysfs(puppetca_t)
+
+ files_read_etc_files(puppetca_t)
+-files_search_pids(puppetca_t)
+ files_search_var_lib(puppetca_t)
+
+ selinux_validate_context(puppetca_t)
+
+ logging_search_logs(puppetca_t)
+
+-miscfiles_read_localization(puppetca_t)
+ miscfiles_read_generic_certs(puppetca_t)
+
+ seutil_read_file_contexts(puppetca_t)
+@@ -246,38 +309,52 @@ optional_policy(`
+ hostname_exec(puppetca_t)
+ ')
+
+optional_policy(`
+ mta_sendmail_access_check(puppetca_t)
+')
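Review bot: dropping `files_search_pids(puppetca_t)` (the inner `-files_search_pids` line) leaves the context rule `allow puppetca_t puppet_var_run_t:dir search_dir_perms;` a few lines above unreachable, because puppetca must first traverse /var/run (var_run_t) before it can search the puppet_var_run_t directory inside it. Unless search on var_run_t reaches puppetca_t through another interface elsewhere in the file, either restore `files_search_pids(puppetca_t)` or remove the now-dead puppet_var_run_t rule together with it. The `# Maybe dontaudit this like we did with other puppet domains?` comment above `kernel_read_kernel_sysctls(puppetca_t)` would be more useful as a decision than a question, e.g. `# TODO: switch to kernel_dontaudit_search_kernel_sysctl, as puppet_t/puppetmaster_t do`.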
@@ -51499,43 +56362,64 @@ index baa88f6..050d953 100644
+ usermanage_access_check_groupadd(puppet_t)
+ usermanage_access_check_passwd(puppet_t)
+ usermanage_access_check_useradd(puppet_t)
- ')
-
++')
++
########################################
-@@ -184,51 +335,83 @@ allow puppetmaster_t self:udp_socket create_socket_perms;
- list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
- read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
-
--allow puppetmaster_t puppet_log_t:dir { rw_dir_perms setattr };
--allow puppetmaster_t puppet_log_t:file { rw_file_perms create setattr };
+ #
+-# Master local policy
++# Pupper master personal policy
+ #
+
+ allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config };
+ allow puppetmaster_t self:process { signal_perms getsched setsched };
+ allow puppetmaster_t self:fifo_file rw_fifo_file_perms;
+-allow puppetmaster_t self:netlink_route_socket nlmsg_write;
++allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms;
+ allow puppetmaster_t self:socket create;
+-allow puppetmaster_t self:tcp_socket { accept listen };
++allow puppetmaster_t self:tcp_socket create_stream_socket_perms;
++allow puppetmaster_t self:udp_socket create_socket_perms;
+
+-allow puppetmaster_t puppet_etc_t:dir list_dir_perms;
+-allow puppetmaster_t puppet_etc_t:file read_file_perms;
+-allow puppetmaster_t puppet_etc_t:lnk_file read_lnk_file_perms;
++list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
++read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
+
+-allow puppetmaster_t puppet_log_t:dir setattr_dir_perms;
+-append_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
+-create_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
+-setattr_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
+allow puppetmaster_t puppet_log_t:dir { rw_dir_perms setattr_dir_perms };
+allow puppetmaster_t puppet_log_t:file { rw_file_perms create_file_perms setattr_file_perms };
logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
+allow puppetmaster_t puppet_log_t:file relabel_file_perms;
- manage_dirs_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
- manage_files_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
+-allow puppetmaster_t puppet_var_lib_t:dir { manage_dir_perms relabel_dir_perms };
+-allow puppetmaster_t puppet_var_lib_t:file { manage_file_perms relabel_file_perms };
++manage_dirs_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
++manage_files_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
+allow puppetmaster_t puppet_var_lib_t:dir relabel_dir_perms;
+allow puppetmaster_t puppet_var_lib_t:file relabel_file_perms;
- setattr_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
+-allow puppetmaster_t puppet_var_run_t:dir { create_dir_perms setattr_dir_perms relabel_dir_perms };
+-allow puppetmaster_t puppet_var_run_t:file manage_file_perms;
++setattr_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
+create_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
- manage_files_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
++manage_files_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
files_pid_filetrans(puppetmaster_t, puppet_var_run_t, { file dir })
+allow puppetmaster_t puppet_var_run_t:dir relabel_dir_perms;
- manage_dirs_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
- manage_files_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
+-allow puppetmaster_t puppetmaster_tmp_t:dir { manage_dir_perms relabel_dir_perms };
+-allow puppetmaster_t puppetmaster_tmp_t:file manage_file_perms;
++manage_dirs_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
++manage_files_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir })
+allow puppetmaster_t puppet_tmp_t:dir relabel_dir_perms;
kernel_dontaudit_search_kernel_sysctl(puppetmaster_t)
-+kernel_read_network_state(puppetmaster_t)
- kernel_read_system_state(puppetmaster_t)
- kernel_read_crypto_sysctls(puppetmaster_t)
-+kernel_read_kernel_sysctls(puppetmaster_t)
-
- corecmd_exec_bin(puppetmaster_t)
+ kernel_read_network_state(puppetmaster_t)
+@@ -289,21 +366,23 @@ corecmd_exec_bin(puppetmaster_t)
corecmd_exec_shell(puppetmaster_t)
corenet_all_recvfrom_netlabel(puppetmaster_t)
@@ -51543,8 +56427,11 @@ index baa88f6..050d953 100644
corenet_tcp_sendrecv_generic_if(puppetmaster_t)
corenet_tcp_sendrecv_generic_node(puppetmaster_t)
corenet_tcp_bind_generic_node(puppetmaster_t)
+-
+-corenet_sendrecv_puppet_server_packets(puppetmaster_t)
corenet_tcp_bind_puppet_port(puppetmaster_t)
- corenet_sendrecv_puppet_server_packets(puppetmaster_t)
+-corenet_tcp_sendrecv_puppet_port(puppetmaster_t)
++corenet_sendrecv_puppet_server_packets(puppetmaster_t)
+corenet_tcp_connect_ntop_port(puppetmaster_t)
+
+# This needs investigation. Puppermasterd is confirmed to bind udp sockets to random high ports.
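Review bot: `corenet_tcp_connect_ntop_port(puppetmaster_t)` is added without any comment, and nothing in the hunk explains why a puppet master would connect to an ntop port; if this is for a dashboard or report processor that happens to listen on tcp/3000 (labeled ntop_port_t), say so above the line: `# report processor / puppet-dashboard on tcp/3000 is labeled ntop_port_t -- TODO confirm`. The `# This needs investigation...` comment should also name the rule it justifies (that rule sits outside this hunk) and what was observed, and `Puppermasterd` is a typo for puppetmasterd.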
@@ -51553,47 +56440,50 @@ index baa88f6..050d953 100644
dev_read_rand(puppetmaster_t)
dev_read_urand(puppetmaster_t)
-+dev_search_sysfs(puppetmaster_t)
+ dev_search_sysfs(puppetmaster_t)
+-domain_obj_id_change_exemption(puppetmaster_t)
domain_read_all_domains_state(puppetmaster_t)
+domain_obj_id_change_exemption(puppetmaster_t)
--files_read_etc_files(puppetmaster_t)
--files_search_var_lib(puppetmaster_t)
-+files_read_usr_files(puppetmaster_t)
-+
-+selinux_validate_context(puppetmaster_t)
-+
-+auth_use_nsswitch(puppetmaster_t)
+ files_read_usr_files(puppetmaster_t)
+@@ -314,26 +393,27 @@ auth_use_nsswitch(puppetmaster_t)
logging_send_syslog_msg(puppetmaster_t)
+ miscfiles_read_generic_certs(puppetmaster_t)
-miscfiles_read_localization(puppetmaster_t)
-+miscfiles_read_generic_certs(puppetmaster_t)
-+
-+seutil_read_file_contexts(puppetmaster_t)
--sysnet_dns_name_resolve(puppetmaster_t)
+ seutil_read_file_contexts(puppetmaster_t)
+
sysnet_run_ifconfig(puppetmaster_t, system_r)
+-optional_policy(`
+- hostname_exec(puppetmaster_t)
+-')
+mta_send_mail(puppetmaster_t)
-+
-+optional_policy(`
+
+ optional_policy(`
+- mta_send_mail(puppetmaster_t)
+ tunable_policy(`puppetmaster_use_db',`
+ mysql_stream_connect(puppetmaster_t)
+ ')
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- mysql_stream_connect(puppetmaster_t)
+ tunable_policy(`puppetmaster_use_db',`
+ postgresql_stream_connect(puppetmaster_t)
+ ')
-+')
-+
+ ')
+
optional_policy(`
- hostname_exec(puppetmaster_t)
+- postgresql_stream_connect(puppetmaster_t)
++ hostname_exec(puppetmaster_t)
')
-@@ -239,3 +422,9 @@ optional_policy(`
+
+ optional_policy(`
+@@ -342,3 +422,9 @@ optional_policy(`
rpm_exec(puppetmaster_t)
rpm_read_db(puppetmaster_t)
')
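Review bot: `domain_obj_id_change_exemption(puppetmaster_t)` lets puppetmaster_t create objects under an SELinux user identity other than its own, which is a wide privilege for a network-facing service, and the new side carries it with no justification comment. If it is needed because the master writes files labelled for other SELinux users (this hunk also grants it relabel on its /var/run and tmp directories), add `# puppetmaster creates/relabels files owned by other SELinux user identities` above it; if nobody can name the denial it fixes, it should stay out. The `puppetmaster_use_db` tunable gating the mysql and postgresql stream connects is not declared anywhere in this hunk, so its `gen_tunable` presumably lives elsewhere in the module.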
@@ -51604,156 +56494,181 @@ index baa88f6..050d953 100644
+ usermanage_access_check_useradd(puppetmaster_t)
+')
diff --git a/pwauth.fc b/pwauth.fc
-new file mode 100644
-index 0000000..e2f8687
---- /dev/null
+index 7e7b444..e2f8687 100644
+--- a/pwauth.fc
+++ b/pwauth.fc
-@@ -0,0 +1,3 @@
+@@ -1,3 +1,3 @@
+-/usr/bin/pwauth -- gen_context(system_u:object_r:pwauth_exec_t,s0)
+/usr/bin/pwauth -- gen_context(system_u:object_r:pwauth_exec_t,s0)
-+
+
+-/var/run/pwauth\.lock -- gen_context(system_u:object_r:pwauth_var_run_t,s0)
+/var/run/pwauth.lock -- gen_context(system_u:object_r:pwauth_var_run_t,s0)
diff --git a/pwauth.if b/pwauth.if
-new file mode 100644
-index 0000000..86d25ea
---- /dev/null
+index 1148dce..86d25ea 100644
+--- a/pwauth.if
+++ b/pwauth.if
-@@ -0,0 +1,74 @@
+@@ -1,72 +1,74 @@
+-## <summary>External plugin for mod_authnz_external authenticator.</summary>
+
+## <summary>policy for pwauth</summary>
-+
-+########################################
-+## <summary>
+
+ ########################################
+ ## <summary>
+-## Role access for pwauth.
+## Transition to pwauth.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+-## <param name="role">
+-## <summary>
+-## Role allowed access.
+-## </summary>
+-## </param>
+ ## <param name="domain">
+-## <summary>
+-## User domain for the role.
+-## </summary>
+## <summary>
+## Domain allowed to transition.
+## </summary>
-+## </param>
-+#
+ ## </param>
+ #
+-interface(`pwauth_role',`
+interface(`pwauth_domtrans',`
-+ gen_require(`
+ gen_require(`
+- type pwauth_t;
+ type pwauth_t, pwauth_exec_t;
-+ ')
-+
+ ')
+
+- pwauth_run($2, $1)
+-
+- ps_process_pattern($2, pwauth_t)
+- allow $2 pwauth_t:process { ptrace signal_perms };
+ corecmd_search_bin($1)
+ domtrans_pattern($1, pwauth_exec_t, pwauth_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Execute pwauth in the pwauth domain.
+## Execute pwauth in the pwauth domain, and
+## allow the specified role the pwauth domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed to transition.
+## Domain allowed to transition
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the pwauth domain.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+ #
+-interface(`pwauth_domtrans',`
+interface(`pwauth_run',`
-+ gen_require(`
+ gen_require(`
+- type pwauth_t, pwauth_exec_t;
+ type pwauth_t;
-+ ')
-+
+ ')
+
+- corecmd_search_bin($1)
+- domtrans_pattern($1, pwauth_exec_t, pwauth_t)
+ pwauth_domtrans($1)
+ role $2 types pwauth_t;
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Execute pwauth in the pwauth
+-## domain, and allow the specified
+-## role the pwauth domain.
+## Role access for pwauth
-+## </summary>
+ ## </summary>
+-## <param name="domain">
+## <param name="role">
-+## <summary>
+ ## <summary>
+-## Domain allowed to transition.
+## Role allowed access
-+## </summary>
-+## </param>
+ ## </summary>
+ ## </param>
+-## <param name="role">
+## <param name="domain">
-+## <summary>
+ ## <summary>
+-## Role allowed access.
+## User domain for the role
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+ #
+-interface(`pwauth_run',`
+interface(`pwauth_role',`
-+ gen_require(`
+ gen_require(`
+- attribute_role pwauth_roles;
+ type pwauth_t;
-+ ')
-+
+ ')
+
+- pwauth_domtrans($1)
+- roleattribute $2 pwauth_roles;
+ role $1 types pwauth_t;
+
+ pwauth_domtrans($2)
+
+ ps_process_pattern($2, pwauth_t)
+ allow $2 pwauth_t:process signal;
-+')
+ ')
diff --git a/pwauth.te b/pwauth.te
-new file mode 100644
-index 0000000..8f357cc
---- /dev/null
+index 3078e34..8f357cc 100644
+--- a/pwauth.te
+++ b/pwauth.te
-@@ -0,0 +1,39 @@
-+policy_module(pwauth, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type pwauth_t;
-+type pwauth_exec_t;
-+application_domain(pwauth_t, pwauth_exec_t)
+@@ -5,38 +5,35 @@ policy_module(pwauth, 1.0.0)
+ # Declarations
+ #
+
+-attribute_role pwauth_roles;
+-roleattribute system_r pwauth_roles;
+-
+ type pwauth_t;
+ type pwauth_exec_t;
+ application_domain(pwauth_t, pwauth_exec_t)
+-role pwauth_roles types pwauth_t;
+role system_r types pwauth_t;
-+
-+type pwauth_var_run_t;
-+files_pid_file(pwauth_var_run_t)
-+
-+########################################
-+#
+
+ type pwauth_var_run_t;
+ files_pid_file(pwauth_var_run_t)
+
+ ########################################
+ #
+-# Local policy
+# pwauth local policy
-+#
-+allow pwauth_t self:capability setuid;
-+allow pwauth_t self:process setrlimit;
+ #
+-
+ allow pwauth_t self:capability setuid;
+ allow pwauth_t self:process setrlimit;
+
-+allow pwauth_t self:fifo_file manage_fifo_file_perms;
+ allow pwauth_t self:fifo_file manage_fifo_file_perms;
+-allow pwauth_t self:unix_stream_socket { accept listen };
+allow pwauth_t self:unix_stream_socket create_stream_socket_perms;
+
+ manage_files_pattern(pwauth_t, pwauth_var_run_t, pwauth_var_run_t)
+ files_pid_filetrans(pwauth_t, pwauth_var_run_t, file)
+
+ domain_use_interactive_fds(pwauth_t)
+
+
-+manage_files_pattern(pwauth_t, pwauth_var_run_t, pwauth_var_run_t)
-+files_pid_filetrans(pwauth_t, pwauth_var_run_t, file)
-+
-+domain_use_interactive_fds(pwauth_t)
-+
-+
-+auth_domtrans_chkpwd(pwauth_t)
-+auth_use_nsswitch(pwauth_t)
+ auth_domtrans_chkpwd(pwauth_t)
+ auth_use_nsswitch(pwauth_t)
+auth_read_shadow(pwauth_t)
-+
-+init_read_utmp(pwauth_t)
-+
-+logging_send_syslog_msg(pwauth_t)
-+logging_send_audit_msgs(pwauth_t)
-diff --git a/pxe.fc b/pxe.fc
-index 44b3a0c..5d247cb 100644
---- a/pxe.fc
-+++ b/pxe.fc
-@@ -1,6 +1,6 @@
-
- /usr/sbin/pxe -- gen_context(system_u:object_r:pxe_exec_t,s0)
--/var/log/pxe\.log -- gen_context(system_u:object_r:pxe_log_t,s0)
-+/var/log/pxe\.log.* -- gen_context(system_u:object_r:pxe_log_t,s0)
+ init_read_utmp(pwauth_t)
- /var/run/pxe\.pid -- gen_context(system_u:object_r:pxe_var_run_t,s0)
+ logging_send_syslog_msg(pwauth_t)
+ logging_send_audit_msgs(pwauth_t)
+-
+-miscfiles_read_localization(pwauth_t)
diff --git a/pxe.te b/pxe.te
-index fec69eb..848c311 100644
+index 72db707..270bf8a 100644
--- a/pxe.te
+++ b/pxe.te
-@@ -49,8 +49,6 @@ fs_search_auto_mountpoints(pxe_t)
+@@ -57,8 +57,6 @@ fs_search_auto_mountpoints(pxe_t)
logging_send_syslog_msg(pxe_t)
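Review bot: pwauth.te now grants `auth_read_shadow(pwauth_t)` next to the existing `auth_domtrans_chkpwd(pwauth_t)`, so pwauth_t, which already holds `self:capability setuid`, can read /etc/shadow directly instead of going through the chkpwd helper; one mechanism should be enough, and whichever stays deserves a comment naming the pwauth build (PAM versus direct shadow lookup, presumably) that needs it. Separately, pwauth.fc changes `/var/run/pwauth\.lock` to `/var/run/pwauth.lock`: the path column is a regular expression, so the unescaped dot matches any character and the escaped form should be kept.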
@@ -51762,58 +56677,211 @@ index fec69eb..848c311 100644
userdom_dontaudit_use_unpriv_user_fds(pxe_t)
userdom_dontaudit_search_user_home_dirs(pxe_t)
+diff --git a/pyicqt.fc b/pyicqt.fc
+deleted file mode 100644
+index 0c143e3..0000000
+--- a/pyicqt.fc
++++ /dev/null
+@@ -1,11 +0,0 @@
+-/etc/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_conf_t,s0)
+-
+-/etc/rc\.d/init\.d/pyicq-t -- gen_context(system_u:object_r:pyicqt_initrc_exec_t,s0)
+-
+-/usr/share/pyicq-t/PyICQt\.py -- gen_context(system_u:object_r:pyicqt_exec_t,s0)
+-
+-/var/log/pyicq-t\.log.* -- gen_context(system_u:object_r:pyicqt_log_t,s0)
+-
+-/var/run/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_var_run_t,s0)
+-
+-/var/spool/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_spool_t,s0)
+diff --git a/pyicqt.if b/pyicqt.if
+deleted file mode 100644
+index 0ccea82..0000000
+--- a/pyicqt.if
++++ /dev/null
+@@ -1,45 +0,0 @@
+-## <summary>ICQ transport for XMPP server.</summary>
+-
+-########################################
+-## <summary>
+-## All of the rules required to
+-## administrate an pyicqt environment.
+-## </summary>
+-## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+-## </param>
+-## <param name="role">
+-## <summary>
+-## Role allowed access.
+-## </summary>
+-## </param>
+-## <rolecap/>
+-#
+-interface(`pyicqt_admin',`
+- gen_require(`
+- type pyicqt_t, pyicqt_log_t, pyicqt_spool_t;
+- type pyicqt_var_run_t, pyicqt_initrc_exec_t, pyicqt_conf_t;
+- ')
+-
+- allow $1 pyicqt_t:process { ptrace signal_perms };
+- ps_process_pattern($1, pyicqt_t)
+-
+- init_labeled_script_domtrans($1, pyicqt_initrc_exec_t)
+- domain_system_change_exemption($1)
+- role_transition $2 pyicqt_initrc_exec_t system_r;
+- allow $2 system_r;
+-
+- files_search_etc($1)
+- admin_pattern($1, pyicqt_conf_t)
+-
+- logging_search_logs($1)
+- admin_pattern($1, pyicqt_log_t)
+-
+- files_search_spool($1)
+- admin_pattern($1, pyicqt_spool_t)
+-
+- files_search_pids($1)
+- admin_pattern($1, pyicqt_var_run_t)
+-')
diff --git a/pyicqt.te b/pyicqt.te
-index a841221..c653e4a 100644
+deleted file mode 100644
+index 99bebbd..0000000
--- a/pyicqt.te
-+++ b/pyicqt.te
-@@ -13,7 +13,7 @@ type pyicqt_conf_t;
- files_config_file(pyicqt_conf_t)
-
- type pyicqt_spool_t;
++++ /dev/null
+@@ -1,92 +0,0 @@
+-policy_module(pyicqt, 1.0.1)
+-
+-########################################
+-#
+-# Declarations
+-#
+-
+-type pyicqt_t;
+-type pyicqt_exec_t;
+-init_daemon_domain(pyicqt_t, pyicqt_exec_t)
+-
+-type pyicqt_initrc_exec_t;
+-init_script_file(pyicqt_initrc_exec_t)
+-
+-type pyicqt_conf_t;
+-files_config_file(pyicqt_conf_t)
+-
+-type pyicqt_log_t;
+-logging_log_file(pyicqt_log_t)
+-
+-type pyicqt_spool_t;
-files_type(pyicqt_spool_t)
-+files_spool_file(pyicqt_spool_t)
-
- type pyicqt_var_run_t;
- files_pid_file(pyicqt_var_run_t)
-@@ -40,7 +40,6 @@ kernel_read_system_state(pyicqt_t)
-
- corecmd_exec_bin(pyicqt_t)
-
+-
+-type pyicqt_var_run_t;
+-files_pid_file(pyicqt_var_run_t)
+-
+-########################################
+-#
+-# Local policy
+-#
+-
+-allow pyicqt_t self:process signal_perms;
+-allow pyicqt_t self:fifo_file rw_fifo_file_perms;
+-allow pyicqt_t self:tcp_socket { accept listen };
+-
+-read_files_pattern(pyicqt_t, pyicqt_conf_t, pyicqt_conf_t)
+-
+-allow pyicqt_t pyicqt_log_t:file append_file_perms;
+-allow pyicqt_t pyicqt_log_t:file create_file_perms;
+-allow pyicqt_t pyicqt_log_t:file setattr_file_perms;
+-logging_log_filetrans(pyicqt_t, pyicqt_log_t, file)
+-
+-manage_dirs_pattern(pyicqt_t, pyicqt_spool_t, pyicqt_spool_t)
+-manage_files_pattern(pyicqt_t, pyicqt_spool_t, pyicqt_spool_t)
+-files_spool_filetrans(pyicqt_t, pyicqt_spool_t, dir)
+-
+-manage_files_pattern(pyicqt_t, pyicqt_var_run_t, pyicqt_var_run_t)
+-files_pid_filetrans(pyicqt_t, pyicqt_var_run_t, file)
+-
+-kernel_read_system_state(pyicqt_t)
+-
+-corecmd_exec_bin(pyicqt_t)
+-
-corenet_all_recvfrom_unlabeled(pyicqt_t)
- corenet_all_recvfrom_netlabel(pyicqt_t)
- corenet_tcp_sendrecv_generic_if(pyicqt_t)
- corenet_tcp_sendrecv_generic_node(pyicqt_t)
-@@ -54,6 +53,5 @@ files_read_usr_files(pyicqt_t)
-
- libs_read_lib_files(pyicqt_t)
-
+-corenet_all_recvfrom_netlabel(pyicqt_t)
+-corenet_tcp_sendrecv_generic_if(pyicqt_t)
+-corenet_tcp_sendrecv_generic_node(pyicqt_t)
+-corenet_tcp_bind_generic_node(pyicqt_t)
+-
+-# corenet_sendrecv_jabber_router_server_packets(pyicqt_t)
+-# corenet_tcp_bind_jabber_router_port(pyicqt_t)
+-# corenet_sendrecv_jabber_router_client_packets(pyicqt_t)
+-# corenet_tcp_connect_jabber_router_port(pyicqt_t)
+-# corenet_tcp_sendrecv_jabber_router_port(pyicqt_t)
+-
+-dev_read_sysfs(pyicqt_t)
+-dev_read_urand(pyicqt_t)
+-
+-files_read_usr_files(pyicqt_t)
+-
+-fs_getattr_all_fs(pyicqt_t)
+-
+-auth_use_nsswitch(pyicqt_t)
+-
+-libs_read_lib_files(pyicqt_t)
+-
+-logging_send_syslog_msg(pyicqt_t)
+-
-miscfiles_read_localization(pyicqt_t)
-
- sysnet_read_config(pyicqt_t)
+-
+-optional_policy(`
+- jabber_manage_lib_files(pyicqt_t)
+-')
+-
+-optional_policy(`
+- mysql_stream_connect(pyicqt_t)
+- mysql_tcp_connect(pyicqt_t)
+-')
+-
+-optional_policy(`
+- seutil_sigchld_newrole(pyicqt_t)
+-')
diff --git a/pyzor.fc b/pyzor.fc
-index d4a7750..a927c5a 100644
+index af13139..a927c5a 100644
--- a/pyzor.fc
+++ b/pyzor.fc
-@@ -1,9 +1,13 @@
- /etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0)
-+/etc/rc\.d/init\.d/pyzord -- gen_context(system_u:object_r:pyzord_initrc_exec_t,s0)
+@@ -1,12 +1,13 @@
+-HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
+-
+-/etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0)
+-
++/etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0)
+ /etc/rc\.d/init\.d/pyzord -- gen_context(system_u:object_r:pyzord_initrc_exec_t,s0)
- HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
+-/usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0)
+-/usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0)
++HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
+HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
+/root/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
+/root/\.spamd(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
- /usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0)
- /usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0)
+-/var/lib/pyzord(/.*)? gen_context(system_u:object_r:pyzor_var_lib_t,s0)
++/usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0)
++/usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0)
- /var/lib/pyzord(/.*)? gen_context(system_u:object_r:pyzor_var_lib_t,s0)
--/var/log/pyzord\.log -- gen_context(system_u:object_r:pyzord_log_t,s0)
-+/var/log/pyzord\.log.* -- gen_context(system_u:object_r:pyzord_log_t,s0)
++/var/lib/pyzord(/.*)? gen_context(system_u:object_r:pyzor_var_lib_t,s0)
+ /var/log/pyzord\.log.* -- gen_context(system_u:object_r:pyzord_log_t,s0)
diff --git a/pyzor.if b/pyzor.if
-index 494f7e2..2c411af 100644
+index 593c03d..2c411af 100644
--- a/pyzor.if
+++ b/pyzor.if
-@@ -14,6 +14,7 @@
+@@ -2,7 +2,7 @@
+
+ ########################################
+ ## <summary>
+-## Role access for pyzor.
++## Role access for pyzor
+ ## </summary>
+ ## <param name="role">
+ ## <summary>
+@@ -14,31 +14,30 @@
## User domain for the role
## </summary>
## </param>
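Review bot: pyzor.fc labels `HOME_DIR/\.spamd(/.*)?` and `/root/\.spamd(/.*)?` as pyzor_home_t, giving spamd's per-user state the same type that pyzor_t manages. If spamassassin.fc already specifies these paths with its own type, the two modules will conflict when file contexts are built; if it does not, a comment explaining why pyzor owns `.spamd` is needed, e.g. `# pyzor invoked by spamd keeps its state under ~/.spamd`.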
@@ -51821,11 +56889,28 @@ index 494f7e2..2c411af 100644
#
interface(`pyzor_role',`
gen_require(`
-@@ -28,7 +29,10 @@ interface(`pyzor_role',`
+- attribute_role pyzor_roles;
+- type pyzor_t, pyzor_exec_t, pyzor_home_t;
+- type pyzor_tmp_t;
++ type pyzor_t, pyzor_exec_t;
++ type pyzor_home_t, pyzor_var_lib_t, pyzor_tmp_t;
+ ')
+
+- roleattribute $1 pyzor_roles;
++ role $1 types pyzor_t;
- # allow ps to show pyzor and allow the user to kill it
++ # Transition from the user domain to the derived domain.
+ domtrans_pattern($2, pyzor_exec_t, pyzor_t)
+
+- allow $2 pyzor_t:process { ptrace signal_perms };
++ # allow ps to show pyzor and allow the user to kill it
ps_process_pattern($2, pyzor_t)
-- allow $2 pyzor_t:process signal;
+-
+- allow $2 { pyzor_home_t pyzor_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
+- allow $2 { pyzor_home_t pyzor_tmp_t }:file { manage_file_perms relabel_file_perms };
+- allow $2 pyzor_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+-
+- userdom_user_home_dir_filetrans($2, pyzor_home_t, dir, ".pyzor")
+ allow $2 pyzor_t:process signal_perms;
+ tunable_policy(`deny_ptrace',`',`
+ allow $2 pyzor_t:process ptrace;
@@ -51833,63 +56918,92 @@ index 494f7e2..2c411af 100644
')
########################################
-@@ -88,3 +92,50 @@ interface(`pyzor_exec',`
+ ## <summary>
+-## Send generic signals to pyzor.
++## Send generic signals to pyzor
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -69,6 +68,7 @@ interface(`pyzor_domtrans',`
+ type pyzor_exec_t, pyzor_t;
+ ')
+
++ files_search_usr($1)
+ corecmd_search_bin($1)
+ domtrans_pattern($1, pyzor_exec_t, pyzor_t)
+ ')
+@@ -88,14 +88,15 @@ interface(`pyzor_exec',`
+ type pyzor_exec_t;
+ ')
+
++ files_search_usr($1)
corecmd_search_bin($1)
can_exec($1, pyzor_exec_t)
')
-+
-+########################################
-+## <summary>
+
+ ########################################
+ ## <summary>
+-## All of the rules required to
+-## administrate an pyzor environment.
+## All of the rules required to administrate
+## an pyzor environment
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <param name="role">
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -104,33 +105,37 @@ interface(`pyzor_exec',`
+ ## </param>
+ ## <param name="role">
+ ## <summary>
+-## Role allowed access.
+## The role to be allowed to manage the pyzor domain.
-+## </summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`pyzor_admin',`
-+ gen_require(`
+ ## </summary>
+ ## </param>
+ ## <rolecap/>
+ #
+ interface(`pyzor_admin',`
+ gen_require(`
+- type pyzord_t, pyzord_initrc_exec_t, pyzord_log_t;
+- type pyzor_var_lib_t, pyzor_etc_t;
+ type pyzord_t, pyzor_tmp_t, pyzord_log_t;
+ type pyzor_etc_t, pyzor_var_lib_t, pyzord_initrc_exec_t;
-+ ')
-+
+ ')
+
+- allow $1 pyzord_t:process { ptrace signal_perms };
+ allow $1 pyzord_t:process signal_perms;
-+ ps_process_pattern($1, pyzord_t)
+ ps_process_pattern($1, pyzord_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 pyzord_t:process ptrace;
+ ')
-+
-+ init_labeled_script_domtrans($1, pyzord_initrc_exec_t)
-+ domain_system_change_exemption($1)
-+ role_transition $2 pyzord_initrc_exec_t system_r;
-+ allow $2 system_r;
-+
+
+ init_labeled_script_domtrans($1, pyzord_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 pyzord_initrc_exec_t system_r;
+ allow $2 system_r;
+
+- files_search_etc($1)
+- admin_pattern($1, pyzor_etc_t)
+ files_list_tmp($1)
+ admin_pattern($1, pyzor_tmp_t)
-+
+
+- logging_search_logs($1)
+ logging_list_logs($1)
-+ admin_pattern($1, pyzord_log_t)
-+
+ admin_pattern($1, pyzord_log_t)
+
+- files_search_var_lib($1)
+- admin_pattern($1, pyzor_var_lib_t)
+ files_list_etc($1)
+ admin_pattern($1, pyzor_etc_t)
-+
+
+- pyzor_role($2, $1)
+ files_list_var_lib($1)
+ admin_pattern($1, pyzor_var_lib_t)
-+')
+ ')
diff --git a/pyzor.te b/pyzor.te
-index c8fb70b..f7bf36e 100644
+index 6c456d2..f7bf36e 100644
--- a/pyzor.te
+++ b/pyzor.te
-@@ -1,42 +1,66 @@
--policy_module(pyzor, 2.2.0)
+@@ -1,61 +1,82 @@
+-policy_module(pyzor, 2.2.1)
+policy_module(pyzor, 2.1.0)
########################################
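Review bot: `pyzor_admin` drops the trailing `pyzor_role($2, $1)` call, so the admin role is no longer granted the pyzor_t client domain and an administrator running `pyzor` will execute it in their own domain rather than the confined one. If that is deliberate, the interface summary should say the admin rules cover pyzord only; otherwise the call should be restored. The `deny_ptrace` tunable referenced in the new ptrace block is not declared in this hunk, so its `gen_tunable` presumably lives in base policy.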
@@ -51897,12 +57011,15 @@ index c8fb70b..f7bf36e 100644
# Declarations
#
+-attribute_role pyzor_roles;
+-roleattribute system_r pyzor_roles;
+-
-type pyzor_t;
-type pyzor_exec_t;
-typealias pyzor_t alias { user_pyzor_t staff_pyzor_t sysadm_pyzor_t };
-typealias pyzor_t alias { auditadm_pyzor_t secadm_pyzor_t };
-userdom_user_application_domain(pyzor_t, pyzor_exec_t)
--role system_r types pyzor_t;
+-role pyzor_roles types pyzor_t;
-
-type pyzor_etc_t;
-files_type(pyzor_etc_t)
@@ -51927,6 +57044,9 @@ index c8fb70b..f7bf36e 100644
-type pyzord_exec_t;
-init_daemon_domain(pyzord_t, pyzord_exec_t)
-
+-type pyzord_initrc_exec_t;
+-init_script_file(pyzord_initrc_exec_t)
+-
-type pyzord_log_t;
-logging_log_file(pyzord_log_t)
+ifdef(`distro_redhat',`
@@ -51988,34 +57108,104 @@ index c8fb70b..f7bf36e 100644
########################################
#
-@@ -74,11 +98,13 @@ corenet_tcp_connect_http_port(pyzor_t)
+-# Local policy
++# Pyzor client local policy
+ #
+
++allow pyzor_t self:udp_socket create_socket_perms;
++
+ manage_dirs_pattern(pyzor_t, pyzor_home_t, pyzor_home_t)
+ manage_files_pattern(pyzor_t, pyzor_home_t, pyzor_home_t)
+ manage_lnk_files_pattern(pyzor_t, pyzor_home_t, pyzor_home_t)
+-userdom_user_home_dir_filetrans(pyzor_t, pyzor_home_t, dir, ".pyzor")
++userdom_user_home_dir_filetrans(pyzor_t, pyzor_home_t, { dir file lnk_file })
+
+ allow pyzor_t pyzor_var_lib_t:dir list_dir_perms;
+ read_files_pattern(pyzor_t, pyzor_var_lib_t, pyzor_var_lib_t)
++files_search_var_lib(pyzor_t)
+
+ manage_files_pattern(pyzor_t, pyzor_tmp_t, pyzor_tmp_t)
+ manage_dirs_pattern(pyzor_t, pyzor_tmp_t, pyzor_tmp_t)
+@@ -67,37 +88,25 @@ kernel_read_system_state(pyzor_t)
+ corecmd_list_bin(pyzor_t)
+ corecmd_getattr_bin_files(pyzor_t)
+
+-corenet_all_recvfrom_unlabeled(pyzor_t)
+-corenet_all_recvfrom_netlabel(pyzor_t)
+ corenet_tcp_sendrecv_generic_if(pyzor_t)
++corenet_udp_sendrecv_generic_if(pyzor_t)
+ corenet_tcp_sendrecv_generic_node(pyzor_t)
+-
+-corenet_sendrecv_http_client_packets(pyzor_t)
++corenet_udp_sendrecv_generic_node(pyzor_t)
++corenet_tcp_sendrecv_all_ports(pyzor_t)
++corenet_udp_sendrecv_all_ports(pyzor_t)
+ corenet_tcp_connect_http_port(pyzor_t)
+-corenet_tcp_sendrecv_http_port(pyzor_t)
dev_read_urand(pyzor_t)
--files_read_etc_files(pyzor_t)
+-fs_getattr_all_fs(pyzor_t)
+-fs_search_auto_mountpoints(pyzor_t)
+fs_getattr_xattr_fs(pyzor_t)
+
auth_use_nsswitch(pyzor_t)
-miscfiles_read_localization(pyzor_t)
-+
-+mta_read_queue(pyzor_t)
- userdom_dontaudit_search_user_home_dirs(pyzor_t)
+ mta_read_queue(pyzor_t)
-@@ -109,8 +135,8 @@ allow pyzord_t pyzor_etc_t:dir list_dir_perms;
- can_exec(pyzord_t, pyzor_exec_t)
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_dirs(pyzor_t)
+- fs_manage_nfs_files(pyzor_t)
+- fs_manage_nfs_symlinks(pyzor_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(pyzor_t)
+- fs_manage_cifs_files(pyzor_t)
+- fs_manage_cifs_symlinks(pyzor_t)
+-')
++userdom_dontaudit_search_user_home_dirs(pyzor_t)
+
+ optional_policy(`
+ amavis_manage_lib_files(pyzor_t)
+@@ -111,25 +120,24 @@ optional_policy(`
+
+ ########################################
+ #
+-# Daemon local policy
++# Pyzor server local policy
+ #
+
+-allow pyzord_t pyzor_var_lib_t:dir setattr_dir_perms;
++allow pyzord_t self:udp_socket create_socket_perms;
++
+ manage_files_pattern(pyzord_t, pyzor_var_lib_t, pyzor_var_lib_t)
++allow pyzord_t pyzor_var_lib_t:dir setattr;
+ files_var_lib_filetrans(pyzord_t, pyzor_var_lib_t, { file dir })
+
++read_files_pattern(pyzord_t, pyzor_etc_t, pyzor_etc_t)
+ allow pyzord_t pyzor_etc_t:dir list_dir_perms;
+-allow pyzord_t pyzor_etc_t:file read_file_perms;
+-allow pyzord_t pyzor_etc_t:lnk_file read_lnk_file_perms;
- manage_files_pattern(pyzord_t, pyzord_log_t, pyzord_log_t)
--allow pyzord_t pyzord_log_t:dir setattr;
--logging_log_filetrans(pyzord_t, pyzord_log_t, { file dir } )
-+allow pyzord_t pyzord_log_t:dir setattr_dir_perms;
-+logging_log_filetrans(pyzord_t, pyzord_log_t, { file dir })
++can_exec(pyzord_t, pyzor_exec_t)
++
++manage_files_pattern(pyzord_t, pyzord_log_t, pyzord_log_t)
+ allow pyzord_t pyzord_log_t:dir setattr_dir_perms;
+-append_files_pattern(pyzord_t, pyzord_log_t, pyzord_log_t)
+-create_files_pattern(pyzord_t, pyzord_log_t, pyzord_log_t)
+-setattr_files_pattern(pyzord_t, pyzord_log_t, pyzord_log_t)
+ logging_log_filetrans(pyzord_t, pyzord_log_t, { file dir })
+-can_exec(pyzord_t, pyzor_exec_t)
+-
kernel_read_kernel_sysctls(pyzord_t)
kernel_read_system_state(pyzord_t)
-@@ -119,7 +145,6 @@ dev_read_urand(pyzord_t)
+
+@@ -137,24 +145,25 @@ dev_read_urand(pyzord_t)
corecmd_exec_bin(pyzord_t)
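Review bot: the client policy replaces upstream's per-port rules with `corenet_tcp_sendrecv_all_ports(pyzor_t)` and `corenet_udp_sendrecv_all_ports(pyzor_t)`, although the protocol's port already has a label (the server binds it via `corenet_udp_bind_pyzor_port`); unless this distribution treats port sendrecv as unrestricted, the client should get `corenet_udp_sendrecv_pyzor_port(pyzor_t)` and keep `corenet_tcp_sendrecv_http_port(pyzor_t)`, which limits the traffic to what the tool actually speaks. The home-directory transition is also widened from the named `userdom_user_home_dir_filetrans(pyzor_t, pyzor_home_t, dir, ".pyzor")` to an unnamed `{ dir file lnk_file }` form, so anything pyzor_t creates directly in a home directory becomes pyzor_home_t; unless name-based transitions are unavailable on the target, the named form should be kept, with `.spamd` added as a second named transition if that directory is meant to be covered.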
@@ -52023,25 +57213,84 @@ index c8fb70b..f7bf36e 100644
corenet_all_recvfrom_netlabel(pyzord_t)
corenet_udp_sendrecv_generic_if(pyzord_t)
corenet_udp_sendrecv_generic_node(pyzord_t)
-@@ -128,13 +153,11 @@ corenet_udp_bind_generic_node(pyzord_t)
++corenet_udp_sendrecv_all_ports(pyzord_t)
+ corenet_udp_bind_generic_node(pyzord_t)
+-
+-corenet_sendrecv_pyzor_server_packets(pyzord_t)
corenet_udp_bind_pyzor_port(pyzord_t)
- corenet_sendrecv_pyzor_server_packets(pyzord_t)
+-corenet_udp_sendrecv_pyzor_port(pyzord_t)
++corenet_sendrecv_pyzor_server_packets(pyzord_t)
--files_read_etc_files(pyzord_t)
+-auth_use_nsswitch(pyzord_t)
- auth_use_nsswitch(pyzord_t)
+-logging_send_syslog_msg(pyzord_t)
++auth_use_nsswitch(pyzord_t)
locallogin_dontaudit_use_fds(pyzord_t)
-miscfiles_read_localization(pyzord_t)
- # Do not audit attempts to access /root.
- userdom_dontaudit_search_user_home_dirs(pyzord_t)
-diff --git a/qemu.if b/qemu.if
-index 268d691..580f9ee 100644
---- a/qemu.if
-+++ b/qemu.if
-@@ -43,7 +43,6 @@ template(`qemu_domain_template',`
++# Do not audit attempts to access /root.
+ userdom_dontaudit_search_user_home_dirs(pyzord_t)
+
+ mta_manage_spool(pyzord_t)
++
++optional_policy(`
++ logging_send_syslog_msg(pyzord_t)
++')
+diff --git a/qemu.fc b/qemu.fc
+index 6b53fa4..64d877e 100644
+--- a/qemu.fc
++++ b/qemu.fc
+@@ -1,5 +1,4 @@
+-/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0)
++/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0)
+ /usr/bin/qemu-system-.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
+ /usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
+-
+ /usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
+diff --git a/qemu.if b/qemu.if
+index eaf56b8..580f9ee 100644
+--- a/qemu.if
++++ b/qemu.if
+@@ -1,19 +1,21 @@
+-## <summary>QEMU machine emulator and virtualizer.</summary>
++## <summary>QEMU machine emulator and virtualizer</summary>
+
+-#######################################
++########################################
+ ## <summary>
+-## The template to define a qemu domain.
++## Creates types and rules for a basic
++## qemu process domain.
+ ## </summary>
+-## <param name="domain_prefix">
++## <param name="prefix">
+ ## <summary>
+-## Domain prefix to be used.
++## Prefix for the domain.
+ ## </summary>
+ ## </param>
+ #
+ template(`qemu_domain_template',`
++
+ ##############################
+ #
+- # Declarations
++ # Local Policy
+ #
+
+ type $1_t;
+@@ -24,7 +26,7 @@ template(`qemu_domain_template',`
+
+ ##############################
+ #
+- # Policy
++ # Local Policy
+ #
+
+ allow $1_t self:capability { dac_read_search dac_override };
+@@ -41,7 +43,6 @@ template(`qemu_domain_template',`
kernel_read_system_state($1_t)
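Review bot: `corenet_udp_sendrecv_all_ports(pyzord_t)` is added to the server although the very next lines bind and send on the labelled pyzor port; the per-port `corenet_udp_sendrecv_pyzor_port(pyzord_t)` that the patch removes a few lines below is the narrower rule and should be the one kept. In qemu.if, both section headers inside `qemu_domain_template` now read `# Local Policy`, but the first one precedes the type declarations and should stay `# Declarations` so the template reads like the rest of the file.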
@@ -52049,7 +57298,7 @@ index 268d691..580f9ee 100644
corenet_all_recvfrom_netlabel($1_t)
corenet_tcp_sendrecv_generic_if($1_t)
corenet_tcp_sendrecv_generic_node($1_t)
-@@ -72,11 +71,10 @@ template(`qemu_domain_template',`
+@@ -70,11 +71,10 @@ template(`qemu_domain_template',`
term_getattr_pty_fs($1_t)
term_use_generic_ptys($1_t)
@@ -52062,86 +57311,158 @@ index 268d691..580f9ee 100644
userdom_attach_admin_tun_iface($1_t)
optional_policy(`
-@@ -98,61 +96,40 @@ template(`qemu_domain_template',`
- ')
- ')
+@@ -98,38 +98,12 @@ template(`qemu_domain_template',`
--#######################################
-+########################################
+ ########################################
## <summary>
--## The per role template for the qemu module.
-+## Execute a domain transition to run qemu.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed to transition.
- ## </summary>
--## <desc>
--## <p>
--## This template creates a derived domains which are used
--## for qemu web browser.
--## </p>
--## <p>
--## This template is invoked automatically for each user, and
--## generally does not need to be invoked directly
--## by policy writers.
--## </p>
--## </desc>
--## <param name="user_role">
+-## Role access for qemu.
+-## </summary>
+-## <param name="role">
-## <summary>
--## The role associated with the user domain.
+-## Role allowed access.
-## </summary>
-## </param>
--## <param name="user_domain">
+-## <param name="domain">
-## <summary>
--## The type of the user domain.
+-## User domain for the role.
-## </summary>
+-## </param>
+-#
+-template(`qemu_role',`
+- gen_require(`
+- type qemu_t;
+- ')
+-
+- qemu_run($2, $1)
+-
+- allow $2 qemu_t:process { ptrace signal_perms };
+- ps_process_pattern($2, qemu_t)
+-')
+-
+-########################################
+-## <summary>
+ ## Execute a domain transition to run qemu.
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
++## <summary>
+ ## Domain allowed to transition.
+-## </summary>
++## </summary>
## </param>
#
--template(`qemu_role',`
-+interface(`qemu_domtrans',`
- gen_require(`
+ interface(`qemu_domtrans',`
+@@ -137,18 +111,17 @@ interface(`qemu_domtrans',`
type qemu_t, qemu_exec_t;
-- type qemu_config_t, qemu_config_exec_t;
')
-- role $1 types { qemu_t qemu_config_t };
--
-- domtrans_pattern($2, qemu_exec_t, qemu_t)
-- domtrans_pattern($2, qemu_config_exec_t, qemu_config_t)
-- allow qemu_t $2:process signull;
-+ domtrans_pattern($1, qemu_exec_t, qemu_t)
+- corecmd_search_bin($1)
+ domtrans_pattern($1, qemu_exec_t, qemu_t)
')
########################################
## <summary>
--## Execute a domain transition to run qemu.
+-## Execute a qemu in the caller domain.
+## Execute a qemu in the callers domain
## </summary>
## <param name="domain">
+-## <summary>
++## <summary>
+ ## Domain allowed access.
+-## </summary>
++## </summary>
+ ## </param>
+ #
+ interface(`qemu_exec',`
+@@ -156,15 +129,12 @@ interface(`qemu_exec',`
+ type qemu_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+ can_exec($1, qemu_exec_t)
+ ')
+
+ ########################################
## <summary>
--## Domain allowed to transition.
-+## Domain allowed access.
+-## Execute qemu in the qemu domain,
+-## and allow the specified role the
+-## qemu domain.
++## Execute qemu in the qemu domain.
## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -173,23 +143,25 @@ interface(`qemu_exec',`
+ ## </param>
+ ## <param name="role">
+ ## <summary>
+-## Role allowed access.
++## The role to allow the qemu domain.
+ ## </summary>
## </param>
+ ## <rolecap/>
#
--interface(`qemu_domtrans',`
-+interface(`qemu_exec',`
+ interface(`qemu_run',`
gen_require(`
-- type qemu_t, qemu_exec_t;
-+ type qemu_exec_t;
+- attribute_role qemu_roles;
++ type qemu_t;
')
-- domtrans_pattern($1, qemu_exec_t, qemu_t)
-+ can_exec($1, qemu_exec_t)
+ qemu_domtrans($1)
+- roleattribute $2 qemu_roles;
++ role $2 types qemu_t;
++ allow qemu_t $1:process signull;
++ allow $1 qemu_t:process signull;
+ ')
+
+ ########################################
+ ## <summary>
+-## Read qemu process state files.
++## Allow the domain to read state files in /proc.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -202,15 +174,12 @@ interface(`qemu_read_state',`
+ type qemu_t;
+ ')
+
+- kernel_search_proc($1)
+- allow $1 qemu_t:dir list_dir_perms;
+- allow $1 qemu_t:file read_file_perms;
+- allow $1 qemu_t:lnk_file read_lnk_file_perms;
++ read_files_pattern($1, qemu_t, qemu_t)
')
########################################
-@@ -256,20 +233,63 @@ interface(`qemu_kill',`
+ ## <summary>
+-## Set qemu scheduler.
++## Set the schedule on qemu.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -228,7 +197,7 @@ interface(`qemu_setsched',`
+
+ ########################################
+ ## <summary>
+-## Send generic signals to qemu.
++## Send a signal to qemu.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -246,7 +215,7 @@ interface(`qemu_signal',`
+
+ ########################################
+ ## <summary>
+-## Send kill signals to qemu.
++## Send a sigill to qemu
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -264,48 +233,68 @@ interface(`qemu_kill',`
########################################
## <summary>
--## Execute a domain transition to run qemu unconfined.
+-## Execute a domain transition to
+-## run qemu unconfined.
+## Execute qemu_exec_t
+## in the specified domain but do not
+## do it automatically. This is an explicit
@@ -52157,20 +57478,26 @@ index 268d691..580f9ee 100644
+## </p>
+## </desc>
## <param name="domain">
-+## <summary>
+ ## <summary>
+-## Domain allowed to transition.
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="target_domain">
+## <summary>
+## The type of the new process.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+ #
+-interface(`qemu_domtrans_unconfined',`
+interface(`qemu_spec_domtrans',`
-+ gen_require(`
+ gen_require(`
+- type unconfined_qemu_t, qemu_exec_t;
+ type qemu_exec_t;
-+ ')
+ ')
+-
+- corecmd_search_bin($1)
+- domtrans_pattern($1, qemu_exec_t, unconfined_qemu_t)
+
+ read_lnk_files_pattern($1, qemu_exec_t, qemu_exec_t)
+ domain_transition_pattern($1, qemu_exec_t, $2)
@@ -52180,156 +57507,416 @@ index 268d691..580f9ee 100644
+ allow $2 $1:fd use;
+ allow $2 $1:fifo_file rw_fifo_file_perms;
+ allow $2 $1:process sigchld;
-+')
-+
-+########################################
+ ')
+
+ ########################################
## <summary>
--## Domain allowed to transition.
+-## Create, read, write, and delete
+-## qemu temporary directories.
+## Execute qemu unconfined programs in the role.
## </summary>
+-## <param name="domain">
+## <param name="role">
-+## <summary>
+ ## <summary>
+-## Domain allowed access.
+## The role to allow the qemu unconfined domain.
-+## </summary>
+ ## </summary>
## </param>
#
--interface(`qemu_domtrans_unconfined',`
+-interface(`qemu_manage_tmp_dirs',`
+interface(`qemu_unconfined_role',`
gen_require(`
-- type unconfined_qemu_t, qemu_exec_t;
+- type qemu_tmp_t;
+ type unconfined_qemu_t;
+ type qemu_t;
')
-
-- domtrans_pattern($1, qemu_exec_t, unconfined_qemu_t)
+- files_search_tmp($1)
+- manage_dirs_pattern($1, qemu_tmp_t, qemu_tmp_t)
+ role $1 types unconfined_qemu_t;
+ role $1 types qemu_t;
')
########################################
-@@ -307,3 +327,22 @@ interface(`qemu_manage_tmp_files',`
+ ## <summary>
+-## Create, read, write, and delete
+-## qemu temporary files.
++## Manage qemu temporary dirs.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -313,58 +302,41 @@ interface(`qemu_manage_tmp_dirs',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`qemu_manage_tmp_files',`
++interface(`qemu_manage_tmp_dirs',`
+ gen_require(`
+ type qemu_tmp_t;
+ ')
- manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t)
+- files_search_tmp($1)
+- manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t)
++ manage_dirs_pattern($1, qemu_tmp_t, qemu_tmp_t)
')
-+
+
+ ########################################
+ ## <summary>
+-## Execute qemu in a specified domain.
++## Manage qemu temporary files.
+ ## </summary>
+-## <desc>
+-## <p>
+-## Execute qemu in a specified domain.
+-## </p>
+-## <p>
+-## No interprocess communication (signals, pipes,
+-## etc.) is provided by this interface since
+-## the domains are not owned by this module.
+-## </p>
+-## </desc>
+-## <param name="source_domain">
+-## <summary>
+-## Domain allowed to transition.
+-## </summary>
+-## </param>
+-## <param name="target_domain">
++## <param name="domain">
+ ## <summary>
+-## Domain to transition to.
++## Domain allowed access.
+ ## </summary>
+ ## </param>
+ #
+-interface(`qemu_spec_domtrans',`
++interface(`qemu_manage_tmp_files',`
+ gen_require(`
+- type qemu_exec_t;
++ type qemu_tmp_t;
+ ')
+
+- corecmd_search_bin($1)
+- domain_auto_trans($1, qemu_exec_t, $2)
++ manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t)
+ ')
+
+-######################################
+########################################
-+## <summary>
+ ## <summary>
+-## Make qemu executable files an
+-## entrypoint for the specified domain.
+## Make qemu_exec_t an entrypoint for
+## the specified domain.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
+-## The domain for which qemu_exec_t is an entrypoint.
+-## </summary>
+## <summary>
+## The domain for which qemu_exec_t is an entrypoint.
+## </summary>
-+## </param>
-+#
-+interface(`qemu_entry_type',`
-+ gen_require(`
-+ type qemu_exec_t;
-+ ')
-+
-+ domain_entry_file($1, qemu_exec_t)
-+')
+ ## </param>
+ #
+ interface(`qemu_entry_type',`
diff --git a/qemu.te b/qemu.te
-index 9681d82..695c857 100644
+index 2e824eb..695c857 100644
--- a/qemu.te
+++ b/qemu.te
-@@ -40,9 +40,7 @@ gen_tunable(qemu_use_nfs, true)
+@@ -1,4 +1,4 @@
+-policy_module(qemu, 1.7.4)
++policy_module(qemu, 1.7.0)
+
+ ########################################
+ #
+@@ -6,28 +6,58 @@ policy_module(qemu, 1.7.4)
+ #
+
+ ## <desc>
+-## <p>
+-## Determine whether qemu has full
+-## access to the network.
+-## </p>
++## <p>
++## Allow qemu to connect fully to the network
++## </p>
## </desc>
- gen_tunable(qemu_use_usb, true)
+ gen_tunable(qemu_full_network, false)
+
+-attribute_role qemu_roles;
+-roleattribute system_r qemu_roles;
++## <desc>
++## <p>
++## Allow qemu to use cifs/Samba file systems
++## </p>
++## </desc>
++gen_tunable(qemu_use_cifs, true)
++
++## <desc>
++## <p>
++## Allow qemu to use serial/parallel communication ports
++## </p>
++## </desc>
++gen_tunable(qemu_use_comm, false)
-type qemu_exec_t;
+-application_executable_file(qemu_exec_t)
++## <desc>
++## <p>
++## Allow qemu to use nfs file systems
++## </p>
++## </desc>
++gen_tunable(qemu_use_nfs, true)
++
++## <desc>
++## <p>
++## Allow qemu to use usb devices
++## </p>
++## </desc>
++gen_tunable(qemu_use_usb, true)
+
virt_domain_template(qemu)
--application_domain(qemu_t, qemu_exec_t)
- role system_r types qemu_t;
+-role qemu_roles types qemu_t;
++role system_r types qemu_t;
########################################
-@@ -50,13 +48,12 @@ role system_r types qemu_t;
- # qemu local policy
+ #
+-# Local policy
++# qemu local policy
#
--can_exec(qemu_t, qemu_exec_t)
--
- storage_raw_write_removable_device(qemu_t)
- storage_raw_read_removable_device(qemu_t)
-
- userdom_search_user_home_content(qemu_t)
- userdom_read_user_tmpfs_files(qemu_t)
++storage_raw_write_removable_device(qemu_t)
++storage_raw_read_removable_device(qemu_t)
++
++userdom_search_user_home_content(qemu_t)
++userdom_read_user_tmpfs_files(qemu_t)
+userdom_stream_connect(qemu_t)
-
++
tunable_policy(`qemu_full_network',`
- allow qemu_t self:udp_socket create_socket_perms;
-@@ -101,6 +98,17 @@ optional_policy(`
++ allow qemu_t self:udp_socket create_socket_perms;
++
+ corenet_udp_sendrecv_generic_if(qemu_t)
+ corenet_udp_sendrecv_generic_node(qemu_t)
+ corenet_udp_sendrecv_all_ports(qemu_t)
+@@ -37,21 +67,57 @@ tunable_policy(`qemu_full_network',`
+ corenet_tcp_connect_all_ports(qemu_t)
')
- optional_policy(`
-+ tunable_policy(`qemu_use_cifs',`
-+ samba_domtrans_smbd(qemu_t)
-+ ')
++tunable_policy(`qemu_use_cifs',`
++ fs_manage_cifs_dirs(qemu_t)
++ fs_manage_cifs_files(qemu_t)
+')
+
-+optional_policy(`
-+ virt_domtrans_bridgehelper(qemu_t)
++tunable_policy(`qemu_use_comm',`
++ term_use_unallocated_ttys(qemu_t)
++ dev_rw_printer(qemu_t)
+')
+
-+optional_policy(`
-+ virt_manage_home_files(qemu_t)
- virt_manage_images(qemu_t)
- virt_append_log(qemu_t)
- ')
-@@ -113,18 +121,3 @@ optional_policy(`
- xserver_read_xdm_pid(qemu_t)
- xserver_stream_connect(qemu_t)
++tunable_policy(`qemu_use_nfs',`
++ fs_manage_nfs_dirs(qemu_t)
++ fs_manage_nfs_files(qemu_t)
++')
++
++tunable_policy(`qemu_use_usb',`
++ dev_rw_usbfs(qemu_t)
++ fs_manage_dos_dirs(qemu_t)
++ fs_manage_dos_files(qemu_t)
++')
++
+ optional_policy(`
+- xserver_user_x_domain_template(qemu, qemu_t, qemu_tmpfs_t)
++ dbus_read_lib_files(qemu_t)
')
--
+
-########################################
-#
--# Unconfined qemu local policy
+-# Unconfined local policy
-#
--
--optional_policy(`
++optional_policy(`
++ pulseaudio_manage_home_files(qemu_t)
++ pulseaudio_stream_connect(qemu_t)
++')
++
++optional_policy(`
++ tunable_policy(`qemu_use_cifs',`
++ samba_domtrans_smbd(qemu_t)
++ ')
++')
+
+ optional_policy(`
- type unconfined_qemu_t;
- typealias unconfined_qemu_t alias qemu_unconfined_t;
- application_type(unconfined_qemu_t)
- unconfined_domain(unconfined_qemu_t)
--
++ virt_domtrans_bridgehelper(qemu_t)
++')
++
++optional_policy(`
++ virt_manage_home_files(qemu_t)
++ virt_manage_images(qemu_t)
++ virt_append_log(qemu_t)
++')
+
- allow unconfined_qemu_t self:process { execstack execmem };
- allow unconfined_qemu_t qemu_exec_t:file execmod;
--')
++optional_policy(`
++ xen_rw_image_files(qemu_t)
++')
++
++optional_policy(`
++ xserver_read_xdm_pid(qemu_t)
++ xserver_stream_connect(qemu_t)
+ ')
diff --git a/qmail.fc b/qmail.fc
-index 0055e54..edee505 100644
+index e53fe5a..edee505 100644
--- a/qmail.fc
+++ b/qmail.fc
-@@ -17,6 +17,7 @@
- /var/qmail/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0)
-
- /var/qmail/control(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0)
+@@ -1,22 +1,6 @@
+-/etc/qmail(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0)
+-
+-/usr/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0)
+-
+-/usr/sbin/qmail-clean -- gen_context(system_u:object_r:qmail_clean_exec_t,s0)
+-/usr/sbin/qmail-getpw -- gen_context(system_u:object_r:qmail_exec_t,s0)
+-/usr/sbin/qmail-inject -- gen_context(system_u:object_r:qmail_inject_exec_t,s0)
+-/usr/sbin/qmail-local -- gen_context(system_u:object_r:qmail_local_exec_t,s0)
+-/usr/sbin/qmail-lspawn -- gen_context(system_u:object_r:qmail_lspawn_exec_t,s0)
+-/usr/sbin/qmail-queue -- gen_context(system_u:object_r:qmail_queue_exec_t,s0)
+-/usr/sbin/qmail-remote -- gen_context(system_u:object_r:qmail_remote_exec_t,s0)
+-/usr/sbin/qmail-rspawn -- gen_context(system_u:object_r:qmail_rspawn_exec_t,s0)
+-/usr/sbin/qmail-send -- gen_context(system_u:object_r:qmail_send_exec_t,s0)
+-/usr/sbin/qmail-smtpd -- gen_context(system_u:object_r:qmail_smtpd_exec_t,s0)
+-/usr/sbin/qmail-start -- gen_context(system_u:object_r:qmail_start_exec_t,s0)
+-/usr/sbin/splogger -- gen_context(system_u:object_r:qmail_splogger_exec_t,s0)
+-
+-/var/qmail/alias -d gen_context(system_u:object_r:qmail_alias_home_t,s0)
+-/var/qmail/alias(/.*)? gen_context(system_u:object_r:qmail_alias_home_t,s0)
++
++/var/qmail/alias -d gen_context(system_u:object_r:qmail_alias_home_t,s0)
++/var/qmail/alias(/.*)? gen_context(system_u:object_r:qmail_alias_home_t,s0)
+
+ /var/qmail/bin/qmail-clean -- gen_context(system_u:object_r:qmail_clean_exec_t,s0)
+ /var/qmail/bin/qmail-getpw -- gen_context(system_u:object_r:qmail_exec_t,s0)
+@@ -29,9 +13,36 @@
+ /var/qmail/bin/qmail-send -- gen_context(system_u:object_r:qmail_send_exec_t,s0)
+ /var/qmail/bin/qmail-smtpd -- gen_context(system_u:object_r:qmail_smtpd_exec_t,s0)
+ /var/qmail/bin/qmail-start -- gen_context(system_u:object_r:qmail_start_exec_t,s0)
+-/var/qmail/bin/splogger -- gen_context(system_u:object_r:qmail_splogger_exec_t,s0)
+-/var/qmail/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0)
++/var/qmail/bin/splogger -- gen_context(system_u:object_r:qmail_splogger_exec_t,s0)
++/var/qmail/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0)
++
++/var/qmail/control(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0)
+/var/qmail/owners(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0)
-
- /var/qmail/queue(/.*)? gen_context(system_u:object_r:qmail_spool_t,s0)
-
-@@ -25,7 +26,7 @@ ifdef(`distro_debian', `
-
- /usr/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0)
-
--#/usr/local/bin/serialmail/.* -- gen_context(system_u:object_r:qmail_serialmail_exec_t,s0)
++
++/var/qmail/queue(/.*)? gen_context(system_u:object_r:qmail_spool_t,s0)
++
++ifdef(`distro_debian', `
++/etc/qmail(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0)
++
++/usr/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0)
++
+#/usr/bin/serialmail/.* -- gen_context(system_u:object_r:qmail_serialmail_exec_t,s0)
++
++/usr/sbin/qmail-clean -- gen_context(system_u:object_r:qmail_clean_exec_t,s0)
++/usr/sbin/qmail-getpw -- gen_context(system_u:object_r:qmail_exec_t,s0)
++/usr/sbin/qmail-inject -- gen_context(system_u:object_r:qmail_inject_exec_t,s0)
++/usr/sbin/qmail-local -- gen_context(system_u:object_r:qmail_local_exec_t,s0)
++/usr/sbin/qmail-lspawn -- gen_context(system_u:object_r:qmail_lspawn_exec_t,s0)
++/usr/sbin/qmail-queue -- gen_context(system_u:object_r:qmail_queue_exec_t,s0)
++/usr/sbin/qmail-remote -- gen_context(system_u:object_r:qmail_remote_exec_t,s0)
++/usr/sbin/qmail-rspawn -- gen_context(system_u:object_r:qmail_rspawn_exec_t,s0)
++/usr/sbin/qmail-send -- gen_context(system_u:object_r:qmail_send_exec_t,s0)
++/usr/sbin/qmail-smtpd -- gen_context(system_u:object_r:qmail_smtpd_exec_t,s0)
++/usr/sbin/qmail-start -- gen_context(system_u:object_r:qmail_start_exec_t,s0)
++/usr/sbin/splogger -- gen_context(system_u:object_r:qmail_splogger_exec_t,s0)
++
++/var/qmail(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0)
+
+-/var/qmail(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0)
++/var/spool/qmail(/.*)? gen_context(system_u:object_r:qmail_spool_t,s0)
++')
- /usr/sbin/qmail-clean -- gen_context(system_u:object_r:qmail_clean_exec_t,s0)
- /usr/sbin/qmail-getpw -- gen_context(system_u:object_r:qmail_exec_t,s0)
+-/var/spool/qmail(/.*)? gen_context(system_u:object_r:qmail_spool_t,s0)
diff --git a/qmail.if b/qmail.if
-index a55bf44..05e219e 100644
+index e4f0000..05e219e 100644
--- a/qmail.if
+++ b/qmail.if
-@@ -44,7 +44,6 @@ template(`qmail_child_domain_template',`
+@@ -1,12 +1,12 @@
+-## <summary>Qmail Mail Server.</summary>
++## <summary>Qmail Mail Server</summary>
+
+ ########################################
+ ## <summary>
+-## Template for qmail parent/sub-domain pairs.
++## Template for qmail parent/sub-domain pairs
+ ## </summary>
+ ## <param name="child_prefix">
+ ## <summary>
+-## The prefix of the child domain.
++## The prefix of the child domain
+ ## </summary>
+ ## </param>
+ ## <param name="parent_domain">
+@@ -16,35 +16,39 @@
+ ## </param>
+ #
+ template(`qmail_child_domain_template',`
+- gen_require(`
+- attribute qmail_child_domain;
+- ')
+-
+- ########################################
+- #
+- # Declarations
+- #
+-
+- type $1_t, qmail_child_domain;
+- type $1_exec_t;
++ type $1_t;
+ domain_type($1_t)
++ type $1_exec_t;
+ domain_entry_file($1_t, $1_exec_t)
+-
++ domain_auto_trans($2, $1_exec_t, $1_t)
+ role system_r types $1_t;
- fs_getattr_xattr_fs($1_t)
+- ########################################
+- #
+- # Policy
+- #
++ allow $1_t self:process signal_perms;
++
++ allow $1_t $2:fd use;
++ allow $1_t $2:fifo_file rw_file_perms;
++ allow $1_t $2:process sigchld;
++
++ allow $1_t qmail_etc_t:dir list_dir_perms;
++ allow $1_t qmail_etc_t:file read_file_perms;
++ allow $1_t qmail_etc_t:lnk_file read_lnk_file_perms;
++
++ allow $1_t qmail_start_t:fd use;
++
++ kernel_list_proc($2)
++ kernel_read_proc_symlinks($2)
-- miscfiles_read_localization($1_t)
+- domtrans_pattern($2, $1_exec_t, $1_t)
++ corecmd_search_bin($1_t)
++
++ files_search_var($1_t)
++
++ fs_getattr_xattr_fs($1_t)
+
+- kernel_read_system_state($2)
')
########################################
-@@ -62,14 +61,13 @@ interface(`qmail_domtrans_inject',`
+ ## <summary>
+-## Transition to qmail_inject_t.
++## Transition to qmail_inject_t
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -57,11 +61,11 @@ interface(`qmail_domtrans_inject',`
type qmail_inject_t, qmail_inject_exec_t;
')
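Review bot: In the new `qmail_child_domain_template` body, `domain_auto_trans($2, $1_exec_t, $1_t)` followed by the hand-written `allow $1_t $2:fd use;`, `allow $1_t $2:fifo_file rw_file_perms;` and `allow $1_t $2:process sigchld;` re-implements what the single macro `domtrans_pattern($2, $1_exec_t, $1_t)` (the form the upstream side of this hunk removes) already grants, and it does so with the generic `rw_file_perms` set on the `fifo_file` class where the class-specific `rw_fifo_file_perms` is the convention used elsewhere in this patch. Collapsing those four lines into `domtrans_pattern($2, $1_exec_t, $1_t)` keeps the transition rules in one audited macro and removes the class mismatch; the same fifo_file/file permission-set swap recurs in the qmail-local block of the qmail.te hunk further down. This hunk also carries the qemu.te boolean declarations, where `qemu_use_cifs`, `qemu_use_nfs` and `qemu_use_usb` default to `true` while the other two default to `false`; if those defaults are intended, a note in each `<desc>` saying the access is on by default would make the wider default footprint of `qemu_t` visible to anyone reading the policy documentation.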
@@ -52341,11 +57928,17 @@ index a55bf44..05e219e 100644
- corecmd_search_bin($1)
',`
files_search_var($1)
-- corecmd_search_bin($1)
')
- ')
+@@ -69,7 +73,7 @@ interface(`qmail_domtrans_inject',`
-@@ -88,14 +86,13 @@ interface(`qmail_domtrans_queue',`
+ ########################################
+ ## <summary>
+-## Transition to qmail_queue_t.
++## Transition to qmail_queue_t
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -82,11 +86,11 @@ interface(`qmail_domtrans_queue',`
type qmail_queue_t, qmail_queue_exec_t;
')
@@ -52357,11 +57950,33 @@ index a55bf44..05e219e 100644
- corecmd_search_bin($1)
',`
files_search_var($1)
-- corecmd_search_bin($1)
+ ')
+@@ -108,20 +112,21 @@ interface(`qmail_read_config',`
+ type qmail_etc_t;
+ ')
+
+- files_search_var($1)
+ allow $1 qmail_etc_t:dir list_dir_perms;
+ allow $1 qmail_etc_t:file read_file_perms;
+ allow $1 qmail_etc_t:lnk_file read_lnk_file_perms;
++ files_search_var($1)
+
+ ifdef(`distro_debian',`
++ # handle /etc/qmail
+ files_search_etc($1)
')
')
-@@ -149,3 +146,59 @@ interface(`qmail_smtpd_service_domain',`
+ ########################################
+ ## <summary>
+-## Define the specified domain as a
+-## qmail-smtp service.
++## Define the specified domain as a qmail-smtp service.
++## Needed by antivirus/antispam filters.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -141,3 +146,59 @@ interface(`qmail_smtpd_service_domain',`
domtrans_pattern(qmail_smtpd_t, $2, $1)
')
@@ -52422,10 +58037,48 @@ index a55bf44..05e219e 100644
+ allow $1 qmail_spool_t:fifo_file rw_fifo_file_perms;
+')
diff --git a/qmail.te b/qmail.te
-index 355b2a2..af2850e 100644
+index 1bef513..af2850e 100644
--- a/qmail.te
+++ b/qmail.te
-@@ -47,7 +47,7 @@ qmail_child_domain_template(qmail_smtpd, qmail_tcp_env_t)
+@@ -1,11 +1,11 @@
+-policy_module(qmail, 1.5.1)
++policy_module(qmail, 1.5.0)
+
+ ########################################
+ #
+ # Declarations
+ #
+
+-attribute qmail_child_domain;
++attribute qmail_user_domains;
+
+ type qmail_alias_home_t;
+ files_type(qmail_alias_home_t)
+@@ -18,7 +18,7 @@ files_config_file(qmail_etc_t)
+ type qmail_exec_t;
+ files_type(qmail_exec_t)
+
+-type qmail_inject_t;
++type qmail_inject_t, qmail_user_domains;
+ type qmail_inject_exec_t;
+ domain_type(qmail_inject_t)
+ domain_entry_file(qmail_inject_t, qmail_inject_exec_t)
+@@ -32,18 +32,22 @@ qmail_child_domain_template(qmail_lspawn, qmail_start_t)
+ mta_mailserver_delivery(qmail_lspawn_t)
+
+ qmail_child_domain_template(qmail_queue, qmail_inject_t)
++typeattribute qmail_queue_t qmail_user_domains;
+ mta_mailserver_user_agent(qmail_queue_t)
+
+ qmail_child_domain_template(qmail_remote, qmail_rspawn_t)
+ mta_mailserver_sender(qmail_remote_t)
+
+ qmail_child_domain_template(qmail_rspawn, qmail_start_t)
++
+ qmail_child_domain_template(qmail_send, qmail_start_t)
++
+ qmail_child_domain_template(qmail_smtpd, qmail_tcp_env_t)
++
qmail_child_domain_template(qmail_splogger, qmail_start_t)
type qmail_spool_t;
@@ -52434,20 +58087,43 @@ index 355b2a2..af2850e 100644
type qmail_start_t;
type qmail_start_exec_t;
-@@ -60,7 +60,7 @@ application_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t)
+@@ -55,28 +59,8 @@ application_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t)
+
########################################
#
- # qmail-clean local policy
--# this component cleans up the queue directory
+-# Common qmail child domain local policy
+-#
+-
+-allow qmail_child_domain self:process signal_perms;
+-
+-allow qmail_child_domain qmail_etc_t:dir list_dir_perms;
+-allow qmail_child_domain qmail_etc_t:file read_file_perms;
+-allow qmail_child_domain qmail_etc_t:lnk_file read_lnk_file_perms;
+-
+-allow qmail_child_domain qmail_start_t:fd use;
+-
+-corecmd_search_bin(qmail_child_domain)
+-
+-files_search_var(qmail_child_domain)
+-
+-fs_getattr_xattr_fs(qmail_child_domain)
+-
+-miscfiles_read_localization(qmail_child_domain)
+-
+-########################################
+-#
+-# Clean local policy
++# qmail-clean local policy
+# this component cleans up the queue directory
#
read_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t)
-@@ -69,11 +69,11 @@ delete_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t)
+@@ -84,11 +68,12 @@ delete_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t)
+
########################################
#
- # qmail-inject local policy
--# this component preprocesses mail from stdin and invokes qmail-queue
+-# Inject local policy
++# qmail-inject local policy
+# this component preprocesses mail from stdin and invokes qmail-queue
#
@@ -52457,7 +58133,7 @@ index 355b2a2..af2850e 100644
allow qmail_inject_t qmail_queue_exec_t:file read_file_perms;
-@@ -81,18 +81,17 @@ corecmd_search_bin(qmail_inject_t)
+@@ -96,18 +81,18 @@ corecmd_search_bin(qmail_inject_t)
files_search_var(qmail_inject_t)
@@ -52467,26 +58143,20 @@ index 355b2a2..af2850e 100644
########################################
#
- # qmail-local local policy
--# this component delivers a mail message
+-# Local local policy
++# qmail-local local policy
+# this component delivers a mail message
#
--allow qmail_local_t self:fifo_file write_file_perms;
+-allow qmail_local_t self:fifo_file write_fifo_file_perms;
allow qmail_local_t self:process signal_perms;
+-allow qmail_local_t self:unix_stream_socket { accept listen };
+allow qmail_local_t self:fifo_file write_file_perms;
- allow qmail_local_t self:unix_stream_socket create_stream_socket_perms;
++allow qmail_local_t self:unix_stream_socket create_stream_socket_perms;
manage_dirs_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t)
-@@ -109,7 +108,6 @@ kernel_read_system_state(qmail_local_t)
- corecmd_exec_bin(qmail_local_t)
- corecmd_exec_shell(qmail_local_t)
-
--files_read_etc_files(qmail_local_t)
- files_read_etc_runtime_files(qmail_local_t)
-
- auth_use_nsswitch(qmail_local_t)
-@@ -121,13 +119,17 @@ mta_append_spool(qmail_local_t)
+ manage_files_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t)
+@@ -134,12 +119,17 @@ mta_append_spool(qmail_local_t)
qmail_domtrans_queue(qmail_local_t)
optional_policy(`
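Review bot: `allow qmail_local_t self:unix_stream_socket create_stream_socket_perms;` widens the upstream `{ accept listen }` that this hunk removes, and `allow qmail_local_t self:fifo_file write_file_perms;` replaces the fifo-specific `write_fifo_file_perms` with the generic file permission set on the `fifo_file` class; neither change carries a comment naming the denial it resolves. If the broader socket set is needed, a one-line comment above the rule stating why qmail-local must create its own unix sockets would let the next upstream merge keep it deliberately rather than by accident; otherwise restoring `{ accept listen }` and `write_fifo_file_perms` keeps the domain at its upstream footprint. The qmail-local section continues outside this hunk.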
@@ -52499,24 +58169,26 @@ index 355b2a2..af2850e 100644
########################################
#
- # qmail-lspawn local policy
--# this component schedules local deliveries
+-# Lspawn local policy
++# qmail-lspawn local policy
+# this component schedules local deliveries
#
allow qmail_lspawn_t self:capability { setuid setgid };
-@@ -143,22 +145,21 @@ read_files_pattern(qmail_lspawn_t, qmail_spool_t, qmail_spool_t)
+@@ -153,21 +143,23 @@ allow qmail_lspawn_t qmail_local_exec_t:file read_file_perms;
- corecmd_search_bin(qmail_lspawn_t)
+ read_files_pattern(qmail_lspawn_t, qmail_spool_t, qmail_spool_t)
-files_read_etc_files(qmail_lspawn_t)
++corecmd_search_bin(qmail_lspawn_t)
++
files_search_pids(qmail_lspawn_t)
files_search_tmp(qmail_lspawn_t)
########################################
#
- # qmail-queue local policy
--# this component places a mail in a delivery queue, later to be processed by qmail-send
+-# Queue local policy
++# qmail-queue local policy
+# this component places a mail in a delivery queue, later to be processed by qmail-send
#
@@ -52530,55 +58202,78 @@ index 355b2a2..af2850e 100644
manage_dirs_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
manage_files_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
-@@ -175,7 +176,7 @@ optional_policy(`
+@@ -183,28 +175,34 @@ optional_policy(`
+
########################################
#
- # qmail-remote local policy
--# this component sends mail via SMTP
+-# Remote local policy
++# qmail-remote local policy
+# this component sends mail via SMTP
#
- allow qmail_remote_t self:tcp_socket create_socket_perms;
-@@ -183,7 +184,6 @@ allow qmail_remote_t self:udp_socket create_socket_perms;
-
++allow qmail_remote_t self:tcp_socket create_socket_perms;
++allow qmail_remote_t self:udp_socket create_socket_perms;
++
rw_files_pattern(qmail_remote_t, qmail_spool_t, qmail_spool_t)
-corenet_all_recvfrom_unlabeled(qmail_remote_t)
corenet_all_recvfrom_netlabel(qmail_remote_t)
corenet_tcp_sendrecv_generic_if(qmail_remote_t)
- corenet_udp_sendrecv_generic_if(qmail_remote_t)
-@@ -202,7 +202,7 @@ sysnet_read_config(qmail_remote_t)
++corenet_udp_sendrecv_generic_if(qmail_remote_t)
+ corenet_tcp_sendrecv_generic_node(qmail_remote_t)
+-
+-corenet_sendrecv_smtp_client_packets(qmail_remote_t)
+-corenet_tcp_connect_smtp_port(qmail_remote_t)
++corenet_udp_sendrecv_generic_node(qmail_remote_t)
+ corenet_tcp_sendrecv_smtp_port(qmail_remote_t)
++corenet_udp_sendrecv_dns_port(qmail_remote_t)
++corenet_tcp_connect_smtp_port(qmail_remote_t)
++corenet_sendrecv_smtp_client_packets(qmail_remote_t)
+
+ dev_read_rand(qmail_remote_t)
+ dev_read_urand(qmail_remote_t)
+
+-sysnet_dns_name_resolve(qmail_remote_t)
++sysnet_read_config(qmail_remote_t)
+
########################################
#
- # qmail-rspawn local policy
--# this component scedules remote deliveries
+-# Rspawn local policy
++# qmail-rspawn local policy
+# this component scedules remote deliveries
#
allow qmail_rspawn_t self:process signal_perms;
-@@ -217,7 +217,7 @@ corecmd_search_bin(qmail_rspawn_t)
+@@ -214,9 +212,12 @@ allow qmail_rspawn_t qmail_remote_exec_t:file read_file_perms;
+
+ rw_files_pattern(qmail_rspawn_t, qmail_spool_t, qmail_spool_t)
+
++corecmd_search_bin(qmail_rspawn_t)
++
########################################
#
- # qmail-send local policy
--# this component delivers mail messages from the queue
+-# Send local policy
++# qmail-send local policy
+# this component delivers mail messages from the queue
#
allow qmail_send_t self:process signal_perms;
-@@ -236,7 +236,7 @@ optional_policy(`
+@@ -234,7 +235,8 @@ optional_policy(`
+
########################################
#
- # qmail-smtpd local policy
--# this component receives mails via SMTP
+-# Smtpd local policy
++# qmail-smtpd local policy
+# this component receives mails via SMTP
#
allow qmail_smtpd_t self:process signal_perms;
-@@ -265,27 +265,25 @@ optional_policy(`
+@@ -262,26 +264,26 @@ optional_policy(`
+
########################################
#
- # splogger local policy
--# this component creates entries in syslog
+-# Splogger local policy
++# splogger local policy
+# this component creates entries in syslog
#
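Review bot: The qmail-remote block replaces `sysnet_dns_name_resolve(qmail_remote_t)` with `sysnet_read_config(qmail_remote_t)` plus a separate `corenet_udp_sendrecv_dns_port(qmail_remote_t)`, which hand-rolls part of the resolver interface and, as far as this hunk shows, leaves out the TCP DNS access that the bundled interface also covers (resolvers fall back to TCP for truncated answers). Keeping `sysnet_dns_name_resolve(qmail_remote_t)` and dropping the two replacement lines keeps name resolution in the one interface that tracks what a resolver needs, so the UDP generic if/node rules added just above remain the only qmail-specific network additions to audit here.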
@@ -52592,8 +58287,8 @@ index 355b2a2..af2850e 100644
########################################
#
- # qmail-start local policy
--# this component starts up the mail delivery component
+-# Start local policy
++# qmail-start local policy
+# this component starts up the mail delivery component
#
@@ -52605,31 +58300,18 @@ index 355b2a2..af2850e 100644
can_exec(qmail_start_t, qmail_start_exec_t)
-@@ -303,7 +301,7 @@ optional_policy(`
+@@ -298,7 +300,8 @@ optional_policy(`
+
########################################
#
- # tcp-env local policy
--# this component sets up TCP-related environment variables
+-# Tcp-env local policy
++# tcp-env local policy
+# this component sets up TCP-related environment variables
#
allow qmail_tcp_env_t qmail_smtpd_exec_t:file read_file_perms;
-diff --git a/qpid.fc b/qpid.fc
-index 4f94229..f3b89e4 100644
---- a/qpid.fc
-+++ b/qpid.fc
-@@ -1,6 +1,7 @@
--/etc/rc\.d/init\.d/qpidd -- gen_context(system_u:object_r:qpidd_initrc_exec_t,s0)
-
--/usr/sbin/qpidd -- gen_context(system_u:object_r:qpidd_exec_t,s0)
-+/usr/sbin/qpidd -- gen_context(system_u:object_r:qpidd_exec_t,s0)
-+
-+/etc/rc\.d/init\.d/qpidd -- gen_context(system_u:object_r:qpidd_initrc_exec_t,s0)
-
- /var/lib/qpidd(/.*)? gen_context(system_u:object_r:qpidd_var_lib_t,s0)
-
diff --git a/qpid.if b/qpid.if
-index 5a9630c..bedca3a 100644
+index cd51b96..670cb1a 100644
--- a/qpid.if
+++ b/qpid.if
@@ -1,4 +1,4 @@
@@ -52638,19 +58320,23 @@ index 5a9630c..bedca3a 100644
########################################
## <summary>
-@@ -18,9 +18,9 @@ interface(`qpidd_domtrans',`
+@@ -15,13 +15,12 @@ interface(`qpidd_domtrans',`
+ type qpidd_t, qpidd_exec_t;
+ ')
+
+- corecmd_search_bin($1)
domtrans_pattern($1, qpidd_exec_t, qpidd_t)
')
-#####################################
+########################################
## <summary>
--## Allow read and write access to qpidd semaphores.
+-## Read and write access qpidd semaphores.
+## Execute qpidd server in the qpidd domain.
## </summary>
## <param name="domain">
## <summary>
-@@ -28,17 +28,17 @@ interface(`qpidd_domtrans',`
+@@ -29,17 +28,17 @@ interface(`qpidd_domtrans',`
## </summary>
## </param>
#
@@ -52667,12 +58353,12 @@ index 5a9630c..bedca3a 100644
########################################
## <summary>
--## Read and write to qpidd shared memory.
+-## Read and write qpidd shared memory.
+## Read qpidd PID files.
## </summary>
## <param name="domain">
## <summary>
-@@ -46,17 +46,18 @@ interface(`qpidd_rw_semaphores',`
+@@ -47,36 +46,39 @@ interface(`qpidd_rw_semaphores',`
## </summary>
## </param>
#
@@ -52690,12 +58376,14 @@ index 5a9630c..bedca3a 100644
########################################
## <summary>
--## Execute qpidd server in the qpidd domain.
+-## Execute qpidd init script in
+-## the initrc domain.
+## Manage qpidd var_run files.
## </summary>
## <param name="domain">
## <summary>
-@@ -64,17 +65,20 @@ interface(`qpidd_rw_shm',`
+-## Domain allowed to transition.
++## Domain allowed access.
## </summary>
## </param>
#
@@ -52715,12 +58403,12 @@ index 5a9630c..bedca3a 100644
########################################
## <summary>
--## Read qpidd PID files.
+-## Read qpidd pid files.
+## Search qpidd lib directories.
## </summary>
## <param name="domain">
## <summary>
-@@ -82,18 +86,18 @@ interface(`qpidd_initrc_domtrans',`
+@@ -84,18 +86,18 @@ interface(`qpidd_initrc_domtrans',`
## </summary>
## </param>
#
@@ -52744,7 +58432,7 @@ index 5a9630c..bedca3a 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -101,18 +105,19 @@ interface(`qpidd_read_pid_files',`
+@@ -103,18 +105,19 @@ interface(`qpidd_read_pid_files',`
## </summary>
## </param>
#
@@ -52754,8 +58442,8 @@ index 5a9630c..bedca3a 100644
type qpidd_var_lib_t;
')
-- allow $1 qpidd_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
+- allow $1 qpidd_var_lib_t:dir search_dir_perms;
+ read_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
')
@@ -52767,7 +58455,7 @@ index 5a9630c..bedca3a 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -120,19 +125,18 @@ interface(`qpidd_search_lib',`
+@@ -122,19 +125,18 @@ interface(`qpidd_search_lib',`
## </summary>
## </param>
#
@@ -52790,7 +58478,7 @@ index 5a9630c..bedca3a 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -140,13 +144,15 @@ interface(`qpidd_read_lib_files',`
+@@ -142,49 +144,94 @@ interface(`qpidd_read_lib_files',`
## </summary>
## </param>
#
@@ -52806,40 +58494,18 @@ index 5a9630c..bedca3a 100644
+ manage_lnk_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
')
- ########################################
-@@ -171,8 +177,11 @@ interface(`qpidd_admin',`
- type qpidd_t, qpidd_initrc_exec_t;
- ')
-
-- allow $1 qpidd_t:process { ptrace signal_perms };
-+ allow $1 qpidd_t:process signal_perms;
- ps_process_pattern($1, qpidd_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 qpidd_t:process ptrace;
-+ ')
-
- # Allow qpidd_t to restart the apache service
- qpidd_initrc_domtrans($1)
-@@ -180,7 +189,46 @@ interface(`qpidd_admin',`
- role_transition $2 qpidd_initrc_exec_t system_r;
- allow $2 system_r;
-
-- admin_pattern($1, qpidd_var_lib_t)
-+ qpidd_manage_var_run($1)
-
-- admin_pattern($1, qpidd_var_run_t)
-+ qpidd_manage_var_lib($1)
-+')
-+
+-########################################
+#####################################
-+## <summary>
+ ## <summary>
+-## All of the rules required to
+-## administrate an qpidd environment.
+## Allow read and write access to qpidd semaphores.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+#
+interface(`qpidd_rw_semaphores',`
+ gen_require(`
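Review bot: The banner introduced above the new `qpidd_rw_semaphores` interface, `#####################################`, is shorter than the 40-character `########################################` used for every other section in these files (including the banner a few lines earlier in this hunk), so the qpid.if interfaces no longer read uniformly. Use the standard 40-character banner for this section as well. The interface body continues beyond this hunk.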
@@ -52868,32 +58534,73 @@ index 5a9630c..bedca3a 100644
+ allow $1 qpidd_t:shm rw_shm_perms;
+ fs_search_tmpfs($1)
+ manage_files_pattern($1, qpidd_tmpfs_t, qpidd_tmpfs_t)
- ')
-diff --git a/qpid.te b/qpid.te
-index cb7ecb5..68f26ad 100644
---- a/qpid.te
-+++ b/qpid.te
-@@ -12,12 +12,15 @@ init_daemon_domain(qpidd_t, qpidd_exec_t)
- type qpidd_initrc_exec_t;
- init_script_file(qpidd_initrc_exec_t)
++')
++
++#######################################
++## <summary>
++## All of the rules required to
++## administrate an qpidd environment.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
+ ## <param name="role">
+-## <summary>
+-## Role allowed access.
+-## </summary>
++## <summary>
++## Role allowed access.
++## </summary>
+ ## </param>
+ ## <rolecap/>
+ #
+ interface(`qpidd_admin',`
+- gen_require(`
+- type qpidd_t, qpidd_initrc_exec_t, qpidd_var_lib_t;
+- type qpidd_var_run_t;
+- ')
++ gen_require(`
++ type qpidd_t, qpidd_initrc_exec_t, qpidd_var_lib_t;
++ type qpidd_var_run_t;
++ ')
--type qpidd_var_lib_t;
--files_type(qpidd_var_lib_t)
-+type qpidd_tmpfs_t;
-+files_tmpfs_file(qpidd_tmpfs_t)
+- allow $1 qpidd_t:process { ptrace signal_perms };
+- ps_process_pattern($1, qpidd_t)
++ allow $1 qpidd_t:process { signal_perms };
++ ps_process_pattern($1, qpidd_t)
+
+- qpidd_initrc_domtrans($1)
+- domain_system_change_exemption($1)
+- role_transition $2 qpidd_initrc_exec_t system_r;
+- allow $2 system_r;
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 qpidd_t:process ptrace;
++ ')
- type qpidd_var_run_t;
- files_pid_file(qpidd_var_run_t)
+- files_search_var_lib($1(
+- admin_pattern($1, qpidd_var_lib_t)
++ qpidd_initrc_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 qpidd_initrc_exec_t system_r;
++ allow $2 system_r;
-+type qpidd_var_lib_t;
-+files_type(qpidd_var_lib_t)
+- files_search_pids($1)
+- admin_pattern($1, qpidd_var_run_t)
++ files_search_var_lib($1(
++ admin_pattern($1, qpidd_var_lib_t)
+
- ########################################
- #
- # qpidd local policy
-@@ -30,34 +33,41 @@ allow qpidd_t self:shm create_shm_perms;
- allow qpidd_t self:tcp_socket create_stream_socket_perms;
- allow qpidd_t self:unix_stream_socket create_stream_socket_perms;
++ files_search_pids($1)
++ admin_pattern($1, qpidd_var_run_t)
+ ')
+diff --git a/qpid.te b/qpid.te
+index 76f5b39..8bf531a 100644
+--- a/qpid.te
++++ b/qpid.te
+@@ -37,18 +37,22 @@ manage_dirs_pattern(qpidd_t, qpidd_tmpfs_t, qpidd_tmpfs_t)
+ manage_files_pattern(qpidd_t, qpidd_tmpfs_t, qpidd_tmpfs_t)
+ fs_tmpfs_filetrans(qpidd_t, qpidd_tmpfs_t, { dir file })
-manage_dirs_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t)
-manage_files_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t)
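Review bot: `files_search_var_lib($1(` in the rebuilt `qpidd_admin` has an unbalanced parenthesis and should read `files_search_var_lib($1)`. The text is inherited from the upstream line this hunk also shows, but the patch re-emits it on its new side, so the `)` closing the macro call is never supplied and m4 will swallow the following lines as arguments the first time `qpidd_admin` is instantiated, unless this is an artifact of the mail rendering, which is worth verifying against the actual patch file. Minor style point: `allow $1 qpidd_t:process { signal_perms };` does not need braces around a single macro; `allow $1 qpidd_t:process signal_perms;` matches the rest of the file.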
@@ -52918,19 +58625,20 @@ index cb7ecb5..68f26ad 100644
+corenet_tcp_bind_generic_node(qpidd_t)
corenet_tcp_sendrecv_generic_if(qpidd_t)
corenet_tcp_sendrecv_generic_node(qpidd_t)
- corenet_tcp_sendrecv_all_ports(qpidd_t)
--corenet_tcp_bind_generic_node(qpidd_t)
+ corenet_tcp_bind_generic_node(qpidd_t)
+@@ -57,17 +61,18 @@ corenet_sendrecv_amqp_server_packets(qpidd_t)
corenet_tcp_bind_amqp_port(qpidd_t)
+ corenet_tcp_sendrecv_amqp_port(qpidd_t)
+
++
+corenet_tcp_bind_matahari_port(qpidd_t)
-+corenet_tcp_connect_amqp_port(qpidd_t)
+corenet_tcp_connect_matahari_port(qpidd_t)
-
-+dev_read_sysfs(qpidd_t)
++
+ dev_read_sysfs(qpidd_t)
dev_read_urand(qpidd_t)
- files_read_etc_files(qpidd_t)
-+files_read_usr_files(qpidd_t)
-
+-files_read_etc_files(qpidd_t)
+-
logging_send_syslog_msg(qpidd_t)
-miscfiles_read_localization(qpidd_t)
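Review bot: `corenet_tcp_bind_generic_node(qpidd_t)` ends up twice in the patched qpid.te: the patch still adds it ahead of `corenet_tcp_sendrecv_generic_if`, while the refreshed context now shows upstream already carrying the same call after `corenet_tcp_sendrecv_generic_node`. Duplicate allow rules are harmless to checkpolicy, but they are patch noise that will resurface at every merge, so the Fedora-side addition should be dropped. The patch also no longer adds `corenet_tcp_connect_amqp_port(qpidd_t)`; if upstream's qpid.te does not carry that rule (not visible here), broker-to-broker links to a remote AMQP port lose their connect permission and the removal deserves a changelog mention.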
@@ -52942,31 +58650,25 @@ index cb7ecb5..68f26ad 100644
')
+
diff --git a/quantum.fc b/quantum.fc
-new file mode 100644
-index 0000000..9108437
---- /dev/null
+index 70ab68b..9ac57eb 100644
+--- a/quantum.fc
+++ b/quantum.fc
-@@ -0,0 +1,10 @@
-+/usr/bin/quantum-server -- gen_context(system_u:object_r:quantum_exec_t,s0)
-+/usr/bin/quantum-openvswitch-agent -- gen_context(system_u:object_r:quantum_exec_t,s0)
-+/usr/bin/quantum-linuxbridge-agent -- gen_context(system_u:object_r:quantum_exec_t,s0)
-+/usr/bin/quantum-ryu-agent -- gen_context(system_u:object_r:quantum_exec_t,s0)
-+
+@@ -1,3 +1,5 @@
+/usr/lib/systemd/system/quantum.* -- gen_context(system_u:object_r:quantum_unit_file_t,s0)
+
-+/var/lib/quantum(/.*)? gen_context(system_u:object_r:quantum_var_lib_t,s0)
-+
-+/var/log/quantum(/.*)? gen_context(system_u:object_r:quantum_log_t,s0)
+ /etc/rc\.d/init\.d/quantum.* -- gen_context(system_u:object_r:quantum_initrc_exec_t,s0)
+
+ /usr/bin/quantum-server -- gen_context(system_u:object_r:quantum_exec_t,s0)
diff --git a/quantum.if b/quantum.if
-new file mode 100644
-index 0000000..010b2be
---- /dev/null
+index afc0068..7616aa4 100644
+--- a/quantum.if
+++ b/quantum.if
-@@ -0,0 +1,218 @@
-+## <summary>Quantum is a virtual network service for Openstack</summary>
-+
-+########################################
-+## <summary>
+@@ -2,41 +2,217 @@
+
+ ########################################
+ ## <summary>
+-## All of the rules required to
+-## administrate an quantum environment.
+## Transition to quantum.
+## </summary>
+## <param name="domain">
@@ -52987,12 +58689,13 @@ index 0000000..010b2be
+########################################
+## <summary>
+## Read quantum's log files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <param name="role">
+## <rolecap/>
+#
+interface(`quantum_read_log',`
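Review bot: `## <rolecap/>` is left in the documentation of `quantum_read_log`, whose only parameter is `domain`; `<rolecap/>` marks interfaces that grant a role access and it is a leftover of the `quantum_admin` header this text replaces (the `## <param name="role">` line is removed in this same hunk). Delete the `## <rolecap/>` line so the generated interface documentation does not advertise a role capability the interface does not have.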
@@ -53009,7 +58712,8 @@ index 0000000..010b2be
+## Append to quantum log files.
+## </summary>
+## <param name="domain">
-+## <summary>
+ ## <summary>
+-## Role allowed access.
+## Domain allowed access.
+## </summary>
+## </param>
@@ -53152,27 +58856,37 @@ index 0000000..010b2be
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`quantum_admin',`
-+ gen_require(`
++## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <rolecap/>
+ #
+ interface(`quantum_admin',`
+ gen_require(`
+- type quantum_t, quantum_initrc_exec_t, quantum_log_t;
+- type quantum_var_lib_t, quantum_tmp_t;
+ type quantum_t;
+ type quantum_log_t;
+ type quantum_var_lib_t;
+ type quantum_unit_file_t;
-+ ')
-+
-+ allow $1 quantum_t:process { ptrace signal_perms };
-+ ps_process_pattern($1, quantum_t)
-+
-+ logging_search_logs($1)
-+ admin_pattern($1, quantum_log_t)
-+
-+ files_search_var_lib($1)
-+ admin_pattern($1, quantum_var_lib_t)
-+
+ ')
+
+ allow $1 quantum_t:process { ptrace signal_perms };
+ ps_process_pattern($1, quantum_t)
+
+- init_labeled_script_domtrans($1, quantum_initrc_exec_t)
+- domain_system_change_exemption($1)
+- role_transition $2 quantum_initrc_exec_t system_r;
+- allow $2 system_r;
+-
+ logging_search_logs($1)
+ admin_pattern($1, quantum_log_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, quantum_var_lib_t)
+
+- files_search_tmp($1)
+- admin_pattern($1, quantum_tmp_t)
+ quantum_systemctl($1)
+ admin_pattern($1, quantum_unit_file_t)
+ allow $1 quantum_unit_file_t:service all_service_perms;
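Review bot: `quantum_admin` keeps the unconditional `allow $1 quantum_t:process { ptrace signal_perms };`, while `qpidd_admin` in this same patch moves ptrace under `tunable_policy(`deny_ptrace', ...)`; the two admin interfaces should follow one rule. Replace it with `allow $1 quantum_t:process signal_perms;` followed by the same `tunable_policy(`deny_ptrace',`',` allow $1 quantum_t:process ptrace; ')` block used for qpidd. The rewrite also drops `files_search_tmp($1)` and `admin_pattern($1, quantum_tmp_t)` although `quantum_tmp_t` is still declared in quantum.te (`files_tmp_file(quantum_tmp_t)` appears as context there), so administrators lose the ability to clean up quantum's tmp files; if that is intended it deserves a changelog note, otherwise keep the two lines.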
@@ -53180,201 +58894,293 @@ index 0000000..010b2be
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
-+')
+ ')
diff --git a/quantum.te b/quantum.te
-new file mode 100644
-index 0000000..6e15504
---- /dev/null
+index 769d1fd..e08eabf 100644
+--- a/quantum.te
+++ b/quantum.te
-@@ -0,0 +1,80 @@
-+policy_module(quantum, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type quantum_t;
-+type quantum_exec_t;
-+init_daemon_domain(quantum_t, quantum_exec_t)
-+
-+type quantum_log_t;
-+logging_log_file(quantum_log_t)
-+
-+type quantum_tmp_t;
-+files_tmp_file(quantum_tmp_t)
-+
-+type quantum_var_lib_t;
-+files_type(quantum_var_lib_t)
-+
+@@ -21,6 +21,9 @@ files_tmp_file(quantum_tmp_t)
+ type quantum_var_lib_t;
+ files_type(quantum_var_lib_t)
+
+type quantum_unit_file_t;
+systemd_unit_file(quantum_unit_file_t)
+
-+########################################
-+#
-+# quantum local policy
-+#
-+allow quantum_t self:capability { setuid sys_resource setgid audit_write };
-+allow quantum_t self:process { setsched setrlimit };
-+allow quantum_t self:key manage_key_perms;
-+
-+allow quantum_t self:fifo_file rw_fifo_file_perms;
-+allow quantum_t self:unix_stream_socket create_stream_socket_perms;
-+allow quantum_t self:tcp_socket create_stream_socket_perms;
-+
-+manage_dirs_pattern(quantum_t, quantum_log_t, quantum_log_t)
-+manage_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
-+logging_log_filetrans(quantum_t, quantum_log_t, { dir file })
-+
-+manage_files_pattern(quantum_t, quantum_tmp_t, quantum_tmp_t)
-+files_tmp_filetrans(quantum_t, quantum_tmp_t, file)
-+can_exec(quantum_t, quantum_tmp_t)
-+
-+manage_dirs_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t)
-+manage_files_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t)
-+files_var_lib_filetrans(quantum_t, quantum_var_lib_t, { dir file })
-+
-+kernel_read_kernel_sysctls(quantum_t)
-+kernel_read_system_state(quantum_t)
-+
-+corecmd_exec_shell(quantum_t)
-+corecmd_exec_bin(quantum_t)
-+
+ ########################################
+ #
+ # Local policy
+@@ -61,11 +64,13 @@ corenet_tcp_sendrecv_generic_node(quantum_t)
+ corenet_tcp_sendrecv_all_ports(quantum_t)
+ corenet_tcp_bind_generic_node(quantum_t)
+
+corenet_tcp_bind_generic_node(quantum_t)
+corenet_tcp_bind_quantum_port(quantum_t)
+corenet_tcp_connect_mysqld_port(quantum_t)
+
-+dev_read_urand(quantum_t)
-+dev_list_sysfs(quantum_t)
-+
-+domain_use_interactive_fds(quantum_t)
-+
-+files_read_usr_files(quantum_t)
-+
-+auth_use_nsswitch(quantum_t)
-+
-+libs_exec_ldconfig(quantum_t)
-+
-+logging_send_audit_msgs(quantum_t)
-+logging_send_syslog_msg(quantum_t)
-+
-+sysnet_domtrans_ifconfig(quantum_t)
-+
-+optional_policy(`
-+ brctl_domtrans(quantum_t)
-+')
+ dev_list_sysfs(quantum_t)
+ dev_read_urand(quantum_t)
+
+-files_read_usr_files(quantum_t)
+-
+ auth_use_nsswitch(quantum_t)
+
+ libs_exec_ldconfig(quantum_t)
+@@ -73,8 +78,6 @@ libs_exec_ldconfig(quantum_t)
+ logging_send_audit_msgs(quantum_t)
+ logging_send_syslog_msg(quantum_t)
+
+-miscfiles_read_localization(quantum_t)
+-
+ sysnet_domtrans_ifconfig(quantum_t)
+
+ optional_policy(`
+@@ -94,3 +97,7 @@ optional_policy(`
+
+ postgresql_tcp_connect(quantum_t)
+ ')
+
+optional_policy(`
+ sudo_exec(quantum_t)
+')
diff --git a/quota.fc b/quota.fc
-index f387230..0ee2489 100644
+index cadabe3..0ee2489 100644
--- a/quota.fc
+++ b/quota.fc
-@@ -1,4 +1,5 @@
+@@ -1,6 +1,5 @@
HOME_ROOT/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+-
+-HOME_DIR/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+HOME_DIR/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
-@@ -8,12 +9,21 @@ HOME_ROOT/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+@@ -8,24 +7,23 @@ HOME_DIR/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
- /sbin/quota(check|on) -- gen_context(system_u:object_r:quota_exec_t,s0)
+ /etc/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+
+-/etc/rc\.d/init\.d/quota_nld -- gen_context(system_u:object_r:quota_nld_initrc_exec_t,s0)
+-
+-/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0)
+-/sbin/quota(check|on) -- gen_context(system_u:object_r:quota_exec_t,s0)
++/sbin/quota(check|on) -- gen_context(system_u:object_r:quota_exec_t,s0)
+
+-/usr/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0)
+ /usr/sbin/quota(check|on) -- gen_context(system_u:object_r:quota_exec_t,s0)
+-/usr/sbin/quota_nld -- gen_context(system_u:object_r:quota_nld_exec_t,s0)
-+/usr/sbin/quota(check|on) -- gen_context(system_u:object_r:quota_exec_t,s0)
-+
/var/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
- /var/lib/quota(/.*)? gen_context(system_u:object_r:quota_flag_t,s0)
--/var/spool/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
++/var/lib/quota(/.*)? gen_context(system_u:object_r:quota_flag_t,s0)
+/var/spool/(.*/)?a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
- ifdef(`distro_redhat',`
- /usr/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0)
- ',`
- /sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0)
- ')
-+
+-/var/lib/quota(/.*)? gen_context(system_u:object_r:quota_flag_t,s0)
++ifdef(`distro_redhat',`
++/usr/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0)
++',`
++/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0)
++')
+
+-/var/run/quota_nld\.pid -- gen_context(system_u:object_r:quota_nld_var_run_t,s0)
+/usr/sbin/quota_nld -- gen_context(system_u:object_r:quota_nld_exec_t,s0)
-+
+
+-/var/spool/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+/var/lib/stickshift/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+/var/lib/openshift/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
-+
+
+-/var/spool/imap/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+-/var/spool/(client)?mqueue/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+-/var/spool/mqueue\.in/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+-/var/spool/mail/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+/var/run/quota_nld\.pid -- gen_context(system_u:object_r:quota_nld_var_run_t,s0)
diff --git a/quota.if b/quota.if
-index bf75d99..3fb8575 100644
+index da64218..3fb8575 100644
--- a/quota.if
+++ b/quota.if
-@@ -45,6 +45,24 @@ interface(`quota_run',`
- role $2 types quota_t;
+@@ -1,4 +1,4 @@
+-## <summary>File system quota management.</summary>
++## <summary>File system quota management</summary>
+
+ ########################################
+ ## <summary>
+@@ -21,9 +21,8 @@ interface(`quota_domtrans',`
+
+ ########################################
+ ## <summary>
+-## Execute quota management tools in
+-## the quota domain, and allow the
+-## specified role the quota domain.
++## Execute quota management tools in the quota domain, and
++## allow the specified role the quota domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -39,90 +38,54 @@ interface(`quota_domtrans',`
+ #
+ interface(`quota_run',`
+ gen_require(`
+- attribute_role quota_roles;
++ type quota_t;
+ ')
+
+ quota_domtrans($1)
+- roleattribute $2 quota_roles;
++ role $2 types quota_t;
')
-+#######################################
-+## <summary>
+ #######################################
+ ## <summary>
+-## Execute quota nld in the quota nld domain.
+## Alow to read of filesystem quota data files.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
+-## Domain allowed to transition.
+-## </summary>
+## <summary>
+## Domain to not audit.
+## </summary>
-+## </param>
-+#
+ ## </param>
+ #
+-interface(`quota_domtrans_nld',`
+- gen_require(`
+- type quota_nld_t, quota_nld_exec_t;
+- ')
+interface(`quota_read_db',`
+ gen_require(`
+ type quota_db_t;
+ ')
-+
+
+- corecmd_search_bin($1)
+- domtrans_pattern($1, quota_nld_exec_t, quota_nld_t)
+ allow $1 quota_db_t:file read_file_perms;
-+')
-+
+ ')
+
########################################
## <summary>
- ## Do not audit attempts to get the attributes
-@@ -67,6 +85,25 @@ interface(`quota_dontaudit_getattr_db',`
+-## Create, read, write, and delete
+-## quota db files.
+-## </summary>
+-## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+-## </param>
+-#
+-interface(`quota_manage_db_files',`
+- gen_require(`
+- type quota_db_t;
+- ')
+-
+- allow $1 quota_db_t:file manage_file_perms;
+-')
+-
+-########################################
+-## <summary>
+-## Create specified objects in specified
+-## directories with a type transition to
+-## the quota db file type.
++## Do not audit attempts to get the attributes
++## of filesystem quota data files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
+-## </summary>
+-## </param>
+-## <param name="file_type">
+-## <summary>
+-## Directory to transition on.
+-## </summary>
+-## </param>
+-## <param name="object">
+-## <summary>
+-## The object class of the object being created.
+-## </summary>
+-## </param>
+-## <param name="name" optional="true">
+-## <summary>
+-## The name of the object being created.
++## Domain to not audit.
+ ## </summary>
+ ## </param>
+ #
+-interface(`quota_spec_filetrans_db',`
++interface(`quota_dontaudit_getattr_db',`
+ gen_require(`
+ type quota_db_t;
+ ')
+
+- filetrans_pattern($1, $2, quota_db_t, $3, $4)
++ dontaudit $1 quota_db_t:file getattr_file_perms;
+ ')
+
########################################
## <summary>
- ## Create, read, write, and delete quota
+-## Do not audit attempts to get attributes
+-## of filesystem quota data files.
++## Create, read, write, and delete quota
+## db files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -130,18 +93,18 @@ interface(`quota_spec_filetrans_db',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`quota_dontaudit_getattr_db',`
+interface(`quota_manage_db',`
-+ gen_require(`
-+ type quota_db_t;
-+ ')
-+
+ gen_require(`
+ type quota_db_t;
+ ')
+
+- dontaudit $1 quota_db_t:file getattr_file_perms;
+ allow $1 quota_db_t:file manage_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete
+-## quota flag files.
+## Create, read, write, and delete quota
- ## flag files.
++## flag files.
## </summary>
## <param name="domain">
-@@ -83,3 +120,59 @@ interface(`quota_manage_flags',`
- files_search_var_lib($1)
- manage_files_pattern($1, quota_flag_t, quota_flag_t)
- ')
-+
-+########################################
-+## <summary>
+ ## <summary>
+@@ -160,37 +123,56 @@ interface(`quota_manage_flags',`
+
+ ########################################
+ ## <summary>
+-## All of the rules required to
+-## administrate an quota environment.
+## Transition to quota named content
-+## </summary>
-+## <param name="domain">
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
+-## </summary>
+-## </param>
+-## <param name="role">
+-## <summary>
+-## Role allowed access.
+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`quota_admin',`
+interface(`quota_filetrans_named_content',`
-+ gen_require(`
+ gen_require(`
+- type quota_nld_t, quota_t, quota_db_t;
+- type quota_nld_initrc_exec_t, quota_flag_t, quota_nld_var_run_t;
+ type quota_db_t;
-+ ')
-+
+ ')
+
+- allow $1 { quota_nld_t quota_t }:process { ptrace signal_perms };
+- ps_process_pattern($1, { quota_nld_t quota_t })
+-
+- init_labeled_script_domtrans($1, quota_nld_initrc_exec_t)
+- domain_system_change_exemption($1)
+- role_transition $2 quota_nld_initrc_exec_t system_r;
+- allow $2 system_r;
+ files_root_filetrans($1, quota_db_t, file, "aquota.user")
+ files_root_filetrans($1, quota_db_t, file, "aquota.group")
+ files_boot_filetrans($1, quota_db_t, file, "aquota.user")
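Review bot: The new side of quota.if removes upstream's public interfaces `quota_manage_db_files`, `quota_spec_filetrans_db` and `quota_admin` and replaces them with the differently named `quota_manage_db` and `quota_filetrans_named_content`; any module that calls the upstream names (role modules typically call the `*_admin` interfaces) will fail to build, and the replacements are not drop-in because `quota_admin` also took a `role` argument. Keep the upstream names, at least as thin wrappers such as `interface(`quota_manage_db_files',` quota_manage_db($1) ')`, instead of renaming. Separately, the doc block of `quota_read_db` is copied from a dontaudit interface: its summary reads `Alow to read of filesystem quota data files.` and the parameter is described as `Domain to not audit.`; it should say `Read filesystem quota data files.` and `Domain allowed access.`. The `quota_filetrans_named_content` body continues past the end of this hunk.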
@@ -53396,7 +59202,9 @@ index bf75d99..3fb8575 100644
+ mta_spool_filetrans_queue($1, quota_db_t, file, "aquota.user")
+ mta_spool_filetrans_queue($1, quota_db_t, file, "aquota.group")
+')
-+
+
+- files_list_all($1)
+- admin_pattern($1, { quota_db_t quota_flag quota_nld_var_run_t })
+#######################################
+## <summary>
+## Transition to quota_nld.
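Review bot: `quota_filetrans_named_content` calls `mta_spool_filetrans_queue(...)` directly; because interface bodies are expanded in the caller's module, every caller now hard-depends on the mta module, whereas quota.te wraps its equivalent rules in `optional_policy`. If mta can be absent from a build, these two calls need the same `optional_policy(` wrapper or a comment explaining why a hard dependency is acceptable. Cosmetic: the separator inserted above `quota_domtrans_nld` is 37 `#` characters while the others in this file are 40. The interface body ends outside this hunk.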
@@ -53411,44 +59219,58 @@ index bf75d99..3fb8575 100644
+ gen_require(`
+ type quota_nld_t, quota_nld_exec_t;
+ ')
-+
+
+- quota_run($1, $2)
+ corecmd_search_bin($1)
+ domtrans_pattern($1, quota_nld_exec_t, quota_nld_t)
-+')
+ ')
diff --git a/quota.te b/quota.te
-index 5dd42f5..0df6e21 100644
+index 4b2c272..0df6e21 100644
--- a/quota.te
+++ b/quota.te
-@@ -7,7 +7,8 @@ policy_module(quota, 1.5.0)
+@@ -1,16 +1,14 @@
+-policy_module(quota, 1.5.2)
++policy_module(quota, 1.5.0)
+
+ ########################################
+ #
+ # Declarations
+ #
+-attribute_role quota_roles;
+-
type quota_t;
type quota_exec_t;
-init_system_domain(quota_t, quota_exec_t)
+-role quota_roles types quota_t;
+application_domain(quota_t, quota_exec_t)
+#init_system_domain(quota_t, quota_exec_t)
type quota_db_t;
files_type(quota_db_t)
-@@ -15,6 +16,13 @@ files_type(quota_db_t)
- type quota_flag_t;
- files_type(quota_flag_t)
+@@ -22,9 +20,6 @@ type quota_nld_t;
+ type quota_nld_exec_t;
+ init_daemon_domain(quota_nld_t, quota_nld_exec_t)
-+type quota_nld_t;
-+type quota_nld_exec_t;
-+init_daemon_domain(quota_nld_t, quota_nld_exec_t)
-+
-+type quota_nld_var_run_t;
-+files_pid_file(quota_nld_var_run_t)
-+
- ########################################
- #
- # Local policy
-@@ -34,6 +42,17 @@ files_home_filetrans(quota_t, quota_db_t, file)
- files_usr_filetrans(quota_t, quota_db_t, file)
- files_var_filetrans(quota_t, quota_db_t, file)
+-type quota_nld_initrc_exec_t;
+-init_script_file(quota_nld_initrc_exec_t)
+-
+ type quota_nld_var_run_t;
+ files_pid_file(quota_nld_var_run_t)
+
+@@ -37,6 +32,7 @@ allow quota_t self:capability { sys_admin dac_override };
+ dontaudit quota_t self:capability sys_tty_config;
+ allow quota_t self:process signal_perms;
+
++# for /quota.*
+ allow quota_t quota_db_t:file { manage_file_perms quotaon };
+ files_root_filetrans(quota_t, quota_db_t, file)
+ files_boot_filetrans(quota_t, quota_db_t, file)
+@@ -48,7 +44,16 @@ files_var_filetrans(quota_t, quota_db_t, file)
files_spool_filetrans(quota_t, quota_db_t, file)
-+userdom_user_home_dir_filetrans(quota_t, quota_db_t, file)
-+
+ userdom_user_home_dir_filetrans(quota_t, quota_db_t, file)
+
+-kernel_request_load_module(quota_t)
+optional_policy(`
+ mta_spool_filetrans(quota_t, quota_db_t, file)
+ mta_spool_filetrans(quota_t, quota_db_t, file)
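Review bot: `mta_spool_filetrans(quota_t, quota_db_t, file)` is listed twice inside the new `optional_policy` block, and the upstream pair it replaces (`mta_queue_filetrans` plus `mta_spool_filetrans`, removed later in the patch) loses its queue half; one of the two lines is presumably meant to be the queue variant, and quota.if already uses `mta_spool_filetrans_queue` for this purpose, so the second line should become `mta_spool_filetrans_queue(quota_t, quota_db_t, file)` or be deleted. The same hunk rewrites `policy_module(quota, 1.5.2)` to `1.5.0` and reverts upstream's `quota_roles` attribute; downgrading the module version and undoing an upstream refactor makes the patch drift rather than shrink and should be avoided unless something in Fedora depends on the old form. `kernel_request_load_module(quota_t)` is removed as well; quotaon can trigger a kernel module autoload, so unless the rule is re-added elsewhere in the patch this will surface as a `system module_request` denial.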
@@ -53458,10 +59280,40 @@ index 5dd42f5..0df6e21 100644
+optional_policy(`
+ openshift_lib_filetrans(quota_t, quota_db_t, file)
+')
-
++
kernel_list_proc(quota_t)
kernel_read_proc_symlinks(quota_t)
-@@ -72,7 +91,7 @@ init_use_script_ptys(quota_t)
+ kernel_read_kernel_sysctls(quota_t)
+@@ -58,14 +63,6 @@ dev_read_sysfs(quota_t)
+ dev_getattr_all_blk_files(quota_t)
+ dev_getattr_all_chr_files(quota_t)
+
+-files_list_all(quota_t)
+-files_read_all_files(quota_t)
+-files_read_all_symlinks(quota_t)
+-files_getattr_all_pipes(quota_t)
+-files_getattr_all_sockets(quota_t)
+-files_getattr_all_file_type_fs(quota_t)
+-files_read_etc_runtime_files(quota_t)
+-
+ fs_get_xattr_fs_quotas(quota_t)
+ fs_set_xattr_fs_quotas(quota_t)
+ fs_getattr_xattr_fs(quota_t)
+@@ -80,20 +77,24 @@ term_dontaudit_use_console(quota_t)
+
+ domain_use_interactive_fds(quota_t)
+
++files_list_all(quota_t)
++files_read_all_files(quota_t)
++files_read_all_symlinks(quota_t)
++files_getattr_all_pipes(quota_t)
++files_getattr_all_sockets(quota_t)
++files_getattr_all_file_type_fs(quota_t)
++# Read /etc/mtab.
++files_read_etc_runtime_files(quota_t)
++
+ init_use_fds(quota_t)
+ init_use_script_ptys(quota_t)
logging_send_syslog_msg(quota_t)
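Review bot: The block from `files_list_all(quota_t)` to `files_read_etc_runtime_files(quota_t)` is deleted from its upstream position and re-added verbatim a few lines lower, gaining only a `# Read /etc/mtab.` comment; that is sixteen lines of patch for no policy change and it will conflict on every future merge. Keep upstream's ordering and add the comment where the line already lives. `files_read_all_files(quota_t)` also deserves a why-comment now that `quota_t` is an `application_domain` reachable from user roles through `quota_run`, for example `# quotacheck has to scan every file on the filesystem`, so the breadth of the rule is visibly intentional rather than accidental.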
@@ -53470,167 +59322,77 @@ index 5dd42f5..0df6e21 100644
userdom_dontaudit_use_unpriv_user_fds(quota_t)
optional_policy(`
-@@ -82,3 +101,30 @@ optional_policy(`
- optional_policy(`
- udev_read_db(quota_t)
+- mta_queue_filetrans(quota_t, quota_db_t, file)
+- mta_spool_filetrans(quota_t, quota_db_t, file)
+-')
+-
+-optional_policy(`
+ seutil_sigchld_newrole(quota_t)
')
-+
-+#######################################
-+#
+
+@@ -103,12 +104,12 @@ optional_policy(`
+
+ #######################################
+ #
+-# Nld local policy
+# Local policy
-+#
-+
-+allow quota_nld_t self:fifo_file rw_fifo_file_perms;
-+allow quota_nld_t self:netlink_socket create_socket_perms;
+ #
+
+ allow quota_nld_t self:fifo_file rw_fifo_file_perms;
+ allow quota_nld_t self:netlink_socket create_socket_perms;
+-allow quota_nld_t self:unix_stream_socket { accept listen };
+allow quota_nld_t self:unix_stream_socket create_stream_socket_perms;
-+
-+manage_files_pattern(quota_nld_t, quota_nld_var_run_t, quota_nld_var_run_t)
-+files_pid_filetrans(quota_nld_t, quota_nld_var_run_t, { file })
-+
-+kernel_read_network_state(quota_nld_t)
-+
-+auth_use_nsswitch(quota_nld_t)
-+
-+init_read_utmp(quota_nld_t)
-+
-+logging_send_syslog_msg(quota_nld_t)
-+
-+userdom_use_user_terminals(quota_nld_t)
-+
-+optional_policy(`
+
+ manage_files_pattern(quota_nld_t, quota_nld_var_run_t, quota_nld_var_run_t)
+ files_pid_filetrans(quota_nld_t, quota_nld_var_run_t, { file })
+@@ -121,11 +122,9 @@ init_read_utmp(quota_nld_t)
+
+ logging_send_syslog_msg(quota_nld_t)
+
+-miscfiles_read_localization(quota_nld_t)
+-
+ userdom_use_user_terminals(quota_nld_t)
+
+ optional_policy(`
+- dbus_system_bus_client(quota_nld_t)
+- dbus_connect_system_bus(quota_nld_t)
+ dbus_system_bus_client(quota_nld_t)
+ dbus_connect_system_bus(quota_nld_t)
-+')
-diff --git a/rabbitmq.fc b/rabbitmq.fc
-new file mode 100644
-index 0000000..594c110
---- /dev/null
-+++ b/rabbitmq.fc
-@@ -0,0 +1,7 @@
-+
-+/usr/lib64/erlang/erts-5.8.5/bin/beam.* -- gen_context(system_u:object_r:rabbitmq_beam_exec_t,s0)
-+/usr/lib64/erlang/erts-5.8.5/bin/epmd -- gen_context(system_u:object_r:rabbitmq_epmd_exec_t,s0)
-+
-+/var/lib/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_lib_t,s0)
-+
-+/var/log/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_log_t,s0)
-diff --git a/rabbitmq.if b/rabbitmq.if
-new file mode 100644
-index 0000000..491bd1f
---- /dev/null
-+++ b/rabbitmq.if
-@@ -0,0 +1,21 @@
-+
-+## <summary>policy for rabbitmq</summary>
-+
-+########################################
-+## <summary>
-+## Transition to rabbitmq.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed to transition.
-+## </summary>
-+## </param>
-+#
-+interface(`rabbitmq_domtrans',`
-+ gen_require(`
-+ type rabbitmq_t, rabbitmq_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, rabbitmq_exec_t, rabbitmq_t)
-+')
+ ')
diff --git a/rabbitmq.te b/rabbitmq.te
-new file mode 100644
-index 0000000..4cb2ad8
---- /dev/null
+index 3698b51..62a5977 100644
+--- a/rabbitmq.te
+++ b/rabbitmq.te
-@@ -0,0 +1,82 @@
-+policy_module(rabbitmq, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type rabbitmq_epmd_t;
-+type rabbitmq_epmd_exec_t;
-+init_daemon_domain(rabbitmq_epmd_t, rabbitmq_epmd_exec_t)
-+
-+type rabbitmq_beam_t;
-+type rabbitmq_beam_exec_t;
-+init_daemon_domain(rabbitmq_beam_t, rabbitmq_beam_exec_t)
-+
-+type rabbitmq_var_lib_t;
-+files_type(rabbitmq_var_lib_t)
-+
-+type rabbitmq_var_log_t;
-+logging_log_file(rabbitmq_var_log_t)
-+
-+######################################
-+#
-+# beam local policy
-+#
-+
-+allow rabbitmq_beam_t self:process { setsched signal signull };
-+
-+allow rabbitmq_beam_t self:fifo_file rw_fifo_file_perms;
-+allow rabbitmq_beam_t self:tcp_socket create_stream_socket_perms;
-+
-+manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
-+manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
-+
-+manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
-+manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
-+
-+can_exec(rabbitmq_beam_t, rabbitmq_beam_exec_t)
-+
-+kernel_read_system_state(rabbitmq_beam_t)
-+
-+corecmd_exec_bin(rabbitmq_beam_t)
-+corecmd_exec_shell(rabbitmq_beam_t)
-+
-+corenet_tcp_bind_generic_node(rabbitmq_beam_t)
-+corenet_udp_bind_generic_node(rabbitmq_beam_t)
-+corenet_tcp_connect_all_ephemeral_ports(rabbitmq_beam_t)
-+corenet_tcp_bind_amqp_port(rabbitmq_beam_t)
-+corenet_tcp_connect_epmd_port(rabbitmq_beam_t)
-+
-+dev_read_sysfs(rabbitmq_beam_t)
-+
-+files_read_etc_files(rabbitmq_beam_t)
-+
-+
-+optional_policy(`
-+ sysnet_dns_name_resolve(rabbitmq_beam_t)
-+')
-+
-+########################################
-+#
-+# epmd local policy
-+#
-+
-+domtrans_pattern(rabbitmq_beam_t, rabbitmq_epmd_exec_t, rabbitmq_epmd_t)
-+
-+allow rabbitmq_epmd_t self:process signal;
-+
-+allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms;
-+allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms;
-+allow rabbitmq_epmd_t self:unix_stream_socket create_stream_socket_perms;
-+
-+# should be append
-+allow rabbitmq_epmd_t rabbitmq_var_log_t:file write_file_perms;
-+
-+corenet_tcp_bind_generic_node(rabbitmq_epmd_t)
-+corenet_udp_bind_generic_node(rabbitmq_epmd_t)
-+corenet_tcp_bind_epmd_port(rabbitmq_epmd_t)
-+
-+files_read_etc_files(rabbitmq_epmd_t)
-+
-+logging_send_syslog_msg(rabbitmq_epmd_t)
+@@ -70,10 +70,6 @@ corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t)
+
+ dev_read_sysfs(rabbitmq_beam_t)
+
+-files_read_etc_files(rabbitmq_beam_t)
+-
+-miscfiles_read_localization(rabbitmq_beam_t)
+-
+ sysnet_dns_name_resolve(rabbitmq_beam_t)
+
+ ########################################
+@@ -81,7 +77,6 @@ sysnet_dns_name_resolve(rabbitmq_beam_t)
+ # Epmd local policy
+ #
+
+-
+ allow rabbitmq_epmd_t self:process signal;
+ allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms;
+ allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms;
+@@ -99,8 +94,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
+ corenet_tcp_bind_epmd_port(rabbitmq_epmd_t)
+ corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t)
+
+-files_read_etc_files(rabbitmq_epmd_t)
+-
+ logging_send_syslog_msg(rabbitmq_epmd_t)
+
+-miscfiles_read_localization(rabbitmq_epmd_t)
diff --git a/radius.fc b/radius.fc
-index 09f7b50..61c6d34 100644
+index c84b7ae..29c453e 100644
--- a/radius.fc
+++ b/radius.fc
@@ -9,6 +9,8 @@
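Review bot: The section heading `# Nld local policy` is renamed to `# Local policy`, which leaves quota.te with two sections of the same title and makes the nld rules harder to find; keep a distinct heading such as `# quota_nld local policy`. `allow quota_nld_t self:unix_stream_socket { accept listen };` is widened to `create_stream_socket_perms`; if upstream's narrower form was missing a single permission, adding that permission is preferable to granting the full set. The re-indentation of the two `dbus_*` lines inside `optional_policy` is whitespace-only churn and can be dropped from the patch.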
@@ -53639,20 +59401,11 @@ index 09f7b50..61c6d34 100644
+/usr/lib/systemd/system/radiusd.* -- gen_context(system_u:object_r:radiusd_unit_file_t,s0)
+
- /var/lib/radiousd(/.*)? gen_context(system_u:object_r:radiusd_var_lib_t,s0)
+ /var/lib/radiousd(/.*)? gen_context(system_u:object_r:radiusd_var_lib_t,s0)
/var/log/freeradius(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0)
-@@ -16,7 +18,7 @@
- /var/log/radius(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0)
- /var/log/radius\.log.* -- gen_context(system_u:object_r:radiusd_log_t,s0)
- /var/log/radiusd-freeradius(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0)
--/var/log/radutmp -- gen_context(system_u:object_r:radiusd_log_t,s0)
-+/var/log/radutmp.* -- gen_context(system_u:object_r:radiusd_log_t,s0)
- /var/log/radwtmp.* -- gen_context(system_u:object_r:radiusd_log_t,s0)
-
- /var/run/radiusd(/.*)? gen_context(system_u:object_r:radiusd_var_run_t,s0)
diff --git a/radius.if b/radius.if
-index 75e5dc4..a366f85 100644
+index 4460582..60cf556 100644
--- a/radius.if
+++ b/radius.if
@@ -14,6 +14,29 @@ interface(`radius_use',`
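Review bot: `/var/lib/radiousd(/.*)?`, kept as context on the new side, looks like a typo for `/var/lib/radiusd`; if so, the file context never matches FreeRADIUS's real state directory, which then keeps the generic `/var/lib` label instead of `radiusd_var_lib_t`. The line is upstream text, but the patch already touches radius.fc, so this is the place to correct it or to send the fix upstream. The new `/usr/lib/systemd/system/radiusd.*` entry is consistent with the other unit-file contexts added in this merge.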
@@ -53684,7 +59437,7 @@ index 75e5dc4..a366f85 100644
+
########################################
## <summary>
- ## All of the rules required to administrate
+ ## All of the rules required to
@@ -35,11 +58,14 @@ interface(`radius_admin',`
gen_require(`
type radiusd_t, radiusd_etc_t, radiusd_log_t;
@@ -53702,7 +59455,7 @@ index 75e5dc4..a366f85 100644
init_labeled_script_domtrans($1, radiusd_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -59,4 +85,9 @@ interface(`radius_admin',`
+@@ -57,4 +83,9 @@ interface(`radius_admin',`
files_list_pids($1)
admin_pattern($1, radiusd_var_run_t)
@@ -53713,7 +59466,7 @@ index 75e5dc4..a366f85 100644
+
')
diff --git a/radius.te b/radius.te
-index b1ed1bf..8b3f408 100644
+index 1e7927f..ff81482 100644
--- a/radius.te
+++ b/radius.te
@@ -27,6 +27,9 @@ files_type(radiusd_var_lib_t)
@@ -53726,7 +59479,7 @@ index b1ed1bf..8b3f408 100644
########################################
#
# Local policy
-@@ -62,11 +65,11 @@ manage_sock_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
+@@ -60,11 +63,11 @@ manage_sock_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
manage_dirs_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
manage_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
files_pid_filetrans(radiusd_t, radiusd_var_run_t, { file sock_file dir })
@@ -53739,40 +59492,20 @@ index b1ed1bf..8b3f408 100644
corenet_all_recvfrom_netlabel(radiusd_t)
corenet_tcp_sendrecv_generic_if(radiusd_t)
corenet_udp_sendrecv_generic_if(radiusd_t)
-@@ -77,6 +80,7 @@ corenet_udp_sendrecv_all_ports(radiusd_t)
- corenet_udp_bind_generic_node(radiusd_t)
- corenet_udp_bind_radacct_port(radiusd_t)
- corenet_udp_bind_radius_port(radiusd_t)
-+corenet_tcp_connect_postgresql_port(radiusd_t)
- corenet_tcp_connect_mysqld_port(radiusd_t)
- corenet_tcp_connect_snmp_port(radiusd_t)
- corenet_sendrecv_radius_server_packets(radiusd_t)
-@@ -99,7 +103,6 @@ corecmd_exec_shell(radiusd_t)
- domain_use_interactive_fds(radiusd_t)
-
- files_read_usr_files(radiusd_t)
--files_read_etc_files(radiusd_t)
- files_read_etc_runtime_files(radiusd_t)
-
- auth_use_nsswitch(radiusd_t)
-@@ -110,9 +113,10 @@ libs_exec_lib_files(radiusd_t)
+@@ -109,7 +112,6 @@ libs_exec_lib_files(radiusd_t)
logging_send_syslog_msg(radiusd_t)
-miscfiles_read_localization(radiusd_t)
miscfiles_read_generic_certs(radiusd_t)
-+sysnet_use_ldap(radiusd_t)
-+
- userdom_dontaudit_use_unpriv_user_fds(radiusd_t)
- userdom_dontaudit_search_user_home_dirs(radiusd_t)
-
+ sysnet_use_ldap(radiusd_t)
diff --git a/radvd.if b/radvd.if
-index be05bff..924fc0c 100644
+index ac7058d..48739ac 100644
--- a/radvd.if
+++ b/radvd.if
@@ -1,5 +1,24 @@
- ## <summary>IPv6 router advertisement daemon</summary>
+ ## <summary>IPv6 router advertisement daemon.</summary>
+######################################
+## <summary>
@@ -53795,15 +59528,9 @@ index be05bff..924fc0c 100644
+
########################################
## <summary>
- ## All of the rules required to administrate
-@@ -19,12 +38,15 @@
- #
- interface(`radvd_admin',`
- gen_require(`
-- type radvd_t, radvd_etc_t;
-- type radvd_var_run_t, radvd_initrc_exec_t;
-+ type radvd_t, radvd_etc_t, radvd_initrc_exec_t;
-+ type radvd_var_run_t;
+ ## All of the rules required to
+@@ -23,8 +42,11 @@ interface(`radvd_admin',`
+ type radvd_var_run_t;
')
- allow $1 radvd_t:process { ptrace signal_perms };
@@ -53816,25 +59543,10 @@ index be05bff..924fc0c 100644
init_labeled_script_domtrans($1, radvd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/radvd.te b/radvd.te
-index f9a2162..903be76 100644
+index b31f2d7..046f5b8 100644
--- a/radvd.te
+++ b/radvd.te
-@@ -43,7 +43,6 @@ kernel_read_network_state(radvd_t)
- kernel_read_system_state(radvd_t)
- kernel_request_load_module(radvd_t)
-
--corenet_all_recvfrom_unlabeled(radvd_t)
- corenet_all_recvfrom_netlabel(radvd_t)
- corenet_tcp_sendrecv_generic_if(radvd_t)
- corenet_udp_sendrecv_generic_if(radvd_t)
-@@ -61,15 +60,12 @@ fs_search_auto_mountpoints(radvd_t)
-
- domain_use_interactive_fds(radvd_t)
-
--files_read_etc_files(radvd_t)
- files_list_usr(radvd_t)
-
- auth_use_nsswitch(radvd_t)
+@@ -65,8 +65,6 @@ auth_use_nsswitch(radvd_t)
logging_send_syslog_msg(radvd_t)
@@ -53843,103 +59555,157 @@ index f9a2162..903be76 100644
userdom_dontaudit_use_unpriv_user_fds(radvd_t)
userdom_dontaudit_search_user_home_dirs(radvd_t)
-diff --git a/raid.fc b/raid.fc
-index ed9c70d..c298507 100644
---- a/raid.fc
-+++ b/raid.fc
-@@ -1,6 +1,14 @@
--/dev/.mdadm.map -- gen_context(system_u:object_r:mdadm_map_t,s0)
-+/dev/.mdadm\.map -- gen_context(system_u:object_r:mdadm_var_run_t,s0)
-+/dev/md/.* -- gen_context(system_u:object_r:mdadm_var_run_t,s0)
-
- /sbin/mdadm -- gen_context(system_u:object_r:mdadm_exec_t,s0)
- /sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0)
-
-+/usr/sbin/iprdump -- gen_context(system_u:object_r:mdadm_exec_t,s0)
-+/usr/sbin/iprinit -- gen_context(system_u:object_r:mdadm_exec_t,s0)
-+/usr/sbin/iprupdate -- gen_context(system_u:object_r:mdadm_exec_t,s0)
-+/usr/sbin/mdadm -- gen_context(system_u:object_r:mdadm_exec_t,s0)
-+/usr/sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0)
-+/usr/sbin/raid-check -- gen_context(system_u:object_r:mdadm_exec_t,s0)
-+
- /var/run/mdadm(/.*)? gen_context(system_u:object_r:mdadm_var_run_t,s0)
diff --git a/raid.if b/raid.if
-index b1a85b5..db0d815 100644
+index 951db7f..db0d815 100644
--- a/raid.if
+++ b/raid.if
-@@ -47,6 +47,24 @@ interface(`raid_run_mdadm',`
+@@ -1,9 +1,8 @@
+-## <summary>RAID array management tools.</summary>
++## <summary>RAID array management tools</summary>
+
+ ########################################
+ ## <summary>
+-## Execute software raid tools in
+-## the mdadm domain.
++## Execute software raid tools in the mdadm domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -22,34 +21,33 @@ interface(`raid_domtrans_mdadm',`
+
+ ######################################
+ ## <summary>
+-## Execute mdadm in the mdadm
+-## domain, and allow the specified
+-## role the mdadm domain.
++## Execute a domain transition to mdadm_t for the
++## specified role, allowing it to use the mdadm_t
++## domain
+ ## </summary>
+ ## <param name="role">
+ ## <summary>
+-## Role allowed access.
++## Role allowed to access mdadm_t domain
+ ## </summary>
+ ## </param>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed to transition.
++## Domain allowed to transition to mdadm_t
+ ## </summary>
+ ## </param>
+ #
+ interface(`raid_run_mdadm',`
+ gen_require(`
+- attribute_role mdadm_roles;
++ type mdadm_t;
+ ')
+
++ role $1 types mdadm_t;
+ raid_domtrans_mdadm($2)
+- roleattribute $1 mdadm_roles;
+ ')
########################################
## <summary>
+-## Create, read, write, and delete
+-## mdadm pid files.
+## read the mdadm pid files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -57,47 +55,39 @@ interface(`raid_run_mdadm',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`raid_manage_mdadm_pid',`
+interface(`raid_read_mdadm_pid',`
-+ gen_require(`
-+ type mdadm_var_run_t;
-+ ')
-+
+ gen_require(`
+ type mdadm_var_run_t;
+ ')
+
+- files_search_pids($1)
+- allow $1 mdadm_var_run_t:file manage_file_perms;
+ read_files_pattern($1, mdadm_var_run_t, mdadm_var_run_t)
-+')
-+
-+########################################
-+## <summary>
- ## Create, read, write, and delete the mdadm pid files.
+ ')
+
+ ########################################
+ ## <summary>
+-## All of the rules required to
+-## administrate an mdadm environment.
++## Create, read, write, and delete the mdadm pid files.
## </summary>
- ## <desc>
++## <desc>
++## <p>
++## Create, read, write, and delete the mdadm pid files.
++## </p>
++## <p>
++## Added for use in the init module.
++## </p>
++## </desc>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <param name="role">
+-## <summary>
+-## Role allowed access.
+-## </summary>
+-## </param>
+-## <rolecap/>
+ #
+-interface(`raid_admin_mdadm',`
++interface(`raid_manage_mdadm_pid',`
+ gen_require(`
+- type mdadm_t, mdadm_initrc_exec_t, mdadm_var_run_t;
++ type mdadm_var_run_t;
+ ')
+
+- allow $1 mdadm_t:process { ptrace signal_perms };
+- ps_process_pattern($1, mdadm_t)
+-
+- init_labeled_script_domtrans($1, mdadm_initrc_exec_t)
+- domain_system_change_exemption($1)
+- role_transition $2 mdadm_initrc_exec_t system_r;
+- allow $2 system_r;
+-
+- files_search_pids($1)
+- admin_pattern($1, mdadm_var_run_t)
+-
+- raid_run_mdadm($2, $1)
++ # FIXME: maybe should have a type_transition. not
++ # clear what this is doing, from the original
++ # mdadm policy
++ allow $1 mdadm_var_run_t:file manage_file_perms;
+ ')
diff --git a/raid.te b/raid.te
-index a8a12b7..a6cbba3 100644
+index 2c1730b..c27bb23 100644
--- a/raid.te
+++ b/raid.te
-@@ -10,11 +10,9 @@ type mdadm_exec_t;
- init_daemon_domain(mdadm_t, mdadm_exec_t)
- role system_r types mdadm_t;
-
--type mdadm_map_t;
--files_type(mdadm_map_t)
--
--type mdadm_var_run_t;
-+type mdadm_var_run_t alias mdadm_map_t;
- files_pid_file(mdadm_var_run_t)
-+dev_associate(mdadm_var_run_t)
-
- ########################################
- #
-@@ -23,18 +21,20 @@ files_pid_file(mdadm_var_run_t)
+@@ -26,7 +26,7 @@ dev_associate(mdadm_var_run_t)
allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
dontaudit mdadm_t self:capability sys_tty_config;
--allow mdadm_t self:process { sigchld sigkill sigstop signull signal };
+-allow mdadm_t self:process { getsched setsched signal_perms };
+allow mdadm_t self:process { getsched setsched sigchld sigkill sigstop signull signal };
allow mdadm_t self:fifo_file rw_fifo_file_perms;
-+allow mdadm_t self:netlink_kobject_uevent_socket create_socket_perms;
+ allow mdadm_t self:netlink_kobject_uevent_socket create_socket_perms;
--# create .mdadm files in /dev
--allow mdadm_t mdadm_map_t:file manage_file_perms;
--dev_filetrans(mdadm_t, mdadm_map_t, file)
--
-+manage_dirs_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
+@@ -34,8 +34,8 @@ manage_dirs_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
manage_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
--files_pid_filetrans(mdadm_t, mdadm_var_run_t, file)
-+manage_lnk_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
-+manage_sock_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
+ manage_lnk_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
+ manage_sock_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
+-dev_filetrans(mdadm_t, mdadm_var_run_t, file)
+-files_pid_filetrans(mdadm_t, mdadm_var_run_t, { dir file })
+files_pid_filetrans(mdadm_t, mdadm_var_run_t, { file dir })
+dev_filetrans(mdadm_t, mdadm_var_run_t, { file dir sock_file })
- kernel_read_system_state(mdadm_t)
- kernel_read_kernel_sysctls(mdadm_t)
-+kernel_request_load_module(mdadm_t)
- kernel_rw_software_raid_state(mdadm_t)
kernel_getattr_core_if(mdadm_t)
-
-@@ -52,15 +52,18 @@ dev_dontaudit_getattr_generic_blk_files(mdadm_t)
+ kernel_read_system_state(mdadm_t)
+@@ -51,17 +51,19 @@ dev_dontaudit_getattr_all_blk_files(mdadm_t)
+ dev_dontaudit_getattr_all_chr_files(mdadm_t)
dev_read_realtime_clock(mdadm_t)
- # unfortunately needed for DMI decoding:
dev_read_raw_memory(mdadm_t)
+dev_read_generic_files(mdadm_t)
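Review bot: Both pid-file interfaces that raid.if now exports, `raid_read_mdadm_pid` and the rewritten `raid_manage_mdadm_pid`, omit `files_search_pids($1)`, which the upstream `raid_manage_mdadm_pid` they replace carried; a caller that does not already hold search on the pid directory is denied before it ever reaches mdadm_var_run_t. Add `files_search_pids($1)` before the `read_files_pattern($1, mdadm_var_run_t, mdadm_var_run_t)` line and before `allow $1 mdadm_var_run_t:file manage_file_perms;` respectively. The `# FIXME: maybe should have a type_transition` comment ships as-is in a public interface; either add the filetrans or reword it into a statement of why none is needed. The new side also drops upstream's `raid_admin_mdadm` interface entirely, which will break any upstream caller of it, so that removal is worth stating in the patch description. In raid.te, `dev_filetrans(mdadm_t, mdadm_var_run_t, { file dir sock_file })` widens the /dev transition from upstream's file-only rule to directories and sockets, which is only justified if mdadm really creates those under /dev.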
@@ -53951,20 +59717,15 @@ index a8a12b7..a6cbba3 100644
-files_dontaudit_getattr_all_files(mdadm_t)
+files_dontaudit_getattr_tmpfs_files(mdadm_t)
--fs_search_auto_mountpoints(mdadm_t)
-+fs_list_hugetlbfs(mdadm_t)
-+fs_list_auto_mountpoints(mdadm_t)
+ fs_list_auto_mountpoints(mdadm_t)
+ fs_list_hugetlbfs(mdadm_t)
+ fs_rw_cgroup_files(mdadm_t)
fs_dontaudit_list_tmpfs(mdadm_t)
+fs_manage_cgroup_files(mdadm_t)
mls_file_read_all_levels(mdadm_t)
mls_file_write_all_levels(mdadm_t)
-@@ -69,16 +72,17 @@ mls_file_write_all_levels(mdadm_t)
- storage_manage_fixed_disk(mdadm_t)
- storage_dev_filetrans_fixed_disk(mdadm_t)
- storage_read_scsi_generic(mdadm_t)
-+storage_write_scsi_generic(mdadm_t)
-
+@@ -74,12 +76,12 @@ storage_write_scsi_generic(mdadm_t)
term_dontaudit_list_ptys(mdadm_t)
term_dontaudit_use_unallocated_ttys(mdadm_t)
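Review bot: With upstream raid.te now carrying `fs_rw_cgroup_files(mdadm_t)` (it appears as context on the new side), the Fedora-added `fs_manage_cgroup_files(mdadm_t)` two lines below is a superset that additionally lets mdadm create, rename and unlink entries in cgroupfs, a tree that sets resource limits for every other domain. If the rw grant is what the original denial needed, drop the manage line; if mdadm genuinely creates cgroup files, keep it and add a one-line comment above it naming the operation that needs it. The mdadm_t local-policy block extends beyond this hunk on both sides.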
@@ -53979,8 +59740,8 @@ index a8a12b7..a6cbba3 100644
userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
userdom_dontaudit_search_user_home_content(mdadm_t)
userdom_dontaudit_use_user_terminals(mdadm_t)
-@@ -86,6 +90,10 @@ userdom_dontaudit_use_user_terminals(mdadm_t)
- mta_send_mail(mdadm_t)
+@@ -89,6 +91,10 @@ optional_policy(`
+ ')
optional_policy(`
+ cron_system_entry(mdadm_t, mdadm_exec_t)
@@ -53991,127 +59752,267 @@ index a8a12b7..a6cbba3 100644
')
diff --git a/razor.fc b/razor.fc
-index 1efba0c..6e26673 100644
+index 6723f4d..6e26673 100644
--- a/razor.fc
+++ b/razor.fc
-@@ -1,8 +1,9 @@
--HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0)
+@@ -1,9 +1,9 @@
+-HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0)
+#/root/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0)
+#HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0)
--/etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0)
+-/etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0)
+#/etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0)
-/usr/bin/razor.* -- gen_context(system_u:object_r:razor_exec_t,s0)
+#/usr/bin/razor.* -- gen_context(system_u:object_r:razor_exec_t,s0)
--/var/lib/razor(/.*)? gen_context(system_u:object_r:razor_var_lib_t,s0)
--/var/log/razor-agent\.log -- gen_context(system_u:object_r:razor_log_t,s0)
+-/var/lib/razor(/.*)? gen_context(system_u:object_r:razor_var_lib_t,s0)
+-
+-/var/log/razor-agent\.log.* -- gen_context(system_u:object_r:razor_log_t,s0)
+#/var/lib/razor(/.*)? gen_context(system_u:object_r:razor_var_lib_t,s0)
+#/var/log/razor-agent\.log.* -- gen_context(system_u:object_r:razor_log_t,s0)
diff --git a/razor.if b/razor.if
-index f04a595..fee3b7c 100644
+index 1e4b523..fee3b7c 100644
--- a/razor.if
+++ b/razor.if
-@@ -26,6 +26,7 @@ template(`razor_common_domain_template',`
+@@ -1,72 +1,147 @@
+ ## <summary>A distributed, collaborative, spam detection and filtering network.</summary>
++## <desc>
++## <p>
++## A distributed, collaborative, spam detection and filtering network.
++## </p>
++## <p>
++## This policy will work with either the ATrpms provided config
++## file in /etc/razor, or with the default of dumping everything into
++## $HOME/.razor.
++## </p>
++## </desc>
+
+ #######################################
+ ## <summary>
+-## The template to define a razor domain.
++## Template to create types and rules common to
++## all razor domains.
+ ## </summary>
+-## <param name="domain_prefix">
++## <param name="prefix">
+ ## <summary>
+-## Domain prefix to be used.
++## The prefix of the domain (e.g., user
++## is the prefix for user_t).
+ ## </summary>
+ ## </param>
+ #
+ template(`razor_common_domain_template',`
gen_require(`
- type razor_exec_t, razor_etc_t, razor_log_t, razor_var_lib_t;
+- attribute razor_domain;
+- type razor_exec_t;
++ type razor_exec_t, razor_etc_t, razor_log_t, razor_var_lib_t;
')
-+
- type $1_t;
+
+- ########################################
+- #
+- # Declarations
+- #
+-
+- type $1_t, razor_domain;
++ type $1_t;
domain_type($1_t)
domain_entry_file($1_t, razor_exec_t)
-@@ -46,7 +47,7 @@ template(`razor_common_domain_template',`
- # Read system config file
- allow $1_t razor_etc_t:dir list_dir_perms;
- allow $1_t razor_etc_t:file read_file_perms;
-- allow $1_t razor_etc_t:lnk_file { getattr read };
-+ allow $1_t razor_etc_t:lnk_file read_lnk_file_perms;
-
- manage_dirs_pattern($1_t, razor_log_t, razor_log_t)
- manage_files_pattern($1_t, razor_log_t, razor_log_t)
-@@ -93,7 +94,6 @@ template(`razor_common_domain_template',`
- libs_read_lib_files($1_t)
-
-- miscfiles_read_localization($1_t)
+- ########################################
+- #
+- # Declarations
+- #
+-
+- auth_use_nsswitch($1_t)
++ allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
++ allow $1_t self:fd use;
++ allow $1_t self:fifo_file rw_fifo_file_perms;
++ allow $1_t self:unix_dgram_socket create_socket_perms;
++ allow $1_t self:unix_stream_socket create_stream_socket_perms;
++ allow $1_t self:unix_dgram_socket sendto;
++ allow $1_t self:unix_stream_socket connectto;
++ allow $1_t self:shm create_shm_perms;
++ allow $1_t self:sem create_sem_perms;
++ allow $1_t self:msgq create_msgq_perms;
++ allow $1_t self:msg { send receive };
++ allow $1_t self:tcp_socket create_socket_perms;
++
++ # Read system config file
++ allow $1_t razor_etc_t:dir list_dir_perms;
++ allow $1_t razor_etc_t:file read_file_perms;
++ allow $1_t razor_etc_t:lnk_file read_lnk_file_perms;
++
++ manage_dirs_pattern($1_t, razor_log_t, razor_log_t)
++ manage_files_pattern($1_t, razor_log_t, razor_log_t)
++ manage_lnk_files_pattern($1_t, razor_log_t, razor_log_t)
++ logging_log_filetrans($1_t, razor_log_t, file)
++
++ manage_dirs_pattern($1_t, razor_var_lib_t, razor_var_lib_t)
++ manage_files_pattern($1_t, razor_var_lib_t, razor_var_lib_t)
++ manage_lnk_files_pattern($1_t, razor_var_lib_t, razor_var_lib_t)
++ files_search_var_lib($1_t)
++
++ # Razor is one executable and several symlinks
++ allow $1_t razor_exec_t:file read_file_perms;
++ allow $1_t razor_exec_t:lnk_file read_lnk_file_perms;
++
++ kernel_read_system_state($1_t)
++ kernel_read_network_state($1_t)
++ kernel_read_software_raid_state($1_t)
++ kernel_getattr_core_if($1_t)
++ kernel_getattr_message_if($1_t)
++ kernel_read_kernel_sysctls($1_t)
++
++ corecmd_exec_bin($1_t)
++
++ corenet_all_recvfrom_unlabeled($1_t)
++ corenet_all_recvfrom_netlabel($1_t)
++ corenet_tcp_sendrecv_generic_if($1_t)
++ corenet_raw_sendrecv_generic_if($1_t)
++ corenet_tcp_sendrecv_generic_node($1_t)
++ corenet_raw_sendrecv_generic_node($1_t)
++ corenet_tcp_sendrecv_razor_port($1_t)
++
++ # mktemp and other randoms
++ dev_read_rand($1_t)
++ dev_read_urand($1_t)
++
++ files_search_pids($1_t)
++ # Allow access to various files in the /etc/directory including mtab
++ # and nsswitch
++ files_read_etc_files($1_t)
++ files_read_etc_runtime_files($1_t)
++
++ fs_search_auto_mountpoints($1_t)
++
++ libs_read_lib_files($1_t)
++
++
++ sysnet_read_config($1_t)
++ sysnet_dns_name_resolve($1_t)
++
++ optional_policy(`
++ nis_use_ypbind($1_t)
++ ')
+ ')
- sysnet_read_config($1_t)
- sysnet_dns_name_resolve($1_t)
-@@ -117,6 +117,7 @@ template(`razor_common_domain_template',`
- ## User domain for the role
+ ########################################
+ ## <summary>
+-## Role access for razor.
++## Role access for razor
+ ## </summary>
+ ## <param name="role">
+ ## <summary>
+-## Role allowed access.
++## Role allowed access
+ ## </summary>
+ ## </param>
+ ## <param name="domain">
+ ## <summary>
+-## User domain for the role.
++## User domain for the role
## </summary>
## </param>
+## <rolecap/>
#
interface(`razor_role',`
gen_require(`
-@@ -130,7 +131,10 @@ interface(`razor_role',`
+- attribute_role razor_roles;
+ type razor_t, razor_exec_t, razor_home_t;
+- type razor_tmp_t;
+ ')
+
+- roleattribute $1 razor_roles;
++ role $1 types razor_t;
- # allow ps to show razor and allow the user to kill it
++ # Transition from the user domain to the derived domain.
+ domtrans_pattern($2, razor_exec_t, razor_t)
+
++ # allow ps to show razor and allow the user to kill it
ps_process_pattern($2, razor_t)
- allow $2 razor_t:process signal;
+-
+- allow $2 { razor_home_t razor_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
+- allow $2 { razor_home_t razor_tmp_t }:file { manage_file_perms relabel_file_perms };
+- allow $2 razor_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+ allow $2 razor_t:process signal_perms;
+ tunable_policy(`deny_ptrace',`',`
+ allow $2 razor_t:process ptrace;
+ ')
- manage_dirs_pattern($2, razor_home_t, razor_home_t)
- manage_files_pattern($2, razor_home_t, razor_home_t)
-@@ -157,3 +161,43 @@ interface(`razor_domtrans',`
+- userdom_user_home_dir_filetrans($2, razor_home_t, dir, ".razor")
++ manage_dirs_pattern($2, razor_home_t, razor_home_t)
++ manage_files_pattern($2, razor_home_t, razor_home_t)
++ manage_lnk_files_pattern($2, razor_home_t, razor_home_t)
++ relabel_dirs_pattern($2, razor_home_t, razor_home_t)
++ relabel_files_pattern($2, razor_home_t, razor_home_t)
++ relabel_lnk_files_pattern($2, razor_home_t, razor_home_t)
+ ')
+
+ ########################################
+@@ -81,17 +156,16 @@ interface(`razor_role',`
+ #
+ interface(`razor_domtrans',`
+ gen_require(`
+- type system_razor_t, razor_exec_t;
++ type razor_t, razor_exec_t;
+ ')
- domtrans_pattern($1, razor_exec_t, razor_t)
+- corecmd_search_bin($1)
+- domtrans_pattern($1, razor_exec_t, system_razor_t)
++ domtrans_pattern($1, razor_exec_t, razor_t)
')
-+
-+########################################
-+## <summary>
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete
+-## razor home content.
+## Create, read, write, and delete razor files
+## in a user home subdirectory.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -99,20 +173,19 @@ interface(`razor_domtrans',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`razor_manage_home_content',`
+interface(`razor_manage_user_home_files',`
-+ gen_require(`
-+ type razor_home_t;
-+ ')
-+
-+ userdom_search_user_home_dirs($1)
+ gen_require(`
+ type razor_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+- allow $1 razor_home_t:dir manage_dir_perms;
+- allow $1 razor_home_t:file manage_file_perms;
+- allow $1 razor_home_t:lnk_file manage_lnk_file_perms;
+ manage_files_pattern($1, razor_home_t, razor_home_t)
+ read_lnk_files_pattern($1, razor_home_t, razor_home_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Read razor lib files.
+## read razor lib files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`razor_read_lib_files',`
-+ gen_require(`
-+ type razor_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, razor_var_lib_t, razor_var_lib_t)
-+')
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
diff --git a/razor.te b/razor.te
-index 9353d5e..4e15f29 100644
+index 5ddedbc..4e15f29 100644
--- a/razor.te
+++ b/razor.te
-@@ -5,117 +5,124 @@ policy_module(razor, 2.3.0)
+@@ -1,139 +1,128 @@
+-policy_module(razor, 2.3.2)
++policy_module(razor, 2.3.0)
+
+ ########################################
+ #
# Declarations
#
--type razor_exec_t;
--corecmd_executable_file(razor_exec_t)
+-attribute razor_domain;
+ifdef(`distro_redhat',`
+ gen_require(`
+ type spamc_t, spamc_exec_t, spamd_log_t;
@@ -54222,21 +60123,26 @@ index 9353d5e..4e15f29 100644
+
+ auth_use_nsswitch(razor_t)
+-attribute_role razor_roles;
++ logging_send_syslog_msg(razor_t)
+
+-type razor_exec_t;
+-corecmd_executable_file(razor_exec_t)
++ userdom_search_user_home_dirs(razor_t)
++ userdom_use_inherited_user_terminals(razor_t)
+
-type razor_etc_t;
-files_config_file(razor_etc_t)
-+ logging_send_syslog_msg(razor_t)
++ userdom_home_manager(razor_t)
-type razor_home_t;
-typealias razor_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t };
-typealias razor_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
-userdom_user_home_content(razor_home_t)
-+ userdom_search_user_home_dirs(razor_t)
-+ userdom_use_inherited_user_terminals(razor_t)
-
+-
-type razor_log_t;
-logging_log_file(razor_log_t)
-+ userdom_home_manager(razor_t)
-
+-
-type razor_tmp_t;
-typealias razor_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
-typealias razor_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
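Review bot: The new razor.te replaces upstream's razor_home_t-scoped rules with `userdom_home_manager(razor_t)`; if that interface has its usual Fedora meaning of granting management of all user home content types, razor_t can now write anything under a user's home directory rather than only `~/.razor`, far more than a spam-signature client needs. Prefer restoring the three `manage_*_pattern(razor_t, razor_home_t, razor_home_t)` rules together with `userdom_user_home_dir_filetrans(razor_t, razor_home_t, dir, ".razor")` that this merge deletes, or, if the wide grant is deliberate, add a comment above the call saying why. This block sits inside an `ifdef('distro_redhat'` that opens before and closes after the hunk.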
@@ -54245,81 +60151,99 @@ index 9353d5e..4e15f29 100644
-type razor_var_lib_t;
-files_type(razor_var_lib_t)
-
--# these are here due to ordering issues:
-razor_common_domain_template(razor)
-typealias razor_t alias { user_razor_t staff_razor_t sysadm_razor_t };
-typealias razor_t alias { auditadm_razor_t secadm_razor_t };
-userdom_user_application_type(razor_t)
+-role razor_roles types razor_t;
-
-razor_common_domain_template(system_razor)
-role system_r types system_razor_t;
-
-########################################
-#
--# System razor local policy
+-# Common razor domain local policy
-#
-
--# this version of razor is invoked typically
--# via the system spam filter
+-allow razor_domain self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+-allow razor_domain self:fd use;
+-allow razor_domain self:fifo_file rw_fifo_file_perms;
+-allow razor_domain self:unix_dgram_socket sendto;
+-allow razor_domain self:unix_stream_socket { accept connectto listen };
-
--allow system_razor_t self:tcp_socket create_socket_perms;
+-allow razor_domain razor_etc_t:dir list_dir_perms;
+-allow razor_domain razor_etc_t:file read_file_perms;
+-allow razor_domain razor_etc_t:lnk_file read_lnk_file_perms;
-
--manage_dirs_pattern(system_razor_t, razor_etc_t, razor_etc_t)
--manage_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
--manage_lnk_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
--files_search_etc(system_razor_t)
+-allow razor_domain razor_exec_t:file read_file_perms;
+-allow razor_domain razor_exec_t:lnk_file read_lnk_file_perms;
-
--allow system_razor_t razor_log_t:file manage_file_perms;
--logging_log_filetrans(system_razor_t, razor_log_t, file)
+-kernel_read_system_state(razor_domain)
+-kernel_read_network_state(razor_domain)
+-kernel_read_software_raid_state(razor_domain)
+-kernel_getattr_core_if(razor_domain)
+-kernel_getattr_message_if(razor_domain)
+-kernel_read_kernel_sysctls(razor_domain)
-
--manage_files_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t)
--files_var_lib_filetrans(system_razor_t, razor_var_lib_t, file)
+-corecmd_exec_bin(razor_domain)
-
--corenet_all_recvfrom_unlabeled(system_razor_t)
--corenet_all_recvfrom_netlabel(system_razor_t)
--corenet_tcp_sendrecv_generic_if(system_razor_t)
--corenet_raw_sendrecv_generic_if(system_razor_t)
--corenet_tcp_sendrecv_generic_node(system_razor_t)
--corenet_raw_sendrecv_generic_node(system_razor_t)
--corenet_tcp_sendrecv_razor_port(system_razor_t)
--corenet_tcp_connect_razor_port(system_razor_t)
--corenet_sendrecv_razor_client_packets(system_razor_t)
+-corenet_all_recvfrom_unlabeled(razor_domain)
+-corenet_all_recvfrom_netlabel(razor_domain)
+-corenet_tcp_sendrecv_generic_if(razor_domain)
+-corenet_tcp_sendrecv_generic_node(razor_domain)
-
--sysnet_read_config(system_razor_t)
+-corenet_tcp_sendrecv_razor_port(razor_domain)
+-corenet_tcp_connect_razor_port(razor_domain)
+-corenet_sendrecv_razor_client_packets(razor_domain)
-
--# cjp: this shouldn't be needed
--userdom_use_unpriv_users_fds(system_razor_t)
+-dev_read_rand(razor_domain)
+-dev_read_urand(razor_domain)
-
--optional_policy(`
-- logging_send_syslog_msg(system_razor_t)
--')
+-files_read_etc_runtime_files(razor_domain)
-
--optional_policy(`
-- nscd_socket_use(system_razor_t)
--')
+-libs_read_lib_files(razor_domain)
+-
+-miscfiles_read_localization(razor_domain)
-
-########################################
-#
--# User razor local policy
+-# System local policy
-#
-
--# Allow razor to be run by hand. Needed by any action other than
--# invocation from a spam filter.
+-manage_dirs_pattern(system_razor_t, razor_etc_t, razor_etc_t)
+-manage_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
+-manage_lnk_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
+-
+-manage_dirs_pattern(system_razor_t, razor_log_t, razor_log_t)
+-append_files_pattern(system_razor_t, razor_log_t, razor_log_t)
+-create_files_pattern(system_razor_t, razor_log_t, razor_log_t)
+-setattr_files_pattern(system_razor_t, razor_log_t, razor_log_t)
+-manage_lnk_files_pattern(system_razor_t, razor_log_t, razor_log_t)
+-logging_log_filetrans(system_razor_t, razor_log_t, file)
+-
+-manage_dirs_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t)
+-manage_files_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t)
+-manage_lnk_files_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t)
+-files_var_lib_filetrans(system_razor_t, razor_var_lib_t, file)
-
--allow razor_t self:unix_stream_socket create_stream_socket_perms;
+-########################################
+-#
+-# Session local policy
+-#
-
-manage_dirs_pattern(razor_t, razor_home_t, razor_home_t)
-manage_files_pattern(razor_t, razor_home_t, razor_home_t)
-manage_lnk_files_pattern(razor_t, razor_home_t, razor_home_t)
--userdom_user_home_dir_filetrans(razor_t, razor_home_t, dir)
+-userdom_user_home_dir_filetrans(razor_t, razor_home_t, dir, ".razor")
-
-manage_dirs_pattern(razor_t, razor_tmp_t, razor_tmp_t)
-manage_files_pattern(razor_t, razor_tmp_t, razor_tmp_t)
-files_tmp_filetrans(razor_t, razor_tmp_t, { file dir })
-
--logging_send_syslog_msg(razor_t)
+-fs_getattr_all_fs(razor_t)
+-fs_search_auto_mountpoints(razor_t)
-
--userdom_search_user_home_dirs(razor_t)
+-userdom_use_unpriv_users_fds(razor_t)
-userdom_use_user_terminals(razor_t)
-
-tunable_policy(`use_nfs_home_dirs',`
@@ -54332,25 +60256,12 @@ index 9353d5e..4e15f29 100644
- fs_manage_cifs_dirs(razor_t)
- fs_manage_cifs_files(razor_t)
- fs_manage_cifs_symlinks(razor_t)
--')
--
--optional_policy(`
-- nscd_socket_use(razor_t)
+ optional_policy(`
+ milter_manage_spamass_state(razor_t)
+ ')
')
-diff --git a/rdisc.fc b/rdisc.fc
-index dee4adc..a7e4bc7 100644
---- a/rdisc.fc
-+++ b/rdisc.fc
-@@ -1,2 +1,4 @@
-
- /sbin/rdisc -- gen_context(system_u:object_r:rdisc_exec_t,s0)
-+
-+/usr/sbin/rdisc -- gen_context(system_u:object_r:rdisc_exec_t,s0)
diff --git a/rdisc.te b/rdisc.te
-index 0f07685..1b75760 100644
+index 9196c1d..972b269 100644
--- a/rdisc.te
+++ b/rdisc.te
@@ -25,7 +25,6 @@ kernel_list_proc(rdisc_t)
@@ -54371,46 +60282,30 @@ index 0f07685..1b75760 100644
userdom_dontaudit_use_unpriv_user_fds(rdisc_t)
diff --git a/readahead.fc b/readahead.fc
-index 7077413..0428aee 100644
+index f307db4..0428aee 100644
--- a/readahead.fc
+++ b/readahead.fc
-@@ -1,3 +1,10 @@
--/usr/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
+@@ -1,7 +1,10 @@
+-/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
+/dev/\.systemd/readahead(/.*)? gen_context(system_u:object_r:readahead_var_run_t,s0)
-+
- /sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
-+/usr/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
-+
+
++/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
+ /usr/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
+
+/usr/lib/systemd/systemd-readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
+
/var/lib/readahead(/.*)? gen_context(system_u:object_r:readahead_var_lib_t,s0)
-+
+
+-/var/run/readahead,* gen_context(system_u:object_r:readahead_var_run_t,s0)
+/var/run/systemd/readahead(/.*)? gen_context(system_u:object_r:readahead_var_run_t,s0)
diff --git a/readahead.if b/readahead.if
-index 47c4723..64c8889 100644
+index 661bb88..06f69c4 100644
--- a/readahead.if
+++ b/readahead.if
-@@ -1 +1,44 @@
- ## <summary>Readahead, read files into page cache for improved performance</summary>
-+
-+########################################
-+## <summary>
-+## Transition to the readahead domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed to transition.
-+## </summary>
-+## </param>
-+#
-+interface(`readahead_domtrans',`
-+ gen_require(`
-+ type readahead_t, readahead_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, readahead_exec_t, readahead_t)
-+')
+@@ -19,3 +19,27 @@ interface(`readahead_domtrans',`
+ corecmd_search_bin($1)
+ domtrans_pattern($1, readahead_exec_t, readahead_t)
+ ')
+
+########################################
+## <summary>
@@ -54436,34 +60331,23 @@ index 47c4723..64c8889 100644
+')
+
diff --git a/readahead.te b/readahead.te
-index b4ac57e..e384d8e 100644
+index f1512d6..919a138 100644
--- a/readahead.te
+++ b/readahead.te
-@@ -16,13 +16,14 @@ typealias readahead_var_lib_t alias readahead_etc_rw_t;
+@@ -15,6 +15,7 @@ typealias readahead_var_lib_t alias readahead_etc_rw_t;
type readahead_var_run_t;
files_pid_file(readahead_var_run_t)
+dev_associate(readahead_var_run_t)
+ init_daemon_run_dir(readahead_var_run_t, "readahead")
########################################
- #
- # Local policy
- #
-
--allow readahead_t self:capability { fowner dac_override dac_read_search };
-+allow readahead_t self:capability { sys_admin fowner dac_override dac_read_search };
- dontaudit readahead_t self:capability { net_admin sys_tty_config };
- allow readahead_t self:process { setsched signal_perms };
-
-@@ -31,13 +32,19 @@ manage_files_pattern(readahead_t, readahead_var_lib_t, readahead_var_lib_t)
- files_search_var_lib(readahead_t)
+@@ -31,13 +32,17 @@ manage_files_pattern(readahead_t, readahead_var_lib_t, readahead_var_lib_t)
+ manage_dirs_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t)
manage_files_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t)
--files_pid_filetrans(readahead_t, readahead_var_run_t, file)
-+manage_dirs_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t)
-+files_pid_filetrans(readahead_t, readahead_var_run_t, { dir file })
+dev_filetrans(readahead_t, readahead_var_run_t, { dir file })
-+init_pid_filetrans(readahead_t, readahead_var_run_t, { dir file })
+ files_pid_filetrans(readahead_t, readahead_var_run_t, { dir file })
kernel_read_all_sysctls(readahead_t)
kernel_read_system_state(readahead_t)
@@ -54477,17 +60361,19 @@ index b4ac57e..e384d8e 100644
dev_getattr_generic_chr_files(readahead_t)
dev_getattr_generic_blk_files(readahead_t)
dev_getattr_all_chr_files(readahead_t)
-@@ -53,10 +60,19 @@ domain_read_all_domains_state(readahead_t)
+@@ -51,12 +56,21 @@ domain_use_interactive_fds(readahead_t)
+ domain_read_all_domains_state(readahead_t)
- files_list_non_security(readahead_t)
- files_read_non_security_files(readahead_t)
-+files_dontaudit_read_security_files(readahead_t)
files_create_boot_flag(readahead_t)
+files_delete_root_files(readahead_t)
files_getattr_all_pipes(readahead_t)
+ files_list_non_security(readahead_t)
+ files_read_non_security_files(readahead_t)
+ files_search_var_lib(readahead_t)
files_dontaudit_getattr_all_sockets(readahead_t)
files_dontaudit_getattr_non_security_blk_files(readahead_t)
+files_dontaudit_all_access_check(readahead_t)
++files_dontaudit_read_security_files(readahead_t)
+
+ifdef(`hide_broken_symptoms', `
+ files_dontaudit_write_all_files(readahead_t)
@@ -54497,7 +60383,7 @@ index b4ac57e..e384d8e 100644
fs_getattr_all_fs(readahead_t)
fs_search_auto_mountpoints(readahead_t)
-@@ -66,12 +82,14 @@ fs_read_cgroup_files(readahead_t)
+@@ -66,6 +80,7 @@ fs_read_cgroup_files(readahead_t)
fs_read_tmpfs_files(readahead_t)
fs_read_tmpfs_symlinks(readahead_t)
fs_list_inotifyfs(readahead_t)
@@ -54505,14 +60391,15 @@ index b4ac57e..e384d8e 100644
fs_dontaudit_search_ramfs(readahead_t)
fs_dontaudit_read_ramfs_pipes(readahead_t)
fs_dontaudit_read_ramfs_files(readahead_t)
- fs_dontaudit_use_tmpfs_chr_dev(readahead_t)
+@@ -74,6 +89,7 @@ fs_dontaudit_use_tmpfs_chr_dev(readahead_t)
+ mcs_file_read_all(readahead_t)
mls_file_read_all_levels(readahead_t)
+mcs_file_read_all(readahead_t)
storage_raw_read_fixed_disk(readahead_t)
-@@ -82,13 +100,13 @@ auth_dontaudit_read_shadow(readahead_t)
+@@ -84,13 +100,13 @@ auth_dontaudit_read_shadow(readahead_t)
init_use_fds(readahead_t)
init_use_script_ptys(readahead_t)
init_getattr_initctl(readahead_t)
@@ -54529,107 +60416,82 @@ index b4ac57e..e384d8e 100644
userdom_dontaudit_search_user_home_dirs(readahead_t)
diff --git a/realmd.fc b/realmd.fc
-new file mode 100644
-index 0000000..3c24ce4
---- /dev/null
+index 04babe3..3c24ce4 100644
+--- a/realmd.fc
+++ b/realmd.fc
-@@ -0,0 +1 @@
+@@ -1 +1 @@
+-/usr/lib/realmd/realmd -- gen_context(system_u:object_r:realmd_exec_t,s0)
+/usr/lib/realmd/realmd -- gen_context(system_u:object_r:realmd_exec_t,s0)
diff --git a/realmd.if b/realmd.if
-new file mode 100644
-index 0000000..e38693b
---- /dev/null
+index bff31df..e38693b 100644
+--- a/realmd.if
+++ b/realmd.if
-@@ -0,0 +1,42 @@
+@@ -1,8 +1,9 @@
+-## <summary>Dbus system service which manages discovery and enrollment in realms and domains like Active Directory or IPA.</summary>
+
+## <summary>dbus system service which manages discovery and enrollment in realms and domains like Active Directory or IPA</summary>
-+
-+########################################
-+## <summary>
+
+ ########################################
+ ## <summary>
+-## Execute realmd in the realmd domain.
+## Execute realmd in the realmd_t domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed to transition.
-+## </summary>
-+## </param>
-+#
-+interface(`realmd_domtrans',`
-+ gen_require(`
-+ type realmd_t, realmd_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, realmd_exec_t, realmd_t)
-+')
-+
-+########################################
-+## <summary>
-+## Send and receive messages from
-+## realmd over dbus.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`realmd_dbus_chat',`
-+ gen_require(`
-+ type realmd_t;
-+ class dbus send_msg;
-+ ')
-+
-+ allow $1 realmd_t:dbus send_msg;
-+ allow realmd_t $1:dbus send_msg;
-+')
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
diff --git a/realmd.te b/realmd.te
-new file mode 100644
-index 0000000..c994751
---- /dev/null
+index 9a8f052..c994751 100644
+--- a/realmd.te
+++ b/realmd.te
-@@ -0,0 +1,103 @@
+@@ -1,4 +1,4 @@
+-policy_module(realmd, 1.0.2)
+policy_module(realmd, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type realmd_t;
-+type realmd_exec_t;
+
+ ########################################
+ #
+@@ -7,11 +7,12 @@ policy_module(realmd, 1.0.2)
+
+ type realmd_t;
+ type realmd_exec_t;
+-init_system_domain(realmd_t, realmd_exec_t)
+application_domain(realmd_t, realmd_exec_t)
+role system_r types realmd_t;
-+
-+########################################
-+#
+
+ ########################################
+ #
+-# Local policy
+# realmd local policy
-+#
-+
-+allow realmd_t self:capability sys_nice;
-+allow realmd_t self:process setsched;
-+
-+kernel_read_system_state(realmd_t)
-+
-+corecmd_exec_bin(realmd_t)
-+corecmd_exec_shell(realmd_t)
-+
-+corenet_tcp_connect_http_port(realmd_t)
-+
-+domain_use_interactive_fds(realmd_t)
-+
-+dev_read_rand(realmd_t)
-+dev_read_urand(realmd_t)
-+
+ #
+
+ allow realmd_t self:capability sys_nice;
+@@ -22,28 +23,32 @@ kernel_read_system_state(realmd_t)
+ corecmd_exec_bin(realmd_t)
+ corecmd_exec_shell(realmd_t)
+
+-corenet_all_recvfrom_unlabeled(realmd_t)
+-corenet_all_recvfrom_netlabel(realmd_t)
+-corenet_tcp_sendrecv_generic_if(realmd_t)
+-corenet_tcp_sendrecv_generic_node(realmd_t)
+-
+-corenet_sendrecv_http_client_packets(realmd_t)
+ corenet_tcp_connect_http_port(realmd_t)
+-corenet_tcp_sendrecv_http_port(realmd_t)
+
+ domain_use_interactive_fds(realmd_t)
+
+ dev_read_rand(realmd_t)
+ dev_read_urand(realmd_t)
+
+-fs_getattr_all_fs(realmd_t)
+-
+files_read_etc_files(realmd_t)
-+files_read_usr_files(realmd_t)
-+
+ files_read_usr_files(realmd_t)
+
+fs_getattr_all_fs(realmd_t)
+
-+auth_use_nsswitch(realmd_t)
-+
-+logging_send_syslog_msg(realmd_t)
-+
+ auth_use_nsswitch(realmd_t)
+
+ logging_send_syslog_msg(realmd_t)
+
+sysnet_dns_name_resolve(realmd_t)
+systemd_exec_systemctl(realmd_t)
+
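Review bot: The new side rewrites `policy_module(realmd, 1.0.2)` to `policy_module(realmd, 1.0.0)`, so the patched module carries a lower version than the upstream it was just merged from; the same downgrade appears for remotelogin (1.7.2 to 1.7.0, in the remotelogin.te hunk below) and rgmanager (1.2.2 to 1.2.0, in the rgmanager.te hunk further down). If this is a deliberate Fedora pin it should be stated once, e.g. in the spec, because as written it hides which upstream revision each file tracks and makes later diffs against upstream look like regressions. Otherwise keeping upstream's number, `policy_module(realmd, 1.0.2)`, removes three lines from the distro patch with no policy effect.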
@@ -54640,63 +60502,133 @@ index 0000000..c994751
+ authconfig_domtrans(realmd_t)
+')
+
-+optional_policy(`
-+ dbus_system_domain(realmd_t, realmd_exec_t)
-+
-+ optional_policy(`
-+ networkmanager_dbus_chat(realmd_t)
-+ ')
-+
-+ optional_policy(`
-+ policykit_dbus_chat(realmd_t)
-+ ')
-+')
-+
-+optional_policy(`
-+ hostname_exec(realmd_t)
-+')
-+
-+optional_policy(`
-+ kerberos_use(realmd_t)
-+ kerberos_rw_keytab(realmd_t)
-+')
-+
-+optional_policy(`
-+ nis_exec_ypbind(realmd_t)
+ optional_policy(`
+ dbus_system_domain(realmd_t, realmd_exec_t)
+
+@@ -67,17 +72,21 @@ optional_policy(`
+
+ optional_policy(`
+ nis_exec_ypbind(realmd_t)
+- nis_initrc_domtrans(realmd_t)
+ nis_systemctl_ypbind(realmd_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- gnome_read_generic_home_content(realmd_t)
+ gnome_read_config(realmd_t)
+ gnome_read_generic_cache_files(realmd_t)
+ gnome_write_generic_cache_files(realmd_t)
+ gnome_manage_cache_home_dir(realmd_t)
+
-+')
-+
-+optional_policy(`
-+ samba_domtrans_net(realmd_t)
-+ samba_manage_config(realmd_t)
+ ')
+
+ optional_policy(`
+ samba_domtrans_net(realmd_t)
+ samba_manage_config(realmd_t)
+- samba_getattr_winbind_exec(realmd_t)
+ samba_getattr_winbind(realmd_t)
-+')
-+
-+optional_policy(`
-+ sssd_getattr_exec(realmd_t)
-+ sssd_manage_config(realmd_t)
-+ sssd_manage_lib_files(realmd_t)
-+ sssd_manage_public_files(realmd_t)
-+ sssd_read_pid_files(realmd_t)
+ ')
+
+ optional_policy(`
+@@ -86,5 +95,9 @@ optional_policy(`
+ sssd_manage_lib_files(realmd_t)
+ sssd_manage_public_files(realmd_t)
+ sssd_read_pid_files(realmd_t)
+- sssd_initrc_domtrans(realmd_t)
+ sssd_systemctl(realmd_t)
+')
+
+optional_policy(`
+ xserver_read_state_xdm(realmd_t)
-+')
+ ')
+diff --git a/remotelogin.fc b/remotelogin.fc
+index 327baf0..d8691bd 100644
+--- a/remotelogin.fc
++++ b/remotelogin.fc
+@@ -1 +1,2 @@
++
+ # Remote login currently has no file contexts.
+diff --git a/remotelogin.if b/remotelogin.if
+index a9ce68e..31be971 100644
+--- a/remotelogin.if
++++ b/remotelogin.if
+@@ -1,4 +1,4 @@
+-## <summary>Rshd, rlogind, and telnetd.</summary>
++## <summary>Policy for rshd, rlogind, and telnetd.</summary>
+
+ ########################################
+ ## <summary>
+@@ -15,13 +15,12 @@ interface(`remotelogin_domtrans',`
+ type remote_login_t;
+ ')
+
+- corecmd_search_bin($1)
+ auth_domtrans_login_program($1, remote_login_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Send generic signals to remote login.
++## allow Domain to signal remote login domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -36,44 +35,3 @@ interface(`remotelogin_signal',`
+
+ allow $1 remote_login_t:process signal;
+ ')
+-
+-########################################
+-## <summary>
+-## Create, read, write, and delete
+-## remote login temporary content.
+-## </summary>
+-## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+-## </param>
+-#
+-interface(`remotelogin_manage_tmp_content',`
+- gen_require(`
+- type remote_login_tmp_t;
+- ')
+-
+- files_search_tmp($1)
+- allow $1 remote_login_tmp_t:dir manage_dir_perms;
+- allow $1 remote_login_tmp_t:file manage_file_perms;
+-')
+-
+-########################################
+-## <summary>
+-## Relabel remote login temporary content.
+-## </summary>
+-## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+-## </param>
+-#
+-interface(`remotelogin_relabel_tmp_content',`
+- gen_require(`
+- type remote_login_tmp_t;
+- ')
+-
+- files_search_tmp($1)
+- allow $1 remote_login_tmp_t:dir relabel_dir_perms;
+- allow $1 remote_login_tmp_t:file relabel_file_perms;
+-')
diff --git a/remotelogin.te b/remotelogin.te
-index 0a76027..18f59a7 100644
+index c51a32c..18f59a7 100644
--- a/remotelogin.te
+++ b/remotelogin.te
-@@ -10,9 +10,6 @@ domain_interactive_fd(remote_login_t)
+@@ -1,4 +1,4 @@
+-policy_module(remotelogin, 1.7.2)
++policy_module(remotelogin, 1.7.0)
+
+ ########################################
+ #
+@@ -10,12 +10,9 @@ domain_interactive_fd(remote_login_t)
auth_login_pgm_domain(remote_login_t)
auth_login_entry_type(remote_login_t)
@@ -54705,63 +60637,88 @@ index 0a76027..18f59a7 100644
-
########################################
#
- # Remote login remote policy
-@@ -34,10 +31,6 @@ allow remote_login_t self:msgq create_msgq_perms;
- allow remote_login_t self:msg { send receive };
- allow remote_login_t self:key write;
+-# Local policy
++# Remote login remote policy
+ #
+ allow remote_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config };
+@@ -23,32 +20,42 @@ allow remote_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrl
+ allow remote_login_t self:process { setrlimit setexec };
+ allow remote_login_t self:fd use;
+ allow remote_login_t self:fifo_file rw_fifo_file_perms;
++allow remote_login_t self:sock_file read_sock_file_perms;
++allow remote_login_t self:unix_dgram_socket create_socket_perms;
++allow remote_login_t self:unix_stream_socket create_stream_socket_perms;
+ allow remote_login_t self:unix_dgram_socket sendto;
+-allow remote_login_t self:unix_stream_socket { accept connectto listen };
+-
-manage_dirs_pattern(remote_login_t, remote_login_tmp_t, remote_login_tmp_t)
-manage_files_pattern(remote_login_t, remote_login_tmp_t, remote_login_tmp_t)
-files_tmp_filetrans(remote_login_t, remote_login_tmp_t, { file dir })
--
++allow remote_login_t self:unix_stream_socket connectto;
++allow remote_login_t self:shm create_shm_perms;
++allow remote_login_t self:sem create_sem_perms;
++allow remote_login_t self:msgq create_msgq_perms;
++allow remote_login_t self:msg { send receive };
++allow remote_login_t self:key write;
+
kernel_read_system_state(remote_login_t)
kernel_read_kernel_sysctls(remote_login_t)
-@@ -49,6 +42,8 @@ fs_getattr_xattr_fs(remote_login_t)
- fs_search_auto_mountpoints(remote_login_t)
+ dev_getattr_mouse_dev(remote_login_t)
+ dev_setattr_mouse_dev(remote_login_t)
++dev_dontaudit_search_sysfs(remote_login_t)
+
+ fs_getattr_xattr_fs(remote_login_t)
++fs_search_auto_mountpoints(remote_login_t)
term_relabel_all_ptys(remote_login_t)
-+term_use_all_ptys(remote_login_t)
-+term_setattr_all_ptys(remote_login_t)
+ term_use_all_ptys(remote_login_t)
+ term_setattr_all_ptys(remote_login_t)
+-auth_manage_pam_console_data(remote_login_t)
+-auth_domtrans_pam_console(remote_login_t)
auth_rw_login_records(remote_login_t)
auth_rw_faillog(remote_login_t)
-@@ -64,7 +59,6 @@ corecmd_read_bin_sockets(remote_login_t)
++auth_manage_pam_console_data(remote_login_t)
++auth_domtrans_pam_console(remote_login_t)
+
+ corecmd_list_bin(remote_login_t)
+ corecmd_read_bin_symlinks(remote_login_t)
++# cjp: these are probably not needed:
++corecmd_read_bin_files(remote_login_t)
++corecmd_read_bin_pipes(remote_login_t)
++corecmd_read_bin_sockets(remote_login_t)
domain_read_all_entry_files(remote_login_t)
--files_read_etc_files(remote_login_t)
- files_read_etc_runtime_files(remote_login_t)
- files_list_home(remote_login_t)
- files_read_usr_files(remote_login_t)
-@@ -77,9 +71,8 @@ files_list_mnt(remote_login_t)
- # for when /var/mail is a sym-link
+@@ -61,30 +68,32 @@ files_read_world_readable_symlinks(remote_login_t)
+ files_read_world_readable_pipes(remote_login_t)
+ files_read_world_readable_sockets(remote_login_t)
+ files_list_mnt(remote_login_t)
++# for when /var/mail is a sym-link
files_read_var_symlinks(remote_login_t)
--sysnet_dns_name_resolve(remote_login_t)
-+auth_use_nsswitch(remote_login_t)
-
-miscfiles_read_localization(remote_login_t)
++auth_use_nsswitch(remote_login_t)
++
userdom_use_unpriv_users_fds(remote_login_t)
userdom_search_user_home_content(remote_login_t)
-@@ -87,34 +80,28 @@ userdom_search_user_home_content(remote_login_t)
- # since very weak authentication is used.
++# Only permit unprivileged user domains to be entered via rlogin,
++# since very weak authentication is used.
userdom_signal_unpriv_users(remote_login_t)
userdom_spec_domtrans_unpriv_users(remote_login_t)
+userdom_use_user_ptys(remote_login_t)
--# Search for mail spool file.
--mta_getattr_spool(remote_login_t)
-+userdom_manage_user_tmp_dirs(remote_login_t)
-+userdom_manage_user_tmp_files(remote_login_t)
-+userdom_tmp_filetrans_user_tmp(remote_login_t, { file dir })
-
-tunable_policy(`use_nfs_home_dirs',`
- fs_read_nfs_files(remote_login_t)
- fs_read_nfs_symlinks(remote_login_t)
-')
--
++userdom_manage_user_tmp_dirs(remote_login_t)
++userdom_manage_user_tmp_files(remote_login_t)
++userdom_tmp_filetrans_user_tmp(remote_login_t, { file dir })
+
-tunable_policy(`use_samba_home_dirs',`
- fs_read_cifs_files(remote_login_t)
- fs_read_cifs_symlinks(remote_login_t)
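Review bot: The new side adds `# cjp: these are probably not needed:` above `corecmd_read_bin_files`, `corecmd_read_bin_pipes` and `corecmd_read_bin_sockets` for remote_login_t while keeping all three rules, so a known doubt about a login program's permissions ships unresolved. Either confirm the rules against audit output and drop them, or replace the comment with the reason they stay, e.g. `# rshd/rlogind read helper binaries at login; see <TODO: ticket or AVC reference>`. The rest of the hunk (the pam_console and nsswitch lines) only moves rules without changing them, which is fine but could be left in upstream order to keep the patch smaller.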
@@ -54773,51 +60730,15 @@ index 0a76027..18f59a7 100644
')
optional_policy(`
-- nis_use_ypbind(remote_login_t)
+ # Search for mail spool file.
-+ mta_getattr_spool(remote_login_t)
- ')
-
- optional_policy(`
-- nscd_socket_use(remote_login_t)
-+ telnet_use_ptys(remote_login_t)
- ')
-
- optional_policy(`
-- unconfined_domain(remote_login_t)
- unconfined_shell_domtrans(remote_login_t)
+ mta_getattr_spool(remote_login_t)
')
-diff --git a/resmgr.fc b/resmgr.fc
-index af810b9..a888eb9 100644
---- a/resmgr.fc
-+++ b/resmgr.fc
-@@ -2,6 +2,7 @@
- /etc/resmgr\.conf -- gen_context(system_u:object_r:resmgrd_etc_t,s0)
-
- /sbin/resmgrd -- gen_context(system_u:object_r:resmgrd_exec_t,s0)
-+/usr/sbin/resmgrd -- gen_context(system_u:object_r:resmgrd_exec_t,s0)
-
- /var/run/\.resmgr_socket -s gen_context(system_u:object_r:resmgrd_var_run_t,s0)
- /var/run/resmgr\.pid -- gen_context(system_u:object_r:resmgrd_var_run_t,s0)
-diff --git a/resmgr.if b/resmgr.if
-index d457736..eabdd78 100644
---- a/resmgr.if
-+++ b/resmgr.if
-@@ -16,7 +16,6 @@ interface(`resmgr_stream_connect',`
- type resmgrd_var_run_t, resmgrd_t;
- ')
-
-- allow $1 resmgrd_t:unix_stream_socket connectto;
-- allow $1 resmgrd_var_run_t:sock_file { getattr write };
- files_search_pids($1)
-+ stream_connect_pattern($1, resmgrd_var_run_t, resmgrd_var_run_t, resmgrd_t)
- ')
diff --git a/resmgr.te b/resmgr.te
-index bf5efbf..b38b22d 100644
+index 6f219b3..f38e183 100644
--- a/resmgr.te
+++ b/resmgr.te
-@@ -53,8 +53,6 @@ storage_raw_write_removable_device(resmgrd_t)
+@@ -54,8 +54,6 @@ storage_write_scsi_generic(resmgrd_t)
logging_send_syslog_msg(resmgrd_t)
@@ -54827,38 +60748,49 @@ index bf5efbf..b38b22d 100644
optional_policy(`
diff --git a/rgmanager.fc b/rgmanager.fc
-index 3c97ef0..91e69b8 100644
+index 5421af0..91e69b8 100644
--- a/rgmanager.fc
+++ b/rgmanager.fc
-@@ -1,7 +1,22 @@
+@@ -1,12 +1,22 @@
+-/etc/rc\.d/init\.d/rgmanager -- gen_context(system_u:object_r:rgmanager_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/cpglockd -- gen_context(system_u:object_r:rgmanager_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/rgmanager -- gen_context(system_u:object_r:rgmanager_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/heartbeat -- gen_context(system_u:object_r:rgmanager_initrc_exec_t,s0)
-+
+
+-/usr/sbin/rgmanager -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
+/usr/sbin/cpglockd -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
- /usr/sbin/rgmanager -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
++/usr/sbin/rgmanager -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
--/var/log/cluster/rgmanager\.log -- gen_context(system_u:object_r:rgmanager_var_log_t,s0)
+-/usr/sbin/ccs_tool -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
+-/usr/sbin/cman_tool -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
+/usr/sbin/ccs_tool -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
+/usr/sbin/cman_tool -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
-+
+
+-/var/log/cluster/rgmanager\.log.* -- gen_context(system_u:object_r:rgmanager_var_log_t,s0)
+/usr/lib/heartbeat(/.*)? gen_context(system_u:object_r:rgmanager_var_lib_t,s0)
+/usr/lib/heartbeat/heartbeat -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
+/var/lib/heartbeat(/.*)? gen_context(system_u:object_r:rgmanager_var_lib_t,s0)
-+
+
+-/var/run/cluster/rgmanager\.sk -s gen_context(system_u:object_r:rgmanager_var_run_t,s0)
+/var/log/cluster/cpglockd\.log.* -- gen_context(system_u:object_r:rgmanager_var_log_t,s0)
+/var/log/cluster/rgmanager\.log.* -- gen_context(system_u:object_r:rgmanager_var_log_t,s0)
- /var/run/cluster/rgmanager\.sk -s gen_context(system_u:object_r:rgmanager_var_run_t,s0)
-
+-/var/run/rgmanager\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0)
++/var/run/cluster/rgmanager\.sk -s gen_context(system_u:object_r:rgmanager_var_run_t,s0)
++
+/var/run/cpglockd\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0)
+/var/run/heartbeat(/.*)? gen_context(system_u:object_r:rgmanager_var_run_t,s0)
- /var/run/rgmanager\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0)
++/var/run/rgmanager\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0)
diff --git a/rgmanager.if b/rgmanager.if
-index 7dc38d1..5bd6fdb 100644
+index 1c2f9aa..5bd6fdb 100644
--- a/rgmanager.if
+++ b/rgmanager.if
-@@ -5,9 +5,9 @@
+@@ -1,13 +1,13 @@
+-## <summary>Resource Group Manager.</summary>
++## <summary>rgmanager - Resource Group Manager</summary>
+
+ #######################################
+ ## <summary>
## Execute a domain transition to run rgmanager.
## </summary>
## <param name="domain">
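Review bot: Labelling `/usr/lib/heartbeat(/.*)?` as `rgmanager_var_lib_t` while the rgmanager.te hunk further down adds `can_exec(rgmanager_t, rgmanager_var_lib_t)` and `files_var_lib_filetrans(rgmanager_t, rgmanager_var_lib_t, { file dir fifo_file sock_file })` makes everything under that directory content rgmanager_t can both create and execute, which drops the write/execute separation the rest of the module keeps between `rgmanager_exec_t` and its data types (assuming the manage rules for rgmanager_var_lib_t that the filetrans implies are present outside this view). Only `/usr/lib/heartbeat/heartbeat` itself gets `rgmanager_exec_t` by longest match; the remaining resource scripts would be safer with a read-only executable type, e.g. `/usr/lib/heartbeat(/.*)? gen_context(system_u:object_r:rgmanager_exec_t,s0)` with the writable state kept under `/var/lib/heartbeat(/.*)?` as it already is. A comment on the fc line naming which files under /usr/lib/heartbeat the daemon actually writes would justify the current choice if it is intentional.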
@@ -54870,20 +60802,40 @@ index 7dc38d1..5bd6fdb 100644
## </param>
#
interface(`rgmanager_domtrans',`
-@@ -21,7 +21,7 @@ interface(`rgmanager_domtrans',`
+@@ -21,8 +21,7 @@ interface(`rgmanager_domtrans',`
########################################
## <summary>
--## Connect to rgmanager over an unix stream socket.
+-## Connect to rgmanager with a unix
+-## domain stream socket.
+## Connect to rgmanager over a unix stream socket.
## </summary>
## <param name="domain">
## <summary>
-@@ -75,3 +75,91 @@ interface(`rgmanager_manage_tmpfs_files',`
- fs_search_tmpfs($1)
+@@ -41,8 +40,7 @@ interface(`rgmanager_stream_connect',`
+
+ ######################################
+ ## <summary>
+-## Create, read, write, and delete
+-## rgmanager tmp files.
++## Allow manage rgmanager tmp files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -61,8 +59,7 @@ interface(`rgmanager_manage_tmp_files',`
+
+ ######################################
+ ## <summary>
+-## Create, read, write, and delete
+-## rgmanager tmpfs files.
++## Allow manage rgmanager tmpfs files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -79,10 +76,28 @@ interface(`rgmanager_manage_tmpfs_files',`
manage_files_pattern($1, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
')
-+
+
+#######################################
+## <summary>
+## Allow read and write access to rgmanager semaphores.
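Review bot: The new summaries `## Allow manage rgmanager tmp files.` and `## Allow manage rgmanager tmpfs files.` are less precise than the upstream text they replace and are not grammatical English, so the generated interface documentation gets worse for no policy change. Keeping upstream's `## Create, read, write, and delete` / `## rgmanager tmp files.` (and the tmpfs counterpart) would also remove this wording-only hunk from the distro patch entirely.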
@@ -54902,51 +60854,41 @@ index 7dc38d1..5bd6fdb 100644
+ allow $1 rgmanager_t:sem rw_sem_perms;
+')
+
-+######################################
-+## <summary>
+ ######################################
+ ## <summary>
+-## All of the rules required to
+-## administrate an rgmanager environment.
+## All of the rules required to administrate
+## an rgmanager environment
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <param name="role">
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -91,7 +106,7 @@ interface(`rgmanager_manage_tmpfs_files',`
+ ## </param>
+ ## <param name="role">
+ ## <summary>
+-## Role allowed access.
+## The role to be allowed to manage the rgmanager domain.
-+## </summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`rgmanager_admin',`
-+ gen_require(`
-+ type rgmanager_t, rgmanager_initrc_exec_t, rgmanager_tmp_t;
-+ type rgmanager_tmpfs_t, rgmanager_var_log_t, rgmanager_var_run_t;
-+ ')
-+
+ ## </summary>
+ ## </param>
+ ## <rolecap/>
+@@ -102,8 +117,11 @@ interface(`rgmanager_admin',`
+ type rgmanager_tmpfs_t, rgmanager_var_log_t, rgmanager_var_run_t;
+ ')
+
+- allow $1 rgmanager_t:process { ptrace signal_perms };
+ allow $1 rgmanager_t:process signal_perms;
-+ ps_process_pattern($1, rgmanager_t)
+ ps_process_pattern($1, rgmanager_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 rgmanager_t:process ptrace;
+ ')
-+
-+ init_labeled_script_domtrans($1, rgmanager_initrc_exec_t)
-+ domain_system_change_exemption($1)
-+ role_transition $2 rgmanager_initrc_exec_t system_r;
-+ allow $2 system_r;
-+
-+ files_list_tmp($1)
-+ admin_pattern($1, rgmanager_tmp_t)
-+
-+ admin_pattern($1, rgmanager_tmpfs_t)
-+
-+ logging_list_logs($1)
-+ admin_pattern($1, rgmanager_var_log_t)
-+
-+ files_list_pids($1)
-+ admin_pattern($1, rgmanager_var_run_t)
-+')
+
+ init_labeled_script_domtrans($1, rgmanager_initrc_exec_t)
+ domain_system_change_exemption($1)
+@@ -121,3 +139,27 @@ interface(`rgmanager_admin',`
+ files_list_pids($1)
+ admin_pattern($1, rgmanager_var_run_t)
+ ')
+
+
+######################################
@@ -54972,22 +60914,30 @@ index 7dc38d1..5bd6fdb 100644
+ admin_pattern($1, rgmanager_var_run_t)
+')
diff --git a/rgmanager.te b/rgmanager.te
-index 3786c45..1ad9c12 100644
+index b418d1c..1ad9c12 100644
--- a/rgmanager.te
+++ b/rgmanager.te
-@@ -14,15 +14,20 @@ gen_tunable(rgmanager_can_network_connect, false)
+@@ -1,4 +1,4 @@
+-policy_module(rgmanager, 1.2.2)
++policy_module(rgmanager, 1.2.0)
- type rgmanager_t;
- type rgmanager_exec_t;
--domain_type(rgmanager_t)
- init_daemon_domain(rgmanager_t, rgmanager_exec_t)
+ ########################################
+ #
+@@ -6,10 +6,9 @@ policy_module(rgmanager, 1.2.2)
+ #
-+type rgmanager_initrc_exec_t;
-+init_script_file(rgmanager_initrc_exec_t)
-+
- type rgmanager_tmp_t;
- files_tmp_file(rgmanager_tmp_t)
+ ## <desc>
+-## <p>
+-## Determine whether rgmanager can
+-## connect to the network using TCP.
+-## </p>
++## <p>
++## Allow rgmanager domain to connect to the network using TCP.
++## </p>
+ ## </desc>
+ gen_tunable(rgmanager_can_network_connect, false)
+@@ -26,6 +25,9 @@ files_tmp_file(rgmanager_tmp_t)
type rgmanager_tmpfs_t;
files_tmpfs_file(rgmanager_tmpfs_t)
@@ -54997,20 +60947,32 @@ index 3786c45..1ad9c12 100644
type rgmanager_var_log_t;
logging_log_file(rgmanager_var_log_t)
-@@ -35,9 +40,7 @@ files_pid_file(rgmanager_var_run_t)
+@@ -34,14 +36,16 @@ files_pid_file(rgmanager_var_run_t)
+
+ ########################################
+ #
+-# Local policy
++# rgmanager local policy
#
allow rgmanager_t self:capability { dac_override net_raw sys_resource sys_admin sys_nice ipc_lock };
--dontaudit rgmanager_t self:capability { sys_ptrace };
allow rgmanager_t self:process { setsched signal };
--dontaudit rgmanager_t self:process { ptrace };
-
++
allow rgmanager_t self:fifo_file rw_fifo_file_perms;
- allow rgmanager_t self:unix_stream_socket { create_stream_socket_perms };
-@@ -52,14 +55,27 @@ manage_dirs_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
+-allow rgmanager_t self:unix_stream_socket { accept listen };
+-allow rgmanager_t self:tcp_socket { accept listen };
++allow rgmanager_t self:unix_stream_socket { create_stream_socket_perms };
++allow rgmanager_t self:unix_dgram_socket create_socket_perms;
++allow rgmanager_t self:tcp_socket create_stream_socket_perms;
+
+ manage_dirs_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t)
+ manage_files_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t)
+@@ -51,77 +55,93 @@ manage_dirs_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
manage_files_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
fs_tmpfs_filetrans(rgmanager_t, rgmanager_tmpfs_t, { dir file })
+-allow rgmanager_t rgmanager_var_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+-logging_log_filetrans(rgmanager_t, rgmanager_var_log_t, file)
+# var/lib files
+# # needed by hearbeat
+can_exec(rgmanager_t, rgmanager_var_lib_t)
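Review bot: The new comment `# # needed by hearbeat` above `can_exec(rgmanager_t, rgmanager_var_lib_t)` has a doubled comment marker and misspells the daemon; `# needed by heartbeat` is what was meant. Because this line is what lets rgmanager_t execute content in its own writable lib type, the comment is the one place to say which heartbeat scripts require it, so expanding it to name them (or the bug they come from) would help the next reviewer judge whether the rule can be narrowed. The rest of this hunk is the version downgrade and a tunable description reword that change no rules.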
@@ -55021,8 +60983,8 @@ index 3786c45..1ad9c12 100644
+files_var_lib_filetrans(rgmanager_t,rgmanager_var_lib_t, { file dir fifo_file sock_file })
+
+
- manage_files_pattern(rgmanager_t, rgmanager_var_log_t, rgmanager_var_log_t)
- logging_log_filetrans(rgmanager_t, rgmanager_var_log_t, { file })
++manage_files_pattern(rgmanager_t, rgmanager_var_log_t, rgmanager_var_log_t)
++logging_log_filetrans(rgmanager_t, rgmanager_var_log_t, { file })
+manage_dirs_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t)
manage_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t)
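Review bot: The new side replaces upstream's `allow rgmanager_t rgmanager_var_log_t:file { append_file_perms create_file_perms setattr_file_perms }` (removed in the preceding hunk) with `manage_files_pattern(rgmanager_t, rgmanager_var_log_t, rgmanager_var_log_t)`, which additionally grants read, write, truncate, rename and unlink on the daemon's own logs under /var/log/cluster. The append-only shape upstream uses is what keeps a misbehaving or compromised rgmanager from rewriting its trail, and nothing in the hunk indicates the daemon rotates its logs itself. If the wider rule is required, a comment next to it stating which operation needs it belongs here; otherwise keeping the upstream three-permission rule plus `logging_log_filetrans(rgmanager_t, rgmanager_var_log_t, file)` is the safer form.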
@@ -55036,15 +60998,20 @@ index 3786c45..1ad9c12 100644
kernel_read_system_state(rgmanager_t)
kernel_rw_rpc_sysctls(rgmanager_t)
kernel_search_debugfs(rgmanager_t)
-@@ -67,7 +83,6 @@ kernel_search_network_state(rgmanager_t)
+ kernel_search_network_state(rgmanager_t)
+-corenet_all_recvfrom_unlabeled(rgmanager_t)
+-corenet_all_recvfrom_netlabel(rgmanager_t)
+-corenet_tcp_sendrecv_generic_if(rgmanager_t)
+-corenet_tcp_sendrecv_generic_node(rgmanager_t)
+-
corecmd_exec_bin(rgmanager_t)
corecmd_exec_shell(rgmanager_t)
--consoletype_exec(rgmanager_t)
- # need to write to /dev/misc/dlm-control
++# need to write to /dev/misc/dlm-control
dev_rw_dlm_control(rgmanager_t)
-@@ -76,31 +91,35 @@ dev_search_sysfs(rgmanager_t)
+ dev_setattr_dlm_control(rgmanager_t)
+ dev_search_sysfs(rgmanager_t)
domain_read_all_domains_state(rgmanager_t)
domain_getattr_all_domains(rgmanager_t)
@@ -55059,165 +61026,242 @@ index 3786c45..1ad9c12 100644
+files_manage_mnt_symlinks(rgmanager_t)
+files_manage_isid_type_files(rgmanager_t)
files_manage_isid_type_dirs(rgmanager_t)
+-files_read_non_security_files(rgmanager_t)
- fs_getattr_xattr_fs(rgmanager_t)
++fs_getattr_xattr_fs(rgmanager_t)
fs_getattr_all_fs(rgmanager_t)
-+storage_raw_read_fixed_disk(rgmanager_t)
- storage_getattr_fixed_disk_dev(rgmanager_t)
+ storage_raw_read_fixed_disk(rgmanager_t)
++storage_getattr_fixed_disk_dev(rgmanager_t)
term_getattr_pty_fs(rgmanager_t)
--#term_use_ptmx(rgmanager_t)
- # needed by resources scripts
--files_read_non_auth_files(rgmanager_t)
++# needed by resources scripts
+files_read_non_security_files(rgmanager_t)
auth_dontaudit_getattr_shadow(rgmanager_t)
auth_use_nsswitch(rgmanager_t)
--logging_send_syslog_msg(rgmanager_t)
-+init_domtrans_script(rgmanager_t)
+ init_domtrans_script(rgmanager_t)
+init_initrc_domain(rgmanager_t)
--miscfiles_read_localization(rgmanager_t)
-+logging_send_syslog_msg(rgmanager_t)
+ logging_send_syslog_msg(rgmanager_t)
--mount_domtrans(rgmanager_t)
+-miscfiles_read_localization(rgmanager_t)
+userdom_kill_all_users(rgmanager_t)
tunable_policy(`rgmanager_can_network_connect',`
+- corenet_sendrecv_all_client_packets(rgmanager_t)
corenet_tcp_connect_all_ports(rgmanager_t)
-@@ -118,6 +137,14 @@ optional_policy(`
+- corenet_tcp_sendrecv_all_ports(rgmanager_t)
')
++# rgmanager can run resource scripts
optional_policy(`
+ aisexec_stream_connect(rgmanager_t)
++ corosync_stream_connect(rgmanager_t)
+ ')
+
+ optional_policy(`
+- consoletype_exec(rgmanager_t)
++ apache_domtrans(rgmanager_t)
++ apache_signal(rgmanager_t)
+ ')
+
+ optional_policy(`
+- corosync_stream_connect(rgmanager_t)
+ consoletype_exec(rgmanager_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- apache_domtrans(rgmanager_t)
+- apache_signal(rgmanager_t)
+ dbus_system_bus_client(rgmanager_t)
+ ')
+
+ optional_policy(`
+@@ -130,7 +150,6 @@ optional_policy(`
+
+ optional_policy(`
+ rhcs_stream_connect_groupd(rgmanager_t)
+- rhcs_stream_connect_gfs_controld(rgmanager_t)
+ ')
+
+ optional_policy(`
+@@ -140,6 +159,7 @@ optional_policy(`
+ optional_policy(`
+ ccs_manage_config(rgmanager_t)
+ ccs_stream_connect(rgmanager_t)
++ rhcs_stream_connect_gfs_controld(rgmanager_t)
+ ')
+
+ optional_policy(`
+@@ -147,6 +167,12 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ ldap_initrc_domtrans(rgmanager_t)
++ ldap_systemctl(rgmanager_t)
++ ldap_domtrans(rgmanager_t)
+')
+
+optional_policy(`
- fstools_domtrans(rgmanager_t)
+ mount_domtrans(rgmanager_t)
+ ')
+
+@@ -174,12 +200,18 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ rpc_initrc_domtrans_nfsd(rgmanager_t)
++ rpc_initrc_domtrans_rpcd(rgmanager_t)
++ rpc_systemctl_nfsd(rgmanager_t)
++ rpc_systemctl_rpcd(rgmanager_t)
++
+ rpc_domtrans_nfsd(rgmanager_t)
+ rpc_domtrans_rpcd(rgmanager_t)
+ rpc_manage_nfs_state_data(rgmanager_t)
')
-@@ -140,6 +167,16 @@ optional_policy(`
+ optional_policy(`
++ samba_initrc_domtrans(rgmanager_t)
+ samba_domtrans_smbd(rgmanager_t)
+ samba_domtrans_nmbd(rgmanager_t)
+ samba_manage_var_files(rgmanager_t)
+@@ -201,5 +233,9 @@ optional_policy(`
')
optional_policy(`
-+ ldap_initrc_domtrans(rgmanager_t)
-+ ldap_systemctl(rgmanager_t)
-+ ldap_domtrans(rgmanager_t)
++ unconfined_domain(rgmanager_t)
+')
+
+optional_policy(`
-+ mount_domtrans(rgmanager_t)
-+')
-+
-+optional_policy(`
- mysql_domtrans_mysql_safe(rgmanager_t)
- mysql_stream_connect(rgmanager_t)
+ xen_domtrans_xm(rgmanager_t)
')
-@@ -165,6 +202,8 @@ optional_policy(`
- optional_policy(`
- rpc_initrc_domtrans_nfsd(rgmanager_t)
- rpc_initrc_domtrans_rpcd(rgmanager_t)
-+ rpc_systemctl_nfsd(rgmanager_t)
-+ rpc_systemctl_rpcd(rgmanager_t)
-
- rpc_domtrans_nfsd(rgmanager_t)
- rpc_domtrans_rpcd(rgmanager_t)
diff --git a/rhcs.fc b/rhcs.fc
-index c2ba53b..977f2eb 100644
+index 47de2d6..977f2eb 100644
--- a/rhcs.fc
+++ b/rhcs.fc
-@@ -1,22 +1,30 @@
- /usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
- /usr/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0)
- /usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0)
+@@ -1,31 +1,30 @@
+-/etc/rc\.d/init\.d/dlm -- gen_context(system_u:object_r:dlm_controld_initrc_exec_t,s0)
+-/etc/rc\.d/init\.d/foghorn -- gen_context(system_u:object_r:foghorn_initrc_exec_t,s0)
++/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
++/usr/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0)
++/usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/sbin/fence_tool -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/sbin/fence_virtd -- gen_context(system_u:object_r:fenced_exec_t,s0)
- /usr/sbin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0)
++/usr/sbin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0)
+/usr/sbin/foghorn -- gen_context(system_u:object_r:foghorn_exec_t,s0)
- /usr/sbin/groupd -- gen_context(system_u:object_r:groupd_exec_t,s0)
- /usr/sbin/qdiskd -- gen_context(system_u:object_r:qdiskd_exec_t,s0)
-
- /var/lock/fence_manual\.lock -- gen_context(system_u:object_r:fenced_lock_t,s0)
-
++/usr/sbin/groupd -- gen_context(system_u:object_r:groupd_exec_t,s0)
++/usr/sbin/qdiskd -- gen_context(system_u:object_r:qdiskd_exec_t,s0)
+
+-/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
+-/usr/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0)
+-/usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0)
+-/usr/sbin/fence_tool -- gen_context(system_u:object_r:fenced_exec_t,s0)
+-/usr/sbin/foghorn -- gen_context(system_u:object_r:foghorn_exec_t,s0)
+-/usr/sbin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0)
+-/usr/sbin/groupd -- gen_context(system_u:object_r:groupd_exec_t,s0)
+-/usr/sbin/qdiskd -- gen_context(system_u:object_r:qdiskd_exec_t,s0)
++/var/lock/fence_manual\.lock -- gen_context(system_u:object_r:fenced_lock_t,s0)
+
+-/var/lock/fence_manual\.lock -- gen_context(system_u:object_r:fenced_lock_t,s0)
+/var/lib/cluster(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0)
- /var/lib/qdiskd(/.*)? gen_context(system_u:object_r:qdiskd_var_lib_t,s0)
++/var/lib/qdiskd(/.*)? gen_context(system_u:object_r:qdiskd_var_lib_t,s0)
+-/var/lib/qdiskd(/.*)? gen_context(system_u:object_r:qdiskd_var_lib_t,s0)
+-
+-/var/log/cluster/.*\.*log <<none>>
+/var/log/cluster/.*\.*log <<none>>
/var/log/cluster/dlm_controld\.log.* -- gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
- /var/log/cluster/fenced\.log.* -- gen_context(system_u:object_r:fenced_var_log_t,s0)
+-/var/log/cluster/fenced\.log.* -- gen_context(system_u:object_r:fenced_var_log_t,s0)
++/var/log/cluster/fenced\.log.* -- gen_context(system_u:object_r:fenced_var_log_t,s0)
/var/log/cluster/gfs_controld\.log.* -- gen_context(system_u:object_r:gfs_controld_var_log_t,s0)
- /var/log/cluster/qdiskd\.log.* -- gen_context(system_u:object_r:qdiskd_var_log_t,s0)
-+/var/log/dlm_controld(/.*)? gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
+-/var/log/cluster/qdiskd\.log.* -- gen_context(system_u:object_r:qdiskd_var_log_t,s0)
++/var/log/cluster/qdiskd\.log.* -- gen_context(system_u:object_r:qdiskd_var_log_t,s0)
+ /var/log/dlm_controld(/.*)? gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
/var/run/cluster/fenced_override -- gen_context(system_u:object_r:fenced_var_run_t,s0)
+-/var/run/cluster/fence_scsi.* -- gen_context(system_u:object_r:fenced_var_run_t,s0)
+-/var/run/dlm_controld\.pid -- gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
+-/var/run/dlm_controld(/.*)? gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
+-/var/run/fenced\.pid -- gen_context(system_u:object_r:fenced_var_run_t,s0)
+-/var/run/gfs_controld\.pid -- gen_context(system_u:object_r:gfs_controld_var_run_t,s0)
+-/var/run/groupd\.pid -- gen_context(system_u:object_r:groupd_var_run_t,s0)
+-/var/run/qdiskd\.pid -- gen_context(system_u:object_r:qdiskd_var_run_t,s0)
+/var/run/cluster/fence_scsi.* -- gen_context(system_u:object_r:fenced_var_run_t,s0)
- /var/run/dlm_controld\.pid -- gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
--/var/run/fenced\.pid -- gen_context(system_u:object_r:fenced_var_run_t,s0)
++/var/run/dlm_controld\.pid -- gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
+/var/run/dlm_controld(/.*)? gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
+/var/run/fence.* gen_context(system_u:object_r:fenced_var_run_t,s0)
- /var/run/gfs_controld\.pid -- gen_context(system_u:object_r:gfs_controld_var_run_t,s0)
- /var/run/groupd\.pid -- gen_context(system_u:object_r:groupd_var_run_t,s0)
- /var/run/qdiskd\.pid -- gen_context(system_u:object_r:qdiskd_var_run_t,s0)
++/var/run/gfs_controld\.pid -- gen_context(system_u:object_r:gfs_controld_var_run_t,s0)
++/var/run/groupd\.pid -- gen_context(system_u:object_r:groupd_var_run_t,s0)
++/var/run/qdiskd\.pid -- gen_context(system_u:object_r:qdiskd_var_run_t,s0)
diff --git a/rhcs.if b/rhcs.if
-index de37806..aee7ba7 100644
+index 56bc01f..aee7ba7 100644
--- a/rhcs.if
+++ b/rhcs.if
-@@ -13,7 +13,7 @@
+@@ -1,19 +1,19 @@
+-## <summary>Red Hat Cluster Suite.</summary>
++## <summary>RHCS - Red Hat Cluster Suite</summary>
+
+ #######################################
+ ## <summary>
+-## The template to define a rhcs domain.
++## Creates types and rules for a basic
++## rhcs init daemon domain.
+ ## </summary>
+-## <param name="domain_prefix">
++## <param name="prefix">
+ ## <summary>
+-## Domain prefix to be used.
++## Prefix for the domain.
+ ## </summary>
+ ## </param>
#
template(`rhcs_domain_template',`
gen_require(`
-- attribute cluster_domain;
+- attribute cluster_domain, cluster_pid, cluster_tmpfs;
+- attribute cluster_log;
+ attribute cluster_domain, cluster_tmpfs, cluster_pid;
')
##############################
-@@ -25,13 +25,13 @@ template(`rhcs_domain_template',`
- type $1_exec_t;
- init_daemon_domain($1_t, $1_exec_t)
-
-- type $1_tmpfs_t;
-+ type $1_tmpfs_t, cluster_tmpfs;
+@@ -28,7 +28,7 @@ template(`rhcs_domain_template',`
+ type $1_tmpfs_t, cluster_tmpfs;
files_tmpfs_file($1_tmpfs_t)
- type $1_var_log_t;
+- type $1_var_log_t, cluster_log;
++ type $1_var_log_t;
logging_log_file($1_var_log_t)
-- type $1_var_run_t;
-+ type $1_var_run_t, cluster_pid;
- files_pid_file($1_var_run_t)
-
- ##############################
-@@ -43,15 +43,20 @@ template(`rhcs_domain_template',`
- manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+ type $1_var_run_t, cluster_pid;
+@@ -44,9 +44,7 @@ template(`rhcs_domain_template',`
fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file })
-+ manage_dirs_pattern($1_t, $1_var_log_t, $1_var_log_t)
- manage_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
+ manage_dirs_pattern($1_t, $1_var_log_t, $1_var_log_t)
+- append_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
+- create_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
+- setattr_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
++ manage_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
manage_sock_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
-- logging_log_filetrans($1_t, $1_var_log_t, { file sock_file })
-+ logging_log_filetrans($1_t, $1_var_log_t, { dir file sock_file })
+ logging_log_filetrans($1_t, $1_var_log_t, { dir file sock_file })
-+ manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
- manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
- manage_fifo_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+@@ -56,20 +54,19 @@ template(`rhcs_domain_template',`
manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
-- files_pid_filetrans($1_t, $1_var_run_t, { file fifo_file })
-+ files_pid_filetrans($1_t, $1_var_run_t, { dir file fifo_file })
-+
-+ auth_use_nsswitch($1_t)
+ files_pid_filetrans($1_t, $1_var_run_t, { dir file fifo_file })
+- optional_policy(`
+- dbus_system_bus_client($1_t)
+- ')
++ auth_use_nsswitch($1_t)
++
+ logging_send_syslog_msg($1_t)
')
######################################
-@@ -59,9 +64,9 @@ template(`rhcs_domain_template',`
- ## Execute a domain transition to run dlm_controld.
+ ## <summary>
+-## Execute a domain transition to
+-## run dlm_controld.
++## Execute a domain transition to run dlm_controld.
## </summary>
## <param name="domain">
-## <summary>
@@ -55228,7 +61272,46 @@ index de37806..aee7ba7 100644
## </param>
#
interface(`rhcs_domtrans_dlm_controld',`
-@@ -133,6 +138,24 @@ interface(`rhcs_domtrans_fenced',`
+@@ -83,27 +80,8 @@ interface(`rhcs_domtrans_dlm_controld',`
+
+ #####################################
+ ## <summary>
+-## Get attributes of fenced
+-## executable files.
+-## </summary>
+-## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+-## </param>
+-#
+-interface(`rhcs_getattr_fenced_exec_files',`
+- gen_require(`
+- type fenced_exec_t;
+- ')
+-
+- allow $1 fenced_exec_t:file getattr_file_perms;
+-')
+-
+-#####################################
+-## <summary>
+-## Connect to dlm_controld with a
+-## unix domain stream socket.
++## Connect to dlm_controld over a unix domain
++## stream socket.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -122,7 +100,7 @@ interface(`rhcs_stream_connect_dlm_controld',`
+
+ #####################################
+ ## <summary>
+-## Read and write dlm_controld semaphores.
++## Allow read and write access to dlm_controld semaphores.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -160,9 +138,27 @@ interface(`rhcs_domtrans_fenced',`
domtrans_pattern($1, fenced_exec_t, fenced_t)
')
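Review bot: The new patch deletes the public interface `rhcs_getattr_fenced_exec_files` from upstream rhcs.if (L83147–L83153) without a visible replacement, so any module elsewhere in the tree that still calls it will fail to build; a grep for callers before landing would be prudent. The same concern applies to `rhcs_admin`, which the hunks at L83439 and L83479 delete — rolecap admin interfaces are normally referenced from role/admin modules, and the replacement `rhcs_read_cluster_lib_files` / `rhcs_manage_cluster_lib_files` interfaces do not carry the ptrace, signal_perms or role_transition rules it granted. If callers were already migrated elsewhere in this mass merge, one sentence in the commit description naming that would make the removal auditable.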
@@ -55252,98 +61335,208 @@ index de37806..aee7ba7 100644
+
######################################
## <summary>
- ## Allow read and write access to fenced semaphores.
-@@ -156,7 +179,26 @@ interface(`rhcs_rw_fenced_semaphores',`
+-## Read and write fenced semaphores.
++## Allow read and write access to fenced semaphores.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -181,10 +177,9 @@ interface(`rhcs_rw_fenced_semaphores',`
+ manage_files_pattern($1, fenced_tmpfs_t, fenced_tmpfs_t)
+ ')
- ######################################
+-####################################
++######################################
## <summary>
--## Connect to fenced over an unix domain stream socket.
+-## Connect to all cluster domains
+-## with a unix domain stream socket.
+## Read fenced PID files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`rhcs_read_fenced_pid_files',`
-+ gen_require(`
-+ type fenced_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ read_files_pattern($1, fenced_var_run_t, fenced_var_run_t)
-+')
-+
-+######################################
-+## <summary>
-+## Connect to fenced over a unix domain stream socket.
## </summary>
## <param name="domain">
## <summary>
-@@ -169,9 +211,8 @@ interface(`rhcs_stream_connect_fenced',`
- type fenced_var_run_t, fenced_t;
+@@ -192,19 +187,18 @@ interface(`rhcs_rw_fenced_semaphores',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`rhcs_stream_connect_cluster',`
++interface(`rhcs_read_fenced_pid_files',`
+ gen_require(`
+- attribute cluster_domain, cluster_pid;
++ type fenced_var_run_t;
')
-- allow $1 fenced_t:unix_stream_socket connectto;
-- allow $1 fenced_var_run_t:sock_file { getattr write };
files_search_pids($1)
-+ stream_connect_pattern($1, fenced_var_run_t, fenced_var_run_t, fenced_t)
+- stream_connect_pattern($1, cluster_pid, cluster_pid, cluster_domain)
++ read_files_pattern($1, fenced_var_run_t, fenced_var_run_t)
')
+ ######################################
+ ## <summary>
+-## Connect to fenced with an unix
+-## domain stream socket.
++## Connect to fenced over a unix domain stream socket.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -223,8 +217,7 @@ interface(`rhcs_stream_connect_fenced',`
+
#####################################
-@@ -237,7 +278,7 @@ interface(`rhcs_rw_gfs_controld_shm',`
+ ## <summary>
+-## Execute a domain transition
+-## to run gfs_controld.
++## Execute a domain transition to run gfs_controld.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -243,7 +236,7 @@ interface(`rhcs_domtrans_gfs_controld',`
+
+ ####################################
+ ## <summary>
+-## Read and write gfs_controld semaphores.
++## Allow read and write access to gfs_controld semaphores.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -264,7 +257,7 @@ interface(`rhcs_rw_gfs_controld_semaphores',`
+
+ ########################################
+ ## <summary>
+-## Read and write gfs_controld_t shared memory.
++## Read and write to gfs_controld_t shared memory.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -285,8 +278,7 @@ interface(`rhcs_rw_gfs_controld_shm',`
#####################################
## <summary>
--## Connect to gfs_controld_t over an unix domain stream socket.
+-## Connect to gfs_controld_t with
+-## a unix domain stream socket.
+## Connect to gfs_controld_t over a unix domain stream socket.
## </summary>
## <param name="domain">
## <summary>
-@@ -335,6 +376,65 @@ interface(`rhcs_rw_groupd_shm',`
- manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
+@@ -324,8 +316,8 @@ interface(`rhcs_domtrans_groupd',`
+
+ #####################################
+ ## <summary>
+-## Connect to groupd with a unix
+-## domain stream socket.
++## Connect to groupd over a unix domain
++## stream socket.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -342,10 +334,9 @@ interface(`rhcs_stream_connect_groupd',`
+ stream_connect_pattern($1, groupd_var_run_t, groupd_var_run_t, groupd_t)
+ ')
+
+-########################################
++#####################################
+ ## <summary>
+-## Read and write all cluster domains
+-## shared memory.
++## Allow read and write access to groupd semaphores.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -353,21 +344,20 @@ interface(`rhcs_stream_connect_groupd',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`rhcs_rw_cluster_shm',`
++interface(`rhcs_rw_groupd_semaphores',`
+ gen_require(`
+- attribute cluster_domain, cluster_tmpfs;
++ type groupd_t, groupd_tmpfs_t;
+ ')
+
+- allow $1 cluster_domain:shm { rw_shm_perms destroy };
++ allow $1 groupd_t:sem { rw_sem_perms destroy };
+
+ fs_search_tmpfs($1)
+- manage_files_pattern($1, cluster_tmpfs, cluster_tmpfs)
++ manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
')
+-####################################
+########################################
-+## <summary>
+ ## <summary>
+-## Read and write all cluster
+-## domains semaphores.
+## Read and write to group shared memory.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -375,17 +365,20 @@ interface(`rhcs_rw_cluster_shm',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`rhcs_rw_cluster_semaphores',`
++interface(`rhcs_rw_groupd_shm',`
+ gen_require(`
+- attribute cluster_domain;
++ type groupd_t, groupd_tmpfs_t;
+ ')
+
+- allow $1 cluster_domain:sem { rw_sem_perms destroy };
++ allow $1 groupd_t:shm { rw_shm_perms destroy };
++
++ fs_search_tmpfs($1)
++ manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
+ ')
+
+-#####################################
++########################################
+ ## <summary>
+-## Read and write groupd semaphores.
++## Read and write to group shared memory.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -393,20 +386,20 @@ interface(`rhcs_rw_cluster_semaphores',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`rhcs_rw_groupd_semaphores',`
+interface(`rhcs_rw_cluster_shm',`
-+ gen_require(`
+ gen_require(`
+- type groupd_t, groupd_tmpfs_t;
+ attribute cluster_domain, cluster_tmpfs;
-+ ')
-+
+ ')
+
+- allow $1 groupd_t:sem { rw_sem_perms destroy };
+ allow $1 cluster_domain:shm { rw_shm_perms destroy };
-+
-+ fs_search_tmpfs($1)
+
+ fs_search_tmpfs($1)
+- manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
+ manage_files_pattern($1, cluster_tmpfs, cluster_tmpfs)
-+')
-+
+ ')
+
+-########################################
+####################################
-+## <summary>
+ ## <summary>
+-## Read and write groupd shared memory.
+## Read and write access to cluster domains semaphores.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -414,15 +407,32 @@ interface(`rhcs_rw_groupd_semaphores',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`rhcs_rw_groupd_shm',`
+interface(`rhcs_rw_cluster_semaphores',`
-+ gen_require(`
+ gen_require(`
+- type groupd_t, groupd_tmpfs_t;
+ attribute cluster_domain;
-+ ')
-+
+ ')
+
+- allow $1 groupd_t:shm { rw_shm_perms destroy };
+ allow $1 cluster_domain:sem { rw_sem_perms destroy };
+')
-+
+
+- fs_search_tmpfs($1)
+- manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
+####################################
+## <summary>
+## Connect to cluster domains over a unix domain
@@ -55362,25 +61555,23 @@ index de37806..aee7ba7 100644
+
+ files_search_pids($1)
+ stream_connect_pattern($1, cluster_pid, cluster_pid, cluster_domain)
-+')
-+
+ ')
+
######################################
+@@ -446,52 +456,77 @@ interface(`rhcs_domtrans_qdiskd',`
+
+ ########################################
## <summary>
- ## Execute a domain transition to run qdiskd.
-@@ -353,3 +453,80 @@ interface(`rhcs_domtrans_qdiskd',`
- corecmd_search_bin($1)
- domtrans_pattern($1, qdiskd_exec_t, qdiskd_t)
- ')
-+
-+########################################
-+## <summary>
+-## All of the rules required to
+-## administrate an rhcs environment.
+## Allow domain to read qdiskd tmpfs files
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <param name="role">
+#
+interface(`rhcs_read_qdiskd_tmpfs_files',`
+ gen_require(`
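Review bot: The summaries on the interfaces added in this hunk and the next (`rhcs_read_qdiskd_tmpfs_files` at L83462, `rhcs_read_cluster_lib_files` at L83480, and the manage/relabel variants that follow) use an "Allow domain to …" phrasing with no terminating period, while every other summary in rhcs.if is an imperative sentence such as "Read fenced PID files."; `## Read qdiskd tmpfs files.` would follow the file's convention. This is only a style point, but the summaries are extracted verbatim into the reference documentation.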
@@ -55396,20 +61587,47 @@ index de37806..aee7ba7 100644
+## Allow domain to read cluster lib files
+## </summary>
+## <param name="domain">
-+## <summary>
+ ## <summary>
+-## Role allowed access.
+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`rhcs_admin',`
+interface(`rhcs_read_cluster_lib_files',`
-+ gen_require(`
+ gen_require(`
+- attribute cluster_domain, cluster_pid, cluster_tmpfs;
+- attribute cluster_log;
+- type dlm_controld_initrc_exec_t, foghorn_initrc_exec_t, fenced_lock_t;
+- type fenced_tmp_t, qdiskd_var_lib_t;
+ type cluster_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
+ ')
+
+- allow $1 cluster_domain:process { ptrace signal_perms };
+- ps_process_pattern($1, cluster_domain)
+-
+- init_labeled_script_domtrans($1, { dlm_controld_initrc_exec_t foghorn_initrc_exec_t })
+- domain_system_change_exemption($1)
+- role_transition $2 { dlm_controld_initrc_exec_t foghorn_initrc_exec_t } system_r;
+- allow $2 system_r;
+-
+- files_search_pids($1)
+- admin_pattern($1, cluster_pid)
+-
+- files_search_locks($1)
+- admin_pattern($1, fenced_lock_t)
+-
+- files_search_tmp($1)
+- admin_pattern($1, fenced_tmp_t)
+-
+ files_search_var_lib($1)
+- admin_pattern($1, qdiskd_var_lib_t)
+ read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
+')
-+
+
+- fs_search_tmpfs($1)
+- admin_pattern($1, cluster_tmpfs)
+#####################################
+## <summary>
+## Allow domain to manage cluster lib files
@@ -55424,7 +61642,9 @@ index de37806..aee7ba7 100644
+ gen_require(`
+ type cluster_var_lib_t;
+ ')
-+
+
+- logging_search_logs($1)
+- admin_pattern($1, cluster_log)
+ files_search_var_lib($1)
+ manage_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
+')
@@ -55447,38 +61667,12 @@ index de37806..aee7ba7 100644
+ files_search_var_lib($1)
+ relabelto_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
+ relabelfrom_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
-+')
+ ')
diff --git a/rhcs.te b/rhcs.te
-index 93c896a..8aa7362 100644
+index 2c2de9a..4efe231 100644
--- a/rhcs.te
+++ b/rhcs.te
-@@ -12,7 +12,16 @@ policy_module(rhcs, 1.1.0)
- ## </desc>
- gen_tunable(fenced_can_network_connect, false)
-
-+## <desc>
-+## <p>
-+## Allow fenced domain to execute ssh.
-+## </p>
-+## </desc>
-+gen_tunable(fenced_can_ssh, false)
-+
- attribute cluster_domain;
-+attribute cluster_tmpfs;
-+attribute cluster_pid;
-
- rhcs_domain_template(dlm_controld)
-
-@@ -24,6 +33,8 @@ files_lock_file(fenced_lock_t)
- type fenced_tmp_t;
- files_tmp_file(fenced_tmp_t)
-
-+rhcs_domain_template(foghorn)
-+
- rhcs_domain_template(gfs_controld)
-
- rhcs_domain_template(groupd)
-@@ -33,6 +44,10 @@ rhcs_domain_template(qdiskd)
+@@ -50,6 +50,10 @@ rhcs_domain_template(qdiskd)
type qdiskd_var_lib_t;
files_type(qdiskd_var_lib_t)
@@ -55488,85 +61682,105 @@ index 93c896a..8aa7362 100644
+
#####################################
#
- # dlm_controld local policy
-@@ -46,6 +61,9 @@ stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fence
- stream_connect_pattern(dlm_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
+ # Common cluster domains local policy
+@@ -62,10 +66,6 @@ allow cluster_domain self:fifo_file rw_fifo_file_perms;
+ allow cluster_domain self:unix_stream_socket create_stream_socket_perms;
+ allow cluster_domain self:unix_dgram_socket create_socket_perms;
+
+-logging_send_syslog_msg(cluster_domain)
+-
+-miscfiles_read_localization(cluster_domain)
+-
+ optional_policy(`
+ ccs_stream_connect(cluster_domain)
+ ')
+@@ -74,6 +74,10 @@ optional_policy(`
+ corosync_stream_connect(cluster_domain)
+ ')
- kernel_read_system_state(dlm_controld_t)
-+kernel_rw_net_sysctls(dlm_controld_t)
++optional_policy(`
++ dbus_system_bus_client(cluster_domain)
++')
+
-+corecmd_exec_bin(dlm_controld_t)
+ #####################################
+ #
+ # dlm_controld local policy
+@@ -98,6 +102,12 @@ fs_manage_configfs_dirs(dlm_controld_t)
- dev_rw_dlm_control(dlm_controld_t)
- dev_rw_sysfs(dlm_controld_t)
-@@ -56,7 +74,7 @@ fs_manage_configfs_dirs(dlm_controld_t)
init_rw_script_tmp_files(dlm_controld_t)
- optional_policy(`
-- ccs_stream_connect(dlm_controld_t)
++logging_send_syslog_msg(dlm_controld_t)
++
++optional_policy(`
+ corosync_rw_tmpfs(dlm_controld_t)
- ')
-
++')
++
#######################################
-@@ -65,10 +83,11 @@ optional_policy(`
#
+ # fenced local policy
+@@ -105,9 +115,13 @@ init_rw_script_tmp_files(dlm_controld_t)
allow fenced_t self:capability { sys_rawio sys_resource };
--allow fenced_t self:process getsched;
-+allow fenced_t self:process { getsched signal_perms };
-
- allow fenced_t self:tcp_socket create_stream_socket_perms;
- allow fenced_t self:udp_socket create_socket_perms;
-+allow fenced_t self:unix_stream_socket connectto;
+ allow fenced_t self:process { getsched signal_perms };
+-allow fenced_t self:tcp_socket { accept listen };
++
++allow fenced_t self:tcp_socket create_stream_socket_perms;
++allow fenced_t self:udp_socket create_socket_perms;
+ allow fenced_t self:unix_stream_socket connectto;
- can_exec(fenced_t, fenced_exec_t)
++can_exec(fenced_t, fenced_exec_t)
++
+ manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t)
+ files_lock_filetrans(fenced_t, fenced_lock_t, file)
-@@ -82,13 +101,23 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
+@@ -118,9 +132,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
-+kernel_read_system_state(fenced_t)
+-can_exec(fenced_t, fenced_exec_t)
+-
+ kernel_read_system_state(fenced_t)
+kernel_read_network_state(fenced_t)
-+
- corecmd_exec_bin(fenced_t)
-+corecmd_exec_shell(fenced_t)
-+corenet_udp_bind_ionixnetmon_port(fenced_t)
-+corenet_tcp_bind_zented_port(fenced_t)
-+corenet_udp_bind_zented_port(fenced_t)
- corenet_tcp_connect_http_port(fenced_t)
-+corenet_tcp_connect_zented_port(fenced_t)
+ corecmd_exec_bin(fenced_t)
+ corecmd_exec_shell(fenced_t)
+@@ -148,9 +161,7 @@ corenet_tcp_sendrecv_http_port(fenced_t)
dev_read_sysfs(fenced_t)
dev_read_urand(fenced_t)
+-
+-files_read_usr_files(fenced_t)
+-files_read_usr_symlinks(fenced_t)
+dev_read_rand(fenced_t)
-+files_read_usr_files(fenced_t)
- files_read_usr_symlinks(fenced_t)
-
storage_raw_read_fixed_disk(fenced_t)
-@@ -97,16 +126,37 @@ storage_raw_read_removable_device(fenced_t)
-
+ storage_raw_write_fixed_disk(fenced_t)
+@@ -159,8 +170,9 @@ storage_raw_read_removable_device(fenced_t)
term_getattr_pty_fs(fenced_t)
+ term_use_generic_ptys(fenced_t)
term_use_ptmx(fenced_t)
--
--auth_use_nsswitch(fenced_t)
+term_use_generic_ptys(fenced_t)
+-auth_use_nsswitch(fenced_t)
++logging_send_syslog_msg(fenced_t)
+
tunable_policy(`fenced_can_network_connect',`
- corenet_tcp_connect_all_ports(fenced_t)
+ corenet_sendrecv_all_client_packets(fenced_t)
+@@ -186,11 +198,26 @@ optional_policy(`
')
optional_policy(`
+- ccs_read_config(fenced_t)
+ tunable_policy(`fenced_can_ssh',`
+
+ allow fenced_t self:capability { setuid setgid };
+
+ corenet_tcp_connect_ssh_port(fenced_t)
+ ')
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- gnome_read_generic_home_content(fenced_t)
+ ssh_exec(fenced_t)
+ ssh_read_user_home_files(fenced_t)
+ ')
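Review bot: `ssh_exec(fenced_t)` and `ssh_read_user_home_files(fenced_t)` (L83720–L83721) sit in a plain `optional_policy` block after the `fenced_can_ssh` tunable has closed at L83716, so as far as the flattened indentation lets me tell they are granted unconditionally, while the boolean gates only the setuid/setgid capability and the ssh-port connect. Reading users' home ssh files from a system daemon is exactly what the boolean exists to opt into; moving the two calls inside a `tunable_policy` on `fenced_can_ssh` (still within the `optional_policy` so the ssh module stays optional) keeps the default-off posture consistent. If upstream already nests them under the tunable and only the diff rendering lost the indentation, please disregard. The surrounding optional_policy structure continues into the next hunk (L83724).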
@@ -55577,167 +61791,64 @@ index 93c896a..8aa7362 100644
+')
+
+optional_policy(`
- ccs_read_config(fenced_t)
-- ccs_stream_connect(fenced_t)
-+')
-+
-+optional_policy(`
-+ gnome_read_generic_data_home_files(fenced_t)
++ ccs_read_config(fenced_t)
')
optional_policy(`
-@@ -114,13 +164,52 @@ optional_policy(`
- lvm_read_config(fenced_t)
+@@ -203,6 +230,13 @@ optional_policy(`
+ snmp_manage_var_lib_dirs(fenced_t)
')
+optional_policy(`
-+ snmp_manage_var_lib_files(fenced_t)
-+ snmp_manage_var_lib_dirs(fenced_t)
-+')
-+
-+optional_policy(`
+ virt_domtrans(fenced_t)
+ virt_read_config(fenced_t)
+ virt_read_pid_files(fenced_t)
+ virt_stream_connect(fenced_t)
+')
+
-+#######################################
-+#
-+# foghorn local policy
-+#
-+
-+allow foghorn_t self:process { signal };
-+allow foghorn_t self:tcp_socket create_stream_socket_perms;
-+allow foghorn_t self:udp_socket create_socket_perms;
-+
-+corenet_tcp_connect_agentx_port(foghorn_t)
-+
-+dev_read_urand(foghorn_t)
-+
-+files_read_etc_files(foghorn_t)
-+files_read_usr_files(foghorn_t)
-+
-+sysnet_dns_name_resolve(foghorn_t)
-+
-+optional_policy(`
-+ dbus_connect_system_bus(foghorn_t)
-+')
-+
-+optional_policy(`
-+ snmp_read_snmp_var_lib_files(foghorn_t)
-+ snmp_dontaudit_write_snmp_var_lib_files(foghorn_t)
-+ snmp_stream_connect(foghorn_t)
-+')
-+
- ######################################
- #
- # gfs_controld local policy
+ #######################################
#
+ # foghorn local policy
+@@ -225,6 +259,8 @@ dev_read_urand(foghorn_t)
- allow gfs_controld_t self:capability { net_admin sys_resource };
--
- allow gfs_controld_t self:shm create_shm_perms;
- allow gfs_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
+ files_read_usr_files(foghorn_t)
+
++logging_send_syslog_msg(foghorn_t)
++
+ optional_policy(`
+ dbus_connect_system_bus(foghorn_t)
+ ')
+@@ -257,6 +293,8 @@ storage_getattr_removable_dev(gfs_controld_t)
-@@ -139,10 +228,6 @@ storage_getattr_removable_dev(gfs_controld_t)
init_rw_script_tmp_files(gfs_controld_t)
++logging_send_syslog_msg(gfs_controld_t)
++
optional_policy(`
-- ccs_stream_connect(gfs_controld_t)
--')
--
--optional_policy(`
lvm_exec(gfs_controld_t)
dev_rw_lvm_control(gfs_controld_t)
- ')
-@@ -154,12 +239,12 @@ optional_policy(`
-
- allow groupd_t self:capability { sys_nice sys_resource };
- allow groupd_t self:process setsched;
--
- allow groupd_t self:shm create_shm_perms;
+@@ -275,10 +313,10 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
-+domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
-+
dev_list_sysfs(groupd_t)
-files_read_etc_files(groupd_t)
-
+-
init_rw_script_tmp_files(groupd_t)
-@@ -168,8 +253,7 @@ init_rw_script_tmp_files(groupd_t)
- # qdiskd local policy
++logging_send_syslog_msg(groupd_t)
++
+ ######################################
#
+ # qdiskd local policy
+@@ -321,6 +359,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
--allow qdiskd_t self:capability ipc_lock;
--
-+allow qdiskd_t self:capability { ipc_lock sys_boot };
- allow qdiskd_t self:tcp_socket create_stream_socket_perms;
- allow qdiskd_t self:udp_socket create_socket_perms;
-
-@@ -182,7 +266,7 @@ kernel_read_system_state(qdiskd_t)
- kernel_read_software_raid_state(qdiskd_t)
- kernel_getattr_core_if(qdiskd_t)
-
--corecmd_getattr_bin_files(qdiskd_t)
-+corecmd_exec_bin(qdiskd_t)
- corecmd_exec_shell(qdiskd_t)
-
- dev_read_sysfs(qdiskd_t)
-@@ -197,19 +281,16 @@ domain_dontaudit_getattr_all_sockets(qdiskd_t)
+ auth_use_nsswitch(qdiskd_t)
- files_dontaudit_getattr_all_sockets(qdiskd_t)
- files_dontaudit_getattr_all_pipes(qdiskd_t)
--files_read_etc_files(qdiskd_t)
++logging_send_syslog_msg(qdiskd_t)
+
-+files_read_usr_files(qdiskd_t)
-+
-+fs_list_hugetlbfs(qdiskd_t)
-
- storage_raw_read_removable_device(qdiskd_t)
- storage_raw_write_removable_device(qdiskd_t)
- storage_raw_read_fixed_disk(qdiskd_t)
- storage_raw_write_fixed_disk(qdiskd_t)
-
--auth_use_nsswitch(qdiskd_t)
--
--optional_policy(`
-- ccs_stream_connect(qdiskd_t)
--')
--
optional_policy(`
netutils_domtrans_ping(qdiskd_t)
')
-@@ -223,18 +304,24 @@ optional_policy(`
- # rhcs domains common policy
- #
-
--allow cluster_domain self:capability { sys_nice };
-+allow cluster_domain self:capability sys_nice;
- allow cluster_domain self:process setsched;
--
- allow cluster_domain self:sem create_sem_perms;
- allow cluster_domain self:fifo_file rw_fifo_file_perms;
- allow cluster_domain self:unix_stream_socket create_stream_socket_perms;
- allow cluster_domain self:unix_dgram_socket create_socket_perms;
-
--logging_send_syslog_msg(cluster_domain)
-+manage_files_pattern(cluster_domain, cluster_var_lib_t, cluster_var_lib_t)
-+manage_dirs_pattern(cluster_domain, cluster_var_lib_t, cluster_var_lib_t)
-
--miscfiles_read_localization(cluster_domain)
-+optional_policy(`
-+ ccs_stream_connect(cluster_domain)
-+')
-
- optional_policy(`
- corosync_stream_connect(cluster_domain)
- ')
-+
-+optional_policy(`
-+ dbus_system_bus_client(cluster_domain)
-+')
diff --git a/rhev.fc b/rhev.fc
new file mode 100644
index 0000000..4b66adf
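Review bot: `logging_send_syslog_msg` is now added separately for foghorn_t, gfs_controld_t, groupd_t and qdiskd_t (L83794, L83802, L83828, L83854, plus dlm_controld_t and fenced_t at L83627/L83698 in the preceding hunk), yet the retained template context at L83117 already grants `logging_send_syslog_msg($1_t)` to every domain created through `rhcs_domain_template`, which per L83573–L83584 includes these domains. If the template line stays, the per-domain calls are redundant and only the removal from `cluster_domain` (L83600) is needed; if the intent is to drop it from the template, that line should go in the same patch so the two places do not drift. A short comment above the first per-domain call explaining why the grant is per-domain rather than attribute-wide would help the next rebase.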
@@ -55963,38 +62074,122 @@ index 0000000..51b00c0
+ ')
+')
diff --git a/rhgb.if b/rhgb.if
-index 96efae7..793a29f 100644
+index 1a134a7..793a29f 100644
--- a/rhgb.if
+++ b/rhgb.if
-@@ -194,5 +194,6 @@ interface(`rhgb_rw_tmpfs_files',`
+@@ -1,4 +1,4 @@
+-## <summary> Red Hat Graphical Boot.</summary>
++## <summary> Red Hat Graphical Boot </summary>
+
+ ########################################
+ ## <summary>
+@@ -18,7 +18,7 @@ interface(`rhgb_stub',`
+
+ ########################################
+ ## <summary>
+-## Inherit and use rhgb file descriptors.
++## Use a rhgb file descriptor.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -54,7 +54,7 @@ interface(`rhgb_getpgid',`
+
+ ########################################
+ ## <summary>
+-## Send generic signals to rhgb.
++## Send a signal to rhgb.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -72,8 +72,7 @@ interface(`rhgb_signal',`
+
+ ########################################
+ ## <summary>
+-## Read and write inherited rhgb unix
+-## domain stream sockets.
++## Read and write to unix stream sockets.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -110,8 +109,7 @@ interface(`rhgb_dontaudit_rw_stream_sockets',`
+
+ ########################################
+ ## <summary>
+-## Connected to rhgb with a unix
+-## domain stream socket.
++## Connected to rhgb unix stream socket.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -121,11 +119,10 @@ interface(`rhgb_dontaudit_rw_stream_sockets',`
+ #
+ interface(`rhgb_stream_connect',`
+ gen_require(`
+- type rhgb_t, rhgb_tmpfs_t;
++ type rhgb_t;
+ ')
+
+- fs_search_tmpfs($1)
+- stream_connect_pattern($1, rhgb_tmpfs_t, rhgb_tmpfs_t, rhgb_t)
++ allow $1 rhgb_t:unix_stream_socket connectto;
+ ')
+
+ ########################################
+@@ -148,7 +145,7 @@ interface(`rhgb_rw_shm',`
+
+ ########################################
+ ## <summary>
+-## Read and write rhgb pty devices.
++## Read from and write to the rhgb devpts.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -161,14 +158,12 @@ interface(`rhgb_use_ptys',`
+ type rhgb_devpts_t;
+ ')
+
+- dev_list_all_dev_nodes($1)
+ allow $1 rhgb_devpts_t:chr_file rw_term_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Do not audit attempts to read and
+-## write rhgb pty devices.
++## dontaudit Read from and write to the rhgb devpts.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -186,7 +181,7 @@ interface(`rhgb_dontaudit_use_ptys',`
+
+ ########################################
+ ## <summary>
+-## Read and write to rhgb tmpfs files.
++## Read and write to rhgb temporary file system.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -199,7 +194,6 @@ interface(`rhgb_rw_tmpfs_files',`
type rhgb_tmpfs_t;
')
-+ fs_search_tmpfs($1)
+-
+ fs_search_tmpfs($1)
allow $1 rhgb_tmpfs_t:file rw_file_perms;
')
diff --git a/rhgb.te b/rhgb.te
-index 0f262a7..08c49bc 100644
+index 3f32e4b..b729212 100644
--- a/rhgb.te
+++ b/rhgb.te
-@@ -30,7 +30,7 @@ allow rhgb_t self:tcp_socket create_socket_perms;
- allow rhgb_t self:udp_socket create_socket_perms;
- allow rhgb_t self:netlink_route_socket r_netlink_socket_perms;
-
--allow rhgb_t rhgb_devpts_t:chr_file { rw_chr_file_perms setattr };
-+allow rhgb_t rhgb_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
- term_create_pty(rhgb_t, rhgb_devpts_t)
-
- manage_dirs_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t)
-@@ -46,7 +46,6 @@ kernel_read_system_state(rhgb_t)
+@@ -43,7 +43,6 @@ kernel_read_system_state(rhgb_t)
corecmd_exec_bin(rhgb_t)
corecmd_exec_shell(rhgb_t)
-corenet_all_recvfrom_unlabeled(rhgb_t)
corenet_all_recvfrom_netlabel(rhgb_t)
corenet_tcp_sendrecv_generic_if(rhgb_t)
- corenet_udp_sendrecv_generic_if(rhgb_t)
-@@ -97,7 +96,6 @@ libs_read_lib_files(rhgb_t)
+ corenet_tcp_sendrecv_generic_node(rhgb_t)
+@@ -89,7 +88,6 @@ libs_read_lib_files(rhgb_t)
logging_send_syslog_msg(rhgb_t)
@@ -56015,11 +62210,10 @@ index 0000000..1936028
+/var/run/rhnsd\.pid -- gen_context(system_u:object_r:rhnsd_var_run_t,s0)
diff --git a/rhnsd.if b/rhnsd.if
new file mode 100644
-index 0000000..d2a58c1
+index 0000000..88087b7
--- /dev/null
+++ b/rhnsd.if
-@@ -0,0 +1,75 @@
-+
+@@ -0,0 +1,74 @@
+## <summary>policy for rhnsd</summary>
+
+########################################
@@ -56142,15 +62336,108 @@ index 0000000..5b2757d
+ rpm_domtrans(rhnsd_t)
+')
diff --git a/rhsmcertd.if b/rhsmcertd.if
-index 137605a..fd40b90 100644
+index 6dbc905..92aac94 100644
--- a/rhsmcertd.if
+++ b/rhsmcertd.if
-@@ -194,13 +194,13 @@ interface(`rhsmcertd_read_pid_files',`
+@@ -1,8 +1,8 @@
+-## <summary>Subscription Management Certificate Daemon.</summary>
++## <summary>Subscription Management Certificate Daemon policy</summary>
+
+ ########################################
+ ## <summary>
+-## Execute rhsmcertd in the rhsmcertd domain.
++## Transition to rhsmcertd.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -21,12 +21,11 @@ interface(`rhsmcertd_domtrans',`
+
+ ########################################
+ ## <summary>
+-## Execute rhsmcertd init scripts
+-## in the initrc domain.
++## Execute rhsmcertd server in the rhsmcertd domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed to transition.
++## Domain allowed access.
+ ## </summary>
+ ## </param>
+ #
+@@ -40,7 +39,7 @@ interface(`rhsmcertd_initrc_domtrans',`
+
+ ########################################
+ ## <summary>
+-## Read rhsmcertd log files.
++## Read rhsmcertd's log files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -60,7 +59,7 @@ interface(`rhsmcertd_read_log',`
+
+ ########################################
+ ## <summary>
+-## Append rhsmcertd log files.
++## Append to rhsmcertd log files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -79,8 +78,7 @@ interface(`rhsmcertd_append_log',`
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete
+-## rhsmcertd log files.
++## Manage rhsmcertd log files
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -114,8 +112,8 @@ interface(`rhsmcertd_search_lib',`
+ type rhsmcertd_var_lib_t;
+ ')
+
+- files_search_var_lib($1)
+ allow $1 rhsmcertd_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
+ ')
+
+ ########################################
+@@ -139,8 +137,7 @@ interface(`rhsmcertd_read_lib_files',`
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete
+-## rhsmcertd lib files.
++## Manage rhsmcertd lib files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -159,8 +156,7 @@ interface(`rhsmcertd_manage_lib_files',`
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete
+-## rhsmcertd lib directories.
++## Manage rhsmcertd lib directories.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -179,7 +175,7 @@ interface(`rhsmcertd_manage_lib_dirs',`
+
+ ########################################
+ ## <summary>
+-## Read rhsmcertd pid files.
++## Read rhsmcertd PID files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -198,13 +194,13 @@ interface(`rhsmcertd_read_pid_files',`
####################################
## <summary>
--## Connect to rhsmcertd over a unix domain
--## stream socket.
+-## Connect to rhsmcertd with a
+-## unix domain stream socket.
+## Connect to rhsmcertd over a unix domain
+## stream socket.
## </summary>
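Review bot: The new summary for rhsmcertd_initrc_domtrans, `## Execute rhsmcertd server in the rhsmcertd domain.`, misdescribes the interface: its body is outside this hunk, but an *_initrc_domtrans interface runs the init script in the initrc domain, which is exactly what the replaced upstream text said, so the new wording sends an admin looking for a daemon transition to the wrong interface. Suggest `## Execute rhsmcertd init scripts in the initrc domain.`; the ricci.if hunks further down give ricci_initrc_domtrans the same `Execute ricci server in the ricci domain.` wording over a body that is visibly `init_labeled_script_domtrans($1, ricci_initrc_exec_t)`, and it should be corrected the same way. Minor: `## Manage rhsmcertd log files` dropped the trailing period that the sibling lib summaries keep.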
@@ -56164,18 +62451,19 @@ index 137605a..fd40b90 100644
## </param>
#
interface(`rhsmcertd_stream_connect',`
-@@ -235,23 +235,23 @@ interface(`rhsmcertd_dbus_chat',`
+@@ -239,30 +235,29 @@ interface(`rhsmcertd_dbus_chat',`
######################################
## <summary>
--## Dontaudit Send and receive messages from
+-## Do not audit attempts to send
+-## and receive messages from
-## rhsmcertd over dbus.
+## Dontaudit Send and receive messages from
+## rhsmcertd over dbus.
## </summary>
## <param name="domain">
-## <summary>
--## Domain allowed access.
+-## Domain to not audit.
-## </summary>
+## <summary>
+## Domain allowed access.
@@ -56199,62 +62487,87 @@ index 137605a..fd40b90 100644
')
########################################
-@@ -264,12 +264,6 @@ interface(`rhsmcertd_dontaudit_dbus_chat',`
- ## Domain allowed access.
+ ## <summary>
+-## All of the rules required to
+-## administrate an rhsmcertd environment.
++## All of the rules required to administrate
++## an rhsmcertd environment
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -270,35 +265,41 @@ interface(`rhsmcertd_dontaudit_dbus_chat',`
## </summary>
## </param>
--## <param name="role">
+ ## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
--## </param>
--## <rolecap/>
++## <summary>
++## Role allowed access.
++## </summary>
+ ## </param>
+ ## <rolecap/>
#
++
interface(`rhsmcertd_admin',`
gen_require(`
-@@ -279,18 +273,7 @@ interface(`rhsmcertd_admin',`
+ type rhsmcertd_t, rhsmcertd_initrc_exec_t, rhsmcertd_log_t;
+- type rhsmcertd_var_lib_t, rhsmcertd_var_run_t, rhsmcertd_lock_t;
++ type rhsmcertd_var_lib_t, rhsmcertd_var_run_t;
+ ')
- allow $1 rhsmcertd_t:process signal_perms;
+- allow $1 rhsmcertd_t:process { ptrace signal_perms };
++ allow $1 rhsmcertd_t:process signal_perms;
ps_process_pattern($1, rhsmcertd_t)
--
+
- rhsmcertd_initrc_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 rhsmcertd_initrc_exec_t system_r;
- allow $2 system_r;
--
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 rhsmcertd_t:process ptrace;
++ ')
++
++ rhsmcertd_initrc_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 rhsmcertd_initrc_exec_t system_r;
++ allow $2 system_r;
+
- logging_search_logs($1)
- admin_pattern($1, rhsmcertd_log_t)
--
++ logging_search_logs($1)
++ admin_pattern($1, rhsmcertd_log_t)
+
- files_search_var_lib($1)
- admin_pattern($1, rhsmcertd_var_lib_t)
--
++ files_search_var_lib($1)
++ admin_pattern($1, rhsmcertd_var_lib_t)
+
- files_search_pids($1)
- admin_pattern($1, rhsmcertd_var_run_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 rhsmcertd_t:process ptrace;
-+ ')
++ files_search_pids($1)
++ admin_pattern($1, rhsmcertd_var_run_t)
++
++ files_search_locks($1)
++ admin_pattern($1, rhsmcertd_lock_t)
+
+- files_search_locks($1)
+- admin_pattern($1, rhsmcertd_lock_t)
')
diff --git a/rhsmcertd.te b/rhsmcertd.te
-index 783f678..62c40bb 100644
+index 1cedd70..c254f12 100644
--- a/rhsmcertd.te
+++ b/rhsmcertd.te
-@@ -29,6 +29,9 @@ files_pid_file(rhsmcertd_var_run_t)
- # rhsmcertd local policy
- #
+@@ -31,6 +31,7 @@ files_pid_file(rhsmcertd_var_run_t)
-+allow rhsmcertd_t self:capability sys_nice;
-+allow rhsmcertd_t self:process { signal setsched };
+ allow rhsmcertd_t self:capability sys_nice;
+ allow rhsmcertd_t self:process { signal setsched };
+
allow rhsmcertd_t self:fifo_file rw_fifo_file_perms;
allow rhsmcertd_t self:unix_stream_socket create_stream_socket_perms;
-@@ -43,17 +46,40 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
-
- manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
- manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
-+files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
-
-+kernel_read_network_state(rhsmcertd_t)
+@@ -52,21 +53,39 @@ files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
+ kernel_read_network_state(rhsmcertd_t)
kernel_read_system_state(rhsmcertd_t)
+corenet_tcp_connect_http_port(rhsmcertd_t)
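Review bot: In rhsmcertd_admin the gen_require is trimmed to `type rhsmcertd_var_lib_t, rhsmcertd_var_run_t;`, but the body still emits `files_search_locks($1)` and `admin_pattern($1, rhsmcertd_lock_t)`, so rhsmcertd_lock_t is referenced without being required. If this tree's rhsmcertd.te no longer declares that type (the .te hunk below grants `files_manage_generic_locks(rhsmcertd_t)` instead of a private lock type), every module that calls rhsmcertd_admin fails to link on the undeclared type; if it still exists, it has to stay in gen_require. Either drop the two lock lines or restore `type rhsmcertd_var_lib_t, rhsmcertd_var_run_t, rhsmcertd_lock_t;`.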
@@ -56264,58 +62577,47 @@ index 783f678..62c40bb 100644
corecmd_exec_bin(rhsmcertd_t)
+corecmd_exec_shell(rhsmcertd_t)
-+dev_read_rand(rhsmcertd_t)
+ dev_read_sysfs(rhsmcertd_t)
+ dev_read_rand(rhsmcertd_t)
dev_read_urand(rhsmcertd_t)
-+dev_read_sysfs(rhsmcertd_t)
+dev_read_raw_memory(rhsmcertd_t)
+ files_list_tmp(rhsmcertd_t)
files_read_etc_files(rhsmcertd_t)
files_read_usr_files(rhsmcertd_t)
+files_manage_generic_locks(rhsmcertd_t)
+
+auth_read_passwd(rhsmcertd_t)
++
++logging_send_syslog_msg(rhsmcertd_t)
-miscfiles_read_localization(rhsmcertd_t)
-miscfiles_read_generic_certs(rhsmcertd_t)
-+logging_send_syslog_msg(rhsmcertd_t)
-+
+miscfiles_read_certs(rhsmcertd_t)
sysnet_dns_name_resolve(rhsmcertd_t)
-+
-+
-+optional_policy(`
+
+ optional_policy(`
+ dmidecode_domtrans(rhsmcertd_t)
+')
+
+optional_policy(`
+ gnome_dontaudit_search_config(rhsmcertd_t)
+')
-diff --git a/ricci.fc b/ricci.fc
-index 5b08327..4d5819e 100644
---- a/ricci.fc
-+++ b/ricci.fc
-@@ -1,3 +1,6 @@
-+
-+/etc/rc\.d/init\.d/ricci -- gen_context(system_u:object_r:ricci_initrc_exec_t,s0)
+
- /usr/libexec/modcluster -- gen_context(system_u:object_r:ricci_modcluster_exec_t,s0)
- /usr/libexec/ricci-modlog -- gen_context(system_u:object_r:ricci_modlog_exec_t,s0)
- /usr/libexec/ricci-modrpm -- gen_context(system_u:object_r:ricci_modrpm_exec_t,s0)
-@@ -9,7 +12,7 @@
-
- /var/lib/ricci(/.*)? gen_context(system_u:object_r:ricci_var_lib_t,s0)
-
--/var/log/clumond\.log -- gen_context(system_u:object_r:ricci_modcluster_var_log_t,s0)
-+/var/log/clumond\.log.* -- gen_context(system_u:object_r:ricci_modcluster_var_log_t,s0)
-
- /var/run/clumond\.sock -s gen_context(system_u:object_r:ricci_modcluster_var_run_t,s0)
- /var/run/modclusterd\.pid -- gen_context(system_u:object_r:ricci_modcluster_var_run_t,s0)
++optional_policy(`
+ rpm_read_db(rhsmcertd_t)
+ ')
diff --git a/ricci.if b/ricci.if
-index f7826f9..23d579c 100644
+index 2ab3ed1..23d579c 100644
--- a/ricci.if
+++ b/ricci.if
-@@ -5,9 +5,9 @@
+@@ -1,13 +1,13 @@
+-## <summary>Ricci cluster management agent.</summary>
++## <summary>Ricci cluster management agent</summary>
+
+ ########################################
+ ## <summary>
## Execute a domain transition to run ricci.
## </summary>
## <param name="domain">
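Review bot: `dev_read_raw_memory(rhsmcertd_t)` is carried into the new rhsmcertd.te with no comment on why a subscription-certificate daemon needs to read raw memory devices, and it is by far the widest rule in this block. DMI reads already go through the confined `dmidecode_domtrans(rhsmcertd_t)` in the optional_policy block a few lines below, so the raw-memory allow looks like a leftover from before that transition existed; I can't tell from the hunk whether some other code path still needs it. If it does, a one-line comment such as `# <reason>, see <bug id>` above the rule documents the exception; if not, it should be removed.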
@@ -56327,15 +62629,22 @@ index f7826f9..23d579c 100644
## </param>
#
interface(`ricci_domtrans',`
-@@ -18,14 +18,32 @@ interface(`ricci_domtrans',`
+@@ -15,19 +15,35 @@ interface(`ricci_domtrans',`
+ type ricci_t, ricci_exec_t;
+ ')
+
+- corecmd_search_bin($1)
domtrans_pattern($1, ricci_exec_t, ricci_t)
')
+-########################################
+#######################################
-+## <summary>
+ ## <summary>
+-## Execute a domain transition to
+-## run ricci modcluster.
+## Execute ricci server in the ricci domain.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
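Review bot: Removing `corecmd_search_bin($1)` from ricci_domtrans leaves the caller without the search access on the bin directories that the call granted unless it already has it from elsewhere, so the transition to ricci_t can fail on the directory search before it ever reaches the executable; the same line is dropped from ricci_domtrans_modcluster, _modlog, _modrpm, _modservice and _modstorage in the following hunks. If the intent is that every caller in this tree already carries that access, a comment at the first removal, e.g. `# callers already have corecmd_search_bin via their base policy` (worded to match the actual reason), records the assumption; otherwise the call should stay in each interface.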
@@ -56349,49 +62658,68 @@ index f7826f9..23d579c 100644
+ init_labeled_script_domtrans($1, ricci_initrc_exec_t)
+')
+
- ########################################
++########################################
## <summary>
- ## Execute a domain transition to run ricci_modcluster.
+-## Domain allowed to transition.
++## Execute a domain transition to run ricci_modcluster.
## </summary>
- ## <param name="domain">
--## <summary>
++## <param name="domain">
+## <summary>
- ## Domain allowed to transition.
--## </summary>
++## Domain allowed to transition.
+## </summary>
## </param>
#
interface(`ricci_domtrans_modcluster',`
-@@ -71,12 +89,12 @@ interface(`ricci_dontaudit_rw_modcluster_pipes',`
- type ricci_modcluster_t;
+@@ -35,14 +51,13 @@ interface(`ricci_domtrans_modcluster',`
+ type ricci_modcluster_t, ricci_modcluster_exec_t;
')
-- dontaudit $1 ricci_modcluster_t:fifo_file { read write };
-+ dontaudit $1 ricci_modcluster_t:fifo_file rw_inherited_fifo_file_perms;
+- corecmd_search_bin($1)
+ domtrans_pattern($1, ricci_modcluster_exec_t, ricci_modcluster_t)
')
########################################
## <summary>
--## Connect to ricci_modclusterd over an unix stream socket.
-+## Connect to ricci_modclusterd over a unix stream socket.
+ ## Do not audit attempts to use
+-## ricci modcluster file descriptors.
++## ricci_modcluster file descriptors.
## </summary>
## <param name="domain">
## <summary>
-@@ -90,18 +108,36 @@ interface(`ricci_stream_connect_modclusterd',`
+@@ -61,7 +76,7 @@ interface(`ricci_dontaudit_use_modcluster_fds',`
+ ########################################
+ ## <summary>
+ ## Do not audit attempts to read write
+-## ricci modcluster unamed pipes.
++## ricci_modcluster unamed pipes.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -74,13 +89,12 @@ interface(`ricci_dontaudit_rw_modcluster_pipes',`
+ type ricci_modcluster_t;
')
- files_search_pids($1)
-- allow $1 ricci_modcluster_var_run_t:sock_file write;
-- allow $1 ricci_modclusterd_t:unix_stream_socket connectto;
-+ stream_connect_pattern($1, ricci_modcluster_var_run_t, ricci_modcluster_var_run_t, ricci_modclusterd_t)
+- dontaudit $1 ricci_modcluster_t:fifo_file { read write };
++ dontaudit $1 ricci_modcluster_t:fifo_file rw_inherited_fifo_file_perms;
')
########################################
## <summary>
--## Execute a domain transition to run ricci_modlog.
-+## Read and write to ricci_modcluserd temporary file system.
+-## Connect to ricci_modclusterd with
+-## a unix domain stream socket.
++## Connect to ricci_modclusterd over a unix stream socket.
## </summary>
## <param name="domain">
+ ## <summary>
+@@ -99,8 +113,26 @@ interface(`ricci_stream_connect_modclusterd',`
+
+ ########################################
+ ## <summary>
+-## Execute a domain transition to
+-## run ricci modlog.
++## Read and write to ricci_modcluserd temporary file system.
++## </summary>
++## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
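Review bot: Two rewritten summaries carry typos into the new text: `## ricci_modcluster unamed pipes.` should read `## ricci_modcluster unnamed pipes.`, and `## Read and write to ricci_modcluserd temporary file system.` should name ricci_modclusterd, matching the ricci_modclusterd_tmpfs_t type the patch declares. Both lines were touched by this rewrite, so this is the moment to fix them.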
@@ -56407,58 +62735,67 @@ index f7826f9..23d579c 100644
+')
+
+########################################
- ## <summary>
--## Domain allowed to transition.
++## <summary>
+## Execute a domain transition to run ricci_modlog.
## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed to transition.
-+## </summary>
- ## </param>
- #
- interface(`ricci_domtrans_modlog',`
-@@ -117,9 +153,9 @@ interface(`ricci_domtrans_modlog',`
- ## Execute a domain transition to run ricci_modrpm.
+ ## <param name="domain">
+ ## <summary>
+@@ -113,14 +145,12 @@ interface(`ricci_domtrans_modlog',`
+ type ricci_modlog_t, ricci_modlog_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+ domtrans_pattern($1, ricci_modlog_exec_t, ricci_modlog_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Execute a domain transition to
+-## run ricci modrpm.
++## Execute a domain transition to run ricci_modrpm.
## </summary>
## <param name="domain">
--## <summary>
-+## <summary>
- ## Domain allowed to transition.
--## </summary>
-+## </summary>
- ## </param>
- #
- interface(`ricci_domtrans_modrpm',`
-@@ -135,9 +171,9 @@ interface(`ricci_domtrans_modrpm',`
- ## Execute a domain transition to run ricci_modservice.
+ ## <summary>
+@@ -133,14 +163,12 @@ interface(`ricci_domtrans_modrpm',`
+ type ricci_modrpm_t, ricci_modrpm_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+ domtrans_pattern($1, ricci_modrpm_exec_t, ricci_modrpm_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Execute a domain transition to
+-## run ricci modservice.
++## Execute a domain transition to run ricci_modservice.
## </summary>
## <param name="domain">
--## <summary>
-+## <summary>
- ## Domain allowed to transition.
--## </summary>
-+## </summary>
- ## </param>
- #
- interface(`ricci_domtrans_modservice',`
-@@ -153,9 +189,9 @@ interface(`ricci_domtrans_modservice',`
- ## Execute a domain transition to run ricci_modstorage.
+ ## <summary>
+@@ -153,14 +181,12 @@ interface(`ricci_domtrans_modservice',`
+ type ricci_modservice_t, ricci_modservice_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+ domtrans_pattern($1, ricci_modservice_exec_t, ricci_modservice_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Execute a domain transition to
+-## run ricci modstorage.
++## Execute a domain transition to run ricci_modstorage.
## </summary>
## <param name="domain">
--## <summary>
-+## <summary>
- ## Domain allowed to transition.
--## </summary>
-+## </summary>
- ## </param>
- #
- interface(`ricci_domtrans_modstorage',`
-@@ -165,3 +201,70 @@ interface(`ricci_domtrans_modstorage',`
+ ## <summary>
+@@ -173,14 +199,33 @@ interface(`ricci_domtrans_modstorage',`
+ type ricci_modstorage_t, ricci_modstorage_exec_t;
+ ')
+- corecmd_search_bin($1)
domtrans_pattern($1, ricci_modstorage_exec_t, ricci_modstorage_t)
')
-+
+
+####################################
+## <summary>
+## Allow the specified domain to manage ricci's lib files.
@@ -56479,96 +62816,36 @@ index f7826f9..23d579c 100644
+ manage_files_pattern($1, ricci_var_lib_t, ricci_var_lib_t)
+')
+
-+########################################
-+## <summary>
+ ########################################
+ ## <summary>
+-## All of the rules required to
+-## administrate an ricci environment.
+## All of the rules required to administrate
+## an ricci environment
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <param name="role">
-+## <summary>
-+## Role allowed access.
-+## </summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`ricci_admin',`
-+ gen_require(`
-+ type ricci_t, ricci_initrc_exec_t, ricci_tmp_t;
-+ type ricci_var_lib_t, ricci_var_log_t, ricci_var_run_t;
-+ ')
-+
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -200,10 +245,13 @@ interface(`ricci_admin',`
+ type ricci_var_lib_t, ricci_var_log_t, ricci_var_run_t;
+ ')
+
+- allow $1 ricci_t:process { ptrace signal_perms };
+ allow $1 ricci_t:process signal_perms;
-+ ps_process_pattern($1, ricci_t)
+ ps_process_pattern($1, ricci_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 ricci_t:process ptrace;
+ ')
-+
+
+- init_labeled_script_domtrans($1, ricci_initrc_exec_t)
+ ricci_initrc_domtrans($1)
-+ domain_system_change_exemption($1)
-+ role_transition $2 ricci_initrc_exec_t system_r;
-+ allow $2 system_r;
-+
-+ files_list_tmp($1)
-+ admin_pattern($1, ricci_tmp_t)
-+
-+ files_list_var_lib($1)
-+ admin_pattern($1, ricci_var_lib_t)
-+
-+ logging_list_logs($1)
-+ admin_pattern($1, ricci_var_log_t)
-+
-+ files_list_pids($1)
-+ admin_pattern($1, ricci_var_run_t)
-+')
+ domain_system_change_exemption($1)
+ role_transition $2 ricci_initrc_exec_t system_r;
+ allow $2 system_r;
diff --git a/ricci.te b/ricci.te
-index 33e72e8..6b0ec3e 100644
+index 9702ed2..6d40389 100644
--- a/ricci.te
+++ b/ricci.te
-@@ -7,9 +7,11 @@ policy_module(ricci, 1.7.0)
-
- type ricci_t;
- type ricci_exec_t;
--domain_type(ricci_t)
- init_daemon_domain(ricci_t, ricci_exec_t)
-
-+type ricci_initrc_exec_t;
-+init_script_file(ricci_initrc_exec_t)
-+
- type ricci_tmp_t;
- files_tmp_file(ricci_tmp_t)
-
-@@ -39,9 +41,11 @@ files_pid_file(ricci_modcluster_var_run_t)
-
- type ricci_modclusterd_t;
- type ricci_modclusterd_exec_t;
--domain_type(ricci_modclusterd_t)
- init_daemon_domain(ricci_modclusterd_t, ricci_modclusterd_exec_t)
-
-+type ricci_modclusterd_tmpfs_t;
-+files_tmpfs_file(ricci_modclusterd_tmpfs_t)
-+
- type ricci_modlog_t;
- type ricci_modlog_exec_t;
- domain_type(ricci_modlog_t)
-@@ -95,7 +99,7 @@ manage_files_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t)
- manage_sock_files_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t)
- files_var_lib_filetrans(ricci_t, ricci_var_lib_t, { file dir sock_file })
-
--allow ricci_t ricci_var_log_t:dir setattr;
-+allow ricci_t ricci_var_log_t:dir setattr_dir_perms;
- manage_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t)
- manage_sock_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t)
- logging_log_filetrans(ricci_t, ricci_var_log_t, { sock_file file dir })
-@@ -105,10 +109,10 @@ manage_sock_files_pattern(ricci_t, ricci_var_run_t, ricci_var_run_t)
- files_pid_filetrans(ricci_t, ricci_var_run_t, { file sock_file })
-
- kernel_read_kernel_sysctls(ricci_t)
-+kernel_read_system_state(ricci_t)
+@@ -115,7 +115,6 @@ kernel_read_system_state(ricci_t)
corecmd_exec_bin(ricci_t)
@@ -56576,7 +62853,7 @@ index 33e72e8..6b0ec3e 100644
corenet_all_recvfrom_netlabel(ricci_t)
corenet_tcp_sendrecv_generic_if(ricci_t)
corenet_tcp_sendrecv_generic_node(ricci_t)
-@@ -123,7 +127,6 @@ dev_read_urand(ricci_t)
+@@ -136,7 +135,6 @@ dev_read_urand(ricci_t)
domain_read_all_domains_state(ricci_t)
@@ -56584,7 +62861,7 @@ index 33e72e8..6b0ec3e 100644
files_read_etc_runtime_files(ricci_t)
files_create_boot_flag(ricci_t)
-@@ -136,8 +139,6 @@ locallogin_dontaudit_use_fds(ricci_t)
+@@ -149,8 +147,6 @@ locallogin_dontaudit_use_fds(ricci_t)
logging_send_syslog_msg(ricci_t)
@@ -56593,47 +62870,12 @@ index 33e72e8..6b0ec3e 100644
sysnet_dns_name_resolve(ricci_t)
optional_policy(`
-@@ -170,6 +171,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ shutdown_domtrans(ricci_t)
-+')
-+
-+optional_policy(`
- unconfined_use_fds(ricci_t)
- ')
-
-@@ -193,29 +198,25 @@ corecmd_exec_shell(ricci_modcluster_t)
- corecmd_exec_bin(ricci_modcluster_t)
-
- corenet_tcp_bind_cluster_port(ricci_modclusterd_t)
--corenet_tcp_bind_reserved_port(ricci_modclusterd_t)
-+corenet_tcp_bind_all_rpc_ports(ricci_modclusterd_t)
-+corenet_tcp_connect_cluster_port(ricci_modclusterd_t)
-
- domain_read_all_domains_state(ricci_modcluster_t)
-
- files_search_locks(ricci_modcluster_t)
- files_read_etc_runtime_files(ricci_modcluster_t)
--files_read_etc_files(ricci_modcluster_t)
- files_search_usr(ricci_modcluster_t)
-
-+auth_use_nsswitch(ricci_modcluster_t)
-+
- init_exec(ricci_modcluster_t)
- init_domtrans_script(ricci_modcluster_t)
+@@ -235,9 +231,9 @@ init_domtrans_script(ricci_modcluster_t)
logging_send_syslog_msg(ricci_modcluster_t)
-miscfiles_read_localization(ricci_modcluster_t)
-
--modutils_domtrans_insmod(ricci_modcluster_t)
--
--mount_domtrans(ricci_modcluster_t)
--
--consoletype_exec(ricci_modcluster_t)
--
-ricci_stream_connect_modclusterd(ricci_modcluster_t)
+optional_policy(`
+ ricci_stream_connect_modclusterd(ricci_modcluster_t)
@@ -56641,61 +62883,7 @@ index 33e72e8..6b0ec3e 100644
optional_policy(`
aisexec_stream_connect(ricci_modcluster_t)
-@@ -233,7 +234,15 @@ optional_policy(`
- ')
-
- optional_policy(`
-- nscd_socket_use(ricci_modcluster_t)
-+ modutils_domtrans_insmod(ricci_modcluster_t)
-+')
-+
-+optional_policy(`
-+ mount_domtrans(ricci_modcluster_t)
-+')
-+
-+optional_policy(`
-+ consoletype_exec(ricci_modcluster_t)
- ')
-
- optional_policy(`
-@@ -241,8 +250,7 @@ optional_policy(`
- ')
-
- optional_policy(`
-- # XXX This has got to go.
-- unconfined_domain(ricci_modcluster_t)
-+ rgmanager_stream_connect(ricci_modclusterd_t)
- ')
-
- ########################################
-@@ -261,6 +269,10 @@ allow ricci_modclusterd_t self:socket create_socket_perms;
- allow ricci_modclusterd_t ricci_modcluster_t:unix_stream_socket connectto;
- allow ricci_modclusterd_t ricci_modcluster_t:fifo_file rw_file_perms;
-
-+manage_dirs_pattern(ricci_modclusterd_t, ricci_modclusterd_tmpfs_t, ricci_modclusterd_tmpfs_t)
-+manage_files_pattern(ricci_modclusterd_t, ricci_modclusterd_tmpfs_t, ricci_modclusterd_tmpfs_t)
-+fs_tmpfs_filetrans(ricci_modclusterd_t, ricci_modclusterd_tmpfs_t, { dir file })
-+
- allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr;
- manage_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t)
- manage_sock_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t)
-@@ -272,6 +284,7 @@ files_pid_filetrans(ricci_modclusterd_t, ricci_modcluster_var_run_t, { file sock
-
- kernel_read_kernel_sysctls(ricci_modclusterd_t)
- kernel_read_system_state(ricci_modclusterd_t)
-+kernel_request_load_module(ricci_modclusterd_t)
-
- corecmd_exec_bin(ricci_modclusterd_t)
-
-@@ -283,7 +296,6 @@ corenet_tcp_connect_ricci_modcluster_port(ricci_modclusterd_t)
-
- domain_read_all_domains_state(ricci_modclusterd_t)
-
--files_read_etc_files(ricci_modclusterd_t)
- files_read_etc_runtime_files(ricci_modclusterd_t)
-
- fs_getattr_xattr_fs(ricci_modclusterd_t)
-@@ -296,8 +308,6 @@ locallogin_dontaudit_use_fds(ricci_modclusterd_t)
+@@ -336,8 +332,6 @@ locallogin_dontaudit_use_fds(ricci_modclusterd_t)
logging_send_syslog_msg(ricci_modclusterd_t)
@@ -56704,7 +62892,7 @@ index 33e72e8..6b0ec3e 100644
sysnet_domtrans_ifconfig(ricci_modclusterd_t)
optional_policy(`
-@@ -334,12 +344,10 @@ corecmd_exec_bin(ricci_modlog_t)
+@@ -374,12 +368,10 @@ corecmd_exec_bin(ricci_modlog_t)
domain_read_all_domains_state(ricci_modlog_t)
@@ -56717,7 +62905,7 @@ index 33e72e8..6b0ec3e 100644
optional_policy(`
nscd_dontaudit_search_pid(ricci_modlog_t)
-@@ -361,9 +369,8 @@ kernel_read_kernel_sysctls(ricci_modrpm_t)
+@@ -401,9 +393,8 @@ kernel_read_kernel_sysctls(ricci_modrpm_t)
corecmd_exec_bin(ricci_modrpm_t)
files_search_usr(ricci_modrpm_t)
@@ -56728,18 +62916,15 @@ index 33e72e8..6b0ec3e 100644
optional_policy(`
oddjob_system_entry(ricci_modrpm_t, ricci_modrpm_exec_t)
-@@ -388,23 +395,24 @@ kernel_read_system_state(ricci_modservice_t)
+@@ -428,14 +419,13 @@ kernel_read_system_state(ricci_modservice_t)
corecmd_exec_bin(ricci_modservice_t)
corecmd_exec_shell(ricci_modservice_t)
-files_read_etc_files(ricci_modservice_t)
files_read_etc_runtime_files(ricci_modservice_t)
files_search_usr(ricci_modservice_t)
- # Needed for running chkconfig
files_manage_etc_symlinks(ricci_modservice_t)
--consoletype_exec(ricci_modservice_t)
--
init_domtrans_script(ricci_modservice_t)
-miscfiles_read_localization(ricci_modservice_t)
@@ -56747,25 +62932,15 @@ index 33e72e8..6b0ec3e 100644
optional_policy(`
ccs_read_config(ricci_modservice_t)
- ')
-
- optional_policy(`
-+ consoletype_exec(ricci_modservice_t)
-+')
-+
-+optional_policy(`
- nscd_dontaudit_search_pid(ricci_modservice_t)
- ')
-
-@@ -418,7 +426,6 @@ optional_policy(`
- #
+@@ -460,7 +450,6 @@ optional_policy(`
+ allow ricci_modstorage_t self:capability { mknod sys_nice };
allow ricci_modstorage_t self:process { setsched signal };
-dontaudit ricci_modstorage_t self:process ptrace;
- allow ricci_modstorage_t self:capability { mknod sys_nice };
allow ricci_modstorage_t self:fifo_file rw_fifo_file_perms;
- allow ricci_modstorage_t self:unix_dgram_socket create_socket_perms;
-@@ -444,22 +451,20 @@ files_read_etc_runtime_files(ricci_modstorage_t)
+
+ kernel_read_kernel_sysctls(ricci_modstorage_t)
+@@ -483,13 +472,19 @@ files_read_etc_runtime_files(ricci_modstorage_t)
files_read_usr_files(ricci_modstorage_t)
files_read_kernel_modules(ricci_modstorage_t)
@@ -56779,86 +62954,33 @@ index 33e72e8..6b0ec3e 100644
term_dontaudit_use_console(ricci_modstorage_t)
--fstools_domtrans(ricci_modstorage_t)
+-logging_send_syslog_msg(ricci_modstorage_t)
+auth_use_nsswitch(ricci_modstorage_t)
- logging_send_syslog_msg(ricci_modstorage_t)
-
-miscfiles_read_localization(ricci_modstorage_t)
--
--modutils_read_module_deps(ricci_modstorage_t)
--
--consoletype_exec(ricci_modstorage_t)
--
--mount_domtrans(ricci_modstorage_t)
--
- optional_policy(`
- aisexec_stream_connect(ricci_modstorage_t)
- corosync_stream_connect(ricci_modstorage_t)
-@@ -471,12 +476,24 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ consoletype_exec(ricci_modstorage_t)
-+')
-+
-+optional_policy(`
-+ fstools_domtrans(ricci_modstorage_t)
-+')
-+
-+optional_policy(`
- lvm_domtrans(ricci_modstorage_t)
- lvm_manage_config(ricci_modstorage_t)
- ')
-
- optional_policy(`
-- nscd_socket_use(ricci_modstorage_t)
-+ modutils_read_module_deps(ricci_modstorage_t)
-+')
-+
-+optional_policy(`
-+ mount_domtrans(ricci_modstorage_t)
- ')
++logging_send_syslog_msg(ricci_modstorage_t)
optional_policy(`
+ aisexec_stream_connect(ricci_modstorage_t)
diff --git a/rlogin.fc b/rlogin.fc
-index 2fae3f0..d7f6b82 100644
+index f111877..e361ee9 100644
--- a/rlogin.fc
+++ b/rlogin.fc
-@@ -1,7 +1,10 @@
- HOME_DIR/\.rlogin -- gen_context(system_u:object_r:rlogind_home_t,s0)
+@@ -1,5 +1,7 @@
+-HOME_DIR/\.rhosts -- gen_context(system_u:object_r:rlogind_home_t,s0)
+-HOME_DIR/\.rlogin -- gen_context(system_u:object_r:rlogind_home_t,s0)
++HOME_DIR/\.rlogin -- gen_context(system_u:object_r:rlogind_home_t,s0)
+HOME_DIR/\.rhosts -- gen_context(system_u:object_r:rlogind_home_t,s0)
+/root/\.rlogin -- gen_context(system_u:object_r:rlogind_home_t,s0)
+/root/\.rhosts -- gen_context(system_u:object_r:rlogind_home_t,s0)
/usr/kerberos/sbin/klogind -- gen_context(system_u:object_r:rlogind_exec_t,s0)
--/usr/lib/telnetlogin -- gen_context(system_u:object_r:rlogind_exec_t,s0)
-+/usr/lib/telnetlogin -- gen_context(system_u:object_r:rlogind_exec_t,s0)
-
- /usr/sbin/in\.rlogind -- gen_context(system_u:object_r:rlogind_exec_t,s0)
diff --git a/rlogin.if b/rlogin.if
-index 63e78c6..fdd8228 100644
+index 050479d..0e1b364 100644
--- a/rlogin.if
+++ b/rlogin.if
-@@ -21,21 +21,15 @@ interface(`rlogin_domtrans',`
-
- ########################################
- ## <summary>
--## read rlogin homedir content (.config)
-+## read rlogin homedir content (.rlogin)
- ## </summary>
--## <param name="userdomain_prefix">
--## <summary>
--## The prefix of the user domain (e.g., user
--## is the prefix for user_t).
--## </summary>
--## </param>
--## <param name="user_domain">
-+## <param name="domain">
- ## <summary>
--## The type of the user domain.
-+## Domain allowed access.
+@@ -29,7 +29,7 @@ interface(`rlogin_domtrans',`
## </summary>
## </param>
#
@@ -56868,36 +62990,29 @@ index 63e78c6..fdd8228 100644
type rlogind_home_t;
')
diff --git a/rlogin.te b/rlogin.te
-index 16304ec..3293b25 100644
+index d34cdec..991c738 100644
--- a/rlogin.te
+++ b/rlogin.te
-@@ -27,15 +27,14 @@ files_pid_file(rlogind_var_run_t)
- # Local policy
- #
-
--allow rlogind_t self:capability { fsetid chown fowner sys_tty_config dac_override };
-+allow rlogind_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override };
+@@ -30,7 +30,9 @@ files_pid_file(rlogind_var_run_t)
+ allow rlogind_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override };
allow rlogind_t self:process signal_perms;
allow rlogind_t self:fifo_file rw_fifo_file_perms;
- allow rlogind_t self:tcp_socket connected_stream_socket_perms;
- # for identd; cjp: this should probably only be inetd_child rules?
- allow rlogind_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
--allow rlogind_t self:capability { setuid setgid };
+-allow rlogind_t self:tcp_socket { accept listen };
++allow rlogind_t self:tcp_socket connected_stream_socket_perms;
++# for identd; cjp: this should probably only be inetd_child rules?
++allow rlogind_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
--allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr };
-+allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
+ allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
term_create_pty(rlogind_t, rlogind_devpts_t)
-
- # for /usr/lib/telnetlogin
-@@ -43,7 +42,6 @@ can_exec(rlogind_t, rlogind_exec_t)
+@@ -39,7 +41,6 @@ allow rlogind_t rlogind_home_t:file read_file_perms;
manage_dirs_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)
manage_files_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)
--files_tmp_filetrans(rlogind_t, rlogind_tmp_t, { file dir })
+-files_tmp_filetrans(rlogind_t, rlogind_tmp_t, { dir file })
manage_files_pattern(rlogind_t, rlogind_var_run_t, rlogind_var_run_t)
files_pid_filetrans(rlogind_t, rlogind_var_run_t, file)
-@@ -52,7 +50,6 @@ kernel_read_kernel_sysctls(rlogind_t)
+@@ -50,7 +51,6 @@ kernel_read_kernel_sysctls(rlogind_t)
kernel_read_system_state(rlogind_t)
kernel_read_network_state(rlogind_t)
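Review bot: With `files_tmp_filetrans(rlogind_t, rlogind_tmp_t, { dir file })` removed, nothing in this hunk labels anything rlogind_tmp_t, so `manage_dirs_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)` and the matching manage_files_pattern rule just above it become dead unless the type is created by some path outside the hunk. The next rlogin.te hunk adds `userdom_tmp_filetrans_user_tmp(rlogind_t, file)`, which looks like the intended replacement; if so, the two rlogind_tmp_t rules (and presumably the type declaration, which is outside this view) should go with the filetrans, or a comment should say why they are kept.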
@@ -56905,7 +63020,7 @@ index 16304ec..3293b25 100644
corenet_all_recvfrom_netlabel(rlogind_t)
corenet_tcp_sendrecv_generic_if(rlogind_t)
corenet_udp_sendrecv_generic_if(rlogind_t)
-@@ -69,10 +66,11 @@ fs_getattr_xattr_fs(rlogind_t)
+@@ -67,8 +67,10 @@ fs_getattr_all_fs(rlogind_t)
fs_search_auto_mountpoints(rlogind_t)
auth_domtrans_chk_passwd(rlogind_t)
@@ -56914,11 +63029,9 @@ index 16304ec..3293b25 100644
auth_use_nsswitch(rlogind_t)
+auth_login_pgm_domain(rlogind_t)
--files_read_etc_files(rlogind_t)
files_read_etc_runtime_files(rlogind_t)
- files_search_home(rlogind_t)
files_search_default(rlogind_t)
-@@ -81,34 +79,29 @@ init_rw_utmp(rlogind_t)
+@@ -77,30 +79,28 @@ init_rw_utmp(rlogind_t)
logging_send_syslog_msg(rlogind_t)
@@ -56926,26 +63039,23 @@ index 16304ec..3293b25 100644
-
seutil_read_config(rlogind_t)
+ userdom_search_user_home_dirs(rlogind_t)
userdom_setattr_user_ptys(rlogind_t)
- # cjp: this is egregious
- userdom_read_user_home_content_files(rlogind_t)
--
--remotelogin_domtrans(rlogind_t)
--remotelogin_signal(rlogind_t)
++# cjp: this is egregious
++userdom_read_user_home_content_files(rlogind_t)
+userdom_search_admin_dir(rlogind_t)
+userdom_manage_user_tmp_files(rlogind_t)
+userdom_tmp_filetrans_user_tmp(rlogind_t, file)
-+userdom_use_user_terminals(rlogind_t)
+ userdom_use_user_terminals(rlogind_t)
+userdom_home_reader(rlogind_t)
- rlogin_read_home_content(rlogind_t)
-
-tunable_policy(`use_nfs_home_dirs',`
- fs_list_nfs(rlogind_t)
- fs_read_nfs_files(rlogind_t)
- fs_read_nfs_symlinks(rlogind_t)
-')
--
++rlogin_read_home_content(rlogind_t)
+
-tunable_policy(`use_samba_home_dirs',`
- fs_list_cifs(rlogind_t)
- fs_read_cifs_files(rlogind_t)
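Review bot: The new side re-adds `userdom_read_user_home_content_files(rlogind_t)` (the rule upstream dropped, still carrying its `# cjp: this is egregious` comment) on top of the already-present `userdom_home_reader(rlogind_t)` and `rlogin_read_home_content(rlogind_t)`, so a pre-authentication network daemon gets read access to every user's home content rather than just `rlogind_home_t` (`.rhosts`). If something beyond `.rhosts` genuinely needs it, the comment should name it, e.g. `# rlogind reads <file> in user homes before auth; rlogin_read_home_content only covers rlogind_home_t -- confirm`; otherwise the re-added rule is redundant with `userdom_home_reader` and should be dropped. The removal of the `use_nfs_home_dirs`/`use_samba_home_dirs` blocks is presumably covered by `userdom_home_reader`, but that is inferred rather than visible here.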
@@ -56953,12 +63063,11 @@ index 16304ec..3293b25 100644
+optional_policy(`
+ kerberos_keytab_template(rlogind, rlogind_t)
+ kerberos_tmp_filetrans_host_rcache(rlogind_t, "host_0")
-+ #part of auth_use_pam
-+ #kerberos_manage_host_rcache(rlogind_t)
')
optional_policy(`
- kerberos_keytab_template(rlogind, rlogind_t)
+- kerberos_tmp_filetrans_host_rcache(rlogind_t, file, "host_0")
- kerberos_manage_host_rcache(rlogind_t)
+ remotelogin_domtrans(rlogind_t)
+ remotelogin_signal(rlogind_t)
@@ -56966,27 +63075,23 @@ index 16304ec..3293b25 100644
optional_policy(`
diff --git a/rngd.fc b/rngd.fc
-new file mode 100644
-index 0000000..f6be09d
---- /dev/null
+index 5dd779e..276eb3a 100644
+--- a/rngd.fc
+++ b/rngd.fc
-@@ -0,0 +1,6 @@
-+
-+/etc/rc\.d/init\.d/rngd -- gen_context(system_u:object_r:rngd_initrc_exec_t,s0)
-+
+@@ -1,3 +1,5 @@
+ /etc/rc\.d/init\.d/rngd -- gen_context(system_u:object_r:rngd_initrc_exec_t,s0)
+
+/usr/lib/systemd/system/rngd.* -- gen_context(system_u:object_r:rngd_unit_file_t,s0)
+
-+/usr/sbin/rngd -- gen_context(system_u:object_r:rngd_exec_t,s0)
+ /usr/sbin/rngd -- gen_context(system_u:object_r:rngd_exec_t,s0)
diff --git a/rngd.if b/rngd.if
-new file mode 100644
-index 0000000..8b505d5
---- /dev/null
+index 0e759a2..8b505d5 100644
+--- a/rngd.if
+++ b/rngd.if
-@@ -0,0 +1,62 @@
-+## <summary>Check and feed random data from hardware device to kernel random device.</summary>
-+
-+########################################
-+## <summary>
+@@ -2,6 +2,28 @@
+
+ ########################################
+ ## <summary>
+## Execute rngd in the rngd domain.
+## </summary>
+## <param name="domain">
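Review bot: The new file context `/usr/lib/systemd/system/rngd.* -- gen_context(system_u:object_r:rngd_unit_file_t,s0)` uses an unescaped `.` followed by `.*`, so it labels any file whose name starts with `rngd`, not only `rngd.service`; the `nfs.*`/`rpc.*` entries added elsewhere in this commit follow the same loose style, so this is a convention question rather than a defect. A tighter pattern is `/usr/lib/systemd/system/rngd\.service -- gen_context(system_u:object_r:rngd_unit_file_t,s0)`. The `rngd.if` hunk cuts off inside the new interface's parameter documentation, so its body is not reviewed here.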
@@ -57009,87 +63114,62 @@ index 0000000..8b505d5
+
+########################################
+## <summary>
-+## All of the rules required to
-+## administrate an rng environment.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <param name="role">
-+## <summary>
-+## Role allowed access.
-+## </summary>
-+## </param>
-+## <rolecap/>
-+#
+ ## All of the rules required to
+ ## administrate an rng environment.
+ ## </summary>
+@@ -17,16 +39,24 @@
+ ## </param>
+ ## <rolecap/>
+ #
+-interface(`rngd_admin',`
+interface(`rng_admin',`
-+ gen_require(`
+ gen_require(`
+- type rngd_t, rngd_initrc_exec_t;
+ type rngd_t, rngd_initrc_exec_t, rngd_unit_file_t;
-+ ')
-+
+ ')
+
+- allow $1 rngd_t:process { ptrace signal_perms };
+ allow $1 rngd_t:process signal_perms;
-+ ps_process_pattern($1, rngd_t)
-+
+ ps_process_pattern($1, rngd_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 rngd_t:process ptrace;
+ ')
+
-+ init_labeled_script_domtrans($1, rngd_initrc_exec_t)
-+ domain_system_change_exemption($1)
-+ role_transition $2 rngd_initrc_exec_t system_r;
-+ allow $2 system_r;
+ init_labeled_script_domtrans($1, rngd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 rngd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ rng_systemctl($1)
+ admin_pattern($1, rngd_unit_file_t)
+ allow $1 rngd_unit_file_t:service all_service_perms;
-+')
+ ')
diff --git a/rngd.te b/rngd.te
-new file mode 100644
-index 0000000..50b6196
---- /dev/null
+index 35c1427..2519caa 100644
+--- a/rngd.te
+++ b/rngd.te
-@@ -0,0 +1,37 @@
-+policy_module(rngd, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type rngd_t;
-+type rngd_exec_t;
-+init_daemon_domain(rngd_t, rngd_exec_t)
-+
-+type rngd_initrc_exec_t;
-+init_script_file(rngd_initrc_exec_t)
-+
+@@ -12,6 +12,9 @@ init_daemon_domain(rngd_t, rngd_exec_t)
+ type rngd_initrc_exec_t;
+ init_script_file(rngd_initrc_exec_t)
+
+type rngd_unit_file_t;
+systemd_unit_file(rngd_unit_file_t)
+
-+########################################
-+#
-+# Local policy
-+#
-+
-+allow rngd_t self:capability sys_admin;
-+allow rngd_t self:process { signal };
-+allow rngd_t self:fifo_file rw_fifo_file_perms;
-+allow rngd_t self:unix_stream_socket create_stream_socket_perms;
-+
-+kernel_rw_kernel_sysctl(rngd_t)
-+
-+dev_read_rand(rngd_t)
-+dev_read_urand(rngd_t)
-+dev_rw_tpm(rngd_t)
-+dev_write_rand(rngd_t)
-+
-+files_read_etc_files(rngd_t)
-+
-+logging_send_syslog_msg(rngd_t)
+ ########################################
+ #
+ # Local policy
+@@ -29,8 +32,5 @@ dev_read_urand(rngd_t)
+ dev_rw_tpm(rngd_t)
+ dev_write_rand(rngd_t)
+
+-files_read_etc_files(rngd_t)
+-
+ logging_send_syslog_msg(rngd_t)
+
+-miscfiles_read_localization(rngd_t)
diff --git a/roundup.if b/roundup.if
-index 30c4b75..e07c2ff 100644
+index 975bb6a..ce4f5ea 100644
--- a/roundup.if
+++ b/roundup.if
@@ -23,8 +23,11 @@ interface(`roundup_admin',`
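Review bot: Renaming the interface from `rngd_admin` to `rng_admin` (and calling the unit-file helper as `rng_systemctl`) breaks any policy that calls the module-prefixed name, and `rngd_` is the prefix that the `rngd` module, `rngd_t`, `rngd_exec_t` and `rngd_unit_file_t` all use, so the new name is the inconsistent one. If the rename is intended, keep a deprecated wrapper: a four-line `interface(`rngd_admin',...)` that emits `refpolicywarn(`$0($*) has been deprecated, use rng_admin() instead.')` and forwards to `rng_admin($1, $2)`. The `tunable_policy(`deny_ptrace',...)` gating of `ptrace` and the added `rngd_unit_file_t:service all_service_perms` look correct; `rng_systemctl` is presumably defined in the earlier `@@ -2,6 +2,28 @@` hunk of rngd.if, which is outside this view.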
@@ -57106,94 +63186,220 @@ index 30c4b75..e07c2ff 100644
init_labeled_script_domtrans($1, roundup_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/roundup.te b/roundup.te
-index 57f839f..090dd29 100644
+index 353960c..3b74aae 100644
--- a/roundup.te
+++ b/roundup.te
-@@ -45,7 +45,6 @@ dev_read_sysfs(roundup_t)
- # execute python
+@@ -41,7 +41,6 @@ kernel_read_proc_symlinks(roundup_t)
+
corecmd_exec_bin(roundup_t)
-corenet_all_recvfrom_unlabeled(roundup_t)
corenet_all_recvfrom_netlabel(roundup_t)
corenet_tcp_sendrecv_generic_if(roundup_t)
- corenet_udp_sendrecv_generic_if(roundup_t)
-@@ -75,8 +74,6 @@ fs_search_auto_mountpoints(roundup_t)
+ corenet_tcp_sendrecv_generic_node(roundup_t)
+@@ -60,16 +59,11 @@ dev_read_urand(roundup_t)
+
+ domain_use_interactive_fds(roundup_t)
+
+-files_read_etc_files(roundup_t)
+-files_read_usr_files(roundup_t)
+-
+ fs_getattr_all_fs(roundup_t)
+ fs_search_auto_mountpoints(roundup_t)
logging_send_syslog_msg(roundup_t)
-miscfiles_read_localization(roundup_t)
-
- sysnet_read_config(roundup_t)
+ sysnet_dns_name_resolve(roundup_t)
userdom_dontaudit_use_unpriv_user_fds(roundup_t)
diff --git a/rpc.fc b/rpc.fc
-index 5c70c0c..b0c22f7 100644
+index a6fb30c..b0c22f7 100644
--- a/rpc.fc
+++ b/rpc.fc
-@@ -6,6 +6,9 @@
- /etc/rc\.d/init\.d/nfslock -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
- /etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
+@@ -1,12 +1,23 @@
+-/etc/exports -- gen_context(system_u:object_r:exports_t,s0)
++#
++# /etc
++#
++/etc/exports -- gen_context(system_u:object_r:exports_t,s0)
++/etc/rc\.d/init\.d/nfs -- gen_context(system_u:object_r:nfsd_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/nfslock -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
+-/etc/rc\.d/init\.d/nfs -- gen_context(system_u:object_r:nfsd_initrc_exec_t,s0)
+-/etc/rc\.d/init\.d/nfslock -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
+-/etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
+/usr/lib/systemd/system/nfs.* -- gen_context(system_u:object_r:nfsd_unit_file_t,s0)
+/usr/lib/systemd/system/rpc.* -- gen_context(system_u:object_r:rpcd_unit_file_t,s0)
-+
- #
- # /sbin
- #
-@@ -15,12 +18,14 @@
- #
- # /usr
- #
-+/usr/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0)
+
+-/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0)
+-/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0)
++#
++# /sbin
++#
++/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0)
++/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0)
+
++#
++# /usr
++#
+ /usr/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0)
/usr/sbin/rpc\.idmapd -- gen_context(system_u:object_r:rpcd_exec_t,s0)
/usr/sbin/rpc\.gssd -- gen_context(system_u:object_r:gssd_exec_t,s0)
- /usr/sbin/rpc\.mountd -- gen_context(system_u:object_r:nfsd_exec_t,s0)
- /usr/sbin/rpc\.nfsd -- gen_context(system_u:object_r:nfsd_exec_t,s0)
- /usr/sbin/rpc\.rquotad -- gen_context(system_u:object_r:rpcd_exec_t,s0)
+@@ -16,7 +27,11 @@
/usr/sbin/rpc\.svcgssd -- gen_context(system_u:object_r:gssd_exec_t,s0)
-+/usr/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0)
+ /usr/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0)
- #
- # /var
-@@ -29,3 +34,4 @@
+-/var/lib/nfs(/.*)? gen_context(system_u:object_r:var_lib_nfs_t,s0)
++#
++# /var
++#
++/var/lib/nfs(/.*)? gen_context(system_u:object_r:var_lib_nfs_t,s0)
/var/run/rpc\.statd(/.*)? gen_context(system_u:object_r:rpcd_var_run_t,s0)
- /var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0)
+-/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0)
++/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0)
+
diff --git a/rpc.if b/rpc.if
-index dddabcf..a61764b 100644
+index 3bd6446..a61764b 100644
--- a/rpc.if
+++ b/rpc.if
-@@ -32,7 +32,11 @@ interface(`rpc_stub',`
+@@ -1,4 +1,4 @@
+-## <summary>Remote Procedure Call Daemon.</summary>
++## <summary>Remote Procedure Call Daemon for managment of network based process communication</summary>
+
+ ########################################
+ ## <summary>
+@@ -20,15 +20,21 @@ interface(`rpc_stub',`
+ ## <summary>
+ ## The template to define a rpc domain.
+ ## </summary>
+-## <param name="domain_prefix">
++## <desc>
++## <p>
++## This template creates a domain to be used for
++## a new rpc daemon.
++## </p>
++## </desc>
++## <param name="userdomain_prefix">
+ ## <summary>
+-## Domain prefix to be used.
++## The type of daemon to be used.
## </summary>
## </param>
#
--template(`rpc_domain_template', `
-+template(`rpc_domain_template',`
-+ gen_require(`
+ template(`rpc_domain_template',`
+ gen_require(`
+- attribute rpc_domain;
+ type var_lib_nfs_t;
-+ ')
-+
+ ')
+
########################################
- #
+@@ -36,18 +42,86 @@ template(`rpc_domain_template',`
# Declarations
-@@ -69,7 +73,6 @@ template(`rpc_domain_template', `
- dev_read_urand($1_t)
- dev_read_rand($1_t)
+ #
-- corenet_all_recvfrom_unlabeled($1_t)
- corenet_all_recvfrom_netlabel($1_t)
- corenet_tcp_sendrecv_generic_if($1_t)
- corenet_udp_sendrecv_generic_if($1_t)
-@@ -105,7 +108,6 @@ template(`rpc_domain_template', `
+- type $1_t, rpc_domain;
++ type $1_t;
+ type $1_exec_t;
+ init_daemon_domain($1_t, $1_exec_t)
+-
+ domain_use_interactive_fds($1_t)
- logging_send_syslog_msg($1_t)
+- ########################################
++ ####################################
+ #
+- # Policy
++ # Local Policy
+ #
-- miscfiles_read_localization($1_t)
++ dontaudit $1_t self:capability { net_admin sys_tty_config };
++ allow $1_t self:capability net_bind_service;
++ allow $1_t self:process signal_perms;
++ allow $1_t self:unix_dgram_socket create_socket_perms;
++ allow $1_t self:unix_stream_socket create_stream_socket_perms;
++ allow $1_t self:tcp_socket create_stream_socket_perms;
++ allow $1_t self:udp_socket create_socket_perms;
++
++ manage_dirs_pattern($1_t, var_lib_nfs_t, var_lib_nfs_t)
++ manage_files_pattern($1_t, var_lib_nfs_t, var_lib_nfs_t)
++
++ kernel_list_proc($1_t)
++ kernel_read_proc_symlinks($1_t)
++ kernel_read_kernel_sysctls($1_t)
++ # bind to arbitary unused ports
++ kernel_rw_rpc_sysctls($1_t)
++
++ dev_read_sysfs($1_t)
++ dev_read_urand($1_t)
++ dev_read_rand($1_t)
++
++ corenet_all_recvfrom_netlabel($1_t)
++ corenet_tcp_sendrecv_generic_if($1_t)
++ corenet_udp_sendrecv_generic_if($1_t)
++ corenet_tcp_sendrecv_generic_node($1_t)
++ corenet_udp_sendrecv_generic_node($1_t)
++ corenet_tcp_sendrecv_all_ports($1_t)
++ corenet_udp_sendrecv_all_ports($1_t)
++ corenet_tcp_bind_generic_node($1_t)
++ corenet_udp_bind_generic_node($1_t)
++ corenet_tcp_bind_reserved_port($1_t)
++ corenet_tcp_connect_all_ports($1_t)
++ corenet_sendrecv_portmap_client_packets($1_t)
++ # do not log when it tries to bind to a port belonging to another domain
++ corenet_dontaudit_tcp_bind_all_ports($1_t)
++ corenet_dontaudit_udp_bind_all_ports($1_t)
++ # bind to arbitary unused ports
++ corenet_tcp_bind_generic_port($1_t)
++ corenet_udp_bind_generic_port($1_t)
++ corenet_tcp_bind_all_rpc_ports($1_t)
++ corenet_udp_bind_all_rpc_ports($1_t)
++ corenet_sendrecv_generic_server_packets($1_t)
++
++ fs_rw_rpc_named_pipes($1_t)
++ fs_search_auto_mountpoints($1_t)
++
++ files_read_etc_files($1_t)
++ files_read_etc_runtime_files($1_t)
++ files_search_var($1_t)
++ files_search_var_lib($1_t)
++ files_list_home($1_t)
++
+ auth_use_nsswitch($1_t)
++
++ logging_send_syslog_msg($1_t)
++
++
++ userdom_dontaudit_use_unpriv_user_fds($1_t)
++
++ optional_policy(`
++ rpcbind_stream_connect($1_t)
++ ')
++
++ optional_policy(`
++ seutil_sigchld_newrole($1_t)
++ ')
++
++ optional_policy(`
++ udev_read_db($1_t)
++ ')
+ ')
- userdom_dontaudit_use_unpriv_user_fds($1_t)
+ ########################################
+@@ -66,8 +140,8 @@ interface(`rpc_udp_send',`
-@@ -152,7 +154,7 @@ interface(`rpc_dontaudit_getattr_exports',`
+ ########################################
+ ## <summary>
+-## Do not audit attempts to get
+-## attributes of export files.
++## Do not audit attempts to get the attributes
++## of the NFS export file.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -80,12 +154,12 @@ interface(`rpc_dontaudit_getattr_exports',`
type exports_t;
')
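Review bot: The rewritten `rpc_domain_template` documentation, `## <param name="userdomain_prefix">` with `## The type of daemon to be used.`, misdescribes the parameter: the body expands `$1_t` and `$1_exec_t`, so it is a plain domain prefix, and upstream's replaced `domain_prefix` / `Domain prefix to be used.` was accurate; suggest `## <param name="domain_prefix">` with `## Prefix for the daemon domain; expands to $1_t and $1_exec_t.`. The comment `# bind to arbitary unused ports` appears twice (above `kernel_rw_rpc_sysctls` and above `corenet_tcp_bind_generic_port`) and is misspelt; keep one, spelled `arbitrary`. The template now also grants `net_bind_service`, `corenet_tcp_connect_all_ports` and `corenet_tcp_sendrecv_all_ports` to every daemon instantiated from it; those mostly mirror the removed `rpc_domain` common block, but a short header comment noting that this template replaced the attribute would help readers who look for `rpc_domain` and no longer find it.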
@@ -57202,7 +63408,22 @@ index dddabcf..a61764b 100644
')
########################################
-@@ -188,7 +190,7 @@ interface(`rpc_write_exports',`
+ ## <summary>
+-## Read export files.
++## Allow read access to exports.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -103,7 +177,7 @@ interface(`rpc_read_exports',`
+
+ ########################################
+ ## <summary>
+-## Write export files.
++## Allow write access to exports.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -116,12 +190,12 @@ interface(`rpc_write_exports',`
type exports_t;
')
@@ -57211,10 +63432,33 @@ index dddabcf..a61764b 100644
')
########################################
-@@ -229,6 +231,29 @@ interface(`rpc_initrc_domtrans_nfsd',`
+ ## <summary>
+-## Execute nfsd in the nfsd domain.
++## Execute domain in nfsd domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -134,14 +208,12 @@ interface(`rpc_domtrans_nfsd',`
+ type nfsd_t, nfsd_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+ domtrans_pattern($1, nfsd_exec_t, nfsd_t)
+ ')
+
+ #######################################
+ ## <summary>
+-## Execute nfsd init scripts in
+-## the initrc domain.
++## Execute domain in nfsd domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -159,7 +231,30 @@ interface(`rpc_initrc_domtrans_nfsd',`
########################################
## <summary>
+-## Execute rpcd in the rpcd domain.
+## Execute nfsd server in the nfsd domain.
+## </summary>
+## <param name="domain">
@@ -57238,13 +63482,19 @@ index dddabcf..a61764b 100644
+
+########################################
+## <summary>
- ## Execute domain in rpcd domain.
++## Execute domain in rpcd domain.
## </summary>
## <param name="domain">
-@@ -246,6 +271,32 @@ interface(`rpc_domtrans_rpcd',`
- allow rpcd_t $1:process signal;
- ')
+ ## <summary>
+@@ -172,14 +267,39 @@ interface(`rpc_domtrans_rpcd',`
+ type rpcd_t, rpcd_exec_t;
+ ')
+- corecmd_search_bin($1)
+ domtrans_pattern($1, rpcd_exec_t, rpcd_t)
++ allow rpcd_t $1:process signal;
++')
++
+########################################
+## <summary>
+## Execute rpcd in the rcpd domain, and
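Review bot: `rpc_domtrans_rpcd` now also grants `allow rpcd_t $1:process signal;`, a permission for the daemon over the calling domain, while the interface summary still says only that it executes rpcd; a caller reading the doc will not expect to become signalable by rpcd_t. Add a why-comment above the rule, e.g. `# rpcd signals the domain that started it -- confirm which daemon (rpc.statd/sm-notify?) needs this`, or state it in the `<summary>`. Removing `corecmd_search_bin($1)` here has the same unverified assumption as the nfsd interface: callers must already be able to search bin directories.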
@@ -57269,15 +63519,21 @@ index dddabcf..a61764b 100644
+
+ rpc_domtrans_rpcd($1)
+ role $2 types rpcd_t;
-+')
-+
+ ')
+
#######################################
## <summary>
- ## Execute domain in rpcd domain.
-@@ -266,6 +317,29 @@ interface(`rpc_initrc_domtrans_rpcd',`
+-## Execute rpcd init scripts in
+-## the initrc domain.
++## Execute domain in rpcd domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -197,7 +317,30 @@ interface(`rpc_initrc_domtrans_rpcd',`
########################################
## <summary>
+-## Read nfs exported content.
+## Execute rpcd server in the rpcd domain.
+## </summary>
+## <param name="domain">
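Review bot: `rpc_initrc_domtrans_rpcd` receives the summary `## Execute domain in rpcd domain.`, which describes the wrong interface (this one transitions via the init script) and duplicates the summary of `rpc_domtrans_rpcd`; the replaced text `## Execute rpcd init scripts in the initrc domain.` was correct and should be kept. Summaries are what `sepolicy interface` and the generated docs show, so two interfaces with identical but inaccurate summaries are actively misleading.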
@@ -57301,136 +63557,228 @@ index dddabcf..a61764b 100644
+
+########################################
+## <summary>
- ## Read NFS exported content.
++## Read NFS exported content.
## </summary>
## <param name="domain">
-@@ -282,7 +356,7 @@ interface(`rpc_read_nfs_content',`
-
- allow $1 { nfsd_ro_t nfsd_rw_t }:dir list_dir_perms;
- allow $1 { nfsd_ro_t nfsd_rw_t }:file read_file_perms;
-- allow $1 { nfsd_ro_t nfsd_rw_t }:lnk_file { getattr read };
-+ allow $1 { nfsd_ro_t nfsd_rw_t }:lnk_file read_lnk_file_perms;
- ')
-
- ########################################
-@@ -329,7 +403,7 @@ interface(`rpc_manage_nfs_ro_content',`
+ ## <summary>
+@@ -218,8 +361,7 @@ interface(`rpc_read_nfs_content',`
########################################
## <summary>
--## Allow domain to read and write to an NFS TCP socket.
-+## Allow domain to read and write to an NFS UDP socket.
+-## Create, read, write, and delete
+-## nfs exported read write content.
++## Allow domain to create read and write NFS directories.
## </summary>
## <param name="domain">
## <summary>
-@@ -337,17 +411,17 @@ interface(`rpc_manage_nfs_ro_content',`
- ## </summary>
- ## </param>
- #
--interface(`rpc_tcp_rw_nfs_sockets',`
-+interface(`rpc_udp_rw_nfs_sockets',`
- gen_require(`
- type nfsd_t;
- ')
-
-- allow $1 nfsd_t:tcp_socket rw_socket_perms;
-+ allow $1 nfsd_t:udp_socket rw_socket_perms;
- ')
+@@ -240,8 +382,7 @@ interface(`rpc_manage_nfs_rw_content',`
########################################
## <summary>
--## Allow domain to read and write to an NFS UDP socket.
-+## Send UDP traffic to NFSd. (Deprecated)
+-## Create, read, write, and delete
+-## nfs exported read only content.
++## Allow domain to create read and write NFS directories.
## </summary>
## <param name="domain">
## <summary>
-@@ -355,17 +429,13 @@ interface(`rpc_tcp_rw_nfs_sockets',`
- ## </summary>
- ## </param>
- #
--interface(`rpc_udp_rw_nfs_sockets',`
+@@ -262,25 +403,7 @@ interface(`rpc_manage_nfs_ro_content',`
+
+ ########################################
+ ## <summary>
+-## Read and write to nfsd tcp sockets.
+-## </summary>
+-## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+-## </param>
+-#
+-interface(`rpc_tcp_rw_nfs_sockets',`
- gen_require(`
- type nfsd_t;
- ')
-
-- allow $1 nfsd_t:udp_socket rw_socket_perms;
-+interface(`rpc_udp_send_nfs',`
-+ refpolicywarn(`$0($*) has been deprecated.')
- ')
+- allow $1 nfsd_t:tcp_socket rw_socket_perms;
+-')
+-
+-########################################
+-## <summary>
+-## Read and write to nfsd udp sockets.
++## Allow domain to read and write to an NFS UDP socket.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -312,7 +435,7 @@ interface(`rpc_udp_send_nfs',`
########################################
## <summary>
--## Send UDP traffic to NFSd. (Deprecated)
+-## Search nfs lib directories.
+## Search NFS state data in /var/lib/nfs.
## </summary>
## <param name="domain">
## <summary>
-@@ -373,13 +443,18 @@ interface(`rpc_udp_rw_nfs_sockets',`
- ## </summary>
- ## </param>
- #
--interface(`rpc_udp_send_nfs',`
-- refpolicywarn(`$0($*) has been deprecated.')
-+interface(`rpc_search_nfs_state_data',`
-+ gen_require(`
-+ type var_lib_nfs_t;
-+ ')
-+
-+ files_search_var_lib($1)
+@@ -326,12 +449,12 @@ interface(`rpc_search_nfs_state_data',`
+ ')
+
+ files_search_var_lib($1)
+- allow $1 var_lib_nfs_t:dir search;
+ allow $1 var_lib_nfs_t:dir search_dir_perms;
')
########################################
## <summary>
--## Search NFS state data in /var/lib/nfs.
+-## Read nfs lib files.
+## List NFS state data in /var/lib/nfs.
## </summary>
## <param name="domain">
## <summary>
-@@ -387,13 +462,13 @@ interface(`rpc_udp_send_nfs',`
+@@ -339,19 +462,18 @@ interface(`rpc_search_nfs_state_data',`
## </summary>
## </param>
#
--interface(`rpc_search_nfs_state_data',`
+-interface(`rpc_read_nfs_state_data',`
+interface(`rpc_list_nfs_state_data',`
gen_require(`
type var_lib_nfs_t;
')
files_search_var_lib($1)
-- allow $1 var_lib_nfs_t:dir search;
+- read_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
+ allow $1 var_lib_nfs_t:dir list_dir_perms;
')
########################################
-@@ -432,4 +507,5 @@ interface(`rpc_manage_nfs_state_data',`
+ ## <summary>
+-## Create, read, write, and delete
+-## nfs lib files.
++## Read NFS state data in /var/lib/nfs.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -359,62 +481,31 @@ interface(`rpc_read_nfs_state_data',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`rpc_manage_nfs_state_data',`
++interface(`rpc_read_nfs_state_data',`
+ gen_require(`
+ type var_lib_nfs_t;
+ ')
files_search_var_lib($1)
- manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
+- manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
++ read_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## All of the rules required to
+-## administrate an rpc environment.
++## Manage NFS state data in /var/lib/nfs.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <param name="role">
+-## <summary>
+-## Role allowed access.
+-## </summary>
+-## </param>
+-## <rolecap/>
+ #
+-interface(`rpc_admin',`
++interface(`rpc_manage_nfs_state_data',`
+ gen_require(`
+- attribute rpc_domain;
+- type nfsd_initrc_exec_t, rpcd_initrc_exec_t, exports_t;
+- type var_lib_nfs_t, rpcd_var_run_t, gssd_tmp_t;
+- type nfsd_ro_t, nfsd_rw_t;
++ type var_lib_nfs_t;
+ ')
+
+- allow $1 rpc_domain:process { ptrace signal_perms };
+- ps_process_pattern($1, rpc_domain)
+-
+- init_labeled_script_domtrans($1, { nfsd_initrc_exec_t rpcd_initrc_exec_t })
+- domain_system_change_exemption($1)
+- role_transition $2 { nfsd_initrc_exec_t rpcd_initrc_exec_t } system_r;
+- allow $2 system_r;
+-
+- files_list_etc($1)
+- admin_pattern($1, exports_t)
+-
+- files_list_var_lib($1)
+- admin_pattern($1, var_lib_nfs_t)
+-
+- files_list_pids($1)
+- admin_pattern($1, rpcd_var_run_t)
+-
+- files_list_all($1)
+- admin_pattern($1, { nfsd_ro_t nfsd_rw_t })
+-
+- files_list_tmp($1)
+- admin_pattern($1, gssd_tmp_t)
+-
+- fs_search_nfsd_fs($1)
++ files_search_var_lib($1)
++ manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
+ allow $1 var_lib_nfs_t:file relabel_file_perms;
')
diff --git a/rpc.te b/rpc.te
-index 330d01f..fd96b3c 100644
+index e5212e6..fd96b3c 100644
--- a/rpc.te
+++ b/rpc.te
-@@ -10,7 +10,7 @@ policy_module(rpc, 1.14.0)
- ## Allow gssd to read temp directory. For access to kerberos tgt.
- ## </p>
+@@ -1,4 +1,4 @@
+-policy_module(rpc, 1.14.6)
++policy_module(rpc, 1.14.0)
+
+ ########################################
+ #
+@@ -6,24 +6,20 @@ policy_module(rpc, 1.14.6)
+ #
+
+ ## <desc>
+-## <p>
+-## Determine whether gssd can read
+-## generic user temporary content.
+-## </p>
++## <p>
++## Allow gssd to read temp directory. For access to kerberos tgt.
++## </p>
## </desc>
--gen_tunable(allow_gssd_read_tmp, true)
+-gen_tunable(allow_gssd_read_tmp, false)
+gen_tunable(gssd_read_tmp, true)
## <desc>
- ## <p>
-@@ -19,7 +19,7 @@ gen_tunable(allow_gssd_read_tmp, true)
- ## labeled public_content_rw_t.
- ## </p>
+-## <p>
+-## Determine whether nfs can modify
+-## public files used for public file
+-## transfer services. Directories/Files must
+-## be labeled public_content_rw_t.
+-## </p>
++## <p>
++## Allow nfs servers to modify public files
++## used for public file transfer services. Files/Directories must be
++## labeled public_content_rw_t.
++## </p>
## </desc>
-gen_tunable(allow_nfsd_anon_write, false)
+-
+-attribute rpc_domain;
+gen_tunable(nfsd_anon_write, false)
type exports_t;
files_config_file(exports_t)
-@@ -39,11 +39,17 @@ rpc_domain_template(rpcd)
+@@ -36,16 +32,24 @@ files_tmp_file(gssd_tmp_t)
+ type rpcd_var_run_t;
+ files_pid_file(rpcd_var_run_t)
+
++# rpcd_t is the domain of rpc daemons.
++# rpc_exec_t is the type of rpc daemon programs.
+ rpc_domain_template(rpcd)
+
type rpcd_initrc_exec_t;
init_script_file(rpcd_initrc_exec_t)
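Review bot: The rebased patch keeps `gen_tunable(gssd_read_tmp, true)` while the upstream line it now replaces reads `gen_tunable(allow_gssd_read_tmp, false)`, so Fedora ships gssd able to read generic user tmp content by default where upstream turned that off; the `<desc>` should state why the permissive default is kept, e.g. `## Enabled by default so gssd can read a user's Kerberos credential cache in /tmp; disable where ccaches live elsewhere.` (the ccache motivation is what the existing desc suggests, not something this hunk proves). Renaming the booleans (`allow_gssd_read_tmp` to `gssd_read_tmp`, `allow_nfsd_anon_write` to `nfsd_anon_write`) silently breaks any existing `setsebool -P` configuration unless an alias mechanism exists outside this patch. The patch also rewrites `policy_module(rpc, 1.14.6)` to `policy_module(rpc, 1.14.0)`, a version regression against the upstream it is rebased on; bump it to at least `1.14.6`.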
@@ -57448,27 +63796,103 @@ index 330d01f..fd96b3c 100644
type nfsd_rw_t;
files_type(nfsd_rw_t)
-@@ -58,13 +64,16 @@ files_mountpoint(var_lib_nfs_t)
- # RPC local policy
+@@ -57,89 +61,26 @@ files_mountpoint(var_lib_nfs_t)
+
+ ########################################
+ #
+-# Common rpc domain local policy
+-#
+-
+-dontaudit rpc_domain self:capability { net_admin sys_tty_config };
+-allow rpc_domain self:process signal_perms;
+-allow rpc_domain self:unix_stream_socket { accept listen };
+-allow rpc_domain self:tcp_socket { accept listen };
+-
+-manage_dirs_pattern(rpc_domain, var_lib_nfs_t, var_lib_nfs_t)
+-manage_files_pattern(rpc_domain, var_lib_nfs_t, var_lib_nfs_t)
+-
+-kernel_read_system_state(rpc_domain)
+-kernel_read_kernel_sysctls(rpc_domain)
+-kernel_rw_rpc_sysctls(rpc_domain)
+-
+-dev_read_sysfs(rpc_domain)
+-dev_read_urand(rpc_domain)
+-dev_read_rand(rpc_domain)
+-
+-corenet_all_recvfrom_unlabeled(rpc_domain)
+-corenet_all_recvfrom_netlabel(rpc_domain)
+-corenet_tcp_sendrecv_generic_if(rpc_domain)
+-corenet_udp_sendrecv_generic_if(rpc_domain)
+-corenet_tcp_sendrecv_generic_node(rpc_domain)
+-corenet_udp_sendrecv_generic_node(rpc_domain)
+-corenet_tcp_sendrecv_all_ports(rpc_domain)
+-corenet_udp_sendrecv_all_ports(rpc_domain)
+-corenet_tcp_bind_generic_node(rpc_domain)
+-corenet_udp_bind_generic_node(rpc_domain)
+-
+-corenet_sendrecv_all_server_packets(rpc_domain)
+-corenet_tcp_bind_reserved_port(rpc_domain)
+-corenet_tcp_connect_all_ports(rpc_domain)
+-corenet_sendrecv_portmap_client_packets(rpc_domain)
+-corenet_dontaudit_tcp_bind_all_ports(rpc_domain)
+-corenet_dontaudit_udp_bind_all_ports(rpc_domain)
+-corenet_tcp_bind_generic_port(rpc_domain)
+-corenet_udp_bind_generic_port(rpc_domain)
+-corenet_tcp_bind_all_rpc_ports(rpc_domain)
+-corenet_udp_bind_all_rpc_ports(rpc_domain)
+-
+-fs_rw_rpc_named_pipes(rpc_domain)
+-fs_search_auto_mountpoints(rpc_domain)
+-
+-files_read_etc_runtime_files(rpc_domain)
+-files_read_usr_files(rpc_domain)
+-files_list_home(rpc_domain)
+-
+-logging_send_syslog_msg(rpc_domain)
+-
+-miscfiles_read_localization(rpc_domain)
+-
+-userdom_dontaudit_use_unpriv_user_fds(rpc_domain)
+-
+-optional_policy(`
+- rpcbind_stream_connect(rpc_domain)
+-')
+-
+-optional_policy(`
+- seutil_sigchld_newrole(rpc_domain)
+-')
+-
+-optional_policy(`
+- udev_read_db(rpc_domain)
+-')
+-
+-########################################
+-#
+-# Local policy
++# RPC local policy
#
--allow rpcd_t self:capability { sys_admin chown dac_override setgid setuid };
-+allow rpcd_t self:capability { setpcap sys_admin chown dac_override setgid setuid };
-+allow rpcd_t self:capability2 block_suspend;
+ allow rpcd_t self:capability { setpcap sys_admin chown dac_override setgid setuid };
+ allow rpcd_t self:capability2 block_suspend;
+
allow rpcd_t self:process { getcap setcap };
allow rpcd_t self:fifo_file rw_fifo_file_perms;
--allow rpcd_t rpcd_var_run_t:dir setattr;
+allow rpcd_t rpcd_var_run_t:dir setattr_dir_perms;
-+manage_dirs_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t)
+ manage_dirs_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t)
manage_files_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t)
--files_pid_filetrans(rpcd_t, rpcd_var_run_t, file)
-+files_pid_filetrans(rpcd_t, rpcd_var_run_t, { file dir })
+ files_pid_filetrans(rpcd_t, rpcd_var_run_t, { file dir })
- # rpc.statd executes sm-notify
++# rpc.statd executes sm-notify
can_exec(rpcd_t, rpcd_exec_t)
-@@ -81,21 +90,26 @@ corecmd_exec_bin(rpcd_t)
+
++kernel_read_system_state(rpcd_t)
+ kernel_read_network_state(rpcd_t)
++# for rpc.rquotad
+ kernel_read_sysctl(rpcd_t)
+ kernel_rw_fs_sysctls(rpcd_t)
+ kernel_dontaudit_getattr_core_if(rpcd_t)
+@@ -149,6 +90,7 @@ corecmd_exec_bin(rpcd_t)
files_manage_mounttab(rpcd_t)
files_getattr_all_dirs(rpcd_t)
@@ -57476,11 +63900,7 @@ index 330d01f..fd96b3c 100644
fs_list_rpc(rpcd_t)
fs_read_rpc_files(rpcd_t)
- fs_read_rpc_symlinks(rpcd_t)
- fs_rw_rpc_sockets(rpcd_t)
- fs_get_all_fs_quotas(rpcd_t)
-+fs_set_xattr_fs_quotas(rpcd_t)
- fs_getattr_all_fs(rpcd_t)
+@@ -160,13 +102,14 @@ fs_getattr_all_fs(rpcd_t)
storage_getattr_fixed_disk_dev(rpcd_t)
@@ -57491,37 +63911,42 @@ index 330d01f..fd96b3c 100644
miscfiles_read_generic_certs(rpcd_t)
-seutil_dontaudit_search_config(rpcd_t)
+-
+-userdom_signal_all_users(rpcd_t)
+userdom_signal_unpriv_users(rpcd_t)
+userdom_read_user_home_content_files(rpcd_t)
optional_policy(`
automount_signal(rpcd_t)
-@@ -103,15 +117,32 @@ optional_policy(`
+@@ -174,19 +117,23 @@ optional_policy(`
')
optional_policy(`
+- nis_read_ypserv_config(rpcd_t)
+ domain_unconfined_signal(rpcd_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- quota_manage_db_files(rpcd_t)
+ quota_manage_db(rpcd_t)
-+')
-+
-+optional_policy(`
- nis_read_ypserv_config(rpcd_t)
')
-+optional_policy(`
+ optional_policy(`
+- rgmanager_manage_tmp_files(rpcd_t)
++ nis_read_ypserv_config(rpcd_t)
+ ')
+
+ optional_policy(`
+- unconfined_signal(rpcd_t)
+ quota_read_db(rpcd_t)
+')
+
+optional_policy(`
+ rgmanager_manage_tmp_files(rpcd_t)
-+')
-+
+ ')
+
########################################
- #
- # NFSD local policy
+@@ -195,41 +142,55 @@ optional_policy(`
#
allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource };
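Review bot: Both `quota_manage_db(rpcd_t)` and `quota_read_db(rpcd_t)` are added in separate `optional_policy` blocks; if `quota_manage_db` already grants read, as manage interfaces normally do, the second block is redundant and the two should collapse into one `optional_policy(` block around `quota_manage_db(rpcd_t)`. If rquotad only reads the databases and the manage rule exists for one specific write path, a comment naming that case would stop the next maintainer from dropping the wrong rule. The switch from `unconfined_signal` to `domain_unconfined_signal` looks like a straight interface rename.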
@@ -57529,52 +63954,62 @@ index 330d01f..fd96b3c 100644
allow nfsd_t exports_t:file read_file_perms;
allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
-@@ -120,9 +151,16 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
- kernel_read_system_state(nfsd_t)
+
++# for /proc/fs/nfs/exports - should we have a new type?
++kernel_read_system_state(nfsd_t)
kernel_read_network_state(nfsd_t)
kernel_dontaudit_getattr_core_if(nfsd_t)
-+kernel_setsched(nfsd_t)
-+kernel_request_load_module(nfsd_t)
+ kernel_setsched(nfsd_t)
+ kernel_request_load_module(nfsd_t)
+-# kernel_mounton_proc(nfsd_t)
+kernel_mounton_proc(nfsd_t)
+
+corecmd_exec_shell(nfsd_t)
- corenet_tcp_bind_all_rpc_ports(nfsd_t)
- corenet_udp_bind_all_rpc_ports(nfsd_t)
-+corenet_tcp_bind_nfs_port(nfsd_t)
-+corenet_udp_bind_nfs_port(nfsd_t)
+-corenet_sendrecv_nfs_server_packets(nfsd_t)
++corenet_tcp_bind_all_rpc_ports(nfsd_t)
++corenet_udp_bind_all_rpc_ports(nfsd_t)
+ corenet_tcp_bind_nfs_port(nfsd_t)
+ corenet_udp_bind_nfs_port(nfsd_t)
+-corecmd_exec_shell(nfsd_t)
+-
dev_dontaudit_getattr_all_blk_files(nfsd_t)
dev_dontaudit_getattr_all_chr_files(nfsd_t)
-@@ -135,12 +173,12 @@ files_getattr_tmp_dirs(nfsd_t)
- # cjp: this should really have its own type
+ dev_rw_lvm_control(nfsd_t)
+
++# does not really need this, but it is easier to just allow it
++files_search_pids(nfsd_t)
++# for exportfs and rpc.mountd
+ files_getattr_tmp_dirs(nfsd_t)
++# cjp: this should really have its own type
files_manage_mounttab(nfsd_t)
- files_read_etc_runtime_files(nfsd_t)
++files_read_etc_runtime_files(nfsd_t)
+files_read_usr_files(nfsd_t)
fs_mount_nfsd_fs(nfsd_t)
--fs_search_nfsd_fs(nfsd_t)
fs_getattr_all_fs(nfsd_t)
fs_getattr_all_dirs(nfsd_t)
-fs_rw_nfsd_fs(nfsd_t)
+-# fs_manage_nfsd_fs(nfsd_t)
+fs_manage_nfsd_fs(nfsd_t)
storage_dontaudit_read_fixed_disk(nfsd_t)
storage_raw_read_removable_device(nfsd_t)
-@@ -148,8 +186,11 @@ storage_raw_read_removable_device(nfsd_t)
- # Read access to public_content_t and public_content_rw_t
+
++# Read access to public_content_t and public_content_rw_t
miscfiles_read_public_files(nfsd_t)
+-tunable_policy(`allow_nfsd_anon_write',`
+userdom_user_home_dir_filetrans_user_home_content(nfsd_t, { file dir })
+userdom_list_user_tmp(nfsd_t)
+
- # Write access to public_content_t and public_content_rw_t
--tunable_policy(`allow_nfsd_anon_write',`
++# Write access to public_content_t and public_content_rw_t
+tunable_policy(`nfsd_anon_write',`
miscfiles_manage_public_files(nfsd_t)
')
-@@ -158,7 +199,6 @@ tunable_policy(`nfs_export_all_rw',`
+@@ -238,7 +199,6 @@ tunable_policy(`nfs_export_all_rw',`
dev_getattr_all_chr_files(nfsd_t)
fs_read_noxattr_fs_files(nfsd_t)
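Review bot: The new `files_search_pids(nfsd_t)` is introduced with the comment `# does not really need this, but it is easier to just allow it`, i.e. an allow rule justified by convenience; if the access is not needed, the denial should be silenced with a dontaudit (`files_dontaudit_search_pids(nfsd_t)`, if the files module provides it) rather than granted, and if it is needed (the following `# for exportfs and rpc.mountd` line may be the real reason) the comment should say so. `kernel_mounton_proc(nfsd_t)` is enabled where upstream left it commented out, and `fs_manage_nfsd_fs` replaces `fs_rw_nfsd_fs`; a one-line comment on each naming the operation that triggered the widening would make them reviewable. `userdom_user_home_dir_filetrans_user_home_content(nfsd_t, { file dir })` is a notable new grant for a server that exports arbitrary trees and deserves the same justification.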
@@ -57582,44 +64017,50 @@ index 330d01f..fd96b3c 100644
')
tunable_policy(`nfs_export_all_ro',`
-@@ -170,8 +210,12 @@ tunable_policy(`nfs_export_all_ro',`
+@@ -250,12 +210,12 @@ tunable_policy(`nfs_export_all_ro',`
fs_read_noxattr_fs_files(nfsd_t)
- files_list_non_auth_dirs(nfsd_t)
- files_read_non_auth_files(nfsd_t)
+ files_read_non_security_files(nfsd_t)
-+')
-+
-+optional_policy(`
-+ mount_exec(nfsd_t)
+ ')
+
+ optional_policy(`
+ mount_exec(nfsd_t)
+ mount_manage_pid_files(nfsd_t)
')
########################################
-@@ -181,7 +225,7 @@ tunable_policy(`nfs_export_all_ro',`
+@@ -271,6 +231,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
+ manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
+ files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
- allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice };
- allow gssd_t self:process { getsched setsched };
--allow gssd_t self:fifo_file rw_file_perms;
-+allow gssd_t self:fifo_file rw_fifo_file_perms;
++kernel_read_system_state(gssd_t)
+ kernel_read_network_state(gssd_t)
+ kernel_read_network_state_symlinks(gssd_t)
+ kernel_request_load_module(gssd_t)
+@@ -279,25 +240,29 @@ kernel_signal(gssd_t)
- manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
- manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
-@@ -199,6 +243,7 @@ corecmd_exec_bin(gssd_t)
+ corecmd_exec_bin(gssd_t)
+
+-fs_list_inotifyfs(gssd_t)
fs_list_rpc(gssd_t)
fs_rw_rpc_sockets(gssd_t)
fs_read_rpc_files(gssd_t)
+-fs_read_nfs_files(gssd_t)
+fs_read_nfsd_files(gssd_t)
- fs_list_inotifyfs(gssd_t)
++fs_list_inotifyfs(gssd_t)
files_list_tmp(gssd_t)
-@@ -210,14 +255,14 @@ auth_manage_cache(gssd_t)
++files_read_usr_symlinks(gssd_t)
+ files_dontaudit_write_var_dirs(gssd_t)
+
++auth_use_nsswitch(gssd_t)
+ auth_manage_cache(gssd_t)
miscfiles_read_generic_certs(gssd_t)
--mount_signal(gssd_t)
--
userdom_signal_all_users(gssd_t)
-tunable_policy(`allow_gssd_read_tmp',`
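Review bot: The newly added `++auth_use_nsswitch(gssd_t)` (just above `auth_manage_cache`) carries no why-comment, and as far as I recall it is one of the broader interfaces, pulling in name-service lookups and, through the optional backends, network access; a reader of the merged policy cannot tell which gssd need it serves. A one-line note such as `# nsswitch lookups (presumably principal-to-uid mapping) -- confirm` would keep a later least-privilege pass from trimming it blindly. The gssd_t policy block continues past the end of this hunk.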
@@ -57632,71 +64073,102 @@ index 330d01f..fd96b3c 100644
')
optional_policy(`
-@@ -226,6 +271,11 @@ optional_policy(`
+@@ -306,8 +271,7 @@ optional_policy(`
optional_policy(`
kerberos_keytab_template(gssd, gssd_t)
+- kerberos_manage_host_rcache(gssd_t)
+- kerberos_tmp_filetrans_host_rcache(gssd_t, file, "nfs_0")
+ kerberos_tmp_filetrans_host_rcache(gssd_t, "nfs_0")
-+')
-+
-+optional_policy(`
-+ mount_signal(gssd_t)
')
optional_policy(`
-diff --git a/rpcbind.fc b/rpcbind.fc
-index f5c47d6..164ce1f 100644
---- a/rpcbind.fc
-+++ b/rpcbind.fc
-@@ -2,8 +2,10 @@
-
- /sbin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0)
+@@ -315,7 +279,7 @@ optional_policy(`
+ ')
-+/usr/sbin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0)
-+
-+/var/cache/rpcbind(/.*)? gen_context(system_u:object_r:rpcbind_var_lib_t,s0)
- /var/lib/rpcbind(/.*)? gen_context(system_u:object_r:rpcbind_var_lib_t,s0)
+ optional_policy(`
+- pcscd_read_pid_files(gssd_t)
++ pcscd_read_pub_files(gssd_t)
+ ')
- /var/run/rpc.statd\.pid -- gen_context(system_u:object_r:rpcbind_var_run_t,s0)
--/var/run/rpcbind\.lock -- gen_context(system_u:object_r:rpcbind_var_run_t,s0)
--/var/run/rpcbind\.sock -s gen_context(system_u:object_r:rpcbind_var_run_t,s0)
-+/var/run/rpcbind.* gen_context(system_u:object_r:rpcbind_var_run_t,s0)
+ optional_policy(`
diff --git a/rpcbind.if b/rpcbind.if
-index a96249c..ff1163f 100644
+index 3b5e9ee..ff1163f 100644
--- a/rpcbind.if
+++ b/rpcbind.if
-@@ -34,8 +34,7 @@ interface(`rpcbind_stream_connect',`
+@@ -1,4 +1,4 @@
+-## <summary>Universal Addresses to RPC Program Number Mapper.</summary>
++## <summary>Universal Addresses to RPC Program Number Mapper</summary>
+
+ ########################################
+ ## <summary>
+@@ -15,14 +15,12 @@ interface(`rpcbind_domtrans',`
+ type rpcbind_t, rpcbind_exec_t;
')
- files_search_pids($1)
-- allow $1 rpcbind_var_run_t:sock_file write;
-- allow $1 rpcbind_t:unix_stream_socket connectto;
-+ stream_connect_pattern($1, rpcbind_var_run_t, rpcbind_var_run_t, rpcbind_t)
+- corecmd_search_bin($1)
+ domtrans_pattern($1, rpcbind_exec_t, rpcbind_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Connect to rpcbindd with a
+-## unix domain stream socket.
++## Connect to rpcbindd over an unix stream socket.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -41,7 +39,7 @@ interface(`rpcbind_stream_connect',`
+
+ ########################################
+ ## <summary>
+-## Read rpcbind pid files.
++## Read rpcbind PID files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -73,8 +71,8 @@ interface(`rpcbind_search_lib',`
+ type rpcbind_var_lib_t;
+ ')
+
+- files_search_var_lib($1)
+ allow $1 rpcbind_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
+ ')
+
+ ########################################
+@@ -92,8 +90,8 @@ interface(`rpcbind_read_lib_files',`
+ type rpcbind_var_lib_t;
+ ')
+
+- files_search_var_lib($1)
+ read_files_pattern($1, rpcbind_var_lib_t, rpcbind_var_lib_t)
++ files_search_var_lib($1)
')
########################################
-@@ -117,6 +116,60 @@ interface(`rpcbind_manage_lib_files',`
+@@ -112,13 +110,13 @@ interface(`rpcbind_manage_lib_files',`
+ type rpcbind_var_lib_t;
+ ')
+
+- files_search_var_lib($1)
+ manage_files_pattern($1, rpcbind_var_lib_t, rpcbind_var_lib_t)
++ files_search_var_lib($1)
+ ')
########################################
## <summary>
+-## Send null signals to rpcbind.
+## Send a null signal to rpcbind.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`rpcbind_signull',`
-+ gen_require(`
-+ type rpcbind_t;
-+ ')
-+
-+ allow $1 rpcbind_t:process signull;
-+')
-+
-+########################################
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -136,8 +134,44 @@ interface(`rpcbind_signull',`
+
+ ########################################
+ ## <summary>
+-## All of the rules required to
+-## administrate an rpcbind environment.
+## Transition to rpcbind named content
+## </summary>
+## <param name="domain">
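Review bot: The patch now deletes upstream's `kerberos_manage_host_rcache(gssd_t)` (the `+-` line) and keeps only `kerberos_tmp_filetrans_host_rcache(gssd_t, "nfs_0")`; unless the Fedora variant of that filetrans interface also grants manage permissions on the rcache type, gssd will be able to label the `nfs_0` file but not create or write it. Please confirm against kerberos.if, and if the manage rule really is folded in there, a short comment next to the call saying so would stop the next upstream merge from reintroducing the line. The same hunk also drops `corecmd_search_bin($1)` from `rpcbind_domtrans`; a caller that does not already have bin search permission from elsewhere would then fail to reach the executable, which deserves a note if it is intentional. The gssd optional_policy block that this hunk starts in begins before the hunk.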
@@ -57733,10 +64205,21 @@ index a96249c..ff1163f 100644
+
+########################################
+## <summary>
- ## All of the rules required to administrate
- ## an rpcbind environment
++## All of the rules required to administrate
++## an rpcbind environment
## </summary>
-@@ -138,11 +191,20 @@ interface(`rpcbind_admin',`
+ ## <param name="domain">
+ ## <summary>
+@@ -146,7 +180,7 @@ interface(`rpcbind_signull',`
+ ## </param>
+ ## <param name="role">
+ ## <summary>
+-## Role allowed access.
++## The role to be allowed to manage the rpcbind domain.
+ ## </summary>
+ ## </param>
+ ## <rolecap/>
+@@ -157,17 +191,20 @@ interface(`rpcbind_admin',`
type rpcbind_initrc_exec_t;
')
@@ -57752,18 +64235,22 @@ index a96249c..ff1163f 100644
domain_system_change_exemption($1)
role_transition $2 rpcbind_initrc_exec_t system_r;
allow $2 system_r;
-+
+
+- files_search_pids($1)
+- admin_pattern($1, rpcbind_var_run_t)
+-
+- files_search_var_lib($1)
+ files_list_var_lib($1)
-+ admin_pattern($1, rpcbind_var_lib_t)
+ admin_pattern($1, rpcbind_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, rpcbind_var_run_t)
')
diff --git a/rpcbind.te b/rpcbind.te
-index a63e9ee..e4a0c9b 100644
+index c49828c..1f39c7c 100644
--- a/rpcbind.te
+++ b/rpcbind.te
-@@ -43,7 +43,8 @@ kernel_read_system_state(rpcbind_t)
+@@ -42,7 +42,8 @@ kernel_read_system_state(rpcbind_t)
kernel_read_network_state(rpcbind_t)
kernel_request_load_module(rpcbind_t)
@@ -57773,7 +64260,7 @@ index a63e9ee..e4a0c9b 100644
corenet_all_recvfrom_netlabel(rpcbind_t)
corenet_tcp_sendrecv_generic_if(rpcbind_t)
corenet_udp_sendrecv_generic_if(rpcbind_t)
-@@ -62,8 +63,16 @@ domain_use_interactive_fds(rpcbind_t)
+@@ -65,9 +66,9 @@ domain_use_interactive_fds(rpcbind_t)
files_read_etc_files(rpcbind_t)
files_read_etc_runtime_files(rpcbind_t)
@@ -57784,67 +64271,136 @@ index a63e9ee..e4a0c9b 100644
+logging_send_syslog_msg(rpcbind_t)
sysnet_dns_name_resolve(rpcbind_t)
-+
-+ifdef(`hide_broken_symptoms',`
-+ dontaudit rpcbind_t self:udp_socket listen;
-+')
-+
-+optional_policy(`
-+ nis_use_ypbind(rpcbind_t)
-+')
+
diff --git a/rpm.fc b/rpm.fc
-index b2a0b6a..ee55335 100644
+index ebe91fc..ee55335 100644
--- a/rpm.fc
+++ b/rpm.fc
-@@ -2,10 +2,12 @@
- /bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
+@@ -1,61 +1,64 @@
+-/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
+
+-/etc/rc\.d/init\.d/bcfg2 -- gen_context(system_u:object_r:rpm_initrc_exec_t,s0)
+-
+-/sbin/yast2 -- gen_context(system_u:object_r:rpm_exec_t,s0)
++/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/debuginfo-install -- gen_context(system_u:object_r:debuginfo_exec_t,s0)
+-/usr/bin/fedora-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0)
+-/usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0)
+-/usr/bin/rpmdev-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0)
+-/usr/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
+-/usr/bin/smart -- gen_context(system_u:object_r:rpm_exec_t,s0)
+-/usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0)
+-/usr/bin/zif -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/dnf -- gen_context(system_u:object_r:rpm_exec_t,s0)
- /usr/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
- /usr/bin/smart -- gen_context(system_u:object_r:rpm_exec_t,s0)
-
- /usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0)
++/usr/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
++/usr/bin/smart -- gen_context(system_u:object_r:rpm_exec_t,s0)
++
++/usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/zif -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/libexec/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0)
-@@ -20,12 +22,18 @@
- /usr/share/yumex/yum_childtask\.py -- gen_context(system_u:object_r:rpm_exec_t,s0)
- ifdef(`distro_redhat', `
+-/usr/sbin/bcfg2 -- gen_context(system_u:object_r:rpm_exec_t,s0)
+-/usr/sbin/pirut -- gen_context(system_u:object_r:rpm_exec_t,s0)
+-/usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0)
+-/usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0)
+-/usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0)
+-/usr/sbin/yum-complete-transaction -- gen_context(system_u:object_r:rpm_exec_t,s0)
+-/usr/sbin/system-install-packages -- gen_context(system_u:object_r:rpm_exec_t,s0)
+-/usr/sbin/yum-updatesd -- gen_context(system_u:object_r:rpm_exec_t,s0)
+-/usr/sbin/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0)
+-
+-ifdef(`distro_redhat',`
+-/usr/bin/apt-get -- gen_context(system_u:object_r:rpm_exec_t,s0)
+-/usr/bin/apt-shell -- gen_context(system_u:object_r:rpm_exec_t,s0)
+-/usr/bin/aptitude -- gen_context(system_u:object_r:rpm_exec_t,s0)
+-/usr/sbin/synaptic -- gen_context(system_u:object_r:rpm_exec_t,s0)
+-/var/cache/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
+-/var/lib/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
+-')
++/usr/sbin/yum-complete-transaction -- gen_context(system_u:object_r:rpm_exec_t,s0)
+
+-/usr/share/yumex/yumex-yum-backend -- gen_context(system_u:object_r:rpm_exec_t,s0)
+-/usr/share/yumex/yum_childtask\.py -- gen_context(system_u:object_r:rpm_exec_t,s0)
++/usr/sbin/system-install-packages -- gen_context(system_u:object_r:rpm_exec_t,s0)
++/usr/sbin/yum-updatesd -- gen_context(system_u:object_r:rpm_exec_t,s0)
++/usr/sbin/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0)
+
+-/var/cache/bcfg2(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
+-/var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
++/usr/share/yumex/yumex-yum-backend -- gen_context(system_u:object_r:rpm_exec_t,s0)
++/usr/share/yumex/yum_childtask\.py -- gen_context(system_u:object_r:rpm_exec_t,s0)
+
+-/var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
+-/var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
+-/var/lib/YaST2(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
+-/var/lib/yum(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
++ifdef(`distro_redhat', `
+/usr/sbin/bcfg2 -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/package-cleanup -- gen_context(system_u:object_r:rpm_exec_t,s0)
- /usr/bin/fedora-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0)
- /usr/bin/rpmdev-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0)
- /usr/sbin/pirut -- gen_context(system_u:object_r:rpm_exec_t,s0)
- /usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0)
- /usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0)
++/usr/bin/fedora-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0)
++/usr/bin/rpmdev-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0)
++/usr/sbin/pirut -- gen_context(system_u:object_r:rpm_exec_t,s0)
++/usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0)
++/usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/rhnreg_ks -- gen_context(system_u:object_r:rpm_exec_t,s0)
- /usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0)
++/usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/synaptic -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/apt-get -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/apt-shell -- gen_context(system_u:object_r:rpm_exec_t,s0)
- ')
++')
++
++/var/cache/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
++/var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
- /var/cache/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
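Review bot: The rewritten rpm.fc silently drops two upstream entries: `/usr/bin/aptitude` is no longer labeled `rpm_exec_t` inside the `distro_redhat` block, and `/var/cache/bcfg2(/.*)?` is no longer `rpm_var_cache_t` even though `/usr/sbin/bcfg2` stays labeled `rpm_exec_t`. If bcfg2 still runs in rpm_t, its cache would presumably fall back to the generic /var/cache label and the domain's cache rules would not apply to it; if both drops are deliberate, a comment in the `distro_redhat` block would make that clear. Otherwise restore `/usr/bin/aptitude -- gen_context(system_u:object_r:rpm_exec_t,s0)` and `/var/cache/bcfg2(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)`.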
-@@ -36,9 +44,10 @@ ifdef(`distro_redhat', `
- /var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
- /var/lib/yum(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
+-/var/lock/bcfg2\.run -- gen_context(system_u:object_r:rpm_lock_t,s0)
++/var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
++/var/lib/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
++/var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
++/var/lib/yum(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
--/var/log/rpmpkgs.* -- gen_context(system_u:object_r:rpm_log_t,s0)
- /var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0)
+-/var/log/YaST2(/.*)? gen_context(system_u:object_r:rpm_log_t,s0)
+-/var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0)
++/var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0)
+-/var/spool/up2date(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
+/var/spool/up2date(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
+
+-/var/run/yum.* -- gen_context(system_u:object_r:rpm_var_run_t,s0)
+-/var/run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0)
++/var/run/yum.* -- gen_context(system_u:object_r:rpm_var_run_t,s0)
++/var/run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0)
+
- /var/run/yum.* -- gen_context(system_u:object_r:rpm_var_run_t,s0)
- /var/run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0)
++# SuSE
++ifdef(`distro_suse', `
++/usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0)
++/sbin/yast2 -- gen_context(system_u:object_r:rpm_exec_t,s0)
++/var/lib/YaST2(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
++/var/log/YaST2(/.*)? gen_context(system_u:object_r:rpm_log_t,s0)
++')
+ ifdef(`enable_mls',`
+-/usr/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
++/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
+ ')
diff --git a/rpm.if b/rpm.if
-index 951d8f6..bedc8ae 100644
+index 0628d50..bedc8ae 100644
--- a/rpm.if
+++ b/rpm.if
-@@ -13,10 +13,13 @@
+@@ -1,8 +1,8 @@
+-## <summary>Redhat package manager.</summary>
++## <summary>Policy for the RPM package manager.</summary>
+
+ ########################################
+ ## <summary>
+-## Execute rpm in the rpm domain.
++## Execute rpm programs in the rpm domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -13,16 +13,18 @@
interface(`rpm_domtrans',`
gen_require(`
type rpm_t, rpm_exec_t;
@@ -57858,7 +64414,53 @@ index 951d8f6..bedc8ae 100644
')
########################################
-@@ -78,11 +81,19 @@ interface(`rpm_domtrans_script',`
+ ## <summary>
+-## Execute debuginfo install
+-## in the rpm domain.
++## Execute debuginfo_install programs in the rpm domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -41,7 +43,7 @@ interface(`rpm_debuginfo_domtrans',`
+
+ ########################################
+ ## <summary>
+-## Execute rpm scripts in the rpm script domain.
++## Execute rpm_script programs in the rpm_script domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -54,18 +56,16 @@ interface(`rpm_domtrans_script',`
+ type rpm_script_t;
+ ')
+
++ # transition to rpm script:
+ corecmd_shell_domtrans($1, rpm_script_t)
+-
+ allow rpm_script_t $1:fd use;
+- allow rpm_script_t $1:fifo_file rw_fifo_file_perms;
++ allow rpm_script_t $1:fifo_file rw_file_perms;
+ allow rpm_script_t $1:process sigchld;
+ ')
+
+ ########################################
+ ## <summary>
+-## Execute rpm in the rpm domain,
+-## and allow the specified roles the
+-## rpm domain.
++## Execute RPM programs in the RPM domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -74,23 +74,31 @@ interface(`rpm_domtrans_script',`
+ ## </param>
+ ## <param name="role">
+ ## <summary>
+-## Role allowed access.
++## The role to allow the RPM domain.
+ ## </summary>
+ ## </param>
+ ## <rolecap/>
#
interface(`rpm_run',`
gen_require(`
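Review bot: `rpm_domtrans_script` now grants `allow rpm_script_t $1:fifo_file rw_file_perms;` in place of upstream's `rw_fifo_file_perms`; the two sets expand to the same permissions as far as I can tell, but the fifo-specific macro is the refpolicy convention, `rpm_transition_script` later in this same file keeps `rw_fifo_file_perms`, and the gssd change this commit drops from the patch went the other direction (from `rw_file_perms` to `rw_fifo_file_perms`), presumably because upstream adopted it. Keep it consistent: `allow rpm_script_t $1:fifo_file rw_fifo_file_perms;`. The added `# transition to rpm script:` comment only restates the `corecmd_shell_domtrans` call beneath it; a comment on why rpm_script_t needs read/write on the caller's pipes would be more useful.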
@@ -57880,7 +64482,49 @@ index 951d8f6..bedc8ae 100644
')
########################################
-@@ -178,6 +189,42 @@ interface(`rpm_rw_pipes',`
+ ## <summary>
+-## Execute the rpm in the caller domain.
++## Execute the rpm client in the caller domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -109,7 +117,7 @@ interface(`rpm_exec',`
+
+ ########################################
+ ## <summary>
+-## Send null signals to rpm.
++## Send a null signal to rpm.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -127,7 +135,7 @@ interface(`rpm_signull',`
+
+ ########################################
+ ## <summary>
+-## Inherit and use file descriptors from rpm.
++## Inherit and use file descriptors from RPM.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -145,7 +153,7 @@ interface(`rpm_use_fds',`
+
+ ########################################
+ ## <summary>
+-## Read rpm unnamed pipes.
++## Read from an unnamed RPM pipe.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -163,7 +171,7 @@ interface(`rpm_read_pipes',`
+
+ ########################################
+ ## <summary>
+-## Read and write rpm unnamed pipes.
++## Read and write an unnamed RPM pipe.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -181,6 +189,42 @@ interface(`rpm_rw_pipes',`
########################################
## <summary>
@@ -57923,7 +64567,35 @@ index 951d8f6..bedc8ae 100644
## Send and receive messages from
## rpm over dbus.
## </summary>
-@@ -274,8 +321,7 @@ interface(`rpm_append_log',`
+@@ -224,7 +268,7 @@ interface(`rpm_dontaudit_dbus_chat',`
+ ########################################
+ ## <summary>
+ ## Send and receive messages from
+-## rpm script over dbus.
++## rpm_script over dbus.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -244,7 +288,7 @@ interface(`rpm_script_dbus_chat',`
+
+ ########################################
+ ## <summary>
+-## Search rpm log directories.
++## Search RPM log directory.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -263,7 +307,8 @@ interface(`rpm_search_log',`
+
+ #####################################
+ ## <summary>
+-## Append rpm log files.
++## Allow the specified domain to append
++## to rpm log files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -276,14 +321,12 @@ interface(`rpm_append_log',`
type rpm_log_t;
')
@@ -57933,7 +64605,34 @@ index 951d8f6..bedc8ae 100644
')
########################################
-@@ -332,7 +378,9 @@ interface(`rpm_manage_script_tmp_files',`
+ ## <summary>
+-## Create, read, write, and delete
+-## rpm log files.
++## Create, read, write, and delete the RPM log.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -302,7 +345,7 @@ interface(`rpm_manage_log',`
+
+ ########################################
+ ## <summary>
+-## Inherit and use rpm script file descriptors.
++## Inherit and use file descriptors from RPM scripts.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -320,8 +363,8 @@ interface(`rpm_use_script_fds',`
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete
+-## rpm script temporary files.
++## Create, read, write, and delete RPM
++## script temporary files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -335,12 +378,15 @@ interface(`rpm_manage_script_tmp_files',`
')
files_search_tmp($1)
@@ -57943,7 +64642,14 @@ index 951d8f6..bedc8ae 100644
')
#####################################
-@@ -351,8 +399,7 @@ interface(`rpm_append_tmp_files',`
+ ## <summary>
+-## Append rpm temporary files.
++## Allow the specified domain to append
++## to rpm tmp files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -353,14 +399,13 @@ interface(`rpm_append_tmp_files',`
type rpm_tmp_t;
')
@@ -57953,7 +64659,15 @@ index 951d8f6..bedc8ae 100644
')
########################################
-@@ -372,7 +419,9 @@ interface(`rpm_manage_tmp_files',`
+ ## <summary>
+-## Create, read, write, and delete
+-## rpm temporary files.
++## Create, read, write, and delete RPM
++## temporary files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -374,12 +419,14 @@ interface(`rpm_manage_tmp_files',`
')
files_search_tmp($1)
@@ -57963,7 +64677,41 @@ index 951d8f6..bedc8ae 100644
')
########################################
-@@ -456,6 +505,7 @@ interface(`rpm_read_db',`
+ ## <summary>
+-## Read rpm script temporary files.
++## Read RPM script temporary files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -399,7 +446,7 @@ interface(`rpm_read_script_tmp_files',`
+
+ ########################################
+ ## <summary>
+-## Read rpm cache content.
++## Read the RPM cache.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -420,8 +467,7 @@ interface(`rpm_read_cache',`
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete
+-## rpm cache content.
++## Create, read, write, and delete the RPM package database.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -442,7 +488,7 @@ interface(`rpm_manage_cache',`
+
+ ########################################
+ ## <summary>
+-## Read rpm lib content.
++## Read the RPM package database.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -459,11 +505,12 @@ interface(`rpm_read_db',`
allow $1 rpm_var_lib_t:dir list_dir_perms;
read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
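Review bot: The new summary `Create, read, write, and delete the RPM package database.` in the hunk at upstream line 420 appears to belong to `rpm_manage_cache` (it follows the end of `rpm_read_cache`, and the next hunk header is already inside `rpm_manage_cache`), which presumably operates on the cache type rather than on the `rpm_var_lib_t` database that `rpm_read_db` and friends use; upstream's replaced wording, `rpm cache content`, was accurate. Policy authors pick interfaces by these summaries, so two interfaces claiming to manage the database is misleading. Suggest `## Create, read, write, and delete the RPM cache.` for this one.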
@@ -57971,7 +64719,32 @@ index 951d8f6..bedc8ae 100644
')
########################################
-@@ -513,7 +563,7 @@ interface(`rpm_dontaudit_manage_db',`
+ ## <summary>
+-## Delete rpm lib files.
++## Delete the RPM package database.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -482,8 +529,7 @@ interface(`rpm_delete_db',`
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete
+-## rpm lib files.
++## Create, read, write, and delete the RPM package database.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -504,7 +550,7 @@ interface(`rpm_manage_db',`
+ ########################################
+ ## <summary>
+ ## Do not audit attempts to create, read,
+-## write, and delete rpm lib content.
++## write, and delete the RPM package database.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -517,7 +563,7 @@ interface(`rpm_dontaudit_manage_db',`
type rpm_var_lib_t;
')
@@ -57980,40 +64753,86 @@ index 951d8f6..bedc8ae 100644
dontaudit $1 rpm_var_lib_t:file manage_file_perms;
dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
')
-@@ -573,3 +623,66 @@ interface(`rpm_pid_filetrans',`
+@@ -543,8 +589,7 @@ interface(`rpm_read_pid_files',`
- files_pid_filetrans($1, rpm_var_run_t, file)
- ')
+ #####################################
+ ## <summary>
+-## Create, read, write, and delete
+-## rpm pid files.
++## Create, read, write, and delete rpm pid files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -563,8 +608,7 @@ interface(`rpm_manage_pid_files',`
+
+ ######################################
+ ## <summary>
+-## Create files in pid directories
+-## with the rpm pid file type.
++## Create files in /var/run with the rpm pid file type.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -573,94 +617,72 @@ interface(`rpm_manage_pid_files',`
+ ## </param>
+ #
+ interface(`rpm_pid_filetrans',`
+- refpolicywarn(`$0($*) has been deprecated, rpm_pid_filetrans_rpm_pid() instead.')
+- rpm_pid_filetrans_rpm_pid($1, file)
++ gen_require(`
++ type rpm_var_run_t;
++ ')
+
-+########################################
-+## <summary>
++ files_pid_filetrans($1, rpm_var_run_t, file)
+ ')
+
+ ########################################
+ ## <summary>
+-## Create specified objects in pid directories
+-## with the rpm pid file type.
+## Send a null signal to rpm.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <param name="object_class">
+-## <summary>
+-## Class of the object being created.
+-## </summary>
+-## </param>
+-## <param name="name" optional="true">
+-## <summary>
+-## The name of the object being created.
+-## </summary>
+-## </param>
+ #
+-interface(`rpm_pid_filetrans_rpm_pid',`
+interface(`rpm_inherited_fifo',`
-+ gen_require(`
+ gen_require(`
+- type rpm_var_run_t;
+ attribute rpm_transition_domain;
-+ ')
-+
+ ')
+
+- files_pid_filetrans($1, rpm_var_run_t, $3, $4)
+ allow $1 rpm_transition_domain:fifo_file rw_inherited_fifo_file_perms;
-+')
-+
+ ')
+
+
-+########################################
-+## <summary>
+ ########################################
+ ## <summary>
+-## All of the rules required to
+-## administrate an rpm environment.
+## Make rpm_exec_t an entry point for
+## the specified domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <param name="role">
+#
+interface(`rpm_entry_type',`
+ gen_require(`
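Review bot: The new `rpm_inherited_fifo` interface is documented with the summary `## Send a null signal to rpm.`, which looks like a copy of the `rpm_signull` summary; its body only grants `allow $1 rpm_transition_domain:fifo_file rw_inherited_fifo_file_perms;`. Suggest `## Read and write inherited fifo files of domains that transition to rpm_script_t.`. The same hunk removes upstream's `rpm_pid_filetrans_rpm_pid` and un-deprecates `rpm_pid_filetrans`; any module in this tree still calling the removed interface will fail to build, so worth a grep before merging. The `rpm_entry_type` interface opened at the end of this hunk continues in the next one.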
@@ -58028,34 +64847,73 @@ index 951d8f6..bedc8ae 100644
+## Allow application to transition to rpm_script domain.
+## </summary>
+## <param name="domain">
-+## <summary>
+ ## <summary>
+-## Role allowed access.
+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`rpm_admin',`
+interface(`rpm_transition_script',`
-+ gen_require(`
+ gen_require(`
+- type rpm_t, rpm_script_t, rpm_initrc_exec_t;
+- type rpm_var_cache_t, rpm_var_lib_t, rpm_lock_t;
+- type rpm_log_t, rpm_tmpfs_t, rpm_tmp_t;
+- type rpm_script_tmp_t, rpm_script_tmpfs_t, rpm_file_t;
+ type rpm_script_t;
+ attribute rpm_transition_domain;
-+ ')
-+
+ ')
+
+- allow $1 { rpm_t rpm_script_t }:process { ptrace signal_perms };
+- ps_process_pattern($1, { rpm_t rpm_script_t })
+-
+- init_labeled_script_domtrans($1, rpm_initrc_exec_t)
+- domain_system_change_exemption($1)
+- role_transition $2 rpm_initrc_exec_t system_r;
+- allow $2 system_r;
+-
+- admin_pattern($1, rpm_file_t)
+-
+- files_list_var($1)
+- admin_pattern($1, rpm_cache_t)
+-
+- files_list_tmp($1)
+- admin_pattern($1, { rpm_tmp_t rpm_script_tmp_t })
+-
+- files_list_var_lib($1)
+- admin_pattern($1, rpm_var_lib_t)
+ typeattribute $1 rpm_transition_domain;
+ allow $1 rpm_script_t:process transition;
-+
+
+- files_search_locks($1)
+- admin_pattern($1, rpm_lock_t)
+-
+- logging_list_logs($1)
+- admin_pattern($1, rpm_log_t)
+-
+- files_list_pids($1)
+- admin_pattern($1, rpm_var_run_t)
+-
+- fs_search_tmpfs($1)
+- admin_pattern($1, { rpm_tmpfs_t rpm_script_tmpfs_t }
+-
+- rpm_run($1, $2)
+ allow $1 rpm_script_t:fd use;
+ allow rpm_script_t $1:fd use;
+ allow rpm_script_t $1:fifo_file rw_fifo_file_perms;
+ allow rpm_script_t $1:process sigchld;
-+')
+ ')
diff --git a/rpm.te b/rpm.te
-index 60149a5..b33a77d 100644
+index 5cbe81c..b33a77d 100644
--- a/rpm.te
+++ b/rpm.te
@@ -1,15 +1,11 @@
- policy_module(rpm, 1.15.0)
-
-+attribute rpm_transition_domain;
+-policy_module(rpm, 1.15.3)
++policy_module(rpm, 1.15.0)
+
++attribute rpm_transition_domain;
+
########################################
#
# Declarations
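Review bot: `rpm_transition_script` grants a bare `typeattribute $1 rpm_transition_domain;` plus `allow $1 rpm_script_t:process transition;` rather than a domtrans pattern tied to one entry file, and a later hunk header shows `corecmd_bin_entry_type(rpm_script_t)`, so a caller given this interface can apparently enter the rpm_script_t domain from any bin_t entry point; that is a significant trust grant and the interface doc should say so, e.g. `## The caller is trusted: it may enter rpm_script_t via any bin_t entrypoint.`. The same hunk deletes upstream's whole `rpm_admin` interface, which breaks any module still calling it unless Fedora never shipped a caller; please confirm. Finally `policy_module(rpm, 1.15.0)` now replaces upstream's `policy_module(rpm, 1.15.3)`, so the merged module carries a lower version than what it was merged from; unless the Fedora tree deliberately keeps its own numbering, keep 1.15.3 or higher so a later upstream bump is not mistaken for a downgrade.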
@@ -58069,19 +64927,31 @@ index 60149a5..b33a77d 100644
type rpm_t;
type rpm_exec_t;
init_system_domain(rpm_t, rpm_exec_t)
-@@ -17,7 +13,10 @@ domain_obj_id_change_exemption(rpm_t)
+@@ -17,10 +13,10 @@ domain_obj_id_change_exemption(rpm_t)
domain_role_change_exemption(rpm_t)
domain_system_change_exemption(rpm_t)
domain_interactive_fd(rpm_t)
-role rpm_roles types rpm_t;
+role system_r types rpm_t;
-+
+
+-type rpm_initrc_exec_t;
+-init_script_file(rpm_initrc_exec_t)
+type debuginfo_exec_t;
+domain_entry_file(rpm_t, debuginfo_exec_t)
type rpm_file_t;
files_type(rpm_file_t)
-@@ -50,7 +49,6 @@ corecmd_bin_entry_type(rpm_script_t)
+@@ -31,9 +27,6 @@ files_tmp_file(rpm_tmp_t)
+ type rpm_tmpfs_t;
+ files_tmpfs_file(rpm_tmpfs_t)
+
+-type rpm_lock_t;
+-files_lock_file(rpm_lock_t)
+-
+ type rpm_log_t;
+ logging_log_file(rpm_log_t)
+
+@@ -56,7 +49,6 @@ corecmd_bin_entry_type(rpm_script_t)
domain_type(rpm_script_t)
domain_entry_file(rpm_t, rpm_script_exec_t)
domain_interactive_fd(rpm_script_t)
@@ -58089,48 +64959,114 @@ index 60149a5..b33a77d 100644
role system_r types rpm_script_t;
type rpm_script_tmp_t;
-@@ -80,6 +78,9 @@ allow rpm_t self:shm create_shm_perms;
+@@ -75,23 +67,28 @@ allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit exec
+ allow rpm_t self:process { getattr setexec setfscreate setrlimit };
+ allow rpm_t self:fd use;
+ allow rpm_t self:fifo_file rw_fifo_file_perms;
++allow rpm_t self:unix_dgram_socket create_socket_perms;
++allow rpm_t self:unix_stream_socket rw_stream_socket_perms;
+ allow rpm_t self:unix_dgram_socket sendto;
+-allow rpm_t self:unix_stream_socket { accept connectto listen };
+-allow rpm_t self:udp_socket connect;
+-allow rpm_t self:tcp_socket { accept listen };
++allow rpm_t self:unix_stream_socket connectto;
++allow rpm_t self:udp_socket { connect };
++allow rpm_t self:udp_socket create_socket_perms;
++allow rpm_t self:tcp_socket create_stream_socket_perms;
+ allow rpm_t self:shm create_shm_perms;
allow rpm_t self:sem create_sem_perms;
allow rpm_t self:msgq create_msgq_perms;
allow rpm_t self:msg { send receive };
+-allow rpm_t self:file rw_file_perms;
+allow rpm_t self:dir search;
+allow rpm_t self:file rw_file_perms;;
-+allow rpm_t self:netlink_kobject_uevent_socket create_socket_perms;
+ allow rpm_t self:netlink_kobject_uevent_socket create_socket_perms;
- allow rpm_t rpm_log_t:file manage_file_perms;
+-allow rpm_t rpm_log_t:file { append_file_perms create_file_perms setattr_file_perms };
++allow rpm_t rpm_log_t:file manage_file_perms;
logging_log_filetrans(rpm_t, rpm_log_t, file)
-@@ -105,17 +106,19 @@ files_var_filetrans(rpm_t, rpm_var_cache_t, dir)
+
+ manage_dirs_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t)
+ manage_files_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t)
+ files_tmp_filetrans(rpm_t, rpm_tmp_t, { file dir })
++can_exec(rpm_t, rpm_tmp_t)
+
+ manage_dirs_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
+ manage_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
+@@ -99,23 +96,19 @@ manage_lnk_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
+ manage_fifo_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
+ manage_sock_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
+ fs_tmpfs_filetrans(rpm_t, rpm_tmpfs_t, { dir file lnk_file sock_file fifo_file })
++can_exec(rpm_t, rpm_tmpfs_t)
+
+ manage_dirs_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t)
+ manage_files_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t)
+ files_var_filetrans(rpm_t, rpm_var_cache_t, dir)
+
+-manage_files_pattern(rpm_t, rpm_lock_t, rpm_lock_t)
+-files_lock_filetrans(rpm_t, rpm_lock_t, file)
+-
+-manage_dirs_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t)
++# Access /var/lib/rpm files
manage_files_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t)
- files_var_lib_filetrans(rpm_t, rpm_var_lib_t, dir)
+-files_var_lib_filetrans(rpm_t, rpm_var_lib_t, { dir file })
++files_var_lib_filetrans(rpm_t, rpm_var_lib_t, dir)
-+manage_dirs_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t)
+ manage_dirs_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t)
manage_files_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t)
--files_pid_filetrans(rpm_t, rpm_var_run_t, file)
+-files_pid_filetrans(rpm_t, rpm_var_run_t, { dir file })
+-
+-can_exec(rpm_t, { rpm_tmp_t rpm_tmpfs_t })
+files_pid_filetrans(rpm_t, rpm_var_run_t, { file dir })
kernel_read_crypto_sysctls(rpm_t)
kernel_read_network_state(rpm_t)
- kernel_read_system_state(rpm_t)
- kernel_read_kernel_sysctls(rpm_t)
-+kernel_read_network_state_symlinks(rpm_t)
-+kernel_rw_irq_sysctls(rpm_t)
+@@ -126,41 +119,34 @@ kernel_rw_irq_sysctls(rpm_t)
corecmd_exec_all_executables(rpm_t)
-corenet_all_recvfrom_unlabeled(rpm_t)
corenet_all_recvfrom_netlabel(rpm_t)
corenet_tcp_sendrecv_generic_if(rpm_t)
- corenet_raw_sendrecv_generic_if(rpm_t)
-@@ -131,6 +134,19 @@ corenet_sendrecv_all_client_packets(rpm_t)
++corenet_raw_sendrecv_generic_if(rpm_t)
++corenet_udp_sendrecv_generic_if(rpm_t)
+ corenet_tcp_sendrecv_generic_node(rpm_t)
++corenet_raw_sendrecv_generic_node(rpm_t)
++corenet_udp_sendrecv_generic_node(rpm_t)
+ corenet_tcp_sendrecv_all_ports(rpm_t)
+-
+-corenet_sendrecv_all_client_packets(rpm_t)
++corenet_udp_sendrecv_all_ports(rpm_t)
+ corenet_tcp_connect_all_ports(rpm_t)
++corenet_sendrecv_all_client_packets(rpm_t)
+
dev_list_sysfs(rpm_t)
dev_list_usbfs(rpm_t)
dev_read_urand(rpm_t)
-+dev_read_raw_memory(rpm_t)
-+dev_manage_all_dev_nodes(rpm_t)
-+
+ dev_read_raw_memory(rpm_t)
+-
+ dev_manage_all_dev_nodes(rpm_t)
+-dev_relabel_all_dev_nodes(rpm_t)
+
+#devices_manage_all_device_types(rpm_t)
-+dev_create_generic_blk_files(rpm_t)
-+dev_create_generic_chr_files(rpm_t)
+ dev_create_generic_blk_files(rpm_t)
+ dev_create_generic_chr_files(rpm_t)
+-
+-domain_read_all_domains_state(rpm_t)
+-domain_getattr_all_domains(rpm_t)
+-domain_use_interactive_fds(rpm_t)
+-domain_dontaudit_getattr_all_pipes(rpm_t)
+-domain_dontaudit_getattr_all_tcp_sockets(rpm_t)
+-domain_dontaudit_getattr_all_udp_sockets(rpm_t)
+-domain_dontaudit_getattr_all_packet_sockets(rpm_t)
+-domain_dontaudit_getattr_all_raw_sockets(rpm_t)
+-domain_dontaudit_getattr_all_stream_sockets(rpm_t)
+-domain_dontaudit_getattr_all_dgram_sockets(rpm_t)
+-domain_signull_all_domains(rpm_t)
+-
+-files_exec_etc_files(rpm_t)
+-files_relabel_non_auth_files(rpm_t)
+-files_manage_non_auth_files(rpm_t)
+dev_delete_all_blk_files(rpm_t)
+dev_delete_all_chr_files(rpm_t)
+dev_relabel_all_dev_nodes(rpm_t)
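Review bot: `allow rpm_t self:udp_socket { connect };` (L87071) is made redundant by the line directly after it, `allow rpm_t self:udp_socket create_socket_perms;` (L87072), because the refpolicy `create_socket_perms` set already includes `connect`; dropping the first line keeps one rule per socket class. The neighbouring new line `allow rpm_t self:unix_stream_socket rw_stream_socket_perms;` (L87065) grants no `create`, which may be intentional if creation comes from a broader domain-wide rule, but is worth checking against `create_stream_socket_perms` since the old `{ accept connectto listen }` set it replaces never needed it either. Further down, the carried-over context line `allow rpm_t self:file rw_file_perms;;` (L87080) has a doubled semicolon that this commit leaves in place; whether or not the policy compiler tolerates it, a cleanup is cheap while the surrounding lines are being rewritten. The rpm_t local-policy block continues in the following hunks.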
@@ -58141,36 +65077,40 @@ index 60149a5..b33a77d 100644
fs_getattr_all_dirs(rpm_t)
fs_list_inotifyfs(rpm_t)
-@@ -158,8 +174,8 @@ storage_raw_read_fixed_disk(rpm_t)
+@@ -183,29 +169,49 @@ selinux_compute_relabel_context(rpm_t)
+ selinux_compute_user_contexts(rpm_t)
+
+ storage_raw_write_fixed_disk(rpm_t)
++# for installing kernel packages
+ storage_raw_read_fixed_disk(rpm_t)
term_list_ptys(rpm_t)
--files_relabel_non_auth_files(rpm_t)
--files_manage_non_auth_files(rpm_t)
+files_relabel_all_files(rpm_t)
+files_manage_all_files(rpm_t)
auth_dontaudit_read_shadow(rpm_t)
auth_use_nsswitch(rpm_t)
-@@ -168,7 +184,6 @@ rpm_domtrans_script(rpm_t)
-
- domain_read_all_domains_state(rpm_t)
- domain_getattr_all_domains(rpm_t)
--domain_dontaudit_ptrace_all_domains(rpm_t)
- domain_use_interactive_fds(rpm_t)
- domain_dontaudit_getattr_all_pipes(rpm_t)
- domain_dontaudit_getattr_all_tcp_sockets(rpm_t)
-@@ -177,23 +192,26 @@ domain_dontaudit_getattr_all_packet_sockets(rpm_t)
- domain_dontaudit_getattr_all_raw_sockets(rpm_t)
- domain_dontaudit_getattr_all_stream_sockets(rpm_t)
- domain_dontaudit_getattr_all_dgram_sockets(rpm_t)
++# transition to rpm script:
+ rpm_domtrans_script(rpm_t)
+
++domain_read_all_domains_state(rpm_t)
++domain_getattr_all_domains(rpm_t)
++domain_use_interactive_fds(rpm_t)
++domain_dontaudit_getattr_all_pipes(rpm_t)
++domain_dontaudit_getattr_all_tcp_sockets(rpm_t)
++domain_dontaudit_getattr_all_udp_sockets(rpm_t)
++domain_dontaudit_getattr_all_packet_sockets(rpm_t)
++domain_dontaudit_getattr_all_raw_sockets(rpm_t)
++domain_dontaudit_getattr_all_stream_sockets(rpm_t)
++domain_dontaudit_getattr_all_dgram_sockets(rpm_t)
+domain_signull_all_domains(rpm_t)
-
- files_exec_etc_files(rpm_t)
-
++
++files_exec_etc_files(rpm_t)
++
init_domtrans_script(rpm_t)
init_use_script_ptys(rpm_t)
-+init_signull_script(rpm_t)
+ init_signull_script(rpm_t)
libs_exec_ld_so(rpm_t)
libs_exec_lib_files(rpm_t)
@@ -58180,7 +65120,7 @@ index 60149a5..b33a77d 100644
+miscfiles_filetrans_named_content(rpm_t)
+
- # allow compiling and loading new policy
++# allow compiling and loading new policy
seutil_manage_src_policy(rpm_t)
seutil_manage_bin_policy(rpm_t)
@@ -58189,62 +65129,115 @@ index 60149a5..b33a77d 100644
userdom_use_unpriv_users_fds(rpm_t)
optional_policy(`
-@@ -211,14 +229,15 @@ optional_policy(`
- optional_policy(`
+@@ -224,13 +230,17 @@ optional_policy(`
networkmanager_dbus_chat(rpm_t)
')
-+
+
+- optional_policy(`
+- unconfined_dbus_chat(rpm_t)
+- ')
')
optional_policy(`
- prelink_run(rpm_t, rpm_roles)
+ prelink_domtrans(rpm_t)
++')
++
++optional_policy(`
++ unconfined_domain_noaudit(rpm_t)
++ # yum-updatesd requires this
++ unconfined_dbus_chat(rpm_t)
++ unconfined_dbus_chat(rpm_script_t)
')
- optional_policy(`
-- unconfined_domain(rpm_t)
-+ unconfined_domain_noaudit(rpm_t)
- # yum-updatesd requires this
- unconfined_dbus_chat(rpm_t)
- unconfined_dbus_chat(rpm_script_t)
-@@ -229,7 +248,8 @@ optional_policy(`
- # rpm-script Local policy
+ ########################################
+@@ -239,19 +249,20 @@ optional_policy(`
#
--allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_ptrace sys_rawio sys_nice mknod kill net_admin };
-+allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_rawio sys_nice mknod kill net_admin };
+ allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_rawio sys_nice mknod kill net_admin };
+
allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execheap };
allow rpm_script_t self:fd use;
allow rpm_script_t self:fifo_file rw_fifo_file_perms;
-@@ -261,12 +281,18 @@ manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
++allow rpm_script_t self:unix_dgram_socket create_socket_perms;
++allow rpm_script_t self:unix_stream_socket rw_stream_socket_perms;
+ allow rpm_script_t self:unix_dgram_socket sendto;
+-allow rpm_script_t self:unix_stream_socket { accept connectto listen };
++allow rpm_script_t self:unix_stream_socket connectto;
+ allow rpm_script_t self:shm create_shm_perms;
+ allow rpm_script_t self:sem create_sem_perms;
+ allow rpm_script_t self:msgq create_msgq_perms;
+ allow rpm_script_t self:msg { send receive };
+ allow rpm_script_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+-allow rpm_script_t rpm_t:netlink_route_socket { read write };
+-
+ allow rpm_script_t rpm_tmp_t:file read_file_perms;
+
+ allow rpm_script_t rpm_script_tmp_t:dir mounton;
+@@ -260,6 +271,7 @@ manage_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
+ manage_blk_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
+ manage_chr_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
+ files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir })
++can_exec(rpm_script_t, rpm_script_tmp_t)
+
+ manage_dirs_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
+ manage_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
+@@ -267,8 +279,9 @@ manage_lnk_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
+ manage_fifo_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
+ manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
fs_tmpfs_filetrans(rpm_script_t, rpm_script_tmpfs_t, { dir file lnk_file sock_file fifo_file })
- can_exec(rpm_script_t, rpm_script_tmpfs_t)
++can_exec(rpm_script_t, rpm_script_tmpfs_t)
+-can_exec(rpm_script_t, { rpm_script_tmp_t rpm_script_tmpfs_t })
+allow rpm_script_t rpm_t:netlink_route_socket { read write };
-+
+
kernel_read_crypto_sysctls(rpm_script_t)
kernel_read_kernel_sysctls(rpm_script_t)
- kernel_read_system_state(rpm_script_t)
- kernel_read_network_state(rpm_script_t)
-+kernel_list_all_proc(rpm_script_t)
+@@ -277,38 +290,22 @@ kernel_read_network_state(rpm_script_t)
+ kernel_list_all_proc(rpm_script_t)
kernel_read_software_raid_state(rpm_script_t)
+-corenet_all_recvfrom_unlabeled(rpm_script_t)
+-corenet_all_recvfrom_netlabel(rpm_script_t)
+-corenet_tcp_sendrecv_generic_if(rpm_script_t)
+-corenet_tcp_sendrecv_generic_node(rpm_script_t)
+-
+-corenet_sendrecv_http_client_packets(rpm_script_t)
+# needed by rhn_check
-+corenet_tcp_connect_http_port(rpm_script_t)
-+
- dev_list_sysfs(rpm_script_t)
-
- # ideally we would not need this
-@@ -286,7 +312,6 @@ fs_unmount_xattr_fs(rpm_script_t)
- fs_search_auto_mountpoints(rpm_script_t)
+ corenet_tcp_connect_http_port(rpm_script_t)
+-corenet_tcp_sendrecv_http_port(rpm_script_t)
+-
+-corecmd_exec_all_executables(rpm_script_t)
- mcs_killall(rpm_script_t)
--mcs_ptrace_all(rpm_script_t)
+ dev_list_sysfs(rpm_script_t)
++
++# ideally we would not need this
+ dev_manage_generic_blk_files(rpm_script_t)
+ dev_manage_generic_chr_files(rpm_script_t)
+ dev_manage_all_blk_files(rpm_script_t)
+ dev_manage_all_chr_files(rpm_script_t)
- mls_file_read_all_levels(rpm_script_t)
- mls_file_write_all_levels(rpm_script_t)
-@@ -303,19 +328,20 @@ storage_raw_write_fixed_disk(rpm_script_t)
+-domain_read_all_domains_state(rpm_script_t)
+-domain_getattr_all_domains(rpm_script_t)
+-domain_use_interactive_fds(rpm_script_t)
+-domain_signal_all_domains(rpm_script_t)
+-domain_signull_all_domains(rpm_script_t)
+-
+-files_exec_etc_files(rpm_script_t)
+-files_exec_usr_files(rpm_script_t)
+-files_manage_non_auth_files(rpm_script_t)
+-files_relabel_non_auth_files(rpm_script_t)
+-
+ fs_manage_nfs_files(rpm_script_t)
+ fs_getattr_nfs(rpm_script_t)
+ fs_search_all(rpm_script_t)
+ fs_getattr_all_fs(rpm_script_t)
++# why is this not using mount?
+ fs_getattr_xattr_fs(rpm_script_t)
+ fs_mount_xattr_fs(rpm_script_t)
+ fs_unmount_xattr_fs(rpm_script_t)
+@@ -331,30 +328,49 @@ storage_raw_write_fixed_disk(rpm_script_t)
term_getattr_unallocated_ttys(rpm_script_t)
term_list_ptys(rpm_script_t)
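Review bot: The new `optional_policy` block at L87264–L87269 places rpm_t under `unconfined_domain_noaudit` whenever the unconfined module is loaded, but its only comment explains the dbus line, so a reader of the many targeted `dev_*`, `corenet_*` and `domain_*` rules earlier in the file cannot tell that those rules bound rpm_t only when that module is absent. Suggest a comment directly above L87265, e.g. `# With the unconfined module loaded rpm_t is effectively unconfined; the targeted rules above matter only without it`, plus one line saying why the `_noaudit` variant is chosen over `unconfined_domain`, since, if the name means what it suggests, the choice changes which denials reach the audit log. The same comment would be useful at the parallel `unconfined_domain_noaudit(rpm_script_t)` site in the later hunk at L87477.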
@@ -58253,23 +65246,25 @@ index 60149a5..b33a77d 100644
auth_dontaudit_getattr_shadow(rpm_script_t)
auth_use_nsswitch(rpm_script_t)
- # ideally we would not need this
--files_manage_non_auth_files(rpm_script_t)
--auth_relabel_shadow(rpm_script_t)
++# ideally we would not need this
+files_manage_all_files(rpm_script_t)
+files_relabel_all_files(rpm_script_t)
-
- corecmd_exec_all_executables(rpm_script_t)
++
++corecmd_exec_all_executables(rpm_script_t)
+can_exec(rpm_script_t, rpm_script_tmp_t)
+can_exec(rpm_script_t, rpm_script_tmpfs_t)
++
++domain_read_all_domains_state(rpm_script_t)
++domain_getattr_all_domains(rpm_script_t)
++domain_use_interactive_fds(rpm_script_t)
++domain_signal_all_domains(rpm_script_t)
++domain_signull_all_domains(rpm_script_t)
++
++files_exec_etc_files(rpm_script_t)
++files_read_etc_runtime_files(rpm_script_t)
++files_exec_usr_files(rpm_script_t)
++files_relabel_all_files(rpm_script_t)
- domain_read_all_domains_state(rpm_script_t)
- domain_getattr_all_domains(rpm_script_t)
--domain_dontaudit_ptrace_all_domains(rpm_script_t)
- domain_use_interactive_fds(rpm_script_t)
- domain_signal_all_domains(rpm_script_t)
- domain_signull_all_domains(rpm_script_t)
-@@ -328,35 +354,41 @@ files_relabel_all_files(rpm_script_t)
init_domtrans_script(rpm_script_t)
init_telinit(rpm_script_t)
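Review bot: `files_relabel_all_files(rpm_script_t)` appears twice on the new side of this hunk, once as carried-over context at L87391 and again among the added lines at L87408, so one of them should go. The lines `can_exec(rpm_script_t, rpm_script_tmp_t)` and `can_exec(rpm_script_t, rpm_script_tmpfs_t)` at L87396–L87397 likewise look like duplicates of the `can_exec` lines this commit adds at L87309 and L87318 in the earlier hunk, assuming both runs land in the same rpm.te. Duplicate rules compile, but for a domain that also receives `files_manage_all_files`, keeping each broad grant to a single commented line makes later audits of rpm_script_t's privileges much easier.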
@@ -58283,11 +65278,11 @@ index 60149a5..b33a77d 100644
logging_send_syslog_msg(rpm_script_t)
-miscfiles_read_localization(rpm_script_t)
-+miscfiles_filetrans_named_content(rpm_script_t)
-
+-
-modutils_run_depmod(rpm_script_t, rpm_roles)
-modutils_run_insmod(rpm_script_t, rpm_roles)
--
++miscfiles_filetrans_named_content(rpm_script_t)
+
-seutil_run_loadpolicy(rpm_script_t, rpm_roles)
-seutil_run_setfiles(rpm_script_t, rpm_roles)
-seutil_run_semanage(rpm_script_t, rpm_roles)
@@ -58301,8 +65296,7 @@ index 60149a5..b33a77d 100644
ifdef(`distro_redhat',`
optional_policy(`
- mta_send_mail(rpm_script_t)
-+ mta_system_content(rpm_var_run_t)
+@@ -363,24 +379,24 @@ ifdef(`distro_redhat',`
')
')
@@ -58314,14 +65308,18 @@ index 60149a5..b33a77d 100644
optional_policy(`
- bootloader_run(rpm_script_t, rpm_roles)
+ bootloader_domtrans(rpm_script_t)
-+')
-+
-+optional_policy(`
-+ cups_filetrans_named_content(rpm_script_t)
')
optional_policy(`
-@@ -364,7 +396,7 @@ optional_policy(`
+- dbus_system_bus_client(rpm_script_t)
++ cups_filetrans_named_content(rpm_script_t)
++')
+
+- optional_policy(`
+- unconfined_dbus_chat(rpm_script_t)
+- ')
++optional_policy(`
++ dbus_system_bus_client(rpm_script_t)
')
optional_policy(`
@@ -58330,7 +65328,7 @@ index 60149a5..b33a77d 100644
')
optional_policy(`
-@@ -372,8 +404,17 @@ optional_policy(`
+@@ -388,8 +404,17 @@ optional_policy(`
')
optional_policy(`
@@ -58350,16 +65348,15 @@ index 60149a5..b33a77d 100644
')
optional_policy(`
-@@ -381,7 +422,7 @@ optional_policy(`
+@@ -397,6 +422,7 @@ optional_policy(`
')
optional_policy(`
-- unconfined_domain(rpm_script_t)
+ unconfined_domain_noaudit(rpm_script_t)
unconfined_domtrans(rpm_script_t)
optional_policy(`
-@@ -394,6 +435,6 @@ optional_policy(`
+@@ -409,6 +435,6 @@ optional_policy(`
')
optional_policy(`
@@ -58368,44 +65365,123 @@ index 60149a5..b33a77d 100644
+ usermanage_domtrans_groupadd(rpm_script_t)
+ usermanage_domtrans_useradd(rpm_script_t)
')
+diff --git a/rshd.fc b/rshd.fc
+index 9ad0d58..6a4db03 100644
+--- a/rshd.fc
++++ b/rshd.fc
+@@ -1,3 +1,4 @@
++
+ /usr/kerberos/sbin/kshd -- gen_context(system_u:object_r:rshd_exec_t,s0)
+
+ /usr/sbin/in\.rexecd -- gen_context(system_u:object_r:rshd_exec_t,s0)
+diff --git a/rshd.if b/rshd.if
+index 7ad29c0..2e87d76 100644
+--- a/rshd.if
++++ b/rshd.if
+@@ -2,7 +2,7 @@
+
+ ########################################
+ ## <summary>
+-## Execute rshd in the rshd domain.
++## Domain transition to rshd.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -15,6 +15,7 @@ interface(`rshd_domtrans',`
+ type rshd_exec_t, rshd_t;
+ ')
+
++ files_search_usr($1)
+ corecmd_search_bin($1)
+ domtrans_pattern($1, rshd_exec_t, rshd_t)
+ ')
diff --git a/rshd.te b/rshd.te
-index 0b405d1..23c58c2 100644
+index f842825..23c58c2 100644
--- a/rshd.te
+++ b/rshd.te
-@@ -22,7 +22,6 @@ allow rshd_t self:tcp_socket create_stream_socket_perms;
+@@ -1,62 +1,76 @@
+-policy_module(rshd, 1.7.1)
++policy_module(rshd, 1.7.0)
+
+ ########################################
+ #
+ # Declarations
+ #
+-
+ type rshd_t;
+ type rshd_exec_t;
+-auth_login_pgm_domain(rshd_t)
+ inetd_tcp_service_domain(rshd_t, rshd_exec_t)
++domain_subj_id_change_exemption(rshd_t)
++domain_role_change_exemption(rshd_t)
++role system_r types rshd_t;
+
+ ########################################
+ #
+ # Local policy
+ #
+-
+ allow rshd_t self:capability { kill setuid setgid fowner fsetid chown dac_override };
+-allow rshd_t self:process { signal_perms setsched setpgid setexec };
++allow rshd_t self:process { signal_perms fork setsched setpgid setexec };
+ allow rshd_t self:fifo_file rw_fifo_file_perms;
+ allow rshd_t self:tcp_socket create_stream_socket_perms;
kernel_read_kernel_sysctls(rshd_t)
-corenet_all_recvfrom_unlabeled(rshd_t)
corenet_all_recvfrom_netlabel(rshd_t)
corenet_tcp_sendrecv_generic_if(rshd_t)
- corenet_udp_sendrecv_generic_if(rshd_t)
-@@ -39,6 +38,8 @@ corenet_sendrecv_rsh_server_packets(rshd_t)
++corenet_udp_sendrecv_generic_if(rshd_t)
+ corenet_tcp_sendrecv_generic_node(rshd_t)
++corenet_udp_sendrecv_generic_node(rshd_t)
+ corenet_tcp_sendrecv_all_ports(rshd_t)
++corenet_udp_sendrecv_all_ports(rshd_t)
+ corenet_tcp_bind_generic_node(rshd_t)
+-
+-corenet_sendrecv_all_server_packets(rshd_t)
+ corenet_tcp_bind_rsh_port(rshd_t)
+ corenet_tcp_bind_all_rpc_ports(rshd_t)
+ corenet_tcp_connect_all_ports(rshd_t)
+ corenet_tcp_connect_all_rpc_ports(rshd_t)
++corenet_sendrecv_rsh_server_packets(rshd_t)
++
++dev_read_urand(rshd_t)
++
++domain_interactive_fd(rshd_t)
++
++selinux_get_fs_mount(rshd_t)
++selinux_validate_context(rshd_t)
++selinux_compute_access_vector(rshd_t)
++selinux_compute_create_context(rshd_t)
++selinux_compute_relabel_context(rshd_t)
++selinux_compute_user_contexts(rshd_t)
- dev_read_urand(rshd_t)
+ corecmd_read_bin_symlinks(rshd_t)
-+domain_interactive_fd(rshd_t)
+ files_list_home(rshd_t)
++files_read_etc_files(rshd_t)
++files_search_tmp(rshd_t)
++
++auth_login_pgm_domain(rshd_t)
++auth_write_login_records(rshd_t)
+
++init_rw_utmp(rshd_t)
+
- selinux_get_fs_mount(rshd_t)
- selinux_validate_context(rshd_t)
- selinux_compute_access_vector(rshd_t)
-@@ -60,26 +61,16 @@ init_rw_utmp(rshd_t)
- logging_send_syslog_msg(rshd_t)
++logging_send_syslog_msg(rshd_t)
logging_search_logs(rshd_t)
-miscfiles_read_localization(rshd_t)
--
- seutil_read_config(rshd_t)
- seutil_read_default_contexts(rshd_t)
-
- userdom_search_user_home_content(rshd_t)
-+userdom_manage_tmp_role(system_r, rshd_t)
++seutil_read_config(rshd_t)
++seutil_read_default_contexts(rshd_t)
-tunable_policy(`use_nfs_home_dirs',`
- fs_read_nfs_files(rshd_t)
- fs_read_nfs_symlinks(rshd_t)
-')
--
++userdom_search_user_home_content(rshd_t)
++userdom_manage_tmp_role(system_r, rshd_t)
+
-tunable_policy(`use_samba_home_dirs',`
- fs_read_cifs_files(rshd_t)
- fs_read_cifs_symlinks(rshd_t)
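Review bot: Several lines added for rshd_t duplicate what `auth_login_pgm_domain(rshd_t)` (L87588, also on the new side) already provides in refpolicy of this era — `domain_subj_id_change_exemption`, `domain_role_change_exemption` and `role system_r types rshd_t;` (L87537–L87539), `dev_read_urand` (L87571), the six `selinux_*` calls (L87575–L87580), `files_read_etc_files` (L87585), `init_rw_utmp` (L87591), `logging_send_syslog_msg` (L87598) and the two `seutil_read_*` calls (L87607–L87608); if that still holds for the interface this patch targets, the explicit copies can be dropped, otherwise a short comment naming what the interface lacks would justify them. The inner hunk header is rewritten to `@@ -1,62 +1,76 @@`, so the carried patch now replays nearly the whole file instead of two small hunks, which turns every future upstream edit to rshd.te into a conflict. The downgrade to `policy_module(rshd, 1.7.0)` at L87526, below upstream's 1.7.1 on the line it replaces, deserves a one-line comment because it reads like a mistake to the next maintainer.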
@@ -58415,22 +65491,15 @@ index 0b405d1..23c58c2 100644
optional_policy(`
kerberos_keytab_template(rshd, rshd_t)
- kerberos_manage_host_rcache(rshd_t)
+- kerberos_tmp_filetrans_host_rcache(rshd_t, file, "host_0")
')
optional_policy(`
-diff --git a/rssh.fc b/rssh.fc
-index 4c091ca..a58f123 100644
---- a/rssh.fc
-+++ b/rssh.fc
-@@ -1 +1,3 @@
- /usr/bin/rssh -- gen_context(system_u:object_r:rssh_exec_t,s0)
-+
-+/usr/libexec/rssh_chroot_helper -- gen_context(system_u:object_r:rssh_chroot_helper_exec_t,s0)
diff --git a/rssh.te b/rssh.te
-index ffb9605..4bb7119 100644
+index d1fd97f..88bd6f7 100644
--- a/rssh.te
+++ b/rssh.te
-@@ -63,7 +63,6 @@ manage_files_pattern(rssh_t, rssh_rw_t, rssh_rw_t)
+@@ -60,7 +60,6 @@ manage_files_pattern(rssh_t, rssh_rw_t, rssh_rw_t)
kernel_read_system_state(rssh_t)
kernel_read_kernel_sysctls(rssh_t)
@@ -58438,7 +65507,7 @@ index ffb9605..4bb7119 100644
files_read_etc_runtime_files(rssh_t)
files_list_home(rssh_t)
files_read_usr_files(rssh_t)
-@@ -73,8 +72,6 @@ fs_search_auto_mountpoints(rssh_t)
+@@ -70,8 +69,6 @@ fs_search_auto_mountpoints(rssh_t)
logging_send_syslog_msg(rssh_t)
@@ -58447,44 +65516,160 @@ index ffb9605..4bb7119 100644
rssh_domtrans_chroot_helper(rssh_t)
ssh_rw_tcp_sockets(rssh_t)
-@@ -95,10 +92,6 @@ allow rssh_chroot_helper_t self:unix_stream_socket create_stream_socket_perms;
-
- domain_use_interactive_fds(rssh_chroot_helper_t)
-
--files_read_etc_files(rssh_chroot_helper_t)
--
+@@ -95,5 +92,3 @@ domain_use_interactive_fds(rssh_chroot_helper_t)
auth_use_nsswitch(rssh_chroot_helper_t)
logging_send_syslog_msg(rssh_chroot_helper_t)
-
-miscfiles_read_localization(rssh_chroot_helper_t)
diff --git a/rsync.fc b/rsync.fc
-index 479615b..2d77839 100644
+index d25301b..2d77839 100644
--- a/rsync.fc
+++ b/rsync.fc
-@@ -2,6 +2,6 @@
+@@ -1,6 +1,6 @@
+ /etc/rsyncd\.conf -- gen_context(system_u:object_r:rsync_etc_t, s0)
- /usr/bin/rsync -- gen_context(system_u:object_r:rsync_exec_t,s0)
+-/usr/bin/rsync -- gen_context(system_u:object_r:rsync_exec_t,s0)
++/usr/bin/rsync -- gen_context(system_u:object_r:rsync_exec_t,s0)
--/var/log/rsync\.log -- gen_context(system_u:object_r:rsync_log_t,s0)
-+/var/log/rsync\.log.* -- gen_context(system_u:object_r:rsync_log_t,s0)
+ /var/log/rsync\.log.* -- gen_context(system_u:object_r:rsync_log_t,s0)
- /var/run/rsyncd\.lock -- gen_context(system_u:object_r:rsync_var_run_t,s0)
diff --git a/rsync.if b/rsync.if
-index 3386f29..8d8f6c5 100644
+index f1140ef..6bde558 100644
--- a/rsync.if
+++ b/rsync.if
-@@ -119,7 +119,7 @@ interface(`rsync_read_config',`
+@@ -1,16 +1,16 @@
+-## <summary>Fast incremental file transfer for synchronization.</summary>
++## <summary>Fast incremental file transfer for synchronization</summary>
+
+ ########################################
+ ## <summary>
+-## Make rsync executable file an
+-## entry point for the specified domain.
++## Make rsync an entry point for
++## the specified domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## The domain for which rsync_exec_t is an entrypoint.
++## The domain for which init scripts are an entrypoint.
+ ## </summary>
+ ## </param>
+-#
++# cjp: added for portage
+ interface(`rsync_entry_type',`
+ gen_require(`
+ type rsync_exec_t;
+@@ -43,14 +43,13 @@ interface(`rsync_entry_type',`
+ ## Domain to transition to.
+ ## </summary>
+ ## </param>
+-#
++# cjp: added for portage
+ interface(`rsync_entry_spec_domtrans',`
+ gen_require(`
+ type rsync_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+- auto_trans($1, rsync_exec_t, $2)
++ domain_trans($1, rsync_exec_t, $2)
+ ')
+
+ ########################################
+@@ -77,76 +76,31 @@ interface(`rsync_entry_spec_domtrans',`
+ ## Domain to transition to.
+ ## </summary>
+ ## </param>
+-#
++# cjp: added for portage
+ interface(`rsync_entry_domtrans',`
+ gen_require(`
+ type rsync_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+ domain_auto_trans($1, rsync_exec_t, $2)
+ ')
+
+ ########################################
+ ## <summary>
+-## Execute the rsync program in the rsync domain.
+-## </summary>
+-## <param name="domain">
+-## <summary>
+-## Domain allowed to transition.
+-## </summary>
+-## </param>
+-#
+-interface(`rsync_domtrans',`
+- gen_require(`
+- type rsync_t, rsync_exec_t;
+- ')
+-
+- corecmd_search_bin($1)
+- domtrans_pattern($1, rsync_exec_t, rsync_t)
+-')
+-
+-########################################
+-## <summary>
+-## Execute rsync in the rsync domain, and
+-## allow the specified role the rsync domain.
+-## </summary>
+-## <param name="domain">
+-## <summary>
+-## Domain allowed to transition.
+-## </summary>
+-## </param>
+-## <param name="role">
+-## <summary>
+-## Role allowed access.
+-## </summary>
+-## </param>
+-#
+-interface(`rsync_run',`
+- gen_require(`
+- attribute_role rsync_roles;
+- ')
+-
+- rsync_domtrans($1)
+- roleattribute $2 rsync_roles;
+-')
+-
+-########################################
+-## <summary>
+-## Execute rsync in the caller domain.
++## Execute rsync in the caller domain domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
++## <rolecap/>
+ #
+ interface(`rsync_exec',`
+ gen_require(`
+ type rsync_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+ can_exec($1, rsync_exec_t)
+ ')
+
+@@ -165,18 +119,18 @@ interface(`rsync_read_config',`
type rsync_etc_t;
')
-- allow $1 rsync_etc_t:file read_file_perms;
+ read_files_pattern($1, rsync_etc_t, rsync_etc_t)
files_search_etc($1)
+- allow $1 rsync_etc_t:file read_file_perms;
')
-@@ -128,9 +128,9 @@ interface(`rsync_read_config',`
- ## Write to rsync config files.
+ ########################################
+ ## <summary>
+-## Write rsync config files.
++## Write to rsync config files.
## </summary>
## <param name="domain">
-## <summary>
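Review bot: Two of the interface doc lines written on the new side are wrong: `## The domain for which init scripts are an entrypoint.` (L87700) sits in `rsync_entry_type` and should read `## The domain for which rsync_exec_t is an entrypoint.`, and `## Execute rsync in the caller domain domain.` (L87787) doubles the word, where `## Execute rsync in the caller domain.` is the text it replaces. The `# cjp: added for portage` comments (L87704, L87713, L87730) replace a bare `#` but say nothing about the interface's contract; an author-initialled note belongs in the commit message rather than the generated documentation. `corecmd_search_bin($1)` is removed from `rsync_entry_domtrans` (L87736) and `rsync_exec` (L87801) while `rshd_domtrans` in the same commit gains `files_search_usr`; callers that previously reached the rsync binary through these interfaces alone may now need their own search rule, which is worth one comment at each site.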
@@ -58495,124 +65680,259 @@ index 3386f29..8d8f6c5 100644
## </param>
#
interface(`rsync_write_config',`
-@@ -138,6 +138,49 @@ interface(`rsync_write_config',`
+@@ -184,14 +138,13 @@ interface(`rsync_write_config',`
type rsync_etc_t;
')
-- allow $1 rsync_etc_t:file read_file_perms;
+ write_files_pattern($1, rsync_etc_t, rsync_etc_t)
-+ files_search_etc($1)
-+')
-+
-+########################################
-+## <summary>
+ files_search_etc($1)
+- allow $1 rsync_etc_t:file write_file_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete
+-## rsync config files.
+## Manage rsync config files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -199,18 +152,18 @@ interface(`rsync_write_config',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`rsync_manage_config_files',`
+interface(`rsync_manage_config',`
-+ gen_require(`
-+ type rsync_etc_t;
-+ ')
-+
-+ manage_files_pattern($1, rsync_etc_t, rsync_etc_t)
- files_search_etc($1)
+ gen_require(`
+ type rsync_etc_t;
+ ')
+
+- files_search_etc($1)
+ manage_files_pattern($1, rsync_etc_t, rsync_etc_t)
++ files_search_etc($1)
')
-+
-+########################################
-+## <summary>
+
+ ########################################
+ ## <summary>
+-## Create specified objects in etc directories
+## Create objects in etc directories
-+## with rsync etc type.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed to transition.
-+## </summary>
-+## </param>
-+## <param name="object_class">
-+## <summary>
-+## Class of the object being created.
-+## </summary>
-+## </param>
-+#
-+interface(`rsync_filetrans_config',`
-+ gen_require(`
-+ type rsync_etc_t;
-+ ')
-+
-+ files_etc_filetrans($1, rsync_etc_t, $2)
-+')
+ ## with rsync etc type.
+ ## </summary>
+ ## <param name="domain">
+@@ -223,11 +176,6 @@ interface(`rsync_manage_config_files',`
+ ## Class of the object being created.
+ ## </summary>
+ ## </param>
+-## <param name="name" optional="true">
+-## <summary>
+-## The name of the object being created.
+-## </summary>
+-## </param>
+ #
+ interface(`rsync_etc_filetrans_config',`
+ gen_require(`
+@@ -236,46 +184,3 @@ interface(`rsync_etc_filetrans_config',`
+
+ files_etc_filetrans($1, rsync_etc_t, $2, $3)
+ ')
+-
+-########################################
+-## <summary>
+-## All of the rules required to
+-## administrate an rsync environment.
+-## </summary>
+-## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+-## </param>
+-## <param name="role">
+-## <summary>
+-## Role allowed access.
+-## </summary>
+-## </param>
+-## <rolecap/>
+-#
+-interface(`rsync_admin',`
+- gen_require(`
+- type rsync_t, rsync_etc_t, rsync_data_t;
+- type rsync_log_t, rsync_tmp_t. rsync_var_run_t;
+- ')
+-
+- allow $1 rsync_t:process { ptrace signal_perms };
+- ps_process_pattern($1, rsync_t)
+-
+- files_search_etc($1)
+- admin_pattern($1, rsync_etc_t)
+-
+- admin_pattern($1, rsync_data_t)
+-
+- logging_search_logs($1)
+- admin_pattern($1, rsync_log_t)
+-
+- files_search_tmp($1)
+- admin_pattern($1, rsync_tmp_t)
+-
+- files_search_pids($1)
+- admin_pattern($1, rsync_var_run_t)
+-
+- rsync_run($1, $2)
+-')
diff --git a/rsync.te b/rsync.te
-index 2834d86..8fdd060 100644
+index e3e7c96..8fdd060 100644
--- a/rsync.te
+++ b/rsync.te
-@@ -7,6 +7,27 @@ policy_module(rsync, 1.12.0)
+@@ -1,4 +1,4 @@
+-policy_module(rsync, 1.12.2)
++policy_module(rsync, 1.12.0)
+
+ ########################################
+ #
+@@ -6,67 +6,52 @@ policy_module(rsync, 1.12.2)
+ #
## <desc>
- ## <p>
+-## <p>
+-## Determine whether rsync can use
+-## cifs file systems.
+-## </p>
++## <p>
+## Allow rsync servers to share cifs files systems
+## </p>
-+## </desc>
-+gen_tunable(rsync_use_cifs, false)
-+
-+## <desc>
+ ## </desc>
+ gen_tunable(rsync_use_cifs, false)
+
+ ## <desc>
+-## <p>
+-## Determine whether rsync can
+-## use fuse file systems.
+-## </p>
+-## </desc>
+-gen_tunable(rsync_use_fusefs, false)
+-
+-## <desc>
+-## <p>
+-## Determine whether rsync can use
+-## nfs file systems.
+-## </p>
+## <p>
+## Allow rsync servers to share nfs files systems
+## </p>
-+## </desc>
-+gen_tunable(rsync_use_nfs, false)
-+
-+## <desc>
+ ## </desc>
+ gen_tunable(rsync_use_nfs, false)
+
+ ## <desc>
+-## <p>
+-## Determine whether rsync can
+-## run as a client
+-## </p>
+## <p>
+## Allow rsync to run as a client
+## </p>
-+## </desc>
-+gen_tunable(rsync_client, false)
-+
-+## <desc>
+ ## </desc>
+ gen_tunable(rsync_client, false)
+
+ ## <desc>
+-## <p>
+-## Determine whether rsync can
+-## export all content read only.
+-## </p>
+## <p>
- ## Allow rsync to export any files/directories read only.
- ## </p>
++## Allow rsync to export any files/directories read only.
++## </p>
## </desc>
-@@ -19,7 +40,7 @@ gen_tunable(rsync_export_all_ro, false)
- ## labeled public_content_rw_t.
- ## </p>
+ gen_tunable(rsync_export_all_ro, false)
+
+ ## <desc>
+-## <p>
+-## Determine whether rsync can modify
+-## public files used for public file
+-## transfer services. Directories/Files must
+-## be labeled public_content_rw_t.
+-## </p>
++## <p>
++## Allow rsync to modify public files
++## used for public file transfer services. Files/Directories must be
++## labeled public_content_rw_t.
++## </p>
## </desc>
-gen_tunable(allow_rsync_anon_write, false)
+-
+-attribute_role rsync_roles;
+gen_tunable(rsync_anon_write, false)
type rsync_t;
type rsync_exec_t;
-@@ -59,7 +80,7 @@ allow rsync_t self:udp_socket connected_socket_perms;
- allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
- #end for identd
+ init_daemon_domain(rsync_t, rsync_exec_t)
+-application_domain(rsync_t, rsync_exec_t)
+-role rsync_roles types rsync_t;
++application_executable_file(rsync_exec_t)
++role system_r types rsync_t;
+
+ type rsync_etc_t;
+ files_config_file(rsync_etc_t)
+
+-type rsync_data_t; # customizable
++type rsync_data_t;
+ files_type(rsync_data_t)
+
+ type rsync_log_t;
+@@ -86,15 +71,22 @@ files_pid_file(rsync_var_run_t)
+ allow rsync_t self:capability { chown dac_read_search dac_override fowner fsetid setuid setgid sys_chroot };
+ allow rsync_t self:process signal_perms;
+ allow rsync_t self:fifo_file rw_fifo_file_perms;
+-allow rsync_t self:tcp_socket { accept listen };
++allow rsync_t self:tcp_socket create_stream_socket_perms;
++allow rsync_t self:udp_socket connected_socket_perms;
++
++# for identd
++# cjp: this should probably only be inetd_child_t rules?
++# search home and kerberos also.
++allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
++#end for identd
-allow rsync_t rsync_etc_t:file read_file_perms;
+read_files_pattern(rsync_t, rsync_etc_t, rsync_etc_t)
allow rsync_t rsync_data_t:dir list_dir_perms;
- read_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
-@@ -79,7 +100,6 @@ kernel_read_kernel_sysctls(rsync_t)
+-allow rsync_t rsync_data_t:file read_file_perms;
+-allow rsync_t rsync_data_t:lnk_file read_lnk_file_perms;
++read_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
++read_lnk_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
+
+-allow rsync_t rsync_log_t:file { append_file_perms create_file_perms setattr_file_perms };
++manage_files_pattern(rsync_t, rsync_log_t, rsync_log_t)
+ logging_log_filetrans(rsync_t, rsync_log_t, file)
+
+ manage_dirs_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t)
+@@ -108,91 +100,69 @@ kernel_read_kernel_sysctls(rsync_t)
kernel_read_system_state(rsync_t)
kernel_read_network_state(rsync_t)
-corenet_all_recvfrom_unlabeled(rsync_t)
corenet_all_recvfrom_netlabel(rsync_t)
corenet_tcp_sendrecv_generic_if(rsync_t)
- corenet_udp_sendrecv_generic_if(rsync_t)
-@@ -94,18 +114,19 @@ corenet_sendrecv_rsync_server_packets(rsync_t)
++corenet_udp_sendrecv_generic_if(rsync_t)
+ corenet_tcp_sendrecv_generic_node(rsync_t)
++corenet_udp_sendrecv_generic_node(rsync_t)
++corenet_tcp_sendrecv_all_ports(rsync_t)
++corenet_udp_sendrecv_all_ports(rsync_t)
+ corenet_tcp_bind_generic_node(rsync_t)
+-
+-corenet_sendrecv_rsync_server_packets(rsync_t)
+ corenet_tcp_bind_rsync_port(rsync_t)
+-corenet_tcp_sendrecv_rsync_port(rsync_t)
++corenet_sendrecv_rsync_server_packets(rsync_t)
+
dev_read_urand(rsync_t)
- fs_getattr_xattr_fs(rsync_t)
-+fs_search_auto_mountpoints(rsync_t)
+-fs_getattr_all_fs(rsync_t)
++fs_getattr_xattr_fs(rsync_t)
+ fs_search_auto_mountpoints(rsync_t)
--files_read_etc_files(rsync_t)
files_search_home(rsync_t)
+-auth_can_read_shadow_passwords(rsync_t)
auth_use_nsswitch(rsync_t)
logging_send_syslog_msg(rsync_t)
@@ -58627,7 +65947,25 @@ index 2834d86..8fdd060 100644
miscfiles_manage_public_files(rsync_t)
')
-@@ -122,12 +143,26 @@ optional_policy(`
+-tunable_policy(`rsync_client',`
+- corenet_sendrecv_rsync_client_packets(rsync_t)
+- corenet_tcp_connect_rsync_port(rsync_t)
++optional_policy(`
++ daemontools_service_domain(rsync_t, rsync_exec_t)
++')
+
+- corenet_sendrecv_ssh_client_packets(rsync_t)
+- corenet_tcp_connect_ssh_port(rsync_t)
+- corenet_tcp_sendrecv_ssh_port(rsync_t)
++optional_policy(`
++ kerberos_use(rsync_t)
++')
+
+- manage_dirs_pattern(rsync_t, rsync_data_t, rsync_data_t)
+- manage_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
+- manage_lnk_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
++optional_policy(`
++ inetd_service_domain(rsync_t, rsync_exec_t)
')
tunable_policy(`rsync_export_all_ro',`
@@ -58635,6 +65973,7 @@ index 2834d86..8fdd060 100644
+ files_getattr_all_pipes(rsync_t)
+ fs_read_noxattr_fs_files(rsync_t)
fs_read_nfs_files(rsync_t)
+- fs_read_fusefs_files(rsync_t)
fs_read_cifs_files(rsync_t)
- files_list_non_auth_dirs(rsync_t)
- files_read_non_auth_files(rsync_t)
@@ -58642,77 +65981,138 @@ index 2834d86..8fdd060 100644
+ files_read_non_security_files(rsync_t)
auth_tunable_read_shadow(rsync_t)
')
-+
+
+-tunable_policy(`rsync_use_cifs',`
+- fs_list_cifs(rsync_t)
+- fs_read_cifs_files(rsync_t)
+- fs_read_cifs_symlinks(rsync_t)
+-')
+-
+-tunable_policy(`rsync_use_fusefs',`
+- fs_search_fusefs(rsync_t)
+- fs_read_fusefs_files(rsync_t)
+- fs_read_fusefs_symlinks(rsync_t)
+-')
+-
+-tunable_policy(`rsync_use_nfs',`
+- fs_list_nfs(rsync_t)
+- fs_read_nfs_files(rsync_t)
+- fs_read_nfs_symlinks(rsync_t)
+tunable_policy(`rsync_client',`
+ corenet_tcp_connect_rsync_port(rsync_t)
+ corenet_tcp_connect_ssh_port(rsync_t)
+ manage_dirs_pattern(rsync_t, rsync_data_t, rsync_data_t)
+ manage_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
+ manage_lnk_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
-+')
-+
-+optional_policy(`
-+ tunable_policy(`rsync_client',`
+ ')
+
+ optional_policy(`
+ tunable_policy(`rsync_client',`
+- ssh_exec(rsync_t)
+ ssh_exec(rsync_t)
-+ ')
-+')
-+
- auth_can_read_shadow_passwords(rsync_t)
+ ')
+ ')
+
+-optional_policy(`
+- daemontools_service_domain(rsync_t, rsync_exec_t)
+-')
+-
+-optional_policy(`
+- kerberos_use(rsync_t)
+-')
+-
+-optional_policy(`
+- inetd_service_domain(rsync_t, rsync_exec_t)
+-')
++auth_can_read_shadow_passwords(rsync_t)
diff --git a/rtkit.if b/rtkit.if
-index 46dad1f..051addd 100644
+index bd35afe..051addd 100644
--- a/rtkit.if
+++ b/rtkit.if
-@@ -41,6 +41,28 @@ interface(`rtkit_daemon_dbus_chat',`
+@@ -15,7 +15,6 @@ interface(`rtkit_daemon_domtrans',`
+ type rtkit_daemon_t, rtkit_daemon_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+ domtrans_pattern($1, rtkit_daemon_exec_t, rtkit_daemon_t)
+ ')
+
+@@ -42,55 +41,43 @@ interface(`rtkit_daemon_dbus_chat',`
########################################
## <summary>
+-## Allow rtkit to control scheduling for your process.
+## Do not audit send and receive messages from
+## rtkit_daemon over dbus.
-+## </summary>
-+## <param name="domain">
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+ #
+-interface(`rtkit_scheduled',`
+interface(`rtkit_daemon_dontaudit_dbus_chat',`
-+ gen_require(`
-+ type rtkit_daemon_t;
+ gen_require(`
+ type rtkit_daemon_t;
+ class dbus send_msg;
-+ ')
-+
+ ')
+
+- allow rtkit_daemon_t $1:process { getsched setsched };
+-
+- ps_process_pattern(rtkit_daemon_t, $1)
+-
+- optional_policy(`
+- rtkit_daemon_dbus_chat($1)
+- ')
+ dontaudit $1 rtkit_daemon_t:dbus send_msg;
+ dontaudit rtkit_daemon_t $1:dbus send_msg;
+ dontaudit rtkit_daemon_t $1:process { getsched setsched };
-+')
-+
-+########################################
-+## <summary>
- ## Allow rtkit to control scheduling for your process
+ ')
+
+ ########################################
+ ## <summary>
+-## All of the rules required to
+-## administrate an rtkit environment.
++## Allow rtkit to control scheduling for your process
## </summary>
## <param name="domain">
-@@ -54,6 +76,7 @@ interface(`rtkit_scheduled',`
- type rtkit_daemon_t;
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <param name="role">
+-## <summary>
+-## Role allowed access.
+-## </summary>
+-## </param>
+-## <rolecap/>
+ #
+-interface(`rtkit_admin',`
++interface(`rtkit_scheduled',`
+ gen_require(`
+- type rtkit_daemon_t, rtkit_daemon_initrc_exec_t;
++ type rtkit_daemon_t;
')
+- allow $1 rtkit_daemon_t:process { ptrace signal_perms };
+- ps_process_pattern($1, rtkit_daemon_t)
+-
+- init_labeled_script_domtrans($1, rtkit_daemon_initrc_exec_t)
+- domain_system_change_exemption($1)
+- role_transition $2 rtkit_daemon_initrc_exec_t system_r;
+- allow $2 system_r;
+ kernel_search_proc($1)
- ps_process_pattern(rtkit_daemon_t, $1)
- allow rtkit_daemon_t $1:process { getsched setsched };
- rtkit_daemon_dbus_chat($1)
++ ps_process_pattern(rtkit_daemon_t, $1)
++ allow rtkit_daemon_t $1:process { getsched setsched };
++ rtkit_daemon_dbus_chat($1)
+ ')
diff --git a/rtkit.te b/rtkit.te
-index 6f8e268..eaad2c5 100644
+index 3f5a8ef..d7bffcc 100644
--- a/rtkit.te
+++ b/rtkit.te
-@@ -7,7 +7,7 @@ policy_module(rtkit, 1.1.0)
-
- type rtkit_daemon_t;
- type rtkit_daemon_exec_t;
--dbus_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t)
-+init_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t)
-
- ########################################
- #
-@@ -28,8 +28,9 @@ auth_use_nsswitch(rtkit_daemon_t)
+@@ -31,8 +31,9 @@ auth_use_nsswitch(rtkit_daemon_t)
logging_send_syslog_msg(rtkit_daemon_t)
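Review bot: The `++auth_can_read_shadow_passwords(rsync_t)` appended to the end of rsync.te in this hunk grants the daemon domain read access to shadow_t unconditionally, which makes the `auth_tunable_read_shadow(rsync_t)` kept inside the `rsync_export_all_ro` block (the block opens in the previous hunk) redundant and removes the administrator's ability to deny that access with a boolean. The line is only moved from its upstream position (it is removed near `auth_use_nsswitch` in the earlier hunk), so this is an existing grant rather than a new one, but a reviewer would expect either a comment explaining why rsyncd needs password hashes or the call placed under `rsync_export_all_ro` or `rsync_client` so the default policy does not expose /etc/shadow. Separately, this hunk drops upstream's `tunable_policy(`rsync_use_cifs'` and `tunable_policy(`rsync_use_nfs'` blocks while the first hunk keeps both `gen_tunable` declarations and their descriptions; unless equivalent blocks exist in rsync.te outside this view, those booleans are declared but have no effect, which will mislead anyone toggling them with setsebool.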
@@ -58722,13 +66122,13 @@ index 6f8e268..eaad2c5 100644
+ dbus_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t)
+')
optional_policy(`
- policykit_dbus_chat(rtkit_daemon_t)
- ')
+ dbus_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t)
+
diff --git a/rwho.if b/rwho.if
-index 71ea0ea..886a45e 100644
+index 0360ff0..e6cb34f 100644
--- a/rwho.if
+++ b/rwho.if
-@@ -138,8 +138,11 @@ interface(`rwho_admin',`
+@@ -139,8 +139,11 @@ interface(`rwho_admin',`
type rwho_initrc_exec_t;
')
@@ -58742,7 +66142,7 @@ index 71ea0ea..886a45e 100644
init_labeled_script_domtrans($1, rwho_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/rwho.te b/rwho.te
-index a07b2f4..22e0db0 100644
+index 9927d29..9ee5654 100644
--- a/rwho.te
+++ b/rwho.te
@@ -16,7 +16,7 @@ type rwho_log_t;
@@ -58754,15 +66154,7 @@ index a07b2f4..22e0db0 100644
########################################
#
-@@ -24,6 +24,7 @@ files_type(rwho_spool_t)
- #
-
- allow rwho_t self:capability sys_chroot;
-+allow rwho_t self:process signal;
- allow rwho_t self:unix_dgram_socket create;
- allow rwho_t self:fifo_file rw_file_perms;
- allow rwho_t self:unix_stream_socket create_stream_socket_perms;
-@@ -39,7 +40,6 @@ files_spool_filetrans(rwho_t, rwho_spool_t, { file dir })
+@@ -38,7 +38,6 @@ files_spool_filetrans(rwho_t, rwho_spool_t, { file dir })
kernel_read_system_state(rwho_t)
@@ -58770,68 +66162,151 @@ index a07b2f4..22e0db0 100644
corenet_all_recvfrom_netlabel(rwho_t)
corenet_udp_sendrecv_generic_if(rwho_t)
corenet_udp_sendrecv_generic_node(rwho_t)
-@@ -55,6 +55,8 @@ files_read_etc_files(rwho_t)
- init_read_utmp(rwho_t)
- init_dontaudit_write_utmp(rwho_t)
+@@ -57,8 +56,7 @@ init_dontaudit_write_utmp(rwho_t)
--miscfiles_read_localization(rwho_t)
-+logging_send_syslog_msg(rwho_t)
+ logging_send_syslog_msg(rwho_t)
+-miscfiles_read_localization(rwho_t)
+-
sysnet_dns_name_resolve(rwho_t)
-+
+
+-# userdom_getattr_user_terminals(rwho_t)
+userdom_getattr_user_terminals(rwho_t)
++
diff --git a/samba.fc b/samba.fc
-index 69a6074..2ccac49 100644
+index b8b66ff..2ccac49 100644
--- a/samba.fc
+++ b/samba.fc
-@@ -14,6 +14,9 @@
- #
- # /usr
- #
+@@ -1,42 +1,54 @@
+-/etc/rc\.d/init\.d/nmb -- gen_context(system_u:object_r:samba_initrc_exec_t,s0)
+-/etc/rc\.d/init\.d/smb -- gen_context(system_u:object_r:samba_initrc_exec_t,s0)
++
++#
++# /etc
++#
++/etc/rc\.d/init\.d/nmb -- gen_context(system_u:object_r:samba_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/smb -- gen_context(system_u:object_r:samba_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/winbind -- gen_context(system_u:object_r:samba_initrc_exec_t,s0)
++/etc/samba/MACHINE\.SID -- gen_context(system_u:object_r:samba_secrets_t,s0)
++/etc/samba/passdb\.tdb -- gen_context(system_u:object_r:samba_secrets_t,s0)
++/etc/samba/secrets\.tdb -- gen_context(system_u:object_r:samba_secrets_t,s0)
++/etc/samba/smbpasswd -- gen_context(system_u:object_r:samba_secrets_t,s0)
++/etc/samba(/.*)? gen_context(system_u:object_r:samba_etc_t,s0)
+
+-/etc/samba/MACHINE\.SID -- gen_context(system_u:object_r:samba_secrets_t,s0)
+-/etc/samba/passdb\.tdb -- gen_context(system_u:object_r:samba_secrets_t,s0)
+-/etc/samba/secrets\.tdb -- gen_context(system_u:object_r:samba_secrets_t,s0)
+-/etc/samba/smbpasswd -- gen_context(system_u:object_r:samba_secrets_t,s0)
+-/etc/samba(/.*)? gen_context(system_u:object_r:samba_etc_t,s0)
++#
++# /usr
++#
+/usr/lib/systemd/system/smb.* -- gen_context(system_u:object_r:samba_unit_file_t,s0)
+/usr/lib/systemd/system/nmb.* -- gen_context(system_u:object_r:samba_unit_file_t,s0)
-+
- /usr/bin/net -- gen_context(system_u:object_r:samba_net_exec_t,s0)
- /usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0)
- /usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0)
-@@ -31,11 +34,17 @@
- /var/cache/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
- /var/cache/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
+-/usr/bin/net -- gen_context(system_u:object_r:samba_net_exec_t,s0)
+-/usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0)
+-/usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0)
+-/usr/bin/smbmount -- gen_context(system_u:object_r:smbmount_exec_t,s0)
+-/usr/bin/smbmnt -- gen_context(system_u:object_r:smbmount_exec_t,s0)
++/usr/bin/net -- gen_context(system_u:object_r:samba_net_exec_t,s0)
++/usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0)
++/usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0)
++/usr/bin/smbmount -- gen_context(system_u:object_r:smbmount_exec_t,s0)
++/usr/bin/smbmnt -- gen_context(system_u:object_r:smbmount_exec_t,s0)
+
+-/usr/sbin/swat -- gen_context(system_u:object_r:swat_exec_t,s0)
+-/usr/sbin/nmbd -- gen_context(system_u:object_r:nmbd_exec_t,s0)
+-/usr/sbin/smbd -- gen_context(system_u:object_r:smbd_exec_t,s0)
+-/usr/sbin/winbindd -- gen_context(system_u:object_r:winbind_exec_t,s0)
++/usr/sbin/swat -- gen_context(system_u:object_r:swat_exec_t,s0)
++/usr/sbin/nmbd -- gen_context(system_u:object_r:nmbd_exec_t,s0)
++/usr/sbin/smbd -- gen_context(system_u:object_r:smbd_exec_t,s0)
++/usr/sbin/winbindd -- gen_context(system_u:object_r:winbind_exec_t,s0)
+
+-/var/cache/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
+-/var/cache/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
++#
++# /var
++#
++/var/cache/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
++/var/cache/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
+
+-/var/lib/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
+-/var/lib/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
+/var/nmbd(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
-+
- /var/lib/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
- /var/lib/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
- /var/log/samba(/.*)? gen_context(system_u:object_r:samba_log_t,s0)
+-/var/log/samba(/.*)? gen_context(system_u:object_r:samba_log_t,s0)
++/var/lib/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
++/var/lib/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
+-/var/nmbd(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
++/var/log/samba(/.*)? gen_context(system_u:object_r:samba_log_t,s0)
+
+-/var/run/nmbd(/.*)? gen_context(system_u:object_r:nmbd_var_run_t,s0)
+-/var/run/samba/nmbd(/.*)? gen_context(system_u:object_r:nmbd_var_run_t,s0)
+/var/run/nmbd(/.*)? gen_context(system_u:object_r:nmbd_var_run_t,s0)
+/var/run/samba/nmbd(/.*)? gen_context(system_u:object_r:nmbd_var_run_t,s0)
-+
+
+-/var/run/samba(/.*)? gen_context(system_u:object_r:smbd_var_run_t,s0)
+/var/run/samba(/.*)? gen_context(system_u:object_r:smbd_var_run_t,s0)
/var/run/samba/brlock\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
/var/run/samba/connections\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
/var/run/samba/gencache\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
-@@ -48,6 +57,11 @@
+-/var/run/samba/locking\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
++/var/run/samba/locking\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
+ /var/run/samba/messages\.tdb -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
+ /var/run/samba/namelist\.debug -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
+ /var/run/samba/nmbd\.pid -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
+@@ -45,7 +57,11 @@
/var/run/samba/smbd\.pid -- gen_context(system_u:object_r:smbd_var_run_t,s0)
/var/run/samba/unexpected\.tdb -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
+-/var/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
+-/var/run/samba/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
+/var/run/samba/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
- /var/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
-
- /var/spool/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
++/var/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
+
++/var/spool/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
+
+-/var/spool/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
+ifndef(`enable_mls',`
+/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0)
+')
diff --git a/samba.if b/samba.if
-index 82cb169..a6bab06 100644
+index aee75af..a6bab06 100644
--- a/samba.if
+++ b/samba.if
-@@ -42,6 +42,44 @@ interface(`samba_signal_nmbd',`
+@@ -1,8 +1,12 @@
+-## <summary>SMB and CIFS client/server programs.</summary>
++## <summary>
++## SMB and CIFS client/server programs for UNIX and
++## name Service Switch daemon for resolving names
++## from Windows NT servers.
++## </summary>
+
+ ########################################
+ ## <summary>
+-## Execute nmbd in the nmbd domain.
++## Execute nmbd net in the nmbd_t domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -21,7 +25,7 @@ interface(`samba_domtrans_nmbd',`
+
+ #######################################
+ ## <summary>
+-## Send generic signals to nmbd.
++## Allow domain to signal samba
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -38,8 +42,26 @@ interface(`samba_signal_nmbd',`
########################################
## <summary>
+-## Connect to nmbd with a unix domain
+-## stream socket.
+## Search the samba pid directory.
+## </summary>
+## <param name="domain">
@@ -58852,31 +66327,36 @@ index 82cb169..a6bab06 100644
+########################################
+## <summary>
+## Connect to nmbd.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`samba_stream_connect_nmbd',`
-+ gen_require(`
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -49,17 +71,16 @@ interface(`samba_signal_nmbd',`
+ #
+ interface(`samba_stream_connect_nmbd',`
+ gen_require(`
+- type samba_var_t, nmbd_t, nmbd_var_run_t, smbd_var_run_t;
+ type nmbd_t, nmbd_var_run_t;
-+ ')
-+
+ ')
+
+- files_search_pids($1)
+- stream_connect_pattern($1, { smbd_var_run_t samba_var_t nmbd_var_run_t }, nmbd_var_run_t, nmbd_t)
+ samba_search_pid($1)
+ stream_connect_pattern($1, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
-+')
-+
-+########################################
-+## <summary>
- ## Execute samba server in the samba domain.
+ ')
+
+ ########################################
+ ## <summary>
+-## Execute samba init scripts in
+-## the init script domain.
++## Execute samba server in the samba domain.
## </summary>
## <param name="domain">
-@@ -60,6 +98,29 @@ interface(`samba_initrc_domtrans',`
+ ## <summary>
+@@ -77,7 +98,30 @@ interface(`samba_initrc_domtrans',`
########################################
## <summary>
+-## Execute samba net in the samba net domain.
+## Execute samba server in the samba domain.
+## </summary>
+## <param name="domain">
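Review bot: `samba_stream_connect_nmbd` now calls `stream_connect_pattern($1, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)` after `samba_search_pid($1)`, replacing upstream's pattern that also allowed search through `smbd_var_run_t` and `samba_var_t` directories. The samba.fc entries in this same diff label `/var/run/samba(/.*)?` as smbd_var_run_t and only `/var/run/samba/nmbd(/.*)?` as nmbd_var_run_t, so a caller still needs search on smbd_var_run_t to reach the socket directory; that is presumably what `samba_search_pid` provides, but its body is not in this hunk, so it is worth confirming, and if it does not cover smbd_var_run_t the connect will fail with an AVC on the parent directory. If the socket can also live under /var/lib/samba (samba_var_t), the dropped search on that type needs restoring too.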
@@ -58900,13 +66380,17 @@ index 82cb169..a6bab06 100644
+
+########################################
+## <summary>
- ## Execute samba net in the samba_net domain.
++## Execute samba net in the samba_net domain.
## </summary>
## <param name="domain">
-@@ -79,6 +140,25 @@ interface(`samba_domtrans_net',`
+ ## <summary>
+@@ -96,9 +140,27 @@ interface(`samba_domtrans_net',`
########################################
## <summary>
+-## Execute samba net in the samba net
+-## domain, and allow the specified
+-## role the samba net domain.
+## Execute samba net in the samba_unconfined_net domain.
+## </summary>
+## <param name="domain">
@@ -58926,13 +66410,24 @@ index 82cb169..a6bab06 100644
+
+########################################
+## <summary>
- ## Execute samba net in the samba_net domain, and
- ## allow the specified role the samba_net domain.
++## Execute samba net in the samba_net domain, and
++## allow the specified role the samba_net domain.
## </summary>
-@@ -103,6 +183,51 @@ interface(`samba_run_net',`
- role $2 types samba_net_t;
- ')
+ ## <param name="domain">
+ ## <summary>
+@@ -114,11 +176,56 @@ interface(`samba_domtrans_net',`
+ #
+ interface(`samba_run_net',`
+ gen_require(`
+- attribute_role samba_net_roles;
++ type samba_net_t;
+ ')
+ samba_domtrans_net($1)
+- roleattribute $2 samba_net_roles;
++ role $2 types samba_net_t;
++')
++
+#######################################
+## <summary>
+## The role for the samba module.
@@ -58976,12 +66471,43 @@ index 82cb169..a6bab06 100644
+
+ samba_domtrans_unconfined_net($1)
+ role $2 types samba_unconfined_net_t;
-+')
-+
+ ')
+
+ ########################################
+@@ -142,9 +249,8 @@ interface(`samba_domtrans_smbmount',`
+
+ ########################################
+ ## <summary>
+-## Execute smbmount in the smbmount
+-## domain, and allow the specified
+-## role the smbmount domain.
++## Execute smbmount interactively and do
++## a domain transition to the smbmount domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -160,16 +266,17 @@ interface(`samba_domtrans_smbmount',`
+ #
+ interface(`samba_run_smbmount',`
+ gen_require(`
+- attribute_role smbmount_roles;
++ type smbmount_t;
+ ')
+
+ samba_domtrans_smbmount($1)
+- roleattribute $2 smbmount_roles;
++ role $2 types smbmount_t;
+ ')
+
########################################
## <summary>
- ## Execute smbmount in the smbmount domain.
-@@ -166,6 +291,7 @@ interface(`samba_read_config',`
+-## Read samba configuration files.
++## Allow the specified domain to read
++## samba configuration files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -184,12 +291,14 @@ interface(`samba_read_config',`
')
files_search_etc($1)
@@ -58989,76 +66515,385 @@ index 82cb169..a6bab06 100644
read_files_pattern($1, samba_etc_t, samba_etc_t)
')
-@@ -409,9 +535,10 @@ interface(`samba_manage_var_files',`
+ ########################################
+ ## <summary>
+-## Read and write samba configuration files.
++## Allow the specified domain to read
++## and write samba configuration files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -209,8 +318,8 @@ interface(`samba_rw_config',`
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete
+-## samba configuration files.
++## Allow the specified domain to read
++## and write samba configuration files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -231,7 +340,7 @@ interface(`samba_manage_config',`
+
+ ########################################
+ ## <summary>
+-## Read samba log files.
++## Allow the specified domain to read samba's log files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -252,7 +361,7 @@ interface(`samba_read_log',`
+
+ ########################################
+ ## <summary>
+-## Append to samba log files.
++## Allow the specified domain to append to samba's log files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -273,7 +382,7 @@ interface(`samba_append_log',`
+
+ ########################################
+ ## <summary>
+-## Execute samba log files in the caller domain.
++## Execute samba log in the caller domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -292,7 +401,7 @@ interface(`samba_exec_log',`
+
+ ########################################
+ ## <summary>
+-## Read samba secret files.
++## Allow the specified domain to read samba's secrets.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -311,7 +420,7 @@ interface(`samba_read_secrets',`
+
+ ########################################
+ ## <summary>
+-## Read samba share files.
++## Allow the specified domain to read samba's shares
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -330,7 +439,8 @@ interface(`samba_read_share_files',`
+
+ ########################################
+ ## <summary>
+-## Search samba var directories.
++## Allow the specified domain to search
++## samba /var directories.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -343,13 +453,15 @@ interface(`samba_search_var',`
+ type samba_var_t;
+ ')
+
++ files_search_var($1)
+ files_search_var_lib($1)
+ allow $1 samba_var_t:dir search_dir_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Read samba var files.
++## Allow the specified domain to
++## read samba /var files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -362,14 +474,15 @@ interface(`samba_read_var_files',`
type samba_var_t;
')
-- files_search_var($1)
-+ files_search_var_lib($1)
++ files_search_var($1)
+ files_search_var_lib($1)
+ read_files_pattern($1, samba_var_t, samba_var_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Do not audit attempts to write
+-## samba var files.
++## Do not audit attempts to write samba
++## /var files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -387,7 +500,8 @@ interface(`samba_dontaudit_write_var_files',`
+
+ ########################################
+ ## <summary>
+-## Read and write samba var files.
++## Allow the specified domain to
++## read and write samba /var files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -400,14 +514,15 @@ interface(`samba_rw_var_files',`
+ type samba_var_t;
+ ')
+
++ files_search_var($1)
+ files_search_var_lib($1)
+ rw_files_pattern($1, samba_var_t, samba_var_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete
+-## samba var files.
++## Allow the specified domain to
++## read and write samba /var files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -421,33 +536,34 @@ interface(`samba_manage_var_files',`
+ ')
+
files_search_var_lib($1)
++ files_search_var_lib($1)
manage_files_pattern($1, samba_var_t, samba_var_t)
+ manage_lnk_files_pattern($1, samba_var_t, samba_var_t)
')
########################################
-@@ -548,6 +675,24 @@ interface(`samba_rw_smbmount_tcp_sockets',`
+ ## <summary>
+-## Execute smbcontrol in the smbcontrol domain.
++## Execute a domain transition to run smbcontrol.
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
++## <summary>
+ ## Domain allowed to transition.
+-## </summary>
++## </summary>
+ ## </param>
+ #
+ interface(`samba_domtrans_smbcontrol',`
+ gen_require(`
+- type smbcontrol_t, smbcontrol_exec_t;
++ type smbcontrol_t;
++ type smbcontrol_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+ domtrans_pattern($1, smbcontrol_exec_t, smbcontrol_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Execute smbcontrol in the smbcontrol
+-## domain, and allow the specified
+-## role the smbcontrol domain.
++## Execute smbcontrol in the smbcontrol domain, and
++## allow the specified role the smbcontrol domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -462,16 +578,16 @@ interface(`samba_domtrans_smbcontrol',`
+ #
+ interface(`samba_run_smbcontrol',`
+ gen_require(`
+- attribute_role smbcontrol_roles;
++ type smbcontrol_t;
+ ')
+
+ samba_domtrans_smbcontrol($1)
+- roleattribute $2 smbcontrol_roles;
++ role $2 types smbcontrol_t;
+ ')
+
+ ########################################
+ ## <summary>
+-## Execute smbd in the smbd domain.
++## Execute smbd in the smbd_t domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -490,7 +606,7 @@ interface(`samba_domtrans_smbd',`
+
+ ######################################
+ ## <summary>
+-## Send generic signals to smbd.
++## Allow domain to signal samba
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -507,8 +623,7 @@ interface(`samba_signal_smbd',`
+
+ ########################################
+ ## <summary>
+-## Do not audit attempts to inherit
+-## and use smbd file descriptors.
++## Do not audit attempts to use file descriptors from samba.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -526,7 +641,7 @@ interface(`samba_dontaudit_use_fds',`
+
+ ########################################
+ ## <summary>
+-## Write smbmount tcp sockets.
++## Allow the specified domain to write to smbmount tcp sockets.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -544,7 +659,7 @@ interface(`samba_write_smbmount_tcp_sockets',`
+
+ ########################################
+ ## <summary>
+-## Read and write smbmount tcp sockets.
++## Allow the specified domain to read and write to smbmount tcp sockets.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -560,49 +675,47 @@ interface(`samba_rw_smbmount_tcp_sockets',`
allow $1 smbmount_t:tcp_socket { read write };
')
+-########################################
+#######################################
-+## <summary>
+ ## <summary>
+-## Execute winbind helper in the
+-## winbind helper domain.
+## Allow to getattr on winbind binary.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
+-## Domain allowed to transition.
+-## </summary>
+## <summary>
+## Domain allowed to transition.
+## </summary>
-+## </param>
-+#
+ ## </param>
+ #
+-interface(`samba_domtrans_winbind_helper',`
+- gen_require(`
+- type winbind_helper_t, winbind_helper_exec_t;
+- ')
+interface(`samba_getattr_winbind',`
+ gen_require(`
+ type winbind_exec_t;
+ ')
-+
+
+- corecmd_search_bin($1)
+- domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t)
+ allow $1 winbind_exec_t:file getattr;
-+')
-+
- ########################################
+ ')
+
+-#######################################
++########################################
## <summary>
- ## Execute winbind_helper in the winbind_helper domain.
-@@ -564,6 +709,7 @@ interface(`samba_domtrans_winbind_helper',`
+-## Get attributes of winbind executable files.
++## Execute winbind_helper in the winbind_helper domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
++## Domain allowed to transition.
+ ## </summary>
+ ## </param>
+ #
+-interface(`samba_getattr_winbind_exec',`
++interface(`samba_domtrans_winbind_helper',`
+ gen_require(`
+- type winbind_exec_t;
++ type winbind_helper_t, winbind_helper_exec_t;
')
- domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t)
+- allow $1 winbind_exec_t:file getattr_file_perms;
++ domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t)
+ allow $1 winbind_helper_t:process signal;
')
########################################
-@@ -607,7 +753,7 @@ interface(`samba_read_winbind_pid',`
- type winbind_var_run_t;
+ ## <summary>
+-## Execute winbind helper in the winbind
+-## helper domain, and allow the specified
+-## role the winbind helper domain.
++## Execute winbind_helper in the winbind_helper domain, and
++## allow the specified role the winbind_helper domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -618,16 +731,16 @@ interface(`samba_getattr_winbind_exec',`
+ #
+ interface(`samba_run_winbind_helper',`
+ gen_require(`
+- attribute_role winbind_helper_roles;
++ type winbind_helper_t;
+ ')
+
+ samba_domtrans_winbind_helper($1)
+- roleattribute $2 winbind_helper_roles;
++ role $2 types winbind_helper_t;
+ ')
+
+ ########################################
+ ## <summary>
+-## Read winbind pid files.
++## Allow the specified domain to read the winbind pid files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -637,17 +750,16 @@ interface(`samba_run_winbind_helper',`
+ #
+ interface(`samba_read_winbind_pid',`
+ gen_require(`
+- type winbind_var_run_t, smbd_var_run_t;
++ type winbind_var_run_t;
')
- files_search_pids($1)
+- read_files_pattern($1, { smbd_var_run_t winbind_var_run_t }, winbind_var_run_t)
+ samba_search_pid($1)
- allow $1 winbind_var_run_t:file read_file_perms;
++ allow $1 winbind_var_run_t:file read_file_perms;
')
-@@ -626,9 +772,10 @@ interface(`samba_stream_connect_winbind',`
- type samba_var_t, winbind_t, winbind_var_run_t;
+ ########################################
+ ## <summary>
+-## Connect to winbind with a unix
+-## domain stream socket.
++## Connect to winbind.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -657,17 +769,61 @@ interface(`samba_read_winbind_pid',`
+ #
+ interface(`samba_stream_connect_winbind',`
+ gen_require(`
+- type samba_var_t, winbind_t, winbind_var_run_t, smbd_var_run_t;
++ type samba_var_t, winbind_t, winbind_var_run_t;
')
- files_search_pids($1)
+- stream_connect_pattern($1, { smbd_var_run_t samba_var_t winbind_var_run_t }, winbind_var_run_t, winbind_t)
+ samba_search_pid($1)
- allow $1 samba_var_t:dir search_dir_perms;
- stream_connect_pattern($1, winbind_var_run_t, winbind_var_run_t, winbind_t)
++ allow $1 samba_var_t:dir search_dir_perms;
++ stream_connect_pattern($1, winbind_var_run_t, winbind_var_run_t, winbind_t)
+ samba_read_config($1)
-
- ifndef(`distro_redhat',`
- gen_require(`
-@@ -644,6 +791,37 @@ interface(`samba_stream_connect_winbind',`
++
++ ifndef(`distro_redhat',`
++ gen_require(`
++ type winbind_tmp_t;
++ ')
++
++ # the default for the socket is (poorly named):
++ # /tmp/.winbindd/pipe
++ files_search_tmp($1)
++ stream_connect_pattern($1, winbind_tmp_t, winbind_tmp_t, winbind_t)
++ ')
+ ')
########################################
## <summary>
+-## All of the rules required to
+-## administrate an samba environment.
+## Create a set of derived types for apache
+## web content.
+## </summary>
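Review bot: In `samba_manage_var_files` the line this hunk adds duplicates the `files_search_var_lib($1)` call immediately above it, while the sibling interfaces `samba_search_var`, `samba_read_var_files` and `samba_rw_var_files` gain `files_search_var($1)` instead, so the intended line is almost certainly `files_search_var($1)`. The rewritten summaries for `samba_manage_config` and `samba_manage_var_files` now say `read and write`, which understates what a manage interface grants (create, read, write and delete); the upstream wording being replaced was accurate and should be kept, and the `Domain allowed to transition.` parameter text on the new `samba_getattr_winbind` should be `Domain allowed access.` since no transition occurs. `samba_read_winbind_pid` now pairs `samba_search_pid($1)` with a bare `allow $1 winbind_var_run_t:file read_file_perms`, dropping the directory search that upstream's `read_files_pattern` supplied; unless `samba_search_pid` (defined outside this hunk) covers winbind_var_run_t directories such as `/var/run/samba/winbindd`, callers will be denied search on the pid directory, so `read_files_pattern($1, winbind_var_run_t, winbind_var_run_t)` is the safer form.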
@@ -59090,29 +66925,29 @@ index 82cb169..a6bab06 100644
+
+########################################
+## <summary>
- ## All of the rules required to administrate
- ## an samba environment
++## All of the rules required to administrate
++## an samba environment
## </summary>
-@@ -661,33 +839,33 @@ interface(`samba_stream_connect_winbind',`
- #
+ ## <param name="domain">
+ ## <summary>
+@@ -676,7 +832,7 @@ interface(`samba_stream_connect_winbind',`
+ ## </param>
+ ## <param name="role">
+ ## <summary>
+-## Role allowed access.
++## The role to be allowed to manage the samba domain.
+ ## </summary>
+ ## </param>
+ ## <rolecap/>
+@@ -684,41 +840,71 @@ interface(`samba_stream_connect_winbind',`
interface(`samba_admin',`
gen_require(`
-- type nmbd_t, nmbd_var_run_t;
-- type smbd_t, smbd_tmp_t;
-- type smbd_var_run_t;
-- type smbd_spool_t;
--
-- type samba_log_t, samba_var_t;
-- type samba_etc_t, samba_share_t;
-- type samba_secrets_t;
--
-- type swat_var_run_t, swat_tmp_t;
--
+ type nmbd_t, nmbd_var_run_t, smbd_var_run_t;
+- type smbd_t, smbd_tmp_t, smbd_spool_t;
+- type samba_log_t, samba_var_t, samba_secrets_t;
+- type samba_etc_t, samba_share_t, samba_initrc_exec_t;
+- type swat_var_run_t, swat_tmp_t, winbind_log_t;
- type winbind_var_run_t, winbind_tmp_t;
-- type winbind_log_t;
--
-- type samba_initrc_exec_t;
-+ type nmbd_t, nmbd_var_run_t, smbd_var_run_t;
+ type smbd_t, smbd_tmp_t, samba_secrets_t;
+ type samba_initrc_exec_t, samba_log_t, samba_var_t;
+ type samba_etc_t, samba_share_t, winbind_log_t;
@@ -59121,23 +66956,19 @@ index 82cb169..a6bab06 100644
+ type samba_unit_file_t;
')
-- allow $1 smbd_t:process { ptrace signal_perms };
+- allow $1 { nmbd_t smbd_t }:process { ptrace signal_perms };
+- ps_process_pattern($1, { nmbd_t smbd_t })
+ allow $1 smbd_t:process signal_perms;
- ps_process_pattern($1, smbd_t)
++ ps_process_pattern($1, smbd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 smbd_t:process ptrace;
+ allow $1 nmbd_t:process ptrace;
+ allow $1 samba_unconfined_script_t:process ptrace;
+ ')
-
-- allow $1 nmbd_t:process { ptrace signal_perms };
++
+ allow $1 nmbd_t:process signal_perms;
- ps_process_pattern($1, nmbd_t)
-
-- samba_run_smbcontrol($1, $2, $3)
-- samba_run_winbind_helper($1, $2, $3)
-- samba_run_smbmount($1, $2, $3)
-- samba_run_net($1, $2, $3)
++ ps_process_pattern($1, nmbd_t)
++
+ allow $1 samba_unconfined_script_t:process signal_perms;
+ ps_process_pattern($1, samba_unconfined_script_t)
+
@@ -59148,20 +66979,51 @@ index 82cb169..a6bab06 100644
init_labeled_script_domtrans($1, samba_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -709,9 +887,6 @@ interface(`samba_admin',`
- admin_pattern($1, samba_var_t)
- files_list_var($1)
+ role_transition $2 samba_initrc_exec_t system_r;
+ allow $2 system_r;
+
+- files_list_etc($1)
++ admin_pattern($1, nmbd_var_run_t)
++
+ admin_pattern($1, samba_etc_t)
++ files_list_etc($1)
+
++ admin_pattern($1, samba_log_t)
+ logging_list_logs($1)
+- admin_pattern($1, { samba_log_t winbind_log_t })
+
+- files_list_var($1)
+- admin_pattern($1, { samba_share_t samba_var_t samba_secrets_t })
++ admin_pattern($1, samba_secrets_t)
-- admin_pattern($1, smbd_spool_t)
- files_list_spool($1)
--
- admin_pattern($1, smbd_var_run_t)
+- admin_pattern($1, smbd_spool_t)
++ admin_pattern($1, samba_share_t)
++
++ admin_pattern($1, samba_var_t)
++ files_list_var($1)
+
++ admin_pattern($1, smbd_var_run_t)
files_list_pids($1)
+- admin_pattern($1, { winbind_var_run_t smbd_var_run_t swat_var_run_t nmbd_var_run_t })
-@@ -727,4 +902,9 @@ interface(`samba_admin',`
- admin_pattern($1, winbind_tmp_t)
++ admin_pattern($1, smbd_tmp_t)
+ files_list_tmp($1)
+- admin_pattern($1, { swat_tmp_t smbd_tmp_t winbind_tmp_t })
- admin_pattern($1, winbind_var_run_t)
+- samba_run_smbcontrol($1, $2)
+- samba_run_winbind_helper($1, $2)
+- samba_run_smbmount($1, $2)
+- samba_run_net($1, $2)
++ admin_pattern($1, swat_var_run_t)
++
++ admin_pattern($1, swat_tmp_t)
++
++ admin_pattern($1, winbind_log_t)
++
++ admin_pattern($1, winbind_tmp_t)
++
++ admin_pattern($1, winbind_var_run_t)
+ admin_pattern($1, samba_unconfined_script_exec_t)
+
+ samba_systemctl($1)
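Review bot: The `+-samba_run_smbcontrol($1, $2)`, `+-samba_run_winbind_helper($1, $2)`, `+-samba_run_smbmount($1, $2)` and `+-samba_run_net($1, $2)` lines remove the helper-domain transitions from samba_admin, while the same hunk keeps `admin_pattern($1, samba_unconfined_script_exec_t)`, so the admin domain can still write the executable samba runs unconfined but no longer enters smbcontrol_t, samba_net_t, smbmount_t or winbind_helper_t when it runs those tools. If the run interfaces are now wired up elsewhere this is fine; otherwise an administrator invoking smbcontrol or net stays in its own domain and the per-tool confinement is lost. A comment above the `admin_pattern` block such as `# helper-domain transitions are no longer granted here; see the samba_run_* interfaces` would tell the next reader where to look. The samba_admin interface starts before this hunk.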
@@ -59169,34 +67031,153 @@ index 82cb169..a6bab06 100644
+ allow $1 samba_unit_file_t:service all_service_perms;
')
diff --git a/samba.te b/samba.te
-index 905883f..7e70344 100644
+index 57c034b..7e70344 100644
--- a/samba.te
+++ b/samba.te
-@@ -12,7 +12,7 @@ policy_module(samba, 1.15.0)
- ## public_content_rw_t.
- ## </p>
+@@ -1,4 +1,4 @@
+-policy_module(samba, 1.15.7)
++policy_module(samba, 1.15.0)
+
+ #################################
+ #
+@@ -6,100 +6,80 @@ policy_module(samba, 1.15.7)
+ #
+
+ ## <desc>
+-## <p>
+-## Determine whether samba can modify
+-## public files used for public file
+-## transfer services. Directories/Files must
+-## be labeled public_content_rw_t.
+-## </p>
++## <p>
++## Allow samba to modify public files used for public file
++## transfer services. Files/Directories must be labeled
++## public_content_rw_t.
++## </p>
## </desc>
-gen_tunable(allow_smbd_anon_write, false)
+gen_tunable(smbd_anon_write, false)
## <desc>
- ## <p>
-@@ -32,6 +32,14 @@ gen_tunable(samba_domain_controller, false)
+-## <p>
+-## Determine whether samba can
+-## create home directories via pam.
+-## </p>
++## <p>
++## Allow samba to create new home directories (e.g. via PAM)
++## </p>
+ ## </desc>
+ gen_tunable(samba_create_home_dirs, false)
+
+ ## <desc>
+-## <p>
+-## Determine whether samba can act as the
+-## domain controller, add users, groups
+-## and change passwords.
+-## </p>
++## <p>
++## Allow samba to act as the domain controller, add users,
++## groups and change passwords.
++##
++## </p>
+ ## </desc>
+ gen_tunable(samba_domain_controller, false)
## <desc>
- ## <p>
+-## <p>
+-## Determine whether samba can
+-## act as a portmapper.
+-## </p>
++## <p>
+## Allow samba to act as a portmapper
+##
+## </p>
-+## </desc>
-+gen_tunable(samba_portmapper, false)
-+
-+## <desc>
+ ## </desc>
+ gen_tunable(samba_portmapper, false)
+
+ ## <desc>
+-## <p>
+-## Determine whether samba can share
+-## users home directories.
+-## </p>
+## <p>
- ## Allow samba to share users home directories.
- ## </p>
++## Allow samba to share users home directories.
++## </p>
+ ## </desc>
+ gen_tunable(samba_enable_home_dirs, false)
+
+ ## <desc>
+-## <p>
+-## Determine whether samba can share
+-## any content read only.
+-## </p>
++## <p>
++## Allow samba to share any file/directory read only.
++## </p>
+ ## </desc>
+ gen_tunable(samba_export_all_ro, false)
+
+ ## <desc>
+-## <p>
+-## Determine whether samba can share any
+-## content readable and writable.
+-## </p>
++## <p>
++## Allow samba to share any file/directory read/write.
++## </p>
## </desc>
-@@ -85,6 +93,9 @@ files_config_file(samba_etc_t)
+ gen_tunable(samba_export_all_rw, false)
+
+ ## <desc>
+-## <p>
+-## Determine whether samba can
+-## run unconfined scripts.
+-## </p>
++## <p>
++## Allow samba to run unconfined scripts
++## </p>
+ ## </desc>
+ gen_tunable(samba_run_unconfined, false)
+
+ ## <desc>
+-## <p>
+-## Determine whether samba can
+-## use nfs file systems.
+-## </p>
++## <p>
++## Allow samba to export NFS volumes.
++## </p>
+ ## </desc>
+ gen_tunable(samba_share_nfs, false)
+
+ ## <desc>
+-## <p>
+-## Determine whether samba can
+-## use fuse file systems.
+-## </p>
++## <p>
++## Allow samba to export ntfs/fusefs volumes.
++## </p>
+ ## </desc>
+ gen_tunable(samba_share_fusefs, false)
+
+-attribute_role samba_net_roles;
+-roleattribute system_r samba_net_roles;
+-
+-attribute_role smbcontrol_roles;
+-roleattribute system_r smbcontrol_roles;
+-
+-attribute_role smbmount_roles;
+-roleattribute system_r smbmount_roles;
+-
+-attribute_role winbind_helper_roles;
+-roleattribute system_r winbind_helper_roles;
+-
+ type nmbd_t;
+ type nmbd_exec_t;
+ init_daemon_domain(nmbd_t, nmbd_exec_t)
+@@ -113,13 +93,16 @@ files_config_file(samba_etc_t)
type samba_initrc_exec_t;
init_script_file(samba_initrc_exec_t)
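Review bot: The boolean is renamed from `allow_smbd_anon_write` to `smbd_anon_write` in the `gen_tunable` pair near the top of this hunk, but nothing in the hunk maps the old name to the new one; unless a boolean alias (a booleans.subs mapping) ships elsewhere, existing `setsebool allow_smbd_anon_write` invocations fail after the upgrade and any locally persisted value for the old name no longer applies, leaving the share at the `false` default. The `++policy_module(samba, 1.15.0)` line also sets the module version below upstream's 1.15.7 (`+-policy_module(samba, 1.15.7)`), which makes version comparisons between upstream and distribution policy misleading; either bump to match or add `# version intentionally held at 1.15.0; distribution changes are carried in the contrib patch` so the divergence reads as deliberate.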
@@ -59206,7 +67187,48 @@ index 905883f..7e70344 100644
type samba_log_t;
logging_log_file(samba_log_t)
-@@ -152,9 +163,6 @@ domain_entry_file(winbind_helper_t, winbind_helper_exec_t)
+ type samba_net_t;
+ type samba_net_exec_t;
+ application_domain(samba_net_t, samba_net_exec_t)
+-role samba_net_roles types samba_net_t;
++role system_r types samba_net_t;
+
+ type samba_net_tmp_t;
+ files_tmp_file(samba_net_tmp_t)
+@@ -136,7 +119,7 @@ files_type(samba_var_t)
+ type smbcontrol_t;
+ type smbcontrol_exec_t;
+ application_domain(smbcontrol_t, smbcontrol_exec_t)
+-role smbcontrol_roles types smbcontrol_t;
++role system_r types smbcontrol_t;
+
+ type smbd_t;
+ type smbd_exec_t;
+@@ -149,9 +132,10 @@ type smbd_var_run_t;
+ files_pid_file(smbd_var_run_t)
+
+ type smbmount_t;
++domain_type(smbmount_t)
++
+ type smbmount_exec_t;
+-application_domain(smbmount_t, smbmount_exec_t)
+-role smbmount_roles types smbmount_t;
++domain_entry_file(smbmount_t, smbmount_exec_t)
+
+ type swat_t;
+ type swat_exec_t;
+@@ -170,27 +154,28 @@ type winbind_exec_t;
+ init_daemon_domain(winbind_t, winbind_exec_t)
+
+ type winbind_helper_t;
++domain_type(winbind_helper_t)
++role system_r types winbind_helper_t;
++
+ type winbind_helper_exec_t;
+-application_domain(winbind_helper_t, winbind_helper_exec_t)
+-role winbind_helper_roles types winbind_helper_t;
++domain_entry_file(winbind_helper_t, winbind_helper_exec_t)
+
type winbind_log_t;
logging_log_file(winbind_log_t)
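Review bot: `smbmount_t` loses its role declaration (`+-role smbmount_roles types smbmount_t;`) but, unlike `samba_net_t` (`++role system_r types samba_net_t;`), `smbcontrol_t` (`++role system_r types smbcontrol_t;`) and `winbind_helper_t` (`++role system_r types winbind_helper_t;`), gets no replacement in this hunk. Unless a `role … types smbmount_t` statement exists elsewhere (for example in the corresponding run interface), a transition into smbmount_t from system_r would be rejected by the role-type check. Adding `role system_r types smbmount_t;` next to `domain_type(smbmount_t)` keeps the four helper domains declared the same way.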
@@ -59216,29 +67238,50 @@ index 905883f..7e70344 100644
type winbind_var_run_t;
files_pid_file(winbind_var_run_t)
-@@ -181,11 +189,12 @@ files_tmp_filetrans(samba_net_t, samba_net_tmp_t, { file dir })
- manage_dirs_pattern(samba_net_t, samba_var_t, samba_var_t)
- manage_files_pattern(samba_net_t, samba_var_t, samba_var_t)
+ ########################################
+ #
+-# Net local policy
++# Samba net local policy
+ #
+-
+ allow samba_net_t self:capability { sys_chroot sys_nice dac_read_search dac_override };
+ allow samba_net_t self:process { getsched setsched };
+-allow samba_net_t self:unix_stream_socket { accept listen };
++allow samba_net_t self:unix_dgram_socket create_socket_perms;
++allow samba_net_t self:unix_stream_socket create_stream_socket_perms;
++allow samba_net_t self:udp_socket create_socket_perms;
++allow samba_net_t self:tcp_socket create_socket_perms;
+
+ allow samba_net_t samba_etc_t:file read_file_perms;
+
+@@ -206,17 +191,22 @@ manage_files_pattern(samba_net_t, samba_var_t, samba_var_t)
manage_lnk_files_pattern(samba_net_t, samba_var_t, samba_var_t)
-+files_var_filetrans(samba_net_t, samba_var_t, dir, "samba")
+ files_var_filetrans(samba_net_t, samba_var_t, dir, "samba")
- kernel_read_proc_symlinks(samba_net_t)
++kernel_read_proc_symlinks(samba_net_t)
kernel_read_system_state(samba_net_t)
-+kernel_read_network_state(samba_net_t)
+ kernel_read_network_state(samba_net_t)
-corenet_all_recvfrom_unlabeled(samba_net_t)
corenet_all_recvfrom_netlabel(samba_net_t)
- corenet_tcp_sendrecv_generic_if(samba_net_t)
++corenet_tcp_sendrecv_generic_if(samba_net_t)
corenet_udp_sendrecv_generic_if(samba_net_t)
-@@ -203,7 +212,6 @@ dev_read_urand(samba_net_t)
-
- domain_use_interactive_fds(samba_net_t)
++corenet_raw_sendrecv_generic_if(samba_net_t)
+ corenet_tcp_sendrecv_generic_node(samba_net_t)
+-
+-corenet_sendrecv_smbd_client_packets(samba_net_t)
++corenet_udp_sendrecv_generic_node(samba_net_t)
++corenet_raw_sendrecv_generic_node(samba_net_t)
++corenet_tcp_sendrecv_all_ports(samba_net_t)
++corenet_udp_sendrecv_all_ports(samba_net_t)
++corenet_tcp_bind_generic_node(samba_net_t)
++corenet_udp_bind_generic_node(samba_net_t)
+ corenet_tcp_connect_smbd_port(samba_net_t)
+-corenet_tcp_sendrecv_smbd_port(samba_net_t)
--files_read_etc_files(samba_net_t)
- files_read_usr_symlinks(samba_net_t)
+ dev_read_urand(samba_net_t)
- auth_use_nsswitch(samba_net_t)
-@@ -211,15 +219,16 @@ auth_manage_cache(samba_net_t)
+@@ -229,54 +219,60 @@ auth_manage_cache(samba_net_t)
logging_send_syslog_msg(samba_net_t)
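Review bot: `++corenet_raw_sendrecv_generic_if(samba_net_t)` and `++corenet_raw_sendrecv_generic_node(samba_net_t)` are dead rules unless samba_net_t is also allowed `self:rawip_socket` somewhere; the self socket rules added just above grant only unix_dgram, unix_stream, udp and tcp sockets, so either add `allow samba_net_t self:rawip_socket create_socket_perms;` or drop the two raw rules. The same pair is added for smbd_t in the next samba.te hunk (`++corenet_raw_sendrecv_generic_if(smbd_t)` / `++corenet_raw_sendrecv_generic_node(smbd_t)`), where the visible smbd_t self rules likewise contain no rawip_socket. Separately, `++corenet_tcp_sendrecv_all_ports(samba_net_t)` and `++corenet_udp_sendrecv_all_ports(samba_net_t)` replace the port-specific `corenet_tcp_sendrecv_smbd_port` the patch removes; if the wider grant is needed for the kerberos/nsswitch traffic this domain does, a one-line comment naming that reason would justify it to a reader doing least-privilege review.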
@@ -59259,138 +67302,211 @@ index 905883f..7e70344 100644
')
optional_policy(`
-@@ -228,13 +237,15 @@ optional_policy(`
+- pcscd_read_pid_files(samba_net_t)
++ pcscd_read_pub_files(samba_net_t)
+ ')
optional_policy(`
kerberos_use(samba_net_t)
+- kerberos_etc_filetrans_keytab(samba_net_t, file)
+ kerberos_etc_filetrans_keytab(samba_net_t)
')
########################################
#
- # smbd Local policy
+-# Smbd Local policy
++# smbd Local policy
#
--allow smbd_t self:capability { chown fowner setgid setuid sys_nice sys_resource lease dac_override dac_read_search };
-+
-+allow smbd_t self:capability { chown fowner kill fsetid setgid setuid sys_chroot sys_nice sys_admin sys_resource lease dac_override dac_read_search };
+
+ allow smbd_t self:capability { chown fowner kill fsetid setgid setuid sys_chroot sys_nice sys_admin sys_resource lease dac_override dac_read_search };
dontaudit smbd_t self:capability sys_tty_config;
- allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
- allow smbd_t self:process setrlimit;
-@@ -244,6 +255,7 @@ allow smbd_t self:msg { send receive };
+-allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
++allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
++allow smbd_t self:process setrlimit;
+ allow smbd_t self:fd use;
+ allow smbd_t self:fifo_file rw_fifo_file_perms;
+ allow smbd_t self:msg { send receive };
allow smbd_t self:msgq create_msgq_perms;
allow smbd_t self:sem create_sem_perms;
allow smbd_t self:shm create_shm_perms;
+-allow smbd_t self:tcp_socket { accept listen };
+-allow smbd_t self:unix_dgram_socket sendto;
+-allow smbd_t self:unix_stream_socket { accept connectto listen };
+allow smbd_t self:key manage_key_perms;
- allow smbd_t self:sock_file read_sock_file_perms;
- allow smbd_t self:tcp_socket create_stream_socket_perms;
- allow smbd_t self:udp_socket create_socket_perms;
-@@ -253,6 +265,7 @@ allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
- allow smbd_t nmbd_t:process { signal signull };
++allow smbd_t self:sock_file read_sock_file_perms;
++allow smbd_t self:tcp_socket create_stream_socket_perms;
++allow smbd_t self:udp_socket create_socket_perms;
++allow smbd_t self:unix_dgram_socket { create_socket_perms sendto };
++allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
++
++allow smbd_t nmbd_t:process { signal signull };
- allow smbd_t nmbd_var_run_t:file rw_file_perms;
+-allow smbd_t { swat_t winbind_t smbcontrol_t nmbd_t }:process { signal signull };
++allow smbd_t nmbd_var_run_t:file rw_file_perms;
+stream_connect_pattern(smbd_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
- allow smbd_t samba_etc_t:file { rw_file_perms setattr };
+-allow smbd_t samba_etc_t:file { rw_file_perms setattr_file_perms };
++allow smbd_t samba_etc_t:file { rw_file_perms setattr };
-@@ -267,12 +280,13 @@ filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file)
- manage_dirs_pattern(smbd_t, samba_share_t, samba_share_t)
- manage_files_pattern(smbd_t, samba_share_t, samba_share_t)
- manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t)
--allow smbd_t samba_share_t:filesystem getattr;
-+allow smbd_t samba_share_t:filesystem { getattr quotaget };
+ manage_dirs_pattern(smbd_t, samba_log_t, samba_log_t)
+-append_files_pattern(smbd_t, samba_log_t, samba_log_t)
+-create_files_pattern(smbd_t, samba_log_t, samba_log_t)
+-setattr_files_pattern(smbd_t, samba_log_t, samba_log_t)
++manage_files_pattern(smbd_t, samba_log_t, samba_log_t)
- manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t)
- manage_files_pattern(smbd_t, samba_var_t, samba_var_t)
- manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t)
- manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t)
-+files_var_filetrans(smbd_t, samba_var_t, dir, "samba")
+-allow smbd_t samba_net_tmp_t:file getattr_file_perms;
++allow smbd_t samba_net_tmp_t:file getattr;
- allow smbd_t smbcontrol_t:process { signal signull };
+ manage_files_pattern(smbd_t, samba_secrets_t, samba_secrets_t)
+ filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file)
+@@ -292,6 +288,8 @@ manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t)
+ manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t)
+ files_var_filetrans(smbd_t, samba_var_t, dir, "samba")
-@@ -283,7 +297,7 @@ files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
- manage_dirs_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
- manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
++allow smbd_t smbcontrol_t:process { signal signull };
++
+ manage_dirs_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t)
+ manage_files_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t)
+ files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
+@@ -301,11 +299,11 @@ manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
--files_pid_filetrans(smbd_t, smbd_var_run_t, file)
-+files_pid_filetrans(smbd_t, smbd_var_run_t, { dir file })
+ files_pid_filetrans(smbd_t, smbd_var_run_t, { dir file })
+
+-allow smbd_t winbind_var_run_t:sock_file read_sock_file_perms;
+-stream_connect_pattern(smbd_t, winbind_var_run_t, winbind_var_run_t, winbind_t)
++allow smbd_t swat_t:process signal;
+
+-allow smbd_t nmbd_var_run_t:file read_file_perms;
+-stream_connect_pattern(smbd_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
++allow smbd_t winbind_var_run_t:sock_file rw_sock_file_perms;
++
++allow smbd_t winbind_t:process { signal signull };
- allow smbd_t swat_t:process signal;
+ kernel_getattr_core_if(smbd_t)
+ kernel_getattr_message_if(smbd_t)
+@@ -315,43 +313,33 @@ kernel_read_kernel_sysctls(smbd_t)
+ kernel_read_software_raid_state(smbd_t)
+ kernel_read_system_state(smbd_t)
-@@ -302,7 +316,6 @@ kernel_read_system_state(smbd_t)
+-corecmd_exec_bin(smbd_t)
corecmd_exec_shell(smbd_t)
- corecmd_exec_bin(smbd_t)
++corecmd_exec_bin(smbd_t)
-corenet_all_recvfrom_unlabeled(smbd_t)
corenet_all_recvfrom_netlabel(smbd_t)
corenet_tcp_sendrecv_generic_if(smbd_t)
- corenet_udp_sendrecv_generic_if(smbd_t)
-@@ -320,6 +333,7 @@ corenet_tcp_connect_smbd_port(smbd_t)
++corenet_udp_sendrecv_generic_if(smbd_t)
++corenet_raw_sendrecv_generic_if(smbd_t)
+ corenet_tcp_sendrecv_generic_node(smbd_t)
++corenet_udp_sendrecv_generic_node(smbd_t)
++corenet_raw_sendrecv_generic_node(smbd_t)
++corenet_tcp_sendrecv_all_ports(smbd_t)
++corenet_udp_sendrecv_all_ports(smbd_t)
+ corenet_tcp_bind_generic_node(smbd_t)
+-
+-corenet_sendrecv_smbd_client_packets(smbd_t)
+-corenet_tcp_connect_smbd_port(smbd_t)
+-corenet_sendrecv_smbd_server_packets(smbd_t)
++corenet_udp_bind_generic_node(smbd_t)
+ corenet_tcp_bind_smbd_port(smbd_t)
+-corenet_tcp_sendrecv_smbd_port(smbd_t)
+-
+-corenet_sendrecv_ipp_client_packets(smbd_t)
+ corenet_tcp_connect_ipp_port(smbd_t)
+-corenet_tcp_sendrecv_ipp_port(smbd_t)
++corenet_tcp_connect_smbd_port(smbd_t)
dev_read_sysfs(smbd_t)
dev_read_urand(smbd_t)
+dev_dontaudit_write_urand(smbd_t)
dev_getattr_mtrr_dev(smbd_t)
dev_dontaudit_getattr_usbfs_dirs(smbd_t)
- # For redhat bug 566984
-@@ -327,26 +341,29 @@ dev_getattr_all_blk_files(smbd_t)
++# For redhat bug 566984
+ dev_getattr_all_blk_files(smbd_t)
dev_getattr_all_chr_files(smbd_t)
+-domain_use_interactive_fds(smbd_t)
+-domain_dontaudit_list_all_domains_state(smbd_t)
+-
+-files_list_var_lib(smbd_t)
+-files_read_etc_runtime_files(smbd_t)
+-files_read_usr_files(smbd_t)
+-files_search_spool(smbd_t)
+-files_dontaudit_getattr_all_dirs(smbd_t)
+-files_dontaudit_list_all_mountpoints(smbd_t)
+-files_list_mnt(smbd_t)
+-
fs_getattr_all_fs(smbd_t)
-+fs_getattr_all_dirs(smbd_t)
+ fs_getattr_all_dirs(smbd_t)
fs_get_xattr_fs_quotas(smbd_t)
- fs_search_auto_mountpoints(smbd_t)
- fs_getattr_rpc_dirs(smbd_t)
+@@ -360,44 +348,55 @@ fs_getattr_rpc_dirs(smbd_t)
fs_list_inotifyfs(smbd_t)
-+fs_get_all_fs_quotas(smbd_t)
+ fs_get_all_fs_quotas(smbd_t)
+-term_use_ptmx(smbd_t)
+-
auth_use_nsswitch(smbd_t)
auth_domtrans_chk_passwd(smbd_t)
auth_domtrans_upd_passwd(smbd_t)
auth_manage_cache(smbd_t)
-+auth_write_login_records(smbd_t)
-
- domain_use_interactive_fds(smbd_t)
- domain_dontaudit_list_all_domains_state(smbd_t)
-
- files_list_var_lib(smbd_t)
--files_read_etc_files(smbd_t)
- files_read_etc_runtime_files(smbd_t)
- files_read_usr_files(smbd_t)
- files_search_spool(smbd_t)
- # smbd seems to getattr all mountpoints
- files_dontaudit_getattr_all_dirs(smbd_t)
+ auth_write_login_records(smbd_t)
+
++domain_use_interactive_fds(smbd_t)
++domain_dontaudit_list_all_domains_state(smbd_t)
++
++files_list_var_lib(smbd_t)
++files_read_etc_runtime_files(smbd_t)
++files_read_usr_files(smbd_t)
++files_search_spool(smbd_t)
++# smbd seems to getattr all mountpoints
++files_dontaudit_getattr_all_dirs(smbd_t)
+files_dontaudit_list_all_mountpoints(smbd_t)
- # Allow samba to list mnt_t for potential mounted dirs
- files_list_mnt(smbd_t)
++# Allow samba to list mnt_t for potential mounted dirs
++files_list_mnt(smbd_t)
++
+ init_rw_utmp(smbd_t)
-@@ -355,9 +372,10 @@ init_rw_utmp(smbd_t)
logging_search_logs(smbd_t)
logging_send_syslog_msg(smbd_t)
-miscfiles_read_localization(smbd_t)
miscfiles_read_public_files(smbd_t)
-+sysnet_use_ldap(smbd_t)
-+
+ sysnet_use_ldap(smbd_t)
+
userdom_use_unpriv_users_fds(smbd_t)
- userdom_search_user_home_content(smbd_t)
++userdom_search_user_home_content(smbd_t)
userdom_signal_all_users(smbd_t)
-@@ -372,8 +390,13 @@ ifdef(`hide_broken_symptoms', `
+-userdom_home_filetrans_user_home_dir(smbd_t)
+-userdom_user_home_dir_filetrans_user_home_content(smbd_t, { dir file lnk_file sock_file fifo_file })
+
+ usermanage_read_crack_db(smbd_t)
+
+-ifdef(`hide_broken_symptoms',`
++term_use_ptmx(smbd_t)
++
++ifdef(`hide_broken_symptoms', `
+ files_dontaudit_getattr_default_dirs(smbd_t)
+ files_dontaudit_getattr_boot_dirs(smbd_t)
fs_dontaudit_getattr_tmpfs_dirs(smbd_t)
')
-tunable_policy(`allow_smbd_anon_write',`
+tunable_policy(`smbd_anon_write',`
miscfiles_manage_public_files(smbd_t)
+-')
+')
-+
+
+-tunable_policy(`samba_create_home_dirs',`
+- allow smbd_t self:capability chown;
+- userdom_create_user_home_dirs(smbd_t)
+tunable_policy(`samba_portmapper',`
+ corenet_tcp_bind_epmap_port(smbd_t)
+ corenet_tcp_bind_all_unreserved_ports(smbd_t)
')
tunable_policy(`samba_domain_controller',`
-@@ -389,12 +412,7 @@ tunable_policy(`samba_domain_controller',`
+@@ -413,20 +412,10 @@ tunable_policy(`samba_domain_controller',`
')
tunable_policy(`samba_enable_home_dirs',`
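Review bot: The patch drops `stream_connect_pattern(smbd_t, winbind_var_run_t, winbind_var_run_t, winbind_t)` and adds only `++allow smbd_t winbind_var_run_t:sock_file rw_sock_file_perms;`; that grants write on the socket file but not `winbind_t:unix_stream_socket connectto`, so unless smbd_t gets the connect rule elsewhere (for instance through samba_stream_connect_winbind) smbd's winbindd lookups would be denied. Keeping `stream_connect_pattern(smbd_t, winbind_var_run_t, winbind_var_run_t, winbind_t)` next to the rw_sock_file rule restores the full path. A minor style point: `++allow smbd_t self:process ~{ ... setrlimit ... }` immediately followed by `++allow smbd_t self:process setrlimit;` is equivalent to not excluding setrlimit in the first rule; if the split is meant to make the grant visible, say so in a comment, otherwise merge them.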
@@ -59399,104 +67515,131 @@ index 905883f..7e70344 100644
- userdom_manage_user_home_content_symlinks(smbd_t)
- userdom_manage_user_home_content_sockets(smbd_t)
- userdom_manage_user_home_content_pipes(smbd_t)
-- userdom_user_home_dir_filetrans_user_home_content(smbd_t, { dir file lnk_file sock_file fifo_file })
+-')
+-
+-tunable_policy(`samba_portmapper',`
+- corenet_sendrecv_all_server_packets(smbd_t)
+- corenet_tcp_bind_epmap_port(smbd_t)
+- corenet_tcp_bind_all_unreserved_ports(smbd_t)
+- corenet_tcp_sendrecv_all_ports(smbd_t)
+ userdom_manage_user_home_content(smbd_t)
')
- # Support Samba sharing of NFS mount points
-@@ -415,6 +433,15 @@ tunable_policy(`samba_share_fusefs',`
++# Support Samba sharing of NFS mount points
+ tunable_policy(`samba_share_nfs',`
+ fs_manage_nfs_dirs(smbd_t)
+ fs_manage_nfs_files(smbd_t)
+@@ -435,6 +424,7 @@ tunable_policy(`samba_share_nfs',`
+ fs_manage_nfs_named_sockets(smbd_t)
+ ')
+
++# Support Samba sharing of ntfs/fusefs mount points
+ tunable_policy(`samba_share_fusefs',`
+ fs_manage_fusefs_dirs(smbd_t)
+ fs_manage_fusefs_files(smbd_t)
+@@ -442,17 +432,6 @@ tunable_policy(`samba_share_fusefs',`
+ fs_search_fusefs(smbd_t)
')
+-tunable_policy(`samba_export_all_ro',`
+- fs_read_noxattr_fs_files(smbd_t)
+- files_list_non_auth_dirs(smbd_t)
+- files_read_non_auth_files(smbd_t)
+-')
+-
+-tunable_policy(`samba_export_all_rw',`
+- fs_read_noxattr_fs_files(smbd_t)
+- files_manage_non_auth_files(smbd_t)
+-')
+-
optional_policy(`
-+ ccs_read_config(smbd_t)
-+')
-+
-+optional_policy(`
-+ ctdbd_stream_connect(smbd_t)
-+ ctdbd_manage_lib_files(smbd_t)
-+')
-+
-+optional_policy(`
- cups_read_rw_config(smbd_t)
- cups_stream_connect(smbd_t)
+ ccs_read_config(smbd_t)
+ ')
+@@ -473,6 +452,11 @@ optional_policy(`
')
-@@ -426,6 +453,7 @@ optional_policy(`
optional_policy(`
- ldap_stream_connect(smbd_t)
++ ldap_stream_connect(smbd_t)
+ dirsrv_stream_connect(smbd_t)
++')
++
++optional_policy(`
+ lpd_exec_lpr(smbd_t)
')
- optional_policy(`
-@@ -452,26 +480,26 @@ optional_policy(`
- tunable_policy(`samba_create_home_dirs',`
- allow smbd_t self:capability chown;
- userdom_create_user_home_dirs(smbd_t)
-- userdom_home_filetrans_user_home_dir(smbd_t)
+@@ -493,9 +477,32 @@ optional_policy(`
+ udev_read_db(smbd_t)
')
++tunable_policy(`samba_create_home_dirs',`
++ allow smbd_t self:capability chown;
++ userdom_create_user_home_dirs(smbd_t)
++')
++
+userdom_home_filetrans_user_home_dir(smbd_t)
+
- tunable_policy(`samba_export_all_ro',`
-- fs_read_noxattr_fs_files(smbd_t)
-- files_list_non_auth_dirs(smbd_t)
-- files_read_non_auth_files(smbd_t)
-- fs_read_noxattr_fs_files(nmbd_t)
-- files_list_non_auth_dirs(nmbd_t)
-- files_read_non_auth_files(nmbd_t)
++tunable_policy(`samba_export_all_ro',`
+ fs_read_noxattr_fs_files(smbd_t)
+ files_read_non_security_files(smbd_t)
+ fs_read_noxattr_fs_files(nmbd_t)
+ files_read_non_security_files(nmbd_t)
- ')
-
- tunable_policy(`samba_export_all_rw',`
-- fs_read_noxattr_fs_files(smbd_t)
-- files_manage_non_auth_files(smbd_t)
-- fs_read_noxattr_fs_files(nmbd_t)
-- files_manage_non_auth_files(nmbd_t)
-- userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir })
++')
++
++tunable_policy(`samba_export_all_rw',`
+ fs_read_noxattr_fs_files(smbd_t)
+ files_manage_non_security_files(smbd_t)
+ fs_read_noxattr_fs_files(nmbd_t)
+ files_manage_non_security_files(nmbd_t)
- ')
-
++')
++
+userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir })
+
########################################
#
- # nmbd Local policy
-@@ -491,8 +519,11 @@ allow nmbd_t self:udp_socket create_socket_perms;
- allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
- allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
-
-+manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t)
+-# Nmbd Local policy
++# nmbd Local policy
+ #
+
+ dontaudit nmbd_t self:capability sys_tty_config;
+@@ -506,9 +513,11 @@ allow nmbd_t self:msg { send receive };
+ allow nmbd_t self:msgq create_msgq_perms;
+ allow nmbd_t self:sem create_sem_perms;
+ allow nmbd_t self:shm create_shm_perms;
+-allow nmbd_t self:tcp_socket { accept listen };
+-allow nmbd_t self:unix_dgram_socket sendto;
+-allow nmbd_t self:unix_stream_socket { accept connectto listen };
++allow nmbd_t self:sock_file read_sock_file_perms;
++allow nmbd_t self:tcp_socket create_stream_socket_perms;
++allow nmbd_t self:udp_socket create_socket_perms;
++allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
++allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+ manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t)
manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
--files_pid_filetrans(nmbd_t, nmbd_var_run_t, file)
-+manage_sock_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
-+files_pid_filetrans(nmbd_t, nmbd_var_run_t, { dir file sock_file })
-+filetrans_pattern(nmbd_t, smbd_var_run_t, nmbd_var_run_t, dir)
-
- read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
+@@ -520,20 +529,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
-@@ -501,11 +532,13 @@ manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
- manage_files_pattern(nmbd_t, samba_log_t, samba_log_t)
- manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
-+manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
-+manage_lnk_files_pattern(nmbd_t, samba_var_t, samba_var_t)
-+manage_sock_files_pattern(nmbd_t, samba_var_t, samba_var_t)
-+files_var_filetrans(nmbd_t, samba_var_t, dir, "samba")
+ manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
+-append_files_pattern(nmbd_t, samba_log_t, samba_log_t)
+-create_files_pattern(nmbd_t, samba_log_t, samba_log_t)
+-setattr_files_pattern(nmbd_t, samba_log_t, samba_log_t)
++manage_files_pattern(nmbd_t, samba_log_t, samba_log_t)
- allow nmbd_t smbcontrol_t:process signal;
+ manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
+ manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
+ manage_lnk_files_pattern(nmbd_t, samba_var_t, samba_var_t)
+ manage_sock_files_pattern(nmbd_t, samba_var_t, samba_var_t)
+-files_var_filetrans(nmbd_t, samba_var_t, dir, "nmbd")
+ files_var_filetrans(nmbd_t, samba_var_t, dir, "samba")
--allow nmbd_t smbd_var_run_t:dir rw_dir_perms;
+-allow nmbd_t { swat_t smbcontrol_t }:process signal;
-
+-allow nmbd_t smbd_var_run_t:dir rw_dir_perms;
++allow nmbd_t smbcontrol_t:process signal;
+
kernel_getattr_core_if(nmbd_t)
kernel_getattr_message_if(nmbd_t)
- kernel_read_kernel_sysctls(nmbd_t)
-@@ -513,7 +546,6 @@ kernel_read_network_state(nmbd_t)
+@@ -542,52 +546,40 @@ kernel_read_network_state(nmbd_t)
kernel_read_software_raid_state(nmbd_t)
kernel_read_system_state(nmbd_t)
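Review bot: `userdom_home_filetrans_user_home_dir(smbd_t)` and `userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir })` now sit outside the `samba_create_home_dirs` and `samba_export_all_rw` tunables whose create/manage rules they label; that is sound, since a type transition only selects a label and grants nothing without a matching create permission, but it reads as a mistake next to the tunable blocks. A comment on each, e.g. `# unconditional: only selects the label; creation is still gated by samba_create_home_dirs`, would stop a later cleanup from moving them back or deleting them. The `files_manage_non_security_files(nmbd_t)` grant under `samba_export_all_rw` also deserves a sentence explaining why the NetBIOS name daemon, rather than smbd alone, needs write access to exported content.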
@@ -59504,113 +67647,192 @@ index 905883f..7e70344 100644
corenet_all_recvfrom_netlabel(nmbd_t)
corenet_tcp_sendrecv_generic_if(nmbd_t)
corenet_udp_sendrecv_generic_if(nmbd_t)
-@@ -536,7 +568,6 @@ fs_search_auto_mountpoints(nmbd_t)
+ corenet_tcp_sendrecv_generic_node(nmbd_t)
+ corenet_udp_sendrecv_generic_node(nmbd_t)
++corenet_tcp_sendrecv_all_ports(nmbd_t)
++corenet_udp_sendrecv_all_ports(nmbd_t)
+ corenet_udp_bind_generic_node(nmbd_t)
+-
+-corenet_sendrecv_nmbd_server_packets(nmbd_t)
+ corenet_udp_bind_nmbd_port(nmbd_t)
+-corenet_udp_sendrecv_nmbd_port(nmbd_t)
+-
+-corenet_sendrecv_smbd_client_packets(nmbd_t)
++corenet_sendrecv_nmbd_server_packets(nmbd_t)
++corenet_sendrecv_nmbd_client_packets(nmbd_t)
+ corenet_tcp_connect_smbd_port(nmbd_t)
+-corenet_tcp_sendrecv_smbd_port(nmbd_t)
+
+ dev_read_sysfs(nmbd_t)
+ dev_getattr_mtrr_dev(nmbd_t)
+
++fs_getattr_all_fs(nmbd_t)
++fs_search_auto_mountpoints(nmbd_t)
++
domain_use_interactive_fds(nmbd_t)
files_read_usr_files(nmbd_t)
--files_read_etc_files(nmbd_t)
files_list_var_lib(nmbd_t)
+-fs_getattr_all_fs(nmbd_t)
+-fs_search_auto_mountpoints(nmbd_t)
+-
auth_use_nsswitch(nmbd_t)
-@@ -544,12 +575,14 @@ auth_use_nsswitch(nmbd_t)
+
logging_search_logs(nmbd_t)
logging_send_syslog_msg(nmbd_t)
-miscfiles_read_localization(nmbd_t)
-
userdom_use_unpriv_users_fds(nmbd_t)
- userdom_dontaudit_search_user_home_dirs(nmbd_t)
+-userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir })
+-
+-tunable_policy(`samba_export_all_ro',`
+- fs_read_noxattr_fs_files(nmbd_t)
+- files_list_non_auth_dirs(nmbd_t)
+- files_read_non_auth_files(nmbd_t)
+-')
++userdom_dontaudit_search_user_home_dirs(nmbd_t)
- optional_policy(`
-+ ctdbd_stream_connect(nmbd_t)
-+')
-+
+-tunable_policy(`samba_export_all_rw',`
+- fs_read_noxattr_fs_files(nmbd_t)
+- files_manage_non_auth_files(nmbd_t)
+optional_policy(`
- seutil_sigchld_newrole(nmbd_t)
++ ctdbd_stream_connect(nmbd_t)
')
-@@ -562,18 +595,21 @@ optional_policy(`
- # smbcontrol local policy
+ optional_policy(`
+@@ -600,17 +592,24 @@ optional_policy(`
+
+ ########################################
+ #
+-# Smbcontrol local policy
++# smbcontrol local policy
#
+
-+allow smbcontrol_t self:process signal;
- # internal communication is often done using fifo and unix sockets.
- allow smbcontrol_t self:fifo_file rw_file_perms;
+ allow smbcontrol_t self:process signal;
+-allow smbcontrol_t self:fifo_file rw_fifo_file_perms;
++# internal communication is often done using fifo and unix sockets.
++allow smbcontrol_t self:fifo_file rw_file_perms;
allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms;
-+allow smbcontrol_t self:process { signal signull };
+ allow smbcontrol_t self:process { signal signull };
- allow smbcontrol_t nmbd_t:process { signal signull };
+-allow smbcontrol_t { winbind_t nmbd_t smbd_t }:process { signal signull };
+-read_files_pattern(smbcontrol_t, { nmbd_var_run_t smbd_var_run_t }, { nmbd_var_run_t smbd_var_run_t })
++allow smbcontrol_t nmbd_t:process { signal signull };
+read_files_pattern(smbcontrol_t, nmbd_var_run_t, nmbd_var_run_t)
--allow smbcontrol_t nmbd_var_run_t:file { read lock };
--
--allow smbcontrol_t smbd_t:process signal;
--
+allow smbcontrol_t smbd_t:process { signal signull };
+read_files_pattern(smbcontrol_t, smbd_var_run_t, smbd_var_run_t)
- allow smbcontrol_t winbind_t:process { signal signull };
-
++allow smbcontrol_t winbind_t:process { signal signull };
++
+files_search_var_lib(smbcontrol_t)
samba_read_config(smbcontrol_t)
samba_rw_var_files(smbcontrol_t)
samba_search_var(smbcontrol_t)
-@@ -581,11 +617,19 @@ samba_read_winbind_pid(smbcontrol_t)
+@@ -620,16 +619,13 @@ domain_use_interactive_fds(smbcontrol_t)
- domain_use_interactive_fds(smbcontrol_t)
+ dev_read_urand(smbcontrol_t)
-files_read_etc_files(smbcontrol_t)
-+dev_read_urand(smbcontrol_t)
-+
+-files_search_var_lib(smbcontrol_t)
+files_read_usr_files(smbcontrol_t)
-+
-+term_use_console(smbcontrol_t)
-+
-+sysnet_use_ldap(smbcontrol_t)
+
+ term_use_console(smbcontrol_t)
-miscfiles_read_localization(smbcontrol_t)
-+userdom_use_inherited_user_terminals(smbcontrol_t)
+-
+ sysnet_use_ldap(smbcontrol_t)
-userdom_use_user_terminals(smbcontrol_t)
-+optional_policy(`
-+ ctdbd_stream_connect(smbcontrol_t)
-+')
++userdom_use_inherited_user_terminals(smbcontrol_t)
+
+ optional_policy(`
+ ctdbd_stream_connect(smbcontrol_t)
+@@ -637,22 +633,23 @@ optional_policy(`
########################################
#
-@@ -604,18 +648,20 @@ allow smbmount_t samba_etc_t:file read_file_perms;
+-# Smbmount Local policy
++# smbmount Local policy
+ #
- can_exec(smbmount_t, smbmount_exec_t)
+-allow smbmount_t self:capability { sys_rawio sys_admin dac_override chown };
+-allow smbmount_t self:process signal_perms;
+-allow smbmount_t self:tcp_socket { accept listen };
++allow smbmount_t self:capability { sys_rawio sys_admin dac_override chown }; # FIXME: is all of this really necessary?
++allow smbmount_t self:process { fork signal_perms };
++allow smbmount_t self:tcp_socket create_stream_socket_perms;
++allow smbmount_t self:udp_socket connect;
+ allow smbmount_t self:unix_dgram_socket create_socket_perms;
+ allow smbmount_t self:unix_stream_socket create_socket_perms;
+
+ allow smbmount_t samba_etc_t:dir list_dir_perms;
+ allow smbmount_t samba_etc_t:file read_file_perms;
-allow smbmount_t samba_log_t:dir list_dir_perms;
+-append_files_pattern(smbmount_t, samba_log_t, samba_log_t)
+-create_files_pattern(smbmount_t, samba_log_t, samba_log_t)
+-setattr_files_pattern(smbmount_t, samba_log_t, samba_log_t)
++can_exec(smbmount_t, smbmount_exec_t)
++
+allow smbmount_t samba_log_t:dir list_dir_perms;
- allow smbmount_t samba_log_t:file manage_file_perms;
++allow smbmount_t samba_log_t:file manage_file_perms;
allow smbmount_t samba_secrets_t:file manage_file_perms;
-+manage_dirs_pattern(smbmount_t, samba_var_t, samba_var_t)
- manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
+@@ -661,26 +658,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t)
-+files_var_filetrans(smbmount_t, samba_var_t, dir, "samba")
-+
- files_list_var_lib(smbmount_t)
+ files_var_filetrans(smbmount_t, samba_var_t, dir, "samba")
+
+-can_exec(smbmount_t, smbmount_exec_t)
++files_list_var_lib(smbmount_t)
kernel_read_system_state(smbmount_t)
-corenet_all_recvfrom_unlabeled(smbmount_t)
corenet_all_recvfrom_netlabel(smbmount_t)
corenet_tcp_sendrecv_generic_if(smbmount_t)
- corenet_raw_sendrecv_generic_if(smbmount_t)
-@@ -645,31 +691,32 @@ files_list_mnt(smbmount_t)
- files_mounton_mnt(smbmount_t)
- files_manage_etc_runtime_files(smbmount_t)
- files_etc_filetrans_etc_runtime(smbmount_t, file)
--files_read_etc_files(smbmount_t)
-
- auth_use_nsswitch(smbmount_t)
++corenet_raw_sendrecv_generic_if(smbmount_t)
++corenet_udp_sendrecv_generic_if(smbmount_t)
+ corenet_tcp_sendrecv_generic_node(smbmount_t)
+-
+-corenet_sendrecv_all_client_packets(smbmount_t)
+-corenet_tcp_connect_all_ports(smbmount_t)
++corenet_raw_sendrecv_generic_node(smbmount_t)
++corenet_udp_sendrecv_generic_node(smbmount_t)
+ corenet_tcp_sendrecv_all_ports(smbmount_t)
+-
+-corecmd_list_bin(smbmount_t)
+-
+-files_list_mnt(smbmount_t)
+-files_list_var_lib(smbmount_t)
+-files_mounton_mnt(smbmount_t)
+-files_manage_etc_runtime_files(smbmount_t)
+-files_etc_filetrans_etc_runtime(smbmount_t, file)
++corenet_udp_sendrecv_all_ports(smbmount_t)
++corenet_tcp_bind_generic_node(smbmount_t)
++corenet_udp_bind_generic_node(smbmount_t)
++corenet_tcp_connect_all_ports(smbmount_t)
+
+ fs_getattr_cifs(smbmount_t)
+ fs_mount_cifs(smbmount_t)
+@@ -692,58 +685,78 @@ fs_read_cifs_files(smbmount_t)
+ storage_raw_read_fixed_disk(smbmount_t)
+ storage_raw_write_fixed_disk(smbmount_t)
+
+-auth_use_nsswitch(smbmount_t)
++corecmd_list_bin(smbmount_t)
-miscfiles_read_localization(smbmount_t)
--
++files_list_mnt(smbmount_t)
++files_mounton_mnt(smbmount_t)
++files_manage_etc_runtime_files(smbmount_t)
++files_etc_filetrans_etc_runtime(smbmount_t, file)
++
++auth_use_nsswitch(smbmount_t)
+
-mount_use_fds(smbmount_t)
locallogin_use_fds(smbmount_t)
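Review bot: In the nmbd section, `corenet_tcp_sendrecv_all_ports(nmbd_t)` and `corenet_udp_sendrecv_all_ports(nmbd_t)` are added while the upstream port-specific calls `corenet_udp_sendrecv_nmbd_port(nmbd_t)` and `corenet_tcp_sendrecv_smbd_port(nmbd_t)` are dropped, which widens nmbd's labelled-port send/receive from two port types to every defined port type. Binding stays narrow through `corenet_udp_bind_nmbd_port(nmbd_t)`, so the practical effect depends on whether port labelling (SECMARK/NetLabel) is in use on the host, but the policy should still record why the wildcard is needed; if it is only to silence AVCs on replies, a comment such as `# nmbd answers name queries from arbitrary source ports; sendrecv is wide, bind stays on nmbd_port_t` would do. The smbmount section keeps `corenet_tcp_connect_all_ports(smbmount_t)` and the `sys_rawio sys_admin dac_override chown` capability set with a FIXME, so that open question from upstream is carried over unanswered here.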
@@ -59631,7 +67853,8 @@ index 905883f..7e70344 100644
+
########################################
#
- # SWAT Local policy
+-# Swat Local policy
++# SWAT Local policy
#
allow swat_t self:capability { dac_override setuid setgid sys_resource };
@@ -59639,43 +67862,80 @@ index 905883f..7e70344 100644
allow swat_t self:process { setrlimit signal_perms };
allow swat_t self:fifo_file rw_fifo_file_perms;
allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
-@@ -684,7 +731,8 @@ samba_domtrans_nmbd(swat_t)
- allow swat_t nmbd_t:process { signal signull };
- allow nmbd_t swat_t:process signal;
+-allow swat_t self:tcp_socket { accept listen };
++allow swat_t self:tcp_socket create_stream_socket_perms;
++allow swat_t self:udp_socket create_socket_perms;
+ allow swat_t self:unix_stream_socket connectto;
--allow swat_t smbd_var_run_t:file { lock unlink };
+-allow swat_t { nmbd_t smbd_t }:process { signal signull };
++samba_domtrans_smbd(swat_t)
++allow swat_t smbd_t:process { signal signull };
+
+-allow swat_t smbd_var_run_t:file read_file_perms;
+-allow swat_t smbd_var_run_t:file { lock delete_file_perms };
++samba_domtrans_nmbd(swat_t)
++allow swat_t nmbd_t:process { signal signull };
++allow nmbd_t swat_t:process signal;
++
+read_files_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t)
+stream_connect_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
++
++allow swat_t smbd_port_t:tcp_socket name_bind;
++
++allow swat_t nmbd_port_t:udp_socket name_bind;
- allow swat_t smbd_port_t:tcp_socket name_bind;
+ rw_files_pattern(swat_t, samba_etc_t, samba_etc_t)
+ read_lnk_files_pattern(swat_t, samba_etc_t, samba_etc_t)
-@@ -698,13 +746,17 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
+ manage_dirs_pattern(swat_t, samba_log_t, samba_log_t)
+-append_files_pattern(swat_t, samba_log_t, samba_log_t)
+-create_files_pattern(swat_t, samba_log_t, samba_log_t)
+-setattr_files_pattern(swat_t, samba_log_t, samba_log_t)
++manage_files_pattern(swat_t, samba_log_t, samba_log_t)
manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t)
-+manage_dirs_pattern(swat_t, samba_var_t, samba_var_t)
+ manage_dirs_pattern(swat_t, samba_var_t, samba_var_t)
manage_files_pattern(swat_t, samba_var_t, samba_var_t)
-+files_var_filetrans(swat_t, samba_var_t, dir, "samba")
+-manage_lnk_files_pattern(swat_t, samba_var_t, samba_var_t)
+ files_var_filetrans(swat_t, samba_var_t, dir, "samba")
+files_list_var_lib(swat_t)
allow swat_t smbd_exec_t:file mmap_file_perms ;
- allow swat_t smbd_t:process signull;
-
- allow swat_t smbd_var_run_t:file read_file_perms;
+-allow swat_t { winbind_t smbd_t }:process { signal signull };
++allow swat_t smbd_t:process signull;
++
++allow swat_t smbd_var_run_t:file read_file_perms;
+allow swat_t smbd_var_run_t:file { lock unlink };
manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -717,6 +769,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
- domtrans_pattern(swat_t, winbind_exec_t, winbind_t)
- allow swat_t winbind_t:process { signal signull };
+@@ -752,17 +765,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
+ manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t)
+ files_pid_filetrans(swat_t, swat_var_run_t, file)
+-read_files_pattern(swat_t, winbind_var_run_t, winbind_var_run_t)
+-allow swat_t winbind_var_run_t:dir { add_entry_dir_perms del_entry_dir_perms };
+-allow swat_t winbind_var_run_t:sock_file { create_sock_file_perms delete_sock_file_perms };
+-
+-read_files_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t)
+-stream_connect_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
+-
+-samba_domtrans_smbd(swat_t)
+-samba_domtrans_nmbd(swat_t)
+-
++allow swat_t winbind_exec_t:file mmap_file_perms;
+ domtrans_pattern(swat_t, winbind_exec_t, winbind_t)
++allow swat_t winbind_t:process { signal signull };
++
+read_files_pattern(swat_t, winbind_var_run_t, winbind_var_run_t)
- allow swat_t winbind_var_run_t:dir { write add_name remove_name };
- allow swat_t winbind_var_run_t:sock_file { create unlink };
++allow swat_t winbind_var_run_t:dir { write add_name remove_name };
++allow swat_t winbind_var_run_t:sock_file { create unlink };
-@@ -726,7 +779,6 @@ kernel_read_network_state(swat_t)
+ kernel_read_kernel_sysctls(swat_t)
+ kernel_read_system_state(swat_t)
+@@ -770,28 +779,19 @@ kernel_read_network_state(swat_t)
corecmd_search_bin(swat_t)
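Review bot: The swat section binds to the Samba ports with raw type rules, `allow swat_t smbd_port_t:tcp_socket name_bind;` and `allow swat_t nmbd_port_t:udp_socket name_bind;`, instead of the corenetwork interfaces the rest of this file uses for the same port types. Replacing them with `corenet_tcp_bind_smbd_port(swat_t)` and `corenet_udp_bind_nmbd_port(swat_t)` keeps the module on the interface layer, so the port types can be renamed and the bind rules audited in one place. Together with `samba_domtrans_smbd(swat_t)` and `samba_domtrans_nmbd(swat_t)` this lets swat both start the daemons and sit on their ports itself; a one-line comment saying which case the port binds serve would help the next reader.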
@@ -59683,47 +67943,97 @@ index 905883f..7e70344 100644
corenet_all_recvfrom_netlabel(swat_t)
corenet_tcp_sendrecv_generic_if(swat_t)
corenet_udp_sendrecv_generic_if(swat_t)
-@@ -744,7 +796,6 @@ corenet_sendrecv_ipp_client_packets(swat_t)
++corenet_raw_sendrecv_generic_if(swat_t)
+ corenet_tcp_sendrecv_generic_node(swat_t)
+ corenet_udp_sendrecv_generic_node(swat_t)
+-corenet_tcp_bind_generic_node(swat_t)
+-corenet_udp_bind_generic_node(swat_t)
+-
+-corenet_sendrecv_nmbd_server_packets(swat_t)
+-corenet_udp_bind_nmbd_port(swat_t)
+-corenet_udp_sendrecv_nmbd_port(swat_t)
+-
+-corenet_sendrecv_smbd_client_packets(swat_t)
++corenet_raw_sendrecv_generic_node(swat_t)
++corenet_tcp_sendrecv_all_ports(swat_t)
++corenet_udp_sendrecv_all_ports(swat_t)
+ corenet_tcp_connect_smbd_port(swat_t)
+-corenet_sendrecv_smbd_server_packets(swat_t)
+-corenet_tcp_bind_smbd_port(swat_t)
+-corenet_tcp_sendrecv_smbd_port(swat_t)
+-
+-corenet_sendrecv_ipp_client_packets(swat_t)
+ corenet_tcp_connect_ipp_port(swat_t)
+-corenet_tcp_sendrecv_ipp_port(swat_t)
++corenet_sendrecv_smbd_client_packets(swat_t)
++corenet_sendrecv_ipp_client_packets(swat_t)
+
dev_read_urand(swat_t)
- files_list_var_lib(swat_t)
--files_read_etc_files(swat_t)
+@@ -799,7 +799,6 @@ files_list_var_lib(swat_t)
files_search_home(swat_t)
files_read_usr_files(swat_t)
fs_getattr_xattr_fs(swat_t)
-@@ -759,7 +810,10 @@ logging_send_syslog_msg(swat_t)
+-files_list_var_lib(swat_t)
+
+ auth_domtrans_chk_passwd(swat_t)
+ auth_use_nsswitch(swat_t)
+@@ -811,10 +810,11 @@ logging_send_syslog_msg(swat_t)
logging_send_audit_msgs(swat_t)
logging_search_logs(swat_t)
-miscfiles_read_localization(swat_t)
-+sysnet_use_ldap(swat_t)
-+
+-
+ sysnet_use_ldap(swat_t)
+
+
+userdom_dontaudit_search_admin_dir(swat_t)
-
++
optional_policy(`
cups_read_rw_config(swat_t)
-@@ -790,7 +844,8 @@ allow winbind_t self:udp_socket create_socket_perms;
+ cups_stream_connect(swat_t)
+@@ -837,13 +837,15 @@ allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice };
+ dontaudit winbind_t self:capability sys_tty_config;
+ allow winbind_t self:process { signal_perms getsched setsched };
+ allow winbind_t self:fifo_file rw_fifo_file_perms;
+-allow winbind_t self:unix_stream_socket { accept listen };
+-allow winbind_t self:tcp_socket { accept listen };
++allow winbind_t self:unix_dgram_socket create_socket_perms;
++allow winbind_t self:unix_stream_socket create_stream_socket_perms;
++allow winbind_t self:tcp_socket create_stream_socket_perms;
++allow winbind_t self:udp_socket create_socket_perms;
allow winbind_t nmbd_t:process { signal signull };
-allow winbind_t nmbd_var_run_t:file read_file_perms;
+-stream_connect_pattern(winbind_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
+read_files_pattern(winbind_t, nmbd_var_run_t, nmbd_var_run_t)
+samba_stream_connect_nmbd(winbind_t)
allow winbind_t samba_etc_t:dir list_dir_perms;
read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
-@@ -806,6 +861,8 @@ manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
+@@ -853,9 +855,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
+ filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file)
+
+ manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t)
+-append_files_pattern(winbind_t, samba_log_t, samba_log_t)
+-create_files_pattern(winbind_t, samba_log_t, samba_log_t)
+-setattr_files_pattern(winbind_t, samba_log_t, samba_log_t)
++manage_files_pattern(winbind_t, samba_log_t, samba_log_t)
+ manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
+
manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
- manage_files_pattern(winbind_t, samba_var_t, samba_var_t)
+@@ -863,26 +863,25 @@ manage_files_pattern(winbind_t, samba_var_t, samba_var_t)
manage_lnk_files_pattern(winbind_t, samba_var_t, samba_var_t)
-+manage_sock_files_pattern(winbind_t, samba_var_t, samba_var_t)
-+files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
- files_list_var_lib(winbind_t)
+ manage_sock_files_pattern(winbind_t, samba_var_t, samba_var_t)
+ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
++files_list_var_lib(winbind_t)
rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
-@@ -813,21 +870,26 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
- allow winbind_t winbind_log_t:file manage_file_perms;
+
+-# This needs a file context specification
+-allow winbind_t winbind_log_t:file { append_file_perms create_file_perms setattr_file_perms };
++allow winbind_t winbind_log_t:file manage_file_perms;
logging_log_filetrans(winbind_t, winbind_log_t, file)
-manage_dirs_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
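Review bot: This hunk removes `corenet_tcp_bind_generic_node(swat_t)` and `corenet_udp_bind_generic_node(swat_t)` from the swat network rules while the swat section above still keeps name_bind on smbd_port_t and nmbd_port_t. A bind() needs node_bind on the node type in addition to name_bind on the port type, so unless generic-node bind is granted to swat_t somewhere outside this hunk those port binds will be denied at runtime; if swat no longer listens itself the two name_bind rules should go as well, otherwise the two node-bind lines should stay. The swat and winbind sections also switch from port-specific sendrecv calls to `corenet_tcp_sendrecv_all_ports` / `corenet_udp_sendrecv_all_ports`, the same widening as in the nmbd section, and deserve a short comment giving the reason.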
@@ -59734,70 +68044,76 @@ index 905883f..7e70344 100644
+userdom_manage_user_tmp_files(winbind_t)
+userdom_tmp_filetrans_user_tmp(winbind_t, { file dir })
-+manage_dirs_pattern(winbind_t, { smbd_var_run_t winbind_var_run_t }, winbind_var_run_t)
+ manage_dirs_pattern(winbind_t, { smbd_var_run_t winbind_var_run_t }, winbind_var_run_t)
manage_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
--files_pid_filetrans(winbind_t, winbind_var_run_t, file)
+ files_pid_filetrans(winbind_t, winbind_var_run_t, { sock_file file dir })
+ filetrans_pattern(winbind_t, smbd_var_run_t, winbind_var_run_t, dir)
-
-+files_pid_filetrans(winbind_t, winbind_var_run_t, { sock_file file dir })
-+filetrans_pattern(winbind_t, smbd_var_run_t, winbind_var_run_t, dir)
+-manage_dirs_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
+# /run/samba/krb5cc_samba
-+manage_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
+ manage_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
+manage_dirs_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
-+manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
-+
-+kernel_read_network_state(winbind_t)
- kernel_read_kernel_sysctls(winbind_t)
- kernel_read_system_state(winbind_t)
+ manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
+
+ kernel_read_network_state(winbind_t)
+@@ -891,13 +890,18 @@ kernel_read_system_state(winbind_t)
corecmd_exec_bin(winbind_t)
-corenet_all_recvfrom_unlabeled(winbind_t)
corenet_all_recvfrom_netlabel(winbind_t)
corenet_tcp_sendrecv_generic_if(winbind_t)
- corenet_udp_sendrecv_generic_if(winbind_t)
-@@ -840,12 +902,15 @@ corenet_udp_sendrecv_all_ports(winbind_t)
- corenet_tcp_bind_generic_node(winbind_t)
- corenet_udp_bind_generic_node(winbind_t)
- corenet_tcp_connect_smbd_port(winbind_t)
++corenet_udp_sendrecv_generic_if(winbind_t)
++corenet_raw_sendrecv_generic_if(winbind_t)
+ corenet_tcp_sendrecv_generic_node(winbind_t)
++corenet_udp_sendrecv_generic_node(winbind_t)
++corenet_raw_sendrecv_generic_node(winbind_t)
+ corenet_tcp_sendrecv_all_ports(winbind_t)
+-
+-corenet_sendrecv_all_client_packets(winbind_t)
++corenet_udp_sendrecv_all_ports(winbind_t)
++corenet_tcp_bind_generic_node(winbind_t)
++corenet_udp_bind_generic_node(winbind_t)
+corenet_tcp_connect_smbd_port(winbind_t)
+ corenet_tcp_connect_smbd_port(winbind_t)
corenet_tcp_connect_epmap_port(winbind_t)
corenet_tcp_connect_all_unreserved_ports(winbind_t)
-
+@@ -905,10 +909,7 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
dev_read_sysfs(winbind_t)
dev_read_urand(winbind_t)
+-domain_use_interactive_fds(winbind_t)
+-
+-files_read_usr_symlinks(winbind_t)
+-files_list_var_lib(winbind_t)
+files_read_usr_files(winbind_t)
-+
+
fs_getattr_all_fs(winbind_t)
fs_search_auto_mountpoints(winbind_t)
+@@ -917,11 +918,17 @@ auth_domtrans_chk_passwd(winbind_t)
+ auth_use_nsswitch(winbind_t)
+ auth_manage_cache(winbind_t)
-@@ -855,12 +920,14 @@ auth_manage_cache(winbind_t)
-
- domain_use_interactive_fds(winbind_t)
-
--files_read_etc_files(winbind_t)
- files_read_usr_symlinks(winbind_t)
++domain_use_interactive_fds(winbind_t)
++
++files_read_usr_symlinks(winbind_t)
+files_list_var_lib(winbind_t)
-
++
logging_send_syslog_msg(winbind_t)
-miscfiles_read_localization(winbind_t)
-+miscfiles_read_generic_certs(winbind_t)
-+
-+sysnet_use_ldap(winbind_t)
+ miscfiles_read_generic_certs(winbind_t)
++sysnet_use_ldap(winbind_t)
++
userdom_dontaudit_use_unpriv_user_fds(winbind_t)
userdom_manage_user_home_content_dirs(winbind_t)
-@@ -871,6 +938,15 @@ userdom_manage_user_home_content_sockets(winbind_t)
- userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file })
+ userdom_manage_user_home_content_files(winbind_t)
+@@ -936,6 +943,10 @@ optional_policy(`
+ ')
optional_policy(`
-+ ctdbd_stream_connect(winbind_t)
-+ ctdbd_manage_lib_files(winbind_t)
-+')
-+
-+optional_policy(`
+ dirsrv_stream_connect(winbind_t)
+')
+
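Review bot: `corenet_tcp_connect_smbd_port(winbind_t)` now appears twice in a row in the winbind network rules, once added by this hunk and once already present as the context line directly below it; the duplicate is harmless to the compiled policy but should be dropped so the interface list stays readable. The same hunk removes `manage_dirs_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)` and re-adds it a few lines later under the `# /run/samba/krb5cc_samba` comment, which is a pure move; that comment names a file, so a note on why winbind also needs to create directories under the smbd run directory would make the rule easier to audit later.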
@@ -59805,7 +68121,34 @@ index 905883f..7e70344 100644
kerberos_use(winbind_t)
')
-@@ -909,9 +985,7 @@ auth_use_nsswitch(winbind_helper_t)
+@@ -952,31 +963,29 @@ optional_policy(`
+ # Winbind helper local policy
+ #
+
+-allow winbind_helper_t self:unix_stream_socket { accept listen };
++allow winbind_helper_t self:unix_dgram_socket create_socket_perms;
++allow winbind_helper_t self:unix_stream_socket create_stream_socket_perms;
+
+ allow winbind_helper_t samba_etc_t:dir list_dir_perms;
+ read_files_pattern(winbind_helper_t, samba_etc_t, samba_etc_t)
+ read_lnk_files_pattern(winbind_helper_t, samba_etc_t, samba_etc_t)
+
+ allow winbind_helper_t samba_var_t:dir search_dir_perms;
++files_list_var_lib(winbind_helper_t)
+
+ allow winbind_t smbcontrol_t:process signal;
+
+ stream_connect_pattern(winbind_helper_t, winbind_var_run_t, winbind_var_run_t, winbind_t)
+
+-domain_use_interactive_fds(winbind_helper_t)
+-
+-files_list_var_lib(winbind_helper_t)
+-
+ term_list_ptys(winbind_helper_t)
+
++domain_use_interactive_fds(winbind_helper_t)
++
+ auth_use_nsswitch(winbind_helper_t)
logging_send_syslog_msg(winbind_helper_t)
@@ -59816,7 +68159,12 @@ index 905883f..7e70344 100644
optional_policy(`
apache_append_log(winbind_helper_t)
-@@ -929,19 +1003,34 @@ optional_policy(`
+@@ -990,25 +999,38 @@ optional_policy(`
+
+ ########################################
+ #
+-# Unconfined script local policy
++# samba_unconfined_script_t local policy
#
optional_policy(`
@@ -59830,11 +68178,9 @@ index 905883f..7e70344 100644
+ domain_type(samba_unconfined_net_t)
+ domain_entry_file(samba_unconfined_net_t, samba_net_exec_t)
+ role system_r types samba_unconfined_net_t;
-
-- allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
-- allow smbd_t samba_unconfined_script_exec_t:file ioctl;
++
+ unconfined_domain(samba_unconfined_net_t)
-
++
+ manage_files_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t)
+ filetrans_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t, file)
+ userdom_use_inherited_user_terminals(samba_unconfined_net_t)
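Review bot: `unconfined_domain(samba_unconfined_net_t)` is applied to a domain whose entrypoint is `samba_net_exec_t`, but nothing in the hunk shows what selects this unconfined domain over the confined one for that binary, so a reader cannot tell when the samba net tool actually runs unconfined. A comment above `domain_type(samba_unconfined_net_t)` naming the tunable or interface that performs the transition — presumably `samba_run_unconfined`, which gates the script domain further down in this file, but that needs confirming — would make the trust boundary explicit. The manage rule on `samba_secrets_t` with a file transition looks appropriate for a domain join, and the enclosing `optional_policy(` opens outside this hunk.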
@@ -59846,10 +68192,12 @@ index 905883f..7e70344 100644
+domain_entry_file(samba_unconfined_script_t, samba_unconfined_script_exec_t)
+corecmd_shell_entry_type(samba_unconfined_script_t)
+role system_r types samba_unconfined_script_t;
-+
+
+- allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
+- allow smbd_t samba_unconfined_script_exec_t:file ioctl;
+allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
+allow smbd_t samba_unconfined_script_exec_t:file ioctl;
-+
+
+optional_policy(`
unconfined_domain(samba_unconfined_script_t)
+')
@@ -59857,45 +68205,35 @@ index 905883f..7e70344 100644
- tunable_policy(`samba_run_unconfined',`
+tunable_policy(`samba_run_unconfined',`
domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t)
+- ',`
+- can_exec(smbd_t, samba_unconfined_script_exec_t)
- ')
+',`
+ can_exec(smbd_t, samba_unconfined_script_exec_t)
')
diff --git a/sambagui.te b/sambagui.te
-index 1898dbd..1d5e802 100644
+index d9f8784..2b2c0dc 100644
--- a/sambagui.te
+++ b/sambagui.te
-@@ -7,7 +7,8 @@ policy_module(sambagui, 1.1.0)
-
- type sambagui_t;
- type sambagui_exec_t;
--dbus_system_domain(sambagui_t, sambagui_exec_t)
-+application_domain(sambagui_t, sambagui_exec_t)
-+role system_r types sambagui_t;
-
- ########################################
- #
-@@ -27,21 +28,28 @@ corecmd_exec_bin(sambagui_t)
+@@ -28,14 +28,14 @@ corecmd_exec_shell(sambagui_t)
dev_dontaudit_read_urand(sambagui_t)
--files_read_etc_files(sambagui_t)
-+files_read_usr_files(sambagui_t)
- files_search_var_lib(sambagui_t)
- files_read_usr_files(sambagui_t)
+-files_read_usr_files(sambagui_t)
++files_search_var_lib(sambagui_t)
auth_use_nsswitch(sambagui_t)
-+auth_dontaudit_read_shadow(sambagui_t)
-+
-+init_access_check(sambagui_t)
+ auth_dontaudit_read_shadow(sambagui_t)
- logging_send_syslog_msg(sambagui_t)
+-logging_send_syslog_msg(sambagui_t)
++init_access_check(sambagui_t)
-miscfiles_read_localization(sambagui_t)
-+sysnet_use_ldap(sambagui_t)
++logging_send_syslog_msg(sambagui_t)
- optional_policy(`
- consoletype_exec(sambagui_t)
+ sysnet_use_ldap(sambagui_t)
+
+@@ -44,6 +44,10 @@ optional_policy(`
')
optional_policy(`
@@ -59906,7 +68244,7 @@ index 1898dbd..1d5e802 100644
nscd_dontaudit_search_pid(sambagui_t)
')
-@@ -56,6 +64,7 @@ optional_policy(`
+@@ -61,6 +65,7 @@ optional_policy(`
samba_manage_var_files(sambagui_t)
samba_read_secrets(sambagui_t)
samba_initrc_domtrans(sambagui_t)
@@ -59915,31 +68253,32 @@ index 1898dbd..1d5e802 100644
samba_domtrans_nmbd(sambagui_t)
')
diff --git a/samhain.if b/samhain.if
-index c040ebf..2b601a5 100644
+index f0236d6..78a792a 100644
--- a/samhain.if
+++ b/samhain.if
-@@ -271,10 +271,14 @@ interface(`samhain_admin',`
- type samhain_initrc_exec_t, samhain_log_t, samhain_var_run_t;
- ')
-
-- allow $1 samhain_t:process { ptrace signal_perms };
-+ allow $1 samhain_t:process signal_perms;
- ps_process_pattern($1, samhain_t)
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $1 samhain_t:process ptrace;
-+ allow $1 samhaind_t:process ptrace;
-+ ')
+@@ -23,6 +23,8 @@ template(`samhain_service_template',`
+ files_read_all_files($1_t)
-- allow $1 samhaind_t:process { ptrace signal_perms };
-+ allow $1 samhaind_t:process signal_perms;
- ps_process_pattern($1, samhaind_t)
+ mls_file_write_all_levels($1_t)
++
++ logging_send_sylog_msg($1_t)
+ ')
- files_list_var_lib($1)
+ ########################################
diff --git a/samhain.te b/samhain.te
-index acd1700..778d18b 100644
+index 931312b..bd9a4c7 100644
--- a/samhain.te
+++ b/samhain.te
-@@ -55,7 +55,7 @@ domain_use_interactive_fds(samhain_t)
+@@ -88,8 +88,6 @@ auth_read_login_records(samhain_domain)
+
+ init_read_utmp(samhain_domain)
+
+-logging_send_syslog_msg(samhain_domain)
+-
+ ########################################
+ #
+ # Client local policy
+@@ -102,7 +100,7 @@ domain_use_interactive_fds(samhain_t)
seutil_sigchld_newrole(samhain_t)
@@ -59957,7 +68296,7 @@ index 0000000..b7db254
+# Empty
diff --git a/sandbox.if b/sandbox.if
new file mode 100644
-index 0000000..7addd77
+index 0000000..577dfa7
--- /dev/null
+++ b/sandbox.if
@@ -0,0 +1,55 @@
@@ -60014,7 +68353,7 @@ index 0000000..7addd77
+ application_type($1_t)
+
+ mls_rangetrans_target($1_t)
-+ mcs_untrusted_proc($1_t)
++ mcs_constrained($1_t)
+')
diff --git a/sandbox.te b/sandbox.te
new file mode 100644
@@ -60098,7 +68437,7 @@ index 0000000..6caef63
+/usr/share/sandbox/start -- gen_context(system_u:object_r:sandbox_exec_t,s0)
diff --git a/sandboxX.if b/sandboxX.if
new file mode 100644
-index 0000000..f00e5c5
+index 0000000..1b21b7b
--- /dev/null
+++ b/sandboxX.if
@@ -0,0 +1,391 @@
@@ -60188,7 +68527,7 @@ index 0000000..f00e5c5
+
+ type $1_t, sandbox_x_domain, sandbox_type;
+ application_type($1_t)
-+ mcs_untrusted_proc($1_t)
++ mcs_constrained($1_t)
+
+ kernel_read_system_state($1_t)
+ selinux_get_fs_mount($1_t)
@@ -60205,7 +68544,7 @@ index 0000000..f00e5c5
+ application_type($1_client_t)
+ kernel_read_system_state($1_client_t)
+
-+ mcs_untrusted_proc($1_t)
++ mcs_constrained($1_t)
+
+ type $1_client_tmpfs_t, sandbox_tmpfs_type;
+ files_tmpfs_file($1_client_tmpfs_t)
@@ -60495,10 +68834,10 @@ index 0000000..f00e5c5
+')
diff --git a/sandboxX.te b/sandboxX.te
new file mode 100644
-index 0000000..479ece4
+index 0000000..7a746a3
--- /dev/null
+++ b/sandboxX.te
-@@ -0,0 +1,463 @@
+@@ -0,0 +1,464 @@
+policy_module(sandboxX,1.0.0)
+
+dbus_stub()
@@ -60854,9 +69193,10 @@ index 0000000..479ece4
+corenet_tcp_connect_ftp_port(sandbox_web_type)
+corenet_tcp_connect_all_ephemeral_ports(sandbox_web_type)
+corenet_tcp_connect_ipp_port(sandbox_web_type)
-+corenet_tcp_connect_streaming_port(sandbox_web_type)
++corenet_tcp_connect_ms_streaming_port(sandbox_web_type)
++corenet_tcp_connect_rtsp_port(sandbox_web_type)
+corenet_tcp_connect_pulseaudio_port(sandbox_web_type)
-+corenet_tcp_connect_tor_socks_port(sandbox_web_type)
++corenet_tcp_connect_tor_port(sandbox_web_type)
+corenet_tcp_connect_speech_port(sandbox_web_type)
+corenet_tcp_connect_generic_port(sandbox_web_type)
+corenet_tcp_connect_soundd_port(sandbox_web_type)
@@ -60963,43 +69303,72 @@ index 0000000..479ece4
+ mozilla_plugin_dontaudit_leaks(sandbox_x_domain)
+')
diff --git a/sanlock.fc b/sanlock.fc
-index 5d1826c..9059165 100644
+index 3df2a0f..9059165 100644
--- a/sanlock.fc
+++ b/sanlock.fc
@@ -1,7 +1,10 @@
+
/etc/rc\.d/init\.d/sanlock -- gen_context(system_u:object_r:sanlock_initrc_exec_t,s0)
- /var/run/sanlock(/.*)? gen_context(system_u:object_r:sanlock_var_run_t,s0)
-
--/var/log/sanlock\.log gen_context(system_u:object_r:sanlock_log_t,s0)
+-/usr/sbin/sanlock -- gen_context(system_u:object_r:sanlock_exec_t,s0)
++/var/run/sanlock(/.*)? gen_context(system_u:object_r:sanlock_var_run_t,s0)
++
+/var/log/sanlock\.log.* gen_context(system_u:object_r:sanlock_log_t,s0)
- /usr/sbin/sanlock -- gen_context(system_u:object_r:sanlock_exec_t,s0)
-+
+-/var/run/sanlock(/.*)? gen_context(system_u:object_r:sanlock_var_run_t,s0)
++/usr/sbin/sanlock -- gen_context(system_u:object_r:sanlock_exec_t,s0)
+
+-/var/log/sanlock\.log.* -- gen_context(system_u:object_r:sanlock_log_t,s0)
+/usr/lib/systemd/system/sanlock\.service -- gen_context(system_u:object_r:sanlock_unit_file_t,s0)
diff --git a/sanlock.if b/sanlock.if
-index cfe3172..34b861a 100644
+index cd6c213..34b861a 100644
--- a/sanlock.if
+++ b/sanlock.if
-@@ -1,3 +1,4 @@
+@@ -1,4 +1,5 @@
+-## <summary>shared storage lock manager.</summary>
+
- ## <summary>policy for sanlock</summary>
++## <summary>policy for sanlock</summary>
########################################
-@@ -18,6 +19,7 @@ interface(`sanlock_domtrans',`
+ ## <summary>
+@@ -15,18 +16,17 @@ interface(`sanlock_domtrans',`
+ type sanlock_t, sanlock_exec_t;
+ ')
+
+- corecmd_search_bin($1)
domtrans_pattern($1, sanlock_exec_t, sanlock_t)
')
+
########################################
## <summary>
- ## Execute sanlock server in the sanlock domain.
-@@ -57,21 +59,44 @@ interface(`sanlock_manage_pid_files',`
+-## Execute sanlock init scripts in
+-## the initrc domain.
++## Execute sanlock server in the sanlock domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed to transition.
++## The type of the process performing this action.
+ ## </summary>
+ ## </param>
+ #
+@@ -40,8 +40,7 @@ interface(`sanlock_initrc_domtrans',`
+
+ ######################################
+ ## <summary>
+-## Create, read, write, and delete
+-## sanlock pid files.
++## Create, read, write, and delete sanlock PID files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -60,28 +59,50 @@ interface(`sanlock_manage_pid_files',`
########################################
## <summary>
--## Connect to sanlock over an unix stream socket.
+-## Connect to sanlock with a unix
+-## domain stream socket.
+## Connect to sanlock over a unix stream socket.
+## </summary>
+## <param name="domain">
@@ -61046,14 +69415,27 @@ index cfe3172..34b861a 100644
')
########################################
-@@ -95,13 +120,21 @@ interface(`sanlock_admin',`
+ ## <summary>
+-## All of the rules required to
+-## administrate an sanlock environment.
++## All of the rules required to administrate
++## an sanlock environment
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -97,21 +118,23 @@ interface(`sanlock_stream_connect',`
+ #
+ interface(`sanlock_admin',`
gen_require(`
- type sanlock_t;
- type sanlock_initrc_exec_t;
+- type sanlock_t, sanlock_initrc_exec_t, sanlock_var_run_t;
+- type sanlock_log_t;
++ type sanlock_t;
++ type sanlock_initrc_exec_t;
+ type sanlock_unit_file_t;
')
- allow $1 sanlock_t:process signal_perms;
+- allow $1 sanlock_t:process { ptrace signal_perms };
++ allow $1 sanlock_t:process signal_perms;
ps_process_pattern($1, sanlock_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 sanlock_t:process ptrace;
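Review bot: The rewritten gen_require in sanlock_admin drops sanlock_var_run_t and sanlock_log_t, and the next hunk removes the matching `files_search_pids($1)`/`admin_pattern($1, sanlock_var_run_t)` and `logging_search_logs($1)`/`admin_pattern($1, sanlock_log_t)` calls, so the administrative domain can no longer manage sanlock's PID and log files through this interface although upstream's version allowed it. If that narrowing is intended, a comment above gen_require saying so would stop the next rebase from "fixing" it; otherwise keep the two types and the four calls. Moving ptrace under `tunable_policy(`deny_ptrace', ...)` while leaving `signal_perms` unconditional is the right least-privilege shape. sanlock_admin continues into the next hunk.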
@@ -61063,28 +69445,34 @@ index cfe3172..34b861a 100644
domain_system_change_exemption($1)
role_transition $2 sanlock_initrc_exec_t system_r;
allow $2 system_r;
-+
+
+- files_search_pids($1)
+- admin_pattern($1, sanlock_var_run_t)
+-
+- logging_search_logs($1)
+- admin_pattern($1, sanlock_log_t)
+ virt_systemctl($1)
+ admin_pattern($1, sanlock_unit_file_t)
+ allow $1 sanlock_unit_file_t:service all_service_perms;
')
diff --git a/sanlock.te b/sanlock.te
-index e02eb6c..4f4eaf4 100644
+index a34eac4..4f4eaf4 100644
--- a/sanlock.te
+++ b/sanlock.te
@@ -1,4 +1,4 @@
--policy_module(sanlock, 1.0.0)
+-policy_module(sanlock, 1.0.2)
+policy_module(sanlock,1.0.0)
########################################
#
-@@ -6,18 +6,25 @@ policy_module(sanlock, 1.0.0)
+@@ -6,21 +6,26 @@ policy_module(sanlock, 1.0.2)
#
## <desc>
--## <p>
--## Allow confined virtual guests to manage nfs files
--## </p>
+-## <p>
+-## Determine whether sanlock can use
+-## nfs file systems.
+-## </p>
+## <p>
+## Allow sanlock to manage nfs files
+## </p>
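Review bot: `virt_systemctl($1)` in sanlock_admin ties the sanlock module to the virt module and presumably grants the admin domain systemctl rights over virt's unit rather than only sanlock's; the call sits next to `admin_pattern($1, sanlock_unit_file_t)` and `allow $1 sanlock_unit_file_t:service all_service_perms;`, which already cover the sanlock unit, so either wrap the virt call in `optional_policy(\`...')` with a comment explaining why a sanlock admin needs virt's units, or drop it. Separately, `policy_module(sanlock,1.0.0)` lowers the module version below upstream's 1.0.2, and the same backwards step appears for sasl (1.14.3 to 1.14.0) and screen (2.5.3 to 2.5.0) in later hunks; a version that goes backwards makes it hard to tell which policy a system carries, so keep upstream's number or bump past it, and restore the space after the comma to match the other policy_module lines.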
@@ -61092,24 +69480,27 @@ index e02eb6c..4f4eaf4 100644
gen_tunable(sanlock_use_nfs, false)
## <desc>
+-## <p>
+-## Determine whether sanlock can use
+-## cifs file systems.
+-## </p>
+## <p>
+## Allow sanlock to manage cifs files
+## </p>
-+## </desc>
-+gen_tunable(sanlock_use_samba, false)
-+
+ ## </desc>
+ gen_tunable(sanlock_use_samba, false)
+
+## <desc>
- ## <p>
--## Allow confined virtual guests to manage cifs files
++## <p>
+## Allow sanlock to read/write fuse files
- ## </p>
- ## </desc>
--gen_tunable(sanlock_use_samba, false)
++## </p>
++## </desc>
+gen_tunable(sanlock_use_fusefs, false)
-
++
type sanlock_t;
type sanlock_exec_t;
-@@ -32,6 +39,9 @@ logging_log_file(sanlock_log_t)
+ init_daemon_domain(sanlock_t, sanlock_exec_t)
+@@ -34,6 +39,9 @@ logging_log_file(sanlock_log_t)
type sanlock_initrc_exec_t;
init_script_file(sanlock_initrc_exec_t)
@@ -61119,38 +69510,48 @@ index e02eb6c..4f4eaf4 100644
ifdef(`enable_mcs',`
init_ranged_daemon_domain(sanlock_t, sanlock_exec_t, s0 - mcs_systemhigh)
')
-@@ -44,8 +54,9 @@ ifdef(`enable_mls',`
+@@ -44,17 +52,15 @@ ifdef(`enable_mls',`
+
+ ########################################
#
- # sanlock local policy
+-# Local policy
++# sanlock local policy
#
--allow sanlock_t self:capability { sys_nice ipc_lock };
--allow sanlock_t self:process { setsched signull };
-+allow sanlock_t self:capability { chown dac_override ipc_lock kill setgid setuid sys_nice sys_resource };
-+allow sanlock_t self:process { setrlimit setsched signull signal sigkill };
+-
+ allow sanlock_t self:capability { chown dac_override ipc_lock kill setgid setuid sys_nice sys_resource };
+ allow sanlock_t self:process { setrlimit setsched signull signal sigkill };
+
allow sanlock_t self:fifo_file rw_fifo_file_perms;
- allow sanlock_t self:unix_stream_socket create_stream_socket_perms;
+-allow sanlock_t self:unix_stream_socket { accept listen };
++allow sanlock_t self:unix_stream_socket create_stream_socket_perms;
-@@ -58,36 +69,51 @@ manage_sock_files_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t)
- files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file })
+-append_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t)
+-create_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t)
+-setattr_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t)
++manage_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t)
+ logging_log_filetrans(sanlock_t, sanlock_log_t, file)
+ manage_dirs_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t)
+@@ -65,13 +71,15 @@ files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file })
kernel_read_system_state(sanlock_t)
-+kernel_read_kernel_sysctls(sanlock_t)
+ kernel_read_kernel_sysctls(sanlock_t)
+-dev_read_rand(sanlock_t)
+-dev_read_urand(sanlock_t)
+-
domain_use_interactive_fds(sanlock_t)
--files_read_etc_files(sanlock_t)
+files_read_mnt_symlinks(sanlock_t)
-
++
storage_raw_rw_fixed_disk(sanlock_t)
+dev_read_rand(sanlock_t)
- dev_read_urand(sanlock_t)
-
-+auth_use_nsswitch(sanlock_t)
++dev_read_urand(sanlock_t)
+
+ auth_use_nsswitch(sanlock_t)
+
init_read_utmp(sanlock_t)
- init_dontaudit_write_utmp(sanlock_t)
+@@ -79,20 +87,25 @@ init_dontaudit_write_utmp(sanlock_t)
logging_send_syslog_msg(sanlock_t)
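Review bot: Replacing upstream's `append_files_pattern`/`create_files_pattern`/`setattr_files_pattern` on sanlock_log_t with `manage_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t)` lets the daemon overwrite, rename and unlink its own log files, which removes the append-only property that limits what a compromised sanlock_t can do to its audit trail. Unless a specific denial shows sanlock needs more than append/create/setattr, keep the three narrower lines. The sanlock local policy block starts before this hunk.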
@@ -61182,31 +69583,69 @@ index e02eb6c..4f4eaf4 100644
+ fs_manage_cifs_files(sanlock_t)
+ fs_manage_cifs_named_sockets(sanlock_t)
+ fs_read_cifs_symlinks(sanlock_t)
-+')
-+
-+optional_policy(`
-+ wdmd_stream_connect(sanlock_t)
')
optional_policy(`
+@@ -100,7 +113,7 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- virt_kill_all_virt_domains(sanlock_t)
+ virt_kill_svirt(sanlock_t)
virt_manage_lib_files(sanlock_t)
+- virt_signal_all_virt_domains(sanlock_t)
+ virt_signal_svirt(sanlock_t)
')
+diff --git a/sasl.fc b/sasl.fc
+index 54f41c2..7e58679 100644
+--- a/sasl.fc
++++ b/sasl.fc
+@@ -1,7 +1,12 @@
+ /etc/rc\.d/init\.d/sasl -- gen_context(system_u:object_r:saslauthd_initrc_exec_t,s0)
+
++#
++# /usr
++#
+ /usr/sbin/saslauthd -- gen_context(system_u:object_r:saslauthd_exec_t,s0)
+
+-/var/lib/sasl2(/.*)? gen_context(system_u:object_r:saslauthd_var_run_t,s0)
+-
++#
++# /var
++#
++/var/lib/sasl2(/.*)? gen_context(system_u:object_r:saslauthd_var_run_t,s0)
+ /var/run/saslauthd(/.*)? gen_context(system_u:object_r:saslauthd_var_run_t,s0)
diff --git a/sasl.if b/sasl.if
-index f1aea88..3e6a93f 100644
+index b2f388a..3e6a93f 100644
--- a/sasl.if
+++ b/sasl.if
-@@ -38,21 +38,21 @@ interface(`sasl_connect',`
+@@ -1,4 +1,4 @@
+-## <summary>SASL authentication server.</summary>
++## <summary>SASL authentication server</summary>
+
+ ########################################
+ ## <summary>
+@@ -21,8 +21,8 @@ interface(`sasl_connect',`
+
+ ########################################
+ ## <summary>
+-## All of the rules required to
+-## administrate an sasl environment.
++## All of the rules required to administrate
++## an sasl environment
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -38,11 +38,15 @@ interface(`sasl_connect',`
#
interface(`sasl_admin',`
gen_require(`
-- type saslauthd_t, saslauthd_tmp_t, saslauthd_var_run_t;
+- type saslauthd_t, saslauthd_var_run_t, saslauthd_initrc_exec_t;
+ type saslauthd_t, saslauthd_var_run_t;
- type saslauthd_initrc_exec_t;
++ type saslauthd_initrc_exec_t;
')
-- allow $1 saslauthd_t:process { ptrace signal_perms getattr };
+- allow $1 saslauthd_t:process { ptrace signal_perms };
+ allow $1 saslauthd_t:process signal_perms;
ps_process_pattern($1, saslauthd_t)
+ tunable_policy(`deny_ptrace',`',`
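Review bot: In the sasl.fc section `/var/lib/sasl2(/.*)?` is re-added under the new `# /var` header with saslauthd_var_run_t, the same runtime type as `/var/run/saslauthd(/.*)?`, although /var/lib normally holds persistent state; with one type the daemon's permissions on its PID/socket directory apply unchanged to /var/lib/sasl2 and vice versa. If the directory only ever holds the authentication mux socket this is harmless, but a comment saying so (or a dedicated lib type) would document the intent for the next rebase. The sasl_admin interface that follows continues into the next hunk.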
@@ -61215,80 +69654,92 @@ index f1aea88..3e6a93f 100644
init_labeled_script_domtrans($1, saslauthd_initrc_exec_t)
domain_system_change_exemption($1)
- role_transition $2 saslauthd_initrc_exec_t system_r;
- allow $2 system_r;
-
-- files_list_tmp($1)
-- admin_pattern($1, saslauthd_tmp_t)
--
- files_list_pids($1)
- admin_pattern($1, saslauthd_var_run_t)
- ')
diff --git a/sasl.te b/sasl.te
-index 9d9f8ce..88a01c0 100644
+index a63b875..88a01c0 100644
--- a/sasl.te
+++ b/sasl.te
-@@ -10,7 +10,7 @@ policy_module(sasl, 1.14.0)
- ## Allow sasl to read shadow
- ## </p>
+@@ -1,4 +1,4 @@
+-policy_module(sasl, 1.14.3)
++policy_module(sasl, 1.14.0)
+
+ ########################################
+ #
+@@ -6,12 +6,11 @@ policy_module(sasl, 1.14.3)
+ #
+
+ ## <desc>
+-## <p>
+-## Determine whether sasl can
+-## read shadow files.
+-## </p>
++## <p>
++## Allow sasl to read shadow
++## </p>
## </desc>
-gen_tunable(allow_saslauthd_read_shadow, false)
+gen_tunable(saslauthd_read_shadow, false)
type saslauthd_t;
type saslauthd_exec_t;
-@@ -19,9 +19,6 @@ init_daemon_domain(saslauthd_t, saslauthd_exec_t)
- type saslauthd_initrc_exec_t;
- init_script_file(saslauthd_initrc_exec_t)
-
--type saslauthd_tmp_t;
--files_tmp_file(saslauthd_tmp_t)
--
- type saslauthd_var_run_t;
- files_pid_file(saslauthd_var_run_t)
-
-@@ -30,31 +27,32 @@ files_pid_file(saslauthd_var_run_t)
- # Local policy
- #
-
--allow saslauthd_t self:capability { setgid setuid };
-+allow saslauthd_t self:capability { setgid setuid sys_nice };
+@@ -32,7 +31,9 @@ allow saslauthd_t self:capability { setgid setuid sys_nice };
dontaudit saslauthd_t self:capability sys_tty_config;
--allow saslauthd_t self:process signal_perms;
-+allow saslauthd_t self:process { setsched signal_perms };
+ allow saslauthd_t self:process { setsched signal_perms };
allow saslauthd_t self:fifo_file rw_fifo_file_perms;
- allow saslauthd_t self:unix_dgram_socket create_socket_perms;
- allow saslauthd_t self:unix_stream_socket create_stream_socket_perms;
- allow saslauthd_t self:tcp_socket create_socket_perms;
+-allow saslauthd_t self:unix_stream_socket { accept listen };
++allow saslauthd_t self:unix_dgram_socket create_socket_perms;
++allow saslauthd_t self:unix_stream_socket create_stream_socket_perms;
++allow saslauthd_t self:tcp_socket create_socket_perms;
--allow saslauthd_t saslauthd_tmp_t:dir setattr;
--manage_files_pattern(saslauthd_t, saslauthd_tmp_t, saslauthd_tmp_t)
--files_tmp_filetrans(saslauthd_t, saslauthd_tmp_t, file)
--
-+manage_dirs_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
+ manage_dirs_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
manage_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
- manage_sock_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
--files_pid_filetrans(saslauthd_t, saslauthd_var_run_t, file)
-+files_pid_filetrans(saslauthd_t, saslauthd_var_run_t, { file dir })
-
- kernel_read_kernel_sysctls(saslauthd_t)
+@@ -43,29 +44,19 @@ kernel_read_kernel_sysctls(saslauthd_t)
kernel_read_system_state(saslauthd_t)
-+kernel_rw_afs_state(saslauthd_t)
-+
-+#577519
-+corecmd_exec_bin(saslauthd_t)
+ kernel_rw_afs_state(saslauthd_t)
-corenet_all_recvfrom_unlabeled(saslauthd_t)
++#577519
++corecmd_exec_bin(saslauthd_t)
++
corenet_all_recvfrom_netlabel(saslauthd_t)
corenet_tcp_sendrecv_generic_if(saslauthd_t)
corenet_tcp_sendrecv_generic_node(saslauthd_t)
- corenet_tcp_sendrecv_all_ports(saslauthd_t)
+-
+-corenet_sendrecv_pop_client_packets(saslauthd_t)
++corenet_tcp_sendrecv_all_ports(saslauthd_t)
corenet_tcp_connect_pop_port(saslauthd_t)
-+corenet_tcp_connect_zarafa_port(saslauthd_t)
- corenet_sendrecv_pop_client_packets(saslauthd_t)
+-corenet_tcp_sendrecv_pop_port(saslauthd_t)
+-
+-corenet_sendrecv_zarafa_client_packets(saslauthd_t)
+ corenet_tcp_connect_zarafa_port(saslauthd_t)
+-corenet_tcp_sendrecv_zarafa_port(saslauthd_t)
+-
+-corecmd_exec_bin(saslauthd_t)
++corenet_sendrecv_pop_client_packets(saslauthd_t)
dev_read_urand(saslauthd_t)
-@@ -78,21 +76,20 @@ init_dontaudit_stream_connect_script(saslauthd_t)
+
+-domain_use_interactive_fds(saslauthd_t)
+-
+-files_dontaudit_read_etc_runtime_files(saslauthd_t)
+-files_dontaudit_getattr_home_dir(saslauthd_t)
+-files_dontaudit_getattr_tmp_dirs(saslauthd_t)
+-
+ fs_getattr_all_fs(saslauthd_t)
+ fs_search_auto_mountpoints(saslauthd_t)
+
+@@ -73,33 +64,38 @@ selinux_compute_access_vector(saslauthd_t)
+
+ auth_use_pam(saslauthd_t)
+
++domain_use_interactive_fds(saslauthd_t)
++
++files_read_etc_files(saslauthd_t)
++files_dontaudit_read_etc_runtime_files(saslauthd_t)
++files_search_var_lib(saslauthd_t)
++files_dontaudit_getattr_home_dir(saslauthd_t)
++files_dontaudit_getattr_tmp_dirs(saslauthd_t)
++
+ init_dontaudit_stream_connect_script(saslauthd_t)
logging_send_syslog_msg(saslauthd_t)
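Review bot: `corenet_tcp_sendrecv_all_ports(saslauthd_t)` replaces upstream's `corenet_tcp_sendrecv_pop_port(saslauthd_t)` and `corenet_tcp_sendrecv_zarafa_port(saslauthd_t)` in sasl.te while the connect rules stay limited to the pop and zarafa ports, so the send/receive grant is now wider than the connect grant; keep the two per-port lines so the two sets match. The `#577519` comment above `corecmd_exec_bin(saslauthd_t)` cites a bug number without the reason, and a short why next to it would let a reviewer judge whether the rule is still needed. The sasl.te body continues into the next hunk.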
@@ -61300,26 +69751,36 @@ index 9d9f8ce..88a01c0 100644
userdom_dontaudit_use_unpriv_user_fds(saslauthd_t)
userdom_dontaudit_search_user_home_dirs(saslauthd_t)
- # cjp: typeattribute doesnt work in conditionals
++# cjp: typeattribute doesnt work in conditionals
auth_can_read_shadow_passwords(saslauthd_t)
-tunable_policy(`allow_saslauthd_read_shadow',`
+tunable_policy(`saslauthd_read_shadow',`
-+ allow saslauthd_t self:capability dac_override;
+ allow saslauthd_t self:capability dac_override;
auth_tunable_read_shadow(saslauthd_t)
')
optional_policy(`
+ kerberos_tmp_filetrans_host_rcache(saslauthd_t, "host_0")
kerberos_keytab_template(saslauthd, saslauthd_t)
+- kerberos_manage_host_rcache(saslauthd_t)
+- kerberos_tmp_filetrans_host_rcache(saslauthd_t, file, "host_0")
')
+ optional_policy(`
++ mysql_search_db(saslauthd_t)
+ mysql_stream_connect(saslauthd_t)
+- mysql_tcp_connect(saslauthd_t)
+ ')
+
+ optional_policy(`
diff --git a/sblim.if b/sblim.if
-index fa24879..3abfdf2 100644
+index 98c9e0a..df51942 100644
--- a/sblim.if
+++ b/sblim.if
-@@ -1,5 +1,28 @@
- ## <summary> policy for SBLIM Gatherer </summary>
-
+@@ -1,8 +1,36 @@
+-## <summary>Standards Based Linux Instrumentation for Manageability.</summary>
++## <summary> Standards Based Linux Instrumentation for Manageability. </summary>
++
+######################################
+## <summary>
+## Creates types and rules for a basic
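Review bot: The kerberos optional block in sasl.te drops `kerberos_manage_host_rcache(saslauthd_t)` and keeps only `kerberos_tmp_filetrans_host_rcache(saslauthd_t, "host_0")`; filetrans interfaces typically only label the created file, so unless Fedora's two-argument interface also grants manage permissions on the replay-cache type, saslauthd will be denied when it writes or replaces the cache, which is worth confirming against kerberos.if. The removed `mysql_tcp_connect(saslauthd_t)` likewise means the sql auxprop path over TCP is no longer allowed; if deliberate, a comment in that optional block would record it. The sblim_domain_template started at the end of this hunk continues into the next one.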
@@ -61341,12 +69802,40 @@ index fa24879..3abfdf2 100644
+ init_daemon_domain(sblim_$1_t, sblim_$1_exec_t)
+
+ kernel_read_system_state(sblim_$1_t)
-+')
+
++ corenet_all_recvfrom_unlabeled(sblim_$1_t)
++ corenet_all_recvfrom_netlabel(sblim_$1_t)
++
++ logging_send_syslog_msg(sblim_$1_t)
++')
+
+ ########################################
+ ## <summary>
+-## Execute gatherd in the gatherd domain.
++## Transition to gatherd.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -21,7 +49,7 @@ interface(`sblim_domtrans_gatherd',`
+
+ ########################################
+ ## <summary>
+-## Read gatherd pid files.
++## Read gatherd PID files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -40,34 +68,33 @@ interface(`sblim_read_pid_files',`
+
########################################
## <summary>
- ## Transition to gatherd.
-@@ -48,11 +71,6 @@ interface(`sblim_read_pid_files',`
+-## All of the rules required to
+-## administrate an sblim environment.
++## All of the rules required to administrate
++## an gatherd environment
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
## Domain allowed access.
## </summary>
## </param>
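Review bot: The sblim_admin summary now reads "All of the rules required to administrate an gatherd environment", but the interface (in the next hunk) covers sblim_gatherd_t and sblim_reposd_t, so "gatherd" understates its scope and "an gatherd" is ungrammatical; upstream's wording fits better, e.g. `## All of the rules required to administrate` / `## an sblim environment.`. The summary for sblim_domtrans_gatherd, "Transition to gatherd.", is also less precise than the replaced "Execute gatherd in the gatherd domain.", which names both the executable and the target domain. The template body at the top of this hunk begins in the previous one.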
@@ -61358,23 +69847,38 @@ index fa24879..3abfdf2 100644
## <rolecap/>
#
interface(`sblim_admin',`
-@@ -65,6 +83,11 @@ interface(`sblim_admin',`
- allow $1 sblim_gatherd_t:process signal_perms;
- ps_process_pattern($1, sblim_gatherd_t)
+ gen_require(`
+- attribute sblim_domain;
+- type sblim_initrc_exec_t, sblim_var_run_t;
++ type sblim_gatherd_t;
++ type sblim_reposd_t;
++ type sblim_var_run_t;
+ ')
+- allow $1 sblim_domain:process { ptrace signal_perms };
+- ps_process_pattern($1, sblim_domain)
++ allow $1 sblim_gatherd_t:process signal_perms;
++ ps_process_pattern($1, sblim_gatherd_t)
++
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 sblim_gatherd_t:process ptrace;
+ allow $1 sblim_reposd_t:process ptrace;
+ ')
-+
- allow $1 sblim_reposd_t:process signal_perms;
- ps_process_pattern($1, sblim_reposd_t)
+- init_labeled_script_domtrans($1, sblim_initrc_exec_t)
+- domain_system_change_exemption($1)
+- role_transition $2 sblim_initrc_exec_t system_r;
+- allow $2 system_r;
++ allow $1 sblim_reposd_t:process signal_perms;
++ ps_process_pattern($1, sblim_reposd_t)
+
+ files_search_pids($1)
+ admin_pattern($1, sblim_var_run_t)
diff --git a/sblim.te b/sblim.te
-index 869f976..5171bda 100644
+index 4a23d84..bc26091 100644
--- a/sblim.te
+++ b/sblim.te
-@@ -7,13 +7,9 @@ policy_module(sblim, 1.0.0)
+@@ -7,13 +7,9 @@ policy_module(sblim, 1.0.3)
attribute sblim_domain;
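Review bot: sblim_admin no longer calls `init_labeled_script_domtrans($1, sblim_initrc_exec_t)`, `domain_system_change_exemption($1)`, `role_transition $2 sblim_initrc_exec_t system_r;` or `allow $2 system_r;`, yet sblim_initrc_exec_t is still declared with `init_script_file` in sblim.te (next hunk), so an administrator using this interface cannot run the init script, the `$2` role parameter is now unused, and the `<rolecap/>` tag above the interface is stale. Either keep the four init-script lines or update the interface documentation and drop the role parameter so the signature matches what it grants. The deny_ptrace gating of `allow $1 sblim_gatherd_t:process ptrace;` and the reposd equivalent is fine as written.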
@@ -61388,231 +69892,188 @@ index 869f976..5171bda 100644
-init_daemon_domain(sblim_reposd_t, sblim_reposd_exec_t)
+sblim_domain_template(reposd)
- type sblim_var_run_t;
- files_pid_file(sblim_var_run_t)
-@@ -41,6 +37,12 @@ dev_read_urand(sblim_gatherd_t)
- domain_read_all_domains_state(sblim_gatherd_t)
-
- fs_getattr_all_fs(sblim_gatherd_t)
-+fs_search_cgroup_dirs(sblim_gatherd_t)
-+
-+storage_raw_read_fixed_disk(sblim_gatherd_t)
-+storage_raw_read_removable_device(sblim_gatherd_t)
-+
-+logging_send_syslog_msg(sblim_gatherd_t)
+ type sblim_initrc_exec_t;
+ init_script_file(sblim_initrc_exec_t)
+@@ -33,10 +29,7 @@ manage_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
+ manage_sock_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
- sysnet_dns_name_resolve(sblim_gatherd_t)
+ kernel_read_network_state(sblim_domain)
+-kernel_read_system_state(sblim_domain)
-@@ -63,7 +65,9 @@ optional_policy(`
- ')
+-corenet_all_recvfrom_unlabeled(sblim_domain)
+-corenet_all_recvfrom_netlabel(sblim_domain)
+ corenet_tcp_sendrecv_generic_if(sblim_domain)
+ corenet_tcp_sendrecv_generic_node(sblim_domain)
- optional_policy(`
-+ virt_read_config(sblim_gatherd_t)
- virt_stream_connect(sblim_gatherd_t)
-+ virt_getattr_exec(sblim_gatherd_t)
- ')
+@@ -44,12 +37,6 @@ corenet_tcp_sendrecv_repository_port(sblim_domain)
- optional_policy(`
-@@ -81,6 +85,8 @@ domtrans_pattern(sblim_gatherd_t, sblim_reposd_exec_t, sblim_reposd_t)
- corenet_tcp_bind_all_nodes(sblim_reposd_t)
- corenet_tcp_bind_repository_port(sblim_reposd_t)
+ dev_read_sysfs(sblim_domain)
-+logging_send_syslog_msg(sblim_reposd_t)
-+
- ######################################
+-logging_send_syslog_msg(sblim_domain)
+-
+-files_read_etc_files(sblim_domain)
+-
+-miscfiles_read_localization(sblim_domain)
+-
+ ########################################
#
- # sblim_domain local policy
-@@ -91,14 +97,13 @@ allow sblim_domain self:tcp_socket create_stream_socket_perms;
- manage_dirs_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
- manage_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
- manage_sock_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
-+files_pid_filetrans(sblim_domain, sblim_var_run_t, { dir file sock_file })
+ # Gatherd local policy
+@@ -84,6 +71,8 @@ storage_raw_read_removable_device(sblim_gatherd_t)
- kernel_read_network_state(sblim_domain)
--kernel_read_system_state(sblim_domain)
+ init_read_utmp(sblim_gatherd_t)
- dev_read_sysfs(sblim_domain)
++logging_send_syslog_msg(sblim_gatherd_t)
++
+ sysnet_dns_name_resolve(sblim_gatherd_t)
--logging_send_syslog_msg(sblim_domain)
-+auth_read_passwd(sblim_domain)
+ term_getattr_pty_fs(sblim_gatherd_t)
+@@ -103,8 +92,9 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- virt_getattr_virtd_exec_files(sblim_gatherd_t)
++ virt_read_config(sblim_gatherd_t)
+ virt_stream_connect(sblim_gatherd_t)
++ virt_getattr_exec(sblim_gatherd_t)
+ ')
- files_read_etc_files(sblim_domain)
+ optional_policy(`
+@@ -119,4 +109,6 @@ optional_policy(`
--miscfiles_read_localization(sblim_domain)
+ corenet_sendrecv_repository_server_packets(sblim_reposd_t)
+ corenet_tcp_bind_repository_port(sblim_reposd_t)
+-corenet_tcp_bind_generic_node(sblim_domain)
++
++logging_send_syslog_msg(sblim_reposd_t)
++
diff --git a/screen.fc b/screen.fc
-index c8254dd..b73334e 100644
+index ac04d27..b73334e 100644
--- a/screen.fc
+++ b/screen.fc
-@@ -1,15 +1,19 @@
- #
- # /home
- #
--HOME_DIR/\.screen(/.*)? gen_context(system_u:object_r:screen_home_t,s0)
- HOME_DIR/\.screenrc -- gen_context(system_u:object_r:screen_home_t,s0)
+@@ -1,8 +1,19 @@
+-HOME_DIR/\.screen(/.*)? gen_context(system_u:object_r:screen_home_t,s0)
+-HOME_DIR/\.screenrc -- gen_context(system_u:object_r:screen_home_t,s0)
++#
++# /home
++#
++HOME_DIR/\.screenrc -- gen_context(system_u:object_r:screen_home_t,s0)
+HOME_DIR/\.screen(/.*)? gen_context(system_u:object_r:screen_home_t,s0)
-+
+
+-/usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0)
+-/usr/bin/tmux -- gen_context(system_u:object_r:screen_exec_t,s0)
+/root/\.screen(/.*)? gen_context(system_u:object_r:screen_home_t,s0)
- #
- # /usr
- #
- /usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0)
+-/var/run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0)
+-/var/run/tmux(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0)
++#
++# /usr
++#
++/usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0)
+/usr/bin/tmux -- gen_context(system_u:object_r:screen_exec_t,s0)
-
- #
- # /var
- #
- /var/run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0)
++
++#
++# /var
++#
++/var/run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0)
+/var/run/tmux(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0)
diff --git a/screen.if b/screen.if
-index c50a444..ee00be2 100644
+index c21ddcc..ee00be2 100644
--- a/screen.if
+++ b/screen.if
-@@ -25,6 +25,7 @@ template(`screen_role_template',`
+@@ -1,4 +1,4 @@
+-## <summary>GNU terminal multiplexer.</summary>
++## <summary>GNU terminal multiplexer</summary>
+
+ #######################################
+ ## <summary>
+@@ -23,10 +23,9 @@
+ #
+ template(`screen_role_template',`
gen_require(`
+- attribute screen_domain;
+- attribute_role screen_roles;
type screen_exec_t, screen_tmp_t;
type screen_home_t, screen_var_run_t;
+ attribute screen_domain;
')
########################################
-@@ -32,50 +33,24 @@ template(`screen_role_template',`
- # Declarations
+@@ -35,49 +34,48 @@ template(`screen_role_template',`
#
-- type $1_screen_t;
+ type $1_screen_t, screen_domain;
- userdom_user_application_domain($1_screen_t, screen_exec_t)
-+ type $1_screen_t, screen_domain;
+ application_domain($1_screen_t, screen_exec_t)
domain_interactive_fd($1_screen_t)
+- role screen_roles types $1_screen_t;
+ ubac_constrained($1_screen_t)
- role $2 types $1_screen_t;
++ role $2 types $1_screen_t;
-- ########################################
-- #
-- # Local policy
-- #
--
-- allow $1_screen_t self:capability { setuid setgid fsetid };
-- allow $1_screen_t self:process signal_perms;
-- allow $1_screen_t self:fifo_file rw_fifo_file_perms;
-- allow $1_screen_t self:tcp_socket create_stream_socket_perms;
-- allow $1_screen_t self:udp_socket create_socket_perms;
-- # Internal screen networking
-- allow $1_screen_t self:fd use;
-- allow $1_screen_t self:unix_stream_socket { create_socket_perms connectto };
-- allow $1_screen_t self:unix_dgram_socket create_socket_perms;
--
-- manage_dirs_pattern($1_screen_t, screen_tmp_t, screen_tmp_t)
-- manage_files_pattern($1_screen_t, screen_tmp_t, screen_tmp_t)
-- manage_fifo_files_pattern($1_screen_t, screen_tmp_t, screen_tmp_t)
-- files_tmp_filetrans($1_screen_t, screen_tmp_t, { file dir })
--
-- # Create fifo
-- manage_fifo_files_pattern($1_screen_t, screen_var_run_t, screen_var_run_t)
-- manage_dirs_pattern($1_screen_t, screen_var_run_t, screen_var_run_t)
-- manage_sock_files_pattern($1_screen_t, screen_var_run_t, screen_var_run_t)
-- files_pid_filetrans($1_screen_t, screen_var_run_t, dir)
--
-- allow $1_screen_t screen_home_t:dir list_dir_perms;
-- manage_dirs_pattern($1_screen_t, screen_home_t, screen_home_t)
-- manage_fifo_files_pattern($1_screen_t, screen_home_t, screen_home_t)
-- userdom_user_home_dir_filetrans($1_screen_t, screen_home_t, dir)
-- read_files_pattern($1_screen_t, screen_home_t, screen_home_t)
-- read_lnk_files_pattern($1_screen_t, screen_home_t, screen_home_t)
+- roleattribute $2 screen_roles;
+ tunable_policy(`deny_ptrace',`',`
+ allow $3 $1_screen_t:process ptrace;
+ ')
-- allow $1_screen_t $3:process signal;
+- ########################################
+- #
+- # Local policy
+- #
+ userdom_home_reader($1_screen_t)
domtrans_pattern($3, screen_exec_t, $1_screen_t)
- allow $3 $1_screen_t:process { signal sigchld };
+-
+- ps_process_pattern($3, $1_screen_t)
+- allow $3 $1_screen_t:process { ptrace signal_perms };
+-
++ allow $3 $1_screen_t:process { signal sigchld };
dontaudit $3 $1_screen_t:unix_stream_socket { read write };
+ allow $1_screen_t $3:unix_stream_socket { connectto };
allow $1_screen_t $3:process signal;
+ ps_process_pattern($1_screen_t, $3)
- manage_fifo_files_pattern($3, screen_home_t, screen_home_t)
- manage_dirs_pattern($3, screen_home_t, screen_home_t)
-@@ -86,77 +61,46 @@ template(`screen_role_template',`
- relabel_lnk_files_pattern($3, screen_home_t, screen_home_t)
+- allow $3 screen_tmp_t:dir { manage_dir_perms relabel_dir_perms };
+- allow $3 screen_tmp_t:file { manage_file_perms relabel_file_perms };
+- allow $3 screen_tmp_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
+-
+- allow $3 screen_home_t:dir { manage_dir_perms relabel_dir_perms };
+- allow $3 screen_home_t:file { manage_file_perms relabel_file_perms };
+- allow $3 screen_home_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
+- allow $3 screen_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+-
+- userdom_user_home_dir_filetrans($3, screen_home_t, dir, ".screen")
+- userdom_user_home_dir_filetrans($3, screen_home_t, file, ".screenrc")
++ manage_fifo_files_pattern($3, screen_home_t, screen_home_t)
++ manage_dirs_pattern($3, screen_home_t, screen_home_t)
++ manage_files_pattern($3, screen_home_t, screen_home_t)
++ manage_lnk_files_pattern($3, screen_home_t, screen_home_t)
++ relabel_dirs_pattern($3, screen_home_t, screen_home_t)
++ relabel_files_pattern($3, screen_home_t, screen_home_t)
++ relabel_lnk_files_pattern($3, screen_home_t, screen_home_t)
manage_dirs_pattern($3, screen_var_run_t, screen_var_run_t)
- manage_files_pattern($3, screen_var_run_t, screen_var_run_t)
- manage_lnk_files_pattern($3, screen_var_run_t, screen_var_run_t)
manage_fifo_files_pattern($3, screen_var_run_t, screen_var_run_t)
- kernel_read_system_state($1_screen_t)
-- kernel_read_kernel_sysctls($1_screen_t)
-
-- corecmd_list_bin($1_screen_t)
-- corecmd_read_bin_files($1_screen_t)
-- corecmd_read_bin_symlinks($1_screen_t)
-- corecmd_read_bin_pipes($1_screen_t)
-- corecmd_read_bin_sockets($1_screen_t)
- # Revert to the user domain when a shell is executed.
+- corecmd_bin_domtrans($1_screen_t, $3)
++ kernel_read_system_state($1_screen_t)
++
++ # Revert to the user domain when a shell is executed.
corecmd_shell_domtrans($1_screen_t, $3)
- corecmd_bin_domtrans($1_screen_t, $3)
-
-- corenet_all_recvfrom_unlabeled($1_screen_t)
-- corenet_all_recvfrom_netlabel($1_screen_t)
-- corenet_tcp_sendrecv_generic_if($1_screen_t)
-- corenet_udp_sendrecv_generic_if($1_screen_t)
-- corenet_tcp_sendrecv_generic_node($1_screen_t)
-- corenet_udp_sendrecv_generic_node($1_screen_t)
-- corenet_tcp_sendrecv_all_ports($1_screen_t)
-- corenet_udp_sendrecv_all_ports($1_screen_t)
-- corenet_tcp_connect_all_ports($1_screen_t)
--
-- dev_dontaudit_getattr_all_chr_files($1_screen_t)
-- dev_dontaudit_getattr_all_blk_files($1_screen_t)
-- # for SSP
-- dev_read_urand($1_screen_t)
--
-- domain_use_interactive_fds($1_screen_t)
--
-- files_search_tmp($1_screen_t)
-- files_search_home($1_screen_t)
-- files_list_home($1_screen_t)
-- files_read_usr_files($1_screen_t)
-- files_read_etc_files($1_screen_t)
--
-- fs_search_auto_mountpoints($1_screen_t)
-- fs_getattr_xattr_fs($1_screen_t)
--
++ corecmd_bin_domtrans($1_screen_t, $3)
+
auth_domtrans_chk_passwd($1_screen_t)
auth_use_nsswitch($1_screen_t)
-- auth_dontaudit_read_shadow($1_screen_t)
-- auth_dontaudit_exec_utempter($1_screen_t)
--
-- # Write to utmp.
-- init_rw_utmp($1_screen_t)
- logging_send_syslog_msg($1_screen_t)
-
-- miscfiles_read_localization($1_screen_t)
--
-- seutil_read_config($1_screen_t)
--
-- userdom_use_user_terminals($1_screen_t)
-- userdom_create_user_pty($1_screen_t)
++ logging_send_syslog_msg($1_screen_t)
++
userdom_user_home_domtrans($1_screen_t, $3)
-- userdom_setattr_user_ptys($1_screen_t)
-- userdom_setattr_user_ttys($1_screen_t)
+ userdom_manage_tmp_role($2, $1_screen_t)
tunable_policy(`use_samba_home_dirs',`
fs_cifs_domtrans($1_screen_t, $3)
-- fs_read_cifs_symlinks($1_screen_t)
-- fs_list_cifs($1_screen_t)
- ')
-
- tunable_policy(`use_nfs_home_dirs',`
+@@ -87,3 +85,22 @@ template(`screen_role_template',`
fs_nfs_domtrans($1_screen_t, $3)
-- fs_list_nfs($1_screen_t)
-- fs_read_nfs_symlinks($1_screen_t)
')
')
+
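Review bot: In sblim.te the patch removes `corenet_tcp_bind_generic_node(sblim_domain)` while keeping `corenet_tcp_bind_repository_port(sblim_reposd_t)`; binding a TCP port in refpolicy also needs a node bind, and no replacement for sblim_reposd_t is visible here (the older Fedora patch carried `corenet_tcp_bind_all_nodes(sblim_reposd_t)`), so reposd is likely denied at the node check unless the template grants it. Also, `sblim_domain_template` now calls `logging_send_syslog_msg(sblim_$1_t)` for each domain it creates, which makes the per-domain `logging_send_syslog_msg(sblim_gatherd_t)` and `logging_send_syslog_msg(sblim_reposd_t)` added in this hunk redundant. In screen.if, the template keeps `allow $3 $1_screen_t:process { signal sigchld };` unconditional and gates ptrace behind deny_ptrace, which is consistent with the sanlock and sasl admin changes. This hunk also spans screen.fc, and the new screen.if interface whose tail appears in the next hunk begins in the gap between them.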
@@ -61635,19 +70096,26 @@ index c50a444..ee00be2 100644
+ can_exec($1, screen_exec_t)
+')
diff --git a/screen.te b/screen.te
-index 2583626..86af6f6 100644
+index f095081..86af6f6 100644
--- a/screen.te
+++ b/screen.te
-@@ -5,6 +5,8 @@ policy_module(screen, 2.5.0)
+@@ -1,13 +1,11 @@
+-policy_module(screen, 2.5.3)
++policy_module(screen, 2.5.0)
+
+ ########################################
+ #
# Declarations
#
+-attribute screen_domain;
+-
+-attribute_role screen_roles;
+attribute screen_domain;
-+
+
type screen_exec_t;
application_executable_file(screen_exec_t)
-
-@@ -13,13 +15,84 @@ typealias screen_home_t alias { user_screen_home_t staff_screen_home_t sysadm_sc
+@@ -17,11 +15,6 @@ typealias screen_home_t alias { user_screen_home_t staff_screen_home_t sysadm_sc
typealias screen_home_t alias { auditadm_screen_home_t secadm_screen_home_t };
userdom_user_home_content(screen_home_t)
@@ -61659,174 +70127,316 @@ index 2583626..86af6f6 100644
type screen_var_run_t;
typealias screen_var_run_t alias { user_screen_var_run_t staff_screen_var_run_t sysadm_screen_var_run_t };
typealias screen_var_run_t alias { auditadm_screen_var_run_t secadm_screen_var_run_t screen_dir_t };
- files_pid_file(screen_var_run_t)
- ubac_constrained(screen_var_run_t)
-+
-+########################################
-+#
+@@ -30,33 +23,33 @@ ubac_constrained(screen_var_run_t)
+
+ ########################################
+ #
+-# Common screen domain local policy
+# Local policy
-+#
-+
-+allow screen_domain self:capability { setuid setgid fsetid };
-+allow screen_domain self:process signal_perms;
-+allow screen_domain self:fifo_file rw_fifo_file_perms;
+ #
+
+ allow screen_domain self:capability { setuid setgid fsetid };
+ allow screen_domain self:process signal_perms;
+-allow screen_domain self:fd use;
+ allow screen_domain self:fifo_file rw_fifo_file_perms;
+-allow screen_domain self:tcp_socket { accept listen };
+-allow screen_domain self:unix_stream_socket connectto;
+-
+-manage_dirs_pattern(screen_domain, screen_tmp_t, screen_tmp_t)
+-manage_files_pattern(screen_domain, screen_tmp_t, screen_tmp_t)
+-manage_fifo_files_pattern(screen_domain, screen_tmp_t, screen_tmp_t)
+-files_tmp_filetrans(screen_domain, screen_tmp_t, { file dir })
+allow screen_domain self:tcp_socket create_stream_socket_perms;
+allow screen_domain self:udp_socket create_socket_perms;
+# Internal screen networking
+allow screen_domain self:fd use;
+allow screen_domain self:unix_stream_socket { create_socket_perms connectto };
+allow screen_domain self:unix_dgram_socket create_socket_perms;
-+
+
+# Create fifo
-+manage_fifo_files_pattern(screen_domain, screen_var_run_t, screen_var_run_t)
-+manage_dirs_pattern(screen_domain, screen_var_run_t, screen_var_run_t)
-+manage_sock_files_pattern(screen_domain, screen_var_run_t, screen_var_run_t)
-+files_pid_filetrans(screen_domain, screen_var_run_t, dir)
-+
+ manage_fifo_files_pattern(screen_domain, screen_var_run_t, screen_var_run_t)
+ manage_dirs_pattern(screen_domain, screen_var_run_t, screen_var_run_t)
+ manage_sock_files_pattern(screen_domain, screen_var_run_t, screen_var_run_t)
+ files_pid_filetrans(screen_domain, screen_var_run_t, dir)
+
+allow screen_domain screen_home_t:dir list_dir_perms;
-+manage_dirs_pattern(screen_domain, screen_home_t, screen_home_t)
-+manage_fifo_files_pattern(screen_domain, screen_home_t, screen_home_t)
+ manage_dirs_pattern(screen_domain, screen_home_t, screen_home_t)
+-read_files_pattern(screen_domain, screen_home_t, screen_home_t)
+ manage_fifo_files_pattern(screen_domain, screen_home_t, screen_home_t)
+userdom_user_home_dir_filetrans(screen_domain, screen_home_t, dir)
+userdom_admin_home_dir_filetrans(screen_domain, screen_home_t, dir)
+read_files_pattern(screen_domain, screen_home_t, screen_home_t)
-+read_lnk_files_pattern(screen_domain, screen_home_t, screen_home_t)
-+
-+kernel_read_kernel_sysctls(screen_domain)
-+
-+corecmd_list_bin(screen_domain)
-+corecmd_read_bin_files(screen_domain)
-+corecmd_read_bin_symlinks(screen_domain)
-+corecmd_read_bin_pipes(screen_domain)
-+corecmd_read_bin_sockets(screen_domain)
-+
-+corenet_tcp_sendrecv_generic_if(screen_domain)
+ read_lnk_files_pattern(screen_domain, screen_home_t, screen_home_t)
+-userdom_user_home_dir_filetrans(screen_domain, screen_home_t, dir, ".screen")
+
+-kernel_read_system_state(screen_domain)
+ kernel_read_kernel_sysctls(screen_domain)
+
+ corecmd_list_bin(screen_domain)
+@@ -65,55 +58,41 @@ corecmd_read_bin_symlinks(screen_domain)
+ corecmd_read_bin_pipes(screen_domain)
+ corecmd_read_bin_sockets(screen_domain)
+
+-corenet_all_recvfrom_unlabeled(screen_domain)
+-corenet_all_recvfrom_netlabel(screen_domain)
+ corenet_tcp_sendrecv_generic_if(screen_domain)
+corenet_udp_sendrecv_generic_if(screen_domain)
-+corenet_tcp_sendrecv_generic_node(screen_domain)
+ corenet_tcp_sendrecv_generic_node(screen_domain)
+corenet_udp_sendrecv_generic_node(screen_domain)
-+corenet_tcp_sendrecv_all_ports(screen_domain)
+ corenet_tcp_sendrecv_all_ports(screen_domain)
+-
+-corenet_sendrecv_all_client_packets(screen_domain)
+corenet_udp_sendrecv_all_ports(screen_domain)
-+corenet_tcp_connect_all_ports(screen_domain)
-+
-+dev_dontaudit_getattr_all_chr_files(screen_domain)
-+dev_dontaudit_getattr_all_blk_files(screen_domain)
+ corenet_tcp_connect_all_ports(screen_domain)
+
+ dev_dontaudit_getattr_all_chr_files(screen_domain)
+ dev_dontaudit_getattr_all_blk_files(screen_domain)
+# for SSP
-+dev_read_urand(screen_domain)
-+
-+domain_sigchld_interactive_fds(screen_domain)
+ dev_read_urand(screen_domain)
+
+-domain_use_interactive_fds(screen_domain)
+ domain_sigchld_interactive_fds(screen_domain)
+domain_use_interactive_fds(screen_domain)
-+domain_read_all_domains_state(screen_domain)
-+
+ domain_read_all_domains_state(screen_domain)
+
+files_search_tmp(screen_domain)
+files_search_home(screen_domain)
-+files_list_home(screen_domain)
-+files_read_usr_files(screen_domain)
+ files_list_home(screen_domain)
+ files_read_usr_files(screen_domain)
+files_read_etc_files(screen_domain)
-+
-+fs_search_auto_mountpoints(screen_domain)
+
+ fs_search_auto_mountpoints(screen_domain)
+-fs_getattr_all_fs(screen_domain)
+fs_getattr_xattr_fs(screen_domain)
-+
-+auth_dontaudit_read_shadow(screen_domain)
-+auth_dontaudit_exec_utempter(screen_domain)
-+
+
+ auth_dontaudit_read_shadow(screen_domain)
+ auth_dontaudit_exec_utempter(screen_domain)
+
+# Write to utmp.
-+init_rw_utmp(screen_domain)
-+
-+seutil_read_config(screen_domain)
-+
-+userdom_use_user_terminals(screen_domain)
-+userdom_create_user_pty(screen_domain)
-+userdom_setattr_user_ptys(screen_domain)
-+userdom_setattr_user_ttys(screen_domain)
+ init_rw_utmp(screen_domain)
+
+-logging_send_syslog_msg(screen_domain)
+-
+-miscfiles_read_localization(screen_domain)
+-
+ seutil_read_config(screen_domain)
+
+ userdom_use_user_terminals(screen_domain)
+ userdom_create_user_pty(screen_domain)
+ userdom_setattr_user_ptys(screen_domain)
+ userdom_setattr_user_ttys(screen_domain)
+-
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(screen_domain)
+- fs_read_cifs_files(screen_domain)
+- fs_manage_cifs_named_pipes(screen_domain)
+- fs_read_cifs_symlinks(screen_domain)
+-')
+-
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_dirs(screen_domain)
+- fs_read_nfs_files(screen_domain)
+- fs_manage_nfs_named_pipes(screen_domain)
+- fs_read_nfs_symlinks(screen_domain)
+-')
diff --git a/sectoolm.fc b/sectoolm.fc
-index 1ed6870..3f1dac5 100644
+index 64a2394..3f1dac5 100644
--- a/sectoolm.fc
+++ b/sectoolm.fc
-@@ -1,4 +1,4 @@
+@@ -1,5 +1,4 @@
/usr/libexec/sectool-mechanism\.py -- gen_context(system_u:object_r:sectoolm_exec_t,s0)
- /var/lib/sectool(/.*)? gen_context(system_u:object_r:sectool_var_lib_t,s0)
--/var/log/sectool\.log -- gen_context(system_u:object_r:sectool_var_log_t,s0)
+-/var/lib/sectool(/.*)? gen_context(system_u:object_r:sectool_var_lib_t,s0)
+-
+-/var/log/sectool\.log.* -- gen_context(system_u:object_r:sectool_var_log_t,s0)
++/var/lib/sectool(/.*)? gen_context(system_u:object_r:sectool_var_lib_t,s0)
+/var/log/sectool\.log.* -- gen_context(system_u:object_r:sectool_var_log_t,s0)
+diff --git a/sectoolm.if b/sectoolm.if
+index c78a569..9007451 100644
+--- a/sectoolm.if
++++ b/sectoolm.if
+@@ -1,24 +1,2 @@
+-## <summary>Sectool security audit tool.</summary>
++## <summary>Sectool security audit tool</summary>
+
+-########################################
+-## <summary>
+-## Role access for sectoolm.
+-## </summary>
+-## <param name="role">
+-## <summary>
+-## Role allowed access.
+-## </summary>
+-## </param>
+-## <param name="domain">
+-## <summary>
+-## User domain for the role.
+-## </summary>
+-## </param>
+-#
+-interface(`sectoolm_role',`
+- gen_require(`
+- type sectoolm_t;
+- ')
+-
+- allow sectoolm_t $2:unix_dgram_socket sendto;
+-')
diff --git a/sectoolm.te b/sectoolm.te
-index c8ef84b..ffa81dd 100644
+index 8193bf1..ffa81dd 100644
--- a/sectoolm.te
+++ b/sectoolm.te
-@@ -7,7 +7,7 @@ policy_module(sectoolm, 1.0.0)
+@@ -1,4 +1,4 @@
+-policy_module(sectoolm, 1.0.1)
++policy_module(sectoolm, 1.0.0)
+
+ ########################################
+ #
+@@ -7,7 +7,7 @@ policy_module(sectoolm, 1.0.1)
type sectoolm_t;
type sectoolm_exec_t;
--dbus_system_domain(sectoolm_t, sectoolm_exec_t)
+-init_system_domain(sectoolm_t, sectoolm_exec_t)
+init_daemon_domain(sectoolm_t, sectoolm_exec_t)
type sectool_var_lib_t;
files_type(sectool_var_lib_t)
-@@ -23,7 +23,7 @@ files_tmp_file(sectool_tmp_t)
- # sectool local policy
+@@ -20,14 +20,14 @@ files_tmp_file(sectool_tmp_t)
+
+ ########################################
+ #
+-# Local policy
++# sectool local policy
#
--allow sectoolm_t self:capability { dac_override net_admin sys_nice sys_ptrace };
-+allow sectoolm_t self:capability { dac_override net_admin sys_nice };
+ allow sectoolm_t self:capability { dac_override net_admin sys_nice };
allow sectoolm_t self:process { getcap getsched signull setsched };
dontaudit sectoolm_t self:process { execstack execmem };
allow sectoolm_t self:fifo_file rw_fifo_file_perms;
-@@ -70,12 +70,6 @@ application_exec_all(sectoolm_t)
+-allow sectoolm_t self:unix_dgram_socket sendto;
++allow sectoolm_t self:unix_dgram_socket { create_socket_perms sendto };
- auth_use_nsswitch(sectoolm_t)
+ manage_dirs_pattern(sectoolm_t, sectool_tmp_t, sectool_tmp_t)
+ manage_files_pattern(sectoolm_t, sectool_tmp_t, sectool_tmp_t)
+@@ -37,7 +37,7 @@ manage_files_pattern(sectoolm_t, sectool_var_lib_t, sectool_var_lib_t)
+ manage_dirs_pattern(sectoolm_t, sectool_var_lib_t, sectool_var_lib_t)
+ files_var_lib_filetrans(sectoolm_t, sectool_var_lib_t, { file dir })
--# tests related to network
--hostname_exec(sectoolm_t)
--
--# tests related to network
--iptables_domtrans(sectoolm_t)
--
- libs_exec_ld_so(sectoolm_t)
+-allow sectoolm_t sectool_var_log_t:file { append_file_perms create_file_perms setattr_file_perms };
++manage_files_pattern(sectoolm_t, sectool_var_log_t, sectool_var_log_t)
+ logging_log_filetrans(sectoolm_t, sectool_var_log_t, file)
+
+ kernel_read_net_sysctls(sectoolm_t)
+@@ -65,6 +65,7 @@ fs_list_noxattr_fs(sectoolm_t)
+
+ selinux_validate_context(sectoolm_t)
+
++# tcp_wrappers test
+ application_exec_all(sectoolm_t)
+
+ auth_use_nsswitch(sectoolm_t)
+@@ -73,30 +74,36 @@ libs_exec_ld_so(sectoolm_t)
logging_send_syslog_msg(sectoolm_t)
-@@ -84,6 +78,21 @@ logging_send_syslog_msg(sectoolm_t)
+
++# tests related to network
sysnet_domtrans_ifconfig(sectoolm_t)
- userdom_manage_user_tmp_sockets(sectoolm_t)
+-userdom_write_user_tmp_sockets(sectoolm_t)
++userdom_manage_user_tmp_sockets(sectoolm_t)
+userdom_dgram_send(sectoolm_t)
-+
-+optional_policy(`
+
+ optional_policy(`
+- mount_exec(sectoolm_t)
+ dbus_system_domain(sectoolm_t, sectoolm_exec_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- dbus_system_domain(sectoolm_t, sectoolm_exec_t)
+ # tests related to network
+ hostname_exec(sectoolm_t)
+')
-+
+
+- optional_policy(`
+- policykit_dbus_chat(sectoolm_t)
+- ')
+optional_policy(`
+ # tests related to network
+ iptables_domtrans(sectoolm_t)
-+')
+ ')
optional_policy(`
- mount_exec(sectoolm_t)
+- hostname_exec(sectoolm_t)
++ mount_exec(sectoolm_t)
+ ')
+
+ optional_policy(`
+- iptables_domtrans(sectoolm_t)
++ policykit_dbus_chat(sectoolm_t)
+ ')
+
++# suid test using
++# rpm -Vf option
+ optional_policy(`
+ prelink_domtrans(sectoolm_t)
+ ')
diff --git a/sendmail.fc b/sendmail.fc
-index a86ec50..da5d41d 100644
+index d14b6bf..da5d41d 100644
--- a/sendmail.fc
+++ b/sendmail.fc
-@@ -1,5 +1,7 @@
+@@ -1,7 +1,8 @@
+-/etc/rc\.d/init\.d/sendmail -- gen_context(system_u:object_r:sendmail_initrc_exec_t,s0)
--/var/log/sendmail\.st -- gen_context(system_u:object_r:sendmail_log_t,s0)
+-/var/log/sendmail\.st.* -- gen_context(system_u:object_r:sendmail_log_t,s0)
+-/var/log/mail(/.*)? gen_context(system_u:object_r:sendmail_log_t,s0)
+/etc/rc\.d/init\.d/sendmail -- gen_context(system_u:object_r:sendmail_initrc_exec_t,s0)
-+
-+/var/log/sendmail\.st.* -- gen_context(system_u:object_r:sendmail_log_t,s0)
- /var/log/mail(/.*)? gen_context(system_u:object_r:sendmail_log_t,s0)
- /var/run/sendmail\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0)
+-/var/run/sendmail\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0)
+-/var/run/sm-client\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0)
++/var/log/sendmail\.st.* -- gen_context(system_u:object_r:sendmail_log_t,s0)
++/var/log/mail(/.*)? gen_context(system_u:object_r:sendmail_log_t,s0)
++
++/var/run/sendmail\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0)
++/var/run/sm-client\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0)
diff --git a/sendmail.if b/sendmail.if
-index 7e94c7c..ca74cd9 100644
+index 88e753f..ca74cd9 100644
--- a/sendmail.if
+++ b/sendmail.if
-@@ -51,10 +51,24 @@ interface(`sendmail_domtrans',`
+@@ -1,4 +1,4 @@
+-## <summary>Internetwork email routing facility.</summary>
++## <summary>Policy for sendmail.</summary>
+
+ ########################################
+ ## <summary>
+@@ -18,7 +18,8 @@ interface(`sendmail_stub',`
+
+ ########################################
+ ## <summary>
+-## Read and write sendmail unnamed pipes.
++## Allow attempts to read and write to
++## sendmail unnamed pipes.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -36,7 +37,7 @@ interface(`sendmail_rw_pipes',`
+
+ ########################################
+ ## <summary>
+-## Execute a domain transition to run sendmail.
++## Domain transition to sendmail.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -49,19 +50,30 @@ interface(`sendmail_domtrans',`
+ type sendmail_t;
')
+- corecmd_search_bin($1)
mta_sendmail_domtrans($1, sendmail_t)
+')
-+
+
+- allow sendmail_t $1:fd use;
+- allow sendmail_t $1:fifo_file rw_fifo_file_perms;
+- allow sendmail_t $1:process sigchld;
+#######################################
+## <summary>
+## Execute sendmail in the sendmail domain.
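Review bot: The sectoolm.te part of this hunk replaces upstream's append-only rule on the audit log with `manage_files_pattern(sectoolm_t, sectool_var_log_t, sectool_var_log_t)`, which additionally lets sectoolm_t write into, truncate, unlink and rename its own log, so a compromised mechanism can erase its trail. Unless the tool really rewrites or rotates the log itself (the `/var/log/sectool\.log.*` context hints at rotation, which logrotate normally performs in its own domain), keeping `allow sectoolm_t sectool_var_log_t:file { append_file_perms create_file_perms setattr_file_perms };` is the safer grant, or the widening should at least carry a comment naming the denial it resolves. The same hunk also drops `corecmd_search_bin($1)` from sendmail_domtrans, which is only safe if mta_sendmail_domtrans grants bin search on its own; that interface is not visible here. The sendmail_domtrans interface continues past the end of this hunk.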
@@ -61841,39 +70451,165 @@ index 7e94c7c..ca74cd9 100644
+ gen_require(`
+ type sendmail_initrc_exec_t;
+ ')
-
-- allow sendmail_t $1:fd use;
-- allow sendmail_t $1:fifo_file rw_file_perms;
-- allow sendmail_t $1:process sigchld;
++
+ init_labeled_script_domtrans($1, sendmail_initrc_exec_t)
')
########################################
-@@ -152,7 +166,7 @@ interface(`sendmail_rw_unix_stream_sockets',`
- type sendmail_t;
+ ## <summary>
+-## Execute the sendmail program in the
+-## sendmail domain, and allow the
+-## specified role the sendmail domain.
++## Execute the sendmail program in the sendmail domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -70,18 +82,18 @@ interface(`sendmail_domtrans',`
+ ## </param>
+ ## <param name="role">
+ ## <summary>
+-## Role allowed access.
++## The role to allow the sendmail domain.
+ ## </summary>
+ ## </param>
+ ## <rolecap/>
+ #
+ interface(`sendmail_run',`
+ gen_require(`
+- attribute_role sendmail_roles;
++ type sendmail_t;
')
-- allow $1 sendmail_t:unix_stream_socket { getattr read write ioctl };
-+ allow $1 sendmail_t:unix_stream_socket rw_socket_perms;
+ sendmail_domtrans($1)
+- roleattribute $2 sendmail_roles;
++ role $2 types sendmail_t;
')
########################################
-@@ -171,7 +185,7 @@ interface(`sendmail_dontaudit_rw_unix_stream_sockets',`
- type sendmail_t;
+@@ -141,8 +153,7 @@ interface(`sendmail_dontaudit_rw_tcp_sockets',`
+
+ ########################################
+ ## <summary>
+-## Read and write sendmail unix
+-## domain stream sockets.
++## Read and write sendmail unix_stream_sockets.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -179,7 +190,7 @@ interface(`sendmail_dontaudit_rw_unix_stream_sockets',`
+
+ ########################################
+ ## <summary>
+-## Read sendmail log files.
++## Read sendmail logs.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -199,8 +210,7 @@ interface(`sendmail_read_log',`
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete
+-## sendmail log files.
++## Create, read, write, and delete sendmail logs.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -220,8 +230,7 @@ interface(`sendmail_manage_log',`
+
+ ########################################
+ ## <summary>
+-## Create specified objects in generic
+-## log directories sendmail log file type.
++## Create sendmail logs with the correct type.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -230,43 +239,16 @@ interface(`sendmail_manage_log',`
+ ## </param>
+ #
+ interface(`sendmail_create_log',`
+- refpolicywarn(`$0($*) has been deprecated, use sendmail_log_filetrans_sendmail_log() instead.')
+- sendmail_log_filetrans_sendmail_log($1, $2, $3)
+-')
+-
+-########################################
+-## <summary>
+-## Create specified objects in generic
+-## log directories sendmail log file type.
+-## </summary>
+-## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+-## </param>
+-## <param name="object_class">
+-## <summary>
+-## Class of the object being created.
+-## </summary>
+-## </param>
+-## <param name="name" optional="true">
+-## <summary>
+-## The name of the object being created.
+-## </summary>
+-## </param>
+-#
+-interface(`sendmail_log_filetrans_sendmail_log',`
+ gen_require(`
+ type sendmail_log_t;
+ ')
+
+- logging_log_filetrans($1, sendmail_log_t, $2, $3)
++ logging_log_filetrans($1, sendmail_log_t, file)
+ ')
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete
+-## sendmail tmp files.
++## Manage sendmail tmp files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -299,18 +281,13 @@ interface(`sendmail_domtrans_unconfined',`
')
-- dontaudit $1 sendmail_t:unix_stream_socket { getattr read write ioctl };
-+ dontaudit $1 sendmail_t:unix_stream_socket rw_socket_perms;
+ mta_sendmail_domtrans($1, unconfined_sendmail_t)
+-
+- allow unconfined_sendmail_t $1:fd use;
+- allow unconfined_sendmail_t $1:fifo_file rw_fifo_file_perms;
+- allow unconfined_sendmail_t $1:process sigchld;
')
########################################
-@@ -295,3 +309,73 @@ interface(`sendmail_run_unconfined',`
+ ## <summary>
+-## Execute sendmail in the unconfined
+-## sendmail domain, and allow the
+-## specified role the unconfined
+-## sendmail domain.
++## Execute sendmail in the unconfined sendmail domain, and
++## allow the specified role the unconfined sendmail domain,
++## and use the caller's terminal.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -326,17 +303,36 @@ interface(`sendmail_domtrans_unconfined',`
+ #
+ interface(`sendmail_run_unconfined',`
+ gen_require(`
+- attribute_role sendmail_unconfined_roles;
++ type unconfined_sendmail_t;
+ ')
+
sendmail_domtrans_unconfined($1)
- role $2 types unconfined_sendmail_t;
+- roleattribute $2 sendmail_unconfined_roles;
++ role $2 types unconfined_sendmail_t;
')
-+
-+########################################
-+## <summary>
+
+ ########################################
+ ## <summary>
+-## All of the rules required to
+-## administrate an sendmail environment.
+## Set the attributes of sendmail pid files.
+## </summary>
+## <param name="domain">
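Review bot: The rewritten summary of sendmail_run_unconfined now promises "and use the caller's terminal", but the interface body below it only calls sendmail_domtrans_unconfined($1) and adds `role $2 types unconfined_sendmail_t;`, so no terminal access is granted by this interface and the documentation overstates its contract. Keep the summary to what the body does, e.g. `## Execute sendmail in the unconfined sendmail domain, and` / `## allow the specified role the unconfined sendmail domain.`. If terminal use is in fact expected to come from unconfined_domain() applied to unconfined_sendmail_t elsewhere, say so in a plain comment rather than in the interface summary. The sendmail_admin interface whose documentation starts at the end of this hunk continues past it.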
@@ -61895,136 +70631,200 @@ index 7e94c7c..ca74cd9 100644
+## <summary>
+## All of the rules required to administrate
+## an sendmail environment
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <param name="role">
-+## <summary>
-+## Role allowed access.
-+## </summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`sendmail_admin',`
-+ gen_require(`
-+ type sendmail_t, sendmail_initrc_exec_t, sendmail_log_t;
-+ type sendmail_tmp_t, sendmail_var_run_t, unconfined_sendmail_t;
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -354,12 +350,20 @@ interface(`sendmail_admin',`
+ gen_require(`
+ type sendmail_t, sendmail_initrc_exec_t, sendmail_log_t;
+ type sendmail_tmp_t, sendmail_var_run_t, unconfined_sendmail_t;
+ type mail_spool_t;
-+ ')
-+
+ ')
+
+- allow $1 { unconfined_sendmail_t sendmail_t }:process { ptrace signal_perms };
+- ps_process_pattern($1, { unconfined_sendmail_t sendmail_t })
+ allow $1 sendmail_t:process signal_perms;
+ ps_process_pattern($1, sendmail_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 sendmail_t:process ptrace;
+ allow $1 unconfined_sendmail_t:process ptrace;
+ ')
-+
+
+- init_labeled_script_domtrans($1, sendmail_initrc_exec_t)
+ allow $1 unconfined_sendmail_t:process signal_perms;
+ ps_process_pattern($1, unconfined_sendmail_t)
+
+ sendmail_initrc_domtrans($1)
-+ domain_system_change_exemption($1)
-+ role_transition $2 sendmail_initrc_exec_t system_r;
-+
-+ logging_list_logs($1)
-+ admin_pattern($1, sendmail_log_t)
-+
-+ files_list_tmp($1)
-+ admin_pattern($1, sendmail_tmp_t)
-+
-+ files_list_pids($1)
-+ admin_pattern($1, sendmail_var_run_t)
-+
+ domain_system_change_exemption($1)
+ role_transition $2 sendmail_initrc_exec_t system_r;
+
+@@ -372,6 +376,6 @@ interface(`sendmail_admin',`
+ files_list_pids($1)
+ admin_pattern($1, sendmail_var_run_t)
+
+- sendmail_run($1, $2)
+- sendmail_run_unconfined($1, $2)
+ files_list_spool($1)
+ admin_pattern($1, mail_spool_t)
-+')
+ ')
diff --git a/sendmail.te b/sendmail.te
-index 22dac1f..a536819 100644
+index 5f35d78..a536819 100644
--- a/sendmail.te
+++ b/sendmail.te
-@@ -19,9 +19,8 @@ mta_sendmail_mailserver(sendmail_t)
+@@ -1,18 +1,10 @@
+-policy_module(sendmail, 1.11.5)
++policy_module(sendmail, 1.11.0)
+
+ ########################################
+ #
+ # Declarations
+ #
+
+-attribute_role sendmail_roles;
+-
+-attribute_role sendmail_unconfined_roles;
+-roleattribute system_r sendmail_unconfined_roles;
+-
+-type sendmail_initrc_exec_t;
+-init_script_file(sendmail_initrc_exec_t)
+-
+ type sendmail_log_t;
+ logging_log_file(sendmail_log_t)
+
+@@ -26,27 +18,25 @@ type sendmail_t;
+ mta_sendmail_mailserver(sendmail_t)
mta_mailserver_delivery(sendmail_t)
mta_mailserver_sender(sendmail_t)
+-role sendmail_roles types sendmail_t;
-type unconfined_sendmail_t;
-application_domain(unconfined_sendmail_t, sendmail_exec_t)
--role system_r types unconfined_sendmail_t;
+-role sendmail_unconfined_roles types unconfined_sendmail_t;
+type sendmail_initrc_exec_t;
+init_script_file(sendmail_initrc_exec_t)
########################################
#
-@@ -52,7 +51,6 @@ kernel_read_kernel_sysctls(sendmail_t)
- # for piping mail to a command
+-# Local policy
++# Sendmail local policy
+ #
+
+-allow sendmail_t self:capability { dac_override setuid setgid sys_nice chown sys_tty_config };
++allow sendmail_t self:capability { dac_override setuid setgid net_bind_service sys_nice chown sys_tty_config };
+ allow sendmail_t self:process { setsched setpgid setrlimit signal signull };
+ allow sendmail_t self:fifo_file rw_fifo_file_perms;
+-allow sendmail_t self:unix_stream_socket { accept listen };
+-allow sendmail_t self:tcp_socket { accept listen };
++allow sendmail_t self:unix_stream_socket create_stream_socket_perms;
++allow sendmail_t self:unix_dgram_socket create_socket_perms;
++allow sendmail_t self:tcp_socket create_stream_socket_perms;
++allow sendmail_t self:udp_socket create_socket_perms;
+
+-allow sendmail_t sendmail_log_t:dir setattr_dir_perms;
+-append_files_pattern(sendmail_t, sendmail_log_t, sendmail_log_t)
+-create_files_pattern(sendmail_t, sendmail_log_t, sendmail_log_t)
+-setattr_files_pattern(sendmail_t, sendmail_log_t, sendmail_log_t)
++allow sendmail_t sendmail_log_t:dir setattr;
++manage_files_pattern(sendmail_t, sendmail_log_t, sendmail_log_t)
+ logging_log_filetrans(sendmail_t, sendmail_log_t, { file dir })
+
+ manage_dirs_pattern(sendmail_t, sendmail_tmp_t, sendmail_tmp_t)
+@@ -58,33 +48,21 @@ files_pid_filetrans(sendmail_t, sendmail_var_run_t, file)
+
+ kernel_read_network_state(sendmail_t)
+ kernel_read_kernel_sysctls(sendmail_t)
++# for piping mail to a command
kernel_read_system_state(sendmail_t)
-corenet_all_recvfrom_unlabeled(sendmail_t)
corenet_all_recvfrom_netlabel(sendmail_t)
corenet_tcp_sendrecv_generic_if(sendmail_t)
corenet_tcp_sendrecv_generic_node(sendmail_t)
-@@ -79,17 +77,18 @@ corecmd_exec_bin(sendmail_t)
+ corenet_tcp_sendrecv_all_ports(sendmail_t)
+ corenet_tcp_bind_generic_node(sendmail_t)
+-
+-corenet_sendrecv_smtp_server_packets(sendmail_t)
+ corenet_tcp_bind_smtp_port(sendmail_t)
+-
+-corenet_sendrecv_all_client_packets(sendmail_t)
+ corenet_tcp_connect_all_ports(sendmail_t)
++corenet_sendrecv_smtp_server_packets(sendmail_t)
++corenet_sendrecv_smtp_client_packets(sendmail_t)
+
+-corecmd_exec_bin(sendmail_t)
+-corecmd_exec_shell(sendmail_t)
+-
+-dev_read_sysfs(sendmail_t)
+ dev_read_urand(sendmail_t)
+-
+-domain_use_interactive_fds(sendmail_t)
+-
+-files_read_all_tmp_files(sendmail_t)
+-files_read_etc_runtime_files(sendmail_t)
+-files_read_usr_files(sendmail_t)
+-files_search_spool(sendmail_t)
++dev_read_sysfs(sendmail_t)
- domain_use_interactive_fds(sendmail_t)
+ fs_getattr_all_fs(sendmail_t)
+ fs_search_auto_mountpoints(sendmail_t)
+@@ -93,35 +71,50 @@ fs_rw_anon_inodefs_files(sendmail_t)
+ term_dontaudit_use_console(sendmail_t)
+ term_dontaudit_use_generic_ptys(sendmail_t)
--files_read_etc_files(sendmail_t)
- files_read_usr_files(sendmail_t)
- files_search_spool(sendmail_t)
- # for piping mail to a command
- files_read_etc_runtime_files(sendmail_t)
++# for piping mail to a command
++corecmd_exec_shell(sendmail_t)
++corecmd_exec_bin(sendmail_t)
++
++domain_use_interactive_fds(sendmail_t)
++
++files_read_usr_files(sendmail_t)
++files_search_spool(sendmail_t)
++# for piping mail to a command
++files_read_etc_runtime_files(sendmail_t)
+files_read_all_tmp_files(sendmail_t)
-
++
init_use_fds(sendmail_t)
init_use_script_ptys(sendmail_t)
- # sendmail wants to read /var/run/utmp if the controlling tty is /dev/console
++# sendmail wants to read /var/run/utmp if the controlling tty is /dev/console
init_read_utmp(sendmail_t)
init_dontaudit_write_utmp(sendmail_t)
-+init_rw_script_tmp_files(sendmail_t)
+ init_rw_script_tmp_files(sendmail_t)
auth_use_nsswitch(sendmail_t)
-@@ -100,10 +99,10 @@ logging_send_syslog_msg(sendmail_t)
++# Read /usr/lib/sasl2/.*
+ libs_read_lib_files(sendmail_t)
+
+ logging_send_syslog_msg(sendmail_t)
logging_dontaudit_write_generic_logs(sendmail_t)
miscfiles_read_generic_certs(sendmail_t)
-miscfiles_read_localization(sendmail_t)
userdom_dontaudit_use_unpriv_user_fds(sendmail_t)
--userdom_dontaudit_search_user_home_dirs(sendmail_t)
+userdom_read_user_home_content_files(sendmail_t)
+userdom_dontaudit_list_user_home_dirs(sendmail_t)
- mta_read_config(sendmail_t)
- mta_etc_filetrans_aliases(sendmail_t)
-@@ -115,6 +114,10 @@ mta_manage_spool(sendmail_t)
+-mta_etc_filetrans_aliases(sendmail_t, file, "aliases")
+-mta_etc_filetrans_aliases(sendmail_t, file, "aliases.db")
+-mta_etc_filetrans_aliases(sendmail_t, file, "aliasesdb-stamp")
++mta_read_config(sendmail_t)
++mta_etc_filetrans_aliases(sendmail_t)
++# Write to /etc/aliases and /etc/mail.
+ mta_manage_aliases(sendmail_t)
++# Write to /var/spool/mail and /var/spool/mqueue.
+ mta_manage_queue(sendmail_t)
+ mta_manage_spool(sendmail_t)
+-mta_read_config(sendmail_t)
mta_sendmail_exec(sendmail_t)
optional_policy(`
+- cfengine_dontaudit_write_log_files(sendmail_t)
+ cfengine_dontaudit_write_log(sendmail_t)
-+')
-+
-+optional_policy(`
- cron_read_pipes(sendmail_t)
- ')
-
-@@ -128,7 +131,14 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ dovecot_write_inherited_tmp_files(sendmail_t)
-+')
-+
-+optional_policy(`
- exim_domtrans(sendmail_t)
-+ exim_manage_spool_files(sendmail_t)
-+ exim_manage_spool_dirs(sendmail_t)
-+ exim_read_log(sendmail_t)
')
optional_policy(`
-@@ -149,7 +159,14 @@ optional_policy(`
+@@ -166,6 +159,11 @@ optional_policy(`
')
optional_policy(`
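Review bot: In sendmail.te the upstream `userdom_dontaudit_search_user_home_dirs(sendmail_t)` is replaced by `userdom_read_user_home_content_files(sendmail_t)`, which lets the MTA daemon read every user_home_t file of every user rather than only what local delivery needs, and nothing in the hunk records why. Put the reason beside the rule (presumably ~/.forward handling, so `# read ~/.forward during local delivery`) and check whether a narrower home-directory interface already used by the mta module covers that case before granting all home content. The same hunk also turns upstream's append/create/setattr grant on sendmail_log_t into `manage_files_pattern(sendmail_t, sendmail_log_t, sendmail_log_t)`, adding write and unlink on the mail logs; that widening deserves the same one-line justification or a narrower grant.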
@@ -62033,13 +70833,10 @@ index 22dac1f..a536819 100644
+')
+
+optional_policy(`
-+ postfix_domtrans_postdrop(sendmail_t)
+ postfix_domtrans_postdrop(sendmail_t)
postfix_domtrans_master(sendmail_t)
-+ postfix_domtrans_postqueue(sendmail_t)
- postfix_read_config(sendmail_t)
- postfix_search_spool(sendmail_t)
- ')
-@@ -168,20 +185,13 @@ optional_policy(`
+ postfix_domtrans_postqueue(sendmail_t)
+@@ -187,21 +185,13 @@ optional_policy(`
')
optional_policy(`
@@ -62054,37 +70851,39 @@ index 22dac1f..a536819 100644
-########################################
-#
--# Unconfined sendmail local policy
--# Allow unconfined domain to run newalias and have transitions work
+-# Unconfined local policy
-#
-
optional_policy(`
-- mta_etc_filetrans_aliases(unconfined_sendmail_t)
+- mta_etc_filetrans_aliases(unconfined_sendmail_t, file, "aliases")
+- mta_etc_filetrans_aliases(unconfined_sendmail_t, file, "aliases.db")
+- mta_etc_filetrans_aliases(unconfined_sendmail_t, file, "aliasesdb-stamp")
- unconfined_domain(unconfined_sendmail_t)
+ uucp_domtrans_uux(sendmail_t)
')
diff --git a/sensord.fc b/sensord.fc
-new file mode 100644
-index 0000000..e1ef619
---- /dev/null
+index 8185d5a..719ac47 100644
+--- a/sensord.fc
+++ b/sensord.fc
-@@ -0,0 +1,5 @@
+@@ -1,3 +1,5 @@
+/lib/systemd/system/sensord.service -- gen_context(system_u:object_r:sensord_unit_file_t,s0)
+
-+/usr/sbin/sensord -- gen_context(system_u:object_r:sensord_exec_t,s0)
-+
-+/var/run/sensord\.pid -- gen_context(system_u:object_r:sensord_var_run_t,s0)
+ /etc/rc\.d/init\.d/sensord -- gen_context(system_u:object_r:sensord_initrc_exec_t,s0)
+
+ /usr/sbin/sensord -- gen_context(system_u:object_r:sensord_exec_t,s0)
diff --git a/sensord.if b/sensord.if
-new file mode 100644
-index 0000000..5eba5fd
---- /dev/null
+index d204752..5eba5fd 100644
+--- a/sensord.if
+++ b/sensord.if
-@@ -0,0 +1,75 @@
+@@ -1,35 +1,75 @@
+-## <summary>Sensor information logging daemon.</summary>
+
+## <summary>Sensor information logging daemon</summary>
-+
-+########################################
-+## <summary>
+
+ ########################################
+ ## <summary>
+-## All of the rules required to
+-## administrate an sensord environment.
+## Execute sensord in the sensord domain.
+## </summary>
+## <param name="domain">
@@ -62104,12 +70903,14 @@ index 0000000..5eba5fd
+########################################
+## <summary>
+## Execute sensord server in the sensord domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
+## Domain allowed to transition.
-+## </summary>
-+## </param>
+ ## </summary>
+ ## </param>
+-## <param name="role">
+#
+interface(`sensord_systemctl',`
+ gen_require(`
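Review bot: The summary added for sensord_systemctl, "Execute sensord server in the sensord domain.", with the parameter described as "Domain allowed to transition.", duplicates the sensord_domtrans summary directly above it and does not describe a systemctl interface; the interface body lies past the end of this hunk, but its name indicates it grants service control on the sensord unit rather than a domain transition. Reword it to `## Allow the specified domain to control the sensord service via systemctl.` and the parameter to `## Domain allowed access.`, adjusting if the body turns out to grant something else.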
@@ -62131,97 +70932,113 @@ index 0000000..5eba5fd
+## an sensord environment
+## </summary>
+## <param name="domain">
-+## <summary>
+ ## <summary>
+-## Role allowed access.
+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`sensord_admin',`
-+ gen_require(`
+ ## </summary>
+ ## </param>
+ ## <rolecap/>
+ #
+ interface(`sensord_admin',`
+ gen_require(`
+- type sensord_t, sensord_initrc_exec_t, sensord_var_run_t;
+ type sensord_t;
+ type sensord_unit_file_t;
-+ ')
-+
-+ allow $1 sensord_t:process { ptrace signal_perms };
-+ ps_process_pattern($1, sensord_t)
-+
+ ')
+
+ allow $1 sensord_t:process { ptrace signal_perms };
+ ps_process_pattern($1, sensord_t)
+
+- init_labeled_script_domtrans($1, sensord_initrc_exec_t)
+- domain_system_change_exemption($1)
+- role_transition $2 sensord_initrc_exec_t system_r;
+- allow $2 system_r;
+ sensord_systemctl($1)
+ admin_pattern($1, sensord_unit_file_t)
+ allow $1 sensord_unit_file_t:service all_service_perms;
-+
+
+- files_search_pids($1)
+- admin_pattern($1, sensord_var_run_t)
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
-+')
+ ')
diff --git a/sensord.te b/sensord.te
-new file mode 100644
-index 0000000..5e92ac9
---- /dev/null
+index 5e82fd6..fa352d8 100644
+--- a/sensord.te
+++ b/sensord.te
-@@ -0,0 +1,35 @@
-+policy_module(sensord, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type sensord_t;
-+type sensord_exec_t;
-+init_daemon_domain(sensord_t, sensord_exec_t)
-+
+@@ -9,6 +9,9 @@ type sensord_t;
+ type sensord_exec_t;
+ init_daemon_domain(sensord_t, sensord_exec_t)
+
+type sensord_unit_file_t;
+systemd_unit_file(sensord_unit_file_t)
+
-+type sensord_var_run_t;
-+files_pid_file(sensord_var_run_t)
-+
-+########################################
-+#
-+# sensord local policy
-+#
-+
-+allow sensord_t self:fifo_file rw_fifo_file_perms;
-+allow sensord_t self:unix_stream_socket create_stream_socket_perms;
-+
-+manage_files_pattern(sensord_t, sensord_var_run_t, sensord_var_run_t)
-+files_pid_filetrans(sensord_t, sensord_var_run_t, { file })
-+
-+domain_use_interactive_fds(sensord_t)
-+
-+dev_read_sysfs(sensord_t)
-+
-+files_read_etc_files(sensord_t)
-+
-+logging_send_syslog_msg(sensord_t)
+ type sensord_initrc_exec_t;
+ init_script_file(sensord_initrc_exec_t)
+
+@@ -28,8 +31,5 @@ files_pid_filetrans(sensord_t, sensord_var_run_t, file)
+
+ dev_read_sysfs(sensord_t)
+
+-files_read_etc_files(sensord_t)
+-
+ logging_send_syslog_msg(sensord_t)
+
+-miscfiles_read_localization(sensord_t)
+diff --git a/setroubleshoot.fc b/setroubleshoot.fc
+index 0b3a971..397a522 100644
+--- a/setroubleshoot.fc
++++ b/setroubleshoot.fc
+@@ -1,9 +1,9 @@
+ /usr/sbin/setroubleshootd -- gen_context(system_u:object_r:setroubleshootd_exec_t,s0)
+
+-/usr/share/setroubleshoot/SetroubleshootFixit\.py* -- gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0)
++/usr/share/setroubleshoot/SetroubleshootFixit\.py* -- gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0)
+
+-/var/run/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_run_t,s0)
++/var/run/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_run_t,s0)
+
+-/var/log/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_log_t,s0)
++/var/log/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_log_t,s0)
+
+-/var/lib/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_lib_t,s0)
++/var/lib/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_lib_t,s0)
diff --git a/setroubleshoot.if b/setroubleshoot.if
-index bcdd16c..039b0c8 100644
+index 3a9a70b..039b0c8 100644
--- a/setroubleshoot.if
+++ b/setroubleshoot.if
-@@ -2,7 +2,7 @@
+@@ -1,9 +1,8 @@
+-## <summary>SELinux troubleshooting service.</summary>
++## <summary>SELinux troubleshooting service</summary>
########################################
## <summary>
--## Connect to setroubleshootd over an unix stream socket.
+-## Connect to setroubleshootd with a
+-## unix domain stream socket.
+## Connect to setroubleshootd over a unix stream socket.
## </summary>
## <param name="domain">
## <summary>
-@@ -23,7 +23,7 @@ interface(`setroubleshoot_stream_connect',`
+@@ -23,9 +22,8 @@ interface(`setroubleshoot_stream_connect',`
+
########################################
## <summary>
- ## Dontaudit attempts to connect to setroubleshootd
--## over an unix stream socket.
+-## Do not audit attempts to connect to
+-## setroubleshootd with a unix
+-## domain stream socket.
++## Dontaudit attempts to connect to setroubleshootd
+## over a unix stream socket.
## </summary>
## <param name="domain">
## <summary>
-@@ -105,6 +105,25 @@ interface(`setroubleshoot_dbus_chat_fixit',`
+@@ -107,8 +105,27 @@ interface(`setroubleshoot_dbus_chat_fixit',`
########################################
## <summary>
+-## All of the rules required to
+-## administrate an setroubleshoot environment.
+## Dontaudit read/write to a setroubleshoot leaked sockets.
+## </summary>
+## <param name="domain">
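Review bot: sensord_admin on the new side still grants `allow $1 sensord_t:process { ptrace signal_perms };` unconditionally, while setroubleshoot_admin later in this same patch moves the ptrace permission behind the `deny_ptrace` tunable; an admin role thus keeps ptrace on sensord_t even when the system-wide boolean is meant to turn it off. The same block also drops `admin_pattern($1, sensord_var_run_t)` although sensord.te below keeps `files_pid_filetrans(sensord_t, sensord_var_run_t, file)`, so the admin can no longer clean up a stale pid file; if that is intended it deserves a comment. I would split the process rule and gate ptrace the way setroubleshoot_admin does.
```selinux
interface(`sensord_admin',`
	# … unchanged: gen_require block …

	allow $1 sensord_t:process signal_perms;
	ps_process_pattern($1, sensord_t)

	# Honour the deny_ptrace boolean, as setroubleshoot_admin does.
	tunable_policy(`deny_ptrace',`',`
		allow $1 sensord_t:process ptrace;
	')

	# … unchanged: systemctl, unit file and passwd agent rules …
')
```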
@@ -62241,197 +71058,235 @@ index bcdd16c..039b0c8 100644
+
+########################################
+## <summary>
- ## All of the rules required to administrate
- ## an setroubleshoot environment
++## All of the rules required to administrate
++## an setroubleshoot environment
## </summary>
-@@ -117,15 +136,18 @@ interface(`setroubleshoot_dbus_chat_fixit',`
+ ## <param name="domain">
+ ## <summary>
+@@ -119,12 +136,15 @@ interface(`setroubleshoot_dbus_chat_fixit',`
#
interface(`setroubleshoot_admin',`
gen_require(`
-- type setroubleshootd_t, setroubleshoot_log_t;
+- type setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_fixit_t;
- type setroubleshoot_var_lib_t, setroubleshoot_var_run_t;
+ type setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_run_t;
+ type setroubleshoot_var_lib_t;
')
-- allow $1 setroubleshootd_t:process { ptrace signal_perms };
+- allow $1 { setroubleshoot_fixit_t setroubleshootd_t }:process { ptrace signal_perms };
+- ps_process_pattern($1, { setroubleshootd_t setroubleshoot_fixit_t })
+ allow $1 setroubleshootd_t:process signal_perms;
- ps_process_pattern($1, setroubleshootd_t)
++ ps_process_pattern($1, setroubleshootd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 setroubleshootd_t:process ptrace;
+ ')
logging_list_logs($1)
-- admin_pattern($1, setroubleshoot_log_t)
-+ admin_pattern($1, setroubleshoot_var_log_t)
-
- files_list_var_lib($1)
- admin_pattern($1, setroubleshoot_var_lib_t)
+ admin_pattern($1, setroubleshoot_var_log_t)
diff --git a/setroubleshoot.te b/setroubleshoot.te
-index 086cd5f..ab3ba4d 100644
+index 49b12ae..ab3ba4d 100644
--- a/setroubleshoot.te
+++ b/setroubleshoot.te
-@@ -12,7 +12,7 @@ init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t)
+@@ -1,4 +1,4 @@
+-policy_module(setroubleshoot, 1.11.2)
++policy_module(setroubleshoot, 1.11.0)
+
+ ########################################
+ #
+@@ -7,43 +7,50 @@ policy_module(setroubleshoot, 1.11.2)
+
+ type setroubleshootd_t alias setroubleshoot_t;
+ type setroubleshootd_exec_t;
+-init_system_domain(setroubleshootd_t, setroubleshootd_exec_t)
++domain_type(setroubleshootd_t)
++init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t)
type setroubleshoot_fixit_t;
type setroubleshoot_fixit_exec_t;
--dbus_system_domain(setroubleshoot_fixit_t, setroubleshoot_fixit_exec_t)
+-init_system_domain(setroubleshoot_fixit_t, setroubleshoot_fixit_exec_t)
+init_daemon_domain(setroubleshoot_fixit_t, setroubleshoot_fixit_exec_t)
type setroubleshoot_var_lib_t;
files_type(setroubleshoot_var_lib_t)
-@@ -30,8 +30,10 @@ files_pid_file(setroubleshoot_var_run_t)
- # setroubleshootd local policy
+
++# log files
+ type setroubleshoot_var_log_t;
+ logging_log_file(setroubleshoot_var_log_t)
+
++# pid files
+ type setroubleshoot_var_run_t;
+ files_pid_file(setroubleshoot_var_run_t)
+
+ ########################################
+ #
+-# Local policy
++# setroubleshootd local policy
#
--allow setroubleshootd_t self:capability { dac_override sys_nice sys_tty_config };
-+allow setroubleshootd_t self:capability { dac_override sys_nice sys_ptrace sys_tty_config };
- allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal };
+ allow setroubleshootd_t self:capability { dac_override sys_nice sys_ptrace sys_tty_config };
+-allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal execmem execstack };
++allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal };
+# if bad library causes setroubleshoot to require these, we want to give it so setroubleshoot can continue to run
+allow setroubleshootd_t self:process { execmem execstack };
allow setroubleshootd_t self:fifo_file rw_fifo_file_perms;
- allow setroubleshootd_t self:tcp_socket create_stream_socket_perms;
- allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto };
-@@ -49,19 +51,23 @@ manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setrouble
+-allow setroubleshootd_t self:tcp_socket { accept listen };
+-allow setroubleshootd_t self:unix_stream_socket { accept connectto listen };
++allow setroubleshootd_t self:tcp_socket create_stream_socket_perms;
++allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto };
++allow setroubleshootd_t self:unix_dgram_socket create_socket_perms;
+
+-allow setroubleshootd_t setroubleshoot_var_lib_t:dir setattr_dir_perms;
++# database files
++allow setroubleshootd_t setroubleshoot_var_lib_t:dir setattr;
+ manage_files_pattern(setroubleshootd_t, setroubleshoot_var_lib_t, setroubleshoot_var_lib_t)
+ files_var_lib_filetrans(setroubleshootd_t, setroubleshoot_var_lib_t, { file dir })
+
+-allow setroubleshootd_t setroubleshoot_var_log_t:dir setattr_dir_perms;
+-append_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_log_t)
+-create_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_log_t)
+-setattr_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_log_t)
++# log files
++allow setroubleshootd_t setroubleshoot_var_log_t:dir setattr;
++manage_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_log_t)
+ manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_log_t)
logging_log_filetrans(setroubleshootd_t, setroubleshoot_var_log_t, { file dir })
- # pid file
-+manage_dirs_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t)
++# pid file
+ manage_dirs_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t)
manage_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t)
manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t)
--files_pid_filetrans(setroubleshootd_t, setroubleshoot_var_run_t, { file sock_file })
-+files_pid_filetrans(setroubleshootd_t, setroubleshoot_var_run_t, { file sock_file dir })
-
- kernel_read_kernel_sysctls(setroubleshootd_t)
- kernel_read_system_state(setroubleshootd_t)
- kernel_read_net_sysctls(setroubleshootd_t)
- kernel_read_network_state(setroubleshootd_t)
-+kernel_dontaudit_list_all_proc(setroubleshootd_t)
-+kernel_read_irq_sysctls(setroubleshootd_t)
-+kernel_read_unlabeled_state(setroubleshootd_t)
-
- corecmd_exec_bin(setroubleshootd_t)
+@@ -61,14 +68,13 @@ corecmd_exec_bin(setroubleshootd_t)
corecmd_exec_shell(setroubleshootd_t)
-+corecmd_read_all_executables(setroubleshootd_t)
+ corecmd_read_all_executables(setroubleshootd_t)
-corenet_all_recvfrom_unlabeled(setroubleshootd_t)
corenet_all_recvfrom_netlabel(setroubleshootd_t)
corenet_tcp_sendrecv_generic_if(setroubleshootd_t)
corenet_tcp_sendrecv_generic_node(setroubleshootd_t)
-@@ -74,17 +80,18 @@ dev_read_urand(setroubleshootd_t)
+-
+-corenet_sendrecv_smtp_client_packets(setroubleshootd_t)
++corenet_tcp_sendrecv_all_ports(setroubleshootd_t)
++corenet_tcp_bind_generic_node(setroubleshootd_t)
+ corenet_tcp_connect_smtp_port(setroubleshootd_t)
+-corenet_tcp_sendrecv_smtp_port(setroubleshootd_t)
++corenet_sendrecv_smtp_client_packets(setroubleshootd_t)
+
+ dev_read_urand(setroubleshootd_t)
dev_read_sysfs(setroubleshootd_t)
- dev_getattr_all_blk_files(setroubleshootd_t)
- dev_getattr_all_chr_files(setroubleshootd_t)
-+dev_getattr_mtrr_dev(setroubleshootd_t)
-
- domain_dontaudit_search_all_domains_state(setroubleshootd_t)
- domain_signull_all_domains(setroubleshootd_t)
-
- files_read_usr_files(setroubleshootd_t)
--files_read_etc_files(setroubleshootd_t)
- files_list_all(setroubleshootd_t)
- files_getattr_all_files(setroubleshootd_t)
- files_getattr_all_pipes(setroubleshootd_t)
- files_getattr_all_sockets(setroubleshootd_t)
- files_read_all_symlinks(setroubleshootd_t)
-+files_read_mnt_files(setroubleshootd_t)
-
- fs_getattr_all_dirs(setroubleshootd_t)
- fs_getattr_all_files(setroubleshootd_t)
-@@ -95,6 +102,7 @@ fs_dontaudit_read_cifs_files(setroubleshootd_t)
-
- selinux_get_enforce_mode(setroubleshootd_t)
- selinux_validate_context(setroubleshootd_t)
-+selinux_read_policy(setroubleshootd_t)
-
- term_dontaudit_use_all_ptys(setroubleshootd_t)
- term_dontaudit_use_all_ttys(setroubleshootd_t)
-@@ -104,15 +112,15 @@ auth_use_nsswitch(setroubleshootd_t)
- init_read_utmp(setroubleshootd_t)
- init_dontaudit_write_utmp(setroubleshootd_t)
+@@ -108,13 +114,13 @@ init_dontaudit_write_utmp(setroubleshootd_t)
--miscfiles_read_localization(setroubleshootd_t)
-+libs_exec_ld_so(setroubleshootd_t)
-+
+ libs_exec_ld_so(setroubleshootd_t)
++
locallogin_dontaudit_use_fds(setroubleshootd_t)
logging_send_audit_msgs(setroubleshootd_t)
logging_send_syslog_msg(setroubleshootd_t)
logging_stream_connect_dispatcher(setroubleshootd_t)
-
--modutils_read_module_config(setroubleshootd_t)
+-miscfiles_read_localization(setroubleshootd_t)
+logging_stream_connect_syslog(setroubleshootd_t)
seutil_read_config(setroubleshootd_t)
seutil_read_file_contexts(setroubleshootd_t)
-@@ -121,10 +129,27 @@ seutil_read_bin_policy(setroubleshootd_t)
+@@ -123,11 +129,7 @@ seutil_read_bin_policy(setroubleshootd_t)
userdom_dontaudit_read_user_home_content_files(setroubleshootd_t)
optional_policy(`
+- dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t)
+-
+- optional_policy(`
+- abrt_dbus_chat(setroubleshootd_t)
+- ')
+ abrt_dbus_chat(setroubleshootd_t)
-+')
-+
-+optional_policy(`
-+ locate_read_lib_files(setroubleshootd_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+@@ -135,10 +137,18 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+ mock_getattr_lib(setroubleshootd_t)
+')
+
+optional_policy(`
-+ modutils_read_module_config(setroubleshootd_t)
-+')
-+
-+optional_policy(`
- dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t)
+ modutils_read_module_config(setroubleshootd_t)
')
optional_policy(`
-+ rpm_exec(setroubleshootd_t)
++ dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t)
++')
++
++optional_policy(`
+ rpm_exec(setroubleshootd_t)
rpm_signull(setroubleshootd_t)
rpm_read_db(setroubleshootd_t)
- rpm_dontaudit_manage_db(setroubleshootd_t)
-@@ -150,11 +175,16 @@ kernel_read_system_state(setroubleshoot_fixit_t)
+@@ -148,15 +158,17 @@ optional_policy(`
+
+ ########################################
+ #
+-# Fixit local policy
++# setroubleshoot_fixit local policy
+ #
+
+ allow setroubleshoot_fixit_t self:capability sys_nice;
+ allow setroubleshoot_fixit_t self:process { setsched getsched };
+ allow setroubleshoot_fixit_t self:fifo_file rw_fifo_file_perms;
++allow setroubleshoot_fixit_t self:unix_dgram_socket create_socket_perms;
+
+ allow setroubleshoot_fixit_t setroubleshootd_t:process signull;
+
++setroubleshoot_dbus_chat(setroubleshoot_fixit_t)
+ setroubleshoot_stream_connect(setroubleshoot_fixit_t)
- corecmd_exec_bin(setroubleshoot_fixit_t)
+ kernel_read_system_state(setroubleshoot_fixit_t)
+@@ -165,7 +177,12 @@ corecmd_exec_bin(setroubleshoot_fixit_t)
corecmd_exec_shell(setroubleshoot_fixit_t)
-+corecmd_getattr_all_executables(setroubleshoot_fixit_t)
-+
+ corecmd_getattr_all_executables(setroubleshoot_fixit_t)
+
+dev_read_sysfs(setroubleshoot_fixit_t)
+dev_read_urand(setroubleshoot_fixit_t)
-
++
seutil_domtrans_setfiles(setroubleshoot_fixit_t)
+seutil_domtrans_setsebool(setroubleshoot_fixit_t)
+seutil_read_module_store(setroubleshoot_fixit_t)
files_read_usr_files(setroubleshoot_fixit_t)
--files_read_etc_files(setroubleshoot_fixit_t)
files_list_tmp(setroubleshoot_fixit_t)
-
- auth_use_nsswitch(setroubleshoot_fixit_t)
-@@ -162,9 +192,19 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
+@@ -175,23 +192,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
logging_send_audit_msgs(setroubleshoot_fixit_t)
logging_send_syslog_msg(setroubleshoot_fixit_t)
-miscfiles_read_localization(setroubleshoot_fixit_t)
+-
+-userdom_read_all_users_state(setroubleshoot_fixit_t)
+userdom_dontaudit_search_admin_dir(setroubleshoot_fixit_t)
-+userdom_signull_unpriv_users(setroubleshoot_fixit_t)
-+
-+optional_policy(`
-+ dbus_system_domain(setroubleshoot_fixit_t, setroubleshoot_fixit_exec_t)
+ userdom_signull_unpriv_users(setroubleshoot_fixit_t)
+
+ optional_policy(`
+ dbus_system_domain(setroubleshoot_fixit_t, setroubleshoot_fixit_exec_t)
+- setroubleshoot_dbus_chat(setroubleshoot_fixit_t)
+')
-+
+
+- optional_policy(`
+- policykit_dbus_chat(setroubleshoot_fixit_t)
+- ')
+optional_policy(`
+ gnome_dontaudit_search_config(setroubleshoot_fixit_t)
-+')
+ ')
optional_policy(`
+ rpm_exec(setroubleshoot_fixit_t)
rpm_signull(setroubleshoot_fixit_t)
rpm_read_db(setroubleshoot_fixit_t)
rpm_dontaudit_manage_db(setroubleshoot_fixit_t)
+ rpm_use_script_fds(setroubleshoot_fixit_t)
+ ')
++
++optional_policy(`
++ policykit_dbus_chat(setroubleshoot_fixit_t)
++ userdom_read_all_users_state(setroubleshoot_fixit_t)
++')
diff --git a/sge.fc b/sge.fc
new file mode 100644
index 0000000..160ddc2
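Review bot: `corenet_tcp_sendrecv_all_ports(setroubleshootd_t)` and `corenet_tcp_bind_generic_node(setroubleshootd_t)` on the new side of setroubleshoot.te replace upstream's SMTP-only `corenet_tcp_sendrecv_smtp_port`, so a root daemon that already holds `dac_override`, `sys_ptrace` and `execmem execstack` may now exchange TCP traffic on every port and bind a listening socket (`create_stream_socket_perms` replaces upstream's `{ accept listen }` a few lines earlier). The only network use visible in the hunk is the retained `corenet_tcp_connect_smtp_port` for mail alerts, so unless setroubleshootd is known to listen I would keep `corenet_tcp_sendrecv_smtp_port(setroubleshootd_t)` and drop the all-ports and bind lines. Separately, `userdom_read_all_users_state(setroubleshoot_fixit_t)` is now nested inside the policykit `optional_policy` block at the end of the hunk; it is not a policykit rule and silently disappears on a build without that module, so it belongs at top level next to `userdom_signull_unpriv_users`. The module version also goes from upstream's 1.11.2 to 1.11.0, which makes the patched module look older than the one it replaces.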
@@ -62673,31 +71528,46 @@ index 0000000..d43336f
+optional_policy(`
+ nslcd_stream_connect(sge_domain)
+')
-diff --git a/shorewall.fc b/shorewall.fc
-index 48d1363..4a5b930 100644
---- a/shorewall.fc
-+++ b/shorewall.fc
-@@ -7,6 +7,9 @@
- /sbin/shorewall6? -- gen_context(system_u:object_r:shorewall_exec_t,s0)
- /sbin/shorewall-lite -- gen_context(system_u:object_r:shorewall_exec_t,s0)
-
-+/usr/sbin/shorewall6? -- gen_context(system_u:object_r:shorewall_exec_t,s0)
-+/usr/sbin/shorewall-lite -- gen_context(system_u:object_r:shorewall_exec_t,s0)
-+
- /var/lib/shorewall(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0)
- /var/lib/shorewall6(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0)
- /var/lib/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0)
diff --git a/shorewall.if b/shorewall.if
-index 781ad7e..d5ce40a 100644
+index 1aeef8a..d5ce40a 100644
--- a/shorewall.if
+++ b/shorewall.if
-@@ -55,28 +55,9 @@ interface(`shorewall_read_config',`
+@@ -1,4 +1,4 @@
+-## <summary>Shoreline Firewall high-level tool for configuring netfilter.</summary>
++## <summary>Shoreline Firewall high-level tool for configuring netfilter</summary>
+
+ ########################################
+ ## <summary>
+@@ -15,7 +15,6 @@ interface(`shorewall_domtrans',`
+ type shorewall_t, shorewall_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+ domtrans_pattern($1, shorewall_exec_t, shorewall_t)
+ ')
+
+@@ -34,13 +33,12 @@ interface(`shorewall_lib_domtrans',`
+ type shorewall_t, shorewall_var_lib_t;
+ ')
+
+- files_search_var_lib($1)
+ domtrans_pattern($1, shorewall_var_lib_t, shorewall_t)
+ ')
+
+ #######################################
+ ## <summary>
+-## Read shorewall configuration files.
++## Read shorewall etc configuration files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -57,47 +55,9 @@ interface(`shorewall_read_config',`
read_files_pattern($1, shorewall_etc_t, shorewall_etc_t)
')
-#######################################
-## <summary>
--## Read shorewall PID files.
+-## Read shorewall pid files.
-## </summary>
-## <param name="domain">
-## <summary>
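Review bot: shorewall_domtrans on the new side drops `corecmd_search_bin($1)` before its `domtrans_pattern`, and shorewall_lib_domtrans likewise drops `files_search_var_lib($1)`; a caller domain that does not already hold search on bin_t or var_lib_t would then fail to reach the executable, and those two lines are what made the interfaces self-contained. shutdown_domtrans later in this same patch keeps its `corecmd_search_bin($1)`, so the removal is also inconsistent within the patch. Unless the Fedora base policy is known to grant those search permissions to every domain, I would restore `corecmd_search_bin($1)` and `files_search_var_lib($1)`.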
@@ -62715,17 +71585,15 @@ index 781ad7e..d5ce40a 100644
-')
-
-#######################################
-+######################################
- ## <summary>
--## Read and write shorewall PID files.
-+## Read shorewall /var/lib files.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -84,28 +65,9 @@ interface(`shorewall_read_pid_files',`
- ## </summary>
- ## </param>
- #
+-## <summary>
+-## Read and write shorewall pid files.
+-## </summary>
+-## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+-## </param>
+-#
-interface(`shorewall_rw_pid_files',`
- gen_require(`
- type shorewall_var_run_t;
@@ -62735,24 +71603,94 @@ index 781ad7e..d5ce40a 100644
- rw_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t)
-')
-
--######################################
--## <summary>
--## Read shorewall /var/lib files.
--## </summary>
--## <param name="domain">
--## <summary>
--## Domain allowed access.
--## </summary>
--## </param>
--#
+ ######################################
+ ## <summary>
+-## Read shorewall lib files.
++## Read shorewall /var/lib files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -106,36 +66,38 @@ interface(`shorewall_rw_pid_files',`
+ ## </param>
+ #
interface(`shorewall_read_lib_files',`
- gen_require(`
-- type shorewall_t;
-+ type shorewall_var_lib_t;
- ')
+- gen_require(`
++ gen_require(`
+ type shorewall_var_lib_t;
+- ')
++ ')
+
+- files_search_var_lib($1)
+- read_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
++ files_search_var_lib($1)
++ search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
++ read_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
+ ')
+
+ #######################################
+ ## <summary>
+-## Read and write shorewall lib files.
++## Read and write shorewall /var/lib files.
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
++## <summary>
++## Domain allowed access.
++## </summary>
+ ## </param>
+ #
+ interface(`shorewall_rw_lib_files',`
+- gen_require(`
+- type shorewall_var_lib_t;
+- ')
++ gen_require(`
++ type shorewall_var_lib_t;
++ ')
+
+- files_search_var_lib($1)
+- rw_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
++ files_search_var_lib($1)
++ search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
++ rw_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
+ ')
+
+ #######################################
+ ## <summary>
+-## Read shorewall temporary files.
++## Read shorewall tmp files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -154,8 +116,8 @@ interface(`shorewall_read_tmp_files',`
- files_search_var_lib($1)
-@@ -177,8 +139,11 @@ interface(`shorewall_admin',`
+ #######################################
+ ## <summary>
+-## All of the rules required to
+-## administrate an shorewall environment.
++## All of the rules required to administrate
++## an shorewall environment
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -164,28 +126,30 @@ interface(`shorewall_read_tmp_files',`
+ ## </param>
+ ## <param name="role">
+ ## <summary>
+-## Role allowed access.
++## The role to be allowed to manage the syslog domain.
+ ## </summary>
+ ## </param>
+ ## <rolecap/>
+ #
+ interface(`shorewall_admin',`
+ gen_require(`
+- type shorewall_t, shorewall_lock_t, shorewall_log_t;
+- type shorewall_exec_t, shorewall_initrc_exec_t, shorewall_var_lib_t;
++ type shorewall_t, shorewall_lock_t;
++ type shorewall_log_t;
++ type shorewall_initrc_exec_t, shorewall_var_lib_t;
type shorewall_tmp_t, shorewall_etc_t;
')
@@ -62765,23 +71703,19 @@ index 781ad7e..d5ce40a 100644
init_labeled_script_domtrans($1, shorewall_initrc_exec_t)
domain_system_change_exemption($1)
+ role_transition $2 shorewall_initrc_exec_t system_r;
+ allow $2 system_r;
+
+- can_exec($1, shorewall_exec_t)
+-
+ files_list_etc($1)
+ admin_pattern($1, shorewall_etc_t)
+
diff --git a/shorewall.te b/shorewall.te
-index 4723c6b..c55fcaa 100644
+index ca03de6..bcf990d 100644
--- a/shorewall.te
+++ b/shorewall.te
-@@ -37,9 +37,10 @@ logging_log_file(shorewall_log_t)
- # shorewall local policy
- #
-
--allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice sys_ptrace };
-+allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice };
- dontaudit shorewall_t self:capability sys_tty_config;
- allow shorewall_t self:fifo_file rw_fifo_file_perms;
-+allow shorewall_t self:netlink_socket create_socket_perms;
-
- read_files_pattern(shorewall_t, shorewall_etc_t, shorewall_etc_t)
- list_dirs_pattern(shorewall_t, shorewall_etc_t, shorewall_etc_t)
-@@ -59,6 +60,9 @@ exec_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
+@@ -57,6 +57,9 @@ exec_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
manage_dirs_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
manage_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
files_var_lib_filetrans(shorewall_t, shorewall_var_lib_t, { dir file })
@@ -62791,25 +71725,8 @@ index 4723c6b..c55fcaa 100644
allow shorewall_t shorewall_initrc_exec_t:file read_file_perms;
-@@ -70,12 +74,12 @@ kernel_rw_net_sysctls(shorewall_t)
- corecmd_exec_bin(shorewall_t)
- corecmd_exec_shell(shorewall_t)
-
-+dev_read_sysfs(shorewall_t)
- dev_read_urand(shorewall_t)
-
- domain_read_all_domains_state(shorewall_t)
-
- files_getattr_kernel_modules(shorewall_t)
--files_read_etc_files(shorewall_t)
- files_read_usr_files(shorewall_t)
- files_search_kernel_modules(shorewall_t)
-
-@@ -83,13 +87,20 @@ fs_getattr_all_fs(shorewall_t)
-
- init_rw_utmp(shorewall_t)
-
-+logging_read_generic_logs(shorewall_t)
+@@ -86,12 +89,13 @@ init_rw_utmp(shorewall_t)
+ logging_read_generic_logs(shorewall_t)
logging_send_syslog_msg(shorewall_t)
-miscfiles_read_localization(shorewall_t)
@@ -62818,41 +71735,64 @@ index 4723c6b..c55fcaa 100644
sysnet_domtrans_ifconfig(shorewall_t)
-userdom_dontaudit_list_user_home_dirs(shorewall_t)
+-userdom_use_user_terminals(shorewall_t)
+userdom_dontaudit_list_admin_dir(shorewall_t)
+userdom_use_inherited_user_ttys(shorewall_t)
+userdom_use_inherited_user_ptys(shorewall_t)
-+
-+optional_policy(`
-+ brctl_domtrans(shorewall_t)
-+')
optional_policy(`
- hostname_exec(shorewall_t)
+ brctl_domtrans(shorewall_t)
diff --git a/shutdown.fc b/shutdown.fc
-index 97671a3..e317fbe 100644
+index a91f33b..631dbc1 100644
--- a/shutdown.fc
+++ b/shutdown.fc
-@@ -2,6 +2,10 @@
-
- /lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
+@@ -8,4 +8,4 @@
--/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
-+/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
+ /usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
-/var/run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0)
-+/usr/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
-+
-+/usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
-+
+/var/run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0)
diff --git a/shutdown.if b/shutdown.if
-index d0604cf..b66057c 100644
+index d1706bf..aa97fad 100644
--- a/shutdown.if
+++ b/shutdown.if
-@@ -18,9 +18,18 @@ interface(`shutdown_domtrans',`
+@@ -1,30 +1,4 @@
+-## <summary>System shutdown command.</summary>
+-
+-########################################
+-## <summary>
+-## Role access for shutdown.
+-## </summary>
+-## <param name="role">
+-## <summary>
+-## Role allowed access.
+-## </summary>
+-## </param>
+-## <param name="domain">
+-## <summary>
+-## User domain for the role.
+-## </summary>
+-## </param>
+-#
+-interface(`shutdown_role',`
+- gen_require(`
+- type shutdown_t;
+- ')
+-
+- shutdown_run($2, $1)
+-
+- allow $2 shutdown_t:process { ptrace signal_perms };
+- ps_process_pattern($2, shutdown_t)
+-')
++## <summary>System shutdown command</summary>
+
+ ########################################
+ ## <summary>
+@@ -43,13 +17,26 @@ interface(`shutdown_domtrans',`
+
corecmd_search_bin($1)
domtrans_pattern($1, shutdown_exec_t, shutdown_t)
-
++
+ init_reboot($1)
+ init_halt($1)
+
@@ -62863,17 +71803,38 @@ index d0604cf..b66057c 100644
+ systemd_login_halt($1)
+ ')
+
- ifdef(`hide_broken_symptoms', `
-- dontaudit shutdown_t $1:socket_class_set { read write };
-- dontaudit shutdown_t $1:fifo_file { read write };
++ ifdef(`hide_broken_symptoms', `
+ dontaudit shutdown_t $1:fifo_file rw_inherited_fifo_file_perms;
- ')
++ ')
')
-@@ -51,6 +60,73 @@ interface(`shutdown_run',`
+ ########################################
+ ## <summary>
+-## Execute shutdown in the shutdown
+-## domain, and allow the specified role
+-## the shutdown domain.
++## Execute shutdown in the shutdown domain, and
++## allow the specified role the shutdown domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -64,16 +51,62 @@ interface(`shutdown_domtrans',`
+ #
+ interface(`shutdown_run',`
+ gen_require(`
++ type shutdown_t;
+ attribute_role shutdown_roles;
+ ')
+
+- shutdown_domtrans($1)
+- roleattribute $2 shutdown_roles;
++ shutdown_domtrans($1)
++ roleattribute $2 shutdown_roles;
+ ')
########################################
## <summary>
+-## Send generic signals to shutdown.
+## Role access for shutdown
+## </summary>
+## <param name="role">
@@ -62892,12 +71853,10 @@ index d0604cf..b66057c 100644
+ type shutdown_t;
+ ')
+
-+ role $1 types shutdown_t;
-+
-+ shutdown_domtrans($2)
++ shutdown_run($2, $1)
+
-+ ps_process_pattern($2, shutdown_t)
-+ allow $2 shutdown_t:process signal;
++ allow $2 shutdown_t:process { ptrace signal_perms };
++ ps_process_pattern($2, shutdown_t
+')
+
+########################################
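Review bot: `ps_process_pattern($2, shutdown_t` in the re-added shutdown_role is missing its closing parenthesis, so unless the character was lost in extraction the m4 expansion fails and the module does not build; it should read `ps_process_pattern($2, shutdown_t)`. The same block grants `allow $2 shutdown_t:process { ptrace signal_perms };` unconditionally, whereas setroubleshoot_admin earlier in this patch gates ptrace behind the `deny_ptrace` tunable; for consistency the ptrace permission could be moved into a `tunable_policy` block keyed on deny_ptrace, leaving `signal_perms` unconditional. The interface header is outside the hunk.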
@@ -62922,148 +71881,92 @@ index d0604cf..b66057c 100644
+## <summary>
+## Send and receive messages from
+## shutdown over dbus.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -81,17 +114,19 @@ interface(`shutdown_run',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`shutdown_signal',`
+interface(`shutdown_dbus_chat',`
-+ gen_require(`
-+ type shutdown_t;
+ gen_require(`
+ type shutdown_t;
+ class dbus send_msg;
-+ ')
-+
+ ')
+
+- allow shutdown_t $1:process signal;
+ allow $1 shutdown_t:dbus send_msg;
+ allow shutdown_t $1:dbus send_msg;
-+')
-+
-+########################################
-+## <summary>
- ## Get attributes of shutdown executable.
+ ')
+
+ ########################################
+ ## <summary>
+-## Get attributes of shutdown executable files.
++## Get attributes of shutdown executable.
## </summary>
## <param name="domain">
+ ## <summary>
diff --git a/shutdown.te b/shutdown.te
-index 8966ec9..2a52a13 100644
+index 7880d1f..8804935 100644
--- a/shutdown.te
+++ b/shutdown.te
-@@ -7,6 +7,7 @@ policy_module(shutdown, 1.1.0)
-
- type shutdown_t;
- type shutdown_exec_t;
-+init_system_domain(shutdown_t, shutdown_exec_t)
- application_domain(shutdown_t, shutdown_exec_t)
- role system_r types shutdown_t;
-
-@@ -21,8 +22,8 @@ files_pid_file(shutdown_var_run_t)
- # shutdown local policy
- #
-
--allow shutdown_t self:capability { dac_override kill setuid sys_tty_config };
--allow shutdown_t self:process { fork signal signull };
-+allow shutdown_t self:capability { dac_override kill setuid sys_nice sys_tty_config };
-+allow shutdown_t self:process { fork setsched signal signull };
+@@ -44,7 +44,7 @@ files_read_generic_pids(shutdown_t)
- allow shutdown_t self:fifo_file manage_fifo_file_perms;
- allow shutdown_t self:unix_stream_socket create_stream_socket_perms;
-@@ -33,25 +34,31 @@ files_etc_filetrans(shutdown_t, shutdown_etc_t, file)
- manage_files_pattern(shutdown_t, shutdown_var_run_t, shutdown_var_run_t)
- files_pid_filetrans(shutdown_t, shutdown_var_run_t, file)
-
-+kernel_read_system_state(shutdown_t)
-+
- domain_use_interactive_fds(shutdown_t)
-
--files_read_etc_files(shutdown_t)
- files_read_generic_pids(shutdown_t)
-+files_delete_boot_flag(shutdown_t)
-+
-+mls_file_write_to_clearance(shutdown_t)
+ mls_file_write_to_clearance(shutdown_t)
-term_use_all_terms(shutdown_t)
+term_use_all_inherited_terms(shutdown_t)
auth_use_nsswitch(shutdown_t)
auth_write_login_records(shutdown_t)
-
--init_dontaudit_write_utmp(shutdown_t)
--init_read_utmp(shutdown_t)
-+init_rw_utmp(shutdown_t)
- init_stream_connect(shutdown_t)
- init_telinit(shutdown_t)
-
+@@ -56,8 +56,6 @@ init_telinit(shutdown_t)
logging_search_logs(shutdown_t)
logging_send_audit_msgs(shutdown_t)
-miscfiles_read_localization(shutdown_t)
-+
-+optional_policy(`
-+ cron_system_entry(shutdown_t, shutdown_exec_t)
-+')
-
+-
optional_policy(`
- dbus_system_bus_client(shutdown_t)
-@@ -59,5 +66,15 @@ optional_policy(`
+ cron_system_entry(shutdown_t, shutdown_exec_t)
+ ')
+@@ -68,10 +66,15 @@ optional_policy(`
')
optional_policy(`
+- oddjob_dontaudit_rw_fifo_files(shutdown_t)
+- oddjob_sigchld(shutdown_t)
+ oddjob_dontaudit_rw_fifo_file(shutdown_t)
+ oddjob_sigchld(shutdown_t)
+')
+
+optional_policy(`
+ rhev_sigchld_agentd(shutdown_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
xserver_dontaudit_write_log(shutdown_t)
+ xserver_xdm_append_log(shutdown_t)
')
diff --git a/slocate.te b/slocate.te
-index a225c02..b76ed92 100644
+index ba26427..83d21aa 100644
--- a/slocate.te
+++ b/slocate.te
-@@ -43,7 +43,6 @@ files_getattr_all_files(locate_t)
- files_getattr_all_pipes(locate_t)
- files_getattr_all_sockets(locate_t)
- files_read_etc_runtime_files(locate_t)
--files_read_etc_files(locate_t)
-
- fs_getattr_all_fs(locate_t)
- fs_getattr_all_files(locate_t)
-@@ -58,7 +57,6 @@ fs_read_noxattr_fs_symlinks(locate_t)
- # getpwnam
+@@ -53,7 +53,6 @@ fs_read_noxattr_fs_symlinks(locate_t)
+
auth_use_nsswitch(locate_t)
-miscfiles_read_localization(locate_t)
ifdef(`enable_mls',`
- # On MLS machines will not be allowed to getattr Anything but SystemLow
-diff --git a/slpd.fc b/slpd.fc
-new file mode 100644
-index 0000000..5064a4a
---- /dev/null
-+++ b/slpd.fc
-@@ -0,0 +1,7 @@
-+/etc/rc\.d/init\.d/slpd -- gen_context(system_u:object_r:slpd_initrc_exec_t,s0)
-+
-+/usr/sbin/slpd -- gen_context(system_u:object_r:slpd_exec_t,s0)
-+
-+/var/log/slpd\.log -- gen_context(system_u:object_r:slpd_var_log_t,s0)
-+
-+/var/run/slpd\.pid -- gen_context(system_u:object_r:slpd_var_run_t,s0)
+ files_dontaudit_getattr_all_dirs(locate_t)
diff --git a/slpd.if b/slpd.if
-new file mode 100644
-index 0000000..75931f8
---- /dev/null
+index ca32e89..98278dd 100644
+--- a/slpd.if
+++ b/slpd.if
-@@ -0,0 +1,75 @@
-+
-+## <summary>OpenSLP server daemon to dynamically register services.</summary>
-+
-+########################################
-+## <summary>
+@@ -2,6 +2,43 @@
+
+ ########################################
+ ## <summary>
+## Transition to slpd.
+## </summary>
+## <param name="domain">
@@ -63101,99 +72004,45 @@ index 0000000..75931f8
+
+########################################
+## <summary>
-+## All of the rules required to administrate
-+## an slpd environment
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <param name="role">
-+## <summary>
-+## Role allowed access.
-+## </summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`slpd_admin',`
-+ gen_require(`
-+ type slpd_t;
-+ type slpd_initrc_exec_t;
-+ ')
-+
-+ allow $1 slpd_t:process { ptrace signal_perms };
-+ ps_process_pattern($1, slpd_t)
-+
+ ## All of the rules required to
+ ## administrate an slpd environment.
+ ## </summary>
+@@ -26,7 +63,7 @@ interface(`slpd_admin',`
+ allow $1 slpd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, slpd_t)
+
+- init_labeled_script_domtrans($1, slpd_initrc_exec_t)
+ slpd_initrc_domtrans($1)
-+ domain_system_change_exemption($1)
-+ role_transition $2 slpd_initrc_exec_t system_r;
-+ allow $2 system_r;
+ domain_system_change_exemption($1)
+ role_transition $2 slpd_initrc_exec_t system_r;
+ allow $2 system_r;
+@@ -36,4 +73,10 @@ interface(`slpd_admin',`
+
+ files_search_pids($1)
+ admin_pattern($1, slpd_var_run_t)
++
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
-+')
++
+ ')
diff --git a/slpd.te b/slpd.te
-new file mode 100644
-index 0000000..cd475d6
---- /dev/null
+index 66ac42a..f28fadc 100644
+--- a/slpd.te
+++ b/slpd.te
-@@ -0,0 +1,52 @@
-+policy_module(slpd, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type slpd_t;
-+type slpd_exec_t;
-+init_daemon_domain(slpd_t, slpd_exec_t)
-+
-+type slpd_initrc_exec_t;
-+init_script_file(slpd_initrc_exec_t)
-+
-+type slpd_var_log_t;
-+logging_log_file(slpd_var_log_t)
-+
-+type slpd_var_run_t;
-+files_pid_file(slpd_var_run_t)
-+
-+########################################
-+#
-+# slpd local policy
-+#
-+
-+allow slpd_t self:capability { kill setgid setuid };
-+allow slpd_t self:process { fork signal };
-+allow slpd_t self:fifo_file rw_fifo_file_perms;
-+allow slpd_t self:tcp_socket { create_socket_perms listen };
-+allow slpd_t self:unix_stream_socket create_stream_socket_perms;
-+
-+manage_files_pattern(slpd_t, slpd_var_log_t, slpd_var_log_t)
-+logging_log_filetrans(slpd_t, slpd_var_log_t, { file })
-+
-+manage_files_pattern(slpd_t, slpd_var_run_t, slpd_var_run_t)
-+files_pid_filetrans(slpd_t, slpd_var_run_t, { file })
-+
-+corenet_all_recvfrom_netlabel(slpd_t)
-+corenet_tcp_bind_generic_node(slpd_t)
-+corenet_udp_bind_generic_node(slpd_t)
-+corenet_tcp_bind_all_ports(slpd_t)
-+corenet_udp_bind_all_ports(slpd_t)
-+
+@@ -50,6 +50,8 @@ corenet_sendrecv_svrloc_server_packets(slpd_t)
+ corenet_tcp_bind_svrloc_port(slpd_t)
+ corenet_udp_bind_svrloc_port(slpd_t)
+
+dev_read_urand(slpd_t)
+
-+domain_use_interactive_fds(slpd_t)
-+
-+files_read_etc_files(slpd_t)
-+
-+auth_use_nsswitch(slpd_t)
-+
+ auth_use_nsswitch(slpd_t)
+
+-miscfiles_read_localization(slpd_t)
+sysnet_dns_name_resolve(slpd_t)
diff --git a/slrnpull.te b/slrnpull.te
-index e5e72fd..84936ca 100644
+index 5437237..d46f779 100644
--- a/slrnpull.te
+++ b/slrnpull.te
@@ -13,7 +13,7 @@ type slrnpull_var_run_t;
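Review bot: `sysnet_dns_name_resolve(slpd_t)` is added directly after `auth_use_nsswitch(slpd_t)`; in refpolicy `auth_use_nsswitch` already calls `sysnet_dns_name_resolve`, so the new line is redundant if that still holds for the base this patch targets and can be dropped. The `sysnet_read_config(snmpd_t)` re-added in the later snmp.te hunk (beside `auth_use_nsswitch(snmpd_t)`) has the same issue, since `sysnet_dns_name_resolve` in turn calls `sysnet_read_config`. If either line was added for a base where `auth_use_nsswitch` no longer pulls this in, a one-line comment saying so would stop the next rebase from removing it again.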
@@ -63215,108 +72064,85 @@ index e5e72fd..84936ca 100644
userdom_dontaudit_search_user_home_dirs(slrnpull_t)
diff --git a/smartmon.if b/smartmon.if
-index adea9f9..f5dd0fe 100644
+index e0644b5..ea347cc 100644
--- a/smartmon.if
+++ b/smartmon.if
-@@ -15,6 +15,7 @@ interface(`smartmon_read_tmp_files',`
- type fsdaemon_tmp_t;
+@@ -42,9 +42,13 @@ interface(`smartmon_admin',`
+ type fsdaemon_var_lib_t, fsdaemon_initrc_exec_t;
')
-+ files_search_tmp($1)
- allow $1 fsdaemon_tmp_t:file read_file_perms;
- ')
-
-@@ -41,8 +42,11 @@ interface(`smartmon_admin',`
- type fsdaemon_initrc_exec_t;
- ')
-
-- allow $1 fsdaemon_t:process { ptrace signal_perms getattr };
+- allow $1 fsdaemon_t:process { ptrace signal_perms };
+ allow $1 fsdaemon_t:process signal_perms;
ps_process_pattern($1, fsdaemon_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 fsdaemon_t:process ptrace;
+ ')
-
++
init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t)
domain_system_change_exemption($1)
+ role_transition $2 fsdaemon_initrc_exec_t system_r;
diff --git a/smartmon.te b/smartmon.te
-index 6b3322b..c955ccc 100644
+index 9ade9c5..48444ed 100644
--- a/smartmon.te
+++ b/smartmon.te
-@@ -1,4 +1,4 @@
--policy_module(smartmon, 1.11.0)
-+policy_module(smartmon, 1.14.0)
-
- ########################################
- #
-@@ -35,7 +35,7 @@ ifdef(`enable_mls',`
- # Local policy
- #
-
--allow fsdaemon_t self:capability { setpcap setgid sys_rawio sys_admin };
-+allow fsdaemon_t self:capability { dac_override kill setpcap setgid sys_rawio sys_admin };
- dontaudit fsdaemon_t self:capability sys_tty_config;
- allow fsdaemon_t self:process { getcap setcap signal_perms };
- allow fsdaemon_t self:fifo_file rw_fifo_file_perms;
-@@ -52,12 +52,12 @@ manage_files_pattern(fsdaemon_t, fsdaemon_var_run_t, fsdaemon_var_run_t)
- files_pid_filetrans(fsdaemon_t, fsdaemon_var_run_t, file)
-
- kernel_read_kernel_sysctls(fsdaemon_t)
-+kernel_read_network_state(fsdaemon_t)
- kernel_read_software_raid_state(fsdaemon_t)
- kernel_read_system_state(fsdaemon_t)
+@@ -60,6 +60,11 @@ kernel_read_system_state(fsdaemon_t)
corecmd_exec_all_executables(fsdaemon_t)
--corenet_all_recvfrom_unlabeled(fsdaemon_t)
- corenet_all_recvfrom_netlabel(fsdaemon_t)
- corenet_udp_sendrecv_generic_if(fsdaemon_t)
- corenet_udp_sendrecv_generic_node(fsdaemon_t)
-@@ -73,26 +73,36 @@ files_read_etc_runtime_files(fsdaemon_t)
- files_read_usr_files(fsdaemon_t)
- # for config
- files_read_etc_files(fsdaemon_t)
-+files_read_usr_files(fsdaemon_t)
++corenet_all_recvfrom_netlabel(fsdaemon_t)
++corenet_udp_sendrecv_generic_if(fsdaemon_t)
++corenet_udp_sendrecv_generic_node(fsdaemon_t)
++corenet_udp_sendrecv_all_ports(fsdaemon_t)
++
+ dev_read_sysfs(fsdaemon_t)
+ dev_read_urand(fsdaemon_t)
+
+@@ -72,9 +77,12 @@ files_read_usr_files(fsdaemon_t)
fs_getattr_all_fs(fsdaemon_t)
fs_search_auto_mountpoints(fsdaemon_t)
+fs_read_removable_files(fsdaemon_t)
mls_file_read_all_levels(fsdaemon_t)
- #mls_rangetrans_target(fsdaemon_t)
+storage_create_fixed_disk_dev(fsdaemon_t)
+storage_dev_filetrans_named_fixed_disk(fsdaemon_t)
storage_raw_read_fixed_disk(fsdaemon_t)
storage_raw_write_fixed_disk(fsdaemon_t)
storage_raw_read_removable_device(fsdaemon_t)
-+storage_read_scsi_generic(fsdaemon_t)
-+storage_write_scsi_generic(fsdaemon_t)
+@@ -85,6 +93,8 @@ term_dontaudit_search_ptys(fsdaemon_t)
- term_dontaudit_search_ptys(fsdaemon_t)
+ application_signull(fsdaemon_t)
-+application_signull(fsdaemon_t)
-+
+auth_read_passwd(fsdaemon_t)
+
-+init_read_utmp(fsdaemon_t)
-+
+ init_read_utmp(fsdaemon_t)
+
libs_exec_ld_so(fsdaemon_t)
- libs_exec_lib_files(fsdaemon_t)
+@@ -92,7 +102,7 @@ libs_exec_lib_files(fsdaemon_t)
logging_send_syslog_msg(fsdaemon_t)
-miscfiles_read_localization(fsdaemon_t)
--
- seutil_sigchld_newrole(fsdaemon_t)
++seutil_sigchld_newrole(fsdaemon_t)
sysnet_dns_name_resolve(fsdaemon_t)
+
+@@ -122,3 +132,7 @@ optional_policy(`
+ optional_policy(`
+ udev_read_db(fsdaemon_t)
+ ')
++
++optional_policy(`
++ virt_read_images(fsdaemon_t)
++')
diff --git a/smokeping.if b/smokeping.if
-index 8265278..017b923 100644
+index 1fa51c1..82e111c 100644
--- a/smokeping.if
+++ b/smokeping.if
-@@ -153,8 +153,11 @@ interface(`smokeping_admin',`
- type smokeping_t, smokeping_initrc_exec_t;
+@@ -158,8 +158,11 @@ interface(`smokeping_admin',`
+ type smokeping_var_run_t;
')
- allow $1 smokeping_t:process { ptrace signal_perms };
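Review bot: The smartmon.te additions `corenet_udp_sendrecv_generic_if`, `corenet_udp_sendrecv_generic_node` and `corenet_udp_sendrecv_all_ports` re-open UDP on every port for fsdaemon_t with no comment on what smartd needs the network for; a port-specific interface, or at least a `# smartd needs UDP for <TODO: reason / bug id>` line above them, would keep the grant reviewable at the next rebase. The same applies to the new `optional_policy` block adding `virt_read_images(fsdaemon_t)`, which lets the disk-health daemon read VM image contents; a comment naming the use case belongs there. I read both as additions on the new side of the patch (`++` lines), as far as the whitespace-stripped rendering allows.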
@@ -63329,23 +72155,10 @@ index 8265278..017b923 100644
smokeping_initrc_domtrans($1)
domain_system_change_exemption($1)
diff --git a/smokeping.te b/smokeping.te
-index 740994a..4bfc780 100644
+index a8b1aaf..3769d45 100644
--- a/smokeping.te
+++ b/smokeping.te
-@@ -36,11 +36,10 @@ manage_dirs_pattern(smokeping_t, smokeping_var_lib_t, smokeping_var_lib_t)
- manage_files_pattern(smokeping_t, smokeping_var_lib_t, smokeping_var_lib_t)
- files_var_lib_filetrans(smokeping_t, smokeping_var_lib_t, { file dir } )
-
--corecmd_read_bin_symlinks(smokeping_t)
-+corecmd_exec_bin(smokeping_t)
-
- dev_read_urand(smokeping_t)
-
--files_read_etc_files(smokeping_t)
- files_read_usr_files(smokeping_t)
- files_search_tmp(smokeping_t)
-
-@@ -49,8 +48,6 @@ auth_dontaudit_read_shadow(smokeping_t)
+@@ -47,8 +47,6 @@ auth_dontaudit_read_shadow(smokeping_t)
logging_send_syslog_msg(smokeping_t)
@@ -63354,49 +72167,31 @@ index 740994a..4bfc780 100644
mta_send_mail(smokeping_t)
netutils_domtrans_ping(smokeping_t)
-@@ -73,5 +70,9 @@ optional_policy(`
+@@ -70,6 +68,8 @@ optional_policy(`
files_search_tmp(httpd_smokeping_cgi_script_t)
files_search_var_lib(httpd_smokeping_cgi_script_t)
+ auth_read_passwd(httpd_smokeping_cgi_script_t)
+
sysnet_dns_name_resolve(httpd_smokeping_cgi_script_t)
-+
-+ netutils_domtrans_ping(httpd_smokeping_cgi_script_t)
- ')
+
+ netutils_domtrans_ping(httpd_smokeping_cgi_script_t)
diff --git a/smoltclient.te b/smoltclient.te
-index bc00875..7dd4e53 100644
+index 9c8f9a5..529487e 100644
--- a/smoltclient.te
+++ b/smoltclient.te
-@@ -8,7 +8,6 @@ policy_module(smoltclient, 1.1.0)
- type smoltclient_t;
- type smoltclient_exec_t;
- application_domain(smoltclient_t, smoltclient_exec_t)
--cron_system_entry(smoltclient_t, smoltclient_exec_t)
-
- type smoltclient_tmp_t;
- files_tmp_file(smoltclient_tmp_t)
-@@ -39,20 +38,29 @@ corecmd_exec_shell(smoltclient_t)
- corenet_tcp_connect_http_port(smoltclient_t)
-
- dev_read_sysfs(smoltclient_t)
-+dev_read_urand(smoltclient_t)
-
- fs_getattr_all_fs(smoltclient_t)
- fs_getattr_all_dirs(smoltclient_t)
- fs_list_auto_mountpoints(smoltclient_t)
+@@ -51,14 +51,20 @@ fs_list_auto_mountpoints(smoltclient_t)
files_getattr_generic_locks(smoltclient_t)
--files_read_etc_files(smoltclient_t)
-+files_read_etc_runtime_files(smoltclient_t)
- files_read_usr_files(smoltclient_t)
+ files_read_etc_runtime_files(smoltclient_t)
+-files_read_usr_files(smoltclient_t)
auth_use_nsswitch(smoltclient_t)
logging_send_syslog_msg(smoltclient_t)
+ miscfiles_read_hwdata(smoltclient_t)
-miscfiles_read_localization(smoltclient_t)
-+miscfiles_read_hwdata(smoltclient_t)
+
+optional_policy(`
+ abrt_stream_connect(smoltclient_t)
@@ -63407,7 +72202,7 @@ index bc00875..7dd4e53 100644
+')
optional_policy(`
- dbus_system_bus_client(smoltclient_t)
+ abrt_stream_connect(smoltclient_t)
diff --git a/smsd.fc b/smsd.fc
new file mode 100644
index 0000000..4c3fcec
@@ -63427,11 +72222,10 @@ index 0000000..4c3fcec
+/var/spool/sms(/.*)? gen_context(system_u:object_r:smsd_spool_t,s0)
diff --git a/smsd.if b/smsd.if
new file mode 100644
-index 0000000..6db3f07
+index 0000000..52450c7
--- /dev/null
+++ b/smsd.if
-@@ -0,0 +1,241 @@
-+
+@@ -0,0 +1,240 @@
+## <summary>The SMS Server Tools are made to send and receive short messages through GSM modems. It supports easy file interfaces and it can run external programs for automatic actions.</summary>
+
+########################################
@@ -63674,10 +72468,10 @@ index 0000000..6db3f07
+')
diff --git a/smsd.te b/smsd.te
new file mode 100644
-index 0000000..4e822e5
+index 0000000..92c3638
--- /dev/null
+++ b/smsd.te
-@@ -0,0 +1,74 @@
+@@ -0,0 +1,72 @@
+policy_module(smsd, 1.0.0)
+
+########################################
@@ -63745,61 +72539,56 @@ index 0000000..4e822e5
+
+corecmd_exec_shell(smsd_t)
+
-+files_read_etc_files(smsd_t)
-+
+auth_use_nsswitch(smsd_t)
+
+logging_send_syslog_msg(smsd_t)
+
+sysnet_dns_name_resolve(smsd_t)
diff --git a/snmp.fc b/snmp.fc
-index 623c8fa..1ef62d0 100644
+index c73fa24..d852517 100644
--- a/snmp.fc
+++ b/snmp.fc
-@@ -16,9 +16,10 @@
- /var/lib/net-snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0)
- /var/lib/snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0)
+@@ -13,6 +13,8 @@
--/var/log/snmpd\.log -- gen_context(system_u:object_r:snmpd_log_t,s0)
-+/var/log/snmpd\.log.* -- gen_context(system_u:object_r:snmpd_log_t,s0)
+ /var/log/snmpd\.log.* -- gen_context(system_u:object_r:snmpd_log_t,s0)
--/var/net-snmp(/.*) gen_context(system_u:object_r:snmpd_var_lib_t,s0)
+/var/net-snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0)
-
-+/var/run/net-snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0)
- /var/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0)
++
+ /var/run/net-snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0)
+-/var/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0)
++/var/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0)
/var/run/snmpd\.pid -- gen_context(system_u:object_r:snmpd_var_run_t,s0)
diff --git a/snmp.if b/snmp.if
-index 275f9fb..f1343b7 100644
+index 7a9cc9d..86cbca9 100644
--- a/snmp.if
+++ b/snmp.if
-@@ -11,12 +11,12 @@
- ## </param>
- #
- interface(`snmp_stream_connect',`
-- gen_require(`
-+ gen_require(`
- type snmpd_t, snmpd_var_lib_t;
-- ')
-+ ')
-
-- files_search_var_lib($1)
-- stream_connect_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t, snmpd_t)
-+ files_search_var_lib($1)
-+ stream_connect_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t, snmpd_t)
- ')
+@@ -57,8 +57,7 @@ interface(`snmp_udp_chat',`
########################################
-@@ -62,11 +62,70 @@ interface(`snmp_read_snmp_var_lib_files',`
+ ## <summary>
+-## Create, read, write, and delete
+-## snmp lib directories.
++## Read snmpd lib content.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -66,19 +65,39 @@ interface(`snmp_udp_chat',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`snmp_manage_var_lib_dirs',`
++interface(`snmp_read_snmp_var_lib_files',`
+ gen_require(`
type snmpd_var_lib_t;
')
-+ files_search_var_lib($1)
- allow $1 snmpd_var_lib_t:dir list_dir_perms;
- read_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
- read_lnk_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
- ')
-
+ files_search_var_lib($1)
+- allow $1 snmpd_var_lib_t:dir manage_dir_perms;
++ allow $1 snmpd_var_lib_t:dir list_dir_perms;
++ read_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
++ read_lnk_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
++')
++
+#######################################
+## <summary>
+## Read snmpd libraries directories
@@ -63817,74 +72606,65 @@ index 275f9fb..f1343b7 100644
+
+ files_search_var_lib($1)
+ allow $1 snmpd_var_lib_t:dir list_dir_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete
+-## snmp lib files.
+## Manage snmpd libraries directories
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -86,19 +105,18 @@ interface(`snmp_manage_var_lib_dirs',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`snmp_manage_var_lib_files',`
+interface(`snmp_manage_var_lib_dirs',`
-+ gen_require(`
-+ type snmpd_var_lib_t;
-+ ')
-+
+ gen_require(`
+ type snmpd_var_lib_t;
+ ')
+
+- files_search_var_lib($1)
+- allow $1 snmpd_var_lib_t:dir list_dir_perms;
+- manage_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
+ allow $1 snmpd_var_lib_t:dir manage_dir_perms;
+ files_var_lib_filetrans($1, snmpd_var_lib_t, dir)
-+')
-+
-+########################################
-+## <summary>
-+## Manage snmpd libraries.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`snmp_manage_var_lib_files',`
-+ gen_require(`
-+ type snmpd_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ allow $1 snmpd_var_lib_t:dir list_dir_perms;
-+ manage_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
-+')
-+
+ ')
+
########################################
## <summary>
- ## dontaudit Read snmpd libraries.
-@@ -81,9 +140,10 @@ interface(`snmp_dontaudit_read_snmp_var_lib_files',`
+-## Read snmpd lib content.
++## Manage snmpd libraries.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -106,14 +124,14 @@ interface(`snmp_manage_var_lib_files',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`snmp_read_snmp_var_lib_files',`
++interface(`snmp_manage_var_lib_files',`
gen_require(`
type snmpd_var_lib_t;
')
-+
- dontaudit $1 snmpd_var_lib_t:dir list_dir_perms;
- dontaudit $1 snmpd_var_lib_t:file read_file_perms;
-- dontaudit $1 snmpd_var_lib_t:lnk_file { getattr read };
-+ dontaudit $1 snmpd_var_lib_t:lnk_file read_lnk_file_perms;
+
++ files_search_var_lib($1)
+ allow $1 snmpd_var_lib_t:dir list_dir_perms;
+- read_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
+- read_lnk_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
++ manage_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
')
########################################
-@@ -123,13 +183,15 @@ interface(`snmp_dontaudit_write_snmp_var_lib_files',`
- #
- interface(`snmp_admin',`
- gen_require(`
-- type snmpd_t, snmpd_log_t;
-+ type snmpd_t, snmpd_log_t, snmpd_initrc_exec_t;
+@@ -179,8 +197,12 @@ interface(`snmp_admin',`
type snmpd_var_lib_t, snmpd_var_run_t;
-- type snmpd_initrc_exec_t;
')
-- allow $1 snmpd_t:process { ptrace signal_perms getattr };
+- allow $1 snmpd_t:process { ptrace signal_perms };
+ allow $1 snmpd_t:process signal_perms;
++
ps_process_pattern($1, snmpd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 snmpd_t:process ptrace;
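Review bot: The rewritten `snmp_manage_var_lib_dirs` body drops `files_search_var_lib($1)` and keeps only `allow $1 snmpd_var_lib_t:dir manage_dir_perms;` and `files_var_lib_filetrans($1, snmpd_var_lib_t, dir)`; that is complete only if `files_var_lib_filetrans` itself grants search on /var and /var/lib, as refpolicy's version does, so it is worth confirming against the base this patch targets rather than relying on the rename. Separately, the summaries `## Manage snmpd libraries directories` and `## Manage snmpd libraries.` describe `snmpd_var_lib_t`, which labels /var/lib state rather than libraries; `## Manage snmpd /var/lib directories.` and `## Manage snmpd /var/lib files.` would match the `## Read snmpd lib content.` wording the read interface now uses.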
@@ -63893,55 +72673,32 @@ index 275f9fb..f1343b7 100644
init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/snmp.te b/snmp.te
-index 56f074c..4909ce8 100644
+index 81864ce..cc44e06 100644
--- a/snmp.te
+++ b/snmp.te
-@@ -4,6 +4,7 @@ policy_module(snmp, 1.13.0)
- #
- # Declarations
+@@ -27,11 +27,13 @@ files_type(snmpd_var_lib_t)
#
-+
- type snmpd_t;
- type snmpd_exec_t;
- init_daemon_domain(snmpd_t, snmpd_exec_t)
-@@ -24,12 +25,14 @@ files_type(snmpd_var_lib_t)
- #
- # Local policy
- #
--allow snmpd_t self:capability { chown dac_override kill ipc_lock sys_ptrace net_admin sys_nice sys_tty_config };
-+
-+allow snmpd_t self:capability { chown dac_override kill ipc_lock setgid setuid net_admin sys_nice sys_tty_config sys_ptrace };
+
+ allow snmpd_t self:capability { chown dac_override kill ipc_lock setgid setuid net_admin sys_nice sys_tty_config sys_ptrace };
+
dontaudit snmpd_t self:capability { sys_module sys_tty_config };
allow snmpd_t self:process { signal_perms getsched setsched };
allow snmpd_t self:fifo_file rw_fifo_file_perms;
- allow snmpd_t self:unix_dgram_socket create_socket_perms;
--allow snmpd_t self:unix_stream_socket create_stream_socket_perms;
+-allow snmpd_t self:unix_stream_socket { accept connectto listen };
+-allow snmpd_t self:tcp_socket { accept listen };
++allow snmpd_t self:unix_dgram_socket create_socket_perms;
+allow snmpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
- allow snmpd_t self:tcp_socket create_stream_socket_perms;
++allow snmpd_t self:tcp_socket create_stream_socket_perms;
allow snmpd_t self:udp_socket connected_stream_socket_perms;
-@@ -41,23 +44,23 @@ manage_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t)
- manage_sock_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t)
- files_usr_filetrans(snmpd_t, snmpd_var_lib_t, file)
- files_var_filetrans(snmpd_t, snmpd_var_lib_t, { file dir sock_file })
--files_var_lib_filetrans(snmpd_t, snmpd_var_lib_t, file)
-+files_var_lib_filetrans(snmpd_t, snmpd_var_lib_t, { dir file })
-
-+manage_dirs_pattern(snmpd_t, snmpd_var_run_t, snmpd_var_run_t)
- manage_files_pattern(snmpd_t, snmpd_var_run_t, snmpd_var_run_t)
--files_pid_filetrans(snmpd_t, snmpd_var_run_t, file)
-+files_pid_filetrans(snmpd_t, snmpd_var_run_t, { file dir })
-
- kernel_read_device_sysctls(snmpd_t)
- kernel_read_kernel_sysctls(snmpd_t)
+ allow snmpd_t snmpd_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+@@ -53,12 +55,13 @@ kernel_read_kernel_sysctls(snmpd_t)
kernel_read_fs_sysctls(snmpd_t)
kernel_read_net_sysctls(snmpd_t)
--kernel_read_proc_symlinks(snmpd_t)
--kernel_read_system_state(snmpd_t)
kernel_read_network_state(snmpd_t)
+kernel_read_proc_symlinks(snmpd_t)
+kernel_read_all_proc(snmpd_t)
+ kernel_read_system_state(snmpd_t)
corecmd_exec_bin(snmpd_t)
corecmd_exec_shell(snmpd_t)
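Review bot: The new patch replaces upstream's `allow snmpd_t self:unix_stream_socket { accept connectto listen };` and `allow snmpd_t self:tcp_socket { accept listen };` with `create_stream_socket_perms`-based rules, a superset of the removed lines (it includes the create/bind/connect set as well as listen and accept); whether that is a real widening depends on whether the base already grants `create_socket_perms` on a neighbouring line, which the hunk does not show. A one-line comment above the replacement stating why upstream's narrower set is insufficient for Fedora would make the divergence deliberate rather than a rebase leftover. The snort.te hunk further down makes the same substitution (`allow snort_t self:tcp_socket create_stream_socket_perms;` for upstream's `{ accept listen }`) and the same note applies there.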
@@ -63950,38 +72707,15 @@ index 56f074c..4909ce8 100644
corenet_all_recvfrom_netlabel(snmpd_t)
corenet_tcp_sendrecv_generic_if(snmpd_t)
corenet_udp_sendrecv_generic_if(snmpd_t)
-@@ -73,6 +76,7 @@ corenet_sendrecv_snmp_server_packets(snmpd_t)
- corenet_tcp_connect_agentx_port(snmpd_t)
- corenet_tcp_bind_agentx_port(snmpd_t)
- corenet_udp_bind_agentx_port(snmpd_t)
-+corenet_tcp_connect_snmp_port(snmpd_t)
-
- dev_list_sysfs(snmpd_t)
- dev_read_sysfs(snmpd_t)
-@@ -83,10 +87,8 @@ dev_getattr_usbfs_dirs(snmpd_t)
- domain_use_interactive_fds(snmpd_t)
- domain_signull_all_domains(snmpd_t)
- domain_read_all_domains_state(snmpd_t)
--domain_dontaudit_ptrace_all_domains(snmpd_t)
- domain_exec_all_entry_files(snmpd_t)
-
--files_read_etc_files(snmpd_t)
- files_read_usr_files(snmpd_t)
- files_read_etc_runtime_files(snmpd_t)
- files_search_home(snmpd_t)
-@@ -94,28 +96,28 @@ files_search_home(snmpd_t)
- fs_getattr_all_dirs(snmpd_t)
- fs_getattr_all_fs(snmpd_t)
+@@ -103,6 +106,7 @@ fs_getattr_all_fs(snmpd_t)
+ files_list_all(snmpd_t)
+ files_search_all_mountpoints(snmpd_t)
fs_search_auto_mountpoints(snmpd_t)
+files_search_all_mountpoints(snmpd_t)
storage_dontaudit_read_fixed_disk(snmpd_t)
storage_dontaudit_read_removable_device(snmpd_t)
-+storage_dontaudit_write_removable_device(snmpd_t)
-
- auth_use_nsswitch(snmpd_t)
--files_list_non_auth_dirs(snmpd_t)
-+files_list_all(snmpd_t)
+@@ -112,16 +116,25 @@ auth_use_nsswitch(snmpd_t)
init_read_utmp(snmpd_t)
init_dontaudit_write_utmp(snmpd_t)
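Review bot: The inner `@@ -103,6 +106,7 @@` hunk adds `files_search_all_mountpoints(snmpd_t)` two lines below a context line that already reads `files_search_all_mountpoints(snmpd_t)`, so this version of the patch introduces a duplicate call. Duplicate rules are harmless to the policy compiler, but the inner hunk then changes nothing and can be dropped together with the `files_list_all(snmpd_t)` line it keeps only as context. The leading whitespace of these lines has been stripped in this rendering, so the old/new markers are inferred from the `+` column.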
@@ -63991,46 +72725,28 @@ index 56f074c..4909ce8 100644
logging_send_syslog_msg(snmpd_t)
-miscfiles_read_localization(snmpd_t)
--
--seutil_dontaudit_search_config(snmpd_t)
--
- sysnet_read_config(snmpd_t)
++sysnet_read_config(snmpd_t)
+
+ seutil_dontaudit_search_config(snmpd_t)
userdom_dontaudit_use_unpriv_user_fds(snmpd_t)
userdom_dontaudit_search_user_home_dirs(snmpd_t)
--ifdef(`distro_redhat', `
+ifdef(`distro_redhat',`
- optional_policy(`
- rpm_read_db(snmpd_t)
- rpm_dontaudit_manage_db(snmpd_t)
-@@ -131,6 +133,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ corosync_stream_connect(snmpd_t)
++ optional_policy(`
++ rpm_read_db(snmpd_t)
++ rpm_dontaudit_manage_db(snmpd_t)
++ ')
+')
+
-+optional_policy(`
- cups_read_rw_config(snmpd_t)
- ')
-
-@@ -140,6 +146,10 @@ optional_policy(`
- ')
-
optional_policy(`
-+ ricci_stream_connect_modclusterd(snmpd_t)
-+')
-+
-+optional_policy(`
- rpc_search_nfs_state_data(snmpd_t)
+ amanda_dontaudit_read_dumpdates(snmpd_t)
')
-
diff --git a/snort.if b/snort.if
-index c117e8b..0eb909b 100644
+index 7d86b34..5f58180 100644
--- a/snort.if
+++ b/snort.if
-@@ -41,8 +41,11 @@ interface(`snort_admin',`
+@@ -42,8 +42,11 @@ interface(`snort_admin',`
type snort_etc_t, snort_initrc_exec_t;
')
@@ -64043,7 +72759,7 @@ index c117e8b..0eb909b 100644
init_labeled_script_domtrans($1, snort_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -50,11 +53,11 @@ interface(`snort_admin',`
+@@ -51,11 +54,11 @@ interface(`snort_admin',`
allow $2 system_r;
admin_pattern($1, snort_etc_t)
@@ -64059,32 +72775,25 @@ index c117e8b..0eb909b 100644
+ files_list_pids($1)
')
diff --git a/snort.te b/snort.te
-index 179bc1b..3dbbcc0 100644
+index ccd28bb..b9e856e 100644
--- a/snort.te
+++ b/snort.te
-@@ -32,17 +32,18 @@ files_pid_file(snort_var_run_t)
+@@ -32,10 +32,13 @@ files_pid_file(snort_var_run_t)
allow snort_t self:capability { setgid setuid net_admin net_raw dac_override };
dontaudit snort_t self:capability sys_tty_config;
allow snort_t self:process signal_perms;
--allow snort_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
+allow snort_t self:netlink_route_socket create_netlink_socket_perms;
-+allow snort_t self:netlink_socket create_socket_perms;
- allow snort_t self:tcp_socket create_stream_socket_perms;
- allow snort_t self:udp_socket create_socket_perms;
+ allow snort_t self:netlink_socket create_socket_perms;
+-allow snort_t self:tcp_socket { accept listen };
++allow snort_t self:tcp_socket create_stream_socket_perms;
++allow snort_t self:udp_socket create_socket_perms;
allow snort_t self:packet_socket create_socket_perms;
allow snort_t self:socket create_socket_perms;
- # Snort IPS node. unverified.
--allow snort_t self:netlink_firewall_socket { bind create getattr };
-+allow snort_t self:netlink_firewall_socket create_socket_perms;
++# Snort IPS node. unverified.
+ allow snort_t self:netlink_firewall_socket create_socket_perms;
allow snort_t snort_etc_t:dir list_dir_perms;
- allow snort_t snort_etc_t:file read_file_perms;
--allow snort_t snort_etc_t:lnk_file { getattr read };
-+allow snort_t snort_etc_t:lnk_file read_lnk_file_perms;
-
- manage_files_pattern(snort_t, snort_log_t, snort_log_t)
- create_dirs_pattern(snort_t, snort_log_t, snort_log_t)
-@@ -63,7 +64,6 @@ kernel_request_load_module(snort_t)
+@@ -63,7 +66,6 @@ kernel_request_load_module(snort_t)
kernel_dontaudit_read_system_state(snort_t)
kernel_read_network_state(snort_t)
@@ -64092,94 +72801,50 @@ index 179bc1b..3dbbcc0 100644
corenet_all_recvfrom_netlabel(snort_t)
corenet_tcp_sendrecv_generic_if(snort_t)
corenet_udp_sendrecv_generic_if(snort_t)
-@@ -95,8 +95,6 @@ init_read_utmp(snort_t)
+@@ -86,7 +88,6 @@ dev_rw_generic_usb_dev(snort_t)
+
+ domain_use_interactive_fds(snort_t)
+
+-files_read_etc_files(snort_t)
+ files_dontaudit_read_etc_runtime_files(snort_t)
+
+ fs_getattr_all_fs(snort_t)
+@@ -96,8 +97,6 @@ init_read_utmp(snort_t)
logging_send_syslog_msg(snort_t)
-miscfiles_read_localization(snort_t)
-
- sysnet_read_config(snort_t)
- # snorts must be able to resolve dns in case it wants to relay to a remote prelude-manager
sysnet_dns_name_resolve(snort_t)
-diff --git a/sosreport.fc b/sosreport.fc
-index a40478e..050f521 100644
---- a/sosreport.fc
-+++ b/sosreport.fc
-@@ -1 +1,3 @@
- /usr/sbin/sosreport -- gen_context(system_u:object_r:sosreport_exec_t,s0)
-+
-+/.ismount-test-file -- gen_context(system_u:object_r:sosreport_tmp_t,s0)
-diff --git a/sosreport.if b/sosreport.if
-index 94c01b5..f64bd93 100644
---- a/sosreport.if
-+++ b/sosreport.if
-@@ -106,7 +106,7 @@ interface(`sosreport_append_tmp_files',`
- type sosreport_tmp_t;
- ')
-
-- append_files_pattern($1, sosreport_tmp_t, sosreport_tmp_t)
-+ allow $1 sosreport_tmp_t:file append_inherited_file_perms;
- ')
- ########################################
+ userdom_dontaudit_use_unpriv_user_fds(snort_t)
diff --git a/sosreport.te b/sosreport.te
-index c6079a5..cb59eff 100644
+index 703efa3..ec61db7 100644
--- a/sosreport.te
+++ b/sosreport.te
-@@ -21,7 +21,7 @@ files_tmpfs_file(sosreport_tmpfs_t)
- # sosreport local policy
- #
-
--allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice sys_ptrace dac_override };
-+allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice dac_override };
- allow sosreport_t self:process { setsched signull };
- allow sosreport_t self:fifo_file rw_fifo_file_perms;
- allow sosreport_t self:tcp_socket create_stream_socket_perms;
-@@ -64,7 +64,6 @@ files_getattr_all_sockets(sosreport_t)
- files_exec_etc_files(sosreport_t)
- files_list_all(sosreport_t)
- files_read_config_files(sosreport_t)
--files_read_etc_files(sosreport_t)
- files_read_generic_tmp_files(sosreport_t)
- files_read_usr_files(sosreport_t)
- files_read_var_lib_files(sosreport_t)
-@@ -74,13 +73,17 @@ files_read_all_symlinks(sosreport_t)
- # for blkid.tab
- files_manage_etc_runtime_files(sosreport_t)
- files_etc_filetrans_etc_runtime(sosreport_t, file)
-+files_root_filetrans(sosreport_t, sosreport_tmp_t, file, ".ismount-test-file")
-
- fs_getattr_all_fs(sosreport_t)
- fs_list_inotifyfs(sosreport_t)
-
-+storage_dontaudit_read_fixed_disk(sosreport_t)
-+storage_dontaudit_read_removable_device(sosreport_t)
-+
- # some config files do not have configfile attribute
- # sosreport needs to read various files on system
--files_read_non_auth_files(sosreport_t)
+@@ -84,6 +84,10 @@ fs_list_inotifyfs(sosreport_t)
+ storage_dontaudit_read_fixed_disk(sosreport_t)
+ storage_dontaudit_read_removable_device(sosreport_t)
+
++# some config files do not have configfile attribute
++# sosreport needs to read various files on system
+files_read_non_security_files(sosreport_t)
++
auth_use_nsswitch(sosreport_t)
init_domtrans_script(sosreport_t)
-@@ -90,15 +93,11 @@ libs_domtrans_ldconfig(sosreport_t)
+@@ -93,9 +97,8 @@ libs_domtrans_ldconfig(sosreport_t)
logging_read_all_logs(sosreport_t)
logging_send_syslog_msg(sosreport_t)
-miscfiles_read_localization(sosreport_t)
--
--# needed by modinfo
++sysnet_read_config(sosreport_t)
+
-modutils_read_module_deps(sosreport_t)
--
- sysnet_read_config(sosreport_t)
optional_policy(`
abrt_manage_pid_files(sosreport_t)
-+ abrt_manage_cache(sosreport_t)
- ')
-
- optional_policy(`
-@@ -110,6 +109,11 @@ optional_policy(`
+@@ -111,6 +114,11 @@ optional_policy(`
')
optional_policy(`
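Review bot: The comment added above `files_read_non_security_files(sosreport_t)` justifies the broadest non-security read grant available with "some config files do not have configfile attribute" but does not say which files, so nobody can later narrow it back to `files_read_config_files`. Name the paths in the comment, e.g. `# TODO: /etc files still lacking the configfile attribute: <list>; narrow once they are labeled`, or file them as missing-label bugs instead of widening the domain. The hunk also re-adds `sysnet_read_config(sosreport_t)` as a Fedora line where `miscfiles_read_localization` was removed; if upstream dropped it because `auth_use_nsswitch(sosreport_t)` already covers it, the re-add is redundant — confirm before the next merge. The enclosing sosreport.te body continues outside this hunk.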
@@ -64192,41 +72857,37 @@ index c6079a5..cb59eff 100644
')
diff --git a/soundserver.if b/soundserver.if
-index 93fe7bf..1b07ed4 100644
+index a5abc5a..b9eff74 100644
--- a/soundserver.if
+++ b/soundserver.if
-@@ -33,13 +33,15 @@ interface(`soundserver_tcp_connect',`
- #
- interface(`soundserver_admin',`
- gen_require(`
-- type soundd_t, soundd_etc_t;
-+ type soundd_t, soundd_etc_t, soundd_initrc_exec_t;
- type soundd_tmp_t, soundd_var_run_t;
-- type soundd_initrc_exec_t;
+@@ -38,9 +38,13 @@ interface(`soundserver_admin',`
+ type soundd_state_t;
')
- allow $1 soundd_t:process { ptrace signal_perms };
+ allow $1 soundd_t:process signal_perms;
ps_process_pattern($1, soundd_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 soundd_t:process ptrace;
+ ')
-
++
init_labeled_script_domtrans($1, soundd_initrc_exec_t)
domain_system_change_exemption($1)
+ role_transition $2 soundd_initrc_exec_t system_r;
diff --git a/soundserver.te b/soundserver.te
-index 3217605..e9a4381 100644
+index db1bc6f..40abb06 100644
--- a/soundserver.te
+++ b/soundserver.te
-@@ -68,7 +68,6 @@ kernel_read_kernel_sysctls(soundd_t)
+@@ -65,7 +65,6 @@ kernel_read_kernel_sysctls(soundd_t)
kernel_list_proc(soundd_t)
kernel_read_proc_symlinks(soundd_t)
-corenet_all_recvfrom_unlabeled(soundd_t)
corenet_all_recvfrom_netlabel(soundd_t)
corenet_tcp_sendrecv_generic_if(soundd_t)
- corenet_udp_sendrecv_generic_if(soundd_t)
-@@ -94,8 +93,6 @@ fs_search_auto_mountpoints(soundd_t)
+ corenet_tcp_sendrecv_generic_node(soundd_t)
+@@ -89,8 +88,6 @@ fs_search_auto_mountpoints(soundd_t)
logging_send_syslog_msg(soundd_t)
@@ -64236,47 +72897,52 @@ index 3217605..e9a4381 100644
userdom_dontaudit_use_unpriv_user_fds(soundd_t)
diff --git a/spamassassin.fc b/spamassassin.fc
-index 6b3abf9..80c9e56 100644
+index e9bd097..80c9e56 100644
--- a/spamassassin.fc
+++ b/spamassassin.fc
-@@ -1,15 +1,53 @@
+@@ -1,20 +1,24 @@
-HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0)
+-HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:spamd_home_t,s0)
+HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
+HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
+HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
+/root/\.pyzor(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
+/root/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
+/root/\.spamd(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
-+
-+/etc/rc\.d/init\.d/spamd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
+
+ /etc/rc\.d/init\.d/spamd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
+-/etc/rc\.d/init\.d/spampd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/spampd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/mimedefang.* -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/mimedefang.* -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
/usr/bin/sa-learn -- gen_context(system_u:object_r:spamc_exec_t,s0)
--/usr/bin/spamassassin -- gen_context(system_u:object_r:spamassassin_exec_t,s0)
-+/usr/bin/spamassassin -- gen_context(system_u:object_r:spamc_exec_t,s0)
- /usr/bin/spamc -- gen_context(system_u:object_r:spamc_exec_t,s0)
- /usr/bin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
-+/usr/bin/sa-update -- gen_context(system_u:object_r:spamd_update_exec_t,s0)
-
- /usr/sbin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
+ /usr/bin/spamassassin -- gen_context(system_u:object_r:spamc_exec_t,s0)
+-/usr/bin/spamc -- gen_context(system_u:object_r:spamc_exec_t,s0)
+-/usr/bin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
++/usr/bin/spamc -- gen_context(system_u:object_r:spamc_exec_t,s0)
++/usr/bin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
+ /usr/bin/sa-update -- gen_context(system_u:object_r:spamd_update_exec_t,s0)
+
+-/usr/sbin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
+-/usr/sbin/spampd -- gen_context(system_u:object_r:spamd_exec_t,s0)
++/usr/sbin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
+/usr/sbin/spampd -- gen_context(system_u:object_r:spamd_exec_t,s0)
-+/usr/bin/mimedefang -- gen_context(system_u:object_r:spamd_exec_t,s0)
+ /usr/bin/mimedefang -- gen_context(system_u:object_r:spamd_exec_t,s0)
+-/usr/bin/mimedefang-multiplexor -- gen_context(system_u:object_r:spamd_exec_t,s0)
+/usr/bin/mimedefang-multiplexor -- gen_context(system_u:object_r:spamd_exec_t,s0)
/var/lib/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0)
-+/var/lib/spamassassin/compiled(/.*)? gen_context(system_u:object_r:spamd_compiled_t,s0)
-+
-+/var/log/spamd\.log.* -- gen_context(system_u:object_r:spamd_log_t,s0)
-+/var/log/mimedefang.* -- gen_context(system_u:object_r:spamd_log_t,s0)
-
+ /var/lib/spamassassin/compiled(/.*)? gen_context(system_u:object_r:spamd_compiled_t,s0)
+@@ -25,7 +29,25 @@ HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:spamd_home_t,s0)
/var/run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
/var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
- /var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
+-/var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
+-/var/spool/spampd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
++/var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
+/var/spool/spampd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
-+/var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
-+/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
+ /var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
+ /var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
+
+/root/\.razor(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
+HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
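Review bot: Several rewritten lines in this hunk show identical visible text on both sides — `/usr/bin/spamc`, `/usr/bin/spamd`, `/usr/sbin/spamd`, `/usr/sbin/spampd`, `/usr/bin/mimedefang-multiplexor`, `/var/spool/spamd`, `/var/spool/spampd` — so the Fedora delta apparently differs from upstream only in whitespace; assuming that is tabs versus spaces (the diff cannot show it), those lines should be dropped from the patch so they stop conflicting on every merge. The substantive change is relabeling `HOME_DIR/\.spamd(/.*)?` and `/root/\.spamd(/.*)?` from upstream's `spamd_home_t` to `spamc_home_t`, which matches the removal of the `spamd_home_t` type elsewhere in the patch but is unexplained here; add `# spamd_home_t is not used in Fedora: all spam-tool home content is spamc_home_t` so the next merge does not reintroduce the upstream type.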
@@ -64296,108 +72962,267 @@ index 6b3abf9..80c9e56 100644
+/usr/bin/pyzor -- gen_context(system_u:object_r:spamc_exec_t,s0)
+/usr/bin/pyzord -- gen_context(system_u:object_r:spamd_exec_t,s0)
diff --git a/spamassassin.if b/spamassassin.if
-index c954f31..82fc7f6 100644
+index 1499b0b..82fc7f6 100644
--- a/spamassassin.if
+++ b/spamassassin.if
-@@ -14,6 +14,7 @@
- ## User domain for the role
+@@ -2,39 +2,45 @@
+
+ ########################################
+ ## <summary>
+-## Role access for spamassassin.
++## Role access for spamassassin
+ ## </summary>
+ ## <param name="role">
+ ## <summary>
+-## Role allowed access.
++## Role allowed access
+ ## </summary>
+ ## </param>
+ ## <param name="domain">
+ ## <summary>
+-## User domain for the role.
++## User domain for the role
## </summary>
## </param>
+## <rolecap/>
#
interface(`spamassassin_role',`
gen_require(`
-@@ -25,9 +26,13 @@ interface(`spamassassin_role',`
+ type spamc_t, spamc_exec_t, spamc_tmp_t;
+- type spamassassin_t, spamassassin_exec_t, spamd_home_t;
++ type spamassassin_t, spamassassin_exec_t;
+ type spamassassin_home_t, spamassassin_tmp_t;
+ ')
+
role $1 types { spamc_t spamassassin_t };
domtrans_pattern($2, spamassassin_exec_t, spamassassin_t)
+
+ allow $2 spamassassin_t:process signal_perms;
- ps_process_pattern($2, spamassassin_t)
-
- domtrans_pattern($2, spamc_exec_t, spamc_t)
++ ps_process_pattern($2, spamassassin_t)
+
+ domtrans_pattern($2, spamc_exec_t, spamc_t)
+
+- allow $2 { spamc_t spamassassin_t}:process { ptrace signal_perms };
+- ps_process_pattern($2, { spamc_t spamassassin_t })
+ allow $2 spamc_t:process signal_perms;
- ps_process_pattern($2, spamc_t)
++ ps_process_pattern($2, spamc_t)
- manage_dirs_pattern($2, spamassassin_home_t, spamassassin_home_t)
-@@ -55,7 +60,6 @@ interface(`spamassassin_exec',`
+- allow $2 { spamc_tmp_t spamd_home_t spamassassin_home_t spamassassin_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
+- allow $2 { spamc_tmp_t spamd_home_t spamassassin_home_t spamassassin_tmp_t }:file { manage_file_perms relabel_file_perms };
+- allow $2 { spamc_tmp_t spamd_home_t spamassassin_home_t spamassassin_tmp_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+- userdom_user_home_dir_filetrans($2, spamassassin_home_t, dir, ".spamassassin")
+- userdom_user_home_dir_filetrans($2, spamd_home_t, dir, ".spamd")
++ manage_dirs_pattern($2, spamassassin_home_t, spamassassin_home_t)
++ manage_files_pattern($2, spamassassin_home_t, spamassassin_home_t)
++ manage_lnk_files_pattern($2, spamassassin_home_t, spamassassin_home_t)
++ relabel_dirs_pattern($2, spamassassin_home_t, spamassassin_home_t)
++ relabel_files_pattern($2, spamassassin_home_t, spamassassin_home_t)
++ relabel_lnk_files_pattern($2, spamassassin_home_t, spamassassin_home_t)
+ ')
+
+ ########################################
+@@ -53,13 +59,12 @@ interface(`spamassassin_exec',`
+ type spamassassin_exec_t;
')
+- corecmd_search_bin($1)
can_exec($1, spamassassin_exec_t)
--
')
########################################
-@@ -111,6 +115,67 @@ interface(`spamassassin_domtrans_client',`
+ ## <summary>
+-## Send generic signals to spamd.
++## Singnal the spam assassin daemon
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -77,7 +82,8 @@ interface(`spamassassin_signal_spamd',`
+
+ ########################################
+ ## <summary>
+-## Execute spamd in the caller domain.
++## Execute the spamassassin daemon
++## program in the caller directory.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -90,13 +96,12 @@ interface(`spamassassin_exec_spamd',`
+ type spamd_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+ can_exec($1, spamd_exec_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Execute spamc in the spamc domain.
++## Execute spamassassin client in the spamassassin client domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -109,32 +114,13 @@ interface(`spamassassin_domtrans_client',`
+ type spamc_t, spamc_exec_t;
')
+- corecmd_search_bin($1)
domtrans_pattern($1, spamc_exec_t, spamc_t)
+ allow $1 spamc_exec_t:file ioctl;
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Execute spamc in the caller domain.
+-## </summary>
+-## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+-## </param>
+-#
+-interface(`spamassassin_exec_client',`
+- gen_require(`
+- type spamc_exec_t;
+- ')
+-
+- corecmd_search_bin($1)
+- can_exec($1, spamc_exec_t)
+-')
+-
+-########################################
+-## <summary>
+-## Send kill signals to spamc.
+## Send kill signal to spamassassin client
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`spamassassin_kill_client',`
-+ gen_require(`
-+ type spamc_t;
-+ ')
-+
-+ allow $1 spamc_t:process sigkill;
-+')
-+
-+########################################
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -152,28 +138,28 @@ interface(`spamassassin_kill_client',`
+
+ ########################################
+ ## <summary>
+-## Execute spamassassin standalone client
+-## in the user spamassassin domain.
+## Manage spamc home files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed to transition.
+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+ #
+-interface(`spamassassin_domtrans_local_client',`
+interface(`spamassassin_manage_home_client',`
-+ gen_require(`
+ gen_require(`
+- type spamassassin_t, spamassassin_exec_t;
+ type spamc_home_t;
-+ ')
-+
+ ')
+
+- corecmd_search_bin($1)
+- domtrans_pattern($1, spamassassin_exec_t, spamassassin_t)
+ userdom_search_user_home_dirs($1)
+ manage_dirs_pattern($1, spamc_home_t, spamc_home_t)
+ manage_files_pattern($1, spamc_home_t, spamc_home_t)
+ manage_lnk_files_pattern($1, spamc_home_t, spamc_home_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete
+-## spamd home content.
+## Read spamc home files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -181,20 +167,21 @@ interface(`spamassassin_domtrans_local_client',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`spamassassin_manage_spamd_home_content',`
+interface(`spamassassin_read_home_client',`
-+ gen_require(`
+ gen_require(`
+- type spamd_home_t;
+ type spamc_home_t;
-+ ')
-+
-+ userdom_search_user_home_dirs($1)
+ ')
+
+ userdom_search_user_home_dirs($1)
+- allow $1 spamd_home_t:dir manage_dir_perms;
+- allow $1 spamd_home_t:file manage_file_perms;
+- allow $1 spamd_home_t:lnk_file manage_lnk_file_perms;
+ list_dirs_pattern($1, spamc_home_t, spamc_home_t)
+ read_files_pattern($1, spamc_home_t, spamc_home_t)
+ read_lnk_files_pattern($1, spamc_home_t, spamc_home_t)
')
########################################
-@@ -166,7 +231,9 @@ interface(`spamassassin_read_lib_files',`
+ ## <summary>
+-## Relabel spamd home content.
++## Execute the spamassassin client
++## program in the caller directory.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -202,49 +189,35 @@ interface(`spamassassin_manage_spamd_home_content',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`spamassassin_relabel_spamd_home_content',`
++interface(`spamassassin_exec_client',`
+ gen_require(`
+- type spamd_home_t;
++ type spamc_exec_t;
+ ')
+
+- userdom_search_user_home_dirs($1)
+- allow $1 spamd_home_t:dir relabel_dir_perms;
+- allow $1 spamd_home_t:file relabel_file_perms;
+- allow $1 spamd_home_t:lnk_file relabel_lnk_file_perms;
++ can_exec($1, spamc_exec_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Create objects in user home
+-## directories with the spamd home type.
++## Execute spamassassin standalone client in the user spamassassin domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
+-## </summary>
+-## </param>
+-## <param name="object_class">
+-## <summary>
+-## Class of the object being created.
+-## </summary>
+-## </param>
+-## <param name="name" optional="true">
+-## <summary>
+-## The name of the object being created.
++## Domain allowed to transition.
+ ## </summary>
+ ## </param>
+ #
+-interface(`spamassassin_home_filetrans_spamd_home',`
++interface(`spamassassin_domtrans_local_client',`
+ gen_require(`
+- type spamd_home_t;
++ type spamassassin_t, spamassassin_exec_t;
+ ')
+
+- userdom_user_home_dir_filetrans($1, spamd_home_t, $2, $3)
++ domtrans_pattern($1, spamassassin_exec_t, spamassassin_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Read spamd lib files.
++## read spamd lib files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -258,7 +231,9 @@ interface(`spamassassin_read_lib_files',`
')
files_search_var_lib($1)
@@ -64407,137 +73232,183 @@ index c954f31..82fc7f6 100644
')
########################################
-@@ -204,6 +271,7 @@ interface(`spamassassin_read_spamd_tmp_files',`
- type spamd_tmp_t;
+@@ -283,7 +258,7 @@ interface(`spamassassin_manage_lib_files',`
+
+ ########################################
+ ## <summary>
+-## Read spamd pid files.
++## Read temporary spamd file.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -291,56 +266,56 @@ interface(`spamassassin_manage_lib_files',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`spamassassin_read_spamd_pid_files',`
++interface(`spamassassin_read_spamd_tmp_files',`
+ gen_require(`
+- type spamd_var_run_t;
++ type spamd_tmp_t;
')
+- files_search_pids($1)
+- read_files_pattern($1, spamd_var_run_t, spamd_var_run_t)
+ files_search_tmp($1)
- allow $1 spamd_tmp_t:file read_file_perms;
++ allow $1 spamd_tmp_t:file read_file_perms;
')
-@@ -223,5 +291,94 @@ interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',`
+ ########################################
+ ## <summary>
+-## Read temporary spamd files.
++## Do not audit attempts to get attributes of temporary
++## spamd sockets/
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
++## Domain to not audit.
+ ## </summary>
+ ## </param>
+ #
+-interface(`spamassassin_read_spamd_tmp_files',`
++interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',`
+ gen_require(`
type spamd_tmp_t;
')
-- dontaudit $1 spamd_tmp_t:sock_file getattr;
+- allow $1 spamd_tmp_t:file read_file_perms;
+ dontaudit $1 spamd_tmp_t:sock_file getattr_sock_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Do not audit attempts to get
+-## attributes of temporary spamd sockets.
+## Connect to run spamd.
-+## </summary>
-+## <param name="domain">
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain to not audit.
+## Domain allowed to connect.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+ #
+-interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',`
+interface(`spamd_stream_connect',`
-+ gen_require(`
+ gen_require(`
+- type spamd_tmp_t;
+ type spamd_t, spamd_var_run_t;
-+ ')
-+
+ ')
+
+- dontaudit $1 spamd_tmp_t:sock_file getattr;
+ files_search_pids($1)
+ stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Connect to spamd with a unix
+-## domain stream socket.
+## Read spamd pid files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -348,19 +323,19 @@ interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`spamassassin_stream_connect_spamd',`
+interface(`spamassassin_read_pid_files',`
-+ gen_require(`
+ gen_require(`
+- type spamd_t, spamd_var_run_t;
+ type spamd_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
+ ')
+
+ files_search_pids($1)
+- stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t)
+ read_files_pattern($1, spamd_var_run_t, spamd_var_run_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## All of the rules required to
+-## administrate an spamassassin environment.
+## All of the rules required to administrate
+## an spamassassin environment
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <param name="role">
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -369,20 +344,23 @@ interface(`spamassassin_stream_connect_spamd',`
+ ## </param>
+ ## <param name="role">
+ ## <summary>
+-## Role allowed access.
+## The role to be allowed to manage the spamassassin domain.
-+## </summary>
-+## </param>
-+## <rolecap/>
-+#
+ ## </summary>
+ ## </param>
+ ## <rolecap/>
+ #
+-interface(`spamassassin_admin',`
+interface(`spamassassin_spamd_admin',`
-+ gen_require(`
-+ type spamd_t, spamd_tmp_t, spamd_log_t;
-+ type spamd_spool_t, spamd_var_lib_t, spamd_var_run_t;
-+ type spamd_initrc_exec_t;
-+ ')
-+
+ gen_require(`
+ type spamd_t, spamd_tmp_t, spamd_log_t;
+ type spamd_spool_t, spamd_var_lib_t, spamd_var_run_t;
+ type spamd_initrc_exec_t;
+ ')
+
+- allow $1 spamd_t:process { ptrace signal_perms };
+ allow $1 spamd_t:process signal_perms;
-+ ps_process_pattern($1, spamd_t)
+ ps_process_pattern($1, spamd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 spamd_t:process ptrace;
+ ')
-+
-+ init_labeled_script_domtrans($1, spamd_initrc_exec_t)
-+ domain_system_change_exemption($1)
-+ role_transition $2 spamd_initrc_exec_t system_r;
-+ allow $2 system_r;
-+
-+ files_list_tmp($1)
-+ admin_pattern($1, spamd_tmp_t)
-+
-+ logging_list_logs($1)
-+ admin_pattern($1, spamd_log_t)
-+
-+ files_list_spool($1)
-+ admin_pattern($1, spamd_spool_t)
-+
-+ files_list_var_lib($1)
-+ admin_pattern($1, spamd_var_lib_t)
-+
-+ files_list_pids($1)
-+ admin_pattern($1, spamd_var_run_t)
+
+ init_labeled_script_domtrans($1, spamd_initrc_exec_t)
+ domain_system_change_exemption($1)
+@@ -403,6 +381,4 @@ interface(`spamassassin_admin',`
+
+ files_list_pids($1)
+ admin_pattern($1, spamd_var_run_t)
+-
+- spamassassin_role($2, $1)
')
diff --git a/spamassassin.te b/spamassassin.te
-index 1bbf73b..dd3e5e1 100644
+index 4faa7e0..18d0efc 100644
--- a/spamassassin.te
+++ b/spamassassin.te
-@@ -6,52 +6,40 @@ policy_module(spamassassin, 2.5.0)
+@@ -1,4 +1,4 @@
+-policy_module(spamassassin, 2.5.8)
++policy_module(spamassassin, 2.5.0)
+
+ ########################################
#
+@@ -7,50 +7,23 @@ policy_module(spamassassin, 2.5.8)
## <desc>
--## <p>
--## Allow user spamassassin clients to use the network.
--## </p>
-+## <p>
+ ## <p>
+-## Determine whether spamassassin
+-## clients can use the network.
+## Allow user spamassassin clients to use the network.
-+## </p>
+ ## </p>
## </desc>
gen_tunable(spamassassin_can_network, false)
## <desc>
--## <p>
--## Allow spamd to read/write user home directories.
--## </p>
-+## <p>
+ ## <p>
+-## Determine whether spamd can manage
+-## generic user home content.
+## Allow spamd to read/write user home directories.
-+## </p>
+ ## </p>
## </desc>
- gen_tunable(spamd_enable_home_dirs, true)
+-gen_tunable(spamd_enable_home_dirs, false)
++gen_tunable(spamd_enable_home_dirs, true)
++
+ type spamd_update_t;
+ type spamd_update_exec_t;
+-init_system_domain(spamd_update_t, spamd_update_exec_t)
+-
-type spamassassin_t;
-type spamassassin_exec_t;
-typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t };
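Review bot: The new side flips the default of `spamd_enable_home_dirs` from upstream's `false` to `true`, so out of the box spamd_t may read and write user home content; loosening a security boolean deserves a comment beside the tunable, e.g. `# Fedora default differs from upstream (false): enabled so spamd can use per-user data under home directories`, rather than being implicit in a mass merge. The same hunk downgrades `policy_module(spamassassin, 2.5.8)` to `policy_module(spamassassin, 2.5.0)`; module versions should not go backwards, since `semodule -u` on a system that already has 2.5.8 installed may refuse the older module — confirm against the libsemanage in the target release. Renaming upstream's `spamassassin_admin` to `spamassassin_spamd_admin` and dropping its `spamassassin_role($2, $1)` call breaks every caller of the upstream name; keep `spamassassin_admin` as a wrapper that calls `spamassassin_spamd_admin($1, $2)` and `spamassassin_role($2, $1)`.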
@@ -64564,35 +73435,42 @@ index 1bbf73b..dd3e5e1 100644
-typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
-typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
-userdom_user_tmp_file(spamc_tmp_t)
-+
-+type spamd_update_t;
-+type spamd_update_exec_t;
+application_domain(spamd_update_t, spamd_update_exec_t)
+role system_r types spamd_update_t;
type spamd_t;
type spamd_exec_t;
- init_daemon_domain(spamd_t, spamd_exec_t)
+@@ -59,12 +32,6 @@ init_daemon_domain(spamd_t, spamd_exec_t)
+ type spamd_compiled_t;
+ files_type(spamd_compiled_t)
+
+-type spamd_etc_t;
+-files_config_file(spamd_etc_t)
+-
+-type spamd_home_t;
+-userdom_user_home_content(spamd_home_t)
+-
+ type spamd_initrc_exec_t;
+ init_script_file(spamd_initrc_exec_t)
+
+@@ -72,49 +39,154 @@ type spamd_log_t;
+ logging_log_file(spamd_log_t)
-+type spamd_compiled_t;
-+files_type(spamd_compiled_t)
-+
-+type spamd_initrc_exec_t;
-+init_script_file(spamd_initrc_exec_t)
-+
-+type spamd_log_t;
-+logging_log_file(spamd_log_t)
-+
type spamd_spool_t;
-files_type(spamd_spool_t)
+files_spool_file(spamd_spool_t)
type spamd_tmp_t;
files_tmp_file(spamd_tmp_t)
-@@ -63,6 +51,89 @@ files_type(spamd_var_lib_t)
+
++# var/lib files
+ type spamd_var_lib_t;
+ files_type(spamd_var_lib_t)
+
type spamd_var_run_t;
files_pid_file(spamd_var_run_t)
+-########################################
+ifdef(`distro_redhat',`
+ # spamassassin client executable
+ type spamc_t;
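Review bot: Declaring `spamd_update_t` with `application_domain(spamd_update_t, spamd_update_exec_t)` plus `role system_r types spamd_update_t;` in place of upstream's `init_system_domain` (removed in the preceding hunk) drops the init_t to spamd_update_t transition, so if sa-update is ever started from a systemd unit or timer rather than from cron it would stay in init_t; confirm how Fedora launches it and record that, e.g. `# sa-update is only launched from cron; no init transition needed`. The `ifdef(`distro_redhat',` block beginning here declares `spamc_t` only for Red Hat builds, while the accompanying spamassassin.if references `spamc_t` unconditionally in `spamassassin_role` and `spamassassin_domtrans_client`, so a non-redhat build of this patch would fail to expand those interfaces — hedged, since the rest of the block is outside the hunk. The added `# var/lib files` comment above `type spamd_var_lib_t;` only restates the type name and can be dropped.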
@@ -64676,25 +73554,60 @@ index 1bbf73b..dd3e5e1 100644
+ ubac_constrained(spamc_tmp_t)
+')
+
- ##############################
++##############################
#
- # Standalone program local policy
-@@ -98,12 +169,14 @@ manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
- manage_fifo_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
- manage_sock_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
- userdom_user_home_dir_filetrans(spamd_t, spamassassin_home_t, { dir file lnk_file sock_file fifo_file })
+-# Standalone local policy
++# Standalone program local policy
+ #
+
+ allow spamassassin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow spamassassin_t self:fd use;
+ allow spamassassin_t self:fifo_file rw_fifo_file_perms;
++allow spamassassin_t self:sock_file read_sock_file_perms;
++allow spamassassin_t self:unix_dgram_socket create_socket_perms;
++allow spamassassin_t self:unix_stream_socket create_stream_socket_perms;
+ allow spamassassin_t self:unix_dgram_socket sendto;
+-allow spamassassin_t self:unix_stream_socket { accept connectto listen };
++allow spamassassin_t self:unix_stream_socket connectto;
++allow spamassassin_t self:shm create_shm_perms;
++allow spamassassin_t self:sem create_sem_perms;
++allow spamassassin_t self:msgq create_msgq_perms;
++allow spamassassin_t self:msg { send receive };
+
+ manage_dirs_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
+ manage_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
+ manage_lnk_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
+ manage_fifo_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
+ manage_sock_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
+-userdom_user_home_dir_filetrans(spamassassin_t, spamassassin_home_t, dir, ".spamassassin")
++userdom_user_home_dir_filetrans(spamassassin_t, spamassassin_home_t, { dir file lnk_file sock_file fifo_file })
+
+ manage_dirs_pattern(spamassassin_t, spamassassin_tmp_t, spamassassin_tmp_t)
+ manage_files_pattern(spamassassin_t, spamassassin_tmp_t, spamassassin_tmp_t)
+ files_tmp_filetrans(spamassassin_t, spamassassin_tmp_t, { file dir })
+
++manage_dirs_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
++manage_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
++manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
++manage_fifo_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
++manage_sock_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
++userdom_user_home_dir_filetrans(spamd_t, spamassassin_home_t, { dir file lnk_file sock_file fifo_file })
+userdom_home_manager(spamassassin_t)
-
++
kernel_read_kernel_sysctls(spamassassin_t)
dev_read_urand(spamassassin_t)
+-fs_getattr_all_fs(spamassassin_t)
fs_search_auto_mountpoints(spamassassin_t)
+fs_getattr_all_fs(spamassassin_t)
-
- # this should probably be removed
- corecmd_list_bin(spamassassin_t)
-@@ -114,7 +187,6 @@ corecmd_read_bin_sockets(spamassassin_t)
++
++# this should probably be removed
++corecmd_list_bin(spamassassin_t)
++corecmd_read_bin_symlinks(spamassassin_t)
++corecmd_read_bin_files(spamassassin_t)
++corecmd_read_bin_pipes(spamassassin_t)
++corecmd_read_bin_sockets(spamassassin_t)
domain_use_interactive_fds(spamassassin_t)
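Review bot: `userdom_user_home_dir_filetrans(spamassassin_t, spamassassin_home_t, { dir file lnk_file sock_file fifo_file })` replaces upstream's named transition `userdom_user_home_dir_filetrans(spamassassin_t, spamassassin_home_t, dir, ".spamassassin")`, so every object spamassassin_t creates directly under a user's home directory — not just `~/.spamassassin` — is labeled spamassassin_home_t, and the same unnamed transition is granted to spamd_t a few lines below. Because the .fc in this patch labels `~/.spamassassin`, `~/.pyzor` and `~/.razor` as spamc_home_t, freshly created and restorecon'd content may carry different types unless spamassassin_home_t aliases spamc_home_t in the distro_redhat block outside this hunk; confirm, and otherwise restore the named `dir, ".spamassassin"` form. The `manage_*_pattern(spamd_t, spamassassin_home_t, ...)` rules sit under the `# Standalone program local policy` heading and belong in spamd's own section. `userdom_home_manager(spamassassin_t)` gives a standalone client broad home-content management; a comment should say why the spamassassin_home_t rules above are not sufficient.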
@@ -64702,53 +73615,57 @@ index 1bbf73b..dd3e5e1 100644
files_read_etc_runtime_files(spamassassin_t)
files_list_home(spamassassin_t)
files_read_usr_files(spamassassin_t)
-@@ -122,8 +194,6 @@ files_dontaudit_search_var(spamassassin_t)
+@@ -122,37 +194,44 @@ files_dontaudit_search_var(spamassassin_t)
logging_send_syslog_msg(spamassassin_t)
-miscfiles_read_localization(spamassassin_t)
--
- # cjp: this could probably be removed
- seutil_read_config(spamassassin_t)
++# cjp: this could probably be removed
++seutil_read_config(spamassassin_t)
+
+ sysnet_dns_name_resolve(spamassassin_t)
-@@ -134,8 +204,6 @@ tunable_policy(`spamassassin_can_network',`
- allow spamassassin_t self:tcp_socket create_stream_socket_perms;
- allow spamassassin_t self:udp_socket create_socket_perms;
++# set tunable if you have spamassassin do DNS lookups
+ tunable_policy(`spamassassin_can_network',`
+- allow spamassassin_t self:tcp_socket { accept listen };
++ allow spamassassin_t self:tcp_socket create_stream_socket_perms;
++ allow spamassassin_t self:udp_socket create_socket_perms;
- corenet_all_recvfrom_unlabeled(spamassassin_t)
- corenet_all_recvfrom_netlabel(spamassassin_t)
corenet_tcp_sendrecv_generic_if(spamassassin_t)
- corenet_udp_sendrecv_generic_if(spamassassin_t)
++ corenet_udp_sendrecv_generic_if(spamassassin_t)
corenet_tcp_sendrecv_generic_node(spamassassin_t)
-@@ -144,6 +212,9 @@ tunable_policy(`spamassassin_can_network',`
- corenet_udp_sendrecv_all_ports(spamassassin_t)
++ corenet_udp_sendrecv_generic_node(spamassassin_t)
+ corenet_tcp_sendrecv_all_ports(spamassassin_t)
+-
++ corenet_udp_sendrecv_all_ports(spamassassin_t)
corenet_tcp_connect_all_ports(spamassassin_t)
corenet_sendrecv_all_client_packets(spamassassin_t)
+ corenet_udp_bind_generic_node(spamassassin_t)
+ corenet_udp_bind_generic_port(spamassassin_t)
+ corenet_dontaudit_udp_bind_all_ports(spamassassin_t)
-
- sysnet_read_config(spamassassin_t)
- ')
-@@ -154,25 +225,13 @@ tunable_policy(`spamd_enable_home_dirs',`
- userdom_manage_user_home_content_symlinks(spamd_t)
++
++ sysnet_read_config(spamassassin_t)
')
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(spamassassin_t)
- fs_manage_nfs_files(spamassassin_t)
- fs_manage_nfs_symlinks(spamassassin_t)
--')
--
++tunable_policy(`spamd_enable_home_dirs',`
++ userdom_manage_user_home_content_dirs(spamd_t)
++ userdom_manage_user_home_content_files(spamd_t)
++ userdom_manage_user_home_content_symlinks(spamd_t)
+ ')
+
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(spamassassin_t)
- fs_manage_cifs_files(spamassassin_t)
- fs_manage_cifs_symlinks(spamassassin_t)
--')
--
- optional_policy(`
- # Write pid file and socket in ~/.evolution/cache/tmp
- evolution_home_filetrans(spamd_t, spamd_tmp_t, { file sock_file })
++optional_policy(`
++ # Write pid file and socket in ~/.evolution/cache/tmp
++ evolution_home_filetrans(spamd_t, spamd_tmp_t, { file sock_file })
')
optional_policy(`
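Review bot: The `spamd_enable_home_dirs` tunable re-added here (`++tunable_policy(`spamd_enable_home_dirs',` with the three `userdom_manage_user_home_content_*(spamd_t)` calls) appears to gate nothing, because the spamd local-policy hunk at `@@ -64933,90 +73915,149 @@` removes upstream's copy of the same block and leaves `+userdom_home_manager(spamd_t)` unconditional. If that interface grants management of user home content, as its name suggests, the boolean is dead: an administrator who leaves it off still gets home-directory writes from spamd_t. Either drop the tunable block or move `userdom_home_manager(spamd_t)` inside it so the boolean keeps its meaning, and add a one-line comment at the tunable stating what it gates. The enclosing inner hunk of spamassassin.te continues past this outer hunk.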
@@ -64757,7 +73674,7 @@ index 1bbf73b..dd3e5e1 100644
nis_use_ypbind_uncond(spamassassin_t)
')
')
-@@ -180,6 +239,8 @@ optional_policy(`
+@@ -160,6 +239,8 @@ optional_policy(`
optional_policy(`
mta_read_config(spamassassin_t)
sendmail_stub(spamassassin_t)
@@ -64766,16 +73683,40 @@ index 1bbf73b..dd3e5e1 100644
')
########################################
-@@ -202,17 +263,37 @@ allow spamc_t self:unix_stream_socket connectto;
- allow spamc_t self:tcp_socket create_stream_socket_perms;
- allow spamc_t self:udp_socket create_socket_perms;
-
-+can_exec(spamc_t, spamc_exec_t)
+@@ -167,72 +248,88 @@ optional_policy(`
+ # Client local policy
+ #
+
+-allow spamc_t self:capability dac_override;
+ allow spamc_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow spamc_t self:fd use;
+ allow spamc_t self:fifo_file rw_fifo_file_perms;
++allow spamc_t self:sock_file read_sock_file_perms;
++allow spamc_t self:shm create_shm_perms;
++allow spamc_t self:sem create_sem_perms;
++allow spamc_t self:msgq create_msgq_perms;
++allow spamc_t self:msg { send receive };
++allow spamc_t self:unix_dgram_socket create_socket_perms;
++allow spamc_t self:unix_stream_socket create_stream_socket_perms;
+ allow spamc_t self:unix_dgram_socket sendto;
+-allow spamc_t self:unix_stream_socket { accept connectto listen };
+-allow spamc_t self:tcp_socket { accept listen };
++allow spamc_t self:unix_stream_socket connectto;
++allow spamc_t self:tcp_socket create_stream_socket_perms;
++allow spamc_t self:udp_socket create_socket_perms;
+
++can_exec(spamc_t, spamc_exec_t)
+
manage_dirs_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t)
manage_files_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t)
files_tmp_filetrans(spamc_t, spamc_tmp_t, { file dir })
+-manage_dirs_pattern(spamc_t, spamassassin_home_t, spamassassin_home_t)
+-manage_files_pattern(spamc_t, spamassassin_home_t, spamassassin_home_t)
+-manage_lnk_files_pattern(spamc_t, spamassassin_home_t, spamassassin_home_t)
+-manage_fifo_files_pattern(spamc_t, spamassassin_home_t, spamassassin_home_t)
+-manage_sock_files_pattern(spamc_t, spamassassin_home_t, spamassassin_home_t)
+-userdom_user_home_dir_filetrans(spamc_t, spamassassin_home_t, dir, ".spamassassin")
+manage_dirs_pattern(spamc_t, spamc_home_t, spamc_home_t)
+manage_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
+manage_lnk_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
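Review bot: The new `++allow spamc_t self:shm create_shm_perms;` through `++allow spamc_t self:msg { send receive };` lines grant spamc_t the full SysV IPC set with no comment saying what needs it, and the identical block is added for spamd_t in the hunk at `@@ -64832,96 +73787,123 @@`. A command-line client that talks to spamd over a socket is not an obvious SysV IPC user, so this reads as inherited boilerplate rather than an observed requirement. Keep only what a denial actually shows and annotate the survivor, e.g. `# SysV IPC: required by <component> — TODO: cite the AVC`. `++can_exec(spamc_t, spamc_exec_t)` likewise deserves a why-comment if spamc genuinely re-executes itself. The spamc local-policy section continues past this outer hunk.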
@@ -64786,45 +73727,59 @@ index 1bbf73b..dd3e5e1 100644
+# for /root/.pyzor
+allow spamc_t self:capability dac_override;
+userdom_admin_home_dir_filetrans(spamc_t, spamc_home_t , dir, ".pyzor")
-+
-+list_dirs_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
-+read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
-+
- # Allow connecting to a local spamd
- allow spamc_t spamd_t:unix_stream_socket connectto;
- allow spamc_t spamd_tmp_t:sock_file rw_sock_file_perms;
+
+ list_dirs_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
+ read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
+
+-stream_connect_pattern(spamc_t, { spamd_var_run_t spamd_tmp_t }, { spamd_var_run_t spamd_tmp_t }, spamd_t)
++# Allow connecting to a local spamd
++allow spamc_t spamd_t:unix_stream_socket connectto;
++allow spamc_t spamd_tmp_t:sock_file rw_sock_file_perms;
+spamd_stream_connect(spamc_t)
+allow spamc_t spamd_tmp_t:file read_inherited_file_perms;
kernel_read_kernel_sysctls(spamc_t)
-+kernel_read_system_state(spamc_t)
-+
-+corecmd_exec_bin(spamc_t)
+ kernel_read_system_state(spamc_t)
-corenet_all_recvfrom_unlabeled(spamc_t)
++corecmd_exec_bin(spamc_t)
++
corenet_all_recvfrom_netlabel(spamc_t)
corenet_tcp_sendrecv_generic_if(spamc_t)
- corenet_udp_sendrecv_generic_if(spamc_t)
-@@ -222,6 +303,7 @@ corenet_tcp_sendrecv_all_ports(spamc_t)
- corenet_udp_sendrecv_all_ports(spamc_t)
++corenet_udp_sendrecv_generic_if(spamc_t)
+ corenet_tcp_sendrecv_generic_node(spamc_t)
++corenet_udp_sendrecv_generic_node(spamc_t)
+ corenet_tcp_sendrecv_all_ports(spamc_t)
+-
+-corenet_sendrecv_all_client_packets(spamc_t)
++corenet_udp_sendrecv_all_ports(spamc_t)
corenet_tcp_connect_all_ports(spamc_t)
- corenet_sendrecv_all_client_packets(spamc_t)
++corenet_sendrecv_all_client_packets(spamc_t)
+corenet_tcp_connect_spamd_port(spamc_t)
- fs_search_auto_mountpoints(spamc_t)
+-corecmd_exec_bin(spamc_t)
++fs_search_auto_mountpoints(spamc_t)
-@@ -234,43 +316,52 @@ corecmd_read_bin_sockets(spamc_t)
+-domain_use_interactive_fds(spamc_t)
++# cjp: these should probably be removed:
++corecmd_list_bin(spamc_t)
++corecmd_read_bin_symlinks(spamc_t)
++corecmd_read_bin_files(spamc_t)
++corecmd_read_bin_pipes(spamc_t)
++corecmd_read_bin_sockets(spamc_t)
- domain_use_interactive_fds(spamc_t)
+-fs_getattr_all_fs(spamc_t)
+-fs_search_auto_mountpoints(spamc_t)
++domain_use_interactive_fds(spamc_t)
--files_read_etc_files(spamc_t)
files_read_etc_runtime_files(spamc_t)
files_read_usr_files(spamc_t)
files_dontaudit_search_var(spamc_t)
- # cjp: this may be removable:
++# cjp: this may be removable:
files_list_home(spamc_t)
-+files_list_var_lib(spamc_t)
-+
+ files_list_var_lib(spamc_t)
+
+-auth_use_nsswitch(spamc_t)
+fs_search_auto_mountpoints(spamc_t)
logging_send_syslog_msg(spamc_t)
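Review bot: The five lines `++corecmd_list_bin(spamc_t)` through `++corecmd_read_bin_sockets(spamc_t)` are re-added together with upstream's own `++# cjp: these should probably be removed:` comment, while `++corecmd_exec_bin(spamc_t)` now sits on the same side a few lines above. In refpolicy corecmd_exec_bin already covers listing bin directories and reading bin files and symlinks, so at least three of the five look redundant; the pipe and socket reads are the only ones it may not cover, which should be confirmed against corecmd.if. Carrying forward lines that the carried comment says should go is the kind of drift a mass merge should shed; either drop them or replace the comment with the concrete reason they are still needed. This spamc section continues beyond the outer hunk on both sides.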
@@ -64832,96 +73787,123 @@ index 1bbf73b..dd3e5e1 100644
-miscfiles_read_localization(spamc_t)
+auth_use_nsswitch(spamc_t)
--# cjp: this should probably be removed:
--seutil_read_config(spamc_t)
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_dirs(spamc_t)
+- fs_manage_nfs_files(spamc_t)
+- fs_manage_nfs_symlinks(spamc_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(spamc_t)
+- fs_manage_cifs_files(spamc_t)
+- fs_manage_cifs_symlinks(spamc_t)
+-')
+userdom_home_manager(spamc_t)
--sysnet_read_config(spamc_t)
-+optional_policy(`
-+ abrt_stream_connect(spamc_t)
-+')
-
optional_policy(`
-- # Allow connection to spamd socket above
-- evolution_stream_connect(spamc_t)
-+ amavis_manage_spool_files(spamc_t)
+ abrt_stream_connect(spamc_t)
+@@ -243,6 +340,7 @@ optional_policy(`
')
optional_policy(`
-- # Needed for pyzor/razor called from spamd
-- milter_manage_spamass_state(spamc_t)
+ # Allow connection to spamd socket above
-+ evolution_stream_connect(spamc_t)
+ evolution_stream_connect(spamc_t)
')
- optional_policy(`
-- nis_use_ypbind(spamc_t)
-+ milter_manage_spamass_state(spamc_t)
+@@ -251,52 +349,55 @@ optional_policy(`
')
optional_policy(`
-- nscd_socket_use(spamc_t)
+ postfix_domtrans_postdrop(spamc_t)
+ postfix_search_spool(spamc_t)
+ postfix_rw_local_pipes(spamc_t)
-+ postfix_rw_master_pipes(spamc_t)
- ')
-
- optional_policy(`
-+ mta_send_mail(spamc_t)
++ postfix_rw_inherited_master_pipes(spamc_t)
++')
++
++optional_policy(`
+ mta_send_mail(spamc_t)
mta_read_config(spamc_t)
-+ mta_read_queue(spamc_t)
+ mta_read_queue(spamc_t)
+- sendmail_rw_pipes(spamc_t)
sendmail_stub(spamc_t)
+-')
+-
+-optional_policy(`
+- postfix_domtrans_postdrop(spamc_t)
+- postfix_search_spool(spamc_t)
+- postfix_rw_local_pipes(spamc_t)
+- postfix_rw_master_pipes(spamc_t)
+ sendmail_rw_pipes(spamc_t)
+ sendmail_dontaudit_rw_tcp_sockets(spamc_t)
')
########################################
-@@ -282,7 +373,7 @@ optional_policy(`
- # setuids to the user running spamc. Comment this if you are not
- # using this ability.
+ #
+-# Daemon local policy
++# Server local policy
+ #
--allow spamd_t self:capability { setuid setgid dac_override sys_tty_config };
-+allow spamd_t self:capability { kill setuid setgid dac_override sys_tty_config };
++# Spamassassin, when run as root and using per-user config files,
++# setuids to the user running spamc. Comment this if you are not
++# using this ability.
++
+ allow spamd_t self:capability { kill setuid setgid dac_override sys_tty_config };
dontaudit spamd_t self:capability sys_tty_config;
allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow spamd_t self:fd use;
-@@ -298,10 +389,20 @@ allow spamd_t self:unix_dgram_socket sendto;
- allow spamd_t self:unix_stream_socket connectto;
- allow spamd_t self:tcp_socket create_stream_socket_perms;
- allow spamd_t self:udp_socket create_socket_perms;
--allow spamd_t self:netlink_route_socket r_netlink_socket_perms;
-+
+ allow spamd_t self:fifo_file rw_fifo_file_perms;
++allow spamd_t self:sock_file read_sock_file_perms;
++allow spamd_t self:shm create_shm_perms;
++allow spamd_t self:sem create_sem_perms;
++allow spamd_t self:msgq create_msgq_perms;
++allow spamd_t self:msg { send receive };
++allow spamd_t self:unix_dgram_socket create_socket_perms;
++allow spamd_t self:unix_stream_socket create_stream_socket_perms;
+ allow spamd_t self:unix_dgram_socket sendto;
+-allow spamd_t self:unix_stream_socket { accept connectto listen };
+-allow spamd_t self:tcp_socket { accept listen };
++allow spamd_t self:unix_stream_socket connectto;
++allow spamd_t self:tcp_socket create_stream_socket_perms;
++allow spamd_t self:udp_socket create_socket_perms;
+
+-manage_dirs_pattern(spamd_t, spamd_home_t, spamd_home_t)
+-manage_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
+-manage_lnk_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
+-manage_fifo_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
+-manage_sock_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
+-userdom_user_home_dir_filetrans(spamd_t, spamd_home_t, dir, ".spamd")
+-
+-manage_dirs_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
+-manage_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
+-manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
+-manage_fifo_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
+-manage_sock_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
+-userdom_user_home_dir_filetrans(spamd_t, spamassassin_home_t, dir, ".spamassassin")
+# needed by razor
+rw_files_pattern(spamd_t, spamd_etc_t, spamd_etc_t)
-+
+
+can_exec(spamd_t, spamd_compiled_t)
-+manage_dirs_pattern(spamd_t, spamd_compiled_t, spamd_compiled_t)
-+manage_files_pattern(spamd_t, spamd_compiled_t, spamd_compiled_t)
-+
+ manage_dirs_pattern(spamd_t, spamd_compiled_t, spamd_compiled_t)
+ manage_files_pattern(spamd_t, spamd_compiled_t, spamd_compiled_t)
+
+-allow spamd_t spamd_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+manage_files_pattern(spamd_t, spamd_log_t, spamd_log_t)
-+logging_log_filetrans(spamd_t, spamd_log_t, file)
+ logging_log_filetrans(spamd_t, spamd_log_t, file)
manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
- manage_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
-+manage_sock_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
- files_spool_filetrans(spamd_t, spamd_spool_t, { file dir })
+@@ -308,6 +409,7 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
+ manage_files_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
+ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
- manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
-@@ -310,16 +411,21 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
-
- # var/lib files for spamd
++# var/lib files for spamd
allow spamd_t spamd_var_lib_t:dir list_dir_perms;
--read_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
-+manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
-+manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
+ manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
+ manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
+@@ -317,12 +419,13 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
+ manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
+ files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir })
- manage_dirs_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
- manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
--files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file })
-+manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
-+files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir })
-+
+-can_exec(spamd_t, { spamd_exec_t spamd_compiled_t })
+read_files_pattern(spamd_t, spamc_home_t, spamc_home_t)
+
+can_exec(spamd_t, spamd_exec_t)
@@ -64933,90 +73915,149 @@ index 1bbf73b..dd3e5e1 100644
corenet_all_recvfrom_netlabel(spamd_t)
corenet_tcp_sendrecv_generic_if(spamd_t)
corenet_udp_sendrecv_generic_if(spamd_t)
-@@ -356,30 +462,30 @@ corecmd_exec_bin(spamd_t)
+@@ -331,78 +434,62 @@ corenet_udp_sendrecv_generic_node(spamd_t)
+ corenet_tcp_sendrecv_all_ports(spamd_t)
+ corenet_udp_sendrecv_all_ports(spamd_t)
+ corenet_tcp_bind_generic_node(spamd_t)
+-corenet_udp_bind_generic_node(spamd_t)
+-
+-corenet_sendrecv_spamd_server_packets(spamd_t)
+ corenet_tcp_bind_spamd_port(spamd_t)
+-
+-corenet_sendrecv_razor_client_packets(spamd_t)
+ corenet_tcp_connect_razor_port(spamd_t)
+-
+-corenet_sendrecv_smtp_client_packets(spamd_t)
+ corenet_tcp_connect_smtp_port(spamd_t)
+-
+-corenet_sendrecv_generic_server_packets(spamd_t)
++corenet_sendrecv_razor_client_packets(spamd_t)
++corenet_sendrecv_spamd_server_packets(spamd_t)
++# spamassassin 3.1 needs this for its
++# DnsResolver.pm module which binds to
++# random ports >= 1024.
++corenet_udp_bind_generic_node(spamd_t)
+ corenet_udp_bind_generic_port(spamd_t)
+-
+-corenet_sendrecv_imaze_server_packets(spamd_t)
+ corenet_udp_bind_imaze_port(spamd_t)
+-
+ corenet_dontaudit_udp_bind_all_ports(spamd_t)
+-
+-corecmd_exec_bin(spamd_t)
++corenet_sendrecv_imaze_server_packets(spamd_t)
++corenet_sendrecv_generic_server_packets(spamd_t)
+
+ dev_read_sysfs(spamd_t)
+ dev_read_urand(spamd_t)
+
++fs_getattr_all_fs(spamd_t)
++fs_search_auto_mountpoints(spamd_t)
++
++auth_dontaudit_read_shadow(spamd_t)
++
++corecmd_exec_bin(spamd_t)
++
domain_use_interactive_fds(spamd_t)
files_read_usr_files(spamd_t)
--files_read_etc_files(spamd_t)
files_read_etc_runtime_files(spamd_t)
- # /var/lib/spamassin
- files_read_var_lib_files(spamd_t)
++# /var/lib/spamassin
++files_read_var_lib_files(spamd_t)
- init_dontaudit_rw_utmp(spamd_t)
+-fs_getattr_all_fs(spamd_t)
+-fs_search_auto_mountpoints(spamd_t)
++init_dontaudit_rw_utmp(spamd_t)
--logging_send_syslog_msg(spamd_t)
-+auth_use_nsswitch(spamd_t)
+ auth_use_nsswitch(spamd_t)
+-auth_dontaudit_read_shadow(spamd_t)
+-
+-init_dontaudit_rw_utmp(spamd_t)
--miscfiles_read_localization(spamd_t)
-+libs_use_ld_so(spamd_t)
-+libs_use_shared_libs(spamd_t)
+ libs_use_ld_so(spamd_t)
+ libs_use_shared_libs(spamd_t)
--sysnet_read_config(spamd_t)
--sysnet_use_ldap(spamd_t)
--sysnet_dns_name_resolve(spamd_t)
-+logging_send_syslog_msg(spamd_t)
+ logging_send_syslog_msg(spamd_t)
+-miscfiles_read_localization(spamd_t)
+-
+-sysnet_use_ldap(spamd_t)
+-
userdom_use_unpriv_users_fds(spamd_t)
- userdom_search_user_home_dirs(spamd_t)
++userdom_search_user_home_dirs(spamd_t)
+userdom_home_manager(spamd_t)
+-tunable_policy(`spamd_enable_home_dirs',`
+- userdom_manage_user_home_content_dirs(spamd_t)
+- userdom_manage_user_home_content_files(spamd_t)
+- userdom_manage_user_home_content_symlinks(spamd_t)
+-')
+-
-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_dirs(spamd_t)
- fs_manage_nfs_files(spamd_t)
+- fs_manage_nfs_symlinks(spamd_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(spamd_t)
+- fs_manage_cifs_files(spamd_t)
+- fs_manage_cifs_symlinks(spamd_t)
+optional_policy(`
+ clamav_stream_connect(spamd_t)
')
--tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_files(spamd_t)
-+optional_policy(`
+ optional_policy(`
+- amavis_manage_lib_files(spamd_t)
+ exim_manage_spool_dirs(spamd_t)
+ exim_manage_spool_files(spamd_t)
')
optional_policy(`
-@@ -395,7 +501,9 @@ optional_policy(`
+- clamav_stream_connect(spamd_t)
++ amavis_manage_lib_files(spamd_t)
')
optional_policy(`
-+ dcc_domtrans_cdcc(spamd_t)
- dcc_domtrans_client(spamd_t)
-+ dcc_signal_client(spamd_t)
- dcc_stream_connect_dccifd(spamd_t)
- ')
-
-@@ -404,25 +512,17 @@ optional_policy(`
+@@ -421,21 +508,13 @@ optional_policy(`
')
optional_policy(`
-- corenet_tcp_connect_mysqld_port(spamd_t)
-- corenet_sendrecv_mysqld_client_packets(spamd_t)
+- evolution_home_filetrans(spamd_t, spamd_tmp_t, { file sock_file })
+-')
-
-+ mysql_tcp_connect(spamd_t)
- mysql_search_db(spamd_t)
- mysql_stream_connect(spamd_t)
- ')
-
- optional_policy(`
-- nis_use_ypbind(spamd_t)
+-optional_policy(`
+- exim_manage_spool_dirs(spamd_t)
+- exim_manage_spool_files(spamd_t)
-')
-
-optional_policy(`
- postfix_read_config(spamd_t)
+ milter_manage_spamass_state(spamd_t)
')
optional_policy(`
-- corenet_tcp_connect_postgresql_port(spamd_t)
-- corenet_sendrecv_postgresql_client_packets(spamd_t)
--
-+ postgresql_tcp_connect(spamd_t)
- postgresql_stream_connect(spamd_t)
+- mysql_stream_connect(spamd_t)
+ mysql_tcp_connect(spamd_t)
++ mysql_search_db(spamd_t)
++ mysql_stream_connect(spamd_t)
+ ')
+
+ optional_policy(`
+@@ -443,8 +522,8 @@ optional_policy(`
')
-@@ -433,6 +533,13 @@ optional_policy(`
+ optional_policy(`
+- postgresql_stream_connect(spamd_t)
+ postgresql_tcp_connect(spamd_t)
++ postgresql_stream_connect(spamd_t)
+ ')
optional_policy(`
+@@ -455,7 +534,12 @@ optional_policy(`
+ optional_policy(`
razor_domtrans(spamd_t)
-+ razor_read_lib_files(spamd_t)
+ razor_read_lib_files(spamd_t)
+- razor_manage_home_content(spamd_t)
+')
+
+optional_policy(`
@@ -65026,71 +74067,85 @@ index 1bbf73b..dd3e5e1 100644
')
optional_policy(`
-@@ -440,6 +547,7 @@ optional_policy(`
+@@ -463,9 +547,9 @@ optional_policy(`
')
optional_policy(`
+ mta_send_mail(spamd_t)
sendmail_stub(spamd_t)
mta_read_config(spamd_t)
+- mta_send_mail(spamd_t)
')
-@@ -447,3 +555,54 @@ optional_policy(`
+
optional_policy(`
- udev_read_db(spamd_t)
- ')
-+
-+########################################
-+#
+@@ -474,32 +558,29 @@ optional_policy(`
+
+ ########################################
+ #
+-# Update local policy
+# spamd_update local policy
-+#
-+
-+allow spamd_update_t self:fifo_file manage_fifo_file_perms;
-+allow spamd_update_t self:unix_stream_socket create_stream_socket_perms;
+ #
+
+-allow spamd_update_t self:capability dac_override;
+ allow spamd_update_t self:fifo_file manage_fifo_file_perms;
+ allow spamd_update_t self:unix_stream_socket create_stream_socket_perms;
+allow spamd_update_t self:capability dac_read_search;
+dontaudit spamd_update_t self:capability dac_override;
-+
-+manage_dirs_pattern(spamd_update_t, spamd_tmp_t, spamd_tmp_t)
-+manage_files_pattern(spamd_update_t, spamd_tmp_t, spamd_tmp_t)
-+files_tmp_filetrans(spamd_update_t, spamd_tmp_t, { file dir })
-+
+
+ manage_dirs_pattern(spamd_update_t, spamd_tmp_t, spamd_tmp_t)
+ manage_files_pattern(spamd_update_t, spamd_tmp_t, spamd_tmp_t)
+ files_tmp_filetrans(spamd_update_t, spamd_tmp_t, { file dir })
+
+allow spamd_update_t spamd_var_lib_t:dir list_dir_perms;
-+manage_dirs_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
-+manage_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
-+manage_lnk_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
-+
+ manage_dirs_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
+ manage_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
+ manage_lnk_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
+
+-kernel_read_system_state(spamd_update_t)
+allow spamd_update_t spamd_tmp_t:file read_file_perms;
-+
+
+-corenet_all_recvfrom_unlabeled(spamd_update_t)
+-corenet_all_recvfrom_netlabel(spamd_update_t)
+-corenet_tcp_sendrecv_generic_if(spamd_update_t)
+-corenet_tcp_sendrecv_generic_node(spamd_update_t)
+-corenet_tcp_sendrecv_all_ports(spamd_update_t)
+kernel_read_system_state(spamd_update_t)
-+
+
+-corenet_sendrecv_http_client_packets(spamd_update_t)
+# for updating rules
-+corenet_tcp_connect_http_port(spamd_update_t)
-+
-+corecmd_exec_bin(spamd_update_t)
-+corecmd_exec_shell(spamd_update_t)
-+
-+dev_read_urand(spamd_update_t)
-+
-+domain_use_interactive_fds(spamd_update_t)
-+
-+files_read_usr_files(spamd_update_t)
-+
-+auth_use_nsswitch(spamd_update_t)
-+auth_dontaudit_read_shadow(spamd_update_t)
-+
+ corenet_tcp_connect_http_port(spamd_update_t)
+-corenet_tcp_sendrecv_http_port(spamd_update_t)
+
+ corecmd_exec_bin(spamd_update_t)
+ corecmd_exec_shell(spamd_update_t)
+@@ -513,20 +594,16 @@ files_read_usr_files(spamd_update_t)
+ auth_use_nsswitch(spamd_update_t)
+ auth_dontaudit_read_shadow(spamd_update_t)
+
+-miscfiles_read_localization(spamd_update_t)
+mta_read_config(spamd_update_t)
-+
+
+-userdom_use_user_terminals(spamd_update_t)
+userdom_use_inherited_user_ptys(spamd_update_t)
-+
-+optional_policy(`
-+ cron_system_entry(spamd_update_t, spamd_update_exec_t)
-+')
-+
-+optional_policy(`
+
+ optional_policy(`
+ cron_system_entry(spamd_update_t, spamd_update_exec_t)
+ ')
+
+-# probably want a solution same as httpd_use_gpg since this will
+-# give spamd_update a path to users gpg keys
+-# optional_policy(`
+-# gpg_domtrans(spamd_update_t)
+-# ')
+-
+ optional_policy(`
+- mta_read_config(spamd_update_t)
+ gpg_domtrans(spamd_update_t)
-+')
++ gpg_manage_home_content(spamd_update_t)
+ ')
+
diff --git a/speedtouch.te b/speedtouch.te
-index ade10f5..bed16af 100644
+index 9025dbd..7e4c41f 100644
--- a/speedtouch.te
+++ b/speedtouch.te
@@ -47,8 +47,6 @@ fs_search_auto_mountpoints(speedmgmt_t)
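Review bot: `++ gpg_manage_home_content(spamd_update_t)` is added in the same hunk that drops upstream's warning `+-# probably want a solution same as httpd_use_gpg since this will` / `+-# give spamd_update a path to users gpg keys` together with its deliberately commented-out `gpg_domtrans`; the new side enables both `gpg_domtrans(spamd_update_t)` and management of gpg home content, which is the exposure the removed comment described — a cron-driven rule updater with write access to user keyrings, assuming the interface covers ~/.gnupg as its name suggests. If sa-update only has to verify signatures on downloaded rules, a read-only gpg interface or a dedicated keyring under spamd_var_lib_t is the least-privilege option. At minimum carry the rationale forward instead of deleting it: `# sa-update verifies rule signatures with gpg; this exposes user keyrings (cf. httpd_use_gpg)`. The spamd_update optional_policy block is complete within this hunk, but the .te file continues beyond it.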
@@ -65103,31 +74158,43 @@ index ade10f5..bed16af 100644
userdom_dontaudit_search_user_home_dirs(speedmgmt_t)
diff --git a/squid.fc b/squid.fc
-index 2015152..6664de3 100644
+index 0a8b0f7..ebbec17 100644
--- a/squid.fc
+++ b/squid.fc
-@@ -1,8 +1,11 @@
- /etc/rc\.d/init\.d/squid -- gen_context(system_u:object_r:squid_initrc_exec_t,s0)
- /etc/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0)
+@@ -1,12 +1,15 @@
+-/etc/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0)
+-
+-/etc/rc\.d/init\.d/squid -- gen_context(system_u:object_r:squid_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/squid -- gen_context(system_u:object_r:squid_initrc_exec_t,s0)
++/etc/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0)
+/etc/lightsquid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0)
-+/usr/share/lightsquid/cgi(/.*)? gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
- /usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
- /usr/sbin/squid -- gen_context(system_u:object_r:squid_exec_t,s0)
+ /usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
+
+/usr/sbin/lightparser.pl -- gen_context(system_u:object_r:squid_cron_exec_t,s0)
- /usr/share/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0)
++
+ /usr/sbin/squid -- gen_context(system_u:object_r:squid_exec_t,s0)
+
+ /usr/share/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0)
++/usr/share/lightsquid/cgi(/.*)? gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
+
+ /var/cache/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
+
+@@ -15,6 +18,7 @@
- /var/cache/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
-@@ -11,3 +14,4 @@
/var/run/squid\.pid -- gen_context(system_u:object_r:squid_var_run_t,s0)
- /var/spool/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
- /var/squidGuard(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
+
+-/var/spool/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
++/var/spool/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
++/var/squidGuard(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
+
+-/var/squidGuard(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
+/var/lightsquid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
diff --git a/squid.if b/squid.if
-index d2496bd..c7614d7 100644
+index 5e1f053..e7820bc 100644
--- a/squid.if
+++ b/squid.if
-@@ -71,7 +71,7 @@ interface(`squid_rw_stream_sockets',`
+@@ -72,7 +72,7 @@ interface(`squid_rw_stream_sockets',`
type squid_t;
')
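Review bot: `++/usr/share/lightsquid/cgi(/.*)? gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)` labels the directory itself and everything beneath it, including any templates or data files, with the entrypoint type that apache transitions through; an exec type should be no wider than the files that are actually executed. If the scripts share a suffix, a file-only pattern such as `/usr/share/lightsquid/cgi/.*\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)` keeps non-scripts out of the exec type, as the existing `/usr/lib/squid/cachemgr\.cgi --` entry already does. If the whole tree really must be exec-labelled, a comment saying why would stop the next merge from narrowing it.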
@@ -65136,7 +74203,7 @@ index d2496bd..c7614d7 100644
')
########################################
-@@ -83,7 +83,6 @@ interface(`squid_rw_stream_sockets',`
+@@ -85,7 +85,6 @@ interface(`squid_rw_stream_sockets',`
## Domain to not audit.
## </summary>
## </param>
@@ -65144,26 +74211,23 @@ index d2496bd..c7614d7 100644
#
interface(`squid_dontaudit_search_cache',`
gen_require(`
-@@ -207,12 +206,14 @@ interface(`squid_use',`
- interface(`squid_admin',`
- gen_require(`
- type squid_t, squid_cache_t, squid_conf_t;
-- type squid_log_t, squid_var_run_t;
-- type squid_initrc_exec_t;
-+ type squid_log_t, squid_var_run_t, squid_initrc_exec_t;
+@@ -213,9 +212,13 @@ interface(`squid_admin',`
+ type squid_initrc_exec_t, squid_tmp_t;
')
- allow $1 squid_t:process { ptrace signal_perms };
+ allow $1 squid_t:process signal_perms;
ps_process_pattern($1, squid_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 squid_t:process ptrace;
+ ')
-
++
init_labeled_script_domtrans($1, squid_initrc_exec_t)
domain_system_change_exemption($1)
+ role_transition $2 squid_initrc_exec_t system_r;
diff --git a/squid.te b/squid.te
-index c38de7a..413146c 100644
+index 221c560..b20a9d9 100644
--- a/squid.te
+++ b/squid.te
@@ -29,7 +29,7 @@ type squid_cache_t;
@@ -65175,7 +74239,13 @@ index c38de7a..413146c 100644
type squid_initrc_exec_t;
init_script_file(squid_initrc_exec_t)
-@@ -40,9 +40,18 @@ logging_log_file(squid_log_t)
+@@ -37,15 +37,21 @@ init_script_file(squid_initrc_exec_t)
+ type squid_log_t;
+ logging_log_file(squid_log_t)
+
+-type squid_tmp_t;
+-files_tmp_file(squid_tmp_t)
+-
type squid_tmpfs_t;
files_tmpfs_file(squid_tmpfs_t)
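Review bot: `+-type squid_tmp_t;` and `+-files_tmp_file(squid_tmp_t)` now make the patch delete upstream's declaration of squid_tmp_t, while later context in this file still uses the type (`+ type squid_initrc_exec_t, squid_tmp_t;` in squid_admin and `files_tmp_filetrans(squid_t, squid_tmp_t, { file dir })` in the following hunk header). The inner `@@ -37,15 +37,21 @@` hunk continues past this outer hunk, so the declaration may be re-added among its unchanged lines; if it is not, the module fails to build on an undeclared type, and if it is, a comment explaining why the declaration moved would save the next merge from re-flagging it. Please confirm against the full inner hunk.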
@@ -65194,15 +74264,7 @@ index c38de7a..413146c 100644
########################################
#
# Local policy
-@@ -69,6 +78,7 @@ allow squid_t self:udp_socket create_socket_perms;
- manage_dirs_pattern(squid_t, squid_cache_t, squid_cache_t)
- manage_files_pattern(squid_t, squid_cache_t, squid_cache_t)
- manage_lnk_files_pattern(squid_t, squid_cache_t, squid_cache_t)
-+files_var_filetrans(squid_t, squid_cache_t, dir, "squid")
-
- allow squid_t squid_conf_t:dir list_dir_perms;
- read_files_pattern(squid_t, squid_conf_t, squid_conf_t)
-@@ -85,15 +95,19 @@ logging_log_filetrans(squid_t, squid_log_t, { file dir })
+@@ -87,6 +93,10 @@ files_tmp_filetrans(squid_t, squid_tmp_t, { file dir })
manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t)
fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, file)
@@ -65213,25 +74275,17 @@ index c38de7a..413146c 100644
manage_files_pattern(squid_t, squid_var_run_t, squid_var_run_t)
files_pid_filetrans(squid_t, squid_var_run_t, file)
- kernel_read_kernel_sysctls(squid_t)
+@@ -96,7 +106,8 @@ kernel_read_kernel_sysctls(squid_t)
kernel_read_system_state(squid_t)
-+kernel_read_network_state(squid_t)
-
- files_dontaudit_getattr_boot_dirs(squid_t)
+ kernel_read_network_state(squid_t)
-corenet_all_recvfrom_unlabeled(squid_t)
++files_dontaudit_getattr_boot_dirs(squid_t)
++
corenet_all_recvfrom_netlabel(squid_t)
corenet_tcp_sendrecv_generic_if(squid_t)
corenet_udp_sendrecv_generic_if(squid_t)
-@@ -145,7 +159,6 @@ corecmd_exec_shell(squid_t)
-
- domain_use_interactive_fds(squid_t)
-
--files_read_etc_files(squid_t)
- files_read_etc_runtime_files(squid_t)
- files_read_usr_files(squid_t)
- files_search_spool(squid_t)
-@@ -161,7 +174,6 @@ libs_exec_lib_files(squid_t)
+@@ -178,7 +189,6 @@ libs_exec_lib_files(squid_t)
logging_send_syslog_msg(squid_t)
miscfiles_read_generic_certs(squid_t)
@@ -65239,25 +74293,21 @@ index c38de7a..413146c 100644
userdom_use_unpriv_users_fds(squid_t)
userdom_dontaudit_search_user_home_dirs(squid_t)
-@@ -169,7 +181,8 @@ userdom_dontaudit_search_user_home_dirs(squid_t)
- tunable_policy(`squid_connect_any',`
- corenet_tcp_connect_all_ports(squid_t)
- corenet_tcp_bind_all_ports(squid_t)
-- corenet_sendrecv_all_packets(squid_t)
-+ corenet_sendrecv_all_client_packets(squid_t)
-+ corenet_sendrecv_all_server_packets(squid_t)
- ')
-
- tunable_policy(`squid_use_tproxy',`
-@@ -182,17 +195,19 @@ optional_policy(`
-
- allow httpd_squid_script_t self:tcp_socket create_socket_perms;
+@@ -200,6 +210,8 @@ tunable_policy(`squid_use_tproxy',`
+ optional_policy(`
+ apache_content_template(squid)
-- corenet_all_recvfrom_unlabeled(httpd_squid_script_t)
++ allow httpd_squid_script_t self:tcp_socket create_socket_perms;
++
+ corenet_all_recvfrom_unlabeled(httpd_squid_script_t)
corenet_all_recvfrom_netlabel(httpd_squid_script_t)
+ corenet_tcp_sendrecv_generic_if(httpd_squid_script_t)
+@@ -209,18 +221,22 @@ optional_policy(`
corenet_tcp_connect_http_cache_port(httpd_squid_script_t)
-+ corenet_tcp_connect_squid_port(httpd_squid_script_t)
+ corenet_tcp_sendrecv_http_cache_port(httpd_squid_script_t)
++ corenet_tcp_connect_squid_port(httpd_squid_script_t)
++
sysnet_dns_name_resolve(httpd_squid_script_t)
- squid_read_config(httpd_squid_script_t)
@@ -65272,15 +74322,18 @@ index c38de7a..413146c 100644
')
optional_policy(`
-@@ -206,3 +221,32 @@ optional_policy(`
+- kerberos_manage_host_rcache(squid_t)
+- kerberos_tmp_filetrans_host_rcache(squid_t, file, "host_0")
++ kerberos_tmp_filetrans_host_rcache(squid_t, "host_0")
++ kerberos_manage_host_rcache(squid_t)
+ ')
+
+ optional_policy(`
+@@ -238,3 +254,24 @@ optional_policy(`
optional_policy(`
udev_read_db(squid_t)
')
+
-+optional_policy(`
-+ kerberos_tmp_filetrans_host_rcache(squid_t, "host_0")
-+')
-+
+########################################
+#
+# squid cron Local policy
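Review bot: `++ kerberos_tmp_filetrans_host_rcache(squid_t, "host_0")` replaces upstream's three-argument call `kerberos_tmp_filetrans_host_rcache(squid_t, file, "host_0")`, dropping the object-class argument, which only builds if the kerberos.if carried by this patch still declares the two-argument form. If that interface has been merged to upstream's signature, m4 will place `"host_0"` in the class slot and the rule is either rejected at compile time or wrong. Keep the call in step with the patch's kerberos.if, and unless the divergent interface is intentional, prefer upstream's explicit `kerberos_tmp_filetrans_host_rcache(squid_t, file, "host_0")` so the next merge has one fewer delta. The squid cron local policy block that starts at the end of this hunk continues past it.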
@@ -65298,75 +74351,94 @@ index c38de7a..413146c 100644
+
+dev_read_urand(squid_cron_t)
+
-+files_read_etc_files(squid_cron_t)
-+files_read_usr_files(squid_cron_t)
-+
-+
+optional_policy(`
+ cron_system_entry(squid_cron_t, squid_cron_exec_t)
+')
diff --git a/sssd.fc b/sssd.fc
-index 4271815..45291bb 100644
+index dbb005a..45291bb 100644
--- a/sssd.fc
+++ b/sssd.fc
-@@ -1,9 +1,15 @@
+@@ -1,15 +1,17 @@
/etc/rc\.d/init\.d/sssd -- gen_context(system_u:object_r:sssd_initrc_exec_t,s0)
+-/etc/sssd(/.*)? gen_context(system_u:object_r:sssd_conf_t,s0)
+/etc/sssd(/.*)? gen_context(system_u:object_r:sssd_conf_t,s0)
-+
- /usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0)
+-/usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0)
++/usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0)
+
+-/var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0)
+/usr/lib/systemd/system/sssd.* -- gen_context(system_u:object_r:sssd_unit_file_t,s0)
-+
- /var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0)
-+/var/lib/sss/mc(/.*)? gen_context(system_u:object_r:sssd_public_t,s0)
+-/var/lib/sss/mc(/.*)? gen_context(system_u:object_r:sssd_public_t,s0)
++/var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0)
+
++/var/lib/sss/mc(/.*)? gen_context(system_u:object_r:sssd_public_t,s0)
+
/var/lib/sss/pubconf(/.*)? gen_context(system_u:object_r:sssd_public_t,s0)
- /var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_log_t,s0)
+-/var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_log_t,s0)
++/var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_log_t,s0)
+
+-/var/run/sssd\.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)
++/var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)
diff --git a/sssd.if b/sssd.if
-index 941380a..54c45f6 100644
+index a240455..54c45f6 100644
--- a/sssd.if
+++ b/sssd.if
-@@ -1,13 +1,31 @@
- ## <summary>System Security Services Daemon</summary>
+@@ -1,21 +1,21 @@
+-## <summary>System Security Services Daemon.</summary>
++## <summary>System Security Services Daemon</summary>
-+#######################################
-+## <summary>
+ #######################################
+ ## <summary>
+-## Get attributes of sssd executable files.
+## Allow a domain to getattr on sssd binary.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+## <summary>
+## Domain allowed to transition.
+## </summary>
-+## </param>
-+#
-+interface(`sssd_getattr_exec',`
+ ## </param>
+ #
+ interface(`sssd_getattr_exec',`
+- gen_require(`
+- type sssd_exec_t;
+- ')
+ gen_require(`
+ type sssd_t, sssd_exec_t;
+ ')
-+
+
+- allow $1 sssd_exec_t:file getattr_file_perms;
+ allow $1 sssd_exec_t:file getattr;
-+')
-+
+ ')
+
+ ########################################
+@@ -33,14 +33,12 @@ interface(`sssd_domtrans',`
+ type sssd_t, sssd_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+ domtrans_pattern($1, sssd_exec_t, sssd_t)
+ ')
+
########################################
## <summary>
- ## Execute a domain transition to run sssd.
+-## Execute sssd init scripts in
+-## the initrc domain.
++## Execute sssd server in the sssd domain.
## </summary>
## <param name="domain">
--## <summary>
-+## <summary>
- ## Domain allowed to transition.
--## </summary>
-+## </summary>
- ## </param>
- #
- interface(`sssd_domtrans',`
-@@ -38,6 +56,106 @@ interface(`sssd_initrc_domtrans',`
+ ## <summary>
+@@ -56,49 +54,90 @@ interface(`sssd_initrc_domtrans',`
+ init_labeled_script_domtrans($1, sssd_initrc_exec_t)
+ ')
- ########################################
- ## <summary>
++########################################
++## <summary>
+## Execute sssd server in the sssd domain.
+## </summary>
+## <param name="domain">
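Review bot: The new sssd.fc entry `/var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)` drops the regex escape that the replaced upstream line `/var/run/sssd\.pid` carried; file-context paths are regular expressions, so the unescaped dot also matches names such as `/var/run/sssdXpid` and lets an unrelated file pick up sssd_var_run_t. Keep the upstream spelling, `/var/run/sssd\.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)`. The svnserve.fc lines in the later stunnel/svnserve hunk (`/etc/rc.d/init.d/svnserve` and `/var/run/svnserve.pid`) have the same unescaped dots while `svnserve\.service` in that same file is escaped, so the fix applies there too.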
@@ -65388,37 +74460,54 @@ index 941380a..54c45f6 100644
+ ps_process_pattern($1, sssd_t)
+')
+
-+#######################################
-+## <summary>
+ #######################################
+ ## <summary>
+-## Read sssd configuration content.
+## Read sssd configuration.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+## <summary>
+## Domain allowed access.
+## </summary>
-+## </param>
-+#
-+interface(`sssd_read_config',`
+ ## </param>
+ #
+ interface(`sssd_read_config',`
+- gen_require(`
+- type sssd_conf_t;
+- ')
+ gen_require(`
+ type sssd_conf_t;
+ ')
-+
+
+- files_search_etc($1)
+- list_dirs_pattern($1, sssd_conf_t, sssd_conf_t)
+- read_files_pattern($1, sssd_conf_t, sssd_conf_t)
+ files_search_etc($1)
+ list_dirs_pattern($1, sssd_conf_t, sssd_conf_t)
+ read_files_pattern($1, sssd_conf_t, sssd_conf_t)
-+')
-+
-+######################################
-+## <summary>
+ ')
+
+ ######################################
+ ## <summary>
+-## Write sssd configuration files.
+## Write sssd configuration.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+## <summary>
+## Domain allowed access.
+## </summary>
-+## </param>
-+#
-+interface(`sssd_write_config',`
+ ## </param>
+ #
+ interface(`sssd_write_config',`
+- gen_require(`
+- type sssd_conf_t;
+- ')
+ gen_require(`
+ type sssd_conf_t;
+ ')
@@ -65441,166 +74530,186 @@ index 941380a..54c45f6 100644
+ gen_require(`
+ type sssd_conf_t;
+ ')
-+
+
+- files_search_etc($1)
+- write_files_pattern($1, sssd_conf_t, sssd_conf_t)
+ files_search_etc($1)
+ create_files_pattern($1, sssd_conf_t, sssd_conf_t)
-+')
-+
-+####################################
-+## <summary>
+ ')
+
+ ####################################
+ ## <summary>
+-## Create, read, write, and delete
+-## sssd configuration files.
+## Manage sssd configuration.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`sssd_manage_config',`
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -107,12 +146,12 @@ interface(`sssd_write_config',`
+ ## </param>
+ #
+ interface(`sssd_manage_config',`
+- gen_require(`
+- type sssd_conf_t;
+- ')
+ gen_require(`
+ type sssd_conf_t;
+ ')
-+
+
+- files_search_etc($1)
+- manage_files_pattern($1, sssd_conf_t, sssd_conf_t)
+ files_search_etc($1)
+ manage_files_pattern($1, sssd_conf_t, sssd_conf_t)
-+')
-+
-+########################################
-+## <summary>
- ## Read sssd public files.
- ## </summary>
- ## <param name="domain">
-@@ -52,9 +170,29 @@ interface(`sssd_read_public_files',`
+ ')
+
+ ########################################
+@@ -131,33 +170,32 @@ interface(`sssd_read_public_files',`
')
sssd_search_lib($1)
+- allow $1 sssd_public_t:dir list_dir_perms;
+ list_dirs_pattern($1, sssd_public_t, sssd_public_t)
read_files_pattern($1, sssd_public_t, sssd_public_t)
')
-+#######################################
-+## <summary>
+ #######################################
+ ## <summary>
+-## Create, read, write, and delete
+-## sssd public files.
+## Manage sssd public files.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+## <summary>
+## Domain allowed access.
+## </summary>
-+## </param>
-+#
-+interface(`sssd_manage_public_files',`
+ ## </param>
+ #
+ interface(`sssd_manage_public_files',`
+- gen_require(`
+- type sssd_public_t;
+- ')
+ gen_require(`
+ type sssd_public_t;
+ ')
-+
+
+- sssd_search_lib($1)
+- manage_files_pattern($1, sssd_public_t, sssd_public_t)
+ sssd_search_lib($1)
+ manage_files_pattern($1, sssd_public_t, sssd_public_t)
-+')
-+
- ########################################
- ## <summary>
- ## Read sssd PID files.
-@@ -89,6 +227,7 @@ interface(`sssd_manage_pids',`
- type sssd_var_run_t;
- ')
-
-+ files_search_pids($1)
- manage_dirs_pattern($1, sssd_var_run_t, sssd_var_run_t)
- manage_files_pattern($1, sssd_var_run_t, sssd_var_run_t)
- ')
-@@ -128,7 +267,6 @@ interface(`sssd_dontaudit_search_lib',`
- ')
-
- dontaudit $1 sssd_var_lib_t:dir search_dir_perms;
-- files_search_var_lib($1)
')
########################################
-@@ -148,6 +286,7 @@ interface(`sssd_read_lib_files',`
-
- files_search_var_lib($1)
- read_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
-+ read_lnk_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
- ')
+ ## <summary>
+-## Read sssd pid files.
++## Read sssd PID files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -176,8 +214,7 @@ interface(`sssd_read_pid_files',`
########################################
-@@ -168,6 +307,7 @@ interface(`sssd_manage_lib_files',`
-
- files_search_var_lib($1)
- manage_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
-+ manage_lnk_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
- ')
+ ## <summary>
+-## Create, read, write, and delete
+-## sssd pid content.
++## Manage sssd var_run files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -216,8 +253,7 @@ interface(`sssd_search_lib',`
########################################
-@@ -193,7 +333,7 @@ interface(`sssd_dbus_chat',`
+ ## <summary>
+-## Do not audit attempts to search
+-## sssd lib directories.
++## Do not audit attempts to search sssd lib directories.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -297,8 +333,7 @@ interface(`sssd_dbus_chat',`
########################################
## <summary>
--## Connect to sssd over an unix stream socket.
+-## Connect to sssd with a unix
+-## domain stream socket.
+## Connect to sssd over a unix stream socket.
## </summary>
## <param name="domain">
## <summary>
-@@ -225,21 +365,19 @@ interface(`sssd_stream_connect',`
- ## The role to be allowed to manage the sssd domain.
+@@ -317,8 +352,8 @@ interface(`sssd_stream_connect',`
+
+ ########################################
+ ## <summary>
+-## All of the rules required to
+-## administrate an sssd environment.
++## All of the rules required to administrate
++## an sssd environment
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -327,7 +362,7 @@ interface(`sssd_stream_connect',`
+ ## </param>
+ ## <param name="role">
+ ## <summary>
+-## Role allowed access.
++## The role to be allowed to manage the sssd domain.
## </summary>
## </param>
--## <param name="terminal">
--## <summary>
--## The type of the user terminal.
--## </summary>
--## </param>
## <rolecap/>
- #
+@@ -335,27 +370,29 @@ interface(`sssd_stream_connect',`
interface(`sssd_admin',`
gen_require(`
-- type sssd_t, sssd_public_t;
-- type sssd_initrc_exec_t;
-+ type sssd_t, sssd_public_t, sssd_initrc_exec_t;
+ type sssd_t, sssd_public_t, sssd_initrc_exec_t;
+- type sssd_var_lib_t, sssd_var_run_t, sssd_conf_t;
+- type sssd_log_t;
+ type sssd_unit_file_t;
')
-- allow $1 sssd_t:process { ptrace signal_perms getattr };
-- read_files_pattern($1, sssd_t, sssd_t)
+- allow $1 sssd_t:process { ptrace signal_perms };
+ allow $1 sssd_t:process signal_perms;
-+ ps_process_pattern($1, sssd_t)
+ ps_process_pattern($1, sssd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 sssd_t:process ptrace;
+ ')
- # Allow sssd_t to restart the apache service
++ # Allow sssd_t to restart the apache service
sssd_initrc_domtrans($1)
-@@ -252,4 +390,9 @@ interface(`sssd_admin',`
- sssd_manage_lib_files($1)
+ domain_system_change_exemption($1)
+ role_transition $2 sssd_initrc_exec_t system_r;
+ allow $2 system_r;
- admin_pattern($1, sssd_public_t)
+- files_search_etc($1)
+- admin_pattern($1, sssd_conf_t)
++ sssd_manage_pids($1)
+
+- files_search_var_lib($1)
+- admin_pattern($1, { sssd_var_lib_t sssd_public_t })
++ sssd_manage_lib_files($1)
+
+- files_search_pids($1)
+- admin_pattern($1, sssd_var_run_t)
++ admin_pattern($1, sssd_public_t)
+
+ sssd_systemctl($1)
+ admin_pattern($1, sssd_unit_file_t)
+ allow $1 sssd_unit_file_t:service all_service_perms;
-+
+
+- logging_search_logs($1)
+- admin_pattern($1, sssd_log_t)
')
diff --git a/sssd.te b/sssd.te
-index a1b61bc..4253541 100644
+index 8b537aa..4253541 100644
--- a/sssd.te
+++ b/sssd.te
-@@ -12,11 +12,15 @@ init_daemon_domain(sssd_t, sssd_exec_t)
- type sssd_initrc_exec_t;
- init_script_file(sssd_initrc_exec_t)
-
-+type sssd_conf_t;
-+files_config_file(sssd_conf_t)
-+
- type sssd_public_t;
- files_pid_file(sssd_public_t)
-
- type sssd_var_lib_t;
- files_type(sssd_var_lib_t)
-+mls_trusted_object(sssd_var_lib_t)
+@@ -1,4 +1,4 @@
+-policy_module(sssd, 1.1.4)
++policy_module(sssd, 1.1.0)
- type sssd_var_log_t;
- logging_log_file(sssd_var_log_t)
-@@ -24,22 +28,31 @@ logging_log_file(sssd_var_log_t)
+ ########################################
+ #
+@@ -28,9 +28,12 @@ logging_log_file(sssd_var_log_t)
type sssd_var_run_t;
files_pid_file(sssd_var_run_t)
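Review bot: sssd_admin on the new side no longer grants anything over sssd_conf_t or the log type: the `files_search_etc($1)`/`admin_pattern($1, sssd_conf_t)` and `logging_search_logs($1)`/`admin_pattern($1, sssd_log_t)` lines are removed and only `sssd_manage_pids($1)`, `sssd_manage_lib_files($1)` and `admin_pattern($1, sssd_public_t)` remain, so a role given sssd_admin cannot edit /etc/sssd or handle the logs. If the removal was only to get rid of the upstream `sssd_log_t` name (sssd.te declares `sssd_var_log_t`), the equivalent is `sssd_manage_config($1)` plus `logging_search_logs($1)` and `admin_pattern($1, sssd_var_log_t)`, with `sssd_var_log_t` added to the gen_require. If dropping configuration administration is intentional, the summary "All of the rules required to administrate an sssd environment" should say what is excluded.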
@@ -65609,97 +74718,87 @@ index a1b61bc..4253541 100644
+
########################################
#
- # sssd local policy
+-# Local policy
++# sssd local policy
#
--allow sssd_t self:capability { dac_read_search dac_override kill sys_nice setgid setuid };
--allow sssd_t self:process { setfscreate setsched sigkill signal getsched };
--allow sssd_t self:fifo_file rw_file_perms;
-+
-+allow sssd_t self:capability { chown dac_read_search dac_override kill net_admin sys_nice setgid setuid sys_admin sys_resource };
-+allow sssd_t self:capability2 block_suspend;
-+allow sssd_t self:process { setfscreate setsched sigkill signal getsched setrlimit };
-+allow sssd_t self:fifo_file rw_fifo_file_perms;
-+allow sssd_t self:key manage_key_perms;
- allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto };
-+read_files_pattern(sssd_t, sssd_conf_t, sssd_conf_t)
-+
- manage_dirs_pattern(sssd_t, sssd_public_t, sssd_public_t)
- manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t)
+ allow sssd_t self:capability { chown dac_read_search dac_override kill net_admin sys_nice setgid setuid sys_admin sys_resource };
+@@ -38,7 +41,7 @@ allow sssd_t self:capability2 block_suspend;
+ allow sssd_t self:process { setfscreate setsched sigkill signal getsched setrlimit };
+ allow sssd_t self:fifo_file rw_fifo_file_perms;
+ allow sssd_t self:key manage_key_perms;
+-allow sssd_t self:unix_stream_socket { accept connectto listen };
++allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+ read_files_pattern(sssd_t, sssd_conf_t, sssd_conf_t)
- manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
- manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
-+manage_lnk_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
+@@ -51,9 +54,7 @@ manage_lnk_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
--files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir } )
-+files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir })
+ files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir })
- manage_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t)
+-append_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t)
+-create_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t)
+-setattr_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t)
++manage_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t)
logging_log_filetrans(sssd_t, sssd_var_log_t, file)
-@@ -48,37 +61,57 @@ manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
- manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
- files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
-+kernel_read_network_state(sssd_t)
+ manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
+@@ -63,16 +64,9 @@ files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
+ kernel_read_network_state(sssd_t)
kernel_read_system_state(sssd_t)
-+corenet_udp_bind_generic_port(sssd_t)
-+corenet_dontaudit_udp_bind_all_ports(sssd_t)
+-corenet_all_recvfrom_unlabeled(sssd_t)
+-corenet_all_recvfrom_netlabel(sssd_t)
+-corenet_udp_sendrecv_generic_if(sssd_t)
+-corenet_udp_sendrecv_generic_node(sssd_t)
+-corenet_udp_sendrecv_all_ports(sssd_t)
+-corenet_udp_bind_generic_node(sssd_t)
+-
+-corenet_sendrecv_generic_server_packets(sssd_t)
+ corenet_udp_bind_generic_port(sssd_t)
+ corenet_dontaudit_udp_bind_all_ports(sssd_t)
+corenet_tcp_connect_kerberos_password_port(sssd_t)
-+
- corecmd_exec_bin(sssd_t)
-
- dev_read_urand(sssd_t)
-+dev_read_sysfs(sssd_t)
-
- domain_read_all_domains_state(sssd_t)
- domain_obj_id_change_exemption(sssd_t)
-
- files_list_tmp(sssd_t)
- files_read_etc_files(sssd_t)
-+files_read_etc_runtime_files(sssd_t)
- files_read_usr_files(sssd_t)
-+files_list_var_lib(sssd_t)
- fs_list_inotifyfs(sssd_t)
+ corecmd_exec_bin(sssd_t)
- selinux_validate_context(sssd_t)
+@@ -94,14 +88,15 @@ selinux_validate_context(sssd_t)
seutil_read_file_contexts(sssd_t)
-+# sssd wants to write /etc/selinux/<policy>/logins/ for SELinux PAM module
+ # sssd wants to write /etc/selinux/<policy>/logins/ for SELinux PAM module
+-# seutil_rw_login_config_dirs(sssd_t)
+-# seutil_manage_login_config_files(sssd_t)
+seutil_rw_login_config_dirs(sssd_t)
+seutil_manage_login_config_files(sssd_t)
mls_file_read_to_clearance(sssd_t)
-+mls_socket_read_to_clearance(sssd_t)
-+mls_socket_write_to_clearance(sssd_t)
-+mls_trusted_object(sssd_t)
+ mls_socket_read_to_clearance(sssd_t)
+ mls_socket_write_to_clearance(sssd_t)
+ mls_trusted_object(sssd_t)
--auth_use_nsswitch(sssd_t)
+# auth_use_nsswitch(sssd_t)
auth_domtrans_chk_passwd(sssd_t)
auth_domtrans_upd_passwd(sssd_t)
-+auth_manage_cache(sssd_t)
-
- init_read_utmp(sssd_t)
-
- logging_send_syslog_msg(sssd_t)
+ auth_manage_cache(sssd_t)
+@@ -112,18 +107,30 @@ logging_send_syslog_msg(sssd_t)
logging_send_audit_msgs(sssd_t)
+ miscfiles_read_generic_certs(sssd_t)
-miscfiles_read_localization(sssd_t)
-+miscfiles_read_generic_certs(sssd_t)
-+
-+sysnet_dns_name_resolve(sssd_t)
-+sysnet_use_ldap(sssd_t)
-+
-+userdom_manage_tmp_role(system_r, sssd_t)
+ sysnet_dns_name_resolve(sssd_t)
+ sysnet_use_ldap(sssd_t)
+
++userdom_manage_tmp_role(system_r, sssd_t)
++
optional_policy(`
dbus_system_bus_client(sssd_t)
-@@ -87,8 +120,17 @@ optional_policy(`
+ dbus_connect_system_bus(sssd_t)
+ ')
optional_policy(`
+- kerberos_read_config(sssd_t)
kerberos_manage_host_rcache(sssd_t)
+- kerberos_tmp_filetrans_host_rcache(sssd_t, file, "host_0")
+ kerberos_tmp_filetrans_host_rcache(sssd_t, "host_0")
+ kerberos_read_home_content(sssd_t)
+')
@@ -65707,10 +74806,10 @@ index a1b61bc..4253541 100644
+optional_policy(`
+ dirsrv_stream_connect(sssd_t)
')
-
- optional_policy(`
- ldap_stream_connect(sssd_t)
- ')
++
++optional_policy(`
++ ldap_stream_connect(sssd_t)
++')
+
+userdom_home_reader(sssd_t)
+
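Review bot: `manage_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t)` replaces upstream's `append_files_pattern`/`create_files_pattern`/`setattr_files_pattern` on the log type, which gives the daemon write, unlink and rename on its own logs instead of append-only; the narrower upstream set is what keeps a misbehaving or compromised sssd_t from truncating or deleting its own trail. Unless sssd rotates its own log files (the hunk does not show why the change was needed), keep the three upstream lines, or add only the specific extra permission with a comment stating the reason. The uncommented `seutil_rw_login_config_dirs(sssd_t)` and `seutil_manage_login_config_files(sssd_t)` are at least explained by the comment above them; a similar one-line comment would help on the log rule.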
@@ -65991,73 +75090,59 @@ index 0000000..b87c79c
+')
+
diff --git a/stunnel.te b/stunnel.te
-index f646c66..a399168 100644
+index 9992e62..47f1802 100644
--- a/stunnel.te
+++ b/stunnel.te
-@@ -40,7 +40,7 @@ allow stunnel_t self:udp_socket create_socket_perms;
-
- allow stunnel_t stunnel_etc_t:dir list_dir_perms;
- allow stunnel_t stunnel_etc_t:file read_file_perms;
--allow stunnel_t stunnel_etc_t:lnk_file { getattr read };
-+allow stunnel_t stunnel_etc_t:lnk_file read_lnk_file_perms;
-
- manage_dirs_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t)
- manage_files_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t)
-@@ -56,7 +56,6 @@ kernel_read_network_state(stunnel_t)
+@@ -48,7 +48,6 @@ kernel_read_network_state(stunnel_t)
corecmd_exec_bin(stunnel_t)
-corenet_all_recvfrom_unlabeled(stunnel_t)
corenet_all_recvfrom_netlabel(stunnel_t)
corenet_tcp_sendrecv_generic_if(stunnel_t)
- corenet_udp_sendrecv_generic_if(stunnel_t)
-@@ -73,8 +72,6 @@ auth_use_nsswitch(stunnel_t)
-
+ corenet_tcp_sendrecv_generic_node(stunnel_t)
+@@ -75,7 +74,6 @@ auth_use_nsswitch(stunnel_t)
logging_send_syslog_msg(stunnel_t)
+ miscfiles_read_generic_certs(stunnel_t)
-miscfiles_read_localization(stunnel_t)
--
- sysnet_read_config(stunnel_t)
- ifdef(`distro_gentoo', `
-@@ -106,7 +103,6 @@ ifdef(`distro_gentoo', `
-
- dev_read_urand(stunnel_t)
-
-- files_read_etc_files(stunnel_t)
- files_read_etc_runtime_files(stunnel_t)
- files_search_home(stunnel_t)
-
-@@ -120,4 +116,5 @@ ifdef(`distro_gentoo', `
+ userdom_dontaudit_use_unpriv_user_fds(stunnel_t)
+ userdom_dontaudit_search_user_home_dirs(stunnel_t)
+@@ -105,4 +103,5 @@ optional_policy(`
gen_require(`
type stunnel_port_t;
')
+
allow stunnel_t stunnel_port_t:tcp_socket name_bind;
diff --git a/svnserve.fc b/svnserve.fc
-new file mode 100644
-index 0000000..5ab0840
---- /dev/null
+index effffd0..5ab0840 100644
+--- a/svnserve.fc
+++ b/svnserve.fc
-@@ -0,0 +1,12 @@
+@@ -1,8 +1,12 @@
+-/etc/rc\.d/init\.d/svnserve -- gen_context(system_u:object_r:svnserve_initrc_exec_t,s0)
+/etc/rc.d/init.d/svnserve -- gen_context(system_u:object_r:svnserve_initrc_exec_t,s0)
-+
+
+-/usr/bin/svnserve -- gen_context(system_u:object_r:svnserve_exec_t,s0)
+/usr/bin/svnserve -- gen_context(system_u:object_r:svnserve_exec_t,s0)
-+
+
+-/var/lib/subversion/repo(/.*)? gen_context(system_u:object_r:svnserve_content_t,s0)
+/lib/systemd/system/svnserve\.service -- gen_context(system_u:object_r:svnserve_unit_file_t,s0)
+/usr/lib/systemd/system/svnserve\.service -- gen_context(system_u:object_r:svnserve_unit_file_t,s0)
-+
+
+-/var/run/svnserve(/.*)? gen_context(system_u:object_r:svnserve_var_run_t,s0)
+-/var/run/svnserve\.pid -- gen_context(system_u:object_r:svnserve_var_run_t,s0)
+/var/run/svnserve(/.*)? gen_context(system_u:object_r:svnserve_var_run_t,s0)
+/var/run/svnserve.pid -- gen_context(system_u:object_r:svnserve_var_run_t,s0)
+
+/var/subversion/repo(/.*)? gen_context(system_u:object_r:svnserve_content_t,s0)
+/var/lib/subversion/repo(/.*)? gen_context(system_u:object_r:svnserve_content_t,s0)
diff --git a/svnserve.if b/svnserve.if
-new file mode 100644
-index 0000000..dd2ac36
---- /dev/null
+index 2ac91b6..dd2ac36 100644
+--- a/svnserve.if
+++ b/svnserve.if
-@@ -0,0 +1,118 @@
+@@ -1,35 +1,118 @@
+-## <summary>Server for the svn repository access method.</summary>
+
+## <summary>policy for svnserve</summary>
+
@@ -66122,16 +75207,19 @@ index 0000000..dd2ac36
+
+ ps_process_pattern($1, svnserve_t)
+')
-+
-+########################################
-+## <summary>
+
+ ########################################
+ ## <summary>
+-## All of the rules required to
+-## administrate an svnserve environment.
+## Read svnserve PID files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <param name="role">
+#
+interface(`svnserve_read_pid_files',`
+ gen_require(`
@@ -66149,22 +75237,31 @@ index 0000000..dd2ac36
+## an svnserve environment
+## </summary>
+## <param name="domain">
-+## <summary>
+ ## <summary>
+-## Role allowed access.
+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`svnserve_admin',`
-+ gen_require(`
+ ## </summary>
+ ## </param>
+-## <rolecap/>
+ #
+ interface(`svnserve_admin',`
+ gen_require(`
+- type svnserve_t, svnserve_initrc_exec_t, svnserve_var_run_t;
+ type svnserve_t;
+ type svnserve_var_run_t;
+ type svnserve_unit_file_t;
-+ ')
-+
-+ allow $1 svnserve_t:process { ptrace signal_perms };
-+ ps_process_pattern($1, svnserve_t)
-+
-+ files_search_pids($1)
+ ')
+
+ allow $1 svnserve_t:process { ptrace signal_perms };
+ ps_process_pattern($1, svnserve_t)
+
+- init_labeled_script_domtrans($1, svnserve_initrc_exec_t)
+- domain_system_change_exemption($1)
+- role_transition $2 svnserve_initrc_exec_t system_r;
+- allow $2 system_r;
+-
+ files_search_pids($1)
+- admin_pattern($1, httpd_var_run_t)
+ admin_pattern($1, svnserve_var_run_t)
+
+ svnserve_systemctl($1)
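Review bot: `allow $1 svnserve_t:process { ptrace signal_perms };` in svnserve_admin grants ptrace unconditionally, while sssd_admin in this same commit splits it into `allow $1 sssd_t:process signal_perms;` and gates ptrace behind `tunable_policy(`deny_ptrace',`',` ... ')`. svnserve_admin should follow the same shape so the deny_ptrace boolean is honoured by every admin interface the patch ships: `allow $1 svnserve_t:process signal_perms;` followed by the same tunable_policy block granting `allow $1 svnserve_t:process ptrace;` only when deny_ptrace is off. The gen_require of the interface is inside this hunk, but the interface's summary block starts in the previous hunk.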
@@ -66174,69 +75271,41 @@ index 0000000..dd2ac36
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
-+')
+ ')
+
diff --git a/svnserve.te b/svnserve.te
-new file mode 100644
-index 0000000..ba40a17
---- /dev/null
+index c6aaac7..dc3f167 100644
+--- a/svnserve.te
+++ b/svnserve.te
-@@ -0,0 +1,53 @@
-+policy_module(svnserve, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type svnserve_t;
-+type svnserve_exec_t;
-+init_daemon_domain(svnserve_t, svnserve_exec_t)
-+
-+type svnserve_initrc_exec_t;
-+init_script_file(svnserve_initrc_exec_t)
-+
-+type svnserve_var_run_t;
-+files_pid_file(svnserve_var_run_t)
-+
-+type svnserve_content_t;
-+files_type(svnserve_content_t)
-+
+@@ -12,6 +12,9 @@ init_daemon_domain(svnserve_t, svnserve_exec_t)
+ type svnserve_initrc_exec_t;
+ init_script_file(svnserve_initrc_exec_t)
+
+type svnserve_unit_file_t;
+systemd_unit_file(svnserve_unit_file_t)
+
-+########################################
-+#
-+# svnserve local policy
-+#
-+
-+allow svnserve_t self:fifo_file rw_fifo_file_perms;
-+allow svnserve_t self:tcp_socket create_stream_socket_perms;
-+allow svnserve_t self:unix_stream_socket create_stream_socket_perms;
-+
-+manage_dirs_pattern(svnserve_t, svnserve_content_t, svnserve_content_t)
-+manage_files_pattern(svnserve_t, svnserve_content_t, svnserve_content_t)
-+
-+manage_dirs_pattern(svnserve_t, svnserve_var_run_t, svnserve_var_run_t)
-+manage_files_pattern(svnserve_t, svnserve_var_run_t, svnserve_var_run_t)
-+files_pid_filetrans(svnserve_t, svnserve_var_run_t, { dir file })
-+
-+corenet_udp_bind_generic_node(svnserve_t)
-+#corenet_tcp_connect_svn_port(svnserve_t)
-+#corenet_tcp_bind_svn_port(svnserve_t)
-+#corenet_udp_bind_svn_port(svnserve_t)
-+
-+domain_use_interactive_fds(svnserve_t)
-+
-+files_read_etc_files(svnserve_t)
-+files_read_usr_files(svnserve_t)
-+
-+logging_send_syslog_msg(svnserve_t)
-+
-+sysnet_dns_name_resolve(svnserve_t)
-+
+ type svnserve_content_t;
+ files_type(svnserve_content_t)
+
+@@ -34,9 +37,6 @@ manage_dirs_pattern(svnserve_t, svnserve_var_run_t, svnserve_var_run_t)
+ manage_files_pattern(svnserve_t, svnserve_var_run_t, svnserve_var_run_t)
+ files_pid_filetrans(svnserve_t, svnserve_var_run_t, { dir file })
+
+-files_read_etc_files(svnserve_t)
+-files_read_usr_files(svnserve_t)
+-
+ corenet_all_recvfrom_unlabeled(svnserve_t)
+ corenet_all_recvfrom_netlabel(svnserve_t)
+ corenet_tcp_sendrecv_generic_if(svnserve_t)
+@@ -54,6 +54,4 @@ corenet_udp_sendrecv_svn_port(svnserve_t)
+
+ logging_send_syslog_msg(svnserve_t)
+
+-miscfiles_read_localization(svnserve_t)
+-
+ sysnet_dns_name_resolve(svnserve_t)
diff --git a/sxid.te b/sxid.te
-index 8296303..50eddef 100644
+index c9824cb..1973f71 100644
--- a/sxid.te
+++ b/sxid.te
@@ -40,7 +40,6 @@ kernel_read_kernel_sysctls(sxid_t)
@@ -66256,96 +75325,232 @@ index 8296303..50eddef 100644
auth_dontaudit_getattr_shadow(sxid_t)
init_use_fds(sxid_t)
-@@ -74,15 +73,17 @@ init_use_script_ptys(sxid_t)
+@@ -74,8 +73,6 @@ init_use_script_ptys(sxid_t)
logging_send_syslog_msg(sxid_t)
-miscfiles_read_localization(sxid_t)
-
--mount_exec(sxid_t)
--
sysnet_read_config(sxid_t)
userdom_dontaudit_use_unpriv_user_fds(sxid_t)
-
--cron_system_entry(sxid_t, sxid_exec_t)
-+optional_policy(`
-+ cron_system_entry(sxid_t, sxid_exec_t)
-+')
-+
-+optional_policy(`
-+ mount_exec(sxid_t)
-+')
-
- optional_policy(`
- mta_send_mail(sxid_t)
-diff --git a/sysstat.fc b/sysstat.fc
-index 5d0e77b..5a92938 100644
---- a/sysstat.fc
-+++ b/sysstat.fc
-@@ -6,3 +6,4 @@
- /var/log/atsar(/.*)? gen_context(system_u:object_r:sysstat_log_t,s0)
- /var/log/sa(/.*)? gen_context(system_u:object_r:sysstat_log_t,s0)
- /var/log/sysstat(/.*)? gen_context(system_u:object_r:sysstat_log_t,s0)
-+/opt/sartest(/.*)? gen_context(system_u:object_r:sysstat_log_t,s0)
diff --git a/sysstat.te b/sysstat.te
-index 0ecd8a7..b532568 100644
+index c8b80b2..33023d7 100644
--- a/sysstat.te
+++ b/sysstat.te
-@@ -18,8 +18,7 @@ logging_log_file(sysstat_log_t)
- # Local policy
- #
-
--allow sysstat_t self:capability { dac_override sys_resource sys_tty_config };
--dontaudit sysstat_t self:capability sys_admin;
-+allow sysstat_t self:capability { dac_override sys_admin sys_resource sys_tty_config };
- allow sysstat_t self:fifo_file rw_fifo_file_perms;
-
- can_exec(sysstat_t, sysstat_exec_t)
-@@ -36,6 +35,7 @@ kernel_read_kernel_sysctls(sysstat_t)
+@@ -38,6 +38,7 @@ kernel_read_kernel_sysctls(sysstat_t)
kernel_read_fs_sysctls(sysstat_t)
kernel_read_rpc_sysctls(sysstat_t)
+corecmd_exec_shell(sysstat_t)
corecmd_exec_bin(sysstat_t)
- dev_read_urand(sysstat_t)
-@@ -45,19 +45,20 @@ files_search_var(sysstat_t)
- # for mtab
- files_read_etc_runtime_files(sysstat_t)
- #for fstab
--files_read_etc_files(sysstat_t)
-
- fs_getattr_xattr_fs(sysstat_t)
+ dev_read_sysfs(sysstat_t)
+@@ -50,7 +51,7 @@ fs_getattr_xattr_fs(sysstat_t)
fs_list_inotifyfs(sysstat_t)
term_use_console(sysstat_t)
-term_use_all_terms(sysstat_t)
+term_use_all_inherited_terms(sysstat_t)
- init_use_fds(sysstat_t)
+ auth_use_nsswitch(sysstat_t)
+
+@@ -58,12 +59,13 @@ init_use_fds(sysstat_t)
locallogin_use_fds(sysstat_t)
--miscfiles_read_localization(sysstat_t)
+-logging_send_syslog_msg(sysstat_t)
+auth_use_nsswitch(sysstat_t)
-+
+
+-miscfiles_read_localization(sysstat_t)
+logging_send_syslog_msg(sysstat_t)
userdom_dontaudit_list_user_home_dirs(sysstat_t)
-@@ -65,6 +66,3 @@ optional_policy(`
+ optional_policy(`
cron_system_entry(sysstat_t, sysstat_exec_t)
')
-
++
+diff --git a/systemtap.fc b/systemtap.fc
+deleted file mode 100644
+index 1710cbb..0000000
+--- a/systemtap.fc
++++ /dev/null
+@@ -1,11 +0,0 @@
+-/etc/stap-server(/.*)? -- gen_context(system_u:object_r:stapserver_conf_t,s0)
+-
+-/etc/rc\.d/init\.d/stap-server -- gen_context(system_u:object_r:stapserver_initrc_exec_t,s0)
+-
+-/usr/bin/stap-server -- gen_context(system_u:object_r:stapserver_exec_t,s0)
+-
+-/var/lib/stap-server(/.*)? gen_context(system_u:object_r:stapserver_var_lib_t,s0)
+-
+-/var/log/stap-server(/.*)? gen_context(system_u:object_r:stapserver_log_t,s0)
+-
+-/var/run/stap-server(/.*)? gen_context(system_u:object_r:stapserver_var_run_t,s0)
+diff --git a/systemtap.if b/systemtap.if
+deleted file mode 100644
+index c755e2d..0000000
+--- a/systemtap.if
++++ /dev/null
+@@ -1,45 +0,0 @@
+-## <summary>instrumentation system for Linux.</summary>
+-
+-########################################
+-## <summary>
+-## All of the rules required to
+-## administrate an stapserver environment.
+-## </summary>
+-## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+-## </param>
+-## <param name="role">
+-## <summary>
+-## Role allowed access.
+-## </summary>
+-## </param>
+-## <rolecap/>
+-#
+-interface(`stapserver_admin',`
+- gen_require(`
+- type stapserver_t, stapserver_conf_t, stapserver_log_t;
+- type stap_server_var_run_t, stapserver_initrc_exec_t, stapserver_var_lib_t;
+- ')
+-
+- allow $1 stapserver_t:process { ptrace signal_perms };
+- ps_process_pattern($1, stapserver_t)
+-
+- init_labeled_script_domtrans($1, stapserver_initrc_exec_t)
+- domain_system_change_exemption($1)
+- role_transition $2 stapserver_initrc_exec_t system_r;
+- allow $2 system_r;
+-
+- files_search_etc($1)
+- admin_pattern($1, stapserver_conf_t)
+-
+- files_search_var_lib($1)
+- admin_pattern($1, stapserver_var_lib_t)
+-
+- logging_search_logs($1)
+- admin_pattern($1, stapserver_log_t)
+-
+- files_search_pids($1)
+- admin_pattern($1, stapserver_var_run_t)
+-')
+diff --git a/systemtap.te b/systemtap.te
+deleted file mode 100644
+index 6c06a84..0000000
+--- a/systemtap.te
++++ /dev/null
+@@ -1,101 +0,0 @@
+-policy_module(systemtap, 1.0.2)
+-
+-########################################
+-#
+-# Declarations
+-#
+-
+-type stapserver_t;
+-type stapserver_exec_t;
+-init_daemon_domain(stapserver_t, stapserver_exec_t)
+-
+-type stapserver_initrc_exec_t;
+-init_script_file(stapserver_initrc_exec_t)
+-
+-type stapserver_conf_t;
+-files_config_file(stapserver_conf_t)
+-
+-type stapserver_var_lib_t;
+-files_type(stapserver_var_lib_t)
+-
+-type stapserver_log_t;
+-logging_log_file(stapserver_log_t)
+-
+-type stapserver_var_run_t;
+-files_pid_file(stapserver_var_run_t)
+-
+-########################################
+-#
+-# Local policy
+-#
+-
+-allow stapserver_t self:capability { dac_override kill setuid setgid };
+-allow stapserver_t self:process { setrlimit setsched signal };
+-allow stapserver_t self:fifo_file rw_fifo_file_perms;
+-allow stapserver_t self:key write;
+-allow stapserver_t self:unix_stream_socket { accept listen };
+-allow stapserver_t self:tcp_socket create_stream_socket_perms;
+-
+-allow stapserver_t stapserver_conf_t:file read_file_perms;
+-
+-manage_dirs_pattern(stapserver_t, stapserver_var_lib_t, stapserver_var_lib_t)
+-manage_files_pattern(stapserver_t, stapserver_var_lib_t, stapserver_var_lib_t)
+-files_var_lib_filetrans(stapserver_t, stapserver_var_lib_t, dir)
+-
+-manage_dirs_pattern(stapserver_t, stapserver_log_t, stapserver_log_t)
+-append_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t)
+-create_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t)
+-setattr_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t)
+-logging_log_filetrans(stapserver_t, stapserver_log_t, dir )
+-
+-manage_dirs_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t)
+-manage_files_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t)
+-files_pid_filetrans(stapserver_t, stapserver_var_run_t, dir )
+-
+-kernel_read_kernel_sysctls(stapserver_t)
+-kernel_read_system_state(stapserver_t)
+-
+-corecmd_exec_bin(stapserver_t)
+-corecmd_exec_shell(stapserver_t)
+-
+-domain_read_all_domains_state(stapserver_t)
+-
+-dev_read_rand(stapserver_t)
+-dev_read_sysfs(stapserver_t)
+-dev_read_urand(stapserver_t)
+-
+-files_list_tmp(stapserver_t)
+-files_read_usr_files(stapserver_t)
+-files_search_kernel_modules(stapserver_t)
+-
+-auth_use_nsswitch(stapserver_t)
+-
+-init_read_utmp(stapserver_t)
+-
+-logging_send_audit_msgs(stapserver_t)
+-logging_send_syslog_msg(stapserver_t)
+-
+-miscfiles_read_localization(stapserver_t)
+-miscfiles_read_hwdata(stapserver_t)
+-
+-userdom_use_user_terminals(stapserver_t)
+-
+-optional_policy(`
+- consoletype_exec(stapserver_t)
+-')
+-
+-optional_policy(`
+- dbus_system_bus_client(stapserver_t)
+-')
+-
+-optional_policy(`
+- hostname_exec(stapserver_t)
+-')
+-
+-optional_policy(`
+- plymouthd_exec_plymouth(stapserver_t)
+-')
+-
-optional_policy(`
-- logging_send_syslog_msg(sysstat_t)
+- rpm_exec(stapserver_t)
-')
diff --git a/tcpd.te b/tcpd.te
-index 7038b55..8961067 100644
+index f388db3..92d5fe0 100644
--- a/tcpd.te
+++ b/tcpd.te
-@@ -22,7 +22,6 @@ manage_dirs_pattern(tcpd_t, tcpd_tmp_t, tcpd_tmp_t)
+@@ -23,7 +23,6 @@ manage_dirs_pattern(tcpd_t, tcpd_tmp_t, tcpd_tmp_t)
manage_files_pattern(tcpd_t, tcpd_tmp_t, tcpd_tmp_t)
files_tmp_filetrans(tcpd_t, tcpd_tmp_t, { file dir })
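Review bot: sysstat.te on the new side ends up with `auth_use_nsswitch(sysstat_t)` twice: once as upstream context after `term_use_all_inherited_terms(sysstat_t)` in the `@@ -50,7 +51,7 @@` hunk, and once added after `locallogin_use_fds(sysstat_t)` in the `@@ -58,12 +59,13 @@` hunk. The duplicate compiles, since repeated rules are merged, but it reads as a leftover from the pre-merge version of the patch; drop the added `+auth_use_nsswitch(sysstat_t)` line and the blank that follows it. The same outer hunk also adds the deletion of systemtap.fc/.if/.te to the contrib patch, which is more than a rebase; whether the module list is adjusted to match is not visible here, so that is worth confirming.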
@@ -66353,7 +75558,7 @@ index 7038b55..8961067 100644
corenet_all_recvfrom_netlabel(tcpd_t)
corenet_tcp_sendrecv_generic_if(tcpd_t)
corenet_tcp_sendrecv_generic_node(tcpd_t)
-@@ -39,8 +38,6 @@ files_dontaudit_search_var(tcpd_t)
+@@ -38,8 +37,6 @@ files_dontaudit_search_var(tcpd_t)
logging_send_syslog_msg(tcpd_t)
@@ -66363,11 +75568,11 @@ index 7038b55..8961067 100644
inetd_domtrans_child(tcpd_t)
diff --git a/tcsd.if b/tcsd.if
-index 595f5a7..4e518cf 100644
+index b42ec1d..91b8f71 100644
--- a/tcsd.if
+++ b/tcsd.if
-@@ -137,8 +137,11 @@ interface(`tcsd_admin',`
- type tcsd_var_lib_t;
+@@ -138,8 +138,11 @@ interface(`tcsd_admin',`
+ type tcsd_t, tcsd_initrc_exec_t, tcsd_var_lib_t;
')
- allow $1 tcsd_t:process { ptrace signal_perms };
@@ -66380,61 +75585,102 @@ index 595f5a7..4e518cf 100644
tcsd_initrc_domtrans($1)
domain_system_change_exemption($1)
diff --git a/tcsd.te b/tcsd.te
-index ee9f3c6..ac97168 100644
+index ac8213a..20fa71f 100644
--- a/tcsd.te
+++ b/tcsd.te
-@@ -30,7 +30,6 @@ manage_files_pattern(tcsd_t, tcsd_var_lib_t, tcsd_var_lib_t)
- files_var_lib_filetrans(tcsd_t, tcsd_var_lib_t, { file dir })
-
- # Accept connections on the TCS port over loopback.
--corenet_all_recvfrom_unlabeled(tcsd_t)
- corenet_tcp_bind_generic_node(tcsd_t)
- corenet_tcp_bind_tcs_port(tcsd_t)
-
-@@ -38,13 +37,8 @@ dev_read_urand(tcsd_t)
- # Access /dev/tpm0.
+@@ -41,10 +41,6 @@ corenet_tcp_sendrecv_tcs_port(tcsd_t)
+ dev_read_urand(tcsd_t)
dev_rw_tpm(tcsd_t)
--files_read_etc_files(tcsd_t)
- files_read_usr_files(tcsd_t)
-
+-files_read_usr_files(tcsd_t)
+-
auth_use_nsswitch(tcsd_t)
logging_send_syslog_msg(tcsd_t)
-
-miscfiles_read_localization(tcsd_t)
--
--sysnet_dns_name_resolve(tcsd_t)
diff --git a/telepathy.fc b/telepathy.fc
-index b07ee19..a275bd6 100644
+index c7de0cf..a275bd6 100644
--- a/telepathy.fc
+++ b/telepathy.fc
-@@ -1,8 +1,11 @@
- HOME_DIR/\.cache/\.mc_connections -- gen_context(system_u:object_r:telepathy_mission_control_cache_home_t, s0)
--HOME_DIR/\.cache/telepathy/logger/sqlite-data-journal -- gen_context(system_u:object_r:telepathy_logger_cache_home_t,s0)
-+HOME_DIR/\.cache/telepathy(/.*)? gen_context(system_u:object_r:telepathy_cache_home_t, s0)
-+HOME_DIR/\.cache/telepathy/logger(/.*)? gen_context(system_u:object_r:telepathy_logger_cache_home_t,s0)
- HOME_DIR/\.cache/telepathy/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0)
- HOME_DIR/\.cache/wocky(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0)
- HOME_DIR/\.mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_home_t, s0)
-+HOME_DIR/\.local/share/telepathy(/.*)? gen_context(system_u:object_r:telepathy_data_home_t,s0)
+@@ -1,34 +1,21 @@
+-HOME_DIR/\.cache/\.mc_connections -- gen_context(system_u:object_r:telepathy_mission_control_cache_home_t,s0)
++HOME_DIR/\.cache/\.mc_connections -- gen_context(system_u:object_r:telepathy_mission_control_cache_home_t, s0)
+ HOME_DIR/\.cache/telepathy(/.*)? gen_context(system_u:object_r:telepathy_cache_home_t, s0)
+ HOME_DIR/\.cache/telepathy/logger(/.*)? gen_context(system_u:object_r:telepathy_logger_cache_home_t,s0)
+-HOME_DIR/\.cache/telepathy/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t,s0)
+-HOME_DIR/\.cache/wocky(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t,s0)
+-HOME_DIR/\.mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_home_t,s0)
++HOME_DIR/\.cache/telepathy/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0)
++HOME_DIR/\.cache/wocky(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0)
++HOME_DIR/\.mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_home_t, s0)
+ HOME_DIR/\.local/share/telepathy(/.*)? gen_context(system_u:object_r:telepathy_data_home_t,s0)
+-HOME_DIR/\.local/share/telepathy/mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_data_home_t,s0)
+-HOME_DIR/\.telepathy-sunshine(/.*)? gen_context(system_u:object_r:telepathy_sunshine_home_t,s0)
+-HOME_DIR/\.local/share/TpLogger(/.*)? gen_context(system_u:object_r:telepathy_logger_data_home_t,s0)
+HOME_DIR/\.local/share/telepathy/mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_data_home_t, s0)
- HOME_DIR/\.telepathy-sunshine(/.*)? gen_context(system_u:object_r:telepathy_sunshine_home_t, s0)
- HOME_DIR/\.local/share/TpLogger(/.*)? gen_context(system_u:object_r:telepathy_logger_data_home_t,s0)
-
++HOME_DIR/\.telepathy-sunshine(/.*)? gen_context(system_u:object_r:telepathy_sunshine_home_t, s0)
++HOME_DIR/\.local/share/TpLogger(/.*)? gen_context(system_u:object_r:telepathy_logger_data_home_t,s0)
+
+-/usr/lib/telepathy/mission-control-5 -- gen_context(system_u:object_r:telepathy_mission_control_exec_t,s0)
+-/usr/lib/telepathy/telepathy-butterfly -- gen_context(system_u:object_r:telepathy_msn_exec_t,s0)
+-/usr/lib/telepathy/telepathy-gabble -- gen_context(system_u:object_r:telepathy_gabble_exec_t,s0)
+-/usr/lib/telepathy/telepathy-haze -- gen_context(system_u:object_r:telepathy_msn_exec_t,s0)
+-/usr/lib/telepathy/telepathy-idle -- gen_context(system_u:object_r:telepathy_idle_exec_t,s0)
+-/usr/lib/telepathy/telepathy-logger -- gen_context(system_u:object_r:telepathy_logger_exec_t,s0)
+-/usr/lib/telepathy/telepathy-salut -- gen_context(system_u:object_r:telepathy_salut_exec_t,s0)
+-/usr/lib/telepathy/telepathy-sofiasip -- gen_context(system_u:object_r:telepathy_sofiasip_exec_t,s0)
+-/usr/lib/telepathy/telepathy-rakia -- gen_context(system_u:object_r:telepathy_sofiasip_exec_t,s0)
+-/usr/lib/telepathy/telepathy-stream-engine -- gen_context(system_u:object_r:telepathy_stream_engine_exec_t,s0)
+-/usr/lib/telepathy/telepathy-sunshine -- gen_context(system_u:object_r:telepathy_sunshine_exec_t,s0)
+-
+-/usr/libexec/mission-control-5 -- gen_context(system_u:object_r:telepathy_mission_control_exec_t,s0)
+-/usr/libexec/telepathy-butterfly -- gen_context(system_u:object_r:telepathy_msn_exec_t,s0)
+-/usr/libexec/telepathy-gabble -- gen_context(system_u:object_r:telepathy_gabble_exec_t,s0)
+-/usr/libexec/telepathy-haze -- gen_context(system_u:object_r:telepathy_msn_exec_t,s0)
+-/usr/libexec/telepathy-idle -- gen_context(system_u:object_r:telepathy_idle_exec_t,s0)
+-/usr/libexec/telepathy-logger -- gen_context(system_u:object_r:telepathy_logger_exec_t,s0)
+-/usr/libexec/telepathy-salut -- gen_context(system_u:object_r:telepathy_salut_exec_t, s0)
+-/usr/libexec/telepathy-sofiasip -- gen_context(system_u:object_r:telepathy_sofiasip_exec_t,s0)
+-/usr/libexec/telepathy-rakia -- gen_context(system_u:object_r:telepathy_sofiasip_exec_t,s0)
+-/usr/libexec/telepathy-stream-engine -- gen_context(system_u:object_r:telepathy_stream_engine_exec_t,s0)
+-/usr/libexec/telepathy-sunshine -- gen_context(system_u:object_r:telepathy_sunshine_exec_t,s0)
++/usr/libexec/mission-control-5 -- gen_context(system_u:object_r:telepathy_mission_control_exec_t, s0)
++/usr/libexec/telepathy-butterfly -- gen_context(system_u:object_r:telepathy_msn_exec_t, s0)
++/usr/libexec/telepathy-gabble -- gen_context(system_u:object_r:telepathy_gabble_exec_t, s0)
++/usr/libexec/telepathy-haze -- gen_context(system_u:object_r:telepathy_msn_exec_t, s0)
++/usr/libexec/telepathy-idle -- gen_context(system_u:object_r:telepathy_idle_exec_t, s0)
++/usr/libexec/telepathy-logger -- gen_context(system_u:object_r:telepathy_logger_exec_t,s0)
++/usr/libexec/telepathy-salut -- gen_context(system_u:object_r:telepathy_salut_exec_t, s0)
++/usr/libexec/telepathy-sofiasip -- gen_context(system_u:object_r:telepathy_sofiasip_exec_t, s0)
++/usr/libexec/telepathy-stream-engine -- gen_context(system_u:object_r:telepathy_stream_engine_exec_t, s0)
++/usr/libexec/telepathy-sunshine -- gen_context(system_u:object_r:telepathy_sunshine_exec_t, s0)
diff --git a/telepathy.if b/telepathy.if
-index f09171e..95a9aa3 100644
+index 42946bc..95a9aa3 100644
--- a/telepathy.if
+++ b/telepathy.if
-@@ -11,7 +11,6 @@
+@@ -2,45 +2,39 @@
+
+ #######################################
+ ## <summary>
+-## The template to define a telepathy domain.
++## Creates basic types for telepathy
++## domain
+ ## </summary>
+-## <param name="domain_prefix">
++## <param name="prefix">
+ ## <summary>
+-## Domain prefix to be used.
++## Prefix for the domain.
## </summary>
## </param>
#
--#
template(`telepathy_domain_template',`
gen_require(`
- attribute telepathy_domain;
-@@ -20,19 +19,21 @@ template(`telepathy_domain_template',`
+- attribute telepathy_domain, telepathy_executable, telepathy_tmp_content;
++ attribute telepathy_domain;
++ attribute telepathy_executable;
+ ')
type telepathy_$1_t, telepathy_domain;
type telepathy_$1_exec_t, telepathy_executable;
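Review bot: The re-added `++/usr/libexec/...` entries in telepathy.fc omit `telepathy-rakia`, which upstream labeled `telepathy_sofiasip_exec_t` on both the `/usr/lib/telepathy` and `/usr/libexec` paths, and no replacement entry appears anywhere in the hunk. If the rakia binary is packaged, it falls back to the generic label for `/usr/libexec` and the SIP connection manager, which parses untrusted network input, runs in the launching user's domain instead of `telepathy_sofiasip_t`. Suggest restoring `/usr/libexec/telepathy-rakia -- gen_context(system_u:object_r:telepathy_sofiasip_exec_t, s0)`; whether the dropped `/usr/lib/telepathy` paths also need to survive depends on where the distribution installs the managers, which the hunk does not show.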
@@ -66442,25 +75688,37 @@ index f09171e..95a9aa3 100644
+ application_domain(telepathy_$1_t, telepathy_$1_exec_t)
+ ubac_constrained(telepathy_$1_t)
- type telepathy_$1_tmp_t;
+- type telepathy_$1_tmp_t, telepathy_tmp_content;
++ type telepathy_$1_tmp_t;
userdom_user_tmp_file(telepathy_$1_tmp_t)
-- auth_use_nsswitch(telepathy_$1_t)
+ kernel_read_system_state(telepathy_$1_t)
-
-+ auth_use_nsswitch(telepathy_$1_t)
++
+ auth_use_nsswitch(telepathy_$1_t)
')
#######################################
## <summary>
--## Role access for telepathy domains
--### that executes via dbus-session
+-## The role template for the telepathy module.
+## Role access for telepathy domains
+## that executes via dbus-session
## </summary>
+-## <desc>
+-## <p>
+-## This template creates a derived domains which are used
+-## for window manager applications.
+-## </p>
+-## </desc>
+-## <param name="role_prefix">
+-## <summary>
+-## The prefix of the user domain (e.g., user
+-## is the prefix for user_t).
+-## </summary>
+-## </param>
## <param name="user_role">
## <summary>
-@@ -44,8 +45,13 @@ template(`telepathy_domain_template',`
+ ## The role associated with the user domain.
+@@ -51,10 +45,15 @@ template(`telepathy_domain_template',`
## The type of the user domain.
## </summary>
## </param>
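Review bot: The new summary `Creates basic types for telepathy domain` undersells `telepathy_domain_template`, which also registers the domain as a ubac-constrained application domain and grants every derived manager `kernel_read_system_state` and nsswitch access, so a reader cannot tell from the docs that these baseline permissions apply to all nine connection managers. Suggest `## Create a ubac-constrained telepathy application domain with its executable and tmp types, plus the nsswitch and /proc system-state access every connection manager gets.` The `kernel_read_system_state(telepathy_$1_t)` grant is template-wide; if only some managers actually read /proc, moving it into those domains' local policy would be tighter. The template's opening line is in the previous hunk.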
@@ -66470,45 +75728,198 @@ index f09171e..95a9aa3 100644
+## </summary>
+## </param>
#
--template(`telepathy_role', `
+-template(`telepathy_role_template',`
+template(`telepathy_role',`
gen_require(`
- attribute telepathy_domain;
+- attribute telepathy_domain, telepathy_tmp_content;
++ attribute telepathy_domain;
type telepathy_gabble_t, telepathy_sofiasip_t, telepathy_idle_t;
-@@ -76,6 +82,8 @@ template(`telepathy_role', `
- dbus_session_domain($3, telepathy_sunshine_exec_t, telepathy_sunshine_t)
- dbus_session_domain($3, telepathy_stream_engine_exec_t, telepathy_stream_engine_t)
- dbus_session_domain($3, telepathy_msn_exec_t, telepathy_msn_t)
-+
+ type telepathy_mission_control_t, telepathy_salut_t, telepathy_sunshine_t;
+ type telepathy_stream_engine_t, telepathy_msn_t, telepathy_gabble_exec_t;
+@@ -63,91 +62,61 @@ template(`telepathy_role_template',`
+ type telepathy_mission_control_exec_t, telepathy_salut_exec_t;
+ type telepathy_sunshine_exec_t, telepathy_stream_engine_exec_t;
+ type telepathy_msn_exec_t;
+-
+- type telepathy_mission_control_cache_home_t, telepathy_cache_home_t, telepathy_logger_cache_home_t;
+- type telepathy_gabble_cache_home_t, telepathy_mission_control_home_t, telepathy_data_home_t;
+- type telepathy_mission_control_data_home_t, telepathy_sunshine_home_t, telepathy_logger_data_home_t;
+ ')
+
+- role $2 types telepathy_domain;
+-
+- allow $3 telepathy_domain:process { ptrace signal_perms };
+- ps_process_pattern($3, telepathy_domain)
+-
+- telepathy_gabble_stream_connect($3)
+- telepathy_msn_stream_connect($3)
+- telepathy_salut_stream_connect($3)
+-
+- dbus_spec_session_domain($1, telepathy_gabble_exec_t, telepathy_gabble_t)
+- dbus_spec_session_domain($1, telepathy_sofiasip_exec_t, telepathy_sofiasip_t)
+- dbus_spec_session_domain($1, telepathy_idle_exec_t, telepathy_idle_t)
+- dbus_spec_session_domain($1, telepathy_logger_exec_t, telepathy_logger_t)
+- dbus_spec_session_domain($1, telepathy_mission_control_exec_t, telepathy_mission_control_t)
+- dbus_spec_session_domain($1, telepathy_salut_exec_t, telepathy_salut_t)
+- dbus_spec_session_domain($1, telepathy_sunshine_exec_t, telepathy_sunshine_t)
+- dbus_spec_session_domain($1, telepathy_stream_engine_exec_t, telepathy_stream_engine_t)
+- dbus_spec_session_domain($1, telepathy_msn_exec_t, telepathy_msn_t)
+-
+- allow $3 { telepathy_mission_control_cache_home_t telepathy_cache_home_t telepathy_logger_cache_home_t }:dir { manage_dir_perms relabel_dir_perms };
+- allow $3 { telepathy_gabble_cache_home_t telepathy_mission_control_home_t telepathy_data_home_t }:dir { manage_dir_perms relabel_dir_perms };
+- allow $3 { telepathy_mission_control_data_home_t telepathy_sunshine_home_t telepathy_logger_data_home_t }:dir { manage_dir_perms relabel_dir_perms };
+-
+- allow $3 { telepathy_mission_control_cache_home_t telepathy_cache_home_t telepathy_logger_cache_home_t }:file { manage_file_perms relabel_file_perms };
+- allow $3 { telepathy_gabble_cache_home_t telepathy_mission_control_home_t telepathy_data_home_t }:file { manage_file_perms relabel_file_perms };
+- allow $3 { telepathy_mission_control_data_home_t telepathy_sunshine_home_t telepathy_logger_data_home_t }:file { manage_file_perms relabel_file_perms };
++ role $1 types telepathy_domain;
+
+- filetrans_pattern($3, telepathy_cache_home_t, telepathy_gabble_cache_home_t, dir, "gabble")
+- # gnome_cache_filetrans($3, telepathy_gabble_cache_home_t, dir, "wocky")
++ allow $2 telepathy_domain:process signal_perms;
++ ps_process_pattern($2, telepathy_domain)
+
+- filetrans_pattern($3, telepathy_cache_home_t, telepathy_logger_cache_home_t, dir, "logger")
+- # gnome_data_filetrans($3, telepathy_logger_data_home_t, dir, "TpLogger")
++ telepathy_gabble_stream_connect($2)
++ telepathy_msn_stream_connect($2)
++ telepathy_salut_stream_connect($2)
+
+- userdom_user_home_dir_filetrans($3, telepathy_mission_control_home_t, dir, ".mission-control")
+- filetrans_pattern($3, telepathy_data_home_t, telepathy_mission_control_data_home_t, dir, "mission-control")
+- # gnome_cache_filetrans($3, telepathy_mission_control_cache_home_t, file, ".mc_connections")
++ dbus_session_domain($3, telepathy_gabble_exec_t, telepathy_gabble_t)
++ dbus_session_domain($3, telepathy_sofiasip_exec_t, telepathy_sofiasip_t)
++ dbus_session_domain($3, telepathy_idle_exec_t, telepathy_idle_t)
++ dbus_session_domain($3, telepathy_logger_exec_t, telepathy_logger_t)
++ dbus_session_domain($3, telepathy_mission_control_exec_t, telepathy_mission_control_t)
++ dbus_session_domain($3, telepathy_salut_exec_t, telepathy_salut_t)
++ dbus_session_domain($3, telepathy_sunshine_exec_t, telepathy_sunshine_t)
++ dbus_session_domain($3, telepathy_stream_engine_exec_t, telepathy_stream_engine_t)
++ dbus_session_domain($3, telepathy_msn_exec_t, telepathy_msn_t)
+
+- userdom_user_home_dir_filetrans($3, telepathy_sunshine_home_t, dir, ".telepathy-sunshine")
+-
+- # gnome_cache_filetrans($3, telepathy_cache_home_t, dir, "telepathy")
+- # gnome_data_filetrans($3, telepathy_data_home_t, dir, "telepathy")
+-
+- allow $3 telepathy_tmp_content:dir { manage_dir_perms relabel_dir_perms };
+- allow $3 telepathy_tmp_content:file { manage_file_perms relabel_file_perms };
+- allow $3 telepathy_tmp_content:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+ telepathy_dbus_chat($2)
')
########################################
-@@ -122,11 +130,6 @@ interface(`telepathy_gabble_dbus_chat', `
## <summary>
- ## Read telepathy mission control state.
+-## Connect to gabble with a unix
+-## domain stream socket.
++## Stream connect to Telepathy Gabble
## </summary>
--## <param name="role_prefix">
--## <summary>
--## Prefix to be used.
--## </summary>
--## </param>
## <param name="domain">
- ## <summary>
+-## <summary>
++## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+ #
+-interface(`telepathy_gabble_stream_connect',`
++interface(`telepathy_gabble_stream_connect', `
+ gen_require(`
+ type telepathy_gabble_t, telepathy_gabble_tmp_t;
+ ')
+
+- files_search_tmp($1)
+ stream_connect_pattern($1, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t, telepathy_gabble_t)
++ files_search_tmp($1)
+ ')
+
+ ########################################
+ ## <summary>
+-## Send dbus messages to and from
+-## gabble.
++## Send DBus messages to and from
++## Telepathy Gabble.
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
++## <summary>
## Domain allowed access.
-@@ -166,7 +169,7 @@ interface(`telepathy_msn_stream_connect', `
- ## Stream connect to Telepathy Salut
+ ## </summary>
+ ## </param>
+ #
+-interface(`telepathy_gabble_dbus_chat',`
++interface(`telepathy_gabble_dbus_chat', `
+ gen_require(`
+ type telepathy_gabble_t;
+ class dbus send_msg;
+@@ -159,10 +128,10 @@ interface(`telepathy_gabble_dbus_chat',`
+
+ ########################################
+ ## <summary>
+-## Read mission control process state files.
++## Read telepathy mission control state.
## </summary>
## <param name="domain">
--## <summary>
-+## <summary>
+-## <summary>
++## <summary>
## Domain allowed access.
## </summary>
## </param>
-@@ -179,3 +182,130 @@ interface(`telepathy_salut_stream_connect', `
- stream_connect_pattern($1, telepathy_salut_tmp_t, telepathy_salut_tmp_t, telepathy_salut_t)
- files_search_tmp($1)
+@@ -173,15 +142,12 @@ interface(`telepathy_mission_control_read_state',`
+ ')
+
+ kernel_search_proc($1)
+- allow $1 telepathy_mission_control_t:dir list_dir_perms;
+- allow $1 telepathy_mission_control_t:file read_file_perms;
+- allow $1 telepathy_mission_control_t:lnk_file read_lnk_file_perms;
++ ps_process_pattern($1, telepathy_mission_control_t)
')
+
+ #######################################
+ ## <summary>
+-## Connect to msn with a unix
+-## domain stream socket.
++## Stream connect to telepathy MSN managers
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -189,19 +155,18 @@ interface(`telepathy_mission_control_read_state',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`telepathy_msn_stream_connect',`
++interface(`telepathy_msn_stream_connect', `
+ gen_require(`
+ type telepathy_msn_t, telepathy_msn_tmp_t;
+ ')
+
+- files_search_tmp($1)
+ stream_connect_pattern($1, telepathy_msn_tmp_t, telepathy_msn_tmp_t, telepathy_msn_t)
++ files_search_tmp($1)
+ ')
+
+ ########################################
+ ## <summary>
+-## Connect to salut with a unix
+-## domain stream socket.
++## Stream connect to Telepathy Salut
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -209,11 +174,138 @@ interface(`telepathy_msn_stream_connect',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`telepathy_salut_stream_connect',`
++interface(`telepathy_salut_stream_connect', `
+ gen_require(`
+ type telepathy_salut_t, telepathy_salut_tmp_t;
+ ')
+
+- files_search_tmp($1)
+ stream_connect_pattern($1, telepathy_salut_tmp_t, telepathy_salut_tmp_t, telepathy_salut_t)
++ files_search_tmp($1)
++')
+
+#######################################
+## <summary>
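Review bot: The rewritten `telepathy_role` no longer gives the user domain (`$2`) the `manage_*_perms`/`relabel_*_perms` on the telepathy home, cache and tmp types that upstream's role template granted, and nothing in the hunk replaces them. For the home types this is presumably reachable through the attribute `userdom_user_home_content()` attaches, but the per-manager `telepathy_$1_tmp_t` sockets are only touched via `telepathy_*_stream_connect`, so confirm the user domain can still unlink a stale socket left under /tmp after a manager crash. Replacing `{ ptrace signal_perms }` with `allow $2 telepathy_domain:process signal_perms;` is the right call for a role interface. The interface definitions after the banner continue past the end of the hunk.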
@@ -66635,65 +76046,74 @@ index f09171e..95a9aa3 100644
+
+ corecmd_search_bin($1)
+ can_exec($1, telepathy_executable)
-+')
+ ')
diff --git a/telepathy.te b/telepathy.te
-index 964978b..6cc7ecd 100644
+index e9c0964..6cc7ecd 100644
--- a/telepathy.te
+++ b/telepathy.te
-@@ -7,16 +7,16 @@ policy_module(telepathy, 1.3.0)
+@@ -1,29 +1,28 @@
+-policy_module(telepathy, 1.3.5)
++policy_module(telepathy, 1.3.0)
+
+ ########################################
+ #
+-# Declarations
++# Declarations.
+ #
## <desc>
- ## <p>
--## Allow the Telepathy connection managers
--## to connect to any generic TCP port.
+-## <p>
+-## Determine whether telepathy connection
+-## managers can connect to generic tcp ports.
+-## </p>
++## <p>
+## Allow the Telepathy connection managers
+## to connect to any generic TCP port.
- ## </p>
++## </p>
## </desc>
gen_tunable(telepathy_tcp_connect_generic_network_ports, false)
## <desc>
- ## <p>
--## Allow the Telepathy connection managers
--## to connect to any network port.
+-## <p>
+-## Determine whether telepathy connection
+-## managers can connect to any port.
+-## </p>
++## <p>
+## Allow the Telepathy connection managers
+## to connect to any network port.
- ## </p>
++## </p>
## </desc>
gen_tunable(telepathy_connect_all_ports, false)
-@@ -26,12 +26,18 @@ attribute telepathy_executable;
-
- telepathy_domain_template(gabble)
-+type telepathy_cache_home_t;
-+userdom_user_home_content(telepathy_cache_home_t)
-+
- type telepathy_gabble_cache_home_t;
- userdom_user_home_content(telepathy_gabble_cache_home_t)
+ attribute telepathy_domain;
+ attribute telepathy_executable;
+-attribute telepathy_tmp_content;
- telepathy_domain_template(idle)
- telepathy_domain_template(logger)
+ telepathy_domain_template(gabble)
-+type telepathy_data_home_t;
-+userdom_user_home_content(telepathy_data_home_t)
-+
- type telepathy_logger_cache_home_t;
- userdom_user_home_content(telepathy_logger_cache_home_t)
+@@ -67,176 +66,146 @@ userdom_user_home_content(telepathy_sunshine_home_t)
-@@ -43,6 +49,9 @@ telepathy_domain_template(mission_control)
- type telepathy_mission_control_home_t;
- userdom_user_home_content(telepathy_mission_control_home_t)
+ #######################################
+ #
+-# Gabble local policy
++# Telepathy Gabble local policy.
+ #
-+type telepathy_mission_control_data_home_t;
-+userdom_user_home_content(telepathy_mission_control_data_home_t)
-+
- type telepathy_mission_control_cache_home_t;
- userdom_user_home_content(telepathy_mission_control_cache_home_t)
+-allow telepathy_gabble_t self:tcp_socket { accept listen };
++allow telepathy_gabble_t self:tcp_socket create_stream_socket_perms;
+ allow telepathy_gabble_t self:unix_dgram_socket { create_socket_perms sendto };
-@@ -67,8 +76,16 @@ manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble
+-# ~/.cache/telepathy/gabble/caps-cache.db-journal
+-manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
+-manage_files_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
+-filetrans_pattern(telepathy_gabble_t, telepathy_cache_home_t, telepathy_gabble_cache_home_t, dir, "gabble")
+-# gnome_cache_filetrans(telepathy_gabble_t, telepathy_gabble_cache_home_t, dir, "wocky")
+-
+ manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t)
manage_sock_files_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t)
files_tmp_filetrans(telepathy_gabble_t, telepathy_gabble_tmp_t, { dir sock_file })
+-corenet_all_recvfrom_unlabeled(telepathy_gabble_t)
+# ~/.cache/telepathy/gabble/caps-cache.db-journal
+optional_policy(`
+ manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
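Review bot: `policy_module(telepathy, 1.3.0)` moves the module version below upstream's 1.3.5 while the patch keeps most of upstream's later content, so a rebuilt system will report an older revision than the one it replaces and every future upstream bump will conflict on this line. Keep `policy_module(telepathy, 1.3.5)` (or bump past it) unless the downgrade is deliberate. The switch from `{ accept listen }` to `create_stream_socket_perms` on gabble's tcp_socket is a superset of upstream; a one-line why-comment above `allow telepathy_gabble_t self:tcp_socket create_stream_socket_perms;` naming the feature that needs a listening socket would help the next reader judge whether the broader set is required.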
@@ -66704,62 +76124,125 @@ index 964978b..6cc7ecd 100644
+')
+
corenet_all_recvfrom_netlabel(telepathy_gabble_t)
--corenet_all_recvfrom_unlabeled(telepathy_gabble_t)
corenet_tcp_sendrecv_generic_if(telepathy_gabble_t)
corenet_tcp_sendrecv_generic_node(telepathy_gabble_t)
+-
+-corenet_sendrecv_http_client_packets(telepathy_gabble_t)
corenet_tcp_connect_http_port(telepathy_gabble_t)
-@@ -98,18 +115,14 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
- corenet_sendrecv_generic_client_packets(telepathy_gabble_t)
+-corenet_tcp_sendrecv_http_port(telepathy_gabble_t)
+-
+-corenet_sendrecv_jabber_client_client_packets(telepathy_gabble_t)
+ corenet_tcp_connect_jabber_client_port(telepathy_gabble_t)
+-corenet_tcp_sendrecv_jabber_client_port(telepathy_gabble_t)
+-
+-corenet_sendrecv_vnc_client_packets(telepathy_gabble_t)
+ corenet_tcp_connect_vnc_port(telepathy_gabble_t)
+-corenet_tcp_sendrecv_vnc_port(telepathy_gabble_t)
++corenet_sendrecv_http_client_packets(telepathy_gabble_t)
++corenet_sendrecv_jabber_client_client_packets(telepathy_gabble_t)
++corenet_sendrecv_vnc_client_packets(telepathy_gabble_t)
+
+ dev_read_rand(telepathy_gabble_t)
+
+ files_read_config_files(telepathy_gabble_t)
+ files_read_usr_files(telepathy_gabble_t)
+
++fs_getattr_all_fs(telepathy_gabble_t)
++
+ miscfiles_read_all_certs(telepathy_gabble_t)
+
+ tunable_policy(`telepathy_connect_all_ports',`
+- corenet_sendrecv_all_client_packets(telepathy_gabble_t)
+ corenet_tcp_connect_all_ports(telepathy_gabble_t)
+ corenet_tcp_sendrecv_all_ports(telepathy_gabble_t)
++ corenet_udp_sendrecv_all_ports(telepathy_gabble_t)
')
+ tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
+- corenet_sendrecv_generic_client_packets(telepathy_gabble_t)
+ corenet_tcp_connect_generic_port(telepathy_gabble_t)
+- corenet_tcp_sendrecv_generic_port(telepathy_gabble_t)
+-')
+-
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(telepathy_gabble_t)
- fs_manage_nfs_files(telepathy_gabble_t)
--')
-+userdom_home_manager(telepathy_gabble_t)
++ corenet_sendrecv_generic_client_packets(telepathy_gabble_t)
+ ')
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(telepathy_gabble_t)
- fs_manage_cifs_files(telepathy_gabble_t)
-+optional_policy(`
-+ dbus_system_bus_client(telepathy_gabble_t)
- ')
+-')
++userdom_home_manager(telepathy_gabble_t)
optional_policy(`
-- dbus_system_bus_client(telepathy_gabble_t)
-+ gnome_manage_home_config(telepathy_gabble_t)
+ dbus_system_bus_client(telepathy_gabble_t)
')
+-# optional_policy(`
+- # ~/.config/dconf/user
+- # gnome_manage_generic_home_content(telepathy_gabble_t)
+-# ')
++optional_policy(`
++ gnome_manage_home_config(telepathy_gabble_t)
++')
+
#######################################
-@@ -118,7 +131,6 @@ optional_policy(`
+ #
+-# Idle local policy
++# Telepathy Idle local policy.
#
corenet_all_recvfrom_netlabel(telepathy_idle_t)
-corenet_all_recvfrom_unlabeled(telepathy_idle_t)
corenet_tcp_sendrecv_generic_if(telepathy_idle_t)
corenet_tcp_sendrecv_generic_node(telepathy_idle_t)
+-
+-corenet_sendrecv_gatekeeper_client_packets(telepathy_idle_t)
corenet_tcp_connect_gatekeeper_port(telepathy_idle_t)
-@@ -127,8 +139,6 @@ corenet_sendrecv_ircd_client_packets(telepathy_idle_t)
+-corenet_tcp_sendrecv_gatekeeper_port(telepathy_idle_t)
+-
+-corenet_sendrecv_ircd_client_packets(telepathy_idle_t)
+ corenet_tcp_connect_ircd_port(telepathy_idle_t)
+-corenet_tcp_sendrecv_ircd_port(telepathy_idle_t)
++corenet_sendrecv_ircd_client_packets(telepathy_idle_t)
dev_read_rand(telepathy_idle_t)
--files_read_etc_files(telepathy_idle_t)
+-files_read_usr_files(telepathy_idle_t)
-
tunable_policy(`telepathy_connect_all_ports',`
+- corenet_sendrecv_all_client_packets(telepathy_idle_t)
corenet_tcp_connect_all_ports(telepathy_idle_t)
corenet_tcp_sendrecv_all_ports(telepathy_idle_t)
-@@ -147,51 +157,74 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
++ corenet_udp_sendrecv_all_ports(telepathy_idle_t)
+ ')
+
+ tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
+- corenet_sendrecv_generic_client_packets(telepathy_idle_t)
+ corenet_tcp_connect_generic_port(telepathy_idle_t)
+- corenet_tcp_sendrecv_generic_port(telepathy_idle_t)
++ corenet_sendrecv_generic_client_packets(telepathy_idle_t)
+ ')
+
+ #######################################
+ #
+-# Logger local policy
++# Telepathy Logger local policy.
+ #
allow telepathy_logger_t self:unix_stream_socket create_socket_perms;
-+manage_dirs_pattern(telepathy_logger_t, telepathy_logger_cache_home_t, telepathy_logger_cache_home_t)
+ manage_dirs_pattern(telepathy_logger_t, telepathy_logger_cache_home_t, telepathy_logger_cache_home_t)
manage_files_pattern(telepathy_logger_t, telepathy_logger_cache_home_t, telepathy_logger_cache_home_t)
+-filetrans_pattern(telepathy_logger_t, telepathy_cache_home_t, telepathy_logger_cache_home_t, dir, "logger")
+filetrans_pattern(telepathy_logger_t, telepathy_cache_home_t, telepathy_logger_cache_home_t, dir)
manage_dirs_pattern(telepathy_logger_t, telepathy_logger_data_home_t, telepathy_logger_data_home_t)
manage_files_pattern(telepathy_logger_t, telepathy_logger_data_home_t, telepathy_logger_data_home_t)
+-# gnome_data_filetrans(telepathy_logger_t, telepathy_logger_data_home_t, dir, "TpLogger")
--files_read_etc_files(telepathy_logger_t)
-files_read_usr_files(telepathy_logger_t)
+optional_policy(`
+ gnome_data_filetrans(telepathy_logger_t, telepathy_logger_data_home_t, dir)
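Review bot: `gnome_manage_home_config(telepathy_gabble_t)` hands an XMPP connection manager that parses untrusted network data full manage rights over the `config_home_t` tree, something upstream had deliberately left commented out; if `~/.config` as a whole carries that label, a compromised gabble could rewrite other applications' settings and autostart entries. The matching logger block says the need is `~/.config/dconf/user`, so a dconf-scoped interface (if gnome.if offers one) or at least a `# needed for ~/.config/dconf/user` comment on the gabble line would document the intent. `userdom_home_manager(telepathy_gabble_t)` replacing the `use_nfs_home_dirs`/`use_samba_home_dirs` blocks presumably pulls in the same tunables via the home-manager attribute; confirm it is not also broader than the two tunables it replaces.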
@@ -66767,37 +76250,48 @@ index 964978b..6cc7ecd 100644
+
files_search_pids(telepathy_logger_t)
- fs_getattr_all_fs(telepathy_logger_t)
-
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(telepathy_logger_t)
- fs_manage_nfs_files(telepathy_logger_t)
-')
-+userdom_home_manager(telepathy_logger_t)
++fs_getattr_all_fs(telepathy_logger_t)
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(telepathy_logger_t)
- fs_manage_cifs_files(telepathy_logger_t)
+-')
++userdom_home_manager(telepathy_logger_t)
+
+-# optional_policy(`
+optional_policy(`
-+ # ~/.config/dconf/user
+ # ~/.config/dconf/user
+- # gnome_manage_generic_home_content(telepathy_logger_t)
+-# ')
+ gnome_manage_home_config(telepathy_logger_t)
- ')
++')
#######################################
#
- # Telepathy Mission-Control local policy.
+-# Mission-Control local policy
++# Telepathy Mission-Control local policy.
#
-+allow telepathy_mission_control_t self:process setsched;
+-
+ allow telepathy_mission_control_t self:process setsched;
manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t)
manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t)
- userdom_user_home_dir_filetrans(telepathy_mission_control_t, telepathy_mission_control_home_t, { dir file })
+-userdom_user_home_dir_filetrans(telepathy_mission_control_t, telepathy_mission_control_home_t, dir, ".mission-control")
++userdom_user_home_dir_filetrans(telepathy_mission_control_t, telepathy_mission_control_home_t, { dir file })
+userdom_search_user_home_dirs(telepathy_mission_control_t)
-+
+
+-manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_data_home_t, telepathy_mission_control_data_home_t)
+manage_dirs_pattern(telepathy_mission_control_t, { telepathy_data_home_t telepathy_mission_control_data_home_t }, { telepathy_data_home_t telepathy_mission_control_data_home_t })
-+manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_data_home_t, telepathy_mission_control_data_home_t)
+ manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_data_home_t, telepathy_mission_control_data_home_t)
+-filetrans_pattern(telepathy_mission_control_t, telepathy_data_home_t, telepathy_mission_control_data_home_t, dir, "mission-control")
+filetrans_pattern(telepathy_mission_control_t, telepathy_data_home_t, telepathy_mission_control_data_home_t, { dir file })
-+
+
+-manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_cache_home_t)
+-# gnome_cache_filetrans(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, file, ".mc_connections")
+optional_policy(`
+ gnome_data_filetrans(telepathy_mission_control_t, telepathy_data_home_t, dir)
+ gnome_manage_home_config(telepathy_mission_control_t)
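Review bot: `userdom_user_home_dir_filetrans(telepathy_mission_control_t, telepathy_mission_control_home_t, { dir file })` and `filetrans_pattern(telepathy_mission_control_t, telepathy_data_home_t, telepathy_mission_control_data_home_t, { dir file })` drop the `".mission-control"` and `"mission-control"` name components upstream used, so every file or directory mission-control creates directly in $HOME or in ~/.local/share/telepathy is labeled as its private content, not only the named ones. Combined with the new `manage_dirs_pattern` over `telepathy_data_home_t` this is noticeably broader than upstream. Unless the build toolchain cannot use named transitions, keep `dir, ".mission-control"` and `dir, "mission-control"` on those two lines. The mission-control section continues in the next hunk.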
@@ -66805,78 +76299,143 @@ index 964978b..6cc7ecd 100644
dev_read_rand(telepathy_mission_control_t)
- fs_getattr_all_fs(telepathy_mission_control_t)
-
--files_read_etc_files(telepathy_mission_control_t)
+-files_list_tmp(telepathy_mission_control_t)
-files_read_usr_files(telepathy_mission_control_t)
-+files_list_tmp(telepathy_mission_control_t)
-+
-+userdom_home_manager(telepathy_mission_control_t)
-+
-+optional_policy(`
-+ dbus_system_bus_client(telepathy_mission_control_t)
++fs_getattr_all_fs(telepathy_mission_control_t)
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(telepathy_mission_control_t)
- fs_manage_nfs_files(telepathy_mission_control_t)
-+ optional_policy(`
-+ devicekit_dbus_chat_power(telepathy_mission_control_t)
-+ ')
-+ optional_policy(`
-+ gnome_dbus_chat_gkeyringd(telepathy_mission_control_t)
-+ ')
-+ optional_policy(`
-+ networkmanager_dbus_chat(telepathy_mission_control_t)
-+ ')
- ')
+-')
++files_list_tmp(telepathy_mission_control_t)
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(telepathy_mission_control_t)
- fs_manage_cifs_files(telepathy_mission_control_t)
+-')
++userdom_home_manager(telepathy_mission_control_t)
+
+ optional_policy(`
+ dbus_system_bus_client(telepathy_mission_control_t)
+@@ -245,59 +214,51 @@ optional_policy(`
+ devicekit_dbus_chat_power(telepathy_mission_control_t)
+ ')
+ optional_policy(`
+- gnome_dbus_chat_all_gkeyringd(telepathy_mission_control_t)
++ gnome_dbus_chat_gkeyringd(telepathy_mission_control_t)
+ ')
+ optional_policy(`
+ networkmanager_dbus_chat(telepathy_mission_control_t)
+ ')
+ ')
+
+-# optional_policy(`
+- # ~/.config/dconf/user
+- # gnome_manage_generic_home_content(telepathy_mission_control_t)
+-# ')
+# ~/.cache/.mc_connections.
+optional_policy(`
+ manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_cache_home_t)
+ gnome_cache_filetrans(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, file)
- ')
++')
#######################################
-@@ -205,11 +238,13 @@ allow telepathy_msn_t self:unix_dgram_socket { write create connect };
+ #
+-# Butterfly and Haze local policy
++# Telepathy Butterfly and Haze local policy.
+ #
+
+ allow telepathy_msn_t self:process setsched;
++allow telepathy_msn_t self:unix_dgram_socket { write create connect };
+
manage_dirs_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
manage_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
manage_sock_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
+exec_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
files_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file })
+-
userdom_user_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file })
+-
+userdom_dontaudit_setattr_user_tmp(telepathy_msn_t)
-+can_exec(telepathy_msn_t, telepathy_msn_tmp_t)
+ can_exec(telepathy_msn_t, telepathy_msn_tmp_t)
corenet_all_recvfrom_netlabel(telepathy_msn_t)
-corenet_all_recvfrom_unlabeled(telepathy_msn_t)
corenet_tcp_sendrecv_generic_if(telepathy_msn_t)
corenet_tcp_sendrecv_generic_node(telepathy_msn_t)
- corenet_tcp_bind_generic_node(telepathy_msn_t)
-@@ -225,8 +260,7 @@ corecmd_exec_bin(telepathy_msn_t)
- corecmd_exec_shell(telepathy_msn_t)
- corecmd_read_bin_symlinks(telepathy_msn_t)
+-
+-corenet_sendrecv_http_client_packets(telepathy_msn_t)
++corenet_tcp_bind_generic_node(telepathy_msn_t)
+ corenet_tcp_connect_http_port(telepathy_msn_t)
+-corenet_tcp_sendrecv_http_port(telepathy_msn_t)
+-
+-corenet_sendrecv_mmcc_client_packets(telepathy_msn_t)
+ corenet_tcp_connect_mmcc_port(telepathy_msn_t)
+-corenet_tcp_sendrecv_mmcc_port(telepathy_msn_t)
+-
+-corenet_sendrecv_msnp_client_packets(telepathy_msn_t)
+ corenet_tcp_connect_msnp_port(telepathy_msn_t)
+-corenet_tcp_sendrecv_msnp_port(telepathy_msn_t)
+-
+-corenet_sendrecv_sip_client_packets(telepathy_msn_t)
+ corenet_tcp_connect_sip_port(telepathy_msn_t)
+-corenet_tcp_sendrecv_sip_port(telepathy_msn_t)
++corenet_sendrecv_http_client_packets(telepathy_msn_t)
++corenet_sendrecv_mmcc_client_packets(telepathy_msn_t)
++corenet_sendrecv_msnp_client_packets(telepathy_msn_t)
--files_read_etc_files(telepathy_msn_t)
+ corecmd_exec_bin(telepathy_msn_t)
+ corecmd_exec_shell(telepathy_msn_t)
+-
-files_read_usr_files(telepathy_msn_t)
-+init_read_state(telepathy_msn_t)
++corecmd_read_bin_symlinks(telepathy_msn_t)
+
+ init_read_state(telepathy_msn_t)
+
+@@ -307,18 +268,19 @@ logging_send_syslog_msg(telepathy_msn_t)
- libs_exec_ldconfig(telepathy_msn_t)
+ miscfiles_read_all_certs(telepathy_msn_t)
-@@ -246,6 +280,10 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
+-# userdom_dontaudit_setattr_user_tmp(telepathy_msn_t)
+-
+ tunable_policy(`telepathy_connect_all_ports',`
+- corenet_sendrecv_all_client_packets(telepathy_msn_t)
+ corenet_tcp_connect_all_ports(telepathy_msn_t)
+ corenet_tcp_sendrecv_all_ports(telepathy_msn_t)
++ corenet_udp_sendrecv_all_ports(telepathy_msn_t)
')
- optional_policy(`
-+ gnome_read_gconf_home_files(telepathy_msn_t)
+ tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
+- corenet_sendrecv_generic_client_packets(telepathy_msn_t)
+ corenet_tcp_connect_generic_port(telepathy_msn_t)
+- corenet_tcp_sendrecv_generic_port(telepathy_msn_t)
++ corenet_sendrecv_generic_client_packets(telepathy_msn_t)
+')
+
+optional_policy(`
- dbus_system_bus_client(telepathy_msn_t)
++ gnome_read_gconf_home_files(telepathy_msn_t)
+ ')
- optional_policy(`
-@@ -264,7 +302,6 @@ manage_sock_files_pattern(telepathy_salut_t, telepathy_salut_tmp_t, telepathy_sa
+ optional_policy(`
+@@ -329,43 +291,33 @@ optional_policy(`
+ ')
+ ')
+
+-# optional_policy(`
+- # ~/.config/dconf/user
+- # gnome_manage_generic_home_content(telepathy_msn_t)
+-# ')
+-
+ #######################################
+ #
+-# Salut local policy
++# Telepathy Salut local policy.
+ #
+
+-allow telepathy_salut_t self:tcp_socket { accept listen };
++allow telepathy_salut_t self:tcp_socket create_stream_socket_perms;
+
+ manage_sock_files_pattern(telepathy_salut_t, telepathy_salut_tmp_t, telepathy_salut_tmp_t)
files_tmp_filetrans(telepathy_salut_t, telepathy_salut_tmp_t, sock_file)
corenet_all_recvfrom_netlabel(telepathy_salut_t)
@@ -66884,49 +76443,142 @@ index 964978b..6cc7ecd 100644
corenet_tcp_sendrecv_generic_if(telepathy_salut_t)
corenet_tcp_sendrecv_generic_node(telepathy_salut_t)
corenet_tcp_bind_generic_node(telepathy_salut_t)
-@@ -272,8 +309,6 @@ corenet_tcp_bind_presence_port(telepathy_salut_t)
+-
+-corenet_sendrecv_presence_server_packets(telepathy_salut_t)
+ corenet_tcp_bind_presence_port(telepathy_salut_t)
+-corenet_sendrecv_presence_client_packets(telepathy_salut_t)
corenet_tcp_connect_presence_port(telepathy_salut_t)
- corenet_sendrecv_presence_server_packets(telepathy_salut_t)
+-corenet_tcp_sendrecv_presence_port(telepathy_salut_t)
++corenet_sendrecv_presence_server_packets(telepathy_salut_t)
--files_read_etc_files(telepathy_salut_t)
--
tunable_policy(`telepathy_connect_all_ports',`
+- corenet_sendrecv_all_client_packets(telepathy_salut_t)
corenet_tcp_connect_all_ports(telepathy_salut_t)
corenet_tcp_sendrecv_all_ports(telepathy_salut_t)
-@@ -302,7 +337,6 @@ allow telepathy_sofiasip_t self:rawip_socket { create_socket_perms listen };
- allow telepathy_sofiasip_t self:tcp_socket create_stream_socket_perms;
++ corenet_udp_sendrecv_all_ports(telepathy_salut_t)
+ ')
+
+ tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
+- corenet_sendrecv_generic_client_packets(telepathy_salut_t)
+ corenet_tcp_connect_generic_port(telepathy_salut_t)
+- corenet_tcp_sendrecv_generic_port(telepathy_salut_t)
++ corenet_sendrecv_generic_client_packets(telepathy_salut_t)
+ ')
+
+ optional_policy(`
+@@ -378,73 +330,53 @@ optional_policy(`
+
+ #######################################
+ #
+-# Sofiasip local policy
++# Telepathy Sofiasip local policy.
+ #
+
+-allow telepathy_sofiasip_t self:rawip_socket create_stream_socket_perms;
+-allow telepathy_sofiasip_t self:tcp_socket { accept listen };
++allow telepathy_sofiasip_t self:rawip_socket { create_socket_perms listen };
++allow telepathy_sofiasip_t self:tcp_socket create_stream_socket_perms;
corenet_all_recvfrom_netlabel(telepathy_sofiasip_t)
-corenet_all_recvfrom_unlabeled(telepathy_sofiasip_t)
corenet_tcp_sendrecv_generic_if(telepathy_sofiasip_t)
corenet_raw_sendrecv_generic_if(telepathy_sofiasip_t)
corenet_raw_sendrecv_generic_node(telepathy_sofiasip_t)
-@@ -343,9 +377,6 @@ files_tmp_filetrans(telepathy_sunshine_t, telepathy_sunshine_tmp_t, file)
+ corenet_tcp_sendrecv_generic_node(telepathy_sofiasip_t)
+ corenet_tcp_bind_generic_node(telepathy_sofiasip_t)
+ corenet_raw_bind_generic_node(telepathy_sofiasip_t)
+-
+-corenet_sendrecv_all_server_packets(telepathy_sofiasip_t)
+ corenet_tcp_bind_all_unreserved_ports(telepathy_sofiasip_t)
+-corenet_tcp_sendrecv_all_ports(telepathy_sofiasip_t)
+-
+ corenet_dontaudit_tcp_bind_all_ports(telepathy_sofiasip_t)
+-
+-corenet_sendrecv_sip_client_packets(telepathy_sofiasip_t)
+ corenet_tcp_connect_sip_port(telepathy_sofiasip_t)
+-corenet_tcp_sendrecv_sip_port(telepathy_sofiasip_t)
++corenet_sendrecv_sip_client_packets(telepathy_sofiasip_t)
+
+ kernel_request_load_module(telepathy_sofiasip_t)
+
+ tunable_policy(`telepathy_connect_all_ports',`
+- corenet_sendrecv_all_client_packets(telepathy_sofiasip_t)
+ corenet_tcp_connect_all_ports(telepathy_sofiasip_t)
+ corenet_tcp_sendrecv_all_ports(telepathy_sofiasip_t)
++ corenet_udp_sendrecv_all_ports(telepathy_sofiasip_t)
+ ')
+
+ tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
+- corenet_sendrecv_generic_client_packets(telepathy_sofiasip_t)
+ corenet_tcp_connect_generic_port(telepathy_sofiasip_t)
+- corenet_tcp_sendrecv_generic_port(telepathy_sofiasip_t)
++ corenet_sendrecv_generic_client_packets(telepathy_sofiasip_t)
+ ')
+ #######################################
+ #
+-# Sunshine local policy
++# Telepathy Sunshine local policy.
+ #
+
+ manage_dirs_pattern(telepathy_sunshine_t, telepathy_sunshine_home_t, telepathy_sunshine_home_t)
+ manage_files_pattern(telepathy_sunshine_t, telepathy_sunshine_home_t, telepathy_sunshine_home_t)
+-userdom_user_home_dir_filetrans(telepathy_sunshine_t, telepathy_sunshine_home_t, dir, ".telepathy-sunshine")
++userdom_user_home_dir_filetrans(telepathy_sunshine_t, telepathy_sunshine_home_t, { dir file })
++userdom_search_user_home_dirs(telepathy_sunshine_t)
+
+ manage_files_pattern(telepathy_sunshine_t, telepathy_sunshine_tmp_t, telepathy_sunshine_tmp_t)
++exec_files_pattern(telepathy_sunshine_t, telepathy_sunshine_tmp_t, telepathy_sunshine_tmp_t)
+ files_tmp_filetrans(telepathy_sunshine_t, telepathy_sunshine_tmp_t, file)
+
+-can_exec(telepathy_sunshine_t, telepathy_sunshine_tmp_t)
+-
corecmd_exec_bin(telepathy_sunshine_t)
--files_read_etc_files(telepathy_sunshine_t)
-files_read_usr_files(telepathy_sunshine_t)
-
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_dirs(telepathy_sunshine_t)
+- fs_manage_nfs_files(telepathy_sunshine_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(telepathy_sunshine_t)
+- fs_manage_cifs_files(telepathy_sunshine_t)
+-')
+-
optional_policy(`
xserver_read_xdm_pid(telepathy_sunshine_t)
xserver_stream_connect(telepathy_sunshine_t)
-@@ -361,18 +392,33 @@ allow telepathy_domain self:fifo_file rw_fifo_file_perms;
- allow telepathy_domain self:tcp_socket create_socket_perms;
- allow telepathy_domain self:udp_socket create_socket_perms;
+@@ -452,31 +384,41 @@ optional_policy(`
+
+ #######################################
+ #
+-# Common telepathy domain local policy
++# telepathy domains common policy
+ #
+
+ allow telepathy_domain self:process { getsched signal sigkill };
+ allow telepathy_domain self:fifo_file rw_fifo_file_perms;
++allow telepathy_domain self:tcp_socket create_socket_perms;
++allow telepathy_domain self:udp_socket create_socket_perms;
-+manage_dirs_pattern(telepathy_domain, telepathy_cache_home_t, telepathy_cache_home_t)
+ manage_dirs_pattern(telepathy_domain, telepathy_cache_home_t, telepathy_cache_home_t)
+-# gnome_cache_filetrans(telepathy_domain, telepathy_cache_home_t, dir, "telepathy")
+-
+-manage_dirs_pattern(telepathy_domain, telepathy_data_home_t, telepathy_data_home_t)
+-# gnome_data_filetrans(telepathy_domain, telepathy_data_home_t, dir, "telepathy")
+optional_policy(`
+ gnome_cache_filetrans(telepathy_domain, telepathy_cache_home_t, dir, "telepathy")
+')
-+
+
dev_read_urand(telepathy_domain)
-kernel_read_system_state(telepathy_domain)
+files_read_etc_files(telepathy_domain)
+files_read_usr_files(telepathy_domain)
-+fs_getattr_all_fs(telepathy_domain)
+ fs_getattr_all_fs(telepathy_domain)
fs_search_auto_mountpoints(telepathy_domain)
-
-miscfiles_read_localization(telepathy_domain)
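Review bot: The Sunshine section replaces upstream's name-based transition `userdom_user_home_dir_filetrans(telepathy_sunshine_t, telepathy_sunshine_home_t, dir, ".telepathy-sunshine")` with the unnamed `userdom_user_home_dir_filetrans(telepathy_sunshine_t, telepathy_sunshine_home_t, { dir file })`, so every file or directory the daemon creates directly in $HOME becomes telepathy_sunshine_home_t rather than only the expected dotdir. Named transitions are already used elsewhere in this same patch (the tftp.if `files_etc_filetrans(..., file, "tftp")` rule), so toolchain support does not appear to be the reason; if the broader rule is deliberate it deserves a comment, e.g. `# sunshine creates more than .telepathy-sunshine in $HOME -- unnamed transition on purpose`, otherwise keep the named form. The common telepathy_domain block at the end of this hunk continues past the hunk.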
@@ -66948,50 +76600,20 @@ index 964978b..6cc7ecd 100644
+optional_policy(`
xserver_rw_xdm_pipes(telepathy_domain)
')
-diff --git a/telnet.if b/telnet.if
-index 58e7ec0..e4119f7 100644
---- a/telnet.if
-+++ b/telnet.if
-@@ -1 +1,19 @@
- ## <summary>Telnet daemon</summary>
-+
-+########################################
-+## <summary>
-+## Read and write a telnetd domain pty.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`telnet_use_ptys',`
-+ gen_require(`
-+ type telnetd_devpts_t;
-+ ')
-+
-+ allow $1 telnetd_devpts_t:chr_file rw_inherited_term_perms;
-+')
diff --git a/telnet.te b/telnet.te
-index 3858d35..62dca46 100644
+index 9f89916..6a317d0 100644
--- a/telnet.te
+++ b/telnet.te
-@@ -24,21 +24,20 @@ files_pid_file(telnetd_var_run_t)
- # Local policy
- #
-
--allow telnetd_t self:capability { fsetid chown fowner sys_tty_config dac_override };
-+allow telnetd_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override };
+@@ -26,13 +26,17 @@ files_pid_file(telnetd_var_run_t)
+ allow telnetd_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override };
allow telnetd_t self:process signal_perms;
allow telnetd_t self:fifo_file rw_fifo_file_perms;
- allow telnetd_t self:tcp_socket connected_stream_socket_perms;
- allow telnetd_t self:udp_socket create_socket_perms;
- # for identd; cjp: this should probably only be inetd_child rules?
- allow telnetd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
--allow telnetd_t self:capability { setuid setgid };
++allow telnetd_t self:tcp_socket connected_stream_socket_perms;
++allow telnetd_t self:udp_socket create_socket_perms;
++# for identd; cjp: this should probably only be inetd_child rules?
++allow telnetd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
--allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr };
-+allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
+ allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
+
term_create_pty(telnetd_t, telnetd_devpts_t)
@@ -67001,7 +76623,7 @@ index 3858d35..62dca46 100644
manage_files_pattern(telnetd_t, telnetd_var_run_t, telnetd_var_run_t)
files_pid_filetrans(telnetd_t, telnetd_var_run_t, file)
-@@ -47,7 +46,6 @@ kernel_read_kernel_sysctls(telnetd_t)
+@@ -41,7 +45,6 @@ kernel_read_kernel_sysctls(telnetd_t)
kernel_read_system_state(telnetd_t)
kernel_read_network_state(telnetd_t)
@@ -67009,15 +76631,21 @@ index 3858d35..62dca46 100644
corenet_all_recvfrom_netlabel(telnetd_t)
corenet_tcp_sendrecv_generic_if(telnetd_t)
corenet_udp_sendrecv_generic_if(telnetd_t)
-@@ -68,7 +66,6 @@ auth_use_nsswitch(telnetd_t)
- corecmd_search_bin(telnetd_t)
+@@ -56,7 +59,6 @@ dev_read_urand(telnetd_t)
+
+ domain_interactive_fd(telnetd_t)
- files_read_usr_files(telnetd_t)
--files_read_etc_files(telnetd_t)
+-files_read_usr_files(telnetd_t)
files_read_etc_runtime_files(telnetd_t)
- # for identd; cjp: this should probably only be inetd_child rules?
files_search_home(telnetd_t)
-@@ -77,14 +74,12 @@ init_rw_utmp(telnetd_t)
+
+@@ -65,16 +67,18 @@ fs_getattr_xattr_fs(telnetd_t)
+ auth_rw_login_records(telnetd_t)
+ auth_use_nsswitch(telnetd_t)
+
++corecmd_search_bin(telnetd_t)
++
+ init_rw_utmp(telnetd_t)
logging_send_syslog_msg(telnetd_t)
@@ -67025,8 +76653,6 @@ index 3858d35..62dca46 100644
-
seutil_read_config(telnetd_t)
--remotelogin_domtrans(telnetd_t)
--
userdom_search_user_home_dirs(telnetd_t)
userdom_setattr_user_ptys(telnetd_t)
+userdom_manage_user_tmp_files(telnetd_t)
@@ -67034,136 +76660,217 @@ index 3858d35..62dca46 100644
tunable_policy(`use_nfs_home_dirs',`
fs_search_nfs(telnetd_t)
-@@ -96,5 +91,10 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -86,7 +90,7 @@ tunable_policy(`use_samba_home_dirs',`
optional_policy(`
kerberos_keytab_template(telnetd, telnetd_t)
+- kerberos_tmp_filetrans_host_rcache(telnetd_t, file, "host_0")
+ kerberos_tmp_filetrans_host_rcache(telnetd_t, "host_0")
kerberos_manage_host_rcache(telnetd_t)
')
-+
-+optional_policy(`
-+ remotelogin_domtrans(telnetd_t)
-+')
+
diff --git a/tftp.fc b/tftp.fc
-index 25eee43..621f343 100644
+index 93a5bf4..621f343 100644
--- a/tftp.fc
+++ b/tftp.fc
-@@ -1,3 +1,4 @@
+@@ -1,9 +1,9 @@
+-/etc/xinetd\.d/tftp -- gen_context(system_u:object_r:tftpd_conf_t,s0)
+/etc/xinetd\.d/tftp -- gen_context(system_u:object_r:tftpd_etc_t,s0)
/usr/sbin/atftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0)
/usr/sbin/in\.tftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0)
+
+-/tftpboot -d gen_context(system_u:object_r:tftpdir_t,s0)
+-/tftpboot/.* gen_context(system_u:object_r:tftpdir_t,s0)
++/tftpboot -d gen_context(system_u:object_r:tftpdir_t,s0)
++/tftpboot/.* gen_context(system_u:object_r:tftpdir_t,s0)
+
+-/var/lib/tftpboot(/.*)? gen_context(system_u:object_r:tftpdir_rw_t,s0)
++/var/lib/tftpboot(/.*)? gen_context(system_u:object_r:tftpdir_rw_t,s0)
diff --git a/tftp.if b/tftp.if
-index 38bb312..d9fe23c 100644
+index 9957e30..cf0b925 100644
--- a/tftp.if
+++ b/tftp.if
-@@ -13,9 +13,34 @@
+@@ -1,8 +1,8 @@
+-## <summary>Trivial file transfer protocol daemon.</summary>
++## <summary>Trivial file transfer protocol daemon</summary>
+
+ ########################################
+ ## <summary>
+-## Read tftp content files.
++## Read tftp content
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -13,18 +13,21 @@
interface(`tftp_read_content',`
gen_require(`
type tftpdir_t;
+ type tftpdir_rw_t;
')
+- files_search_var_lib($1)
+- allow $1 tftpdir_t:dir list_dir_perms;
+- allow $1 tftpdir_t:file read_file_perms;
+- allow $1 tftpdir_t:lnk_file read_lnk_file_perms;
+ list_dirs_pattern($1, tftpdir_t, tftpdir_t)
- read_files_pattern($1, tftpdir_t, tftpdir_t)
++ read_files_pattern($1, tftpdir_t, tftpdir_t)
+ read_lnk_files_pattern($1, tftpdir_t, tftpdir_t)
+
++ list_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
+ read_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
+ read_lnk_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete
+-## tftp rw content.
+## Search tftp /var/lib directories.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -32,20 +35,18 @@ interface(`tftp_read_content',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`tftp_manage_rw_content',`
+interface(`tftp_search_rw_content',`
-+ gen_require(`
-+ type tftpdir_rw_t;
-+ ')
-+
+ gen_require(`
+ type tftpdir_rw_t;
+ ')
+
+ search_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
-+ files_search_var_lib($1)
+ files_search_var_lib($1)
+- allow $1 tftpdir_rw_t:dir manage_dir_perms;
+- allow $1 tftpdir_rw_t:file manage_file_perms;
+- allow $1 tftpdir_rw_t:lnk_file manage_lnk_file_perms;
')
########################################
-@@ -40,6 +65,91 @@ interface(`tftp_manage_rw_content',`
+ ## <summary>
+-## Read tftpd configuration files.
++## Manage tftp /var/lib files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -53,19 +54,19 @@ interface(`tftp_manage_rw_content',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`tftp_read_config_files',`
++interface(`tftp_manage_rw_content',`
+ gen_require(`
+- type tftpd_conf_t;
++ type tftpdir_rw_t;
+ ')
+
+- files_search_etc($1)
+- allow $1 tftpd_conf_t:file read_file_perms;
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
++ manage_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
+ ')
########################################
## <summary>
+-## Create, read, write, and delete
+-## tftpd configuration files.
+## Read tftp config files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -73,55 +74,44 @@ interface(`tftp_read_config_files',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`tftp_manage_config_files',`
+interface(`tftp_read_config',`
-+ gen_require(`
+ gen_require(`
+- type tftpd_conf_t;
+ type tftpd_etc_t;
-+ ')
-+
+ ')
+
+- files_search_etc($1)
+- allow $1 tftpd_conf_t:file manage_file_perms;
+ read_files_pattern($1, tftpd_etc_t, tftpd_etc_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Create objects in etc directories
+-## with tftp conf type.
+## Manage tftp config files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed to transition.
+-## </summary>
+-## </param>
+-## <param name="object_class">
+-## <summary>
+-## Class of the object being created.
+-## </summary>
+-## </param>
+-## <param name="name" optional="true">
+-## <summary>
+-## The name of the object being created.
+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+ #
+-interface(`tftp_etc_filetrans_config',`
+interface(`tftp_manage_config',`
-+ gen_require(`
+ gen_require(`
+- type tftp_conf_t;
+ type tftpd_etc_t;
-+ ')
-+
+ ')
+
+- files_etc_filetrans($1, tftp_conf_t, $2, $3)
+ manage_files_pattern($1, tftpd_etc_t, tftpd_etc_t)
+ files_etc_filetrans($1, tftpd_etc_t, file, "tftp")
-+')
-+
-+########################################
-+## <summary>
-+## Create objects in tftpdir directories
+ ')
+
+ ########################################
+ ## <summary>
+ ## Create objects in tftpdir directories
+-## with a private type.
+## with specified types.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <param name="private_type">
+## <param name="file_type">
-+## <summary>
-+## Private file type.
-+## </summary>
-+## </param>
-+## <param name="object_class">
-+## <summary>
-+## Class of the object being created.
-+## </summary>
-+## </param>
-+#
-+interface(`tftp_filetrans_tftpdir',`
-+ gen_require(`
-+ type tftpdir_rw_t;
-+ ')
-+
+ ## <summary>
+ ## Private file type.
+ ## </summary>
+@@ -131,25 +121,38 @@ interface(`tftp_etc_filetrans_config',`
+ ## Class of the object being created.
+ ## </summary>
+ ## </param>
+-## <param name="name" optional="true">
+-## <summary>
+-## The name of the object being created.
+-## </summary>
+-## </param>
+ #
+ interface(`tftp_filetrans_tftpdir',`
+ gen_require(`
+ type tftpdir_rw_t;
+ ')
+
+ filetrans_pattern($1, tftpdir_rw_t, $2, $3)
-+ files_search_var_lib($1)
-+')
-+
-+########################################
-+## <summary>
+ files_search_var_lib($1)
+- filetrans_pattern($1, tftpdir_rw_t, $2, $3, $4)
+ ')
+
+ ########################################
+ ## <summary>
+-## All of the rules required to
+-## administrate an tftp environment.
+## Transition to tftp named content
+## </summary>
+## <param name="domain">
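Review bot: `tftp_filetrans_tftpdir` now calls `filetrans_pattern($1, tftpdir_rw_t, $2, $3)` and drops the optional name argument that the upstream version it replaces forwarded as `$4`, together with its `<param name="name" optional="true">` documentation. m4 silently ignores extra arguments, so a caller written against the upstream signature that passes a filename will get an unrestricted transition on every object of that class instead of an error. Forwarding the argument costs nothing when it is empty: `filetrans_pattern($1, tftpdir_rw_t, $2, $3, $4)`, and the name parameter doc should come back with it.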
@@ -67182,25 +76889,34 @@ index 38bb312..d9fe23c 100644
+
+########################################
+## <summary>
- ## All of the rules required to administrate
- ## an tftp environment
++## All of the rules required to administrate
++## an tftp environment
## </summary>
-@@ -55,8 +165,13 @@ interface(`tftp_admin',`
+ ## <param name="domain">
+ ## <summary>
+@@ -161,18 +164,22 @@ interface(`tftp_filetrans_tftpdir',`
+ interface(`tftp_admin',`
+ gen_require(`
type tftpd_t, tftpdir_t, tftpdir_rw_t, tftpd_var_run_t;
+- type tftpd_conf_t;
')
-- allow $1 tftpd_t:process { ptrace signal_perms getattr };
+- allow $1 tftpd_t:process { ptrace signal_perms };
+ allow $1 tftpd_t:process signal_perms;
ps_process_pattern($1, tftpd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 tftpd_t:process ptrace;
+ ')
-+
-+ files_list_var_lib($1)
- admin_pattern($1, tftpdir_rw_t)
+- files_search_etc($1)
+- admin_pattern($1, tftpd_conf_t)
++ files_list_var_lib($1)
-@@ -64,4 +179,6 @@ interface(`tftp_admin',`
+- files_search_var_lib($1)
+- admin_pattern($1, { tftpdir_t tftpdir_rw_t })
++ admin_pattern($1, tftpdir_rw_t)
++
++ admin_pattern($1, tftpdir_t)
files_list_pids($1)
admin_pattern($1, tftpd_var_run_t)
@@ -67208,24 +76924,55 @@ index 38bb312..d9fe23c 100644
+ tftp_manage_config($1)
')
diff --git a/tftp.te b/tftp.te
-index d50c10d..d2778d3 100644
+index f455e70..d2778d3 100644
--- a/tftp.te
+++ b/tftp.te
-@@ -13,6 +13,13 @@ policy_module(tftp, 1.12.0)
+@@ -1,4 +1,4 @@
+-policy_module(tftp, 1.12.4)
++policy_module(tftp, 1.12.0)
+
+ ########################################
+ #
+@@ -6,30 +6,24 @@ policy_module(tftp, 1.12.4)
+ #
+
+ ## <desc>
+-## <p>
+-## Determine whether tftp can modify
+-## public files used for public file
+-## transfer services. Directories/Files must
+-## be labeled public_content_rw_t.
+-## </p>
++## <p>
++## Allow tftp to modify public files
++## used for public file transfer services.
++## </p>
## </desc>
gen_tunable(tftp_anon_write, false)
-+## <desc>
+ ## <desc>
+-## <p>
+-## Determine whether tftp can manage
+-## generic user home content.
+-## </p>
+## <p>
+## Allow tftp to read and write files in the user home directories
+## </p>
-+## </desc>
+ ## </desc>
+-gen_tunable(tftp_enable_homedir, false)
+gen_tunable(tftp_home_dir, false)
-+
+
type tftpd_t;
type tftpd_exec_t;
init_daemon_domain(tftpd_t, tftpd_exec_t)
-@@ -26,21 +33,26 @@ files_type(tftpdir_t)
+
+-type tftpd_conf_t;
+-files_config_file(tftpd_conf_t)
+-
+ type tftpd_var_run_t;
+ files_pid_file(tftpd_var_run_t)
+
+@@ -39,6 +33,9 @@ files_type(tftpdir_t)
type tftpdir_rw_t;
files_type(tftpdir_rw_t)
@@ -67235,42 +76982,64 @@ index d50c10d..d2778d3 100644
########################################
#
# Local policy
- #
+@@ -46,15 +43,17 @@ files_type(tftpdir_rw_t)
allow tftpd_t self:capability { setgid setuid sys_chroot };
-+dontaudit tftpd_t self:capability sys_tty_config;
- allow tftpd_t self:tcp_socket create_stream_socket_perms;
- allow tftpd_t self:udp_socket create_socket_perms;
- allow tftpd_t self:unix_dgram_socket create_socket_perms;
- allow tftpd_t self:unix_stream_socket create_stream_socket_perms;
--dontaudit tftpd_t self:capability sys_tty_config;
+ dontaudit tftpd_t self:capability sys_tty_config;
+-allow tftpd_t self:tcp_socket { accept listen };
+-allow tftpd_t self:unix_stream_socket { accept listen };
+-
+-allow tftpd_t tftpd_conf_t:file read_file_perms;
++allow tftpd_t self:tcp_socket create_stream_socket_perms;
++allow tftpd_t self:udp_socket create_socket_perms;
++allow tftpd_t self:unix_dgram_socket create_socket_perms;
++allow tftpd_t self:unix_stream_socket create_stream_socket_perms;
allow tftpd_t tftpdir_t:dir list_dir_perms;
allow tftpd_t tftpdir_t:file read_file_perms;
--allow tftpd_t tftpdir_t:lnk_file { getattr read };
-+allow tftpd_t tftpdir_t:lnk_file read_lnk_file_perms;
-+
-+read_files_pattern(tftpd_t, tftpd_etc_t, tftpd_etc_t)
+ allow tftpd_t tftpdir_t:lnk_file read_lnk_file_perms;
++read_files_pattern(tftpd_t, tftpd_etc_t, tftpd_etc_t)
++
manage_dirs_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
manage_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
-@@ -52,7 +64,6 @@ files_pid_filetrans(tftpd_t, tftpd_var_run_t, file)
+ manage_lnk_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
+@@ -65,18 +64,23 @@ files_pid_filetrans(tftpd_t, tftpd_var_run_t, file)
kernel_read_system_state(tftpd_t)
kernel_read_kernel_sysctls(tftpd_t)
-corenet_all_recvfrom_unlabeled(tftpd_t)
corenet_all_recvfrom_netlabel(tftpd_t)
- corenet_tcp_sendrecv_generic_if(tftpd_t)
++corenet_tcp_sendrecv_generic_if(tftpd_t)
corenet_udp_sendrecv_generic_if(tftpd_t)
-@@ -72,7 +83,6 @@ fs_search_auto_mountpoints(tftpd_t)
++corenet_tcp_sendrecv_generic_node(tftpd_t)
+ corenet_udp_sendrecv_generic_node(tftpd_t)
++corenet_tcp_sendrecv_all_ports(tftpd_t)
++corenet_udp_sendrecv_all_ports(tftpd_t)
++corenet_tcp_bind_generic_node(tftpd_t)
+ corenet_udp_bind_generic_node(tftpd_t)
+-
+-corenet_sendrecv_tftp_server_packets(tftpd_t)
+ corenet_udp_bind_tftp_port(tftpd_t)
+-corenet_udp_sendrecv_tftp_port(tftpd_t)
++corenet_sendrecv_tftp_server_packets(tftpd_t)
+
+ dev_read_sysfs(tftpd_t)
++fs_getattr_all_fs(tftpd_t)
++fs_search_auto_mountpoints(tftpd_t)
++
domain_use_interactive_fds(tftpd_t)
--files_read_etc_files(tftpd_t)
files_read_etc_runtime_files(tftpd_t)
- files_read_var_files(tftpd_t)
+@@ -84,43 +88,44 @@ files_read_var_files(tftpd_t)
files_read_var_symlinks(tftpd_t)
-@@ -82,7 +92,6 @@ auth_use_nsswitch(tftpd_t)
+ files_search_var(tftpd_t)
+
+-fs_getattr_all_fs(tftpd_t)
+-fs_search_auto_mountpoints(tftpd_t)
+-
+ auth_use_nsswitch(tftpd_t)
logging_send_syslog_msg(tftpd_t)
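Review bot: tftpd_t, a UDP-only service whose only bind rule is `corenet_udp_bind_tftp_port(tftpd_t)`, additionally gets `corenet_tcp_sendrecv_all_ports(tftpd_t)`, `corenet_udp_sendrecv_all_ports(tftpd_t)`, `corenet_tcp_bind_generic_node(tftpd_t)` and the generic TCP if/node rules, where the upstream version this hunk replaces confined it to the tftp port and server packets. If the wider UDP grant exists because replies go to clients' ephemeral ports, `corenet_udp_sendrecv_generic_port(tftpd_t)` expresses that without covering every labeled port, and the TCP rules look unneeded unless a specific deployment (an inetd-spawned server inheriting a TCP socket, presumably) requires them. Either tighten them or add a why-comment naming that deployment, e.g. `# atftpd/in.tftpd under xinetd inherit a TCP listener -- to confirm`, so the broadened network surface is a recorded decision.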
@@ -67278,15 +77047,24 @@ index d50c10d..d2778d3 100644
miscfiles_read_public_files(tftpd_t)
userdom_dontaudit_use_unpriv_user_fds(tftpd_t)
-@@ -93,6 +102,36 @@ tunable_policy(`tftp_anon_write',`
+ userdom_dontaudit_use_user_terminals(tftpd_t)
+-userdom_user_home_dir_filetrans_user_home_content(tftpd_t, { dir file lnk_file })
++userdom_dontaudit_search_user_home_dirs(tftpd_t)
+
+ tunable_policy(`tftp_anon_write',`
miscfiles_manage_public_files(tftpd_t)
')
+-tunable_policy(`tftp_enable_homedir',`
+- allow tftpd_t self:capability { dac_override dac_read_search };
+tunable_policy(`tftp_home_dir',`
+ allow tftpd_t self:capability { dac_override dac_read_search };
-+
+
+ # allow access to /home
-+ files_list_home(tftpd_t)
+ files_list_home(tftpd_t)
+- userdom_manage_user_home_content_dirs(tftpd_t)
+- userdom_manage_user_home_content_files(tftpd_t)
+- userdom_manage_user_home_content_symlinks(tftpd_t)
+ userdom_read_user_home_content_files(tftpd_t)
+ userdom_manage_user_home_content(tftpd_t)
+
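Review bot: Inside the `tftp_home_dir` tunable, `userdom_read_user_home_content_files(tftpd_t)` is subsumed by the `userdom_manage_user_home_content(tftpd_t)` rule on the next line (manage includes read), so the first call is redundant and can be dropped. More importantly, with the boolean on, an unauthenticated network daemon gains `dac_override dac_read_search` plus write access to every user's home content, which the tunable's `<desc>` earlier in the file states only as "read and write files in the user home directories"; a comment here such as `# WARNING: tftp is unauthenticated -- this exposes all users' home content to the network` would make the risk explicit to whoever toggles it. The tunable_policy block continues into the next hunk with its else branch.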
@@ -67296,121 +77074,72 @@ index d50c10d..d2778d3 100644
+',`
+ # Needed for permissive mode, to make sure everything gets labeled correctly
+ userdom_user_home_dir_filetrans_pattern(tftpd_t, { dir file lnk_file })
-+')
-+
+ ')
+
+-tunable_policy(`tftp_enable_homedir && use_nfs_home_dirs',`
+- fs_manage_nfs_dirs(tftpd_t)
+- fs_manage_nfs_files(tftpd_t)
+- fs_read_nfs_symlinks(tftpd_t)
+tunable_policy(`tftp_home_dir && use_nfs_home_dirs',`
+ fs_manage_nfs_files(tftpd_t)
+ fs_read_nfs_symlinks(tftpd_t)
-+')
-+
+ ')
+
+-tunable_policy(`tftp_enable_homedir && use_samba_home_dirs',`
+- fs_manage_cifs_dirs(tftpd_t)
+- fs_manage_cifs_files(tftpd_t)
+- fs_read_cifs_symlinks(tftpd_t)
+tunable_policy(`tftp_home_dir && use_samba_home_dirs',`
+ fs_manage_cifs_files(tftpd_t)
+ fs_read_cifs_symlinks(tftpd_t)
-+')
-+
-+optional_policy(`
-+ cobbler_read_lib_files(tftpd_t)
-+')
-+
- optional_policy(`
- inetd_udp_service_domain(tftpd_t, tftpd_exec_t)
')
+
+ optional_policy(`
diff --git a/tgtd.fc b/tgtd.fc
-index 8294f6f..4847b43 100644
+index 38389e6..4847b43 100644
--- a/tgtd.fc
+++ b/tgtd.fc
-@@ -1,3 +1,4 @@
- /etc/rc\.d/init\.d/tgtd -- gen_context(system_u:object_r:tgtd_initrc_exec_t,s0)
- /usr/sbin/tgtd -- gen_context(system_u:object_r:tgtd_exec_t,s0)
- /var/lib/tgtd(/.*)? gen_context(system_u:object_r:tgtd_var_lib_t,s0)
+@@ -1,7 +1,4 @@
+-/etc/rc\.d/init\.d/tgtd -- gen_context(system_u:object_r:tgtd_initrc_exec_t,s0)
+-
+-/usr/sbin/tgtd -- gen_context(system_u:object_r:tgtd_exec_t,s0)
+-
+-/var/lib/tgtd(/.*)? gen_context(system_u:object_r:tgtd_var_lib_t,s0)
+-
+-/var/run/tgtd.* -s gen_context(system_u:object_r:tgtd_var_run_t,s0)
++/etc/rc\.d/init\.d/tgtd -- gen_context(system_u:object_r:tgtd_initrc_exec_t,s0)
++/usr/sbin/tgtd -- gen_context(system_u:object_r:tgtd_exec_t,s0)
++/var/lib/tgtd(/.*)? gen_context(system_u:object_r:tgtd_var_lib_t,s0)
+/var/run/tgtd.* -s gen_context(system_u:object_r:tgtd_var_run_t,s0)
-diff --git a/tgtd.if b/tgtd.if
-index c2ed23a..d9e875d 100644
---- a/tgtd.if
-+++ b/tgtd.if
-@@ -44,3 +44,22 @@ interface(`tgtd_manage_semaphores',`
-
- allow $1 tgtd_t:sem create_sem_perms;
- ')
-+
-+######################################
-+## <summary>
-+## Connect to tgtd using a unix domain stream socket.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`tgtd_stream_connect',`
-+ gen_require(`
-+ type tgtd_t, tgtd_var_run_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ stream_connect_pattern($1, tgtd_var_run_t, tgtd_var_run_t, tgtd_t)
-+')
diff --git a/tgtd.te b/tgtd.te
-index 80fe75c..6e81911 100644
+index c93c973..0eff459 100644
--- a/tgtd.te
+++ b/tgtd.te
-@@ -21,15 +21,19 @@ files_tmpfs_file(tgtd_tmpfs_t)
- type tgtd_var_lib_t;
- files_type(tgtd_var_lib_t)
-
-+type tgtd_var_run_t;
-+files_pid_file(tgtd_var_run_t)
-+
- ########################################
- #
- # TGTD personal policy.
- #
-
- allow tgtd_t self:capability sys_resource;
-+allow tgtd_t self:capability2 block_suspend;
- allow tgtd_t self:process { setrlimit signal };
- allow tgtd_t self:fifo_file rw_fifo_file_perms;
--allow tgtd_t self:netlink_route_socket { create_socket_perms nlmsg_read };
-+allow tgtd_t self:netlink_route_socket create_netlink_socket_perms;
- allow tgtd_t self:shm create_shm_perms;
- allow tgtd_t self:sem create_sem_perms;
- allow tgtd_t self:tcp_socket create_stream_socket_perms;
-@@ -46,10 +50,15 @@ manage_dirs_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t)
- manage_files_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t)
- files_var_lib_filetrans(tgtd_t, tgtd_var_lib_t, { dir file })
-
-+manage_dirs_pattern(tgtd_t, tgtd_var_run_t,tgtd_var_run_t)
-+manage_files_pattern(tgtd_t, tgtd_var_run_t,tgtd_var_run_t)
-+manage_sock_files_pattern(tgtd_t, tgtd_var_run_t,tgtd_var_run_t)
-+files_pid_filetrans(tgtd_t,tgtd_var_run_t, { file sock_file })
-+
-+kernel_read_system_state(tgtd_t)
+@@ -58,7 +58,6 @@ kernel_read_system_state(tgtd_t)
kernel_read_fs_sysctls(tgtd_t)
corenet_all_recvfrom_netlabel(tgtd_t)
-corenet_all_recvfrom_unlabeled(tgtd_t)
corenet_tcp_sendrecv_generic_if(tgtd_t)
corenet_tcp_sendrecv_generic_node(tgtd_t)
- corenet_tcp_sendrecv_iscsi_port(tgtd_t)
-@@ -57,10 +66,16 @@ corenet_tcp_bind_generic_node(tgtd_t)
- corenet_tcp_bind_iscsi_port(tgtd_t)
- corenet_sendrecv_iscsi_server_packets(tgtd_t)
+ corenet_tcp_bind_generic_node(tgtd_t)
+@@ -69,16 +68,12 @@ corenet_tcp_sendrecv_iscsi_port(tgtd_t)
-+dev_read_sysfs(tgtd_t)
-+
- files_read_etc_files(tgtd_t)
+ dev_read_sysfs(tgtd_t)
+
+-files_read_etc_files(tgtd_t)
+-
+ fs_read_anon_inodefs_files(tgtd_t)
-+fs_read_anon_inodefs_files(tgtd_t)
-+
storage_manage_fixed_disk(tgtd_t)
logging_send_syslog_msg(tgtd_t)
-miscfiles_read_localization(tgtd_t)
-+optional_policy(`
-+ iscsi_manage_semaphores(tgtd_t)
-+')
+-
+ optional_policy(`
+ iscsi_manage_semaphores(tgtd_t)
+ ')
diff --git a/thin.fc b/thin.fc
new file mode 100644
index 0000000..7f4bce8
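Review bot: The new `tgtd.fc` hunk (`@@ -1,7 +1,4 @@`) removes upstream's seven lines and re-adds the same four file-context entries with the blank lines stripped, so it changes no labeling at all and is pure diff noise against the base; drop it so the next rebase does not carry it. The rebased patch also no longer adds `tgtd_var_run_t`, the `tgtd_stream_connect` interface or the `tgtd.if` changes, and `kernel_read_system_state(tgtd_t)`, `dev_read_sysfs(tgtd_t)`, `fs_read_anon_inodefs_files(tgtd_t)` and `iscsi_manage_semaphores(tgtd_t)` now appear as context, which reads as those having landed upstream, though nothing in the hunk proves it. Before shipping, confirm that `tgtd.if` at the new index still exports `tgtd_stream_connect` with the same signature, since any local module calling it will fail to build otherwise. The tftpd tunable blocks at the top of this hunk start outside it.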
@@ -67749,10 +77478,10 @@ index 0000000..9127cec
+')
diff --git a/thumb.te b/thumb.te
new file mode 100644
-index 0000000..572ab5d
+index 0000000..0f9dcc7
--- /dev/null
+++ b/thumb.te
-@@ -0,0 +1,126 @@
+@@ -0,0 +1,130 @@
+policy_module(thumb, 1.0.0)
+
+########################################
@@ -67879,38 +77608,34 @@ index 0000000..572ab5d
+ gnome_cache_filetrans(thumb_t, thumb_home_t, dir, "thumbnails")
+ gnome_cache_filetrans(thumb_t, thumb_home_t, file)
+')
++
++optional_policy(`
++ nscd_dontaudit_write_sock_file(thumb_t)
++')
diff --git a/thunderbird.te b/thunderbird.te
-index bf37d98..0d863fc 100644
+index 4257ede..cddc4c6 100644
--- a/thunderbird.te
+++ b/thunderbird.te
-@@ -54,7 +54,6 @@ kernel_read_system_state(thunderbird_t)
- # Startup shellscript
+@@ -53,7 +53,6 @@ kernel_read_system_state(thunderbird_t)
+
corecmd_exec_shell(thunderbird_t)
-corenet_all_recvfrom_unlabeled(thunderbird_t)
corenet_all_recvfrom_netlabel(thunderbird_t)
corenet_tcp_sendrecv_generic_if(thunderbird_t)
corenet_tcp_sendrecv_generic_node(thunderbird_t)
-@@ -82,7 +81,6 @@ dev_dontaudit_search_sysfs(thunderbird_t)
-
- files_list_tmp(thunderbird_t)
- files_read_usr_files(thunderbird_t)
--files_read_etc_files(thunderbird_t)
- files_read_etc_runtime_files(thunderbird_t)
- files_read_var_files(thunderbird_t)
- files_read_var_symlinks(thunderbird_t)
-@@ -99,7 +97,6 @@ fs_search_auto_mountpoints(thunderbird_t)
+@@ -98,7 +97,6 @@ fs_search_auto_mountpoints(thunderbird_t)
auth_use_nsswitch(thunderbird_t)
miscfiles_read_fonts(thunderbird_t)
-miscfiles_read_localization(thunderbird_t)
- userdom_manage_user_tmp_dirs(thunderbird_t)
- userdom_read_user_tmp_files(thunderbird_t)
-@@ -112,17 +109,7 @@ xserver_read_xdm_tmp_files(thunderbird_t)
+ userdom_write_user_tmp_sockets(thunderbird_t)
+
+@@ -113,17 +111,8 @@ xserver_user_x_domain_template(thunderbird, thunderbird_t, thunderbird_tmpfs_t)
+ xserver_read_xdm_tmp_files(thunderbird_t)
xserver_dontaudit_getattr_xdm_tmp_sockets(thunderbird_t)
- # Access ~/.thunderbird
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(thunderbird_t)
- fs_manage_nfs_files(thunderbird_t)
@@ -67922,16 +77647,17 @@ index bf37d98..0d863fc 100644
- fs_manage_cifs_files(thunderbird_t)
- fs_manage_cifs_symlinks(thunderbird_t)
-')
++# Access ~/.thunderbird
+userdom_home_manager(thunderbird_t)
- tunable_policy(`mail_read_content && use_nfs_home_dirs',`
- files_list_home(thunderbird_t)
+ ifndef(`enable_mls',`
+ fs_search_removable(thunderbird_t)
diff --git a/timidity.te b/timidity.te
-index 67b5592..ccddff5 100644
+index 67ca5c5..4254563 100644
--- a/timidity.te
+++ b/timidity.te
-@@ -39,7 +39,6 @@ kernel_read_kernel_sysctls(timidity_t)
- # read /proc/cpuinfo
+@@ -36,7 +36,6 @@ fs_tmpfs_filetrans(timidity_t, timidity_tmpfs_t, { dir file lnk_file sock_file f
+ kernel_read_kernel_sysctls(timidity_t)
kernel_read_system_state(timidity_t)
-corenet_all_recvfrom_unlabeled(timidity_t)
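Review bot: `userdom_home_manager(thunderbird_t)` replaces two blocks that only granted `fs_manage_nfs_*`/`fs_manage_cifs_*` under `use_nfs_home_dirs`/`use_samba_home_dirs`, and the comment kept above it, `# Access ~/.thunderbird`, describes a narrower intent than an interface called "home manager" suggests. Presumably the interface assigns an attribute to which those NFS/CIFS tunables are applied centrally, but if it also carries unconditional manage rights over local user home content, this widens a network-facing mail client's reach well beyond its profile directory; that should be checked against the interface definition before merging. If the broader grant is intended, say so where the reader will look, e.g. `# Access ~/.thunderbird; userdom_home_manager also covers NFS/CIFS homes when the matching booleans are on`. The thunderbird.te body continues outside the hunk.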
@@ -67939,102 +77665,93 @@ index 67b5592..ccddff5 100644
corenet_tcp_sendrecv_generic_if(timidity_t)
corenet_udp_sendrecv_generic_if(timidity_t)
diff --git a/tmpreaper.te b/tmpreaper.te
-index 0521d5a..b08a00a 100644
+index a4a949c..43988e5 100644
--- a/tmpreaper.te
+++ b/tmpreaper.te
-@@ -7,6 +7,7 @@ policy_module(tmpreaper, 1.6.0)
-
+@@ -8,6 +8,7 @@ policy_module(tmpreaper, 1.6.3)
type tmpreaper_t;
type tmpreaper_exec_t;
-+init_system_domain(tmpreaper_t, tmpreaper_exec_t)
- application_domain(tmpreaper_t, tmpreaper_exec_t)
- role system_r types tmpreaper_t;
+ init_system_domain(tmpreaper_t, tmpreaper_exec_t)
++application_domain(tmpreaper_t, tmpreaper_exec_t)
-@@ -18,33 +19,48 @@ role system_r types tmpreaper_t;
- allow tmpreaper_t self:process { fork sigchld };
- allow tmpreaper_t self:capability { dac_override dac_read_search fowner };
+ ########################################
+ #
+@@ -18,17 +19,25 @@ allow tmpreaper_t self:capability { dac_override dac_read_search fowner };
+
+ kernel_list_unlabeled(tmpreaper_t)
+ kernel_read_system_state(tmpreaper_t)
++kernel_list_unlabeled(tmpreaper_t)
++kernel_delete_unlabeled(tmpreaper_t)
-+kernel_read_system_state(tmpreaper_t)
-+
dev_read_urand(tmpreaper_t)
fs_getattr_xattr_fs(tmpreaper_t)
-+fs_list_all(tmpreaper_t)
+ fs_list_all(tmpreaper_t)
++fs_setattr_tmpfs_dirs(tmpreaper_t)
++fs_delete_tmpfs_files(tmpreaper_t)
--files_read_etc_files(tmpreaper_t)
+-files_getattr_all_dirs(tmpreaper_t)
+-files_getattr_all_files(tmpreaper_t)
files_read_var_lib_files(tmpreaper_t)
files_purge_tmp(tmpreaper_t)
+files_delete_all_non_security_files(tmpreaper_t)
- # why does it need setattr?
++# why does it need setattr?
files_setattr_all_tmp_dirs(tmpreaper_t)
+files_setattr_isid_type_dirs(tmpreaper_t)
+files_setattr_usr_dirs(tmpreaper_t)
- files_getattr_all_dirs(tmpreaper_t)
- files_getattr_all_files(tmpreaper_t)
-+kernel_list_unlabeled(tmpreaper_t)
-+kernel_delete_unlabeled(tmpreaper_t)
++files_getattr_all_dirs(tmpreaper_t)
++files_getattr_all_files(tmpreaper_t)
-+mcs_file_read_all(tmpreaper_t)
-+mcs_file_write_all(tmpreaper_t)
- mls_file_read_all_levels(tmpreaper_t)
- mls_file_write_all_levels(tmpreaper_t)
+ mcs_file_read_all(tmpreaper_t)
+ mcs_file_write_all(tmpreaper_t)
+@@ -39,14 +48,20 @@ auth_use_nsswitch(tmpreaper_t)
-+auth_use_nsswitch(tmpreaper_t)
-+
logging_send_syslog_msg(tmpreaper_t)
-miscfiles_read_localization(tmpreaper_t)
miscfiles_delete_man_pages(tmpreaper_t)
--cron_system_entry(tmpreaper_t, tmpreaper_exec_t)
+optional_policy(`
+ cron_system_entry(tmpreaper_t, tmpreaper_exec_t)
+')
-
++
ifdef(`distro_redhat',`
- userdom_list_user_home_content(tmpreaper_t)
-- userdom_delete_user_home_content_dirs(tmpreaper_t)
-- userdom_delete_user_home_content_files(tmpreaper_t)
-- userdom_delete_user_home_content_symlinks(tmpreaper_t)
+- userdom_list_all_user_home_content(tmpreaper_t)
++ userdom_list_user_home_content(tmpreaper_t)
+ userdom_list_admin_dir(tmpreaper_t)
-+ userdom_delete_all_user_home_content_dirs(tmpreaper_t)
-+ userdom_delete_all_user_home_content_files(tmpreaper_t)
+ userdom_delete_all_user_home_content_dirs(tmpreaper_t)
+ userdom_delete_all_user_home_content_files(tmpreaper_t)
+ userdom_delete_all_user_home_content_sock_files(tmpreaper_t)
-+ userdom_delete_all_user_home_content_symlinks(tmpreaper_t)
+ userdom_delete_all_user_home_content_symlinks(tmpreaper_t)
+ userdom_setattr_all_user_home_content_dirs(tmpreaper_t)
')
optional_policy(`
-@@ -52,7 +68,9 @@ optional_policy(`
+@@ -54,6 +69,7 @@ optional_policy(`
')
optional_policy(`
+ apache_delete_sys_content_rw(tmpreaper_t)
apache_list_cache(tmpreaper_t)
-+ apache_delete_cache_dirs(tmpreaper_t)
+ apache_delete_cache_dirs(tmpreaper_t)
apache_delete_cache_files(tmpreaper_t)
- apache_setattr_cache_dirs(tmpreaper_t)
- ')
-@@ -66,9 +84,17 @@ optional_policy(`
+@@ -69,7 +85,15 @@ optional_policy(`
')
optional_policy(`
-- rpm_manage_cache(tmpreaper_t)
+- lpd_manage_spool(tmpreaper_t)
+ mandb_delete_cache(tmpreaper_t)
- ')
-
- optional_policy(`
-- unconfined_domain(tmpreaper_t)
++')
++
++optional_policy(`
+ sandbox_list(tmpreaper_t)
+ sandbox_delete_dirs(tmpreaper_t)
+ sandbox_delete_files(tmpreaper_t)
+ sandbox_delete_sock_files(tmpreaper_t)
+ sandbox_setattr_dirs(tmpreaper_t)
-+')
-+
-+optional_policy(`
-+ rpm_manage_cache(tmpreaper_t)
')
+
+ optional_policy(`
diff --git a/tomcat.fc b/tomcat.fc
new file mode 100644
index 0000000..a8385bc
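Review bot: `files_delete_all_non_security_files(tmpreaper_t)` makes most of the targeted rules in this hunk redundant and removes the confinement they expressed: once tmpreaper may unlink any non-security file type, the `apache_delete_cache_*`, `mandb_delete_cache`, `sandbox_delete_*` and `userdom_delete_all_user_home_content_*` grants (and the `lpd_manage_spool` call this patch now drops) are only subsets, assuming those types carry the non-security attribute. In practice what tmpwatch may delete is then decided by the path arguments in its cron job rather than by policy, and with `dac_override` and `mcs_file_write_all` already in place a wrong path reaches nearly everything. If the broad grant is needed for some tmp layouts, a comment above it stating why and which targeted rules it supersedes would help whoever later tries to tighten this domain; if it is not, the targeted rules alone are preferable. The tmpreaper.te policy continues outside the hunk.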
@@ -68531,23 +78248,23 @@ index 0000000..0557ffc
+ tomcat_search_lib(tomcat_domain)
+')
diff --git a/tor.fc b/tor.fc
-index e2e06b2..6752bc3 100644
+index 6b9d449..ac02092 100644
--- a/tor.fc
+++ b/tor.fc
-@@ -4,6 +4,8 @@
- /usr/bin/tor -- gen_context(system_u:object_r:tor_exec_t,s0)
- /usr/sbin/tor -- gen_context(system_u:object_r:tor_exec_t,s0)
+@@ -6,6 +6,8 @@
+
+ /usr/sbin/tor -- gen_context(system_u:object_r:tor_exec_t,s0)
+/usr/lib/systemd/system/tor.* -- gen_context(system_u:object_r:tor_unit_file_t,s0)
+
- /var/lib/tor(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0)
- /var/lib/tor-data(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0)
+ /var/lib/tor(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0)
+ /var/lib/tor-data(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0)
diff --git a/tor.if b/tor.if
-index 904f13e..5801347 100644
+index 61c2e07..5e1df41 100644
--- a/tor.if
+++ b/tor.if
-@@ -18,6 +18,29 @@ interface(`tor_domtrans',`
+@@ -19,6 +19,29 @@ interface(`tor_domtrans',`
domtrans_pattern($1, tor_exec_t, tor_t)
')
@@ -68576,24 +78293,29 @@ index 904f13e..5801347 100644
+
########################################
## <summary>
- ## All of the rules required to administrate
-@@ -40,10 +63,14 @@ interface(`tor_admin',`
+ ## All of the rules required to
+@@ -39,12 +62,18 @@ interface(`tor_domtrans',`
+ interface(`tor_admin',`
+ gen_require(`
type tor_t, tor_var_log_t, tor_etc_t;
- type tor_var_lib_t, tor_var_run_t;
- type tor_initrc_exec_t;
+- type tor_var_lib_t, tor_var_run_t, tor_initrc_exec_t;
++ type tor_var_lib_t, tor_var_run_t;
++ type tor_initrc_exec_t;
+ type tor_unit_file_t;
')
-- allow $1 tor_t:process { ptrace signal_perms getattr };
+- allow $1 tor_t:process { ptrace signal_perms };
+ allow $1 tor_t:process signal_perms;
ps_process_pattern($1, tor_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 tor_t:process ptrace;
+ ')
-
++
init_labeled_script_domtrans($1, tor_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -61,4 +88,13 @@ interface(`tor_admin',`
+ role_transition $2 tor_initrc_exec_t system_r;
+@@ -61,4 +90,13 @@ interface(`tor_admin',`
files_list_pids($1)
admin_pattern($1, tor_var_run_t)
@@ -68608,10 +78330,10 @@ index 904f13e..5801347 100644
+ ')
')
diff --git a/tor.te b/tor.te
-index c842cad..a655e4c 100644
+index 964a395..2a5bcc4 100644
--- a/tor.te
+++ b/tor.te
-@@ -13,6 +13,13 @@ policy_module(tor, 1.8.0)
+@@ -13,6 +13,13 @@ policy_module(tor, 1.8.4)
## </desc>
gen_tunable(tor_bind_all_unreserved_ports, false)
@@ -68625,66 +78347,52 @@ index c842cad..a655e4c 100644
type tor_t;
type tor_exec_t;
init_daemon_domain(tor_t, tor_exec_t)
-@@ -36,12 +43,16 @@ logging_log_file(tor_var_log_t)
- type tor_var_run_t;
+@@ -33,6 +40,9 @@ type tor_var_run_t;
files_pid_file(tor_var_run_t)
+ init_daemon_run_dir(tor_var_run_t, "tor")
+type tor_unit_file_t;
+systemd_unit_file(tor_unit_file_t)
+
########################################
#
- # tor local policy
- #
-
- allow tor_t self:capability { setgid setuid sys_tty_config };
-+allow tor_t self:process signal;
- allow tor_t self:fifo_file rw_fifo_file_perms;
- allow tor_t self:unix_stream_socket create_stream_socket_perms;
- allow tor_t self:netlink_route_socket r_netlink_socket_perms;
-@@ -73,9 +84,10 @@ manage_sock_files_pattern(tor_t, tor_var_run_t, tor_var_run_t)
- files_pid_filetrans(tor_t, tor_var_run_t, { dir file sock_file })
-
+ # Local policy
+@@ -68,6 +78,8 @@ files_pid_filetrans(tor_t, tor_var_run_t, { dir file sock_file })
+ kernel_read_kernel_sysctls(tor_t)
+ kernel_read_net_sysctls(tor_t)
kernel_read_system_state(tor_t)
+kernel_read_net_sysctls(tor_t)
+kernel_read_kernel_sysctls(tor_t)
- # networking basics
--corenet_all_recvfrom_unlabeled(tor_t)
+ corenet_all_recvfrom_unlabeled(tor_t)
corenet_all_recvfrom_netlabel(tor_t)
- corenet_tcp_sendrecv_generic_if(tor_t)
- corenet_udp_sendrecv_generic_if(tor_t)
-@@ -87,6 +99,7 @@ corenet_tcp_sendrecv_all_reserved_ports(tor_t)
+@@ -77,7 +89,6 @@ corenet_tcp_sendrecv_generic_node(tor_t)
+ corenet_udp_sendrecv_generic_node(tor_t)
corenet_tcp_bind_generic_node(tor_t)
corenet_udp_bind_generic_node(tor_t)
- corenet_tcp_bind_tor_port(tor_t)
-+corenet_tcp_bind_tor_socks_port(tor_t)
- corenet_udp_bind_dns_port(tor_t)
- corenet_sendrecv_tor_server_packets(tor_t)
+-
corenet_sendrecv_dns_server_packets(tor_t)
-@@ -95,13 +108,14 @@ corenet_tcp_connect_all_ports(tor_t)
- corenet_sendrecv_all_client_packets(tor_t)
- # ... especially including port 80 and other privileged ports
- corenet_tcp_connect_all_reserved_ports(tor_t)
-+corenet_udp_bind_dns_port(tor_t)
+ corenet_udp_bind_dns_port(tor_t)
+ corenet_udp_sendrecv_dns_port(tor_t)
+@@ -94,23 +105,27 @@ corenet_tcp_sendrecv_all_reserved_ports(tor_t)
- # tor uses crypto and needs random
+ dev_read_sysfs(tor_t)
dev_read_urand(tor_t)
+dev_read_sysfs(tor_t)
domain_use_interactive_fds(tor_t)
--files_read_etc_files(tor_t)
files_read_etc_runtime_files(tor_t)
- files_read_usr_files(tor_t)
+-files_read_usr_files(tor_t)
-@@ -109,12 +123,16 @@ auth_use_nsswitch(tor_t)
+ auth_use_nsswitch(tor_t)
logging_send_syslog_msg(tor_t)
-miscfiles_read_localization(tor_t)
-
- tunable_policy(`tor_bind_all_unreserved_ports', `
+ tunable_policy(`tor_bind_all_unreserved_ports',`
+ corenet_sendrecv_all_server_packets(tor_t)
corenet_tcp_bind_all_unreserved_ports(tor_t)
')
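Review bot: The rebased tor.te hunk re-adds rules the new base already has as context: `kernel_read_kernel_sysctls(tor_t)` and `kernel_read_net_sysctls(tor_t)` appear as context lines directly above the two `+` lines that add them again, and the same happens with `dev_read_sysfs(tor_t)` further down. They are harmless duplicate allow rules, but they are merge residue that will confuse the next rebase; drop the three `+` lines. Separately, this module now keeps `corenet_all_recvfrom_unlabeled(tor_t)` as context whereas the other modules in this diff (thunderbird, timidity, transproxy, uml) still remove that call; unless it is dropped for tor in a hunk not shown, tor_t keeps unlabeled-packet receive while its siblings lose it, which looks unintentional. The tor.te local policy continues outside the hunk.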
@@ -68698,10 +78406,10 @@ index c842cad..a655e4c 100644
seutil_sigchld_newrole(tor_t)
')
diff --git a/transproxy.te b/transproxy.te
-index 95cf0c0..f191f8a 100644
+index 20d1a28..e90a7e8 100644
--- a/transproxy.te
+++ b/transproxy.te
-@@ -29,7 +29,6 @@ kernel_read_kernel_sysctls(transproxy_t)
+@@ -32,7 +32,6 @@ kernel_read_kernel_sysctls(transproxy_t)
kernel_list_proc(transproxy_t)
kernel_read_proc_symlinks(transproxy_t)
@@ -68709,7 +78417,7 @@ index 95cf0c0..f191f8a 100644
corenet_all_recvfrom_netlabel(transproxy_t)
corenet_tcp_sendrecv_generic_if(transproxy_t)
corenet_tcp_sendrecv_generic_node(transproxy_t)
-@@ -49,8 +48,6 @@ fs_search_auto_mountpoints(transproxy_t)
+@@ -53,8 +52,6 @@ fs_search_auto_mountpoints(transproxy_t)
logging_send_syslog_msg(transproxy_t)
@@ -68719,10 +78427,10 @@ index 95cf0c0..f191f8a 100644
userdom_dontaudit_use_unpriv_user_fds(transproxy_t)
diff --git a/tripwire.te b/tripwire.te
-index 2ae8b62..bfe64af 100644
+index 2e1110d..2c989b4 100644
--- a/tripwire.te
+++ b/tripwire.te
-@@ -80,7 +80,7 @@ files_getattr_all_sockets(tripwire_t)
+@@ -86,7 +86,7 @@ files_getattr_all_sockets(tripwire_t)
logging_send_syslog_msg(tripwire_t)
@@ -68731,7 +78439,7 @@ index 2ae8b62..bfe64af 100644
optional_policy(`
cron_system_entry(tripwire_t, tripwire_exec_t)
-@@ -99,9 +99,7 @@ domain_use_interactive_fds(twadmin_t)
+@@ -107,9 +107,7 @@ files_search_etc(twadmin_t)
logging_send_syslog_msg(twadmin_t)
@@ -68742,7 +78450,7 @@ index 2ae8b62..bfe64af 100644
########################################
#
-@@ -125,9 +123,7 @@ domain_use_interactive_fds(twprint_t)
+@@ -135,9 +133,7 @@ files_search_var_lib(twprint_t)
logging_send_syslog_msg(twprint_t)
@@ -68753,7 +78461,7 @@ index 2ae8b62..bfe64af 100644
########################################
#
-@@ -141,6 +137,4 @@ files_read_all_files(siggen_t)
+@@ -150,6 +146,4 @@ files_read_all_files(siggen_t)
logging_send_syslog_msg(siggen_t)
@@ -68761,136 +78469,65 @@ index 2ae8b62..bfe64af 100644
-
-userdom_use_user_terminals(siggen_t)
+userdom_use_inherited_user_terminals(siggen_t)
-diff --git a/tuned.fc b/tuned.fc
-index 639c962..e789b2e 100644
---- a/tuned.fc
-+++ b/tuned.fc
-@@ -1,8 +1,12 @@
- /etc/rc\.d/init\.d/tuned -- gen_context(system_u:object_r:tuned_initrc_exec_t,s0)
-
-+/etc/tuned(/.)? gen_context(system_u:object_r:tuned_etc_t,s0)
-+/etc/tuned/active_profile -- gen_context(system_u:object_r:tuned_rw_etc_t,s0)
-+
- /usr/sbin/tuned -- gen_context(system_u:object_r:tuned_exec_t,s0)
-
- /var/log/tuned(/.*)? gen_context(system_u:object_r:tuned_log_t,s0)
--/var/log/tuned\.log -- gen_context(system_u:object_r:tuned_log_t,s0)
-+/var/log/tuned\.log.* -- gen_context(system_u:object_r:tuned_log_t,s0)
-
-+/var/run/tuned(/.*)? gen_context(system_u:object_r:tuned_var_run_t,s0)
- /var/run/tuned\.pid -- gen_context(system_u:object_r:tuned_var_run_t,s0)
diff --git a/tuned.if b/tuned.if
-index 54b8605..a04f013 100644
+index e29db63..061fb98 100644
--- a/tuned.if
+++ b/tuned.if
-@@ -5,9 +5,9 @@
- ## Execute a domain transition to run tuned.
- ## </summary>
- ## <param name="domain">
--## <summary>
-+## <summary>
- ## Domain allowed to transition.
--## </summary>
-+## </summary>
- ## </param>
- #
- interface(`tuned_domtrans',`
-@@ -112,18 +112,20 @@ interface(`tuned_initrc_domtrans',`
- #
- interface(`tuned_admin',`
- gen_require(`
-- type tuned_t, tuned_var_run_t;
-- type tuned_initrc_exec_t;
-+ type tuned_t, tuned_var_run_t, tuned_initrc_exec_t;
+@@ -119,9 +119,13 @@ interface(`tuned_admin',`
+ type tuned_etc_t, tuned_rw_etc_t, tuned_log_t;
')
- allow $1 tuned_t:process { ptrace signal_perms };
+ allow $1 tuned_t:process signal_perms;
ps_process_pattern($1, tuned_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 tuned_t:process ptrace;
+ ')
-
++
tuned_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 tuned_initrc_exec_t system_r;
- allow $2 system_r;
-
-- files_search_pids($1)
-+ files_list_pids($1)
- admin_pattern($1, tuned_var_run_t)
- ')
diff --git a/tuned.te b/tuned.te
-index db9d2a5..edfe6ba 100644
+index 7116181..5355bfc 100644
--- a/tuned.te
+++ b/tuned.te
-@@ -12,6 +12,12 @@ init_daemon_domain(tuned_t, tuned_exec_t)
- type tuned_initrc_exec_t;
- init_script_file(tuned_initrc_exec_t)
-
-+type tuned_etc_t;
-+files_config_file(tuned_etc_t)
-+
-+type tuned_rw_etc_t;
-+files_config_file(tuned_rw_etc_t)
-+
- type tuned_log_t;
- logging_log_file(tuned_log_t)
+@@ -31,8 +31,9 @@ files_pid_file(tuned_var_run_t)
-@@ -22,43 +28,85 @@ files_pid_file(tuned_var_run_t)
- #
- # tuned local policy
- #
--
-+allow tuned_t self:capability { sys_admin sys_nice };
+ allow tuned_t self:capability { sys_admin sys_nice };
dontaudit tuned_t self:capability { dac_override sys_tty_config };
+-allow tuned_t self:process { setsched signal };
+allow tuned_t self:process { setsched signal };
-+allow tuned_t self:fifo_file rw_fifo_file_perms;
+ allow tuned_t self:fifo_file rw_fifo_file_perms;
+allow tuned_t self:udp_socket create_socket_perms;
-+
-+read_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t)
-+exec_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t)
-+
-+manage_files_pattern(tuned_t, tuned_etc_t, tuned_rw_etc_t)
-+files_etc_filetrans(tuned_t, tuned_rw_etc_t, file, "active_profile")
- manage_dirs_pattern(tuned_t, tuned_log_t, tuned_log_t)
- manage_files_pattern(tuned_t, tuned_log_t, tuned_log_t)
+ read_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t)
+ exec_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t)
+@@ -44,7 +45,7 @@ manage_dirs_pattern(tuned_t, tuned_log_t, tuned_log_t)
+ append_files_pattern(tuned_t, tuned_log_t, tuned_log_t)
+ create_files_pattern(tuned_t, tuned_log_t, tuned_log_t)
+ setattr_files_pattern(tuned_t, tuned_log_t, tuned_log_t)
-logging_log_filetrans(tuned_t, tuned_log_t, file)
+logging_log_filetrans(tuned_t, tuned_log_t, file, "tuned.log")
manage_files_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t)
--files_pid_filetrans(tuned_t, tuned_var_run_t, file)
-+manage_dirs_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t)
-+files_pid_filetrans(tuned_t, tuned_var_run_t, { dir file })
+ manage_dirs_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t)
+@@ -57,6 +58,7 @@ kernel_request_load_module(tuned_t)
+ kernel_rw_kernel_sysctl(tuned_t)
+ kernel_rw_hotplug_sysctls(tuned_t)
+ kernel_rw_vm_sysctls(tuned_t)
++kernel_setsched(tuned_t)
- corecmd_exec_shell(tuned_t)
corecmd_exec_bin(tuned_t)
+ corecmd_exec_shell(tuned_t)
+@@ -69,26 +71,39 @@ dev_rw_netcontrol(tuned_t)
- kernel_read_system_state(tuned_t)
- kernel_read_network_state(tuned_t)
--
-+kernel_read_kernel_sysctls(tuned_t)
-+kernel_request_load_module(tuned_t)
-+kernel_rw_kernel_sysctl(tuned_t)
-+kernel_rw_hotplug_sysctls(tuned_t)
-+kernel_rw_vm_sysctls(tuned_t)
-+kernel_setsched(tuned_t)
-+
-+dev_getattr_all_blk_files(tuned_t)
-+dev_getattr_all_chr_files(tuned_t)
-+dev_dontaudit_getattr_all(tuned_t)
- dev_read_urand(tuned_t)
--dev_read_sysfs(tuned_t)
-+dev_rw_sysfs(tuned_t)
- # to allow cpu tuning
- dev_rw_netcontrol(tuned_t)
-
--files_read_etc_files(tuned_t)
files_read_usr_files(tuned_t)
files_dontaudit_search_home(tuned_t)
+-files_dontaudit_list_tmp(tuned_t)
+files_list_tmp(tuned_t)
-+
+
+-fs_getattr_xattr_fs(tuned_t)
+fs_getattr_all_fs(tuned_t)
+
+auth_use_nsswitch(tuned_t)
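Review bot: `allow tuned_t self:udp_socket create_socket_perms;` is added with no accompanying `corenet_udp_*` rule in the hunk, so the socket can be created but, as far as this hunk shows, not bound or used for traffic, and a reader cannot tell whether it exists for interface ioctls or for real network use. A one-line why-comment above it, such as `# UDP socket only for SIOCGIF* ioctls on network interfaces; no corenet port rules on purpose`, or whatever the motivating denial shows, would stop the grant from silently growing later. The changes from `files_dontaudit_list_tmp` to `files_list_tmp` and from `fs_getattr_xattr_fs` to `fs_getattr_all_fs` are also real widenings that deserve the same short justification. The tuned.te rules continue past the end of the hunk.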
@@ -68899,81 +78536,68 @@ index db9d2a5..edfe6ba 100644
-miscfiles_read_localization(tuned_t)
+mount_read_pid_files(tuned_t)
-+
-+udev_read_pid_files(tuned_t)
+
+ udev_read_pid_files(tuned_t)
userdom_dontaudit_search_user_home_dirs(tuned_t)
-+optional_policy(`
+ optional_policy(`
+ dbus_system_bus_client(tuned_t)
+ dbus_connect_system_bus(tuned_t)
+')
+
- # to allow disk tuning
- optional_policy(`
++# to allow disk tuning
++optional_policy(`
fstools_domtrans(tuned_t)
')
-+optional_policy(`
+ optional_policy(`
+ gnome_dontaudit_search_config(tuned_t)
+')
+
+optional_policy(`
-+ mount_domtrans(tuned_t)
-+')
-+
- # to allow network interface tuning
+ mount_domtrans(tuned_t)
+ ')
+
++# to allow network interface tuning
optional_policy(`
sysnet_domtrans_ifconfig(tuned_t)
')
-+
-+optional_policy(`
-+ unconfined_dbus_send(tuned_t)
-+')
diff --git a/tvtime.te b/tvtime.te
-index 531b1f1..7455f78 100644
+index 3292fcc..fff4b4a 100644
--- a/tvtime.te
+++ b/tvtime.te
-@@ -67,23 +67,13 @@ files_read_etc_files(tvtime_t)
- # X access, Home files
- fs_search_auto_mountpoints(tvtime_t)
+@@ -69,21 +69,12 @@ fs_search_auto_mountpoints(tvtime_t)
+ auth_use_nsswitch(tvtime_t)
--miscfiles_read_localization(tvtime_t)
miscfiles_read_fonts(tvtime_t)
+-miscfiles_read_localization(tvtime_t)
-userdom_use_user_terminals(tvtime_t)
+userdom_use_inherited_user_terminals(tvtime_t)
- userdom_read_user_home_content_files(tvtime_t)
++userdom_read_user_home_content_files(tvtime_t)
- # X access, Home files
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(tvtime_t)
- fs_manage_nfs_files(tvtime_t)
- fs_manage_nfs_symlinks(tvtime_t)
-')
+-
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(tvtime_t)
- fs_manage_cifs_files(tvtime_t)
- fs_manage_cifs_symlinks(tvtime_t)
-')
++# X access, Home files
+userdom_home_manager(tvtime_t)
optional_policy(`
xserver_user_x_domain_template(tvtime, tvtime_t, tvtime_tmpfs_t)
diff --git a/tzdata.te b/tzdata.te
-index d0f2a64..9896b57 100644
+index aa6ae96..9f86987 100644
--- a/tzdata.te
+++ b/tzdata.te
-@@ -15,7 +15,7 @@ application_domain(tzdata_t, tzdata_exec_t)
- # tzdata local policy
- #
-
--files_read_etc_files(tzdata_t)
-+files_read_config_files(tzdata_t)
- files_search_spool(tzdata_t)
-
- fs_getattr_xattr_fs(tzdata_t)
-@@ -24,11 +24,10 @@ term_dontaudit_list_ptys(tzdata_t)
+@@ -27,11 +27,10 @@ term_dontaudit_list_ptys(tzdata_t)
locallogin_dontaudit_use_fds(tzdata_t)
@@ -68984,52 +78608,10 @@ index d0f2a64..9896b57 100644
-userdom_use_user_terminals(tzdata_t)
+userdom_use_inherited_user_terminals(tzdata_t)
- # tzdata looks for /var/spool/postfix/etc/localtime.
- optional_policy(`
-diff --git a/ucspitcp.if b/ucspitcp.if
-index c1feba4..bf82170 100644
---- a/ucspitcp.if
-+++ b/ucspitcp.if
-@@ -31,8 +31,5 @@ interface(`ucspitcp_service_domain', `
-
- role system_r types $1;
-
-- domain_auto_trans(ucspitcp_t, $2, $1)
-- allow $1 ucspitcp_t:fd use;
-- allow $1 ucspitcp_t:process sigchld;
-- allow $1 ucspitcp_t:tcp_socket rw_stream_socket_perms;
-+ domtrans_pattern(ucspitcp_t, $2, $1)
- ')
-diff --git a/ucspitcp.te b/ucspitcp.te
-index a0794bf..a05c54c 100644
---- a/ucspitcp.te
-+++ b/ucspitcp.te
-@@ -24,7 +24,6 @@ ucspitcp_service_domain(rblsmtpd_t, rblsmtpd_exec_t)
-
- corecmd_search_bin(rblsmtpd_t)
-
--corenet_all_recvfrom_unlabeled(rblsmtpd_t)
- corenet_all_recvfrom_netlabel(rblsmtpd_t)
- corenet_tcp_sendrecv_generic_if(rblsmtpd_t)
- corenet_udp_sendrecv_generic_if(rblsmtpd_t)
-@@ -55,7 +54,6 @@ allow ucspitcp_t self:udp_socket create_socket_perms;
- corecmd_search_bin(ucspitcp_t)
-
- # base networking:
--corenet_all_recvfrom_unlabeled(ucspitcp_t)
- corenet_all_recvfrom_netlabel(ucspitcp_t)
- corenet_tcp_sendrecv_generic_if(ucspitcp_t)
- corenet_udp_sendrecv_generic_if(ucspitcp_t)
-@@ -89,5 +87,7 @@ sysnet_read_config(ucspitcp_t)
-
optional_policy(`
- daemontools_service_domain(ucspitcp_t, ucspitcp_exec_t)
-+ daemontools_sigchld_run(ucspitcp_t)
- daemontools_read_svc(ucspitcp_t)
- ')
-+
+ postfix_search_spool(tzdata_t)
diff --git a/ulogd.if b/ulogd.if
-index d23be5c..a05cd68 100644
+index 9b95c3e..a892845 100644
--- a/ulogd.if
+++ b/ulogd.if
@@ -123,8 +123,11 @@ interface(`ulogd_admin',`
@@ -69046,88 +78628,73 @@ index d23be5c..a05cd68 100644
init_labeled_script_domtrans($1, ulogd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/ulogd.te b/ulogd.te
-index 3b953f5..d35a323 100644
+index c6acbbe..46f1120 100644
--- a/ulogd.te
+++ b/ulogd.te
-@@ -11,7 +11,7 @@ init_daemon_domain(ulogd_t, ulogd_exec_t)
-
- # config files
- type ulogd_etc_t;
--files_type(ulogd_etc_t)
-+files_config_file(ulogd_etc_t)
-
- type ulogd_initrc_exec_t;
- init_script_file(ulogd_initrc_exec_t)
-@@ -29,8 +29,13 @@ logging_log_file(ulogd_var_log_t)
- # ulogd local policy
+@@ -27,10 +27,12 @@ logging_log_file(ulogd_var_log_t)
#
--allow ulogd_t self:capability net_admin;
-+allow ulogd_t self:capability { net_admin sys_nice };
+ allow ulogd_t self:capability { net_admin sys_nice };
+-allow ulogd_t self:process setsched;
+allow ulogd_t self:process { setsched };
allow ulogd_t self:netlink_nflog_socket create_socket_perms;
+allow ulogd_t self:netlink_route_socket r_netlink_socket_perms;
-+allow ulogd_t self:netlink_socket create_socket_perms;
+ allow ulogd_t self:netlink_socket create_socket_perms;
+-allow ulogd_t self:tcp_socket create_stream_socket_perms;
+allow ulogd_t self:tcp_socket { create_stream_socket_perms connect };
+allow ulogd_t self:udp_socket create_socket_perms;
- # config files
read_files_pattern(ulogd_t, ulogd_etc_t, ulogd_etc_t)
-@@ -46,7 +51,6 @@ logging_log_filetrans(ulogd_t, ulogd_var_log_t, file)
+
+@@ -45,7 +47,6 @@ logging_log_filetrans(ulogd_t, ulogd_var_log_t, file)
files_read_etc_files(ulogd_t)
files_read_usr_files(ulogd_t)
-miscfiles_read_localization(ulogd_t)
- optional_policy(`
- allow ulogd_t self:tcp_socket create_stream_socket_perms;
+ sysnet_dns_name_resolve(ulogd_t)
+
diff --git a/uml.if b/uml.if
-index d2ab7cb..ddb34f1 100644
+index ab5c1d0..d13105e 100644
--- a/uml.if
+++ b/uml.if
-@@ -31,9 +31,9 @@ interface(`uml_role',`
- allow $2 uml_t:unix_dgram_socket sendto;
+@@ -32,7 +32,7 @@ interface(`uml_role',`
allow uml_t $2:unix_dgram_socket sendto;
-- # allow ps, ptrace, signal
-+ # allow ps, signal
ps_process_pattern($2, uml_t)
- allow $2 uml_t:process { ptrace signal_perms };
+ allow $2 uml_t:process signal_perms;
- allow $2 uml_ro_t:dir list_dir_perms;
- read_files_pattern($2, uml_ro_t, uml_ro_t)
+ allow $2 { uml_ro_t uml_rw_t uml_tmp_t uml_exec_t }:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 { uml_ro_t uml_rw_t uml_tmp_t uml_tmpfs_t uml_exec_t }:file { manage_file_perms relabel_file_perms };
diff --git a/uml.te b/uml.te
-index ff094e5..4ddeb30 100644
+index dc03cc5..fa862cf 100644
--- a/uml.te
+++ b/uml.te
-@@ -50,7 +50,7 @@ files_pid_file(uml_switch_var_run_t)
- #
+@@ -90,7 +90,6 @@ kernel_write_proc_files(uml_t)
- allow uml_t self:fifo_file rw_fifo_file_perms;
--allow uml_t self:process { signal_perms ptrace };
-+allow uml_t self:process signal_perms;
- allow uml_t self:unix_stream_socket create_stream_socket_perms;
- allow uml_t self:unix_dgram_socket create_socket_perms;
- # Use the network.
-@@ -97,7 +97,6 @@ kernel_write_proc_files(uml_t)
- # for xterm
corecmd_exec_bin(uml_t)
-corenet_all_recvfrom_unlabeled(uml_t)
corenet_all_recvfrom_netlabel(uml_t)
corenet_tcp_sendrecv_generic_if(uml_t)
- corenet_udp_sendrecv_generic_if(uml_t)
-@@ -131,7 +130,7 @@ seutil_use_newrole_fds(uml_t)
- # Use the network.
- sysnet_read_config(uml_t)
+ corenet_tcp_sendrecv_generic_node(uml_t)
+@@ -115,7 +114,13 @@ init_dontaudit_write_utmp(uml_t)
+
+ libs_exec_lib_files(uml_t)
-userdom_use_user_terminals(uml_t)
++# Inherit and use descriptors from newrole.
++seutil_use_newrole_fds(uml_t)
++
++# Use the network.
++sysnet_read_config(uml_t)
++
+userdom_use_inherited_user_terminals(uml_t)
userdom_attach_admin_tun_iface(uml_t)
- optional_policy(`
-@@ -174,8 +173,6 @@ init_use_script_ptys(uml_switch_t)
+ tunable_policy(`use_nfs_home_dirs',`
+@@ -171,8 +176,6 @@ init_use_script_ptys(uml_switch_t)
logging_send_syslog_msg(uml_switch_t)
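Review bot: `allow ulogd_t self:tcp_socket { create_stream_socket_perms connect };` gives a packet-log collector outbound connect with no `corenet_tcp_connect_*` port rule visible in the hunk, so either the permission is dead or the port rule lives elsewhere; presumably this serves a database or remote-output plugin, and a comment naming the consumer, e.g. `# connect needed by the database/remote output plugins`, would make the intent auditable and discourage a later widening to all ports. In the same hunk `allow ulogd_t self:process setsched;` becomes `allow ulogd_t self:process { setsched };`, which is pure diff noise against upstream and should be reverted. The ulogd.te and uml.te bodies continue outside the hunk.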
@@ -69137,19 +78704,19 @@ index ff094e5..4ddeb30 100644
userdom_dontaudit_search_user_home_dirs(uml_switch_t)
diff --git a/updfstab.te b/updfstab.te
-index ef12ed5..4bd4cea 100644
+index 2d871b8..acbf304 100644
--- a/updfstab.te
+++ b/updfstab.te
-@@ -69,8 +69,6 @@ init_use_script_ptys(updfstab_t)
- logging_send_syslog_msg(updfstab_t)
+@@ -66,8 +66,6 @@ init_use_script_ptys(updfstab_t)
logging_search_logs(updfstab_t)
+ logging_send_syslog_msg(updfstab_t)
-miscfiles_read_localization(updfstab_t)
-
seutil_read_config(updfstab_t)
seutil_read_default_contexts(updfstab_t)
seutil_read_file_contexts(updfstab_t)
-@@ -78,9 +76,8 @@ seutil_read_file_contexts(updfstab_t)
+@@ -75,9 +73,8 @@ seutil_read_file_contexts(updfstab_t)
userdom_dontaudit_search_user_home_content(updfstab_t)
userdom_dontaudit_use_unpriv_user_fds(updfstab_t)
@@ -69160,13 +78727,13 @@ index ef12ed5..4bd4cea 100644
+auth_domtrans_pam_console(updfstab_t)
optional_policy(`
- init_dbus_chat_script(updfstab_t)
+ dbus_system_bus_client(updfstab_t)
diff --git a/uptime.te b/uptime.te
-index c2cf97e..d9105b0 100644
+index 09741f6..8e5b35c 100644
--- a/uptime.te
+++ b/uptime.te
-@@ -13,7 +13,7 @@ type uptimed_etc_t alias etc_uptimed_t;
- files_config_file(uptimed_etc_t)
+@@ -16,7 +16,7 @@ type uptimed_initrc_exec_t;
+ init_script_file(uptimed_initrc_exec_t)
type uptimed_spool_t;
-files_type(uptimed_spool_t)
@@ -69174,15 +78741,6 @@ index c2cf97e..d9105b0 100644
type uptimed_var_run_t;
files_pid_file(uptimed_var_run_t)
-@@ -25,7 +25,7 @@ files_pid_file(uptimed_var_run_t)
-
- dontaudit uptimed_t self:capability sys_tty_config;
- allow uptimed_t self:process signal_perms;
--allow uptimed_t self:fifo_file write_file_perms;
-+allow uptimed_t self:fifo_file write_fifo_file_perms;
-
- allow uptimed_t uptimed_etc_t:file read_file_perms;
- files_search_etc(uptimed_t)
@@ -55,8 +55,6 @@ fs_search_auto_mountpoints(uptimed_t)
logging_send_syslog_msg(uptimed_t)
@@ -69193,10 +78751,19 @@ index c2cf97e..d9105b0 100644
userdom_dontaudit_search_user_home_dirs(uptimed_t)
diff --git a/usbmodules.te b/usbmodules.te
-index 74354da..f04565f 100644
+index cb9b5bb..3aa7952 100644
--- a/usbmodules.te
+++ b/usbmodules.te
-@@ -34,9 +34,7 @@ init_use_fds(usbmodules_t)
+@@ -24,8 +24,6 @@ files_list_kernel_modules(usbmodules_t)
+ dev_list_usbfs(usbmodules_t)
+ dev_rw_usbfs(usbmodules_t)
+
+-files_list_etc(usbmodules_t)
+-
+ term_read_console(usbmodules_t)
+ term_write_console(usbmodules_t)
+
+@@ -35,10 +33,12 @@ logging_send_syslog_msg(usbmodules_t)
miscfiles_read_hwdata(usbmodules_t)
@@ -69207,28 +78774,26 @@ index 74354da..f04565f 100644
optional_policy(`
hotplug_read_config(usbmodules_t)
-@@ -45,3 +43,7 @@ optional_policy(`
- optional_policy(`
- logging_send_syslog_msg(usbmodules_t)
')
+
+optional_policy(`
+ modutils_read_module_deps(usbmodules_t)
+')
diff --git a/usbmuxd.fc b/usbmuxd.fc
-index 40b8b8d..cd80b9b 100644
+index 220f6ad..cd80b9b 100644
--- a/usbmuxd.fc
+++ b/usbmuxd.fc
@@ -1,3 +1,4 @@
/usr/sbin/usbmuxd -- gen_context(system_u:object_r:usbmuxd_exec_t,s0)
- /var/run/usbmuxd.* gen_context(system_u:object_r:usbmuxd_var_run_t,s0)
+-/var/run/usbmuxd.* gen_context(system_u:object_r:usbmuxd_var_run_t,s0)
++/var/run/usbmuxd.* gen_context(system_u:object_r:usbmuxd_var_run_t,s0)
+/usr/lib/systemd/system/usbmuxd.* -- gen_context(system_u:object_r:usbmuxd_unit_file_t,s0)
diff --git a/usbmuxd.if b/usbmuxd.if
-index 53792d3..823ac94 100644
+index 1ec5e99..88e287d 100644
--- a/usbmuxd.if
+++ b/usbmuxd.if
-@@ -37,3 +37,65 @@ interface(`usbmuxd_stream_connect',`
+@@ -38,3 +38,66 @@ interface(`usbmuxd_stream_connect',`
files_search_pids($1)
stream_connect_pattern($1, usbmuxd_var_run_t, usbmuxd_var_run_t, usbmuxd_t)
')
@@ -69285,6 +78850,7 @@ index 53792d3..823ac94 100644
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 usbmuxd_t:process ptrace;
+ ')
++
+ allow $2 system_r;
+
+ files_list_pids($1)
@@ -69295,16 +78861,16 @@ index 53792d3..823ac94 100644
+ allow $1 usbmuxd_unit_file_t:service all_service_perms;
+')
diff --git a/usbmuxd.te b/usbmuxd.te
-index 4440aa6..8c94194 100644
+index 8840be6..285680c 100644
--- a/usbmuxd.te
+++ b/usbmuxd.te
-@@ -7,12 +7,15 @@ policy_module(usbmuxd, 1.1.0)
+@@ -10,12 +10,16 @@ roleattribute system_r usbmuxd_roles;
type usbmuxd_t;
type usbmuxd_exec_t;
--application_domain(usbmuxd_t, usbmuxd_exec_t)
+init_system_domain(usbmuxd_t, usbmuxd_exec_t)
- role system_r types usbmuxd_t;
+ application_domain(usbmuxd_t, usbmuxd_exec_t)
+ role usbmuxd_roles types usbmuxd_t;
type usbmuxd_var_run_t;
files_pid_file(usbmuxd_var_run_t)
@@ -69314,17 +78880,13 @@ index 4440aa6..8c94194 100644
+
########################################
#
- # usbmuxd local policy
-@@ -33,10 +36,12 @@ kernel_read_system_state(usbmuxd_t)
- dev_read_sysfs(usbmuxd_t)
- dev_rw_generic_usb_dev(usbmuxd_t)
+ # Local policy
+@@ -38,6 +42,10 @@ dev_rw_generic_usb_dev(usbmuxd_t)
--files_read_etc_files(usbmuxd_t)
--
--miscfiles_read_localization(usbmuxd_t)
--
auth_use_nsswitch(usbmuxd_t)
+-miscfiles_read_localization(usbmuxd_t)
+-
logging_send_syslog_msg(usbmuxd_t)
+
+seutil_dontaudit_read_file_contexts(usbmuxd_t)
@@ -69333,67 +78895,288 @@ index 4440aa6..8c94194 100644
+ virt_dontaudit_read_chr_dev(usbmuxd_t)
+')
diff --git a/userhelper.fc b/userhelper.fc
-index e70b0e8..cd83b89 100644
+index c416a83..cd83b89 100644
--- a/userhelper.fc
+++ b/userhelper.fc
-@@ -7,3 +7,4 @@
- # /usr
- #
- /usr/sbin/userhelper -- gen_context(system_u:object_r:userhelper_exec_t,s0)
+@@ -1,5 +1,10 @@
+-/etc/security/console\.apps(/.*)? gen_context(system_u:object_r:userhelper_conf_t,s0)
++#
++# /etc
++#
++/etc/security/console\.apps(/.*)? gen_context(system_u:object_r:userhelper_conf_t,s0)
+
+-/usr/bin/consolehelper -- gen_context(system_u:object_r:consolehelper_exec_t,s0)
+-
+-/usr/sbin/userhelper -- gen_context(system_u:object_r:userhelper_exec_t,s0)
+\ No newline at end of file
++#
++# /usr
++#
++/usr/sbin/userhelper -- gen_context(system_u:object_r:userhelper_exec_t,s0)
+/usr/bin/consolehelper -- gen_context(system_u:object_r:consolehelper_exec_t,s0)
diff --git a/userhelper.if b/userhelper.if
-index 65baaac..3b93d32 100644
+index cf118fd..3b93d32 100644
--- a/userhelper.if
+++ b/userhelper.if
-@@ -25,6 +25,7 @@ template(`userhelper_role_template',`
+@@ -1,4 +1,4 @@
+-## <summary>A wrapper that helps users run system programs.</summary>
++## <summary>SELinux utility to run a shell with a new role</summary>
+
+ #######################################
+ ## <summary>
+@@ -23,9 +23,9 @@
+ #
+ template(`userhelper_role_template',`
gen_require(`
- attribute userhelper_type;
- type userhelper_exec_t, userhelper_conf_t;
+- attribute userhelper_type, consolehelper_type;
+- attribute_role userhelper_roles, consolehelper_roles;
+- type userhelper_exec_t, consolehelper_exec_t, userhelper_conf_t;
++ attribute userhelper_type;
++ type userhelper_exec_t, userhelper_conf_t;
+ class dbus send_msg;
')
########################################
-@@ -121,6 +122,9 @@ template(`userhelper_role_template',`
- auth_manage_pam_pid($1_userhelper_t)
- auth_manage_var_auth($1_userhelper_t)
- auth_search_pam_console_data($1_userhelper_t)
-+ auth_use_nsswitch($1_userhelper_t)
-+
-+ logging_send_syslog_msg($1_userhelper_t)
-
- # Inherit descriptors from the current session.
- init_use_fds($1_userhelper_t)
-@@ -128,7 +132,6 @@ template(`userhelper_role_template',`
- init_manage_utmp($1_userhelper_t)
- init_pid_filetrans_utmp($1_userhelper_t)
-
-- miscfiles_read_localization($1_userhelper_t)
-
- seutil_read_config($1_userhelper_t)
- seutil_read_default_contexts($1_userhelper_t)
-@@ -145,18 +148,6 @@ template(`userhelper_role_template',`
- ')
+@@ -33,64 +33,123 @@ template(`userhelper_role_template',`
+ # Declarations
+ #
- optional_policy(`
-- logging_send_syslog_msg($1_userhelper_t)
-- ')
+- type $1_consolehelper_t, consolehelper_type;
+- userdom_user_application_domain($1_consolehelper_t, consolehelper_exec_t)
+-
+- role consolehelper_roles types $1_consolehelper_t;
+- roleattribute $2 consolehelper_roles;
-
-- optional_policy(`
-- nis_use_ypbind($1_userhelper_t)
-- ')
+ type $1_userhelper_t, userhelper_type;
+ userdom_user_application_domain($1_userhelper_t, userhelper_exec_t)
-
+ domain_role_change_exemption($1_userhelper_t)
+ domain_obj_id_change_exemption($1_userhelper_t)
+ domain_interactive_fd($1_userhelper_t)
+ domain_subj_id_change_exemption($1_userhelper_t)
+-
+- role userhelper_roles types $1_userhelper_t;
+- roleattribute $2 userhelper_roles;
++ role $2 types $1_userhelper_t;
+
+ ########################################
+ #
+- # Consolehelper local policy
++ # Local policy
+ #
++ allow $1_userhelper_t self:capability { setuid setgid net_bind_service dac_override chown sys_tty_config };
++ allow $1_userhelper_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
++ allow $1_userhelper_t self:process setexec;
++ allow $1_userhelper_t self:fd use;
++ allow $1_userhelper_t self:fifo_file rw_fifo_file_perms;
++ allow $1_userhelper_t self:shm create_shm_perms;
++ allow $1_userhelper_t self:sem create_sem_perms;
++ allow $1_userhelper_t self:msgq create_msgq_perms;
++ allow $1_userhelper_t self:msg { send receive };
++ allow $1_userhelper_t self:unix_dgram_socket create_socket_perms;
++ allow $1_userhelper_t self:unix_stream_socket create_stream_socket_perms;
++ allow $1_userhelper_t self:unix_dgram_socket sendto;
++ allow $1_userhelper_t self:unix_stream_socket connectto;
++ allow $1_userhelper_t self:sock_file read_sock_file_perms;
+
+- allow $1_consolehelper_t $3:unix_stream_socket connectto;
++ #Transition to the derived domain.
++ domtrans_pattern($3, userhelper_exec_t, $1_userhelper_t)
+
+- domtrans_pattern($3, consolehelper_exec_t, $1_consolehelper_t)
++ allow $1_userhelper_t userhelper_conf_t:dir rw_dir_perms;
++ rw_files_pattern($1_userhelper_t, userhelper_conf_t, userhelper_conf_t)
+
+- allow $3 $1_consolehelper_t:process { ptrace signal_perms };
+- ps_process_pattern($3, $1_consolehelper_t)
++ can_exec($1_userhelper_t, userhelper_exec_t)
+
+- auth_use_pam($1_consolehelper_t)
++ dontaudit $3 $1_userhelper_t:process signal;
+
- optional_policy(`
-- nscd_socket_use($1_userhelper_t)
+- dbus_connect_all_session_bus($1_consolehelper_t)
++ kernel_read_all_sysctls($1_userhelper_t)
++ kernel_getattr_debugfs($1_userhelper_t)
++ kernel_read_system_state($1_userhelper_t)
+
+- optional_policy(`
+- userhelper_dbus_chat_all_consolehelper($3)
+- ')
- ')
--
-- optional_policy(`
++ # Execute shells
++ corecmd_exec_shell($1_userhelper_t)
++ # By default, revert to the calling domain when a program is executed
++ corecmd_bin_domtrans($1_userhelper_t, $3)
+
+- ########################################
+- #
+- # Userhelper local policy
+- #
++ # Inherit descriptors from the current session.
++ domain_use_interactive_fds($1_userhelper_t)
++ # for when the user types "exec userhelper" at the command line
++ domain_sigchld_interactive_fds($1_userhelper_t)
+
+- domtrans_pattern($3, userhelper_exec_t, $1_userhelper_t)
++ dev_read_urand($1_userhelper_t)
++ # Read /dev directories and any symbolic links.
++ dev_list_all_dev_nodes($1_userhelper_t)
+
+- dontaudit $3 $1_userhelper_t:process signal;
++ files_list_var_lib($1_userhelper_t)
++ # Read the /etc/security/default_type file
++ files_read_etc_files($1_userhelper_t)
++ # Read /var.
++ files_read_var_files($1_userhelper_t)
++ files_read_var_symlinks($1_userhelper_t)
++ # for some PAM modules and for cwd
++ files_search_home($1_userhelper_t)
+
+- corecmd_bin_domtrans($1_userhelper_t, $3)
++ fs_search_auto_mountpoints($1_userhelper_t)
++ fs_read_nfs_files($1_userhelper_t)
++ fs_read_nfs_symlinks($1_userhelper_t)
++
++ # Allow $1_userhelper to obtain contexts to relabel TTYs
++ selinux_get_fs_mount($1_userhelper_t)
++ selinux_validate_context($1_userhelper_t)
++ selinux_compute_access_vector($1_userhelper_t)
++ selinux_compute_create_context($1_userhelper_t)
++ selinux_compute_relabel_context($1_userhelper_t)
++ selinux_compute_user_contexts($1_userhelper_t)
++
++ # Read the devpts root directory.
++ term_list_ptys($1_userhelper_t)
++ # Relabel terminals.
++ term_relabel_all_ttys($1_userhelper_t)
++ term_relabel_all_ptys($1_userhelper_t)
++ # Access terminals.
++ term_use_all_ttys($1_userhelper_t)
++ term_use_all_ptys($1_userhelper_t)
+
+ auth_domtrans_chk_passwd($1_userhelper_t)
++ auth_manage_pam_pid($1_userhelper_t)
++ auth_manage_var_auth($1_userhelper_t)
++ auth_search_pam_console_data($1_userhelper_t)
+ auth_use_nsswitch($1_userhelper_t)
+
++ logging_send_syslog_msg($1_userhelper_t)
++
++ # Inherit descriptors from the current session.
++ init_use_fds($1_userhelper_t)
++ # Write to utmp.
++ init_manage_utmp($1_userhelper_t)
++ init_pid_filetrans_utmp($1_userhelper_t)
++
++
++ seutil_read_config($1_userhelper_t)
++ seutil_read_default_contexts($1_userhelper_t)
++
++ # Allow $1_userhelper_t to transition to user domains.
+ userdom_bin_spec_domtrans_unpriv_users($1_userhelper_t)
+ userdom_entry_spec_domtrans_unpriv_users($1_userhelper_t)
+
++ ifdef(`distro_redhat',`
++ optional_policy(`
++ # Allow transitioning to rpm_t, for up2date
++ rpm_domtrans($1_userhelper_t)
++ ')
++ ')
++
+ optional_policy(`
tunable_policy(`! secure_mode',`
- #if we are not in secure mode then we can transition to sysadm_t
++ #if we are not in secure mode then we can transition to sysadm_t
sysadm_bin_spec_domtrans($1_userhelper_t)
-@@ -255,3 +246,91 @@ interface(`userhelper_exec',`
+ sysadm_entry_spec_domtrans($1_userhelper_t)
+ ')
+@@ -99,7 +158,7 @@ template(`userhelper_role_template',`
+
+ ########################################
+ ## <summary>
+-## Search userhelper configuration directories.
++## Search the userhelper configuration directory.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -118,7 +177,7 @@ interface(`userhelper_search_config',`
+ ########################################
+ ## <summary>
+ ## Do not audit attempts to search
+-## userhelper configuration directories.
++## the userhelper configuration directory.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -136,8 +195,7 @@ interface(`userhelper_dontaudit_search_config',`
+
+ ########################################
+ ## <summary>
+-## Send and receive messages from
+-## consolehelper over dbus.
++## Allow domain to use userhelper file descriptor.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -145,19 +203,17 @@ interface(`userhelper_dontaudit_search_config',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`userhelper_dbus_chat_all_consolehelper',`
++interface(`userhelper_use_fd',`
+ gen_require(`
+- attribute consolehelper_type;
+- class dbus send_msg;
++ attribute userhelper_type;
+ ')
+
+- allow $1 consolehelper_type:dbus send_msg;
+- allow consolehelper_type $1:dbus send_msg;
++ allow $1 userhelper_type:fd use;
+ ')
+
+ ########################################
+ ## <summary>
+-## Use userhelper all userhelper file descriptors.
++## Allow domain to send sigchld to userhelper.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -165,17 +221,17 @@ interface(`userhelper_dbus_chat_all_consolehelper',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`userhelper_use_fd',`
++interface(`userhelper_sigchld',`
+ gen_require(`
+ attribute userhelper_type;
+ ')
- can_exec($1, userhelper_exec_t)
+- allow $1 userhelper_type:fd use;
++ allow $1 userhelper_type:process sigchld;
')
+
+ ########################################
+ ## <summary>
+-## Send child terminated signals to all userhelper.
++## Execute the userhelper program in the caller domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -183,17 +239,87 @@ interface(`userhelper_use_fd',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`userhelper_sigchld',`
++interface(`userhelper_exec',`
+ gen_require(`
+- attribute userhelper_type;
++ type userhelper_exec_t;
+ ')
+
+- allow $1 userhelper_type:process sigchld;
++ can_exec($1, userhelper_exec_t)
++')
+
+#######################################
+## <summary>
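Review bot: The two new rules `allow $1_userhelper_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };` and `allow $1_userhelper_t self:process setexec;` cancel each other on setexec, so the net grant is exactly the complement set the removed `allow userhelper_type self:process ~{ ptrace setcurrent setfscreate setrlimit execmem execstack execheap };` rule had; either drop setexec from the exclusion list or drop the second rule, and say which is intended. The complement form also grants every process permission that is not named, which is hard to audit for a domain that holds setuid/setgid capabilities, relabels all ttys/ptys and may transition to sysadm_t a few lines further down; an explicit positive list would make the least-privilege intent reviewable on the next merge. The `userhelper_role_template` body continues past the inner hunk that adds these rules.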
@@ -69463,116 +79246,244 @@ index 65baaac..3b93d32 100644
+ xserver_run_xauth($1_consolehelper_t, $2)
+ xserver_read_xdm_pid($1_consolehelper_t)
+ ')
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Execute the userhelper program in the caller domain.
+## Execute the consolehelper program in the caller domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -201,11 +327,10 @@ interface(`userhelper_sigchld',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`userhelper_exec',`
+interface(`userhelper_exec_console',`
-+ gen_require(`
+ gen_require(`
+- type userhelper_exec_t;
+ type consolehelper_exec_t;
-+ ')
-+
+ ')
+
+- corecmd_search_bin($1)
+- can_exec($1, userhelper_exec_t)
+ can_exec($1, consolehelper_exec_t)
-+')
+ ')
diff --git a/userhelper.te b/userhelper.te
-index f25ed61..1b381f0 100644
+index 274ed9c..1b381f0 100644
--- a/userhelper.te
+++ b/userhelper.te
-@@ -6,9 +6,81 @@ policy_module(userhelper, 1.7.0)
+@@ -1,18 +1,15 @@
+-policy_module(userhelper, 1.7.3)
++policy_module(userhelper, 1.7.0)
+
+ ########################################
+ #
+ # Declarations
#
+-attribute consolehelper_type;
attribute userhelper_type;
+-
+-attribute_role consolehelper_roles;
+-attribute_role userhelper_roles;
+attribute consolehelper_domain;
type userhelper_conf_t;
- files_type(userhelper_conf_t)
+-files_config_file(userhelper_conf_t)
++files_type(userhelper_conf_t)
type userhelper_exec_t;
application_executable_file(userhelper_exec_t)
-+
-+type consolehelper_exec_t;
-+application_executable_file(consolehelper_exec_t)
-+
-+########################################
-+#
+@@ -22,141 +19,68 @@ application_executable_file(consolehelper_exec_t)
+
+ ########################################
+ #
+-# Common consolehelper domain local policy
+# consolehelper local policy
-+#
-+
+ #
+
+-allow consolehelper_type self:capability { setgid setuid dac_override };
+-allow consolehelper_type self:process signal;
+-allow consolehelper_type self:fifo_file rw_fifo_file_perms;
+-allow consolehelper_type self:unix_stream_socket create_stream_socket_perms;
+-allow consolehelper_type self:shm create_shm_perms;
+-
+-dontaudit consolehelper_type userhelper_conf_t:file audit_access;
+-read_files_pattern(consolehelper_type, userhelper_conf_t, userhelper_conf_t)
+allow consolehelper_domain self:shm create_shm_perms;
+allow consolehelper_domain self:capability { setgid setuid dac_override };
+allow consolehelper_domain self:process signal;
-+
+
+-domain_use_interactive_fds(consolehelper_type)
+allow consolehelper_domain userhelper_conf_t:file audit_access;
+dontaudit consolehelper_domain userhelper_conf_t:file write;
+read_files_pattern(consolehelper_domain, userhelper_conf_t, userhelper_conf_t)
-+
+
+-kernel_read_system_state(consolehelper_type)
+-kernel_read_kernel_sysctls(consolehelper_type)
+# Init script handling
+domain_use_interactive_fds(consolehelper_domain)
-+
+
+-corecmd_exec_bin(consolehelper_type)
+# internal communication is often done using fifo and unix sockets.
+allow consolehelper_domain self:fifo_file rw_fifo_file_perms;
+allow consolehelper_domain self:unix_stream_socket create_stream_socket_perms;
-+
+
+-dev_getattr_all_chr_files(consolehelper_type)
+-dev_dontaudit_list_all_dev_nodes(consolehelper_type)
+kernel_read_kernel_sysctls(consolehelper_domain)
-+
+
+-files_read_config_files(consolehelper_type)
+-files_read_usr_files(consolehelper_type)
+corecmd_exec_bin(consolehelper_domain)
-+
+
+-fs_getattr_all_dirs(consolehelper_type)
+-fs_getattr_all_fs(consolehelper_type)
+-fs_search_auto_mountpoints(consolehelper_type)
+-files_search_mnt(consolehelper_type)
+dev_getattr_all_chr_files(consolehelper_domain)
+dev_dontaudit_list_all_dev_nodes(consolehelper_domain)
+dev_dontaudit_getattr_all(consolehelper_domain)
+fs_getattr_all_fs(consolehelper_domain)
+fs_getattr_all_dirs(consolehelper_domain)
-+
+
+-term_list_ptys(consolehelper_type)
+files_read_config_files(consolehelper_domain)
+files_read_usr_files(consolehelper_domain)
-+
+
+-auth_search_pam_console_data(consolehelper_type)
+-auth_read_pam_pid(consolehelper_type)
+term_list_ptys(consolehelper_domain)
-+
+
+-miscfiles_read_localization(consolehelper_type)
+-miscfiles_read_fonts(consolehelper_type)
+auth_search_pam_console_data(consolehelper_domain)
+auth_read_pam_pid(consolehelper_domain)
-+
+
+-userhelper_exec(consolehelper_type)
+init_read_utmp(consolehelper_domain)
+init_telinit(consolehelper_domain)
-+
+
+-userdom_use_user_terminals(consolehelper_type)
+miscfiles_read_fonts(consolehelper_domain)
-+
+
+-# might want to make this consolehelper_tmp_t
+-userdom_manage_user_tmp_dirs(consolehelper_type)
+-userdom_manage_user_tmp_files(consolehelper_type)
+-userdom_tmp_filetrans_user_tmp(consolehelper_type, { dir file })
+-
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_search_nfs(consolehelper_type)
+-')
+userhelper_exec(consolehelper_domain)
-+
+
+-tunable_policy(`use_samba_home_dirs',`
+- fs_search_cifs(consolehelper_type)
+-')
+userdom_use_user_ptys(consolehelper_domain)
+userdom_use_user_ttys(consolehelper_domain)
+userdom_read_user_home_content_files(consolehelper_domain)
-+
-+optional_policy(`
+
+ optional_policy(`
+- shutdown_run(consolehelper_type, consolehelper_roles)
+- shutdown_signal(consolehelper_type)
+ gnome_read_gconf_home_files(consolehelper_domain)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- xserver_domtrans_xauth(consolehelper_type)
+- xserver_read_xdm_pid(consolehelper_type)
+- xserver_stream_connect(consolehelper_type)
+ xserver_read_home_fonts(consolehelper_domain)
+ xserver_stream_connect(consolehelper_domain)
-+')
-+
+ ')
+
+-########################################
+-#
+-# Common userhelper domain local policy
+-#
+-
+-allow userhelper_type self:capability { setuid setgid net_bind_service dac_override chown sys_tty_config };
+-allow userhelper_type self:process ~{ ptrace setcurrent setfscreate setrlimit execmem execstack execheap };
+-allow userhelper_type self:fd use;
+-allow userhelper_type self:fifo_file rw_fifo_file_perms;
+-allow userhelper_type self:shm create_shm_perms;
+-allow userhelper_type self:sem create_sem_perms;
+-allow userhelper_type self:msgq create_msgq_perms;
+-allow userhelper_type self:msg { send receive };
+-allow userhelper_type self:unix_dgram_socket sendto;
+-allow userhelper_type self:unix_stream_socket { accept connectto listen };
+-
+-dontaudit userhelper_type userhelper_conf_t:file audit_access;
+-read_files_pattern(userhelper_type, userhelper_conf_t, userhelper_conf_t)
+-
+-can_exec(userhelper_type, userhelper_exec_t)
+-
+-kernel_read_all_sysctls(userhelper_type)
+-kernel_getattr_debugfs(userhelper_type)
+-kernel_read_system_state(userhelper_type)
+-
+-corecmd_exec_shell(userhelper_type)
+-
+-domain_use_interactive_fds(userhelper_type)
+-domain_sigchld_interactive_fds(userhelper_type)
+-
+-dev_read_urand(userhelper_type)
+-dev_list_all_dev_nodes(userhelper_type)
+-
+-files_list_var_lib(userhelper_type)
+-files_read_var_files(userhelper_type)
+-files_read_var_symlinks(userhelper_type)
+-files_search_home(userhelper_type)
+-
+-fs_getattr_all_fs(userhelper_type)
+-fs_search_auto_mountpoints(userhelper_type)
+-
+-selinux_get_fs_mount(userhelper_type)
+-selinux_validate_context(userhelper_type)
+-selinux_compute_access_vector(userhelper_type)
+-selinux_compute_create_context(userhelper_type)
+-selinux_compute_relabel_context(userhelper_type)
+-selinux_compute_user_contexts(userhelper_type)
+-
+-term_list_ptys(userhelper_type)
+-term_relabel_all_ttys(userhelper_type)
+-term_relabel_all_ptys(userhelper_type)
+-term_use_all_ttys(userhelper_type)
+-term_use_all_ptys(userhelper_type)
+-
+-auth_manage_pam_pid(userhelper_type)
+-auth_manage_var_auth(userhelper_type)
+-auth_search_pam_console_data(userhelper_type)
+-
+-init_use_fds(userhelper_type)
+-init_manage_utmp(userhelper_type)
+-init_pid_filetrans_utmp(userhelper_type)
+-
+-logging_send_syslog_msg(userhelper_type)
+-
+-miscfiles_read_localization(userhelper_type)
+-
+-seutil_read_config(userhelper_type)
+-seutil_read_default_contexts(userhelper_type)
+tunable_policy(`use_nfs_home_dirs',`
+ files_search_mnt(consolehelper_domain)
+ fs_search_nfs(consolehelper_domain)
+')
-+
+
+-optional_policy(`
+- rpm_domtrans(userhelper_type)
+tunable_policy(`use_samba_home_dirs',`
+ files_search_mnt(consolehelper_domain)
+ fs_search_cifs(consolehelper_domain)
-+')
+ ')
diff --git a/usernetctl.if b/usernetctl.if
-index d45c715..2d4f1ba 100644
+index 7deec55..325bb57 100644
--- a/usernetctl.if
+++ b/usernetctl.if
-@@ -37,9 +37,26 @@ interface(`usernetctl_domtrans',`
+@@ -39,9 +39,26 @@ interface(`usernetctl_domtrans',`
#
interface(`usernetctl_run',`
gen_require(`
@@ -69587,7 +79498,7 @@ index d45c715..2d4f1ba 100644
+ #roleattribute $2 usernetctl_roles;
+
+ sysnet_run_ifconfig(usernetctl_t, $2)
-+ sysnet_run_dhcpc(usernetctl_t, $2)
++ sysnet_run_dhcpc(usernetctl_t, $2)
+
+ optional_policy(`
+ iptables_run(usernetctl_t, $2)
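Review bot: `#roleattribute $2 usernetctl_roles;` is commented-out policy rather than removed policy, and the usernetctl.te hunks below do the same with `#sysnet_run_ifconfig(usernetctl_t, usernetctl_roles)`, `#sysnet_run_dhcpc(...)`, `# consoletype_run(...)` and the `#optional_policy(` ppp_run block. Commented-out rules in .te/.if files read as if they might be re-enabled and hide the real reason the role attribute was dropped; deleting them and leaving a single comment such as `# role-scoped run rules live in usernetctl_run ($2) in usernetctl.if` keeps the policy readable. The `usernetctl_run` interface closes outside this hunk.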
@@ -69603,10 +79514,10 @@ index d45c715..2d4f1ba 100644
+
')
diff --git a/usernetctl.te b/usernetctl.te
-index 19c70bb..8a00ab0 100644
+index dd3f01e..a2229f7 100644
--- a/usernetctl.te
+++ b/usernetctl.te
-@@ -5,13 +5,14 @@ policy_module(usernetctl, 1.6.0)
+@@ -5,13 +5,14 @@ policy_module(usernetctl, 1.6.1)
# Declarations
#
@@ -69623,15 +79534,7 @@ index 19c70bb..8a00ab0 100644
########################################
#
-@@ -42,7 +43,6 @@ corecmd_exec_shell(usernetctl_t)
-
- domain_dontaudit_read_all_domains_state(usernetctl_t)
-
--files_read_etc_files(usernetctl_t)
- files_exec_etc_files(usernetctl_t)
- files_read_etc_runtime_files(usernetctl_t)
- files_list_pids(usernetctl_t)
-@@ -55,36 +55,36 @@ auth_use_nsswitch(usernetctl_t)
+@@ -48,31 +49,36 @@ auth_use_nsswitch(usernetctl_t)
logging_send_syslog_msg(usernetctl_t)
@@ -69639,19 +79542,19 @@ index 19c70bb..8a00ab0 100644
-
seutil_read_config(usernetctl_t)
- sysnet_read_config(usernetctl_t)
-sysnet_run_ifconfig(usernetctl_t, usernetctl_roles)
-sysnet_run_dhcpc(usernetctl_t, usernetctl_roles)
-
--userdom_use_user_terminals(usernetctl_t)
-+userdom_use_inherited_user_terminals(usernetctl_t)
++sysnet_read_config(usernetctl_t)
+
+#sysnet_run_ifconfig(usernetctl_t, usernetctl_roles)
+#sysnet_run_dhcpc(usernetctl_t, usernetctl_roles)
+-userdom_use_user_terminals(usernetctl_t)
++userdom_use_inherited_user_terminals(usernetctl_t)
+
optional_policy(`
- consoletype_run(usernetctl_t, usernetctl_roles)
-+ #consoletype_run(usernetctl_t, usernetctl_roles)
++# consoletype_run(usernetctl_t, usernetctl_roles)
+ consoletype_exec(usernetctl_t)
')
@@ -69674,37 +79577,42 @@ index 19c70bb..8a00ab0 100644
+#')
optional_policy(`
- nis_use_ypbind(usernetctl_t)
- ')
-
--optional_policy(`
- ppp_run(usernetctl_t, usernetctl_roles)
--')
++ nis_use_ypbind(usernetctl_t)
+ ')
++
+#optional_policy(`
+# ppp_run(usernetctl_t, usernetctl_roles)
+#')
diff --git a/uucp.if b/uucp.if
-index ebc5414..8f8ac45 100644
+index af9acc0..0119768 100644
--- a/uucp.if
+++ b/uucp.if
-@@ -99,8 +99,11 @@ interface(`uucp_admin',`
- type uucpd_var_run_t;
+@@ -104,14 +104,13 @@ interface(`uucp_admin',`
+ type uucpd_var_run_t, uucpd_initrc_exec_t;
')
+- init_labeled_script_domtrans($1, uucpd_initrc_exec_t)
+- domain_system_change_exemption($1)
+- role_transition $2 uucpd_initrc_exec_t system_r;
+- allow $2 system_r;
+-
- allow $1 uucpd_t:process { ptrace signal_perms };
+ allow $1 uucpd_t:process signal_perms;
ps_process_pattern($1, uucpd_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 uucpd_t:process ptrace;
+ ')
-
++
logging_list_logs($1)
admin_pattern($1, uucpd_log_t)
+
diff --git a/uucp.te b/uucp.te
-index d4349e9..e338438 100644
+index 380902c..3886551 100644
--- a/uucp.te
+++ b/uucp.te
-@@ -24,7 +24,7 @@ type uucpd_ro_t;
+@@ -31,7 +31,7 @@ type uucpd_ro_t;
files_type(uucpd_ro_t)
type uucpd_spool_t;
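Review bot: After this change `uucp_admin` still requires `type uucpd_var_run_t, uucpd_initrc_exec_t;` but, within the visible hunk, every use of uucpd_initrc_exec_t (`init_labeled_script_domtrans($1, uucpd_initrc_exec_t)`, `role_transition $2 uucpd_initrc_exec_t system_r;`, `allow $2 system_r;`) is removed, so the require is probably dead unless something outside the hunk still references it. If dropping the init-script transition from the admin interface is intended, shrink the require to `type uucpd_var_run_t;` and add a one-line comment saying why; if not, this removal silently takes the start/stop path for uucpd away from the admin role. The interface body continues past the hunk.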
@@ -69713,85 +79621,60 @@ index d4349e9..e338438 100644
type uucpd_log_t;
logging_log_file(uucpd_log_t)
-@@ -74,7 +74,6 @@ kernel_read_kernel_sysctls(uucpd_t)
+@@ -84,15 +84,19 @@ kernel_read_kernel_sysctls(uucpd_t)
kernel_read_system_state(uucpd_t)
kernel_read_network_state(uucpd_t)
-corenet_all_recvfrom_unlabeled(uucpd_t)
corenet_all_recvfrom_netlabel(uucpd_t)
corenet_tcp_sendrecv_generic_if(uucpd_t)
- corenet_udp_sendrecv_generic_if(uucpd_t)
-@@ -83,6 +82,7 @@ corenet_udp_sendrecv_generic_node(uucpd_t)
- corenet_tcp_sendrecv_all_ports(uucpd_t)
- corenet_udp_sendrecv_all_ports(uucpd_t)
- corenet_tcp_connect_ssh_port(uucpd_t)
-+corenet_tcp_connect_uucpd_port(uucpd_t)
+ corenet_tcp_sendrecv_generic_node(uucpd_t)
++corenet_udp_sendrecv_generic_node(uucpd_t)
++corenet_tcp_sendrecv_all_ports(uucpd_t)
++corenet_udp_sendrecv_all_ports(uucpd_t)
- dev_read_urand(uucpd_t)
+ corenet_sendrecv_ssh_client_packets(uucpd_t)
+ corenet_tcp_connect_ssh_port(uucpd_t)
+ corenet_tcp_sendrecv_ssh_port(uucpd_t)
-@@ -91,7 +91,6 @@ fs_getattr_xattr_fs(uucpd_t)
++corenet_tcp_connect_uucpd_port(uucpd_t)
++
corecmd_exec_bin(uucpd_t)
corecmd_exec_shell(uucpd_t)
--files_read_etc_files(uucpd_t)
- files_search_home(uucpd_t)
- files_search_spool(uucpd_t)
-
-@@ -101,8 +100,6 @@ auth_use_nsswitch(uucpd_t)
+@@ -110,7 +114,7 @@ auth_use_nsswitch(uucpd_t)
logging_send_syslog_msg(uucpd_t)
-miscfiles_read_localization(uucpd_t)
--
- mta_send_mail(uucpd_t)
++mta_send_mail(uucpd_t)
optional_policy(`
-@@ -125,18 +122,19 @@ optional_policy(`
- allow uux_t self:capability { setuid setgid };
- allow uux_t self:fifo_file write_fifo_file_perms;
-
-+domtrans_pattern(uux_t, uucpd_exec_t, uucpd_t)
-+
- uucp_append_log(uux_t)
- uucp_manage_spool(uux_t)
-
- corecmd_exec_bin(uux_t)
-
--files_read_etc_files(uux_t)
-
- fs_rw_anon_inodefs_files(uux_t)
-
--logging_send_syslog_msg(uux_t)
-+auth_use_nsswitch(uux_t)
+ cron_system_entry(uucpd_t, uucpd_exec_t)
+@@ -160,10 +164,17 @@ auth_use_nsswitch(uux_t)
+ logging_search_logs(uux_t)
+ logging_send_syslog_msg(uux_t)
-miscfiles_read_localization(uux_t)
+logging_send_syslog_msg(uux_t)
optional_policy(`
mta_send_mail(uux_t)
-@@ -145,5 +143,5 @@ optional_policy(`
- ')
-
- optional_policy(`
-- nscd_socket_use(uux_t)
-+ postfix_rw_master_pipes(uux_t)
+ mta_read_queue(uux_t)
++')
++
++optional_policy(`
+ sendmail_dontaudit_rw_unix_stream_sockets(uux_t)
')
-diff --git a/uuidd.fc b/uuidd.fc
-index a7c9381..d810232 100644
---- a/uuidd.fc
-+++ b/uuidd.fc
-@@ -1,4 +1,5 @@
--/etc/rc\.d/init\.d/uuidd -- gen_context(system_u:object_r:uuidd_initrc_exec_t,s0)
+
-+/etc/rc\.d/init\.d/uuidd -- gen_context(system_u:object_r:uuidd_initrc_exec_t,s0)
-
- /usr/sbin/uuidd -- gen_context(system_u:object_r:uuidd_exec_t,s0)
-
++optional_policy(`
++ postfix_rw_inherited_master_pipes(uux_t)
++')
diff --git a/uuidd.if b/uuidd.if
-index 5d43bd5..879a5cb 100644
+index 6e48653..29e3648 100644
--- a/uuidd.if
+++ b/uuidd.if
-@@ -176,6 +176,9 @@ interface(`uuidd_admin',`
+@@ -180,6 +180,9 @@ interface(`uuidd_admin',`
allow $1 uuidd_t:process signal_perms;
ps_process_pattern($1, uuidd_t)
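Review bot: `logging_send_syslog_msg(uux_t)` is added two lines below a context line that already contains the same call, so uux_t ends up with the rule twice; the inner hunk should only drop `miscfiles_read_localization(uux_t)` and leave nothing in its place. The duplicate compiles, but it is patch noise that will conflict again on the next upstream merge.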
@@ -69802,16 +79685,16 @@ index 5d43bd5..879a5cb 100644
uuidd_initrc_domtrans($1)
domain_system_change_exemption($1)
diff --git a/uuidd.te b/uuidd.te
-index 04589dc..33b02b5 100644
+index e670f55..43199ee 100644
--- a/uuidd.te
+++ b/uuidd.te
-@@ -41,4 +41,3 @@ domain_use_interactive_fds(uuidd_t)
+@@ -44,4 +44,3 @@ domain_use_interactive_fds(uuidd_t)
files_read_etc_files(uuidd_t)
-miscfiles_read_localization(uuidd_t)
diff --git a/uwimap.te b/uwimap.te
-index 46d9811..f109ba3 100644
+index b81e5c8..d120c52 100644
--- a/uwimap.te
+++ b/uwimap.te
@@ -37,7 +37,6 @@ kernel_read_kernel_sysctls(imapd_t)
@@ -69822,20 +79705,29 @@ index 46d9811..f109ba3 100644
corenet_all_recvfrom_netlabel(imapd_t)
corenet_tcp_sendrecv_generic_if(imapd_t)
corenet_tcp_sendrecv_generic_node(imapd_t)
-@@ -65,8 +64,6 @@ auth_domtrans_chk_passwd(imapd_t)
+@@ -56,8 +55,6 @@ dev_read_urand(imapd_t)
+
+ domain_use_interactive_fds(imapd_t)
+
+-files_read_etc_files(imapd_t)
+-
+ fs_getattr_all_fs(imapd_t)
+ fs_search_auto_mountpoints(imapd_t)
+
+@@ -65,8 +62,6 @@ auth_domtrans_chk_passwd(imapd_t)
logging_send_syslog_msg(imapd_t)
-miscfiles_read_localization(imapd_t)
-
- sysnet_read_config(imapd_t)
+ sysnet_dns_name_resolve(imapd_t)
userdom_dontaudit_use_unpriv_user_fds(imapd_t)
diff --git a/varnishd.if b/varnishd.if
-index 93975d6..bd248ce 100644
+index 1c35171..2cba4df 100644
--- a/varnishd.if
+++ b/varnishd.if
-@@ -151,12 +151,16 @@ interface(`varnishd_manage_log',`
+@@ -153,12 +153,16 @@ interface(`varnishd_manage_log',`
#
interface(`varnishd_admin_varnishlog',`
gen_require(`
@@ -69853,21 +79745,23 @@ index 93975d6..bd248ce 100644
init_labeled_script_domtrans($1, varnishlog_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -194,8 +198,11 @@ interface(`varnishd_admin',`
+@@ -196,9 +200,13 @@ interface(`varnishd_admin',`
type varnishd_initrc_exec_t;
')
- allow $1 varnishd_t:process { ptrace signal_perms };
+ allow $1 varnishd_t:process signal_perms;
ps_process_pattern($1, varnishd_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 varnishd_t:process ptrace;
+ ')
-
++
init_labeled_script_domtrans($1, varnishd_initrc_exec_t)
domain_system_change_exemption($1)
+ role_transition $2 varnishd_initrc_exec_t system_r;
diff --git a/varnishd.te b/varnishd.te
-index f9310f3..b4dafb7 100644
+index 9d4d8cb..cd79417 100644
--- a/varnishd.te
+++ b/varnishd.te
@@ -21,7 +21,7 @@ type varnishd_initrc_exec_t;
@@ -69895,30 +79789,22 @@ index f9310f3..b4dafb7 100644
-allow varnishd_t self:process signal;
+allow varnishd_t self:process { execmem signal };
allow varnishd_t self:fifo_file rw_fifo_file_perms;
- allow varnishd_t self:tcp_socket create_stream_socket_perms;
- allow varnishd_t self:udp_socket create_socket_perms;
-@@ -87,14 +87,14 @@ corenet_tcp_connect_http_port(varnishd_t)
-
- dev_read_urand(varnishd_t)
+ allow varnishd_t self:tcp_socket { accept listen };
-+files_read_usr_files(varnishd_t)
-+
- fs_getattr_all_fs(varnishd_t)
-
- auth_use_nsswitch(varnishd_t)
+@@ -111,7 +111,7 @@ auth_use_nsswitch(varnishd_t)
logging_send_syslog_msg(varnishd_t)
-miscfiles_read_localization(varnishd_t)
--
- sysnet_read_config(varnishd_t)
++sysnet_read_config(varnishd_t)
tunable_policy(`varnishd_connect_any',`
+ corenet_sendrecv_all_client_packets(varnishd_t)
diff --git a/vbetool.te b/vbetool.te
-index 001c93c..f918ed2 100644
+index 14e1eec..b33d259 100644
--- a/vbetool.te
+++ b/vbetool.te
-@@ -22,6 +22,7 @@ init_system_domain(vbetool_t, vbetool_exec_t)
+@@ -27,6 +27,7 @@ role vbetool_roles types vbetool_t;
#
allow vbetool_t self:capability { dac_override sys_tty_config sys_admin };
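Review bot: `allow varnishd_t self:process { execmem signal };` in the varnishd.te part of this hunk grants the daemon anonymous writable-and-executable memory with no comment saying which code path needs it; execmem is the permission that switches off the W^X guarantee for the whole domain, so it deserves a why-comment such as `# execmem: needed by <component - TODO confirm>` or, better, a boolean so hosts that do not need it can keep it off. From the `-`/`+` markers this line looks like pre-existing Fedora patch content whose context merely moved, so this is an existing gap rather than one the merge introduces. The inner hunk that carries `++sysnet_read_config(varnishd_t)` continues outside this outer hunk, so I cannot see whether the rest of that block still applies cleanly.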
@@ -69926,7 +79812,7 @@ index 001c93c..f918ed2 100644
allow vbetool_t self:process execmem;
dev_wx_raw_memory(vbetool_t)
-@@ -38,7 +39,6 @@ mls_file_write_all_levels(vbetool_t)
+@@ -43,7 +44,6 @@ mls_file_write_all_levels(vbetool_t)
term_use_unallocated_ttys(vbetool_t)
@@ -69934,30 +79820,12 @@ index 001c93c..f918ed2 100644
tunable_policy(`vbetool_mmap_zero_ignore',`
dontaudit vbetool_t self:memprotect mmap_zero;
-diff --git a/vdagent.fc b/vdagent.fc
-index 21c5f41..3ae71ae 100644
---- a/vdagent.fc
-+++ b/vdagent.fc
-@@ -1,7 +1,7 @@
- /usr/sbin/spice-vdagentd -- gen_context(system_u:object_r:vdagent_exec_t,s0)
-
- /var/log/spice-vdagentd(/.*)? gen_context(system_u:object_r:vdagent_log_t,s0)
--/var/log/spice-vdagentd\.log -- gen_context(system_u:object_r:vdagent_log_t,s0)
-+/var/log/spice-vdagentd\.log.* -- gen_context(system_u:object_r:vdagent_log_t,s0)
-
- /var/run/spice-vdagentd(/.*)? gen_context(system_u:object_r:vdagent_var_run_t,s0)
--/var/run/spice-vdagentd.\pid -- gen_context(system_u:object_r:vdagent_var_run_t,s0)
-+/var/run/spice-vdagentd\.pid -- gen_context(system_u:object_r:vdagent_var_run_t,s0)
diff --git a/vdagent.if b/vdagent.if
-index e59a074..b708678 100644
+index 31c752e..e9c041d 100644
--- a/vdagent.if
+++ b/vdagent.if
-@@ -20,39 +20,39 @@ interface(`vdagent_domtrans',`
-
- #####################################
- ## <summary>
--## Getattr on vdagent executable.
-+## Getattr on vdagent executable.
+@@ -24,15 +24,15 @@ interface(`vdagent_domtrans',`
+ ## Get attributes of vdagent executable files.
## </summary>
## <param name="domain">
-## <summary>
@@ -69975,14 +79843,10 @@ index e59a074..b708678 100644
+ type vdagent_exec_t;
+ ')
-- allow $1 vdagent_exec_t:file getattr;
-+ allow $1 vdagent_exec_t:file getattr;
+ allow $1 vdagent_exec_t:file getattr_file_perms;
')
-
- #######################################
- ## <summary>
--## Get the attributes of vdagent logs.
-+## Get the attributes of vdagent logs.
+@@ -42,18 +42,18 @@ interface(`vdagent_getattr_exec_files',`
+ ## Get attributes of vdagent log files.
## </summary>
## <param name="domain">
-## <summary>
@@ -70008,14 +79872,8 @@ index e59a074..b708678 100644
')
########################################
-@@ -76,22 +76,22 @@ interface(`vdagent_read_pid_files',`
-
- #####################################
- ## <summary>
--## Connect to vdagent over a unix domain
--## stream socket.
-+## Connect to vdagent over a unix domain
-+## stream socket.
+@@ -81,18 +81,18 @@ interface(`vdagent_read_pid_files',`
+ ## domain stream socket.
## </summary>
## <param name="domain">
-## <summary>
@@ -70041,7 +79899,7 @@ index e59a074..b708678 100644
')
########################################
-@@ -104,12 +104,6 @@ interface(`vdagent_stream_connect',`
+@@ -105,12 +105,6 @@ interface(`vdagent_stream_connect',`
## Domain allowed access.
## </summary>
## </param>
@@ -70054,7 +79912,7 @@ index e59a074..b708678 100644
#
interface(`vdagent_admin',`
gen_require(`
-@@ -118,6 +112,9 @@ interface(`vdagent_admin',`
+@@ -120,6 +114,9 @@ interface(`vdagent_admin',`
allow $1 vdagent_t:process signal_perms;
ps_process_pattern($1, vdagent_t)
@@ -70062,146 +79920,66 @@ index e59a074..b708678 100644
+ allow $1 vdagent_t:process ptrace;
+ ')
- files_search_pids($1)
- admin_pattern($1, vdagent_var_run_t)
+ init_labeled_script_domtrans($1, vdagentd_initrc_exec_t)
+ domain_system_change_exemption($1)
diff --git a/vdagent.te b/vdagent.te
-index 29e24e2..b1ca03a 100644
+index 77be35a..f9c0665 100644
--- a/vdagent.te
+++ b/vdagent.te
-@@ -21,6 +21,7 @@ logging_log_file(vdagent_log_t)
- #
+@@ -25,6 +25,7 @@ logging_log_file(vdagent_log_t)
dontaudit vdagent_t self:capability sys_admin;
-+allow vdagent_t self:process signal;
-
+ allow vdagent_t self:process signal;
++
allow vdagent_t self:fifo_file rw_fifo_file_perms;
- allow vdagent_t self:unix_stream_socket create_stream_socket_perms;
-@@ -32,7 +33,7 @@ files_pid_filetrans(vdagent_t, vdagent_var_run_t, { dir file sock_file })
+ allow vdagent_t self:unix_stream_socket { accept listen };
- manage_dirs_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
- manage_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
--logging_log_filetrans(vdagent_t, vdagent_log_t, file)
-+logging_log_filetrans(vdagent_t, vdagent_log_t, { file })
+@@ -47,9 +48,14 @@ files_read_etc_files(vdagent_t)
- dev_rw_input_dev(vdagent_t)
- dev_read_sysfs(vdagent_t)
-@@ -40,7 +41,16 @@ dev_dontaudit_write_mtrr(vdagent_t)
+ init_read_state(vdagent_t)
- files_read_etc_files(vdagent_t)
-
--miscfiles_read_localization(vdagent_t)
-+init_read_state(vdagent_t)
-+
+-logging_send_syslog_msg(vdagent_t)
+systemd_read_logind_sessions_files(vdagent_t)
+systemd_login_read_pid_files(vdagent_t)
+
+term_use_virtio_console(vdagent_t)
-+
+
+-miscfiles_read_localization(vdagent_t)
+userdom_read_all_users_state(vdagent_t)
+
+logging_send_syslog_msg(vdagent_t)
- optional_policy(`
- consolekit_dbus_chat(vdagent_t)
+ userdom_read_all_users_state(vdagent_t)
+
diff --git a/vhostmd.if b/vhostmd.if
-index 1f872b5..8af4bce 100644
+index 22edd58..c3a5364 100644
--- a/vhostmd.if
+++ b/vhostmd.if
-@@ -52,7 +52,7 @@ interface(`vhostmd_read_tmpfs_files',`
- ')
-
- allow $1 vhostmd_tmpfs_t:file read_file_perms;
-- files_search_tmp($1)
-+ fs_search_tmpfs($1)
- ')
-
- ########################################
-@@ -90,7 +90,7 @@ interface(`vhostmd_rw_tmpfs_files',`
- ')
-
- rw_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
-- files_search_tmp($1)
-+ fs_search_tmpfs($1)
- ')
-
- ########################################
-@@ -109,7 +109,7 @@ interface(`vhostmd_manage_tmpfs_files',`
+@@ -216,9 +216,13 @@ interface(`vhostmd_admin',`
+ type vhostmd_tmpfs_t;
')
- manage_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
-- files_search_tmp($1)
-+ fs_search_tmpfs($1)
- ')
-
- ########################################
-@@ -146,7 +146,8 @@ interface(`vhostmd_manage_pid_files',`
- type vhostmd_var_run_t;
- ')
-
-- manage_files_pattern($1, vhostmd_var_run_t, vhostmd_var_run_t)
-+ files_search_pids($1)
-+ manage_files_pattern($1, vhostmd_var_run_t, vhostmd_var_run_t)
- ')
-
- ########################################
-@@ -209,8 +210,11 @@ interface(`vhostmd_admin',`
- type vhostmd_t, vhostmd_initrc_exec_t;
- ')
-
-- allow $1 vhostmd_t:process { ptrace signal_perms getattr };
+- allow $1 vhostmd_t:process { ptrace signal_perms };
+ allow $1 vhostmd_t:process signal_perms;
ps_process_pattern($1, vhostmd_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 vhostmd_t:process ptrace;
+ ')
-
++
vhostmd_initrc_domtrans($1)
domain_system_change_exemption($1)
-@@ -220,5 +224,4 @@ interface(`vhostmd_admin',`
- vhostmd_manage_tmpfs_files($1)
-
- vhostmd_manage_pid_files($1)
--
- ')
+ role_transition $2 vhostmd_initrc_exec_t system_r;
diff --git a/vhostmd.te b/vhostmd.te
-index 32a3c13..0cbca75 100644
+index 0be8535..b96e329 100644
--- a/vhostmd.te
+++ b/vhostmd.te
-@@ -24,8 +24,8 @@ files_pid_file(vhostmd_var_run_t)
- #
-
- allow vhostmd_t self:capability { dac_override ipc_lock setuid setgid };
--allow vhostmd_t self:process { setsched getsched };
--allow vhostmd_t self:fifo_file rw_file_perms;
-+allow vhostmd_t self:process { setsched getsched signal };
-+allow vhostmd_t self:fifo_file rw_fifo_file_perms;
-
- manage_dirs_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
- manage_files_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
-@@ -35,6 +35,7 @@ manage_dirs_pattern(vhostmd_t, vhostmd_var_run_t, vhostmd_var_run_t)
- manage_files_pattern(vhostmd_t, vhostmd_var_run_t, vhostmd_var_run_t)
- files_pid_filetrans(vhostmd_t, vhostmd_var_run_t, { file dir })
-
-+kernel_read_kernel_sysctls(vhostmd_t)
- kernel_read_system_state(vhostmd_t)
- kernel_read_network_state(vhostmd_t)
- kernel_write_xen_state(vhostmd_t)
-@@ -44,17 +45,21 @@ corecmd_exec_shell(vhostmd_t)
-
- corenet_tcp_connect_soundd_port(vhostmd_t)
-
--files_read_etc_files(vhostmd_t)
-+dev_read_rand(vhostmd_t)
-+dev_read_urand(vhostmd_t)
-+dev_read_sysfs(vhostmd_t)
-+
-+# 579803
-+files_list_tmp(vhostmd_t)
- files_read_usr_files(vhostmd_t)
-
-+dev_read_rand(vhostmd_t)
+@@ -58,14 +58,11 @@ dev_read_urand(vhostmd_t)
dev_read_sysfs(vhostmd_t)
+ files_list_tmp(vhostmd_t)
+-files_read_usr_files(vhostmd_t)
+
auth_use_nsswitch(vhostmd_t)
logging_send_syslog_msg(vhostmd_t)
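Review bot: `+-files_read_usr_files(vhostmd_t)` in the vhostmd.te part of this hunk (inner hunk `@@ -58,14 +58,11 @@`) removes the /usr read access the old patch kept as context, and nothing visible in this hunk adds it back; if vhostmd still reads under /usr this will surface as AVC denials, so either confirm an enclosing interface now covers it or keep the line. In the vdagent.te part, `userdom_read_all_users_state(vdagent_t)` appears on the new side twice (once as an inner addition, once as inner context), which the compiler tolerates but which suggests the patch was regenerated against two bases — worth deduplicating, and the reason vdagent needs to read every user's process state deserves a comment since it is a broad grant. The leading whitespace of the inner markers was lost in this rendering, so the marker reading above is inferred.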
@@ -70211,7 +79989,7 @@ index 32a3c13..0cbca75 100644
optional_policy(`
hostname_exec(vhostmd_t)
')
-@@ -66,6 +71,7 @@ optional_policy(`
+@@ -77,6 +74,7 @@ optional_policy(`
optional_policy(`
virt_stream_connect(vhostmd_t)
@@ -70220,12 +79998,15 @@ index 32a3c13..0cbca75 100644
optional_policy(`
diff --git a/virt.fc b/virt.fc
-index 2124b6a..e55e393 100644
+index c30da4c..014e40c 100644
--- a/virt.fc
+++ b/virt.fc
-@@ -1,6 +1,14 @@
--HOME_DIR/.virtinst(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
--HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_image_t,s0)
+@@ -1,52 +1,80 @@
+-HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
+-HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0)
+-HOME_DIR/\.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
+-HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
+-HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
+HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
+HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0)
+HOME_DIR/\.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
@@ -70235,46 +80016,83 @@ index 2124b6a..e55e393 100644
+HOME_DIR/\.config/libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
+HOME_DIR/\.config/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0)
+HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
- HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
++HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
+HOME_DIR/\.local/share/gnome-boxes/images(/.*)? gen_context(system_u:object_r:svirt_home_t,s0)
- /etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0)
+-/etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0)
++/etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0)
/etc/libvirt/[^/]* -- gen_context(system_u:object_r:virt_etc_t,s0)
-@@ -12,18 +20,59 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
- /etc/xen/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0)
- /etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0)
-
+ /etc/libvirt/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0)
+-/etc/libvirt/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0)
++/etc/libvirt/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0)
++/etc/rc\.d/init\.d/libvirtd -- gen_context(system_u:object_r:virtd_initrc_exec_t,s0)
++/etc/xen -d gen_context(system_u:object_r:virt_etc_t,s0)
++/etc/xen/[^/]* -- gen_context(system_u:object_r:virt_etc_t,s0)
++/etc/xen/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0)
++/etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0)
+
+-/etc/rc\.d/init\.d/libvirt-bin -- gen_context(system_u:object_r:virtd_initrc_exec_t,s0)
+-/etc/rc\.d/init\.d/libvirtd -- gen_context(system_u:object_r:virtd_initrc_exec_t,s0)
+/usr/libexec/libvirt_lxc -- gen_context(system_u:object_r:virtd_lxc_exec_t,s0)
+/usr/libexec/qemu-bridge-helper gen_context(system_u:object_r:virt_bridgehelper_exec_t,s0)
-+
-+/usr/sbin/libvirt-qmf -- gen_context(system_u:object_r:virt_qmf_exec_t,s0)
+
+-/etc/xen -d gen_context(system_u:object_r:virt_etc_t,s0)
+-/etc/xen/[^/]* -- gen_context(system_u:object_r:virt_etc_t,s0)
+-/etc/xen/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0)
+-/etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0)
+-
+-/usr/libexec/libvirt_lxc -- gen_context(system_u:object_r:virtd_lxc_exec_t,s0)
+-/usr/libexec/qemu-bridge-helper gen_context(system_u:object_r:virt_bridgehelper_exec_t,s0)
+-
+-/usr/bin/virsh -- gen_context(system_u:object_r:virsh_exec_t,s0)
+-/usr/bin/virt-sandbox-service.* -- gen_context(system_u:object_r:virsh_exec_t,s0)
+-
+-/usr/sbin/condor_vm-gahp -- gen_context(system_u:object_r:virtd_exec_t,s0)
+-/usr/sbin/fence_virtd -- gen_context(system_u:object_r:virsh_exec_t,s0)
+ /usr/sbin/libvirt-qmf -- gen_context(system_u:object_r:virt_qmf_exec_t,s0)
/usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0)
+/usr/bin/virsh -- gen_context(system_u:object_r:virsh_exec_t,s0)
+/usr/bin/virt-sandbox-service.* -- gen_context(system_u:object_r:virsh_exec_t,s0)
+/usr/sbin/condor_vm-gahp -- gen_context(system_u:object_r:virtd_exec_t,s0)
-
--/var/cache/libvirt(/.*)? gen_context(system_u:object_r:svirt_cache_t,s0)
-+/var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)
-
- /var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0)
- /var/lib/libvirt/boot(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
- /var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0)
- /var/lib/libvirt/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
--/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0)
++/usr/sbin/xl -- gen_context(system_u:object_r:virsh_exec_t,s0)
++/usr/sbin/xm -- gen_context(system_u:object_r:virsh_exec_t,s0)
+
+ /var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)
+
+-/var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0)
+-/var/lib/libvirt/boot(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
+-/var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0)
+-/var/lib/libvirt/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
+-/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0-mls_systemhigh)
+-
+-/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
+-/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
+-/var/log/vdsm(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
++/var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0)
++/var/lib/libvirt/boot(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
++/var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0)
++/var/lib/libvirt/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
+/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh)
+-/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
+-
+-/var/run/libguestfs(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
+/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
- /var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
++/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
+/var/log/vdsm(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
-+/var/run/libvirtd\.pid -- gen_context(system_u:object_r:virt_var_run_t,s0)
+ /var/run/libvirtd\.pid -- gen_context(system_u:object_r:virt_var_run_t,s0)
/var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
--/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0)
+-/var/run/libvirt/lxc(/.*)? gen_context(system_u:object_r:virtd_lxc_var_run_t,s0)
+-/var/run/libvirt-sandbox(/.*)? gen_context(system_u:object_r:virtd_lxc_var_run_t,s0)
+-/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0-mls_systemhigh)
+-/var/run/user/[^/]*/libguestfs(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
+-/var/run/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
+/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh)
+/var/run/libvirt/lxc(/.*)? gen_context(system_u:object_r:virt_lxc_var_run_t,s0)
+/var/run/libvirt-sandbox(/.*)? gen_context(system_u:object_r:virt_lxc_var_run_t,s0)
+/var/run/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
-
- /var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
++
++/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
+
+# support for AEOLUS project
+/usr/bin/imagefactory -- gen_context(system_u:object_r:virtd_exec_t,s0)
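Review bot: The new side drops upstream's file contexts for `/var/run/libguestfs(/.*)?` and `/var/run/user/[^/]*/libguestfs(/.*)?` (the `+-` lines in the middle of this hunk) without adding replacements, so those directories get whatever their parent's default context is unless a filetrans rule elsewhere labels them; if that is intended, a one-line comment in virt.fc stating where libguestfs runtime state is now labeled would save the next reviewer the search. The lxc socket directories use `virt_lxc_var_run_t` where the removed upstream lines used `virtd_lxc_var_run_t`; the .fc only builds if virt.te declares the former, which is outside this hunk, so please confirm the type name is consistent across the rest of the patch. These observations are inferred from the `+-`/`+` markers, whose leading whitespace was lost in this rendering.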
@@ -70304,58 +80122,92 @@ index 2124b6a..e55e393 100644
+/var/run/qemu-ga\.pid -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0)
+/var/log/qemu-ga\.log -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
diff --git a/virt.if b/virt.if
-index 6f0736b..408a20a 100644
+index 9dec06c..347f807 100644
--- a/virt.if
+++ b/virt.if
-@@ -13,67 +13,30 @@
+@@ -1,120 +1,51 @@
+-## <summary>Libvirt virtualization API.</summary>
++## <summary>Libvirt virtualization API</summary>
+
+-#######################################
++########################################
+ ## <summary>
+-## The template to define a virt domain.
++## Creates types and rules for a basic
++## qemu process domain.
+ ## </summary>
+-## <param name="domain_prefix">
++## <param name="prefix">
+ ## <summary>
+-## Domain prefix to be used.
++## Prefix for the domain.
+ ## </summary>
+ ## </param>
#
template(`virt_domain_template',`
gen_require(`
-- type virtd_t;
-- attribute virt_image_type;
-- attribute virt_domain;
+- attribute_role virt_domain_roles;
+- attribute virt_image_type, virt_domain, virt_tmpfs_type;
+- attribute virt_ptynode, virt_tmp_type;
+ attribute virt_image_type, virt_domain;
+ attribute virt_tmpfs_type;
+ attribute virt_ptynode;
+ type qemu_exec_t;
')
+- ########################################
+- #
+- # Declarations
+- #
+-
type $1_t, virt_domain;
-- domain_type($1_t)
+- application_type($1_t)
+- qemu_entry_type($1_t)
+ application_domain($1_t, qemu_exec_t)
domain_user_exemption_target($1_t)
-+ mls_rangetrans_target($1_t)
-+ mcs_untrusted_proc($1_t)
- role system_r types $1_t;
+ mls_rangetrans_target($1_t)
+ mcs_constrained($1_t)
+- role virt_domain_roles types $1_t;
++ role system_r types $1_t;
-- type $1_devpts_t;
-+ type $1_devpts_t, virt_ptynode;
+ type $1_devpts_t, virt_ptynode;
term_pty($1_devpts_t)
-- type $1_tmp_t;
+- type $1_tmp_t, virt_tmp_type;
- files_tmp_file($1_tmp_t)
+-
+- type $1_tmpfs_t, virt_tmpfs_type;
+- files_tmpfs_file($1_tmpfs_t)
+ kernel_read_system_state($1_t)
-- type $1_tmpfs_t;
-- files_tmpfs_file($1_tmpfs_t)
+- optional_policy(`
+- pulseaudio_tmpfs_content($1_tmpfs_t)
+- ')
+ auth_read_passwd($1_t)
- type $1_image_t, virt_image_type;
- files_type($1_image_t)
- dev_node($1_image_t)
+- dev_associate_sysfs($1_image_t)
+ logging_send_syslog_msg($1_t)
-- type $1_var_run_t;
-- files_pid_file($1_var_run_t)
+- ########################################
+- #
+- # Policy
+- #
-
-- allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr };
+- allow $1_t $1_devpts_t:chr_file { rw_term_perms setattr_chr_file_perms };
+ allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
term_create_pty($1_t, $1_devpts_t)
-
- manage_dirs_pattern($1_t, $1_image_t, $1_image_t)
- manage_files_pattern($1_t, $1_image_t, $1_image_t)
+- manage_fifo_files_pattern($1_t, $1_image_t, $1_image_t)
- read_lnk_files_pattern($1_t, $1_image_t, $1_image_t)
+- manage_sock_files_pattern($1_t, $1_image_t, $1_image_t)
+- rw_chr_files_pattern($1_t, $1_image_t, $1_image_t)
- rw_blk_files_pattern($1_t, $1_image_t, $1_image_t)
+- fs_hugetlbfs_filetrans($1_t, $1_image_t, file)
-
- manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
- manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
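Review bot: `role system_r types $1_t;` in virt_domain_template replaces upstream's `role virt_domain_roles types $1_t;` (together with the removed `attribute_role virt_domain_roles;` require), so every domain stamped from this template can only run in system_r and any user role that tries to launch such a domain directly will be refused at role level. A comment on the line such as `# guest domains are only spawned by virtd in system_r` would make that restriction read as deliberate rather than as a merge leftover. The template also appears to drop the per-domain `$1_tmp_t`/`$1_tmpfs_t`/`$1_image_t` declarations upstream keeps, which narrows what a guest may create; that is fine, but the new summary line `## Creates types and rules for a basic` then overstates it — `## Creates the process type and rules for a basic` is more accurate. The template body continues past this outer hunk.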
@@ -70367,389 +80219,934 @@ index 6f0736b..408a20a 100644
- manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
- fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file })
-
-- stream_connect_pattern(virtd_t, $1_var_run_t, $1_var_run_t, virt_domain)
-- manage_dirs_pattern(virtd_t, $1_var_run_t, $1_var_run_t)
-- manage_files_pattern(virtd_t, $1_var_run_t, $1_var_run_t)
-- manage_sock_files_pattern(virtd_t, $1_var_run_t, $1_var_run_t)
--
-- manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
-- manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
-- manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
-- manage_lnk_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
-- files_pid_filetrans($1_t, $1_var_run_t, { dir file })
-- stream_connect_pattern($1_t, $1_var_run_t, $1_var_run_t, virtd_t)
--
-- auth_use_nsswitch($1_t)
+- optional_policy(`
+- pulseaudio_run($1_t, virt_domain_roles)
+- ')
-
- optional_policy(`
- xserver_rw_shm($1_t)
- ')
+-')
+-
+-#######################################
+-## <summary>
+-## The template to define a virt lxc domain.
+-## </summary>
+-## <param name="domain_prefix">
+-## <summary>
+-## Domain prefix to be used.
+-## </summary>
+-## </param>
+-#
+-template(`virt_lxc_domain_template',`
+- gen_require(`
+- attribute_role svirt_lxc_domain_roles;
+- attribute svirt_lxc_domain;
+- ')
+-
+- type $1_t, svirt_lxc_domain;
+- domain_type($1_t)
+- domain_user_exemption_target($1_t)
+- mls_rangetrans_target($1_t)
+- mcs_constrained($1_t)
+- role svirt_lxc_domain_roles types $1_t;
')
########################################
-@@ -98,14 +61,32 @@ interface(`virt_image',`
- dev_node($1)
+ ## <summary>
+-## Make the specified type virt image type.
++## Make the specified type usable as a virt image
+ ## </summary>
+ ## <param name="type">
+ ## <summary>
+-## Type to be used as a virtual image.
++## Type to be used as a virtual image
+ ## </summary>
+ ## </param>
+ #
+@@ -125,51 +56,32 @@ interface(`virt_image',`
+
+ typeattribute $1 virt_image_type;
+ files_type($1)
+- dev_node($1)
+-')
+-
+-########################################
+-## <summary>
+-## Execute a domain transition to run virtd.
+-## </summary>
+-## <param name="domain">
+-## <summary>
+-## Domain allowed to transition.
+-## </summary>
+-## </param>
+-#
+-interface(`virt_domtrans',`
+- gen_require(`
+- type virtd_t, virtd_exec_t;
+- ')
+
+- corecmd_search_bin($1)
+- domtrans_pattern($1, virtd_exec_t, virtd_t)
++ # virt images can be assigned to blk devices
++ dev_node($1)
')
+-########################################
+#######################################
-+## <summary>
+ ## <summary>
+-## Execute a domain transition to run virt qmf.
+## Getattr on virt executable.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
+-## Domain allowed to transition.
+-## </summary>
+## <summary>
+## Domain allowed to transition.
+## </summary>
-+## </param>
-+#
+ ## </param>
+ #
+-interface(`virt_domtrans_qmf',`
+- gen_require(`
+- type virt_qmf_t, virt_qmf_exec_t;
+- ')
+interface(`virt_getattr_exec',`
+ gen_require(`
+ type virtd_exec_t;
+ ')
-+
+
+- corecmd_search_bin($1)
+- domtrans_pattern($1, virt_qmf_exec_t, virt_qmf_t)
+ allow $1 virtd_exec_t:file getattr;
-+')
-+
+ ')
+
########################################
## <summary>
- ## Execute a domain transition to run virt.
+-## Execute a domain transition to
+-## run virt bridgehelper.
++## Execute a domain transition to run virt.
## </summary>
## <param name="domain">
--## <summary>
-+## <summary>
+ ## <summary>
+@@ -177,161 +89,53 @@ interface(`virt_domtrans_qmf',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`virt_domtrans_bridgehelper',`
++interface(`virt_domtrans',`
+ gen_require(`
+- type virt_bridgehelper_t, virt_bridgehelper_exec_t;
++ type virtd_t, virtd_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+- domtrans_pattern($1, virt_bridgehelper_exec_t, virt_bridgehelper_t)
++ domtrans_pattern($1, virtd_exec_t, virtd_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Execute bridgehelper in the bridgehelper
+-## domain, and allow the specified role
+-## the bridgehelper domain.
++## Transition to virt_qmf.
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
+-## Domain allowed to transition.
+-## </summary>
+-## </param>
+-## <param name="role">
+-## <summary>
+-## Role allowed access.
+-## </summary>
+-## </param>
+-#
+-interface(`virt_run_bridgehelper',`
+- gen_require(`
+- attribute_role virt_bridgehelper_roles;
+- ')
+-
+- virt_domtrans_bridgehelper($1)
+- roleattribute $2 virt_bridgehelper_roles;
+-')
+-
+-########################################
+ ## <summary>
+-## Execute virt domain in the their
+-## domain, and allow the specified
+-## role that virt domain.
+-## </summary>
+-## <param name="domain">
+-## <summary>
## Domain allowed to transition.
+-## </summary>
+-## </param>
+-## <param name="role">
+-## <summary>
+-## Role allowed access.
+-## </summary>
+-## </param>
+-#
+-interface(`virt_run_virt_domain',`
+- gen_require(`
+- attribute virt_domain;
+- attribute_role virt_domain_roles;
+- ')
+-
+- allow $1 virt_domain:process { signal transition };
+- roleattribute $2 virt_domain_roles;
+-
+- allow virt_domain $1:fd use;
+- allow virt_domain $1:fifo_file rw_fifo_file_perms;
+- allow virt_domain $1:process sigchld;
+-')
+-
+-########################################
+-## <summary>
+-## Send generic signals to all virt domains.
-## </summary>
-+## </summary>
+-## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+-## </param>
+-#
+-interface(`virt_signal_all_virt_domains',`
+- gen_require(`
+- attribute virt_domain;
+- ')
+-
+- allow $1 virt_domain:process signal;
+-')
+-
+-########################################
+-## <summary>
+-## Send kill signals to all virt domains.
+ ## </summary>
+-## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
## </param>
#
- interface(`virt_domtrans',`
-@@ -116,9 +97,45 @@ interface(`virt_domtrans',`
- domtrans_pattern($1, virtd_exec_t, virtd_t)
- ')
-
-+########################################
-+## <summary>
-+## Transition to virt_qmf.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed to transition.
-+## </summary>
-+## </param>
-+#
+-interface(`virt_kill_all_virt_domains',`
+interface(`virt_domtrans_qmf',`
-+ gen_require(`
+ gen_require(`
+- attribute virt_domain;
+ type virt_qmf_t, virt_qmf_exec_t;
-+ ')
-+
+ ')
+
+- allow $1 virt_domain:process sigkill;
+ corecmd_search_bin($1)
+ domtrans_pattern($1, virt_qmf_exec_t, virt_qmf_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Execute svirt lxc domains in their
+-## domain, and allow the specified
+-## role that svirt lxc domain.
+## Transition to virt_bridgehelper.
-+## </summary>
-+## <param name="domain">
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
+-## Domain allowed to transition.
+-## </summary>
+-## </param>
+-## <param name="role">
+-## <summary>
+-## Role allowed access.
+-## </summary>
+-## </param>
+-#
+-interface(`virt_run_svirt_lxc_domain',`
+- gen_require(`
+- attribute svirt_lxc_domain;
+- attribute_role svirt_lxc_domain_roles;
+- ')
+-
+- allow $1 svirt_lxc_domain:process { signal transition };
+- roleattribute $2 svirt_lxc_domain_roles;
+-
+- allow svirt_lxc_domain $1:fd use;
+- allow svirt_lxc_domain $1:fifo_file rw_fifo_file_perms;
+- allow svirt_lxc_domain $1:process sigchld;
+-')
+-
+-#######################################
+ ## <summary>
+-## Get attributes of virtd executable files.
+## Domain allowed to transition.
-+## </summary>
-+## </param>
+ ## </summary>
+-## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+ ## </param>
+-#
+-interface(`virt_getattr_virtd_exec_files',`
+interface(`virt_domtrans_bridgehelper',`
-+ gen_require(`
+ gen_require(`
+- type virtd_exec_t;
+ type virt_bridgehelper_t, virt_bridgehelper_exec_t;
-+ ')
-+
+ ')
+
+- allow $1 virtd_exec_t:file getattr_file_perms;
+ domtrans_pattern($1, virt_bridgehelper_exec_t, virt_bridgehelper_t)
-+')
-+
+ ')
+
#######################################
## <summary>
--## Connect to virt over an unix domain stream socket.
+-## Connect to virt with a unix
+-## domain stream socket.
+## Connect to virt over a unix domain stream socket.
## </summary>
## <param name="domain">
## <summary>
-@@ -166,13 +183,13 @@ interface(`virt_attach_tun_iface',`
- #
- interface(`virt_read_config',`
- gen_require(`
-- type virt_etc_t;
-- type virt_etc_rw_t;
-+ type virt_etc_t, virt_etc_rw_t;
+@@ -350,7 +154,7 @@ interface(`virt_stream_connect',`
+
+ ########################################
+ ## <summary>
+-## Attach to virt tun devices.
++## Allow domain to attach to virt TUN devices
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -369,7 +173,7 @@ interface(`virt_attach_tun_iface',`
+
+ ########################################
+ ## <summary>
+-## Read virt configuration content.
++## Read virt config files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -383,7 +187,6 @@ interface(`virt_read_config',`
')
files_search_etc($1)
+- allow $1 { virt_etc_t virt_etc_rw_t }:dir list_dir_perms;
read_files_pattern($1, virt_etc_t, virt_etc_t)
read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
-+ read_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
- ')
+ read_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
+@@ -391,8 +194,7 @@ interface(`virt_read_config',`
########################################
-@@ -187,13 +204,13 @@ interface(`virt_read_config',`
- #
- interface(`virt_manage_config',`
- gen_require(`
-- type virt_etc_t;
-- type virt_etc_rw_t;
-+ type virt_etc_t, virt_etc_rw_t;
+ ## <summary>
+-## Create, read, write, and delete
+-## virt configuration content.
++## manage virt config files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -406,7 +208,6 @@ interface(`virt_manage_config',`
')
files_search_etc($1)
+- allow $1 { virt_etc_t virt_etc_rw_t }:dir manage_dir_perms;
manage_files_pattern($1, virt_etc_t, virt_etc_t)
manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
-+ manage_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
- ')
+ manage_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
+@@ -414,8 +215,7 @@ interface(`virt_manage_config',`
########################################
-@@ -233,6 +250,24 @@ interface(`virt_read_content',`
+ ## <summary>
+-## Create, read, write, and delete
+-## virt image files.
++## Allow domain to manage virt image files
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -450,8 +250,7 @@ interface(`virt_read_content',`
########################################
## <summary>
+-## Create, read, write, and delete
+-## virt content.
+## Allow domain to write virt image files
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -459,35 +258,17 @@ interface(`virt_read_content',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`virt_manage_virt_content',`
+interface(`virt_write_content',`
-+ gen_require(`
-+ type virt_content_t;
-+ ')
-+
+ gen_require(`
+ type virt_content_t;
+ ')
+
+- userdom_search_user_home_dirs($1)
+- allow $1 virt_content_t:dir manage_dir_perms;
+- allow $1 virt_content_t:file manage_file_perms;
+- allow $1 virt_content_t:fifo_file manage_fifo_file_perms;
+- allow $1 virt_content_t:lnk_file manage_lnk_file_perms;
+- allow $1 virt_content_t:sock_file manage_sock_file_perms;
+- allow $1 virt_content_t:blk_file manage_blk_file_perms;
+-
+- tunable_policy(`virt_use_nfs',`
+- fs_manage_nfs_dirs($1)
+- fs_manage_nfs_files($1)
+- fs_manage_nfs_symlinks($1)
+- ')
+-
+- tunable_policy(`virt_use_samba',`
+- fs_manage_cifs_dirs($1)
+- fs_manage_cifs_files($1)
+- fs_manage_cifs_symlinks($1)
+- ')
+ allow $1 virt_content_t:file write_file_perms;
-+')
-+
-+########################################
-+## <summary>
- ## Read virt PID files.
+ ')
+
+ ########################################
+ ## <summary>
+-## Relabel virt content.
++## Read virt PID files.
## </summary>
## <param name="domain">
-@@ -252,6 +287,28 @@ interface(`virt_read_pid_files',`
+ ## <summary>
+@@ -495,53 +276,40 @@ interface(`virt_manage_virt_content',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`virt_relabel_virt_content',`
++interface(`virt_read_pid_files',`
+ gen_require(`
+- type virt_content_t;
++ type virt_var_run_t;
+ ')
+
+- userdom_search_user_home_dirs($1)
+- allow $1 virt_content_t:dir relabel_dir_perms;
+- allow $1 virt_content_t:file relabel_file_perms;
+- allow $1 virt_content_t:fifo_file relabel_fifo_file_perms;
+- allow $1 virt_content_t:lnk_file relabel_lnk_file_perms;
+- allow $1 virt_content_t:sock_file relabel_sock_file_perms;
+- allow $1 virt_content_t:blk_file relabel_blk_file_perms;
++ files_search_pids($1)
++ read_files_pattern($1, virt_var_run_t, virt_var_run_t)
+ ')
########################################
## <summary>
+-## Create specified objects in user home
+-## directories with the virt content type.
+## Manage virt pid directories.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <param name="object_class">
+-## <summary>
+-## Class of the object being created.
+-## </summary>
+-## </param>
+-## <param name="name" optional="true">
+-## <summary>
+-## The name of the object being created.
+-## </summary>
+-## </param>
+ #
+-interface(`virt_home_filetrans_virt_content',`
+interface(`virt_manage_pid_dirs',`
-+ gen_require(`
+ gen_require(`
+- type virt_content_t;
+ type virt_var_run_t;
+ type virt_lxc_var_run_t;
-+ ')
-+
+ ')
+
+- virt_home_filetrans($1, virt_content_t, $2, $3)
+ files_search_pids($1)
+ manage_dirs_pattern($1, virt_var_run_t, virt_var_run_t)
+ manage_dirs_pattern($1, virt_lxc_var_run_t, virt_lxc_var_run_t)
+ virt_filetrans_named_content($1)
-+')
-+
-+########################################
-+## <summary>
- ## Manage virt pid files.
+ ')
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete
+-## svirt home content.
++## Manage virt pid files.
## </summary>
## <param name="domain">
-@@ -263,10 +320,47 @@ interface(`virt_read_pid_files',`
- interface(`virt_manage_pid_files',`
+ ## <summary>
+@@ -549,67 +317,36 @@ interface(`virt_home_filetrans_virt_content',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`virt_manage_svirt_home_content',`
++interface(`virt_manage_pid_files',`
gen_require(`
- type virt_var_run_t;
+- type svirt_home_t;
+- ')
+-
+- userdom_search_user_home_dirs($1)
+- allow $1 svirt_home_t:dir manage_dir_perms;
+- allow $1 svirt_home_t:file manage_file_perms;
+- allow $1 svirt_home_t:fifo_file manage_fifo_file_perms;
+- allow $1 svirt_home_t:lnk_file manage_lnk_file_perms;
+- allow $1 svirt_home_t:sock_file manage_sock_file_perms;
+-
+- tunable_policy(`virt_use_nfs',`
+- fs_manage_nfs_dirs($1)
+- fs_manage_nfs_files($1)
+- fs_manage_nfs_symlinks($1)
++ type virt_var_run_t;
+ type virt_lxc_var_run_t;
')
- files_search_pids($1)
- manage_files_pattern($1, virt_var_run_t, virt_var_run_t)
+- tunable_policy(`virt_use_samba',`
+- fs_manage_cifs_dirs($1)
+- fs_manage_cifs_files($1)
+- fs_manage_cifs_symlinks($1)
+- ')
++ files_search_pids($1)
++ manage_files_pattern($1, virt_var_run_t, virt_var_run_t)
+ manage_files_pattern($1, virt_lxc_var_run_t, virt_lxc_var_run_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Relabel svirt home content.
+## Create objects in the pid directory
+## with a private type with a type transition.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-#
+-interface(`virt_relabel_svirt_home_content',`
+- gen_require(`
+- type svirt_home_t;
+- ')
+-
+- userdom_search_user_home_dirs($1)
+- allow $1 svirt_home_t:dir relabel_dir_perms;
+- allow $1 svirt_home_t:file relabel_file_perms;
+- allow $1 svirt_home_t:fifo_file relabel_fifo_file_perms;
+- allow $1 svirt_home_t:lnk_file relabel_lnk_file_perms;
+- allow $1 svirt_home_t:sock_file relabel_sock_file_perms;
+-')
+-
+-########################################
+-## <summary>
+-## Create specified objects in user home
+-## directories with the svirt home type.
+-## </summary>
+-## <param name="domain">
+## <param name="file">
-+## <summary>
+ ## <summary>
+-## Domain allowed access.
+## Type to which the created node will be transitioned.
-+## </summary>
-+## </param>
+ ## </summary>
+ ## </param>
+-## <param name="object_class">
+## <param name="class">
-+## <summary>
+ ## <summary>
+-## Class of the object being created.
+## Object class(es) (single or set including {}) for which this
+## the transition will occur.
-+## </summary>
-+## </param>
-+## <param name="name" optional="true">
-+## <summary>
-+## The name of the object being created.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+ ## <param name="name" optional="true">
+@@ -618,54 +355,36 @@ interface(`virt_relabel_svirt_home_content',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`virt_home_filetrans_svirt_home',`
+interface(`virt_pid_filetrans',`
-+ gen_require(`
+ gen_require(`
+- type svirt_home_t;
+ type virt_var_run_t;
-+ ')
-+
+ ')
+
+- virt_home_filetrans($1, svirt_home_t, $2, $3)
+ filetrans_pattern($1, virt_var_run_t, $2, $3, $4)
')
########################################
-@@ -310,6 +404,24 @@ interface(`virt_read_lib_files',`
+ ## <summary>
+-## Create specified objects in generic
+-## virt home directories with private
+-## home type.
++## Search virt lib directories.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <param name="private_type">
+-## <summary>
+-## Private file type.
+-## </summary>
+-## </param>
+-## <param name="object_class">
+-## <summary>
+-## Class of the object being created.
+-## </summary>
+-## </param>
+-## <param name="name" optional="true">
+-## <summary>
+-## The name of the object being created.
+-## </summary>
+-## </param>
+ #
+-interface(`virt_home_filetrans',`
++interface(`virt_search_lib',`
+ gen_require(`
+- type virt_home_t;
++ type virt_var_lib_t;
+ ')
+
+- userdom_search_user_home_dirs($1)
+- filetrans_pattern($1, virt_home_t, $2, $3, $4)
++ allow $1 virt_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
+ ')
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete
+-## virt home files.
++## Read virt lib files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -673,54 +392,38 @@ interface(`virt_home_filetrans',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`virt_manage_home_files',`
++interface(`virt_read_lib_files',`
+ gen_require(`
+- type virt_home_t;
++ type virt_var_lib_t;
+ ')
+
+- userdom_search_user_home_dirs($1)
+- manage_files_pattern($1, virt_home_t, virt_home_t)
++ files_search_var_lib($1)
++ read_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
++ read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
+ ')
########################################
## <summary>
+-## Create, read, write, and delete
+-## virt home content.
+## Dontaudit inherited read virt lib files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+ #
+-interface(`virt_manage_generic_virt_home_content',`
+interface(`virt_dontaudit_read_lib_files',`
-+ gen_require(`
+ gen_require(`
+- type virt_home_t;
+- ')
+-
+- userdom_search_user_home_dirs($1)
+- allow $1 virt_home_t:dir manage_dir_perms;
+- allow $1 virt_home_t:file manage_file_perms;
+- allow $1 virt_home_t:fifo_file manage_fifo_file_perms;
+- allow $1 virt_home_t:lnk_file manage_lnk_file_perms;
+- allow $1 virt_home_t:sock_file manage_sock_file_perms;
+-
+- tunable_policy(`virt_use_nfs',`
+- fs_manage_nfs_dirs($1)
+- fs_manage_nfs_files($1)
+- fs_manage_nfs_symlinks($1)
+ type virt_var_lib_t;
-+ ')
-+
+ ')
+
+- tunable_policy(`virt_use_samba',`
+- fs_manage_cifs_dirs($1)
+- fs_manage_cifs_files($1)
+- fs_manage_cifs_symlinks($1)
+- ')
+ dontaudit $1 virt_var_lib_t:file read_inherited_file_perms;
-+')
-+
-+########################################
-+## <summary>
- ## Create, read, write, and delete
- ## virt lib files.
- ## </summary>
-@@ -354,9 +466,9 @@ interface(`virt_read_log',`
- ## virt log files.
+ ')
+
+ ########################################
+ ## <summary>
+-## Relabel virt home content.
++## Create, read, write, and delete
++## virt lib files.
## </summary>
## <param name="domain">
--## <summary>
-+## <summary>
- ## Domain allowed access.
--## </summary>
-+## </summary>
+ ## <summary>
+@@ -728,52 +431,78 @@ interface(`virt_manage_generic_virt_home_content',`
+ ## </summary>
## </param>
#
- interface(`virt_append_log',`
-@@ -390,6 +502,25 @@ interface(`virt_manage_log',`
+-interface(`virt_relabel_generic_virt_home_content',`
++interface(`virt_manage_lib_files',`
+ gen_require(`
+- type virt_home_t;
++ type virt_var_lib_t;
+ ')
+
+- userdom_search_user_home_dirs($1)
+- allow $1 virt_home_t:dir relabel_dir_perms;
+- allow $1 virt_home_t:file relabel_file_perms;
+- allow $1 virt_home_t:fifo_file relabel_fifo_file_perms;
+- allow $1 virt_home_t:lnk_file relabel_lnk_file_perms;
+- allow $1 virt_home_t:sock_file relabel_sock_file_perms;
++ files_search_var_lib($1)
++ manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
+ ')
########################################
## <summary>
-+## Allow domain to search virt image direcories
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
+-## Create specified objects in user home
+-## directories with the generic virt
+-## home type.
++## Allow the specified domain to read virt's log files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <param name="object_class">
++## <rolecap/>
+#
-+interface(`virt_search_images',`
++interface(`virt_read_log',`
+ gen_require(`
-+ attribute virt_image_type;
++ type virt_log_t;
+ ')
+
-+ virt_search_lib($1)
-+ allow $1 virt_image_type:dir search_dir_perms;
++ logging_search_logs($1)
++ read_files_pattern($1, virt_log_t, virt_log_t)
+')
+
+########################################
+## <summary>
- ## Allow domain to read virt image files
- ## </summary>
- ## <param name="domain">
-@@ -410,6 +541,7 @@ interface(`virt_read_images',`
- read_files_pattern($1, virt_image_type, virt_image_type)
- read_lnk_files_pattern($1, virt_image_type, virt_image_type)
- read_blk_files_pattern($1, virt_image_type, virt_image_type)
-+ read_chr_files_pattern($1, virt_image_type, virt_image_type)
-
- tunable_policy(`virt_use_nfs',`
- fs_list_nfs($1)
-@@ -426,6 +558,42 @@ interface(`virt_read_images',`
-
- ########################################
- ## <summary>
-+## Allow domain to read virt blk image files
++## Allow the specified domain to append
++## virt log files.
+## </summary>
+## <param name="domain">
-+## <summary>
+ ## <summary>
+-## Class of the object being created.
+## Domain allowed access.
-+## </summary>
-+## </param>
+ ## </summary>
+ ## </param>
+-## <param name="name" optional="true">
+#
-+interface(`virt_read_blk_images',`
++interface(`virt_append_log',`
+ gen_require(`
-+ attribute virt_image_type;
++ type virt_log_t;
+ ')
+
-+ read_blk_files_pattern($1, virt_image_type, virt_image_type)
++ logging_search_logs($1)
++ append_files_pattern($1, virt_log_t, virt_log_t)
+')
+
+########################################
+## <summary>
-+## Allow domain to read/write virt image chr files
++## Allow domain to manage virt log files
+## </summary>
+## <param name="domain">
-+## <summary>
+ ## <summary>
+-## The name of the object being created.
+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+ #
+-interface(`virt_home_filetrans_virt_home',`
++interface(`virt_manage_log',`
+ gen_require(`
+- type virt_home_t;
++ type virt_log_t;
+ ')
+
+- userdom_user_home_dir_filetrans($1, virt_home_t, $2, $3)
++ manage_dirs_pattern($1, virt_log_t, virt_log_t)
++ manage_files_pattern($1, virt_log_t, virt_log_t)
++ manage_lnk_files_pattern($1, virt_log_t, virt_log_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Read virt pid files.
++## Allow domain to search virt image direcories
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -781,19 +510,18 @@ interface(`virt_home_filetrans_virt_home',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`virt_read_pid_files',`
++interface(`virt_search_images',`
+ gen_require(`
+- type virt_var_run_t;
++ attribute virt_image_type;
+ ')
+
+- files_search_pids($1)
+- read_files_pattern($1, virt_var_run_t, virt_var_run_t)
++ virt_search_lib($1)
++ allow $1 virt_image_type:dir search_dir_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete
+-## virt pid files.
++## Allow domain to read virt image files
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -801,18 +529,36 @@ interface(`virt_read_pid_files',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`virt_manage_pid_files',`
++interface(`virt_read_images',`
+ gen_require(`
+- type virt_var_run_t;
++ type virt_var_lib_t;
++ attribute virt_image_type;
+ ')
+
+- files_search_pids($1)
+- manage_files_pattern($1, virt_var_run_t, virt_var_run_t)
++ virt_search_lib($1)
++ allow $1 virt_image_type:dir list_dir_perms;
++ list_dirs_pattern($1, virt_image_type, virt_image_type)
++ read_files_pattern($1, virt_image_type, virt_image_type)
++ read_lnk_files_pattern($1, virt_image_type, virt_image_type)
++ read_blk_files_pattern($1, virt_image_type, virt_image_type)
++ read_chr_files_pattern($1, virt_image_type, virt_image_type)
++
++ tunable_policy(`virt_use_nfs',`
++ fs_list_nfs($1)
++ fs_read_nfs_files($1)
++ fs_read_nfs_symlinks($1)
++ ')
++
++ tunable_policy(`virt_use_samba',`
++ fs_list_cifs($1)
++ fs_read_cifs_files($1)
++ fs_read_cifs_symlinks($1)
++ ')
+ ')
+
+ ########################################
+ ## <summary>
+-## Search virt lib directories.
++## Allow domain to read virt blk image files
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -820,18 +566,17 @@ interface(`virt_manage_pid_files',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`virt_search_lib',`
++interface(`virt_read_blk_images',`
+ gen_require(`
+- type virt_var_lib_t;
++ attribute virt_image_type;
+ ')
+
+- files_search_var_lib($1)
+- allow $1 virt_var_lib_t:dir search_dir_perms;
++ read_blk_files_pattern($1, virt_image_type, virt_image_type)
+ ')
+
+ ########################################
+ ## <summary>
+-## Read virt lib files.
++## Allow domain to read/write virt image chr files
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -839,20 +584,18 @@ interface(`virt_search_lib',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`virt_read_lib_files',`
+interface(`virt_rw_chr_files',`
-+ gen_require(`
+ gen_require(`
+- type virt_var_lib_t;
+ attribute virt_image_type;
-+ ')
-+
+ ')
+
+- files_search_var_lib($1)
+- read_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
+- read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
+ rw_chr_files_pattern($1, virt_image_type, virt_image_type)
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
## Create, read, write, and delete
- ## svirt cache files.
+-## virt lib files.
++## svirt cache files.
## </summary>
-@@ -435,15 +603,15 @@ interface(`virt_read_images',`
+ ## <param name="domain">
+ ## <summary>
+@@ -860,94 +603,205 @@ interface(`virt_read_lib_files',`
## </summary>
## </param>
#
--interface(`virt_manage_svirt_cache',`
+-interface(`virt_manage_lib_files',`
+interface(`virt_manage_cache',`
gen_require(`
-- type svirt_cache_t;
+- type virt_var_lib_t;
+ type virt_cache_t;
')
- files_search_var($1)
-- manage_dirs_pattern($1, svirt_cache_t, svirt_cache_t)
-- manage_files_pattern($1, svirt_cache_t, svirt_cache_t)
-- manage_lnk_files_pattern($1, svirt_cache_t, svirt_cache_t)
+- files_search_var_lib($1)
+- manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
++ files_search_var($1)
+ manage_dirs_pattern($1, virt_cache_t, virt_cache_t)
+ manage_files_pattern($1, virt_cache_t, virt_cache_t)
+ manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t)
')
########################################
-@@ -468,18 +636,52 @@ interface(`virt_manage_images',`
- manage_files_pattern($1, virt_image_type, virt_image_type)
- read_lnk_files_pattern($1, virt_image_type, virt_image_type)
- rw_blk_files_pattern($1, virt_image_type, virt_image_type)
+ ## <summary>
+-## Create objects in virt pid
+-## directories with a private type.
++## Allow domain to manage virt image files
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <param name="private type">
++#
++interface(`virt_manage_images',`
++ gen_require(`
++ type virt_var_lib_t;
++ attribute virt_image_type;
++ ')
++
++ virt_search_lib($1)
++ allow $1 virt_image_type:dir list_dir_perms;
++ manage_dirs_pattern($1, virt_image_type, virt_image_type)
++ manage_files_pattern($1, virt_image_type, virt_image_type)
++ read_lnk_files_pattern($1, virt_image_type, virt_image_type)
++ rw_blk_files_pattern($1, virt_image_type, virt_image_type)
+ rw_chr_files_pattern($1, virt_image_type, virt_image_type)
+')
-
-- tunable_policy(`virt_use_nfs',`
-- fs_manage_nfs_dirs($1)
-- fs_manage_nfs_files($1)
-- fs_read_nfs_symlinks($1)
-- ')
++
+#######################################
+## <summary>
+## Allow domain to manage virt image files
@@ -70771,47 +81168,67 @@ index 6f0736b..408a20a 100644
+ manage_files_pattern($1, virt_image_t, virt_image_t)
+ read_lnk_files_pattern($1, virt_image_t, virt_image_t)
+')
-
-- tunable_policy(`virt_use_samba',`
-- fs_manage_cifs_files($1)
-- fs_manage_cifs_files($1)
-- fs_read_cifs_symlinks($1)
++
+########################################
+## <summary>
+## Execute virt server in the virt domain.
+## </summary>
+## <param name="domain">
-+## <summary>
+ ## <summary>
+-## The type of the object to be created.
+## Domain allowed to transition.
-+## </summary>
-+## </param>
+ ## </summary>
+ ## </param>
+-## <param name="object">
+#
+interface(`virt_systemctl',`
+ gen_require(`
+ type virtd_unit_file_t;
+ type virtd_t;
- ')
++ ')
+
+ systemd_exec_systemctl($1)
+ allow $1 virtd_unit_file_t:file read_file_perms;
+ allow $1 virtd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, virtd_t)
- ')
-
- ########################################
-@@ -502,10 +704,20 @@ interface(`virt_manage_images',`
- interface(`virt_admin',`
++')
++
++########################################
++## <summary>
++## All of the rules required to administrate
++## an virt environment
++## </summary>
++## <param name="domain">
+ ## <summary>
+-## The object class of the object being created.
++## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <param name="name" optional="true">
++## <param name="role">
+ ## <summary>
+-## The name of the object being created.
++## Role allowed access.
+ ## </summary>
+ ## </param>
+-## <infoflow type="write" weight="10"/>
++## <rolecap/>
+ #
+-interface(`virt_pid_filetrans',`
++interface(`virt_admin',`
gen_require(`
- type virtd_t, virtd_initrc_exec_t;
+- type virt_var_run_t;
++ type virtd_t, virtd_initrc_exec_t;
+ attribute virt_domain;
+ type virt_lxc_t;
+ type virtd_unit_file_t;
')
-- allow $1 virtd_t:process { ptrace signal_perms };
+- files_search_pids($1)
+- filetrans_pattern($1, virt_var_run_t, $2, $3, $4)
+ allow $1 virtd_t:process signal_perms;
- ps_process_pattern($1, virtd_t)
++ ps_process_pattern($1, virtd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 virtd_t:process ptrace;
+ allow $1 virt_lxc_t:process ptrace;
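Review bot: The documentation on `virt_systemctl` does not match its body: the summary says `Execute virt server in the virt domain` and the parameter is described as `Domain allowed to transition`, yet the interface only calls `systemd_exec_systemctl($1)`, grants `virtd_unit_file_t` read and `manage_service_perms`, and adds `ps_process_pattern($1, virtd_t)` — no domain transition is granted. Suggest `## Execute systemctl in the caller's domain to manage the virtd service.` for the summary and `## Domain allowed access.` for the parameter. Because `manage_service_perms` on the unit file lets the caller start and stop virtd, the summary should state that plainly so that policy authors calling this interface know what they are handing out. The interface whose `manage_files_pattern` lines open the hunk starts outside it, and `virt_admin` continues past its end.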
@@ -70819,13 +81236,17 @@ index 6f0736b..408a20a 100644
+
+ allow $1 virt_lxc_t:process signal_perms;
+ ps_process_pattern($1, virt_lxc_t)
-
- init_labeled_script_domtrans($1, virtd_initrc_exec_t)
- domain_system_change_exemption($1)
-@@ -517,4 +729,305 @@ interface(`virt_admin',`
- virt_manage_lib_files($1)
-
- virt_manage_log($1)
++
++ init_labeled_script_domtrans($1, virtd_initrc_exec_t)
++ domain_system_change_exemption($1)
++ role_transition $2 virtd_initrc_exec_t system_r;
++ allow $2 system_r;
++
++ virt_manage_pid_files($1)
++
++ virt_manage_lib_files($1)
++
++ virt_manage_log($1)
+
+ virt_manage_images($1)
+
@@ -70834,33 +81255,39 @@ index 6f0736b..408a20a 100644
+ virt_systemctl($1)
+ admin_pattern($1, virtd_unit_file_t)
+ allow $1 virtd_unit_file_t:service all_service_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Read virt log files.
+## Execute qemu in the svirt domain, and
+## allow the specified role the svirt domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the sandbox domain.
-+## </summary>
-+## </param>
-+## <rolecap/>
-+#
+ ## </summary>
+ ## </param>
+ ## <rolecap/>
+ #
+-interface(`virt_read_log',`
+interface(`virt_transition_svirt',`
-+ gen_require(`
+ gen_require(`
+- type virt_log_t;
+ attribute virt_domain;
+ type virt_bridgehelper_t;
+ type svirt_image_t;
+ type svirt_socket_t;
-+ ')
-+
+ ')
+
+- logging_search_logs($1)
+- read_files_pattern($1, virt_log_t, virt_log_t)
+ allow $1 virt_domain:process transition;
+ role $2 types virt_domain;
+ role $2 types virt_bridgehelper_t;
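Review bot: In `virt_transition_svirt` the `role` parameter is documented as `The role to be allowed the sandbox domain.`, but the body also grants `role $2 types virt_bridgehelper_t;`, so the role receives the bridge helper type as well; suggest `## The role to be allowed the svirt and virt_bridgehelper domains.`. Separately, at the end of `virt_admin` the call `virt_systemctl($1)` already grants `virtd_unit_file_t:service manage_service_perms`, so the following `allow $1 virtd_unit_file_t:service all_service_perms;` subsumes it; harmless, but a one-line comment saying the admin deliberately gets the full service permission set would save the next reader a lookup. `virt_admin` begins outside the hunk and `virt_transition_svirt` continues past its end.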
@@ -70875,82 +81302,115 @@ index 6f0736b..408a20a 100644
+ optional_policy(`
+ ptchown_run(virt_domain, $2)
+ ')
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Append virt log files.
+## Do not audit attempts to write virt daemon unnamed pipes.
-+## </summary>
-+## <param name="domain">
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+ #
+-interface(`virt_append_log',`
+interface(`virt_dontaudit_write_pipes',`
-+ gen_require(`
+ gen_require(`
+- type virt_log_t;
+ type virtd_t;
-+ ')
-+
+ ')
+
+- logging_search_logs($1)
+- append_files_pattern($1, virt_log_t, virt_log_t)
+ dontaudit $1 virtd_t:fd use;
+ dontaudit $1 virtd_t:fifo_file write_fifo_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete
+-## virt log files.
+## Send a sigkill to virtual machines
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -955,20 +809,17 @@ interface(`virt_append_log',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`virt_manage_log',`
+interface(`virt_kill_svirt',`
-+ gen_require(`
+ gen_require(`
+- type virt_log_t;
+ attribute virt_domain;
-+ ')
-+
+ ')
+
+- logging_search_logs($1)
+- manage_dirs_pattern($1, virt_log_t, virt_log_t)
+- manage_files_pattern($1, virt_log_t, virt_log_t)
+- manage_lnk_files_pattern($1, virt_log_t, virt_log_t)
+ allow $1 virt_domain:process sigkill;
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Search virt image directories.
+## Send a signal to virtual machines
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -976,18 +827,17 @@ interface(`virt_manage_log',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`virt_search_images',`
+interface(`virt_signal_svirt',`
-+ gen_require(`
+ gen_require(`
+- attribute virt_image_type;
+ attribute virt_domain;
-+ ')
-+
+ ')
+
+- virt_search_lib($1)
+- allow $1 virt_image_type:dir search_dir_perms;
+ allow $1 virt_domain:process signal;
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Read virt image files.
+## Manage virt home files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -995,57 +845,57 @@ interface(`virt_search_images',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`virt_read_images',`
+interface(`virt_manage_home_files',`
-+ gen_require(`
+ gen_require(`
+- type virt_var_lib_t;
+- attribute virt_image_type;
+ type virt_home_t;
-+ ')
-+
+ ')
+
+- virt_search_lib($1)
+- allow $1 virt_image_type:dir list_dir_perms;
+- list_dirs_pattern($1, virt_image_type, virt_image_type)
+- read_files_pattern($1, virt_image_type, virt_image_type)
+- read_lnk_files_pattern($1, virt_image_type, virt_image_type)
+- read_blk_files_pattern($1, virt_image_type, virt_image_type)
+ userdom_search_user_home_dirs($1)
+ manage_files_pattern($1, virt_home_t, virt_home_t)
+')
-+
+
+- tunable_policy(`virt_use_nfs',`
+- fs_list_nfs($1)
+- fs_read_nfs_files($1)
+- fs_read_nfs_symlinks($1)
+########################################
+## <summary>
+## allow domain to read
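Review bot: The summaries of the new interfaces in this hunk are punctuated inconsistently: `virt_dontaudit_write_pipes` and `virt_manage_home_files` end with a period, while `virt_kill_svirt` and `virt_signal_svirt` (`## Send a sigkill to virtual machines`, `## Send a signal to virtual machines`) and the `## Domain allowed access` parameter text in `virt_transition_svirt` do not, and the summary that opens on the last line reads `## allow domain to read` in lower case. The rest of the file capitalises the first word and ends the sentence with a period, so `## Send a sigkill to virtual machines.`, `## Send a signal to virtual machines.` and `## Allow domain to read` would match. The summary that starts on the last line belongs to an interface continuing outside the hunk.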
@@ -70965,41 +81425,59 @@ index 6f0736b..408a20a 100644
+interface(`virt_read_tmpfs_files',`
+ gen_require(`
+ attribute virt_tmpfs_type;
-+ ')
-+
+ ')
+
+- tunable_policy(`virt_use_samba',`
+- fs_list_cifs($1)
+- fs_read_cifs_files($1)
+- fs_read_cifs_symlinks($1)
+- ')
+ allow $1 virt_tmpfs_type:file read_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Read and write all virt image
+-## character files.
+## allow domain to manage
+## virt tmpfs files
-+## </summary>
-+## <param name="domain">
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
+## Domain allowed access
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+ #
+-interface(`virt_rw_all_image_chr_files',`
+interface(`virt_manage_tmpfs_files',`
-+ gen_require(`
+ gen_require(`
+- attribute virt_image_type;
+ attribute virt_tmpfs_type;
-+ ')
-+
+ ')
+
+- virt_search_lib($1)
+- allow $1 virt_image_type:dir list_dir_perms;
+- rw_chr_files_pattern($1, virt_image_type, virt_image_type)
+ allow $1 virt_tmpfs_type:file manage_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete
+-## svirt cache files.
+## Create .virt directory in the user home directory
+## with an correct label.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -1053,15 +903,27 @@ interface(`virt_rw_all_image_chr_files',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`virt_manage_svirt_cache',`
+- refpolicywarn(`$0($*) has been deprecated, use virt_manage_virt_cache() instead.')
+- virt_manage_virt_cache($1)
+interface(`virt_filetrans_home_content',`
+ gen_require(`
+ type virt_home_t;
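Review bot: The summary of `virt_filetrans_home_content` contains a grammatical error, `## with an correct label.`; it should read `## with a correct label.`. The summary of `virt_manage_tmpfs_files` (`## allow domain to manage` / `## virt tmpfs files`) is also lower-case and unterminated, unlike the rest of the file; `## Allow domain to manage virt tmpfs files.` would match. The `gen_require` of `virt_filetrans_home_content` and the rest of its body continue outside the hunk, so whether every type the body uses is declared there cannot be checked from here.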
@@ -71016,49 +81494,74 @@ index 6f0736b..408a20a 100644
+ gnome_cache_filetrans($1, virt_home_t, dir, "gnome-boxes")
+ gnome_data_filetrans($1, svirt_home_t, dir, "images")
+ ')
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete
+-## virt cache content.
+## Dontaudit attempts to Read virt_image_type devices.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -1069,117 +931,103 @@ interface(`virt_manage_svirt_cache',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`virt_manage_virt_cache',`
+interface(`virt_dontaudit_read_chr_dev',`
-+ gen_require(`
+ gen_require(`
+- type virt_cache_t;
+ attribute virt_image_type;
-+ ')
-+
+ ')
+
+- files_search_var($1)
+- manage_dirs_pattern($1, virt_cache_t, virt_cache_t)
+- manage_files_pattern($1, virt_cache_t, virt_cache_t)
+- manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t)
+ dontaudit $1 virt_image_type:chr_file read_chr_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete
+-## virt image files.
+## Creates types and rules for a basic
+## virt_lxc process domain.
-+## </summary>
+ ## </summary>
+-## <param name="domain">
+## <param name="prefix">
-+## <summary>
+ ## <summary>
+-## Domain allowed access.
+## Prefix for the domain.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+ #
+-interface(`virt_manage_images',`
+template(`virt_lxc_domain_template',`
-+ gen_require(`
+ gen_require(`
+- type virt_var_lib_t;
+- attribute virt_image_type;
+ attribute svirt_lxc_domain;
-+ ')
-+
+ ')
+
+- virt_search_lib($1)
+- allow $1 virt_image_type:dir list_dir_perms;
+- manage_dirs_pattern($1, virt_image_type, virt_image_type)
+- manage_files_pattern($1, virt_image_type, virt_image_type)
+- read_lnk_files_pattern($1, virt_image_type, virt_image_type)
+- rw_blk_files_pattern($1, virt_image_type, virt_image_type)
+ type $1_t, svirt_lxc_domain;
+ domain_type($1_t)
+ domain_user_exemption_target($1_t)
+ mls_rangetrans_target($1_t)
-+ mcs_untrusted_proc($1_t)
++ mcs_constrained($1_t)
+ role system_r types $1_t;
-+
+
+- tunable_policy(`virt_use_nfs',`
+- fs_manage_nfs_dirs($1)
+- fs_manage_nfs_files($1)
+- fs_read_nfs_symlinks($1)
+ kernel_read_system_state($1_t)
+')
+
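Review bot: The switch from `mcs_untrusted_proc($1_t)` to `mcs_constrained($1_t)` in `virt_lxc_domain_template` changes which MCS treatment applies to every domain the template creates, but nothing in the template's documentation records that the generated domain is MCS-constrained, is a `domain_user_exemption_target`, or is placed in `system_r`; a short addition to the summary such as `## The generated domain is MCS constrained and runs in system_r.` would make that contract visible to callers. Presumably the rename is deliberate and matches the mcs module of this policy, but that is not verifiable from the hunk, so a note in the commit description would help. The `optional_policy` block that opens the hunk (`gnome_cache_filetrans` / `gnome_data_filetrans`) belongs to `virt_filetrans_home_content`, which starts outside the hunk, and `virt_exec_qemu` continues past its end.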
@@ -71075,8 +81578,12 @@ index 6f0736b..408a20a 100644
+interface(`virt_exec_qemu',`
+ gen_require(`
+ type qemu_exec_t;
-+ ')
-+
+ ')
+
+- tunable_policy(`virt_use_samba',`
+- fs_manage_cifs_files($1)
+- fs_manage_cifs_files($1)
+- fs_read_cifs_symlinks($1)
+ can_exec($1, qemu_exec_t)
+')
+
@@ -71094,45 +81601,98 @@ index 6f0736b..408a20a 100644
+ gen_require(`
+ type virt_lxc_var_run_t;
+ type virt_var_run_t;
-+ ')
+ ')
+
+ files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox")
+ files_pid_filetrans($1, virt_var_run_t, dir, "libvirt")
+ files_pid_filetrans($1, virt_var_run_t, dir, "libguestfs")
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## All of the rules required to
+-## administrate an virt environment.
+## Execute qemu in the svirt domain, and
+## allow the specified role the svirt domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
+## Domain allowed access
-+## </summary>
-+## </param>
-+## <param name="role">
-+## <summary>
+ ## </summary>
+ ## </param>
+ ## <param name="role">
+ ## <summary>
+-## Role allowed access.
+## The role to be allowed the sandbox domain.
-+## </summary>
-+## </param>
-+## <rolecap/>
-+#
+ ## </summary>
+ ## </param>
+ ## <rolecap/>
+ #
+-interface(`virt_admin',`
+interface(`virt_transition_svirt_lxc',`
-+ gen_require(`
+ gen_require(`
+- attribute virt_domain, virt_image_type, virt_tmpfs_type;
+- attribute virt_ptynode, svirt_lxc_domain, virt_tmp_type;
+- type virtd_t, virtd_initrc_exec_t, virtd_lxc_t;
+- type virsh_t, virtd_lxc_var_run_t, svirt_lxc_file_t;
+- type virt_bridgehelper_t, virt_qmf_t, virt_var_lib_t;
+- type virt_var_run_t, virt_tmp_t, virt_log_t;
+- type virt_lock_t, svirt_var_run_t, virt_etc_rw_t;
+- type virt_etc_t, svirt_cache_t;
+ attribute svirt_lxc_domain;
-+ ')
-+
+ ')
+
+- allow $1 { virt_domain svirt_lxc_domain virtd_t }:process { ptrace signal_perms };
+- allow $1 { virtd_lxc_t virsh_t virt_bridgehelper_t virt_qmf_t }:process { ptrace signal_perms };
+- ps_process_pattern($1, { virt_domain svirt_lxc_domain virtd_t })
+- ps_process_pattern($1, { virtd_lxc_t virsh_t virt_bridgehelper_t virt_qmf_t })
+-
+- init_labeled_script_domtrans($1, virtd_initrc_exec_t)
+- domain_system_change_exemption($1)
+- role_transition $2 virtd_initrc_exec_t system_r;
+- allow $2 system_r;
+-
+- fs_search_tmpfs($1)
+- admin_pattern($1, virt_tmpfs_type)
+-
+- files_search_tmp($1)
+- admin_pattern($1, { virt_tmp_type virt_tmp_t })
+-
+- files_search_etc($1)
+- admin_pattern($1, { virt_etc_t virt_etc_rw_t })
+-
+- logging_search_logs($1)
+- admin_pattern($1, virt_log_t)
+-
+- files_search_pids($1)
+- admin_pattern($1, { virt_var_run_t virtd_lxc_var_run_t svirt_var_run_t })
+-
+- files_search_var($1)
+- admin_pattern($1, svirt_cache_t)
+-
+- files_search_var_lib($1)
+- admin_pattern($1, { virt_image_type virt_var_lib_t svirt_lxc_file_t })
+ allow $1 svirt_lxc_domain:process transition;
+ role $2 types svirt_lxc_domain;
-+
+
+- files_search_locks($1)
+- admin_pattern($1, virt_lock_t)
+-
+- dev_list_all_dev_nodes($1)
+- allow $1 virt_ptynode:chr_file rw_term_perms;
+ allow svirt_lxc_domain $1:process sigchld;
')
diff --git a/virt.te b/virt.te
-index 947bbc6..12c15cb 100644
+index 1f22fba..e096fc5 100644
--- a/virt.te
+++ b/virt.te
-@@ -5,56 +5,104 @@ policy_module(virt, 1.5.0)
+@@ -1,94 +1,105 @@
+-policy_module(virt, 1.6.10)
++policy_module(virt, 1.5.0)
+
+ ########################################
+ #
# Declarations
#
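Review bot: The description block for `virt_transition_svirt_lxc` (`## Execute qemu in the svirt domain, and` / `## allow the specified role the svirt domain.`) still describes the qemu/svirt interface it was evidently copied from, while the body grants `allow $1 svirt_lxc_domain:process transition;` and `role $2 types svirt_lxc_domain;`, i.e. it is about the LXC container domains, not qemu. Suggest `## Allow the specified domain to transition to the` / `## svirt_lxc container domains, and allow the` / `## specified role those domains.` The body is also a bare `allow ... transition` with no `type_transition`, so callers are presumably expected to set the target context explicitly (setexeccon); a one-line comment saying so would spare the next reader a search. The matching `## Domain allowed access` line lost its trailing period relative to the upstream text it replaces.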
@@ -71154,125 +81714,162 @@ index 947bbc6..12c15cb 100644
+dev_associate_sysfs(svirt_image_t)
+
## <desc>
- ## <p>
--## Allow virt to use serial/parallell communication ports
+-## <p>
+-## Determine whether confined virtual guests
+-## can use serial/parallel communication ports.
+-## </p>
++## <p>
+## Allow confined virtual guests to use serial/parallel communication ports
- ## </p>
++## </p>
## </desc>
gen_tunable(virt_use_comm, false)
## <desc>
- ## <p>
--## Allow virt to read fuse files
+-## <p>
+-## Determine whether confined virtual guests
+-## can use executable memory and can make
+-## their stack executable.
+-## </p>
++## <p>
+## Allow confined virtual guests to use executable memory and executable stack
+## </p>
-+## </desc>
-+gen_tunable(virt_use_execmem, false)
-+
-+## <desc>
+ ## </desc>
+ gen_tunable(virt_use_execmem, false)
+
+ ## <desc>
+-## <p>
+-## Determine whether confined virtual guests
+-## can use fuse file systems.
+-## </p>
+## <p>
+## Allow confined virtual guests to read fuse files
- ## </p>
++## </p>
## </desc>
gen_tunable(virt_use_fusefs, false)
## <desc>
- ## <p>
--## Allow virt to manage nfs files
+-## <p>
+-## Determine whether confined virtual guests
+-## can use nfs file systems.
+-## </p>
++## <p>
+## Allow confined virtual guests to manage nfs files
- ## </p>
++## </p>
## </desc>
gen_tunable(virt_use_nfs, false)
## <desc>
- ## <p>
--## Allow virt to manage cifs files
+-## <p>
+-## Determine whether confined virtual guests
+-## can use cifs file systems.
+-## </p>
++## <p>
+## Allow confined virtual guests to manage cifs files
- ## </p>
++## </p>
## </desc>
gen_tunable(virt_use_samba, false)
## <desc>
- ## <p>
--## Allow virt to manage device configuration, (pci)
+-## <p>
+-## Determine whether confined virtual guests
+-## can manage device configuration.
+-## </p>
++## <p>
+## Allow confined virtual guests to manage device configuration, (pci)
- ## </p>
++## </p>
## </desc>
gen_tunable(virt_use_sysfs, false)
## <desc>
+-## <p>
+-## Determine whether confined virtual guests
+-## can use usb devices.
+-## </p>
+## <p>
+## Allow confined virtual guests to interact with the sanlock
+## </p>
-+## </desc>
+ ## </desc>
+-gen_tunable(virt_use_usb, false)
+gen_tunable(virt_use_sanlock, false)
-+
-+## <desc>
+
+ ## <desc>
+-## <p>
+-## Determine whether confined virtual guests
+-## can interact with xserver.
+-## </p>
+## <p>
+## Allow confined virtual guests to interact with rawip sockets
+## </p>
-+## </desc>
+ ## </desc>
+-gen_tunable(virt_use_xserver, false)
+gen_tunable(virt_use_rawip, false)
-+
+
+-attribute virt_ptynode;
+-attribute virt_domain;
+-attribute virt_image_type;
+-attribute virt_tmp_type;
+-attribute virt_tmpfs_type;
+-
+-attribute svirt_lxc_domain;
+## <desc>
+## <p>
+## Allow confined virtual guests to interact with the xserver
+## </p>
+## </desc>
+gen_tunable(virt_use_xserver, false)
-+
+
+-attribute_role virt_domain_roles;
+-roleattribute system_r virt_domain_roles;
+## <desc>
- ## <p>
--## Allow virt to use usb devices
++## <p>
+## Allow confined virtual guests to use usb devices
- ## </p>
- ## </desc>
- gen_tunable(virt_use_usb, true)
++## </p>
++## </desc>
++gen_tunable(virt_use_usb, true)
- virt_domain_template(svirt)
- role system_r types svirt_t;
+-attribute_role virt_bridgehelper_roles;
+-roleattribute system_r virt_bridgehelper_roles;
++virt_domain_template(svirt)
++role system_r types svirt_t;
+typealias svirt_t alias qemu_t;
--type svirt_cache_t;
--files_type(svirt_cache_t)
+-attribute_role svirt_lxc_domain_roles;
+-roleattribute system_r svirt_lxc_domain_roles;
+virt_domain_template(svirt_tcg)
+role system_r types svirt_tcg_t;
--attribute virt_domain;
--attribute virt_image_type;
+-virt_domain_template(svirt)
+-virt_domain_template(svirt_prot_exec)
+type qemu_exec_t;
-+
-+type virt_cache_t alias svirt_cache_t;
-+files_type(virt_cache_t)
- type virt_etc_t;
- files_config_file(virt_etc_t)
-@@ -62,26 +110,37 @@ files_config_file(virt_etc_t)
- type virt_etc_rw_t;
- files_type(virt_etc_rw_t)
+ type virt_cache_t alias svirt_cache_t;
+ files_type(virt_cache_t)
+@@ -105,27 +116,25 @@ userdom_user_home_content(virt_home_t)
+ type svirt_home_t;
+ userdom_user_home_content(svirt_home_t)
-+type virt_home_t;
-+userdom_user_home_content(virt_home_t)
-+
-+type svirt_home_t;
-+userdom_user_home_content(svirt_home_t)
-+
- # virt Image files
+-type svirt_var_run_t;
+-files_pid_file(svirt_var_run_t)
+-mls_trusted_object(svirt_var_run_t)
+-
++# virt Image files
type virt_image_t; # customizable
virt_image(virt_image_t)
-+files_mountpoint(virt_image_t)
+ files_mountpoint(virt_image_t)
- # virt Image files
++# virt Image files
type virt_content_t; # customizable
virt_image(virt_content_t)
userdom_user_home_content(virt_content_t)
+-type virt_lock_t;
+-files_lock_file(virt_lock_t)
+type virt_tmp_t;
+files_tmp_file(virt_tmp_t)
-+
+
type virt_log_t;
logging_log_file(virt_log_t)
-+mls_trusted_object(virt_log_t)
+ mls_trusted_object(virt_log_t)
-type virt_tmp_t;
-files_tmp_file(virt_tmp_t)
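Review bot: `policy_module(virt, 1.5.0)` on the new side replaces upstream's `policy_module(virt, 1.6.10)`, so the patched module now declares a version lower than the upstream it extends; keep upstream's number and bump it, e.g. `policy_module(virt, 1.6.11)`, so module versions stay monotonic across rebases. `gen_tunable(virt_use_usb, true)` also stands out as the only `virt_use_*` boolean in this hunk that defaults to on, and the new one-line descriptions ("Allow confined virtual guests to ...") drop upstream's wording without recording why USB device access is enabled by default; a short comment above it stating the rationale would document the choice. The new `virt_use_sanlock` and `virt_use_rawip` booleans are declared here but their uses are outside this hunk, so I could not check they are wired up.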
@@ -71281,14 +81878,7 @@ index 947bbc6..12c15cb 100644
type virt_var_run_t;
files_pid_file(virt_var_run_t)
-
- type virt_var_lib_t;
--files_type(virt_var_lib_t)
-+files_mountpoint(virt_var_lib_t)
-
- type virtd_t;
- type virtd_exec_t;
-@@ -89,9 +148,17 @@ init_daemon_domain(virtd_t, virtd_exec_t)
+@@ -139,9 +148,17 @@ init_daemon_domain(virtd_t, virtd_exec_t)
domain_obj_id_change_exemption(virtd_t)
domain_subj_id_change_exemption(virtd_t)
@@ -71306,19 +81896,16 @@ index 947bbc6..12c15cb 100644
ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
')
-@@ -100,28 +167,53 @@ ifdef(`enable_mls',`
- init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh)
- ')
+@@ -155,251 +172,82 @@ type virt_qmf_exec_t;
+ init_daemon_domain(virt_qmf_t, virt_qmf_exec_t)
-+type virt_qmf_t;
-+type virt_qmf_exec_t;
-+init_daemon_domain(virt_qmf_t, virt_qmf_exec_t)
-+
-+type virt_bridgehelper_t;
-+domain_type(virt_bridgehelper_t)
+ type virt_bridgehelper_t;
+-type virt_bridgehelper_exec_t;
+ domain_type(virt_bridgehelper_t)
+
+type virt_bridgehelper_exec_t;
-+domain_entry_file(virt_bridgehelper_t, virt_bridgehelper_exec_t)
+ domain_entry_file(virt_bridgehelper_t, virt_bridgehelper_exec_t)
+-role virt_bridgehelper_roles types virt_bridgehelper_t;
+role system_r types virt_bridgehelper_t;
+
+# policy for qemu_ga
@@ -71332,101 +81919,273 @@ index 947bbc6..12c15cb 100644
+type virt_qemu_ga_log_t;
+logging_log_file(virt_qemu_ga_log_t)
+
- ########################################
- #
--# svirt local policy
++########################################
++#
+# Declarations
- #
++#
+attribute svirt_lxc_domain;
--allow svirt_t self:udp_socket create_socket_perms;
-+type virtd_lxc_t;
-+type virtd_lxc_exec_t;
-+init_system_domain(virtd_lxc_t, virtd_lxc_exec_t)
+ type virtd_lxc_t;
+ type virtd_lxc_exec_t;
+ init_system_domain(virtd_lxc_t, virtd_lxc_exec_t)
--manage_dirs_pattern(svirt_t, svirt_cache_t, svirt_cache_t)
--manage_files_pattern(svirt_t, svirt_cache_t, svirt_cache_t)
--files_var_filetrans(svirt_t, svirt_cache_t, { file dir })
+-type virtd_lxc_var_run_t;
+-files_pid_file(virtd_lxc_var_run_t)
+type virt_lxc_var_run_t;
+files_pid_file(virt_lxc_var_run_t)
+typealias virt_lxc_var_run_t alias virtd_lxc_var_run_t;
--read_lnk_files_pattern(svirt_t, virt_image_t, virt_image_t)
+# virt lxc container files
-+type svirt_lxc_file_t;
-+files_mountpoint(svirt_lxc_file_t)
+ type svirt_lxc_file_t;
+ files_mountpoint(svirt_lxc_file_t)
+-fs_noxattr_type(svirt_lxc_file_t)
+-term_pty(svirt_lxc_file_t)
+-
+-virt_lxc_domain_template(svirt_lxc_net)
+-
+-type virsh_t;
+-type virsh_exec_t;
+-init_system_domain(virsh_t, virsh_exec_t)
--allow svirt_t svirt_image_t:dir search_dir_perms;
--manage_dirs_pattern(svirt_t, svirt_image_t, svirt_image_t)
--manage_files_pattern(svirt_t, svirt_image_t, svirt_image_t)
--fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file)
-+########################################
-+#
+ ########################################
+ #
+-# Common virt domain local policy
+# svirt local policy
-+#
+ #
--list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
--read_files_pattern(svirt_t, virt_content_t, virt_content_t)
--dontaudit svirt_t virt_content_t:file write_file_perms;
--dontaudit svirt_t virt_content_t:dir write;
+-allow virt_domain self:process { signal getsched signull };
+-allow virt_domain self:fifo_file rw_fifo_file_perms;
+-allow virt_domain self:netlink_route_socket r_netlink_socket_perms;
+-allow virt_domain self:shm create_shm_perms;
+-allow virt_domain self:tcp_socket create_stream_socket_perms;
+-allow virt_domain self:unix_stream_socket { accept listen };
+-allow virt_domain self:unix_dgram_socket sendto;
+-
+-allow virt_domain virtd_t:fd use;
+-allow virt_domain virtd_t:fifo_file rw_fifo_file_perms;
+-allow virt_domain virtd_t:process sigchld;
+-
+-dontaudit virt_domain virtd_t:unix_stream_socket { read write };
+-
+-manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
+-manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t)
+-files_var_filetrans(virt_domain, virt_cache_t, { file dir })
+-
+-manage_dirs_pattern(virt_domain, svirt_var_run_t, svirt_var_run_t)
+-manage_files_pattern(virt_domain, svirt_var_run_t, svirt_var_run_t)
+-manage_sock_files_pattern(virt_domain, svirt_var_run_t, svirt_var_run_t)
+-manage_lnk_files_pattern(virt_domain, svirt_var_run_t, svirt_var_run_t)
+-files_pid_filetrans(virt_domain, svirt_var_run_t, { dir file })
+-
+-stream_connect_pattern(virt_domain, svirt_var_run_t, svirt_var_run_t, virtd_t)
+-
+-dontaudit virt_domain virt_tmpfs_type:file { read write };
+-
+-append_files_pattern(virt_domain, virt_log_t, virt_log_t)
+-
+-append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
+-
+-kernel_read_system_state(virt_domain)
+-
+-fs_getattr_xattr_fs(virt_domain)
+-
+-corecmd_exec_bin(virt_domain)
+-corecmd_exec_shell(virt_domain)
+-
+-corenet_all_recvfrom_unlabeled(virt_domain)
+-corenet_all_recvfrom_netlabel(virt_domain)
+-corenet_tcp_sendrecv_generic_if(virt_domain)
+-corenet_tcp_sendrecv_generic_node(virt_domain)
+-corenet_tcp_bind_generic_node(virt_domain)
+-
+-corenet_sendrecv_vnc_server_packets(virt_domain)
+-corenet_tcp_bind_vnc_port(virt_domain)
+-corenet_tcp_sendrecv_vnc_port(virt_domain)
+-
+-corenet_sendrecv_virt_migration_server_packets(virt_domain)
+-corenet_tcp_bind_virt_migration_port(virt_domain)
+-corenet_sendrecv_virt_migration_client_packets(virt_domain)
+-corenet_tcp_connect_virt_migration_port(virt_domain)
+-corenet_tcp_sendrecv_virt_migration_port(virt_domain)
+-
+-corenet_rw_tun_tap_dev(virt_domain)
+-
+-dev_getattr_fs(virt_domain)
+-dev_list_sysfs(virt_domain)
+-dev_read_generic_symlinks(virt_domain)
+-dev_read_rand(virt_domain)
+-dev_read_sound(virt_domain)
+-dev_read_urand(virt_domain)
+-dev_write_sound(virt_domain)
+-dev_rw_ksm(virt_domain)
+-dev_rw_kvm(virt_domain)
+-dev_rw_qemu(virt_domain)
+-dev_rw_vhost(virt_domain)
+-
+-domain_use_interactive_fds(virt_domain)
+-
+-files_read_etc_files(virt_domain)
+-files_read_mnt_symlinks(virt_domain)
+-files_read_usr_files(virt_domain)
+-files_read_var_files(virt_domain)
+-files_search_all(virt_domain)
+-
+-fs_getattr_all_fs(virt_domain)
+-fs_rw_anon_inodefs_files(virt_domain)
+-fs_rw_tmpfs_files(virt_domain)
+-fs_getattr_hugetlbfs(virt_domain)
+-
+-# fs_rw_inherited_nfs_files(virt_domain)
+-# fs_rw_inherited_cifs_files(virt_domain)
+-# fs_rw_inherited_noxattr_fs_files(virt_domain)
+-
+-storage_raw_write_removable_device(virt_domain)
+-storage_raw_read_removable_device(virt_domain)
+-
+-term_use_all_terms(virt_domain)
+-term_getattr_pty_fs(virt_domain)
+-term_use_generic_ptys(virt_domain)
+-term_use_ptmx(virt_domain)
+-
+-logging_send_syslog_msg(virt_domain)
+-
+-miscfiles_read_localization(virt_domain)
+-miscfiles_read_public_files(virt_domain)
+# it was a part of auth_use_nsswitch
+allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
- corenet_udp_sendrecv_generic_if(svirt_t)
- corenet_udp_sendrecv_generic_node(svirt_t)
-@@ -131,67 +223,71 @@ corenet_udp_bind_all_ports(svirt_t)
- corenet_tcp_bind_all_ports(svirt_t)
- corenet_tcp_connect_all_ports(svirt_t)
-
--dev_list_sysfs(svirt_t)
-+miscfiles_read_generic_certs(svirt_t)
-
--userdom_search_user_home_content(svirt_t)
--userdom_read_user_home_content_symlinks(svirt_t)
--userdom_read_all_users_state(svirt_t)
+-sysnet_read_config(virt_domain)
+-
+-userdom_search_user_home_dirs(virt_domain)
+-userdom_read_all_users_state(virt_domain)
+-
+-virt_run_bridgehelper(virt_domain, virt_domain_roles)
+-virt_read_config(virt_domain)
+-virt_read_lib_files(virt_domain)
+-virt_read_content(virt_domain)
+-virt_stream_connect(virt_domain)
+-
+-qemu_exec(virt_domain)
+-
+-tunable_policy(`virt_use_execmem',`
+- allow virt_domain self:process { execmem execstack };
+-')
-
-tunable_policy(`virt_use_comm',`
-- term_use_unallocated_ttys(svirt_t)
-- dev_rw_printer(svirt_t)
+- term_use_unallocated_ttys(virt_domain)
+- dev_rw_printer(virt_domain)
-')
-
-tunable_policy(`virt_use_fusefs',`
-- fs_read_fusefs_files(svirt_t)
-- fs_read_fusefs_symlinks(svirt_t)
+- fs_manage_fusefs_dirs(virt_domain)
+- fs_manage_fusefs_files(virt_domain)
+- fs_read_fusefs_symlinks(virt_domain)
-')
-
-tunable_policy(`virt_use_nfs',`
-- fs_manage_nfs_dirs(svirt_t)
-- fs_manage_nfs_files(svirt_t)
+- fs_manage_nfs_dirs(virt_domain)
+- fs_manage_nfs_files(virt_domain)
+- fs_manage_nfs_named_sockets(virt_domain)
+- fs_read_nfs_symlinks(virt_domain)
-')
-
-tunable_policy(`virt_use_samba',`
-- fs_manage_cifs_dirs(svirt_t)
-- fs_manage_cifs_files(svirt_t)
-+optional_policy(`
+- fs_manage_cifs_dirs(virt_domain)
+- fs_manage_cifs_files(virt_domain)
+- fs_manage_cifs_named_sockets(virt_domain)
+- fs_read_cifs_symlinks(virt_domain)
+-')
+-
+-tunable_policy(`virt_use_sysfs',`
+- dev_rw_sysfs(virt_domain)
+-')
+-
+-tunable_policy(`virt_use_usb',`
+- dev_rw_usbfs(virt_domain)
+- dev_read_sysfs(virt_domain)
+- fs_manage_dos_dirs(virt_domain)
+- fs_manage_dos_files(virt_domain)
+-')
+-
+-optional_policy(`
+- tunable_policy(`virt_use_xserver',`
+- xserver_read_xdm_pid(virt_domain)
+- xserver_stream_connect(virt_domain)
+- ')
+-')
+-
+-optional_policy(`
+- dbus_read_lib_files(virt_domain)
+-')
++corenet_udp_sendrecv_generic_if(svirt_t)
++corenet_udp_sendrecv_generic_node(svirt_t)
++corenet_udp_sendrecv_all_ports(svirt_t)
++corenet_udp_bind_generic_node(svirt_t)
++corenet_udp_bind_all_ports(svirt_t)
++corenet_tcp_bind_all_ports(svirt_t)
++corenet_tcp_connect_all_ports(svirt_t)
+
+-optional_policy(`
+- nscd_use(virt_domain)
+-')
++miscfiles_read_generic_certs(svirt_t)
+
+ optional_policy(`
+- samba_domtrans_smbd(virt_domain)
+ xen_rw_image_files(svirt_t)
')
--tunable_policy(`virt_use_sysfs',`
-- dev_rw_sysfs(svirt_t)
-+optional_policy(`
+ optional_policy(`
+- xen_rw_image_files(virt_domain)
+ nscd_use(svirt_t)
')
--tunable_policy(`virt_use_usb',`
-- dev_rw_usbfs(svirt_t)
-- fs_manage_dos_dirs(svirt_t)
-- fs_manage_dos_files(svirt_t)
--')
+-########################################
+#######################################
-+#
+ #
+-# svirt local policy
+# svirt_prot_exec local policy
-+#
+ #
--optional_policy(`
-- xen_rw_image_files(svirt_t)
--')
+-list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
+-read_files_pattern(svirt_t, virt_content_t, virt_content_t)
+-
+-dontaudit svirt_t virt_content_t:file write_file_perms;
+-dontaudit svirt_t virt_content_t:dir rw_dir_perms;
+-
+-append_files_pattern(svirt_t, virt_home_t, virt_home_t)
+-manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t)
+-manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
+-manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
+-
+-filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu")
+-
+-stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t)
+-
+-corenet_udp_sendrecv_generic_if(svirt_t)
+-corenet_udp_sendrecv_generic_node(svirt_t)
+-corenet_udp_sendrecv_all_ports(svirt_t)
+-corenet_udp_bind_generic_node(svirt_t)
+-
+-corenet_all_recvfrom_unlabeled(svirt_t)
+-corenet_all_recvfrom_netlabel(svirt_t)
+-corenet_tcp_sendrecv_generic_if(svirt_t)
+-corenet_udp_sendrecv_generic_if(svirt_t)
+-corenet_tcp_sendrecv_generic_node(svirt_t)
+-corenet_udp_sendrecv_generic_node(svirt_t)
+-corenet_tcp_sendrecv_all_ports(svirt_t)
+-corenet_udp_sendrecv_all_ports(svirt_t)
+-corenet_tcp_bind_generic_node(svirt_t)
+-corenet_udp_bind_generic_node(svirt_t)
+-
+-corenet_sendrecv_all_server_packets(svirt_t)
+-corenet_udp_bind_all_ports(svirt_t)
+-corenet_tcp_bind_all_ports(svirt_t)
+allow svirt_tcg_t self:process { execmem execstack };
++allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms;
+
+-corenet_sendrecv_all_client_packets(svirt_t)
+-corenet_tcp_connect_all_ports(svirt_t)
+corenet_udp_sendrecv_generic_if(svirt_tcg_t)
+corenet_udp_sendrecv_generic_node(svirt_tcg_t)
+corenet_udp_sendrecv_all_ports(svirt_tcg_t)
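Review bot: The section header `# svirt_prot_exec local policy` is followed by rules for `svirt_tcg_t` (`allow svirt_tcg_t self:process { execmem execstack };` and the `corenet_*` lines below it), and an earlier hunk drops upstream's `virt_domain_template(svirt_prot_exec)`, so the header names a domain that no longer exists here; change it to `# svirt_tcg local policy`. Because this hunk also removes upstream's `tunable_policy(`virt_use_execmem', allow virt_domain self:process { execmem execstack })`, the execmem/execstack grant for svirt_tcg_t is now unconditional and `gen_tunable(virt_use_execmem, false)` (declared earlier in the file) has no remaining use in virt.te that I can see; if it is not referenced from virt.if either, the boolean is dead and should be removed or re-wired. A comment on the execmem line noting that TCG needs writable-and-executable memory for its code generator would make the unconditional grant read as intentional rather than as a lost tunable.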
@@ -71437,40 +82196,52 @@ index 947bbc6..12c15cb 100644
########################################
#
- # virtd local policy
+@@ -407,38 +255,41 @@ corenet_tcp_connect_all_ports(svirt_t)
#
--allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
--allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsched };
-+allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice };
+ allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice };
+allow virtd_t self:capability2 compromise_kernel;
-+allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched };
+ allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched };
+ifdef(`hide_broken_symptoms',`
+ # caused by some bogus kernel code
+ dontaudit virtd_t self:capability { sys_module sys_ptrace };
+')
-
--allow virtd_t self:fifo_file rw_fifo_file_perms;
--allow virtd_t self:unix_stream_socket create_stream_socket_perms;
-+allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
++
+ allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
+-allow virtd_t self:unix_stream_socket { accept connectto listen };
+-allow virtd_t self:tcp_socket { accept listen };
+allow virtd_t self:unix_stream_socket { connectto create_stream_socket_perms };
- allow virtd_t self:tcp_socket create_stream_socket_perms;
--allow virtd_t self:tun_socket create_socket_perms;
-+allow virtd_t self:tun_socket { create_socket_perms relabelfrom relabelto };
-+allow virtd_t self:rawip_socket create_socket_perms;
-+allow virtd_t self:packet_socket create_socket_perms;
++allow virtd_t self:tcp_socket create_stream_socket_perms;
+ allow virtd_t self:tun_socket { create_socket_perms relabelfrom relabelto };
+ allow virtd_t self:rawip_socket create_socket_perms;
+ allow virtd_t self:packet_socket create_socket_perms;
allow virtd_t self:netlink_kobject_uevent_socket create_socket_perms;
+-allow virtd_t self:netlink_route_socket nlmsg_write;
+-
+-allow virtd_t virt_domain:process { getattr getsched setsched transition signal signull sigkill };
+-dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh };
+-
+-allow virtd_t svirt_lxc_domain:unix_stream_socket { create_stream_socket_perms connectto };
+-allow virtd_t svirt_lxc_domain:process signal_perms;
+-
+-allow virtd_t virtd_lxc_t:process { signal signull sigkill };
+-
+-domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t)
+allow virtd_t self:netlink_route_socket create_netlink_socket_perms;
--manage_dirs_pattern(virtd_t, svirt_cache_t, svirt_cache_t)
--manage_files_pattern(virtd_t, svirt_cache_t, svirt_cache_t)
-+manage_dirs_pattern(virtd_t, virt_cache_t, virt_cache_t)
-+manage_files_pattern(virtd_t, virt_cache_t, virt_cache_t)
+ manage_dirs_pattern(virtd_t, virt_cache_t, virt_cache_t)
+ manage_files_pattern(virtd_t, virt_cache_t, virt_cache_t)
manage_dirs_pattern(virtd_t, virt_content_t, virt_content_t)
manage_files_pattern(virtd_t, virt_content_t, virt_content_t)
-
- allow virtd_t virt_domain:process { getattr getsched setsched transition signal signull sigkill };
+-filetrans_pattern(virtd_t, virt_home_t, virt_content_t, dir, "isos")
+
+-allow virtd_t svirt_var_run_t:file relabel_file_perms;
+-manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
+-manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
+-manage_sock_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
+-filetrans_pattern(virtd_t, virt_var_run_t, svirt_var_run_t, dir, "qemu")
++allow virtd_t virt_domain:process { getattr getsched setsched transition signal signull sigkill };
+allow virt_domain virtd_t:fd use;
+dontaudit virt_domain virtd_t:unix_stream_socket { read write };
+
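Review bot: `allow virtd_t self:capability2 compromise_kernel;` is kept on the new side with no comment; this appears to be the Secure Boot lockdown capability that was later withdrawn, and if so it lets libvirtd perform operations that can alter the running kernel, which deserves a why-line such as `# raw device / mtrr access under kernel lockdown -- confirm still needed`. Two upstream lines are removed in this hunk but not re-added here: `dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh };` (its companion `allow virtd_t virt_domain:process { ... transition ... }` is re-added) and `domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t)`; unless they reappear later in the patch, the first means audit noise on every guest start and the second means virtd_t can no longer transition into virtd_lxc_t at all. The `ifdef(`hide_broken_symptoms')` dontaudit of `sys_module sys_ptrace` cites "some bogus kernel code" without a reference; a bug number there would let a future maintainer know when it can be dropped.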
@@ -71486,120 +82257,128 @@ index 947bbc6..12c15cb 100644
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -202,19 +298,29 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -448,42 +299,28 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
+-manage_dirs_pattern(virtd_t, virt_home_t, virt_home_t)
+-manage_files_pattern(virtd_t, virt_home_t, virt_home_t)
+-manage_sock_files_pattern(virtd_t, virt_home_t, virt_home_t)
+-manage_lnk_files_pattern(virtd_t, virt_home_t, virt_home_t)
+-
+-userdom_user_home_dir_filetrans(virtd_t, virt_home_t, dir, ".libvirt")
+-userdom_user_home_dir_filetrans(virtd_t, virt_home_t, dir, ".virtinst")
+-userdom_user_home_dir_filetrans(virtd_t, virt_home_t, dir, "VirtualMachines")
+-
manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
-+manage_chr_files_pattern(virtd_t, virt_image_type, virt_image_type)
+ manage_chr_files_pattern(virtd_t, virt_image_type, virt_image_type)
manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
--allow virtd_t virt_image_type:file { relabelfrom relabelto };
--allow virtd_t virt_image_type:blk_file { relabelfrom relabelto };
+ manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type)
-
--manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
--manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
--logging_log_filetrans(virtd_t, virt_log_t, { file dir })
-+manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type)
+allow virtd_t virt_image_type:dir setattr;
-+allow virtd_t virt_image_type:file relabel_file_perms;
-+allow virtd_t virt_image_type:blk_file relabel_blk_file_perms;
-+allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
-+allow virtd_t virt_ptynode:chr_file rw_term_perms;
+ allow virtd_t virt_image_type:file relabel_file_perms;
+ allow virtd_t virt_image_type:blk_file relabel_blk_file_perms;
+ allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
+-allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
+-
+ allow virtd_t virt_ptynode:chr_file rw_term_perms;
manage_dirs_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
manage_files_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
files_tmp_filetrans(virtd_t, virt_tmp_t, { file dir })
- can_exec(virtd_t, virt_tmp_t)
-
-+manage_dirs_pattern(virtd_t, virt_lock_t, virt_lock_t)
-+manage_files_pattern(virtd_t, virt_lock_t, virt_lock_t)
-+manage_lnk_files_pattern(virtd_t, virt_lock_t, virt_lock_t)
-+files_lock_filetrans(virtd_t, virt_lock_t, { dir file lnk_file })
-+
-+manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
++can_exec(virtd_t, virt_tmp_t)
+
+-# This needs a file context specification
+ manage_dirs_pattern(virtd_t, virt_lock_t, virt_lock_t)
+ manage_files_pattern(virtd_t, virt_lock_t, virt_lock_t)
+ manage_lnk_files_pattern(virtd_t, virt_lock_t, virt_lock_t)
+ files_lock_filetrans(virtd_t, virt_lock_t, { dir file lnk_file })
+
+ manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
+-append_files_pattern(virtd_t, virt_log_t, virt_log_t)
+-create_files_pattern(virtd_t, virt_log_t, virt_log_t)
+-read_files_pattern(virtd_t, virt_log_t, virt_log_t)
+-setattr_files_pattern(virtd_t, virt_log_t, virt_log_t)
+manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
-+logging_log_filetrans(virtd_t, virt_log_t, { file dir })
-+
+ logging_log_filetrans(virtd_t, virt_log_t, { file dir })
+
manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
- manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
- manage_sock_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-@@ -225,16 +331,22 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -496,16 +333,11 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
+-manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
+-manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
+-filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
+-
+-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
+-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
+stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t)
-+
+
+-can_exec(virtd_t, virt_tmp_t)
+-
+-kernel_read_crypto_sysctls(virtd_t)
kernel_read_system_state(virtd_t)
kernel_read_network_state(virtd_t)
kernel_rw_net_sysctls(virtd_t)
-+kernel_read_kernel_sysctls(virtd_t)
- kernel_request_load_module(virtd_t)
- kernel_search_debugfs(virtd_t)
-+kernel_setsched(virtd_t)
-
- corecmd_exec_bin(virtd_t)
- corecmd_exec_shell(virtd_t)
-
--corenet_all_recvfrom_unlabeled(virtd_t)
+@@ -520,22 +352,12 @@ corecmd_exec_shell(virtd_t)
corenet_all_recvfrom_netlabel(virtd_t)
corenet_tcp_sendrecv_generic_if(virtd_t)
corenet_tcp_sendrecv_generic_node(virtd_t)
-@@ -247,22 +359,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
++corenet_tcp_sendrecv_all_ports(virtd_t)
+ corenet_tcp_bind_generic_node(virtd_t)
+-
+-corenet_sendrecv_virt_server_packets(virtd_t)
+ corenet_tcp_bind_virt_port(virtd_t)
+-corenet_tcp_sendrecv_virt_port(virtd_t)
+-
+-corenet_sendrecv_vnc_server_packets(virtd_t)
+ corenet_tcp_bind_vnc_port(virtd_t)
+-corenet_sendrecv_vnc_client_packets(virtd_t)
+ corenet_tcp_connect_vnc_port(virtd_t)
+-corenet_tcp_sendrecv_vnc_port(virtd_t)
+-
+-corenet_sendrecv_soundd_client_packets(virtd_t)
+ corenet_tcp_connect_soundd_port(virtd_t)
+-corenet_tcp_sendrecv_soundd_port(virtd_t)
+-
corenet_rw_tun_tap_dev(virtd_t)
dev_rw_sysfs(virtd_t)
-+dev_read_urand(virtd_t)
- dev_read_rand(virtd_t)
- dev_rw_kvm(virtd_t)
- dev_getattr_all_chr_files(virtd_t)
- dev_rw_mtrr(virtd_t)
-+dev_rw_vhost(virtd_t)
-+dev_setattr_generic_usb_dev(virtd_t)
-+dev_relabel_generic_usb_dev(virtd_t)
-
- # Init script handling
+@@ -548,22 +370,25 @@ dev_rw_vhost(virtd_t)
+ dev_setattr_generic_usb_dev(virtd_t)
+ dev_relabel_generic_usb_dev(virtd_t)
+
++# Init script handling
domain_use_interactive_fds(virtd_t)
domain_read_all_domains_state(virtd_t)
+domain_read_all_domains_state(virtd_t)
files_read_usr_files(virtd_t)
--files_read_etc_files(virtd_t)
+files_read_usr_files(virtd_t)
files_read_etc_runtime_files(virtd_t)
files_search_all(virtd_t)
files_read_kernel_modules(virtd_t)
files_read_usr_src_files(virtd_t)
--files_manage_etc_files(virtd_t)
+files_relabelto_system_conf_files(virtd_t)
+files_relabelfrom_system_conf_files(virtd_t)
-+
-+# Manages /etc/sysconfig/system-config-firewall
+
+ # Manages /etc/sysconfig/system-config-firewall
+-# files_relabelto_system_conf_files(virtd_t)
+-# files_relabelfrom_system_conf_files(virtd_t)
+-# files_manage_system_conf_files(virtd_t)
+files_manage_system_conf_files(virtd_t)
fs_list_auto_mountpoints(virtd_t)
- fs_getattr_xattr_fs(virtd_t)
-@@ -270,6 +391,18 @@ fs_rw_anon_inodefs_files(virtd_t)
+-fs_getattr_all_fs(virtd_t)
++fs_getattr_xattr_fs(virtd_t)
+ fs_rw_anon_inodefs_files(virtd_t)
fs_list_inotifyfs(virtd_t)
fs_manage_cgroup_dirs(virtd_t)
- fs_rw_cgroup_files(virtd_t)
-+fs_manage_hugetlbfs_dirs(virtd_t)
-+fs_rw_hugetlbfs_files(virtd_t)
-+
-+mls_fd_share_all_levels(virtd_t)
-+mls_file_read_to_clearance(virtd_t)
-+mls_file_write_to_clearance(virtd_t)
-+mls_process_read_to_clearance(virtd_t)
-+mls_process_write_to_clearance(virtd_t)
-+mls_net_write_within_range(virtd_t)
-+mls_socket_write_to_clearance(virtd_t)
-+mls_socket_read_to_clearance(virtd_t)
-+mls_rangetrans_source(virtd_t)
-
- mcs_process_set_categories(virtd_t)
-
-@@ -284,7 +417,8 @@ term_use_ptmx(virtd_t)
+@@ -594,15 +419,18 @@ term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t)
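Review bot: `domain_read_all_domains_state(virtd_t)` and `files_read_usr_files(virtd_t)` are each added directly below the identical upstream line that is kept as context, so the new side carries both rules twice; drop the added copies. The hunk also uncomments upstream's `files_manage_system_conf_files(virtd_t)` and adds `files_relabelto_system_conf_files(virtd_t)` / `files_relabelfrom_system_conf_files(virtd_t)`, which lets the daemon write and relabel every file of that type, not only the `/etc/sysconfig/system-config-firewall` named in the comment; if that one file is the real need, the comment should say the wider grant is a known over-approximation, or the rules should sit under a tunable. The old patch's `kernel_read_kernel_sysctls`, `kernel_setsched` and `mls_*` additions are dropped here; I assume upstream now carries them, but that is not visible in this hunk.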
@@ -71609,32 +82388,40 @@ index 947bbc6..12c15cb 100644
miscfiles_read_generic_certs(virtd_t)
miscfiles_read_hwdata(virtd_t)
-@@ -293,17 +427,36 @@ modutils_read_module_config(virtd_t)
+ modutils_read_module_deps(virtd_t)
++modutils_read_module_config(virtd_t)
modutils_manage_module_config(virtd_t)
logging_send_syslog_msg(virtd_t)
-+logging_send_audit_msgs(virtd_t)
+ logging_send_audit_msgs(virtd_t)
+logging_stream_connect_syslog(virtd_t)
-+
-+selinux_validate_context(virtd_t)
- seutil_read_config(virtd_t)
- seutil_read_default_contexts(virtd_t)
-+seutil_read_file_contexts(virtd_t)
+ selinux_validate_context(virtd_t)
-+sysnet_signull_ifconfig(virtd_t)
-+sysnet_signal_ifconfig(virtd_t)
+@@ -613,18 +441,24 @@ seutil_read_file_contexts(virtd_t)
+ sysnet_signull_ifconfig(virtd_t)
+ sysnet_signal_ifconfig(virtd_t)
sysnet_domtrans_ifconfig(virtd_t)
- sysnet_read_config(virtd_t)
++sysnet_read_config(virtd_t)
+-userdom_read_all_users_state(virtd_t)
+-
+-ifdef(`hide_broken_symptoms',`
+- dontaudit virtd_t self:capability { sys_module sys_ptrace };
+-')
+systemd_dbus_chat_logind(virtd_t)
+systemd_write_inhibit_pipes(virtd_t)
-+
+
+-tunable_policy(`virt_use_fusefs',`
+- fs_manage_fusefs_dirs(virtd_t)
+- fs_manage_fusefs_files(virtd_t)
+- fs_read_fusefs_symlinks(virtd_t)
+-')
+userdom_list_admin_dir(virtd_t)
- userdom_getattr_all_users(virtd_t)
- userdom_list_user_home_content(virtd_t)
- userdom_read_all_users_state(virtd_t)
- userdom_read_user_home_content_files(virtd_t)
++userdom_getattr_all_users(virtd_t)
++userdom_list_user_home_content(virtd_t)
++userdom_read_all_users_state(virtd_t)
++userdom_read_user_home_content_files(virtd_t)
+userdom_relabel_user_home_files(virtd_t)
+userdom_setattr_user_home_content_files(virtd_t)
+manage_dirs_pattern(virtd_t, virt_home_t, virt_home_t)
@@ -71646,21 +82433,35 @@ index 947bbc6..12c15cb 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -322,6 +475,10 @@ optional_policy(`
+@@ -633,7 +467,7 @@ tunable_policy(`virt_use_nfs',`
')
- optional_policy(`
-+ consoletype_exec(virtd_t)
-+')
-+
-+optional_policy(`
- dbus_system_bus_client(virtd_t)
+ tunable_policy(`virt_use_samba',`
+- fs_manage_cifs_files(virtd_t)
++ fs_manage_nfs_files(virtd_t)
+ fs_manage_cifs_files(virtd_t)
+ fs_read_cifs_symlinks(virtd_t)
+ ')
+@@ -646,107 +480,330 @@ optional_policy(`
+ consoletype_exec(virtd_t)
+ ')
- optional_policy(`
-@@ -335,19 +492,34 @@ optional_policy(`
- optional_policy(`
- hal_dbus_chat(virtd_t)
- ')
+-optional_policy(`
+- dbus_system_bus_client(virtd_t)
++optional_policy(`
++ dbus_system_bus_client(virtd_t)
++
++ optional_policy(`
++ avahi_dbus_chat(virtd_t)
++ ')
++
++ optional_policy(`
++ consolekit_dbus_chat(virtd_t)
++ ')
++
++ optional_policy(`
++ hal_dbus_chat(virtd_t)
++ ')
+
+ optional_policy(`
+ networkmanager_dbus_chat(virtd_t)
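Review bot: The `virt_use_samba` block on the new side now grants `fs_manage_nfs_files(virtd_t)` (the inner `++` line that replaces one of the two `fs_manage_cifs_files(virtd_t)` calls), so NFS file access is switched on by a boolean named for Samba while CIFS directory management is still absent from that block. The duplicated `fs_manage_cifs_files` line looks like the thing being corrected, and the intended replacement is presumably `fs_manage_cifs_dirs(virtd_t)`, which keeps the grant under the boolean an administrator would expect to control it. NFS grants for virtd_t belong in the `virt_use_nfs` block just above, whose body is cut off by this hunk.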
@@ -71669,14 +82470,13 @@ index 947bbc6..12c15cb 100644
+
+optional_policy(`
+ dmidecode_domtrans(virtd_t)
- ')
-
- optional_policy(`
- dnsmasq_domtrans(virtd_t)
- dnsmasq_signal(virtd_t)
- dnsmasq_kill(virtd_t)
-- dnsmasq_read_pid_files(virtd_t)
- dnsmasq_signull(virtd_t)
++')
++
++optional_policy(`
++ dnsmasq_domtrans(virtd_t)
++ dnsmasq_signal(virtd_t)
++ dnsmasq_kill(virtd_t)
++ dnsmasq_signull(virtd_t)
+ dnsmasq_create_pid_dirs(virtd_t)
+ dnsmasq_filetrans_named_content_fromdir(virtd_t, virt_var_run_t);
+ dnsmasq_manage_pid_files(virtd_t)
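Review bot: `dnsmasq_filetrans_named_content_fromdir(virtd_t, virt_var_run_t);` carries a trailing semicolon that no other interface call in this file has; interface calls are m4 macros and m4 passes the stray `;` through to checkpolicy, so either drop it for consistency, `dnsmasq_filetrans_named_content_fromdir(virtd_t, virt_var_run_t)`, or confirm that the resulting `;;` is accepted by the build. The enclosing `optional_policy(` block closes outside this hunk.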
@@ -71684,67 +82484,79 @@ index 947bbc6..12c15cb 100644
+
+optional_policy(`
+ firewalld_dbus_chat(virtd_t)
- ')
-
- optional_policy(`
- iptables_domtrans(virtd_t)
- iptables_initrc_domtrans(virtd_t)
++')
++
++optional_policy(`
++ iptables_domtrans(virtd_t)
++ iptables_initrc_domtrans(virtd_t)
+ iptables_systemctl(virtd_t)
-
- # Manages /etc/sysconfig/system-config-firewall
- iptables_manage_config(virtd_t)
-@@ -362,6 +534,12 @@ optional_policy(`
- ')
-
- optional_policy(`
++
++ # Manages /etc/sysconfig/system-config-firewall
++ iptables_manage_config(virtd_t)
++')
++
++optional_policy(`
++ kerberos_keytab_template(virtd, virtd_t)
++')
++
++optional_policy(`
++ lvm_domtrans(virtd_t)
++')
++
++optional_policy(`
+ # Run mount in the mount_t domain.
+ mount_domtrans(virtd_t)
+ mount_signal(virtd_t)
+')
+
+optional_policy(`
- policykit_dbus_chat(virtd_t)
- policykit_domtrans_auth(virtd_t)
- policykit_domtrans_resolve(virtd_t)
-@@ -369,11 +547,11 @@ optional_policy(`
- ')
-
- optional_policy(`
-- qemu_domtrans(virtd_t)
-- qemu_read_state(virtd_t)
-- qemu_signal(virtd_t)
-- qemu_kill(virtd_t)
-- qemu_setsched(virtd_t)
++ policykit_dbus_chat(virtd_t)
++ policykit_domtrans_auth(virtd_t)
++ policykit_domtrans_resolve(virtd_t)
++ policykit_read_lib(virtd_t)
++')
++
++optional_policy(`
+ qemu_exec(virtd_t)
+')
+
+optional_policy(`
+ sanlock_stream_connect(virtd_t)
- ')
-
- optional_policy(`
-@@ -384,6 +562,7 @@ optional_policy(`
- kernel_read_xen_state(virtd_t)
- kernel_write_xen_state(virtd_t)
-
++')
++
++optional_policy(`
++ sasl_connect(virtd_t)
++')
++
++optional_policy(`
++ kernel_read_xen_state(virtd_t)
++ kernel_write_xen_state(virtd_t)
++
+ xen_exec(virtd_t)
- xen_stream_connect(virtd_t)
- xen_stream_connect_xenstore(virtd_t)
- xen_read_image_files(virtd_t)
-@@ -402,35 +581,85 @@ optional_policy(`
- #
- # virtual domains common policy
- #
--
--allow virt_domain self:capability { dac_read_search dac_override kill };
--allow virt_domain self:process { execmem execstack signal getsched signull };
--allow virt_domain self:fifo_file rw_file_perms;
++ xen_stream_connect(virtd_t)
++ xen_stream_connect_xenstore(virtd_t)
++ xen_read_image_files(virtd_t)
++')
++
++optional_policy(`
++ udev_domtrans(virtd_t)
++ udev_read_db(virtd_t)
++')
++
++optional_policy(`
++ unconfined_domain(virtd_t)
++')
++
++########################################
++#
++# virtual domains common policy
++#
+allow virt_domain self:process { signal getsched signull };
+allow virt_domain self:fifo_file rw_fifo_file_perms;
- allow virt_domain self:shm create_shm_perms;
- allow virt_domain self:unix_stream_socket create_stream_socket_perms;
- allow virt_domain self:unix_dgram_socket { create_socket_perms sendto };
- allow virt_domain self:tcp_socket create_stream_socket_perms;
++allow virt_domain self:shm create_shm_perms;
++allow virt_domain self:unix_stream_socket create_stream_socket_perms;
++allow virt_domain self:unix_dgram_socket { create_socket_perms sendto };
++allow virt_domain self:tcp_socket create_stream_socket_perms;
+allow virt_domain self:udp_socket create_socket_perms;
+
+list_dirs_pattern(virt_domain, virt_content_t, virt_content_t)
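Review bot: The new `optional_policy(` block granting `unconfined_domain(virtd_t)` (the three `++` lines just before the "virtual domains common policy" header) makes every narrowly scoped rule for virtd_t in this file ineffective whenever the unconfined module is loaded, which is typically the case on a targeted system; unless the block is merely relocated from a part of the old patch outside this hunk, that is a large widening with no comment. `optional_policy` only requires the unconfined module to be present, so nothing gates this on a boolean an administrator can turn off. At minimum say why it is there and what would allow it to be dropped, e.g. `# TODO: virtd_t is unconfined while the unconfined module is loaded; the rules above only take effect once this block is removed`.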
@@ -71798,119 +82610,153 @@ index 947bbc6..12c15cb 100644
+dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh };
+
+dontaudit virt_domain virt_tmpfs_type:file { read write };
-
- append_files_pattern(virt_domain, virt_log_t, virt_log_t)
-
- append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
-
--kernel_read_system_state(virt_domain)
--
- corecmd_exec_bin(virt_domain)
- corecmd_exec_shell(virt_domain)
-
--corenet_all_recvfrom_unlabeled(virt_domain)
--corenet_all_recvfrom_netlabel(virt_domain)
- corenet_tcp_sendrecv_generic_if(virt_domain)
- corenet_tcp_sendrecv_generic_node(virt_domain)
- corenet_tcp_sendrecv_all_ports(virt_domain)
- corenet_tcp_bind_generic_node(virt_domain)
- corenet_tcp_bind_vnc_port(virt_domain)
--corenet_rw_tun_tap_dev(virt_domain)
- corenet_tcp_bind_virt_migration_port(virt_domain)
- corenet_tcp_connect_virt_migration_port(virt_domain)
++
++append_files_pattern(virt_domain, virt_log_t, virt_log_t)
++
++append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
++
++corecmd_exec_bin(virt_domain)
++corecmd_exec_shell(virt_domain)
++
++corenet_tcp_sendrecv_generic_if(virt_domain)
++corenet_tcp_sendrecv_generic_node(virt_domain)
++corenet_tcp_sendrecv_all_ports(virt_domain)
++corenet_tcp_bind_generic_node(virt_domain)
++corenet_tcp_bind_vnc_port(virt_domain)
++corenet_tcp_bind_virt_migration_port(virt_domain)
++corenet_tcp_connect_virt_migration_port(virt_domain)
+corenet_rw_inherited_tun_tap_dev(virt_domain)
-
++
+dev_list_sysfs(virt_domain)
+dev_getattr_fs(virt_domain)
+dev_read_generic_symlinks(virt_domain)
- dev_read_rand(virt_domain)
- dev_read_sound(virt_domain)
- dev_read_urand(virt_domain)
-@@ -438,34 +667,628 @@ dev_write_sound(virt_domain)
- dev_rw_ksm(virt_domain)
- dev_rw_kvm(virt_domain)
- dev_rw_qemu(virt_domain)
++dev_read_rand(virt_domain)
++dev_read_sound(virt_domain)
++dev_read_urand(virt_domain)
++dev_write_sound(virt_domain)
++dev_rw_ksm(virt_domain)
++dev_rw_kvm(virt_domain)
++dev_rw_qemu(virt_domain)
+dev_rw_inherited_vhost(virt_domain)
++
++domain_use_interactive_fds(virt_domain)
- domain_use_interactive_fds(virt_domain)
-
--files_read_etc_files(virt_domain)
+- optional_policy(`
+- avahi_dbus_chat(virtd_t)
+- ')
+files_read_mnt_symlinks(virt_domain)
- files_read_usr_files(virt_domain)
- files_read_var_files(virt_domain)
- files_search_all(virt_domain)
++files_read_usr_files(virt_domain)
++files_read_var_files(virt_domain)
++files_search_all(virt_domain)
+- optional_policy(`
+- consolekit_dbus_chat(virtd_t)
+- ')
+fs_getattr_xattr_fs(virt_domain)
- fs_getattr_tmpfs(virt_domain)
- fs_rw_anon_inodefs_files(virt_domain)
- fs_rw_tmpfs_files(virt_domain)
++fs_getattr_tmpfs(virt_domain)
++fs_rw_anon_inodefs_files(virt_domain)
++fs_rw_tmpfs_files(virt_domain)
+fs_getattr_hugetlbfs(virt_domain)
+fs_rw_inherited_nfs_files(virt_domain)
+fs_rw_inherited_cifs_files(virt_domain)
+fs_rw_inherited_noxattr_fs_files(virt_domain)
-+
+
+- optional_policy(`
+- firewalld_dbus_chat(virtd_t)
+- ')
+# I think we need these for now.
+miscfiles_read_public_files(virt_domain)
+storage_raw_read_removable_device(virt_domain)
--term_use_all_terms(virt_domain)
+- optional_policy(`
+- hal_dbus_chat(virtd_t)
+- ')
+sysnet_read_config(virt_domain)
-+
+
+- optional_policy(`
+- networkmanager_dbus_chat(virtd_t)
+- ')
+term_use_all_inherited_terms(virt_domain)
- term_getattr_pty_fs(virt_domain)
- term_use_generic_ptys(virt_domain)
- term_use_ptmx(virt_domain)
++term_getattr_pty_fs(virt_domain)
++term_use_generic_ptys(virt_domain)
++term_use_ptmx(virt_domain)
--logging_send_syslog_msg(virt_domain)
+- optional_policy(`
+- policykit_dbus_chat(virtd_t)
+- ')
+tunable_policy(`virt_use_execmem',`
+ allow virt_domain self:process { execmem execstack };
-+')
+ ')
--miscfiles_read_localization(virt_domain)
-+optional_policy(`
+ optional_policy(`
+- dmidecode_domtrans(virtd_t)
+ alsa_read_rw_config(virt_domain)
-+')
+ ')
optional_policy(`
- ptchown_domtrans(virt_domain)
+- dnsmasq_domtrans(virtd_t)
+- dnsmasq_signal(virtd_t)
+- dnsmasq_kill(virtd_t)
+- dnsmasq_signull(virtd_t)
+- dnsmasq_create_pid_dirs(virtd_t)
+- dnsmasq_spec_filetrans_pid(virtd_t, virt_var_run_t, dir, "network")
+- dnsmasq_spec_filetrans_pid(virtd_t, virt_var_run_t, file, "dnsmasq.pid")
+- dnsmasq_manage_pid_files(virtd_t)
++ ptchown_domtrans(virt_domain)
')
optional_policy(`
+- iptables_domtrans(virtd_t)
+- iptables_initrc_domtrans(virtd_t)
+- iptables_manage_config(virtd_t)
+ pulseaudio_dontaudit_exec(virt_domain)
-+')
-+
-+optional_policy(`
- virt_read_config(virt_domain)
- virt_read_lib_files(virt_domain)
- virt_read_content(virt_domain)
- virt_stream_connect(virt_domain)
+ ')
+
+ optional_policy(`
+- kerberos_keytab_template(virtd, virtd_t)
++ virt_read_config(virt_domain)
++ virt_read_lib_files(virt_domain)
++ virt_read_content(virt_domain)
++ virt_stream_connect(virt_domain)
+ virt_domtrans_bridgehelper(virt_domain)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- lvm_domtrans(virtd_t)
+ xserver_rw_shm(virt_domain)
')
-+
+
+-optional_policy(`
+- mount_domtrans(virtd_t)
+- mount_signal(virtd_t)
+tunable_policy(`virt_use_comm',`
+ term_use_unallocated_ttys(virt_domain)
+ dev_rw_printer(virt_domain)
-+')
-+
+ ')
+
+-optional_policy(`
+- policykit_domtrans_auth(virtd_t)
+- policykit_domtrans_resolve(virtd_t)
+- policykit_read_lib(virtd_t)
+tunable_policy(`virt_use_fusefs',`
+ fs_manage_fusefs_dirs(virt_domain)
+ fs_manage_fusefs_files(virt_domain)
+ fs_read_fusefs_symlinks(virt_domain)
+ fs_getattr_fusefs(virt_domain)
-+')
-+
+ ')
+
+-optional_policy(`
+- qemu_exec(virtd_t)
+tunable_policy(`virt_use_nfs',`
+ fs_manage_nfs_dirs(virt_domain)
+ fs_manage_nfs_files(virt_domain)
+ fs_manage_nfs_named_sockets(virt_domain)
+ fs_read_nfs_symlinks(virt_domain)
+ fs_getattr_nfs(virt_domain)
-+')
-+
+ ')
+
+-optional_policy(`
+- sasl_connect(virtd_t)
+tunable_policy(`virt_use_samba',`
+ fs_manage_cifs_dirs(virt_domain)
+ fs_manage_cifs_files(virt_domain)
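Review bot: `# I think we need these for now.` above `miscfiles_read_public_files(virt_domain)` and `storage_raw_read_removable_device(virt_domain)` records a doubt rather than a reason, and the second call by its name gives every guest domain raw read access to removable block devices, which is the kind of grant the next maintainer needs a justification for before keeping or removing it. Replace it with a why-comment naming the consumer, e.g. `# <TODO: which guest operation> needs raw read of removable media; drop once <TODO condition>`, or put the raw-device access under a tunable the way this hunk already does for `virt_use_rawip` and `virt_use_comm`. The `virt_use_samba` block at the end of the hunk continues past its last line.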
@@ -71928,37 +82774,49 @@ index 947bbc6..12c15cb 100644
+ dev_read_sysfs(virt_domain)
+ fs_manage_dos_dirs(virt_domain)
+ fs_manage_dos_files(virt_domain)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- kernel_read_xen_state(virtd_t)
+- kernel_write_xen_state(virtd_t)
+ tunable_policy(`virt_use_sanlock',`
+ sanlock_stream_connect(virt_domain)
+ ')
+')
-+
+
+- xen_exec(virtd_t)
+- xen_stream_connect(virtd_t)
+- xen_stream_connect_xenstore(virtd_t)
+- xen_read_image_files(virtd_t)
+tunable_policy(`virt_use_rawip',`
+ allow virt_domain self:rawip_socket create_socket_perms;
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- udev_domtrans(virtd_t)
+- udev_read_db(virtd_t)
+ tunable_policy(`virt_use_xserver',`
+ xserver_stream_connect(virt_domain)
+ ')
-+')
-+
-+########################################
-+#
+ ')
+
+ ########################################
+ #
+-# Virsh local policy
+# xm local policy
-+#
+ #
+type virsh_t;
+type virsh_exec_t;
+init_system_domain(virsh_t, virsh_exec_t)
+typealias virsh_t alias xm_t;
+typealias virsh_exec_t alias xm_exec_t;
-+
+
+-allow virsh_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config };
+allow virsh_t self:capability { setpcap dac_override ipc_lock sys_chroot sys_nice sys_tty_config };
-+allow virsh_t self:process { getcap getsched setsched setcap signal };
-+allow virsh_t self:fifo_file rw_fifo_file_perms;
+ allow virsh_t self:process { getcap getsched setsched setcap signal };
+ allow virsh_t self:fifo_file rw_fifo_file_perms;
+-allow virsh_t self:unix_stream_socket { accept connectto listen };
+-allow virsh_t self:tcp_socket { accept listen };
+allow virsh_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow virsh_t self:tcp_socket create_stream_socket_perms;
+
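Review bot: The Fedora-side `allow virsh_t self:capability { ... sys_chroot ... };` differs from the upstream line it replaces only by `sys_chroot`, and nothing says what virsh needs chroot for; the same applies to widening `self:unix_stream_socket` and `self:tcp_socket` from `{ accept listen }` to `create_stream_socket_perms`. A one-line why-comment on the capability line, `# sys_chroot: <TODO reason>`, keeps the delta from upstream reviewable at the next merge. The section header a few lines up was also changed to `# xm local policy` although the types it introduces are `virsh_t`/`virsh_exec_t` with `xm_t` only as an alias, so `# virsh (xm) local policy` would describe the block more accurately.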
@@ -71969,225 +82827,217 @@ index 947bbc6..12c15cb 100644
+virt_manage_images(virsh_t)
+virt_manage_config(virsh_t)
+virt_stream_connect(virsh_t)
-+
-+manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
-+manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
-+manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type)
-+
-+manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
-+manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
-+manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
-+manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
-+manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
-+manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+
+ manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
+ manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
+@@ -758,23 +815,14 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+ manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+ manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+ manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+virt_transition_svirt_lxc(virsh_t, system_r)
-+
+
+-manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
+-manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
+-filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
+-
+-dontaudit virsh_t virt_var_lib_t:file read_file_perms;
+manage_dirs_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+manage_files_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+virt_filetrans_named_content(virsh_t)
-+
+
+-allow virsh_t svirt_lxc_domain:process transition;
+dontaudit virsh_t virt_var_lib_t:file read_inherited_file_perms;
-+
-+kernel_read_system_state(virsh_t)
-+kernel_read_network_state(virsh_t)
-+kernel_read_kernel_sysctls(virsh_t)
-+kernel_read_sysctl(virsh_t)
-+kernel_read_xen_state(virsh_t)
-+kernel_write_xen_state(virsh_t)
-+
-+corecmd_exec_bin(virsh_t)
-+corecmd_exec_shell(virsh_t)
-+
-+corenet_tcp_sendrecv_generic_if(virsh_t)
-+corenet_tcp_sendrecv_generic_node(virsh_t)
-+corenet_tcp_connect_soundd_port(virsh_t)
-+
-+dev_read_rand(virsh_t)
-+dev_read_urand(virsh_t)
-+dev_read_sysfs(virsh_t)
-+
-+files_read_etc_runtime_files(virsh_t)
-+files_read_etc_files(virsh_t)
-+files_read_usr_files(virsh_t)
-+files_list_mnt(virsh_t)
-+files_list_tmp(virsh_t)
+
+-can_exec(virsh_t, virsh_exec_t)
+-
+-virt_domtrans(virsh_t)
+-virt_manage_images(virsh_t)
+-virt_manage_config(virsh_t)
+-virt_stream_connect(virsh_t)
+-
+-kernel_read_crypto_sysctls(virsh_t)
+ kernel_read_system_state(virsh_t)
+ kernel_read_network_state(virsh_t)
+ kernel_read_kernel_sysctls(virsh_t)
+@@ -785,15 +833,9 @@ kernel_write_xen_state(virsh_t)
+ corecmd_exec_bin(virsh_t)
+ corecmd_exec_shell(virsh_t)
+
+-corenet_all_recvfrom_unlabeled(virsh_t)
+-corenet_all_recvfrom_netlabel(virsh_t)
+ corenet_tcp_sendrecv_generic_if(virsh_t)
+ corenet_tcp_sendrecv_generic_node(virsh_t)
+-corenet_tcp_bind_generic_node(virsh_t)
+-
+-corenet_sendrecv_soundd_client_packets(virsh_t)
+ corenet_tcp_connect_soundd_port(virsh_t)
+-corenet_tcp_sendrecv_soundd_port(virsh_t)
+
+ dev_read_rand(virsh_t)
+ dev_read_urand(virsh_t)
+@@ -804,6 +846,7 @@ files_read_etc_files(virsh_t)
+ files_read_usr_files(virsh_t)
+ files_list_mnt(virsh_t)
+ files_list_tmp(virsh_t)
+# Some common macros (you might be able to remove some)
-+
-+fs_getattr_all_fs(virsh_t)
-+fs_manage_xenfs_dirs(virsh_t)
-+fs_manage_xenfs_files(virsh_t)
-+fs_search_auto_mountpoints(virsh_t)
-+
-+storage_raw_read_fixed_disk(virsh_t)
-+
+
+ fs_getattr_all_fs(virsh_t)
+ fs_manage_xenfs_dirs(virsh_t)
+@@ -812,24 +855,21 @@ fs_search_auto_mountpoints(virsh_t)
+
+ storage_raw_read_fixed_disk(virsh_t)
+
+-term_use_all_terms(virsh_t)
+term_use_all_inherited_terms(virsh_t)
+
+userdom_search_admin_dir(virsh_t)
+userdom_read_home_certs(virsh_t)
-+
-+init_stream_connect_script(virsh_t)
-+init_rw_script_stream_sockets(virsh_t)
-+init_use_fds(virsh_t)
-+
+
+ init_stream_connect_script(virsh_t)
+ init_rw_script_stream_sockets(virsh_t)
+ init_use_fds(virsh_t)
+
+-logging_send_syslog_msg(virsh_t)
+auth_read_passwd(virsh_t)
-+
+
+-miscfiles_read_localization(virsh_t)
+logging_send_syslog_msg(virsh_t)
-+
-+sysnet_dns_name_resolve(virsh_t)
-+
-+tunable_policy(`virt_use_nfs',`
-+ fs_manage_nfs_dirs(virsh_t)
-+ fs_manage_nfs_files(virsh_t)
-+ fs_read_nfs_symlinks(virsh_t)
-+')
-+
-+tunable_policy(`virt_use_samba',`
-+ fs_manage_cifs_files(virsh_t)
-+ fs_manage_cifs_files(virsh_t)
-+ fs_read_cifs_symlinks(virsh_t)
-+')
-+
-+optional_policy(`
-+ cron_system_entry(virsh_t, virsh_exec_t)
-+')
-+
-+optional_policy(`
+
+ sysnet_dns_name_resolve(virsh_t)
+
+-tunable_policy(`virt_use_fusefs',`
+- fs_manage_fusefs_dirs(virsh_t)
+- fs_manage_fusefs_files(virsh_t)
+- fs_read_fusefs_symlinks(virsh_t)
+-')
+-
+ tunable_policy(`virt_use_nfs',`
+ fs_manage_nfs_dirs(virsh_t)
+ fs_manage_nfs_files(virsh_t)
+@@ -847,6 +887,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+ rhcs_domtrans_fenced(virsh_t)
+')
+
+optional_policy(`
-+ rpm_exec(virsh_t)
-+')
-+
-+optional_policy(`
-+ xen_manage_image_dirs(virsh_t)
-+ xen_append_log(virsh_t)
-+ xen_domtrans(virsh_t)
+ rpm_exec(virsh_t)
+ ')
+
+@@ -854,7 +898,7 @@ optional_policy(`
+ xen_manage_image_dirs(virsh_t)
+ xen_append_log(virsh_t)
+ xen_domtrans(virsh_t)
+- xen_read_xenstored_pid_files(virsh_t)
+ xen_read_pid_files_xenstored(virsh_t)
-+ xen_stream_connect(virsh_t)
-+ xen_stream_connect_xenstore(virsh_t)
-+')
-+
-+optional_policy(`
-+ dbus_system_bus_client(virsh_t)
-+
-+ optional_policy(`
-+ hal_dbus_chat(virsh_t)
-+ ')
-+')
-+
-+optional_policy(`
-+ vhostmd_rw_tmpfs_files(virsh_t)
-+ vhostmd_stream_connect(virsh_t)
-+ vhostmd_dontaudit_rw_stream_connect(virsh_t)
-+')
-+
-+optional_policy(`
-+ ssh_basic_client_template(virsh, virsh_t, system_r)
-+
-+ kernel_read_xen_state(virsh_ssh_t)
-+ kernel_write_xen_state(virsh_ssh_t)
-+
+ xen_stream_connect(virsh_t)
+ xen_stream_connect_xenstore(virsh_t)
+ ')
+@@ -879,34 +923,39 @@ optional_policy(`
+ kernel_read_xen_state(virsh_ssh_t)
+ kernel_write_xen_state(virsh_ssh_t)
+
+ dontaudit virsh_ssh_t virsh_transition_domain:fifo_file rw_inherited_fifo_file_perms;
-+ files_search_tmp(virsh_ssh_t)
-+
-+ fs_manage_xenfs_dirs(virsh_ssh_t)
-+ fs_manage_xenfs_files(virsh_ssh_t)
+ files_search_tmp(virsh_ssh_t)
+
+ fs_manage_xenfs_dirs(virsh_ssh_t)
+ fs_manage_xenfs_files(virsh_ssh_t)
+
+ userdom_search_admin_dir(virsh_ssh_t)
-+')
-+
-+########################################
-+#
+ ')
+
+ ########################################
+ #
+-# Lxc local policy
+# virt_lxc local policy
-+#
-+allow virtd_lxc_t self:capability { dac_override net_admin net_raw setpcap chown sys_admin sys_boot sys_resource };
+ #
+-
+ allow virtd_lxc_t self:capability { dac_override net_admin net_raw setpcap chown sys_admin sys_boot sys_resource };
+allow virtd_lxc_t self:capability2 compromise_kernel;
+
-+allow virtd_lxc_t self:process { setexec setrlimit setsched getcap setcap signal_perms };
-+allow virtd_lxc_t self:fifo_file rw_fifo_file_perms;
+ allow virtd_lxc_t self:process { setexec setrlimit setsched getcap setcap signal_perms };
+ allow virtd_lxc_t self:fifo_file rw_fifo_file_perms;
+-allow virtd_lxc_t self:netlink_route_socket nlmsg_write;
+-allow virtd_lxc_t self:unix_stream_socket { accept listen };
+allow virtd_lxc_t self:netlink_route_socket rw_netlink_socket_perms;
+allow virtd_lxc_t self:unix_stream_socket create_stream_socket_perms;
-+allow virtd_lxc_t self:packet_socket create_socket_perms;
-+
-+allow virtd_lxc_t virt_image_type:dir mounton;
-+manage_files_pattern(virtd_lxc_t, virt_image_t, virt_image_t)
-+
+ allow virtd_lxc_t self:packet_socket create_socket_perms;
+
+-allow virtd_lxc_t svirt_lxc_domain:process { getattr getsched setsched transition signal signull sigkill };
+-
+ allow virtd_lxc_t virt_image_type:dir mounton;
+ manage_files_pattern(virtd_lxc_t, virt_image_t, virt_image_t)
+
+domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t)
+allow virtd_t virtd_lxc_t:process { signal signull sigkill };
+
-+allow virtd_lxc_t virt_var_run_t:dir search_dir_perms;
+ allow virtd_lxc_t virt_var_run_t:dir search_dir_perms;
+-manage_dirs_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
+-manage_files_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
+-manage_sock_files_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
+-files_pid_filetrans(virtd_lxc_t, virtd_lxc_var_run_t, { file dir })
+manage_dirs_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+manage_files_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+manage_sock_files_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+files_pid_filetrans(virtd_lxc_t, virt_lxc_var_run_t, { file dir })
-+
-+manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
-+manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
-+manage_chr_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
-+manage_lnk_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
-+manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
-+manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
-+allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom };
-+allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom };
+
+ manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
+ manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -916,12 +965,15 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
+ manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
+ allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom };
+ allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom };
+files_associate_rootfs(svirt_lxc_file_t)
-+
-+storage_manage_fixed_disk(virtd_lxc_t)
+
+ storage_manage_fixed_disk(virtd_lxc_t)
+storage_rw_fuse(virtd_lxc_t)
-+
-+kernel_read_all_sysctls(virtd_lxc_t)
-+kernel_read_network_state(virtd_lxc_t)
-+kernel_read_system_state(virtd_lxc_t)
+
+ kernel_read_all_sysctls(virtd_lxc_t)
+ kernel_read_network_state(virtd_lxc_t)
+ kernel_read_system_state(virtd_lxc_t)
+kernel_request_load_module(virtd_lxc_t)
-+
-+corecmd_exec_bin(virtd_lxc_t)
-+corecmd_exec_shell(virtd_lxc_t)
-+
-+dev_relabel_all_dev_nodes(virtd_lxc_t)
-+dev_rw_sysfs(virtd_lxc_t)
-+dev_read_sysfs(virtd_lxc_t)
-+dev_read_urand(virtd_lxc_t)
-+
-+domain_use_interactive_fds(virtd_lxc_t)
-+
-+files_search_all(virtd_lxc_t)
-+files_getattr_all_files(virtd_lxc_t)
-+files_read_usr_files(virtd_lxc_t)
-+files_relabel_rootfs(virtd_lxc_t)
-+files_mounton_non_security(virtd_lxc_t)
-+files_mount_all_file_type_fs(virtd_lxc_t)
-+files_unmount_all_file_type_fs(virtd_lxc_t)
-+files_list_isid_type_dirs(virtd_lxc_t)
-+files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set)
-+
-+fs_getattr_all_fs(virtd_lxc_t)
-+fs_manage_tmpfs_dirs(virtd_lxc_t)
-+fs_manage_tmpfs_chr_files(virtd_lxc_t)
-+fs_manage_tmpfs_symlinks(virtd_lxc_t)
-+fs_manage_cgroup_dirs(virtd_lxc_t)
-+fs_mounton_tmpfs(virtd_lxc_t)
-+fs_remount_all_fs(virtd_lxc_t)
-+fs_rw_cgroup_files(virtd_lxc_t)
-+fs_unmount_all_fs(virtd_lxc_t)
-+fs_relabelfrom_tmpfs(virtd_lxc_t)
-+
+
+ corecmd_exec_bin(virtd_lxc_t)
+ corecmd_exec_shell(virtd_lxc_t)
+@@ -933,7 +985,6 @@ dev_read_urand(virtd_lxc_t)
+
+ domain_use_interactive_fds(virtd_lxc_t)
+
+-files_associate_rootfs(svirt_lxc_file_t)
+ files_search_all(virtd_lxc_t)
+ files_getattr_all_files(virtd_lxc_t)
+ files_read_usr_files(virtd_lxc_t)
+@@ -955,15 +1006,11 @@ fs_rw_cgroup_files(virtd_lxc_t)
+ fs_unmount_all_fs(virtd_lxc_t)
+ fs_relabelfrom_tmpfs(virtd_lxc_t)
+
+logging_send_audit_msgs(virtd_lxc_t)
+
-+selinux_mount_fs(virtd_lxc_t)
-+selinux_unmount_fs(virtd_lxc_t)
+ selinux_mount_fs(virtd_lxc_t)
+ selinux_unmount_fs(virtd_lxc_t)
+-selinux_get_enforce_mode(virtd_lxc_t)
+-selinux_get_fs_mount(virtd_lxc_t)
+-selinux_validate_context(virtd_lxc_t)
+-selinux_compute_access_vector(virtd_lxc_t)
+-selinux_compute_create_context(virtd_lxc_t)
+-selinux_compute_relabel_context(virtd_lxc_t)
+-selinux_compute_user_contexts(virtd_lxc_t)
+seutil_read_config(virtd_lxc_t)
-+
-+term_use_generic_ptys(virtd_lxc_t)
-+term_use_ptmx(virtd_lxc_t)
-+term_relabel_pty_fs(virtd_lxc_t)
-+
-+auth_use_nsswitch(virtd_lxc_t)
-+
-+logging_send_syslog_msg(virtd_lxc_t)
-+
-+seutil_domtrans_setfiles(virtd_lxc_t)
-+seutil_read_default_contexts(virtd_lxc_t)
-+
+
+ term_use_generic_ptys(virtd_lxc_t)
+ term_use_ptmx(virtd_lxc_t)
+@@ -973,20 +1020,39 @@ auth_use_nsswitch(virtd_lxc_t)
+
+ logging_send_syslog_msg(virtd_lxc_t)
+
+-miscfiles_read_localization(virtd_lxc_t)
+-
+ seutil_domtrans_setfiles(virtd_lxc_t)
+-seutil_read_config(virtd_lxc_t)
+ seutil_read_default_contexts(virtd_lxc_t)
+
+-sysnet_domtrans_ifconfig(virtd_lxc_t)
+selinux_get_enforce_mode(virtd_lxc_t)
+selinux_get_fs_mount(virtd_lxc_t)
+selinux_validate_context(virtd_lxc_t)
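Review bot: `allow virtd_lxc_t self:capability2 compromise_kernel;` and `kernel_request_load_module(virtd_lxc_t)` are granted to the container driver without a comment, and `compromise_kernel` in particular is a blanket permission whose effect cannot be judged from the policy text alone; both lines predate this commit in the patch, but the merge leaves them undocumented. Add a why-comment such as `# compromise_kernel: <TODO: which lxc setup step needs it>` so the next merge can decide whether it is still required. As a smaller point, the hunk moves the `selinux_get_enforce_mode` … `selinux_compute_user_contexts` group to the end of the section but re-adds `seutil_read_default_contexts(virtd_lxc_t)` there even though the upstream context line a few lines above already keeps it, so the resulting file has the call twice.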
@@ -72197,14 +83047,17 @@ index 947bbc6..12c15cb 100644
+selinux_compute_user_contexts(virtd_lxc_t)
+seutil_read_default_contexts(virtd_lxc_t)
+
++sysnet_exec_ifconfig(virtd_lxc_t)
++
+optional_policy(`
+ unconfined_domain(virtd_lxc_t)
+')
-+
-+########################################
-+#
+
+ ########################################
+ #
+-# Common virt lxc domain local policy
+# virt_lxc_domain local policy
-+#
+ #
+allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot ipc_lock };
+
+allow virtd_t svirt_lxc_domain:unix_stream_socket { create_stream_socket_perms connectto };
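Review bot: `sysnet_exec_ifconfig(virtd_lxc_t)` (the new `++` line) stands in for the `sysnet_domtrans_ifconfig(virtd_lxc_t)` removed at the end of the preceding hunk, so ifconfig now runs inside virtd_lxc_t with that domain's full permission set instead of transitioning to the ifconfig domain. That may be deliberate for configuring interfaces inside a container's namespace, but the hunk gives no reason; add `# run ifconfig in-domain: <TODO reason a transition is not used>` next to the call so the loss of separation can be revisited. The `allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot ipc_lock };` line also appears to add `ipc_lock` relative to the upstream line visible at the start of the following hunk, again without a comment.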
@@ -72215,185 +83068,231 @@ index 947bbc6..12c15cb 100644
+allow svirt_lxc_domain virt_lxc_var_run_t:dir list_dir_perms;
+allow svirt_lxc_domain virt_lxc_var_run_t:file read_file_perms;
+allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
-+
-+allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
-+allow svirt_lxc_domain self:fifo_file manage_file_perms;
-+allow svirt_lxc_domain self:sem create_sem_perms;
-+allow svirt_lxc_domain self:shm create_shm_perms;
-+allow svirt_lxc_domain self:msgq create_msgq_perms;
-+allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
-+allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
-+
-+manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
-+manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
-+manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
-+manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
-+manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
-+rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
-+rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+
+-allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
+ allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
+ allow svirt_lxc_domain self:fifo_file manage_file_perms;
+ allow svirt_lxc_domain self:sem create_sem_perms;
+@@ -995,19 +1061,6 @@ allow svirt_lxc_domain self:msgq create_msgq_perms;
+ allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
+ allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
+
+-allow svirt_lxc_domain virtd_lxc_t:fd use;
+-allow svirt_lxc_domain virtd_lxc_t:fifo_file rw_fifo_file_perms;
+-allow svirt_lxc_domain virtd_lxc_t:process sigchld;
+-
+-allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
+-
+-allow svirt_lxc_domain virsh_t:fd use;
+-allow svirt_lxc_domain virsh_t:fifo_file rw_fifo_file_perms;
+-allow svirt_lxc_domain virsh_t:process sigchld;
+-
+-allow svirt_lxc_domain virtd_lxc_var_run_t:dir list_dir_perms;
+-allow svirt_lxc_domain virtd_lxc_var_run_t:file read_file_perms;
+-
+ manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+ manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+ manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -1015,17 +1068,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+ manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+ rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+ rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-
+can_exec(svirt_lxc_domain, svirt_lxc_file_t)
-+allow svirt_lxc_net_t svirt_lxc_file_t:dir mounton;
-+allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr;
-+
-+kernel_getattr_proc(svirt_lxc_domain)
-+kernel_list_all_proc(svirt_lxc_domain)
-+kernel_read_kernel_sysctls(svirt_lxc_domain)
-+kernel_rw_net_sysctls(svirt_lxc_domain)
-+kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
-+
-+corecmd_exec_all_executables(svirt_lxc_domain)
-+
-+files_dontaudit_getattr_all_dirs(svirt_lxc_domain)
-+files_dontaudit_getattr_all_files(svirt_lxc_domain)
-+files_dontaudit_getattr_all_symlinks(svirt_lxc_domain)
-+files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
-+files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
-+files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
-+files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
+ allow svirt_lxc_net_t svirt_lxc_file_t:dir mounton;
+ allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr;
+
+-can_exec(svirt_lxc_domain, svirt_lxc_file_t)
+-
+ kernel_getattr_proc(svirt_lxc_domain)
+ kernel_list_all_proc(svirt_lxc_domain)
+ kernel_read_kernel_sysctls(svirt_lxc_domain)
+ kernel_rw_net_sysctls(svirt_lxc_domain)
+-kernel_read_system_state(svirt_lxc_domain)
+ kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
+
+ corecmd_exec_all_executables(svirt_lxc_domain)
+@@ -1037,21 +1087,21 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
+ files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
+ files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
+ files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
+-# files_entrypoint_all_files(svirt_lxc_domain)
+files_entrypoint_all_files(svirt_lxc_domain)
-+files_list_var(svirt_lxc_domain)
-+files_list_var_lib(svirt_lxc_domain)
-+files_search_all(svirt_lxc_domain)
-+files_read_config_files(svirt_lxc_domain)
-+files_read_usr_files(svirt_lxc_domain)
-+files_read_usr_symlinks(svirt_lxc_domain)
+ files_list_var(svirt_lxc_domain)
+ files_list_var_lib(svirt_lxc_domain)
+ files_search_all(svirt_lxc_domain)
+ files_read_config_files(svirt_lxc_domain)
+ files_read_usr_files(svirt_lxc_domain)
+ files_read_usr_symlinks(svirt_lxc_domain)
+files_search_locks(svirt_lxc_domain)
-+
-+fs_getattr_all_fs(svirt_lxc_domain)
-+fs_list_inotifyfs(svirt_lxc_domain)
+
+ fs_getattr_all_fs(svirt_lxc_domain)
+ fs_list_inotifyfs(svirt_lxc_domain)
+fs_rw_inherited_tmpfs_files(svirt_lxc_domain)
-+
++fs_read_fusefs_files(svirt_lxc_net_t)
+
+-# fs_rw_inherited_tmpfs_files(svirt_lxc_domain)
+-# fs_rw_inherited_cifs_files(svirt_lxc_domain)
+-# fs_rw_inherited_noxattr_fs_files(svirt_lxc_domain)
+-
+auth_dontaudit_read_passwd(svirt_lxc_domain)
-+auth_dontaudit_read_login_records(svirt_lxc_domain)
-+auth_dontaudit_write_login_records(svirt_lxc_domain)
-+auth_search_pam_console_data(svirt_lxc_domain)
-+
-+clock_read_adjtime(svirt_lxc_domain)
-+
-+init_read_utmp(svirt_lxc_domain)
-+init_dontaudit_write_utmp(svirt_lxc_domain)
-+
-+libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
-+
-+miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain)
-+miscfiles_read_fonts(svirt_lxc_domain)
-+
+ auth_dontaudit_read_login_records(svirt_lxc_domain)
+ auth_dontaudit_write_login_records(svirt_lxc_domain)
+ auth_search_pam_console_data(svirt_lxc_domain)
+@@ -1063,11 +1113,14 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
+
+ libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
+
+-miscfiles_read_localization(svirt_lxc_domain)
+ miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain)
+ miscfiles_read_fonts(svirt_lxc_domain)
+
+-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
+optional_policy(`
+ mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
+')
+
+systemd_read_unit_files(svirt_lxc_domain)
-+
-+optional_policy(`
-+ udev_read_pid_files(svirt_lxc_domain)
-+')
-+
-+optional_policy(`
-+ apache_exec_modules(svirt_lxc_domain)
-+ apache_read_sys_content(svirt_lxc_domain)
-+')
-+
+
+ optional_policy(`
+ udev_read_pid_files(svirt_lxc_domain)
+@@ -1078,81 +1131,63 @@ optional_policy(`
+ apache_read_sys_content(svirt_lxc_domain)
+ ')
+
+-########################################
+-#
+-# Lxc net local policy
+-#
+virt_lxc_domain_template(svirt_lxc_net)
-+
+
+-allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin sys_admin sys_nice sys_ptrace sys_resource setpcap };
+allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin net_bind_service sys_admin sys_nice sys_ptrace sys_resource setpcap };
-+dontaudit svirt_lxc_net_t self:capability2 block_suspend;
+ dontaudit svirt_lxc_net_t self:capability2 block_suspend;
+allow svirt_lxc_net_t self:netlink_socket create_socket_perms;
-+allow svirt_lxc_net_t self:process setrlimit;
+ allow svirt_lxc_net_t self:process setrlimit;
+-allow svirt_lxc_net_t self:tcp_socket { accept listen };
+-allow svirt_lxc_net_t self:netlink_route_socket nlmsg_write;
+
+allow svirt_lxc_net_t self:udp_socket create_socket_perms;
+allow svirt_lxc_net_t self:tcp_socket create_stream_socket_perms;
+allow svirt_lxc_net_t self:netlink_route_socket create_netlink_socket_perms;
-+allow svirt_lxc_net_t self:packet_socket create_socket_perms;
-+allow svirt_lxc_net_t self:socket create_socket_perms;
-+allow svirt_lxc_net_t self:rawip_socket create_socket_perms;
-+allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_socket_perms;
-+allow svirt_lxc_net_t self:netlink_kobject_uevent_socket create_socket_perms;
-+
-+kernel_read_network_state(svirt_lxc_net_t)
-+kernel_read_irq_sysctls(svirt_lxc_net_t)
-+
+ allow svirt_lxc_net_t self:packet_socket create_socket_perms;
+ allow svirt_lxc_net_t self:socket create_socket_perms;
+ allow svirt_lxc_net_t self:rawip_socket create_socket_perms;
+-allow svirt_lxc_net_t self:netlink_socket create_socket_perms;
+ allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_socket_perms;
+ allow svirt_lxc_net_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+ kernel_read_network_state(svirt_lxc_net_t)
+ kernel_read_irq_sysctls(svirt_lxc_net_t)
+
+-corenet_all_recvfrom_unlabeled(svirt_lxc_net_t)
+-corenet_all_recvfrom_netlabel(svirt_lxc_net_t)
+-corenet_tcp_sendrecv_generic_if(svirt_lxc_net_t)
+-corenet_udp_sendrecv_generic_if(svirt_lxc_net_t)
+-corenet_tcp_sendrecv_generic_node(svirt_lxc_net_t)
+-corenet_udp_sendrecv_generic_node(svirt_lxc_net_t)
+-corenet_tcp_sendrecv_all_ports(svirt_lxc_net_t)
+-corenet_udp_sendrecv_all_ports(svirt_lxc_net_t)
+dev_read_sysfs(svirt_lxc_net_t)
+dev_getattr_mtrr_dev(svirt_lxc_net_t)
+dev_read_rand(svirt_lxc_net_t)
+dev_read_urand(svirt_lxc_net_t)
+
-+corenet_tcp_bind_generic_node(svirt_lxc_net_t)
-+corenet_udp_bind_generic_node(svirt_lxc_net_t)
+ corenet_tcp_bind_generic_node(svirt_lxc_net_t)
+ corenet_udp_bind_generic_node(svirt_lxc_net_t)
+-
+-corenet_sendrecv_all_server_packets(svirt_lxc_net_t)
+corenet_tcp_sendrecv_all_ports(svirt_lxc_net_t)
+corenet_udp_sendrecv_all_ports(svirt_lxc_net_t)
-+corenet_udp_bind_all_ports(svirt_lxc_net_t)
-+corenet_tcp_bind_all_ports(svirt_lxc_net_t)
-+corenet_tcp_connect_all_ports(svirt_lxc_net_t)
-+
-+files_read_kernel_modules(svirt_lxc_net_t)
-+
+ corenet_udp_bind_all_ports(svirt_lxc_net_t)
+ corenet_tcp_bind_all_ports(svirt_lxc_net_t)
+-
+-corenet_sendrecv_all_client_packets(svirt_lxc_net_t)
+ corenet_tcp_connect_all_ports(svirt_lxc_net_t)
+
+-dev_getattr_mtrr_dev(svirt_lxc_net_t)
+-dev_read_rand(svirt_lxc_net_t)
+-dev_read_sysfs(svirt_lxc_net_t)
+-dev_read_urand(svirt_lxc_net_t)
+-
+ files_read_kernel_modules(svirt_lxc_net_t)
+
+fs_noxattr_type(svirt_lxc_file_t)
-+fs_mount_cgroup(svirt_lxc_net_t)
-+fs_manage_cgroup_dirs(svirt_lxc_net_t)
+ fs_mount_cgroup(svirt_lxc_net_t)
+ fs_manage_cgroup_dirs(svirt_lxc_net_t)
+-fs_rw_cgroup_files(svirt_lxc_net_t)
+-
+-auth_use_nsswitch(svirt_lxc_net_t)
+fs_manage_cgroup_files(svirt_lxc_net_t)
-+
+
+-logging_send_audit_msgs(svirt_lxc_net_t)
+term_pty(svirt_lxc_file_t)
-+
+
+-userdom_use_user_ptys(svirt_lxc_net_t)
+auth_use_nsswitch(svirt_lxc_net_t)
-+
+
+-optional_policy(`
+- rpm_read_db(svirt_lxc_net_t)
+-')
+rpm_read_db(svirt_lxc_net_t)
-+
+
+-#######################################
+-#
+-# Prot exec local policy
+-#
+logging_send_audit_msgs(svirt_lxc_net_t)
-+
+
+-allow svirt_prot_exec_t self:process { execmem execstack };
+userdom_use_inherited_user_ptys(svirt_lxc_net_t)
-+
-+########################################
-+#
+
+ ########################################
+ #
+-# Qmf local policy
+# virt_qmf local policy
-+#
-+allow virt_qmf_t self:capability { sys_nice sys_tty_config };
-+allow virt_qmf_t self:process { setsched signal };
-+allow virt_qmf_t self:fifo_file rw_fifo_file_perms;
+ #
+-
+ allow virt_qmf_t self:capability { sys_nice sys_tty_config };
+ allow virt_qmf_t self:process { setsched signal };
+ allow virt_qmf_t self:fifo_file rw_fifo_file_perms;
+-allow virt_qmf_t self:unix_stream_socket { accept listen };
+allow virt_qmf_t self:unix_stream_socket create_stream_socket_perms;
-+allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
-+allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-+
-+can_exec(virt_qmf_t, virtd_exec_t)
-+
-+kernel_read_system_state(virt_qmf_t)
-+kernel_read_network_state(virt_qmf_t)
-+
-+dev_read_sysfs(virt_qmf_t)
-+dev_read_rand(virt_qmf_t)
-+dev_read_urand(virt_qmf_t)
-+
+ allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
+ allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
+
+@@ -1165,12 +1200,12 @@ dev_read_sysfs(virt_qmf_t)
+ dev_read_rand(virt_qmf_t)
+ dev_read_urand(virt_qmf_t)
+
+corenet_tcp_connect_matahari_port(virt_qmf_t)
+
-+domain_use_interactive_fds(virt_qmf_t)
-+
-+logging_send_syslog_msg(virt_qmf_t)
-+
-+sysnet_read_config(virt_qmf_t)
-+
-+optional_policy(`
-+ dbus_read_lib_files(virt_qmf_t)
-+')
-+
-+optional_policy(`
-+ virt_stream_connect(virt_qmf_t)
-+')
-+
-+########################################
-+#
+ domain_use_interactive_fds(virt_qmf_t)
+
+ logging_send_syslog_msg(virt_qmf_t)
+
+-miscfiles_read_localization(virt_qmf_t)
+-
+ sysnet_read_config(virt_qmf_t)
+
+ optional_policy(`
+@@ -1183,9 +1218,8 @@ optional_policy(`
+
+ ########################################
+ #
+-# Bridgehelper local policy
+# virt_bridgehelper local policy
-+#
-+allow virt_bridgehelper_t self:process { setcap getcap };
-+allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
-+allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-+allow virt_bridgehelper_t self:tun_socket create_socket_perms;
-+allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
-+
-+manage_files_pattern(virt_bridgehelper_t, svirt_home_t, svirt_home_t)
-+
-+kernel_read_network_state(virt_bridgehelper_t)
-+
-+corenet_rw_tun_tap_dev(virt_bridgehelper_t)
-+
+ #
+-
+ allow virt_bridgehelper_t self:process { setcap getcap };
+ allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
+ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
+@@ -1198,5 +1232,66 @@ kernel_read_network_state(virt_bridgehelper_t)
+
+ corenet_rw_tun_tap_dev(virt_bridgehelper_t)
+
+-userdom_search_user_home_dirs(virt_bridgehelper_t)
+-userdom_use_user_ptys(virt_bridgehelper_t)
+userdom_use_inherited_user_ptys(virt_bridgehelper_t)
+
+#######################################
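Review bot: `fs_read_fusefs_files(svirt_lxc_net_t)` (the `++` line near the middle of this hunk) is placed in the `virt_lxc_domain local policy` section, where every other rule targets the `svirt_lxc_domain` attribute, but it grants to the concrete type `svirt_lxc_net_t`. Moving it down to the block that starts at `virt_lxc_domain_template(svirt_lxc_net)`, next to `fs_mount_cgroup(svirt_lxc_net_t)`, keeps the section-to-attribute correspondence a reader relies on when auditing what every container domain gets versus what only the networked one gets. Separately, the patch now deletes upstream's commented-out `# files_entrypoint_all_files(svirt_lxc_domain)` and keeps the live call; a comment such as `# any file type may serve as a container entrypoint: <reason>` would document this intentional widening relative to upstream.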
@@ -72457,27 +83356,26 @@ index 947bbc6..12c15cb 100644
+type svirt_socket_t;
+role system_r types svirt_socket_t;
+allow svirt_t svirt_socket_t:unix_stream_socket connectto;
-+
-+
diff --git a/vlock.te b/vlock.te
-index 2511093..669dc13 100644
+index 9ead775..b5285e7 100644
--- a/vlock.te
+++ b/vlock.te
-@@ -47,7 +47,5 @@ init_dontaudit_rw_utmp(vlock_t)
+@@ -38,7 +38,7 @@ auth_use_pam(vlock_t)
- logging_send_syslog_msg(vlock_t)
+ init_dontaudit_rw_utmp(vlock_t)
-miscfiles_read_localization(vlock_t)
--
++logging_send_syslog_msg(vlock_t)
+
userdom_dontaudit_search_user_home_dirs(vlock_t)
-userdom_use_user_terminals(vlock_t)
+userdom_use_inherited_user_terminals(vlock_t)
diff --git a/vmware.te b/vmware.te
-index 7d334c4..979e82f 100644
+index 3a56513..1fb1463 100644
--- a/vmware.te
+++ b/vmware.te
-@@ -68,7 +68,8 @@ ifdef(`enable_mcs',`
- # VMWare host local policy
+@@ -65,7 +65,8 @@ ifdef(`enable_mcs',`
+ # Host local policy
#
-allow vmware_host_t self:capability { setgid setuid net_raw sys_nice sys_time sys_ptrace kill dac_override };
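Review bot: The refreshed vlock.te hunk now has the patch insert `logging_send_syslog_msg(vlock_t)` in place of the removed `miscfiles_read_localization(vlock_t)`, whereas the old patch only had that call as context. If the rebased upstream file still carries `logging_send_syslog_msg(vlock_t)` above the hunk window (the old hunk began at line 47 with that call as its first context line, the new one begins at line 38), the result is a duplicate rule — harmless to the compiled policy but noise in the downstream patch, so it is worth checking against the full file. The vmware.te part of this hunk is hunk-header renumbering only.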
@@ -72486,7 +83384,7 @@ index 7d334c4..979e82f 100644
dontaudit vmware_host_t self:capability sys_tty_config;
allow vmware_host_t self:process { execstack execmem signal_perms };
allow vmware_host_t self:fifo_file rw_fifo_file_perms;
-@@ -97,8 +98,8 @@ logging_log_filetrans(vmware_host_t, vmware_log_t, { file dir })
+@@ -94,8 +95,8 @@ can_exec(vmware_host_t, vmware_host_exec_t)
kernel_read_kernel_sysctls(vmware_host_t)
kernel_read_system_state(vmware_host_t)
kernel_read_network_state(vmware_host_t)
@@ -72496,7 +83394,7 @@ index 7d334c4..979e82f 100644
corenet_all_recvfrom_netlabel(vmware_host_t)
corenet_tcp_sendrecv_generic_if(vmware_host_t)
corenet_udp_sendrecv_generic_if(vmware_host_t)
-@@ -122,6 +123,7 @@ dev_getattr_all_blk_files(vmware_host_t)
+@@ -115,6 +116,7 @@ dev_getattr_all_blk_files(vmware_host_t)
dev_read_sysfs(vmware_host_t)
dev_read_urand(vmware_host_t)
dev_rw_vmware(vmware_host_t)
@@ -72504,7 +83402,7 @@ index 7d334c4..979e82f 100644
domain_use_interactive_fds(vmware_host_t)
domain_dontaudit_read_all_domains_state(vmware_host_t)
-@@ -129,7 +131,7 @@ domain_dontaudit_read_all_domains_state(vmware_host_t)
+@@ -122,7 +124,7 @@ domain_dontaudit_read_all_domains_state(vmware_host_t)
files_list_tmp(vmware_host_t)
files_read_etc_files(vmware_host_t)
files_read_etc_runtime_files(vmware_host_t)
@@ -72513,7 +83411,7 @@ index 7d334c4..979e82f 100644
fs_getattr_all_fs(vmware_host_t)
fs_search_auto_mountpoints(vmware_host_t)
-@@ -145,8 +147,6 @@ libs_exec_ld_so(vmware_host_t)
+@@ -138,8 +140,6 @@ libs_exec_ld_so(vmware_host_t)
logging_send_syslog_msg(vmware_host_t)
@@ -72522,7 +83420,7 @@ index 7d334c4..979e82f 100644
sysnet_dns_name_resolve(vmware_host_t)
sysnet_domtrans_ifconfig(vmware_host_t)
-@@ -156,11 +156,27 @@ userdom_dontaudit_search_user_home_dirs(vmware_host_t)
+@@ -149,11 +149,27 @@ userdom_dontaudit_search_user_home_dirs(vmware_host_t)
netutils_domtrans_ping(vmware_host_t)
optional_policy(`
@@ -72551,8 +83449,8 @@ index 7d334c4..979e82f 100644
')
optional_policy(`
-@@ -269,9 +285,8 @@ libs_exec_ld_so(vmware_t)
- # Access X11 config files
+@@ -258,9 +274,8 @@ storage_raw_write_removable_device(vmware_t)
+ libs_exec_ld_so(vmware_t)
libs_read_lib_files(vmware_t)
-miscfiles_read_localization(vmware_t)
@@ -72560,13 +83458,13 @@ index 7d334c4..979e82f 100644
-userdom_use_user_terminals(vmware_t)
+userdom_use_inherited_user_terminals(vmware_t)
userdom_list_user_home_dirs(vmware_t)
- # cjp: why?
- userdom_read_user_home_content_files(vmware_t)
+
+ sysnet_dns_name_resolve(vmware_t)
diff --git a/vnstatd.if b/vnstatd.if
-index 727fe95..47ec114 100644
+index 137ac44..a0089e6 100644
--- a/vnstatd.if
+++ b/vnstatd.if
-@@ -123,20 +123,17 @@ interface(`vnstatd_manage_lib_files',`
+@@ -152,12 +152,6 @@ interface(`vnstatd_manage_lib_files',`
## Domain allowed access.
## </summary>
## </param>
@@ -72579,25 +83477,28 @@ index 727fe95..47ec114 100644
#
interface(`vnstatd_admin',`
gen_require(`
- type vnstatd_t, vnstatd_var_lib_t;
+@@ -165,9 +159,13 @@ interface(`vnstatd_admin',`
+ type vnstatd_var_run_t;
')
- allow $1 vnstatd_t:process { ptrace signal_perms };
+ allow $1 vnstatd_t:process signal_perms;
ps_process_pattern($1, vnstatd_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 vnstatd_t:process ptrace;
+ ')
-
- files_list_var_lib($1)
- admin_pattern($1, vnstatd_var_lib_t)
++
+ init_labeled_script_domtrans($1, vnstatd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 vnstatd_initrc_exec_t system_r;
diff --git a/vnstatd.te b/vnstatd.te
-index 8121937..f90b43b 100644
+index febc3e5..9183e32 100644
--- a/vnstatd.te
+++ b/vnstatd.te
-@@ -28,9 +28,13 @@ allow vnstatd_t self:process signal;
+@@ -34,9 +34,13 @@ allow vnstatd_t self:process signal;
allow vnstatd_t self:fifo_file rw_fifo_file_perms;
- allow vnstatd_t self:unix_stream_socket create_stream_socket_perms;
+ allow vnstatd_t self:unix_stream_socket { accept listen };
+manage_files_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t)
+manage_dirs_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t)
@@ -72610,18 +83511,24 @@ index 8121937..f90b43b 100644
manage_files_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t)
manage_dirs_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t)
-@@ -47,8 +51,6 @@ fs_getattr_xattr_fs(vnstatd_t)
+@@ -47,14 +51,10 @@ kernel_read_system_state(vnstatd_t)
+
+ domain_use_interactive_fds(vnstatd_t)
+
+-files_read_etc_files(vnstatd_t)
+-
+ fs_getattr_xattr_fs(vnstatd_t)
logging_send_syslog_msg(vnstatd_t)
-miscfiles_read_localization(vnstatd_t)
-
- optional_policy(`
- cron_system_entry(vnstat_t, vnstat_exec_t)
- ')
-@@ -62,9 +64,9 @@ allow vnstat_t self:process signal;
+ ########################################
+ #
+ # Client local policy
+@@ -64,23 +64,19 @@ allow vnstat_t self:process signal;
allow vnstat_t self:fifo_file rw_fifo_file_perms;
- allow vnstat_t self:unix_stream_socket create_stream_socket_perms;
+ allow vnstat_t self:unix_stream_socket { accept listen };
+files_search_var_lib(vnstat_t)
manage_dirs_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
@@ -72630,17 +83537,75 @@ index 8121937..f90b43b 100644
kernel_read_network_state(vnstat_t)
kernel_read_system_state(vnstat_t)
-@@ -76,5 +78,3 @@ files_read_etc_files(vnstat_t)
+
+ domain_use_interactive_fds(vnstat_t)
+
+-files_read_etc_files(vnstat_t)
+-
fs_getattr_xattr_fs(vnstat_t)
logging_send_syslog_msg(vnstat_t)
--
+
-miscfiles_read_localization(vnstat_t)
+-
+ optional_policy(`
+ cron_system_entry(vnstat_t, vnstat_exec_t)
+ ')
+diff --git a/vpn.fc b/vpn.fc
+index 524ac2f..076dcc3 100644
+--- a/vpn.fc
++++ b/vpn.fc
+@@ -1,7 +1,13 @@
+-/sbin/vpnc -- gen_context(system_u:object_r:vpnc_exec_t,s0)
++#
++# sbin
++#
++/sbin/vpnc -- gen_context(system_u:object_r:vpnc_exec_t,s0)
+
++#
++# /usr
++#
+ /usr/bin/openconnect -- gen_context(system_u:object_r:vpnc_exec_t,s0)
+
+-/usr/sbin/vpnc -- gen_context(system_u:object_r:vpnc_exec_t,s0)
++/usr/sbin/vpnc -- gen_context(system_u:object_r:vpnc_exec_t,s0)
+
+-/var/run/vpnc(/.*)? gen_context(system_u:object_r:vpnc_var_run_t,s0)
++/var/run/vpnc(/.*)? gen_context(system_u:object_r:vpnc_var_run_t,s0)
diff --git a/vpn.if b/vpn.if
-index 7b93e07..a4e2f60 100644
+index 7a7f342..a4e2f60 100644
--- a/vpn.if
+++ b/vpn.if
-@@ -37,11 +37,16 @@ interface(`vpn_domtrans',`
+@@ -1,8 +1,8 @@
+-## <summary>Virtual Private Networking client.</summary>
++## <summary>Virtual Private Networking client</summary>
+
+ ########################################
+ ## <summary>
+-## Execute vpn clients in the vpnc domain.
++## Execute VPN clients in the vpnc domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -15,15 +15,13 @@ interface(`vpn_domtrans',`
+ type vpnc_t, vpnc_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+ domtrans_pattern($1, vpnc_exec_t, vpnc_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Execute vpn clients in the vpnc
+-## domain, and allow the specified
+-## role the vpnc domain.
++## Execute VPN clients in the vpnc domain, and
++## allow the specified role the vpnc domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -39,16 +37,21 @@ interface(`vpn_domtrans',`
#
interface(`vpn_run',`
gen_require(`
@@ -72659,22 +83624,59 @@ index 7b93e07..a4e2f60 100644
')
########################################
+ ## <summary>
+-## Send kill signals to vpnc.
++## Send VPN clients the kill signal.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -66,7 +69,7 @@ interface(`vpn_kill',`
+
+ ########################################
+ ## <summary>
+-## Send generic signals to vpnc.
++## Send generic signals to VPN clients.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -84,7 +87,7 @@ interface(`vpn_signal',`
+
+ ########################################
+ ## <summary>
+-## Send null signals to vpnc.
++## Send signull to VPN clients.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -103,7 +106,7 @@ interface(`vpn_signull',`
+ ########################################
+ ## <summary>
+ ## Send and receive messages from
+-## vpnc over dbus.
++## Vpnc over dbus.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
diff --git a/vpn.te b/vpn.te
-index 83a80ba..ddf48c0 100644
+index 9329eae..ddf48c0 100644
--- a/vpn.te
+++ b/vpn.te
-@@ -5,13 +5,15 @@ policy_module(vpn, 1.15.0)
+@@ -1,17 +1,19 @@
+-policy_module(vpn, 1.15.1)
++policy_module(vpn, 1.15.0)
+
+ ########################################
+ #
# Declarations
#
-attribute_role vpnc_roles;
--roleattribute system_r vpnc_roles;
+#attribute_role vpnc_roles;
+#roleattribute system_r vpnc_roles;
type vpnc_t;
type vpnc_exec_t;
-+init_system_domain(vpnc_t, vpnc_exec_t)
+ init_system_domain(vpnc_t, vpnc_exec_t)
application_domain(vpnc_t, vpnc_exec_t)
-role vpnc_roles types vpnc_t;
+#role vpnc_roles types vpnc_t;
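Review bot: The vpn.te hunk now turns `policy_module(vpn, 1.15.1)` into `policy_module(vpn, 1.15.0)`, i.e. the downstream patch lowers the module version below upstream's. The version string is what `semodule -l` reports and what packaging or comparison tooling may use to judge which copy is newer, so moving it backwards is at best confusing and at worst hides that this build supersedes the 1.15.1 one. This reads like a merge artifact of carrying the older Fedora header line rather than an intended change; if so, dropping the `-policy_module`/`+policy_module` pair keeps upstream's value.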
@@ -72682,16 +83684,22 @@ index 83a80ba..ddf48c0 100644
type vpnc_tmp_t;
files_tmp_file(vpnc_tmp_t)
-@@ -24,7 +26,7 @@ files_pid_file(vpnc_var_run_t)
- # Local policy
- #
-
--allow vpnc_t self:capability { dac_read_search dac_override net_admin ipc_lock net_raw };
-+allow vpnc_t self:capability { dac_read_search dac_override net_admin ipc_lock net_raw setuid };
+@@ -28,9 +30,13 @@ allow vpnc_t self:capability { dac_read_search dac_override net_admin ipc_lock n
allow vpnc_t self:process { getsched signal };
allow vpnc_t self:fifo_file rw_fifo_file_perms;
allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms;
-@@ -51,7 +53,6 @@ kernel_read_all_sysctls(vpnc_t)
+-allow vpnc_t self:tcp_socket { accept listen };
++allow vpnc_t self:tcp_socket create_stream_socket_perms;
++allow vpnc_t self:udp_socket create_socket_perms;
+ allow vpnc_t self:rawip_socket create_socket_perms;
++allow vpnc_t self:unix_dgram_socket create_socket_perms;
++allow vpnc_t self:unix_stream_socket create_socket_perms;
+ allow vpnc_t self:tun_socket { create_socket_perms relabelfrom };
++# cjp: this needs to be fixed
+ allow vpnc_t self:socket create_socket_perms;
+
+ manage_dirs_pattern(vpnc_t, vpnc_tmp_t, vpnc_tmp_t)
+@@ -47,7 +53,6 @@ kernel_read_all_sysctls(vpnc_t)
kernel_request_load_module(vpnc_t)
kernel_rw_net_sysctls(vpnc_t)
@@ -72699,7 +83707,40 @@ index 83a80ba..ddf48c0 100644
corenet_all_recvfrom_netlabel(vpnc_t)
corenet_tcp_sendrecv_generic_if(vpnc_t)
corenet_udp_sendrecv_generic_if(vpnc_t)
-@@ -80,18 +81,19 @@ domain_use_interactive_fds(vpnc_t)
+@@ -58,38 +63,32 @@ corenet_raw_sendrecv_generic_node(vpnc_t)
+ corenet_tcp_sendrecv_all_ports(vpnc_t)
+ corenet_udp_sendrecv_all_ports(vpnc_t)
+ corenet_udp_bind_generic_node(vpnc_t)
+-
+-corenet_sendrecv_all_server_packets(vpnc_t)
+ corenet_udp_bind_generic_port(vpnc_t)
+-
+-corenet_sendrecv_isakmp_server_packets(vpnc_t)
+ corenet_udp_bind_isakmp_port(vpnc_t)
+-
+-corenet_sendrecv_generic_server_packets(vpnc_t)
+ corenet_udp_bind_ipsecnat_port(vpnc_t)
+-
+-corenet_sendrecv_all_client_packets(vpnc_t)
+ corenet_tcp_connect_all_ports(vpnc_t)
+-
++corenet_sendrecv_all_client_packets(vpnc_t)
++corenet_sendrecv_isakmp_server_packets(vpnc_t)
++corenet_sendrecv_generic_server_packets(vpnc_t)
+ corenet_rw_tun_tap_dev(vpnc_t)
+
+-corecmd_exec_all_executables(vpnc_t)
+-
+ dev_read_rand(vpnc_t)
+ dev_read_urand(vpnc_t)
+ dev_read_sysfs(vpnc_t)
+
+ domain_use_interactive_fds(vpnc_t)
+
+-files_exec_etc_files(vpnc_t)
+-files_read_etc_runtime_files(vpnc_t)
+-files_dontaudit_search_home(vpnc_t)
+-
fs_getattr_xattr_fs(vpnc_t)
fs_getattr_tmpfs(vpnc_t)
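Review bot: The regrouping in this hunk drops `corenet_sendrecv_all_server_packets(vpnc_t)` (removed with `+-` and never re-added), while `corenet_sendrecv_all_client_packets`, the isakmp and the generic server-packet rules are re-added below the bind rules. If that narrowing is deliberate, the packet rules no longer cover the ipsecnat port that `corenet_udp_bind_ipsecnat_port(vpnc_t)` still binds; it only has effect where packets are labeled, so it may be harmless in practice, but it is indistinguishable from a reorder accident. A comment on the re-added group, e.g. `# server packets limited to isakmp and generic ports: <reason>`, would make the intent explicit.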
@@ -72707,29 +83748,23 @@ index 83a80ba..ddf48c0 100644
-term_use_all_ttys(vpnc_t)
+term_use_all_inherited_ptys(vpnc_t)
+term_use_all_inherited_ttys(vpnc_t)
-
- corecmd_exec_all_executables(vpnc_t)
-
- files_exec_etc_files(vpnc_t)
- files_read_etc_runtime_files(vpnc_t)
--files_read_etc_files(vpnc_t)
- files_dontaudit_search_home(vpnc_t)
++
++corecmd_exec_all_executables(vpnc_t)
++
++files_exec_etc_files(vpnc_t)
++files_read_etc_runtime_files(vpnc_t)
++files_dontaudit_search_home(vpnc_t)
auth_use_nsswitch(vpnc_t)
-+init_dontaudit_use_fds(vpnc_t)
-+
- libs_exec_ld_so(vpnc_t)
- libs_exec_lib_files(vpnc_t)
-
-@@ -100,17 +102,15 @@ locallogin_use_fds(vpnc_t)
+@@ -103,16 +102,15 @@ locallogin_use_fds(vpnc_t)
logging_send_syslog_msg(vpnc_t)
logging_dontaudit_search_logs(vpnc_t)
-miscfiles_read_localization(vpnc_t)
-
-seutil_dontaudit_search_config(vpnc_t)
- seutil_use_newrole_fds(vpnc_t)
++seutil_use_newrole_fds(vpnc_t)
-sysnet_run_ifconfig(vpnc_t, vpnc_roles)
+#sysnet_run_ifconfig(vpnc_t, vpnc_roles)
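Review bot: The regrouped block places `files_dontaudit_search_home(vpnc_t)` directly before the `auth_use_nsswitch(vpnc_t)` context line with no separating blank line, breaking the one-blank-line-between-layers convention used everywhere else in this file; add a blank `++` line after it. Separately, `init_dontaudit_use_fds(vpnc_t)` is no longer added by the patch and nothing in the hunk shows upstream providing it; if that drop is unintended it reintroduces the AVC noise the dontaudit suppressed, so it is worth confirming against the rebased file. `seutil_use_newrole_fds(vpnc_t)` becoming unconditional here is consistent with the following hunk removing its upstream `optional_policy` wrapper.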
@@ -72743,105 +83778,68 @@ index 83a80ba..ddf48c0 100644
optional_policy(`
dbus_system_bus_client(vpnc_t)
-diff --git a/w3c.te b/w3c.te
-index 1174ad8..bd7a7da 100644
---- a/w3c.te
-+++ b/w3c.te
-@@ -5,20 +5,34 @@ policy_module(w3c, 1.0.0)
- # Declarations
- #
-
--apache_content_template(w3c_validator)
-+
-+type httpd_w3c_validator_tmp_t;
-+files_tmp_file(httpd_w3c_validator_tmp_t)
-
- ########################################
- #
- # Local policy
- #
-
--corenet_tcp_connect_ftp_port(httpd_w3c_validator_script_t)
--corenet_tcp_sendrecv_ftp_port(httpd_w3c_validator_script_t)
--corenet_tcp_connect_http_port(httpd_w3c_validator_script_t)
--corenet_tcp_sendrecv_http_port(httpd_w3c_validator_script_t)
--corenet_tcp_connect_http_cache_port(httpd_w3c_validator_script_t)
--corenet_tcp_sendrecv_http_cache_port(httpd_w3c_validator_script_t)
-+optional_policy(`
-+ apache_content_template(w3c_validator)
-+
-+ manage_dirs_pattern(httpd_w3c_validator_script_t, httpd_w3c_validator_tmp_t, httpd_w3c_validator_tmp_t)
-+ manage_files_pattern(httpd_w3c_validator_script_t, httpd_w3c_validator_tmp_t, httpd_w3c_validator_tmp_t)
-+ files_tmp_filetrans(httpd_w3c_validator_script_t, httpd_w3c_validator_tmp_t, { file dir })
-+
-+ corenet_tcp_connect_ftp_port(httpd_w3c_validator_script_t)
-+ corenet_tcp_sendrecv_ftp_port(httpd_w3c_validator_script_t)
-+ corenet_tcp_connect_http_port(httpd_w3c_validator_script_t)
-+ corenet_tcp_sendrecv_http_port(httpd_w3c_validator_script_t)
-+ corenet_tcp_connect_http_cache_port(httpd_w3c_validator_script_t)
-+ corenet_tcp_sendrecv_http_cache_port(httpd_w3c_validator_script_t)
-+
-+ miscfiles_read_generic_certs(httpd_w3c_validator_script_t)
-
--miscfiles_read_generic_certs(httpd_w3c_validator_script_t)
-+ sysnet_dns_name_resolve(httpd_w3c_validator_script_t)
-
--sysnet_dns_name_resolve(httpd_w3c_validator_script_t)
-+ optional_policy(`
-+ apache_dontaudit_rw_tmp_files(httpd_w3c_validator_script_t)
-+ ')
-+')
+@@ -125,7 +123,3 @@ optional_policy(`
+ optional_policy(`
+ networkmanager_attach_tun_iface(vpnc_t)
+ ')
+-
+-optional_policy(`
+- seutil_use_newrole_fds(vpnc_t)
+-')
diff --git a/watchdog.te b/watchdog.te
-index b10bb05..f0d56b5 100644
+index 29f79e8..c58abd5 100644
--- a/watchdog.te
+++ b/watchdog.te
-@@ -42,7 +42,6 @@ kernel_unmount_proc(watchdog_t)
- corecmd_exec_shell(watchdog_t)
+@@ -63,7 +63,6 @@ domain_signull_all_domains(watchdog_t)
+ domain_signal_all_domains(watchdog_t)
+ domain_kill_all_domains(watchdog_t)
- # cjp: why networking?
--corenet_all_recvfrom_unlabeled(watchdog_t)
- corenet_all_recvfrom_netlabel(watchdog_t)
- corenet_tcp_sendrecv_generic_if(watchdog_t)
- corenet_udp_sendrecv_generic_if(watchdog_t)
-@@ -81,8 +80,6 @@ auth_append_login_records(watchdog_t)
+-files_read_etc_files(watchdog_t)
+ files_manage_etc_runtime_files(watchdog_t)
+ files_etc_filetrans_etc_runtime(watchdog_t, file)
+
+@@ -75,8 +74,6 @@ auth_append_login_records(watchdog_t)
logging_send_syslog_msg(watchdog_t)
-miscfiles_read_localization(watchdog_t)
-
- sysnet_read_config(watchdog_t)
+ sysnet_dns_name_resolve(watchdog_t)
userdom_dontaudit_use_unpriv_user_fds(watchdog_t)
diff --git a/wdmd.fc b/wdmd.fc
-new file mode 100644
-index 0000000..0d6257d
---- /dev/null
+index 66f11f7..e051997 100644
+--- a/wdmd.fc
+++ b/wdmd.fc
-@@ -0,0 +1,8 @@
-+
-+/etc/rc\.d/init\.d/wdmd -- gen_context(system_u:object_r:wdmd_initrc_exec_t,s0)
-+
+@@ -1,5 +1,7 @@
+ /etc/rc\.d/init\.d/wdmd -- gen_context(system_u:object_r:wdmd_initrc_exec_t,s0)
+
+-/usr/sbin/wdmd -- gen_context(system_u:object_r:wdmd_exec_t,s0)
+/usr/sbin/wdmd -- gen_context(system_u:object_r:wdmd_exec_t,s0)
+
+/var/run/wdmd(/.*)? gen_context(system_u:object_r:wdmd_var_run_t,s0)
+/var/run/checkquorum-timer -- gen_context(system_u:object_r:wdmd_var_run_t,s0)
-+
+
+-/var/run/wdmd(/.*)? gen_context(system_u:object_r:wdmd_var_run_t,s0)
diff --git a/wdmd.if b/wdmd.if
-new file mode 100644
-index 0000000..d17ff39
---- /dev/null
+index 1e3aec0..d17ff39 100644
+--- a/wdmd.if
+++ b/wdmd.if
-@@ -0,0 +1,133 @@
+@@ -1,29 +1,47 @@
+-## <summary>Watchdog multiplexing daemon.</summary>
+
+## <summary>watchdog multiplexing daemon</summary>
-+
-+########################################
-+## <summary>
+
+ ########################################
+ ## <summary>
+-## Connect to wdmd with a unix
+-## domain stream socket.
+## Execute a domain transition to run wdmd.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
+## <summary>
-+## Domain allowed access.
+ ## Domain allowed access.
+## </summary>
+## </param>
+#
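Review bot: This hunk and the next one replace upstream's `wdmd_stream_connect` interface with `wdmd_initrc_domtrans` in place — the `## Connect to wdmd with a unix domain stream socket.` summary is removed here, and the `interface(\`wdmd_stream_connect',\`` line with its `stream_connect_pattern` body is removed in the following hunk — rather than adding the new interface alongside it. Unless the patch re-adds `wdmd_stream_connect` further down (the trailing `type wdmd_var_run_t;` at the end of the chunk hints it may), any module still calling `wdmd_stream_connect` fails to build; keeping the upstream interface untouched and inserting `wdmd_initrc_domtrans` as a new block avoids that and keeps the diff smaller. The wdmd.fc part of this hunk is an alignment-only `/usr/sbin/wdmd` pair plus a reorder and could be dropped from the downstream patch.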
@@ -72861,51 +83859,52 @@ index 0000000..d17ff39
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+ #
+-interface(`wdmd_stream_connect',`
+interface(`wdmd_initrc_domtrans',`
-+ gen_require(`
+ gen_require(`
+- type wdmd_t, wdmd_var_run_t;
+ type wdmd_initrc_exec_t;
-+ ')
-+
+ ')
+
+- files_search_pids($1)
+- stream_connect_pattern($1, wdmd_var_run_t, wdmd_var_run_t, wdmd_t)
+ init_labeled_script_domtrans($1, wdmd_initrc_exec_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## All of the rules required to
+-## administrate an wdmd environment.
+## All of the rules required to administrate
+## an wdmd environment
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <param name="role">
-+## <summary>
-+## Role allowed access.
-+## </summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`wdmd_admin',`
-+ gen_require(`
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -39,17 +57,77 @@ interface(`wdmd_stream_connect',`
+ #
+ interface(`wdmd_admin',`
+ gen_require(`
+- type wdmd_t, wdmd_initrc_exec_t, wdmd_var_run_t;
+ type wdmd_t;
+ type wdmd_initrc_exec_t;
-+ ')
-+
+ ')
+
+- allow $1 wdmd_t:process { ptrace signal_perms };
+ allow $1 wdmd_t:process signal_perms;
-+ ps_process_pattern($1, wdmd_t)
+ ps_process_pattern($1, wdmd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 wdmd_t:process ptrace;
+ ')
-+
+
+- init_labeled_script_domtrans($1, wdmd_initrc_exec_t)
+ wdmd_initrc_domtrans($1)
-+ domain_system_change_exemption($1)
-+ role_transition $2 wdmd_initrc_exec_t system_r;
-+ allow $2 system_r;
-+
+ domain_system_change_exemption($1)
+ role_transition $2 wdmd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+')
+
+######################################
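Review bot: The new patch replaces upstream's `wdmd_stream_connect` interface at its position (the `-interface(`wdmd_stream_connect',`` line) with `wdmd_initrc_domtrans`, and nothing else in this hunk re-provides a stream-connect interface for the wdmd_var_run_t socket; if any other module in the tree still calls `wdmd_stream_connect` the policy build fails, so confirm it is re-added further down in wdmd.if or that no caller remains. The `deny_ptrace` gating in `wdmd_admin` is the right shape and should stay. Minor wording in the same hunk: the summary `an wdmd environment` should read `a wdmd environment`.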
@@ -72923,7 +83922,8 @@ index 0000000..d17ff39
+ type wdmd_var_run_t;
+ ')
+
-+ files_search_pids($1)
+ files_search_pids($1)
+- admin_pattern($1, wdmd_var_run_t)
+ manage_files_pattern($1, wdmd_var_run_t, wdmd_var_run_t)
+')
+
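Review bot: Swapping `admin_pattern($1, wdmd_var_run_t)` for `manage_files_pattern($1, wdmd_var_run_t, wdmd_var_run_t)` drops directory, socket-file and relabel access on the new side, while the wdmd.te rules visible elsewhere in this diff (presumably still present upstream) create both a directory and a sock_file under wdmd_var_run_t via `files_pid_filetrans(wdmd_t, wdmd_var_run_t, { file dir sock_file })`. If this interface is meant to let an administrator clean up /var/run/wdmd, add `manage_dirs_pattern($1, wdmd_var_run_t, wdmd_var_run_t)` and `manage_sock_files_pattern($1, wdmd_var_run_t, wdmd_var_run_t)`; if it is intentionally file-only, say so in the interface summary. The interface header and summary are outside this hunk.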
@@ -72964,79 +83964,25 @@ index 0000000..d17ff39
+
+ rw_files_pattern($1, wdmd_tmpfs_t, wdmd_tmpfs_t)
+
-+')
+ ')
diff --git a/wdmd.te b/wdmd.te
-new file mode 100644
-index 0000000..09b45bb
---- /dev/null
+index ebbdaf6..63c53ba 100644
+--- a/wdmd.te
+++ b/wdmd.te
-@@ -0,0 +1,61 @@
-+policy_module(wdmd,1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type wdmd_t;
-+type wdmd_exec_t;
-+init_daemon_domain(wdmd_t, wdmd_exec_t)
-+
-+type wdmd_var_run_t;
-+files_pid_file(wdmd_var_run_t)
-+
-+type wdmd_initrc_exec_t;
-+init_script_file(wdmd_initrc_exec_t)
-+
-+type wdmd_tmpfs_t;
-+files_tmpfs_file(wdmd_tmpfs_t)
-+
-+########################################
-+#
-+# wdmd local policy
-+#
-+allow wdmd_t self:capability { chown sys_nice ipc_lock };
-+allow wdmd_t self:process { setsched signal };
-+
-+allow wdmd_t self:fifo_file rw_fifo_file_perms;
-+allow wdmd_t self:unix_stream_socket create_stream_socket_perms;
-+
-+manage_dirs_pattern(wdmd_t, wdmd_var_run_t, wdmd_var_run_t)
-+manage_files_pattern(wdmd_t, wdmd_var_run_t, wdmd_var_run_t)
-+manage_sock_files_pattern(wdmd_t, wdmd_var_run_t, wdmd_var_run_t)
-+files_pid_filetrans(wdmd_t, wdmd_var_run_t, { file dir sock_file })
-+
-+manage_dirs_pattern(wdmd_t, wdmd_tmpfs_t, wdmd_tmpfs_t)
-+manage_files_pattern(wdmd_t, wdmd_tmpfs_t, wdmd_tmpfs_t)
-+fs_tmpfs_filetrans(wdmd_t, wdmd_tmpfs_t, { dir file })
-+
-+kernel_read_system_state(wdmd_t)
-+
-+corecmd_exec_bin(wdmd_t)
-+corecmd_exec_shell(wdmd_t)
-+
-+dev_read_watchdog(wdmd_t)
-+dev_write_watchdog(wdmd_t)
-+
-+domain_use_interactive_fds(wdmd_t)
-+
-+fs_getattr_tmpfs(wdmd_t)
-+fs_read_anon_inodefs_files(wdmd_t)
-+
-+auth_use_nsswitch(wdmd_t)
-+
-+logging_send_syslog_msg(wdmd_t)
-+
-+optional_policy(`
-+ corosync_initrc_domtrans(wdmd_t)
-+ corosync_stream_connect(wdmd_t)
-+ corosync_rw_tmpfs(wdmd_t)
-+')
+@@ -51,8 +51,6 @@ auth_use_nsswitch(wdmd_t)
+
+ logging_send_syslog_msg(wdmd_t)
+
+-miscfiles_read_localization(wdmd_t)
+-
+ optional_policy(`
+ corosync_initrc_domtrans(wdmd_t)
+ corosync_stream_connect(wdmd_t)
diff --git a/webadm.te b/webadm.te
-index 0ecc786..79a664a 100644
+index 708254f..2db084b 100644
--- a/webadm.te
+++ b/webadm.te
-@@ -23,12 +23,21 @@ role webadm_r;
+@@ -25,6 +25,9 @@ role webadm_r;
userdom_base_user_template(webadm)
@@ -73045,23 +83991,23 @@ index 0ecc786..79a664a 100644
+
########################################
#
- # webadmin local policy
- #
+ # Local policy
+@@ -32,6 +35,12 @@ userdom_base_user_template(webadm)
+
+ allow webadm_t self:capability { dac_override dac_read_search kill sys_nice };
--allow webadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };
-+allow webadm_t self:capability { dac_override dac_read_search kill sys_nice };
-+
+manage_dirs_pattern(webadm_t, webadm_tmp_t, webadm_tmp_t)
+manage_files_pattern(webadm_t, webadm_tmp_t, webadm_tmp_t)
+manage_lnk_files_pattern(webadm_t, webadm_tmp_t, webadm_tmp_t)
+files_tmp_filetrans(webadm_t, webadm_tmp_t, { file dir })
+can_exec(webadm_t, webadm_tmp_t)
-
++
files_dontaudit_search_all_dirs(webadm_t)
- files_manage_generic_locks(webadm_t)
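Review bot: `can_exec(webadm_t, webadm_tmp_t)` lets the web-admin domain execute whatever it writes into its own tmp type, which is the pattern that turns a file write in /tmp into code execution in a domain that also holds `dac_override` and `dac_read_search`. If a specific tool needs this, name it in a comment above the line (e.g. `# <tool> unpacks and runs helpers from /tmp`); otherwise drop the `can_exec` or gate it behind a tunable. The `webadm_tmp_t` declaration that these rules rely on is not in this hunk.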
-@@ -38,10 +47,13 @@ selinux_get_enforce_mode(webadm_t)
- seutil_domtrans_setfiles(webadm_t)
+ files_list_var(webadm_t)
+@@ -40,10 +49,13 @@ seutil_domtrans_setfiles(webadm_t)
+
+ logging_send_audit_msgs(webadm_t)
logging_send_syslog_msg(webadm_t)
+logging_send_audit_msgs(webadm_t)
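Review bot: The added `+logging_send_audit_msgs(webadm_t)` duplicates the upstream context line `logging_send_audit_msgs(webadm_t)` two lines above it (the outer diff marker on the added line looks whitespace-collapsed in this rendering, so confirm it is an addition rather than context). A duplicate interface call is harmless at build time but is one more line to carry through every rebase; drop the added line.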
@@ -73075,23 +84021,25 @@ index 0ecc786..79a664a 100644
tunable_policy(`webadm_manage_user_files',`
userdom_manage_user_home_content_files(webadm_t)
diff --git a/webalizer.te b/webalizer.te
-index 32b4f76..b00362b 100644
+index cdca8c7..bc76d1b 100644
--- a/webalizer.te
+++ b/webalizer.te
-@@ -59,7 +59,6 @@ files_var_lib_filetrans(webalizer_t, webalizer_var_lib_t, file)
+@@ -55,26 +55,38 @@ can_exec(webalizer_t, webalizer_exec_t)
kernel_read_kernel_sysctls(webalizer_t)
kernel_read_system_state(webalizer_t)
--corenet_all_recvfrom_unlabeled(webalizer_t)
- corenet_all_recvfrom_netlabel(webalizer_t)
- corenet_tcp_sendrecv_generic_if(webalizer_t)
- corenet_tcp_sendrecv_generic_node(webalizer_t)
-@@ -69,24 +68,26 @@ fs_search_auto_mountpoints(webalizer_t)
+-files_read_etc_runtime_files(webalizer_t)
++corenet_all_recvfrom_netlabel(webalizer_t)
++corenet_tcp_sendrecv_generic_if(webalizer_t)
++corenet_tcp_sendrecv_generic_node(webalizer_t)
++corenet_tcp_sendrecv_all_ports(webalizer_t)
+
+ fs_search_auto_mountpoints(webalizer_t)
fs_getattr_xattr_fs(webalizer_t)
fs_rw_anon_inodefs_files(webalizer_t)
--files_read_etc_files(webalizer_t)
- files_read_etc_runtime_files(webalizer_t)
+-auth_use_nsswitch(webalizer_t)
++files_read_etc_runtime_files(webalizer_t)
logging_list_logs(webalizer_t)
logging_send_syslog_msg(webalizer_t)
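Review bot: `corenet_tcp_sendrecv_all_ports(webalizer_t)` is broader than a log analyser needs; the only network use visible for webalizer here is reverse DNS via `sysnet_dns_name_resolve(webalizer_t)`, which already carries the DNS port rules. Unless there is a denial in hand for another port, narrow this to the specific `corenet_tcp_sendrecv_<service>_port` or drop it, and record the AVC that motivated it in a comment so the next rebase does not have to guess. These port sendrecv rules are typically inert on hosts without labeled networking, which is exactly why they tend to accrete unreviewed.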
@@ -73101,96 +84049,108 @@ index 32b4f76..b00362b 100644
+
miscfiles_read_public_files(webalizer_t)
- sysnet_dns_name_resolve(webalizer_t)
- sysnet_read_config(webalizer_t)
-
-userdom_use_user_terminals(webalizer_t)
++sysnet_dns_name_resolve(webalizer_t)
++sysnet_read_config(webalizer_t)
++
+userdom_use_inherited_user_terminals(webalizer_t)
userdom_use_unpriv_users_fds(webalizer_t)
userdom_dontaudit_search_user_home_content(webalizer_t)
--apache_read_log(webalizer_t)
--apache_manage_sys_content(webalizer_t)
-+optional_policy(`
-+ apache_read_log(webalizer_t)
+ optional_policy(`
+ apache_read_log(webalizer_t)
+ apache_manage_sys_content(webalizer_t)
+')
-
- optional_policy(`
- cron_system_entry(webalizer_t, webalizer_exec_t)
-diff --git a/wine.fc b/wine.fc
-index 9d24449..2666317 100644
---- a/wine.fc
-+++ b/wine.fc
-@@ -2,6 +2,7 @@ HOME_DIR/cxoffice/bin/wine.+ -- gen_context(system_u:object_r:wine_exec_t,s0)
-
- /opt/cxoffice/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
-
-+/opt/google/picasa(/.*)?/Picasa3/.*exe -- gen_context(system_u:object_r:wine_exec_t,s0)
- /opt/google/picasa(/.*)?/bin/msiexec -- gen_context(system_u:object_r:wine_exec_t,s0)
- /opt/google/picasa(/.*)?/bin/notepad -- gen_context(system_u:object_r:wine_exec_t,s0)
- /opt/google/picasa(/.*)?/bin/progman -- gen_context(system_u:object_r:wine_exec_t,s0)
-@@ -10,6 +11,7 @@ HOME_DIR/cxoffice/bin/wine.+ -- gen_context(system_u:object_r:wine_exec_t,s0)
- /opt/google/picasa(/.*)?/bin/uninstaller -- gen_context(system_u:object_r:wine_exec_t,s0)
- /opt/google/picasa(/.*)?/bin/wdi -- gen_context(system_u:object_r:wine_exec_t,s0)
- /opt/google/picasa(/.*)?/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
-+/opt/teamviewer(/.*)?/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
-
- /opt/picasa/wine/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
-
++
++optional_policy(`
++ apache_read_log(webalizer_t)
+ apache_content_template(webalizer)
+ manage_dirs_pattern(webalizer_t, httpd_webalizer_content_t, httpd_webalizer_content_t)
+ manage_files_pattern(webalizer_t, httpd_webalizer_content_t, httpd_webalizer_content_t)
diff --git a/wine.if b/wine.if
-index f9a73d0..4b83bb0 100644
+index fd2b6cc..4b83bb0 100644
--- a/wine.if
+++ b/wine.if
-@@ -10,10 +10,9 @@
- ## for wine applications.
- ## </p>
- ## </desc>
--## <param name="userdomain_prefix">
+@@ -1,46 +1,57 @@
+-## <summary>Run Windows programs in Linux.</summary>
++## <summary>Wine Is Not an Emulator. Run Windows programs in Linux.</summary>
+
+-########################################
++#######################################
+ ## <summary>
+-## Role access for wine.
++## The per role template for the wine module.
+ ## </summary>
+-## <param name="role">
++## <desc>
++## <p>
++## This template creates a derived domains which are used
++## for wine applications.
++## </p>
++## </desc>
+## <param name="user_role">
## <summary>
--## The prefix of the user domain (e.g., user
--## is the prefix for user_t).
+-## Role allowed access.
+## The role associated with the user domain.
## </summary>
## </param>
- ## <param name="user_domain">
-@@ -21,20 +20,19 @@
- ## The type of the user domain.
+-## <param name="domain">
++## <param name="user_domain">
+ ## <summary>
+-## User domain for the role.
++## The type of the user domain.
## </summary>
## </param>
--## <param name="user_role">
--## <summary>
--## The role associated with the user domain.
--## </summary>
--## </param>
#
- template(`wine_role',`
+-interface(`wine_role',`
++template(`wine_role',`
gen_require(`
+- attribute_role wine_roles;
+- type wine_exec_t, wine_t, wine_tmp_t;
+ type wine_t;
-+ type wine_home_t;
- type wine_exec_t;
+ type wine_home_t;
++ type wine_exec_t;
')
- role $1 types wine_t;
+- roleattribute $1 wine_roles;
+-
+- domtrans_pattern($2, wine_exec_t, wine_t)
++ role $1 types wine_t;
- domain_auto_trans($2, wine_exec_t, wine_t)
++ domain_auto_trans($2, wine_exec_t, wine_t)
+ # Unrestricted inheritance from the caller.
+ allow $2 wine_t:process { noatsecure siginh rlimitinh };
- allow wine_t $2:fd use;
- allow wine_t $2:process { sigchld signull };
++ allow wine_t $2:fd use;
++ allow wine_t $2:process { sigchld signull };
allow wine_t $2:unix_stream_socket connectto;
-@@ -44,8 +42,7 @@ template(`wine_role',`
- allow $2 wine_t:process signal_perms;
+- allow wine_t $2:process signull;
+
++ # Allow the user domain to signal/ps.
+ ps_process_pattern($2, wine_t)
+- allow $2 wine_t:process { ptrace signal_perms };
++ allow $2 wine_t:process signal_perms;
allow $2 wine_t:fd use;
- allow $2 wine_t:shm { associate getattr };
-- allow $2 wine_t:shm { unix_read unix_write };
+- allow $2 wine_t:shm rw_shm_perms;
+ allow $2 wine_t:shm { associate getattr unix_read unix_write };
allow $2 wine_t:unix_stream_socket connectto;
- # X access, Home files
-@@ -86,6 +83,7 @@ template(`wine_role',`
+- allow $2 { wine_tmp_t wine_home_t }:dir { manage_dir_perms relabel_dir_perms };
+- allow $2 { wine_tmp_t wine_home_t }:file { manage_file_perms relabel_file_perms };
+- allow $2 wine_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+- userdom_user_home_dir_filetrans($2, wine_home_t, dir, ".wine")
++ # X access, Home files
++ manage_dirs_pattern($2, wine_home_t, wine_home_t)
++ manage_files_pattern($2, wine_home_t, wine_home_t)
++ manage_lnk_files_pattern($2, wine_home_t, wine_home_t)
++ relabel_dirs_pattern($2, wine_home_t, wine_home_t)
++ relabel_files_pattern($2, wine_home_t, wine_home_t)
++ relabel_lnk_files_pattern($2, wine_home_t, wine_home_t)
+ ')
+
+ #######################################
+@@ -72,24 +83,23 @@ interface(`wine_role',`
#
template(`wine_role_template',`
gen_require(`
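Review bot: `allow $2 wine_t:process { noatsecure siginh rlimitinh };` together with `domain_auto_trans` deliberately switches off the secure-exec protections on the user-to-wine_t transition: `noatsecure` means the dynamic loader honours LD_PRELOAD/LD_LIBRARY_PATH from the caller's environment inside the new domain, and siginh/rlimitinh carry pending signals and rlimits across. That is defensible only because wine_t is no more privileged than the calling user domain, and the comment should say so, e.g. `# wine_t is no more privileged than the user domain, so skip AT_SECURE/signal/rlimit sanitising on the transition (wine needs the caller's environment).` Separately, the new side removes upstream's `userdom_user_home_dir_filetrans($2, wine_home_t, dir, ".wine")`, so a `~/.wine` created by $2 will get the default home type unless that transition now lives elsewhere; worth confirming.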
@@ -73198,14 +84158,23 @@ index f9a73d0..4b83bb0 100644
type wine_exec_t;
')
-@@ -96,12 +94,12 @@ template(`wine_role_template',`
+ type $1_wine_t;
+- userdom_user_application_domain($1_wine_t, wine_exec_t)
++ domain_type($1_wine_t)
++ domain_entry_file($1_wine_t, wine_exec_t)
++ ubac_constrained($1_wine_t)
role $2 types $1_wine_t;
allow $1_wine_t self:process { execmem execstack };
-- allow $3 $1_wine_t:process { getattr ptrace noatsecure signal_perms };
+-
+- allow $3 $1_wine_t:process { ptrace noatsecure signal_perms };
+- ps_process_pattern($3, $1_wine_t)
+-
+ allow $3 $1_wine_t:process { getattr noatsecure signal_perms };
domtrans_pattern($3, wine_exec_t, $1_wine_t)
- corecmd_bin_domtrans($1_wine_t, $1_t)
+-
+- corecmd_bin_domtrans($1_wine_t, $3)
++ corecmd_bin_domtrans($1_wine_t, $1_t)
userdom_unpriv_usertype($1, $1_wine_t)
- userdom_manage_user_tmpfs_files($1_wine_t)
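Review bot: `corecmd_bin_domtrans($1_wine_t, $1_t)` replaces upstream's `$3`, hard-coding the assumption that the user domain is named `<prefix>_t` even though the template already receives that domain as `$3`; the gen_require visible in this hunk lists only `wine_exec_t`, so if `$1_t` is not in scope at the call site this fails at policy build. Unless a known caller passes a `$3` that differs from `$1_t`, keep `corecmd_bin_domtrans($1_wine_t, $3)`. The template's signature and the rest of its gen_require are outside this hunk.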
@@ -73213,7 +84182,7 @@ index f9a73d0..4b83bb0 100644
domain_mmap_low($1_wine_t)
-@@ -109,6 +107,10 @@ template(`wine_role_template',`
+@@ -97,6 +107,10 @@ template(`wine_role_template',`
dontaudit $1_wine_t self:memprotect mmap_zero;
')
@@ -73224,11 +84193,37 @@ index f9a73d0..4b83bb0 100644
optional_policy(`
xserver_role($1_r, $1_wine_t)
')
+@@ -123,9 +137,8 @@ interface(`wine_domtrans',`
+
+ ########################################
+ ## <summary>
+-## Execute wine in the wine domain,
+-## and allow the specified role
+-## the wine domain.
++## Execute wine in the wine domain, and
++## allow the specified role the wine domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -140,11 +153,11 @@ interface(`wine_domtrans',`
+ #
+ interface(`wine_run',`
+ gen_require(`
+- attribute_role wine_roles;
++ type wine_t;
+ ')
+
+ wine_domtrans($1)
+- roleattribute $2 wine_roles;
++ role $2 types wine_t;
+ ')
+
+ ########################################
diff --git a/wine.te b/wine.te
-index 7a17516..56fbcc2 100644
+index b51923c..335c8c2 100644
--- a/wine.te
+++ b/wine.te
-@@ -38,7 +38,7 @@ domain_mmap_low(wine_t)
+@@ -48,7 +48,7 @@ domain_mmap_low(wine_t)
files_execmod_all_files(wine_t)
@@ -73237,7 +84232,7 @@ index 7a17516..56fbcc2 100644
tunable_policy(`wine_mmap_zero_ignore',`
dontaudit wine_t self:memprotect mmap_zero;
-@@ -53,6 +53,10 @@ optional_policy(`
+@@ -71,6 +71,10 @@ optional_policy(`
')
optional_policy(`
@@ -73249,62 +84244,32 @@ index 7a17516..56fbcc2 100644
')
diff --git a/wireshark.te b/wireshark.te
-index fc0adf8..cf479f3 100644
+index cf5cab6..f0f5dcb 100644
--- a/wireshark.te
+++ b/wireshark.te
-@@ -31,18 +31,19 @@ userdom_user_tmpfs_file(wireshark_tmpfs_t)
+@@ -34,7 +34,7 @@ userdom_user_tmpfs_file(wireshark_tmpfs_t)
# Local Policy
#
-allow wireshark_t self:capability { net_admin net_raw setgid };
+allow wireshark_t self:capability { net_admin net_raw };
allow wireshark_t self:process { signal getsched };
- allow wireshark_t self:fifo_file { getattr read write };
- allow wireshark_t self:shm destroy;
+ allow wireshark_t self:fifo_file rw_fifo_file_perms;
allow wireshark_t self:shm create_shm_perms;
- allow wireshark_t self:netlink_route_socket { nlmsg_read create_socket_perms };
--allow wireshark_t self:packet_socket { setopt bind ioctl getopt create read write };
-+allow wireshark_t self:packet_socket { setopt bind ioctl getopt create read };
- allow wireshark_t self:tcp_socket create_socket_perms;
- allow wireshark_t self:udp_socket create_socket_perms;
-
- # Re-execute itself (why?)
- can_exec(wireshark_t, wireshark_exec_t)
-+corecmd_search_bin(wireshark_t)
-
- # /home/.wireshark
- manage_dirs_pattern(wireshark_t, wireshark_home_t, wireshark_home_t)
-@@ -67,7 +68,6 @@ kernel_read_system_state(wireshark_t)
- kernel_read_sysctl(wireshark_t)
-
- corecmd_exec_bin(wireshark_t)
--corecmd_search_bin(wireshark_t)
+@@ -90,31 +90,17 @@ fs_search_auto_mountpoints(wireshark_t)
- corenet_tcp_connect_generic_port(wireshark_t)
- corenet_tcp_sendrecv_generic_if(wireshark_t)
-@@ -76,7 +76,6 @@ dev_read_rand(wireshark_t)
- dev_read_sysfs(wireshark_t)
- dev_read_urand(wireshark_t)
-
--files_read_etc_files(wireshark_t)
- files_read_usr_files(wireshark_t)
-
- fs_list_inotifyfs(wireshark_t)
-@@ -84,31 +83,17 @@ fs_search_auto_mountpoints(wireshark_t)
-
- libs_read_lib_files(wireshark_t)
+ auth_use_nsswitch(wireshark_t)
+-libs_read_lib_files(wireshark_t)
+auth_use_nsswitch(wireshark_t)
-+
+
miscfiles_read_fonts(wireshark_t)
-miscfiles_read_localization(wireshark_t)
- seutil_use_newrole_fds(wireshark_t)
-
- sysnet_read_config(wireshark_t)
+ userdom_use_user_terminals(wireshark_t)
userdom_manage_user_home_content_files(wireshark_t)
--userdom_use_user_ptys(wireshark_t)
+-userdom_user_home_dir_filetrans_user_home_content(wireshark_t, file)
-
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(wireshark_t)
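Review bot: The patch appears to add `auth_use_nsswitch(wireshark_t)` directly after an upstream context line with the identical call (the outer diff marker on the added line looks whitespace-collapsed here, so confirm it is an addition); one of the two is redundant and should go. Dropping `setgid` from `allow wireshark_t self:capability { net_admin net_raw }` is the right direction for a capture tool that otherwise has write access to user home content. The deletion of the `use_nfs_home_dirs` tunable block that starts at the end of this hunk continues in the next one.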
@@ -73317,121 +84282,199 @@ index fc0adf8..cf479f3 100644
- fs_manage_cifs_files(wireshark_t)
- fs_manage_cifs_symlinks(wireshark_t)
-')
--
++userdom_user_home_dir_filetrans_user_home_content(wireshark_t, file)
+
-optional_policy(`
-- nscd_socket_use(wireshark_t)
+- seutil_use_newrole_fds(wireshark_t)
-')
+userdom_home_manager(wireshark_t)
- # Manual transition from userhelper
optional_policy(`
+ userhelper_use_fd(wireshark_t)
+diff --git a/wm.fc b/wm.fc
+index 304ae09..c1d10a1 100644
+--- a/wm.fc
++++ b/wm.fc
+@@ -1,4 +1,4 @@
+ /usr/bin/gnome-shell -- gen_context(system_u:object_r:wm_exec_t,s0)
+ /usr/bin/openbox -- gen_context(system_u:object_r:wm_exec_t,s0)
+ /usr/bin/metacity -- gen_context(system_u:object_r:wm_exec_t,s0)
+-/usr/bin/twm -- gen_context(system_u:object_r:wm_exec_t,s0)
++/usr/bin/twm -- gen_context(system_u:object_r:wm_exec_t,s0)
diff --git a/wm.if b/wm.if
-index b3efef7..177cf16 100644
+index 25b702d..177cf16 100644
--- a/wm.if
+++ b/wm.if
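Review bot: `userdom_home_manager(wireshark_t)` stands in for the `use_nfs_home_dirs`/`use_cifs_home_dirs` tunable blocks removed here, which is only equivalent if that interface preserves the boolean gating through an attribute (presumably a home-manager attribute in userdomain.if, not visible in this diff); otherwise a domain holding `net_raw`/`net_admin` gains unconditional write to NFS/CIFS home directories. Confirm against userdomain.if, and since this is a boolean-to-attribute conversion a one-line comment such as `# nfs/cifs home access stays gated by use_*_home_dirs via userdom_home_manager` keeps the intent visible. The wm.fc part of this hunk is whitespace only.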
-@@ -31,17 +31,14 @@ template(`wm_role_template',`
+@@ -1,4 +1,4 @@
+-## <summary>X Window Managers.</summary>
++## <summary>X Window Managers</summary>
+
+ #######################################
+ ## <summary>
+@@ -29,58 +29,44 @@
+ #
+ template(`wm_role_template',`
gen_require(`
+- attribute wm_domain;
type wm_exec_t;
- class dbus send_msg;
++ class dbus send_msg;
+ attribute wm_domain;
')
-- type $1_wm_t;
-+ type $1_wm_t, wm_domain;
- domain_type($1_wm_t)
- domain_entry_file($1_wm_t, wm_exec_t)
+- ########################################
+- #
+- # Declarations
+- #
+-
+ type $1_wm_t, wm_domain;
+- userdom_user_application_domain($1_wm_t, wm_exec_t)
++ domain_type($1_wm_t)
++ domain_entry_file($1_wm_t, wm_exec_t)
role $2 types $1_wm_t;
-- allow $1_wm_t self:fifo_file rw_fifo_file_perms;
-- allow $1_wm_t self:process getsched;
-- allow $1_wm_t self:shm create_shm_perms;
+- ########################################
+- #
+- # Policy
+- #
-
allow $1_wm_t $3:unix_stream_socket connectto;
allow $3 $1_wm_t:unix_stream_socket connectto;
- allow $3 $1_wm_t:process { signal sigchld signull };
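Review bot: Replacing `userdom_user_application_domain($1_wm_t, wm_exec_t)` with `domain_type($1_wm_t)` plus `domain_entry_file($1_wm_t, wm_exec_t)` presumably drops the UBAC constraint (and the application-domain attribute) that the upstream helper applies; the same patch's wine_role_template performs the equivalent expansion but also adds `ubac_constrained($1_wine_t)`. Unless the window manager is intentionally exempt from user-based access control, add `ubac_constrained($1_wm_t)` after the `domain_entry_file(...)` line so the two templates agree. The template continues past the end of this hunk.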
-@@ -50,19 +47,19 @@ template(`wm_role_template',`
- allow $1_wm_t $3:dbus send_msg;
- allow $3 $1_wm_t:dbus send_msg;
++ allow $3 $1_wm_t:process { signal sigchld signull };
++ allow $1_wm_t $3:process { signull sigkill };
+
+- allow $3 $1_wm_t:process { ptrace signal_perms };
+- ps_process_pattern($3, $1_wm_t)
++ allow $1_wm_t $3:dbus send_msg;
++ allow $3 $1_wm_t:dbus send_msg;
-- domtrans_pattern($3, wm_exec_t, $1_wm_t)
+- allow $1_wm_t $3:process { signull sigkill };
+ userdom_manage_home_role($2, $1_wm_t)
+ userdom_manage_tmpfs_role($2, $1_wm_t)
+ userdom_manage_tmp_role($2, $1_wm_t)
+ userdom_exec_user_tmp_files($1_wm_t)
-- kernel_read_system_state($1_wm_t)
-+ domtrans_pattern($3, wm_exec_t, $1_wm_t)
+ domtrans_pattern($3, wm_exec_t, $1_wm_t)
corecmd_bin_domtrans($1_wm_t, $3)
corecmd_shell_domtrans($1_wm_t, $3)
-- dev_read_urand($1_wm_t)
--
-- files_read_etc_files($1_wm_t)
-- files_read_usr_files($1_wm_t)
+ auth_use_nsswitch($1_wm_t)
-
-- fs_getattr_tmpfs($1_wm_t)
++
+ kernel_read_system_state($1_wm_t)
-
++
mls_file_read_all_levels($1_wm_t)
mls_file_write_all_levels($1_wm_t)
-@@ -70,22 +67,6 @@ template(`wm_role_template',`
+ mls_xwin_read_all_levels($1_wm_t)
mls_xwin_write_all_levels($1_wm_t)
mls_fd_use_all_levels($1_wm_t)
- auth_use_nsswitch($1_wm_t)
-
-- application_signull($1_wm_t)
--
-- miscfiles_read_fonts($1_wm_t)
-- miscfiles_read_localization($1_wm_t)
--
- optional_policy(`
+- dbus_spec_session_bus_client($1, $1_wm_t)
- dbus_system_bus_client($1_wm_t)
-- dbus_session_bus_client($1_wm_t)
+-
+- optional_policy(`
+- wm_dbus_chat($1, $3)
+- ')
- ')
-
- optional_policy(`
-- pulseaudio_stream_connect($1_wm_t)
+- pulseaudio_run($1_wm_t, $2)
- ')
-
optional_policy(`
xserver_role($2, $1_wm_t)
xserver_manage_core_devices($1_wm_t)
+@@ -89,7 +75,7 @@ template(`wm_role_template',`
+
+ ########################################
+ ## <summary>
+-## Execute wm in the caller domain.
++## Execute the wm program in the wm domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -102,33 +88,5 @@ interface(`wm_exec',`
+ type wm_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+ can_exec($1, wm_exec_t)
+ ')
+-
+-########################################
+-## <summary>
+-## Send and receive messages from
+-## specified wm over dbus.
+-## </summary>
+-## <param name="role_prefix">
+-## <summary>
+-## The prefix of the user domain (e.g., user
+-## is the prefix for user_t).
+-## </summary>
+-## </param>
+-## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+-## </param>
+-#
+-interface(`wm_dbus_chat',`
+- gen_require(`
+- type $1_wm_t;
+- class dbus send_msg;
+- ')
+-
+- allow $2 $1_wm_t:dbus send_msg;
+- allow $1_wm_t $2:dbus send_msg;
+-')
diff --git a/wm.te b/wm.te
-index 19d447e..996a3d4 100644
+index 7c7f7fa..996a3d4 100644
--- a/wm.te
+++ b/wm.te
-@@ -1,5 +1,7 @@
- policy_module(wm, 1.2.0)
-
-+attribute wm_domain;
+@@ -1,36 +1,42 @@
+-policy_module(wm, 1.2.5)
++policy_module(wm, 1.2.0)
+
++attribute wm_domain;
+
########################################
#
# Declarations
-@@ -7,3 +9,34 @@ policy_module(wm, 1.2.0)
+ #
+-attribute wm_domain;
+-
type wm_exec_t;
- corecmd_executable_file(wm_exec_t)
-+
-+allow wm_domain self:fifo_file rw_fifo_file_perms;
-+allow wm_domain self:process getsched;
-+allow wm_domain self:shm create_shm_perms;
-+allow wm_domain self:unix_dgram_socket create_socket_perms;
-+
-+dev_read_urand(wm_domain)
-+
+-
+-########################################
+-#
+-# Common wm domain local policy
+-#
++corecmd_executable_file(wm_exec_t)
+
+ allow wm_domain self:fifo_file rw_fifo_file_perms;
+ allow wm_domain self:process getsched;
+ allow wm_domain self:shm create_shm_perms;
+ allow wm_domain self:unix_dgram_socket create_socket_perms;
+
+-kernel_read_system_state(wm_domain)
+-
+ dev_read_urand(wm_domain)
+
+files_read_etc_files(wm_domain)
-+files_read_usr_files(wm_domain)
-+
+ files_read_usr_files(wm_domain)
+
+fs_getattr_tmpfs(wm_domain)
+
+application_signull(wm_domain)
+
-+miscfiles_read_fonts(wm_domain)
-+
+ miscfiles_read_fonts(wm_domain)
+-miscfiles_read_localization(wm_domain)
+
+-userdom_manage_user_tmp_sockets(wm_domain)
+-userdom_tmp_filetrans_user_tmp(wm_domain, sock_file)
+optional_policy(`
+ dbus_system_bus_client(wm_domain)
+ dbus_session_bus_client(wm_domain)
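Review bot: The new side rewrites `policy_module(wm, 1.2.5)` as `policy_module(wm, 1.2.0)`, a version downgrade of the module; upgrade paths that compare module versions (`semodule -u` on older libsemanage) can refuse a lower number, leaving hosts that already received 1.2.5 on the old wm policy. Bump the version above upstream's (for example `policy_module(wm, 1.2.6)`) rather than regressing it. The same hunk also removes upstream's `userdom_manage_user_tmp_sockets(wm_domain)` and `userdom_tmp_filetrans_user_tmp(wm_domain, sock_file)` without a visible replacement, so window managers that create sockets in user tmp may now be denied; worth a comment or a matching rule if that is not intended.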
@@ -73445,110 +84488,195 @@ index 19d447e..996a3d4 100644
+ xserver_manage_core_devices(wm_domain)
+')
+
-+
+
+-userdom_manage_user_home_content_dirs(wm_domain)
+-userdom_manage_user_home_content_files(wm_domain)
+-userdom_user_home_dir_filetrans_user_home_content(wm_domain, { dir file })
diff --git a/xen.fc b/xen.fc
-index 1a1b374..574794d 100644
+index 42d83b0..7977c2c 100644
--- a/xen.fc
+++ b/xen.fc
-@@ -1,12 +1,10 @@
+@@ -1,38 +1,40 @@
/dev/xen/tapctrl.* -p gen_context(system_u:object_r:xenctl_t,s0)
--/usr/bin/virsh -- gen_context(system_u:object_r:xm_exec_t,s0)
+-/usr/lib/xen-[^/]*/bin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0)
+-/usr/lib/xen-[^/]*/bin/xend -- gen_context(system_u:object_r:xend_exec_t,s0)
+-/usr/lib/xen-[^/]*/bin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0)
+-/usr/lib/xen-[^/]*/bin/xl -- gen_context(system_u:object_r:xm_exec_t,s0)
+-/usr/lib/xen-[^/]*/bin/xm -- gen_context(system_u:object_r:xm_exec_t,s0)
-
/usr/sbin/blktapctrl -- gen_context(system_u:object_r:blktap_exec_t,s0)
/usr/sbin/evtchnd -- gen_context(system_u:object_r:evtchnd_exec_t,s0)
/usr/sbin/tapdisk -- gen_context(system_u:object_r:blktap_exec_t,s0)
-
--/usr/lib/xen/bin/qemu-dm -- gen_context(system_u:object_r:qemu_dm_exec_t,s0)
++
+#/usr/lib/xen/bin/qemu-dm -- gen_context(system_u:object_r:qemu_dm_exec_t,s0)
-
- ifdef(`distro_debian',`
- /usr/lib/xen-[^/]*/bin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0)
-@@ -17,6 +15,7 @@ ifdef(`distro_debian',`
++
++ifdef(`distro_debian',`
++/usr/lib/xen-[^/]*/bin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0)
++/usr/lib/xen-[^/]*/bin/xend -- gen_context(system_u:object_r:xend_exec_t,s0)
++/usr/lib/xen-[^/]*/bin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0)
++/usr/lib/xen-[^/]*/bin/xm -- gen_context(system_u:object_r:xm_exec_t,s0)
++',`
/usr/sbin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0)
- /usr/sbin/xend -- gen_context(system_u:object_r:xend_exec_t,s0)
+-/usr/sbin/xend -- gen_context(system_u:object_r:xend_exec_t,s0)
++/usr/sbin/xend -- gen_context(system_u:object_r:xend_exec_t,s0)
/usr/sbin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0)
-+/usr/sbin/xl -- gen_context(system_u:object_r:xm_exec_t,s0)
- /usr/sbin/xm -- gen_context(system_u:object_r:xm_exec_t,s0)
- ')
+-/usr/sbin/xl -- gen_context(system_u:object_r:xm_exec_t,s0)
+-/usr/sbin/xm -- gen_context(system_u:object_r:xm_exec_t,s0)
++')
-@@ -25,11 +24,11 @@ ifdef(`distro_debian',`
- /var/lib/xend(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0)
+-/var/lib/xen(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0)
++/var/lib/xen(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0)
+ /var/lib/xen/images(/.*)? gen_context(system_u:object_r:xen_image_t,s0)
+-/var/lib/xend(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0)
++/var/lib/xend(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0)
/var/lib/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_lib_t,s0)
--/var/log/evtchnd\.log -- gen_context(system_u:object_r:evtchnd_var_log_t,s0)
-+/var/log/evtchnd\.log.* -- gen_context(system_u:object_r:evtchnd_var_log_t,s0)
- /var/log/xen(/.*)? gen_context(system_u:object_r:xend_var_log_t,s0)
--/var/log/xen-hotplug\.log -- gen_context(system_u:object_r:xend_var_log_t,s0)
--/var/log/xend\.log -- gen_context(system_u:object_r:xend_var_log_t,s0)
--/var/log/xend-debug\.log -- gen_context(system_u:object_r:xend_var_log_t,s0)
-+/var/log/xen-hotplug\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0)
-+/var/log/xend\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0)
-+/var/log/xend-debug\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0)
+ /var/log/evtchnd\.log.* -- gen_context(system_u:object_r:evtchnd_var_log_t,s0)
+-/var/log/xen(/.*)? gen_context(system_u:object_r:xend_var_log_t,s0)
++/var/log/xen(/.*)? gen_context(system_u:object_r:xend_var_log_t,s0)
+ /var/log/xen-hotplug\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0)
+ /var/log/xend\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0)
+ /var/log/xend-debug\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0)
/var/run/evtchnd -s gen_context(system_u:object_r:evtchnd_var_run_t,s0)
/var/run/evtchnd\.pid -- gen_context(system_u:object_r:evtchnd_var_run_t,s0)
+-/var/run/xenconsoled\.pid -- gen_context(system_u:object_r:xenconsoled_var_run_t,s0)
+-/var/run/xend(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0)
++/var/run/xenconsoled\.pid -- gen_context(system_u:object_r:xenconsoled_var_run_t,s0)
++/var/run/xend(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0)
+ /var/run/xend\.pid -- gen_context(system_u:object_r:xend_var_run_t,s0)
+-/var/run/xenner(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0)
++/var/run/xenner(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0)
+ /var/run/xenstore\.pid -- gen_context(system_u:object_r:xenstored_var_run_t,s0)
+ /var/run/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_run_t,s0)
+
+-/xen(/.*)? gen_context(system_u:object_r:xen_image_t,s0)
++/xen(/.*)? gen_context(system_u:object_r:xen_image_t,s0)
diff --git a/xen.if b/xen.if
-index 77d41b6..cc73c96 100644
+index f93558c..cc73c96 100644
--- a/xen.if
+++ b/xen.if
-@@ -20,6 +20,25 @@ interface(`xen_domtrans',`
+@@ -1,13 +1,13 @@
+-## <summary>Xen hypervisor.</summary>
++## <summary>Xen hypervisor</summary>
########################################
## <summary>
-+## Allow the specified domain to execute xend
-+## in the caller domain.
-+## </summary>
-+## <param name="domain">
+ ## Execute a domain transition to run xend.
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
+## <summary>
-+## Domain allowed access.
+ ## Domain allowed to transition.
+-## </summary>
+## </summary>
-+## </param>
-+#
-+interface(`xen_exec',`
-+ gen_require(`
-+ type xend_exec_t;
-+ ')
-+
-+ can_exec($1, xend_exec_t)
-+')
-+
-+########################################
-+## <summary>
- ## Inherit and use xen file descriptors.
+ ## </param>
+ #
+ interface(`xen_domtrans',`
+@@ -15,18 +15,18 @@ interface(`xen_domtrans',`
+ type xend_t, xend_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+ domtrans_pattern($1, xend_exec_t, xend_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Execute xend in the caller domain.
++## Allow the specified domain to execute xend
++## in the caller domain.
## </summary>
## <param name="domain">
-@@ -55,6 +74,26 @@ interface(`xen_dontaudit_use_fds',`
+-## <summary>
++## <summary>
+ ## Domain allowed access.
+-## </summary>
++## </summary>
+ ## </param>
+ #
+ interface(`xen_exec',`
+@@ -34,7 +34,6 @@ interface(`xen_exec',`
+ type xend_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+ can_exec($1, xend_exec_t)
+ ')
+
+@@ -75,24 +74,24 @@ interface(`xen_dontaudit_use_fds',`
dontaudit $1 xend_t:fd use;
')
+-########################################
+#######################################
-+## <summary>
+ ## <summary>
+-## Create, read, write, and delete
+-## xend image directories.
+## Read xend pid files.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+## <summary>
+## Domain allowed access.
+## </summary>
-+## </param>
-+#
+ ## </param>
+ #
+-interface(`xen_manage_image_dirs',`
+- gen_require(`
+- type xend_var_lib_t;
+- ')
+interface(`xen_read_pid_files_xenstored',`
+ gen_require(`
+ type xenstored_var_run_t;
+ ')
-+
+
+- files_search_var_lib($1)
+- manage_dirs_pattern($1, xend_var_lib_t, xend_var_lib_t)
+ files_search_pids($1)
+
+ read_files_pattern($1, xenstored_var_run_t, xenstored_var_run_t)
-+')
-+
+ ')
+
########################################
- ## <summary>
+@@ -100,9 +99,9 @@ interface(`xen_manage_image_dirs',`
## Read xend image files.
-@@ -87,6 +126,26 @@ interface(`xen_read_image_files',`
- ## </summary>
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
++## <summary>
+ ## Domain allowed access.
+-## </summary>
++## </summary>
## </param>
#
+ interface(`xen_read_image_files',`
+@@ -111,18 +110,40 @@ interface(`xen_read_image_files',`
+ ')
+
+ files_list_var_lib($1)
++
+ list_dirs_pattern($1, xend_var_lib_t, xend_var_lib_t)
+ read_files_pattern($1, { xend_var_lib_t xen_image_t }, xen_image_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Read and write xend image files.
++## Allow the specified domain to read/write
++## xend image files.
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
++## <summary>
+ ## Domain allowed access.
+-## </summary>
++## </summary>
++## </param>
++#
+interface(`xen_manage_image_dirs',`
+ gen_require(`
+ type xend_var_lib_t;
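Review bot: On the non-Debian branch this hunk removes the `xm_exec_t` labels for `/usr/sbin/xm` and `/usr/sbin/xl` (and drops `/usr/lib/xen-[^/]*/bin/xl` outright), so those toolstack binaries fall back to `bin_t` and run in the caller's domain instead of transitioning to xm_t; the previous version of this patch was the one that added the `/usr/sbin/xl` entry, so this reads as a regression rather than a deliberate retirement of xm_t. Unless xm_t is being removed, restore `/usr/sbin/xl -- gen_context(system_u:object_r:xm_exec_t,s0)` and `/usr/sbin/xm -- gen_context(system_u:object_r:xm_exec_t,s0)` in the `',`` branch of the ifdef. The hunk also replaces upstream's `xen_read_xenstored_pid_files` with a new `xen_read_pid_files_xenstored` of identical body, which breaks any existing caller of the upstream name; keep the upstream name or provide both.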
@@ -73567,48 +84695,109 @@ index 77d41b6..cc73c96 100644
+## <summary>
+## Domain allowed to transition.
+## </summary>
-+## </param>
-+#
+ ## </param>
+ #
interface(`xen_rw_image_files',`
- gen_require(`
- type xen_image_t, xend_var_lib_t;
-@@ -161,7 +220,7 @@ interface(`xen_dontaudit_rw_unix_stream_sockets',`
+@@ -137,7 +158,8 @@ interface(`xen_rw_image_files',`
+
+ ########################################
+ ## <summary>
+-## Append xend log files.
++## Allow the specified domain to append
++## xend log files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -157,13 +179,13 @@ interface(`xen_append_log',`
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete
++## Create, read, write, and delete the
+ ## xend log files.
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
++## <summary>
+ ## Domain allowed access.
+-## </summary>
++## </summary>
+ ## </param>
+ #
+ interface(`xen_manage_log',`
+@@ -176,29 +198,11 @@ interface(`xen_manage_log',`
+ manage_files_pattern($1, xend_var_log_t, xend_var_log_t)
+ ')
+
+-#######################################
+-## <summary>
+-## Read xenstored pid files.
+-## </summary>
+-## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+-## </param>
+-#
+-interface(`xen_read_xenstored_pid_files',`
+- gen_require(`
+- type xenstored_var_run_t;
+- ')
+-
+- files_search_pids($1)
+- read_files_pattern($1, xenstored_var_run_t, xenstored_var_run_t)
+-')
+-
+ ########################################
+ ## <summary>
+ ## Do not audit attempts to read and write
+-## Xen unix domain stream sockets.
++## Xen unix domain stream sockets. These
++## are leaked file descriptors.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -216,8 +220,7 @@ interface(`xen_dontaudit_rw_unix_stream_sockets',`
########################################
## <summary>
--## Connect to xenstored over an unix stream socket.
+-## Connect to xenstored with a unix
+-## domain stream socket.
+## Connect to xenstored over a unix stream socket.
## </summary>
## <param name="domain">
## <summary>
-@@ -180,7 +239,7 @@ interface(`xen_stream_connect_xenstore',`
+@@ -236,8 +239,7 @@ interface(`xen_stream_connect_xenstore',`
########################################
## <summary>
--## Connect to xend over an unix domain stream socket.
+-## Connect to xend with a unix
+-## domain stream socket.
+## Connect to xend over a unix domain stream socket.
## </summary>
## <param name="domain">
## <summary>
-@@ -213,14 +272,15 @@ interface(`xen_stream_connect',`
+@@ -270,16 +272,15 @@ interface(`xen_stream_connect',`
interface(`xen_domtrans_xm',`
gen_require(`
type xm_t, xm_exec_t;
+ attribute virsh_transition_domain;
')
-
+- corecmd_search_bin($1)
+ typeattribute $1 virsh_transition_domain;
domtrans_pattern($1, xm_exec_t, xm_t)
')
########################################
## <summary>
--## Connect to xm over an unix stream socket.
+-## Connect to xm with a unix
+-## domain stream socket.
+## Connect to xm over a unix stream socket.
## </summary>
## <param name="domain">
## <summary>
-@@ -230,7 +290,7 @@ interface(`xen_domtrans_xm',`
+@@ -289,7 +290,7 @@ interface(`xen_domtrans_xm',`
#
interface(`xen_stream_connect_xm',`
gen_require(`
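Review bot: `xen_domtrans_xm` now carries `attribute virsh_transition_domain;` in its `gen_require` and a `typeattribute $1 virsh_transition_domain;` in its body, so every domain that calls this interface gains a hard dependency on whichever module declares that attribute (presumably virt, since nothing in this hunk declares it) and the policy will fail to link where that module is absent. A one-line comment on the `typeattribute` line naming the declaring module and why an xm caller must join that attribute would make the cross-module coupling visible to the next editor. The same interface also drops upstream's `corecmd_search_bin($1)`, so a caller that does not already hold search on bin directories may no longer reach `xm_exec_t` for the `domtrans_pattern`; if that is deliberate, say so in the interface's `<summary>`. The `xen_stream_connect_xm` interface that follows begins in this hunk and continues outside it.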
@@ -73618,39 +84807,164 @@ index 77d41b6..cc73c96 100644
files_search_pids($1)
diff --git a/xen.te b/xen.te
-index 07033bb..8358a63 100644
+index ed40676..8358a63 100644
--- a/xen.te
+++ b/xen.te
-@@ -4,6 +4,7 @@ policy_module(xen, 1.12.0)
+@@ -1,42 +1,34 @@
+-policy_module(xen, 1.12.5)
++policy_module(xen, 1.12.0)
+
+ ########################################
#
# Declarations
#
+attribute xm_transition_domain;
## <desc>
- ## <p>
-@@ -65,6 +66,7 @@ type xen_image_t; # customizable
+-## <p>
+-## Determine whether xend can
+-## run blktapctrl and tapdisk.
++## <p>
++## Allow xend to run blktapctrl/tapdisk.
++## Not required if using dedicated logical volumes for disk images.
+ ## </p>
+ ## </desc>
+-gen_tunable(xend_run_blktap, false)
++gen_tunable(xend_run_blktap, true)
+
+ ## <desc>
+-## <p>
+-## Determine whether xen can
+-## use fusefs file systems.
+-## </p>
++## <p>
++## Allow xend to run qemu-dm.
++## Not required if using paravirt and no vfb.
++## </p>
+ ## </desc>
+-gen_tunable(xen_use_fusefs, false)
++gen_tunable(xend_run_qemu, true)
+
+ ## <desc>
+-## <p>
+-## Determine whether xen can
+-## use nfs file systems.
+-## </p>
++## <p>
++## Allow xen to manage nfs files
++## </p>
+ ## </desc>
+ gen_tunable(xen_use_nfs, false)
+
+-## <desc>
+-## <p>
+-## Determine whether xen can
+-## use samba file systems.
+-## </p>
+-## </desc>
+-gen_tunable(xen_use_samba, false)
+-
+ type blktap_t;
+ type blktap_exec_t;
+ domain_type(blktap_t)
+@@ -50,41 +42,55 @@ type evtchnd_t;
+ type evtchnd_exec_t;
+ init_daemon_domain(evtchnd_t, evtchnd_exec_t)
+
++# log files
+ type evtchnd_var_log_t;
+ logging_log_file(evtchnd_var_log_t)
+
++# pid files
+ type evtchnd_var_run_t;
+ files_pid_file(evtchnd_var_run_t)
+
++type qemu_dm_t;
++type qemu_dm_exec_t;
++domain_type(qemu_dm_t)
++domain_entry_file(qemu_dm_t, qemu_dm_exec_t)
++role system_r types qemu_dm_t;
++
++# console ptys
+ type xen_devpts_t;
+ term_pty(xen_devpts_t)
+ files_type(xen_devpts_t)
+
++# Xen Image files
+ type xen_image_t; # customizable
files_type(xen_image_t)
- # xen_image_t can be assigned to blk devices
++# xen_image_t can be assigned to blk devices
dev_node(xen_image_t)
+-
+-optional_policy(`
+- virt_image(xen_image_t)
+-')
+virt_image(xen_image_t)
type xenctl_t;
files_type(xenctl_t)
-@@ -121,11 +123,6 @@ init_daemon_domain(xenconsoled_t, xenconsoled_exec_t)
+
+ type xend_t;
+ type xend_exec_t;
++domain_type(xend_t)
+ init_daemon_domain(xend_t, xend_exec_t)
+
++# tmp files
+ type xend_tmp_t;
+ files_tmp_file(xend_tmp_t)
+
++# var/lib files
+ type xend_var_lib_t;
+ files_type(xend_var_lib_t)
++# for mounting an NFS store
+ files_mountpoint(xend_var_lib_t)
+
++# log files
+ type xend_var_log_t;
+ logging_log_file(xend_var_log_t)
+
++# pid files
+ type xend_var_run_t;
+ files_pid_file(xend_var_run_t)
+ files_mountpoint(xend_var_run_t)
+@@ -96,51 +102,51 @@ init_daemon_domain(xenstored_t, xenstored_exec_t)
+ type xenstored_tmp_t;
+ files_tmp_file(xenstored_tmp_t)
+
++# var/lib files
+ type xenstored_var_lib_t;
+ files_type(xenstored_var_lib_t)
+ files_mountpoint(xenstored_var_lib_t)
+
++# log files
+ type xenstored_var_log_t;
+ logging_log_file(xenstored_var_log_t)
+
++# pid files
+ type xenstored_var_run_t;
+ files_pid_file(xenstored_var_run_t)
+-init_daemon_run_dir(xenstored_var_run_t, "xenstored")
+
+ type xenconsoled_t;
+ type xenconsoled_exec_t;
+ init_daemon_domain(xenconsoled_t, xenconsoled_exec_t)
+
++# pid files
type xenconsoled_var_run_t;
files_pid_file(xenconsoled_var_run_t)
-type xm_t;
-type xm_exec_t;
--domain_type(xm_t)
-init_system_domain(xm_t, xm_exec_t)
-
########################################
#
# blktap local policy
-@@ -135,22 +132,21 @@ tunable_policy(`xend_run_blktap',`
- # If yes, transition to its own domain.
+ #
+-
++# Do we need to allow execution of blktap?
+ tunable_policy(`xend_run_blktap',`
++ # If yes, transition to its own domain.
domtrans_pattern(xend_t, blktap_exec_t, blktap_t)
- allow blktap_t self:fifo_file { read write };
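Review bot: `virt_image(xen_image_t)` is now called bare, replacing the removed `optional_policy(` wrapper around it, which makes xen.te fail to build or load whenever the virt module is not present; unless virt is guaranteed to ship alongside xen here, keeping the `optional_policy(\`` wrapper is the safer form. The added `domain_type(xend_t)` directly above `init_daemon_domain(xend_t, xend_exec_t)` looks redundant, since in reference policy `init_daemon_domain` already applies `domain_type` to its first argument — worth confirming and dropping. The flipped defaults `gen_tunable(xend_run_blktap, true)` and `gen_tunable(xend_run_qemu, true)` widen what xend may execute out of the box; each reworded `<desc>` should also state what turning the boolean off blocks (for qemu, presumably HVM/VFB guests given the "paravirt and no vfb" wording) so an administrator can judge the trade-off. The `tunable_policy(\`xend_run_blktap',\`` block opened at the end of this hunk closes outside it.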
@@ -73675,58 +84989,150 @@ index 07033bb..8358a63 100644
- xen_stream_connect_xenstore(blktap_t)
-',`
-- # If no, then silently refuse to run it.
- dontaudit xend_t blktap_exec_t:file { execute execute_no_trans };
-')
+xen_stream_connect_xenstore(blktap_t)
#######################################
#
-@@ -170,6 +166,10 @@ files_pid_filetrans(evtchnd_t, evtchnd_var_run_t, { file sock_file dir })
+@@ -148,9 +154,7 @@ tunable_policy(`xend_run_blktap',`
#
- # qemu-dm local policy
+
+ manage_dirs_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t)
+-append_files_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t)
+-create_files_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t)
+-setattr_files_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t)
++manage_files_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t)
+ logging_log_filetrans(evtchnd_t, evtchnd_var_log_t, { file dir })
+
+ manage_dirs_pattern(evtchnd_t, evtchnd_var_run_t, evtchnd_var_run_t)
+@@ -160,28 +164,70 @@ files_pid_filetrans(evtchnd_t, evtchnd_var_run_t, { file sock_file dir })
+
+ ########################################
#
++# qemu-dm local policy
++#
+
+# TODO: This part of policy should be removed
+# qemu-dm should run in xend_t domain
+
- # Do we need to allow execution of qemu-dm?
- tunable_policy(`xend_run_qemu',`
- allow qemu_dm_t self:capability sys_resource;
-@@ -195,7 +195,6 @@ tunable_policy(`xend_run_qemu',`
- fs_manage_xenfs_dirs(qemu_dm_t)
- fs_manage_xenfs_files(qemu_dm_t)
-
-- miscfiles_read_localization(qemu_dm_t)
-
- xen_stream_connect_xenstore(qemu_dm_t)
- ',`
-@@ -208,10 +207,13 @@ tunable_policy(`xend_run_qemu',`
++# Do we need to allow execution of qemu-dm?
++tunable_policy(`xend_run_qemu',`
++ allow qemu_dm_t self:capability sys_resource;
++ allow qemu_dm_t self:process setrlimit;
++ allow qemu_dm_t self:fifo_file { read write };
++ allow qemu_dm_t self:tcp_socket create_stream_socket_perms;
++
++ # If yes, transition to its own domain.
++ domtrans_pattern(xend_t, qemu_dm_exec_t, qemu_dm_t)
++
++ append_files_pattern(qemu_dm_t, xend_var_log_t, xend_var_log_t)
++
++ rw_fifo_files_pattern(qemu_dm_t, xend_var_run_t, xend_var_run_t)
++
++ corenet_tcp_bind_generic_node(qemu_dm_t)
++ corenet_tcp_bind_vnc_port(qemu_dm_t)
++
++ dev_rw_xen(qemu_dm_t)
++
++ files_read_etc_files(qemu_dm_t)
++ files_read_usr_files(qemu_dm_t)
++
++ fs_manage_xenfs_dirs(qemu_dm_t)
++ fs_manage_xenfs_files(qemu_dm_t)
++
++
++ xen_stream_connect_xenstore(qemu_dm_t)
++',`
++ # If no, then silently refuse to run it.
++ dontaudit xend_t qemu_dm_exec_t:file { execute execute_no_trans };
++')
++
++########################################
++#
# xend local policy
#
--allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_nice sys_tty_config net_raw };
+-allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_admin sys_nice sys_tty_config net_raw sys_resource sys_rawio };
-dontaudit xend_t self:capability { sys_ptrace };
-+allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_admin sys_nice sys_tty_config net_raw sys_rawio };
- allow xend_t self:process { signal sigkill };
+-allow xend_t self:process { setrlimit signal sigkill };
-dontaudit xend_t self:process ptrace;
++allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_admin sys_nice sys_tty_config net_raw sys_rawio };
++allow xend_t self:process { signal sigkill };
+
+# needed by qemu_dm
+allow xend_t self:capability sys_resource;
+allow xend_t self:process setrlimit;
+
- # internal communication is often done using fifo and unix sockets.
++# internal communication is often done using fifo and unix sockets.
allow xend_t self:fifo_file rw_fifo_file_perms;
- allow xend_t self:unix_stream_socket create_stream_socket_perms;
-@@ -219,6 +221,7 @@ allow xend_t self:unix_dgram_socket create_socket_perms;
- allow xend_t self:netlink_route_socket r_netlink_socket_perms;
- allow xend_t self:tcp_socket create_stream_socket_perms;
+-allow xend_t self:unix_stream_socket { accept listen };
+-allow xend_t self:tcp_socket { accept listen };
++allow xend_t self:unix_stream_socket create_stream_socket_perms;
++allow xend_t self:unix_dgram_socket create_socket_perms;
++allow xend_t self:netlink_route_socket r_netlink_socket_perms;
++allow xend_t self:tcp_socket create_stream_socket_perms;
allow xend_t self:packet_socket create_socket_perms;
-+allow xend_t self:tun_socket create_socket_perms;
+ allow xend_t self:tun_socket create_socket_perms;
allow xend_t xen_image_t:dir list_dir_perms;
manage_dirs_pattern(xend_t, xen_image_t, xen_image_t)
-@@ -275,7 +278,6 @@ kernel_read_network_state(xend_t)
+-manage_fifo_files_pattern(xend_t, xen_image_t, xen_image_t)
+ manage_files_pattern(xend_t, xen_image_t, xen_image_t)
+ read_lnk_files_pattern(xend_t, xen_image_t, xen_image_t)
+-read_sock_files_pattern(xend_t, xen_image_t, xen_image_t)
+-rw_chr_files_pattern(xend_t, xen_image_t, xen_image_t)
+ rw_blk_files_pattern(xend_t, xen_image_t, xen_image_t)
+-fs_hugetlbfs_filetrans(xend_t, xen_image_t, file)
+
+ allow xend_t xenctl_t:fifo_file manage_fifo_file_perms;
+ dev_filetrans(xend_t, xenctl_t, fifo_file)
+@@ -190,33 +236,37 @@ manage_files_pattern(xend_t, xend_tmp_t, xend_tmp_t)
+ manage_dirs_pattern(xend_t, xend_tmp_t, xend_tmp_t)
+ files_tmp_filetrans(xend_t, xend_tmp_t, { file dir })
+
++# pid file
+ manage_dirs_pattern(xend_t, xend_var_run_t, xend_var_run_t)
+ manage_files_pattern(xend_t, xend_var_run_t, xend_var_run_t)
+ manage_sock_files_pattern(xend_t, xend_var_run_t, xend_var_run_t)
+ manage_fifo_files_pattern(xend_t, xend_var_run_t, xend_var_run_t)
+ files_pid_filetrans(xend_t, xend_var_run_t, { file sock_file fifo_file dir })
+
++# log files
+ manage_dirs_pattern(xend_t, xend_var_log_t, xend_var_log_t)
+-append_files_pattern(xend_t, xend_var_log_t, xend_var_log_t)
+-create_files_pattern(xend_t, xend_var_log_t, xend_var_log_t)
+-setattr_files_pattern(xend_t, xend_var_log_t, xend_var_log_t)
++manage_files_pattern(xend_t, xend_var_log_t, xend_var_log_t)
+ manage_sock_files_pattern(xend_t, xend_var_log_t, xend_var_log_t)
+ logging_log_filetrans(xend_t, xend_var_log_t, { sock_file file dir })
+
++# var/lib files for xend
+ manage_dirs_pattern(xend_t, xend_var_lib_t, xend_var_lib_t)
+ manage_files_pattern(xend_t, xend_var_lib_t, xend_var_lib_t)
+ manage_sock_files_pattern(xend_t, xend_var_lib_t, xend_var_lib_t)
+ manage_fifo_files_pattern(xend_t, xend_var_lib_t, xend_var_lib_t)
+ files_var_lib_filetrans(xend_t, xend_var_lib_t, { file dir })
+
++# transition to store
++domtrans_pattern(xend_t, xenstored_exec_t, xenstored_t)
++
++# manage xenstored pid file
+ manage_files_pattern(xend_t, xenstored_var_run_t, xenstored_var_run_t)
+
+-allow xend_t xenstored_var_lib_t:dir list_dir_perms;
++# mount tmpfs on /var/lib/xenstored
++allow xend_t xenstored_var_lib_t:dir read;
+
++# transition to console
+ domtrans_pattern(xend_t, xenconsoled_exec_t, xenconsoled_t)
+-domtrans_pattern(xend_t, xenstored_exec_t, xenstored_t)
+-
+-xen_stream_connect_xenstore(xend_t)
+
+ kernel_read_kernel_sysctls(xend_t)
+ kernel_read_system_state(xend_t)
+@@ -228,41 +278,31 @@ kernel_read_network_state(xend_t)
corecmd_exec_bin(xend_t)
corecmd_exec_shell(xend_t)
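Review bot: The comment `# mount tmpfs on /var/lib/xenstored` above `allow xend_t xenstored_var_lib_t:dir read;` does not describe the rule: mounting on a directory is governed by `mounton` held by the mounting domain, and `read` alone is a strict subset of the `list_dir_perms` the removed upstream line granted, lacking `search`, `getattr` and `open`, so an opendir() of that path from xend_t will probably still be denied. Either restore `list_dir_perms` or reword the comment to what xend actually needs there, e.g. `# list the xenstored state directory`. Separately, the `# TODO: This part of policy should be removed` / `# qemu-dm should run in xend_t domain` note at the head of the qemu-dm section proposes folding the device model into xend_t, yet the `qemu_dm_t` block beneath it is the narrower profile while xend_t, a few lines lower, holds `sys_admin`, `sys_rawio`, `net_admin` and `setuid`; merging them would give the guest-facing emulator the management daemon's capabilities, so the TODO should record the actual motivation or be dropped. The xend local policy section continues past the end of this hunk.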
@@ -73734,9 +85140,34 @@ index 07033bb..8358a63 100644
corenet_all_recvfrom_netlabel(xend_t)
corenet_tcp_sendrecv_generic_if(xend_t)
corenet_tcp_sendrecv_generic_node(xend_t)
-@@ -294,12 +296,13 @@ corenet_sendrecv_soundd_server_packets(xend_t)
+ corenet_tcp_sendrecv_all_ports(xend_t)
+ corenet_tcp_bind_generic_node(xend_t)
+-
+-corenet_sendrecv_xen_server_packets(xend_t)
+ corenet_tcp_bind_xen_port(xend_t)
+-
+-corenet_sendrecv_soundd_server_packets(xend_t)
+ corenet_tcp_bind_soundd_port(xend_t)
+-
+-corenet_sendrecv_generic_server_packets(xend_t)
+ corenet_tcp_bind_generic_port(xend_t)
+-
+-corenet_sendrecv_vnc_server_packets(xend_t)
+ corenet_tcp_bind_vnc_port(xend_t)
+-
+-corenet_sendrecv_xserver_client_packets(xend_t)
+ corenet_tcp_connect_xserver_port(xend_t)
+-
+-corenet_sendrecv_xen_client_packets(xend_t)
+ corenet_tcp_connect_xen_port(xend_t)
+-
++corenet_sendrecv_xserver_client_packets(xend_t)
++corenet_sendrecv_xen_server_packets(xend_t)
++corenet_sendrecv_xen_client_packets(xend_t)
++corenet_sendrecv_soundd_server_packets(xend_t)
corenet_rw_tun_tap_dev(xend_t)
+-dev_getattr_all_chr_files(xend_t)
dev_read_urand(xend_t)
+# run lsscsi
+dev_getattr_all_chr_files(xend_t)
@@ -73749,83 +85180,90 @@ index 07033bb..8358a63 100644
files_read_etc_files(xend_t)
files_read_kernel_symbol_table(xend_t)
-@@ -309,7 +312,13 @@ files_etc_filetrans_etc_runtime(xend_t, file)
+@@ -271,14 +311,8 @@ files_manage_etc_runtime_files(xend_t)
+ files_etc_filetrans_etc_runtime(xend_t, file)
files_read_usr_files(xend_t)
files_read_default_symlinks(xend_t)
+-files_search_mnt(xend_t)
-+fs_read_removable_blk_files(xend_t)
-+
-+storage_read_scsi_generic(xend_t)
-+
-+term_setattr_generic_ptys(xend_t)
- term_getattr_all_ptys(xend_t)
-+term_setattr_all_ptys(xend_t)
- term_use_generic_ptys(xend_t)
- term_use_ptmx(xend_t)
- term_getattr_pty_fs(xend_t)
-@@ -320,13 +329,10 @@ locallogin_dontaudit_use_fds(xend_t)
+-fs_getattr_all_fs(xend_t)
+-fs_list_auto_mountpoints(xend_t)
+-fs_read_dos_files(xend_t)
+ fs_read_removable_blk_files(xend_t)
+-fs_manage_xenfs_dirs(xend_t)
+-fs_manage_xenfs_files(xend_t)
- logging_send_syslog_msg(xend_t)
+ storage_read_scsi_generic(xend_t)
--lvm_domtrans(xend_t)
-+auth_read_passwd(xend_t)
+@@ -295,7 +329,8 @@ locallogin_dontaudit_use_fds(xend_t)
+
+ logging_send_syslog_msg(xend_t)
-miscfiles_read_localization(xend_t)
++auth_read_passwd(xend_t)
++
miscfiles_read_hwdata(xend_t)
--mount_domtrans(xend_t)
--
sysnet_domtrans_dhcpc(xend_t)
- sysnet_signal_dhcpc(xend_t)
- sysnet_domtrans_ifconfig(xend_t)
-@@ -339,8 +345,6 @@ userdom_dontaudit_search_user_home_dirs(xend_t)
+@@ -308,23 +343,7 @@ sysnet_rw_dhcp_config(xend_t)
- xen_stream_connect_xenstore(xend_t)
+ userdom_dontaudit_search_user_home_dirs(xend_t)
--netutils_domtrans(xend_t)
+-tunable_policy(`xen_use_fusefs',`
+- fs_manage_fusefs_dirs(xend_t)
+- fs_manage_fusefs_files(xend_t)
+- fs_read_fusefs_symlinks(xend_t)
+-')
-
+-tunable_policy(`xen_use_nfs',`
+- fs_manage_nfs_dirs(xend_t)
+- fs_manage_nfs_files(xend_t)
+- fs_read_nfs_symlinks(xend_t)
+-')
+-
+-tunable_policy(`xen_use_samba',`
+- fs_manage_cifs_dirs(xend_t)
+- fs_manage_cifs_files(xend_t)
+- fs_read_cifs_symlinks(xend_t)
+-')
++xen_stream_connect_xenstore(xend_t)
+
optional_policy(`
brctl_domtrans(xend_t)
- ')
-@@ -349,6 +353,28 @@ optional_policy(`
- consoletype_exec(xend_t)
+@@ -342,7 +361,7 @@ optional_policy(`
+ mount_domtrans(xend_t)
')
-+optional_policy(`
-+ lvm_domtrans(xend_t)
-+')
-+
-+optional_policy(`
-+ mount_domtrans(xend_t)
-+')
-+
+-optional_policy(`
+optional_policy(`
-+ netutils_domtrans(xend_t)
-+')
-+
-+optional_policy(`
-+ ptchown_exec(xend_t)
-+')
-+
-+optional_policy(`
+ netutils_domtrans(xend_t)
+ ')
+
+@@ -351,6 +370,7 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+ virt_manage_default_image_type(xend_t)
-+ virt_search_images(xend_t)
-+ virt_read_config(xend_t)
-+')
-+
- ########################################
- #
- # Xen console local policy
-@@ -359,7 +385,7 @@ allow xenconsoled_t self:process setrlimit;
+ virt_search_images(xend_t)
+ virt_read_config(xend_t)
+ ')
+@@ -365,13 +385,9 @@ allow xenconsoled_t self:process setrlimit;
allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms;
allow xenconsoled_t self:fifo_file rw_fifo_file_perms;
--allow xenconsoled_t xen_devpts_t:chr_file rw_term_perms;
+-allow xenconsoled_t xen_devpts_t:chr_file { rw_term_perms setattr_chr_file_perms };
+-
+-manage_dirs_pattern(xenconsoled_t, xend_var_log_t, xend_var_log_t)
+-append_files_pattern(xenconsoled_t, xend_var_log_t, xend_var_log_t)
+-create_files_pattern(xenconsoled_t, xend_var_log_t, xend_var_log_t)
+-setattr_files_pattern(xenconsoled_t, xend_var_log_t, xend_var_log_t)
+allow xenconsoled_t xen_devpts_t:chr_file { rw_term_perms setattr };
- # pid file
++# pid file
manage_files_pattern(xenconsoled_t, xenconsoled_var_run_t, xenconsoled_var_run_t)
-@@ -374,8 +400,6 @@ dev_rw_xen(xenconsoled_t)
+ manage_sock_files_pattern(xenconsoled_t, xenconsoled_var_run_t, xenconsoled_var_run_t)
+ files_pid_filetrans(xenconsoled_t, xenconsoled_var_run_t, { file sock_file })
+@@ -384,8 +400,6 @@ dev_rw_xen(xenconsoled_t)
dev_filetrans_xen(xenconsoled_t)
dev_rw_sysfs(xenconsoled_t)
@@ -73834,32 +85272,58 @@ index 07033bb..8358a63 100644
files_read_etc_files(xenconsoled_t)
files_read_usr_files(xenconsoled_t)
-@@ -390,7 +414,7 @@ term_use_console(xenconsoled_t)
+@@ -400,10 +414,9 @@ term_use_console(xenconsoled_t)
init_use_fds(xenconsoled_t)
init_use_script_ptys(xenconsoled_t)
+-logging_search_logs(xenconsoled_t)
+-
-miscfiles_read_localization(xenconsoled_t)
+auth_read_passwd(xenconsoled_t)
- xen_manage_log(xenconsoled_t)
++xen_manage_log(xenconsoled_t)
xen_stream_connect_xenstore(xenconsoled_t)
-@@ -413,9 +437,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t)
+
+ optional_policy(`
+@@ -416,24 +429,26 @@ optional_policy(`
+ #
+
+ allow xenstored_t self:capability { dac_override ipc_lock sys_resource };
+-allow xenstored_t self:unix_stream_socket { accept listen };
++allow xenstored_t self:unix_stream_socket create_stream_socket_perms;
++allow xenstored_t self:unix_dgram_socket create_socket_perms;
+
+ manage_files_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t)
+ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t)
files_tmp_filetrans(xenstored_t, xenstored_tmp_t, { file dir })
- # pid file
-+manage_dirs_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t)
++# pid file
+ manage_dirs_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t)
manage_files_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t)
manage_sock_files_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t)
--files_pid_filetrans(xenstored_t, xenstored_var_run_t, { file sock_file })
-+files_pid_filetrans(xenstored_t, xenstored_var_run_t, { file sock_file dir })
+ files_pid_filetrans(xenstored_t, xenstored_var_run_t, { file sock_file dir })
- # log files
++# log files
manage_dirs_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t)
-@@ -442,111 +467,24 @@ files_read_etc_files(xenstored_t)
-
+-append_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t)
+-create_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t)
+-setattr_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t)
++manage_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t)
+ manage_sock_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t)
+ logging_log_filetrans(xenstored_t, xenstored_var_log_t, { sock_file file dir })
+
++# var/lib files for xenstored
+ manage_dirs_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t)
+ manage_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t)
+ manage_sock_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t)
+@@ -449,156 +464,37 @@ dev_rw_xen(xenstored_t)
+ dev_read_sysfs(xenstored_t)
+
+ files_read_etc_files(xenstored_t)
++
files_read_usr_files(xenstored_t)
-+fs_search_xenfs(xenstored_t)
+ fs_search_xenfs(xenstored_t)
fs_manage_xenfs_files(xenstored_t)
term_use_generic_ptys(xenstored_t)
@@ -73877,26 +85341,35 @@ index 07033bb..8358a63 100644
########################################
#
-# xm local policy
--#
--
--allow xm_t self:capability { dac_override ipc_lock sys_tty_config };
--allow xm_t self:process { getsched signal };
++# SSH component local policy
+ #
-
--# internal communication is often done using fifo and unix sockets.
+-allow xm_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config };
+-allow xm_t self:process { getcap getsched setsched setcap signal };
-allow xm_t self:fifo_file rw_fifo_file_perms;
--allow xm_t self:unix_stream_socket { create_stream_socket_perms connectto };
--allow xm_t self:tcp_socket create_stream_socket_perms;
+-allow xm_t self:unix_stream_socket { accept connectto listen };
+-allow xm_t self:tcp_socket { accept listen };
-
-manage_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
-manage_fifo_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
-manage_sock_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
--files_search_var_lib(xm_t)
-
--allow xm_t xen_image_t:dir rw_dir_perms;
--allow xm_t xen_image_t:file read_file_perms;
--allow xm_t xen_image_t:blk_file read_blk_file_perms;
+-manage_files_pattern(xm_t, xen_image_t, xen_image_t)
+-manage_blk_files_pattern(xm_t, xen_image_t, xen_image_t)
+-manage_lnk_files_pattern(xm_t, xen_image_t, xen_image_t)
+-
+-read_files_pattern(xm_t, xenstored_var_run_t, xenstored_var_run_t)
+-
+-xen_manage_image_dirs(xm_t)
+-xen_append_log(xm_t)
+-xen_domtrans(xm_t)
+-xen_stream_connect(xm_t)
+-xen_stream_connect_xenstore(xm_t)
+-
+-can_exec(xm_t, xm_exec_t)
-
-kernel_read_system_state(xm_t)
+-kernel_read_network_state(xm_t)
-kernel_read_kernel_sysctls(xm_t)
-kernel_read_sysctl(xm_t)
-kernel_read_xen_state(xm_t)
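Review bot: The new banner `# SSH component local policy` replaces `# xm local policy`, yet on the new side nothing SSH-related follows it: the xm_t rules under it are removed in this hunk and the next two, the `ssh_basic_client_template(xm, xm_t, system_r)` block is itself deleted in the hunk at `@@ -73951,11 +85476,7 @@`, and what survives under the banner is an `optional_policy(\`` block of xend_t filesystem rules. The header should name what the block now is, e.g. `# xend filesystem access (formerly under xm)`, or those xend_t rules should move into the xend local policy section and the banner go. Whether `type xm_t` and the `xen_domtrans_xm` interface remain declared elsewhere is not visible here; if they do, a transition target with no rules of its own is left behind and that deserves a comment at the declaration.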
@@ -73905,22 +85378,33 @@ index 07033bb..8358a63 100644
-corecmd_exec_bin(xm_t)
-corecmd_exec_shell(xm_t)
-
+-corenet_all_recvfrom_unlabeled(xm_t)
+-corenet_all_recvfrom_netlabel(xm_t)
-corenet_tcp_sendrecv_generic_if(xm_t)
-corenet_tcp_sendrecv_generic_node(xm_t)
+-
+-corenet_sendrecv_soundd_client_packets(xm_t)
-corenet_tcp_connect_soundd_port(xm_t)
+-corenet_tcp_sendrecv_soundd_port(xm_t)
-
+-dev_read_rand(xm_t)
-dev_read_urand(xm_t)
-dev_read_sysfs(xm_t)
-
-files_read_etc_runtime_files(xm_t)
+-files_read_etc_files(xm_t)
-files_read_usr_files(xm_t)
+-files_search_pids(xm_t)
+-files_search_var_lib(xm_t)
-files_list_mnt(xm_t)
--# Some common macros (you might be able to remove some)
--files_read_etc_files(xm_t)
+-files_list_tmp(xm_t)
-
-fs_getattr_all_fs(xm_t)
-fs_manage_xenfs_dirs(xm_t)
-fs_manage_xenfs_files(xm_t)
+-fs_search_auto_mountpoints(xm_t)
+-
+-storage_raw_read_fixed_disk(xm_t)
-
-term_use_all_terms(xm_t)
-
@@ -73928,20 +85412,61 @@ index 07033bb..8358a63 100644
-init_rw_script_stream_sockets(xm_t)
-init_use_fds(xm_t)
-
+-logging_send_syslog_msg(xm_t)
+-
-miscfiles_read_localization(xm_t)
-
-sysnet_dns_name_resolve(xm_t)
-
--xen_append_log(xm_t)
--xen_stream_connect(xm_t)
--xen_stream_connect_xenstore(xm_t)
+-tunable_policy(`xen_use_fusefs',`
+- fs_manage_fusefs_dirs(xm_t)
+- fs_manage_fusefs_files(xm_t)
+- fs_read_fusefs_symlinks(xm_t)
+-')
+-
+-tunable_policy(`xen_use_nfs',`
+- fs_manage_nfs_dirs(xm_t)
+- fs_manage_nfs_files(xm_t)
+- fs_read_nfs_symlinks(xm_t)
+-')
+-
+-tunable_policy(`xen_use_samba',`
+- fs_manage_cifs_dirs(xm_t)
+- fs_manage_cifs_files(xm_t)
+- fs_read_cifs_symlinks(xm_t)
+-')
+-
+ optional_policy(`
+- cron_system_entry(xm_t, xm_exec_t)
+-')
-
-optional_policy(`
- dbus_system_bus_client(xm_t)
-
- optional_policy(`
- hal_dbus_chat(xm_t)
-- ')
++ #Should have a boolean wrapping these
++ fs_list_auto_mountpoints(xend_t)
++ files_search_mnt(xend_t)
++ fs_getattr_all_fs(xend_t)
++ fs_read_dos_files(xend_t)
++ fs_manage_xenfs_dirs(xend_t)
++ fs_manage_xenfs_files(xend_t)
++
++ tunable_policy(`xen_use_nfs',`
++ fs_manage_nfs_files(xend_t)
++ fs_read_nfs_symlinks(xend_t)
+ ')
+ ')
+-
+-optional_policy(`
+- rpm_exec(xm_t)
+-')
+-
+-optional_policy(`
+- vhostmd_rw_tmpfs_files(xm_t)
+- vhostmd_stream_connect(xm_t)
+- vhostmd_dontaudit_rw_stream_connect(xm_t)
-')
-
-optional_policy(`
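Review bot: The re-added `tunable_policy(\`xen_use_nfs',\`` block for xend_t near the end of this hunk grants `fs_manage_nfs_files(xend_t)` and `fs_read_nfs_symlinks(xend_t)` but not the `fs_manage_nfs_dirs` that the removed upstream blocks carried (for xm_t here, and for xend_t in the hunk at `@@ -73749,83 +85180,90 @@`), so xend can presumably create and delete image files in an NFS store but not create subdirectories under it; if that narrowing is intended, a comment on the block should say so, otherwise add `fs_manage_nfs_dirs(xend_t)`. The enclosing `optional_policy(\`` wrapper now contains only base `fs_`/`files_` interfaces and the tunable, so it no longer guards any optional module and can be removed; the `#Should have a boolean wrapping these` comment above `fs_list_auto_mountpoints(xend_t)` would then be better turned into the `tunable_policy` it asks for, or at least name the intended boolean.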
@@ -73951,11 +85476,7 @@ index 07033bb..8358a63 100644
- virt_stream_connect(xm_t)
-')
-
--########################################
--#
- # SSH component local policy
- #
- optional_policy(`
+-optional_policy(`
- ssh_basic_client_template(xm, xm_t, system_r)
-
- kernel_read_xen_state(xm_ssh_t)
@@ -73965,24 +85486,12 @@ index 07033bb..8358a63 100644
-
- fs_manage_xenfs_dirs(xm_ssh_t)
- fs_manage_xenfs_files(xm_ssh_t)
--
- #Should have a boolean wrapping these
- fs_list_auto_mountpoints(xend_t)
- files_search_mnt(xend_t)
-@@ -559,8 +497,4 @@ optional_policy(`
- fs_manage_nfs_files(xend_t)
- fs_read_nfs_symlinks(xend_t)
- ')
--
-- optional_policy(`
-- unconfined_domain(xend_t)
-- ')
- ')
+-')
diff --git a/xfs.te b/xfs.te
-index 11c1b12..fc5d128 100644
+index 0cea2cd..d9518f8 100644
--- a/xfs.te
+++ b/xfs.te
-@@ -37,7 +37,6 @@ files_pid_filetrans(xfs_t, xfs_var_run_t, file)
+@@ -41,7 +41,6 @@ can_exec(xfs_t, xfs_exec_t)
kernel_read_kernel_sysctls(xfs_t)
kernel_read_system_state(xfs_t)
@@ -73990,15 +85499,7 @@ index 11c1b12..fc5d128 100644
corenet_all_recvfrom_netlabel(xfs_t)
corenet_tcp_sendrecv_generic_if(xfs_t)
corenet_tcp_sendrecv_generic_node(xfs_t)
-@@ -57,7 +56,6 @@ fs_search_auto_mountpoints(xfs_t)
-
- domain_use_interactive_fds(xfs_t)
-
--files_read_etc_files(xfs_t)
- files_read_etc_runtime_files(xfs_t)
- files_read_usr_files(xfs_t)
-
-@@ -65,7 +63,6 @@ auth_use_nsswitch(xfs_t)
+@@ -71,7 +70,6 @@ init_script_tmp_filetrans(xfs_t, xfs_tmp_t, sock_file, "fs7100")
logging_send_syslog_msg(xfs_t)
@@ -74007,27 +85508,69 @@ index 11c1b12..fc5d128 100644
userdom_dontaudit_use_unpriv_user_fds(xfs_t)
diff --git a/xguest.te b/xguest.te
-index e88b95f..3dd3d9a 100644
+index 2882821..cc48c69 100644
--- a/xguest.te
+++ b/xguest.te
-@@ -14,7 +14,7 @@ gen_tunable(xguest_mount_media, true)
+@@ -1,4 +1,4 @@
+-policy_module(xguest, 1.1.2)
++policy_module(xguest, 1.1.0)
+
+ ########################################
+ #
+@@ -6,46 +6,46 @@ policy_module(xguest, 1.1.2)
+ #
+
+ ## <desc>
+-## <p>
+-## Determine whether xguest can
+-## mount removable media.
+-## </p>
++## <p>
++## Allow xguest users to mount removable media
++## </p>
+ ## </desc>
+-gen_tunable(xguest_mount_media, false)
++gen_tunable(xguest_mount_media, true)
## <desc>
- ## <p>
--## Allow xguest to configure Network Manager
+-## <p>
+-## Determine whether xguest can
+-## configure network manager.
+-## </p>
++## <p>
+## Allow xguest users to configure Network Manager and connect to apache ports
- ## </p>
++## </p>
+ ## </desc>
+-gen_tunable(xguest_connect_network, false)
++gen_tunable(xguest_connect_network, true)
+
+ ## <desc>
+-## <p>
+-## Determine whether xguest can
+-## use blue tooth devices.
+-## </p>
++## <p>
++## Allow xguest to use blue tooth devices
++## </p>
## </desc>
- gen_tunable(xguest_connect_network, true)
-@@ -29,6 +29,7 @@ gen_tunable(xguest_use_bluetooth, true)
+-gen_tunable(xguest_use_bluetooth, false)
++gen_tunable(xguest_use_bluetooth, true)
+
role xguest_r;
userdom_restricted_xwindows_user_template(xguest)
+sysnet_dns_name_resolve(xguest_t)
++
++init_dbus_chat(xguest_t)
++init_status(xguest_t)
########################################
#
-@@ -38,7 +39,7 @@ userdom_restricted_xwindows_user_template(xguest)
+ # Local policy
+ #
+
+-kernel_dontaudit_request_load_module(xguest_t)
+-
ifndef(`enable_mls',`
fs_exec_noxattr(xguest_t)
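Review bot: `init_dbus_chat(xguest_t)` and `init_status(xguest_t)` are added unconditionally right after `userdom_restricted_xwindows_user_template(xguest)`, whereas the comparable `networkmanager_dbus_chat(xguest_t)` for the same restricted user (further down, past this hunk) is gated by `xguest_connect_network`; a bidirectional D-Bus channel to init is a notable grant for the most restricted login user, and the two lines deserve a comment naming the desktop action that requires it, or a tunable of their own. The three `gen_tunable(..., true)` flips in this hunk change the shipped defaults from upstream's `false`, and the reworded `<desc>` paragraphs state only what each boolean allows; they should also say the default is on so administrators know they must opt out. Removing upstream's `kernel_dontaudit_request_load_module(xguest_t)` will reintroduce audit noise whenever an xguest session triggers module autoloading; confirm that was intended rather than lost in the merge.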
@@ -74035,12 +85578,14 @@ index e88b95f..3dd3d9a 100644
+ tunable_policy(`selinuxuser_rw_noexattrfile',`
fs_manage_noxattr_fs_files(xguest_t)
fs_manage_noxattr_fs_dirs(xguest_t)
- # Write floppies
-@@ -49,11 +50,22 @@ ifndef(`enable_mls',`
- ')
++ # Write floppies
+ storage_raw_read_removable_device(xguest_t)
+ storage_raw_write_removable_device(xguest_t)
+ ',`
+@@ -54,9 +54,21 @@ ifndef(`enable_mls',`
')
-+optional_policy(`
+ optional_policy(`
+ # Dontaudit fusermount
+ mount_dontaudit_exec_fusermount(xguest_t)
+')
@@ -74051,8 +85596,8 @@ index e88b95f..3dd3d9a 100644
+ allow xguest_t self:process execstack;
+')
+
- # Allow mounting of file systems
- optional_policy(`
++# Allow mounting of file systems
++optional_policy(`
tunable_policy(`xguest_mount_media',`
kernel_read_fs_sysctls(xguest_t)
-
@@ -74060,7 +85605,7 @@ index e88b95f..3dd3d9a 100644
files_dontaudit_getattr_boot_dirs(xguest_t)
files_search_mnt(xguest_t)
-@@ -62,10 +74,9 @@ optional_policy(`
+@@ -65,10 +77,9 @@ optional_policy(`
fs_manage_noxattr_fs_dirs(xguest_t)
fs_getattr_noxattr_fs(xguest_t)
fs_read_noxattr_fs_symlinks(xguest_t)
@@ -74072,81 +85617,116 @@ index e88b95f..3dd3d9a 100644
')
')
-@@ -76,23 +87,97 @@ optional_policy(`
+@@ -84,88 +95,92 @@ optional_policy(`
+ ')
')
- optional_policy(`
-+ tunable_policy(`xguest_use_bluetooth',`
-+ blueman_dbus_chat(xguest_t)
-+ ')
-+')
-+
+
+optional_policy(`
+ chrome_role(xguest_r, xguest_t)
+')
+
+optional_policy(`
- hal_dbus_chat(xguest_t)
++ hal_dbus_chat(xguest_t)
++')
++
+ optional_policy(`
+ apache_role(xguest_r, xguest_t)
')
optional_policy(`
-- java_role(xguest_r, xguest_t)
-+ apache_role(xguest_r, xguest_t)
++ gnome_role(xguest_r, xguest_t)
+')
+
+optional_policy(`
-+ gnome_role(xguest_r, xguest_t)
+ gnomeclock_dontaudit_dbus_chat(xguest_t)
')
optional_policy(`
-- mozilla_role(xguest_r, xguest_t)
-+ gnomeclock_dontaudit_dbus_chat(xguest_t)
-+')
-+
-+optional_policy(`
+- hal_dbus_chat(xguest_t)
+ mozilla_run_plugin(xguest_t, xguest_r)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- java_role(xguest_r, xguest_t)
+ pcscd_read_pub_files(xguest_t)
+ pcscd_stream_connect(xguest_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- mozilla_role(xguest_r, xguest_t)
+ rhsmcertd_dontaudit_dbus_chat(xguest_t)
')
optional_policy(`
tunable_policy(`xguest_connect_network',`
+- kernel_read_network_state(xguest_t)
+-
networkmanager_dbus_chat(xguest_t)
+- networkmanager_read_lib_files(xguest_t)
+ networkmanager_read_lib_files(xguest_t)
+ ')
+')
-+
+
+- corenet_all_recvfrom_unlabeled(xguest_t)
+- corenet_all_recvfrom_netlabel(xguest_t)
+optional_policy(`
+ tunable_policy(`xguest_connect_network',`
+ kernel_read_network_state(xguest_t)
+
- corenet_tcp_connect_pulseaudio_port(xguest_t)
-+ corenet_tcp_sendrecv_generic_if(xguest_t)
-+ corenet_raw_sendrecv_generic_if(xguest_t)
-+ corenet_tcp_sendrecv_generic_node(xguest_t)
-+ corenet_raw_sendrecv_generic_node(xguest_t)
-+ corenet_tcp_connect_commplex_port(xguest_t)
-+ corenet_tcp_sendrecv_http_port(xguest_t)
-+ corenet_tcp_sendrecv_http_cache_port(xguest_t)
-+ corenet_tcp_sendrecv_squid_port(xguest_t)
-+ corenet_tcp_sendrecv_ftp_port(xguest_t)
-+ corenet_tcp_sendrecv_ipp_port(xguest_t)
++ corenet_tcp_connect_pulseaudio_port(xguest_t)
+ corenet_tcp_sendrecv_generic_if(xguest_t)
+ corenet_raw_sendrecv_generic_if(xguest_t)
+ corenet_tcp_sendrecv_generic_node(xguest_t)
+ corenet_raw_sendrecv_generic_node(xguest_t)
+-
+- corenet_sendrecv_pulseaudio_client_packets(xguest_t)
+- corenet_tcp_connect_pulseaudio_port(xguest_t)
+- corenet_tcp_sendrecv_pulseaudio_port(xguest_t)
+-
+- corenet_sendrecv_http_client_packets(xguest_t)
+- corenet_tcp_connect_http_port(xguest_t)
++ corenet_tcp_connect_commplex_link_port(xguest_t)
+ corenet_tcp_sendrecv_http_port(xguest_t)
+-
+- corenet_sendrecv_http_cache_client_packets(xguest_t)
+- corenet_tcp_connect_http_cache_port(xguest_t)
+ corenet_tcp_sendrecv_http_cache_port(xguest_t)
+-
+- corenet_sendrecv_squid_client_packets(xguest_t)
+- corenet_tcp_connect_squid_port(xguest_t)
+ corenet_tcp_sendrecv_squid_port(xguest_t)
+-
+- corenet_sendrecv_ftp_client_packets(xguest_t)
+- corenet_tcp_connect_ftp_port(xguest_t)
+ corenet_tcp_sendrecv_ftp_port(xguest_t)
+-
+- corenet_sendrecv_ipp_client_packets(xguest_t)
+- corenet_tcp_connect_ipp_port(xguest_t)
+ corenet_tcp_sendrecv_ipp_port(xguest_t)
+-
+- corenet_sendrecv_generic_client_packets(xguest_t)
+ corenet_tcp_connect_http_port(xguest_t)
+ corenet_tcp_connect_http_cache_port(xguest_t)
+ corenet_tcp_connect_squid_port(xguest_t)
+ corenet_tcp_connect_flash_port(xguest_t)
+ corenet_tcp_connect_ftp_port(xguest_t)
- corenet_tcp_connect_ipp_port(xguest_t)
-+ corenet_tcp_connect_generic_port(xguest_t)
-+ corenet_tcp_connect_soundd_port(xguest_t)
++ corenet_tcp_connect_ipp_port(xguest_t)
+ corenet_tcp_connect_generic_port(xguest_t)
+- corenet_tcp_sendrecv_generic_port(xguest_t)
+-
+- corenet_sendrecv_soundd_client_packets(xguest_t)
+ corenet_tcp_connect_soundd_port(xguest_t)
+- corenet_tcp_sendrecv_soundd_port(xguest_t)
+-
+- corenet_sendrecv_speech_client_packets(xguest_t)
+- corenet_tcp_connect_speech_port(xguest_t)
+- corenet_tcp_sendrecv_speech_port(xguest_t)
+-
+- corenet_sendrecv_transproxy_client_packets(xguest_t)
+- corenet_tcp_connect_transproxy_port(xguest_t)
+- corenet_tcp_sendrecv_transproxy_port(xguest_t)
+-
+ corenet_sendrecv_http_client_packets(xguest_t)
+ corenet_sendrecv_http_cache_client_packets(xguest_t)
+ corenet_sendrecv_squid_client_packets(xguest_t)
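Review bot: The `xguest_connect_network` block on the new side grants `corenet_tcp_connect_generic_port(xguest_t)` (L108273) next to the flash, soundd, commplex_link, speech and transproxy port connects, so the `# Should not need other ports` comment and the `corenet_dontaudit_tcp_*_generic_port` lines that follow it in the next hunk (L108294–L108298) no longer describe what is allowed. Either drop the generic connect if the http/http_cache/squid/ftp/ipp/pulseaudio set is enough for a guest login, or reword the comment to `# Generic port connects are allowed above; only bind and labeled send/recv on them are silenced`. The tunable's `<desc>` (L108068) still reads "configure Network Manager and connect to apache ports", which understates this set, and its default is flipped to true (L108073), so the wider reach is on for every xguest session unless an administrator turns it off. The enclosing optional_policy continues into the next hunk.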
@@ -74154,27 +85734,29 @@ index e88b95f..3dd3d9a 100644
+ corenet_sendrecv_ipp_client_packets(xguest_t)
+ corenet_sendrecv_generic_client_packets(xguest_t)
+ # Should not need other ports
-+ corenet_dontaudit_tcp_sendrecv_generic_port(xguest_t)
-+ corenet_dontaudit_tcp_bind_generic_port(xguest_t)
+ corenet_dontaudit_tcp_sendrecv_generic_port(xguest_t)
+ corenet_dontaudit_tcp_bind_generic_port(xguest_t)
+ corenet_tcp_connect_speech_port(xguest_t)
+ corenet_tcp_sendrecv_transproxy_port(xguest_t)
+ corenet_tcp_connect_transproxy_port(xguest_t)
')
')
--#gen_user(xguest_u,, xguest_r, s0, s0)
-+optional_policy(`
+ optional_policy(`
+- pcscd_read_pid_files(xguest_t)
+- pcscd_stream_connect(xguest_t)
+ gen_require(`
+ type mozilla_t;
+ ')
+
+ allow xguest_t mozilla_t:process transition;
+ role xguest_r types mozilla_t;
-+')
-+
+ ')
+
+-#gen_user(xguest_u,, xguest_r, s0, s0)
+gen_user(xguest_u, user, xguest_r, s0, s0)
diff --git a/xprint.te b/xprint.te
-index 68d13e5..4fe8668 100644
+index 3c44d84..14b42e5 100644
--- a/xprint.te
+++ b/xprint.te
@@ -32,7 +32,6 @@ kernel_read_kernel_sysctls(xprint_t)
@@ -74194,93 +85776,95 @@ index 68d13e5..4fe8668 100644
sysnet_read_config(xprint_t)
diff --git a/xscreensaver.te b/xscreensaver.te
-index 1487a4e..c099b55 100644
+index c9c9650..4a24446 100644
--- a/xscreensaver.te
+++ b/xscreensaver.te
-@@ -33,9 +33,7 @@ init_read_utmp(xscreensaver_t)
+@@ -35,9 +35,8 @@ init_read_utmp(xscreensaver_t)
logging_send_audit_msgs(xscreensaver_t)
logging_send_syslog_msg(xscreensaver_t)
-miscfiles_read_localization(xscreensaver_t)
-
--userdom_use_user_ptys(xscreensaver_t)
+-userdom_use_user_terminals(xscreensaver_t)
+userdom_use_inherited_user_ptys(xscreensaver_t)
- #access to .icons and ~/.xscreensaver
++#access to .icons and ~/.xscreensaver
userdom_read_user_home_content_files(xscreensaver_t)
+ xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t)
diff --git a/yam.te b/yam.te
-index 223ad43..a3267e5 100644
+index d837e88..910aeec 100644
--- a/yam.te
+++ b/yam.te
-@@ -58,7 +58,6 @@ corecmd_exec_bin(yam_t)
-
- # Rsync and lftp need to network. They also set files attributes to
- # match whats on the remote server.
--corenet_all_recvfrom_unlabeled(yam_t)
- corenet_all_recvfrom_netlabel(yam_t)
- corenet_tcp_sendrecv_generic_if(yam_t)
- corenet_tcp_sendrecv_generic_node(yam_t)
-@@ -71,7 +70,6 @@ corenet_sendrecv_rsync_client_packets(yam_t)
- # mktemp
- dev_read_urand(yam_t)
-
--files_read_etc_files(yam_t)
- files_read_etc_runtime_files(yam_t)
- # /usr/share/createrepo/genpkgmetadata.py:
- files_exec_usr_files(yam_t)
-@@ -83,16 +81,15 @@ fs_search_auto_mountpoints(yam_t)
- # Content can also be on ISO image files.
- fs_read_iso9660_files(yam_t)
-
--logging_send_syslog_msg(yam_t)
-+auth_use_nsswitch(yam_t)
+@@ -73,11 +73,11 @@ auth_use_nsswitch(yam_t)
--miscfiles_read_localization(yam_t)
-+logging_send_syslog_msg(yam_t)
+ logging_send_syslog_msg(yam_t)
+-miscfiles_read_localization(yam_t)
+-
seutil_read_config(yam_t)
--sysnet_dns_name_resolve(yam_t)
- sysnet_read_config(yam_t)
-
-userdom_use_user_terminals(yam_t)
++sysnet_read_config(yam_t)
++
+userdom_use_inherited_user_terminals(yam_t)
userdom_use_unpriv_users_fds(yam_t)
- # Reading dotfiles...
- # cjp: ?
-diff --git a/zabbix.fc b/zabbix.fc
-index aa5a521..980c0df 100644
---- a/zabbix.fc
-+++ b/zabbix.fc
-@@ -1,8 +1,12 @@
- /etc/rc\.d/init\.d/zabbix -- gen_context(system_u:object_r:zabbix_initrc_exec_t,s0)
--/etc/rc\.d/init\.d/zabbix-agentd -- gen_context(system_u:object_r:zabbix_agent_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/zabbix-server -- gen_context(system_u:object_r:zabbix_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/zabbix-agentd -- gen_context(system_u:object_r:zabbix_agent_initrc_exec_t,s0)
-
- /usr/(s)?bin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0)
- /usr/(s)?bin/zabbix_agentd -- gen_context(system_u:object_r:zabbix_agent_exec_t,s0)
-+/usr/sbin/zabbix_server_mysql -- gen_context(system_u:object_r:zabbix_exec_t,s0)
-+/usr/sbin/zabbix_server_pgsql -- gen_context(system_u:object_r:zabbix_exec_t,s0)
-+/usr/sbin/zabbix_server_sqlite3 -- gen_context(system_u:object_r:zabbix_exec_t,s0)
-
- /var/log/zabbix(/.*)? gen_context(system_u:object_r:zabbix_log_t,s0)
+ userdom_search_user_home_dirs(yam_t)
diff --git a/zabbix.if b/zabbix.if
-index c9981d1..38ce620 100644
+index dd63de0..38ce620 100644
--- a/zabbix.if
+++ b/zabbix.if
-@@ -61,6 +61,26 @@ interface(`zabbix_read_log',`
+@@ -1,4 +1,4 @@
+-## <summary>Distributed infrastructure monitoring.</summary>
++## <summary>Distributed infrastructure monitoring</summary>
+
+ ########################################
+ ## <summary>
+@@ -15,13 +15,12 @@ interface(`zabbix_domtrans',`
+ type zabbix_t, zabbix_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+ domtrans_pattern($1, zabbix_exec_t, zabbix_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Connect to zabbit on the TCP network.
++## Allow connectivity to the zabbix server
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -34,7 +33,7 @@ interface(`zabbix_tcp_connect',`
+ type zabbix_t;
+ ')
+
+- corenet_sendrecv_zabbix_client_packets($1)
++ corenet_sendrecv_zabbix_agent_client_packets($1)
+ corenet_tcp_connect_zabbix_port($1)
+ corenet_tcp_recvfrom_labeled($1, zabbix_t)
+ corenet_tcp_sendrecv_zabbix_port($1)
+@@ -42,7 +41,7 @@ interface(`zabbix_tcp_connect',`
########################################
## <summary>
+-## Read zabbix log files.
++## Allow the specified domain to read zabbix's log files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -62,13 +61,34 @@ interface(`zabbix_read_log',`
+
+ ########################################
+ ## <summary>
+-## Append zabbix log files.
+## Allow the specified domain to read zabbix's tmp files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+## <rolecap/>
+#
+interface(`zabbix_read_tmp',`
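Review bot: `zabbix_tcp_connect` (L108436–L108444) now pairs `corenet_tcp_connect_zabbix_port($1)` with `corenet_sendrecv_zabbix_agent_client_packets($1)`, so a domain connecting to the server port is given the agent packet label while the server-port packet type is no longer referenced at all. If the corenetwork module defines `corenet_sendrecv_zabbix_client_packets`, this looks like a copy of the agent interface and should be reverted to it; if it does not, a one-line comment such as `# corenetwork has no zabbix_client_packets interface; agent packet type reused` would save the next reader the same question. The interface's gen_require block starts above this hunk.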
@@ -74294,9 +85878,35 @@ index c9981d1..38ce620 100644
+
+########################################
+## <summary>
- ## Allow the specified domain to append
- ## zabbix log files.
++## Allow the specified domain to append
++## zabbix log files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
+ #
+ interface(`zabbix_append_log',`
+ gen_require(`
+@@ -81,7 +101,7 @@ interface(`zabbix_append_log',`
+
+ ########################################
+ ## <summary>
+-## Read zabbix pid files.
++## Read zabbix PID files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -100,7 +120,7 @@ interface(`zabbix_read_pid_files',`
+
+ ########################################
+ ## <summary>
+-## Connect to zabbix agent on the TCP network.
++## Allow connectivity to a zabbix agent
## </summary>
+ ## <param name="domain">
+ ## <summary>
@@ -110,7 +130,7 @@ interface(`zabbix_read_pid_files',`
#
interface(`zabbix_agent_tcp_connect',`
@@ -74306,111 +85916,98 @@ index c9981d1..38ce620 100644
')
corenet_sendrecv_zabbix_agent_client_packets($1)
-@@ -142,8 +162,11 @@ interface(`zabbix_admin',`
- type zabbix_initrc_exec_t;
+@@ -121,8 +141,8 @@ interface(`zabbix_agent_tcp_connect',`
+
+ ########################################
+ ## <summary>
+-## All of the rules required to
+-## administrate an zabbix environment.
++## All of the rules required to administrate
++## an zabbix environment
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -131,7 +151,7 @@ interface(`zabbix_agent_tcp_connect',`
+ ## </param>
+ ## <param name="role">
+ ## <summary>
+-## Role allowed access.
++## The role to be allowed to manage the zabbix domain.
+ ## </summary>
+ ## </param>
+ ## <rolecap/>
+@@ -139,16 +159,18 @@ interface(`zabbix_agent_tcp_connect',`
+ interface(`zabbix_admin',`
+ gen_require(`
+ type zabbix_t, zabbix_log_t, zabbix_var_run_t;
+- type zabbix_initrc_exec_t, zabbit_agent_initrc_exec_t, zabbix_tmp_t;
+- type zabbit_tmpfs_t;
++ type zabbix_initrc_exec_t;
')
-- allow $1 zabbix_t:process { ptrace signal_perms };
+- allow $1 { zabbix_t zabbix_agent_t }:process { ptrace signal_perms };
+- ps_process_pattern($1, { zabbix_t zabbix_agent_t })
+ allow $1 zabbix_t:process signal_perms;
- ps_process_pattern($1, zabbix_t)
++ ps_process_pattern($1, zabbix_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 zabbix_t:process ptrace;
+ ')
- init_labeled_script_domtrans($1, zabbix_initrc_exec_t)
+- init_labeled_script_domtrans($1, { zabbix_agent_initrc_exec_t zabbix_initrc_exec_t })
++ init_labeled_script_domtrans($1, zabbix_initrc_exec_t)
domain_system_change_exemption($1)
+- role_transition $2 { zabbix_agent_initrc_exec_t zabbix_initrc_exec_t } system_r;
++ role_transition $2 zabbix_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ logging_list_logs($1)
+@@ -156,10 +178,4 @@ interface(`zabbix_admin',`
+
+ files_list_pids($1)
+ admin_pattern($1, zabbix_var_run_t)
+-
+- files_list_tmp($1)
+- admin_pattern($1, zabbix_tmp_t)
+-
+- fs_list_tmpfs($1)
+- admin_pattern($1, zabbix_tmpfs_t)
+ ')
diff --git a/zabbix.te b/zabbix.te
-index 8c0bd70..24dd920 100644
+index 46e4cd3..af38ff2 100644
--- a/zabbix.te
+++ b/zabbix.te
-@@ -5,6 +5,13 @@ policy_module(zabbix, 1.5.0)
- # Declarations
+@@ -6,7 +6,7 @@ policy_module(zabbix, 1.5.3)
#
-+## <desc>
-+## <p>
-+## Allow zabbix to connect to unreserved ports
-+## </p>
-+## </desc>
-+gen_tunable(zabbix_can_network, false)
-+
- type zabbix_t;
- type zabbix_exec_t;
- init_daemon_domain(zabbix_t, zabbix_exec_t)
-@@ -23,6 +30,10 @@ init_script_file(zabbix_agent_initrc_exec_t)
- type zabbix_log_t;
- logging_log_file(zabbix_log_t)
-
-+# tmp files
-+type zabbix_tmp_t;
-+files_tmp_file(zabbix_tmp_t)
-+
- # shared memory
- type zabbix_tmpfs_t;
- files_tmpfs_file(zabbix_tmpfs_t)
-@@ -36,19 +47,25 @@ files_pid_file(zabbix_var_run_t)
- # zabbix local policy
- #
-
--allow zabbix_t self:capability { setuid setgid };
--allow zabbix_t self:fifo_file rw_file_perms;
--allow zabbix_t self:process { setsched getsched signal };
-+allow zabbix_t self:capability { dac_read_search dac_override setuid setgid };
-+allow zabbix_t self:process { setsched signal_perms };
-+allow zabbix_t self:sem create_sem_perms;
-+allow zabbix_t self:fifo_file rw_fifo_file_perms;
- allow zabbix_t self:unix_stream_socket create_stream_socket_perms;
- allow zabbix_t self:sem create_sem_perms;
- allow zabbix_t self:shm create_shm_perms;
- allow zabbix_t self:tcp_socket create_stream_socket_perms;
-
- # log files
--allow zabbix_t zabbix_log_t:dir setattr;
-+allow zabbix_t zabbix_log_t:dir setattr_dir_perms;
- manage_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
- logging_log_filetrans(zabbix_t, zabbix_log_t, file)
-
-+# tmp files
-+manage_dirs_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t)
-+manage_files_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t)
-+files_tmp_filetrans(zabbix_t, zabbix_tmp_t, { dir file })
-+
- # shared memory
- rw_files_pattern(zabbix_t, zabbix_tmpfs_t, zabbix_tmpfs_t)
- fs_tmpfs_filetrans(zabbix_t, zabbix_tmpfs_t, file)
-@@ -58,26 +75,48 @@ manage_dirs_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
- manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
- files_pid_filetrans(zabbix_t, zabbix_var_run_t, { dir file })
-
-+kernel_read_system_state(zabbix_t)
-+kernel_read_kernel_sysctls(zabbix_t)
-+
-+corecmd_exec_bin(zabbix_t)
-+corecmd_exec_shell(zabbix_t)
-+
- corenet_tcp_bind_generic_node(zabbix_t)
+ ## <desc>
+-## <p>
++## <p>
+ ## Determine whether zabbix can
+ ## connect to all TCP ports
+ ## </p>
+@@ -90,6 +90,12 @@ corenet_sendrecv_zabbix_server_packets(zabbix_t)
corenet_tcp_bind_zabbix_port(zabbix_t)
+ corenet_tcp_sendrecv_zabbix_port(zabbix_t)
+
+# needed by zabbix-server-mysql
+corenet_tcp_connect_http_port(zabbix_t)
+# to monitor ftp urls
+corenet_tcp_connect_ftp_port(zabbix_t)
++
++
+ corecmd_exec_bin(zabbix_t)
+ corecmd_exec_shell(zabbix_t)
--files_read_etc_files(zabbix_t)
-+dev_read_urand(zabbix_t)
+@@ -99,7 +105,6 @@ files_read_usr_files(zabbix_t)
--miscfiles_read_localization(zabbix_t)
-+files_read_usr_files(zabbix_t)
-+
-+auth_use_nsswitch(zabbix_t)
+ auth_use_nsswitch(zabbix_t)
--sysnet_dns_name_resolve(zabbix_t)
+-miscfiles_read_localization(zabbix_t)
zabbix_agent_tcp_connect(zabbix_t)
-+tunable_policy(`zabbix_can_network',`
-+ corenet_tcp_connect_all_ports(zabbix_t)
-+')
-+
+@@ -115,7 +120,10 @@ optional_policy(`
+
optional_policy(`
mysql_stream_connect(zabbix_t)
- mysql_tcp_connect(zabbix_t)
@@ -74421,17 +86018,15 @@ index 8c0bd70..24dd920 100644
')
optional_policy(`
- postgresql_stream_connect(zabbix_t)
- ')
+@@ -125,6 +133,7 @@ optional_policy(`
-+optional_policy(`
+ optional_policy(`
+ snmp_read_snmp_var_lib_files(zabbix_t)
+ snmp_read_snmp_var_lib_dirs(zabbix_t)
-+')
-+
+ ')
+
########################################
- #
- # zabbix agent local policy
-@@ -121,7 +160,6 @@ domain_search_all_domains_state(zabbix_agent_t)
+@@ -182,7 +191,6 @@ domain_search_all_domains_state(zabbix_agent_t)
files_getattr_all_dirs(zabbix_agent_t)
files_getattr_all_files(zabbix_agent_t)
files_read_all_symlinks(zabbix_agent_t)
@@ -74439,7 +86034,7 @@ index 8c0bd70..24dd920 100644
fs_getattr_all_fs(zabbix_agent_t)
-@@ -129,7 +167,6 @@ init_read_utmp(zabbix_agent_t)
+@@ -190,7 +198,6 @@ init_read_utmp(zabbix_agent_t)
logging_search_logs(zabbix_agent_t)
@@ -74448,75 +86043,233 @@ index 8c0bd70..24dd920 100644
sysnet_dns_name_resolve(zabbix_agent_t)
diff --git a/zarafa.fc b/zarafa.fc
-index 3defaa1..a451e97 100644
+index faf99ed..a451e97 100644
--- a/zarafa.fc
+++ b/zarafa.fc
-@@ -8,19 +8,24 @@
- /usr/bin/zarafa-server -- gen_context(system_u:object_r:zarafa_server_exec_t,s0)
- /usr/bin/zarafa-spooler -- gen_context(system_u:object_r:zarafa_spooler_exec_t,s0)
-
--/var/lib/zarafa-.* gen_context(system_u:object_r:zarafa_var_lib_t,s0)
+@@ -1,20 +1,18 @@
+-/etc/zarafa(/.*)? gen_context(system_u:object_r:zarafa_etc_t,s0)
++/etc/zarafa(/.*)? gen_context(system_u:object_r:zarafa_etc_t,s0)
+
+-/etc/rc\.d/init\.d/zarafa.* -- gen_context(system_u:object_r:zarafa_initrc_exec_t,s0)
++/usr/bin/zarafa-dagent -- gen_context(system_u:object_r:zarafa_deliver_exec_t,s0)
++/usr/bin/zarafa-gateway -- gen_context(system_u:object_r:zarafa_gateway_exec_t,s0)
++/usr/bin/zarafa-ical -- gen_context(system_u:object_r:zarafa_ical_exec_t,s0)
++/usr/bin/zarafa-indexer -- gen_context(system_u:object_r:zarafa_indexer_exec_t,s0)
++/usr/bin/zarafa-monitor -- gen_context(system_u:object_r:zarafa_monitor_exec_t,s0)
++/usr/bin/zarafa-server -- gen_context(system_u:object_r:zarafa_server_exec_t,s0)
++/usr/bin/zarafa-spooler -- gen_context(system_u:object_r:zarafa_spooler_exec_t,s0)
+
+-/usr/bin/zarafa-dagent -- gen_context(system_u:object_r:zarafa_deliver_exec_t,s0)
+-/usr/bin/zarafa-gateway -- gen_context(system_u:object_r:zarafa_gateway_exec_t,s0)
+-/usr/bin/zarafa-ical -- gen_context(system_u:object_r:zarafa_ical_exec_t,s0)
+-/usr/bin/zarafa-indexer -- gen_context(system_u:object_r:zarafa_indexer_exec_t,s0)
+-/usr/bin/zarafa-monitor -- gen_context(system_u:object_r:zarafa_monitor_exec_t,s0)
+-/usr/bin/zarafa-server -- gen_context(system_u:object_r:zarafa_server_exec_t,s0)
+-/usr/bin/zarafa-spooler -- gen_context(system_u:object_r:zarafa_spooler_exec_t,s0)
+-
+-/var/lib/zarafa(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0)
+/var/lib/zarafa(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0)
-+/var/lib/zarafa-webaccess(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0)
+ /var/lib/zarafa-webaccess(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0)
+-/var/lib/zarafa-webapp(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0)
+/var/lib/zarafa-webapp(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0)
--/var/log/zarafa/gateway\.log -- gen_context(system_u:object_r:zarafa_gateway_log_t,s0)
--/var/log/zarafa/ical\.log -- gen_context(system_u:object_r:zarafa_ical_log_t,s0)
--/var/log/zarafa/indexer\.log -- gen_context(system_u:object_r:zarafa_indexer_log_t,s0)
--/var/log/zarafa/monitor\.log -- gen_context(system_u:object_r:zarafa_monitor_log_t,s0)
--/var/log/zarafa/server\.log -- gen_context(system_u:object_r:zarafa_server_log_t,s0)
--/var/log/zarafa/spooler\.log -- gen_context(system_u:object_r:zarafa_spooler_log_t,s0)
+-/var/log/zarafa/dagent\.log.* -- gen_context(system_u:object_r:zarafa_deliver_log_t,s0)
+/var/log/zarafa/dagent\.log.* -- gen_context(system_u:object_r:zarafa_deliver_log_t,s0)
-+/var/log/zarafa/gateway\.log.* -- gen_context(system_u:object_r:zarafa_gateway_log_t,s0)
-+/var/log/zarafa/ical\.log.* -- gen_context(system_u:object_r:zarafa_ical_log_t,s0)
-+/var/log/zarafa/indexer\.log.* -- gen_context(system_u:object_r:zarafa_indexer_log_t,s0)
-+/var/log/zarafa/monitor\.log.* -- gen_context(system_u:object_r:zarafa_monitor_log_t,s0)
-+/var/log/zarafa/server\.log.* -- gen_context(system_u:object_r:zarafa_server_log_t,s0)
-+/var/log/zarafa/spooler\.log.* -- gen_context(system_u:object_r:zarafa_spooler_log_t,s0)
-
- /var/run/zarafa -s gen_context(system_u:object_r:zarafa_server_var_run_t,s0)
+ /var/log/zarafa/gateway\.log.* -- gen_context(system_u:object_r:zarafa_gateway_log_t,s0)
+ /var/log/zarafa/ical\.log.* -- gen_context(system_u:object_r:zarafa_ical_log_t,s0)
+ /var/log/zarafa/indexer\.log.* -- gen_context(system_u:object_r:zarafa_indexer_log_t,s0)
+@@ -22,11 +20,11 @@
+ /var/log/zarafa/server\.log.* -- gen_context(system_u:object_r:zarafa_server_log_t,s0)
+ /var/log/zarafa/spooler\.log.* -- gen_context(system_u:object_r:zarafa_spooler_log_t,s0)
+
+-/var/run/zarafa -s gen_context(system_u:object_r:zarafa_server_var_run_t,s0)
+-/var/run/zarafa-dagent\.pid -- gen_context(system_u:object_r:zarafa_deliver_var_run_t,s0)
++/var/run/zarafa -s gen_context(system_u:object_r:zarafa_server_var_run_t,s0)
+/var/run/zarafa-dagent\.pid -- gen_context(system_u:object_r:zarafa_deliver_var_run_t,s0)
/var/run/zarafa-gateway\.pid -- gen_context(system_u:object_r:zarafa_gateway_var_run_t,s0)
/var/run/zarafa-ical\.pid -- gen_context(system_u:object_r:zarafa_ical_var_run_t,s0)
--/var/run/zarafa-indexer -- gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0)
+-/var/run/zarafa-indexer -s gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0)
+/var/run/zarafa-indexer -s gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0)
-+/var/run/zarafa-indexer\.pid -- gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0)
+ /var/run/zarafa-indexer\.pid -- gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0)
/var/run/zarafa-monitor\.pid -- gen_context(system_u:object_r:zarafa_monitor_var_run_t,s0)
/var/run/zarafa-server\.pid -- gen_context(system_u:object_r:zarafa_server_var_run_t,s0)
- /var/run/zarafa-spooler\.pid -- gen_context(system_u:object_r:zarafa_spooler_var_run_t,s0)
diff --git a/zarafa.if b/zarafa.if
-index 21ae664..3d08962 100644
+index 36e32df..3d08962 100644
--- a/zarafa.if
+++ b/zarafa.if
-@@ -42,6 +42,12 @@ template(`zarafa_domain_template',`
+@@ -1,55 +1,59 @@
+ ## <summary>Zarafa collaboration platform.</summary>
- manage_files_pattern(zarafa_$1_t, zarafa_$1_log_t, zarafa_$1_log_t)
- logging_log_filetrans(zarafa_$1_t, zarafa_$1_log_t, { file })
+-#######################################
++######################################
+ ## <summary>
+-## The template to define a zarafa domain.
++## Creates types and rules for a basic
++## zararfa init daemon domain.
+ ## </summary>
+-## <param name="domain_prefix">
++## <param name="prefix">
+ ## <summary>
+-## Domain prefix to be used.
++## Prefix for the domain.
+ ## </summary>
+ ## </param>
+ #
+ template(`zarafa_domain_template',`
+ gen_require(`
+- attribute zarafa_domain, zarafa_logfile, zarafa_pidfile;
++ attribute zarafa_domain;
+ ')
+
+- ########################################
++ ##############################
+ #
+- # Declarations
++ # $1_t declarations
+ #
+
+ type zarafa_$1_t, zarafa_domain;
+ type zarafa_$1_exec_t;
+ init_daemon_domain(zarafa_$1_t, zarafa_$1_exec_t)
+
+- type zarafa_$1_log_t, zarafa_logfile;
++ type zarafa_$1_log_t;
+ logging_log_file(zarafa_$1_log_t)
+
+- type zarafa_$1_var_run_t, zarafa_pidfile;
++ type zarafa_$1_var_run_t;
+ files_pid_file(zarafa_$1_var_run_t)
+
+- ########################################
++ ##############################
+ #
+- # Policy
++ # $1_t local policy
+ #
+
+ manage_files_pattern(zarafa_$1_t, zarafa_$1_var_run_t, zarafa_$1_var_run_t)
+ manage_sock_files_pattern(zarafa_$1_t, zarafa_$1_var_run_t, zarafa_$1_var_run_t)
+ files_pid_filetrans(zarafa_$1_t, zarafa_$1_var_run_t, { file sock_file })
+
+- append_files_pattern(zarafa_$1_t, zarafa_$1_log_t, zarafa_$1_log_t)
+- create_files_pattern(zarafa_$1_t, zarafa_$1_log_t, zarafa_$1_log_t)
+- setattr_files_pattern(zarafa_$1_t, zarafa_$1_log_t, zarafa_$1_log_t)
+- logging_log_filetrans(zarafa_$1_t, zarafa_$1_log_t, file)
++ manage_files_pattern(zarafa_$1_t, zarafa_$1_log_t, zarafa_$1_log_t)
++ logging_log_filetrans(zarafa_$1_t, zarafa_$1_log_t, { file })
+
+ kernel_read_system_state(zarafa_$1_t)
-+
-+ auth_use_nsswitch(zarafa_$1_t)
+
+ auth_use_nsswitch(zarafa_$1_t)
+
+ logging_send_syslog_msg(zarafa_$1_t)
')
######################################
-@@ -118,3 +124,25 @@ interface(`zarafa_stream_connect_server',`
- files_search_var_lib($1)
+ ## <summary>
+-## search zarafa configuration directories.
++## Allow the specified domain to search
++## zarafa configuration dirs.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -68,7 +72,7 @@ interface(`zarafa_search_config',`
+
+ ########################################
+ ## <summary>
+-## Execute a domain transition to run zarafa deliver.
++## Execute a domain transition to run zarafa_deliver.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -81,13 +85,12 @@ interface(`zarafa_domtrans_deliver',`
+ type zarafa_deliver_t, zarafa_deliver_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+ domtrans_pattern($1, zarafa_deliver_exec_t, zarafa_deliver_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Execute a domain transition to run zarafa server.
++## Execute a domain transition to run zarafa_server.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -100,14 +103,12 @@ interface(`zarafa_domtrans_server',`
+ type zarafa_server_t, zarafa_server_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+ domtrans_pattern($1, zarafa_server_exec_t, zarafa_server_t)
+ ')
+
+ #######################################
+ ## <summary>
+-## Connect to zarafa server with a unix
+-## domain stream socket.
++## Connect to zarafa-server unix domain stream socket.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -124,51 +125,24 @@ interface(`zarafa_stream_connect_server',`
stream_connect_pattern($1, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t)
')
-+
+
+-########################################
+####################################
-+## <summary>
+ ## <summary>
+-## All of the rules required to
+-## administrate an zarafa environment.
+## Allow the specified domain to manage
+## zarafa /var/lib files.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+-## </param>
+-## <param name="role">
+-## <summary>
+-## Role allowed access.
+-## </summary>
+## <summary>
+## Domain allowed access.
+## </summary>
-+## </param>
-+#
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`zarafa_admin',`
+- gen_require(`
+- attribute zarafa_domain, zarafa_logfile, zarafa_pidfile;
+- type zarafa_etc_t, zarafa_initrc_exec_t, zarafa_deliver_tmp_t;
+- type zarafa_indexer_tmp_t, zarafa_server_tmp_t, zarafa_share_t;
+- type zarafa_var_lib_t;
+- ')
+-
+- allow $1 zarafa_domain:process { ptrace signal_perms };
+- ps_process_pattern($1, zarafa_domain)
+-
+- init_labeled_script_domtrans($1, zarafa_initrc_exec_t)
+- domain_system_change_exemption($1)
+- role_transition $2 zarafa_initrc_exec_t system_r;
+- allow $2 system_r;
+-
+- files_search_etc($1)
+- admin_pattern($1, zarafa_etc_t)
+-
+- files_search_tmp($1)
+- admin_pattern($1, { zarafa_deliver_tmp_t zarafa_indexer_tmp_t zarafa_server_tmp_t })
+-
+- logging_search_log($1)
+- admin_pattern($1, zarafa_logfile)
+-
+- files_search_var_lib($1)
+- admin_pattern($1, { zarafa_var_lib_t zarafa_share_t })
+-
+- files_search_pids($1)
+- admin_pattern($1, zarafa_pidfile)
+interface(`zarafa_manage_lib_files',`
+ gen_require(`
+ type zarafa_var_lib_t;
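Review bot: `zarafa_domain_template` (L108851–L108852) replaces upstream's `append_files_pattern`/`create_files_pattern`/`setattr_files_pattern` on `zarafa_$1_log_t` with `manage_files_pattern`, which additionally lets each daemon unlink, rename and truncate its own log files; the append-only form is what keeps a compromised daemon from erasing its own trail. If a daemon really rewrites or rotates its log itself (the `.log.*` entries in zarafa.fc at L108756–L108767 hint at rotation, though that is usually done from a separate logrotate domain), keep `manage_files_pattern` but say why in a comment; otherwise restore the three narrower patterns. Removing `zarafa_admin` outright (L108945–L108974) also leaves the module without an administrative interface, which deserves a sentence in the commit message. The `zarafa_manage_lib_files` interface at the end of this hunk continues into the next one.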
@@ -74526,39 +86279,70 @@ index 21ae664..3d08962 100644
+ manage_files_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)
+ manage_lnk_files_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)
+ manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)
-+')
+ ')
diff --git a/zarafa.te b/zarafa.te
-index 91267bc..0aa9870 100644
+index a4479b1..0aa9870 100644
--- a/zarafa.te
+++ b/zarafa.te
-@@ -18,6 +18,10 @@ files_config_file(zarafa_etc_t)
+@@ -1,4 +1,4 @@
+-policy_module(zarafa, 1.1.4)
++policy_module(zarafa, 1.1.0)
+
+ ########################################
+ #
+@@ -6,8 +6,6 @@ policy_module(zarafa, 1.1.4)
+ #
+
+ attribute zarafa_domain;
+-attribute zarafa_logfile;
+-attribute zarafa_pidfile;
+
+ zarafa_domain_template(deliver)
+
+@@ -17,9 +15,6 @@ files_tmp_file(zarafa_deliver_tmp_t)
+ type zarafa_etc_t;
+ files_config_file(zarafa_etc_t)
+
+-type zarafa_initrc_exec_t;
+-init_script_file(zarafa_initrc_exec_t)
+-
zarafa_domain_template(gateway)
zarafa_domain_template(ical)
zarafa_domain_template(indexer)
-+
-+type zarafa_indexer_tmp_t;
-+files_tmp_file(zarafa_indexer_tmp_t)
-+
- zarafa_domain_template(monitor)
- zarafa_domain_template(server)
+@@ -43,61 +38,77 @@ files_tmp_file(zarafa_var_lib_t)
-@@ -48,10 +52,9 @@ auth_use_nsswitch(zarafa_deliver_t)
- # zarafa_gateway local policy
+ ########################################
+ #
+-# Deliver local policy
++# zarafa-deliver local policy
#
--allow zarafa_gateway_t self:capability { chown kill };
-+allow zarafa_gateway_t self:capability { kill };
- allow zarafa_gateway_t self:process setrlimit;
+ manage_dirs_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t)
+ manage_files_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t)
+ files_tmp_filetrans(zarafa_deliver_t, zarafa_deliver_tmp_t, { file dir })
+
++auth_use_nsswitch(zarafa_deliver_t)
++
+ ########################################
+ #
+-# Gateway local policy
++# zarafa_gateway local policy
+ #
-corenet_all_recvfrom_unlabeled(zarafa_gateway_t)
++allow zarafa_gateway_t self:capability { kill };
++allow zarafa_gateway_t self:process setrlimit;
++
corenet_all_recvfrom_netlabel(zarafa_gateway_t)
corenet_tcp_sendrecv_generic_if(zarafa_gateway_t)
corenet_tcp_sendrecv_generic_node(zarafa_gateway_t)
-@@ -59,16 +62,28 @@ corenet_tcp_sendrecv_all_ports(zarafa_gateway_t)
++corenet_tcp_sendrecv_all_ports(zarafa_gateway_t)
corenet_tcp_bind_generic_node(zarafa_gateway_t)
+-
+-corenet_sendrecv_pop_server_packets(zarafa_gateway_t)
corenet_tcp_bind_pop_port(zarafa_gateway_t)
-
--auth_use_nsswitch(zarafa_gateway_t)
+-corenet_tcp_sendrecv_pop_port(zarafa_gateway_t)
++
+######################################
+#
+# zarafa-indexer local policy
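Review bot: `corenet_tcp_sendrecv_all_ports(zarafa_gateway_t)` (L109051) replaces the `corenet_sendrecv_pop_server_packets`/`corenet_tcp_sendrecv_pop_port` pair, so the gateway may now send and receive on every TCP port type corenetwork declares while it still binds only the pop port; the pop-specific interfaces are the least-privilege form unless the gateway also talks to other services, in which case name those ports instead. The same widening appears for `zarafa_ical_t` at L109079 in the following hunk, which still binds only the http_cache port. Separately, `policy_module(zarafa, 1.1.4)` is lowered to `1.1.0` (L108991–L108992); a module version that moves backwards confuses anyone comparing an installed module against the source, so keep 1.1.4 or bump it.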
@@ -74577,39 +86361,52 @@ index 91267bc..0aa9870 100644
#######################################
#
- # zarafa-ical local policy
+-# Ical local policy
++# zarafa-ical local policy
#
--allow zarafa_ical_t self:capability chown;
-
-corenet_all_recvfrom_unlabeled(zarafa_ical_t)
++
corenet_all_recvfrom_netlabel(zarafa_ical_t)
corenet_tcp_sendrecv_generic_if(zarafa_ical_t)
corenet_tcp_sendrecv_generic_node(zarafa_ical_t)
-@@ -83,7 +98,6 @@ auth_use_nsswitch(zarafa_ical_t)
- # zarafa-monitor local policy
++corenet_tcp_sendrecv_all_ports(zarafa_ical_t)
+ corenet_tcp_bind_generic_node(zarafa_ical_t)
+-
+-corenet_sendrecv_http_cache_client_packets(zarafa_ical_t)
+ corenet_tcp_bind_http_cache_port(zarafa_ical_t)
+-corenet_tcp_sendrecv_http_cache_port(zarafa_ical_t)
++
++auth_use_nsswitch(zarafa_ical_t)
+
+ ######################################
+ #
+-# Indexer local policy
++# zarafa-monitor local policy
#
--allow zarafa_monitor_t self:capability chown;
+-manage_dirs_pattern(zarafa_indexer_t, zarafa_indexer_tmp_t, zarafa_indexer_tmp_t)
+-manage_files_pattern(zarafa_indexer_t, zarafa_indexer_tmp_t, zarafa_indexer_tmp_t)
+-files_tmp_filetrans(zarafa_indexer_t, zarafa_indexer_tmp_t, { file dir })
- auth_use_nsswitch(zarafa_monitor_t)
+-manage_dirs_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t)
+-manage_files_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t)
+-manage_lnk_files_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t)
++auth_use_nsswitch(zarafa_monitor_t)
-@@ -92,7 +106,7 @@ auth_use_nsswitch(zarafa_monitor_t)
- # zarafa_server local policy
+ ########################################
+ #
+-# Server local policy
++# zarafa_server local policy
#
--allow zarafa_server_t self:capability { chown kill net_bind_service };
+allow zarafa_server_t self:capability { kill net_bind_service };
- allow zarafa_server_t self:process setrlimit;
-
++allow zarafa_server_t self:process setrlimit;
++
manage_dirs_pattern(zarafa_server_t, zarafa_server_tmp_t, zarafa_server_tmp_t)
-@@ -101,11 +115,11 @@ files_tmp_filetrans(zarafa_server_t, zarafa_server_tmp_t, { file dir })
-
- manage_dirs_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t)
- manage_files_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t)
--files_var_lib_filetrans(zarafa_server_t, zarafa_var_lib_t, { file dir })
-+manage_lnk_files_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t)
-+files_var_lib_filetrans(zarafa_server_t, zarafa_var_lib_t, { file dir lnk_file })
+ manage_files_pattern(zarafa_server_t, zarafa_server_tmp_t, zarafa_server_tmp_t)
+ files_tmp_filetrans(zarafa_server_t, zarafa_server_tmp_t, { file dir })
+@@ -109,70 +120,89 @@ files_var_lib_filetrans(zarafa_server_t, zarafa_var_lib_t, { file dir lnk_file }
stream_connect_pattern(zarafa_server_t, zarafa_indexer_var_run_t, zarafa_indexer_var_run_t, zarafa_indexer_t)
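Review bot: `corenet_tcp_sendrecv_all_ports(zarafa_ical_t)` on the new side replaces the port-specific `corenet_tcp_sendrecv_http_cache_port(zarafa_ical_t)` that the same hunk removes, so the daemon may now exchange packets on every labelled TCP port instead of only the one it binds. The same substitution appears for zarafa_server_t and zarafa_spooler_t in the next hunk and for zebra_t (TCP and UDP) in the `@@ -74748,16 +86707,57 @@` hunk. These sendrecv rules only bite under a labelled-network/SECMARK configuration, so the practical exposure is limited, but the loosening is easy to misread as accidental. If it is the intended distribution-wide convention, a one-line comment at the first occurrence such as `# distro policy: sendrecv on all ports; per-port rules stay upstream` would make that explicit; otherwise keeping the narrower `corenet_tcp_sendrecv_*_port` calls preserves least privilege.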
@@ -74617,23 +86414,60 @@ index 91267bc..0aa9870 100644
corenet_all_recvfrom_netlabel(zarafa_server_t)
corenet_tcp_sendrecv_generic_if(zarafa_server_t)
corenet_tcp_sendrecv_generic_node(zarafa_server_t)
-@@ -135,11 +149,10 @@ optional_policy(`
- # zarafa_spooler local policy
++corenet_tcp_sendrecv_all_ports(zarafa_server_t)
+ corenet_tcp_bind_generic_node(zarafa_server_t)
+-
+-corenet_sendrecv_zarafa_server_packets(zarafa_server_t)
+ corenet_tcp_bind_zarafa_port(zarafa_server_t)
+-corenet_tcp_sendrecv_zarafa_port(zarafa_server_t)
+
+ files_read_usr_files(zarafa_server_t)
+
++auth_use_nsswitch(zarafa_server_t)
++
++logging_send_syslog_msg(zarafa_server_t)
+ logging_send_audit_msgs(zarafa_server_t)
+
++sysnet_dns_name_resolve(zarafa_server_t)
++
+ optional_policy(`
+ kerberos_use(zarafa_server_t)
+ ')
+
+ optional_policy(`
+ mysql_stream_connect(zarafa_server_t)
+- mysql_tcp_connect(zarafa_server_t)
+-')
+-
+-optional_policy(`
+- postgresql_stream_connect(zarafa_server_t)
+- postgresql_tcp_connect(zarafa_server_t)
+ ')
+
+ ########################################
+ #
+-# Spooler local policy
++# zarafa_spooler local policy
#
--allow zarafa_spooler_t self:capability { chown kill };
+allow zarafa_spooler_t self:capability { kill };
-
++
can_exec(zarafa_spooler_t, zarafa_spooler_exec_t)
-corenet_all_recvfrom_unlabeled(zarafa_spooler_t)
corenet_all_recvfrom_netlabel(zarafa_spooler_t)
corenet_tcp_sendrecv_generic_if(zarafa_spooler_t)
corenet_tcp_sendrecv_generic_node(zarafa_spooler_t)
-@@ -150,11 +163,35 @@ auth_use_nsswitch(zarafa_spooler_t)
-
- ########################################
- #
+-
+-corenet_sendrecv_smtp_client_packets(zarafa_spooler_t)
++corenet_tcp_sendrecv_all_ports(zarafa_spooler_t)
+ corenet_tcp_connect_smtp_port(zarafa_spooler_t)
+-corenet_tcp_sendrecv_smtp_port(zarafa_spooler_t)
++
++auth_use_nsswitch(zarafa_spooler_t)
++
++########################################
++#
+# zarafa_gateway local policy
+#
+
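Review bot: `sysnet_dns_name_resolve(zarafa_server_t)` is added a few lines below the new `auth_use_nsswitch(zarafa_server_t)`; in refpolicy of this generation `auth_use_nsswitch` already grants name resolution, so the explicit call looks redundant — confirm against the tree's authlogin.if and drop it if so. The hunk also removes the `postgresql_stream_connect`/`postgresql_tcp_connect` optional block and `mysql_tcp_connect`; if zarafa-server can still be configured for a PostgreSQL backend or a remote MySQL, those connections will now be denied with nothing in the policy explaining why, so a comment at that spot or a changelog line naming the dropped backend support would help. The zarafa_server local policy block this hunk continues starts in the previous hunk.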
@@ -74655,43 +86489,130 @@ index 91267bc..0aa9870 100644
+# zarafa-monitor local policy
+#
+
-+
-+########################################
-+#
- # zarafa domains local policy
+
+ ########################################
+ #
+-# Zarafa domain local policy
++# zarafa domains local policy
#
- # bad permission on /etc/zarafa
--allow zarafa_domain self:capability { dac_override setgid setuid };
+-allow zarafa_domain self:capability { kill dac_override chown setgid setuid };
+-allow zarafa_domain self:process { setrlimit signal };
++# bad permission on /etc/zarafa
+allow zarafa_domain self:capability { dac_override chown setgid setuid };
- allow zarafa_domain self:process signal;
++allow zarafa_domain self:process signal;
allow zarafa_domain self:fifo_file rw_fifo_file_perms;
- allow zarafa_domain self:tcp_socket create_stream_socket_perms;
-@@ -164,8 +201,8 @@ stream_connect_pattern(zarafa_domain, zarafa_server_var_run_t, zarafa_server_var
+-allow zarafa_domain self:tcp_socket { accept listen };
+-allow zarafa_domain self:unix_stream_socket { accept listen };
++allow zarafa_domain self:tcp_socket create_stream_socket_perms;
++allow zarafa_domain self:unix_stream_socket create_stream_socket_perms;
+
+ stream_connect_pattern(zarafa_domain, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t)
read_files_pattern(zarafa_domain, zarafa_etc_t, zarafa_etc_t)
-kernel_read_system_state(zarafa_domain)
-+dev_read_rand(zarafa_domain)
-+dev_read_urand(zarafa_domain)
+-
+ dev_read_rand(zarafa_domain)
+ dev_read_urand(zarafa_domain)
- files_read_etc_files(zarafa_domain)
+-logging_send_syslog_msg(zarafa_domain)
++files_read_etc_files(zarafa_domain)
-miscfiles_read_localization(zarafa_domain)
+diff --git a/zebra.fc b/zebra.fc
+index 28ee4ca..e1b30b2 100644
+--- a/zebra.fc
++++ b/zebra.fc
+@@ -1,21 +1,22 @@
+-/etc/quagga(/.*)? gen_context(system_u:object_r:zebra_conf_t,s0)
+-/etc/zebra(/.*)? gen_context(system_u:object_r:zebra_conf_t,s0)
+-
+ /etc/rc\.d/init\.d/bgpd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
+-/etc/rc\.d/init\.d/ospf6d -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
+-/etc/rc\.d/init\.d/ospfd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/ospf6d -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/ospfd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/ripd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
+-/etc/rc\.d/init\.d/ripngd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
+-/etc/rc\.d/init\.d/zebra -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/ripngd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/zebra -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
++
++/usr/sbin/bgpd -- gen_context(system_u:object_r:zebra_exec_t,s0)
++/usr/sbin/zebra -- gen_context(system_u:object_r:zebra_exec_t,s0)
++
++/etc/quagga(/.*)? gen_context(system_u:object_r:zebra_conf_t,s0)
++/etc/zebra(/.*)? gen_context(system_u:object_r:zebra_conf_t,s0)
+
+-/usr/sbin/bgpd -- gen_context(system_u:object_r:zebra_exec_t,s0)
+ /usr/sbin/ospf.* -- gen_context(system_u:object_r:zebra_exec_t,s0)
+-/usr/sbin/rip.* -- gen_context(system_u:object_r:zebra_exec_t,s0)
+-/usr/sbin/zebra -- gen_context(system_u:object_r:zebra_exec_t,s0)
++/usr/sbin/rip.* -- gen_context(system_u:object_r:zebra_exec_t,s0)
+
+-/var/log/quagga(/.*)? gen_context(system_u:object_r:zebra_log_t,s0)
+-/var/log/zebra(/.*)? gen_context(system_u:object_r:zebra_log_t,s0)
++/var/log/quagga(/.*)? gen_context(system_u:object_r:zebra_log_t,s0)
++/var/log/zebra(/.*)? gen_context(system_u:object_r:zebra_log_t,s0)
+
+ /var/run/\.zebra -s gen_context(system_u:object_r:zebra_var_run_t,s0)
+ /var/run/\.zserv -s gen_context(system_u:object_r:zebra_var_run_t,s0)
+-/var/run/quagga(/.*)? gen_context(system_u:object_r:zebra_var_run_t,s0)
++/var/run/quagga(/.*)? gen_context(system_u:object_r:zebra_var_run_t,s0)
diff --git a/zebra.if b/zebra.if
-index 6b87605..ef64e73 100644
+index 3416401..ef64e73 100644
--- a/zebra.if
+++ b/zebra.if
-@@ -38,8 +38,7 @@ interface(`zebra_stream_connect',`
- ')
+@@ -1,8 +1,8 @@
+-## <summary>Zebra border gateway protocol network routing service.</summary>
++## <summary>Zebra border gateway protocol network routing service</summary>
- files_search_pids($1)
-- allow $1 zebra_var_run_t:sock_file write;
-- allow $1 zebra_t:unix_stream_socket connectto;
-+ stream_connect_pattern($1, zebra_var_run_t, zebra_var_run_t, zebra_t)
+ ########################################
+ ## <summary>
+-## Read zebra configuration content.
++## Read the configuration files for zebra.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -18,14 +18,13 @@ interface(`zebra_read_config',`
+
+ files_search_etc($1)
+ allow $1 zebra_conf_t:dir list_dir_perms;
+- allow $1 zebra_conf_t:file read_file_perms;
+- allow $1 zebra_conf_t:lnk_file read_lnk_file_perms;
++ read_files_pattern($1, zebra_conf_t, zebra_conf_t)
++ read_lnk_files_pattern($1, zebra_conf_t, zebra_conf_t)
')
########################################
+ ## <summary>
+-## Connect to zebra with a unix
+-## domain stream socket.
++## Connect to zebra over an unix stream socket.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -44,8 +43,8 @@ interface(`zebra_stream_connect',`
+
+ ########################################
+ ## <summary>
+-## All of the rules required to
+-## administrate an zebra environment.
++## All of the rules required to administrate
++## an zebra environment
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -54,7 +53,7 @@ interface(`zebra_stream_connect',`
+ ## </param>
+ ## <param name="role">
+ ## <summary>
+-## Role allowed access.
++## The role to be allowed to manage the zebra domain.
+ ## </summary>
+ ## </param>
+ ## <rolecap/>
@@ -62,12 +61,14 @@ interface(`zebra_stream_connect',`
interface(`zebra_admin',`
gen_require(`
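Review bot: `allow zarafa_domain self:capability { dac_override chown setgid setuid };` grants every zarafa domain full DAC bypass, and the only justification is the comment `# bad permission on /etc/zarafa`. dac_override lets a compromised daemon ignore mode bits on anything its type-enforcement rules otherwise reach; if the need is only to read a root-owned config directory, `dac_read_search` is the narrower capability, and correcting the package's ownership of /etc/zarafa would remove the need entirely. At minimum the comment should name the file and mode that trigger the denial so the workaround can be revisited, e.g. `# workaround: /etc/zarafa shipped with restrictive mode bits; drop dac_override once the package fixes ownership`. The same hunk also widens `self:tcp_socket` and `self:unix_stream_socket` for all zarafa domains from upstream's `{ accept listen }` to `create_stream_socket_perms`, which is worth confirming per domain since not every zarafa process needs to listen.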
@@ -74711,14 +86632,29 @@ index 6b87605..ef64e73 100644
init_labeled_script_domtrans($1, zebra_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/zebra.te b/zebra.te
-index ade6c2c..ac46eb2 100644
+index b0803c2..ac46eb2 100644
--- a/zebra.te
+++ b/zebra.te
-@@ -11,14 +11,14 @@ policy_module(zebra, 1.12.0)
- ## </p>
- ## </desc>
+@@ -1,4 +1,4 @@
+-policy_module(zebra, 1.12.1)
++policy_module(zebra, 1.12.0)
+
+ ########################################
#
+@@ -6,19 +6,19 @@ policy_module(zebra, 1.12.1)
+ #
+
+ ## <desc>
+-## <p>
+-## Determine whether zebra daemon can
+-## manage its configuration files.
+-## </p>
++## <p>
++## Allow zebra daemon to write it configuration files
++## </p>
+ ## </desc>
-gen_tunable(allow_zebra_write_config, false)
++#
+gen_tunable(zebra_write_config, false)
type zebra_t;
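Review bot: On the new side the patch rewrites `policy_module(zebra, 1.12.1)` to `policy_module(zebra, 1.12.0)`, moving the module version backwards relative to upstream; that looks like a merge artefact from an older local copy of zebra.te and should probably be `1.12.1` or higher. The added tunable description has a typo — `## Allow zebra daemon to write it configuration files` should read `## Allow zebra daemon to write its configuration files`. The stray `++#` line inserted between `## </desc>` and `gen_tunable(zebra_write_config, false)` separates the description from the tunable it documents and may stop the policy documentation generator from associating them — confirm and drop it. The `zebra_admin` interface at the top of this hunk starts outside the hunk.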
@@ -74731,15 +86667,38 @@ index ade6c2c..ac46eb2 100644
type zebra_initrc_exec_t;
init_script_file(zebra_initrc_exec_t)
-@@ -52,7 +52,7 @@ allow zebra_t zebra_conf_t:dir list_dir_perms;
- read_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
- read_lnk_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
-
--allow zebra_t zebra_log_t:dir setattr;
-+allow zebra_t zebra_log_t:dir setattr_dir_perms;
- manage_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
+@@ -40,24 +40,24 @@ files_pid_file(zebra_var_run_t)
+ allow zebra_t self:capability { setgid setuid net_admin net_raw };
+ dontaudit zebra_t self:capability sys_tty_config;
+ allow zebra_t self:process { signal_perms getcap setcap };
+-allow zebra_t self:fifo_file rw_fifo_file_perms;
+-allow zebra_t self:unix_stream_socket { accept connectto listen };
++allow zebra_t self:file rw_file_perms;
++allow zebra_t self:unix_dgram_socket create_socket_perms;
++allow zebra_t self:unix_stream_socket { connectto create_stream_socket_perms };
+ allow zebra_t self:netlink_route_socket rw_netlink_socket_perms;
+ allow zebra_t self:tcp_socket { connect connected_stream_socket_perms };
+ allow zebra_t self:udp_socket create_socket_perms;
+ allow zebra_t self:rawip_socket create_socket_perms;
+
+ allow zebra_t zebra_conf_t:dir list_dir_perms;
+-allow zebra_t zebra_conf_t:file read_file_perms;
+-allow zebra_t zebra_conf_t:lnk_file read_lnk_file_perms;
++read_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
++read_lnk_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
+
+ allow zebra_t zebra_log_t:dir setattr_dir_perms;
+-append_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
+-create_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
+-setattr_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
++manage_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
manage_sock_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
logging_log_filetrans(zebra_t, zebra_log_t, { sock_file file dir })
+
++# /tmp/.bgpd is such a bad idea!
+ allow zebra_t zebra_tmp_t:sock_file manage_sock_file_perms;
+ files_tmp_filetrans(zebra_t, zebra_tmp_t, sock_file)
+
@@ -71,7 +71,6 @@ kernel_read_network_state(zebra_t)
kernel_read_kernel_sysctls(zebra_t)
kernel_rw_net_sysctls(zebra_t)
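Review bot: `allow zebra_t self:file rw_file_perms;` replaces upstream's `allow zebra_t self:fifo_file rw_fifo_file_perms;` in this hunk; `self:file` (files carrying the domain's own type, typically only its own /proc entries) is an unusual thing to want, and dropping the fifo rule breaks any pipe the daemon creates, so this reads like a typo for `allow zebra_t self:fifo_file rw_fifo_file_perms;` — confirm against the denial that motivated it. The hunk also widens log access from upstream's append/create/setattr patterns to `manage_files_pattern(zebra_t, zebra_log_t, zebra_log_t)`, which lets the daemon unlink and rewrite its own logs; the narrower set preserves log integrity if the daemon is compromised, so the change deserves a comment naming the operation that was denied. The new comment `# /tmp/.bgpd is such a bad idea!` would carry more information as `# bgpd places its control socket at /tmp/.bgpd, hence the tmp sock_file transition below`.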
@@ -74748,16 +86707,57 @@ index ade6c2c..ac46eb2 100644
corenet_all_recvfrom_netlabel(zebra_t)
corenet_tcp_sendrecv_generic_if(zebra_t)
corenet_udp_sendrecv_generic_if(zebra_t)
-@@ -106,16 +105,16 @@ files_search_etc(zebra_t)
+@@ -79,48 +78,43 @@ corenet_raw_sendrecv_generic_if(zebra_t)
+ corenet_tcp_sendrecv_generic_node(zebra_t)
+ corenet_udp_sendrecv_generic_node(zebra_t)
+ corenet_raw_sendrecv_generic_node(zebra_t)
++corenet_tcp_sendrecv_all_ports(zebra_t)
++corenet_udp_sendrecv_all_ports(zebra_t)
+ corenet_tcp_bind_generic_node(zebra_t)
+ corenet_udp_bind_generic_node(zebra_t)
+-
+-corenet_sendrecv_bgp_server_packets(zebra_t)
+ corenet_tcp_bind_bgp_port(zebra_t)
+-corenet_sendrecv_bgp_client_packets(zebra_t)
++corenet_tcp_bind_zebra_port(zebra_t)
++corenet_udp_bind_router_port(zebra_t)
+ corenet_tcp_connect_bgp_port(zebra_t)
+-corenet_tcp_sendrecv_bgp_port(zebra_t)
+-
+ corenet_sendrecv_zebra_server_packets(zebra_t)
+-corenet_tcp_bind_zebra_port(zebra_t)
+-corenet_tcp_sendrecv_zebra_port(zebra_t)
+-
+ corenet_sendrecv_router_server_packets(zebra_t)
+-corenet_udp_bind_router_port(zebra_t)
+-corenet_udp_sendrecv_router_port(zebra_t)
+
+ dev_associate_usbfs(zebra_var_run_t)
+ dev_list_all_dev_nodes(zebra_t)
+ dev_read_sysfs(zebra_t)
+ dev_rw_zero(zebra_t)
+
++fs_getattr_all_fs(zebra_t)
++fs_search_auto_mountpoints(zebra_t)
++
++term_list_ptys(zebra_t)
++
+ domain_use_interactive_fds(zebra_t)
+
++files_search_etc(zebra_t)
files_read_etc_files(zebra_t)
files_read_etc_runtime_files(zebra_t)
--logging_send_syslog_msg(zebra_t)
+-fs_getattr_all_fs(zebra_t)
+-fs_search_auto_mountpoints(zebra_t)
+-
+-term_list_ptys(zebra_t)
+auth_read_passwd(zebra_t)
--miscfiles_read_localization(zebra_t)
-+logging_send_syslog_msg(zebra_t)
+ logging_send_syslog_msg(zebra_t)
+-miscfiles_read_localization(zebra_t)
+-
sysnet_read_config(zebra_t)
userdom_dontaudit_use_unpriv_user_fds(zebra_t)
@@ -74768,6 +86768,14 @@ index ade6c2c..ac46eb2 100644
manage_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
')
+@@ -139,3 +133,7 @@ optional_policy(`
+ optional_policy(`
+ udev_read_db(zebra_t)
+ ')
++
++optional_policy(`
++ unconfined_sigchld(zebra_t)
++')
diff --git a/zoneminder.fc b/zoneminder.fc
new file mode 100644
index 0000000..e1602ec
@@ -74800,14 +86808,12 @@ index 0000000..e1602ec
+
diff --git a/zoneminder.if b/zoneminder.if
new file mode 100644
-index 0000000..b34b8b4
+index 0000000..c72a70d
--- /dev/null
+++ b/zoneminder.if
-@@ -0,0 +1,339 @@
-+
+@@ -0,0 +1,337 @@
+## <summary>policy for zoneminder</summary>
+
-+
+########################################
+## <summary>
+## Transition to zoneminder.
@@ -75271,19 +87277,11 @@ index 0000000..a98b795
+ ')
+
+')
-diff --git a/zosremote.fc b/zosremote.fc
-index d719d0b..7a7fc61 100644
---- a/zosremote.fc
-+++ b/zosremote.fc
-@@ -1 +1,3 @@
- /sbin/audispd-zos-remote -- gen_context(system_u:object_r:zos_remote_exec_t,s0)
-+
-+/usr/sbin/audispd-zos-remote -- gen_context(system_u:object_r:zos_remote_exec_t,s0)
diff --git a/zosremote.if b/zosremote.if
-index 702e768..2a4f2cc 100644
+index b14698c..16e1581 100644
--- a/zosremote.if
+++ b/zosremote.if
-@@ -34,6 +34,7 @@ interface(`zosremote_domtrans',`
+@@ -35,6 +35,7 @@ interface(`zosremote_domtrans',`
## Role allowed access.
## </summary>
## </param>
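Review bot: The patch no longer carries the zosremote.fc addition of `/usr/sbin/audispd-zos-remote -- gen_context(system_u:object_r:zos_remote_exec_t,s0)`; the removed hunk's context shows the file previously holding only the `/sbin/audispd-zos-remote` entry. If the upstream zosremote.fc being merged does not already include the /usr/sbin path, a usrmerged binary will no longer be labelled zos_remote_exec_t and `logging_dispatcher_domain(zos_remote_t, zos_remote_exec_t)` will not transition audispd's child into zos_remote_t. Worth verifying the merged zosremote.fc before this ships.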
@@ -75292,19 +87290,11 @@ index 702e768..2a4f2cc 100644
interface(`zosremote_run',`
gen_require(`
diff --git a/zosremote.te b/zosremote.te
-index f9a06d2..fade72a 100644
+index 9ba9f81..983b6c8 100644
--- a/zosremote.te
+++ b/zosremote.te
-@@ -16,13 +16,9 @@ logging_dispatcher_domain(zos_remote_t, zos_remote_exec_t)
- #
+@@ -24,6 +24,4 @@ allow zos_remote_t self:unix_stream_socket { accept listen };
- allow zos_remote_t self:process signal;
--allow zos_remote_t self:fifo_file rw_file_perms;
-+allow zos_remote_t self:fifo_file rw_fifo_file_perms;
- allow zos_remote_t self:unix_stream_socket create_stream_socket_perms;
-
--files_read_etc_files(zos_remote_t)
--
auth_use_nsswitch(zos_remote_t)
-miscfiles_read_localization(zos_remote_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index ca1e686..d66811a 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -252,9 +252,9 @@ fi;
. %{_sysconfdir}/selinux/config; \
if [ -e /etc/selinux/%2/.rebuild ]; then \
rm /etc/selinux/%2/.rebuild; \
- (cd /etc/selinux/%2/modules/active/modules; rm -f qemu.pp nsplugin.pp razor.pp pyzord.pp phpfpm.pp hotplug.pp consoletype.pp kudzu.pp howl.pp) \
+ (cd /etc/selinux/%2/modules/active/modules; rm -f consolekit.pp ctdbd.pp fcoemon.pp isnsd.pp l2tpd.pp qemu.pp nsplugin.pp razor.pp pyzord.pp phpfpm.pp hotplug.pp consoletype.pp kudzu.pp howl.pp) \
if [ %1 -ne 1 ]; then \
- /usr/sbin/semodule -n -s %2 -r matahari xfs kudzu kerneloops execmem openoffice ada tzdata hal hotplug howl java mono moilscanner gamin audio_entropy audioentropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal passanger qpidd pyzor razor pki-selinux phpfpm consoletype 2>/dev/null; \
+ /usr/sbin/semodule -n -s %2 -r matahari xfs kudzu kerneloops execmem openoffice ada tzdata hal hotplug howl java mono moilscanner gamin audio_entropy audioentropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal passanger qpidd pyzor razor pki-selinux phpfpm consoletype ctdbd fcoemon isnsd l2tp consolekit 2>/dev/null; \
fi \
/usr/sbin/semodule -B -n -s %2; \
else \
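Review bot: The `rm -f` line removes `l2tpd.pp` while the `semodule -r` list on the following changed line names `l2tp`; the other four new entries (consolekit, ctdbd, fcoemon, isnsd) use the old module name in both places, so `l2tp` in the `-r` list looks like it should be `l2tpd`. As written, the stale l2tpd module may be left registered in the store, and if the renamed l2tp module is already present at that point `semodule -r l2tp` would remove the fresh module instead — confirm the order of operations in the upgrade path. The `2>/dev/null` on that line hides exactly the error that would reveal this, so a quick manual upgrade test is the only way to see it.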
@@ -524,6 +524,9 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Wed Jan 9 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-1
+- Mass merge with upstream
+
* Sat Jan 5 2013 Dan Walsh <dwalsh at redhat.com> 3.11.1-69.1
- Bump the policy version to 28 to match selinux userspace
- Rebuild versus latest libsepol