[selinux-policy/f18] - Add label for dns lib files - Allow svirt_t images to compromise_kernel when using pci-passthrough
Miroslav Grepl
mgrepl at fedoraproject.org
Thu Jan 10 12:16:01 UTC 2013
commit 2afcf88c82417af4e887acc16ab399d2ed4c1530
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Thu Jan 10 13:14:35 2013 +0100
- Add label for dns lib files
- Allow svirt_t images to compromise_kernel when using pci-passthrough
- Blueman uses ctypes which ends up triggering execmem priv.
- Dontaudit attempts by thumb_t to use nscd
- fsdaemon reads all images, if relabeled to svirt_image_t, it should be able to read it
- Allow abrt to read proc_net_t
- Allow NM to transition to l2tpd
- Dontaudit chrome-nacl to append gnome config files
- Add gnome_dontaudit_append_config_files()
- Allow svirt_tcg_t to create netlink_route_socket
- Label /var/lib/unbound as named_cache_t to allow named to write to this directory
- Allow postfix domains to list /tmp
- Allow dnsmasq to list tftpdir_rw_t content
- Allow lxc domains to read fusefs, since libvirt is mounting a fuse file system at /proc/me
- Allow tmpreaper to delete tmpfs files in tmp
- Dontaudit access check on tmp_t files/directories
- Dontaudit access checks on filesystem types by firewalld
- Allow mail_munin_plugins domain to run postconf
- Allow spamd_update to manage gnupg directory
- Add missing postfix_run_postqueue() interface
- Add ntp_exec() interface
- Fix setroubleshoot_fixit_t policy
- Allow setroubleshoot_fixit to execute rpm
- zoneminder needs to connect to httpd ports where remote cameras are listening
- Allow firewalld to execute content created in /run directory
- Allow svirt_t to read generic certs
- Add label for Xvnc
- Add interface to dontaudit access checks on tmp_t
- Fix interface for dontaudit access check to include directory
- Add interface to dontaudit access checks on filesystem types
- Add interface for postgresql_filetrans_named_content to make sure log directories get created
- Allow sshd_t sys_admin for use with afs logins
- Allow systemd to read/write all sysctls
- Additional fix for chroot_user_t backported from RHEL6
- Allow chroot_user_t to getattr on filesystems
- Dontaudit vi attempting to relabel to self files
- Sudo domain is attempting to get the attributes of proc_kcore_t
- Unbound uses port 8953
policy-f18-base.patch | 603 +++++++++++++++++++++++++---------------------
policy-f18-contrib.patch | 393 +++++++++++++++++++-----------
selinux-policy.spec | 46 ++++-
3 files changed, 627 insertions(+), 415 deletions(-)
---
diff --git a/policy-f18-base.patch b/policy-f18-base.patch
index 901141a..1a16867 100644
--- a/policy-f18-base.patch
+++ b/policy-f18-base.patch
@@ -111451,10 +111451,10 @@ index 0960199..aa51ab2 100644
+ can_exec($1, sudo_exec_t)
+')
diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
-index d9fce57..8ae7673 100644
+index d9fce57..baefb50 100644
--- a/policy/modules/admin/sudo.te
+++ b/policy/modules/admin/sudo.te
-@@ -7,3 +7,100 @@ attribute sudodomain;
+@@ -7,3 +7,101 @@ attribute sudodomain;
type sudo_exec_t;
application_executable_file(sudo_exec_t)
@@ -111487,8 +111487,9 @@ index d9fce57..8ae7673 100644
+allow sudodomain self:unix_stream_socket connectto;
+allow sudodomain self:key manage_key_perms;
+
-+kernel_read_kernel_sysctls(sudodomain)
++kernel_getattr_core_if(sudodomain)
+kernel_link_key(sudodomain)
++kernel_read_kernel_sysctls(sudodomain)
+
+corecmd_read_bin_symlinks(sudodomain)
+corecmd_exec_all_executables(sudodomain)
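Review bot: `kernel_getattr_core_if(sudodomain)` grants every sudo domain getattr on the /proc/kcore interface, yet the changelog only says sudo is "attempting" to get those attributes, which reads like audit noise rather than a dependency. If nothing in sudo needs the stat to succeed, a dontaudit of that access (if the kernel module offers one) is the narrower fix; if it is needed, a comment above the rule such as `# sudo stats /proc/kcore; getattr only, no read access` would record the reason. The sudo.te block this hunk patches continues outside the hunk.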
@@ -114385,7 +114386,7 @@ index 8e0f9cd..b9f45b9 100644
define(`create_packet_interfaces',``
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index fe2ee5e..72c5a3b 100644
+index fe2ee5e..fe01386 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.0)
@@ -114641,7 +114642,7 @@ index fe2ee5e..72c5a3b 100644
network_port(rlogind, tcp,513,s0)
-network_port(rndc, tcp,953,s0)
-network_port(router, udp,520,s0, udp,521,s0, tcp,521,s0)
-+network_port(rndc, tcp,953,s0, tcp,8953,s0)
++network_port(rndc, tcp,953,s0, udp,953,s0, tcp,8953,s0)
+network_port(router, udp,520-521,s0, tcp,521,s0)
network_port(rsh, tcp,514,s0)
network_port(rsync, tcp,873,s0, udp,873,s0)
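Review bot: Nothing in the changelog or a comment says which daemon binds the `udp,953,s0` that the new rndc line adds to rndc_port_t; the only related bullet ("Unbound uses port 8953") was already covered by the previous line, so this widening is effectively undocumented. A changelog line naming the consumer, or a comment on the port line itself, would let the next reader tell the port from noise. The same gap applies to other grants in this commit that the changelog does not mention: `genfscon odmfs` / `genfscon vxclonefs` labelled vxfs_t in filesystem.te, `postgresql_admin(sysadm_t, sysadm_r)` in sysadm.te, and `init_dbus_chat(user_t)` in unprivuser.te, the last two of which add real privilege to the sysadm and user domains.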
@@ -117063,7 +117064,7 @@ index 6a1e4d1..eee8419 100644
+ dontaudit $1 domain:socket_class_set { read write };
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..09a61e6 100644
+index cf04cb5..7219a2a 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
@@ -117189,7 +117190,7 @@ index cf04cb5..09a61e6 100644
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +227,278 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +227,282 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
allow unconfined_domain_type domain:key *;
@@ -117299,6 +117300,10 @@ index cf04cb5..09a61e6 100644
+')
+
+optional_policy(`
++ postgresql_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
+ postfix_filetrans_named_content(unconfined_domain_type)
+')
+
@@ -117703,7 +117708,7 @@ index 8796ca3..cb02728 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index e1e814d..360fbbd 100644
+index e1e814d..e9ebe7b 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -55,6 +55,7 @@
@@ -118087,7 +118092,7 @@ index e1e814d..360fbbd 100644
+ type etc_t;
+ ')
+
-+ dontaudit $1 etc_t:file_class_set audit_access;
++ dontaudit $1 etc_t:dir_file_class_set audit_access;
+')
+
+########################################
@@ -118343,7 +118348,7 @@ index e1e814d..360fbbd 100644
')
-
- dontaudit $1 mnt_t:dir list_dir_perms;
-+ dontaudit $1 mnt_t:file_class_set audit_access;
++ dontaudit $1 mnt_t:dir_file_class_set audit_access;
')
########################################
@@ -118508,7 +118513,7 @@ index e1e814d..360fbbd 100644
## Get the attributes of the tmp directory (/tmp).
## </summary>
## <param name="domain">
-@@ -4161,6 +4694,7 @@ interface(`files_getattr_tmp_dirs',`
+@@ -4161,17 +4694,37 @@ interface(`files_getattr_tmp_dirs',`
type tmp_t;
')
@@ -118516,7 +118521,29 @@ index e1e814d..360fbbd 100644
allow $1 tmp_t:dir getattr;
')
-@@ -4171,7 +4705,7 @@ interface(`files_getattr_tmp_dirs',`
+ ########################################
+ ## <summary>
++## Do not audit attempts to check the
++## access on tmp files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`files_dontaudit_access_check_tmp',`
++ gen_require(`
++ type etc_t;
++ ')
++
++ dontaudit $1 tmp_t:dir_file_class_set audit_access;
++')
++
++########################################
++## <summary>
+ ## Do not audit attempts to get the
+ ## attributes of the tmp directory (/tmp).
## </summary>
## <param name="domain">
## <summary>
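Review bot: The new `files_dontaudit_access_check_tmp` interface requires `type etc_t;` but its rule references `tmp_t`, so the gen_require block does not declare the type the interface actually uses; it should read `type tmp_t;`. A module that calls this interface without already requiring tmp_t through some other interface would presumably fail to build, and the etc_t requirement is a dependency the interface never uses. The XML summary could also say "tmp files and directories", since the rule covers `dir_file_class_set`.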
@@ -118525,7 +118552,7 @@ index e1e814d..360fbbd 100644
## </summary>
## </param>
#
-@@ -4198,6 +4732,7 @@ interface(`files_search_tmp',`
+@@ -4198,6 +4751,7 @@ interface(`files_search_tmp',`
type tmp_t;
')
@@ -118533,7 +118560,7 @@ index e1e814d..360fbbd 100644
allow $1 tmp_t:dir search_dir_perms;
')
-@@ -4234,6 +4769,7 @@ interface(`files_list_tmp',`
+@@ -4234,6 +4788,7 @@ interface(`files_list_tmp',`
type tmp_t;
')
@@ -118541,7 +118568,7 @@ index e1e814d..360fbbd 100644
allow $1 tmp_t:dir list_dir_perms;
')
-@@ -4243,7 +4779,7 @@ interface(`files_list_tmp',`
+@@ -4243,7 +4798,7 @@ interface(`files_list_tmp',`
## </summary>
## <param name="domain">
## <summary>
@@ -118550,7 +118577,7 @@ index e1e814d..360fbbd 100644
## </summary>
## </param>
#
-@@ -4255,6 +4791,25 @@ interface(`files_dontaudit_list_tmp',`
+@@ -4255,6 +4810,25 @@ interface(`files_dontaudit_list_tmp',`
dontaudit $1 tmp_t:dir list_dir_perms;
')
@@ -118576,7 +118603,7 @@ index e1e814d..360fbbd 100644
########################################
## <summary>
## Remove entries from the tmp directory.
-@@ -4270,6 +4825,7 @@ interface(`files_delete_tmp_dir_entry',`
+@@ -4270,6 +4844,7 @@ interface(`files_delete_tmp_dir_entry',`
type tmp_t;
')
@@ -118584,7 +118611,7 @@ index e1e814d..360fbbd 100644
allow $1 tmp_t:dir del_entry_dir_perms;
')
-@@ -4311,6 +4867,32 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -4311,6 +4886,32 @@ interface(`files_manage_generic_tmp_dirs',`
########################################
## <summary>
@@ -118617,7 +118644,7 @@ index e1e814d..360fbbd 100644
## Manage temporary files and directories in /tmp.
## </summary>
## <param name="domain">
-@@ -4365,7 +4947,7 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4365,7 +4966,7 @@ interface(`files_rw_generic_tmp_sockets',`
########################################
## <summary>
@@ -118626,7 +118653,7 @@ index e1e814d..360fbbd 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -4373,17 +4955,17 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4373,17 +4974,17 @@ interface(`files_rw_generic_tmp_sockets',`
## </summary>
## </param>
#
@@ -118648,7 +118675,7 @@ index e1e814d..360fbbd 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -4391,59 +4973,53 @@ interface(`files_setattr_all_tmp_dirs',`
+@@ -4391,59 +4992,53 @@ interface(`files_setattr_all_tmp_dirs',`
## </summary>
## </param>
#
@@ -118719,7 +118746,7 @@ index e1e814d..360fbbd 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -4451,54 +5027,132 @@ interface(`files_dontaudit_getattr_all_tmp_files',`
+@@ -4451,27 +5046,105 @@ interface(`files_dontaudit_getattr_all_tmp_files',`
## </summary>
## </param>
#
@@ -118748,40 +118775,31 @@ index e1e814d..360fbbd 100644
#
-interface(`files_relabel_all_tmp_files',`
+interface(`files_list_all_tmp',`
- gen_require(`
- attribute tmpfile;
-- type var_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- relabel_files_pattern($1, tmpfile, tmpfile)
++ gen_require(`
++ attribute tmpfile;
++ ')
++
+ allow $1 tmpfile:dir list_dir_perms;
- ')
-
- ########################################
- ## <summary>
--## Do not audit attempts to get the attributes
--## of all tmp sock_file.
++')
++
++########################################
++## <summary>
+## Relabel to and from all temporary
+## directory types.
- ## </summary>
- ## <param name="domain">
- ## <summary>
--## Domain not to audit.
++## </summary>
++## <param name="domain">
++## <summary>
+## Domain allowed access.
- ## </summary>
- ## </param>
++## </summary>
++## </param>
+## <rolecap/>
- #
--interface(`files_dontaudit_getattr_all_tmp_sockets',`
++#
+interface(`files_relabel_all_tmp_dirs',`
- gen_require(`
- attribute tmpfile;
++ gen_require(`
++ attribute tmpfile;
+ type var_t;
- ')
-
-- dontaudit $1 tmpfile:sock_file getattr;
--')
++ ')
++
+ allow $1 var_t:dir search_dir_perms;
+ relabel_dirs_pattern($1, tmpfile, tmpfile)
+')
@@ -118837,37 +118855,19 @@ index e1e814d..360fbbd 100644
+## <rolecap/>
+#
+interface(`files_relabel_all_tmp_files',`
-+ gen_require(`
-+ attribute tmpfile;
-+ type var_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ relabel_files_pattern($1, tmpfile, tmpfile)
-+')
-+
-+########################################
-+## <summary>
-+## Do not audit attempts to get the attributes
-+## of all tmp sock_file.
-+## </summary>
-+## <param name="domain">
-+## <summary>
+ gen_require(`
+ attribute tmpfile;
+ type var_t;
+@@ -4488,7 +5161,7 @@ interface(`files_relabel_all_tmp_files',`
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain not to audit.
+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
-+interface(`files_dontaudit_getattr_all_tmp_sockets',`
-+ gen_require(`
-+ attribute tmpfile;
-+ ')
-+
-+ dontaudit $1 tmpfile:sock_file getattr;
-+')
-
- ########################################
- ## <summary>
-@@ -4573,6 +5227,16 @@ interface(`files_purge_tmp',`
+ ## </summary>
+ ## </param>
+ #
+@@ -4573,6 +5246,16 @@ interface(`files_purge_tmp',`
delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -118884,7 +118884,7 @@ index e1e814d..360fbbd 100644
')
########################################
-@@ -5150,6 +5814,24 @@ interface(`files_list_var',`
+@@ -5150,6 +5833,24 @@ interface(`files_list_var',`
########################################
## <summary>
@@ -118909,7 +118909,7 @@ index e1e814d..360fbbd 100644
## Create, read, write, and delete directories
## in the /var directory.
## </summary>
-@@ -5505,6 +6187,25 @@ interface(`files_read_var_lib_symlinks',`
+@@ -5505,6 +6206,25 @@ interface(`files_read_var_lib_symlinks',`
read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
')
@@ -118935,7 +118935,7 @@ index e1e814d..360fbbd 100644
# cjp: the next two interfaces really need to be fixed
# in some way. They really neeed their own types.
-@@ -5550,7 +6251,7 @@ interface(`files_manage_mounttab',`
+@@ -5550,7 +6270,7 @@ interface(`files_manage_mounttab',`
########################################
## <summary>
@@ -118944,7 +118944,7 @@ index e1e814d..360fbbd 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5558,12 +6259,13 @@ interface(`files_manage_mounttab',`
+@@ -5558,12 +6278,13 @@ interface(`files_manage_mounttab',`
## </summary>
## </param>
#
@@ -118960,7 +118960,7 @@ index e1e814d..360fbbd 100644
')
########################################
-@@ -5581,6 +6283,7 @@ interface(`files_search_locks',`
+@@ -5581,6 +6302,7 @@ interface(`files_search_locks',`
type var_t, var_lock_t;
')
@@ -118968,7 +118968,7 @@ index e1e814d..360fbbd 100644
allow $1 var_lock_t:lnk_file read_lnk_file_perms;
search_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5607,7 +6310,26 @@ interface(`files_dontaudit_search_locks',`
+@@ -5607,7 +6329,26 @@ interface(`files_dontaudit_search_locks',`
########################################
## <summary>
@@ -118996,7 +118996,7 @@ index e1e814d..360fbbd 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5615,13 +6337,12 @@ interface(`files_dontaudit_search_locks',`
+@@ -5615,13 +6356,12 @@ interface(`files_dontaudit_search_locks',`
## </summary>
## </param>
#
@@ -119013,7 +119013,7 @@ index e1e814d..360fbbd 100644
')
########################################
-@@ -5640,7 +6361,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5640,7 +6380,7 @@ interface(`files_rw_lock_dirs',`
type var_t, var_lock_t;
')
@@ -119022,7 +119022,7 @@ index e1e814d..360fbbd 100644
rw_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5673,7 +6394,6 @@ interface(`files_create_lock_dirs',`
+@@ -5673,7 +6413,6 @@ interface(`files_create_lock_dirs',`
## Domain allowed access.
## </summary>
## </param>
@@ -119030,7 +119030,7 @@ index e1e814d..360fbbd 100644
#
interface(`files_relabel_all_lock_dirs',`
gen_require(`
-@@ -5701,8 +6421,7 @@ interface(`files_getattr_generic_locks',`
+@@ -5701,8 +6440,7 @@ interface(`files_getattr_generic_locks',`
type var_t, var_lock_t;
')
@@ -119040,7 +119040,7 @@ index e1e814d..360fbbd 100644
allow $1 var_lock_t:dir list_dir_perms;
getattr_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5718,13 +6437,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5718,13 +6456,12 @@ interface(`files_getattr_generic_locks',`
## </param>
#
interface(`files_delete_generic_locks',`
@@ -119058,7 +119058,7 @@ index e1e814d..360fbbd 100644
')
########################################
-@@ -5743,8 +6461,7 @@ interface(`files_manage_generic_locks',`
+@@ -5743,8 +6480,7 @@ interface(`files_manage_generic_locks',`
type var_t, var_lock_t;
')
@@ -119068,7 +119068,7 @@ index e1e814d..360fbbd 100644
manage_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5786,8 +6503,7 @@ interface(`files_read_all_locks',`
+@@ -5786,8 +6522,7 @@ interface(`files_read_all_locks',`
type var_t, var_lock_t;
')
@@ -119078,7 +119078,7 @@ index e1e814d..360fbbd 100644
allow $1 lockfile:dir list_dir_perms;
read_files_pattern($1, lockfile, lockfile)
read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5809,8 +6525,7 @@ interface(`files_manage_all_locks',`
+@@ -5809,8 +6544,7 @@ interface(`files_manage_all_locks',`
type var_t, var_lock_t;
')
@@ -119088,7 +119088,7 @@ index e1e814d..360fbbd 100644
manage_dirs_pattern($1, lockfile, lockfile)
manage_files_pattern($1, lockfile, lockfile)
manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5847,8 +6562,7 @@ interface(`files_lock_filetrans',`
+@@ -5847,8 +6581,7 @@ interface(`files_lock_filetrans',`
type var_t, var_lock_t;
')
@@ -119098,7 +119098,7 @@ index e1e814d..360fbbd 100644
filetrans_pattern($1, var_lock_t, $2, $3, $4)
')
-@@ -5911,6 +6625,43 @@ interface(`files_search_pids',`
+@@ -5911,6 +6644,43 @@ interface(`files_search_pids',`
search_dirs_pattern($1, var_t, var_run_t)
')
@@ -119142,7 +119142,7 @@ index e1e814d..360fbbd 100644
########################################
## <summary>
## Do not audit attempts to search
-@@ -5933,6 +6684,25 @@ interface(`files_dontaudit_search_pids',`
+@@ -5933,6 +6703,25 @@ interface(`files_dontaudit_search_pids',`
########################################
## <summary>
@@ -119168,7 +119168,7 @@ index e1e814d..360fbbd 100644
## List the contents of the runtime process
## ID directories (/var/run).
## </summary>
-@@ -6048,7 +6818,6 @@ interface(`files_pid_filetrans',`
+@@ -6048,7 +6837,6 @@ interface(`files_pid_filetrans',`
')
allow $1 var_t:dir search_dir_perms;
@@ -119176,7 +119176,7 @@ index e1e814d..360fbbd 100644
filetrans_pattern($1, var_run_t, $2, $3, $4)
')
-@@ -6157,30 +6926,25 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -6157,30 +6945,25 @@ interface(`files_dontaudit_ioctl_all_pids',`
########################################
## <summary>
@@ -119211,7 +119211,7 @@ index e1e814d..360fbbd 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6188,43 +6952,35 @@ interface(`files_read_all_pids',`
+@@ -6188,43 +6971,35 @@ interface(`files_read_all_pids',`
## </summary>
## </param>
#
@@ -119262,7 +119262,7 @@ index e1e814d..360fbbd 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6232,21 +6988,17 @@ interface(`files_delete_all_pids',`
+@@ -6232,21 +7007,17 @@ interface(`files_delete_all_pids',`
## </summary>
## </param>
#
@@ -119287,7 +119287,7 @@ index e1e814d..360fbbd 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6254,56 +7006,59 @@ interface(`files_delete_all_pid_dirs',`
+@@ -6254,56 +7025,59 @@ interface(`files_delete_all_pid_dirs',`
## </summary>
## </param>
#
@@ -119363,7 +119363,7 @@ index e1e814d..360fbbd 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6311,18 +7066,17 @@ interface(`files_list_spool',`
+@@ -6311,18 +7085,17 @@ interface(`files_list_spool',`
## </summary>
## </param>
#
@@ -119386,7 +119386,7 @@ index e1e814d..360fbbd 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6330,9 +7084,273 @@ interface(`files_manage_generic_spool_dirs',`
+@@ -6330,9 +7103,273 @@ interface(`files_manage_generic_spool_dirs',`
## </summary>
## </param>
#
@@ -119662,7 +119662,7 @@ index e1e814d..360fbbd 100644
')
list_dirs_pattern($1, var_t, var_spool_t)
-@@ -6467,3 +7485,457 @@ interface(`files_unconfined',`
+@@ -6467,3 +7504,459 @@ interface(`files_unconfined',`
typeattribute $1 files_unconfined_type;
')
@@ -119918,7 +119918,7 @@ index e1e814d..360fbbd 100644
+########################################
+## <summary>
+## Do not audit attempts to check the
-+## write access on all files
++## access on all files
+## </summary>
+## <param name="domain">
+## <summary>
@@ -119931,7 +119931,7 @@ index e1e814d..360fbbd 100644
+ attribute file_type;
+ ')
+
-+ dontaudit $1 file_type:file_class_set audit_access;
++ dontaudit $1 file_type:dir_file_class_set audit_access;
+')
+
+########################################
@@ -119986,6 +119986,7 @@ index e1e814d..360fbbd 100644
+ type mnt_t;
+ type usr_t;
+ type var_t;
++ type tmp_t;
+ ')
+
+ files_pid_filetrans($1, mnt_t, dir, "media")
@@ -120008,6 +120009,7 @@ index e1e814d..360fbbd 100644
+ files_etc_filetrans_etc_runtime($1, file, "ptal-printd-like")
+ files_etc_filetrans_etc_runtime($1, file, "hwconf")
+ files_etc_filetrans_etc_runtime($1, file, "iptables.save")
++ files_tmp_filetrans($1, tmp_t, dir, "tmp-inst")
+')
+
+########################################
@@ -120332,7 +120334,7 @@ index cda5588..91d1e25 100644
+/usr/lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
+/usr/lib/udev/devices/shm/.* <<none>>
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 7c6b791..aa86bf7 100644
+index 7c6b791..12947fe 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
@@ -120964,32 +120966,41 @@ index 7c6b791..aa86bf7 100644
allow $1 nfs_t:dir list_dir_perms;
read_files_pattern($1, nfs_t, nfs_t)
')
-@@ -2510,81 +2973,137 @@ interface(`fs_dontaudit_read_nfs_files',`
+@@ -2523,6 +2986,7 @@ interface(`fs_write_nfs_files',`
+ type nfs_t;
+ ')
+
++ fs_search_auto_mountpoints($1)
+ allow $1 nfs_t:dir list_dir_perms;
+ write_files_pattern($1, nfs_t, nfs_t)
+ ')
+@@ -2549,42 +3013,97 @@ interface(`fs_exec_nfs_files',`
########################################
## <summary>
--## Read files on a NFS filesystem.
-+## Read files on a NFS filesystem.
+-## Append files
+-## on a NFS filesystem.
++## Make general progams in nfs an entrypoint for
++## the specified domain.
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain allowed access.
++## The domain for which nfs_t is an entrypoint.
+## </summary>
+## </param>
+#
-+interface(`fs_write_nfs_files',`
++interface(`fs_nfs_entry_type',`
+ gen_require(`
+ type nfs_t;
+ ')
+
-+ fs_search_auto_mountpoints($1)
-+ allow $1 nfs_t:dir list_dir_perms;
-+ write_files_pattern($1, nfs_t, nfs_t)
++ domain_entry_file($1, nfs_t)
+')
+
+########################################
+## <summary>
-+## Execute files on a NFS filesystem.
++## Append files
++## on a NFS filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -120998,86 +121009,36 @@ index 7c6b791..aa86bf7 100644
+## </param>
+## <rolecap/>
+#
-+interface(`fs_exec_nfs_files',`
++interface(`fs_append_nfs_files',`
+ gen_require(`
+ type nfs_t;
+ ')
+
-+ allow $1 nfs_t:dir list_dir_perms;
-+ exec_files_pattern($1, nfs_t, nfs_t)
++ append_files_pattern($1, nfs_t, nfs_t)
+')
+
+########################################
+## <summary>
-+## Make general progams in nfs an entrypoint for
-+## the specified domain.
++## Do not audit attempts to append files
++## on a NFS filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
-+## The domain for which nfs_t is an entrypoint.
++## Domain to not audit.
+## </summary>
+## </param>
++## <rolecap/>
+#
-+interface(`fs_nfs_entry_type',`
++interface(`fs_dontaudit_append_nfs_files',`
+ gen_require(`
+ type nfs_t;
+ ')
+
-+ domain_entry_file($1, nfs_t)
++ dontaudit $1 nfs_t:file append_file_perms;
+')
+
+########################################
+## <summary>
-+## Append files
-+## on a NFS filesystem.
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
-+## <rolecap/>
- #
--interface(`fs_write_nfs_files',`
-+interface(`fs_append_nfs_files',`
- gen_require(`
- type nfs_t;
- ')
-
-- allow $1 nfs_t:dir list_dir_perms;
-- write_files_pattern($1, nfs_t, nfs_t)
-+ append_files_pattern($1, nfs_t, nfs_t)
- ')
-
- ########################################
- ## <summary>
--## Execute files on a NFS filesystem.
-+## Do not audit attempts to append files
-+## on a NFS filesystem.
- ## </summary>
- ## <param name="domain">
- ## <summary>
--## Domain allowed access.
-+## Domain to not audit.
- ## </summary>
- ## </param>
- ## <rolecap/>
- #
--interface(`fs_exec_nfs_files',`
-+interface(`fs_dontaudit_append_nfs_files',`
- gen_require(`
- type nfs_t;
- ')
-
-- allow $1 nfs_t:dir list_dir_perms;
-- exec_files_pattern($1, nfs_t, nfs_t)
-+ dontaudit $1 nfs_t:file append_file_perms;
- ')
-
- ########################################
- ## <summary>
--## Append files
--## on a NFS filesystem.
+## Read inherited files on a NFS filesystem.
## </summary>
## <param name="domain">
@@ -121449,7 +121410,7 @@ index 7c6b791..aa86bf7 100644
## Relabel character nodes on tmpfs filesystems.
## </summary>
## <param name="domain">
-@@ -4242,6 +4944,43 @@ interface(`fs_relabel_tmpfs_blk_file',`
+@@ -4242,6 +4944,44 @@ interface(`fs_relabel_tmpfs_blk_file',`
########################################
## <summary>
@@ -121485,7 +121446,8 @@ index 7c6b791..aa86bf7 100644
+ type tmpfs_t;
+ ')
+
-+ allow $1 tmpfs_t:file unlink;
++ allow $1 tmpfs_t:dir del_entry_dir_perms;
++ allow $1 tmpfs_t:file_class_set delete_file_perms;
+')
+
+########################################
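Review bot: Unlink on sock_file, fifo_file, chr_file and blk_file objects is now also granted on tmpfs, because the rule moved from `file unlink` to `file_class_set delete_file_perms` plus `dir del_entry_dir_perms`; tmpfs_t also labels the udev devices/shm directory per the fc hunk earlier in this patch, so if the tmpreaper use case from the changelog only needs regular files and symlinks, `{ file lnk_file }` would be the narrower class set. The interface's name and XML summary begin outside this hunk and should be checked to still describe what is deleted; a summary line such as `## Delete all file types on tmpfs filesystems.` would match the new rule. The enclosing interface starts before this hunk.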
@@ -121493,7 +121455,7 @@ index 7c6b791..aa86bf7 100644
## Read and write, create and delete generic
## files on tmpfs filesystems.
## </summary>
-@@ -4261,6 +5000,25 @@ interface(`fs_manage_tmpfs_files',`
+@@ -4261,6 +5001,25 @@ interface(`fs_manage_tmpfs_files',`
########################################
## <summary>
@@ -121519,7 +121481,7 @@ index 7c6b791..aa86bf7 100644
## Read and write, create and delete symbolic
## links on tmpfs filesystems.
## </summary>
-@@ -4467,6 +5225,8 @@ interface(`fs_mount_all_fs',`
+@@ -4467,6 +5226,8 @@ interface(`fs_mount_all_fs',`
')
allow $1 filesystem_type:filesystem mount;
@@ -121528,7 +121490,7 @@ index 7c6b791..aa86bf7 100644
')
########################################
-@@ -4513,7 +5273,7 @@ interface(`fs_unmount_all_fs',`
+@@ -4513,7 +5274,7 @@ interface(`fs_unmount_all_fs',`
## <desc>
## <p>
## Allow the specified domain to
@@ -121537,7 +121499,34 @@ index 7c6b791..aa86bf7 100644
## Example attributes:
## </p>
## <ul>
-@@ -4876,3 +5636,43 @@ interface(`fs_unconfined',`
+@@ -4560,6 +5321,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
+
+ ########################################
+ ## <summary>
++## Do not audit attempts to check the
++## access on all filesystems.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`fs_dontaudit_all_access_check',`
++ gen_require(`
++ attribute filesystem_type;
++ ')
++
++ dontaudit $1 filesystem_type:dir_file_class_set audit_access;
++')
++
++
++########################################
++## <summary>
+ ## Get the quotas of all filesystems.
+ ## </summary>
+ ## <param name="domain">
+@@ -4876,3 +5657,43 @@ interface(`fs_unconfined',`
typeattribute $1 filesystem_unconfined_type;
')
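Review bot: The name `fs_dontaudit_all_access_check` does not follow the pattern the same commit uses in the files module (`files_dontaudit_access_check_tmp`) nor the sibling `fs_dontaudit_getattr_all_fs` just above it, which makes the two families harder to find together; something like `fs_dontaudit_access_check_all_fs` would read consistently. There are also two blank lines after the closing `')` where the rest of the file separates interfaces with one. The dontaudit itself is scoped to `audit_access` only, so it silences access(2)-style probes without granting anything.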
@@ -121582,7 +121571,7 @@ index 7c6b791..aa86bf7 100644
+ fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpuacct")
+')
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
-index 376bae8..36a5041 100644
+index 376bae8..9764e00 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -33,6 +33,8 @@ fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
@@ -121643,7 +121632,16 @@ index 376bae8..36a5041 100644
type sysv_t;
fs_noxattr_type(sysv_t)
files_mountpoint(sysv_t)
-@@ -175,6 +179,7 @@ fs_type(tmpfs_t)
+@@ -166,6 +170,8 @@ type vxfs_t;
+ fs_noxattr_type(vxfs_t)
+ files_mountpoint(vxfs_t)
+ genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0)
++genfscon odmfs / gen_context(system_u:object_r:vxfs_t,s0)
++genfscon vxclonefs / gen_context(system_u:object_r:vxfs_t,s0)
+
+ #
+ # tmpfs_t is the type for tmpfs filesystems
+@@ -175,6 +181,7 @@ fs_type(tmpfs_t)
files_type(tmpfs_t)
files_mountpoint(tmpfs_t)
files_poly_parent(tmpfs_t)
@@ -121651,7 +121649,7 @@ index 376bae8..36a5041 100644
# Use a transition SID based on the allocating task SID and the
# filesystem SID to label inodes in the following filesystem types,
-@@ -254,6 +259,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
+@@ -254,6 +261,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
type removable_t;
allow removable_t noxattrfs:filesystem associate;
fs_noxattr_type(removable_t)
@@ -121660,7 +121658,7 @@ index 376bae8..36a5041 100644
files_mountpoint(removable_t)
#
-@@ -273,6 +280,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
+@@ -273,6 +282,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
@@ -124797,7 +124795,7 @@ index ff92430..36740ea 100644
## <summary>
## Execute a generic bin program in the sysadm domain.
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 44c198a..72a70fc 100644
+index 44c198a..e34ec36 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -5,39 +5,73 @@ policy_module(sysadm, 2.5.0)
@@ -124929,14 +124927,14 @@ index 44c198a..72a70fc 100644
- consoletype_run(sysadm_t, sysadm_r)
+ cron_admin_role(sysadm_r, sysadm_t)
+ #cron_role(sysadm_r, sysadm_t)
-+')
-+
-+optional_policy(`
-+ consoletype_exec(sysadm_t)
')
optional_policy(`
- cvs_exec(sysadm_t)
++ consoletype_exec(sysadm_t)
++')
++
++optional_policy(`
+ daemonstools_run_start(sysadm_t, sysadm_r)
+')
+
@@ -125088,7 +125086,7 @@ index 44c198a..72a70fc 100644
portage_run(sysadm_t, sysadm_r)
portage_run_fetch(sysadm_t, sysadm_r)
portage_run_gcc_config(sysadm_t, sysadm_r)
-@@ -270,31 +351,32 @@ optional_policy(`
+@@ -270,31 +351,36 @@ optional_policy(`
')
optional_policy(`
@@ -125098,37 +125096,41 @@ index 44c198a..72a70fc 100644
optional_policy(`
- quota_run(sysadm_t, sysadm_r)
-+ prelink_run(sysadm_t, sysadm_r)
++ postgresql_admin(sysadm_t, sysadm_r)
')
optional_policy(`
- raid_run_mdadm(sysadm_r, sysadm_t)
-+ puppet_run_puppetca(sysadm_t, sysadm_r)
++ prelink_run(sysadm_t, sysadm_r)
')
optional_policy(`
- razor_role(sysadm_r, sysadm_t)
-+ quota_filetrans_named_content(sysadm_t)
++ puppet_run_puppetca(sysadm_t, sysadm_r)
')
optional_policy(`
- rpc_domtrans_nfsd(sysadm_t)
-+ raid_domtrans_mdadm(sysadm_t)
++ quota_filetrans_named_content(sysadm_t)
')
optional_policy(`
- rpm_run(sysadm_t, sysadm_r)
-+ rpc_domtrans_nfsd(sysadm_t)
++ raid_domtrans_mdadm(sysadm_t)
')
optional_policy(`
- rssh_role(sysadm_r, sysadm_t)
++ rpc_domtrans_nfsd(sysadm_t)
++')
++
++optional_policy(`
+ rpm_run(sysadm_t, sysadm_r)
+ rpm_dbus_chat(sysadm_t, sysadm_r)
')
optional_policy(`
-@@ -319,12 +401,18 @@ optional_policy(`
+@@ -319,12 +405,18 @@ optional_policy(`
')
optional_policy(`
@@ -125148,7 +125150,7 @@ index 44c198a..72a70fc 100644
')
optional_policy(`
-@@ -349,7 +437,18 @@ optional_policy(`
+@@ -349,7 +441,18 @@ optional_policy(`
')
optional_policy(`
@@ -125168,7 +125170,7 @@ index 44c198a..72a70fc 100644
')
optional_policy(`
-@@ -360,19 +459,15 @@ optional_policy(`
+@@ -360,19 +463,15 @@ optional_policy(`
')
optional_policy(`
@@ -125190,7 +125192,7 @@ index 44c198a..72a70fc 100644
')
optional_policy(`
-@@ -384,10 +479,6 @@ optional_policy(`
+@@ -384,10 +483,6 @@ optional_policy(`
')
optional_policy(`
@@ -125201,7 +125203,7 @@ index 44c198a..72a70fc 100644
usermanage_run_admin_passwd(sysadm_t, sysadm_r)
usermanage_run_groupadd(sysadm_t, sysadm_r)
usermanage_run_useradd(sysadm_t, sysadm_r)
-@@ -395,6 +486,9 @@ optional_policy(`
+@@ -395,6 +490,9 @@ optional_policy(`
optional_policy(`
virt_stream_connect(sysadm_t)
@@ -125211,7 +125213,7 @@ index 44c198a..72a70fc 100644
')
optional_policy(`
-@@ -402,31 +496,34 @@ optional_policy(`
+@@ -402,31 +500,34 @@ optional_policy(`
')
optional_policy(`
@@ -125252,7 +125254,7 @@ index 44c198a..72a70fc 100644
auth_role(sysadm_r, sysadm_t)
')
-@@ -439,10 +536,6 @@ ifndef(`distro_redhat',`
+@@ -439,10 +540,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -125263,7 +125265,7 @@ index 44c198a..72a70fc 100644
dbus_role_template(sysadm, sysadm_r, sysadm_t)
')
-@@ -460,6 +553,7 @@ ifndef(`distro_redhat',`
+@@ -460,6 +557,7 @@ ifndef(`distro_redhat',`
optional_policy(`
gnome_role(sysadm_r, sysadm_t)
@@ -125271,7 +125273,7 @@ index 44c198a..72a70fc 100644
')
optional_policy(`
-@@ -467,11 +561,66 @@ ifndef(`distro_redhat',`
+@@ -467,11 +565,66 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -125290,9 +125292,8 @@ index 44c198a..72a70fc 100644
+
+ optional_policy(`
+ mozilla_role(sysadm_r, sysadm_t)
- ')
--')
-
++ ')
++
+ optional_policy(`
+ mplayer_role(sysadm_r, sysadm_t)
+ ')
@@ -125315,8 +125316,9 @@ index 44c198a..72a70fc 100644
+
+ optional_policy(`
+ thunderbird_role(sysadm_r, sysadm_t)
-+ ')
-+
+ ')
+-')
+
+ optional_policy(`
+ tvtime_role(sysadm_r, sysadm_t)
+ ')
@@ -126405,7 +126407,7 @@ index 3835596..fbca2be 100644
########################################
## <summary>
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
-index 9f6d4c3..07ceee0 100644
+index 9f6d4c3..40338bc 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -1,5 +1,12 @@
@@ -126421,7 +126423,7 @@ index 9f6d4c3..07ceee0 100644
# this module should be named user, but that is
# a compile error since user is a keyword.
-@@ -12,12 +19,99 @@ role user_r;
+@@ -12,12 +19,100 @@ role user_r;
userdom_unpriv_user_template(user)
@@ -126434,6 +126436,7 @@ index 9f6d4c3..07ceee0 100644
+storage_read_scsi_generic(user_t)
+storage_write_scsi_generic(user_t)
+
++init_dbus_chat(user_t)
+init_status(user_t)
+
+tunable_policy(`selinuxuser_execmod',`
@@ -126522,7 +126525,7 @@ index 9f6d4c3..07ceee0 100644
')
optional_policy(`
-@@ -25,6 +119,18 @@ optional_policy(`
+@@ -25,6 +120,18 @@ optional_policy(`
')
optional_policy(`
@@ -126541,7 +126544,7 @@ index 9f6d4c3..07ceee0 100644
vlock_run(user_t, user_r)
')
-@@ -66,10 +172,6 @@ ifndef(`distro_redhat',`
+@@ -66,10 +173,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -126552,7 +126555,7 @@ index 9f6d4c3..07ceee0 100644
gpg_role(user_r, user_t)
')
-@@ -102,10 +204,6 @@ ifndef(`distro_redhat',`
+@@ -102,10 +205,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -126563,7 +126566,7 @@ index 9f6d4c3..07ceee0 100644
postgresql_role(user_r, user_t)
')
-@@ -128,7 +226,6 @@ ifndef(`distro_redhat',`
+@@ -128,7 +227,6 @@ ifndef(`distro_redhat',`
optional_policy(`
ssh_role_template(user, user_r, user_t)
')
@@ -126571,7 +126574,7 @@ index 9f6d4c3..07ceee0 100644
optional_policy(`
su_role_template(user, user_r, user_t)
')
-@@ -161,3 +258,15 @@ ifndef(`distro_redhat',`
+@@ -161,3 +259,15 @@ ifndef(`distro_redhat',`
wireshark_role(user_r, user_t)
')
')
@@ -126588,7 +126591,7 @@ index 9f6d4c3..07ceee0 100644
+ ')
+')
diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc
-index a26f84f..d3cc612 100644
+index a26f84f..947af6c 100644
--- a/policy/modules/services/postgresql.fc
+++ b/policy/modules/services/postgresql.fc
@@ -10,6 +10,7 @@
@@ -126599,7 +126602,7 @@ index a26f84f..d3cc612 100644
/usr/lib/pgsql/test/regress(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
/usr/lib/pgsql/test/regress/pg_regress -- gen_context(system_u:object_r:postgresql_exec_t,s0)
-@@ -28,9 +29,9 @@ ifdef(`distro_redhat', `
+@@ -28,9 +29,10 @@ ifdef(`distro_redhat', `
#
/var/lib/postgres(ql)?(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
@@ -126608,17 +126611,18 @@ index a26f84f..d3cc612 100644
/var/lib/pgsql/logfile(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0)
-/var/lib/pgsql/pgstartup\.log gen_context(system_u:object_r:postgresql_log_t,s0)
+/var/lib/pgsql/.*\.log gen_context(system_u:object_r:postgresql_log_t,s0)
++/var/lib/pgsql/data/pg_log(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0)
/var/lib/sepgsql(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
/var/lib/sepgsql/pgstartup\.log -- gen_context(system_u:object_r:postgresql_log_t,s0)
-@@ -45,4 +46,4 @@ ifdef(`distro_redhat', `
+@@ -45,4 +47,4 @@ ifdef(`distro_redhat', `
/var/run/postgresql(/.*)? gen_context(system_u:object_r:postgresql_var_run_t,s0)
-/var/run/postmaster.* gen_context(system_u:object_r:postgresql_var_run_t,s0)
+#/var/run/postmaster.* gen_context(system_u:object_r:postgresql_var_run_t,s0)
diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if
-index ecef19f..fcbc25a 100644
+index ecef19f..149e648 100644
--- a/policy/modules/services/postgresql.if
+++ b/policy/modules/services/postgresql.if
@@ -10,7 +10,7 @@
@@ -126746,7 +126750,37 @@ index ecef19f..fcbc25a 100644
tunable_policy(`sepgsql_enable_users_ddl',`
allow $1 unpriv_sepgsql_schema_t:db_schema { create drop setattr };
allow $1 unpriv_sepgsql_table_t:db_table { create drop setattr };
-@@ -564,33 +581,38 @@ interface(`postgresql_unconfined',`
+@@ -548,6 +565,29 @@ interface(`postgresql_unconfined',`
+
+ ########################################
+ ## <summary>
++## Transition to postgresql named content
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`postgresql_filetrans_named_content',`
++ gen_require(`
++ type postgresql_db_t;
++ type postgresql_log_t;
++ ')
++
++ files_var_lib_filetrans($1, postgresql_db_t, dir, "postgresql")
++ files_var_lib_filetrans($1, postgresql_db_t, dir, "postgres")
++ files_var_lib_filetrans($1, postgresql_db_t, dir, "pgsql")
++ filetrans_pattern($1, postgresql_db_t, postgresql_log_t, dir, "logfile")
++ filetrans_pattern($1, postgresql_db_t, postgresql_log_t, dir, "pg_log")
++')
++
++########################################
++## <summary>
+ ## All of the rules required to administrate an postgresql environment
+ ## </summary>
+ ## <param name="domain">
+@@ -564,35 +604,41 @@ interface(`postgresql_unconfined',`
#
interface(`postgresql_admin',`
gen_require(`
@@ -126793,8 +126827,11 @@ index ecef19f..fcbc25a 100644
admin_pattern($1, postgresql_tmp_t)
postgresql_tcp_connect($1)
+ postgresql_stream_connect($1)
++ postgresql_filetrans_named_content($1)
+ ')
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
-index 4318f73..e4d0b31 100644
+index 4318f73..b6908cd 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -19,25 +19,32 @@ gen_require(`
@@ -126849,7 +126886,14 @@ index 4318f73..e4d0b31 100644
allow postgresql_t self:process { setsockcreate };
')
-@@ -275,7 +283,7 @@ allow postgresql_t postgresql_etc_t:dir list_dir_perms;
+@@ -269,13 +277,13 @@ manage_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
+ manage_lnk_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
+ manage_fifo_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
+ manage_sock_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
+-files_var_lib_filetrans(postgresql_t, postgresql_db_t, { dir file lnk_file sock_file fifo_file })
++postgresql_filetrans_named_content(postgresql_t)
+
+ allow postgresql_t postgresql_etc_t:dir list_dir_perms;
read_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t)
read_lnk_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t)
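Review bot: Replacing `files_var_lib_filetrans(postgresql_t, postgresql_db_t, { dir file lnk_file sock_file fifo_file })` with `postgresql_filetrans_named_content(postgresql_t)` narrows the transition from any object the server creates in a var_lib_t directory to dirs with the three listed names, so a file, symlink, socket or fifo created directly under /var/lib now keeps var_lib_t, which the `manage_*_pattern` rules above do not cover. That is probably the intended tightening, but it is a behavioural change the commit message does not mention and it silently assumes the server never creates anything else there. A comment on the call would make the assumption explicit, e.g. `# only the data-dir names from postgresql.fc transition; postgresql_t creates nothing else directly in /var/lib`, and the named set should be checked against every /var/lib entry in the fc.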
@@ -127601,7 +127645,7 @@ index fe0c682..2b21421 100644
+ allow $1 sshd_devpts_t:chr_file { getattr open read write ioctl };
+')
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index b17e27a..3354b8f 100644
+index b17e27a..2ef4a93 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -6,44 +6,51 @@ policy_module(ssh, 2.3.0)
@@ -128048,7 +128092,7 @@ index b17e27a..3354b8f 100644
')
optional_policy(`
-@@ -339,3 +446,121 @@ optional_policy(`
+@@ -339,3 +446,124 @@ optional_policy(`
optional_policy(`
udev_read_db(ssh_keygen_t)
')
@@ -128082,6 +128126,7 @@ index b17e27a..3354b8f 100644
+#
+# chroot_user_t local policy
+#
++allow chroot_user_t self:fifo_file rw_fifo_file_perms;
+allow chroot_user_t self:unix_dgram_socket create_socket_perms;
+
+corecmd_exec_shell(chroot_user_t)
@@ -128089,6 +128134,8 @@ index b17e27a..3354b8f 100644
+term_search_ptys(chroot_user_t)
+term_use_ptmx(chroot_user_t)
+
++fs_getattr_all_fs(chroot_user_t)
++
+userdom_read_user_home_content_files(chroot_user_t)
+userdom_read_inherited_user_home_content_files(chroot_user_t)
+userdom_read_user_home_content_symlinks(chroot_user_t)
@@ -128171,7 +128218,7 @@ index b17e27a..3354b8f 100644
+ xserver_rw_xdm_pipes(ssh_agent_type)
+')
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
-index fc86b7c..ba6be42 100644
+index fc86b7c..ea115aa 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -2,13 +2,35 @@
@@ -128229,7 +128276,7 @@ index fc86b7c..ba6be42 100644
/etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0)
-@@ -46,23 +75,25 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+@@ -46,25 +75,28 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
# /tmp
#
@@ -128260,8 +128307,11 @@ index fc86b7c..ba6be42 100644
+/usr/bin/Xephyr -- gen_context(system_u:object_r:xserver_exec_t,s0)
/usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0)
/usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0)
++/usr/bin/Xvnc -- gen_context(system_u:object_r:xserver_exec_t,s0)
+
+ /usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
-@@ -90,24 +121,47 @@ ifndef(`distro_debian',`
+@@ -90,24 +122,47 @@ ifndef(`distro_debian',`
/var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
/var/lib/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
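Review bot: Labelling `/usr/bin/Xvnc` as xserver_exec_t puts a network-facing X server into the same xserver_t domain as the local Xorg: Xvnc accepts VNC clients over TCP (port 5900 plus the display number by default), which Xorg and Xephyr do not do out of the box, and it is usually started by the `vncserver` wrapper from a user session rather than by a display manager, so which callers actually transition depends on entrypoint rules outside this hunk. Before relying on the label, confirm xserver_t may bind the VNC port; otherwise this turns a previously working unconfined Xvnc into a denied one. Record the difference next to the entry, e.g. `# Xvnc is a network-facing X server (VNC on tcp 5900+N); confined as xserver_t like Xorg`.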
@@ -133968,7 +134018,7 @@ index d26fe81..95c1bd8 100644
+ allow $1 init_t:system undefined;
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 4a88fa1..fe91700 100644
+index 4a88fa1..c43e758 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -11,10 +11,24 @@ gen_require(`
@@ -134111,7 +134161,7 @@ index 4a88fa1..fe91700 100644
allow init_t initctl_t:fifo_file manage_fifo_file_perms;
dev_filetrans(init_t, initctl_t, fifo_file)
-@@ -122,28 +177,38 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
+@@ -122,28 +177,39 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
kernel_read_system_state(init_t)
kernel_share_state(init_t)
@@ -134126,6 +134176,7 @@ index 4a88fa1..fe91700 100644
# Early devtmpfs
dev_rw_generic_chr_files(init_t)
+dev_filetrans_all_named_dev(init_t)
++dev_write_watchdog(init_t)
domain_getpgid_all_domains(init_t)
domain_kill_all_domains(init_t)
@@ -134151,7 +134202,7 @@ index 4a88fa1..fe91700 100644
# file descriptors inherited from the rootfs:
files_dontaudit_rw_root_files(init_t)
files_dontaudit_rw_root_chr_files(init_t)
-@@ -152,6 +217,8 @@ fs_list_inotifyfs(init_t)
+@@ -152,6 +218,8 @@ fs_list_inotifyfs(init_t)
# cjp: this may be related to /dev/log
fs_write_ramfs_sockets(init_t)
@@ -134160,7 +134211,7 @@ index 4a88fa1..fe91700 100644
mcs_process_set_categories(init_t)
mcs_killall(init_t)
-@@ -159,22 +226,41 @@ mls_file_read_all_levels(init_t)
+@@ -159,22 +227,41 @@ mls_file_read_all_levels(init_t)
mls_file_write_all_levels(init_t)
mls_process_write_down(init_t)
mls_fd_use_all_levels(init_t)
@@ -134204,7 +134255,7 @@ index 4a88fa1..fe91700 100644
ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap };
-@@ -183,29 +269,176 @@ ifdef(`distro_gentoo',`
+@@ -183,29 +270,176 @@ ifdef(`distro_gentoo',`
')
ifdef(`distro_redhat',`
@@ -134389,7 +134440,7 @@ index 4a88fa1..fe91700 100644
')
optional_policy(`
-@@ -213,6 +446,27 @@ optional_policy(`
+@@ -213,6 +447,27 @@ optional_policy(`
')
optional_policy(`
@@ -134417,7 +134468,7 @@ index 4a88fa1..fe91700 100644
unconfined_domain(init_t)
')
-@@ -222,8 +476,9 @@ optional_policy(`
+@@ -222,8 +477,9 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -134429,7 +134480,7 @@ index 4a88fa1..fe91700 100644
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -251,12 +506,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -251,12 +507,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -134446,7 +134497,7 @@ index 4a88fa1..fe91700 100644
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -272,23 +531,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -272,23 +532,36 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -134489,7 +134540,7 @@ index 4a88fa1..fe91700 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -296,9 +568,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -296,9 +569,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -134501,7 +134552,7 @@ index 4a88fa1..fe91700 100644
dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t)
-@@ -306,8 +580,10 @@ dev_write_framebuffer(initrc_t)
+@@ -306,8 +581,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@@ -134512,7 +134563,7 @@ index 4a88fa1..fe91700 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -315,17 +591,16 @@ dev_manage_generic_files(initrc_t)
+@@ -315,17 +592,16 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -134532,7 +134583,7 @@ index 4a88fa1..fe91700 100644
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
-@@ -333,6 +608,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -333,6 +609,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -134540,7 +134591,7 @@ index 4a88fa1..fe91700 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
-@@ -340,8 +616,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -340,8 +617,10 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -134552,7 +134603,7 @@ index 4a88fa1..fe91700 100644
files_delete_all_pids(initrc_t)
files_delete_all_pid_dirs(initrc_t)
files_read_etc_files(initrc_t)
-@@ -357,8 +635,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -357,8 +636,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -134566,7 +134617,7 @@ index 4a88fa1..fe91700 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -368,9 +650,13 @@ fs_mount_all_fs(initrc_t)
+@@ -368,9 +651,13 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -134581,7 +134632,7 @@ index 4a88fa1..fe91700 100644
mcs_killall(initrc_t)
mcs_process_set_categories(initrc_t)
-@@ -380,6 +666,7 @@ mls_process_read_up(initrc_t)
+@@ -380,6 +667,7 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -134589,7 +134640,7 @@ index 4a88fa1..fe91700 100644
selinux_get_enforce_mode(initrc_t)
-@@ -391,6 +678,7 @@ term_use_all_terms(initrc_t)
+@@ -391,6 +679,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -134597,7 +134648,7 @@ index 4a88fa1..fe91700 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -409,20 +697,18 @@ logging_read_all_logs(initrc_t)
+@@ -409,20 +698,18 @@ logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
@@ -134621,7 +134672,7 @@ index 4a88fa1..fe91700 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -476,6 +762,10 @@ ifdef(`distro_gentoo',`
+@@ -476,6 +763,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@@ -134632,7 +134683,7 @@ index 4a88fa1..fe91700 100644
alsa_read_lib(initrc_t)
')
-@@ -496,7 +786,7 @@ ifdef(`distro_redhat',`
+@@ -496,7 +787,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -134641,7 +134692,7 @@ index 4a88fa1..fe91700 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -511,6 +801,7 @@ ifdef(`distro_redhat',`
+@@ -511,6 +802,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -134649,7 +134700,7 @@ index 4a88fa1..fe91700 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -531,6 +822,7 @@ ifdef(`distro_redhat',`
+@@ -531,6 +823,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t)
@@ -134657,7 +134708,7 @@ index 4a88fa1..fe91700 100644
miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
-@@ -540,8 +832,40 @@ ifdef(`distro_redhat',`
+@@ -540,8 +833,40 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -134698,7 +134749,7 @@ index 4a88fa1..fe91700 100644
')
optional_policy(`
-@@ -549,14 +873,31 @@ ifdef(`distro_redhat',`
+@@ -549,14 +874,31 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -134730,7 +134781,7 @@ index 4a88fa1..fe91700 100644
')
')
-@@ -567,6 +908,39 @@ ifdef(`distro_suse',`
+@@ -567,6 +909,39 @@ ifdef(`distro_suse',`
')
')
@@ -134770,7 +134821,7 @@ index 4a88fa1..fe91700 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -579,6 +953,8 @@ optional_policy(`
+@@ -579,6 +954,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -134779,7 +134830,7 @@ index 4a88fa1..fe91700 100644
')
optional_policy(`
-@@ -600,6 +976,7 @@ optional_policy(`
+@@ -600,6 +977,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -134787,7 +134838,7 @@ index 4a88fa1..fe91700 100644
')
optional_policy(`
-@@ -612,6 +989,17 @@ optional_policy(`
+@@ -612,6 +990,17 @@ optional_policy(`
')
optional_policy(`
@@ -134805,7 +134856,7 @@ index 4a88fa1..fe91700 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -628,9 +1016,13 @@ optional_policy(`
+@@ -628,9 +1017,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -134819,7 +134870,7 @@ index 4a88fa1..fe91700 100644
')
optional_policy(`
-@@ -655,6 +1047,10 @@ optional_policy(`
+@@ -655,6 +1048,10 @@ optional_policy(`
')
optional_policy(`
@@ -134830,7 +134881,7 @@ index 4a88fa1..fe91700 100644
gpm_setattr_gpmctl(initrc_t)
')
-@@ -672,6 +1068,15 @@ optional_policy(`
+@@ -672,6 +1069,15 @@ optional_policy(`
')
optional_policy(`
@@ -134846,7 +134897,7 @@ index 4a88fa1..fe91700 100644
inn_exec_config(initrc_t)
')
-@@ -712,6 +1117,7 @@ optional_policy(`
+@@ -712,6 +1118,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@@ -134854,7 +134905,7 @@ index 4a88fa1..fe91700 100644
')
optional_policy(`
-@@ -729,7 +1135,14 @@ optional_policy(`
+@@ -729,7 +1136,14 @@ optional_policy(`
')
optional_policy(`
@@ -134869,7 +134920,7 @@ index 4a88fa1..fe91700 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -752,6 +1165,10 @@ optional_policy(`
+@@ -752,6 +1166,10 @@ optional_policy(`
')
optional_policy(`
@@ -134880,7 +134931,7 @@ index 4a88fa1..fe91700 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -761,10 +1178,20 @@ optional_policy(`
+@@ -761,10 +1179,20 @@ optional_policy(`
')
optional_policy(`
@@ -134901,7 +134952,7 @@ index 4a88fa1..fe91700 100644
quota_manage_flags(initrc_t)
')
-@@ -773,6 +1200,10 @@ optional_policy(`
+@@ -773,6 +1201,10 @@ optional_policy(`
')
optional_policy(`
@@ -134912,7 +134963,7 @@ index 4a88fa1..fe91700 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -794,8 +1225,6 @@ optional_policy(`
+@@ -794,8 +1226,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -134921,7 +134972,7 @@ index 4a88fa1..fe91700 100644
')
optional_policy(`
-@@ -804,6 +1233,10 @@ optional_policy(`
+@@ -804,6 +1234,10 @@ optional_policy(`
')
optional_policy(`
@@ -134932,7 +134983,7 @@ index 4a88fa1..fe91700 100644
# shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t)
')
-@@ -813,10 +1246,12 @@ optional_policy(`
+@@ -813,10 +1247,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@@ -134945,7 +134996,7 @@ index 4a88fa1..fe91700 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -828,8 +1263,6 @@ optional_policy(`
+@@ -828,8 +1264,6 @@ optional_policy(`
')
optional_policy(`
@@ -134954,7 +135005,7 @@ index 4a88fa1..fe91700 100644
udev_manage_pid_files(initrc_t)
udev_manage_pid_dirs(initrc_t)
udev_manage_rules_files(initrc_t)
-@@ -840,12 +1273,30 @@ optional_policy(`
+@@ -840,12 +1274,30 @@ optional_policy(`
')
optional_policy(`
@@ -134987,7 +135038,7 @@ index 4a88fa1..fe91700 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -855,6 +1306,18 @@ optional_policy(`
+@@ -855,6 +1307,18 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -135006,7 +135057,7 @@ index 4a88fa1..fe91700 100644
')
optional_policy(`
-@@ -870,6 +1333,10 @@ optional_policy(`
+@@ -870,6 +1334,10 @@ optional_policy(`
')
optional_policy(`
@@ -135017,7 +135068,7 @@ index 4a88fa1..fe91700 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -880,3 +1347,185 @@ optional_policy(`
+@@ -880,3 +1348,185 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -148307,7 +148358,7 @@ index e720dcd..53ea674 100644
+ filetrans_pattern($1, user_tmpfs_t, $2, $3, $4)
+')
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index 6a4bd85..4f23ca8 100644
+index 6a4bd85..0d03483 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -7,48 +7,42 @@ policy_module(userdomain, 4.8.0)
@@ -148393,7 +148444,7 @@ index 6a4bd85..4f23ca8 100644
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
fs_associate_tmpfs(user_home_dir_t)
files_type(user_home_dir_t)
-@@ -71,26 +81,122 @@ ubac_constrained(user_home_dir_t)
+@@ -71,26 +81,124 @@ ubac_constrained(user_home_dir_t)
type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@@ -148518,6 +148569,8 @@ index 6a4bd85..4f23ca8 100644
+ fs_manage_ecryptfs_files(userdom_home_manager_type)
+ fs_manage_ecryptfs_files(userdom_home_manager_type)
+')
++# vi /etc/mtab can cause an avc trying to relabel to self.
++dontaudit userdomain self:file relabelto;
diff --git a/policy/support/misc_patterns.spt b/policy/support/misc_patterns.spt
index e79d545..101086d 100644
--- a/policy/support/misc_patterns.spt
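Review bot: The comment on `dontaudit userdomain self:file relabelto;` should say what the target actually is: `self:file` matches files labelled with the process's own domain type, which for "vi /etc/mtab" is presumably the `/proc/self/mounts` the symlink resolves to, since proc entries carry the owning process's domain — confirm and write it down, e.g. `# vi on /etc/mtab (a symlink into /proc/self, labelled with the editor's own domain) tries to relabel the file to the process type; silence it`. Because the rule is on the `userdomain` attribute it applies to every user domain, confined or not, which is harmless for a dontaudit but worth stating on the line.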
diff --git a/policy-f18-contrib.patch b/policy-f18-contrib.patch
index 1b100a3..dbf0db2 100644
--- a/policy-f18-contrib.patch
+++ b/policy-f18-contrib.patch
@@ -366,7 +366,7 @@ index 0b827c5..cce58bb 100644
+ dontaudit $1 abrt_t:sock_file write;
')
diff --git a/abrt.te b/abrt.te
-index 30861ec..864d511 100644
+index 30861ec..6d98338 100644
--- a/abrt.te
+++ b/abrt.te
@@ -5,13 +5,33 @@ policy_module(abrt, 1.2.0)
@@ -485,22 +485,21 @@ index 30861ec..864d511 100644
# abrt var/cache files
manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
-@@ -82,10 +137,12 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
+@@ -82,10 +137,11 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
-files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir })
+files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir sock_file })
-+
-+kernel_read_ring_buffer(abrt_t)
-+kernel_request_load_module(abrt_t)
kernel_read_ring_buffer(abrt_t)
-kernel_read_system_state(abrt_t)
++kernel_read_network_state(abrt_t)
++kernel_request_load_module(abrt_t)
kernel_rw_kernel_sysctl(abrt_t)
corecmd_exec_bin(abrt_t)
-@@ -93,7 +150,6 @@ corecmd_exec_shell(abrt_t)
+@@ -93,7 +149,6 @@ corecmd_exec_shell(abrt_t)
corecmd_read_all_executables(abrt_t)
corenet_all_recvfrom_netlabel(abrt_t)
@@ -508,7 +507,7 @@ index 30861ec..864d511 100644
corenet_tcp_sendrecv_generic_if(abrt_t)
corenet_tcp_sendrecv_generic_node(abrt_t)
corenet_tcp_sendrecv_generic_port(abrt_t)
-@@ -104,6 +160,8 @@ corenet_tcp_connect_all_ports(abrt_t)
+@@ -104,6 +159,8 @@ corenet_tcp_connect_all_ports(abrt_t)
corenet_sendrecv_http_client_packets(abrt_t)
dev_getattr_all_chr_files(abrt_t)
@@ -517,7 +516,7 @@ index 30861ec..864d511 100644
dev_read_urand(abrt_t)
dev_rw_sysfs(abrt_t)
dev_dontaudit_read_raw_memory(abrt_t)
-@@ -113,7 +171,8 @@ domain_read_all_domains_state(abrt_t)
+@@ -113,7 +170,8 @@ domain_read_all_domains_state(abrt_t)
domain_signull_all_domains(abrt_t)
files_getattr_all_files(abrt_t)
@@ -527,7 +526,7 @@ index 30861ec..864d511 100644
files_read_var_symlinks(abrt_t)
files_read_var_lib_files(abrt_t)
files_read_usr_files(abrt_t)
-@@ -121,6 +180,9 @@ files_read_generic_tmp_files(abrt_t)
+@@ -121,6 +179,9 @@ files_read_generic_tmp_files(abrt_t)
files_read_kernel_modules(abrt_t)
files_dontaudit_list_default(abrt_t)
files_dontaudit_read_default_files(abrt_t)
@@ -537,7 +536,7 @@ index 30861ec..864d511 100644
fs_list_inotifyfs(abrt_t)
fs_getattr_all_fs(abrt_t)
-@@ -131,22 +193,37 @@ fs_read_nfs_files(abrt_t)
+@@ -131,22 +192,37 @@ fs_read_nfs_files(abrt_t)
fs_read_nfs_symlinks(abrt_t)
fs_search_all(abrt_t)
@@ -579,7 +578,7 @@ index 30861ec..864d511 100644
')
optional_policy(`
-@@ -167,6 +244,7 @@ optional_policy(`
+@@ -167,6 +243,7 @@ optional_policy(`
rpm_exec(abrt_t)
rpm_dontaudit_manage_db(abrt_t)
rpm_manage_cache(abrt_t)
@@ -587,7 +586,7 @@ index 30861ec..864d511 100644
rpm_manage_pid_files(abrt_t)
rpm_read_db(abrt_t)
rpm_signull(abrt_t)
-@@ -178,9 +256,36 @@ optional_policy(`
+@@ -178,9 +255,36 @@ optional_policy(`
')
optional_policy(`
@@ -624,7 +623,7 @@ index 30861ec..864d511 100644
########################################
#
# abrt--helper local policy
-@@ -200,9 +305,11 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
+@@ -200,9 +304,11 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
@@ -637,7 +636,7 @@ index 30861ec..864d511 100644
fs_list_inotifyfs(abrt_helper_t)
fs_getattr_all_fs(abrt_helper_t)
-@@ -211,12 +318,11 @@ auth_use_nsswitch(abrt_helper_t)
+@@ -211,12 +317,11 @@ auth_use_nsswitch(abrt_helper_t)
logging_send_syslog_msg(abrt_helper_t)
@@ -652,7 +651,7 @@ index 30861ec..864d511 100644
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -224,4 +330,149 @@ ifdef(`hide_broken_symptoms', `
+@@ -224,4 +329,149 @@ ifdef(`hide_broken_symptoms', `
dev_dontaudit_write_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_blk_files(abrt_helper_t)
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -5816,7 +5815,7 @@ index cf8e59f..ad57d4a 100644
-
-miscfiles_read_localization(bcfg2_t)
diff --git a/bind.fc b/bind.fc
-index 59aa54f..b01072c 100644
+index 59aa54f..005bb7e 100644
--- a/bind.fc
+++ b/bind.fc
@@ -4,6 +4,11 @@
@@ -5831,6 +5830,14 @@ index 59aa54f..b01072c 100644
/usr/sbin/lwresd -- gen_context(system_u:object_r:named_exec_t,s0)
/usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0)
+@@ -40,6 +45,7 @@ ifdef(`distro_redhat',`
+ /etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0)
+ /etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+ /etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
++/var/lib/unbound(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+ /var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
+ /var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+ /var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
diff --git a/bind.if b/bind.if
index 44a1e3d..bc50fd6 100644
--- a/bind.if
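Review bot: Labelling `/var/lib/unbound(/.*)?` as named_cache_t makes unbound's state directory — where the DNSSEC root trust anchor (root.key) is normally kept — writable by named_t, so a compromised or misbehaving BIND could rewrite the anchor unbound validates against. The commit message says the intent is to let named write there, presumably for a shared managed-keys setup — confirm, and record it in the fc so the cross-daemon trust is visible, e.g. `# shared with named for managed keys: named_t may write here`. If unbound itself runs confined, its domain also needs access to named_cache_t under this label, which is outside the hunk; the entry sits inside the `distro_redhat` block, so only Fedora/RHEL builds are affected.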
@@ -6312,7 +6319,7 @@ index 6355318..98ba16a 100644
/var/lib/blueman(/.*)? gen_context(system_u:object_r:blueman_var_lib_t,s0)
diff --git a/blueman.te b/blueman.te
-index 70969fa..4d18e6e 100644
+index 70969fa..63ed14f 100644
--- a/blueman.te
+++ b/blueman.te
@@ -7,23 +7,35 @@ policy_module(blueman, 1.0.0)
@@ -6334,7 +6341,7 @@ index 70969fa..4d18e6e 100644
#
+
+allow blueman_t self:capability { net_admin sys_nice };
-+allow blueman_t self:process { signal_perms setsched };
++allow blueman_t self:process { execmem signal_perms setsched };
+
allow blueman_t self:fifo_file rw_fifo_file_perms;
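Review bot: Adding `execmem` to `allow blueman_t self:process { execmem signal_perms setsched };` lets the daemon map anonymous writable-and-executable memory, which removes the W^X protection from a domain that also holds `net_admin`, and the reason (python ctypes/libffi closures, per the commit message) is not recorded in the .te. Put it on the line, e.g. `# blueman is python; ctypes/libffi closures need anonymous executable memory (execmem)`, so the next reviewer neither drops nor widens it silently. If other python daemons in this policy gate execmem behind a boolean, the same treatment here would keep the default tighter.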
@@ -8877,10 +8884,10 @@ index 0000000..efebae7
+')
diff --git a/chrome.te b/chrome.te
new file mode 100644
-index 0000000..32ff486
+index 0000000..22ef64d
--- /dev/null
+++ b/chrome.te
-@@ -0,0 +1,195 @@
+@@ -0,0 +1,196 @@
+policy_module(chrome,1.0.0)
+
+########################################
@@ -9074,6 +9081,7 @@ index 0000000..32ff486
+userdom_dontaudit_read_user_home_content_files(chrome_sandbox_nacl_t)
+
+optional_policy(`
++ gnome_dontaudit_append_config_files(chrome_sandbox_nacl_t)
+ gnome_dontaudit_write_config_files(chrome_sandbox_nacl_t)
+')
diff --git a/chronyd.fc b/chronyd.fc
@@ -16077,7 +16085,7 @@ index fb4bf82..126d543 100644
+ dontaudit $1 session_bus_type:dbus send_msg;
')
diff --git a/dbus.te b/dbus.te
-index 625cb32..087cecf 100644
+index 625cb32..4dee5a0 100644
--- a/dbus.te
+++ b/dbus.te
@@ -10,6 +10,7 @@ gen_require(`
@@ -16201,7 +16209,7 @@ index 625cb32..087cecf 100644
policykit_dbus_chat(system_dbusd_t)
policykit_domtrans_auth(system_dbusd_t)
policykit_search_lib(system_dbusd_t)
-@@ -150,12 +185,162 @@ optional_policy(`
+@@ -150,12 +185,163 @@ optional_policy(`
')
optional_policy(`
@@ -16336,6 +16344,7 @@ index 625cb32..087cecf 100644
+userdom_tmpfs_filetrans(session_bus_type, file)
+
+optional_policy(`
++ gnome_read_config(session_bus_type)
+ gnome_read_gconf_home_files(session_bus_type)
+')
+
@@ -21292,10 +21301,10 @@ index 0000000..c4c7510
+')
diff --git a/firewalld.te b/firewalld.te
new file mode 100644
-index 0000000..90c8ee3
+index 0000000..b462d7b
--- /dev/null
+++ b/firewalld.te
-@@ -0,0 +1,95 @@
+@@ -0,0 +1,97 @@
+
+policy_module(firewalld,1.0.0)
+
@@ -21357,8 +21366,10 @@ index 0000000..90c8ee3
+
+files_read_etc_files(firewalld_t)
+files_read_usr_files(firewalld_t)
++files_dontaudit_access_check_tmp(firewalld_t)
+
+fs_getattr_xattr_fs(firewalld_t)
++fs_dontaudit_all_access_check(firewalld_t)
+
+auth_use_nsswitch(firewalld_t)
+
@@ -23560,10 +23571,10 @@ index 00a19e3..52e5a3a 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/gnome.if b/gnome.if
-index f5afe78..69577c7 100644
+index f5afe78..2d6e6bb 100644
--- a/gnome.if
+++ b/gnome.if
-@@ -1,44 +1,1048 @@
+@@ -1,44 +1,1067 @@
## <summary>GNU network object model environment (GNOME)</summary>
-############################################################
@@ -23822,6 +23833,25 @@ index f5afe78..69577c7 100644
+## </summary>
+## </param>
+#
++interface(`gnome_dontaudit_append_config_files',`
++ gen_require(`
++ attribute gnome_home_type;
++ ')
++
++ dontaudit $1 gnome_home_type:file append;
++')
++
++
++########################################
++## <summary>
++## Dontaudit write gnome homedir content (.config)
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
+interface(`gnome_dontaudit_write_config_files',`
+ gen_require(`
+ attribute gnome_home_type;
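Review bot: The new `gnome_dontaudit_append_config_files` interface is inserted directly under the pre-existing `<summary>`/`<param>` block, so that block (its opening lines are outside the hunk) now documents the append interface while the fresh summary added at L1881-L1889 documents `gnome_dontaudit_write_config_files`; confirm the older block's text says append, not write, or the two descriptions end up swapped. The two consecutive blank lines at L1878-L1879 also break the single-blank spacing used between interfaces elsewhere in gnome.if.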
@@ -24630,7 +24660,7 @@ index f5afe78..69577c7 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -46,37 +1050,91 @@ interface(`gnome_role',`
+@@ -46,37 +1069,91 @@ interface(`gnome_role',`
## </summary>
## </param>
#
@@ -24733,7 +24763,7 @@ index f5afe78..69577c7 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -84,37 +1142,107 @@ template(`gnome_read_gconf_config',`
+@@ -84,37 +1161,107 @@ template(`gnome_read_gconf_config',`
## </summary>
## </param>
#
@@ -24852,7 +24882,7 @@ index f5afe78..69577c7 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -122,17 +1250,36 @@ interface(`gnome_stream_connect_gconf',`
+@@ -122,17 +1269,36 @@ interface(`gnome_stream_connect_gconf',`
## </summary>
## </param>
#
@@ -24893,7 +24923,7 @@ index f5afe78..69577c7 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -140,51 +1287,279 @@ interface(`gnome_domtrans_gconfd',`
+@@ -140,51 +1306,279 @@ interface(`gnome_domtrans_gconfd',`
## </summary>
## </param>
#
@@ -25190,7 +25220,7 @@ index f5afe78..69577c7 100644
+ type_transition $1 gkeyringd_exec_t:process $2;
+')
diff --git a/gnome.te b/gnome.te
-index 783c5fb..7757943 100644
+index 783c5fb..3a0a272 100644
--- a/gnome.te
+++ b/gnome.te
@@ -6,11 +6,31 @@ policy_module(gnome, 2.2.0)
@@ -25269,7 +25299,7 @@ index 783c5fb..7757943 100644
logging_send_syslog_msg(gconfd_t)
-@@ -73,3 +113,163 @@ optional_policy(`
+@@ -73,3 +113,167 @@ optional_policy(`
xserver_use_xdm_fds(gconfd_t)
xserver_rw_xdm_pipes(gconfd_t)
')
@@ -25387,7 +25417,11 @@ index 783c5fb..7757943 100644
+
+manage_dirs_pattern(gkeyringd_domain, gkeyringd_gnome_home_t, gkeyringd_gnome_home_t)
+manage_files_pattern(gkeyringd_domain, gkeyringd_gnome_home_t, gkeyringd_gnome_home_t)
-+filetrans_pattern(gkeyringd_domain, gnome_home_t, gkeyringd_gnome_home_t, dir)
++allow gkeyringd_domain data_home_t:dir create_dir_perms;
++allow gkeyringd_domain gconf_home_t:dir create_dir_perms;
++filetrans_pattern(gkeyringd_domain, gconf_home_t, data_home_t, dir, "share")
++filetrans_pattern(gkeyringd_domain, gnome_home_t, gkeyringd_gnome_home_t, dir, "keyrings")
++filetrans_pattern(gkeyringd_domain, gnome_home_t, data_home_t, dir, "keyrings")
+
+manage_dirs_pattern(gkeyringd_domain, gkeyringd_tmp_t, gkeyringd_tmp_t)
+manage_sock_files_pattern(gkeyringd_domain, gkeyringd_tmp_t, gkeyringd_tmp_t)
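Review bot: L1953 and L1954 both add a named type transition for gkeyringd_domain creating a "keyrings" directory under gnome_home_t, once to gkeyringd_gnome_home_t and once to data_home_t; as far as I know checkpolicy rejects two type_transition rules that share source, target, class and object name but differ in result type, and even if it did not, only one label can win. Keep the one that matches the intended label of ~/.local/share/keyrings (the manage rules two lines above suggest gkeyringd_gnome_home_t) and drop the other. The `create_dir_perms` grants on data_home_t and gconf_home_t are also broader than the single subdirectory the transitions create; `search_dir_perms` plus the filetrans may be all the daemon needs, which is worth checking against the denial.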
@@ -25410,7 +25444,7 @@ index 783c5fb..7757943 100644
+fs_getattr_xattr_fs(gkeyringd_domain)
+fs_getattr_tmpfs(gkeyringd_domain)
+
-+userdom_user_home_dir_filetrans(gkeyringd_domain, gnome_home_t, dir)
++userdom_user_home_dir_filetrans(gkeyringd_domain, gconf_home_t, dir, ".local")
+
+optional_policy(`
+ xserver_append_xdm_home_files(gkeyringd_domain)
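Review bot: Creating `.local` in the user's home as gconf_home_t is not self-explanatory, since the name suggests GConf rather than the XDG data root, and the only hint is the "share" transition to data_home_t in the preceding hunk. A comment on the new line would save the next reader the search: `# ~/.local is gconf_home_t here; its "share" child transitions to data_home_t`.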
@@ -25589,7 +25623,7 @@ index 5207fc2..c02fa56 100644
/usr/lib/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0)
diff --git a/gpg.if b/gpg.if
-index 6d50300..2f0feca 100644
+index 6d50300..951b790 100644
--- a/gpg.if
+++ b/gpg.if
@@ -54,15 +54,16 @@ interface(`gpg_role',`
@@ -25676,11 +25710,29 @@ index 6d50300..2f0feca 100644
########################################
## <summary>
## Send generic signals to user gpg processes.
-@@ -179,3 +218,21 @@ interface(`gpg_list_user_secrets',`
+@@ -179,3 +218,39 @@ interface(`gpg_list_user_secrets',`
list_dirs_pattern($1, gpg_secret_t, gpg_secret_t)
userdom_search_user_home_dirs($1)
')
++###########################
++## <summary>
++## Allow to manage gpg named home content
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`gpg_manage_home_content',`
++ gen_require(`
++ type gpg_secret_t;
++ ')
+
++ manage_files_pattern($1, gpg_secret_t, gpg_secret_t)
++ manage_dirs_pattern($1, gpg_secret_t, gpg_secret_t)
++ userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg")
++')
+########################################
+## <summary>
+## Transition to gpg named home content
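Review bot: `gpg_manage_home_content` hands the caller create, write and delete on gpg_secret_t — the user's ~/.gnupg including private keyrings — plus a transition that creates the directory, but its summary only says "manage gpg named home content"; the summary should state that, e.g. `## Create, read, write, and delete the user's gpg home content (.gnupg), including secret keyrings.`, so callers see what they are granting. The header bar at L1984 is also shorter than the 40-character bar used for the other interfaces in this file (L2003), and the interface is glued to the preceding `')` at L1983 and to the following header at L2003 with no separating blank line, while the existing blank at L1998 now sits inside the new interface.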
@@ -26131,7 +26183,7 @@ index a627b34..0120907 100644
optional_policy(`
seutil_sigchld_newrole(gpm_t)
diff --git a/gpsd.te b/gpsd.te
-index 03742d8..4fefc6e 100644
+index 03742d8..cf95bdd 100644
--- a/gpsd.te
+++ b/gpsd.te
@@ -24,8 +24,9 @@ files_pid_file(gpsd_var_run_t)
@@ -26146,7 +26198,7 @@ index 03742d8..4fefc6e 100644
allow gpsd_t self:shm create_shm_perms;
allow gpsd_t self:unix_dgram_socket { create_socket_perms sendto };
allow gpsd_t self:tcp_socket create_stream_socket_perms;
-@@ -38,22 +39,34 @@ manage_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t)
+@@ -38,22 +39,35 @@ manage_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t)
manage_sock_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t)
files_pid_filetrans(gpsd_t, gpsd_var_run_t, { file sock_file })
@@ -26170,6 +26222,7 @@ index 03742d8..4fefc6e 100644
term_use_unallocated_ttys(gpsd_t)
term_setattr_unallocated_ttys(gpsd_t)
+term_use_usb_ttys(gpsd_t)
++term_setattr_usb_ttys(gpsd_t)
auth_use_nsswitch(gpsd_t)
@@ -36996,7 +37049,7 @@ index c358d8f..1cc176c 100644
init_labeled_script_domtrans($1, munin_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/munin.te b/munin.te
-index f17583b..addfbf2 100644
+index f17583b..fea9b77 100644
--- a/munin.te
+++ b/munin.te
@@ -5,6 +5,8 @@ policy_module(munin, 1.8.0)
@@ -37144,7 +37197,14 @@ index f17583b..addfbf2 100644
sysnet_read_config(disk_munin_plugin_t)
-@@ -221,30 +244,47 @@ rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
+@@ -217,34 +240,56 @@ optional_policy(`
+
+ allow mail_munin_plugin_t self:capability dac_override;
+
++allow mail_munin_plugin_t self:tcp_socket create_stream_socket_perms;
++allow mail_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms;
++
+ rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
dev_read_urand(mail_munin_plugin_t)
@@ -37152,21 +37212,23 @@ index f17583b..addfbf2 100644
+logging_read_generic_logs(mail_munin_plugin_t)
-fs_getattr_all_fs(mail_munin_plugin_t)
++sysnet_read_config(mail_munin_plugin_t)
+
+-logging_read_generic_logs(mail_munin_plugin_t)
+optional_policy(`
+ exim_read_log(mail_munin_plugin_t)
+')
--logging_read_generic_logs(mail_munin_plugin_t)
+-mta_read_config(mail_munin_plugin_t)
+-mta_send_mail(mail_munin_plugin_t)
+-mta_read_queue(mail_munin_plugin_t)
+optional_policy(`
+ mta_read_config(mail_munin_plugin_t)
+ mta_send_mail(mail_munin_plugin_t)
+ mta_list_queue(mail_munin_plugin_t)
+ mta_read_queue(mail_munin_plugin_t)
+')
-
--mta_read_config(mail_munin_plugin_t)
--mta_send_mail(mail_munin_plugin_t)
--mta_read_queue(mail_munin_plugin_t)
++
+optional_policy(`
+ nscd_socket_use(mail_munin_plugin_t)
+')
@@ -37198,7 +37260,7 @@ index f17583b..addfbf2 100644
allow services_munin_plugin_t self:tcp_socket create_stream_socket_perms;
allow services_munin_plugin_t self:udp_socket create_socket_perms;
allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms;
-@@ -255,13 +295,10 @@ corenet_tcp_connect_http_port(services_munin_plugin_t)
+@@ -255,13 +300,10 @@ corenet_tcp_connect_http_port(services_munin_plugin_t)
dev_read_urand(services_munin_plugin_t)
dev_read_rand(services_munin_plugin_t)
@@ -37213,7 +37275,7 @@ index f17583b..addfbf2 100644
cups_stream_connect(services_munin_plugin_t)
')
-@@ -279,6 +316,14 @@ optional_policy(`
+@@ -279,6 +321,14 @@ optional_policy(`
')
optional_policy(`
@@ -37228,7 +37290,7 @@ index f17583b..addfbf2 100644
postgresql_stream_connect(services_munin_plugin_t)
')
-@@ -286,6 +331,18 @@ optional_policy(`
+@@ -286,6 +336,18 @@ optional_policy(`
snmp_read_snmp_var_lib_files(services_munin_plugin_t)
')
@@ -37247,23 +37309,23 @@ index f17583b..addfbf2 100644
##################################
#
# local policy for system plugins
-@@ -295,12 +352,10 @@ allow system_munin_plugin_t self:udp_socket create_socket_perms;
+@@ -295,12 +357,10 @@ allow system_munin_plugin_t self:udp_socket create_socket_perms;
rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
-kernel_read_network_state(system_munin_plugin_t)
-kernel_read_all_sysctls(system_munin_plugin_t)
--
--corecmd_exec_shell(system_munin_plugin_t)
+# needed by munin_* plugins
+read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t)
+-corecmd_exec_shell(system_munin_plugin_t)
+-
-fs_getattr_all_fs(system_munin_plugin_t)
+kernel_read_network_state(system_munin_plugin_t)
dev_read_sysfs(system_munin_plugin_t)
dev_read_urand(system_munin_plugin_t)
-@@ -313,3 +368,47 @@ init_read_utmp(system_munin_plugin_t)
+@@ -313,3 +373,47 @@ init_read_utmp(system_munin_plugin_t)
sysnet_exec_ifconfig(system_munin_plugin_t)
term_getattr_unallocated_ttys(system_munin_plugin_t)
@@ -38758,7 +38820,7 @@ index 2324d9e..96dbf6f 100644
+ files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireed-settings.conf")
+')
diff --git a/networkmanager.te b/networkmanager.te
-index 0619395..a953cf1 100644
+index 0619395..c0e8f13 100644
--- a/networkmanager.te
+++ b/networkmanager.te
@@ -12,6 +12,15 @@ init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)
@@ -38947,7 +39009,7 @@ index 0619395..a953cf1 100644
')
optional_policy(`
-@@ -202,23 +258,45 @@ optional_policy(`
+@@ -202,23 +258,49 @@ optional_policy(`
')
optional_policy(`
@@ -38966,6 +39028,10 @@ index 0619395..a953cf1 100644
')
optional_policy(`
++ l2tpd_domtrans(NetworkManager_t)
++')
++
++optional_policy(`
+ netutils_exec_ping(NetworkManager_t)
+')
+
@@ -38993,7 +39059,7 @@ index 0619395..a953cf1 100644
openvpn_domtrans(NetworkManager_t)
openvpn_kill(NetworkManager_t)
openvpn_signal(NetworkManager_t)
-@@ -234,6 +312,10 @@ optional_policy(`
+@@ -234,6 +316,10 @@ optional_policy(`
')
optional_policy(`
@@ -39004,7 +39070,7 @@ index 0619395..a953cf1 100644
ppp_initrc_domtrans(NetworkManager_t)
ppp_domtrans(NetworkManager_t)
ppp_manage_pid_files(NetworkManager_t)
-@@ -241,6 +323,7 @@ optional_policy(`
+@@ -241,6 +327,7 @@ optional_policy(`
ppp_signal(NetworkManager_t)
ppp_signull(NetworkManager_t)
ppp_read_config(NetworkManager_t)
@@ -39012,7 +39078,7 @@ index 0619395..a953cf1 100644
')
optional_policy(`
-@@ -254,6 +337,12 @@ optional_policy(`
+@@ -254,6 +341,12 @@ optional_policy(`
')
optional_policy(`
@@ -39025,7 +39091,7 @@ index 0619395..a953cf1 100644
udev_exec(NetworkManager_t)
udev_read_db(NetworkManager_t)
')
-@@ -263,6 +352,7 @@ optional_policy(`
+@@ -263,6 +356,7 @@ optional_policy(`
vpn_kill(NetworkManager_t)
vpn_signal(NetworkManager_t)
vpn_signull(NetworkManager_t)
@@ -39033,7 +39099,7 @@ index 0619395..a953cf1 100644
')
########################################
-@@ -284,6 +374,5 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
+@@ -284,6 +378,5 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
init_dontaudit_use_fds(wpa_cli_t)
init_use_script_ptys(wpa_cli_t)
@@ -39824,10 +39890,10 @@ index 623b731..429bd79 100644
+
+/usr/lib/systemd/system/nscd\.service -- gen_context(system_u:object_r:nscd_unit_file_t,s0)
diff --git a/nscd.if b/nscd.if
-index 85188dc..2b37836 100644
+index 85188dc..685270c 100644
--- a/nscd.if
+++ b/nscd.if
-@@ -116,7 +116,26 @@ interface(`nscd_socket_use',`
+@@ -116,7 +116,44 @@ interface(`nscd_socket_use',`
dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv };
files_search_pids($1)
stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t)
@@ -39852,10 +39918,28 @@ index 85188dc..2b37836 100644
+ ',`
+ nscd_socket_use($1)
+ ')
++')
++
++########################################
++## <summary>
++## Do not audit attempts to write nscd sock files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`nscd_dontaudit_write_sock_file',`
++ gen_require(`
++ type nscd_t;
++ ')
++
++ dontaudit $1 nscd_t:sock_file write;
')
########################################
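Review bot: The new dontaudit targets `nscd_t:sock_file write`, whereas the connect path in `nscd_socket_use` two lines above the hunk (L2200) treats the socket file as nscd_var_run_t, so this rule will not match a write attempt on a socket carrying that label. If the denial it answers really showed the sock_file labeled nscd_t (which can happen when the socket is created outside the pid filetrans), a comment saying so would help; otherwise the rule should name nscd_var_run_t, or both if both occur: `dontaudit $1 { nscd_t nscd_var_run_t }:sock_file write;`. The only caller added in this commit is thumb_t (L2478), so the hunk is the place to settle which label is meant.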
-@@ -146,11 +165,14 @@ interface(`nscd_shm_use',`
+@@ -146,11 +183,14 @@ interface(`nscd_shm_use',`
# nscd_socket_domain macro. need to investigate
# if they are all actually required
allow $1 self:unix_stream_socket create_stream_socket_perms;
@@ -39873,7 +39957,7 @@ index 85188dc..2b37836 100644
')
########################################
-@@ -168,7 +190,7 @@ interface(`nscd_dontaudit_search_pid',`
+@@ -168,7 +208,7 @@ interface(`nscd_dontaudit_search_pid',`
type nscd_var_run_t;
')
@@ -39882,7 +39966,7 @@ index 85188dc..2b37836 100644
')
########################################
-@@ -224,6 +246,7 @@ interface(`nscd_unconfined',`
+@@ -224,6 +264,7 @@ interface(`nscd_unconfined',`
## Role allowed access.
## </summary>
## </param>
@@ -39890,7 +39974,7 @@ index 85188dc..2b37836 100644
#
interface(`nscd_run',`
gen_require(`
-@@ -254,6 +277,29 @@ interface(`nscd_initrc_domtrans',`
+@@ -254,6 +295,29 @@ interface(`nscd_initrc_domtrans',`
########################################
## <summary>
@@ -39920,7 +40004,7 @@ index 85188dc..2b37836 100644
## All of the rules required to administrate
## an nscd environment
## </summary>
-@@ -273,10 +319,14 @@ interface(`nscd_admin',`
+@@ -273,10 +337,14 @@ interface(`nscd_admin',`
gen_require(`
type nscd_t, nscd_log_t, nscd_var_run_t;
type nscd_initrc_exec_t;
@@ -39936,7 +40020,7 @@ index 85188dc..2b37836 100644
init_labeled_script_domtrans($1, nscd_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -288,4 +338,8 @@ interface(`nscd_admin',`
+@@ -288,4 +356,8 @@ interface(`nscd_admin',`
files_list_pids($1)
admin_pattern($1, nscd_var_run_t)
@@ -43887,10 +43971,10 @@ index 0000000..14f29e4
+')
diff --git a/openvswitch.te b/openvswitch.te
new file mode 100644
-index 0000000..f6e0f04
+index 0000000..b8995a2
--- /dev/null
+++ b/openvswitch.te
-@@ -0,0 +1,84 @@
+@@ -0,0 +1,90 @@
+policy_module(openvswitch, 1.0.0)
+
+########################################
@@ -43953,6 +44037,7 @@ index 0000000..f6e0f04
+
+kernel_read_network_state(openvswitch_t)
+kernel_read_system_state(openvswitch_t)
++kernel_request_load_module(openvswitch_t)
+
+corecmd_exec_bin(openvswitch_t)
+
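Review bot: `kernel_request_load_module(openvswitch_t)` here, with `files_read_kernel_modules` (L2294) and `modutils_exec_insmod` plus module-config reads (L2302-L2304) in the following hunks, lets the daemon run insmod inside its own domain; that only works if openvswitch_t also holds sys_module, which is not visible in these hunks, and once it does the domain is effectively kernel-privileged. If the goal is just to get the openvswitch module loaded, the request_module path alone may suffice, or `modutils_domtrans_insmod(openvswitch_t)` keeps the actual loading inside insmod_t. A comment naming which module is expected would make the intent reviewable, e.g. `# openvswitch loads its own kernel module at start — TODO confirm sys_module is needed`.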
@@ -43961,6 +44046,7 @@ index 0000000..f6e0f04
+domain_use_interactive_fds(openvswitch_t)
+
+files_read_etc_files(openvswitch_t)
++files_read_kernel_modules(openvswitch_t)
+
+fs_getattr_all_fs(openvswitch_t)
+fs_search_cgroup_dirs(openvswitch_t)
@@ -43969,6 +44055,10 @@ index 0000000..f6e0f04
+
+logging_send_syslog_msg(openvswitch_t)
+
++modutils_exec_insmod(openvswitch_t)
++modutils_list_module_config(openvswitch_t)
++modutils_read_module_config(openvswitch_t)
++
+sysnet_dns_name_resolve(openvswitch_t)
+
+optional_policy(`
@@ -48725,7 +48815,7 @@ index 46bee12..20a3ccd 100644
+ postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
+')
diff --git a/postfix.te b/postfix.te
-index a1e0f60..ae56a3e 100644
+index a1e0f60..ca44603 100644
--- a/postfix.te
+++ b/postfix.te
@@ -5,6 +5,15 @@ policy_module(postfix, 1.14.0)
@@ -49308,7 +49398,7 @@ index a1e0f60..ae56a3e 100644
+files_read_usr_files(postfix_domain)
+files_read_usr_symlinks(postfix_domain)
+files_search_spool(postfix_domain)
-+files_getattr_tmp_dirs(postfix_domain)
++files_list_tmp(postfix_domain)
+files_search_all_mountpoints(postfix_domain)
+
+init_dontaudit_use_fds(postfix_domain)
@@ -50728,7 +50818,7 @@ index 84f23dc..0e7d875 100644
/usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0)
diff --git a/pulseaudio.if b/pulseaudio.if
-index f40c64d..7015dce 100644
+index f40c64d..8a82574 100644
--- a/pulseaudio.if
+++ b/pulseaudio.if
@@ -35,6 +35,9 @@ interface(`pulseaudio_role',`
@@ -50756,12 +50846,11 @@ index f40c64d..7015dce 100644
')
########################################
-@@ -257,4 +262,88 @@ interface(`pulseaudio_manage_home_files',`
+@@ -257,4 +262,87 @@ interface(`pulseaudio_manage_home_files',`
userdom_search_user_home_dirs($1)
manage_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+ pulseaudio_filetrans_home_content($1)
-+ pulseaudio_filetrans_admin_home_content($1)
+')
+
+########################################
@@ -57793,7 +57882,7 @@ index a63e9ee..e4a0c9b 100644
+ nis_use_ypbind(rpcbind_t)
+')
diff --git a/rpm.fc b/rpm.fc
-index b2a0b6a..ee55335 100644
+index b2a0b6a..3916381 100644
--- a/rpm.fc
+++ b/rpm.fc
@@ -2,10 +2,12 @@
@@ -57828,9 +57917,11 @@ index b2a0b6a..ee55335 100644
')
/var/cache/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
-@@ -36,9 +44,10 @@ ifdef(`distro_redhat', `
+@@ -35,10 +43,12 @@ ifdef(`distro_redhat', `
+ /var/lib/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
/var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
/var/lib/yum(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
++/var/lib/dnf(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
-/var/log/rpmpkgs.* -- gen_context(system_u:object_r:rpm_log_t,s0)
/var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0)
@@ -63240,7 +63331,7 @@ index adea9f9..f5dd0fe 100644
init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/smartmon.te b/smartmon.te
-index 6b3322b..c955ccc 100644
+index 6b3322b..8122434 100644
--- a/smartmon.te
+++ b/smartmon.te
@@ -1,4 +1,4 @@
@@ -63311,6 +63402,14 @@ index 6b3322b..c955ccc 100644
seutil_sigchld_newrole(fsdaemon_t)
sysnet_dns_name_resolve(fsdaemon_t)
+@@ -119,3 +129,7 @@ optional_policy(`
+ optional_policy(`
+ udev_read_db(fsdaemon_t)
+ ')
++
++optional_policy(`
++ virt_read_images(fsdaemon_t)
++')
diff --git a/smokeping.if b/smokeping.if
index 8265278..017b923 100644
--- a/smokeping.if
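Review bot: `virt_read_images(fsdaemon_t)` gives smartd read access to every virt_image_type, i.e. the contents of guest disk images, and nothing in the hunk records why a disk-health daemon needs that. The commit message explains it (images relabeled to svirt_image_t that smartd already reads), so the reason belongs next to the rule: `# images relabeled to svirt_image_t must stay readable for SMART probing`. If smartd only ever opens the underlying block devices, a getattr-only interface would be a tighter fit; worth confirming against the denial.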
@@ -64512,7 +64611,7 @@ index c954f31..82fc7f6 100644
+ admin_pattern($1, spamd_var_run_t)
')
diff --git a/spamassassin.te b/spamassassin.te
-index 1bbf73b..dd3e5e1 100644
+index 1bbf73b..40e04ae 100644
--- a/spamassassin.te
+++ b/spamassassin.te
@@ -6,52 +6,40 @@ policy_module(spamassassin, 2.5.0)
@@ -65034,7 +65133,7 @@ index 1bbf73b..dd3e5e1 100644
sendmail_stub(spamd_t)
mta_read_config(spamd_t)
')
-@@ -447,3 +555,54 @@ optional_policy(`
+@@ -447,3 +555,55 @@ optional_policy(`
optional_policy(`
udev_read_db(spamd_t)
')
@@ -65087,6 +65186,7 @@ index 1bbf73b..dd3e5e1 100644
+
+optional_policy(`
+ gpg_domtrans(spamd_update_t)
++ gpg_manage_home_content(spamd_update_t)
+')
+
diff --git a/speedtouch.te b/speedtouch.te
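Review bot: `gpg_manage_home_content(spamd_update_t)` gives sa-update create, write and delete over gpg_secret_t, which is the user's whole ~/.gnupg including private keyrings, not just the sa-update keyring it verifies rule updates with. If sa-update keeps its keys in its own directory, a dedicated type for that directory, or an interface limited to reading gpg_secret_t, would contain it; at minimum a comment should say why manage is required, e.g. `# sa-update imports/updates its signing keys via gpg — TODO confirm a read-only keyring does not suffice`.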
@@ -67055,10 +67155,10 @@ index 25eee43..621f343 100644
/usr/sbin/atftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0)
/usr/sbin/in\.tftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0)
diff --git a/tftp.if b/tftp.if
-index 38bb312..d9fe23c 100644
+index 38bb312..cf0b925 100644
--- a/tftp.if
+++ b/tftp.if
-@@ -13,9 +13,34 @@
+@@ -13,9 +13,35 @@
interface(`tftp_read_content',`
gen_require(`
type tftpdir_t;
@@ -67069,6 +67169,7 @@ index 38bb312..d9fe23c 100644
read_files_pattern($1, tftpdir_t, tftpdir_t)
+ read_lnk_files_pattern($1, tftpdir_t, tftpdir_t)
+
++ list_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
+ read_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
+ read_lnk_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
+')
@@ -67093,7 +67194,7 @@ index 38bb312..d9fe23c 100644
')
########################################
-@@ -40,6 +65,91 @@ interface(`tftp_manage_rw_content',`
+@@ -40,6 +66,91 @@ interface(`tftp_manage_rw_content',`
########################################
## <summary>
@@ -67185,7 +67286,7 @@ index 38bb312..d9fe23c 100644
## All of the rules required to administrate
## an tftp environment
## </summary>
-@@ -55,8 +165,13 @@ interface(`tftp_admin',`
+@@ -55,8 +166,13 @@ interface(`tftp_admin',`
type tftpd_t, tftpdir_t, tftpdir_rw_t, tftpd_var_run_t;
')
@@ -67200,7 +67301,7 @@ index 38bb312..d9fe23c 100644
admin_pattern($1, tftpdir_rw_t)
-@@ -64,4 +179,6 @@ interface(`tftp_admin',`
+@@ -64,4 +180,6 @@ interface(`tftp_admin',`
files_list_pids($1)
admin_pattern($1, tftpd_var_run_t)
@@ -67749,10 +67850,10 @@ index 0000000..9127cec
+')
diff --git a/thumb.te b/thumb.te
new file mode 100644
-index 0000000..572ab5d
+index 0000000..0f9dcc7
--- /dev/null
+++ b/thumb.te
-@@ -0,0 +1,126 @@
+@@ -0,0 +1,130 @@
+policy_module(thumb, 1.0.0)
+
+########################################
@@ -67879,6 +67980,10 @@ index 0000000..572ab5d
+ gnome_cache_filetrans(thumb_t, thumb_home_t, dir, "thumbnails")
+ gnome_cache_filetrans(thumb_t, thumb_home_t, file)
+')
++
++optional_policy(`
++ nscd_dontaudit_write_sock_file(thumb_t)
++')
diff --git a/thunderbird.te b/thunderbird.te
index bf37d98..0d863fc 100644
--- a/thunderbird.te
@@ -67939,7 +68044,7 @@ index 67b5592..ccddff5 100644
corenet_tcp_sendrecv_generic_if(timidity_t)
corenet_udp_sendrecv_generic_if(timidity_t)
diff --git a/tmpreaper.te b/tmpreaper.te
-index 0521d5a..b08a00a 100644
+index 0521d5a..b08521b 100644
--- a/tmpreaper.te
+++ b/tmpreaper.te
@@ -7,6 +7,7 @@ policy_module(tmpreaper, 1.6.0)
@@ -67950,7 +68055,7 @@ index 0521d5a..b08a00a 100644
application_domain(tmpreaper_t, tmpreaper_exec_t)
role system_r types tmpreaper_t;
-@@ -18,33 +19,48 @@ role system_r types tmpreaper_t;
+@@ -18,33 +19,50 @@ role system_r types tmpreaper_t;
allow tmpreaper_t self:process { fork sigchld };
allow tmpreaper_t self:capability { dac_override dac_read_search fowner };
@@ -67960,6 +68065,8 @@ index 0521d5a..b08a00a 100644
fs_getattr_xattr_fs(tmpreaper_t)
+fs_list_all(tmpreaper_t)
++fs_setattr_tmpfs_dirs(tmpreaper_t)
++fs_delete_tmpfs_files(tmpreaper_t)
-files_read_etc_files(tmpreaper_t)
files_read_var_lib_files(tmpreaper_t)
@@ -68005,7 +68112,7 @@ index 0521d5a..b08a00a 100644
')
optional_policy(`
-@@ -52,7 +68,9 @@ optional_policy(`
+@@ -52,7 +70,9 @@ optional_policy(`
')
optional_policy(`
@@ -68015,7 +68122,7 @@ index 0521d5a..b08a00a 100644
apache_delete_cache_files(tmpreaper_t)
apache_setattr_cache_dirs(tmpreaper_t)
')
-@@ -66,9 +84,17 @@ optional_policy(`
+@@ -66,9 +86,17 @@ optional_policy(`
')
optional_policy(`
@@ -70220,7 +70327,7 @@ index 32a3c13..0cbca75 100644
optional_policy(`
diff --git a/virt.fc b/virt.fc
-index 2124b6a..e55e393 100644
+index 2124b6a..014e40c 100644
--- a/virt.fc
+++ b/virt.fc
@@ -1,6 +1,14 @@
@@ -70240,7 +70347,7 @@ index 2124b6a..e55e393 100644
/etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0)
/etc/libvirt/[^/]* -- gen_context(system_u:object_r:virt_etc_t,s0)
-@@ -12,18 +20,59 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
+@@ -12,18 +20,61 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
/etc/xen/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0)
/etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0)
@@ -70252,6 +70359,8 @@ index 2124b6a..e55e393 100644
+/usr/bin/virsh -- gen_context(system_u:object_r:virsh_exec_t,s0)
+/usr/bin/virt-sandbox-service.* -- gen_context(system_u:object_r:virsh_exec_t,s0)
+/usr/sbin/condor_vm-gahp -- gen_context(system_u:object_r:virtd_exec_t,s0)
++/usr/sbin/xl -- gen_context(system_u:object_r:virsh_exec_t,s0)
++/usr/sbin/xm -- gen_context(system_u:object_r:virsh_exec_t,s0)
-/var/cache/libvirt(/.*)? gen_context(system_u:object_r:svirt_cache_t,s0)
+/var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)
@@ -71129,7 +71238,7 @@ index 6f0736b..408a20a 100644
+ allow svirt_lxc_domain $1:process sigchld;
')
diff --git a/virt.te b/virt.te
-index 947bbc6..12c15cb 100644
+index 947bbc6..1e4a204 100644
--- a/virt.te
+++ b/virt.te
@@ -5,56 +5,104 @@ policy_module(virt, 1.5.0)
@@ -71215,15 +71324,15 @@ index 947bbc6..12c15cb 100644
+gen_tunable(virt_use_rawip, false)
+
+## <desc>
-+## <p>
+ ## <p>
+-## Allow virt to use usb devices
+## Allow confined virtual guests to interact with the xserver
+## </p>
+## </desc>
+gen_tunable(virt_use_xserver, false)
+
+## <desc>
- ## <p>
--## Allow virt to use usb devices
++## <p>
+## Allow confined virtual guests to use usb devices
## </p>
## </desc>
@@ -71374,17 +71483,17 @@ index 947bbc6..12c15cb 100644
corenet_udp_sendrecv_generic_if(svirt_t)
corenet_udp_sendrecv_generic_node(svirt_t)
-@@ -131,67 +223,71 @@ corenet_udp_bind_all_ports(svirt_t)
+@@ -131,67 +223,73 @@ corenet_udp_bind_all_ports(svirt_t)
corenet_tcp_bind_all_ports(svirt_t)
corenet_tcp_connect_all_ports(svirt_t)
-dev_list_sysfs(svirt_t)
-+miscfiles_read_generic_certs(svirt_t)
-
+-
-userdom_search_user_home_content(svirt_t)
-userdom_read_user_home_content_symlinks(svirt_t)
-userdom_read_all_users_state(svirt_t)
--
++miscfiles_read_generic_certs(svirt_t)
+
-tunable_policy(`virt_use_comm',`
- term_use_unallocated_ttys(svirt_t)
- dev_rw_printer(svirt_t)
@@ -71398,35 +71507,36 @@ index 947bbc6..12c15cb 100644
-tunable_policy(`virt_use_nfs',`
- fs_manage_nfs_dirs(svirt_t)
- fs_manage_nfs_files(svirt_t)
--')
--
++optional_policy(`
++ xen_rw_image_files(svirt_t)
+ ')
+
-tunable_policy(`virt_use_samba',`
- fs_manage_cifs_dirs(svirt_t)
- fs_manage_cifs_files(svirt_t)
+optional_policy(`
-+ xen_rw_image_files(svirt_t)
++ nscd_use(svirt_t)
')
-tunable_policy(`virt_use_sysfs',`
- dev_rw_sysfs(svirt_t)
-+optional_policy(`
-+ nscd_use(svirt_t)
- ')
+-')
++#######################################
++#
++# svirt_prot_exec local policy
++#
-tunable_policy(`virt_use_usb',`
- dev_rw_usbfs(svirt_t)
- fs_manage_dos_dirs(svirt_t)
- fs_manage_dos_files(svirt_t)
-')
-+#######################################
-+#
-+# svirt_prot_exec local policy
-+#
++allow svirt_tcg_t self:process { execmem execstack };
++allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms;
-optional_policy(`
- xen_rw_image_files(svirt_t)
-')
-+allow svirt_tcg_t self:process { execmem execstack };
+corenet_udp_sendrecv_generic_if(svirt_tcg_t)
+corenet_udp_sendrecv_generic_node(svirt_tcg_t)
+corenet_udp_sendrecv_all_ports(svirt_tcg_t)
@@ -71486,7 +71596,7 @@ index 947bbc6..12c15cb 100644
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -202,19 +298,29 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -202,19 +300,29 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
@@ -71522,7 +71632,7 @@ index 947bbc6..12c15cb 100644
manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
manage_sock_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-@@ -225,16 +331,22 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -225,16 +333,22 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
@@ -71546,7 +71656,7 @@ index 947bbc6..12c15cb 100644
corenet_all_recvfrom_netlabel(virtd_t)
corenet_tcp_sendrecv_generic_if(virtd_t)
corenet_tcp_sendrecv_generic_node(virtd_t)
-@@ -247,22 +359,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
+@@ -247,22 +361,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
corenet_rw_tun_tap_dev(virtd_t)
dev_rw_sysfs(virtd_t)
@@ -71580,7 +71690,7 @@ index 947bbc6..12c15cb 100644
fs_list_auto_mountpoints(virtd_t)
fs_getattr_xattr_fs(virtd_t)
-@@ -270,6 +391,18 @@ fs_rw_anon_inodefs_files(virtd_t)
+@@ -270,6 +393,18 @@ fs_rw_anon_inodefs_files(virtd_t)
fs_list_inotifyfs(virtd_t)
fs_manage_cgroup_dirs(virtd_t)
fs_rw_cgroup_files(virtd_t)
@@ -71599,7 +71709,7 @@ index 947bbc6..12c15cb 100644
mcs_process_set_categories(virtd_t)
-@@ -284,7 +417,8 @@ term_use_ptmx(virtd_t)
+@@ -284,7 +419,8 @@ term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t)
@@ -71609,7 +71719,7 @@ index 947bbc6..12c15cb 100644
miscfiles_read_generic_certs(virtd_t)
miscfiles_read_hwdata(virtd_t)
-@@ -293,17 +427,36 @@ modutils_read_module_config(virtd_t)
+@@ -293,17 +429,36 @@ modutils_read_module_config(virtd_t)
modutils_manage_module_config(virtd_t)
logging_send_syslog_msg(virtd_t)
@@ -71646,7 +71756,7 @@ index 947bbc6..12c15cb 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -322,6 +475,10 @@ optional_policy(`
+@@ -322,6 +477,10 @@ optional_policy(`
')
optional_policy(`
@@ -71657,7 +71767,7 @@ index 947bbc6..12c15cb 100644
dbus_system_bus_client(virtd_t)
optional_policy(`
-@@ -335,19 +492,34 @@ optional_policy(`
+@@ -335,19 +494,34 @@ optional_policy(`
optional_policy(`
hal_dbus_chat(virtd_t)
')
@@ -71693,7 +71803,7 @@ index 947bbc6..12c15cb 100644
# Manages /etc/sysconfig/system-config-firewall
iptables_manage_config(virtd_t)
-@@ -362,6 +534,12 @@ optional_policy(`
+@@ -362,6 +536,12 @@ optional_policy(`
')
optional_policy(`
@@ -71706,7 +71816,7 @@ index 947bbc6..12c15cb 100644
policykit_dbus_chat(virtd_t)
policykit_domtrans_auth(virtd_t)
policykit_domtrans_resolve(virtd_t)
-@@ -369,11 +547,11 @@ optional_policy(`
+@@ -369,11 +549,11 @@ optional_policy(`
')
optional_policy(`
@@ -71723,7 +71833,7 @@ index 947bbc6..12c15cb 100644
')
optional_policy(`
-@@ -384,6 +562,7 @@ optional_policy(`
+@@ -384,6 +564,7 @@ optional_policy(`
kernel_read_xen_state(virtd_t)
kernel_write_xen_state(virtd_t)
@@ -71731,7 +71841,7 @@ index 947bbc6..12c15cb 100644
xen_stream_connect(virtd_t)
xen_stream_connect_xenstore(virtd_t)
xen_read_image_files(virtd_t)
-@@ -402,35 +581,85 @@ optional_policy(`
+@@ -402,35 +583,85 @@ optional_policy(`
#
# virtual domains common policy
#
@@ -71826,7 +71936,7 @@ index 947bbc6..12c15cb 100644
dev_read_rand(virt_domain)
dev_read_sound(virt_domain)
dev_read_urand(virt_domain)
-@@ -438,34 +667,628 @@ dev_write_sound(virt_domain)
+@@ -438,34 +669,630 @@ dev_write_sound(virt_domain)
dev_rw_ksm(virt_domain)
dev_rw_kvm(virt_domain)
dev_rw_qemu(virt_domain)
@@ -71889,7 +71999,7 @@ index 947bbc6..12c15cb 100644
+
+optional_policy(`
+ xserver_rw_shm(virt_domain)
- ')
++')
+
+tunable_policy(`virt_use_comm',`
+ term_use_unallocated_ttys(virt_domain)
@@ -71920,6 +72030,7 @@ index 947bbc6..12c15cb 100644
+')
+
+tunable_policy(`virt_use_sysfs',`
++ allow svirt_t self:capability2 compromise_kernel;
+ dev_rw_sysfs(virt_domain)
+')
+
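Review bot: `allow svirt_t self:capability2 compromise_kernel;` is placed inside the virt_use_sysfs tunable, whose purpose is sysfs access, and it is the only rule in that block naming svirt_t rather than virt_domain; enabling the boolean now grants the guest's emulator domain a capability whose name says what it allows, which the tunable's `<desc>` (outside this hunk) does not mention. Either update that description to say the boolean also grants compromise_kernel for PCI passthrough, or gate this single rule behind its own boolean so that turning on plain sysfs access does not carry it along. A why-comment is needed in any case: `# pci-passthrough writes sysfs attributes that the kernel guards with compromise_kernel`.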
@@ -72074,7 +72185,7 @@ index 947bbc6..12c15cb 100644
+ optional_policy(`
+ hal_dbus_chat(virsh_t)
+ ')
-+')
+ ')
+
+optional_policy(`
+ vhostmd_rw_tmpfs_files(virsh_t)
@@ -72197,6 +72308,8 @@ index 947bbc6..12c15cb 100644
+selinux_compute_user_contexts(virtd_lxc_t)
+seutil_read_default_contexts(virtd_lxc_t)
+
++sysnet_exec_ifconfig(virtd_lxc_t)
++
+optional_policy(`
+ unconfined_domain(virtd_lxc_t)
+')
@@ -72262,6 +72375,7 @@ index 947bbc6..12c15cb 100644
+fs_getattr_all_fs(svirt_lxc_domain)
+fs_list_inotifyfs(svirt_lxc_domain)
+fs_rw_inherited_tmpfs_files(svirt_lxc_domain)
++fs_read_fusefs_files(svirt_lxc_net_t)
+
+auth_dontaudit_read_passwd(svirt_lxc_domain)
+auth_dontaudit_read_login_records(svirt_lxc_domain)
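Review bot: `fs_read_fusefs_files(svirt_lxc_net_t)` targets one container type while every neighbouring rule in this block targets the `svirt_lxc_domain` attribute, and the commit message speaks of "lxc domains" in the plural. If all libvirt-lxc containers see the fuse-backed /proc/meminfo, this should read `fs_read_fusefs_files(svirt_lxc_domain)`; if it is deliberately limited to the networked container type, a comment explaining why would stop the next reader from "fixing" it.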
@@ -72457,8 +72571,6 @@ index 947bbc6..12c15cb 100644
+type svirt_socket_t;
+role system_r types svirt_socket_t;
+allow svirt_t svirt_socket_t:unix_stream_socket connectto;
-+
-+
diff --git a/vlock.te b/vlock.te
index 2511093..669dc13 100644
--- a/vlock.te
@@ -73447,7 +73559,7 @@ index 19d447e..996a3d4 100644
+
+
diff --git a/xen.fc b/xen.fc
-index 1a1b374..574794d 100644
+index 1a1b374..7977c2c 100644
--- a/xen.fc
+++ b/xen.fc
@@ -1,12 +1,10 @@
@@ -73464,15 +73576,15 @@ index 1a1b374..574794d 100644
ifdef(`distro_debian',`
/usr/lib/xen-[^/]*/bin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0)
-@@ -17,6 +15,7 @@ ifdef(`distro_debian',`
+@@ -17,7 +15,6 @@ ifdef(`distro_debian',`
/usr/sbin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0)
/usr/sbin/xend -- gen_context(system_u:object_r:xend_exec_t,s0)
/usr/sbin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0)
-+/usr/sbin/xl -- gen_context(system_u:object_r:xm_exec_t,s0)
- /usr/sbin/xm -- gen_context(system_u:object_r:xm_exec_t,s0)
+-/usr/sbin/xm -- gen_context(system_u:object_r:xm_exec_t,s0)
')
-@@ -25,11 +24,11 @@ ifdef(`distro_debian',`
+ /var/lib/xen(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0)
+@@ -25,11 +22,11 @@ ifdef(`distro_debian',`
/var/lib/xend(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0)
/var/lib/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_lib_t,s0)
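Review bot: The reworked xen.fc hunk now removes the `/usr/sbin/xm -- gen_context(system_u:object_r:xm_exec_t,s0)` entry (and no longer adds /usr/sbin/xl), yet no replacement pattern for xm is visible here and the changelog does not mention xen.fc at all. If the `@@ -1,12 +1,10 @@` hunk at the top of the file, which is outside this view, does not carry a pattern matching /usr/sbin/xm, the binary falls back to the generic bin_t label and the xm_exec_t domain transition silently disappears. Either way a changelog line describing the xen.fc relabeling would help.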
@@ -74007,7 +74119,7 @@ index 11c1b12..fc5d128 100644
userdom_dontaudit_use_unpriv_user_fds(xfs_t)
diff --git a/xguest.te b/xguest.te
-index e88b95f..3dd3d9a 100644
+index e88b95f..e7427a2 100644
--- a/xguest.te
+++ b/xguest.te
@@ -14,7 +14,7 @@ gen_tunable(xguest_mount_media, true)
@@ -74019,15 +74131,18 @@ index e88b95f..3dd3d9a 100644
## </p>
## </desc>
gen_tunable(xguest_connect_network, true)
-@@ -29,6 +29,7 @@ gen_tunable(xguest_use_bluetooth, true)
+@@ -29,6 +29,10 @@ gen_tunable(xguest_use_bluetooth, true)
role xguest_r;
userdom_restricted_xwindows_user_template(xguest)
+sysnet_dns_name_resolve(xguest_t)
++
++init_dbus_chat(xguest_t)
++init_status(xguest_t)
########################################
#
-@@ -38,7 +39,7 @@ userdom_restricted_xwindows_user_template(xguest)
+@@ -38,7 +42,7 @@ userdom_restricted_xwindows_user_template(xguest)
ifndef(`enable_mls',`
fs_exec_noxattr(xguest_t)
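Review bot: `init_dbus_chat(xguest_t)` gives the restricted guest login bidirectional D-Bus messaging with init, a broad interface for the most locked-down user domain in the policy, and neither it nor `init_status(xguest_t)` appears in the changelog hunk below. If the guest session only needs to query unit state, `init_status(xguest_t)` alone, or the `systemd_status_all_unit_files()` interface that the 3.11.1-69 entry introduces, may be enough; if the full chat is required, a comment naming the component that initiates it, e.g. `# <component> talks to systemd over D-Bus during the guest session`, would justify the grant.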
@@ -74036,7 +74151,7 @@ index e88b95f..3dd3d9a 100644
fs_manage_noxattr_fs_files(xguest_t)
fs_manage_noxattr_fs_dirs(xguest_t)
# Write floppies
-@@ -49,11 +50,22 @@ ifndef(`enable_mls',`
+@@ -49,11 +53,22 @@ ifndef(`enable_mls',`
')
')
@@ -74060,7 +74175,7 @@ index e88b95f..3dd3d9a 100644
files_dontaudit_getattr_boot_dirs(xguest_t)
files_search_mnt(xguest_t)
-@@ -62,10 +74,9 @@ optional_policy(`
+@@ -62,10 +77,9 @@ optional_policy(`
fs_manage_noxattr_fs_dirs(xguest_t)
fs_getattr_noxattr_fs(xguest_t)
fs_read_noxattr_fs_symlinks(xguest_t)
@@ -74072,7 +74187,7 @@ index e88b95f..3dd3d9a 100644
')
')
-@@ -76,23 +87,97 @@ optional_policy(`
+@@ -76,23 +90,97 @@ optional_policy(`
')
optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 3ca075f..be3bb57 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.11.1
-Release: 69%{?dist}
+Release: 70%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -524,6 +524,50 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Thu Jan 10 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-70
+- Add label for dns lib files
+- Allow svirt_t images to compromise_kernel when using pci-passthrough
+- Blueman uses ctypes which ends up triggering execmem priv.
+- Dontaudit attempts by thumb_t to use nscd
+- fsdaemon reads all images, if relabeled to svirt_image_t, it should be able to read it
+- Allow abrt to read proc_net_t
+- Allw NM to transition to l2tpd
+- Dontaudit chrome-nacl to append gnome config files
+- Add gnome_dontaudit_append_config_files()
+- Allow svirt_tcg_t to create netlink_route_socket
+- Label /var/lib/unbound as named_cache_t to allow named to write to this directory
+- Allow postfix domains to list /tmp
+- Allow dnsmasq to list tftpdir_rw_t content
+- Allow lxc domains to read fusefs, since libvirt is mounding a fuse file system at /proc/meminfo
+- Allow tmpreaper to delete tmpfs files in tmp
+- Dontaudit access check on tmp_t files/directories
+- dontaudit access checks on file systems types by firewalld
+- Allow mail_munin_plugins domain to run postconf
+- Allow spamd_update to manage gnupg directory
+- Add missing postfix_run_postqueue() interface
+- Add ntp_exec() interface
+- Fix setroubleshoot_fixit_t policy
+- Allow setroubleshoot_fixit to execute rpm
+- zoneminder needs to connect to httpd ports where remote cameras are listening
+- Allow firewalld to execute content created in /run directory
+- Allow svirt_t to read generic certs
+- Add label for Xvnc
+- Add interface to dontaudit access checks on tmp_t
+- Fix interface for dontaudit access check to include directory
+- interface to dontaudit access checks on file systems types
+- Add interface for postgesql_filetrans_name_content to make sure log directories get created with the correct label.
+- Allow sshd_t sys_admin for use with afs logins
+- Allow systemd to read/write all sysctls
+- Additional fix for chroot_user_t backported from RHEL6
+- Allow chroot_user_t to getattr on filesystems
+- Dontaudit vi attempting to relabel to self files
+- Sudo domain is attempting to get the additributes of proc_kcore_t
+- Unbound uses port 8953
+-
+- Creating tmp-inst directory in a tmp_t directory should not transition
+- Allow init_t to write to watchdog device
+- Add file system definition for other vx file systems
+
* Wed Jan 2 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-69
- Add systemd_status_all_unit_files() interface
- Add support for nshadow