[selinux-policy] - Add xserver_xdm_ioctl_log() interface - Allow Xusers to ioctl lxdm.log to make lxdm working - Add
Miroslav Grepl
mgrepl at fedoraproject.org
Tue Feb 5 10:02:09 UTC 2013
commit da973f372216a40580a28b50dab21d883fe13e97
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Tue Feb 5 11:01:00 2013 +0100
- Add xserver_xdm_ioctl_log() interface
- Allow Xusers to ioctl lxdm.log to make lxdm working
- Add MLS fixes to make MLS boot/log-in working
- Add mls_socket_write_all_levels() also for syslogd
- fsck.xfs needs to read passwd
- Fix ntp_filetrans_named_content calling in init.te
- Allow postgresql to create pg_log dir
- Allow sshd to read rsync_data_t to make rsync <backuphost> working
- Change ntp.conf to be labeled net_conf_t
- Allow useradd to create homedirs in /run. ircd-ratbox does this and we sho
- Allow xdm_t to execute gstreamer home content
- Allow initrc_t and unconfined domains, and sysadm_t to manage ntp
- New policy for openstack swift domains
- More access required for openshift_cron_t
- Use cupsd_log_t instead of cupsd_var_log_t
- rpm_script_roles should be used in rpm_run
- Fix rpm_run() interface
- Fix openshift_initrc_run()
- Fix sssd_dontaudit_stream_connect() interface
- Fix sssd_dontaudit_stream_connect() interface
- Allow LDA's job to deliver mail to the mailbox
- dontaudit block_suspend for mozilla_plugin_t
- Allow l2tpd_t to all signal perms
- Allow uuidgen to read /dev/random
- Allow mozilla-plugin-config to read power_supply info
- Implement cups_domain attribute for cups domains
- We now need access to user terminals since we start by executing a command
- We now need access to user terminals since we start by executing a command
- svirt lxc containers want to execute userhelper apps, need these changes to
- Add containment of openshift cron jobs
- Allow system cron jobs to create tmp directories
- Make userhelp_conf_t a config file
- Change rpm to use rpm_script_roles
- More fixes for rsync to make rsync <backuphost> wokring
- Allow logwatch to domtrans to mdadm
- Allow pacemaker to domtrans to ifconfig
- Allow pacemaker to setattr on corosync.log
- Add pacemaker_use_execmem for memcheck-amd64 command
- Allow block_suspend capability
- Allow create fifo_file in /tmp with pacemaker_tmp_t
- Allow systat to getattr on fixed disk
- Relabel /etc/ntp.conf to be net_conf_t
- ntp_admin should create files in /etc with the correct label
- Add interface to create ntp_conf_t files in /etc
- Add additional labeling for quantum
- Allow quantum to execute dnsmasq with transition
policy-rawhide-base.patch | 621 +++++++++--------
policy-rawhide-contrib.patch | 1626 +++++++++++++++++++++++++++++++-----------
selinux-policy.spec | 52 ++-
3 files changed, 1585 insertions(+), 714 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index a8ed505..fe45995 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -205108,7 +205108,7 @@ index 99e3903..7270808 100644
########################################
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index d555767..2f68b4d 100644
+index d555767..fdd0567 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -5,18 +5,18 @@ policy_module(usermanage, 1.18.1)
@@ -205173,7 +205173,7 @@ index d555767..2f68b4d 100644
type sysadm_passwd_tmp_t;
files_tmp_file(sysadm_passwd_tmp_t)
-@@ -61,8 +65,10 @@ files_tmp_file(sysadm_passwd_tmp_t)
+@@ -61,8 +65,13 @@ files_tmp_file(sysadm_passwd_tmp_t)
type useradd_t;
type useradd_exec_t;
domain_obj_id_change_exemption(useradd_t)
@@ -205182,10 +205182,13 @@ index d555767..2f68b4d 100644
-role useradd_roles types useradd_t;
+#role useradd_roles types useradd_t;
+role system_r types useradd_t;
++
++type useradd_var_run_t;
++files_pid_file(useradd_var_run_t)
########################################
#
-@@ -86,6 +92,7 @@ allow chfn_t self:unix_stream_socket connectto;
+@@ -86,6 +95,7 @@ allow chfn_t self:unix_stream_socket connectto;
kernel_read_system_state(chfn_t)
kernel_read_kernel_sysctls(chfn_t)
@@ -205193,7 +205196,7 @@ index d555767..2f68b4d 100644
selinux_get_fs_mount(chfn_t)
selinux_validate_context(chfn_t)
-@@ -94,25 +101,29 @@ selinux_compute_create_context(chfn_t)
+@@ -94,25 +104,29 @@ selinux_compute_create_context(chfn_t)
selinux_compute_relabel_context(chfn_t)
selinux_compute_user_contexts(chfn_t)
@@ -205229,7 +205232,7 @@ index d555767..2f68b4d 100644
files_read_etc_runtime_files(chfn_t)
files_dontaudit_search_var(chfn_t)
files_dontaudit_search_home(chfn_t)
-@@ -120,19 +131,29 @@ files_dontaudit_search_home(chfn_t)
+@@ -120,19 +134,29 @@ files_dontaudit_search_home(chfn_t)
# /usr/bin/passwd asks for w access to utmp, but it will operate
# correctly without it. Do not audit write denials to utmp.
init_dontaudit_rw_utmp(chfn_t)
@@ -205262,7 +205265,7 @@ index d555767..2f68b4d 100644
########################################
#
# Crack local policy
-@@ -209,8 +230,8 @@ selinux_compute_create_context(groupadd_t)
+@@ -209,8 +233,8 @@ selinux_compute_create_context(groupadd_t)
selinux_compute_relabel_context(groupadd_t)
selinux_compute_user_contexts(groupadd_t)
@@ -205273,7 +205276,7 @@ index d555767..2f68b4d 100644
init_use_fds(groupadd_t)
init_read_utmp(groupadd_t)
-@@ -218,8 +239,8 @@ init_dontaudit_write_utmp(groupadd_t)
+@@ -218,8 +242,8 @@ init_dontaudit_write_utmp(groupadd_t)
domain_use_interactive_fds(groupadd_t)
@@ -205283,7 +205286,7 @@ index d555767..2f68b4d 100644
files_read_etc_runtime_files(groupadd_t)
files_read_usr_symlinks(groupadd_t)
-@@ -229,14 +250,15 @@ corecmd_exec_bin(groupadd_t)
+@@ -229,14 +253,15 @@ corecmd_exec_bin(groupadd_t)
logging_send_audit_msgs(groupadd_t)
logging_send_syslog_msg(groupadd_t)
@@ -205302,7 +205305,7 @@ index d555767..2f68b4d 100644
auth_relabel_shadow(groupadd_t)
auth_etc_filetrans_shadow(groupadd_t)
-@@ -253,7 +275,8 @@ optional_policy(`
+@@ -253,7 +278,8 @@ optional_policy(`
')
optional_policy(`
@@ -205312,7 +205315,7 @@ index d555767..2f68b4d 100644
')
optional_policy(`
-@@ -285,6 +308,7 @@ allow passwd_t self:shm create_shm_perms;
+@@ -285,6 +311,7 @@ allow passwd_t self:shm create_shm_perms;
allow passwd_t self:sem create_sem_perms;
allow passwd_t self:msgq create_msgq_perms;
allow passwd_t self:msg { send receive };
@@ -205320,7 +205323,7 @@ index d555767..2f68b4d 100644
allow passwd_t crack_db_t:dir list_dir_perms;
read_files_pattern(passwd_t, crack_db_t, crack_db_t)
-@@ -293,6 +317,7 @@ kernel_read_kernel_sysctls(passwd_t)
+@@ -293,6 +320,7 @@ kernel_read_kernel_sysctls(passwd_t)
# for SSP
dev_read_urand(passwd_t)
@@ -205328,7 +205331,7 @@ index d555767..2f68b4d 100644
fs_getattr_xattr_fs(passwd_t)
fs_search_auto_mountpoints(passwd_t)
-@@ -307,26 +332,38 @@ selinux_compute_create_context(passwd_t)
+@@ -307,26 +335,38 @@ selinux_compute_create_context(passwd_t)
selinux_compute_relabel_context(passwd_t)
selinux_compute_user_contexts(passwd_t)
@@ -205372,7 +205375,7 @@ index d555767..2f68b4d 100644
# /usr/bin/passwd asks for w access to utmp, but it will operate
# correctly without it. Do not audit write denials to utmp.
init_dontaudit_rw_utmp(passwd_t)
-@@ -335,12 +372,11 @@ init_use_fds(passwd_t)
+@@ -335,12 +375,11 @@ init_use_fds(passwd_t)
logging_send_audit_msgs(passwd_t)
logging_send_syslog_msg(passwd_t)
@@ -205386,7 +205389,7 @@ index d555767..2f68b4d 100644
userdom_use_unpriv_users_fds(passwd_t)
# make sure that getcon succeeds
userdom_getattr_all_users(passwd_t)
-@@ -349,9 +385,15 @@ userdom_read_user_tmp_files(passwd_t)
+@@ -349,9 +388,15 @@ userdom_read_user_tmp_files(passwd_t)
# user generally runs this from their home directory, so do not audit a search
# on user home dir
userdom_dontaudit_search_user_home_content(passwd_t)
@@ -205403,7 +205406,7 @@ index d555767..2f68b4d 100644
')
########################################
-@@ -398,9 +440,10 @@ dev_read_urand(sysadm_passwd_t)
+@@ -398,9 +443,10 @@ dev_read_urand(sysadm_passwd_t)
fs_getattr_xattr_fs(sysadm_passwd_t)
fs_search_auto_mountpoints(sysadm_passwd_t)
@@ -205416,7 +205419,7 @@ index d555767..2f68b4d 100644
auth_manage_shadow(sysadm_passwd_t)
auth_relabel_shadow(sysadm_passwd_t)
auth_etc_filetrans_shadow(sysadm_passwd_t)
-@@ -413,7 +456,6 @@ files_read_usr_files(sysadm_passwd_t)
+@@ -413,7 +459,6 @@ files_read_usr_files(sysadm_passwd_t)
domain_use_interactive_fds(sysadm_passwd_t)
@@ -205424,7 +205427,7 @@ index d555767..2f68b4d 100644
files_relabel_etc_files(sysadm_passwd_t)
files_read_etc_runtime_files(sysadm_passwd_t)
# for nscd lookups
-@@ -423,19 +465,17 @@ files_dontaudit_search_pids(sysadm_passwd_t)
+@@ -423,19 +468,17 @@ files_dontaudit_search_pids(sysadm_passwd_t)
# correctly without it. Do not audit write denials to utmp.
init_dontaudit_rw_utmp(sysadm_passwd_t)
@@ -205446,7 +205449,7 @@ index d555767..2f68b4d 100644
')
########################################
-@@ -443,7 +483,8 @@ optional_policy(`
+@@ -443,7 +486,8 @@ optional_policy(`
# Useradd local policy
#
@@ -205456,7 +205459,18 @@ index d555767..2f68b4d 100644
dontaudit useradd_t self:capability sys_tty_config;
allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow useradd_t self:process setfscreate;
-@@ -465,36 +506,35 @@ corecmd_exec_shell(useradd_t)
+@@ -458,6 +502,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms;
+ allow useradd_t self:unix_dgram_socket sendto;
+ allow useradd_t self:unix_stream_socket connectto;
+
++manage_dirs_pattern(useradd_t, useradd_var_run_t, useradd_var_run_t)
++manage_files_pattern(useradd_t, useradd_var_run_t, useradd_var_run_t)
++files_pid_filetrans(useradd_t, useradd_var_run_t, dir)
++
+ # for getting the number of groups
+ kernel_read_kernel_sysctls(useradd_t)
+
+@@ -465,36 +513,35 @@ corecmd_exec_shell(useradd_t)
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
corecmd_exec_bin(useradd_t)
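Review bot: `files_pid_filetrans(useradd_t, useradd_var_run_t, dir)` is an unnamed transition, so every directory useradd_t creates directly under /run receives useradd_var_run_t, not only the home directory the commit message describes for ircd-ratbox. Nothing in this hunk lets any other domain touch useradd_var_run_t, so the daemon whose home is created there will presumably be denied on its own home directory unless the contrib patch adds an interface for it — worth confirming before merging. If the directory name is fixed, narrow the transition by passing that name as the fourth argument of `files_pid_filetrans`, and record the reason above the block, e.g. `# useradd -m with a home directory under /run (ircd-ratbox)`. `manage_files_pattern` on the same type also grants full file management although only directory creation is described. The useradd_t policy continues outside the hunk.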
@@ -205504,7 +205518,7 @@ index d555767..2f68b4d 100644
auth_manage_shadow(useradd_t)
auth_relabel_shadow(useradd_t)
auth_etc_filetrans_shadow(useradd_t)
-@@ -505,33 +545,36 @@ init_rw_utmp(useradd_t)
+@@ -505,33 +552,36 @@ init_rw_utmp(useradd_t)
logging_send_audit_msgs(useradd_t)
logging_send_syslog_msg(useradd_t)
@@ -205555,7 +205569,7 @@ index d555767..2f68b4d 100644
optional_policy(`
apache_manage_all_user_content(useradd_t)
')
-@@ -542,7 +585,8 @@ optional_policy(`
+@@ -542,7 +592,8 @@ optional_policy(`
')
optional_policy(`
@@ -205565,7 +205579,7 @@ index d555767..2f68b4d 100644
')
optional_policy(`
-@@ -550,6 +594,11 @@ optional_policy(`
+@@ -550,6 +601,11 @@ optional_policy(`
')
optional_policy(`
@@ -205577,7 +205591,7 @@ index d555767..2f68b4d 100644
tunable_policy(`samba_domain_controller',`
samba_append_log(useradd_t)
')
-@@ -559,3 +608,7 @@ optional_policy(`
+@@ -559,3 +615,7 @@ optional_policy(`
rpm_use_fds(useradd_t)
rpm_rw_pipes(useradd_t)
')
@@ -210351,7 +210365,7 @@ index 6a1e4d1..70c5c72 100644
+ dontaudit $1 domain:socket_class_set { read write };
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..ba58454 100644
+index cf04cb5..3980a24 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
@@ -210477,7 +210491,7 @@ index cf04cb5..ba58454 100644
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +227,278 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +227,282 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
allow unconfined_domain_type domain:key *;
@@ -210587,6 +210601,10 @@ index cf04cb5..ba58454 100644
+')
+
+optional_policy(`
++ ntp_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
+ nx_filetrans_named_content(unconfined_domain_type)
+')
+
@@ -215653,7 +215671,7 @@ index 649e458..31a14c8 100644
+ list_dirs_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t)
')
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index 6fac350..6c81d4e 100644
+index 6fac350..e7add10 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -25,6 +25,9 @@ attribute kern_unconfined;
@@ -215748,7 +215766,7 @@ index 6fac350..6c81d4e 100644
corecmd_exec_shell(kernel_t)
corecmd_list_bin(kernel_t)
-@@ -277,25 +294,48 @@ files_list_root(kernel_t)
+@@ -277,25 +294,49 @@ files_list_root(kernel_t)
files_list_etc(kernel_t)
files_list_home(kernel_t)
files_read_usr_files(kernel_t)
@@ -215768,6 +215786,7 @@ index 6fac350..6c81d4e 100644
+mls_socket_write_all_levels(kernel_t)
+mls_fd_share_all_levels(kernel_t)
+mls_fd_use_all_levels(kernel_t)
++mls_process_set_level(kernel_t)
ifdef(`distro_redhat',`
# Bugzilla 222337
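Review bot: `mls_process_set_level(kernel_t)` is added without a comment, while the neighbouring Red Hat block documents its rule with `# Bugzilla 222337`; an MLS exemption on the kernel domain deserves the same. If this is the refpolicy interface of that name it attaches the `mlsprocsetsl` attribute, which exempts kernel_t from the MLS constraint on changing a process's sensitivity level, so the concrete denial behind "make MLS boot/log-in working" should be written down, e.g. `# MLS: kernel_t sets the level of processes it spawns during boot (bug number)`. The three mls_* exemptions above it were already present, so this is incremental, but each one widens what the kernel domain may do across levels.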
@@ -215797,7 +215816,7 @@ index 6fac350..6c81d4e 100644
')
optional_policy(`
-@@ -305,6 +345,19 @@ optional_policy(`
+@@ -305,6 +346,19 @@ optional_policy(`
optional_policy(`
logging_send_syslog_msg(kernel_t)
@@ -215817,7 +215836,7 @@ index 6fac350..6c81d4e 100644
')
optional_policy(`
-@@ -334,7 +387,6 @@ optional_policy(`
+@@ -334,7 +388,6 @@ optional_policy(`
rpc_manage_nfs_ro_content(kernel_t)
rpc_manage_nfs_rw_content(kernel_t)
@@ -215825,7 +215844,7 @@ index 6fac350..6c81d4e 100644
rpc_udp_rw_nfs_sockets(kernel_t)
tunable_policy(`nfs_export_all_ro',`
-@@ -343,9 +395,7 @@ optional_policy(`
+@@ -343,9 +396,7 @@ optional_policy(`
fs_read_noxattr_fs_files(kernel_t)
fs_read_noxattr_fs_symlinks(kernel_t)
@@ -215836,7 +215855,7 @@ index 6fac350..6c81d4e 100644
')
tunable_policy(`nfs_export_all_rw',`
-@@ -354,7 +404,7 @@ optional_policy(`
+@@ -354,7 +405,7 @@ optional_policy(`
fs_read_noxattr_fs_files(kernel_t)
fs_read_noxattr_fs_symlinks(kernel_t)
@@ -215845,7 +215864,7 @@ index 6fac350..6c81d4e 100644
')
')
-@@ -367,6 +417,15 @@ optional_policy(`
+@@ -367,6 +418,15 @@ optional_policy(`
unconfined_domain_noaudit(kernel_t)
')
@@ -215861,7 +215880,7 @@ index 6fac350..6c81d4e 100644
########################################
#
# Unlabeled process local policy
-@@ -409,4 +468,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *;
+@@ -409,4 +469,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *;
allow kern_unconfined unlabeled_t:filesystem *;
allow kern_unconfined unlabeled_t:association *;
allow kern_unconfined unlabeled_t:packet *;
@@ -218133,7 +218152,7 @@ index ff92430..36740ea 100644
## <summary>
## Execute a generic bin program in the sysadm domain.
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 88d0028..2268840 100644
+index 88d0028..8c061b9 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -5,39 +5,74 @@ policy_module(sysadm, 2.5.1)
@@ -218381,7 +218400,7 @@ index 88d0028..2268840 100644
')
optional_policy(`
-@@ -241,25 +297,47 @@ optional_policy(`
+@@ -241,14 +297,27 @@ optional_policy(`
')
optional_policy(`
@@ -218401,14 +218420,15 @@ index 88d0028..2268840 100644
+optional_policy(`
ntp_stub()
corenet_udp_bind_ntp_port(sysadm_t)
- ')
-
- optional_policy(`
-+ nx_filetrans_named_content(sysadm_t)
++ ntp_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
- oav_run_update(sysadm_t, sysadm_r)
++ nx_filetrans_named_content(sysadm_t)
+ ')
+
+ optional_policy(`
+@@ -256,10 +325,20 @@ optional_policy(`
')
optional_policy(`
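Review bot: With `ntp_admin(sysadm_t, sysadm_r)` now inside the block, the `ntp_stub()` call two lines above it is redundant: a stub interface exists only to make an `optional_policy` block depend on the ntp module, and the admin call already references it, so `ntp_stub()` can be dropped. The body of `ntp_admin` lives in the contrib patch and is not visible here; admin interfaces in this policy family usually include process control over the daemon and management of its files, which is consistent with the commit message's intent for sysadm_t. The sysadm_t policy continues outside the hunk.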
@@ -218429,7 +218449,7 @@ index 88d0028..2268840 100644
portage_run(sysadm_t, sysadm_r)
portage_run_fetch(sysadm_t, sysadm_r)
portage_run_gcc_config(sysadm_t, sysadm_r)
-@@ -270,31 +348,36 @@ optional_policy(`
+@@ -270,31 +349,36 @@ optional_policy(`
')
optional_policy(`
@@ -218473,7 +218493,7 @@ index 88d0028..2268840 100644
')
optional_policy(`
-@@ -319,12 +402,18 @@ optional_policy(`
+@@ -319,12 +403,18 @@ optional_policy(`
')
optional_policy(`
@@ -218493,7 +218513,7 @@ index 88d0028..2268840 100644
')
optional_policy(`
-@@ -349,7 +438,18 @@ optional_policy(`
+@@ -349,7 +439,18 @@ optional_policy(`
')
optional_policy(`
@@ -218513,7 +218533,7 @@ index 88d0028..2268840 100644
')
optional_policy(`
-@@ -360,19 +460,15 @@ optional_policy(`
+@@ -360,19 +461,15 @@ optional_policy(`
')
optional_policy(`
@@ -218535,7 +218555,7 @@ index 88d0028..2268840 100644
')
optional_policy(`
-@@ -384,10 +480,6 @@ optional_policy(`
+@@ -384,10 +481,6 @@ optional_policy(`
')
optional_policy(`
@@ -218546,7 +218566,7 @@ index 88d0028..2268840 100644
usermanage_run_admin_passwd(sysadm_t, sysadm_r)
usermanage_run_groupadd(sysadm_t, sysadm_r)
usermanage_run_useradd(sysadm_t, sysadm_r)
-@@ -395,6 +487,9 @@ optional_policy(`
+@@ -395,6 +488,9 @@ optional_policy(`
optional_policy(`
virt_stream_connect(sysadm_t)
@@ -218556,7 +218576,7 @@ index 88d0028..2268840 100644
')
optional_policy(`
-@@ -402,31 +497,34 @@ optional_policy(`
+@@ -402,31 +498,34 @@ optional_policy(`
')
optional_policy(`
@@ -218597,7 +218617,7 @@ index 88d0028..2268840 100644
auth_role(sysadm_r, sysadm_t)
')
-@@ -439,10 +537,6 @@ ifndef(`distro_redhat',`
+@@ -439,10 +538,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -218608,7 +218628,7 @@ index 88d0028..2268840 100644
dbus_role_template(sysadm, sysadm_r, sysadm_t)
optional_policy(`
-@@ -463,15 +557,75 @@ ifndef(`distro_redhat',`
+@@ -463,15 +558,75 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -220137,7 +220157,7 @@ index 9d2f311..c8a2637 100644
+ postgresql_filetrans_named_content($1)
')
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
-index 346d011..d55e727 100644
+index 346d011..59ee2a5 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -19,25 +19,32 @@ gen_require(`
@@ -220189,7 +220209,7 @@ index 346d011..d55e727 100644
allow postgresql_t self:process { setsockcreate };
')
-@@ -270,13 +278,13 @@ manage_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
+@@ -270,18 +278,19 @@ manage_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
manage_lnk_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
manage_fifo_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
manage_sock_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
@@ -220205,7 +220225,13 @@ index 346d011..d55e727 100644
can_exec(postgresql_t, postgresql_exec_t )
allow postgresql_t postgresql_lock_t:file manage_file_perms;
-@@ -304,7 +312,6 @@ kernel_list_proc(postgresql_t)
+ files_lock_filetrans(postgresql_t, postgresql_lock_t, file)
+
++manage_dirs_pattern(postgresql_t, postgresql_log_t, postgresql_log_t)
+ manage_files_pattern(postgresql_t, postgresql_log_t, postgresql_log_t)
+ logging_log_filetrans(postgresql_t, postgresql_log_t, { file dir })
+
+@@ -304,7 +313,6 @@ kernel_list_proc(postgresql_t)
kernel_read_all_sysctls(postgresql_t)
kernel_read_proc_symlinks(postgresql_t)
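Review bot: `manage_dirs_pattern(postgresql_t, postgresql_log_t, postgresql_log_t)` combined with the pre-existing unnamed `logging_log_filetrans(postgresql_t, postgresql_log_t, { file dir })` lets postgresql_t create, rename and remove directories in /var/log and have every one of them labeled postgresql_log_t, which is wider than the single pg_log directory the commit message names. If pg_log is the only directory it creates there, a named transition `logging_log_filetrans(postgresql_t, postgresql_log_t, dir, "pg_log")` would keep other directories at the default log label; otherwise a comment naming the case, `# postgresql creates pg_log under /var/log`, records why directory management is needed. The postgresql_t policy continues outside the hunk.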
@@ -220213,7 +220239,7 @@ index 346d011..d55e727 100644
corenet_all_recvfrom_netlabel(postgresql_t)
corenet_tcp_sendrecv_generic_if(postgresql_t)
corenet_udp_sendrecv_generic_if(postgresql_t)
-@@ -342,8 +349,7 @@ domain_dontaudit_list_all_domains_state(postgresql_t)
+@@ -342,8 +350,7 @@ domain_dontaudit_list_all_domains_state(postgresql_t)
domain_use_interactive_fds(postgresql_t)
files_dontaudit_search_home(postgresql_t)
@@ -220223,7 +220249,7 @@ index 346d011..d55e727 100644
files_read_etc_runtime_files(postgresql_t)
files_read_usr_files(postgresql_t)
-@@ -354,7 +360,6 @@ init_read_utmp(postgresql_t)
+@@ -354,7 +361,6 @@ init_read_utmp(postgresql_t)
logging_send_syslog_msg(postgresql_t)
logging_send_audit_msgs(postgresql_t)
@@ -220231,7 +220257,7 @@ index 346d011..d55e727 100644
seutil_libselinux_linked(postgresql_t)
seutil_read_default_contexts(postgresql_t)
-@@ -367,7 +372,7 @@ optional_policy(`
+@@ -367,7 +373,7 @@ optional_policy(`
mta_getattr_spool(postgresql_t)
')
@@ -220240,7 +220266,7 @@ index 346d011..d55e727 100644
allow postgresql_t self:process execmem;
')
-@@ -488,7 +493,7 @@ allow sepgsql_client_type sepgsql_temp_object_t:{db_schema db_table db_column db
+@@ -488,7 +494,7 @@ allow sepgsql_client_type sepgsql_temp_object_t:{db_schema db_table db_column db
# Note that permission of creation/deletion are eventually controlled by
# create or drop permission of individual objects within shared schemas.
# So, it just allows to create/drop user specific types.
@@ -220249,7 +220275,7 @@ index 346d011..d55e727 100644
allow sepgsql_client_type sepgsql_schema_t:db_schema { add_name remove_name };
')
-@@ -536,7 +541,7 @@ allow sepgsql_admin_type sepgsql_module_type:db_database install_module;
+@@ -536,7 +542,7 @@ allow sepgsql_admin_type sepgsql_module_type:db_database install_module;
kernel_relabelfrom_unlabeled_database(sepgsql_admin_type)
@@ -220258,7 +220284,7 @@ index 346d011..d55e727 100644
allow sepgsql_admin_type sepgsql_database_type:db_database *;
allow sepgsql_admin_type sepgsql_schema_type:db_schema *;
-@@ -589,3 +594,17 @@ allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *;
+@@ -589,3 +595,17 @@ allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *;
allow sepgsql_unconfined_type sepgsql_module_type:db_database install_module;
kernel_relabelfrom_unlabeled_database(sepgsql_unconfined_type)
@@ -220940,7 +220966,7 @@ index fe0c682..da12170 100644
+ allow $1 sshd_devpts_t:chr_file rw_inherited_chr_file_perms;
+')
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 5fc0391..f0a738c 100644
+index 5fc0391..94900fb 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -6,44 +6,51 @@ policy_module(ssh, 2.3.3)
@@ -221269,10 +221295,14 @@ index 5fc0391..f0a738c 100644
rpm_use_script_fds(sshd_t)
')
-@@ -279,6 +338,28 @@ optional_policy(`
+@@ -279,6 +338,32 @@ optional_policy(`
')
optional_policy(`
++ rsync_read_data(sshd_t)
++')
++
++optional_policy(`
+ systemd_exec_systemctl(sshd_t)
+')
+
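Review bot: `rsync_read_data(sshd_t)` grants the privilege to the sshd daemon domain itself rather than to the session domain in which rsync runs after authentication, so sshd_t, the process that handles pre-authentication network traffic, gains read access to all rsync_data_t content. Presumably the denial came from a path where sshd_t does not transition before rsync is started (a forced command or similar); if so, that case should be named in a comment, e.g. `# rsync to a backup host over ssh reads rsync_data_t before the session transition`, and the grant is a candidate for a boolean so hosts that do not serve rsync over ssh keep sshd's reach unchanged. The interface body is defined in the contrib patch and is not visible here.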
@@ -221298,7 +221328,7 @@ index 5fc0391..f0a738c 100644
unconfined_shell_domtrans(sshd_t)
')
-@@ -286,6 +367,29 @@ optional_policy(`
+@@ -286,6 +371,29 @@ optional_policy(`
xserver_domtrans_xauth(sshd_t)
')
@@ -221328,7 +221358,7 @@ index 5fc0391..f0a738c 100644
########################################
#
# ssh_keygen local policy
-@@ -294,19 +398,26 @@ optional_policy(`
+@@ -294,19 +402,26 @@ optional_policy(`
# ssh_keygen_t is the type of the ssh-keygen program when run at install time
# and by sysadm_t
@@ -221356,7 +221386,7 @@ index 5fc0391..f0a738c 100644
dev_read_urand(ssh_keygen_t)
term_dontaudit_use_console(ssh_keygen_t)
-@@ -323,6 +434,12 @@ auth_use_nsswitch(ssh_keygen_t)
+@@ -323,6 +438,12 @@ auth_use_nsswitch(ssh_keygen_t)
logging_send_syslog_msg(ssh_keygen_t)
userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
@@ -221369,7 +221399,7 @@ index 5fc0391..f0a738c 100644
optional_policy(`
seutil_sigchld_newrole(ssh_keygen_t)
-@@ -331,3 +448,123 @@ optional_policy(`
+@@ -331,3 +452,123 @@ optional_policy(`
optional_policy(`
udev_read_db(ssh_keygen_t)
')
@@ -221494,7 +221524,7 @@ index 5fc0391..f0a738c 100644
+ xserver_rw_xdm_pipes(ssh_agent_type)
+')
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
-index d1f64a0..c92d1e2 100644
+index d1f64a0..146340a 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -2,13 +2,35 @@
@@ -221555,7 +221585,7 @@ index d1f64a0..c92d1e2 100644
/etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0)
-@@ -46,26 +75,30 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+@@ -46,26 +75,31 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
# /tmp
#
@@ -221589,10 +221619,11 @@ index d1f64a0..c92d1e2 100644
/usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0)
/usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0)
+/usr/bin/Xvnc -- gen_context(system_u:object_r:xserver_exec_t,s0)
++/usr/bin/x11vnc -- gen_context(system_u:object_r:xserver_exec_t,s0)
/usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
-@@ -92,25 +125,49 @@ ifndef(`distro_debian',`
+@@ -92,25 +126,49 @@ ifndef(`distro_debian',`
/var/lib/gdm(3)?(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
/var/lib/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
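Review bot: Labeling `/usr/bin/x11vnc` as xserver_exec_t runs it in xserver_t, the same domain as Xorg, which in this policy holds raw hardware access (the `dev_rw_agp`, `dev_rw_framebuffer` and `dev_manage_dri_dev` rules visible in the xserver.te hunks below) and the execmem/execstack exemptions. Xvnc on the line above is itself an X server, but x11vnc is a network-facing VNC server that attaches to an already running display and has no need for device access, so an attacker who reaches it over the network lands in a domain far broader than the program requires. A dedicated domain would be the least-privilege fix; failing that, a comment should state why the full xserver_t privilege set was judged acceptable for a network service.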
@@ -221648,7 +221679,7 @@ index d1f64a0..c92d1e2 100644
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 6bf0ecc..f74788a 100644
+index 6bf0ecc..8a8ed32 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -19,9 +19,10 @@
@@ -222445,7 +222476,7 @@ index 6bf0ecc..f74788a 100644
')
########################################
-@@ -1284,10 +1618,559 @@ interface(`xserver_manage_core_devices',`
+@@ -1284,10 +1618,577 @@ interface(`xserver_manage_core_devices',`
#
interface(`xserver_unconfined',`
gen_require(`
@@ -222669,6 +222700,24 @@ index 6bf0ecc..f74788a 100644
+
+########################################
+## <summary>
++## Allow ioctl the xdm log files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit
++## </summary>
++## </param>
++#
++interface(`xserver_xdm_ioctl_log',`
++ gen_require(`
++ type xdm_log_t;
++ ')
++
++ allow $1 xdm_log_t:file ioctl;
++')
++
++########################################
++## <summary>
+## Allow append the xdm
+## tmp files.
+## </summary>
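Review bot: The `<param>` summary of the new `xserver_xdm_ioctl_log` interface reads `Domain to not audit`, but the body is an `allow` rule, not a dontaudit, so the text was copied from a dontaudit interface; change it to `## Domain allowed access.` and the summary to `## Allow the specified domain to ioctl xdm log files.`. Note also that `ioctl` on a file class grants every ioctl request code, there is no finer permission in this policy, so the callers the commit message mentions ("Xusers") receive more than the specific request lxdm issues on lxdm.log; a comment naming that request would let someone narrow it later if finer ioctl control becomes available. The interface is complete within the hunk.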
@@ -223008,7 +223057,7 @@ index 6bf0ecc..f74788a 100644
+ files_search_tmp($1)
+')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 2696452..92cfa7e 100644
+index 2696452..5a2bd5f 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,27 +26,50 @@ gen_require(`
@@ -223689,7 +223738,7 @@ index 2696452..92cfa7e 100644
')
optional_policy(`
-@@ -514,12 +739,71 @@ optional_policy(`
+@@ -514,12 +739,72 @@ optional_policy(`
')
optional_policy(`
@@ -223746,6 +223795,7 @@ index 2696452..92cfa7e 100644
optional_policy(`
+ gnome_stream_connect_gkeyringd(xdm_t)
++ gnome_exec_gstreamer_home_files(xdm_t)
+ gnome_exec_keyringd(xdm_t)
+ gnome_manage_config(xdm_t)
+ gnome_manage_gconf_home_files(xdm_t)
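Review bot: `gnome_exec_gstreamer_home_files(xdm_t)` lets the display-manager domain execute files from a user-writable home location, which is a potential local escalation: whoever can place content under the type that interface covers gets it executed in xdm_t. The interface body and the type it names are in the contrib patch, so confirm from there that the covered paths are limited to the gstreamer registry and plugin cache, and that xdm_t genuinely needs execute rather than read on them (the registry is data, only plugins are code). If execute is required, add a comment naming the file xdm_t executes and why, so the grant does not read as blanket execution of home content; the other gnome_* calls in this block are read/manage rules and do not raise the same concern.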
@@ -223761,7 +223811,7 @@ index 2696452..92cfa7e 100644
hostname_exec(xdm_t)
')
-@@ -537,28 +821,78 @@ optional_policy(`
+@@ -537,28 +822,78 @@ optional_policy(`
')
optional_policy(`
@@ -223849,7 +223899,7 @@ index 2696452..92cfa7e 100644
')
optional_policy(`
-@@ -570,6 +904,14 @@ optional_policy(`
+@@ -570,6 +905,14 @@ optional_policy(`
')
optional_policy(`
@@ -223864,7 +223914,7 @@ index 2696452..92cfa7e 100644
xfs_stream_connect(xdm_t)
')
-@@ -594,8 +936,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -594,8 +937,11 @@ allow xserver_t input_xevent_t:x_event send;
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -223877,7 +223927,7 @@ index 2696452..92cfa7e 100644
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -608,8 +953,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -608,8 +954,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -223893,7 +223943,7 @@ index 2696452..92cfa7e 100644
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -628,12 +980,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -628,12 +981,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -223915,7 +223965,7 @@ index 2696452..92cfa7e 100644
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -641,12 +1000,12 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -641,12 +1001,12 @@ kernel_read_modprobe_sysctls(xserver_t)
# Xorg wants to check if kernel is tainted
kernel_read_kernel_sysctls(xserver_t)
kernel_write_proc_files(xserver_t)
@@ -223929,7 +223979,7 @@ index 2696452..92cfa7e 100644
corenet_all_recvfrom_netlabel(xserver_t)
corenet_tcp_sendrecv_generic_if(xserver_t)
corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -667,23 +1026,27 @@ dev_rw_apm_bios(xserver_t)
+@@ -667,23 +1027,27 @@ dev_rw_apm_bios(xserver_t)
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -223960,7 +224010,7 @@ index 2696452..92cfa7e 100644
# brought on by rhgb
files_search_mnt(xserver_t)
-@@ -694,8 +1057,13 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -694,8 +1058,13 @@ fs_getattr_xattr_fs(xserver_t)
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -223974,7 +224024,7 @@ index 2696452..92cfa7e 100644
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
-@@ -708,20 +1076,18 @@ init_getpgid(xserver_t)
+@@ -708,20 +1077,18 @@ init_getpgid(xserver_t)
term_setattr_unallocated_ttys(xserver_t)
term_use_unallocated_ttys(xserver_t)
@@ -223998,7 +224048,7 @@ index 2696452..92cfa7e 100644
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -729,8 +1095,6 @@ userdom_setattr_user_ttys(xserver_t)
+@@ -729,8 +1096,6 @@ userdom_setattr_user_ttys(xserver_t)
userdom_read_user_tmp_files(xserver_t)
userdom_rw_user_tmpfs_files(xserver_t)
@@ -224007,7 +224057,7 @@ index 2696452..92cfa7e 100644
ifndef(`distro_redhat',`
allow xserver_t self:process { execmem execheap execstack };
domain_mmap_low_uncond(xserver_t)
-@@ -775,16 +1139,40 @@ optional_policy(`
+@@ -775,16 +1140,44 @@ optional_policy(`
')
optional_policy(`
@@ -224040,6 +224090,10 @@ index 2696452..92cfa7e 100644
+')
+
+optional_policy(`
++ tcpd_wrapped_domain(xserver_t, xserver_exec_t)
++')
++
++optional_policy(`
udev_read_db(xserver_t)
')
@@ -224049,7 +224103,7 @@ index 2696452..92cfa7e 100644
unconfined_domtrans(xserver_t)
')
-@@ -793,6 +1181,10 @@ optional_policy(`
+@@ -793,6 +1186,10 @@ optional_policy(`
')
optional_policy(`
@@ -224060,7 +224114,7 @@ index 2696452..92cfa7e 100644
xfs_stream_connect(xserver_t)
')
-@@ -808,10 +1200,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -808,10 +1205,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@@ -224074,7 +224128,7 @@ index 2696452..92cfa7e 100644
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -819,7 +1211,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -819,7 +1216,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
# Run xkbcomp.
@@ -224083,7 +224137,7 @@ index 2696452..92cfa7e 100644
can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
-@@ -832,26 +1224,21 @@ init_use_fds(xserver_t)
+@@ -832,26 +1229,21 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -224118,7 +224172,7 @@ index 2696452..92cfa7e 100644
')
optional_policy(`
-@@ -902,7 +1289,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -902,7 +1294,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -224127,7 +224181,7 @@ index 2696452..92cfa7e 100644
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -956,11 +1343,31 @@ allow x_domain self:x_resource { read write };
+@@ -956,11 +1348,31 @@ allow x_domain self:x_resource { read write };
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };
@@ -224159,7 +224213,7 @@ index 2696452..92cfa7e 100644
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
-@@ -982,18 +1389,40 @@ tunable_policy(`! xserver_object_manager',`
+@@ -982,18 +1394,40 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
@@ -225773,7 +225827,7 @@ index 016a770..1effeb4 100644
+ files_pid_filetrans($1, fsadm_var_run_t, dir, "blkid")
+')
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
-index 6c4b6ee..417f5e5 100644
+index 6c4b6ee..4ea7640 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -13,6 +13,9 @@ role system_r types fsadm_t;
@@ -225821,7 +225875,7 @@ index 6c4b6ee..417f5e5 100644
# Recreate /mnt/cdrom.
files_manage_mnt_dirs(fsadm_t)
# for tune2fs
-@@ -133,21 +147,24 @@ storage_raw_write_fixed_disk(fsadm_t)
+@@ -133,21 +147,26 @@ storage_raw_write_fixed_disk(fsadm_t)
storage_raw_read_removable_device(fsadm_t)
storage_raw_write_removable_device(fsadm_t)
storage_read_scsi_generic(fsadm_t)
@@ -225830,6 +225884,8 @@ index 6c4b6ee..417f5e5 100644
term_use_console(fsadm_t)
++auth_read_passwd(fsadm_t)
++
+init_read_state(fsadm_t)
init_use_fds(fsadm_t)
init_use_script_ptys(fsadm_t)
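Review bot: `auth_read_passwd(fsadm_t)` is added without the why-comment that the rest of fstools.te uses for per-tool rules (compare `# for tune2fs` in the earlier hunk). The commit message attributes it to fsck.xfs, but the rule applies to every tool running as fsadm_t, so that should be recorded in the policy itself. Suggested line above the call: `# fsck.xfs reads /etc/passwd`.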
@@ -225848,7 +225904,7 @@ index 6c4b6ee..417f5e5 100644
ifdef(`distro_redhat',`
optional_policy(`
-@@ -166,6 +183,11 @@ optional_policy(`
+@@ -166,6 +185,11 @@ optional_policy(`
')
optional_policy(`
@@ -225860,7 +225916,7 @@ index 6c4b6ee..417f5e5 100644
hal_dontaudit_write_log(fsadm_t)
')
-@@ -179,6 +201,10 @@ optional_policy(`
+@@ -179,6 +203,10 @@ optional_policy(`
')
optional_policy(`
@@ -225871,7 +225927,7 @@ index 6c4b6ee..417f5e5 100644
nis_use_ypbind(fsadm_t)
')
-@@ -192,6 +218,10 @@ optional_policy(`
+@@ -192,6 +220,10 @@ optional_policy(`
')
optional_policy(`
@@ -227302,7 +227358,7 @@ index 24e7804..386109d 100644
+ allow $1 init_t:system undefined;
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index dd3be8d..aab0c5a 100644
+index dd3be8d..6114976 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -11,10 +11,24 @@ gen_require(`
@@ -227488,7 +227544,7 @@ index dd3be8d..aab0c5a 100644
# file descriptors inherited from the rootfs:
files_dontaudit_rw_root_files(init_t)
files_dontaudit_rw_root_chr_files(init_t)
-@@ -156,28 +221,45 @@ fs_list_inotifyfs(init_t)
+@@ -156,28 +221,48 @@ fs_list_inotifyfs(init_t)
fs_write_ramfs_sockets(init_t)
mcs_process_set_categories(init_t)
@@ -227496,8 +227552,11 @@ index dd3be8d..aab0c5a 100644
mls_file_read_all_levels(init_t)
mls_file_write_all_levels(init_t)
++mls_file_downgrade(init_t)
++mls_file_upgrade(init_t)
mls_process_write_down(init_t)
mls_fd_use_all_levels(init_t)
++mls_fd_share_all_levels(init_t)
+mls_socket_read_all_levels(init_t)
+mls_socket_write_all_levels(init_t)
+
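Review bot: `mls_file_downgrade(init_t)` and `mls_file_upgrade(init_t)` exempt init from the MLS relabel constraints in both directions, which is the broadest relabel privilege the MLS policy grants, and the hunk gives no reason beyond the commit message's "make MLS boot/log-in working". `mls_fd_share_all_levels(init_t)` is similarly unexplained. A comment naming the boot-time step that relabels files across levels, and ideally the AVC that motivated it, would let a later reviewer decide whether the exemption is still needed; e.g. `# MLS boot: init relabels <files> across levels — TODO record the denial`.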
@@ -227537,7 +227596,7 @@ index dd3be8d..aab0c5a 100644
ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap };
-@@ -186,29 +268,177 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +271,177 @@ ifdef(`distro_gentoo',`
')
ifdef(`distro_redhat',`
@@ -227723,7 +227782,7 @@ index dd3be8d..aab0c5a 100644
')
optional_policy(`
-@@ -216,6 +446,27 @@ optional_policy(`
+@@ -216,6 +449,27 @@ optional_policy(`
')
optional_policy(`
@@ -227751,7 +227810,7 @@ index dd3be8d..aab0c5a 100644
unconfined_domain(init_t)
')
-@@ -225,8 +476,9 @@ optional_policy(`
+@@ -225,8 +479,9 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -227763,7 +227822,7 @@ index dd3be8d..aab0c5a 100644
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -257,12 +509,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -257,12 +512,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -227780,7 +227839,7 @@ index dd3be8d..aab0c5a 100644
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -278,23 +534,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -278,23 +537,36 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -227823,7 +227882,7 @@ index dd3be8d..aab0c5a 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -302,9 +571,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -302,9 +574,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -227835,7 +227894,7 @@ index dd3be8d..aab0c5a 100644
dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t)
-@@ -312,8 +583,10 @@ dev_write_framebuffer(initrc_t)
+@@ -312,8 +586,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@@ -227846,7 +227905,7 @@ index dd3be8d..aab0c5a 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -321,8 +594,7 @@ dev_manage_generic_files(initrc_t)
+@@ -321,8 +597,7 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -227856,7 +227915,7 @@ index dd3be8d..aab0c5a 100644
domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t)
-@@ -331,7 +603,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -331,7 +606,6 @@ domain_sigstop_all_domains(initrc_t)
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
@@ -227864,7 +227923,7 @@ index dd3be8d..aab0c5a 100644
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
-@@ -339,6 +610,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -339,6 +613,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -227872,7 +227931,7 @@ index dd3be8d..aab0c5a 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
-@@ -346,14 +618,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -346,14 +621,15 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -227890,7 +227949,7 @@ index dd3be8d..aab0c5a 100644
files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t)
files_manage_generic_spool(initrc_t)
-@@ -363,8 +636,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -363,8 +639,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -227904,7 +227963,7 @@ index dd3be8d..aab0c5a 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -374,10 +651,11 @@ fs_mount_all_fs(initrc_t)
+@@ -374,10 +654,11 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -227918,7 +227977,7 @@ index dd3be8d..aab0c5a 100644
mcs_process_set_categories(initrc_t)
mls_file_read_all_levels(initrc_t)
-@@ -386,6 +664,7 @@ mls_process_read_up(initrc_t)
+@@ -386,6 +667,7 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -227926,7 +227985,7 @@ index dd3be8d..aab0c5a 100644
selinux_get_enforce_mode(initrc_t)
-@@ -397,6 +676,7 @@ term_use_all_terms(initrc_t)
+@@ -397,6 +679,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -227934,7 +227993,7 @@ index dd3be8d..aab0c5a 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -415,20 +695,18 @@ logging_read_all_logs(initrc_t)
+@@ -415,20 +698,18 @@ logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
@@ -227958,7 +228017,7 @@ index dd3be8d..aab0c5a 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -450,7 +728,6 @@ ifdef(`distro_gentoo',`
+@@ -450,7 +731,6 @@ ifdef(`distro_gentoo',`
allow initrc_t self:process setfscreate;
dev_create_null_dev(initrc_t)
dev_create_zero_dev(initrc_t)
@@ -227966,7 +228025,7 @@ index dd3be8d..aab0c5a 100644
term_create_console_dev(initrc_t)
# unfortunately /sbin/rc does stupid tricks
-@@ -485,6 +762,10 @@ ifdef(`distro_gentoo',`
+@@ -485,6 +765,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@@ -227977,7 +228036,7 @@ index dd3be8d..aab0c5a 100644
alsa_read_lib(initrc_t)
')
-@@ -505,7 +786,7 @@ ifdef(`distro_redhat',`
+@@ -505,7 +789,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -227986,7 +228045,7 @@ index dd3be8d..aab0c5a 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -520,6 +801,7 @@ ifdef(`distro_redhat',`
+@@ -520,6 +804,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -227994,7 +228053,7 @@ index dd3be8d..aab0c5a 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -540,6 +822,7 @@ ifdef(`distro_redhat',`
+@@ -540,6 +825,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t)
@@ -228002,7 +228061,7 @@ index dd3be8d..aab0c5a 100644
miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
-@@ -549,8 +832,40 @@ ifdef(`distro_redhat',`
+@@ -549,8 +835,44 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -228039,11 +228098,15 @@ index dd3be8d..aab0c5a 100644
+ ')
+
+ optional_policy(`
++ ntp_filetrans_named_content(initrc_t)
++ ')
++
++ optional_policy(`
+ pulseaudio_stream_connect(initrc_t)
')
optional_policy(`
-@@ -558,14 +873,31 @@ ifdef(`distro_redhat',`
+@@ -558,14 +880,31 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -228075,7 +228138,7 @@ index dd3be8d..aab0c5a 100644
')
')
-@@ -576,6 +908,39 @@ ifdef(`distro_suse',`
+@@ -576,6 +915,39 @@ ifdef(`distro_suse',`
')
')
@@ -228115,7 +228178,7 @@ index dd3be8d..aab0c5a 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -588,6 +953,8 @@ optional_policy(`
+@@ -588,6 +960,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -228124,7 +228187,7 @@ index dd3be8d..aab0c5a 100644
')
optional_policy(`
-@@ -609,6 +976,7 @@ optional_policy(`
+@@ -609,6 +983,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -228132,7 +228195,7 @@ index dd3be8d..aab0c5a 100644
')
optional_policy(`
-@@ -625,6 +993,17 @@ optional_policy(`
+@@ -625,6 +1000,17 @@ optional_policy(`
')
optional_policy(`
@@ -228150,7 +228213,7 @@ index dd3be8d..aab0c5a 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -641,9 +1020,13 @@ optional_policy(`
+@@ -641,9 +1027,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -228164,7 +228227,7 @@ index dd3be8d..aab0c5a 100644
')
optional_policy(`
-@@ -656,15 +1039,11 @@ optional_policy(`
+@@ -656,15 +1046,11 @@ optional_policy(`
')
optional_policy(`
@@ -228182,7 +228245,7 @@ index dd3be8d..aab0c5a 100644
')
optional_policy(`
-@@ -685,6 +1064,15 @@ optional_policy(`
+@@ -685,6 +1071,15 @@ optional_policy(`
')
optional_policy(`
@@ -228198,7 +228261,7 @@ index dd3be8d..aab0c5a 100644
inn_exec_config(initrc_t)
')
-@@ -725,6 +1113,7 @@ optional_policy(`
+@@ -725,6 +1120,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@@ -228206,7 +228269,7 @@ index dd3be8d..aab0c5a 100644
')
optional_policy(`
-@@ -742,7 +1131,14 @@ optional_policy(`
+@@ -742,7 +1138,14 @@ optional_policy(`
')
optional_policy(`
@@ -228221,7 +228284,7 @@ index dd3be8d..aab0c5a 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -765,6 +1161,10 @@ optional_policy(`
+@@ -765,6 +1168,10 @@ optional_policy(`
')
optional_policy(`
@@ -228232,7 +228295,7 @@ index dd3be8d..aab0c5a 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -774,10 +1174,20 @@ optional_policy(`
+@@ -774,10 +1181,20 @@ optional_policy(`
')
optional_policy(`
@@ -228253,7 +228316,7 @@ index dd3be8d..aab0c5a 100644
quota_manage_flags(initrc_t)
')
-@@ -786,6 +1196,10 @@ optional_policy(`
+@@ -786,6 +1203,10 @@ optional_policy(`
')
optional_policy(`
@@ -228264,7 +228327,7 @@ index dd3be8d..aab0c5a 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -807,8 +1221,6 @@ optional_policy(`
+@@ -807,8 +1228,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -228273,7 +228336,7 @@ index dd3be8d..aab0c5a 100644
')
optional_policy(`
-@@ -817,6 +1229,10 @@ optional_policy(`
+@@ -817,6 +1236,10 @@ optional_policy(`
')
optional_policy(`
@@ -228284,7 +228347,7 @@ index dd3be8d..aab0c5a 100644
# shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t)
')
-@@ -826,10 +1242,12 @@ optional_policy(`
+@@ -826,10 +1249,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@@ -228297,7 +228360,7 @@ index dd3be8d..aab0c5a 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -856,12 +1274,27 @@ optional_policy(`
+@@ -856,12 +1281,27 @@ optional_policy(`
')
optional_policy(`
@@ -228326,7 +228389,7 @@ index dd3be8d..aab0c5a 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -871,6 +1304,18 @@ optional_policy(`
+@@ -871,6 +1311,18 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -228345,7 +228408,7 @@ index dd3be8d..aab0c5a 100644
')
optional_policy(`
-@@ -886,6 +1331,10 @@ optional_policy(`
+@@ -886,6 +1338,10 @@ optional_policy(`
')
optional_policy(`
@@ -228356,7 +228419,7 @@ index dd3be8d..aab0c5a 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -896,3 +1345,185 @@ optional_policy(`
+@@ -896,3 +1352,185 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -230379,7 +230442,7 @@ index 4e94884..23894f4 100644
+ init_named_pid_filetrans($1, syslogd_var_run_t, dir, "journal")
+')
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 39ea221..d9a4b9b 100644
+index 39ea221..9437d6f 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -4,6 +4,21 @@ policy_module(logging, 1.19.6)
@@ -230657,7 +230720,7 @@ index 39ea221..d9a4b9b 100644
domain_use_interactive_fds(syslogd_t)
files_read_etc_files(syslogd_t)
-@@ -442,14 +507,18 @@ files_read_kernel_symbol_table(syslogd_t)
+@@ -442,14 +507,19 @@ files_read_kernel_symbol_table(syslogd_t)
files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
fs_getattr_all_fs(syslogd_t)
@@ -230666,6 +230729,7 @@ index 39ea221..d9a4b9b 100644
+fs_search_cgroup_dirs(syslogd_t)
mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories
++mls_socket_write_all_levels(syslogd_t) # Neet to be able to sendto dgram
term_write_console(syslogd_t)
# Allow syslog to a terminal
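Review bot: The comment on the added `mls_socket_write_all_levels(syslogd_t)` line has a typo, `# Neet to be able to sendto dgram`, and should read `# Need to be able to sendto dgram`. It would also help to say which peer the datagram goes to (the line above names the directories it writes, this one names nothing), since the rule waives MLS write-down checks for every socket syslogd sends on, not just one.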
@@ -230676,7 +230740,7 @@ index 39ea221..d9a4b9b 100644
# for sending messages to logged in users
init_read_utmp(syslogd_t)
init_dontaudit_write_utmp(syslogd_t)
-@@ -461,11 +530,11 @@ init_use_fds(syslogd_t)
+@@ -461,11 +531,11 @@ init_use_fds(syslogd_t)
# cjp: this doesnt make sense
logging_send_syslog_msg(syslogd_t)
@@ -230690,7 +230754,7 @@ index 39ea221..d9a4b9b 100644
ifdef(`distro_gentoo',`
# default gentoo syslog-ng config appends kernel
-@@ -502,15 +571,36 @@ optional_policy(`
+@@ -502,15 +572,36 @@ optional_policy(`
')
optional_policy(`
@@ -230727,7 +230791,7 @@ index 39ea221..d9a4b9b 100644
')
optional_policy(`
-@@ -521,3 +611,24 @@ optional_policy(`
+@@ -521,3 +612,24 @@ optional_policy(`
# log to the xconsole
xserver_rw_console(syslogd_t)
')
@@ -234038,10 +234102,10 @@ index 1447687..d5e6fb9 100644
seutil_read_config(setrans_t)
diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
-index 346a7cc..1285089 100644
+index 346a7cc..2fa1253 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
-@@ -17,10 +17,10 @@ ifdef(`distro_debian',`
+@@ -17,14 +17,15 @@ ifdef(`distro_debian',`
/etc/dhclient.*conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/dhclient-script -- gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0)
@@ -234055,7 +234119,12 @@ index 346a7cc..1285089 100644
/etc/hosts\.deny.* -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/denyhosts.* -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
-@@ -55,6 +55,20 @@ ifdef(`distro_redhat',`
+ /etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
++/etc/ntp\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
+
+ /etc/dhcp3(/.*)? gen_context(system_u:object_r:dhcp_etc_t,s0)
+ /etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0)
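Review bot: The new `/etc/ntp\.conf -- gen_context(system_u:object_r:net_conf_t,s0)` entry matches only the exact file, while the neighbouring specs in this block (`/etc/yp\.conf.*`, `/etc/resolv\.conf.*`) carry a `.*` suffix so that `.rpmnew`/backup copies get the same label; if the narrower match is intentional a short comment saying so would avoid a later "fix". If ntp.fc still carries a spec for the same path, the two must agree exactly or one should be dropped, since conflicting contexts for one path fail the file_contexts build. The matching named transition added at L1318 (`files_etc_filetrans($1, net_conf_t, file, "ntp.conf")`) is consistent with this exact-name entry.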
+@@ -55,6 +56,20 @@ ifdef(`distro_redhat',`
#
# /usr
#
@@ -234076,14 +234145,14 @@ index 346a7cc..1285089 100644
/usr/sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
#
-@@ -72,3 +86,5 @@ ifdef(`distro_redhat',`
+@@ -72,3 +87,5 @@ ifdef(`distro_redhat',`
ifdef(`distro_gentoo',`
/var/lib/dhcpc(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
')
+
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
-index 6944526..729dc8c 100644
+index 6944526..ec17624 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',`
@@ -234309,7 +234378,7 @@ index 6944526..729dc8c 100644
corenet_tcp_sendrecv_generic_if($1)
corenet_udp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
-@@ -766,3 +883,73 @@ interface(`sysnet_use_portmap',`
+@@ -766,3 +883,74 @@ interface(`sysnet_use_portmap',`
sysnet_read_config($1)
')
@@ -234382,6 +234451,7 @@ index 6944526..729dc8c 100644
+ files_etc_filetrans($1, net_conf_t, file, "hosts.deny")
+ files_etc_filetrans($1, net_conf_t, file, "ethers")
+ files_etc_filetrans($1, net_conf_t, file, "yp.conf")
++ files_etc_filetrans($1, net_conf_t, file, "ntp.conf")
+')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index b7686d5..7f2928d 100644
@@ -234702,10 +234772,10 @@ index b7686d5..7f2928d 100644
+')
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
new file mode 100644
-index 0000000..4c08b36
+index 0000000..4221a94
--- /dev/null
+++ b/policy/modules/system/systemd.fc
-@@ -0,0 +1,37 @@
+@@ -0,0 +1,38 @@
+/bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0)
+/bin/systemctl -- gen_context(system_u:object_r:systemd_systemctl_exec_t,s0)
+/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
@@ -234726,6 +234796,7 @@ index 0000000..4c08b36
+/usr/lib/systemd/system/.*shutdown.* -- gen_context(system_u:object_r:power_unit_file_t,s0)
+/usr/lib/systemd/system/.*suspend.* -- gen_context(system_u:object_r:power_unit_file_t,s0)
+/usr/lib/systemd/systemd-hostnamed -- gen_context(system_u:object_r:systemd_hostnamed_exec_t,s0)
++/usr/lib/systemd/systemd-sysctl -- gen_context(system_u:object_r:systemd_sysctl_exec_t,s0)
+/usr/lib/systemd/systemd-timedated -- gen_context(system_u:object_r:systemd_timedated_exec_t,s0)
+/usr/lib/systemd/systemd-logind -- gen_context(system_u:object_r:systemd_logind_exec_t,s0)
+/usr/lib/systemd/systemd-localed -- gen_context(system_u:object_r:systemd_localed_exec_t,s0)
@@ -235792,10 +235863,10 @@ index 0000000..a4b0917
+
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..26a2c8a
+index 0000000..9b74225
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,590 @@
+@@ -0,0 +1,612 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -235871,6 +235942,10 @@ index 0000000..26a2c8a
+type systemd_timedated_exec_t;
+init_daemon_domain(systemd_timedated_t, systemd_timedated_exec_t)
+
++type systemd_sysctl_t;
++type systemd_sysctl_exec_t;
++init_daemon_domain(systemd_sysctl_t, systemd_sysctl_exec_t)
++
+#######################################
+#
+# Systemd_logind local policy
@@ -236045,8 +236120,8 @@ index 0000000..26a2c8a
+logging_send_syslog_msg(systemd_passwd_agent_t)
+logging_stream_connect_syslog(systemd_passwd_agent_t)
+
-+
+userdom_use_user_ptys(systemd_passwd_agent_t)
++userdom_use_inherited_user_ttys(systemd_passwd_agent_t)
+
+optional_policy(`
+ lvm_signull(systemd_passwd_agent_t)
@@ -236386,6 +236461,24 @@ index 0000000..26a2c8a
+ policykit_read_lib(systemd_timedated_t)
+ policykit_read_reload(systemd_timedated_t)
+')
++
++########################################
++#
++# systemd_sysctl domains local policy
++#
++allow systemd_sysctl_t self:capability net_admin;
++allow systemd_sysctl_t self:unix_dgram_socket create_socket_perms;
++
++kernel_dgram_send(systemd_sysctl_t)
++kernel_rw_all_sysctls(systemd_sysctl_t)
++
++files_read_system_conf_files(systemd_sysctl_t)
++
++domain_use_interactive_fds(systemd_sysctl_t)
++
++files_read_etc_files(systemd_sysctl_t)
++
++logging_stream_connect_syslog(systemd_sysctl_t)
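Review bot: The systemd_sysctl_t block grants `self:unix_dgram_socket create_socket_perms` and `kernel_dgram_send`, but only `logging_stream_connect_syslog(systemd_sysctl_t)` for syslog, whereas the other domains in this file pair it with `logging_send_syslog_msg` (see the passwd agent at L1368-L1369); unless the dgram path to /dev/log is granted elsewhere in the file, logging from this domain will presumably be denied. The `self:capability net_admin` line also deserves a why-comment, since writing `net.*` sysctls requires CAP_NET_ADMIN: `# CAP_NET_ADMIN is needed to write net.* sysctls`. Minor style point: the section header reads `# systemd_sysctl domains local policy` while the others in the file use the `# Systemd_<name> local policy` form.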
diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
index 40928d8..49fd32e 100644
--- a/policy/modules/system/udev.fc
@@ -237757,7 +237850,7 @@ index db75976..65191bd 100644
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 3c5dba7..f2fe86e 100644
+index 3c5dba7..a598a86 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -238943,7 +239036,7 @@ index 3c5dba7..f2fe86e 100644
')
optional_policy(`
-@@ -951,12 +1213,26 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -951,12 +1213,30 @@ template(`userdom_restricted_xwindows_user_template',`
')
optional_policy(`
@@ -238968,10 +239061,14 @@ index 3c5dba7..f2fe86e 100644
+ optional_policy(`
+ udev_read_db($1_usertype)
+ ')
++
++ optional_policy(`
++ xserver_xdm_ioctl_log($1_t)
++ ')
')
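Review bot: The new `xserver_xdm_ioctl_log($1_t)` call applies to the base user domain only, while the sibling call in the same block, `udev_read_db($1_usertype)` at L1420, uses the `$1_usertype` attribute; if derived user domains also run under lxdm they will not get the ioctl, and if only `$1_t` needs it the difference should be deliberate and stated. Since this grants every restricted X user ioctl on the display manager's log, a one-line comment naming the need would help, e.g. `# lxdm: user session ioctls lxdm.log (presumably via an inherited fd)`; the enclosing template starts outside the hunk.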
#######################################
-@@ -990,27 +1266,33 @@ template(`userdom_unpriv_user_template', `
+@@ -990,27 +1270,33 @@ template(`userdom_unpriv_user_template', `
#
# Inherit rules for ordinary users.
@@ -239009,7 +239106,7 @@ index 3c5dba7..f2fe86e 100644
fs_manage_noxattr_fs_files($1_t)
fs_manage_noxattr_fs_dirs($1_t)
# Write floppies
-@@ -1021,23 +1303,57 @@ template(`userdom_unpriv_user_template', `
+@@ -1021,23 +1307,57 @@ template(`userdom_unpriv_user_template', `
')
')
@@ -239054,15 +239151,15 @@ index 3c5dba7..f2fe86e 100644
+ optional_policy(`
+ systemd_dbus_chat_timedated($1_t)
+ systemd_dbus_chat_hostnamed($1_t)
-+ ')
-+
-+ optional_policy(`
-+ gpm_stream_connect($1_usertype)
')
optional_policy(`
- netutils_run_ping_cond($1_t, $1_r)
- netutils_run_traceroute_cond($1_t, $1_r)
++ gpm_stream_connect($1_usertype)
++ ')
++
++ optional_policy(`
+ mount_run_fusermount($1_t, $1_r)
+ mount_read_pid_files($1_t)
+ ')
@@ -239077,7 +239174,7 @@ index 3c5dba7..f2fe86e 100644
')
# Run pppd in pppd_t by default for user
-@@ -1046,7 +1362,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1046,7 +1366,9 @@ template(`userdom_unpriv_user_template', `
')
optional_policy(`
@@ -239088,7 +239185,7 @@ index 3c5dba7..f2fe86e 100644
')
')
-@@ -1082,7 +1400,7 @@ template(`userdom_unpriv_user_template', `
+@@ -1082,7 +1404,7 @@ template(`userdom_unpriv_user_template', `
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -239097,7 +239194,7 @@ index 3c5dba7..f2fe86e 100644
')
##############################
-@@ -1109,6 +1427,7 @@ template(`userdom_admin_user_template',`
+@@ -1109,6 +1431,7 @@ template(`userdom_admin_user_template',`
#
allow $1_t self:capability ~{ sys_module audit_control audit_write };
@@ -239105,7 +239202,7 @@ index 3c5dba7..f2fe86e 100644
allow $1_t self:process { setexec setfscreate };
allow $1_t self:netlink_audit_socket nlmsg_readpriv;
allow $1_t self:tun_socket create;
-@@ -1117,6 +1436,9 @@ template(`userdom_admin_user_template',`
+@@ -1117,6 +1440,9 @@ template(`userdom_admin_user_template',`
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -239115,7 +239212,7 @@ index 3c5dba7..f2fe86e 100644
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1131,6 +1453,7 @@ template(`userdom_admin_user_template',`
+@@ -1131,6 +1457,7 @@ template(`userdom_admin_user_template',`
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -239123,7 +239220,7 @@ index 3c5dba7..f2fe86e 100644
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1148,10 +1471,14 @@ template(`userdom_admin_user_template',`
+@@ -1148,10 +1475,14 @@ template(`userdom_admin_user_template',`
dev_rename_all_blk_files($1_t)
dev_rename_all_chr_files($1_t)
dev_create_generic_symlinks($1_t)
@@ -239138,7 +239235,7 @@ index 3c5dba7..f2fe86e 100644
domain_dontaudit_ptrace_all_domains($1_t)
# signal all domains:
domain_kill_all_domains($1_t)
-@@ -1162,29 +1489,38 @@ template(`userdom_admin_user_template',`
+@@ -1162,29 +1493,38 @@ template(`userdom_admin_user_template',`
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
@@ -239181,7 +239278,7 @@ index 3c5dba7..f2fe86e 100644
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
-@@ -1194,6 +1530,8 @@ template(`userdom_admin_user_template',`
+@@ -1194,6 +1534,8 @@ template(`userdom_admin_user_template',`
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -239190,7 +239287,7 @@ index 3c5dba7..f2fe86e 100644
userdom_manage_user_home_content_dirs($1_t)
userdom_manage_user_home_content_files($1_t)
userdom_manage_user_home_content_symlinks($1_t)
-@@ -1201,13 +1539,17 @@ template(`userdom_admin_user_template',`
+@@ -1201,13 +1543,17 @@ template(`userdom_admin_user_template',`
userdom_manage_user_home_content_sockets($1_t)
userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
@@ -239209,7 +239306,7 @@ index 3c5dba7..f2fe86e 100644
optional_policy(`
postgresql_unconfined($1_t)
')
-@@ -1253,6 +1595,8 @@ template(`userdom_security_admin_template',`
+@@ -1253,6 +1599,8 @@ template(`userdom_security_admin_template',`
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -239218,7 +239315,7 @@ index 3c5dba7..f2fe86e 100644
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1265,8 +1609,10 @@ template(`userdom_security_admin_template',`
+@@ -1265,8 +1613,10 @@ template(`userdom_security_admin_template',`
selinux_set_enforce_mode($1)
selinux_set_all_booleans($1)
selinux_set_parameters($1)
@@ -239230,7 +239327,7 @@ index 3c5dba7..f2fe86e 100644
auth_relabel_shadow($1)
init_exec($1)
-@@ -1277,35 +1623,37 @@ template(`userdom_security_admin_template',`
+@@ -1277,29 +1627,31 @@ template(`userdom_security_admin_template',`
logging_read_audit_config($1)
seutil_manage_bin_policy($1)
@@ -239259,29 +239356,21 @@ index 3c5dba7..f2fe86e 100644
- optional_policy(`
- dmesg_exec($1)
+- ')
+-
+- optional_policy(`
+- ipsec_run_setkey($1, $2)
+ optional_policy(`
+ ipsec_run_setkey($1,$2)
')
optional_policy(`
-- ipsec_run_setkey($1, $2)
+- netlabel_run_mgmt($1, $2)
+ netlabel_run_mgmt($1,$2)
')
optional_policy(`
-- netlabel_run_mgmt($1, $2)
-+ samhain_run($1, $2)
- ')
--
-- optional_policy(`
-- samhain_run($1, $2)
-- ')
--')
-+')
-
- ########################################
- ## <summary>
-@@ -1360,14 +1708,17 @@ interface(`userdom_user_home_content',`
+@@ -1360,14 +1712,17 @@ interface(`userdom_user_home_content',`
gen_require(`
attribute user_home_content_type;
type user_home_t;
@@ -239300,7 +239389,7 @@ index 3c5dba7..f2fe86e 100644
')
########################################
-@@ -1408,6 +1759,51 @@ interface(`userdom_user_tmpfs_file',`
+@@ -1408,6 +1763,51 @@ interface(`userdom_user_tmpfs_file',`
## <summary>
## Allow domain to attach to TUN devices created by administrative users.
## </summary>
@@ -239352,7 +239441,7 @@ index 3c5dba7..f2fe86e 100644
## <param name="domain">
## <summary>
## Domain allowed access.
-@@ -1512,11 +1908,31 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1512,11 +1912,31 @@ interface(`userdom_search_user_home_dirs',`
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -239384,7 +239473,7 @@ index 3c5dba7..f2fe86e 100644
## Do not audit attempts to search user home directories.
## </summary>
## <desc>
-@@ -1558,6 +1974,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1558,6 +1978,14 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -239399,7 +239488,7 @@ index 3c5dba7..f2fe86e 100644
')
########################################
-@@ -1573,9 +1997,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1573,9 +2001,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -239411,7 +239500,7 @@ index 3c5dba7..f2fe86e 100644
')
########################################
-@@ -1632,6 +2058,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1632,6 +2062,42 @@ interface(`userdom_relabelto_user_home_dirs',`
allow $1 user_home_dir_t:dir relabelto;
')
@@ -239454,7 +239543,7 @@ index 3c5dba7..f2fe86e 100644
########################################
## <summary>
## Create directories in the home dir root with
-@@ -1711,6 +2173,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1711,6 +2177,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -239463,7 +239552,7 @@ index 3c5dba7..f2fe86e 100644
')
########################################
-@@ -1744,10 +2208,12 @@ interface(`userdom_list_all_user_home_content',`
+@@ -1744,10 +2212,12 @@ interface(`userdom_list_all_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -239478,7 +239567,7 @@ index 3c5dba7..f2fe86e 100644
')
########################################
-@@ -1772,7 +2238,7 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1772,7 +2242,7 @@ interface(`userdom_manage_user_home_content_dirs',`
########################################
## <summary>
@@ -239487,7 +239576,7 @@ index 3c5dba7..f2fe86e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1780,19 +2246,17 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1780,19 +2250,17 @@ interface(`userdom_manage_user_home_content_dirs',`
## </summary>
## </param>
#
@@ -239511,7 +239600,7 @@ index 3c5dba7..f2fe86e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1800,31 +2264,31 @@ interface(`userdom_delete_all_user_home_content_dirs',`
+@@ -1800,31 +2268,31 @@ interface(`userdom_delete_all_user_home_content_dirs',`
## </summary>
## </param>
#
@@ -239551,7 +239640,7 @@ index 3c5dba7..f2fe86e 100644
')
########################################
-@@ -1848,6 +2312,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1848,6 +2316,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
########################################
## <summary>
@@ -239577,7 +239666,7 @@ index 3c5dba7..f2fe86e 100644
## Mmap user home files.
## </summary>
## <param name="domain">
-@@ -1878,14 +2361,36 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1878,14 +2365,36 @@ interface(`userdom_mmap_user_home_content_files',`
interface(`userdom_read_user_home_content_files',`
gen_require(`
type user_home_dir_t, user_home_t;
@@ -239615,7 +239704,7 @@ index 3c5dba7..f2fe86e 100644
## Do not audit attempts to read user home files.
## </summary>
## <param name="domain">
-@@ -1896,11 +2401,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1896,11 +2405,14 @@ interface(`userdom_read_user_home_content_files',`
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -239633,7 +239722,7 @@ index 3c5dba7..f2fe86e 100644
')
########################################
-@@ -1941,7 +2449,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1941,7 +2453,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
########################################
## <summary>
@@ -239660,7 +239749,7 @@ index 3c5dba7..f2fe86e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1951,17 +2477,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1951,17 +2481,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
#
interface(`userdom_delete_all_user_home_content_files',`
gen_require(`
@@ -239681,7 +239770,7 @@ index 3c5dba7..f2fe86e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1969,12 +2493,48 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1969,12 +2497,48 @@ interface(`userdom_delete_all_user_home_content_files',`
## </summary>
## </param>
#
@@ -239732,7 +239821,7 @@ index 3c5dba7..f2fe86e 100644
')
########################################
-@@ -2010,8 +2570,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2010,8 +2574,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@@ -239742,7 +239831,7 @@ index 3c5dba7..f2fe86e 100644
')
########################################
-@@ -2027,20 +2586,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2027,20 +2590,14 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -239767,7 +239856,7 @@ index 3c5dba7..f2fe86e 100644
########################################
## <summary>
-@@ -2123,7 +2676,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2123,7 +2680,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
########################################
## <summary>
@@ -239776,7 +239865,7 @@ index 3c5dba7..f2fe86e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2131,19 +2684,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2131,19 +2688,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
## </summary>
## </param>
#
@@ -239800,7 +239889,7 @@ index 3c5dba7..f2fe86e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2151,12 +2702,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
+@@ -2151,12 +2706,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
## </summary>
## </param>
#
@@ -239816,7 +239905,7 @@ index 3c5dba7..f2fe86e 100644
')
########################################
-@@ -2393,11 +2944,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2393,11 +2948,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
#
interface(`userdom_read_user_tmp_files',`
gen_require(`
@@ -239831,7 +239920,7 @@ index 3c5dba7..f2fe86e 100644
files_search_tmp($1)
')
-@@ -2417,7 +2968,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2417,7 +2972,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -239840,7 +239929,7 @@ index 3c5dba7..f2fe86e 100644
')
########################################
-@@ -2664,6 +3215,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2664,6 +3219,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
files_tmp_filetrans($1, user_tmp_t, $2, $3)
')
@@ -239866,7 +239955,7 @@ index 3c5dba7..f2fe86e 100644
########################################
## <summary>
## Read user tmpfs files.
-@@ -2680,13 +3250,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2680,13 +3254,14 @@ interface(`userdom_read_user_tmpfs_files',`
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -239882,7 +239971,7 @@ index 3c5dba7..f2fe86e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2707,7 +3278,7 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2707,7 +3282,7 @@ interface(`userdom_rw_user_tmpfs_files',`
########################################
## <summary>
@@ -239891,7 +239980,7 @@ index 3c5dba7..f2fe86e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2715,19 +3286,17 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2715,14 +3290,30 @@ interface(`userdom_rw_user_tmpfs_files',`
## </summary>
## </param>
#
@@ -239905,78 +239994,28 @@ index 3c5dba7..f2fe86e 100644
- allow $1 user_tmpfs_t:dir list_dir_perms;
- fs_search_tmpfs($1)
+ allow $1 user_tmpfs_t:file rw_inherited_file_perms;
- ')
-
- ########################################
- ## <summary>
--## Get the attributes of a user domain tty.
++')
++
++########################################
++## <summary>
+## Execute user tmpfs files.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -2735,35 +3304,53 @@ interface(`userdom_manage_user_tmpfs_files',`
- ## </summary>
- ## </param>
- #
--interface(`userdom_getattr_user_ttys',`
-+interface(`userdom_execute_user_tmpfs_files',`
- gen_require(`
-- type user_tty_device_t;
-+ type user_tmpfs_t;
- ')
-
-- allow $1 user_tty_device_t:chr_file getattr_chr_file_perms;
-+ allow $1 user_tmpfs_t:file execute;
- ')
-
- ########################################
- ## <summary>
--## Do not audit attempts to get the attributes of a user domain tty.
-+## Get the attributes of a user domain tty.
- ## </summary>
- ## <param name="domain">
- ## <summary>
--## Domain to not audit.
-+## Domain allowed access.
- ## </summary>
- ## </param>
- #
--interface(`userdom_dontaudit_getattr_user_ttys',`
-+interface(`userdom_getattr_user_ttys',`
- gen_require(`
- type user_tty_device_t;
- ')
-
-- dontaudit $1 user_tty_device_t:chr_file getattr_chr_file_perms;
-+ allow $1 user_tty_device_t:chr_file getattr_chr_file_perms;
- ')
-
- ########################################
- ## <summary>
--## Set the attributes of a user domain tty.
-+## Do not audit attempts to get the attributes of a user domain tty.
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain to not audit.
++## Domain allowed access.
+## </summary>
+## </param>
+#
-+interface(`userdom_dontaudit_getattr_user_ttys',`
++interface(`userdom_execute_user_tmpfs_files',`
+ gen_require(`
-+ type user_tty_device_t;
++ type user_tmpfs_t;
+ ')
+
-+ dontaudit $1 user_tty_device_t:chr_file getattr_chr_file_perms;
-+')
-+
-+########################################
-+## <summary>
-+## Set the attributes of a user domain tty.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -2817,6 +3404,24 @@ interface(`userdom_use_user_ttys',`
++ allow $1 user_tmpfs_t:file execute;
+ ')
+
+ ########################################
+@@ -2817,6 +3408,24 @@ interface(`userdom_use_user_ttys',`
########################################
## <summary>
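Review bot: The new `userdom_execute_user_tmpfs_files` interface grants `file execute` on user_tmpfs_t, which lets the caller map user-writable tmpfs (shared-memory) files as executable, and the same type is made writable a few lines up through `userdom_rw_user_tmpfs_files` (`rw_inherited_file_perms`), so a domain calling both ends up with writable-and-executable memory-backed files. Nothing in the interface says which consumer needs this or why, so it is hard to tell an intended JIT-style use from an over-grant; a `## <desc>` block stating the intent, e.g. `## <desc><p>Grants execute on user-writable tmpfs files; only for callers that must map shared-memory files executable.</p></desc>`, would make the trade-off auditable. The `userdom_rw_user_tmpfs_files` body whose context changes here begins above this hunk.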
@@ -240001,7 +240040,7 @@ index 3c5dba7..f2fe86e 100644
## Read and write a user domain pty.
## </summary>
## <param name="domain">
-@@ -2835,22 +3440,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2835,22 +3444,34 @@ interface(`userdom_use_user_ptys',`
########################################
## <summary>
@@ -240044,7 +240083,7 @@ index 3c5dba7..f2fe86e 100644
## </desc>
## <param name="domain">
## <summary>
-@@ -2859,14 +3476,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2859,14 +3480,33 @@ interface(`userdom_use_user_ptys',`
## </param>
## <infoflow type="both" weight="10"/>
#
@@ -240082,7 +240121,7 @@ index 3c5dba7..f2fe86e 100644
')
########################################
-@@ -2885,8 +3521,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2885,8 +3525,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
type user_tty_device_t, user_devpts_t;
')
@@ -240112,7 +240151,7 @@ index 3c5dba7..f2fe86e 100644
')
########################################
-@@ -2958,69 +3613,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2958,69 +3617,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
@@ -240213,7 +240252,7 @@ index 3c5dba7..f2fe86e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3028,12 +3682,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3028,12 +3686,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
## </summary>
## </param>
#
@@ -240228,7 +240267,7 @@ index 3c5dba7..f2fe86e 100644
')
########################################
-@@ -3097,7 +3751,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3097,7 +3755,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -240237,7 +240276,7 @@ index 3c5dba7..f2fe86e 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -3113,29 +3767,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3113,29 +3771,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -240271,7 +240310,7 @@ index 3c5dba7..f2fe86e 100644
')
########################################
-@@ -3217,7 +3855,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3217,7 +3859,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -240280,7 +240319,7 @@ index 3c5dba7..f2fe86e 100644
')
########################################
-@@ -3272,7 +3910,64 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3272,7 +3914,64 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -240346,7 +240385,7 @@ index 3c5dba7..f2fe86e 100644
')
########################################
-@@ -3290,7 +3985,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
+@@ -3290,7 +3989,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
type user_tty_device_t;
')
@@ -240355,7 +240394,7 @@ index 3c5dba7..f2fe86e 100644
')
########################################
-@@ -3309,6 +4004,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3309,6 +4008,7 @@ interface(`userdom_read_all_users_state',`
')
read_files_pattern($1, userdomain, userdomain)
@@ -240363,7 +240402,7 @@ index 3c5dba7..f2fe86e 100644
kernel_search_proc($1)
')
-@@ -3385,6 +4081,42 @@ interface(`userdom_signal_all_users',`
+@@ -3385,6 +4085,42 @@ interface(`userdom_signal_all_users',`
allow $1 userdomain:process signal;
')
@@ -240406,7 +240445,7 @@ index 3c5dba7..f2fe86e 100644
########################################
## <summary>
## Send a SIGCHLD signal to all user domains.
-@@ -3405,6 +4137,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3405,6 +4141,24 @@ interface(`userdom_sigchld_all_users',`
########################################
## <summary>
@@ -240431,7 +240470,7 @@ index 3c5dba7..f2fe86e 100644
## Create keys for all user domains.
## </summary>
## <param name="domain">
-@@ -3439,3 +4189,1365 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3439,3 +4193,1365 @@ interface(`userdom_dbus_send_all_users',`
allow $1 userdomain:dbus send_msg;
')
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index fe2816c..eadbfcc 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -12581,10 +12581,36 @@ index da39f0f..6a96733 100644
/usr/sbin/corosync-notifyd -- gen_context(system_u:object_r:corosync_exec_t,s0)
diff --git a/corosync.if b/corosync.if
-index 694a037..283cf03 100644
+index 694a037..b836c07 100644
--- a/corosync.if
+++ b/corosync.if
-@@ -91,29 +91,54 @@ interface(`corosync_read_log',`
+@@ -77,6 +77,25 @@ interface(`corosync_read_log',`
+ read_files_pattern($1, corosync_var_log_t, corosync_var_log_t)
+ ')
+
++#######################################
++## <summary>
++## Setattr corosync log files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`corosync_setattr_log',`
++ gen_require(`
++ type corosync_var_log_t;
++ ')
++
++ setattr_files_pattern($1, corosync_var_log_t, corosync_var_log_t)
++')
++
++
+ #####################################
+ ## <summary>
+ ## Connect to corosync over a unix
+@@ -91,29 +110,54 @@ interface(`corosync_read_log',`
interface(`corosync_stream_connect',`
gen_require(`
type corosync_t, corosync_var_run_t;
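Review bot: The new `corosync_setattr_log` interface leaves two consecutive blank lines between its closing `')` and the following `Connect to corosync over a unix` header, where the rest of the file uses one. The summary is also terser than the neighbouring ones; `## Set the attributes of corosync log files.` would read like the existing `corosync_read_log` summary.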
@@ -12645,7 +12671,7 @@ index 694a037..283cf03 100644
')
######################################
-@@ -160,12 +185,17 @@ interface(`corosync_admin',`
+@@ -160,12 +204,17 @@ interface(`corosync_admin',`
type corosync_t, corosync_var_lib_t, corosync_var_log_t;
type corosync_var_run_t, corosync_tmp_t, corosync_tmpfs_t;
type corosync_initrc_exec_t;
@@ -12665,7 +12691,7 @@ index 694a037..283cf03 100644
domain_system_change_exemption($1)
role_transition $2 corosync_initrc_exec_t system_r;
allow $2 system_r;
-@@ -183,4 +213,8 @@ interface(`corosync_admin',`
+@@ -183,4 +232,8 @@ interface(`corosync_admin',`
files_list_pids($1)
admin_pattern($1, corosync_var_run_t)
@@ -14303,7 +14329,7 @@ index 1303b30..058864e 100644
+ logging_log_filetrans($1, cron_log_t, $2, $3)
')
diff --git a/cron.te b/cron.te
-index 28e1b86..69722fa 100644
+index 28e1b86..5f68577 100644
--- a/cron.te
+++ b/cron.te
@@ -1,4 +1,4 @@
@@ -14706,7 +14732,7 @@ index 28e1b86..69722fa 100644
')
optional_policy(`
-@@ -353,102 +292,135 @@ optional_policy(`
+@@ -353,102 +292,136 @@ optional_policy(`
')
optional_policy(`
@@ -14854,10 +14880,13 @@ index 28e1b86..69722fa 100644
files_lock_filetrans(system_cronjob_t, system_cronjob_lock_t, file)
+# write temporary files
++manage_dirs_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
- filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
- files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
+-filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
+-files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
++filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { dir file lnk_file })
++files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, { dir file })
+# var/lib files for system_crond
+files_search_var_lib(system_cronjob_t)
@@ -14871,7 +14900,7 @@ index 28e1b86..69722fa 100644
allow system_cronjob_t cron_spool_t:dir list_dir_perms;
allow system_cronjob_t cron_spool_t:file rw_file_perms;
-@@ -457,11 +429,11 @@ kernel_read_network_state(system_cronjob_t)
+@@ -457,11 +430,11 @@ kernel_read_network_state(system_cronjob_t)
kernel_read_system_state(system_cronjob_t)
kernel_read_software_raid_state(system_cronjob_t)
@@ -14884,7 +14913,7 @@ index 28e1b86..69722fa 100644
corenet_all_recvfrom_netlabel(system_cronjob_t)
corenet_tcp_sendrecv_generic_if(system_cronjob_t)
corenet_udp_sendrecv_generic_if(system_cronjob_t)
-@@ -481,6 +453,7 @@ fs_getattr_all_symlinks(system_cronjob_t)
+@@ -481,6 +454,7 @@ fs_getattr_all_symlinks(system_cronjob_t)
fs_getattr_all_pipes(system_cronjob_t)
fs_getattr_all_sockets(system_cronjob_t)
@@ -14892,7 +14921,7 @@ index 28e1b86..69722fa 100644
domain_dontaudit_read_all_domains_state(system_cronjob_t)
files_exec_etc_files(system_cronjob_t)
-@@ -491,15 +464,19 @@ files_getattr_all_files(system_cronjob_t)
+@@ -491,15 +465,19 @@ files_getattr_all_files(system_cronjob_t)
files_getattr_all_symlinks(system_cronjob_t)
files_getattr_all_pipes(system_cronjob_t)
files_getattr_all_sockets(system_cronjob_t)
@@ -14915,7 +14944,7 @@ index 28e1b86..69722fa 100644
init_domtrans_script(system_cronjob_t)
auth_use_nsswitch(system_cronjob_t)
-@@ -511,20 +488,23 @@ logging_read_generic_logs(system_cronjob_t)
+@@ -511,20 +489,23 @@ logging_read_generic_logs(system_cronjob_t)
logging_send_audit_msgs(system_cronjob_t)
logging_send_syslog_msg(system_cronjob_t)
@@ -14942,7 +14971,7 @@ index 28e1b86..69722fa 100644
selinux_validate_context(system_cronjob_t)
selinux_compute_access_vector(system_cronjob_t)
selinux_compute_create_context(system_cronjob_t)
-@@ -534,10 +514,17 @@ tunable_policy(`cron_can_relabel',`
+@@ -534,10 +515,17 @@ tunable_policy(`cron_can_relabel',`
')
optional_policy(`
@@ -14960,7 +14989,7 @@ index 28e1b86..69722fa 100644
')
optional_policy(`
-@@ -546,10 +533,6 @@ optional_policy(`
+@@ -546,10 +534,6 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(system_cronjob_t)
@@ -14971,7 +15000,7 @@ index 28e1b86..69722fa 100644
')
optional_policy(`
-@@ -581,6 +564,7 @@ optional_policy(`
+@@ -581,6 +565,7 @@ optional_policy(`
optional_policy(`
mta_read_config(system_cronjob_t)
mta_send_mail(system_cronjob_t)
@@ -14979,7 +15008,7 @@ index 28e1b86..69722fa 100644
')
optional_policy(`
-@@ -588,15 +572,19 @@ optional_policy(`
+@@ -588,15 +573,19 @@ optional_policy(`
')
optional_policy(`
@@ -15001,7 +15030,7 @@ index 28e1b86..69722fa 100644
')
optional_policy(`
-@@ -606,6 +594,7 @@ optional_policy(`
+@@ -606,6 +595,7 @@ optional_policy(`
optional_policy(`
spamassassin_manage_lib_files(system_cronjob_t)
@@ -15009,7 +15038,7 @@ index 28e1b86..69722fa 100644
')
optional_policy(`
-@@ -613,12 +602,24 @@ optional_policy(`
+@@ -613,12 +603,24 @@ optional_policy(`
')
optional_policy(`
@@ -15035,7 +15064,7 @@ index 28e1b86..69722fa 100644
#
allow cronjob_t self:process { signal_perms setsched };
-@@ -626,12 +627,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
+@@ -626,12 +628,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
allow cronjob_t self:unix_dgram_socket create_socket_perms;
@@ -15069,7 +15098,7 @@ index 28e1b86..69722fa 100644
corenet_all_recvfrom_netlabel(cronjob_t)
corenet_tcp_sendrecv_generic_if(cronjob_t)
corenet_udp_sendrecv_generic_if(cronjob_t)
-@@ -639,84 +660,149 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
+@@ -639,84 +661,149 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
corenet_udp_sendrecv_generic_node(cronjob_t)
corenet_tcp_sendrecv_all_ports(cronjob_t)
corenet_udp_sendrecv_all_ports(cronjob_t)
@@ -15550,7 +15579,7 @@ index 6ce66e7..1d0337a 100644
optional_policy(`
diff --git a/cups.fc b/cups.fc
-index 949011e..f3c8888 100644
+index 949011e..85b210b 100644
--- a/cups.fc
+++ b/cups.fc
@@ -1,77 +1,85 @@
@@ -15583,7 +15612,7 @@ index 949011e..f3c8888 100644
-/etc/hp(/.*)? gen_context(system_u:object_r:hplip_etc_t,s0)
-
-/etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-+/etc/hp(/.*)? gen_context(system_u:object_r:hplip_etc_t,s0)
++/etc/hp(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
-/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -15607,26 +15636,27 @@ index 949011e..f3c8888 100644
-/usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)
-/usr/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/bin/cups-config-daemon -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-+/usr/bin/hpijs -- gen_context(system_u:object_r:hplip_exec_t,s0)
++/usr/bin/hpijs -- gen_context(system_u:object_r:cupsd_exec_t,s0)
-/usr/libexec/cups-pk-helper-mechanism -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-/usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/lib/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
+/usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0)
-+/usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)
++/usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:cupsd_exec_t,s0)
-/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/libexec/cups-pk-helper-mechanism -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
- /usr/sbin/hp-[^/]+ -- gen_context(system_u:object_r:hplip_exec_t,s0)
+-/usr/sbin/hp-[^/]+ -- gen_context(system_u:object_r:hplip_exec_t,s0)
-/usr/sbin/cupsd -- gen_context(system_u:object_r:cupsd_exec_t,s0)
-/usr/sbin/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-/usr/sbin/hpiod -- gen_context(system_u:object_r:hplip_exec_t,s0)
-/usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
++/usr/sbin/hp-[^/]+ -- gen_context(system_u:object_r:cupsd_exec_t,s0)
+/usr/sbin/cupsd -- gen_context(system_u:object_r:cupsd_exec_t,s0)
+/usr/sbin/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-+/usr/sbin/hpiod -- gen_context(system_u:object_r:hplip_exec_t,s0)
++/usr/sbin/hpiod -- gen_context(system_u:object_r:cupsd_exec_t,s0)
+/usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
/usr/sbin/ptal-printd -- gen_context(system_u:object_r:ptal_exec_t,s0)
/usr/sbin/ptal-mlcd -- gen_context(system_u:object_r:ptal_exec_t,s0)
@@ -15637,7 +15667,7 @@ index 949011e..f3c8888 100644
-/usr/share/hplip/.*\.py -- gen_context(system_u:object_r:hplip_exec_t,s0)
+/usr/share/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
+/usr/share/foomatic/db/oldprinterids -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-+/usr/share/hplip/.*\.py -- gen_context(system_u:object_r:hplip_exec_t,s0)
++/usr/share/hplip/.*\.py -- gen_context(system_u:object_r:cupsd_exec_t,s0)
-/var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -15650,7 +15680,7 @@ index 949011e..f3c8888 100644
/var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/lib/bjlib(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh)
+
-+/var/lib/hp(/.*)? gen_context(system_u:object_r:hplip_var_lib_t,s0)
++/var/lib/hp(/.*)? gen_context(system_u:object_r:cupsd_var_lib_t,s0)
+/var/lib/iscan(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/var/lib/hp(/.*)? gen_context(system_u:object_r:hplip_var_lib_t,s0)
@@ -15659,16 +15689,18 @@ index 949011e..f3c8888 100644
-/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
-/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0)
-+/var/log/hp(/.*)? gen_context(system_u:object_r:hplip_var_log_t,s0)
++/var/log/hp(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
-/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
-/var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
-/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+-/var/run/hp.*\.pid -- gen_context(system_u:object_r:hplip_var_run_t,s0)
+-/var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0)
+/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+/var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,mls_systemhigh)
- /var/run/hp.*\.pid -- gen_context(system_u:object_r:hplip_var_run_t,s0)
- /var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0)
++/var/run/hp.*\.pid -- gen_context(system_u:object_r:cupsd_var_run_t,s0)
++/var/run/hp.*\.port -- gen_context(system_u:object_r:cupsd_var_run_t,s0)
/var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
/var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
-/var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0)
@@ -15686,7 +15718,7 @@ index 949011e..f3c8888 100644
+/etc/opt/brother/Printers/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/opt/brother/Printers(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
diff --git a/cups.if b/cups.if
-index 06da9a0..f0f1da3 100644
+index 06da9a0..ca832e1 100644
--- a/cups.if
+++ b/cups.if
@@ -15,6 +15,11 @@
@@ -15746,27 +15778,29 @@ index 06da9a0..f0f1da3 100644
## All of the rules required to
## administrate an cups environment.
## </summary>
-@@ -330,13 +361,18 @@ interface(`cups_admin',`
+@@ -329,13 +360,18 @@ interface(`cups_admin',`
+ type cupsd_var_run_t, ptal_etc_t, cupsd_rw_etc_t;
type ptal_var_run_t, hplip_var_run_t, cupsd_initrc_exec_t;
type cupsd_config_t, cupsd_lpd_t, cups_pdf_t;
- type hplip_t, ptal_t;
+- type hplip_t, ptal_t;
++ type ptal_t;
+ type cupsd_unit_file_t;
')
- allow $1 { cupsd_t cupsd_config_t cupsd_lpd_t }:process { ptrace signal_perms };
- allow $1 { cups_pdf_t hplip_t ptal_t }:process { ptrace signal_perms };
+ allow $1 { cupsd_t cupsd_config_t cupsd_lpd_t }:process { signal_perms };
-+ allow $1 { cups_pdf_t hplip_t ptal_t }:process { signal_perms };
++ allow $1 { cups_pdf_t ptal_t }:process { signal_perms };
ps_process_pattern($1, { cupsd_t cupsd_config_t cupsd_lpd_t })
- ps_process_pattern($1, { cups_pdf_t hplip_t ptal_t })
-
+- ps_process_pattern($1, { cups_pdf_t hplip_t ptal_t })
++ ps_process_pattern($1, { cups_pdf_t ptal_t })
++
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 { cupsd_t cupsd_config_t cupsd_lpd_t }:process ptrace;
+ ')
-+
+
init_labeled_script_domtrans($1, cupsd_initrc_exec_t)
domain_system_change_exemption($1)
- role_transition $2 cupsd_initrc_exec_t system_r;
@@ -353,8 +389,61 @@ interface(`cups_admin',`
files_list_tmp($1)
@@ -15832,30 +15866,146 @@ index 06da9a0..f0f1da3 100644
+ ps_process_pattern($1, cupsd_t)
')
diff --git a/cups.te b/cups.te
-index 9f34c2e..c7a0a97 100644
+index 9f34c2e..f3e4a3e 100644
--- a/cups.te
+++ b/cups.te
-@@ -62,6 +62,9 @@ files_pid_file(cupsd_var_run_t)
+@@ -5,19 +5,24 @@ policy_module(cups, 1.15.9)
+ # Declarations
+ #
+
+-type cupsd_config_t;
++attribute cups_domain;
++
++type cupsd_config_t, cups_domain;
+ type cupsd_config_exec_t;
+ init_daemon_domain(cupsd_config_t, cupsd_config_exec_t)
+
+ type cupsd_config_var_run_t;
+ files_pid_file(cupsd_config_var_run_t)
+
+-type cupsd_t;
++type cupsd_t, cups_domain;
+ type cupsd_exec_t;
++typealias cupsd_t alias hplip_t;
++typealias cupsd_exec_t alias hplip_exec_t;
+ init_daemon_domain(cupsd_t, cupsd_exec_t)
+ mls_trusted_object(cupsd_t)
+
+ type cupsd_etc_t;
++typealias cupsd_etc_t alias hplip_etc_t;
+ files_config_file(cupsd_etc_t)
+
+ type cupsd_initrc_exec_t;
+@@ -33,9 +38,13 @@ type cupsd_lock_t;
+ files_lock_file(cupsd_lock_t)
+
+ type cupsd_log_t;
++typealias cupsd_log_t alias hplip_var_log_t;
+ logging_log_file(cupsd_log_t)
+
+-type cupsd_lpd_t;
++type cupsd_var_lib_t;
++files_type(cupsd_var_lib_t)
++
++type cupsd_lpd_t, cups_domain;
+ type cupsd_lpd_exec_t;
+ domain_type(cupsd_lpd_t)
+ domain_entry_file(cupsd_lpd_t, cupsd_lpd_exec_t)
+@@ -47,7 +56,7 @@ files_tmp_file(cupsd_lpd_tmp_t)
+ type cupsd_lpd_var_run_t;
+ files_pid_file(cupsd_lpd_var_run_t)
+
+-type cups_pdf_t;
++type cups_pdf_t, cups_domain;
+ type cups_pdf_exec_t;
+ cups_backend(cups_pdf_t, cups_pdf_exec_t)
+
+@@ -55,29 +64,17 @@ type cups_pdf_tmp_t;
+ files_tmp_file(cups_pdf_tmp_t)
+
+ type cupsd_tmp_t;
++typealias cupsd_tmp_t alias hplip_tmp_t;
+ files_tmp_file(cupsd_tmp_t)
+
+ type cupsd_var_run_t;
++typealias cupsd_var_run_t alias hplip_var_run_t;
+ files_pid_file(cupsd_var_run_t)
init_daemon_run_dir(cupsd_var_run_t, "cups")
mls_trusted_object(cupsd_var_run_t)
+-type hplip_t;
+-type hplip_exec_t;
+-init_daemon_domain(hplip_t, hplip_exec_t)
+-cups_backend(hplip_t, hplip_exec_t)
+-
+-type hplip_etc_t;
+-files_config_file(hplip_etc_t)
+-
+-type hplip_tmp_t;
+-files_tmp_file(hplip_tmp_t)
+-
+-type hplip_var_lib_t;
+-files_type(hplip_var_lib_t)
+-
+-type hplip_var_run_t;
+-files_pid_file(hplip_var_run_t)
+type cupsd_unit_file_t;
+systemd_unit_file(cupsd_unit_file_t)
-+
- type hplip_t;
- type hplip_exec_t;
- init_daemon_domain(hplip_t, hplip_exec_t)
-@@ -76,6 +79,9 @@ files_tmp_file(hplip_tmp_t)
- type hplip_var_lib_t;
- files_type(hplip_var_lib_t)
-+type hplip_var_log_t;
-+logging_log_file(hplip_var_log_t)
+ type ptal_t;
+ type ptal_exec_t;
+@@ -97,21 +94,46 @@ ifdef(`enable_mls',`
+ init_ranged_daemon_domain(cupsd_t, cupsd_exec_t, mls_systemhigh)
+ ')
+
++#######################################
++#
++# Cups general local policy
++#
++
++allow cups_domain self:capability { setuid setgid };
++allow cups_domain self:process signal_perms;
++allow cups_domain self:fifo_file rw_fifo_file_perms;
++allow cups_domain self:tcp_socket { accept listen };
++
++kernel_read_kernel_sysctls(cups_domain)
++kernel_read_network_state(cups_domain)
+
- type hplip_var_run_t;
- files_pid_file(hplip_var_run_t)
++corecmd_exec_bin(cups_domain)
++corecmd_exec_shell(cups_domain)
++
++dev_read_urand(cups_domain)
++dev_read_rand(cups_domain)
++dev_read_sysfs(cups_domain)
++
++miscfiles_read_fonts(cups_domain)
++miscfiles_setattr_fonts_cache_dirs(cups_domain)
++
++optional_policy(`
++ lpd_manage_spool(cups_domain)
++')
++
+ ########################################
+ #
+ # Cups local policy
+ #
-@@ -120,6 +126,7 @@ read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
+-allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill setgid setuid fsetid fowner chown dac_override sys_rawio sys_resource sys_tty_config };
++allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill fsetid fowner chown dac_override sys_rawio sys_resource sys_tty_config };
+ dontaudit cupsd_t self:capability { sys_tty_config net_admin };
+ allow cupsd_t self:capability2 block_suspend;
+-allow cupsd_t self:process { getpgid setpgid setsched signal_perms };
+-allow cupsd_t self:fifo_file rw_fifo_file_perms;
++allow cupsd_t self:process { getpgid setpgid setsched };
+ allow cupsd_t self:unix_stream_socket { accept connectto listen };
+ allow cupsd_t self:netlink_selinux_socket create_socket_perms;
+ allow cupsd_t self:shm create_shm_perms;
+ allow cupsd_t self:sem create_sem_perms;
+-allow cupsd_t self:tcp_socket { accept listen };
+ allow cupsd_t self:appletalk_socket create_socket_perms;
+
+ allow cupsd_t cupsd_etc_t:dir setattr_dir_perms;
+@@ -120,6 +142,7 @@ read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t)
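Review bot: The `typealias cupsd_t alias hplip_t` and `typealias cupsd_exec_t alias hplip_exec_t` lines collapse the formerly separate hplip domain into cupsd_t, so the HP helpers now carry cupsd_t's full capability set (`ipc_lock sys_admin dac_override dac_read_search kill fsetid fowner chown sys_rawio sys_resource sys_tty_config`) and its `mls_trusted_object` status, and the `allow cupsd_t hplip_t:process { signal sigkill }` boundary removed further down no longer exists; the commit does not call out this confinement reduction. If the merge is deliberate, a comment at the alias would help, e.g. `# hplip is merged into cupsd_t; the hplip_* aliases only keep existing labels valid`. The new `cups_domain` attribute also hands `setuid setgid`, `corecmd_exec_bin`, `corecmd_exec_shell` and `lpd_manage_spool` to every member, including cups_pdf_t and cupsd_lpd_t, and this hunk does not show whether those two domains previously had these rules, so each grant is worth confirming per domain rather than inheriting by attribute. Minor: the rewritten cupsd_t capability line still lists `dac_override` twice.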
@@ -15863,7 +16013,15 @@ index 9f34c2e..c7a0a97 100644
manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
-@@ -144,6 +151,7 @@ manage_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
+@@ -139,22 +162,23 @@ read_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
+ setattr_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
+ logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir })
+
++manage_files_pattern(cupsd_t, cupsd_var_lib_t, cupsd_var_lib_t)
++manage_lnk_files_pattern(cupsd_t, cupsd_var_lib_t, cupsd_var_lib_t)
++
+ manage_dirs_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
+ manage_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { dir fifo_file file })
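Review bot: cupsd_var_lib_t is reachable only through `manage_files_pattern` and `manage_lnk_files_pattern`; there is no `manage_dirs_pattern` and no file transition for it, so if anything under `/var/lib/hp` (now labelled cupsd_var_lib_t by the cups.fc change) creates a subdirectory it will be denied, and new files get their type only by directory inheritance. I cannot see from this hunk whether the dropped hplip_var_lib_t rules covered directories; if they did, `manage_dirs_pattern(cupsd_t, cupsd_var_lib_t, cupsd_var_lib_t)` together with `files_var_lib_filetrans(cupsd_t, cupsd_var_lib_t, dir)` would restore parity.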
@@ -15871,7 +16029,23 @@ index 9f34c2e..c7a0a97 100644
manage_dirs_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
manage_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
manage_sock_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
-@@ -166,7 +174,6 @@ kernel_read_network_state(cupsd_t)
+ manage_fifo_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
+ files_pid_filetrans(cupsd_t, cupsd_var_run_t, { dir fifo_file file })
+
+-allow cupsd_t hplip_t:process { signal sigkill };
+-
+-read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
++allow cupsd_t cupsd_unit_file_t:file read_file_perms;
+
+-allow cupsd_t hplip_var_run_t:file read_file_perms;
+
+ stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
+ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
+@@ -162,11 +186,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
+ can_exec(cupsd_t, { cupsd_exec_t cupsd_interface_t })
+
+ kernel_read_system_state(cupsd_t)
+-kernel_read_network_state(cupsd_t)
kernel_read_all_sysctls(cupsd_t)
kernel_request_load_module(cupsd_t)
@@ -15879,7 +16053,32 @@ index 9f34c2e..c7a0a97 100644
corenet_all_recvfrom_netlabel(cupsd_t)
corenet_tcp_sendrecv_generic_if(cupsd_t)
corenet_udp_sendrecv_generic_if(cupsd_t)
-@@ -206,7 +213,6 @@ domain_use_interactive_fds(cupsd_t)
+@@ -189,12 +211,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
+ corenet_tcp_bind_all_rpc_ports(cupsd_t)
+ corenet_tcp_connect_all_ports(cupsd_t)
+
+-corecmd_exec_bin(cupsd_t)
+-corecmd_exec_shell(cupsd_t)
++corenet_sendrecv_hplip_client_packets(cupsd_t)
++corenet_receive_hplip_server_packets(cupsd_t)
++corenet_tcp_bind_hplip_port(cupsd_t)
++corenet_tcp_connect_hplip_port(cupsd_t)
++corenet_tcp_bind_glance_port(cupsd_t)
++corenet_tcp_connect_glance_port(cupsd_t)
++
++corenet_sendrecv_ipp_client_packets(cupsd_t)
++corenet_tcp_connect_ipp_port(cupsd_t)
++
++corenet_sendrecv_howl_server_packets(cupsd_t)
++corenet_udp_bind_howl_port(cupsd_t)
+
+ dev_rw_printer(cupsd_t)
+-dev_read_urand(cupsd_t)
+-dev_read_sysfs(cupsd_t)
+ dev_rw_input_dev(cupsd_t)
+ dev_rw_generic_usb_dev(cupsd_t)
+ dev_rw_usbfs(cupsd_t)
+@@ -206,7 +236,6 @@ domain_use_interactive_fds(cupsd_t)
files_getattr_boot_dirs(cupsd_t)
files_list_spool(cupsd_t)
files_read_etc_runtime_files(cupsd_t)
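Review bot: `corenet_tcp_bind_glance_port(cupsd_t)` and `corenet_tcp_connect_glance_port(cupsd_t)` hand the print daemon the OpenStack Glance port label with nothing saying why a print daemon would bind it; the prior version of this patch carried the same pair on hplip_t (visible among the hplip rules dropped further down this diff), so this is presumably a port-number overlap with HP device traffic rather than a Glance dependency. A reader auditing cupsd_t's network reach will otherwise flag it; suggest `# HP device traffic uses a port that is labelled glance_port_t — TODO confirm which` above the two lines. The hunk also removes `corecmd_exec_bin`/`corecmd_exec_shell` and `dev_read_urand`/`dev_read_sysfs` from cupsd_t with no replacement in view; if these are now inherited from a shared attribute, a one-line comment saying so would save the next reader a search.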
@@ -15887,7 +16086,7 @@ index 9f34c2e..c7a0a97 100644
files_exec_usr_files(cupsd_t)
# for /var/lib/defoma
files_read_var_lib_files(cupsd_t)
-@@ -215,7 +221,6 @@ files_read_world_readable_files(cupsd_t)
+@@ -215,16 +244,17 @@ files_read_world_readable_files(cupsd_t)
files_read_world_readable_symlinks(cupsd_t)
files_read_var_files(cupsd_t)
files_read_var_symlinks(cupsd_t)
@@ -15895,7 +16094,26 @@ index 9f34c2e..c7a0a97 100644
files_dontaudit_getattr_all_tmp_files(cupsd_t)
files_dontaudit_list_home(cupsd_t)
# for /etc/printcap
-@@ -247,13 +252,11 @@ auth_dontaudit_read_pam_pid(cupsd_t)
+ files_dontaudit_write_etc_files(cupsd_t)
++files_dontaudit_write_usr_dirs(cupsd_t)
+
+ fs_getattr_all_fs(cupsd_t)
+ fs_search_auto_mountpoints(cupsd_t)
+ fs_search_fusefs(cupsd_t)
+ fs_read_anon_inodefs_files(cupsd_t)
++fs_rw_anon_inodefs_files(cupsd_t)
+
+ mls_fd_use_all_levels(cupsd_t)
+ mls_file_downgrade(cupsd_t)
+@@ -235,6 +265,7 @@ mls_socket_write_all_levels(cupsd_t)
+
+ term_search_ptys(cupsd_t)
+ term_use_unallocated_ttys(cupsd_t)
++term_use_ptmx(cupsd_t)
+
+ selinux_compute_access_vector(cupsd_t)
+ selinux_validate_context(cupsd_t)
+@@ -247,21 +278,20 @@ auth_dontaudit_read_pam_pid(cupsd_t)
auth_rw_faillog(cupsd_t)
auth_use_nsswitch(cupsd_t)
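Review bot: `term_use_ptmx(cupsd_t)` lets the IPP daemon open /dev/ptmx and allocate pseudo-terminals, which is unusual for a network-facing service and carries no comment; the prior version of this patch granted it to hplip_t (the removed `term_use_ptmx(hplip_t)` line further down), so it looks like baggage from folding HPLIP into cupsd_t. Please name the helper that needs a pty, e.g. `# HPLIP backend helpers allocate a pty — TODO confirm`, or drop the line if no cupsd_t process actually does. `files_dontaudit_write_usr_dirs(cupsd_t)` in the same hunk silences write attempts on /usr directories by the daemon, an event some deployments want in the audit log, so it deserves a one-line reason too.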
@@ -15906,10 +16124,22 @@ index 9f34c2e..c7a0a97 100644
logging_send_syslog_msg(cupsd_t)
-miscfiles_read_localization(cupsd_t)
- miscfiles_read_fonts(cupsd_t)
- miscfiles_setattr_fonts_cache_dirs(cupsd_t)
+-miscfiles_read_fonts(cupsd_t)
+-miscfiles_setattr_fonts_cache_dirs(cupsd_t)
+-
+ seutil_read_config(cupsd_t)
+
+ sysnet_exec_ifconfig(cupsd_t)
++sysnet_dns_name_resolve(cupsd_t)
-@@ -275,6 +278,8 @@ optional_policy(`
+ userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
++userdom_dontaudit_search_user_home_dirs(cupsd_t)
++userdom_dontaudit_search_user_home_content(cupsd_t)
++userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
+ userdom_dontaudit_search_user_home_content(cupsd_t)
+
+ optional_policy(`
+@@ -275,6 +305,8 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(cupsd_t)
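Review bot: The added lines `userdom_dontaudit_use_unpriv_user_fds(cupsd_t)` and `userdom_dontaudit_search_user_home_content(cupsd_t)` duplicate the context lines immediately around them, so the patched cups.te will carry each call twice. The compiler tolerates it but it reads like a merge slip; keep `userdom_dontaudit_search_user_home_dirs(cupsd_t)` as the only genuinely new line and drop the other two.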
@@ -15918,7 +16148,7 @@ index 9f34c2e..c7a0a97 100644
userdom_dbus_send_all_users(cupsd_t)
optional_policy(`
-@@ -285,8 +290,10 @@ optional_policy(`
+@@ -285,8 +317,10 @@ optional_policy(`
hal_dbus_chat(cupsd_t)
')
@@ -15929,7 +16159,7 @@ index 9f34c2e..c7a0a97 100644
')
')
-@@ -299,8 +306,8 @@ optional_policy(`
+@@ -299,8 +333,8 @@ optional_policy(`
')
optional_policy(`
@@ -15939,7 +16169,15 @@ index 9f34c2e..c7a0a97 100644
')
optional_policy(`
-@@ -337,7 +344,7 @@ optional_policy(`
+@@ -309,7 +343,6 @@ optional_policy(`
+
+ optional_policy(`
+ lpd_exec_lpr(cupsd_t)
+- lpd_manage_spool(cupsd_t)
+ lpd_read_config(cupsd_t)
+ lpd_relabel_spool(cupsd_t)
+ ')
+@@ -337,7 +370,7 @@ optional_policy(`
')
optional_policy(`
@@ -15948,7 +16186,33 @@ index 9f34c2e..c7a0a97 100644
')
########################################
-@@ -386,7 +393,6 @@ domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
+@@ -345,11 +378,9 @@ optional_policy(`
+ # Configuration daemon local policy
+ #
+
+-allow cupsd_config_t self:capability { chown dac_override sys_tty_config setuid setgid };
++allow cupsd_config_t self:capability { chown dac_override sys_tty_config };
+ dontaudit cupsd_config_t self:capability sys_tty_config;
+-allow cupsd_config_t self:process { getsched signal_perms };
+-allow cupsd_config_t self:fifo_file rw_fifo_file_perms;
+-allow cupsd_config_t self:tcp_socket { accept listen };
++allow cupsd_config_t self:process { getsched };
+
+ allow cupsd_config_t cupsd_t:process signal;
+ ps_process_pattern(cupsd_config_t, cupsd_t)
+@@ -375,18 +406,15 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
+ manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
+ files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file })
+
+-read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t)
++read_files_pattern(cupsd_config_t, cupsd_etc_t, cupsd_etc_t)
+
+ stream_connect_pattern(cupsd_config_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
+
+ can_exec(cupsd_config_t, cupsd_config_exec_t)
+
+-domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
+-
kernel_read_system_state(cupsd_config_t)
kernel_read_all_sysctls(cupsd_config_t)
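Review bot: `allow cupsd_config_t self:capability { chown dac_override sys_tty_config };` drops setuid/setgid, and the hunk also deletes the `signal_perms`, `self:fifo_file` and `self:tcp_socket { accept listen }` rules and the hplip_t domtrans without any replacement in view. If these now come from a shared attribute declared elsewhere in the patch, a comment at the top of the cupsd_config_t section naming that attribute would make the tightening reviewable; if not, cupsd_config_t loses the ability to accept connections and signal its own processes. The switch from `hplip_etc_t` to `cupsd_etc_t` on the read_files_pattern line is consistent with hplip being merged into cups, but the same hedge applies.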
@@ -15956,7 +16220,16 @@ index 9f34c2e..c7a0a97 100644
corenet_all_recvfrom_netlabel(cupsd_config_t)
corenet_tcp_sendrecv_generic_if(cupsd_config_t)
corenet_tcp_sendrecv_generic_node(cupsd_config_t)
-@@ -404,7 +410,6 @@ dev_read_rand(cupsd_config_t)
+@@ -395,16 +423,9 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
+ corenet_sendrecv_all_client_packets(cupsd_config_t)
+ corenet_tcp_connect_all_ports(cupsd_config_t)
+
+-corecmd_exec_bin(cupsd_config_t)
+-corecmd_exec_shell(cupsd_config_t)
+-
+-dev_read_sysfs(cupsd_config_t)
+-dev_read_urand(cupsd_config_t)
+-dev_read_rand(cupsd_config_t)
dev_rw_generic_usb_dev(cupsd_config_t)
files_read_etc_runtime_files(cupsd_config_t)
@@ -15964,19 +16237,19 @@ index 9f34c2e..c7a0a97 100644
files_read_var_symlinks(cupsd_config_t)
files_search_all_mountpoints(cupsd_config_t)
-@@ -420,11 +425,8 @@ auth_use_nsswitch(cupsd_config_t)
+@@ -420,11 +441,6 @@ auth_use_nsswitch(cupsd_config_t)
logging_send_syslog_msg(cupsd_config_t)
-miscfiles_read_localization(cupsd_config_t)
- miscfiles_read_hwdata(cupsd_config_t)
-
+-miscfiles_read_hwdata(cupsd_config_t)
+-
-seutil_dontaudit_search_config(cupsd_config_t)
-
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
userdom_read_all_users_state(cupsd_config_t)
-@@ -452,6 +454,10 @@ optional_policy(`
+@@ -452,9 +468,12 @@ optional_policy(`
')
optional_policy(`
@@ -15986,10 +16259,26 @@ index 9f34c2e..c7a0a97 100644
+optional_policy(`
hal_domtrans(cupsd_config_t)
hal_read_tmp_files(cupsd_config_t)
- hal_dontaudit_use_fds(hplip_t)
-@@ -513,13 +519,13 @@ kernel_read_kernel_sysctls(cupsd_lpd_t)
+- hal_dontaudit_use_fds(hplip_t)
+ ')
+
+ optional_policy(`
+@@ -490,10 +509,6 @@ optional_policy(`
+ # Lpd local policy
+ #
+
+-allow cupsd_lpd_t self:capability { setuid setgid };
+-allow cupsd_lpd_t self:process signal_perms;
+-allow cupsd_lpd_t self:fifo_file rw_fifo_file_perms;
+-allow cupsd_lpd_t self:tcp_socket { accept listen };
+ allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+
+ allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms;
+@@ -511,20 +526,16 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
+
+ kernel_read_kernel_sysctls(cupsd_lpd_t)
kernel_read_system_state(cupsd_lpd_t)
- kernel_read_network_state(cupsd_lpd_t)
+-kernel_read_network_state(cupsd_lpd_t)
-corenet_all_recvfrom_unlabeled(cupsd_lpd_t)
corenet_all_recvfrom_netlabel(cupsd_lpd_t)
@@ -16001,102 +16290,180 @@ index 9f34c2e..c7a0a97 100644
+corenet_tcp_connect_printer_port(cupsd_lpd_t)
corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t)
- dev_read_urand(cupsd_lpd_t)
-@@ -533,7 +539,6 @@ auth_use_nsswitch(cupsd_lpd_t)
+-dev_read_urand(cupsd_lpd_t)
+-dev_read_rand(cupsd_lpd_t)
+-
+ fs_getattr_xattr_fs(cupsd_lpd_t)
+
+ files_search_home(cupsd_lpd_t)
+@@ -533,9 +544,6 @@ auth_use_nsswitch(cupsd_lpd_t)
logging_send_syslog_msg(cupsd_lpd_t)
-miscfiles_read_localization(cupsd_lpd_t)
- miscfiles_setattr_fonts_cache_dirs(cupsd_lpd_t)
-
+-miscfiles_setattr_fonts_cache_dirs(cupsd_lpd_t)
+-
optional_policy(`
-@@ -562,14 +567,12 @@ fs_search_auto_mountpoints(cups_pdf_t)
+ inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
+ ')
+@@ -546,7 +554,6 @@ optional_policy(`
+ #
- kernel_read_system_state(cups_pdf_t)
+ allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override };
+-allow cups_pdf_t self:fifo_file rw_fifo_file_perms;
+ allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
--files_read_usr_files(cups_pdf_t)
+ append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
+@@ -562,17 +569,8 @@ fs_search_auto_mountpoints(cups_pdf_t)
- corecmd_exec_bin(cups_pdf_t)
- corecmd_exec_shell(cups_pdf_t)
+ kernel_read_system_state(cups_pdf_t)
+-files_read_usr_files(cups_pdf_t)
+-
+-corecmd_exec_bin(cups_pdf_t)
+-corecmd_exec_shell(cups_pdf_t)
+-
auth_use_nsswitch(cups_pdf_t)
-miscfiles_read_localization(cups_pdf_t)
- miscfiles_read_fonts(cups_pdf_t)
- miscfiles_setattr_fonts_cache_dirs(cups_pdf_t)
-
-@@ -582,9 +585,10 @@ tunable_policy(`use_nfs_home_dirs',`
+-miscfiles_read_fonts(cups_pdf_t)
+-miscfiles_setattr_fonts_cache_dirs(cups_pdf_t)
+-
+ userdom_manage_user_home_content_dirs(cups_pdf_t)
+ userdom_manage_user_home_content_files(cups_pdf_t)
+ userdom_home_filetrans_user_home_dir(cups_pdf_t)
+@@ -582,128 +580,12 @@ tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files(cups_pdf_t)
')
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(cups_pdf_t)
- fs_manage_cifs_files(cups_pdf_t)
+-')
+userdom_home_manager(cups_pdf_t)
-+
-+optional_policy(`
-+ gnome_read_config(cups_pdf_t)
- ')
optional_policy(`
-@@ -613,9 +617,16 @@ allow hplip_t hplip_etc_t:dir list_dir_perms;
- allow hplip_t hplip_etc_t:file read_file_perms;
- allow hplip_t hplip_etc_t:lnk_file read_lnk_file_perms;
-
-+allow hplip_t cupsd_unit_file_t:file read_file_perms;
-+
- manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
- manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
-
-+manage_files_pattern(hplip_t, hplip_var_log_t,hplip_var_log_t)
-+manage_fifo_files_pattern(hplip_t, hplip_var_log_t,hplip_var_log_t)
-+manage_dirs_pattern(hplip_t, hplip_var_log_t,hplip_var_log_t)
-+logging_log_filetrans(hplip_t,hplip_var_log_t,{ dir fifo_file file })
-+
- manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
- files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file)
-
-@@ -627,7 +638,6 @@ stream_connect_pattern(hplip_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
- kernel_read_system_state(hplip_t)
- kernel_read_kernel_sysctls(hplip_t)
+- lpd_manage_spool(cups_pdf_t)
++ gnome_read_config(cups_pdf_t)
+ ')
+-########################################
+-#
+-# HPLIP local policy
+-#
+-
+-allow hplip_t self:capability { dac_override dac_read_search net_raw };
+-dontaudit hplip_t self:capability sys_tty_config;
+-allow hplip_t self:fifo_file rw_fifo_file_perms;
+-allow hplip_t self:process signal_perms;
+-allow hplip_t self:tcp_socket { accept listen };
+-allow hplip_t self:rawip_socket create_socket_perms;
+-
+-allow hplip_t cupsd_etc_t:dir search_dir_perms;
+-
+-manage_dirs_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t)
+-manage_files_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t)
+-files_tmp_filetrans(hplip_t, cupsd_tmp_t, { dir file })
+-
+-allow hplip_t hplip_etc_t:dir list_dir_perms;
+-allow hplip_t hplip_etc_t:file read_file_perms;
+-allow hplip_t hplip_etc_t:lnk_file read_lnk_file_perms;
+-
+-manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
+-manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
+-
+-manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
+-files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file)
+-
+-manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
+-files_pid_filetrans(hplip_t, hplip_var_run_t, file)
+-
+-stream_connect_pattern(hplip_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
+-
+-kernel_read_system_state(hplip_t)
+-kernel_read_kernel_sysctls(hplip_t)
+-
-corenet_all_recvfrom_unlabeled(hplip_t)
- corenet_all_recvfrom_netlabel(hplip_t)
- corenet_tcp_sendrecv_generic_if(hplip_t)
- corenet_udp_sendrecv_generic_if(hplip_t)
-@@ -644,6 +654,8 @@ corenet_sendrecv_hplip_client_packets(hplip_t)
- corenet_receive_hplip_server_packets(hplip_t)
- corenet_tcp_bind_hplip_port(hplip_t)
- corenet_tcp_connect_hplip_port(hplip_t)
-+corenet_tcp_bind_glance_port(hplip_t)
-+corenet_tcp_connect_glance_port(hplip_t)
-
- corenet_sendrecv_ipp_client_packets(hplip_t)
- corenet_tcp_connect_ipp_port(hplip_t)
-@@ -662,17 +674,18 @@ dev_rw_usbfs(hplip_t)
-
- domain_use_interactive_fds(hplip_t)
-
+-corenet_all_recvfrom_netlabel(hplip_t)
+-corenet_tcp_sendrecv_generic_if(hplip_t)
+-corenet_udp_sendrecv_generic_if(hplip_t)
+-corenet_raw_sendrecv_generic_if(hplip_t)
+-corenet_tcp_sendrecv_generic_node(hplip_t)
+-corenet_udp_sendrecv_generic_node(hplip_t)
+-corenet_raw_sendrecv_generic_node(hplip_t)
+-corenet_tcp_sendrecv_all_ports(hplip_t)
+-corenet_udp_sendrecv_all_ports(hplip_t)
+-corenet_tcp_bind_generic_node(hplip_t)
+-corenet_udp_bind_generic_node(hplip_t)
+-
+-corenet_sendrecv_hplip_client_packets(hplip_t)
+-corenet_receive_hplip_server_packets(hplip_t)
+-corenet_tcp_bind_hplip_port(hplip_t)
+-corenet_tcp_connect_hplip_port(hplip_t)
+-
+-corenet_sendrecv_ipp_client_packets(hplip_t)
+-corenet_tcp_connect_ipp_port(hplip_t)
+-
+-corenet_sendrecv_howl_server_packets(hplip_t)
+-corenet_udp_bind_howl_port(hplip_t)
+-
+-corecmd_exec_bin(hplip_t)
+-
+-dev_read_sysfs(hplip_t)
+-dev_rw_printer(hplip_t)
+-dev_read_urand(hplip_t)
+-dev_read_rand(hplip_t)
+-dev_rw_generic_usb_dev(hplip_t)
+-dev_rw_usbfs(hplip_t)
+-
+-domain_use_interactive_fds(hplip_t)
+-
-files_read_etc_files(hplip_t)
- files_read_etc_runtime_files(hplip_t)
+-files_read_etc_runtime_files(hplip_t)
-files_read_usr_files(hplip_t)
-+files_dontaudit_write_usr_dirs(hplip_t)
-
- fs_getattr_all_fs(hplip_t)
- fs_search_auto_mountpoints(hplip_t)
- fs_rw_anon_inodefs_files(hplip_t)
-
+-
+-fs_getattr_all_fs(hplip_t)
+-fs_search_auto_mountpoints(hplip_t)
+-fs_rw_anon_inodefs_files(hplip_t)
+-
-logging_send_syslog_msg(hplip_t)
-+term_use_ptmx(hplip_t)
-
+-
-miscfiles_read_localization(hplip_t)
-+auth_read_passwd(hplip_t)
-+
-+logging_send_syslog_msg(hplip_t)
-
- sysnet_dns_name_resolve(hplip_t)
+-
+-sysnet_dns_name_resolve(hplip_t)
+-
+-userdom_dontaudit_use_unpriv_user_fds(hplip_t)
+-userdom_dontaudit_search_user_home_dirs(hplip_t)
+-userdom_dontaudit_search_user_home_content(hplip_t)
+-
+-optional_policy(`
+- dbus_system_bus_client(hplip_t)
+-
+- optional_policy(`
+- userdom_dbus_send_all_users(hplip_t)
+- ')
+-')
+-
+-optional_policy(`
+- lpd_read_config(hplip_t)
+- lpd_manage_spool(hplip_t)
+-')
+-
+-optional_policy(`
+- seutil_sigchld_newrole(hplip_t)
+-')
+-
+-optional_policy(`
+- snmp_read_snmp_var_lib_files(hplip_t)
+-')
+-
+-optional_policy(`
+- udev_read_db(hplip_t)
+-')
-@@ -731,7 +744,6 @@ kernel_read_kernel_sysctls(ptal_t)
+ ########################################
+ #
+@@ -731,7 +613,6 @@ kernel_read_kernel_sysctls(ptal_t)
kernel_list_proc(ptal_t)
kernel_read_proc_symlinks(ptal_t)
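Review bot: The entire HPLIP local policy is deleted here while its rules (hplip/howl/ipp port binds, `term_use_ptmx`, `fs_rw_anon_inodefs_files`) re-appear on cupsd_t in the earlier cups hunks, so a formerly separate, narrower domain is being folded into the daemon that listens on the IPP port, and nothing in the diff records that decision. A short comment near the top of the cupsd_t section, `# HPLIP helpers now run in cupsd_t; hplip_t is retained only for compatibility — TODO confirm`, would tell the next reviewer where hplip_t went. Note also that the removed block carried `allow hplip_t self:capability { dac_override dac_read_search net_raw };` and `allow hplip_t self:rawip_socket create_socket_perms;`, while the cupsd_t capability set at the top of this diff has no net_raw and no rawip_socket rule is added; if HP device discovery used raw sockets it will now be denied, which is either a silent regression or an intentional drop that should be stated.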
@@ -16104,7 +16471,13 @@ index 9f34c2e..c7a0a97 100644
corenet_all_recvfrom_netlabel(ptal_t)
corenet_tcp_sendrecv_generic_if(ptal_t)
corenet_tcp_sendrecv_generic_node(ptal_t)
-@@ -747,7 +759,6 @@ dev_rw_printer(ptal_t)
+@@ -741,13 +622,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
+ corenet_tcp_bind_ptal_port(ptal_t)
+ corenet_tcp_sendrecv_ptal_port(ptal_t)
+
+-dev_read_sysfs(ptal_t)
+ dev_read_usbfs(ptal_t)
+ dev_rw_printer(ptal_t)
domain_use_interactive_fds(ptal_t)
@@ -16112,7 +16485,7 @@ index 9f34c2e..c7a0a97 100644
files_read_etc_runtime_files(ptal_t)
fs_getattr_all_fs(ptal_t)
-@@ -755,8 +766,6 @@ fs_search_auto_mountpoints(ptal_t)
+@@ -755,8 +634,6 @@ fs_search_auto_mountpoints(ptal_t)
logging_send_syslog_msg(ptal_t)
@@ -19430,6 +19803,36 @@ index 5818418..674367b 100644
/var/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
/var/run/dkim-milter\.pid -- gen_context(system_u:object_r:dkim_milter_data_t,s0)
+diff --git a/dmidecode.if b/dmidecode.if
+index 41c3f67..653a1ec 100644
+--- a/dmidecode.if
++++ b/dmidecode.if
+@@ -19,6 +19,25 @@ interface(`dmidecode_domtrans',`
+ domtrans_pattern($1, dmidecode_exec_t, dmidecode_t)
+ ')
+
++######################################
++## <summary>
++## Execute dmidecode in the caller domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dmidecode_exec',`
++ gen_require(`
++ type dmidecode_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ can_exec($1, dmidecode_exec_t)
++')
++
+ ########################################
+ ## <summary>
+ ## Execute dmidecode in the dmidecode
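Review bot: `dmidecode_exec` runs dmidecode inside the caller's domain, which means the caller rather than dmidecode_t must hold whatever access dmidecode needs to read the SMBIOS tables (presumably raw memory or sysfs firmware access — confirm against dmidecode.te), and the interface summary does not say so. Suggest expanding the `<summary>` to `Execute dmidecode in the caller domain. The caller needs its own access to the DMI/SMBIOS data sources; prefer dmidecode_domtrans unless it already has that access.` so callers do not pick this as the easy option and then add raw-memory rules to themselves.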
diff --git a/dmidecode.te b/dmidecode.te
index c947c2c..441d3f4 100644
--- a/dmidecode.te
@@ -19652,7 +20055,7 @@ index 19aa0b8..b303b37 100644
+ allow $1 dnsmasq_unit_file_t:service all_service_perms;
')
diff --git a/dnsmasq.te b/dnsmasq.te
-index ba14bcf..363af2a 100644
+index ba14bcf..12a8962 100644
--- a/dnsmasq.te
+++ b/dnsmasq.te
@@ -24,6 +24,9 @@ logging_log_file(dnsmasq_var_log_t)
@@ -19682,7 +20085,7 @@ index ba14bcf..363af2a 100644
userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
-@@ -98,11 +98,16 @@ optional_policy(`
+@@ -98,11 +98,20 @@ optional_policy(`
')
optional_policy(`
@@ -19695,11 +20098,15 @@ index ba14bcf..363af2a 100644
')
optional_policy(`
++ dnsmasq_domtrans(dnsmasq_t)
++')
++
++optional_policy(`
+ networkmanager_read_conf(dnsmasq_t)
networkmanager_read_pid_files(dnsmasq_t)
')
-@@ -124,6 +129,7 @@ optional_policy(`
+@@ -124,6 +133,7 @@ optional_policy(`
optional_policy(`
virt_manage_lib_files(dnsmasq_t)
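Review bot: `dnsmasq_domtrans(dnsmasq_t)` is wrapped in `optional_policy(...)` even though the interface comes from this module's own dnsmasq.if, so the guard can never be false; its effect is a domtrans_pattern from dnsmasq_t to itself, i.e. permission to re-execute its own binary, since an exec that lands in the same type performs no transition. The plain form `can_exec(dnsmasq_t, dnsmasq_exec_t)` states that intent directly, and a comment such as `# dnsmasq re-executes itself — TODO note which code path` would explain why it is wanted.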
@@ -20141,7 +20548,7 @@ index dbcac59..66d42bb 100644
+ admin_pattern($1, dovecot_passwd_t)
')
diff --git a/dovecot.te b/dovecot.te
-index a7bfaf0..c482695 100644
+index a7bfaf0..412f08d 100644
--- a/dovecot.te
+++ b/dovecot.te
@@ -1,4 +1,4 @@
@@ -20482,7 +20889,7 @@ index a7bfaf0..c482695 100644
allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms;
append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)
-@@ -289,31 +299,34 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t
+@@ -289,35 +299,41 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t
files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir })
allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
@@ -20515,6 +20922,8 @@ index a7bfaf0..c482695 100644
- fs_manage_nfs_symlinks(dovecot_deliver_t)
-')
+fs_getattr_all_fs(dovecot_deliver_t)
++fs_dontaudit_getattr_all_fs(dovecot_deliver_t)
++fs_dontaudit_search_cgroup_dirs(dovecot_deliver_t)
+
+userdom_manage_user_home_content_dirs(dovecot_deliver_t)
+userdom_manage_user_home_content_files(dovecot_deliver_t)
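Review bot: `fs_dontaudit_getattr_all_fs(dovecot_deliver_t)` is dead the moment it is added, because the line directly above it, `fs_getattr_all_fs(dovecot_deliver_t)`, already allows that same getattr and a dontaudit only matters for a denied access. Drop the dontaudit line, or the allow if the intent was to silence rather than grant — the two differ in what the LDA can learn about mounted filesystems. `fs_dontaudit_search_cgroup_dirs` is fine as a dontaudit but would benefit from a comment naming what triggers the cgroup search.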
@@ -20534,7 +20943,12 @@ index a7bfaf0..c482695 100644
')
optional_policy(`
-@@ -326,5 +339,6 @@ optional_policy(`
+ mta_mailserver_delivery(dovecot_deliver_t)
++ mta_manage_spool(dovecot_deliver_t)
+ mta_read_queue(dovecot_deliver_t)
+ ')
+
+@@ -326,5 +342,6 @@ optional_policy(`
')
optional_policy(`
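Review bot: `mta_manage_spool(dovecot_deliver_t)` gives the LDA create/write/rename/unlink over the whole mail spool, although delivering into a mailbox should only need to create and append to the destination file; next to `mta_read_queue` it is the broadest spool access in this optional block. If the local mta.if offers a narrower variant (an append- or rw-spool interface), prefer it, and in any case record why manage is needed, e.g. `# LDA needs manage on mail_spool_t for dotlock/temp files — TODO confirm`. A compromised delivery process with manage on the spool can delete or replace other users' mail, which is presumably part of why delivery runs in its own domain.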
@@ -31172,9 +31586,18 @@ index 73e2803..562d25b 100644
files_search_pids($1)
admin_pattern($1, l2tpd_var_run_t)
diff --git a/l2tp.te b/l2tp.te
-index 19f2b97..17f1883 100644
+index 19f2b97..23321e4 100644
--- a/l2tp.te
+++ b/l2tp.te
+@@ -27,7 +27,7 @@ files_pid_file(l2tpd_var_run_t)
+ #
+
+ allow l2tpd_t self:capability net_admin;
+-allow l2tpd_t self:process signal;
++allow l2tpd_t self:process signal_perms;
+ allow l2tpd_t self:fifo_file rw_fifo_file_perms;
+ allow l2tpd_t self:netlink_socket create_socket_perms;
+ allow l2tpd_t self:rawip_socket create_socket_perms;
@@ -75,19 +75,19 @@ corecmd_exec_bin(l2tpd_t)
dev_read_urand(l2tpd_t)
@@ -32263,7 +32686,7 @@ index 7bab8e5..5c6ac99 100644
logging_read_all_logs(logrotate_mail_t)
+manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
diff --git a/logwatch.te b/logwatch.te
-index 4256a4c..8023bf3 100644
+index 4256a4c..0311d82 100644
--- a/logwatch.te
+++ b/logwatch.te
@@ -7,7 +7,8 @@ policy_module(logwatch, 1.11.6)
@@ -32304,10 +32727,11 @@ index 4256a4c..8023bf3 100644
mta_sendmail_domtrans(logwatch_t, logwatch_mail_t)
mta_getattr_spool(logwatch_t)
-@@ -137,6 +138,10 @@ optional_policy(`
+@@ -137,6 +138,11 @@ optional_policy(`
')
optional_policy(`
++ raid_domtrans_mdadm(logwatch_t)
+ raid_access_check_mdadm(logwatch_t)
+')
+
@@ -32315,7 +32739,7 @@ index 4256a4c..8023bf3 100644
rpc_search_nfs_state_data(logwatch_t)
')
-@@ -164,6 +169,12 @@ dev_read_sysfs(logwatch_mail_t)
+@@ -164,6 +170,12 @@ dev_read_sysfs(logwatch_mail_t)
logging_read_all_logs(logwatch_mail_t)
@@ -35923,7 +36347,7 @@ index 6194b80..60bb004 100644
')
+
diff --git a/mozilla.te b/mozilla.te
-index 6a306ee..c4829d1 100644
+index 6a306ee..5f21325 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -1,4 +1,4 @@
@@ -36356,7 +36780,7 @@ index 6a306ee..c4829d1 100644
')
optional_policy(`
-@@ -300,63 +316,53 @@ optional_policy(`
+@@ -300,63 +316,54 @@ optional_policy(`
########################################
#
@@ -36367,7 +36791,8 @@ index 6a306ee..c4829d1 100644
-dontaudit mozilla_plugin_t self:capability { ipc_lock sys_nice sys_ptrace sys_tty_config };
-allow mozilla_plugin_t self:process { setpgid getsched setsched signal_perms setrlimit };
-allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms;
-+dontaudit mozilla_plugin_t self:capability { ipc_lock sys_nice sys_tty_config };
++dontaudit mozilla_plugin_t self:capability { sys_admin ipc_lock sys_nice sys_tty_config };
++dontaudit mozilla_plugin_t self:capability2 block_suspend;
+
+allow mozilla_plugin_t self:process { setpgid getsched setsched signal_perms execmem execstack setrlimit };
+allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms;
@@ -36438,18 +36863,18 @@ index 6a306ee..c4829d1 100644
allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms;
-allow mozilla_plugin_t mozilla_plugin_rw_t:file read_file_perms;
-allow mozilla_plugin_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms;
+-
+-dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
+-stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
+read_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+read_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
--dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
--stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
--
-can_exec(mozilla_plugin_t, { mozilla_exec_t mozilla_plugin_home_t mozilla_plugin_tmp_t })
+can_exec(mozilla_plugin_t, mozilla_exec_t)
kernel_read_all_sysctls(mozilla_plugin_t)
kernel_read_system_state(mozilla_plugin_t)
-@@ -366,155 +372,111 @@ kernel_dontaudit_getattr_core_if(mozilla_plugin_t)
+@@ -366,155 +373,113 @@ kernel_dontaudit_getattr_core_if(mozilla_plugin_t)
corecmd_exec_bin(mozilla_plugin_t)
corecmd_exec_shell(mozilla_plugin_t)
@@ -36569,6 +36994,7 @@ index 6a306ee..c4829d1 100644
+files_list_mnt(mozilla_plugin_t)
+files_exec_usr_files(mozilla_plugin_t)
+fs_rw_inherited_tmpfs_files(mozilla_plugin_t)
++files_dontaudit_all_access_check(mozilla_plugin_t)
fs_getattr_all_fs(mozilla_plugin_t)
-# fs_read_hugetlbfs_files(mozilla_plugin_t)
@@ -36596,6 +37022,7 @@ index 6a306ee..c4829d1 100644
-miscfiles_read_localization(mozilla_plugin_t)
miscfiles_read_fonts(mozilla_plugin_t)
miscfiles_read_generic_certs(mozilla_plugin_t)
++miscfiles_dontaudit_write_generic_cert_files(mozilla_plugin_t)
miscfiles_dontaudit_setattr_fonts_dirs(mozilla_plugin_t)
miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_plugin_t)
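Review bot: `miscfiles_dontaudit_write_generic_cert_files(mozilla_plugin_t)` suppresses the audit record for a plugin attempting to write the system certificate store; the access stays denied, but an attempt to modify trust anchors is exactly the kind of event a detection team wants to see, and the dontaudit hides it for every plugin, not just the one that produced the noise. Unless the triggering case is known to be benign (a certificate database opened read-write that falls back to read-only, say), leave it audited, or document it: `# some plugins open cert files O_RDWR and fall back to read-only — TODO confirm this is the only source`.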
@@ -36665,7 +37092,7 @@ index 6a306ee..c4829d1 100644
')
optional_policy(`
-@@ -523,36 +485,43 @@ optional_policy(`
+@@ -523,36 +488,43 @@ optional_policy(`
')
optional_policy(`
@@ -36703,18 +37130,18 @@ index 6a306ee..c4829d1 100644
optional_policy(`
- lpd_run_lpr(mozilla_plugin_t, mozilla_plugin_roles)
+ lpd_run_lpr(mozilla_plugin_t, mozilla_roles)
++')
++
++optional_policy(`
++ mplayer_exec(mozilla_plugin_t)
++ mplayer_manage_generic_home_content(mozilla_plugin_t)
++ mplayer_home_filetrans_mplayer_home(mozilla_plugin_t, dir, ".mplayer")
')
optional_policy(`
- mplayer_exec(mozilla_plugin_t)
- mplayer_manage_generic_home_content(mozilla_plugin_t)
- mplayer_home_filetrans_mplayer_home(mozilla_plugin_t, dir, ".mplayer")
-+ mplayer_exec(mozilla_plugin_t)
-+ mplayer_manage_generic_home_content(mozilla_plugin_t)
-+ mplayer_home_filetrans_mplayer_home(mozilla_plugin_t, dir, ".mplayer")
-+')
-+
-+optional_policy(`
+ pulseaudio_exec(mozilla_plugin_t)
+ pulseaudio_stream_connect(mozilla_plugin_t)
+ pulseaudio_setattr_home_dir(mozilla_plugin_t)
@@ -36723,7 +37150,7 @@ index 6a306ee..c4829d1 100644
')
optional_policy(`
-@@ -560,7 +529,7 @@ optional_policy(`
+@@ -560,7 +532,7 @@ optional_policy(`
')
optional_policy(`
@@ -36732,7 +37159,7 @@ index 6a306ee..c4829d1 100644
')
optional_policy(`
-@@ -568,108 +537,104 @@ optional_policy(`
+@@ -568,108 +540,104 @@ optional_policy(`
')
optional_policy(`
@@ -36760,12 +37187,12 @@ index 6a306ee..c4829d1 100644
-allow mozilla_plugin_config_t self:process { setsched signal_perms getsched };
-allow mozilla_plugin_config_t self:fifo_file rw_fifo_file_perms;
-allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms;
--
++allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem execstack };
+
-allow mozilla_plugin_config_t mozilla_plugin_rw_t:dir manage_dir_perms;
-allow mozilla_plugin_config_t mozilla_plugin_rw_t:file manage_file_perms;
-allow mozilla_plugin_config_t mozilla_plugin_rw_t:lnk_file manage_lnk_file_perms;
-+allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem execstack };
-
+-
-manage_dirs_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, { mozilla_home_t mozilla_plugin_home_t })
-manage_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
-manage_lnk_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
@@ -36788,7 +37215,7 @@ index 6a306ee..c4829d1 100644
+ps_process_pattern(mozilla_plugin_config_t,mozilla_plugin_t)
-filetrans_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins")
-+dev_search_sysfs(mozilla_plugin_config_t)
++dev_read_sysfs(mozilla_plugin_config_t)
+dev_read_urand(mozilla_plugin_config_t)
+dev_dontaudit_read_rand(mozilla_plugin_config_t)
+dev_dontaudit_rw_dri(mozilla_plugin_config_t)
@@ -44779,7 +45206,7 @@ index af3c91e..6882a3f 100644
/var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
diff --git a/ntp.if b/ntp.if
-index b59196f..d60b451 100644
+index b59196f..017b36f 100644
--- a/ntp.if
+++ b/ntp.if
@@ -1,4 +1,4 @@
@@ -44944,7 +45371,7 @@ index b59196f..d60b451 100644
logging_list_logs($1)
admin_pattern($1, ntpd_log_t)
-@@ -164,5 +246,7 @@ interface(`ntp_admin',`
+@@ -164,5 +246,28 @@ interface(`ntp_admin',`
files_list_pids($1)
admin_pattern($1, ntpd_var_run_t)
@@ -44952,6 +45379,27 @@ index b59196f..d60b451 100644
+ ntp_systemctl($1)
+ admin_pattern($1, ntpd_unit_file_t)
+ allow $1 ntpd_unit_file_t:service all_service_perms;
++
++ ntp_filetrans_named_content($1)
++')
++
++########################################
++## <summary>
++## Transition content labels to ntp named content
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`ntp_filetrans_named_content',`
++ gen_require(`
++ type ntp_conf_t;
++ ')
++
++ files_etc_filetrans($1, ntp_conf_t, file, "ntpd.conf")
++ files_etc_filetrans($1, ntp_conf_t, dir, "ntp")
')
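Review bot: `files_etc_filetrans($1, ntp_conf_t, file, "ntpd.conf")` names a file `ntpd.conf`, but the configuration file the NTP daemon conventionally reads is /etc/ntp.conf; if this is a typo the transition never fires and a freshly written ntp.conf gets the generic etc label, and if it is deliberate the unusual name should be commented. Also check the label ntp.fc assigns to /etc/ntp.conf: a named transition to ntp_conf_t that disagrees with the fc entry leaves the file mislabelled until the next restorecon. The `"ntp"` directory transition on the following line looks right.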
diff --git a/ntp.te b/ntp.te
index b90e343..71042cd 100644
@@ -46420,13 +46868,15 @@ index 0000000..a437f80
+files_read_config_files(openshift_domain)
diff --git a/openshift.fc b/openshift.fc
new file mode 100644
-index 0000000..c9a5f74
+index 0000000..e108d48
--- /dev/null
+++ b/openshift.fc
-@@ -0,0 +1,24 @@
+@@ -0,0 +1,26 @@
+/etc/rc\.d/init\.d/libra gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/mcollective gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
+
++/etc/cron.minutely/openshift-facts -- gen_context(system_u:object_r:openshift_cron_exec_t,s0)
++
+/var/lib/stickshift(/.*)? gen_context(system_u:object_r:openshift_var_lib_t,s0)
+/var/lib/stickshift/.*/data(/.*)? gen_context(system_u:object_r:openshift_rw_file_t,s0)
+/var/lib/openshift(/.*)? gen_context(system_u:object_r:openshift_var_lib_t,s0)
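Review bot: In `/etc/cron.minutely/openshift-facts` the dot in `cron.minutely` is unescaped, so as a file-context regex it matches any character in that position; the neighbouring entries escape theirs (`/etc/rc\.d/init\.d/libra`). Harmless in practice but inconsistent and easy to copy — write `/etc/cron\.minutely/openshift-facts -- gen_context(system_u:object_r:openshift_cron_exec_t,s0)`.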
@@ -46450,10 +46900,10 @@ index 0000000..c9a5f74
+/var/run/openshift(/.*)? gen_context(system_u:object_r:openshift_var_run_t,s0)
diff --git a/openshift.if b/openshift.if
new file mode 100644
-index 0000000..98ce2c3
+index 0000000..1a26cd5
--- /dev/null
+++ b/openshift.if
-@@ -0,0 +1,644 @@
+@@ -0,0 +1,664 @@
+
+## <summary> policy for openshift </summary>
+
@@ -46476,6 +46926,26 @@ index 0000000..98ce2c3
+ domtrans_pattern($1, openshift_initrc_exec_t, openshift_initrc_t)
+')
+
++#######################################
++## <summary>
++## Execute openshift server in the openshift domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## The type of the process performing this action.
++## </summary>
++## </param>
++#
++interface(`openshift_initrc_run',`
++ gen_require(`
++ type openshift_initrc_t;
++ type openshift_initrc_exec_t;
++ ')
++
++ openshift_initrc_domtrans($1)
++ role $2 types openshift_initrc_t;
++')
++
+########################################
+## <summary>
+## Send a null signal to openshift init scripts.
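Review bot: `openshift_initrc_run` takes a second argument (`role $2 types openshift_initrc_t;`) but the XML header documents only `domain`, so the generated interface docs omit the role, and the summary `Execute openshift server in the openshift domain.` does not say the caller's role is granted the domain either. Add a `<param name="role">` block with `<summary>Role allowed access.</summary>` and reword the summary to `Execute the openshift init script in the openshift_initrc domain and allow the specified role the domain.` The `type openshift_initrc_exec_t;` entry in the gen_require is not referenced by the body (the domtrans interface requires it itself) and can be dropped.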
@@ -47100,10 +47570,10 @@ index 0000000..98ce2c3
+')
diff --git a/openshift.te b/openshift.te
new file mode 100644
-index 0000000..c69ca3f
+index 0000000..4bc6574
--- /dev/null
+++ b/openshift.te
-@@ -0,0 +1,378 @@
+@@ -0,0 +1,463 @@
+policy_module(openshift,1.0.0)
+
+gen_require(`
@@ -47135,7 +47605,6 @@ index 0000000..c69ca3f
+ oddjob_ranged_domain(openshift_initrc_t, openshift_initrc_exec_t, s0 - mcs_systemhigh)
+')
+
-+
+type openshift_initrc_tmp_t;
+files_tmp_file(openshift_initrc_tmp_t)
+
@@ -47171,6 +47640,19 @@ index 0000000..c69ca3f
+type openshift_cgroup_read_exec_t;
+application_domain(openshift_cgroup_read_t, openshift_cgroup_read_exec_t)
+
++type openshift_cron_t;
++type openshift_cron_exec_t;
++domain_type(openshift_cron_t)
++domain_entry_file(openshift_cron_t, openshift_cron_exec_t)
++role system_r types openshift_cron_t;
++
++optional_policy(`
++ cron_system_entry(openshift_cron_t, openshift_cron_exec_t)
++')
++
++type openshift_cron_tmp_t, openshift_file_type;
++files_tmp_file(openshift_cron_tmp_t)
++
+########################################
+#
+# Template to create openshift_t and openshift_app_t
@@ -47290,6 +47772,7 @@ index 0000000..c69ca3f
+dev_dontaudit_write_urand(openshift_domain)
+dev_dontaudit_getattr_all_blk_files(openshift_domain)
+dev_dontaudit_getattr_all_chr_files(openshift_domain)
++dev_dontaudit_all_access_check(openshift_domain)
+
+domain_use_interactive_fds(openshift_domain)
+domain_dontaudit_read_all_domains_state(openshift_domain)
@@ -47482,6 +47965,78 @@ index 0000000..c69ca3f
+
+allow openshift_cgroup_read_t openshift_var_lib_t:dir list_dir_perms;
+read_files_pattern(openshift_cgroup_read_t, openshift_var_lib_t, openshift_var_lib_t)
++
++########################################
++#
++# openshift_cron local policy
++#
++allow openshift_cron_t self:capability net_admin;
++allow openshift_cron_t self:process signal_perms;
++allow openshift_cron_t self:tcp_socket create_stream_socket_perms;
++allow openshift_cron_t self:udp_socket create_socket_perms;
++allow openshift_cron_t self:unix_dgram_socket create_socket_perms;
++allow openshift_cron_t self:netlink_route_socket rw_netlink_socket_perms;
++
++manage_dirs_pattern(openshift_cron_t, openshift_cron_tmp_t, openshift_cron_tmp_t)
++manage_fifo_files_pattern(openshift_cron_t, openshift_cron_tmp_t, openshift_cron_tmp_t)
++manage_files_pattern(openshift_cron_t, openshift_cron_tmp_t, openshift_cron_tmp_t)
++manage_lnk_files_pattern(openshift_cron_t, openshift_cron_tmp_t, openshift_cron_tmp_t)
++manage_sock_files_pattern(openshift_cron_t, openshift_cron_tmp_t, openshift_cron_tmp_t)
++files_tmp_filetrans(openshift_cron_t, openshift_cron_tmp_t, { lnk_file file dir sock_file fifo_file })
++
++openshift_manage_lib_dirs(openshift_cron_t)
++openshift_manage_lib_files(openshift_cron_t)
++
++kernel_search_network_sysctl(openshift_cron_t)
++kernel_read_network_state(openshift_cron_t)
++kernel_read_system_state(openshift_cron_t)
++
++corecmd_exec_bin(openshift_cron_t)
++corecmd_exec_shell(openshift_cron_t)
++
++dev_read_raw_memory(openshift_cron_t)
++dev_read_urand(openshift_cron_t)
++
++corenet_udp_bind_generic_node(openshift_cron_t)
++corenet_udp_bind_generic_port(openshift_cron_t)
++
++dev_getattr_fs(openshift_cron_t)
++dev_list_sysfs(openshift_cron_t)
++dev_read_sysfs(openshift_cron_t)
++
++files_getattr_home_dir(openshift_cron_t)
++files_manage_etc_files(openshift_cron_t)
++
++fs_getattr_tmpfs_dirs(openshift_cron_t)
++fs_getattr_all_fs(openshift_cron_t)
++fs_list_hugetlbfs(openshift_cron_t)
++fs_search_cgroup_dirs(openshift_cron_t)
++
++seutil_domtrans_setfiles(openshift_cron_t)
++
++term_getattr_pty_fs(openshift_cron_t)
++term_search_ptys(openshift_cron_t)
++
++auth_use_nsswitch(openshift_cron_t)
++
++miscfiles_read_generic_certs(openshift_cron_t)
++miscfiles_read_hwdata(openshift_cron_t)
++
++sysnet_exec_ifconfig(openshift_cron_t)
++sysnet_read_config(openshift_cron_t)
++
++optional_policy(`
++ dmidecode_exec(openshift_cron_t)
++')
++
++optional_policy(`
++ hostname_exec(openshift_cron_t)
++')
++
++optional_policy(`
++ ssh_exec_keygen(openshift_cron_t)
++ ssh_dontaudit_read_server_keys(openshift_cron_t)
++')
diff --git a/openvpn.if b/openvpn.if
index 6837e9a..af8f9d0 100644
--- a/openvpn.if
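Review bot: openshift_cron_t is given `dev_read_raw_memory`, `self:capability net_admin` and `files_manage_etc_files` — read of /dev/mem, network-configuration capability and write access to every generic etc_t file — for what the .fc entry at the top of this file labels as a cron job (openshift-facts), which is a lot of standing privilege for a periodic fact gatherer. If the raw-memory read exists to serve dmidecode, `dmidecode_domtrans(openshift_cron_t)` in place of `dmidecode_exec(openshift_cron_t)` keeps that access inside dmidecode_t and lets `dev_read_raw_memory(openshift_cron_t)` be dropped; likewise, if the job writes only specific files under /etc, a dedicated file type plus a filetrans is tighter than manage over etc_t. `sysnet_exec_ifconfig` runs ifconfig in the cron domain itself, so net_admin is presumably there to satisfy it; if an AVC drove these additions, a comment naming the operation would let a later reviewer judge whether they can be narrowed.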
@@ -47874,7 +48429,7 @@ index 9b15730..14f29e4 100644
+ ')
')
diff --git a/openvswitch.te b/openvswitch.te
-index 508fedf..4068f7f 100644
+index 508fedf..3e42ef8 100644
--- a/openvswitch.te
+++ b/openvswitch.te
@@ -1,4 +1,4 @@
@@ -47943,7 +48498,7 @@ index 508fedf..4068f7f 100644
manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file })
-@@ -57,15 +58,9 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_
+@@ -57,33 +58,33 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_
manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file })
@@ -47960,7 +48515,8 @@ index 508fedf..4068f7f 100644
corecmd_exec_bin(openvswitch_t)
-@@ -73,17 +68,22 @@ dev_read_urand(openvswitch_t)
++dev_read_rand(openvswitch_t)
+ dev_read_urand(openvswitch_t)
domain_use_interactive_fds(openvswitch_t)
@@ -48206,10 +48762,24 @@ index 9682d9a..d47f913 100644
+ ')
')
diff --git a/pacemaker.te b/pacemaker.te
-index 3dd8ada..8b8d292 100644
+index 3dd8ada..9683812 100644
--- a/pacemaker.te
+++ b/pacemaker.te
-@@ -12,17 +12,20 @@ init_daemon_domain(pacemaker_t, pacemaker_exec_t)
+@@ -5,6 +5,13 @@ policy_module(pacemaker, 1.0.2)
+ # Declarations
+ #
+
++## <desc>
++## <p>
++## Allow pacemaker memcheck-amd64- to use executable memory
++## </p>
++## </desc>
++gen_tunable(pacemaker_use_execmem, false)
++
+ type pacemaker_t;
+ type pacemaker_exec_t;
+ init_daemon_domain(pacemaker_t, pacemaker_exec_t)
+@@ -12,17 +19,20 @@ init_daemon_domain(pacemaker_t, pacemaker_exec_t)
type pacemaker_initrc_exec_t;
init_script_file(pacemaker_initrc_exec_t)
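Review bot: the tunable description `Allow pacemaker memcheck-amd64- to use executable memory` reads as if memcheck-amd64- were a pacemaker component; it appears to be the valgrind memcheck tool binary, so the admin-facing text should state what the boolean relaxes, e.g. `## Allow pacemaker to use executable memory (process execmem), for example when it is run under valgrind's memcheck.` The rule this tunable gates sits in a later hunk of this file; keeping execmem behind a default-false boolean is the right choice, since it weakens the W^X guarantee for the daemon and should not be on in production.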
@@ -48235,7 +48805,24 @@ index 3dd8ada..8b8d292 100644
########################################
#
-@@ -60,13 +63,13 @@ kernel_read_system_state(pacemaker_t)
+@@ -30,13 +40,15 @@ files_pid_file(pacemaker_var_run_t)
+ #
+
+ allow pacemaker_t self:capability { fowner fsetid kill chown dac_override setuid };
++allow pacemaker_t self:capability2 block_suspend;
+ allow pacemaker_t self:process { setrlimit signal setpgid };
+ allow pacemaker_t self:fifo_file rw_fifo_file_perms;
+ allow pacemaker_t self:unix_stream_socket { connectto accept listen };
+
+ manage_dirs_pattern(pacemaker_t, pacemaker_tmp_t, pacemaker_tmp_t)
+ manage_files_pattern(pacemaker_t, pacemaker_tmp_t, pacemaker_tmp_t)
+-files_tmp_filetrans(pacemaker_t, pacemaker_tmp_t, { file dir })
++manage_fifo_files_pattern(pacemaker_t, pacemaker_tmp_t, pacemaker_tmp_t)
++files_tmp_filetrans(pacemaker_t, pacemaker_tmp_t, { fifo_file file dir })
+
+ manage_dirs_pattern(pacemaker_t, pacemaker_tmpfs_t, pacemaker_tmpfs_t)
+ manage_files_pattern(pacemaker_t, pacemaker_tmpfs_t, pacemaker_tmpfs_t)
+@@ -60,13 +72,13 @@ kernel_read_system_state(pacemaker_t)
corecmd_exec_bin(pacemaker_t)
corecmd_exec_shell(pacemaker_t)
@@ -48252,14 +48839,20 @@ index 3dd8ada..8b8d292 100644
files_read_kernel_symbol_table(pacemaker_t)
fs_getattr_all_fs(pacemaker_t)
-@@ -75,9 +78,9 @@ auth_use_nsswitch(pacemaker_t)
+@@ -75,9 +87,16 @@ auth_use_nsswitch(pacemaker_t)
logging_send_syslog_msg(pacemaker_t)
-miscfiles_read_localization(pacemaker_t)
--
++sysnet_domtrans_ifconfig(pacemaker_t)
++
++tunable_policy(`pacemaker_use_execmem',`
++ allow pacemaker_t self:process { execmem };
++')
+
optional_policy(`
corosync_read_log(pacemaker_t)
++ corosync_setattr_log(pacemaker_t)
corosync_stream_connect(pacemaker_t)
+ corosync_rw_tmpfs(pacemaker_t)
')
@@ -59924,15 +60517,24 @@ index 76f5b39..599b6cd 100644
')
+
diff --git a/quantum.fc b/quantum.fc
-index 70ab68b..9ac57eb 100644
+index 70ab68b..e97da31 100644
--- a/quantum.fc
+++ b/quantum.fc
-@@ -1,3 +1,5 @@
+@@ -1,9 +1,14 @@
+/usr/lib/systemd/system/quantum.* -- gen_context(system_u:object_r:quantum_unit_file_t,s0)
+
/etc/rc\.d/init\.d/quantum.* -- gen_context(system_u:object_r:quantum_initrc_exec_t,s0)
/usr/bin/quantum-server -- gen_context(system_u:object_r:quantum_exec_t,s0)
+ /usr/bin/quantum-openvswitch-agent -- gen_context(system_u:object_r:quantum_exec_t,s0)
+ /usr/bin/quantum-linuxbridge-agent -- gen_context(system_u:object_r:quantum_exec_t,s0)
+ /usr/bin/quantum-ryu-agent -- gen_context(system_u:object_r:quantum_exec_t,s0)
++/usr/bin/quantum-dhcp-agent -- gen_context(system_u:object_r:quantum_exec_t,s0)
++/usr/bin/quantum-l3-agent -- gen_context(system_u:object_r:quantum_exec_t,s0)
++/usr/bin/quantum-ovs-cleanup -- gen_context(system_u:object_r:quantum_exec_t,s0)
+
+ /var/lib/quantum(/.*)? gen_context(system_u:object_r:quantum_var_lib_t,s0)
+
diff --git a/quantum.if b/quantum.if
index afc0068..7616aa4 100644
--- a/quantum.if
@@ -65557,10 +66159,10 @@ index c49828c..a323332 100644
sysnet_dns_name_resolve(rpcbind_t)
diff --git a/rpm.fc b/rpm.fc
-index ebe91fc..9e96a5c 100644
+index ebe91fc..db87bca 100644
--- a/rpm.fc
+++ b/rpm.fc
-@@ -1,61 +1,66 @@
+@@ -1,61 +1,67 @@
-/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/etc/rc\.d/init\.d/bcfg2 -- gen_context(system_u:object_r:rpm_initrc_exec_t,s0)
@@ -65580,6 +66182,7 @@ index ebe91fc..9e96a5c 100644
+/usr/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/smart -- gen_context(system_u:object_r:rpm_exec_t,s0)
+
++/bin/yum-builddep -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/zif -- gen_context(system_u:object_r:rpm_exec_t,s0)
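Review bot: the new entry `/bin/yum-builddep` uses the bare `/bin` prefix while the entries around it in this file were rewritten from `/bin/...` to `/usr/bin/...` in the preceding hunk (`-/bin/rpm` / `+/usr/bin/rpm`), and the yum-utils script is installed under /usr/bin. On a merged-/usr system the /bin path equivalence presumably still applies the label, but the inconsistent spelling is a maintenance trap; `/usr/bin/yum-builddep -- gen_context(system_u:object_r:rpm_exec_t,s0)` matches the rest of the block. Labelling a yum-utils wrapper as rpm_exec_t also means any domain with rpm_domtrans runs it in rpm_t, which is presumably intended given plain yum carries the same type.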
@@ -65672,7 +66275,7 @@ index ebe91fc..9e96a5c 100644
+/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
')
diff --git a/rpm.if b/rpm.if
-index 0628d50..bedc8ae 100644
+index 0628d50..dbe00f4 100644
--- a/rpm.if
+++ b/rpm.if
@@ -1,8 +1,8 @@
@@ -65738,7 +66341,7 @@ index 0628d50..bedc8ae 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -74,23 +74,31 @@ interface(`rpm_domtrans_script',`
+@@ -74,23 +74,28 @@ interface(`rpm_domtrans_script',`
## </param>
## <param name="role">
## <summary>
@@ -65752,19 +66355,16 @@ index 0628d50..bedc8ae 100644
gen_require(`
- attribute_role rpm_roles;
+ type rpm_t, rpm_script_t;
++ attribute_role rpm_script_roles;
')
rpm_domtrans($1)
- roleattribute $2 rpm_roles;
-+ role $2 types { rpm_t rpm_script_t };
++ roleattribute $2 rpm_script_roles;
+
+ domain_system_change_exemption($1)
+ role_transition $2 rpm_exec_t system_r;
+ allow $2 system_r;
-+
-+ seutil_run_loadpolicy(rpm_script_t, $2)
-+ seutil_run_semanage(rpm_script_t, $2)
-+ seutil_run_setfiles(rpm_script_t, $2)
')
########################################
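Review bot: `type rpm_t, rpm_script_t;` in rpm_run's gen_require is no longer referenced once `role $2 types { rpm_t rpm_script_t }` was replaced by `roleattribute $2 rpm_script_roles;`; drop it, or replace it with the `type rpm_exec_t;` that the `role_transition $2 rpm_exec_t system_r` line uses (rpm_domtrans presumably requires rpm_exec_t in its own expansion, so this is a clarity fix rather than a build break). `allow $2 system_r;` authorises the caller's role to switch into system_r, which is wider than the rpm transition alone, and the interface documentation does not mention it; a line such as `## The role is also allowed to transition to system_r, in which rpm scriptlets run.` would make that visible to anyone granting rpm_run to a new role.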
@@ -65774,7 +66374,7 @@ index 0628d50..bedc8ae 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -109,7 +117,7 @@ interface(`rpm_exec',`
+@@ -109,7 +114,7 @@ interface(`rpm_exec',`
########################################
## <summary>
@@ -65783,7 +66383,7 @@ index 0628d50..bedc8ae 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -127,7 +135,7 @@ interface(`rpm_signull',`
+@@ -127,7 +132,7 @@ interface(`rpm_signull',`
########################################
## <summary>
@@ -65792,7 +66392,7 @@ index 0628d50..bedc8ae 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -145,7 +153,7 @@ interface(`rpm_use_fds',`
+@@ -145,7 +150,7 @@ interface(`rpm_use_fds',`
########################################
## <summary>
@@ -65801,7 +66401,7 @@ index 0628d50..bedc8ae 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -163,7 +171,7 @@ interface(`rpm_read_pipes',`
+@@ -163,7 +168,7 @@ interface(`rpm_read_pipes',`
########################################
## <summary>
@@ -65810,7 +66410,7 @@ index 0628d50..bedc8ae 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -181,6 +189,42 @@ interface(`rpm_rw_pipes',`
+@@ -181,6 +186,42 @@ interface(`rpm_rw_pipes',`
########################################
## <summary>
@@ -65853,7 +66453,7 @@ index 0628d50..bedc8ae 100644
## Send and receive messages from
## rpm over dbus.
## </summary>
-@@ -224,7 +268,7 @@ interface(`rpm_dontaudit_dbus_chat',`
+@@ -224,7 +265,7 @@ interface(`rpm_dontaudit_dbus_chat',`
########################################
## <summary>
## Send and receive messages from
@@ -65862,7 +66462,7 @@ index 0628d50..bedc8ae 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -244,7 +288,7 @@ interface(`rpm_script_dbus_chat',`
+@@ -244,7 +285,7 @@ interface(`rpm_script_dbus_chat',`
########################################
## <summary>
@@ -65871,7 +66471,7 @@ index 0628d50..bedc8ae 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -263,7 +307,8 @@ interface(`rpm_search_log',`
+@@ -263,7 +304,8 @@ interface(`rpm_search_log',`
#####################################
## <summary>
@@ -65881,7 +66481,7 @@ index 0628d50..bedc8ae 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -276,14 +321,12 @@ interface(`rpm_append_log',`
+@@ -276,14 +318,12 @@ interface(`rpm_append_log',`
type rpm_log_t;
')
@@ -65898,7 +66498,7 @@ index 0628d50..bedc8ae 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -302,7 +345,7 @@ interface(`rpm_manage_log',`
+@@ -302,7 +342,7 @@ interface(`rpm_manage_log',`
########################################
## <summary>
@@ -65907,7 +66507,7 @@ index 0628d50..bedc8ae 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -320,8 +363,8 @@ interface(`rpm_use_script_fds',`
+@@ -320,8 +360,8 @@ interface(`rpm_use_script_fds',`
########################################
## <summary>
@@ -65918,7 +66518,7 @@ index 0628d50..bedc8ae 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -335,12 +378,15 @@ interface(`rpm_manage_script_tmp_files',`
+@@ -335,12 +375,15 @@ interface(`rpm_manage_script_tmp_files',`
')
files_search_tmp($1)
@@ -65935,7 +66535,7 @@ index 0628d50..bedc8ae 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -353,14 +399,13 @@ interface(`rpm_append_tmp_files',`
+@@ -353,14 +396,13 @@ interface(`rpm_append_tmp_files',`
type rpm_tmp_t;
')
@@ -65953,7 +66553,7 @@ index 0628d50..bedc8ae 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -374,12 +419,14 @@ interface(`rpm_manage_tmp_files',`
+@@ -374,12 +416,14 @@ interface(`rpm_manage_tmp_files',`
')
files_search_tmp($1)
@@ -65969,7 +66569,7 @@ index 0628d50..bedc8ae 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -399,7 +446,7 @@ interface(`rpm_read_script_tmp_files',`
+@@ -399,7 +443,7 @@ interface(`rpm_read_script_tmp_files',`
########################################
## <summary>
@@ -65978,7 +66578,7 @@ index 0628d50..bedc8ae 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -420,8 +467,7 @@ interface(`rpm_read_cache',`
+@@ -420,8 +464,7 @@ interface(`rpm_read_cache',`
########################################
## <summary>
@@ -65988,7 +66588,7 @@ index 0628d50..bedc8ae 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -442,7 +488,7 @@ interface(`rpm_manage_cache',`
+@@ -442,7 +485,7 @@ interface(`rpm_manage_cache',`
########################################
## <summary>
@@ -65997,7 +66597,7 @@ index 0628d50..bedc8ae 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -459,11 +505,12 @@ interface(`rpm_read_db',`
+@@ -459,11 +502,12 @@ interface(`rpm_read_db',`
allow $1 rpm_var_lib_t:dir list_dir_perms;
read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
@@ -66011,7 +66611,7 @@ index 0628d50..bedc8ae 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -482,8 +529,7 @@ interface(`rpm_delete_db',`
+@@ -482,8 +526,7 @@ interface(`rpm_delete_db',`
########################################
## <summary>
@@ -66021,7 +66621,7 @@ index 0628d50..bedc8ae 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -504,7 +550,7 @@ interface(`rpm_manage_db',`
+@@ -504,7 +547,7 @@ interface(`rpm_manage_db',`
########################################
## <summary>
## Do not audit attempts to create, read,
@@ -66030,7 +66630,7 @@ index 0628d50..bedc8ae 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -517,7 +563,7 @@ interface(`rpm_dontaudit_manage_db',`
+@@ -517,7 +560,7 @@ interface(`rpm_dontaudit_manage_db',`
type rpm_var_lib_t;
')
@@ -66039,7 +66639,7 @@ index 0628d50..bedc8ae 100644
dontaudit $1 rpm_var_lib_t:file manage_file_perms;
dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
')
-@@ -543,8 +589,7 @@ interface(`rpm_read_pid_files',`
+@@ -543,8 +586,7 @@ interface(`rpm_read_pid_files',`
#####################################
## <summary>
@@ -66049,7 +66649,7 @@ index 0628d50..bedc8ae 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -563,8 +608,7 @@ interface(`rpm_manage_pid_files',`
+@@ -563,8 +605,7 @@ interface(`rpm_manage_pid_files',`
######################################
## <summary>
@@ -66059,7 +66659,7 @@ index 0628d50..bedc8ae 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -573,94 +617,72 @@ interface(`rpm_manage_pid_files',`
+@@ -573,94 +614,72 @@ interface(`rpm_manage_pid_files',`
## </param>
#
interface(`rpm_pid_filetrans',`
@@ -66191,14 +66791,16 @@ index 0628d50..bedc8ae 100644
+ allow rpm_script_t $1:process sigchld;
')
diff --git a/rpm.te b/rpm.te
-index 5cbe81c..a29e4d0 100644
+index 5cbe81c..decdd95 100644
--- a/rpm.te
+++ b/rpm.te
-@@ -1,15 +1,11 @@
+@@ -1,15 +1,13 @@
-policy_module(rpm, 1.15.3)
+policy_module(rpm, 1.15.0)
+
+attribute rpm_transition_domain;
++attribute_role rpm_script_roles;
++roleattribute system_r rpm_script_roles;
########################################
#
@@ -66213,12 +66815,12 @@ index 5cbe81c..a29e4d0 100644
type rpm_t;
type rpm_exec_t;
init_system_domain(rpm_t, rpm_exec_t)
-@@ -17,10 +13,10 @@ domain_obj_id_change_exemption(rpm_t)
+@@ -17,10 +15,10 @@ domain_obj_id_change_exemption(rpm_t)
domain_role_change_exemption(rpm_t)
domain_system_change_exemption(rpm_t)
domain_interactive_fd(rpm_t)
-role rpm_roles types rpm_t;
-+role system_r types rpm_t;
++role rpm_script_roles types rpm_t;
-type rpm_initrc_exec_t;
-init_script_file(rpm_initrc_exec_t)
@@ -66227,7 +66829,7 @@ index 5cbe81c..a29e4d0 100644
type rpm_file_t;
files_type(rpm_file_t)
-@@ -31,9 +27,6 @@ files_tmp_file(rpm_tmp_t)
+@@ -31,9 +29,6 @@ files_tmp_file(rpm_tmp_t)
type rpm_tmpfs_t;
files_tmpfs_file(rpm_tmpfs_t)
@@ -66237,15 +66839,17 @@ index 5cbe81c..a29e4d0 100644
type rpm_log_t;
logging_log_file(rpm_log_t)
-@@ -56,7 +49,6 @@ corecmd_bin_entry_type(rpm_script_t)
+@@ -56,8 +51,7 @@ corecmd_bin_entry_type(rpm_script_t)
domain_type(rpm_script_t)
domain_entry_file(rpm_t, rpm_script_exec_t)
domain_interactive_fd(rpm_script_t)
-role rpm_roles types rpm_script_t;
- role system_r types rpm_script_t;
+-role system_r types rpm_script_t;
++role rpm_script_roles types rpm_script_t;
type rpm_script_tmp_t;
-@@ -75,23 +67,28 @@ allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit exec
+ files_tmp_file(rpm_script_tmp_t)
+@@ -75,23 +69,28 @@ allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit exec
allow rpm_t self:process { getattr setexec setfscreate setrlimit };
allow rpm_t self:fd use;
allow rpm_t self:fifo_file rw_fifo_file_perms;
@@ -66279,7 +66883,7 @@ index 5cbe81c..a29e4d0 100644
manage_dirs_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
manage_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
-@@ -99,23 +96,19 @@ manage_lnk_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
+@@ -99,23 +98,19 @@ manage_lnk_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
manage_fifo_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
manage_sock_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
fs_tmpfs_filetrans(rpm_t, rpm_tmpfs_t, { dir file lnk_file sock_file fifo_file })
@@ -66307,7 +66911,7 @@ index 5cbe81c..a29e4d0 100644
kernel_read_crypto_sysctls(rpm_t)
kernel_read_network_state(rpm_t)
-@@ -126,41 +119,34 @@ kernel_rw_irq_sysctls(rpm_t)
+@@ -126,41 +121,34 @@ kernel_rw_irq_sysctls(rpm_t)
corecmd_exec_all_executables(rpm_t)
@@ -66363,7 +66967,7 @@ index 5cbe81c..a29e4d0 100644
fs_getattr_all_dirs(rpm_t)
fs_list_inotifyfs(rpm_t)
-@@ -183,29 +169,49 @@ selinux_compute_relabel_context(rpm_t)
+@@ -183,29 +171,49 @@ selinux_compute_relabel_context(rpm_t)
selinux_compute_user_contexts(rpm_t)
storage_raw_write_fixed_disk(rpm_t)
@@ -66415,7 +67019,7 @@ index 5cbe81c..a29e4d0 100644
userdom_use_unpriv_users_fds(rpm_t)
optional_policy(`
-@@ -224,13 +230,17 @@ optional_policy(`
+@@ -224,13 +232,17 @@ optional_policy(`
networkmanager_dbus_chat(rpm_t)
')
@@ -66437,7 +67041,7 @@ index 5cbe81c..a29e4d0 100644
')
########################################
-@@ -239,19 +249,20 @@ optional_policy(`
+@@ -239,19 +251,20 @@ optional_policy(`
#
allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_rawio sys_nice mknod kill net_admin };
@@ -66461,7 +67065,7 @@ index 5cbe81c..a29e4d0 100644
allow rpm_script_t rpm_tmp_t:file read_file_perms;
allow rpm_script_t rpm_script_tmp_t:dir mounton;
-@@ -267,8 +278,9 @@ manage_lnk_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
+@@ -267,8 +280,9 @@ manage_lnk_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
manage_fifo_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
fs_tmpfs_filetrans(rpm_script_t, rpm_script_tmpfs_t, { dir file lnk_file sock_file fifo_file })
@@ -66472,7 +67076,7 @@ index 5cbe81c..a29e4d0 100644
kernel_read_crypto_sysctls(rpm_script_t)
kernel_read_kernel_sysctls(rpm_script_t)
-@@ -277,45 +289,27 @@ kernel_read_network_state(rpm_script_t)
+@@ -277,45 +291,27 @@ kernel_read_network_state(rpm_script_t)
kernel_list_all_proc(rpm_script_t)
kernel_read_software_raid_state(rpm_script_t)
@@ -66522,7 +67126,7 @@ index 5cbe81c..a29e4d0 100644
mls_file_read_all_levels(rpm_script_t)
mls_file_write_all_levels(rpm_script_t)
-@@ -331,30 +325,48 @@ storage_raw_write_fixed_disk(rpm_script_t)
+@@ -331,30 +327,48 @@ storage_raw_write_fixed_disk(rpm_script_t)
term_getattr_unallocated_ttys(rpm_script_t)
term_list_ptys(rpm_script_t)
@@ -66562,25 +67166,25 @@ index 5cbe81c..a29e4d0 100644
logging_send_syslog_msg(rpm_script_t)
-miscfiles_read_localization(rpm_script_t)
--
--modutils_run_depmod(rpm_script_t, rpm_roles)
--modutils_run_insmod(rpm_script_t, rpm_roles)
+miscfiles_filetrans_named_content(rpm_script_t)
+-modutils_run_depmod(rpm_script_t, rpm_roles)
+-modutils_run_insmod(rpm_script_t, rpm_roles)
+-
-seutil_run_loadpolicy(rpm_script_t, rpm_roles)
-seutil_run_setfiles(rpm_script_t, rpm_roles)
-seutil_run_semanage(rpm_script_t, rpm_roles)
-+seutil_domtrans_loadpolicy(rpm_script_t)
-+seutil_domtrans_setfiles(rpm_script_t)
-+seutil_domtrans_semanage(rpm_script_t)
-+seutil_domtrans_setsebool(rpm_script_t)
++seutil_run_loadpolicy(rpm_script_t, rpm_script_roles)
++seutil_run_setfiles(rpm_script_t, rpm_script_roles)
++seutil_run_semanage(rpm_script_t, rpm_script_roles)
++seutil_run_setsebool(rpm_script_t, rpm_script_roles)
userdom_use_all_users_fds(rpm_script_t)
+userdom_exec_admin_home_files(rpm_script_t)
ifdef(`distro_redhat',`
optional_policy(`
-@@ -363,24 +375,28 @@ ifdef(`distro_redhat',`
+@@ -363,40 +377,54 @@ ifdef(`distro_redhat',`
')
')
@@ -66591,52 +67195,53 @@ index 5cbe81c..a29e4d0 100644
optional_policy(`
- bootloader_run(rpm_script_t, rpm_roles)
-+ bootloader_domtrans(rpm_script_t)
++ bootloader_run(rpm_script_t, rpm_script_roles)
++')
++
++optional_policy(`
++ certmonger_dbus_chat(rpm_script_t)
++')
++
++optional_policy(`
++ cups_filetrans_named_content(rpm_script_t)
')
optional_policy(`
-- dbus_system_bus_client(rpm_script_t)
-+ certmonger_dbus_chat(rpm_script_t)
+ dbus_system_bus_client(rpm_script_t)
+')
- optional_policy(`
- unconfined_dbus_chat(rpm_script_t)
- ')
+optional_policy(`
-+ cups_filetrans_named_content(rpm_script_t)
++ lvm_domtrans(rpm_script_t, rpm_script_roles)
+')
+
+optional_policy(`
-+ dbus_system_bus_client(rpm_script_t)
++ ntp_run(rpm_script_t, rpm_script_roles)
')
optional_policy(`
- lvm_run(rpm_script_t, rpm_roles)
-+ lvm_domtrans(rpm_script_t)
++ modutils_run_depmod(rpm_script_t, rpm_script_roles)
++ modutils_run_insmod(rpm_script_t, rpm_script_roles)
')
optional_policy(`
-@@ -388,8 +404,17 @@ optional_policy(`
+- ntp_domtrans(rpm_script_t)
++ openshift_initrc_run(rpm_script_t, rpm_script_roles)
')
optional_policy(`
- tzdata_run(rpm_t, rpm_roles)
- tzdata_run(rpm_script_t, rpm_roles)
-+ modutils_domtrans_depmod(rpm_script_t)
-+ modutils_domtrans_insmod(rpm_script_t)
-+')
-+
-+optional_policy(`
-+ openshift_initrc_domtrans(rpm_script_t)
-+')
-+
-+optional_policy(`
+ tzdata_domtrans(rpm_t)
-+ tzdata_domtrans(rpm_script_t)
++ tzdata_run(rpm_script_t, rpm_script_roles)
')
optional_policy(`
-@@ -397,6 +422,7 @@ optional_policy(`
+- udev_domtrans(rpm_script_t)
++ udev_run(rpm_script_t, rpm_script_roles)
')
optional_policy(`
@@ -66644,14 +67249,14 @@ index 5cbe81c..a29e4d0 100644
unconfined_domtrans(rpm_script_t)
optional_policy(`
-@@ -409,6 +435,6 @@ optional_policy(`
+@@ -409,6 +437,6 @@ optional_policy(`
')
optional_policy(`
- usermanage_run_groupadd(rpm_script_t, rpm_roles)
- usermanage_run_useradd(rpm_script_t, rpm_roles)
-+ usermanage_domtrans_groupadd(rpm_script_t)
-+ usermanage_domtrans_useradd(rpm_script_t)
++ usermanage_run_groupadd(rpm_script_t, rpm_script_roles)
++ usermanage_run_useradd(rpm_script_t, rpm_script_roles)
')
diff --git a/rshd.fc b/rshd.fc
index 9ad0d58..6a4db03 100644
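Review bot: `lvm_domtrans(rpm_script_t, rpm_script_roles)` passes a role to an interface that, in reference policy, takes only the domain; m4 silently discards the extra argument, so rpm_script_roles never receives `role ... types lvm_t` and a scriptlet running from a non-system_r role in that attribute will be refused the transition on role grounds. The neighbouring lines in this hunk moved to the `*_run` form for exactly this reason (`ntp_run`, `modutils_run_*`, `tzdata_run`, `udev_run`), so this looks like an oversight: `lvm_run(rpm_script_t, rpm_script_roles)`. If lvm_run is not available in this tree, the single-argument `lvm_domtrans(rpm_script_t)` at least does not imply a role grant that is never made.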
@@ -66824,7 +67429,7 @@ index d25301b..2d77839 100644
/var/log/rsync\.log.* -- gen_context(system_u:object_r:rsync_log_t,s0)
diff --git a/rsync.if b/rsync.if
-index f1140ef..6bde558 100644
+index f1140ef..c5bd83a 100644
--- a/rsync.if
+++ b/rsync.if
@@ -1,16 +1,16 @@
@@ -66946,7 +67551,7 @@ index f1140ef..6bde558 100644
can_exec($1, rsync_exec_t)
')
-@@ -165,18 +119,18 @@ interface(`rsync_read_config',`
+@@ -165,13 +119,13 @@ interface(`rsync_read_config',`
type rsync_etc_t;
')
@@ -66958,96 +67563,114 @@ index f1140ef..6bde558 100644
########################################
## <summary>
-## Write rsync config files.
-+## Write to rsync config files.
++## Read rsync data files.
## </summary>
## <param name="domain">
--## <summary>
-+## <summary>
- ## Domain allowed access.
--## </summary>
-+## </summary>
+ ## <summary>
+@@ -179,19 +133,18 @@ interface(`rsync_read_config',`
+ ## </summary>
## </param>
#
- interface(`rsync_write_config',`
-@@ -184,14 +138,13 @@ interface(`rsync_write_config',`
- type rsync_etc_t;
+-interface(`rsync_write_config',`
++interface(`rsync_read_data',`
+ gen_require(`
+- type rsync_etc_t;
++ type rsync_data_t;
')
-+ write_files_pattern($1, rsync_etc_t, rsync_etc_t)
- files_search_etc($1)
+- files_search_etc($1)
- allow $1 rsync_etc_t:file write_file_perms;
++ read_files_pattern($1, rsync_data_t, rsync_data_t)
')
++
########################################
## <summary>
-## Create, read, write, and delete
-## rsync config files.
-+## Manage rsync config files.
++## Write to rsync config files.
## </summary>
## <param name="domain">
## <summary>
-@@ -199,18 +152,18 @@ interface(`rsync_write_config',`
+@@ -199,83 +152,54 @@ interface(`rsync_write_config',`
## </summary>
## </param>
#
-interface(`rsync_manage_config_files',`
-+interface(`rsync_manage_config',`
++interface(`rsync_write_config',`
gen_require(`
type rsync_etc_t;
')
-- files_search_etc($1)
- manage_files_pattern($1, rsync_etc_t, rsync_etc_t)
-+ files_search_etc($1)
++ write_files_pattern($1, rsync_etc_t, rsync_etc_t)
+ files_search_etc($1)
+- manage_files_pattern($1, rsync_etc_t, rsync_etc_t)
')
########################################
## <summary>
-## Create specified objects in etc directories
-+## Create objects in etc directories
- ## with rsync etc type.
+-## with rsync etc type.
++## Manage rsync config files.
## </summary>
## <param name="domain">
-@@ -223,11 +176,6 @@ interface(`rsync_manage_config_files',`
- ## Class of the object being created.
- ## </summary>
- ## </param>
--## <param name="name" optional="true">
+ ## <summary>
+-## Domain allowed to transition.
+-## </summary>
+-## </param>
+-## <param name="object_class">
-## <summary>
--## The name of the object being created.
+-## Class of the object being created.
-## </summary>
-## </param>
+-## <param name="name" optional="true">
+-## <summary>
+-## The name of the object being created.
++## Domain allowed access.
+ ## </summary>
+ ## </param>
#
- interface(`rsync_etc_filetrans_config',`
+-interface(`rsync_etc_filetrans_config',`
++interface(`rsync_manage_config',`
gen_require(`
-@@ -236,46 +184,3 @@ interface(`rsync_etc_filetrans_config',`
+ type rsync_etc_t;
+ ')
- files_etc_filetrans($1, rsync_etc_t, $2, $3)
+- files_etc_filetrans($1, rsync_etc_t, $2, $3)
++ manage_files_pattern($1, rsync_etc_t, rsync_etc_t)
++ files_search_etc($1)
')
--
--########################################
--## <summary>
+
+ ########################################
+ ## <summary>
-## All of the rules required to
-## administrate an rsync environment.
--## </summary>
--## <param name="domain">
--## <summary>
++## Create objects in etc directories
++## with rsync etc type.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
-## Domain allowed access.
--## </summary>
--## </param>
++## Domain allowed to transition.
+ ## </summary>
+ ## </param>
-## <param name="role">
--## <summary>
++## <param name="object_class">
+ ## <summary>
-## Role allowed access.
--## </summary>
--## </param>
++## Class of the object being created.
+ ## </summary>
+ ## </param>
-## <rolecap/>
--#
+ #
-interface(`rsync_admin',`
-- gen_require(`
++interface(`rsync_etc_filetrans_config',`
+ gen_require(`
- type rsync_t, rsync_etc_t, rsync_data_t;
- type rsync_log_t, rsync_tmp_t. rsync_var_run_t;
-- ')
--
++ type rsync_etc_t;
+ ')
+
- allow $1 rsync_t:process { ptrace signal_perms };
- ps_process_pattern($1, rsync_t)
-
@@ -67066,9 +67689,10 @@ index f1140ef..6bde558 100644
- admin_pattern($1, rsync_var_run_t)
-
- rsync_run($1, $2)
--')
++ files_etc_filetrans($1, rsync_etc_t, $2, $3)
+ ')
diff --git a/rsync.te b/rsync.te
-index e3e7c96..ad3e416 100644
+index e3e7c96..2574954 100644
--- a/rsync.te
+++ b/rsync.te
@@ -1,4 +1,4 @@
@@ -67172,7 +67796,7 @@ index e3e7c96..ad3e416 100644
files_type(rsync_data_t)
type rsync_log_t;
-@@ -86,15 +79,23 @@ files_pid_file(rsync_var_run_t)
+@@ -86,15 +79,25 @@ files_pid_file(rsync_var_run_t)
allow rsync_t self:capability { chown dac_read_search dac_override fowner fsetid setuid setgid sys_chroot };
allow rsync_t self:process signal_perms;
allow rsync_t self:fifo_file rw_fifo_file_perms;
@@ -67195,13 +67819,15 @@ index e3e7c96..ad3e416 100644
+read_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
+read_lnk_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
+allow rsync_t rsync_data_t:dir_file_class_set getattr;
++allow rsync_t rsync_data_t:socket_class_set getattr;
++allow rsync_t rsync_data_t:sock_file setattr;
-allow rsync_t rsync_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+manage_files_pattern(rsync_t, rsync_log_t, rsync_log_t)
logging_log_filetrans(rsync_t, rsync_log_t, file)
manage_dirs_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t)
-@@ -108,91 +109,76 @@ kernel_read_kernel_sysctls(rsync_t)
+@@ -108,91 +111,76 @@ kernel_read_kernel_sysctls(rsync_t)
kernel_read_system_state(rsync_t)
kernel_read_network_state(rsync_t)
@@ -75763,7 +76389,7 @@ index dbb005a..45291bb 100644
-/var/run/sssd\.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)
+/var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)
diff --git a/sssd.if b/sssd.if
-index a240455..6c2da43 100644
+index a240455..54c5c1f 100644
--- a/sssd.if
+++ b/sssd.if
@@ -1,21 +1,21 @@
@@ -76018,7 +76644,7 @@ index a240455..6c2da43 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -317,8 +352,26 @@ interface(`sssd_stream_connect',`
+@@ -317,8 +352,27 @@ interface(`sssd_stream_connect',`
########################################
## <summary>
@@ -76034,10 +76660,11 @@ index a240455..6c2da43 100644
+#
+interface(`sssd_dontaudit_stream_connect',`
+ gen_require(`
-+ type sssd_t;
++ type sssd_t, sssd_var_lib_t;
+ ')
+
+ dontaudit $1 sssd_t:unix_stream_socket connectto;
++ dontaudit $1 sssd_var_lib_t:sock_file write;
+')
+
+########################################
@@ -76047,7 +76674,7 @@ index a240455..6c2da43 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -327,7 +380,7 @@ interface(`sssd_stream_connect',`
+@@ -327,7 +381,7 @@ interface(`sssd_stream_connect',`
## </param>
## <param name="role">
## <summary>
@@ -76056,7 +76683,7 @@ index a240455..6c2da43 100644
## </summary>
## </param>
## <rolecap/>
-@@ -335,27 +388,29 @@ interface(`sssd_stream_connect',`
+@@ -335,27 +389,29 @@ interface(`sssd_stream_connect',`
interface(`sssd_admin',`
gen_require(`
type sssd_t, sssd_public_t, sssd_initrc_exec_t;
@@ -76719,6 +77346,181 @@ index c6aaac7..dc3f167 100644
-miscfiles_read_localization(svnserve_t)
-
sysnet_dns_name_resolve(svnserve_t)
+diff --git a/swift.fc b/swift.fc
+new file mode 100644
+index 0000000..7917018
+--- /dev/null
++++ b/swift.fc
+@@ -0,0 +1,9 @@
++/usr/bin/swift-object-auditor -- gen_context(system_u:object_r:swift_exec_t,s0)
++/usr/bin/swift-object-info -- gen_context(system_u:object_r:swift_exec_t,s0)
++/usr/bin/swift-object-replicator -- gen_context(system_u:object_r:swift_exec_t,s0)
++/usr/bin/swift-object-server -- gen_context(system_u:object_r:swift_exec_t,s0)
++/usr/bin/swift-object-updater -- gen_context(system_u:object_r:swift_exec_t,s0)
++
++/usr/lib/systemd/system/openstack-swift.* -- gen_context(system_u:object_r:swift_unit_file_t,s0)
++
++/var/run/swift(/.*)? gen_context(system_u:object_r:swift_var_run_t,s0)
+diff --git a/swift.if b/swift.if
+new file mode 100644
+index 0000000..4ec3f4d
+--- /dev/null
++++ b/swift.if
+@@ -0,0 +1,103 @@
++
++## <summary>policy for swift</summary>
++
++########################################
++## <summary>
++## Execute TEMPLATE in the swift domin.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`swift_domtrans',`
++ gen_require(`
++ type swift_t, swift_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, swift_exec_t, swift_t)
++')
++########################################
++## <summary>
++## Read swift PID files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`swift_read_pid_files',`
++ gen_require(`
++ type swift_var_run_t;
++ ')
++
++ files_search_pids($1)
++ read_files_pattern($1, swift_var_run_t, swift_var_run_t)
++')
++
++########################################
++## <summary>
++## Execute swift server in the swift domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`swift_systemctl',`
++ gen_require(`
++ type swift_t;
++ type swift_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_read_fifo_file_password_run($1)
++ allow $1 swift_unit_file_t:file read_file_perms;
++ allow $1 swift_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, swift_t)
++')
++
++
++########################################
++## <summary>
++## All of the rules required to administrate
++## an swift environment
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## Role allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`swift_admin',`
++ gen_require(`
++ type swift_t;
++ type swift_var_run_t;
++ type swift_unit_file_t;
++ ')
++
++ allow $1 swift_t:process { ptrace signal_perms };
++ ps_process_pattern($1, swift_t)
++
++ files_search_pids($1)
++ admin_pattern($1, swift_var_run_t)
++
++ swift_systemctl($1)
++ admin_pattern($1, swift_unit_file_t)
++ allow $1 swift_unit_file_t:service all_service_perms;
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
+diff --git a/swift.te b/swift.te
+new file mode 100644
+index 0000000..e3eab32
+--- /dev/null
++++ b/swift.te
+@@ -0,0 +1,45 @@
++policy_module(swift, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type swift_t;
++type swift_exec_t;
++init_daemon_domain(swift_t, swift_exec_t)
++
++type swift_var_run_t;
++files_pid_file(swift_var_run_t)
++
++type swift_unit_file_t;
++systemd_unit_file(swift_unit_file_t)
++
++########################################
++#
++# swift local policy
++#
++
++allow swift_t self:fifo_file rw_fifo_file_perms;
++allow swift_t self:unix_stream_socket create_stream_socket_perms;
++allow swift_t self:unix_dgram_socket create_socket_perms;
++
++manage_dirs_pattern(swift_t, swift_var_run_t, swift_var_run_t)
++manage_files_pattern(swift_t, swift_var_run_t, swift_var_run_t)
++manage_lnk_files_pattern(swift_t, swift_var_run_t, swift_var_run_t)
++files_pid_filetrans(swift_t, swift_var_run_t, { dir })
++
++kernel_dgram_send(swift_t)
++kernel_read_system_state(swift_t)
++
++corecmd_exec_shell(swift_t)
++
++dev_read_urand(swift_t)
++
++domain_use_interactive_fds(swift_t)
++
++auth_use_nsswitch(swift_t)
++
++libs_exec_ldconfig(swift_t)
++
++logging_send_syslog_msg(swift_t)
diff --git a/sxid.te b/sxid.te
index c9824cb..1973f71 100644
--- a/sxid.te
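Review bot: `swift_systemctl` calls `systemd_read_fifo_file_password_run($1)` while `swift_admin` calls `systemd_read_fifo_file_passwd_run($1)`; only one spelling can be declared in systemd.if, so whichever is wrong fails the policy build — pick the declared name and use it in both interfaces. The `swift_domtrans` summary still reads `Execute TEMPLATE in the swift domin.` and `swift_systemctl` is summarised as `Execute swift server in the swift domain.` although it grants systemctl control over the unit rather than a domain transition; suggest `Execute swift in the swift domain.` and `Execute systemctl to manage the swift unit file.`, and `an swift environment` → `a swift environment`. In swift.te, `corecmd_exec_shell(swift_t)` and `libs_exec_ldconfig(swift_t)` are broad grants for a freshly confined daemon; a one-line comment naming the denial that motivated each would let a later reviewer judge whether they can be narrowed.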
@@ -76750,7 +77552,7 @@ index c9824cb..1973f71 100644
userdom_dontaudit_use_unpriv_user_fds(sxid_t)
diff --git a/sysstat.te b/sysstat.te
-index c8b80b2..c6580e4 100644
+index c8b80b2..e6b8ab8 100644
--- a/sysstat.te
+++ b/sysstat.te
@@ -38,6 +38,7 @@ kernel_read_kernel_sysctls(sysstat_t)
@@ -76761,16 +77563,19 @@ index c8b80b2..c6580e4 100644
corecmd_exec_bin(sysstat_t)
dev_read_sysfs(sysstat_t)
-@@ -50,7 +51,7 @@ fs_getattr_xattr_fs(sysstat_t)
+@@ -49,8 +50,10 @@ files_read_etc_runtime_files(sysstat_t)
+ fs_getattr_xattr_fs(sysstat_t)
fs_list_inotifyfs(sysstat_t)
++storage_getattr_fixed_disk_dev(sysstat_t)
++
term_use_console(sysstat_t)
-term_use_all_terms(sysstat_t)
+term_use_all_inherited_terms(sysstat_t)
auth_use_nsswitch(sysstat_t)
-@@ -60,10 +61,9 @@ locallogin_use_fds(sysstat_t)
+@@ -60,10 +63,9 @@ locallogin_use_fds(sysstat_t)
logging_send_syslog_msg(sysstat_t)
@@ -80380,7 +81185,7 @@ index c416a83..cd83b89 100644
+/usr/sbin/userhelper -- gen_context(system_u:object_r:userhelper_exec_t,s0)
+/usr/bin/consolehelper -- gen_context(system_u:object_r:consolehelper_exec_t,s0)
diff --git a/userhelper.if b/userhelper.if
-index cf118fd..3b93d32 100644
+index cf118fd..cd80e83 100644
--- a/userhelper.if
+++ b/userhelper.if
@@ -1,4 +1,4 @@
@@ -80573,75 +81378,58 @@ index cf118fd..3b93d32 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -136,8 +195,7 @@ interface(`userhelper_dontaudit_search_config',`
+@@ -136,28 +195,26 @@ interface(`userhelper_dontaudit_search_config',`
########################################
## <summary>
-## Send and receive messages from
-## consolehelper over dbus.
-+## Allow domain to use userhelper file descriptor.
++## Do not audit attempts to write
++## the userhelper configuration files.
## </summary>
## <param name="domain">
## <summary>
-@@ -145,19 +203,17 @@ interface(`userhelper_dontaudit_search_config',`
+-## Domain allowed access.
++## Domain to not audit.
## </summary>
## </param>
#
-interface(`userhelper_dbus_chat_all_consolehelper',`
-+interface(`userhelper_use_fd',`
++interface(`userhelper_dontaudit_write_config',`
gen_require(`
- attribute consolehelper_type;
- class dbus send_msg;
-+ attribute userhelper_type;
++ type userhelper_conf_t;
')
- allow $1 consolehelper_type:dbus send_msg;
- allow consolehelper_type $1:dbus send_msg;
-+ allow $1 userhelper_type:fd use;
++ dontaudit $1 userhelper_conf_t:file write;
')
########################################
## <summary>
-## Use userhelper all userhelper file descriptors.
-+## Allow domain to send sigchld to userhelper.
++## Allow domain to use userhelper file descriptor.
## </summary>
## <param name="domain">
## <summary>
-@@ -165,17 +221,17 @@ interface(`userhelper_dbus_chat_all_consolehelper',`
- ## </summary>
- ## </param>
- #
--interface(`userhelper_use_fd',`
-+interface(`userhelper_sigchld',`
- gen_require(`
- attribute userhelper_type;
- ')
-
-- allow $1 userhelper_type:fd use;
-+ allow $1 userhelper_type:process sigchld;
- ')
+@@ -175,7 +232,7 @@ interface(`userhelper_use_fd',`
########################################
## <summary>
-## Send child terminated signals to all userhelper.
-+## Execute the userhelper program in the caller domain.
++## Allow domain to send sigchld to userhelper.
## </summary>
## <param name="domain">
## <summary>
-@@ -183,17 +239,87 @@ interface(`userhelper_use_fd',`
- ## </summary>
- ## </param>
- #
--interface(`userhelper_sigchld',`
-+interface(`userhelper_exec',`
- gen_require(`
-- attribute userhelper_type;
-+ type userhelper_exec_t;
+@@ -206,6 +263,93 @@ interface(`userhelper_exec',`
+ type userhelper_exec_t;
')
-- allow $1 userhelper_type:process sigchld;
-+ can_exec($1, userhelper_exec_t)
-+')
+- corecmd_search_bin($1)
+ can_exec($1, userhelper_exec_t)
+ ')
+
+#######################################
+## <summary>
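Review bot: The new side of `userhelper_exec` drops `corecmd_search_bin($1)` (`+- corecmd_search_bin($1)`) and keeps only `can_exec($1, userhelper_exec_t)`, so a caller that does not already have search on bin_t directories will presumably fail to reach /usr/sbin/userhelper with a dir search denial rather than an exec one; the new `userhelper_exec_console` in the next hunk has the same omission, while `swift_domtrans` elsewhere on this page keeps the conventional `corecmd_search_bin($1)` before its transition. Suggest restoring `corecmd_search_bin($1)` in both interfaces, or, if the removal is deliberate, a comment saying why. Both interface bodies are cut by the hunk boundaries.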
@@ -80711,35 +81499,30 @@ index cf118fd..3b93d32 100644
+ xserver_run_xauth($1_consolehelper_t, $2)
+ xserver_read_xdm_pid($1_consolehelper_t)
+ ')
- ')
-
- ########################################
- ## <summary>
--## Execute the userhelper program in the caller domain.
++')
++
++########################################
++## <summary>
+## Execute the consolehelper program in the caller domain.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -201,11 +327,10 @@ interface(`userhelper_sigchld',`
- ## </summary>
- ## </param>
- #
--interface(`userhelper_exec',`
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
+interface(`userhelper_exec_console',`
- gen_require(`
-- type userhelper_exec_t;
++ gen_require(`
+ type consolehelper_exec_t;
- ')
-
-- corecmd_search_bin($1)
-- can_exec($1, userhelper_exec_t)
++ ')
++
+ can_exec($1, consolehelper_exec_t)
- ')
++')
diff --git a/userhelper.te b/userhelper.te
-index 274ed9c..23b8929 100644
+index 274ed9c..4d8adf9 100644
--- a/userhelper.te
+++ b/userhelper.te
-@@ -1,18 +1,15 @@
+@@ -1,15 +1,12 @@
-policy_module(userhelper, 1.7.3)
+policy_module(userhelper, 1.7.0)
@@ -80756,11 +81539,7 @@ index 274ed9c..23b8929 100644
+attribute consolehelper_domain;
type userhelper_conf_t;
--files_config_file(userhelper_conf_t)
-+files_type(userhelper_conf_t)
-
- type userhelper_exec_t;
- application_executable_file(userhelper_exec_t)
+ files_config_file(userhelper_conf_t)
@@ -22,141 +19,67 @@ application_executable_file(consolehelper_exec_t)
########################################
@@ -83153,7 +83932,7 @@ index 9dec06c..d8a2b54 100644
+ allow svirt_lxc_domain $1:process sigchld;
')
diff --git a/virt.te b/virt.te
-index 1f22fba..f704c9a 100644
+index 1f22fba..def6a6b 100644
--- a/virt.te
+++ b/virt.te
@@ -1,94 +1,98 @@
@@ -83504,9 +84283,7 @@ index 1f22fba..f704c9a 100644
-
-storage_raw_write_removable_device(virt_domain)
-storage_raw_read_removable_device(virt_domain)
-+# it was a part of auth_use_nsswitch
-+allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
-
+-
-term_use_all_terms(virt_domain)
-term_getattr_pty_fs(virt_domain)
-term_use_generic_ptys(virt_domain)
@@ -83569,17 +84346,15 @@ index 1f22fba..f704c9a 100644
- fs_manage_dos_dirs(virt_domain)
- fs_manage_dos_files(virt_domain)
-')
--
++# it was a part of auth_use_nsswitch
++allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
+
-optional_policy(`
- tunable_policy(`virt_use_xserver',`
- xserver_read_xdm_pid(virt_domain)
- xserver_stream_connect(virt_domain)
- ')
-')
--
--optional_policy(`
-- dbus_read_lib_files(virt_domain)
--')
+corenet_udp_sendrecv_generic_if(svirt_t)
+corenet_udp_sendrecv_generic_node(svirt_t)
+corenet_udp_sendrecv_all_ports(svirt_t)
@@ -83589,20 +84364,24 @@ index 1f22fba..f704c9a 100644
+corenet_tcp_connect_all_ports(svirt_t)
-optional_policy(`
-- nscd_use(virt_domain)
+- dbus_read_lib_files(virt_domain)
-')
+miscfiles_read_generic_certs(svirt_t)
optional_policy(`
-- samba_domtrans_smbd(virt_domain)
+- nscd_use(virt_domain)
+ xen_rw_image_files(svirt_t)
')
optional_policy(`
-- xen_rw_image_files(virt_domain)
+- samba_domtrans_smbd(virt_domain)
+ nscd_use(svirt_t)
')
+-optional_policy(`
+- xen_rw_image_files(virt_domain)
+-')
+-
-########################################
+#######################################
#
@@ -83615,7 +84394,9 @@ index 1f22fba..f704c9a 100644
-
-dontaudit svirt_t virt_content_t:file write_file_perms;
-dontaudit svirt_t virt_content_t:dir rw_dir_perms;
--
++allow svirt_tcg_t self:process { execmem execstack };
++allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms;
+
-append_files_pattern(svirt_t, virt_home_t, virt_home_t)
-manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t)
-manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
@@ -83624,9 +84405,7 @@ index 1f22fba..f704c9a 100644
-filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu")
-
-stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t)
-+allow svirt_tcg_t self:process { execmem execstack };
-+allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms;
-
+-
-corenet_udp_sendrecv_generic_if(svirt_t)
-corenet_udp_sendrecv_generic_node(svirt_t)
-corenet_udp_sendrecv_all_ports(svirt_t)
@@ -84308,12 +85087,12 @@ index 1f22fba..f704c9a 100644
-dontaudit virsh_t virt_var_lib_t:file read_file_perms;
-
-allow virsh_t svirt_lxc_domain:process transition;
--
--can_exec(virsh_t, virsh_exec_t)
+manage_dirs_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+manage_files_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+virt_filetrans_named_content(virsh_t)
+-can_exec(virsh_t, virsh_exec_t)
+-
-virt_domtrans(virsh_t)
-virt_manage_images(virsh_t)
-virt_manage_config(virsh_t)
@@ -84635,7 +85414,7 @@ index 1f22fba..f704c9a 100644
optional_policy(`
udev_read_pid_files(svirt_lxc_domain)
-@@ -1078,81 +1115,63 @@ optional_policy(`
+@@ -1078,81 +1115,67 @@ optional_policy(`
apache_read_sys_content(svirt_lxc_domain)
')
@@ -84643,6 +85422,10 @@ index 1f22fba..f704c9a 100644
-#
-# Lxc net local policy
-#
++optional_policy(`
++ userhelper_dontaudit_write_config(svirt_lxc_domain)
++')
++
+virt_lxc_domain_template(svirt_lxc_net)
-allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin sys_admin sys_nice sys_ptrace sys_resource setpcap };
@@ -84702,30 +85485,29 @@ index 1f22fba..f704c9a 100644
fs_mount_cgroup(svirt_lxc_net_t)
fs_manage_cgroup_dirs(svirt_lxc_net_t)
-fs_rw_cgroup_files(svirt_lxc_net_t)
--
--auth_use_nsswitch(svirt_lxc_net_t)
+fs_manage_cgroup_files(svirt_lxc_net_t)
-
--logging_send_audit_msgs(svirt_lxc_net_t)
++
+term_pty(svirt_lxc_file_t)
--userdom_use_user_ptys(svirt_lxc_net_t)
-+auth_use_nsswitch(svirt_lxc_net_t)
+ auth_use_nsswitch(svirt_lxc_net_t)
+
++rpm_read_db(svirt_lxc_net_t)
++
+ logging_send_audit_msgs(svirt_lxc_net_t)
+
+ userdom_use_user_ptys(svirt_lxc_net_t)
-optional_policy(`
- rpm_read_db(svirt_lxc_net_t)
-')
-+rpm_read_db(svirt_lxc_net_t)
-
+-
-#######################################
-#
-# Prot exec local policy
-#
-+logging_send_audit_msgs(svirt_lxc_net_t)
-
+-
-allow svirt_prot_exec_t self:process { execmem execstack };
-+userdom_use_inherited_user_ptys(svirt_lxc_net_t)
-
+-
########################################
#
-# Qmf local policy
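Review bot: On the new side svirt_lxc_net_t keeps upstream's `userdom_use_user_ptys(svirt_lxc_net_t)` and the patch no longer substitutes `userdom_use_inherited_user_ptys(svirt_lxc_net_t)`, which widens a container domain from using ptys handed to it to opening user ptys itself. The changelog attributes this to starting a command outside the tty, but nothing in virt.te records that; a comment such as `# containers are launched by a command outside the tty and need the user's pty` next to the call would keep the widening from being quietly reverted or copied into other domains. `rpm_read_db(svirt_lxc_net_t)` also moved out of an `optional_policy` block; if rpm is not a base module in this tree that turns an optional dependency into a hard one — confirm.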
@@ -84740,7 +85522,7 @@ index 1f22fba..f704c9a 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1165,12 +1184,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1165,12 +1188,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@@ -84755,7 +85537,7 @@ index 1f22fba..f704c9a 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1183,9 +1202,8 @@ optional_policy(`
+@@ -1183,9 +1206,8 @@ optional_policy(`
########################################
#
@@ -84766,7 +85548,7 @@ index 1f22fba..f704c9a 100644
allow virt_bridgehelper_t self:process { setcap getcap };
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1198,5 +1216,65 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1198,5 +1220,65 @@ kernel_read_network_state(virt_bridgehelper_t)
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 00cba9a..bdab254 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 9%{?dist}
+Release: 10%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -521,6 +521,56 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Tue Jan 5 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-10
+- Fix smartmontools
+- Fix userdom_restricted_xwindows_user_template() interface
+- Add xserver_xdm_ioctl_log() interface
+- Allow Xusers to ioctl lxdm.log to make lxdm working
+- Add MLS fixes to make MLS boot/log-in working
+- Add mls_socket_write_all_levels() also for syslogd
+- fsck.xfs needs to read passwd
+- Fix ntp_filetrans_named_content calling in init.te
+- Allow postgresql to create pg_log dir
+- Allow sshd to read rsync_data_t to make rsync <backuphost> working
+- Change ntp.conf to be labeled net_conf_t
+- Allow useradd to create homedirs in /run. ircd-ratbox does this and we should just allow it
+- Allow xdm_t to execute gstreamer home content
+- Allod initrc_t and unconfined domains, and sysadm_t to manage ntp
+- New policy for openstack swift domains
+- More access required for openshift_cron_t
+- Use cupsd_log_t instead of cupsd_var_log_t
+- rpm_script_roles should be used in rpm_run
+- Fix rpm_run() interface
+- Fix openshift_initrc_run()
+- Fix sssd_dontaudit_stream_connect() interface
+- Fix sssd_dontaudit_stream_connect() interface
+- Allow LDA's job to deliver mail to the mailbox
+- dontaudit block_suspend for mozilla_plugin_t
+- Allow l2tpd_t to all signal perms
+- Allow uuidgen to read /dev/random
+- Allow mozilla-plugin-config to read power_supply info
+- Implement cups_domain attribute for cups domains
+- We now need access to user terminals since we start by executing a command outside the tty
+- We now need access to user terminals since we start by executing a command outside the tty
+- svirt lxc containers want to execute userhelper apps, need these changes to allow this to happen
+- Add containment of openshift cron jobs
+- Allow system cron jobs to create tmp directories
+- Make userhelp_conf_t a config file
+- Change rpm to use rpm_script_roles
+- More fixes for rsync to make rsync <backuphost> wokring
+- Allow logwatch to domtrans to mdadm
+- Allow pacemaker to domtrans to ifconfig
+- Allow pacemaker to setattr on corosync.log
+- Add pacemaker_use_execmem for memcheck-amd64 command
+- Allow block_suspend capability
+- Allow create fifo_file in /tmp with pacemaker_tmp_t
+- Allow systat to getattr on fixed disk
+- Relabel /etc/ntp.conf to be net_conf_t
+- ntp_admin should create files in /etc with the correct label
+- Add interface to create ntp_conf_t files in /etc
+- Add additional labeling for quantum
+- Allow quantum to execute dnsmasq with transition
+
* Wed Jan 30 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-9
- boinc_cliean wants also execmem as boinc projecs have
- Allow sa-update to search admin home for /root/.spamassassin