[selinux-policy/f18] - Allow git_system_t to read network state - Allow pegasas to execute mount command - Allow nagios c

Miroslav Grepl mgrepl at fedoraproject.org
Mon Apr 15 10:31:43 UTC 2013


commit 6cd83dcaa84d046360bc735d965185a60058c598
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Mon Apr 15 12:31:06 2013 +0200

    - Allow git_system_t to read network state
    - Allow pegasas to execute mount command
    - Allow nagios check disk plugins to execute bin_t
    - Remove transition to mozilla_tmp_t by mozilla_t, to allow it to manage the users tmp
    - Allow quantum to transition to openvswitch_t
    - Allow quantum to use databas
    - allow quantum to stream connect to openvswitch
    - Allow alsa_t signal_perms, we probably should search for any app that can execute som
    - Add dontaudit for mozilla_plugin_t looking at the xdm_t sockets
    - Allow winbind to manage kerberos_rcache_host
    - Allow spamd to create spamd_var_lib_t directories
    - Dontaudit attempts by httpd_t attempting to read rpm database.  Customer triggered t
    - Add missing nslcd_dontaudit_write_sock_file() interface
    - Fix pki_read_tomcat_lib_files() interface
    - Allow certmonger to read pki-tomcat lib files
    - Allow certwatch to execute bin_t
    - Allow snmp to manage /var/lib/net-snmp files
    - Fix for openvswitch_stream_connect()
    - Add rgmanager_search_lib() interface
    - Fix pki_read_tomcat_lib_files() interface
    - Fix cobbler_manage_lib_files() interface
    - Add xserver_dontaudit_xdm_rw_stream_sockets() interface
    - Allow daemon to send dgrams to initrc_t
    - Update textrel_shlib_t names
    - Allow kdm to start the power service to initiate a reboot or poweroff

 policy-f18-base.patch    |  306 +++++++++++++++++++++++-------------
 policy-f18-contrib.patch |  397 ++++++++++++++++++++++++++++++++++------------
 selinux-policy.spec      |   29 ++++-
 3 files changed, 520 insertions(+), 212 deletions(-)
---
diff --git a/policy-f18-base.patch b/policy-f18-base.patch
index cfbf58f..466c477 100644
--- a/policy-f18-base.patch
+++ b/policy-f18-base.patch
@@ -128769,7 +128769,7 @@ index fc86b7c..c65935b 100644
 +/var/lib/pqsql/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 +
 diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 130ced9..888cb7e 100644
+index 130ced9..31366ca 100644
 --- a/policy/modules/services/xserver.if
 +++ b/policy/modules/services/xserver.if
 @@ -19,9 +19,10 @@
@@ -129534,10 +129534,57 @@ index 130ced9..888cb7e 100644
  ')
  
  ########################################
-@@ -1185,6 +1518,26 @@ interface(`xserver_stream_connect',`
+@@ -1169,27 +1502,27 @@ interface(`xserver_dontaudit_rw_stream_sockets',`
  
- 	files_search_tmp($1)
- 	stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
+ ########################################
+ ## <summary>
+-##	Connect to the X server over a unix domain
+-##	stream socket.
++##	Do not audit attempts to read and write xdm
++##	unix domain stream sockets.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`xserver_stream_connect',`
+-	gen_require(`
+-		type xserver_t, xserver_tmp_t;
+-	')
++interface(`xserver_dontaudit_xdm_rw_stream_sockets',`
++    gen_require(`
++        type xdm_t;
++    ')
+ 
+-	files_search_tmp($1)
+-	stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
++    dontaudit $1 xdm_t:unix_stream_socket { read write };
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read X server temporary files.
++##	Connect to the X server over a unix domain
++##	stream socket.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -1197,9 +1530,48 @@ interface(`xserver_stream_connect',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`xserver_read_tmp_files',`
++interface(`xserver_stream_connect',`
+ 	gen_require(`
+-		type xserver_tmp_t;
++		type xserver_t, xserver_tmp_t;
++	')
++
++	files_search_tmp($1)
++	stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
 +	allow xserver_t $1:shm rw_shm_perms;
 +')
 +
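Review bot: the body of the new xserver_dontaudit_xdm_rw_stream_sockets() interface is indented with four spaces (`++    gen_require(`` and `++    dontaudit $1 xdm_t:unix_stream_socket { read write };`) while the neighbouring interfaces in the same file use tabs (`+ 	gen_require(``); switch to tabs so the file stays consistent. It would also help to name the intended caller in the interface comment, since the changelog entry "Add dontaudit for mozilla_plugin_t looking at the xdm_t sockets" is the only record of why this denial is being silenced.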
@@ -129558,10 +129605,25 @@ index 130ced9..888cb7e 100644
 +    ')
 +
 +    stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
- ')
++')
++
++########################################
++## <summary>
++##	Read X server temporary files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`xserver_read_tmp_files',`
++	gen_require(`
++		type xserver_tmp_t;
+ 	')
  
- ########################################
-@@ -1210,7 +1563,7 @@ interface(`xserver_read_tmp_files',`
+ 	allow $1 xserver_tmp_t:file read_file_perms;
+@@ -1210,7 +1582,7 @@ interface(`xserver_read_tmp_files',`
  ## <summary>
  ##	Interface to provide X object permissions on a given X server to
  ##	an X client domain.  Gives the domain permission to read the
@@ -129570,7 +129632,7 @@ index 130ced9..888cb7e 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1220,13 +1573,23 @@ interface(`xserver_read_tmp_files',`
+@@ -1220,13 +1592,23 @@ interface(`xserver_read_tmp_files',`
  #
  interface(`xserver_manage_core_devices',`
  	gen_require(`
@@ -129595,7 +129657,7 @@ index 130ced9..888cb7e 100644
  ')
  
  ########################################
-@@ -1243,10 +1606,625 @@ interface(`xserver_manage_core_devices',`
+@@ -1243,10 +1625,625 @@ interface(`xserver_manage_core_devices',`
  #
  interface(`xserver_unconfined',`
  	gen_require(`
@@ -130224,7 +130286,7 @@ index 130ced9..888cb7e 100644
 +        allow $1 xdm_t:lnk_file read_lnk_file_perms;
 +')
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index d40f750..d195065 100644
+index d40f750..9ace67b 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
 @@ -26,27 +26,50 @@ gen_require(`
@@ -130784,7 +130846,7 @@ index d40f750..d195065 100644
  
  storage_dontaudit_read_fixed_disk(xdm_t)
  storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -441,28 +624,42 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -441,28 +624,43 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
  storage_dontaudit_raw_write_removable_device(xdm_t)
  storage_dontaudit_setattr_removable_dev(xdm_t)
  storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -130811,10 +130873,9 @@ index d40f750..d195065 100644
 +init_dbus_chat(xdm_t)
 +init_pid_filetrans(xdm_t, xdm_var_run_t, dir, "multi-session-x")
 +init_status(xdm_t)
-+
-+systemd_write_inhibit_pipes(xdm_t)
  
  libs_exec_lib_files(xdm_t)
++libs_exec_ldconfig(xdm_t)
  
  logging_read_generic_logs(xdm_t)
  
@@ -130827,10 +130888,12 @@ index d40f750..d195065 100644
  
 -sysnet_read_config(xdm_t)
 +systemd_write_inhibit_pipes(xdm_t)
++systemd_dbus_chat_localed(xdm_t)
++systemd_start_power_services(xdm_t)
  
  userdom_dontaudit_use_unpriv_user_fds(xdm_t)
  userdom_create_all_users_keys(xdm_t)
-@@ -471,24 +668,43 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -471,24 +669,43 @@ userdom_read_user_home_content_files(xdm_t)
  # Search /proc for any user domain processes.
  userdom_read_all_users_state(xdm_t)
  userdom_signal_all_users(xdm_t)
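Review bot: systemd_start_power_services(xdm_t) matches the changelog item "Allow kdm to start the power service to initiate a reboot or poweroff", but systemd_dbus_chat_localed(xdm_t) is not mentioned anywhere in the commit message; add an entry for it. Because starting the power services lets the display manager domain shut down or reboot the host, a one-line comment above the call recording that this is intentional for the login-screen reboot/poweroff actions would stop later readers from treating it as an over-broad grant.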
@@ -130880,7 +130943,7 @@ index d40f750..d195065 100644
  tunable_policy(`xdm_sysadm_login',`
  	userdom_xsession_spec_domtrans_all_users(xdm_t)
  	# FIXME:
-@@ -502,11 +718,26 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -502,11 +719,26 @@ tunable_policy(`xdm_sysadm_login',`
  ')
  
  optional_policy(`
@@ -130907,7 +130970,7 @@ index d40f750..d195065 100644
  ')
  
  optional_policy(`
-@@ -514,12 +745,72 @@ optional_policy(`
+@@ -514,12 +746,72 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -130980,7 +131043,7 @@ index d40f750..d195065 100644
  	hostname_exec(xdm_t)
  ')
  
-@@ -537,28 +828,78 @@ optional_policy(`
+@@ -537,28 +829,78 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -131068,7 +131131,7 @@ index d40f750..d195065 100644
  ')
  
  optional_policy(`
-@@ -570,6 +911,14 @@ optional_policy(`
+@@ -570,6 +912,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -131083,7 +131146,7 @@ index d40f750..d195065 100644
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -594,8 +943,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -594,8 +944,11 @@ allow xserver_t input_xevent_t:x_event send;
  # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
@@ -131096,7 +131159,7 @@ index d40f750..d195065 100644
  allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow xserver_t self:fd use;
  allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -608,8 +960,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -608,8 +961,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -131112,7 +131175,7 @@ index d40f750..d195065 100644
  manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -617,6 +976,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
+@@ -617,6 +977,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
  
  filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
  
@@ -131123,7 +131186,7 @@ index d40f750..d195065 100644
  manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
  manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
  manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -628,12 +991,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -628,12 +992,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -131145,7 +131208,7 @@ index d40f750..d195065 100644
  
  kernel_read_system_state(xserver_t)
  kernel_read_device_sysctls(xserver_t)
-@@ -641,12 +1011,12 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -641,12 +1012,12 @@ kernel_read_modprobe_sysctls(xserver_t)
  # Xorg wants to check if kernel is tainted
  kernel_read_kernel_sysctls(xserver_t)
  kernel_write_proc_files(xserver_t)
@@ -131159,7 +131222,7 @@ index d40f750..d195065 100644
  corenet_all_recvfrom_netlabel(xserver_t)
  corenet_tcp_sendrecv_generic_if(xserver_t)
  corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -667,23 +1037,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -667,23 +1038,28 @@ dev_rw_apm_bios(xserver_t)
  dev_rw_agp(xserver_t)
  dev_rw_framebuffer(xserver_t)
  dev_manage_dri_dev(xserver_t)
@@ -131191,7 +131254,7 @@ index d40f750..d195065 100644
  
  # brought on by rhgb
  files_search_mnt(xserver_t)
-@@ -694,7 +1069,16 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -694,7 +1070,16 @@ fs_getattr_xattr_fs(xserver_t)
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -131209,7 +131272,7 @@ index d40f750..d195065 100644
  mls_xwin_read_to_clearance(xserver_t)
  
  selinux_validate_context(xserver_t)
-@@ -708,20 +1092,18 @@ init_getpgid(xserver_t)
+@@ -708,20 +1093,18 @@ init_getpgid(xserver_t)
  term_setattr_unallocated_ttys(xserver_t)
  term_use_unallocated_ttys(xserver_t)
  
@@ -131233,7 +131296,7 @@ index d40f750..d195065 100644
  
  userdom_search_user_home_dirs(xserver_t)
  userdom_use_user_ttys(xserver_t)
-@@ -775,16 +1157,40 @@ optional_policy(`
+@@ -775,16 +1158,40 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -131275,7 +131338,7 @@ index d40f750..d195065 100644
  	unconfined_domtrans(xserver_t)
  ')
  
-@@ -793,6 +1199,10 @@ optional_policy(`
+@@ -793,6 +1200,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -131286,7 +131349,7 @@ index d40f750..d195065 100644
  	xfs_stream_connect(xserver_t)
  ')
  
-@@ -808,10 +1218,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -808,10 +1219,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
  
  # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
  # handle of a file inside the dir!!!
@@ -131300,7 +131363,7 @@ index d40f750..d195065 100644
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -819,7 +1229,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -819,7 +1230,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  
  # Run xkbcomp.
@@ -131309,7 +131372,7 @@ index d40f750..d195065 100644
  can_exec(xserver_t, xkb_var_lib_t)
  
  # VNC v4 module in X server
-@@ -832,26 +1242,21 @@ init_use_fds(xserver_t)
+@@ -832,26 +1243,21 @@ init_use_fds(xserver_t)
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -131344,7 +131407,7 @@ index d40f750..d195065 100644
  ')
  
  optional_policy(`
-@@ -859,6 +1264,10 @@ optional_policy(`
+@@ -859,6 +1265,10 @@ optional_policy(`
  	rhgb_rw_tmpfs_files(xserver_t)
  ')
  
@@ -131355,7 +131418,7 @@ index d40f750..d195065 100644
  ########################################
  #
  # Rules common to all X window domains
-@@ -902,7 +1311,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -902,7 +1312,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
  allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
  # operations allowed on my windows
  allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -131364,7 +131427,7 @@ index d40f750..d195065 100644
  # operations allowed on all windows
  allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
  
-@@ -956,11 +1365,31 @@ allow x_domain self:x_resource { read write };
+@@ -956,11 +1366,31 @@ allow x_domain self:x_resource { read write };
  # can mess with the screensaver
  allow x_domain xserver_t:x_screen { getattr saver_getattr };
  
@@ -131396,7 +131459,7 @@ index d40f750..d195065 100644
  tunable_policy(`! xserver_object_manager',`
  	# should be xserver_unconfined(x_domain),
  	# but typeattribute doesnt work in conditionals
-@@ -982,18 +1411,44 @@ tunable_policy(`! xserver_object_manager',`
+@@ -982,18 +1412,44 @@ tunable_policy(`! xserver_object_manager',`
  	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
  ')
  
@@ -134653,7 +134716,7 @@ index d26fe81..4f7db68 100644
 +	allow $1 init_t:system undefined;
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 4a88fa1..170bb03 100644
+index 4a88fa1..9c0b2c0 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -11,10 +11,24 @@ gen_require(`
@@ -134757,7 +134820,7 @@ index 4a88fa1..170bb03 100644
  # is ~sys_module really needed? observed:
  # sys_boot
  # sys_tty_config
-@@ -107,12 +142,32 @@ allow init_t self:fifo_file rw_fifo_file_perms;
+@@ -107,12 +142,33 @@ allow init_t self:fifo_file rw_fifo_file_perms;
  
  # Re-exec itself
  can_exec(init_t, init_exec_t)
@@ -134771,6 +134834,7 @@ index 4a88fa1..170bb03 100644
 +manage_files_pattern(init_t, initrc_state_t, initrc_state_t)
 +can_exec(init_t, initrc_state_t)
 +
++allow daemon initrc_t:unix_dgram_socket sendto;
 +allow init_t initrc_t:unix_stream_socket { connectto create_stream_socket_perms };
 +allow initrc_t init_t:unix_stream_socket { connectto rw_stream_socket_perms sendto };
 +allow initrc_t init_t:fifo_file rw_fifo_file_perms;
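Review bot: `allow daemon initrc_t:unix_dgram_socket sendto;` grants every domain carrying the daemon attribute the right to send datagrams to initrc_t, yet it is placed among the init_t/initrc_t specific rules in the init_t section; the other attribute-wide rules (`allow daemon direct_run_init:fd use;` and the initrc_domain rules) sit at the end of the file, so move it there and add a comment naming the denial that motivated it, since the changelog entry "Allow daemon to send dgrams to initrc_t" gives no use case. If only a handful of daemons need this, a narrower per-domain interface would be preferable to an attribute-wide allow.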
@@ -134796,7 +134860,7 @@ index 4a88fa1..170bb03 100644
  
  allow init_t initctl_t:fifo_file manage_fifo_file_perms;
  dev_filetrans(init_t, initctl_t, fifo_file)
-@@ -122,28 +177,39 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
+@@ -122,28 +178,39 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
  
  kernel_read_system_state(init_t)
  kernel_share_state(init_t)
@@ -134837,7 +134901,7 @@ index 4a88fa1..170bb03 100644
  # file descriptors inherited from the rootfs:
  files_dontaudit_rw_root_files(init_t)
  files_dontaudit_rw_root_chr_files(init_t)
-@@ -152,29 +218,53 @@ fs_list_inotifyfs(init_t)
+@@ -152,29 +219,53 @@ fs_list_inotifyfs(init_t)
  # cjp: this may be related to /dev/log
  fs_write_ramfs_sockets(init_t)
  
@@ -134885,15 +134949,15 @@ index 4a88fa1..170bb03 100644
 +
 +miscfiles_manage_localization(init_t)
 +miscfiles_filetrans_named_content(init_t)
++
++userdom_use_user_ttys(init_t)
  
 -miscfiles_read_localization(init_t)
-+userdom_use_user_ttys(init_t)
-+
 +allow init_t self:process setsched;
  
  ifdef(`distro_gentoo',`
  	allow init_t self:process { getcap setcap };
-@@ -183,29 +273,177 @@ ifdef(`distro_gentoo',`
+@@ -183,29 +274,177 @@ ifdef(`distro_gentoo',`
  ')
  
  ifdef(`distro_redhat',`
@@ -134921,14 +134985,15 @@ index 4a88fa1..170bb03 100644
 +
 +optional_policy(`
 +	gnome_filetrans_home_content(init_t)
-+')
-+
-+optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	auth_rw_login_records(init_t)
 +	modutils_domtrans_insmod(init_t)
 +	modutils_list_module_config(init_t)
-+')
-+
-+optional_policy(`
+ ')
+ 
+ optional_policy(`
 +	postfix_exec(init_t)
 +	postfix_list_spool(init_t)
 +	mta_read_aliases(init_t)
@@ -135051,14 +135116,13 @@ index 4a88fa1..170bb03 100644
 +optional_policy(`
 +	lvm_rw_pipes(init_t)
 +	lvm_read_config(init_t)
- ')
- 
- optional_policy(`
--	auth_rw_login_records(init_t)
++')
++
++optional_policy(`
 +	consolekit_manage_log(init_t)
- ')
- 
- optional_policy(`
++')
++
++optional_policy(`
 +	dbus_connect_system_bus(init_t)
  	dbus_system_bus_client(init_t)
 +	dbus_delete_pid_files(init_t)
@@ -135079,7 +135143,7 @@ index 4a88fa1..170bb03 100644
  ')
  
  optional_policy(`
-@@ -213,6 +451,27 @@ optional_policy(`
+@@ -213,6 +452,27 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -135107,7 +135171,7 @@ index 4a88fa1..170bb03 100644
  	unconfined_domain(init_t)
  ')
  
-@@ -222,8 +481,9 @@ optional_policy(`
+@@ -222,8 +482,9 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -135119,7 +135183,7 @@ index 4a88fa1..170bb03 100644
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
  
-@@ -251,12 +511,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -251,12 +512,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -135136,7 +135200,7 @@ index 4a88fa1..170bb03 100644
  
  manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
  manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -272,23 +536,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -272,23 +537,36 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -135179,7 +135243,7 @@ index 4a88fa1..170bb03 100644
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -296,9 +573,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -296,9 +574,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
  
  dev_read_rand(initrc_t)
  dev_read_urand(initrc_t)
@@ -135191,7 +135255,7 @@ index 4a88fa1..170bb03 100644
  dev_rw_sysfs(initrc_t)
  dev_list_usbfs(initrc_t)
  dev_read_framebuffer(initrc_t)
-@@ -306,8 +585,10 @@ dev_write_framebuffer(initrc_t)
+@@ -306,8 +586,10 @@ dev_write_framebuffer(initrc_t)
  dev_read_realtime_clock(initrc_t)
  dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
@@ -135202,7 +135266,7 @@ index 4a88fa1..170bb03 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -315,17 +596,16 @@ dev_manage_generic_files(initrc_t)
+@@ -315,17 +597,16 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -135222,7 +135286,7 @@ index 4a88fa1..170bb03 100644
  domain_getsession_all_domains(initrc_t)
  domain_use_interactive_fds(initrc_t)
  # for lsof which is used by alsa shutdown:
-@@ -333,6 +613,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -333,6 +614,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -135230,7 +135294,7 @@ index 4a88fa1..170bb03 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -340,8 +621,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -340,8 +622,10 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -135242,7 +135306,7 @@ index 4a88fa1..170bb03 100644
  files_delete_all_pids(initrc_t)
  files_delete_all_pid_dirs(initrc_t)
  files_read_etc_files(initrc_t)
-@@ -357,8 +640,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -357,8 +641,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -135256,7 +135320,7 @@ index 4a88fa1..170bb03 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -368,9 +655,13 @@ fs_mount_all_fs(initrc_t)
+@@ -368,9 +656,13 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -135271,7 +135335,7 @@ index 4a88fa1..170bb03 100644
  mcs_killall(initrc_t)
  mcs_process_set_categories(initrc_t)
  
-@@ -380,6 +671,7 @@ mls_process_read_up(initrc_t)
+@@ -380,6 +672,7 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -135279,7 +135343,7 @@ index 4a88fa1..170bb03 100644
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -391,6 +683,7 @@ term_use_all_terms(initrc_t)
+@@ -391,6 +684,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -135287,7 +135351,7 @@ index 4a88fa1..170bb03 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -409,20 +702,18 @@ logging_read_all_logs(initrc_t)
+@@ -409,20 +703,18 @@ logging_read_all_logs(initrc_t)
  logging_append_all_logs(initrc_t)
  logging_read_audit_config(initrc_t)
  
@@ -135311,7 +135375,7 @@ index 4a88fa1..170bb03 100644
  
  ifdef(`distro_debian',`
  	dev_setattr_generic_dirs(initrc_t)
-@@ -476,6 +767,10 @@ ifdef(`distro_gentoo',`
+@@ -476,6 +768,10 @@ ifdef(`distro_gentoo',`
  	sysnet_setattr_config(initrc_t)
  
  	optional_policy(`
@@ -135322,7 +135386,7 @@ index 4a88fa1..170bb03 100644
  		alsa_read_lib(initrc_t)
  	')
  
-@@ -496,7 +791,7 @@ ifdef(`distro_redhat',`
+@@ -496,7 +792,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -135331,7 +135395,7 @@ index 4a88fa1..170bb03 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -511,6 +806,7 @@ ifdef(`distro_redhat',`
+@@ -511,6 +807,7 @@ ifdef(`distro_redhat',`
  	files_create_boot_dirs(initrc_t)
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
@@ -135339,7 +135403,7 @@ index 4a88fa1..170bb03 100644
  	# wants to read /.fonts directory
  	files_read_default_files(initrc_t)
  	files_mountpoint(initrc_tmp_t)
-@@ -531,6 +827,7 @@ ifdef(`distro_redhat',`
+@@ -531,6 +828,7 @@ ifdef(`distro_redhat',`
  	miscfiles_rw_localization(initrc_t)
  	miscfiles_setattr_localization(initrc_t)
  	miscfiles_relabel_localization(initrc_t)
@@ -135347,7 +135411,7 @@ index 4a88fa1..170bb03 100644
  
  	miscfiles_read_fonts(initrc_t)
  	miscfiles_read_hwdata(initrc_t)
-@@ -540,8 +837,40 @@ ifdef(`distro_redhat',`
+@@ -540,8 +838,40 @@ ifdef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -135388,7 +135452,7 @@ index 4a88fa1..170bb03 100644
  	')
  
  	optional_policy(`
-@@ -549,14 +878,31 @@ ifdef(`distro_redhat',`
+@@ -549,14 +879,31 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -135420,7 +135484,7 @@ index 4a88fa1..170bb03 100644
  	')
  ')
  
-@@ -567,6 +913,39 @@ ifdef(`distro_suse',`
+@@ -567,6 +914,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -135460,7 +135524,7 @@ index 4a88fa1..170bb03 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -579,6 +958,8 @@ optional_policy(`
+@@ -579,6 +959,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -135469,7 +135533,7 @@ index 4a88fa1..170bb03 100644
  ')
  
  optional_policy(`
-@@ -600,6 +981,7 @@ optional_policy(`
+@@ -600,6 +982,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -135477,7 +135541,7 @@ index 4a88fa1..170bb03 100644
  ')
  
  optional_policy(`
-@@ -612,6 +994,17 @@ optional_policy(`
+@@ -612,6 +995,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -135495,7 +135559,7 @@ index 4a88fa1..170bb03 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -628,9 +1021,13 @@ optional_policy(`
+@@ -628,9 +1022,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -135509,7 +135573,7 @@ index 4a88fa1..170bb03 100644
  	')
  
  	optional_policy(`
-@@ -655,6 +1052,10 @@ optional_policy(`
+@@ -655,6 +1053,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -135520,7 +135584,7 @@ index 4a88fa1..170bb03 100644
  	gpm_setattr_gpmctl(initrc_t)
  ')
  
-@@ -672,6 +1073,15 @@ optional_policy(`
+@@ -672,6 +1074,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -135536,7 +135600,7 @@ index 4a88fa1..170bb03 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -712,6 +1122,7 @@ optional_policy(`
+@@ -712,6 +1123,7 @@ optional_policy(`
  	lpd_list_spool(initrc_t)
  
  	lpd_read_config(initrc_t)
@@ -135544,7 +135608,7 @@ index 4a88fa1..170bb03 100644
  ')
  
  optional_policy(`
-@@ -729,7 +1140,14 @@ optional_policy(`
+@@ -729,7 +1141,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -135559,7 +135623,7 @@ index 4a88fa1..170bb03 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -752,6 +1170,10 @@ optional_policy(`
+@@ -752,6 +1171,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -135570,7 +135634,7 @@ index 4a88fa1..170bb03 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -761,10 +1183,20 @@ optional_policy(`
+@@ -761,10 +1184,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -135591,7 +135655,7 @@ index 4a88fa1..170bb03 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -773,6 +1205,10 @@ optional_policy(`
+@@ -773,6 +1206,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -135602,7 +135666,7 @@ index 4a88fa1..170bb03 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -794,8 +1230,6 @@ optional_policy(`
+@@ -794,8 +1231,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -135611,7 +135675,7 @@ index 4a88fa1..170bb03 100644
  ')
  
  optional_policy(`
-@@ -804,6 +1238,10 @@ optional_policy(`
+@@ -804,6 +1239,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -135622,7 +135686,7 @@ index 4a88fa1..170bb03 100644
  	# shorewall-init script run /var/lib/shorewall/firewall
  	shorewall_lib_domtrans(initrc_t)
  ')
-@@ -813,10 +1251,12 @@ optional_policy(`
+@@ -813,10 +1252,12 @@ optional_policy(`
  	squid_manage_logs(initrc_t)
  ')
  
@@ -135635,7 +135699,7 @@ index 4a88fa1..170bb03 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -828,8 +1268,6 @@ optional_policy(`
+@@ -828,8 +1269,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -135644,7 +135708,7 @@ index 4a88fa1..170bb03 100644
  	udev_manage_pid_files(initrc_t)
  	udev_manage_pid_dirs(initrc_t)
  	udev_manage_rules_files(initrc_t)
-@@ -840,12 +1278,30 @@ optional_policy(`
+@@ -840,12 +1279,30 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -135677,7 +135741,7 @@ index 4a88fa1..170bb03 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -855,6 +1311,18 @@ optional_policy(`
+@@ -855,6 +1312,18 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -135696,7 +135760,7 @@ index 4a88fa1..170bb03 100644
  ')
  
  optional_policy(`
-@@ -870,6 +1338,10 @@ optional_policy(`
+@@ -870,6 +1339,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -135707,7 +135771,7 @@ index 4a88fa1..170bb03 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -880,3 +1352,187 @@ optional_policy(`
+@@ -880,3 +1353,196 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -135889,6 +135953,15 @@ index 4a88fa1..170bb03 100644
 +allow initrc_domain systemprocess_entry:file { getattr open read execute };
 +allow initrc_domain systemprocess:process transition;
 +
++optional_policy(`
++	systemd_getattr_unit_dirs(daemon)
++	systemd_getattr_unit_dirs(systemprocess)
++')
++
++optional_policy(`
++    rgmanager_search_lib(initrc_domain)
++')
++
 +ifdef(`direct_sysadm_daemon',`
 +     allow daemon direct_run_init:fd use;
 +     allow daemon direct_run_init:fifo_file rw_inherited_fifo_file_perms;
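Review bot: the two new optional_policy blocks are indented differently: the systemd block uses a tab (`++	systemd_getattr_unit_dirs(daemon)`) while the rgmanager block uses four spaces (`++    rgmanager_search_lib(initrc_domain)`); use tabs for both. rgmanager_search_lib() is the interface the changelog says was added, but systemd_getattr_unit_dirs(daemon) and systemd_getattr_unit_dirs(systemprocess) have no changelog entry and apply to every daemon and system process domain; add an entry describing why all of them need to getattr the unit directories. Wrapping both in optional_policy is correct since they call interfaces from other modules.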
@@ -136459,7 +136532,7 @@ index 0646ee7..da1337a 100644
  ')
  
 diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
-index ef8bbaf..a21d5fe 100644
+index ef8bbaf..8c14853 100644
 --- a/policy/modules/system/libraries.fc
 +++ b/policy/modules/system/libraries.fc
 @@ -1,3 +1,4 @@
@@ -136525,16 +136598,18 @@ index ef8bbaf..a21d5fe 100644
  /usr/lib/altivec/libavcodec\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/cedega/.+\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/vlc/video_chroma/libi420_rgb_mmx_plugin\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -140,6 +149,8 @@ ifdef(`distro_redhat',`
+@@ -140,19 +149,21 @@ ifdef(`distro_redhat',`
  /usr/lib/ati-fglrx/.+\.so(\..*)?	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/fglrx/.*\.so(\.[^/]*)*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/libjs\.so.*			--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/lib/libjavascriptcoregtk[^/]*\.so.* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/lib/libzvbi\.so(\.[^/]*)* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/sse2/libx264\.so(\.[^/]*)* 	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(/.*)?/libnvidia.+\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(/.*)?/libnvidia.+\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libnvidia\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib.*/libnvidia\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(/.*)?/nvidia_drv.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -147,12 +158,11 @@ ifdef(`distro_redhat',`
+ /usr/lib/nero/plug-ins/libMP3\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
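Review bot: the two replacement patterns `++/usr/lib/libnvidia\.so(\.[^/]*)*` and `++/usr/lib.*/libnvidia\.so(\.[^/]*)*` narrow what the removed `/usr/lib(/.*)?/libnvidia.+\.so(\.[^/]*)*` matched. The old regex required at least one character between `libnvidia` and `.so`, so it covered libnvidia-<suffix>.so style names; the new ones only match a file literally called libnvidia.so. If the intent is still to label the vendor libraries that need text relocations, keep a wildcard there, e.g. `/usr/lib.*/libnvidia[^/]*\.so(\.[^/]*)*`. The first of the two new lines is also redundant: `/usr/lib.*` already matches `/usr/lib` with an empty `.*`, so the second line subsumes it.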
@@ -136550,7 +136625,7 @@ index ef8bbaf..a21d5fe 100644
  /usr/NX/lib/libXcomp\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/NX/lib/libjpeg\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  
-@@ -181,11 +191,13 @@ ifdef(`distro_redhat',`
+@@ -181,11 +192,13 @@ ifdef(`distro_redhat',`
  # Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
  # 	HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
  HOME_DIR/.*/plugins/nppdf\.so.* 	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -136564,7 +136639,7 @@ index ef8bbaf..a21d5fe 100644
  /usr/lib/libfglrx_gamma\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/mozilla/plugins/nppdf\.so 	-- 	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/mozilla/plugins/libvlcplugin\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -240,14 +252,10 @@ HOME_DIR/.*/plugins/nppdf\.so.* 	--	gen_context(system_u:object_r:textrel_shlib_
+@@ -240,14 +253,10 @@ HOME_DIR/.*/plugins/nppdf\.so.* 	--	gen_context(system_u:object_r:textrel_shlib_
  
  # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
  /usr/lib.*/libmpg123\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -136580,7 +136655,7 @@ index ef8bbaf..a21d5fe 100644
  
  # Jai, Sun Microsystems (Jpackage SPRM)
  /usr/lib/libmlib_jai\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -269,20 +277,19 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
+@@ -269,20 +278,19 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
  
  # Java, Sun Microsystems (JPackage SRPM)
  /usr/(.*/)?jre.*/.*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -136611,7 +136686,7 @@ index ef8bbaf..a21d5fe 100644
  
  /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  
-@@ -299,17 +306,151 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
+@@ -299,17 +307,148 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
  #
  /var/cache/ldconfig(/.*)?			gen_context(system_u:object_r:ldconfig_cache_t,s0)
  
@@ -136660,8 +136735,6 @@ index ef8bbaf..a21d5fe 100644
 +/usr/lib/googleearth/.*\.so.*    --     gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/lib/google-earth/.*\.so.*    --     gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/opt/google-earth/.*\.so.*    --     gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/opt/google/.*\.so.*    --     gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/opt/google/chrome/.*\.so.*    --     gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
 +/usr/lib/nspluginwrapper/np.*\.so	-- gen_context(system_u:object_r:lib_t,s0)
 +
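Review bot: removing `-+/opt/google/.*\.so.*` and `-+/opt/google/chrome/.*\.so.*` from the textrel_shlib_t list is not recorded in the commit message (the nearest entry is "Update textrel_shlib_t names"), and nothing else in this diff labels those paths. Any library under /opt/google that still needs text relocations will now get whatever the generic /opt rules assign and its execmod will be denied and audited. If these libraries are now labeled by another module's .fc, say so in the commit message; otherwise keep the entries.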
@@ -136766,7 +136839,6 @@ index ef8bbaf..a21d5fe 100644
 +/opt/lgtonmc/bin/.*\.so(\.[0-9])?  	--  gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/opt/google/picasa/.*\.dll	--  gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/opt/google/picasa/.*\.yti	--  gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/opt/google/talkplugin/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
 +/usr/sbin/ldconfig		--	gen_context(system_u:object_r:ldconfig_exec_t,s0)
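Review bot: `-+/opt/google/talkplugin/.*\.so.*` is dropped here with the same gap as the /opt/google entries removed in the preceding hunk: no replacement label in this diff and no commit message entry. Either state where talkplugin's libraries are labeled from now on or keep the line, so the change is reviewable later when an execmod denial shows up.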
 diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
@@ -142250,10 +142322,10 @@ index 0000000..d76b063
 +/var/run/initramfs(/.*)?	<<none>>
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
 new file mode 100644
-index 0000000..a7eb2f2
+index 0000000..96a1a74
 --- /dev/null
 +++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,1050 @@
+@@ -0,0 +1,1068 @@
 +## <summary>SELinux policy for systemd components</summary>
 +
 +#######################################
@@ -142409,6 +142481,24 @@ index 0000000..a7eb2f2
 +    allow $1 systemd_unit_file_type:file getattr_file_perms;
 +')
 +
++#####################################
++## <summary>
++##      Allow domain to getattr all systemd unit directories.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`systemd_getattr_unit_dirs',`
++        gen_require(`
++                attribute systemd_unit_file_type;
++        ')
++
++    allow $1 systemd_unit_file_type:dir getattr;
++')
++
 +######################################
 +## <summary>
 +##      Allow domain to read all systemd unit files.
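Review bot: indentation in the new `systemd_getattr_unit_dirs` interface is inconsistent: `++        gen_require(` and the `attribute systemd_unit_file_type;` line use eight spaces while `++    allow $1 systemd_unit_file_type:dir getattr;` uses four, matching the neighbouring `systemd_getattr_unit_files` body above it. Use one indentation style for the whole interface (the existing interfaces in this file use four spaces for the rule body). The header bump from 1050 to 1068 lines matches the 18 added lines.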
diff --git a/policy-f18-contrib.patch b/policy-f18-contrib.patch
index 1ad0a41..f6343ab 100644
--- a/policy-f18-contrib.patch
+++ b/policy-f18-contrib.patch
@@ -1674,7 +1674,7 @@ index 1392679..64e685f 100644
 +	ps_process_pattern($1, alsa_t)
 +')
 diff --git a/alsa.te b/alsa.te
-index dc1b088..33678e4 100644
+index dc1b088..1fdd2c2 100644
 --- a/alsa.te
 +++ b/alsa.te
 @@ -22,6 +22,9 @@ files_type(alsa_var_lib_t)
@@ -1687,7 +1687,15 @@ index dc1b088..33678e4 100644
  ########################################
  #
  # Local policy
-@@ -59,7 +62,6 @@ dev_read_sysfs(alsa_t)
+@@ -29,6 +32,7 @@ userdom_user_home_content(alsa_home_t)
+ 
+ allow alsa_t self:capability { dac_read_search dac_override setgid setuid ipc_owner };
+ dontaudit alsa_t self:capability sys_admin;
++allow alsa_t self:process signal_perms;
+ allow alsa_t self:sem create_sem_perms;
+ allow alsa_t self:shm create_shm_perms;
+ allow alsa_t self:unix_stream_socket create_stream_socket_perms;
+@@ -59,7 +63,6 @@ dev_read_sysfs(alsa_t)
  
  corecmd_exec_bin(alsa_t)
  
@@ -1695,7 +1703,7 @@ index dc1b088..33678e4 100644
  files_read_usr_files(alsa_t)
  
  term_dontaudit_use_console(alsa_t)
-@@ -72,8 +74,6 @@ init_use_fds(alsa_t)
+@@ -72,8 +75,6 @@ init_use_fds(alsa_t)
  
  logging_send_syslog_msg(alsa_t)
  
@@ -2163,7 +2171,7 @@ index 0000000..adcd6f4
 +        files_getattr_all_sockets(antivirus_domain)
 +')
 diff --git a/apache.fc b/apache.fc
-index fd9fa07..bead01a 100644
+index fd9fa07..ac64761 100644
 --- a/apache.fc
 +++ b/apache.fc
 @@ -1,20 +1,37 @@
@@ -2264,7 +2272,7 @@ index fd9fa07..bead01a 100644
  
  /var/cache/httpd(/.*)?			gen_context(system_u:object_r:httpd_cache_t,s0)
  /var/cache/lighttpd(/.*)?		gen_context(system_u:object_r:httpd_cache_t,s0)
-@@ -69,35 +96,54 @@ ifdef(`distro_suse', `
+@@ -69,35 +96,55 @@ ifdef(`distro_suse', `
  /var/cache/php-.*			gen_context(system_u:object_r:httpd_cache_t,s0)
  /var/cache/php-eaccelerator(/.*)?	gen_context(system_u:object_r:httpd_cache_t,s0)
  /var/cache/php-mmcache(/.*)?		gen_context(system_u:object_r:httpd_cache_t,s0)
@@ -2286,6 +2294,7 @@ index fd9fa07..bead01a 100644
  /var/lib/squirrelmail/prefs(/.*)?	gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
 +/var/lib/openshift/\.httpd\.d(/.*)?         gen_context(system_u:object_r:httpd_config_t,s0)
 +/var/lib/openshift/\.log/httpd(/.*)?		  gen_context(system_u:object_r:httpd_log_t,s0)
++/var/lib/owncloud(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +/var/lib/stickshift/\.httpd\.d(/.*)?         gen_context(system_u:object_r:httpd_config_t,s0)
 +/var/lib/svn(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +/var/lib/trac(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
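Review bot: `++/var/lib/owncloud(/.*)?` labels the entire ownCloud state tree httpd_sys_rw_content_t, and the change is not listed in the commit message. The label gives httpd_t write access to everything beneath it; if ownCloud keeps anything there that should be read-only for the web server (its configuration, for example), that subtree needs a separate, more specific entry with a read-only type rather than inheriting rw from the parent rule.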
@@ -2325,7 +2334,7 @@ index fd9fa07..bead01a 100644
  
  /var/spool/gosa(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
  /var/spool/squirrelmail(/.*)?		gen_context(system_u:object_r:squirrelmail_spool_t,s0)
-@@ -109,3 +155,34 @@ ifdef(`distro_debian', `
+@@ -109,3 +156,38 @@ ifdef(`distro_debian', `
  /var/www/cgi-bin(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
  /var/www/icons(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /var/www/perl(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
@@ -2343,6 +2352,10 @@ index fd9fa07..bead01a 100644
 +
 +/var/www/moodledata(/.*)?		gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +
++/var/www/moodle/data(/.*)?		gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++
++/var/lib/moodle(/.*)?		gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++
 +/var/www/openshift/console/tmp(/.*)?    gen_context(system_u:object_r:httpd_tmp_t,s0)
 +/var/www/openshift/console/log(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
 +
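Review bot: the two new rw entries `++/var/www/moodle/data(/.*)?` and `++/var/lib/moodle(/.*)?` are not mentioned in the commit message and are each wrapped in their own blank lines, which breaks the grouping used elsewhere in this hunk where related paths for one application sit together (for example the openshift and moodledata entries above). Group them with the existing `/var/www/moodledata(/.*)?` line and drop the extra blank lines; the header change from 34 to 38 lines is otherwise consistent.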
@@ -3226,7 +3239,7 @@ index 6480167..c0ece1b 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
  ')
 diff --git a/apache.te b/apache.te
-index 0833afb..9b2357a 100644
+index 0833afb..e8bbca3 100644
 --- a/apache.te
 +++ b/apache.te
 @@ -18,6 +18,8 @@ policy_module(apache, 2.4.0)
@@ -3979,7 +3992,7 @@ index 0833afb..9b2357a 100644
  ')
  
  optional_policy(`
-@@ -594,6 +951,42 @@ optional_policy(`
+@@ -594,6 +951,46 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -4015,6 +4028,10 @@ index 0833afb..9b2357a 100644
 +')
 +
 +optional_policy(`
++	rpm_dontaudit_read_db(httpd_t)
++')
++
++optional_policy(`
 +	rpc_search_nfs_state_data(httpd_t)
 +')
 +
@@ -4022,7 +4039,7 @@ index 0833afb..9b2357a 100644
  	# Allow httpd to work with postgresql
  	postgresql_stream_connect(httpd_t)
  	postgresql_unpriv_client(httpd_t)
-@@ -608,6 +1001,11 @@ optional_policy(`
+@@ -608,6 +1005,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -4034,7 +4051,7 @@ index 0833afb..9b2357a 100644
  	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
  	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
  ')
-@@ -620,6 +1018,12 @@ optional_policy(`
+@@ -620,6 +1022,12 @@ optional_policy(`
  	yam_read_content(httpd_t)
  ')
  
@@ -4047,7 +4064,7 @@ index 0833afb..9b2357a 100644
  ########################################
  #
  # Apache helper local policy
-@@ -633,7 +1037,43 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
+@@ -633,7 +1041,43 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
  
  logging_send_syslog_msg(httpd_helper_t)
  
@@ -4092,7 +4109,7 @@ index 0833afb..9b2357a 100644
  
  ########################################
  #
-@@ -671,28 +1111,30 @@ libs_exec_lib_files(httpd_php_t)
+@@ -671,28 +1115,30 @@ libs_exec_lib_files(httpd_php_t)
  userdom_use_unpriv_users_fds(httpd_php_t)
  
  tunable_policy(`httpd_can_network_connect_db',`
@@ -4136,7 +4153,7 @@ index 0833afb..9b2357a 100644
  ')
  
  ########################################
-@@ -702,6 +1144,7 @@ optional_policy(`
+@@ -702,6 +1148,7 @@ optional_policy(`
  
  allow httpd_suexec_t self:capability { setuid setgid };
  allow httpd_suexec_t self:process signal_perms;
@@ -4144,7 +4161,7 @@ index 0833afb..9b2357a 100644
  allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
  
  domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-@@ -716,19 +1159,27 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -716,19 +1163,27 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
  
@@ -4173,7 +4190,7 @@ index 0833afb..9b2357a 100644
  files_read_usr_files(httpd_suexec_t)
  files_dontaudit_search_pids(httpd_suexec_t)
  files_search_home(httpd_suexec_t)
-@@ -738,15 +1189,14 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -738,15 +1193,14 @@ auth_use_nsswitch(httpd_suexec_t)
  logging_search_logs(httpd_suexec_t)
  logging_send_syslog_msg(httpd_suexec_t)
  
@@ -4191,7 +4208,7 @@ index 0833afb..9b2357a 100644
  	corenet_tcp_sendrecv_generic_if(httpd_suexec_t)
  	corenet_udp_sendrecv_generic_if(httpd_suexec_t)
  	corenet_tcp_sendrecv_generic_node(httpd_suexec_t)
-@@ -757,13 +1207,31 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -757,13 +1211,31 @@ tunable_policy(`httpd_can_network_connect',`
  	corenet_sendrecv_all_client_packets(httpd_suexec_t)
  ')
  
@@ -4224,7 +4241,7 @@ index 0833afb..9b2357a 100644
  	fs_read_nfs_files(httpd_suexec_t)
  	fs_read_nfs_symlinks(httpd_suexec_t)
  	fs_exec_nfs_files(httpd_suexec_t)
-@@ -786,6 +1254,25 @@ optional_policy(`
+@@ -786,6 +1258,25 @@ optional_policy(`
  	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
  ')
  
@@ -4250,7 +4267,7 @@ index 0833afb..9b2357a 100644
  ########################################
  #
  # Apache system script local policy
-@@ -806,12 +1293,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+@@ -806,12 +1297,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
  
  kernel_read_kernel_sysctls(httpd_sys_script_t)
  
@@ -4268,7 +4285,7 @@ index 0833afb..9b2357a 100644
  ifdef(`distro_redhat',`
  	allow httpd_sys_script_t httpd_log_t:file append_file_perms;
  ')
-@@ -820,18 +1312,51 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -820,18 +1316,51 @@ tunable_policy(`httpd_can_sendmail',`
  	mta_send_mail(httpd_sys_script_t)
  ')
  
@@ -4328,7 +4345,7 @@ index 0833afb..9b2357a 100644
  	corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
  	corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
  	corenet_tcp_connect_all_ports(httpd_sys_script_t)
-@@ -839,14 +1364,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -839,14 +1368,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
  ')
  
  tunable_policy(`httpd_enable_homedirs',`
@@ -4369,7 +4386,7 @@ index 0833afb..9b2357a 100644
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_sys_script_t)
  	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -854,15 +1404,26 @@ tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
+@@ -854,15 +1408,26 @@ tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  
  optional_policy(`
  	clamav_domtrans_clamscan(httpd_sys_script_t)
@@ -4396,7 +4413,7 @@ index 0833afb..9b2357a 100644
  ')
  
  ########################################
-@@ -878,11 +1439,9 @@ kernel_read_kernel_sysctls(httpd_rotatelogs_t)
+@@ -878,11 +1443,9 @@ kernel_read_kernel_sysctls(httpd_rotatelogs_t)
  kernel_dontaudit_list_proc(httpd_rotatelogs_t)
  kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t)
  
@@ -4408,7 +4425,7 @@ index 0833afb..9b2357a 100644
  
  ########################################
  #
-@@ -908,11 +1467,143 @@ optional_policy(`
+@@ -908,11 +1471,143 @@ optional_policy(`
  
  tunable_policy(`httpd_enable_cgi && httpd_unified',`
  	allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -7244,6 +7261,17 @@ index 9a62a1d..283f4fa 100644
  
  optional_policy(`
  	xen_append_log(brctl_t)
+diff --git a/bugzilla.fc b/bugzilla.fc
+index 8c84063..258f2cb 100644
+--- a/bugzilla.fc
++++ b/bugzilla.fc
+@@ -1,4 +1,4 @@
+-/usr/share/bugzilla(/.*)?	-d	gen_context(system_u:object_r:httpd_bugzilla_content_t,s0)
+-/usr/share/bugzilla(/.*)?	--	gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0)
++/usr/share/bugzilla(/.*)?		gen_context(system_u:object_r:httpd_bugzilla_content_t,s0)
++/usr/share/bugzilla/.*\.cgi	--	gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0)
+ 
+ /var/lib/bugzilla(/.*)?			gen_context(system_u:object_r:httpd_bugzilla_rw_content_t,s0)
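Review bot: this bugzilla.fc change is a tightening (only `/usr/share/bugzilla/.*\.cgi` is httpd_bugzilla_script_exec_t now, everything else under /usr/share/bugzilla is content) but it is absent from the commit message. It also means any CGI entry point that does not end in .cgi will be labeled httpd_bugzilla_content_t and can no longer be executed as httpd_bugzilla_script_t; confirm that the installed tree has no such entry points before shipping, and record the change in the commit message.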
 diff --git a/bugzilla.if b/bugzilla.if
 index de89d0f..86e4ee7 100644
 --- a/bugzilla.if
@@ -7282,7 +7310,7 @@ index de89d0f..86e4ee7 100644
  
  	apache_list_sys_content($1)
 diff --git a/bugzilla.te b/bugzilla.te
-index 048abbf..dece084 100644
+index 048abbf..d3ec115 100644
 --- a/bugzilla.te
 +++ b/bugzilla.te
 @@ -7,6 +7,9 @@ policy_module(bugzilla, 1.0.0)
@@ -7303,7 +7331,7 @@ index 048abbf..dece084 100644
  corenet_all_recvfrom_netlabel(httpd_bugzilla_script_t)
  corenet_tcp_sendrecv_generic_if(httpd_bugzilla_script_t)
  corenet_udp_sendrecv_generic_if(httpd_bugzilla_script_t)
-@@ -31,8 +33,14 @@ corenet_tcp_connect_smtp_port(httpd_bugzilla_script_t)
+@@ -31,11 +33,19 @@ corenet_tcp_connect_smtp_port(httpd_bugzilla_script_t)
  corenet_sendrecv_postgresql_client_packets(httpd_bugzilla_script_t)
  corenet_sendrecv_mysqld_client_packets(httpd_bugzilla_script_t)
  
@@ -7318,6 +7346,11 @@ index 048abbf..dece084 100644
  sysnet_read_config(httpd_bugzilla_script_t)
  sysnet_use_ldap(httpd_bugzilla_script_t)
  
++miscfiles_read_certs(httpd_bugzilla_script_t)
++
+ optional_policy(`
+ 	mta_send_mail(httpd_bugzilla_script_t)
+ ')
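Review bot: `++miscfiles_read_certs(httpd_bugzilla_script_t)` is inserted after the sysnet_ calls, whereas the rest of this file keeps interface calls grouped by module in alphabetical order (miscfiles_ belongs before sysnet_). Move it up, and add the new permission to the commit message, which does not mention bugzilla at all.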
 diff --git a/cachefilesd.fc b/cachefilesd.fc
 new file mode 100644
 index 0000000..aa03fc8
@@ -8308,7 +8341,7 @@ index 7a6e5ba..7475aa5 100644
  	admin_pattern($1, certmonger_var_run_t)
  ')
 diff --git a/certmonger.te b/certmonger.te
-index c3e3f79..8dcec07 100644
+index c3e3f79..54c74eb 100644
 --- a/certmonger.te
 +++ b/certmonger.te
 @@ -18,13 +18,19 @@ files_pid_file(certmonger_var_run_t)
@@ -8389,7 +8422,7 @@ index c3e3f79..8dcec07 100644
  
  optional_policy(`
  	dbus_system_bus_client(certmonger_t)
-@@ -64,9 +97,47 @@ optional_policy(`
+@@ -64,9 +97,48 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -8411,6 +8444,7 @@ index c3e3f79..8dcec07 100644
 +
 +optional_policy(`
 +	pki_rw_tomcat_cert(certmonger_t)
++    pki_read_tomcat_lib_files(certmonger_t)
 +')
 +
 +########################################
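Review bot: `++    pki_read_tomcat_lib_files(certmonger_t)` is indented with four spaces while the line directly above it, `+	pki_rw_tomcat_cert(certmonger_t)`, uses a tab. Use a tab so the optional_policy block is consistently indented.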
@@ -8438,20 +8472,22 @@ index c3e3f79..8dcec07 100644
 +	unconfined_domain(certmonger_unconfined_t)
 +')
 diff --git a/certwatch.te b/certwatch.te
-index e07cef5..86a8b81 100644
+index e07cef5..20cb64f 100644
 --- a/certwatch.te
 +++ b/certwatch.te
-@@ -17,6 +17,9 @@ role system_r types certwatch_t;
+@@ -17,6 +17,11 @@ role system_r types certwatch_t;
  allow certwatch_t self:capability sys_nice;
  allow certwatch_t self:process { setsched getsched };
  
 +kernel_read_system_state(certwatch_t)
 +
++corecmd_exec_bin(certwatch_t)
++
 +dev_read_rand(certwatch_t)
  dev_read_urand(certwatch_t)
  
  files_read_etc_files(certwatch_t)
-@@ -27,17 +30,18 @@ files_list_tmp(certwatch_t)
+@@ -27,17 +32,18 @@ files_list_tmp(certwatch_t)
  fs_list_inotifyfs(certwatch_t)
  
  auth_manage_cache(certwatch_t)
@@ -9031,10 +9067,10 @@ index 0000000..efebae7
 +')
 diff --git a/chrome.te b/chrome.te
 new file mode 100644
-index 0000000..7dcfb29
+index 0000000..a2b1c20
 --- /dev/null
 +++ b/chrome.te
-@@ -0,0 +1,202 @@
+@@ -0,0 +1,203 @@
 +policy_module(chrome,1.0.0)
 +
 +########################################
@@ -9066,6 +9102,7 @@ index 0000000..7dcfb29
 +# chrome_sandbox local policy
 +#
 +allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot sys_ptrace };
++dontaudit chrome_sandbox_t self:capability sys_nice;
 +allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack };
 +allow chrome_sandbox_t self:process setsched;
 +allow chrome_sandbox_t self:fifo_file manage_fifo_file_perms;
@@ -10416,7 +10453,7 @@ index 1cf6c4e..0858f92 100644
 -/var/lib/cobbler(/.*)?		gen_context(system_u:object_r:cobbler_var_lib_t, s0)
 -/var/log/cobbler(/.*)?		gen_context(system_u:object_r:cobbler_var_log_t, s0)
 diff --git a/cobbler.if b/cobbler.if
-index 116d60f..e2c6ec6 100644
+index 116d60f..49f30af 100644
 --- a/cobbler.if
 +++ b/cobbler.if
 @@ -1,12 +1,12 @@
@@ -10523,7 +10560,7 @@ index 116d60f..e2c6ec6 100644
  	files_search_var_lib($1)
  ')
  
-@@ -137,12 +140,56 @@ interface(`cobbler_manage_lib_files',`
+@@ -137,12 +140,55 @@ interface(`cobbler_manage_lib_files',`
  		type cobbler_var_lib_t;
  	')
  
@@ -10548,7 +10585,6 @@ index 116d60f..e2c6ec6 100644
 +	gen_require(`
 +		type cobbler_var_log_t;
 +	')
-+
 +	dontaudit $1 cobbler_var_log_t:file rw_inherited_file_perms;
 +')
 +
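Review bot: the only change in this hunk is the removal of the blank line between `gen_require(` ... `')` and the `dontaudit $1 cobbler_var_log_t:file rw_inherited_file_perms;` rule, which is a whitespace regression (every other interface in this file separates the gen_require block from its rules with a blank line). The commit message entry "Fix cobbler_manage_lib_files() interface" is not what this hunk shows either; if that fix lives elsewhere in the patch, fine, but this blank-line removal should be reverted.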
@@ -10580,7 +10616,7 @@ index 116d60f..e2c6ec6 100644
  ##	All of the rules required to administrate
  ##	an cobblerd environment
  ## </summary>
-@@ -161,25 +208,43 @@ interface(`cobbler_manage_lib_files',`
+@@ -161,25 +207,43 @@ interface(`cobbler_manage_lib_files',`
  interface(`cobblerd_admin',`
  	gen_require(`
  		type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t;
@@ -23820,7 +23856,7 @@ index b0242d9..407e79d 100644
 +	userdom_user_home_dir_filetrans($1, git_user_content_t, dir, "public_git")
 +')
 diff --git a/git.te b/git.te
-index 6e8e1f3..ee24002 100644
+index 6e8e1f3..dbd5517 100644
 --- a/git.te
 +++ b/git.te
 @@ -31,20 +31,21 @@ gen_tunable(git_cgi_use_nfs, false)
@@ -23911,7 +23947,7 @@ index 6e8e1f3..ee24002 100644
  tunable_policy(`use_nfs_home_dirs',`
  	fs_read_nfs_files(git_session_t)
  ',`
-@@ -133,10 +146,12 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -133,10 +146,13 @@ tunable_policy(`use_samba_home_dirs',`
  # Git system policy
  #
  
@@ -23921,12 +23957,13 @@ index 6e8e1f3..ee24002 100644
 +read_files_pattern(git_system_t, git_content, git_content)
  files_search_var_lib(git_system_t)
  
++kernel_read_network_state(git_system_t)
 +kernel_read_system_state(git_system_t)
 +
  auth_use_nsswitch(git_system_t)
  
  logging_send_syslog_msg(git_system_t)
-@@ -174,8 +189,8 @@ tunable_policy(`git_system_use_nfs',`
+@@ -174,8 +190,8 @@ tunable_policy(`git_system_use_nfs',`
  # Git CGI policy
  #
  
@@ -23937,7 +23974,7 @@ index 6e8e1f3..ee24002 100644
  files_search_var_lib(httpd_git_script_t)
  
  files_dontaudit_getattr_tmp_dirs(httpd_git_script_t)
-@@ -217,12 +232,16 @@ tunable_policy(`git_cgi_use_nfs',`
+@@ -217,12 +233,16 @@ tunable_policy(`git_cgi_use_nfs',`
  
  allow git_daemon self:fifo_file rw_fifo_file_perms;
  
@@ -35949,7 +35986,7 @@ index b397fde..aaf4cdf 100644
 +')
 +
 diff --git a/mozilla.te b/mozilla.te
-index d4fcb75..710c1e6 100644
+index d4fcb75..0216e3f 100644
 --- a/mozilla.te
 +++ b/mozilla.te
 @@ -7,19 +7,34 @@ policy_module(mozilla, 2.6.0)
@@ -36017,7 +36054,17 @@ index d4fcb75..710c1e6 100644
  type mozilla_tmp_t;
  userdom_user_tmp_file(mozilla_tmp_t)
  
-@@ -100,7 +127,6 @@ corecmd_exec_shell(mozilla_t)
+@@ -79,7 +106,8 @@ allow mozilla_t mozilla_conf_t:file read_file_perms;
+ 
+ manage_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
+ manage_dirs_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
+-files_tmp_filetrans(mozilla_t, mozilla_tmp_t, { file dir })
++# mozilla will manage user_tmp_t, so it will transition to it.
++#files_tmp_filetrans(mozilla_t, mozilla_tmp_t, { file dir })
+ 
+ manage_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
+ manage_lnk_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
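Review bot: disabling `files_tmp_filetrans(mozilla_t, mozilla_tmp_t, { file dir })` is a security trade-off that the comment `# mozilla will manage user_tmp_t, so it will transition to it.` does not spell out: browser temp files will now share user_tmp_t with every other process of the same user instead of being isolated in mozilla_tmp_t, and the `manage_files_pattern` / `manage_dirs_pattern` rules on mozilla_tmp_t just above become dead unless something else still labels that type. Delete the rule rather than leaving it commented out, and make sure the rule that actually grants mozilla_t manage access to user_tmp_t is visible in the patch, since nothing in this hunk adds it.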
+@@ -100,7 +128,6 @@ corecmd_exec_shell(mozilla_t)
  corecmd_exec_bin(mozilla_t)
  
  # Browse the web, connect to printer
@@ -36025,7 +36072,7 @@ index d4fcb75..710c1e6 100644
  corenet_all_recvfrom_netlabel(mozilla_t)
  corenet_tcp_sendrecv_generic_if(mozilla_t)
  corenet_raw_sendrecv_generic_if(mozilla_t)
-@@ -110,6 +136,7 @@ corenet_tcp_sendrecv_http_port(mozilla_t)
+@@ -110,6 +137,7 @@ corenet_tcp_sendrecv_http_port(mozilla_t)
  corenet_tcp_sendrecv_http_cache_port(mozilla_t)
  corenet_tcp_sendrecv_squid_port(mozilla_t)
  corenet_tcp_sendrecv_ftp_port(mozilla_t)
@@ -36033,7 +36080,7 @@ index d4fcb75..710c1e6 100644
  corenet_tcp_sendrecv_ipp_port(mozilla_t)
  corenet_tcp_connect_http_port(mozilla_t)
  corenet_tcp_connect_http_cache_port(mozilla_t)
-@@ -140,7 +167,6 @@ domain_dontaudit_read_all_domains_state(mozilla_t)
+@@ -140,7 +168,6 @@ domain_dontaudit_read_all_domains_state(mozilla_t)
  
  files_read_etc_runtime_files(mozilla_t)
  files_read_usr_files(mozilla_t)
@@ -36041,7 +36088,7 @@ index d4fcb75..710c1e6 100644
  # /var/lib
  files_read_var_lib_files(mozilla_t)
  # interacting with gstreamer
-@@ -151,42 +177,34 @@ files_dontaudit_getattr_boot_dirs(mozilla_t)
+@@ -151,42 +178,34 @@ files_dontaudit_getattr_boot_dirs(mozilla_t)
  fs_dontaudit_getattr_all_fs(mozilla_t)
  fs_search_auto_mountpoints(mozilla_t)
  fs_list_inotifyfs(mozilla_t)
@@ -36094,7 +36141,7 @@ index d4fcb75..710c1e6 100644
  
  # Uploads, local html
  tunable_policy(`mozilla_read_content && use_nfs_home_dirs',`
-@@ -263,6 +281,7 @@ optional_policy(`
+@@ -263,6 +282,7 @@ optional_policy(`
  optional_policy(`
  	gnome_stream_connect_gconf(mozilla_t)
  	gnome_manage_config(mozilla_t)
@@ -36102,7 +36149,7 @@ index d4fcb75..710c1e6 100644
  ')
  
  optional_policy(`
-@@ -283,7 +302,8 @@ optional_policy(`
+@@ -283,7 +303,8 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -36112,7 +36159,7 @@ index d4fcb75..710c1e6 100644
  	pulseaudio_stream_connect(mozilla_t)
  	pulseaudio_manage_home_files(mozilla_t)
  ')
-@@ -297,65 +317,105 @@ optional_policy(`
+@@ -297,65 +318,105 @@ optional_policy(`
  # mozilla_plugin local policy
  #
  
@@ -36233,7 +36280,7 @@ index d4fcb75..710c1e6 100644
  
  domain_use_interactive_fds(mozilla_plugin_t)
  domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
-@@ -363,55 +423,62 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
+@@ -363,55 +424,62 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
  files_read_config_files(mozilla_plugin_t)
  files_read_usr_files(mozilla_plugin_t)
  files_list_mnt(mozilla_plugin_t)
@@ -36317,7 +36364,7 @@ index d4fcb75..710c1e6 100644
  ')
  
  optional_policy(`
-@@ -420,26 +487,45 @@ optional_policy(`
+@@ -420,26 +488,45 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -36367,7 +36414,7 @@ index d4fcb75..710c1e6 100644
  ')
  
  optional_policy(`
-@@ -447,10 +533,121 @@ optional_policy(`
+@@ -447,10 +534,122 @@ optional_policy(`
  	pulseaudio_stream_connect(mozilla_plugin_t)
  	pulseaudio_setattr_home_dir(mozilla_plugin_t)
  	pulseaudio_manage_home_files(mozilla_plugin_t)
@@ -36396,6 +36443,7 @@ index d4fcb75..710c1e6 100644
 +	xserver_read_user_xauth(mozilla_plugin_t)
 +	xserver_append_xdm_home_files(mozilla_plugin_t)
 +	xserver_dontaudit_xdm_tmp_dirs(mozilla_plugin_t)
++	xserver_dontaudit_xdm_rw_stream_sockets(mozilla_plugin_t)
 +	xserver_filetrans_fonts_cache_home_content(mozilla_plugin_t)
 +')
 +
@@ -39484,7 +39532,7 @@ index 8581040..d7d9a79 100644
  	init_labeled_script_domtrans($1, nagios_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/nagios.te b/nagios.te
-index c3e2a2d..f4cbdff 100644
+index c3e2a2d..dcc9cc6 100644
 --- a/nagios.te
 +++ b/nagios.te
 @@ -5,6 +5,8 @@ policy_module(nagios, 1.12.0)
@@ -39676,18 +39724,20 @@ index c3e2a2d..f4cbdff 100644
  ')
  
  ######################################
-@@ -311,7 +315,9 @@ optional_policy(`
+@@ -311,7 +315,11 @@ optional_policy(`
  # needed by ioctl()
  allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };
  
 -files_getattr_all_mountpoints(nagios_checkdisk_plugin_t)
 +kernel_read_software_raid_state(nagios_checkdisk_plugin_t)
 +
++corecmd_exec_bin(nagios_checkdisk_plugin_t)
++
 +files_getattr_all_dirs(nagios_checkdisk_plugin_t)
  files_read_etc_runtime_files(nagios_checkdisk_plugin_t)
  
  fs_getattr_all_fs(nagios_checkdisk_plugin_t)
-@@ -323,11 +329,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
+@@ -323,11 +331,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
  # local policy for service check plugins
  #
  
@@ -39701,7 +39751,7 @@ index c3e2a2d..f4cbdff 100644
  
  corecmd_exec_bin(nagios_services_plugin_t)
  
-@@ -342,6 +348,8 @@ files_read_usr_files(nagios_services_plugin_t)
+@@ -342,6 +350,8 @@ files_read_usr_files(nagios_services_plugin_t)
  
  optional_policy(`
  	netutils_domtrans_ping(nagios_services_plugin_t)
@@ -39710,7 +39760,7 @@ index c3e2a2d..f4cbdff 100644
  ')
  
  optional_policy(`
-@@ -365,6 +373,8 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_
+@@ -365,6 +375,8 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_
  manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t)
  files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file })
  
@@ -39719,7 +39769,7 @@ index c3e2a2d..f4cbdff 100644
  kernel_read_system_state(nagios_system_plugin_t)
  kernel_read_kernel_sysctls(nagios_system_plugin_t)
  
-@@ -372,11 +382,13 @@ corecmd_exec_bin(nagios_system_plugin_t)
+@@ -372,11 +384,13 @@ corecmd_exec_bin(nagios_system_plugin_t)
  corecmd_exec_shell(nagios_system_plugin_t)
  
  dev_read_sysfs(nagios_system_plugin_t)
@@ -39735,7 +39785,7 @@ index c3e2a2d..f4cbdff 100644
  
  # needed by check_users plugin
  optional_policy(`
-@@ -391,3 +403,48 @@ optional_policy(`
+@@ -391,3 +405,48 @@ optional_policy(`
  optional_policy(`
  	unconfined_domain(nagios_unconfined_plugin_t)
  ')
@@ -41816,10 +41866,36 @@ index 4b15536..82e97aa 100644
  sysnet_read_config(nsd_crond_t)
  
 diff --git a/nslcd.if b/nslcd.if
-index 23c769c..0398e70 100644
+index 23c769c..51bcf02 100644
 --- a/nslcd.if
 +++ b/nslcd.if
-@@ -93,12 +93,15 @@ interface(`nslcd_stream_connect',`
+@@ -74,6 +74,25 @@ interface(`nslcd_stream_connect',`
+ 	files_search_pids($1)
+ ')
+ 
++#######################################
++## <summary>
++##  Do not audit attempts to write nslcd sock files
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain to not audit.
++##  </summary>
++## </param>
++#
++interface(`nslcd_dontaudit_write_sock_file',`
++    gen_require(`
++            type nslcd_t, nslcd_var_run_t;
++                ')
++
++    dontaudit $1 nslcd_t:sock_file write;
++    dontaudit $1 nslcd_var_run_t:sock_file write;
++')
++
+ ########################################
+ ## <summary>
+ ##	All of the rules required to administrate
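Review bot: in the new `nslcd_dontaudit_write_sock_file` interface, `dontaudit $1 nslcd_t:sock_file write;` names the daemon's process domain as the object type; socket files under /var/run are labeled nslcd_var_run_t, which the second rule already covers, so the first rule is a no-op unless some sock_file really carries nslcd_t, and `type nslcd_t` can then be dropped from gen_require. Also fix the indentation: the gen_require closing `')` sits at 16 spaces, and the doc comment uses two-space indents while the surrounding file uses tabs.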
+@@ -93,12 +112,15 @@ interface(`nslcd_stream_connect',`
  #
  interface(`nslcd_admin',`
  	gen_require(`
@@ -41838,7 +41914,7 @@ index 23c769c..0398e70 100644
  
  	# Allow nslcd_t to restart the apache service
  	nslcd_initrc_domtrans($1)
-@@ -106,9 +109,9 @@ interface(`nslcd_admin',`
+@@ -106,9 +128,9 @@ interface(`nslcd_admin',`
  	role_transition $2 nslcd_initrc_exec_t system_r;
  	allow $2 system_r;
  
@@ -45442,10 +45518,10 @@ index 0000000..8c906ee
 +/etc/openvswitch(/.*)?		gen_context(system_u:object_r:openvswitch_rw_t,s0)
 diff --git a/openvswitch.if b/openvswitch.if
 new file mode 100644
-index 0000000..14f29e4
+index 0000000..448e42b
 --- /dev/null
 +++ b/openvswitch.if
-@@ -0,0 +1,242 @@
+@@ -0,0 +1,262 @@
 +
 +## <summary>policy for openvswitch</summary>
 +
@@ -45624,6 +45700,26 @@ index 0000000..14f29e4
 +
 +########################################
 +## <summary>
++##	Allow stream connect to openvswitch.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++
++interface(`openvswitch_stream_connect',`
++    gen_require(`
++            type openvswitch_t, openvswitch_var_run_t;
++                ')
++
++    files_search_pids($1)
++    stream_connect_pattern($1, openvswitch_var_run_t, openvswitch_var_run_t, openvswitch_t)
++')
++
++########################################
++## <summary>
 +##	Execute openvswitch server in the openvswitch domain.
 +## </summary>
 +## <param name="domain">
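Review bot: the new `openvswitch_stream_connect` interface has a blank line between the `++#` terminator and `++interface(`openvswitch_stream_connect',`, which breaks the documentation block convention used by the other interfaces in this file (the `#` line must directly precede `interface(`). The gen_require block is also indented with 4/12/16 spaces rather than the file's tabs. The `stream_connect_pattern($1, openvswitch_var_run_t, openvswitch_var_run_t, openvswitch_t)` call itself is correctly ordered, and the header growth from 242 to 262 lines matches the 20 added lines.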
@@ -46655,7 +46751,7 @@ index 920b13f..22b745a 100644
 +	logging_send_syslog_msg(pegasus_openlmi_$1_t)
 +')
 diff --git a/pegasus.te b/pegasus.te
-index 3185114..2d917be 100644
+index 3185114..319c43b 100644
 --- a/pegasus.te
 +++ b/pegasus.te
 @@ -5,10 +5,15 @@ policy_module(pegasus, 1.8.0)
@@ -46774,16 +46870,16 @@ index 3185114..2d917be 100644
  files_list_var_lib(pegasus_t)
  files_read_var_lib_files(pegasus_t)
  files_read_var_lib_symlinks(pegasus_t)
-@@ -112,8 +137,6 @@ init_stream_connect_script(pegasus_t)
+@@ -112,7 +137,7 @@ init_stream_connect_script(pegasus_t)
  logging_send_audit_msgs(pegasus_t)
  logging_send_syslog_msg(pegasus_t)
  
 -miscfiles_read_localization(pegasus_t)
--
++mount_exec(pegasus_t)
+ 
  sysnet_read_config(pegasus_t)
  sysnet_domtrans_ifconfig(pegasus_t)
- 
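Review bot: `++mount_exec(pegasus_t)` runs the mount binary inside pegasus_t rather than transitioning to mount_t, so every privilege mount(2) needs has to be granted to the pegasus daemon's own domain, widening it permanently; `mount_domtrans(pegasus_t)` would confine that work to mount_t instead. The call is also placed outside an optional_policy block even though mount is a separate module, so the policy fails to build when that module is not present. Suggest:

optional_policy(`
	mount_domtrans(pegasus_t)
')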
-@@ -121,12 +144,48 @@ userdom_dontaudit_use_unpriv_user_fds(pegasus_t)
+@@ -121,12 +146,48 @@ userdom_dontaudit_use_unpriv_user_fds(pegasus_t)
  userdom_dontaudit_search_user_home_dirs(pegasus_t)
  
  optional_policy(`
@@ -46833,7 +46929,7 @@ index 3185114..2d917be 100644
  ')
  
  optional_policy(`
-@@ -136,3 +195,14 @@ optional_policy(`
+@@ -136,3 +197,14 @@ optional_policy(`
  optional_policy(`
  	unconfined_signull(pegasus_t)
  ')
@@ -48001,10 +48097,10 @@ index 0000000..0c167b7
 +/usr/lib/systemd/system/pki-tomcat.*	gen_context(system_u:object_r:pki_tomcat_unit_file_t,s0)
 diff --git a/pki.if b/pki.if
 new file mode 100644
-index 0000000..83c13cf
+index 0000000..8119448
 --- /dev/null
 +++ b/pki.if
-@@ -0,0 +1,248 @@
+@@ -0,0 +1,265 @@
 +
 +## <summary>policy for pki</summary>
 +########################################
@@ -48253,6 +48349,23 @@ index 0000000..83c13cf
 +    manage_files_pattern($1, pki_apache_config, pki_apache_config)
 +')
 +
++#################################
++## <summary>
++##  Allow domain to read pki tomcat lib files.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`pki_read_tomcat_lib_files',`
++    gen_require(`
++        type pki_tomcat_var_lib_t;
++    ')
++    
++    read_files_pattern($1, pki_tomcat_var_lib_t, pki_tomcat_var_lib_t)
++')
 diff --git a/pki.te b/pki.te
 new file mode 100644
 index 0000000..8bad28e
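Review bot: pki_read_tomcat_lib_files grants read_files_pattern on pki_tomcat_var_lib_t but gives the caller no permission to search the parent var_lib directory, so a domain that has nothing else on /var/lib will still be denied at the path walk; the rgmanager interfaces in this same patch pair their var_lib rule with files_list_var_lib($1), and the equivalent here would be files_search_var_lib($1) before the read_files_pattern line. Two style nits: the `#################################` banner is shorter than the forty-character banner the other interfaces in the file use, and the line after `')` carries trailing whitespace.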
@@ -55174,10 +55287,10 @@ index 0000000..010b2be
 +')
 diff --git a/quantum.te b/quantum.te
 new file mode 100644
-index 0000000..992837f
+index 0000000..2b0a6a0
 --- /dev/null
 +++ b/quantum.te
-@@ -0,0 +1,81 @@
+@@ -0,0 +1,100 @@
 +policy_module(quantum, 1.0.0)
 +
 +########################################
@@ -55257,6 +55370,25 @@ index 0000000..992837f
 +')
 +
 +optional_policy(`
++    mysql_stream_connect(quantum_t)
++    mysql_read_config(quantum_t)
++
++    mysql_tcp_connect(quantum_t)
++')
++
++optional_policy(`
++    postgresql_stream_connect(quantum_t)
++    postgresql_unpriv_client(quantum_t)
++
++    postgresql_tcp_connect(quantum_t)
++')
++
++optional_policy(`
++    openvswitch_domtrans(quantum_t)
++    openvswitch_stream_connect(quantum_t)
++')
++
++optional_policy(`
 +	sudo_exec(quantum_t)
 +')
 diff --git a/quota.fc b/quota.fc
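Review bot: the three new optional_policy blocks are indented with four spaces while the existing sudo_exec block directly below uses a tab; keep quantum.te on tabs. On content: mysql_tcp_connect and postgresql_tcp_connect grant quantum_t network access to the database servers unconditionally, on top of the local stream_connect rules, so if the deployment only uses local sockets the TCP rules widen the domain's reach beyond what "Allow quantum to use databas" needs and would be better gated. openvswitch_domtrans plus openvswitch_stream_connect match the two openvswitch changelog entries.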
@@ -56914,7 +57046,7 @@ index 3c97ef0..91e69b8 100644
 +/var/run/heartbeat(/.*)?             gen_context(system_u:object_r:rgmanager_var_run_t,s0)
  /var/run/rgmanager\.pid			--	gen_context(system_u:object_r:rgmanager_var_run_t,s0)
 diff --git a/rgmanager.if b/rgmanager.if
-index 7dc38d1..8af1f78 100644
+index 7dc38d1..a4133dc 100644
 --- a/rgmanager.if
 +++ b/rgmanager.if
 @@ -5,9 +5,9 @@
@@ -56964,7 +57096,7 @@ index 7dc38d1..8af1f78 100644
  ######################################
  ## <summary>
  ##	Allow manage rgmanager tmp files.
-@@ -75,3 +94,111 @@ interface(`rgmanager_manage_tmpfs_files',`
+@@ -75,3 +94,130 @@ interface(`rgmanager_manage_tmpfs_files',`
  	fs_search_tmpfs($1)
  	manage_files_pattern($1, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
  ')
@@ -57073,9 +57205,28 @@ index 7dc38d1..8af1f78 100644
 +    ')
 +
 +    files_list_var_lib($1)
-+	allow $1 rgmanager_var_lib_t:dir search_dir_perms;
++    allow $1 rgmanager_var_lib_t:dir search_dir_perms;
 +    can_exec($1, rgmanager_var_lib_t)
 +')
++
++######################################
++## <summary>
++##  Allow the specified domain to search rgmanager's lib files.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`rgmanager_search_lib',`
++    gen_require(`
++        type rgmanager_var_lib_t;
++    ')
++
++    files_list_var_lib($1)
++    allow $1 rgmanager_var_lib_t:dir search_dir_perms;
++')
 diff --git a/rgmanager.te b/rgmanager.te
 index 3786c45..1ad9c12 100644
 --- a/rgmanager.te
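Review bot: rgmanager_search_lib duplicates the first two rules of the interface immediately above it (files_list_var_lib($1) and the search_dir_perms allow on rgmanager_var_lib_t); having the exec interface call rgmanager_search_lib($1) and then can_exec would keep the two from drifting apart. The whitespace-only change at the top of this hunk converts a tab-indented allow line to four spaces, which goes against the tab indentation used elsewhere in rgmanager.if (see the fs_search_tmpfs lines in the preceding hunk).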
@@ -57555,7 +57706,7 @@ index de37806..aee7ba7 100644
 +	relabelfrom_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
 +')
 diff --git a/rhcs.te b/rhcs.te
-index 93c896a..8aa7362 100644
+index 93c896a..51852b6 100644
 --- a/rhcs.te
 +++ b/rhcs.te
 @@ -12,7 +12,16 @@ policy_module(rhcs, 1.1.0)
@@ -57692,7 +57843,7 @@ index 93c896a..8aa7362 100644
  ')
  
  optional_policy(`
-@@ -114,13 +164,52 @@ optional_policy(`
+@@ -114,13 +164,51 @@ optional_policy(`
  	lvm_read_config(fenced_t)
  ')
  
@@ -57731,9 +57882,8 @@ index 93c896a..8aa7362 100644
 +')
 +
 +optional_policy(`
-+		snmp_read_snmp_var_lib_files(foghorn_t)
-+		snmp_dontaudit_write_snmp_var_lib_files(foghorn_t)
-+		snmp_stream_connect(foghorn_t)
++    snmp_manage_var_lib_dirs(foghorn_t)
++	snmp_stream_connect(foghorn_t)
 +')
 +
  ######################################
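Review bot: replacing snmp_read_snmp_var_lib_files and snmp_dontaudit_write_snmp_var_lib_files with snmp_manage_var_lib_dirs changes what foghorn_t is granted, not just how much: the old rules covered reading files, the new one covers managing directories, so unless snmp_manage_var_lib_dirs also grants file access the read permission foghorn previously had is silently dropped, and the writes that were dontaudited before will now surface as denials. The two surviving lines also use different indentation (four spaces on the first, a tab on the second).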
@@ -57746,7 +57896,7 @@ index 93c896a..8aa7362 100644
  allow gfs_controld_t self:shm create_shm_perms;
  allow gfs_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
  
-@@ -139,10 +228,6 @@ storage_getattr_removable_dev(gfs_controld_t)
+@@ -139,10 +227,6 @@ storage_getattr_removable_dev(gfs_controld_t)
  init_rw_script_tmp_files(gfs_controld_t)
  
  optional_policy(`
@@ -57757,7 +57907,7 @@ index 93c896a..8aa7362 100644
  	lvm_exec(gfs_controld_t)
  	dev_rw_lvm_control(gfs_controld_t)
  ')
-@@ -154,12 +239,12 @@ optional_policy(`
+@@ -154,12 +238,12 @@ optional_policy(`
  
  allow groupd_t self:capability { sys_nice sys_resource };
  allow groupd_t self:process setsched;
@@ -57772,7 +57922,7 @@ index 93c896a..8aa7362 100644
  
  init_rw_script_tmp_files(groupd_t)
  
-@@ -168,8 +253,7 @@ init_rw_script_tmp_files(groupd_t)
+@@ -168,8 +252,7 @@ init_rw_script_tmp_files(groupd_t)
  # qdiskd local policy
  #
  
@@ -57782,7 +57932,7 @@ index 93c896a..8aa7362 100644
  allow qdiskd_t self:tcp_socket create_stream_socket_perms;
  allow qdiskd_t self:udp_socket create_socket_perms;
  
-@@ -182,7 +266,7 @@ kernel_read_system_state(qdiskd_t)
+@@ -182,7 +265,7 @@ kernel_read_system_state(qdiskd_t)
  kernel_read_software_raid_state(qdiskd_t)
  kernel_getattr_core_if(qdiskd_t)
  
@@ -57791,7 +57941,7 @@ index 93c896a..8aa7362 100644
  corecmd_exec_shell(qdiskd_t)
  
  dev_read_sysfs(qdiskd_t)
-@@ -197,19 +281,16 @@ domain_dontaudit_getattr_all_sockets(qdiskd_t)
+@@ -197,19 +280,16 @@ domain_dontaudit_getattr_all_sockets(qdiskd_t)
  
  files_dontaudit_getattr_all_sockets(qdiskd_t)
  files_dontaudit_getattr_all_pipes(qdiskd_t)
@@ -57815,7 +57965,7 @@ index 93c896a..8aa7362 100644
  optional_policy(`
  	netutils_domtrans_ping(qdiskd_t)
  ')
-@@ -223,18 +304,24 @@ optional_policy(`
+@@ -223,18 +303,24 @@ optional_policy(`
  # rhcs domains common policy
  #
  
@@ -59904,12 +60054,14 @@ index a63e9ee..e4a0c9b 100644
 +	nis_use_ypbind(rpcbind_t)
 +')
 diff --git a/rpm.fc b/rpm.fc
-index b2a0b6a..2f7a9b1 100644
+index b2a0b6a..ea27ee5 100644
 --- a/rpm.fc
 +++ b/rpm.fc
-@@ -2,10 +2,13 @@
+@@ -1,11 +1,15 @@
+ 
  /bin/rpm 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
  
++/usr/bin/anaconda-yum		--	gen_context(system_u:object_r:rpm_exec_t,s0)
  /usr/bin/debuginfo-install	--	gen_context(system_u:object_r:debuginfo_exec_t,s0)
 +/usr/bin/dnf			--	gen_context(system_u:object_r:rpm_exec_t,s0)
  /usr/bin/rpm 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
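Review bot: labeling /usr/bin/anaconda-yum as rpm_exec_t makes it an entrypoint into the rpm domain for every caller that has a transition on rpm_exec_t, so it needs the same trust as /usr/bin/rpm and /usr/bin/dnf that share the label here; worth confirming it is the installer's own package binary and not a wrapper that can be pointed at other code. The inner hunk header moved from -2,10 +2,13 to -1,11 +1,15 to pull in a leading blank context line; harmless, but unnecessary churn in the patch.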
@@ -59921,7 +60073,7 @@ index b2a0b6a..2f7a9b1 100644
  
  /usr/libexec/packagekitd	--	gen_context(system_u:object_r:rpm_exec_t,s0)
  /usr/libexec/yumDBUSBackend.py	--	gen_context(system_u:object_r:rpm_exec_t,s0)
-@@ -14,18 +17,25 @@
+@@ -14,18 +18,25 @@
  
  /usr/sbin/system-install-packages --	gen_context(system_u:object_r:rpm_exec_t,s0)
  /usr/sbin/yum-updatesd		--	gen_context(system_u:object_r:rpm_exec_t,s0)
@@ -59947,7 +60099,7 @@ index b2a0b6a..2f7a9b1 100644
  ')
  
  /var/cache/PackageKit(/.*)?		gen_context(system_u:object_r:rpm_var_cache_t,s0)
-@@ -35,10 +45,12 @@ ifdef(`distro_redhat', `
+@@ -35,10 +46,12 @@ ifdef(`distro_redhat', `
  /var/lib/PackageKit(/.*)?		gen_context(system_u:object_r:rpm_var_lib_t,s0)
  /var/lib/rpm(/.*)?			gen_context(system_u:object_r:rpm_var_lib_t,s0)
  /var/lib/yum(/.*)?			gen_context(system_u:object_r:rpm_var_lib_t,s0)
@@ -59962,7 +60114,7 @@ index b2a0b6a..2f7a9b1 100644
  /var/run/PackageKit(/.*)?		gen_context(system_u:object_r:rpm_var_run_t,s0)
  
 diff --git a/rpm.if b/rpm.if
-index 951d8f6..bedc8ae 100644
+index 951d8f6..2363592 100644
 --- a/rpm.if
 +++ b/rpm.if
 @@ -13,10 +13,13 @@
@@ -60092,7 +60244,34 @@ index 951d8f6..bedc8ae 100644
  ')
  
  ########################################
-@@ -513,7 +563,7 @@ interface(`rpm_dontaudit_manage_db',`
+@@ -499,6 +549,26 @@ interface(`rpm_manage_db',`
+ 
+ ########################################
+ ## <summary>
++##	Do not audit attempts to create, read,the RPM package database.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`rpm_dontaudit_read_db',`
++	gen_require(`
++		type rpm_var_lib_t;
++	')
++
++	dontaudit $1 rpm_var_lib_t:dir list_dir_perms;
++	dontaudit $1 rpm_var_lib_t:file read_file_perms;
++	dontaudit $1 rpm_var_lib_t:lnk_file read_lnk_file_perms;
++')
++
++########################################
++## <summary>
+ ##	Do not audit attempts to create, read,
+ ##	write, and delete the RPM package database.
+ ## </summary>
+@@ -513,7 +583,7 @@ interface(`rpm_dontaudit_manage_db',`
  		type rpm_var_lib_t;
  	')
  
@@ -60101,7 +60280,7 @@ index 951d8f6..bedc8ae 100644
  	dontaudit $1 rpm_var_lib_t:file manage_file_perms;
  	dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
  ')
-@@ -573,3 +623,66 @@ interface(`rpm_pid_filetrans',`
+@@ -573,3 +643,66 @@ interface(`rpm_pid_filetrans',`
  
  	files_pid_filetrans($1, rpm_var_run_t, file)
  ')
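Review bot: the summary for rpm_dontaudit_read_db reads "Do not audit attempts to create, read,the RPM package database.", which is the truncated first line of the rpm_dontaudit_manage_db summary below it; it should say "Do not audit attempts to read the RPM package database." The rules themselves are consistent with a read-only dontaudit (list_dir_perms, read_file_perms, read_lnk_file_perms), which is the right scope for the httpd_t createrepo case in the changelog rather than reusing the manage variant.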
@@ -61341,7 +61520,7 @@ index 82cb169..4f6fe4a 100644
 +	allow $1 samba_unit_file_t:service all_service_perms;
  ')
 diff --git a/samba.te b/samba.te
-index 905883f..57f516b 100644
+index 905883f..3c1e5e4 100644
 --- a/samba.te
 +++ b/samba.te
 @@ -12,7 +12,7 @@ policy_module(samba, 1.15.0)
@@ -61979,7 +62158,7 @@ index 905883f..57f516b 100644
  
  userdom_dontaudit_use_unpriv_user_fds(winbind_t)
  userdom_manage_user_home_content_dirs(winbind_t)
-@@ -871,6 +943,15 @@ userdom_manage_user_home_content_sockets(winbind_t)
+@@ -871,7 +943,17 @@ userdom_manage_user_home_content_sockets(winbind_t)
  userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file })
  
  optional_policy(`
@@ -61993,9 +62172,11 @@ index 905883f..57f516b 100644
 +
 +optional_policy(`
  	kerberos_use(winbind_t)
++	kerberos_filetrans_named_content(winbind_t)
  ')
  
-@@ -909,9 +990,7 @@ auth_use_nsswitch(winbind_helper_t)
+ optional_policy(`
+@@ -909,9 +991,7 @@ auth_use_nsswitch(winbind_helper_t)
  
  logging_send_syslog_msg(winbind_helper_t)
  
@@ -62006,7 +62187,7 @@ index 905883f..57f516b 100644
  
  optional_policy(`
  	apache_append_log(winbind_helper_t)
-@@ -929,19 +1008,34 @@ optional_policy(`
+@@ -929,19 +1009,34 @@ optional_policy(`
  #
  
  optional_policy(`
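Review bot: kerberos_filetrans_named_content(winbind_t) only selects the label for files winbind creates; the changelog entry "Allow winbind to manage kerberos_rcache_host" implies winbind also needs permission to create and write those files, which this hunk does not add, so confirm the existing kerberos_use(winbind_t) call or another rule already covers that. The inner header change to -871,7 +943,17 correctly accounts for the extra context line and the one added rule.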
@@ -66756,7 +66937,7 @@ index c954f31..82fc7f6 100644
 +	admin_pattern($1, spamd_var_run_t)
  ')
 diff --git a/spamassassin.te b/spamassassin.te
-index 1bbf73b..9f47545 100644
+index 1bbf73b..a34889f 100644
 --- a/spamassassin.te
 +++ b/spamassassin.te
 @@ -6,52 +6,40 @@ policy_module(spamassassin, 2.5.0)
@@ -67152,11 +67333,13 @@ index 1bbf73b..9f47545 100644
  files_spool_filetrans(spamd_t, spamd_spool_t, { file dir })
  
  manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
-@@ -310,16 +411,21 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
+@@ -309,17 +410,22 @@ manage_files_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
+ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
  
  # var/lib files for spamd
- allow spamd_t spamd_var_lib_t:dir list_dir_perms;
+-allow spamd_t spamd_var_lib_t:dir list_dir_perms;
 -read_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
++manage_dirs_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
 +manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
 +manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
  
@@ -71809,10 +71992,10 @@ index 65baaac..3b93d32 100644
 +	can_exec($1, consolehelper_exec_t)
 +')
 diff --git a/userhelper.te b/userhelper.te
-index f25ed61..ea90255 100644
+index f25ed61..9ce1516 100644
 --- a/userhelper.te
 +++ b/userhelper.te
-@@ -6,9 +6,81 @@ policy_module(userhelper, 1.7.0)
+@@ -6,9 +6,89 @@ policy_module(userhelper, 1.7.0)
  #
  
  attribute userhelper_type;
@@ -71876,6 +72059,14 @@ index f25ed61..ea90255 100644
 +userdom_use_user_ptys(consolehelper_domain)
 +userdom_use_user_ttys(consolehelper_domain)
 +userdom_read_user_home_content_files(consolehelper_domain)
++userdom_search_admin_dir(consolehelper_domain)
++
++optional_policy(`
++	dbus_session_bus_client(consolehelper_domain)
++	optional_policy(`
++		devicekit_dbus_chat_disk(consolehelper_domain)
++	')
++')
 +
 +optional_policy(`
 +	gnome_read_gconf_home_files(consolehelper_domain)
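Review bot: none of these consolehelper_domain additions (userdom_search_admin_dir, dbus_session_bus_client, devicekit_dbus_chat_disk) has a corresponding entry in the selinux-policy.spec changelog hunk of this commit; add one so the change is traceable from the package history. The nested optional_policy around devicekit_dbus_chat_disk is the correct structure, since that rule only makes sense when the dbus module is also present.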
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 1201894..0d8b4ee 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.11.1
-Release: 89%{?dist}
+Release: 90%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -521,6 +521,33 @@ SELinux Reference policy mls base module.
 %endif
 
 %Changelog
+* Mon Apr 15 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-90
+- Allow git_system_t to read network state
+- Allow pegasas to execute mount command
+- Allow nagios check disk plugins to execute bin_t
+- Remove transition to mozilla_tmp_t by mozilla_t, to allow it to manage the users tmp dirs
+- Allow quantum to transition to openvswitch_t
+- Allow quantum to use databas
+- allow quantum to stream connect to openvswitch
+- Allow alsa_t signal_perms, we probaly should search for any app that can execute something without transition and give it signal_perms...
+- Add dontaudit for mozilla_plugin_t looking at the xdm_t sockets
+- Allow winbind to manage kerberos_rcache_host
+- Allow spamd to create spamd_var_lib_t directories
+- Dontaudit attempts by httpd_t attempting to read rpm database.  Customer triggered this by executing createrepo, needs back port to rhel6
+- Add mising nslcd_dontaudit_write_sock_file() interface
+- Fix pki_read_tomcat_lib_files() interface
+- Allow certmonger to read pki-tomcat lib files
+- Allow certwatch to execute bin_t
+- Allow snmp to manage /var/lib/net-snmp files
+- Fix for openvswitch_stream_connect()
+- Add rgmanager_search_lib() interface
+- Fix pki_read_tomcat_lib_files() interface
+- Fix cobbler_manage_lib_files() interface
+- Add xserver_dontaudit_xdm_rw_stream_sockets() interface
+- Allow daemon to send dgrams to initrc_t
+- Update textrel_shlib_t names
+- Allow kdm to start the power service to initiate a reboot or poweroff
+
 * Mon Apr 8 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-89
 - Add port definition for osapi_compute port
 - User accounts need to dbus chat with accountsd daemon
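Review bot: "Fix pki_read_tomcat_lib_files() interface" is listed twice in this changelog entry, and several lines carry typos that will ship in the package metadata: "pegasas" (pegasus), "databas" (database), "probaly" (probably), "mising" (missing). The entry also omits the consolehelper_domain dbus/devicekit additions made in userhelper.te in this same commit.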

