commit f36b0da05d30533588bb0a7112e51039be40876d
Author: Miroslav Grepl <mgrepl(a)redhat.com>
Date: Fri Nov 30 21:13:13 2012 +0100
* Fri Nov 30 2012 Miroslav Grepl <mgrepl(a)redhat.com> 3.11.1-58
- Add back consolekit policy
- Silence bootloader trying to use inherited tty
- Silence xdm_dbusd_t trying to execute telepathy apps
- Fix shutdown avcs when machine has unconfined.pp disabled
- The host and a virtual machine can share the same printer on a usb device
- Change oddjob to transition to a ranged openshift_initr_exec_t when run from oddjob
- Allow abrt_watch_log_t to execute bin_t
- Allow chrome sandbox to write content in ~/.config/chromium
- Dontaudit setattr on fontconfig dir for thumb_t
- Allow lircd to request the kernel to load module
- Make rsync a userdom_home_manager
- Allow rsync to search automount filesystem
- Add fixes for pacemaker
modules-targeted-contrib.conf | 2 +
policy-rawhide.patch | 346 +++++++++++++++++++++++-------------
policy_contrib-rawhide.patch | 387 ++++++++++++++++++++++++++++++++++-------
selinux-policy.spec | 17 ++-
4 files changed, 561 insertions(+), 191 deletions(-)
---
diff --git a/modules-targeted-contrib.conf b/modules-targeted-contrib.conf
index 6e04a59..0d7380f 100644
--- a/modules-targeted-contrib.conf
+++ b/modules-targeted-contrib.conf
@@ -2277,3 +2277,5 @@ pki = module
# policy for smsd
#
smsd = module
+
+consolekit = module
diff --git a/policy-rawhide.patch b/policy-rawhide.patch
index 20d327c..d885a84 100644
--- a/policy-rawhide.patch
+++ b/policy-rawhide.patch
@@ -110571,7 +110571,7 @@ index a778bb1..5e914db 100644
+ files_etc_filetrans($1,bootloader_etc_t,file, "yaboot.conf")
+')
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
-index ab0439a..803bd27 100644
+index ab0439a..57890fe 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -5,8 +5,8 @@ policy_module(bootloader, 1.13.0)
@@ -110643,17 +110643,18 @@ index ab0439a..803bd27 100644
fs_read_tmpfs_symlinks(bootloader_t)
#Needed for ia64
fs_manage_dos_files(bootloader_t)
-@@ -89,7 +107,9 @@ mls_file_read_all_levels(bootloader_t)
+@@ -89,7 +107,10 @@ mls_file_read_all_levels(bootloader_t)
mls_file_write_all_levels(bootloader_t)
term_getattr_all_ttys(bootloader_t)
+term_getattr_all_ptys(bootloader_t)
term_dontaudit_manage_pty_dirs(bootloader_t)
+term_dontaudit_getattr_generic_ptys(bootloader_t)
++term_use_unallocated_ttys(bootloader_t)
corecmd_exec_all_executables(bootloader_t)
-@@ -98,12 +118,14 @@ domain_use_interactive_fds(bootloader_t)
+@@ -98,12 +119,14 @@ domain_use_interactive_fds(bootloader_t)
files_create_boot_dirs(bootloader_t)
files_manage_boot_files(bootloader_t)
files_manage_boot_symlinks(bootloader_t)
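Review bot: `++term_use_unallocated_ttys(bootloader_t)` grants bootloader_t read/write access to unallocated ttys, while the changelog entry for this change only says it silences the bootloader's inherited-tty denial; an allow rule is broader than the dontaudit that wording describes. If the goal is just to quiet the AVC, `term_dontaudit_use_unallocated_ttys(bootloader_t)` is the narrower rule; if the bootloader genuinely needs the tty, the changelog line should say so instead of "Silence". The same allow-versus-silence mismatch appears in the xserver.te hunk that adds `telepathy_exec(xdm_dbusd_t)` under an entry that also says "Silence".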
@@ -110668,7 +110669,7 @@ index ab0439a..803bd27 100644
# for nscd
files_dontaudit_search_pids(bootloader_t)
# for blkid.tab
-@@ -111,6 +133,7 @@ files_manage_etc_runtime_files(bootloader_t)
+@@ -111,6 +134,7 @@ files_manage_etc_runtime_files(bootloader_t)
files_etc_filetrans_etc_runtime(bootloader_t, file)
files_dontaudit_search_home(bootloader_t)
@@ -110676,7 +110677,7 @@ index ab0439a..803bd27 100644
init_getattr_initctl(bootloader_t)
init_use_script_ptys(bootloader_t)
init_use_script_fds(bootloader_t)
-@@ -118,19 +141,21 @@ init_rw_script_pipes(bootloader_t)
+@@ -118,19 +142,21 @@ init_rw_script_pipes(bootloader_t)
libs_read_lib_files(bootloader_t)
libs_exec_lib_files(bootloader_t)
@@ -110701,7 +110702,7 @@ index ab0439a..803bd27 100644
userdom_dontaudit_search_user_home_dirs(bootloader_t)
ifdef(`distro_debian',`
-@@ -166,7 +191,8 @@ ifdef(`distro_redhat',`
+@@ -166,7 +192,8 @@ ifdef(`distro_redhat',`
files_manage_isid_type_chr_files(bootloader_t)
# for mke2fs
@@ -110711,7 +110712,7 @@ index ab0439a..803bd27 100644
optional_policy(`
unconfined_domain(bootloader_t)
-@@ -174,6 +200,10 @@ ifdef(`distro_redhat',`
+@@ -174,6 +201,10 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -110722,7 +110723,7 @@ index ab0439a..803bd27 100644
fstools_exec(bootloader_t)
')
-@@ -183,6 +213,14 @@ optional_policy(`
+@@ -183,6 +214,14 @@ optional_policy(`
')
optional_policy(`
@@ -110737,7 +110738,7 @@ index ab0439a..803bd27 100644
kudzu_domtrans(bootloader_t)
')
-@@ -195,17 +233,19 @@ optional_policy(`
+@@ -195,17 +234,19 @@ optional_policy(`
optional_policy(`
modutils_exec_insmod(bootloader_t)
@@ -112384,7 +112385,7 @@ index 7590165..19aaaed 100644
+ fs_mounton_fusefs(seunshare_domain)
+')
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index db981df..ade50ce 100644
+index db981df..62de080 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -1,9 +1,10 @@
@@ -112465,7 +112466,7 @@ index db981df..ade50ce 100644
/opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -174,53 +184,81 @@ ifdef(`distro_gentoo',`
+@@ -174,53 +184,80 @@ ifdef(`distro_gentoo',`
/opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
')
@@ -112525,7 +112526,6 @@ index db981df..ade50ce 100644
/usr/lib/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/heartbeat(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/mailman/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/mailman/mail(/.*)? gen_context(system_u:object_r:bin_t,s0)
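Review bot: Dropping `+/usr/lib/heartbeat(/.*)? gen_context(system_u:object_r:bin_t,s0)` from the inner corecommands.fc hunk leaves no replacement visible in this file, so unless the entry moved into policy_contrib-rawhide.patch (listed in the diffstat but not shown here) the heartbeat helper scripts fall back to the generic /usr/lib label, presumably lib_t, and domains that relied on bin_t access to them will start producing denials. Worth confirming the move, and noting under the "Add fixes for pacemaker" changelog line that the file contexts moved, since an fc change only takes effect on installed systems after a relabel.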
@@ -112567,7 +112567,7 @@ index db981df..ade50ce 100644
/usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/exo-1/exo-helper-1 -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/panel/migrate -- gen_context(system_u:object_r:bin_t,s0)
-@@ -235,10 +273,15 @@ ifdef(`distro_gentoo',`
+@@ -235,10 +272,15 @@ ifdef(`distro_gentoo',`
/usr/lib/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
@@ -112583,7 +112583,7 @@ index db981df..ade50ce 100644
/usr/lib/[^/]*/run-mozilla\.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
-@@ -251,11 +294,17 @@ ifdef(`distro_gentoo',`
+@@ -251,11 +293,17 @@ ifdef(`distro_gentoo',`
/usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
@@ -112605,7 +112605,7 @@ index db981df..ade50ce 100644
/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -271,6 +320,10 @@ ifdef(`distro_gentoo',`
+@@ -271,6 +319,10 @@ ifdef(`distro_gentoo',`
/usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0)
@@ -112616,7 +112616,7 @@ index db981df..ade50ce 100644
/usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/gitolite/hooks/common/update -- gen_context(system_u:object_r:bin_t,s0)
-@@ -289,16 +342,21 @@ ifdef(`distro_gentoo',`
+@@ -289,16 +341,21 @@ ifdef(`distro_gentoo',`
/usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0)
@@ -112640,7 +112640,7 @@ index db981df..ade50ce 100644
ifdef(`distro_debian',`
/usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0)
-@@ -314,8 +372,12 @@ ifdef(`distro_redhat', `
+@@ -314,8 +371,12 @@ ifdef(`distro_redhat', `
/etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0)
/etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0)
@@ -112653,7 +112653,7 @@ index db981df..ade50ce 100644
/usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -325,9 +387,11 @@ ifdef(`distro_redhat', `
+@@ -325,9 +386,11 @@ ifdef(`distro_redhat', `
/usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -112665,7 +112665,7 @@ index db981df..ade50ce 100644
/usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -376,11 +440,14 @@ ifdef(`distro_suse', `
+@@ -376,11 +439,14 @@ ifdef(`distro_suse', `
#
# /var
#
@@ -112681,7 +112681,7 @@ index db981df..ade50ce 100644
/usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)
/var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0)
-@@ -390,3 +457,12 @@ ifdef(`distro_suse', `
+@@ -390,3 +456,12 @@ ifdef(`distro_suse', `
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -120240,7 +120240,7 @@ index cda5588..91d1e25 100644
+/usr/lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
+/usr/lib/udev/devices/shm/.* <<none>>
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 7c6b791..0a4bc14 100644
+index 7c6b791..aa86bf7 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
@@ -120872,92 +120872,164 @@ index 7c6b791..0a4bc14 100644
allow $1 nfs_t:dir list_dir_perms;
read_files_pattern($1, nfs_t, nfs_t)
')
-@@ -2523,6 +2986,7 @@ interface(`fs_write_nfs_files',`
- type nfs_t;
- ')
-
-+ fs_search_auto_mountpoints($1)
- allow $1 nfs_t:dir list_dir_perms;
- write_files_pattern($1, nfs_t, nfs_t)
- ')
-@@ -2549,6 +3013,25 @@ interface(`fs_exec_nfs_files',`
+@@ -2510,81 +2973,137 @@ interface(`fs_dontaudit_read_nfs_files',`
########################################
## <summary>
-+## Make general progams in nfs an entrypoint for
-+## the specified domain.
+-## Read files on a NFS filesystem.
++## Read files on a NFS filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
-+## The domain for which nfs_t is an entrypoint.
++## Domain allowed access.
+## </summary>
+## </param>
+#
-+interface(`fs_nfs_entry_type',`
++interface(`fs_write_nfs_files',`
+ gen_require(`
+ type nfs_t;
+ ')
+
-+ domain_entry_file($1, nfs_t)
++ fs_search_auto_mountpoints($1)
++ allow $1 nfs_t:dir list_dir_perms;
++ write_files_pattern($1, nfs_t, nfs_t)
+')
+
+########################################
+## <summary>
- ## Append files
- ## on a NFS filesystem.
- ## </summary>
-@@ -2569,7 +3052,7 @@ interface(`fs_append_nfs_files',`
-
- ########################################
- ## <summary>
--## dontaudit Append files
-+## Do not audit attempts to append files
- ## on a NFS filesystem.
- ## </summary>
- ## <param name="domain">
-@@ -2589,6 +3072,42 @@ interface(`fs_dontaudit_append_nfs_files',`
-
- ########################################
- ## <summary>
-+## Read inherited files on a NFS filesystem.
++## Execute files on a NFS filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
++## <rolecap/>
+#
-+interface(`fs_read_inherited_nfs_files',`
++interface(`fs_exec_nfs_files',`
+ gen_require(`
+ type nfs_t;
+ ')
+
-+ allow $1 nfs_t:file read_inherited_file_perms;
++ allow $1 nfs_t:dir list_dir_perms;
++ exec_files_pattern($1, nfs_t, nfs_t)
+')
+
+########################################
+## <summary>
-+## Read/write inherited files on a NFS filesystem.
++## Make general progams in nfs an entrypoint for
++## the specified domain.
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain allowed access.
++## The domain for which nfs_t is an entrypoint.
+## </summary>
+## </param>
+#
-+interface(`fs_rw_inherited_nfs_files',`
++interface(`fs_nfs_entry_type',`
+ gen_require(`
+ type nfs_t;
+ ')
+
-+ allow $1 nfs_t:file rw_inherited_file_perms;
++ domain_entry_file($1, nfs_t)
+')
+
+########################################
+## <summary>
- ## Do not audit attempts to read or
- ## write files on a NFS filesystem.
++## Append files
++## on a NFS filesystem.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
++## <rolecap/>
+ #
+-interface(`fs_write_nfs_files',`
++interface(`fs_append_nfs_files',`
+ gen_require(`
+ type nfs_t;
+ ')
+
+- allow $1 nfs_t:dir list_dir_perms;
+- write_files_pattern($1, nfs_t, nfs_t)
++ append_files_pattern($1, nfs_t, nfs_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Execute files on a NFS filesystem.
++## Do not audit attempts to append files
++## on a NFS filesystem.
## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
++## Domain to not audit.
+ ## </summary>
+ ## </param>
+ ## <rolecap/>
+ #
+-interface(`fs_exec_nfs_files',`
++interface(`fs_dontaudit_append_nfs_files',`
+ gen_require(`
+ type nfs_t;
+ ')
+
+- allow $1 nfs_t:dir list_dir_perms;
+- exec_files_pattern($1, nfs_t, nfs_t)
++ dontaudit $1 nfs_t:file append_file_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Append files
+-## on a NFS filesystem.
++## Read inherited files on a NFS filesystem.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`fs_append_nfs_files',`
++interface(`fs_read_inherited_nfs_files',`
+ gen_require(`
+ type nfs_t;
+ ')
+
+- append_files_pattern($1, nfs_t, nfs_t)
++ allow $1 nfs_t:file read_inherited_file_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## dontaudit Append files
+-## on a NFS filesystem.
++## Read/write inherited files on a NFS filesystem.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain to not audit.
++## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`fs_dontaudit_append_nfs_files',`
++interface(`fs_rw_inherited_nfs_files',`
+ gen_require(`
+ type nfs_t;
+ ')
+
+- dontaudit $1 nfs_t:file append_file_perms;
++ allow $1 nfs_t:file rw_inherited_file_perms;
+ ')
+
+ ########################################
@@ -2603,7 +3122,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
type nfs_t;
')
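Review bot: The rewritten inner hunk `@@ -2510,81 +2973,137 @@` re-emits six nfs interfaces as removed-and-re-added text, yet as far as the visible lines show the resulting filesystem.if is the same as what the previous one-line insertion at `@@ -2523,6 +2986,7 @@` produced — fs_write_nfs_files still gains exactly `fs_search_auto_mountpoints($1)` and the other interfaces come back in their original order. If that is the case, this is churn from regenerating the patch and the smaller hunk should be kept so the functional change stays reviewable. Either way the re-added text carries the typo `## Make general progams in nfs an entrypoint for` in the fs_nfs_entry_type summary, which should read `programs`.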
@@ -121224,10 +121296,28 @@ index 7c6b791..0a4bc14 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -4185,6 +4833,42 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -4185,6 +4833,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
########################################
## <summary>
++## Do not audit attempts to create character nodes on tmpfs filesystems.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`fs_dontaudit_create_tmpfs_chr_dev',`
++ gen_require(`
++ type tmpfs_t;
++ ')
++
++ dontaudit $1 tmpfs_t:chr_file create;
++')
++
++########################################
++## <summary>
+## Do not audit attempts to dontaudit read block nodes on tmpfs filesystems.
+## </summary>
+## <param name="domain">
@@ -121267,7 +121357,7 @@ index 7c6b791..0a4bc14 100644
## Relabel character nodes on tmpfs filesystems.
## </summary>
## <param name="domain">
-@@ -4242,6 +4926,43 @@ interface(`fs_relabel_tmpfs_blk_file',`
+@@ -4242,6 +4944,43 @@ interface(`fs_relabel_tmpfs_blk_file',`
########################################
## <summary>
@@ -121311,7 +121401,7 @@ index 7c6b791..0a4bc14 100644
## Read and write, create and delete generic
## files on tmpfs filesystems.
## </summary>
-@@ -4261,6 +4982,25 @@ interface(`fs_manage_tmpfs_files',`
+@@ -4261,6 +5000,25 @@ interface(`fs_manage_tmpfs_files',`
########################################
## <summary>
@@ -121337,7 +121427,7 @@ index 7c6b791..0a4bc14 100644
## Read and write, create and delete symbolic
## links on tmpfs filesystems.
## </summary>
-@@ -4467,6 +5207,8 @@ interface(`fs_mount_all_fs',`
+@@ -4467,6 +5225,8 @@ interface(`fs_mount_all_fs',`
')
allow $1 filesystem_type:filesystem mount;
@@ -121346,7 +121436,7 @@ index 7c6b791..0a4bc14 100644
')
########################################
-@@ -4513,7 +5255,7 @@ interface(`fs_unmount_all_fs',`
+@@ -4513,7 +5273,7 @@ interface(`fs_unmount_all_fs',`
## <desc>
## <p>
## Allow the specified domain to
@@ -121355,7 +121445,7 @@ index 7c6b791..0a4bc14 100644
## Example attributes:
## </p>
## <ul>
-@@ -4876,3 +5618,43 @@ interface(`fs_unconfined',`
+@@ -4876,3 +5636,43 @@ interface(`fs_unconfined',`
typeattribute $1 filesystem_unconfined_type;
')
@@ -129445,7 +129535,7 @@ index 130ced9..a75282a 100644
+ files_search_tmp($1)
+')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index d40f750..b89d276 100644
+index d40f750..6080063 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,27 +26,50 @@ gen_require(`
@@ -130124,7 +130214,7 @@ index d40f750..b89d276 100644
')
optional_policy(`
-@@ -514,12 +740,71 @@ optional_policy(`
+@@ -514,12 +740,74 @@ optional_policy(`
')
optional_policy(`
@@ -130146,7 +130236,6 @@ index d40f750..b89d276 100644
+
+ corecmd_bin_entry_type(xdm_t)
+
-+
+ optional_policy(`
+ bluetooth_dbus_chat(xdm_t)
+ ')
@@ -130171,6 +130260,10 @@ index d40f750..b89d276 100644
+ optional_policy(`
+ networkmanager_dbus_chat(xdm_t)
+ ')
++
++ optional_policy(`
++ telepathy_exec(xdm_dbusd_t)
++ ')
+')
+
+optional_policy(`
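Review bot: `++ telepathy_exec(xdm_dbusd_t)` lets xdm_dbusd_t run the telepathy binaries without a domain transition, so, assuming the contrib interface is a plain can_exec (telepathy.if is not visible here), whatever telepathy launches from the login screen keeps xdm_dbusd_t's own permissions rather than moving to a telepathy domain. If a transition is what is wanted, the contrib domtrans interface for telepathy would be the right call; if not, a one-line comment above the rule naming the component that triggers it would keep the grant reviewable. The enclosing optional_policy block begins outside this hunk.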
@@ -130196,7 +130289,7 @@ index d40f750..b89d276 100644
hostname_exec(xdm_t)
')
-@@ -537,28 +822,74 @@ optional_policy(`
+@@ -537,28 +825,74 @@ optional_policy(`
')
optional_policy(`
@@ -130280,7 +130373,7 @@ index d40f750..b89d276 100644
')
optional_policy(`
-@@ -570,6 +901,14 @@ optional_policy(`
+@@ -570,6 +904,14 @@ optional_policy(`
')
optional_policy(`
@@ -130295,7 +130388,7 @@ index d40f750..b89d276 100644
xfs_stream_connect(xdm_t)
')
-@@ -594,8 +933,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -594,8 +936,11 @@ allow xserver_t input_xevent_t:x_event send;
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -130308,7 +130401,7 @@ index d40f750..b89d276 100644
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -608,8 +950,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -608,8 +953,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -130324,7 +130417,7 @@ index d40f750..b89d276 100644
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -628,12 +977,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -628,12 +980,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -130346,7 +130439,7 @@ index d40f750..b89d276 100644
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -641,12 +997,12 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -641,12 +1000,12 @@ kernel_read_modprobe_sysctls(xserver_t)
# Xorg wants to check if kernel is tainted
kernel_read_kernel_sysctls(xserver_t)
kernel_write_proc_files(xserver_t)
@@ -130360,7 +130453,7 @@ index d40f750..b89d276 100644
corenet_all_recvfrom_netlabel(xserver_t)
corenet_tcp_sendrecv_generic_if(xserver_t)
corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -667,23 +1023,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -667,23 +1026,28 @@ dev_rw_apm_bios(xserver_t)
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -130392,7 +130485,7 @@ index d40f750..b89d276 100644
# brought on by rhgb
files_search_mnt(xserver_t)
-@@ -694,8 +1055,13 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -694,8 +1058,13 @@ fs_getattr_xattr_fs(xserver_t)
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -130406,7 +130499,7 @@ index d40f750..b89d276 100644
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
-@@ -708,20 +1074,18 @@ init_getpgid(xserver_t)
+@@ -708,20 +1077,18 @@ init_getpgid(xserver_t)
term_setattr_unallocated_ttys(xserver_t)
term_use_unallocated_ttys(xserver_t)
@@ -130430,7 +130523,7 @@ index d40f750..b89d276 100644
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -775,16 +1139,40 @@ optional_policy(`
+@@ -775,16 +1142,40 @@ optional_policy(`
')
optional_policy(`
@@ -130472,7 +130565,7 @@ index d40f750..b89d276 100644
unconfined_domtrans(xserver_t)
')
-@@ -793,6 +1181,10 @@ optional_policy(`
+@@ -793,6 +1184,10 @@ optional_policy(`
')
optional_policy(`
@@ -130483,7 +130576,7 @@ index d40f750..b89d276 100644
xfs_stream_connect(xserver_t)
')
-@@ -808,10 +1200,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -808,10 +1203,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@@ -130497,7 +130590,7 @@ index d40f750..b89d276 100644
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -819,7 +1211,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -819,7 +1214,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
# Run xkbcomp.
@@ -130506,7 +130599,7 @@ index d40f750..b89d276 100644
can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
-@@ -832,26 +1224,21 @@ init_use_fds(xserver_t)
+@@ -832,26 +1227,21 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -130541,7 +130634,7 @@ index d40f750..b89d276 100644
')
optional_policy(`
-@@ -859,6 +1246,10 @@ optional_policy(`
+@@ -859,6 +1249,10 @@ optional_policy(`
rhgb_rw_tmpfs_files(xserver_t)
')
@@ -130552,7 +130645,7 @@ index d40f750..b89d276 100644
########################################
#
# Rules common to all X window domains
-@@ -902,7 +1293,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -902,7 +1296,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -130561,7 +130654,7 @@ index d40f750..b89d276 100644
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -956,11 +1347,31 @@ allow x_domain self:x_resource { read write };
+@@ -956,11 +1350,31 @@ allow x_domain self:x_resource { read write };
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };
@@ -130593,7 +130686,7 @@ index d40f750..b89d276 100644
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
-@@ -982,18 +1393,44 @@ tunable_policy(`! xserver_object_manager',`
+@@ -982,18 +1396,44 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
@@ -133722,7 +133815,7 @@ index d26fe81..95c1bd8 100644
+ allow $1 init_t:system undefined;
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 4a88fa1..d164f2b 100644
+index 4a88fa1..c57afad 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -11,10 +11,24 @@ gen_require(`
@@ -134244,7 +134337,7 @@ index 4a88fa1..d164f2b 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -296,6 +569,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -296,9 +569,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -134252,7 +134345,11 @@ index 4a88fa1..d164f2b 100644
dev_write_kmsg(initrc_t)
dev_write_rand(initrc_t)
dev_write_urand(initrc_t)
-@@ -306,8 +580,10 @@ dev_write_framebuffer(initrc_t)
++dev_write_watchdog(initrc_t)
+ dev_rw_sysfs(initrc_t)
+ dev_list_usbfs(initrc_t)
+ dev_read_framebuffer(initrc_t)
+@@ -306,8 +581,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
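Review bot: `++dev_write_watchdog(initrc_t)` adds a write grant on the watchdog device (presumably /dev/watchdog) for the whole initrc_t domain with no comment and no matching changelog entry, so a later reader cannot tell which init script needs it or whether it belongs to the shutdown fix. A one-line comment above it, e.g. `# TODO confirm: which init/shutdown script writes the watchdog device`, plus a changelog line would make the grant reviewable. If only one service touches the watchdog, that service's domain is a tighter place for the rule than initrc_t.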
@@ -134263,7 +134360,7 @@ index 4a88fa1..d164f2b 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -315,17 +591,16 @@ dev_manage_generic_files(initrc_t)
+@@ -315,17 +592,16 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -134283,7 +134380,7 @@ index 4a88fa1..d164f2b 100644
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
-@@ -333,6 +608,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -333,6 +609,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -134291,7 +134388,7 @@ index 4a88fa1..d164f2b 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
-@@ -340,8 +616,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -340,8 +617,10 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -134303,7 +134400,7 @@ index 4a88fa1..d164f2b 100644
files_delete_all_pids(initrc_t)
files_delete_all_pid_dirs(initrc_t)
files_read_etc_files(initrc_t)
-@@ -357,8 +635,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -357,8 +636,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -134317,12 +134414,13 @@ index 4a88fa1..d164f2b 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -368,9 +650,12 @@ fs_mount_all_fs(initrc_t)
+@@ -368,9 +651,13 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
+fs_search_all(initrc_t)
+fs_getattr_nfsd_files(initrc_t)
++fs_dontaudit_create_tmpfs_chr_dev(initrc_t)
# initrc_t needs to do a pidof which requires ptrace
-mcs_ptrace_all(initrc_t)
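Review bot: `++fs_dontaudit_create_tmpfs_chr_dev(initrc_t)` silences initrc_t's attempts to create character device nodes on tmpfs, which is a denial normally worth keeping visible: a script creating device nodes at shutdown is exactly what an audit trail should show. If the denial is a known, harmless shutdown artefact when unconfined.pp is disabled, say so on the line, e.g. `# shutdown scripts try to mknod on tmpfs when unconfined.pp is disabled; harmless, see 3.11.1-58 changelog`, so the dontaudit is not later mistaken for a permanent grant.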
@@ -134331,7 +134429,7 @@ index 4a88fa1..d164f2b 100644
mcs_killall(initrc_t)
mcs_process_set_categories(initrc_t)
-@@ -380,6 +665,7 @@ mls_process_read_up(initrc_t)
+@@ -380,6 +667,7 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -134339,7 +134437,7 @@ index 4a88fa1..d164f2b 100644
selinux_get_enforce_mode(initrc_t)
-@@ -391,6 +677,7 @@ term_use_all_terms(initrc_t)
+@@ -391,6 +679,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -134347,7 +134445,7 @@ index 4a88fa1..d164f2b 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -409,20 +696,18 @@ logging_read_all_logs(initrc_t)
+@@ -409,20 +698,18 @@ logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
@@ -134371,7 +134469,7 @@ index 4a88fa1..d164f2b 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -476,6 +761,10 @@ ifdef(`distro_gentoo',`
+@@ -476,6 +763,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@@ -134382,7 +134480,7 @@ index 4a88fa1..d164f2b 100644
alsa_read_lib(initrc_t)
')
-@@ -496,7 +785,7 @@ ifdef(`distro_redhat',`
+@@ -496,7 +787,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -134391,7 +134489,7 @@ index 4a88fa1..d164f2b 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -511,6 +800,7 @@ ifdef(`distro_redhat',`
+@@ -511,6 +802,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -134399,7 +134497,7 @@ index 4a88fa1..d164f2b 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -531,6 +821,7 @@ ifdef(`distro_redhat',`
+@@ -531,6 +823,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t)
@@ -134407,7 +134505,7 @@ index 4a88fa1..d164f2b 100644
miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
-@@ -540,8 +831,40 @@ ifdef(`distro_redhat',`
+@@ -540,8 +833,40 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -134448,7 +134546,7 @@ index 4a88fa1..d164f2b 100644
')
optional_policy(`
-@@ -549,14 +872,31 @@ ifdef(`distro_redhat',`
+@@ -549,14 +874,31 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -134480,7 +134578,7 @@ index 4a88fa1..d164f2b 100644
')
')
-@@ -567,6 +907,39 @@ ifdef(`distro_suse',`
+@@ -567,6 +909,39 @@ ifdef(`distro_suse',`
')
')
@@ -134520,7 +134618,7 @@ index 4a88fa1..d164f2b 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -579,6 +952,8 @@ optional_policy(`
+@@ -579,6 +954,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -134529,7 +134627,7 @@ index 4a88fa1..d164f2b 100644
')
optional_policy(`
-@@ -600,6 +975,7 @@ optional_policy(`
+@@ -600,6 +977,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -134537,7 +134635,7 @@ index 4a88fa1..d164f2b 100644
')
optional_policy(`
-@@ -612,6 +988,17 @@ optional_policy(`
+@@ -612,6 +990,17 @@ optional_policy(`
')
optional_policy(`
@@ -134555,7 +134653,7 @@ index 4a88fa1..d164f2b 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -628,9 +1015,13 @@ optional_policy(`
+@@ -628,9 +1017,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -134569,7 +134667,7 @@ index 4a88fa1..d164f2b 100644
')
optional_policy(`
-@@ -655,6 +1046,10 @@ optional_policy(`
+@@ -655,6 +1048,10 @@ optional_policy(`
')
optional_policy(`
@@ -134580,7 +134678,7 @@ index 4a88fa1..d164f2b 100644
gpm_setattr_gpmctl(initrc_t)
')
-@@ -672,6 +1067,15 @@ optional_policy(`
+@@ -672,6 +1069,15 @@ optional_policy(`
')
optional_policy(`
@@ -134596,7 +134694,7 @@ index 4a88fa1..d164f2b 100644
inn_exec_config(initrc_t)
')
-@@ -712,6 +1116,7 @@ optional_policy(`
+@@ -712,6 +1118,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@@ -134604,7 +134702,7 @@ index 4a88fa1..d164f2b 100644
')
optional_policy(`
-@@ -729,7 +1134,14 @@ optional_policy(`
+@@ -729,7 +1136,14 @@ optional_policy(`
')
optional_policy(`
@@ -134619,7 +134717,7 @@ index 4a88fa1..d164f2b 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -752,6 +1164,10 @@ optional_policy(`
+@@ -752,6 +1166,10 @@ optional_policy(`
')
optional_policy(`
@@ -134630,7 +134728,7 @@ index 4a88fa1..d164f2b 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -761,10 +1177,20 @@ optional_policy(`
+@@ -761,10 +1179,20 @@ optional_policy(`
')
optional_policy(`
@@ -134651,7 +134749,7 @@ index 4a88fa1..d164f2b 100644
quota_manage_flags(initrc_t)
')
-@@ -773,6 +1199,10 @@ optional_policy(`
+@@ -773,6 +1201,10 @@ optional_policy(`
')
optional_policy(`
@@ -134662,7 +134760,7 @@ index 4a88fa1..d164f2b 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -794,8 +1224,6 @@ optional_policy(`
+@@ -794,8 +1226,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -134671,7 +134769,7 @@ index 4a88fa1..d164f2b 100644
')
optional_policy(`
-@@ -804,6 +1232,10 @@ optional_policy(`
+@@ -804,6 +1234,10 @@ optional_policy(`
')
optional_policy(`
@@ -134682,7 +134780,7 @@ index 4a88fa1..d164f2b 100644
# shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t)
')
-@@ -813,10 +1245,12 @@ optional_policy(`
+@@ -813,10 +1247,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@@ -134695,7 +134793,7 @@ index 4a88fa1..d164f2b 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -828,8 +1262,6 @@ optional_policy(`
+@@ -828,8 +1264,6 @@ optional_policy(`
')
optional_policy(`
@@ -134704,7 +134802,7 @@ index 4a88fa1..d164f2b 100644
udev_manage_pid_files(initrc_t)
udev_manage_pid_dirs(initrc_t)
udev_manage_rules_files(initrc_t)
-@@ -840,12 +1272,30 @@ optional_policy(`
+@@ -840,12 +1274,30 @@ optional_policy(`
')
optional_policy(`
@@ -134737,7 +134835,7 @@ index 4a88fa1..d164f2b 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -855,6 +1305,18 @@ optional_policy(`
+@@ -855,6 +1307,18 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -134756,7 +134854,7 @@ index 4a88fa1..d164f2b 100644
')
optional_policy(`
-@@ -870,6 +1332,10 @@ optional_policy(`
+@@ -870,6 +1334,10 @@ optional_policy(`
')
optional_policy(`
@@ -134767,7 +134865,7 @@ index 4a88fa1..d164f2b 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -880,3 +1346,185 @@ optional_policy(`
+@@ -880,3 +1348,185 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch
index b25450f..6c2d5c9 100644
--- a/policy_contrib-rawhide.patch
+++ b/policy_contrib-rawhide.patch
@@ -366,7 +366,7 @@ index 0b827c5..cce58bb 100644
+ dontaudit $1 abrt_t:sock_file write;
')
diff --git a/abrt.te b/abrt.te
-index 30861ec..a708362 100644
+index 30861ec..864d511 100644
--- a/abrt.te
+++ b/abrt.te
@@ -5,13 +5,33 @@ policy_module(abrt, 1.2.0)
@@ -652,7 +652,7 @@ index 30861ec..a708362 100644
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -224,4 +330,147 @@ ifdef(`hide_broken_symptoms', `
+@@ -224,4 +330,149 @@ ifdef(`hide_broken_symptoms', `
dev_dontaudit_write_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_blk_files(abrt_helper_t)
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -660,7 +660,7 @@ index 30861ec..a708362 100644
+ optional_policy(`
+ rpm_dontaudit_leaks(abrt_helper_t)
+ ')
-+')
+ ')
+
+ifdef(`hide_broken_symptoms',`
+ gen_require(`
@@ -742,7 +742,7 @@ index 30861ec..a708362 100644
+
+optional_policy(`
+ mock_domtrans(abrt_retrace_worker_t)
- ')
++')
+
+########################################
+#
@@ -787,6 +787,8 @@ index 30861ec..a708362 100644
+
+domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
+
++corecmd_exec_bin(abrt_watch_log_t)
++
+logging_read_all_logs(abrt_watch_log_t)
+logging_send_syslog_msg(abrt_watch_log_t)
+
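Review bot: `corecmd_exec_bin(abrt_watch_log_t)` lets the log watcher execute every bin_t binary in its own domain without a transition, while the rule two lines above narrows the oops dumper to a dedicated domain via `domtrans_pattern`; if the watcher needs only one known helper, a dedicated exec type with a transition would keep this domain as tight as the rest of the block. At minimum a why-comment recording the command behind the denial, e.g. `# abrt-watch-log runs helper commands from bin_t (helper: <from the AVC>)`, lets a later reviewer judge whether the grant can be narrowed. The abrt_watch_log_t block continues outside the hunk.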
@@ -8797,10 +8799,10 @@ index 0000000..efebae7
+')
diff --git a/chrome.te b/chrome.te
new file mode 100644
-index 0000000..5bd7c2a
+index 0000000..df0a069
--- /dev/null
+++ b/chrome.te
-@@ -0,0 +1,188 @@
+@@ -0,0 +1,192 @@
+policy_module(chrome,1.0.0)
+
+########################################
@@ -8906,6 +8908,10 @@ index 0000000..5bd7c2a
+')
+
+optional_policy(`
++ mozilla_write_user_home_files(chrome_sandbox_t)
++')
++
++optional_policy(`
+ xserver_use_user_fonts(chrome_sandbox_t)
+ xserver_user_x_domain_template(chrome_sandbox, chrome_sandbox_t, chrome_sandbox_tmpfs_t)
+')
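Review bot: `mozilla_write_user_home_files(chrome_sandbox_t)` grants write on every file carrying the mozilla home type, not only `~/.config/chromium` as the changelog describes; if that type also labels Firefox profile data, the sandboxed domain gains write access to it, which is exactly the kind of reach the sandbox is meant to limit. Confirm that the chromium config directory is what the mozilla home type covers on this policy, or give it a type and interface of its own. A why-comment such as `# chromium keeps its profile under ~/.config/chromium, labelled as mozilla home content` would record the intended scope.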
@@ -12169,7 +12175,7 @@ index 5220c9d..885b25d 100644
+ allow $1 corosync_unit_file_t:service all_service_perms;
')
diff --git a/corosync.te b/corosync.te
-index 04969e5..7b092d4 100644
+index 04969e5..0815968 100644
--- a/corosync.te
+++ b/corosync.te
@@ -8,6 +8,7 @@ policy_module(corosync, 1.0.0)
@@ -12194,7 +12200,7 @@ index 04969e5..7b092d4 100644
-allow corosync_t self:capability { sys_nice sys_resource ipc_lock };
-allow corosync_t self:process { setrlimit setsched signal };
-+allow corosync_t self:capability { dac_override setuid setgid sys_nice sys_admin sys_resource ipc_lock };
++allow corosync_t self:capability { dac_override fowner setuid setgid sys_nice sys_admin sys_resource ipc_lock };
+# for hearbeat
+allow corosync_t self:capability { net_raw chown };
+allow corosync_t self:process { setpgid setrlimit setsched signal signull };
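Review bot: `fowner` is appended to a capability set that already holds `dac_override` and `sys_admin`, with nothing indicating which operation needed it, and the one-line set now mixes file, credential and resource capabilities. A short comment tied to the observed denial, e.g. `# fowner: <operation seen in the AVC denial>`, keeps the grant reviewable as the set grows. The neighbouring `# for hearbeat` comment has a typo (heartbeat) but lies outside this change; the corosync_t block continues outside the hunk.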
@@ -14729,7 +14735,7 @@ index 305ddf4..f3cd95f 100644
+ corecmd_bin_filetrans($1, cupsd_rw_etc_t, dir, "inf")
')
diff --git a/cups.te b/cups.te
-index e5a8924..d999430 100644
+index e5a8924..e12c890 100644
--- a/cups.te
+++ b/cups.te
@@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t)
@@ -14912,7 +14918,16 @@ index e5a8924..d999430 100644
')
optional_policy(`
-@@ -341,7 +366,7 @@ optional_policy(`
+@@ -336,12 +361,16 @@ optional_policy(`
+ udev_read_db(cupsd_t)
+ ')
+
++optional_policy(`
++ virt_rw_chr_files(cupsd_t)
++')
++
+ ########################################
+ #
# Cups configuration daemon local policy
#
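Review bot: `virt_rw_chr_files(cupsd_t)` gives the print daemon read/write on character devices of every type carrying the `virt_image_type` attribute (the interface added in the virt.if hunk of this commit takes the attribute, not a single type), which is broader than the one USB printer the changelog describes. If the device handed to the VM is the only intended target, a comment such as `# usb printer attached to a VM is relabelled to a virt image chr type`, plus a check that no other device types share the attribute, would document the scope; the virt.if interface hunk carries the same question. The cupsd_t local policy begins outside this hunk.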
@@ -14921,7 +14936,7 @@ index e5a8924..d999430 100644
dontaudit cupsd_config_t self:capability sys_tty_config;
allow cupsd_config_t self:process { getsched signal_perms };
allow cupsd_config_t self:fifo_file rw_fifo_file_perms;
-@@ -371,8 +396,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
+@@ -371,8 +400,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
@@ -14932,7 +14947,7 @@ index e5a8924..d999430 100644
domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
-@@ -381,7 +407,6 @@ read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t)
+@@ -381,7 +411,6 @@ read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t)
kernel_read_system_state(cupsd_config_t)
kernel_read_all_sysctls(cupsd_config_t)
@@ -14940,7 +14955,7 @@ index e5a8924..d999430 100644
corenet_all_recvfrom_netlabel(cupsd_config_t)
corenet_tcp_sendrecv_generic_if(cupsd_config_t)
corenet_tcp_sendrecv_generic_node(cupsd_config_t)
-@@ -407,7 +432,6 @@ domain_use_interactive_fds(cupsd_config_t)
+@@ -407,7 +436,6 @@ domain_use_interactive_fds(cupsd_config_t)
domain_dontaudit_search_all_domains_state(cupsd_config_t)
files_read_usr_files(cupsd_config_t)
@@ -14948,7 +14963,7 @@ index e5a8924..d999430 100644
files_read_etc_runtime_files(cupsd_config_t)
files_read_var_symlinks(cupsd_config_t)
-@@ -418,18 +442,15 @@ auth_use_nsswitch(cupsd_config_t)
+@@ -418,18 +446,15 @@ auth_use_nsswitch(cupsd_config_t)
logging_send_syslog_msg(cupsd_config_t)
@@ -14969,7 +14984,7 @@ index e5a8924..d999430 100644
ifdef(`distro_redhat',`
optional_policy(`
rpm_read_db(cupsd_config_t)
-@@ -453,6 +474,10 @@ optional_policy(`
+@@ -453,6 +478,10 @@ optional_policy(`
')
optional_policy(`
@@ -14980,7 +14995,7 @@ index e5a8924..d999430 100644
hal_domtrans(cupsd_config_t)
hal_read_tmp_files(cupsd_config_t)
hal_dontaudit_use_fds(hplip_t)
-@@ -467,6 +492,10 @@ optional_policy(`
+@@ -467,6 +496,10 @@ optional_policy(`
')
optional_policy(`
@@ -14991,7 +15006,7 @@ index e5a8924..d999430 100644
policykit_dbus_chat(cupsd_config_t)
userdom_read_all_users_state(cupsd_config_t)
')
-@@ -526,7 +555,6 @@ kernel_read_kernel_sysctls(cupsd_lpd_t)
+@@ -526,7 +559,6 @@ kernel_read_kernel_sysctls(cupsd_lpd_t)
kernel_read_system_state(cupsd_lpd_t)
kernel_read_network_state(cupsd_lpd_t)
@@ -14999,7 +15014,7 @@ index e5a8924..d999430 100644
corenet_all_recvfrom_netlabel(cupsd_lpd_t)
corenet_tcp_sendrecv_generic_if(cupsd_lpd_t)
corenet_udp_sendrecv_generic_if(cupsd_lpd_t)
-@@ -537,19 +565,18 @@ corenet_udp_sendrecv_all_ports(cupsd_lpd_t)
+@@ -537,19 +569,18 @@ corenet_udp_sendrecv_all_ports(cupsd_lpd_t)
corenet_tcp_bind_generic_node(cupsd_lpd_t)
corenet_udp_bind_generic_node(cupsd_lpd_t)
corenet_tcp_connect_ipp_port(cupsd_lpd_t)
@@ -15020,7 +15035,7 @@ index e5a8924..d999430 100644
miscfiles_setattr_fonts_cache_dirs(cupsd_lpd_t)
cups_stream_connect(cupsd_lpd_t)
-@@ -577,7 +604,6 @@ fs_rw_anon_inodefs_files(cups_pdf_t)
+@@ -577,7 +608,6 @@ fs_rw_anon_inodefs_files(cups_pdf_t)
kernel_read_system_state(cups_pdf_t)
@@ -15028,7 +15043,7 @@ index e5a8924..d999430 100644
files_read_usr_files(cups_pdf_t)
corecmd_exec_shell(cups_pdf_t)
-@@ -585,25 +611,23 @@ corecmd_exec_bin(cups_pdf_t)
+@@ -585,25 +615,23 @@ corecmd_exec_bin(cups_pdf_t)
auth_use_nsswitch(cups_pdf_t)
@@ -15063,7 +15078,7 @@ index e5a8924..d999430 100644
')
########################################
-@@ -635,9 +659,16 @@ read_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
+@@ -635,9 +663,16 @@ read_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
files_search_etc(hplip_t)
@@ -15080,7 +15095,7 @@ index e5a8924..d999430 100644
manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file )
-@@ -647,7 +678,9 @@ files_pid_filetrans(hplip_t, hplip_var_run_t, file)
+@@ -647,7 +682,9 @@ files_pid_filetrans(hplip_t, hplip_var_run_t, file)
kernel_read_system_state(hplip_t)
kernel_read_kernel_sysctls(hplip_t)
@@ -15091,7 +15106,7 @@ index e5a8924..d999430 100644
corenet_all_recvfrom_netlabel(hplip_t)
corenet_tcp_sendrecv_generic_if(hplip_t)
corenet_udp_sendrecv_generic_if(hplip_t)
-@@ -661,10 +694,10 @@ corenet_tcp_bind_generic_node(hplip_t)
+@@ -661,10 +698,10 @@ corenet_tcp_bind_generic_node(hplip_t)
corenet_udp_bind_generic_node(hplip_t)
corenet_tcp_bind_hplip_port(hplip_t)
corenet_tcp_connect_hplip_port(hplip_t)
@@ -15105,7 +15120,7 @@ index e5a8924..d999430 100644
dev_read_sysfs(hplip_t)
dev_rw_printer(hplip_t)
-@@ -673,31 +706,34 @@ dev_read_rand(hplip_t)
+@@ -673,31 +710,34 @@ dev_read_rand(hplip_t)
dev_rw_generic_usb_dev(hplip_t)
dev_rw_usbfs(hplip_t)
@@ -15127,10 +15142,10 @@ index e5a8924..d999430 100644
+fs_getattr_all_fs(hplip_t)
+fs_search_auto_mountpoints(hplip_t)
+fs_rw_anon_inodefs_files(hplip_t)
-+
-+term_use_ptmx(hplip_t)
-miscfiles_read_localization(hplip_t)
++term_use_ptmx(hplip_t)
++
+auth_read_passwd(hplip_t)
+
+logging_send_syslog_msg(hplip_t)
@@ -15151,7 +15166,7 @@ index e5a8924..d999430 100644
optional_policy(`
dbus_system_bus_client(hplip_t)
-@@ -743,7 +779,6 @@ kernel_read_kernel_sysctls(ptal_t)
+@@ -743,7 +783,6 @@ kernel_read_kernel_sysctls(ptal_t)
kernel_list_proc(ptal_t)
kernel_read_proc_symlinks(ptal_t)
@@ -15159,7 +15174,7 @@ index e5a8924..d999430 100644
corenet_all_recvfrom_netlabel(ptal_t)
corenet_tcp_sendrecv_generic_if(ptal_t)
corenet_tcp_sendrecv_generic_node(ptal_t)
-@@ -760,13 +795,10 @@ fs_search_auto_mountpoints(ptal_t)
+@@ -760,13 +799,10 @@ fs_search_auto_mountpoints(ptal_t)
domain_use_interactive_fds(ptal_t)
@@ -30773,7 +30788,7 @@ index 418cc81..cdb2561 100644
init_labeled_script_domtrans($1, lircd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/lircd.te b/lircd.te
-index 6a78de1..1ac01cd 100644
+index 6a78de1..57f0aa2 100644
--- a/lircd.te
+++ b/lircd.te
@@ -13,7 +13,7 @@ type lircd_initrc_exec_t;
@@ -30793,7 +30808,15 @@ index 6a78de1..1ac01cd 100644
allow lircd_t self:fifo_file rw_fifo_file_perms;
allow lircd_t self:unix_dgram_socket create_socket_perms;
allow lircd_t self:tcp_socket create_stream_socket_perms;
-@@ -44,21 +45,21 @@ corenet_tcp_bind_lirc_port(lircd_t)
+@@ -38,27 +39,29 @@ files_pid_filetrans(lircd_t, lircd_var_run_t, { dir file })
+ # /dev/lircd socket
+ dev_filetrans(lircd_t, lircd_var_run_t, sock_file)
+
++kernel_request_load_module(lircd_t)
++
+ corenet_tcp_sendrecv_generic_if(lircd_t)
+ corenet_tcp_bind_generic_node(lircd_t)
+ corenet_tcp_bind_lirc_port(lircd_t)
corenet_tcp_sendrecv_all_ports(lircd_t)
corenet_tcp_connect_lirc_port(lircd_t)
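Review bot: `kernel_request_load_module(lircd_t)` lets the daemon ask the kernel to autoload a module by name, which is wider than loading its single IR driver; a why-comment naming the trigger, e.g. `# request_module triggered by <operation from the AVC>`, would let the rule be revisited if the driver is built in or loaded by udev instead. The lircd_t block continues outside the hunk.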
@@ -32706,6 +32729,171 @@ index 5671977..99a63b2 100644
+optional_policy(`
+ cron_system_entry(mcelog_t, mcelog_exec_t)
+')
+diff --git a/mcollective.fc b/mcollective.fc
+new file mode 100644
+index 0000000..821bf88
+--- /dev/null
++++ b/mcollective.fc
+@@ -0,0 +1,3 @@
++/etc/mcollective/facts\.yaml -- gen_context(system_u:object_r:mcollective_etc_rw_t,s0)
++
++/usr/libexec/mcollective/update_yaml\.rb -- gen_context(system_u:object_r:mcollective_exec_t,s0)
+diff --git a/mcollective.if b/mcollective.if
+new file mode 100644
+index 0000000..e76a9b5
+--- /dev/null
++++ b/mcollective.if
+@@ -0,0 +1,114 @@
++
++## <summary>policy for mcollective</summary>
++
++########################################
++## <summary>
++## Execute TEMPLATE in the mcollective domin.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`mcollective_domtrans',`
++ gen_require(`
++ type mcollective_t, mcollective_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, mcollective_exec_t, mcollective_t)
++')
++
++########################################
++## <summary>
++## Search mcollective conf directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`mcollective_search_conf',`
++ gen_require(`
++ type mcollective_etc_rw_t;
++ ')
++
++ allow $1 mcollective_etc_rw_t:dir search_dir_perms;
++ files_search_etc($1)
++')
++
++########################################
++## <summary>
++## Read mcollective conf files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`mcollective_read_conf_files',`
++ gen_require(`
++ type mcollective_etc_rw_t;
++ ')
++
++ allow $1 mcollective_etc_rw_t:dir list_dir_perms;
++ read_files_pattern($1, mcollective_etc_rw_t, mcollective_etc_rw_t)
++ files_search_etc($1)
++')
++
++########################################
++## <summary>
++## Manage mcollective conf files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`mcollective_manage_conf_files',`
++ gen_require(`
++ type mcollective_etc_rw_t;
++ ')
++
++ manage_files_pattern($1, mcollective_etc_rw_t, mcollective_etc_rw_t)
++ files_search_etc($1)
++')
++
++
++########################################
++## <summary>
++## All of the rules required to administrate
++## an mcollective environment
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## Role allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`mcollective_admin',`
++ gen_require(`
++ type mcollective_t;
++ type mcollective_etc_rw_t;
++ ')
++
++ allow $1 mcollective_t:process { ptrace signal_perms };
++ ps_process_pattern($1, mcollective_t)
++
++ files_search_etc($1)
++ admin_pattern($1, mcollective_etc_rw_t)
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
+diff --git a/mcollective.te b/mcollective.te
+new file mode 100644
+index 0000000..5dd171f
+--- /dev/null
++++ b/mcollective.te
+@@ -0,0 +1,30 @@
++policy_module(mcollective, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type mcollective_t;
++type mcollective_exec_t;
++init_daemon_domain(mcollective_t, mcollective_exec_t)
++cron_system_entry(mcollective_t, mcollective_exec_t)
++
++permissive mcollective_t;
++
++type mcollective_etc_rw_t;
++files_type(mcollective_etc_rw_t)
++
++########################################
++#
++# mcollective local policy
++#
++allow mcollective_t self:fifo_file rw_fifo_file_perms;
++allow mcollective_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_files_pattern(mcollective_t, mcollective_etc_rw_t, mcollective_etc_rw_t)
++files_etc_filetrans(mcollective_t, mcollective_etc_rw_t, file, "facts.yaml")
++
++domain_use_interactive_fds(mcollective_t)
++
++files_read_etc_files(mcollective_t)
diff --git a/mediawiki.if b/mediawiki.if
index 98d28b4..1c1d012 100644
--- a/mediawiki.if
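Review bot: `cron_system_entry(mcollective_t, mcollective_exec_t)` in mcollective.te is called outside `optional_policy`, whereas the mcelog lines at the top of this same hunk wrap the identical call; without the cron module present the mcollective module fails to link, so wrap it in `optional_policy(...)` as mcelog does. `permissive mcollective_t;` carries no comment, and a permissive domain logs but never enforces denials, so a note such as `# permissive for bring-up; remove before the domain is meant to confine` records that this is a temporary state. In mcollective.if the first summary reads `Execute TEMPLATE in the mcollective domin.` — a template leftover that should read `Execute mcollective in the mcollective domain.`. `mcollective_admin` also grants `ptrace` on the daemon, conventional for admin interfaces but worth noting while the domain is permissive.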
@@ -41305,7 +41493,7 @@ index 9c272c2..7e2287c 100644
-
/var/run/oddjobd\.pid gen_context(system_u:object_r:oddjob_var_run_t,s0)
diff --git a/oddjob.if b/oddjob.if
-index bd76ec2..28c4f00 100644
+index bd76ec2..dec6bc7 100644
--- a/oddjob.if
+++ b/oddjob.if
@@ -22,6 +22,25 @@ interface(`oddjob_domtrans',`
@@ -41367,6 +41555,48 @@ index bd76ec2..28c4f00 100644
########################################
## <summary>
## Execute a domain transition to run oddjob_mkhomedir.
+@@ -109,3 +147,41 @@ interface(`oddjob_run_mkhomedir',`
+ oddjob_domtrans_mkhomedir($1)
+ role $2 types oddjob_mkhomedir_t;
+ ')
++
++########################################
++## <summary>
++## Create a domain which can be started by init,
++## with a range transition.
++## </summary>
++## <param name="domain">
++## <summary>
++## Type to be used as a domain.
++## </summary>
++## </param>
++## <param name="entry_point">
++## <summary>
++## Type of the program to be used as an entry point to this domain.
++## </summary>
++## </param>
++## <param name="range">
++## <summary>
++## Range for the domain.
++## </summary>
++## </param>
++#
++interface(`oddjob_ranged_domain',`
++ gen_require(`
++ type oddjob_t;
++ ')
++
++ oddjob_system_entry($1, $2)
++
++ ifdef(`enable_mcs',`
++ range_transition oddjob_t $2:process $3;
++ ')
++
++ ifdef(`enable_mls',`
++ range_transition oddjob_t $2:process $3;
++ mls_rangetrans_target($1)
++ ')
++')
diff --git a/oddjob.te b/oddjob.te
index a17ba31..467700e 100644
--- a/oddjob.te
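Review bot: The summary of `oddjob_ranged_domain` says the domain "can be started by init", but the interface transitions from `oddjob_t` (`range_transition oddjob_t $2:process $3;`), so the text is a copy from the init variant and should read `## Create a domain which can be started by oddjob, with a range transition.`. The body mirrors the init ranged-domain shape (MCS branch without `mls_rangetrans_target`, MLS branch with it), and its single caller in the openshift.te hunk passes `s0 - mcs_systemhigh`, matching the `init_ranged_daemon_domain` line directly above it, so the resulting domain spans every MCS category — presumably intended for an initrc domain, but a one-line comment at the call site would say so.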
@@ -42447,7 +42677,7 @@ index 0000000..bf37353
+')
diff --git a/openshift.te b/openshift.te
new file mode 100644
-index 0000000..e6e4738
+index 0000000..8ddece6
--- /dev/null
+++ b/openshift.te
@@ -0,0 +1,378 @@
@@ -42479,7 +42709,7 @@ index 0000000..e6e4738
+init_ranged_daemon_domain(openshift_initrc_t, openshift_initrc_exec_t, s0 - mcs_systemhigh)
+domain_obj_id_change_exemption(openshift_initrc_t)
+optional_policy(`
-+ oddjob_system_entry(openshift_initrc_t, openshift_initrc_exec_t)
++ oddjob_ranged_domain(openshift_initrc_t, openshift_initrc_exec_t, s0 - mcs_systemhigh)
+')
+
+
@@ -43339,10 +43569,10 @@ index 0000000..31370ed
+
diff --git a/pacemaker.fc b/pacemaker.fc
new file mode 100644
-index 0000000..4e915ab
+index 0000000..3793461
--- /dev/null
+++ b/pacemaker.fc
-@@ -0,0 +1,11 @@
+@@ -0,0 +1,12 @@
+/etc/rc\.d/init\.d/pacemaker -- gen_context(system_u:object_r:pacemaker_initrc_exec_t,s0)
+
+/usr/lib/systemd/system/pacemaker.* -- gen_context(system_u:object_r:pacemaker_unit_file_t,s0)
@@ -43351,6 +43581,7 @@ index 0000000..4e915ab
+
+/var/lib/heartbeat/crm(/.*)? gen_context(system_u:object_r:pacemaker_var_lib_t,s0)
+
++/var/lib/pacemaker(/.*)? gen_context(system_u:object_r:pacemaker_var_lib_t,s0)
+/var/lib/pengine(/.*)? gen_context(system_u:object_r:pacemaker_var_lib_t,s0)
+
+/var/run/crm(/.*)? gen_context(system_u:object_r:pacemaker_var_run_t,s0)
@@ -43571,10 +43802,10 @@ index 0000000..e05c78f
+')
diff --git a/pacemaker.te b/pacemaker.te
new file mode 100644
-index 0000000..ec7033b
+index 0000000..ff79a8c
--- /dev/null
+++ b/pacemaker.te
-@@ -0,0 +1,51 @@
+@@ -0,0 +1,64 @@
+policy_module(pacemaker, 1.0.0)
+
+########################################
@@ -43595,6 +43826,9 @@ index 0000000..ec7033b
+type pacemaker_var_run_t;
+files_pid_file(pacemaker_var_run_t)
+
++type pacemaker_tmpfs_t;
++files_tmpfs_file(pacemaker_tmpfs_t)
++
+type pacemaker_unit_file_t;
+systemd_unit_file(pacemaker_unit_file_t)
+
@@ -43602,10 +43836,11 @@ index 0000000..ec7033b
+#
+# pacemaker local policy
+#
-+allow pacemaker_t self:capability { chown dac_override setuid };
++
++allow pacemaker_t self:capability { fowner fsetid kill chown dac_override setuid };
+allow pacemaker_t self:process { fork setrlimit signal };
+allow pacemaker_t self:fifo_file rw_fifo_file_perms;
-+allow pacemaker_t self:unix_stream_socket create_stream_socket_perms;
++allow pacemaker_t self:unix_stream_socket { connectto create_stream_socket_perms };
+
+manage_dirs_pattern(pacemaker_t, pacemaker_var_lib_t, pacemaker_var_lib_t)
+manage_files_pattern(pacemaker_t, pacemaker_var_lib_t, pacemaker_var_lib_t)
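Review bot: `{ fowner fsetid kill chown dac_override setuid }` adds `kill` and `fsetid` on top of `dac_override` without a comment on which operation needed each; `kill` in particular means signalling processes of any uid, and `connectto` on the unix stream socket is also new. A why-comment per addition, e.g. `# kill: <AVC that motivated it>`, keeps the set auditable as it grows; the pacemaker_t block continues in the next hunk.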
@@ -43615,15 +43850,24 @@ index 0000000..ec7033b
+manage_files_pattern(pacemaker_t, pacemaker_var_run_t, pacemaker_var_run_t)
+files_pid_filetrans(pacemaker_t, pacemaker_var_run_t, { dir file })
+
++manage_dirs_pattern(pacemaker_t, pacemaker_tmpfs_t, pacemaker_tmpfs_t)
++manage_files_pattern(pacemaker_t, pacemaker_tmpfs_t, pacemaker_tmpfs_t)
++fs_tmpfs_filetrans(pacemaker_t, pacemaker_tmpfs_t, { dir file })
++
+domain_use_interactive_fds(pacemaker_t)
++domain_read_all_domains_state(pacemaker_t)
+
++dev_read_rand(pacemaker_t)
++dev_read_urand(pacemaker_t)
+
+auth_use_nsswitch(pacemaker_t)
+
+logging_send_syslog_msg(pacemaker_t)
+
+optional_policy(`
++ corosync_read_log(pacemaker_t)
+ corosync_stream_connect(pacemaker_t)
++ corosync_rw_tmpfs(pacemaker_t)
+')
+
diff --git a/pads.fc b/pads.fc
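Review bot: `domain_read_all_domains_state(pacemaker_t)` grants read access to the process state of every domain on the host, not only corosync or the cluster's resource agents; if a specific domain's state is what is needed (the block already uses corosync_* interfaces), a narrower interface is preferable, and otherwise a comment recording the reason, e.g. `# reads process state of cluster-managed services (TODO: narrow)`, is warranted. The tmpfs type and `dev_read_rand`/`dev_read_urand` are unremarkable, and the two new corosync calls sit correctly inside the existing `optional_policy`.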
@@ -54000,7 +54244,7 @@ index bf5efbf..b38b22d 100644
optional_policy(`
diff --git a/rgmanager.fc b/rgmanager.fc
-index 3c97ef0..578d460 100644
+index 3c97ef0..91e69b8 100644
--- a/rgmanager.fc
+++ b/rgmanager.fc
@@ -1,7 +1,22 @@
@@ -54015,8 +54259,8 @@ index 3c97ef0..578d460 100644
+/usr/sbin/ccs_tool -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
+/usr/sbin/cman_tool -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
+
-+/usr/lib(64)?/heartbeat(/.*)? gen_context(system_u:object_r:rgmanager_var_lib_t,s0)
-+/usr/lib(64)?/heartbeat/heartbeat -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
++/usr/lib/heartbeat(/.*)? gen_context(system_u:object_r:rgmanager_var_lib_t,s0)
++/usr/lib/heartbeat/heartbeat -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
+/var/lib/heartbeat(/.*)? gen_context(system_u:object_r:rgmanager_var_lib_t,s0)
+
+/var/log/cluster/cpglockd\.log.* -- gen_context(system_u:object_r:rgmanager_var_log_t,s0)
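Review bot: Dropping `(64)?` from the two heartbeat file-context entries means that on a system where heartbeat is installed under /usr/lib64 nothing matches these lines any more; the heartbeat binary would then receive the generic label, no transition to rgmanager_t would occur and the daemon would silently run in whatever domain launched it. If the path is fixed at /usr/lib/heartbeat on the target distribution (plausible after the usr merge) the change is fine, but a one-line comment like `# heartbeat is arch-independent and always lives under /usr/lib` would record that assumption.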
@@ -57703,7 +57947,7 @@ index 3386f29..8d8f6c5 100644
+ files_etc_filetrans($1, rsync_etc_t, $2)
+')
diff --git a/rsync.te b/rsync.te
-index 2834d86..6dc67fa 100644
+index 2834d86..8fdd060 100644
--- a/rsync.te
+++ b/rsync.te
@@ -7,6 +7,27 @@ policy_module(rsync, 1.12.0)
@@ -57760,9 +58004,11 @@ index 2834d86..6dc67fa 100644
corenet_all_recvfrom_netlabel(rsync_t)
corenet_tcp_sendrecv_generic_if(rsync_t)
corenet_udp_sendrecv_generic_if(rsync_t)
-@@ -95,17 +115,15 @@ dev_read_urand(rsync_t)
+@@ -94,18 +114,19 @@ corenet_sendrecv_rsync_server_packets(rsync_t)
+ dev_read_urand(rsync_t)
fs_getattr_xattr_fs(rsync_t)
++fs_search_auto_mountpoints(rsync_t)
-files_read_etc_files(rsync_t)
files_search_home(rsync_t)
@@ -57775,26 +58021,15 @@ index 2834d86..6dc67fa 100644
miscfiles_read_public_files(rsync_t)
-tunable_policy(`allow_rsync_anon_write',`
++userdom_home_manager(rsync_t)
++
+tunable_policy(`rsync_anon_write',`
miscfiles_manage_public_files(rsync_t)
')
-@@ -121,13 +139,39 @@ optional_policy(`
- inetd_service_domain(rsync_t, rsync_exec_t)
+@@ -122,12 +143,26 @@ optional_policy(`
')
-+tunable_policy(`rsync_use_cifs',`
-+ fs_list_cifs(rsync_t)
-+ fs_read_cifs_files(rsync_t)
-+ fs_read_cifs_symlinks(rsync_t)
-+')
-+
-+tunable_policy(`rsync_use_nfs',`
-+ fs_list_nfs(rsync_t)
-+ fs_read_nfs_files(rsync_t)
-+ fs_read_nfs_symlinks(rsync_t)
-+')
-+
tunable_policy(`rsync_export_all_ro',`
- fs_read_noxattr_fs_files(rsync_t)
+ files_getattr_all_pipes(rsync_t)
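Review bot: `userdom_home_manager(rsync_t)` is unconditional: the network-facing rsync daemon gains create, write and delete over all user home content, where the previous hunk only allowed `files_search_home`, and the rest of this block already gates extra reach behind tunables (`rsync_anon_write`, `rsync_export_all_ro`). Consider placing it under a tunable in the same style, or at least a comment recording why the daemon needs managed home access rather than a full-access boolean, if this module has one. The inner hunk also drops the `rsync_use_cifs`/`rsync_use_nfs` tunable blocks from the patch; if they now come from upstream that is fine, otherwise those booleans disappear silently. The rsync_t block continues outside the hunk.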
@@ -66882,10 +67117,10 @@ index 0000000..9127cec
+')
diff --git a/thumb.te b/thumb.te
new file mode 100644
-index 0000000..2a72b2f
+index 0000000..572ab5d
--- /dev/null
+++ b/thumb.te
-@@ -0,0 +1,124 @@
+@@ -0,0 +1,126 @@
+policy_module(thumb, 1.0.0)
+
+########################################
@@ -66975,6 +67210,8 @@ index 0000000..2a72b2f
+')
+
+miscfiles_read_fonts(thumb_t)
++miscfiles_dontaudit_setattr_fonts_dirs(thumb_t)
++miscfiles_dontaudit_setattr_fonts_cache_dirs(thumb_t)
+
+sysnet_read_config(thumb_t)
+
@@ -69398,7 +69635,7 @@ index 2124b6a..e55e393 100644
+/var/run/qemu-ga\.pid -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0)
+/var/log/qemu-ga\.log -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
diff --git a/virt.if b/virt.if
-index 6f0736b..b324885 100644
+index 6f0736b..490101e 100644
--- a/virt.if
+++ b/virt.if
@@ -13,67 +13,30 @@
@@ -69768,7 +70005,7 @@ index 6f0736b..b324885 100644
tunable_policy(`virt_use_nfs',`
fs_list_nfs($1)
-@@ -426,6 +558,24 @@ interface(`virt_read_images',`
+@@ -426,6 +558,42 @@ interface(`virt_read_images',`
########################################
## <summary>
@@ -69790,10 +70027,28 @@ index 6f0736b..b324885 100644
+
+########################################
+## <summary>
++## Allow domain to read/write virt image chr files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`virt_rw_chr_files',`
++ gen_require(`
++ attribute virt_image_type;
++ ')
++
++ rw_chr_files_pattern($1, virt_image_type, virt_image_type)
++')
++
++########################################
++## <summary>
## Create, read, write, and delete
## svirt cache files.
## </summary>
-@@ -435,15 +585,15 @@ interface(`virt_read_images',`
+@@ -435,15 +603,15 @@ interface(`virt_read_images',`
## </summary>
## </param>
#
@@ -69814,7 +70069,7 @@ index 6f0736b..b324885 100644
')
########################################
-@@ -468,18 +618,52 @@ interface(`virt_manage_images',`
+@@ -468,18 +636,52 @@ interface(`virt_manage_images',`
manage_files_pattern($1, virt_image_type, virt_image_type)
read_lnk_files_pattern($1, virt_image_type, virt_image_type)
rw_blk_files_pattern($1, virt_image_type, virt_image_type)
@@ -69876,7 +70131,7 @@ index 6f0736b..b324885 100644
')
########################################
-@@ -502,10 +686,20 @@ interface(`virt_manage_images',`
+@@ -502,10 +704,20 @@ interface(`virt_manage_images',`
interface(`virt_admin',`
gen_require(`
type virtd_t, virtd_initrc_exec_t;
@@ -69898,7 +70153,7 @@ index 6f0736b..b324885 100644
init_labeled_script_domtrans($1, virtd_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -517,4 +711,302 @@ interface(`virt_admin',`
+@@ -517,4 +729,302 @@ interface(`virt_admin',`
virt_manage_lib_files($1)
virt_manage_log($1)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 1792497..6162aae 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.11.1
-Release: 57%{?dist}
+Release: 58%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -524,6 +524,21 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Fri Nov 30 2012 Miroslav Grepl <mgrepl(a)redhat.com> 3.11.1-58
+- Add back consolekit policy
+- Silence bootloader trying to use inherited tty
+- Silence xdm_dbusd_t trying to execute telepathy apps
+- Fix shutdown avcs when machine has unconfined.pp disabled
+- The host and a virtual machine can share the same printer on a usb device
+- Change oddjob to transition to a ranged openshift_initr_exec_t when run from oddjob
+- Allow abrt_watch_log_t to execute bin_t
+- Allow chrome sandbox to write content in ~/.config/chromium
+- Dontaudit setattr on fontconfig dir for thumb_t
+- Allow lircd to request the kernel to load module
+- Make rsync as userdom_home_manager
+- Allow rsync to search automount filesystem
+- Add fixes for pacemaker
+
* Wed Nov 28 2012 Miroslav Grepl <mgrepl(a)redhat.com> 3.11.1-57
- Add support for 4567/tcp port
- Random fixes from Tuomo Soini