[selinux-policy] - Fix cron to run ranged when started by init - Fix devicekit to use log files - Dontaudit use of de

Miroslav Grepl mgrepl at fedoraproject.org
Thu Dec 2 16:22:14 UTC 2010


commit 09460452b65dafc74f6a97eba361e7661b73ba85
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Thu Dec 2 18:21:58 2010 +0100

    - Fix cron to run ranged when started by init
    - Fix devicekit to use log files
    - Dontaudit use of devicekit_var_run_t for fstools
    - Allow init to setattr on logfile directories

 policy-F15.patch    |  934 +++++++++++++++++++++++++++++++++++++++------------
 selinux-policy.spec |    9 +-
 2 files changed, 731 insertions(+), 212 deletions(-)
---
diff --git a/policy-F15.patch b/policy-F15.patch
index 7aaeaae..d716152 100644
--- a/policy-F15.patch
+++ b/policy-F15.patch
@@ -269,6 +269,19 @@ index 63eb96b..17a9f6d 100644
  ########################################
  ## <summary>
  ##	Execute bootloader interactively and do
+diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
+index 40c0192..1a0f72c 100644
+--- a/policy/modules/admin/bootloader.te
++++ b/policy/modules/admin/bootloader.te
+@@ -23,7 +23,7 @@ role system_r types bootloader_t;
+ # grub.conf, lilo.conf, etc.
+ #
+ type bootloader_etc_t alias etc_bootloader_t;
+-files_type(bootloader_etc_t)
++files_config_file(bootloader_etc_t)
+ 
+ #
+ # The temp file is used for initrd creation;
 diff --git a/policy/modules/admin/brctl.if b/policy/modules/admin/brctl.if
 index 2c2cdb6..73b3814 100644
 --- a/policy/modules/admin/brctl.if
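Review bot: `files_config_file(bootloader_etc_t)` on the new line does more than `files_type`: it also attaches the type to the shared configfile attribute, so every domain that already holds an attribute-wide read or manage grant on configuration files now reaches the bootloader configuration as a side effect, and neither the commit message nor the hunk records that widening. The same reclassification is applied to portage_conf_t, httpd_config_t, named_conf_t, bluetooth_conf_t, cluster_conf_t, cpucontrol_conf_t and dante_conf_t in later hunks of this patch. A one-line comment above the first call, e.g. `# configfile attribute: also readable by generic config-file readers`, or a bullet in the commit message, would make the intent auditable; leaving bluetooth_conf_rw_t on plain files_type looks deliberate and is fine.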
@@ -901,6 +914,19 @@ index 6a53a18..1bc14ea 100644
 +	term_dontaudit_use_all_ttys(traceroute_t)
 +	term_dontaudit_use_all_ptys(traceroute_t)
 +')
+diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
+index c633aea..b773bc3 100644
+--- a/policy/modules/admin/portage.te
++++ b/policy/modules/admin/portage.te
+@@ -43,7 +43,7 @@ type portage_db_t;
+ files_type(portage_db_t)
+ 
+ type portage_conf_t;
+-files_type(portage_conf_t)
++files_config_file(portage_conf_t)
+ 
+ type portage_cache_t;
+ files_type(portage_cache_t)
 diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te
 index aa0dcc6..0faba2a 100644
 --- a/policy/modules/admin/prelink.te
@@ -1241,7 +1267,7 @@ index d33daa8..e50a5ed 100644
 +	allow rpm_script_t $1:process sigchld;
 +')
 diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
-index 542b820..a91d384 100644
+index 542b820..0b1760d 100644
 --- a/policy/modules/admin/rpm.te
 +++ b/policy/modules/admin/rpm.te
 @@ -1,10 +1,11 @@
@@ -1266,7 +1292,7 @@ index 542b820..a91d384 100644
  
  allow rpm_t rpm_log_t:file manage_file_perms;
  logging_log_filetrans(rpm_t, rpm_log_t, file)
-@@ -101,13 +104,15 @@ files_var_filetrans(rpm_t, rpm_var_cache_t, dir)
+@@ -101,13 +104,16 @@ files_var_filetrans(rpm_t, rpm_var_cache_t, dir)
  manage_files_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t)
  files_var_lib_filetrans(rpm_t, rpm_var_lib_t, dir)
  
@@ -1280,10 +1306,11 @@ index 542b820..a91d384 100644
  kernel_read_system_state(rpm_t)
  kernel_read_kernel_sysctls(rpm_t)
 +kernel_read_network_state_symlinks(rpm_t)
++kernel_rw_irq_sysctls(rpm_t)
  
  corecmd_exec_all_executables(rpm_t)
  
-@@ -127,6 +132,8 @@ corenet_sendrecv_all_client_packets(rpm_t)
+@@ -127,6 +133,8 @@ corenet_sendrecv_all_client_packets(rpm_t)
  dev_list_sysfs(rpm_t)
  dev_list_usbfs(rpm_t)
  dev_read_urand(rpm_t)
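Review bot: `kernel_rw_irq_sysctls(rpm_t)` gives the rpm domain itself write access to the IRQ sysctls (/proc/irq), a kernel-tuning privilege a package manager does not normally need, and the commit message does not say which denial motivated it. If the write comes from a package scriptlet rather than rpm proper, the grant belongs on rpm_script_t, whose rules follow in the next hunks; if only reads were denied, the read-only counterpart is the narrower choice. A comment naming the triggering operation, e.g. `# <which package/operation> writes /proc/irq during install -- TODO confirm`, would keep this from being carried forward unexamined.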
@@ -1292,7 +1319,15 @@ index 542b820..a91d384 100644
  
  fs_getattr_all_dirs(rpm_t)
  fs_list_inotifyfs(rpm_t)
-@@ -207,6 +214,7 @@ optional_policy(`
+@@ -173,6 +181,7 @@ domain_dontaudit_getattr_all_packet_sockets(rpm_t)
+ domain_dontaudit_getattr_all_raw_sockets(rpm_t)
+ domain_dontaudit_getattr_all_stream_sockets(rpm_t)
+ domain_dontaudit_getattr_all_dgram_sockets(rpm_t)
++domain_signull_all_domains(rpm_t)
+ 
+ files_exec_etc_files(rpm_t)
+ 
+@@ -207,6 +216,7 @@ optional_policy(`
  	optional_policy(`
  		networkmanager_dbus_chat(rpm_t)
  	')
@@ -1300,7 +1335,7 @@ index 542b820..a91d384 100644
  ')
  
  optional_policy(`
-@@ -214,7 +222,7 @@ optional_policy(`
+@@ -214,7 +224,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -1309,7 +1344,7 @@ index 542b820..a91d384 100644
  	# yum-updatesd requires this
  	unconfined_dbus_chat(rpm_t)
  	unconfined_dbus_chat(rpm_script_t)
-@@ -261,6 +269,7 @@ kernel_read_crypto_sysctls(rpm_script_t)
+@@ -261,6 +271,7 @@ kernel_read_crypto_sysctls(rpm_script_t)
  kernel_read_kernel_sysctls(rpm_script_t)
  kernel_read_system_state(rpm_script_t)
  kernel_read_network_state(rpm_script_t)
@@ -1317,7 +1352,7 @@ index 542b820..a91d384 100644
  kernel_read_software_raid_state(rpm_script_t)
  
  dev_list_sysfs(rpm_script_t)
-@@ -308,6 +317,8 @@ auth_manage_all_files_except_shadow(rpm_script_t)
+@@ -308,6 +319,8 @@ auth_manage_all_files_except_shadow(rpm_script_t)
  auth_relabel_shadow(rpm_script_t)
  
  corecmd_exec_all_executables(rpm_script_t)
@@ -1326,7 +1361,7 @@ index 542b820..a91d384 100644
  
  domain_read_all_domains_state(rpm_script_t)
  domain_getattr_all_domains(rpm_script_t)
-@@ -338,12 +349,15 @@ modutils_domtrans_insmod(rpm_script_t)
+@@ -338,12 +351,15 @@ modutils_domtrans_insmod(rpm_script_t)
  seutil_domtrans_loadpolicy(rpm_script_t)
  seutil_domtrans_setfiles(rpm_script_t)
  seutil_domtrans_semanage(rpm_script_t)
@@ -1342,7 +1377,7 @@ index 542b820..a91d384 100644
  	')
  ')
  
-@@ -377,8 +391,9 @@ optional_policy(`
+@@ -377,8 +393,9 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -2485,7 +2520,7 @@ index 00a19e3..46db5ff 100644
 +/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 +
 diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
-index f5afe78..8978675 100644
+index f5afe78..dd4bd1e 100644
 --- a/policy/modules/apps/gnome.if
 +++ b/policy/modules/apps/gnome.if
 @@ -37,8 +37,7 @@ interface(`gnome_role',`
@@ -2498,7 +2533,7 @@ index f5afe78..8978675 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -46,25 +45,282 @@ interface(`gnome_role',`
+@@ -46,25 +45,300 @@ interface(`gnome_role',`
  ##	</summary>
  ## </param>
  #
@@ -2665,12 +2700,11 @@ index f5afe78..8978675 100644
 +##	append to generic cache home files (.cache)
 +## </summary>
 +## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
- #
--template(`gnome_read_gconf_config',`
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`gnome_append_generic_cache_files',`
 +	gen_require(`
 +		type cache_home_t;
@@ -2750,6 +2784,24 @@ index f5afe78..8978675 100644
 +	gnome_search_gconf($1)
 +')
 +
++#######################################
++## <summary>
++##      Manage gconf data home files
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`gnome_manage_data',`
++        gen_require(`
++                type data_home_t;
++        ')
++
++        manage_files_pattern($1, data_home_t, data_home_t)
++')
++
 +########################################
 +## <summary>
 +##	Create gconf_home_t objects in the /root directory
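Review bot: The summary of the new `gnome_manage_data` interface says "Manage gconf data home files" while the only rule it grants is `manage_files_pattern($1, data_home_t, data_home_t)`, so the doc names the wrong type family; I would change it to `##	Manage gnome data home files (data_home_t).`. The body and its gen_require are indented with 8 and 16 spaces while the surrounding gnome.if interfaces, including the one directly above, use tabs. The interface also provides no search path down to the user home directory, so a caller that does not already hold one may still be denied before it reaches data_home_t -- worth checking against the first consumer, dovecot_t, in the last hunk of this patch.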
@@ -2778,16 +2830,17 @@ index f5afe78..8978675 100644
 +##	read gconf config files
 +## </summary>
 +## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-template(`gnome_read_gconf_config',`
 +interface(`gnome_read_gconf_config',`
  	gen_require(`
  		type gconf_etc_t;
  	')
-@@ -76,7 +332,27 @@ template(`gnome_read_gconf_config',`
+@@ -76,7 +350,27 @@ template(`gnome_read_gconf_config',`
  
  #######################################
  ## <summary>
@@ -2816,7 +2869,7 @@ index f5afe78..8978675 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -84,37 +360,40 @@ template(`gnome_read_gconf_config',`
+@@ -84,37 +378,40 @@ template(`gnome_read_gconf_config',`
  ##	</summary>
  ## </param>
  #
@@ -2868,7 +2921,7 @@ index f5afe78..8978675 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -122,12 +401,13 @@ interface(`gnome_stream_connect_gconf',`
+@@ -122,12 +419,13 @@ interface(`gnome_stream_connect_gconf',`
  ##	</summary>
  ## </param>
  #
@@ -2885,7 +2938,7 @@ index f5afe78..8978675 100644
  ')
  
  ########################################
-@@ -151,40 +431,173 @@ interface(`gnome_setattr_config_dirs',`
+@@ -151,40 +449,173 @@ interface(`gnome_setattr_config_dirs',`
  
  ########################################
  ## <summary>
@@ -2916,7 +2969,7 @@ index f5afe78..8978675 100644
  ## <summary>
 -##	manage gnome homedir content (.config)
 +##	manage gconf home files
- ## </summary>
++## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
@@ -2935,7 +2988,7 @@ index f5afe78..8978675 100644
 +########################################
 +## <summary>
 +##	Connect to gnome over an unix stream socket.
-+## </summary>
+ ## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
@@ -4088,7 +4141,7 @@ index 9a6d67d..b0c1197 100644
  ##	mozilla over dbus.
  ## </summary>
 diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index cbf4bec..05dd44a 100644
+index cbf4bec..9826f66 100644
 --- a/policy/modules/apps/mozilla.te
 +++ b/policy/modules/apps/mozilla.te
 @@ -7,7 +7,7 @@ policy_module(mozilla, 2.2.2)
@@ -4170,7 +4223,7 @@ index cbf4bec..05dd44a 100644
  	pulseaudio_exec(mozilla_t)
  	pulseaudio_stream_connect(mozilla_t)
  	pulseaudio_manage_home_files(mozilla_t)
-@@ -266,3 +291,139 @@ optional_policy(`
+@@ -266,3 +291,144 @@ optional_policy(`
  optional_policy(`
  	thunderbird_domtrans(mozilla_t)
  ')
@@ -4238,7 +4291,7 @@ index cbf4bec..05dd44a 100644
 +files_read_usr_files(mozilla_plugin_t)
 +files_list_mnt(mozilla_plugin_t)
 +
-+fs_getattr_tmpfs(mozilla_plugin_t)
++fs_getattr_all_fs(mozilla_plugin_t)
 +fs_list_dos_dirs(mozilla_plugin_t)
 +fs_read_dos_files(mozilla_plugin_t)
 +
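Review bot: Replacing `fs_getattr_tmpfs(mozilla_plugin_t)` with `fs_getattr_all_fs(mozilla_plugin_t)` widens the grant from one filesystem type to every filesystem, and nothing in the commit message mentions mozilla. The permission is low risk (filesystem metadata only), but mozilla_plugin_t presumably exists to confine plugin code, so a comment naming the operation that needed it, e.g. `# plugins statfs arbitrary mounts -- TODO name the caller`, would justify the broad form over a targeted one.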
@@ -4288,6 +4341,11 @@ index cbf4bec..05dd44a 100644
 +')
 +
 +optional_policy(`
++	mplayer_exec(mozilla_plugin_t)
++	mplayer_read_user_home_files(mozilla_plugin_t)
++')
++
++optional_policy(`
 +	nsplugin_domtrans(mozilla_plugin_t)
 +	nsplugin_rw_exec(mozilla_plugin_t)
 +	nsplugin_manage_home_dirs(mozilla_plugin_t)
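Review bot: `mplayer_exec(mozilla_plugin_t)` runs mplayer inside the plugin domain with no domain transition, so mplayer inherits everything mozilla_plugin_t may do, including the `mplayer_read_user_home_files` grant on the next line; if that is the intent it deserves a comment such as `# mplayer runs in-domain; no transition intended`. Otherwise the new optional_policy block follows the surrounding style.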
@@ -6896,10 +6954,10 @@ index 0000000..46368cc
 +')
 diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te
 new file mode 100644
-index 0000000..0b28cf8
+index 0000000..7d62b71
 --- /dev/null
 +++ b/policy/modules/apps/telepathy.te
-@@ -0,0 +1,329 @@
+@@ -0,0 +1,333 @@
 +
 +policy_module(telepathy, 1.0.0)
 +
@@ -7054,6 +7112,10 @@ index 0000000..0b28cf8
 +        fs_manage_cifs_files(telepathy_gabble_t)
 +')
 +
++optional_policy(`
++	    gnome_read_home_config(telepathy_gabble_t)
++')
++
 +#######################################
 +#
 +# Telepathy Idle local policy.
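Review bot: The added line `gnome_read_home_config(telepathy_gabble_t)` is indented with a tab followed by four spaces, while the neighbouring block in this new telepathy.te (`fs_manage_cifs_files` just above) uses eight spaces, so the file now mixes both in adjacent lines. Pick one for the file and drop the tab here.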
@@ -14272,7 +14334,7 @@ index c9e1a44..1a1ba36 100644
 +	dontaudit $1 httpd_tmp_t:file { read write };
  ')
 diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 08dfa0c..ee604fe 100644
+index 08dfa0c..b02e348 100644
 --- a/policy/modules/services/apache.te
 +++ b/policy/modules/services/apache.te
 @@ -18,130 +18,195 @@ policy_module(apache, 2.2.0)
@@ -14527,6 +14589,15 @@ index 08dfa0c..ee604fe 100644
  attribute httpdcontent;
  attribute httpd_user_content_type;
  
+@@ -166,7 +231,7 @@ files_type(httpd_cache_t)
+ 
+ # httpd_config_t is the type given to the configuration files
+ type httpd_config_t;
+-files_type(httpd_config_t)
++files_config_file(httpd_config_t)
+ 
+ type httpd_helper_t;
+ type httpd_helper_exec_t;
 @@ -216,7 +281,17 @@ files_tmp_file(httpd_suexec_tmp_t)
  
  # setup the system domain for system CGI scripts
@@ -14819,10 +14890,11 @@ index 08dfa0c..ee604fe 100644
  	dbus_system_bus_client(httpd_t)
  
  	tunable_policy(`httpd_dbus_avahi',`
-@@ -537,8 +709,12 @@ optional_policy(`
+@@ -537,8 +709,13 @@ optional_policy(`
  ')
  
  optional_policy(`
++	git_read_generic_system_content_files(httpd_t)
 +	gitosis_read_lib_files(httpd_t)
 +')
 +
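Review bot: `git_read_generic_system_content_files(httpd_t)` is added into the optional_policy block that already holds `gitosis_read_lib_files(httpd_t)`, so the block now depends on two modules; an optional block is disabled as a whole when any interface in it cannot be resolved, meaning a system with gitosis but without the git module (or the reverse) silently loses both grants. Give the git call its own block: `optional_policy(\`` / `	git_read_generic_system_content_files(httpd_t)` / `')`.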
@@ -14833,7 +14905,7 @@ index 08dfa0c..ee604fe 100644
  	')
  ')
  
-@@ -556,7 +732,13 @@ optional_policy(`
+@@ -556,7 +733,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -14847,7 +14919,7 @@ index 08dfa0c..ee604fe 100644
  	mysql_stream_connect(httpd_t)
  	mysql_rw_db_sockets(httpd_t)
  
-@@ -567,6 +749,7 @@ optional_policy(`
+@@ -567,6 +750,7 @@ optional_policy(`
  
  optional_policy(`
  	nagios_read_config(httpd_t)
@@ -14855,7 +14927,7 @@ index 08dfa0c..ee604fe 100644
  ')
  
  optional_policy(`
-@@ -577,6 +760,16 @@ optional_policy(`
+@@ -577,6 +761,16 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -14872,7 +14944,7 @@ index 08dfa0c..ee604fe 100644
  	# Allow httpd to work with postgresql
  	postgresql_stream_connect(httpd_t)
  	postgresql_unpriv_client(httpd_t)
-@@ -591,6 +784,11 @@ optional_policy(`
+@@ -591,6 +785,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -14884,7 +14956,7 @@ index 08dfa0c..ee604fe 100644
  	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
  	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
  ')
-@@ -603,6 +801,11 @@ optional_policy(`
+@@ -603,6 +802,11 @@ optional_policy(`
  	yam_read_content(httpd_t)
  ')
  
@@ -14896,7 +14968,7 @@ index 08dfa0c..ee604fe 100644
  ########################################
  #
  # Apache helper local policy
-@@ -618,6 +821,10 @@ logging_send_syslog_msg(httpd_helper_t)
+@@ -618,6 +822,10 @@ logging_send_syslog_msg(httpd_helper_t)
  
  userdom_use_user_terminals(httpd_helper_t)
  
@@ -14907,7 +14979,7 @@ index 08dfa0c..ee604fe 100644
  ########################################
  #
  # Apache PHP script local policy
-@@ -654,28 +861,27 @@ libs_exec_lib_files(httpd_php_t)
+@@ -654,28 +862,27 @@ libs_exec_lib_files(httpd_php_t)
  userdom_use_unpriv_users_fds(httpd_php_t)
  
  tunable_policy(`httpd_can_network_connect_db',`
@@ -14948,7 +15020,7 @@ index 08dfa0c..ee604fe 100644
  ')
  
  ########################################
-@@ -699,17 +905,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -699,17 +906,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
  
@@ -14974,7 +15046,7 @@ index 08dfa0c..ee604fe 100644
  
  files_read_etc_files(httpd_suexec_t)
  files_read_usr_files(httpd_suexec_t)
-@@ -740,10 +951,20 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -740,10 +952,20 @@ tunable_policy(`httpd_can_network_connect',`
  	corenet_sendrecv_all_client_packets(httpd_suexec_t)
  ')
  
@@ -14996,7 +15068,7 @@ index 08dfa0c..ee604fe 100644
  ')
  
  tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -769,6 +990,25 @@ optional_policy(`
+@@ -769,6 +991,25 @@ optional_policy(`
  	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
  ')
  
@@ -15022,7 +15094,7 @@ index 08dfa0c..ee604fe 100644
  ########################################
  #
  # Apache system script local policy
-@@ -789,12 +1029,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+@@ -789,12 +1030,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
  
  kernel_read_kernel_sysctls(httpd_sys_script_t)
  
@@ -15040,7 +15112,7 @@ index 08dfa0c..ee604fe 100644
  ifdef(`distro_redhat',`
  	allow httpd_sys_script_t httpd_log_t:file append_file_perms;
  ')
-@@ -803,6 +1048,33 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -803,6 +1049,33 @@ tunable_policy(`httpd_can_sendmail',`
  	mta_send_mail(httpd_sys_script_t)
  ')
  
@@ -15074,7 +15146,7 @@ index 08dfa0c..ee604fe 100644
  tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
  	allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
  	allow httpd_sys_script_t self:udp_socket create_socket_perms;
-@@ -822,7 +1094,7 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -822,7 +1095,7 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
  ')
  
  tunable_policy(`httpd_enable_homedirs',`
@@ -15083,7 +15155,7 @@ index 08dfa0c..ee604fe 100644
  ')
  
  tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -830,6 +1102,20 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -830,6 +1103,20 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
  	fs_read_nfs_symlinks(httpd_sys_script_t)
  ')
  
@@ -15104,7 +15176,7 @@ index 08dfa0c..ee604fe 100644
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_sys_script_t)
  	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,10 +1128,20 @@ optional_policy(`
+@@ -842,10 +1129,20 @@ optional_policy(`
  optional_policy(`
  	mysql_stream_connect(httpd_sys_script_t)
  	mysql_rw_db_sockets(httpd_sys_script_t)
@@ -15125,7 +15197,7 @@ index 08dfa0c..ee604fe 100644
  ')
  
  ########################################
-@@ -891,11 +1187,21 @@ optional_policy(`
+@@ -891,11 +1188,21 @@ optional_policy(`
  
  tunable_policy(`httpd_enable_cgi && httpd_unified',`
  	allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -15439,7 +15511,7 @@ index 44a1e3d..7e9d2fb 100644
  	files_list_pids($1)
  	admin_pattern($1, named_var_run_t)
 diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
-index 4deca04..0bde225 100644
+index 4deca04..42aa033 100644
 --- a/policy/modules/services/bind.te
 +++ b/policy/modules/services/bind.te
 @@ -6,10 +6,10 @@ policy_module(bind, 1.11.0)
@@ -15457,6 +15529,15 @@ index 4deca04..0bde225 100644
  ## </desc>
  gen_tunable(named_write_master_zones, false)
  
+@@ -27,7 +27,7 @@ init_system_domain(named_t, named_checkconf_exec_t)
+ 
+ # A type for configuration files of named.
+ type named_conf_t;
+-files_type(named_conf_t)
++files_config_file(named_conf_t)
+ files_mountpoint(named_conf_t)
+ 
+ # for secondary zone files
 @@ -89,9 +89,10 @@ manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t)
  manage_files_pattern(named_t, named_tmp_t, named_tmp_t)
  files_tmp_filetrans(named_t, named_tmp_t, { file dir })
@@ -15606,10 +15687,10 @@ index 3e45431..fa57a6f 100644
  	admin_pattern($1, bluetooth_var_lib_t)
  
 diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te
-index 215b86b..913d2a9 100644
+index 215b86b..4a3569f 100644
 --- a/policy/modules/services/bluetooth.te
 +++ b/policy/modules/services/bluetooth.te
-@@ -4,6 +4,7 @@ policy_module(bluetooth, 3.3.0)
+@@ -4,12 +4,13 @@ policy_module(bluetooth, 3.3.0)
  #
  # Declarations
  #
@@ -15617,6 +15698,13 @@ index 215b86b..913d2a9 100644
  type bluetooth_t;
  type bluetooth_exec_t;
  init_daemon_domain(bluetooth_t, bluetooth_exec_t)
+ 
+ type bluetooth_conf_t;
+-files_type(bluetooth_conf_t)
++files_config_file(bluetooth_conf_t)
+ 
+ type bluetooth_conf_rw_t;
+ files_type(bluetooth_conf_rw_t)
 @@ -99,6 +100,11 @@ kernel_request_load_module(bluetooth_t)
  #search debugfs - redhat bug 548206
  kernel_search_debugfs(bluetooth_t)
@@ -16395,9 +16483,18 @@ index 6ee2cc8..3105b09 100644
  #
  interface(`ccs_domtrans',`
 diff --git a/policy/modules/services/ccs.te b/policy/modules/services/ccs.te
-index 4c90b57..8d7e14e 100644
+index 4c90b57..af806c2 100644
 --- a/policy/modules/services/ccs.te
 +++ b/policy/modules/services/ccs.te
+@@ -10,7 +10,7 @@ type ccs_exec_t;
+ init_daemon_domain(ccs_t, ccs_exec_t)
+ 
+ type cluster_conf_t;
+-files_type(cluster_conf_t)
++files_config_file(cluster_conf_t)
+ 
+ type ccs_tmp_t;
+ files_tmp_file(ccs_tmp_t)
 @@ -61,7 +61,7 @@ manage_dirs_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t)
  manage_files_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t)
  files_var_lib_filetrans(ccs_t, ccs_var_lib_t, { file dir })
@@ -16671,7 +16768,7 @@ index d020c93..e5cbcef 100644
  	cgroup_initrc_domtrans_cgconfig($1)
  	domain_system_change_exemption($1)
 diff --git a/policy/modules/services/cgroup.te b/policy/modules/services/cgroup.te
-index 8ca2333..0a1097b 100644
+index 8ca2333..27f8f4d 100644
 --- a/policy/modules/services/cgroup.te
 +++ b/policy/modules/services/cgroup.te
 @@ -16,14 +16,17 @@ init_daemon_domain(cgred_t, cgred_exec_t)
@@ -16694,7 +16791,17 @@ index 8ca2333..0a1097b 100644
  init_daemon_domain(cgconfig_t, cgconfig_exec_t)
  
  type cgconfig_initrc_exec_t;
-@@ -52,7 +55,7 @@ fs_unmount_cgroup(cgclear_t)
+@@ -36,8 +39,7 @@ files_config_file(cgconfig_etc_t)
+ #
+ # cgclear personal policy.
+ #
+-
+-allow cgclear_t self:capability sys_admin;
++allow cgclear_t self:capability { dac_read_search dac_override sys_admin };
+ 
+ kernel_read_system_state(cgclear_t)
+ 
+@@ -52,7 +54,7 @@ fs_unmount_cgroup(cgclear_t)
  # cgconfig personal policy.
  #
  
@@ -16703,6 +16810,14 @@ index 8ca2333..0a1097b 100644
  
  allow cgconfig_t cgconfig_etc_t:file read_file_perms;
  
+@@ -67,6 +69,7 @@ fs_manage_cgroup_dirs(cgconfig_t)
+ fs_manage_cgroup_files(cgconfig_t)
+ fs_mount_cgroup(cgconfig_t)
+ fs_mounton_cgroup(cgconfig_t)
++fs_unmount_cgroup(cgconfig_t)
+ 
+ ########################################
+ #
 @@ -79,6 +82,9 @@ allow cgred_t self:unix_dgram_socket { write create connect };
  
  allow cgred_t cgrules_etc_t:file read_file_perms;
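Review bot: The rewritten capability line for cgclear_t adds `dac_override` next to `dac_read_search`; dac_override bypasses every DAC check including write, and is normally justified only when the audit log shows a write-side denial, whereas dac_read_search already covers reading and traversing the directories cgclear walks. I would start with `allow cgclear_t self:capability { dac_read_search sys_admin };` and add dac_override only with a comment naming the denied operation. The cgclear change is also absent from the commit message.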
@@ -18048,6 +18163,19 @@ index 37f4810..cc93958 100644
  
  miscfiles_read_localization(courier_pop_t)
  
+diff --git a/policy/modules/services/cpucontrol.te b/policy/modules/services/cpucontrol.te
+index 13d2f63..a048c53 100644
+--- a/policy/modules/services/cpucontrol.te
++++ b/policy/modules/services/cpucontrol.te
+@@ -10,7 +10,7 @@ type cpucontrol_exec_t;
+ init_system_domain(cpucontrol_t, cpucontrol_exec_t)
+ 
+ type cpucontrol_conf_t;
+-files_type(cpucontrol_conf_t)
++files_config_file(cpucontrol_conf_t)
+ 
+ type cpuspeed_t;
+ type cpuspeed_exec_t;
 diff --git a/policy/modules/services/cron.fc b/policy/modules/services/cron.fc
 index 2eefc08..3e8ad69 100644
 --- a/policy/modules/services/cron.fc
@@ -19081,6 +19209,19 @@ index e182bf4..f80e725 100644
  	snmp_read_snmp_var_lib_files(cyrus_t)
  	snmp_dontaudit_write_snmp_var_lib_files(cyrus_t)
  	snmp_stream_connect(cyrus_t)
+diff --git a/policy/modules/services/dante.te b/policy/modules/services/dante.te
+index a8b93c0..831ce70 100644
+--- a/policy/modules/services/dante.te
++++ b/policy/modules/services/dante.te
+@@ -10,7 +10,7 @@ type dante_exec_t;
+ init_daemon_domain(dante_t, dante_exec_t)
+ 
+ type dante_conf_t;
+-files_type(dante_conf_t)
++files_config_file(dante_conf_t)
+ 
+ type dante_var_run_t;
+ files_pid_file(dante_var_run_t)
 diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
 index 0d5711c..3874025 100644
 --- a/policy/modules/services/dbus.if
@@ -19493,18 +19634,24 @@ index 8ba9425..b10da2c 100644
 +	gnome_dontaudit_search_config(denyhosts_t)
 +')
 diff --git a/policy/modules/services/devicekit.fc b/policy/modules/services/devicekit.fc
-index 418a5a0..76542e1 100644
+index 418a5a0..28d9e41 100644
 --- a/policy/modules/services/devicekit.fc
 +++ b/policy/modules/services/devicekit.fc
-@@ -10,5 +10,6 @@
+@@ -8,7 +8,12 @@
+ /var/lib/upower(/.*)?			gen_context(system_u:object_r:devicekit_var_lib_t,s0)
+ /var/lib/udisks(/.*)?			gen_context(system_u:object_r:devicekit_var_lib_t,s0)
  
++/var/log/pm-powersave\.log	--	gen_context(system_u:object_r:devicekit_var_log_t,s0)
++/var/log/pm-suspend\.log	--	gen_context(system_u:object_r:devicekit_var_log_t,s0)
++
  /var/run/devkit(/.*)?			gen_context(system_u:object_r:devicekit_var_run_t,s0)
  /var/run/DeviceKit-disks(/.*)?		gen_context(system_u:object_r:devicekit_var_run_t,s0)
 +/var/run/pm-utils(/.*)?			gen_context(system_u:object_r:devicekit_var_run_t,s0)
++
  /var/run/udisks(/.*)?			gen_context(system_u:object_r:devicekit_var_run_t,s0)
  /var/run/upower(/.*)?			gen_context(system_u:object_r:devicekit_var_run_t,s0)
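Review bot: The two new log entries use the `--` specifier with an exact file name, so if pm-utils rotates these logs the rotated names (`pm-suspend.log.1`, `.gz`, ...) fall back to the generic var_log_t label and the devicekit_var_log_t rules added in devicekit.te do not reach them. If rotation happens, a pattern such as `/var/log/pm-suspend\.log.*	--	gen_context(system_u:object_r:devicekit_var_log_t,s0)` covers both. I cannot tell from the hunk whether these files are rotated, so treat this as something to verify rather than a definite defect.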
 diff --git a/policy/modules/services/devicekit.if b/policy/modules/services/devicekit.if
-index f706b99..205afb9 100644
+index f706b99..92d4eba 100644
 --- a/policy/modules/services/devicekit.if
 +++ b/policy/modules/services/devicekit.if
 @@ -5,9 +5,9 @@
@@ -19545,7 +19692,7 @@ index f706b99..205afb9 100644
  ##	Read devicekit PID files.
  ## </summary>
  ## <param name="domain">
-@@ -139,22 +158,31 @@ interface(`devicekit_read_pid_files',`
+@@ -139,22 +158,52 @@ interface(`devicekit_read_pid_files',`
  
  ########################################
  ## <summary>
@@ -19557,15 +19704,10 @@ index f706b99..205afb9 100644
  ## <param name="domain">
  ##	<summary>
 -##	Domain allowed access.
--##	</summary>
--## </param>
--## <param name="role">
--##	<summary>
--##	The role to be allowed to manage the devicekit domain.
 +##	Domain to not audit.
  ##	</summary>
  ## </param>
--## <param name="terminal">
+-## <param name="role">
 +#
 +interface(`devicekit_dontaudit_read_pid_files',`
 +	gen_require(` 
@@ -19575,6 +19717,29 @@ index f706b99..205afb9 100644
 +	dontaudit $1 devicekit_var_run_t:file read_inherited_file_perms;
 +')
 +
++
++########################################
++## <summary>
++##	Manage devicekit PID files.
++## </summary>
++## <param name="domain">
+ ##	<summary>
+-##	The role to be allowed to manage the devicekit domain.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <param name="terminal">
++#
++interface(`devicekit_manage_pid_files',`
++	gen_require(`
++		type devicekit_var_run_t;
++	')
++
++	files_search_pids($1)
++	rw_dirs_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
++	manage_files_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
++')
++
 +########################################
 +## <summary>
 +##	All of the rules required to administrate
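Review bot: In the new `devicekit_manage_pid_files` interface the line `rw_dirs_pattern($1, devicekit_var_run_t, devicekit_var_run_t)` is redundant: `manage_files_pattern` already grants rw_dir_perms on its directory argument, so the explicit dir rule adds nothing and can be dropped. There are also two consecutive blank lines before the interface's header banner where the rest of the file uses one. If callers are meant to create the pid directory itself, that would call for `manage_dirs_pattern` rather than the rw form, but the interface name suggests files only, so the shorter body is the right fix.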
@@ -19587,7 +19752,7 @@ index f706b99..205afb9 100644
  ##	</summary>
  ## </param>
  ## <rolecap/>
-@@ -165,21 +193,22 @@ interface(`devicekit_admin',`
+@@ -165,21 +214,22 @@ interface(`devicekit_admin',`
  		type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t;
  	')
  
@@ -19617,10 +19782,20 @@ index f706b99..205afb9 100644
  ')
 +
 diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
-index f231f17..14921ca 100644
+index f231f17..4ecd4b7 100644
 --- a/policy/modules/services/devicekit.te
 +++ b/policy/modules/services/devicekit.te
-@@ -75,10 +75,12 @@ manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
+@@ -26,6 +26,9 @@ files_pid_file(devicekit_var_run_t)
+ type devicekit_var_lib_t;
+ files_type(devicekit_var_lib_t)
+ 
++type devicekit_var_log_t;
++logging_log_file(devicekit_var_log_t)
++
+ ########################################
+ #
+ # DeviceKit local policy
+@@ -75,10 +78,12 @@ manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
  manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
  files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir)
  
@@ -19633,7 +19808,7 @@ index f231f17..14921ca 100644
  kernel_getattr_message_if(devicekit_disk_t)
  kernel_read_fs_sysctls(devicekit_disk_t)
  kernel_read_network_state(devicekit_disk_t)
-@@ -105,8 +107,10 @@ domain_read_all_domains_state(devicekit_disk_t)
+@@ -105,8 +110,10 @@ domain_read_all_domains_state(devicekit_disk_t)
  
  files_dontaudit_read_all_symlinks(devicekit_disk_t)
  files_getattr_all_sockets(devicekit_disk_t)
@@ -19645,7 +19820,7 @@ index f231f17..14921ca 100644
  files_manage_isid_type_dirs(devicekit_disk_t)
  files_manage_mnt_dirs(devicekit_disk_t)
  files_read_etc_files(devicekit_disk_t)
-@@ -178,25 +182,41 @@ optional_policy(`
+@@ -178,25 +185,47 @@ optional_policy(`
  	virt_manage_images(devicekit_disk_t)
  ')
  
@@ -19667,6 +19842,9 @@ index f231f17..14921ca 100644
  allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
  allow devicekit_power_t self:netlink_kobject_uevent_socket create_socket_perms;
  
++manage_files_pattern(devicekit_power_t, devicekit_var_log_t, devicekit_var_log_t)
++logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file)
++
 +manage_dirs_pattern(devicekit_power_t, devicekit_tmp_t, devicekit_tmp_t)
 +manage_files_pattern(devicekit_power_t, devicekit_tmp_t, devicekit_tmp_t)
 +files_tmp_filetrans(devicekit_power_t, devicekit_tmp_t, { file dir })
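Review bot: The pair `manage_files_pattern(devicekit_power_t, devicekit_var_log_t, devicekit_var_log_t)` / `logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file)` added here is added a second time, verbatim, in the very next hunk after the devicekit_var_lib_t rules, so devicekit.te ends up with the rules twice. The compiler tolerates duplicate allow rules, but the copy is noise that will mislead the next edit; keep the one in the following hunk, which sits with the other devicekit_var_* blocks, and drop this one.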
@@ -19675,6 +19853,9 @@ index f231f17..14921ca 100644
  manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
  files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir)
  
++manage_files_pattern(devicekit_power_t, devicekit_var_log_t, devicekit_var_log_t)
++logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file)
++
 +manage_files_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t)
 +manage_dirs_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t)
 +files_pid_filetrans(devicekit_power_t, devicekit_var_run_t, dir)
@@ -19688,7 +19869,7 @@ index f231f17..14921ca 100644
  kernel_search_debugfs(devicekit_power_t)
  kernel_write_proc_files(devicekit_power_t)
  
-@@ -212,12 +232,16 @@ dev_rw_generic_usb_dev(devicekit_power_t)
+@@ -212,12 +241,16 @@ dev_rw_generic_usb_dev(devicekit_power_t)
  dev_rw_generic_chr_files(devicekit_power_t)
  dev_rw_netcontrol(devicekit_power_t)
  dev_rw_sysfs(devicekit_power_t)
@@ -19705,7 +19886,7 @@ index f231f17..14921ca 100644
  
  term_use_all_terms(devicekit_power_t)
  
-@@ -225,8 +249,11 @@ auth_use_nsswitch(devicekit_power_t)
+@@ -225,8 +258,11 @@ auth_use_nsswitch(devicekit_power_t)
  
  miscfiles_read_localization(devicekit_power_t)
  
@@ -19717,7 +19898,7 @@ index f231f17..14921ca 100644
  
  userdom_read_all_users_state(devicekit_power_t)
  
-@@ -261,6 +288,10 @@ optional_policy(`
+@@ -261,14 +297,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -19726,9 +19907,10 @@ index f231f17..14921ca 100644
 +
 +optional_policy(`
  	hal_domtrans_mac(devicekit_power_t)
- 	hal_manage_log(devicekit_power_t)
+-	hal_manage_log(devicekit_power_t)
  	hal_manage_pid_dirs(devicekit_power_t)
-@@ -269,6 +300,10 @@ optional_policy(`
+ 	hal_manage_pid_files(devicekit_power_t)
+ 	hal_dbus_chat(devicekit_power_t)
  ')
  
  optional_policy(`
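Review bot: Removing `hal_manage_log(devicekit_power_t)` while introducing devicekit_var_log_t means a pm-suspend or pm-powersave log already on disk keeps whatever label it had and stays unwritable by devicekit_power_t until it is relabeled; the new file contexts only take effect for files created after the policy loads or after a restorecon. If the package does not relabel /var/log on update (the spec diff is not in this chunk), a note in the commit message or a `restorecon` of the two paths in %post would avoid a post-upgrade denial on the first suspend.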
@@ -19739,7 +19921,7 @@ index f231f17..14921ca 100644
  	policykit_dbus_chat(devicekit_power_t)
  	policykit_domtrans_auth(devicekit_power_t)
  	policykit_read_lib(devicekit_power_t)
-@@ -276,9 +311,21 @@ optional_policy(`
+@@ -276,9 +319,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -20252,7 +20434,7 @@ index 0000000..440a6c5
 +')
 diff --git a/policy/modules/services/dirsrv.te b/policy/modules/services/dirsrv.te
 new file mode 100644
-index 0000000..6f93d77
+index 0000000..01c3755
 --- /dev/null
 +++ b/policy/modules/services/dirsrv.te
 @@ -0,0 +1,172 @@
@@ -20379,6 +20561,10 @@ index 0000000..6f93d77
 +	kerberos_dontaudit_write_config(dirsrv_t)
 +')
 +
++optional_policy(`
++	rpcbind_stream_connect(dirsrv_t)
++')
++
 +########################################
 +#
 +# dirsrv-snmp local policy
@@ -20424,10 +20610,6 @@ index 0000000..6f93d77
 +	snmp_append_snmp_var_lib_files(dirsrv_snmp_t)
 +	snmp_stream_connect(dirsrv_snmp_t)
 +')
-+
-+optional_policy(`
-+	rpcbind_stream_connect(initrc_t)
-+')
 diff --git a/policy/modules/services/djbdns.te b/policy/modules/services/djbdns.te
 index 0c6a473..51e2ce8 100644
 --- a/policy/modules/services/djbdns.te
@@ -20556,10 +20738,35 @@ index bfc880b..9a1dcba 100644
  ')
  
 diff --git a/policy/modules/services/dovecot.if b/policy/modules/services/dovecot.if
-index e1d7dc5..ee51a19 100644
+index e1d7dc5..673f185 100644
 --- a/policy/modules/services/dovecot.if
 +++ b/policy/modules/services/dovecot.if
-@@ -9,13 +9,13 @@
+@@ -1,5 +1,24 @@
+ ## <summary>Dovecot POP and IMAP mail server</summary>
+ 
++#######################################
++## <summary>
++##  Connect to dovecot unix domain stream socket.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`dovecot_stream_connect',`
++    gen_require(`
++        type dovecot_t, dovecot_var_run_t;
++    ')
++
++    files_search_pids($1)
++    stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_t)
++')
++
+ ########################################
+ ## <summary>
+ ##	Connect to dovecot auth unix domain stream socket.
+@@ -9,13 +28,13 @@
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
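Review bot: The new `dovecot_stream_connect` interface is indented with four-space steps and its `##` summary lines with two spaces, while the rest of dovecot.if (the `dovecot_auth_stream_connect` body in the next hunk) uses tabs, so the mixed whitespace will show in every later diff of this file. Re-indenting the body with tabs and writing the summary as `##	Connect to dovecot unix domain stream socket.` matches the file; the rules themselves, `files_search_pids($1)` plus the stream_connect_pattern, mirror the auth variant and look right.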
@@ -20574,7 +20781,7 @@ index e1d7dc5..ee51a19 100644
  	stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_auth_t)
  ')
  
-@@ -52,6 +52,7 @@ interface(`dovecot_manage_spool',`
+@@ -52,6 +71,7 @@ interface(`dovecot_manage_spool',`
  		type dovecot_spool_t;
  	')
  
@@ -20582,7 +20789,7 @@ index e1d7dc5..ee51a19 100644
  	manage_files_pattern($1, dovecot_spool_t, dovecot_spool_t)
  	manage_lnk_files_pattern($1, dovecot_spool_t, dovecot_spool_t)
  ')
-@@ -93,12 +94,10 @@ interface(`dovecot_dontaudit_unlink_lib_files',`
+@@ -93,12 +113,10 @@ interface(`dovecot_dontaudit_unlink_lib_files',`
  #
  interface(`dovecot_admin',`
  	gen_require(`
@@ -20599,7 +20806,7 @@ index e1d7dc5..ee51a19 100644
  	')
  
  	allow $1 dovecot_t:process { ptrace signal_perms };
-@@ -112,8 +111,11 @@ interface(`dovecot_admin',`
+@@ -112,8 +130,11 @@ interface(`dovecot_admin',`
  	files_list_etc($1)
  	admin_pattern($1, dovecot_etc_t)
  
@@ -20613,7 +20820,7 @@ index e1d7dc5..ee51a19 100644
  
  	files_list_spool($1)
  	admin_pattern($1, dovecot_spool_t)
-@@ -121,6 +123,9 @@ interface(`dovecot_admin',`
+@@ -121,6 +142,9 @@ interface(`dovecot_admin',`
  	files_list_var_lib($1)
  	admin_pattern($1, dovecot_var_lib_t)
  
@@ -20624,7 +20831,7 @@ index e1d7dc5..ee51a19 100644
  	admin_pattern($1, dovecot_var_run_t)
  
 diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
-index cbe14e4..da1c6bf 100644
+index cbe14e4..2cc1082 100644
 --- a/policy/modules/services/dovecot.te
 +++ b/policy/modules/services/dovecot.te
 @@ -18,7 +18,7 @@ type dovecot_auth_tmp_t;
@@ -20687,10 +20894,14 @@ index cbe14e4..da1c6bf 100644
  corenet_tcp_connect_all_ports(dovecot_t)
  corenet_tcp_connect_postgresql_port(dovecot_t)
  corenet_sendrecv_pop_server_packets(dovecot_t)
-@@ -159,6 +166,11 @@ optional_policy(`
+@@ -159,6 +166,15 @@ optional_policy(`
  ')
  
  optional_policy(`
++	gnome_manage_data(dovecot_t)
++')
++
++optional_policy(`
 +	postfix_manage_private_sockets(dovecot_t)
 +	postfix_search_spool(dovecot_t)
 +')
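Review bot: `gnome_manage_data(dovecot_t)` hands a network-facing IMAP daemon what is presumably full manage over the GNOME user-data type in home directories (verify against gnome.if), and the same grant is made to dovecot_deliver_t in the hunk around `@@ -301,5 +334,10 @@` below; neither site says what dovecot reads or writes there. If this is for mailboxes or index files kept under the user data directory, a comment such as `# mailbox/index files under the user data dir` would explain it, and if read or append would do, a narrower gnome_* interface is preferable to manage. Both enclosing optional_policy blocks start and end inside their hunks.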
@@ -20699,7 +20910,7 @@ index cbe14e4..da1c6bf 100644
  	postgresql_stream_connect(dovecot_t)
  ')
  
-@@ -179,7 +191,7 @@ optional_policy(`
+@@ -179,7 +195,7 @@ optional_policy(`
  # dovecot auth local policy
  #
  
@@ -20708,7 +20919,7 @@ index cbe14e4..da1c6bf 100644
  allow dovecot_auth_t self:process { signal_perms getcap setcap };
  allow dovecot_auth_t self:fifo_file rw_fifo_file_perms;
  allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
-@@ -189,6 +201,8 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p
+@@ -189,6 +205,8 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p
  
  read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t)
  
@@ -20717,7 +20928,7 @@ index cbe14e4..da1c6bf 100644
  manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
  manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
  files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
-@@ -242,6 +256,7 @@ optional_policy(`
+@@ -242,6 +260,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -20725,7 +20936,7 @@ index cbe14e4..da1c6bf 100644
  	postfix_search_spool(dovecot_auth_t)
  ')
  
-@@ -253,19 +268,33 @@ allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
+@@ -253,19 +272,33 @@ allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
  
  allow dovecot_deliver_t dovecot_t:process signull;
  
@@ -20761,9 +20972,14 @@ index cbe14e4..da1c6bf 100644
  
  miscfiles_read_localization(dovecot_deliver_t)
  
-@@ -302,4 +331,5 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -301,5 +334,10 @@ tunable_policy(`use_samba_home_dirs',`
+ ')
  
  optional_policy(`
++	gnome_manage_data(dovecot_deliver_t)
++')
++
++optional_policy(`
  	mta_manage_spool(dovecot_deliver_t)
 +	mta_read_queue(dovecot_deliver_t)
  ')
@@ -21227,7 +21443,7 @@ index f590a1f..87f6bfb 100644
  
  	allow $1 fail2ban_t:process { ptrace signal_perms };
 diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te
-index 2a69e5e..0a4216c 100644
+index 2a69e5e..84e7ce2 100644
 --- a/policy/modules/services/fail2ban.te
 +++ b/policy/modules/services/fail2ban.te
 @@ -28,7 +28,7 @@ files_pid_file(fail2ban_var_run_t)
@@ -21248,7 +21464,15 @@ index 2a69e5e..0a4216c 100644
  manage_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
  logging_log_filetrans(fail2ban_t, fail2ban_log_t, file)
  
-@@ -94,5 +94,9 @@ optional_policy(`
+@@ -66,6 +66,7 @@ corenet_sendrecv_whois_client_packets(fail2ban_t)
+ dev_read_urand(fail2ban_t)
+ 
+ domain_use_interactive_fds(fail2ban_t)
++domain_dontaudit_read_all_domains_state(fail2ban_t)
+ 
+ files_read_etc_files(fail2ban_t)
+ files_read_etc_runtime_files(fail2ban_t)
+@@ -94,5 +95,9 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21323,7 +21547,7 @@ index 69dcd2a..a9a9116 100644
  /var/log/xferreport.*	--	gen_context(system_u:object_r:xferlog_t,s0)
 +/usr/libexec/webmin/vsftpd/webalizer/xfer_log 	--	gen_context(system_u:object_r:xferlog_t,s0)
 diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
-index 8a74a83..b2ca277 100644
+index 8a74a83..eca06f7 100644
 --- a/policy/modules/services/ftp.te
 +++ b/policy/modules/services/ftp.te
 @@ -40,6 +40,13 @@ gen_tunable(allow_ftpd_use_nfs, false)
@@ -21399,7 +21623,15 @@ index 8a74a83..b2ca277 100644
  
  # Create and modify /var/log/xferlog.
  manage_files_pattern(ftpd_t, xferlog_t, xferlog_t)
-@@ -270,10 +288,13 @@ tunable_policy(`ftp_home_dir',`
+@@ -219,6 +237,7 @@ auth_append_login_records(ftpd_t)
+ #kerberized ftp requires the following
+ auth_write_login_records(ftpd_t)
+ auth_rw_faillog(ftpd_t)
++auth_manage_var_auth(ftpd_t)
+ 
+ init_rw_utmp(ftpd_t)
+ 
+@@ -270,10 +289,13 @@ tunable_policy(`ftp_home_dir',`
  	# allow access to /home
  	files_list_home(ftpd_t)
  	userdom_read_user_home_content_files(ftpd_t)
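Review bot: `auth_manage_var_auth(ftpd_t)` is added under the `#kerberized ftp requires the following` comment, so it reads as a Kerberos requirement, yet it grants manage (create/delete) where the neighbouring lines grant write or rw. If ftpd only needs to read or update existing files there, a narrower auth_* interface would be preferable; if it really creates files, a comment naming them, e.g. `# ftpd creates <auth-module state> under var_auth_t — TODO name it`, keeps the rule reviewable.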
@@ -21417,7 +21649,7 @@ index 8a74a83..b2ca277 100644
  ')
  
  tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
-@@ -316,6 +337,23 @@ optional_policy(`
+@@ -316,6 +338,23 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21441,7 +21673,7 @@ index 8a74a83..b2ca277 100644
  	inetd_tcp_service_domain(ftpd_t, ftpd_exec_t)
  
  	optional_policy(`
-@@ -347,10 +385,11 @@ optional_policy(`
+@@ -347,10 +386,11 @@ optional_policy(`
  
  # Allow ftpdctl to talk to ftpd over a socket connection
  stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
@@ -21454,7 +21686,7 @@ index 8a74a83..b2ca277 100644
  files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file)
  
  # Allow ftpdctl to read config files
-@@ -368,15 +407,28 @@ files_read_etc_files(sftpd_t)
+@@ -368,15 +408,28 @@ files_read_etc_files(sftpd_t)
  # allow read access to /home by default
  userdom_read_user_home_content_files(sftpd_t)
  userdom_read_user_home_content_symlinks(sftpd_t)
@@ -22323,9 +22555,18 @@ index 7d97298..d6b2959 100644
 +	allow $1 gpmctl_t:sock_file setattr_sock_file_perms;
  ')
 diff --git a/policy/modules/services/gpm.te b/policy/modules/services/gpm.te
-index a627b34..c899c61 100644
+index a627b34..4b27e25 100644
 --- a/policy/modules/services/gpm.te
 +++ b/policy/modules/services/gpm.te
+@@ -10,7 +10,7 @@ type gpm_exec_t;
+ init_daemon_domain(gpm_t, gpm_exec_t)
+ 
+ type gpm_conf_t;
+-files_type(gpm_conf_t)
++files_config_file(gpm_conf_t)
+ 
+ type gpm_tmp_t;
+ files_tmp_file(gpm_tmp_t)
 @@ -69,6 +69,7 @@ miscfiles_read_localization(gpm_t)
  
  userdom_dontaudit_use_unpriv_user_fds(gpm_t)
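Review bot: The files_type to files_config_file switch for gpm_conf_t is repeated further down for ifplugd_etc_t, krb5_conf_t, krb5kdc_conf_t, lircd_etc_t, printconf_t, ypserv_conf_t, nslcd_conf_t, pegasus_conf_t, pingd_etc_t, piranha_web_conf_t, piranha_etc_rw_t, portreserve_etc_t, psad_etc_t, pyzor_etc_t, squid_conf_t, ulogd_etc_t, varnishd_etc_t, zebra_conf_t and svc_conf_t. Assuming files_config_file attaches these types to the configfile attribute in addition to files_type, every interface keyed on that attribute now reaches them, which widens access beyond the per-type rules each module had; that is presumably the intent, but it deserves a look for krb5kdc_conf_t (KDC configuration) and for piranha_etc_rw_t, a daemon-writable type being put in the same class as read-only config. The commit message does not mention this conversion, so a sentence on it would help later readers.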
@@ -22359,10 +22600,16 @@ index 03742d8..2a87d1e 100644
  ')
  
 diff --git a/policy/modules/services/hal.fc b/policy/modules/services/hal.fc
-index c98b0df..9db14d6 100644
+index c98b0df..3b1a051 100644
 --- a/policy/modules/services/hal.fc
 +++ b/policy/modules/services/hal.fc
-@@ -24,7 +24,6 @@
+@@ -18,13 +18,9 @@
+ 
+ /var/lib/hal(/.*)?				gen_context(system_u:object_r:hald_var_lib_t,s0)
+ 
+-/var/log/pm(/.*)?				gen_context(system_u:object_r:hald_log_t,s0)
+-/var/log/pm-.*\.log				gen_context(system_u:object_r:hald_log_t,s0)
+-
  /var/run/hald(/.*)?				gen_context(system_u:object_r:hald_var_run_t,s0)
  /var/run/haldaemon\.pid	--	 		gen_context(system_u:object_r:hald_var_run_t,s0)
  /var/run/pm(/.*)?				gen_context(system_u:object_r:hald_var_run_t,s0)
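Review bot: Dropping the two hald_log_t contexts for `/var/log/pm(/.*)?` and `/var/log/pm-.*\.log` leaves no replacement in this chunk; the commit message attributes the log files to devicekit, but devicekit.fc is outside this chunk, so confirm both patterns moved there. On upgraded systems files already labelled hald_log_t keep that label until a relabel, so hald_t rules that still reference hald_log_t (the hal.te hunks visible here do not touch them) should stay until the transition is complete.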
@@ -22471,7 +22718,7 @@ index 7cf6763..ce32fe5 100644
 +	dontaudit $1 hald_var_run_t:file read_inherited_file_perms;
 +')
 diff --git a/policy/modules/services/hal.te b/policy/modules/services/hal.te
-index 24c6253..ae0b05b 100644
+index 24c6253..f11fa08 100644
 --- a/policy/modules/services/hal.te
 +++ b/policy/modules/services/hal.te
 @@ -54,6 +54,9 @@ files_pid_file(hald_var_run_t)
@@ -22532,7 +22779,17 @@ index 24c6253..ae0b05b 100644
  
  	init_dbus_chat_script(hald_t)
  
-@@ -268,6 +277,10 @@ optional_policy(`
+@@ -263,11 +272,20 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	# for pm-suspend.lock in /var/run/pm-utils/
++	devicekit_manage_pid_files(hald_t)
++')
++
++optional_policy(`
+ 	# For /usr/libexec/hald-probe-smbios
+ 	dmidecode_domtrans(hald_t)
  ')
  
  optional_policy(`
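Review bot: `devicekit_manage_pid_files(hald_t)` is justified by a single lock file, `# for pm-suspend.lock in /var/run/pm-utils/`, but manage grants create, delete and rename across the whole devicekit_var_run_t type. If a narrower devicekit interface covers creating and writing the lock (the fstools hunk in this same patch adds a dontaudit variant, so the family has several members), prefer it; otherwise extend the comment to say why manage is needed, e.g. `# manage: pm-utils creates and removes pm-suspend.lock`. The enclosing optional_policy block lies entirely within the hunk.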
@@ -22543,7 +22800,7 @@ index 24c6253..ae0b05b 100644
  	gpm_dontaudit_getattr_gpmctl(hald_t)
  ')
  
-@@ -302,7 +315,7 @@ optional_policy(`
+@@ -302,7 +320,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -22552,7 +22809,7 @@ index 24c6253..ae0b05b 100644
  	policykit_domtrans_auth(hald_t)
  	policykit_domtrans_resolve(hald_t)
  	policykit_read_lib(hald_t)
-@@ -318,6 +331,10 @@ optional_policy(`
+@@ -318,6 +336,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -22563,7 +22820,7 @@ index 24c6253..ae0b05b 100644
  	udev_domtrans(hald_t)
  	udev_read_db(hald_t)
  ')
-@@ -338,6 +355,10 @@ optional_policy(`
+@@ -338,6 +360,10 @@ optional_policy(`
  	virt_manage_images(hald_t)
  ')
  
@@ -22574,7 +22831,7 @@ index 24c6253..ae0b05b 100644
  ########################################
  #
  # Hal acl local policy
-@@ -358,6 +379,7 @@ files_search_var_lib(hald_acl_t)
+@@ -358,6 +384,7 @@ files_search_var_lib(hald_acl_t)
  manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
  manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
  files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file })
@@ -22582,7 +22839,7 @@ index 24c6253..ae0b05b 100644
  
  corecmd_exec_bin(hald_acl_t)
  
-@@ -388,7 +410,7 @@ logging_send_syslog_msg(hald_acl_t)
+@@ -388,7 +415,7 @@ logging_send_syslog_msg(hald_acl_t)
  miscfiles_read_localization(hald_acl_t)
  
  optional_policy(`
@@ -22591,7 +22848,7 @@ index 24c6253..ae0b05b 100644
  	policykit_domtrans_auth(hald_acl_t)
  	policykit_read_lib(hald_acl_t)
  	policykit_read_reload(hald_acl_t)
-@@ -470,6 +492,10 @@ files_read_usr_files(hald_keymap_t)
+@@ -470,6 +497,10 @@ files_read_usr_files(hald_keymap_t)
  
  miscfiles_read_localization(hald_keymap_t)
  
@@ -22739,6 +22996,19 @@ index dfb4232..7665429 100644
  	')
  
  	allow $1 ifplugd_t:process { ptrace signal_perms };
+diff --git a/policy/modules/services/ifplugd.te b/policy/modules/services/ifplugd.te
+index 978c32f..3b96342 100644
+--- a/policy/modules/services/ifplugd.te
++++ b/policy/modules/services/ifplugd.te
+@@ -11,7 +11,7 @@ init_daemon_domain(ifplugd_t, ifplugd_exec_t)
+ 
+ # config files
+ type ifplugd_etc_t;
+-files_type(ifplugd_etc_t)
++files_config_file(ifplugd_etc_t)
+ 
+ type ifplugd_initrc_exec_t;
+ init_script_file(ifplugd_initrc_exec_t)
 diff --git a/policy/modules/services/inetd.if b/policy/modules/services/inetd.if
 index df48e5e..6985546 100644
 --- a/policy/modules/services/inetd.if
@@ -23252,7 +23522,7 @@ index 604f67b..31a6075 100644
 +	files_tmp_filetrans($1, krb5_host_rcache_t, file)
 +')
 diff --git a/policy/modules/services/kerberos.te b/policy/modules/services/kerberos.te
-index 8edc29b..c233701 100644
+index 8edc29b..245d4ec 100644
 --- a/policy/modules/services/kerberos.te
 +++ b/policy/modules/services/kerberos.te
 @@ -6,9 +6,9 @@ policy_module(kerberos, 1.11.0)
@@ -23268,7 +23538,13 @@ index 8edc29b..c233701 100644
  ## </desc>
  gen_tunable(allow_kerberos, false)
  
-@@ -40,7 +40,7 @@ files_type(krb5_conf_t)
+@@ -35,12 +35,12 @@ init_daemon_domain(kpropd_t, kpropd_exec_t)
+ domain_obj_id_change_exemption(kpropd_t)
+ 
+ type krb5_conf_t;
+-files_type(krb5_conf_t)
++files_config_file(krb5_conf_t)
+ 
  type krb5_home_t;
  userdom_user_home_content(krb5_home_t)
  
@@ -23277,8 +23553,12 @@ index 8edc29b..c233701 100644
  files_tmp_file(krb5_host_rcache_t)
  
  # types for general configuration files in /etc
-@@ -52,7 +52,7 @@ type krb5kdc_conf_t;
- files_type(krb5kdc_conf_t)
+@@ -49,10 +49,10 @@ files_security_file(krb5_keytab_t)
+ 
+ # types for KDC configs and principal file(s)
+ type krb5kdc_conf_t;
+-files_type(krb5kdc_conf_t)
++files_config_file(krb5kdc_conf_t)
  
  type krb5kdc_lock_t;
 -files_type(krb5kdc_lock_t)
@@ -23705,9 +23985,18 @@ index 49e04e5..69db026 100644
  /usr/sbin/lircd		--	gen_context(system_u:object_r:lircd_exec_t,s0)
  
 diff --git a/policy/modules/services/lircd.te b/policy/modules/services/lircd.te
-index 6a78de1..b229ba0 100644
+index 6a78de1..ae8af5b 100644
 --- a/policy/modules/services/lircd.te
 +++ b/policy/modules/services/lircd.te
+@@ -13,7 +13,7 @@ type lircd_initrc_exec_t;
+ init_script_file(lircd_initrc_exec_t)
+ 
+ type lircd_etc_t;
+-files_type(lircd_etc_t)
++files_config_file(lircd_etc_t)
+ 
+ type lircd_var_run_t alias lircd_sock_t;
+ files_pid_file(lircd_var_run_t)
 @@ -44,13 +44,13 @@ corenet_tcp_bind_lirc_port(lircd_t)
  corenet_tcp_sendrecv_all_ports(lircd_t)
  corenet_tcp_connect_lirc_port(lircd_t)
@@ -23764,7 +24053,7 @@ index a4f32f5..ea7dca0 100644
  		type lpr_t, lpr_exec_t;
  	')
 diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te
-index 93c14ca..80671d9 100644
+index 93c14ca..96a105a 100644
 --- a/policy/modules/services/lpd.te
 +++ b/policy/modules/services/lpd.te
 @@ -6,9 +6,9 @@ policy_module(lpd, 1.12.0)
@@ -23780,6 +24069,15 @@ index 93c14ca..80671d9 100644
  ## </desc>
  gen_tunable(use_lpd_server, false)
  
+@@ -54,7 +54,7 @@ type printer_t;
+ files_type(printer_t)
+ 
+ type printconf_t;
+-files_type(printconf_t)
++files_config_file(printconf_t)
+ 
+ ########################################
+ #
 @@ -80,7 +80,7 @@ rw_files_pattern(checkpc_t, print_spool_t, print_spool_t)
  delete_files_pattern(checkpc_t, print_spool_t, print_spool_t)
  files_search_spool(checkpc_t)
@@ -26432,9 +26730,18 @@ index abe3f7f..995a6cb 100644
  
  	allow $1 ypbind_t:process { ptrace signal_perms };
 diff --git a/policy/modules/services/nis.te b/policy/modules/services/nis.te
-index 4876cae..5f2ba87 100644
+index 4876cae..5b60041 100644
 --- a/policy/modules/services/nis.te
 +++ b/policy/modules/services/nis.te
+@@ -37,7 +37,7 @@ type ypserv_exec_t;
+ init_daemon_domain(ypserv_t, ypserv_exec_t)
+ 
+ type ypserv_conf_t;
+-files_type(ypserv_conf_t)
++files_config_file(ypserv_conf_t)
+ 
+ type ypserv_tmp_t;
+ files_tmp_file(ypserv_tmp_t)
 @@ -55,10 +55,11 @@ files_pid_file(ypxfr_var_run_t)
  ########################################
  #
@@ -26656,6 +26963,19 @@ index 23c769c..be5a5b4 100644
 +	files_list_pids($1)
 +	admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
  ')
+diff --git a/policy/modules/services/nslcd.te b/policy/modules/services/nslcd.te
+index 34eee5f..a9f19d8 100644
+--- a/policy/modules/services/nslcd.te
++++ b/policy/modules/services/nslcd.te
+@@ -16,7 +16,7 @@ type nslcd_var_run_t;
+ files_pid_file(nslcd_var_run_t)
+ 
+ type nslcd_conf_t;
+-files_type(nslcd_conf_t)
++files_config_file(nslcd_conf_t)
+ 
+ ########################################
+ #
 diff --git a/policy/modules/services/ntop.te b/policy/modules/services/ntop.te
 index ded9fb6..9d1e60a 100644
 --- a/policy/modules/services/ntop.te
@@ -27369,9 +27689,18 @@ index 3116191..df751a6 100644
  
  # pid files
 diff --git a/policy/modules/services/pegasus.te b/policy/modules/services/pegasus.te
-index 3185114..5322412 100644
+index 3185114..790742c 100644
 --- a/policy/modules/services/pegasus.te
 +++ b/policy/modules/services/pegasus.te
+@@ -16,7 +16,7 @@ type pegasus_tmp_t;
+ files_tmp_file(pegasus_tmp_t)
+ 
+ type pegasus_conf_t;
+-files_type(pegasus_conf_t)
++files_config_file(pegasus_conf_t)
+ 
+ type pegasus_mof_t;
+ files_type(pegasus_mof_t)
 @@ -29,7 +29,7 @@ files_pid_file(pegasus_var_run_t)
  # Local policy
  #
@@ -27500,9 +27829,18 @@ index 8688aae..1bfd8d2 100644
  
  	allow $1 pingd_t:process { ptrace signal_perms };
 diff --git a/policy/modules/services/pingd.te b/policy/modules/services/pingd.te
-index e9cf8a4..4a9d196 100644
+index e9cf8a4..9a7e5dc 100644
 --- a/policy/modules/services/pingd.te
 +++ b/policy/modules/services/pingd.te
+@@ -11,7 +11,7 @@ init_daemon_domain(pingd_t, pingd_exec_t)
+ 
+ # type for config
+ type pingd_etc_t;
+-files_type(pingd_etc_t)
++files_config_file(pingd_etc_t)
+ 
+ type pingd_initrc_exec_t;
+ init_script_file(pingd_initrc_exec_t)
 @@ -27,7 +27,7 @@ files_type(pingd_modules_t)
  
  allow pingd_t self:capability net_raw;
@@ -27725,7 +28063,7 @@ index 0000000..6403c17
 +')
 diff --git a/policy/modules/services/piranha.te b/policy/modules/services/piranha.te
 new file mode 100644
-index 0000000..6716b5e
+index 0000000..5793840
 --- /dev/null
 +++ b/policy/modules/services/piranha.te
 @@ -0,0 +1,219 @@
@@ -27760,7 +28098,7 @@ index 0000000..6716b5e
 +files_tmpfs_file(piranha_web_tmpfs_t)
 +
 +type piranha_web_conf_t;
-+files_type(piranha_web_conf_t)
++files_config_file(piranha_web_conf_t)
 +
 +type piranha_web_data_t;
 +files_type(piranha_web_data_t)
@@ -27769,7 +28107,7 @@ index 0000000..6716b5e
 +files_tmp_file(piranha_web_tmp_t)
 +
 +type piranha_etc_rw_t;
-+files_type(piranha_etc_rw_t)
++files_config_file(piranha_etc_rw_t)
 +
 +type piranha_log_t;
 +logging_log_file(piranha_log_t)
@@ -28532,6 +28870,19 @@ index 4313a6f..1d9fa76 100644
  
  /sbin/portreserve		--	gen_context(system_u:object_r:portreserve_exec_t,s0)
  
+diff --git a/policy/modules/services/portreserve.te b/policy/modules/services/portreserve.te
+index 0b1f471..075a550 100644
+--- a/policy/modules/services/portreserve.te
++++ b/policy/modules/services/portreserve.te
+@@ -13,7 +13,7 @@ type portreserve_initrc_exec_t;
+ init_script_file(portreserve_initrc_exec_t)
+ 
+ type portreserve_etc_t;
+-files_type(portreserve_etc_t)
++files_config_file(portreserve_etc_t)
+ 
+ type portreserve_var_run_t;
+ files_pid_file(portreserve_var_run_t)
 diff --git a/policy/modules/services/postfix.fc b/policy/modules/services/postfix.fc
 index 55e62d2..c114a40 100644
 --- a/policy/modules/services/postfix.fc
@@ -28835,7 +29186,7 @@ index 46bee12..b87375e 100644
 +	role $2 types postfix_postdrop_t;
 +')
 diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
-index 06e37d4..cffba21 100644
+index 06e37d4..e76a63c 100644
 --- a/policy/modules/services/postfix.te
 +++ b/policy/modules/services/postfix.te
 @@ -5,6 +5,14 @@ policy_module(postfix, 1.12.0)
@@ -29074,7 +29425,7 @@ index 06e37d4..cffba21 100644
  
  # to write the mailq output, it really should not need read access!
  term_use_all_ptys(postfix_showq_t)
-@@ -588,6 +627,11 @@ corecmd_exec_bin(postfix_smtpd_t)
+@@ -588,10 +627,16 @@ corecmd_exec_bin(postfix_smtpd_t)
  
  # for OpenSSL certificates
  files_read_usr_files(postfix_smtpd_t)
@@ -29086,7 +29437,12 @@ index 06e37d4..cffba21 100644
  mta_read_aliases(postfix_smtpd_t)
  
  optional_policy(`
-@@ -611,8 +655,8 @@ optional_policy(`
+ 	dovecot_stream_connect_auth(postfix_smtpd_t)
++	dovecot_stream_connect(postfix_smtpd_t)
+ ')
+ 
+ optional_policy(`
+@@ -611,8 +656,8 @@ optional_policy(`
  # Postfix virtual local policy
  #
  
@@ -29096,7 +29452,7 @@ index 06e37d4..cffba21 100644
  
  allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
  
-@@ -630,3 +674,8 @@ mta_delete_spool(postfix_virtual_t)
+@@ -630,3 +675,8 @@ mta_delete_spool(postfix_virtual_t)
  # For reading spamassasin
  mta_read_config(postfix_virtual_t)
  mta_manage_spool(postfix_virtual_t)
@@ -29871,9 +30227,18 @@ index bc329d1..f040c20 100644
  	admin_pattern($1, psad_tmp_t)
  ')
 diff --git a/policy/modules/services/psad.te b/policy/modules/services/psad.te
-index d4000e0..c23cd14 100644
+index d4000e0..93cbfa2 100644
 --- a/policy/modules/services/psad.te
 +++ b/policy/modules/services/psad.te
+@@ -11,7 +11,7 @@ init_daemon_domain(psad_t, psad_exec_t)
+ 
+ # config files
+ type psad_etc_t;
+-files_type(psad_etc_t)
++files_config_file(psad_etc_t)
+ 
+ type psad_initrc_exec_t;
+ init_script_file(psad_initrc_exec_t)
 @@ -53,9 +53,10 @@ manage_dirs_pattern(psad_t, psad_var_log_t, psad_var_log_t)
  logging_log_filetrans(psad_t, psad_var_log_t, { file dir })
  
@@ -30082,7 +30447,7 @@ index 494f7e2..aa3d0b4 100644
 +	admin_pattern($1, pyzor_var_lib_t)
 +')
 diff --git a/policy/modules/services/pyzor.te b/policy/modules/services/pyzor.te
-index cd683f9..d455637 100644
+index cd683f9..a272112 100644
 --- a/policy/modules/services/pyzor.te
 +++ b/policy/modules/services/pyzor.te
 @@ -5,40 +5,62 @@ policy_module(pyzor, 2.1.0)
@@ -30153,7 +30518,7 @@ index cd683f9..d455637 100644
 +	role system_r types pyzor_t;
 +
 +	type pyzor_etc_t;
-+	files_type(pyzor_etc_t)
++	files_config_file(pyzor_etc_t)
 +
 +	type pyzor_home_t;
 +	typealias pyzor_home_t alias { user_pyzor_home_t staff_pyzor_home_t sysadm_pyzor_home_t };
@@ -33627,7 +33992,7 @@ index 275f9fb..6defb76 100644
  
  	init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
 diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te
-index 3d8d1b3..0927db4 100644
+index 3d8d1b3..19148ba 100644
 --- a/policy/modules/services/snmp.te
 +++ b/policy/modules/services/snmp.te
 @@ -4,6 +4,7 @@ policy_module(snmp, 1.11.0)
@@ -33638,7 +34003,7 @@ index 3d8d1b3..0927db4 100644
  type snmpd_t;
  type snmpd_exec_t;
  init_daemon_domain(snmpd_t, snmpd_exec_t)
-@@ -24,7 +25,8 @@ files_type(snmpd_var_lib_t)
+@@ -24,12 +25,13 @@ files_type(snmpd_var_lib_t)
  #
  # Local policy
  #
@@ -33648,6 +34013,12 @@ index 3d8d1b3..0927db4 100644
  dontaudit snmpd_t self:capability { sys_module sys_tty_config };
  allow snmpd_t self:process { signal_perms getsched setsched };
  allow snmpd_t self:fifo_file rw_fifo_file_perms;
+ allow snmpd_t self:unix_dgram_socket create_socket_perms;
+-allow snmpd_t self:unix_stream_socket create_stream_socket_perms;
++allow snmpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+ allow snmpd_t self:tcp_socket create_stream_socket_perms;
+ allow snmpd_t self:udp_socket connected_stream_socket_perms;
+ 
 @@ -43,8 +45,9 @@ files_usr_filetrans(snmpd_t, snmpd_var_lib_t, file)
  files_var_filetrans(snmpd_t, snmpd_var_lib_t, { file dir sock_file })
  files_var_lib_filetrans(snmpd_t, snmpd_var_lib_t, file)
@@ -34375,7 +34746,7 @@ index d2496bd..1d0c078 100644
  
  	allow $1 squid_t:process { ptrace signal_perms };
 diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te
-index 4b2230e..744b172 100644
+index 4b2230e..cb4411d 100644
 --- a/policy/modules/services/squid.te
 +++ b/policy/modules/services/squid.te
 @@ -6,17 +6,17 @@ policy_module(squid, 1.10.0)
@@ -34403,6 +34774,15 @@ index 4b2230e..744b172 100644
  ## </desc>
  gen_tunable(squid_use_tproxy, false)
  
+@@ -29,7 +29,7 @@ type squid_cache_t;
+ files_type(squid_cache_t)
+ 
+ type squid_conf_t;
+-files_type(squid_conf_t)
++files_config_file(squid_conf_t)
+ 
+ type squid_initrc_exec_t;
+ init_script_file(squid_initrc_exec_t)
 diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
 index 078bcd7..06da5f7 100644
 --- a/policy/modules/services/ssh.fc
@@ -34715,7 +35095,7 @@ index 22adaca..784c363 100644
 +	allow $1 sshd_t:process signull;
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 2dad3c8..57a8f21 100644
+index 2dad3c8..4877b5a 100644
 --- a/policy/modules/services/ssh.te
 +++ b/policy/modules/services/ssh.te
 @@ -6,26 +6,32 @@ policy_module(ssh, 2.2.0)
@@ -34860,7 +35240,7 @@ index 2dad3c8..57a8f21 100644
  ')
  
  tunable_policy(`use_nfs_home_dirs',`
-@@ -200,6 +203,56 @@ optional_policy(`
+@@ -200,6 +203,57 @@ optional_policy(`
  	xserver_domtrans_xauth(ssh_t)
  ')
  
@@ -34881,6 +35261,7 @@ index 2dad3c8..57a8f21 100644
 +
 +manage_dirs_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t)
 +manage_files_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t)
++userdom_admin_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir)
 +
 +kernel_read_kernel_sysctls(ssh_keygen_t)
 +
@@ -34917,7 +35298,7 @@ index 2dad3c8..57a8f21 100644
  ##############################
  #
  # ssh_keysign_t local policy
-@@ -209,7 +262,7 @@ tunable_policy(`allow_ssh_keysign',`
+@@ -209,7 +263,7 @@ tunable_policy(`allow_ssh_keysign',`
  	allow ssh_keysign_t self:capability { setgid setuid };
  	allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
  
@@ -34926,7 +35307,7 @@ index 2dad3c8..57a8f21 100644
  
  	dev_read_urand(ssh_keysign_t)
  
-@@ -232,33 +285,39 @@ optional_policy(`
+@@ -232,33 +286,39 @@ optional_policy(`
  # so a tunnel can point to another ssh tunnel
  allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
  allow sshd_t self:key { search link write };
@@ -34975,7 +35356,7 @@ index 2dad3c8..57a8f21 100644
  ')
  
  optional_policy(`
-@@ -266,11 +325,24 @@ optional_policy(`
+@@ -266,11 +326,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -35001,7 +35382,7 @@ index 2dad3c8..57a8f21 100644
  ')
  
  optional_policy(`
-@@ -284,6 +356,11 @@ optional_policy(`
+@@ -284,6 +357,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -35013,7 +35394,7 @@ index 2dad3c8..57a8f21 100644
  	unconfined_shell_domtrans(sshd_t)
  ')
  
-@@ -292,26 +369,26 @@ optional_policy(`
+@@ -292,26 +370,26 @@ optional_policy(`
  ')
  
  ifdef(`TODO',`
@@ -35059,7 +35440,7 @@ index 2dad3c8..57a8f21 100644
  ') dnl endif TODO
  
  ########################################
-@@ -324,7 +401,6 @@ tunable_policy(`ssh_sysadm_login',`
+@@ -324,7 +402,6 @@ tunable_policy(`ssh_sysadm_login',`
  
  dontaudit ssh_keygen_t self:capability sys_tty_config;
  allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
@@ -35067,7 +35448,7 @@ index 2dad3c8..57a8f21 100644
  allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
  
  allow ssh_keygen_t sshd_key_t:file manage_file_perms;
-@@ -353,10 +429,6 @@ logging_send_syslog_msg(ssh_keygen_t)
+@@ -353,10 +430,6 @@ logging_send_syslog_msg(ssh_keygen_t)
  userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
  
  optional_policy(`
@@ -35746,9 +36127,18 @@ index 831b4a3..a206464 100644
  
  /var/log/ulogd(/.*)?			gen_context(system_u:object_r:ulogd_var_log_t,s0)
 diff --git a/policy/modules/services/ulogd.te b/policy/modules/services/ulogd.te
-index 00aa99e..eab7ef5 100644
+index 00aa99e..5f1ad7d 100644
 --- a/policy/modules/services/ulogd.te
 +++ b/policy/modules/services/ulogd.te
+@@ -11,7 +11,7 @@ init_daemon_domain(ulogd_t, ulogd_exec_t)
+ 
+ # config files
+ type ulogd_etc_t;
+-files_type(ulogd_etc_t)
++files_config_file(ulogd_etc_t)
+ 
+ type ulogd_initrc_exec_t;
+ init_script_file(ulogd_initrc_exec_t)
 @@ -29,8 +29,13 @@ logging_log_file(ulogd_var_log_t)
  # ulogd local policy
  #
@@ -35791,7 +36181,7 @@ index 9001230..7ff3ef8 100644
  uucp_manage_spool(uux_t)
  
 diff --git a/policy/modules/services/varnishd.te b/policy/modules/services/varnishd.te
-index e385c83..6524574 100644
+index e385c83..10710fd 100644
 --- a/policy/modules/services/varnishd.te
 +++ b/policy/modules/services/varnishd.te
 @@ -6,10 +6,10 @@ policy_module(varnishd, 1.1.1)
@@ -35809,6 +36199,15 @@ index e385c83..6524574 100644
  ## </desc>
  gen_tunable(varnishd_connect_any, false)
  
+@@ -21,7 +21,7 @@ type varnishd_initrc_exec_t;
+ init_script_file(varnishd_initrc_exec_t)
+ 
+ type varnishd_etc_t;
+-files_type(varnishd_etc_t)
++files_config_file(varnishd_etc_t)
+ 
+ type varnishd_tmp_t;
+ files_tmp_file(varnishd_tmp_t)
 diff --git a/policy/modules/services/vdagent.fc b/policy/modules/services/vdagent.fc
 new file mode 100644
 index 0000000..71d9784
@@ -39741,7 +40140,7 @@ index 6b87605..347f754 100644
  
  	allow $1 zebra_t:process { ptrace signal_perms };
 diff --git a/policy/modules/services/zebra.te b/policy/modules/services/zebra.te
-index c349adc..f0b1201 100644
+index c349adc..a4855b1 100644
 --- a/policy/modules/services/zebra.te
 +++ b/policy/modules/services/zebra.te
 @@ -6,11 +6,10 @@ policy_module(zebra, 1.11.1)
@@ -39759,6 +40158,15 @@ index c349adc..f0b1201 100644
  gen_tunable(allow_zebra_write_config, false)
  
  type zebra_t;
+@@ -18,7 +17,7 @@ type zebra_exec_t;
+ init_daemon_domain(zebra_t, zebra_exec_t)
+ 
+ type zebra_conf_t;
+-files_type(zebra_conf_t)
++files_config_file(zebra_conf_t)
+ 
+ type zebra_initrc_exec_t;
+ init_script_file(zebra_initrc_exec_t)
 @@ -52,7 +51,7 @@ allow zebra_t zebra_conf_t:dir list_dir_perms;
  read_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
  read_lnk_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
@@ -40396,9 +40804,18 @@ index 89cc088..81e5ed4 100644
 +    allow $1 svc_run_t:process sigchld;
 +')
 diff --git a/policy/modules/system/daemontools.te b/policy/modules/system/daemontools.te
-index 183fcf1..699451c 100644
+index 183fcf1..d923d03 100644
 --- a/policy/modules/system/daemontools.te
 +++ b/policy/modules/system/daemontools.te
+@@ -6,7 +6,7 @@ policy_module(daemontools, 1.2.0)
+ #
+ 
+ type svc_conf_t;
+-files_type(svc_conf_t)
++files_config_file(svc_conf_t)
+ 
+ type svc_log_t;
+ files_type(svc_log_t)
 @@ -38,7 +38,10 @@ files_type(svc_svc_t)
  # multilog creates /service/*/log/status
  manage_files_pattern(svc_multilog_t, svc_svc_t, svc_svc_t)
@@ -40489,7 +40906,7 @@ index a97a096..dd65c15 100644
  /sbin/partprobe		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/partx		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
-index a442acc..69c1509 100644
+index a442acc..aef0c84 100644
 --- a/policy/modules/system/fstools.te
 +++ b/policy/modules/system/fstools.te
 @@ -55,6 +55,7 @@ allow fsadm_t swapfile_t:file { rw_file_perms swapon };
@@ -40536,10 +40953,14 @@ index a442acc..69c1509 100644
  
  ifdef(`distro_redhat',`
  	optional_policy(`
-@@ -166,6 +171,14 @@ optional_policy(`
+@@ -166,6 +171,18 @@ optional_policy(`
  ')
  
  optional_policy(`
++	devicekit_dontaudit_read_pid_files(fsadm_t)
++')
++
++optional_policy(`
 +	hal_dontaudit_write_log(fsadm_t)
 +')
 +
@@ -40551,7 +40972,7 @@ index a442acc..69c1509 100644
  	nis_use_ypbind(fsadm_t)
  ')
  
-@@ -175,6 +188,10 @@ optional_policy(`
+@@ -175,6 +192,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -40634,7 +41055,7 @@ index 9775375..41a244a 100644
  #
  # /var
 diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index df3fa64..36da732 100644
+index df3fa64..cbc34e2 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
 @@ -105,7 +105,11 @@ interface(`init_domain',`
@@ -40683,8 +41104,11 @@ index df3fa64..36da732 100644
  
  	# daemons started from init will
  	# inherit fds from init for the console
-@@ -285,7 +306,7 @@ interface(`init_ranged_daemon_domain',`
+@@ -283,17 +304,20 @@ interface(`init_daemon_domain',`
+ interface(`init_ranged_daemon_domain',`
+ 	gen_require(`
  		type initrc_t;
++		type init_t;
  	')
  
 -	init_daemon_domain($1,$2)
@@ -40692,7 +41116,17 @@ index df3fa64..36da732 100644
  
  	ifdef(`enable_mcs',`
  		range_transition initrc_t $2:process $3;
-@@ -336,8 +357,10 @@ interface(`init_ranged_daemon_domain',`
++		range_transition init_t $2:process $3;
+ 	')
+ 
+ 	ifdef(`enable_mls',`
+ 		range_transition initrc_t $2:process $3;
+ 		mls_rangetrans_target($1)
++		range_transition init_t $2:process $3;
+ 	')
+ ')
+ 
+@@ -336,8 +360,10 @@ interface(`init_ranged_daemon_domain',`
  #
  interface(`init_system_domain',`
  	gen_require(`
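Review bot: In init_ranged_daemon_domain the new `range_transition init_t $2:process $3;` sits directly after the initrc_t line in the enable_mcs branch but after `mls_rangetrans_target($1)` in the enable_mls branch, whereas init_ranged_system_domain further down (hunk `@@ -401,16 +472,19 @@`) orders it the first way in both; keeping the two range_transition lines adjacent in all four branches reads more consistently. If the summary block of either interface (outside these hunks) still describes the range transition as coming only from initrc_t, a sentence such as `## Daemons started directly by init also receive the range.` would document what the commit message calls "run ranged when started by init". The interface body begins in the preceding hunk at `interface(`init_ranged_daemon_domain',``.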
@@ -40703,7 +41137,7 @@ index df3fa64..36da732 100644
  	')
  
  	application_domain($1,$2)
-@@ -345,6 +368,20 @@ interface(`init_system_domain',`
+@@ -345,6 +371,20 @@ interface(`init_system_domain',`
  	role system_r types $1;
  
  	domtrans_pattern(initrc_t,$2,$1)
@@ -40724,7 +41158,7 @@ index df3fa64..36da732 100644
  
  	ifdef(`hide_broken_symptoms',`
  		# RHEL4 systems seem to have a stray
-@@ -353,6 +390,37 @@ interface(`init_system_domain',`
+@@ -353,6 +393,37 @@ interface(`init_system_domain',`
  			kernel_dontaudit_use_fds($1)
  		')
  	')
@@ -40762,7 +41196,27 @@ index df3fa64..36da732 100644
  ')
  
  ########################################
-@@ -687,19 +755,24 @@ interface(`init_telinit',`
+@@ -401,16 +472,19 @@ interface(`init_system_domain',`
+ interface(`init_ranged_system_domain',`
+ 	gen_require(`
+ 		type initrc_t;
++		type init_t;
+ 	')
+ 
+ 	init_system_domain($1,$2)
+ 
+ 	ifdef(`enable_mcs',`
+ 		range_transition initrc_t $2:process $3;
++		range_transition init_t $2:process $3;
+ 	')
+ 
+ 	ifdef(`enable_mls',`
+ 		range_transition initrc_t $2:process $3;
++		range_transition init_t $2:process $3;
+ 	')
+ ')
+ 
+@@ -687,19 +761,24 @@ interface(`init_telinit',`
  		type initctl_t;
  	')
  
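Review bot: The `range_transition init_t $2:process $3;` added in the enable_mls branch of init_ranged_system_domain lands in a block that carries no `mls_rangetrans_target($1)`, whereas the corresponding branch of init_ranged_daemon_domain in the hunk above does. If my recollection of the MLS process-transition constraint is right, a level-changing transition is only permitted when the target domain is marked as a rangetrans target, so on an MLS policy the new rule would still be refused for ranged system domains started by init_t. Adding `mls_rangetrans_target($1)` next to the new line would make the two interfaces behave the same; if the omission for system domains is deliberate, a short comment saying so would stop the next reader from "fixing" it.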
@@ -40788,7 +41242,7 @@ index df3fa64..36da732 100644
  	')
  ')
  
-@@ -772,18 +845,19 @@ interface(`init_script_file_entry_type',`
+@@ -772,18 +851,19 @@ interface(`init_script_file_entry_type',`
  #
  interface(`init_spec_domtrans_script',`
  	gen_require(`
@@ -40812,7 +41266,7 @@ index df3fa64..36da732 100644
  	')
  ')
  
-@@ -799,23 +873,45 @@ interface(`init_spec_domtrans_script',`
+@@ -799,23 +879,45 @@ interface(`init_spec_domtrans_script',`
  #
  interface(`init_domtrans_script',`
  	gen_require(`
@@ -40862,7 +41316,7 @@ index df3fa64..36da732 100644
  ##	Execute a init script in a specified domain.
  ## </summary>
  ## <desc>
-@@ -867,8 +963,12 @@ interface(`init_script_file_domtrans',`
+@@ -867,8 +969,12 @@ interface(`init_script_file_domtrans',`
  interface(`init_labeled_script_domtrans',`
  	gen_require(`
  		type initrc_t;
@@ -40875,7 +41329,7 @@ index df3fa64..36da732 100644
  	domtrans_pattern($1, $2, initrc_t)
  	files_search_etc($1)
  ')
-@@ -1129,12 +1229,7 @@ interface(`init_read_script_state',`
+@@ -1129,12 +1235,7 @@ interface(`init_read_script_state',`
  	')
  
  	kernel_search_proc($1)
@@ -40889,7 +41343,7 @@ index df3fa64..36da732 100644
  ')
  
  ########################################
-@@ -1374,6 +1469,27 @@ interface(`init_dbus_send_script',`
+@@ -1374,6 +1475,27 @@ interface(`init_dbus_send_script',`
  ########################################
  ## <summary>
  ##	Send and receive messages from
@@ -40917,7 +41371,7 @@ index df3fa64..36da732 100644
  ##	init scripts over dbus.
  ## </summary>
  ## <param name="domain">
-@@ -1460,6 +1576,25 @@ interface(`init_getattr_script_status_files',`
+@@ -1460,6 +1582,25 @@ interface(`init_getattr_script_status_files',`
  
  ########################################
  ## <summary>
@@ -40943,7 +41397,7 @@ index df3fa64..36da732 100644
  ##	Do not audit attempts to read init script
  ##	status files.
  ## </summary>
-@@ -1673,7 +1808,7 @@ interface(`init_dontaudit_rw_utmp',`
+@@ -1673,7 +1814,7 @@ interface(`init_dontaudit_rw_utmp',`
  		type initrc_var_run_t;
  	')
  
@@ -40952,7 +41406,7 @@ index df3fa64..36da732 100644
  ')
  
  ########################################
-@@ -1748,3 +1883,93 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1748,3 +1889,93 @@ interface(`init_udp_recvfrom_all_daemons',`
  	')
  	corenet_udp_recvfrom_labeled($1, daemon)
  ')
@@ -41047,7 +41501,7 @@ index df3fa64..36da732 100644
 +	allow $1 init_t:unix_dgram_socket sendto;
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 8a105fd..9a3255e 100644
+index 8a105fd..dccae9d 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -16,6 +16,27 @@ gen_require(`
@@ -41152,7 +41606,15 @@ index 8a105fd..9a3255e 100644
  files_rw_generic_pids(init_t)
  files_dontaudit_search_isid_type_dirs(init_t)
  files_manage_etc_runtime_files(init_t)
-@@ -162,12 +194,15 @@ init_domtrans_script(init_t)
+@@ -151,6 +183,7 @@ mls_file_read_all_levels(init_t)
+ mls_file_write_all_levels(init_t)
+ mls_process_write_down(init_t)
+ mls_fd_use_all_levels(init_t)
++mls_rangetrans_source(initrc_t)
+ 
+ selinux_set_all_booleans(init_t)
+ 
+@@ -162,12 +195,15 @@ init_domtrans_script(init_t)
  libs_rw_ld_so_cache(init_t)
  
  logging_send_syslog_msg(init_t)
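Review bot: The line added among the init_t MLS rules names initrc_t — `mls_rangetrans_source(initrc_t)` — while every neighbouring rule in that block is for init_t, and initrc_t already receives exactly that call later in this file (it appears as context in the initrc_t section of this commit), so the new line is a duplicate and init_t gains nothing. The init.if hunks in this commit add `range_transition init_t $2:process $3;` to both init_ranged_daemon_domain and init_ranged_system_domain, and as far as I recall the MLS process-transition constraint only allows a level change when the source domain holds the rangetrans-source privilege, so on an MLS policy those transitions from init_t would still be denied and "cron runs ranged when started by init" would only hold for MCS. The line should read `mls_rangetrans_source(init_t)`. The enclosing init_t rule block starts and ends outside this hunk.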
@@ -41168,7 +41630,7 @@ index 8a105fd..9a3255e 100644
  ifdef(`distro_gentoo',`
  	allow init_t self:process { getcap setcap };
  ')
-@@ -178,7 +213,7 @@ ifdef(`distro_redhat',`
+@@ -178,7 +214,7 @@ ifdef(`distro_redhat',`
  	fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)
  ')
  
@@ -41177,7 +41639,7 @@ index 8a105fd..9a3255e 100644
  	corecmd_shell_domtrans(init_t, initrc_t)
  ',`
  	# Run the shell in the sysadm role for single-user mode.
-@@ -186,12 +221,115 @@ tunable_policy(`init_upstart',`
+@@ -186,12 +222,116 @@ tunable_policy(`init_upstart',`
  	sysadm_shell_domtrans(init_t)
  ')
  
@@ -41249,6 +41711,7 @@ index 8a105fd..9a3255e 100644
 +	files_manage_all_pids(init_t)
 +	files_manage_all_locks(init_t)
 +	files_setattr_all_tmp_dirs(init_t)
++	logging_setattr_all_log_dirs(init_t)
 +
 +	files_purge_tmp(init_t)
 +	files_manage_generic_tmp_files(init_t)
@@ -41293,7 +41756,7 @@ index 8a105fd..9a3255e 100644
  ')
  
  optional_policy(`
-@@ -199,10 +337,24 @@ optional_policy(`
+@@ -199,10 +339,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -41318,7 +41781,7 @@ index 8a105fd..9a3255e 100644
  	unconfined_domain(init_t)
  ')
  
-@@ -212,7 +364,7 @@ optional_policy(`
+@@ -212,7 +366,7 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -41327,7 +41790,7 @@ index 8a105fd..9a3255e 100644
  dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
-@@ -241,12 +393,14 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -241,12 +395,14 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -41342,7 +41805,7 @@ index 8a105fd..9a3255e 100644
  
  init_write_initctl(initrc_t)
  
-@@ -258,11 +412,23 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -258,11 +414,23 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -41366,7 +41829,7 @@ index 8a105fd..9a3255e 100644
  
  corecmd_exec_all_executables(initrc_t)
  
-@@ -291,6 +457,7 @@ dev_read_sound_mixer(initrc_t)
+@@ -291,6 +459,7 @@ dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
  dev_setattr_all_chr_files(initrc_t)
  dev_rw_lvm_control(initrc_t)
@@ -41374,7 +41837,7 @@ index 8a105fd..9a3255e 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -298,13 +465,13 @@ dev_manage_generic_files(initrc_t)
+@@ -298,13 +467,13 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -41390,7 +41853,7 @@ index 8a105fd..9a3255e 100644
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
-@@ -323,8 +490,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -323,8 +492,10 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -41402,7 +41865,7 @@ index 8a105fd..9a3255e 100644
  files_delete_all_pids(initrc_t)
  files_delete_all_pid_dirs(initrc_t)
  files_read_etc_files(initrc_t)
-@@ -340,8 +509,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -340,8 +511,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -41416,7 +41879,7 @@ index 8a105fd..9a3255e 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -351,6 +524,8 @@ fs_mount_all_fs(initrc_t)
+@@ -351,6 +526,8 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -41425,7 +41888,7 @@ index 8a105fd..9a3255e 100644
  
  # initrc_t needs to do a pidof which requires ptrace
  mcs_ptrace_all(initrc_t)
-@@ -363,6 +538,7 @@ mls_process_read_up(initrc_t)
+@@ -363,6 +540,7 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -41433,7 +41896,7 @@ index 8a105fd..9a3255e 100644
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -374,6 +550,7 @@ term_use_all_terms(initrc_t)
+@@ -374,6 +552,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -41441,7 +41904,7 @@ index 8a105fd..9a3255e 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -394,13 +571,14 @@ logging_read_audit_config(initrc_t)
+@@ -394,13 +573,14 @@ logging_read_audit_config(initrc_t)
  
  miscfiles_read_localization(initrc_t)
  # slapd needs to read cert files from its initscript
@@ -41457,7 +41920,7 @@ index 8a105fd..9a3255e 100644
  userdom_read_user_home_content_files(initrc_t)
  # Allow access to the sysadm TTYs. Note that this will give access to the
  # TTYs to any process in the initrc_t domain. Therefore, daemons and such
-@@ -473,7 +651,7 @@ ifdef(`distro_redhat',`
+@@ -473,7 +653,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -41466,7 +41929,7 @@ index 8a105fd..9a3255e 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -519,6 +697,23 @@ ifdef(`distro_redhat',`
+@@ -519,6 +699,23 @@ ifdef(`distro_redhat',`
  	optional_policy(`
  		bind_manage_config_dirs(initrc_t)
  		bind_write_config(initrc_t)
@@ -41490,7 +41953,7 @@ index 8a105fd..9a3255e 100644
  	')
  
  	optional_policy(`
-@@ -526,10 +721,17 @@ ifdef(`distro_redhat',`
+@@ -526,10 +723,17 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -41508,7 +41971,7 @@ index 8a105fd..9a3255e 100644
  	')
  
  	optional_policy(`
-@@ -544,6 +746,35 @@ ifdef(`distro_suse',`
+@@ -544,6 +748,35 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -41544,7 +42007,7 @@ index 8a105fd..9a3255e 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -556,6 +787,8 @@ optional_policy(`
+@@ -556,6 +789,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -41553,7 +42016,7 @@ index 8a105fd..9a3255e 100644
  ')
  
  optional_policy(`
-@@ -572,6 +805,7 @@ optional_policy(`
+@@ -572,6 +807,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -41561,7 +42024,7 @@ index 8a105fd..9a3255e 100644
  ')
  
  optional_policy(`
-@@ -584,6 +818,11 @@ optional_policy(`
+@@ -584,6 +820,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -41573,7 +42036,7 @@ index 8a105fd..9a3255e 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -600,9 +839,13 @@ optional_policy(`
+@@ -600,9 +841,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -41587,7 +42050,7 @@ index 8a105fd..9a3255e 100644
  	')
  
  	optional_policy(`
-@@ -701,7 +944,13 @@ optional_policy(`
+@@ -701,7 +946,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -41601,7 +42064,7 @@ index 8a105fd..9a3255e 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -724,6 +973,10 @@ optional_policy(`
+@@ -724,6 +975,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -41612,7 +42075,7 @@ index 8a105fd..9a3255e 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -737,6 +990,10 @@ optional_policy(`
+@@ -737,6 +992,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -41623,7 +42086,7 @@ index 8a105fd..9a3255e 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -745,6 +1002,10 @@ optional_policy(`
+@@ -745,6 +1004,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -41634,7 +42097,7 @@ index 8a105fd..9a3255e 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -766,8 +1027,6 @@ optional_policy(`
+@@ -766,8 +1029,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -41643,7 +42106,7 @@ index 8a105fd..9a3255e 100644
  ')
  
  optional_policy(`
-@@ -776,14 +1035,21 @@ optional_policy(`
+@@ -776,14 +1037,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -41665,7 +42128,7 @@ index 8a105fd..9a3255e 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -805,11 +1071,19 @@ optional_policy(`
+@@ -805,11 +1073,19 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -41686,7 +42149,7 @@ index 8a105fd..9a3255e 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -819,6 +1093,25 @@ optional_policy(`
+@@ -819,6 +1095,25 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -41712,7 +42175,7 @@ index 8a105fd..9a3255e 100644
  ')
  
  optional_policy(`
-@@ -844,3 +1137,59 @@ optional_policy(`
+@@ -844,3 +1139,59 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -42805,7 +43268,7 @@ index 571599b..17dd196 100644
 +
 +/var/webmin(/.*)?		gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
-index c7cfb62..db7ad6b 100644
+index c7cfb62..f32290a 100644
 --- a/policy/modules/system/logging.if
 +++ b/policy/modules/system/logging.if
 @@ -545,6 +545,44 @@ interface(`logging_send_syslog_msg',`
@@ -42853,7 +43316,7 @@ index c7cfb62..db7ad6b 100644
  ##	Read the auditd configuration files.
  ## </summary>
  ## <param name="domain">
-@@ -715,7 +753,25 @@ interface(`logging_append_all_logs',`
+@@ -715,7 +753,44 @@ interface(`logging_append_all_logs',`
  	')
  
  	files_search_var($1)
@@ -42877,10 +43340,29 @@ index c7cfb62..db7ad6b 100644
 +	')
 +
 +	allow $1 logfile:file { getattr append };
++')
++
++########################################
++## <summary>
++##	Set attributes on all log dirs.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`logging_setattr_all_log_dirs',`
++	gen_require(`
++		attribute logfile;
++	')
++
++	allow $1 logfile:dir setattr;
  ')
  
  ########################################
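Review bot: The new logging_setattr_all_log_dirs interface grants `allow $1 logfile:dir setattr;` without the `files_search_var($1)` that its neighbours logging_append_all_logs and logging_manage_all_logs call first, so a caller that does not already have search access to /var could still be denied on the path walk before the setattr is reached. For init_t, the only caller this commit adds, that is unlikely to matter, but as an exported interface it should be self-sufficient: insert `files_search_var($1)` before the allow rule, matching the surrounding interfaces.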
-@@ -798,7 +854,7 @@ interface(`logging_manage_all_logs',`
+@@ -798,7 +873,7 @@ interface(`logging_manage_all_logs',`
  
  	files_search_var($1)
  	manage_files_pattern($1, logfile, logfile)
@@ -42889,7 +43371,7 @@ index c7cfb62..db7ad6b 100644
  ')
  
  ########################################
-@@ -996,6 +1052,8 @@ interface(`logging_admin_syslog',`
+@@ -996,6 +1071,8 @@ interface(`logging_admin_syslog',`
  	manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
  
  	logging_manage_all_logs($1)
@@ -42899,10 +43381,16 @@ index c7cfb62..db7ad6b 100644
  	init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index aa2b0a6..fc5aa2c 100644
+index aa2b0a6..304fbba 100644
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
-@@ -60,6 +60,7 @@ files_type(syslog_conf_t)
+@@ -55,11 +55,12 @@ type klogd_var_run_t;
+ files_pid_file(klogd_var_run_t)
+ 
+ type syslog_conf_t;
+-files_type(syslog_conf_t)
++files_config_file(syslog_conf_t)
+ 
  type syslogd_t;
  type syslogd_exec_t;
  init_daemon_domain(syslogd_t, syslogd_exec_t)
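Review bot: The switch from `files_type(syslog_conf_t)` to `files_config_file(syslog_conf_t)` is not covered by the commit message or the changelog entry, and the same conversion is made in this commit for lvm_etc_t (lvm.te), modules_conf_t (modutils.te) and net_conf_t (sysnetwork.te). If, as I recall, files_config_file also places the type under the configfile attribute, every domain that already holds an attribute-wide config interface gains access to these files, which is a policy-wide effect rather than a relabel, so it deserves its own bullet, e.g. `- Label syslog, lvm, modules and network config types with files_config_file`.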
@@ -43060,7 +43548,7 @@ index 58bc27f..b4f0663 100644
 +	allow $1 clvmd_tmpfs_t:file rw_file_perms;
 +')
 diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
-index 86ef2da..f1fe005 100644
+index 86ef2da..17aeb3e 100644
 --- a/policy/modules/system/lvm.te
 +++ b/policy/modules/system/lvm.te
 @@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t)
@@ -43073,6 +43561,15 @@ index 86ef2da..f1fe005 100644
  type clvmd_var_run_t;
  files_pid_file(clvmd_var_run_t)
  
+@@ -24,7 +27,7 @@ domain_obj_id_change_exemption(lvm_t)
+ role system_r types lvm_t;
+ 
+ type lvm_etc_t;
+-files_type(lvm_etc_t)
++files_config_file(lvm_etc_t)
+ 
+ type lvm_lock_t;
+ files_lock_file(lvm_lock_t)
 @@ -56,6 +59,10 @@ allow clvmd_t self:unix_stream_socket { connectto create_stream_socket_perms };
  allow clvmd_t self:tcp_socket create_stream_socket_perms;
  allow clvmd_t self:udp_socket create_socket_perms;
@@ -43256,10 +43753,10 @@ index 9c0faab..def8d5a 100644
  ##	loading modules.
  ## </summary>
 diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
-index 74a4466..7243733 100644
+index 74a4466..9061149 100644
 --- a/policy/modules/system/modutils.te
 +++ b/policy/modules/system/modutils.te
-@@ -18,6 +18,7 @@ type insmod_t;
+@@ -18,11 +18,12 @@ type insmod_t;
  type insmod_exec_t;
  application_domain(insmod_t, insmod_exec_t)
  mls_file_write_all_levels(insmod_t)
@@ -43267,6 +43764,12 @@ index 74a4466..7243733 100644
  role system_r types insmod_t;
  
  # module loading config
+ type modules_conf_t;
+-files_type(modules_conf_t)
++files_config_file(modules_conf_t)
+ 
+ # module dependencies
+ type modules_dep_t;
 @@ -36,6 +37,9 @@ role system_r types update_modules_t;
  type update_modules_tmp_t;
  files_tmp_file(update_modules_tmp_t)
@@ -43621,7 +44124,7 @@ index 8b5c196..b195f9d 100644
 +    role $2 types showmount_t;
  ')
 diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index 6fe8471..139e2c9 100644
+index 6fe8471..21de81b 100644
 --- a/policy/modules/system/mount.te
 +++ b/policy/modules/system/mount.te
 @@ -17,8 +17,15 @@ type mount_exec_t;
@@ -43663,7 +44166,7 @@ index 6fe8471..139e2c9 100644
  
  # setuid/setgid needed to mount cifs 
 -allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
-+allow mount_t self:capability { fsetid ipc_lock setpcap sys_rawio sys_resource sys_admin dac_override dac_read_search chown sys_tty_config setuid setgid };
++allow mount_t self:capability { fsetid fowner ipc_lock setpcap sys_rawio sys_resource sys_admin dac_override dac_read_search chown sys_tty_config setuid setgid };
 +allow mount_t self:process { getcap getsched ptrace setcap setrlimit signal };
 +allow mount_t self:fifo_file rw_fifo_file_perms;
 +allow mount_t self:unix_stream_socket create_stream_socket_perms;
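Review bot: `fowner` is added to mount_t's self:capability set with no explanation; the only comment above that line (`# setuid/setgid needed to mount cifs`) does not cover it, and the commit message does not mention mount at all. CAP_FOWNER bypasses the owner check on operations such as chmod and utime, so the capability list stops being auditable once entries are added without a reason: a one-line why-comment naming the operation that triggered the denial, e.g. `# fowner: <operation observed in the denial — fill in>`, would keep it reviewable.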
@@ -45130,7 +45633,7 @@ index 8e71fb7..350d003 100644
 +	role_transition $1 dhcpc_exec_t system_r;
  ')
 diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index dfbe736..f66bf66 100644
+index dfbe736..d1f6368 100644
 --- a/policy/modules/system/sysnetwork.te
 +++ b/policy/modules/system/sysnetwork.te
 @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.0)
@@ -45157,6 +45660,15 @@ index dfbe736..f66bf66 100644
  type dhcpc_state_t;
  files_type(dhcpc_state_t)
  
+@@ -34,7 +44,7 @@ init_system_domain(ifconfig_t, ifconfig_exec_t)
+ role system_r types ifconfig_t;
+ 
+ type net_conf_t alias resolv_conf_t;
+-files_type(net_conf_t)
++files_config_file(net_conf_t)
+ 
+ ########################################
+ #
 @@ -57,8 +67,11 @@ read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
  exec_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
  
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 7da2388..b4fc3ec 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.10
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,13 @@ exit 0
 %endif
 
 %changelog
+* Thu Dec 1 2010 Miroslav Grepl <mgrepl at redhat.com> 3.9.9-5
+- Fix cron to run ranged when started by init
+- Fix devicekit to use log files
+- Dontaudit use of devicekit_var_run_t for fstools
+- Allow init to setattr on logfile directories
+- Allow hald to manage files in /var/run/pm-utils/ dir which is now labeled as devicekit_var_run_t
+
 * Tue Nov 30 2010 Dan Walsh <dwalsh at redhat.com> 3.9.9-4
 - Fix up handling of dnsmasq_t creating /var/run/libvirt/network
 - Turn on sshd_forward_ports boolean by default

