[selinux-policy/f14/master] Allow iptables to read shorewall tmp files Change chfn and passwd to use auth_use_pam so they can s

Daniel J Walsh dwalsh at fedoraproject.org
Tue Sep 7 20:35:59 UTC 2010


commit 9b57ad54f07498eaa306ee5bfbaa20a5107d718f
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Tue Sep 7 16:35:46 2010 -0400

     Allow iptables to read shorewall tmp files
    Change chfn and passwd to use auth_use_pam so they can send dbus messages to fprintd
    label vlc as an execmem_exec_t
    Lots of fixes for mozilla_plugin to run google video chat
    Allow telepath_msn to execute ldconfig and its own tmp files
    Fix labels on hugepages
    Allow mdadm to read files on /dev
    Remove permissive domains and change back to unconfined
    Allow freshclam to execute shell and bin_t
    Allow devicekit_power to transition to dhcpc
    Add boolean to allow icecast to connect to any port

 policy-F14.patch | 1218 +++++++++++++++++++++++++++++++-----------------------
 1 files changed, 697 insertions(+), 521 deletions(-)
---
diff --git a/policy-F14.patch b/policy-F14.patch
index d722157..e3ed193 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -206,65 +206,37 @@ index af90ef2..fbd2c40 100644
  	(( h1 dom h2 ) or ( t1 == mcskillall ));
  
  #
-diff --git a/policy/modules/admin/alsa.fc b/policy/modules/admin/alsa.fc
-index 30a0ac7..f5fc753 100644
---- a/policy/modules/admin/alsa.fc
-+++ b/policy/modules/admin/alsa.fc
-@@ -1,3 +1,5 @@
-+HOME_DIR/\.asoundrc		--	gen_context(system_u:object_r:alsa_home_t,s0)
-+
- /bin/alsaunmute		--	gen_context(system_u:object_r:alsa_exec_t,s0)
- 
- /etc/alsa/asound\.state --	gen_context(system_u:object_r:alsa_etc_rw_t,s0)
 diff --git a/policy/modules/admin/alsa.if b/policy/modules/admin/alsa.if
-index fe09bea..090b5c9 100644
+index 69aa742..30bfb08 100644
 --- a/policy/modules/admin/alsa.if
 +++ b/policy/modules/admin/alsa.if
-@@ -16,6 +16,7 @@ interface(`alsa_domtrans',`
- 	')
- 
- 	domtrans_pattern($1, alsa_exec_t, alsa_t)
-+	corecmd_search_bin($1)
- ')
- 
- ########################################
-@@ -33,7 +34,7 @@ interface(`alsa_rw_semaphores',`
- 		type alsa_t;
- 	')
- 
--	allow $1 alsa_t:sem { unix_read unix_write associate read write };
-+	allow $1 alsa_t:sem rw_sem_perms;
- ')
- 
- ########################################
-@@ -51,7 +52,7 @@ interface(`alsa_rw_shared_mem',`
- 		type alsa_t;
- 	')
- 
--	allow $1 alsa_t:shm { unix_read unix_write create_shm_perms };
-+	allow $1 alsa_t:shm rw_shm_perms;
- ')
- 
- ########################################
-@@ -72,6 +73,7 @@ interface(`alsa_read_rw_config',`
+@@ -74,6 +74,7 @@ interface(`alsa_read_rw_config',`
  	allow $1 alsa_etc_rw_t:dir list_dir_perms;
  	read_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
  	read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
 +	files_search_etc($1)
- ')
  
- ########################################
-@@ -92,6 +94,7 @@ interface(`alsa_manage_rw_config',`
+ 	ifdef(`distro_debian',`
+ 		files_search_usr($1)
+@@ -99,6 +100,7 @@ interface(`alsa_manage_rw_config',`
  	allow $1 alsa_etc_rw_t:dir list_dir_perms;
  	manage_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
  	read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
 +	files_search_etc($1)
+ 
+ 	ifdef(`distro_debian',`
+ 		files_search_usr($1)
+@@ -122,6 +124,7 @@ interface(`alsa_read_home_files',`
+ 
+ 	userdom_search_user_home_dirs($1)
+ 	allow $1 alsa_home_t:file read_file_perms;
++>>>>>>> .merge_file_D1FKe3
  ')
  
  ########################################
-@@ -110,4 +113,24 @@ interface(`alsa_read_lib',`
- 	')
+@@ -141,4 +144,24 @@ interface(`alsa_read_lib',`
  
+ 	files_search_var_lib($1)
  	read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
 +	files_search_var_lib($1)
 +')
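Review bot: The line `++>>>>>>> .merge_file_D1FKe3` adds a leftover merge-conflict marker to the inner hunk for alsa_read_home_files in policy/modules/admin/alsa.if, so once policy-F14.patch is applied that interface no longer parses as m4 and the alsa module will fail to build. Delete that line from the patch; the inner hunk `@@ -122,6 +124,7 @@ interface(`alsa_read_home_files',`` then carries no change and should be dropped with it. In the alsa_read_lib hunk just below, `files_search_var_lib($1)` now appears both as a context line and again as an added line, leaving a duplicated call; the added copy can go. That inner hunk continues into the next outer hunk.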
@@ -287,29 +259,6 @@ index fe09bea..090b5c9 100644
 +	allow $1 alsa_home_t:file read_file_perms;
 +	userdom_search_user_home_dirs($1)
  ')
-diff --git a/policy/modules/admin/alsa.te b/policy/modules/admin/alsa.te
-index 04f9d96..ed1c3dc 100644
---- a/policy/modules/admin/alsa.te
-+++ b/policy/modules/admin/alsa.te
-@@ -16,6 +16,9 @@ files_type(alsa_etc_rw_t)
- type alsa_var_lib_t;
- files_type(alsa_var_lib_t)
- 
-+type alsa_home_t;
-+userdom_user_home_content(alsa_home_t)
-+
- ########################################
- #
- # Local policy
-@@ -28,6 +31,8 @@ allow alsa_t self:shm create_shm_perms;
- allow alsa_t self:unix_stream_socket create_stream_socket_perms;
- allow alsa_t self:unix_dgram_socket create_socket_perms;
- 
-+allow alsa_t alsa_home_t:file read_file_perms;
-+
- manage_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t)
- manage_lnk_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t)
- files_etc_filetrans(alsa_t, alsa_etc_rw_t, file)
 diff --git a/policy/modules/admin/amanda.if b/policy/modules/admin/amanda.if
 index d1d035e..2cb11ea 100644
 --- a/policy/modules/admin/amanda.if
@@ -1374,7 +1323,7 @@ index 95dbcf3..bdba9c5 100644
  	optional_policy(`
  		java_domtrans_unconfined(rpm_script_t)
 diff --git a/policy/modules/admin/shorewall.if b/policy/modules/admin/shorewall.if
-index 0948921..992a7fc 100644
+index 0948921..b83f3db 100644
 --- a/policy/modules/admin/shorewall.if
 +++ b/policy/modules/admin/shorewall.if
 @@ -18,6 +18,24 @@ interface(`shorewall_domtrans',`
@@ -1402,7 +1351,33 @@ index 0948921..992a7fc 100644
  #######################################
  ## <summary>
  ##	Read shorewall etc configuration files.
-@@ -134,9 +152,10 @@ interface(`shorewall_rw_lib_files',`
+@@ -117,6 +135,25 @@ interface(`shorewall_rw_lib_files',`
+ 
+ #######################################
+ ## <summary>
++##      Read shorewall tmp files.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`shorewall_read_tmp_files',`
++        gen_require(`
++                type shorewall_tmp_t;
++        ')
++
++        files_search_tmp($1)
++        read_files_pattern($1, shorewall_tmp_t, shorewall_tmp_t)
++')
++
++#######################################
++## <summary>
+ ##	All of the rules required to administrate 
+ ##	an shorewall environment
+ ## </summary>
+@@ -134,9 +171,10 @@ interface(`shorewall_rw_lib_files',`
  #
  interface(`shorewall_admin',`
  	gen_require(`
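Review bot: The new interface `++interface(`shorewall_read_tmp_files',`` indents its body with eight spaces and its doc comments with six, while the rest of shorewall.if visible here uses tabs (`##	Read shorewall etc configuration files.`, the shorewall_admin body); re-indent the gen_require block and the two calls with single tabs so the file stays consistent. The logic itself is fine: `files_search_tmp($1)` plus `read_files_pattern($1, shorewall_tmp_t, shorewall_tmp_t)` is the minimal grant for the stated goal of letting iptables read shorewall's tmp files.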
@@ -1415,7 +1390,7 @@ index 0948921..992a7fc 100644
  	')
  
  	allow $1 shorewall_t:process { ptrace signal_perms };
-@@ -153,12 +172,12 @@ interface(`shorewall_admin',`
+@@ -153,12 +191,12 @@ interface(`shorewall_admin',`
  	files_search_locks($1)
  	admin_pattern($1, shorewall_lock_t)
  
@@ -1723,18 +1698,32 @@ index aecbf1c..0b5e634 100644
  
  	optional_policy(`
 diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index c35d801..3045a19 100644
+index c35d801..961424f 100644
 --- a/policy/modules/admin/usermanage.te
 +++ b/policy/modules/admin/usermanage.te
-@@ -295,6 +295,7 @@ selinux_compute_user_contexts(passwd_t)
+@@ -90,9 +90,7 @@ fs_search_auto_mountpoints(chfn_t)
+ # for SSP
+ dev_read_urand(chfn_t)
+ 
+-auth_domtrans_chk_passwd(chfn_t)
+-auth_dontaudit_read_shadow(chfn_t)
+-auth_use_nsswitch(chfn_t)
++auth_use_pam(chfn_t)
+ 
+ # allow checking if a shell is executable
+ corecmd_check_exec_shell(chfn_t)
+@@ -295,15 +293,18 @@ selinux_compute_user_contexts(passwd_t)
  
  term_use_all_ttys(passwd_t)
  term_use_all_ptys(passwd_t)
 +term_use_generic_ptys(passwd_t)
  
- auth_domtrans_chk_passwd(passwd_t)
+-auth_domtrans_chk_passwd(passwd_t)
  auth_manage_shadow(passwd_t)
-@@ -304,6 +305,9 @@ auth_use_nsswitch(passwd_t)
+ auth_relabel_shadow(passwd_t)
+ auth_etc_filetrans_shadow(passwd_t)
+-auth_use_nsswitch(passwd_t)
++auth_use_pam(passwd_t)
  
  # allow checking if a shell is executable
  corecmd_check_exec_shell(passwd_t)
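Review bot: Replacing `auth_domtrans_chk_passwd`, `auth_dontaudit_read_shadow` and `auth_use_nsswitch` with `+auth_use_pam(chfn_t)` silently drops the dontaudit on /etc/shadow; unless auth_use_pam itself includes that dontaudit (its definition is not visible here), chfn's probes of shadow will start appearing as AVC denials in the audit log. auth_use_pam presumably grants a good deal more than the three calls it replaces, so a comment above it stating the reason would help, e.g. `# auth_use_pam: needed so chfn can talk to fprintd over dbus`. The same substitution is made for passwd_t later in this hunk, where `auth_manage_shadow(passwd_t)` is kept so the shadow question does not arise there.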
@@ -1744,7 +1733,7 @@ index c35d801..3045a19 100644
  
  domain_use_interactive_fds(passwd_t)
  
-@@ -334,6 +338,7 @@ userdom_read_user_tmp_files(passwd_t)
+@@ -334,6 +335,7 @@ userdom_read_user_tmp_files(passwd_t)
  # user generally runs this from their home directory, so do not audit a search
  # on user home dir
  userdom_dontaudit_search_user_home_content(passwd_t)
@@ -1752,7 +1741,7 @@ index c35d801..3045a19 100644
  
  optional_policy(`
  	nscd_domtrans(passwd_t)
-@@ -428,7 +433,7 @@ optional_policy(`
+@@ -428,7 +430,7 @@ optional_policy(`
  # Useradd local policy
  #
  
@@ -1761,7 +1750,7 @@ index c35d801..3045a19 100644
  dontaudit useradd_t self:capability sys_tty_config;
  allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow useradd_t self:process setfscreate;
-@@ -500,12 +505,8 @@ seutil_domtrans_setfiles(useradd_t)
+@@ -500,12 +502,8 @@ seutil_domtrans_setfiles(useradd_t)
  
  userdom_use_unpriv_users_fds(useradd_t)
  # Add/remove user home directories
@@ -2011,10 +2000,10 @@ index 7fd0900..899e234 100644
  	dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t)
 diff --git a/policy/modules/apps/execmem.fc b/policy/modules/apps/execmem.fc
 new file mode 100644
-index 0000000..9bd4f45
+index 0000000..e049042
 --- /dev/null
 +++ b/policy/modules/apps/execmem.fc
-@@ -0,0 +1,48 @@
+@@ -0,0 +1,49 @@
 +
 +/usr/bin/aticonfig	--	gen_context(system_u:object_r:execmem_exec_t,s0)
 +/usr/bin/compiz		--	gen_context(system_u:object_r:execmem_exec_t,s0)
@@ -2027,6 +2016,7 @@ index 0000000..9bd4f45
 +/usr/bin/runhaskell	--	gen_context(system_u:object_r:execmem_exec_t,s0)
 +/usr/bin/sbcl	     	--	gen_context(system_u:object_r:execmem_exec_t,s0)
 +/usr/bin/skype		--	gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/bin/vlc		--	gen_context(system_u:object_r:execmem_exec_t,s0)
 +/usr/bin/valgrind	--	gen_context(system_u:object_r:execmem_exec_t,s0)
 +/usr/sbin/vboxadd-service 	--	gen_context(system_u:object_r:execmem_exec_t,s0)
 +/usr/sbin/VBox.* 	--	gen_context(system_u:object_r:execmem_exec_t,s0)
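Review bot: `++/usr/bin/vlc` is inserted ahead of `/usr/bin/valgrind`, breaking the alphabetical order the surrounding entries keep (runhaskell, sbcl, skype, valgrind, vboxadd-service); move it one line down. Every entry in this file makes the program run in a domain permitted to map writable and executable memory, so a short comment naming which part of vlc needs that would help when the list is pruned later, e.g. `# vlc: <component> needs execmem`, filled in from the denial that prompted the change.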
@@ -2361,7 +2351,7 @@ index 00a19e3..46db5ff 100644
 +/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 +
 diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
-index f5afe78..ffd9870 100644
+index f5afe78..09beb26 100644
 --- a/policy/modules/apps/gnome.if
 +++ b/policy/modules/apps/gnome.if
 @@ -37,8 +37,26 @@ interface(`gnome_role',`
@@ -2615,7 +2605,7 @@ index f5afe78..ffd9870 100644
  ')
  
  ########################################
-@@ -151,40 +277,288 @@ interface(`gnome_setattr_config_dirs',`
+@@ -151,22 +277,251 @@ interface(`gnome_setattr_config_dirs',`
  
  ########################################
  ## <summary>
@@ -2623,13 +2613,12 @@ index f5afe78..ffd9870 100644
 +##	Create objects in a Gnome gconf home directory
 +##	with an automatic type transition to
 +##	a specified private type.
- ## </summary>
--## <param name="user_domain">
++## </summary>
 +## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
 +## <param name="private_type">
 +##	<summary>
 +##	The type of the object to create.
@@ -2640,24 +2629,18 @@ index f5afe78..ffd9870 100644
 +##	The class of the object to be created.
 +##	</summary>
 +## </param>
- #
--template(`gnome_read_config',`
++#
 +interface(`gnome_data_filetrans',`
- 	gen_require(`
--		type gnome_home_t;
++	gen_require(`
 +		type data_home_t;
- 	')
- 
--	list_dirs_pattern($1, gnome_home_t, gnome_home_t)
--	read_files_pattern($1, gnome_home_t, gnome_home_t)
--	read_lnk_files_pattern($1, gnome_home_t, gnome_home_t)
++	')
++
 +	filetrans_pattern($1, data_home_t, $2, $3)
 +	gnome_search_gconf($1)
- ')
- 
- ########################################
- ## <summary>
--##	manage gnome homedir content (.config)
++')
++
++########################################
++## <summary>
 +##	Create gconf_home_t objects in the /root directory
 +## </summary>
 +## <param name="domain">
@@ -2728,15 +2711,13 @@ index f5afe78..ffd9870 100644
  ##	</summary>
  ## </param>
  #
--interface(`gnome_manage_config',`
+-template(`gnome_read_config',`
 +interface(`gnome_exec_gconf',`
  	gen_require(`
 -		type gnome_home_t;
 +		type gconfd_exec_t;
- 	')
- 
--	allow $1 gnome_home_t:dir manage_dir_perms;
--	allow $1 gnome_home_t:file manage_file_perms;
++	')
++
 +	can_exec($1, gconfd_exec_t)
 +')
 +
@@ -2754,8 +2735,11 @@ index f5afe78..ffd9870 100644
 +	gen_require(`
 +		type gconf_home_t;
 +		type data_home_t;
-+	')
-+
+ 	')
+ 
+-	list_dirs_pattern($1, gnome_home_t, gnome_home_t)
+-	read_files_pattern($1, gnome_home_t, gnome_home_t)
+-	read_lnk_files_pattern($1, gnome_home_t, gnome_home_t)
 +	allow $1 gconf_home_t:dir list_dir_perms;
 +	allow $1 data_home_t:dir list_dir_perms;
 +	read_files_pattern($1, gconf_home_t, gconf_home_t)
@@ -2778,8 +2762,8 @@ index f5afe78..ffd9870 100644
 +	')
 +
 +	allow $1 gconf_home_t:dir search_dir_perms;
- 	userdom_search_user_home_dirs($1)
- ')
++	userdom_search_user_home_dirs($1)
++')
 +
 +########################################
 +## <summary>
@@ -2876,6 +2860,23 @@ index f5afe78..ffd9870 100644
 +	')
 +
 +	read_files_pattern($1, config_home_t, config_home_t)
+ ')
+ 
+ ########################################
+@@ -175,16 +530,53 @@ template(`gnome_read_config',`
+ ## </summary>
+ ## <param name="user_domain">
+ ##	<summary>
++##	The type of the user domain.
++##	</summary>
++## </param>
++#
++template(`gnome_manage_home_config',`
++	gen_require(`
++		type config_home_t;
++	')
++
++	manage_files_pattern($1, config_home_t, config_home_t)
 +')
 +
 +########################################
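Review bot: `++template(`gnome_manage_home_config',`` is declared as a template with a `user_domain` parameter described as `The type of the user domain.`, yet its body only passes `$1` straight to `manage_files_pattern($1, config_home_t, config_home_t)` and derives no per-user types, so an interface with a `domain` parameter documented as `Domain allowed access.` would fit the surrounding interfaces better. This also matters because the mozilla.te hunk later in this commit calls it with mozilla_plugin_t, which is not a user domain. The summary for this block begins before this hunk, so its description is not visible here.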
@@ -2884,15 +2885,20 @@ index f5afe78..ffd9870 100644
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`gnome_manage_config',`
 +interface(`gnome_rw_inherited_config',`
-+	gen_require(`
+ 	gen_require(`
+-		type gnome_home_t;
 +		attribute gnome_home_type;
-+	')
-+
+ 	')
+ 
+-	allow $1 gnome_home_t:dir manage_dir_perms;
+-	allow $1 gnome_home_t:file manage_file_perms;
+-	userdom_search_user_home_dirs($1)
 +	allow $1 gnome_home_type:file rw_inherited_file_perms;
 +')
 +
@@ -2915,7 +2921,7 @@ index f5afe78..ffd9870 100644
 +
 +	allow $1 gconfdefaultsm_t:dbus send_msg;
 +	allow gconfdefaultsm_t $1:dbus send_msg;
-+')
+ ')
 diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te
 index 35f7486..26852d2 100644
 --- a/policy/modules/apps/gnome.te
@@ -3071,10 +3077,19 @@ index e9853d4..717d163 100644
  /usr/bin/gpg(2)?	--	gen_context(system_u:object_r:gpg_exec_t,s0)
  /usr/bin/gpg-agent	--	gen_context(system_u:object_r:gpg_agent_exec_t,s0)
 diff --git a/policy/modules/apps/gpg.if b/policy/modules/apps/gpg.if
-index 40e0a2a..7c48fc5 100644
+index 40e0a2a..13d939a 100644
 --- a/policy/modules/apps/gpg.if
 +++ b/policy/modules/apps/gpg.if
-@@ -85,6 +85,43 @@ interface(`gpg_domtrans',`
+@@ -54,6 +54,8 @@ interface(`gpg_role',`
+ 	manage_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
+ 	relabel_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
+ 
++	allow gpg_pinentry_t $2:fifo_file { read write };
++
+ 	optional_policy(`
+ 		gpg_pinentry_dbus_chat($2)
+ 	')
+@@ -85,6 +87,43 @@ interface(`gpg_domtrans',`
  	domtrans_pattern($1, gpg_exec_t, gpg_t)
  ')
  
@@ -3678,7 +3693,7 @@ index 93ac529..aafece7 100644
  /usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
 +/usr/lib(64)?/xulrunner[^/]*/plugin-container		--	gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
 diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
-index 9a6d67d..99a3d49 100644
+index 9a6d67d..47aa143 100644
 --- a/policy/modules/apps/mozilla.if
 +++ b/policy/modules/apps/mozilla.if
 @@ -29,6 +29,8 @@ interface(`mozilla_role',`
@@ -3712,7 +3727,7 @@ index 9a6d67d..99a3d49 100644
  ')
  
  ########################################
-@@ -168,6 +176,50 @@ interface(`mozilla_domtrans',`
+@@ -168,6 +176,52 @@ interface(`mozilla_domtrans',`
  
  ########################################
  ## <summary>
@@ -3756,6 +3771,8 @@ index 9a6d67d..99a3d49 100644
 +
 +	mozilla_domtrans_plugin($1)
 +	role $2 types mozilla_plugin_t;
++
++	allow mozilla_plugin_t $1:process signull;	
 +')
 +
 +########################################
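Review bot: `++	allow mozilla_plugin_t $1:process signull;	` carries a trailing tab after the semicolon; strip it, since the neighbouring lines have no trailing whitespace. The enclosing interface begins before this hunk, so the signature of the role interface that grants this is not visible here.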
@@ -3764,7 +3781,7 @@ index 9a6d67d..99a3d49 100644
  ##	mozilla over dbus.
  ## </summary>
 diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index cbf4bec..b2e4e0c 100644
+index cbf4bec..04f5196 100644
 --- a/policy/modules/apps/mozilla.te
 +++ b/policy/modules/apps/mozilla.te
 @@ -25,6 +25,7 @@ files_config_file(mozilla_conf_t)
@@ -3775,7 +3792,7 @@ index cbf4bec..b2e4e0c 100644
  userdom_user_home_content(mozilla_home_t)
  
  type mozilla_tmpfs_t;
-@@ -33,6 +34,13 @@ typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_
+@@ -33,6 +34,20 @@ typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_
  files_tmpfs_file(mozilla_tmpfs_t)
  ubac_constrained(mozilla_tmpfs_t)
  
@@ -3784,12 +3801,19 @@ index cbf4bec..b2e4e0c 100644
 +application_domain(mozilla_plugin_t, mozilla_plugin_exec_t)
 +role system_r types mozilla_plugin_t;
 +
++type mozilla_plugin_tmp_t;
++files_tmp_file(mozilla_plugin_tmp_t)
++
++type mozilla_plugin_tmpfs_t;
++files_tmpfs_file(mozilla_plugin_tmpfs_t)
++ubac_constrained(mozilla_plugin_tmpfs_t)
++
 +permissive mozilla_plugin_t;
 +
  ########################################
  #
  # Local policy
-@@ -89,16 +97,20 @@ corenet_tcp_sendrecv_generic_node(mozilla_t)
+@@ -89,16 +104,20 @@ corenet_tcp_sendrecv_generic_node(mozilla_t)
  corenet_raw_sendrecv_generic_node(mozilla_t)
  corenet_tcp_sendrecv_http_port(mozilla_t)
  corenet_tcp_sendrecv_http_cache_port(mozilla_t)
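Review bot: `+permissive mozilla_plugin_t;` is still present as a context line at the end of this hunk even though the commit description says permissive domains were removed and changed back to unconfined; as long as that line stays, the new `mozilla_plugin_tmp_t` and `mozilla_plugin_tmpfs_t` types declared above it are only ever exercised in permissive mode and none of the plugin rules is actually enforced. Either drop the permissive line in this hunk or add a comment stating that mozilla_plugin_t is intentionally left permissive for now. I can only see this part of mozilla.te, so it may be removed elsewhere in the patch.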
@@ -3810,7 +3834,7 @@ index cbf4bec..b2e4e0c 100644
  corenet_sendrecv_ftp_client_packets(mozilla_t)
  corenet_sendrecv_ipp_client_packets(mozilla_t)
  corenet_sendrecv_generic_client_packets(mozilla_t)
-@@ -238,6 +250,7 @@ optional_policy(`
+@@ -238,6 +257,7 @@ optional_policy(`
  optional_policy(`
  	gnome_stream_connect_gconf(mozilla_t)
  	gnome_manage_config(mozilla_t)
@@ -3818,7 +3842,7 @@ index cbf4bec..b2e4e0c 100644
  ')
  
  optional_policy(`
-@@ -258,6 +271,11 @@ optional_policy(`
+@@ -258,6 +278,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -3830,7 +3854,7 @@ index cbf4bec..b2e4e0c 100644
  	pulseaudio_exec(mozilla_t)
  	pulseaudio_stream_connect(mozilla_t)
  	pulseaudio_manage_home_files(mozilla_t)
-@@ -266,3 +284,46 @@ optional_policy(`
+@@ -266,3 +291,80 @@ optional_policy(`
  optional_policy(`
  	thunderbird_domtrans(mozilla_t)
  ')
@@ -3839,7 +3863,7 @@ index cbf4bec..b2e4e0c 100644
 +#
 +# mozilla_plugin local policy
 +#
-+allow mozilla_plugin_t self:process setsched;
++allow mozilla_plugin_t self:process { setsched signal_perms execmem };
 +
 +allow mozilla_plugin_t self:sem create_sem_perms;
 +allow mozilla_plugin_t self:shm create_shm_perms;
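Review bot: `++allow mozilla_plugin_t self:process { setsched signal_perms execmem };` adds execmem to the plugin domain without a comment; execmem lets a process map anonymous memory both writable and executable, so the W^X protection is lost for every plugin that runs in mozilla_plugin_t, not only the one that needs it. Add a comment naming the plugin that required it (the commit description points at Google video chat), and consider putting execmem behind a tunable so systems without that plugin keep the restriction.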
@@ -3848,6 +3872,16 @@ index cbf4bec..b2e4e0c 100644
 +
 +read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
 +
++manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
++manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
++files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file })
++
++manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
++manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
++manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
++manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
++fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
++
 +kernel_read_kernel_sysctls(mozilla_plugin_t)
 +kernel_read_system_state(mozilla_plugin_t)
 +kernel_request_load_module(mozilla_plugin_t)
@@ -3856,6 +3890,8 @@ index cbf4bec..b2e4e0c 100644
 +corecmd_exec_shell(mozilla_plugin_t)
 +
 +dev_read_urand(mozilla_plugin_t)
++dev_read_video_dev(mozilla_plugin_t)
++dev_read_sysfs(mozilla_plugin_t)
 +
 +domain_use_interactive_fds(mozilla_plugin_t)
 +domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
@@ -3863,20 +3899,42 @@ index cbf4bec..b2e4e0c 100644
 +files_read_config_files(mozilla_plugin_t)
 +files_read_usr_files(mozilla_plugin_t)
 +
++# Would like to get rid of this but needed to talk to mislabeled tmpfs
++fs_rw_tmpfs_files(mozilla_plugin_t)
++
 +miscfiles_read_localization(mozilla_plugin_t)
++miscfiles_read_fonts(mozilla_plugin_t)
 +
 +term_getattr_all_ttys(mozilla_plugin_t)
 +term_getattr_all_ptys(mozilla_plugin_t)
 +
++userdom_rw_user_tmpfs_files(mozilla_plugin_t)
++userdom_stream_connect(mozilla_plugin_t)
++userdom_dontaudit_use_user_ptys(mozilla_plugin_t)
++
++optional_policy(`
++	dbus_read_lib_files(mozilla_plugin_t)
++')
++
++optional_policy(`
++	gnome_manage_home_config(mozilla_plugin_t)
++')
++
 +optional_policy(`
 +	nsplugin_domtrans(mozilla_plugin_t)
 +	nsplugin_rw_exec(mozilla_plugin_t)
++	nsplugin_manage_home_files(mozilla_plugin_t)
++')
++
++optional_policy(`
++	pulseaudio_rw_home_files(mozilla_plugin_t)
 +')
 +
 +optional_policy(`
 +	xserver_read_xdm_pid(mozilla_plugin_t)
 +	xserver_stream_connect(mozilla_plugin_t)
 +')
++
 diff --git a/policy/modules/apps/mplayer.if b/policy/modules/apps/mplayer.if
 index d8ea41d..8bdc526 100644
 --- a/policy/modules/apps/mplayer.if
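Review bot: `++fs_rw_tmpfs_files(mozilla_plugin_t)` grants read/write on every generic tmpfs_t file on the system, and the comment above it already admits it only exists to cope with mislabelled tmpfs content; a workaround this wide should record what is mislabelled and where it is tracked, e.g. `# TODO: remove once <component> labels its tmpfs files correctly; grants rw on all tmpfs_t`. The trailing `++` before the mplayer.if header also appends an empty line at the end of mozilla.te, which shows up as a trailing blank line in the patched file.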
@@ -4376,10 +4434,10 @@ index 0000000..74c624e
 +')
 diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te
 new file mode 100644
-index 0000000..b4f0852
+index 0000000..23890a7
 --- /dev/null
 +++ b/policy/modules/apps/nsplugin.te
-@@ -0,0 +1,307 @@
+@@ -0,0 +1,308 @@
 +policy_module(nsplugin, 1.0.0)
 +
 +########################################
@@ -4511,6 +4569,7 @@ index 0000000..b4f0852
 +fs_list_inotifyfs(nsplugin_t)
 +
 +storage_dontaudit_getattr_fixed_disk_dev(nsplugin_t)
++storage_dontaudit_getattr_removable_dev(nsplugin_t)
 +
 +term_dontaudit_getattr_all_ptys(nsplugin_t)
 +term_dontaudit_getattr_all_ttys(nsplugin_t)
@@ -6190,10 +6249,10 @@ index 0000000..3d12484
 +')
 diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te
 new file mode 100644
-index 0000000..7e8fd3a
+index 0000000..6cd47ee
 --- /dev/null
 +++ b/policy/modules/apps/telepathy.te
-@@ -0,0 +1,316 @@
+@@ -0,0 +1,319 @@
 +
 +policy_module(telepathy, 1.0.0)
 +
@@ -6249,6 +6308,7 @@ index 0000000..7e8fd3a
 +files_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file })
 +userdom_user_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file })
 +userdom_dontaudit_setattr_user_tmp(telepathy_msn_t)
++can_exec(telepathy_msn_t, telepathy_msn_tmp_t)
 +
 +corenet_sendrecv_http_client_packets(telepathy_msn_t)
 +corenet_sendrecv_msnp_client_packets(telepathy_msn_t)
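Review bot: `++can_exec(telepathy_msn_t, telepathy_msn_tmp_t)` lets the MSN connection manager execute files of its own tmp type, so anything this network-facing domain writes to /tmp can afterwards be run as code by the same domain, which removes much of the value of confining it. Add a comment naming the component that has to run from tmp so a later maintainer can check whether it is still required, and if it is a fixed helper file, labelling that file separately would be narrower than exec on the whole tmp type. The `libs_exec_ldconfig(telepathy_msn_t)` added in the following hunk deserves the same one-line justification.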
@@ -6268,6 +6328,8 @@ index 0000000..7e8fd3a
 +
 +auth_use_nsswitch(telepathy_msn_t)
 +
++libs_exec_ldconfig(telepathy_msn_t)
++
 +logging_send_syslog_msg(telepathy_msn_t)
 +
 +miscfiles_read_certs(telepathy_msn_t)
@@ -6318,7 +6380,7 @@ index 0000000..7e8fd3a
 +dev_read_rand(telepathy_gabble_t)
 +dev_read_urand(telepathy_gabble_t)
 +
-+files_read_etc_files(telepathy_gabble_t)
++files_read_config_files(telepathy_gabble_t)
 +files_read_usr_files(telepathy_gabble_t)
 +
 +miscfiles_read_certs(telepathy_gabble_t)
@@ -6661,7 +6723,7 @@ index 5872ea2..028c994 100644
  /var/run/vmnat.* 		-s	gen_context(system_u:object_r:vmware_var_run_t,s0)
  /var/run/vmware.* 			gen_context(system_u:object_r:vmware_var_run_t,s0)
 diff --git a/policy/modules/apps/vmware.te b/policy/modules/apps/vmware.te
-index 1f803bb..ab99aa0 100644
+index 1f803bb..8a97303 100644
 --- a/policy/modules/apps/vmware.te
 +++ b/policy/modules/apps/vmware.te
 @@ -126,6 +126,7 @@ dev_getattr_all_blk_files(vmware_host_t)
@@ -6672,6 +6734,17 @@ index 1f803bb..ab99aa0 100644
  
  domain_use_interactive_fds(vmware_host_t)
  domain_dontaudit_read_all_domains_state(vmware_host_t)
+@@ -159,7 +160,10 @@ netutils_domtrans_ping(vmware_host_t)
+ 
+ optional_policy(`
+ 	seutil_sigchld_newrole(vmware_host_t)
++')
+ 
++optional_policy(`
++	shutdown_domtrans(vmware_host_t)
+ ')
+ 
+ optional_policy(`
 diff --git a/policy/modules/apps/wine.fc b/policy/modules/apps/wine.fc
 index 9d24449..9782698 100644
 --- a/policy/modules/apps/wine.fc
@@ -6820,7 +6893,7 @@ index 82842a0..369c3b5 100644
  		dbus_system_bus_client($1_wm_t)
  		dbus_session_bus_client($1_wm_t)
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 0eb1d97..a71e2d5 100644
+index 0eb1d97..b267560 100644
 --- a/policy/modules/kernel/corecommands.fc
 +++ b/policy/modules/kernel/corecommands.fc
 @@ -9,8 +9,11 @@
@@ -6845,7 +6918,16 @@ index 0eb1d97..a71e2d5 100644
  /etc/profile.d(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  /etc/xen/qemu-ifup		--	gen_context(system_u:object_r:bin_t,s0)
  /etc/xen/scripts(/.*)?			gen_context(system_u:object_r:bin_t,s0)
-@@ -126,6 +132,7 @@ ifdef(`distro_gentoo',`
+@@ -109,6 +115,8 @@ ifdef(`distro_debian',`
+ /etc/mysql/debian-start		--	gen_context(system_u:object_r:bin_t,s0)
+ ')
+ 
++/etc/vmware-tools(/.*)?			gen_context(system_u:object_r:bin_t,s0)
++
+ #
+ # /lib
+ #
+@@ -126,6 +134,7 @@ ifdef(`distro_gentoo',`
  /lib/rcscripts/net\.modules\.d/helpers\.d/dhclient-.* -- gen_context(system_u:object_r:bin_t,s0)
  /lib/rcscripts/net\.modules\.d/helpers\.d/udhcpc-.* -- gen_context(system_u:object_r:bin_t,s0)
  ')
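Review bot: `++/etc/vmware-tools(/.*)?` labels the whole directory tree as bin_t, so any configuration files kept there stop being etc_t and become executable content for every domain allowed to run bin_t. If only scripts under that path need to be executable (its layout is not visible here), narrow the regex to them, as the neighbouring entries such as `/etc/xen/scripts(/.*)?` do. A trailing comment naming the domain that needs to run those scripts would also help.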
@@ -6853,7 +6935,7 @@ index 0eb1d97..a71e2d5 100644
  
  #
  # /sbin
-@@ -145,6 +152,10 @@ ifdef(`distro_gentoo',`
+@@ -145,6 +154,10 @@ ifdef(`distro_gentoo',`
  
  /opt/(.*/)?sbin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  
@@ -6864,7 +6946,7 @@ index 0eb1d97..a71e2d5 100644
  ifdef(`distro_gentoo',`
  /opt/RealPlayer/realplay(\.bin)?	gen_context(system_u:object_r:bin_t,s0)
  /opt/RealPlayer/postint(/.*)?		gen_context(system_u:object_r:bin_t,s0)
-@@ -169,6 +180,7 @@ ifdef(`distro_gentoo',`
+@@ -169,6 +182,7 @@ ifdef(`distro_gentoo',`
  /usr/lib/fence(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/pgsql/test/regress/.*\.sh --	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/qt.*/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
@@ -6872,7 +6954,7 @@ index 0eb1d97..a71e2d5 100644
  /usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0)
  /usr/lib(64)?/apt/methods.+	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib(64)?/ConsoleKit/scripts(/.*)?	gen_context(system_u:object_r:bin_t,s0)
-@@ -220,6 +232,7 @@ ifdef(`distro_gentoo',`
+@@ -220,6 +234,7 @@ ifdef(`distro_gentoo',`
  
  /usr/share/apr-0/build/[^/]+\.sh --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/apr-0/build/libtool --	gen_context(system_u:object_r:bin_t,s0)
@@ -6880,7 +6962,7 @@ index 0eb1d97..a71e2d5 100644
  /usr/share/debconf/.+		--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/denyhosts/scripts(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/denyhosts/plugins(/.*)?	gen_context(system_u:object_r:bin_t,s0)
-@@ -228,6 +241,8 @@ ifdef(`distro_gentoo',`
+@@ -228,6 +243,8 @@ ifdef(`distro_gentoo',`
  /usr/share/cluster/svclib_nfslock --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/e16/misc(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -6889,7 +6971,7 @@ index 0eb1d97..a71e2d5 100644
  /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
-@@ -314,6 +329,7 @@ ifdef(`distro_redhat', `
+@@ -314,6 +331,7 @@ ifdef(`distro_redhat', `
  /usr/share/texmf/web2c/mktexdir	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/texmf/web2c/mktexnam	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/texmf/web2c/mktexupd	--	gen_context(system_u:object_r:bin_t,s0)
@@ -6897,7 +6979,7 @@ index 0eb1d97..a71e2d5 100644
  ')
  
  ifdef(`distro_suse', `
-@@ -340,3 +356,27 @@ ifdef(`distro_suse', `
+@@ -340,3 +358,27 @@ ifdef(`distro_suse', `
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -7133,19 +7215,18 @@ index 2ecdde8..f118873 100644
  network_port(zope, tcp,8021,s0)
  
 diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
-index 3b2da10..18f3f4c 100644
+index 3b2da10..7c29e17 100644
 --- a/policy/modules/kernel/devices.fc
 +++ b/policy/modules/kernel/devices.fc
-@@ -159,6 +159,8 @@ ifdef(`distro_suse', `
+@@ -159,6 +159,7 @@ ifdef(`distro_suse', `
  
  /dev/mvideo/.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
  
-+/dev/hugepages(/.*)?		<<none>>
 +/dev/mqueue(/.*)?		<<none>>
  /dev/pts(/.*)?			<<none>>
  
  /dev/s(ou)?nd/.*	-c	gen_context(system_u:object_r:sound_device_t,s0)
-@@ -176,13 +178,12 @@ ifdef(`distro_suse', `
+@@ -176,13 +177,12 @@ ifdef(`distro_suse', `
  
  /etc/udev/devices	-d	gen_context(system_u:object_r:device_t,s0)
  
@@ -7161,7 +7242,7 @@ index 3b2da10..18f3f4c 100644
  
  ifdef(`distro_redhat',`
  # originally from named.fc
-@@ -191,3 +192,8 @@ ifdef(`distro_redhat',`
+@@ -191,3 +191,8 @@ ifdef(`distro_redhat',`
  /var/named/chroot/dev/random -c	gen_context(system_u:object_r:random_device_t,s0)
  /var/named/chroot/dev/zero -c	gen_context(system_u:object_r:zero_device_t,s0)
  ')
@@ -7171,10 +7252,35 @@ index 3b2da10..18f3f4c 100644
 +#
 +/sys(/.*)?			gen_context(system_u:object_r:sysfs_t,s0)
 diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index 8b09281..e896bf7 100644
+index 8b09281..3fb8756 100644
 --- a/policy/modules/kernel/devices.if
 +++ b/policy/modules/kernel/devices.if
-@@ -498,6 +498,24 @@ interface(`dev_getattr_generic_chr_files',`
+@@ -318,6 +318,24 @@ interface(`dev_dontaudit_getattr_generic_files',`
+ 
+ ########################################
+ ## <summary>
++##	read generic files in /dev.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`dev_read_generic_files',`
++	gen_require(`
++		type device_t;
++	')
++
++	read_files_pattern($1, device_t, device_t)
++')
++
++########################################
++## <summary>
+ ##	Read and write generic files in /dev.
+ ## </summary>
+ ## <param name="domain">
+@@ -498,6 +516,24 @@ interface(`dev_getattr_generic_chr_files',`
  
  ########################################
  ## <summary>
@@ -7199,7 +7305,7 @@ index 8b09281..e896bf7 100644
  ##	Dontaudit getattr for generic character device files.
  ## </summary>
  ## <param name="domain">
-@@ -534,6 +552,24 @@ interface(`dev_dontaudit_setattr_generic_chr_files',`
+@@ -534,6 +570,24 @@ interface(`dev_dontaudit_setattr_generic_chr_files',`
  
  ########################################
  ## <summary>
@@ -7224,7 +7330,7 @@ index 8b09281..e896bf7 100644
  ##	Read and write generic character device files.
  ## </summary>
  ## <param name="domain">
-@@ -552,6 +588,24 @@ interface(`dev_rw_generic_chr_files',`
+@@ -552,6 +606,24 @@ interface(`dev_rw_generic_chr_files',`
  
  ########################################
  ## <summary>
@@ -7249,7 +7355,7 @@ index 8b09281..e896bf7 100644
  ##	Dontaudit attempts to read/write generic character device files.
  ## </summary>
  ## <param name="domain">
-@@ -661,6 +715,24 @@ interface(`dev_delete_generic_symlinks',`
+@@ -661,6 +733,24 @@ interface(`dev_delete_generic_symlinks',`
  
  ########################################
  ## <summary>
@@ -7274,7 +7380,7 @@ index 8b09281..e896bf7 100644
  ##	Create, delete, read, and write symbolic links in device directories.
  ## </summary>
  ## <param name="domain">
-@@ -1070,6 +1142,42 @@ interface(`dev_create_all_chr_files',`
+@@ -1070,6 +1160,42 @@ interface(`dev_create_all_chr_files',`
  
  ########################################
  ## <summary>
@@ -7317,7 +7423,7 @@ index 8b09281..e896bf7 100644
  ##	Delete all block device files.
  ## </summary>
  ## <param name="domain">
-@@ -1332,6 +1440,24 @@ interface(`dev_getattr_autofs_dev',`
+@@ -1332,6 +1458,24 @@ interface(`dev_getattr_autofs_dev',`
  
  ########################################
  ## <summary>
@@ -7342,7 +7448,7 @@ index 8b09281..e896bf7 100644
  ##	Do not audit attempts to get the attributes of
  ##	the autofs device node.
  ## </summary>
-@@ -3595,6 +3721,24 @@ interface(`dev_manage_smartcard',`
+@@ -3595,6 +3739,24 @@ interface(`dev_manage_smartcard',`
  
  ########################################
  ## <summary>
@@ -7367,7 +7473,7 @@ index 8b09281..e896bf7 100644
  ##	Get the attributes of sysfs directories.
  ## </summary>
  ## <param name="domain">
-@@ -3737,6 +3881,24 @@ interface(`dev_rw_sysfs',`
+@@ -3737,6 +3899,24 @@ interface(`dev_rw_sysfs',`
  
  ########################################
  ## <summary>
@@ -7392,7 +7498,7 @@ index 8b09281..e896bf7 100644
  ##	Read from pseudo random number generator devices (e.g., /dev/urandom).
  ## </summary>
  ## <desc>
-@@ -3906,6 +4068,24 @@ interface(`dev_read_usbmon_dev',`
+@@ -3906,6 +4086,24 @@ interface(`dev_read_usbmon_dev',`
  
  ########################################
  ## <summary>
@@ -7417,7 +7523,7 @@ index 8b09281..e896bf7 100644
  ##	Mount a usbfs filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -4216,11 +4396,10 @@ interface(`dev_write_video_dev',`
+@@ -4216,11 +4414,10 @@ interface(`dev_write_video_dev',`
  #
  interface(`dev_rw_vhost',`
  	gen_require(`
@@ -8454,20 +8560,25 @@ index 07352a5..12e9ecf 100644
  #Temporarily in policy until FC5 dissappears
  typealias etc_runtime_t alias firstboot_rw_t;
 diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc
-index 9306de6..41dfd80 100644
+index 59bae6a..16f0f9e 100644
 --- a/policy/modules/kernel/filesystem.fc
 +++ b/policy/modules/kernel/filesystem.fc
-@@ -1,3 +1,4 @@
- /dev/shm	-d	gen_context(system_u:object_r:tmpfs_t,s0)
+@@ -2,5 +2,10 @@
+ /dev/shm/.*		<<none>>
+ 
+ /cgroup		-d	gen_context(system_u:object_r:cgroup_t,s0)
++/cgroup/.*		<<none>>
  
--/cgroup		-d	gen_context(system_u:object_r:cgroup_t,s0)
-+/cgroup(/.*)? 	 	gen_context(system_u:object_r:cgroup_t,s0)
-+/sys/fs/cgroup(/.*)?  	<<none>>
++/sys/fs/cgroup	-d	gen_context(system_u:object_r:cgroup_t,s0)
+ /sys/fs/cgroup(/.*)?	<<none>>
++
++/dev/hugepages	-d	gen_context(system_u:object_r:hugetlbfs_t,s0)
++/dev/hugepages(/.*)?		<<none>>
 diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index e3e17ba..3b34959 100644
+index 437a42a..8d6d333 100644
 --- a/policy/modules/kernel/filesystem.if
 +++ b/policy/modules/kernel/filesystem.if
-@@ -1233,7 +1233,7 @@ interface(`fs_dontaudit_rw_cifs_files',`
+@@ -1241,7 +1241,7 @@ interface(`fs_dontaudit_rw_cifs_files',`
  		type cifs_t;
  	')
  
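Review bot: The added `/sys/fs/cgroup -d` line sits directly above the existing `/sys/fs/cgroup(/.*)? <<none>>` entry, and the new `/dev/hugepages -d` line above `/dev/hugepages(/.*)? <<none>>`; in both cases the `(/.*)?` form also matches the mount-point directory itself, whereas the sibling entries `/dev/shm/.*` and the `/cgroup/.*` added in this same hunk use `/.*` so that `<<none>>` covers only the contents. If libselinux resolves these by last matching specification (as the older stem-based lookup did), the `<<none>>` entry wins for the directory and the `-d` context is never applied by setfiles/restorecon, so the new lines would be dead. I would make them consistent with the `/cgroup` pair, `/sys/fs/cgroup/.*	<<none>>` and `/dev/hugepages/.*	<<none>>`; if leaving the mount point un-relabeled is intentional, a comment saying so would stop the next reader from changing it back.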
@@ -8476,7 +8587,7 @@ index e3e17ba..3b34959 100644
  ')
  
  ########################################
-@@ -1496,6 +1496,25 @@ interface(`fs_cifs_domtrans',`
+@@ -1504,6 +1504,25 @@ interface(`fs_cifs_domtrans',`
  	domain_auto_transition_pattern($1, cifs_t, $2)
  ')
  
@@ -8502,7 +8613,7 @@ index e3e17ba..3b34959 100644
  #######################################
  ## <summary>
  ##	Create, read, write, and delete dirs
-@@ -1923,7 +1942,26 @@ interface(`fs_read_fusefs_symlinks',`
+@@ -1931,7 +1950,26 @@ interface(`fs_read_fusefs_symlinks',`
  
  ########################################
  ## <summary>
@@ -8530,7 +8641,7 @@ index e3e17ba..3b34959 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1938,6 +1976,41 @@ interface(`fs_rw_hugetlbfs_files',`
+@@ -1946,6 +1984,41 @@ interface(`fs_rw_hugetlbfs_files',`
  
  	rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
  ')
@@ -8572,7 +8683,7 @@ index e3e17ba..3b34959 100644
  
  ########################################
  ## <summary>
-@@ -1991,6 +2064,7 @@ interface(`fs_list_inotifyfs',`
+@@ -1999,6 +2072,7 @@ interface(`fs_list_inotifyfs',`
  	')
  
  	allow $1 inotifyfs_t:dir list_dir_perms;
@@ -8580,7 +8691,7 @@ index e3e17ba..3b34959 100644
  ')
  
  ########################################
-@@ -2387,6 +2461,25 @@ interface(`fs_exec_nfs_files',`
+@@ -2395,6 +2469,25 @@ interface(`fs_exec_nfs_files',`
  
  ########################################
  ## <summary>
@@ -8606,7 +8717,7 @@ index e3e17ba..3b34959 100644
  ##	Append files
  ##	on a NFS filesystem.
  ## </summary>
-@@ -2441,7 +2534,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
+@@ -2449,7 +2542,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
  		type nfs_t;
  	')
  
@@ -8615,7 +8726,7 @@ index e3e17ba..3b34959 100644
  ')
  
  ########################################
-@@ -2629,6 +2722,24 @@ interface(`fs_dontaudit_read_removable_files',`
+@@ -2637,6 +2730,24 @@ interface(`fs_dontaudit_read_removable_files',`
  
  ########################################
  ## <summary>
@@ -8640,7 +8751,7 @@ index e3e17ba..3b34959 100644
  ##	Read removable storage symbolic links.
  ## </summary>
  ## <param name="domain">
-@@ -2837,7 +2948,7 @@ interface(`fs_dontaudit_manage_nfs_files',`
+@@ -2845,7 +2956,7 @@ interface(`fs_dontaudit_manage_nfs_files',`
  #########################################
  ## <summary>
  ##	Create, read, write, and delete symbolic links
@@ -8649,7 +8760,7 @@ index e3e17ba..3b34959 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3962,6 +4073,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -3970,6 +4081,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
  
  ########################################
  ## <summary>
@@ -8674,7 +8785,7 @@ index e3e17ba..3b34959 100644
  ##	Relabel character nodes on tmpfs filesystems.
  ## </summary>
  ## <param name="domain">
-@@ -4654,3 +4783,24 @@ interface(`fs_unconfined',`
+@@ -4662,3 +4791,24 @@ interface(`fs_unconfined',`
  
  	typeattribute $1 filesystem_unconfined_type;
  ')
@@ -8700,7 +8811,7 @@ index e3e17ba..3b34959 100644
 +')
 +
 diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
-index 56c3408..3f4cf3d 100644
+index 0dff98e..930062c 100644
 --- a/policy/modules/kernel/filesystem.te
 +++ b/policy/modules/kernel/filesystem.te
 @@ -52,6 +52,7 @@ type anon_inodefs_t;
@@ -11645,7 +11756,7 @@ index cf34b4e..cc216a4 100644
  kernel_read_kernel_sysctls(amavis_t)
  # amavis tries to access /proc/self/stat, /etc/shadow and /root - perl...
 diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
-index 9e39aa5..b37de8e 100644
+index 9e39aa5..8603d4d 100644
 --- a/policy/modules/services/apache.fc
 +++ b/policy/modules/services/apache.fc
 @@ -2,7 +2,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u
@@ -11693,7 +11804,7 @@ index 9e39aa5..b37de8e 100644
  
  ifdef(`distro_debian', `
  /var/log/horde2(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
-@@ -109,3 +107,16 @@ ifdef(`distro_debian', `
+@@ -109,3 +107,17 @@ ifdef(`distro_debian', `
  /var/www/cgi-bin(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
  /var/www/icons(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /var/www/perl(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
@@ -11705,16 +11816,17 @@ index 9e39aa5..b37de8e 100644
 +/var/www/gallery/albums(/.*)?		gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +
 +/var/lib/koji(/.*)? 			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/lib/pootle/po(/.*)? 		gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +/var/lib/rt3/data/RT-Shredder(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
 +
 +/var/www/svn(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +/var/www/svn/hooks(/.*)?		gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
 +/var/www/svn/conf(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
 diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
-index c9e1a44..c96d035 100644
+index c9e1a44..46d0960 100644
 --- a/policy/modules/services/apache.if
 +++ b/policy/modules/services/apache.if
-@@ -13,17 +13,13 @@
+@@ -13,17 +13,14 @@
  #
  template(`apache_content_template',`
  	gen_require(`
@@ -11727,14 +11839,21 @@ index c9e1a44..c96d035 100644
 -	# allow write access to public file transfer
 -	# services files.
 -	gen_tunable(allow_httpd_$1_script_anon_write, false)
--
+ 
  	#This type is for webpages
 -	type httpd_$1_content_t, httpdcontent; # customizable
 +	type httpd_$1_content_t; # customizable;
  	typealias httpd_$1_content_t alias httpd_$1_script_ro_t;
  	files_type(httpd_$1_content_t)
  
-@@ -41,11 +37,11 @@ template(`apache_content_template',`
+@@ -36,16 +33,18 @@ template(`apache_content_template',`
+ 	domain_type(httpd_$1_script_t)
+ 	role system_r types httpd_$1_script_t;
+ 
++	search_dirs_pattern($1, httpd_sys_content_t, httpd_script_exec_type)
++
+ 	# This type is used for executable scripts files
+ 	type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;
  	corecmd_shell_entry_type(httpd_$1_script_t)
  	domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t)
  
@@ -11748,7 +11867,7 @@ index c9e1a44..c96d035 100644
  	typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t };
  	files_type(httpd_$1_ra_content_t)
  
-@@ -54,7 +50,7 @@ template(`apache_content_template',`
+@@ -54,7 +53,7 @@ template(`apache_content_template',`
  	domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
  
  	allow httpd_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
@@ -11757,7 +11876,7 @@ index c9e1a44..c96d035 100644
  
  	allow httpd_$1_script_t self:fifo_file rw_file_perms;
  	allow httpd_$1_script_t self:unix_stream_socket connectto;
-@@ -86,7 +82,6 @@ template(`apache_content_template',`
+@@ -86,7 +85,6 @@ template(`apache_content_template',`
  	manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
  	manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
  	manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
@@ -11765,7 +11884,7 @@ index c9e1a44..c96d035 100644
  
  	kernel_dontaudit_search_sysctl(httpd_$1_script_t)
  	kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t)
-@@ -95,6 +90,7 @@ template(`apache_content_template',`
+@@ -95,6 +93,7 @@ template(`apache_content_template',`
  	dev_read_urand(httpd_$1_script_t)
  
  	corecmd_exec_all_executables(httpd_$1_script_t)
@@ -11773,7 +11892,7 @@ index c9e1a44..c96d035 100644
  
  	files_exec_etc_files(httpd_$1_script_t)
  	files_read_etc_files(httpd_$1_script_t)
-@@ -108,19 +104,6 @@ template(`apache_content_template',`
+@@ -108,19 +107,6 @@ template(`apache_content_template',`
  
  	seutil_dontaudit_search_config(httpd_$1_script_t)
  
@@ -11793,7 +11912,7 @@ index c9e1a44..c96d035 100644
  	# Allow the web server to run scripts and serve pages
  	tunable_policy(`httpd_builtin_scripting',`
  		manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-@@ -140,6 +123,7 @@ template(`apache_content_template',`
+@@ -140,6 +126,7 @@ template(`apache_content_template',`
  		allow httpd_t httpd_$1_content_t:dir list_dir_perms;
  		read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
  		read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
@@ -11801,7 +11920,7 @@ index c9e1a44..c96d035 100644
  	')
  
  	tunable_policy(`httpd_enable_cgi',`
-@@ -148,14 +132,19 @@ template(`apache_content_template',`
+@@ -148,14 +135,19 @@ template(`apache_content_template',`
  		# privileged users run the script:
  		domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)
  
@@ -11821,7 +11940,7 @@ index c9e1a44..c96d035 100644
  
  		allow httpd_$1_script_t httpd_t:fd use;
  		allow httpd_$1_script_t httpd_t:process sigchld;
-@@ -172,6 +161,7 @@ template(`apache_content_template',`
+@@ -172,6 +164,7 @@ template(`apache_content_template',`
  		libs_read_lib_files(httpd_$1_script_t)
  
  		miscfiles_read_localization(httpd_$1_script_t)
@@ -11829,7 +11948,7 @@ index c9e1a44..c96d035 100644
  	')
  
  	optional_policy(`
-@@ -182,15 +172,13 @@ template(`apache_content_template',`
+@@ -182,15 +175,13 @@ template(`apache_content_template',`
  
  	optional_policy(`
  		postgresql_unpriv_client(httpd_$1_script_t)
@@ -11847,7 +11966,7 @@ index c9e1a44..c96d035 100644
  ')
  
  ########################################
-@@ -229,6 +217,13 @@ interface(`apache_role',`
+@@ -229,6 +220,13 @@ interface(`apache_role',`
  	relabel_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
  	relabel_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
  
@@ -11861,7 +11980,7 @@ index c9e1a44..c96d035 100644
  	manage_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
  	manage_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
  	manage_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
-@@ -243,6 +238,8 @@ interface(`apache_role',`
+@@ -243,6 +241,8 @@ interface(`apache_role',`
  	relabel_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
  	relabel_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
  
@@ -11870,7 +11989,7 @@ index c9e1a44..c96d035 100644
  	tunable_policy(`httpd_enable_cgi',`
  		# If a user starts a script by hand it gets the proper context
  		domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t)
-@@ -312,6 +309,25 @@ interface(`apache_domtrans',`
+@@ -312,6 +312,25 @@ interface(`apache_domtrans',`
  	domtrans_pattern($1, httpd_exec_t, httpd_t)
  ')
  
@@ -11896,7 +12015,7 @@ index c9e1a44..c96d035 100644
  #######################################
  ## <summary>
  ##	Send a generic signal to apache.
-@@ -400,7 +416,7 @@ interface(`apache_dontaudit_rw_fifo_file',`
+@@ -400,7 +419,7 @@ interface(`apache_dontaudit_rw_fifo_file',`
  		type httpd_t;
  	')
  
@@ -11905,7 +12024,7 @@ index c9e1a44..c96d035 100644
  ')
  
  ########################################
-@@ -526,6 +542,25 @@ interface(`apache_rw_cache_files',`
+@@ -526,6 +545,25 @@ interface(`apache_rw_cache_files',`
  ########################################
  ## <summary>
  ##	Allow the specified domain to delete
@@ -11931,7 +12050,7 @@ index c9e1a44..c96d035 100644
  ##	Apache cache.
  ## </summary>
  ## <param name="domain">
-@@ -740,6 +775,25 @@ interface(`apache_dontaudit_search_modules',`
+@@ -740,6 +778,25 @@ interface(`apache_dontaudit_search_modules',`
  
  ########################################
  ## <summary>
@@ -11957,7 +12076,7 @@ index c9e1a44..c96d035 100644
  ##	Allow the specified domain to list
  ##	the contents of the apache modules
  ##	directory.
-@@ -756,6 +810,7 @@ interface(`apache_list_modules',`
+@@ -756,6 +813,7 @@ interface(`apache_list_modules',`
  	')
  
  	allow $1 httpd_modules_t:dir list_dir_perms;
@@ -11965,7 +12084,7 @@ index c9e1a44..c96d035 100644
  ')
  
  ########################################
-@@ -814,6 +869,7 @@ interface(`apache_list_sys_content',`
+@@ -814,6 +872,7 @@ interface(`apache_list_sys_content',`
  	')
  
  	list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
@@ -11973,7 +12092,7 @@ index c9e1a44..c96d035 100644
  	files_search_var($1)
  ')
  
-@@ -836,11 +892,80 @@ interface(`apache_manage_sys_content',`
+@@ -836,11 +895,80 @@ interface(`apache_manage_sys_content',`
  	')
  
  	files_search_var($1)
@@ -12054,7 +12173,7 @@ index c9e1a44..c96d035 100644
  ########################################
  ## <summary>
  ##	Execute all web scripts in the system
-@@ -858,6 +983,11 @@ interface(`apache_domtrans_sys_script',`
+@@ -858,6 +986,11 @@ interface(`apache_domtrans_sys_script',`
  	gen_require(`
  		attribute httpdcontent;
  		type httpd_sys_script_t;
@@ -12066,7 +12185,7 @@ index c9e1a44..c96d035 100644
  	')
  
  	tunable_policy(`httpd_enable_cgi && httpd_unified',`
-@@ -945,7 +1075,7 @@ interface(`apache_read_squirrelmail_data',`
+@@ -945,7 +1078,7 @@ interface(`apache_read_squirrelmail_data',`
  		type httpd_squirrelmail_t;
  	')
  
@@ -12075,7 +12194,7 @@ index c9e1a44..c96d035 100644
  ')
  
  ########################################
-@@ -1086,6 +1216,25 @@ interface(`apache_read_tmp_files',`
+@@ -1086,6 +1219,25 @@ interface(`apache_read_tmp_files',`
  	read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
  ')
  
@@ -12101,7 +12220,7 @@ index c9e1a44..c96d035 100644
  ########################################
  ## <summary>
  ##	Dontaudit attempts to write
-@@ -1102,7 +1251,7 @@ interface(`apache_dontaudit_write_tmp_files',`
+@@ -1102,7 +1254,7 @@ interface(`apache_dontaudit_write_tmp_files',`
  		type httpd_tmp_t;
  	')
  
@@ -12110,7 +12229,7 @@ index c9e1a44..c96d035 100644
  ')
  
  ########################################
-@@ -1172,7 +1321,7 @@ interface(`apache_admin',`
+@@ -1172,7 +1324,7 @@ interface(`apache_admin',`
  		type httpd_modules_t, httpd_lock_t;
  		type httpd_var_run_t, httpd_php_tmp_t;
  		type httpd_suexec_tmp_t, httpd_tmp_t;
@@ -12119,7 +12238,7 @@ index c9e1a44..c96d035 100644
  	')
  
  	allow $1 httpd_t:process { getattr ptrace signal_perms };
-@@ -1202,12 +1351,43 @@ interface(`apache_admin',`
+@@ -1202,12 +1354,43 @@ interface(`apache_admin',`
  
  	kernel_search_proc($1)
  	allow $1 httpd_t:dir list_dir_perms;
@@ -12165,7 +12284,7 @@ index c9e1a44..c96d035 100644
 +	dontaudit $1 httpd_t:unix_stream_socket { read write };
  ')
 diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index e33b9cd..08ec94f 100644
+index e33b9cd..de4388a 100644
 --- a/policy/modules/services/apache.te
 +++ b/policy/modules/services/apache.te
 @@ -18,6 +18,8 @@ policy_module(apache, 2.2.0)
@@ -12212,7 +12331,21 @@ index e33b9cd..08ec94f 100644
  ## Allow HTTPD scripts and modules to connect to databases over the network.
  ## </p>
  ## </desc>
-@@ -71,6 +94,13 @@ gen_tunable(httpd_can_sendmail, false)
+@@ -57,6 +80,13 @@ gen_tunable(httpd_can_network_connect_db, false)
+ 
+ ## <desc>
+ ## <p>
++## Allow httpd to connect to memcache server
++## </p>
++## </desc>
++gen_tunable(httpd_can_network_memcache, false)
++
++## <desc>
++## <p>
+ ## Allow httpd to act as a relay
+ ## </p>
+ ## </desc>
+@@ -71,6 +101,13 @@ gen_tunable(httpd_can_sendmail, false)
  
  ## <desc>
  ## <p>
@@ -12226,7 +12359,7 @@ index e33b9cd..08ec94f 100644
  ## Allow Apache to communicate with avahi service via dbus
  ## </p>
  ## </desc>
-@@ -100,6 +130,13 @@ gen_tunable(httpd_enable_homedirs, false)
+@@ -100,6 +137,13 @@ gen_tunable(httpd_enable_homedirs, false)
  
  ## <desc>
  ## <p>
@@ -12240,7 +12373,7 @@ index e33b9cd..08ec94f 100644
  ## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
  ## </p>
  ## </desc>
-@@ -107,6 +144,13 @@ gen_tunable(httpd_ssi_exec, false)
+@@ -107,6 +151,13 @@ gen_tunable(httpd_ssi_exec, false)
  
  ## <desc>
  ## <p>
@@ -12254,7 +12387,7 @@ index e33b9cd..08ec94f 100644
  ## Unify HTTPD to communicate with the terminal.
  ## Needed for entering the passphrase for certificates at
  ## the terminal.
-@@ -130,7 +174,7 @@ gen_tunable(httpd_use_cifs, false)
+@@ -130,7 +181,7 @@ gen_tunable(httpd_use_cifs, false)
  
  ## <desc>
  ## <p>
@@ -12263,7 +12396,7 @@ index e33b9cd..08ec94f 100644
  ## </p>
  ## </desc>
  gen_tunable(httpd_use_gpg, false)
-@@ -142,6 +186,13 @@ gen_tunable(httpd_use_gpg, false)
+@@ -142,6 +193,13 @@ gen_tunable(httpd_use_gpg, false)
  ## </desc>
  gen_tunable(httpd_use_nfs, false)
  
@@ -12277,7 +12410,7 @@ index e33b9cd..08ec94f 100644
  attribute httpdcontent;
  attribute httpd_user_content_type;
  
-@@ -216,7 +267,10 @@ files_tmp_file(httpd_suexec_tmp_t)
+@@ -216,7 +274,10 @@ files_tmp_file(httpd_suexec_tmp_t)
  
  # setup the system domain for system CGI scripts
  apache_content_template(sys)
@@ -12289,7 +12422,7 @@ index e33b9cd..08ec94f 100644
  
  type httpd_tmp_t;
  files_tmp_file(httpd_tmp_t)
-@@ -226,6 +280,10 @@ files_tmpfs_file(httpd_tmpfs_t)
+@@ -226,6 +287,10 @@ files_tmpfs_file(httpd_tmpfs_t)
  
  apache_content_template(user)
  ubac_constrained(httpd_user_script_t)
@@ -12300,7 +12433,7 @@ index e33b9cd..08ec94f 100644
  userdom_user_home_content(httpd_user_content_t)
  userdom_user_home_content(httpd_user_htaccess_t)
  userdom_user_home_content(httpd_user_script_exec_t)
-@@ -233,6 +291,7 @@ userdom_user_home_content(httpd_user_ra_content_t)
+@@ -233,6 +298,7 @@ userdom_user_home_content(httpd_user_ra_content_t)
  userdom_user_home_content(httpd_user_rw_content_t)
  typeattribute httpd_user_script_t httpd_script_domains;
  typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
@@ -12308,7 +12441,7 @@ index e33b9cd..08ec94f 100644
  typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
  typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
  typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
-@@ -286,6 +345,7 @@ allow httpd_t self:udp_socket create_socket_perms;
+@@ -286,6 +352,7 @@ allow httpd_t self:udp_socket create_socket_perms;
  manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
  manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
  manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
@@ -12316,7 +12449,7 @@ index e33b9cd..08ec94f 100644
  
  # Allow the httpd_t to read the web servers config files
  allow httpd_t httpd_config_t:dir list_dir_perms;
-@@ -355,6 +415,7 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -355,6 +422,7 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  kernel_read_kernel_sysctls(httpd_t)
  # for modules that want to access /proc/meminfo
  kernel_read_system_state(httpd_t)
@@ -12324,7 +12457,7 @@ index e33b9cd..08ec94f 100644
  
  corenet_all_recvfrom_unlabeled(httpd_t)
  corenet_all_recvfrom_netlabel(httpd_t)
-@@ -365,8 +426,10 @@ corenet_udp_sendrecv_generic_node(httpd_t)
+@@ -365,8 +433,10 @@ corenet_udp_sendrecv_generic_node(httpd_t)
  corenet_tcp_sendrecv_all_ports(httpd_t)
  corenet_udp_sendrecv_all_ports(httpd_t)
  corenet_tcp_bind_generic_node(httpd_t)
@@ -12335,7 +12468,7 @@ index e33b9cd..08ec94f 100644
  corenet_sendrecv_http_server_packets(httpd_t)
  # Signal self for shutdown
  corenet_tcp_connect_http_port(httpd_t)
-@@ -378,12 +441,12 @@ dev_rw_crypto(httpd_t)
+@@ -378,12 +448,12 @@ dev_rw_crypto(httpd_t)
  
  fs_getattr_all_fs(httpd_t)
  fs_search_auto_mountpoints(httpd_t)
@@ -12351,7 +12484,7 @@ index e33b9cd..08ec94f 100644
  
  domain_use_interactive_fds(httpd_t)
  
-@@ -402,6 +465,10 @@ files_read_etc_files(httpd_t)
+@@ -402,6 +472,10 @@ files_read_etc_files(httpd_t)
  files_read_var_lib_symlinks(httpd_t)
  
  fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -12362,7 +12495,7 @@ index e33b9cd..08ec94f 100644
  
  libs_read_lib_files(httpd_t)
  
-@@ -416,16 +483,31 @@ seutil_dontaudit_search_config(httpd_t)
+@@ -416,16 +490,31 @@ seutil_dontaudit_search_config(httpd_t)
  
  userdom_use_unpriv_users_fds(httpd_t)
  
@@ -12396,7 +12529,17 @@ index e33b9cd..08ec94f 100644
  ')
  ')
  
-@@ -439,13 +521,25 @@ tunable_policy(`httpd_can_network_relay',`
+@@ -433,19 +522,35 @@ tunable_policy(`httpd_can_network_connect',`
+ 	corenet_tcp_connect_all_ports(httpd_t)
+ ')
+ 
++tunable_policy(`httpd_can_network_memcache',`
++	corenet_tcp_connect_memcache_port(httpd_t)
++')
++
+ tunable_policy(`httpd_can_network_relay',`
+ 	# allow httpd to work as a relay
+ 	corenet_tcp_connect_gopher_port(httpd_t)
  	corenet_tcp_connect_ftp_port(httpd_t)
  	corenet_tcp_connect_http_port(httpd_t)
  	corenet_tcp_connect_http_cache_port(httpd_t)
@@ -12422,7 +12565,7 @@ index e33b9cd..08ec94f 100644
  tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
  	fs_nfs_domtrans(httpd_t, httpd_sys_script_t)
  ')
-@@ -456,6 +550,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -456,6 +561,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
  
  tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
  	domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
@@ -12433,7 +12576,7 @@ index e33b9cd..08ec94f 100644
  
  	manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
  	manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
-@@ -470,11 +568,25 @@ tunable_policy(`httpd_enable_homedirs',`
+@@ -470,11 +579,25 @@ tunable_policy(`httpd_enable_homedirs',`
  	userdom_read_user_home_content_files(httpd_t)
  ')
  
@@ -12459,7 +12602,7 @@ index e33b9cd..08ec94f 100644
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_t)
  	fs_read_cifs_symlinks(httpd_t)
-@@ -484,7 +596,16 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -484,7 +607,16 @@ tunable_policy(`httpd_can_sendmail',`
  	# allow httpd to connect to mail servers
  	corenet_tcp_connect_smtp_port(httpd_t)
  	corenet_sendrecv_smtp_client_packets(httpd_t)
@@ -12476,7 +12619,7 @@ index e33b9cd..08ec94f 100644
  ')
  
  tunable_policy(`httpd_ssi_exec',`
-@@ -500,8 +621,10 @@ tunable_policy(`httpd_ssi_exec',`
+@@ -500,8 +632,10 @@ tunable_policy(`httpd_ssi_exec',`
  # are dontaudited here.
  tunable_policy(`httpd_tty_comm',`
  	userdom_use_user_terminals(httpd_t)
@@ -12487,7 +12630,7 @@ index e33b9cd..08ec94f 100644
  ')
  
  optional_policy(`
-@@ -513,7 +636,13 @@ optional_policy(`
+@@ -513,7 +647,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -12502,7 +12645,7 @@ index e33b9cd..08ec94f 100644
  ')
  
  optional_policy(`
-@@ -528,7 +657,7 @@ optional_policy(`
+@@ -528,7 +668,7 @@ optional_policy(`
  	daemontools_service_domain(httpd_t, httpd_exec_t)
  ')
  
@@ -12511,7 +12654,7 @@ index e33b9cd..08ec94f 100644
  	dbus_system_bus_client(httpd_t)
  
  	tunable_policy(`httpd_dbus_avahi',`
-@@ -537,8 +666,12 @@ optional_policy(`
+@@ -537,8 +677,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -12525,7 +12668,7 @@ index e33b9cd..08ec94f 100644
  	')
  ')
  
-@@ -557,6 +690,7 @@ optional_policy(`
+@@ -557,6 +701,7 @@ optional_policy(`
  
  optional_policy(`
  	# Allow httpd to work with mysql
@@ -12533,7 +12676,7 @@ index e33b9cd..08ec94f 100644
  	mysql_stream_connect(httpd_t)
  	mysql_rw_db_sockets(httpd_t)
  
-@@ -567,6 +701,7 @@ optional_policy(`
+@@ -567,6 +712,7 @@ optional_policy(`
  
  optional_policy(`
  	nagios_read_config(httpd_t)
@@ -12541,7 +12684,7 @@ index e33b9cd..08ec94f 100644
  ')
  
  optional_policy(`
-@@ -577,12 +712,23 @@ optional_policy(`
+@@ -577,12 +723,23 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -12565,7 +12708,7 @@ index e33b9cd..08ec94f 100644
  	')
  ')
  
-@@ -591,6 +737,11 @@ optional_policy(`
+@@ -591,6 +748,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -12577,7 +12720,7 @@ index e33b9cd..08ec94f 100644
  	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
  	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
  ')
-@@ -603,6 +754,10 @@ optional_policy(`
+@@ -603,6 +765,10 @@ optional_policy(`
  	yam_read_content(httpd_t)
  ')
  
@@ -12588,7 +12731,7 @@ index e33b9cd..08ec94f 100644
  ########################################
  #
  # Apache helper local policy
-@@ -618,6 +773,10 @@ logging_send_syslog_msg(httpd_helper_t)
+@@ -618,6 +784,10 @@ logging_send_syslog_msg(httpd_helper_t)
  
  userdom_use_user_terminals(httpd_helper_t)
  
@@ -12599,7 +12742,7 @@ index e33b9cd..08ec94f 100644
  ########################################
  #
  # Apache PHP script local policy
-@@ -699,17 +858,18 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -699,17 +869,18 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
  
@@ -12621,7 +12764,7 @@ index e33b9cd..08ec94f 100644
  
  files_read_etc_files(httpd_suexec_t)
  files_read_usr_files(httpd_suexec_t)
-@@ -740,10 +900,21 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -740,10 +911,21 @@ tunable_policy(`httpd_can_network_connect',`
  	corenet_sendrecv_all_client_packets(httpd_suexec_t)
  ')
  
@@ -12644,7 +12787,7 @@ index e33b9cd..08ec94f 100644
  ')
  
  tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -769,6 +940,12 @@ optional_policy(`
+@@ -769,6 +951,12 @@ optional_policy(`
  	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
  ')
  
@@ -12657,7 +12800,7 @@ index e33b9cd..08ec94f 100644
  ########################################
  #
  # Apache system script local policy
-@@ -792,9 +969,13 @@ kernel_read_kernel_sysctls(httpd_sys_script_t)
+@@ -792,9 +980,13 @@ kernel_read_kernel_sysctls(httpd_sys_script_t)
  files_search_var_lib(httpd_sys_script_t)
  files_search_spool(httpd_sys_script_t)
  
@@ -12671,7 +12814,7 @@ index e33b9cd..08ec94f 100644
  ifdef(`distro_redhat',`
  	allow httpd_sys_script_t httpd_log_t:file append_file_perms;
  ')
-@@ -803,6 +984,28 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -803,6 +995,28 @@ tunable_policy(`httpd_can_sendmail',`
  	mta_send_mail(httpd_sys_script_t)
  ')
  
@@ -12700,7 +12843,7 @@ index e33b9cd..08ec94f 100644
  tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
  	allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
  	allow httpd_sys_script_t self:udp_socket create_socket_perms;
-@@ -830,6 +1033,16 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -830,6 +1044,16 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
  	fs_read_nfs_symlinks(httpd_sys_script_t)
  ')
  
@@ -12717,7 +12860,7 @@ index e33b9cd..08ec94f 100644
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_sys_script_t)
  	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,6 +1055,7 @@ optional_policy(`
+@@ -842,6 +1066,7 @@ optional_policy(`
  optional_policy(`
  	mysql_stream_connect(httpd_sys_script_t)
  	mysql_rw_db_sockets(httpd_sys_script_t)
@@ -12725,7 +12868,7 @@ index e33b9cd..08ec94f 100644
  ')
  
  optional_policy(`
-@@ -891,11 +1105,33 @@ optional_policy(`
+@@ -891,11 +1116,33 @@ optional_policy(`
  
  tunable_policy(`httpd_enable_cgi && httpd_unified',`
  	allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -12778,7 +12921,7 @@ index 67c91aa..472ddad 100644
  	mta_system_content(apcupsd_tmp_t)
  ')
 diff --git a/policy/modules/services/apm.te b/policy/modules/services/apm.te
-index 1c8c27e..c6832b0 100644
+index 1c8c27e..c7cba00 100644
 --- a/policy/modules/services/apm.te
 +++ b/policy/modules/services/apm.te
 @@ -62,6 +62,7 @@ allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod };
@@ -12824,20 +12967,6 @@ index 1c8c27e..c6832b0 100644
  ',`
  	# for ifconfig which is run all the time
  	kernel_dontaudit_search_sysctl(apmd_t)
-@@ -218,9 +228,13 @@ optional_policy(`
- 	udev_read_state(apmd_t) #necessary?
- ')
- 
-+ifdef(`enforcing',`
- optional_policy(`
- 	unconfined_domain(apmd_t)
- ')
-+', `
-+   permissive apmd_t;
-+')
- 
- optional_policy(`
- 	vbetool_domtrans(apmd_t)
 diff --git a/policy/modules/services/arpwatch.te b/policy/modules/services/arpwatch.te
 index 0160ba4..f31b5c9 100644
 --- a/policy/modules/services/arpwatch.te
@@ -14064,7 +14193,7 @@ index fa82327..7f4ca47 100644
  # bind to udp/323
  corenet_udp_bind_chronyd_port(chronyd_t)
 diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
-index 8c36027..0a0f374 100644
+index 8c36027..16598a4 100644
 --- a/policy/modules/services/clamav.te
 +++ b/policy/modules/services/clamav.te
 @@ -80,6 +80,7 @@ manage_files_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t)
@@ -14098,17 +14227,24 @@ index 8c36027..0a0f374 100644
  ')
  
  ########################################
-@@ -182,6 +186,9 @@ allow freshclam_t freshclam_var_log_t:dir setattr;
- allow freshclam_t clamd_var_log_t:dir search_dir_perms;
+@@ -179,9 +183,15 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file)
+ # log files (own logfiles only)
+ manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t)
+ allow freshclam_t freshclam_var_log_t:dir setattr;
+-allow freshclam_t clamd_var_log_t:dir search_dir_perms;
++read_files_pattern(freshclam_t, clamd_var_log_t, clamd_var_log_t)
  logging_log_filetrans(freshclam_t, freshclam_var_log_t, file)
  
 +kernel_read_kernel_sysctls(freshclam_t)
 +kernel_read_system_state(freshclam_t)
 +
++corecmd_exec_shell(freshclam_t)
++corecmd_exec_bin(freshclam_t)
++
  corenet_all_recvfrom_unlabeled(freshclam_t)
  corenet_all_recvfrom_netlabel(freshclam_t)
  corenet_tcp_sendrecv_generic_if(freshclam_t)
-@@ -189,6 +196,7 @@ corenet_tcp_sendrecv_generic_node(freshclam_t)
+@@ -189,6 +199,7 @@ corenet_tcp_sendrecv_generic_node(freshclam_t)
  corenet_tcp_sendrecv_all_ports(freshclam_t)
  corenet_tcp_sendrecv_clamd_port(freshclam_t)
  corenet_tcp_connect_http_port(freshclam_t)
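Review bot: The new `corecmd_exec_shell(freshclam_t)` and `corecmd_exec_bin(freshclam_t)` pair carries no comment, while this file's convention (see `# log files (own logfiles only)` a few lines up in the same hunk) is to say why a grant exists. freshclam is the domain that fetches signature updates from the network, so letting it execute a shell and every bin_t binary is a noticeably wider surface than its previous rule set; if one specific helper is what needs to run, a domain transition to that helper would be tighter. I would add `# freshclam runs user-configured hook commands (OnUpdateExecute etc.) — confirm which feature needs this` above the pair. The switch from the dir-search rule to `read_files_pattern(freshclam_t, clamd_var_log_t, clamd_var_log_t)` is fine on its own, since the pattern includes the directory search the old rule granted.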
@@ -14116,7 +14252,7 @@ index 8c36027..0a0f374 100644
  corenet_sendrecv_http_client_packets(freshclam_t)
  
  dev_read_rand(freshclam_t)
-@@ -207,6 +215,8 @@ miscfiles_read_localization(freshclam_t)
+@@ -207,6 +218,8 @@ miscfiles_read_localization(freshclam_t)
  
  clamav_stream_connect(freshclam_t)
  
@@ -14125,7 +14261,7 @@ index 8c36027..0a0f374 100644
  optional_policy(`
  	cron_system_entry(freshclam_t, freshclam_exec_t)
  ')
-@@ -251,6 +261,7 @@ corenet_tcp_sendrecv_clamd_port(clamscan_t)
+@@ -251,6 +264,7 @@ corenet_tcp_sendrecv_clamd_port(clamscan_t)
  corenet_tcp_connect_clamd_port(clamscan_t)
  
  kernel_read_kernel_sysctls(clamscan_t)
@@ -15914,7 +16050,7 @@ index 8ba9425..d53ee7e 100644
 +    gnome_dontaudit_search_config(denyhosts_t)
 +')
 diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
-index f231f17..ca3a848 100644
+index f231f17..6cee08f 100644
 --- a/policy/modules/services/devicekit.te
 +++ b/policy/modules/services/devicekit.te
 @@ -75,10 +75,12 @@ manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
@@ -15942,21 +16078,15 @@ index f231f17..ca3a848 100644
  files_manage_isid_type_dirs(devicekit_disk_t)
  files_manage_mnt_dirs(devicekit_disk_t)
  files_read_etc_files(devicekit_disk_t)
-@@ -178,17 +182,33 @@ optional_policy(`
+@@ -178,17 +182,27 @@ optional_policy(`
  	virt_manage_images(devicekit_disk_t)
  ')
  
-+ifdef(`enforcing',`
 +optional_policy(`
 +	unconfined_domain(devicekit_t)
 +	unconfined_domain(devicekit_power_t)
 +	unconfined_domain(devicekit_disk_t)
 +')
-+', `
-+	permissive devicekit_t;
-+	permissive devicekit_power_t;
-+	permissive devicekit_disk_t;
-+')
 +
  ########################################
  #
@@ -15977,7 +16107,7 @@ index f231f17..ca3a848 100644
  manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
  manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
  files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir)
-@@ -212,12 +232,14 @@ dev_rw_generic_usb_dev(devicekit_power_t)
+@@ -212,12 +226,14 @@ dev_rw_generic_usb_dev(devicekit_power_t)
  dev_rw_generic_chr_files(devicekit_power_t)
  dev_rw_netcontrol(devicekit_power_t)
  dev_rw_sysfs(devicekit_power_t)
@@ -15992,7 +16122,7 @@ index f231f17..ca3a848 100644
  
  term_use_all_terms(devicekit_power_t)
  
-@@ -225,6 +247,8 @@ auth_use_nsswitch(devicekit_power_t)
+@@ -225,8 +241,11 @@ auth_use_nsswitch(devicekit_power_t)
  
  miscfiles_read_localization(devicekit_power_t)
  
@@ -16000,8 +16130,11 @@ index f231f17..ca3a848 100644
 +
  sysnet_read_config(devicekit_power_t)
  sysnet_domtrans_ifconfig(devicekit_power_t)
++sysnet_domtrans_dhcpc(devicekit_power_t)
+ 
+ userdom_read_all_users_state(devicekit_power_t)
  
-@@ -261,6 +285,10 @@ optional_policy(`
+@@ -261,6 +280,10 @@ optional_policy(`
  ')
  
  optional_policy(`
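Review bot: `sysnet_domtrans_dhcpc(devicekit_power_t)` is added without a why-comment, unlike neighbouring rules in this file such as the ifconfig transition. My guess is that the power-management resume hooks restart network interfaces and therefore spawn a DHCP client, but that is inferred from the names; a one-liner such as `# pm-utils resume hooks restart the DHCP client — confirm` would record the actual reason. Note that devicekit_power_t also receives `unconfined_domain` inside an optional_policy block elsewhere in this patch, which presumably makes this explicit transition matter only on installs without the unconfined module.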
@@ -16012,7 +16145,7 @@ index f231f17..ca3a848 100644
  	hal_domtrans_mac(devicekit_power_t)
  	hal_manage_log(devicekit_power_t)
  	hal_manage_pid_dirs(devicekit_power_t)
-@@ -280,5 +308,10 @@ optional_policy(`
+@@ -280,5 +303,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -16125,7 +16258,7 @@ index e1d7dc5..09f6f30 100644
  	admin_pattern($1, dovecot_var_run_t)
  
 diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
-index 14c6a2e..554ee5a 100644
+index 14c6a2e..c771d46 100644
 --- a/policy/modules/services/dovecot.te
 +++ b/policy/modules/services/dovecot.te
 @@ -18,7 +18,7 @@ type dovecot_auth_tmp_t;
@@ -16189,7 +16322,7 @@ index 14c6a2e..554ee5a 100644
  	postfix_search_spool(dovecot_auth_t)
  ')
  
-@@ -253,19 +261,26 @@ allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
+@@ -253,19 +261,27 @@ allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
  
  allow dovecot_deliver_t dovecot_t:process signull;
  
@@ -16198,7 +16331,8 @@ index 14c6a2e..554ee5a 100644
  allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
  
 +allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms;
-+allow dovecot_deliver_t dovecot_var_log_t:dir search_dir_perms;
++
++append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)
 +
 +can_exec(dovecot_deliver_t, dovecot_deliver_exec_t)
 +
@@ -16218,7 +16352,7 @@ index 14c6a2e..554ee5a 100644
  
  miscfiles_read_localization(dovecot_deliver_t)
  
-@@ -302,4 +317,5 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -302,4 +318,5 @@ tunable_policy(`use_samba_home_dirs',`
  
  optional_policy(`
  	mta_manage_spool(dovecot_deliver_t)
@@ -17519,10 +17653,25 @@ index 24c6253..e72b063 100644
  #
  # Local hald dccm policy
 diff --git a/policy/modules/services/icecast.te b/policy/modules/services/icecast.te
-index a57ffc0..f441c9a 100644
+index a57ffc0..4992511 100644
 --- a/policy/modules/services/icecast.te
 +++ b/policy/modules/services/icecast.te
-@@ -37,7 +37,10 @@ manage_dirs_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t)
+@@ -5,6 +5,14 @@ policy_module(icecast, 1.0.0)
+ # Declarations
+ #
+ 
++## <desc>
++## <p>
++## Allow icecast to connect to all ports, not just
++## sound ports.
++## </p>
++## </desc>
++gen_tunable(icecast_connect_any, false)
++
+ type icecast_t;
+ type icecast_exec_t;
+ init_daemon_domain(icecast_t, icecast_exec_t)
+@@ -37,7 +45,16 @@ manage_dirs_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t)
  manage_files_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t)
  files_pid_filetrans(icecast_t, icecast_var_run_t, { file dir })
  
@@ -17530,10 +17679,16 @@ index a57ffc0..f441c9a 100644
 +
  corenet_tcp_bind_soundd_port(icecast_t)
 +corenet_tcp_connect_soundd_port(icecast_t)
++
++tunable_policy(`icecast_connect_any',`
++	corenet_tcp_connect_all_ports(icecast_t)
++	corenet_tcp_bind_all_ports(icecast_t)
++	corenet_sendrecv_all_packets(icecast_t)
++')
  
  # Init script handling
  domain_use_interactive_fds(icecast_t)
-@@ -51,5 +54,9 @@ miscfiles_read_localization(icecast_t)
+@@ -51,5 +68,9 @@ miscfiles_read_localization(icecast_t)
  sysnet_dns_name_resolve(icecast_t)
  
  optional_policy(`
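Review bot: The `tunable_policy(`icecast_connect_any'` block grants `corenet_tcp_bind_all_ports(icecast_t)` and `corenet_sendrecv_all_packets(icecast_t)`, but the boolean's `<desc>` added in the preceding hunk says only that icecast may connect to all ports. Listening on an arbitrary port is a different exposure than making an outbound connection, and administrators decide from the description text, so either drop the bind line or document it, e.g. `## Allow icecast to connect to and bind to all ports, not just sound ports.`. If binding is not actually required, `corenet_tcp_connect_all_ports(icecast_t)` together with `corenet_sendrecv_all_client_packets(icecast_t)` would match the stated intent more closely.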
@@ -19176,7 +19331,7 @@ index 256166a..c526ce8 100644
  
  /usr/lib(64)?/sendmail	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
 diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
-index 343cee3..01af7c3 100644
+index 343cee3..a9ebda2 100644
 --- a/policy/modules/services/mta.if
 +++ b/policy/modules/services/mta.if
 @@ -220,6 +220,25 @@ interface(`mta_agent_executable',`
@@ -19247,7 +19402,33 @@ index 343cee3..01af7c3 100644
  ')
  
  ########################################
-@@ -474,7 +494,8 @@ interface(`mta_write_config',`
+@@ -420,6 +440,25 @@ interface(`mta_signal_system_mail',`
+ 
+ ########################################
+ ## <summary>
++##	Send system mail client a kill signal
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++#
++interface(`mta_kill_system_mail',`
++	gen_require(`
++		type system_mail_t;
++	')
++
++	allow $1 system_mail_t:process sigkill;
++')
++
++########################################
++## <summary>
+ ##	Execute sendmail in the caller domain.
+ ## </summary>
+ ## <param name="domain">
+@@ -474,7 +513,8 @@ interface(`mta_write_config',`
  		type etc_mail_t;
  	')
  
@@ -19257,7 +19438,7 @@ index 343cee3..01af7c3 100644
  ')
  
  ########################################
-@@ -698,7 +719,7 @@ interface(`mta_rw_spool',`
+@@ -698,7 +738,7 @@ interface(`mta_rw_spool',`
  	files_search_spool($1)
  	allow $1 mail_spool_t:dir list_dir_perms;
  	allow $1 mail_spool_t:file setattr;
@@ -19266,7 +19447,7 @@ index 343cee3..01af7c3 100644
  	read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
  ')
  
-@@ -899,3 +920,43 @@ interface(`mta_rw_user_mail_stream_sockets',`
+@@ -899,3 +939,43 @@ interface(`mta_rw_user_mail_stream_sockets',`
  
  	allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
  ')
@@ -19846,7 +20027,7 @@ index 8581040..e3c8272 100644
  ##	a domain transition.
  ## </summary>
 diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te
-index da5b33d..0c4ac5b 100644
+index da5b33d..1029389 100644
 --- a/policy/modules/services/nagios.te
 +++ b/policy/modules/services/nagios.te
 @@ -107,13 +107,11 @@ files_read_etc_files(nagios_t)
@@ -19864,8 +20045,12 @@ index da5b33d..0c4ac5b 100644
  auth_use_nsswitch(nagios_t)
  
  logging_send_syslog_msg(nagios_t)
-@@ -126,8 +124,6 @@ userdom_dontaudit_search_user_home_dirs(nagios_t)
+@@ -124,10 +122,10 @@ userdom_dontaudit_use_unpriv_user_fds(nagios_t)
+ userdom_dontaudit_search_user_home_dirs(nagios_t)
+ 
  mta_send_mail(nagios_t)
++mta_signal_system_mail(nagios_t)
++mta_kill_system_mail(nagios_t)
  
  optional_policy(`
 -	netutils_domtrans_ping(nagios_t)
@@ -19873,7 +20058,7 @@ index da5b33d..0c4ac5b 100644
  	netutils_kill_ping(nagios_t)
  ')
  
-@@ -340,6 +336,8 @@ files_read_usr_files(nagios_services_plugin_t)
+@@ -340,6 +338,8 @@ files_read_usr_files(nagios_services_plugin_t)
  
  optional_policy(`
  	netutils_domtrans_ping(nagios_services_plugin_t)
@@ -20445,7 +20630,7 @@ index 4996f62..975deca 100644
  kernel_read_kernel_sysctls(openct_t)
  kernel_list_proc(openct_t)
 diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te
-index f3d5790..9be673c 100644
+index f3d5790..196f2a2 100644
 --- a/policy/modules/services/openvpn.te
 +++ b/policy/modules/services/openvpn.te
 @@ -24,6 +24,9 @@ files_config_file(openvpn_etc_t)
@@ -20458,6 +20643,15 @@ index f3d5790..9be673c 100644
  type openvpn_initrc_exec_t;
  init_script_file(openvpn_initrc_exec_t)
  
+@@ -48,7 +51,7 @@ allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto };
+ allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto };
+ allow openvpn_t self:udp_socket create_socket_perms;
+ allow openvpn_t self:tcp_socket server_stream_socket_perms;
+-allow openvpn_t self:tun_socket create;
++allow openvpn_t self:tun_socket { create_socket_perms relabelfrom };
+ allow openvpn_t self:netlink_route_socket rw_netlink_socket_perms;
+ 
+ can_exec(openvpn_t, openvpn_etc_t)
 @@ -58,9 +61,13 @@ read_lnk_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_t)
  manage_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t)
  filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file)
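Review bot: `allow openvpn_t self:tun_socket { create_socket_perms relabelfrom };` grants relabelfrom but not relabelto; as I recall the kernel's tun attach hook checks relabelfrom against the device's current label and then relabelto against the caller's own label, so re-attaching to a persistent tun device that openvpn_t created would still be denied on the relabelto check. If persistent devices are the use case, `allow openvpn_t self:tun_socket { create_socket_perms relabelfrom relabelto };` is the complete rule. Confirm against the AVC denials that motivated the change before widening it.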
@@ -20811,10 +21005,10 @@ index 0000000..8ecd276
 +')
 diff --git a/policy/modules/services/piranha.te b/policy/modules/services/piranha.te
 new file mode 100644
-index 0000000..17d6b45
+index 0000000..0a5f27d
 --- /dev/null
 +++ b/policy/modules/services/piranha.te
-@@ -0,0 +1,216 @@
+@@ -0,0 +1,220 @@
 +policy_module(piranha,1.0.0)
 +
 +########################################
@@ -20932,6 +21126,10 @@ index 0000000..17d6b45
 +')
 +
 +optional_policy(`
++	gnome_dontaudit_search_config(piranha_web_t)
++')
++
++optional_policy(`
 +        sasl_connect(piranha_web_t)
 +')
 +
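Review bot: The inserted `gnome_dontaudit_search_config(piranha_web_t)` block is indented with a tab while the adjacent `sasl_connect(piranha_web_t)` block in this new file uses eight spaces. Since piranha.te is introduced by this same patch, it is worth settling on one indent style (the other policy files in this patch use tabs) before the file lands, rather than mixing both in a fresh file.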
@@ -21178,7 +21376,7 @@ index 48ff1e8..29c9906 100644
 +	allow $1 policykit_auth_t:process signal;
  ')
 diff --git a/policy/modules/services/policykit.te b/policy/modules/services/policykit.te
-index 1e7169d..ab881a1 100644
+index 1e7169d..e731afa 100644
 --- a/policy/modules/services/policykit.te
 +++ b/policy/modules/services/policykit.te
 @@ -24,6 +24,9 @@ init_system_domain(policykit_resolve_t, policykit_resolve_exec_t)
@@ -21262,7 +21460,7 @@ index 1e7169d..ab881a1 100644
 -allow policykit_auth_t self:capability setgid;
 -allow policykit_auth_t self:process getattr;
 -allow policykit_auth_t self:fifo_file rw_file_perms;
-+allow policykit_auth_t self:capability { setgid setuid };
++allow policykit_auth_t self:capability { ipc_lock setgid setuid };
 +dontaudit policykit_auth_t self:capability sys_tty_config;
 +allow policykit_auth_t self:process { getattr getsched signal };
 +allow policykit_auth_t self:fifo_file rw_fifo_file_perms;
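Review bot: `ipc_lock` is added to policykit_auth_t's capability set with no comment on why the PolicyKit auth helper needs it. It is most likely for locking buffers that hold a password in memory during PAM authentication, but that is inferred; a comment such as `# ipc_lock: locking the password buffer in memory — confirm` on the changed line would save the next reader the guess.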
@@ -22956,7 +23154,7 @@ index 7dc38d1..91dbe71 100644
 +	admin_pattern($1, rgmanager_var_run_t)
 +')
 diff --git a/policy/modules/services/rgmanager.te b/policy/modules/services/rgmanager.te
-index 00fa514..ce5dbc0 100644
+index 00fa514..9ab1d80 100644
 --- a/policy/modules/services/rgmanager.te
 +++ b/policy/modules/services/rgmanager.te
 @@ -17,6 +17,9 @@ type rgmanager_exec_t;
@@ -23018,20 +23216,6 @@ index 00fa514..ce5dbc0 100644
  	mysql_domtrans_mysql_safe(rgmanager_t)
  	mysql_stream_connect(rgmanager_t)
  ')
-@@ -193,9 +209,13 @@ optional_policy(`
- 	virt_stream_connect(rgmanager_t)
- ')
- 
-+ifdef(`enforcing',`
- optional_policy(`
- 	unconfined_domain(rgmanager_t)
- ')
-+', `
-+	permissive rgmanager_t;
-+')
- 
- optional_policy(`
- 	xen_domtrans_xm(rgmanager_t)
 diff --git a/policy/modules/services/rhcs.fc b/policy/modules/services/rhcs.fc
 index c2ba53b..b19961e 100644
 --- a/policy/modules/services/rhcs.fc
@@ -23848,6 +24032,20 @@ index 6f8e268..7d64285 100644
  
  ########################################
  #
+diff --git a/policy/modules/services/rwho.te b/policy/modules/services/rwho.te
+index a07b2f4..d78daf4 100644
+--- a/policy/modules/services/rwho.te
++++ b/policy/modules/services/rwho.te
+@@ -55,6 +55,9 @@ files_read_etc_files(rwho_t)
+ init_read_utmp(rwho_t)
+ init_dontaudit_write_utmp(rwho_t)
+ 
++logging_send_syslog_msg(rwho_t)
++
+ miscfiles_read_localization(rwho_t)
+ 
+ sysnet_dns_name_resolve(rwho_t)
++
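Review bot: The inner hunk's final `++` line adds a blank line after `sysnet_dns_name_resolve(rwho_t)` at the end of rwho.te, leaving a trailing empty line in the file. The `logging_send_syslog_msg(rwho_t)` addition itself is placed correctly; only that stray blank line should be dropped, after which the inner header becomes `@@ -55,6 +55,8 @@`.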
 diff --git a/policy/modules/services/samba.fc b/policy/modules/services/samba.fc
 index 69a6074..73db5ba 100644
 --- a/policy/modules/services/samba.fc
@@ -26231,7 +26429,7 @@ index 7c5d8d8..1a0701b 100644
 +')
 +
 diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3cce663..8040c74 100644
+index 3cce663..8f0fac9 100644
 --- a/policy/modules/services/virt.te
 +++ b/policy/modules/services/virt.te
 @@ -4,6 +4,7 @@ policy_module(virt, 1.4.0)
@@ -26485,21 +26683,7 @@ index 3cce663..8040c74 100644
  ')
  
  optional_policy(`
-@@ -385,9 +446,13 @@ optional_policy(`
- 	udev_read_db(virtd_t)
- ')
- 
-+ifdef(`enforcing',`
- optional_policy(`
- 	unconfined_domain(virtd_t)
- ')
-+', `
-+   permissive virtd_t;
-+')
- 
- ########################################
- #
-@@ -402,6 +467,19 @@ allow virt_domain self:unix_stream_socket create_stream_socket_perms;
+@@ -402,6 +463,19 @@ allow virt_domain self:unix_stream_socket create_stream_socket_perms;
  allow virt_domain self:unix_dgram_socket { create_socket_perms sendto };
  allow virt_domain self:tcp_socket create_stream_socket_perms;
  
@@ -26519,7 +26703,7 @@ index 3cce663..8040c74 100644
  append_files_pattern(virt_domain, virt_log_t, virt_log_t)
  
  append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
-@@ -422,6 +500,7 @@ corenet_rw_tun_tap_dev(virt_domain)
+@@ -422,6 +496,7 @@ corenet_rw_tun_tap_dev(virt_domain)
  corenet_tcp_bind_virt_migration_port(virt_domain)
  corenet_tcp_connect_virt_migration_port(virt_domain)
  
@@ -26527,7 +26711,7 @@ index 3cce663..8040c74 100644
  dev_read_rand(virt_domain)
  dev_read_sound(virt_domain)
  dev_read_urand(virt_domain)
-@@ -429,10 +508,12 @@ dev_write_sound(virt_domain)
+@@ -429,10 +504,12 @@ dev_write_sound(virt_domain)
  dev_rw_ksm(virt_domain)
  dev_rw_kvm(virt_domain)
  dev_rw_qemu(virt_domain)
@@ -26540,7 +26724,7 @@ index 3cce663..8040c74 100644
  files_read_usr_files(virt_domain)
  files_read_var_files(virt_domain)
  files_search_all(virt_domain)
-@@ -440,6 +521,11 @@ files_search_all(virt_domain)
+@@ -440,6 +517,11 @@ files_search_all(virt_domain)
  fs_getattr_tmpfs(virt_domain)
  fs_rw_anon_inodefs_files(virt_domain)
  fs_rw_tmpfs_files(virt_domain)
@@ -26552,7 +26736,7 @@ index 3cce663..8040c74 100644
  
  term_use_all_terms(virt_domain)
  term_getattr_pty_fs(virt_domain)
-@@ -457,8 +543,121 @@ optional_policy(`
+@@ -457,8 +539,121 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -26829,7 +27013,7 @@ index 6f1e3c7..39c2bb3 100644
 +/var/lib/pqsql/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 +
 diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index da2601a..a5b3186 100644
+index da2601a..81c0af8 100644
 --- a/policy/modules/services/xserver.if
 +++ b/policy/modules/services/xserver.if
 @@ -19,9 +19,10 @@
@@ -27107,7 +27291,15 @@ index da2601a..a5b3186 100644
  ')
  
  ########################################
-@@ -1224,9 +1322,20 @@ interface(`xserver_manage_core_devices',`
+@@ -1185,6 +1283,7 @@ interface(`xserver_stream_connect',`
+ 
+ 	files_search_tmp($1)
+ 	stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
++	allow xserver $1:shm rw_shm_perms;
+ ')
+ 
+ ########################################
+@@ -1224,9 +1323,20 @@ interface(`xserver_manage_core_devices',`
  		class x_device all_x_device_perms;
  		class x_pointer all_x_pointer_perms;
  		class x_keyboard all_x_keyboard_perms;
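Review bot: `allow xserver $1:shm rw_shm_perms;` in `xserver_stream_connect` names `xserver`, which is not a declared type or attribute, so the module will fail to build; the rule should read `allow xserver_t $1:shm rw_shm_perms;`, xserver_t being the type this interface already connects to. A short comment would help as well, since the direction is the server mapping the caller's segments, e.g. `# MIT-SHM: the X server reads and writes client shared memory`. The interface's opening lines and its gen_require are outside this hunk; check that xserver_t is listed there.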
@@ -27128,7 +27320,7 @@ index da2601a..a5b3186 100644
  ')
  
  ########################################
-@@ -1250,3 +1359,329 @@ interface(`xserver_unconfined',`
+@@ -1250,3 +1360,329 @@ interface(`xserver_unconfined',`
  	typeattribute $1 x_domain;
  	typeattribute $1 xserver_unconfined_type;
  ')
@@ -27459,7 +27651,7 @@ index da2601a..a5b3186 100644
 +	manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
 +')
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index e226da4..50b4a08 100644
+index e226da4..9b9e013 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
 @@ -35,6 +35,13 @@ gen_tunable(allow_write_xshm, false)
@@ -28067,7 +28259,7 @@ index e226da4..50b4a08 100644
  	hostname_exec(xdm_t)
  ')
  
-@@ -539,20 +761,63 @@ optional_policy(`
+@@ -539,20 +761,64 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28085,6 +28277,7 @@ index e226da4..50b4a08 100644
 +optional_policy(`
 +	plymouthd_search_spool(xdm_t)
 +	plymouthd_exec_plymouth(xdm_t)
++	plymouthd_stream_connect(xdm_t)
 +')
 +
 +optional_policy(`
@@ -28133,7 +28326,7 @@ index e226da4..50b4a08 100644
  
  	ifndef(`distro_redhat',`
  		allow xdm_t self:process { execheap execmem };
-@@ -561,7 +826,6 @@ optional_policy(`
+@@ -561,7 +827,6 @@ optional_policy(`
  	ifdef(`distro_rhel4',`
  		allow xdm_t self:process { execheap execmem };
  	')
@@ -28141,7 +28334,7 @@ index e226da4..50b4a08 100644
  
  optional_policy(`
  	userhelper_dontaudit_search_config(xdm_t)
-@@ -572,6 +836,10 @@ optional_policy(`
+@@ -572,6 +837,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28152,7 +28345,7 @@ index e226da4..50b4a08 100644
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -596,7 +864,7 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -596,7 +865,7 @@ allow xserver_t input_xevent_t:x_event send;
  # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
@@ -28161,7 +28354,7 @@ index e226da4..50b4a08 100644
  dontaudit xserver_t self:capability chown;
  allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow xserver_t self:fd use;
-@@ -610,6 +878,18 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -610,6 +879,18 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -28180,7 +28373,7 @@ index e226da4..50b4a08 100644
  
  manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -629,12 +909,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -629,12 +910,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -28202,7 +28395,7 @@ index e226da4..50b4a08 100644
  
  kernel_read_system_state(xserver_t)
  kernel_read_device_sysctls(xserver_t)
-@@ -642,6 +929,7 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -642,6 +930,7 @@ kernel_read_modprobe_sysctls(xserver_t)
  # Xorg wants to check if kernel is tainted
  kernel_read_kernel_sysctls(xserver_t)
  kernel_write_proc_files(xserver_t)
@@ -28210,7 +28403,7 @@ index e226da4..50b4a08 100644
  
  # Run helper programs in xserver_t.
  corecmd_exec_bin(xserver_t)
-@@ -668,7 +956,6 @@ dev_rw_apm_bios(xserver_t)
+@@ -668,7 +957,6 @@ dev_rw_apm_bios(xserver_t)
  dev_rw_agp(xserver_t)
  dev_rw_framebuffer(xserver_t)
  dev_manage_dri_dev(xserver_t)
@@ -28218,7 +28411,7 @@ index e226da4..50b4a08 100644
  dev_create_generic_dirs(xserver_t)
  dev_setattr_generic_dirs(xserver_t)
  # raw memory access is needed if not using the frame buffer
-@@ -678,8 +965,13 @@ dev_wx_raw_memory(xserver_t)
+@@ -678,8 +966,13 @@ dev_wx_raw_memory(xserver_t)
  dev_rw_xserver_misc(xserver_t)
  # read events - the synaptics touchpad driver reads raw events
  dev_rw_input_dev(xserver_t)
@@ -28232,7 +28425,7 @@ index e226da4..50b4a08 100644
  files_read_etc_files(xserver_t)
  files_read_etc_runtime_files(xserver_t)
  files_read_usr_files(xserver_t)
-@@ -693,8 +985,13 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -693,8 +986,13 @@ fs_getattr_xattr_fs(xserver_t)
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -28246,7 +28439,7 @@ index e226da4..50b4a08 100644
  
  selinux_validate_context(xserver_t)
  selinux_compute_access_vector(xserver_t)
-@@ -716,11 +1013,14 @@ logging_send_audit_msgs(xserver_t)
+@@ -716,11 +1014,14 @@ logging_send_audit_msgs(xserver_t)
  
  miscfiles_read_localization(xserver_t)
  miscfiles_read_fonts(xserver_t)
@@ -28261,7 +28454,7 @@ index e226da4..50b4a08 100644
  
  userdom_search_user_home_dirs(xserver_t)
  userdom_use_user_ttys(xserver_t)
-@@ -773,20 +1073,44 @@ optional_policy(`
+@@ -773,12 +1074,28 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28286,17 +28479,12 @@ index e226da4..50b4a08 100644
 +	udev_read_db(xserver_t)
 +')
 +
-+ifdef(`enforcing',`
 +optional_policy(`
 +	unconfined_domain(xserver_t)
  	unconfined_domtrans(xserver_t)
  ')
-+', `
-+   permissive xserver_t;
-+')
  
- optional_policy(`
- 	userhelper_search_config(xserver_t)
+@@ -787,6 +1104,10 @@ optional_policy(`
  ')
  
  optional_policy(`
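Review bot: With the `ifdef(`enforcing'` wrapper removed, `unconfined_domain(xserver_t)` now applies whenever the unconfined module is loaded, which presumably leaves the fine-grained xserver_t rules in this file dormant on such installs; the commit intends this, but nothing in the file says so. A comment at this block, `# xserver_t is unconfined by default; the rules above only take effect once the unconfined module is removed`, would keep readers from assuming the X server is confined. The same wrapper is dropped for apmd_t, devicekit_t/devicekit_power_t/devicekit_disk_t, rgmanager_t, virtd_t and fsadm_t in other hunks of this patch, where the same note applies.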
@@ -28307,7 +28495,7 @@ index e226da4..50b4a08 100644
  	xfs_stream_connect(xserver_t)
  ')
  
-@@ -802,10 +1126,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -802,10 +1123,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
  
  # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
  # handle of a file inside the dir!!!
@@ -28320,7 +28508,7 @@ index e226da4..50b4a08 100644
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -826,6 +1150,13 @@ init_use_fds(xserver_t)
+@@ -826,6 +1147,13 @@ init_use_fds(xserver_t)
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -28334,7 +28522,7 @@ index e226da4..50b4a08 100644
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xserver_t)
-@@ -841,11 +1172,14 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -841,11 +1169,14 @@ tunable_policy(`use_samba_home_dirs',`
  
  optional_policy(`
  	dbus_system_bus_client(xserver_t)
@@ -28351,7 +28539,7 @@ index e226da4..50b4a08 100644
  ')
  
  optional_policy(`
-@@ -991,3 +1325,33 @@ allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *;
+@@ -991,3 +1322,33 @@ allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *;
  allow xserver_unconfined_type xextension_type:x_extension *;
  allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
  allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
@@ -28773,10 +28961,21 @@ index 1c4b1e7..2997dd7 100644
  /var/lib/pam_ssh(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
  
 diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 7fddc24..227958c 100644
+index 7fddc24..304bc75 100644
 --- a/policy/modules/system/authlogin.if
 +++ b/policy/modules/system/authlogin.if
-@@ -91,9 +91,12 @@ interface(`auth_use_pam',`
+@@ -66,6 +66,10 @@ interface(`auth_use_pam',`
+ 		optional_policy(`
+ 			consolekit_dbus_chat($1)
+ 		')
++
++		optional_policy(`
++			fprintd_dbus_chat($1)
++		')
+ 	')
+ 
+ 	optional_policy(`
+@@ -91,9 +95,12 @@ interface(`auth_use_pam',`
  interface(`auth_login_pgm_domain',`
  	gen_require(`
  		type var_auth_t, auth_cache_t;
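Review bot: The new `fprintd_dbus_chat($1)` call inside `auth_use_pam` lets every PAM-using domain exchange D-Bus messages with fprintd, not only the chfn and passwd domains named in the commit message, because auth_use_pam is also called from auth_login_pgm_domain (visible as context in a later hunk of this file). That is probably intended, since pam_fprintd can sit in any PAM stack, but the block carries no comment; `# pam_fprintd talks to fprintd over the system bus` above the new optional_policy would record it. The enclosing dbus optional_policy block starts outside this hunk.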
@@ -28789,7 +28988,7 @@ index 7fddc24..227958c 100644
  	domain_subj_id_change_exemption($1)
  	domain_role_change_exemption($1)
  	domain_obj_id_change_exemption($1)
-@@ -107,8 +110,10 @@ interface(`auth_login_pgm_domain',`
+@@ -107,8 +114,10 @@ interface(`auth_login_pgm_domain',`
  	allow $1 self:capability ipc_lock;
  	allow $1 self:process setkeycreate;
  	allow $1 self:key manage_key_perms;
@@ -28800,7 +28999,7 @@ index 7fddc24..227958c 100644
  	manage_files_pattern($1, var_auth_t, var_auth_t)
  
  	manage_dirs_pattern($1, auth_cache_t, auth_cache_t)
-@@ -126,6 +131,8 @@ interface(`auth_login_pgm_domain',`
+@@ -126,6 +135,8 @@ interface(`auth_login_pgm_domain',`
  	files_read_etc_files($1)
  
  	fs_list_auto_mountpoints($1)
@@ -28809,7 +29008,7 @@ index 7fddc24..227958c 100644
  
  	selinux_get_fs_mount($1)
  	selinux_validate_context($1)
-@@ -141,6 +148,7 @@ interface(`auth_login_pgm_domain',`
+@@ -141,6 +152,7 @@ interface(`auth_login_pgm_domain',`
  	mls_process_set_level($1)
  	mls_fd_share_all_levels($1)
  
@@ -28817,7 +29016,7 @@ index 7fddc24..227958c 100644
  	auth_use_pam($1)
  
  	init_rw_utmp($1)
-@@ -151,8 +159,38 @@ interface(`auth_login_pgm_domain',`
+@@ -151,8 +163,38 @@ interface(`auth_login_pgm_domain',`
  	seutil_read_config($1)
  	seutil_read_default_contexts($1)
  
@@ -28858,7 +29057,7 @@ index 7fddc24..227958c 100644
  	')
  ')
  
-@@ -365,13 +403,15 @@ interface(`auth_domtrans_chk_passwd',`
+@@ -365,13 +407,15 @@ interface(`auth_domtrans_chk_passwd',`
  	')
  
  	optional_policy(`
@@ -28875,7 +29074,7 @@ index 7fddc24..227958c 100644
  ')
  
  ########################################
-@@ -418,6 +458,7 @@ interface(`auth_run_chk_passwd',`
+@@ -418,6 +462,7 @@ interface(`auth_run_chk_passwd',`
  
  	auth_domtrans_chk_passwd($1)
  	role $2 types chkpwd_t;
@@ -28883,7 +29082,7 @@ index 7fddc24..227958c 100644
  ')
  
  ########################################
-@@ -874,6 +915,26 @@ interface(`auth_exec_pam',`
+@@ -874,6 +919,26 @@ interface(`auth_exec_pam',`
  
  ########################################
  ## <summary>
@@ -28910,7 +29109,7 @@ index 7fddc24..227958c 100644
  ##	Manage var auth files. Used by various other applications
  ##	and pam applets etc.
  ## </summary>
-@@ -1500,6 +1561,8 @@ interface(`auth_manage_login_records',`
+@@ -1500,6 +1565,8 @@ interface(`auth_manage_login_records',`
  #
  interface(`auth_use_nsswitch',`
  
@@ -28919,7 +29118,7 @@ index 7fddc24..227958c 100644
  	files_list_var_lib($1)
  
  	# read /etc/nsswitch.conf
-@@ -1531,7 +1594,15 @@ interface(`auth_use_nsswitch',`
+@@ -1531,7 +1598,15 @@ interface(`auth_use_nsswitch',`
  	')
  
  	optional_policy(`
@@ -29147,7 +29346,7 @@ index a97a096..dd65c15 100644
  /sbin/partprobe		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/partx		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
-index a442acc..e8dd9c8 100644
+index a442acc..7cb7582 100644
 --- a/policy/modules/system/fstools.te
 +++ b/policy/modules/system/fstools.te
 @@ -55,6 +55,7 @@ allow fsadm_t swapfile_t:file { rw_file_perms swapon };
@@ -29168,7 +29367,7 @@ index a442acc..e8dd9c8 100644
  # Recreate /mnt/cdrom.
  files_manage_mnt_dirs(fsadm_t)
  # for tune2fs
-@@ -147,12 +151,16 @@ modutils_read_module_deps(fsadm_t)
+@@ -147,7 +151,7 @@ modutils_read_module_deps(fsadm_t)
  
  seutil_read_config(fsadm_t)
  
@@ -29176,17 +29375,8 @@ index a442acc..e8dd9c8 100644
 +term_use_all_terms(fsadm_t)
  
  ifdef(`distro_redhat',`
-+ifdef(`enforcing',`
  	optional_policy(`
- 		unconfined_domain(fsadm_t)
- 	')
-+', `
-+   permissive fsadm_t;
-+')
- ')
- 
- optional_policy(`
-@@ -166,6 +174,14 @@ optional_policy(`
+@@ -166,6 +170,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29201,7 +29391,7 @@ index a442acc..e8dd9c8 100644
  	nis_use_ypbind(fsadm_t)
  ')
  
-@@ -175,6 +191,10 @@ optional_policy(`
+@@ -175,6 +187,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29320,7 +29510,7 @@ index 9775375..b338481 100644
  #
  # /var
 diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index f6aafe7..7da8294 100644
+index f6aafe7..c504f34 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
 @@ -105,7 +105,11 @@ interface(`init_domain',`
@@ -29444,7 +29634,7 @@ index f6aafe7..7da8294 100644
  ')
  
  ########################################
-@@ -669,12 +733,14 @@ interface(`init_telinit',`
+@@ -669,19 +733,24 @@ interface(`init_telinit',`
  		type initctl_t;
  	')
  
@@ -29460,7 +29650,8 @@ index f6aafe7..7da8294 100644
  		gen_require(`
  			type init_t;
  		')
-@@ -682,6 +748,8 @@ interface(`init_telinit',`
+ 
++		allow $1 init_t:process signal;
  		# upstart uses a datagram socket instead of initctl pipe
  		allow $1 self:unix_dgram_socket create_socket_perms;
  		allow $1 init_t:unix_dgram_socket sendto;
@@ -29469,7 +29660,7 @@ index f6aafe7..7da8294 100644
  	')
  ')
  
-@@ -754,18 +822,19 @@ interface(`init_script_file_entry_type',`
+@@ -754,18 +823,19 @@ interface(`init_script_file_entry_type',`
  #
  interface(`init_spec_domtrans_script',`
  	gen_require(`
@@ -29493,7 +29684,7 @@ index f6aafe7..7da8294 100644
  	')
  ')
  
-@@ -781,23 +850,45 @@ interface(`init_spec_domtrans_script',`
+@@ -781,23 +851,45 @@ interface(`init_spec_domtrans_script',`
  #
  interface(`init_domtrans_script',`
  	gen_require(`
@@ -29543,7 +29734,7 @@ index f6aafe7..7da8294 100644
  ##	Execute a init script in a specified domain.
  ## </summary>
  ## <desc>
-@@ -849,8 +940,10 @@ interface(`init_script_file_domtrans',`
+@@ -849,8 +941,10 @@ interface(`init_script_file_domtrans',`
  interface(`init_labeled_script_domtrans',`
  	gen_require(`
  		type initrc_t;
@@ -29554,7 +29745,7 @@ index f6aafe7..7da8294 100644
  	domtrans_pattern($1, $2, initrc_t)
  	files_search_etc($1)
  ')
-@@ -1338,6 +1431,27 @@ interface(`init_dbus_send_script',`
+@@ -1338,6 +1432,27 @@ interface(`init_dbus_send_script',`
  ########################################
  ## <summary>
  ##	Send and receive messages from
@@ -29582,7 +29773,7 @@ index f6aafe7..7da8294 100644
  ##	init scripts over dbus.
  ## </summary>
  ## <param name="domain">
-@@ -1637,7 +1751,7 @@ interface(`init_dontaudit_rw_utmp',`
+@@ -1637,7 +1752,7 @@ interface(`init_dontaudit_rw_utmp',`
  		type initrc_var_run_t;
  	')
  
@@ -29591,7 +29782,7 @@ index f6aafe7..7da8294 100644
  ')
  
  ########################################
-@@ -1712,3 +1826,94 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1712,3 +1827,94 @@ interface(`init_udp_recvfrom_all_daemons',`
  	')
  	corenet_udp_recvfrom_labeled($1, daemon)
  ')
@@ -30647,7 +30838,7 @@ index 5c94dfe..59bfb17 100644
  
  ########################################
 diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
-index a3fdcb3..e9bd52a 100644
+index a3fdcb3..bce3aea 100644
 --- a/policy/modules/system/iptables.te
 +++ b/policy/modules/system/iptables.te
 @@ -13,9 +13,6 @@ role system_r types iptables_t;
@@ -30731,6 +30922,14 @@ index a3fdcb3..e9bd52a 100644
  ')
  
  optional_policy(`
+@@ -124,6 +135,7 @@ optional_policy(`
+ 
+ optional_policy(`
+ 	shorewall_rw_lib_files(iptables_t)
++	shorewall_read_tmp_files(iptables_t)
+ ')
+ 
+ optional_policy(`
 diff --git a/policy/modules/system/iscsi.if b/policy/modules/system/iscsi.if
 index 663a47b..ad0b864 100644
 --- a/policy/modules/system/iscsi.if
@@ -30998,8 +31197,39 @@ index 9df8c4d..1d2236b 100644
 +/opt/lgtonmc/bin/.*\.so(\.[0-9])?  	--  gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/opt/google/picasa/.*\.dll	--  gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/opt/google/picasa/.*\.yti	--  gen_context(system_u:object_r:textrel_shlib_t,s0)
+diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
+index d97d16d..8b174c8 100644
+--- a/policy/modules/system/libraries.if
++++ b/policy/modules/system/libraries.if
+@@ -46,6 +46,26 @@ interface(`libs_run_ldconfig',`
+ 
+ ########################################
+ ## <summary>
++##	Execute ldconfig in the caller domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++## 	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`libs_exec_ldconfig',`
++	gen_require(`
++		type ldconfig_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	can_exec($1, ldconfig_exec_t)
++')
++
++########################################
++## <summary>
+ ##	Use the dynamic link/loader for automatic loading
+ ##	of shared libraries.
+ ## </summary>
 diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
-index bf416a4..af2af2d 100644
+index bf416a4..561a849 100644
 --- a/policy/modules/system/libraries.te
 +++ b/policy/modules/system/libraries.te
 @@ -61,7 +61,7 @@ allow ldconfig_t self:capability { dac_override sys_chroot };
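Review bot: The summary of the new `libs_exec_ldconfig` interface says "in the caller domain" but does not state the consequence a policy author needs: `can_exec($1, ldconfig_exec_t)` performs no transition to ldconfig_t, so the ldconfig run is bounded by the caller's own rules and presumably cannot update anything the caller could not already write. A second summary sentence such as `## No domain transition takes place; ldconfig runs with the caller's own permissions.` would make the difference from the transitioning interface above it explicit. As a point of style, the doc block indents `<summary>` with a tab but `</summary>` with a space followed by a tab (`## 	</summary>`); make the two lines consistent.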
@@ -31049,17 +31279,12 @@ index bf416a4..af2af2d 100644
  	puppet_rw_tmp(ldconfig_t)
  ')
  
-@@ -141,6 +151,10 @@ optional_policy(`
- 	rpm_manage_script_tmp_files(ldconfig_t)
- ')
+@@ -143,4 +153,4 @@ optional_policy(`
  
-+ifdef(`enforcing',`
  optional_policy(`
  	unconfined_domain(ldconfig_t)
+-')
 +')'
-+, `
-+	permissive ldconfig_t;
- ')
 diff --git a/policy/modules/system/locallogin.fc b/policy/modules/system/locallogin.fc
 index 7570583..be6a81b 100644
 --- a/policy/modules/system/locallogin.fc
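Review bot: The rewritten libraries.te hunk turns `')` into `')'` (`-')` followed by `+')'`), which leaves an unbalanced m4 close-quote after the `unconfined_domain(ldconfig_t)` block now that the enclosing `ifdef(`enforcing'` wrapper has been removed. That trailing `'` only made sense when it closed the ifdef's first argument; on its own it is passed through into the generated policy and would presumably fail the policy build. Since the new side otherwise reproduces the file's original text, the whole `@@ -143,4 +153,4 @@` hunk should be dropped rather than kept as a one-character change.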
@@ -31452,7 +31677,7 @@ index 58bc27f..b4f0663 100644
 +	allow $1 clvmd_tmpfs_t:file rw_file_perms;
 +')
 diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
-index 86ef2da..7eb67d1 100644
+index 86ef2da..7f649d5 100644
 --- a/policy/modules/system/lvm.te
 +++ b/policy/modules/system/lvm.te
 @@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t)
@@ -31476,26 +31701,19 @@ index 86ef2da..7eb67d1 100644
  manage_files_pattern(clvmd_t, clvmd_var_run_t, clvmd_var_run_t)
  files_pid_filetrans(clvmd_t, clvmd_var_run_t, file)
  
-@@ -135,9 +142,18 @@ lvm_domtrans(clvmd_t)
- lvm_read_config(clvmd_t)
+@@ -141,6 +148,11 @@ ifdef(`distro_redhat',`
+ ')
  
- ifdef(`distro_redhat',`
-+ifdef(`enforcing',`
- 	optional_policy(`
- 		unconfined_domain(clvmd_t)
- 	')
-+', `
-+	permissive clvmd_t;
-+')
+ optional_policy(`
++	aisexec_stream_connect(clvmd_t)
++	corosync_stream_connect(clvmd_t)
 +')
 +
 +optional_policy(`
-+	aisexec_stream_connect(clvmd_t)
-+	corosync_stream_connect(clvmd_t)
+ 	ccs_stream_connect(clvmd_t)
  ')
  
- optional_policy(`
-@@ -170,6 +186,7 @@ dontaudit lvm_t self:capability sys_tty_config;
+@@ -170,6 +182,7 @@ dontaudit lvm_t self:capability sys_tty_config;
  allow lvm_t self:process { sigchld sigkill sigstop signull signal };
  # LVM will complain a lot if it cannot set its priority.
  allow lvm_t self:process setsched;
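Review bot: `aisexec_stream_connect(clvmd_t)` and `corosync_stream_connect(clvmd_t)` sit in a single `optional_policy` block, and such a block is all-or-nothing: if aisexec and corosync are separate policy modules and only one is loaded, neither rule takes effect. The grouping is carried over from the previous version rather than introduced here, but the hunk is the place to fix it: if the two are indeed separate modules, give each its own block, `optional_policy(` / `	aisexec_stream_connect(clvmd_t)` / `')` and a second one for corosync. The same grouping appears in the lvm_t hunk further down (`aisexec_stream_connect(lvm_t)` / `corosync_stream_connect(lvm_t)`).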
@@ -31503,7 +31721,7 @@ index 86ef2da..7eb67d1 100644
  allow lvm_t self:file rw_file_perms;
  allow lvm_t self:fifo_file manage_fifo_file_perms;
  allow lvm_t self:unix_dgram_socket create_socket_perms;
-@@ -210,12 +227,15 @@ filetrans_pattern(lvm_t, lvm_etc_t, lvm_metadata_t, file)
+@@ -210,12 +223,15 @@ filetrans_pattern(lvm_t, lvm_etc_t, lvm_metadata_t, file)
  files_etc_filetrans(lvm_t, lvm_metadata_t, file)
  files_search_mnt(lvm_t)
  
@@ -31519,7 +31737,7 @@ index 86ef2da..7eb67d1 100644
  kernel_search_debugfs(lvm_t)
  
  corecmd_exec_bin(lvm_t)
-@@ -242,6 +262,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t)
+@@ -242,6 +258,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t)
  dev_dontaudit_getattr_generic_blk_files(lvm_t)
  dev_dontaudit_getattr_generic_pipes(lvm_t)
  dev_create_generic_dirs(lvm_t)
@@ -31527,7 +31745,7 @@ index 86ef2da..7eb67d1 100644
  
  domain_use_interactive_fds(lvm_t)
  domain_read_all_domains_state(lvm_t)
-@@ -251,8 +272,9 @@ files_read_etc_files(lvm_t)
+@@ -251,8 +268,9 @@ files_read_etc_files(lvm_t)
  files_read_etc_runtime_files(lvm_t)
  # for when /usr is not mounted:
  files_dontaudit_search_isid_type_dirs(lvm_t)
@@ -31538,7 +31756,7 @@ index 86ef2da..7eb67d1 100644
  fs_search_auto_mountpoints(lvm_t)
  fs_list_tmpfs(lvm_t)
  fs_read_tmpfs_symlinks(lvm_t)
-@@ -262,6 +284,7 @@ fs_rw_anon_inodefs_files(lvm_t)
+@@ -262,6 +280,7 @@ fs_rw_anon_inodefs_files(lvm_t)
  
  mls_file_read_all_levels(lvm_t)
  mls_file_write_to_clearance(lvm_t)
@@ -31546,26 +31764,19 @@ index 86ef2da..7eb67d1 100644
  
  selinux_get_fs_mount(lvm_t)
  selinux_validate_context(lvm_t)
-@@ -303,9 +326,18 @@ ifdef(`distro_redhat',`
- 	# this is from the initrd:
- 	files_rw_isid_type_dirs(lvm_t)
+@@ -309,6 +328,11 @@ ifdef(`distro_redhat',`
+ ')
  
-+ifdef(`enforcing',`
- 	optional_policy(`
- 		unconfined_domain(lvm_t)
- 	')
-+', `
-+	permissive lvm_t;
-+')
+ optional_policy(`
++	aisexec_stream_connect(lvm_t)
++	corosync_stream_connect(lvm_t)
 +')
 +
 +optional_policy(`
-+	aisexec_stream_connect(lvm_t)
-+	corosync_stream_connect(lvm_t)
+ 	bootloader_rw_tmp_files(lvm_t)
  ')
  
- optional_policy(`
-@@ -329,6 +361,10 @@ optional_policy(`
+@@ -329,6 +353,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -31729,7 +31940,7 @@ index 9c0faab..def8d5a 100644
  ##	loading modules.
  ## </summary>
 diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
-index 74a4466..f39f39f 100644
+index 74a4466..9abf3b1 100644
 --- a/policy/modules/system/modutils.te
 +++ b/policy/modules/system/modutils.te
 @@ -18,6 +18,7 @@ type insmod_t;
@@ -31764,21 +31975,7 @@ index 74a4466..f39f39f 100644
  
  ifdef(`distro_ubuntu',`
  	optional_policy(`
-@@ -94,17 +99,21 @@ optional_policy(`
- 	rpm_manage_script_tmp_files(depmod_t)
- ')
- 
-+ifdef(`enforcing',`
- optional_policy(`
- 	# Read System.map from home directories.
- 	unconfined_domain(depmod_t)
- ')
-+', `
-+	permissive depmod_t;
-+')
- 
- ########################################
- #
+@@ -104,7 +109,7 @@ optional_policy(`
  # insmod local policy
  #
  
@@ -31787,7 +31984,7 @@ index 74a4466..f39f39f 100644
  allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal };
  
  allow insmod_t self:udp_socket create_socket_perms;
-@@ -125,6 +134,7 @@ kernel_write_proc_files(insmod_t)
+@@ -125,6 +130,7 @@ kernel_write_proc_files(insmod_t)
  kernel_mount_debugfs(insmod_t)
  kernel_mount_kvmfs(insmod_t)
  kernel_read_debugfs(insmod_t)
@@ -31795,7 +31992,7 @@ index 74a4466..f39f39f 100644
  # Rules for /proc/sys/kernel/tainted
  kernel_read_kernel_sysctls(insmod_t)
  kernel_rw_kernel_sysctl(insmod_t)
-@@ -142,6 +152,7 @@ dev_rw_agp(insmod_t)
+@@ -142,6 +148,7 @@ dev_rw_agp(insmod_t)
  dev_read_sound(insmod_t)
  dev_write_sound(insmod_t)
  dev_rw_apm_bios(insmod_t)
@@ -31803,7 +32000,7 @@ index 74a4466..f39f39f 100644
  
  domain_signal_all_domains(insmod_t)
  domain_use_interactive_fds(insmod_t)
-@@ -160,11 +171,15 @@ files_write_kernel_modules(insmod_t)
+@@ -160,11 +167,15 @@ files_write_kernel_modules(insmod_t)
  
  fs_getattr_xattr_fs(insmod_t)
  fs_dontaudit_use_tmpfs_chr_dev(insmod_t)
@@ -31819,7 +32016,7 @@ index 74a4466..f39f39f 100644
  
  logging_send_syslog_msg(insmod_t)
  logging_search_logs(insmod_t)
-@@ -173,8 +188,7 @@ miscfiles_read_localization(insmod_t)
+@@ -173,8 +184,7 @@ miscfiles_read_localization(insmod_t)
  
  seutil_read_file_contexts(insmod_t)
  
@@ -31829,7 +32026,7 @@ index 74a4466..f39f39f 100644
  userdom_dontaudit_search_user_home_dirs(insmod_t)
  
  if( ! secure_mode_insmod ) {
-@@ -191,6 +205,10 @@ optional_policy(`
+@@ -191,6 +201,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -31840,25 +32037,17 @@ index 74a4466..f39f39f 100644
  	hal_write_log(insmod_t)
  ')
  
-@@ -229,10 +247,18 @@ optional_policy(`
- 	rpm_rw_pipes(insmod_t)
+@@ -235,6 +249,10 @@ optional_policy(`
  ')
  
-+ifdef(`enforcing',`
  optional_policy(`
- 	unconfined_domain(insmod_t)
- 	unconfined_dontaudit_rw_pipes(insmod_t)
- ')
-+', `
-+	permissive insmod_t;
++	virt_dontaudit_write_pipes(insmod_t)
 +')
 +
 +optional_policy(`
-+	virt_dontaudit_write_pipes(insmod_t)
-+')
- 
- optional_policy(`
  	# cjp: why is this needed:
+ 	dev_rw_xserver_misc(insmod_t)
+ 
 diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc
 index 72c746e..e3d06fd 100644
 --- a/policy/modules/system/mount.fc
@@ -32387,7 +32576,7 @@ index fca6947..a2f7102 100644
 +
 +userdom_use_user_terminals(showmount_t)
 diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te
-index 09845c4..5ccaca7 100644
+index 09845c4..2fe5969 100644
 --- a/policy/modules/system/raid.te
 +++ b/policy/modules/system/raid.te
 @@ -30,8 +30,9 @@ allow mdadm_t self:fifo_file rw_fifo_file_perms;
@@ -32401,25 +32590,24 @@ index 09845c4..5ccaca7 100644
  
  kernel_read_system_state(mdadm_t)
  kernel_read_kernel_sysctls(mdadm_t)
-@@ -57,6 +58,7 @@ domain_use_interactive_fds(mdadm_t)
+@@ -52,13 +53,16 @@ dev_dontaudit_getattr_generic_blk_files(mdadm_t)
+ dev_read_realtime_clock(mdadm_t)
+ # unfortunately needed for DMI decoding:
+ dev_read_raw_memory(mdadm_t)
++dev_read_generic_files(mdadm_t)
+ 
+ domain_use_interactive_fds(mdadm_t)
  
  files_read_etc_files(mdadm_t)
  files_read_etc_runtime_files(mdadm_t)
 +files_dontaudit_getattr_tmpfs_files(mdadm_t)
  
- fs_search_auto_mountpoints(mdadm_t)
+-fs_search_auto_mountpoints(mdadm_t)
++fs_list_hugetlbfs(mdadm_t)
++fs_list_auto_mountpoints(mdadm_t)
  fs_dontaudit_list_tmpfs(mdadm_t)
-@@ -95,6 +97,10 @@ optional_policy(`
- 	udev_read_db(mdadm_t)
- ')
  
-+ifdef(`enforcing',`
- optional_policy(`
- 	unconfined_domain(mdadm_t)
- ')
-+', `
-+	permissive mdadm_t;
-+')
+ mls_file_read_all_levels(mdadm_t)
 diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc
 index 2cc4bda..9e81136 100644
 --- a/policy/modules/system/selinuxutil.fc
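Review bot: `dev_read_generic_files(mdadm_t)` grants read access to every generic file under /dev, and unlike its neighbour `dev_read_raw_memory(mdadm_t)` (annotated `# unfortunately needed for DMI decoding:`) it has no comment naming what mdadm actually reads, so a later reviewer cannot judge whether a narrower interface would do. A why-comment in the same style, e.g. `# mdadm reads <WHICH-FILES — placeholder> under /dev`, would record that. The swap from `fs_search_auto_mountpoints` to `fs_list_auto_mountpoints` together with the new `fs_list_hugetlbfs` likewise widens search to directory listing without a note.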
@@ -32861,7 +33049,7 @@ index 170e2c7..bbaa8cf 100644
 +')
 +')
 diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index ff5d72d..a0cf928 100644
+index ff5d72d..edee963 100644
 --- a/policy/modules/system/selinuxutil.te
 +++ b/policy/modules/system/selinuxutil.te
 @@ -22,6 +22,9 @@ attribute can_relabelto_binary_policy;
@@ -33102,7 +33290,7 @@ index ff5d72d..a0cf928 100644
  # cjp: need a more general way to handle this:
  ifdef(`enable_mls',`
  	# read secadm tmp files
-@@ -498,112 +492,54 @@ ifdef(`enable_mls',`
+@@ -498,112 +492,50 @@ ifdef(`enable_mls',`
  	userdom_read_user_tmp_files(semanage_t)
  ')
  
@@ -33152,18 +33340,12 @@ index ff5d72d..a0cf928 100644
 -fs_list_all(setfiles_t)
 -fs_search_auto_mountpoints(setfiles_t)
 -fs_relabelfrom_noxattr_fs(setfiles_t)
-+init_dontaudit_use_fds(setsebool_t)
- 
+-
 -mls_file_read_all_levels(setfiles_t)
 -mls_file_write_all_levels(setfiles_t)
 -mls_file_upgrade(setfiles_t)
 -mls_file_downgrade(setfiles_t)
-+# Bug in semanage
-+seutil_domtrans_setfiles(setsebool_t)
-+seutil_manage_file_contexts(setsebool_t)
-+seutil_manage_default_contexts(setsebool_t)
-+seutil_manage_config(setsebool_t)
- 
+-
 -selinux_validate_context(setfiles_t)
 -selinux_compute_access_vector(setfiles_t)
 -selinux_compute_create_context(setfiles_t)
@@ -33185,9 +33367,15 @@ index ff5d72d..a0cf928 100644
 -logging_send_syslog_msg(setfiles_t)
 -
 -miscfiles_read_localization(setfiles_t)
--
++init_dontaudit_use_fds(setsebool_t)
+ 
 -seutil_libselinux_linked(setfiles_t)
--
++# Bug in semanage
++seutil_domtrans_setfiles(setsebool_t)
++seutil_manage_file_contexts(setsebool_t)
++seutil_manage_default_contexts(setsebool_t)
++seutil_manage_config(setsebool_t)
+ 
 -userdom_use_all_users_fds(setfiles_t)
 -# for config files in a home directory
 -userdom_read_user_home_content_files(setfiles_t)
@@ -33241,13 +33429,9 @@ index ff5d72d..a0cf928 100644
  	')
  ')
  
-+ifdef(`enforcing',`
  optional_policy(`
 -	hotplug_use_fds(setfiles_t)
 +	unconfined_domain(setfiles_mac_t)
-+')
-+', `
-+	permissive lvm_t;
  ')
 diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
 index 4ec45a4..4488c6d 100644
@@ -33420,10 +33604,10 @@ index 0000000..fec3374
 +')
 diff --git a/policy/modules/system/sosreport.te b/policy/modules/system/sosreport.te
 new file mode 100644
-index 0000000..593a206
+index 0000000..c15bcea
 --- /dev/null
 +++ b/policy/modules/system/sosreport.te
-@@ -0,0 +1,158 @@
+@@ -0,0 +1,154 @@
 +policy_module(sosreport,1.0.0)
 +
 +########################################
@@ -33575,13 +33759,9 @@ index 0000000..593a206
 +	xserver_stream_connect(sosreport_t)
 +')
 +
-+ifdef(`enforcing',`
 +optional_policy(`
 +	unconfined_domain(sosreport_t)
 +')
-+', `
-+	permissive sosreport_t;
-+')
 diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
 index 726619b..4bb3158 100644
 --- a/policy/modules/system/sysnetwork.fc
@@ -34033,7 +34213,7 @@ index 025348a..59bc26b 100644
  
  ########################################
 diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index a054cf5..7cc3698 100644
+index a054cf5..f99fdcb 100644
 --- a/policy/modules/system/udev.te
 +++ b/policy/modules/system/udev.te
 @@ -52,6 +52,7 @@ allow udev_t self:unix_dgram_socket sendto;
@@ -34067,21 +34247,7 @@ index a054cf5..7cc3698 100644
  
  mcs_ptrace_all(udev_t)
  
-@@ -192,9 +196,13 @@ ifdef(`distro_redhat',`
- 	# for arping used for static IP addresses on PCMCIA ethernet
- 	netutils_domtrans(udev_t)
- 
-+	ifdef(`enforcing',`
- 	optional_policy(`
- 		unconfined_domain(udev_t)
- 	')
-+	', `
-+	   permissive udev_t;
-+	')
- ')
- 
- optional_policy(`
-@@ -216,11 +224,16 @@ optional_policy(`
+@@ -216,11 +220,16 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -34098,7 +34264,7 @@ index a054cf5..7cc3698 100644
  ')
  
  optional_policy(`
-@@ -233,6 +246,10 @@ optional_policy(`
+@@ -233,6 +242,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -34109,7 +34275,7 @@ index a054cf5..7cc3698 100644
  	lvm_domtrans(udev_t)
  ')
  
-@@ -259,6 +276,10 @@ optional_policy(`
+@@ -259,6 +272,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -34120,7 +34286,7 @@ index a054cf5..7cc3698 100644
  	openct_read_pid_files(udev_t)
  	openct_domtrans(udev_t)
  ')
-@@ -273,6 +294,11 @@ optional_policy(`
+@@ -273,6 +290,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -34870,10 +35036,10 @@ index f976344..4474379 100644
 -	')
 -')
 diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc
-index db75976..9068325 100644
+index db75976..61db6da 100644
 --- a/policy/modules/system/userdomain.fc
 +++ b/policy/modules/system/userdomain.fc
-@@ -1,4 +1,14 @@
+@@ -1,4 +1,15 @@
  HOME_DIR	-d	gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
 +HOME_DIR	-l	gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
  HOME_DIR/.+		gen_context(system_u:object_r:user_home_t,s0)
@@ -34885,12 +35051,13 @@ index db75976..9068325 100644
 +/dev/shm/mono.*		gen_context(system_u:object_r:user_tmpfs_t,s0)
 +HOME_DIR/bin(/.*)?	gen_context(system_u:object_r:home_bin_t,s0)
 +HOME_DIR/local/bin(/.*)?	gen_context(system_u:object_r:home_bin_t,s0)
++HOME_DIR/Audio(/.*)?    gen_context(system_u:object_r:audio_home_t,s0)
 +HOME_DIR/Music(/.*)?    gen_context(system_u:object_r:audio_home_t,s0)
 +HOME_DIR/\.cert(/.*)?	gen_context(system_u:object_r:home_cert_t,s0)
 +HOME_DIR/\.pki(/.*)?		gen_context(system_u:object_r:home_cert_t,s0)
 +HOME_DIR/\.gvfs(/.*)?	<<none>>
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 8b4f6d8..1456a83 100644
+index 8b4f6d8..e1da594 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,8 +30,9 @@ template(`userdom_base_user_template',`
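Review bot: The new `HOME_DIR/Audio(/.*)?    gen_context(system_u:object_r:audio_home_t,s0)` entry separates the pattern from its context with spaces, copying the Music line it mirrors, whereas the other entries in this fc block use tabs. Both parse the same, but aligning with tabs keeps the column layout of the file consistent for readers scanning the patterns.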
@@ -36404,6 +36571,15 @@ index 8b4f6d8..1456a83 100644
  ')
  
  ########################################
+@@ -2906,7 +3205,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+ 		type user_devpts_t;
+ 	')
+ 
+-	dontaudit $1 user_devpts_t:chr_file rw_file_perms;
++	dontaudit $1 user_devpts_t:chr_file rw_inherited_file_perms;
+ ')
+ 
+ ########################################
 @@ -2961,7 +3260,45 @@ interface(`userdom_write_user_tmp_files',`
  		type user_tmp_t;
  	')
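Review bot: Changing the dontaudit in `userdom_dontaudit_use_user_ptys` from `rw_file_perms` to `rw_inherited_file_perms` means a domain that itself opens a user pty, rather than inheriting the descriptor, will now generate AVC denials; that looks intentional but nothing records the decision, and the interface summary (outside this hunk) presumably still describes it as simply not auditing pty use. A one-line comment above the rule would capture it, e.g. `# only inherited fds: a domain that opens user ptys itself should be audited`.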

