[selinux-policy] Allow iptables to read shorewall tmp files Change chfn and passwd to use auth_use_pam so they can se

Daniel J Walsh dwalsh at fedoraproject.org
Wed Sep 8 18:17:09 UTC 2010


commit 64d84cf8ece94efc144ecb3fe657118ae618916b
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Wed Sep 8 14:17:07 2010 -0400

    Allow iptables to read shorewall tmp files
    Change chfn and passwd to use auth_use_pam so they can send dbus messages to fprintd
    label vlc as an execmem_exec_t
    Lots of fixes for mozilla_plugin to run google video chat
    Allow telepathy_msn to execute ldconfig and its own tmp files
    Fix labels on hugepages
    Allow mdadm to read files on /dev
    Remove permissive domains and change back to unconfined
    Allow freshclam to execute shell and bin_t
    Allow devicekit_power to transition to dhcpc
    Add boolean to allow icecast to connect to any port

 .gitignore          |    1 +
 policy-F14.patch    | 1733 +++++++++++++++++++++++++++++----------------------
 selinux-policy.spec |   16 +-
 sources             |    2 +-
 4 files changed, 1008 insertions(+), 744 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index 8632839..8fea9fc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -223,3 +223,4 @@ serefpolicy*
 /serefpolicy-3.9.0.tgz
 /serefpolicy-3.9.1.tgz
 /serefpolicy-3.9.2.tgz
+/serefpolicy-3.9.3.tgz
diff --git a/policy-F14.patch b/policy-F14.patch
index d722157..470095b 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -206,110 +206,6 @@ index af90ef2..fbd2c40 100644
  	(( h1 dom h2 ) or ( t1 == mcskillall ));
  
  #
-diff --git a/policy/modules/admin/alsa.fc b/policy/modules/admin/alsa.fc
-index 30a0ac7..f5fc753 100644
---- a/policy/modules/admin/alsa.fc
-+++ b/policy/modules/admin/alsa.fc
-@@ -1,3 +1,5 @@
-+HOME_DIR/\.asoundrc		--	gen_context(system_u:object_r:alsa_home_t,s0)
-+
- /bin/alsaunmute		--	gen_context(system_u:object_r:alsa_exec_t,s0)
- 
- /etc/alsa/asound\.state --	gen_context(system_u:object_r:alsa_etc_rw_t,s0)
-diff --git a/policy/modules/admin/alsa.if b/policy/modules/admin/alsa.if
-index fe09bea..090b5c9 100644
---- a/policy/modules/admin/alsa.if
-+++ b/policy/modules/admin/alsa.if
-@@ -16,6 +16,7 @@ interface(`alsa_domtrans',`
- 	')
- 
- 	domtrans_pattern($1, alsa_exec_t, alsa_t)
-+	corecmd_search_bin($1)
- ')
- 
- ########################################
-@@ -33,7 +34,7 @@ interface(`alsa_rw_semaphores',`
- 		type alsa_t;
- 	')
- 
--	allow $1 alsa_t:sem { unix_read unix_write associate read write };
-+	allow $1 alsa_t:sem rw_sem_perms;
- ')
- 
- ########################################
-@@ -51,7 +52,7 @@ interface(`alsa_rw_shared_mem',`
- 		type alsa_t;
- 	')
- 
--	allow $1 alsa_t:shm { unix_read unix_write create_shm_perms };
-+	allow $1 alsa_t:shm rw_shm_perms;
- ')
- 
- ########################################
-@@ -72,6 +73,7 @@ interface(`alsa_read_rw_config',`
- 	allow $1 alsa_etc_rw_t:dir list_dir_perms;
- 	read_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
- 	read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
-+	files_search_etc($1)
- ')
- 
- ########################################
-@@ -92,6 +94,7 @@ interface(`alsa_manage_rw_config',`
- 	allow $1 alsa_etc_rw_t:dir list_dir_perms;
- 	manage_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
- 	read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
-+	files_search_etc($1)
- ')
- 
- ########################################
-@@ -110,4 +113,24 @@ interface(`alsa_read_lib',`
- 	')
- 
- 	read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
-+	files_search_var_lib($1)
-+')
-+
-+########################################
-+## <summary>
-+##	Read alsa home files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`alsa_read_home_files',`
-+	gen_require(`
-+		type alsa_home_t;
-+	')
-+
-+	allow $1 alsa_home_t:file read_file_perms;
-+	userdom_search_user_home_dirs($1)
- ')
-diff --git a/policy/modules/admin/alsa.te b/policy/modules/admin/alsa.te
-index 04f9d96..ed1c3dc 100644
---- a/policy/modules/admin/alsa.te
-+++ b/policy/modules/admin/alsa.te
-@@ -16,6 +16,9 @@ files_type(alsa_etc_rw_t)
- type alsa_var_lib_t;
- files_type(alsa_var_lib_t)
- 
-+type alsa_home_t;
-+userdom_user_home_content(alsa_home_t)
-+
- ########################################
- #
- # Local policy
-@@ -28,6 +31,8 @@ allow alsa_t self:shm create_shm_perms;
- allow alsa_t self:unix_stream_socket create_stream_socket_perms;
- allow alsa_t self:unix_dgram_socket create_socket_perms;
- 
-+allow alsa_t alsa_home_t:file read_file_perms;
-+
- manage_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t)
- manage_lnk_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t)
- files_etc_filetrans(alsa_t, alsa_etc_rw_t, file)
 diff --git a/policy/modules/admin/amanda.if b/policy/modules/admin/amanda.if
 index d1d035e..2cb11ea 100644
 --- a/policy/modules/admin/amanda.if
@@ -1374,7 +1270,7 @@ index 95dbcf3..bdba9c5 100644
  	optional_policy(`
  		java_domtrans_unconfined(rpm_script_t)
 diff --git a/policy/modules/admin/shorewall.if b/policy/modules/admin/shorewall.if
-index 0948921..992a7fc 100644
+index 0948921..b83f3db 100644
 --- a/policy/modules/admin/shorewall.if
 +++ b/policy/modules/admin/shorewall.if
 @@ -18,6 +18,24 @@ interface(`shorewall_domtrans',`
@@ -1402,7 +1298,33 @@ index 0948921..992a7fc 100644
  #######################################
  ## <summary>
  ##	Read shorewall etc configuration files.
-@@ -134,9 +152,10 @@ interface(`shorewall_rw_lib_files',`
+@@ -117,6 +135,25 @@ interface(`shorewall_rw_lib_files',`
+ 
+ #######################################
+ ## <summary>
++##      Read shorewall tmp files.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`shorewall_read_tmp_files',`
++        gen_require(`
++                type shorewall_tmp_t;
++        ')
++
++        files_search_tmp($1)
++        read_files_pattern($1, shorewall_tmp_t, shorewall_tmp_t)
++')
++
++#######################################
++## <summary>
+ ##	All of the rules required to administrate 
+ ##	an shorewall environment
+ ## </summary>
+@@ -134,9 +171,10 @@ interface(`shorewall_rw_lib_files',`
  #
  interface(`shorewall_admin',`
  	gen_require(`
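Review bot: The new `shorewall_read_tmp_files` interface is indented with spaces while the rest of shorewall.if uses tabs (compare `##      Read shorewall tmp files.` with the neighbouring `##	Read shorewall etc configuration files.` and the `gen_require(` line of `shorewall_admin`), so the block should be re-tabbed before it lands. The body itself is the usual pairing, `files_search_tmp($1)` followed by `read_files_pattern($1, shorewall_tmp_t, shorewall_tmp_t)`, and grants read only. The iptables.te change that is supposed to call this interface is not in this chunk, so I cannot confirm the grant is limited to iptables_t as the title says.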
@@ -1415,7 +1337,7 @@ index 0948921..992a7fc 100644
  	')
  
  	allow $1 shorewall_t:process { ptrace signal_perms };
-@@ -153,12 +172,12 @@ interface(`shorewall_admin',`
+@@ -153,12 +191,12 @@ interface(`shorewall_admin',`
  	files_search_locks($1)
  	admin_pattern($1, shorewall_lock_t)
  
@@ -1723,18 +1645,32 @@ index aecbf1c..0b5e634 100644
  
  	optional_policy(`
 diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index c35d801..3045a19 100644
+index c35d801..961424f 100644
 --- a/policy/modules/admin/usermanage.te
 +++ b/policy/modules/admin/usermanage.te
-@@ -295,6 +295,7 @@ selinux_compute_user_contexts(passwd_t)
+@@ -90,9 +90,7 @@ fs_search_auto_mountpoints(chfn_t)
+ # for SSP
+ dev_read_urand(chfn_t)
+ 
+-auth_domtrans_chk_passwd(chfn_t)
+-auth_dontaudit_read_shadow(chfn_t)
+-auth_use_nsswitch(chfn_t)
++auth_use_pam(chfn_t)
+ 
+ # allow checking if a shell is executable
+ corecmd_check_exec_shell(chfn_t)
+@@ -295,15 +293,18 @@ selinux_compute_user_contexts(passwd_t)
  
  term_use_all_ttys(passwd_t)
  term_use_all_ptys(passwd_t)
 +term_use_generic_ptys(passwd_t)
  
- auth_domtrans_chk_passwd(passwd_t)
+-auth_domtrans_chk_passwd(passwd_t)
  auth_manage_shadow(passwd_t)
-@@ -304,6 +305,9 @@ auth_use_nsswitch(passwd_t)
+ auth_relabel_shadow(passwd_t)
+ auth_etc_filetrans_shadow(passwd_t)
+-auth_use_nsswitch(passwd_t)
++auth_use_pam(passwd_t)
  
  # allow checking if a shell is executable
  corecmd_check_exec_shell(passwd_t)
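Review bot: Replacing `auth_domtrans_chk_passwd`, `auth_dontaudit_read_shadow` and `auth_use_nsswitch` with `auth_use_pam(chfn_t)`, and the matching pair for passwd_t, gives both setuid domains everything bundled into that interface rather than only the dbus path to fprintd the description asks for; if auth_use_pam carries the login-record, faillog and audit-message rules it does in reference policy, that is a visible widening for chfn_t in particular. A one-line comment above each call, e.g. `# auth_use_pam: needed for the pam_fprintd dbus conversation`, would record why the narrower set was dropped. passwd_t keeps `auth_manage_shadow`, `auth_relabel_shadow` and `auth_etc_filetrans_shadow` untouched, so its shadow access is unchanged by this hunk.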
@@ -1744,7 +1680,7 @@ index c35d801..3045a19 100644
  
  domain_use_interactive_fds(passwd_t)
  
-@@ -334,6 +338,7 @@ userdom_read_user_tmp_files(passwd_t)
+@@ -334,6 +335,7 @@ userdom_read_user_tmp_files(passwd_t)
  # user generally runs this from their home directory, so do not audit a search
  # on user home dir
  userdom_dontaudit_search_user_home_content(passwd_t)
@@ -1752,7 +1688,7 @@ index c35d801..3045a19 100644
  
  optional_policy(`
  	nscd_domtrans(passwd_t)
-@@ -428,7 +433,7 @@ optional_policy(`
+@@ -428,7 +430,7 @@ optional_policy(`
  # Useradd local policy
  #
  
@@ -1761,7 +1697,7 @@ index c35d801..3045a19 100644
  dontaudit useradd_t self:capability sys_tty_config;
  allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow useradd_t self:process setfscreate;
-@@ -500,12 +505,8 @@ seutil_domtrans_setfiles(useradd_t)
+@@ -500,12 +502,8 @@ seutil_domtrans_setfiles(useradd_t)
  
  userdom_use_unpriv_users_fds(useradd_t)
  # Add/remove user home directories
@@ -2361,157 +2297,88 @@ index 00a19e3..46db5ff 100644
 +/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 +
 diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
-index f5afe78..ffd9870 100644
+index f5afe78..db1a0d0 100644
 --- a/policy/modules/apps/gnome.if
 +++ b/policy/modules/apps/gnome.if
-@@ -37,8 +37,26 @@ interface(`gnome_role',`
+@@ -37,8 +37,7 @@ interface(`gnome_role',`
  
  ########################################
  ## <summary>
 -##	Execute gconf programs in
 -##	in the caller domain.
 +##	gconf connection template.
-+## </summary>
-+## <param name="user_domain">
-+##	<summary>
-+##	The type of the user domain.
-+##	</summary>
-+## </param>
-+#
-+interface(`gnome_stream_connect_gconf',`
-+	gen_require(`
-+		type gconfd_t, gconf_tmp_t;
-+	')
-+
-+	read_files_pattern($1, gconf_tmp_t, gconf_tmp_t)
-+	allow $1 gconfd_t:unix_stream_socket connectto;
-+')
-+
-+########################################
-+## <summary>
-+##	Run gconfd in gconfd domain.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -46,75 +64,124 @@ interface(`gnome_role',`
+@@ -46,37 +45,36 @@ interface(`gnome_role',`
  ##	</summary>
  ## </param>
  #
 -interface(`gnome_exec_gconf',`
-+interface(`gnome_domtrans_gconfd',`
++interface(`gnome_stream_connect_gconf',`
  	gen_require(`
 -		type gconfd_exec_t;
-+		type gconfd_t, gconfd_exec_t;
++		type gconfd_t, gconf_tmp_t;
  	')
  
 -	can_exec($1, gconfd_exec_t)
-+	domtrans_pattern($1, gconfd_exec_t, gconfd_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Dontaudit search gnome homedir content (.config)
-+## </summary>
-+## <param name="user_domain">
-+##	<summary>
-+##	The type of the user domain.
-+##	</summary>
-+## </param>
-+#
-+interface(`gnome_dontaudit_search_config',`
-+	gen_require(`
-+		attribute gnome_home_type;
-+	')
-+
-+	dontaudit $1 gnome_home_type:dir search_dir_perms;
++	read_files_pattern($1, gconf_tmp_t, gconf_tmp_t)
++	allow $1 gconfd_t:unix_stream_socket connectto;
  ')
  
  ########################################
  ## <summary>
 -##	Read gconf config files.
-+##	manage gnome homedir content (.config)
++##	Run gconfd in gconfd domain.
  ## </summary>
- ## <param name="user_domain">
- ##	<summary>
-+##	The type of the user domain.
-+##	</summary>
-+## </param>
-+#
-+interface(`gnome_manage_config',`
-+	gen_require(`
-+		attribute gnome_home_type;
-+	')
-+
-+	allow $1 gnome_home_type:dir manage_dir_perms;
-+	allow $1 gnome_home_type:file manage_file_perms;
-+	allow $1 gnome_home_type:lnk_file manage_lnk_file_perms;
-+	userdom_search_user_home_dirs($1)
-+')
-+
-+########################################
-+## <summary>
-+##	Send general signals to all gconf domains.
-+## </summary>
+-## <param name="user_domain">
 +## <param name="domain">
-+##	<summary>
+ ##	<summary>
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
  #
 -template(`gnome_read_gconf_config',`
-+interface(`gnome_signal_all',`
++interface(`gnome_domtrans_gconfd',`
  	gen_require(`
 -		type gconf_etc_t;
-+		attribute gnomedomain;
++		type gconfd_t, gconfd_exec_t;
  	')
  
 -	allow $1 gconf_etc_t:dir list_dir_perms;
 -	read_files_pattern($1, gconf_etc_t, gconf_etc_t)
 -	files_search_etc($1)
-+	allow $1 gnomedomain:process signal;
++	domtrans_pattern($1, gconfd_exec_t, gconfd_t)
  ')
  
 -#######################################
 +########################################
  ## <summary>
 -##	Create, read, write, and delete gconf config files.
-+##	Create objects in a Gnome cache home directory
-+##	with an automatic type transition to
-+##	a specified private type.
++##	Dontaudit search gnome homedir content (.config)
  ## </summary>
  ## <param name="domain">
  ##	<summary>
- ##	Domain allowed access.
+@@ -84,37 +82,38 @@ template(`gnome_read_gconf_config',`
  ##	</summary>
  ## </param>
-+## <param name="private_type">
-+##	<summary>
-+##	The type of the object to create.
-+##	</summary>
-+## </param>
-+## <param name="object_class">
-+##	<summary>
-+##	The class of the object to be created.
-+##	</summary>
-+## </param>
  #
 -interface(`gnome_manage_gconf_config',`
-+interface(`gnome_cache_filetrans',`
++interface(`gnome_dontaudit_search_config',`
  	gen_require(`
 -		type gconf_etc_t;
-+		type cache_home_t;
++		attribute gnome_home_type;
  	')
  
 -	manage_files_pattern($1, gconf_etc_t, gconf_etc_t)
 -	files_search_etc($1)
-+	filetrans_pattern($1, cache_home_t, $2, $3)
-+	userdom_search_user_home_dirs($1)
++	dontaudit $1 gnome_home_type:dir search_dir_perms;
  ')
  
  ########################################
  ## <summary>
 -##	gconf connection template.
-+##	Read generic cache home files (.cache)
++##	manage gnome homedir content (.config)
  ## </summary>
 -## <param name="user_domain">
 +## <param name="domain">
@@ -2521,37 +2388,107 @@ index f5afe78..ffd9870 100644
  ## </param>
  #
 -interface(`gnome_stream_connect_gconf',`
-+interface(`gnome_read_generic_cache_files',`
++interface(`gnome_manage_config',`
  	gen_require(`
 -		type gconfd_t, gconf_tmp_t;
-+		type cache_home_t;
++		attribute gnome_home_type;
  	')
  
 -	read_files_pattern($1, gconf_tmp_t, gconf_tmp_t)
 -	allow $1 gconfd_t:unix_stream_socket connectto;
-+	read_files_pattern($1, cache_home_t, cache_home_t)
++	allow $1 gnome_home_type:dir manage_dir_perms;
++	allow $1 gnome_home_type:file manage_file_perms;
++	allow $1 gnome_home_type:lnk_file manage_lnk_file_perms;
 +	userdom_search_user_home_dirs($1)
  ')
  
  ########################################
  ## <summary>
 -##	Run gconfd in gconfd domain.
-+##	Set attributes of cache home dir (.cache)
++##	Send general signals to all gconf domains.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -122,12 +189,71 @@ interface(`gnome_stream_connect_gconf',`
+@@ -122,12 +121,139 @@ interface(`gnome_stream_connect_gconf',`
  ##	</summary>
  ## </param>
  #
 -interface(`gnome_domtrans_gconfd',`
-+interface(`gnome_setattr_cache_home_dir',`
++interface(`gnome_signal_all',`
  	gen_require(`
 -		type gconfd_t, gconfd_exec_t;
-+		type cache_home_t;
++		attribute gnomedomain;
  	')
  
 -	domtrans_pattern($1, gconfd_exec_t, gconfd_t)
++	allow $1 gnomedomain:process signal;
++')
++
++########################################
++## <summary>
++##	Create objects in a Gnome cache home directory
++##	with an automatic type transition to
++##	a specified private type.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="private_type">
++##	<summary>
++##	The type of the object to create.
++##	</summary>
++## </param>
++## <param name="object_class">
++##	<summary>
++##	The class of the object to be created.
++##	</summary>
++## </param>
++#
++interface(`gnome_cache_filetrans',`
++	gen_require(`
++		type cache_home_t;
++	')
++
++	filetrans_pattern($1, cache_home_t, $2, $3)
++	userdom_search_user_home_dirs($1)
++')
++
++########################################
++## <summary>
++##	Read generic cache home files (.cache)
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`gnome_read_generic_cache_files',`
++	gen_require(`
++		type cache_home_t;
++	')
++
++	read_files_pattern($1, cache_home_t, cache_home_t)
++	userdom_search_user_home_dirs($1)
++')
++
++########################################
++## <summary>
++##	Set attributes of cache home dir (.cache)
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`gnome_setattr_cache_home_dir',`
++	gen_require(`
++		type cache_home_t;
++	')
++
 +	setattr_dirs_pattern($1, cache_home_t, cache_home_t)
 +	userdom_search_user_home_dirs($1)
 +')
@@ -2598,9 +2535,9 @@ index f5afe78..ffd9870 100644
 +## <summary>
 +##	read gnome homedir content (.config)
 +## </summary>
-+## <param name="user_domain">
++## <param name="domain">
 +##	<summary>
-+##	The type of the user domain.
++##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
@@ -2615,7 +2552,7 @@ index f5afe78..ffd9870 100644
  ')
  
  ########################################
-@@ -151,40 +277,288 @@ interface(`gnome_setattr_config_dirs',`
+@@ -151,40 +277,306 @@ interface(`gnome_setattr_config_dirs',`
  
  ########################################
  ## <summary>
@@ -2623,13 +2560,12 @@ index f5afe78..ffd9870 100644
 +##	Create objects in a Gnome gconf home directory
 +##	with an automatic type transition to
 +##	a specified private type.
- ## </summary>
--## <param name="user_domain">
++## </summary>
 +## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
 +## <param name="private_type">
 +##	<summary>
 +##	The type of the object to create.
@@ -2640,24 +2576,18 @@ index f5afe78..ffd9870 100644
 +##	The class of the object to be created.
 +##	</summary>
 +## </param>
- #
--template(`gnome_read_config',`
++#
 +interface(`gnome_data_filetrans',`
- 	gen_require(`
--		type gnome_home_t;
++	gen_require(`
 +		type data_home_t;
- 	')
- 
--	list_dirs_pattern($1, gnome_home_t, gnome_home_t)
--	read_files_pattern($1, gnome_home_t, gnome_home_t)
--	read_lnk_files_pattern($1, gnome_home_t, gnome_home_t)
++	')
++
 +	filetrans_pattern($1, data_home_t, $2, $3)
 +	gnome_search_gconf($1)
- ')
- 
- ########################################
- ## <summary>
--##	manage gnome homedir content (.config)
++')
++
++########################################
++## <summary>
 +##	Create gconf_home_t objects in the /root directory
 +## </summary>
 +## <param name="domain">
@@ -2683,9 +2613,9 @@ index f5afe78..ffd9870 100644
 +## <summary>
 +##	read gconf config files
  ## </summary>
- ## <param name="user_domain">
- ##	<summary>
-+##	The type of the user domain.
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
@@ -2724,19 +2654,15 @@ index f5afe78..ffd9870 100644
 +## </summary>
 +## <param name="domain">
 +##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
- #
--interface(`gnome_manage_config',`
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`gnome_exec_gconf',`
- 	gen_require(`
--		type gnome_home_t;
++	gen_require(`
 +		type gconfd_exec_t;
- 	')
- 
--	allow $1 gnome_home_t:dir manage_dir_perms;
--	allow $1 gnome_home_t:file manage_file_perms;
++	')
++
 +	can_exec($1, gconfd_exec_t)
 +')
 +
@@ -2766,9 +2692,9 @@ index f5afe78..ffd9870 100644
 +## <summary>
 +##	search gconf homedir (.local)
 +## </summary>
-+## <param name="user_domain">
++## <param name="domain">
 +##	<summary>
-+##	The type of the domain.
++##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
@@ -2778,8 +2704,8 @@ index f5afe78..ffd9870 100644
 +	')
 +
 +	allow $1 gconf_home_t:dir search_dir_perms;
- 	userdom_search_user_home_dirs($1)
- ')
++	userdom_search_user_home_dirs($1)
++')
 +
 +########################################
 +## <summary>
@@ -2827,8 +2753,8 @@ index f5afe78..ffd9870 100644
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
-+## <param name="user_domain">
-+##	<summary>
+ ## <param name="user_domain">
+ ##	<summary>
 +##	The type of the user domain.
 +##	</summary>
 +## </param>
@@ -2846,17 +2772,22 @@ index f5afe78..ffd9870 100644
 +## <summary>
 +##	list gnome homedir content (.config)
 +## </summary>
-+## <param name="user_domain">
++## <param name="domain">
 +##	<summary>
-+##	The type of the user domain.
-+##	</summary>
-+## </param>
-+#
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-template(`gnome_read_config',`
 +template(`gnome_list_home_config',`
-+	gen_require(`
+ 	gen_require(`
+-		type gnome_home_t;
 +		type config_home_t;
-+	')
-+
+ 	')
+ 
+-	list_dirs_pattern($1, gnome_home_t, gnome_home_t)
+-	read_files_pattern($1, gnome_home_t, gnome_home_t)
+-	read_lnk_files_pattern($1, gnome_home_t, gnome_home_t)
 +	allow $1 config_home_t:dir list_dir_perms;
 +')
 +
@@ -2864,9 +2795,9 @@ index f5afe78..ffd9870 100644
 +## <summary>
 +##	read gnome homedir content (.config)
 +## </summary>
-+## <param name="user_domain">
++## <param name="domain">
 +##	<summary>
-+##	The type of the user domain.
++##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
@@ -2876,6 +2807,30 @@ index f5afe78..ffd9870 100644
 +	')
 +
 +	read_files_pattern($1, config_home_t, config_home_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+ ##	manage gnome homedir content (.config)
+ ## </summary>
+-## <param name="user_domain">
++## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`gnome_manage_config',`
++template(`gnome_manage_home_config',`
+ 	gen_require(`
+-		type gnome_home_t;
++		type config_home_t;
+ 	')
+ 
+-	allow $1 gnome_home_t:dir manage_dir_perms;
+-	allow $1 gnome_home_t:file manage_file_perms;
+-	userdom_search_user_home_dirs($1)
++	manage_files_pattern($1, config_home_t, config_home_t)
 +')
 +
 +########################################
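Review bot: The new `gnome_manage_home_config` template drops the `userdom_search_user_home_dirs($1)` that the `gnome_manage_config` interface it replaces at this spot carried, so a caller gets `manage_files_pattern($1, config_home_t, config_home_t)` but no search right on the user home directory leading to ~/.config, and the access will fail at the path walk unless the caller already has it. Either add `userdom_search_user_home_dirs($1)` after the `manage_files_pattern` line, or say in the summary that home-directory search is the caller's responsibility. The new caller `gnome_manage_home_config(mozilla_plugin_t)` elsewhere in this patch does not visibly obtain that search right, though it may come from an interface outside this chunk.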
@@ -2915,7 +2870,7 @@ index f5afe78..ffd9870 100644
 +
 +	allow $1 gconfdefaultsm_t:dbus send_msg;
 +	allow gconfdefaultsm_t $1:dbus send_msg;
-+')
+ ')
 diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te
 index 35f7486..26852d2 100644
 --- a/policy/modules/apps/gnome.te
@@ -3071,10 +3026,19 @@ index e9853d4..717d163 100644
  /usr/bin/gpg(2)?	--	gen_context(system_u:object_r:gpg_exec_t,s0)
  /usr/bin/gpg-agent	--	gen_context(system_u:object_r:gpg_agent_exec_t,s0)
 diff --git a/policy/modules/apps/gpg.if b/policy/modules/apps/gpg.if
-index 40e0a2a..7c48fc5 100644
+index 40e0a2a..13d939a 100644
 --- a/policy/modules/apps/gpg.if
 +++ b/policy/modules/apps/gpg.if
-@@ -85,6 +85,43 @@ interface(`gpg_domtrans',`
+@@ -54,6 +54,8 @@ interface(`gpg_role',`
+ 	manage_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
+ 	relabel_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
+ 
++	allow gpg_pinentry_t $2:fifo_file { read write };
++
+ 	optional_policy(`
+ 		gpg_pinentry_dbus_chat($2)
+ 	')
+@@ -85,6 +87,43 @@ interface(`gpg_domtrans',`
  	domtrans_pattern($1, gpg_exec_t, gpg_t)
  ')
  
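Review bot: `allow gpg_pinentry_t $2:fifo_file { read write };` in `gpg_role` has no comment saying which pinentry/caller interaction needs pinentry to read and write a pipe belonging to the user domain, and it is the only rule in this part of the template written as a raw allow rather than a pattern macro. A short why-comment, e.g. `# pinentry reads/writes a pipe inherited from the user domain — confirm which caller`, would keep it from being dropped as a stray grant later; the purpose is my inference, the hunk does not show it. The enclosing `gpg_role` interface starts outside the hunk.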
@@ -3678,7 +3642,7 @@ index 93ac529..aafece7 100644
  /usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
 +/usr/lib(64)?/xulrunner[^/]*/plugin-container		--	gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
 diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
-index 9a6d67d..99a3d49 100644
+index 9a6d67d..47aa143 100644
 --- a/policy/modules/apps/mozilla.if
 +++ b/policy/modules/apps/mozilla.if
 @@ -29,6 +29,8 @@ interface(`mozilla_role',`
@@ -3712,7 +3676,7 @@ index 9a6d67d..99a3d49 100644
  ')
  
  ########################################
-@@ -168,6 +176,50 @@ interface(`mozilla_domtrans',`
+@@ -168,6 +176,52 @@ interface(`mozilla_domtrans',`
  
  ########################################
  ## <summary>
@@ -3756,6 +3720,8 @@ index 9a6d67d..99a3d49 100644
 +
 +	mozilla_domtrans_plugin($1)
 +	role $2 types mozilla_plugin_t;
++
++	allow mozilla_plugin_t $1:process signull;	
 +')
 +
 +########################################
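Review bot: The added `allow mozilla_plugin_t $1:process signull;` line carries trailing whitespace (a tab after the semicolon) and is the only rule in this role interface without a comment explaining the grant. Strip the whitespace and say why the plugin domain needs to probe the user domain with signull, e.g. `# plugin checks the calling user domain is still alive — confirm`, hedged because the hunk does not show the caller. The interface's opening lines are outside the hunk.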
@@ -3764,7 +3730,7 @@ index 9a6d67d..99a3d49 100644
  ##	mozilla over dbus.
  ## </summary>
 diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index cbf4bec..b2e4e0c 100644
+index cbf4bec..58899ca 100644
 --- a/policy/modules/apps/mozilla.te
 +++ b/policy/modules/apps/mozilla.te
 @@ -25,6 +25,7 @@ files_config_file(mozilla_conf_t)
@@ -3775,7 +3741,7 @@ index cbf4bec..b2e4e0c 100644
  userdom_user_home_content(mozilla_home_t)
  
  type mozilla_tmpfs_t;
-@@ -33,6 +34,13 @@ typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_
+@@ -33,6 +34,20 @@ typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_
  files_tmpfs_file(mozilla_tmpfs_t)
  ubac_constrained(mozilla_tmpfs_t)
  
@@ -3784,12 +3750,19 @@ index cbf4bec..b2e4e0c 100644
 +application_domain(mozilla_plugin_t, mozilla_plugin_exec_t)
 +role system_r types mozilla_plugin_t;
 +
++type mozilla_plugin_tmp_t;
++files_tmp_file(mozilla_plugin_tmp_t)
++
++type mozilla_plugin_tmpfs_t;
++files_tmpfs_file(mozilla_plugin_tmpfs_t)
++ubac_constrained(mozilla_plugin_tmpfs_t)
++
 +permissive mozilla_plugin_t;
 +
  ########################################
  #
  # Local policy
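Review bot: `permissive mozilla_plugin_t;` is still present in this section even though the description says permissive domains were removed and changed back to unconfined; if the new plugin domain is meant to stay permissive for this release, a comment saying so and for how long belongs next to it, otherwise the line should go. Of the two new types, only `mozilla_plugin_tmpfs_t` gets `ubac_constrained` while `mozilla_plugin_tmp_t` does not; if that asymmetry is deliberate it is worth a one-line comment.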
-@@ -89,16 +97,20 @@ corenet_tcp_sendrecv_generic_node(mozilla_t)
+@@ -89,16 +104,20 @@ corenet_tcp_sendrecv_generic_node(mozilla_t)
  corenet_raw_sendrecv_generic_node(mozilla_t)
  corenet_tcp_sendrecv_http_port(mozilla_t)
  corenet_tcp_sendrecv_http_cache_port(mozilla_t)
@@ -3810,7 +3783,7 @@ index cbf4bec..b2e4e0c 100644
  corenet_sendrecv_ftp_client_packets(mozilla_t)
  corenet_sendrecv_ipp_client_packets(mozilla_t)
  corenet_sendrecv_generic_client_packets(mozilla_t)
-@@ -238,6 +250,7 @@ optional_policy(`
+@@ -238,6 +257,7 @@ optional_policy(`
  optional_policy(`
  	gnome_stream_connect_gconf(mozilla_t)
  	gnome_manage_config(mozilla_t)
@@ -3818,7 +3791,7 @@ index cbf4bec..b2e4e0c 100644
  ')
  
  optional_policy(`
-@@ -258,6 +271,11 @@ optional_policy(`
+@@ -258,6 +278,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -3830,7 +3803,7 @@ index cbf4bec..b2e4e0c 100644
  	pulseaudio_exec(mozilla_t)
  	pulseaudio_stream_connect(mozilla_t)
  	pulseaudio_manage_home_files(mozilla_t)
-@@ -266,3 +284,46 @@ optional_policy(`
+@@ -266,3 +291,78 @@ optional_policy(`
  optional_policy(`
  	thunderbird_domtrans(mozilla_t)
  ')
@@ -3839,7 +3812,7 @@ index cbf4bec..b2e4e0c 100644
 +#
 +# mozilla_plugin local policy
 +#
-+allow mozilla_plugin_t self:process setsched;
++allow mozilla_plugin_t self:process { setsched signal_perms execmem };
 +
 +allow mozilla_plugin_t self:sem create_sem_perms;
 +allow mozilla_plugin_t self:shm create_shm_perms;
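Review bot: `allow mozilla_plugin_t self:process { setsched signal_perms execmem };` adds execmem to the plugin domain with no comment, which lets the plugin map writable and executable memory and removes the W^X protection the domain otherwise has; it is the most consequential line in this hunk and should name what needs it (the description points at the Google video chat plugin). Suggested comment directly above the line: `# execmem: required by plugins that generate code in anonymous memory (video chat plugin); revisit if no longer needed`. If a `tunable_policy` guard is an option for this domain, it would let the default stay without execmem.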
@@ -3848,6 +3821,16 @@ index cbf4bec..b2e4e0c 100644
 +
 +read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
 +
++manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
++manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
++files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file })
++
++manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
++manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
++manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
++manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
++fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
++
 +kernel_read_kernel_sysctls(mozilla_plugin_t)
 +kernel_read_system_state(mozilla_plugin_t)
 +kernel_request_load_module(mozilla_plugin_t)
@@ -3856,6 +3839,8 @@ index cbf4bec..b2e4e0c 100644
 +corecmd_exec_shell(mozilla_plugin_t)
 +
 +dev_read_urand(mozilla_plugin_t)
++dev_read_video_dev(mozilla_plugin_t)
++dev_read_sysfs(mozilla_plugin_t)
 +
 +domain_use_interactive_fds(mozilla_plugin_t)
 +domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
@@ -3863,14 +3848,34 @@ index cbf4bec..b2e4e0c 100644
 +files_read_config_files(mozilla_plugin_t)
 +files_read_usr_files(mozilla_plugin_t)
 +
++fs_getattr_tmpfs(mozilla_plugin_t)
++
 +miscfiles_read_localization(mozilla_plugin_t)
++miscfiles_read_fonts(mozilla_plugin_t)
 +
 +term_getattr_all_ttys(mozilla_plugin_t)
 +term_getattr_all_ptys(mozilla_plugin_t)
 +
++userdom_rw_user_tmpfs_files(mozilla_plugin_t)
++userdom_stream_connect(mozilla_plugin_t)
++userdom_dontaudit_use_user_ptys(mozilla_plugin_t)
++
++optional_policy(`
++	dbus_read_lib_files(mozilla_plugin_t)
++')
++
++optional_policy(`
++	gnome_manage_home_config(mozilla_plugin_t)
++')
++
 +optional_policy(`
 +	nsplugin_domtrans(mozilla_plugin_t)
 +	nsplugin_rw_exec(mozilla_plugin_t)
++	nsplugin_manage_home_files(mozilla_plugin_t)
++')
++
++optional_policy(`
++	pulseaudio_rw_home_files(mozilla_plugin_t)
 +')
 +
 +optional_policy(`
@@ -3979,10 +3984,10 @@ index 0000000..63abc5c
 +/usr/lib(64)?/mozilla/plugins-wrapped(/.*)?			gen_context(system_u:object_r:nsplugin_rw_t,s0)
 diff --git a/policy/modules/apps/nsplugin.if b/policy/modules/apps/nsplugin.if
 new file mode 100644
-index 0000000..74c624e
+index 0000000..4dd9d05
 --- /dev/null
 +++ b/policy/modules/apps/nsplugin.if
-@@ -0,0 +1,391 @@
+@@ -0,0 +1,374 @@
 +
 +## <summary>policy for nsplugin</summary>
 +
@@ -4030,21 +4035,9 @@ index 0000000..74c624e
 +## <summary>
 +##	The per role template for the nsplugin module.
 +## </summary>
-+## <desc>
-+##	<p>
-+##	This template creates a derived domains which are used
-+##	for nsplugin web browser.
-+##	</p>
-+##	<p>
-+##	This template is invoked automatically for each user, and
-+##	generally does not need to be invoked directly
-+##	by policy writers.
-+##	</p>
-+## </desc>
-+## <param name="userdomain_prefix">
++## <param name="user_role">
 +##	<summary>
-+##	The prefix of the user domain (e.g., user
-+##	is the prefix for user_t).
++##	The role associated with the user domain.
 +##	</summary>
 +## </param>
 +## <param name="user_domain">
@@ -4052,11 +4045,6 @@ index 0000000..74c624e
 +##	The type of the user domain.
 +##	</summary>
 +## </param>
-+## <param name="user_role">
-+##	<summary>
-+##	The role associated with the user domain.
-+##	</summary>
-+## </param>
 +#
 +interface(`nsplugin_role_notrans',`
 +	gen_require(`
@@ -4376,10 +4364,10 @@ index 0000000..74c624e
 +')
 diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te
 new file mode 100644
-index 0000000..b4f0852
+index 0000000..23890a7
 --- /dev/null
 +++ b/policy/modules/apps/nsplugin.te
-@@ -0,0 +1,307 @@
+@@ -0,0 +1,308 @@
 +policy_module(nsplugin, 1.0.0)
 +
 +########################################
@@ -4511,6 +4499,7 @@ index 0000000..b4f0852
 +fs_list_inotifyfs(nsplugin_t)
 +
 +storage_dontaudit_getattr_fixed_disk_dev(nsplugin_t)
++storage_dontaudit_getattr_removable_dev(nsplugin_t)
 +
 +term_dontaudit_getattr_all_ptys(nsplugin_t)
 +term_dontaudit_getattr_all_ttys(nsplugin_t)
@@ -5445,10 +5434,10 @@ index 0000000..c20d303
 +')
 diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te
 new file mode 100644
-index 0000000..8d4ac56
+index 0000000..942bb30
 --- /dev/null
 +++ b/policy/modules/apps/sandbox.te
-@@ -0,0 +1,403 @@
+@@ -0,0 +1,400 @@
 +policy_module(sandbox,1.0.0)
 +dbus_stub()
 +attribute sandbox_domain;
@@ -5683,7 +5672,6 @@ index 0000000..8d4ac56
 +userdom_read_user_home_content_symlinks(sandbox_x_domain)
 +userdom_search_user_home_content(sandbox_x_domain)
 +
-+#============= sandbox_x_t ==============
 +files_search_home(sandbox_x_t)
 +userdom_use_user_ptys(sandbox_x_t)
 +
@@ -5737,7 +5725,6 @@ index 0000000..8d4ac56
 +dev_write_sound(sandbox_web_type)
 +dev_read_sound(sandbox_web_type)
 +
-+# Browse the web, connect to printer
 +corenet_all_recvfrom_unlabeled(sandbox_web_type)
 +corenet_all_recvfrom_netlabel(sandbox_web_type)
 +corenet_tcp_sendrecv_all_if(sandbox_web_type)
@@ -5767,7 +5754,7 @@ index 0000000..8d4ac56
 +corenet_sendrecv_ftp_client_packets(sandbox_web_type)
 +corenet_sendrecv_ipp_client_packets(sandbox_web_type)
 +corenet_sendrecv_generic_client_packets(sandbox_web_type)
-+# Should not need other ports
++
 +corenet_dontaudit_tcp_sendrecv_generic_port(sandbox_web_type)
 +corenet_dontaudit_tcp_bind_generic_port(sandbox_web_type)
 +
@@ -5851,7 +5838,6 @@ index 0000000..8d4ac56
 +	mozilla_dontaudit_rw_user_home_files(sandbox_xserver_t)
 +	mozilla_dontaudit_rw_user_home_files(sandbox_x_domain)
 +')
-+
 diff --git a/policy/modules/apps/seunshare.if b/policy/modules/apps/seunshare.if
 index 1dc7a85..7455c19 100644
 --- a/policy/modules/apps/seunshare.if
@@ -6190,10 +6176,10 @@ index 0000000..3d12484
 +')
 diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te
 new file mode 100644
-index 0000000..7e8fd3a
+index 0000000..c7250ae
 --- /dev/null
 +++ b/policy/modules/apps/telepathy.te
-@@ -0,0 +1,316 @@
+@@ -0,0 +1,320 @@
 +
 +policy_module(telepathy, 1.0.0)
 +
@@ -6249,11 +6235,13 @@ index 0000000..7e8fd3a
 +files_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file })
 +userdom_user_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file })
 +userdom_dontaudit_setattr_user_tmp(telepathy_msn_t)
++can_exec(telepathy_msn_t, telepathy_msn_tmp_t)
 +
 +corenet_sendrecv_http_client_packets(telepathy_msn_t)
 +corenet_sendrecv_msnp_client_packets(telepathy_msn_t)
 +corenet_tcp_connect_http_port(telepathy_msn_t)
 +corenet_tcp_connect_msnp_port(telepathy_msn_t)
++corenet_tcp_connect_sametime_port(telepathy_msn_t)
 +
 +corecmd_exec_bin(telepathy_msn_t)
 +corecmd_exec_shell(telepathy_msn_t)
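Review bot: `can_exec(telepathy_msn_t, telepathy_msn_tmp_t)` lets the domain execute files it creates under its own tmp type, so a process that can write a file in tmp can then run it; that undoes much of the separation the surrounding rules establish for telepathy_msn_t. If the application genuinely unpacks and runs helpers from its tmp directory, a one-line comment naming that need would help the next reviewer, e.g. `# telepathy-msn executes helpers it unpacks into its tmp dir`; otherwise consider putting the permission behind a tunable as the policy does elsewhere for risky access. Note that `corenet_tcp_connect_sametime_port` relies on the `network_port(sametime, ...)` declaration added in the corenetwork.te.in hunk further down, so the two changes must land together. The telepathy_msn_t rule block continues on both sides of the hunk.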
@@ -6268,6 +6256,8 @@ index 0000000..7e8fd3a
 +
 +auth_use_nsswitch(telepathy_msn_t)
 +
++libs_exec_ldconfig(telepathy_msn_t)
++
 +logging_send_syslog_msg(telepathy_msn_t)
 +
 +miscfiles_read_certs(telepathy_msn_t)
@@ -6318,7 +6308,7 @@ index 0000000..7e8fd3a
 +dev_read_rand(telepathy_gabble_t)
 +dev_read_urand(telepathy_gabble_t)
 +
-+files_read_etc_files(telepathy_gabble_t)
++files_read_config_files(telepathy_gabble_t)
 +files_read_usr_files(telepathy_gabble_t)
 +
 +miscfiles_read_certs(telepathy_gabble_t)
@@ -6661,7 +6651,7 @@ index 5872ea2..028c994 100644
  /var/run/vmnat.* 		-s	gen_context(system_u:object_r:vmware_var_run_t,s0)
  /var/run/vmware.* 			gen_context(system_u:object_r:vmware_var_run_t,s0)
 diff --git a/policy/modules/apps/vmware.te b/policy/modules/apps/vmware.te
-index 1f803bb..ab99aa0 100644
+index 1f803bb..8a97303 100644
 --- a/policy/modules/apps/vmware.te
 +++ b/policy/modules/apps/vmware.te
 @@ -126,6 +126,7 @@ dev_getattr_all_blk_files(vmware_host_t)
@@ -6672,6 +6662,17 @@ index 1f803bb..ab99aa0 100644
  
  domain_use_interactive_fds(vmware_host_t)
  domain_dontaudit_read_all_domains_state(vmware_host_t)
+@@ -159,7 +160,10 @@ netutils_domtrans_ping(vmware_host_t)
+ 
+ optional_policy(`
+ 	seutil_sigchld_newrole(vmware_host_t)
++')
+ 
++optional_policy(`
++	shutdown_domtrans(vmware_host_t)
+ ')
+ 
+ optional_policy(`
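Review bot: `shutdown_domtrans(vmware_host_t)` grants vmware_host_t a transition into the shutdown domain, i.e. the ability to power the machine off, which is a large privilege compared with the device and network access granted around it. If this is for host-initiated guest shutdown handled by the VMware daemon (inferred from the domain name, not visible here), a comment stating that would document the intent, e.g. `# VMware guest daemon performs host-requested shutdowns`. The new optional_policy() block is correctly split from the seutil one above it, so the structure itself is fine.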
 diff --git a/policy/modules/apps/wine.fc b/policy/modules/apps/wine.fc
 index 9d24449..9782698 100644
 --- a/policy/modules/apps/wine.fc
@@ -6820,7 +6821,7 @@ index 82842a0..369c3b5 100644
  		dbus_system_bus_client($1_wm_t)
  		dbus_session_bus_client($1_wm_t)
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 0eb1d97..a71e2d5 100644
+index 0eb1d97..b267560 100644
 --- a/policy/modules/kernel/corecommands.fc
 +++ b/policy/modules/kernel/corecommands.fc
 @@ -9,8 +9,11 @@
@@ -6845,7 +6846,16 @@ index 0eb1d97..a71e2d5 100644
  /etc/profile.d(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  /etc/xen/qemu-ifup		--	gen_context(system_u:object_r:bin_t,s0)
  /etc/xen/scripts(/.*)?			gen_context(system_u:object_r:bin_t,s0)
-@@ -126,6 +132,7 @@ ifdef(`distro_gentoo',`
+@@ -109,6 +115,8 @@ ifdef(`distro_debian',`
+ /etc/mysql/debian-start		--	gen_context(system_u:object_r:bin_t,s0)
+ ')
+ 
++/etc/vmware-tools(/.*)?			gen_context(system_u:object_r:bin_t,s0)
++
+ #
+ # /lib
+ #
+@@ -126,6 +134,7 @@ ifdef(`distro_gentoo',`
  /lib/rcscripts/net\.modules\.d/helpers\.d/dhclient-.* -- gen_context(system_u:object_r:bin_t,s0)
  /lib/rcscripts/net\.modules\.d/helpers\.d/udhcpc-.* -- gen_context(system_u:object_r:bin_t,s0)
  ')
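Review bot: `/etc/vmware-tools(/.*)?` labels the whole subtree as bin_t, so any configuration files that live there become executable-labelled and lose the etc_t label other domains expect for reads. If only a few scripts in that directory are executed, a pattern limited to those (for example a `-- ` file rule on the script names, as the neighbouring `/etc/mysql/debian-start` line does) keeps the executable label off the data files. A short comment naming which tool executes these files would make the broad rule easier to revisit later.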
@@ -6853,7 +6863,7 @@ index 0eb1d97..a71e2d5 100644
  
  #
  # /sbin
-@@ -145,6 +152,10 @@ ifdef(`distro_gentoo',`
+@@ -145,6 +154,10 @@ ifdef(`distro_gentoo',`
  
  /opt/(.*/)?sbin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  
@@ -6864,7 +6874,7 @@ index 0eb1d97..a71e2d5 100644
  ifdef(`distro_gentoo',`
  /opt/RealPlayer/realplay(\.bin)?	gen_context(system_u:object_r:bin_t,s0)
  /opt/RealPlayer/postint(/.*)?		gen_context(system_u:object_r:bin_t,s0)
-@@ -169,6 +180,7 @@ ifdef(`distro_gentoo',`
+@@ -169,6 +182,7 @@ ifdef(`distro_gentoo',`
  /usr/lib/fence(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/pgsql/test/regress/.*\.sh --	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/qt.*/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
@@ -6872,7 +6882,7 @@ index 0eb1d97..a71e2d5 100644
  /usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0)
  /usr/lib(64)?/apt/methods.+	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib(64)?/ConsoleKit/scripts(/.*)?	gen_context(system_u:object_r:bin_t,s0)
-@@ -220,6 +232,7 @@ ifdef(`distro_gentoo',`
+@@ -220,6 +234,7 @@ ifdef(`distro_gentoo',`
  
  /usr/share/apr-0/build/[^/]+\.sh --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/apr-0/build/libtool --	gen_context(system_u:object_r:bin_t,s0)
@@ -6880,7 +6890,7 @@ index 0eb1d97..a71e2d5 100644
  /usr/share/debconf/.+		--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/denyhosts/scripts(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/denyhosts/plugins(/.*)?	gen_context(system_u:object_r:bin_t,s0)
-@@ -228,6 +241,8 @@ ifdef(`distro_gentoo',`
+@@ -228,6 +243,8 @@ ifdef(`distro_gentoo',`
  /usr/share/cluster/svclib_nfslock --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/e16/misc(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -6889,7 +6899,7 @@ index 0eb1d97..a71e2d5 100644
  /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
-@@ -314,6 +329,7 @@ ifdef(`distro_redhat', `
+@@ -314,6 +331,7 @@ ifdef(`distro_redhat', `
  /usr/share/texmf/web2c/mktexdir	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/texmf/web2c/mktexnam	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/texmf/web2c/mktexupd	--	gen_context(system_u:object_r:bin_t,s0)
@@ -6897,7 +6907,7 @@ index 0eb1d97..a71e2d5 100644
  ')
  
  ifdef(`distro_suse', `
-@@ -340,3 +356,27 @@ ifdef(`distro_suse', `
+@@ -340,3 +358,27 @@ ifdef(`distro_suse', `
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -6957,7 +6967,7 @@ index 9e5c83e..953e0e8 100644
 +/lib/udev/devices/ppp	-c	gen_context(system_u:object_r:ppp_device_t,s0)
 +/lib/udev/devices/net/.* -c	gen_context(system_u:object_r:tun_tap_device_t,s0)
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 2ecdde8..f118873 100644
+index 2ecdde8..bb4adcb 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -24,6 +24,7 @@ dev_node(ppp_device_t)
@@ -7079,7 +7089,7 @@ index 2ecdde8..f118873 100644
  network_port(printer, tcp,515,s0)
  network_port(ptal, tcp,5703,s0)
  network_port(pulseaudio, tcp,4713,s0)
-@@ -174,24 +194,27 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0)
+@@ -174,24 +194,28 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0)
  network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
  network_port(rlogind, tcp,513,s0)
  network_port(rndc, tcp,953,s0)
@@ -7089,6 +7099,7 @@ index 2ecdde8..f118873 100644
  network_port(rsync, tcp,873,s0, udp,873,s0)
  network_port(rwho, udp,513,s0)
  network_port(sap, tcp,9875,s0, udp,9875,s0)
++network_port(sametime, tcp,1533,s0, udp,1533,s0)
  network_port(sieve, tcp,4190,s0)
 -network_port(sip, tcp,5060,s0, udp,5060,s0, tcp,5061,s0, udp,5061,s0)
 +network_port(sip, tcp,5060-5061,s0, udp,5060-5061,s0)
@@ -7111,7 +7122,7 @@ index 2ecdde8..f118873 100644
  network_port(syslogd, udp,514,s0)
  network_port(telnetd, tcp,23,s0)
  network_port(tftp, udp,69,s0)
-@@ -201,16 +224,17 @@ network_port(transproxy, tcp,8081,s0)
+@@ -201,16 +225,17 @@ network_port(transproxy, tcp,8081,s0)
  network_port(ups, tcp,3493,s0)
  type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
  network_port(uucpd, tcp,540,s0)
@@ -7133,19 +7144,18 @@ index 2ecdde8..f118873 100644
  network_port(zope, tcp,8021,s0)
  
 diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
-index 3b2da10..18f3f4c 100644
+index 3b2da10..7c29e17 100644
 --- a/policy/modules/kernel/devices.fc
 +++ b/policy/modules/kernel/devices.fc
-@@ -159,6 +159,8 @@ ifdef(`distro_suse', `
+@@ -159,6 +159,7 @@ ifdef(`distro_suse', `
  
  /dev/mvideo/.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
  
-+/dev/hugepages(/.*)?		<<none>>
 +/dev/mqueue(/.*)?		<<none>>
  /dev/pts(/.*)?			<<none>>
  
  /dev/s(ou)?nd/.*	-c	gen_context(system_u:object_r:sound_device_t,s0)
-@@ -176,13 +178,12 @@ ifdef(`distro_suse', `
+@@ -176,13 +177,12 @@ ifdef(`distro_suse', `
  
  /etc/udev/devices	-d	gen_context(system_u:object_r:device_t,s0)
  
@@ -7161,7 +7171,7 @@ index 3b2da10..18f3f4c 100644
  
  ifdef(`distro_redhat',`
  # originally from named.fc
-@@ -191,3 +192,8 @@ ifdef(`distro_redhat',`
+@@ -191,3 +191,8 @@ ifdef(`distro_redhat',`
  /var/named/chroot/dev/random -c	gen_context(system_u:object_r:random_device_t,s0)
  /var/named/chroot/dev/zero -c	gen_context(system_u:object_r:zero_device_t,s0)
  ')
@@ -7171,10 +7181,35 @@ index 3b2da10..18f3f4c 100644
 +#
 +/sys(/.*)?			gen_context(system_u:object_r:sysfs_t,s0)
 diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index 8b09281..e896bf7 100644
+index 8b09281..3fb8756 100644
 --- a/policy/modules/kernel/devices.if
 +++ b/policy/modules/kernel/devices.if
-@@ -498,6 +498,24 @@ interface(`dev_getattr_generic_chr_files',`
+@@ -318,6 +318,24 @@ interface(`dev_dontaudit_getattr_generic_files',`
+ 
+ ########################################
+ ## <summary>
++##	read generic files in /dev.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`dev_read_generic_files',`
++	gen_require(`
++		type device_t;
++	')
++
++	read_files_pattern($1, device_t, device_t)
++')
++
++########################################
++## <summary>
+ ##	Read and write generic files in /dev.
+ ## </summary>
+ ## <param name="domain">
+@@ -498,6 +516,24 @@ interface(`dev_getattr_generic_chr_files',`
  
  ########################################
  ## <summary>
@@ -7199,7 +7234,7 @@ index 8b09281..e896bf7 100644
  ##	Dontaudit getattr for generic character device files.
  ## </summary>
  ## <param name="domain">
-@@ -534,6 +552,24 @@ interface(`dev_dontaudit_setattr_generic_chr_files',`
+@@ -534,6 +570,24 @@ interface(`dev_dontaudit_setattr_generic_chr_files',`
  
  ########################################
  ## <summary>
@@ -7224,7 +7259,7 @@ index 8b09281..e896bf7 100644
  ##	Read and write generic character device files.
  ## </summary>
  ## <param name="domain">
-@@ -552,6 +588,24 @@ interface(`dev_rw_generic_chr_files',`
+@@ -552,6 +606,24 @@ interface(`dev_rw_generic_chr_files',`
  
  ########################################
  ## <summary>
@@ -7249,7 +7284,7 @@ index 8b09281..e896bf7 100644
  ##	Dontaudit attempts to read/write generic character device files.
  ## </summary>
  ## <param name="domain">
-@@ -661,6 +715,24 @@ interface(`dev_delete_generic_symlinks',`
+@@ -661,6 +733,24 @@ interface(`dev_delete_generic_symlinks',`
  
  ########################################
  ## <summary>
@@ -7274,7 +7309,7 @@ index 8b09281..e896bf7 100644
  ##	Create, delete, read, and write symbolic links in device directories.
  ## </summary>
  ## <param name="domain">
-@@ -1070,6 +1142,42 @@ interface(`dev_create_all_chr_files',`
+@@ -1070,6 +1160,42 @@ interface(`dev_create_all_chr_files',`
  
  ########################################
  ## <summary>
@@ -7317,7 +7352,7 @@ index 8b09281..e896bf7 100644
  ##	Delete all block device files.
  ## </summary>
  ## <param name="domain">
-@@ -1332,6 +1440,24 @@ interface(`dev_getattr_autofs_dev',`
+@@ -1332,6 +1458,24 @@ interface(`dev_getattr_autofs_dev',`
  
  ########################################
  ## <summary>
@@ -7342,7 +7377,7 @@ index 8b09281..e896bf7 100644
  ##	Do not audit attempts to get the attributes of
  ##	the autofs device node.
  ## </summary>
-@@ -3595,6 +3721,24 @@ interface(`dev_manage_smartcard',`
+@@ -3595,6 +3739,24 @@ interface(`dev_manage_smartcard',`
  
  ########################################
  ## <summary>
@@ -7367,7 +7402,7 @@ index 8b09281..e896bf7 100644
  ##	Get the attributes of sysfs directories.
  ## </summary>
  ## <param name="domain">
-@@ -3737,6 +3881,24 @@ interface(`dev_rw_sysfs',`
+@@ -3737,6 +3899,24 @@ interface(`dev_rw_sysfs',`
  
  ########################################
  ## <summary>
@@ -7392,7 +7427,7 @@ index 8b09281..e896bf7 100644
  ##	Read from pseudo random number generator devices (e.g., /dev/urandom).
  ## </summary>
  ## <desc>
-@@ -3906,6 +4068,24 @@ interface(`dev_read_usbmon_dev',`
+@@ -3906,6 +4086,24 @@ interface(`dev_read_usbmon_dev',`
  
  ########################################
  ## <summary>
@@ -7417,7 +7452,7 @@ index 8b09281..e896bf7 100644
  ##	Mount a usbfs filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -4216,11 +4396,10 @@ interface(`dev_write_video_dev',`
+@@ -4216,11 +4414,10 @@ interface(`dev_write_video_dev',`
  #
  interface(`dev_rw_vhost',`
  	gen_require(`
@@ -7496,7 +7531,7 @@ index aad8c52..09d4b31 100644
 +	dontaudit $1 domain:socket_class_set { read write };
 +')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index 099f57f..ae62211 100644
+index 099f57f..d58ef64 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
 @@ -4,6 +4,21 @@ policy_module(domain, 1.8.1)
@@ -7586,7 +7621,7 @@ index 099f57f..ae62211 100644
  # Act upon any other process.
  allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
  
-@@ -160,3 +194,77 @@ allow unconfined_domain_type domain:key *;
+@@ -160,3 +194,81 @@ allow unconfined_domain_type domain:key *;
  
  # receive from all domains over labeled networking
  domain_all_recvfrom_all_domains(unconfined_domain_type)
@@ -7648,6 +7683,10 @@ index 099f57f..ae62211 100644
 +')
 +
 +optional_policy(`
++	hal_dontaudit_read_pid_files(domain)
++')
++
++optional_policy(`
 +	ifdef(`hide_broken_symptoms',`
 +		afs_rw_udp_sockets(domain)
 +	')
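Review bot: `hal_dontaudit_read_pid_files(domain)` silences the denial for every domain on the system rather than for the few that actually produce it, which removes that AVC record from the audit log for all confined services and therefore also from audit2allow output and from anyone monitoring for unexpected access to hald's pid files. If only a handful of domains generate the noise, a dontaudit in those modules is more precise; if the global scope is intentional, a comment naming the cause would justify it, e.g. `# every hal client probes hald's pid file; silence it policy-wide`. The list of optional_policy blocks continues outside the hunk.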
@@ -8454,20 +8493,25 @@ index 07352a5..12e9ecf 100644
  #Temporarily in policy until FC5 dissappears
  typealias etc_runtime_t alias firstboot_rw_t;
 diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc
-index 9306de6..41dfd80 100644
+index 59bae6a..16f0f9e 100644
 --- a/policy/modules/kernel/filesystem.fc
 +++ b/policy/modules/kernel/filesystem.fc
-@@ -1,3 +1,4 @@
- /dev/shm	-d	gen_context(system_u:object_r:tmpfs_t,s0)
+@@ -2,5 +2,10 @@
+ /dev/shm/.*		<<none>>
  
--/cgroup		-d	gen_context(system_u:object_r:cgroup_t,s0)
-+/cgroup(/.*)? 	 	gen_context(system_u:object_r:cgroup_t,s0)
-+/sys/fs/cgroup(/.*)?  	<<none>>
+ /cgroup		-d	gen_context(system_u:object_r:cgroup_t,s0)
++/cgroup/.*		<<none>>
+ 
++/sys/fs/cgroup	-d	gen_context(system_u:object_r:cgroup_t,s0)
+ /sys/fs/cgroup(/.*)?	<<none>>
++
++/dev/hugepages	-d	gen_context(system_u:object_r:hugetlbfs_t,s0)
++/dev/hugepages(/.*)?		<<none>>
 diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index e3e17ba..3b34959 100644
+index 437a42a..8d6d333 100644
 --- a/policy/modules/kernel/filesystem.if
 +++ b/policy/modules/kernel/filesystem.if
-@@ -1233,7 +1233,7 @@ interface(`fs_dontaudit_rw_cifs_files',`
+@@ -1241,7 +1241,7 @@ interface(`fs_dontaudit_rw_cifs_files',`
  		type cifs_t;
  	')
  
@@ -8476,7 +8520,7 @@ index e3e17ba..3b34959 100644
  ')
  
  ########################################
-@@ -1496,6 +1496,25 @@ interface(`fs_cifs_domtrans',`
+@@ -1504,6 +1504,25 @@ interface(`fs_cifs_domtrans',`
  	domain_auto_transition_pattern($1, cifs_t, $2)
  ')
  
@@ -8502,7 +8546,7 @@ index e3e17ba..3b34959 100644
  #######################################
  ## <summary>
  ##	Create, read, write, and delete dirs
-@@ -1923,7 +1942,26 @@ interface(`fs_read_fusefs_symlinks',`
+@@ -1931,7 +1950,26 @@ interface(`fs_read_fusefs_symlinks',`
  
  ########################################
  ## <summary>
@@ -8530,7 +8574,7 @@ index e3e17ba..3b34959 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1938,6 +1976,41 @@ interface(`fs_rw_hugetlbfs_files',`
+@@ -1946,6 +1984,41 @@ interface(`fs_rw_hugetlbfs_files',`
  
  	rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
  ')
@@ -8572,7 +8616,7 @@ index e3e17ba..3b34959 100644
  
  ########################################
  ## <summary>
-@@ -1991,6 +2064,7 @@ interface(`fs_list_inotifyfs',`
+@@ -1999,6 +2072,7 @@ interface(`fs_list_inotifyfs',`
  	')
  
  	allow $1 inotifyfs_t:dir list_dir_perms;
@@ -8580,7 +8624,7 @@ index e3e17ba..3b34959 100644
  ')
  
  ########################################
-@@ -2387,6 +2461,25 @@ interface(`fs_exec_nfs_files',`
+@@ -2395,6 +2469,25 @@ interface(`fs_exec_nfs_files',`
  
  ########################################
  ## <summary>
@@ -8606,7 +8650,7 @@ index e3e17ba..3b34959 100644
  ##	Append files
  ##	on a NFS filesystem.
  ## </summary>
-@@ -2441,7 +2534,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
+@@ -2449,7 +2542,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
  		type nfs_t;
  	')
  
@@ -8615,7 +8659,7 @@ index e3e17ba..3b34959 100644
  ')
  
  ########################################
-@@ -2629,6 +2722,24 @@ interface(`fs_dontaudit_read_removable_files',`
+@@ -2637,6 +2730,24 @@ interface(`fs_dontaudit_read_removable_files',`
  
  ########################################
  ## <summary>
@@ -8640,7 +8684,7 @@ index e3e17ba..3b34959 100644
  ##	Read removable storage symbolic links.
  ## </summary>
  ## <param name="domain">
-@@ -2837,7 +2948,7 @@ interface(`fs_dontaudit_manage_nfs_files',`
+@@ -2845,7 +2956,7 @@ interface(`fs_dontaudit_manage_nfs_files',`
  #########################################
  ## <summary>
  ##	Create, read, write, and delete symbolic links
@@ -8649,7 +8693,7 @@ index e3e17ba..3b34959 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3962,6 +4073,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -3970,6 +4081,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
  
  ########################################
  ## <summary>
@@ -8674,7 +8718,7 @@ index e3e17ba..3b34959 100644
  ##	Relabel character nodes on tmpfs filesystems.
  ## </summary>
  ## <param name="domain">
-@@ -4654,3 +4783,24 @@ interface(`fs_unconfined',`
+@@ -4662,3 +4791,24 @@ interface(`fs_unconfined',`
  
  	typeattribute $1 filesystem_unconfined_type;
  ')
@@ -8700,7 +8744,7 @@ index e3e17ba..3b34959 100644
 +')
 +
 diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
-index 56c3408..3f4cf3d 100644
+index 0dff98e..930062c 100644
 --- a/policy/modules/kernel/filesystem.te
 +++ b/policy/modules/kernel/filesystem.te
 @@ -52,6 +52,7 @@ type anon_inodefs_t;
@@ -10416,10 +10460,10 @@ index 0000000..8b2cdf3
 +
 diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
 new file mode 100644
-index 0000000..177e89c
+index 0000000..799db36
 --- /dev/null
 +++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,462 @@
+@@ -0,0 +1,475 @@
 +policy_module(unconfineduser, 1.0.0)
 +
 +########################################
@@ -10437,6 +10481,13 @@ index 0000000..177e89c
 +
 +## <desc>
 +## <p>
++## Allow vidio playing tools to tun unconfined
++## </p>
++## </desc>
++gen_tunable(unconfined_mplayer, false)
++
++## <desc>
++## <p>
 +## Allow a user to login as an unconfined domain
 +## </p>
 +## </desc>
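Review bot: The description of the new `unconfined_mplayer` boolean contains two typos, `vidio` and `tun`, and this text is what administrators see when listing booleans, so it should read `## Allow video playing tools to run unconfined`. The wording is also the only documentation of what the boolean controls, so it is worth getting right before it ships.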
@@ -10858,6 +10909,12 @@ index 0000000..177e89c
 +	')
 +
 +	optional_policy(`
++		tunable_policy(`unconfined_login',`
++			mplayer_exec_domtrans(unconfined_t, unconfined_execmem_t)
++		')
++	')
++
++	optional_policy(`
 +		openoffice_exec_domtrans(unconfined_t, unconfined_execmem_t)
 +	')
 +')
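Review bot: The new tunable_policy block is keyed on `unconfined_login`, but the boolean this file introduces for exactly this purpose (in an earlier hunk of the same file) is `unconfined_mplayer`; as written, mplayer transitions to unconfined_execmem_t whenever unconfined login is enabled and the new boolean is never consulted. The condition should be `tunable_policy(`unconfined_mplayer',`. This matters from a hardening standpoint because an administrator setting `unconfined_mplayer` to off would expect mplayer to stay confined and it would not. The enclosing optional_policy list continues outside the hunk.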
@@ -11645,7 +11702,7 @@ index cf34b4e..cc216a4 100644
  kernel_read_kernel_sysctls(amavis_t)
  # amavis tries to access /proc/self/stat, /etc/shadow and /root - perl...
 diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
-index 9e39aa5..b37de8e 100644
+index 9e39aa5..8603d4d 100644
 --- a/policy/modules/services/apache.fc
 +++ b/policy/modules/services/apache.fc
 @@ -2,7 +2,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u
@@ -11693,7 +11750,7 @@ index 9e39aa5..b37de8e 100644
  
  ifdef(`distro_debian', `
  /var/log/horde2(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
-@@ -109,3 +107,16 @@ ifdef(`distro_debian', `
+@@ -109,3 +107,17 @@ ifdef(`distro_debian', `
  /var/www/cgi-bin(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
  /var/www/icons(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /var/www/perl(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
@@ -11705,16 +11762,17 @@ index 9e39aa5..b37de8e 100644
 +/var/www/gallery/albums(/.*)?		gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +
 +/var/lib/koji(/.*)? 			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/lib/pootle/po(/.*)? 		gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +/var/lib/rt3/data/RT-Shredder(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
 +
 +/var/www/svn(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +/var/www/svn/hooks(/.*)?		gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
 +/var/www/svn/conf(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
 diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
-index c9e1a44..c96d035 100644
+index c9e1a44..2244b11 100644
 --- a/policy/modules/services/apache.if
 +++ b/policy/modules/services/apache.if
-@@ -13,17 +13,13 @@
+@@ -13,17 +13,14 @@
  #
  template(`apache_content_template',`
  	gen_require(`
@@ -11727,14 +11785,21 @@ index c9e1a44..c96d035 100644
 -	# allow write access to public file transfer
 -	# services files.
 -	gen_tunable(allow_httpd_$1_script_anon_write, false)
--
+ 
  	#This type is for webpages
 -	type httpd_$1_content_t, httpdcontent; # customizable
 +	type httpd_$1_content_t; # customizable;
  	typealias httpd_$1_content_t alias httpd_$1_script_ro_t;
  	files_type(httpd_$1_content_t)
  
-@@ -41,11 +37,11 @@ template(`apache_content_template',`
+@@ -36,16 +33,18 @@ template(`apache_content_template',`
+ 	domain_type(httpd_$1_script_t)
+ 	role system_r types httpd_$1_script_t;
+ 
++	search_dirs_pattern(httpd_$1_script_t, httpd_sys_content_t, httpd_script_exec_type)
++
+ 	# This type is used for executable scripts files
+ 	type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;
  	corecmd_shell_entry_type(httpd_$1_script_t)
  	domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t)
  
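Review bot: The added `search_dirs_pattern(httpd_$1_script_t, httpd_sys_content_t, httpd_script_exec_type)` sits inside `apache_content_template`, so every script domain stamped from the template gains search on httpd_sys_content_t directories and on every script-exec directory type, a broadening beyond the $1-specific types the rest of the template uses. If the intent is only to let scripts reach their own exec directory, `search_dirs_pattern(httpd_$1_script_t, httpd_sys_content_t, httpd_$1_script_exec_t)` is narrower. If httpd_sys_content_t is not already listed in the template's gen_require (cut off above this hunk), it needs adding there. The template body continues on both sides of the hunk.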
@@ -11748,7 +11813,7 @@ index c9e1a44..c96d035 100644
  	typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t };
  	files_type(httpd_$1_ra_content_t)
  
-@@ -54,7 +50,7 @@ template(`apache_content_template',`
+@@ -54,7 +53,7 @@ template(`apache_content_template',`
  	domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
  
  	allow httpd_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
@@ -11757,7 +11822,7 @@ index c9e1a44..c96d035 100644
  
  	allow httpd_$1_script_t self:fifo_file rw_file_perms;
  	allow httpd_$1_script_t self:unix_stream_socket connectto;
-@@ -86,7 +82,6 @@ template(`apache_content_template',`
+@@ -86,7 +85,6 @@ template(`apache_content_template',`
  	manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
  	manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
  	manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
@@ -11765,7 +11830,7 @@ index c9e1a44..c96d035 100644
  
  	kernel_dontaudit_search_sysctl(httpd_$1_script_t)
  	kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t)
-@@ -95,6 +90,7 @@ template(`apache_content_template',`
+@@ -95,6 +93,7 @@ template(`apache_content_template',`
  	dev_read_urand(httpd_$1_script_t)
  
  	corecmd_exec_all_executables(httpd_$1_script_t)
@@ -11773,7 +11838,7 @@ index c9e1a44..c96d035 100644
  
  	files_exec_etc_files(httpd_$1_script_t)
  	files_read_etc_files(httpd_$1_script_t)
-@@ -108,19 +104,6 @@ template(`apache_content_template',`
+@@ -108,19 +107,6 @@ template(`apache_content_template',`
  
  	seutil_dontaudit_search_config(httpd_$1_script_t)
  
@@ -11793,7 +11858,7 @@ index c9e1a44..c96d035 100644
  	# Allow the web server to run scripts and serve pages
  	tunable_policy(`httpd_builtin_scripting',`
  		manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-@@ -140,6 +123,7 @@ template(`apache_content_template',`
+@@ -140,6 +126,7 @@ template(`apache_content_template',`
  		allow httpd_t httpd_$1_content_t:dir list_dir_perms;
  		read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
  		read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
@@ -11801,7 +11866,7 @@ index c9e1a44..c96d035 100644
  	')
  
  	tunable_policy(`httpd_enable_cgi',`
-@@ -148,14 +132,19 @@ template(`apache_content_template',`
+@@ -148,14 +135,19 @@ template(`apache_content_template',`
  		# privileged users run the script:
  		domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)
  
@@ -11821,7 +11886,7 @@ index c9e1a44..c96d035 100644
  
  		allow httpd_$1_script_t httpd_t:fd use;
  		allow httpd_$1_script_t httpd_t:process sigchld;
-@@ -172,6 +161,7 @@ template(`apache_content_template',`
+@@ -172,6 +164,7 @@ template(`apache_content_template',`
  		libs_read_lib_files(httpd_$1_script_t)
  
  		miscfiles_read_localization(httpd_$1_script_t)
@@ -11829,7 +11894,7 @@ index c9e1a44..c96d035 100644
  	')
  
  	optional_policy(`
-@@ -182,15 +172,13 @@ template(`apache_content_template',`
+@@ -182,15 +175,13 @@ template(`apache_content_template',`
  
  	optional_policy(`
  		postgresql_unpriv_client(httpd_$1_script_t)
@@ -11847,7 +11912,7 @@ index c9e1a44..c96d035 100644
  ')
  
  ########################################
-@@ -229,6 +217,13 @@ interface(`apache_role',`
+@@ -229,6 +220,13 @@ interface(`apache_role',`
  	relabel_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
  	relabel_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
  
@@ -11861,7 +11926,7 @@ index c9e1a44..c96d035 100644
  	manage_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
  	manage_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
  	manage_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
-@@ -243,6 +238,8 @@ interface(`apache_role',`
+@@ -243,6 +241,8 @@ interface(`apache_role',`
  	relabel_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
  	relabel_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
  
@@ -11870,7 +11935,7 @@ index c9e1a44..c96d035 100644
  	tunable_policy(`httpd_enable_cgi',`
  		# If a user starts a script by hand it gets the proper context
  		domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t)
-@@ -312,6 +309,25 @@ interface(`apache_domtrans',`
+@@ -312,6 +312,25 @@ interface(`apache_domtrans',`
  	domtrans_pattern($1, httpd_exec_t, httpd_t)
  ')
  
@@ -11896,7 +11961,7 @@ index c9e1a44..c96d035 100644
  #######################################
  ## <summary>
  ##	Send a generic signal to apache.
-@@ -400,7 +416,7 @@ interface(`apache_dontaudit_rw_fifo_file',`
+@@ -400,7 +419,7 @@ interface(`apache_dontaudit_rw_fifo_file',`
  		type httpd_t;
  	')
  
@@ -11905,7 +11970,7 @@ index c9e1a44..c96d035 100644
  ')
  
  ########################################
-@@ -526,6 +542,25 @@ interface(`apache_rw_cache_files',`
+@@ -526,6 +545,25 @@ interface(`apache_rw_cache_files',`
  ########################################
  ## <summary>
  ##	Allow the specified domain to delete
@@ -11931,7 +11996,7 @@ index c9e1a44..c96d035 100644
  ##	Apache cache.
  ## </summary>
  ## <param name="domain">
-@@ -740,6 +775,25 @@ interface(`apache_dontaudit_search_modules',`
+@@ -740,6 +778,25 @@ interface(`apache_dontaudit_search_modules',`
  
  ########################################
  ## <summary>
@@ -11957,7 +12022,7 @@ index c9e1a44..c96d035 100644
  ##	Allow the specified domain to list
  ##	the contents of the apache modules
  ##	directory.
-@@ -756,6 +810,7 @@ interface(`apache_list_modules',`
+@@ -756,6 +813,7 @@ interface(`apache_list_modules',`
  	')
  
  	allow $1 httpd_modules_t:dir list_dir_perms;
@@ -11965,7 +12030,7 @@ index c9e1a44..c96d035 100644
  ')
  
  ########################################
-@@ -814,6 +869,7 @@ interface(`apache_list_sys_content',`
+@@ -814,6 +872,7 @@ interface(`apache_list_sys_content',`
  	')
  
  	list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
@@ -11973,7 +12038,7 @@ index c9e1a44..c96d035 100644
  	files_search_var($1)
  ')
  
-@@ -836,11 +892,80 @@ interface(`apache_manage_sys_content',`
+@@ -836,11 +895,80 @@ interface(`apache_manage_sys_content',`
  	')
  
  	files_search_var($1)
@@ -12054,7 +12119,7 @@ index c9e1a44..c96d035 100644
  ########################################
  ## <summary>
  ##	Execute all web scripts in the system
-@@ -858,6 +983,11 @@ interface(`apache_domtrans_sys_script',`
+@@ -858,6 +986,11 @@ interface(`apache_domtrans_sys_script',`
  	gen_require(`
  		attribute httpdcontent;
  		type httpd_sys_script_t;
@@ -12066,7 +12131,7 @@ index c9e1a44..c96d035 100644
  	')
  
  	tunable_policy(`httpd_enable_cgi && httpd_unified',`
-@@ -945,7 +1075,7 @@ interface(`apache_read_squirrelmail_data',`
+@@ -945,7 +1078,7 @@ interface(`apache_read_squirrelmail_data',`
  		type httpd_squirrelmail_t;
  	')
  
@@ -12075,7 +12140,7 @@ index c9e1a44..c96d035 100644
  ')
  
  ########################################
-@@ -1086,6 +1216,25 @@ interface(`apache_read_tmp_files',`
+@@ -1086,6 +1219,25 @@ interface(`apache_read_tmp_files',`
  	read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
  ')
  
@@ -12101,7 +12166,7 @@ index c9e1a44..c96d035 100644
  ########################################
  ## <summary>
  ##	Dontaudit attempts to write
-@@ -1102,7 +1251,7 @@ interface(`apache_dontaudit_write_tmp_files',`
+@@ -1102,7 +1254,7 @@ interface(`apache_dontaudit_write_tmp_files',`
  		type httpd_tmp_t;
  	')
  
@@ -12110,7 +12175,7 @@ index c9e1a44..c96d035 100644
  ')
  
  ########################################
-@@ -1172,7 +1321,7 @@ interface(`apache_admin',`
+@@ -1172,7 +1324,7 @@ interface(`apache_admin',`
  		type httpd_modules_t, httpd_lock_t;
  		type httpd_var_run_t, httpd_php_tmp_t;
  		type httpd_suexec_tmp_t, httpd_tmp_t;
@@ -12119,7 +12184,7 @@ index c9e1a44..c96d035 100644
  	')
  
  	allow $1 httpd_t:process { getattr ptrace signal_perms };
-@@ -1202,12 +1351,43 @@ interface(`apache_admin',`
+@@ -1202,12 +1354,43 @@ interface(`apache_admin',`
  
  	kernel_search_proc($1)
  	allow $1 httpd_t:dir list_dir_perms;
@@ -12165,7 +12230,7 @@ index c9e1a44..c96d035 100644
 +	dontaudit $1 httpd_t:unix_stream_socket { read write };
  ')
 diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index e33b9cd..08ec94f 100644
+index e33b9cd..de4388a 100644
 --- a/policy/modules/services/apache.te
 +++ b/policy/modules/services/apache.te
 @@ -18,6 +18,8 @@ policy_module(apache, 2.2.0)
@@ -12212,7 +12277,21 @@ index e33b9cd..08ec94f 100644
  ## Allow HTTPD scripts and modules to connect to databases over the network.
  ## </p>
  ## </desc>
-@@ -71,6 +94,13 @@ gen_tunable(httpd_can_sendmail, false)
+@@ -57,6 +80,13 @@ gen_tunable(httpd_can_network_connect_db, false)
+ 
+ ## <desc>
+ ## <p>
++## Allow httpd to connect to memcache server
++## </p>
++## </desc>
++gen_tunable(httpd_can_network_memcache, false)
++
++## <desc>
++## <p>
+ ## Allow httpd to act as a relay
+ ## </p>
+ ## </desc>
+@@ -71,6 +101,13 @@ gen_tunable(httpd_can_sendmail, false)
  
  ## <desc>
  ## <p>
@@ -12226,7 +12305,7 @@ index e33b9cd..08ec94f 100644
  ## Allow Apache to communicate with avahi service via dbus
  ## </p>
  ## </desc>
-@@ -100,6 +130,13 @@ gen_tunable(httpd_enable_homedirs, false)
+@@ -100,6 +137,13 @@ gen_tunable(httpd_enable_homedirs, false)
  
  ## <desc>
  ## <p>
@@ -12240,7 +12319,7 @@ index e33b9cd..08ec94f 100644
  ## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
  ## </p>
  ## </desc>
-@@ -107,6 +144,13 @@ gen_tunable(httpd_ssi_exec, false)
+@@ -107,6 +151,13 @@ gen_tunable(httpd_ssi_exec, false)
  
  ## <desc>
  ## <p>
@@ -12254,7 +12333,7 @@ index e33b9cd..08ec94f 100644
  ## Unify HTTPD to communicate with the terminal.
  ## Needed for entering the passphrase for certificates at
  ## the terminal.
-@@ -130,7 +174,7 @@ gen_tunable(httpd_use_cifs, false)
+@@ -130,7 +181,7 @@ gen_tunable(httpd_use_cifs, false)
  
  ## <desc>
  ## <p>
@@ -12263,7 +12342,7 @@ index e33b9cd..08ec94f 100644
  ## </p>
  ## </desc>
  gen_tunable(httpd_use_gpg, false)
-@@ -142,6 +186,13 @@ gen_tunable(httpd_use_gpg, false)
+@@ -142,6 +193,13 @@ gen_tunable(httpd_use_gpg, false)
  ## </desc>
  gen_tunable(httpd_use_nfs, false)
  
@@ -12277,7 +12356,7 @@ index e33b9cd..08ec94f 100644
  attribute httpdcontent;
  attribute httpd_user_content_type;
  
-@@ -216,7 +267,10 @@ files_tmp_file(httpd_suexec_tmp_t)
+@@ -216,7 +274,10 @@ files_tmp_file(httpd_suexec_tmp_t)
  
  # setup the system domain for system CGI scripts
  apache_content_template(sys)
@@ -12289,7 +12368,7 @@ index e33b9cd..08ec94f 100644
  
  type httpd_tmp_t;
  files_tmp_file(httpd_tmp_t)
-@@ -226,6 +280,10 @@ files_tmpfs_file(httpd_tmpfs_t)
+@@ -226,6 +287,10 @@ files_tmpfs_file(httpd_tmpfs_t)
  
  apache_content_template(user)
  ubac_constrained(httpd_user_script_t)
@@ -12300,7 +12379,7 @@ index e33b9cd..08ec94f 100644
  userdom_user_home_content(httpd_user_content_t)
  userdom_user_home_content(httpd_user_htaccess_t)
  userdom_user_home_content(httpd_user_script_exec_t)
-@@ -233,6 +291,7 @@ userdom_user_home_content(httpd_user_ra_content_t)
+@@ -233,6 +298,7 @@ userdom_user_home_content(httpd_user_ra_content_t)
  userdom_user_home_content(httpd_user_rw_content_t)
  typeattribute httpd_user_script_t httpd_script_domains;
  typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
@@ -12308,7 +12387,7 @@ index e33b9cd..08ec94f 100644
  typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
  typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
  typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
-@@ -286,6 +345,7 @@ allow httpd_t self:udp_socket create_socket_perms;
+@@ -286,6 +352,7 @@ allow httpd_t self:udp_socket create_socket_perms;
  manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
  manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
  manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
@@ -12316,7 +12395,7 @@ index e33b9cd..08ec94f 100644
  
  # Allow the httpd_t to read the web servers config files
  allow httpd_t httpd_config_t:dir list_dir_perms;
-@@ -355,6 +415,7 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -355,6 +422,7 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  kernel_read_kernel_sysctls(httpd_t)
  # for modules that want to access /proc/meminfo
  kernel_read_system_state(httpd_t)
@@ -12324,7 +12403,7 @@ index e33b9cd..08ec94f 100644
  
  corenet_all_recvfrom_unlabeled(httpd_t)
  corenet_all_recvfrom_netlabel(httpd_t)
-@@ -365,8 +426,10 @@ corenet_udp_sendrecv_generic_node(httpd_t)
+@@ -365,8 +433,10 @@ corenet_udp_sendrecv_generic_node(httpd_t)
  corenet_tcp_sendrecv_all_ports(httpd_t)
  corenet_udp_sendrecv_all_ports(httpd_t)
  corenet_tcp_bind_generic_node(httpd_t)
@@ -12335,7 +12414,7 @@ index e33b9cd..08ec94f 100644
  corenet_sendrecv_http_server_packets(httpd_t)
  # Signal self for shutdown
  corenet_tcp_connect_http_port(httpd_t)
-@@ -378,12 +441,12 @@ dev_rw_crypto(httpd_t)
+@@ -378,12 +448,12 @@ dev_rw_crypto(httpd_t)
  
  fs_getattr_all_fs(httpd_t)
  fs_search_auto_mountpoints(httpd_t)
@@ -12351,7 +12430,7 @@ index e33b9cd..08ec94f 100644
  
  domain_use_interactive_fds(httpd_t)
  
-@@ -402,6 +465,10 @@ files_read_etc_files(httpd_t)
+@@ -402,6 +472,10 @@ files_read_etc_files(httpd_t)
  files_read_var_lib_symlinks(httpd_t)
  
  fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -12362,7 +12441,7 @@ index e33b9cd..08ec94f 100644
  
  libs_read_lib_files(httpd_t)
  
-@@ -416,16 +483,31 @@ seutil_dontaudit_search_config(httpd_t)
+@@ -416,16 +490,31 @@ seutil_dontaudit_search_config(httpd_t)
  
  userdom_use_unpriv_users_fds(httpd_t)
  
@@ -12396,7 +12475,17 @@ index e33b9cd..08ec94f 100644
  ')
  ')
  
-@@ -439,13 +521,25 @@ tunable_policy(`httpd_can_network_relay',`
+@@ -433,19 +522,35 @@ tunable_policy(`httpd_can_network_connect',`
+ 	corenet_tcp_connect_all_ports(httpd_t)
+ ')
+ 
++tunable_policy(`httpd_can_network_memcache',`
++	corenet_tcp_connect_memcache_port(httpd_t)
++')
++
+ tunable_policy(`httpd_can_network_relay',`
+ 	# allow httpd to work as a relay
+ 	corenet_tcp_connect_gopher_port(httpd_t)
  	corenet_tcp_connect_ftp_port(httpd_t)
  	corenet_tcp_connect_http_port(httpd_t)
  	corenet_tcp_connect_http_cache_port(httpd_t)
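Review bot: The new `httpd_can_network_memcache` block grants only `corenet_tcp_connect_memcache_port(httpd_t)`, whereas the existing `httpd_can_sendmail` block later in this file pairs its connect rule with a matching client-packet rule (`corenet_sendrecv_smtp_client_packets(httpd_t)`). For consistency the memcache block would carry the equivalent packet rule, presumably `corenet_sendrecv_memcache_client_packets(httpd_t)` if corenetwork generates that interface for the memcache port — confirm the name before adding it. A one-line comment above the block, `# allow httpd to talk to a memcached server`, would also match the style of the relay block that follows.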
@@ -12422,7 +12511,7 @@ index e33b9cd..08ec94f 100644
  tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
  	fs_nfs_domtrans(httpd_t, httpd_sys_script_t)
  ')
-@@ -456,6 +550,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -456,6 +561,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
  
  tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
  	domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
@@ -12433,7 +12522,7 @@ index e33b9cd..08ec94f 100644
  
  	manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
  	manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
-@@ -470,11 +568,25 @@ tunable_policy(`httpd_enable_homedirs',`
+@@ -470,11 +579,25 @@ tunable_policy(`httpd_enable_homedirs',`
  	userdom_read_user_home_content_files(httpd_t)
  ')
  
@@ -12459,7 +12548,7 @@ index e33b9cd..08ec94f 100644
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_t)
  	fs_read_cifs_symlinks(httpd_t)
-@@ -484,7 +596,16 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -484,7 +607,16 @@ tunable_policy(`httpd_can_sendmail',`
  	# allow httpd to connect to mail servers
  	corenet_tcp_connect_smtp_port(httpd_t)
  	corenet_sendrecv_smtp_client_packets(httpd_t)
@@ -12476,7 +12565,7 @@ index e33b9cd..08ec94f 100644
  ')
  
  tunable_policy(`httpd_ssi_exec',`
-@@ -500,8 +621,10 @@ tunable_policy(`httpd_ssi_exec',`
+@@ -500,8 +632,10 @@ tunable_policy(`httpd_ssi_exec',`
  # are dontaudited here.
  tunable_policy(`httpd_tty_comm',`
  	userdom_use_user_terminals(httpd_t)
@@ -12487,7 +12576,7 @@ index e33b9cd..08ec94f 100644
  ')
  
  optional_policy(`
-@@ -513,7 +636,13 @@ optional_policy(`
+@@ -513,7 +647,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -12502,7 +12591,7 @@ index e33b9cd..08ec94f 100644
  ')
  
  optional_policy(`
-@@ -528,7 +657,7 @@ optional_policy(`
+@@ -528,7 +668,7 @@ optional_policy(`
  	daemontools_service_domain(httpd_t, httpd_exec_t)
  ')
  
@@ -12511,7 +12600,7 @@ index e33b9cd..08ec94f 100644
  	dbus_system_bus_client(httpd_t)
  
  	tunable_policy(`httpd_dbus_avahi',`
-@@ -537,8 +666,12 @@ optional_policy(`
+@@ -537,8 +677,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -12525,7 +12614,7 @@ index e33b9cd..08ec94f 100644
  	')
  ')
  
-@@ -557,6 +690,7 @@ optional_policy(`
+@@ -557,6 +701,7 @@ optional_policy(`
  
  optional_policy(`
  	# Allow httpd to work with mysql
@@ -12533,7 +12622,7 @@ index e33b9cd..08ec94f 100644
  	mysql_stream_connect(httpd_t)
  	mysql_rw_db_sockets(httpd_t)
  
-@@ -567,6 +701,7 @@ optional_policy(`
+@@ -567,6 +712,7 @@ optional_policy(`
  
  optional_policy(`
  	nagios_read_config(httpd_t)
@@ -12541,7 +12630,7 @@ index e33b9cd..08ec94f 100644
  ')
  
  optional_policy(`
-@@ -577,12 +712,23 @@ optional_policy(`
+@@ -577,12 +723,23 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -12565,7 +12654,7 @@ index e33b9cd..08ec94f 100644
  	')
  ')
  
-@@ -591,6 +737,11 @@ optional_policy(`
+@@ -591,6 +748,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -12577,7 +12666,7 @@ index e33b9cd..08ec94f 100644
  	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
  	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
  ')
-@@ -603,6 +754,10 @@ optional_policy(`
+@@ -603,6 +765,10 @@ optional_policy(`
  	yam_read_content(httpd_t)
  ')
  
@@ -12588,7 +12677,7 @@ index e33b9cd..08ec94f 100644
  ########################################
  #
  # Apache helper local policy
-@@ -618,6 +773,10 @@ logging_send_syslog_msg(httpd_helper_t)
+@@ -618,6 +784,10 @@ logging_send_syslog_msg(httpd_helper_t)
  
  userdom_use_user_terminals(httpd_helper_t)
  
@@ -12599,7 +12688,7 @@ index e33b9cd..08ec94f 100644
  ########################################
  #
  # Apache PHP script local policy
-@@ -699,17 +858,18 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -699,17 +869,18 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
  
@@ -12621,7 +12710,7 @@ index e33b9cd..08ec94f 100644
  
  files_read_etc_files(httpd_suexec_t)
  files_read_usr_files(httpd_suexec_t)
-@@ -740,10 +900,21 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -740,10 +911,21 @@ tunable_policy(`httpd_can_network_connect',`
  	corenet_sendrecv_all_client_packets(httpd_suexec_t)
  ')
  
@@ -12644,7 +12733,7 @@ index e33b9cd..08ec94f 100644
  ')
  
  tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -769,6 +940,12 @@ optional_policy(`
+@@ -769,6 +951,12 @@ optional_policy(`
  	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
  ')
  
@@ -12657,7 +12746,7 @@ index e33b9cd..08ec94f 100644
  ########################################
  #
  # Apache system script local policy
-@@ -792,9 +969,13 @@ kernel_read_kernel_sysctls(httpd_sys_script_t)
+@@ -792,9 +980,13 @@ kernel_read_kernel_sysctls(httpd_sys_script_t)
  files_search_var_lib(httpd_sys_script_t)
  files_search_spool(httpd_sys_script_t)
  
@@ -12671,7 +12760,7 @@ index e33b9cd..08ec94f 100644
  ifdef(`distro_redhat',`
  	allow httpd_sys_script_t httpd_log_t:file append_file_perms;
  ')
-@@ -803,6 +984,28 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -803,6 +995,28 @@ tunable_policy(`httpd_can_sendmail',`
  	mta_send_mail(httpd_sys_script_t)
  ')
  
@@ -12700,7 +12789,7 @@ index e33b9cd..08ec94f 100644
  tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
  	allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
  	allow httpd_sys_script_t self:udp_socket create_socket_perms;
-@@ -830,6 +1033,16 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -830,6 +1044,16 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
  	fs_read_nfs_symlinks(httpd_sys_script_t)
  ')
  
@@ -12717,7 +12806,7 @@ index e33b9cd..08ec94f 100644
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_sys_script_t)
  	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,6 +1055,7 @@ optional_policy(`
+@@ -842,6 +1066,7 @@ optional_policy(`
  optional_policy(`
  	mysql_stream_connect(httpd_sys_script_t)
  	mysql_rw_db_sockets(httpd_sys_script_t)
@@ -12725,7 +12814,7 @@ index e33b9cd..08ec94f 100644
  ')
  
  optional_policy(`
-@@ -891,11 +1105,33 @@ optional_policy(`
+@@ -891,11 +1116,33 @@ optional_policy(`
  
  tunable_policy(`httpd_enable_cgi && httpd_unified',`
  	allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -12778,7 +12867,7 @@ index 67c91aa..472ddad 100644
  	mta_system_content(apcupsd_tmp_t)
  ')
 diff --git a/policy/modules/services/apm.te b/policy/modules/services/apm.te
-index 1c8c27e..c6832b0 100644
+index 1c8c27e..c7cba00 100644
 --- a/policy/modules/services/apm.te
 +++ b/policy/modules/services/apm.te
 @@ -62,6 +62,7 @@ allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod };
@@ -12824,20 +12913,6 @@ index 1c8c27e..c6832b0 100644
  ',`
  	# for ifconfig which is run all the time
  	kernel_dontaudit_search_sysctl(apmd_t)
-@@ -218,9 +228,13 @@ optional_policy(`
- 	udev_read_state(apmd_t) #necessary?
- ')
- 
-+ifdef(`enforcing',`
- optional_policy(`
- 	unconfined_domain(apmd_t)
- ')
-+', `
-+   permissive apmd_t;
-+')
- 
- optional_policy(`
- 	vbetool_domtrans(apmd_t)
 diff --git a/policy/modules/services/arpwatch.te b/policy/modules/services/arpwatch.te
 index 0160ba4..f31b5c9 100644
 --- a/policy/modules/services/arpwatch.te
@@ -14064,7 +14139,7 @@ index fa82327..7f4ca47 100644
  # bind to udp/323
  corenet_udp_bind_chronyd_port(chronyd_t)
 diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
-index 8c36027..0a0f374 100644
+index 8c36027..16598a4 100644
 --- a/policy/modules/services/clamav.te
 +++ b/policy/modules/services/clamav.te
 @@ -80,6 +80,7 @@ manage_files_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t)
@@ -14098,17 +14173,24 @@ index 8c36027..0a0f374 100644
  ')
  
  ########################################
-@@ -182,6 +186,9 @@ allow freshclam_t freshclam_var_log_t:dir setattr;
- allow freshclam_t clamd_var_log_t:dir search_dir_perms;
+@@ -179,9 +183,15 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file)
+ # log files (own logfiles only)
+ manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t)
+ allow freshclam_t freshclam_var_log_t:dir setattr;
+-allow freshclam_t clamd_var_log_t:dir search_dir_perms;
++read_files_pattern(freshclam_t, clamd_var_log_t, clamd_var_log_t)
  logging_log_filetrans(freshclam_t, freshclam_var_log_t, file)
  
 +kernel_read_kernel_sysctls(freshclam_t)
 +kernel_read_system_state(freshclam_t)
 +
++corecmd_exec_shell(freshclam_t)
++corecmd_exec_bin(freshclam_t)
++
  corenet_all_recvfrom_unlabeled(freshclam_t)
  corenet_all_recvfrom_netlabel(freshclam_t)
  corenet_tcp_sendrecv_generic_if(freshclam_t)
-@@ -189,6 +196,7 @@ corenet_tcp_sendrecv_generic_node(freshclam_t)
+@@ -189,6 +199,7 @@ corenet_tcp_sendrecv_generic_node(freshclam_t)
  corenet_tcp_sendrecv_all_ports(freshclam_t)
  corenet_tcp_sendrecv_clamd_port(freshclam_t)
  corenet_tcp_connect_http_port(freshclam_t)
@@ -14116,7 +14198,7 @@ index 8c36027..0a0f374 100644
  corenet_sendrecv_http_client_packets(freshclam_t)
  
  dev_read_rand(freshclam_t)
-@@ -207,6 +215,8 @@ miscfiles_read_localization(freshclam_t)
+@@ -207,6 +218,8 @@ miscfiles_read_localization(freshclam_t)
  
  clamav_stream_connect(freshclam_t)
  
@@ -14125,7 +14207,7 @@ index 8c36027..0a0f374 100644
  optional_policy(`
  	cron_system_entry(freshclam_t, freshclam_exec_t)
  ')
-@@ -251,6 +261,7 @@ corenet_tcp_sendrecv_clamd_port(clamscan_t)
+@@ -251,6 +264,7 @@ corenet_tcp_sendrecv_clamd_port(clamscan_t)
  corenet_tcp_connect_clamd_port(clamscan_t)
  
  kernel_read_kernel_sysctls(clamscan_t)
@@ -15192,7 +15274,7 @@ index 35241ed..cbd01be 100644
 +	manage_files_pattern($1, system_cronjob_var_lib_t,  system_cronjob_var_lib_t)
  ')
 diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
-index f35b243..939877a 100644
+index f35b243..38a83ea 100644
 --- a/policy/modules/services/cron.te
 +++ b/policy/modules/services/cron.te
 @@ -63,9 +63,12 @@ init_script_file(crond_initrc_exec_t)
@@ -15487,7 +15569,7 @@ index f35b243..939877a 100644
 +rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
  read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
 +read_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
-+allow cronjob_t user_cron_spool_t:file create_lnk_perms;
++allow cronjob_t user_cron_spool_t:file manage_lnk_file_perms;
  
  tunable_policy(`fcron_crond', `
  	allow crond_t user_cron_spool_t:file manage_file_perms;
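Review bot: `allow cronjob_t user_cron_spool_t:file manage_lnk_file_perms;` applies a permission set named for symlinks to the `file` class, which reads as a class/permission mismatch: if symlinks are meant the class should be `lnk_file`, and if crontab files are meant the set should be `manage_file_perms`. Either way the rule, whose expansion includes write, unlink and rename, is granted unconditionally to user cron jobs, while the equivalent write access for crond_t two lines below is gated behind `tunable_policy(`fcron_crond', ...)`; it is worth stating in a comment why cron jobs themselves need to modify spool files, e.g. `# fcron jobs rewrite their own spool entries (confirm)`.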
@@ -15704,7 +15786,7 @@ index 2a0f1c1..ab82c3c 100644
  	snmp_dontaudit_write_snmp_var_lib_files(cyrus_t)
  	snmp_stream_connect(cyrus_t)
 diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
-index 39e901a..4ab36ba 100644
+index 39e901a..e385f2f 100644
 --- a/policy/modules/services/dbus.if
 +++ b/policy/modules/services/dbus.if
 @@ -42,8 +42,10 @@ template(`dbus_role_template',`
@@ -15775,7 +15857,7 @@ index 39e901a..4ab36ba 100644
  
  	domtrans_pattern(system_dbusd_t, $2, $1)
  
-+	fs_search_cgroup_dirs($1)
++	fs_search_all($1)
 +
  	dbus_system_bus_client($1)
  	dbus_connect_system_bus($1)
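Review bot: Replacing `fs_search_cgroup_dirs($1)` with `fs_search_all($1)` inside what appears to be the `dbus_system_domain` interface (its header is outside this hunk) grants directory search on every filesystem type to every dbus-activated system service, far wider than the cgroup-only access it replaces. If one specific filesystem prompted the change, the narrower `fs_search_*` interface for it — or at least a comment naming the denial being fixed — would keep the footprint of a template that many domains inherit small.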
@@ -15914,7 +15996,7 @@ index 8ba9425..d53ee7e 100644
 +    gnome_dontaudit_search_config(denyhosts_t)
 +')
 diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
-index f231f17..ca3a848 100644
+index f231f17..6cee08f 100644
 --- a/policy/modules/services/devicekit.te
 +++ b/policy/modules/services/devicekit.te
 @@ -75,10 +75,12 @@ manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
@@ -15942,21 +16024,15 @@ index f231f17..ca3a848 100644
  files_manage_isid_type_dirs(devicekit_disk_t)
  files_manage_mnt_dirs(devicekit_disk_t)
  files_read_etc_files(devicekit_disk_t)
-@@ -178,17 +182,33 @@ optional_policy(`
+@@ -178,17 +182,27 @@ optional_policy(`
  	virt_manage_images(devicekit_disk_t)
  ')
  
-+ifdef(`enforcing',`
 +optional_policy(`
 +	unconfined_domain(devicekit_t)
 +	unconfined_domain(devicekit_power_t)
 +	unconfined_domain(devicekit_disk_t)
 +')
-+', `
-+	permissive devicekit_t;
-+	permissive devicekit_power_t;
-+	permissive devicekit_disk_t;
-+')
 +
  ########################################
  #
@@ -15977,7 +16053,7 @@ index f231f17..ca3a848 100644
  manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
  manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
  files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir)
-@@ -212,12 +232,14 @@ dev_rw_generic_usb_dev(devicekit_power_t)
+@@ -212,12 +226,14 @@ dev_rw_generic_usb_dev(devicekit_power_t)
  dev_rw_generic_chr_files(devicekit_power_t)
  dev_rw_netcontrol(devicekit_power_t)
  dev_rw_sysfs(devicekit_power_t)
@@ -15992,7 +16068,7 @@ index f231f17..ca3a848 100644
  
  term_use_all_terms(devicekit_power_t)
  
-@@ -225,6 +247,8 @@ auth_use_nsswitch(devicekit_power_t)
+@@ -225,8 +241,11 @@ auth_use_nsswitch(devicekit_power_t)
  
  miscfiles_read_localization(devicekit_power_t)
  
@@ -16000,8 +16076,11 @@ index f231f17..ca3a848 100644
 +
  sysnet_read_config(devicekit_power_t)
  sysnet_domtrans_ifconfig(devicekit_power_t)
++sysnet_domtrans_dhcpc(devicekit_power_t)
+ 
+ userdom_read_all_users_state(devicekit_power_t)
  
-@@ -261,6 +285,10 @@ optional_policy(`
+@@ -261,6 +280,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -16012,7 +16091,7 @@ index f231f17..ca3a848 100644
  	hal_domtrans_mac(devicekit_power_t)
  	hal_manage_log(devicekit_power_t)
  	hal_manage_pid_dirs(devicekit_power_t)
-@@ -280,5 +308,10 @@ optional_policy(`
+@@ -280,5 +303,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -16125,7 +16204,7 @@ index e1d7dc5..09f6f30 100644
  	admin_pattern($1, dovecot_var_run_t)
  
 diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
-index 14c6a2e..554ee5a 100644
+index 14c6a2e..c771d46 100644
 --- a/policy/modules/services/dovecot.te
 +++ b/policy/modules/services/dovecot.te
 @@ -18,7 +18,7 @@ type dovecot_auth_tmp_t;
@@ -16189,7 +16268,7 @@ index 14c6a2e..554ee5a 100644
  	postfix_search_spool(dovecot_auth_t)
  ')
  
-@@ -253,19 +261,26 @@ allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
+@@ -253,19 +261,27 @@ allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
  
  allow dovecot_deliver_t dovecot_t:process signull;
  
@@ -16198,7 +16277,8 @@ index 14c6a2e..554ee5a 100644
  allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
  
 +allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms;
-+allow dovecot_deliver_t dovecot_var_log_t:dir search_dir_perms;
++
++append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)
 +
 +can_exec(dovecot_deliver_t, dovecot_deliver_exec_t)
 +
@@ -16218,7 +16298,7 @@ index 14c6a2e..554ee5a 100644
  
  miscfiles_read_localization(dovecot_deliver_t)
  
-@@ -302,4 +317,5 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -302,4 +318,5 @@ tunable_policy(`use_samba_home_dirs',`
  
  optional_policy(`
  	mta_manage_spool(dovecot_deliver_t)
@@ -17519,10 +17599,25 @@ index 24c6253..e72b063 100644
  #
  # Local hald dccm policy
 diff --git a/policy/modules/services/icecast.te b/policy/modules/services/icecast.te
-index a57ffc0..f441c9a 100644
+index a57ffc0..4992511 100644
 --- a/policy/modules/services/icecast.te
 +++ b/policy/modules/services/icecast.te
-@@ -37,7 +37,10 @@ manage_dirs_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t)
+@@ -5,6 +5,14 @@ policy_module(icecast, 1.0.0)
+ # Declarations
+ #
+ 
++## <desc>
++## <p>
++## Allow icecast to connect to all ports, not just
++## sound ports.
++## </p>
++## </desc>
++gen_tunable(icecast_connect_any, false)
++
+ type icecast_t;
+ type icecast_exec_t;
+ init_daemon_domain(icecast_t, icecast_exec_t)
+@@ -37,7 +45,16 @@ manage_dirs_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t)
  manage_files_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t)
  files_pid_filetrans(icecast_t, icecast_var_run_t, { file dir })
  
@@ -17530,10 +17625,16 @@ index a57ffc0..f441c9a 100644
 +
  corenet_tcp_bind_soundd_port(icecast_t)
 +corenet_tcp_connect_soundd_port(icecast_t)
++
++tunable_policy(`icecast_connect_any',`
++	corenet_tcp_connect_all_ports(icecast_t)
++	corenet_tcp_bind_all_ports(icecast_t)
++	corenet_sendrecv_all_packets(icecast_t)
++')
  
  # Init script handling
  domain_use_interactive_fds(icecast_t)
-@@ -51,5 +54,9 @@ miscfiles_read_localization(icecast_t)
+@@ -51,5 +68,9 @@ miscfiles_read_localization(icecast_t)
  sysnet_dns_name_resolve(icecast_t)
  
  optional_policy(`
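Review bot: The `icecast_connect_any` tunable_policy also grants `corenet_tcp_bind_all_ports(icecast_t)` and `corenet_sendrecv_all_packets(icecast_t)`, while the boolean's `<desc>` added in the previous hunk only promises connecting to all ports. Either drop the bind line, or reword the description so an administrator enabling the boolean knows icecast may also listen on any port, e.g. `## Allow icecast to connect to and bind to all ports, not just sound ports.`.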
@@ -18264,8 +18365,27 @@ index db4fd6f..c28a876 100644
  	')
  
  	allow $1 memcached_t:process { ptrace signal_perms };
+diff --git a/policy/modules/services/milter.fc b/policy/modules/services/milter.fc
+index 55a3e2f..613c69d 100644
+--- a/policy/modules/services/milter.fc
++++ b/policy/modules/services/milter.fc
+@@ -1,3 +1,6 @@
++/etc/mail/dkim-milter/keys(/.*)?        gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
++
++/usr/sbin/dkim-filter           --      gen_context(system_u:object_r:dkim_milter_exec_t,s0)
+ /usr/sbin/milter-greylist	--	gen_context(system_u:object_r:greylist_milter_exec_t,s0)
+ /usr/sbin/milter-regex				--	gen_context(system_u:object_r:regex_milter_exec_t,s0)
+ /usr/sbin/spamass-milter	--	gen_context(system_u:object_r:spamass_milter_exec_t,s0)
+@@ -5,6 +8,7 @@
+ /var/lib/milter-greylist(/.*)?		gen_context(system_u:object_r:greylist_milter_data_t,s0)
+ /var/lib/spamass-milter(/.*)?		gen_context(system_u:object_r:spamass_milter_state_t,s0)
+ 
++/var/run/dkim-milter(/.*)?              gen_context(system_u:object_r:dkim_milter_data_t,s0)
+ /var/run/milter-greylist(/.*)?		gen_context(system_u:object_r:greylist_milter_data_t,s0)
+ /var/run/milter-greylist\.pid	--	gen_context(system_u:object_r:greylist_milter_data_t,s0)
+ /var/run/spamass-milter(/.*)?		gen_context(system_u:object_r:spamass_milter_data_t,s0)
 diff --git a/policy/modules/services/milter.if b/policy/modules/services/milter.if
-index ed1af3c..96cba91 100644
+index ed1af3c..a000225 100644
 --- a/policy/modules/services/milter.if
 +++ b/policy/modules/services/milter.if
 @@ -37,6 +37,8 @@ template(`milter_template',`
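Review bot: The three new milter.fc entries align the `--` and context columns with runs of spaces while the neighbouring entries use tabs; refpolicy .fc files are tab-aligned, and mixed whitespace shows up as noise in later diffs. The same applies to the new `milter_delete_dkim_pid_files` interface in the next hunk, whose body is indented with eight spaces instead of a tab. `/etc/mail/dkim-milter/keys(/.*)?` labels the whole key directory `dkim_milter_private_key_t`; a comment next to the type declaration in milter.te stating that only dkim_milter_t is meant to read it would make the intent explicit.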
@@ -18302,6 +18422,71 @@ index ed1af3c..96cba91 100644
  ##	Manage spamassassin milter state
  ## </summary>
  ## <param name="domain">
+@@ -100,3 +120,22 @@ interface(`milter_manage_spamass_state',`
+ 	manage_dirs_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
+ 	manage_lnk_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
+ ')
++
++#######################################
++## <summary>
++##      Delete dkim-milter PID files.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`milter_delete_dkim_pid_files',`
++        gen_require(`
++                type dkim_milter_data_t;
++        ')
++
++        files_search_pids($1)
++        delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t)
++')
+diff --git a/policy/modules/services/milter.te b/policy/modules/services/milter.te
+index 1b6dea0..6ba48ff 100644
+--- a/policy/modules/services/milter.te
++++ b/policy/modules/services/milter.te
+@@ -9,6 +9,13 @@ policy_module(milter, 1.2.1)
+ attribute milter_domains;
+ attribute milter_data_type;
+ 
++# support for dkim-milter - domainKeys Identified Mail sender authentication sendmail milter
++milter_template(dkim)
++
++# type for the private key of dkim-milter
++type dkim_milter_private_key_t;
++files_type(dkim_milter_private_key_t)
++
+ # currently-supported milters are milter-greylist, milter-regex and spamass-milter
+ milter_template(greylist)
+ milter_template(regex)
+@@ -20,6 +27,23 @@ milter_template(spamass)
+ type spamass_milter_state_t;
+ files_type(spamass_milter_state_t)
+ 
++#######################################
++#
++# dkim-milter local policy
++#
++
++allow dkim_milter_t self:capability { kill setgid setuid };
++
++allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms;
++
++read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t)
++
++auth_use_nsswitch(dkim_milter_t)
++
++sysnet_dns_name_resolve(dkim_milter_t)
++
++mta_read_config(dkim_milter_t)
++
+ ########################################
+ #
+ # milter-greylist local policy
 diff --git a/policy/modules/services/mock.fc b/policy/modules/services/mock.fc
 new file mode 100644
 index 0000000..42bb2a3
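Review bot: `milter_delete_dkim_pid_files` grants `delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t)`, which covers every file labelled dkim_milter_data_t under /var/run/dkim-milter, not only the PID file the summary names; either narrow the summary to `##	Delete dkim-milter runtime (pid/socket) files.` or accept that callers get more than the name suggests. In milter.te, `read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t)` is the sensitive rule and deserves a comment such as `# only the milter may read its signing key; do not add other readers of this type`. The capability line `allow dkim_milter_t self:capability { kill setgid setuid };` has no comment saying why `kill` is needed (setuid/setgid are presumably for privilege dropping). The `#######################################` ruler above the new interface is also shorter than the 40-character rulers used elsewhere in the file.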
@@ -19176,7 +19361,7 @@ index 256166a..c526ce8 100644
  
  /usr/lib(64)?/sendmail	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
 diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
-index 343cee3..01af7c3 100644
+index 343cee3..a9ebda2 100644
 --- a/policy/modules/services/mta.if
 +++ b/policy/modules/services/mta.if
 @@ -220,6 +220,25 @@ interface(`mta_agent_executable',`
@@ -19247,7 +19432,33 @@ index 343cee3..01af7c3 100644
  ')
  
  ########################################
-@@ -474,7 +494,8 @@ interface(`mta_write_config',`
+@@ -420,6 +440,25 @@ interface(`mta_signal_system_mail',`
+ 
+ ########################################
+ ## <summary>
++##	Send system mail client a kill signal
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++#
++interface(`mta_kill_system_mail',`
++	gen_require(`
++		type system_mail_t;
++	')
++
++	allow $1 system_mail_t:process sigkill;
++')
++
++########################################
++## <summary>
+ ##	Execute sendmail in the caller domain.
+ ## </summary>
+ ## <param name="domain">
+@@ -474,7 +513,8 @@ interface(`mta_write_config',`
  		type etc_mail_t;
  	')
  
@@ -19257,7 +19468,7 @@ index 343cee3..01af7c3 100644
  ')
  
  ########################################
-@@ -698,7 +719,7 @@ interface(`mta_rw_spool',`
+@@ -698,7 +738,7 @@ interface(`mta_rw_spool',`
  	files_search_spool($1)
  	allow $1 mail_spool_t:dir list_dir_perms;
  	allow $1 mail_spool_t:file setattr;
@@ -19266,7 +19477,7 @@ index 343cee3..01af7c3 100644
  	read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
  ')
  
-@@ -899,3 +920,43 @@ interface(`mta_rw_user_mail_stream_sockets',`
+@@ -899,3 +939,43 @@ interface(`mta_rw_user_mail_stream_sockets',`
  
  	allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
  ')
@@ -19846,7 +20057,7 @@ index 8581040..e3c8272 100644
  ##	a domain transition.
  ## </summary>
 diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te
-index da5b33d..0c4ac5b 100644
+index da5b33d..1029389 100644
 --- a/policy/modules/services/nagios.te
 +++ b/policy/modules/services/nagios.te
 @@ -107,13 +107,11 @@ files_read_etc_files(nagios_t)
@@ -19864,8 +20075,12 @@ index da5b33d..0c4ac5b 100644
  auth_use_nsswitch(nagios_t)
  
  logging_send_syslog_msg(nagios_t)
-@@ -126,8 +124,6 @@ userdom_dontaudit_search_user_home_dirs(nagios_t)
+@@ -124,10 +122,10 @@ userdom_dontaudit_use_unpriv_user_fds(nagios_t)
+ userdom_dontaudit_search_user_home_dirs(nagios_t)
+ 
  mta_send_mail(nagios_t)
++mta_signal_system_mail(nagios_t)
++mta_kill_system_mail(nagios_t)
  
  optional_policy(`
 -	netutils_domtrans_ping(nagios_t)
@@ -19873,7 +20088,7 @@ index da5b33d..0c4ac5b 100644
  	netutils_kill_ping(nagios_t)
  ')
  
-@@ -340,6 +336,8 @@ files_read_usr_files(nagios_services_plugin_t)
+@@ -340,6 +338,8 @@ files_read_usr_files(nagios_services_plugin_t)
  
  optional_policy(`
  	netutils_domtrans_ping(nagios_services_plugin_t)
@@ -19981,7 +20196,7 @@ index 2324d9e..1a1bfe4 100644
 +	append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t)
 +')
 diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
-index 442cff9..9677236 100644
+index 442cff9..45ecee3 100644
 --- a/policy/modules/services/networkmanager.te
 +++ b/policy/modules/services/networkmanager.te
 @@ -35,7 +35,7 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t)
@@ -20043,7 +20258,7 @@ index 442cff9..9677236 100644
  ')
  
  optional_policy(`
-@@ -172,7 +183,7 @@ optional_policy(`
+@@ -172,12 +183,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -20052,7 +20267,14 @@ index 442cff9..9677236 100644
  ')
  
  optional_policy(`
-@@ -202,6 +213,13 @@ optional_policy(`
+ 	dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)
+ 
++	init_dbus_chat(NetworkManager_t)
++
+ 	optional_policy(`
+ 		consolekit_dbus_chat(NetworkManager_t)
+ 	')
+@@ -202,6 +215,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -20066,7 +20288,7 @@ index 442cff9..9677236 100644
  	iptables_domtrans(NetworkManager_t)
  ')
  
-@@ -263,6 +281,7 @@ optional_policy(`
+@@ -263,6 +283,7 @@ optional_policy(`
  	vpn_kill(NetworkManager_t)
  	vpn_signal(NetworkManager_t)
  	vpn_signull(NetworkManager_t)
@@ -20445,7 +20667,7 @@ index 4996f62..975deca 100644
  kernel_read_kernel_sysctls(openct_t)
  kernel_list_proc(openct_t)
 diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te
-index f3d5790..9be673c 100644
+index f3d5790..196f2a2 100644
 --- a/policy/modules/services/openvpn.te
 +++ b/policy/modules/services/openvpn.te
 @@ -24,6 +24,9 @@ files_config_file(openvpn_etc_t)
@@ -20458,6 +20680,15 @@ index f3d5790..9be673c 100644
  type openvpn_initrc_exec_t;
  init_script_file(openvpn_initrc_exec_t)
  
+@@ -48,7 +51,7 @@ allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto };
+ allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto };
+ allow openvpn_t self:udp_socket create_socket_perms;
+ allow openvpn_t self:tcp_socket server_stream_socket_perms;
+-allow openvpn_t self:tun_socket create;
++allow openvpn_t self:tun_socket { create_socket_perms relabelfrom };
+ allow openvpn_t self:netlink_route_socket rw_netlink_socket_perms;
+ 
+ can_exec(openvpn_t, openvpn_etc_t)
 @@ -58,9 +61,13 @@ read_lnk_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_t)
  manage_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t)
  filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file)
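Review bot: The tun_socket rule now grants `relabelfrom` but not `relabelto`; as far as I recall the kernel checks these as a pair when a process attaches to an existing persistent tun device (relabelfrom against the device's current label, relabelto against the attaching domain's own label), so if the intent is to let openvpn re-attach persistent tun devices it created, the line should probably be `allow openvpn_t self:tun_socket { create_socket_perms relabelfrom relabelto };`. Widening `create` to `create_socket_perms` also adds read/write/ioctl/bind and friends, so a short comment on why the full set is needed would help. If `relabelfrom` came from a specific AVC denial, quoting it in the commit would let the missing half be confirmed rather than guessed.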
@@ -20811,10 +21042,10 @@ index 0000000..8ecd276
 +')
 diff --git a/policy/modules/services/piranha.te b/policy/modules/services/piranha.te
 new file mode 100644
-index 0000000..17d6b45
+index 0000000..0a5f27d
 --- /dev/null
 +++ b/policy/modules/services/piranha.te
-@@ -0,0 +1,216 @@
+@@ -0,0 +1,220 @@
 +policy_module(piranha,1.0.0)
 +
 +########################################
@@ -20932,6 +21163,10 @@ index 0000000..17d6b45
 +')
 +
 +optional_policy(`
++	gnome_dontaudit_search_config(piranha_web_t)
++')
++
++optional_policy(`
 +        sasl_connect(piranha_web_t)
 +')
 +
@@ -21178,7 +21413,7 @@ index 48ff1e8..29c9906 100644
 +	allow $1 policykit_auth_t:process signal;
  ')
 diff --git a/policy/modules/services/policykit.te b/policy/modules/services/policykit.te
-index 1e7169d..ab881a1 100644
+index 1e7169d..e731afa 100644
 --- a/policy/modules/services/policykit.te
 +++ b/policy/modules/services/policykit.te
 @@ -24,6 +24,9 @@ init_system_domain(policykit_resolve_t, policykit_resolve_exec_t)
@@ -21262,7 +21497,7 @@ index 1e7169d..ab881a1 100644
 -allow policykit_auth_t self:capability setgid;
 -allow policykit_auth_t self:process getattr;
 -allow policykit_auth_t self:fifo_file rw_file_perms;
-+allow policykit_auth_t self:capability { setgid setuid };
++allow policykit_auth_t self:capability { ipc_lock setgid setuid };
 +dontaudit policykit_auth_t self:capability sys_tty_config;
 +allow policykit_auth_t self:process { getattr getsched signal };
 +allow policykit_auth_t self:fifo_file rw_fifo_file_perms;
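Review bot: `ipc_lock` is added to policykit_auth_t's capability set without a comment; in helpers that handle passwords this is usually needed for mlock() so secrets stay out of swap, but that is an inference from here, not something the hunk shows. A why-comment above the rule, e.g. `# ipc_lock: mlock() of password buffers — confirm against the AVC`, would stop a later cleanup from dropping a capability that looks gratuitous next to setuid/setgid.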
@@ -22956,7 +23191,7 @@ index 7dc38d1..91dbe71 100644
 +	admin_pattern($1, rgmanager_var_run_t)
 +')
 diff --git a/policy/modules/services/rgmanager.te b/policy/modules/services/rgmanager.te
-index 00fa514..ce5dbc0 100644
+index 00fa514..9ab1d80 100644
 --- a/policy/modules/services/rgmanager.te
 +++ b/policy/modules/services/rgmanager.te
 @@ -17,6 +17,9 @@ type rgmanager_exec_t;
@@ -23018,20 +23253,6 @@ index 00fa514..ce5dbc0 100644
  	mysql_domtrans_mysql_safe(rgmanager_t)
  	mysql_stream_connect(rgmanager_t)
  ')
-@@ -193,9 +209,13 @@ optional_policy(`
- 	virt_stream_connect(rgmanager_t)
- ')
- 
-+ifdef(`enforcing',`
- optional_policy(`
- 	unconfined_domain(rgmanager_t)
- ')
-+', `
-+	permissive rgmanager_t;
-+')
- 
- optional_policy(`
- 	xen_domtrans_xm(rgmanager_t)
 diff --git a/policy/modules/services/rhcs.fc b/policy/modules/services/rhcs.fc
 index c2ba53b..b19961e 100644
 --- a/policy/modules/services/rhcs.fc
@@ -23848,6 +24069,20 @@ index 6f8e268..7d64285 100644
  
  ########################################
  #
+diff --git a/policy/modules/services/rwho.te b/policy/modules/services/rwho.te
+index a07b2f4..d78daf4 100644
+--- a/policy/modules/services/rwho.te
++++ b/policy/modules/services/rwho.te
+@@ -55,6 +55,9 @@ files_read_etc_files(rwho_t)
+ init_read_utmp(rwho_t)
+ init_dontaudit_write_utmp(rwho_t)
+ 
++logging_send_syslog_msg(rwho_t)
++
+ miscfiles_read_localization(rwho_t)
+ 
+ sysnet_dns_name_resolve(rwho_t)
++
 diff --git a/policy/modules/services/samba.fc b/policy/modules/services/samba.fc
 index 69a6074..73db5ba 100644
 --- a/policy/modules/services/samba.fc
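Review bot: The last added line of the rwho.te hunk (the bare `++` after `sysnet_dns_name_resolve(rwho_t)`) appends an empty line at end of file; it accounts for the third line in the header's 6→9 count beyond the `logging_send_syslog_msg(rwho_t)` pair and is pure whitespace noise that should be dropped. The same stray trailing blank line is added to libraries.te further down (`@@ -144,3 +154,4 @@`, the `++` after the closing `')`). The syslog rule itself is fine.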
@@ -26231,7 +26466,7 @@ index 7c5d8d8..1a0701b 100644
 +')
 +
 diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3cce663..8040c74 100644
+index 3cce663..8f0fac9 100644
 --- a/policy/modules/services/virt.te
 +++ b/policy/modules/services/virt.te
 @@ -4,6 +4,7 @@ policy_module(virt, 1.4.0)
@@ -26485,21 +26720,7 @@ index 3cce663..8040c74 100644
  ')
  
  optional_policy(`
-@@ -385,9 +446,13 @@ optional_policy(`
- 	udev_read_db(virtd_t)
- ')
- 
-+ifdef(`enforcing',`
- optional_policy(`
- 	unconfined_domain(virtd_t)
- ')
-+', `
-+   permissive virtd_t;
-+')
- 
- ########################################
- #
-@@ -402,6 +467,19 @@ allow virt_domain self:unix_stream_socket create_stream_socket_perms;
+@@ -402,6 +463,19 @@ allow virt_domain self:unix_stream_socket create_stream_socket_perms;
  allow virt_domain self:unix_dgram_socket { create_socket_perms sendto };
  allow virt_domain self:tcp_socket create_stream_socket_perms;
  
@@ -26519,7 +26740,7 @@ index 3cce663..8040c74 100644
  append_files_pattern(virt_domain, virt_log_t, virt_log_t)
  
  append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
-@@ -422,6 +500,7 @@ corenet_rw_tun_tap_dev(virt_domain)
+@@ -422,6 +496,7 @@ corenet_rw_tun_tap_dev(virt_domain)
  corenet_tcp_bind_virt_migration_port(virt_domain)
  corenet_tcp_connect_virt_migration_port(virt_domain)
  
@@ -26527,7 +26748,7 @@ index 3cce663..8040c74 100644
  dev_read_rand(virt_domain)
  dev_read_sound(virt_domain)
  dev_read_urand(virt_domain)
-@@ -429,10 +508,12 @@ dev_write_sound(virt_domain)
+@@ -429,10 +504,12 @@ dev_write_sound(virt_domain)
  dev_rw_ksm(virt_domain)
  dev_rw_kvm(virt_domain)
  dev_rw_qemu(virt_domain)
@@ -26540,7 +26761,7 @@ index 3cce663..8040c74 100644
  files_read_usr_files(virt_domain)
  files_read_var_files(virt_domain)
  files_search_all(virt_domain)
-@@ -440,6 +521,11 @@ files_search_all(virt_domain)
+@@ -440,6 +517,11 @@ files_search_all(virt_domain)
  fs_getattr_tmpfs(virt_domain)
  fs_rw_anon_inodefs_files(virt_domain)
  fs_rw_tmpfs_files(virt_domain)
@@ -26552,7 +26773,7 @@ index 3cce663..8040c74 100644
  
  term_use_all_terms(virt_domain)
  term_getattr_pty_fs(virt_domain)
-@@ -457,8 +543,121 @@ optional_policy(`
+@@ -457,8 +539,121 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -26829,7 +27050,7 @@ index 6f1e3c7..39c2bb3 100644
 +/var/lib/pqsql/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 +
 diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index da2601a..a5b3186 100644
+index da2601a..4bc9fff 100644
 --- a/policy/modules/services/xserver.if
 +++ b/policy/modules/services/xserver.if
 @@ -19,9 +19,10 @@
@@ -26844,7 +27065,7 @@ index da2601a..a5b3186 100644
  	')
  
  	role $1 types { xserver_t xauth_t iceauth_t };
-@@ -31,7 +32,7 @@ interface(`xserver_restricted_role',`
+@@ -31,12 +32,13 @@ interface(`xserver_restricted_role',`
  	allow xserver_t $2:shm rw_shm_perms;
  
  	domtrans_pattern($2, xserver_exec_t, xserver_t)
@@ -26853,7 +27074,13 @@ index da2601a..a5b3186 100644
  
  	allow xserver_t $2:shm rw_shm_perms;
  
-@@ -45,6 +46,7 @@ interface(`xserver_restricted_role',`
+ 	allow $2 user_fonts_t:dir list_dir_perms;
+ 	allow $2 user_fonts_t:file read_file_perms;
++	allow $2 user_fonts_t:lnk_file read_lnk_file_perms;
+ 
+ 	allow $2 user_fonts_config_t:dir list_dir_perms;
+ 	allow $2 user_fonts_config_t:file read_file_perms;
+@@ -45,6 +47,7 @@ interface(`xserver_restricted_role',`
  	manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
  
  	stream_connect_pattern($2, xserver_tmp_t, xserver_tmp_t, xserver_t)
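Review bot: The same `allow $2 user_fonts_t:lnk_file read_lnk_file_perms;` is added here in xserver_restricted_role, again in xserver_role (the `@@ -26907,15 +27134,18 @@` hunk), and as `$1` in xserver_use_user_fonts (the `@@ -26986,13 +27216,21 @@` hunk). If the two role interfaces already call, or could call, xserver_use_user_fonts — as xserver_user_x_domain_template does a few hunks down — the copies in the role interfaces are redundant and will drift from the interface over time; calling the interface would be the single-source fix. xserver_restricted_role's body continues outside the hunk, so I cannot confirm from here whether it already includes that call.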
@@ -26861,7 +27088,7 @@ index da2601a..a5b3186 100644
  	files_search_tmp($2)
  
  	# Communicate via System V shared memory.
-@@ -56,6 +58,10 @@ interface(`xserver_restricted_role',`
+@@ -56,6 +59,10 @@ interface(`xserver_restricted_role',`
  
  	domtrans_pattern($2, iceauth_exec_t, iceauth_t)
  
@@ -26872,7 +27099,7 @@ index da2601a..a5b3186 100644
  	allow $2 iceauth_home_t:file read_file_perms;
  
  	domtrans_pattern($2, xauth_exec_t, xauth_t)
-@@ -71,9 +77,13 @@ interface(`xserver_restricted_role',`
+@@ -71,9 +78,13 @@ interface(`xserver_restricted_role',`
  	# for when /tmp/.X11-unix is created by the system
  	allow $2 xdm_t:fd use;
  	allow $2 xdm_t:fifo_file { getattr read write ioctl };
@@ -26887,7 +27114,7 @@ index da2601a..a5b3186 100644
  
  	# Client read xserver shm
  	allow $2 xserver_t:fd use;
-@@ -89,14 +99,17 @@ interface(`xserver_restricted_role',`
+@@ -89,14 +100,17 @@ interface(`xserver_restricted_role',`
  	dev_write_misc($2)
  	# open office is looking for the following
  	dev_getattr_agp_dev($2)
@@ -26907,15 +27134,18 @@ index da2601a..a5b3186 100644
  	xserver_xsession_entry_type($2)
  	xserver_dontaudit_write_log($2)
  	xserver_stream_connect_xdm($2)
-@@ -148,6 +161,7 @@ interface(`xserver_role',`
+@@ -148,8 +162,10 @@ interface(`xserver_role',`
  	allow $2 xauth_home_t:file manage_file_perms;
  	allow $2 xauth_home_t:file { relabelfrom relabelto };
  
 +	mls_xwin_read_to_clearance($2)
  	manage_dirs_pattern($2, user_fonts_t, user_fonts_t)
  	manage_files_pattern($2, user_fonts_t, user_fonts_t)
++	allow $2 user_fonts_t:lnk_file read_lnk_file_perms;
  	relabel_dirs_pattern($2, user_fonts_t, user_fonts_t)
-@@ -197,7 +211,7 @@ interface(`xserver_ro_session',`
+ 	relabel_files_pattern($2, user_fonts_t, user_fonts_t)
+ 
+@@ -197,7 +213,7 @@ interface(`xserver_ro_session',`
  	allow $1 xserver_t:process signal;
  
  	# Read /tmp/.X0-lock
@@ -26924,7 +27154,7 @@ index da2601a..a5b3186 100644
  
  	# Client read xserver shm
  	allow $1 xserver_t:fd use;
-@@ -291,12 +305,12 @@ interface(`xserver_user_client',`
+@@ -291,12 +307,12 @@ interface(`xserver_user_client',`
  	allow $1 self:unix_stream_socket { connectto create_stream_socket_perms };
  
  	# Read .Xauthority file
@@ -26940,7 +27170,7 @@ index da2601a..a5b3186 100644
  	allow $1 xdm_tmp_t:dir search;
  	allow $1 xdm_tmp_t:sock_file { read write };
  	dontaudit $1 xdm_t:tcp_socket { read write };
-@@ -355,6 +369,12 @@ template(`xserver_common_x_domain_template',`
+@@ -355,6 +371,12 @@ template(`xserver_common_x_domain_template',`
  		class x_property all_x_property_perms;
  		class x_event all_x_event_perms;
  		class x_synthetic_event all_x_synthetic_event_perms;
@@ -26953,7 +27183,7 @@ index da2601a..a5b3186 100644
  	')
  
  	##############################
-@@ -386,6 +406,15 @@ template(`xserver_common_x_domain_template',`
+@@ -386,6 +408,15 @@ template(`xserver_common_x_domain_template',`
  	allow $2 xevent_t:{ x_event x_synthetic_event } receive;
  	# dont audit send failures
  	dontaudit $2 input_xevent_type:x_event send;
@@ -26969,7 +27199,7 @@ index da2601a..a5b3186 100644
  ')
  
  #######################################
-@@ -476,11 +505,16 @@ template(`xserver_user_x_domain_template',`
+@@ -476,11 +507,16 @@ template(`xserver_user_x_domain_template',`
  	xserver_use_user_fonts($2)
  
  	xserver_read_xdm_tmp_files($2)
@@ -26986,13 +27216,21 @@ index da2601a..a5b3186 100644
  	# Client write xserver shm
  	tunable_policy(`allow_write_xshm',`
  		allow $2 xserver_t:shm rw_shm_perms;
-@@ -545,6 +579,27 @@ interface(`xserver_domtrans_xauth',`
+@@ -517,6 +553,7 @@ interface(`xserver_use_user_fonts',`
+ 	# Read per user fonts
+ 	allow $1 user_fonts_t:dir list_dir_perms;
+ 	allow $1 user_fonts_t:file read_file_perms;
++	allow $1 user_fonts_t:lnk_file read_lnk_file_perms;
+ 
+ 	# Manipulate the global font cache
+ 	manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
+@@ -545,6 +582,27 @@ interface(`xserver_domtrans_xauth',`
  	')
  
  	domtrans_pattern($1, xauth_exec_t, xauth_t)
-+ifdef(`hide_broken_symptoms', `
-+	dontaudit xauth_t $1:socket_class_set { read write };
-+')
++	ifdef(`hide_broken_symptoms', `
++		dontaudit xauth_t $1:socket_class_set { read write };
++	')
 +')
 +
 +########################################
@@ -27014,7 +27252,7 @@ index da2601a..a5b3186 100644
  ')
  
  ########################################
-@@ -598,6 +653,7 @@ interface(`xserver_read_user_xauth',`
+@@ -598,6 +656,7 @@ interface(`xserver_read_user_xauth',`
  
  	allow $1 xauth_home_t:file read_file_perms;
  	userdom_search_user_home_dirs($1)
@@ -27022,7 +27260,7 @@ index da2601a..a5b3186 100644
  ')
  
  ########################################
-@@ -725,10 +781,12 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
+@@ -725,10 +784,12 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
  interface(`xserver_stream_connect_xdm',`
  	gen_require(`
  		type xdm_t, xdm_tmp_t;
@@ -27035,7 +27273,7 @@ index da2601a..a5b3186 100644
  ')
  
  ########################################
-@@ -805,7 +863,7 @@ interface(`xserver_read_xdm_pid',`
+@@ -805,7 +866,7 @@ interface(`xserver_read_xdm_pid',`
  	')
  
  	files_search_pids($1)
@@ -27044,7 +27282,7 @@ index da2601a..a5b3186 100644
  ')
  
  ########################################
-@@ -916,7 +974,7 @@ interface(`xserver_dontaudit_write_log',`
+@@ -916,7 +977,7 @@ interface(`xserver_dontaudit_write_log',`
  		type xserver_log_t;
  	')
  
@@ -27053,7 +27291,7 @@ index da2601a..a5b3186 100644
  ')
  
  ########################################
-@@ -963,6 +1021,44 @@ interface(`xserver_read_xkb_libs',`
+@@ -963,6 +1024,44 @@ interface(`xserver_read_xkb_libs',`
  
  ########################################
  ## <summary>
@@ -27098,7 +27336,7 @@ index da2601a..a5b3186 100644
  ##	Read xdm temporary files.
  ## </summary>
  ## <param name="domain">
-@@ -1072,6 +1168,8 @@ interface(`xserver_domtrans',`
+@@ -1072,6 +1171,8 @@ interface(`xserver_domtrans',`
  
   	allow $1 xserver_t:process siginh;
  	domtrans_pattern($1, xserver_exec_t, xserver_t)
@@ -27107,7 +27345,15 @@ index da2601a..a5b3186 100644
  ')
  
  ########################################
-@@ -1224,9 +1322,20 @@ interface(`xserver_manage_core_devices',`
+@@ -1185,6 +1286,7 @@ interface(`xserver_stream_connect',`
+ 
+ 	files_search_tmp($1)
+ 	stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
++	allow xserver_t $1:shm rw_shm_perms;
+ ')
+ 
+ ########################################
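Review bot: `allow xserver_t $1:shm rw_shm_perms;` gives the X server read/write access to the caller's SysV shared memory from inside an interface whose name promises only a stream connect, so callers of xserver_stream_connect inherit a side effect they cannot see from the name. The subject/object direction matches what xserver_restricted_role already does for `$2`, so it is consistent with the file, but the interface's `<summary>` (outside the hunk) should say so, e.g. `##	Connect to the X server over its unix stream socket and allow the X server to read and write the domain's shared memory segments.` — the shared-memory-transfer motivation is my inference, not something the hunk states.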
+@@ -1224,9 +1326,20 @@ interface(`xserver_manage_core_devices',`
  		class x_device all_x_device_perms;
  		class x_pointer all_x_pointer_perms;
  		class x_keyboard all_x_keyboard_perms;
@@ -27128,7 +27374,7 @@ index da2601a..a5b3186 100644
  ')
  
  ########################################
-@@ -1250,3 +1359,329 @@ interface(`xserver_unconfined',`
+@@ -1250,3 +1363,329 @@ interface(`xserver_unconfined',`
  	typeattribute $1 x_domain;
  	typeattribute $1 xserver_unconfined_type;
  ')
@@ -27459,7 +27705,7 @@ index da2601a..a5b3186 100644
 +	manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
 +')
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index e226da4..50b4a08 100644
+index e226da4..9b9e013 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
 @@ -35,6 +35,13 @@ gen_tunable(allow_write_xshm, false)
@@ -28067,7 +28313,7 @@ index e226da4..50b4a08 100644
  	hostname_exec(xdm_t)
  ')
  
-@@ -539,20 +761,63 @@ optional_policy(`
+@@ -539,20 +761,64 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28085,6 +28331,7 @@ index e226da4..50b4a08 100644
 +optional_policy(`
 +	plymouthd_search_spool(xdm_t)
 +	plymouthd_exec_plymouth(xdm_t)
++	plymouthd_stream_connect(xdm_t)
 +')
 +
 +optional_policy(`
@@ -28133,7 +28380,7 @@ index e226da4..50b4a08 100644
  
  	ifndef(`distro_redhat',`
  		allow xdm_t self:process { execheap execmem };
-@@ -561,7 +826,6 @@ optional_policy(`
+@@ -561,7 +827,6 @@ optional_policy(`
  	ifdef(`distro_rhel4',`
  		allow xdm_t self:process { execheap execmem };
  	')
@@ -28141,7 +28388,7 @@ index e226da4..50b4a08 100644
  
  optional_policy(`
  	userhelper_dontaudit_search_config(xdm_t)
-@@ -572,6 +836,10 @@ optional_policy(`
+@@ -572,6 +837,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28152,7 +28399,7 @@ index e226da4..50b4a08 100644
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -596,7 +864,7 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -596,7 +865,7 @@ allow xserver_t input_xevent_t:x_event send;
  # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
@@ -28161,7 +28408,7 @@ index e226da4..50b4a08 100644
  dontaudit xserver_t self:capability chown;
  allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow xserver_t self:fd use;
-@@ -610,6 +878,18 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -610,6 +879,18 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -28180,7 +28427,7 @@ index e226da4..50b4a08 100644
  
  manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -629,12 +909,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -629,12 +910,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -28202,7 +28449,7 @@ index e226da4..50b4a08 100644
  
  kernel_read_system_state(xserver_t)
  kernel_read_device_sysctls(xserver_t)
-@@ -642,6 +929,7 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -642,6 +930,7 @@ kernel_read_modprobe_sysctls(xserver_t)
  # Xorg wants to check if kernel is tainted
  kernel_read_kernel_sysctls(xserver_t)
  kernel_write_proc_files(xserver_t)
@@ -28210,7 +28457,7 @@ index e226da4..50b4a08 100644
  
  # Run helper programs in xserver_t.
  corecmd_exec_bin(xserver_t)
-@@ -668,7 +956,6 @@ dev_rw_apm_bios(xserver_t)
+@@ -668,7 +957,6 @@ dev_rw_apm_bios(xserver_t)
  dev_rw_agp(xserver_t)
  dev_rw_framebuffer(xserver_t)
  dev_manage_dri_dev(xserver_t)
@@ -28218,7 +28465,7 @@ index e226da4..50b4a08 100644
  dev_create_generic_dirs(xserver_t)
  dev_setattr_generic_dirs(xserver_t)
  # raw memory access is needed if not using the frame buffer
-@@ -678,8 +965,13 @@ dev_wx_raw_memory(xserver_t)
+@@ -678,8 +966,13 @@ dev_wx_raw_memory(xserver_t)
  dev_rw_xserver_misc(xserver_t)
  # read events - the synaptics touchpad driver reads raw events
  dev_rw_input_dev(xserver_t)
@@ -28232,7 +28479,7 @@ index e226da4..50b4a08 100644
  files_read_etc_files(xserver_t)
  files_read_etc_runtime_files(xserver_t)
  files_read_usr_files(xserver_t)
-@@ -693,8 +985,13 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -693,8 +986,13 @@ fs_getattr_xattr_fs(xserver_t)
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -28246,7 +28493,7 @@ index e226da4..50b4a08 100644
  
  selinux_validate_context(xserver_t)
  selinux_compute_access_vector(xserver_t)
-@@ -716,11 +1013,14 @@ logging_send_audit_msgs(xserver_t)
+@@ -716,11 +1014,14 @@ logging_send_audit_msgs(xserver_t)
  
  miscfiles_read_localization(xserver_t)
  miscfiles_read_fonts(xserver_t)
@@ -28261,7 +28508,7 @@ index e226da4..50b4a08 100644
  
  userdom_search_user_home_dirs(xserver_t)
  userdom_use_user_ttys(xserver_t)
-@@ -773,20 +1073,44 @@ optional_policy(`
+@@ -773,12 +1074,28 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28286,17 +28533,12 @@ index e226da4..50b4a08 100644
 +	udev_read_db(xserver_t)
 +')
 +
-+ifdef(`enforcing',`
 +optional_policy(`
 +	unconfined_domain(xserver_t)
  	unconfined_domtrans(xserver_t)
  ')
-+', `
-+   permissive xserver_t;
-+')
  
- optional_policy(`
- 	userhelper_search_config(xserver_t)
+@@ -787,6 +1104,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28307,7 +28549,7 @@ index e226da4..50b4a08 100644
  	xfs_stream_connect(xserver_t)
  ')
  
-@@ -802,10 +1126,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -802,10 +1123,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
  
  # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
  # handle of a file inside the dir!!!
@@ -28320,7 +28562,7 @@ index e226da4..50b4a08 100644
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -826,6 +1150,13 @@ init_use_fds(xserver_t)
+@@ -826,6 +1147,13 @@ init_use_fds(xserver_t)
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -28334,7 +28576,7 @@ index e226da4..50b4a08 100644
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xserver_t)
-@@ -841,11 +1172,14 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -841,11 +1169,14 @@ tunable_policy(`use_samba_home_dirs',`
  
  optional_policy(`
  	dbus_system_bus_client(xserver_t)
@@ -28351,7 +28593,7 @@ index e226da4..50b4a08 100644
  ')
  
  optional_policy(`
-@@ -991,3 +1325,33 @@ allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *;
+@@ -991,3 +1322,33 @@ allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *;
  allow xserver_unconfined_type xextension_type:x_extension *;
  allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
  allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
@@ -28773,10 +29015,30 @@ index 1c4b1e7..2997dd7 100644
  /var/lib/pam_ssh(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
  
 diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 7fddc24..227958c 100644
+index 7fddc24..395f8f3 100644
 --- a/policy/modules/system/authlogin.if
 +++ b/policy/modules/system/authlogin.if
-@@ -91,9 +91,12 @@ interface(`auth_use_pam',`
+@@ -57,6 +57,8 @@ interface(`auth_use_pam',`
+ 	auth_exec_pam($1)
+ 	auth_use_nsswitch($1)
+ 
++	init_rw_stream_sockets($1)
++
+ 	logging_send_audit_msgs($1)
+ 	logging_send_syslog_msg($1)
+ 
+@@ -66,6 +68,10 @@ interface(`auth_use_pam',`
+ 		optional_policy(`
+ 			consolekit_dbus_chat($1)
+ 		')
++
++		optional_policy(`
++			fprintd_dbus_chat($1)
++		')
+ 	')
+ 
+ 	optional_policy(`
+@@ -91,9 +97,12 @@ interface(`auth_use_pam',`
  interface(`auth_login_pgm_domain',`
  	gen_require(`
  		type var_auth_t, auth_cache_t;
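Review bot: `init_rw_stream_sockets($1)` is added unconditionally to auth_use_pam, so every PAM-using domain now gets read/write on init_t's unix stream sockets (the interface body later in this patch is `allow $1 init_t:unix_stream_socket rw_stream_socket_perms;`), and nothing in the hunk says which PAM module requires it. Since auth_use_pam is one of the most widely inherited interfaces in the policy, a comment naming the module, e.g. `# <PAM-MODULE-PLACEHOLDER> talks to init over its stream socket`, or scoping the call under that module's optional_policy, would keep the grant reviewable. The `fprintd_dbus_chat($1)` addition is correctly nested under the dbus optional block.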
@@ -28789,7 +29051,7 @@ index 7fddc24..227958c 100644
  	domain_subj_id_change_exemption($1)
  	domain_role_change_exemption($1)
  	domain_obj_id_change_exemption($1)
-@@ -107,8 +110,10 @@ interface(`auth_login_pgm_domain',`
+@@ -107,8 +116,10 @@ interface(`auth_login_pgm_domain',`
  	allow $1 self:capability ipc_lock;
  	allow $1 self:process setkeycreate;
  	allow $1 self:key manage_key_perms;
@@ -28800,7 +29062,7 @@ index 7fddc24..227958c 100644
  	manage_files_pattern($1, var_auth_t, var_auth_t)
  
  	manage_dirs_pattern($1, auth_cache_t, auth_cache_t)
-@@ -126,6 +131,8 @@ interface(`auth_login_pgm_domain',`
+@@ -126,6 +137,8 @@ interface(`auth_login_pgm_domain',`
  	files_read_etc_files($1)
  
  	fs_list_auto_mountpoints($1)
@@ -28809,7 +29071,7 @@ index 7fddc24..227958c 100644
  
  	selinux_get_fs_mount($1)
  	selinux_validate_context($1)
-@@ -141,6 +148,7 @@ interface(`auth_login_pgm_domain',`
+@@ -141,6 +154,7 @@ interface(`auth_login_pgm_domain',`
  	mls_process_set_level($1)
  	mls_fd_share_all_levels($1)
  
@@ -28817,7 +29079,7 @@ index 7fddc24..227958c 100644
  	auth_use_pam($1)
  
  	init_rw_utmp($1)
-@@ -151,8 +159,38 @@ interface(`auth_login_pgm_domain',`
+@@ -151,8 +165,38 @@ interface(`auth_login_pgm_domain',`
  	seutil_read_config($1)
  	seutil_read_default_contexts($1)
  
@@ -28858,7 +29120,7 @@ index 7fddc24..227958c 100644
  	')
  ')
  
-@@ -365,13 +403,15 @@ interface(`auth_domtrans_chk_passwd',`
+@@ -365,13 +409,15 @@ interface(`auth_domtrans_chk_passwd',`
  	')
  
  	optional_policy(`
@@ -28875,7 +29137,7 @@ index 7fddc24..227958c 100644
  ')
  
  ########################################
-@@ -418,6 +458,7 @@ interface(`auth_run_chk_passwd',`
+@@ -418,6 +464,7 @@ interface(`auth_run_chk_passwd',`
  
  	auth_domtrans_chk_passwd($1)
  	role $2 types chkpwd_t;
@@ -28883,7 +29145,7 @@ index 7fddc24..227958c 100644
  ')
  
  ########################################
-@@ -874,6 +915,26 @@ interface(`auth_exec_pam',`
+@@ -874,6 +921,26 @@ interface(`auth_exec_pam',`
  
  ########################################
  ## <summary>
@@ -28910,7 +29172,7 @@ index 7fddc24..227958c 100644
  ##	Manage var auth files. Used by various other applications
  ##	and pam applets etc.
  ## </summary>
-@@ -1500,6 +1561,8 @@ interface(`auth_manage_login_records',`
+@@ -1500,6 +1567,8 @@ interface(`auth_manage_login_records',`
  #
  interface(`auth_use_nsswitch',`
  
@@ -28919,7 +29181,7 @@ index 7fddc24..227958c 100644
  	files_list_var_lib($1)
  
  	# read /etc/nsswitch.conf
-@@ -1531,7 +1594,15 @@ interface(`auth_use_nsswitch',`
+@@ -1531,7 +1600,15 @@ interface(`auth_use_nsswitch',`
  	')
  
  	optional_policy(`
@@ -29147,7 +29409,7 @@ index a97a096..dd65c15 100644
  /sbin/partprobe		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/partx		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
-index a442acc..e8dd9c8 100644
+index a442acc..7cb7582 100644
 --- a/policy/modules/system/fstools.te
 +++ b/policy/modules/system/fstools.te
 @@ -55,6 +55,7 @@ allow fsadm_t swapfile_t:file { rw_file_perms swapon };
@@ -29168,7 +29430,7 @@ index a442acc..e8dd9c8 100644
  # Recreate /mnt/cdrom.
  files_manage_mnt_dirs(fsadm_t)
  # for tune2fs
-@@ -147,12 +151,16 @@ modutils_read_module_deps(fsadm_t)
+@@ -147,7 +151,7 @@ modutils_read_module_deps(fsadm_t)
  
  seutil_read_config(fsadm_t)
  
@@ -29176,17 +29438,8 @@ index a442acc..e8dd9c8 100644
 +term_use_all_terms(fsadm_t)
  
  ifdef(`distro_redhat',`
-+ifdef(`enforcing',`
  	optional_policy(`
- 		unconfined_domain(fsadm_t)
- 	')
-+', `
-+   permissive fsadm_t;
-+')
- ')
- 
- optional_policy(`
-@@ -166,6 +174,14 @@ optional_policy(`
+@@ -166,6 +170,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29201,7 +29454,7 @@ index a442acc..e8dd9c8 100644
  	nis_use_ypbind(fsadm_t)
  ')
  
-@@ -175,6 +191,10 @@ optional_policy(`
+@@ -175,6 +187,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29320,7 +29573,7 @@ index 9775375..b338481 100644
  #
  # /var
 diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index f6aafe7..7da8294 100644
+index f6aafe7..f28524b 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
 @@ -105,7 +105,11 @@ interface(`init_domain',`
@@ -29444,7 +29697,7 @@ index f6aafe7..7da8294 100644
  ')
  
  ########################################
-@@ -669,12 +733,14 @@ interface(`init_telinit',`
+@@ -669,19 +733,24 @@ interface(`init_telinit',`
  		type initctl_t;
  	')
  
@@ -29460,7 +29713,8 @@ index f6aafe7..7da8294 100644
  		gen_require(`
  			type init_t;
  		')
-@@ -682,6 +748,8 @@ interface(`init_telinit',`
+ 
++		allow $1 init_t:process signal;
  		# upstart uses a datagram socket instead of initctl pipe
  		allow $1 self:unix_dgram_socket create_socket_perms;
  		allow $1 init_t:unix_dgram_socket sendto;
@@ -29469,7 +29723,7 @@ index f6aafe7..7da8294 100644
  	')
  ')
  
-@@ -754,18 +822,19 @@ interface(`init_script_file_entry_type',`
+@@ -754,18 +823,19 @@ interface(`init_script_file_entry_type',`
  #
  interface(`init_spec_domtrans_script',`
  	gen_require(`
@@ -29493,7 +29747,7 @@ index f6aafe7..7da8294 100644
  	')
  ')
  
-@@ -781,23 +850,45 @@ interface(`init_spec_domtrans_script',`
+@@ -781,23 +851,45 @@ interface(`init_spec_domtrans_script',`
  #
  interface(`init_domtrans_script',`
  	gen_require(`
@@ -29543,7 +29797,7 @@ index f6aafe7..7da8294 100644
  ##	Execute a init script in a specified domain.
  ## </summary>
  ## <desc>
-@@ -849,8 +940,10 @@ interface(`init_script_file_domtrans',`
+@@ -849,8 +941,12 @@ interface(`init_script_file_domtrans',`
  interface(`init_labeled_script_domtrans',`
  	gen_require(`
  		type initrc_t;
@@ -29551,10 +29805,12 @@ index f6aafe7..7da8294 100644
  	')
  
 +	typeattribute $1 initrc_transition_domain;
++	# service script searches all filesystems via mountpoint
++	fs_search_all($1)
  	domtrans_pattern($1, $2, initrc_t)
  	files_search_etc($1)
  ')
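Review bot: `fs_search_all($1)` in init_labeled_script_domtrans grants directory search on every filesystem type to each domain that transitions to a labeled init script, far broader than the `files_search_etc($1)` beside it; the new comment explains the trigger (the service script walking mountpoints) but not why a dontaudit or a search limited to the filesystem types actually involved would not suffice. If the denials were only path-walk noise, a dontaudit is the safer default; if the search is genuinely required, the comment should name the filesystem(s) so the grant can be narrowed later.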
-@@ -1338,6 +1431,27 @@ interface(`init_dbus_send_script',`
+@@ -1338,6 +1434,27 @@ interface(`init_dbus_send_script',`
  ########################################
  ## <summary>
  ##	Send and receive messages from
@@ -29582,7 +29838,7 @@ index f6aafe7..7da8294 100644
  ##	init scripts over dbus.
  ## </summary>
  ## <param name="domain">
-@@ -1637,7 +1751,7 @@ interface(`init_dontaudit_rw_utmp',`
+@@ -1637,7 +1754,7 @@ interface(`init_dontaudit_rw_utmp',`
  		type initrc_var_run_t;
  	')
  
@@ -29591,7 +29847,7 @@ index f6aafe7..7da8294 100644
  ')
  
  ########################################
-@@ -1712,3 +1826,94 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1712,3 +1829,94 @@ interface(`init_udp_recvfrom_all_daemons',`
  	')
  	corenet_udp_recvfrom_labeled($1, daemon)
  ')
@@ -29687,7 +29943,7 @@ index f6aafe7..7da8294 100644
 +	allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index abab4cf..9f9b812 100644
+index abab4cf..a80b4c7 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -16,6 +16,27 @@ gen_require(`
@@ -30138,10 +30394,11 @@ index abab4cf..9f9b812 100644
  
  	optional_policy(`
  		consolekit_dbus_chat(initrc_t)
-@@ -701,7 +882,12 @@ optional_policy(`
+@@ -701,7 +882,13 @@ optional_policy(`
  ')
  
  optional_policy(`
++        milter_delete_dkim_pid_files(initrc_t)
 +	milter_setattr_all_dirs(initrc_t)
 +')
 +
@@ -30151,7 +30408,7 @@ index abab4cf..9f9b812 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -724,6 +910,10 @@ optional_policy(`
+@@ -724,6 +911,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30162,7 +30419,7 @@ index abab4cf..9f9b812 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -745,6 +935,10 @@ optional_policy(`
+@@ -745,6 +936,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30173,7 +30430,7 @@ index abab4cf..9f9b812 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -766,8 +960,6 @@ optional_policy(`
+@@ -766,8 +961,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -30182,7 +30439,7 @@ index abab4cf..9f9b812 100644
  ')
  
  optional_policy(`
-@@ -776,14 +968,21 @@ optional_policy(`
+@@ -776,14 +969,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30204,7 +30461,7 @@ index abab4cf..9f9b812 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -805,11 +1004,19 @@ optional_policy(`
+@@ -805,11 +1005,19 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30225,7 +30482,7 @@ index abab4cf..9f9b812 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -819,6 +1026,25 @@ optional_policy(`
+@@ -819,6 +1027,25 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -30251,7 +30508,7 @@ index abab4cf..9f9b812 100644
  ')
  
  optional_policy(`
-@@ -844,3 +1070,55 @@ optional_policy(`
+@@ -844,3 +1071,55 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -30647,7 +30904,7 @@ index 5c94dfe..59bfb17 100644
  
  ########################################
 diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
-index a3fdcb3..e9bd52a 100644
+index a3fdcb3..bce3aea 100644
 --- a/policy/modules/system/iptables.te
 +++ b/policy/modules/system/iptables.te
 @@ -13,9 +13,6 @@ role system_r types iptables_t;
@@ -30731,6 +30988,14 @@ index a3fdcb3..e9bd52a 100644
  ')
  
  optional_policy(`
+@@ -124,6 +135,7 @@ optional_policy(`
+ 
+ optional_policy(`
+ 	shorewall_rw_lib_files(iptables_t)
++	shorewall_read_tmp_files(iptables_t)
+ ')
+ 
+ optional_policy(`
 diff --git a/policy/modules/system/iscsi.if b/policy/modules/system/iscsi.if
 index 663a47b..ad0b864 100644
 --- a/policy/modules/system/iscsi.if
@@ -30998,8 +31263,39 @@ index 9df8c4d..1d2236b 100644
 +/opt/lgtonmc/bin/.*\.so(\.[0-9])?  	--  gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/opt/google/picasa/.*\.dll	--  gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/opt/google/picasa/.*\.yti	--  gen_context(system_u:object_r:textrel_shlib_t,s0)
+diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
+index d97d16d..8b174c8 100644
+--- a/policy/modules/system/libraries.if
++++ b/policy/modules/system/libraries.if
+@@ -46,6 +46,26 @@ interface(`libs_run_ldconfig',`
+ 
+ ########################################
+ ## <summary>
++##	Execute ldconfig in the caller domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++## 	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`libs_exec_ldconfig',`
++	gen_require(`
++		type ldconfig_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	can_exec($1, ldconfig_exec_t)
++')
++
++########################################
++## <summary>
+ ##	Use the dynamic link/loader for automatic loading
+ ##	of shared libraries.
+ ## </summary>
 diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
-index bf416a4..af2af2d 100644
+index bf416a4..99d7f60 100644
 --- a/policy/modules/system/libraries.te
 +++ b/policy/modules/system/libraries.te
 @@ -61,7 +61,7 @@ allow ldconfig_t self:capability { dac_override sys_chroot };
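Review bot: The new `libs_exec_ldconfig` interface grants `can_exec($1, ldconfig_exec_t)` with no domain transition, so ldconfig runs with the caller's own permissions and any attempt to rewrite the ld.so cache will be denied unless the caller already holds that access; the summary should say so, e.g. `##	Execute ldconfig in the caller domain (no transition; the caller needs its own access to anything ldconfig writes).` The `<rolecap/>` tag also looks out of place on a plain exec interface, since in this tree it marks interfaces a role can be granted such as the `libs_run_ldconfig` this hunk sits inside — confirm it was intended. The closing `## 	</summary>` uses a space before the tab unlike the neighbouring doc lines; align it with `##	</summary>`.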
@@ -31049,17 +31345,11 @@ index bf416a4..af2af2d 100644
  	puppet_rw_tmp(ldconfig_t)
  ')
  
-@@ -141,6 +151,10 @@ optional_policy(`
- 	rpm_manage_script_tmp_files(ldconfig_t)
- ')
- 
-+ifdef(`enforcing',`
+@@ -144,3 +154,4 @@ optional_policy(`
  optional_policy(`
  	unconfined_domain(ldconfig_t)
-+')'
-+, `
-+	permissive ldconfig_t;
  ')
++
 diff --git a/policy/modules/system/locallogin.fc b/policy/modules/system/locallogin.fc
 index 7570583..be6a81b 100644
 --- a/policy/modules/system/locallogin.fc
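Review bot: The added empty `+` line after the closing `')` of the `unconfined_domain(ldconfig_t)` block leaves a trailing blank line at the end of libraries.te; drop it so the file still ends at the closing quote as before.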
@@ -31452,7 +31742,7 @@ index 58bc27f..b4f0663 100644
 +	allow $1 clvmd_tmpfs_t:file rw_file_perms;
 +')
 diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
-index 86ef2da..7eb67d1 100644
+index 86ef2da..7f649d5 100644
 --- a/policy/modules/system/lvm.te
 +++ b/policy/modules/system/lvm.te
 @@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t)
@@ -31476,26 +31766,19 @@ index 86ef2da..7eb67d1 100644
  manage_files_pattern(clvmd_t, clvmd_var_run_t, clvmd_var_run_t)
  files_pid_filetrans(clvmd_t, clvmd_var_run_t, file)
  
-@@ -135,9 +142,18 @@ lvm_domtrans(clvmd_t)
- lvm_read_config(clvmd_t)
+@@ -141,6 +148,11 @@ ifdef(`distro_redhat',`
+ ')
  
- ifdef(`distro_redhat',`
-+ifdef(`enforcing',`
- 	optional_policy(`
- 		unconfined_domain(clvmd_t)
- 	')
-+', `
-+	permissive clvmd_t;
-+')
+ optional_policy(`
++	aisexec_stream_connect(clvmd_t)
++	corosync_stream_connect(clvmd_t)
 +')
 +
 +optional_policy(`
-+	aisexec_stream_connect(clvmd_t)
-+	corosync_stream_connect(clvmd_t)
+ 	ccs_stream_connect(clvmd_t)
  ')
  
- optional_policy(`
-@@ -170,6 +186,7 @@ dontaudit lvm_t self:capability sys_tty_config;
+@@ -170,6 +182,7 @@ dontaudit lvm_t self:capability sys_tty_config;
  allow lvm_t self:process { sigchld sigkill sigstop signull signal };
  # LVM will complain a lot if it cannot set its priority.
  allow lvm_t self:process setsched;
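Review bot: `aisexec_stream_connect(clvmd_t)` and `corosync_stream_connect(clvmd_t)` share one `optional_policy` block, so if either the aisexec or the corosync module is not loaded the whole block is discarded and neither rule takes effect; the convention in this tree, as far as I can tell, is one module per block, as the `ccs_stream_connect` block just below does. Move `corosync_stream_connect(clvmd_t)` into its own `optional_policy(` … `')` block. The same pairing appears for lvm_t in the later lvm.te hunk (`@@ -31546,26 +31829,19 @@`) and should be split the same way.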
@@ -31503,7 +31786,7 @@ index 86ef2da..7eb67d1 100644
  allow lvm_t self:file rw_file_perms;
  allow lvm_t self:fifo_file manage_fifo_file_perms;
  allow lvm_t self:unix_dgram_socket create_socket_perms;
-@@ -210,12 +227,15 @@ filetrans_pattern(lvm_t, lvm_etc_t, lvm_metadata_t, file)
+@@ -210,12 +223,15 @@ filetrans_pattern(lvm_t, lvm_etc_t, lvm_metadata_t, file)
  files_etc_filetrans(lvm_t, lvm_metadata_t, file)
  files_search_mnt(lvm_t)
  
@@ -31519,7 +31802,7 @@ index 86ef2da..7eb67d1 100644
  kernel_search_debugfs(lvm_t)
  
  corecmd_exec_bin(lvm_t)
-@@ -242,6 +262,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t)
+@@ -242,6 +258,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t)
  dev_dontaudit_getattr_generic_blk_files(lvm_t)
  dev_dontaudit_getattr_generic_pipes(lvm_t)
  dev_create_generic_dirs(lvm_t)
@@ -31527,7 +31810,7 @@ index 86ef2da..7eb67d1 100644
  
  domain_use_interactive_fds(lvm_t)
  domain_read_all_domains_state(lvm_t)
-@@ -251,8 +272,9 @@ files_read_etc_files(lvm_t)
+@@ -251,8 +268,9 @@ files_read_etc_files(lvm_t)
  files_read_etc_runtime_files(lvm_t)
  # for when /usr is not mounted:
  files_dontaudit_search_isid_type_dirs(lvm_t)
@@ -31538,7 +31821,7 @@ index 86ef2da..7eb67d1 100644
  fs_search_auto_mountpoints(lvm_t)
  fs_list_tmpfs(lvm_t)
  fs_read_tmpfs_symlinks(lvm_t)
-@@ -262,6 +284,7 @@ fs_rw_anon_inodefs_files(lvm_t)
+@@ -262,6 +280,7 @@ fs_rw_anon_inodefs_files(lvm_t)
  
  mls_file_read_all_levels(lvm_t)
  mls_file_write_to_clearance(lvm_t)
@@ -31546,26 +31829,19 @@ index 86ef2da..7eb67d1 100644
  
  selinux_get_fs_mount(lvm_t)
  selinux_validate_context(lvm_t)
-@@ -303,9 +326,18 @@ ifdef(`distro_redhat',`
- 	# this is from the initrd:
- 	files_rw_isid_type_dirs(lvm_t)
+@@ -309,6 +328,11 @@ ifdef(`distro_redhat',`
+ ')
  
-+ifdef(`enforcing',`
- 	optional_policy(`
- 		unconfined_domain(lvm_t)
- 	')
-+', `
-+	permissive lvm_t;
-+')
+ optional_policy(`
++	aisexec_stream_connect(lvm_t)
++	corosync_stream_connect(lvm_t)
 +')
 +
 +optional_policy(`
-+	aisexec_stream_connect(lvm_t)
-+	corosync_stream_connect(lvm_t)
+ 	bootloader_rw_tmp_files(lvm_t)
  ')
  
- optional_policy(`
-@@ -329,6 +361,10 @@ optional_policy(`
+@@ -329,6 +353,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -31729,7 +32005,7 @@ index 9c0faab..def8d5a 100644
  ##	loading modules.
  ## </summary>
 diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
-index 74a4466..f39f39f 100644
+index 74a4466..9abf3b1 100644
 --- a/policy/modules/system/modutils.te
 +++ b/policy/modules/system/modutils.te
 @@ -18,6 +18,7 @@ type insmod_t;
@@ -31764,21 +32040,7 @@ index 74a4466..f39f39f 100644
  
  ifdef(`distro_ubuntu',`
  	optional_policy(`
-@@ -94,17 +99,21 @@ optional_policy(`
- 	rpm_manage_script_tmp_files(depmod_t)
- ')
- 
-+ifdef(`enforcing',`
- optional_policy(`
- 	# Read System.map from home directories.
- 	unconfined_domain(depmod_t)
- ')
-+', `
-+	permissive depmod_t;
-+')
- 
- ########################################
- #
+@@ -104,7 +109,7 @@ optional_policy(`
  # insmod local policy
  #
  
@@ -31787,7 +32049,7 @@ index 74a4466..f39f39f 100644
  allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal };
  
  allow insmod_t self:udp_socket create_socket_perms;
-@@ -125,6 +134,7 @@ kernel_write_proc_files(insmod_t)
+@@ -125,6 +130,7 @@ kernel_write_proc_files(insmod_t)
  kernel_mount_debugfs(insmod_t)
  kernel_mount_kvmfs(insmod_t)
  kernel_read_debugfs(insmod_t)
@@ -31795,7 +32057,7 @@ index 74a4466..f39f39f 100644
  # Rules for /proc/sys/kernel/tainted
  kernel_read_kernel_sysctls(insmod_t)
  kernel_rw_kernel_sysctl(insmod_t)
-@@ -142,6 +152,7 @@ dev_rw_agp(insmod_t)
+@@ -142,6 +148,7 @@ dev_rw_agp(insmod_t)
  dev_read_sound(insmod_t)
  dev_write_sound(insmod_t)
  dev_rw_apm_bios(insmod_t)
@@ -31803,7 +32065,7 @@ index 74a4466..f39f39f 100644
  
  domain_signal_all_domains(insmod_t)
  domain_use_interactive_fds(insmod_t)
-@@ -160,11 +171,15 @@ files_write_kernel_modules(insmod_t)
+@@ -160,11 +167,15 @@ files_write_kernel_modules(insmod_t)
  
  fs_getattr_xattr_fs(insmod_t)
  fs_dontaudit_use_tmpfs_chr_dev(insmod_t)
@@ -31819,7 +32081,7 @@ index 74a4466..f39f39f 100644
  
  logging_send_syslog_msg(insmod_t)
  logging_search_logs(insmod_t)
-@@ -173,8 +188,7 @@ miscfiles_read_localization(insmod_t)
+@@ -173,8 +184,7 @@ miscfiles_read_localization(insmod_t)
  
  seutil_read_file_contexts(insmod_t)
  
@@ -31829,7 +32091,7 @@ index 74a4466..f39f39f 100644
  userdom_dontaudit_search_user_home_dirs(insmod_t)
  
  if( ! secure_mode_insmod ) {
-@@ -191,6 +205,10 @@ optional_policy(`
+@@ -191,6 +201,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -31840,25 +32102,17 @@ index 74a4466..f39f39f 100644
  	hal_write_log(insmod_t)
  ')
  
-@@ -229,10 +247,18 @@ optional_policy(`
- 	rpm_rw_pipes(insmod_t)
+@@ -235,6 +249,10 @@ optional_policy(`
  ')
  
-+ifdef(`enforcing',`
  optional_policy(`
- 	unconfined_domain(insmod_t)
- 	unconfined_dontaudit_rw_pipes(insmod_t)
- ')
-+', `
-+	permissive insmod_t;
++	virt_dontaudit_write_pipes(insmod_t)
 +')
 +
 +optional_policy(`
-+	virt_dontaudit_write_pipes(insmod_t)
-+')
- 
- optional_policy(`
  	# cjp: why is this needed:
+ 	dev_rw_xserver_misc(insmod_t)
+ 
 diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc
 index 72c746e..e3d06fd 100644
 --- a/policy/modules/system/mount.fc
@@ -32387,7 +32641,7 @@ index fca6947..a2f7102 100644
 +
 +userdom_use_user_terminals(showmount_t)
 diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te
-index 09845c4..5ccaca7 100644
+index 09845c4..2fe5969 100644
 --- a/policy/modules/system/raid.te
 +++ b/policy/modules/system/raid.te
 @@ -30,8 +30,9 @@ allow mdadm_t self:fifo_file rw_fifo_file_perms;
@@ -32401,25 +32655,24 @@ index 09845c4..5ccaca7 100644
  
  kernel_read_system_state(mdadm_t)
  kernel_read_kernel_sysctls(mdadm_t)
-@@ -57,6 +58,7 @@ domain_use_interactive_fds(mdadm_t)
+@@ -52,13 +53,16 @@ dev_dontaudit_getattr_generic_blk_files(mdadm_t)
+ dev_read_realtime_clock(mdadm_t)
+ # unfortunately needed for DMI decoding:
+ dev_read_raw_memory(mdadm_t)
++dev_read_generic_files(mdadm_t)
+ 
+ domain_use_interactive_fds(mdadm_t)
  
  files_read_etc_files(mdadm_t)
  files_read_etc_runtime_files(mdadm_t)
 +files_dontaudit_getattr_tmpfs_files(mdadm_t)
  
- fs_search_auto_mountpoints(mdadm_t)
+-fs_search_auto_mountpoints(mdadm_t)
++fs_list_hugetlbfs(mdadm_t)
++fs_list_auto_mountpoints(mdadm_t)
  fs_dontaudit_list_tmpfs(mdadm_t)
-@@ -95,6 +97,10 @@ optional_policy(`
- 	udev_read_db(mdadm_t)
- ')
  
-+ifdef(`enforcing',`
- optional_policy(`
- 	unconfined_domain(mdadm_t)
- ')
-+', `
-+	permissive mdadm_t;
-+')
+ mls_file_read_all_levels(mdadm_t)
 diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc
 index 2cc4bda..9e81136 100644
 --- a/policy/modules/system/selinuxutil.fc
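Review bot: `dev_read_generic_files(mdadm_t)` opens read access to every file under /dev that carries the generic device type rather than a specific device, yet unlike the `dev_read_raw_memory` line directly above it carries no comment saying what needs it. Add one naming the file that triggered the denial, e.g. `# mdadm reads <which /dev file> — name it here`, so the next reviewer can judge whether a narrower device interface would do. The same goes for the new `fs_list_hugetlbfs(mdadm_t)`, which presumably belongs to the hugepages relabel mentioned in the changelog — a short comment would tie the two together.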
@@ -32861,7 +33114,7 @@ index 170e2c7..bbaa8cf 100644
 +')
 +')
 diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index ff5d72d..a0cf928 100644
+index ff5d72d..edee963 100644
 --- a/policy/modules/system/selinuxutil.te
 +++ b/policy/modules/system/selinuxutil.te
 @@ -22,6 +22,9 @@ attribute can_relabelto_binary_policy;
@@ -33102,7 +33355,7 @@ index ff5d72d..a0cf928 100644
  # cjp: need a more general way to handle this:
  ifdef(`enable_mls',`
  	# read secadm tmp files
-@@ -498,112 +492,54 @@ ifdef(`enable_mls',`
+@@ -498,112 +492,50 @@ ifdef(`enable_mls',`
  	userdom_read_user_tmp_files(semanage_t)
  ')
  
@@ -33152,18 +33405,12 @@ index ff5d72d..a0cf928 100644
 -fs_list_all(setfiles_t)
 -fs_search_auto_mountpoints(setfiles_t)
 -fs_relabelfrom_noxattr_fs(setfiles_t)
-+init_dontaudit_use_fds(setsebool_t)
- 
+-
 -mls_file_read_all_levels(setfiles_t)
 -mls_file_write_all_levels(setfiles_t)
 -mls_file_upgrade(setfiles_t)
 -mls_file_downgrade(setfiles_t)
-+# Bug in semanage
-+seutil_domtrans_setfiles(setsebool_t)
-+seutil_manage_file_contexts(setsebool_t)
-+seutil_manage_default_contexts(setsebool_t)
-+seutil_manage_config(setsebool_t)
- 
+-
 -selinux_validate_context(setfiles_t)
 -selinux_compute_access_vector(setfiles_t)
 -selinux_compute_create_context(setfiles_t)
@@ -33185,9 +33432,15 @@ index ff5d72d..a0cf928 100644
 -logging_send_syslog_msg(setfiles_t)
 -
 -miscfiles_read_localization(setfiles_t)
--
++init_dontaudit_use_fds(setsebool_t)
+ 
 -seutil_libselinux_linked(setfiles_t)
--
++# Bug in semanage
++seutil_domtrans_setfiles(setsebool_t)
++seutil_manage_file_contexts(setsebool_t)
++seutil_manage_default_contexts(setsebool_t)
++seutil_manage_config(setsebool_t)
+ 
 -userdom_use_all_users_fds(setfiles_t)
 -# for config files in a home directory
 -userdom_read_user_home_content_files(setfiles_t)
@@ -33241,13 +33494,9 @@ index ff5d72d..a0cf928 100644
  	')
  ')
  
-+ifdef(`enforcing',`
  optional_policy(`
 -	hotplug_use_fds(setfiles_t)
 +	unconfined_domain(setfiles_mac_t)
-+')
-+', `
-+	permissive lvm_t;
  ')
 diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
 index 4ec45a4..4488c6d 100644
@@ -33420,10 +33669,10 @@ index 0000000..fec3374
 +')
 diff --git a/policy/modules/system/sosreport.te b/policy/modules/system/sosreport.te
 new file mode 100644
-index 0000000..593a206
+index 0000000..c15bcea
 --- /dev/null
 +++ b/policy/modules/system/sosreport.te
-@@ -0,0 +1,158 @@
+@@ -0,0 +1,154 @@
 +policy_module(sosreport,1.0.0)
 +
 +########################################
@@ -33575,13 +33824,9 @@ index 0000000..593a206
 +	xserver_stream_connect(sosreport_t)
 +')
 +
-+ifdef(`enforcing',`
 +optional_policy(`
 +	unconfined_domain(sosreport_t)
 +')
-+', `
-+	permissive sosreport_t;
-+')
 diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
 index 726619b..4bb3158 100644
 --- a/policy/modules/system/sysnetwork.fc
@@ -34033,7 +34278,7 @@ index 025348a..59bc26b 100644
  
  ########################################
 diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index a054cf5..7cc3698 100644
+index a054cf5..9f316ca 100644
 --- a/policy/modules/system/udev.te
 +++ b/policy/modules/system/udev.te
 @@ -52,6 +52,7 @@ allow udev_t self:unix_dgram_socket sendto;
@@ -34053,7 +34298,15 @@ index a054cf5..7cc3698 100644
  
  kernel_read_system_state(udev_t)
  kernel_request_load_module(udev_t)
-@@ -116,10 +117,13 @@ files_exec_etc_files(udev_t)
+@@ -111,15 +112,20 @@ domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
+ 
+ files_read_usr_files(udev_t)
+ files_read_etc_runtime_files(udev_t)
+-files_read_etc_files(udev_t)
++
++# console_init manages files in /etc/sysconfig
++files_manage_etc_files(udev_t)
+ files_exec_etc_files(udev_t)
  files_dontaudit_search_isid_type_dirs(udev_t)
  files_getattr_generic_locks(udev_t)
  files_search_mnt(udev_t)
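Review bot: `files_manage_etc_files(udev_t)` replaces the previous read-only rule with create, write and unlink on every etc_t file, while the comment above it justifies only files in /etc/sysconfig; that is far broader than the stated need and means a misbehaving or compromised udev helper could rewrite arbitrary system configuration. If the files console_init writes can be given their own type (or already have one), a manage interface scoped to that type would keep udev at least privilege; if not, make the scope explicit in the comment, e.g. `# console_init (run by udev) writes files in /etc/sysconfig; no narrower type exists, so all etc_t files are manageable`. The enclosing rule block continues beyond this hunk.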
@@ -34067,21 +34320,7 @@ index a054cf5..7cc3698 100644
  
  mcs_ptrace_all(udev_t)
  
-@@ -192,9 +196,13 @@ ifdef(`distro_redhat',`
- 	# for arping used for static IP addresses on PCMCIA ethernet
- 	netutils_domtrans(udev_t)
- 
-+	ifdef(`enforcing',`
- 	optional_policy(`
- 		unconfined_domain(udev_t)
- 	')
-+	', `
-+	   permissive udev_t;
-+	')
- ')
- 
- optional_policy(`
-@@ -216,11 +224,16 @@ optional_policy(`
+@@ -216,11 +222,16 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -34098,7 +34337,7 @@ index a054cf5..7cc3698 100644
  ')
  
  optional_policy(`
-@@ -233,6 +246,10 @@ optional_policy(`
+@@ -233,6 +244,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -34109,7 +34348,7 @@ index a054cf5..7cc3698 100644
  	lvm_domtrans(udev_t)
  ')
  
-@@ -259,6 +276,10 @@ optional_policy(`
+@@ -259,6 +274,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -34120,7 +34359,7 @@ index a054cf5..7cc3698 100644
  	openct_read_pid_files(udev_t)
  	openct_domtrans(udev_t)
  ')
-@@ -273,6 +294,11 @@ optional_policy(`
+@@ -273,6 +292,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -34870,10 +35109,10 @@ index f976344..4474379 100644
 -	')
 -')
 diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc
-index db75976..9068325 100644
+index db75976..61db6da 100644
 --- a/policy/modules/system/userdomain.fc
 +++ b/policy/modules/system/userdomain.fc
-@@ -1,4 +1,14 @@
+@@ -1,4 +1,15 @@
  HOME_DIR	-d	gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
 +HOME_DIR	-l	gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
  HOME_DIR/.+		gen_context(system_u:object_r:user_home_t,s0)
@@ -34885,12 +35124,13 @@ index db75976..9068325 100644
 +/dev/shm/mono.*		gen_context(system_u:object_r:user_tmpfs_t,s0)
 +HOME_DIR/bin(/.*)?	gen_context(system_u:object_r:home_bin_t,s0)
 +HOME_DIR/local/bin(/.*)?	gen_context(system_u:object_r:home_bin_t,s0)
++HOME_DIR/Audio(/.*)?    gen_context(system_u:object_r:audio_home_t,s0)
 +HOME_DIR/Music(/.*)?    gen_context(system_u:object_r:audio_home_t,s0)
 +HOME_DIR/\.cert(/.*)?	gen_context(system_u:object_r:home_cert_t,s0)
 +HOME_DIR/\.pki(/.*)?		gen_context(system_u:object_r:home_cert_t,s0)
 +HOME_DIR/\.gvfs(/.*)?	<<none>>
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 8b4f6d8..1456a83 100644
+index 8b4f6d8..e1da594 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,8 +30,9 @@ template(`userdom_base_user_template',`
@@ -36404,6 +36644,15 @@ index 8b4f6d8..1456a83 100644
  ')
  
  ########################################
+@@ -2906,7 +3205,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+ 		type user_devpts_t;
+ 	')
+ 
+-	dontaudit $1 user_devpts_t:chr_file rw_file_perms;
++	dontaudit $1 user_devpts_t:chr_file rw_inherited_file_perms;
+ ')
+ 
+ ########################################
 @@ -2961,7 +3260,45 @@ interface(`userdom_write_user_tmp_files',`
  		type user_tmp_t;
  	')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 7799e24..1b82efa 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 %define CHECKPOLICYVER 2.0.21-1
 Summary: SELinux policy configuration
 Name: selinux-policy
-Version: 3.9.2
+Version: 3.9.3
 Release: 1%{?dist}
 License: GPLv2+
 Group: System Environment/Base
@@ -469,6 +469,20 @@ exit 0
 %endif
 
 %changelog
+* Thu Aug 31 2010 Dan Walsh <dwalsh at redhat.com> 3.9.3-1
+Allow iptables to read shorewall tmp files
+Change chfn and passwd to use auth_use_pam so they can send dbus messages to fpr
+intd
+label vlc as an execmem_exec_t 
+Lots of fixes for mozilla_plugin to run google vidio chat
+Allow telepath_msn to execute ldconfig and its own tmp files
+Fix labels on hugepages
+Allow mdadm to read files on /dev
+Remove permissive domains and change back to unconfined
+Allow freshclam to execute shell and bin_t
+Allow devicekit_power to transition to dhcpc
+Add boolean to allow icecast to connect to any port
+
 * Thu Aug 31 2010 Dan Walsh <dwalsh at redhat.com> 3.9.2-1
 - Merge upstream fix of mmap_zero
 - Allow mount to write files in debugfs_t
diff --git a/sources b/sources
index 1d0d2b4..3c4a5ef 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-f35b66c95c41e4c046727789b361a969  serefpolicy-3.9.2.tgz
+2330fe4b7094df0e0a453856db12e3a4  serefpolicy-3.9.3.tgz

