[selinux-policy] - Update to upstream
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Sep 16 11:59:21 UTC 2010
commit a24e6a67003984f39e1ca4ddc42e090ca7034ff9
Author: Dan Walsh <dwalsh at redhat.com>
Date: Thu Sep 16 07:59:03 2010 -0400
- Update to upstream
.gitignore | 1 +
policy-F14.patch | 3235 +++++++++++++++++++++++++++++++++++----------------
selinux-policy.spec | 13 +-
sources | 2 +-
4 files changed, 2243 insertions(+), 1008 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index 0dd8fdf..5c00acd 100644
--- a/.gitignore
+++ b/.gitignore
@@ -225,3 +225,4 @@ serefpolicy*
/serefpolicy-3.9.2.tgz
/serefpolicy-3.9.3.tgz
/serefpolicy-3.9.4.tgz
+/serefpolicy-3.9.5.tgz
diff --git a/policy-F14.patch b/policy-F14.patch
index 21ebcd0..be8c885 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -280,7 +280,7 @@ index 5b43db5..fdb453c 100644
+ role $2 types brctl_t;
+')
diff --git a/policy/modules/admin/certwatch.te b/policy/modules/admin/certwatch.te
-index e0fa983..86644f0 100644
+index a2e9cb5..cec5c56 100644
--- a/policy/modules/admin/certwatch.te
+++ b/policy/modules/admin/certwatch.te
@@ -35,7 +35,7 @@ miscfiles_read_generic_certs(certwatch_t)
@@ -292,14 +292,6 @@ index e0fa983..86644f0 100644
optional_policy(`
apache_exec_modules(certwatch_t)
-@@ -47,6 +47,7 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ pcscd_domtrans(certwatch_t)
- pcscd_stream_connect(certwatch_t)
- pcscd_read_pub_files(certwatch_t)
- ')
diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te
index 2b12a37..a370656 100644
--- a/policy/modules/admin/consoletype.te
@@ -334,21 +326,10 @@ index 72bc6d8..5421065 100644
')
diff --git a/policy/modules/admin/firstboot.te b/policy/modules/admin/firstboot.te
-index db780c2..fd55ce2 100644
+index 66e486e..bfda8e9 100644
--- a/policy/modules/admin/firstboot.te
+++ b/policy/modules/admin/firstboot.te
-@@ -91,6 +91,10 @@ userdom_home_filetrans_user_home_dir(firstboot_t)
- userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file })
-
- optional_policy(`
-+ consoletype_domtrans(firstboot_t)
-+')
-+
-+optional_policy(`
- dbus_system_bus_client(firstboot_t)
-
- optional_policy(`
-@@ -99,6 +103,10 @@ optional_policy(`
+@@ -103,6 +103,10 @@ optional_policy(`
')
optional_policy(`
@@ -359,7 +340,7 @@ index db780c2..fd55ce2 100644
nis_use_ypbind(firstboot_t)
')
-@@ -121,6 +129,7 @@ optional_policy(`
+@@ -125,6 +129,7 @@ optional_policy(`
')
optional_policy(`
@@ -368,7 +349,7 @@ index db780c2..fd55ce2 100644
')
diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
-index 0b6123e..23ef05f 100644
+index 0b6123e..dd4cd30 100644
--- a/policy/modules/admin/logrotate.te
+++ b/policy/modules/admin/logrotate.te
@@ -119,6 +119,7 @@ seutil_dontaudit_read_config(logrotate_t)
@@ -379,6 +360,15 @@ index 0b6123e..23ef05f 100644
cron_system_entry(logrotate_t, logrotate_exec_t)
cron_search_spool(logrotate_t)
+@@ -126,7 +127,7 @@ cron_search_spool(logrotate_t)
+ mta_send_mail(logrotate_t)
+
+ ifdef(`distro_debian', `
+- allow logrotate_t logrotate_tmp_t:file { relabelfrom relabelto };
++ allow logrotate_t logrotate_tmp_t:file relabel_file_perms;
+ # for savelog
+ can_exec(logrotate_t, logrotate_exec_t)
+
diff --git a/policy/modules/admin/logwatch.fc b/policy/modules/admin/logwatch.fc
index 3c7b1e8..1e155f5 100644
--- a/policy/modules/admin/logwatch.fc
@@ -726,10 +716,10 @@ index b687b5d..4f38995 100644
+ term_dontaudit_use_all_ptys(traceroute_t)
+')
diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te
-index aa0dcc6..cdbadda 100644
+index aa0dcc6..0faba2a 100644
--- a/policy/modules/admin/prelink.te
+++ b/policy/modules/admin/prelink.te
-@@ -59,6 +59,7 @@ manage_dirs_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
+@@ -59,10 +59,11 @@ manage_dirs_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
manage_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
relabel_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
files_var_lib_filetrans(prelink_t, prelink_var_lib_t, { dir file })
@@ -737,6 +727,11 @@ index aa0dcc6..cdbadda 100644
# prelink misc objects that are not system
# libraries or entrypoints
+-allow prelink_t prelink_object:file { manage_file_perms execute relabelto relabelfrom };
++allow prelink_t prelink_object:file { manage_file_perms execute relabel_file_perms };
+
+ kernel_read_system_state(prelink_t)
+ kernel_read_kernel_sysctls(prelink_t)
@@ -73,6 +74,7 @@ corecmd_mmap_all_executables(prelink_t)
corecmd_read_bin_symlinks(prelink_t)
@@ -1413,18 +1408,6 @@ index 51f7c3a..707fb3d 100644
+optional_policy(`
xserver_dontaudit_write_log(shutdown_t)
')
-diff --git a/policy/modules/admin/smoltclient.te b/policy/modules/admin/smoltclient.te
-index 254c59d..35f2bb0 100644
---- a/policy/modules/admin/smoltclient.te
-+++ b/policy/modules/admin/smoltclient.te
-@@ -42,6 +42,7 @@ dev_read_sysfs(smoltclient_t)
-
- fs_getattr_all_fs(smoltclient_t)
- fs_getattr_all_dirs(smoltclient_t)
-+fs_list_auto_mountpoints(smoltclient_t)
-
- files_getattr_generic_locks(smoltclient_t)
- files_read_etc_files(smoltclient_t)
diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
index a0aa8c5..1b60ad8 100644
--- a/policy/modules/admin/su.if
@@ -1673,18 +1656,6 @@ index a870982..6542902 100644
optional_policy(`
dbus_system_bus_client(vpnc_t)
-diff --git a/policy/modules/apps/awstats.te b/policy/modules/apps/awstats.te
-index 051b979..31397a3 100644
---- a/policy/modules/apps/awstats.te
-+++ b/policy/modules/apps/awstats.te
-@@ -47,6 +47,7 @@ dev_read_urand(awstats_t)
- files_read_etc_files(awstats_t)
- # e.g. /usr/share/awstats/lang/awstats-en.txt
- files_read_usr_files(awstats_t)
-+files_dontaudit_search_all_mountpoints(awstats_t)
-
- fs_list_inotifyfs(awstats_t)
-
diff --git a/policy/modules/apps/chrome.fc b/policy/modules/apps/chrome.fc
new file mode 100644
index 0000000..432fb25
@@ -1792,10 +1763,10 @@ index 0000000..5ef90cd
+
diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te
new file mode 100644
-index 0000000..b09816f
+index 0000000..4e92e87
--- /dev/null
+++ b/policy/modules/apps/chrome.te
-@@ -0,0 +1,91 @@
+@@ -0,0 +1,92 @@
+policy_module(chrome,1.0.0)
+
+########################################
@@ -1878,14 +1849,15 @@ index 0000000..b09816f
+')
+
+tunable_policy(`use_nfs_home_dirs',`
-+ fs_dontaudit_append_nfs_files(chrome_sandbox_t)
-+ fs_dontaudit_read_nfs_files(chrome_sandbox_t)
-+ fs_dontaudit_read_nfs_symlinks(chrome_sandbox_t)
++ fs_search_nfs(chrome_sandbox_t)
++ fs_read_inherited_nfs_files(chrome_sandbox_t)
++ fs_read_nfs_symlinks(chrome_sandbox_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
++ fs_search_cifs(chrome_sandbox_t)
++ fs_read_inherited_cifs_files(chrome_sandbox_t)
+ fs_dontaudit_append_cifs_files(chrome_sandbox_t)
-+ fs_dontaudit_read_cifs_files(chrome_sandbox_t)
+')
diff --git a/policy/modules/apps/cpufreqselector.te b/policy/modules/apps/cpufreqselector.te
index 7fd0900..899e234 100644
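Review bot: The two home-directory branches of the new chrome.te hunk end up asymmetric: the `use_nfs_home_dirs` branch replaces all three dontaudit rules with allow rules (`fs_search_nfs`, `fs_read_inherited_nfs_files`, `fs_read_nfs_symlinks`) and drops the append dontaudit entirely, while the `use_samba_home_dirs` branch keeps `fs_dontaudit_append_cifs_files` and adds no symlink rule. If the intent is that chrome_sandbox_t may only read files it inherits from its caller on either filesystem, the branches should grant the same set, e.g. add `fs_read_cifs_symlinks(chrome_sandbox_t)` and either restore `fs_dontaudit_append_nfs_files(chrome_sandbox_t)` or drop the cifs append dontaudit. This also turns previously silenced denials into real read access to NFS home content for the sandbox domain, which is worth a one-line comment above the tunable block. The chrome.te file continues outside this hunk.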
@@ -4860,9 +4832,18 @@ index 690589e..815d35d 100644
optional_policy(`
diff --git a/policy/modules/apps/pulseaudio.if b/policy/modules/apps/pulseaudio.if
-index 2ba7787..15fef11 100644
+index 2ba7787..9f12b51 100644
--- a/policy/modules/apps/pulseaudio.if
+++ b/policy/modules/apps/pulseaudio.if
+@@ -17,7 +17,7 @@
+ #
+ interface(`pulseaudio_role',`
+ gen_require(`
+- type pulseaudio_t, pulseaudio_exec_t, print_spool_t;
++ type pulseaudio_t, pulseaudio_exec_t;
+ class dbus { acquire_svc send_msg };
+ ')
+
@@ -35,6 +35,10 @@ interface(`pulseaudio_role',`
allow pulseaudio_t $2:unix_stream_socket connectto;
allow $2 pulseaudio_t:unix_stream_socket connectto;
@@ -6695,7 +6676,7 @@ index 5872ea2..028c994 100644
/var/run/vmnat.* -s gen_context(system_u:object_r:vmware_var_run_t,s0)
/var/run/vmware.* gen_context(system_u:object_r:vmware_var_run_t,s0)
diff --git a/policy/modules/apps/vmware.te b/policy/modules/apps/vmware.te
-index 1f803bb..8a97303 100644
+index 1f803bb..4bdcbe3 100644
--- a/policy/modules/apps/vmware.te
+++ b/policy/modules/apps/vmware.te
@@ -126,6 +126,7 @@ dev_getattr_all_blk_files(vmware_host_t)
@@ -6706,9 +6687,34 @@ index 1f803bb..8a97303 100644
domain_use_interactive_fds(vmware_host_t)
domain_dontaudit_read_all_domains_state(vmware_host_t)
-@@ -159,7 +160,10 @@ netutils_domtrans_ping(vmware_host_t)
+@@ -133,6 +134,7 @@ domain_dontaudit_read_all_domains_state(vmware_host_t)
+ files_list_tmp(vmware_host_t)
+ files_read_etc_files(vmware_host_t)
+ files_read_etc_runtime_files(vmware_host_t)
++files_read_usr_files(vmware_host_t)
+
+ fs_getattr_all_fs(vmware_host_t)
+ fs_search_auto_mountpoints(vmware_host_t)
+@@ -151,6 +153,7 @@ logging_send_syslog_msg(vmware_host_t)
+ miscfiles_read_localization(vmware_host_t)
+
+ sysnet_dns_name_resolve(vmware_host_t)
++sysnet_domtrans_ifconfig(vmware_host_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(vmware_host_t)
+ userdom_dontaudit_search_user_home_dirs(vmware_host_t)
+@@ -158,8 +161,19 @@ userdom_dontaudit_search_user_home_dirs(vmware_host_t)
+ netutils_domtrans_ping(vmware_host_t)
optional_policy(`
++ hostname_exec(vmware_host_t)
++')
++
++optional_policy(`
++ modutils_domtrans_insmod(vmware_host_t)
++')
++
++optional_policy(`
seutil_sigchld_newrole(vmware_host_t)
+')
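Review bot: The new vmware.te hunk adds `modutils_domtrans_insmod(vmware_host_t)` and `sysnet_domtrans_ifconfig(vmware_host_t)` without any comment on what vmware_host_t needs them for; together they give the domain a path into the module-loading and interface-configuration domains, a much larger widening than the `hostname_exec` and `files_read_usr_files` rules added alongside. A why-comment above each, e.g. `# vmware-host appears to load its own kernel modules and configure its virtual interfaces -- confirm against the denials that motivated this`, would let a later reviewer check the grant is still required instead of carrying it forward. If the insmod transition is only exercised at install or first start, consider whether it belongs behind a tunable rather than unconditionally. The vmware_host_t policy continues outside this hunk.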
@@ -8587,7 +8593,7 @@ index 59bae6a..16f0f9e 100644
+/dev/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0)
+/dev/hugepages(/.*)? <<none>>
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 437a42a..4eecefb 100644
+index 437a42a..51d47a0 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -646,6 +646,7 @@ interface(`fs_search_cgroup_dirs',`
@@ -8654,7 +8660,32 @@ index 437a42a..4eecefb 100644
dev_search_sysfs($1)
')
-@@ -1241,7 +1249,7 @@ interface(`fs_dontaudit_rw_cifs_files',`
+@@ -1227,6 +1235,24 @@ interface(`fs_dontaudit_append_cifs_files',`
+
+ ########################################
+ ## <summary>
++## Read inherited files on a CIFS or SMB filesystem.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`fs_read_inherited_cifs_files',`
++ gen_require(`
++ type cifs_t;
++ ')
++
++ allow $1 cifs_t:file read_inherited_file_perms;
++')
++
++########################################
++## <summary>
+ ## Do not audit attempts to read or
+ ## write files on a CIFS or SMB filesystem.
+ ## </summary>
+@@ -1241,7 +1267,7 @@ interface(`fs_dontaudit_rw_cifs_files',`
type cifs_t;
')
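Review bot: The parameter documentation of the new `fs_read_inherited_cifs_files` interface says `Domain to not audit.`, but the body is an `allow` rule, so the text was copied from the neighbouring dontaudit interface and misdescribes the contract; the identical text appears in the new `fs_read_inherited_nfs_files` hunk further down in this file. Change the param summary to `Domain allowed access.` in both places. It would also help to state in the interface summary that only `read_inherited_file_perms` is granted, since the point of a separate interface is presumably that this set is narrower than `read_file_perms` (confirm against the macro definition).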
@@ -8663,7 +8694,7 @@ index 437a42a..4eecefb 100644
')
########################################
-@@ -1504,6 +1512,25 @@ interface(`fs_cifs_domtrans',`
+@@ -1504,6 +1530,25 @@ interface(`fs_cifs_domtrans',`
domain_auto_transition_pattern($1, cifs_t, $2)
')
@@ -8689,7 +8720,7 @@ index 437a42a..4eecefb 100644
#######################################
## <summary>
## Create, read, write, and delete dirs
-@@ -1931,7 +1958,26 @@ interface(`fs_read_fusefs_symlinks',`
+@@ -1931,7 +1976,26 @@ interface(`fs_read_fusefs_symlinks',`
########################################
## <summary>
@@ -8717,7 +8748,7 @@ index 437a42a..4eecefb 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1946,6 +1992,41 @@ interface(`fs_rw_hugetlbfs_files',`
+@@ -1946,6 +2010,41 @@ interface(`fs_rw_hugetlbfs_files',`
rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
')
@@ -8759,7 +8790,7 @@ index 437a42a..4eecefb 100644
########################################
## <summary>
-@@ -1999,6 +2080,7 @@ interface(`fs_list_inotifyfs',`
+@@ -1999,6 +2098,7 @@ interface(`fs_list_inotifyfs',`
')
allow $1 inotifyfs_t:dir list_dir_perms;
@@ -8767,7 +8798,7 @@ index 437a42a..4eecefb 100644
')
########################################
-@@ -2395,6 +2477,25 @@ interface(`fs_exec_nfs_files',`
+@@ -2395,6 +2495,25 @@ interface(`fs_exec_nfs_files',`
########################################
## <summary>
@@ -8793,7 +8824,32 @@ index 437a42a..4eecefb 100644
## Append files
## on a NFS filesystem.
## </summary>
-@@ -2449,7 +2550,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
+@@ -2435,6 +2554,24 @@ interface(`fs_dontaudit_append_nfs_files',`
+
+ ########################################
+ ## <summary>
++## Read inherited files on a NFS filesystem.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`fs_read_inherited_nfs_files',`
++ gen_require(`
++ type nfs_t;
++ ')
++
++ allow $1 nfs_t:file read_inherited_file_perms;
++')
++
++########################################
++## <summary>
+ ## Do not audit attempts to read or
+ ## write files on a NFS filesystem.
+ ## </summary>
+@@ -2449,7 +2586,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
type nfs_t;
')
@@ -8802,7 +8858,7 @@ index 437a42a..4eecefb 100644
')
########################################
-@@ -2637,6 +2738,24 @@ interface(`fs_dontaudit_read_removable_files',`
+@@ -2637,6 +2774,24 @@ interface(`fs_dontaudit_read_removable_files',`
########################################
## <summary>
@@ -8827,7 +8883,7 @@ index 437a42a..4eecefb 100644
## Read removable storage symbolic links.
## </summary>
## <param name="domain">
-@@ -2845,7 +2964,7 @@ interface(`fs_dontaudit_manage_nfs_files',`
+@@ -2845,7 +3000,7 @@ interface(`fs_dontaudit_manage_nfs_files',`
#########################################
## <summary>
## Create, read, write, and delete symbolic links
@@ -8836,7 +8892,7 @@ index 437a42a..4eecefb 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3970,6 +4089,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -3970,6 +4125,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
########################################
## <summary>
@@ -8861,7 +8917,7 @@ index 437a42a..4eecefb 100644
## Relabel character nodes on tmpfs filesystems.
## </summary>
## <param name="domain">
-@@ -4662,3 +4799,24 @@ interface(`fs_unconfined',`
+@@ -4662,3 +4835,24 @@ interface(`fs_unconfined',`
typeattribute $1 filesystem_unconfined_type;
')
@@ -9273,7 +9329,7 @@ index 3723150..bde6daa 100644
dev_add_entry_generic_dirs($1)
')
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
-index 492bf76..f9930a3 100644
+index 492bf76..87a6942 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -292,9 +292,11 @@ interface(`term_use_console',`
@@ -9289,6 +9345,15 @@ index 492bf76..f9930a3 100644
')
########################################
+@@ -334,7 +336,7 @@ interface(`term_relabel_console',`
+ ')
+
+ dev_list_all_dev_nodes($1)
+- allow $1 console_device_t:chr_file { relabelfrom relabelto };
++ allow $1 console_device_t:chr_file relabel_chr_file_perms;
+ ')
+
+ ########################################
@@ -848,7 +850,7 @@ interface(`term_dontaudit_use_all_ptys',`
attribute ptynode;
')
@@ -9298,6 +9363,15 @@ index 492bf76..f9930a3 100644
')
########################################
+@@ -1116,7 +1118,7 @@ interface(`term_relabel_unallocated_ttys',`
+ ')
+
+ dev_list_all_dev_nodes($1)
+- allow $1 tty_device_t:chr_file { relabelfrom relabelto };
++ allow $1 tty_device_t:chr_file relabel_chr_file_perms;
+ ')
+
+ ########################################
@@ -1215,7 +1217,7 @@ interface(`term_dontaudit_use_unallocated_ttys',`
type tty_device_t;
')
@@ -9334,6 +9408,15 @@ index 492bf76..f9930a3 100644
')
########################################
+@@ -1294,7 +1300,7 @@ interface(`term_relabel_all_ttys',`
+ ')
+
+ dev_list_all_dev_nodes($1)
+- allow $1 ttynode:chr_file { relabelfrom relabelto };
++ allow $1 ttynode:chr_file relabel_chr_file_perms;
+ ')
+
+ ########################################
@@ -1352,7 +1358,7 @@ interface(`term_dontaudit_use_all_ttys',`
attribute ttynode;
')
@@ -9374,10 +9457,18 @@ index 252913b..a1bbe8f 100644
consoletype_exec(auditadm_t)
')
diff --git a/policy/modules/roles/dbadm.te b/policy/modules/roles/dbadm.te
-index 1875064..20d9333 100644
+index 1875064..e9c9277 100644
--- a/policy/modules/roles/dbadm.te
+++ b/policy/modules/roles/dbadm.te
-@@ -58,3 +58,7 @@ optional_policy(`
+@@ -37,6 +37,7 @@ files_list_var(dbadm_t)
+ selinux_get_enforce_mode(dbadm_t)
+
+ logging_send_syslog_msg(dbadm_t)
++logging_send_audit_msgs(dbadm_t)
+
+ userdom_dontaudit_search_user_home_dirs(dbadm_t)
+
+@@ -58,3 +59,7 @@ optional_policy(`
optional_policy(`
postgresql_admin(dbadm_t, dbadm_r)
')
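Review bot: `logging_send_audit_msgs(dbadm_t)` is added with no comment explaining why a database-administration role domain must write audit records; the same rule is added for webadm_t in the webadm.te hunk below. That interface conveys the audit_write capability and netlink audit socket access, which lets the domain emit its own user-space audit records, so the rule deserves a why-comment next to it in both files, e.g. `# needed so tools run by this admin role can write their own audit records -- confirm which tool triggers this`. dbadm.te continues outside this hunk.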
@@ -9413,10 +9504,10 @@ index ebe6a9c..e3a1987 100644
########################################
#
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 0c9876c..06b7974 100644
+index 1854002..b0d95d4 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
-@@ -8,17 +8,55 @@ policy_module(staff, 2.1.1)
+@@ -8,12 +8,46 @@ policy_module(staff, 2.1.2)
role staff_r;
userdom_unpriv_user_template(staff)
@@ -9463,129 +9554,95 @@ index 0c9876c..06b7974 100644
optional_policy(`
apache_role(staff_r, staff_t)
')
-
- optional_policy(`
-+ mozilla_run_plugin(staff_t, staff_r)
-+')
-+
-+optional_policy(`
- auditadm_role_change(staff_r)
- ')
-
-@@ -27,6 +65,23 @@ optional_policy(`
+@@ -27,6 +61,35 @@ optional_policy(`
')
optional_policy(`
-+ logadm_role_change(staff_r)
++ accountsd_dbus_chat(staff_t)
++ accountsd_read_lib_files(staff_t)
+')
+
+optional_policy(`
-+ webadm_role_change(staff_r)
++ gnomeclock_dbus_chat(staff_t)
+')
+
+optional_policy(`
-+ kerneloops_manage_tmp_files(staff_t)
++ firewallgui_dbus_chat(staff_t)
+')
+
+optional_policy(`
-+ oident_manage_user_content(staff_t)
-+ oident_relabel_user_content(staff_t)
++ lpd_list_spool(staff_t)
+')
+
+optional_policy(`
- postgresql_role(staff_r, staff_t)
- ')
-
-@@ -35,6 +90,18 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ unconfined_role_change(staff_r)
++ kerneloops_dbus_chat(staff_t)
+')
+
+optional_policy(`
-+ rtkit_scheduled(staff_t)
++ logadm_role_change(staff_r)
+')
+
+optional_policy(`
-+ screen_role_template(staff, staff_r, staff_t)
++ mozilla_run_plugin(staff_t, staff_r)
+')
+
+optional_policy(`
- ssh_role_template(staff, staff_r, staff_t)
+ oident_manage_user_content(staff_t)
+ oident_relabel_user_content(staff_t)
')
-
-@@ -48,6 +115,10 @@ optional_policy(`
+@@ -36,21 +99,62 @@ optional_policy(`
')
optional_policy(`
-+ telepathy_dbus_session_role(staff_r, staff_t)
++ rtkit_scheduled(staff_t)
+')
+
+optional_policy(`
- xserver_role(staff_r, staff_t)
++ rpm_dbus_chat(staff_usertype)
++')
++
++optional_policy(`
+ secadm_role_change(staff_r)
')
-@@ -121,10 +192,6 @@ ifndef(`distro_redhat',`
- ')
-
- optional_policy(`
-- oident_manage_user_content(staff_t)
-- oident_relabel_user_content(staff_t)
-- ')
-- optional_policy(`
- pyzor_role(staff_r, staff_t)
- ')
-
-@@ -137,10 +204,6 @@ ifndef(`distro_redhat',`
- ')
+ optional_policy(`
+- ssh_role_template(staff, staff_r, staff_t)
++ sandbox_transition(staff_t, staff_r)
+ ')
- optional_policy(`
-- screen_role_template(staff, staff_r, staff_t)
-- ')
--
-- optional_policy(`
- spamassassin_role(staff_r, staff_t)
- ')
+ optional_policy(`
+- sudo_role_template(staff, staff_r, staff_t)
++ screen_role_template(staff, staff_r, staff_t)
+ ')
-@@ -172,3 +235,46 @@ ifndef(`distro_redhat',`
- wireshark_role(staff_r, staff_t)
- ')
+ optional_policy(`
+ sysadm_role_change(staff_r)
+ userdom_dontaudit_use_user_terminals(staff_t)
')
-+
-+optional_policy(`
-+ accountsd_dbus_chat(staff_t)
-+ accountsd_read_lib_files(staff_t)
-+')
-+
+optional_policy(`
-+ gnomeclock_dbus_chat(staff_t)
++ setroubleshoot_stream_connect(staff_t)
++ setroubleshoot_dbus_chat(staff_t)
++ setroubleshoot_dbus_chat_fixit(staff_t)
+')
+
+optional_policy(`
-+ firewallgui_dbus_chat(staff_t)
++ ssh_role_template(staff, staff_r, staff_t)
+')
+
+optional_policy(`
-+ lpd_list_spool(staff_t)
++ sudo_role_template(staff, staff_r, staff_t)
+')
+
+optional_policy(`
-+ kerneloops_dbus_chat(staff_t)
-+')
-+
-+optional_policy(`
-+ rpm_dbus_chat(staff_usertype)
++ telepathy_dbus_session_role(staff_r, staff_t)
+')
+
+optional_policy(`
-+ sandbox_transition(staff_t, staff_r)
++ userhelper_console_role_template(staff, staff_r, staff_usertype)
+')
+
+optional_policy(`
-+ setroubleshoot_stream_connect(staff_t)
-+ setroubleshoot_dbus_chat(staff_t)
-+ setroubleshoot_dbus_chat_fixit(staff_t)
++ unconfined_role_change(staff_r)
+')
+
+optional_policy(`
@@ -9593,8 +9650,22 @@ index 0c9876c..06b7974 100644
+')
+
+optional_policy(`
-+ userhelper_console_role_template(staff, staff_r, staff_usertype)
++ webadm_role_change(staff_r)
+')
+
+ optional_policy(`
+ xserver_role(staff_r, staff_t)
+@@ -138,10 +242,6 @@ ifndef(`distro_redhat',`
+ ')
+
+ optional_policy(`
+- screen_role_template(staff, staff_r, staff_t)
+- ')
+-
+- optional_policy(`
+ spamassassin_role(staff_r, staff_t)
+ ')
+
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 2a19751..1a95085 100644
--- a/policy/modules/roles/sysadm.te
@@ -11106,10 +11177,10 @@ index 0000000..799db36
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
-index e8a507d..aac3fe1 100644
+index 9b55b00..2932c13 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
-@@ -12,22 +12,48 @@ role user_r;
+@@ -12,6 +12,8 @@ role user_r;
userdom_unpriv_user_template(user)
@@ -11118,6 +11189,8 @@ index e8a507d..aac3fe1 100644
optional_policy(`
apache_role(user_r, user_t)
')
+@@ -22,10 +24,34 @@ optional_policy(`
+ ')
optional_policy(`
+ mozilla_run_plugin(user_t, user_r)
@@ -11140,43 +11213,17 @@ index e8a507d..aac3fe1 100644
')
optional_policy(`
-+ telepathy_dbus_session_role(user_r, user_t)
++ setroubleshoot_dontaudit_stream_connect(user_t)
+')
+
+optional_policy(`
-+ setroubleshoot_dontaudit_stream_connect(user_t)
++ telepathy_dbus_session_role(user_r, user_t)
+')
+
+optional_policy(`
xserver_role(user_r, user_t)
')
- ifndef(`distro_redhat',`
- optional_policy(`
- auth_role(user_r, user_t)
-- ')
-+ ')
-
- optional_policy(`
- bluetooth_role(user_r, user_t)
-@@ -44,7 +70,7 @@ ifndef(`distro_redhat',`
- optional_policy(`
- dbus_role_template(user, user_r, user_t)
- ')
--
-+
- optional_policy(`
- evolution_role(user_r, user_t)
- ')
-@@ -97,7 +123,7 @@ ifndef(`distro_redhat',`
- oident_manage_user_content(user_t)
- oident_relabel_user_content(user_t)
- ')
--
-+
- optional_policy(`
- postgresql_role(user_r, user_t)
- ')
@@ -115,7 +141,7 @@ ifndef(`distro_redhat',`
')
@@ -11186,6 +11233,18 @@ index e8a507d..aac3fe1 100644
')
optional_policy(`
+diff --git a/policy/modules/roles/webadm.te b/policy/modules/roles/webadm.te
+index 0ecc786..dbf2710 100644
+--- a/policy/modules/roles/webadm.te
++++ b/policy/modules/roles/webadm.te
+@@ -38,6 +38,7 @@ selinux_get_enforce_mode(webadm_t)
+ seutil_domtrans_setfiles(webadm_t)
+
+ logging_send_syslog_msg(webadm_t)
++logging_send_audit_msgs(webadm_t)
+
+ userdom_dontaudit_search_user_home_dirs(webadm_t)
+
diff --git a/policy/modules/roles/xguest.te b/policy/modules/roles/xguest.te
index e88b95f..e76f7a7 100644
--- a/policy/modules/roles/xguest.te
@@ -11357,10 +11416,18 @@ index 1bd5812..3b3ba64 100644
/var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
diff --git a/policy/modules/services/abrt.if b/policy/modules/services/abrt.if
-index 0b827c5..8a5d6a4 100644
+index 0b827c5..022c079 100644
--- a/policy/modules/services/abrt.if
+++ b/policy/modules/services/abrt.if
-@@ -130,6 +130,10 @@ interface(`abrt_domtrans_helper',`
+@@ -71,6 +71,7 @@ interface(`abrt_read_state',`
+ type abrt_t;
+ ')
+
++ kernel_search_proc($1)
+ ps_process_pattern($1, abrt_t)
+ ')
+
+@@ -130,6 +131,10 @@ interface(`abrt_domtrans_helper',`
')
domtrans_pattern($1, abrt_helper_exec_t, abrt_helper_t)
@@ -11371,7 +11438,7 @@ index 0b827c5..8a5d6a4 100644
')
########################################
-@@ -160,8 +164,25 @@ interface(`abrt_run_helper',`
+@@ -160,8 +165,25 @@ interface(`abrt_run_helper',`
########################################
## <summary>
@@ -11399,7 +11466,7 @@ index 0b827c5..8a5d6a4 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -253,6 +274,24 @@ interface(`abrt_manage_pid_files',`
+@@ -253,6 +275,24 @@ interface(`abrt_manage_pid_files',`
manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t)
')
@@ -11565,6 +11632,19 @@ index 98646c4..2bd70ae 100644
+ allow abrt_t domain:file write;
+ allow abrt_t domain:process setrlimit;
+')
+diff --git a/policy/modules/services/accountsd.if b/policy/modules/services/accountsd.if
+index c0f858d..b46f76f 100644
+--- a/policy/modules/services/accountsd.if
++++ b/policy/modules/services/accountsd.if
+@@ -138,7 +138,7 @@ interface(`accountsd_admin',`
+ type accountsd_t;
+ ')
+
+- allow $1 accountsd_t:process { ptrace signal_perms getattr };
++ allow $1 accountsd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, accountsd_t)
+
+ accountsd_manage_lib_files($1)
diff --git a/policy/modules/services/accountsd.te b/policy/modules/services/accountsd.te
index 1632f10..2724c11 100644
--- a/policy/modules/services/accountsd.te
@@ -11587,6 +11667,21 @@ index 1632f10..2724c11 100644
+ xserver_dbus_chat_xdm(accountsd_t)
+ xserver_manage_xdm_etc_files(accountsd_t)
+')
+diff --git a/policy/modules/services/afs.if b/policy/modules/services/afs.if
+index 8559cdc..49c0cc8 100644
+--- a/policy/modules/services/afs.if
++++ b/policy/modules/services/afs.if
+@@ -97,8 +97,8 @@ interface(`afs_admin',`
+ type afs_t, afs_initrc_exec_t;
+ ')
+
+- allow $1 afs_t:process { ptrace signal_perms getattr };
+- read_files_pattern($1, afs_t, afs_t)
++ allow $1 afs_t:process { ptrace signal_perms };
++ ps_process_pattern($1, afs_t)
+
+ # Allow afs_admin to restart the afs service
+ afs_initrc_domtrans($1)
diff --git a/policy/modules/services/afs.te b/policy/modules/services/afs.te
index de8b791..9ec36b9 100644
--- a/policy/modules/services/afs.te
@@ -11740,7 +11835,7 @@ index 0000000..420c856
+')
diff --git a/policy/modules/services/aiccu.te b/policy/modules/services/aiccu.te
new file mode 100644
-index 0000000..d21aa69
+index 0000000..416c49e
--- /dev/null
+++ b/policy/modules/services/aiccu.te
@@ -0,0 +1,71 @@
@@ -11769,7 +11864,7 @@ index 0000000..d21aa69
+# aiccu local policy
+#
+
-+allow aiccu_t self:capability { kill net_admin };
++allow aiccu_t self:capability { kill net_admin net_raw };
+dontaudit aiccu_t self:capability sys_tty_config;
+allow aiccu_t self:process signal;
+allow aiccu_t self:fifo_file rw_fifo_file_perms;
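Review bot: The aiccu_t capability set grows from `{ kill net_admin }` to `{ kill net_admin net_raw }` with nothing recording what raw-socket use the daemon makes; capability rules are the ones most worth justifying in a daemon policy, and net_raw next to net_admin gives the domain broad control over the network stack. Add a why-comment above the rule, e.g. `# net_raw: aiccu opens raw sockets -- confirm against the denial that motivated this`, or reference the report that prompted the change. The rest of the aiccu.te local policy is outside this hunk.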
@@ -11990,35 +12085,6 @@ index 0000000..3441758
+miscfiles_read_localization(ajaxterm_t)
+
+sysnet_dns_name_resolve(ajaxterm_t)
-diff --git a/policy/modules/services/amavis.if b/policy/modules/services/amavis.if
-index adb3d5f..de26af5 100644
---- a/policy/modules/services/amavis.if
-+++ b/policy/modules/services/amavis.if
-@@ -56,7 +56,7 @@ interface(`amavis_read_spool_files',`
- ')
-
- files_search_spool($1)
-- allow $1 amavis_spool_t:file read_file_perms;
-+ read_files_pattern($1, amavis_spool_t, amavis_spool_t)
- ')
-
- ########################################
-diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te
-index 3e8002a..31f4612 100644
---- a/policy/modules/services/amavis.te
-+++ b/policy/modules/services/amavis.te
-@@ -92,9 +92,10 @@ manage_sock_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t)
- logging_log_filetrans(amavis_t, amavis_var_log_t, { sock_file file dir })
-
- # pid file
-+manage_dirs_pattern(amavis_t, amavis_var_run_t, amavis_var_run_t)
- manage_files_pattern(amavis_t, amavis_var_run_t, amavis_var_run_t)
- manage_sock_files_pattern(amavis_t, amavis_var_run_t, amavis_var_run_t)
--files_pid_filetrans(amavis_t, amavis_var_run_t, { file sock_file })
-+files_pid_filetrans(amavis_t, amavis_var_run_t, { file sock_file dir })
-
- kernel_read_kernel_sysctls(amavis_t)
- # amavis tries to access /proc/self/stat, /etc/shadow and /root - perl...
diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
index 9e39aa5..8603d4d 100644
--- a/policy/modules/services/apache.fc
@@ -13254,26 +13320,32 @@ index 1c8c27e..c7cba00 100644
',`
# for ifconfig which is run all the time
kernel_dontaudit_search_sysctl(apmd_t)
-diff --git a/policy/modules/services/arpwatch.te b/policy/modules/services/arpwatch.te
-index 0160ba4..f31b5c9 100644
---- a/policy/modules/services/arpwatch.te
-+++ b/policy/modules/services/arpwatch.te
-@@ -50,6 +50,7 @@ kernel_read_network_state(arpwatch_t)
- kernel_read_kernel_sysctls(arpwatch_t)
- kernel_list_proc(arpwatch_t)
- kernel_read_proc_symlinks(arpwatch_t)
-+kernel_request_load_module(arpwatch_t)
-
- corenet_all_recvfrom_unlabeled(arpwatch_t)
- corenet_all_recvfrom_netlabel(arpwatch_t)
-@@ -63,6 +64,7 @@ corenet_tcp_sendrecv_all_ports(arpwatch_t)
- corenet_udp_sendrecv_all_ports(arpwatch_t)
-
- dev_read_sysfs(arpwatch_t)
-+dev_read_usbmon_dev(arpwatch_t)
- dev_rw_generic_usb_dev(arpwatch_t)
-
- fs_getattr_all_fs(arpwatch_t)
+diff --git a/policy/modules/services/arpwatch.if b/policy/modules/services/arpwatch.if
+index c804110..bdefbe1 100644
+--- a/policy/modules/services/arpwatch.if
++++ b/policy/modules/services/arpwatch.if
+@@ -137,7 +137,7 @@ interface(`arpwatch_admin',`
+ type arpwatch_initrc_exec_t;
+ ')
+
+- allow $1 arpwatch_t:process { ptrace signal_perms getattr };
++ allow $1 arpwatch_t:process { ptrace signal_perms };
+ ps_process_pattern($1, arpwatch_t)
+
+ arpwatch_initrc_domtrans($1)
+diff --git a/policy/modules/services/asterisk.if b/policy/modules/services/asterisk.if
+index 8b8143e..c1a2b96 100644
+--- a/policy/modules/services/asterisk.if
++++ b/policy/modules/services/asterisk.if
+@@ -64,7 +64,7 @@ interface(`asterisk_admin',`
+ type asterisk_initrc_exec_t;
+ ')
+
+- allow $1 asterisk_t:process { ptrace signal_perms getattr };
++ allow $1 asterisk_t:process { ptrace signal_perms };
+ ps_process_pattern($1, asterisk_t)
+
+ init_labeled_script_domtrans($1, asterisk_initrc_exec_t)
diff --git a/policy/modules/services/asterisk.te b/policy/modules/services/asterisk.te
index b9e94c4..608e3a1 100644
--- a/policy/modules/services/asterisk.te
@@ -13305,6 +13377,29 @@ index b9e94c4..608e3a1 100644
postgresql_stream_connect(asterisk_t)
')
+diff --git a/policy/modules/services/automount.if b/policy/modules/services/automount.if
+index d80a16b..f384848 100644
+--- a/policy/modules/services/automount.if
++++ b/policy/modules/services/automount.if
+@@ -68,7 +68,8 @@ interface(`automount_read_state',`
+ type automount_t;
+ ')
+
+- read_files_pattern($1, automount_t, automount_t)
++ kernel_search_proc($1)
++ ps_process_pattern($1, automount_t)
+ ')
+
+ ########################################
+@@ -149,7 +150,7 @@ interface(`automount_admin',`
+ type automount_var_run_t, automount_initrc_exec_t;
+ ')
+
+- allow $1 automount_t:process { ptrace signal_perms getattr };
++ allow $1 automount_t:process { ptrace signal_perms };
+ ps_process_pattern($1, automount_t)
+
+ init_labeled_script_domtrans($1, automount_initrc_exec_t)
diff --git a/policy/modules/services/automount.te b/policy/modules/services/automount.te
index 39799db..6189565 100644
--- a/policy/modules/services/automount.te
@@ -13506,7 +13601,7 @@ index 0000000..c095160
+/var/lib/boinc/slots(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
diff --git a/policy/modules/services/boinc.if b/policy/modules/services/boinc.if
new file mode 100644
-index 0000000..9f4885c
+index 0000000..272bf74
--- /dev/null
+++ b/policy/modules/services/boinc.if
@@ -0,0 +1,151 @@
@@ -13650,8 +13745,8 @@ index 0000000..9f4885c
+ type boinc_var_lib_t;
+ ')
+
-+ allow $1 boinc_t:process { ptrace signal_perms getattr };
-+ read_files_pattern($1, boinc_t, boinc_t)
++ allow $1 boinc_t:process { ptrace signal_perms };
++ ps_process_pattern($1, boinc_t)
+
+ boinc_initrc_domtrans($1)
+ domain_system_change_exemption($1)
@@ -14213,22 +14308,6 @@ index 0000000..e67f987
+fs_getattr_xattr_fs(cachefiles_kernel_t)
+
+dev_search_sysfs(cachefiles_kernel_t)
-diff --git a/policy/modules/services/canna.te b/policy/modules/services/canna.te
-index 358b757..b819a47 100644
---- a/policy/modules/services/canna.te
-+++ b/policy/modules/services/canna.te
-@@ -42,9 +42,10 @@ manage_files_pattern(canna_t, canna_var_lib_t, canna_var_lib_t)
- manage_lnk_files_pattern(canna_t, canna_var_lib_t, canna_var_lib_t)
- files_var_lib_filetrans(canna_t, canna_var_lib_t, file)
-
-+manage_dirs_pattern(canna_t, canna_var_run_t, canna_var_run_t)
- manage_files_pattern(canna_t, canna_var_run_t, canna_var_run_t)
- manage_sock_files_pattern(canna_t, canna_var_run_t, canna_var_run_t)
--files_pid_filetrans(canna_t, canna_var_run_t, { file sock_file })
-+files_pid_filetrans(canna_t, canna_var_run_t, { dir file sock_file })
-
- kernel_read_kernel_sysctls(canna_t)
- kernel_read_system_state(canna_t)
diff --git a/policy/modules/services/ccs.te b/policy/modules/services/ccs.te
index 4c90b57..bffe6b6 100644
--- a/policy/modules/services/ccs.te
@@ -14244,38 +14323,8 @@ index 4c90b57..bffe6b6 100644
+optional_policy(`
unconfined_use_fds(ccs_t)
')
-diff --git a/policy/modules/services/certmaster.if b/policy/modules/services/certmaster.if
-index 9629d3d..f9335fb 100644
---- a/policy/modules/services/certmaster.if
-+++ b/policy/modules/services/certmaster.if
-@@ -18,6 +18,25 @@ interface(`certmaster_domtrans',`
- domtrans_pattern($1, certmaster_exec_t, certmaster_t)
- ')
-
-+####################################
-+## <summary>
-+## Execute certmaster.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`certmaster_exec',`
-+ gen_require(`
-+ type certmaster_exec_t;
-+ ')
-+
-+ can_exec($1, certmaster_exec_t)
-+ corecmd_search_bin($1)
-+')
-+
- #######################################
- ## <summary>
- ## read certmaster logs.
diff --git a/policy/modules/services/certmaster.te b/policy/modules/services/certmaster.te
-index d8b8639..da60c93 100644
+index 73f03ff..4aef864 100644
--- a/policy/modules/services/certmaster.te
+++ b/policy/modules/services/certmaster.te
@@ -60,6 +60,7 @@ corenet_tcp_bind_generic_node(certmaster_t)
@@ -14286,32 +14335,6 @@ index d8b8639..da60c93 100644
files_list_var(certmaster_t)
files_search_var_lib(certmaster_t)
-diff --git a/policy/modules/services/certmonger.if b/policy/modules/services/certmonger.if
-index a3728d4..7a6e5ba 100644
---- a/policy/modules/services/certmonger.if
-+++ b/policy/modules/services/certmonger.if
-@@ -167,8 +167,8 @@ interface(`certmonger_admin',`
- allow $2 system_r;
-
- files_search_var_lib($1)
-- admin_pattern($1, cermonger_var_lib_t)
-+ admin_pattern($1, certmonger_var_lib_t)
-
- files_search_pids($1)
-- admin_pattern($1, cermonger_var_run_t)
-+ admin_pattern($1, certmonger_var_run_t)
- ')
-diff --git a/policy/modules/services/certmonger.te b/policy/modules/services/certmonger.te
-index 7106981..261a37c 100644
---- a/policy/modules/services/certmonger.te
-+++ b/policy/modules/services/certmonger.te
-@@ -68,5 +68,5 @@ optional_policy(`
- ')
-
- optional_policy(`
-- unconfined_dbus_send(certmonger_t)
-+ pcscd_stream_connect(certmonger_t)
- ')
diff --git a/policy/modules/services/cgroup.te b/policy/modules/services/cgroup.te
index 8ca2333..63a18fc 100644
--- a/policy/modules/services/cgroup.te
@@ -14694,10 +14717,10 @@ index 0000000..d5b410f
+')
diff --git a/policy/modules/services/cmirrord.te b/policy/modules/services/cmirrord.te
new file mode 100644
-index 0000000..1e4adfa
+index 0000000..bb7d429
--- /dev/null
+++ b/policy/modules/services/cmirrord.te
-@@ -0,0 +1,56 @@
+@@ -0,0 +1,55 @@
+policy_module(cmirrord,1.0.0)
+
+########################################
@@ -14709,8 +14732,6 @@ index 0000000..1e4adfa
+type cmirrord_exec_t;
+init_daemon_domain(cmirrord_t, cmirrord_exec_t)
+
-+permissive cmirrord_t;
-+
+type cmirrord_initrc_exec_t;
+init_script_file(cmirrord_initrc_exec_t)
+
@@ -14726,6 +14747,7 @@ index 0000000..1e4adfa
+#
+
+allow cmirrord_t self:capability { net_admin kill };
++dontaudit cmirrord_t self:capability sys_tty_config;
+allow cmirrord_t self:process signal;
+
+allow cmirrord_t self:fifo_file rw_fifo_file_perms;
@@ -14797,7 +14819,7 @@ index 1cf6c4e..90c60df 100644
-/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t, s0)
-/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t, s0)
diff --git a/policy/modules/services/cobbler.if b/policy/modules/services/cobbler.if
-index 293e08d..1bdfe84 100644
+index 293e08d..b2198bb 100644
--- a/policy/modules/services/cobbler.if
+++ b/policy/modules/services/cobbler.if
@@ -26,6 +26,7 @@ interface(`cobblerd_domtrans',`
@@ -14907,7 +14929,7 @@ index 293e08d..1bdfe84 100644
## All of the rules required to administrate
## an cobblerd environment
## </summary>
-@@ -162,6 +186,9 @@ interface(`cobblerd_admin',`
+@@ -162,10 +186,13 @@ interface(`cobblerd_admin',`
gen_require(`
type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t;
type cobbler_etc_t, cobblerd_initrc_exec_t;
@@ -14916,7 +14938,13 @@ index 293e08d..1bdfe84 100644
+ type httpd_cobbler_content_rw_t;
')
- allow $1 cobblerd_t:process { ptrace signal_perms getattr };
+- allow $1 cobblerd_t:process { ptrace signal_perms getattr };
+- read_files_pattern($1, cobblerd_t, cobblerd_t)
++ allow $1 cobblerd_t:process { ptrace signal_perms };
++ ps_process_pattern($1, cobblerd_t)
+
+ files_search_etc($1)
+ admin_pattern($1, cobbler_etc_t)
@@ -176,10 +203,18 @@ interface(`cobblerd_admin',`
logging_search_logs($1)
admin_pattern($1, cobbler_var_log_t)
@@ -15254,8 +15282,38 @@ index 3a6d7eb..2098ee9 100644
/var/lib/corosync(/.*)? gen_context(system_u:object_r:corosync_var_lib_t,s0)
+diff --git a/policy/modules/services/corosync.if b/policy/modules/services/corosync.if
+index 5220c9d..05f7296 100644
+--- a/policy/modules/services/corosync.if
++++ b/policy/modules/services/corosync.if
+@@ -18,6 +18,25 @@ interface(`corosync_domtrans',`
+ domtrans_pattern($1, corosync_exec_t, corosync_t)
+ ')
+
++######################################
++## <summary>
++## Execute corosync in the caller domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`corosync_exec',`
++ gen_require(`
++ type corosync_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ can_exec($1, corosync_exec_t)
++')
++
+ #######################################
+ ## <summary>
+ ## Allow the specified domain to read corosync's log files.
diff --git a/policy/modules/services/corosync.te b/policy/modules/services/corosync.te
-index 7d2cf85..fdb0dcb 100644
+index 7d2cf85..ed9dd2f 100644
--- a/policy/modules/services/corosync.te
+++ b/policy/modules/services/corosync.te
@@ -32,8 +32,8 @@ files_pid_file(corosync_var_run_t)
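Review bot: The `<param>` description of the new `corosync_exec` interface reads `## Domain allowed to transition.`, but the body calls `can_exec($1, corosync_exec_t)`, which executes corosync in the caller's own domain with no domain transition, as the interface's own summary states. The parameter text should say `## Domain allowed access.`, the wording the non-transitioning interfaces elsewhere in this patch use. A reader choosing between `corosync_domtrans` and `corosync_exec` relies on this text to know whether the caller keeps its domain.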
@@ -15297,7 +15355,7 @@ index 7d2cf85..fdb0dcb 100644
auth_use_nsswitch(corosync_t)
-@@ -83,19 +88,35 @@ logging_send_syslog_msg(corosync_t)
+@@ -83,19 +88,36 @@ logging_send_syslog_msg(corosync_t)
miscfiles_read_localization(corosync_t)
@@ -15334,38 +15392,10 @@ index 7d2cf85..fdb0dcb 100644
+ rhcs_rw_cluster_shm(corosync_t)
+ rhcs_rw_cluster_semaphores(corosync_t)
+ rhcs_stream_connect_cluster(corosync_t)
++ rhcs_read_cluster_lib_files(corosync_t)
')
optional_policy(`
-diff --git a/policy/modules/services/courier.if b/policy/modules/services/courier.if
-index 37b03f6..9971337 100644
---- a/policy/modules/services/courier.if
-+++ b/policy/modules/services/courier.if
-@@ -38,10 +38,12 @@ template(`courier_domain_template',`
- read_files_pattern(courier_$1_t, courier_etc_t, courier_etc_t)
- allow courier_$1_t courier_etc_t:dir list_dir_perms;
-
-+ manage_dirs_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t)
- manage_files_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t)
- manage_lnk_files_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t)
- manage_sock_files_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t)
- files_search_pids(courier_$1_t)
-+ files_pid_filetrans(courier_$1_t, courier_var_run_t, dir)
-
- kernel_read_system_state(courier_$1_t)
- kernel_read_kernel_sysctls(courier_$1_t)
-diff --git a/policy/modules/services/courier.te b/policy/modules/services/courier.te
-index b96c242..72901d8 100644
---- a/policy/modules/services/courier.te
-+++ b/policy/modules/services/courier.te
-@@ -48,6 +48,7 @@ allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_fifo_file_perms;
- allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
- allow courier_authdaemon_t courier_tcpd_t:unix_stream_socket rw_stream_socket_perms;
- allow courier_authdaemon_t courier_tcpd_t:process sigchld;
-+allow courier_authdaemon_t courier_tcpd_t:fd use;
- allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
- allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_file_perms;
-
diff --git a/policy/modules/services/cron.fc b/policy/modules/services/cron.fc
index 2eefc08..3e8ad69 100644
--- a/policy/modules/services/cron.fc
@@ -15388,21 +15418,22 @@ index 2eefc08..3e8ad69 100644
+
+/var/log/mcelog.* -- gen_context(system_u:object_r:cron_log_t,s0)
diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if
-index 35241ed..cbd01be 100644
+index 35241ed..9822074 100644
--- a/policy/modules/services/cron.if
+++ b/policy/modules/services/cron.if
-@@ -12,6 +12,10 @@
+@@ -12,6 +12,11 @@
## </param>
#
template(`cron_common_crontab_template',`
+ gen_require(`
-+ type crond_t, crond_var_run_t;
++ type crond_t, crond_var_run_t, crontab_exec_t;
++ type cron_spool_t, user_cron_spool_t;
+ ')
+
##############################
#
# Declarations
-@@ -34,8 +38,12 @@ template(`cron_common_crontab_template',`
+@@ -34,8 +39,12 @@ template(`cron_common_crontab_template',`
allow $1_t self:process { setsched signal_perms };
allow $1_t self:fifo_file rw_fifo_file_perms;
@@ -15417,7 +15448,7 @@ index 35241ed..cbd01be 100644
# create files in /var/spool/cron
manage_files_pattern($1_t, { cron_spool_t user_cron_spool_t }, user_cron_spool_t)
-@@ -62,6 +70,7 @@ template(`cron_common_crontab_template',`
+@@ -62,6 +71,7 @@ template(`cron_common_crontab_template',`
logging_send_syslog_msg($1_t)
logging_send_audit_msgs($1_t)
@@ -15425,7 +15456,7 @@ index 35241ed..cbd01be 100644
init_dontaudit_write_utmp($1_t)
init_read_utmp($1_t)
-@@ -76,6 +85,7 @@ template(`cron_common_crontab_template',`
+@@ -76,6 +86,7 @@ template(`cron_common_crontab_template',`
userdom_use_user_terminals($1_t)
# Read user crontabs
userdom_read_user_home_content_files($1_t)
@@ -15433,7 +15464,7 @@ index 35241ed..cbd01be 100644
tunable_policy(`fcron_crond',`
# fcron wants an instant update of a crontab change for the administrator
-@@ -106,6 +116,8 @@ template(`cron_common_crontab_template',`
+@@ -106,6 +117,8 @@ template(`cron_common_crontab_template',`
interface(`cron_role',`
gen_require(`
type cronjob_t, crontab_t, crontab_exec_t;
@@ -15442,7 +15473,7 @@ index 35241ed..cbd01be 100644
')
role $1 types { cronjob_t crontab_t };
-@@ -116,6 +128,13 @@ interface(`cron_role',`
+@@ -116,6 +129,13 @@ interface(`cron_role',`
# Transition from the user domain to the derived domain.
domtrans_pattern($2, crontab_exec_t, crontab_t)
@@ -15456,7 +15487,7 @@ index 35241ed..cbd01be 100644
# crontab shows up in user ps
ps_process_pattern($2, crontab_t)
allow $2 crontab_t:process signal;
-@@ -154,27 +173,14 @@ interface(`cron_role',`
+@@ -154,27 +174,14 @@ interface(`cron_role',`
#
interface(`cron_unconfined_role',`
gen_require(`
@@ -15486,7 +15517,7 @@ index 35241ed..cbd01be 100644
optional_policy(`
gen_require(`
class dbus send_msg;
-@@ -408,7 +414,43 @@ interface(`cron_rw_pipes',`
+@@ -408,7 +415,43 @@ interface(`cron_rw_pipes',`
type crond_t;
')
@@ -15531,7 +15562,7 @@ index 35241ed..cbd01be 100644
')
########################################
-@@ -554,7 +596,7 @@ interface(`cron_rw_system_job_pipes',`
+@@ -554,7 +597,7 @@ interface(`cron_rw_system_job_pipes',`
type system_cronjob_t;
')
@@ -15540,7 +15571,7 @@ index 35241ed..cbd01be 100644
')
########################################
-@@ -587,11 +629,14 @@ interface(`cron_rw_system_job_stream_sockets',`
+@@ -587,11 +630,14 @@ interface(`cron_rw_system_job_stream_sockets',`
#
interface(`cron_read_system_job_tmp_files',`
gen_require(`
@@ -15556,12 +15587,11 @@ index 35241ed..cbd01be 100644
')
########################################
-@@ -627,7 +672,48 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
+@@ -627,7 +673,47 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
interface(`cron_dontaudit_write_system_job_tmp_files',`
gen_require(`
type system_cronjob_tmp_t;
+ type cron_var_run_t;
-+ type system_cronjob_var_run_t;
')
dontaudit $1 system_cronjob_tmp_t:file write_file_perms;
@@ -15606,7 +15636,7 @@ index 35241ed..cbd01be 100644
+ manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
')
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
-index f35b243..c72dd92 100644
+index f35b243..ff1a1c9 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -63,9 +63,12 @@ init_script_file(crond_initrc_exec_t)
@@ -15884,17 +15914,21 @@ index f35b243..c72dd92 100644
')
optional_policy(`
-@@ -497,6 +579,9 @@ optional_policy(`
+@@ -497,7 +579,13 @@ optional_policy(`
')
optional_policy(`
-+ unconfined_dbus_send(crond_t)
-+ unconfined_shell_domtrans(crond_t)
+ unconfined_domain(crond_t)
unconfined_domain(system_cronjob_t)
++')
++
++optional_policy(`
++ unconfined_shell_domtrans(crond_t)
++ unconfined_dbus_send(crond_t)
userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
')
-@@ -590,7 +675,10 @@ userdom_manage_user_home_content_sockets(cronjob_t)
+
+@@ -590,7 +678,10 @@ userdom_manage_user_home_content_sockets(cronjob_t)
#userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
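Review bot: After the split, `userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, ...)` sits in an `optional_policy` block whose other two calls, `unconfined_shell_domtrans(crond_t)` and `unconfined_dbus_send(crond_t)`, concern a different domain; the filetrans rule does not depend on the unconfined module and is easier to audit next to `unconfined_domain(system_cronjob_t)` in the first block, or outside `optional_policy` altogether. A short comment above the second block explaining why these crond_t rules are kept apart from `unconfined_domain(crond_t)` would also help the next reader, since the grouping is not obvious from the rules themselves. The cron.te section continues beyond this hunk.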
@@ -16292,21 +16326,6 @@ index b354128..c725cae 100644
+ xserver_rw_xdm_pipes(session_bus_type)
+ xserver_append_xdm_home_files(session_bus_type)
+')
-diff --git a/policy/modules/services/dcc.te b/policy/modules/services/dcc.te
-index f02cfe4..0cb9ac9 100644
---- a/policy/modules/services/dcc.te
-+++ b/policy/modules/services/dcc.te
-@@ -231,8 +231,9 @@ manage_dirs_pattern(dccd_t, dccd_tmp_t, dccd_tmp_t)
- manage_files_pattern(dccd_t, dccd_tmp_t, dccd_tmp_t)
- files_tmp_filetrans(dccd_t, dccd_tmp_t, { file dir })
-
-+manage_dirs_pattern(dccd_t, dccd_var_run_t, dccd_var_run_t)
- manage_files_pattern(dccd_t, dccd_var_run_t, dccd_var_run_t)
--files_pid_filetrans(dccd_t, dccd_var_run_t, file)
-+files_pid_filetrans(dccd_t, dccd_var_run_t, { file dir })
-
- kernel_read_system_state(dccd_t)
- kernel_read_kernel_sysctls(dccd_t)
diff --git a/policy/modules/services/denyhosts.te b/policy/modules/services/denyhosts.te
index 8ba9425..d53ee7e 100644
--- a/policy/modules/services/denyhosts.te
@@ -16350,6 +16369,27 @@ index 8ba9425..d53ee7e 100644
+optional_policy(`
+ gnome_dontaudit_search_config(denyhosts_t)
+')
+diff --git a/policy/modules/services/devicekit.if b/policy/modules/services/devicekit.if
+index f706b99..70cf018 100644
+--- a/policy/modules/services/devicekit.if
++++ b/policy/modules/services/devicekit.if
+@@ -165,13 +165,13 @@ interface(`devicekit_admin',`
+ type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t;
+ ')
+
+- allow $1 devicekit_t:process { ptrace signal_perms getattr };
++ allow $1 devicekit_t:process { ptrace signal_perms };
+ ps_process_pattern($1, devicekit_t)
+
+- allow $1 devicekit_disk_t:process { ptrace signal_perms getattr };
++ allow $1 devicekit_disk_t:process { ptrace signal_perms };
+ ps_process_pattern($1, devicekit_disk_t)
+
+- allow $1 devicekit_power_t:process { ptrace signal_perms getattr };
++ allow $1 devicekit_power_t:process { ptrace signal_perms };
+ ps_process_pattern($1, devicekit_power_t)
+
+ admin_pattern($1, devicekit_tmp_t)
diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
index f231f17..6cee08f 100644
--- a/policy/modules/services/devicekit.te
@@ -16457,6 +16497,19 @@ index f231f17..6cee08f 100644
vbetool_domtrans(devicekit_power_t)
')
+
+diff --git a/policy/modules/services/dhcp.if b/policy/modules/services/dhcp.if
+index 5e2cea8..aa4da1d 100644
+--- a/policy/modules/services/dhcp.if
++++ b/policy/modules/services/dhcp.if
+@@ -77,7 +77,7 @@ interface(`dhcpd_initrc_domtrans',`
+ #
+ interface(`dhcpd_admin',`
+ gen_require(`
+- type dhcpd_t; type dhcpd_tmp_t; type dhcpd_state_t;
++ type dhcpd_t, dhcpd_tmp_t, dhcpd_state_t;
+ type dhcpd_var_run_t, dhcpd_initrc_exec_t;
+ ')
+
diff --git a/policy/modules/services/dhcp.te b/policy/modules/services/dhcp.te
index d4424ad..a307b51 100644
--- a/policy/modules/services/dhcp.te
@@ -16473,10 +16526,10 @@ index d4424ad..a307b51 100644
dbus_connect_system_bus(dhcpd_t)
')
diff --git a/policy/modules/services/djbdns.te b/policy/modules/services/djbdns.te
-index 22221ad..bd97d09 100644
+index 0c6a473..e723266 100644
--- a/policy/modules/services/djbdns.te
+++ b/policy/modules/services/djbdns.te
-@@ -22,6 +22,8 @@ djbdns_daemontools_domain_template(tinydns)
+@@ -23,6 +23,8 @@ djbdns_daemontools_domain_template(tinydns)
# Local policy for axfrdns component
#
@@ -16685,7 +16738,7 @@ index 298f066..c2570df 100644
/var/log/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_log_t,s0)
/var/run/exim[0-9]?\.pid -- gen_context(system_u:object_r:exim_var_run_t,s0)
diff --git a/policy/modules/services/exim.if b/policy/modules/services/exim.if
-index 6bef7f8..0217906 100644
+index 6bef7f8..1685c5d 100644
--- a/policy/modules/services/exim.if
+++ b/policy/modules/services/exim.if
@@ -20,6 +20,24 @@ interface(`exim_domtrans',`
@@ -16740,8 +16793,8 @@ index 6bef7f8..0217906 100644
+ type exim_tmp_t, exim_spool_t, exim_var_run_t;
+ ')
+
-+ allow $1 exim_t:process { ptrace signal_perms getattr };
-+ read_files_pattern($1, exim_t, exim_t)
++ allow $1 exim_t:process { ptrace signal_perms };
++ ps_process_pattern($1, exim_t)
+
+ exim_initrc_domtrans($1)
+ domain_system_change_exemption($1)
@@ -16838,21 +16891,18 @@ index 2a69e5e..fd30b02 100644
+optional_policy(`
iptables_domtrans(fail2ban_t)
')
-diff --git a/policy/modules/services/fetchmail.te b/policy/modules/services/fetchmail.te
-index dc2c044..5f5b57b 100644
---- a/policy/modules/services/fetchmail.te
-+++ b/policy/modules/services/fetchmail.te
-@@ -37,8 +37,9 @@ allow fetchmail_t fetchmail_etc_t:file read_file_perms;
- allow fetchmail_t fetchmail_uidl_cache_t:file manage_file_perms;
- mta_spool_filetrans(fetchmail_t, fetchmail_uidl_cache_t, file)
-
-+manage_dirs_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t)
- manage_files_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t)
--files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, file)
-+files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, { dir file })
-
- kernel_read_kernel_sysctls(fetchmail_t)
- kernel_list_proc(fetchmail_t)
+diff --git a/policy/modules/services/fetchmail.if b/policy/modules/services/fetchmail.if
+index 6537214..7d64c0a 100644
+--- a/policy/modules/services/fetchmail.if
++++ b/policy/modules/services/fetchmail.if
+@@ -18,6 +18,7 @@ interface(`fetchmail_admin',`
+ type fetchmail_var_run_t;
+ ')
+
++ allow $1 fetchmail_t:process { ptrace signal_perms };
+ ps_process_pattern($1, fetchmail_t)
+
+ files_list_etc($1)
diff --git a/policy/modules/services/fprintd.te b/policy/modules/services/fprintd.te
index 7df52c7..899feaf 100644
--- a/policy/modules/services/fprintd.te
@@ -17827,10 +17877,18 @@ index 03742d8..7b9c543 100644
')
diff --git a/policy/modules/services/hal.if b/policy/modules/services/hal.if
-index 7cf6763..5b9771e 100644
+index 7cf6763..0d50d0d 100644
--- a/policy/modules/services/hal.if
+++ b/policy/modules/services/hal.if
-@@ -377,6 +377,25 @@ interface(`hal_read_pid_files',`
+@@ -51,6 +51,7 @@ interface(`hal_read_state',`
+ type hald_t;
+ ')
+
++ kernel_search_proc($1)
+ ps_process_pattern($1, hald_t)
+ ')
+
+@@ -377,6 +378,25 @@ interface(`hal_read_pid_files',`
########################################
## <summary>
@@ -17839,7 +17897,7 @@ index 7cf6763..5b9771e 100644
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain allowed access.
++## Domain to not audit.
+## </summary>
+## </param>
+#
@@ -17856,7 +17914,7 @@ index 7cf6763..5b9771e 100644
## Read/Write hald PID files.
## </summary>
## <param name="domain">
-@@ -431,3 +450,27 @@ interface(`hal_manage_pid_files',`
+@@ -431,3 +451,27 @@ interface(`hal_manage_pid_files',`
files_search_pids($1)
manage_files_pattern($1, hald_var_run_t, hald_var_run_t)
')
@@ -17867,7 +17925,7 @@ index 7cf6763..5b9771e 100644
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain allowed access.
++## Domain to not audit.
+## </summary>
+## </param>
+#
@@ -17988,11 +18046,36 @@ index 24c6253..e72b063 100644
########################################
#
# Local hald dccm policy
+diff --git a/policy/modules/services/hddtemp.if b/policy/modules/services/hddtemp.if
+index 87b4531..777b036 100644
+--- a/policy/modules/services/hddtemp.if
++++ b/policy/modules/services/hddtemp.if
+@@ -70,8 +70,4 @@ interface(`hddtemp_admin',`
+
+ admin_pattern($1, hddtemp_etc_t)
+ files_search_etc($1)
+-
+- allow $1 hddtemp_t:dir list_dir_perms;
+- read_lnk_files_pattern($1, hddtemp_t, hddtemp_t)
+- kernel_search_proc($1)
+ ')
+diff --git a/policy/modules/services/icecast.if b/policy/modules/services/icecast.if
+index ecab47a..3aa86f3 100644
+--- a/policy/modules/services/icecast.if
++++ b/policy/modules/services/icecast.if
+@@ -173,6 +173,7 @@ interface(`icecast_admin',`
+ type icecast_t, icecast_initrc_exec_t;
+ ')
+
++ allow $1 icecast_t:process { ptrace signal_perms };
+ ps_process_pattern($1, icecast_t)
+
+ # Allow icecast_t to restart the apache service
diff --git a/policy/modules/services/icecast.te b/policy/modules/services/icecast.te
-index a57ffc0..4992511 100644
+index f368bf3..80befb0 100644
--- a/policy/modules/services/icecast.te
+++ b/policy/modules/services/icecast.te
-@@ -5,6 +5,14 @@ policy_module(icecast, 1.0.0)
+@@ -5,6 +5,14 @@ policy_module(icecast, 1.0.1)
# Declarations
#
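Review bot: Dropping `kernel_search_proc($1)` together with the `hddtemp_t:dir` list and lnk_file read rules from `hddtemp_admin` is only safe if the interface still grants `ps_process_pattern($1, hddtemp_t)` earlier in its body, as the other `*_admin` interfaces touched by this patch do; that part of `hddtemp_admin` starts outside the hunk, so it cannot be confirmed here. If it is absent, an administrator loses the ability to inspect hddtemp's /proc entries, and the removed lines should be replaced by `kernel_search_proc($1)` and `ps_process_pattern($1, hddtemp_t)` rather than deleted outright.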
@@ -18007,12 +18090,9 @@ index a57ffc0..4992511 100644
type icecast_t;
type icecast_exec_t;
init_daemon_domain(icecast_t, icecast_exec_t)
-@@ -37,7 +45,16 @@ manage_dirs_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t)
- manage_files_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t)
- files_pid_filetrans(icecast_t, icecast_var_run_t, { file dir })
+@@ -40,6 +48,13 @@ files_pid_filetrans(icecast_t, icecast_var_run_t, { file dir })
+ kernel_read_system_state(icecast_t)
-+kernel_read_system_state(icecast_t)
-+
corenet_tcp_bind_soundd_port(icecast_t)
+corenet_tcp_connect_soundd_port(icecast_t)
+
@@ -18024,16 +18104,6 @@ index a57ffc0..4992511 100644
# Init script handling
domain_use_interactive_fds(icecast_t)
-@@ -51,5 +68,9 @@ miscfiles_read_localization(icecast_t)
- sysnet_dns_name_resolve(icecast_t)
-
- optional_policy(`
-+ apache_read_sys_content(icecast_t)
-+')
-+
-+optional_policy(`
- rtkit_scheduled(icecast_t)
- ')
diff --git a/policy/modules/services/inn.te b/policy/modules/services/inn.te
index 9fab1dc..05119f7 100644
--- a/policy/modules/services/inn.te
@@ -18075,7 +18145,7 @@ index 4c9acec..908eb91 100644
/var/lib/jabber(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
/var/log/jabber(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0)
diff --git a/policy/modules/services/jabber.if b/policy/modules/services/jabber.if
-index 9878499..2873e8f 100644
+index 9878499..f17e629 100644
--- a/policy/modules/services/jabber.if
+++ b/policy/modules/services/jabber.if
@@ -1,17 +1,96 @@
@@ -18149,7 +18219,7 @@ index 9878499..2873e8f 100644
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain allowed access.
++## Domain to not audit.
+## </summary>
+## </param>
+#
@@ -18491,7 +18561,7 @@ index c62f23e..335fda1 100644
/var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0)
+/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0)
diff --git a/policy/modules/services/ldap.if b/policy/modules/services/ldap.if
-index 3aa8fa7..e5684f4 100644
+index 3aa8fa7..d15f94d 100644
--- a/policy/modules/services/ldap.if
+++ b/policy/modules/services/ldap.if
@@ -1,5 +1,43 @@
@@ -18564,13 +18634,16 @@ index 3aa8fa7..e5684f4 100644
## Read the OpenLDAP configuration files.
## </summary>
## <param name="domain">
-@@ -71,6 +128,30 @@ interface(`ldap_stream_connect',`
+@@ -69,8 +126,30 @@ interface(`ldap_stream_connect',`
+ ')
+
files_search_pids($1)
- allow $1 slapd_var_run_t:sock_file write;
- allow $1 slapd_t:unix_stream_socket connectto;
+- allow $1 slapd_var_run_t:sock_file write;
+- allow $1 slapd_t:unix_stream_socket connectto;
++ stream_connect_pattern($1, slapd_var_run_t, slapd_var_run_t, slapd_t)
+
+ optional_policy(`
-+ ldap_stream_connect_dirsrv($1)
++ ldap_stream_connect_dirsrv($1)
+ ')
+')
+
@@ -18590,8 +18663,7 @@ index 3aa8fa7..e5684f4 100644
+ ')
+
+ files_search_pids($1)
-+ allow $1 dirsrv_var_run_t:sock_file write;
-+ allow $1 dirsrv_t:unix_stream_socket connectto;
++ stream_connect_pattern($1, dirsrv_var_run_t, dirsrv_var_run_t, dirsrv_t)
')
########################################
@@ -18677,6 +18749,19 @@ index 6a78de1..02f6985 100644
dev_read_mouse(lircd_t)
dev_filetrans_lirc(lircd_t)
dev_rw_lirc(lircd_t)
+diff --git a/policy/modules/services/lpd.if b/policy/modules/services/lpd.if
+index a4f32f5..d801ec0 100644
+--- a/policy/modules/services/lpd.if
++++ b/policy/modules/services/lpd.if
+@@ -153,7 +153,7 @@ interface(`lpd_relabel_spool',`
+ ')
+
+ files_search_spool($1)
+- allow $1 print_spool_t:file { relabelto relabelfrom };
++ allow $1 print_spool_t:file relabel_file_perms;
+ ')
+
+ ########################################
diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te
index 93c14ca..4d31118 100644
--- a/policy/modules/services/lpd.te
@@ -18744,7 +18829,7 @@ index af4d572..ac97ed9 100644
\ No newline at end of file
+')
diff --git a/policy/modules/services/memcached.if b/policy/modules/services/memcached.if
-index db4fd6f..c28a876 100644
+index db4fd6f..ee60e59 100644
--- a/policy/modules/services/memcached.if
+++ b/policy/modules/services/memcached.if
@@ -59,6 +59,7 @@ interface(`memcached_admin',`
@@ -18755,6 +18840,13 @@ index db4fd6f..c28a876 100644
')
allow $1 memcached_t:process { ptrace signal_perms };
+@@ -69,5 +70,6 @@ interface(`memcached_admin',`
+ role_transition $2 memcached_initrc_exec_t system_r;
+ allow $2 system_r;
+
++ files_search_pids($1)
+ admin_pattern($1, memcached_var_run_t)
+ ')
diff --git a/policy/modules/services/milter.fc b/policy/modules/services/milter.fc
index 55a3e2f..613c69d 100644
--- a/policy/modules/services/milter.fc
@@ -19334,10 +19426,10 @@ index 0000000..564b22d
+/var/lib/mpd/playlists(/.*)? gen_context(system_u:object_r:mpd_data_t,s0)
diff --git a/policy/modules/services/mpd.if b/policy/modules/services/mpd.if
new file mode 100644
-index 0000000..07dac12
+index 0000000..5599d14
--- /dev/null
+++ b/policy/modules/services/mpd.if
-@@ -0,0 +1,274 @@
+@@ -0,0 +1,273 @@
+
+## <summary>policy for daemon for playing music</summary>
+
@@ -19393,7 +19485,6 @@ index 0000000..07dac12
+ type mpd_data_t;
+ ')
+
-+ files_search_var_lib($1)
+ mpd_search_lib($1)
+ read_files_pattern($1, mpd_data_t, mpd_data_t)
+')
@@ -19413,8 +19504,7 @@ index 0000000..07dac12
+ type mpd_tmpfs_t;
+ ')
+
-+ files_search_var_lib($1)
-+ mpd_search_lib($1)
++ fs_search_tmpfs($1)
+ read_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t)
+')
+
@@ -19433,8 +19523,7 @@ index 0000000..07dac12
+ type mpd_tmpfs_t;
+ ')
+
-+ files_search_var_lib($1)
-+ mpd_search_lib($1)
++ fs_search_tmpfs($1)
+ manage_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t)
+ manage_lnk_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t)
+')
@@ -19454,7 +19543,6 @@ index 0000000..07dac12
+ type mpd_data_t;
+ ')
+
-+ files_search_var_lib($1)
+ mpd_search_lib($1)
+ manage_files_pattern($1, mpd_data_t, mpd_data_t)
+')
@@ -19590,6 +19678,7 @@ index 0000000..07dac12
+ type mpd_data_t;
+ type mpd_log_t;
+ type mpd_var_lib_t;
++ type mpd_tmpfs_t;
+ ')
+
+ allow $1 mpd_t:process { ptrace signal_perms };
@@ -19611,6 +19700,8 @@ index 0000000..07dac12
+
+ admin_pattern($1, mpd_log_t)
+
++ fs_search_tmpfs($1)
++ admin_pattern($1, mpd_tmpfs_t)
+')
diff --git a/policy/modules/services/mpd.te b/policy/modules/services/mpd.te
new file mode 100644
@@ -20133,7 +20224,7 @@ index fd71d69..bad9920 100644
/var/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0)
/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0)
diff --git a/policy/modules/services/munin.if b/policy/modules/services/munin.if
-index c358d8f..5046738 100644
+index c358d8f..dda8ca9 100644
--- a/policy/modules/services/munin.if
+++ b/policy/modules/services/munin.if
@@ -13,10 +13,11 @@
@@ -20169,7 +20260,18 @@ index c358d8f..5046738 100644
')
########################################
-@@ -92,6 +84,24 @@ interface(`munin_read_config',`
+@@ -65,9 +57,8 @@ interface(`munin_stream_connect',`
+ type munin_var_run_t, munin_t;
+ ')
+
+- allow $1 munin_t:unix_stream_socket connectto;
+- allow $1 munin_var_run_t:sock_file { getattr write };
+ files_search_pids($1)
++ stream_connect_pattern($1, munin_var_run_t, munin_var_run_t, munin_t)
+ ')
+
+ #######################################
+@@ -92,6 +83,24 @@ interface(`munin_read_config',`
files_search_etc($1)
')
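Review bot: Replacing the two explicit allows in `munin_stream_connect` with `stream_connect_pattern` drops `getattr` on `munin_var_run_t:sock_file` if this tree's `stream_connect_pattern` grants only `write` on the socket file, which older refpolicy releases did; a client that stat()s the socket before connecting would then hit a new denial. If that is the case here, keep `allow $1 munin_var_run_t:sock_file getattr;` next to the pattern, or confirm the pattern expands to a permission set that already includes getattr.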
@@ -20375,6 +20477,18 @@ index f17583b..13d365d 100644
+fs_getattr_all_fs(munin_plugin_domain)
+
+miscfiles_read_localization(munin_plugin_domain)
+diff --git a/policy/modules/services/mysql.if b/policy/modules/services/mysql.if
+index e9c0982..b81e257 100644
+--- a/policy/modules/services/mysql.if
++++ b/policy/modules/services/mysql.if
+@@ -73,6 +73,7 @@ interface(`mysql_stream_connect',`
+ type mysqld_t, mysqld_var_run_t, mysqld_db_t;
+ ')
+
++ files_search_pids($1)
+ stream_connect_pattern($1, mysqld_var_run_t, mysqld_var_run_t, mysqld_t)
+ stream_connect_pattern($1, mysqld_db_t, mysqld_var_run_t, mysqld_t)
+ ')
diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
index 0a0d63c..b370d53 100644
--- a/policy/modules/services/mysql.te
@@ -20842,19 +20956,37 @@ index 7936e09..6a174f5 100644
+optional_policy(`
+ unconfined_dontaudit_rw_packet_sockets(nscd_t)
+')
-diff --git a/policy/modules/services/nslcd.te b/policy/modules/services/nslcd.te
-index 21360e8..b314c0d 100644
---- a/policy/modules/services/nslcd.te
-+++ b/policy/modules/services/nslcd.te
-@@ -34,6 +34,8 @@ manage_files_pattern(nslcd_t, nslcd_var_run_t, nslcd_var_run_t)
- manage_sock_files_pattern(nslcd_t, nslcd_var_run_t, nslcd_var_run_t)
- files_pid_filetrans(nslcd_t, nslcd_var_run_t, { file dir })
+diff --git a/policy/modules/services/nslcd.if b/policy/modules/services/nslcd.if
+index 23c769c..b94add1 100644
+--- a/policy/modules/services/nslcd.if
++++ b/policy/modules/services/nslcd.if
+@@ -106,9 +106,9 @@ interface(`nslcd_admin',`
+ role_transition $2 nslcd_initrc_exec_t system_r;
+ allow $2 system_r;
-+kernel_read_system_state(nslcd_t)
-+
- files_read_etc_files(nslcd_t)
+- manage_files_pattern($1, nslcd_conf_t, nslcd_conf_t)
++ files_search_etc($1)
++ admin_pattern($1, nslcd_conf_t)
+
+- manage_dirs_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
+- manage_files_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
+- manage_lnk_files_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
++ files_search_pids($1)
++ admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
+ ')
+diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if
+index e80f8c0..6b240d9 100644
+--- a/policy/modules/services/ntp.if
++++ b/policy/modules/services/ntp.if
+@@ -144,7 +144,7 @@ interface(`ntp_admin',`
+ type ntpd_initrc_exec_t;
+ ')
- auth_use_nsswitch(nslcd_t)
+- allow $1 ntpd_t:process { ptrace signal_perms getattr };
++ allow $1 ntpd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, ntpd_t)
+
+ init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
index c61adc8..b5b5992 100644
--- a/policy/modules/services/ntp.te
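Review bot: `admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t)` passes a third argument while the `nslcd_conf_t` call two lines above passes two; unless `admin_pattern` in this tree accepts an optional file type, m4 silently discards the extra argument, so both calls should be written the same way, `admin_pattern($1, nslcd_var_run_t)`. Note also that this swaps the previous manage_* rules for the full admin set, which adds relabel permissions on both `nslcd_conf_t` and `nslcd_var_run_t` — expected for an admin interface, but a widening worth stating explicitly.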
@@ -20872,38 +21004,6 @@ index c61adc8..b5b5992 100644
term_use_ptmx(ntpd_t)
-diff --git a/policy/modules/services/nut.te b/policy/modules/services/nut.te
-index 181bd88..35b9bfa 100644
---- a/policy/modules/services/nut.te
-+++ b/policy/modules/services/nut.te
-@@ -41,7 +41,7 @@ read_files_pattern(nut_upsd_t, nut_conf_t, nut_conf_t)
- manage_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
- manage_dirs_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
- manage_sock_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
--files_pid_filetrans(nut_upsd_t, nut_var_run_t, { file sock_file })
-+files_pid_filetrans(nut_upsd_t, nut_var_run_t, { file sock_file dir })
-
- kernel_read_kernel_sysctls(nut_upsd_t)
-
-@@ -65,6 +65,7 @@ miscfiles_read_localization(nut_upsd_t)
- allow nut_upsmon_t self:capability { dac_override dac_read_search setgid setuid };
- allow nut_upsmon_t self:fifo_file rw_fifo_file_perms;
- allow nut_upsmon_t self:unix_dgram_socket { create_socket_perms sendto };
-+allow nut_upsmon_t self:unix_stream_socket { create_socket_perms connectto };
- allow nut_upsmon_t self:tcp_socket create_socket_perms;
-
- read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t)
-@@ -103,6 +104,10 @@ miscfiles_read_localization(nut_upsmon_t)
-
- mta_send_mail(nut_upsmon_t)
-
-+optional_policy(`
-+ shutdown_domtrans(nut_upsmon_t)
-+')
-+
- ########################################
- #
- # Local policy for upsdrvctl
diff --git a/policy/modules/services/nx.if b/policy/modules/services/nx.if
index 79a225c..b1384ad 100644
--- a/policy/modules/services/nx.if
@@ -20951,7 +21051,7 @@ index bdf8c89..5ee1598 100644
/usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0)
diff --git a/policy/modules/services/oddjob.if b/policy/modules/services/oddjob.if
-index bd76ec2..85f6ada 100644
+index bd76ec2..ca33ae3 100644
--- a/policy/modules/services/oddjob.if
+++ b/policy/modules/services/oddjob.if
@@ -22,6 +22,25 @@ interface(`oddjob_domtrans',`
@@ -20965,7 +21065,7 @@ index bd76ec2..85f6ada 100644
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain allowed access.
++## Domain to not audit.
+## </summary>
+## </param>
+#
@@ -21040,22 +21140,6 @@ index 0a244b1..9097656 100644
logging_send_syslog_msg(oidentd_t)
-diff --git a/policy/modules/services/openct.te b/policy/modules/services/openct.te
-index 4996f62..975deca 100644
---- a/policy/modules/services/openct.te
-+++ b/policy/modules/services/openct.te
-@@ -20,9 +20,10 @@ files_pid_file(openct_var_run_t)
- dontaudit openct_t self:capability sys_tty_config;
- allow openct_t self:process signal_perms;
-
-+manage_dirs_pattern(openct_t, openct_var_run_t, openct_var_run_t)
- manage_files_pattern(openct_t, openct_var_run_t, openct_var_run_t)
- manage_sock_files_pattern(openct_t, openct_var_run_t, openct_var_run_t)
--files_pid_filetrans(openct_t, openct_var_run_t, { file sock_file })
-+files_pid_filetrans(openct_t, openct_var_run_t, { file sock_file dir })
-
- kernel_read_kernel_sysctls(openct_t)
- kernel_list_proc(openct_t)
diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te
index 8b550f4..ba7c06b 100644
--- a/policy/modules/services/openvpn.te
@@ -21132,6 +21216,20 @@ index 8b550f4..ba7c06b 100644
+optional_policy(`
+ unconfined_attach_tun_iface(openvpn_t)
+')
+diff --git a/policy/modules/services/pads.if b/policy/modules/services/pads.if
+index 8ac407e..4452d3b 100644
+--- a/policy/modules/services/pads.if
++++ b/policy/modules/services/pads.if
+@@ -39,6 +39,9 @@ interface(`pads_admin', `
+ role_transition $2 pads_initrc_exec_t system_r;
+ allow $2 system_r;
+
++ files_search_pids($1)
+ admin_pattern($1, pads_var_run_t)
++
++ files_search_etc($1)
+ admin_pattern($1, pads_config_t)
+ ')
diff --git a/policy/modules/services/passenger.fc b/policy/modules/services/passenger.fc
new file mode 100644
index 0000000..8d00972
@@ -21293,20 +21391,6 @@ index 0000000..9cb0d1c
+ apache_append_log(passenger_t)
+ apache_read_sys_content(passenger_t)
+')
-diff --git a/policy/modules/services/pcscd.te b/policy/modules/services/pcscd.te
-index b881672..da06e9f 100644
---- a/policy/modules/services/pcscd.te
-+++ b/policy/modules/services/pcscd.te
-@@ -44,7 +44,8 @@ corenet_tcp_connect_http_port(pcscd_t)
- dev_rw_generic_usb_dev(pcscd_t)
- dev_rw_smartcard(pcscd_t)
- dev_rw_usbfs(pcscd_t)
--dev_search_sysfs(pcscd_t)
-+dev_list_sysfs(pcscd_t)
-+dev_read_sysfs(pcscd_t)
-
- files_read_etc_files(pcscd_t)
- files_read_etc_runtime_files(pcscd_t)
diff --git a/policy/modules/services/pegasus.te b/policy/modules/services/pegasus.te
index 3185114..e2e2f67 100644
--- a/policy/modules/services/pegasus.te
@@ -21831,6 +21915,27 @@ index 0000000..0a5f27d
+miscfiles_read_localization(piranha_domain)
+
+sysnet_read_config(piranha_domain)
+diff --git a/policy/modules/services/plymouthd.if b/policy/modules/services/plymouthd.if
+index 9759ed8..fecc0dc 100644
+--- a/policy/modules/services/plymouthd.if
++++ b/policy/modules/services/plymouthd.if
+@@ -249,12 +249,14 @@ interface(`plymouthd_admin', `
+ type plymouthd_var_run_t;
+ ')
+
+- allow $1 plymouthd_t:process { ptrace signal_perms getattr };
+- read_files_pattern($1, plymouthd_t, plymouthd_t)
++ allow $1 plymouthd_t:process { ptrace signal_perms };
++ ps_process_pattern($1, plymouthd_t)
+
++ files_search_var_lib($1)
+ admin_pattern($1, plymouthd_spool_t)
+
+ admin_pattern($1, plymouthd_var_lib_t)
+
++ files_search_pids($1)
+ admin_pattern($1, plymouthd_var_run_t)
+ ')
diff --git a/policy/modules/services/plymouthd.te b/policy/modules/services/plymouthd.te
index fb8dc84..c30505a 100644
--- a/policy/modules/services/plymouthd.te
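Review bot: In plymouthd_admin the added `files_search_var_lib($1)` sits directly above `admin_pattern($1, plymouthd_spool_t)` while `admin_pattern($1, plymouthd_var_lib_t)` two lines later gets no search rule of its own, so the pairing reads backwards even though rule order has no effect on the compiled policy. If plymouthd_spool_t is labeled under /var/spool, the spool type has no matching parent-directory search at all, and `files_search_spool($1)` would be the addition that mirrors the `files_search_pids($1)` added for plymouthd_var_run_t. The same gap appears in the prelude_admin hunk below, where `admin_pattern($1, prelude_spool_t)` is the only admin_pattern there without an accompanying files_search_* call. The plymouthd_admin interface begins outside this hunk.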
@@ -22183,7 +22288,7 @@ index c69d047..1d9fa76 100644
/sbin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0)
diff --git a/policy/modules/services/portreserve.if b/policy/modules/services/portreserve.if
-index 10300a0..4af4422 100644
+index 10300a0..d91c1f5 100644
--- a/policy/modules/services/portreserve.if
+++ b/policy/modules/services/portreserve.if
@@ -18,6 +18,24 @@ interface(`portreserve_domtrans',`
@@ -22238,8 +22343,8 @@ index 10300a0..4af4422 100644
+ type portreserve_initrc_exec_t, portreserve_var_run_t;
+ ')
+
-+ allow $1 portreserve_t:process { ptrace signal_perms getattr };
-+ read_files_pattern($1, portreserve_t, portreserve_t)
++ allow $1 portreserve_t:process { ptrace signal_perms };
++ ps_process_pattern($1, portreserve_t)
+
+ portreserve_initrc_domtrans($1)
+ domain_system_change_exemption($1)
@@ -22305,7 +22410,7 @@ index 55e62d2..c114a40 100644
/usr/sbin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
/usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if
-index 46bee12..b6d763d 100644
+index 46bee12..cfcbac7 100644
--- a/policy/modules/services/postfix.if
+++ b/policy/modules/services/postfix.if
@@ -77,6 +77,7 @@ template(`postfix_domain_template',`
@@ -22457,26 +22562,26 @@ index 46bee12..b6d763d 100644
+ type postfix_map_tmp_t, postfix_prng_t, postfix_public_t;
+ ')
+
-+ allow $1 postfix_bounce_t:process { ptrace signal_perms getattr };
-+ read_files_pattern($1, postfix_bounce_t, postfix_bounce_t)
++ allow $1 postfix_bounce_t:process { ptrace signal_perms };
++ ps_process_pattern($1, postfix_bounce_t)
+
-+ allow $1 postfix_cleanup_t:process { ptrace signal_perms getattr };
-+ read_files_pattern($1, postfix_cleanup_t, postfix_cleanup_t)
++ allow $1 postfix_cleanup_t:process { ptrace signal_perms };
++ ps_process_pattern($1, postfix_cleanup_t)
+
-+ allow $1 postfix_local_t:process { ptrace signal_perms getattr };
-+ read_files_pattern($1, postfix_local_t, postfix_local_t)
++ allow $1 postfix_local_t:process { ptrace signal_perms };
++ ps_process_pattern($1, postfix_local_t)
+
-+ allow $1 postfix_master_t:process { ptrace signal_perms getattr };
-+ read_files_pattern($1, postfix_master_t, postfix_master_t)
++ allow $1 postfix_master_t:process { ptrace signal_perms };
++ ps_process_pattern($1, postfix_master_t)
+
-+ allow $1 postfix_pickup_t:process { ptrace signal_perms getattr };
-+ read_files_pattern($1, postfix_pickup_t, postfix_pickup_t)
++ allow $1 postfix_pickup_t:process { ptrace signal_perms };
++ ps_process_pattern($1, postfix_pickup_t)
+
-+ allow $1 postfix_qmgr_t:process { ptrace signal_perms getattr };
-+ read_files_pattern($1, postfix_qmgr_t, postfix_qmgr_t)
++ allow $1 postfix_qmgr_t:process { ptrace signal_perms };
++ ps_process_pattern($1, postfix_qmgr_t)
+
-+ allow $1 postfix_smtpd_t:process { ptrace signal_perms getattr };
-+ read_files_pattern($1, postfix_smtpd_t, postfix_smtpd_t)
++ allow $1 postfix_smtpd_t:process { ptrace signal_perms };
++ ps_process_pattern($1, postfix_smtpd_t)
+
+ postfix_run_map($1,$2)
+ postfix_run_postdrop($1,$2)
@@ -22696,23 +22801,42 @@ index 06e37d4..87043e1 100644
+userdom_manage_user_home_content(postfix_virtual_t)
+userdom_home_filetrans_user_home_dir(postfix_virtual_t)
+userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, {file dir })
+diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if
+index 539a7c9..2c6b723 100644
+--- a/policy/modules/services/postgresql.if
++++ b/policy/modules/services/postgresql.if
+@@ -312,10 +312,8 @@ interface(`postgresql_stream_connect',`
+ ')
+
+ files_search_pids($1)
+- allow $1 postgresql_t:unix_stream_socket connectto;
+- allow $1 postgresql_var_run_t:sock_file write;
+- # Some versions of postgresql put the sock file in /tmp
+- allow $1 postgresql_tmp_t:sock_file write;
++ files_search_tmp($1)
++ stream_connect_pattern($1, { postgresql_var_run_t postgresql_tmp_t}, { postgresql_var_run_t postgresql_tmp_t}, postgresql_t)
+ ')
+
+ ########################################
+@@ -441,10 +439,13 @@ interface(`postgresql_admin',`
+
+ admin_pattern($1, postgresql_var_run_t)
+
++ files_search_var_lib($1)
+ admin_pattern($1, postgresql_db_t)
+
++ files_search_etc($1)
+ admin_pattern($1, postgresql_etc_t)
+
++ logging_search_logs($1)
+ admin_pattern($1, postgresql_log_t)
+
+ admin_pattern($1, postgresql_tmp_t)
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
-index c0652ec..0ed1671 100644
+index 39abf57..4a85c12 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
-@@ -202,9 +202,10 @@ manage_sock_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
- files_tmp_filetrans(postgresql_t, postgresql_tmp_t, { dir file sock_file })
- fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir file lnk_file sock_file fifo_file })
-
-+manage_dirs_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t)
- manage_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t)
- manage_sock_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t)
--files_pid_filetrans(postgresql_t, postgresql_var_run_t, file)
-+files_pid_filetrans(postgresql_t, postgresql_var_run_t, { file dir })
-
- kernel_read_kernel_sysctls(postgresql_t)
- kernel_read_system_state(postgresql_t)
-@@ -250,8 +251,7 @@ domain_dontaudit_list_all_domains_state(postgresql_t)
+@@ -251,8 +251,7 @@ domain_dontaudit_list_all_domains_state(postgresql_t)
domain_use_interactive_fds(postgresql_t)
files_dontaudit_search_home(postgresql_t)
@@ -22722,22 +22846,28 @@ index c0652ec..0ed1671 100644
files_read_etc_runtime_files(postgresql_t)
files_read_usr_files(postgresql_t)
-diff --git a/policy/modules/services/postgrey.te b/policy/modules/services/postgrey.te
-index 2c066b0..afaf453 100644
---- a/policy/modules/services/postgrey.te
-+++ b/policy/modules/services/postgrey.te
-@@ -47,9 +47,10 @@ manage_sock_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
- manage_files_pattern(postgrey_t, postgrey_var_lib_t, postgrey_var_lib_t)
- files_var_lib_filetrans(postgrey_t, postgrey_var_lib_t, file)
-
-+manage_dirs_pattern(postgrey_t, postgrey_var_run_t, postgrey_var_run_t)
- manage_files_pattern(postgrey_t, postgrey_var_run_t, postgrey_var_run_t)
- manage_sock_files_pattern(postgrey_t, postgrey_var_run_t, postgrey_var_run_t)
--files_pid_filetrans(postgrey_t, postgrey_var_run_t, { file sock_file })
-+files_pid_filetrans(postgrey_t, postgrey_var_run_t, { file sock_file dir })
-
- kernel_read_system_state(postgrey_t)
- kernel_read_kernel_sysctls(postgrey_t)
+diff --git a/policy/modules/services/ppp.if b/policy/modules/services/ppp.if
+index b524673..f916c76 100644
+--- a/policy/modules/services/ppp.if
++++ b/policy/modules/services/ppp.if
+@@ -360,7 +360,7 @@ interface(`ppp_admin',`
+ type pppd_initrc_exec_t;
+ ')
+
+- allow $1 pppd_t:process { ptrace signal_perms getattr };
++ allow $1 pppd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, pppd_t)
+
+ ppp_initrc_domtrans($1)
+@@ -386,7 +386,7 @@ interface(`ppp_admin',`
+ files_list_pids($1)
+ admin_pattern($1, pppd_var_run_t)
+
+- allow $1 pptp_t:process { ptrace signal_perms getattr };
++ allow $1 pptp_t:process { ptrace signal_perms };
+ ps_process_pattern($1, pptp_t)
+
+ admin_pattern($1, pptp_log_t)
diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te
index 2af42e7..74f07f8 100644
--- a/policy/modules/services/ppp.te
@@ -22783,22 +22913,40 @@ index 2af42e7..74f07f8 100644
kernel_list_proc(pptp_t)
kernel_read_kernel_sysctls(pptp_t)
-diff --git a/policy/modules/services/prelude.te b/policy/modules/services/prelude.te
-index 4d66b76..3a12d03 100644
---- a/policy/modules/services/prelude.te
-+++ b/policy/modules/services/prelude.te
-@@ -72,9 +72,10 @@ manage_dirs_pattern(prelude_t, prelude_var_lib_t, prelude_var_lib_t)
- manage_files_pattern(prelude_t, prelude_var_lib_t, prelude_var_lib_t)
- files_search_var_lib(prelude_t)
-
-+manage_dirs_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t)
- manage_files_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t)
- manage_sock_files_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t)
--files_pid_filetrans(prelude_t, prelude_var_run_t, file)
-+files_pid_filetrans(prelude_t, prelude_var_run_t, { dir file })
-
- kernel_read_system_state(prelude_t)
- kernel_read_sysctl(prelude_t)
+diff --git a/policy/modules/services/prelude.if b/policy/modules/services/prelude.if
+index 2316653..e4d8797 100644
+--- a/policy/modules/services/prelude.if
++++ b/policy/modules/services/prelude.if
+@@ -136,9 +136,16 @@ interface(`prelude_admin',`
+ allow $2 system_r;
+
+ admin_pattern($1, prelude_spool_t)
++
++ files_search_var_lib($1)
+ admin_pattern($1, prelude_var_lib_t)
++
++ files_search_pids($1)
+ admin_pattern($1, prelude_var_run_t)
+ admin_pattern($1, prelude_audisp_var_run_t)
++
++ files_search_tmp($1)
+ admin_pattern($1, prelude_lml_tmp_t)
++
+ admin_pattern($1, prelude_lml_var_run_t)
+ ')
+diff --git a/policy/modules/services/privoxy.if b/policy/modules/services/privoxy.if
+index 1da26dc..c8f6cb5 100644
+--- a/policy/modules/services/privoxy.if
++++ b/policy/modules/services/privoxy.if
+@@ -24,7 +24,7 @@ interface(`privoxy_admin',`
+ type privoxy_initrc_exec_t;
+ ')
+
+- allow $1 privoxy_t:process { ptrace signal_perms getattr };
++ allow $1 privoxy_t:process { ptrace signal_perms };
+ ps_process_pattern($1, privoxy_t)
+
+ init_labeled_script_domtrans($1, privoxy_initrc_exec_t)
diff --git a/policy/modules/services/privoxy.te b/policy/modules/services/privoxy.te
index 0d295a8..19138e1 100644
--- a/policy/modules/services/privoxy.te
@@ -22971,7 +23119,7 @@ index d4000e0..c23cd14 100644
fs_getattr_all_fs(psad_t)
diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te
-index 64c5f95..3588ebb 100644
+index 64c5f95..9587224 100644
--- a/policy/modules/services/puppet.te
+++ b/policy/modules/services/puppet.te
@@ -63,7 +63,7 @@ manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
@@ -22987,21 +23135,21 @@ index 64c5f95..3588ebb 100644
allow puppetmaster_t puppet_log_t:dir { rw_dir_perms setattr };
allow puppetmaster_t puppet_log_t:file { rw_file_perms create setattr };
logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
-+allow puppetmaster_t puppet_log_t:file { relabelfrom relabelto };
++allow puppetmaster_t puppet_log_t:file relabel_file_perms;
manage_dirs_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
manage_files_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
-+allow puppetmaster_t puppet_var_lib_t:dir { relabelfrom relabelto };
++allow puppetmaster_t puppet_var_lib_t:dir relabel_dir_perms;
setattr_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
manage_files_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
files_pid_filetrans(puppetmaster_t, puppet_var_run_t, { file dir })
-+allow puppetmaster_t puppet_var_run_t:dir { relabelfrom relabelto };
++allow puppetmaster_t puppet_var_run_t:dir relabel_dir_perms;
manage_dirs_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
manage_files_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir })
-+allow puppetmaster_t puppet_tmp_t:dir { relabelfrom relabelto };
++allow puppetmaster_t puppet_tmp_t:dir relabel_dir_perms;
kernel_dontaudit_search_kernel_sysctl(puppetmaster_t)
kernel_read_system_state(puppetmaster_t)
@@ -23200,7 +23348,7 @@ index 0000000..f3b89e4
+/var/run/qpidd\.pid gen_context(system_u:object_r:qpidd_var_run_t,s0)
diff --git a/policy/modules/services/qpidd.if b/policy/modules/services/qpidd.if
new file mode 100644
-index 0000000..039bd27
+index 0000000..5dbca44
--- /dev/null
+++ b/policy/modules/services/qpidd.if
@@ -0,0 +1,236 @@
@@ -23385,8 +23533,8 @@ index 0000000..039bd27
+ type qpidd_t;
+ ')
+
-+ allow $1 qpidd_t:process { ptrace signal_perms getattr };
-+ read_files_pattern($1, qpidd_t, qpidd_t)
++ allow $1 qpidd_t:process { ptrace signal_perms };
++ ps_process_pattern($1, qpidd_t)
+
+
+ gen_require(`
@@ -23505,6 +23653,19 @@ index 0000000..cf9a327
+miscfiles_read_localization(qpidd_t)
+
+sysnet_dns_name_resolve(qpidd_t)
+diff --git a/policy/modules/services/radius.if b/policy/modules/services/radius.if
+index 9a78598..8f132e7 100644
+--- a/policy/modules/services/radius.if
++++ b/policy/modules/services/radius.if
+@@ -38,7 +38,7 @@ interface(`radius_admin',`
+ type radiusd_initrc_exec_t;
+ ')
+
+- allow $1 radiusd_t:process { ptrace signal_perms getattr };
++ allow $1 radiusd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, radiusd_t)
+
+ init_labeled_script_domtrans($1, radiusd_initrc_exec_t)
diff --git a/policy/modules/services/radius.te b/policy/modules/services/radius.te
index db6296a..b3f1fd3 100644
--- a/policy/modules/services/radius.te
@@ -23537,21 +23698,6 @@ index db6296a..b3f1fd3 100644
samba_read_var_files(radiusd_t)
')
-diff --git a/policy/modules/services/radvd.te b/policy/modules/services/radvd.te
-index 87fdb1c..2943342 100644
---- a/policy/modules/services/radvd.te
-+++ b/policy/modules/services/radvd.te
-@@ -33,8 +33,9 @@ allow radvd_t self:fifo_file rw_file_perms;
-
- allow radvd_t radvd_etc_t:file read_file_perms;
-
-+manage_dirs_pattern(radvd_t, radvd_var_run_t, radvd_var_run_t)
- manage_files_pattern(radvd_t, radvd_var_run_t, radvd_var_run_t)
--files_pid_filetrans(radvd_t, radvd_var_run_t, file)
-+files_pid_filetrans(radvd_t, radvd_var_run_t, { file dir })
-
- kernel_read_kernel_sysctls(radvd_t)
- kernel_rw_net_sysctls(radvd_t)
diff --git a/policy/modules/services/razor.fc b/policy/modules/services/razor.fc
index 1efba0c..71d657c 100644
--- a/policy/modules/services/razor.fc
@@ -23562,10 +23708,10 @@ index 1efba0c..71d657c 100644
/etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0)
diff --git a/policy/modules/services/razor.if b/policy/modules/services/razor.if
-index f04a595..9011506 100644
+index f04a595..13ad2fe 100644
--- a/policy/modules/services/razor.if
+++ b/policy/modules/services/razor.if
-@@ -157,3 +157,45 @@ interface(`razor_domtrans',`
+@@ -157,3 +157,44 @@ interface(`razor_domtrans',`
domtrans_pattern($1, razor_exec_t, razor_t)
')
@@ -23586,7 +23732,6 @@ index f04a595..9011506 100644
+ type razor_home_t;
+ ')
+
-+ files_search_home($1)
+ userdom_search_user_home_dirs($1)
+ manage_files_pattern($1, razor_home_t, razor_home_t)
+ read_lnk_files_pattern($1, razor_home_t, razor_home_t)
@@ -23686,6 +23831,19 @@ index 0a76027..cdd0542 100644
unconfined_shell_domtrans(remote_login_t)
')
+diff --git a/policy/modules/services/resmgr.if b/policy/modules/services/resmgr.if
+index d457736..eabdd78 100644
+--- a/policy/modules/services/resmgr.if
++++ b/policy/modules/services/resmgr.if
+@@ -16,7 +16,6 @@ interface(`resmgr_stream_connect',`
+ type resmgrd_var_run_t, resmgrd_t;
+ ')
+
+- allow $1 resmgrd_t:unix_stream_socket connectto;
+- allow $1 resmgrd_var_run_t:sock_file { getattr write };
+ files_search_pids($1)
++ stream_connect_pattern($1, resmgrd_var_run_t, resmgrd_var_run_t, resmgrd_t)
+ ')
diff --git a/policy/modules/services/rgmanager.fc b/policy/modules/services/rgmanager.fc
index 3c97ef0..c025d59 100644
--- a/policy/modules/services/rgmanager.fc
@@ -23697,7 +23855,7 @@ index 3c97ef0..c025d59 100644
/var/log/cluster/rgmanager\.log -- gen_context(system_u:object_r:rgmanager_var_log_t,s0)
diff --git a/policy/modules/services/rgmanager.if b/policy/modules/services/rgmanager.if
-index 7dc38d1..91dbe71 100644
+index 7dc38d1..aaf7c85 100644
--- a/policy/modules/services/rgmanager.if
+++ b/policy/modules/services/rgmanager.if
@@ -75,3 +75,64 @@ interface(`rgmanager_manage_tmpfs_files',`
@@ -23747,7 +23905,7 @@ index 7dc38d1..91dbe71 100644
+ ')
+
+ allow $1 rgmanager_t:process { ptrace signal_perms };
-+ read_files_pattern($1, rgmanager_t, rgmanager_t)
++ ps_process_pattern($1, rgmanager_t)
+
+ init_labeled_script_domtrans($1, rgmanager_initrc_exec_t)
+ domain_system_change_exemption($1)
@@ -23829,7 +23987,7 @@ index 00fa514..9ab1d80 100644
mysql_stream_connect(rgmanager_t)
')
diff --git a/policy/modules/services/rhcs.fc b/policy/modules/services/rhcs.fc
-index c2ba53b..b19961e 100644
+index c2ba53b..a8676c7 100644
--- a/policy/modules/services/rhcs.fc
+++ b/policy/modules/services/rhcs.fc
@@ -1,6 +1,7 @@
@@ -23840,8 +23998,16 @@ index c2ba53b..b19961e 100644
/usr/sbin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0)
/usr/sbin/groupd -- gen_context(system_u:object_r:groupd_exec_t,s0)
/usr/sbin/qdiskd -- gen_context(system_u:object_r:qdiskd_exec_t,s0)
+@@ -9,6 +10,7 @@
+
+ /var/lib/qdiskd(/.*)? gen_context(system_u:object_r:qdiskd_var_lib_t,s0)
+
++/var/log/cluster/.*\.*log <<none>>
+ /var/log/cluster/dlm_controld\.log.* -- gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
+ /var/log/cluster/fenced\.log.* -- gen_context(system_u:object_r:fenced_var_log_t,s0)
+ /var/log/cluster/gfs_controld\.log.* -- gen_context(system_u:object_r:gfs_controld_var_log_t,s0)
diff --git a/policy/modules/services/rhcs.if b/policy/modules/services/rhcs.if
-index de37806..6928301 100644
+index de37806..d8b97c2 100644
--- a/policy/modules/services/rhcs.if
+++ b/policy/modules/services/rhcs.if
@@ -14,6 +14,8 @@
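Review bot: The new rhcs.fc entry `/var/log/cluster/.*\.*log <<none>>` escapes the wrong character: `\.*` means zero or more literal dots, so the expression is effectively `.*log` and matches any name under /var/log/cluster ending in `log`, not only `.log` files. If the intent is a `.log` suffix, `/var/log/cluster/.*\.log <<none>>` says so, and a trailing `.*` would be needed if rotated logs should be covered as well. Since `<<none>>` tells setfiles/restorecon to leave matching files with whatever label they already carry, it is worth stating in a comment that the per-daemon entries below (and `rgmanager\.log` in rgmanager.fc) are expected to win on their longer literal prefix, so the fallback only affects logs no module claims.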
@@ -23937,7 +24103,7 @@ index de37806..6928301 100644
######################################
## <summary>
## Execute a domain transition to run qdiskd.
-@@ -353,3 +416,21 @@ interface(`rhcs_domtrans_qdiskd',`
+@@ -353,3 +416,40 @@ interface(`rhcs_domtrans_qdiskd',`
corecmd_search_bin($1)
domtrans_pattern($1, qdiskd_exec_t, qdiskd_t)
')
@@ -23959,8 +24125,27 @@ index de37806..6928301 100644
+
+ allow $1 qdiskd_tmpfs_t:file read_file_perms;
+')
++
++######################################
++## <summary>
++## Allow domain to read cluster lib files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`rhcs_read_cluster_lib_files',`
++ gen_require(`
++ type cluster_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
++')
diff --git a/policy/modules/services/rhcs.te b/policy/modules/services/rhcs.te
-index 93c896a..68f2b99 100644
+index 93c896a..1ebc84d 100644
--- a/policy/modules/services/rhcs.te
+++ b/policy/modules/services/rhcs.te
@@ -13,6 +13,8 @@ policy_module(rhcs, 1.1.0)
@@ -23972,7 +24157,18 @@ index 93c896a..68f2b99 100644
rhcs_domain_template(dlm_controld)
-@@ -55,17 +57,13 @@ fs_manage_configfs_dirs(dlm_controld_t)
+@@ -33,6 +35,10 @@ rhcs_domain_template(qdiskd)
+ type qdiskd_var_lib_t;
+ files_type(qdiskd_var_lib_t)
+
++# type for cluster lib files
++type cluster_var_lib_t;
++files_type(cluster_var_lib_t)
++
+ #####################################
+ #
+ # dlm_controld local policy
+@@ -55,17 +61,13 @@ fs_manage_configfs_dirs(dlm_controld_t)
init_rw_script_tmp_files(dlm_controld_t)
@@ -23991,7 +24187,7 @@ index 93c896a..68f2b99 100644
allow fenced_t self:tcp_socket create_stream_socket_perms;
allow fenced_t self:udp_socket create_socket_perms;
-@@ -82,7 +80,10 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
+@@ -82,7 +84,10 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
@@ -24002,15 +24198,22 @@ index 93c896a..68f2b99 100644
corenet_tcp_connect_http_port(fenced_t)
-@@ -106,7 +107,6 @@ tunable_policy(`fenced_can_network_connect',`
+@@ -104,9 +109,13 @@ tunable_policy(`fenced_can_network_connect',`
+ corenet_tcp_connect_all_ports(fenced_t)
+ ')
++# needed by fence_scsi
++optional_policy(`
++ corosync_exec(fenced_t)
++')
++
optional_policy(`
ccs_read_config(fenced_t)
- ccs_stream_connect(fenced_t)
')
optional_policy(`
-@@ -139,10 +139,6 @@ storage_getattr_removable_dev(gfs_controld_t)
+@@ -139,10 +148,6 @@ storage_getattr_removable_dev(gfs_controld_t)
init_rw_script_tmp_files(gfs_controld_t)
optional_policy(`
@@ -24021,7 +24224,7 @@ index 93c896a..68f2b99 100644
lvm_exec(gfs_controld_t)
dev_rw_lvm_control(gfs_controld_t)
')
-@@ -168,7 +164,7 @@ init_rw_script_tmp_files(groupd_t)
+@@ -168,7 +173,7 @@ init_rw_script_tmp_files(groupd_t)
# qdiskd local policy
#
@@ -24030,7 +24233,7 @@ index 93c896a..68f2b99 100644
allow qdiskd_t self:tcp_socket create_stream_socket_perms;
allow qdiskd_t self:udp_socket create_socket_perms;
-@@ -207,10 +203,6 @@ storage_raw_write_fixed_disk(qdiskd_t)
+@@ -207,10 +212,6 @@ storage_raw_write_fixed_disk(qdiskd_t)
auth_use_nsswitch(qdiskd_t)
optional_policy(`
@@ -24041,7 +24244,15 @@ index 93c896a..68f2b99 100644
netutils_domtrans_ping(qdiskd_t)
')
-@@ -236,5 +228,9 @@ logging_send_syslog_msg(cluster_domain)
+@@ -231,10 +232,17 @@ allow cluster_domain self:fifo_file rw_fifo_file_perms;
+ allow cluster_domain self:unix_stream_socket create_stream_socket_perms;
+ allow cluster_domain self:unix_dgram_socket create_socket_perms;
+
++manage_files_pattern(cluster_domain, cluster_var_lib_t, cluster_var_lib_t)
++manage_dirs_pattern(cluster_domain, cluster_var_lib_t, cluster_var_lib_t)
++
+ logging_send_syslog_msg(cluster_domain)
+
miscfiles_read_localization(cluster_domain)
optional_policy(`
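Review bot: The new `manage_files_pattern(cluster_domain, cluster_var_lib_t, cluster_var_lib_t)` and `manage_dirs_pattern(...)` grant every cluster domain full management of the new type but add no `files_var_lib_filetrans(cluster_domain, cluster_var_lib_t, { dir file })`; if any of these daemons creates its directory under /var/lib itself rather than relying on a packaged, pre-labeled path, the created objects would inherit the parent's label and fall outside these rules. The file-context entry that would settle this is not visible in this chunk, so please confirm one way or the other and, if the directory is package-shipped, say so in the comment next to the type declaration in rhcs.te (`# type for cluster lib files`). The cluster_domain block these rules live in starts outside this hunk.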
@@ -24063,7 +24274,7 @@ index 5b08327..ed5dc05 100644
/usr/libexec/ricci-modlog -- gen_context(system_u:object_r:ricci_modlog_exec_t,s0)
/usr/libexec/ricci-modrpm -- gen_context(system_u:object_r:ricci_modrpm_exec_t,s0)
diff --git a/policy/modules/services/ricci.if b/policy/modules/services/ricci.if
-index f7826f9..f326085 100644
+index f7826f9..ecc341c 100644
--- a/policy/modules/services/ricci.if
+++ b/policy/modules/services/ricci.if
@@ -18,6 +18,24 @@ interface(`ricci_domtrans',`
@@ -24091,10 +24302,17 @@ index f7826f9..f326085 100644
########################################
## <summary>
## Execute a domain transition to run ricci_modcluster.
-@@ -96,6 +114,24 @@ interface(`ricci_stream_connect_modclusterd',`
+@@ -90,8 +108,25 @@ interface(`ricci_stream_connect_modclusterd',`
+ ')
- ########################################
- ## <summary>
+ files_search_pids($1)
+- allow $1 ricci_modcluster_var_run_t:sock_file write;
+- allow $1 ricci_modclusterd_t:unix_stream_socket connectto;
++ stream_connect_pattern($1, ricci_modcluster_var_run_t, ricci_modcluster_var_run_t, ricci_modclusterd_t)
++')
++
++########################################
++## <summary>
+## Read and write to ricci_modcluserd temporary file system.
+## </summary>
+## <param name="domain">
@@ -24109,14 +24327,10 @@ index f7826f9..f326085 100644
+ ')
+
+ allow $1 ricci_modcluserd_tmpfs_t:file rw_file_perms;
-+')
-+
-+########################################
-+## <summary>
- ## Execute a domain transition to run ricci_modlog.
- ## </summary>
- ## <param name="domain">
-@@ -165,3 +201,67 @@ interface(`ricci_domtrans_modstorage',`
+ ')
+
+ ########################################
+@@ -165,3 +200,67 @@ interface(`ricci_domtrans_modstorage',`
domtrans_pattern($1, ricci_modstorage_exec_t, ricci_modstorage_t)
')
@@ -24312,7 +24526,7 @@ index 779fa44..29a5d0d 100644
remotelogin_domtrans(rlogind_t)
remotelogin_signal(rlogind_t)
diff --git a/policy/modules/services/rpc.if b/policy/modules/services/rpc.if
-index cda37bb..b0eac5b 100644
+index cda37bb..b65be0c 100644
--- a/policy/modules/services/rpc.if
+++ b/policy/modules/services/rpc.if
@@ -246,6 +246,26 @@ interface(`rpc_domtrans_rpcd',`
@@ -24346,7 +24560,7 @@ index cda37bb..b0eac5b 100644
files_search_var_lib($1)
manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
-+ allow $1 var_lib_nfs_t:file { relabelfrom relabelto };
++ allow $1 var_lib_nfs_t:file relabel_file_perms;
')
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
index 8e1ab72..9ae080e 100644
@@ -24428,10 +24642,20 @@ index f5c47d6..5a965e9 100644
/var/run/rpc.statd\.pid -- gen_context(system_u:object_r:rpcbind_var_run_t,s0)
diff --git a/policy/modules/services/rpcbind.if b/policy/modules/services/rpcbind.if
-index a96249c..ca97ead 100644
+index a96249c..5a4d69d 100644
--- a/policy/modules/services/rpcbind.if
+++ b/policy/modules/services/rpcbind.if
-@@ -141,7 +141,7 @@ interface(`rpcbind_admin',`
+@@ -34,8 +34,7 @@ interface(`rpcbind_stream_connect',`
+ ')
+
+ files_search_pids($1)
+- allow $1 rpcbind_var_run_t:sock_file write;
+- allow $1 rpcbind_t:unix_stream_socket connectto;
++ stream_connect_pattern($1, rpcbind_var_run_t, rpcbind_var_run_t, rpcbind_t)
+ ')
+
+ ########################################
+@@ -141,8 +140,14 @@ interface(`rpcbind_admin',`
allow $1 rpcbind_t:process { ptrace signal_perms };
ps_process_pattern($1, rpcbind_t)
@@ -24440,6 +24664,13 @@ index a96249c..ca97ead 100644
domain_system_change_exemption($1)
role_transition $2 rpcbind_initrc_exec_t system_r;
allow $2 system_r;
++
++ files_search_var_lib($1)
++ admin_pattern($1, rpcbind_var_lib_t)
++
++ files_search_pids($1)
++ admin_pattern($1, rpcbind_var_run_t)
+ ')
diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te
index d6d76e1..9cb5e25 100644
--- a/policy/modules/services/rpcbind.te
@@ -24671,7 +24902,7 @@ index 69a6074..73db5ba 100644
+/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0)
+')
diff --git a/policy/modules/services/samba.if b/policy/modules/services/samba.if
-index 82cb169..89935be 100644
+index 82cb169..84732e5 100644
--- a/policy/modules/services/samba.if
+++ b/policy/modules/services/samba.if
@@ -79,6 +79,25 @@ interface(`samba_domtrans_net',`
@@ -24700,7 +24931,7 @@ index 82cb169..89935be 100644
## Execute samba net in the samba_net domain, and
## allow the specified role the samba_net domain.
## </summary>
-@@ -103,6 +122,50 @@ interface(`samba_run_net',`
+@@ -103,6 +122,51 @@ interface(`samba_run_net',`
role $2 types samba_net_t;
')
@@ -24713,6 +24944,7 @@ index 82cb169..89935be 100644
+## The role to be allowed the samba_net domain.
+## </summary>
+## </param>
++## <rolecap/>
+#
+template(`samba_role_notrans',`
+ gen_require(`
@@ -24751,7 +24983,7 @@ index 82cb169..89935be 100644
########################################
## <summary>
## Execute smbmount in the smbmount domain.
-@@ -412,6 +475,7 @@ interface(`samba_manage_var_files',`
+@@ -412,6 +476,7 @@ interface(`samba_manage_var_files',`
files_search_var($1)
files_search_var_lib($1)
manage_files_pattern($1, samba_var_t, samba_var_t)
@@ -24759,6 +24991,25 @@ index 82cb169..89935be 100644
')
########################################
+@@ -419,15 +484,14 @@ interface(`samba_manage_var_files',`
+ ## Execute a domain transition to run smbcontrol.
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
++## <summary>
+ ## Domain allowed to transition.
+-## </summary>
++## </summary>
+ ## </param>
+ #
+ interface(`samba_domtrans_smbcontrol',`
+ gen_require(`
+- type smbcontrol_t;
+- type smbcontrol_exec_t;
++ type smbcontrol_t, smbcontrol_exec_t;
+ ')
+
+ domtrans_pattern($1, smbcontrol_exec_t, smbcontrol_t)
@@ -564,6 +628,7 @@ interface(`samba_domtrans_winbind_helper',`
')
@@ -24767,7 +25018,7 @@ index 82cb169..89935be 100644
')
########################################
-@@ -644,6 +709,36 @@ interface(`samba_stream_connect_winbind',`
+@@ -644,6 +709,37 @@ interface(`samba_stream_connect_winbind',`
########################################
## <summary>
@@ -24783,7 +25034,9 @@ index 82cb169..89935be 100644
+template(`samba_helper_template',`
+ gen_require(`
+ type smbd_t;
++ role system_r;
+ ')
++
+ #This type is for samba helper scripts
+ type samba_$1_script_t;
+ domain_type(samba_$1_script_t)
@@ -24796,7 +25049,6 @@ index 82cb169..89935be 100644
+
+ domtrans_pattern(smbd_t, samba_$1_script_exec_t, samba_$1_script_t)
+ allow smbd_t samba_$1_script_exec_t:file ioctl;
-+
+')
+
+########################################
@@ -24804,35 +25056,44 @@ index 82cb169..89935be 100644
## All of the rules required to administrate
## an samba environment
## </summary>
-@@ -664,7 +759,7 @@ interface(`samba_admin',`
- type nmbd_t, nmbd_var_run_t;
- type smbd_t, smbd_tmp_t;
- type smbd_var_run_t;
+@@ -661,21 +757,13 @@ interface(`samba_stream_connect_winbind',`
+ #
+ interface(`samba_admin',`
+ gen_require(`
+- type nmbd_t, nmbd_var_run_t;
+- type smbd_t, smbd_tmp_t;
+- type smbd_var_run_t;
- type smbd_spool_t;
-+ type samba_initrc_exec_t;
-
- type samba_log_t, samba_var_t;
- type samba_etc_t, samba_share_t;
-@@ -675,7 +770,7 @@ interface(`samba_admin',`
+-
+- type samba_log_t, samba_var_t;
+- type samba_etc_t, samba_share_t;
+- type samba_secrets_t;
+-
++ type nmbd_t, nmbd_var_run_t, smbd_var_run_t;
++ type smbd_t, smbd_tmp_t, samba_secrets_t;
++ type samba_initrc_exec_t, samba_log_t, samba_var_t;
++ type samba_etc_t, samba_share_t, winbind_log_t;
+ type swat_var_run_t, swat_tmp_t;
+-
type winbind_var_run_t, winbind_tmp_t;
- type winbind_log_t;
-
+- type winbind_log_t;
+-
- type samba_initrc_exec_t;
+ type samba_unconfined_script_t, samba_unconfined_script_exec_t;
')
allow $1 smbd_t:process { ptrace signal_perms };
-@@ -684,6 +779,9 @@ interface(`samba_admin',`
+@@ -684,6 +772,9 @@ interface(`samba_admin',`
allow $1 nmbd_t:process { ptrace signal_perms };
ps_process_pattern($1, nmbd_t)
-+ allow $1 samba_unconfined_script_t:process { ptrace signal_perms getattr };
-+ read_files_pattern($1, samba_unconfined_script_t, samba_unconfined_script_t)
-+
++ allow $1 samba_unconfined_script_t:process { ptrace signal_perms };
++ ps_process_pattern($1, samba_unconfined_script_t)
++
samba_run_smbcontrol($1, $2, $3)
samba_run_winbind_helper($1, $2, $3)
samba_run_smbmount($1, $2, $3)
-@@ -709,9 +807,6 @@ interface(`samba_admin',`
+@@ -709,9 +800,6 @@ interface(`samba_admin',`
admin_pattern($1, samba_var_t)
files_list_var($1)
@@ -24842,7 +25103,7 @@ index 82cb169..89935be 100644
admin_pattern($1, smbd_var_run_t)
files_list_pids($1)
-@@ -727,4 +822,5 @@ interface(`samba_admin',`
+@@ -727,4 +815,5 @@ interface(`samba_admin',`
admin_pattern($1, winbind_tmp_t)
admin_pattern($1, winbind_var_run_t)
@@ -25051,6 +25312,19 @@ index e30bb63..2a5981d 100644
+',`
+ can_exec(smbd_t, samba_unconfined_script_exec_t)
')
+diff --git a/policy/modules/services/sasl.if b/policy/modules/services/sasl.if
+index f1aea88..c3ffa9d 100644
+--- a/policy/modules/services/sasl.if
++++ b/policy/modules/services/sasl.if
+@@ -42,7 +42,7 @@ interface(`sasl_admin',`
+ type saslauthd_initrc_exec_t;
+ ')
+
+- allow $1 saslauthd_t:process { ptrace signal_perms getattr };
++ allow $1 saslauthd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, saslauthd_t)
+
+ init_labeled_script_domtrans($1, saslauthd_initrc_exec_t)
diff --git a/policy/modules/services/sasl.te b/policy/modules/services/sasl.te
index 22184ad..87810ec 100644
--- a/policy/modules/services/sasl.te
@@ -25086,35 +25360,56 @@ index a86ec50..ef4199b 100644
/var/log/mail(/.*)? gen_context(system_u:object_r:sendmail_log_t,s0)
diff --git a/policy/modules/services/sendmail.if b/policy/modules/services/sendmail.if
-index 7e94c7c..4f7eb51 100644
+index 7e94c7c..cf9fdcd 100644
--- a/policy/modules/services/sendmail.if
+++ b/policy/modules/services/sendmail.if
-@@ -57,6 +57,24 @@ interface(`sendmail_domtrans',`
- allow sendmail_t $1:process sigchld;
- ')
+@@ -51,10 +51,24 @@ interface(`sendmail_domtrans',`
+ ')
+ mta_sendmail_domtrans($1, sendmail_t)
++')
++
+#######################################
+## <summary>
+## Execute sendmail in the sendmail domain.
+## </summary>
+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
++## <summary>
++## Domain allowed access.
++## </summary>
+## </param>
+#
-+interface(`sendmail_initrc_domtrans', `
-+ gen_require(`
-+ type sendmail_initrc_exec_t;
-+ ')
-+
-+ init_labeled_script_domtrans($1, sendmail_initrc_exec_t)
-+')
-+
++interface(`sendmail_initrc_domtrans',`
++ gen_require(`
++ type sendmail_initrc_exec_t;
++ ')
+
+- allow sendmail_t $1:fd use;
+- allow sendmail_t $1:fifo_file rw_file_perms;
+- allow sendmail_t $1:process sigchld;
++ init_labeled_script_domtrans($1, sendmail_initrc_exec_t)
+ ')
+
########################################
- ## <summary>
- ## Execute the sendmail program in the sendmail domain.
-@@ -295,3 +313,50 @@ interface(`sendmail_run_unconfined',`
+@@ -152,7 +166,7 @@ interface(`sendmail_rw_unix_stream_sockets',`
+ type sendmail_t;
+ ')
+
+- allow $1 sendmail_t:unix_stream_socket { getattr read write ioctl };
++ allow $1 sendmail_t:unix_stream_socket rw_socket_perms;
+ ')
+
+ ########################################
+@@ -171,7 +185,7 @@ interface(`sendmail_dontaudit_rw_unix_stream_sockets',`
+ type sendmail_t;
+ ')
+
+- dontaudit $1 sendmail_t:unix_stream_socket { getattr read write ioctl };
++ dontaudit $1 sendmail_t:unix_stream_socket rw_socket_perms;
+ ')
+
+ ########################################
+@@ -295,3 +309,50 @@ interface(`sendmail_run_unconfined',`
sendmail_domtrans_unconfined($1)
role $2 types unconfined_sendmail_t;
')
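Review bot: `allow $1 sendmail_t:unix_stream_socket rw_socket_perms;` in the `sendmail_rw_unix_stream_sockets` hunk is a permission widening, not the cosmetic cleanup it looks like: the literal set it replaces was `{ getattr read write ioctl }`, while `rw_socket_perms` in refpolicy's obj_perm_sets, if I recall it correctly, also carries `setattr append bind connect getopt setopt shutdown`. The same substitution is made in `squid_rw_stream_sockets` in the squid.if hunk further down, so callers of either interface now get the ability to bind, connect and shut down the daemon's inherited socket. If the widening is deliberate it deserves a line in the spec changelog; otherwise keep the explicit set. Separately, the summary added for `sendmail_initrc_domtrans` reads "Execute sendmail in the sendmail domain", which is the wording used for the plain domtrans; the init-script interfaces elsewhere in this patch use `## Execute the sendmail server in the sendmail domain.`.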
@@ -25143,11 +25438,11 @@ index 7e94c7c..4f7eb51 100644
+ type mail_spool_t;
+ ')
+
-+ allow $1 sendmail_t:process { ptrace signal_perms getattr };
-+ read_files_pattern($1, sendmail_t, sendmail_t)
++ allow $1 sendmail_t:process { ptrace signal_perms };
++ ps_process_pattern($1, sendmail_t)
+
-+ allow $1 unconfined_sendmail_t:process { ptrace signal_perms getattr };
-+ read_files_pattern($1, unconfined_sendmail_t, unconfined_sendmail_t)
++ allow $1 unconfined_sendmail_t:process { ptrace signal_perms };
++ ps_process_pattern($1, unconfined_sendmail_t)
+
+ sendmail_initrc_domtrans($1)
+ domain_system_change_exemption($1)
@@ -25232,7 +25527,7 @@ index 22dac1f..b6781d5 100644
+ unconfined_domain_noaudit(unconfined_sendmail_t)
')
diff --git a/policy/modules/services/setroubleshoot.if b/policy/modules/services/setroubleshoot.if
-index 22dfeb4..9dc4091 100644
+index 22dfeb4..a7fbedc 100644
--- a/policy/modules/services/setroubleshoot.if
+++ b/policy/modules/services/setroubleshoot.if
@@ -105,6 +105,25 @@ interface(`setroubleshoot_dbus_chat_fixit',`
@@ -25243,7 +25538,7 @@ index 22dfeb4..9dc4091 100644
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain allowed access.
++## Domain to not audit.
+## </summary>
+## </param>
+#
@@ -25344,6 +25639,27 @@ index 086cd5f..679558c 100644
optional_policy(`
rpm_signull(setroubleshoot_fixit_t)
rpm_read_db(setroubleshoot_fixit_t)
+diff --git a/policy/modules/services/smartmon.if b/policy/modules/services/smartmon.if
+index adea9f9..d5b2d93 100644
+--- a/policy/modules/services/smartmon.if
++++ b/policy/modules/services/smartmon.if
+@@ -15,6 +15,7 @@ interface(`smartmon_read_tmp_files',`
+ type fsdaemon_tmp_t;
+ ')
+
++ files_search_tmp($1)
+ allow $1 fsdaemon_tmp_t:file read_file_perms;
+ ')
+
+@@ -41,7 +42,7 @@ interface(`smartmon_admin',`
+ type fsdaemon_initrc_exec_t;
+ ')
+
+- allow $1 fsdaemon_t:process { ptrace signal_perms getattr };
++ allow $1 fsdaemon_t:process { ptrace signal_perms };
+ ps_process_pattern($1, fsdaemon_t)
+
+ init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t)
diff --git a/policy/modules/services/smartmon.te b/policy/modules/services/smartmon.te
index 4804f14..894f62d 100644
--- a/policy/modules/services/smartmon.te
@@ -25357,6 +25673,22 @@ index 4804f14..894f62d 100644
term_dontaudit_search_ptys(fsdaemon_t)
+diff --git a/policy/modules/services/smokeping.if b/policy/modules/services/smokeping.if
+index 824d206..8265278 100644
+--- a/policy/modules/services/smokeping.if
++++ b/policy/modules/services/smokeping.if
+@@ -5,9 +5,9 @@
+ ## Execute a domain transition to run smokeping.
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
++## <summary>
+ ## Domain allowed to transition.
+-## </summary>
++## </summary>
+ ## </param>
+ #
+ interface(`smokeping_domtrans',`
diff --git a/policy/modules/services/smokeping.te b/policy/modules/services/smokeping.te
index 4ca5449..058bfc9 100644
--- a/policy/modules/services/smokeping.te
@@ -25390,6 +25722,56 @@ index 623c8fa..ac10740 100644
/var/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0)
/var/run/snmpd\.pid -- gen_context(system_u:object_r:snmpd_var_run_t,s0)
+diff --git a/policy/modules/services/snmp.if b/policy/modules/services/snmp.if
+index 275f9fb..6aa68d8 100644
+--- a/policy/modules/services/snmp.if
++++ b/policy/modules/services/snmp.if
+@@ -11,12 +11,12 @@
+ ## </param>
+ #
+ interface(`snmp_stream_connect',`
+- gen_require(`
++ gen_require(`
+ type snmpd_t, snmpd_var_lib_t;
+- ')
++ ')
+
+- files_search_var_lib($1)
+- stream_connect_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t, snmpd_t)
++ files_search_var_lib($1)
++ stream_connect_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t, snmpd_t)
+ ')
+
+ ########################################
+@@ -62,6 +62,7 @@ interface(`snmp_read_snmp_var_lib_files',`
+ type snmpd_var_lib_t;
+ ')
+
++ files_search_var_lib($1)
+ allow $1 snmpd_var_lib_t:dir list_dir_perms;
+ read_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
+ read_lnk_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
+@@ -81,9 +82,10 @@ interface(`snmp_dontaudit_read_snmp_var_lib_files',`
+ gen_require(`
+ type snmpd_var_lib_t;
+ ')
++
+ dontaudit $1 snmpd_var_lib_t:dir list_dir_perms;
+ dontaudit $1 snmpd_var_lib_t:file read_file_perms;
+- dontaudit $1 snmpd_var_lib_t:lnk_file { getattr read };
++ dontaudit $1 snmpd_var_lib_t:lnk_file read_lnk_file_perms;
+ ')
+
+ ########################################
+@@ -128,7 +130,7 @@ interface(`snmp_admin',`
+ type snmpd_initrc_exec_t;
+ ')
+
+- allow $1 snmpd_t:process { ptrace signal_perms getattr };
++ allow $1 snmpd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, snmpd_t)
+
+ init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te
index 3d8d1b3..b5cd366 100644
--- a/policy/modules/services/snmp.te
@@ -25422,26 +25804,22 @@ index 3d8d1b3..b5cd366 100644
auth_use_nsswitch(snmpd_t)
auth_read_all_dirs_except_shadow(snmpd_t)
-diff --git a/policy/modules/services/snort.te b/policy/modules/services/snort.te
-index bf59f60..814a47a 100644
---- a/policy/modules/services/snort.te
-+++ b/policy/modules/services/snort.te
-@@ -61,6 +61,7 @@ kernel_list_proc(snort_t)
- kernel_read_proc_symlinks(snort_t)
- kernel_request_load_module(snort_t)
- kernel_dontaudit_read_system_state(snort_t)
-+kernel_read_network_state(snort_t)
-
- corenet_all_recvfrom_unlabeled(snort_t)
- corenet_all_recvfrom_netlabel(snort_t)
-@@ -77,6 +78,7 @@ corenet_tcp_connect_prelude_port(snort_t)
- dev_read_sysfs(snort_t)
- dev_read_rand(snort_t)
- dev_read_urand(snort_t)
-+dev_read_usbmon_dev(snort_t)
- # Red Hat bug 559861: Snort wants read, write, and ioctl on /dev/usbmon
- # Snort uses libpcap, which can also monitor USB traffic. Maybe this is a side effect?
- dev_rw_generic_usb_dev(snort_t)
+diff --git a/policy/modules/services/snort.if b/policy/modules/services/snort.if
+index c117e8b..215f425 100644
+--- a/policy/modules/services/snort.if
++++ b/policy/modules/services/snort.if
+@@ -5,9 +5,9 @@
+ ## Execute a domain transition to run snort.
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
++## <summary>
+ ## Domain allowed to transition.
+-## </summary>
++## </summary>
+ ## </param>
+ #
+ interface(`snort_domtrans',`
diff --git a/policy/modules/services/spamassassin.fc b/policy/modules/services/spamassassin.fc
index 6b3abf9..540981f 100644
--- a/policy/modules/services/spamassassin.fc
@@ -25476,10 +25854,40 @@ index 6b3abf9..540981f 100644
+/var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
+/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
diff --git a/policy/modules/services/spamassassin.if b/policy/modules/services/spamassassin.if
-index c954f31..76cfada 100644
+index c954f31..7f57f22 100644
--- a/policy/modules/services/spamassassin.if
+++ b/policy/modules/services/spamassassin.if
-@@ -111,6 +111,45 @@ interface(`spamassassin_domtrans_client',`
+@@ -14,6 +14,7 @@
+ ## User domain for the role
+ ## </summary>
+ ## </param>
++## <rolecap/>
+ #
+ interface(`spamassassin_role',`
+ gen_require(`
+@@ -25,9 +26,13 @@ interface(`spamassassin_role',`
+ role $1 types { spamc_t spamassassin_t };
+
+ domtrans_pattern($2, spamassassin_exec_t, spamassassin_t)
++
++ allow $2 spamassassin_t:process { ptrace signal_perms };
+ ps_process_pattern($2, spamassassin_t)
+
+ domtrans_pattern($2, spamc_exec_t, spamc_t)
++
++ allow $2 spamc_t:process { ptrace signal_perms };
+ ps_process_pattern($2, spamc_t)
+
+ manage_dirs_pattern($2, spamassassin_home_t, spamassassin_home_t)
+@@ -55,7 +60,6 @@ interface(`spamassassin_exec',`
+ ')
+
+ can_exec($1, spamassassin_exec_t)
+-
+ ')
+
+ ########################################
+@@ -111,6 +115,46 @@ interface(`spamassassin_domtrans_client',`
')
domtrans_pattern($1, spamc_exec_t, spamc_t)
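Review bot: The two added rules `allow $2 spamassassin_t:process { ptrace signal_perms };` and its `spamc_t` twin in `spamassassin_role` give the user domain ptrace over processes it previously could only transition to and list via `ps_process_pattern`; ptrace is far more than the signal permissions the surrounding code needs. The same widening appears in the two `ssh_role_template` hunks later in this file, where `allow $3 ssh_t:process signal;` and `allow $3 $1_ssh_agent_t:process signal;` both become `{ ptrace signal_perms }`. That second one matters most: ssh-agent keeps unlocked private keys in process memory, and a separate `$1_ssh_agent_t` domain exists precisely so arbitrary user-domain code cannot read them, which ptrace defeats. I would keep `signal_perms` and leave ptrace out of the role templates, e.g. `allow $3 $1_ssh_agent_t:process signal_perms;`, or gate it behind a tunable if debugging needs it.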
@@ -25519,13 +25927,14 @@ index c954f31..76cfada 100644
+ type spamc_home_t;
+ ')
+
++ userdom_search_user_home_dirs($1)
+ manage_dirs_pattern($1, spamc_home_t, spamc_home_t)
+ manage_files_pattern($1, spamc_home_t, spamc_home_t)
+ manage_lnk_files_pattern($1, spamc_home_t, spamc_home_t)
')
########################################
-@@ -166,7 +205,9 @@ interface(`spamassassin_read_lib_files',`
+@@ -166,7 +210,9 @@ interface(`spamassassin_read_lib_files',`
')
files_search_var_lib($1)
@@ -25535,10 +25944,21 @@ index c954f31..76cfada 100644
')
########################################
-@@ -225,3 +266,69 @@ interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',`
+@@ -204,6 +250,7 @@ interface(`spamassassin_read_spamd_tmp_files',`
+ type spamd_tmp_t;
+ ')
- dontaudit $1 spamd_tmp_t:sock_file getattr;
++ files_search_tmp($1)
+ allow $1 spamd_tmp_t:file read_file_perms;
')
+
+@@ -223,5 +270,72 @@ interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',`
+ type spamd_tmp_t;
+ ')
+
+- dontaudit $1 spamd_tmp_t:sock_file getattr;
++ dontaudit $1 spamd_tmp_t:sock_file getattr_sock_file_perms;
++')
+
+########################################
+## <summary>
@@ -25552,9 +25972,10 @@ index c954f31..76cfada 100644
+#
+interface(`spamd_stream_connect',`
+ gen_require(`
-+ type spamd_t, spamd_var_run_t, spamd_spool_t;
++ type spamd_t, spamd_var_run_t;
+ ')
+
++ files_search_pids($1)
+ stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t)
+')
+
@@ -25584,7 +26005,7 @@ index c954f31..76cfada 100644
+
+ allow $1 spamd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, spamd_t)
-+
++
+ init_labeled_script_domtrans($1, spamd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 spamd_initrc_exec_t system_r;
@@ -25604,7 +26025,7 @@ index c954f31..76cfada 100644
+
+ files_list_pids($1)
+ admin_pattern($1, spamd_var_run_t)
-+')
+ ')
diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
index 9d40380..9ad4eff 100644
--- a/policy/modules/services/spamassassin.te
@@ -25908,6 +26329,27 @@ index 9d40380..9ad4eff 100644
')
optional_policy(`
+diff --git a/policy/modules/services/squid.if b/policy/modules/services/squid.if
+index d2496bd..dc4f590 100644
+--- a/policy/modules/services/squid.if
++++ b/policy/modules/services/squid.if
+@@ -71,7 +71,7 @@ interface(`squid_rw_stream_sockets',`
+ type squid_t;
+ ')
+
+- allow $1 squid_t:unix_stream_socket { getattr read write };
++ allow $1 squid_t:unix_stream_socket rw_socket_perms;
+ ')
+
+ ########################################
+@@ -83,7 +83,6 @@ interface(`squid_rw_stream_sockets',`
+ ## Domain to not audit.
+ ## </summary>
+ ## </param>
+-## <rolecap/>
+ #
+ interface(`squid_dontaudit_search_cache',`
+ gen_require(`
diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
index 078bcd7..dd706b0 100644
--- a/policy/modules/services/ssh.fc
@@ -25931,10 +26373,14 @@ index 078bcd7..dd706b0 100644
+/root/\.ssh(/.*)? gen_context(system_u:object_r:home_ssh_t,s0)
+/root/\.shosts gen_context(system_u:object_r:home_ssh_t,s0)
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
-index 22adaca..3061e83 100644
+index 22adaca..784c363 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
-@@ -36,6 +36,7 @@ template(`ssh_basic_client_template',`
+@@ -32,10 +32,10 @@
+ ## </param>
+ #
+ template(`ssh_basic_client_template',`
+-
gen_require(`
attribute ssh_server;
type ssh_exec_t, sshd_key_t, sshd_tmp_t;
@@ -25942,7 +26388,7 @@ index 22adaca..3061e83 100644
')
##############################
-@@ -47,10 +48,6 @@ template(`ssh_basic_client_template',`
+@@ -47,10 +47,6 @@ template(`ssh_basic_client_template',`
application_domain($1_ssh_t, ssh_exec_t)
role $3 types $1_ssh_t;
@@ -25953,7 +26399,7 @@ index 22adaca..3061e83 100644
##############################
#
# Client local policy
-@@ -93,18 +90,18 @@ template(`ssh_basic_client_template',`
+@@ -93,18 +89,18 @@ template(`ssh_basic_client_template',`
ps_process_pattern($2, $1_ssh_t)
# user can manage the keys and config
@@ -25980,7 +26426,7 @@ index 22adaca..3061e83 100644
kernel_read_kernel_sysctls($1_ssh_t)
kernel_read_system_state($1_ssh_t)
-@@ -116,6 +113,8 @@ template(`ssh_basic_client_template',`
+@@ -116,6 +112,8 @@ template(`ssh_basic_client_template',`
corenet_tcp_sendrecv_all_ports($1_ssh_t)
corenet_tcp_connect_ssh_port($1_ssh_t)
corenet_sendrecv_ssh_client_packets($1_ssh_t)
@@ -25989,7 +26435,16 @@ index 22adaca..3061e83 100644
dev_read_urand($1_ssh_t)
-@@ -181,9 +180,9 @@ template(`ssh_server_template', `
+@@ -168,7 +166,7 @@ template(`ssh_basic_client_template',`
+ ## </summary>
+ ## </param>
+ #
+-template(`ssh_server_template', `
++template(`ssh_server_template',`
+ type $1_t, ssh_server;
+ auth_login_pgm_domain($1_t)
+
+@@ -181,16 +179,16 @@ template(`ssh_server_template', `
type $1_var_run_t;
files_pid_file($1_var_run_t)
@@ -26001,7 +26456,15 @@ index 22adaca..3061e83 100644
allow $1_t self:tcp_socket create_stream_socket_perms;
allow $1_t self:udp_socket create_socket_perms;
# ssh agent connections:
-@@ -206,6 +205,7 @@ template(`ssh_server_template', `
+ allow $1_t self:unix_stream_socket create_stream_socket_perms;
+ allow $1_t self:shm create_shm_perms;
+
+- allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom };
++ allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms getattr_chr_file_perms relabelfrom };
+ term_create_pty($1_t, $1_devpts_t)
+
+ manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+@@ -206,6 +204,7 @@ template(`ssh_server_template', `
kernel_read_kernel_sysctls($1_t)
kernel_read_network_state($1_t)
@@ -26009,7 +26472,7 @@ index 22adaca..3061e83 100644
corenet_all_recvfrom_unlabeled($1_t)
corenet_all_recvfrom_netlabel($1_t)
-@@ -220,8 +220,11 @@ template(`ssh_server_template', `
+@@ -220,8 +219,11 @@ template(`ssh_server_template', `
corenet_tcp_bind_generic_node($1_t)
corenet_udp_bind_generic_node($1_t)
corenet_tcp_bind_ssh_port($1_t)
@@ -26022,7 +26485,7 @@ index 22adaca..3061e83 100644
fs_dontaudit_getattr_all_fs($1_t)
-@@ -234,6 +237,7 @@ template(`ssh_server_template', `
+@@ -234,6 +236,7 @@ template(`ssh_server_template', `
corecmd_getattr_bin_files($1_t)
domain_interactive_fd($1_t)
@@ -26030,18 +26493,18 @@ index 22adaca..3061e83 100644
files_read_etc_files($1_t)
files_read_etc_runtime_files($1_t)
-@@ -243,9 +247,9 @@ template(`ssh_server_template', `
+@@ -243,9 +246,8 @@ template(`ssh_server_template', `
miscfiles_read_localization($1_t)
- userdom_create_all_users_keys($1_t)
userdom_dontaudit_relabelfrom_user_ptys($1_t)
- userdom_search_user_home_dirs($1_t)
+- userdom_search_user_home_dirs($1_t)
+ userdom_read_user_home_content_files($1_t)
# Allow checking users mail at login
mta_getattr_spool($1_t)
-@@ -268,6 +272,14 @@ template(`ssh_server_template', `
+@@ -268,6 +270,14 @@ template(`ssh_server_template', `
files_read_var_lib_symlinks($1_t)
nx_spec_domtrans_server($1_t)
')
@@ -26056,7 +26519,29 @@ index 22adaca..3061e83 100644
')
########################################
-@@ -338,6 +350,7 @@ template(`ssh_role_template',`
+@@ -290,11 +300,11 @@ template(`ssh_server_template', `
+ ## User domain for the role
+ ## </summary>
+ ## </param>
++## <rolecap/>
+ #
+ template(`ssh_role_template',`
+ gen_require(`
+ attribute ssh_server, ssh_agent_type;
+-
+ type ssh_t, ssh_exec_t, ssh_tmpfs_t, ssh_home_t;
+ type ssh_agent_exec_t, ssh_keysign_t, ssh_tmpfs_t;
+ type ssh_agent_tmp_t;
+@@ -327,7 +337,7 @@ template(`ssh_role_template',`
+
+ # allow ps to show ssh
+ ps_process_pattern($3, ssh_t)
+- allow $3 ssh_t:process signal;
++ allow $3 ssh_t:process { ptrace signal_perms };
+
+ # for rsync
+ allow ssh_t $3:unix_stream_socket rw_socket_perms;
+@@ -338,6 +348,7 @@ template(`ssh_role_template',`
manage_lnk_files_pattern($3, ssh_home_t, ssh_home_t)
manage_sock_files_pattern($3, ssh_home_t, ssh_home_t)
userdom_search_user_home_dirs($1_t)
@@ -26064,13 +26549,57 @@ index 22adaca..3061e83 100644
##############################
#
-@@ -584,6 +597,25 @@ interface(`ssh_domtrans',`
- domtrans_pattern($1, sshd_exec_t, sshd_t)
- ')
+@@ -359,7 +370,7 @@ template(`ssh_role_template',`
+ stream_connect_pattern($3, ssh_agent_tmp_t, ssh_agent_tmp_t, $1_ssh_agent_t)
+
+ # Allow the user shell to signal the ssh program.
+- allow $3 $1_ssh_agent_t:process signal;
++ allow $3 $1_ssh_agent_t:process { ptrace signal_perms };
+
+ # allow ps to show ssh
+ ps_process_pattern($3, $1_ssh_agent_t)
+@@ -381,7 +392,6 @@ template(`ssh_role_template',`
+
+ files_read_etc_files($1_ssh_agent_t)
+ files_read_etc_runtime_files($1_ssh_agent_t)
+- files_search_home($1_ssh_agent_t)
+
+ libs_read_lib_files($1_ssh_agent_t)
+
+@@ -398,9 +408,6 @@ template(`ssh_role_template',`
+ # for the transition back to normal privs upon exec
+ userdom_search_user_home_content($1_ssh_agent_t)
+ userdom_user_home_domtrans($1_ssh_agent_t, $3)
+- allow $3 $1_ssh_agent_t:fd use;
+- allow $3 $1_ssh_agent_t:fifo_file rw_file_perms;
+- allow $3 $1_ssh_agent_t:process sigchld;
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_files($1_ssh_agent_t)
+@@ -477,8 +484,9 @@ interface(`ssh_read_pipes',`
+ type sshd_t;
+ ')
+- allow $1 sshd_t:fifo_file { getattr read };
++ allow $1 sshd_t:fifo_file read_fifo_file_perms;
+ ')
+
-+########################################
-+## <summary>
+ ########################################
+ ## <summary>
+ ## Read and write a ssh server unnamed pipe.
+@@ -494,7 +502,7 @@ interface(`ssh_rw_pipes',`
+ type sshd_t;
+ ')
+
+- allow $1 sshd_t:fifo_file { write read getattr ioctl };
++ allow $1 sshd_t:fifo_file rw_inherited_fifo_file_perms;
+ ')
+
+ ########################################
+@@ -586,6 +594,24 @@ interface(`ssh_domtrans',`
+
+ ########################################
+ ## <summary>
+## Execute sshd server in the sshd domain.
+## </summary>
+## <param name="domain">
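Review bot: `allow $1 sshd_t:fifo_file read_fifo_file_perms;` in `ssh_read_pipes` is inconsistent with the `ssh_rw_pipes` change a few lines below, which switches to `rw_inherited_fifo_file_perms`. The pipe in both cases is one inherited from sshd, and `read_fifo_file_perms` as defined in refpolicy includes `open`, which the replaced literal `{ getattr read }` did not grant and which an inherited fd never needs. If the patch's perm-set file defines a read-only inherited variant, use it here; otherwise the literal set was the tighter choice. The `ssh_role_template` body this hunk also touches starts and ends outside the hunk.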
@@ -26087,10 +26616,30 @@ index 22adaca..3061e83 100644
+ init_labeled_script_domtrans($1, sshd_initrc_exec_t)
+')
+
- ########################################
- ## <summary>
++########################################
++## <summary>
## Execute the ssh client in the caller domain.
-@@ -735,3 +767,22 @@ interface(`ssh_delete_tmp',`
+ ## </summary>
+ ## <param name="domain">
+@@ -618,7 +644,7 @@ interface(`ssh_setattr_key_files',`
+ type sshd_key_t;
+ ')
+
+- allow $1 sshd_key_t:file setattr;
++ allow $1 sshd_key_t:file setattr_file_perms;
+ files_search_pids($1)
+ ')
+
+@@ -695,7 +721,7 @@ interface(`ssh_dontaudit_read_server_keys',`
+ type sshd_key_t;
+ ')
+
+- dontaudit $1 sshd_key_t:file { getattr read };
++ dontaudit $1 sshd_key_t:file read_file_perms;
+ ')
+
+ ######################################
+@@ -735,3 +761,21 @@ interface(`ssh_delete_tmp',`
files_search_tmp($1)
delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
')
@@ -26112,7 +26661,6 @@ index 22adaca..3061e83 100644
+
+ allow $1 sshd_t:process signull;
+')
-+
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 2dad3c8..68c3057 100644
--- a/policy/modules/services/ssh.te
@@ -26356,6 +26904,63 @@ index 2dad3c8..68c3057 100644
seutil_sigchld_newrole(ssh_keygen_t)
')
+diff --git a/policy/modules/services/sssd.if b/policy/modules/services/sssd.if
+index 941380a..6dbfc01 100644
+--- a/policy/modules/services/sssd.if
++++ b/policy/modules/services/sssd.if
+@@ -5,9 +5,9 @@
+ ## Execute a domain transition to run sssd.
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
++## <summary>
+ ## Domain allowed to transition.
+-## </summary>
++## </summary>
+ ## </param>
+ #
+ interface(`sssd_domtrans',`
+@@ -89,6 +89,7 @@ interface(`sssd_manage_pids',`
+ type sssd_var_run_t;
+ ')
+
++ files_search_pids($1)
+ manage_dirs_pattern($1, sssd_var_run_t, sssd_var_run_t)
+ manage_files_pattern($1, sssd_var_run_t, sssd_var_run_t)
+ ')
+@@ -128,7 +129,6 @@ interface(`sssd_dontaudit_search_lib',`
+ ')
+
+ dontaudit $1 sssd_var_lib_t:dir search_dir_perms;
+- files_search_var_lib($1)
+ ')
+
+ ########################################
+@@ -225,21 +225,15 @@ interface(`sssd_stream_connect',`
+ ## The role to be allowed to manage the sssd domain.
+ ## </summary>
+ ## </param>
+-## <param name="terminal">
+-## <summary>
+-## The type of the user terminal.
+-## </summary>
+-## </param>
+ ## <rolecap/>
+ #
+ interface(`sssd_admin',`
+ gen_require(`
+- type sssd_t, sssd_public_t;
+- type sssd_initrc_exec_t;
++ type sssd_t, sssd_public_t, sssd_initrc_exec_t;
+ ')
+
+- allow $1 sssd_t:process { ptrace signal_perms getattr };
+- read_files_pattern($1, sssd_t, sssd_t)
++ allow $1 sssd_t:process { ptrace signal_perms };
++ ps_process_pattern($1, sssd_t)
+
+ # Allow sssd_t to restart the apache service
+ sssd_initrc_domtrans($1)
diff --git a/policy/modules/services/sssd.te b/policy/modules/services/sssd.te
index 8ffa257..07d6748 100644
--- a/policy/modules/services/sssd.te
@@ -26389,21 +26994,18 @@ index 8ffa257..07d6748 100644
optional_policy(`
dbus_system_bus_client(sssd_t)
dbus_connect_system_bus(sssd_t)
-diff --git a/policy/modules/services/stunnel.te b/policy/modules/services/stunnel.te
-index 02e751d..733250d 100644
---- a/policy/modules/services/stunnel.te
-+++ b/policy/modules/services/stunnel.te
-@@ -46,8 +46,9 @@ manage_dirs_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t)
- manage_files_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t)
- files_tmp_filetrans(stunnel_t, stunnel_tmp_t, { file dir })
-
-+manage_dirs_pattern(stunnel_t, stunnel_var_run_t, stunnel_var_run_t)
- manage_files_pattern(stunnel_t, stunnel_var_run_t, stunnel_var_run_t)
--files_pid_filetrans(stunnel_t, stunnel_var_run_t, file)
-+files_pid_filetrans(stunnel_t, stunnel_var_run_t, { file dir })
-
- kernel_read_kernel_sysctls(stunnel_t)
- kernel_read_system_state(stunnel_t)
+diff --git a/policy/modules/services/stunnel.if b/policy/modules/services/stunnel.if
+index 6073656..eaf49b2 100644
+--- a/policy/modules/services/stunnel.if
++++ b/policy/modules/services/stunnel.if
+@@ -20,6 +20,6 @@ interface(`stunnel_service_domain',`
+ type stunnel_t;
+ ')
+
+- domtrans_pattern(stunnel_t,$2,$1)
++ domtrans_pattern(stunnel_t, $2, $1)
+ allow $1 stunnel_t:tcp_socket rw_socket_perms;
+ ')
diff --git a/policy/modules/services/sysstat.te b/policy/modules/services/sysstat.te
index 52f0d6c..111b041 100644
--- a/policy/modules/services/sysstat.te
@@ -26449,7 +27051,7 @@ index f40e67b..a0eeea9 100644
optional_policy(`
kerberos_keytab_template(telnetd, telnetd_t)
diff --git a/policy/modules/services/tftp.if b/policy/modules/services/tftp.if
-index 38bb312..4d10dda 100644
+index 38bb312..1427b54 100644
--- a/policy/modules/services/tftp.if
+++ b/policy/modules/services/tftp.if
@@ -16,6 +16,26 @@ interface(`tftp_read_content',`
@@ -26487,19 +27089,19 @@ index 38bb312..4d10dda 100644
+## with specified types.
+## </summary>
+## <param name="domain">
-+## <summary>
++## <summary>
+## Domain allowed access.
-+## </summary>
++## </summary>
+## </param>
+## <param name="file_type">
-+## <summary>
++## <summary>
+## Private file type.
-+## </summary>
++## </summary>
+## </param>
+## <param name="object_class">
-+## <summary>
++## <summary>
+## Class of the object being created.
-+## </summary>
++## </summary>
+## </param>
+#
+interface(`tftp_filetrans_tftpdir',`
@@ -26516,6 +27118,18 @@ index 38bb312..4d10dda 100644
## All of the rules required to administrate
## an tftp environment
## </summary>
+@@ -55,9 +105,10 @@ interface(`tftp_admin',`
+ type tftpd_t, tftpdir_t, tftpdir_rw_t, tftpd_var_run_t;
+ ')
+
+- allow $1 tftpd_t:process { ptrace signal_perms getattr };
++ allow $1 tftpd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, tftpd_t)
+
++ files_list_var_lib($1)
+ admin_pattern($1, tftpdir_rw_t)
+
+ admin_pattern($1, tftpdir_t)
diff --git a/policy/modules/services/tftp.te b/policy/modules/services/tftp.te
index d50c10d..66bfd1c 100644
--- a/policy/modules/services/tftp.te
@@ -26531,12 +27145,65 @@ index d50c10d..66bfd1c 100644
inetd_udp_service_domain(tftpd_t, tftpd_exec_t)
')
+diff --git a/policy/modules/services/tgtd.if b/policy/modules/services/tgtd.if
+index b113b41..c2ed23a 100644
+--- a/policy/modules/services/tgtd.if
++++ b/policy/modules/services/tgtd.if
+@@ -11,18 +11,36 @@
+
+ #####################################
+ ## <summary>
+-## Allow read and write access to tgtd semaphores.
++## Allow read and write access to tgtd semaphores.
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
++## <summary>
++## Domain allowed access.
++## </summary>
+ ## </param>
+ #
+ interface(`tgtd_rw_semaphores',`
+- gen_require(`
+- type tgtd_t;
+- ')
++ gen_require(`
++ type tgtd_t;
++ ')
+
+- allow $1 tgtd_t:sem rw_sem_perms;
++ allow $1 tgtd_t:sem rw_sem_perms;
++')
++
++######################################
++## <summary>
++## Manage tgtd sempaphores.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`tgtd_manage_semaphores',`
++ gen_require(`
++ type tgtd_t;
++ ')
++
++ allow $1 tgtd_t:sem create_sem_perms;
+ ')
diff --git a/policy/modules/services/tgtd.te b/policy/modules/services/tgtd.te
-index aa0cc45..debff69 100644
+index aa0cc45..678ab90 100644
--- a/policy/modules/services/tgtd.te
+++ b/policy/modules/services/tgtd.te
-@@ -59,8 +59,12 @@ corenet_sendrecv_iscsi_server_packets(tgtd_t)
+@@ -57,10 +57,18 @@ corenet_tcp_bind_generic_node(tgtd_t)
+ corenet_tcp_bind_iscsi_port(tgtd_t)
+ corenet_sendrecv_iscsi_server_packets(tgtd_t)
++dev_search_sysfs(tgtd_t)
++
files_read_etc_files(tgtd_t)
+fs_read_anon_inodefs_files(tgtd_t)
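Review bot: The summary added for the new `tgtd_manage_semaphores` interface has a typo, "Manage tgtd sempaphores."; it should read `## Manage tgtd semaphores.` since this text is what the interface documentation generator publishes. The interface itself looks right: `create_sem_perms` is the conventional set for a manage interface, and the `tgtd.te` side wraps the `iscsi_manage_semaphores(tgtd_t)` call in `optional_policy`, which avoids a hard dependency on the iscsi module. The tgtd.te hunk continues past the end of this hunk.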
@@ -26547,7 +27214,22 @@ index aa0cc45..debff69 100644
miscfiles_read_localization(tgtd_t)
+
-+iscsi_manage_semaphores(tgtd_t)
++optional_policy(`
++ iscsi_manage_semaphores(tgtd_t)
++')
+diff --git a/policy/modules/services/tor.if b/policy/modules/services/tor.if
+index 904f13e..464347f 100644
+--- a/policy/modules/services/tor.if
++++ b/policy/modules/services/tor.if
+@@ -42,7 +42,7 @@ interface(`tor_admin',`
+ type tor_initrc_exec_t;
+ ')
+
+- allow $1 tor_t:process { ptrace signal_perms getattr };
++ allow $1 tor_t:process { ptrace signal_perms };
+ ps_process_pattern($1, tor_t)
+
+ init_labeled_script_domtrans($1, tor_initrc_exec_t)
diff --git a/policy/modules/services/tor.te b/policy/modules/services/tor.te
index 9fa94e4..0a0074c 100644
--- a/policy/modules/services/tor.te
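Review bot: Dropping `getattr` from the `tor_admin` process rule (`allow $1 tor_t:process { ptrace signal_perms };`) is only safe if `ps_process_pattern($1, tor_t)` on the next line grants process getattr itself; as far as I recall the refpolicy pattern does, so this reads as redundancy removal, but it is worth confirming against the pattern definition before merging. The identical change appears in `uucp_admin` further down (`allow $1 uucpd_t:process { ptrace signal_perms };`). Both admin interfaces extend beyond their hunks.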
@@ -26590,6 +27272,32 @@ index 9fa94e4..0a0074c 100644
miscfiles_read_localization(tor_t)
tunable_policy(`tor_bind_all_unreserved_ports', `
+diff --git a/policy/modules/services/tuned.if b/policy/modules/services/tuned.if
+index 54b8605..329f139 100644
+--- a/policy/modules/services/tuned.if
++++ b/policy/modules/services/tuned.if
+@@ -5,9 +5,9 @@
+ ## Execute a domain transition to run tuned.
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
++## <summary>
+ ## Domain allowed to transition.
+-## </summary>
++## </summary>
+ ## </param>
+ #
+ interface(`tuned_domtrans',`
+@@ -112,8 +112,7 @@ interface(`tuned_initrc_domtrans',`
+ #
+ interface(`tuned_admin',`
+ gen_require(`
+- type tuned_t, tuned_var_run_t;
+- type tuned_initrc_exec_t;
++ type tuned_t, tuned_var_run_t, tuned_initrc_exec_t;
+ ')
+
+ allow $1 tuned_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/tuned.te b/policy/modules/services/tuned.te
index db9d2a5..b3983a9 100644
--- a/policy/modules/services/tuned.te
@@ -26613,6 +27321,29 @@ index db9d2a5..b3983a9 100644
# to allow network interface tuning
optional_policy(`
sysnet_domtrans_ifconfig(tuned_t)
+diff --git a/policy/modules/services/ucspitcp.if b/policy/modules/services/ucspitcp.if
+index c1feba4..1f6f55b 100644
+--- a/policy/modules/services/ucspitcp.if
++++ b/policy/modules/services/ucspitcp.if
+@@ -20,7 +20,7 @@
+ ## </summary>
+ ## </param>
+ #
+-interface(`ucspitcp_service_domain', `
++interface(`ucspitcp_service_domain',`
+ gen_require(`
+ type ucspitcp_t;
+ role system_r;
+@@ -31,8 +31,5 @@ interface(`ucspitcp_service_domain', `
+
+ role system_r types $1;
+
+- domain_auto_trans(ucspitcp_t, $2, $1)
+- allow $1 ucspitcp_t:fd use;
+- allow $1 ucspitcp_t:process sigchld;
+- allow $1 ucspitcp_t:tcp_socket rw_stream_socket_perms;
++ domtrans_pattern(ucspitcp_t, $2, $1)
+ ')
diff --git a/policy/modules/services/ucspitcp.te b/policy/modules/services/ucspitcp.te
index a0794bf..dd23a9c 100644
--- a/policy/modules/services/ucspitcp.te
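Review bot: Replacing the four explicit rules in `ucspitcp_service_domain` with `domtrans_pattern(ucspitcp_t, $2, $1)` silently drops `allow $1 ucspitcp_t:tcp_socket rw_stream_socket_perms;`; as far as I know domtrans_pattern covers only the transition plus fd use, fifo_file read/write and sigchld, not inherited TCP sockets. A service spawned by tcpserver talks to its client over the socket it inherits from ucspitcp_t, so the spawned domain presumably still needs that rule and its removal would surface as tcp_socket denials at runtime. Keep `allow $1 ucspitcp_t:tcp_socket rw_stream_socket_perms;` after the domtrans_pattern line unless the socket is intentionally no longer shared. Note also that domtrans_pattern adds fifo_file read/write on ucspitcp_t that the old rules did not grant; confirm that widening is intended.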
@@ -26626,6 +27357,45 @@ index a0794bf..dd23a9c 100644
+ daemontools_sigchld_run(ucspitcp_t)
+')
+
+diff --git a/policy/modules/services/ulogd.if b/policy/modules/services/ulogd.if
+index b078bf7..e3c66d8 100644
+--- a/policy/modules/services/ulogd.if
++++ b/policy/modules/services/ulogd.if
+@@ -5,9 +5,9 @@
+ ## Execute a domain transition to run ulogd.
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
++## <summary>
+ ## Domain allowed to transition.
+-## </summary>
++## </summary>
+ ## </param>
+ #
+ interface(`ulogd_domtrans',`
+@@ -65,9 +65,9 @@ interface(`ulogd_read_log',`
+ ## Allow the specified domain to search ulogd's log files.
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
++## <summary>
+ ## Domain allowed access.
+-## </summary>
++## </summary>
+ ## </param>
+ #
+ interface(`ulogd_search_log',`
+@@ -119,9 +119,8 @@ interface(`ulogd_append_log',`
+ #
+ interface(`ulogd_admin',`
+ gen_require(`
+- type ulogd_t, ulogd_etc_t;
++ type ulogd_t, ulogd_etc_t, ulogd_modules_t;
+ type ulogd_var_log_t, ulogd_initrc_exec_t;
+- type ulogd_modules_t;
+ ')
+
+ allow $1 ulogd_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/ulogd.te b/policy/modules/services/ulogd.te
index eeaa641..eb4d8d5 100644
--- a/policy/modules/services/ulogd.te
@@ -26669,8 +27439,24 @@ index fa54aee..40b8b8d 100644
-/var/run/usbmuxd -s gen_context(system_u:object_r:usbmuxd_var_run_t,s0)
+/var/run/usbmuxd.* gen_context(system_u:object_r:usbmuxd_var_run_t,s0)
+diff --git a/policy/modules/services/usbmuxd.if b/policy/modules/services/usbmuxd.if
+index 5015043..53792d3 100644
+--- a/policy/modules/services/usbmuxd.if
++++ b/policy/modules/services/usbmuxd.if
+@@ -5,9 +5,9 @@
+ ## Execute a domain transition to run usbmuxd.
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
++## <summary>
+ ## Domain allowed to transition.
+-## </summary>
++## </summary>
+ ## </param>
+ #
+ interface(`usbmuxd_domtrans',`
diff --git a/policy/modules/services/uucp.if b/policy/modules/services/uucp.if
-index a4fbe31..0e4774c 100644
+index a4fbe31..a717e2d 100644
--- a/policy/modules/services/uucp.if
+++ b/policy/modules/services/uucp.if
@@ -2,6 +2,25 @@
@@ -26699,6 +27485,15 @@ index a4fbe31..0e4774c 100644
## Allow the specified domain to append
## to uucp log files.
## </summary>
+@@ -80,7 +99,7 @@ interface(`uucp_admin',`
+ type uucpd_var_run_t;
+ ')
+
+- allow $1 uucpd_t:process { ptrace signal_perms getattr };
++ allow $1 uucpd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, uucpd_t)
+
+ logging_list_logs($1)
diff --git a/policy/modules/services/uucp.te b/policy/modules/services/uucp.te
index b775aaf..ec1562b 100644
--- a/policy/modules/services/uucp.te
@@ -26723,9 +27518,18 @@ index b775aaf..ec1562b 100644
#
# UUX Local policy
diff --git a/policy/modules/services/varnishd.if b/policy/modules/services/varnishd.if
-index b4d90ac..9214237 100644
+index b4d90ac..e0f819e 100644
--- a/policy/modules/services/varnishd.if
+++ b/policy/modules/services/varnishd.if
+@@ -21,7 +21,7 @@ interface(`varnishd_domtrans',`
+
+ #######################################
+ ## <summary>
+-## Execute varnishd
++## Execute varnishd
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
@@ -56,6 +56,25 @@ interface(`varnishd_read_config',`
read_files_pattern($1, varnishd_etc_t, varnishd_etc_t)
')
@@ -26735,23 +27539,62 @@ index b4d90ac..9214237 100644
+## Read varnish lib files.
+## </summary>
+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
++## <summary>
++## Domain allowed access.
++## </summary>
+## </param>
+#
+interface(`varnishd_read_lib_files',`
-+ gen_require(`
-+ type varnishd_var_lib_t;
-+ ')
++ gen_require(`
++ type varnishd_var_lib_t;
++ ')
+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, varnishd_var_lib_t, varnishd_var_lib_t)
++ files_search_var_lib($1)
++ read_files_pattern($1, varnishd_var_lib_t, varnishd_var_lib_t)
+')
+
#######################################
## <summary>
## Read varnish logs.
+@@ -132,9 +151,8 @@ interface(`varnishd_manage_log',`
+ #
+ interface(`varnishd_admin_varnishlog',`
+ gen_require(`
+- type varnishlog_t;
++ type varnishlog_t, varnishlog_initrc_exec_t;
+ type varnishlog_var_run_t, varnishlog_log_t;
+- type varnishlog_initrc_exec_t;
+ ')
+
+ allow $1 varnishlog_t:process { ptrace signal_perms };
+@@ -146,11 +164,10 @@ interface(`varnishd_admin_varnishlog',`
+ allow $2 system_r;
+
+ files_search_pids($1)
+- admin_pattern($1, varnishlog_var_run_t)
++ admin_pattern($1, varnishlog_var_run_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, varnishlog_log_t)
+-
+ ')
+
+ #######################################
+@@ -173,7 +190,7 @@ interface(`varnishd_admin_varnishlog',`
+ interface(`varnishd_admin',`
+ gen_require(`
+ type varnishd_t, varnishd_var_lib_t, varnishd_etc_t;
+- type varnishd_var_run_t, varnishd_tmp_t;
++ type varnishd_var_run_t, varnishd_tmp_t;
+ type varnishd_initrc_exec_t;
+ ')
+
+@@ -196,5 +213,4 @@ interface(`varnishd_admin',`
+
+ files_search_tmp($1)
+ admin_pattern($1, varnishd_tmp_t)
+-
+ ')
diff --git a/policy/modules/services/varnishd.te b/policy/modules/services/varnishd.te
index 1cc80e8..95c6dc3 100644
--- a/policy/modules/services/varnishd.te
@@ -26767,10 +27610,59 @@ index 1cc80e8..95c6dc3 100644
allow varnishd_t self:fifo_file rw_fifo_file_perms;
allow varnishd_t self:tcp_socket create_stream_socket_perms;
diff --git a/policy/modules/services/vhostmd.if b/policy/modules/services/vhostmd.if
-index 1f872b5..dadae8e 100644
+index 1f872b5..da605ba 100644
--- a/policy/modules/services/vhostmd.if
+++ b/policy/modules/services/vhostmd.if
-@@ -209,7 +209,7 @@ interface(`vhostmd_admin',`
+@@ -5,9 +5,9 @@
+ ## Execute a domain transition to run vhostmd.
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
++## <summary>
+ ## Domain allowed to transition.
+-## </summary>
++## </summary>
+ ## </param>
+ #
+ interface(`vhostmd_domtrans',`
+@@ -52,7 +52,7 @@ interface(`vhostmd_read_tmpfs_files',`
+ ')
+
+ allow $1 vhostmd_tmpfs_t:file read_file_perms;
+- files_search_tmp($1)
++ fs_search_tmpfs($1)
+ ')
+
+ ########################################
+@@ -90,7 +90,7 @@ interface(`vhostmd_rw_tmpfs_files',`
+ ')
+
+ rw_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
+- files_search_tmp($1)
++ fs_search_tmpfs($1)
+ ')
+
+ ########################################
+@@ -109,7 +109,7 @@ interface(`vhostmd_manage_tmpfs_files',`
+ ')
+
+ manage_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
+- files_search_tmp($1)
++ fs_search_tmpfs($1)
+ ')
+
+ ########################################
+@@ -146,7 +146,8 @@ interface(`vhostmd_manage_pid_files',`
+ type vhostmd_var_run_t;
+ ')
+
+- manage_files_pattern($1, vhostmd_var_run_t, vhostmd_var_run_t)
++ files_search_pids($1)
++ manage_files_pattern($1, vhostmd_var_run_t, vhostmd_var_run_t)
+ ')
+
+ ########################################
+@@ -209,7 +210,7 @@ interface(`vhostmd_admin',`
type vhostmd_t, vhostmd_initrc_exec_t;
')
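Review bot: `vhostmd_read_tmpfs_files` still uses a bare `allow $1 vhostmd_tmpfs_t:file read_file_perms;` while its siblings `vhostmd_rw_tmpfs_files` and `vhostmd_manage_tmpfs_files` in the same hunk use `rw_files_pattern` and `manage_files_pattern`, and this hunk only swaps its search call to `fs_search_tmpfs($1)`. For consistency the read interface could use `read_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t)`, with the caveat that the pattern also grants search on vhostmd_tmpfs_t directories, which the bare allow does not; only make that change if the extra search is intended. The `vhostmd_admin` interface at the end of the hunk continues outside it.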
@@ -26779,6 +27671,12 @@ index 1f872b5..dadae8e 100644
ps_process_pattern($1, vhostmd_t)
vhostmd_initrc_domtrans($1)
+@@ -220,5 +221,4 @@ interface(`vhostmd_admin',`
+ vhostmd_manage_tmpfs_files($1)
+
+ vhostmd_manage_pid_files($1)
+-
+ ')
diff --git a/policy/modules/services/vhostmd.te b/policy/modules/services/vhostmd.te
index 32a3c13..f56f51f 100644
--- a/policy/modules/services/vhostmd.te
@@ -26833,10 +27731,18 @@ index 2124b6a..be4b00f 100644
/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if
-index 7c5d8d8..1a0701b 100644
+index 7c5d8d8..e584e21 100644
--- a/policy/modules/services/virt.if
+++ b/policy/modules/services/virt.if
-@@ -21,6 +21,7 @@ template(`virt_domain_template',`
+@@ -14,13 +14,13 @@
+ template(`virt_domain_template',`
+ gen_require(`
+ type virtd_t;
+- attribute virt_image_type;
+- attribute virt_domain;
++ attribute virt_image_type, virt_domain;
+ ')
+
type $1_t, virt_domain;
domain_type($1_t)
domain_user_exemption_target($1_t)
@@ -26844,16 +27750,17 @@ index 7c5d8d8..1a0701b 100644
role system_r types $1_t;
type $1_devpts_t;
-@@ -35,17 +36,18 @@ template(`virt_domain_template',`
+@@ -35,17 +35,18 @@ template(`virt_domain_template',`
type $1_image_t, virt_image_type;
files_type($1_image_t)
dev_node($1_image_t)
--
-- type $1_var_run_t;
-- files_pid_file($1_var_run_t)
+ dev_associate_sysfs($1_image_t)
- allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr };
+- type $1_var_run_t;
+- files_pid_file($1_var_run_t)
+-
+- allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr };
++ allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
term_create_pty($1_t, $1_devpts_t)
manage_dirs_pattern($1_t, $1_image_t, $1_image_t)
@@ -26866,7 +27773,7 @@ index 7c5d8d8..1a0701b 100644
manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
-@@ -57,18 +59,6 @@ template(`virt_domain_template',`
+@@ -57,18 +58,6 @@ template(`virt_domain_template',`
manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file })
@@ -26885,7 +27792,27 @@ index 7c5d8d8..1a0701b 100644
optional_policy(`
xserver_rw_shm($1_t)
')
-@@ -171,6 +161,7 @@ interface(`virt_read_config',`
+@@ -101,9 +90,9 @@ interface(`virt_image',`
+ ## Execute a domain transition to run virt.
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
++## <summary>
+ ## Domain allowed to transition.
+-## </summary>
++## </summary>
+ ## </param>
+ #
+ interface(`virt_domtrans',`
+@@ -164,13 +153,13 @@ interface(`virt_attach_tun_iface',`
+ #
+ interface(`virt_read_config',`
+ gen_require(`
+- type virt_etc_t;
+- type virt_etc_rw_t;
++ type virt_etc_t, virt_etc_rw_t;
+ ')
+
files_search_etc($1)
read_files_pattern($1, virt_etc_t, virt_etc_t)
read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
@@ -26893,7 +27820,15 @@ index 7c5d8d8..1a0701b 100644
')
########################################
-@@ -192,6 +183,7 @@ interface(`virt_manage_config',`
+@@ -185,13 +174,13 @@ interface(`virt_read_config',`
+ #
+ interface(`virt_manage_config',`
+ gen_require(`
+- type virt_etc_t;
+- type virt_etc_rw_t;
++ type virt_etc_t, virt_etc_rw_t;
+ ')
+
files_search_etc($1)
manage_files_pattern($1, virt_etc_t, virt_etc_t)
manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
@@ -26901,7 +27836,7 @@ index 7c5d8d8..1a0701b 100644
')
########################################
-@@ -231,6 +223,24 @@ interface(`virt_read_content',`
+@@ -231,6 +220,24 @@ interface(`virt_read_content',`
########################################
## <summary>
@@ -26909,7 +27844,7 @@ index 7c5d8d8..1a0701b 100644
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain to not audit.
++## Domain allowed access.
+## </summary>
+## </param>
+#
@@ -26926,7 +27861,7 @@ index 7c5d8d8..1a0701b 100644
## Read virt PID files.
## </summary>
## <param name="domain">
-@@ -308,6 +318,24 @@ interface(`virt_read_lib_files',`
+@@ -308,6 +315,24 @@ interface(`virt_read_lib_files',`
########################################
## <summary>
@@ -26951,7 +27886,19 @@ index 7c5d8d8..1a0701b 100644
## Create, read, write, and delete
## virt lib files.
## </summary>
-@@ -424,6 +452,24 @@ interface(`virt_read_images',`
+@@ -352,9 +377,9 @@ interface(`virt_read_log',`
+ ## virt log files.
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
++## <summary>
+ ## Domain allowed access.
+-## </summary>
++## </summary>
+ ## </param>
+ #
+ interface(`virt_append_log',`
+@@ -424,6 +449,24 @@ interface(`virt_read_images',`
########################################
## <summary>
@@ -26976,7 +27923,7 @@ index 7c5d8d8..1a0701b 100644
## Create, read, write, and delete
## svirt cache files.
## </summary>
-@@ -433,15 +479,15 @@ interface(`virt_read_images',`
+@@ -433,15 +476,15 @@ interface(`virt_read_images',`
## </summary>
## </param>
#
@@ -26997,7 +27944,7 @@ index 7c5d8d8..1a0701b 100644
')
########################################
-@@ -516,3 +562,51 @@ interface(`virt_admin',`
+@@ -516,3 +559,51 @@ interface(`virt_admin',`
virt_manage_log($1)
')
@@ -27017,6 +27964,7 @@ index 7c5d8d8..1a0701b 100644
+## The role to be allowed the sandbox domain.
+## </summary>
+## </param>
++## <rolecap/>
+#
+interface(`virt_transition_svirt',`
+ gen_require(`
@@ -27048,9 +27996,8 @@ index 7c5d8d8..1a0701b 100644
+
+ dontaudit $1 virtd_t:fifo_file write_fifo_file_perms;
+')
-+
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..91a1d0a 100644
+index 3eca020..fec701f 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -4,6 +4,7 @@ policy_module(virt, 1.4.0)
@@ -27219,22 +28166,23 @@ index 3eca020..91a1d0a 100644
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -200,9 +237,15 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
+@@ -200,8 +237,14 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
+-allow virtd_t virt_image_type:file { relabelfrom relabelto };
+-allow virtd_t virt_image_type:blk_file { relabelfrom relabelto };
+manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type)
- allow virtd_t virt_image_type:file { relabelfrom relabelto };
- allow virtd_t virt_image_type:blk_file { relabelfrom relabelto };
-
++allow virtd_t virt_image_type:file relabel_file_perms;
++allow virtd_t virt_image_type:blk_file relabel_blk_file_perms;
++
+manage_dirs_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
+manage_files_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
+files_tmp_filetrans(virtd_t, virt_tmp_t, { file dir })
+can_exec(virtd_t, virt_tmp_t)
-+
+
manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
- logging_log_filetrans(virtd_t, virt_log_t, { file dir })
@@ -220,6 +263,7 @@ files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
kernel_read_system_state(virtd_t)
kernel_read_network_state(virtd_t)
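Review bot: The virt_tmp_t block this hunk reorders leaves virtd_t able both to create files of that type (`manage_files_pattern(virtd_t, virt_tmp_t, virt_tmp_t)`) and to execute them (`can_exec(virtd_t, virt_tmp_t)`), a write-plus-execute combination on a tmp type with no comment saying why; both lines are context here, so the commit inherits rather than introduces it. A one-line comment above the block, e.g. `# NOTE(review): virtd_t both writes and executes virt_tmp_t; confirm what is run from there`, would let a later reviewer judge whether the exec right is still needed. The switch to `relabel_file_perms` and `relabel_blk_file_perms` is fine if those sets match the literal `{ relabelfrom relabelto }` they replace; they presumably add getattr, which the manage patterns above already grant.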
@@ -27529,6 +28477,16 @@ index 1174ad8..f4c4c1b 100644
sysnet_dns_name_resolve(httpd_w3c_validator_script_t)
+
+apache_dontaudit_rw_tmp_files(httpd_w3c_validator_script_t)
+diff --git a/policy/modules/services/xfs.if b/policy/modules/services/xfs.if
+index aa6e5a8..42a0efb 100644
+--- a/policy/modules/services/xfs.if
++++ b/policy/modules/services/xfs.if
+@@ -1,4 +1,4 @@
+-## <summary>X Windows Font Server </summary>
++## <summary>X Windows Font Server</summary>
+
+ ########################################
+ ## <summary>
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
index 6f1e3c7..39c2bb3 100644
--- a/policy/modules/services/xserver.fc
@@ -27655,7 +28613,7 @@ index 6f1e3c7..39c2bb3 100644
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index da2601a..4bc9fff 100644
+index da2601a..f34a53f 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -19,9 +19,10 @@
@@ -27693,40 +28651,37 @@ index da2601a..4bc9fff 100644
files_search_tmp($2)
# Communicate via System V shared memory.
-@@ -56,6 +59,10 @@ interface(`xserver_restricted_role',`
-
- domtrans_pattern($2, iceauth_exec_t, iceauth_t)
-
-+ifdef(`hide_broken_symptoms', `
-+ dontaudit iceauth_t $2:socket_class_set { read write };
-+')
-+
- allow $2 iceauth_home_t:file read_file_perms;
+@@ -70,17 +73,21 @@ interface(`xserver_restricted_role',`
- domtrans_pattern($2, xauth_exec_t, xauth_t)
-@@ -71,9 +78,13 @@ interface(`xserver_restricted_role',`
# for when /tmp/.X11-unix is created by the system
allow $2 xdm_t:fd use;
- allow $2 xdm_t:fifo_file { getattr read write ioctl };
+- allow $2 xdm_t:fifo_file { getattr read write ioctl };
- allow $2 xdm_tmp_t:dir search;
+- allow $2 xdm_tmp_t:sock_file { read write };
++ allow $2 xdm_t:fifo_file rw_inherited_fifo_file_perms;
+ allow $2 xdm_tmp_t:dir search_dir_perms;
- allow $2 xdm_tmp_t:sock_file { read write };
++ allow $2 xdm_tmp_t:sock_file rw_inherited_sock_file_perms;
dontaudit $2 xdm_t:tcp_socket { read write };
-+ dontaudit $2 xdm_tmp_t:dir setattr;
++ dontaudit $2 xdm_tmp_t:dir setattr_dir_perms;
+
+ allow $2 xdm_t:dbus send_msg;
+ allow xdm_t $2:dbus send_msg;
# Client read xserver shm
allow $2 xserver_t:fd use;
-@@ -89,14 +100,17 @@ interface(`xserver_restricted_role',`
+ allow $2 xserver_tmpfs_t:file read_file_perms;
+
+ # Read /tmp/.X0-lock
+- allow $2 xserver_tmp_t:file { getattr read };
++ allow $2 xserver_tmp_t:file read_inherited_file_perms;
+
+ dev_rw_xserver_misc($2)
+ dev_rw_power_management($2)
+@@ -89,14 +96,14 @@ interface(`xserver_restricted_role',`
dev_write_misc($2)
# open office is looking for the following
dev_getattr_agp_dev($2)
- dev_dontaudit_rw_dri($2)
-+ tunable_policy(`user_direct_dri',`
-+ dev_rw_dri($2)
-+ ')
+
# GNOME checks for usb and other devices:
dev_rw_usbfs($2)
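Review bot: Within `xserver_restricted_role` the hunk converts the neighbouring literal sets to `rw_inherited_fifo_file_perms`, `rw_inherited_sock_file_perms`, `read_inherited_file_perms` and `setattr_dir_perms`, but leaves `dontaudit $2 xdm_t:tcp_socket { read write };` as a literal set; if the project has an equivalent socket permission-set macro, using it would keep the block uniform. The inherited sets presumably carry a few more permissions than the literal `{ getattr read write ioctl }`, `{ read write }` and `{ getattr read }` they replace (append or lock, for instance); for a restricted role that widening is worth confirming against the permission-set definitions. The same substitutions recur in `xserver_user_x_domain_template` and `xserver_rw_xdm_pipes` in later hunks. The interface body continues outside this hunk.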
@@ -27739,9 +28694,36 @@ index da2601a..4bc9fff 100644
xserver_xsession_entry_type($2)
xserver_dontaudit_write_log($2)
xserver_stream_connect_xdm($2)
-@@ -148,8 +162,10 @@ interface(`xserver_role',`
+@@ -107,11 +114,19 @@ interface(`xserver_restricted_role',`
+ # Needed for escd, remove if we get escd policy
+ xserver_manage_xdm_tmp_files($2)
+
++ ifdef(`hide_broken_symptoms',`
++ dontaudit iceauth_t $2:socket_class_set { read write };
++ ')
++
+ # Client write xserver shm
+ tunable_policy(`allow_write_xshm',`
+ allow $2 xserver_t:shm rw_shm_perms;
+ allow $2 xserver_tmpfs_t:file rw_file_perms;
+ ')
++
++ tunable_policy(`user_direct_dri',`
++ dev_rw_dri($2)
++ ')
+ ')
+
+ ########################################
+@@ -143,13 +158,15 @@ interface(`xserver_role',`
+ allow $2 xserver_tmpfs_t:file rw_file_perms;
+
+ allow $2 iceauth_home_t:file manage_file_perms;
+- allow $2 iceauth_home_t:file { relabelfrom relabelto };
++ allow $2 iceauth_home_t:file relabel_file_perms;
+
allow $2 xauth_home_t:file manage_file_perms;
- allow $2 xauth_home_t:file { relabelfrom relabelto };
+- allow $2 xauth_home_t:file { relabelfrom relabelto };
++ allow $2 xauth_home_t:file relabel_file_perms;
+ mls_xwin_read_to_clearance($2)
manage_dirs_pattern($2, user_fonts_t, user_fonts_t)
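Review bot: The relocated hide_broken_symptoms block in `xserver_restricted_role` (`dontaudit iceauth_t $2:socket_class_set { read write };`) now sits after `xserver_manage_xdm_tmp_files($2)`, far from the iceauth domain transition whose denials it silences, and carries no comment explaining why iceauth_t would touch the caller's sockets. A short comment above it, `# NOTE(review): iceauth_t presumably inherits the caller's open sockets; confirm before widening`, would keep the intent readable now that the rule is separated from the domtrans. The moved user_direct_dri tunable is behaviour-neutral as far as is visible here. Both enclosing interfaces extend beyond this hunk.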
@@ -27750,6 +28732,14 @@ index da2601a..4bc9fff 100644
relabel_dirs_pattern($2, user_fonts_t, user_fonts_t)
relabel_files_pattern($2, user_fonts_t, user_fonts_t)
+@@ -162,7 +179,6 @@ interface(`xserver_role',`
+ manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
+ relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
+ relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
+-
+ ')
+
+ #######################################
@@ -197,7 +213,7 @@ interface(`xserver_ro_session',`
allow $1 xserver_t:process signal;
@@ -27775,7 +28765,16 @@ index da2601a..4bc9fff 100644
allow $1 xdm_tmp_t:dir search;
allow $1 xdm_tmp_t:sock_file { read write };
dontaudit $1 xdm_t:tcp_socket { read write };
-@@ -355,6 +371,12 @@ template(`xserver_common_x_domain_template',`
+@@ -347,14 +363,19 @@ template(`xserver_common_x_domain_template',`
+ type xevent_t, client_xevent_t;
+ type input_xevent_t, $1_input_xevent_t;
+
+- attribute x_domain;
++ attribute x_domain, input_xevent_type;
+ attribute xdrawable_type, xcolormap_type;
+- attribute input_xevent_type;
+
+ class x_drawable all_x_drawable_perms;
class x_property all_x_property_perms;
class x_event all_x_event_perms;
class x_synthetic_event all_x_synthetic_event_perms;
@@ -27788,7 +28787,7 @@ index da2601a..4bc9fff 100644
')
##############################
-@@ -386,6 +408,15 @@ template(`xserver_common_x_domain_template',`
+@@ -386,6 +407,15 @@ template(`xserver_common_x_domain_template',`
allow $2 xevent_t:{ x_event x_synthetic_event } receive;
# dont audit send failures
dontaudit $2 input_xevent_type:x_event send;
@@ -27804,7 +28803,24 @@ index da2601a..4bc9fff 100644
')
#######################################
-@@ -476,11 +507,16 @@ template(`xserver_user_x_domain_template',`
+@@ -458,9 +488,9 @@ template(`xserver_user_x_domain_template',`
+
+ # for when /tmp/.X11-unix is created by the system
+ allow $2 xdm_t:fd use;
+- allow $2 xdm_t:fifo_file { getattr read write ioctl };
++ allow $2 xdm_t:fifo_file rw_inherited_fifo_file_perms;
+ allow $2 xdm_tmp_t:dir search_dir_perms;
+- allow $2 xdm_tmp_t:sock_file { read write };
++ allow $2 xdm_tmp_t:sock_file rw_inherited_sock_file_perms;
+ dontaudit $2 xdm_t:tcp_socket { read write };
+
+ # Allow connections to X server.
+@@ -472,20 +502,25 @@ template(`xserver_user_x_domain_template',`
+ # for .xsession-errors
+ userdom_dontaudit_write_user_home_content_files($2)
+
+- xserver_ro_session($2,$3)
++ xserver_ro_session($2, $3)
xserver_use_user_fonts($2)
xserver_read_xdm_tmp_files($2)
@@ -27812,16 +28828,22 @@ index da2601a..4bc9fff 100644
# X object manager
xserver_object_types_template($1)
- xserver_common_x_domain_template($1,$2)
+- xserver_common_x_domain_template($1,$2)
++ xserver_common_x_domain_template($1, $2)
-+ tunable_policy(`user_direct_dri',`
-+ dev_rw_dri($2)
-+ ')
-+
# Client write xserver shm
tunable_policy(`allow_write_xshm',`
allow $2 xserver_t:shm rw_shm_perms;
-@@ -517,6 +553,7 @@ interface(`xserver_use_user_fonts',`
+ allow $2 xserver_tmpfs_t:file rw_file_perms;
+ ')
++
++ tunable_policy(`user_direct_dri',`
++ dev_rw_dri($2)
++ ')
+ ')
+
+ ########################################
+@@ -517,6 +552,7 @@ interface(`xserver_use_user_fonts',`
# Read per user fonts
allow $1 user_fonts_t:dir list_dir_perms;
allow $1 user_fonts_t:file read_file_perms;
@@ -27829,11 +28851,12 @@ index da2601a..4bc9fff 100644
# Manipulate the global font cache
manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
-@@ -545,6 +582,27 @@ interface(`xserver_domtrans_xauth',`
+@@ -545,6 +581,28 @@ interface(`xserver_domtrans_xauth',`
')
domtrans_pattern($1, xauth_exec_t, xauth_t)
-+ ifdef(`hide_broken_symptoms', `
++
++ ifdef(`hide_broken_symptoms',`
+ dontaudit xauth_t $1:socket_class_set { read write };
+ ')
+')
@@ -27865,20 +28888,81 @@ index da2601a..4bc9fff 100644
')
########################################
-@@ -725,10 +784,12 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
+@@ -615,7 +674,7 @@ interface(`xserver_setattr_console_pipes',`
+ type xconsole_device_t;
+ ')
+
+- allow $1 xconsole_device_t:fifo_file setattr;
++ allow $1 xconsole_device_t:fifo_file setattr_fifo_file_perms;
+ ')
+
+ ########################################
+@@ -651,7 +710,7 @@ interface(`xserver_use_xdm_fds',`
+ type xdm_t;
+ ')
+
+- allow $1 xdm_t:fd use;
++ allow $1 xdm_t:fd use;
+ ')
+
+ ########################################
+@@ -670,7 +729,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
+ type xdm_t;
+ ')
+
+- dontaudit $1 xdm_t:fd use;
++ dontaudit $1 xdm_t:fd use;
+ ')
+
+ ########################################
+@@ -688,7 +747,7 @@ interface(`xserver_rw_xdm_pipes',`
+ type xdm_t;
+ ')
+
+- allow $1 xdm_t:fifo_file { getattr read write };
++ allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms;
+ ')
+
+ ########################################
+@@ -703,12 +762,11 @@ interface(`xserver_rw_xdm_pipes',`
+ ## </param>
+ #
+ interface(`xserver_dontaudit_rw_xdm_pipes',`
+-
+ gen_require(`
+ type xdm_t;
+ ')
+
+- dontaudit $1 xdm_t:fifo_file rw_fifo_file_perms;
++ dontaudit $1 xdm_t:fifo_file rw_fifo_file_perms;
+ ')
+
+ ########################################
+@@ -724,11 +782,13 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
+ #
interface(`xserver_stream_connect_xdm',`
gen_require(`
- type xdm_t, xdm_tmp_t;
-+ type xdm_var_run_t;
+- type xdm_t, xdm_tmp_t;
++ type xdm_t, xdm_tmp_t, xdm_var_run_t;
')
files_search_tmp($1)
++ files_search_pids($1)
stream_connect_pattern($1, xdm_tmp_t, xdm_tmp_t, xdm_t)
+ stream_connect_pattern($1, xdm_var_run_t, xdm_var_run_t, xdm_t)
')
########################################
-@@ -805,7 +866,7 @@ interface(`xserver_read_xdm_pid',`
+@@ -765,7 +825,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
+ type xdm_tmp_t;
+ ')
+
+- allow $1 xdm_tmp_t:dir setattr;
++ allow $1 xdm_tmp_t:dir setattr_dir_perms;
+ ')
+
+ ########################################
+@@ -805,7 +865,7 @@ interface(`xserver_read_xdm_pid',`
')
files_search_pids($1)
@@ -27887,7 +28971,16 @@ index da2601a..4bc9fff 100644
')
########################################
-@@ -916,7 +977,7 @@ interface(`xserver_dontaudit_write_log',`
+@@ -897,7 +957,7 @@ interface(`xserver_getattr_log',`
+ ')
+
+ logging_search_logs($1)
+- allow $1 xserver_log_t:file getattr;
++ allow $1 xserver_log_t:file getattr_file_perms;
+ ')
+
+ ########################################
+@@ -916,7 +976,7 @@ interface(`xserver_dontaudit_write_log',`
type xserver_log_t;
')
@@ -27896,7 +28989,7 @@ index da2601a..4bc9fff 100644
')
########################################
-@@ -963,6 +1024,44 @@ interface(`xserver_read_xkb_libs',`
+@@ -963,6 +1023,44 @@ interface(`xserver_read_xkb_libs',`
########################################
## <summary>
@@ -27913,7 +29006,7 @@ index da2601a..4bc9fff 100644
+ type xdm_etc_t;
+ ')
+
-+ files_search_etc($1)
++ files_search_etc($1)
+ read_files_pattern($1, xdm_etc_t, xdm_etc_t)
+')
+
@@ -27932,7 +29025,7 @@ index da2601a..4bc9fff 100644
+ type xdm_etc_t;
+ ')
+
-+ files_search_etc($1)
++ files_search_etc($1)
+ manage_files_pattern($1, xdm_etc_t, xdm_etc_t)
+')
+
@@ -27941,16 +29034,37 @@ index da2601a..4bc9fff 100644
## Read xdm temporary files.
## </summary>
## <param name="domain">
-@@ -1072,6 +1171,8 @@ interface(`xserver_domtrans',`
+@@ -976,7 +1074,7 @@ interface(`xserver_read_xdm_tmp_files',`
+ type xdm_tmp_t;
+ ')
+
+- files_search_tmp($1)
++ files_search_tmp($1)
+ read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
+ ')
- allow $1 xserver_t:process siginh;
+@@ -1052,7 +1150,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+ type xdm_tmp_t;
+ ')
+
+- dontaudit $1 xdm_tmp_t:sock_file getattr;
++ dontaudit $1 xdm_tmp_t:sock_file getattr_sock_file_perms;
+ ')
+
+ ########################################
+@@ -1070,8 +1168,10 @@ interface(`xserver_domtrans',`
+ type xserver_t, xserver_exec_t;
+ ')
+
+- allow $1 xserver_t:process siginh;
++ allow $1 xserver_t:process siginh;
domtrans_pattern($1, xserver_exec_t, xserver_t)
+
+ allow xserver_t $1:process getpgid;
')
########################################
-@@ -1185,6 +1286,7 @@ interface(`xserver_stream_connect',`
+@@ -1185,6 +1285,7 @@ interface(`xserver_stream_connect',`
files_search_tmp($1)
stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
@@ -27958,13 +29072,26 @@ index da2601a..4bc9fff 100644
')
########################################
-@@ -1224,9 +1326,20 @@ interface(`xserver_manage_core_devices',`
+@@ -1210,7 +1311,7 @@ interface(`xserver_read_tmp_files',`
+ ## <summary>
+ ## Interface to provide X object permissions on a given X server to
+ ## an X client domain. Gives the domain permission to read the
+-## virtual core keyboard and virtual core pointer devices.
++## virtual core keyboard and virtual core pointer devices.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -1220,13 +1321,23 @@ interface(`xserver_read_tmp_files',`
+ #
+ interface(`xserver_manage_core_devices',`
+ gen_require(`
+- type xserver_t;
++ type xserver_t, root_xdrawable_t;
class x_device all_x_device_perms;
class x_pointer all_x_pointer_perms;
class x_keyboard all_x_keyboard_perms;
+ class x_screen all_x_screen_perms;
+ class x_drawable { manage };
-+ type root_xdrawable_t;
+ attribute x_domain;
+ class x_drawable { read manage setattr show };
+ class x_resource { write read };
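Review bot: The gen_require of `xserver_manage_core_devices` lists `class x_drawable` twice, once as `class x_drawable { manage };` and again as `class x_drawable { read manage setattr show };`; the first is redundant with the second and can be dropped. Both lines are context in this hunk, so the commit inherits rather than introduces the duplication, but since it already touches the block's type declarations (`type xserver_t, root_xdrawable_t;`) this is the natural place to tidy it. The interface continues beyond the hunk.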
@@ -27979,7 +29106,15 @@ index da2601a..4bc9fff 100644
')
########################################
-@@ -1250,3 +1363,329 @@ interface(`xserver_unconfined',`
+@@ -1243,10 +1354,331 @@ interface(`xserver_manage_core_devices',`
+ #
+ interface(`xserver_unconfined',`
+ gen_require(`
+- attribute x_domain;
+- attribute xserver_unconfined_type;
++ attribute x_domain, xserver_unconfined_type;
+ ')
+
typeattribute $1 x_domain;
typeattribute $1 xserver_unconfined_type;
')
@@ -27996,8 +29131,7 @@ index da2601a..4bc9fff 100644
+#
+interface(`xserver_dontaudit_append_xdm_home_files',`
+ gen_require(`
-+ type xdm_home_t;
-+ type xserver_tmp_t;
++ type xdm_home_t, xserver_tmp_t;
+ ')
+
+ dontaudit $1 xdm_home_t:file rw_inherited_file_perms;
@@ -28024,8 +29158,7 @@ index da2601a..4bc9fff 100644
+#
+interface(`xserver_append_xdm_home_files',`
+ gen_require(`
-+ type xdm_home_t;
-+ type xserver_tmp_t;
++ type xdm_home_t, xserver_tmp_t;
+ ')
+
+ allow $1 xdm_home_t:file append_file_perms;
@@ -28186,12 +29319,10 @@ index da2601a..4bc9fff 100644
+## Domain allowed access.
+## </summary>
+## </param>
-+## <rolecap/>
+#
+interface(`xserver_rw_inherited_user_fonts',`
+ gen_require(`
-+ type user_fonts_t;
-+ type user_fonts_config_t;
++ type user_fonts_t, user_fonts_config_t;
+ ')
+
+ allow $1 user_fonts_t:file rw_inherited_file_perms;
@@ -28218,7 +29349,6 @@ index da2601a..4bc9fff 100644
+ allow $1 xdm_var_lib_t:dir search_dir_perms;
+')
+
-+
+########################################
+## <summary>
+## Make an X executable an entrypoint for the specified domain.
@@ -28252,6 +29382,7 @@ index da2601a..4bc9fff 100644
+## The role to be allowed the xserver domain.
+## </summary>
+## </param>
++## <rolecap/>
+#
+interface(`xserver_run',`
+ gen_require(`
@@ -28277,6 +29408,7 @@ index da2601a..4bc9fff 100644
+## The role to be allowed the xserver domain.
+## </summary>
+## </param>
++## <rolecap/>
+#
+interface(`xserver_run_xauth',`
+ gen_require(`
@@ -28299,8 +29431,7 @@ index da2601a..4bc9fff 100644
+#
+interface(`xserver_manage_home_fonts',`
+ gen_require(`
-+ type user_fonts_t;
-+ type user_fonts_config_t;
++ type user_fonts_t, user_fonts_config_t;
+ ')
+
+ manage_dirs_pattern($1, user_fonts_t, user_fonts_t)
@@ -29233,21 +30364,34 @@ index e226da4..5fbf38f 100644
+tunable_policy(`use_samba_home_dirs',`
+ fs_append_cifs_files(xdmhomewriter)
+')
-diff --git a/policy/modules/services/zabbix.te b/policy/modules/services/zabbix.te
-index 2e0f6f6..2ae7a3d 100644
---- a/policy/modules/services/zabbix.te
-+++ b/policy/modules/services/zabbix.te
-@@ -35,8 +35,9 @@ manage_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
- logging_log_filetrans(zabbix_t, zabbix_log_t, file)
-
- # pid file
-+manage_dirs_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
- manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
--files_pid_filetrans(zabbix_t, zabbix_var_run_t, file)
-+files_pid_filetrans(zabbix_t, zabbix_var_run_t, { file dir })
-
- files_read_etc_files(zabbix_t)
-
+diff --git a/policy/modules/services/zabbix.if b/policy/modules/services/zabbix.if
+index d77e631..4776863 100644
+--- a/policy/modules/services/zabbix.if
++++ b/policy/modules/services/zabbix.if
+@@ -5,9 +5,9 @@
+ ## Execute a domain transition to run zabbix.
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
++## <summary>
+ ## Domain allowed to transition.
+-## </summary>
++## </summary>
+ ## </param>
+ #
+ interface(`zabbix_domtrans',`
+@@ -44,9 +44,9 @@ interface(`zabbix_read_log',`
+ ## zabbix log files.
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
++## <summary>
+ ## Domain allowed access.
+-## </summary>
++## </summary>
+ ## </param>
+ #
+ interface(`zabbix_append_log',`
diff --git a/policy/modules/services/zarafa.fc b/policy/modules/services/zarafa.fc
new file mode 100644
index 0000000..56cb5af
@@ -29283,37 +30427,35 @@ index 0000000..56cb5af
+/var/run/zarafa-monitor\.pid -- gen_context(system_u:object_r:zarafa_monitor_var_run_t,s0)
diff --git a/policy/modules/services/zarafa.if b/policy/modules/services/zarafa.if
new file mode 100644
-index 0000000..bba3124
+index 0000000..78fc104
--- /dev/null
+++ b/policy/modules/services/zarafa.if
-@@ -0,0 +1,105 @@
-+
+@@ -0,0 +1,102 @@
+## <summary>policy for zarafa services</summary>
+
+######################################
+## <summary>
-+## Creates types and rules for a basic
-+## zararfa init daemon domain.
++## Creates types and rules for a basic
++## zararfa init daemon domain.
+## </summary>
+## <param name="prefix">
-+## <summary>
-+## Prefix for the domain.
-+## </summary>
++## <summary>
++## Prefix for the domain.
++## </summary>
+## </param>
+#
+template(`zarafa_domain_template',`
-+
+ gen_require(`
+ attribute zarafa_domain;
+ ')
+
+ ##############################
-+ #
-+ # $1_t declarations
-+ #
++ #
++ # $1_t declarations
++ #
+
+ type zarafa_$1_t, zarafa_domain;
-+ type zarafa_$1_exec_t;
++ type zarafa_$1_exec_t;
+ init_daemon_domain(zarafa_$1_t, zarafa_$1_exec_t)
+
+ type zarafa_$1_log_t;
@@ -29323,28 +30465,28 @@ index 0000000..bba3124
+ files_pid_file(zarafa_$1_var_run_t)
+
+ ##############################
-+ #
++ #
+ # $1_t local policy
-+ #
++ #
+
+ manage_files_pattern(zarafa_$1_t, zarafa_$1_var_run_t, zarafa_$1_var_run_t)
-+ manage_sock_files_pattern(zarafa_$1_t, zarafa_$1_var_run_t, zarafa_$1_var_run_t)
-+ files_pid_filetrans(zarafa_$1_t, zarafa_$1_var_run_t, { file sock_file })
++ manage_sock_files_pattern(zarafa_$1_t, zarafa_$1_var_run_t, zarafa_$1_var_run_t)
++ files_pid_filetrans(zarafa_$1_t, zarafa_$1_var_run_t, { file sock_file })
+ #stream_connect_pattern(zarafa_$1_t, $1_var_run_t, $1_var_run_t, virtd_t)
+
+ manage_files_pattern(zarafa_$1_t, zarafa_$1_log_t,zarafa_$1_log_t)
+ #manage_sock_files_pattern(zarafa_$1_t, zarafa_$1_log_t,zarafa_$1_log_t)
+ logging_log_filetrans(zarafa_$1_t,zarafa_$1_log_t,{ file })
-+')
-+
++')
++
+########################################
+## <summary>
+## Execute a domain transition to run zarafa_server.
+## </summary>
+## <param name="domain">
-+## <summary>
++## <summary>
+## Domain allowed to transition.
-+## </summary>
++## </summary>
+## </param>
+#
+interface(`zarafa_server_domtrans',`
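Review bot: The commented-out `#stream_connect_pattern(zarafa_$1_t, $1_var_run_t, $1_var_run_t, virtd_t)` and `#manage_sock_files_pattern(zarafa_$1_t, zarafa_$1_log_t,zarafa_$1_log_t)` lines in the local-policy section look like copy-paste residue from another module: `virtd_t` has no relation to zarafa and the `$1_var_run_t` names would not resolve inside this template. Dead policy in a template tends to get uncommented later without review, so delete the two lines rather than carry them. The template header and type declarations begin in the preceding hunk.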
@@ -29355,15 +30497,14 @@ index 0000000..bba3124
+ domtrans_pattern($1, zarafa_server_exec_t, zarafa_server_t)
+')
+
-+
+########################################
+## <summary>
+## Execute a domain transition to run zarafa_deliver.
+## </summary>
+## <param name="domain">
-+## <summary>
++## <summary>
+## Domain allowed to transition.
-+## </summary>
++## </summary>
+## </param>
+#
+interface(`zarafa_deliver_domtrans',`
@@ -29376,21 +30517,21 @@ index 0000000..bba3124
+
+#######################################
+## <summary>
-+## Connect to zarafa-server unix domain stream socket.
++## Connect to zarafa-server unix domain stream socket.
+## </summary>
+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
++## <summary>
++## Domain allowed access.
++## </summary>
+## </param>
-+## <rolecap/>
+#
+interface(`zarafa_stream_connect_server',`
-+ gen_require(`
-+ type zarafa_server_t, zarafa_server_var_run_t;
-+ ')
++ gen_require(`
++ type zarafa_server_t, zarafa_server_var_run_t;
++ ')
+
-+ stream_connect_pattern($1, zarafa_server_t, zarafa_server_var_run_t, zarafa_server_t)
++ files_search_var_lib($1)
++ stream_connect_pattern($1, zarafa_server_t, zarafa_server_var_run_t, zarafa_server_t)
+')
diff --git a/policy/modules/services/zarafa.te b/policy/modules/services/zarafa.te
new file mode 100644
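Review bot: `files_search_var_lib($1)` in `zarafa_stream_connect_server` grants search on /var/lib, but the socket type it connects to, `zarafa_server_var_run_t`, is declared with `files_pid_file()` in the template, i.e. it is expected under /var/run, so a caller that cannot already search /var/run will still be denied reaching the socket. Unless the server socket really is created under /var/lib (its file context is not visible here), this should be `files_search_pids($1)`. If it does live under /var/lib, the socket needs a var_lib-based type and a matching file context instead of a pid type.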
@@ -29531,22 +30672,36 @@ index 0000000..3509088
+optional_policy(`
+ apache_content_template(zarafa)
+')
-diff --git a/policy/modules/services/zebra.te b/policy/modules/services/zebra.te
-index 086cbef..9939bff 100644
---- a/policy/modules/services/zebra.te
-+++ b/policy/modules/services/zebra.te
-@@ -61,9 +61,10 @@ logging_log_filetrans(zebra_t, zebra_log_t, { sock_file file dir })
- allow zebra_t zebra_tmp_t:sock_file manage_sock_file_perms;
- files_tmp_filetrans(zebra_t, zebra_tmp_t, sock_file)
-
-+manage_dirs_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t)
- manage_files_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t)
- manage_sock_files_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t)
--files_pid_filetrans(zebra_t, zebra_var_run_t, { file sock_file })
-+files_pid_filetrans(zebra_t, zebra_var_run_t, { file sock_file dir })
-
- kernel_read_system_state(zebra_t)
- kernel_read_network_state(zebra_t)
+diff --git a/policy/modules/services/zebra.if b/policy/modules/services/zebra.if
+index 6b87605..5860687 100644
+--- a/policy/modules/services/zebra.if
++++ b/policy/modules/services/zebra.if
+@@ -38,8 +38,7 @@ interface(`zebra_stream_connect',`
+ ')
+
+ files_search_pids($1)
+- allow $1 zebra_var_run_t:sock_file write;
+- allow $1 zebra_t:unix_stream_socket connectto;
++ stream_connect_pattern($1, zebra_var_run_t, zebra_var_run_t, zebra_t)
+ ')
+
+ ########################################
+diff --git a/policy/modules/services/zosremote.if b/policy/modules/services/zosremote.if
+index 702e768..1d24e1e 100644
+--- a/policy/modules/services/zosremote.if
++++ b/policy/modules/services/zosremote.if
+@@ -5,9 +5,9 @@
+ ## Execute a domain transition to run audispd-zos-remote.
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
++## <summary>
+ ## Domain allowed to transition.
+-## </summary>
++## </summary>
+ ## </param>
+ #
+ interface(`zosremote_domtrans',`
diff --git a/policy/modules/system/application.if b/policy/modules/system/application.if
index ac50333..108595b 100644
--- a/policy/modules/system/application.if
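Review bot: `stream_connect_pattern($1, zebra_var_run_t, zebra_var_run_t, zebra_t)` is the right shape, though it grants a little more than the two rules it replaces (dir search on zebra_var_run_t and getattr/open on the socket in addition to write), which is acceptable for a connect interface. The same hunk drops the zebra.te `manage_dirs_pattern`/`files_pid_filetrans(... { file sock_file dir })` additions from the carried patch; that is only safe if serefpolicy 3.9.5 already contains them, otherwise a directory zebra creates under /var/run would fall back to the generic pid label. Worth a one-line confirmation in the commit message, since the zabbix.te lines removed earlier in this patch are in the same situation.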
@@ -29621,7 +30776,7 @@ index 1c4b1e7..2997dd7 100644
/var/lib/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index bea0ade..bd3185e 100644
+index bea0ade..5819211 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -57,6 +57,8 @@ interface(`auth_use_pam',`
@@ -29751,6 +30906,15 @@ index bea0ade..bd3185e 100644
')
########################################
+@@ -694,7 +741,7 @@ interface(`auth_relabel_shadow',`
+ ')
+
+ files_search_etc($1)
+- allow $1 shadow_t:file { relabelfrom relabelto };
++ allow $1 shadow_t:file relabel_file_perms;
+ typeattribute $1 can_relabelto_shadow_passwords;
+ ')
+
@@ -874,6 +921,26 @@ interface(`auth_exec_pam',`
########################################
@@ -31666,7 +32830,7 @@ index 663a47b..ad0b864 100644
+ allow $1 iscsid_t:sem create_sem_perms;
+')
diff --git a/policy/modules/system/iscsi.te b/policy/modules/system/iscsi.te
-index 1d1c399..0787687 100644
+index 1d1c399..3ab3a47 100644
--- a/policy/modules/system/iscsi.te
+++ b/policy/modules/system/iscsi.te
@@ -76,6 +76,8 @@ corenet_tcp_connect_isns_port(iscsid_t)
@@ -31678,6 +32842,13 @@ index 1d1c399..0787687 100644
domain_use_interactive_fds(iscsid_t)
domain_dontaudit_read_all_domains_state(iscsid_t)
+@@ -91,5 +93,5 @@ logging_send_syslog_msg(iscsid_t)
+ miscfiles_read_localization(iscsid_t)
+
+ optional_policy(`
+- tgtd_rw_semaphores(iscsid_t)
++ tgtd_manage_semaphores(iscsid_t)
+ ')
diff --git a/policy/modules/system/kdump.te b/policy/modules/system/kdump.te
index 57c645b..7682697 100644
--- a/policy/modules/system/kdump.te
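Review bot: `tgtd_manage_semaphores(iscsid_t)` widens iscsid from reading and writing tgtd's semaphores to creating and destroying them, assuming the interface follows the usual `manage_sem_perms` shape (its body is not in this hunk). If the denial being chased is only a single missing permission on `tgtd_t:sem`, keeping `tgtd_rw_semaphores(iscsid_t)` and adding that permission to it is the least-privilege fix; being able to destroy another daemon's semaphores lets a compromised iscsid disrupt tgtd. A brief comment above the call stating which operation needs manage would make the widening reviewable later.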
@@ -32157,7 +33328,7 @@ index 362614c..a76d2fc 100644
+
+/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
-index c7cfb62..aa09d1c 100644
+index c7cfb62..453377e 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -545,6 +545,25 @@ interface(`logging_send_syslog_msg',`
@@ -32226,8 +33397,8 @@ index c7cfb62..aa09d1c 100644
manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
logging_manage_all_logs($1)
-+ allow $1 logfile:dir { relabelfrom relabelto };
-+ allow $1 logfile:file { relabelfrom relabelto };
++ allow $1 logfile:dir relabel_dir_perms;
++ allow $1 logfile:file relabel_file_perms;
init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
domain_system_change_exemption($1)
@@ -34884,7 +36055,7 @@ index 0291685..44fe366 100644
/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
+/var/run/libgpod(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
-index 025348a..59bc26b 100644
+index 025348a..5b277ea 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -34,6 +34,7 @@ interface(`udev_domtrans',`
@@ -34895,6 +36066,16 @@ index 025348a..59bc26b 100644
')
########################################
+@@ -88,8 +89,7 @@ interface(`udev_read_state',`
+ ')
+
+ kernel_search_proc($1)
+- allow $1 udev_t:file read_file_perms;
+- allow $1 udev_t:lnk_file read_lnk_file_perms;
++ ps_process_pattern($1, udev_t)
+ ')
+
+ ########################################
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index a054cf5..4867243 100644
--- a/policy/modules/system/udev.te
@@ -35758,7 +36939,7 @@ index db75976..392d1ee 100644
+HOME_DIR/\.gvfs(/.*)? <<none>>
+HOME_DIR/\.debug(/.*)? <<none>>
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 2aa8928..c67c8e8 100644
+index 2aa8928..b4d758b 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,8 +30,9 @@ template(`userdom_base_user_template',`
@@ -35772,7 +36953,7 @@ index 2aa8928..c67c8e8 100644
domain_type($1_t)
corecmd_shell_entry_type($1_t)
corecmd_bin_entry_type($1_t)
-@@ -43,69 +44,95 @@ template(`userdom_base_user_template',`
+@@ -43,69 +44,98 @@ template(`userdom_base_user_template',`
term_user_pty($1_t, user_devpts_t)
term_user_tty($1_t, user_tty_device_t)
@@ -35903,6 +37084,9 @@ index 2aa8928..c67c8e8 100644
- libs_exec_ld_so($1_t)
+ init_stream_connect($1_usertype)
++ # The library functions always try to open read-write first,
++ # then fall back to read-only if it fails.
++ init_dontaudit_rw_utmp($1_usertype)
+
+ libs_exec_ld_so($1_usertype)
@@ -35917,7 +37101,7 @@ index 2aa8928..c67c8e8 100644
tunable_policy(`allow_execmem',`
# Allow loading DSOs that require executable stack.
-@@ -116,6 +143,16 @@ template(`userdom_base_user_template',`
+@@ -116,6 +146,16 @@ template(`userdom_base_user_template',`
# Allow making the stack executable via mprotect.
allow $1_t self:process execstack;
')
@@ -35934,7 +37118,7 @@ index 2aa8928..c67c8e8 100644
')
#######################################
-@@ -149,6 +186,8 @@ interface(`userdom_ro_home_role',`
+@@ -149,6 +189,8 @@ interface(`userdom_ro_home_role',`
type user_home_t, user_home_dir_t;
')
@@ -35943,7 +37127,7 @@ index 2aa8928..c67c8e8 100644
##############################
#
# Domain access to home dir
-@@ -166,27 +205,6 @@ interface(`userdom_ro_home_role',`
+@@ -166,27 +208,6 @@ interface(`userdom_ro_home_role',`
read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
files_list_home($2)
@@ -35971,7 +37155,7 @@ index 2aa8928..c67c8e8 100644
')
#######################################
-@@ -218,8 +236,11 @@ interface(`userdom_ro_home_role',`
+@@ -218,8 +239,11 @@ interface(`userdom_ro_home_role',`
interface(`userdom_manage_home_role',`
gen_require(`
type user_home_t, user_home_dir_t;
@@ -35983,7 +37167,7 @@ index 2aa8928..c67c8e8 100644
##############################
#
# Domain access to home dir
-@@ -228,17 +249,21 @@ interface(`userdom_manage_home_role',`
+@@ -228,17 +252,21 @@ interface(`userdom_manage_home_role',`
type_member $2 user_home_dir_t:dir user_home_dir_t;
# full control of the home directory
@@ -36015,7 +37199,7 @@ index 2aa8928..c67c8e8 100644
filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
files_list_home($2)
-@@ -246,25 +271,23 @@ interface(`userdom_manage_home_role',`
+@@ -246,25 +274,23 @@ interface(`userdom_manage_home_role',`
allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
tunable_policy(`use_nfs_home_dirs',`
@@ -36045,7 +37229,7 @@ index 2aa8928..c67c8e8 100644
')
')
-@@ -289,6 +312,8 @@ interface(`userdom_manage_tmp_role',`
+@@ -289,6 +315,8 @@ interface(`userdom_manage_tmp_role',`
type user_tmp_t;
')
@@ -36054,7 +37238,7 @@ index 2aa8928..c67c8e8 100644
files_poly_member_tmp($2, user_tmp_t)
manage_dirs_pattern($2, user_tmp_t, user_tmp_t)
-@@ -297,6 +322,45 @@ interface(`userdom_manage_tmp_role',`
+@@ -297,6 +325,45 @@ interface(`userdom_manage_tmp_role',`
manage_sock_files_pattern($2, user_tmp_t, user_tmp_t)
manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t)
files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
@@ -36100,7 +37284,7 @@ index 2aa8928..c67c8e8 100644
')
#######################################
-@@ -316,6 +380,7 @@ interface(`userdom_exec_user_tmp_files',`
+@@ -316,6 +383,7 @@ interface(`userdom_exec_user_tmp_files',`
')
exec_files_pattern($1, user_tmp_t, user_tmp_t)
@@ -36108,7 +37292,7 @@ index 2aa8928..c67c8e8 100644
files_search_tmp($1)
')
-@@ -350,6 +415,8 @@ interface(`userdom_manage_tmpfs_role',`
+@@ -350,6 +418,8 @@ interface(`userdom_manage_tmpfs_role',`
type user_tmpfs_t;
')
@@ -36117,7 +37301,7 @@ index 2aa8928..c67c8e8 100644
manage_dirs_pattern($2, user_tmpfs_t, user_tmpfs_t)
manage_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
manage_lnk_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
-@@ -360,46 +427,41 @@ interface(`userdom_manage_tmpfs_role',`
+@@ -360,46 +430,41 @@ interface(`userdom_manage_tmpfs_role',`
#######################################
## <summary>
@@ -36186,7 +37370,7 @@ index 2aa8928..c67c8e8 100644
')
#######################################
-@@ -430,6 +492,7 @@ template(`userdom_xwindows_client_template',`
+@@ -430,6 +495,7 @@ template(`userdom_xwindows_client_template',`
dev_dontaudit_rw_dri($1_t)
# GNOME checks for usb and other devices:
dev_rw_usbfs($1_t)
@@ -36194,7 +37378,7 @@ index 2aa8928..c67c8e8 100644
xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
xserver_xsession_entry_type($1_t)
-@@ -490,7 +553,7 @@ template(`userdom_common_user_template',`
+@@ -490,7 +556,7 @@ template(`userdom_common_user_template',`
attribute unpriv_userdomain;
')
@@ -36203,7 +37387,7 @@ index 2aa8928..c67c8e8 100644
##############################
#
-@@ -500,73 +563,78 @@ template(`userdom_common_user_template',`
+@@ -500,73 +566,78 @@ template(`userdom_common_user_template',`
# evolution and gnome-session try to create a netlink socket
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
@@ -36321,7 +37505,7 @@ index 2aa8928..c67c8e8 100644
')
tunable_policy(`user_ttyfile_stat',`
-@@ -574,65 +642,108 @@ template(`userdom_common_user_template',`
+@@ -574,65 +645,108 @@ template(`userdom_common_user_template',`
')
optional_policy(`
@@ -36372,47 +37556,47 @@ index 2aa8928..c67c8e8 100644
+ devicekit_dbus_chat_power($1_usertype)
+ devicekit_dbus_chat_disk($1_usertype)
+ ')
++
++ optional_policy(`
++ evolution_dbus_chat($1_usertype)
++ evolution_alarm_dbus_chat($1_usertype)
++ ')
optional_policy(`
- bluetooth_dbus_chat($1_t)
-+ evolution_dbus_chat($1_usertype)
-+ evolution_alarm_dbus_chat($1_usertype)
++ gnome_dbus_chat_gconfdefault($1_usertype)
')
optional_policy(`
- evolution_dbus_chat($1_t)
- evolution_alarm_dbus_chat($1_t)
-+ gnome_dbus_chat_gconfdefault($1_usertype)
++ hal_dbus_chat($1_usertype)
')
optional_policy(`
- cups_dbus_chat_config($1_t)
-+ hal_dbus_chat($1_usertype)
++ modemmanager_dbus_chat($1_usertype)
')
optional_policy(`
- hal_dbus_chat($1_t)
-+ modemmanager_dbus_chat($1_usertype)
++ networkmanager_dbus_chat($1_usertype)
++ networkmanager_read_lib_files($1_usertype)
')
optional_policy(`
- networkmanager_dbus_chat($1_t)
-+ networkmanager_dbus_chat($1_usertype)
-+ networkmanager_read_lib_files($1_usertype)
- ')
-+
-+ optional_policy(`
+ vpn_dbus_chat($1_usertype)
-+ ')
-+ ')
-+
-+ optional_policy(`
-+ git_session_role($1_r, $1_usertype)
+ ')
')
optional_policy(`
- inetd_use_fds($1_t)
- inetd_rw_tcp_sockets($1_t)
++ git_session_role($1_r, $1_usertype)
++ ')
++
++ optional_policy(`
+ inetd_use_fds($1_usertype)
+ inetd_rw_tcp_sockets($1_usertype)
')
@@ -36435,20 +37619,20 @@ index 2aa8928..c67c8e8 100644
optional_policy(`
- modutils_read_module_config($1_t)
+ modutils_read_module_config($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ mta_rw_spool($1_usertype)
-+ mta_manage_queue($1_usertype)
')
optional_policy(`
- mta_rw_spool($1_t)
++ mta_rw_spool($1_usertype)
++ mta_manage_queue($1_usertype)
++ ')
++
++ optional_policy(`
+ nsplugin_role($1_r, $1_usertype)
')
optional_policy(`
-@@ -643,41 +754,50 @@ template(`userdom_common_user_template',`
+@@ -643,41 +757,50 @@ template(`userdom_common_user_template',`
optional_policy(`
# to allow monitoring of pcmcia status
@@ -36480,53 +37664,51 @@ index 2aa8928..c67c8e8 100644
+ optional_policy(`
+ rpc_dontaudit_getattr_exports($1_usertype)
+ rpc_manage_nfs_rw_content($1_usertype)
++ ')
++
++ optional_policy(`
++ rpcbind_stream_connect($1_usertype)
')
optional_policy(`
- rpc_dontaudit_getattr_exports($1_t)
- rpc_manage_nfs_rw_content($1_t)
-+ rpcbind_stream_connect($1_usertype)
++ samba_stream_connect_winbind($1_usertype)
')
optional_policy(`
- samba_stream_connect_winbind($1_t)
-+ samba_stream_connect_winbind($1_usertype)
++ sandbox_transition($1_usertype, $1_r)
')
optional_policy(`
- slrnpull_search_spool($1_t)
-+ sandbox_transition($1_usertype, $1_r)
++ seunshare_role_template($1, $1_r, $1_t)
')
optional_policy(`
- usernetctl_run($1_t,$1_r)
-+ seunshare_role_template($1, $1_r, $1_t)
- ')
-+
-+ optional_policy(`
+ slrnpull_search_spool($1_usertype)
-+ ')
+ ')
+
')
#######################################
-@@ -705,13 +825,26 @@ template(`userdom_login_user_template', `
+@@ -705,13 +828,26 @@ template(`userdom_login_user_template', `
userdom_base_user_template($1)
- userdom_manage_home_role($1_r, $1_t)
+ userdom_manage_home_role($1_r, $1_usertype)
-
-- userdom_manage_tmp_role($1_r, $1_t)
-- userdom_manage_tmpfs_role($1_r, $1_t)
++
+ userdom_manage_tmp_role($1_r, $1_usertype)
+ userdom_manage_tmpfs_role($1_r, $1_usertype)
-
-- userdom_exec_user_tmp_files($1_t)
-- userdom_exec_user_home_content_files($1_t)
++
+ ifelse(`$1',`unconfined',`',`
+ gen_tunable(allow_$1_exec_content, true)
-+
+
+- userdom_manage_tmp_role($1_r, $1_t)
+- userdom_manage_tmpfs_role($1_r, $1_t)
+ tunable_policy(`allow_$1_exec_content',`
+ userdom_exec_user_tmp_files($1_usertype)
+ userdom_exec_user_home_content_files($1_usertype)
@@ -36534,7 +37716,9 @@ index 2aa8928..c67c8e8 100644
+ tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',`
+ fs_exec_nfs_files($1_usertype)
+ ')
-+
+
+- userdom_exec_user_tmp_files($1_t)
+- userdom_exec_user_home_content_files($1_t)
+ tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',`
+ fs_exec_cifs_files($1_usertype)
+ ')
@@ -36542,7 +37726,7 @@ index 2aa8928..c67c8e8 100644
userdom_change_password_template($1)
-@@ -729,72 +862,74 @@ template(`userdom_login_user_template', `
+@@ -729,72 +865,71 @@ template(`userdom_login_user_template', `
allow $1_t self:context contains;
@@ -36584,14 +37768,13 @@ index 2aa8928..c67c8e8 100644
+ fs_rw_anon_inodefs_files($1_usertype)
auth_dontaudit_write_login_records($1_t)
--
-- application_exec_all($1_t)
+ auth_rw_cache($1_t)
- # The library functions always try to open read-write first,
- # then fall back to read-only if it fails.
+- application_exec_all($1_t)
+-
+- # The library functions always try to open read-write first,
+- # then fall back to read-only if it fails.
- init_dontaudit_rw_utmp($1_t)
-+ init_dontaudit_rw_utmp($1_usertype)
# Stop warnings about access to /dev/console
- init_dontaudit_use_fds($1_t)
- init_dontaudit_use_script_fds($1_t)
@@ -37049,7 +38232,7 @@ index 2aa8928..c67c8e8 100644
+ type user_home_t;
+ ')
+
-+ allow $1 user_home_t:file { relabelto relabelfrom };
++ allow $1 user_home_t:file relabel_file_perms;
+')
+
########################################
@@ -37079,33 +38262,69 @@ index 2aa8928..c67c8e8 100644
')
########################################
-@@ -1638,6 +1922,25 @@ interface(`userdom_delete_user_home_content_dirs',`
+@@ -1638,34 +1922,53 @@ interface(`userdom_delete_user_home_content_dirs',`
########################################
## <summary>
+-## Do not audit attempts to set the
+-## attributes of user home files.
+## Set the attributes of user home files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain to not audit.
+## Domain allowed access.
-+## </summary>
-+## </param>
+ ## </summary>
+ ## </param>
+## <rolecap/>
-+#
+ #
+-interface(`userdom_dontaudit_setattr_user_home_content_files',`
+interface(`userdom_setattr_user_home_content_files',`
+ gen_require(`
+ type user_home_t;
+ ')
+
+- dontaudit $1 user_home_t:file setattr_file_perms;
++ allow $1 user_home_t:file setattr;
+ ')
+
+ ########################################
+ ## <summary>
+-## Mmap user home files.
++## Do not audit attempts to set the
++## attributes of user home files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
++## Domain to not audit.
+ ## </summary>
+ ## </param>
+ #
+-interface(`userdom_mmap_user_home_content_files',`
++interface(`userdom_dontaudit_setattr_user_home_content_files',`
+ gen_require(`
+ type user_home_t;
+ ')
+
-+ allow $1 user_home_t:file setattr;
++ dontaudit $1 user_home_t:file setattr_file_perms;
+')
+
+########################################
+## <summary>
- ## Do not audit attempts to set the
- ## attributes of user home files.
- ## </summary>
-@@ -1689,13 +1992,33 @@ interface(`userdom_read_user_home_content_files',`
++## Mmap user home files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`userdom_mmap_user_home_content_files',`
+ gen_require(`
+ type user_home_dir_t, user_home_t;
+ ')
+@@ -1689,12 +1992,32 @@ interface(`userdom_read_user_home_content_files',`
type user_home_dir_t, user_home_t;
')
@@ -37116,7 +38335,6 @@ index 2aa8928..c67c8e8 100644
########################################
## <summary>
--## Do not audit attempts to read user home files.
+## Do not audit attempts to getattr user home files.
+## </summary>
+## <param name="domain">
@@ -37136,10 +38354,9 @@ index 2aa8928..c67c8e8 100644
+
+########################################
+## <summary>
-+## Do not audit attempts to read user home files.
+ ## Do not audit attempts to read user home files.
## </summary>
## <param name="domain">
- ## <summary>
@@ -1705,11 +2028,14 @@ interface(`userdom_read_user_home_content_files',`
#
interface(`userdom_dontaudit_read_user_home_content_files',`
@@ -37168,7 +38385,7 @@ index 2aa8928..c67c8e8 100644
')
########################################
-@@ -1816,21 +2141,15 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1816,20 +2141,14 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -37182,18 +38399,17 @@ index 2aa8928..c67c8e8 100644
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_exec_nfs_files($1)
+- ')
+-
+- tunable_policy(`use_samba_home_dirs',`
+- fs_exec_cifs_files($1)
+ exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
+ dontaudit $1 user_home_type:sock_file execute;
')
-
-- tunable_policy(`use_samba_home_dirs',`
-- fs_exec_cifs_files($1)
-- ')
-')
--
+
########################################
## <summary>
- ## Do not audit attempts to execute user home files.
@@ -2171,7 +2490,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
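Review bot: The rewritten `userdom_exec_user_home_content_files` now allows executing every type carrying the `user_home_type` attribute via `exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)`, not just user_home_t, and at the same time drops the `use_nfs_home_dirs`/`use_samba_home_dirs` exec branches. Those branches reappear only inside userdom_login_user_template gated by `allow_$1_exec_content` (earlier in this patch), so any other caller of this interface silently loses exec on NFS/CIFS home directories while gaining exec on all home-content types. If that is intended, add a comment to the interface such as `# NFS/CIFS exec is left to the caller; see userdom_login_user_template` so the regression is not re-reported as a bug.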
@@ -38286,7 +39502,7 @@ index 8c827f8..744fa64 100644
ifdef(`distro_debian',`
diff --git a/policy/modules/system/xen.if b/policy/modules/system/xen.if
-index 77d41b6..4af4e6b 100644
+index 77d41b6..4aa96c6 100644
--- a/policy/modules/system/xen.if
+++ b/policy/modules/system/xen.if
@@ -87,6 +87,26 @@ interface(`xen_read_image_files',`
@@ -38327,6 +39543,15 @@ index 77d41b6..4af4e6b 100644
domtrans_pattern($1, xm_exec_t, xm_t)
')
+@@ -230,7 +251,7 @@ interface(`xen_domtrans_xm',`
+ #
+ interface(`xen_stream_connect_xm',`
+ gen_require(`
+- type xm_t;
++ type xm_t, xenstored_var_run_t;
+ ')
+
+ files_search_pids($1)
diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te
index f661f5a..600d43f 100644
--- a/policy/modules/system/xen.te
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 62be418..e2f8051 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,8 +19,8 @@
%define CHECKPOLICYVER 2.0.21-1
Summary: SELinux policy configuration
Name: selinux-policy
-Version: 3.9.4
-Release: 2%{?dist}
+Version: 3.9.5
+Release: 1%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,15 @@ exit 0
%endif
%changelog
+* Thu Sep 16 2010 Dan Walsh <dwalsh at redhat.com> 3.9.5-1
+- Update to upstream
+
+* Wed Sep 15 2010 Dan Walsh <dwalsh at redhat.com> 3.9.4-3
+- Add the ability to send audit messages to confined admin policies
+- Remove permissive domain from cmirrord and dontaudit sys_tty_config
+- Split out unconfined_domain() calls from other unconfined_ calls so we can d
+- virt needs to be able to read processes to clearance for MLS
+
* Tue Sep 14 2010 Dan Walsh <dwalsh at redhat.com> 3.9.4-2
- Allow all domains that can use cgroups to search tmpfs_t directory
- Allow init to send audit messages
diff --git a/sources b/sources
index 11bf11d..1e6d985 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-c610a100e8448f4fdc2559d1e509494c serefpolicy-3.9.4.tgz
+92b67fbf7e35e89cd46d04881966d2ae serefpolicy-3.9.5.tgz