[selinux-policy] - Pull in cleanups from dgrift - Allow mozilla_plugin_t to execute mozilla_home_t - Allow rpc.quota

Daniel J Walsh dwalsh at fedoraproject.org
Sat Sep 25 10:35:23 UTC 2010


commit e25799116a869d5d621bc8311d009dea5060a4a0
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Fri Sep 24 12:03:50 2010 -0400

    - Pull in cleanups from dgrift
    - Allow mozilla_plugin_t to execute mozilla_home_t
    - Allow rpc.quota to do quotamod

 policy-F14.patch    | 2077 +++++++++++++++++++++++++++++++++++++++------------
 selinux-policy.spec |    7 +-
 2 files changed, 1611 insertions(+), 473 deletions(-)
---
diff --git a/policy-F14.patch b/policy-F14.patch
index a644247..9f77722 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -2252,7 +2252,7 @@ index 00a19e3..46db5ff 100644
 +/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 +
 diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
-index f5afe78..594dc0f 100644
+index f5afe78..91737d4 100644
 --- a/policy/modules/apps/gnome.if
 +++ b/policy/modules/apps/gnome.if
 @@ -37,8 +37,7 @@ interface(`gnome_role',`
@@ -2306,12 +2306,11 @@ index f5afe78..594dc0f 100644
 +##	Dontaudit search gnome homedir content (.config)
 +## </summary>
 +## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
- #
--template(`gnome_read_gconf_config',`
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`gnome_dontaudit_search_config',`
 +	gen_require(`
 +		attribute gnome_home_type;
@@ -2545,11 +2544,12 @@ index f5afe78..594dc0f 100644
 +##	read gconf config files
 +## </summary>
 +## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-template(`gnome_read_gconf_config',`
 +interface(`gnome_read_gconf_config',`
  	gen_require(`
  		type gconf_etc_t;
@@ -2587,7 +2587,7 @@ index f5afe78..594dc0f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -84,37 +359,39 @@ template(`gnome_read_gconf_config',`
+@@ -84,37 +359,40 @@ template(`gnome_read_gconf_config',`
  ##	</summary>
  ## </param>
  #
@@ -2625,6 +2625,7 @@ index f5afe78..594dc0f 100644
  
 -	read_files_pattern($1, gconf_tmp_t, gconf_tmp_t)
 -	allow $1 gconfd_t:unix_stream_socket connectto;
++	userdom_search_user_home_dirs($1)
 +	allow $1 gconf_home_t:dir list_dir_perms;
 +	allow $1 data_home_t:dir list_dir_perms;
 +	read_files_pattern($1, gconf_home_t, gconf_home_t)
@@ -2638,7 +2639,7 @@ index f5afe78..594dc0f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -122,12 +399,13 @@ interface(`gnome_stream_connect_gconf',`
+@@ -122,12 +400,13 @@ interface(`gnome_stream_connect_gconf',`
  ##	</summary>
  ## </param>
  #
@@ -2655,7 +2656,7 @@ index f5afe78..594dc0f 100644
  ')
  
  ########################################
-@@ -151,40 +429,173 @@ interface(`gnome_setattr_config_dirs',`
+@@ -151,40 +430,173 @@ interface(`gnome_setattr_config_dirs',`
  
  ########################################
  ## <summary>
@@ -3700,7 +3701,7 @@ index 9a6d67d..47aa143 100644
  ##	mozilla over dbus.
  ## </summary>
 diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index cbf4bec..0a9a921 100644
+index cbf4bec..7243acc 100644
 --- a/policy/modules/apps/mozilla.te
 +++ b/policy/modules/apps/mozilla.te
 @@ -25,6 +25,7 @@ files_config_file(mozilla_conf_t)
@@ -3773,7 +3774,7 @@ index cbf4bec..0a9a921 100644
  	pulseaudio_exec(mozilla_t)
  	pulseaudio_stream_connect(mozilla_t)
  	pulseaudio_manage_home_files(mozilla_t)
-@@ -266,3 +291,90 @@ optional_policy(`
+@@ -266,3 +291,91 @@ optional_policy(`
  optional_policy(`
  	thunderbird_domtrans(mozilla_t)
  ')
@@ -3790,6 +3791,7 @@ index cbf4bec..0a9a921 100644
 +allow mozilla_plugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
 +
 +read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
++can_exec(mozilla_plugin_t, mozilla_home_t)
 +
 +manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
 +manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
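Review bot: `can_exec(mozilla_plugin_t, mozilla_home_t)` at the new line grants the plugin sandbox execute access on a user-home content type, with no comment saying which plugin needs to run binaries from under ~/.mozilla. The write rules for mozilla_home_t are outside this hunk, so treat it as an assumption, but if that type is user-writable then anything the browser or a plugin drops there becomes executable in mozilla_plugin_t without a domain transition, which weakens the separation the plugin domain exists to provide. Consider recording the justification, e.g. `# <PLUGIN-NAME placeholder> installs its helper binaries under ~/.mozilla`, and gating the rule behind a tunable so it is off where that plugin is not deployed. The enclosing mozilla_plugin_t block continues outside the hunk.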
@@ -19080,7 +19082,7 @@ index 99a94de..6dbc203 100644
  files_search_etc(gatekeeper_t)
  
 diff --git a/policy/modules/services/git.fc b/policy/modules/services/git.fc
-index 54f0737..28b71f6 100644
+index 54f0737..2b552c5 100644
 --- a/policy/modules/services/git.fc
 +++ b/policy/modules/services/git.fc
 @@ -1,3 +1,13 @@
@@ -19093,7 +19095,8 @@ index 54f0737..28b71f6 100644
 +/usr/libexec/git-core/git-daemon	--	gen_context(system_u:object_r:gitd_exec_t,s0)
 +
  /var/cache/cgit(/.*)?		gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
- /var/lib/git(/.*)?		gen_context(system_u:object_r:httpd_git_content_t,s0)
+-/var/lib/git(/.*)?		gen_context(system_u:object_r:httpd_git_content_t,s0)
++/var/lib/git(/.*)?		gen_context(system_u:object_r:git_system_content_t,s0)
  /var/www/cgi-bin/cgit	--	gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
 +/var/www/git(/.*)?		gen_context(system_u:object_r:httpd_git_content_t,s0)
 +/var/www/git/gitweb.cgi		gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
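Review bot: Relabelling the existing path `/var/lib/git(/.*)?` from httpd_git_content_t to git_system_content_t changes what httpd may serve from that tree and only takes effect on installed systems after a relabel. The spec file appears in the diffstat but its hunk is not shown, so I cannot tell whether the upgrade path restorecons /var/lib/git; if it does not, existing installs keep the old label until the next full relabel. I am also assuming git_system_content_t, and whatever interface httpd needs to reach it, is declared in git.te/git.if elsewhere in the patch.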
@@ -20420,7 +20423,7 @@ index 9fab1dc..dc7dd01 100644
  mta_send_mail(innd_t)
  
 diff --git a/policy/modules/services/jabber.fc b/policy/modules/services/jabber.fc
-index 4c9acec..908eb91 100644
+index 4c9acec..deef4c7 100644
 --- a/policy/modules/services/jabber.fc
 +++ b/policy/modules/services/jabber.fc
 @@ -2,5 +2,14 @@
@@ -20429,9 +20432,9 @@ index 4c9acec..908eb91 100644
  
 +# for new version of jabberd
 +/usr/bin/router         --      gen_context(system_u:object_r:jabberd_router_exec_t,s0)
-+/usr/bin/sm             --      gen_context(system_u:object_r:jabberd_exec_t,s0)
-+/usr/bin/c2s            --      gen_context(system_u:object_r:jabberd_exec_t,s0)
++/usr/bin/c2s            --      gen_context(system_u:object_r:jabberd_router_exec_t,s0)
 +/usr/bin/s2s            --      gen_context(system_u:object_r:jabberd_exec_t,s0)
++/usr/bin/sm             --      gen_context(system_u:object_r:jabberd_exec_t,s0)
 +
 +/var/lib/jabberd(/.*)?           gen_context(system_u:object_r:jabberd_var_lib_t,s0)
 +
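Review bot: Moving `/usr/bin/c2s` from jabberd_exec_t to jabberd_router_exec_t puts the client-facing component into the router domain, which in this same commit also gains netlink_route_socket access and kerberos_use, without a comment explaining why c2s does not get its own domain. A one-line comment above the entry, e.g. `# c2s shares the router domain: it binds the client port and connects to the router`, would keep the next reader from moving it back. The generic /usr/bin names themselves are pre-existing and outside this change.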
@@ -20561,7 +20564,7 @@ index 9878499..9167dc9 100644
  	domain_system_change_exemption($1)
  	role_transition $2 jabberd_initrc_exec_t system_r;
 diff --git a/policy/modules/services/jabber.te b/policy/modules/services/jabber.te
-index da2127e..5f8840f 100644
+index da2127e..e184dff 100644
 --- a/policy/modules/services/jabber.te
 +++ b/policy/modules/services/jabber.te
 @@ -5,13 +5,19 @@ policy_module(jabber, 1.8.0)
@@ -20585,7 +20588,7 @@ index da2127e..5f8840f 100644
  type jabberd_log_t;
  logging_log_file(jabberd_log_t)
  
-@@ -21,40 +27,78 @@ files_type(jabberd_var_lib_t)
+@@ -21,74 +27,94 @@ files_type(jabberd_var_lib_t)
  type jabberd_var_run_t;
  files_pid_file(jabberd_var_run_t)
  
@@ -20593,10 +20596,10 @@ index da2127e..5f8840f 100644
 +permissive jabberd_router_t;
 +permissive jabberd_t;
 +
-+#######################################
++######################################
  #
 -# Local policy
-+# Local policy for jabberd domains
++# Local policy for jabberd-router and c2s components
  #
  
 -allow jabberd_t self:capability dac_override;
@@ -20605,6 +20608,95 @@ index da2127e..5f8840f 100644
 -allow jabberd_t self:fifo_file read_fifo_file_perms;
 -allow jabberd_t self:tcp_socket create_stream_socket_perms;
 -allow jabberd_t self:udp_socket create_socket_perms;
+-
+-manage_files_pattern(jabberd_t, jabberd_var_lib_t, jabberd_var_lib_t)
+-files_var_lib_filetrans(jabberd_t, jabberd_var_lib_t, file)
+-
+-manage_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t)
+-logging_log_filetrans(jabberd_t, jabberd_log_t, { file dir })
+-
+-manage_files_pattern(jabberd_t, jabberd_var_run_t, jabberd_var_run_t)
+-files_pid_filetrans(jabberd_t, jabberd_var_run_t, file)
+-
+-kernel_read_kernel_sysctls(jabberd_t)
+-kernel_list_proc(jabberd_t)
+-kernel_read_proc_symlinks(jabberd_t)
+-
+-corenet_all_recvfrom_unlabeled(jabberd_t)
+-corenet_all_recvfrom_netlabel(jabberd_t)
+-corenet_tcp_sendrecv_generic_if(jabberd_t)
+-corenet_udp_sendrecv_generic_if(jabberd_t)
+-corenet_tcp_sendrecv_generic_node(jabberd_t)
+-corenet_udp_sendrecv_generic_node(jabberd_t)
+-corenet_tcp_sendrecv_all_ports(jabberd_t)
+-corenet_udp_sendrecv_all_ports(jabberd_t)
+-corenet_tcp_bind_generic_node(jabberd_t)
+-corenet_tcp_bind_jabber_client_port(jabberd_t)
+-corenet_tcp_bind_jabber_interserver_port(jabberd_t)
+-corenet_sendrecv_jabber_client_server_packets(jabberd_t)
+-corenet_sendrecv_jabber_interserver_server_packets(jabberd_t)
++allow jabberd_router_t self:netlink_route_socket r_netlink_socket_perms;
++
++corenet_tcp_bind_jabber_client_port(jabberd_router_t)
++corenet_tcp_bind_jabber_router_port(jabberd_router_t)
++corenet_tcp_connect_jabber_router_port(jabberd_router_t)
++corenet_sendrecv_jabber_router_server_packets(jabberd_router_t)
++corenet_sendrecv_jabber_client_server_packets(jabberd_router_t)
+ 
+-dev_read_sysfs(jabberd_t)
+-# For SSL
+-dev_read_rand(jabberd_t)
++fs_getattr_all_fs(jabberd_router_t)
+ 
+-domain_use_interactive_fds(jabberd_t)
++miscfiles_read_certs(jabberd_router_t)
+ 
+-files_read_etc_files(jabberd_t)
+-files_read_etc_runtime_files(jabberd_t)
++optional_policy(`
++        kerberos_use(jabberd_router_t)
++')
+ 
+-fs_getattr_all_fs(jabberd_t)
+-fs_search_auto_mountpoints(jabberd_t)
++optional_policy(`
++       nis_use_ypbind(jabberd_router_t)
++')
+ 
+-logging_send_syslog_msg(jabberd_t)
++#####################################
++#
++# Local policy for other jabberd components
++#
+ 
+-miscfiles_read_localization(jabberd_t)
++kernel_read_system_state(jabberd_t)
+ 
+-sysnet_read_config(jabberd_t)
++corenet_tcp_bind_jabber_interserver_port(jabberd_t)
++corenet_tcp_connect_jabber_router_port(jabberd_t)
+ 
+ userdom_dontaudit_use_unpriv_user_fds(jabberd_t)
+ userdom_dontaudit_search_user_home_dirs(jabberd_t)
+ 
+ optional_policy(`
+-	nis_use_ypbind(jabberd_t)
++       seutil_sigchld_newrole(jabberd_t)
+ ')
+ 
+ optional_policy(`
+-	seutil_sigchld_newrole(jabberd_t)
++       udev_read_db(jabberd_t)
+ ')
+ 
+-optional_policy(`
+-	udev_read_db(jabberd_t)
+-')
++#######################################
++#
++# Local policy for jabberd domains
++#
++
 +allow jabberd_domain self:process signal_perms;
 +allow jabberd_domain self:fifo_file read_fifo_file_perms;
 +allow jabberd_domain self:tcp_socket create_stream_socket_perms;
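Review bot: `nis_use_ypbind(jabberd_t)` is dropped at the line that replaces it with seutil_sigchld_newrole, while only jabberd_router_t gets it back; unless jabberd_domain receives auth_use_nsswitch or an equivalent elsewhere in the patch (not visible here), the sm and s2s components lose NIS lookups. The new optional_policy bodies at the kerberos_use, nis_use_ypbind, seutil_sigchld_newrole and udev_read_db lines are indented with seven or eight spaces, whereas the rest of the module uses tabs (compare the removed `-	nis_use_ypbind(jabberd_t)`), so the commit rewrites those lines with no semantic change. The three section headers also use three different lengths of `#` ruler. Both domains are still declared `permissive` in the context above, so none of the split is enforced yet, which matters when reading AVC output against it.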
@@ -20616,14 +20708,10 @@ index da2127e..5f8840f 100644
 +# log and pid files are moved into /var/lib/jabberd in the newer version of jabberd
 +manage_files_pattern(jabberd_domain, jabberd_log_t, jabberd_log_t)
 +logging_log_filetrans(jabberd_domain, jabberd_log_t, { file dir })
- 
--manage_files_pattern(jabberd_t, jabberd_var_lib_t, jabberd_var_lib_t)
--files_var_lib_filetrans(jabberd_t, jabberd_var_lib_t, file)
++
 +manage_files_pattern(jabberd_domain, jabberd_var_run_t, jabberd_var_run_t)
 +files_pid_filetrans(jabberd_domain, jabberd_var_run_t, file)
- 
--manage_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t)
--logging_log_filetrans(jabberd_t, jabberd_log_t, { file dir })
++
 +corenet_all_recvfrom_unlabeled(jabberd_domain)
 +corenet_all_recvfrom_netlabel(jabberd_domain)
 +corenet_tcp_sendrecv_generic_if(jabberd_domain)
@@ -20636,6 +20724,7 @@ index da2127e..5f8840f 100644
 +
 +dev_read_urand(jabberd_domain)
 +dev_read_urand(jabberd_domain)
++dev_read_sysfs(jabberd_domain)
 +
 +files_read_etc_files(jabberd_domain)
 +files_read_etc_runtime_files(jabberd_domain)
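Review bot: The new `dev_read_sysfs(jabberd_domain)` is placed directly beneath a duplicated `dev_read_urand(jabberd_domain)` pair, and the duplicate is left in place. Since the hunk already touches this block, dropping the second `dev_read_urand(jabberd_domain)` line here would be cheap; as written the patch carries the redundant rule forward. The jabberd_domain block starts and ends outside the hunk.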
@@ -20645,68 +20734,6 @@ index da2127e..5f8840f 100644
 +miscfiles_read_localization(jabberd_domain)
 +
 +sysnet_read_config(jabberd_domain)
-+
-+######################################
-+#
-+# Local policy for jabberd-router
-+#
- 
--manage_files_pattern(jabberd_t, jabberd_var_run_t, jabberd_var_run_t)
--files_pid_filetrans(jabberd_t, jabberd_var_run_t, file)
-+allow jabberd_router_t self:netlink_route_socket r_netlink_socket_perms;
-+
-+corenet_tcp_bind_jabber_router_port(jabberd_router_t)
-+corenet_sendrecv_jabber_router_server_packets(jabberd_router_t)
-+
-+optional_policy(`
-+	kerberos_use(jabberd_router_t)
-+')
-+
-+########################################
-+#
-+# Local policy for jabberd
-+#
-+
-+allow jabberd_t self:capability dac_override;
-+dontaudit jabberd_t self:capability sys_tty_config;
- 
- kernel_read_kernel_sysctls(jabberd_t)
--kernel_list_proc(jabberd_t)
- kernel_read_proc_symlinks(jabberd_t)
-+kernel_read_system_state(jabberd_t)
- 
--corenet_all_recvfrom_unlabeled(jabberd_t)
--corenet_all_recvfrom_netlabel(jabberd_t)
--corenet_tcp_sendrecv_generic_if(jabberd_t)
--corenet_udp_sendrecv_generic_if(jabberd_t)
--corenet_tcp_sendrecv_generic_node(jabberd_t)
--corenet_udp_sendrecv_generic_node(jabberd_t)
--corenet_tcp_sendrecv_all_ports(jabberd_t)
--corenet_udp_sendrecv_all_ports(jabberd_t)
--corenet_tcp_bind_generic_node(jabberd_t)
-+corenet_tcp_connect_jabber_router_port(jabberd_t)
- corenet_tcp_bind_jabber_client_port(jabberd_t)
- corenet_tcp_bind_jabber_interserver_port(jabberd_t)
- corenet_sendrecv_jabber_client_server_packets(jabberd_t)
-@@ -66,18 +110,9 @@ dev_read_rand(jabberd_t)
- 
- domain_use_interactive_fds(jabberd_t)
- 
--files_read_etc_files(jabberd_t)
--files_read_etc_runtime_files(jabberd_t)
--
- fs_getattr_all_fs(jabberd_t)
- fs_search_auto_mountpoints(jabberd_t)
- 
--logging_send_syslog_msg(jabberd_t)
--
--miscfiles_read_localization(jabberd_t)
--
--sysnet_read_config(jabberd_t)
--
- userdom_dontaudit_use_unpriv_user_fds(jabberd_t)
- userdom_dontaudit_search_user_home_dirs(jabberd_t)
- 
 diff --git a/policy/modules/services/kerberos.fc b/policy/modules/services/kerberos.fc
 index 3525d24..e5db539 100644
 --- a/policy/modules/services/kerberos.fc
@@ -28390,24 +28417,20 @@ index f04a595..3203212 100644
 +	read_files_pattern($1, razor_var_lib_t, razor_var_lib_t)
 +')
 diff --git a/policy/modules/services/razor.te b/policy/modules/services/razor.te
-index 340a6c0..eaa8706 100644
+index 340a6c0..f24c52e 100644
 --- a/policy/modules/services/razor.te
 +++ b/policy/modules/services/razor.te
-@@ -5,6 +5,32 @@ policy_module(razor, 2.1.1)
+@@ -5,118 +5,139 @@ policy_module(razor, 2.1.1)
  # Declarations
  #
  
+-type razor_exec_t;
+-corecmd_executable_file(razor_exec_t)
 +ifdef(`distro_redhat',`
-+
 +	gen_require(`
-+		type spamc_t;
-+		type spamc_exec_t;
-+		type spamd_log_t;
-+		type spamd_spool_t;
-+		type spamd_var_lib_t;
-+		type spamd_etc_t;
-+		type spamc_home_t;
-+		type spamc_tmp_t;
++		type spamc_t, spamc_exec_t, spamd_log_t;
++		type spamd_spool_t, spamd_var_lib_t, spamd_etc_t;
++		type spamc_home_t, spamc_tmp_t;
 +	')
 +
 +	typealias spamc_t alias razor_t;
@@ -28420,37 +28443,232 @@ index 340a6c0..eaa8706 100644
 +	typealias spamc_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
 +	typealias spamc_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
 +	typealias spamc_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
-+
 +',`
++	type razor_exec_t;
++	corecmd_executable_file(razor_exec_t)
 +
- type razor_exec_t;
- corecmd_executable_file(razor_exec_t)
- 
-@@ -14,6 +40,7 @@ files_config_file(razor_etc_t)
- type razor_home_t;
- typealias razor_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t };
- typealias razor_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
-+files_poly_member(razor_home_t)
- userdom_user_home_content(razor_home_t)
++	type razor_etc_t;
++	files_config_file(razor_etc_t)
++
++	type razor_home_t;
++	typealias razor_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t };
++	typealias razor_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
++	userdom_user_home_content(razor_home_t)
++
++	type razor_log_t;
++	logging_log_file(razor_log_t)
++
++	type razor_tmp_t;
++	typealias razor_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
++	typealias razor_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
++	files_tmp_file(razor_tmp_t)
++	ubac_constrained(razor_tmp_t)
++
++	type razor_var_lib_t;
++	files_type(razor_var_lib_t)
++
++	# these are here due to ordering issues:
++	razor_common_domain_template(razor)
++	typealias razor_t alias { user_razor_t staff_razor_t sysadm_razor_t };
++	typealias razor_t alias { auditadm_razor_t secadm_razor_t };
++	ubac_constrained(razor_t)
++
++	razor_common_domain_template(system_razor)
++	role system_r types system_razor_t;
++
++	########################################
++	#
++	# System razor local policy
++	#
++
++	# this version of razor is invoked typically
++	# via the system spam filter
++
++	allow system_razor_t self:tcp_socket create_socket_perms;
++
++	manage_dirs_pattern(system_razor_t, razor_etc_t, razor_etc_t)
++	manage_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
++	manage_lnk_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
++	files_search_etc(system_razor_t)
++
++	allow system_razor_t razor_log_t:file manage_file_perms;
++	logging_log_filetrans(system_razor_t, razor_log_t, file)
++
++	manage_files_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t)
++	files_var_lib_filetrans(system_razor_t, razor_var_lib_t, file)
++
++	corenet_all_recvfrom_unlabeled(system_razor_t)
++	corenet_all_recvfrom_netlabel(system_razor_t)
++	corenet_tcp_sendrecv_generic_if(system_razor_t)
++	corenet_raw_sendrecv_generic_if(system_razor_t)
++	corenet_tcp_sendrecv_generic_node(system_razor_t)
++	corenet_raw_sendrecv_generic_node(system_razor_t)
++	corenet_tcp_sendrecv_razor_port(system_razor_t)
++	corenet_tcp_connect_razor_port(system_razor_t)
++	corenet_sendrecv_razor_client_packets(system_razor_t)
++
++	sysnet_read_config(system_razor_t)
++
++	# cjp: this shouldn't be needed
++	userdom_use_unpriv_users_fds(system_razor_t)
++
++	optional_policy(`
++		logging_send_syslog_msg(system_razor_t)
++	')
++
++	optional_policy(`
++		nscd_socket_use(system_razor_t)
++	')
++
++	########################################
++	#
++	# User razor local policy
++	#
++
++	# Allow razor to be run by hand.  Needed by any action other than
++	# invocation from a spam filter.
++
++	allow razor_t self:unix_stream_socket create_stream_socket_perms;
++
++	manage_dirs_pattern(razor_t, razor_home_t, razor_home_t)
++	manage_files_pattern(razor_t, razor_home_t, razor_home_t)
++	manage_lnk_files_pattern(razor_t, razor_home_t, razor_home_t)
++	userdom_user_home_dir_filetrans(razor_t, razor_home_t, dir)
++
++	manage_dirs_pattern(razor_t, razor_tmp_t, razor_tmp_t)
++	manage_files_pattern(razor_t, razor_tmp_t, razor_tmp_t)
++	files_tmp_filetrans(razor_t, razor_tmp_t, { file dir })
++
++	auth_use_nsswitch(razor_t)
++
++	logging_send_syslog_msg(razor_t)
  
- type razor_log_t;
-@@ -100,6 +127,8 @@ manage_dirs_pattern(razor_t, razor_tmp_t, razor_tmp_t)
- manage_files_pattern(razor_t, razor_tmp_t, razor_tmp_t)
- files_tmp_filetrans(razor_t, razor_tmp_t, { file dir })
+-type razor_etc_t;
+-files_config_file(razor_etc_t)
++	userdom_search_user_home_dirs(razor_t)
++	userdom_use_user_terminals(razor_t)
  
-+auth_use_nsswitch(razor_t)
-+
- logging_send_syslog_msg(razor_t)
+-type razor_home_t;
+-typealias razor_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t };
+-typealias razor_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
+-userdom_user_home_content(razor_home_t)
++	tunable_policy(`use_nfs_home_dirs',`
++		fs_manage_nfs_dirs(razor_t)
++		fs_manage_nfs_files(razor_t)
++		fs_manage_nfs_symlinks(razor_t)
++	')
  
- userdom_search_user_home_dirs(razor_t)
-@@ -118,5 +147,7 @@ tunable_policy(`use_samba_home_dirs',`
- ')
+-type razor_log_t;
+-logging_log_file(razor_log_t)
++	tunable_policy(`use_samba_home_dirs',`
++		fs_manage_cifs_dirs(razor_t)
++		fs_manage_cifs_files(razor_t)
++		fs_manage_cifs_symlinks(razor_t)
++	')
  
- optional_policy(`
+-type razor_tmp_t;
+-typealias razor_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
+-typealias razor_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
+-files_tmp_file(razor_tmp_t)
+-ubac_constrained(razor_tmp_t)
+-
+-type razor_var_lib_t;
+-files_type(razor_var_lib_t)
+-
+-# these are here due to ordering issues:
+-razor_common_domain_template(razor)
+-typealias razor_t alias { user_razor_t staff_razor_t sysadm_razor_t };
+-typealias razor_t alias { auditadm_razor_t secadm_razor_t };
+-ubac_constrained(razor_t)
+-
+-razor_common_domain_template(system_razor)
+-role system_r types system_razor_t;
+-
+-########################################
+-#
+-# System razor local policy
+-#
+-
+-# this version of razor is invoked typically
+-# via the system spam filter
+-
+-allow system_razor_t self:tcp_socket create_socket_perms;
+-
+-manage_dirs_pattern(system_razor_t, razor_etc_t, razor_etc_t)
+-manage_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
+-manage_lnk_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
+-files_search_etc(system_razor_t)
+-
+-allow system_razor_t razor_log_t:file manage_file_perms;
+-logging_log_filetrans(system_razor_t, razor_log_t, file)
+-
+-manage_files_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t)
+-files_var_lib_filetrans(system_razor_t, razor_var_lib_t, file)
+-
+-corenet_all_recvfrom_unlabeled(system_razor_t)
+-corenet_all_recvfrom_netlabel(system_razor_t)
+-corenet_tcp_sendrecv_generic_if(system_razor_t)
+-corenet_raw_sendrecv_generic_if(system_razor_t)
+-corenet_tcp_sendrecv_generic_node(system_razor_t)
+-corenet_raw_sendrecv_generic_node(system_razor_t)
+-corenet_tcp_sendrecv_razor_port(system_razor_t)
+-corenet_tcp_connect_razor_port(system_razor_t)
+-corenet_sendrecv_razor_client_packets(system_razor_t)
+-
+-sysnet_read_config(system_razor_t)
+-
+-# cjp: this shouldn't be needed
+-userdom_use_unpriv_users_fds(system_razor_t)
+-
+-optional_policy(`
+-	logging_send_syslog_msg(system_razor_t)
+-')
+-
+-optional_policy(`
+-	nscd_socket_use(system_razor_t)
+-')
+-
+-########################################
+-#
+-# User razor local policy
+-#
+-
+-# Allow razor to be run by hand.  Needed by any action other than
+-# invocation from a spam filter.
+-
+-allow razor_t self:unix_stream_socket create_stream_socket_perms;
+-
+-manage_dirs_pattern(razor_t, razor_home_t, razor_home_t)
+-manage_files_pattern(razor_t, razor_home_t, razor_home_t)
+-manage_lnk_files_pattern(razor_t, razor_home_t, razor_home_t)
+-userdom_user_home_dir_filetrans(razor_t, razor_home_t, dir)
+-
+-manage_dirs_pattern(razor_t, razor_tmp_t, razor_tmp_t)
+-manage_files_pattern(razor_t, razor_tmp_t, razor_tmp_t)
+-files_tmp_filetrans(razor_t, razor_tmp_t, { file dir })
+-
+-logging_send_syslog_msg(razor_t)
+-
+-userdom_search_user_home_dirs(razor_t)
+-userdom_use_user_terminals(razor_t)
+-
+-tunable_policy(`use_nfs_home_dirs',`
+-	fs_manage_nfs_dirs(razor_t)
+-	fs_manage_nfs_files(razor_t)
+-	fs_manage_nfs_symlinks(razor_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+-	fs_manage_cifs_dirs(razor_t)
+-	fs_manage_cifs_files(razor_t)
+-	fs_manage_cifs_symlinks(razor_t)
+-')
+-
+-optional_policy(`
 -	nscd_socket_use(razor_t)
-+	milter_manage_spamass_state(razor_t)
-+')
-+
++	optional_policy(`
++		milter_manage_spamass_state(razor_t)
++	')
  ')
 diff --git a/policy/modules/services/remotelogin.te b/policy/modules/services/remotelogin.te
 index 0a76027..cdd0542 100644
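Review bot: The previous revision of this patch added `files_poly_member(razor_home_t)` after the razor_home_t aliases, and the rewritten non-redhat branch declares razor_home_t without it; nothing in the commit message says the drop is intentional, so it may be an accidental loss during the restructuring. Moving the entire module body into the `',` else branch of the distro_redhat ifdef also re-indents every upstream line by one tab, which makes future diffs against upstream razor.te noisier; a comment at the branch, e.g. `# non-Red Hat builds keep the standalone razor domain`, would at least explain the shape. The `# cjp: this shouldn't be needed` remark above userdom_use_unpriv_users_fds is carried over unchanged and still unresolved.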
@@ -28569,11 +28787,25 @@ index 7dc38d1..9c2c963 100644
 +	admin_pattern($1, rgmanager_var_run_t)
 +')
 diff --git a/policy/modules/services/rgmanager.te b/policy/modules/services/rgmanager.te
-index 00fa514..9ab1d80 100644
+index 00fa514..612e4e4 100644
 --- a/policy/modules/services/rgmanager.te
 +++ b/policy/modules/services/rgmanager.te
-@@ -17,6 +17,9 @@ type rgmanager_exec_t;
- domain_type(rgmanager_t)
+@@ -6,17 +6,19 @@ policy_module(rgmanager, 1.0.0)
+ #
+ 
+ ## <desc>
+-## <p>
+-## Allow rgmanager domain to connect to the network using TCP.
+-## </p>
++##	<p>
++##	Allow rgmanager domain to connect to the network using TCP.
++##	</p>
+ ## </desc>
+ gen_tunable(rgmanager_can_network_connect, false)
+ 
+ type rgmanager_t;
+ type rgmanager_exec_t;
+-domain_type(rgmanager_t)
  init_daemon_domain(rgmanager_t, rgmanager_exec_t)
  
 +type rgmanager_initrc_exec_t;
@@ -28582,7 +28814,16 @@ index 00fa514..9ab1d80 100644
  type rgmanager_tmp_t;
  files_tmp_file(rgmanager_tmp_t)
  
-@@ -55,11 +58,14 @@ fs_tmpfs_filetrans(rgmanager_t, rgmanager_tmpfs_t, { dir file })
+@@ -37,7 +39,7 @@ files_pid_file(rgmanager_var_run_t)
+ allow rgmanager_t self:capability { dac_override net_raw sys_resource sys_admin sys_nice ipc_lock };
+ dontaudit rgmanager_t self:capability { sys_ptrace };
+ allow rgmanager_t self:process { setsched signal };
+-dontaudit rgmanager_t self:process { ptrace };
++dontaudit rgmanager_t self:process ptrace;
+ 
+ allow rgmanager_t self:fifo_file rw_fifo_file_perms;
+ allow rgmanager_t self:unix_stream_socket { create_stream_socket_perms };
+@@ -55,11 +57,14 @@ fs_tmpfs_filetrans(rgmanager_t, rgmanager_tmpfs_t, { dir file })
  manage_files_pattern(rgmanager_t, rgmanager_var_log_t, rgmanager_var_log_t)
  logging_log_filetrans(rgmanager_t, rgmanager_var_log_t, { file })
  
@@ -28598,7 +28839,7 @@ index 00fa514..9ab1d80 100644
  kernel_read_system_state(rgmanager_t)
  kernel_rw_rpc_sysctls(rgmanager_t)
  kernel_search_debugfs(rgmanager_t)
-@@ -78,14 +84,19 @@ domain_read_all_domains_state(rgmanager_t)
+@@ -78,14 +83,19 @@ domain_read_all_domains_state(rgmanager_t)
  domain_getattr_all_domains(rgmanager_t)
  domain_dontaudit_ptrace_all_domains(rgmanager_t)
  
@@ -28619,7 +28860,7 @@ index 00fa514..9ab1d80 100644
  storage_getattr_fixed_disk_dev(rgmanager_t)
  
  term_getattr_pty_fs(rgmanager_t)
-@@ -140,6 +151,11 @@ optional_policy(`
+@@ -140,6 +150,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28822,10 +29063,20 @@ index de37806..229a3c7 100644
 +	read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
 +')
 diff --git a/policy/modules/services/rhcs.te b/policy/modules/services/rhcs.te
-index 93c896a..1ebc84d 100644
+index 93c896a..8d40ec9 100644
 --- a/policy/modules/services/rhcs.te
 +++ b/policy/modules/services/rhcs.te
-@@ -13,6 +13,8 @@ policy_module(rhcs, 1.1.0)
+@@ -6,13 +6,15 @@ policy_module(rhcs, 1.1.0)
+ #
+ 
+ ## <desc>
+-## <p>
+-## Allow fenced domain to connect to the network using TCP.
+-## </p>
++##	<p>
++##	Allow fenced domain to connect to the network using TCP.
++##	</p>
+ ## </desc>
  gen_tunable(fenced_can_network_connect, false)
  
  attribute cluster_domain;
@@ -28881,7 +29132,7 @@ index 93c896a..1ebc84d 100644
  
 +# needed by fence_scsi
 +optional_policy(`
-+       corosync_exec(fenced_t)
++	corosync_exec(fenced_t)
 +')
 +
  optional_policy(`
@@ -28890,7 +29141,15 @@ index 93c896a..1ebc84d 100644
  ')
  
  optional_policy(`
-@@ -139,10 +148,6 @@ storage_getattr_removable_dev(gfs_controld_t)
+@@ -120,7 +129,6 @@ optional_policy(`
+ #
+ 
+ allow gfs_controld_t self:capability { net_admin sys_resource };
+-
+ allow gfs_controld_t self:shm create_shm_perms;
+ allow gfs_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
+ 
+@@ -139,10 +147,6 @@ storage_getattr_removable_dev(gfs_controld_t)
  init_rw_script_tmp_files(gfs_controld_t)
  
  optional_policy(`
@@ -28901,16 +29160,25 @@ index 93c896a..1ebc84d 100644
  	lvm_exec(gfs_controld_t)
  	dev_rw_lvm_control(gfs_controld_t)
  ')
-@@ -168,7 +173,7 @@ init_rw_script_tmp_files(groupd_t)
+@@ -154,7 +158,6 @@ optional_policy(`
+ 
+ allow groupd_t self:capability { sys_nice sys_resource };
+ allow groupd_t self:process setsched;
+-
+ allow groupd_t self:shm create_shm_perms;
+ 
+ dev_list_sysfs(groupd_t)
+@@ -168,8 +171,7 @@ init_rw_script_tmp_files(groupd_t)
  # qdiskd local policy
  #
  
 -allow qdiskd_t self:capability ipc_lock;
+-
 +allow qdiskd_t self:capability { ipc_lock sys_boot };
- 
  allow qdiskd_t self:tcp_socket create_stream_socket_perms;
  allow qdiskd_t self:udp_socket create_socket_perms;
-@@ -207,10 +212,6 @@ storage_raw_write_fixed_disk(qdiskd_t)
+ 
+@@ -207,10 +209,6 @@ storage_raw_write_fixed_disk(qdiskd_t)
  auth_use_nsswitch(qdiskd_t)
  
  optional_policy(`
@@ -28921,7 +29189,16 @@ index 93c896a..1ebc84d 100644
  	netutils_domtrans_ping(qdiskd_t)
  ')
  
-@@ -231,10 +232,17 @@ allow cluster_domain self:fifo_file rw_fifo_file_perms;
+@@ -223,18 +221,24 @@ optional_policy(`
+ # rhcs domains common policy
+ #
+ 
+-allow cluster_domain self:capability { sys_nice };
++allow cluster_domain self:capability sys_nice;
+ allow cluster_domain self:process setsched;
+-
+ allow cluster_domain self:sem create_sem_perms;
+ allow cluster_domain self:fifo_file rw_fifo_file_perms;
  allow cluster_domain self:unix_stream_socket create_stream_socket_perms;
  allow cluster_domain self:unix_dgram_socket create_socket_perms;
  
@@ -28950,6 +29227,19 @@ index 96efae7..793a29f 100644
 +	fs_search_tmpfs($1)
  	allow $1 rhgb_tmpfs_t:file rw_file_perms;
  ')
+diff --git a/policy/modules/services/rhgb.te b/policy/modules/services/rhgb.te
+index 0f262a7..4d10897 100644
+--- a/policy/modules/services/rhgb.te
++++ b/policy/modules/services/rhgb.te
+@@ -30,7 +30,7 @@ allow rhgb_t self:tcp_socket create_socket_perms;
+ allow rhgb_t self:udp_socket create_socket_perms;
+ allow rhgb_t self:netlink_route_socket r_netlink_socket_perms;
+ 
+-allow rhgb_t rhgb_devpts_t:chr_file { rw_chr_file_perms setattr };
++allow rhgb_t rhgb_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
+ term_create_pty(rhgb_t, rhgb_devpts_t)
+ 
+ manage_dirs_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t)
 diff --git a/policy/modules/services/ricci.fc b/policy/modules/services/ricci.fc
 index 5b08327..ed5dc05 100644
 --- a/policy/modules/services/ricci.fc
@@ -29167,11 +29457,14 @@ index f7826f9..3128dd8 100644
 +	admin_pattern($1, ricci_var_run_t)
 +')
 diff --git a/policy/modules/services/ricci.te b/policy/modules/services/ricci.te
-index 33e72e8..e2434cb 100644
+index 33e72e8..29e7311 100644
 --- a/policy/modules/services/ricci.te
 +++ b/policy/modules/services/ricci.te
-@@ -10,6 +10,9 @@ type ricci_exec_t;
- domain_type(ricci_t)
+@@ -7,9 +7,11 @@ policy_module(ricci, 1.7.0)
+ 
+ type ricci_t;
+ type ricci_exec_t;
+-domain_type(ricci_t)
  init_daemon_domain(ricci_t, ricci_exec_t)
  
 +type ricci_initrc_exec_t;
@@ -29180,8 +29473,11 @@ index 33e72e8..e2434cb 100644
  type ricci_tmp_t;
  files_tmp_file(ricci_tmp_t)
  
-@@ -42,6 +45,9 @@ type ricci_modclusterd_exec_t;
- domain_type(ricci_modclusterd_t)
+@@ -39,9 +41,11 @@ files_pid_file(ricci_modcluster_var_run_t)
+ 
+ type ricci_modclusterd_t;
+ type ricci_modclusterd_exec_t;
+-domain_type(ricci_modclusterd_t)
  init_daemon_domain(ricci_modclusterd_t, ricci_modclusterd_exec_t)
  
 +type ricci_modclusterd_tmpfs_t;
@@ -29190,7 +29486,16 @@ index 33e72e8..e2434cb 100644
  type ricci_modlog_t;
  type ricci_modlog_exec_t;
  domain_type(ricci_modlog_t)
-@@ -105,6 +111,7 @@ manage_sock_files_pattern(ricci_t, ricci_var_run_t, ricci_var_run_t)
+@@ -95,7 +99,7 @@ manage_files_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t)
+ manage_sock_files_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t)
+ files_var_lib_filetrans(ricci_t, ricci_var_lib_t, { file dir sock_file })
+ 
+-allow ricci_t ricci_var_log_t:dir setattr;
++allow ricci_t ricci_var_log_t:dir setattr_dir_perms;
+ manage_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t)
+ manage_sock_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t)
+ logging_log_filetrans(ricci_t, ricci_var_log_t, { sock_file file dir })
+@@ -105,6 +109,7 @@ manage_sock_files_pattern(ricci_t, ricci_var_run_t, ricci_var_run_t)
  files_pid_filetrans(ricci_t, ricci_var_run_t, { file sock_file })
  
  kernel_read_kernel_sysctls(ricci_t)
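Review bot: The ricci_t rule is changed to `allow ricci_t ricci_var_log_t:dir setattr_dir_perms;`, but the parallel `allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr;` (context in the later hunk headed `@@ -29219,7 +29524,7 @@`) keeps the bare permission, so the two sibling domains now spell the same rule two ways. Applying `setattr_dir_perms` to the modclusterd line as well would make the cleanup consistent. Both rules sit in blocks that begin outside their hunks.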
@@ -29198,7 +29503,7 @@ index 33e72e8..e2434cb 100644
  
  corecmd_exec_bin(ricci_t)
  
-@@ -170,6 +177,10 @@ optional_policy(`
+@@ -170,6 +175,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29209,7 +29514,7 @@ index 33e72e8..e2434cb 100644
  	unconfined_use_fds(ricci_t)
  ')
  
-@@ -241,8 +252,7 @@ optional_policy(`
+@@ -241,8 +250,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29219,7 +29524,7 @@ index 33e72e8..e2434cb 100644
  ')
  
  ########################################
-@@ -261,6 +271,10 @@ allow ricci_modclusterd_t self:socket create_socket_perms;
+@@ -261,6 +269,10 @@ allow ricci_modclusterd_t self:socket create_socket_perms;
  allow ricci_modclusterd_t ricci_modcluster_t:unix_stream_socket connectto;
  allow ricci_modclusterd_t ricci_modcluster_t:fifo_file rw_file_perms;
  
@@ -29230,7 +29535,7 @@ index 33e72e8..e2434cb 100644
  allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr;
  manage_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t)
  manage_sock_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t)
-@@ -272,6 +286,7 @@ files_pid_filetrans(ricci_modclusterd_t, ricci_modcluster_var_run_t, { file sock
+@@ -272,6 +284,7 @@ files_pid_filetrans(ricci_modclusterd_t, ricci_modcluster_var_run_t, { file sock
  
  kernel_read_kernel_sysctls(ricci_modclusterd_t)
  kernel_read_system_state(ricci_modclusterd_t)
@@ -29238,7 +29543,7 @@ index 33e72e8..e2434cb 100644
  
  corecmd_exec_bin(ricci_modclusterd_t)
  
-@@ -444,6 +459,12 @@ files_read_etc_runtime_files(ricci_modstorage_t)
+@@ -444,6 +457,12 @@ files_read_etc_runtime_files(ricci_modstorage_t)
  files_read_usr_files(ricci_modstorage_t)
  files_read_kernel_modules(ricci_modstorage_t)
  
@@ -29264,10 +29569,28 @@ index 2785337..c3c2775 100644
  /usr/kerberos/sbin/klogind	--	gen_context(system_u:object_r:rlogind_exec_t,s0)
  
 diff --git a/policy/modules/services/rlogin.te b/policy/modules/services/rlogin.te
-index 779fa44..29a5d0d 100644
+index 779fa44..0155ca7 100644
 --- a/policy/modules/services/rlogin.te
 +++ b/policy/modules/services/rlogin.te
-@@ -43,7 +43,6 @@ can_exec(rlogind_t, rlogind_exec_t)
+@@ -27,15 +27,14 @@ files_pid_file(rlogind_var_run_t)
+ # Local policy
+ #
+ 
+-allow rlogind_t self:capability { fsetid chown fowner sys_tty_config dac_override };
++allow rlogind_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override };
+ allow rlogind_t self:process signal_perms;
+ allow rlogind_t self:fifo_file rw_fifo_file_perms;
+ allow rlogind_t self:tcp_socket connected_stream_socket_perms;
+ # for identd; cjp: this should probably only be inetd_child rules?
+ allow rlogind_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+-allow rlogind_t self:capability { setuid setgid };
+ 
+-allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr };
++allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
+ term_create_pty(rlogind_t, rlogind_devpts_t)
+ 
+ # for /usr/lib/telnetlogin
+@@ -43,7 +42,6 @@ can_exec(rlogind_t, rlogind_exec_t)
  
  manage_dirs_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)
  manage_files_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)
@@ -29275,7 +29598,7 @@ index 779fa44..29a5d0d 100644
  
  manage_files_pattern(rlogind_t, rlogind_var_run_t, rlogind_var_run_t)
  files_pid_filetrans(rlogind_t, rlogind_var_run_t, file)
-@@ -71,6 +70,7 @@ fs_search_auto_mountpoints(rlogind_t)
+@@ -71,6 +69,7 @@ fs_search_auto_mountpoints(rlogind_t)
  auth_domtrans_chk_passwd(rlogind_t)
  auth_rw_login_records(rlogind_t)
  auth_use_nsswitch(rlogind_t)
@@ -29283,7 +29606,7 @@ index 779fa44..29a5d0d 100644
  
  files_read_etc_files(rlogind_t)
  files_read_etc_runtime_files(rlogind_t)
-@@ -88,6 +88,9 @@ seutil_read_config(rlogind_t)
+@@ -88,6 +87,9 @@ seutil_read_config(rlogind_t)
  userdom_setattr_user_ptys(rlogind_t)
  # cjp: this is egregious
  userdom_read_user_home_content_files(rlogind_t)
@@ -29380,13 +29703,42 @@ index cda37bb..28e7576 100644
 +	allow $1 var_lib_nfs_t:file relabel_file_perms;
  ')
 diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
-index 8e1ab72..9ae080e 100644
+index 8e1ab72..288e6cc 100644
 --- a/policy/modules/services/rpc.te
 +++ b/policy/modules/services/rpc.te
-@@ -63,8 +63,9 @@ allow rpcd_t self:process { getcap setcap };
+@@ -6,18 +6,18 @@ policy_module(rpc, 1.12.0)
+ #
+ 
+ ## <desc>
+-## <p>
+-## Allow gssd to read temp directory.  For access to kerberos tgt.
+-## </p>
++##	<p>
++##	Allow gssd to read temp directory.  For access to kerberos tgt.
++##	</p>
+ ## </desc>
+ gen_tunable(allow_gssd_read_tmp, true)
+ 
+ ## <desc>
+-## <p>
+-## Allow nfs servers to modify public files
+-## used for public file transfer services.  Files/Directories must be
+-## labeled public_content_rw_t.
+-## </p>
++##	<p>
++##	Allow nfs servers to modify public files
++##	used for public file transfer services.  Files/Directories must be
++##	labeled public_content_rw_t.
++##	</p>
+ ## </desc>
+ gen_tunable(allow_nfsd_anon_write, false)
+ 
+@@ -62,9 +62,10 @@ allow rpcd_t self:capability { sys_admin chown dac_override setgid setuid };
+ allow rpcd_t self:process { getcap setcap };
  allow rpcd_t self:fifo_file rw_fifo_file_perms;
  
- allow rpcd_t rpcd_var_run_t:dir setattr;
+-allow rpcd_t rpcd_var_run_t:dir setattr;
++allow rpcd_t rpcd_var_run_t:dir setattr_dir_perms;
 +manage_dirs_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t)
  manage_files_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t)
 -files_pid_filetrans(rpcd_t, rpcd_var_run_t, file)
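Review bot: The new `allow rpcd_t rpcd_var_run_t:dir setattr_dir_perms;` is subsumed by the `manage_dirs_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t)` added directly below it, since manage_dir_perms already carries getattr and setattr on the directory; keeping both leaves a rule that reads as a deliberate narrowing but grants nothing extra. Dropping the explicit line and relying on `manage_dirs_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t)` alone makes the intended access set easier to audit. The similar `allow ricci_t ricci_var_log_t:dir setattr_dir_perms;` in the ricci.te hunk is not redundant, because the manage_files_pattern that follows it only grants rw_dir_perms on the directory. The rpcd_t local-policy block continues past this hunk.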
@@ -29394,7 +29746,15 @@ index 8e1ab72..9ae080e 100644
  
  # rpc.statd executes sm-notify
  can_exec(rpcd_t, rpcd_exec_t)
-@@ -97,15 +98,26 @@ miscfiles_read_generic_certs(rpcd_t)
+@@ -87,6 +88,7 @@ fs_read_rpc_files(rpcd_t)
+ fs_read_rpc_symlinks(rpcd_t)
+ fs_rw_rpc_sockets(rpcd_t)
+ fs_get_all_fs_quotas(rpcd_t)
++fs_set_xattr_fs_quotas(rpcd_t)
+ fs_getattr_all_fs(rpcd_t)
+ 
+ storage_getattr_fixed_disk_dev(rpcd_t)
+@@ -97,15 +99,26 @@ miscfiles_read_generic_certs(rpcd_t)
  
  seutil_dontaudit_search_config(rpcd_t)
  
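Review bot: `fs_set_xattr_fs_quotas(rpcd_t)` grants quota modification to the whole rpcd_t domain, and the context lines show that domain is shared (the `# rpc.statd executes sm-notify` comment and `can_exec(rpcd_t, rpcd_exec_t)`), so every daemon running as rpcd_t gains quotamod rather than only the quota daemon that presumably needs it. A comment naming the consumer would keep the grant auditable, e.g. `# quotamod for the quota daemon; the other rpcd_t daemons do not need this`, and a dedicated domain for that daemon is the tighter fix if the sharing is unintended. The enclosing rpcd_t block continues beyond the hunk.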
@@ -29421,7 +29781,7 @@ index 8e1ab72..9ae080e 100644
  ########################################
  #
  # NFSD local policy
-@@ -120,6 +132,7 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
+@@ -120,6 +133,7 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
  kernel_read_system_state(nfsd_t)
  kernel_read_network_state(nfsd_t)
  kernel_dontaudit_getattr_core_if(nfsd_t)
@@ -29429,15 +29789,25 @@ index 8e1ab72..9ae080e 100644
  
  corenet_tcp_bind_all_rpc_ports(nfsd_t)
  corenet_udp_bind_all_rpc_ports(nfsd_t)
-@@ -160,6 +173,7 @@ tunable_policy(`nfs_export_all_rw',`
- 	fs_read_noxattr_fs_files(nfsd_t)
- 	auth_manage_all_files_except_shadow(nfsd_t)
- ')
+@@ -148,6 +162,8 @@ storage_raw_read_removable_device(nfsd_t)
+ # Read access to public_content_t and public_content_rw_t
+ miscfiles_read_public_files(nfsd_t)
+ 
 +userdom_user_home_dir_filetrans_user_home_content(nfsd_t, { file dir })
++
+ # Write access to public_content_t and public_content_rw_t
+ tunable_policy(`allow_nfsd_anon_write',`
+ 	miscfiles_manage_public_files(nfsd_t)
+@@ -181,7 +197,7 @@ tunable_policy(`nfs_export_all_ro',`
  
- tunable_policy(`nfs_export_all_ro',`
- 	dev_getattr_all_blk_files(nfsd_t)
-@@ -218,6 +232,8 @@ tunable_policy(`allow_gssd_read_tmp',`
+ allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice };
+ allow gssd_t self:process { getsched setsched };
+-allow gssd_t self:fifo_file rw_file_perms;
++allow gssd_t self:fifo_file rw_fifo_file_perms;
+ 
+ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
+ manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
+@@ -218,6 +234,8 @@ tunable_policy(`allow_gssd_read_tmp',`
  	userdom_list_user_tmp(gssd_t)
  	userdom_read_user_tmp_files(gssd_t)
  	userdom_read_user_tmp_symlinks(gssd_t)
@@ -30707,19 +31077,28 @@ index 275f9fb..bfdf197 100644
  
  	init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
 diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te
-index 3d8d1b3..b5cd366 100644
+index 3d8d1b3..0927db4 100644
 --- a/policy/modules/services/snmp.te
 +++ b/policy/modules/services/snmp.te
-@@ -24,7 +24,7 @@ files_type(snmpd_var_lib_t)
+@@ -4,6 +4,7 @@ policy_module(snmp, 1.11.0)
+ #
+ # Declarations
+ #
++
+ type snmpd_t;
+ type snmpd_exec_t;
+ init_daemon_domain(snmpd_t, snmpd_exec_t)
+@@ -24,7 +25,8 @@ files_type(snmpd_var_lib_t)
  #
  # Local policy
  #
 -allow snmpd_t self:capability { chown dac_override kill ipc_lock sys_ptrace net_admin sys_nice sys_tty_config };
++
 +allow snmpd_t self:capability { chown dac_override kill ipc_lock setgid setuid sys_ptrace net_admin sys_nice sys_tty_config };
  dontaudit snmpd_t self:capability { sys_module sys_tty_config };
  allow snmpd_t self:process { signal_perms getsched setsched };
  allow snmpd_t self:fifo_file rw_fifo_file_perms;
-@@ -43,8 +43,9 @@ files_usr_filetrans(snmpd_t, snmpd_var_lib_t, file)
+@@ -43,8 +45,9 @@ files_usr_filetrans(snmpd_t, snmpd_var_lib_t, file)
  files_var_filetrans(snmpd_t, snmpd_var_lib_t, { file dir sock_file })
  files_var_lib_filetrans(snmpd_t, snmpd_var_lib_t, file)
  
@@ -30730,7 +31109,7 @@ index 3d8d1b3..b5cd366 100644
  
  kernel_read_device_sysctls(snmpd_t)
  kernel_read_kernel_sysctls(snmpd_t)
-@@ -97,6 +98,7 @@ fs_search_auto_mountpoints(snmpd_t)
+@@ -97,6 +100,7 @@ fs_search_auto_mountpoints(snmpd_t)
  
  storage_dontaudit_read_fixed_disk(snmpd_t)
  storage_dontaudit_read_removable_device(snmpd_t)
@@ -30738,6 +31117,15 @@ index 3d8d1b3..b5cd366 100644
  
  auth_use_nsswitch(snmpd_t)
  auth_read_all_dirs_except_shadow(snmpd_t)
+@@ -115,7 +119,7 @@ sysnet_read_config(snmpd_t)
+ userdom_dontaudit_use_unpriv_user_fds(snmpd_t)
+ userdom_dontaudit_search_user_home_dirs(snmpd_t)
+ 
+-ifdef(`distro_redhat', `
++ifdef(`distro_redhat',`
+ 	optional_policy(`
+ 		rpm_read_db(snmpd_t)
+ 		rpm_dontaudit_manage_db(snmpd_t)
 diff --git a/policy/modules/services/snort.if b/policy/modules/services/snort.if
 index c117e8b..88ebedb 100644
 --- a/policy/modules/services/snort.if
@@ -30769,6 +31157,31 @@ index c117e8b..88ebedb 100644
 -	files_search_pids($1)
 +	files_list_pids($1)
  ')
+diff --git a/policy/modules/services/snort.te b/policy/modules/services/snort.te
+index d7f4bd4..012723c 100644
+--- a/policy/modules/services/snort.te
++++ b/policy/modules/services/snort.te
+@@ -32,17 +32,17 @@ files_pid_file(snort_var_run_t)
+ allow snort_t self:capability { setgid setuid net_admin net_raw dac_override };
+ dontaudit snort_t self:capability sys_tty_config;
+ allow snort_t self:process signal_perms;
+-allow snort_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
++allow snort_t self:netlink_route_socket create_netlink_socket_perms;
+ allow snort_t self:tcp_socket create_stream_socket_perms;
+ allow snort_t self:udp_socket create_socket_perms;
+ allow snort_t self:packet_socket create_socket_perms;
+ allow snort_t self:socket create_socket_perms;
+ # Snort IPS node. unverified.
+-allow snort_t self:netlink_firewall_socket { bind create getattr };
++allow snort_t self:netlink_firewall_socket create_socket_perms;
+ 
+ allow snort_t snort_etc_t:dir list_dir_perms;
+ allow snort_t snort_etc_t:file read_file_perms;
+-allow snort_t snort_etc_t:lnk_file { getattr read };
++allow snort_t snort_etc_t:lnk_file read_lnk_file_perms;
+ 
+ manage_files_pattern(snort_t, snort_log_t, snort_log_t)
+ create_dirs_pattern(snort_t, snort_log_t, snort_log_t)
 diff --git a/policy/modules/services/soundserver.if b/policy/modules/services/soundserver.if
 index 93fe7bf..4a15633 100644
 --- a/policy/modules/services/soundserver.if
@@ -30991,64 +31404,127 @@ index c954f31..7f57f22 100644
 +	admin_pattern($1, spamd_var_run_t)
  ')
 diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
-index 9d40380..9ad4eff 100644
+index 9d40380..56e4c2e 100644
 --- a/policy/modules/services/spamassassin.te
 +++ b/policy/modules/services/spamassassin.te
-@@ -19,6 +19,35 @@ gen_tunable(spamassassin_can_network, false)
+@@ -6,54 +6,93 @@ policy_module(spamassassin, 2.3.1)
+ #
+ 
+ ## <desc>
+-## <p>
+-## Allow user spamassassin clients to use the network.
+-## </p>
++##	<p>
++##	Allow user spamassassin clients to use the network.
++##	</p>
+ ## </desc>
+ gen_tunable(spamassassin_can_network, false)
+ 
+ ## <desc>
+-## <p>
+-## Allow spamd to read/write user home directories.
+-## </p>
++##	<p>
++##	Allow spamd to read/write user home directories.
++##	</p>
  ## </desc>
  gen_tunable(spamd_enable_home_dirs, true)
  
+-type spamassassin_t;
+-type spamassassin_exec_t;
+-typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t };
+-typealias spamassassin_t alias { auditadm_spamassassin_t secadm_spamassassin_t };
+-application_domain(spamassassin_t, spamassassin_exec_t)
+-ubac_constrained(spamassassin_t)
+-
+-type spamassassin_home_t;
+-typealias spamassassin_home_t alias { user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t };
+-typealias spamassassin_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t };
+-userdom_user_home_content(spamassassin_home_t)
+-
+-type spamassassin_tmp_t;
+-typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
+-typealias spamassassin_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t };
+-files_tmp_file(spamassassin_tmp_t)
+-ubac_constrained(spamassassin_tmp_t)
+-
+-type spamc_t;
+-type spamc_exec_t;
+-typealias spamc_t alias { user_spamc_t staff_spamc_t sysadm_spamc_t };
+-typealias spamc_t alias { auditadm_spamc_t secadm_spamc_t };
+-application_domain(spamc_t, spamc_exec_t)
+-ubac_constrained(spamc_t)
+-
+-type spamc_tmp_t;
+-typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
+-typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
+-files_tmp_file(spamc_tmp_t)
+-ubac_constrained(spamc_tmp_t)
 +ifdef(`distro_redhat',`
-+# spamassassin client executable
-+type spamc_t;
-+type spamc_exec_t;
-+application_domain(spamc_t, spamc_exec_t)
-+role system_r types spamc_t;
-+
-+type spamd_etc_t;
-+files_config_file(spamd_etc_t)
-+
-+typealias spamc_exec_t  alias spamassassin_exec_t;
-+typealias spamc_t alias spamassassin_t;
-+
-+type spamc_home_t;
-+userdom_user_home_content(spamc_home_t)
-+typealias spamc_home_t alias { spamassassin_home_t user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t };
-+typealias spamc_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t };
-+typealias spamc_home_t alias { user_spamc_home_t staff_spamc_home_t sysadm_spamc_home_t };
-+typealias spamc_home_t alias { auditadm_spamc_home_t secadm_spamc_home_t };
-+
-+type spamc_tmp_t;
-+files_tmp_file(spamc_tmp_t)
-+typealias spamc_tmp_t alias spamassassin_tmp_t;
-+typealias spamc_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
-+typealias spamc_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t };
-+
-+typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
-+typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
-+', `
- type spamassassin_t;
- type spamassassin_exec_t;
- typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t };
-@@ -30,6 +59,7 @@ type spamassassin_home_t;
- typealias spamassassin_home_t alias { user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t };
- typealias spamassassin_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t };
- userdom_user_home_content(spamassassin_home_t)
-+files_poly_member(spamassassin_home_t)
- 
- type spamassassin_tmp_t;
- typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
-@@ -49,10 +79,21 @@ typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tm
- typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
- files_tmp_file(spamc_tmp_t)
- ubac_constrained(spamc_tmp_t)
++	# spamassassin client executable
++	type spamc_t;
++	type spamc_exec_t;
++	application_domain(spamc_t, spamc_exec_t)
++	role system_r types spamc_t;
++
++	type spamd_etc_t;
++	files_config_file(spamd_etc_t)
++
++	typealias spamc_exec_t  alias spamassassin_exec_t;
++	typealias spamc_t alias spamassassin_t;
++
++	type spamc_home_t;
++	userdom_user_home_content(spamc_home_t)
++	typealias spamc_home_t alias { spamassassin_home_t user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t };
++	typealias spamc_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t };
++	typealias spamc_home_t alias { user_spamc_home_t staff_spamc_home_t sysadm_spamc_home_t };
++	typealias spamc_home_t alias { auditadm_spamc_home_t secadm_spamc_home_t };
++
++	type spamc_tmp_t;
++	files_tmp_file(spamc_tmp_t)
++	typealias spamc_tmp_t alias spamassassin_tmp_t;
++	typealias spamc_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
++	typealias spamc_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t };
++
++	typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
++	typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
++',`
++	type spamassassin_t;
++	type spamassassin_exec_t;
++	typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t };
++	typealias spamassassin_t alias { auditadm_spamassassin_t secadm_spamassassin_t };
++	application_domain(spamassassin_t, spamassassin_exec_t)
++	ubac_constrained(spamassassin_t)
++
++	type spamassassin_home_t;
++	typealias spamassassin_home_t alias { user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t };
++	typealias spamassassin_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t };
++	userdom_user_home_content(spamassassin_home_t)
++
++	type spamassassin_tmp_t;
++	typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
++	typealias spamassassin_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t };
++	files_tmp_file(spamassassin_tmp_t)
++	ubac_constrained(spamassassin_tmp_t)
++
++	type spamc_t;
++	type spamc_exec_t;
++	typealias spamc_t alias { user_spamc_t staff_spamc_t sysadm_spamc_t };
++	typealias spamc_t alias { auditadm_spamc_t secadm_spamc_t };
++	application_domain(spamc_t, spamc_exec_t)
++	ubac_constrained(spamc_t)
++
++	type spamc_tmp_t;
++	typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
++	typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
++	files_tmp_file(spamc_tmp_t)
++	ubac_constrained(spamc_tmp_t)
 +')
  
  type spamd_t;
  type spamd_exec_t;
  init_daemon_domain(spamd_t, spamd_exec_t)
-+can_exec(spamd_t, spamd_exec_t)
-+
+ 
 +type spamd_compiled_t;
 +files_type(spamd_compiled_t)
 +
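Review bot: The distro_redhat branch declares spamc_t and spamc_tmp_t without `ubac_constrained()`, while the non-Red Hat branch below applies it to spamassassin_t, spamassassin_tmp_t, spamc_t and spamc_tmp_t; on a build with UBAC enabled the Red Hat variant of the same domain (spamc_t is aliased to spamassassin_t there) would sit outside the user-based constraint, which looks unintended. Adding `ubac_constrained(spamc_t)` after the application_domain call and `ubac_constrained(spamc_tmp_t)` after files_tmp_file, or a comment stating why the Red Hat branch opts out, would make the difference deliberate. This asymmetry pre-dates the commit, which only re-indents the branch, and the declarations block continues past the hunk.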
@@ -31057,10 +31533,11 @@ index 9d40380..9ad4eff 100644
 +
 +type spamd_log_t;
 +logging_log_file(spamd_log_t)
- 
++
  type spamd_spool_t;
  files_type(spamd_spool_t)
-@@ -108,6 +149,7 @@ kernel_read_kernel_sysctls(spamassassin_t)
+ 
+@@ -108,6 +147,7 @@ kernel_read_kernel_sysctls(spamassassin_t)
  dev_read_urand(spamassassin_t)
  
  fs_search_auto_mountpoints(spamassassin_t)
@@ -31068,7 +31545,7 @@ index 9d40380..9ad4eff 100644
  
  # this should probably be removed
  corecmd_list_bin(spamassassin_t)
-@@ -148,6 +190,9 @@ tunable_policy(`spamassassin_can_network',`
+@@ -148,6 +188,9 @@ tunable_policy(`spamassassin_can_network',`
  	corenet_udp_sendrecv_all_ports(spamassassin_t)
  	corenet_tcp_connect_all_ports(spamassassin_t)
  	corenet_sendrecv_all_client_packets(spamassassin_t)
@@ -31078,7 +31555,7 @@ index 9d40380..9ad4eff 100644
  
  	sysnet_read_config(spamassassin_t)
  ')
-@@ -184,6 +229,8 @@ optional_policy(`
+@@ -184,6 +227,8 @@ optional_policy(`
  optional_policy(`
  	mta_read_config(spamassassin_t)
  	sendmail_stub(spamassassin_t)
@@ -31087,18 +31564,12 @@ index 9d40380..9ad4eff 100644
  ')
  
  ########################################
-@@ -205,16 +252,33 @@ allow spamc_t self:unix_dgram_socket sendto;
- allow spamc_t self:unix_stream_socket connectto;
+@@ -206,15 +251,30 @@ allow spamc_t self:unix_stream_socket connectto;
  allow spamc_t self:tcp_socket create_stream_socket_perms;
  allow spamc_t self:udp_socket create_socket_perms;
-+corenet_all_recvfrom_unlabeled(spamc_t)
-+corenet_all_recvfrom_netlabel(spamc_t)
-+corenet_tcp_sendrecv_generic_if(spamc_t)
-+corenet_tcp_sendrecv_generic_node(spamc_t)
-+corenet_tcp_connect_spamd_port(spamc_t)
-+
-+can_exec(spamc_t, spamc_exec_t)
  
++can_exec(spamc_t, spamc_exec_t)
++
  manage_dirs_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t)
  manage_files_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t)
  files_tmp_filetrans(spamc_t, spamc_tmp_t, { file dir })
@@ -31111,6 +31582,9 @@ index 9d40380..9ad4eff 100644
 +userdom_user_home_dir_filetrans(spamc_t, spamc_home_t, { dir file lnk_file sock_file fifo_file })
 +userdom_append_user_home_content_files(spamc_t)
 +
++list_dirs_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
++read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
++
  # Allow connecting to a local spamd
  allow spamc_t spamd_t:unix_stream_socket connectto;
  allow spamc_t spamd_tmp_t:sock_file rw_sock_file_perms;
@@ -31121,13 +31595,19 @@ index 9d40380..9ad4eff 100644
  
  corenet_all_recvfrom_unlabeled(spamc_t)
  corenet_all_recvfrom_netlabel(spamc_t)
-@@ -244,9 +308,16 @@ files_read_usr_files(spamc_t)
+@@ -226,6 +286,7 @@ corenet_tcp_sendrecv_all_ports(spamc_t)
+ corenet_udp_sendrecv_all_ports(spamc_t)
+ corenet_tcp_connect_all_ports(spamc_t)
+ corenet_sendrecv_all_client_packets(spamc_t)
++corenet_tcp_connect_spamd_port(spamc_t)
+ 
+ fs_search_auto_mountpoints(spamc_t)
+ 
+@@ -244,9 +305,14 @@ files_read_usr_files(spamc_t)
  files_dontaudit_search_var(spamc_t)
  # cjp: this may be removable:
  files_list_home(spamc_t)
 +files_list_var_lib(spamc_t)
-+list_dirs_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
-+read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
 +
 +fs_search_auto_mountpoints(spamc_t)
  
@@ -31138,7 +31618,7 @@ index 9d40380..9ad4eff 100644
  miscfiles_read_localization(spamc_t)
  
  # cjp: this should probably be removed:
-@@ -254,27 +325,40 @@ seutil_read_config(spamc_t)
+@@ -254,27 +320,40 @@ seutil_read_config(spamc_t)
  
  sysnet_read_config(spamc_t)
  
@@ -31185,7 +31665,7 @@ index 9d40380..9ad4eff 100644
  ')
  
  ########################################
-@@ -286,7 +370,7 @@ optional_policy(`
+@@ -286,7 +365,7 @@ optional_policy(`
  # setuids to the user running spamc.  Comment this if you are not
  # using this ability.
  
@@ -31194,7 +31674,7 @@ index 9d40380..9ad4eff 100644
  dontaudit spamd_t self:capability sys_tty_config;
  allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow spamd_t self:fd use;
-@@ -302,10 +386,17 @@ allow spamd_t self:unix_dgram_socket sendto;
+@@ -302,10 +381,17 @@ allow spamd_t self:unix_dgram_socket sendto;
  allow spamd_t self:unix_stream_socket connectto;
  allow spamd_t self:tcp_socket create_stream_socket_perms;
  allow spamd_t self:udp_socket create_socket_perms;
@@ -31213,7 +31693,7 @@ index 9d40380..9ad4eff 100644
  files_spool_filetrans(spamd_t, spamd_spool_t, { file dir })
  
  manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
-@@ -314,11 +405,13 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
+@@ -314,11 +400,15 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
  
  # var/lib files for spamd
  allow spamd_t spamd_var_lib_t:dir list_dir_perms;
@@ -31226,10 +31706,12 @@ index 9d40380..9ad4eff 100644
 -files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file })
 +manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
 +files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir })
++
++can_exec(spamd_t, spamd_exec_t)
  
  kernel_read_all_sysctls(spamd_t)
  kernel_read_system_state(spamd_t)
-@@ -367,22 +460,27 @@ files_read_var_lib_files(spamd_t)
+@@ -367,22 +457,27 @@ files_read_var_lib_files(spamd_t)
  
  init_dontaudit_rw_utmp(spamd_t)
  
@@ -31261,7 +31743,7 @@ index 9d40380..9ad4eff 100644
  	fs_manage_cifs_files(spamd_t)
  ')
  
-@@ -399,7 +497,9 @@ optional_policy(`
+@@ -399,7 +494,9 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -31271,7 +31753,16 @@ index 9d40380..9ad4eff 100644
  	dcc_stream_connect_dccifd(spamd_t)
  ')
  
-@@ -416,10 +516,6 @@ optional_policy(`
+@@ -408,25 +505,17 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	corenet_tcp_connect_mysqld_port(spamd_t)
+-	corenet_sendrecv_mysqld_client_packets(spamd_t)
+-
++	mysql_tcp_connect(spamd_t)
+ 	mysql_search_db(spamd_t)
+ 	mysql_stream_connect(spamd_t)
  ')
  
  optional_policy(`
@@ -31282,7 +31773,15 @@ index 9d40380..9ad4eff 100644
  	postfix_read_config(spamd_t)
  ')
  
-@@ -437,6 +533,10 @@ optional_policy(`
+ optional_policy(`
+-	corenet_tcp_connect_postgresql_port(spamd_t)
+-	corenet_sendrecv_postgresql_client_packets(spamd_t)
+-
++	postgresql_tcp_connect(spamd_t)
+ 	postgresql_stream_connect(spamd_t)
+ ')
+ 
+@@ -437,6 +526,10 @@ optional_policy(`
  
  optional_policy(`
  	razor_domtrans(spamd_t)
@@ -31324,6 +31823,35 @@ index d2496bd..1d0c078 100644
  	')
  
  	allow $1 squid_t:process { ptrace signal_perms };
+diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te
+index 4b2230e..744b172 100644
+--- a/policy/modules/services/squid.te
++++ b/policy/modules/services/squid.te
+@@ -6,17 +6,17 @@ policy_module(squid, 1.10.0)
+ #
+ 
+ ## <desc>
+-## <p>
+-## Allow squid to connect to all ports, not just
+-## HTTP, FTP, and Gopher ports.
+-## </p>
++##	<p>
++##	Allow squid to connect to all ports, not just
++##	HTTP, FTP, and Gopher ports.
++##	</p>
+ ## </desc>
+ gen_tunable(squid_connect_any, false)
+ 
+ ## <desc>
+-## <p>
+-## Allow squid to run as a transparent proxy (TPROXY)
+-## </p>
++##	<p>
++##	Allow squid to run as a transparent proxy (TPROXY)
++##	</p>
+ ## </desc>
+ gen_tunable(squid_use_tproxy, false)
+ 
 diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
 index 078bcd7..dd706b0 100644
 --- a/policy/modules/services/ssh.fc
@@ -31636,24 +32164,50 @@ index 22adaca..784c363 100644
 +	allow $1 sshd_t:process signull;
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 2dad3c8..68c3057 100644
+index 2dad3c8..c7efe5d 100644
 --- a/policy/modules/services/ssh.te
 +++ b/policy/modules/services/ssh.te
-@@ -19,6 +19,13 @@ gen_tunable(allow_ssh_keysign, false)
+@@ -6,26 +6,32 @@ policy_module(ssh, 2.2.0)
+ #
+ 
+ ## <desc>
+-## <p>
+-## allow host key based authentication
+-## </p>
++##	<p>
++##	allow host key based authentication
++##	</p>
+ ## </desc>
+ gen_tunable(allow_ssh_keysign, false)
+ 
+ ## <desc>
+-## <p>
+-## Allow ssh logins as sysadm_r:sysadm_t
+-## </p>
++##	<p>
++##	Allow ssh logins as sysadm_r:sysadm_t
++##	</p>
  ## </desc>
  gen_tunable(ssh_sysadm_login, false)
  
 +## <desc>
-+## <p>
-+## allow sshd to forward port connections
-+## </p>
++##	<p>
++##	allow sshd to forward port connections
++##	</p>
 +## </desc>
 +gen_tunable(sshd_forward_ports, false)
 +
  attribute ssh_server;
  attribute ssh_agent_type;
  
-@@ -33,13 +40,12 @@ corecmd_executable_file(sshd_exec_t)
+ type ssh_keygen_t;
+ type ssh_keygen_exec_t;
+ init_system_domain(ssh_keygen_t, ssh_keygen_exec_t)
+-role system_r types ssh_keygen_t;
+ 
+ type sshd_exec_t;
+ corecmd_executable_file(sshd_exec_t)
+@@ -33,17 +39,12 @@ corecmd_executable_file(sshd_exec_t)
  ssh_server_template(sshd)
  init_daemon_domain(sshd_t, sshd_exec_t)
  
@@ -31667,10 +32221,28 @@ index 2dad3c8..68c3057 100644
 -files_tmp_file(sshd_tmp_t)
 -files_poly_parent(sshd_tmp_t)
 -
- ifdef(`enable_mcs',`
- 	init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
- ')
-@@ -99,11 +105,6 @@ allow ssh_t self:tcp_socket create_stream_socket_perms;
+-ifdef(`enable_mcs',`
+-	init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
+-')
+-
+ type ssh_t;
+ type ssh_exec_t;
+ typealias ssh_t alias { user_ssh_t staff_ssh_t sysadm_ssh_t };
+@@ -76,9 +77,12 @@ ubac_constrained(ssh_tmpfs_t)
+ type ssh_home_t;
+ typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t };
+ typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
+-files_type(ssh_home_t)
+ userdom_user_home_content(ssh_home_t)
+ 
++ifdef(`enable_mcs',`
++	init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
++')
++
+ ##############################
+ #
+ # SSH client local policy
+@@ -99,11 +103,6 @@ allow ssh_t self:tcp_socket create_stream_socket_perms;
  # Read the ssh key file.
  allow ssh_t sshd_key_t:file read_file_perms;
  
@@ -31682,7 +32254,7 @@ index 2dad3c8..68c3057 100644
  manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
  manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
  manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
-@@ -113,6 +114,7 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
+@@ -113,6 +112,7 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
  manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t)
  manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
  userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file })
@@ -31690,7 +32262,7 @@ index 2dad3c8..68c3057 100644
  
  # Allow the ssh program to communicate with ssh-agent.
  stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type)
-@@ -124,9 +126,10 @@ manage_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
+@@ -124,9 +124,10 @@ manage_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
  read_lnk_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
  
  # ssh servers can read the user keys and config
@@ -31704,7 +32276,7 @@ index 2dad3c8..68c3057 100644
  
  kernel_read_kernel_sysctls(ssh_t)
  kernel_read_system_state(ssh_t)
-@@ -138,6 +141,8 @@ corenet_tcp_sendrecv_generic_node(ssh_t)
+@@ -138,6 +139,8 @@ corenet_tcp_sendrecv_generic_node(ssh_t)
  corenet_tcp_sendrecv_all_ports(ssh_t)
  corenet_tcp_connect_ssh_port(ssh_t)
  corenet_sendrecv_ssh_client_packets(ssh_t)
@@ -31713,7 +32285,7 @@ index 2dad3c8..68c3057 100644
  
  dev_read_urand(ssh_t)
  
-@@ -169,8 +174,10 @@ userdom_dontaudit_list_user_home_dirs(ssh_t)
+@@ -169,14 +172,13 @@ userdom_dontaudit_list_user_home_dirs(ssh_t)
  userdom_search_user_home_dirs(ssh_t)
  # Write to the user domain tty.
  userdom_use_user_terminals(ssh_t)
@@ -31724,8 +32296,15 @@ index 2dad3c8..68c3057 100644
 +userdom_read_user_home_content_symlinks(ssh_t)
  
  tunable_policy(`allow_ssh_keysign',`
- 	domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
-@@ -200,6 +207,54 @@ optional_policy(`
+-	domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
+-	allow ssh_keysign_t ssh_t:fd use;
+-	allow ssh_keysign_t ssh_t:process sigchld;
+-	allow ssh_keysign_t ssh_t:fifo_file rw_file_perms;
++	domtrans_pattern(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
+ ')
+ 
+ tunable_policy(`use_nfs_home_dirs',`
+@@ -200,6 +202,53 @@ optional_policy(`
  	xserver_domtrans_xauth(ssh_t)
  ')
  
@@ -31739,7 +32318,6 @@ index 2dad3c8..68c3057 100644
 +
 +dontaudit ssh_keygen_t self:capability sys_tty_config;
 +allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
-+
 +allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
 +
 +allow ssh_keygen_t sshd_key_t:file manage_file_perms;
@@ -31780,10 +32358,20 @@ index 2dad3c8..68c3057 100644
  ##############################
  #
  # ssh_keysign_t local policy
-@@ -233,44 +288,65 @@ optional_policy(`
+@@ -209,7 +258,7 @@ tunable_policy(`allow_ssh_keysign',`
+ 	allow ssh_keysign_t self:capability { setgid setuid };
+ 	allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
+ 
+-	allow ssh_keysign_t sshd_key_t:file { getattr read };
++	allow ssh_keysign_t sshd_key_t:file read_file_perms;
+ 
+ 	dev_read_urand(ssh_keysign_t)
+ 
+@@ -232,33 +281,39 @@ optional_policy(`
+ # so a tunnel can point to another ssh tunnel
  allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
  allow sshd_t self:key { search link write };
- 
+-
 -manage_dirs_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
 -manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
 -manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
@@ -31803,15 +32391,17 @@ index 2dad3c8..68c3057 100644
  corenet_tcp_bind_xserver_port(sshd_t)
  corenet_sendrecv_xserver_server_packets(sshd_t)
  
-+tunable_policy(`sshd_forward_ports', `
-+	corenet_tcp_bind_all_unreserved_ports(sshd_t)
-+	corenet_tcp_connect_all_ports(sshd_t)
-+')
-+
 +userdom_read_user_home_content_files(sshd_t)
 +userdom_read_user_home_content_symlinks(sshd_t)
 +userdom_search_admin_dir(sshd_t)
 +userdom_manage_tmp_role(system_r, sshd_t)
++userdom_spec_domtrans_unpriv_users(sshd_t)
++userdom_signal_unpriv_users(sshd_t)
++
++tunable_policy(`sshd_forward_ports',`
++	corenet_tcp_bind_all_unreserved_ports(sshd_t)
++	corenet_tcp_connect_all_ports(sshd_t)
++')
 +
  tunable_policy(`ssh_sysadm_login',`
  	# Relabel and access ptys created by sshd
@@ -31825,11 +32415,8 @@ index 2dad3c8..68c3057 100644
 -	userdom_signal_unpriv_users(sshd_t)
  ')
  
-+userdom_spec_domtrans_unpriv_users(sshd_t)
-+userdom_signal_unpriv_users(sshd_t)
-+
  optional_policy(`
- 	daemontools_service_domain(sshd_t, sshd_exec_t)
+@@ -266,11 +321,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -31855,7 +32442,7 @@ index 2dad3c8..68c3057 100644
  ')
  
  optional_policy(`
-@@ -284,6 +360,11 @@ optional_policy(`
+@@ -284,6 +352,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -31867,7 +32454,61 @@ index 2dad3c8..68c3057 100644
  	unconfined_shell_domtrans(sshd_t)
  ')
  
-@@ -353,10 +434,6 @@ logging_send_syslog_msg(ssh_keygen_t)
+@@ -292,26 +365,26 @@ optional_policy(`
+ ')
+ 
+ ifdef(`TODO',`
+-tunable_policy(`ssh_sysadm_login',`
+-	# Relabel and access ptys created by sshd
+-	# ioctl is necessary for logout() processing for utmp entry and for w to
+-	# display the tty.
+-	# some versions of sshd on the new SE Linux require setattr
+-	allow sshd_t ptyfile:chr_file relabelto;
+-
+-	optional_policy(`
+-		domain_trans(sshd_t, xauth_exec_t, userdomain)
+-	')
+-',`
+-	optional_policy(`
+-		domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain)
++	tunable_policy(`ssh_sysadm_login',`
++		# Relabel and access ptys created by sshd
++		# ioctl is necessary for logout() processing for utmp entry and for w to
++		# display the tty.
++		# some versions of sshd on the new SE Linux require setattr
++		allow sshd_t ptyfile:chr_file relabelto;
++
++			optional_policy(`
++				domain_trans(sshd_t, xauth_exec_t, userdomain)
++			')
++	',`
++		optional_policy(`
++			domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain)
++		')
++		# Relabel and access ptys created by sshd
++		# ioctl is necessary for logout() processing for utmp entry and for w to
++		# display the tty.
++		# some versions of sshd on the new SE Linux require setattr
++		allow sshd_t userpty_type:chr_file { relabelto rw_inherited_chr_file_perms setattr_chr_file_perms };
+ 	')
+-	# Relabel and access ptys created by sshd
+-	# ioctl is necessary for logout() processing for utmp entry and for w to
+-	# display the tty.
+-	# some versions of sshd on the new SE Linux require setattr
+-	allow sshd_t userpty_type:chr_file { relabelto read write getattr ioctl setattr };
+-')
+ ') dnl endif TODO
+ 
+ ########################################
+@@ -324,7 +397,6 @@ tunable_policy(`ssh_sysadm_login',`
+ 
+ dontaudit ssh_keygen_t self:capability sys_tty_config;
+ allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
+-
+ allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
+ 
+ allow ssh_keygen_t sshd_key_t:file manage_file_perms;
+@@ -353,10 +425,6 @@ logging_send_syslog_msg(ssh_keygen_t)
  userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
  
  optional_policy(`
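Review bot: The re-indentation of the `ifdef(`TODO',` block in ssh.te only reformats text that never reaches the compiled policy (as far as I can see TODO is not defined anywhere in the refpolicy build), so the block stays dead and still carries two near-identical copies of the pty relabel comment. If this is a cleanup, deleting the whole span from `ifdef(`TODO',` through `') dnl endif TODO` is the cleaner change; if it is meant to survive as a reminder, a one-line note such as `# TODO: dead since ssh_sysadm_login moved to the userdom_* interfaces above; kept for reference` would tell the next reader why it is still here. The remainder of the hunk (the ssh_keygen_t blank-line removal) is unrelated to this point.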
@@ -31936,22 +32577,33 @@ index 941380a..6dbfc01 100644
  	# Allow sssd_t to restart the apache service
  	sssd_initrc_domtrans($1)
 diff --git a/policy/modules/services/sssd.te b/policy/modules/services/sssd.te
-index 8ffa257..07d6748 100644
+index 8ffa257..7113802 100644
 --- a/policy/modules/services/sssd.te
 +++ b/policy/modules/services/sssd.te
-@@ -28,9 +28,10 @@ files_pid_file(sssd_var_run_t)
+@@ -28,9 +28,11 @@ files_pid_file(sssd_var_run_t)
  #
  # sssd local policy
  #
 -allow sssd_t self:capability { dac_read_search dac_override kill sys_nice setgid setuid };
++
 +allow sssd_t self:capability { chown dac_read_search dac_override kill sys_nice setgid setuid };
  allow sssd_t self:process { setfscreate setsched sigkill signal getsched };
- allow sssd_t self:fifo_file rw_file_perms;
+-allow sssd_t self:fifo_file rw_file_perms;
++allow sssd_t self:fifo_file rw_fifo_file_perms;
 +allow sssd_t self:key manage_key_perms;
  allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto };
  
  manage_dirs_pattern(sssd_t, sssd_public_t, sssd_public_t)
-@@ -48,6 +49,7 @@ manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
+@@ -39,7 +41,7 @@ manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t)
+ manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
+ manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
+ manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
+-files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir } )
++files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir })
+ 
+ manage_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t)
+ logging_log_filetrans(sssd_t, sssd_var_log_t, file)
+@@ -48,6 +50,7 @@ manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
  manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
  files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
  
@@ -31959,7 +32611,7 @@ index 8ffa257..07d6748 100644
  kernel_read_system_state(sssd_t)
  
  corecmd_exec_bin(sssd_t)
-@@ -80,6 +82,8 @@ logging_send_audit_msgs(sssd_t)
+@@ -80,6 +83,8 @@ logging_send_audit_msgs(sssd_t)
  
  miscfiles_read_localization(sssd_t)
  
@@ -31980,11 +32632,78 @@ index 6073656..eaf49b2 100644
 +	domtrans_pattern(stunnel_t, $2, $1)
  	allow $1 stunnel_t:tcp_socket rw_socket_perms;
  ')
+diff --git a/policy/modules/services/stunnel.te b/policy/modules/services/stunnel.te
+index 7ecb27b..296e5ba 100644
+--- a/policy/modules/services/stunnel.te
++++ b/policy/modules/services/stunnel.te
+@@ -6,17 +6,7 @@ policy_module(stunnel, 1.9.1)
+ #
+ 
+ type stunnel_t;
+-domain_type(stunnel_t)
+-role system_r types stunnel_t;
+-
+ type stunnel_exec_t;
+-domain_entry_file(stunnel_t, stunnel_exec_t)
+-
+-ifdef(`distro_gentoo',`
+-	init_daemon_domain(stunnel_t, stunnel_exec_t)
+-',`
+-	inetd_tcp_service_domain(stunnel_t, stunnel_exec_t)
+-')
+ 
+ type stunnel_etc_t;
+ files_config_file(stunnel_etc_t)
+@@ -27,6 +17,12 @@ files_tmp_file(stunnel_tmp_t)
+ type stunnel_var_run_t;
+ files_pid_file(stunnel_var_run_t)
+ 
++ifdef(`distro_gentoo',`
++	init_daemon_domain(stunnel_t, stunnel_exec_t)
++',`
++	inetd_tcp_service_domain(stunnel_t, stunnel_exec_t)
++')
++
+ ########################################
+ #
+ # Local policy
+@@ -40,7 +36,7 @@ allow stunnel_t self:udp_socket create_socket_perms;
+ 
+ allow stunnel_t stunnel_etc_t:dir list_dir_perms;
+ allow stunnel_t stunnel_etc_t:file read_file_perms;
+-allow stunnel_t stunnel_etc_t:lnk_file { getattr read };
++allow stunnel_t stunnel_etc_t:lnk_file read_lnk_file_perms;
+ 
+ manage_dirs_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t)
+ manage_files_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t)
+@@ -77,7 +73,7 @@ miscfiles_read_localization(stunnel_t)
+ 
+ sysnet_read_config(stunnel_t)
+ 
+-ifdef(`distro_gentoo', `
++ifdef(`distro_gentoo',`
+ 	dontaudit stunnel_t self:capability sys_tty_config;
+ 	allow stunnel_t self:udp_socket create_socket_perms;
+ 
+@@ -120,4 +116,5 @@ ifdef(`distro_gentoo', `
+ gen_require(`
+ 	type stunnel_port_t;
+ ')
++
+ allow stunnel_t stunnel_port_t:tcp_socket name_bind;
 diff --git a/policy/modules/services/sysstat.te b/policy/modules/services/sysstat.te
-index 52f0d6c..111b041 100644
+index 52f0d6c..3645a22 100644
 --- a/policy/modules/services/sysstat.te
 +++ b/policy/modules/services/sysstat.te
-@@ -18,8 +18,7 @@ logging_log_file(sysstat_log_t)
+@@ -8,7 +8,6 @@ policy_module(sysstat, 1.6.0)
+ type sysstat_t;
+ type sysstat_exec_t;
+ init_system_domain(sysstat_t, sysstat_exec_t)
+-role system_r types sysstat_t;
+ 
+ type sysstat_log_t;
+ logging_log_file(sysstat_log_t)
+@@ -18,8 +17,7 @@ logging_log_file(sysstat_log_t)
  # Local policy
  #
  
@@ -31994,7 +32713,7 @@ index 52f0d6c..111b041 100644
  allow sysstat_t self:fifo_file rw_fifo_file_perms;
  
  can_exec(sysstat_t, sysstat_exec_t)
-@@ -68,3 +67,8 @@ optional_policy(`
+@@ -68,3 +66,7 @@ optional_policy(`
  optional_policy(`
  	logging_send_syslog_msg(sysstat_t)
  ')
@@ -32002,12 +32721,47 @@ index 52f0d6c..111b041 100644
 +optional_policy(`
 +	nscd_socket_use(sysstat_t)
 +')
-+
+diff --git a/policy/modules/services/tcpd.te b/policy/modules/services/tcpd.te
+index 7038b55..4e84f23 100644
+--- a/policy/modules/services/tcpd.te
++++ b/policy/modules/services/tcpd.te
+@@ -7,7 +7,6 @@ policy_module(tcpd, 1.4.0)
+ type tcpd_t;
+ type tcpd_exec_t;
+ inetd_tcp_service_domain(tcpd_t, tcpd_exec_t)
+-role system_r types tcpd_t;
+ 
+ type tcpd_tmp_t;
+ files_tmp_file(tcpd_tmp_t)
 diff --git a/policy/modules/services/telnet.te b/policy/modules/services/telnet.te
-index f40e67b..a0eeea9 100644
+index f40e67b..34c4c57 100644
 --- a/policy/modules/services/telnet.te
 +++ b/policy/modules/services/telnet.te
-@@ -38,7 +38,6 @@ term_create_pty(telnetd_t, telnetd_devpts_t)
+@@ -8,7 +8,6 @@ policy_module(telnet, 1.10.0)
+ type telnetd_t;
+ type telnetd_exec_t;
+ inetd_service_domain(telnetd_t, telnetd_exec_t)
+-role system_r types telnetd_t;
+ 
+ type telnetd_devpts_t; #, userpty_type;
+ term_login_pty(telnetd_devpts_t)
+@@ -24,21 +23,19 @@ files_pid_file(telnetd_var_run_t)
+ # Local policy
+ #
+ 
+-allow telnetd_t self:capability { fsetid chown fowner sys_tty_config dac_override };
++allow telnetd_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override };
+ allow telnetd_t self:process signal_perms;
+ allow telnetd_t self:fifo_file rw_fifo_file_perms;
+ allow telnetd_t self:tcp_socket connected_stream_socket_perms;
+ allow telnetd_t self:udp_socket create_socket_perms;
+ # for identd; cjp: this should probably only be inetd_child rules?
+ allow telnetd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+-allow telnetd_t self:capability { setuid setgid };
+ 
+-allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr };
++allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
+ term_create_pty(telnetd_t, telnetd_devpts_t)
  
  manage_dirs_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t)
  manage_files_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t)
@@ -32015,15 +32769,39 @@ index f40e67b..a0eeea9 100644
  
  manage_files_pattern(telnetd_t, telnetd_var_run_t, telnetd_var_run_t)
  files_pid_filetrans(telnetd_t, telnetd_var_run_t, file)
-@@ -85,6 +84,8 @@ remotelogin_domtrans(telnetd_t)
+@@ -70,8 +67,6 @@ corecmd_search_bin(telnetd_t)
+ files_read_usr_files(telnetd_t)
+ files_read_etc_files(telnetd_t)
+ files_read_etc_runtime_files(telnetd_t)
+-# for identd; cjp: this should probably only be inetd_child rules?
+-files_search_home(telnetd_t)
+ 
+ init_rw_utmp(telnetd_t)
+ 
+@@ -85,11 +80,8 @@ remotelogin_domtrans(telnetd_t)
  
  userdom_search_user_home_dirs(telnetd_t)
  userdom_setattr_user_ptys(telnetd_t)
+-
+-optional_policy(`
+-	kerberos_keytab_template(telnetd, telnetd_t)
+-	kerberos_manage_host_rcache(telnetd_t)
+-')
 +userdom_manage_user_tmp_files(telnetd_t)
 +userdom_tmp_filetrans_user_tmp(telnetd_t, file)
  
- optional_policy(`
- 	kerberos_keytab_template(telnetd, telnetd_t)
+ tunable_policy(`use_nfs_home_dirs',`
+ 	fs_search_nfs(telnetd_t)
+@@ -98,3 +90,9 @@ tunable_policy(`use_nfs_home_dirs',`
+ tunable_policy(`use_samba_home_dirs',`
+ 	fs_search_cifs(telnetd_t)
+ ')
++
++optional_policy(`
++	kerberos_keytab_template(telnetd, telnetd_t)
++	kerberos_manage_host_rcache(telnetd_t)
++')
++
 diff --git a/policy/modules/services/tftp.if b/policy/modules/services/tftp.if
 index 38bb312..1427b54 100644
 --- a/policy/modules/services/tftp.if
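Review bot: The relocated kerberos optional_policy block leaves telnet.te with a trailing blank line (the added empty line after its closing `')`), which is the opposite of what the rest of this cleanup does — the same commit strips trailing blank lines from sysstat.te, ucspitcp.te, virt.te and vnstatd.te. Dropping that final empty line keeps the module consistent with the others. The removal of `files_search_home(telnetd_t)` earlier in the hunk is presumably safe because `userdom_search_user_home_dirs(telnetd_t)` remains and in refpolicy that interface calls files_search_home itself, but that is worth confirming against the userdomain.if in this tree rather than assumed.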
@@ -32105,9 +32883,42 @@ index 38bb312..1427b54 100644
  
  	admin_pattern($1, tftpdir_t)
 diff --git a/policy/modules/services/tftp.te b/policy/modules/services/tftp.te
-index d50c10d..66bfd1c 100644
+index d50c10d..97ce79e 100644
 --- a/policy/modules/services/tftp.te
 +++ b/policy/modules/services/tftp.te
+@@ -6,10 +6,10 @@ policy_module(tftp, 1.12.0)
+ #
+ 
+ ## <desc>
+-## <p>
+-## Allow tftp to modify public files
+-## used for public file transfer services.
+-## </p>
++##	<p>
++##	Allow tftp to modify public files
++##	used for public file transfer services.
++##	</p>
+ ## </desc>
+ gen_tunable(tftp_anon_write, false)
+ 
+@@ -32,15 +32,15 @@ files_type(tftpdir_rw_t)
+ #
+ 
+ allow tftpd_t self:capability { setgid setuid sys_chroot };
++dontaudit tftpd_t self:capability sys_tty_config;
+ allow tftpd_t self:tcp_socket create_stream_socket_perms;
+ allow tftpd_t self:udp_socket create_socket_perms;
+ allow tftpd_t self:unix_dgram_socket create_socket_perms;
+ allow tftpd_t self:unix_stream_socket create_stream_socket_perms;
+-dontaudit tftpd_t self:capability sys_tty_config;
+ 
+ allow tftpd_t tftpdir_t:dir list_dir_perms;
+ allow tftpd_t tftpdir_t:file read_file_perms;
+-allow tftpd_t tftpdir_t:lnk_file { getattr read };
++allow tftpd_t tftpdir_t:lnk_file read_lnk_file_perms;
+ 
+ manage_dirs_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
+ manage_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
 @@ -94,6 +94,10 @@ tunable_policy(`tftp_anon_write',`
  ')
  
@@ -32169,9 +32980,18 @@ index b113b41..c2ed23a 100644
 +	allow $1 tgtd_t:sem create_sem_perms;
  ')
 diff --git a/policy/modules/services/tgtd.te b/policy/modules/services/tgtd.te
-index aa0cc45..678ab90 100644
+index aa0cc45..44dfdc8 100644
 --- a/policy/modules/services/tgtd.te
 +++ b/policy/modules/services/tgtd.te
+@@ -29,7 +29,7 @@ files_type(tgtd_var_lib_t)
+ allow tgtd_t self:capability sys_resource;
+ allow tgtd_t self:process { setrlimit signal };
+ allow tgtd_t self:fifo_file rw_fifo_file_perms;
+-allow tgtd_t self:netlink_route_socket { create_socket_perms nlmsg_read };
++allow tgtd_t self:netlink_route_socket create_netlink_socket_perms;
+ allow tgtd_t self:shm create_shm_perms;
+ allow tgtd_t self:sem create_sem_perms;
+ allow tgtd_t self:tcp_socket create_stream_socket_perms;
 @@ -57,10 +57,18 @@ corenet_tcp_bind_generic_node(tgtd_t)
  corenet_tcp_bind_iscsi_port(tgtd_t)
  corenet_sendrecv_iscsi_server_packets(tgtd_t)
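Review bot: The replacement `create_netlink_socket_perms` on tgtd_t's netlink_route_socket is wider than the `{ create_socket_perms nlmsg_read }` it replaces: in refpolicy's permission sets that macro also carries `nlmsg_write`, the permission that lets a route socket modify routes and interfaces, whereas `r_netlink_socket_perms` is the exact equivalent of the old set. Unless tgtd is known to change routing state, the least-privilege rewrite is `allow tgtd_t self:netlink_route_socket r_netlink_socket_perms;`, which is also the form the other domains in this patch use (sshd_t and tor_t). The kernel would additionally require net_admin for an actual route change, which tgtd_t's visible capability line does not grant, so this is a defence-in-depth tightening rather than an exploitable gap — but a "cleanup" commit should not silently widen a permission set.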
@@ -32205,19 +33025,33 @@ index 904f13e..464347f 100644
  
  	init_labeled_script_domtrans($1, tor_initrc_exec_t)
 diff --git a/policy/modules/services/tor.te b/policy/modules/services/tor.te
-index 9fa94e4..0a0074c 100644
+index 9fa94e4..7f0d9a9 100644
 --- a/policy/modules/services/tor.te
 +++ b/policy/modules/services/tor.te
-@@ -42,6 +42,8 @@ files_pid_file(tor_var_run_t)
+@@ -6,10 +6,10 @@ policy_module(tor, 1.7.0)
+ #
+ 
+ ## <desc>
+-## <p>
+-## Allow tor daemon to bind
+-## tcp sockets to all unreserved ports.
+-## </p>
++##	<p>
++##	Allow tor daemon to bind
++##	tcp sockets to all unreserved ports.
++##	</p>
+ ## </desc>
+ gen_tunable(tor_bind_all_unreserved_ports, false)
+ 
+@@ -42,6 +42,7 @@ files_pid_file(tor_var_run_t)
  #
  
  allow tor_t self:capability { setgid setuid sys_tty_config };
 +allow tor_t self:process signal;
-+
  allow tor_t self:fifo_file rw_fifo_file_perms;
  allow tor_t self:unix_stream_socket create_stream_socket_perms;
  allow tor_t self:netlink_route_socket r_netlink_socket_perms;
-@@ -67,9 +69,10 @@ manage_sock_files_pattern(tor_t, tor_var_log_t, tor_var_log_t)
+@@ -67,9 +68,10 @@ manage_sock_files_pattern(tor_t, tor_var_log_t, tor_var_log_t)
  logging_log_filetrans(tor_t, tor_var_log_t, { sock_file file dir })
  
  # pid file
@@ -32229,7 +33063,7 @@ index 9fa94e4..0a0074c 100644
  
  kernel_read_system_state(tor_t)
  
-@@ -88,6 +91,7 @@ corenet_tcp_connect_all_ports(tor_t)
+@@ -88,6 +90,7 @@ corenet_tcp_connect_all_ports(tor_t)
  corenet_sendrecv_all_client_packets(tor_t)
  # ... especially including port 80 and other privileged ports
  corenet_tcp_connect_all_reserved_ports(tor_t)
@@ -32237,7 +33071,7 @@ index 9fa94e4..0a0074c 100644
  
  # tor uses crypto and needs random
  dev_read_urand(tor_t)
-@@ -100,6 +104,8 @@ files_read_usr_files(tor_t)
+@@ -100,9 +103,11 @@ files_read_usr_files(tor_t)
  
  auth_use_nsswitch(tor_t)
  
@@ -32245,7 +33079,11 @@ index 9fa94e4..0a0074c 100644
 +
  miscfiles_read_localization(tor_t)
  
- tunable_policy(`tor_bind_all_unreserved_ports', `
+-tunable_policy(`tor_bind_all_unreserved_ports', `
++tunable_policy(`tor_bind_all_unreserved_ports',`
+ 	corenet_tcp_bind_all_unreserved_ports(tor_t)
+ ')
+ 
 diff --git a/policy/modules/services/tuned.if b/policy/modules/services/tuned.if
 index 54b8605..752697f 100644
 --- a/policy/modules/services/tuned.if
@@ -32327,18 +33165,30 @@ index c1feba4..1f6f55b 100644
 +	domtrans_pattern(ucspitcp_t, $2, $1)
  ')
 diff --git a/policy/modules/services/ucspitcp.te b/policy/modules/services/ucspitcp.te
-index a0794bf..dd23a9c 100644
+index a0794bf..37c056b 100644
 --- a/policy/modules/services/ucspitcp.te
 +++ b/policy/modules/services/ucspitcp.te
-@@ -91,3 +91,8 @@ optional_policy(`
+@@ -8,12 +8,10 @@ policy_module(ucspitcp, 1.3.0)
+ type rblsmtpd_t;
+ type rblsmtpd_exec_t;
+ init_system_domain(rblsmtpd_t, rblsmtpd_exec_t)
+-role system_r types rblsmtpd_t;
+ 
+ type ucspitcp_t;
+ type ucspitcp_exec_t;
+ init_system_domain(ucspitcp_t, ucspitcp_exec_t)
+-role system_r types ucspitcp_t;
+ 
+ ########################################
+ #
+@@ -89,5 +87,7 @@ sysnet_read_config(ucspitcp_t)
+ 
+ optional_policy(`
  	daemontools_service_domain(ucspitcp_t, ucspitcp_exec_t)
++	daemontools_sigchld_run(ucspitcp_t)
  	daemontools_read_svc(ucspitcp_t)
  ')
 +
-+optional_policy(`
-+    daemontools_sigchld_run(ucspitcp_t)
-+')
-+
 diff --git a/policy/modules/services/ulogd.if b/policy/modules/services/ulogd.if
 index b078bf7..fd72fe8 100644
 --- a/policy/modules/services/ulogd.if
@@ -32394,7 +33244,7 @@ index b078bf7..fd72fe8 100644
  	admin_pattern($1, ulogd_modules_t)
  ')
 diff --git a/policy/modules/services/ulogd.te b/policy/modules/services/ulogd.te
-index eeaa641..eb4d8d5 100644
+index eeaa641..ef97cb3 100644
 --- a/policy/modules/services/ulogd.te
 +++ b/policy/modules/services/ulogd.te
 @@ -31,6 +31,9 @@ logging_log_file(ulogd_var_log_t)
@@ -32407,7 +33257,7 @@ index eeaa641..eb4d8d5 100644
  
  # config files
  read_files_pattern(ulogd_t, ulogd_etc_t, ulogd_etc_t)
-@@ -43,6 +46,18 @@ mmap_files_pattern(ulogd_t, ulogd_modules_t, ulogd_modules_t)
+@@ -43,6 +46,19 @@ mmap_files_pattern(ulogd_t, ulogd_modules_t, ulogd_modules_t)
  manage_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t)
  logging_log_filetrans(ulogd_t, ulogd_var_log_t, file)
  
@@ -32420,13 +33270,27 @@ index eeaa641..eb4d8d5 100644
 +sysnet_dns_name_resolve(ulogd_t)
 +
 +optional_policy(`
-+        mysql_stream_connect(ulogd_t)
++	mysql_stream_connect(ulogd_t)
++	mysql_tcp_connect(ulogd_t)
 +')
 +
 +optional_policy(`
-+        postgresql_stream_connect(ulogd_t)
++	postgresql_stream_connect(ulogd_t)
 +	postgresql_tcp_connect(ulogd_t)
 +')
+diff --git a/policy/modules/services/uptime.te b/policy/modules/services/uptime.te
+index c2cf97e..037a1e8 100644
+--- a/policy/modules/services/uptime.te
++++ b/policy/modules/services/uptime.te
+@@ -25,7 +25,7 @@ files_pid_file(uptimed_var_run_t)
+ 
+ dontaudit uptimed_t self:capability sys_tty_config;
+ allow uptimed_t self:process signal_perms;
+-allow uptimed_t self:fifo_file write_file_perms;
++allow uptimed_t self:fifo_file write_fifo_file_perms;
+ 
+ allow uptimed_t uptimed_etc_t:file read_file_perms;
+ files_search_etc(uptimed_t)
 diff --git a/policy/modules/services/usbmuxd.fc b/policy/modules/services/usbmuxd.fc
 index fa54aee..40b8b8d 100644
 --- a/policy/modules/services/usbmuxd.fc
@@ -32492,10 +33356,18 @@ index a4fbe31..a717e2d 100644
  
  	logging_list_logs($1)
 diff --git a/policy/modules/services/uucp.te b/policy/modules/services/uucp.te
-index b775aaf..ec1562b 100644
+index b775aaf..1e40c2a 100644
 --- a/policy/modules/services/uucp.te
 +++ b/policy/modules/services/uucp.te
-@@ -83,6 +83,7 @@ corenet_tcp_sendrecv_generic_node(uucpd_t)
+@@ -7,7 +7,6 @@ policy_module(uucp, 1.11.0)
+ type uucpd_t;
+ type uucpd_exec_t;
+ inetd_tcp_service_domain(uucpd_t, uucpd_exec_t)
+-role system_r types uucpd_t;
+ 
+ type uucpd_lock_t;
+ files_lock_file(uucpd_lock_t)
+@@ -83,6 +82,7 @@ corenet_tcp_sendrecv_generic_node(uucpd_t)
  corenet_udp_sendrecv_generic_node(uucpd_t)
  corenet_tcp_sendrecv_all_ports(uucpd_t)
  corenet_udp_sendrecv_all_ports(uucpd_t)
@@ -32503,7 +33375,7 @@ index b775aaf..ec1562b 100644
  
  dev_read_urand(uucpd_t)
  
-@@ -113,6 +114,10 @@ optional_policy(`
+@@ -113,13 +113,17 @@ optional_policy(`
  	kerberos_use(uucpd_t)
  ')
  
@@ -32514,6 +33386,14 @@ index b775aaf..ec1562b 100644
  ########################################
  #
  # UUX Local policy
+ #
+ 
+ allow uux_t self:capability { setuid setgid };
+-allow uux_t self:fifo_file write_file_perms;
++allow uux_t self:fifo_file write_fifo_file_perms;
+ 
+ uucp_append_log(uux_t)
+ uucp_manage_spool(uux_t)
 diff --git a/policy/modules/services/varnishd.if b/policy/modules/services/varnishd.if
 index b4d90ac..fe5ce10 100644
 --- a/policy/modules/services/varnishd.if
@@ -32611,9 +33491,24 @@ index b4d90ac..fe5ce10 100644
 -
  ')
 diff --git a/policy/modules/services/varnishd.te b/policy/modules/services/varnishd.te
-index 1cc80e8..95c6dc3 100644
+index 1cc80e8..c6bf70e 100644
 --- a/policy/modules/services/varnishd.te
 +++ b/policy/modules/services/varnishd.te
+@@ -6,10 +6,10 @@ policy_module(varnishd, 1.1.0)
+ #
+ 
+ ## <desc>
+-## <p>
+-## Allow varnishd to connect to all ports,
+-## not just HTTP.
+-## </p>
++##	<p>
++##	Allow varnishd to connect to all ports,
++##	not just HTTP.
++##	</p>
+ ## </desc>
+ gen_tunable(varnishd_connect_any, false)
+ 
 @@ -50,7 +50,8 @@ files_type(varnishlog_log_t)
  # varnishd local policy
  #
@@ -32624,6 +33519,24 @@ index 1cc80e8..95c6dc3 100644
  allow varnishd_t self:process signal;
  allow varnishd_t self:fifo_file rw_fifo_file_perms;
  allow varnishd_t self:tcp_socket create_stream_socket_perms;
+@@ -69,7 +70,7 @@ manage_files_pattern(varnishd_t, varnishd_var_lib_t, varnishd_var_lib_t)
+ files_var_lib_filetrans(varnishd_t, varnishd_var_lib_t, { dir file })
+ 
+ manage_files_pattern(varnishd_t, varnishd_var_run_t, varnishd_var_run_t)
+-files_pid_filetrans(varnishd_t, varnishd_var_run_t, { file })
++files_pid_filetrans(varnishd_t, varnishd_var_run_t, file)
+ 
+ kernel_read_system_state(varnishd_t)
+ 
+@@ -107,7 +108,7 @@ tunable_policy(`varnishd_connect_any',`
+ #
+ 
+ manage_files_pattern(varnishlog_t, varnishlog_var_run_t, varnishlog_var_run_t)
+-files_pid_filetrans(varnishlog_t, varnishlog_var_run_t, { file })
++files_pid_filetrans(varnishlog_t, varnishlog_var_run_t, file)
+ 
+ manage_dirs_pattern(varnishlog_t, varnishlog_log_t, varnishlog_log_t)
+ manage_files_pattern(varnishlog_t, varnishlog_log_t, varnishlog_log_t)
 diff --git a/policy/modules/services/vhostmd.if b/policy/modules/services/vhostmd.if
 index 1f872b5..da605ba 100644
 --- a/policy/modules/services/vhostmd.if
@@ -32693,9 +33606,18 @@ index 1f872b5..da605ba 100644
 -
  ')
 diff --git a/policy/modules/services/vhostmd.te b/policy/modules/services/vhostmd.te
-index 32a3c13..f56f51f 100644
+index 32a3c13..7baeb6f 100644
 --- a/policy/modules/services/vhostmd.te
 +++ b/policy/modules/services/vhostmd.te
+@@ -25,7 +25,7 @@ files_pid_file(vhostmd_var_run_t)
+ 
+ allow vhostmd_t self:capability { dac_override ipc_lock	setuid setgid };
+ allow vhostmd_t self:process { setsched getsched };
+-allow vhostmd_t self:fifo_file rw_file_perms;
++allow vhostmd_t self:fifo_file rw_fifo_file_perms;
+ 
+ manage_dirs_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
+ manage_files_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
 @@ -44,6 +44,8 @@ corecmd_exec_shell(vhostmd_t)
  
  corenet_tcp_connect_soundd_port(vhostmd_t)
@@ -33013,32 +33935,82 @@ index 7c5d8d8..dbdc0e0 100644
 +	dontaudit $1 virtd_t:fifo_file write_fifo_file_perms;
 +')
 diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..8dac607 100644
+index 3eca020..62e349a 100644
 --- a/policy/modules/services/virt.te
 +++ b/policy/modules/services/virt.te
-@@ -4,6 +4,7 @@ policy_module(virt, 1.4.0)
- #
+@@ -5,57 +5,66 @@ policy_module(virt, 1.4.0)
  # Declarations
  #
+ 
 +attribute virsh_transition_domain;
++
+ ## <desc>
+-## <p>
+-## Allow virt to use serial/parallell communication ports
+-## </p>
++##	<p>
++##	Allow virt to use serial/parallell communication ports
++##	</p>
+ ## </desc>
+ gen_tunable(virt_use_comm, false)
  
  ## <desc>
- ## <p>
-@@ -42,6 +43,13 @@ gen_tunable(virt_use_sysfs, false)
+-## <p>
+-## Allow virt to read fuse files
+-## </p>
++##	<p>
++##	Allow virt to read fuse files
++##	</p>
+ ## </desc>
+ gen_tunable(virt_use_fusefs, false)
  
  ## <desc>
- ## <p>
-+## Allow virtual machine to interact with the xserver
-+## </p>
+-## <p>
+-## Allow virt to manage nfs files
+-## </p>
++##	<p>
++##	Allow virt to manage nfs files
++##	</p>
+ ## </desc>
+ gen_tunable(virt_use_nfs, false)
+ 
+ ## <desc>
+-## <p>
+-## Allow virt to manage cifs files
+-## </p>
++##	<p>
++##	Allow virt to manage cifs files
++##	</p>
+ ## </desc>
+ gen_tunable(virt_use_samba, false)
+ 
+ ## <desc>
+-## <p>
+-## Allow virt to manage device configuration, (pci)
+-## </p>
++##	<p>
++##	Allow virt to manage device configuration, (pci)
++##	</p>
+ ## </desc>
+ gen_tunable(virt_use_sysfs, false)
+ 
+ ## <desc>
+-## <p>
+-## Allow virt to use usb devices
+-## </p>
++##	<p>
++##	Allow virtual machine to interact with the xserver
++##	</p>
 +## </desc>
 +gen_tunable(virt_use_xserver, false)
 +
 +## <desc>
-+## <p>
- ## Allow virt to use usb devices
- ## </p>
++##	<p>
++##	Allow virt to use usb devices
++##	</p>
  ## </desc>
-@@ -50,12 +58,12 @@ gen_tunable(virt_use_usb, true)
+ gen_tunable(virt_use_usb, true)
+ 
  virt_domain_template(svirt)
  role system_r types svirt_t;
  
@@ -33054,7 +34026,7 @@ index 3eca020..8dac607 100644
  type virt_etc_t;
  files_config_file(virt_etc_t)
  
-@@ -65,20 +73,25 @@ files_type(virt_etc_rw_t)
+@@ -65,20 +74,25 @@ files_type(virt_etc_rw_t)
  # virt Image files
  type virt_image_t; # customizable
  virt_image(virt_image_t)
@@ -33081,7 +34053,7 @@ index 3eca020..8dac607 100644
  
  type virtd_t;
  type virtd_exec_t;
-@@ -89,6 +102,11 @@ domain_subj_id_change_exemption(virtd_t)
+@@ -89,6 +103,11 @@ domain_subj_id_change_exemption(virtd_t)
  type virtd_initrc_exec_t;
  init_script_file(virtd_initrc_exec_t)
  
@@ -33093,7 +34065,7 @@ index 3eca020..8dac607 100644
  ifdef(`enable_mcs',`
  	init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
  ')
-@@ -104,15 +122,12 @@ ifdef(`enable_mls',`
+@@ -104,15 +123,12 @@ ifdef(`enable_mls',`
  
  allow svirt_t self:udp_socket create_socket_perms;
  
@@ -33110,7 +34082,7 @@ index 3eca020..8dac607 100644
  fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file)
  
  list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
-@@ -147,11 +162,15 @@ tunable_policy(`virt_use_fusefs',`
+@@ -147,11 +163,15 @@ tunable_policy(`virt_use_fusefs',`
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(svirt_t)
  	fs_manage_nfs_files(svirt_t)
@@ -33126,7 +34098,7 @@ index 3eca020..8dac607 100644
  ')
  
  tunable_policy(`virt_use_sysfs',`
-@@ -160,11 +179,22 @@ tunable_policy(`virt_use_sysfs',`
+@@ -160,11 +180,22 @@ tunable_policy(`virt_use_sysfs',`
  
  tunable_policy(`virt_use_usb',`
  	dev_rw_usbfs(svirt_t)
@@ -33149,13 +34121,13 @@ index 3eca020..8dac607 100644
  	xen_rw_image_files(svirt_t)
  ')
  
-@@ -174,22 +204,29 @@ optional_policy(`
+@@ -174,22 +205,28 @@ optional_policy(`
  #
  
  allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
 -allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsched };
+-
 +allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched };
- 
  allow virtd_t self:fifo_file rw_fifo_file_perms;
  allow virtd_t self:unix_stream_socket create_stream_socket_perms;
  allow virtd_t self:tcp_socket create_stream_socket_perms;
@@ -33291,7 +34263,14 @@ index 3eca020..8dac607 100644
  ')
  
  optional_policy(`
-@@ -402,6 +479,19 @@ allow virt_domain self:unix_stream_socket create_stream_socket_perms;
+@@ -396,12 +473,25 @@ optional_policy(`
+ 
+ allow virt_domain self:capability { dac_read_search dac_override kill };
+ allow virt_domain self:process { execmem execstack signal getsched signull };
+-allow virt_domain self:fifo_file rw_file_perms;
++allow virt_domain self:fifo_file rw_fifo_file_perms;
+ allow virt_domain self:shm create_shm_perms;
+ allow virt_domain self:unix_stream_socket create_stream_socket_perms;
  allow virt_domain self:unix_dgram_socket { create_socket_perms sendto };
  allow virt_domain self:tcp_socket create_stream_socket_perms;
  
@@ -33344,7 +34323,7 @@ index 3eca020..8dac607 100644
  
  term_use_all_terms(virt_domain)
  term_getattr_pty_fs(virt_domain)
-@@ -457,8 +555,121 @@ optional_policy(`
+@@ -457,8 +555,117 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -33364,15 +34343,12 @@ index 3eca020..8dac607 100644
 +#
 +type virsh_t;
 +type virsh_exec_t;
-+domain_type(virsh_t)
 +init_system_domain(virsh_t, virsh_exec_t)
 +typealias virsh_t alias xm_t;
 +typealias virsh_exec_t alias xm_exec_t;
 +
 +allow virsh_t self:capability { dac_override ipc_lock sys_tty_config };
 +allow virsh_t self:process { getcap getsched setcap signal };
-+
-+# internal communication is often done using fifo and unix sockets.
 +allow virsh_t self:fifo_file rw_fifo_file_perms;
 +allow virsh_t self:unix_stream_socket { create_stream_socket_perms connectto };
 +allow virsh_t self:tcp_socket create_stream_socket_perms;
@@ -33440,7 +34416,7 @@ index 3eca020..8dac607 100644
 +
 +optional_policy(`
 +	vhostmd_rw_tmpfs_files(virsh_t)
-+    	vhostmd_stream_connect(virsh_t)
++	vhostmd_stream_connect(virsh_t)
 +	vhostmd_dontaudit_rw_stream_connect(virsh_t)
 +')
 +
@@ -33465,7 +34441,6 @@ index 3eca020..8dac607 100644
 +
 +	userdom_search_admin_dir(virsh_ssh_t)
 +')
-+
 diff --git a/policy/modules/services/vnstatd.fc b/policy/modules/services/vnstatd.fc
 new file mode 100644
 index 0000000..7667c31
@@ -33480,7 +34455,7 @@ index 0000000..7667c31
 +/var/lib/vnstat(/.*)?		gen_context(system_u:object_r:vnstatd_var_lib_t,s0)
 diff --git a/policy/modules/services/vnstatd.if b/policy/modules/services/vnstatd.if
 new file mode 100644
-index 0000000..14f8906
+index 0000000..b9104b7
 --- /dev/null
 +++ b/policy/modules/services/vnstatd.if
 @@ -0,0 +1,144 @@
@@ -33492,7 +34467,7 @@ index 0000000..14f8906
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed access.
++##	Domain allowed to transition.
 +##	</summary>
 +## </param>
 +#
@@ -33510,7 +34485,7 @@ index 0000000..14f8906
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed access.
++##	Domain allowed to transition.
 +##	</summary>
 +## </param>
 +#
@@ -33630,11 +34605,11 @@ index 0000000..14f8906
 +')
 diff --git a/policy/modules/services/vnstatd.te b/policy/modules/services/vnstatd.te
 new file mode 100644
-index 0000000..db526e6
+index 0000000..8ec07ff
 --- /dev/null
 +++ b/policy/modules/services/vnstatd.te
-@@ -0,0 +1,69 @@
-+policy_module(vnstatd,1.0.0)
+@@ -0,0 +1,65 @@
++policy_module(vnstatd, 1.0.0)
 +
 +########################################
 +#
@@ -33660,13 +34635,12 @@ index 0000000..db526e6
 +# vnstatd local policy
 +#
 +allow vnstatd_t self:process { fork signal };
-+
 +allow vnstatd_t self:fifo_file rw_fifo_file_perms;
 +allow vnstatd_t self:unix_stream_socket create_stream_socket_perms;
 +
 +manage_dirs_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
 +manage_files_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
-+files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, { dir file } )
++files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, { dir file })
 +
 +domain_use_interactive_fds(vnstatd_t)
 +
@@ -33680,14 +34654,13 @@ index 0000000..db526e6
 +#
 +# vnstat local policy
 +#
-+allow vnstat_t self:process { signal };
-+
++allow vnstat_t self:process signal;
 +allow vnstat_t self:fifo_file rw_fifo_file_perms;
 +allow vnstat_t self:unix_stream_socket create_stream_socket_perms;
 +
 +manage_dirs_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
 +manage_files_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
-+files_var_lib_filetrans(vnstat_t, vnstatd_var_lib_t, { dir file } )
++files_var_lib_filetrans(vnstat_t, vnstatd_var_lib_t, { dir file })
 +
 +kernel_read_network_state(vnstat_t)
 +kernel_read_system_state(vnstat_t)
@@ -33701,8 +34674,6 @@ index 0000000..db526e6
 +logging_send_syslog_msg(vnstat_t)
 +
 +miscfiles_read_localization(vnstat_t)
-+
-+
 diff --git a/policy/modules/services/w3c.te b/policy/modules/services/w3c.te
 index 1174ad8..f4c4c1b 100644
 --- a/policy/modules/services/w3c.te
@@ -34762,52 +35733,80 @@ index da2601a..ef2a773 100644
 +	manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
 +')
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index e226da4..29d5384 100644
+index e226da4..c80794b 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
-@@ -35,6 +35,13 @@ gen_tunable(allow_write_xshm, false)
+@@ -26,27 +26,43 @@ gen_require(`
+ #
  
  ## <desc>
- ## <p>
-+## Allows XServer to execute writable memory
-+## </p>
+-## <p>
+-## Allows clients to write to the X server shared
+-## memory segments.
+-## </p>
++##	<p>
++##	Allows clients to write to the X server shared
++##	memory segments.
++##	</p>
+ ## </desc>
+ gen_tunable(allow_write_xshm, false)
+ 
+ ## <desc>
+-## <p>
+-## Allow xdm logins as sysadm
+-## </p>
++##	<p>
++##	Allows XServer to execute writable memory
++##	</p>
 +## </desc>
 +gen_tunable(allow_xserver_execmem, false)
 +
 +## <desc>
-+## <p>
- ## Allow xdm logins as sysadm
- ## </p>
++##	<p>
++##	Allow xdm logins as sysadm
++##	</p>
  ## </desc>
-@@ -47,6 +54,16 @@ gen_tunable(xdm_sysadm_login, false)
+ gen_tunable(xdm_sysadm_login, false)
+ 
+ ## <desc>
+-## <p>
+-## Support X userspace object manager
+-## </p>
++##	<p>
++##	Support X userspace object manager
++##	</p>
  ## </desc>
  gen_tunable(xserver_object_manager, false)
  
 +## <desc>
-+## <p>
-+## Allow regular users direct dri device access
-+## </p>
++##	<p>
++##	Allow regular users direct dri device access
++##	</p>
 +## </desc>
 +gen_tunable(user_direct_dri, false)
 +
 +attribute xdmhomewriter;
 +attribute x_userdomain;
-+
  attribute x_domain;
  
  # X Events
-@@ -109,21 +126,26 @@ xserver_common_x_domain_template(remote,remote_t)
+@@ -104,26 +120,30 @@ typealias user_input_xevent_t alias { auditadm_input_xevent_t secadm_input_xeven
+ 
+ type remote_t;
+ xserver_object_types_template(remote)
+-xserver_common_x_domain_template(remote,remote_t)
++xserver_common_x_domain_template(remote, remote_t)
+ 
  type user_fonts_t;
  typealias user_fonts_t alias { staff_fonts_t sysadm_fonts_t };
  typealias user_fonts_t alias { auditadm_fonts_t secadm_fonts_t };
-+typealias user_fonts_t alias { xguest_fonts_t unconfined_fonts_t  user_fonts_home_t };
++typealias user_fonts_t alias { xguest_fonts_t unconfined_fonts_t user_fonts_home_t };
  userdom_user_home_content(user_fonts_t)
  
  type user_fonts_cache_t;
  typealias user_fonts_cache_t alias { staff_fonts_cache_t sysadm_fonts_cache_t };
  typealias user_fonts_cache_t alias { auditadm_fonts_cache_t secadm_fonts_cache_t };
 +typealias user_fonts_cache_t alias { xguest_fonts_cache_t unconfined_fonts_cache_t };
-+;
  userdom_user_home_content(user_fonts_cache_t)
  
  type user_fonts_config_t;
@@ -34823,12 +35822,11 @@ index e226da4..29d5384 100644
  typealias iceauth_t alias { auditadm_iceauth_t secadm_iceauth_t };
  application_domain(iceauth_t, iceauth_exec_t)
  ubac_constrained(iceauth_t)
-@@ -131,22 +153,28 @@ ubac_constrained(iceauth_t)
+@@ -131,22 +151,26 @@ ubac_constrained(iceauth_t)
  type iceauth_home_t;
  typealias iceauth_home_t alias { user_iceauth_home_t staff_iceauth_home_t sysadm_iceauth_home_t };
  typealias iceauth_home_t alias { auditadm_iceauth_home_t secadm_iceauth_home_t };
-+typealias iceauth_home_t alias {  xguest_iceauth_home_t };
-+files_poly_member(iceauth_home_t)
++typealias iceauth_home_t alias { xguest_iceauth_home_t };
  userdom_user_home_content(iceauth_home_t)
  
  type xauth_t;
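Review bot: Dropping `+files_poly_member(iceauth_home_t)` next to the whitespace fix on the preceding typealias line is a behavioural change, not a cleanup: if files_poly_member still adds the type to the polymember attribute, iceauth_home_t stops being treated as a polyinstantiated directory member, and the same removal happens for xauth_home_t in the next hunk. Neither the commit message nor a comment records why, so a reviewer cannot tell a deliberate narrowing from an accidental drop. Either keep the call or add a one-line comment above the typealias stating why polyinstantiation no longer applies to these home types. The xserver.te type declarations these lines belong to extend beyond both hunks.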
@@ -34843,7 +35841,6 @@ index e226da4..29d5384 100644
  typealias xauth_home_t alias { user_xauth_home_t staff_xauth_home_t sysadm_xauth_home_t };
  typealias xauth_home_t alias { auditadm_xauth_home_t secadm_xauth_home_t };
 +typealias xauth_home_t alias { xguest_xauth_home_t unconfined_xauth_home_t };
-+files_poly_member(xauth_home_t)
  userdom_user_home_content(xauth_home_t)
  
  type xauth_tmp_t;
@@ -34852,7 +35849,7 @@ index e226da4..29d5384 100644
  typealias xauth_tmp_t alias { auditadm_xauth_tmp_t secadm_xauth_tmp_t };
  files_tmp_file(xauth_tmp_t)
  ubac_constrained(xauth_tmp_t)
-@@ -161,15 +189,21 @@ type xdm_t;
+@@ -161,15 +185,21 @@ type xdm_t;
  type xdm_exec_t;
  auth_login_pgm_domain(xdm_t)
  init_domain(xdm_t, xdm_exec_t)
@@ -34876,7 +35873,7 @@ index e226da4..29d5384 100644
  
  type xdm_var_lib_t;
  files_type(xdm_var_lib_t)
-@@ -177,13 +211,27 @@ files_type(xdm_var_lib_t)
+@@ -177,13 +207,27 @@ files_type(xdm_var_lib_t)
  type xdm_var_run_t;
  files_pid_file(xdm_var_run_t)
  
@@ -34905,7 +35902,7 @@ index e226da4..29d5384 100644
  # type for /var/lib/xkb
  type xkb_var_lib_t;
  files_type(xkb_var_lib_t)
-@@ -196,15 +244,9 @@ typealias xserver_t alias { auditadm_xserver_t secadm_xserver_t xdm_xserver_t };
+@@ -196,15 +240,9 @@ typealias xserver_t alias { auditadm_xserver_t secadm_xserver_t xdm_xserver_t };
  init_system_domain(xserver_t, xserver_exec_t)
  ubac_constrained(xserver_t)
  
@@ -34923,7 +35920,7 @@ index e226da4..29d5384 100644
  files_tmpfs_file(xserver_tmpfs_t)
  ubac_constrained(xserver_tmpfs_t)
  
-@@ -234,9 +276,13 @@ userdom_user_home_dir_filetrans(iceauth_t, iceauth_home_t, file)
+@@ -234,9 +272,13 @@ userdom_user_home_dir_filetrans(iceauth_t, iceauth_home_t, file)
  
  allow xdm_t iceauth_home_t:file read_file_perms;
  
@@ -34937,17 +35934,17 @@ index e226da4..29d5384 100644
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_files(iceauth_t)
-@@ -246,50 +292,105 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -246,50 +288,105 @@ tunable_policy(`use_samba_home_dirs',`
  	fs_manage_cifs_files(iceauth_t)
  ')
  
-+ifdef(`hide_broken_symptoms', `
++ifdef(`hide_broken_symptoms',`
 +	dev_dontaudit_read_urand(iceauth_t)
 +	dev_dontaudit_rw_dri(iceauth_t)
 +	dev_dontaudit_rw_generic_dev_nodes(iceauth_t)
 +	fs_dontaudit_list_inotifyfs(iceauth_t)
 +	fs_dontaudit_rw_anon_inodefs_files(iceauth_t)
-+        term_dontaudit_use_unallocated_ttys(iceauth_t)
++	term_dontaudit_use_unallocated_ttys(iceauth_t)
 +
 +	userdom_dontaudit_read_user_home_content_files(iceauth_t)
 +	userdom_dontaudit_write_user_home_content_files(iceauth_t)
@@ -35015,18 +36012,18 @@ index e226da4..29d5384 100644
  userdom_use_user_terminals(xauth_t)
  userdom_read_user_tmp_files(xauth_t)
 +userdom_read_all_users_state(xauth_t)
-+
-+ifdef(`hide_broken_symptoms', `
-+     fs_dontaudit_rw_anon_inodefs_files(xauth_t)
-+     fs_dontaudit_list_inotifyfs(xauth_t)
-+     userdom_manage_user_home_content_files(xauth_t)
-+     userdom_manage_user_tmp_files(xauth_t)
-+     dev_dontaudit_rw_generic_dev_nodes(xauth_t)
-+     miscfiles_read_fonts(xauth_t)
-+')
  
  xserver_rw_xdm_tmp_files(xauth_t)
  
++ifdef(`hide_broken_symptoms',`
++	fs_dontaudit_rw_anon_inodefs_files(xauth_t)
++	fs_dontaudit_list_inotifyfs(xauth_t)
++	userdom_manage_user_home_content_files(xauth_t)
++	userdom_manage_user_tmp_files(xauth_t)
++	dev_dontaudit_rw_generic_dev_nodes(xauth_t)
++	miscfiles_read_fonts(xauth_t)
++')
++
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_files(xauth_t)
 +	fs_read_nfs_symlinks(xauth_t)
@@ -35036,8 +36033,8 @@ index e226da4..29d5384 100644
  	fs_manage_cifs_files(xauth_t)
  ')
  
-+ifdef(`hide_broken_symptoms', `
-+        term_dontaudit_use_unallocated_ttys(xauth_t)
++ifdef(`hide_broken_symptoms',`
++	term_dontaudit_use_unallocated_ttys(xauth_t)
 +	dev_dontaudit_rw_dri(xauth_t)
 +')
 +
@@ -35048,15 +36045,14 @@ index e226da4..29d5384 100644
  optional_policy(`
  	ssh_sigchld(xauth_t)
  	ssh_read_pipes(xauth_t)
-@@ -301,20 +402,33 @@ optional_policy(`
+@@ -301,20 +398,32 @@ optional_policy(`
  # XDM Local policy
  #
  
 -allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
 -allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate };
 +allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service sys_ptrace };
-+allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate ptrace };
-+allow xdm_t self:process { getattr getcap setcap };
++allow xdm_t self:process { setexec setpgid getattr getcap setcap getsched setsched setrlimit signal_perms setkeycreate ptrace };
  allow xdm_t self:fifo_file rw_fifo_file_perms;
  allow xdm_t self:shm create_shm_perms;
  allow xdm_t self:sem create_sem_perms;
@@ -35070,9 +36066,10 @@ index e226da4..29d5384 100644
  allow xdm_t self:appletalk_socket create_socket_perms;
  allow xdm_t self:key { search link write };
  
+-allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
 +allow xdm_t xauth_home_t:file manage_file_perms;
 +
- allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
++allow xdm_t xconsole_device_t:fifo_file { getattr_fifo_file_perms setattr_fifo_file_perms };
 +manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
 +manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
 +
@@ -35085,7 +36082,7 @@ index e226da4..29d5384 100644
  
  # Allow gdm to run gdm-binary
  can_exec(xdm_t, xdm_exec_t)
-@@ -322,32 +436,55 @@ can_exec(xdm_t, xdm_exec_t)
+@@ -322,43 +431,69 @@ can_exec(xdm_t, xdm_exec_t)
  allow xdm_t xdm_lock_t:file manage_file_perms;
  files_lock_filetrans(xdm_t, xdm_lock_t, file)
  
@@ -35110,7 +36107,8 @@ index e226da4..29d5384 100644
  manage_fifo_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
  manage_sock_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
 -fs_tmpfs_filetrans(xdm_t, xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
-+
+ 
+-manage_dirs_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)	
 +fs_getattr_all_fs(xdm_t)
 +fs_list_inotifyfs(xdm_t)
 +fs_read_noxattr_fs_files(xdm_t)
@@ -35124,8 +36122,8 @@ index e226da4..29d5384 100644
 +manage_dirs_pattern(xdm_t, xdm_spool_t, xdm_spool_t)
 +manage_files_pattern(xdm_t, xdm_spool_t, xdm_spool_t)
 +files_spool_filetrans(xdm_t, xdm_spool_t, { file dir })
- 
- manage_dirs_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)	
++
++manage_dirs_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
  manage_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
 -files_var_lib_filetrans(xdm_t, xdm_var_lib_t, file)
 +manage_lnk_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
@@ -35146,7 +36144,8 @@ index e226da4..29d5384 100644
  allow xdm_t xserver_t:unix_stream_socket connectto;
  
  allow xdm_t xserver_tmp_t:sock_file rw_sock_file_perms;
-@@ -355,10 +492,13 @@ allow xdm_t xserver_tmp_t:dir { setattr list_dir_perms };
+-allow xdm_t xserver_tmp_t:dir { setattr list_dir_perms };
++allow xdm_t xserver_tmp_t:dir { setattr_dir_perms list_dir_perms };
  
  # transition to the xdm xserver
  domtrans_pattern(xdm_t, xserver_exec_t, xserver_t)
@@ -35160,7 +36159,7 @@ index e226da4..29d5384 100644
  
  # connect to xdm xserver over stream socket
  stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -367,15 +507,22 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+@@ -367,15 +502,22 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
  delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
  delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
  
@@ -35184,7 +36183,7 @@ index e226da4..29d5384 100644
  
  corecmd_exec_shell(xdm_t)
  corecmd_exec_bin(xdm_t)
-@@ -390,18 +537,22 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
+@@ -390,18 +532,22 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
  corenet_udp_sendrecv_all_ports(xdm_t)
  corenet_tcp_bind_generic_node(xdm_t)
  corenet_udp_bind_generic_node(xdm_t)
@@ -35208,7 +36207,7 @@ index e226da4..29d5384 100644
  dev_setattr_apm_bios_dev(xdm_t)
  dev_rw_dri(xdm_t)
  dev_rw_agp(xdm_t)
-@@ -410,18 +561,23 @@ dev_setattr_xserver_misc_dev(xdm_t)
+@@ -410,18 +556,23 @@ dev_setattr_xserver_misc_dev(xdm_t)
  dev_getattr_misc_dev(xdm_t)
  dev_setattr_misc_dev(xdm_t)
  dev_dontaudit_rw_misc(xdm_t)
@@ -35235,7 +36234,7 @@ index e226da4..29d5384 100644
  
  files_read_etc_files(xdm_t)
  files_read_var_files(xdm_t)
-@@ -432,9 +588,17 @@ files_list_mnt(xdm_t)
+@@ -432,9 +583,17 @@ files_list_mnt(xdm_t)
  files_read_usr_files(xdm_t)
  # Poweroff wants to create the /poweroff file when run from xdm
  files_create_boot_flag(xdm_t)
@@ -35253,7 +36252,7 @@ index e226da4..29d5384 100644
  
  storage_dontaudit_read_fixed_disk(xdm_t)
  storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -443,28 +607,36 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -443,28 +602,36 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
  storage_dontaudit_raw_write_removable_device(xdm_t)
  storage_dontaudit_setattr_removable_dev(xdm_t)
  storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -35292,7 +36291,7 @@ index e226da4..29d5384 100644
  
  userdom_dontaudit_use_unpriv_user_fds(xdm_t)
  userdom_create_all_users_keys(xdm_t)
-@@ -473,6 +645,13 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -473,10 +640,25 @@ userdom_read_user_home_content_files(xdm_t)
  # Search /proc for any user domain processes.
  userdom_read_all_users_state(xdm_t)
  userdom_signal_all_users(xdm_t)
@@ -35306,7 +36305,19 @@ index e226da4..29d5384 100644
  
  xserver_rw_session(xdm_t, xdm_tmpfs_t)
  xserver_unconfined(xdm_t)
-@@ -504,11 +683,17 @@ tunable_policy(`xdm_sysadm_login',`
+ 
++ifndef(`distro_redhat',`
++	allow xdm_t self:process { execheap execmem };
++')
++
++ifdef(`distro_rhel4',`
++	allow xdm_t self:process { execheap execmem };
++')
++
+ tunable_policy(`use_nfs_home_dirs',`
+ 	fs_manage_nfs_dirs(xdm_t)
+ 	fs_manage_nfs_files(xdm_t)
+@@ -504,11 +686,17 @@ tunable_policy(`xdm_sysadm_login',`
  ')
  
  optional_policy(`
@@ -35324,7 +36335,7 @@ index e226da4..29d5384 100644
  ')
  
  optional_policy(`
-@@ -516,12 +701,51 @@ optional_policy(`
+@@ -516,12 +704,49 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -35355,10 +36366,8 @@ index e226da4..29d5384 100644
 +	optional_policy(`
 +		networkmanager_dbus_chat(xdm_t)
 +	')
-+
 +')
 +
-+
 +optional_policy(`
  	# Talk to the console mouse server.
  	gpm_stream_connect(xdm_t)
@@ -35376,11 +36385,11 @@ index e226da4..29d5384 100644
  	hostname_exec(xdm_t)
  ')
  
-@@ -539,20 +763,64 @@ optional_policy(`
+@@ -539,28 +764,63 @@ optional_policy(`
  ')
  
  optional_policy(`
-+        policykit_dbus_chat(xdm_t)
++	policykit_dbus_chat(xdm_t)
 +	policykit_domtrans_auth(xdm_t)
 +	policykit_read_lib(xdm_t)
 +	policykit_read_reload(xdm_t)
@@ -35423,35 +36432,33 @@ index e226da4..29d5384 100644
  ')
  
  optional_policy(`
+-	udev_read_db(xdm_t)
 +	ssh_signull(xdm_t)
-+')
-+
-+optional_policy(`
-+	shutdown_domtrans(xdm_t)
-+')
-+
-+optional_policy(`
- 	udev_read_db(xdm_t)
  ')
  
  optional_policy(`
 -	unconfined_domain(xdm_t)
 -	unconfined_domtrans(xdm_t)
-+	unconfined_shell_domtrans(xdm_t)
-+	unconfined_signal(xdm_t)
++	shutdown_domtrans(xdm_t)
 +')
  
- 	ifndef(`distro_redhat',`
- 		allow xdm_t self:process { execheap execmem };
-@@ -561,7 +829,6 @@ optional_policy(`
- 	ifdef(`distro_rhel4',`
- 		allow xdm_t self:process { execheap execmem };
- 	')
--')
+-	ifndef(`distro_redhat',`
+-		allow xdm_t self:process { execheap execmem };
+-	')
++optional_policy(`
++	udev_read_db(xdm_t)
++')
+ 
+-	ifdef(`distro_rhel4',`
+-		allow xdm_t self:process { execheap execmem };
+-	')
++optional_policy(`
++	unconfined_shell_domtrans(xdm_t)
++	unconfined_signal(xdm_t)
+ ')
  
  optional_policy(`
- 	userhelper_dontaudit_search_config(xdm_t)
-@@ -572,6 +839,10 @@ optional_policy(`
+@@ -572,6 +832,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -35462,7 +36469,7 @@ index e226da4..29d5384 100644
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -596,7 +867,7 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -596,7 +860,7 @@ allow xserver_t input_xevent_t:x_event send;
  # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
@@ -35471,17 +36478,13 @@ index e226da4..29d5384 100644
  dontaudit xserver_t self:capability chown;
  allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow xserver_t self:fd use;
-@@ -610,6 +881,18 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -610,6 +874,14 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
 +allow xserver_t self:netlink_selinux_socket create_socket_perms;
 +allow xserver_t self:netlink_kobject_uevent_socket create_socket_perms;
 +
-+# Device rules
-+allow x_domain xserver_t:x_device { read getattr use setattr setfocus grab bell };
-+allow x_domain xserver_t:x_screen getattr;
-+
 +allow xserver_t { input_xevent_t input_xevent_type }:x_event send;
 +
 +domtrans_pattern(xserver_t, xauth_exec_t, xauth_t)
@@ -35490,17 +36493,17 @@ index e226da4..29d5384 100644
  
  manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -629,12 +912,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -629,12 +901,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
 -domtrans_pattern(xserver_t, xauth_exec_t, xauth_t)
 -allow xserver_t xauth_home_t:file read_file_perms;
-+manage_dirs_pattern(xserver_t, xserver_var_lib_t, xserver_var_lib_t)	
++manage_dirs_pattern(xserver_t, xserver_var_lib_t, xserver_var_lib_t)
 +manage_files_pattern(xserver_t, xserver_var_lib_t, xserver_var_lib_t)
 +files_var_lib_filetrans(xserver_t, xserver_var_lib_t, dir)
 +
-+manage_dirs_pattern(xserver_t, xserver_var_run_t, xserver_var_run_t)	
++manage_dirs_pattern(xserver_t, xserver_var_run_t, xserver_var_run_t)
 +manage_files_pattern(xserver_t, xserver_var_run_t, xserver_var_run_t)
 +manage_sock_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t)
 +files_pid_filetrans(xserver_t, xserver_var_run_t, { file dir })
@@ -35512,7 +36515,7 @@ index e226da4..29d5384 100644
  
  kernel_read_system_state(xserver_t)
  kernel_read_device_sysctls(xserver_t)
-@@ -642,6 +932,7 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -642,6 +921,7 @@ kernel_read_modprobe_sysctls(xserver_t)
  # Xorg wants to check if kernel is tainted
  kernel_read_kernel_sysctls(xserver_t)
  kernel_write_proc_files(xserver_t)
@@ -35520,7 +36523,7 @@ index e226da4..29d5384 100644
  
  # Run helper programs in xserver_t.
  corecmd_exec_bin(xserver_t)
-@@ -668,7 +959,6 @@ dev_rw_apm_bios(xserver_t)
+@@ -668,7 +948,6 @@ dev_rw_apm_bios(xserver_t)
  dev_rw_agp(xserver_t)
  dev_rw_framebuffer(xserver_t)
  dev_manage_dri_dev(xserver_t)
@@ -35528,7 +36531,7 @@ index e226da4..29d5384 100644
  dev_create_generic_dirs(xserver_t)
  dev_setattr_generic_dirs(xserver_t)
  # raw memory access is needed if not using the frame buffer
-@@ -678,8 +968,13 @@ dev_wx_raw_memory(xserver_t)
+@@ -678,8 +957,13 @@ dev_wx_raw_memory(xserver_t)
  dev_rw_xserver_misc(xserver_t)
  # read events - the synaptics touchpad driver reads raw events
  dev_rw_input_dev(xserver_t)
@@ -35542,7 +36545,7 @@ index e226da4..29d5384 100644
  files_read_etc_files(xserver_t)
  files_read_etc_runtime_files(xserver_t)
  files_read_usr_files(xserver_t)
-@@ -693,8 +988,13 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -693,8 +977,13 @@ fs_getattr_xattr_fs(xserver_t)
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -35556,7 +36559,7 @@ index e226da4..29d5384 100644
  
  selinux_validate_context(xserver_t)
  selinux_compute_access_vector(xserver_t)
-@@ -716,11 +1016,14 @@ logging_send_audit_msgs(xserver_t)
+@@ -716,11 +1005,14 @@ logging_send_audit_msgs(xserver_t)
  
  miscfiles_read_localization(xserver_t)
  miscfiles_read_fonts(xserver_t)
@@ -35571,7 +36574,7 @@ index e226da4..29d5384 100644
  
  userdom_search_user_home_dirs(xserver_t)
  userdom_use_user_ttys(xserver_t)
-@@ -773,12 +1076,28 @@ optional_policy(`
+@@ -773,12 +1065,28 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -35601,7 +36604,7 @@ index e226da4..29d5384 100644
  	unconfined_domtrans(xserver_t)
  ')
  
-@@ -787,6 +1106,10 @@ optional_policy(`
+@@ -787,6 +1095,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -35612,34 +36615,40 @@ index e226da4..29d5384 100644
  	xfs_stream_connect(xserver_t)
  ')
  
-@@ -802,10 +1125,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -802,10 +1114,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
  
  # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
  # handle of a file inside the dir!!!
 -allow xserver_t xdm_var_lib_t:file { getattr read };
+-dontaudit xserver_t xdm_var_lib_t:dir search;
 +allow xserver_t xdm_var_lib_t:file read_file_perms;
- dontaudit xserver_t xdm_var_lib_t:dir search;
++dontaudit xserver_t xdm_var_lib_t:dir search_dir_perms;
  
 -allow xserver_t xdm_var_run_t:file read_file_perms;
 +read_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t)
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -826,6 +1149,13 @@ init_use_fds(xserver_t)
+@@ -813,7 +1125,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+ manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+ 
+ # Run xkbcomp.
+-allow xserver_t xkb_var_lib_t:lnk_file read;
++allow xserver_t xkb_var_lib_t:lnk_file read_lnk_file_perms;
+ can_exec(xserver_t, xkb_var_lib_t)
+ 
+ # VNC v4 module in X server
+@@ -826,6 +1138,9 @@ init_use_fds(xserver_t)
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
 +userdom_read_all_users_state(xserver_t)
 +
 +xserver_use_user_fonts(xserver_t)
-+
-+optional_policy(`
-+	userhelper_search_config(xserver_t)
-+')
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xserver_t)
-@@ -841,11 +1171,14 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -841,11 +1156,14 @@ tunable_policy(`use_samba_home_dirs',`
  
  optional_policy(`
  	dbus_system_bus_client(xserver_t)
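Review bot: The new `+dontaudit xserver_t xdm_var_lib_t:dir search_dir_perms;` appears to widen the suppressed access beyond the `search` it replaces, since search_dir_perms is a permission set and, as far as I recall, includes getattr; the comment two lines above says the directory itself must not be reachable except through an already-open file handle. As a dontaudit this only hides denials, but it hides exactly the denials that comment is warning about, which is the signal a policy maintainer would want to see. Either keep `search` or extend the comment to say that getattr/search denials on the directory are silenced on purpose.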
@@ -35656,20 +36665,77 @@ index e226da4..29d5384 100644
  ')
  
  optional_policy(`
-@@ -991,3 +1324,33 @@ allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *;
- allow xserver_unconfined_type xextension_type:x_extension *;
- allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
- allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
-+
+@@ -853,6 +1171,10 @@ optional_policy(`
+ 	rhgb_rw_tmpfs_files(xserver_t)
+ ')
+ 
 +optional_policy(`
-+	unconfined_rw_shm(xserver_t)
-+	unconfined_execmem_rw_shm(xserver_t)
-+
-+	# xserver signals unconfined user on startx
-+	unconfined_signal(xserver_t)
-+	unconfined_getpgid(xserver_t)
++	userhelper_search_config(xserver_t)
 +')
 +
+ ########################################
+ #
+ # Rules common to all X window domains
+@@ -896,7 +1218,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+ allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
+ # operations allowed on my windows
+ allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
+-allow x_domain self:x_drawable { blend };
++allow x_domain self:x_drawable blend;
+ # operations allowed on all windows
+ allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
+ 
+@@ -950,11 +1272,31 @@ allow x_domain self:x_resource { read write };
+ # can mess with the screensaver
+ allow x_domain xserver_t:x_screen { getattr saver_getattr };
+ 
++# Device rules
++allow x_domain xserver_t:x_device { read getattr use setattr setfocus grab bell };
++allow x_domain xserver_t:x_screen getattr;
++
+ ########################################
+ #
+ # Rules for unconfined access to this module
+ #
+ 
++allow xserver_unconfined_type xserver_t:x_server *;
++allow xserver_unconfined_type xdrawable_type:x_drawable *;
++allow xserver_unconfined_type xserver_t:x_screen *;
++allow xserver_unconfined_type x_domain:x_gc *;
++allow xserver_unconfined_type xcolormap_type:x_colormap *;
++allow xserver_unconfined_type xproperty_type:x_property *;
++allow xserver_unconfined_type xselection_type:x_selection *;
++allow xserver_unconfined_type x_domain:x_cursor *;
++allow xserver_unconfined_type x_domain:x_client *;
++allow xserver_unconfined_type { x_domain xserver_t }:x_device *;
++allow xserver_unconfined_type { x_domain xserver_t }:x_pointer *;
++allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *;
++allow xserver_unconfined_type xextension_type:x_extension *;
++allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
++allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
++
+ tunable_policy(`! xserver_object_manager',`
+ 	# should be xserver_unconfined(x_domain),
+ 	# but typeattribute doesnt work in conditionals
+@@ -976,18 +1318,32 @@ tunable_policy(`! xserver_object_manager',`
+ 	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
+ ')
+ 
+-allow xserver_unconfined_type xserver_t:x_server *;
+-allow xserver_unconfined_type xdrawable_type:x_drawable *;
+-allow xserver_unconfined_type xserver_t:x_screen *;
+-allow xserver_unconfined_type x_domain:x_gc *;
+-allow xserver_unconfined_type xcolormap_type:x_colormap *;
+-allow xserver_unconfined_type xproperty_type:x_property *;
+-allow xserver_unconfined_type xselection_type:x_selection *;
+-allow xserver_unconfined_type x_domain:x_cursor *;
+-allow xserver_unconfined_type x_domain:x_client *;
+-allow xserver_unconfined_type { x_domain xserver_t }:x_device *;
+-allow xserver_unconfined_type { x_domain xserver_t }:x_pointer *;
+-allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *;
+-allow xserver_unconfined_type xextension_type:x_extension *;
+-allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
+-allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
 +tunable_policy(`allow_xserver_execmem',`
 +	allow xserver_t self:process { execheap execmem execstack };
 +')
@@ -35690,6 +36756,15 @@ index e226da4..29d5384 100644
 +tunable_policy(`use_samba_home_dirs',`
 +	fs_append_cifs_files(xdmhomewriter)
 +')
++
++optional_policy(`
++	unconfined_rw_shm(xserver_t)
++	unconfined_execmem_rw_shm(xserver_t)
++
++	# xserver signals unconfined user on startx
++	unconfined_signal(xserver_t)
++	unconfined_getpgid(xserver_t)
++')
 diff --git a/policy/modules/services/zabbix.if b/policy/modules/services/zabbix.if
 index d77e631..4776863 100644
 --- a/policy/modules/services/zabbix.if
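Review bot: The moved `+allow x_domain xserver_t:x_screen getattr;` under `# Device rules` is redundant: two lines above it in the same inner hunk, the context line `allow x_domain xserver_t:x_screen { getattr saver_getattr };` already grants getattr on x_screen to x_domain. Drop the duplicate, or replace it with a comment if it is kept only so the device-rule group reads as self-contained. The rest of this hunk (xserver_unconfined_type rules relocated above the `! xserver_object_manager` tunable, the unconfined optional_policy moved to the end) looks like a pure reorder.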
@@ -35718,6 +36793,24 @@ index d77e631..4776863 100644
  ## </param>
  #
  interface(`zabbix_append_log',`
+diff --git a/policy/modules/services/zabbix.te b/policy/modules/services/zabbix.te
+index b8dd21a..20d7cde 100644
+--- a/policy/modules/services/zabbix.te
++++ b/policy/modules/services/zabbix.te
+@@ -26,11 +26,11 @@ files_pid_file(zabbix_var_run_t)
+ #
+ 
+ allow zabbix_t self:capability { setuid setgid };
+-allow zabbix_t self:fifo_file rw_file_perms;
++allow zabbix_t self:fifo_file rw_fifo_file_perms;
+ allow zabbix_t self:unix_stream_socket create_stream_socket_perms;
+ 
+ # log files
+-allow zabbix_t zabbix_log_t:dir setattr;
++allow zabbix_t zabbix_log_t:dir setattr_dir_perms;
+ manage_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
+ logging_log_filetrans(zabbix_t, zabbix_log_t, file)
+ 
 diff --git a/policy/modules/services/zarafa.fc b/policy/modules/services/zarafa.fc
 new file mode 100644
 index 0000000..56cb5af
@@ -35861,10 +36954,10 @@ index 0000000..4f2dde8
 +')
 diff --git a/policy/modules/services/zarafa.te b/policy/modules/services/zarafa.te
 new file mode 100644
-index 0000000..3509088
+index 0000000..3ce4d86
 --- /dev/null
 +++ b/policy/modules/services/zarafa.te
-@@ -0,0 +1,133 @@
+@@ -0,0 +1,132 @@
 +policy_module(zarafa, 1.0.0)
 +
 +########################################
@@ -35914,7 +37007,7 @@ index 0000000..3509088
 +# zarafa_server local policy
 +#
 +
-+allow zarafa_server_t self:capability { chown kill net_bind_service};
++allow zarafa_server_t self:capability { chown kill net_bind_service };
 +allow zarafa_server_t self:process { setrlimit signal };
 +
 +corenet_tcp_bind_zarafa_port(zarafa_server_t)
@@ -35940,7 +37033,7 @@ index 0000000..3509088
 +#
 +
 +allow zarafa_spooler_t self:capability { chown kill };
-+allow zarafa_spooler_t self:process {  signal };
++allow zarafa_spooler_t self:process signal;
 +
 +corenet_tcp_connect_smtp_port(zarafa_spooler_t)
 +
@@ -35977,7 +37070,6 @@ index 0000000..3509088
 +
 +# bad permission on /etc/zarafa
 +allow zarafa_domain self:capability { dac_override setgid setuid };
-+
 +allow zarafa_domain self:fifo_file rw_fifo_file_perms;
 +allow zarafa_domain self:tcp_socket create_stream_socket_perms;
 +allow zarafa_domain self:unix_stream_socket create_stream_socket_perms;
@@ -36022,6 +37114,34 @@ index 6b87605..347f754 100644
  	')
  
  	allow $1 zebra_t:process { ptrace signal_perms };
+diff --git a/policy/modules/services/zebra.te b/policy/modules/services/zebra.te
+index c349adc..f0b1201 100644
+--- a/policy/modules/services/zebra.te
++++ b/policy/modules/services/zebra.te
+@@ -6,11 +6,10 @@ policy_module(zebra, 1.11.1)
+ #
+ 
+ ## <desc>
+-## <p>
+-## Allow zebra daemon to write it configuration files
+-## </p>
++##	<p>
++##	Allow zebra daemon to write it configuration files
++##	</p>
+ ## </desc>
+-#
+ gen_tunable(allow_zebra_write_config, false)
+ 
+ type zebra_t;
+@@ -52,7 +51,7 @@ allow zebra_t zebra_conf_t:dir list_dir_perms;
+ read_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
+ read_lnk_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
+ 
+-allow zebra_t zebra_log_t:dir setattr;
++allow zebra_t zebra_log_t:dir setattr_dir_perms;
+ manage_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
+ manage_sock_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
+ logging_log_filetrans(zebra_t, zebra_log_t, { sock_file file dir })
 diff --git a/policy/modules/services/zosremote.if b/policy/modules/services/zosremote.if
 index 702e768..13f0eef 100644
 --- a/policy/modules/services/zosremote.if
@@ -36046,6 +37166,19 @@ index 702e768..13f0eef 100644
  #
  interface(`zosremote_run',`
  	gen_require(`
+diff --git a/policy/modules/services/zosremote.te b/policy/modules/services/zosremote.te
+index f9a06d2..3d407c6 100644
+--- a/policy/modules/services/zosremote.te
++++ b/policy/modules/services/zosremote.te
+@@ -16,7 +16,7 @@ logging_dispatcher_domain(zos_remote_t, zos_remote_exec_t)
+ #
+ 
+ allow zos_remote_t self:process signal;
+-allow zos_remote_t self:fifo_file rw_file_perms;
++allow zos_remote_t self:fifo_file rw_fifo_file_perms;
+ allow zos_remote_t self:unix_stream_socket create_stream_socket_perms;
+ 
+ files_read_etc_files(zos_remote_t)
 diff --git a/policy/modules/system/application.if b/policy/modules/system/application.if
 index ac50333..108595b 100644
 --- a/policy/modules/system/application.if
@@ -37123,7 +38256,7 @@ index f6aafe7..666a58f 100644
 +	allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 698c11e..d7abdd1 100644
+index 698c11e..00283ba 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -16,6 +16,27 @@ gen_require(`
@@ -37460,7 +38593,7 @@ index 698c11e..d7abdd1 100644
  miscfiles_read_localization(initrc_t)
  # slapd needs to read cert files from its initscript
 -miscfiles_read_generic_certs(initrc_t)
-+miscfiles_manage_cert_files(initrc_t)
++miscfiles_manage_generic_cert_files(initrc_t)
  
  modutils_read_module_config(initrc_t)
  modutils_domtrans_insmod(initrc_t)
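Review bot: The context comment `# slapd needs to read cert files from its initscript` now sits directly above a call whose name grants initrc_t management of generic cert files rather than read access, so the comment no longer describes the permission actually given. If the slapd initscript genuinely needs to create or rewrite certificates, the comment should say so, e.g. `# slapd initscript needs to manage (not just read) generic cert files`; if read is all that is needed, the replaced `miscfiles_read_generic_certs(initrc_t)` was the tighter grant. Note that this commit only renames the interface call, the widening itself predates it, and the exact permissions depend on the interface definition in miscfiles.if, which is not part of this hunk. The initrc_t rule block continues outside the hunk.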
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 80e32c1..24032e1 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.5
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,11 @@ exit 0
 %endif
 
 %changelog
+* Fri Sep 24 2010 Dan Walsh <dwalsh at redhat.com> 3.9.5-5
+- Pull in cleanups from dgrift
+- Allow mozilla_plugin_t to execute mozilla_home_t
+- Allow rpc.quota to do quotamod
+
 * Thu Sep 23 2010 Dan Walsh <dwalsh at redhat.com> 3.9.5-4
 - Cleanup policy via dgrift
 - Allow dovecot_deliver to append to inherited log files

