[selinux-policy/f15/master] - Add /var/run/lock /var/lock definition to file_contexts.subs - nslcd_t is looking for kerberos cc

Miroslav Grepl mgrepl at fedoraproject.org
Mon Apr 4 21:04:08 UTC 2011


commit ed80d7f61c2df002feb2fa014e0d68d05356d79b
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Mon Apr 4 23:04:43 2011 +0000

    - Add /var/run/lock /var/lock definition to file_contexts.subs
    - nslcd_t is looking for kerberos cc files
    - SSH_USE_STRONG_RNG is 1 which requires /dev/random
    - Fix auth_rw_faillog definition
    - Allow sysadm_t to set attributes on fixed disks
    - allow user domains to execute lsof and look at application sockets
    - prelink_cron job calls telinit -u if init is rewritten
    - Fixes to run qemu_t from staff_t

 booleans-mls.conf      |    4 +
 booleans-targeted.conf |    4 +
 file_contexts.subs     |    1 +
 policy-F15.patch       |  911 ++++++++++++++++++++++++++----------------------
 selinux-policy.spec    |   12 +-
 5 files changed, 521 insertions(+), 411 deletions(-)
---
diff --git a/booleans-mls.conf b/booleans-mls.conf
index ed149cd..73fe0b9 100644
--- a/booleans-mls.conf
+++ b/booleans-mls.conf
@@ -231,3 +231,7 @@ xserver_object_manager = true
 # System uses init upstart program
 # 
 init_upstart = true
+
+# Allow BIND to bind apache port.
+#
+named_bind_http_port=false
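Review bot: The added `named_bind_http_port=false` line has no spaces around `=`, while the entry just above it in booleans-mls.conf is written `init_upstart = true`; `named_bind_http_port = false` would match the file. The comment "Allow BIND to bind apache port." would be clearer if it named the daemon and the port class, for example `# Allow named (BIND) to listen on the HTTP port.` The same wording is repeated in the booleans-targeted.conf hunk. Shipping the boolean off by default is the conservative choice and should stay.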
diff --git a/booleans-targeted.conf b/booleans-targeted.conf
index d795e1c..ceb39c4 100644
--- a/booleans-targeted.conf
+++ b/booleans-targeted.conf
@@ -295,3 +295,7 @@ authlogin_nsswitch_use_ldap=true
 ## Default to on so  normal users do not trip over it, it should be off on build servers
 #
 mock_enable_homedirs=true
+
+## Allow BIND to bind apache port.
+#
+named_bind_http_port=false
diff --git a/file_contexts.subs b/file_contexts.subs
index 7499c75..f8d0cb3 100644
--- a/file_contexts.subs
+++ b/file_contexts.subs
@@ -1,2 +1,3 @@
 /run /var/run
 /run/lock /var/lock
+/var/run/lock /var/lock
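Review bot: Nothing in file_contexts.subs says why `/var/run/lock` needs its own line when `/run /var/run` and `/run/lock /var/lock` are already present. Presumably a path is substituted once rather than chained, so `/var/run/lock` would otherwise be labeled from the `/var/run` rules. A short comment to that effect would help (if the subs parser in this libselinux build accepts `#` lines), or a sentence in the spec changelog. After installing the policy, `matchpathcon /var/lock /run/lock /var/run/lock` should report the same context for all three paths.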
diff --git a/policy-F15.patch b/policy-F15.patch
index 998064a..3ccc998 100644
--- a/policy-F15.patch
+++ b/policy-F15.patch
@@ -1316,7 +1316,7 @@ index c633aea..c489eec 100644
  optional_policy(`
  	seutil_use_newrole_fds(gcc_config_t)
 diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te
-index af55369..f77e897 100644
+index af55369..a8ef22f 100644
 --- a/policy/modules/admin/prelink.te
 +++ b/policy/modules/admin/prelink.te
 @@ -36,7 +36,7 @@ files_type(prelink_var_lib_t)
@@ -1390,7 +1390,7 @@ index af55369..f77e897 100644
  
  	domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t)
  	allow prelink_cron_system_t prelink_t:process noatsecure;
-@@ -148,7 +163,7 @@ optional_policy(`
+@@ -148,17 +163,26 @@ optional_policy(`
  	files_read_etc_files(prelink_cron_system_t)
  	files_search_var_lib(prelink_cron_system_t)
  
@@ -1399,7 +1399,11 @@ index af55369..f77e897 100644
  
  	libs_exec_ld_so(prelink_cron_system_t)
  
-@@ -158,7 +173,14 @@ optional_policy(`
+ 	logging_search_logs(prelink_cron_system_t)
+ 
++	init_stream_connect(prelink_cron_system_t)
++
+ 	miscfiles_read_localization(prelink_cron_system_t)
  
  	cron_system_entry(prelink_cron_system_t, prelink_cron_system_exec_t)
  
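Review bot: `init_stream_connect(prelink_cron_system_t)` is added with no comment in prelink.te, so the reason for letting the prelink cron domain talk to init exists only in the package changelog. A line above the call such as `# prelink cron job calls telinit -u if init is rewritten` would keep the justification next to the rule. The enclosing `optional_policy` block starts above this hunk, so it is not visible here which module the rule is conditional on.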
@@ -7185,7 +7189,7 @@ index 2ba7787..9f12b51 100644
  ')
  
 diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te
-index c2d20a2..ae61e3c 100644
+index c2d20a2..df078e0 100644
 --- a/policy/modules/apps/pulseaudio.te
 +++ b/policy/modules/apps/pulseaudio.te
 @@ -44,6 +44,7 @@ allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -7236,10 +7240,10 @@ index c2d20a2..ae61e3c 100644
  ')
 +
 +optional_policy(`
-+	qemu_manage_tmpfs_files(pulseaudio_t)
++	virt_manage_tmpfs_files(pulseaudio_t)
 +')
 diff --git a/policy/modules/apps/qemu.if b/policy/modules/apps/qemu.if
-index c1d5f50..85fb63b 100644
+index c1d5f50..2d73705 100644
 --- a/policy/modules/apps/qemu.if
 +++ b/policy/modules/apps/qemu.if
 @@ -98,61 +98,40 @@ template(`qemu_domain_template',`
@@ -7325,7 +7329,7 @@ index c1d5f50..85fb63b 100644
  #
  interface(`qemu_run',`
  	gen_require(`
-@@ -177,10 +157,6 @@ interface(`qemu_run',`
+@@ -177,10 +157,8 @@ interface(`qemu_run',`
  
  	qemu_domtrans($1)
  	role $2 types qemu_t;
@@ -7333,10 +7337,12 @@ index c1d5f50..85fb63b 100644
 -	optional_policy(`
 -		samba_run_smb(qemu_t, $2, $3)
 -	')
++	allow qemu_t $1:process signull;
++	allow $1 qemu_t:process signull;
  ')
  
  ########################################
-@@ -275,6 +251,67 @@ interface(`qemu_domtrans_unconfined',`
+@@ -275,6 +253,67 @@ interface(`qemu_domtrans_unconfined',`
  
  ########################################
  ## <summary>
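Review bot: The two `signull` rules added to `qemu_run` are undocumented. They let the caller domain and qemu_t each send signal 0 to the other, which only tests whether the process exists, but nothing records which program performs the check. A comment above the pair, for example `# caller and qemu probe each other with signal 0`, would document the intent. The interface body and its `gen_require` start above the hunk.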
@@ -7404,7 +7410,7 @@ index c1d5f50..85fb63b 100644
  ##	Manage qemu temporary dirs.
  ## </summary>
  ## <param name="domain">
-@@ -308,3 +345,42 @@ interface(`qemu_manage_tmp_files',`
+@@ -308,3 +347,22 @@ interface(`qemu_manage_tmp_files',`
  
  	manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t)
  ')
@@ -7427,28 +7433,8 @@ index c1d5f50..85fb63b 100644
 +
 +	domain_entry_file($1, qemu_exec_t)
 +')
-+
-+########################################
-+## <summary>
-+##	allow domain to manage
-+##	qemu tmpfs files
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access
-+##	</summary>
-+## </param>
-+#
-+interface(`qemu_manage_tmpfs_files',`
-+	gen_require(`
-+		attribute qemu_tmpfs_type;
-+	')
-+
-+	allow $1 qemu_tmpfs_type:file manage_file_perms;
-+')
-+
 diff --git a/policy/modules/apps/qemu.te b/policy/modules/apps/qemu.te
-index 5ef2f7d..c01d37c 100644
+index 5ef2f7d..13057b7 100644
 --- a/policy/modules/apps/qemu.te
 +++ b/policy/modules/apps/qemu.te
 @@ -21,7 +21,7 @@ gen_tunable(qemu_use_cifs, true)
@@ -7479,17 +7465,21 @@ index 5ef2f7d..c01d37c 100644
  	corenet_udp_bind_all_ports(qemu_t)
  	corenet_tcp_bind_all_ports(qemu_t)
  	corenet_tcp_connect_all_ports(qemu_t)
-@@ -90,10 +91,18 @@ tunable_policy(`qemu_use_usb',`
+@@ -90,10 +91,22 @@ tunable_policy(`qemu_use_usb',`
  ')
  
  optional_policy(`
 -	samba_domtrans_smbd(qemu_t)
-+	tunable_policy(`qemu_use_cifs',`
-+		samba_domtrans_smbd(qemu_t)
-+	')
++	dbus_read_lib_files(qemu_t)
  ')
  
  optional_policy(`
++	tunable_policy(`qemu_use_cifs',`
++		samba_domtrans_smbd(qemu_t)
++	')
++')
++
++optional_policy(`
 +	pulseaudio_manage_home_files(qemu_t)
 +	pulseaudio_stream_connect(qemu_t)
 +')
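Review bot: The new `optional_policy` block granting `dbus_read_lib_files(qemu_t)` carries no comment, and none of the changelog lines in the commit message explains it. A one-line reason above the call, e.g. `# needed for: <AVC or bug reference>` with the real reference filled in, would let a later reviewer judge whether the grant is still required. The same applies to `init_read_state(crond_t)` in the cron.te hunk and to `postfix_rw_master_pipes($1_mail_t)` in the mta.if hunk. The latter sits in `mta_base_mail_template`, so it presumably reaches every mail domain generated from that template.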
@@ -7499,7 +7489,7 @@ index 5ef2f7d..c01d37c 100644
  	virt_manage_images(qemu_t)
  	virt_append_log(qemu_t)
  ')
-@@ -102,6 +111,11 @@ optional_policy(`
+@@ -102,6 +115,11 @@ optional_policy(`
  	xen_rw_image_files(qemu_t)
  ')
  
@@ -7511,7 +7501,7 @@ index 5ef2f7d..c01d37c 100644
  ########################################
  #
  # Unconfined qemu local policy
-@@ -112,6 +126,8 @@ optional_policy(`
+@@ -112,6 +130,8 @@ optional_policy(`
  	typealias unconfined_qemu_t alias qemu_unconfined_t;
  	application_type(unconfined_qemu_t)
  	unconfined_domain(unconfined_qemu_t)
@@ -10129,7 +10119,7 @@ index 6cf8784..5b25039 100644
 +#
 +/sys(/.*)?			gen_context(system_u:object_r:sysfs_t,s0)
 diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index e9313fb..c4607c9 100644
+index e9313fb..60437ca 100644
 --- a/policy/modules/kernel/devices.if
 +++ b/policy/modules/kernel/devices.if
 @@ -146,14 +146,33 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -10403,10 +10393,28 @@ index e9313fb..c4607c9 100644
  ##	Read hardware state information.
  ## </summary>
  ## <desc>
-@@ -3954,6 +4026,24 @@ interface(`dev_rw_sysfs',`
+@@ -3954,6 +4026,42 @@ interface(`dev_rw_sysfs',`
  
  ########################################
  ## <summary>
++##	Relabel hardware state directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_relabel_sysfs_dirs',`
++	gen_require(`
++		type sysfs_t;
++	')
++
++	relabel_dirs_pattern($1, sysfs_t, sysfs_t)
++')
++
++########################################
++## <summary>
 +##	Allow caller to modify hardware state information.
 +## </summary>
 +## <param name="domain">
@@ -10428,7 +10436,7 @@ index e9313fb..c4607c9 100644
  ##	Read and write the TPM device.
  ## </summary>
  ## <param name="domain">
-@@ -4514,6 +4604,24 @@ interface(`dev_rwx_vmware',`
+@@ -4514,6 +4622,24 @@ interface(`dev_rwx_vmware',`
  
  ########################################
  ## <summary>
@@ -10453,7 +10461,7 @@ index e9313fb..c4607c9 100644
  ##	Write to watchdog devices.
  ## </summary>
  ## <param name="domain">
-@@ -4748,3 +4856,23 @@ interface(`dev_unconfined',`
+@@ -4748,3 +4874,23 @@ interface(`dev_unconfined',`
  
  	typeattribute $1 devices_unconfined_type;
  ')
@@ -12256,7 +12264,7 @@ index 59bae6a..2e55e71 100644
 +/dev/hugepages	-d	gen_context(system_u:object_r:hugetlbfs_t,s0)
 +/dev/hugepages(/.*)?		<<none>>
 diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index dfe361a..5da5ee1 100644
+index dfe361a..be9572b 100644
 --- a/policy/modules/kernel/filesystem.if
 +++ b/policy/modules/kernel/filesystem.if
 @@ -646,11 +646,31 @@ interface(`fs_search_cgroup_dirs',`
@@ -12277,13 +12285,13 @@ index dfe361a..5da5ee1 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`fs_relabelto_cgroup_dirs',`
++interface(`fs_relabel_cgroup_dirs',`
 +	gen_require(`
 +		type cgroup_t;
 +
 +	')
 +
-+	relabelto_dirs_pattern($1, cgroup_t, cgroup_t)
++	relabel_dirs_pattern($1, cgroup_t, cgroup_t)
 +')
 +
 +########################################
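Review bot: Renaming `fs_relabelto_cgroup_dirs` to `fs_relabel_cgroup_dirs` also swaps `relabelto_dirs_pattern` for `relabel_dirs_pattern`, so callers now get relabelfrom as well as relabelto on cgroup_t directories; that is a permission widening rather than a plain rename, and the changelog does not mention it. The later filesystem.if hunk does the same for tmpfs, replacing `fs_relabelfrom_tmpfs_dir` with `fs_relabel_tmpfs_dirs` and dropping `fs_setattr_tmpfs_dir` and `fs_create_tmpfs_dir`. The callers are outside this view, so it is worth confirming that each one needs both directions and that none still uses the old names. The interface's `<summary>` line is above the hunk and may still describe relabelto only. The blank line left inside `gen_require` after `type cgroup_t;` can be removed.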
@@ -12827,11 +12835,11 @@ index dfe361a..5da5ee1 100644
  	manage_lnk_files_pattern($1, nfs_t, nfs_t)
  ')
  
-@@ -3989,6 +4334,78 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -3772,6 +4117,24 @@ interface(`fs_dontaudit_list_tmpfs',`
  
  ########################################
  ## <summary>
-+##	dontaudit Read and write block nodes on tmpfs filesystems.
++##	Relabel directory  on tmpfs filesystems.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -12839,53 +12847,24 @@ index dfe361a..5da5ee1 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`fs_dontaudit_read_tmpfs_blk_dev',`
++interface(`fs_relabel_tmpfs_dirs',`
 +	gen_require(`
 +		type tmpfs_t;
 +	')
 +
-+	dontaudit $1 tmpfs_t:blk_file read_blk_file_perms;
-+')
-+
-+######################################
-+## <summary>
-+##  Allow setattr on directory on tmpfs filesystems.
-+## </summary>
-+## <param name="domain">
-+##  <summary>
-+##  Domain allowed access.
-+##  </summary>
-+## </param>
-+#
-+interface(`fs_setattr_tmpfs_dir',`
-+    gen_require(`
-+        type tmpfs_t;
-+    ')
-+
-+    setattr_dirs_pattern($1, tmpfs_t, tmpfs_t)
-+')
-+
-+#######################################
-+## <summary>
-+##  Create directory  on tmpfs filesystems.
-+## </summary>
-+## <param name="domain">
-+##  <summary>
-+##  Domain allowed access.
-+##  </summary>
-+## </param>
-+#
-+interface(`fs_create_tmpfs_dir',`
-+    gen_require(`
-+        type tmpfs_t;
-+    ')
-+
-+    create_dirs_pattern($1, tmpfs_t, tmpfs_t)
++	relabel_dirs_pattern($1, tmpfs_t, tmpfs_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Relabelfrom directory  on tmpfs filesystems.
+ ##	Create, read, write, and delete
+ ##	tmpfs directories
+ ## </summary>
+@@ -3989,6 +4352,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+ 
+ ########################################
+ ## <summary>
++##	dontaudit Read and write block nodes on tmpfs filesystems.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -12893,12 +12872,12 @@ index dfe361a..5da5ee1 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`fs_relabelfrom_tmpfs_dir',`
++interface(`fs_dontaudit_read_tmpfs_blk_dev',`
 +	gen_require(`
 +		type tmpfs_t;
 +	')
 +
-+	relabelfrom_dirs_pattern($1, tmpfs_t, tmpfs_t)
++	dontaudit $1 tmpfs_t:blk_file read_blk_file_perms;
 +')
 +
 +########################################
@@ -12906,7 +12885,7 @@ index dfe361a..5da5ee1 100644
  ##	Relabel character nodes on tmpfs filesystems.
  ## </summary>
  ## <param name="domain">
-@@ -4271,6 +4688,8 @@ interface(`fs_mount_all_fs',`
+@@ -4271,6 +4652,8 @@ interface(`fs_mount_all_fs',`
  	')
  
  	allow $1 filesystem_type:filesystem mount;
@@ -12915,7 +12894,7 @@ index dfe361a..5da5ee1 100644
  ')
  
  ########################################
-@@ -4681,3 +5100,24 @@ interface(`fs_unconfined',`
+@@ -4681,3 +5064,24 @@ interface(`fs_unconfined',`
  
  	typeattribute $1 filesystem_unconfined_type;
  ')
@@ -13515,7 +13494,7 @@ index 3994e57..a1923fe 100644
 +
 +/lib/udev/devices/pts	-d	gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
 diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
-index f3acfee..4cbc36c 100644
+index f3acfee..3440a84 100644
 --- a/policy/modules/kernel/terminal.if
 +++ b/policy/modules/kernel/terminal.if
 @@ -274,7 +274,6 @@ interface(`term_dontaudit_read_console',`
@@ -13548,7 +13527,32 @@ index f3acfee..4cbc36c 100644
  ')
  
  ########################################
-@@ -658,6 +659,25 @@ interface(`term_use_controlling_term',`
+@@ -462,6 +463,24 @@ interface(`term_list_ptys',`
+ 
+ ########################################
+ ## <summary>
++##	Relabel the /dev/pts directory
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`term_relabel_ptys_dirs',`
++	gen_require(`
++		type devpts_t;
++	')
++
++	allow $1 devpts_t:dir relabel_dir_perms;
++')
++
++########################################
++## <summary>
+ ##	Do not audit attempts to read the
+ ##	/dev/pts directory.
+ ## </summary>
+@@ -658,6 +677,25 @@ interface(`term_use_controlling_term',`
  	allow $1 devtty_t:chr_file { rw_term_perms lock append };
  ')
  
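Review bot: `term_relabel_ptys_dirs` grants `allow $1 devpts_t:dir relabel_dir_perms;` without first giving access to /dev, whereas the other relabel interfaces in terminal.if visible in later hunks (`term_relabel_unallocated_ttys`, `term_relabel_all_ttys`) call `dev_list_all_dev_nodes($1)` before their allow rule. Unless every caller already has that access, adding `dev_list_all_dev_nodes($1)` ahead of the allow would keep the interface self-contained and consistent with its neighbours. The callers of the new interface are not in this view, and the changelog does not name them.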
@@ -13574,7 +13578,7 @@ index f3acfee..4cbc36c 100644
  ########################################
  ## <summary>
  ##	Do not audit attempts to get attributes
-@@ -855,7 +875,7 @@ interface(`term_dontaudit_use_all_ptys',`
+@@ -855,7 +893,7 @@ interface(`term_dontaudit_use_all_ptys',`
  		attribute ptynode;
  	')
  
@@ -13583,7 +13587,7 @@ index f3acfee..4cbc36c 100644
  ')
  
  ########################################
-@@ -1123,7 +1143,7 @@ interface(`term_relabel_unallocated_ttys',`
+@@ -1123,7 +1161,7 @@ interface(`term_relabel_unallocated_ttys',`
  	')
  
  	dev_list_all_dev_nodes($1)
@@ -13592,7 +13596,7 @@ index f3acfee..4cbc36c 100644
  ')
  
  ########################################
-@@ -1222,7 +1242,7 @@ interface(`term_dontaudit_use_unallocated_ttys',`
+@@ -1222,7 +1260,7 @@ interface(`term_dontaudit_use_unallocated_ttys',`
  		type tty_device_t;
  	')
  
@@ -13601,7 +13605,7 @@ index f3acfee..4cbc36c 100644
  ')
  
  ########################################
-@@ -1238,11 +1258,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
+@@ -1238,11 +1276,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
  #
  interface(`term_getattr_all_ttys',`
  	gen_require(`
@@ -13615,7 +13619,7 @@ index f3acfee..4cbc36c 100644
  ')
  
  ########################################
-@@ -1259,10 +1281,12 @@ interface(`term_getattr_all_ttys',`
+@@ -1259,10 +1299,12 @@ interface(`term_getattr_all_ttys',`
  interface(`term_dontaudit_getattr_all_ttys',`
  	gen_require(`
  		attribute ttynode;
@@ -13628,7 +13632,7 @@ index f3acfee..4cbc36c 100644
  ')
  
  ########################################
-@@ -1301,7 +1325,7 @@ interface(`term_relabel_all_ttys',`
+@@ -1301,7 +1343,7 @@ interface(`term_relabel_all_ttys',`
  	')
  
  	dev_list_all_dev_nodes($1)
@@ -13637,7 +13641,7 @@ index f3acfee..4cbc36c 100644
  ')
  
  ########################################
-@@ -1359,7 +1383,7 @@ interface(`term_dontaudit_use_all_ttys',`
+@@ -1359,7 +1401,7 @@ interface(`term_dontaudit_use_all_ttys',`
  		attribute ttynode;
  	')
  
@@ -13646,7 +13650,7 @@ index f3acfee..4cbc36c 100644
  ')
  
  ########################################
-@@ -1475,3 +1499,22 @@ interface(`term_dontaudit_use_all_user_ttys',`
+@@ -1475,3 +1517,22 @@ interface(`term_dontaudit_use_all_user_ttys',`
  	refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.')
  	term_dontaudit_use_all_ttys($1)
  ')
@@ -13795,7 +13799,7 @@ index be4de58..cce681a 100644
  ########################################
  #
 diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 2be17d2..9440b5f 100644
+index 2be17d2..7ccb554 100644
 --- a/policy/modules/roles/staff.te
 +++ b/policy/modules/roles/staff.te
 @@ -8,12 +8,48 @@ policy_module(staff, 2.2.0)
@@ -13847,7 +13851,7 @@ index 2be17d2..9440b5f 100644
  optional_policy(`
  	apache_role(staff_r, staff_t)
  ')
-@@ -27,25 +63,138 @@ optional_policy(`
+@@ -27,25 +63,139 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -13920,6 +13924,7 @@ index 2be17d2..9440b5f 100644
  
  optional_policy(`
 +	qemu_run(staff_t, staff_r)
++	virt_manage_tmpfs_files(staff_t)
 +')
 +
 +optional_policy(`
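Review bot: `virt_manage_tmpfs_files(staff_t)` is added inside the same `optional_policy` block as `qemu_run(staff_t, staff_r)`, and an optional block is dropped as a whole when any interface it calls is unavailable. A build without the virt module would therefore silently lose the qemu transition for staff_t as well. Putting the call in its own `optional_policy` block keeps the two independent. The interface body is not in this view; if it covers every virt tmpfs type rather than only the user's own guests, the scope of the grant to staff_t deserves a second look.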
@@ -13988,7 +13993,7 @@ index 2be17d2..9440b5f 100644
  
  optional_policy(`
  	vlock_run(staff_t, staff_r)
-@@ -89,10 +238,6 @@ ifndef(`distro_redhat',`
+@@ -89,10 +239,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -13999,7 +14004,7 @@ index 2be17d2..9440b5f 100644
  		gpg_role(staff_r, staff_t)
  	')
  
-@@ -137,10 +282,6 @@ ifndef(`distro_redhat',`
+@@ -137,10 +283,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -14010,7 +14015,7 @@ index 2be17d2..9440b5f 100644
  		spamassassin_role(staff_r, staff_t)
  	')
  
-@@ -172,3 +313,7 @@ ifndef(`distro_redhat',`
+@@ -172,3 +314,7 @@ ifndef(`distro_redhat',`
  		wireshark_role(staff_r, staff_t)
  	')
  ')
@@ -14019,10 +14024,10 @@ index 2be17d2..9440b5f 100644
 +	userdom_execmod_user_home_files(staff_usertype)
 +')
 diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 4a8d146..054eaa8 100644
+index 4a8d146..6b0999e 100644
 --- a/policy/modules/roles/sysadm.te
 +++ b/policy/modules/roles/sysadm.te
-@@ -24,20 +24,40 @@ ifndef(`enable_mls',`
+@@ -24,20 +24,41 @@ ifndef(`enable_mls',`
  #
  # Local policy
  #
@@ -14037,6 +14042,8 @@ index 4a8d146..054eaa8 100644
  mls_process_read_up(sysadm_t)
 +mls_file_read_to_clearance(sysadm_t)
 +mls_process_write_to_clearance(sysadm_t)
++
++storage_setattr_fixed_disk_dev(sysadm_t)
  
  ubac_process_exempt(sysadm_t)
  ubac_file_exempt(sysadm_t)
@@ -14049,7 +14056,6 @@ index 4a8d146..054eaa8 100644
 +init_dbus_chat(sysadm_t)
 +init_script_role_transition(sysadm_r)
 +
-+
 +miscfiles_read_hwdata(sysadm_t)
  
  # Add/remove user home directories
@@ -14063,7 +14069,7 @@ index 4a8d146..054eaa8 100644
  
  ifdef(`direct_sysadm_daemon',`
  	optional_policy(`
-@@ -55,6 +75,7 @@ ifndef(`enable_mls',`
+@@ -55,6 +76,7 @@ ifndef(`enable_mls',`
  	logging_manage_audit_log(sysadm_t)
  	logging_manage_audit_config(sysadm_t)
  	logging_run_auditctl(sysadm_t, sysadm_r)
@@ -14071,7 +14077,7 @@ index 4a8d146..054eaa8 100644
  ')
  
  tunable_policy(`allow_ptrace',`
-@@ -69,7 +90,6 @@ optional_policy(`
+@@ -69,7 +91,6 @@ optional_policy(`
  	apache_run_helper(sysadm_t, sysadm_r)
  	#apache_run_all_scripts(sysadm_t, sysadm_r)
  	#apache_domtrans_sys_script(sysadm_t)
@@ -14079,7 +14085,7 @@ index 4a8d146..054eaa8 100644
  ')
  
  optional_policy(`
-@@ -98,6 +118,10 @@ optional_policy(`
+@@ -98,6 +119,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -14090,7 +14096,7 @@ index 4a8d146..054eaa8 100644
  	certwatch_run(sysadm_t, sysadm_r)
  ')
  
-@@ -114,7 +138,7 @@ optional_policy(`
+@@ -114,7 +139,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -14099,7 +14105,7 @@ index 4a8d146..054eaa8 100644
  ')
  
  optional_policy(`
-@@ -124,6 +148,10 @@ optional_policy(`
+@@ -124,6 +149,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -14110,7 +14116,7 @@ index 4a8d146..054eaa8 100644
  	ddcprobe_run(sysadm_t, sysadm_r)
  ')
  
-@@ -163,6 +191,13 @@ optional_policy(`
+@@ -163,6 +192,13 @@ optional_policy(`
  	ipsec_stream_connect(sysadm_t)
  	# for lsof
  	ipsec_getattr_key_sockets(sysadm_t)
@@ -14124,7 +14130,7 @@ index 4a8d146..054eaa8 100644
  ')
  
  optional_policy(`
-@@ -170,15 +205,15 @@ optional_policy(`
+@@ -170,15 +206,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -14143,7 +14149,7 @@ index 4a8d146..054eaa8 100644
  ')
  
  optional_policy(`
-@@ -198,18 +233,12 @@ optional_policy(`
+@@ -198,18 +234,12 @@ optional_policy(`
  	modutils_run_depmod(sysadm_t, sysadm_r)
  	modutils_run_insmod(sysadm_t, sysadm_r)
  	modutils_run_update_mods(sysadm_t, sysadm_r)
@@ -14164,7 +14170,7 @@ index 4a8d146..054eaa8 100644
  ')
  
  optional_policy(`
-@@ -225,6 +254,10 @@ optional_policy(`
+@@ -225,6 +255,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -14175,7 +14181,7 @@ index 4a8d146..054eaa8 100644
  	netutils_run(sysadm_t, sysadm_r)
  	netutils_run_ping(sysadm_t, sysadm_r)
  	netutils_run_traceroute(sysadm_t, sysadm_r)
-@@ -253,7 +286,7 @@ optional_policy(`
+@@ -253,7 +287,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -14184,7 +14190,7 @@ index 4a8d146..054eaa8 100644
  ')
  
  optional_policy(`
-@@ -265,20 +298,14 @@ optional_policy(`
+@@ -265,20 +299,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -14206,7 +14212,7 @@ index 4a8d146..054eaa8 100644
  
  optional_policy(`
  	rsync_exec(sysadm_t)
-@@ -307,11 +334,12 @@ optional_policy(`
+@@ -307,7 +335,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -14215,11 +14221,6 @@ index 4a8d146..054eaa8 100644
  ')
  
  optional_policy(`
- 	ssh_role_template(sysadm, sysadm_r, sysadm_t)
-+	ssh_run_keygen(sysadm_t, sysadm_r)
- ')
- 
- optional_policy(`
 @@ -332,10 +360,6 @@ optional_policy(`
  ')
  
@@ -22109,7 +22110,7 @@ index 35241ed..b6402c9 100644
 +	manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
  ')
 diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
-index f7583ab..9941737 100644
+index f7583ab..220ba1b 100644
 --- a/policy/modules/services/cron.te
 +++ b/policy/modules/services/cron.te
 @@ -10,18 +10,18 @@ gen_require(`
@@ -22251,13 +22252,14 @@ index f7583ab..9941737 100644
  
  files_read_usr_files(crond_t)
  files_read_etc_runtime_files(crond_t)
-@@ -203,11 +220,16 @@ files_list_usr(crond_t)
+@@ -203,11 +220,17 @@ files_list_usr(crond_t)
  files_search_var_lib(crond_t)
  files_search_default(crond_t)
  
 +fs_manage_cgroup_dirs(crond_t)
 +fs_manage_cgroup_files(crond_t)
 +
++init_read_state(crond_t)
  init_rw_utmp(crond_t)
  init_spec_domtrans_script(crond_t)
  
@@ -22268,7 +22270,7 @@ index f7583ab..9941737 100644
  logging_send_syslog_msg(crond_t)
  logging_set_loginuid(crond_t)
  
-@@ -220,8 +242,10 @@ miscfiles_read_localization(crond_t)
+@@ -220,8 +243,10 @@ miscfiles_read_localization(crond_t)
  userdom_use_unpriv_users_fds(crond_t)
  # Not sure why this is needed
  userdom_list_user_home_dirs(crond_t)
@@ -22279,7 +22281,7 @@ index f7583ab..9941737 100644
  
  ifdef(`distro_debian',`
  	# pam_limits is used
-@@ -233,7 +257,7 @@ ifdef(`distro_debian',`
+@@ -233,7 +258,7 @@ ifdef(`distro_debian',`
  	')
  ')
  
@@ -22288,7 +22290,7 @@ index f7583ab..9941737 100644
  	# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
  	# via redirection of standard out.
  	optional_policy(`
-@@ -250,11 +274,30 @@ tunable_policy(`fcron_crond', `
+@@ -250,11 +275,30 @@ tunable_policy(`fcron_crond', `
  ')
  
  optional_policy(`
@@ -22319,7 +22321,7 @@ index f7583ab..9941737 100644
  	amanda_search_var_lib(crond_t)
  ')
  
-@@ -264,6 +307,8 @@ optional_policy(`
+@@ -264,6 +308,8 @@ optional_policy(`
  
  optional_policy(`
  	hal_dbus_chat(crond_t)
@@ -22328,7 +22330,7 @@ index f7583ab..9941737 100644
  ')
  
  optional_policy(`
-@@ -289,12 +334,18 @@ optional_policy(`
+@@ -289,12 +335,18 @@ optional_policy(`
  	udev_read_db(crond_t)
  ')
  
@@ -22347,7 +22349,7 @@ index f7583ab..9941737 100644
  allow system_cronjob_t self:process { signal_perms getsched setsched };
  allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
  allow system_cronjob_t self:passwd rootok;
-@@ -306,10 +357,19 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file)
+@@ -306,10 +358,19 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file)
  
  # This is to handle /var/lib/misc directory.  Used currently
  # by prelink var/lib files for cron 
@@ -22368,7 +22370,7 @@ index f7583ab..9941737 100644
  # The entrypoint interface is not used as this is not
  # a regular entrypoint.  Since crontab files are
  # not directly executed, crond must ensure that
-@@ -329,6 +389,7 @@ allow crond_t system_cronjob_t:fd use;
+@@ -329,6 +390,7 @@ allow crond_t system_cronjob_t:fd use;
  allow system_cronjob_t crond_t:fd use;
  allow system_cronjob_t crond_t:fifo_file rw_file_perms;
  allow system_cronjob_t crond_t:process sigchld;
@@ -22376,7 +22378,7 @@ index f7583ab..9941737 100644
  
  # Write /var/lock/makewhatis.lock.
  allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
-@@ -340,9 +401,13 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
+@@ -340,9 +402,13 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
  filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
  files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
  
@@ -22391,7 +22393,7 @@ index f7583ab..9941737 100644
  
  kernel_read_kernel_sysctls(system_cronjob_t)
  kernel_read_system_state(system_cronjob_t)
-@@ -365,6 +430,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t)
+@@ -365,6 +431,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t)
  dev_getattr_all_blk_files(system_cronjob_t)
  dev_getattr_all_chr_files(system_cronjob_t)
  dev_read_urand(system_cronjob_t)
@@ -22399,7 +22401,7 @@ index f7583ab..9941737 100644
  
  fs_getattr_all_fs(system_cronjob_t)
  fs_getattr_all_files(system_cronjob_t)
-@@ -391,6 +457,7 @@ files_dontaudit_search_pids(system_cronjob_t)
+@@ -391,6 +458,7 @@ files_dontaudit_search_pids(system_cronjob_t)
  # Access other spool directories like
  # /var/spool/anacron and /var/spool/slrnpull.
  files_manage_generic_spool(system_cronjob_t)
@@ -22407,7 +22409,7 @@ index f7583ab..9941737 100644
  
  init_use_script_fds(system_cronjob_t)
  init_read_utmp(system_cronjob_t)
-@@ -413,8 +480,10 @@ miscfiles_manage_man_pages(system_cronjob_t)
+@@ -413,8 +481,10 @@ miscfiles_manage_man_pages(system_cronjob_t)
  
  seutil_read_config(system_cronjob_t)
  
@@ -22419,7 +22421,7 @@ index f7583ab..9941737 100644
  	# via redirection of standard out.
  	optional_policy(`
  		rpm_manage_log(system_cronjob_t)
-@@ -439,6 +508,8 @@ optional_policy(`
+@@ -439,6 +509,8 @@ optional_policy(`
  	apache_read_config(system_cronjob_t)
  	apache_read_log(system_cronjob_t)
  	apache_read_sys_content(system_cronjob_t)
@@ -22428,7 +22430,7 @@ index f7583ab..9941737 100644
  ')
  
  optional_policy(`
-@@ -446,6 +517,14 @@ optional_policy(`
+@@ -446,6 +518,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -22443,7 +22445,7 @@ index f7583ab..9941737 100644
  	ftp_read_log(system_cronjob_t)
  ')
  
-@@ -456,15 +535,24 @@ optional_policy(`
+@@ -456,15 +536,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -22468,7 +22470,7 @@ index f7583ab..9941737 100644
  ')
  
  optional_policy(`
-@@ -480,7 +568,7 @@ optional_policy(`
+@@ -480,7 +569,7 @@ optional_policy(`
  	prelink_manage_lib(system_cronjob_t)
  	prelink_manage_log(system_cronjob_t)
  	prelink_read_cache(system_cronjob_t)
@@ -22477,7 +22479,7 @@ index f7583ab..9941737 100644
  ')
  
  optional_policy(`
-@@ -495,6 +583,7 @@ optional_policy(`
+@@ -495,6 +584,7 @@ optional_policy(`
  
  optional_policy(`
  	spamassassin_manage_lib_files(system_cronjob_t)
@@ -22485,7 +22487,7 @@ index f7583ab..9941737 100644
  ')
  
  optional_policy(`
-@@ -502,7 +591,13 @@ optional_policy(`
+@@ -502,7 +592,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -22499,7 +22501,7 @@ index f7583ab..9941737 100644
  	userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
  ')
  
-@@ -595,9 +690,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
+@@ -595,9 +691,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
  #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
  
  list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
@@ -30332,7 +30334,7 @@ index 256166a..15daf47 100644
  
  /usr/lib(64)?/sendmail	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
 diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
-index 343cee3..2f948ad 100644
+index 343cee3..3d7edf0 100644
 --- a/policy/modules/services/mta.if
 +++ b/policy/modules/services/mta.if
 @@ -37,9 +37,9 @@ interface(`mta_stub',`
@@ -30346,7 +30348,15 @@ index 343cee3..2f948ad 100644
  	gen_require(`
  		attribute user_mail_domain;
  		type sendmail_exec_t;
-@@ -158,6 +158,7 @@ template(`mta_base_mail_template',`
+@@ -104,6 +104,7 @@ template(`mta_base_mail_template',`
+ 
+ 	optional_policy(`
+ 		postfix_domtrans_user_mail_handler($1_mail_t)
++		postfix_rw_master_pipes($1_mail_t)
+ 	')
+ 
+ 	optional_policy(`
+@@ -158,6 +159,7 @@ template(`mta_base_mail_template',`
  ##	User domain for the role
  ##	</summary>
  ## </param>
@@ -30354,7 +30364,7 @@ index 343cee3..2f948ad 100644
  #
  interface(`mta_role',`
  	gen_require(`
-@@ -169,7 +170,7 @@ interface(`mta_role',`
+@@ -169,7 +171,7 @@ interface(`mta_role',`
  
  	# Transition from the user domain to the derived domain.
  	domtrans_pattern($2, sendmail_exec_t, user_mail_t)
@@ -30363,7 +30373,7 @@ index 343cee3..2f948ad 100644
  
  	allow mta_user_agent $2:fd use;
  	allow mta_user_agent $2:process sigchld;
-@@ -220,6 +221,25 @@ interface(`mta_agent_executable',`
+@@ -220,6 +222,25 @@ interface(`mta_agent_executable',`
  	application_executable_file($1)
  ')
  
@@ -30389,7 +30399,7 @@ index 343cee3..2f948ad 100644
  ########################################
  ## <summary>
  ##	Make the specified type by a system MTA.
-@@ -306,7 +326,6 @@ interface(`mta_mailserver_sender',`
+@@ -306,7 +327,6 @@ interface(`mta_mailserver_sender',`
  interface(`mta_mailserver_delivery',`
  	gen_require(`
  		attribute mailserver_delivery;
@@ -30397,7 +30407,7 @@ index 343cee3..2f948ad 100644
  	')
  
  	typeattribute $1 mailserver_delivery;
-@@ -330,12 +349,6 @@ interface(`mta_mailserver_user_agent',`
+@@ -330,12 +350,6 @@ interface(`mta_mailserver_user_agent',`
  	')
  
  	typeattribute $1 mta_user_agent;
@@ -30410,7 +30420,7 @@ index 343cee3..2f948ad 100644
  ')
  
  ########################################
-@@ -350,9 +363,8 @@ interface(`mta_mailserver_user_agent',`
+@@ -350,9 +364,8 @@ interface(`mta_mailserver_user_agent',`
  #
  interface(`mta_send_mail',`
  	gen_require(`
@@ -30421,7 +30431,7 @@ index 343cee3..2f948ad 100644
  	')
  
  	allow $1 mta_exec_type:lnk_file read_lnk_file_perms;
-@@ -362,6 +374,10 @@ interface(`mta_send_mail',`
+@@ -362,6 +375,10 @@ interface(`mta_send_mail',`
  	allow mta_user_agent $1:fd use;
  	allow mta_user_agent $1:process sigchld;
  	allow mta_user_agent $1:fifo_file rw_fifo_file_perms;
@@ -30432,7 +30442,7 @@ index 343cee3..2f948ad 100644
  ')
  
  ########################################
-@@ -391,12 +407,15 @@ interface(`mta_send_mail',`
+@@ -391,12 +408,15 @@ interface(`mta_send_mail',`
  #
  interface(`mta_sendmail_domtrans',`
  	gen_require(`
@@ -30450,7 +30460,7 @@ index 343cee3..2f948ad 100644
  ')
  
  ########################################
-@@ -409,7 +428,6 @@ interface(`mta_sendmail_domtrans',`
+@@ -409,7 +429,6 @@ interface(`mta_sendmail_domtrans',`
  ##	</summary>
  ## </param>
  #
@@ -30458,7 +30468,7 @@ index 343cee3..2f948ad 100644
  interface(`mta_signal_system_mail',`
  	gen_require(`
  		type system_mail_t;
-@@ -420,6 +438,24 @@ interface(`mta_signal_system_mail',`
+@@ -420,6 +439,24 @@ interface(`mta_signal_system_mail',`
  
  ########################################
  ## <summary>
@@ -30483,7 +30493,7 @@ index 343cee3..2f948ad 100644
  ##	Execute sendmail in the caller domain.
  ## </summary>
  ## <param name="domain">
-@@ -474,7 +510,8 @@ interface(`mta_write_config',`
+@@ -474,7 +511,8 @@ interface(`mta_write_config',`
  		type etc_mail_t;
  	')
  
@@ -30493,7 +30503,7 @@ index 343cee3..2f948ad 100644
  ')
  
  ########################################
-@@ -552,7 +589,7 @@ interface(`mta_rw_aliases',`
+@@ -552,7 +590,7 @@ interface(`mta_rw_aliases',`
  	')
  
  	files_search_etc($1)
@@ -30502,7 +30512,7 @@ index 343cee3..2f948ad 100644
  ')
  
  #######################################
-@@ -646,8 +683,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
+@@ -646,8 +684,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
  
  	files_dontaudit_search_spool($1)
  	dontaudit $1 mail_spool_t:dir search_dir_perms;
@@ -30513,7 +30523,7 @@ index 343cee3..2f948ad 100644
  ')
  
  #######################################
-@@ -697,8 +734,8 @@ interface(`mta_rw_spool',`
+@@ -697,8 +735,8 @@ interface(`mta_rw_spool',`
  
  	files_search_spool($1)
  	allow $1 mail_spool_t:dir list_dir_perms;
@@ -30524,7 +30534,7 @@ index 343cee3..2f948ad 100644
  	read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
  ')
  
-@@ -838,7 +875,7 @@ interface(`mta_dontaudit_rw_queue',`
+@@ -838,7 +876,7 @@ interface(`mta_dontaudit_rw_queue',`
  	')
  
  	dontaudit $1 mqueue_spool_t:dir search_dir_perms;
@@ -30533,7 +30543,7 @@ index 343cee3..2f948ad 100644
  ')
  
  ########################################
-@@ -899,3 +936,50 @@ interface(`mta_rw_user_mail_stream_sockets',`
+@@ -899,3 +937,50 @@ interface(`mta_rw_user_mail_stream_sockets',`
  
  	allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
  ')
@@ -32171,7 +32181,7 @@ index 23c769c..be5a5b4 100644
 +	admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
  ')
 diff --git a/policy/modules/services/nslcd.te b/policy/modules/services/nslcd.te
-index 4e28d58..5b9cf6d 100644
+index 4e28d58..1835068 100644
 --- a/policy/modules/services/nslcd.te
 +++ b/policy/modules/services/nslcd.te
 @@ -16,7 +16,7 @@ type nslcd_var_run_t;
@@ -32192,11 +32202,12 @@ index 4e28d58..5b9cf6d 100644
  allow nslcd_t self:unix_stream_socket create_stream_socket_perms;
  
  allow nslcd_t nslcd_conf_t:file read_file_perms;
-@@ -37,9 +37,12 @@ files_pid_filetrans(nslcd_t, nslcd_var_run_t, { file dir })
+@@ -37,9 +37,13 @@ files_pid_filetrans(nslcd_t, nslcd_var_run_t, { file dir })
  kernel_read_system_state(nslcd_t)
  
  files_read_etc_files(nslcd_t)
 +files_read_usr_symlinks(nslcd_t)
++files_list_tmp(nslcd_t)
  
  auth_use_nsswitch(nslcd_t)
  
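Review bot: The added `files_list_tmp(nslcd_t)` in nslcd.te carries no comment saying why a name-service daemon needs to list /tmp. The commit description gives the reason (nslcd_t is looking for Kerberos credential cache files), so I would record it next to the rule, e.g. `# nslcd looks for kerberos credential caches in /tmp`. List access lets nslcd_t see the names of every entry in /tmp, so it is worth confirming from the denial that list, and not only search, was what was refused. The nslcd.te section continues outside this hunk.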
@@ -34421,7 +34432,7 @@ index 55e62d2..6082184 100644
  /var/spool/postfix/pid/.*	gen_context(system_u:object_r:postfix_var_run_t,s0)
  /var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
 diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if
-index 46bee12..9b8c3eb 100644
+index 46bee12..37bd751 100644
 --- a/policy/modules/services/postfix.if
 +++ b/policy/modules/services/postfix.if
 @@ -34,8 +34,9 @@ template(`postfix_domain_template',`
@@ -34523,7 +34534,7 @@ index 46bee12..9b8c3eb 100644
 +		type postfix_master_t;
 +	')
 +
-+	allow $1 postfix_master_t:fifo_file rw_fifo_file_perms;
++	allow $1 postfix_master_t:fifo_file rw_inherited_fifo_file_perms;
 +')
 +
 +########################################
@@ -35638,7 +35649,7 @@ index b64b02f..166e9c3 100644
 +	read_files_pattern($1, procmail_home_t, procmail_home_t)
 +')
 diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te
-index 29b9295..2a70dd1 100644
+index 29b9295..609ff86 100644
 --- a/policy/modules/services/procmail.te
 +++ b/policy/modules/services/procmail.te
 @@ -10,6 +10,9 @@ type procmail_exec_t;
@@ -35687,17 +35698,18 @@ index 29b9295..2a70dd1 100644
  
  mta_manage_spool(procmail_t)
  mta_read_queue(procmail_t)
-@@ -128,6 +137,10 @@ optional_policy(`
- ')
- 
- optional_policy(`
-+	nagios_search_spool(procmail_t)
+@@ -125,6 +134,11 @@ optional_policy(`
+ 	postfix_read_spool_files(procmail_t)
+ 	postfix_read_local_state(procmail_t)
+ 	postfix_read_master_state(procmail_t)
++	postfix_rw_master_pipes(procmail_t)
 +')
 +
 +optional_policy(`
- 	pyzor_domtrans(procmail_t)
- 	pyzor_signal(procmail_t)
++	nagios_search_spool(procmail_t)
  ')
+ 
+ optional_policy(`
 diff --git a/policy/modules/services/psad.if b/policy/modules/services/psad.if
 index bc329d1..0589f97 100644
 --- a/policy/modules/services/psad.if
@@ -39193,7 +39205,7 @@ index 82cb169..9e72970 100644
 +	admin_pattern($1, samba_unconfined_script_exec_t)
  ')
 diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
-index e30bb63..ef1edc6 100644
+index e30bb63..b931194 100644
 --- a/policy/modules/services/samba.te
 +++ b/policy/modules/services/samba.te
 @@ -152,9 +152,6 @@ domain_entry_file(winbind_helper_t, winbind_helper_exec_t)
@@ -39218,7 +39230,7 @@ index e30bb63..ef1edc6 100644
  # smbd Local policy
  #
 -allow smbd_t self:capability { chown fowner setgid setuid sys_nice sys_resource lease dac_override dac_read_search };
-+allow smbd_t self:capability { chown fowner kill setgid setuid sys_nice sys_admin sys_resource lease dac_override dac_read_search };
++allow smbd_t self:capability { chown fowner kill setgid setuid sys_chroot sys_nice sys_admin sys_resource lease dac_override dac_read_search };
  dontaudit smbd_t self:capability sys_tty_config;
  allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow smbd_t self:process setrlimit;
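Review bot: `sys_chroot` is added to the smbd_t capability set without a comment, and the commit description shown for this change does not mention Samba. smbd_t already holds `sys_admin`, `dac_override` and `dac_read_search` on this line, so each further capability should carry its justification. I would add a comment above the rule such as `# sys_chroot: <denial or bug reference>` and a matching changelog entry. If the capability is only needed in a particular configuration, a tunable would be a better home than an unconditional grant; that depends on the denial behind it, which is not visible here.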
@@ -40856,7 +40868,7 @@ index 078bcd7..2d60774 100644
 +/root/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
 +/root/\.shosts				gen_context(system_u:object_r:ssh_home_t,s0)
 diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
-index 22adaca..d9913e0 100644
+index 22adaca..0f2729b 100644
 --- a/policy/modules/services/ssh.if
 +++ b/policy/modules/services/ssh.if
 @@ -32,10 +32,10 @@
@@ -41058,17 +41070,19 @@ index 22adaca..d9913e0 100644
  
  	libs_read_lib_files($1_ssh_agent_t)
  
-@@ -398,9 +413,6 @@ template(`ssh_role_template',`
+@@ -398,9 +413,8 @@ template(`ssh_role_template',`
  	# for the transition back to normal privs upon exec
  	userdom_search_user_home_content($1_ssh_agent_t)
  	userdom_user_home_domtrans($1_ssh_agent_t, $3)
 -	allow $3 $1_ssh_agent_t:fd use;
 -	allow $3 $1_ssh_agent_t:fifo_file rw_file_perms;
 -	allow $3 $1_ssh_agent_t:process sigchld;
++
++	ssh_run_keygen($3,$2)
  
  	tunable_policy(`use_nfs_home_dirs',`
  		fs_manage_nfs_files($1_ssh_agent_t)
-@@ -477,8 +489,9 @@ interface(`ssh_read_pipes',`
+@@ -477,8 +491,9 @@ interface(`ssh_read_pipes',`
  		type sshd_t;
  	')
  
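Review bot: The new call `ssh_run_keygen($3,$2)` in ssh_role_template lets every user domain built from this template run ssh-keygen in ssh_keygen_t, and nothing in the hunk says why. The definition of ssh_run_keygen is outside this hunk, so please confirm that its parameter order is (domain, role), which is what `$3, $2` assumes. To match the neighbouring `userdom_user_home_domtrans($1_ssh_agent_t, $3)` I would write it as `ssh_run_keygen($3, $2)` with a short comment, e.g. `# users run ssh-keygen to create their own keys`, if that is the intent.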
@@ -41079,7 +41093,7 @@ index 22adaca..d9913e0 100644
  ########################################
  ## <summary>
  ##	Read and write a ssh server unnamed pipe.
-@@ -494,7 +507,7 @@ interface(`ssh_rw_pipes',`
+@@ -494,7 +509,7 @@ interface(`ssh_rw_pipes',`
  		type sshd_t;
  	')
  
@@ -41088,7 +41102,7 @@ index 22adaca..d9913e0 100644
  ')
  
  ########################################
-@@ -586,6 +599,24 @@ interface(`ssh_domtrans',`
+@@ -586,6 +601,24 @@ interface(`ssh_domtrans',`
  
  ########################################
  ## <summary>
@@ -41113,7 +41127,7 @@ index 22adaca..d9913e0 100644
  ##	Execute the ssh client in the caller domain.
  ## </summary>
  ## <param name="domain">
-@@ -618,7 +649,7 @@ interface(`ssh_setattr_key_files',`
+@@ -618,7 +651,7 @@ interface(`ssh_setattr_key_files',`
  		type sshd_key_t;
  	')
  
@@ -41122,7 +41136,7 @@ index 22adaca..d9913e0 100644
  	files_search_pids($1)
  ')
  
-@@ -680,6 +711,32 @@ interface(`ssh_domtrans_keygen',`
+@@ -680,6 +713,32 @@ interface(`ssh_domtrans_keygen',`
  	domtrans_pattern($1, ssh_keygen_exec_t, ssh_keygen_t)
  ')
  
@@ -41155,7 +41169,7 @@ index 22adaca..d9913e0 100644
  ########################################
  ## <summary>
  ##	Read ssh server keys
-@@ -695,7 +752,7 @@ interface(`ssh_dontaudit_read_server_keys',`
+@@ -695,7 +754,7 @@ interface(`ssh_dontaudit_read_server_keys',`
  		type sshd_key_t;
  	')
  
@@ -41164,7 +41178,7 @@ index 22adaca..d9913e0 100644
  ')
  
  ######################################
-@@ -735,3 +792,21 @@ interface(`ssh_delete_tmp',`
+@@ -735,3 +794,21 @@ interface(`ssh_delete_tmp',`
  	files_search_tmp($1)
  	delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
  ')
@@ -41187,7 +41201,7 @@ index 22adaca..d9913e0 100644
 +	allow $1 sshd_t:process signull;
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 2dad3c8..503a845 100644
+index 2dad3c8..8da0601 100644
 --- a/policy/modules/services/ssh.te
 +++ b/policy/modules/services/ssh.te
 @@ -6,26 +6,32 @@ policy_module(ssh, 2.2.0)
@@ -41515,7 +41529,7 @@ index 2dad3c8..503a845 100644
  ') dnl endif TODO
  
  ########################################
-@@ -322,14 +369,18 @@ tunable_policy(`ssh_sysadm_login',`
+@@ -322,19 +369,25 @@ tunable_policy(`ssh_sysadm_login',`
  # ssh_keygen_t is the type of the ssh-keygen program when run at install time
  # and by sysadm_t
  
@@ -41531,11 +41545,18 @@ index 2dad3c8..503a845 100644
 +manage_dirs_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t)
 +manage_files_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t)
 +userdom_admin_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir)
++userdom_user_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir)
 +
  kernel_read_kernel_sysctls(ssh_keygen_t)
  
  fs_search_auto_mountpoints(ssh_keygen_t)
-@@ -353,7 +404,7 @@ logging_send_syslog_msg(ssh_keygen_t)
+ 
+ dev_read_sysfs(ssh_keygen_t)
++dev_read_rand(ssh_keygen_t)
+ dev_read_urand(ssh_keygen_t)
+ 
+ term_dontaudit_use_console(ssh_keygen_t)
+@@ -353,7 +406,7 @@ logging_send_syslog_msg(ssh_keygen_t)
  userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
  
  optional_policy(`
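Review bot: `userdom_user_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir)` carries no name argument, so as written any directory ssh_keygen_t creates directly in a user home directory would be labelled ssh_home_t, not only ~/.ssh. That is presumably the intent, but it should be stated, e.g. `# ssh-keygen creates ~/.ssh when it does not exist`. The added `dev_read_rand(ssh_keygen_t)` matches the SSH_USE_STRONG_RNG item in the commit description and deserves the same kind of one-line comment, since reads of /dev/random can block when entropy is low. Both rules sit in a section of ssh.te that continues outside the hunk.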
@@ -42691,10 +42712,10 @@ index 2124b6a..6546d6e 100644
  
  /var/vdsm(/.*)?			gen_context(system_u:object_r:virt_var_run_t,s0)
 diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if
-index 7c5d8d8..d885f6b 100644
+index 7c5d8d8..9b24cb5 100644
 --- a/policy/modules/services/virt.if
 +++ b/policy/modules/services/virt.if
-@@ -13,14 +13,14 @@
+@@ -13,14 +13,15 @@
  #
  template(`virt_domain_template',`
  	gen_require(`
@@ -42702,6 +42723,7 @@ index 7c5d8d8..d885f6b 100644
 -		attribute virt_image_type;
 -		attribute virt_domain;
 +		attribute virt_image_type, virt_domain;
++		attribute virt_tmpfs_type;
  	')
  
  	type $1_t, virt_domain;
@@ -42712,7 +42734,14 @@ index 7c5d8d8..d885f6b 100644
  	role system_r types $1_t;
  
  	type $1_devpts_t;
-@@ -35,17 +35,18 @@ template(`virt_domain_template',`
+@@ -29,23 +30,24 @@ template(`virt_domain_template',`
+ 	type $1_tmp_t;
+ 	files_tmp_file($1_tmp_t)
+ 
+-	type $1_tmpfs_t;
++	type $1_tmpfs_t, virt_tmpfs_type;
+ 	files_tmpfs_file($1_tmpfs_t)
+ 
  	type $1_image_t, virt_image_type;
  	files_type($1_image_t)
  	dev_node($1_image_t)
@@ -42735,7 +42764,7 @@ index 7c5d8d8..d885f6b 100644
  
  	manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
  	manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
-@@ -57,18 +58,6 @@ template(`virt_domain_template',`
+@@ -57,18 +59,6 @@ template(`virt_domain_template',`
  	manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
  	fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file })
  
@@ -42754,7 +42783,7 @@ index 7c5d8d8..d885f6b 100644
  	optional_policy(`
  		xserver_rw_shm($1_t)
  	')
-@@ -101,9 +90,9 @@ interface(`virt_image',`
+@@ -101,9 +91,9 @@ interface(`virt_image',`
  ##	Execute a domain transition to run virt.
  ## </summary>
  ## <param name="domain">
@@ -42766,7 +42795,7 @@ index 7c5d8d8..d885f6b 100644
  ## </param>
  #
  interface(`virt_domtrans',`
-@@ -164,13 +153,13 @@ interface(`virt_attach_tun_iface',`
+@@ -164,13 +154,13 @@ interface(`virt_attach_tun_iface',`
  #
  interface(`virt_read_config',`
  	gen_require(`
@@ -42782,7 +42811,7 @@ index 7c5d8d8..d885f6b 100644
  ')
  
  ########################################
-@@ -185,13 +174,13 @@ interface(`virt_read_config',`
+@@ -185,13 +175,13 @@ interface(`virt_read_config',`
  #
  interface(`virt_manage_config',`
  	gen_require(`
@@ -42798,7 +42827,7 @@ index 7c5d8d8..d885f6b 100644
  ')
  
  ########################################
-@@ -231,6 +220,24 @@ interface(`virt_read_content',`
+@@ -231,6 +221,24 @@ interface(`virt_read_content',`
  
  ########################################
  ## <summary>
@@ -42823,7 +42852,7 @@ index 7c5d8d8..d885f6b 100644
  ##	Read virt PID files.
  ## </summary>
  ## <param name="domain">
-@@ -269,6 +276,36 @@ interface(`virt_manage_pid_files',`
+@@ -269,6 +277,36 @@ interface(`virt_manage_pid_files',`
  
  ########################################
  ## <summary>
@@ -42860,7 +42889,7 @@ index 7c5d8d8..d885f6b 100644
  ##	Search virt lib directories.
  ## </summary>
  ## <param name="domain">
-@@ -308,6 +345,24 @@ interface(`virt_read_lib_files',`
+@@ -308,6 +346,24 @@ interface(`virt_read_lib_files',`
  
  ########################################
  ## <summary>
@@ -42885,7 +42914,7 @@ index 7c5d8d8..d885f6b 100644
  ##	Create, read, write, and delete
  ##	virt lib files.
  ## </summary>
-@@ -352,9 +407,9 @@ interface(`virt_read_log',`
+@@ -352,9 +408,9 @@ interface(`virt_read_log',`
  ##	virt log files.
  ## </summary>
  ## <param name="domain">
@@ -42897,7 +42926,7 @@ index 7c5d8d8..d885f6b 100644
  ## </param>
  #
  interface(`virt_append_log',`
-@@ -424,6 +479,24 @@ interface(`virt_read_images',`
+@@ -424,6 +480,24 @@ interface(`virt_read_images',`
  
  ########################################
  ## <summary>
@@ -42922,7 +42951,7 @@ index 7c5d8d8..d885f6b 100644
  ##	Create, read, write, and delete
  ##	svirt cache files.
  ## </summary>
-@@ -433,15 +506,15 @@ interface(`virt_read_images',`
+@@ -433,15 +507,15 @@ interface(`virt_read_images',`
  ##	</summary>
  ## </param>
  #
@@ -42943,7 +42972,7 @@ index 7c5d8d8..d885f6b 100644
  ')
  
  ########################################
-@@ -516,3 +589,107 @@ interface(`virt_admin',`
+@@ -516,3 +590,144 @@ interface(`virt_admin',`
  
  	virt_manage_log($1)
  ')
@@ -43051,11 +43080,48 @@ index 7c5d8d8..d885f6b 100644
 +	manage_files_pattern($1, virt_home_t, virt_home_t)
 +')
 +
++########################################
++## <summary>
++##	allow domain to read
++##	virt tmpfs files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access
++##	</summary>
++## </param>
++#
++interface(`virt_read_tmpfs_files',`
++	gen_require(`
++		attribute virt_tmpfs_type;
++	')
++
++	allow $1 virt_tmpfs_type:file read_file_perms;
++')
++
++########################################
++## <summary>
++##	allow domain to manage
++##	virt tmpfs files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access
++##	</summary>
++## </param>
++#
++interface(`virt_manage_tmpfs_files',`
++	gen_require(`
++		attribute virt_tmpfs_type;
++	')
++
++	allow $1 virt_tmpfs_type:file manage_file_perms;
++')
 diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..cb878ae 100644
+index 3eca020..9d3bc6d 100644
 --- a/policy/modules/services/virt.te
 +++ b/policy/modules/services/virt.te
-@@ -5,80 +5,97 @@ policy_module(virt, 1.4.0)
+@@ -5,56 +5,66 @@ policy_module(virt, 1.4.0)
  # Declarations
  #
  
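Review bot: `virt_read_tmpfs_files` and `virt_manage_tmpfs_files` grant access with a bare `allow $1 virt_tmpfs_type:file ...;`, which covers the tmpfs files of every domain created by virt_domain_template and includes no directory search. The template itself uses the `manage_*_pattern` macros for these types, so I would use `read_files_pattern($1, virt_tmpfs_type, virt_tmpfs_type)` and `manage_files_pattern($1, virt_tmpfs_type, virt_tmpfs_type)` plus `fs_search_tmpfs($1)`, or else document that callers must supply the search permission. The summaries should also follow the style of the other interfaces visible in this patch: `Read virt tmpfs files.`, `Manage virt tmpfs files.` and `Domain allowed access.` with the closing period.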
@@ -43136,13 +43202,14 @@ index 3eca020..cb878ae 100644
 -
  attribute virt_domain;
  attribute virt_image_type;
- 
++attribute virt_tmpfs_type;
++
 +type virt_cache_t alias svirt_cache_t;
 +files_type(virt_cache_t)
-+
+ 
  type virt_etc_t;
  files_config_file(virt_etc_t)
- 
+@@ -62,23 +72,31 @@ files_config_file(virt_etc_t)
  type virt_etc_rw_t;
  files_type(virt_etc_rw_t)
  
@@ -43175,7 +43242,7 @@ index 3eca020..cb878ae 100644
  
  type virtd_t;
  type virtd_exec_t;
-@@ -89,6 +106,11 @@ domain_subj_id_change_exemption(virtd_t)
+@@ -89,6 +107,11 @@ domain_subj_id_change_exemption(virtd_t)
  type virtd_initrc_exec_t;
  init_script_file(virtd_initrc_exec_t)
  
@@ -43187,7 +43254,7 @@ index 3eca020..cb878ae 100644
  ifdef(`enable_mcs',`
  	init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
  ')
-@@ -104,15 +126,12 @@ ifdef(`enable_mls',`
+@@ -104,15 +127,12 @@ ifdef(`enable_mls',`
  
  allow svirt_t self:udp_socket create_socket_perms;
  
@@ -43204,7 +43271,7 @@ index 3eca020..cb878ae 100644
  fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file)
  
  list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
-@@ -133,6 +152,8 @@ dev_list_sysfs(svirt_t)
+@@ -133,6 +153,8 @@ dev_list_sysfs(svirt_t)
  userdom_search_user_home_content(svirt_t)
  userdom_read_user_home_content_symlinks(svirt_t)
  userdom_read_all_users_state(svirt_t)
@@ -43213,7 +43280,7 @@ index 3eca020..cb878ae 100644
  
  tunable_policy(`virt_use_comm',`
  	term_use_unallocated_ttys(svirt_t)
-@@ -147,11 +168,15 @@ tunable_policy(`virt_use_fusefs',`
+@@ -147,11 +169,15 @@ tunable_policy(`virt_use_fusefs',`
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(svirt_t)
  	fs_manage_nfs_files(svirt_t)
@@ -43229,7 +43296,7 @@ index 3eca020..cb878ae 100644
  ')
  
  tunable_policy(`virt_use_sysfs',`
-@@ -160,11 +185,22 @@ tunable_policy(`virt_use_sysfs',`
+@@ -160,11 +186,22 @@ tunable_policy(`virt_use_sysfs',`
  
  tunable_policy(`virt_use_usb',`
  	dev_rw_usbfs(svirt_t)
@@ -43252,7 +43319,7 @@ index 3eca020..cb878ae 100644
  	xen_rw_image_files(svirt_t)
  ')
  
-@@ -174,21 +210,33 @@ optional_policy(`
+@@ -174,21 +211,33 @@ optional_policy(`
  #
  
  allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
@@ -43290,7 +43357,7 @@ index 3eca020..cb878ae 100644
  
  read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
  read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -200,8 +248,14 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
+@@ -200,8 +249,14 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
  
  manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
  manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
@@ -43307,7 +43374,7 @@ index 3eca020..cb878ae 100644
  
  manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
  manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
-@@ -220,6 +274,7 @@ files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
+@@ -220,6 +275,7 @@ files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
  kernel_read_system_state(virtd_t)
  kernel_read_network_state(virtd_t)
  kernel_rw_net_sysctls(virtd_t)
@@ -43315,7 +43382,7 @@ index 3eca020..cb878ae 100644
  kernel_request_load_module(virtd_t)
  kernel_search_debugfs(virtd_t)
  
-@@ -239,22 +294,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
+@@ -239,22 +295,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
  corenet_rw_tun_tap_dev(virtd_t)
  
  dev_rw_sysfs(virtd_t)
@@ -43348,7 +43415,7 @@ index 3eca020..cb878ae 100644
  
  fs_list_auto_mountpoints(virtd_t)
  fs_getattr_xattr_fs(virtd_t)
-@@ -262,6 +326,18 @@ fs_rw_anon_inodefs_files(virtd_t)
+@@ -262,6 +327,18 @@ fs_rw_anon_inodefs_files(virtd_t)
  fs_list_inotifyfs(virtd_t)
  fs_manage_cgroup_dirs(virtd_t)
  fs_rw_cgroup_files(virtd_t)
@@ -43367,7 +43434,7 @@ index 3eca020..cb878ae 100644
  
  mcs_process_set_categories(virtd_t)
  
-@@ -285,16 +361,30 @@ modutils_read_module_config(virtd_t)
+@@ -285,16 +362,30 @@ modutils_read_module_config(virtd_t)
  modutils_manage_module_config(virtd_t)
  
  logging_send_syslog_msg(virtd_t)
@@ -43398,7 +43465,7 @@ index 3eca020..cb878ae 100644
  
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virtd_t)
-@@ -313,6 +403,10 @@ optional_policy(`
+@@ -313,6 +404,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -43409,7 +43476,7 @@ index 3eca020..cb878ae 100644
  	dbus_system_bus_client(virtd_t)
  
  	optional_policy(`
-@@ -329,6 +423,10 @@ optional_policy(`
+@@ -329,6 +424,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -43420,7 +43487,7 @@ index 3eca020..cb878ae 100644
  	dnsmasq_domtrans(virtd_t)
  	dnsmasq_signal(virtd_t)
  	dnsmasq_kill(virtd_t)
-@@ -365,6 +463,8 @@ optional_policy(`
+@@ -365,6 +464,8 @@ optional_policy(`
  	qemu_signal(virtd_t)
  	qemu_kill(virtd_t)
  	qemu_setsched(virtd_t)
@@ -43429,7 +43496,7 @@ index 3eca020..cb878ae 100644
  ')
  
  optional_policy(`
-@@ -394,14 +494,26 @@ optional_policy(`
+@@ -394,14 +495,26 @@ optional_policy(`
  # virtual domains common policy
  #
  
@@ -43458,7 +43525,7 @@ index 3eca020..cb878ae 100644
  append_files_pattern(virt_domain, virt_log_t, virt_log_t)
  
  append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
-@@ -422,6 +534,7 @@ corenet_rw_tun_tap_dev(virt_domain)
+@@ -422,6 +535,7 @@ corenet_rw_tun_tap_dev(virt_domain)
  corenet_tcp_bind_virt_migration_port(virt_domain)
  corenet_tcp_connect_virt_migration_port(virt_domain)
  
@@ -43466,7 +43533,7 @@ index 3eca020..cb878ae 100644
  dev_read_rand(virt_domain)
  dev_read_sound(virt_domain)
  dev_read_urand(virt_domain)
-@@ -429,10 +542,12 @@ dev_write_sound(virt_domain)
+@@ -429,10 +543,12 @@ dev_write_sound(virt_domain)
  dev_rw_ksm(virt_domain)
  dev_rw_kvm(virt_domain)
  dev_rw_qemu(virt_domain)
@@ -43479,7 +43546,7 @@ index 3eca020..cb878ae 100644
  files_read_usr_files(virt_domain)
  files_read_var_files(virt_domain)
  files_search_all(virt_domain)
-@@ -440,6 +555,14 @@ files_search_all(virt_domain)
+@@ -440,6 +556,14 @@ files_search_all(virt_domain)
  fs_getattr_tmpfs(virt_domain)
  fs_rw_anon_inodefs_files(virt_domain)
  fs_rw_tmpfs_files(virt_domain)
@@ -43494,7 +43561,7 @@ index 3eca020..cb878ae 100644
  
  term_use_all_terms(virt_domain)
  term_getattr_pty_fs(virt_domain)
-@@ -457,8 +580,117 @@ optional_policy(`
+@@ -457,8 +581,117 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -46631,10 +46698,10 @@ index f9a06d2..3d407c6 100644
  
  files_read_etc_files(zos_remote_t)
 diff --git a/policy/modules/system/application.if b/policy/modules/system/application.if
-index ac50333..9017b02 100644
+index ac50333..b784a12 100644
 --- a/policy/modules/system/application.if
 +++ b/policy/modules/system/application.if
-@@ -130,3 +130,75 @@ interface(`application_signull',`
+@@ -130,3 +130,93 @@ interface(`application_signull',`
  
  	allow $1 application_domain_type:process signull;
  ')
@@ -46710,6 +46777,24 @@ index ac50333..9017b02 100644
 +
 +	allow $1 application_domain_type:process signal;
 +')
++
++########################################
++## <summary>
++##	Getattr all application sockets.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`application_getattr_socket',`
++	gen_require(`
++		attribute application_domain_type;
++	')
++
++	allow $1 application_domain_type:socket_class_set getattr;
++')
 diff --git a/policy/modules/system/application.te b/policy/modules/system/application.te
 index 88df85d..2fa3974 100644
 --- a/policy/modules/system/application.te
@@ -46766,7 +46851,7 @@ index 2952cef..d845132 100644
  /var/run/pam_ssh(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
  /var/run/sepermit(/.*)? 	gen_context(system_u:object_r:pam_var_run_t,s0)
 diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 42b4f0f..3c1892d 100644
+index 42b4f0f..3e15a8c 100644
 --- a/policy/modules/system/authlogin.if
 +++ b/policy/modules/system/authlogin.if
 @@ -57,6 +57,8 @@ interface(`auth_use_pam',`
@@ -46947,10 +47032,14 @@ index 42b4f0f..3c1892d 100644
  	typeattribute $1 can_relabelto_shadow_passwords;
  ')
  
-@@ -736,6 +812,46 @@ interface(`auth_rw_faillog',`
- 	allow $1 faillog_t:file rw_file_perms;
- ')
+@@ -733,7 +809,47 @@ interface(`auth_rw_faillog',`
+ 	')
  
+ 	logging_search_logs($1)
+-	allow $1 faillog_t:file rw_file_perms;
++	rw_files_pattern($1, faillog_t, faillog_t)
++')
++
 +########################################
 +## <summary>
 +##	Relabel the login failure log.
@@ -46989,11 +47078,9 @@ index 42b4f0f..3c1892d 100644
 +	files_search_pids($1)
 +	allow $1 faillog_t:dir manage_dir_perms;
 +	allow $1 faillog_t:file manage_file_perms;
-+')
-+
+ ')
+ 
  #######################################
- ## <summary>
- ##	Read the last logins log.
 @@ -874,6 +990,46 @@ interface(`auth_exec_pam',`
  
  ########################################
@@ -48368,7 +48455,7 @@ index cc83689..3388f34 100644
 +')
 +
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index ea29513..a0980c0 100644
+index ea29513..3a08853 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -16,6 +16,34 @@ gen_require(`
@@ -48527,7 +48614,7 @@ index ea29513..a0980c0 100644
  	corecmd_shell_domtrans(init_t, initrc_t)
  ',`
  	# Run the shell in the sysadm role for single-user mode.
-@@ -186,12 +234,109 @@ tunable_policy(`init_upstart',`
+@@ -186,12 +234,113 @@ tunable_policy(`init_upstart',`
  	sysadm_shell_domtrans(init_t)
  ')
  
@@ -48544,6 +48631,7 @@ index ea29513..a0980c0 100644
 +	allow init_t self:netlink_kobject_uevent_socket create_socket_perms; 
 +	# Until systemd is fixed
 +	allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write };
++	allow init_t self:udp_socket create_socket_perms;
 +	allow init_t self:netlink_route_socket create_netlink_socket_perms;
 +
 +	allow init_t initrc_t:unix_dgram_socket create_socket_perms;
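Review bot: `allow init_t self:udp_socket create_socket_perms;` is inserted directly after the rule annotated `# Until systemd is fixed`, so it reads as part of that temporary workaround although nothing says what in init_t needs a UDP socket. I would give it its own comment, e.g. `# <what in systemd opens the UDP socket>`, so that it can be reviewed for removal separately from the daemon socket rule. The enclosing block starts and ends outside this hunk.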
@@ -48569,6 +48657,7 @@ index ea29513..a0980c0 100644
 +	dev_relabel_all_dev_nodes(init_t)
 +	dev_relabel_all_dev_files(init_t)
 +	dev_manage_sysfs_dirs(init_t)
++	dev_relabel_sysfs_dirs(init_t)
 +
 +	files_mounton_all_mountpoints(init_t)
 +	files_unmount_all_file_type_fs(init_t)
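Review bot: Three unexplained changes widen what init_t may relabel: `dev_relabel_sysfs_dirs(init_t)` here, the switch from `fs_relabelfrom_tmpfs_dir`/`fs_relabelto_cgroup_dirs` to `fs_relabel_tmpfs_dirs`/`fs_relabel_cgroup_dirs` in the next hunk, and `term_relabel_ptys_dirs(init_t)` in the hunk after that. Judging by the interface names, the two replacements turn a one-directional relabel into relabel in both directions. The interface definitions are outside these hunks, so that should be confirmed. Because relabel permission lets a domain change the type that other rules key on, I would group these calls under one comment such as `# systemd relabels the directories it sets up at boot (sysfs, pty, tmpfs, cgroup)`, adjusted to what the denials actually showed.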
@@ -48582,13 +48671,13 @@ index ea29513..a0980c0 100644
 +	fs_manage_cgroup_dirs(init_t)
 +	fs_manage_hugetlbfs_dirs(init_t)
 +	fs_manage_tmpfs_dirs(init_t)
-+	fs_relabelfrom_tmpfs_dir(init_t)
++	fs_relabel_tmpfs_dirs(init_t)
 +	fs_mount_all_fs(init_t)
 +	fs_remount_autofs(init_t)
 +	fs_list_auto_mountpoints(init_t)
 +	fs_read_cgroup_files(init_t)
 +	fs_write_cgroup_files(init_t)
-+	fs_relabelto_cgroup_dirs(init_t)
++	fs_relabel_cgroup_dirs(init_t)
 +	fs_search_cgroup_dirs(daemon)
 +
 +	selinux_compute_create_context(init_t)
@@ -48597,6 +48686,8 @@ index ea29513..a0980c0 100644
 +
 +	storage_getattr_removable_dev(init_t)
 +
++	term_relabel_ptys_dirs(init_t)
++
 +	auth_relabel_login_records(init_t)
 +	auth_relabel_pam_console_data_dirs(init_t)
 +
@@ -48637,7 +48728,7 @@ index ea29513..a0980c0 100644
  ')
  
  optional_policy(`
-@@ -199,10 +344,25 @@ optional_policy(`
+@@ -199,10 +348,25 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -48663,7 +48754,7 @@ index ea29513..a0980c0 100644
  	unconfined_domain(init_t)
  ')
  
-@@ -212,7 +372,7 @@ optional_policy(`
+@@ -212,7 +376,7 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -48672,7 +48763,7 @@ index ea29513..a0980c0 100644
  dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
-@@ -241,12 +401,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -241,12 +405,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -48688,7 +48779,7 @@ index ea29513..a0980c0 100644
  
  init_write_initctl(initrc_t)
  
-@@ -258,20 +421,32 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -258,20 +425,32 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -48725,7 +48816,7 @@ index ea29513..a0980c0 100644
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -279,6 +454,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -279,6 +458,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
  
  dev_read_rand(initrc_t)
  dev_read_urand(initrc_t)
@@ -48733,7 +48824,7 @@ index ea29513..a0980c0 100644
  dev_write_kmsg(initrc_t)
  dev_write_rand(initrc_t)
  dev_write_urand(initrc_t)
-@@ -291,6 +467,7 @@ dev_read_sound_mixer(initrc_t)
+@@ -291,6 +471,7 @@ dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
  dev_setattr_all_chr_files(initrc_t)
  dev_rw_lvm_control(initrc_t)
@@ -48741,7 +48832,7 @@ index ea29513..a0980c0 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -298,13 +475,13 @@ dev_manage_generic_files(initrc_t)
+@@ -298,13 +479,13 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -48757,7 +48848,7 @@ index ea29513..a0980c0 100644
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
-@@ -316,6 +493,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -316,6 +497,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -48765,7 +48856,7 @@ index ea29513..a0980c0 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -323,8 +501,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -323,8 +505,10 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -48777,7 +48868,7 @@ index ea29513..a0980c0 100644
  files_delete_all_pids(initrc_t)
  files_delete_all_pid_dirs(initrc_t)
  files_read_etc_files(initrc_t)
-@@ -340,8 +520,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -340,8 +524,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -48791,7 +48882,7 @@ index ea29513..a0980c0 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -351,6 +535,8 @@ fs_mount_all_fs(initrc_t)
+@@ -351,6 +539,8 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -48800,7 +48891,7 @@ index ea29513..a0980c0 100644
  
  # initrc_t needs to do a pidof which requires ptrace
  mcs_ptrace_all(initrc_t)
-@@ -363,6 +549,7 @@ mls_process_read_up(initrc_t)
+@@ -363,6 +553,7 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -48808,7 +48899,7 @@ index ea29513..a0980c0 100644
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -374,6 +561,7 @@ term_use_all_terms(initrc_t)
+@@ -374,6 +565,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -48816,7 +48907,7 @@ index ea29513..a0980c0 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -394,13 +582,12 @@ logging_read_audit_config(initrc_t)
+@@ -394,13 +586,12 @@ logging_read_audit_config(initrc_t)
  
  miscfiles_read_localization(initrc_t)
  # slapd needs to read cert files from its initscript
@@ -48832,7 +48923,7 @@ index ea29513..a0980c0 100644
  userdom_read_user_home_content_files(initrc_t)
  # Allow access to the sysadm TTYs. Note that this will give access to the
  # TTYs to any process in the initrc_t domain. Therefore, daemons and such
-@@ -478,7 +665,7 @@ ifdef(`distro_redhat',`
+@@ -478,7 +669,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -48841,7 +48932,7 @@ index ea29513..a0980c0 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -493,6 +680,7 @@ ifdef(`distro_redhat',`
+@@ -493,6 +684,7 @@ ifdef(`distro_redhat',`
  	files_create_boot_dirs(initrc_t)
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
@@ -48849,7 +48940,7 @@ index ea29513..a0980c0 100644
  	# wants to read /.fonts directory
  	files_read_default_files(initrc_t)
  	files_mountpoint(initrc_tmp_t)
-@@ -524,6 +712,23 @@ ifdef(`distro_redhat',`
+@@ -524,6 +716,23 @@ ifdef(`distro_redhat',`
  	optional_policy(`
  		bind_manage_config_dirs(initrc_t)
  		bind_write_config(initrc_t)
@@ -48873,7 +48964,7 @@ index ea29513..a0980c0 100644
  	')
  
  	optional_policy(`
-@@ -531,10 +736,17 @@ ifdef(`distro_redhat',`
+@@ -531,10 +740,17 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -48891,7 +48982,7 @@ index ea29513..a0980c0 100644
  	')
  
  	optional_policy(`
-@@ -549,6 +761,39 @@ ifdef(`distro_suse',`
+@@ -549,6 +765,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -48931,7 +49022,7 @@ index ea29513..a0980c0 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -561,6 +806,8 @@ optional_policy(`
+@@ -561,6 +810,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -48940,7 +49031,7 @@ index ea29513..a0980c0 100644
  ')
  
  optional_policy(`
-@@ -577,6 +824,7 @@ optional_policy(`
+@@ -577,6 +828,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -48948,7 +49039,7 @@ index ea29513..a0980c0 100644
  ')
  
  optional_policy(`
-@@ -589,6 +837,11 @@ optional_policy(`
+@@ -589,6 +841,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -48960,7 +49051,7 @@ index ea29513..a0980c0 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -605,9 +858,13 @@ optional_policy(`
+@@ -605,9 +862,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -48974,7 +49065,7 @@ index ea29513..a0980c0 100644
  	')
  
  	optional_policy(`
-@@ -649,6 +906,11 @@ optional_policy(`
+@@ -649,6 +910,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -48986,7 +49077,7 @@ index ea29513..a0980c0 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -706,7 +968,13 @@ optional_policy(`
+@@ -706,7 +972,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -49000,7 +49091,7 @@ index ea29513..a0980c0 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -729,6 +997,10 @@ optional_policy(`
+@@ -729,6 +1001,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -49011,7 +49102,7 @@ index ea29513..a0980c0 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -738,10 +1010,20 @@ optional_policy(`
+@@ -738,10 +1014,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -49032,7 +49123,7 @@ index ea29513..a0980c0 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -750,6 +1032,10 @@ optional_policy(`
+@@ -750,6 +1036,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -49043,7 +49134,7 @@ index ea29513..a0980c0 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -771,8 +1057,6 @@ optional_policy(`
+@@ -771,8 +1061,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -49052,7 +49143,7 @@ index ea29513..a0980c0 100644
  ')
  
  optional_policy(`
-@@ -781,14 +1065,21 @@ optional_policy(`
+@@ -781,14 +1069,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -49074,7 +49165,7 @@ index ea29513..a0980c0 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -800,7 +1091,6 @@ optional_policy(`
+@@ -800,7 +1095,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -49082,7 +49173,7 @@ index ea29513..a0980c0 100644
  	udev_manage_pid_files(initrc_t)
  	udev_manage_rules_files(initrc_t)
  ')
-@@ -810,11 +1100,24 @@ optional_policy(`
+@@ -810,11 +1104,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -49108,7 +49199,7 @@ index ea29513..a0980c0 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -824,6 +1127,25 @@ optional_policy(`
+@@ -824,6 +1131,25 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -49134,7 +49225,7 @@ index ea29513..a0980c0 100644
  ')
  
  optional_policy(`
-@@ -849,3 +1171,42 @@ optional_policy(`
+@@ -849,3 +1175,42 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -53461,10 +53552,10 @@ index 0000000..aabfb0d
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..3c7493b
+index 0000000..10cd4b2
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,168 @@
+@@ -0,0 +1,167 @@
 +
 +policy_module(systemd, 1.0.0)
 +
@@ -53546,9 +53637,8 @@ index 0000000..3c7493b
 +dev_write_kmsg(systemd_tmpfiles_t)
 +
 +# systemd-tmpfiles relabel /run/lock and creates /run/lock/lockdev
-+fs_create_tmpfs_dir(systemd_tmpfiles_t)
-+fs_relabelfrom_tmpfs_dir(systemd_tmpfiles_t)
-+fs_setattr_tmpfs_dir(systemd_tmpfiles_t)
++fs_manage_tmpfs_dirs(systemd_tmpfiles_t)
++fs_relabel_tmpfs_dirs(systemd_tmpfiles_t)
 +
 +files_read_etc_files(systemd_tmpfiles_t)
 +files_getattr_all_dirs(systemd_tmpfiles_t)
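Review bot: The two replacement calls on the new side, `fs_manage_tmpfs_dirs(systemd_tmpfiles_t)` and `fs_relabel_tmpfs_dirs(systemd_tmpfiles_t)`, appear to grant more than the three calls they replace (create, relabelfrom, setattr). By the usual refpolicy naming, a `manage` interface also covers removing and renaming directories and `relabel` also covers relabelto; the interface definitions are not in this hunk, so this should be confirmed. The comment above them still describes only relabeling /run/lock and creating /run/lock/lockdev. If the wider access is intended, the comment should record it, e.g. `# systemd-tmpfiles creates, removes and relabels tmpfs directories such as /run/lock and /run/lock/lockdev`. Otherwise, keeping the narrower calls and adding only the permission that was actually denied would keep systemd_tmpfiles_t closer to least privilege. The rest of systemd.te lies outside this hunk.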
@@ -54767,7 +54857,7 @@ index db75976..392d1ee 100644
 +HOME_DIR/\.gvfs(/.*)?	<<none>>
 +HOME_DIR/\.debug(/.*)?	<<none>>
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 28b88de..8e51296 100644
+index 28b88de..c5d64fd 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,8 +30,9 @@ template(`userdom_base_user_template',`
@@ -55219,7 +55309,7 @@ index 28b88de..8e51296 100644
  
  	##############################
  	#
-@@ -500,73 +570,79 @@ template(`userdom_common_user_template',`
+@@ -500,73 +570,81 @@ template(`userdom_common_user_template',`
  	# evolution and gnome-session try to create a netlink socket
  	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
  	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
@@ -55285,6 +55375,8 @@ index 28b88de..8e51296 100644
 +	fs_read_noxattr_fs_files($1_usertype)
 +	fs_read_noxattr_fs_symlinks($1_usertype)
 +	fs_rw_cgroup_files($1_usertype)
++
++	application_getattr_socket($1_usertype)
  
 -	fs_rw_cgroup_files($1_t)
 +	logging_send_syslog_msg($1_usertype)
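Review bot: `application_getattr_socket($1_usertype)` is added to userdom_common_user_template with no comment saying why, and from there it reaches every user type that instantiates the template. The commit log ties it to letting user domains run lsof and look at application sockets, so a one-line comment such as `# for lsof: getattr on sockets owned by application domains` would record that. It would also match the `# for lsof` comment that userdom_admin_user_template already carries above `domain_getattr_all_sockets($1_t)`. If only some roles need lsof output for other applications' sockets, consider whether the call belongs in a narrower template. The template body starts and ends outside this hunk, so which roles pick it up cannot be confirmed from here.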
@@ -55338,7 +55430,7 @@ index 28b88de..8e51296 100644
  	')
  
  	tunable_policy(`user_ttyfile_stat',`
-@@ -574,67 +650,122 @@ template(`userdom_common_user_template',`
+@@ -574,67 +652,122 @@ template(`userdom_common_user_template',`
  	')
  
  	optional_policy(`
@@ -55352,23 +55444,23 @@ index 28b88de..8e51296 100644
  		# Allow graphical boot to check battery lifespan
 -		apm_stream_connect($1_t)
 +		apm_stream_connect($1_usertype)
-+	')
-+
-+	optional_policy(`
-+		canna_stream_connect($1_usertype)
-+	')
-+
-+	optional_policy(`
-+		chrome_role($1_r, $1_usertype)
  	')
  
  	optional_policy(`
 -		canna_stream_connect($1_t)
-+		colord_read_lib_files($1_usertype)
++		canna_stream_connect($1_usertype)
  	')
  
  	optional_policy(`
 -		dbus_system_bus_client($1_t)
++		chrome_role($1_r, $1_usertype)
++	')
++
++	optional_policy(`
++		colord_read_lib_files($1_usertype)
++	')
++
++	optional_policy(`
 +		dbus_system_bus_client($1_usertype)
 +
 +		allow $1_usertype $1_usertype:dbus  send_msg;
@@ -55384,49 +55476,49 @@ index 28b88de..8e51296 100644
 +		optional_policy(`
 +			bluetooth_dbus_chat($1_usertype)
 +		')
-+
-+		optional_policy(`
-+			consolekit_dbus_chat($1_usertype)
-+			consolekit_read_log($1_usertype)
-+		')
-+
-+		optional_policy(`
-+			devicekit_dbus_chat($1_usertype)
-+			devicekit_dbus_chat_power($1_usertype)
-+			devicekit_dbus_chat_disk($1_usertype)
-+		')
-+
-+		optional_policy(`
-+			evolution_dbus_chat($1_usertype)
-+			evolution_alarm_dbus_chat($1_usertype)
-+		')
  
  		optional_policy(`
 -			bluetooth_dbus_chat($1_t)
-+			gnome_dbus_chat_gconfdefault($1_usertype)
++			consolekit_dbus_chat($1_usertype)
++			consolekit_read_log($1_usertype)
  		')
  
  		optional_policy(`
 -			evolution_dbus_chat($1_t)
 -			evolution_alarm_dbus_chat($1_t)
-+			hal_dbus_chat($1_usertype)
++			devicekit_dbus_chat($1_usertype)
++			devicekit_dbus_chat_power($1_usertype)
++			devicekit_dbus_chat_disk($1_usertype)
  		')
  
  		optional_policy(`
 -			cups_dbus_chat_config($1_t)
-+			kde_dbus_chat_backlighthelper($1_usertype)
++			evolution_dbus_chat($1_usertype)
++			evolution_alarm_dbus_chat($1_usertype)
  		')
  
  		optional_policy(`
 -			hal_dbus_chat($1_t)
-+			modemmanager_dbus_chat($1_usertype)
++			gnome_dbus_chat_gconfdefault($1_usertype)
  		')
  
  		optional_policy(`
 -			networkmanager_dbus_chat($1_t)
++			hal_dbus_chat($1_usertype)
+ 		')
++
++		optional_policy(`
++			kde_dbus_chat_backlighthelper($1_usertype)
++		')
++
++		optional_policy(`
++			modemmanager_dbus_chat($1_usertype)
++		')
++
++		optional_policy(`
 +			networkmanager_dbus_chat($1_usertype)
 +			networkmanager_read_lib_files($1_usertype)
- 		')
++		')
 +
 +		optional_policy(`
 +			vpn_dbus_chat($1_usertype)
@@ -55479,7 +55571,7 @@ index 28b88de..8e51296 100644
  	')
  
  	optional_policy(`
-@@ -650,41 +781,50 @@ template(`userdom_common_user_template',`
+@@ -650,41 +783,50 @@ template(`userdom_common_user_template',`
  
  	optional_policy(`
  		# to allow monitoring of pcmcia status
@@ -55511,53 +55603,51 @@ index 28b88de..8e51296 100644
 +	optional_policy(`
 +		rpc_dontaudit_getattr_exports($1_usertype)
 +		rpc_manage_nfs_rw_content($1_usertype)
-+	')
-+
-+	optional_policy(`
-+		rpcbind_stream_connect($1_usertype)
  	')
  
  	optional_policy(`
 -		rpc_dontaudit_getattr_exports($1_t)
 -		rpc_manage_nfs_rw_content($1_t)
-+		samba_stream_connect_winbind($1_usertype)
++		rpcbind_stream_connect($1_usertype)
  	')
  
  	optional_policy(`
 -		samba_stream_connect_winbind($1_t)
-+		sandbox_transition($1_usertype, $1_r)
++		samba_stream_connect_winbind($1_usertype)
  	')
  
  	optional_policy(`
 -		slrnpull_search_spool($1_t)
-+		seunshare_role_template($1, $1_r, $1_t)
++		sandbox_transition($1_usertype, $1_r)
  	')
  
  	optional_policy(`
 -		usernetctl_run($1_t,$1_r)
-+		slrnpull_search_spool($1_usertype)
++		seunshare_role_template($1, $1_r, $1_t)
  	')
 +
++	optional_policy(`
++		slrnpull_search_spool($1_usertype)
++	')
++
  ')
  
  #######################################
-@@ -712,13 +852,26 @@ template(`userdom_login_user_template', `
+@@ -712,13 +854,26 @@ template(`userdom_login_user_template', `
  
  	userdom_base_user_template($1)
  
 -	userdom_manage_home_role($1_r, $1_t)
 +	userdom_manage_home_role($1_r, $1_usertype)
-+
-+	userdom_manage_tmp_role($1_r, $1_usertype)
-+	userdom_manage_tmpfs_role($1_r, $1_usertype)
  
 -	userdom_manage_tmp_role($1_r, $1_t)
 -	userdom_manage_tmpfs_role($1_r, $1_t)
++	userdom_manage_tmp_role($1_r, $1_usertype)
++	userdom_manage_tmpfs_role($1_r, $1_usertype)
++
 +	ifelse(`$1',`unconfined',`',`
 +		gen_tunable(allow_$1_exec_content, true)
- 
--	userdom_exec_user_tmp_files($1_t)
--	userdom_exec_user_home_content_files($1_t)
++
 +		tunable_policy(`allow_$1_exec_content',`
 +			userdom_exec_user_tmp_files($1_usertype)
 +			userdom_exec_user_home_content_files($1_usertype)
@@ -55565,7 +55655,9 @@ index 28b88de..8e51296 100644
 +		tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',`
 +                        fs_exec_nfs_files($1_usertype)
 +		')
-+
+ 
+-	userdom_exec_user_tmp_files($1_t)
+-	userdom_exec_user_home_content_files($1_t)
 +		tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',`
 +			fs_exec_cifs_files($1_usertype)
 +		')
@@ -55573,7 +55665,7 @@ index 28b88de..8e51296 100644
  
  	userdom_change_password_template($1)
  
-@@ -736,72 +889,70 @@ template(`userdom_login_user_template', `
+@@ -736,72 +891,70 @@ template(`userdom_login_user_template', `
  
  	allow $1_t self:context contains;
  
@@ -55640,10 +55732,10 @@ index 28b88de..8e51296 100644
 -	miscfiles_exec_tetex_data($1_t)
 +	miscfiles_read_tetex_data($1_usertype)
 +	miscfiles_exec_tetex_data($1_usertype)
-+
-+	seutil_read_config($1_usertype)
  
 -	seutil_read_config($1_t)
++	seutil_read_config($1_usertype)
++
 +	optional_policy(`
 +		cups_read_config($1_usertype)
 +		cups_stream_connect($1_usertype)
@@ -55681,7 +55773,7 @@ index 28b88de..8e51296 100644
  	')
  ')
  
-@@ -833,6 +984,9 @@ template(`userdom_restricted_user_template',`
+@@ -833,6 +986,9 @@ template(`userdom_restricted_user_template',`
  	typeattribute $1_t unpriv_userdomain;
  	domain_interactive_fd($1_t)
  
@@ -55691,7 +55783,7 @@ index 28b88de..8e51296 100644
  	##############################
  	#
  	# Local policy
-@@ -874,45 +1028,113 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -874,45 +1030,113 @@ template(`userdom_restricted_xwindows_user_template',`
  	#
  
  	auth_role($1_r, $1_t)
@@ -55762,40 +55854,40 @@ index 28b88de..8e51296 100644
 +			abrt_dbus_chat($1_usertype)
 +			abrt_run_helper($1_usertype, $1_r)
 +		')
-+
-+		optional_policy(`
-+			consolekit_dontaudit_read_log($1_usertype)
-+			consolekit_dbus_chat($1_usertype)
-+		')
-+
-+		optional_policy(`
-+			cups_dbus_chat($1_usertype)
-+			cups_dbus_chat_config($1_usertype)
-+		')
  
  		optional_policy(`
 -			consolekit_dbus_chat($1_t)
-+			devicekit_dbus_chat($1_usertype)
-+			devicekit_dbus_chat_disk($1_usertype)
-+			devicekit_dbus_chat_power($1_usertype)
++			consolekit_dontaudit_read_log($1_usertype)
++			consolekit_dbus_chat($1_usertype)
  		')
  
  		optional_policy(`
 -			cups_dbus_chat($1_t)
-+			fprintd_dbus_chat($1_t)
++			cups_dbus_chat($1_usertype)
++			cups_dbus_chat_config($1_usertype)
  		')
- 	')
- 
- 	optional_policy(`
--		java_role($1_r, $1_t)
-+		openoffice_role_template($1, $1_r, $1_usertype)
++
++		optional_policy(`
++			devicekit_dbus_chat($1_usertype)
++			devicekit_dbus_chat_disk($1_usertype)
++			devicekit_dbus_chat_power($1_usertype)
++		')
++
++		optional_policy(`
++			fprintd_dbus_chat($1_t)
++		')
 +	')
 +
 +	optional_policy(`
-+		policykit_role($1_r, $1_usertype)
++		openoffice_role_template($1, $1_r, $1_usertype)
 +	')
 +
 +	optional_policy(`
++		policykit_role($1_r, $1_usertype)
+ 	')
+ 
+ 	optional_policy(`
+-		java_role($1_r, $1_t)
 +		pulseaudio_role($1_r, $1_usertype)
 +	')
 +
@@ -55816,7 +55908,7 @@ index 28b88de..8e51296 100644
  	')
  ')
  
-@@ -947,7 +1169,7 @@ template(`userdom_unpriv_user_template', `
+@@ -947,7 +1171,7 @@ template(`userdom_unpriv_user_template', `
  	#
  
  	# Inherit rules for ordinary users.
@@ -55825,7 +55917,7 @@ index 28b88de..8e51296 100644
  	userdom_common_user_template($1)
  
  	##############################
-@@ -956,54 +1178,83 @@ template(`userdom_unpriv_user_template', `
+@@ -956,54 +1180,83 @@ template(`userdom_unpriv_user_template', `
  	#
  
  	# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -55895,13 +55987,16 @@ index 28b88de..8e51296 100644
 +
 +	optional_policy(`
 +		gpg_role($1_r, $1_usertype)
-+	')
-+
-+	optional_policy(`
+ 	')
+ 
+-	# Run pppd in pppd_t by default for user
+ 	optional_policy(`
+-		ppp_run_cond($1_t,$1_r)
 +		gnomeclock_dbus_chat($1_t)
-+	')
-+
-+	optional_policy(`
+ 	')
+ 
+ 	optional_policy(`
+-		setroubleshoot_stream_connect($1_t)
 +		gpm_stream_connect($1_usertype)
 +	')
 +
@@ -55924,22 +56019,19 @@ index 28b88de..8e51296 100644
 +
 +	optional_policy(`
 +		wine_role_template($1, $1_r, $1_t)
- 	')
- 
--	# Run pppd in pppd_t by default for user
- 	optional_policy(`
--		ppp_run_cond($1_t,$1_r)
++	')
++
++	optional_policy(`
 +		postfix_run_postdrop($1_t, $1_r)
- 	')
- 
++	')
++
 +	# Run pppd in pppd_t by default for user
- 	optional_policy(`
--		setroubleshoot_stream_connect($1_t)
++	optional_policy(`
 +		ppp_run_cond($1_t, $1_r)
  	')
  ')
  
-@@ -1039,7 +1290,7 @@ template(`userdom_unpriv_user_template', `
+@@ -1039,7 +1292,7 @@ template(`userdom_unpriv_user_template', `
  template(`userdom_admin_user_template',`
  	gen_require(`
  		attribute admindomain;
@@ -55948,7 +56040,7 @@ index 28b88de..8e51296 100644
  	')
  
  	##############################
-@@ -1066,6 +1317,7 @@ template(`userdom_admin_user_template',`
+@@ -1066,6 +1319,7 @@ template(`userdom_admin_user_template',`
  	#
  
  	allow $1_t self:capability ~{ sys_module audit_control audit_write };
@@ -55956,7 +56048,7 @@ index 28b88de..8e51296 100644
  	allow $1_t self:process { setexec setfscreate };
  	allow $1_t self:netlink_audit_socket nlmsg_readpriv;
  	allow $1_t self:tun_socket create;
-@@ -1074,6 +1326,9 @@ template(`userdom_admin_user_template',`
+@@ -1074,6 +1328,9 @@ template(`userdom_admin_user_template',`
  	# Skip authentication when pam_rootok is specified.
  	allow $1_t self:passwd rootok;
  
@@ -55966,7 +56058,7 @@ index 28b88de..8e51296 100644
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
  	kernel_getattr_message_if($1_t)
-@@ -1088,6 +1343,7 @@ template(`userdom_admin_user_template',`
+@@ -1088,6 +1345,7 @@ template(`userdom_admin_user_template',`
  	kernel_sigstop_unlabeled($1_t)
  	kernel_signull_unlabeled($1_t)
  	kernel_sigchld_unlabeled($1_t)
@@ -55974,7 +56066,7 @@ index 28b88de..8e51296 100644
  
  	corenet_tcp_bind_generic_port($1_t)
  	# allow setting up tunnels
-@@ -1105,10 +1361,13 @@ template(`userdom_admin_user_template',`
+@@ -1105,10 +1363,13 @@ template(`userdom_admin_user_template',`
  	dev_rename_all_blk_files($1_t)
  	dev_rename_all_chr_files($1_t)
  	dev_create_generic_symlinks($1_t)
@@ -55988,7 +56080,7 @@ index 28b88de..8e51296 100644
  	domain_dontaudit_ptrace_all_domains($1_t)
  	# signal all domains:
  	domain_kill_all_domains($1_t)
-@@ -1119,15 +1378,19 @@ template(`userdom_admin_user_template',`
+@@ -1119,15 +1380,19 @@ template(`userdom_admin_user_template',`
  	domain_sigchld_all_domains($1_t)
  	# for lsof
  	domain_getattr_all_sockets($1_t)
@@ -56008,7 +56100,7 @@ index 28b88de..8e51296 100644
  
  	term_use_all_terms($1_t)
  
-@@ -1141,7 +1404,10 @@ template(`userdom_admin_user_template',`
+@@ -1141,7 +1406,10 @@ template(`userdom_admin_user_template',`
  
  	logging_send_syslog_msg($1_t)
  
@@ -56020,7 +56112,7 @@ index 28b88de..8e51296 100644
  
  	# The following rule is temporary until such time that a complete
  	# policy management infrastructure is in place so that an administrator
-@@ -1210,6 +1476,8 @@ template(`userdom_security_admin_template',`
+@@ -1210,6 +1478,8 @@ template(`userdom_security_admin_template',`
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -56029,7 +56121,7 @@ index 28b88de..8e51296 100644
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1222,6 +1490,7 @@ template(`userdom_security_admin_template',`
+@@ -1222,6 +1492,7 @@ template(`userdom_security_admin_template',`
  	selinux_set_enforce_mode($1)
  	selinux_set_all_booleans($1)
  	selinux_set_parameters($1)
@@ -56037,7 +56129,7 @@ index 28b88de..8e51296 100644
  
  	auth_relabel_all_files_except_shadow($1)
  	auth_relabel_shadow($1)
-@@ -1237,6 +1506,7 @@ template(`userdom_security_admin_template',`
+@@ -1237,6 +1508,7 @@ template(`userdom_security_admin_template',`
  	seutil_run_checkpolicy($1,$2)
  	seutil_run_loadpolicy($1,$2)
  	seutil_run_semanage($1,$2)
@@ -56045,7 +56137,7 @@ index 28b88de..8e51296 100644
  	seutil_run_setfiles($1, $2)
  
  	optional_policy(`
-@@ -1279,11 +1549,37 @@ template(`userdom_security_admin_template',`
+@@ -1279,11 +1551,37 @@ template(`userdom_security_admin_template',`
  interface(`userdom_user_home_content',`
  	gen_require(`
  		type user_home_t;
@@ -56083,7 +56175,7 @@ index 28b88de..8e51296 100644
  	ubac_constrained($1)
  ')
  
-@@ -1395,6 +1691,7 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1395,6 +1693,7 @@ interface(`userdom_search_user_home_dirs',`
  	')
  
  	allow $1 user_home_dir_t:dir search_dir_perms;
@@ -56091,7 +56183,7 @@ index 28b88de..8e51296 100644
  	files_search_home($1)
  ')
  
-@@ -1441,6 +1738,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1441,6 +1740,14 @@ interface(`userdom_list_user_home_dirs',`
  
  	allow $1 user_home_dir_t:dir list_dir_perms;
  	files_search_home($1)
@@ -56106,7 +56198,7 @@ index 28b88de..8e51296 100644
  ')
  
  ########################################
-@@ -1456,9 +1761,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1456,9 +1763,11 @@ interface(`userdom_list_user_home_dirs',`
  interface(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
  		type user_home_dir_t;
@@ -56118,7 +56210,7 @@ index 28b88de..8e51296 100644
  ')
  
  ########################################
-@@ -1515,10 +1822,10 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1515,10 +1824,10 @@ interface(`userdom_relabelto_user_home_dirs',`
  	allow $1 user_home_dir_t:dir relabelto;
  ')
  
@@ -56131,7 +56223,7 @@ index 28b88de..8e51296 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1526,22 +1833,58 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1526,21 +1835,57 @@ interface(`userdom_relabelto_user_home_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -56154,7 +56246,6 @@ index 28b88de..8e51296 100644
 +##	Relabel user home files.
  ## </summary>
 -## <desc>
--##	<p>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
@@ -56195,11 +56286,10 @@ index 28b88de..8e51296 100644
 +##	user home directory.
 +## </summary>
 +## <desc>
-+##	<p>
+ ##	<p>
  ##	Do a domain transition to the specified
  ##	domain when executing a program in the
- ##	user home directory.
-@@ -1589,6 +1932,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1589,6 +1934,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
  	')
  
  	dontaudit $1 user_home_t:dir search_dir_perms;
@@ -56208,7 +56298,7 @@ index 28b88de..8e51296 100644
  ')
  
  ########################################
-@@ -1603,10 +1948,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1603,10 +1950,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
  #
  interface(`userdom_list_user_home_content',`
  	gen_require(`
@@ -56223,7 +56313,7 @@ index 28b88de..8e51296 100644
  ')
  
  ########################################
-@@ -1649,6 +1996,25 @@ interface(`userdom_delete_user_home_content_dirs',`
+@@ -1649,6 +1998,25 @@ interface(`userdom_delete_user_home_content_dirs',`
  
  ########################################
  ## <summary>
@@ -56249,7 +56339,7 @@ index 28b88de..8e51296 100644
  ##	Do not audit attempts to set the
  ##	attributes of user home files.
  ## </summary>
-@@ -1700,12 +2066,32 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1700,12 +2068,32 @@ interface(`userdom_read_user_home_content_files',`
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -56282,7 +56372,7 @@ index 28b88de..8e51296 100644
  ##	Do not audit attempts to read user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1716,11 +2102,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1716,11 +2104,14 @@ interface(`userdom_read_user_home_content_files',`
  #
  interface(`userdom_dontaudit_read_user_home_content_files',`
  	gen_require(`
@@ -56300,7 +56390,7 @@ index 28b88de..8e51296 100644
  ')
  
  ########################################
-@@ -1810,8 +2199,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1810,8 +2201,7 @@ interface(`userdom_read_user_home_content_symlinks',`
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -56310,7 +56400,7 @@ index 28b88de..8e51296 100644
  ')
  
  ########################################
-@@ -1827,20 +2215,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1827,21 +2217,15 @@ interface(`userdom_read_user_home_content_symlinks',`
  #
  interface(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -56324,18 +56414,19 @@ index 28b88de..8e51296 100644
 -
 -	tunable_policy(`use_nfs_home_dirs',`
 -		fs_exec_nfs_files($1)
--	')
--
--	tunable_policy(`use_samba_home_dirs',`
--		fs_exec_cifs_files($1)
 +	exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
 +	dontaudit $1 user_home_type:sock_file execute;
  	')
--')
  
+-	tunable_policy(`use_samba_home_dirs',`
+-		fs_exec_cifs_files($1)
+-	')
+-')
+-
  ########################################
  ## <summary>
-@@ -2182,7 +2564,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+ ##	Do not audit attempts to execute user home files.
+@@ -2182,7 +2566,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -56344,7 +56435,7 @@ index 28b88de..8e51296 100644
  ')
  
  ########################################
-@@ -2435,13 +2817,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2435,13 +2819,14 @@ interface(`userdom_read_user_tmpfs_files',`
  	')
  
  	read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -56360,7 +56451,7 @@ index 28b88de..8e51296 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2462,26 +2845,6 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2462,26 +2847,6 @@ interface(`userdom_rw_user_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -56387,7 +56478,7 @@ index 28b88de..8e51296 100644
  ##	Get the attributes of a user domain tty.
  ## </summary>
  ## <param name="domain">
-@@ -2815,7 +3178,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2815,7 +3180,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  
  	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
  	allow unpriv_userdomain $1:fd use;
@@ -56396,7 +56487,7 @@ index 28b88de..8e51296 100644
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
-@@ -2831,11 +3194,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2831,11 +3196,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  #
  interface(`userdom_search_user_home_content',`
  	gen_require(`
@@ -56412,7 +56503,7 @@ index 28b88de..8e51296 100644
  ')
  
  ########################################
-@@ -2917,7 +3282,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -2917,7 +3284,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
  		type user_devpts_t;
  	')
  
@@ -56421,7 +56512,7 @@ index 28b88de..8e51296 100644
  ')
  
  ########################################
-@@ -2972,7 +3337,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -2972,7 +3339,45 @@ interface(`userdom_write_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -56468,7 +56559,7 @@ index 28b88de..8e51296 100644
  ')
  
  ########################################
-@@ -3009,6 +3412,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3009,6 +3414,7 @@ interface(`userdom_read_all_users_state',`
  	')
  
  	read_files_pattern($1, userdomain, userdomain)
@@ -56476,7 +56567,7 @@ index 28b88de..8e51296 100644
  	kernel_search_proc($1)
  ')
  
-@@ -3087,6 +3491,24 @@ interface(`userdom_signal_all_users',`
+@@ -3087,6 +3493,24 @@ interface(`userdom_signal_all_users',`
  
  ########################################
  ## <summary>
@@ -56501,7 +56592,7 @@ index 28b88de..8e51296 100644
  ##	Send a SIGCHLD signal to all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3139,3 +3561,1058 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3139,3 +3563,1058 @@ interface(`userdom_dbus_send_all_users',`
  
  	allow $1 userdomain:dbus send_msg;
  ')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index f317cd8..8bafbd8 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.16
-Release: 11%{?dist}
+Release: 12%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,16 @@ exit 0
 %endif
 
 %changelog
+* Mon Apr 4 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-12
+- Add /var/run/lock /var/lock definition to file_contexts.subs
+- nslcd_t is looking for kerberos cc files
+- SSH_USE_STRONG_RNG is 1 which requires /dev/random
+- Fix auth_rw_faillog definition
+- Allow sysadm_t to set attributes on fixed disks
+- allow user domains to execute lsof and look at application sockets
+- prelink_cron job calls telinit -u if init is rewritten
+- Fixes to run qemu_t from staff_t
+
 * Sat Apr 2 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-11
 - Fix label for /var/run/udev to udev_var_run_t
 

