[selinux-policy/f16] - Add policy for sa-update being run out of cron jobs - Add create perms to postgresql_manage_db - n

Miroslav Grepl mgrepl at fedoraproject.org
Tue Aug 23 08:59:39 UTC 2011


commit f212e8d785c60627a125c2535fdab8eb338b9ccb
Author: Miroslav <mgrepl at redhat.com>
Date:   Tue Aug 23 10:59:14 2011 +0200

    - Add policy for sa-update being run out of cron jobs
    - Add create perms to postgresql_manage_db
    - ntpd using a gps has to be able to read/write generic tty_device_t
    - If you disable unconfined and unconfineduser, rpm needs more privs to ma
    - fix spec file
    - Remove qemu_domtrans_unconfined() interface
    - Make passenger working together with puppet
    - Add init_dontaudit_rw_stream_socket interface
    - Fixes for wordpress

 policy-F16.patch    | 1321 +++++++++++++++++++++++++++++++++------------------
 selinux-policy.spec |   13 +-
 2 files changed, 869 insertions(+), 465 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 02d58d6..d69b112 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -1553,7 +1553,7 @@ index f68b573..59ee69c 100644
 +    manage_sock_files_pattern($1, passenger_var_run_t, passenger_var_run_t)
 +')
 diff --git a/policy/modules/admin/passenger.te b/policy/modules/admin/passenger.te
-index 3470036..30e0f64 100644
+index 3470036..66412e6 100644
 --- a/policy/modules/admin/passenger.te
 +++ b/policy/modules/admin/passenger.te
 @@ -1,4 +1,4 @@
@@ -1562,6 +1562,23 @@ index 3470036..30e0f64 100644
  
  ########################################
  #
+@@ -67,6 +67,8 @@ files_read_etc_files(passenger_t)
+ 
+ auth_use_nsswitch(passenger_t)
+ 
++logging_send_syslog_msg(passenger_t)
++
+ miscfiles_read_localization(passenger_t)
+ 
+ userdom_dontaudit_use_user_terminals(passenger_t)
+@@ -75,3 +77,7 @@ optional_policy(`
+ 	apache_append_log(passenger_t)
+ 	apache_read_sys_content(passenger_t)
+ ')
++
++optional_policy(`
++	puppet_manage_lib(passenger_t)
++')
 diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc
 index db46387..b665b08 100644
 --- a/policy/modules/admin/portage.fc
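Review bot: `puppet_manage_lib(passenger_t)` in the new optional_policy block hands the passenger domain create/write/delete rights over puppet's lib content without a comment saying why an application server needs that. The commit message only says passenger should work together with puppet, which presumably means the puppet master is served under passenger, but that reason belongs next to the rule, e.g. `# puppet master runs under passenger and writes its state to puppet's lib dir -- confirm`. If read access is all that is needed, a narrower puppet interface would be preferable; I cannot tell from this hunk.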
@@ -1647,7 +1664,7 @@ index 93ec175..0e42018 100644
  	')
  ')
 diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te
-index af55369..5ede07b 100644
+index af55369..77b9b29 100644
 --- a/policy/modules/admin/prelink.te
 +++ b/policy/modules/admin/prelink.te
 @@ -36,7 +36,7 @@ files_type(prelink_var_lib_t)
@@ -1689,13 +1706,14 @@ index af55369..5ede07b 100644
  selinux_get_enforce_mode(prelink_t)
  
  libs_exec_ld_so(prelink_t)
-@@ -98,7 +102,13 @@ libs_delete_lib_symlinks(prelink_t)
+@@ -98,7 +102,14 @@ libs_delete_lib_symlinks(prelink_t)
  
  miscfiles_read_localization(prelink_t)
  
 -userdom_use_user_terminals(prelink_t)
 +userdom_use_inherited_user_terminals(prelink_t)
 +userdom_manage_user_home_content(prelink_t)
++userdom_relabel_user_home_files(prelink_t)
 +userdom_execmod_user_home_files(prelink_t)
 +
 +systemd_read_unit_files(prelink_t)
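Review bot: `userdom_relabel_user_home_files(prelink_t)` lets prelink change the security label of any file under user home directories, on top of the manage and execmod rights in the surrounding lines, and nothing says which prelink operation requires relabel. A why-comment should accompany it, e.g. `# prelink recreates binaries in home dirs and must restore their label -- confirm`, until the actual denial is recorded. The prelink_t rule block continues outside the hunk.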
@@ -1704,7 +1722,7 @@ index af55369..5ede07b 100644
  
  optional_policy(`
  	amanda_manage_lib(prelink_t)
-@@ -109,13 +119,22 @@ optional_policy(`
+@@ -109,13 +120,22 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -1729,7 +1747,7 @@ index af55369..5ede07b 100644
  ########################################
  #
  # Prelink Cron system Policy
-@@ -129,6 +148,7 @@ optional_policy(`
+@@ -129,6 +149,7 @@ optional_policy(`
  
  	read_files_pattern(prelink_cron_system_t, prelink_cache_t, prelink_cache_t)
  	allow prelink_cron_system_t prelink_cache_t:file unlink;
@@ -1737,7 +1755,7 @@ index af55369..5ede07b 100644
  
  	domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t)
  	allow prelink_cron_system_t prelink_t:process noatsecure;
-@@ -148,17 +168,28 @@ optional_policy(`
+@@ -148,17 +169,28 @@ optional_policy(`
  	files_read_etc_files(prelink_cron_system_t)
  	files_search_var_lib(prelink_cron_system_t)
  
@@ -2198,7 +2216,7 @@ index d33daa8..8ba0f86 100644
 +	allow rpm_script_t $1:process sigchld;
 +')
 diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
-index 47a8f7d..0d42e00 100644
+index 47a8f7d..8d3c1d8 100644
 --- a/policy/modules/admin/rpm.te
 +++ b/policy/modules/admin/rpm.te
 @@ -1,10 +1,11 @@
@@ -2242,11 +2260,12 @@ index 47a8f7d..0d42e00 100644
  
  corecmd_exec_all_executables(rpm_t)
  
-@@ -127,6 +134,18 @@ corenet_sendrecv_all_client_packets(rpm_t)
+@@ -127,6 +134,19 @@ corenet_sendrecv_all_client_packets(rpm_t)
  dev_list_sysfs(rpm_t)
  dev_list_usbfs(rpm_t)
  dev_read_urand(rpm_t)
 +dev_read_raw_memory(rpm_t)
++dev_manage_all_dev_nodes(rpm_t)
 +
 +#devices_manage_all_device_types(rpm_t)
 +dev_create_generic_blk_files(rpm_t)
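Review bot: `dev_manage_all_dev_nodes(rpm_t)` is inserted directly above the commented-out `#devices_manage_all_device_types(rpm_t)`, so the new side now carries a broad live rule and a dead variant of it with no explanation. The commit message ties the extra rpm privileges to running without the unconfined modules; that reason belongs in the policy, e.g. replacing the dead line with `# rpm scriptlets create device nodes; needed once unconfined is disabled`, if that is indeed the trigger. The following `dev_create_generic_blk_files(rpm_t)` and its neighbours look subsumed by the manage-all rule and could then go, though only part of the rpm_t block is visible here.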
@@ -2261,7 +2280,7 @@ index 47a8f7d..0d42e00 100644
  
  fs_getattr_all_dirs(rpm_t)
  fs_list_inotifyfs(rpm_t)
-@@ -154,8 +173,8 @@ storage_raw_read_fixed_disk(rpm_t)
+@@ -154,8 +174,8 @@ storage_raw_read_fixed_disk(rpm_t)
  
  term_list_ptys(rpm_t)
  
@@ -2272,7 +2291,7 @@ index 47a8f7d..0d42e00 100644
  auth_dontaudit_read_shadow(rpm_t)
  auth_use_nsswitch(rpm_t)
  
-@@ -173,11 +192,13 @@ domain_dontaudit_getattr_all_packet_sockets(rpm_t)
+@@ -173,11 +193,13 @@ domain_dontaudit_getattr_all_packet_sockets(rpm_t)
  domain_dontaudit_getattr_all_raw_sockets(rpm_t)
  domain_dontaudit_getattr_all_stream_sockets(rpm_t)
  domain_dontaudit_getattr_all_dgram_sockets(rpm_t)
@@ -2286,7 +2305,7 @@ index 47a8f7d..0d42e00 100644
  
  libs_exec_ld_so(rpm_t)
  libs_exec_lib_files(rpm_t)
-@@ -189,7 +210,7 @@ logging_send_syslog_msg(rpm_t)
+@@ -189,7 +211,7 @@ logging_send_syslog_msg(rpm_t)
  seutil_manage_src_policy(rpm_t)
  seutil_manage_bin_policy(rpm_t)
  
@@ -2295,7 +2314,7 @@ index 47a8f7d..0d42e00 100644
  userdom_use_unpriv_users_fds(rpm_t)
  
  optional_policy(`
-@@ -207,6 +228,7 @@ optional_policy(`
+@@ -207,6 +229,7 @@ optional_policy(`
  	optional_policy(`
  		networkmanager_dbus_chat(rpm_t)
  	')
@@ -2303,7 +2322,7 @@ index 47a8f7d..0d42e00 100644
  ')
  
  optional_policy(`
-@@ -214,7 +236,7 @@ optional_policy(`
+@@ -214,7 +237,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -2312,7 +2331,7 @@ index 47a8f7d..0d42e00 100644
  	# yum-updatesd requires this
  	unconfined_dbus_chat(rpm_t)
  	unconfined_dbus_chat(rpm_script_t)
-@@ -257,12 +279,18 @@ manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
+@@ -257,12 +280,18 @@ manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
  fs_tmpfs_filetrans(rpm_script_t, rpm_script_tmpfs_t, { dir file lnk_file sock_file fifo_file })
  can_exec(rpm_script_t, rpm_script_tmpfs_t)
  
@@ -2331,7 +2350,7 @@ index 47a8f7d..0d42e00 100644
  dev_list_sysfs(rpm_script_t)
  
  # ideally we would not need this
-@@ -299,15 +327,17 @@ storage_raw_write_fixed_disk(rpm_script_t)
+@@ -299,15 +328,17 @@ storage_raw_write_fixed_disk(rpm_script_t)
  
  term_getattr_unallocated_ttys(rpm_script_t)
  term_list_ptys(rpm_script_t)
@@ -2352,7 +2371,7 @@ index 47a8f7d..0d42e00 100644
  
  domain_read_all_domains_state(rpm_script_t)
  domain_getattr_all_domains(rpm_script_t)
-@@ -332,18 +362,18 @@ logging_send_syslog_msg(rpm_script_t)
+@@ -332,18 +363,18 @@ logging_send_syslog_msg(rpm_script_t)
  
  miscfiles_read_localization(rpm_script_t)
  
@@ -2374,7 +2393,7 @@ index 47a8f7d..0d42e00 100644
  	')
  ')
  
-@@ -368,6 +398,11 @@ optional_policy(`
+@@ -368,6 +399,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -2386,7 +2405,7 @@ index 47a8f7d..0d42e00 100644
  	tzdata_domtrans(rpm_t)
  	tzdata_domtrans(rpm_script_t)
  ')
-@@ -377,8 +412,9 @@ optional_policy(`
+@@ -377,8 +413,9 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -2515,7 +2534,7 @@ index 781ad7e..082f0c5 100644
  #
  interface(`shorewall_rw_lib_files',`
 diff --git a/policy/modules/admin/shorewall.te b/policy/modules/admin/shorewall.te
-index 95bce88..d1edd79 100644
+index 95bce88..1a53b7b 100644
 --- a/policy/modules/admin/shorewall.te
 +++ b/policy/modules/admin/shorewall.te
 @@ -59,6 +59,9 @@ exec_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
@@ -2528,13 +2547,15 @@ index 95bce88..d1edd79 100644
  
  allow shorewall_t shorewall_initrc_exec_t:file read_file_perms;
  
-@@ -83,13 +86,20 @@ fs_getattr_all_fs(shorewall_t)
+@@ -83,13 +86,22 @@ fs_getattr_all_fs(shorewall_t)
  
  init_rw_utmp(shorewall_t)
  
 +logging_read_generic_logs(shorewall_t)
  logging_send_syslog_msg(shorewall_t)
  
++auth_use_nsswitch(shorewall_t)
++
  miscfiles_read_localization(shorewall_t)
  
  sysnet_domtrans_ifconfig(shorewall_t)
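Review bot: `auth_use_nsswitch(shorewall_t)` is inserted after the logging_ calls, whereas this rule block keeps interface calls grouped by module in alphabetical order (`init_rw_utmp` precedes `logging_send_syslog_msg`). Moving it above `init_rw_utmp(shorewall_t)` keeps that ordering. The shorewall_t block continues outside the hunk.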
@@ -3706,10 +3727,10 @@ index 0000000..bacc639
 +')
 diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te
 new file mode 100644
-index 0000000..22ddda5
+index 0000000..df2b2a9
 --- /dev/null
 +++ b/policy/modules/apps/chrome.te
-@@ -0,0 +1,124 @@
+@@ -0,0 +1,125 @@
 +policy_module(chrome,1.0.0)
 +
 +########################################
@@ -3794,6 +3815,7 @@ index 0000000..22ddda5
 +
 +optional_policy(`
 +	execmem_exec(chrome_sandbox_t)
++	execmem_execmod(chrome_sandbox_t)
 +')
 +
 +optional_policy(`
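Review bot: `execmem_execmod(chrome_sandbox_t)` grants nothing useful as the interface is written in the execmem.if hunk of this commit that defines execmem_execmod, because that interface allows `execmem_exec_t:chr_file execmod` while the execmem.fc entries in this patch label execmem_exec_t executables as regular files (`--`). Unless a character device is deliberately labeled execmem_exec_t, the class should be `file`: `allow $1 execmem_exec_t:file execmod;`. That same execmem.if hunk also appends an empty line after the closing `')`, leaving a trailing blank line at the end of the file.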
@@ -4039,10 +4061,10 @@ index 0000000..6f3570a
 +/usr/local/Wolfram/Mathematica(/.*)?MathKernel	  -- gen_context(system_u:object_r:execmem_exec_t,s0)
 diff --git a/policy/modules/apps/execmem.if b/policy/modules/apps/execmem.if
 new file mode 100644
-index 0000000..6c038c8
+index 0000000..e455bba
 --- /dev/null
 +++ b/policy/modules/apps/execmem.if
-@@ -0,0 +1,110 @@
+@@ -0,0 +1,129 @@
 +## <summary>execmem domain</summary>
 +
 +########################################
@@ -4153,6 +4175,25 @@ index 0000000..6c038c8
 +
 +	domtrans_pattern($1, execmem_exec_t, $2)
 +')
++
++########################################
++## <summary>
++##	Execmod the execmem_exec applications
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`execmem_execmod',`
++	gen_require(`
++		type execmem_exec_t;
++	')
++
++	allow $1 execmem_exec_t:chr_file execmod;
++')
++
 diff --git a/policy/modules/apps/execmem.te b/policy/modules/apps/execmem.te
 new file mode 100644
 index 0000000..a7d37e2
@@ -4366,7 +4407,7 @@ index 00a19e3..d5acf98 100644
 +/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper	--		gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
-index f5afe78..940c1c4 100644
+index f5afe78..ab334b0 100644
 --- a/policy/modules/apps/gnome.if
 +++ b/policy/modules/apps/gnome.if
 @@ -1,44 +1,731 @@
@@ -5244,7 +5285,7 @@ index f5afe78..940c1c4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -140,51 +831,354 @@ interface(`gnome_domtrans_gconfd',`
+@@ -140,51 +831,355 @@ interface(`gnome_domtrans_gconfd',`
  ##	</summary>
  ## </param>
  #
@@ -5534,6 +5575,7 @@ index f5afe78..940c1c4 100644
 +	filetrans_pattern($1, gnome_home_t, gkeyringd_gnome_home_t, dir, "keyrings")
 +	filetrans_pattern($1, gconf_home_t, data_home_t, dir, "share")
 +	filetrans_pattern($1, data_home_t, icc_data_home_t, dir, "icc")
++	userdom_user_tmp_filetrans($1, config_home_t, dir, "dconf")
 +')
 +
 +########################################
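Review bot: `userdom_user_tmp_filetrans($1, config_home_t, dir, "dconf")` is the only transition in this block that targets the user tmp directory rather than the home tree, and it gives a tmp subdirectory a home-content type without a comment. A one-line note such as `# dconf keeps a runtime dir under the user tmp dir; label it as user config -- confirm` would tell the next reader this is intentional. The enclosing interface starts before this hunk.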
@@ -5615,7 +5657,7 @@ index f5afe78..940c1c4 100644
 +    type_transition $1 gkeyringd_exec_t:process $2;
 +')
 diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te
-index 2505654..0c8361a 100644
+index 2505654..c365443 100644
 --- a/policy/modules/apps/gnome.te
 +++ b/policy/modules/apps/gnome.te
 @@ -5,12 +5,29 @@ policy_module(gnome, 2.1.0)
@@ -5693,7 +5735,7 @@ index 2505654..0c8361a 100644
  ##############################
  #
  # Local Policy
-@@ -75,3 +113,167 @@ optional_policy(`
+@@ -75,3 +113,168 @@ optional_policy(`
  	xserver_use_xdm_fds(gconfd_t)
  	xserver_rw_xdm_pipes(gconfd_t)
  ')
@@ -5824,6 +5866,7 @@ index 2505654..0c8361a 100644
 +files_search_pids(gkeyringd_domain)
 +
 +fs_getattr_xattr_fs(gkeyringd_domain)
++fs_getattr_tmpfs(gkeyringd_domain)
 +
 +selinux_getattr_fs(gkeyringd_domain)
 +
@@ -6761,7 +6804,7 @@ index 93ac529..35b51ab 100644
 +/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
 +/usr/lib/xulrunner[^/]*/plugin-container		--	gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
 diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
-index fbb5c5a..2339227 100644
+index fbb5c5a..83fc139 100644
 --- a/policy/modules/apps/mozilla.if
 +++ b/policy/modules/apps/mozilla.if
 @@ -29,6 +29,8 @@ interface(`mozilla_role',`
@@ -6799,11 +6842,10 @@ index fbb5c5a..2339227 100644
  ')
  
  ########################################
-@@ -228,6 +238,35 @@ interface(`mozilla_run_plugin',`
+@@ -203,6 +213,15 @@ interface(`mozilla_domtrans_plugin',`
  
- 	mozilla_domtrans_plugin($1)
- 	role $2 types mozilla_plugin_t;
-+
+ 	domtrans_pattern($1, mozilla_plugin_exec_t, mozilla_plugin_t)
+ 	allow mozilla_plugin_t $1:process signull;
 +	allow $1 mozilla_plugin_t:unix_stream_socket { connectto rw_socket_perms };
 +	allow $1 mozilla_plugin_t:fd use;
 +
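Review bot: the socket, fd, ps_process and `{ ptrace signal_perms }` rules previously tied to mozilla_run_plugin now sit inside mozilla_domtrans_plugin, so every domain that merely transitions to the plugin also gains ptrace and signal rights over mozilla_plugin_t (the ptrace line appears as context in the next hunk). If the intent is to give those only to the role-enabled caller, the rules belong in the role interface; otherwise the summary of mozilla_domtrans_plugin, which starts before this hunk, should state that the caller can also debug and signal the plugin.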
@@ -6813,8 +6855,13 @@ index fbb5c5a..2339227 100644
 +
 +	ps_process_pattern($1, mozilla_plugin_t)
 +	allow $1 mozilla_plugin_t:process { ptrace signal_perms };
-+')
-+
+ ')
+ 
+ ########################################
+@@ -230,6 +249,25 @@ interface(`mozilla_run_plugin',`
+ 	role $2 types mozilla_plugin_t;
+ ')
+ 
 +#######################################
 +## <summary>
 +##  Execute qemu unconfined programs in the role.
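Review bot: the summary of the new role interface that begins here reads `Execute qemu unconfined programs in the role.` although the body (in the next hunk) does `role $1 types mozilla_plugin_t;`, which looks like a copy-paste from qemu.if; it should read `##	Execute mozilla plugin programs in the role.`. The interface name line is not visible in either hunk, so I could not check it too. The same body uses four-space indentation where the rest of mozilla.if uses tabs.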
@@ -6832,10 +6879,12 @@ index fbb5c5a..2339227 100644
 +    ')
 +
 +    role $1 types mozilla_plugin_t;
- ')
- 
++')
++
  ########################################
-@@ -269,9 +308,27 @@ interface(`mozilla_rw_tcp_sockets',`
+ ## <summary>
+ ##	Send and receive messages from
+@@ -269,9 +307,27 @@ interface(`mozilla_rw_tcp_sockets',`
  	allow $1 mozilla_t:tcp_socket rw_socket_perms;
  ')
  
@@ -6864,7 +6913,7 @@ index fbb5c5a..2339227 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -279,28 +336,28 @@ interface(`mozilla_rw_tcp_sockets',`
+@@ -279,28 +335,28 @@ interface(`mozilla_rw_tcp_sockets',`
  ##	</summary>
  ## </param>
  #
@@ -8483,7 +8532,7 @@ index d1eace5..8522ab4 100644
 +	virt_manage_tmpfs_files(pulseaudio_t)
 +')
 diff --git a/policy/modules/apps/qemu.if b/policy/modules/apps/qemu.if
-index 268d691..6c7a005 100644
+index 268d691..da3a26d 100644
 --- a/policy/modules/apps/qemu.if
 +++ b/policy/modules/apps/qemu.if
 @@ -76,7 +76,7 @@ template(`qemu_domain_template',`
@@ -8570,15 +8619,16 @@ index 268d691..6c7a005 100644
  ')
  
  ########################################
-@@ -274,6 +253,67 @@ interface(`qemu_domtrans_unconfined',`
+@@ -256,20 +235,63 @@ interface(`qemu_kill',`
  
  ########################################
  ## <summary>
+-##	Execute a domain transition to run qemu unconfined.
 +##	Execute qemu_exec_t 
 +##	in the specified domain but do not
 +##	do it automatically. This is an explicit
 +##	transition, requiring the caller to use setexeccon().
-+## </summary>
+ ## </summary>
 +## <desc>
 +##	<p>
 +##	Execute qemu_exec_t 
@@ -8588,7 +8638,7 @@ index 268d691..6c7a005 100644
 +##	domain.
 +##	</p>
 +## </desc>
-+## <param name="domain">
+ ## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
@@ -8615,30 +8665,31 @@ index 268d691..6c7a005 100644
 +')
 +
 +########################################
-+## <summary>
+ ## <summary>
+-##	Domain allowed to transition.
 +##	Execute qemu unconfined programs in the role.
-+## </summary>
+ ## </summary>
 +## <param name="role">
 +##	<summary>
 +##	The role to allow the qemu unconfined domain.
 +##	</summary>
-+## </param>
-+#
+ ## </param>
+ #
+-interface(`qemu_domtrans_unconfined',`
 +interface(`qemu_unconfined_role',`
-+	gen_require(`
+ 	gen_require(`
+-		type unconfined_qemu_t, qemu_exec_t;
 +		type unconfined_qemu_t;
 +		type qemu_t;
-+	')
+ 	')
+-
+-	domtrans_pattern($1, qemu_exec_t, unconfined_qemu_t)
 +	role $1 types unconfined_qemu_t;
 +	role $1 types qemu_t;
-+')
-+
-+########################################
-+## <summary>
- ##	Manage qemu temporary dirs.
- ## </summary>
- ## <param name="domain">
-@@ -307,3 +347,22 @@ interface(`qemu_manage_tmp_files',`
+ ')
+ 
+ ########################################
+@@ -307,3 +329,22 @@ interface(`qemu_manage_tmp_files',`
  
  	manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t)
  ')
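Review bot: `qemu_unconfined_role` now also does `role $1 types qemu_t;`, but its summary (`Execute qemu unconfined programs in the role.`) and the role parameter description mention only the unconfined domain. Either the summary should say the role is granted both unconfined_qemu_t and qemu_t, or the qemu_t line belongs in a separate role interface. This commit also deletes qemu_domtrans_unconfined; any remaining callers elsewhere in the patch would fail to build, which I cannot check from here.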
@@ -10640,7 +10691,7 @@ index 223ad43..d95e720 100644
  	rsync_exec(yam_t)
  ')
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 3fae11a..c8607de 100644
+index 3fae11a..51756fc 100644
 --- a/policy/modules/kernel/corecommands.fc
 +++ b/policy/modules/kernel/corecommands.fc
 @@ -97,8 +97,6 @@ ifdef(`distro_redhat',`
@@ -10799,16 +10850,18 @@ index 3fae11a..c8607de 100644
  /usr/share/shorewall-perl(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall-shell(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall-lite(/.*)? 	gen_context(system_u:object_r:bin_t,s0)
-@@ -294,7 +299,7 @@ ifdef(`distro_gentoo',`
+@@ -293,8 +298,9 @@ ifdef(`distro_gentoo',`
+ /usr/share/spamassassin/sa-update\.cron gen_context(system_u:object_r:bin_t,s0)
  /usr/share/turboprint/lib(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/vhostmd/scripts(/.*)?	gen_context(system_u:object_r:bin_t,s0)
++/usr/share/virtualbox/.*\.sh 		gen_context(system_u:object_r:bin_t,s0)
  
 -/usr/X11R6/lib(64)?/X11/xkb/xkbcomp --	gen_context(system_u:object_r:bin_t,s0)
 +/usr/X11R6/lib/X11/xkb/xkbcomp --	gen_context(system_u:object_r:bin_t,s0)
  
  ifdef(`distro_gentoo', `
  /usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)?	gen_context(system_u:object_r:bin_t,s0)
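Review bot: the new `/usr/share/virtualbox/.*\.sh` entry has no object-class field, while the neighbouring regular-file entries (the turboprint line and the xkbcomp line below) use `--`; as written it also labels a directory whose name ends in .sh. `/usr/share/virtualbox/.*\.sh	--	gen_context(system_u:object_r:bin_t,s0)` keeps it to files and matches the tab-separated column style, which the mixed space-and-tab run after `\.sh` currently breaks.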
-@@ -307,9 +312,8 @@ ifdef(`distro_redhat', `
+@@ -307,9 +313,8 @@ ifdef(`distro_redhat', `
  /etc/gdm/[^/]+/.*			gen_context(system_u:object_r:bin_t,s0)
  
  /usr/lib/.*/program(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@@ -10819,7 +10872,7 @@ index 3fae11a..c8607de 100644
  /usr/lib/vmware-tools/(s)?bin32(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/vmware-tools/(s)?bin64(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -319,9 +323,11 @@ ifdef(`distro_redhat', `
+@@ -319,9 +324,11 @@ ifdef(`distro_redhat', `
  /usr/share/clamav/clamd-gen	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/clamav/freshclam-sleep --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/createrepo(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@@ -10831,7 +10884,7 @@ index 3fae11a..c8607de 100644
  /usr/share/pwlib/make/ptlib-config --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/pydict/pydict\.py	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -363,7 +369,7 @@ ifdef(`distro_redhat', `
+@@ -363,7 +370,7 @@ ifdef(`distro_redhat', `
  ifdef(`distro_suse', `
  /usr/lib/cron/run-crons		--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/samba/classic/.*	--	gen_context(system_u:object_r:bin_t,s0)
@@ -10840,7 +10893,7 @@ index 3fae11a..c8607de 100644
  /usr/share/apache2/[^/]*	--	gen_context(system_u:object_r:bin_t,s0)
  ')
  
-@@ -375,8 +381,9 @@ ifdef(`distro_suse', `
+@@ -375,8 +382,9 @@ ifdef(`distro_suse', `
  /var/ftp/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  
  /var/lib/asterisk/agi-bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@@ -10851,6 +10904,11 @@ index 3fae11a..c8607de 100644
  
  /var/qmail/bin			-d	gen_context(system_u:object_r:bin_t,s0)
  /var/qmail/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+@@ -385,3 +393,4 @@ ifdef(`distro_suse', `
+ ifdef(`distro_suse',`
+ /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
+ ')
++/usr/lib/ruby/gems/.*/agents(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
 index 9e9263a..59c2125 100644
 --- a/policy/modules/kernel/corecommands.if
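Review bot: `/usr/lib/ruby/gems/.*/agents(/.*)?` is appended after the closing `')` of the distro_suse block at the very end of corecommands.fc, far from the other `/usr/lib/...` entries earlier in the file, so it reads as if it were SUSE-specific. It should sit with the generic /usr/lib entries. The pattern also labels the agents directory of every installed gem as bin_t; if a single gem is meant, naming it in the pattern would narrow that.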
@@ -11987,7 +12045,7 @@ index 4f3b542..5a41e58 100644
  	corenet_udp_recvfrom_labeled($1, $2)
  	corenet_raw_recvfrom_labeled($1, $2)
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 99b71cb..8c65e82 100644
+index 99b71cb..d898d5a 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -11,11 +11,14 @@ attribute netif_type;
@@ -12097,7 +12155,14 @@ index 99b71cb..8c65e82 100644
  network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0)
  network_port(ftp_data, tcp,20,s0)
  network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
-@@ -120,6 +152,7 @@ network_port(i18n_input, tcp,9010,s0)
+@@ -114,12 +146,13 @@ network_port(hadoop_namenode, tcp,8020,s0)
+ network_port(hddtemp, tcp,7634,s0)
+ network_port(howl, tcp,5335,s0, udp,5353,s0)
+ network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
+-network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
++network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0,  tcp,18001,s0) #8443 is mod_nss default port #18001 is used for jboss
+ network_port(http_cache, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy
+ network_port(i18n_input, tcp,9010,s0)
  network_port(imaze, tcp,5323,s0, udp,5323,s0)
  network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
  network_port(innd, tcp,119,s0)
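Review bot: the new http line has a double space before `tcp,18001,s0` and glues two comments together (`#8443 is mod_nss default port #18001 is used for jboss`). `network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0, tcp,18001,s0) # 8443 is mod_nss default port, 18001 is used for jboss` keeps one separator and one comment. Adding the port to http rather than a dedicated port type means every domain with http_port_t access also gets 18001; that is presumably intended but is worth stating in the commit message.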
@@ -13816,7 +13881,7 @@ index fae1ab1..1c54937 100644
 +dontaudit can_change_object_identity can_change_object_identity:key link;
 +
 diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index c19518a..b630279c 100644
+index c19518a..12e8e9c 100644
 --- a/policy/modules/kernel/files.fc
 +++ b/policy/modules/kernel/files.fc
 @@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
@@ -13827,13 +13892,14 @@ index c19518a..b630279c 100644
  ')
  
  ifdef(`distro_suse',`
-@@ -53,10 +54,18 @@ ifdef(`distro_suse',`
+@@ -53,10 +54,17 @@ ifdef(`distro_suse',`
  /etc/ioctl\.save	--	gen_context(system_u:object_r:etc_runtime_t,s0)
  /etc/killpower		--	gen_context(system_u:object_r:etc_runtime_t,s0)
  /etc/localtime		-l	gen_context(system_u:object_r:etc_t,s0)
+-/etc/mtab		--	gen_context(system_u:object_r:etc_runtime_t,s0)
+-/etc/mtab\.fuselock	--	gen_context(system_u:object_r:etc_runtime_t,s0)
 +/etc/machine-id		--	gen_context(system_u:object_r:etc_runtime_t,s0)
- /etc/mtab		--	gen_context(system_u:object_r:etc_runtime_t,s0)
- /etc/mtab\.fuselock	--	gen_context(system_u:object_r:etc_runtime_t,s0)
++/etc/mtab.*		--	gen_context(system_u:object_r:etc_runtime_t,s0)
  /etc/nohotplug		--	gen_context(system_u:object_r:etc_runtime_t,s0)
  /etc/nologin.*		--	gen_context(system_u:object_r:etc_runtime_t,s0)
 +/etc/securetty  	--  	gen_context(system_u:object_r:etc_runtime_t,s0)
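Review bot: `/etc/mtab.*` replaces the two exact entries for /etc/mtab and /etc/mtab\.fuselock with an unescaped dot, so it also matches names such as /etc/mtabfoo. `/etc/mtab(\..*)?` would cover exactly the original two plus any other dotted suffix. The file already uses the looser form for `/etc/nologin.*`, so this is a consistency choice rather than a hard error.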
@@ -13846,7 +13912,7 @@ index c19518a..b630279c 100644
  
  /etc/cups/client\.conf	--	gen_context(system_u:object_r:etc_t,s0)
  
-@@ -68,7 +77,10 @@ ifdef(`distro_suse',`
+@@ -68,7 +76,10 @@ ifdef(`distro_suse',`
  
  /etc/sysconfig/hwconf	--	gen_context(system_u:object_r:etc_runtime_t,s0)
  /etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -13858,7 +13924,7 @@ index c19518a..b630279c 100644
  
  ifdef(`distro_gentoo', `
  /etc/profile\.env	--	gen_context(system_u:object_r:etc_runtime_t,s0)
-@@ -102,10 +114,9 @@ HOME_ROOT/lost\+found/.*		<<none>>
+@@ -102,10 +113,9 @@ HOME_ROOT/lost\+found/.*		<<none>>
  /initrd			-d	gen_context(system_u:object_r:root_t,s0)
  
  #
@@ -13870,7 +13936,7 @@ index c19518a..b630279c 100644
  
  #
  # /lost+found
-@@ -146,7 +157,7 @@ HOME_ROOT/lost\+found/.*		<<none>>
+@@ -146,7 +156,7 @@ HOME_ROOT/lost\+found/.*		<<none>>
  /opt			-d	gen_context(system_u:object_r:usr_t,s0)
  /opt/.*				gen_context(system_u:object_r:usr_t,s0)
  
@@ -13879,7 +13945,7 @@ index c19518a..b630279c 100644
  
  #
  # /proc
-@@ -154,6 +165,12 @@ HOME_ROOT/lost\+found/.*		<<none>>
+@@ -154,6 +164,12 @@ HOME_ROOT/lost\+found/.*		<<none>>
  /proc			-d	<<none>>
  /proc/.*			<<none>>
  
@@ -13892,7 +13958,7 @@ index c19518a..b630279c 100644
  #
  # /run
  #
-@@ -214,7 +231,6 @@ HOME_ROOT/lost\+found/.*		<<none>>
+@@ -214,7 +230,6 @@ HOME_ROOT/lost\+found/.*		<<none>>
  
  ifndef(`distro_redhat',`
  /usr/local/src(/.*)?		gen_context(system_u:object_r:src_t,s0)
@@ -13900,7 +13966,7 @@ index c19518a..b630279c 100644
  /usr/src(/.*)?			gen_context(system_u:object_r:src_t,s0)
  /usr/src/kernels/.+/lib(/.*)?	gen_context(system_u:object_r:usr_t,s0)
  ')
-@@ -230,17 +246,20 @@ ifndef(`distro_redhat',`
+@@ -230,17 +245,20 @@ ifndef(`distro_redhat',`
  
  /var/ftp/etc(/.*)?		gen_context(system_u:object_r:etc_t,s0)
  
@@ -13922,14 +13988,14 @@ index c19518a..b630279c 100644
  /var/run/.*			gen_context(system_u:object_r:var_run_t,s0)
  /var/run/.*\.*pid		<<none>>
  
-@@ -257,3 +276,5 @@ ifndef(`distro_redhat',`
+@@ -257,3 +275,5 @@ ifndef(`distro_redhat',`
  ifdef(`distro_debian',`
  /var/run/motd		--	gen_context(system_u:object_r:etc_runtime_t,s0)
  ')
 +/nsr(/.*)?			gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?			gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index ff006ea..ff0c14f 100644
+index ff006ea..9a8a169 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
 @@ -55,6 +55,7 @@
@@ -13966,7 +14032,7 @@ index ff006ea..ff0c14f 100644
 +	')
 +
 +	manage_files_pattern($1, non_security_file_type, non_security_file_type)
-+	read_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
++	manage_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
 +')
 +
 +########################################
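Review bot: switching `read_lnk_files_pattern` to `manage_lnk_files_pattern` over non_security_file_type lets the caller create, rename and delete symlinks on every non-security file type rather than just follow them; the interface summary, which starts before this hunk, should be updated to say it manages symlinks too. The interface name is outside the hunk, so I cannot tell whether its existing callers expect that.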
@@ -14489,7 +14555,7 @@ index ff006ea..ff0c14f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4165,33 +4461,69 @@ interface(`files_setattr_all_tmp_dirs',`
+@@ -4165,34 +4461,70 @@ interface(`files_setattr_all_tmp_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -14525,6 +14591,7 @@ index ff006ea..ff0c14f 100644
  	')
  
 -	allow $1 var_t:dir search_dir_perms;
+-	relabel_dirs_pattern($1, tmpfile, tmpfile)
 +	allow $1 tmpfile:dir { search_dir_perms setattr };
 +')
 +
@@ -14565,9 +14632,10 @@ index ff006ea..ff0c14f 100644
 +	')
 +
 +	allow $1 var_t:dir search_dir_perms;
- 	relabel_dirs_pattern($1, tmpfile, tmpfile)
++	relabel_dirs_pattern($1, tmpfile, tmpfile)
  ')
  
+ ########################################
 @@ -4202,7 +4534,7 @@ interface(`files_relabel_all_tmp_dirs',`
  ## </summary>
  ## <param name="domain">
@@ -14702,7 +14770,8 @@ index ff006ea..ff0c14f 100644
 +	files_search_locks($1)
 +	allow $1 var_lock_t:dir create_dir_perms;
 +')
-+
+ 
+-	list_dirs_pattern($1, var_t, var_lock_t)
 +########################################
 +## <summary>
 +##	Set the attributes of the /var/lock directory.
@@ -14717,8 +14786,7 @@ index ff006ea..ff0c14f 100644
 +	gen_require(`
 +		type var_lock_t;
 +	')
- 
--	list_dirs_pattern($1, var_t, var_lock_t)
++
 +	allow $1 var_lock_t:dir setattr;
  ')
  
@@ -14847,7 +14915,33 @@ index ff006ea..ff0c14f 100644
  ########################################
  ## <summary>
  ##	Do not audit attempts to search
-@@ -5736,7 +6156,7 @@ interface(`files_pid_filetrans',`
+@@ -5629,6 +6049,25 @@ interface(`files_dontaudit_search_pids',`
+ 
+ ########################################
+ ## <summary>
++##	Do not audit attempts to search
++##	the all /var/run directory.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`files_dontaudit_search_all_pids',`
++	gen_require(`
++		attribute pidfile;
++	')
++
++	dontaudit $1 pidfile:dir search_dir_perms;
++')
++
++########################################
++## <summary>
+ ##	List the contents of the runtime process
+ ##	ID directories (/var/run).
+ ## </summary>
+@@ -5736,7 +6175,7 @@ interface(`files_pid_filetrans',`
  	')
  
  	allow $1 var_t:dir search_dir_perms;
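Review bot: the summary of the new `files_dontaudit_search_all_pids` reads `the all /var/run directory`, which is ungrammatical and does not say that it covers every type with the pidfile attribute. Suggest `##	Do not audit attempts to search` followed by `##	all runtime process ID directories (/var/run).`. The rest of the interface follows the pattern of files_dontaudit_search_pids above it.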
@@ -14856,7 +14950,7 @@ index ff006ea..ff0c14f 100644
  ')
  
  ########################################
-@@ -5815,29 +6235,25 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -5815,29 +6254,25 @@ interface(`files_dontaudit_ioctl_all_pids',`
  
  ########################################
  ## <summary>
@@ -14890,7 +14984,7 @@ index ff006ea..ff0c14f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5845,42 +6261,35 @@ interface(`files_read_all_pids',`
+@@ -5845,42 +6280,35 @@ interface(`files_read_all_pids',`
  ##	</summary>
  ## </param>
  #
@@ -14940,7 +15034,7 @@ index ff006ea..ff0c14f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5888,20 +6297,17 @@ interface(`files_delete_all_pids',`
+@@ -5888,20 +6316,17 @@ interface(`files_delete_all_pids',`
  ##	</summary>
  ## </param>
  #
@@ -14964,7 +15058,7 @@ index ff006ea..ff0c14f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5909,56 +6315,59 @@ interface(`files_delete_all_pid_dirs',`
+@@ -5909,56 +6334,59 @@ interface(`files_delete_all_pid_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -15040,7 +15134,7 @@ index ff006ea..ff0c14f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5966,18 +6375,17 @@ interface(`files_list_spool',`
+@@ -5966,18 +6394,17 @@ interface(`files_list_spool',`
  ##	</summary>
  ## </param>
  #
@@ -15063,7 +15157,7 @@ index ff006ea..ff0c14f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5985,19 +6393,18 @@ interface(`files_manage_generic_spool_dirs',`
+@@ -5985,19 +6412,18 @@ interface(`files_manage_generic_spool_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -15088,7 +15182,7 @@ index ff006ea..ff0c14f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6005,104 +6412,61 @@ interface(`files_read_generic_spool',`
+@@ -6005,50 +6431,61 @@ interface(`files_read_generic_spool',`
  ##	</summary>
  ## </param>
  #
@@ -15122,44 +15216,64 @@ index ff006ea..ff0c14f 100644
 -##	</summary>
 -## </param>
 -## <param name="class">
--##	<summary>
++#
++interface(`files_mounton_all_poly_members',`
++	gen_require(`
++		attribute polymember;
++	')
++
++	allow $1 polymember:dir mounton;
++')
++
++########################################
++## <summary>
++##	Delete all process IDs.
++## </summary>
++## <param name="domain">
+ ##	<summary>
 -##	Object class(es) (single or set including {}) for which this
 -##	the transition will occur.
--##	</summary>
--## </param>
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
++## <rolecap/>
  #
 -interface(`files_spool_filetrans',`
-+interface(`files_mounton_all_poly_members',`
++interface(`files_delete_all_pids',`
  	gen_require(`
 -		type var_t, var_spool_t;
-+		attribute polymember;
++		attribute pidfile;
++		type var_t, var_run_t;
  	')
  
--	allow $1 var_t:dir search_dir_perms;
+ 	allow $1 var_t:dir search_dir_perms;
 -	filetrans_pattern($1, var_spool_t, $2, $3)
-+	allow $1 polymember:dir mounton;
++	allow $1 var_run_t:dir rmdir;
++	allow $1 var_run_t:lnk_file delete_lnk_file_perms;
++	delete_files_pattern($1, pidfile, pidfile)
++	delete_fifo_files_pattern($1, pidfile, pidfile)
++	delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
  ')
  
  ########################################
  ## <summary>
 -##	Allow access to manage all polyinstantiated
 -##	directories on the system.
-+##	Delete all process IDs.
++##	Delete all process ID directories.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
- ##	Domain allowed access.
+@@ -6056,23 +6493,275 @@ interface(`files_spool_filetrans',`
  ##	</summary>
  ## </param>
-+## <rolecap/>
  #
 -interface(`files_polyinstantiate_all',`
-+interface(`files_delete_all_pids',`
++interface(`files_delete_all_pid_dirs',`
  	gen_require(`
 -		attribute polydir, polymember, polyparent;
 -		type poly_t;
 +		attribute pidfile;
-+		type var_t, var_run_t;
++		type var_t;
  	')
  
 -	# Need to give access to /selinux/member
@@ -15170,64 +15284,12 @@ index ff006ea..ff0c14f 100644
 -
 -	# Need to give access to the directories to be polyinstantiated
 -	allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
--
--	# Need to give access to the polyinstantiated subdirectories
--	allow $1 polymember:dir search_dir_perms;
--
--	# Need to give access to parent directories where original
--	# is remounted for polyinstantiation aware programs (like gdm)
--	allow $1 polyparent:dir { getattr mounton };
--
--	# Need to give permission to create directories where applicable
--	allow $1 self:process setfscreate;
--	allow $1 polymember: dir { create setattr relabelto };
--	allow $1 polydir: dir { write add_name open };
--	allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
--
--	# Default type for mountpoints
--	allow $1 poly_t:dir { create mounton };
--	fs_unmount_xattr_fs($1)
--
--	fs_mount_tmpfs($1)
--	fs_unmount_tmpfs($1)
--
--	ifdef(`distro_redhat',`
--		# namespace.init
--		files_search_tmp($1)
--		files_search_home($1)
--		corecmd_exec_bin($1)
--		seutil_domtrans_setfiles($1)
--	')
-+	allow $1 var_t:dir search_dir_perms;
-+	allow $1 var_run_t:dir rmdir;
-+	allow $1 var_run_t:lnk_file delete_lnk_file_perms;
-+	delete_files_pattern($1, pidfile, pidfile)
-+	delete_fifo_files_pattern($1, pidfile, pidfile)
-+	delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
- ')
- 
- ########################################
- ## <summary>
--##	Unconfined access to files.
-+##	Delete all process ID directories.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -6110,10 +6474,597 @@ interface(`files_polyinstantiate_all',`
- ##	</summary>
- ## </param>
- #
--interface(`files_unconfined',`
-+interface(`files_delete_all_pid_dirs',`
-+	gen_require(`
-+		attribute pidfile;
-+		type var_t;
-+	')
-+
 +	allow $1 var_t:dir search_dir_perms;
 +	delete_dirs_pattern($1, pidfile, pidfile)
 +')
-+
+ 
+-	# Need to give access to the polyinstantiated subdirectories
+-	allow $1 polymember:dir search_dir_perms;
 +########################################
 +## <summary>
 +##	Make the specified type a file
@@ -15487,47 +15549,10 @@ index ff006ea..ff0c14f 100644
 +
 +	# Need to give access to the polyinstantiated subdirectories
 +	allow $1 polymember:dir search_dir_perms;
-+
-+	# Need to give access to parent directories where original
-+	# is remounted for polyinstantiation aware programs (like gdm)
-+	allow $1 polyparent:dir { getattr mounton };
-+
-+	# Need to give permission to create directories where applicable
-+	allow $1 self:process setfscreate;
-+	allow $1 polymember: dir { create setattr relabelto };
-+	allow $1 polydir: dir { write add_name open };
-+	allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
-+
-+	# Default type for mountpoints
-+	allow $1 poly_t:dir { create mounton };
-+	fs_unmount_xattr_fs($1)
-+
-+	fs_mount_tmpfs($1)
-+	fs_unmount_tmpfs($1)
-+
-+	ifdef(`distro_redhat',`
-+		# namespace.init
-+		files_search_tmp($1)
-+		files_search_home($1)
-+		corecmd_exec_bin($1)
-+		seutil_domtrans_setfiles($1)
-+	')
-+')
-+
-+########################################
-+## <summary>
-+##	Unconfined access to files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_unconfined',`
- 	gen_require(`
- 		attribute files_unconfined_type;
- 	')
+ 
+ 	# Need to give access to parent directories where original
+ 	# is remounted for polyinstantiation aware programs (like gdm)
+@@ -6117,3 +6806,284 @@ interface(`files_unconfined',`
  
  	typeattribute $1 files_unconfined_type;
  ')
@@ -18250,7 +18275,7 @@ index be4de58..7e8b6ec 100644
  init_exec(secadm_t)
  
 diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 2be17d2..1a6d9d1 100644
+index 2be17d2..afb3532 100644
 --- a/policy/modules/roles/staff.te
 +++ b/policy/modules/roles/staff.te
 @@ -8,12 +8,53 @@ policy_module(staff, 2.2.0)
@@ -18356,7 +18381,7 @@ index 2be17d2..1a6d9d1 100644
 +')
 +
 +optional_policy(`
-+	mozilla_run_plugin(staff_t, staff_r)
++	mozilla_run_plugin(staff_usertype, staff_r)
 +')
 +
 +optional_policy(`
@@ -20171,7 +20196,7 @@ index 0000000..f88b087
 +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
 +
 diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
-index e5bfdd4..127cbfa 100644
+index e5bfdd4..42c1458 100644
 --- a/policy/modules/roles/unprivuser.te
 +++ b/policy/modules/roles/unprivuser.te
 @@ -12,15 +12,82 @@ role user_r;
@@ -20217,7 +20242,7 @@ index e5bfdd4..127cbfa 100644
 +')
 +
 +optional_policy(`
-+	mozilla_run_plugin(user_t, user_r)
++	mozilla_run_plugin(user_usertype, user_r)
 +')
 +
 +optional_policy(`
@@ -20309,7 +20334,7 @@ index 0ecc786..dbf2710 100644
  userdom_dontaudit_search_user_home_dirs(webadm_t)
  
 diff --git a/policy/modules/roles/xguest.te b/policy/modules/roles/xguest.te
-index e88b95f..0eb55db 100644
+index e88b95f..1cd57fd 100644
 --- a/policy/modules/roles/xguest.te
 +++ b/policy/modules/roles/xguest.te
 @@ -14,14 +14,14 @@ gen_tunable(xguest_mount_media, true)
@@ -20413,7 +20438,7 @@ index e88b95f..0eb55db 100644
 +')
 +
 +optional_policy(`
-+	mozilla_run_plugin(xguest_t, xguest_r)
++	mozilla_run_plugin(xguest_usertype, xguest_r)
 +')
 +
 +optional_policy(`
@@ -21549,7 +21574,7 @@ index deca9d3..ae8c579 100644
  ')
  
 diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
-index 9e39aa5..a0876b5 100644
+index 9e39aa5..d7a8d41 100644
 --- a/policy/modules/services/apache.fc
 +++ b/policy/modules/services/apache.fc
 @@ -1,13 +1,18 @@
@@ -21572,16 +21597,17 @@ index 9e39aa5..a0876b5 100644
  /etc/lighttpd(/.*)?			gen_context(system_u:object_r:httpd_config_t,s0)
  /etc/mock/koji(/.*)? 			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
  /etc/rc\.d/init\.d/httpd	--	gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
-@@ -16,6 +21,8 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u
+@@ -16,6 +21,9 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u
  /etc/vhosts			--	gen_context(system_u:object_r:httpd_config_t,s0)
  /etc/zabbix/web(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
  
 +/lib/systemd/system/httpd.?\.service  --              gen_context(system_u:object_r:httpd_unit_t,s0)
++/usr/libexec/httpd-ssl-pass-dialog      --      gen_context(system_u:object_r:httpd_passwd_exec_t,s0)
 +
  /srv/([^/]*/)?www(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /srv/gallery2(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
  
-@@ -24,16 +31,17 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u
+@@ -24,16 +32,17 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u
  
  /usr/lib/apache-ssl/.+		--	gen_context(system_u:object_r:httpd_exec_t,s0)
  /usr/lib/cgi-bin(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
@@ -21606,7 +21632,7 @@ index 9e39aa5..a0876b5 100644
  /usr/sbin/httpd(\.worker)?	--	gen_context(system_u:object_r:httpd_exec_t,s0)
  /usr/sbin/lighttpd		--	gen_context(system_u:object_r:httpd_exec_t,s0)
  /usr/sbin/rotatelogs		--	gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
-@@ -43,8 +51,9 @@ ifdef(`distro_suse', `
+@@ -43,8 +52,9 @@ ifdef(`distro_suse', `
  /usr/sbin/httpd2-.*		--	gen_context(system_u:object_r:httpd_exec_t,s0)
  ')
  
@@ -21618,7 +21644,19 @@ index 9e39aa5..a0876b5 100644
  /usr/share/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /usr/share/icecast(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /usr/share/mythweb(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
-@@ -73,8 +82,10 @@ ifdef(`distro_suse', `
+@@ -54,9 +64,11 @@ ifdef(`distro_suse', `
+ /usr/share/ntop/html(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
+ /usr/share/openca/htdocs(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
+ /usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/usr/share/wordpress/.*\.php		--		gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+ /usr/share/wordpress-mu/wp-config\.php	-- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+ /usr/share/wordpress-mu/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+ /usr/share/wordpress/wp-content/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/usr/share/wordpress/wp-content/upgrade(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+ 
+ /var/cache/httpd(/.*)?			gen_context(system_u:object_r:httpd_cache_t,s0)
+ /var/cache/lighttpd(/.*)?		gen_context(system_u:object_r:httpd_cache_t,s0)
+@@ -73,8 +85,10 @@ ifdef(`distro_suse', `
  /var/cache/ssl.*\.sem		--	gen_context(system_u:object_r:httpd_cache_t,s0)
  
  /var/lib/cacti/rra(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
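Review bot: `/usr/share/wordpress/.*\.php` labels every PHP file under the WordPress tree `httpd_sys_script_exec_t`, whereas the neighbouring wordpress-mu rule limits that label to `wp-config\.php`; since `httpd_sys_script_exec_t` is the type the `httpd_enable_cgi` transitions key on, this widens the set of script entry points considerably. The new `wp-content/upgrade(/.*)?` rule and the existing `wp-content/uploads(/.*)?` rule should still win for PHP files written into those httpd-writable directories, because their literal stem is longer, so such files stay `httpd_sys_rw_content_t` rather than becoming executable scripts — but that rests on file_contexts ordering rather than on anything stated here, so I would confirm it with matchpathcon on a sample path under each directory before merging. A short comment on the `.*\.php` line saying why the broad match is needed would also help the next reader.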
@@ -21630,7 +21668,7 @@ index 9e39aa5..a0876b5 100644
  /var/lib/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /var/lib/httpd(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
  /var/lib/php/session(/.*)?		gen_context(system_u:object_r:httpd_var_run_t,s0)
-@@ -84,9 +95,10 @@ ifdef(`distro_suse', `
+@@ -84,9 +98,10 @@ ifdef(`distro_suse', `
  /var/log/apache-ssl(2)?(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
  /var/log/cacti(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
  /var/log/cgiwrap\.log.*		--	gen_context(system_u:object_r:httpd_log_t,s0)
@@ -21642,7 +21680,7 @@ index 9e39aa5..a0876b5 100644
  
  ifdef(`distro_debian', `
  /var/log/horde2(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
-@@ -105,7 +117,27 @@ ifdef(`distro_debian', `
+@@ -105,7 +120,27 @@ ifdef(`distro_debian', `
  
  /var/www(/.*)?				gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /var/www(/.*)?/logs(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
@@ -21671,7 +21709,7 @@ index 9e39aa5..a0876b5 100644
 +/var/run/dirsrv/admin-serv.*	gen_context(system_u:object_r:httpd_var_run_t,s0)
 +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?       gen_context(system_u:object_r:httpd_var_run_t,s0)
 diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
-index 6480167..970916e 100644
+index 6480167..13d57b7 100644
 --- a/policy/modules/services/apache.if
 +++ b/policy/modules/services/apache.if
 @@ -13,17 +13,13 @@
@@ -21770,7 +21808,7 @@ index 6480167..970916e 100644
  	# Allow the web server to run scripts and serve pages
  	tunable_policy(`httpd_builtin_scripting',`
  		manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-@@ -140,26 +123,36 @@ template(`apache_content_template',`
+@@ -140,26 +123,37 @@ template(`apache_content_template',`
  		allow httpd_t httpd_$1_content_t:dir list_dir_perms;
  		read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
  		read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
@@ -21791,6 +21829,7 @@ index 6480167..970916e 100644
  		domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
  
 +		allow httpd_t httpd_$1_script_exec_t:file read_file_perms;
++		allow httpd_t httpd_$1_script_exec_t:lnk_file read_lnk_file_perms;
 +
  		allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };
  		allow httpd_t httpd_$1_script_exec_t:dir list_dir_perms;
@@ -21807,7 +21846,7 @@ index 6480167..970916e 100644
  		kernel_read_system_state(httpd_$1_script_t)
  
  		dev_read_urand(httpd_$1_script_t)
-@@ -172,6 +165,7 @@ template(`apache_content_template',`
+@@ -172,6 +166,7 @@ template(`apache_content_template',`
  		libs_read_lib_files(httpd_$1_script_t)
  
  		miscfiles_read_localization(httpd_$1_script_t)
@@ -21815,7 +21854,7 @@ index 6480167..970916e 100644
  	')
  
  	optional_policy(`
-@@ -182,10 +176,6 @@ template(`apache_content_template',`
+@@ -182,10 +177,6 @@ template(`apache_content_template',`
  
  	optional_policy(`
  		postgresql_unpriv_client(httpd_$1_script_t)
@@ -21826,7 +21865,7 @@ index 6480167..970916e 100644
  	')
  
  	optional_policy(`
-@@ -211,9 +201,8 @@ template(`apache_content_template',`
+@@ -211,9 +202,8 @@ template(`apache_content_template',`
  interface(`apache_role',`
  	gen_require(`
  		attribute httpdcontent;
@@ -21838,7 +21877,7 @@ index 6480167..970916e 100644
  	')
  
  	role $1 types httpd_user_script_t;
-@@ -234,6 +223,13 @@ interface(`apache_role',`
+@@ -234,6 +224,13 @@ interface(`apache_role',`
  	relabel_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
  	relabel_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
  
@@ -21852,7 +21891,7 @@ index 6480167..970916e 100644
  	manage_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
  	manage_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
  	manage_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
-@@ -248,6 +244,9 @@ interface(`apache_role',`
+@@ -248,6 +245,9 @@ interface(`apache_role',`
  	relabel_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
  	relabel_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
  
@@ -21862,7 +21901,7 @@ index 6480167..970916e 100644
  	tunable_policy(`httpd_enable_cgi',`
  		# If a user starts a script by hand it gets the proper context
  		domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t)
-@@ -317,6 +316,25 @@ interface(`apache_domtrans',`
+@@ -317,6 +317,25 @@ interface(`apache_domtrans',`
  	domtrans_pattern($1, httpd_exec_t, httpd_t)
  ')
  
@@ -21888,7 +21927,7 @@ index 6480167..970916e 100644
  #######################################
  ## <summary>
  ##	Send a generic signal to apache.
-@@ -405,7 +423,7 @@ interface(`apache_dontaudit_rw_fifo_file',`
+@@ -405,7 +424,7 @@ interface(`apache_dontaudit_rw_fifo_file',`
  		type httpd_t;
  	')
  
@@ -21897,7 +21936,7 @@ index 6480167..970916e 100644
  ')
  
  ########################################
-@@ -487,7 +505,7 @@ interface(`apache_setattr_cache_dirs',`
+@@ -487,7 +506,7 @@ interface(`apache_setattr_cache_dirs',`
  		type httpd_cache_t;
  	')
  
@@ -21906,7 +21945,7 @@ index 6480167..970916e 100644
  ')
  
  ########################################
-@@ -531,6 +549,25 @@ interface(`apache_rw_cache_files',`
+@@ -531,6 +550,25 @@ interface(`apache_rw_cache_files',`
  ########################################
  ## <summary>
  ##	Allow the specified domain to delete
@@ -21932,7 +21971,7 @@ index 6480167..970916e 100644
  ##	Apache cache.
  ## </summary>
  ## <param name="domain">
-@@ -549,6 +586,26 @@ interface(`apache_delete_cache_files',`
+@@ -549,6 +587,26 @@ interface(`apache_delete_cache_files',`
  
  ########################################
  ## <summary>
@@ -21959,7 +21998,7 @@ index 6480167..970916e 100644
  ##	Allow the specified domain to read
  ##	apache configuration files.
  ## </summary>
-@@ -699,7 +756,7 @@ interface(`apache_dontaudit_append_log',`
+@@ -699,7 +757,7 @@ interface(`apache_dontaudit_append_log',`
  		type httpd_log_t;
  	')
  
@@ -21968,7 +22007,7 @@ index 6480167..970916e 100644
  ')
  
  ########################################
-@@ -745,6 +802,25 @@ interface(`apache_dontaudit_search_modules',`
+@@ -745,6 +803,25 @@ interface(`apache_dontaudit_search_modules',`
  
  ########################################
  ## <summary>
@@ -21994,7 +22033,7 @@ index 6480167..970916e 100644
  ##	Allow the specified domain to list
  ##	the contents of the apache modules
  ##	directory.
-@@ -761,6 +837,7 @@ interface(`apache_list_modules',`
+@@ -761,6 +838,7 @@ interface(`apache_list_modules',`
  	')
  
  	allow $1 httpd_modules_t:dir list_dir_perms;
@@ -22002,7 +22041,7 @@ index 6480167..970916e 100644
  ')
  
  ########################################
-@@ -802,6 +879,24 @@ interface(`apache_domtrans_rotatelogs',`
+@@ -802,6 +880,24 @@ interface(`apache_domtrans_rotatelogs',`
  	domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
  ')
  
@@ -22027,7 +22066,7 @@ index 6480167..970916e 100644
  ########################################
  ## <summary>
  ##	Allow the specified domain to list
-@@ -819,6 +914,7 @@ interface(`apache_list_sys_content',`
+@@ -819,6 +915,7 @@ interface(`apache_list_sys_content',`
  	')
  
  	list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
@@ -22035,7 +22074,7 @@ index 6480167..970916e 100644
  	files_search_var($1)
  ')
  
-@@ -846,6 +942,74 @@ interface(`apache_manage_sys_content',`
+@@ -846,6 +943,74 @@ interface(`apache_manage_sys_content',`
  	manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
  ')
  
@@ -22110,7 +22149,7 @@ index 6480167..970916e 100644
  ########################################
  ## <summary>
  ##	Execute all web scripts in the system
-@@ -862,7 +1026,12 @@ interface(`apache_manage_sys_content',`
+@@ -862,7 +1027,12 @@ interface(`apache_manage_sys_content',`
  interface(`apache_domtrans_sys_script',`
  	gen_require(`
  		attribute httpdcontent;
@@ -22124,7 +22163,7 @@ index 6480167..970916e 100644
  	')
  
  	tunable_policy(`httpd_enable_cgi && httpd_unified',`
-@@ -921,9 +1090,10 @@ interface(`apache_domtrans_all_scripts',`
+@@ -921,9 +1091,10 @@ interface(`apache_domtrans_all_scripts',`
  ## </param>
  ## <param name="role">
  ##	<summary>
@@ -22136,7 +22175,7 @@ index 6480167..970916e 100644
  #
  interface(`apache_run_all_scripts',`
  	gen_require(`
-@@ -950,7 +1120,7 @@ interface(`apache_read_squirrelmail_data',`
+@@ -950,7 +1121,7 @@ interface(`apache_read_squirrelmail_data',`
  		type httpd_squirrelmail_t;
  	')
  
@@ -22145,7 +22184,7 @@ index 6480167..970916e 100644
  ')
  
  ########################################
-@@ -1091,6 +1261,25 @@ interface(`apache_read_tmp_files',`
+@@ -1091,6 +1262,25 @@ interface(`apache_read_tmp_files',`
  	read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
  ')
  
@@ -22171,7 +22210,7 @@ index 6480167..970916e 100644
  ########################################
  ## <summary>
  ##	Dontaudit attempts to write
-@@ -1107,7 +1296,7 @@ interface(`apache_dontaudit_write_tmp_files',`
+@@ -1107,7 +1297,7 @@ interface(`apache_dontaudit_write_tmp_files',`
  		type httpd_tmp_t;
  	')
  
@@ -22180,7 +22219,7 @@ index 6480167..970916e 100644
  ')
  
  ########################################
-@@ -1170,17 +1359,15 @@ interface(`apache_cgi_domain',`
+@@ -1170,17 +1360,15 @@ interface(`apache_cgi_domain',`
  #
  interface(`apache_admin',`
  	gen_require(`
@@ -22203,7 +22242,7 @@ index 6480167..970916e 100644
  	ps_process_pattern($1, httpd_t)
  
  	init_labeled_script_domtrans($1, httpd_initrc_exec_t)
-@@ -1191,10 +1378,10 @@ interface(`apache_admin',`
+@@ -1191,10 +1379,10 @@ interface(`apache_admin',`
  	apache_manage_all_content($1)
  	miscfiles_manage_public_files($1)
  
@@ -22216,7 +22255,7 @@ index 6480167..970916e 100644
  	admin_pattern($1, httpd_log_t)
  
  	admin_pattern($1, httpd_modules_t)
-@@ -1205,14 +1392,69 @@ interface(`apache_admin',`
+@@ -1205,14 +1393,69 @@ interface(`apache_admin',`
  	admin_pattern($1, httpd_var_run_t)
  	files_pid_filetrans($1, httpd_var_run_t, file)
  
@@ -22292,7 +22331,7 @@ index 6480167..970916e 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
  ')
 diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 3136c6a..0bd28a9 100644
+index 3136c6a..9b19325 100644
 --- a/policy/modules/services/apache.te
 +++ b/policy/modules/services/apache.te
 @@ -18,130 +18,195 @@ policy_module(apache, 2.2.1)
@@ -22604,7 +22643,7 @@ index 3136c6a..0bd28a9 100644
  typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
  typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
  typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
-@@ -254,9 +337,13 @@ files_type(httpd_var_lib_t)
+@@ -254,14 +337,25 @@ files_type(httpd_var_lib_t)
  type httpd_var_run_t;
  files_pid_file(httpd_var_run_t)
  
@@ -22618,7 +22657,19 @@ index 3136c6a..0bd28a9 100644
  
  optional_policy(`
  	prelink_object_file(httpd_modules_t)
-@@ -281,11 +368,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
+ ')
+ 
++type httpd_passwd_t;
++type httpd_passwd_exec_t;
++application_domain(httpd_passwd_t, httpd_passwd_exec_t)
++role system_r types httpd_passwd_t;
++
++permissive httpd_passwd_t;
++
+ ########################################
+ #
+ # Apache server local policy
+@@ -281,11 +375,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
  allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow httpd_t self:tcp_socket create_stream_socket_perms;
  allow httpd_t self:udp_socket create_socket_perms;
@@ -22632,7 +22683,7 @@ index 3136c6a..0bd28a9 100644
  
  # Allow the httpd_t to read the web servers config files
  allow httpd_t httpd_config_t:dir list_dir_perms;
-@@ -329,8 +418,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
+@@ -329,8 +425,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
  
  manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
  manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
@@ -22643,16 +22694,17 @@ index 3136c6a..0bd28a9 100644
  
  manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
  manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
-@@ -355,6 +445,8 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -355,6 +452,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  kernel_read_kernel_sysctls(httpd_t)
  # for modules that want to access /proc/meminfo
  kernel_read_system_state(httpd_t)
 +kernel_read_network_state(httpd_t)
++kernel_read_network_state(httpd_t)
 +kernel_search_network_sysctl(httpd_t)
  
  corenet_all_recvfrom_unlabeled(httpd_t)
  corenet_all_recvfrom_netlabel(httpd_t)
-@@ -365,11 +457,14 @@ corenet_udp_sendrecv_generic_node(httpd_t)
+@@ -365,11 +465,15 @@ corenet_udp_sendrecv_generic_node(httpd_t)
  corenet_tcp_sendrecv_all_ports(httpd_t)
  corenet_udp_sendrecv_all_ports(httpd_t)
  corenet_tcp_bind_generic_node(httpd_t)
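Review bot: `kernel_read_network_state(httpd_t)` is added a second time directly below the line that already adds it, so the regenerated policy-F16.patch will carry the call twice in apache.te. Duplicate rules are harmless to the policy compiler, but the bumped count in the inner header (`+@@ -355,6 +452,9 @@`) shows the repeat was picked up as a real addition, so the extra line should be dropped and the following apache.te hunk offsets regenerated. This looks like a merge artefact rather than an intended change.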
@@ -22662,13 +22714,14 @@ index 3136c6a..0bd28a9 100644
 +corenet_tcp_bind_ntop_port(httpd_t)
 +corenet_tcp_bind_jboss_management_port(httpd_t)
  corenet_sendrecv_http_server_packets(httpd_t)
++corenet_tcp_bind_puppet_port(httpd_t)
  # Signal self for shutdown
 -corenet_tcp_connect_http_port(httpd_t)
 +#corenet_tcp_connect_http_port(httpd_t)
  
  dev_read_sysfs(httpd_t)
  dev_read_rand(httpd_t)
-@@ -378,12 +473,12 @@ dev_rw_crypto(httpd_t)
+@@ -378,12 +482,12 @@ dev_rw_crypto(httpd_t)
  
  fs_getattr_all_fs(httpd_t)
  fs_search_auto_mountpoints(httpd_t)
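Review bot: `corenet_tcp_bind_puppet_port(httpd_t)` is granted unconditionally, so every httpd_t instance on every host may bind the puppet port, not only the passenger-hosted puppetmaster the commit message targets. The file already gates a comparable bind behind a boolean (the `httpd_enable_ftp_server` tunable guarding `corenet_tcp_bind_ftp_port(httpd_t)` later in this file), and the same treatment here would keep the default listening surface of httpd_t unchanged on hosts that do not run puppet. As a placement nit, the new line sits between `corenet_sendrecv_http_server_packets(httpd_t)` and the `# Signal self for shutdown` comment rather than with the other `corenet_tcp_bind_*` lines just above it.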
@@ -22684,7 +22737,7 @@ index 3136c6a..0bd28a9 100644
  
  domain_use_interactive_fds(httpd_t)
  
-@@ -391,6 +486,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
+@@ -391,6 +495,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
  files_read_usr_files(httpd_t)
  files_list_mnt(httpd_t)
  files_search_spool(httpd_t)
@@ -22692,7 +22745,7 @@ index 3136c6a..0bd28a9 100644
  files_read_var_lib_files(httpd_t)
  files_search_home(httpd_t)
  files_getattr_home_dir(httpd_t)
-@@ -402,6 +498,13 @@ files_read_etc_files(httpd_t)
+@@ -402,9 +507,20 @@ files_read_etc_files(httpd_t)
  files_read_var_lib_symlinks(httpd_t)
  
  fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -22706,7 +22759,14 @@ index 3136c6a..0bd28a9 100644
  
  libs_read_lib_files(httpd_t)
  
-@@ -416,34 +519,74 @@ seutil_dontaudit_search_config(httpd_t)
++ifdef(`hide_broken_symptoms',`
++	libs_exec_lib_files(httpd_t)
++')
++
+ logging_send_syslog_msg(httpd_t)
+ 
+ miscfiles_read_localization(httpd_t)
+@@ -416,34 +532,74 @@ seutil_dontaudit_search_config(httpd_t)
  
  userdom_use_unpriv_users_fds(httpd_t)
  
@@ -22783,7 +22843,7 @@ index 3136c6a..0bd28a9 100644
  ')
  
  tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -456,6 +599,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -456,6 +612,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
  
  tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
  	domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
@@ -22794,7 +22854,7 @@ index 3136c6a..0bd28a9 100644
  
  	manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
  	manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
-@@ -466,15 +613,27 @@ tunable_policy(`httpd_enable_ftp_server',`
+@@ -466,15 +626,27 @@ tunable_policy(`httpd_enable_ftp_server',`
  	corenet_tcp_bind_ftp_port(httpd_t)
  ')
  
@@ -22824,7 +22884,7 @@ index 3136c6a..0bd28a9 100644
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_t)
  	fs_read_cifs_symlinks(httpd_t)
-@@ -484,7 +643,16 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -484,7 +656,16 @@ tunable_policy(`httpd_can_sendmail',`
  	# allow httpd to connect to mail servers
  	corenet_tcp_connect_smtp_port(httpd_t)
  	corenet_sendrecv_smtp_client_packets(httpd_t)
@@ -22841,7 +22901,7 @@ index 3136c6a..0bd28a9 100644
  ')
  
  tunable_policy(`httpd_ssi_exec',`
-@@ -499,9 +667,19 @@ tunable_policy(`httpd_ssi_exec',`
+@@ -499,9 +680,19 @@ tunable_policy(`httpd_ssi_exec',`
  # to run correctly without this permission, so the permission
  # are dontaudited here.
  tunable_policy(`httpd_tty_comm',`
@@ -22862,7 +22922,7 @@ index 3136c6a..0bd28a9 100644
  ')
  
  optional_policy(`
-@@ -513,7 +691,13 @@ optional_policy(`
+@@ -513,7 +704,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -22877,7 +22937,7 @@ index 3136c6a..0bd28a9 100644
  ')
  
  optional_policy(`
-@@ -528,7 +712,19 @@ optional_policy(`
+@@ -528,7 +725,19 @@ optional_policy(`
  	daemontools_service_domain(httpd_t, httpd_exec_t)
  ')
  
@@ -22898,7 +22958,7 @@ index 3136c6a..0bd28a9 100644
  	dbus_system_bus_client(httpd_t)
  
  	tunable_policy(`httpd_dbus_avahi',`
-@@ -537,8 +733,13 @@ optional_policy(`
+@@ -537,8 +746,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -22913,7 +22973,7 @@ index 3136c6a..0bd28a9 100644
  	')
  ')
  
-@@ -556,7 +757,13 @@ optional_policy(`
+@@ -556,7 +770,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -22927,7 +22987,7 @@ index 3136c6a..0bd28a9 100644
  	mysql_stream_connect(httpd_t)
  	mysql_rw_db_sockets(httpd_t)
  
-@@ -567,6 +774,7 @@ optional_policy(`
+@@ -567,6 +787,7 @@ optional_policy(`
  
  optional_policy(`
  	nagios_read_config(httpd_t)
@@ -22935,7 +22995,7 @@ index 3136c6a..0bd28a9 100644
  ')
  
  optional_policy(`
-@@ -577,6 +785,16 @@ optional_policy(`
+@@ -577,6 +798,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -22945,6 +23005,10 @@ index 3136c6a..0bd28a9 100644
 +')
 +
 +optional_policy(`
++	puppet_read_lib(httpd_t)
++')
++
++optional_policy(`
 +	rpc_search_nfs_state_data(httpd_t)
 +')
 +
@@ -22952,7 +23016,7 @@ index 3136c6a..0bd28a9 100644
  	# Allow httpd to work with postgresql
  	postgresql_stream_connect(httpd_t)
  	postgresql_unpriv_client(httpd_t)
-@@ -591,6 +809,11 @@ optional_policy(`
+@@ -591,6 +826,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -22964,7 +23028,7 @@ index 3136c6a..0bd28a9 100644
  	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
  	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
  ')
-@@ -603,6 +826,12 @@ optional_policy(`
+@@ -603,6 +843,12 @@ optional_policy(`
  	yam_read_content(httpd_t)
  ')
  
@@ -22977,7 +23041,7 @@ index 3136c6a..0bd28a9 100644
  ########################################
  #
  # Apache helper local policy
-@@ -616,7 +845,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
+@@ -616,7 +862,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
  
  logging_send_syslog_msg(httpd_helper_t)
  
@@ -22990,7 +23054,7 @@ index 3136c6a..0bd28a9 100644
  
  ########################################
  #
-@@ -654,28 +887,30 @@ libs_exec_lib_files(httpd_php_t)
+@@ -654,28 +904,30 @@ libs_exec_lib_files(httpd_php_t)
  userdom_use_unpriv_users_fds(httpd_php_t)
  
  tunable_policy(`httpd_can_network_connect_db',`
@@ -23034,7 +23098,7 @@ index 3136c6a..0bd28a9 100644
  ')
  
  ########################################
-@@ -685,6 +920,8 @@ optional_policy(`
+@@ -685,6 +937,8 @@ optional_policy(`
  
  allow httpd_suexec_t self:capability { setuid setgid };
  allow httpd_suexec_t self:process signal_perms;
@@ -23043,7 +23107,7 @@ index 3136c6a..0bd28a9 100644
  allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
  
  domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-@@ -699,17 +936,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -699,17 +953,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
  
@@ -23069,7 +23133,7 @@ index 3136c6a..0bd28a9 100644
  
  files_read_etc_files(httpd_suexec_t)
  files_read_usr_files(httpd_suexec_t)
-@@ -740,13 +982,31 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -740,13 +999,31 @@ tunable_policy(`httpd_can_network_connect',`
  	corenet_sendrecv_all_client_packets(httpd_suexec_t)
  ')
  
@@ -23102,7 +23166,7 @@ index 3136c6a..0bd28a9 100644
  	fs_read_nfs_files(httpd_suexec_t)
  	fs_read_nfs_symlinks(httpd_suexec_t)
  	fs_exec_nfs_files(httpd_suexec_t)
-@@ -769,6 +1029,25 @@ optional_policy(`
+@@ -769,6 +1046,25 @@ optional_policy(`
  	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
  ')
  
@@ -23128,7 +23192,7 @@ index 3136c6a..0bd28a9 100644
  ########################################
  #
  # Apache system script local policy
-@@ -789,12 +1068,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+@@ -789,12 +1085,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
  
  kernel_read_kernel_sysctls(httpd_sys_script_t)
  
@@ -23146,7 +23210,7 @@ index 3136c6a..0bd28a9 100644
  ifdef(`distro_redhat',`
  	allow httpd_sys_script_t httpd_log_t:file append_file_perms;
  ')
-@@ -803,18 +1087,50 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -803,18 +1104,50 @@ tunable_policy(`httpd_can_sendmail',`
  	mta_send_mail(httpd_sys_script_t)
  ')
  
@@ -23203,7 +23267,7 @@ index 3136c6a..0bd28a9 100644
  	corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
  	corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
  	corenet_tcp_connect_all_ports(httpd_sys_script_t)
-@@ -822,14 +1138,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -822,14 +1155,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
  ')
  
  tunable_policy(`httpd_enable_homedirs',`
@@ -23234,7 +23298,7 @@ index 3136c6a..0bd28a9 100644
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_sys_script_t)
  	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,10 +1173,20 @@ optional_policy(`
+@@ -842,10 +1190,20 @@ optional_policy(`
  optional_policy(`
  	mysql_stream_connect(httpd_sys_script_t)
  	mysql_rw_db_sockets(httpd_sys_script_t)
@@ -23255,7 +23319,7 @@ index 3136c6a..0bd28a9 100644
  ')
  
  ########################################
-@@ -891,11 +1232,21 @@ optional_policy(`
+@@ -891,11 +1249,48 @@ optional_policy(`
  
  tunable_policy(`httpd_enable_cgi && httpd_unified',`
  	allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -23273,13 +23337,40 @@ index 3136c6a..0bd28a9 100644
 +	userdom_search_user_home_content(httpd_t)
 +	userdom_search_user_home_content(httpd_suexec_t)
 +	userdom_search_user_home_content(httpd_user_script_t)
-+')
+ ')
 +
 +tunable_policy(`httpd_read_user_content',`
 +	userdom_read_user_home_content_files(httpd_t)
 +	userdom_read_user_home_content_files(httpd_suexec_t)
 +	userdom_read_user_home_content_files(httpd_user_script_t)
- ')
++')
++
++########################################
++#
++# httpd_passwd local policy
++#
++
++allow httpd_passwd_t self:fifo_file manage_fifo_file_perms;
++allow httpd_passwd_t self:unix_stream_socket create_stream_socket_perms;
++allow httpd_passwd_t self:unix_dgram_socket create_socket_perms;
++
++domain_use_interactive_fds(httpd_passwd_t)
++
++files_read_etc_files(httpd_passwd_t)
++
++miscfiles_read_localization(httpd_passwd_t)
++
++corecmd_exec_bin(httpd_passwd_t)
++
++kernel_read_system_state(httpd_passwd_t)
++
++dev_read_urand(httpd_passwd_t)
++
++systemd_passwd_agent_dev_template(httpd)
++
++domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t)
++dontaudit httpd_passwd_t httpd_config_t:file read;
++
 diff --git a/policy/modules/services/apcupsd.fc b/policy/modules/services/apcupsd.fc
 index cd07b96..9b7742f 100644
 --- a/policy/modules/services/apcupsd.fc
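Review bot: The new httpd_passwd_t domain carries no comment saying which binary is labeled httpd_passwd_exec_t or why the web server needs a password agent, yet `domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t)` is unconditional and `corecmd_exec_bin(httpd_passwd_t)` lets the agent run any bin_t program in that domain. I would add above the "httpd_passwd local policy" header: `# Password agent spawned by httpd_t (presumably the systemd ask-password helper used to obtain TLS key passphrases at startup) - confirm and keep its permissions minimal`. If the agent only needs the /dev access from systemd_passwd_agent_dev_template and a systemd socket, `corecmd_exec_bin` deserves a second look before this ships. The `dontaudit httpd_passwd_t httpd_config_t:file read;` silences a real denial, so a one-line note on what triggers it would help whoever debugs a failed passphrase prompt later. The type declarations for httpd_passwd_t are not in this hunk, so I cannot tell whether systemd_passwd_agent_dev_template(httpd) is what declares them.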
@@ -27026,14 +27117,23 @@ index 0000000..2dfd363
 +')
 +
 diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
-index 74505cc..5f0a8a4 100644
+index 74505cc..810b790 100644
 --- a/policy/modules/services/colord.te
 +++ b/policy/modules/services/colord.te
-@@ -41,8 +41,12 @@ manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
+@@ -23,6 +23,7 @@ files_type(colord_var_lib_t)
+ # colord local policy
+ #
+ allow colord_t self:capability { dac_read_search dac_override };
++dontaudit colord_t self:capability sys_admin;
+ allow colord_t self:process signal;
+ allow colord_t self:fifo_file rw_fifo_file_perms;
+ allow colord_t self:netlink_kobject_uevent_socket create_socket_perms;
+@@ -41,8 +42,13 @@ manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
  manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
  files_var_lib_filetrans(colord_t, colord_var_lib_t, { file dir })
  
 -kernel_getattr_proc_files(colord_t)
++kernel_read_network_state(colord_t)
 +kernel_read_system_state(colord_t)
  kernel_read_device_sysctls(colord_t)
 +kernel_request_load_module(colord_t)
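Review bot: `dontaudit colord_t self:capability sys_admin;` and `kernel_request_load_module(colord_t)` are added without any comment naming the colord operation that triggers them, so the next maintainer cannot distinguish a deliberate silence from a masked bug, and a silenced sys_admin denial is exactly the kind that later gets promoted to an `allow`. I would annotate both, e.g. `# sys_admin denial is noise from <call>; do not promote to allow` and `# module autoload request for <device/driver> - TODO confirm which`. Module autoload lets a compromised colord pull arbitrary modules into the kernel by name, which is why the specific trigger is worth recording rather than inferred.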
@@ -27043,7 +27143,7 @@ index 74505cc..5f0a8a4 100644
  
  corenet_all_recvfrom_unlabeled(colord_t)
  corenet_all_recvfrom_netlabel(colord_t)
-@@ -50,6 +54,8 @@ corenet_udp_bind_generic_node(colord_t)
+@@ -50,6 +56,8 @@ corenet_udp_bind_generic_node(colord_t)
  corenet_udp_bind_ipp_port(colord_t)
  corenet_tcp_connect_ipp_port(colord_t)
  
@@ -27052,7 +27152,7 @@ index 74505cc..5f0a8a4 100644
  dev_read_video_dev(colord_t)
  dev_write_video_dev(colord_t)
  dev_rw_printer(colord_t)
-@@ -65,19 +71,31 @@ files_list_mnt(colord_t)
+@@ -65,19 +73,31 @@ files_list_mnt(colord_t)
  files_read_etc_files(colord_t)
  files_read_usr_files(colord_t)
  
@@ -27084,7 +27184,7 @@ index 74505cc..5f0a8a4 100644
  	fs_read_cifs_files(colord_t)
  ')
  
-@@ -89,6 +107,10 @@ optional_policy(`
+@@ -89,6 +109,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -27095,7 +27195,7 @@ index 74505cc..5f0a8a4 100644
  	policykit_dbus_chat(colord_t)
  	policykit_domtrans_auth(colord_t)
  	policykit_read_lib(colord_t)
-@@ -98,3 +120,9 @@ optional_policy(`
+@@ -98,3 +122,9 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(colord_t)
  ')
@@ -27105,7 +27205,6 @@ index 74505cc..5f0a8a4 100644
 +	# /var/lib/gdm/.local/share/icc/edid-0a027915105823af34f99b1704e80336.icc
 +	xserver_read_inherited_xdm_lib_files(colord_t)
 +')
-\ No newline at end of file
 diff --git a/policy/modules/services/consolekit.if b/policy/modules/services/consolekit.if
 index fd15dfe..d33cc41 100644
 --- a/policy/modules/services/consolekit.if
@@ -27431,10 +27530,10 @@ index 04969e5..f0f7e1a 100644
  
  optional_policy(`
 diff --git a/policy/modules/services/courier.fc b/policy/modules/services/courier.fc
-index 01d31f1..a390070 100644
+index 01d31f1..8e2754b 100644
 --- a/policy/modules/services/courier.fc
 +++ b/policy/modules/services/courier.fc
-@@ -6,15 +6,15 @@
+@@ -6,18 +6,18 @@
  /usr/sbin/courierldapaliasd		--	gen_context(system_u:object_r:courier_exec_t,s0)
  /usr/sbin/couriertcpd			--	gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
  
@@ -27458,7 +27557,11 @@ index 01d31f1..a390070 100644
 +/usr/lib/courier/sqwebmail/cleancache\.pl -- gen_context(system_u:object_r:sqwebmail_cron_exec_t,s0)
  
  ifdef(`distro_gentoo',`
- /usr/lib(64)?/courier-imap/couriertcpd	--	gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
+-/usr/lib(64)?/courier-imap/couriertcpd	--	gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
++/usr/lib/courier-imap/couriertcpd	--	gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
+ ')
+ 
+ /var/lib/courier(/.*)?				gen_context(system_u:object_r:courier_var_lib_t,s0)
 diff --git a/policy/modules/services/courier.if b/policy/modules/services/courier.if
 index 9971337..870265d 100644
 --- a/policy/modules/services/courier.if
@@ -27629,7 +27732,7 @@ index 2eefc08..34ab5ce 100644
 +
 +/var/lib/glpi/files(/.*)?		gen_context(system_u:object_r:cron_var_lib_t,s0)
 diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if
-index 35241ed..074392b 100644
+index 35241ed..92acfae 100644
 --- a/policy/modules/services/cron.if
 +++ b/policy/modules/services/cron.if
 @@ -12,6 +12,11 @@
@@ -27945,7 +28048,33 @@ index 35241ed..074392b 100644
  ')
  
  ########################################
-@@ -481,6 +568,7 @@ interface(`cron_manage_pid_files',`
+@@ -468,6 +555,25 @@ interface(`cron_search_spool',`
+ 
+ ########################################
+ ## <summary>
++##	Search the directory containing user cron tables.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`cron_manage_system_spool',`
++	gen_require(`
++		type cron_system_spool_t;
++	')
++
++	files_search_spool($1)
++	manage_files_pattern($1, cron_system_spool_t, cron_system_spool_t)
++')
++
++########################################
++## <summary>
+ ##	Manage pid files used by cron
+ ## </summary>
+ ## <param name="domain">
+@@ -481,6 +587,7 @@ interface(`cron_manage_pid_files',`
  		type crond_var_run_t;
  	')
  
@@ -27953,7 +28082,7 @@ index 35241ed..074392b 100644
  	manage_files_pattern($1, crond_var_run_t, crond_var_run_t)
  ')
  
-@@ -536,7 +624,7 @@ interface(`cron_write_system_job_pipes',`
+@@ -536,7 +643,7 @@ interface(`cron_write_system_job_pipes',`
  		type system_cronjob_t;
  	')
  
@@ -27962,7 +28091,7 @@ index 35241ed..074392b 100644
  ')
  
  ########################################
-@@ -554,7 +642,7 @@ interface(`cron_rw_system_job_pipes',`
+@@ -554,7 +661,7 @@ interface(`cron_rw_system_job_pipes',`
  		type system_cronjob_t;
  	')
  
@@ -27971,7 +28100,7 @@ index 35241ed..074392b 100644
  ')
  
  ########################################
-@@ -587,11 +675,14 @@ interface(`cron_rw_system_job_stream_sockets',`
+@@ -587,11 +694,14 @@ interface(`cron_rw_system_job_stream_sockets',`
  #
  interface(`cron_read_system_job_tmp_files',`
  	gen_require(`
@@ -27987,7 +28116,7 @@ index 35241ed..074392b 100644
  ')
  
  ########################################
-@@ -627,7 +718,47 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
+@@ -627,7 +737,47 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
  interface(`cron_dontaudit_write_system_job_tmp_files',`
  	gen_require(`
  		type system_cronjob_tmp_t;
@@ -30685,7 +30814,7 @@ index d2d9359..ee10625 100644
  
 diff --git a/policy/modules/services/dirsrv-admin.fc b/policy/modules/services/dirsrv-admin.fc
 new file mode 100644
-index 0000000..9053288
+index 0000000..c6cbc80
 --- /dev/null
 +++ b/policy/modules/services/dirsrv-admin.fc
 @@ -0,0 +1,13 @@
@@ -30697,11 +30826,11 @@ index 0000000..9053288
 +/usr/sbin/start-ds-admin	--	gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
 +/usr/sbin/stop-ds-admin		--	gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
 +
-+/usr/lib(64)?/dirsrv/cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0)
-+/usr/lib(64)?/dirsrv/dsgw-cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0)
++/usr/lib/dirsrv/cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0)
++/usr/lib/dirsrv/dsgw-cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0)
 +
-+/usr/lib(64)?/dirsrv/cgi-bin/ds_create    --  gen_context(system_u:object_r:dirsrvadmin_unconfined_script_exec_t,s0)
-+/usr/lib(64)?/dirsrv/cgi-bin/ds_remove    --  gen_context(system_u:object_r:dirsrvadmin_unconfined_script_exec_t,s0)
++/usr/lib/dirsrv/cgi-bin/ds_create    --  gen_context(system_u:object_r:dirsrvadmin_unconfined_script_exec_t,s0)
++/usr/lib/dirsrv/cgi-bin/ds_remove    --  gen_context(system_u:object_r:dirsrvadmin_unconfined_script_exec_t,s0)
 diff --git a/policy/modules/services/dirsrv-admin.if b/policy/modules/services/dirsrv-admin.if
 new file mode 100644
 index 0000000..a951202
@@ -34509,7 +34638,7 @@ index 671d8fd..25c7ab8 100644
 +	dontaudit gnomeclock_t $1:dbus send_msg;
 +')
 diff --git a/policy/modules/services/gnomeclock.te b/policy/modules/services/gnomeclock.te
-index 4fde46b..eac72e4 100644
+index 4fde46b..a710ddc 100644
 --- a/policy/modules/services/gnomeclock.te
 +++ b/policy/modules/services/gnomeclock.te
 @@ -9,24 +9,32 @@ type gnomeclock_t;
@@ -34548,7 +34677,7 @@ index 4fde46b..eac72e4 100644
  
  miscfiles_read_localization(gnomeclock_t)
  miscfiles_manage_localization(gnomeclock_t)
-@@ -35,12 +43,47 @@ miscfiles_etc_filetrans_localization(gnomeclock_t)
+@@ -35,12 +43,48 @@ miscfiles_etc_filetrans_localization(gnomeclock_t)
  userdom_read_all_users_state(gnomeclock_t)
  
  optional_policy(`
@@ -34571,6 +34700,7 @@ index 4fde46b..eac72e4 100644
 +	ntp_domtrans_ntpdate(gnomeclock_t)
 +	ntp_initrc_domtrans(gnomeclock_t)
 +	init_dontaudit_getattr_all_script_files(gnomeclock_t)
++	ntp_sysctl(gnomeclock_t)
 +')
 +
 +optional_policy(`
@@ -37449,15 +37579,23 @@ index 93c14ca..f28acd2 100644
  	fs_read_cifs_files(lpr_t)
  	fs_read_cifs_symlinks(lpr_t)
 diff --git a/policy/modules/services/mailman.fc b/policy/modules/services/mailman.fc
-index 14ad189..b0c5d98 100644
+index 14ad189..2b8efd8 100644
 --- a/policy/modules/services/mailman.fc
 +++ b/policy/modules/services/mailman.fc
-@@ -1,4 +1,4 @@
+@@ -1,11 +1,11 @@
 -/usr/lib(64)?/mailman/bin/mailmanctl --	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
 +/usr/lib/mailman/bin/mailmanctl --	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
  /usr/lib/mailman/cron/.*	--	gen_context(system_u:object_r:mailman_queue_exec_t,s0)
  
  /var/lib/mailman(/.*)?			gen_context(system_u:object_r:mailman_data_t,s0)
+ /var/lib/mailman/archives(/.*)?		gen_context(system_u:object_r:mailman_archive_t,s0)
+ /var/lock/mailman(/.*)?			gen_context(system_u:object_r:mailman_lock_t,s0)
+ /var/log/mailman(/.*)?			gen_context(system_u:object_r:mailman_log_t,s0)
+-/var/run/mailman(/.*)?			gen_context(system_u:object_r:mailman_lock_t,s0)
++/var/run/mailman(/.*)?			gen_context(system_u:object_r:mailman_var_run_t,s0)
+ 
+ #
+ # distro_debian
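Review bot: Relabeling `/var/run/mailman(/.*)?` from `mailman_lock_t` to the new `mailman_var_run_t` changes what every mailman domain sees there, but the only domain visibly granted the new type is `mailman_mail_t` in the mailman.te hunk; `mailman_queue_t` (the cron jobs) and the CGI domain, which presumably reached this directory through the template's lock-file rules, are not touched by this patch. If those domains write pid or lock files under /var/run/mailman they will be denied after the relabel, so adding the `mailman_var_run_t` rules to `mailman_domain_template` would keep them consistent. Existing installs also need a `restorecon` of /var/run/mailman for the new label to take effect, which is worth noting in the package changelog.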
 @@ -25,10 +25,10 @@ ifdef(`distro_debian', `
  ifdef(`distro_redhat', `
  /etc/mailman(/.*)?			gen_context(system_u:object_r:mailman_data_t,s0)
@@ -37496,10 +37634,20 @@ index 67c7fdd..84b7626 100644
  	files_list_var_lib(mailman_$1_t)
  	files_read_var_lib_symlinks(mailman_$1_t)
 diff --git a/policy/modules/services/mailman.te b/policy/modules/services/mailman.te
-index af4d572..999384c 100644
+index af4d572..cea085e 100644
 --- a/policy/modules/services/mailman.te
 +++ b/policy/modules/services/mailman.te
-@@ -61,14 +61,18 @@ optional_policy(`
+@@ -19,6 +19,9 @@ logging_log_file(mailman_log_t)
+ type mailman_lock_t;
+ files_lock_file(mailman_lock_t)
+ 
++type mailman_var_run_t;
++files_pid_file(mailman_var_run_t)
++
+ mailman_domain_template(mail)
+ init_daemon_domain(mailman_mail_t, mailman_mail_exec_t)
+ 
+@@ -61,14 +64,22 @@ optional_policy(`
  # Mailman mail local policy
  #
  
@@ -37513,6 +37661,10 @@ index af4d572..999384c 100644
  manage_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)
  manage_lnk_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)
  
++manage_files_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)
++manage_dirs_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)
++files_pid_filetrans(mailman_mail_t, mailman_var_run_t, { file dir })
++
 +# make NNTP gateway working
 +corenet_tcp_connect_innd_port(mailman_mail_t)
 +corenet_tcp_connect_spamd_port(mailman_mail_t)
@@ -37520,7 +37672,7 @@ index af4d572..999384c 100644
  files_search_spool(mailman_mail_t)
  
  fs_rw_anon_inodefs_files(mailman_mail_t)
-@@ -81,11 +85,16 @@ optional_policy(`
+@@ -81,11 +92,16 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -37537,7 +37689,7 @@ index af4d572..999384c 100644
  ')
  
  ########################################
-@@ -104,6 +113,8 @@ manage_lnk_files_pattern(mailman_queue_t, mailman_archive_t, mailman_archive_t)
+@@ -104,6 +120,8 @@ manage_lnk_files_pattern(mailman_queue_t, mailman_archive_t, mailman_archive_t)
  
  kernel_read_proc_symlinks(mailman_queue_t)
  
@@ -37546,7 +37698,7 @@ index af4d572..999384c 100644
  auth_domtrans_chk_passwd(mailman_queue_t)
  
  files_dontaudit_search_pids(mailman_queue_t)
-@@ -125,4 +136,4 @@ optional_policy(`
+@@ -125,4 +143,4 @@ optional_policy(`
  
  optional_policy(`
  	su_exec(mailman_queue_t)
@@ -37732,11 +37884,11 @@ index 0000000..b1cf109
 +')
 diff --git a/policy/modules/services/matahari.fc b/policy/modules/services/matahari.fc
 new file mode 100644
-index 0000000..bce824e
+index 0000000..c502d10
 --- /dev/null
 +++ b/policy/modules/services/matahari.fc
 @@ -0,0 +1,15 @@
-+/etc/rc\.d/init\.d/matahari-host		gen_context(system_u:object_r:matahari_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/matahari-host	gen_context(system_u:object_r:matahari_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/matahari-net		gen_context(system_u:object_r:matahari_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/matahari-service	gen_context(system_u:object_r:matahari_initrc_exec_t,s0)
 +
@@ -38006,10 +38158,10 @@ index 0000000..0432f2e
 +')
 diff --git a/policy/modules/services/matahari.te b/policy/modules/services/matahari.te
 new file mode 100644
-index 0000000..dca01cd
+index 0000000..19d82c3
 --- /dev/null
 +++ b/policy/modules/services/matahari.te
-@@ -0,0 +1,82 @@
+@@ -0,0 +1,83 @@
 +policy_module(matahari,1.0.0)
 +
 +########################################
@@ -38068,6 +38220,7 @@ index 0000000..dca01cd
 +#
 +
 +domain_use_interactive_fds(matahari_serviced_t)
++init_spec_domtrans_script(matahari_serviced_t)
 +
 +#######################################
 +#
@@ -40731,7 +40884,7 @@ index 2324d9e..eebf5a7 100644
 +	files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth9.conf")
 +')
 diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
-index 0619395..79140e4 100644
+index 0619395..8785eef 100644
 --- a/policy/modules/services/networkmanager.te
 +++ b/policy/modules/services/networkmanager.te
 @@ -12,6 +12,12 @@ init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)
@@ -40872,7 +41025,7 @@ index 0619395..79140e4 100644
  	')
  ')
  
-@@ -202,6 +239,17 @@ optional_policy(`
+@@ -202,10 +239,25 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -40890,7 +41043,15 @@ index 0619395..79140e4 100644
  	iptables_domtrans(NetworkManager_t)
  ')
  
-@@ -219,6 +267,11 @@ optional_policy(`
+ optional_policy(`
++	netutils_exec_ping(NetworkManager_t)
++')
++
++optional_policy(`
+ 	nscd_domtrans(NetworkManager_t)
+ 	nscd_signal(NetworkManager_t)
+ 	nscd_signull(NetworkManager_t)
+@@ -219,6 +271,11 @@ optional_policy(`
  ')
  
  optional_policy(`
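Review bot: `netutils_exec_ping(NetworkManager_t)` runs ping inside `NetworkManager_t` instead of transitioning to the dedicated `ping_t` domain, so the setuid/net_raw ping binary inherits all of NetworkManager's permissions rather than ping_t's narrow set. If executing without a transition is deliberate (for example because the transition to ping_t breaks NetworkManager's connectivity check), a one-line comment should say so; otherwise `netutils_domtrans_ping(NetworkManager_t)` is the safer default. The surrounding optional_policy blocks for NetworkManager_t extend beyond this hunk, so I cannot see whether a domtrans is already granted elsewhere.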
@@ -40902,7 +41063,7 @@ index 0619395..79140e4 100644
  	openvpn_domtrans(NetworkManager_t)
  	openvpn_kill(NetworkManager_t)
  	openvpn_signal(NetworkManager_t)
-@@ -263,6 +316,7 @@ optional_policy(`
+@@ -263,6 +320,7 @@ optional_policy(`
  	vpn_kill(NetworkManager_t)
  	vpn_signal(NetworkManager_t)
  	vpn_signull(NetworkManager_t)
@@ -41384,10 +41545,10 @@ index e79dccc..50202ef 100644
  /usr/sbin/ntpdate		--	gen_context(system_u:object_r:ntpdate_exec_t,s0)
  
 diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if
-index e80f8c0..d90ed98 100644
+index e80f8c0..766d99c 100644
 --- a/policy/modules/services/ntp.if
 +++ b/policy/modules/services/ntp.if
-@@ -98,6 +98,25 @@ interface(`ntp_initrc_domtrans',`
+@@ -98,6 +98,45 @@ interface(`ntp_initrc_domtrans',`
  	init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
  ')
  
@@ -41410,10 +41571,30 @@ index e80f8c0..d90ed98 100644
 +        allow $1 ntpd_unit_file_t:file read_file_perms;
 +')
 +
++########################################
++## <summary>
++##	Execute ntpd server in the ntpd domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`ntp_sysctl',`
++	gen_require(`
++		type ntpd_unit_t;
++	')
++
++	systemd_exec_systemctl($1)
++	allow $1 ntpd_unit_t:file read_file_perms;
++	allow $1 ntpd_unit_t:service all_service_perms;
++')
++
  ########################################
  ## <summary>
  ##	Read and write ntpd shared memory.
-@@ -122,6 +141,25 @@ interface(`ntp_rw_shm',`
+@@ -122,6 +161,25 @@ interface(`ntp_rw_shm',`
  
  ########################################
  ## <summary>
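Review bot: The new `ntp_sysctl` interface at L2230 is documented as "Execute ntpd server in the ntpd domain", which is the summary of the domtrans interface; what it actually grants is `systemd_exec_systemctl` plus `all_service_perms` on `ntpd_unit_t`, i.e. start/stop/enable/disable of the ntpd unit, and the name reads like a /proc/sys sysctl. I would rewrite the summary as `##	Execute systemctl to start, stop, enable or disable the ntpd unit.` and, since callers in this same patch already use the name, at least spell out the meaning in the description. `all_service_perms` is also broader than start/stop; if the callers only toggle the service, `{ start stop status enable disable }` would be the least-privilege set.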
@@ -41439,7 +41620,7 @@ index e80f8c0..d90ed98 100644
  ##	All of the rules required to administrate
  ##	an ntp environment
  ## </summary>
-@@ -140,11 +178,10 @@ interface(`ntp_rw_shm',`
+@@ -140,11 +198,10 @@ interface(`ntp_rw_shm',`
  interface(`ntp_admin',`
  	gen_require(`
  		type ntpd_t, ntpd_tmp_t, ntpd_log_t;
@@ -41453,8 +41634,15 @@ index e80f8c0..d90ed98 100644
  	ps_process_pattern($1, ntpd_t)
  
  	init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
+@@ -162,4 +219,6 @@ interface(`ntp_admin',`
+ 
+ 	files_list_pids($1)
+ 	admin_pattern($1, ntpd_var_run_t)
++
++	ntp_sysctl($1)
+ ')
 diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
-index c61adc8..11909b0 100644
+index c61adc8..09bb140 100644
 --- a/policy/modules/services/ntp.te
 +++ b/policy/modules/services/ntp.te
 @@ -15,6 +15,9 @@ init_daemon_domain(ntpd_t, ntpd_exec_t)
@@ -41467,7 +41655,7 @@ index c61adc8..11909b0 100644
  type ntpd_key_t;
  files_type(ntpd_key_t)
  
-@@ -96,9 +99,12 @@ corenet_sendrecv_ntp_client_packets(ntpd_t)
+@@ -96,11 +99,15 @@ corenet_sendrecv_ntp_client_packets(ntpd_t)
  dev_read_sysfs(ntpd_t)
  # for SSP
  dev_read_urand(ntpd_t)
@@ -41479,6 +41667,9 @@ index c61adc8..11909b0 100644
 +fs_rw_tmpfs_files(ntpd_t)
  
  term_use_ptmx(ntpd_t)
++term_use_unallocated_ttys(ntpd_t)
+ 
+ auth_use_nsswitch(ntpd_t)
  
 diff --git a/policy/modules/services/nut.te b/policy/modules/services/nut.te
 index ff962dd..c856c64 100644
@@ -42060,8 +42251,18 @@ index b246bdd..07baada 100644
  
  files_read_etc_files(pads_t)
  files_search_spool(pads_t)
+diff --git a/policy/modules/services/pcscd.fc b/policy/modules/services/pcscd.fc
+index 87f17e8..63ee18a 100644
+--- a/policy/modules/services/pcscd.fc
++++ b/policy/modules/services/pcscd.fc
+@@ -1,4 +1,5 @@
+ /var/run/pcscd\.comm	-s	gen_context(system_u:object_r:pcscd_var_run_t,s0)
++/var/run/pcscd(/.*)?		gen_context(system_u:object_r:pcscd_var_run_t,s0)
+ /var/run/pcscd\.pid	--	gen_context(system_u:object_r:pcscd_var_run_t,s0)
+ /var/run/pcscd\.pub	--	gen_context(system_u:object_r:pcscd_var_run_t,s0)
+ /var/run/pcscd\.events(/.*)?	gen_context(system_u:object_r:pcscd_var_run_t,s0)
 diff --git a/policy/modules/services/pcscd.if b/policy/modules/services/pcscd.if
-index 1c2a091..ea5ae69 100644
+index 1c2a091..10f264c 100644
 --- a/policy/modules/services/pcscd.if
 +++ b/policy/modules/services/pcscd.if
 @@ -5,9 +5,9 @@
@@ -42076,6 +42277,15 @@ index 1c2a091..ea5ae69 100644
  ## </param>
  #
  interface(`pcscd_domtrans',`
+@@ -34,7 +34,7 @@ interface(`pcscd_read_pub_files',`
+ 	')
+ 
+ 	files_search_pids($1)
+-	allow $1 pcscd_var_run_t:file read_file_perms;
++	read_files_pattern($1, pcscd_var_run_t, pcscd_var_run_t)
+ ')
+ 
+ ########################################
 diff --git a/policy/modules/services/pcscd.te b/policy/modules/services/pcscd.te
 index ceafba6..9eb6967 100644
 --- a/policy/modules/services/pcscd.te
@@ -44403,7 +44613,7 @@ index f03fad4..1865d8f 100644
  ifdef(`distro_debian', `
  /usr/lib/postgresql/.*/bin/.*	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
 diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if
-index 09aeffa..dd70b14 100644
+index 09aeffa..f8a0d88 100644
 --- a/policy/modules/services/postgresql.if
 +++ b/policy/modules/services/postgresql.if
 @@ -10,7 +10,7 @@
@@ -44457,7 +44667,7 @@ index 09aeffa..dd70b14 100644
  ')
  
  ########################################
-@@ -298,6 +299,7 @@ interface(`postgresql_search_db',`
+@@ -298,14 +299,16 @@ interface(`postgresql_search_db',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -44465,16 +44675,19 @@ index 09aeffa..dd70b14 100644
  interface(`postgresql_manage_db',`
  	gen_require(`
  		type postgresql_db_t;
-@@ -305,7 +307,7 @@ interface(`postgresql_manage_db',`
+ 	')
  
- 	allow $1 postgresql_db_t:dir rw_dir_perms;
- 	allow $1 postgresql_db_t:file rw_file_perms;
+-	allow $1 postgresql_db_t:dir rw_dir_perms;
+-	allow $1 postgresql_db_t:file rw_file_perms;
 -	allow $1 postgresql_db_t:lnk_file { getattr read };
-+	allow $1 postgresql_db_t:lnk_file read_lnk_file_perms;
++	files_search_var_lib($1)
++	manage_dirs_pattern($1, postgresql_db_t, postgresql_db_t)
++	manage_files_pattern($1, postgresql_db_t, postgresql_db_t)
++	manage_lnk_files_pattern($1, postgresql_db_t, postgresql_db_t)
  ')
  
  ########################################
-@@ -395,7 +397,6 @@ interface(`postgresql_tcp_connect',`
+@@ -395,7 +398,6 @@ interface(`postgresql_tcp_connect',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
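Review bot: `postgresql_manage_db` is widened from read/write to full manage of dirs, files and symlinks in `postgresql_db_t`, which silently escalates every existing caller of the interface to being able to delete, rename or replace database files and to plant symlinks inside the data directory that `postgresql_t` will follow. That is appropriate for a backup/restore tool, but the interface summary (above the visible lines) should say so; I would add `##	Create, read, write, delete and rename database files and symlinks (full control over the data directory; callers must be as trusted as postgresql_t).`. If the intent was only to add `create`, `create_files_pattern` next to the existing rw rules would be the narrower change.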
@@ -44482,7 +44695,7 @@ index 09aeffa..dd70b14 100644
  #
  interface(`postgresql_stream_connect',`
  	gen_require(`
-@@ -403,10 +404,8 @@ interface(`postgresql_stream_connect',`
+@@ -403,10 +405,8 @@ interface(`postgresql_stream_connect',`
  	')
  
  	files_search_pids($1)
@@ -44495,7 +44708,7 @@ index 09aeffa..dd70b14 100644
  ')
  
  ########################################
-@@ -468,6 +467,7 @@ interface(`postgresql_unpriv_client',`
+@@ -468,6 +468,7 @@ interface(`postgresql_unpriv_client',`
  		allow $1 unpriv_sepgsql_view_t:db_view { create drop setattr };
  		allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { create drop setattr };
  	')
@@ -44503,7 +44716,7 @@ index 09aeffa..dd70b14 100644
  	allow $1 unpriv_sepgsql_schema_t:db_schema { getattr add_name remove_name };
  	type_transition $1 sepgsql_database_type:db_schema unpriv_sepgsql_schema_t;
  
-@@ -492,6 +492,7 @@ interface(`postgresql_unpriv_client',`
+@@ -492,6 +493,7 @@ interface(`postgresql_unpriv_client',`
  
  	allow $1 unpriv_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export };
  	type_transition $1 sepgsql_database_type:db_blob unpriv_sepgsql_blob_t;
@@ -44511,7 +44724,7 @@ index 09aeffa..dd70b14 100644
  ')
  
  ########################################
-@@ -531,13 +532,10 @@ interface(`postgresql_unconfined',`
+@@ -531,13 +533,10 @@ interface(`postgresql_unconfined',`
  #
  interface(`postgresql_admin',`
  	gen_require(`
@@ -44529,7 +44742,7 @@ index 09aeffa..dd70b14 100644
  	')
  
  	typeattribute $1 sepgsql_admin_type;
-@@ -550,14 +548,19 @@ interface(`postgresql_admin',`
+@@ -550,14 +549,19 @@ interface(`postgresql_admin',`
  	role_transition $2 postgresql_initrc_exec_t system_r;
  	allow $2 system_r;
  
@@ -45081,7 +45294,7 @@ index b64b02f..166e9c3 100644
 +	read_files_pattern($1, procmail_home_t, procmail_home_t)
 +')
 diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te
-index 29b9295..609ff86 100644
+index 29b9295..e1ae545 100644
 --- a/policy/modules/services/procmail.te
 +++ b/policy/modules/services/procmail.te
 @@ -10,6 +10,9 @@ type procmail_exec_t;
@@ -45103,9 +45316,12 @@ index 29b9295..609ff86 100644
  create_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
  append_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
  read_lnk_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
-@@ -76,9 +79,15 @@ files_search_pids(procmail_t)
+@@ -75,10 +78,18 @@ files_search_pids(procmail_t)
+ # for spamassasin
  files_read_usr_files(procmail_t)
  
++application_exec_all(procmail_t)
++
  logging_send_syslog_msg(procmail_t)
 +logging_append_all_logs(procmail_t)
  
@@ -45119,7 +45335,7 @@ index 29b9295..609ff86 100644
  # only works until we define a different type for maildir
  userdom_manage_user_home_content_dirs(procmail_t)
  userdom_manage_user_home_content_files(procmail_t)
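Review bot: `application_exec_all(procmail_t)` lets procmail run any `application_exec_type` binary without a domain transition, so commands from a user's `.procmailrc` execute with procmail_t's own privileges, which in this file include managing user home content and the mail spool and, via `logging_append_all_logs(procmail_t)`, appending to every log file on the system. Recipes running arbitrary commands is inherent to procmail, but combined with append-all-logs it means a user-controlled recipe can write into logs that system daemons own. I would add `# .procmailrc recipes exec arbitrary user commands in procmail_t; keep procmail_t's own privileges minimal` and reconsider whether a specific log type would do instead of the blanket append. The procmail_t local policy continues beyond this hunk.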
-@@ -87,8 +96,8 @@ userdom_manage_user_home_content_pipes(procmail_t)
+@@ -87,8 +98,8 @@ userdom_manage_user_home_content_pipes(procmail_t)
  userdom_manage_user_home_content_sockets(procmail_t)
  userdom_user_home_dir_filetrans_user_home_content(procmail_t, { dir file lnk_file fifo_file sock_file })
  
@@ -45130,7 +45346,7 @@ index 29b9295..609ff86 100644
  
  mta_manage_spool(procmail_t)
  mta_read_queue(procmail_t)
-@@ -125,6 +134,11 @@ optional_policy(`
+@@ -125,6 +136,11 @@ optional_policy(`
  	postfix_read_spool_files(procmail_t)
  	postfix_read_local_state(procmail_t)
  	postfix_read_master_state(procmail_t)
@@ -45351,7 +45567,7 @@ index 2f1e529..8c0b242 100644
  /usr/sbin/puppetmasterd		--	gen_context(system_u:object_r:puppetmaster_exec_t,s0)
  
 diff --git a/policy/modules/services/puppet.if b/policy/modules/services/puppet.if
-index 2855a44..c71fa1e 100644
+index 2855a44..2898ff9 100644
 --- a/policy/modules/services/puppet.if
 +++ b/policy/modules/services/puppet.if
 @@ -8,6 +8,53 @@
@@ -45417,6 +45633,48 @@ index 2855a44..c71fa1e 100644
  	gen_require(`
  		type puppet_tmp_t;
  	')
+@@ -29,3 +76,41 @@ interface(`puppet_rw_tmp', `
+ 	allow $1 puppet_tmp_t:file rw_file_perms;
+ 	files_search_tmp($1)
+ ')
++
++################################################
++## <summary>
++##	Read Puppet lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`puppet_read_lib',`
++	gen_require(`
++		type puppet_var_lib_t;
++	')
++
++	read_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t)
++	files_search_var_lib($1)
++')
++
++###############################################
++## <summary>
++##  Manage Puppet lib files.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`puppet_manage_lib',`
++    gen_require(`
++        type puppet_var_lib_t;
++    ')
++
++    manage_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t)
++    files_search_var_lib($1)
++')
 diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te
 index 64c5f95..313f77d 100644
 --- a/policy/modules/services/puppet.te
@@ -46298,7 +46556,7 @@ index 5a9630c..c403abc 100644
 +	allow $1 qpidd_t:shm rw_shm_perms;
  ')
 diff --git a/policy/modules/services/qpid.te b/policy/modules/services/qpid.te
-index cb7ecb5..dadd322 100644
+index cb7ecb5..3df1532 100644
 --- a/policy/modules/services/qpid.te
 +++ b/policy/modules/services/qpid.te
 @@ -12,12 +12,12 @@ init_daemon_domain(qpidd_t, qpidd_exec_t)
@@ -46317,7 +46575,7 @@ index cb7ecb5..dadd322 100644
  ########################################
  #
  # qpidd local policy
-@@ -30,24 +30,26 @@ allow qpidd_t self:shm create_shm_perms;
+@@ -30,27 +30,30 @@ allow qpidd_t self:shm create_shm_perms;
  allow qpidd_t self:tcp_socket create_stream_socket_perms;
  allow qpidd_t self:unix_stream_socket create_stream_socket_perms;
  
@@ -46349,7 +46607,11 @@ index cb7ecb5..dadd322 100644
  dev_read_urand(qpidd_t)
  
  files_read_etc_files(qpidd_t)
-@@ -61,3 +63,8 @@ sysnet_dns_name_resolve(qpidd_t)
++files_read_usr_files(qpidd_t)
+ 
+ logging_send_syslog_msg(qpidd_t)
+ 
+@@ -61,3 +64,8 @@ sysnet_dns_name_resolve(qpidd_t)
  optional_policy(`
  	corosync_stream_connect(qpidd_t)
  ')
@@ -51020,10 +51282,10 @@ index 93fe7bf..4a15633 100644
  
  	allow $1 soundd_t:process { ptrace signal_perms };
 diff --git a/policy/modules/services/spamassassin.fc b/policy/modules/services/spamassassin.fc
-index 6b3abf9..d445f78 100644
+index 6b3abf9..a785741 100644
 --- a/policy/modules/services/spamassassin.fc
 +++ b/policy/modules/services/spamassassin.fc
-@@ -1,15 +1,27 @@
+@@ -1,15 +1,28 @@
 -HOME_DIR/\.spamassassin(/.*)?	gen_context(system_u:object_r:spamassassin_home_t,s0)
 +HOME_DIR/\.spamassassin(/.*)?	gen_context(system_u:object_r:spamc_home_t,s0)
 +/root/\.spamassassin(/.*)?	gen_context(system_u:object_r:spamc_home_t,s0)
@@ -51036,6 +51298,7 @@ index 6b3abf9..d445f78 100644
 +/usr/bin/spamassassin	--	gen_context(system_u:object_r:spamc_exec_t,s0)
  /usr/bin/spamc		--	gen_context(system_u:object_r:spamc_exec_t,s0)
  /usr/bin/spamd		--	gen_context(system_u:object_r:spamd_exec_t,s0)
++/usr/bin/sa-update	--	gen_context(system_u:object_r:spamd_update_exec_t,s0)
  
  /usr/sbin/spamd		--	gen_context(system_u:object_r:spamd_exec_t,s0)
 +/usr/bin/mimedefang	--	gen_context(system_u:object_r:spamd_exec_t,s0)
@@ -51248,10 +51511,10 @@ index c954f31..c7cadcb 100644
 +	admin_pattern($1, spamd_var_run_t)
  ')
 diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
-index ec1eb1e..e1f3477 100644
+index ec1eb1e..4d649e1 100644
 --- a/policy/modules/services/spamassassin.te
 +++ b/policy/modules/services/spamassassin.te
-@@ -6,56 +6,95 @@ policy_module(spamassassin, 2.4.0)
+@@ -6,56 +6,103 @@ policy_module(spamassassin, 2.4.0)
  #
  
  ## <desc>
@@ -51364,6 +51627,14 @@ index ec1eb1e..e1f3477 100644
 +	files_tmp_file(spamc_tmp_t)
 +	ubac_constrained(spamc_tmp_t)
 +')
++
++type spamd_update_t;
++type spamd_update_exec_t;
++application_domain(spamd_update_t, spamd_update_exec_t)
++cron_system_entry(spamd_update_t, spamd_update_exec_t)
++role system_r types spamd_update_t;
++
++permissive spamd_update_t;
  
  type spamd_t;
  type spamd_exec_t;
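Review bot: `permissive spamd_update_t;` at L2592 means the new sa-update domain is not enforced at all, so the confinement the rest of the hunk sets up is inert; given that sa-update downloads rule files from the network that spamd later loads and executes as Perl, this is exactly the domain where enforcement matters. If permissive is a deliberate stabilisation step, it should carry a comment with the removal condition and a bug reference, e.g. `# TODO: drop permissive once sa-update's access pattern is captured`, so it does not ship indefinitely. No allow rules for spamd_update_t are visible in this hunk beyond the cron entry, so the domain body may be elsewhere in the file.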
@@ -51384,7 +51655,7 @@ index ec1eb1e..e1f3477 100644
  
  type spamd_tmp_t;
  files_tmp_file(spamd_tmp_t)
-@@ -108,6 +147,7 @@ kernel_read_kernel_sysctls(spamassassin_t)
+@@ -108,6 +155,7 @@ kernel_read_kernel_sysctls(spamassassin_t)
  dev_read_urand(spamassassin_t)
  
  fs_search_auto_mountpoints(spamassassin_t)
@@ -51392,7 +51663,7 @@ index ec1eb1e..e1f3477 100644
  
  # this should probably be removed
  corecmd_list_bin(spamassassin_t)
-@@ -148,6 +188,9 @@ tunable_policy(`spamassassin_can_network',`
+@@ -148,6 +196,9 @@ tunable_policy(`spamassassin_can_network',`
  	corenet_udp_sendrecv_all_ports(spamassassin_t)
  	corenet_tcp_connect_all_ports(spamassassin_t)
  	corenet_sendrecv_all_client_packets(spamassassin_t)
@@ -51402,7 +51673,7 @@ index ec1eb1e..e1f3477 100644
  
  	sysnet_read_config(spamassassin_t)
  ')
-@@ -184,6 +227,8 @@ optional_policy(`
+@@ -184,6 +235,8 @@ optional_policy(`
  optional_policy(`
  	mta_read_config(spamassassin_t)
  	sendmail_stub(spamassassin_t)
@@ -51411,7 +51682,7 @@ index ec1eb1e..e1f3477 100644
  ')
  
  ########################################
-@@ -206,15 +251,32 @@ allow spamc_t self:unix_stream_socket connectto;
+@@ -206,15 +259,32 @@ allow spamc_t self:unix_stream_socket connectto;
  allow spamc_t self:tcp_socket create_stream_socket_perms;
  allow spamc_t self:udp_socket create_socket_perms;
  
@@ -51444,7 +51715,7 @@ index ec1eb1e..e1f3477 100644
  
  corenet_all_recvfrom_unlabeled(spamc_t)
  corenet_all_recvfrom_netlabel(spamc_t)
-@@ -226,6 +288,7 @@ corenet_tcp_sendrecv_all_ports(spamc_t)
+@@ -226,6 +296,7 @@ corenet_tcp_sendrecv_all_ports(spamc_t)
  corenet_udp_sendrecv_all_ports(spamc_t)
  corenet_tcp_connect_all_ports(spamc_t)
  corenet_sendrecv_all_client_packets(spamc_t)
@@ -51452,7 +51723,7 @@ index ec1eb1e..e1f3477 100644
  
  fs_search_auto_mountpoints(spamc_t)
  
-@@ -244,9 +307,14 @@ files_read_usr_files(spamc_t)
+@@ -244,9 +315,14 @@ files_read_usr_files(spamc_t)
  files_dontaudit_search_var(spamc_t)
  # cjp: this may be removable:
  files_list_home(spamc_t)
@@ -51467,7 +51738,7 @@ index ec1eb1e..e1f3477 100644
  miscfiles_read_localization(spamc_t)
  
  # cjp: this should probably be removed:
-@@ -254,27 +322,46 @@ seutil_read_config(spamc_t)
+@@ -254,27 +330,46 @@ seutil_read_config(spamc_t)
  
  sysnet_read_config(spamc_t)
  
@@ -51520,7 +51791,7 @@ index ec1eb1e..e1f3477 100644
  ')
  
  ########################################
-@@ -286,7 +373,7 @@ optional_policy(`
+@@ -286,7 +381,7 @@ optional_policy(`
  # setuids to the user running spamc.  Comment this if you are not
  # using this ability.
  
@@ -51529,7 +51800,7 @@ index ec1eb1e..e1f3477 100644
  dontaudit spamd_t self:capability sys_tty_config;
  allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow spamd_t self:fd use;
-@@ -302,10 +389,17 @@ allow spamd_t self:unix_dgram_socket sendto;
+@@ -302,10 +397,17 @@ allow spamd_t self:unix_dgram_socket sendto;
  allow spamd_t self:unix_stream_socket connectto;
  allow spamd_t self:tcp_socket create_stream_socket_perms;
  allow spamd_t self:udp_socket create_socket_perms;
@@ -51548,7 +51819,7 @@ index ec1eb1e..e1f3477 100644
  files_spool_filetrans(spamd_t, spamd_spool_t, { file dir })
  
  manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
-@@ -314,11 +408,15 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
+@@ -314,11 +416,15 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
  
  # var/lib files for spamd
  allow spamd_t spamd_var_lib_t:dir list_dir_perms;
@@ -51566,7 +51837,7 @@ index ec1eb1e..e1f3477 100644
  
  kernel_read_all_sysctls(spamd_t)
  kernel_read_system_state(spamd_t)
-@@ -367,22 +465,27 @@ files_read_var_lib_files(spamd_t)
+@@ -367,22 +473,27 @@ files_read_var_lib_files(spamd_t)
  
  init_dontaudit_rw_utmp(spamd_t)
  
@@ -51598,7 +51869,7 @@ index ec1eb1e..e1f3477 100644
  	fs_manage_cifs_files(spamd_t)
  ')
  
-@@ -399,7 +502,9 @@ optional_policy(`
+@@ -399,7 +510,9 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -51608,7 +51879,7 @@ index ec1eb1e..e1f3477 100644
  	dcc_stream_connect_dccifd(spamd_t)
  ')
  
-@@ -408,25 +513,17 @@ optional_policy(`
+@@ -408,25 +521,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -51636,7 +51907,7 @@ index ec1eb1e..e1f3477 100644
  	postgresql_stream_connect(spamd_t)
  ')
  
-@@ -437,6 +534,10 @@ optional_policy(`
+@@ -437,6 +542,10 @@ optional_policy(`
  
  optional_policy(`
  	razor_domtrans(spamd_t)
@@ -51647,6 +51918,50 @@ index ec1eb1e..e1f3477 100644
  ')
  
  optional_policy(`
+@@ -451,3 +560,43 @@ optional_policy(`
+ optional_policy(`
+ 	udev_read_db(spamd_t)
+ ')
++
++########################################
++#
++# spamd_update local policy
++#
++
++allow spamd_update_t self:fifo_file manage_fifo_file_perms;
++allow spamd_update_t self:unix_stream_socket create_stream_socket_perms;
++dontaudit spamd_update_t self:capability dac_override;
++
++manage_dirs_pattern(spamd_update_t, spamd_tmp_t, spamd_tmp_t)
++manage_files_pattern(spamd_update_t, spamd_tmp_t, spamd_tmp_t)
++files_tmp_filetrans(spamd_update_t, spamd_tmp_t, { file dir })
++
++allow spamd_update_t spamd_var_lib_t:dir list_dir_perms;
++manage_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
++manage_lnk_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
++
++corecmd_exec_bin(spamd_update_t)
++
++dev_read_urand(spamd_update_t)
++
++domain_use_interactive_fds(spamd_update_t)
++
++files_read_etc_files(spamd_update_t)
++files_read_usr_files(spamd_update_t)
++
++auth_use_nsswitch(spamd_update_t)
++auth_dontaudit_read_shadow(spamd_update_t)
++
++miscfiles_read_localization(spamd_update_t)
++
++mta_read_config(spamd_update_t)
++
++userdom_use_inherited_user_ptys(spamd_update_t)
++
++optional_policy(`
++	gpg_domtrans(spamd_update_t)
++')
++
 diff --git a/policy/modules/services/squid.fc b/policy/modules/services/squid.fc
 index 6cc4a90..2015152 100644
 --- a/policy/modules/services/squid.fc
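Review bot: The spamd_update_t block contains no corenet rules at all, although the domain presumably wraps a rule-update job that fetches over the network (the cron entry point and the manage rules on spamd_var_lib_t point that way); with the domain permissive the gap is masked and would only show up as AVC denials. If network access is required, a rule along the lines of `corenet_tcp_connect_http_port(spamd_update_t)` belongs here, under a tunable if the fetch is optional; if the job is purely local, a comment saying so would stop the next reader from asking. The hunk also appends a trailing blank line to spamassassin.te (the lone `++` before the squid.fc header), which should be dropped.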
@@ -58398,10 +58713,18 @@ index c6fdab7..41198a4 100644
  	cron_sigchld(application_domain_type)
  ')
 diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
-index 28ad538..5cae905 100644
+index 28ad538..5b765ce 100644
 --- a/policy/modules/system/authlogin.fc
 +++ b/policy/modules/system/authlogin.fc
-@@ -45,5 +45,4 @@ ifdef(`distro_gentoo', `
+@@ -30,6 +30,7 @@ ifdef(`distro_gentoo', `
+ 
+ /var/lib/abl(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
+ /var/lib/pam_ssh(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
++/var/lib/pam_shield(/.*)?	gen_context(system_u:object_r:var_auth_t,s0)
+ 
+ /var/log/btmp.*		--	gen_context(system_u:object_r:faillog_t,s0)
+ /var/log/dmesg		--	gen_context(system_u:object_r:var_log_t,s0)
+@@ -45,5 +46,4 @@ ifdef(`distro_gentoo', `
  /var/run/pam_ssh(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
  /var/run/sepermit(/.*)? 	gen_context(system_u:object_r:pam_var_run_t,s0)
  /var/run/sudo(/.*)?		gen_context(system_u:object_r:pam_var_run_t,s0)
@@ -59348,7 +59671,7 @@ index 354ce93..b8b14b9 100644
  ')
 +/var/run/systemd(/.*)?		gen_context(system_u:object_r:init_var_run_t,s0)
 diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 94fd8dd..417ec32 100644
+index 94fd8dd..26c973e 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
 @@ -79,6 +79,42 @@ interface(`init_script_domain',`
@@ -59594,7 +59917,7 @@ index 94fd8dd..417ec32 100644
  ##	Connect to init with a unix socket.
  ## </summary>
  ## <param name="domain">
-@@ -519,10 +589,29 @@ interface(`init_sigchld',`
+@@ -519,10 +589,48 @@ interface(`init_sigchld',`
  #
  interface(`init_stream_connect',`
  	gen_require(`
@@ -59604,7 +59927,8 @@ index 94fd8dd..417ec32 100644
  
 -	allow $1 init_t:unix_stream_socket connectto;
 +	files_search_pids($1)
-+        stream_connect_pattern($1, init_var_run_t, init_var_run_t, init_t)    
++	stream_connect_pattern($1, init_var_run_t, init_var_run_t, init_t)    
++	allow $1 init_t:unix_stream_socket getattr;
 +')
 +
 +#######################################
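Review bot: The re-indented `stream_connect_pattern($1, init_var_run_t, init_var_run_t, init_t)` line keeps the trailing spaces the old line had, and the new `init_dontaudit_rw_stream_socket` interface in the following hunk is indented with four spaces while the neighbouring interfaces in init.if use tabs. Both should follow the file's tab indentation so the patch does not introduce two whitespace styles into one file. The body of init_stream_connect begins outside this hunk.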
@@ -59623,10 +59947,28 @@ index 94fd8dd..417ec32 100644
 +    ')
 +
 +    dontaudit $1 init_t:unix_stream_socket connectto;
++')
++
++######################################
++## <summary>
++##  Dontaudit read and write to init with a unix socket.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain to not audit.
++##  </summary>
++## </param>
++#
++interface(`init_dontaudit_rw_stream_socket',`
++    gen_require(`
++        type init_t;
++    ')
++
++    dontaudit $1 init_t:unix_stream_socket { read write };
  ')
  
  ########################################
-@@ -688,19 +777,25 @@ interface(`init_telinit',`
+@@ -688,19 +796,25 @@ interface(`init_telinit',`
  		type initctl_t;
  	')
  
@@ -59653,7 +59995,7 @@ index 94fd8dd..417ec32 100644
  	')
  ')
  
-@@ -730,7 +825,7 @@ interface(`init_rw_initctl',`
+@@ -730,7 +844,7 @@ interface(`init_rw_initctl',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -59662,7 +60004,7 @@ index 94fd8dd..417ec32 100644
  ##	</summary>
  ## </param>
  #
-@@ -773,18 +868,19 @@ interface(`init_script_file_entry_type',`
+@@ -773,18 +887,19 @@ interface(`init_script_file_entry_type',`
  #
  interface(`init_spec_domtrans_script',`
  	gen_require(`
@@ -59686,7 +60028,7 @@ index 94fd8dd..417ec32 100644
  	')
  ')
  
-@@ -800,23 +896,45 @@ interface(`init_spec_domtrans_script',`
+@@ -800,19 +915,41 @@ interface(`init_spec_domtrans_script',`
  #
  interface(`init_domtrans_script',`
  	gen_require(`
@@ -59709,11 +60051,11 @@ index 94fd8dd..417ec32 100644
  	ifdef(`enable_mls',`
 -		range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
 +		range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
- 	')
- ')
- 
- ########################################
- ## <summary>
++	')
++')
++
++########################################
++## <summary>
 +##	Execute a file in a bin directory
 +##	in the initrc_t domain 
 +## </summary>
@@ -59726,17 +60068,13 @@ index 94fd8dd..417ec32 100644
 +interface(`init_bin_domtrans_spec',`
 +	gen_require(`
 +		type initrc_t;
-+	')
+ 	')
 +
 +	corecmd_bin_domtrans($1, initrc_t)
-+')
-+
-+########################################
-+## <summary>
- ##	Execute a init script in a specified domain.
- ## </summary>
- ## <desc>
-@@ -868,9 +986,14 @@ interface(`init_script_file_domtrans',`
+ ')
+ 
+ ########################################
+@@ -868,9 +1005,14 @@ interface(`init_script_file_domtrans',`
  interface(`init_labeled_script_domtrans',`
  	gen_require(`
  		type initrc_t;
@@ -59751,7 +60089,7 @@ index 94fd8dd..417ec32 100644
  	files_search_etc($1)
  ')
  
-@@ -1079,6 +1202,24 @@ interface(`init_read_all_script_files',`
+@@ -1079,6 +1221,24 @@ interface(`init_read_all_script_files',`
  
  #######################################
  ## <summary>
@@ -59776,7 +60114,7 @@ index 94fd8dd..417ec32 100644
  ##	Dontaudit read all init script files.
  ## </summary>
  ## <param name="domain">
-@@ -1130,12 +1271,7 @@ interface(`init_read_script_state',`
+@@ -1130,12 +1290,7 @@ interface(`init_read_script_state',`
  	')
  
  	kernel_search_proc($1)
@@ -59790,7 +60128,7 @@ index 94fd8dd..417ec32 100644
  ')
  
  ########################################
-@@ -1375,6 +1511,27 @@ interface(`init_dbus_send_script',`
+@@ -1375,6 +1530,27 @@ interface(`init_dbus_send_script',`
  ########################################
  ## <summary>
  ##	Send and receive messages from
@@ -59818,7 +60156,7 @@ index 94fd8dd..417ec32 100644
  ##	init scripts over dbus.
  ## </summary>
  ## <param name="domain">
-@@ -1461,6 +1618,25 @@ interface(`init_getattr_script_status_files',`
+@@ -1461,6 +1637,25 @@ interface(`init_getattr_script_status_files',`
  
  ########################################
  ## <summary>
@@ -59844,7 +60182,7 @@ index 94fd8dd..417ec32 100644
  ##	Do not audit attempts to read init script
  ##	status files.
  ## </summary>
-@@ -1519,6 +1695,24 @@ interface(`init_rw_script_tmp_files',`
+@@ -1519,6 +1714,24 @@ interface(`init_rw_script_tmp_files',`
  
  ########################################
  ## <summary>
@@ -59869,7 +60207,32 @@ index 94fd8dd..417ec32 100644
  ##	Create files in a init script
  ##	temporary data directory.
  ## </summary>
-@@ -1674,7 +1868,7 @@ interface(`init_dontaudit_rw_utmp',`
+@@ -1586,6 +1799,24 @@ interface(`init_read_utmp',`
+ 
+ ########################################
+ ## <summary>
++##	Do not audit attempts to read utmp.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`init_dontaudit_read_utmp',`
++	gen_require(`
++		type initrc_var_run_t;
++	')
++
++	dontaudit $1 initrc_var_run_t:file read_file_perms;
++')
++
++########################################
++## <summary>
+ ##	Do not audit attempts to write utmp.
+ ## </summary>
+ ## <param name="domain">
+@@ -1674,7 +1905,7 @@ interface(`init_dontaudit_rw_utmp',`
  		type initrc_var_run_t;
  	')
  
@@ -59878,7 +60241,7 @@ index 94fd8dd..417ec32 100644
  ')
  
  ########################################
-@@ -1715,6 +1909,128 @@ interface(`init_pid_filetrans_utmp',`
+@@ -1715,6 +1946,128 @@ interface(`init_pid_filetrans_utmp',`
  	files_pid_filetrans($1, initrc_var_run_t, file)
  ')
  
@@ -60007,7 +60370,7 @@ index 94fd8dd..417ec32 100644
  ########################################
  ## <summary>
  ##	Allow the specified domain to connect to daemon with a tcp socket
-@@ -1749,3 +2065,156 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1749,3 +2102,156 @@ interface(`init_udp_recvfrom_all_daemons',`
  	')
  	corenet_udp_recvfrom_labeled($1, daemon)
  ')
@@ -60165,7 +60528,7 @@ index 94fd8dd..417ec32 100644
 +	read_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 29a9565..2163271 100644
+index 29a9565..f131c5a 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -16,6 +16,34 @@ gen_require(`
@@ -60350,7 +60713,8 @@ index 29a9565..2163271 100644
  
 +storage_raw_rw_fixed_disk(init_t)
 +
-+optional_policy(`
+ optional_policy(`
+-	auth_rw_login_records(init_t)
 +	modutils_domtrans_insmod(init_t)
 +')
 +
@@ -60454,16 +60818,15 @@ index 29a9565..2163271 100644
 +auth_use_nsswitch(init_t)
 +auth_rw_login_records(init_t)
 +
- optional_policy(`
--	auth_rw_login_records(init_t)
++optional_policy(`
 +	lvm_rw_pipes(init_t)
- ')
- 
- optional_policy(`
-+	consolekit_manage_log(init_t)
 +')
 +
 +optional_policy(`
++	consolekit_manage_log(init_t)
+ ')
+ 
+ optional_policy(`
 +	dbus_connect_system_bus(init_t)
  	dbus_system_bus_client(init_t)
 +	dbus_delete_pid_files(init_t)
@@ -60827,7 +61190,7 @@ index 29a9565..2163271 100644
  ')
  
  optional_policy(`
-@@ -589,6 +893,11 @@ optional_policy(`
+@@ -589,6 +893,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -60836,10 +61199,16 @@ index 29a9565..2163271 100644
 +')
 +
 +optional_policy(`
++	cron_read_pipes(initrc_t)
++	# managing /etc/cron.d/mailman content
++	cron_manage_system_spool(initrc_t)
++')
++
++optional_policy(`
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -605,9 +914,13 @@ optional_policy(`
+@@ -605,9 +920,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
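Review bot: `cron_manage_system_spool(initrc_t)` gives every init script running as initrc_t create, write and delete access to the whole system cron spool, while the comment above it names only `/etc/cron.d/mailman`. Because initrc_t is shared by all init scripts, a narrower grant (a mailman-specific domain, or an interface covering just that file) would preserve the least-privilege boundary; if the broad grant is deliberate, the comment should say why. The optional_policy block containing it is complete within the hunk.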
@@ -60853,7 +61222,7 @@ index 29a9565..2163271 100644
  	')
  
  	optional_policy(`
-@@ -649,6 +962,11 @@ optional_policy(`
+@@ -649,6 +968,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -60865,7 +61234,7 @@ index 29a9565..2163271 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -689,6 +1007,7 @@ optional_policy(`
+@@ -689,6 +1013,7 @@ optional_policy(`
  	lpd_list_spool(initrc_t)
  
  	lpd_read_config(initrc_t)
@@ -60873,7 +61242,7 @@ index 29a9565..2163271 100644
  ')
  
  optional_policy(`
-@@ -706,7 +1025,13 @@ optional_policy(`
+@@ -706,7 +1031,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -60887,7 +61256,7 @@ index 29a9565..2163271 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -729,6 +1054,10 @@ optional_policy(`
+@@ -729,6 +1060,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -60898,7 +61267,7 @@ index 29a9565..2163271 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -738,10 +1067,20 @@ optional_policy(`
+@@ -738,10 +1073,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -60919,7 +61288,7 @@ index 29a9565..2163271 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -750,6 +1089,10 @@ optional_policy(`
+@@ -750,6 +1095,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -60930,7 +61299,7 @@ index 29a9565..2163271 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -771,8 +1114,6 @@ optional_policy(`
+@@ -771,8 +1120,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -60939,7 +61308,7 @@ index 29a9565..2163271 100644
  ')
  
  optional_policy(`
-@@ -790,10 +1131,12 @@ optional_policy(`
+@@ -790,10 +1137,12 @@ optional_policy(`
  	squid_manage_logs(initrc_t)
  ')
  
@@ -60952,7 +61321,7 @@ index 29a9565..2163271 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -805,7 +1148,6 @@ optional_policy(`
+@@ -805,7 +1154,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -60960,7 +61329,7 @@ index 29a9565..2163271 100644
  	udev_manage_pid_files(initrc_t)
  	udev_manage_rules_files(initrc_t)
  ')
-@@ -815,11 +1157,24 @@ optional_policy(`
+@@ -815,11 +1163,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -60986,7 +61355,7 @@ index 29a9565..2163271 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -829,6 +1184,25 @@ optional_policy(`
+@@ -829,6 +1190,25 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -61012,7 +61381,7 @@ index 29a9565..2163271 100644
  ')
  
  optional_policy(`
-@@ -844,6 +1218,10 @@ optional_policy(`
+@@ -844,6 +1224,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -61023,7 +61392,7 @@ index 29a9565..2163271 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -854,3 +1232,149 @@ optional_policy(`
+@@ -854,3 +1238,149 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -65625,10 +65994,10 @@ index 34d0ec5..7564ed4 100644
 +')
 diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
 new file mode 100644
-index 0000000..3248032
+index 0000000..500db64
 --- /dev/null
 +++ b/policy/modules/system/systemd.fc
-@@ -0,0 +1,19 @@
+@@ -0,0 +1,18 @@
 +/bin/systemd-notify					--		gen_context(system_u:object_r:systemd_notify_exec_t,s0)
 +
 +/bin/systemctl						--	gen_context(system_u:object_r:systemd_systemctl_exec_t,s0)
@@ -65647,13 +66016,12 @@ index 0000000..3248032
 +/var/run/systemd/users(/.*)?	gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
 +/var/run/systemd/ask-password-block/[^/]*		-p	gen_context(system_u:object_r:systemd_device_t,s0)
 +/dev/\.systemd/ask-password-block/[^/]*		-p	gen_context(system_u:object_r:systemd_device_t,s0)
-+
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
 new file mode 100644
-index 0000000..d46fb42
+index 0000000..fc27830
 --- /dev/null
 +++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,376 @@
+@@ -0,0 +1,377 @@
 +## <summary>SELinux policy for systemd components</summary>
 +
 +#######################################
@@ -65986,6 +66354,7 @@ index 0000000..d46fb42
 +        allow $1_t systemd_$1_device_t:file manage_file_perms;
 +        allow $1_t systemd_$1_device_t:sock_file manage_sock_file_perms;
 +
++	allow systemd_passwd_agent_t $1_t:process signull;
 +        allow systemd_passwd_agent_t $1_t:unix_dgram_socket sendto;
 +	allow systemd_passwd_agent_t systemd_$1_device_t:sock_file write;
 +        allow systemd_passwd_agent_t systemd_$1_device_t:file read_file_perms;
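Review bot: The added `allow systemd_passwd_agent_t $1_t:process signull;` is indented with a tab while the allow rules directly above and below it use eight spaces, so the template now mixes both styles in adjacent lines. Pick one indentation for the whole template (the visible lines already alternate, so this is a good moment to normalise them). The enclosing template starts and ends outside this hunk.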
@@ -66032,10 +66401,10 @@ index 0000000..d46fb42
 +
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..d079aca
+index 0000000..f4df137
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,337 @@
+@@ -0,0 +1,350 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -66205,6 +66574,8 @@ index 0000000..d079aca
 +
 +miscfiles_read_localization(systemd_passwd_agent_t)
 +
++userdom_use_user_ptys(systemd_passwd_agent_t)
++
 +optional_policy(`
 +	lvm_signull(systemd_passwd_agent_t)
 +')
@@ -66243,6 +66614,8 @@ index 0000000..d079aca
 +files_delete_all_pid_sockets(systemd_tmpfiles_t)
 +files_delete_all_pid_pipes(systemd_tmpfiles_t)
 +files_delete_boot_flag(systemd_tmpfiles_t)
++files_delete_usr_dirs(systemd_tmpfiles_t)
++files_delete_usr_files(systemd_tmpfiles_t)
 +files_purge_tmp(systemd_tmpfiles_t)
 +files_manage_generic_tmp_files(systemd_tmpfiles_t)
 +files_manage_generic_tmp_dirs(systemd_tmpfiles_t)
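Review bot: `files_delete_usr_dirs(systemd_tmpfiles_t)` and `files_delete_usr_files(systemd_tmpfiles_t)` let the tmpfiles cleaner unlink anything labeled usr_t, which is far broader than the pid, tmp and boot-flag cleanup the surrounding rules cover. If a specific tmpfiles.d entry under /usr drives this, a comment naming it (as the cron hunk in init.te does) and, where possible, a dedicated type for that path would be preferable to a blanket delete on usr_t. The rule run for systemd_tmpfiles_t continues outside this hunk.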
@@ -66285,6 +66658,15 @@ index 0000000..d079aca
 +')
 +
 +optional_policy(`
++	apache_delete_sys_content_rw(systemd_tmpfiles_t)
++	apache_list_cache(systemd_tmpfiles_t)
++	apache_delete_cache_dirs(systemd_tmpfiles_t)
++	apache_delete_cache_files(systemd_tmpfiles_t)
++	apache_setattr_cache_dirs(systemd_tmpfiles_t)
++')
++
++
++optional_policy(`
 +    auth_rw_login_records(systemd_tmpfiles_t)
 +')
 +
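Review bot: The added apache block is followed by two blank lines (the two consecutive `++` lines) where the rest of systemd.te separates optional_policy blocks with one; drop one of them. The apache_* delete and list grants themselves fit the cleanup role of systemd_tmpfiles_t and are scoped to the cache and rw content types rather than all of apache's files.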
@@ -66595,7 +66977,7 @@ index 025348a..c15e57c 100644
 +')
 +
 diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index d88f7c3..6932809 100644
+index d88f7c3..91fae52 100644
 --- a/policy/modules/system/udev.te
 +++ b/policy/modules/system/udev.te
 @@ -14,17 +14,17 @@ domain_entry_file(udev_t, udev_helper_exec_t)
@@ -66679,7 +67061,7 @@ index d88f7c3..6932809 100644
  dev_rw_generic_files(udev_t)
  dev_delete_generic_files(udev_t)
  dev_search_usbfs(udev_t)
-@@ -105,21 +113,28 @@ dev_relabel_all_dev_nodes(udev_t)
+@@ -105,21 +113,29 @@ dev_relabel_all_dev_nodes(udev_t)
  # preserved, instead of short circuiting the relabel
  dev_relabel_generic_symlinks(udev_t)
  dev_manage_generic_symlinks(udev_t)
@@ -66696,6 +67078,7 @@ index d88f7c3..6932809 100644
 +# console_init manages files in /etc/sysconfig
 +files_manage_etc_files(udev_t)
  files_exec_etc_files(udev_t)
++files_exec_usr_files(udev_t)
  files_dontaudit_search_isid_type_dirs(udev_t)
  files_getattr_generic_locks(udev_t)
  files_search_mnt(udev_t)
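Review bot: `files_exec_usr_files(udev_t)` allows udev to execute any file labeled usr_t rather than only the bin_t helpers it already runs via corecmd. If one specific helper under /usr triggered this, labeling that helper as an executable in udev.fc would be the tighter fix; if the broad grant is needed, a comment stating which program requires it would help the next reviewer. The udev_t rule run continues outside this hunk.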
@@ -66709,7 +67092,7 @@ index d88f7c3..6932809 100644
  
  mcs_ptrace_all(udev_t)
  
-@@ -143,6 +158,7 @@ auth_use_nsswitch(udev_t)
+@@ -143,6 +159,7 @@ auth_use_nsswitch(udev_t)
  init_read_utmp(udev_t)
  init_dontaudit_write_utmp(udev_t)
  init_getattr_initctl(udev_t)
@@ -66717,7 +67100,7 @@ index d88f7c3..6932809 100644
  
  logging_search_logs(udev_t)
  logging_send_syslog_msg(udev_t)
-@@ -169,6 +185,8 @@ sysnet_signal_dhcpc(udev_t)
+@@ -169,6 +186,8 @@ sysnet_signal_dhcpc(udev_t)
  sysnet_manage_config(udev_t)
  sysnet_etc_filetrans_config(udev_t)
  
@@ -66726,7 +67109,7 @@ index d88f7c3..6932809 100644
  userdom_dontaudit_search_user_home_content(udev_t)
  
  ifdef(`distro_gentoo',`
-@@ -186,15 +204,16 @@ ifdef(`distro_redhat',`
+@@ -186,15 +205,16 @@ ifdef(`distro_redhat',`
  	fs_manage_tmpfs_chr_files(udev_t)
  	fs_relabel_tmpfs_blk_file(udev_t)
  	fs_relabel_tmpfs_chr_file(udev_t)
@@ -66747,7 +67130,7 @@ index d88f7c3..6932809 100644
  ')
  
  optional_policy(`
-@@ -216,11 +235,16 @@ optional_policy(`
+@@ -216,11 +236,16 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -66765,7 +67148,7 @@ index d88f7c3..6932809 100644
  ')
  
  optional_policy(`
-@@ -230,10 +254,20 @@ optional_policy(`
+@@ -230,10 +255,20 @@ optional_policy(`
  optional_policy(`
  	devicekit_read_pid_files(udev_t)
  	devicekit_dgram_send(udev_t)
@@ -66786,7 +67169,7 @@ index d88f7c3..6932809 100644
  ')
  
  optional_policy(`
-@@ -259,6 +293,10 @@ optional_policy(`
+@@ -259,6 +294,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -66797,7 +67180,7 @@ index d88f7c3..6932809 100644
  	openct_read_pid_files(udev_t)
  	openct_domtrans(udev_t)
  ')
-@@ -273,6 +311,11 @@ optional_policy(`
+@@ -273,6 +312,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -67584,7 +67967,7 @@ index db75976..cca4cd1 100644
 +
 +/var/run/user(/.*)?	gen_context(system_u:object_r:user_tmp_t,s0)
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 4b2878a..76d6c05 100644
+index 4b2878a..07569a4 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -68867,7 +69250,7 @@ index 4b2878a..76d6c05 100644
  	domain_dontaudit_ptrace_all_domains($1_t)
  	# signal all domains:
  	domain_kill_all_domains($1_t)
-@@ -1119,29 +1437,37 @@ template(`userdom_admin_user_template',`
+@@ -1119,29 +1437,38 @@ template(`userdom_admin_user_template',`
  	domain_sigchld_all_domains($1_t)
  	# for lsof
  	domain_getattr_all_sockets($1_t)
@@ -68892,6 +69275,7 @@ index 4b2878a..76d6c05 100644
  	auth_getattr_shadow($1_t)
  	# Manage almost all files
 -	auth_manage_all_files_except_shadow($1_t)
++	files_manage_non_security_dirs($1_t)
 +	files_manage_non_security_files($1_t)
  	# Relabel almost all files
 -	auth_relabel_all_files_except_shadow($1_t)
@@ -68909,7 +69293,7 @@ index 4b2878a..76d6c05 100644
  
  	# The following rule is temporary until such time that a complete
  	# policy management infrastructure is in place so that an administrator
-@@ -1151,6 +1477,8 @@ template(`userdom_admin_user_template',`
+@@ -1151,6 +1478,8 @@ template(`userdom_admin_user_template',`
  	# But presently necessary for installing the file_contexts file.
  	seutil_manage_bin_policy($1_t)
  
@@ -68918,7 +69302,7 @@ index 4b2878a..76d6c05 100644
  	userdom_manage_user_home_content_dirs($1_t)
  	userdom_manage_user_home_content_files($1_t)
  	userdom_manage_user_home_content_symlinks($1_t)
-@@ -1210,6 +1538,8 @@ template(`userdom_security_admin_template',`
+@@ -1210,6 +1539,8 @@ template(`userdom_security_admin_template',`
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -68927,7 +69311,7 @@ index 4b2878a..76d6c05 100644
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1222,8 +1552,9 @@ template(`userdom_security_admin_template',`
+@@ -1222,8 +1553,9 @@ template(`userdom_security_admin_template',`
  	selinux_set_enforce_mode($1)
  	selinux_set_all_booleans($1)
  	selinux_set_parameters($1)
@@ -68938,7 +69322,7 @@ index 4b2878a..76d6c05 100644
  	auth_relabel_shadow($1)
  
  	init_exec($1)
-@@ -1234,13 +1565,24 @@ template(`userdom_security_admin_template',`
+@@ -1234,13 +1566,24 @@ template(`userdom_security_admin_template',`
  	logging_read_audit_config($1)
  
  	seutil_manage_bin_policy($1)
@@ -68967,7 +69351,7 @@ index 4b2878a..76d6c05 100644
  	')
  
  	optional_policy(`
-@@ -1251,12 +1593,12 @@ template(`userdom_security_admin_template',`
+@@ -1251,12 +1594,12 @@ template(`userdom_security_admin_template',`
  		dmesg_exec($1)
  	')
  
@@ -68983,7 +69367,7 @@ index 4b2878a..76d6c05 100644
  	')
  
  	optional_policy(`
-@@ -1279,54 +1621,66 @@ template(`userdom_security_admin_template',`
+@@ -1279,54 +1622,66 @@ template(`userdom_security_admin_template',`
  interface(`userdom_user_home_content',`
  	gen_require(`
  		type user_home_t;
@@ -69065,7 +69449,7 @@ index 4b2878a..76d6c05 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1334,7 +1688,44 @@ interface(`userdom_setattr_user_ptys',`
+@@ -1334,7 +1689,44 @@ interface(`userdom_setattr_user_ptys',`
  ##	</summary>
  ## </param>
  #
@@ -69111,7 +69495,7 @@ index 4b2878a..76d6c05 100644
  	gen_require(`
  		type user_devpts_t;
  	')
-@@ -1395,6 +1786,7 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1395,6 +1787,7 @@ interface(`userdom_search_user_home_dirs',`
  	')
  
  	allow $1 user_home_dir_t:dir search_dir_perms;
@@ -69119,7 +69503,7 @@ index 4b2878a..76d6c05 100644
  	files_search_home($1)
  ')
  
-@@ -1441,6 +1833,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1441,6 +1834,14 @@ interface(`userdom_list_user_home_dirs',`
  
  	allow $1 user_home_dir_t:dir list_dir_perms;
  	files_search_home($1)
@@ -69134,7 +69518,7 @@ index 4b2878a..76d6c05 100644
  ')
  
  ########################################
-@@ -1456,9 +1856,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1456,9 +1857,11 @@ interface(`userdom_list_user_home_dirs',`
  interface(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
  		type user_home_dir_t;
@@ -69146,7 +69530,7 @@ index 4b2878a..76d6c05 100644
  ')
  
  ########################################
-@@ -1515,6 +1917,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1515,6 +1918,42 @@ interface(`userdom_relabelto_user_home_dirs',`
  	allow $1 user_home_dir_t:dir relabelto;
  ')
  
@@ -69189,7 +69573,7 @@ index 4b2878a..76d6c05 100644
  ########################################
  ## <summary>
  ##	Create directories in the home dir root with
-@@ -1589,6 +2027,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1589,6 +2028,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
  	')
  
  	dontaudit $1 user_home_t:dir search_dir_perms;
@@ -69198,7 +69582,7 @@ index 4b2878a..76d6c05 100644
  ')
  
  ########################################
-@@ -1603,10 +2043,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1603,10 +2044,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
  #
  interface(`userdom_list_user_home_content',`
  	gen_require(`
@@ -69213,7 +69597,7 @@ index 4b2878a..76d6c05 100644
  ')
  
  ########################################
-@@ -1649,6 +2091,43 @@ interface(`userdom_delete_user_home_content_dirs',`
+@@ -1649,6 +2092,43 @@ interface(`userdom_delete_user_home_content_dirs',`
  
  ########################################
  ## <summary>
@@ -69257,7 +69641,7 @@ index 4b2878a..76d6c05 100644
  ##	Do not audit attempts to set the
  ##	attributes of user home files.
  ## </summary>
-@@ -1668,6 +2147,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1668,6 +2148,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -69283,7 +69667,7 @@ index 4b2878a..76d6c05 100644
  ##	Mmap user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1700,12 +2198,32 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1700,12 +2199,32 @@ interface(`userdom_read_user_home_content_files',`
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -69316,7 +69700,7 @@ index 4b2878a..76d6c05 100644
  ##	Do not audit attempts to read user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1716,11 +2234,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1716,11 +2235,14 @@ interface(`userdom_read_user_home_content_files',`
  #
  interface(`userdom_dontaudit_read_user_home_content_files',`
  	gen_require(`
@@ -69334,7 +69718,7 @@ index 4b2878a..76d6c05 100644
  ')
  
  ########################################
-@@ -1779,6 +2300,60 @@ interface(`userdom_delete_user_home_content_files',`
+@@ -1779,6 +2301,60 @@ interface(`userdom_delete_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -69395,7 +69779,7 @@ index 4b2878a..76d6c05 100644
  ##	Do not audit attempts to write user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1810,8 +2385,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1810,8 +2386,7 @@ interface(`userdom_read_user_home_content_symlinks',`
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -69405,7 +69789,7 @@ index 4b2878a..76d6c05 100644
  ')
  
  ########################################
-@@ -1827,20 +2401,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1827,20 +2402,14 @@ interface(`userdom_read_user_home_content_symlinks',`
  #
  interface(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -69430,7 +69814,7 @@ index 4b2878a..76d6c05 100644
  
  ########################################
  ## <summary>
-@@ -1941,6 +2509,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
+@@ -1941,6 +2510,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
  
  ########################################
  ## <summary>
@@ -69455,7 +69839,7 @@ index 4b2878a..76d6c05 100644
  ##	Create, read, write, and delete named pipes
  ##	in a user home subdirectory.
  ## </summary>
-@@ -2008,7 +2594,7 @@ interface(`userdom_user_home_dir_filetrans',`
+@@ -2008,7 +2595,7 @@ interface(`userdom_user_home_dir_filetrans',`
  		type user_home_dir_t;
  	')
  
@@ -69464,7 +69848,7 @@ index 4b2878a..76d6c05 100644
  	files_search_home($1)
  ')
  
-@@ -2182,7 +2768,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2182,7 +2769,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -69473,7 +69857,16 @@ index 4b2878a..76d6c05 100644
  ')
  
  ########################################
-@@ -2435,13 +3021,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2390,7 +2977,7 @@ interface(`userdom_user_tmp_filetrans',`
+ 		type user_tmp_t;
+ 	')
+ 
+-	filetrans_pattern($1, user_tmp_t, $2, $3)
++	filetrans_pattern($1, user_tmp_t, $2, $3, $4)
+ 	files_search_tmp($1)
+ ')
+ 
+@@ -2435,13 +3022,14 @@ interface(`userdom_read_user_tmpfs_files',`
  	')
  
  	read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
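Review bot: `filetrans_pattern($1, user_tmp_t, $2, $3, $4)` adds a fourth, name-based argument to userdom_user_tmp_filetrans, but the interface's `<param>` documentation lies outside this hunk and, as far as the hunk shows, still describes only the original three parameters. Add a `<param name="filename" optional="true">` entry describing the optional file name used for the named transition, in the same XML form the file uses for its other parameters. The interface header starts outside this hunk.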
@@ -69489,7 +69882,7 @@ index 4b2878a..76d6c05 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2462,26 +3049,6 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2462,26 +3050,6 @@ interface(`userdom_rw_user_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -69516,7 +69909,7 @@ index 4b2878a..76d6c05 100644
  ##	Get the attributes of a user domain tty.
  ## </summary>
  ## <param name="domain">
-@@ -2572,7 +3139,7 @@ interface(`userdom_use_user_ttys',`
+@@ -2572,7 +3140,7 @@ interface(`userdom_use_user_ttys',`
  
  ########################################
  ## <summary>
@@ -69525,7 +69918,7 @@ index 4b2878a..76d6c05 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2580,70 +3147,138 @@ interface(`userdom_use_user_ttys',`
+@@ -2580,70 +3148,138 @@ interface(`userdom_use_user_ttys',`
  ##	</summary>
  ## </param>
  #
@@ -69694,7 +70087,7 @@ index 4b2878a..76d6c05 100644
  ########################################
  ## <summary>
  ##	Execute a shell in all user domains.  This
-@@ -2736,24 +3371,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
+@@ -2736,24 +3372,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
@@ -69719,7 +70112,7 @@ index 4b2878a..76d6c05 100644
  ########################################
  ## <summary>
  ##	Manage unpriviledged user SysV sempaphores.
-@@ -2772,25 +3389,6 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -2772,25 +3390,6 @@ interface(`userdom_manage_unpriv_user_semaphores',`
  	allow $1 unpriv_userdomain:sem create_sem_perms;
  ')
  
@@ -69745,7 +70138,7 @@ index 4b2878a..76d6c05 100644
  ########################################
  ## <summary>
  ##	Manage unpriviledged user SysV shared
-@@ -2852,7 +3450,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2852,7 +3451,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  
  	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
  	allow unpriv_userdomain $1:fd use;
@@ -69754,7 +70147,7 @@ index 4b2878a..76d6c05 100644
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
-@@ -2868,29 +3466,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2868,29 +3467,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  #
  interface(`userdom_search_user_home_content',`
  	gen_require(`
@@ -69788,7 +70181,7 @@ index 4b2878a..76d6c05 100644
  ')
  
  ########################################
-@@ -2972,7 +3554,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -2972,7 +3555,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
  		type user_devpts_t;
  	')
  
@@ -69797,7 +70190,7 @@ index 4b2878a..76d6c05 100644
  ')
  
  ########################################
-@@ -3027,7 +3609,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3027,7 +3610,45 @@ interface(`userdom_write_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -69844,7 +70237,7 @@ index 4b2878a..76d6c05 100644
  ')
  
  ########################################
-@@ -3064,6 +3684,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3064,6 +3685,7 @@ interface(`userdom_read_all_users_state',`
  	')
  
  	read_files_pattern($1, userdomain, userdomain)
@@ -69852,7 +70245,7 @@ index 4b2878a..76d6c05 100644
  	kernel_search_proc($1)
  ')
  
-@@ -3142,6 +3763,24 @@ interface(`userdom_signal_all_users',`
+@@ -3142,6 +3764,24 @@ interface(`userdom_signal_all_users',`
  
  ########################################
  ## <summary>
@@ -69877,7 +70270,7 @@ index 4b2878a..76d6c05 100644
  ##	Send a SIGCHLD signal to all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3194,3 +3833,1076 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3194,3 +3834,1076 @@ interface(`userdom_dbus_send_all_users',`
  
  	allow $1 userdomain:dbus send_msg;
  ')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 47fe4ef..e1f66d7 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 18%{?dist}
+Release: 19%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -466,6 +466,17 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Tue Aug 23 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-19
+- Add policy for sa-update being run out of cron jobs
+- Add create perms to postgresql_manage_db
+- ntpd using a gps has to be able to read/write generic tty_device_t
+- If you disable unconfined and unconfineduser, rpm needs more privs to manage /dev
+- fix spec file
+- Remove qemu_domtrans_unconfined() interface
+- Make passenger working together with puppet
+- Add init_dontaudit_rw_stream_socket interface
+- Fixes for wordpress
+
 * Thu Aug 11 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-18
 - Turn on allow_domain_fd_use boolean on F16
 - Allow syslog to manage all log files

