[selinux-policy/f16] - Allow Postfix to deliver to Dovecot LMTP socket - Ignore bogus sys_module for lldpad - Allow chron
Miroslav Grepl
mgrepl at fedoraproject.org
Mon Aug 29 11:52:22 UTC 2011
commit a8066ad4b18b0d25515d9f25e28f2ec22cc3485d
Author: Miroslav <mgrepl at redhat.com>
Date: Mon Aug 29 13:51:53 2011 +0200
- Allow Postfix to deliver to Dovecot LMTP socket
- Ignore bogus sys_module for lldpad
- Allow chrony and gpsd to send dgrams, gpsd needs to write to the real time clock
- systemd_logind_t sets the attributes on usb devices
- Allow hddtemp_t to read etc_t files
- Add permissivedomains module
- Move all permissive domains calls to permissivedomain.te
- Allow pegasus to send kill signals to other UIDs
modules-targeted.conf | 8 +
policy-F16.patch | 1428 ++++++++++++++++++++++++++++---------------------
selinux-policy.spec | 12 +-
3 files changed, 828 insertions(+), 620 deletions(-)
---
diff --git a/modules-targeted.conf b/modules-targeted.conf
index beed176..a65d10b 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -716,6 +716,14 @@ hddtemp = module
#
passenger = module
+ Layer: admin
+
+# Module: permissivedomains
+#
+# Contains all permissivedomains shipped by distribution
+#
+permissivedomains = module
+
# Layer: services
# Module: policykit
#
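Review bot: The header line added right after `passenger = module` reads `Layer: admin` without the leading `#` that every other Layer/Module header in this file carries (compare `# Layer: services` three lines below), so unless this is an artifact of the archive rendering it lands in the config as a non-comment line. It should read `# Layer: admin`, and the blank separator line should come before it (between `passenger = module` and the header) rather than after it, matching the layout of the surrounding entries.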
diff --git a/policy-F16.patch b/policy-F16.patch
index 207bd6d..d704566 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -336,10 +336,27 @@ index e3e0701..3fd0282 100644
/usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0)
diff --git a/policy/modules/admin/amanda.te b/policy/modules/admin/amanda.te
-index 46d467c..3305e15 100644
+index 46d467c..53c116c 100644
--- a/policy/modules/admin/amanda.te
+++ b/policy/modules/admin/amanda.te
-@@ -200,12 +200,14 @@ files_search_pids(amanda_recover_t)
+@@ -58,7 +58,7 @@ optional_policy(`
+ #
+
+ allow amanda_t self:capability { chown dac_override setuid kill };
+-allow amanda_t self:process { setpgid signal };
++allow amanda_t self:process { getsched setsched setpgid signal };
+ allow amanda_t self:fifo_file rw_fifo_file_perms;
+ allow amanda_t self:unix_stream_socket create_stream_socket_perms;
+ allow amanda_t self:unix_dgram_socket create_socket_perms;
+@@ -71,6 +71,7 @@ allow amanda_t amanda_config_t:file read_file_perms;
+
+ manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t)
+ manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t)
++manage_lnk_files_pattern(amanda_t, amanda_data_t, amanda_data_t)
+ filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir })
+
+ allow amanda_t amanda_dumpdates_t:file rw_file_perms;
+@@ -200,12 +201,14 @@ files_search_pids(amanda_recover_t)
auth_use_nsswitch(amanda_recover_t)
@@ -472,7 +489,7 @@ index 63eb96b..17a9f6d 100644
## <summary>
## Execute bootloader interactively and do
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
-index d3da8f2..559bc9b 100644
+index d3da8f2..9152065 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -23,7 +23,7 @@ role system_r types bootloader_t;
@@ -506,29 +523,30 @@ index d3da8f2..559bc9b 100644
userdom_dontaudit_search_user_home_dirs(bootloader_t)
ifdef(`distro_debian',`
-@@ -162,12 +162,18 @@ ifdef(`distro_redhat',`
+@@ -162,8 +162,10 @@ ifdef(`distro_redhat',`
files_manage_isid_type_blk_files(bootloader_t)
files_manage_isid_type_chr_files(bootloader_t)
- # for mke2fs
- mount_domtrans(bootloader_t)
--
- optional_policy(`
-- unconfined_domain(bootloader_t)
++ optional_policy(`
+ # for mke2fs
+ mount_domtrans(bootloader_t)
- ')
-+
-+ #optional_policy(`
-+ # unconfined_domain(bootloader_t)
-+ #')
++ ')
+
+ optional_policy(`
+ unconfined_domain(bootloader_t)
+@@ -171,6 +173,10 @@ ifdef(`distro_redhat',`
+ ')
+
+ optional_policy(`
++ devicekit_dontaudit_read_pid_files(bootloader_t)
+')
+
+optional_policy(`
-+ devicekit_dontaudit_read_pid_files(bootloader_t)
+ fstools_exec(bootloader_t)
')
- optional_policy(`
@@ -197,10 +203,7 @@ optional_policy(`
modutils_exec_insmod(bootloader_t)
modutils_exec_depmod(bootloader_t)
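Review bot: The new bootloader.te hunk keeps the upstream `optional_policy(` / `unconfined_domain(bootloader_t)` block as untouched context after the added `')`, whereas the version it replaces commented that block out, so bootloader_t becomes an unconfined domain again on distro_redhat builds whenever the unconfined module is loaded. None of the changelog items mentions this; if it is deliberate the commit message should say so, and if not the block still needs removing, as this patch keeps doing for useradd_t and tmpreaper_t further down. The prelink.te hunk (`@@ -109,6 +120,15 @@`) appears to do the same for `unconfined_domain(prelink_t)`, which the old version removed and the new one no longer touches, though the collapsed blank lines in this listing make that harder to confirm.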
@@ -966,7 +984,7 @@ index 9dd6880..4b7fa27 100644
optional_policy(`
diff --git a/policy/modules/admin/kudzu.te b/policy/modules/admin/kudzu.te
-index 4f7bd3c..6c420a4 100644
+index 4f7bd3c..a29af21 100644
--- a/policy/modules/admin/kudzu.te
+++ b/policy/modules/admin/kudzu.te
@@ -111,15 +111,10 @@ logging_send_syslog_msg(kudzu_t)
@@ -999,12 +1017,11 @@ index 4f7bd3c..6c420a4 100644
')
optional_policy(`
-@@ -141,5 +140,5 @@ optional_policy(`
+@@ -141,5 +140,4 @@ optional_policy(`
optional_policy(`
unconfined_domtrans(kudzu_t)
- unconfined_domain(kudzu_t)
-+ #unconfined_domain(kudzu_t)
')
diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
index 7090dae..6eac7b9 100644
@@ -1579,6 +1596,243 @@ index 3470036..66412e6 100644
+optional_policy(`
+ puppet_manage_lib(passenger_t)
+')
+diff --git a/policy/modules/admin/permissivedomains.fc b/policy/modules/admin/permissivedomains.fc
+new file mode 100644
+index 0000000..6e6a8fc
+--- /dev/null
++++ b/policy/modules/admin/permissivedomains.fc
+@@ -0,0 +1 @@
++# No file contexts
+diff --git a/policy/modules/admin/permissivedomains.if b/policy/modules/admin/permissivedomains.if
+new file mode 100644
+index 0000000..bd83148
+--- /dev/null
++++ b/policy/modules/admin/permissivedomains.if
+@@ -0,0 +1 @@
++## <summary>No Interfaces</summary>
+diff --git a/policy/modules/admin/permissivedomains.te b/policy/modules/admin/permissivedomains.te
+new file mode 100644
+index 0000000..3b8c1e9
+--- /dev/null
++++ b/policy/modules/admin/permissivedomains.te
+@@ -0,0 +1,217 @@
++policy_module(permissivedomains,16)
++
++optional_policy(`
++ gen_require(`
++ type systemd_logger_t;
++ ')
++
++ permissive systemd_logger_t;
++')
++
++optional_policy(`
++ gen_require(`
++ type systemd_logind_t;
++ ')
++
++ permissive systemd_logind_t;
++')
++
++optional_policy(`
++ gen_require(`
++ type fcoemon_t;
++ ')
++
++ permissive fcoemon_t;
++')
++
++optional_policy(`
++ gen_require(`
++ type httpd_passwd_t;
++ ')
++
++ permissive httpd_passwd_t;
++')
++
++optional_policy(`
++ gen_require(`
++ type puppetca_t;
++ ')
++
++ permissive puppetca_t;
++')
++
++optional_policy(`
++ gen_require(`
++ type spamd_update_t;
++ ')
++
++ permissive spamd_update_t;
++')
++
++optional_policy(`
++ gen_require(`
++ type rhev_agentd_t;
++ ')
++
++ permissive rhev_agentd_t;
++')
++
++optional_policy(`
++ gen_require(`
++ type abrt_handle_event_t;
++ ')
++
++ permissive abrt_handle_event_t;
++')
++
++optional_policy(`
++ gen_require(`
++ type cfengine_serverd_t;
++ ')
++
++ permissive cfengine_serverd_t;
++')
++
++optional_policy(`
++ gen_require(`
++ type cfengine_execd_t;
++ ')
++
++ permissive cfengine_execd_t;
++')
++
++optional_policy(`
++ gen_require(`
++ type cfengine_monitord_t;
++ ')
++
++ permissive cfengine_monitord_t;
++')
++
++optional_policy(`
++ gen_require(`
++ type rhsmcertd_t;
++ ')
++
++ permissive rhsmcertd_t;
++')
++
++optional_policy(`
++ gen_require(`
++ type fail2ban_client_t;
++ ')
++
++ permissive fail2ban_client_t;
++')
++
++optional_policy(`
++ gen_require(`
++ type ctdbd_t;
++ ')
++
++ permissive ctdbd_t;
++')
++
++optional_policy(`
++ gen_require(`
++ type mscan_t;
++ ')
++
++ permissive mscan_t;
++')
++
++optional_policy(`
++ gen_require(`
++ type lldpad_t;
++ ')
++
++ permissive lldpad_t;
++')
++
++optional_policy(`
++ gen_require(`
++ type sblim_gatherd_t;
++ ')
++
++ permissive sblim_gatherd_t;
++')
++
++optional_policy(`
++ gen_require(`
++ type sblim_gatherd_t;
++ ')
++
++ permissive sblim_gatherd_t;
++')
++
++optional_policy(`
++ gen_require(`
++ type callweaver_t;
++ ')
++
++ permissive callweaver_t;
++')
++
++optional_policy(`
++ gen_require(`
++ type sanlock_t;
++ ')
++
++ permissive sanlock_t;
++')
++
++optional_policy(`
++ gen_require(`
++ type uuidd_t;
++ ')
++
++ permissive uuidd_t;
++')
++
++optional_policy(`
++ gen_require(`
++ type wdmd_t;
++ ')
++
++ permissive wdmd_t;
++')
++
++optional_policy(`
++ gen_require(`
++ type dspam_t;
++ ')
++
++ permissive dspam_t;
++')
++
++optional_policy(`
++ gen_require(`
++ type virt_lxc_t;
++ ')
++
++ permissive virt_lxc_t;
++')
++
++optional_policy(`
++ gen_require(`
++ type virtd_t;
++ ')
++
++ permissive virtd_t;
++')
++
++optional_policy(`
++ gen_require(`
++ type pyicqt_t;
++ ')
++
++ permissive pyicqt_t;
++')
++
++optional_policy(`
++ gen_require(`
++ type telepathy_logger_t;
++ ')
++
++ permissive telepathy_logger_t;
++')
diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc
index db46387..b665b08 100644
--- a/policy/modules/admin/portage.fc
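Review bot: The new permissivedomains.te declares `permissive sblim_gatherd_t;` twice in two identical back-to-back optional_policy blocks; the second block should be dropped. Every entry is also bare, which for a file whose whole purpose is to track domains temporarily exempt from enforcement makes it hard to tell when one can be moved back to enforcing, so a one-line comment per block such as `# still permissive pending <bug reference>` would keep the list auditable. The changelog says all permissive declarations are moved here, but kdebacklighthelper_t (kde.te hunk), abrt_dump_oops_t and abrt_retrace_coredump_t (abrt.te hunks) are only removed and never re-declared in this file, so those domains switch to enforcing with this update; if that is intended the changelog should state it. The version argument in `policy_module(permissivedomains,16)` also departs from the `X.Y.Z` form used by the other modules in this patch, e.g. `policy_module(kde,1.0.0)`.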
@@ -1664,7 +1918,7 @@ index 93ec175..0e42018 100644
')
')
diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te
-index af55369..77b9b29 100644
+index af55369..e83b341 100644
--- a/policy/modules/admin/prelink.te
+++ b/policy/modules/admin/prelink.te
@@ -36,7 +36,7 @@ files_type(prelink_var_lib_t)
@@ -1722,31 +1976,22 @@ index af55369..77b9b29 100644
optional_policy(`
amanda_manage_lib(prelink_t)
-@@ -109,13 +120,22 @@ optional_policy(`
+@@ -109,6 +120,15 @@ optional_policy(`
')
optional_policy(`
-- rpm_manage_tmp_files(prelink_t)
+ gnome_dontaudit_read_config(prelink_t)
+ gnome_dontaudit_read_inherited_gconf_config_files(prelink_t)
- ')
-
- optional_policy(`
-- unconfined_domain(prelink_t)
++')
++
++optional_policy(`
+ nsplugin_manage_rw_files(prelink_t)
+')
+
+optional_policy(`
-+ rpm_manage_tmp_files(prelink_t)
+ rpm_manage_tmp_files(prelink_t)
')
-+#optional_policy(`
-+# unconfined_domain(prelink_t)
-+#')
-+
- ########################################
- #
- # Prelink Cron system Policy
@@ -129,6 +149,7 @@ optional_policy(`
read_files_pattern(prelink_cron_system_t, prelink_cache_t, prelink_cache_t)
@@ -3016,7 +3261,7 @@ index d5aaf0e..6b16aef 100644
optional_policy(`
mta_send_mail(sxid_t)
diff --git a/policy/modules/admin/tmpreaper.te b/policy/modules/admin/tmpreaper.te
-index 6a5004b..de58aeb 100644
+index 6a5004b..90cf622 100644
--- a/policy/modules/admin/tmpreaper.te
+++ b/policy/modules/admin/tmpreaper.te
@@ -7,6 +7,7 @@ policy_module(tmpreaper, 1.5.0)
@@ -3076,7 +3321,7 @@ index 6a5004b..de58aeb 100644
apache_delete_cache_files(tmpreaper_t)
apache_setattr_cache_dirs(tmpreaper_t)
')
-@@ -66,9 +78,17 @@ optional_policy(`
+@@ -66,9 +78,13 @@ optional_policy(`
')
optional_policy(`
@@ -3092,10 +3337,6 @@ index 6a5004b..de58aeb 100644
- unconfined_domain(tmpreaper_t)
+ rpm_manage_cache(tmpreaper_t)
')
-+
-+#optional_policy(`
-+# unconfined_domain(tmpreaper_t)
-+#')
diff --git a/policy/modules/admin/tripwire.te b/policy/modules/admin/tripwire.te
index 2ae8b62..a8e786b 100644
--- a/policy/modules/admin/tripwire.te
@@ -3346,7 +3587,7 @@ index 81fb26f..66cf96c 100644
## </summary>
## <param name="domain">
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 441cf22..233bbc6 100644
+index 441cf22..3d2f418 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -79,8 +79,8 @@ selinux_compute_create_context(chfn_t)
@@ -3479,15 +3720,15 @@ index 441cf22..233bbc6 100644
auth_domtrans_chk_passwd(useradd_t)
auth_rw_lastlog(useradd_t)
-@@ -498,20 +503,16 @@ seutil_domtrans_setfiles(useradd_t)
+@@ -498,21 +503,11 @@ seutil_domtrans_setfiles(useradd_t)
userdom_use_unpriv_users_fds(useradd_t)
# Add/remove user home directories
-userdom_manage_user_home_dirs(useradd_t)
--userdom_home_filetrans_user_home_dir(useradd_t)
+ userdom_home_filetrans_user_home_dir(useradd_t)
-userdom_manage_user_home_content_dirs(useradd_t)
-userdom_manage_user_home_content_files(useradd_t)
- userdom_home_filetrans_user_home_dir(useradd_t)
+-userdom_home_filetrans_user_home_dir(useradd_t)
-userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_set)
+userdom_manage_home_role(system_r, useradd_t)
@@ -3498,14 +3739,10 @@ index 441cf22..233bbc6 100644
- unconfined_domain(useradd_t)
- ')
-')
-+#ifdef(`distro_redhat',`
-+# optional_policy(`
-+# unconfined_domain(useradd_t)
-+# ')
-+#')
-
+-
optional_policy(`
apache_manage_all_user_content(useradd_t)
+ ')
diff --git a/policy/modules/admin/vpn.te b/policy/modules/admin/vpn.te
index ebf4b26..453a827 100644
--- a/policy/modules/admin/vpn.te
@@ -6538,10 +6775,10 @@ index 0000000..cf65577
+')
diff --git a/policy/modules/apps/kde.te b/policy/modules/apps/kde.te
new file mode 100644
-index 0000000..bb02f40
+index 0000000..6d0c9e3
--- /dev/null
+++ b/policy/modules/apps/kde.te
-@@ -0,0 +1,45 @@
+@@ -0,0 +1,43 @@
+policy_module(kde,1.0.0)
+
+########################################
@@ -6553,8 +6790,6 @@ index 0000000..bb02f40
+type kdebacklighthelper_exec_t;
+dbus_system_domain(kdebacklighthelper_t, kdebacklighthelper_exec_t)
+
-+permissive kdebacklighthelper_t;
-+
+########################################
+#
+# backlighthelper local policy
@@ -10008,19 +10243,10 @@ index 3cfb128..609921d 100644
+ ')
+')
diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te
-index 2533ea0..e6e956f 100644
+index 2533ea0..7c8de51 100644
--- a/policy/modules/apps/telepathy.te
+++ b/policy/modules/apps/telepathy.te
-@@ -32,6 +32,8 @@ userdom_user_home_content(telepathy_gabble_cache_home_t)
- telepathy_domain_template(idle)
- telepathy_domain_template(logger)
-
-+permissive telepathy_logger_t;
-+
- type telepathy_logger_cache_home_t;
- userdom_user_home_content(telepathy_logger_cache_home_t)
-
-@@ -67,6 +69,14 @@ manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble
+@@ -67,6 +67,14 @@ manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble
manage_sock_files_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t)
files_tmp_filetrans(telepathy_gabble_t, telepathy_gabble_tmp_t, { dir sock_file })
@@ -10035,7 +10261,7 @@ index 2533ea0..e6e956f 100644
corenet_all_recvfrom_netlabel(telepathy_gabble_t)
corenet_all_recvfrom_unlabeled(telepathy_gabble_t)
corenet_tcp_sendrecv_generic_if(telepathy_gabble_t)
-@@ -112,6 +122,10 @@ optional_policy(`
+@@ -112,6 +120,10 @@ optional_policy(`
dbus_system_bus_client(telepathy_gabble_t)
')
@@ -10046,7 +10272,7 @@ index 2533ea0..e6e956f 100644
#######################################
#
# Telepathy Idle local policy.
-@@ -148,9 +162,11 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
+@@ -148,9 +160,11 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
allow telepathy_logger_t self:unix_stream_socket create_socket_perms;
manage_files_pattern(telepathy_logger_t, telepathy_logger_cache_home_t, telepathy_logger_cache_home_t)
@@ -10058,7 +10284,7 @@ index 2533ea0..e6e956f 100644
files_read_etc_files(telepathy_logger_t)
files_read_usr_files(telepathy_logger_t)
-@@ -168,6 +184,11 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -168,6 +182,11 @@ tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_files(telepathy_logger_t)
')
@@ -10070,7 +10296,7 @@ index 2533ea0..e6e956f 100644
#######################################
#
# Telepathy Mission-Control local policy.
-@@ -176,6 +197,7 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -176,6 +195,7 @@ tunable_policy(`use_samba_home_dirs',`
manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t)
manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t)
userdom_user_home_dir_filetrans(telepathy_mission_control_t, telepathy_mission_control_home_t, { dir file })
@@ -10078,7 +10304,7 @@ index 2533ea0..e6e956f 100644
dev_read_rand(telepathy_mission_control_t)
-@@ -194,6 +216,16 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -194,6 +214,16 @@ tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_files(telepathy_mission_control_t)
')
@@ -10095,7 +10321,7 @@ index 2533ea0..e6e956f 100644
#######################################
#
# Telepathy Butterfly and Haze local policy.
-@@ -205,8 +237,11 @@ allow telepathy_msn_t self:unix_dgram_socket { write create connect };
+@@ -205,8 +235,11 @@ allow telepathy_msn_t self:unix_dgram_socket { write create connect };
manage_dirs_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
manage_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
manage_sock_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
@@ -10107,7 +10333,7 @@ index 2533ea0..e6e956f 100644
corenet_all_recvfrom_netlabel(telepathy_msn_t)
corenet_all_recvfrom_unlabeled(telepathy_msn_t)
-@@ -246,6 +281,10 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
+@@ -246,6 +279,10 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
')
optional_policy(`
@@ -10118,7 +10344,7 @@ index 2533ea0..e6e956f 100644
dbus_system_bus_client(telepathy_msn_t)
optional_policy(`
-@@ -365,10 +404,9 @@ dev_read_urand(telepathy_domain)
+@@ -365,10 +402,9 @@ dev_read_urand(telepathy_domain)
kernel_read_system_state(telepathy_domain)
@@ -10130,7 +10356,7 @@ index 2533ea0..e6e956f 100644
miscfiles_read_localization(telepathy_domain)
optional_policy(`
-@@ -376,5 +414,23 @@ optional_policy(`
+@@ -376,5 +412,23 @@ optional_policy(`
')
optional_policy(`
@@ -12049,7 +12275,7 @@ index 4f3b542..5a41e58 100644
corenet_udp_recvfrom_labeled($1, $2)
corenet_raw_recvfrom_labeled($1, $2)
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 99b71cb..d898d5a 100644
+index 99b71cb..2039d50 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -11,11 +11,14 @@ attribute netif_type;
@@ -12182,7 +12408,7 @@ index 99b71cb..d898d5a 100644
-network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
-network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
+network_port(jabber_router, tcp,5347,s0)
-+network_port(jboss_management, tcp,4712,s0, udp,4712,s0)
++network_port(jboss_management, tcp,4712,s0, udp,4712,s0, tcp,9123,s0, udp,9123,s0)
+network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0, tcp,4444,s0, udp,4444,s0)
+network_port(kerberos_admin, tcp,749,s0)
+network_port(kerberos_password, tcp,464,s0, udp,464,s0)
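Review bot: The jboss_management declaration gains `tcp,9123,s0, udp,9123,s0`, which no changelog item covers. Port labels are global, so whatever binds 9123 on an affected system will now be labeled jboss_management_port_t; a short comment above the `network_port(jboss_management, ...)` line naming the JBoss service that listens there (or a reference to the request that prompted it) would make the assignment reviewable later.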
@@ -18530,7 +18756,7 @@ index 2be17d2..afb3532 100644
+ userdom_execmod_user_home_files(staff_usertype)
+')
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index e14b961..9db59b0 100644
+index e14b961..7ef880f 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -24,20 +24,55 @@ ifndef(`enable_mls',`
@@ -18665,14 +18891,14 @@ index e14b961..9db59b0 100644
- libs_run_ldconfig(sysadm_t, sysadm_r)
+ kerberos_exec_kadmind(sysadm_t)
+ kerberos_filetrans_named_content(sysadm_t)
++')
++
++optional_policy(`
++ kudzu_run(sysadm_t, sysadm_r)
')
optional_policy(`
- lockdev_role(sysadm_r, sysadm_t)
-+ kudzu_run(sysadm_t, sysadm_r)
-+')
-+
-+optional_policy(`
+ libs_run_ldconfig(sysadm_t, sysadm_r)
')
@@ -18705,7 +18931,7 @@ index e14b961..9db59b0 100644
')
optional_policy(`
-@@ -225,17 +278,29 @@ optional_policy(`
+@@ -225,21 +278,37 @@ optional_policy(`
')
optional_policy(`
@@ -18735,7 +18961,15 @@ index e14b961..9db59b0 100644
oav_run_update(sysadm_t, sysadm_r)
')
-@@ -253,19 +318,19 @@ optional_policy(`
+ optional_policy(`
++ openvpn_run(sysadm_t, sysadm_r)
++')
++
++optional_policy(`
+ pcmcia_run_cardctl(sysadm_t, sysadm_r)
+ ')
+
+@@ -253,19 +322,19 @@ optional_policy(`
')
optional_policy(`
@@ -18759,7 +18993,7 @@ index e14b961..9db59b0 100644
')
optional_policy(`
-@@ -274,10 +339,7 @@ optional_policy(`
+@@ -274,10 +343,7 @@ optional_policy(`
optional_policy(`
rpm_run(sysadm_t, sysadm_r)
@@ -18771,7 +19005,7 @@ index e14b961..9db59b0 100644
')
optional_policy(`
-@@ -302,12 +364,18 @@ optional_policy(`
+@@ -302,12 +368,18 @@ optional_policy(`
')
optional_policy(`
@@ -18791,7 +19025,7 @@ index e14b961..9db59b0 100644
')
optional_policy(`
-@@ -332,7 +400,7 @@ optional_policy(`
+@@ -332,7 +404,7 @@ optional_policy(`
')
optional_policy(`
@@ -18800,7 +19034,7 @@ index e14b961..9db59b0 100644
')
optional_policy(`
-@@ -343,19 +411,15 @@ optional_policy(`
+@@ -343,19 +415,15 @@ optional_policy(`
')
optional_policy(`
@@ -18822,7 +19056,7 @@ index e14b961..9db59b0 100644
')
optional_policy(`
-@@ -367,45 +431,45 @@ optional_policy(`
+@@ -367,45 +435,45 @@ optional_policy(`
')
optional_policy(`
@@ -18879,7 +19113,7 @@ index e14b961..9db59b0 100644
auth_role(sysadm_r, sysadm_t)
')
-@@ -439,6 +503,7 @@ ifndef(`distro_redhat',`
+@@ -439,6 +507,7 @@ ifndef(`distro_redhat',`
optional_policy(`
gnome_role(sysadm_r, sysadm_t)
@@ -18887,36 +19121,36 @@ index e14b961..9db59b0 100644
')
optional_policy(`
-@@ -446,11 +511,62 @@ ifndef(`distro_redhat',`
+@@ -446,11 +515,62 @@ ifndef(`distro_redhat',`
')
optional_policy(`
- irc_role(sysadm_r, sysadm_t)
+ java_role(sysadm_r, sysadm_t)
-+ ')
-+
-+ optional_policy(`
-+ lockdev_role(sysadm_r, sysadm_t)
')
optional_policy(`
- java_role(sysadm_r, sysadm_t)
-+ mozilla_role(sysadm_r, sysadm_t)
++ lockdev_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
-+ mplayer_role(sysadm_r, sysadm_t)
++ mozilla_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
++ mplayer_role(sysadm_r, sysadm_t)
+ ')
+-')
+
++ optional_policy(`
+ pyzor_role(sysadm_r, sysadm_t)
+ ')
+
+ optional_policy(`
+ razor_role(sysadm_r, sysadm_t)
- ')
--')
-
++ ')
++
+ optional_policy(`
+ rssh_role(sysadm_r, sysadm_t)
+ ')
@@ -20745,7 +20979,7 @@ index 0b827c5..e03a970 100644
+ read_lnk_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
+')
diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
-index 30861ec..e96a565 100644
+index 30861ec..ee2d7f1 100644
--- a/policy/modules/services/abrt.te
+++ b/policy/modules/services/abrt.te
@@ -5,7 +5,25 @@ policy_module(abrt, 1.2.0)
@@ -20775,7 +21009,7 @@ index 30861ec..e96a565 100644
type abrt_exec_t;
init_daemon_domain(abrt_t, abrt_exec_t)
-@@ -32,9 +50,24 @@ files_type(abrt_var_cache_t)
+@@ -32,9 +50,20 @@ files_type(abrt_var_cache_t)
type abrt_var_run_t;
files_pid_file(abrt_var_run_t)
@@ -20783,8 +21017,6 @@ index 30861ec..e96a565 100644
+type abrt_dump_oops_exec_t;
+init_system_domain(abrt_dump_oops_t, abrt_dump_oops_exec_t)
+
-+permissive abrt_dump_oops_t;
-+
+# type for abrt-handle-event to handle
+# ABRT event scripts
+type abrt_handle_event_t, abrt_domain;
@@ -20792,8 +21024,6 @@ index 30861ec..e96a565 100644
+application_domain(abrt_handle_event_t, abrt_handle_event_exec_t)
+role system_r types abrt_handle_event_t;
+
-+permissive abrt_handle_event_t;
-+
# type needed to allow all domains
# to handle /var/cache/abrt
-type abrt_helper_t;
@@ -20801,7 +21031,7 @@ index 30861ec..e96a565 100644
type abrt_helper_exec_t;
application_domain(abrt_helper_t, abrt_helper_exec_t)
role system_r types abrt_helper_t;
-@@ -43,14 +76,37 @@ ifdef(`enable_mcs',`
+@@ -43,14 +72,34 @@ ifdef(`enable_mcs',`
init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
')
@@ -20819,9 +21049,6 @@ index 30861ec..e96a565 100644
+application_domain(abrt_retrace_coredump_t, abrt_retrace_coredump_exec_t)
+role system_r types abrt_retrace_coredump_t;
+
-+permissive abrt_retrace_worker_exec_t;
-+permissive abrt_retrace_coredump_t;
-+
+type abrt_retrace_cache_t;
+files_type(abrt_retrace_cache_t)
+
@@ -20841,7 +21068,7 @@ index 30861ec..e96a565 100644
allow abrt_t self:fifo_file rw_fifo_file_perms;
allow abrt_t self:tcp_socket create_stream_socket_perms;
-@@ -59,6 +115,7 @@ allow abrt_t self:unix_dgram_socket create_socket_perms;
+@@ -59,6 +108,7 @@ allow abrt_t self:unix_dgram_socket create_socket_perms;
allow abrt_t self:netlink_route_socket r_netlink_socket_perms;
# abrt etc files
@@ -20849,7 +21076,7 @@ index 30861ec..e96a565 100644
rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
# log file
-@@ -69,6 +126,7 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file)
+@@ -69,6 +119,7 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file)
manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
@@ -20857,7 +21084,7 @@ index 30861ec..e96a565 100644
# abrt var/cache files
manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
-@@ -82,10 +140,9 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
+@@ -82,10 +133,9 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
@@ -20869,7 +21096,7 @@ index 30861ec..e96a565 100644
kernel_rw_kernel_sysctl(abrt_t)
corecmd_exec_bin(abrt_t)
-@@ -104,6 +161,7 @@ corenet_tcp_connect_all_ports(abrt_t)
+@@ -104,6 +154,7 @@ corenet_tcp_connect_all_ports(abrt_t)
corenet_sendrecv_http_client_packets(abrt_t)
dev_getattr_all_chr_files(abrt_t)
@@ -20877,7 +21104,7 @@ index 30861ec..e96a565 100644
dev_read_urand(abrt_t)
dev_rw_sysfs(abrt_t)
dev_dontaudit_read_raw_memory(abrt_t)
-@@ -113,7 +171,8 @@ domain_read_all_domains_state(abrt_t)
+@@ -113,7 +164,8 @@ domain_read_all_domains_state(abrt_t)
domain_signull_all_domains(abrt_t)
files_getattr_all_files(abrt_t)
@@ -20887,7 +21114,7 @@ index 30861ec..e96a565 100644
files_read_var_symlinks(abrt_t)
files_read_var_lib_files(abrt_t)
files_read_usr_files(abrt_t)
-@@ -121,6 +180,8 @@ files_read_generic_tmp_files(abrt_t)
+@@ -121,6 +173,8 @@ files_read_generic_tmp_files(abrt_t)
files_read_kernel_modules(abrt_t)
files_dontaudit_list_default(abrt_t)
files_dontaudit_read_default_files(abrt_t)
@@ -20896,7 +21123,7 @@ index 30861ec..e96a565 100644
fs_list_inotifyfs(abrt_t)
fs_getattr_all_fs(abrt_t)
-@@ -131,15 +192,23 @@ fs_read_nfs_files(abrt_t)
+@@ -131,15 +185,23 @@ fs_read_nfs_files(abrt_t)
fs_read_nfs_symlinks(abrt_t)
fs_search_all(abrt_t)
@@ -20923,7 +21150,7 @@ index 30861ec..e96a565 100644
optional_policy(`
dbus_system_domain(abrt_t, abrt_exec_t)
-@@ -150,6 +219,11 @@ optional_policy(`
+@@ -150,6 +212,11 @@ optional_policy(`
')
optional_policy(`
@@ -20935,7 +21162,7 @@ index 30861ec..e96a565 100644
policykit_dbus_chat(abrt_t)
policykit_domtrans_auth(abrt_t)
policykit_read_lib(abrt_t)
-@@ -167,6 +241,7 @@ optional_policy(`
+@@ -167,6 +234,7 @@ optional_policy(`
rpm_exec(abrt_t)
rpm_dontaudit_manage_db(abrt_t)
rpm_manage_cache(abrt_t)
@@ -20943,7 +21170,7 @@ index 30861ec..e96a565 100644
rpm_manage_pid_files(abrt_t)
rpm_read_db(abrt_t)
rpm_signull(abrt_t)
-@@ -178,12 +253,35 @@ optional_policy(`
+@@ -178,12 +246,35 @@ optional_policy(`
')
optional_policy(`
@@ -20980,7 +21207,7 @@ index 30861ec..e96a565 100644
#
allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -200,23 +298,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
+@@ -200,23 +291,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
@@ -21009,7 +21236,7 @@ index 30861ec..e96a565 100644
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -224,4 +321,126 @@ ifdef(`hide_broken_symptoms', `
+@@ -224,4 +314,126 @@ ifdef(`hide_broken_symptoms', `
dev_dontaudit_write_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_blk_files(abrt_helper_t)
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -21027,7 +21254,7 @@ index 30861ec..e96a565 100644
+ allow abrt_t self:capability sys_resource;
+ allow abrt_t domain:file write;
+ allow abrt_t domain:process setrlimit;
- ')
++')
+
+#######################################
+#
@@ -21095,7 +21322,7 @@ index 30861ec..e96a565 100644
+
+optional_policy(`
+ mock_domtrans(abrt_retrace_worker_t)
-+')
+ ')
+
+########################################
+#
@@ -22333,7 +22560,7 @@ index 6480167..13d57b7 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 3136c6a..9b19325 100644
+index 3136c6a..ee04348 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -18,130 +18,195 @@ policy_module(apache, 2.2.1)
@@ -22645,7 +22872,7 @@ index 3136c6a..9b19325 100644
typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
-@@ -254,14 +337,25 @@ files_type(httpd_var_lib_t)
+@@ -254,14 +337,23 @@ files_type(httpd_var_lib_t)
type httpd_var_run_t;
files_pid_file(httpd_var_run_t)
@@ -22666,12 +22893,10 @@ index 3136c6a..9b19325 100644
+application_domain(httpd_passwd_t, httpd_passwd_exec_t)
+role system_r types httpd_passwd_t;
+
-+permissive httpd_passwd_t;
-+
########################################
#
# Apache server local policy
-@@ -281,11 +375,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -281,11 +373,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow httpd_t self:tcp_socket create_stream_socket_perms;
allow httpd_t self:udp_socket create_socket_perms;
@@ -22685,7 +22910,7 @@ index 3136c6a..9b19325 100644
# Allow the httpd_t to read the web servers config files
allow httpd_t httpd_config_t:dir list_dir_perms;
-@@ -329,8 +425,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
+@@ -329,8 +423,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
@@ -22696,7 +22921,7 @@ index 3136c6a..9b19325 100644
manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
-@@ -355,6 +452,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -355,6 +450,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
kernel_read_kernel_sysctls(httpd_t)
# for modules that want to access /proc/meminfo
kernel_read_system_state(httpd_t)
@@ -22706,7 +22931,7 @@ index 3136c6a..9b19325 100644
corenet_all_recvfrom_unlabeled(httpd_t)
corenet_all_recvfrom_netlabel(httpd_t)
-@@ -365,11 +465,15 @@ corenet_udp_sendrecv_generic_node(httpd_t)
+@@ -365,11 +463,15 @@ corenet_udp_sendrecv_generic_node(httpd_t)
corenet_tcp_sendrecv_all_ports(httpd_t)
corenet_udp_sendrecv_all_ports(httpd_t)
corenet_tcp_bind_generic_node(httpd_t)
@@ -22723,7 +22948,7 @@ index 3136c6a..9b19325 100644
dev_read_sysfs(httpd_t)
dev_read_rand(httpd_t)
-@@ -378,12 +482,12 @@ dev_rw_crypto(httpd_t)
+@@ -378,12 +480,12 @@ dev_rw_crypto(httpd_t)
fs_getattr_all_fs(httpd_t)
fs_search_auto_mountpoints(httpd_t)
@@ -22739,7 +22964,7 @@ index 3136c6a..9b19325 100644
domain_use_interactive_fds(httpd_t)
-@@ -391,6 +495,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
+@@ -391,6 +493,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
files_read_usr_files(httpd_t)
files_list_mnt(httpd_t)
files_search_spool(httpd_t)
@@ -22747,7 +22972,7 @@ index 3136c6a..9b19325 100644
files_read_var_lib_files(httpd_t)
files_search_home(httpd_t)
files_getattr_home_dir(httpd_t)
-@@ -402,9 +507,20 @@ files_read_etc_files(httpd_t)
+@@ -402,9 +505,20 @@ files_read_etc_files(httpd_t)
files_read_var_lib_symlinks(httpd_t)
fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -22768,7 +22993,7 @@ index 3136c6a..9b19325 100644
logging_send_syslog_msg(httpd_t)
miscfiles_read_localization(httpd_t)
-@@ -416,34 +532,74 @@ seutil_dontaudit_search_config(httpd_t)
+@@ -416,34 +530,74 @@ seutil_dontaudit_search_config(httpd_t)
userdom_use_unpriv_users_fds(httpd_t)
@@ -22845,7 +23070,7 @@ index 3136c6a..9b19325 100644
')
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -456,6 +612,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -456,6 +610,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
@@ -22856,7 +23081,7 @@ index 3136c6a..9b19325 100644
manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
-@@ -466,15 +626,27 @@ tunable_policy(`httpd_enable_ftp_server',`
+@@ -466,15 +624,27 @@ tunable_policy(`httpd_enable_ftp_server',`
corenet_tcp_bind_ftp_port(httpd_t)
')
@@ -22886,7 +23111,7 @@ index 3136c6a..9b19325 100644
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_t)
fs_read_cifs_symlinks(httpd_t)
-@@ -484,7 +656,16 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -484,7 +654,16 @@ tunable_policy(`httpd_can_sendmail',`
# allow httpd to connect to mail servers
corenet_tcp_connect_smtp_port(httpd_t)
corenet_sendrecv_smtp_client_packets(httpd_t)
@@ -22903,7 +23128,7 @@ index 3136c6a..9b19325 100644
')
tunable_policy(`httpd_ssi_exec',`
-@@ -499,9 +680,19 @@ tunable_policy(`httpd_ssi_exec',`
+@@ -499,9 +678,19 @@ tunable_policy(`httpd_ssi_exec',`
# to run correctly without this permission, so the permission
# are dontaudited here.
tunable_policy(`httpd_tty_comm',`
@@ -22924,7 +23149,7 @@ index 3136c6a..9b19325 100644
')
optional_policy(`
-@@ -513,7 +704,13 @@ optional_policy(`
+@@ -513,7 +702,13 @@ optional_policy(`
')
optional_policy(`
@@ -22939,7 +23164,7 @@ index 3136c6a..9b19325 100644
')
optional_policy(`
-@@ -528,7 +725,19 @@ optional_policy(`
+@@ -528,7 +723,19 @@ optional_policy(`
daemontools_service_domain(httpd_t, httpd_exec_t)
')
@@ -22960,7 +23185,7 @@ index 3136c6a..9b19325 100644
dbus_system_bus_client(httpd_t)
tunable_policy(`httpd_dbus_avahi',`
-@@ -537,8 +746,13 @@ optional_policy(`
+@@ -537,8 +744,13 @@ optional_policy(`
')
optional_policy(`
@@ -22975,7 +23200,7 @@ index 3136c6a..9b19325 100644
')
')
-@@ -556,7 +770,13 @@ optional_policy(`
+@@ -556,7 +768,13 @@ optional_policy(`
')
optional_policy(`
@@ -22989,7 +23214,7 @@ index 3136c6a..9b19325 100644
mysql_stream_connect(httpd_t)
mysql_rw_db_sockets(httpd_t)
-@@ -567,6 +787,7 @@ optional_policy(`
+@@ -567,6 +785,7 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
@@ -22997,7 +23222,7 @@ index 3136c6a..9b19325 100644
')
optional_policy(`
-@@ -577,6 +798,20 @@ optional_policy(`
+@@ -577,6 +796,20 @@ optional_policy(`
')
optional_policy(`
@@ -23018,7 +23243,7 @@ index 3136c6a..9b19325 100644
# Allow httpd to work with postgresql
postgresql_stream_connect(httpd_t)
postgresql_unpriv_client(httpd_t)
-@@ -591,6 +826,11 @@ optional_policy(`
+@@ -591,6 +824,11 @@ optional_policy(`
')
optional_policy(`
@@ -23030,7 +23255,7 @@ index 3136c6a..9b19325 100644
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -603,6 +843,12 @@ optional_policy(`
+@@ -603,6 +841,12 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -23043,7 +23268,7 @@ index 3136c6a..9b19325 100644
########################################
#
# Apache helper local policy
-@@ -616,7 +862,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
+@@ -616,7 +860,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
logging_send_syslog_msg(httpd_helper_t)
@@ -23056,7 +23281,7 @@ index 3136c6a..9b19325 100644
########################################
#
-@@ -654,28 +904,30 @@ libs_exec_lib_files(httpd_php_t)
+@@ -654,28 +902,30 @@ libs_exec_lib_files(httpd_php_t)
userdom_use_unpriv_users_fds(httpd_php_t)
tunable_policy(`httpd_can_network_connect_db',`
@@ -23100,7 +23325,7 @@ index 3136c6a..9b19325 100644
')
########################################
-@@ -685,6 +937,8 @@ optional_policy(`
+@@ -685,6 +935,8 @@ optional_policy(`
allow httpd_suexec_t self:capability { setuid setgid };
allow httpd_suexec_t self:process signal_perms;
@@ -23109,7 +23334,7 @@ index 3136c6a..9b19325 100644
allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-@@ -699,17 +953,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -699,17 +951,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@@ -23135,7 +23360,7 @@ index 3136c6a..9b19325 100644
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
-@@ -740,13 +999,31 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -740,13 +997,31 @@ tunable_policy(`httpd_can_network_connect',`
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
@@ -23168,7 +23393,7 @@ index 3136c6a..9b19325 100644
fs_read_nfs_files(httpd_suexec_t)
fs_read_nfs_symlinks(httpd_suexec_t)
fs_exec_nfs_files(httpd_suexec_t)
-@@ -769,6 +1046,25 @@ optional_policy(`
+@@ -769,6 +1044,25 @@ optional_policy(`
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -23194,7 +23419,7 @@ index 3136c6a..9b19325 100644
########################################
#
# Apache system script local policy
-@@ -789,12 +1085,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+@@ -789,12 +1083,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
kernel_read_kernel_sysctls(httpd_sys_script_t)
@@ -23212,7 +23437,7 @@ index 3136c6a..9b19325 100644
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
-@@ -803,18 +1104,50 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -803,18 +1102,50 @@ tunable_policy(`httpd_can_sendmail',`
mta_send_mail(httpd_sys_script_t)
')
@@ -23269,7 +23494,7 @@ index 3136c6a..9b19325 100644
corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
corenet_tcp_connect_all_ports(httpd_sys_script_t)
-@@ -822,14 +1155,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -822,14 +1153,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
')
tunable_policy(`httpd_enable_homedirs',`
@@ -23300,7 +23525,7 @@ index 3136c6a..9b19325 100644
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,10 +1190,20 @@ optional_policy(`
+@@ -842,10 +1188,20 @@ optional_policy(`
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -23321,7 +23546,7 @@ index 3136c6a..9b19325 100644
')
########################################
-@@ -891,11 +1249,48 @@ optional_policy(`
+@@ -891,11 +1247,48 @@ optional_policy(`
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -23446,7 +23671,7 @@ index 1ea99b2..9427dd5 100644
+ stream_connect_pattern($1, apmd_var_run_t, apmd_var_run_t, apmd_t)
')
diff --git a/policy/modules/services/apm.te b/policy/modules/services/apm.te
-index 1c8c27e..4ae8a51 100644
+index 1c8c27e..21b91de 100644
--- a/policy/modules/services/apm.te
+++ b/policy/modules/services/apm.te
@@ -4,6 +4,7 @@ policy_module(apm, 1.11.0)
@@ -23552,19 +23777,17 @@ index 1c8c27e..4ae8a51 100644
')
optional_policy(`
-@@ -218,9 +232,9 @@ optional_policy(`
- udev_read_state(apmd_t) #necessary?
+@@ -219,10 +233,6 @@ optional_policy(`
')
--optional_policy(`
+ optional_policy(`
- unconfined_domain(apmd_t)
-')
-+#optional_policy(`
-+# unconfined_domain(apmd_t)
-+#')
-
- optional_policy(`
+-
+-optional_policy(`
vbetool_domtrans(apmd_t)
+ ')
+
diff --git a/policy/modules/services/arpwatch.if b/policy/modules/services/arpwatch.if
index c804110..bdefbe1 100644
--- a/policy/modules/services/arpwatch.if
@@ -25272,10 +25495,10 @@ index 0000000..564acbd
+')
diff --git a/policy/modules/services/callweaver.te b/policy/modules/services/callweaver.te
new file mode 100644
-index 0000000..a7c96a5
+index 0000000..4cfc9f8
--- /dev/null
+++ b/policy/modules/services/callweaver.te
-@@ -0,0 +1,79 @@
+@@ -0,0 +1,77 @@
+policy_module(callweaver,1.0.0)
+
+########################################
@@ -25287,8 +25510,6 @@ index 0000000..a7c96a5
+type callweaver_exec_t;
+init_daemon_domain(callweaver_t, callweaver_exec_t)
+
-+permissive callweaver_t;
-+
+type callweaver_initrc_exec_t;
+init_script_file(callweaver_initrc_exec_t)
+
@@ -25674,10 +25895,10 @@ index 0000000..12fe9ce
+
diff --git a/policy/modules/services/cfengine.te b/policy/modules/services/cfengine.te
new file mode 100644
-index 0000000..db2ac2d
+index 0000000..1ba0484
--- /dev/null
+++ b/policy/modules/services/cfengine.te
-@@ -0,0 +1,133 @@
+@@ -0,0 +1,127 @@
+policy_module(cfengine, 1.0.0)
+
+########################################
@@ -25689,8 +25910,6 @@ index 0000000..db2ac2d
+type cfengine_serverd_exec_t;
+init_daemon_domain(cfengine_serverd_t, cfengine_serverd_exec_t)
+
-+permissive cfengine_serverd_t;
-+
+type cfengine_initrc_exec_t;
+init_script_file(cfengine_initrc_exec_t)
+
@@ -25701,14 +25920,10 @@ index 0000000..db2ac2d
+type cfengine_execd_exec_t;
+init_daemon_domain(cfengine_execd_t, cfengine_execd_exec_t)
+
-+permissive cfengine_execd_t;
-+
+type cfengine_monitord_t;
+type cfengine_monitord_exec_t;
+init_daemon_domain(cfengine_monitord_t, cfengine_monitord_exec_t)
+
-+permissive cfengine_monitord_t;
-+
+########################################
+#
+# cfengine-server local policy
@@ -25894,14 +26109,14 @@ index dad226c..7617c53 100644
miscfiles_read_localization(cgred_t)
diff --git a/policy/modules/services/chronyd.fc b/policy/modules/services/chronyd.fc
-index fd8cd0b..46678a2 100644
+index fd8cd0b..3d61138 100644
--- a/policy/modules/services/chronyd.fc
+++ b/policy/modules/services/chronyd.fc
@@ -2,8 +2,12 @@
/etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0)
-+/lib/systemd/system/chonyd\.service -- gen_context(system_u:object_r:chronyd_unit_t,s0)
++/lib/systemd/system/chronyd.* -- gen_context(system_u:object_r:chronyd_unit_t,s0)
+
/usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0)
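Review bot: The replacement file context `/lib/systemd/system/chronyd.*` fixes the `chonyd` typo, but the unanchored `.*` matches every path under /lib/systemd/system that begins with `chronyd`, including anything below a `chronyd.service.d/` drop-in directory, and with `--` it labels all of it chronyd_unit_t. If only the unit file is meant, `/lib/systemd/system/chronyd\.service -- gen_context(system_u:object_r:chronyd_unit_t,s0)` is the narrower spelling; if the wider match is intentional, a short comment above the line saying so would stop the next reader from "fixing" it back.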
@@ -25911,7 +26126,7 @@ index fd8cd0b..46678a2 100644
+/var/run/chronyd(/.*) gen_context(system_u:object_r:chronyd_var_run_t,s0)
+/var/run/chronyd\.sock gen_context(system_u:object_r:chronyd_var_run_t,s0)
diff --git a/policy/modules/services/chronyd.if b/policy/modules/services/chronyd.if
-index 9a0da94..f599a70 100644
+index 9a0da94..6a9d3d8 100644
--- a/policy/modules/services/chronyd.if
+++ b/policy/modules/services/chronyd.if
@@ -19,6 +19,24 @@ interface(`chronyd_domtrans',`
@@ -25939,7 +26154,7 @@ index 9a0da94..f599a70 100644
####################################
## <summary>
## Execute chronyd
-@@ -56,6 +74,103 @@ interface(`chronyd_read_log',`
+@@ -56,6 +74,122 @@ interface(`chronyd_read_log',`
read_files_pattern($1, chronyd_var_log_t, chronyd_var_log_t)
')
@@ -26040,10 +26255,29 @@ index 9a0da94..f599a70 100644
+ stream_connect_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t)
+')
+
++########################################
++## <summary>
++## Send to chronyd over a unix domain
++## datagram socket.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`chronyd_dgram_send',`
++ gen_require(`
++ type chronyd_t;
++ ')
++
++ allow $1 chronyd_t:unix_dgram_socket sendto;
++')
++
####################################
## <summary>
## All of the rules required to administrate
-@@ -75,9 +190,9 @@ interface(`chronyd_read_log',`
+@@ -75,9 +209,9 @@ interface(`chronyd_read_log',`
#
interface(`chronyd_admin',`
gen_require(`
@@ -26056,7 +26290,7 @@ index 9a0da94..f599a70 100644
')
allow $1 chronyd_t:process { ptrace signal_perms };
-@@ -88,18 +203,19 @@ interface(`chronyd_admin',`
+@@ -88,18 +222,19 @@ interface(`chronyd_admin',`
role_transition $2 chronyd_initrc_exec_t system_r;
allow $2 system_r;
@@ -27119,10 +27353,10 @@ index 0000000..ed13d1e
+
diff --git a/policy/modules/services/collectd.te b/policy/modules/services/collectd.te
new file mode 100644
-index 0000000..2dfd363
+index 0000000..207f706
--- /dev/null
+++ b/policy/modules/services/collectd.te
-@@ -0,0 +1,60 @@
+@@ -0,0 +1,57 @@
+policy_module(collectd, 1.0.0)
+
+########################################
@@ -27134,8 +27368,6 @@ index 0000000..2dfd363
+type collectd_exec_t;
+init_daemon_domain(collectd_t, collectd_exec_t)
+
-+permissive collectd_t;
-+
+type collectd_initrc_exec_t;
+init_script_file(collectd_initrc_exec_t)
+
@@ -27178,7 +27410,6 @@ index 0000000..2dfd363
+
+optional_policy(`
+ apache_content_template(collectd)
-+ permissive httpd_collectd_script_t;
+
+ miscfiles_setattr_fonts_cache_dirs(httpd_collectd_script_t)
+')
@@ -28950,10 +29181,10 @@ index 0000000..1c3a90b
+
diff --git a/policy/modules/services/ctdbd.te b/policy/modules/services/ctdbd.te
new file mode 100644
-index 0000000..758f972
+index 0000000..e6042d9
--- /dev/null
+++ b/policy/modules/services/ctdbd.te
-@@ -0,0 +1,115 @@
+@@ -0,0 +1,113 @@
+policy_module(ctdbd, 1.0.0)
+
+########################################
@@ -28965,8 +29196,6 @@ index 0000000..758f972
+type ctdbd_exec_t;
+init_daemon_domain(ctdbd_t, ctdbd_exec_t)
+
-+permissive ctdbd_t;
-+
+type ctdbd_initrc_exec_t;
+init_script_file(ctdbd_initrc_exec_t)
+
@@ -30591,7 +30820,7 @@ index f706b99..13d3a35 100644
+ files_list_pids($1)
')
diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
-index f231f17..4506fa3 100644
+index f231f17..5a06fc7 100644
--- a/policy/modules/services/devicekit.te
+++ b/policy/modules/services/devicekit.te
@@ -26,6 +26,9 @@ files_pid_file(devicekit_var_run_t)
@@ -30658,11 +30887,11 @@ index f231f17..4506fa3 100644
virt_manage_images(devicekit_disk_t)
')
-+#optional_policy(`
-+# unconfined_domain(devicekit_t)
-+# unconfined_domain(devicekit_power_t)
-+# unconfined_domain(devicekit_disk_t)
-+#')
++optional_policy(`
++ unconfined_domain(devicekit_t)
++ unconfined_domain(devicekit_power_t)
++ unconfined_domain(devicekit_disk_t)
++')
+
########################################
#
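Review bot: This hunk turns the previously commented-out block into live `optional_policy(` / `unconfined_domain(devicekit_t)` / `unconfined_domain(devicekit_power_t)` / `unconfined_domain(devicekit_disk_t)` rules, which is not mentioned anywhere in the commit message and runs opposite to the apm.te hunk earlier in this patch, where the unconfined_domain(apmd_t) block is removed outright. unconfined_domain() exempts these three daemons from nearly all type enforcement whenever the unconfined module is loaded, so the reason and the exit condition should be recorded next to the rules, e.g. `# confined policy incomplete, see <BUG-ID placeholder>; drop once the outstanding denials are fixed`. If the activation was accidental (the old lines were clearly parked as comments), the earlier commented form is the safer state to ship.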
@@ -32681,10 +32910,10 @@ index 0000000..d7a7118
+')
diff --git a/policy/modules/services/dspam.te b/policy/modules/services/dspam.te
new file mode 100644
-index 0000000..66e9629
+index 0000000..d409571
--- /dev/null
+++ b/policy/modules/services/dspam.te
-@@ -0,0 +1,97 @@
+@@ -0,0 +1,95 @@
+
+policy_module(dspam, 1.0.0)
+
@@ -32697,8 +32926,6 @@ index 0000000..66e9629
+type dspam_exec_t;
+init_daemon_domain(dspam_t, dspam_exec_t)
+
-+permissive dspam_t;
-+
+type dspam_initrc_exec_t;
+init_script_file(dspam_initrc_exec_t)
+
@@ -33099,10 +33326,10 @@ index f590a1f..338e5bf 100644
+ admin_pattern($1, fail2ban_tmp_t)
')
diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te
-index 2a69e5e..7b33bda 100644
+index 2a69e5e..35a2c0b 100644
--- a/policy/modules/services/fail2ban.te
+++ b/policy/modules/services/fail2ban.te
-@@ -23,12 +23,22 @@ files_type(fail2ban_var_lib_t)
+@@ -23,12 +23,19 @@ files_type(fail2ban_var_lib_t)
type fail2ban_var_run_t;
files_pid_file(fail2ban_var_run_t)
@@ -33113,9 +33340,6 @@ index 2a69e5e..7b33bda 100644
+type fail2ban_client_exec_t;
+init_daemon_domain(fail2ban_client_t, fail2ban_client_exec_t)
+
-+# new in F16
-+permissive fail2ban_client_t;
-+
########################################
#
-# fail2ban local policy
@@ -33127,7 +33351,7 @@ index 2a69e5e..7b33bda 100644
allow fail2ban_t self:process signal;
allow fail2ban_t self:fifo_file rw_fifo_file_perms;
allow fail2ban_t self:unix_stream_socket { connectto create_stream_socket_perms };
-@@ -36,7 +46,7 @@ allow fail2ban_t self:unix_dgram_socket create_socket_perms;
+@@ -36,7 +43,7 @@ allow fail2ban_t self:unix_dgram_socket create_socket_perms;
allow fail2ban_t self:tcp_socket create_stream_socket_perms;
# log files
@@ -33136,7 +33360,7 @@ index 2a69e5e..7b33bda 100644
manage_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
logging_log_filetrans(fail2ban_t, fail2ban_log_t, file)
-@@ -50,6 +60,11 @@ manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
+@@ -50,6 +57,11 @@ manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
manage_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, { dir file sock_file })
@@ -33148,7 +33372,7 @@ index 2a69e5e..7b33bda 100644
kernel_read_system_state(fail2ban_t)
corecmd_exec_bin(fail2ban_t)
-@@ -66,6 +81,7 @@ corenet_sendrecv_whois_client_packets(fail2ban_t)
+@@ -66,6 +78,7 @@ corenet_sendrecv_whois_client_packets(fail2ban_t)
dev_read_urand(fail2ban_t)
domain_use_interactive_fds(fail2ban_t)
@@ -33156,7 +33380,7 @@ index 2a69e5e..7b33bda 100644
files_read_etc_files(fail2ban_t)
files_read_etc_runtime_files(fail2ban_t)
-@@ -94,5 +110,34 @@ optional_policy(`
+@@ -94,5 +107,34 @@ optional_policy(`
')
optional_policy(`
@@ -33301,10 +33525,10 @@ index 0000000..d827274
+
diff --git a/policy/modules/services/fcoemon.te b/policy/modules/services/fcoemon.te
new file mode 100644
-index 0000000..eb4be44
+index 0000000..1f39a80
--- /dev/null
+++ b/policy/modules/services/fcoemon.te
-@@ -0,0 +1,48 @@
+@@ -0,0 +1,46 @@
+policy_module(fcoemon, 1.0.0)
+
+########################################
@@ -33316,8 +33540,6 @@ index 0000000..eb4be44
+type fcoemon_exec_t;
+init_daemon_domain(fcoemon_t, fcoemon_exec_t)
+
-+permissive fcoemon_t;
-+
+type fcoemon_var_run_t;
+files_pid_file(fcoemon_var_run_t)
+
@@ -34731,15 +34953,14 @@ index 671d8fd..25c7ab8 100644
+ dontaudit gnomeclock_t $1:dbus send_msg;
+')
diff --git a/policy/modules/services/gnomeclock.te b/policy/modules/services/gnomeclock.te
-index 4fde46b..983ab3e 100644
+index 4fde46b..ab59945 100644
--- a/policy/modules/services/gnomeclock.te
+++ b/policy/modules/services/gnomeclock.te
-@@ -9,24 +9,32 @@ type gnomeclock_t;
+@@ -9,24 +9,31 @@ type gnomeclock_t;
type gnomeclock_exec_t;
dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
+systemd_systemctl_domain(gnomeclock)
-+permissive gnomeclock_systemctl_t;
+
########################################
#
@@ -34770,7 +34991,7 @@ index 4fde46b..983ab3e 100644
miscfiles_read_localization(gnomeclock_t)
miscfiles_manage_localization(gnomeclock_t)
-@@ -35,12 +43,52 @@ miscfiles_etc_filetrans_localization(gnomeclock_t)
+@@ -35,12 +42,52 @@ miscfiles_etc_filetrans_localization(gnomeclock_t)
userdom_read_all_users_state(gnomeclock_t)
optional_policy(`
@@ -34885,7 +35106,7 @@ index a627b34..c4cfc6d 100644
optional_policy(`
seutil_sigchld_newrole(gpm_t)
diff --git a/policy/modules/services/gpsd.te b/policy/modules/services/gpsd.te
-index 03742d8..6ba7c74 100644
+index 03742d8..d9232fe 100644
--- a/policy/modules/services/gpsd.te
+++ b/policy/modules/services/gpsd.te
@@ -24,8 +24,8 @@ files_pid_file(gpsd_var_run_t)
@@ -34899,7 +35120,14 @@ index 03742d8..6ba7c74 100644
allow gpsd_t self:shm create_shm_perms;
allow gpsd_t self:unix_dgram_socket { create_socket_perms sendto };
allow gpsd_t self:tcp_socket create_stream_socket_perms;
-@@ -43,9 +43,13 @@ corenet_all_recvfrom_netlabel(gpsd_t)
+@@ -38,14 +38,21 @@ manage_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t)
+ manage_sock_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t)
+ files_pid_filetrans(gpsd_t, gpsd_var_run_t, { file sock_file })
+
++kernel_list_proc(gpsd_t)
++
+ corenet_all_recvfrom_unlabeled(gpsd_t)
+ corenet_all_recvfrom_netlabel(gpsd_t)
corenet_tcp_sendrecv_generic_if(gpsd_t)
corenet_tcp_sendrecv_generic_node(gpsd_t)
corenet_tcp_sendrecv_all_ports(gpsd_t)
@@ -34908,18 +35136,20 @@ index 03742d8..6ba7c74 100644
corenet_tcp_bind_gpsd_port(gpsd_t)
+dev_read_sysfs(gpsd_t)
++dev_rw_realtime_clock(gpsd_t)
+
+domain_dontaudit_read_all_domains_state(gpsd_t)
+
term_use_unallocated_ttys(gpsd_t)
term_setattr_unallocated_ttys(gpsd_t)
-@@ -56,6 +60,11 @@ logging_send_syslog_msg(gpsd_t)
+@@ -56,6 +63,12 @@ logging_send_syslog_msg(gpsd_t)
miscfiles_read_localization(gpsd_t)
optional_policy(`
+ chronyd_rw_shm(gpsd_t)
+ chronyd_stream_connect(gpsd_t)
++ chronyd_dgram_send(gpsd_t)
+')
+
+optional_policy(`
@@ -35377,10 +35607,15 @@ index 87b4531..db2d189 100644
+ files_list_etc($1)
')
diff --git a/policy/modules/services/hddtemp.te b/policy/modules/services/hddtemp.te
-index c234b32..32f1b6d 100644
+index c234b32..6c0a73d 100644
--- a/policy/modules/services/hddtemp.te
+++ b/policy/modules/services/hddtemp.te
-@@ -42,8 +42,12 @@ files_search_etc(hddtemp_t)
+@@ -38,12 +38,16 @@ corenet_tcp_bind_hddtemp_port(hddtemp_t)
+ corenet_sendrecv_hddtemp_server_packets(hddtemp_t)
+ corenet_tcp_sendrecv_hddtemp_port(hddtemp_t)
+
+-files_search_etc(hddtemp_t)
++files_read_etc_files(hddtemp_t)
files_read_usr_files(hddtemp_t)
storage_raw_read_fixed_disk(hddtemp_t)
@@ -35954,10 +36189,10 @@ index 9878499..81fcd0f 100644
- admin_pattern($1, jabberd_var_run_t)
')
diff --git a/policy/modules/services/jabber.te b/policy/modules/services/jabber.te
-index da2127e..6538d66 100644
+index da2127e..a666df2 100644
--- a/policy/modules/services/jabber.te
+++ b/policy/modules/services/jabber.te
-@@ -5,90 +5,152 @@ policy_module(jabber, 1.8.0)
+@@ -5,90 +5,150 @@ policy_module(jabber, 1.8.0)
# Declarations
#
@@ -35969,8 +36204,6 @@ index da2127e..6538d66 100644
+jabber_domain_template(jabberd)
+jabber_domain_template(jabberd_router)
+jabber_domain_template(pyicqt)
-+
-+permissive pyicqt_t;
type jabberd_initrc_exec_t;
init_script_file(jabberd_initrc_exec_t)
@@ -36043,15 +36276,15 @@ index da2127e..6538d66 100644
+corenet_tcp_connect_jabber_router_port(jabberd_router_t)
+corenet_sendrecv_jabber_router_server_packets(jabberd_router_t)
+corenet_sendrecv_jabber_client_server_packets(jabberd_router_t)
++
++fs_getattr_all_fs(jabberd_router_t)
-dev_read_sysfs(jabberd_t)
-# For SSL
-dev_read_rand(jabberd_t)
-+fs_getattr_all_fs(jabberd_router_t)
++miscfiles_read_generic_certs(jabberd_router_t)
-domain_use_interactive_fds(jabberd_t)
-+miscfiles_read_generic_certs(jabberd_router_t)
-+
+optional_policy(`
+ kerberos_use(jabberd_router_t)
+')
@@ -36091,8 +36324,8 @@ index da2127e..6538d66 100644
optional_policy(`
- seutil_sigchld_newrole(jabberd_t)
+ udev_read_db(jabberd_t)
-+')
-+
+ ')
+
+######################################
+#
+# Local policy for pyicq-t
@@ -36125,15 +36358,15 @@ index da2127e..6538d66 100644
+libs_use_shared_libs(pyicqt_t)
+
+# needed for pyicq-t-mysql
-+optional_policy(`
-+ corenet_tcp_connect_mysqld_port(pyicqt_t)
- ')
-
optional_policy(`
- udev_read_db(jabberd_t)
-+ sysnet_use_ldap(pyicqt_t)
++ corenet_tcp_connect_mysqld_port(pyicqt_t)
')
+
++optional_policy(`
++ sysnet_use_ldap(pyicqt_t)
++')
++
+#######################################
+#
+# Local policy for jabberd domains
@@ -36944,10 +37177,10 @@ index 0000000..5783d58
+
diff --git a/policy/modules/services/l2tpd.te b/policy/modules/services/l2tpd.te
new file mode 100644
-index 0000000..02359ec
+index 0000000..4aac893
--- /dev/null
+++ b/policy/modules/services/l2tpd.te
-@@ -0,0 +1,58 @@
+@@ -0,0 +1,56 @@
+policy_module(l2tpd, 1.0.0)
+
+########################################
@@ -36959,8 +37192,6 @@ index 0000000..02359ec
+type l2tpd_exec_t;
+init_daemon_domain(l2tpd_t, l2tpd_exec_t)
+
-+permissive l2tpd_t;
-+
+type l2tpd_initrc_exec_t;
+init_script_file(l2tpd_initrc_exec_t)
+
@@ -37472,10 +37703,10 @@ index 0000000..9d1bac3
+
diff --git a/policy/modules/services/lldpad.te b/policy/modules/services/lldpad.te
new file mode 100644
-index 0000000..b5ba929
+index 0000000..b7f4268
--- /dev/null
+++ b/policy/modules/services/lldpad.te
-@@ -0,0 +1,70 @@
+@@ -0,0 +1,72 @@
+policy_module(lldpad, 1.0.0)
+
+########################################
@@ -37487,8 +37718,6 @@ index 0000000..b5ba929
+type lldpad_exec_t;
+init_daemon_domain(lldpad_t, lldpad_exec_t)
+
-+permissive lldpad_t;
-+
+type lldpad_initrc_exec_t;
+init_script_file(lldpad_initrc_exec_t)
+
@@ -37507,6 +37736,10 @@ index 0000000..b5ba929
+#
+
+allow lldpad_t self:capability { net_admin net_raw };
++ifdef(`hide_broken_symptoms',`
++ # caused by some bogus kernel code
++ dontaudit lldpad_t self:capability sys_module;
++')
+
+allow lldpad_t self:shm create_shm_perms;
+allow lldpad_t self:fifo_file rw_fifo_file_perms;
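Review bot: The new `dontaudit lldpad_t self:capability sys_module;` is explained only as `# caused by some bogus kernel code`, which gives nobody a way to decide later whether the rule is still needed. Record what triggers the CAP_SYS_MODULE check and where it is tracked, e.g. `# kernel asks for CAP_SYS_MODULE on <operation placeholder>; tracked in <BUG-ID placeholder>; dontaudit only, never allow`. Guarding it with hide_broken_symptoms and keeping it a dontaudit rather than an allow is the right shape: the capability stays denied, only the noise is suppressed.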
@@ -37899,10 +38132,10 @@ index 0000000..39c12cb
+')
diff --git a/policy/modules/services/mailscanner.te b/policy/modules/services/mailscanner.te
new file mode 100644
-index 0000000..b1cf109
+index 0000000..5b84980
--- /dev/null
+++ b/policy/modules/services/mailscanner.te
-@@ -0,0 +1,90 @@
+@@ -0,0 +1,87 @@
+policy_module(mailscanner, 1.0.0)
+
+########################################
@@ -37926,9 +38159,6 @@ index 0000000..b1cf109
+type mscan_var_run_t;
+files_pid_file(mscan_var_run_t)
+
-+# New in F16
-+permissive mscan_t;
-+
+########################################
+#
+# Local policy
@@ -39629,7 +39859,7 @@ index 343cee3..f8c4fb6 100644
+ mta_filetrans_admin_home_content($1)
+')
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
-index 64268e4..cdcf4c7 100644
+index 64268e4..8d3091f 100644
--- a/policy/modules/services/mta.te
+++ b/policy/modules/services/mta.te
@@ -20,14 +20,16 @@ files_type(etc_aliases_t)
@@ -39751,7 +39981,7 @@ index 64268e4..cdcf4c7 100644
nagios_read_tmp_files(system_mail_t)
')
-@@ -158,18 +165,6 @@ optional_policy(`
+@@ -158,22 +165,13 @@ optional_policy(`
files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
domain_use_interactive_fds(system_mail_t)
@@ -39770,7 +40000,14 @@ index 64268e4..cdcf4c7 100644
')
optional_policy(`
-@@ -189,6 +184,10 @@ optional_policy(`
+ qmail_domtrans_inject(system_mail_t)
++ qmail_manage_spool_dirs(system_mail_t)
++ qmail_manage_spool_files(system_mail_t)
++ qmail_rw_spool_pipes(system_mail_t)
+ ')
+
+ optional_policy(`
+@@ -189,6 +187,10 @@ optional_policy(`
')
optional_policy(`
@@ -39781,7 +40018,7 @@ index 64268e4..cdcf4c7 100644
smartmon_read_tmp_files(system_mail_t)
')
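Review bot: The three added `qmail_manage_spool_dirs(system_mail_t)`, `qmail_manage_spool_files(system_mail_t)` and `qmail_rw_spool_pipes(system_mail_t)` rules give the generic mail-sending domain create/delete rights over qmail's spool, which the commit message does not list and which is wider than the `qmail_domtrans_inject(system_mail_t)` they sit beside, where the domain transition would normally be what touches the spool. If a concrete denial drove this, a comment above the block naming it would justify the width, e.g. `# system_mail_t writes the qmail spool directly when <reason placeholder>`; otherwise the transition alone may be enough and the manage rules could be dropped. Which of the two applies is not visible from this hunk.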
-@@ -199,15 +198,16 @@ optional_policy(`
+@@ -199,15 +201,16 @@ optional_policy(`
arpwatch_search_data(mailserver_delivery)
arpwatch_manage_tmp_files(mta_user_agent)
@@ -39802,7 +40039,7 @@ index 64268e4..cdcf4c7 100644
########################################
#
# Mailserver delivery local policy
-@@ -220,7 +220,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+@@ -220,7 +223,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
@@ -39812,7 +40049,7 @@ index 64268e4..cdcf4c7 100644
read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
-@@ -242,6 +243,10 @@ optional_policy(`
+@@ -242,6 +246,10 @@ optional_policy(`
')
optional_policy(`
@@ -39823,7 +40060,7 @@ index 64268e4..cdcf4c7 100644
# so MTA can access /var/lib/mailman/mail/wrapper
files_search_var_lib(mailserver_delivery)
-@@ -249,16 +254,25 @@ optional_policy(`
+@@ -249,16 +257,25 @@ optional_policy(`
mailman_read_data_symlinks(mailserver_delivery)
')
@@ -39851,7 +40088,7 @@ index 64268e4..cdcf4c7 100644
# Create dead.letter in user home directories.
userdom_manage_user_home_content_files(user_mail_t)
userdom_user_home_dir_filetrans_user_home_content(user_mail_t, file)
-@@ -292,3 +306,44 @@ optional_policy(`
+@@ -292,3 +309,44 @@ optional_policy(`
postfix_read_config(user_mail_t)
postfix_list_spool(user_mail_t)
')
@@ -42426,7 +42663,7 @@ index ceafba6..9eb6967 100644
+ udev_read_db(pcscd_t)
+')
diff --git a/policy/modules/services/pegasus.te b/policy/modules/services/pegasus.te
-index 3185114..6f2f1d4 100644
+index 3185114..4abd429 100644
--- a/policy/modules/services/pegasus.te
+++ b/policy/modules/services/pegasus.te
@@ -16,7 +16,7 @@ type pegasus_tmp_t;
@@ -42443,7 +42680,7 @@ index 3185114..6f2f1d4 100644
#
-allow pegasus_t self:capability { chown sys_nice setuid setgid dac_override net_bind_service };
-+allow pegasus_t self:capability { chown ipc_lock sys_nice setuid setgid dac_override net_bind_service };
++allow pegasus_t self:capability { chown kill ipc_lock sys_nice setuid setgid dac_override net_bind_service };
dontaudit pegasus_t self:capability sys_tty_config;
allow pegasus_t self:process signal;
allow pegasus_t self:fifo_file rw_fifo_file_perms;
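Review bot: Adding `kill` to pegasus_t's self:capability set grants CAP_KILL, which lifts the kernel's UID check for sending any signal to any process, not only the cross-UID case the commit message describes; it also does not by itself permit signals across SELinux domains, which still need a `process signal`-class rule against each target type, so if those are missing the denials will simply move there. A comment on the allow line stating the intended targets would keep the grant auditable, e.g. `# kill: signals processes owned by other UIDs (see commit message); target domains still need process:signal`. The actual target domains are not visible in this hunk, so I cannot tell whether a narrower per-domain rule would replace the capability.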
@@ -42823,10 +43060,10 @@ index 0000000..548d0a2
+')
diff --git a/policy/modules/services/piranha.te b/policy/modules/services/piranha.te
new file mode 100644
-index 0000000..0ac1a0c
+index 0000000..aaf3fa8
--- /dev/null
+++ b/policy/modules/services/piranha.te
-@@ -0,0 +1,299 @@
+@@ -0,0 +1,295 @@
+policy_module(piranha, 1.0.0)
+
+########################################
@@ -43086,10 +43323,6 @@ index 0000000..0ac1a0c
+ udev_read_db(piranha_pulse_t)
+')
+
-+#optional_policy(`
-+# unconfined_domain(piranha_pulse_t)
-+#')
-+
+####################################
+#
+# piranha domains common policy
@@ -44280,7 +44513,7 @@ index 46bee12..c22af86 100644
+ role $2 types postfix_postdrop_t;
+')
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
-index a32c4b3..511cb5f 100644
+index a32c4b3..4f41f4e 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -5,6 +5,14 @@ policy_module(postfix, 1.12.1)
@@ -44623,10 +44856,14 @@ index a32c4b3..511cb5f 100644
# to write the mailq output, it really should not need read access!
term_use_all_ptys(postfix_showq_t)
-@@ -565,6 +641,10 @@ optional_policy(`
+@@ -565,6 +641,14 @@ optional_policy(`
')
optional_policy(`
++ dovecot_stream_connect(postfix_smtp_t)
++')
++
++optional_policy(`
+ dspam_stream_connect(postfix_smtp_t)
+')
+
@@ -44634,7 +44871,7 @@ index a32c4b3..511cb5f 100644
milter_stream_connect_all(postfix_smtp_t)
')
-@@ -588,10 +668,16 @@ corecmd_exec_bin(postfix_smtpd_t)
+@@ -588,10 +672,16 @@ corecmd_exec_bin(postfix_smtpd_t)
# for OpenSSL certificates
files_read_usr_files(postfix_smtpd_t)
@@ -44651,7 +44888,7 @@ index a32c4b3..511cb5f 100644
')
optional_policy(`
-@@ -611,8 +697,8 @@ optional_policy(`
+@@ -611,8 +701,8 @@ optional_policy(`
# Postfix virtual local policy
#
@@ -44661,7 +44898,7 @@ index a32c4b3..511cb5f 100644
allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
-@@ -630,3 +716,8 @@ mta_delete_spool(postfix_virtual_t)
+@@ -630,3 +720,8 @@ mta_delete_spool(postfix_virtual_t)
# For reading spamassasin
mta_read_config(postfix_virtual_t)
mta_manage_spool(postfix_virtual_t)
@@ -45787,17 +46024,13 @@ index 2855a44..2898ff9 100644
+ files_search_var_lib($1)
+')
diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te
-index 64c5f95..313f77d 100644
+index 64c5f95..7041ad9 100644
--- a/policy/modules/services/puppet.te
+++ b/policy/modules/services/puppet.te
-@@ -5,13 +5,23 @@ policy_module(puppet, 1.0.0)
- # Declarations
+@@ -6,12 +6,19 @@ policy_module(puppet, 1.0.0)
#
-+# New in Fedora16
-+permissive puppetca_t;
-+
-+## <desc>
+ ## <desc>
+## <p>
+## Allow Puppet client to manage all file
+## types.
@@ -45805,7 +46038,7 @@ index 64c5f95..313f77d 100644
+## </desc>
+gen_tunable(puppet_manage_all_files, false)
+
- ## <desc>
++## <desc>
## <p>
-## Allow Puppet client to manage all file
-## types.
@@ -45817,7 +46050,7 @@ index 64c5f95..313f77d 100644
type puppet_t;
type puppet_exec_t;
-@@ -35,6 +45,11 @@ files_type(puppet_var_lib_t)
+@@ -35,6 +42,11 @@ files_type(puppet_var_lib_t)
type puppet_var_run_t;
files_pid_file(puppet_var_run_t)
@@ -45829,7 +46062,7 @@ index 64c5f95..313f77d 100644
type puppetmaster_t;
type puppetmaster_exec_t;
init_daemon_domain(puppetmaster_t, puppetmaster_exec_t)
-@@ -63,7 +78,7 @@ manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
+@@ -63,7 +75,7 @@ manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
files_search_var_lib(puppet_t)
@@ -45838,7 +46071,7 @@ index 64c5f95..313f77d 100644
manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir })
-@@ -132,7 +147,7 @@ sysnet_dns_name_resolve(puppet_t)
+@@ -132,7 +144,7 @@ sysnet_dns_name_resolve(puppet_t)
sysnet_run_ifconfig(puppet_t, system_r)
tunable_policy(`puppet_manage_all_files',`
@@ -45847,7 +46080,7 @@ index 64c5f95..313f77d 100644
')
optional_policy(`
-@@ -162,7 +177,60 @@ optional_policy(`
+@@ -162,7 +174,60 @@ optional_policy(`
########################################
#
@@ -45909,7 +46142,7 @@ index 64c5f95..313f77d 100644
#
allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config };
-@@ -171,29 +239,35 @@ allow puppetmaster_t self:fifo_file rw_fifo_file_perms;
+@@ -171,29 +236,35 @@ allow puppetmaster_t self:fifo_file rw_fifo_file_perms;
allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms;
allow puppetmaster_t self:socket create;
allow puppetmaster_t self:tcp_socket create_stream_socket_perms;
@@ -45948,7 +46181,7 @@ index 64c5f95..313f77d 100644
corecmd_exec_bin(puppetmaster_t)
corecmd_exec_shell(puppetmaster_t)
-@@ -206,21 +280,46 @@ corenet_tcp_bind_generic_node(puppetmaster_t)
+@@ -206,21 +277,46 @@ corenet_tcp_bind_generic_node(puppetmaster_t)
corenet_tcp_bind_puppet_port(puppetmaster_t)
corenet_sendrecv_puppet_server_packets(puppetmaster_t)
@@ -45998,7 +46231,7 @@ index 64c5f95..313f77d 100644
optional_policy(`
hostname_exec(puppetmaster_t)
')
-@@ -231,3 +330,9 @@ optional_policy(`
+@@ -231,3 +327,9 @@ optional_policy(`
rpm_exec(puppetmaster_t)
rpm_read_db(puppetmaster_t)
')
@@ -46234,8 +46467,20 @@ index cd683f9..a272112 100644
kernel_read_kernel_sysctls(pyzord_t)
kernel_read_system_state(pyzord_t)
+diff --git a/policy/modules/services/qmail.fc b/policy/modules/services/qmail.fc
+index 0055e54..f988f51 100644
+--- a/policy/modules/services/qmail.fc
++++ b/policy/modules/services/qmail.fc
+@@ -17,6 +17,7 @@
+ /var/qmail/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0)
+
+ /var/qmail/control(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0)
++/var/qmail/owners(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0)
+
+ /var/qmail/queue(/.*)? gen_context(system_u:object_r:qmail_spool_t,s0)
+
diff --git a/policy/modules/services/qmail.if b/policy/modules/services/qmail.if
-index a55bf44..77a25f5 100644
+index a55bf44..27007ed 100644
--- a/policy/modules/services/qmail.if
+++ b/policy/modules/services/qmail.if
@@ -62,14 +62,13 @@ interface(`qmail_domtrans_inject',`
@@ -46270,6 +46515,66 @@ index a55bf44..77a25f5 100644
')
')
+@@ -149,3 +147,59 @@ interface(`qmail_smtpd_service_domain',`
+
+ domtrans_pattern(qmail_smtpd_t, $2, $1)
+ ')
++
++########################################
++## <summary>
++## Create, read, write, and delete qmail
++## spool directories.
++## </summary>
++## <param name="prefix">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`qmail_manage_spool_dirs',`
++ gen_require(`
++ type qmail_spool_t;
++ ')
++
++ manage_dirs_pattern($1, qmail_spool_t, qmail_spool_t)
++')
++
++########################################
++## <summary>
++## Create, read, write, and delete qmail
++## spool files.
++## </summary>
++## <param name="prefix">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`qmail_manage_spool_files',`
++ gen_require(`
++ type qmail_spool_t;
++ ')
++
++ manage_files_pattern($1, qmail_spool_t, qmail_spool_t)
++')
++
++########################################
++## <summary>
++## Read and write to qmail spool pipes.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`qmail_rw_spool_pipes',`
++ gen_require(`
++ type qmail_spool_t;
++ ')
++
++ allow $1 qmail_spool_t:fifo_file rw_fifo_file_perms;
++')
diff --git a/policy/modules/services/qmail.te b/policy/modules/services/qmail.te
index 355b2a2..88e6f40 100644
--- a/policy/modules/services/qmail.te
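Review bot: The headers of the three interfaces added to qmail.if document their parameter incorrectly: `qmail_manage_spool_dirs` and `qmail_manage_spool_files` declare `<param name="prefix">` while their bodies use `$1` as the domain being granted access, and `qmail_rw_spool_pipes` summarises `$1` as `Domain to not audit.` although the rule it emits is an `allow`, not a `dontaudit`. These headers feed the generated interface documentation, so a policy author reading them would misjudge what access is granted. Change the first two to `## <param name="domain">` and the third summary to `## Domain allowed access.`. The enclosing qmail.if file section continues outside the hunk.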
@@ -47282,7 +47587,7 @@ index 7dc38d1..9c2c963 100644
+ admin_pattern($1, rgmanager_var_run_t)
+')
diff --git a/policy/modules/services/rgmanager.te b/policy/modules/services/rgmanager.te
-index 00fa514..d95e136 100644
+index 00fa514..e605105 100644
--- a/policy/modules/services/rgmanager.te
+++ b/policy/modules/services/rgmanager.te
@@ -6,17 +6,19 @@ policy_module(rgmanager, 1.0.0)
@@ -47413,19 +47718,6 @@ index 00fa514..d95e136 100644
mysql_domtrans_mysql_safe(rgmanager_t)
mysql_stream_connect(rgmanager_t)
')
-@@ -193,9 +220,9 @@ optional_policy(`
- virt_stream_connect(rgmanager_t)
- ')
-
--optional_policy(`
-- unconfined_domain(rgmanager_t)
--')
-+#optional_policy(`
-+# unconfined_domain(rgmanager_t)
-+#')
-
- optional_policy(`
- xen_domtrans_xm(rgmanager_t)
diff --git a/policy/modules/services/rhcs.fc b/policy/modules/services/rhcs.fc
index c2ba53b..853eeb5 100644
--- a/policy/modules/services/rhcs.fc
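Review bot: Dropping the lines that commented out unconfined_domain(rgmanager_t) restores the upstream optional_policy block, so rgmanager_t becomes an unconfined domain again whenever the unconfined module is loaded, and nothing visible in this change calls that out. The same reversal appears for virtd_t in the virt.te hunk later in this chunk, and the xserver.te hunk turns `#unconfined_domain(xserver_t)` into a live `unconfined_domain(xserver_t)` where upstream had `unconfined_domain_noaudit(xserver_t)`, so auditing changes there too. If this is intended to accompany moving the `permissive` statements into permissivedomains.te, add a changelog entry such as `- Re-enable unconfined_domain for rgmanager_t, virtd_t and xserver_t`; otherwise these three hunks read as an accidental revert. The enclosing optional_policy blocks start and end outside the hunk.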
@@ -47965,10 +48257,10 @@ index 0000000..bf11e25
+')
diff --git a/policy/modules/services/rhev.te b/policy/modules/services/rhev.te
new file mode 100644
-index 0000000..bc97a21
+index 0000000..23ba402
--- /dev/null
+++ b/policy/modules/services/rhev.te
-@@ -0,0 +1,84 @@
+@@ -0,0 +1,82 @@
+policy_module(rhev,1.0)
+
+########################################
@@ -47987,8 +48279,6 @@ index 0000000..bc97a21
+type rhev_agentd_tmp_t;
+files_tmp_file(rhev_agentd_tmp_t)
+
-+permissive rhev_agentd_t;
-+
+########################################
+#
+# rhev_agentd_t local policy
@@ -48408,10 +48698,10 @@ index 0000000..811c52e
+
diff --git a/policy/modules/services/rhsmcertd.te b/policy/modules/services/rhsmcertd.te
new file mode 100644
-index 0000000..9f9c62f
+index 0000000..4d1d0c7
--- /dev/null
+++ b/policy/modules/services/rhsmcertd.te
-@@ -0,0 +1,63 @@
+@@ -0,0 +1,61 @@
+policy_module(rhsmcertd, 1.0.0)
+
+########################################
@@ -48423,8 +48713,6 @@ index 0000000..9f9c62f
+type rhsmcertd_exec_t;
+init_daemon_domain(rhsmcertd_t, rhsmcertd_exec_t)
+
-+permissive rhsmcertd_t;
-+
+type rhsmcertd_initrc_exec_t;
+init_script_file(rhsmcertd_initrc_exec_t)
+
@@ -50364,10 +50652,10 @@ index 0000000..486d53d
+')
diff --git a/policy/modules/services/sanlock.te b/policy/modules/services/sanlock.te
new file mode 100644
-index 0000000..dae577a
+index 0000000..46930eb
--- /dev/null
+++ b/policy/modules/services/sanlock.te
-@@ -0,0 +1,65 @@
+@@ -0,0 +1,63 @@
+policy_module(sanlock,1.0.0)
+
+########################################
@@ -50379,8 +50667,6 @@ index 0000000..dae577a
+type sanlock_exec_t;
+init_daemon_domain(sanlock_t, sanlock_exec_t)
+
-+permissive sanlock_t;
-+
+type sanlock_var_run_t;
+files_pid_file(sanlock_var_run_t)
+
@@ -50605,10 +50891,10 @@ index 0000000..8aef188
+
diff --git a/policy/modules/services/sblim.te b/policy/modules/services/sblim.te
new file mode 100644
-index 0000000..74080f1
+index 0000000..785c2f3
--- /dev/null
+++ b/policy/modules/services/sblim.te
-@@ -0,0 +1,106 @@
+@@ -0,0 +1,102 @@
+policy_module(sblim, 1.0.0)
+
+########################################
@@ -50622,14 +50908,10 @@ index 0000000..74080f1
+type sblim_gatherd_exec_t;
+init_daemon_domain(sblim_gatherd_t, sblim_gatherd_exec_t)
+
-+permissive sblim_gatherd_t;
-+
+type sblim_reposd_t, sblim_domain;
+type sblim_reposd_exec_t;
+init_daemon_domain(sblim_reposd_t, sblim_reposd_exec_t)
+
-+permissive sblim_gatherd_t;
-+
+type sblim_var_run_t;
+files_pid_file(sblim_var_run_t)
+
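Review bot: Both `permissive` lines removed from sblim.te name `sblim_gatherd_t`; the second sits directly after the `sblim_reposd_t` declaration and looks like a copy-paste slip that meant `sblim_reposd_t`. Since these statements are being moved into the permissivedomains module, which is not in this chunk, it is worth confirming there whether sblim_reposd_t was meant to be permissive rather than carrying the duplicate over. The declarations block continues outside the hunk.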
@@ -51622,10 +51904,10 @@ index c954f31..c7cadcb 100644
+ admin_pattern($1, spamd_var_run_t)
')
diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
-index ec1eb1e..4d649e1 100644
+index ec1eb1e..659d854 100644
--- a/policy/modules/services/spamassassin.te
+++ b/policy/modules/services/spamassassin.te
-@@ -6,56 +6,103 @@ policy_module(spamassassin, 2.4.0)
+@@ -6,56 +6,101 @@ policy_module(spamassassin, 2.4.0)
#
## <desc>
@@ -51744,8 +52026,6 @@ index ec1eb1e..4d649e1 100644
+application_domain(spamd_update_t, spamd_update_exec_t)
+cron_system_entry(spamd_update_t, spamd_update_exec_t)
+role system_r types spamd_update_t;
-+
-+permissive spamd_update_t;
type spamd_t;
type spamd_exec_t;
@@ -51766,7 +52046,7 @@ index ec1eb1e..4d649e1 100644
type spamd_tmp_t;
files_tmp_file(spamd_tmp_t)
-@@ -108,6 +155,7 @@ kernel_read_kernel_sysctls(spamassassin_t)
+@@ -108,6 +153,7 @@ kernel_read_kernel_sysctls(spamassassin_t)
dev_read_urand(spamassassin_t)
fs_search_auto_mountpoints(spamassassin_t)
@@ -51774,7 +52054,7 @@ index ec1eb1e..4d649e1 100644
# this should probably be removed
corecmd_list_bin(spamassassin_t)
-@@ -148,6 +196,9 @@ tunable_policy(`spamassassin_can_network',`
+@@ -148,6 +194,9 @@ tunable_policy(`spamassassin_can_network',`
corenet_udp_sendrecv_all_ports(spamassassin_t)
corenet_tcp_connect_all_ports(spamassassin_t)
corenet_sendrecv_all_client_packets(spamassassin_t)
@@ -51784,7 +52064,7 @@ index ec1eb1e..4d649e1 100644
sysnet_read_config(spamassassin_t)
')
-@@ -184,6 +235,8 @@ optional_policy(`
+@@ -184,6 +233,8 @@ optional_policy(`
optional_policy(`
mta_read_config(spamassassin_t)
sendmail_stub(spamassassin_t)
@@ -51793,7 +52073,7 @@ index ec1eb1e..4d649e1 100644
')
########################################
-@@ -206,15 +259,32 @@ allow spamc_t self:unix_stream_socket connectto;
+@@ -206,15 +257,32 @@ allow spamc_t self:unix_stream_socket connectto;
allow spamc_t self:tcp_socket create_stream_socket_perms;
allow spamc_t self:udp_socket create_socket_perms;
@@ -51826,7 +52106,7 @@ index ec1eb1e..4d649e1 100644
corenet_all_recvfrom_unlabeled(spamc_t)
corenet_all_recvfrom_netlabel(spamc_t)
-@@ -226,6 +296,7 @@ corenet_tcp_sendrecv_all_ports(spamc_t)
+@@ -226,6 +294,7 @@ corenet_tcp_sendrecv_all_ports(spamc_t)
corenet_udp_sendrecv_all_ports(spamc_t)
corenet_tcp_connect_all_ports(spamc_t)
corenet_sendrecv_all_client_packets(spamc_t)
@@ -51834,7 +52114,7 @@ index ec1eb1e..4d649e1 100644
fs_search_auto_mountpoints(spamc_t)
-@@ -244,9 +315,14 @@ files_read_usr_files(spamc_t)
+@@ -244,9 +313,14 @@ files_read_usr_files(spamc_t)
files_dontaudit_search_var(spamc_t)
# cjp: this may be removable:
files_list_home(spamc_t)
@@ -51849,7 +52129,7 @@ index ec1eb1e..4d649e1 100644
miscfiles_read_localization(spamc_t)
# cjp: this should probably be removed:
-@@ -254,27 +330,46 @@ seutil_read_config(spamc_t)
+@@ -254,27 +328,46 @@ seutil_read_config(spamc_t)
sysnet_read_config(spamc_t)
@@ -51902,7 +52182,7 @@ index ec1eb1e..4d649e1 100644
')
########################################
-@@ -286,7 +381,7 @@ optional_policy(`
+@@ -286,7 +379,7 @@ optional_policy(`
# setuids to the user running spamc. Comment this if you are not
# using this ability.
@@ -51911,7 +52191,7 @@ index ec1eb1e..4d649e1 100644
dontaudit spamd_t self:capability sys_tty_config;
allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow spamd_t self:fd use;
-@@ -302,10 +397,17 @@ allow spamd_t self:unix_dgram_socket sendto;
+@@ -302,10 +395,17 @@ allow spamd_t self:unix_dgram_socket sendto;
allow spamd_t self:unix_stream_socket connectto;
allow spamd_t self:tcp_socket create_stream_socket_perms;
allow spamd_t self:udp_socket create_socket_perms;
@@ -51930,7 +52210,7 @@ index ec1eb1e..4d649e1 100644
files_spool_filetrans(spamd_t, spamd_spool_t, { file dir })
manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
-@@ -314,11 +416,15 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
+@@ -314,11 +414,15 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
# var/lib files for spamd
allow spamd_t spamd_var_lib_t:dir list_dir_perms;
@@ -51948,7 +52228,7 @@ index ec1eb1e..4d649e1 100644
kernel_read_all_sysctls(spamd_t)
kernel_read_system_state(spamd_t)
-@@ -367,22 +473,27 @@ files_read_var_lib_files(spamd_t)
+@@ -367,22 +471,27 @@ files_read_var_lib_files(spamd_t)
init_dontaudit_rw_utmp(spamd_t)
@@ -51980,7 +52260,7 @@ index ec1eb1e..4d649e1 100644
fs_manage_cifs_files(spamd_t)
')
-@@ -399,7 +510,9 @@ optional_policy(`
+@@ -399,7 +508,9 @@ optional_policy(`
')
optional_policy(`
@@ -51990,7 +52270,7 @@ index ec1eb1e..4d649e1 100644
dcc_stream_connect_dccifd(spamd_t)
')
-@@ -408,25 +521,17 @@ optional_policy(`
+@@ -408,25 +519,17 @@ optional_policy(`
')
optional_policy(`
@@ -52018,7 +52298,7 @@ index ec1eb1e..4d649e1 100644
postgresql_stream_connect(spamd_t)
')
-@@ -437,6 +542,10 @@ optional_policy(`
+@@ -437,6 +540,10 @@ optional_policy(`
optional_policy(`
razor_domtrans(spamd_t)
@@ -52029,7 +52309,7 @@ index ec1eb1e..4d649e1 100644
')
optional_policy(`
-@@ -451,3 +560,43 @@ optional_policy(`
+@@ -451,3 +558,43 @@ optional_policy(`
optional_policy(`
udev_read_db(spamd_t)
')
@@ -54057,10 +54337,10 @@ index 0000000..5a2fd4c
+')
diff --git a/policy/modules/services/uuidd.te b/policy/modules/services/uuidd.te
new file mode 100644
-index 0000000..7826086
+index 0000000..ac053f3
--- /dev/null
+++ b/policy/modules/services/uuidd.te
-@@ -0,0 +1,48 @@
+@@ -0,0 +1,46 @@
+policy_module(uuidd, 1.0.0)
+
+########################################
@@ -54072,8 +54352,6 @@ index 0000000..7826086
+type uuidd_exec_t;
+init_daemon_domain(uuidd_t, uuidd_exec_t)
+
-+permissive uuidd_t;
-+
+type uuidd_initrc_exec_t;
+init_script_file(uuidd_initrc_exec_t)
+
@@ -54981,7 +55259,7 @@ index 7c5d8d8..d83a9a2 100644
+ dontaudit $1 virt_image_type:chr_file read_chr_file_perms;
')
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..e18ede2 100644
+index 3eca020..9c42952 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -5,56 +5,67 @@ policy_module(virt, 1.4.0)
@@ -55118,7 +55396,7 @@ index 3eca020..e18ede2 100644
ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
')
-@@ -99,20 +123,33 @@ ifdef(`enable_mls',`
+@@ -99,20 +123,29 @@ ifdef(`enable_mls',`
########################################
#
@@ -55132,10 +55410,6 @@ index 3eca020..e18ede2 100644
+type virt_lxc_var_run_t;
+files_pid_file(virt_lxc_var_run_t)
+
-+permissive virt_lxc_t;
-+
-+permissive virtd_t;
-+
+########################################
+#
# svirt local policy
@@ -55156,7 +55430,7 @@ index 3eca020..e18ede2 100644
fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file)
list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
-@@ -130,9 +167,13 @@ corenet_tcp_connect_all_ports(svirt_t)
+@@ -130,9 +163,13 @@ corenet_tcp_connect_all_ports(svirt_t)
dev_list_sysfs(svirt_t)
@@ -55170,7 +55444,7 @@ index 3eca020..e18ede2 100644
tunable_policy(`virt_use_comm',`
term_use_unallocated_ttys(svirt_t)
-@@ -147,11 +188,15 @@ tunable_policy(`virt_use_fusefs',`
+@@ -147,11 +184,15 @@ tunable_policy(`virt_use_fusefs',`
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(svirt_t)
fs_manage_nfs_files(svirt_t)
@@ -55186,7 +55460,7 @@ index 3eca020..e18ede2 100644
')
tunable_policy(`virt_use_sysfs',`
-@@ -160,11 +205,22 @@ tunable_policy(`virt_use_sysfs',`
+@@ -160,11 +201,22 @@ tunable_policy(`virt_use_sysfs',`
tunable_policy(`virt_use_usb',`
dev_rw_usbfs(svirt_t)
@@ -55209,7 +55483,7 @@ index 3eca020..e18ede2 100644
xen_rw_image_files(svirt_t)
')
-@@ -174,21 +230,35 @@ optional_policy(`
+@@ -174,21 +226,35 @@ optional_policy(`
#
allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
@@ -55250,7 +55524,7 @@ index 3eca020..e18ede2 100644
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -200,8 +270,15 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
+@@ -200,8 +266,15 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
@@ -55268,7 +55542,7 @@ index 3eca020..e18ede2 100644
manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
-@@ -217,9 +294,15 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -217,9 +290,15 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
@@ -55284,7 +55558,7 @@ index 3eca020..e18ede2 100644
kernel_request_load_module(virtd_t)
kernel_search_debugfs(virtd_t)
-@@ -239,22 +322,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
+@@ -239,22 +318,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
corenet_rw_tun_tap_dev(virtd_t)
dev_rw_sysfs(virtd_t)
@@ -55317,7 +55591,7 @@ index 3eca020..e18ede2 100644
fs_list_auto_mountpoints(virtd_t)
fs_getattr_xattr_fs(virtd_t)
-@@ -262,6 +354,18 @@ fs_rw_anon_inodefs_files(virtd_t)
+@@ -262,6 +350,18 @@ fs_rw_anon_inodefs_files(virtd_t)
fs_list_inotifyfs(virtd_t)
fs_manage_cgroup_dirs(virtd_t)
fs_rw_cgroup_files(virtd_t)
@@ -55336,14 +55610,14 @@ index 3eca020..e18ede2 100644
mcs_process_set_categories(virtd_t)
-@@ -285,16 +389,29 @@ modutils_read_module_config(virtd_t)
+@@ -285,16 +385,29 @@ modutils_read_module_config(virtd_t)
modutils_manage_module_config(virtd_t)
logging_send_syslog_msg(virtd_t)
+logging_send_audit_msgs(virtd_t)
-
-+selinux_validate_context(virtd_t)
+
++selinux_validate_context(virtd_t)
+
+seutil_read_config(virtd_t)
seutil_read_default_contexts(virtd_t)
+seutil_read_file_contexts(virtd_t)
@@ -55366,7 +55640,7 @@ index 3eca020..e18ede2 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -313,6 +430,10 @@ optional_policy(`
+@@ -313,6 +426,10 @@ optional_policy(`
')
optional_policy(`
@@ -55377,7 +55651,7 @@ index 3eca020..e18ede2 100644
dbus_system_bus_client(virtd_t)
optional_policy(`
-@@ -329,11 +450,17 @@ optional_policy(`
+@@ -329,11 +446,17 @@ optional_policy(`
')
optional_policy(`
@@ -55395,7 +55669,7 @@ index 3eca020..e18ede2 100644
')
optional_policy(`
-@@ -365,6 +492,12 @@ optional_policy(`
+@@ -365,6 +488,12 @@ optional_policy(`
qemu_signal(virtd_t)
qemu_kill(virtd_t)
qemu_setsched(virtd_t)
@@ -55408,19 +55682,7 @@ index 3eca020..e18ede2 100644
')
optional_policy(`
-@@ -385,29 +518,45 @@ optional_policy(`
- udev_read_db(virtd_t)
- ')
-
--optional_policy(`
-- unconfined_domain(virtd_t)
--')
-+#optional_policy(`
-+# unconfined_domain(virtd_t)
-+#')
-
- ########################################
- #
+@@ -394,20 +523,36 @@ optional_policy(`
# virtual domains common policy
#
@@ -55459,7 +55721,7 @@ index 3eca020..e18ede2 100644
corecmd_exec_bin(virt_domain)
corecmd_exec_shell(virt_domain)
-@@ -418,10 +567,11 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
+@@ -418,10 +563,11 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
corenet_tcp_sendrecv_all_ports(virt_domain)
corenet_tcp_bind_generic_node(virt_domain)
corenet_tcp_bind_vnc_port(virt_domain)
@@ -55472,7 +55734,7 @@ index 3eca020..e18ede2 100644
dev_read_rand(virt_domain)
dev_read_sound(virt_domain)
dev_read_urand(virt_domain)
-@@ -429,10 +579,12 @@ dev_write_sound(virt_domain)
+@@ -429,10 +575,12 @@ dev_write_sound(virt_domain)
dev_rw_ksm(virt_domain)
dev_rw_kvm(virt_domain)
dev_rw_qemu(virt_domain)
@@ -55485,7 +55747,7 @@ index 3eca020..e18ede2 100644
files_read_usr_files(virt_domain)
files_read_var_files(virt_domain)
files_search_all(virt_domain)
-@@ -440,14 +592,20 @@ files_search_all(virt_domain)
+@@ -440,14 +588,20 @@ files_search_all(virt_domain)
fs_getattr_tmpfs(virt_domain)
fs_rw_anon_inodefs_files(virt_domain)
fs_rw_tmpfs_files(virt_domain)
@@ -55493,12 +55755,12 @@ index 3eca020..e18ede2 100644
+fs_rw_inherited_nfs_files(virt_domain)
+fs_rw_inherited_cifs_files(virt_domain)
+fs_rw_inherited_noxattr_fs_files(virt_domain)
-
--term_use_all_terms(virt_domain)
++
+# I think we need these for now.
+miscfiles_read_public_files(virt_domain)
+storage_raw_read_removable_device(virt_domain)
-+
+
+-term_use_all_terms(virt_domain)
+term_use_all_inherited_terms(virt_domain)
term_getattr_pty_fs(virt_domain)
term_use_generic_ptys(virt_domain)
@@ -55509,7 +55771,7 @@ index 3eca020..e18ede2 100644
logging_send_syslog_msg(virt_domain)
miscfiles_read_localization(virt_domain)
-@@ -457,8 +615,176 @@ optional_policy(`
+@@ -457,8 +611,176 @@ optional_policy(`
')
optional_policy(`
@@ -55893,10 +56155,10 @@ index 0000000..a554011
+')
diff --git a/policy/modules/services/wdmd.te b/policy/modules/services/wdmd.te
new file mode 100644
-index 0000000..b9d6149
+index 0000000..307c99e
--- /dev/null
+++ b/policy/modules/services/wdmd.te
-@@ -0,0 +1,53 @@
+@@ -0,0 +1,51 @@
+policy_module(wdmd,1.0.0)
+
+########################################
@@ -55908,8 +56170,6 @@ index 0000000..b9d6149
+type wdmd_exec_t;
+init_daemon_domain(wdmd_t, wdmd_exec_t)
+
-+permissive wdmd_t;
-+
+type wdmd_var_run_t;
+files_pid_file(wdmd_var_run_t)
+
@@ -57291,7 +57551,7 @@ index 130ced9..b6fb17a 100644
+ userdom_admin_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")
+')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 143c893..798589f 100644
+index 143c893..00b270e 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,27 +26,50 @@ gen_require(`
@@ -57459,7 +57719,7 @@ index 143c893..798589f 100644
# type for /var/lib/xkb
type xkb_var_lib_t;
files_type(xkb_var_lib_t)
-@@ -196,15 +247,11 @@ typealias xserver_t alias { auditadm_xserver_t secadm_xserver_t xdm_xserver_t };
+@@ -196,15 +247,9 @@ typealias xserver_t alias { auditadm_xserver_t secadm_xserver_t xdm_xserver_t };
init_system_domain(xserver_t, xserver_exec_t)
ubac_constrained(xserver_t)
@@ -57468,8 +57728,7 @@ index 143c893..798589f 100644
-typealias xserver_tmp_t alias { auditadm_xserver_tmp_t secadm_xserver_tmp_t xdm_xserver_tmp_t };
-files_tmp_file(xserver_tmp_t)
-ubac_constrained(xserver_tmp_t)
-+permissive xserver_t;
-
+-
type xserver_tmpfs_t;
-typealias xserver_tmpfs_t alias { user_xserver_tmpfs_t staff_xserver_tmpfs_t sysadm_xserver_tmpfs_t };
-typealias xserver_tmpfs_t alias { auditadm_xserver_tmpfs_t secadm_xserver_tmpfs_t xdm_xserver_tmpfs_t };
@@ -57478,7 +57737,7 @@ index 143c893..798589f 100644
files_tmpfs_file(xserver_tmpfs_t)
ubac_constrained(xserver_tmpfs_t)
-@@ -234,10 +281,17 @@ userdom_user_home_dir_filetrans(iceauth_t, iceauth_home_t, file)
+@@ -234,10 +279,17 @@ userdom_user_home_dir_filetrans(iceauth_t, iceauth_home_t, file)
allow xdm_t iceauth_home_t:file read_file_perms;
@@ -57497,7 +57756,7 @@ index 143c893..798589f 100644
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files(iceauth_t)
-@@ -247,52 +301,113 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -247,52 +299,113 @@ tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_files(iceauth_t)
')
@@ -57617,7 +57876,7 @@ index 143c893..798589f 100644
optional_policy(`
ssh_sigchld(xauth_t)
ssh_read_pipes(xauth_t)
-@@ -304,20 +419,36 @@ optional_policy(`
+@@ -304,20 +417,36 @@ optional_policy(`
# XDM Local policy
#
@@ -57658,7 +57917,7 @@ index 143c893..798589f 100644
# Allow gdm to run gdm-binary
can_exec(xdm_t, xdm_exec_t)
-@@ -325,43 +456,62 @@ can_exec(xdm_t, xdm_exec_t)
+@@ -325,43 +454,62 @@ can_exec(xdm_t, xdm_exec_t)
allow xdm_t xdm_lock_t:file manage_file_perms;
files_lock_filetrans(xdm_t, xdm_lock_t, file)
@@ -57727,7 +57986,7 @@ index 143c893..798589f 100644
# connect to xdm xserver over stream socket
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -370,18 +520,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+@@ -370,18 +518,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
@@ -57755,7 +58014,7 @@ index 143c893..798589f 100644
corenet_all_recvfrom_unlabeled(xdm_t)
corenet_all_recvfrom_netlabel(xdm_t)
-@@ -393,38 +551,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
+@@ -393,38 +549,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_generic_node(xdm_t)
corenet_udp_bind_generic_node(xdm_t)
@@ -57809,7 +58068,7 @@ index 143c893..798589f 100644
files_read_etc_files(xdm_t)
files_read_var_files(xdm_t)
-@@ -435,9 +604,23 @@ files_list_mnt(xdm_t)
+@@ -435,9 +602,23 @@ files_list_mnt(xdm_t)
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
@@ -57833,7 +58092,7 @@ index 143c893..798589f 100644
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -446,28 +629,37 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -446,28 +627,37 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -57873,7 +58132,7 @@ index 143c893..798589f 100644
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -476,9 +668,30 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -476,9 +666,30 @@ userdom_read_user_home_content_files(xdm_t)
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -57904,7 +58163,7 @@ index 143c893..798589f 100644
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xdm_t)
-@@ -494,6 +707,14 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -494,6 +705,14 @@ tunable_policy(`use_samba_home_dirs',`
fs_exec_cifs_files(xdm_t)
')
@@ -57919,7 +58178,7 @@ index 143c893..798589f 100644
tunable_policy(`xdm_sysadm_login',`
userdom_xsession_spec_domtrans_all_users(xdm_t)
# FIXME:
-@@ -507,11 +728,21 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -507,11 +726,21 @@ tunable_policy(`xdm_sysadm_login',`
')
optional_policy(`
@@ -57941,7 +58200,7 @@ index 143c893..798589f 100644
')
optional_policy(`
-@@ -519,12 +750,62 @@ optional_policy(`
+@@ -519,12 +748,62 @@ optional_policy(`
')
optional_policy(`
@@ -58004,7 +58263,7 @@ index 143c893..798589f 100644
hostname_exec(xdm_t)
')
-@@ -542,28 +823,69 @@ optional_policy(`
+@@ -542,28 +821,69 @@ optional_policy(`
')
optional_policy(`
@@ -58083,7 +58342,7 @@ index 143c893..798589f 100644
')
optional_policy(`
-@@ -575,6 +897,14 @@ optional_policy(`
+@@ -575,6 +895,14 @@ optional_policy(`
')
optional_policy(`
@@ -58098,7 +58357,7 @@ index 143c893..798589f 100644
xfs_stream_connect(xdm_t)
')
-@@ -599,7 +929,7 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -599,7 +927,7 @@ allow xserver_t input_xevent_t:x_event send;
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -58107,7 +58366,7 @@ index 143c893..798589f 100644
dontaudit xserver_t self:capability chown;
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
-@@ -613,8 +943,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -613,8 +941,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -58123,7 +58382,7 @@ index 143c893..798589f 100644
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -633,12 +970,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -633,12 +968,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -58145,7 +58404,7 @@ index 143c893..798589f 100644
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -646,6 +990,7 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -646,6 +988,7 @@ kernel_read_modprobe_sysctls(xserver_t)
# Xorg wants to check if kernel is tainted
kernel_read_kernel_sysctls(xserver_t)
kernel_write_proc_files(xserver_t)
@@ -58153,7 +58412,7 @@ index 143c893..798589f 100644
# Run helper programs in xserver_t.
corecmd_exec_bin(xserver_t)
-@@ -672,7 +1017,6 @@ dev_rw_apm_bios(xserver_t)
+@@ -672,7 +1015,6 @@ dev_rw_apm_bios(xserver_t)
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -58161,7 +58420,7 @@ index 143c893..798589f 100644
dev_create_generic_dirs(xserver_t)
dev_setattr_generic_dirs(xserver_t)
# raw memory access is needed if not using the frame buffer
-@@ -682,11 +1026,17 @@ dev_wx_raw_memory(xserver_t)
+@@ -682,11 +1024,17 @@ dev_wx_raw_memory(xserver_t)
dev_rw_xserver_misc(xserver_t)
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev(xserver_t)
@@ -58179,7 +58438,7 @@ index 143c893..798589f 100644
# brought on by rhgb
files_search_mnt(xserver_t)
-@@ -697,8 +1047,13 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -697,8 +1045,13 @@ fs_getattr_xattr_fs(xserver_t)
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -58193,7 +58452,7 @@ index 143c893..798589f 100644
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
-@@ -711,8 +1066,6 @@ init_getpgid(xserver_t)
+@@ -711,8 +1064,6 @@ init_getpgid(xserver_t)
term_setattr_unallocated_ttys(xserver_t)
term_use_unallocated_ttys(xserver_t)
@@ -58202,7 +58461,7 @@ index 143c893..798589f 100644
locallogin_use_fds(xserver_t)
logging_send_syslog_msg(xserver_t)
-@@ -720,11 +1073,12 @@ logging_send_audit_msgs(xserver_t)
+@@ -720,11 +1071,12 @@ logging_send_audit_msgs(xserver_t)
miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t)
@@ -58217,7 +58476,7 @@ index 143c893..798589f 100644
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -778,16 +1132,40 @@ optional_policy(`
+@@ -778,16 +1130,40 @@ optional_policy(`
')
optional_policy(`
@@ -58255,11 +58514,11 @@ index 143c893..798589f 100644
optional_policy(`
- unconfined_domain_noaudit(xserver_t)
-+ #unconfined_domain(xserver_t)
++ unconfined_domain(xserver_t)
unconfined_domtrans(xserver_t)
')
-@@ -796,6 +1174,10 @@ optional_policy(`
+@@ -796,6 +1172,10 @@ optional_policy(`
')
optional_policy(`
@@ -58270,7 +58529,7 @@ index 143c893..798589f 100644
xfs_stream_connect(xserver_t)
')
-@@ -811,10 +1193,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -811,10 +1191,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@@ -58284,7 +58543,7 @@ index 143c893..798589f 100644
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -822,7 +1204,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -822,7 +1202,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
# Run xkbcomp.
@@ -58293,7 +58552,7 @@ index 143c893..798589f 100644
can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
-@@ -835,6 +1217,9 @@ init_use_fds(xserver_t)
+@@ -835,6 +1215,9 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -58303,7 +58562,7 @@ index 143c893..798589f 100644
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xserver_t)
-@@ -842,6 +1227,11 @@ tunable_policy(`use_nfs_home_dirs',`
+@@ -842,6 +1225,11 @@ tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_symlinks(xserver_t)
')
@@ -58315,7 +58574,7 @@ index 143c893..798589f 100644
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_dirs(xserver_t)
fs_manage_cifs_files(xserver_t)
-@@ -850,11 +1240,14 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -850,11 +1238,14 @@ tunable_policy(`use_samba_home_dirs',`
optional_policy(`
dbus_system_bus_client(xserver_t)
@@ -58332,7 +58591,7 @@ index 143c893..798589f 100644
')
optional_policy(`
-@@ -862,6 +1255,10 @@ optional_policy(`
+@@ -862,6 +1253,10 @@ optional_policy(`
rhgb_rw_tmpfs_files(xserver_t)
')
@@ -58343,7 +58602,7 @@ index 143c893..798589f 100644
########################################
#
# Rules common to all X window domains
-@@ -905,7 +1302,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -905,7 +1300,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -58352,7 +58611,7 @@ index 143c893..798589f 100644
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -959,11 +1356,31 @@ allow x_domain self:x_resource { read write };
+@@ -959,11 +1354,31 @@ allow x_domain self:x_resource { read write };
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };
@@ -58384,7 +58643,7 @@ index 143c893..798589f 100644
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
-@@ -985,18 +1402,32 @@ tunable_policy(`! xserver_object_manager',`
+@@ -985,18 +1400,32 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
@@ -58582,7 +58841,7 @@ index 21ae664..3e448dd 100644
+ manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)
+')
diff --git a/policy/modules/services/zarafa.te b/policy/modules/services/zarafa.te
-index 9fb4747..a59cfc2 100644
+index 9fb4747..afe5e5f 100644
--- a/policy/modules/services/zarafa.te
+++ b/policy/modules/services/zarafa.te
@@ -18,6 +18,10 @@ files_config_file(zarafa_etc_t)
@@ -58596,15 +58855,15 @@ index 9fb4747..a59cfc2 100644
zarafa_domain_template(monitor)
zarafa_domain_template(server)
-@@ -32,6 +36,8 @@ zarafa_domain_template(spooler)
- type zarafa_var_lib_t;
- files_tmp_file(zarafa_var_lib_t)
+@@ -41,6 +45,8 @@ manage_dirs_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t
+ manage_files_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t)
+ files_tmp_filetrans(zarafa_deliver_t, zarafa_deliver_tmp_t, { file dir })
-+permissive zarafa_indexer_t;
++dev_read_rand(zarafa_deliver_t)
+
########################################
#
- # zarafa-deliver local policy
+ # zarafa_gateway local policy
@@ -57,6 +63,20 @@ corenet_tcp_sendrecv_all_ports(zarafa_gateway_t)
corenet_tcp_bind_generic_node(zarafa_gateway_t)
corenet_tcp_bind_pop_port(zarafa_gateway_t)
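Review bot: `dev_read_rand(zarafa_deliver_t)` is added with no comment saying what needs it, and it covers only random_device_t (/dev/random): a crypto or TLS library that opens /dev/urandom would still be denied, since that node is urandom_device_t and needs `dev_read_urand(zarafa_deliver_t)`. If the denial that prompted this was for /dev/urandom, the narrower dev_read_urand call is the right one and avoids handing the daemon the blocking pool; if it really was /dev/random, a one-line comment such as `# zarafa-deliver opens /dev/random` keeps the next reviewer from swapping it. The zarafa_deliver_t block this lands in starts before this hunk.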
@@ -59576,7 +59835,7 @@ index a97a096..ab1e16a 100644
/usr/bin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/bin/scsi_unique_id -- gen_context(system_u:object_r:fsadm_exec_t,s0)
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
-index c28da1c..bf8ea27 100644
+index c28da1c..38390f5 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -44,6 +44,8 @@ can_exec(fsadm_t, fsadm_exec_t)
@@ -59620,26 +59879,15 @@ index c28da1c..bf8ea27 100644
init_use_fds(fsadm_t)
init_use_script_ptys(fsadm_t)
init_dontaudit_getattr_initctl(fsadm_t)
-@@ -147,13 +156,13 @@ miscfiles_read_localization(fsadm_t)
+@@ -147,7 +156,7 @@ miscfiles_read_localization(fsadm_t)
seutil_read_config(fsadm_t)
-userdom_use_user_terminals(fsadm_t)
+term_use_all_inherited_terms(fsadm_t)
--ifdef(`distro_redhat',`
-- optional_policy(`
-- unconfined_domain(fsadm_t)
-- ')
--')
-+#ifdef(`distro_redhat',`
-+# optional_policy(`
-+# unconfined_domain(fsadm_t)
-+# ')
-+#')
-
- optional_policy(`
- amanda_rw_dumpdates_files(fsadm_t)
+ ifdef(`distro_redhat',`
+ optional_policy(`
@@ -166,6 +175,11 @@ optional_policy(`
')
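Review bot: The new side of this hunk drops the inner hunk that commented out `unconfined_domain(fsadm_t)` and leaves upstream's `ifdef(`distro_redhat',` optional_policy(` ... ') ')` block as plain context, so on a distro_redhat build that loads the unconfined module fsadm_t is presumably unconfined again, and none of the changelog entries mention it. The same roll-back appears in the lvm.te, modutils.te, raid.te and udev.te hunks below for clvmd_t, lvm_t, depmod_t, insmod_t, mdadm_t and udev_t, while the ldconfig.te hunk goes the other way and keeps the `unconfined_domain(ldconfig_t)` block deleted outright. If restoring these is intentional it deserves a changelog line such as `- Restore unconfined_domain() for fsadm_t, lvm_t, clvmd_t, depmod_t, insmod_t, mdadm_t and udev_t`; if it is not, the commented-out blocks should come back as real deletions the way ldconfig.te now does. The inner fstools.te hunk continues past the end of this outer hunk.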
@@ -62615,7 +62863,7 @@ index 808ba93..ed84884 100644
########################################
diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
-index e5836d3..b32b945 100644
+index e5836d3..c76046b 100644
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
@@ -61,7 +61,7 @@ allow ldconfig_t self:capability { dac_override sys_chroot };
@@ -62669,17 +62917,13 @@ index e5836d3..b32b945 100644
puppet_rw_tmp(ldconfig_t)
')
-@@ -141,6 +153,7 @@ optional_policy(`
+@@ -141,6 +153,3 @@ optional_policy(`
rpm_manage_script_tmp_files(ldconfig_t)
')
-optional_policy(`
- unconfined_domain(ldconfig_t)
-')
-+#optional_policy(`
-+# unconfined_domain(ldconfig_t)
-+#')
-+
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index a0b379d..2a55eab 100644
--- a/policy/modules/system/locallogin.te
@@ -63372,7 +63616,7 @@ index 58bc27f..51e9872 100644
+ allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms;
+')
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
-index a0a0ebf..4513ab9 100644
+index a0a0ebf..e55e967 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t)
@@ -63405,26 +63649,18 @@ index a0a0ebf..4513ab9 100644
manage_files_pattern(clvmd_t, clvmd_var_run_t, clvmd_var_run_t)
files_pid_filetrans(clvmd_t, clvmd_var_run_t, file)
-@@ -134,10 +141,15 @@ userdom_dontaudit_search_user_home_dirs(clvmd_t)
- lvm_domtrans(clvmd_t)
- lvm_read_config(clvmd_t)
+@@ -141,6 +148,11 @@ ifdef(`distro_redhat',`
+ ')
--ifdef(`distro_redhat',`
-- optional_policy(`
-- unconfined_domain(clvmd_t)
-- ')
-+#ifdef(`distro_redhat',`
-+# optional_policy(`
-+# unconfined_domain(clvmd_t)
-+# ')
-+#')
-+
-+optional_policy(`
+ optional_policy(`
+ aisexec_stream_connect(clvmd_t)
+ corosync_stream_connect(clvmd_t)
++')
++
++optional_policy(`
+ ccs_stream_connect(clvmd_t)
')
- optional_policy(`
@@ -167,9 +179,10 @@ optional_policy(`
# net_admin for multipath
allow lvm_t self:capability { dac_override fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio net_admin };
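Review bot: The new side puts `aisexec_stream_connect(clvmd_t)` and `corosync_stream_connect(clvmd_t)` together in one `optional_policy(` block, and the lvm_t hunk below does the same; optional_policy discards the whole block when any module it references is absent, so a build without the aisexec module silently loses the corosync rule as well, and vice versa. Since this hunk already moves `ccs_stream_connect(clvmd_t)` into its own block, give each of the two cluster stacks its own block too, e.g. `optional_policy(` aisexec_stream_connect(clvmd_t) ')` followed by `optional_policy(` corosync_stream_connect(clvmd_t) ')`. The clvmd_t policy continues outside this hunk.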
@@ -63530,7 +63766,7 @@ index a0a0ebf..4513ab9 100644
miscfiles_read_localization(lvm_t)
seutil_read_config(lvm_t)
-@@ -299,15 +324,23 @@ seutil_read_file_contexts(lvm_t)
+@@ -299,7 +324,10 @@ seutil_read_file_contexts(lvm_t)
seutil_search_default_contexts(lvm_t)
seutil_sigchld_newrole(lvm_t)
@@ -63541,22 +63777,18 @@ index a0a0ebf..4513ab9 100644
ifdef(`distro_redhat',`
# this is from the initrd:
- files_rw_isid_type_dirs(lvm_t)
+@@ -311,6 +339,11 @@ ifdef(`distro_redhat',`
+ ')
-- optional_policy(`
-- unconfined_domain(lvm_t)
-- ')
-+ #optional_policy(`
-+ # unconfined_domain(lvm_t)
-+ #')
+ optional_policy(`
++ aisexec_stream_connect(lvm_t)
++ corosync_stream_connect(lvm_t)
+')
+
+optional_policy(`
-+ aisexec_stream_connect(lvm_t)
-+ corosync_stream_connect(lvm_t)
+ bootloader_rw_tmp_files(lvm_t)
')
- optional_policy(`
@@ -331,14 +364,26 @@ optional_policy(`
')
@@ -63705,7 +63937,7 @@ index 9c0faab..dd6530e 100644
## loading modules.
## </summary>
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
-index a0eef20..8b724a5 100644
+index a0eef20..d5408ff 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -18,11 +18,12 @@ type insmod_t;
@@ -63761,21 +63993,15 @@ index a0eef20..8b724a5 100644
ifdef(`distro_ubuntu',`
optional_policy(`
-@@ -94,21 +102,22 @@ optional_policy(`
- rpm_manage_script_tmp_files(depmod_t)
+@@ -95,7 +103,6 @@ optional_policy(`
')
--optional_policy(`
+ optional_policy(`
- # Read System.map from home directories.
-- unconfined_domain(depmod_t)
--')
-+#optional_policy(`
-+# # Read System.map from home directories.
-+# unconfined_domain(depmod_t)
-+#')
+ unconfined_domain(depmod_t)
+ ')
- ########################################
- #
+@@ -104,11 +111,12 @@ optional_policy(`
# insmod local policy
#
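Review bot: The replacement inner hunk `@@ -95,7 +103,6 @@` deletes only the comment `# Read System.map from home directories.` and keeps the `unconfined_domain(depmod_t)` it justified, so the rule survives with no stated reason while the previous revision of the patch was commenting the rule out; the changelog does not mention depmod_t either way. Either drop the rule together with its comment, or keep the comment so the reason for leaving depmod_t unconfined stays next to the rule. The insmod_t block that follows begins in the next inner hunk.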
@@ -63789,7 +64015,7 @@ index a0eef20..8b724a5 100644
# Read module config and dependency information
list_dirs_pattern(insmod_t, modules_conf_t, modules_conf_t)
-@@ -118,6 +127,9 @@ read_files_pattern(insmod_t, modules_dep_t, modules_dep_t)
+@@ -118,6 +126,9 @@ read_files_pattern(insmod_t, modules_dep_t, modules_dep_t)
can_exec(insmod_t, insmod_exec_t)
@@ -63799,7 +64025,7 @@ index a0eef20..8b724a5 100644
kernel_load_module(insmod_t)
kernel_request_load_module(insmod_t)
kernel_read_system_state(insmod_t)
-@@ -126,6 +138,7 @@ kernel_write_proc_files(insmod_t)
+@@ -126,6 +137,7 @@ kernel_write_proc_files(insmod_t)
kernel_mount_debugfs(insmod_t)
kernel_mount_kvmfs(insmod_t)
kernel_read_debugfs(insmod_t)
@@ -63807,7 +64033,7 @@ index a0eef20..8b724a5 100644
# Rules for /proc/sys/kernel/tainted
kernel_read_kernel_sysctls(insmod_t)
kernel_rw_kernel_sysctl(insmod_t)
-@@ -143,6 +156,7 @@ dev_rw_agp(insmod_t)
+@@ -143,6 +155,7 @@ dev_rw_agp(insmod_t)
dev_read_sound(insmod_t)
dev_write_sound(insmod_t)
dev_rw_apm_bios(insmod_t)
@@ -63815,7 +64041,7 @@ index a0eef20..8b724a5 100644
domain_signal_all_domains(insmod_t)
domain_use_interactive_fds(insmod_t)
-@@ -161,11 +175,18 @@ files_write_kernel_modules(insmod_t)
+@@ -161,11 +174,18 @@ files_write_kernel_modules(insmod_t)
fs_getattr_xattr_fs(insmod_t)
fs_dontaudit_use_tmpfs_chr_dev(insmod_t)
@@ -63834,7 +64060,7 @@ index a0eef20..8b724a5 100644
logging_send_syslog_msg(insmod_t)
logging_search_logs(insmod_t)
-@@ -174,8 +195,7 @@ miscfiles_read_localization(insmod_t)
+@@ -174,8 +194,7 @@ miscfiles_read_localization(insmod_t)
seutil_read_file_contexts(insmod_t)
@@ -63844,7 +64070,7 @@ index a0eef20..8b724a5 100644
userdom_dontaudit_search_user_home_dirs(insmod_t)
if( ! secure_mode_insmod ) {
-@@ -187,28 +207,27 @@ optional_policy(`
+@@ -187,28 +206,27 @@ optional_policy(`
')
optional_policy(`
@@ -63879,13 +64105,7 @@ index a0eef20..8b724a5 100644
')
optional_policy(`
-@@ -231,11 +250,15 @@ optional_policy(`
- ')
-
- optional_policy(`
-- unconfined_domain(insmod_t)
-+ #unconfined_domain(insmod_t)
- unconfined_dontaudit_rw_pipes(insmod_t)
+@@ -236,6 +254,10 @@ optional_policy(`
')
optional_policy(`
@@ -63896,7 +64116,7 @@ index a0eef20..8b724a5 100644
# cjp: why is this needed:
dev_rw_xserver_misc(insmod_t)
-@@ -296,7 +319,7 @@ logging_send_syslog_msg(update_modules_t)
+@@ -296,7 +318,7 @@ logging_send_syslog_msg(update_modules_t)
miscfiles_read_localization(update_modules_t)
@@ -64651,7 +64871,7 @@ index b1a85b5..db0d815 100644
## </summary>
## <desc>
diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te
-index a19ecea..4e2ef36 100644
+index a19ecea..dbcca4d 100644
--- a/policy/modules/system/raid.te
+++ b/policy/modules/system/raid.te
@@ -10,11 +10,9 @@ type mdadm_exec_t;
@@ -64713,16 +64933,6 @@ index a19ecea..4e2ef36 100644
term_dontaudit_list_ptys(mdadm_t)
-@@ -95,6 +97,6 @@ optional_policy(`
- udev_read_db(mdadm_t)
- ')
-
--optional_policy(`
-- unconfined_domain(mdadm_t)
--')
-+#optional_policy(`
-+# unconfined_domain(mdadm_t)
-+#')
diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc
index 2cc4bda..167c358 100644
--- a/policy/modules/system/selinuxutil.fc
@@ -65190,7 +65400,7 @@ index 170e2c7..b85fc73 100644
+ ')
+')
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index 7ed9819..3e78f42 100644
+index 7ed9819..4e8cb38 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -22,6 +22,9 @@ attribute can_relabelto_binary_policy;
@@ -65500,11 +65710,11 @@ index 7ed9819..3e78f42 100644
-
-# Running genhomedircon requires this for finding all users
-auth_use_nsswitch(semanage_t)
--
--locallogin_use_fds(semanage_t)
+# Admins are creating pp files in random locations
+files_read_non_security_files(semanage_t)
+-locallogin_use_fds(semanage_t)
+-
-logging_send_syslog_msg(semanage_t)
-
-miscfiles_read_localization(semanage_t)
@@ -65594,25 +65804,25 @@ index 7ed9819..3e78f42 100644
-selinux_compute_create_context(setfiles_t)
-selinux_compute_relabel_context(setfiles_t)
-selinux_compute_user_contexts(setfiles_t)
--
++init_dontaudit_use_fds(setsebool_t)
+
-term_use_all_ttys(setfiles_t)
-term_use_all_ptys(setfiles_t)
-term_use_unallocated_ttys(setfiles_t)
--
--# this is to satisfy the assertion:
--auth_relabelto_shadow(setfiles_t)
-+init_dontaudit_use_fds(setsebool_t)
-
--init_use_fds(setfiles_t)
--init_use_script_fds(setfiles_t)
--init_use_script_ptys(setfiles_t)
--init_exec_script_files(setfiles_t)
+# Bug in semanage
+seutil_domtrans_setfiles(setsebool_t)
+seutil_manage_file_contexts(setsebool_t)
+seutil_manage_default_contexts(setsebool_t)
+seutil_manage_config(setsebool_t)
+-# this is to satisfy the assertion:
+-auth_relabelto_shadow(setfiles_t)
+-
+-init_use_fds(setfiles_t)
+-init_use_script_fds(setfiles_t)
+-init_use_script_ptys(setfiles_t)
+-init_exec_script_files(setfiles_t)
+-
-logging_send_syslog_msg(setfiles_t)
+########################################
+#
@@ -65679,12 +65889,10 @@ index 7ed9819..3e78f42 100644
')
')
--optional_policy(`
+ optional_policy(`
- hotplug_use_fds(setfiles_t)
--')
-+#optional_policy(`
-+# unconfined_domain(setfiles_mac_t)
-+#')
++ unconfined_domain(setfiles_mac_t)
+ ')
diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
index 1447687..cdc0223 100644
--- a/policy/modules/system/setrans.te
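Review bot: `unconfined_domain(setfiles_mac_t)` is now a live rule (outer `++`) where the previous revision carried it commented out, and unlike the other unconfined_domain changes in this commit it is a Fedora-only addition rather than restored upstream context, yet the changelog does not list it. If setfiles_mac_t exists so that install tooling can relabel with full privilege, record that above the block with something like `# setfiles_mac_t is run by installers to relabel whole trees; keep it unconfined`; if it does not, the relabel interfaces the regular setfiles domain gets may already be enough and this block should stay out. The setfiles_mac_t declaration and the rest of its policy are outside this hunk.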
@@ -66634,10 +66842,10 @@ index 0000000..fc27830
+
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..f4df137
+index 0000000..d1bcd34
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,350 @@
+@@ -0,0 +1,346 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -66649,15 +66857,10 @@ index 0000000..f4df137
+attribute systemd_domain;
+attribute systemctl_domain;
+
-+# New in f16
-+permissive systemd_logger_t;
-+
+type systemd_logger_t;
+type systemd_logger_exec_t;
+init_systemd_domain(systemd_logger_t, systemd_logger_exec_t)
+
-+permissive systemd_logind_t;
-+
+type systemd_logind_t;
+type systemd_logind_exec_t;
+init_systemd_domain(systemd_logind_t, systemd_logind_exec_t)
@@ -66725,9 +66928,10 @@ index 0000000..f4df137
+dev_getattr_all_chr_files(systemd_logind_t)
+dev_getattr_all_blk_files(systemd_logind_t)
+dev_setattr_dri_dev(systemd_logind_t)
++dev_setattr_kvm_dev(systemd_logind_t)
+dev_setattr_sound_dev(systemd_logind_t)
++dev_setattr_generic_usb_dev(systemd_logind_t)
+dev_setattr_video_dev(systemd_logind_t)
-+dev_setattr_kvm_dev(systemd_logind_t)
+
+# /etc/udev/udev.conf should probably have a private type if only for confined administration
+# /etc/nsswitch.conf
@@ -67210,15 +67414,10 @@ index 025348a..c15e57c 100644
+')
+
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index d88f7c3..91fae52 100644
+index d88f7c3..2627fa4 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
-@@ -14,17 +14,17 @@ domain_entry_file(udev_t, udev_helper_exec_t)
- domain_interactive_fd(udev_t)
- init_daemon_domain(udev_t, udev_exec_t)
-
-+permissive udev_t;
-+
+@@ -17,14 +17,12 @@ init_daemon_domain(udev_t, udev_exec_t)
type udev_etc_t alias etc_udev_t;
files_config_file(udev_etc_t)
@@ -67234,7 +67433,7 @@ index d88f7c3..91fae52 100644
ifdef(`enable_mcs',`
kernel_ranged_domtrans_to(udev_t, udev_exec_t, s0 - mcs_systemhigh)
-@@ -38,6 +38,12 @@ ifdef(`enable_mcs',`
+@@ -38,6 +36,12 @@ ifdef(`enable_mcs',`
allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace };
dontaudit udev_t self:capability sys_tty_config;
@@ -67247,7 +67446,7 @@ index d88f7c3..91fae52 100644
allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow udev_t self:process { execmem setfscreate };
allow udev_t self:fd use;
-@@ -52,6 +58,7 @@ allow udev_t self:unix_dgram_socket sendto;
+@@ -52,6 +56,7 @@ allow udev_t self:unix_dgram_socket sendto;
allow udev_t self:unix_stream_socket connectto;
allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
allow udev_t self:rawip_socket create_socket_perms;
@@ -67255,7 +67454,7 @@ index d88f7c3..91fae52 100644
allow udev_t udev_exec_t:file write;
can_exec(udev_t, udev_exec_t)
-@@ -62,17 +69,16 @@ can_exec(udev_t, udev_helper_exec_t)
+@@ -62,17 +67,16 @@ can_exec(udev_t, udev_helper_exec_t)
# read udev config
allow udev_t udev_etc_t:file read_file_perms;
@@ -67278,7 +67477,7 @@ index d88f7c3..91fae52 100644
kernel_read_system_state(udev_t)
kernel_request_load_module(udev_t)
-@@ -87,6 +93,7 @@ kernel_rw_unix_dgram_sockets(udev_t)
+@@ -87,6 +91,7 @@ kernel_rw_unix_dgram_sockets(udev_t)
kernel_dgram_send(udev_t)
kernel_signal(udev_t)
kernel_search_debugfs(udev_t)
@@ -67286,7 +67485,7 @@ index d88f7c3..91fae52 100644
#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
kernel_rw_net_sysctls(udev_t)
-@@ -97,6 +104,7 @@ corecmd_exec_all_executables(udev_t)
+@@ -97,6 +102,7 @@ corecmd_exec_all_executables(udev_t)
dev_rw_sysfs(udev_t)
dev_manage_all_dev_nodes(udev_t)
@@ -67294,7 +67493,7 @@ index d88f7c3..91fae52 100644
dev_rw_generic_files(udev_t)
dev_delete_generic_files(udev_t)
dev_search_usbfs(udev_t)
-@@ -105,21 +113,29 @@ dev_relabel_all_dev_nodes(udev_t)
+@@ -105,21 +111,29 @@ dev_relabel_all_dev_nodes(udev_t)
# preserved, instead of short circuiting the relabel
dev_relabel_generic_symlinks(udev_t)
dev_manage_generic_symlinks(udev_t)
@@ -67325,7 +67524,7 @@ index d88f7c3..91fae52 100644
mcs_ptrace_all(udev_t)
-@@ -143,6 +159,7 @@ auth_use_nsswitch(udev_t)
+@@ -143,6 +157,7 @@ auth_use_nsswitch(udev_t)
init_read_utmp(udev_t)
init_dontaudit_write_utmp(udev_t)
init_getattr_initctl(udev_t)
@@ -67333,7 +67532,7 @@ index d88f7c3..91fae52 100644
logging_search_logs(udev_t)
logging_send_syslog_msg(udev_t)
-@@ -169,6 +186,8 @@ sysnet_signal_dhcpc(udev_t)
+@@ -169,6 +184,8 @@ sysnet_signal_dhcpc(udev_t)
sysnet_manage_config(udev_t)
sysnet_etc_filetrans_config(udev_t)
@@ -67342,7 +67541,7 @@ index d88f7c3..91fae52 100644
userdom_dontaudit_search_user_home_content(udev_t)
ifdef(`distro_gentoo',`
-@@ -186,15 +205,16 @@ ifdef(`distro_redhat',`
+@@ -186,8 +203,9 @@ ifdef(`distro_redhat',`
fs_manage_tmpfs_chr_files(udev_t)
fs_relabel_tmpfs_blk_file(udev_t)
fs_relabel_tmpfs_chr_file(udev_t)
@@ -67353,17 +67552,7 @@ index d88f7c3..91fae52 100644
# for arping used for static IP addresses on PCMCIA ethernet
netutils_domtrans(udev_t)
-
-- optional_policy(`
-- unconfined_domain(udev_t)
-- ')
-+ #optional_policy(`
-+ # unconfined_domain(udev_t)
-+ #')
- ')
-
- optional_policy(`
-@@ -216,11 +236,16 @@ optional_policy(`
+@@ -216,11 +234,16 @@ optional_policy(`
')
optional_policy(`
@@ -67381,7 +67570,7 @@ index d88f7c3..91fae52 100644
')
optional_policy(`
-@@ -230,10 +255,20 @@ optional_policy(`
+@@ -230,10 +253,20 @@ optional_policy(`
optional_policy(`
devicekit_read_pid_files(udev_t)
devicekit_dgram_send(udev_t)
@@ -67402,7 +67591,7 @@ index d88f7c3..91fae52 100644
')
optional_policy(`
-@@ -259,6 +294,10 @@ optional_policy(`
+@@ -259,6 +292,10 @@ optional_policy(`
')
optional_policy(`
@@ -67413,7 +67602,7 @@ index d88f7c3..91fae52 100644
openct_read_pid_files(udev_t)
openct_domtrans(udev_t)
')
-@@ -273,6 +312,11 @@ optional_policy(`
+@@ -273,6 +310,11 @@ optional_policy(`
')
optional_policy(`
@@ -68200,7 +68389,7 @@ index db75976..cca4cd1 100644
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 4b2878a..07569a4 100644
+index 4b2878a..022f6e7 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -69342,7 +69531,7 @@ index 4b2878a..07569a4 100644
files_read_kernel_symbol_table($1_t)
ifndef(`enable_mls',`
-@@ -978,23 +1238,71 @@ template(`userdom_unpriv_user_template', `
+@@ -978,23 +1238,72 @@ template(`userdom_unpriv_user_template', `
')
')
@@ -69420,10 +69609,11 @@ index 4b2878a..07569a4 100644
- netutils_run_ping_cond($1_t, $1_r)
- netutils_run_traceroute_cond($1_t, $1_r)
+ postfix_run_postdrop($1_t, $1_r)
++ postfix_search_spool($1_t)
')
# Run pppd in pppd_t by default for user
-@@ -1003,7 +1311,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1003,7 +1312,9 @@ template(`userdom_unpriv_user_template', `
')
optional_policy(`
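Review bot: `postfix_search_spool($1_t)` is granted to every unprivileged user domain directly in the template, next to `postfix_run_postdrop($1_t, $1_r)`; if the search is needed only so the sendmail wrapper can stat the spool before the transition to postfix_postdrop_t, it belongs inside `postfix_run_postdrop()` so every caller of that interface gets it consistently and the template does not accumulate postfix internals. If some other user program needs it, a one-line comment naming it would keep this from reading as a leftover. The userdom_unpriv_user_template this lands in starts well before this hunk.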
@@ -69434,7 +69624,7 @@ index 4b2878a..07569a4 100644
')
')
-@@ -1039,7 +1349,7 @@ template(`userdom_unpriv_user_template', `
+@@ -1039,7 +1350,7 @@ template(`userdom_unpriv_user_template', `
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -69443,7 +69633,7 @@ index 4b2878a..07569a4 100644
')
##############################
-@@ -1066,6 +1376,7 @@ template(`userdom_admin_user_template',`
+@@ -1066,6 +1377,7 @@ template(`userdom_admin_user_template',`
#
allow $1_t self:capability ~{ sys_module audit_control audit_write };
@@ -69451,7 +69641,7 @@ index 4b2878a..07569a4 100644
allow $1_t self:process { setexec setfscreate };
allow $1_t self:netlink_audit_socket nlmsg_readpriv;
allow $1_t self:tun_socket create;
-@@ -1074,6 +1385,9 @@ template(`userdom_admin_user_template',`
+@@ -1074,6 +1386,9 @@ template(`userdom_admin_user_template',`
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -69461,7 +69651,7 @@ index 4b2878a..07569a4 100644
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1088,6 +1402,7 @@ template(`userdom_admin_user_template',`
+@@ -1088,6 +1403,7 @@ template(`userdom_admin_user_template',`
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -69469,7 +69659,7 @@ index 4b2878a..07569a4 100644
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1105,10 +1420,13 @@ template(`userdom_admin_user_template',`
+@@ -1105,10 +1421,13 @@ template(`userdom_admin_user_template',`
dev_rename_all_blk_files($1_t)
dev_rename_all_chr_files($1_t)
dev_create_generic_symlinks($1_t)
@@ -69483,7 +69673,7 @@ index 4b2878a..07569a4 100644
domain_dontaudit_ptrace_all_domains($1_t)
# signal all domains:
domain_kill_all_domains($1_t)
-@@ -1119,29 +1437,38 @@ template(`userdom_admin_user_template',`
+@@ -1119,29 +1438,38 @@ template(`userdom_admin_user_template',`
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
@@ -69526,7 +69716,7 @@ index 4b2878a..07569a4 100644
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
-@@ -1151,6 +1478,8 @@ template(`userdom_admin_user_template',`
+@@ -1151,6 +1479,8 @@ template(`userdom_admin_user_template',`
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -69535,7 +69725,7 @@ index 4b2878a..07569a4 100644
userdom_manage_user_home_content_dirs($1_t)
userdom_manage_user_home_content_files($1_t)
userdom_manage_user_home_content_symlinks($1_t)
-@@ -1210,6 +1539,8 @@ template(`userdom_security_admin_template',`
+@@ -1210,6 +1540,8 @@ template(`userdom_security_admin_template',`
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -69544,7 +69734,7 @@ index 4b2878a..07569a4 100644
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1222,8 +1553,9 @@ template(`userdom_security_admin_template',`
+@@ -1222,8 +1554,9 @@ template(`userdom_security_admin_template',`
selinux_set_enforce_mode($1)
selinux_set_all_booleans($1)
selinux_set_parameters($1)
@@ -69555,7 +69745,7 @@ index 4b2878a..07569a4 100644
auth_relabel_shadow($1)
init_exec($1)
-@@ -1234,13 +1566,24 @@ template(`userdom_security_admin_template',`
+@@ -1234,13 +1567,24 @@ template(`userdom_security_admin_template',`
logging_read_audit_config($1)
seutil_manage_bin_policy($1)
@@ -69584,7 +69774,7 @@ index 4b2878a..07569a4 100644
')
optional_policy(`
-@@ -1251,12 +1594,12 @@ template(`userdom_security_admin_template',`
+@@ -1251,12 +1595,12 @@ template(`userdom_security_admin_template',`
dmesg_exec($1)
')
@@ -69600,7 +69790,7 @@ index 4b2878a..07569a4 100644
')
optional_policy(`
-@@ -1279,54 +1622,66 @@ template(`userdom_security_admin_template',`
+@@ -1279,54 +1623,66 @@ template(`userdom_security_admin_template',`
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@@ -69682,7 +69872,7 @@ index 4b2878a..07569a4 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1334,7 +1689,44 @@ interface(`userdom_setattr_user_ptys',`
+@@ -1334,7 +1690,44 @@ interface(`userdom_setattr_user_ptys',`
## </summary>
## </param>
#
@@ -69728,7 +69918,7 @@ index 4b2878a..07569a4 100644
gen_require(`
type user_devpts_t;
')
-@@ -1395,6 +1787,7 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1395,6 +1788,7 @@ interface(`userdom_search_user_home_dirs',`
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -69736,7 +69926,7 @@ index 4b2878a..07569a4 100644
files_search_home($1)
')
-@@ -1441,6 +1834,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1441,6 +1835,14 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -69751,7 +69941,7 @@ index 4b2878a..07569a4 100644
')
########################################
-@@ -1456,9 +1857,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1456,9 +1858,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -69763,7 +69953,7 @@ index 4b2878a..07569a4 100644
')
########################################
-@@ -1515,6 +1918,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1515,6 +1919,42 @@ interface(`userdom_relabelto_user_home_dirs',`
allow $1 user_home_dir_t:dir relabelto;
')
@@ -69806,7 +69996,7 @@ index 4b2878a..07569a4 100644
########################################
## <summary>
## Create directories in the home dir root with
-@@ -1589,6 +2028,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1589,6 +2029,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -69815,7 +70005,7 @@ index 4b2878a..07569a4 100644
')
########################################
-@@ -1603,10 +2044,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1603,10 +2045,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -69830,7 +70020,7 @@ index 4b2878a..07569a4 100644
')
########################################
-@@ -1649,6 +2092,43 @@ interface(`userdom_delete_user_home_content_dirs',`
+@@ -1649,6 +2093,43 @@ interface(`userdom_delete_user_home_content_dirs',`
########################################
## <summary>
@@ -69874,7 +70064,7 @@ index 4b2878a..07569a4 100644
## Do not audit attempts to set the
## attributes of user home files.
## </summary>
-@@ -1668,6 +2148,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1668,6 +2149,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
########################################
## <summary>
@@ -69900,7 +70090,7 @@ index 4b2878a..07569a4 100644
## Mmap user home files.
## </summary>
## <param name="domain">
-@@ -1700,12 +2199,32 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1700,12 +2200,32 @@ interface(`userdom_read_user_home_content_files',`
type user_home_dir_t, user_home_t;
')
@@ -69933,7 +70123,7 @@ index 4b2878a..07569a4 100644
## Do not audit attempts to read user home files.
## </summary>
## <param name="domain">
-@@ -1716,11 +2235,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1716,11 +2236,14 @@ interface(`userdom_read_user_home_content_files',`
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -69951,7 +70141,7 @@ index 4b2878a..07569a4 100644
')
########################################
-@@ -1779,6 +2301,60 @@ interface(`userdom_delete_user_home_content_files',`
+@@ -1779,6 +2302,60 @@ interface(`userdom_delete_user_home_content_files',`
########################################
## <summary>
@@ -70012,7 +70202,7 @@ index 4b2878a..07569a4 100644
## Do not audit attempts to write user home files.
## </summary>
## <param name="domain">
-@@ -1810,8 +2386,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1810,8 +2387,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@@ -70022,7 +70212,7 @@ index 4b2878a..07569a4 100644
')
########################################
-@@ -1827,20 +2402,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1827,20 +2403,14 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -70047,7 +70237,7 @@ index 4b2878a..07569a4 100644
########################################
## <summary>
-@@ -1941,6 +2510,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
+@@ -1941,6 +2511,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
########################################
## <summary>
@@ -70072,7 +70262,7 @@ index 4b2878a..07569a4 100644
## Create, read, write, and delete named pipes
## in a user home subdirectory.
## </summary>
-@@ -2008,7 +2595,7 @@ interface(`userdom_user_home_dir_filetrans',`
+@@ -2008,7 +2596,7 @@ interface(`userdom_user_home_dir_filetrans',`
type user_home_dir_t;
')
@@ -70081,7 +70271,7 @@ index 4b2878a..07569a4 100644
files_search_home($1)
')
-@@ -2182,7 +2769,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2182,7 +2770,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -70090,7 +70280,7 @@ index 4b2878a..07569a4 100644
')
########################################
-@@ -2390,7 +2977,7 @@ interface(`userdom_user_tmp_filetrans',`
+@@ -2390,7 +2978,7 @@ interface(`userdom_user_tmp_filetrans',`
type user_tmp_t;
')
@@ -70099,7 +70289,7 @@ index 4b2878a..07569a4 100644
files_search_tmp($1)
')
-@@ -2435,13 +3022,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2435,13 +3023,14 @@ interface(`userdom_read_user_tmpfs_files',`
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -70115,7 +70305,7 @@ index 4b2878a..07569a4 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2462,26 +3050,6 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2462,26 +3051,6 @@ interface(`userdom_rw_user_tmpfs_files',`
########################################
## <summary>
@@ -70142,7 +70332,7 @@ index 4b2878a..07569a4 100644
## Get the attributes of a user domain tty.
## </summary>
## <param name="domain">
-@@ -2572,7 +3140,7 @@ interface(`userdom_use_user_ttys',`
+@@ -2572,7 +3141,7 @@ interface(`userdom_use_user_ttys',`
########################################
## <summary>
@@ -70151,7 +70341,7 @@ index 4b2878a..07569a4 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2580,70 +3148,138 @@ interface(`userdom_use_user_ttys',`
+@@ -2580,70 +3149,138 @@ interface(`userdom_use_user_ttys',`
## </summary>
## </param>
#
@@ -70320,7 +70510,7 @@ index 4b2878a..07569a4 100644
########################################
## <summary>
## Execute a shell in all user domains. This
-@@ -2736,24 +3372,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
+@@ -2736,24 +3373,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
@@ -70345,7 +70535,7 @@ index 4b2878a..07569a4 100644
########################################
## <summary>
## Manage unpriviledged user SysV sempaphores.
-@@ -2772,25 +3390,6 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -2772,25 +3391,6 @@ interface(`userdom_manage_unpriv_user_semaphores',`
allow $1 unpriv_userdomain:sem create_sem_perms;
')
@@ -70371,7 +70561,7 @@ index 4b2878a..07569a4 100644
########################################
## <summary>
## Manage unpriviledged user SysV shared
-@@ -2852,7 +3451,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2852,7 +3452,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -70380,7 +70570,7 @@ index 4b2878a..07569a4 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -2868,29 +3467,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2868,29 +3468,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -70414,7 +70604,7 @@ index 4b2878a..07569a4 100644
')
########################################
-@@ -2972,7 +3555,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -2972,7 +3556,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -70423,7 +70613,7 @@ index 4b2878a..07569a4 100644
')
########################################
-@@ -3027,7 +3610,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3027,7 +3611,45 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -70470,7 +70660,7 @@ index 4b2878a..07569a4 100644
')
########################################
-@@ -3064,6 +3685,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3064,6 +3686,7 @@ interface(`userdom_read_all_users_state',`
')
read_files_pattern($1, userdomain, userdomain)
@@ -70478,7 +70668,7 @@ index 4b2878a..07569a4 100644
kernel_search_proc($1)
')
-@@ -3142,6 +3764,24 @@ interface(`userdom_signal_all_users',`
+@@ -3142,6 +3765,24 @@ interface(`userdom_signal_all_users',`
########################################
## <summary>
@@ -70503,7 +70693,7 @@ index 4b2878a..07569a4 100644
## Send a SIGCHLD signal to all user domains.
## </summary>
## <param name="domain">
-@@ -3194,3 +3834,1076 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3194,3 +3835,1076 @@ interface(`userdom_dbus_send_all_users',`
allow $1 userdomain:dbus send_msg;
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index cca2336..23c0704 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 21%{?dist}
+Release: 22%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -466,6 +466,16 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Mon Aug 29 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-22
+- Allow Postfix to deliver to Dovecot LMTP socket
+- Ignore bogus sys_module for lldpad
+- Allow chrony and gpsd to send dgrams, gpsd needs to write to the real time clock
+- systemd_logind_t sets the attributes on usb devices
+- Allow hddtemp_t to read etc_t files
+- Add permissivedomains module
+- Move all permissive domains calls to permissivedomain.te
+- Allow pegasis to send kill signals to other UIDs
+
* Wed Aug 24 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-21
- Allow insmod_t to use fds leaked from devicekit
- dontaudit getattr between insmod_t and init_t unix_stream_sockets