[selinux-policy] - Add firewalld policy - Allow vmware_host to read samba config - Kernel wants to read /proc Fix dup

Miroslav Grepl mgrepl at fedoraproject.org
Tue Jan 11 12:45:00 UTC 2011


commit b1863350de219dbdae5a5bd3b65b4453d99e21e7
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Tue Jan 11 13:44:47 2011 +0000

    - Add firewalld policy
    - Allow vmware_host to read samba config
    - Kernel wants to read /proc Fix duplicate grub def in cobbler
    - Chrony sends mail, executes shell, uses fifo_file and reads /proc
    - devicekitdisk getattr all file systems
    - smbd daemon writes wtmp file
    - libvirt transitions to dmidecode

 modules-targeted.conf |    7 +
 policy-F15.patch      |  569 +++++++++++++++++++++++++++++++++++++++++--------
 selinux-policy.spec   |   11 +-
 3 files changed, 494 insertions(+), 93 deletions(-)
---
diff --git a/modules-targeted.conf b/modules-targeted.conf
index 5fd759d..905cd44 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -2328,3 +2328,10 @@ milter = module
 # /etc/sysconfig/keyboard and writes out an xorg.conf.d snippet
 #
 keyboardd = module
+
+# Layer: services
+# Module: firewalld
+#
+# firewalld is firewall service daemon that provides dynamic customizable
+# 
+firewalld = module
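Review bot: The description comment for the new firewalld entry is truncated — `# firewalld is firewall service daemon that provides dynamic customizable` stops mid-sentence and is followed by an empty `# ` line, while the keyboardd entry just above has a complete description. Finish the sentence, e.g. `# firewalld is a firewall service daemon that provides a dynamically managed firewall`, and drop the stray `# ` line so the entry matches the format of the others in this file.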
diff --git a/policy-F15.patch b/policy-F15.patch
index af42ac2..bb4ab9d 100644
--- a/policy-F15.patch
+++ b/policy-F15.patch
@@ -352,7 +352,7 @@ index 63eb96b..17a9f6d 100644
  ## <summary>
  ##	Execute bootloader interactively and do
 diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
-index d3da8f2..c171daf 100644
+index d3da8f2..9799904 100644
 --- a/policy/modules/admin/bootloader.te
 +++ b/policy/modules/admin/bootloader.te
 @@ -23,7 +23,7 @@ role system_r types bootloader_t;
@@ -364,6 +364,17 @@ index d3da8f2..c171daf 100644
  
  #
  # The temp file is used for initrd creation;
+@@ -171,6 +171,10 @@ ifdef(`distro_redhat',`
+ ')
+ 
+ optional_policy(`
++	devicekit_dontaudit_read_pid_files(bootloader_t)
++')
++
++optional_policy(`
+ 	fstools_exec(bootloader_t)
+ ')
+ 
 diff --git a/policy/modules/admin/brctl.if b/policy/modules/admin/brctl.if
 index 2c2cdb6..73b3814 100644
 --- a/policy/modules/admin/brctl.if
@@ -416,10 +427,18 @@ index 9de382b..682e78e 100644
  optional_policy(`
  	apache_exec_modules(certwatch_t)
 diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te
-index cd5e005..7f3f992 100644
+index cd5e005..24f73ca 100644
 --- a/policy/modules/admin/consoletype.te
 +++ b/policy/modules/admin/consoletype.te
-@@ -79,16 +79,18 @@ optional_policy(`
+@@ -48,6 +48,7 @@ mls_file_read_all_levels(consoletype_t)
+ mls_file_write_all_levels(consoletype_t)
+ 
+ term_use_all_terms(consoletype_t)
++term_use_ptmx(consoletype_t)
+ 
+ init_use_fds(consoletype_t)
+ init_use_script_ptys(consoletype_t)
+@@ -79,16 +80,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -442,7 +461,7 @@ index cd5e005..7f3f992 100644
  ')
  
  optional_policy(`
-@@ -114,6 +116,7 @@ optional_policy(`
+@@ -114,6 +117,7 @@ optional_policy(`
  
  optional_policy(`
  	userdom_use_unpriv_users_fds(consoletype_t)
@@ -1764,7 +1783,7 @@ index d0604cf..679d61c 100644
  ## </summary>
  ## <param name="domain">
 diff --git a/policy/modules/admin/shutdown.te b/policy/modules/admin/shutdown.te
-index 8966ec9..80939b0 100644
+index 8966ec9..fb8d63f 100644
 --- a/policy/modules/admin/shutdown.te
 +++ b/policy/modules/admin/shutdown.te
 @@ -7,6 +7,7 @@ policy_module(shutdown, 1.1.0)
@@ -1775,7 +1794,14 @@ index 8966ec9..80939b0 100644
  application_domain(shutdown_t, shutdown_exec_t)
  role system_r types shutdown_t;
  
-@@ -38,13 +39,14 @@ domain_use_interactive_fds(shutdown_t)
+@@ -33,18 +34,21 @@ files_etc_filetrans(shutdown_t, shutdown_etc_t, file)
+ manage_files_pattern(shutdown_t, shutdown_var_run_t, shutdown_var_run_t)
+ files_pid_filetrans(shutdown_t, shutdown_var_run_t, file)
+ 
++kernel_read_system_state(shutdown_t)
++
+ domain_use_interactive_fds(shutdown_t)
+ 
  files_read_etc_files(shutdown_t)
  files_read_generic_pids(shutdown_t)
  
@@ -1792,7 +1818,7 @@ index 8966ec9..80939b0 100644
  init_stream_connect(shutdown_t)
  init_telinit(shutdown_t)
  
-@@ -59,5 +61,10 @@ optional_policy(`
+@@ -59,5 +63,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -2001,7 +2027,7 @@ index 81fb26f..cd18ca8 100644
  
  	optional_policy(`
 diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 441cf22..e1b55f8 100644
+index 441cf22..b90d4cc 100644
 --- a/policy/modules/admin/usermanage.te
 +++ b/policy/modules/admin/usermanage.te
 @@ -88,9 +88,7 @@ fs_search_auto_mountpoints(chfn_t)
@@ -2015,7 +2041,17 @@ index 441cf22..e1b55f8 100644
  
  # allow checking if a shell is executable
  corecmd_check_exec_shell(chfn_t)
-@@ -291,17 +289,18 @@ selinux_compute_create_context(passwd_t)
+@@ -194,8 +192,7 @@ selinux_compute_create_context(groupadd_t)
+ selinux_compute_relabel_context(groupadd_t)
+ selinux_compute_user_contexts(groupadd_t)
+ 
+-term_use_all_ttys(groupadd_t)
+-term_use_all_ptys(groupadd_t)
++term_use_all_terms(groupadd_t)
+ 
+ init_use_fds(groupadd_t)
+ init_read_utmp(groupadd_t)
+@@ -291,17 +288,18 @@ selinux_compute_create_context(passwd_t)
  selinux_compute_relabel_context(passwd_t)
  selinux_compute_user_contexts(passwd_t)
  
@@ -2038,7 +2074,7 @@ index 441cf22..e1b55f8 100644
  
  domain_use_interactive_fds(passwd_t)
  
-@@ -332,6 +331,7 @@ userdom_read_user_tmp_files(passwd_t)
+@@ -332,6 +330,7 @@ userdom_read_user_tmp_files(passwd_t)
  # user generally runs this from their home directory, so do not audit a search
  # on user home dir
  userdom_dontaudit_search_user_home_content(passwd_t)
@@ -2046,7 +2082,17 @@ index 441cf22..e1b55f8 100644
  
  optional_policy(`
  	nscd_domtrans(passwd_t)
-@@ -426,7 +426,7 @@ optional_policy(`
+@@ -381,8 +380,7 @@ dev_read_urand(sysadm_passwd_t)
+ fs_getattr_xattr_fs(sysadm_passwd_t)
+ fs_search_auto_mountpoints(sysadm_passwd_t)
+ 
+-term_use_all_ttys(sysadm_passwd_t)
+-term_use_all_ptys(sysadm_passwd_t)
++term_use_all_terms(sysadm_passwd_t)
+ 
+ auth_manage_shadow(sysadm_passwd_t)
+ auth_relabel_shadow(sysadm_passwd_t)
+@@ -426,7 +424,7 @@ optional_policy(`
  # Useradd local policy
  #
  
@@ -2055,7 +2101,17 @@ index 441cf22..e1b55f8 100644
  dontaudit useradd_t self:capability sys_tty_config;
  allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow useradd_t self:process setfscreate;
-@@ -498,12 +498,8 @@ seutil_domtrans_setfiles(useradd_t)
+@@ -469,8 +467,7 @@ selinux_compute_create_context(useradd_t)
+ selinux_compute_relabel_context(useradd_t)
+ selinux_compute_user_contexts(useradd_t)
+ 
+-term_use_all_ttys(useradd_t)
+-term_use_all_ptys(useradd_t)
++term_use_all_terms(useradd_t)
+ 
+ auth_domtrans_chk_passwd(useradd_t)
+ auth_rw_lastlog(useradd_t)
+@@ -498,12 +495,8 @@ seutil_domtrans_setfiles(useradd_t)
  
  userdom_use_unpriv_users_fds(useradd_t)
  # Add/remove user home directories
@@ -6857,6 +6913,19 @@ index 0000000..5259647
 +	mozilla_dontaudit_rw_user_home_files(sandbox_x_domain)
 +')
 +
+diff --git a/policy/modules/apps/screen.if b/policy/modules/apps/screen.if
+index 320df26..879e804 100644
+--- a/policy/modules/apps/screen.if
++++ b/policy/modules/apps/screen.if
+@@ -81,8 +81,6 @@ template(`screen_role_template',`
+ 	relabel_lnk_files_pattern($3, screen_home_t, screen_home_t)
+ 
+ 	manage_dirs_pattern($3, screen_var_run_t, screen_var_run_t)
+-	manage_files_pattern($3, screen_var_run_t, screen_var_run_t)
+-	manage_lnk_files_pattern($3, screen_var_run_t, screen_var_run_t)
+ 	manage_fifo_files_pattern($3, screen_var_run_t, screen_var_run_t)
+ 
+ 	kernel_read_system_state($1_screen_t)
 diff --git a/policy/modules/apps/seunshare.if b/policy/modules/apps/seunshare.if
 index 1dc7a85..7455c19 100644
 --- a/policy/modules/apps/seunshare.if
@@ -7187,10 +7256,10 @@ index 0000000..46368cc
 +')
 diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te
 new file mode 100644
-index 0000000..24f8037
+index 0000000..d4e5e9e
 --- /dev/null
 +++ b/policy/modules/apps/telepathy.te
-@@ -0,0 +1,329 @@
+@@ -0,0 +1,331 @@
 +
 +policy_module(telepathy, 1.0.0)
 +
@@ -7374,6 +7443,8 @@ index 0000000..24f8037
 +
 +dev_read_rand(telepathy_mission_control_t)
 +
++fs_getattr_all_fs(telepathy_mission_control_t)
++
 +files_read_etc_files(telepathy_mission_control_t)
 +files_read_usr_files(telepathy_mission_control_t)
 +
@@ -7681,7 +7752,7 @@ index 5872ea2..028c994 100644
  /var/run/vmnat.* 		-s	gen_context(system_u:object_r:vmware_var_run_t,s0)
  /var/run/vmware.* 			gen_context(system_u:object_r:vmware_var_run_t,s0)
 diff --git a/policy/modules/apps/vmware.te b/policy/modules/apps/vmware.te
-index c76ceb2..d7df452 100644
+index c76ceb2..9562e78 100644
 --- a/policy/modules/apps/vmware.te
 +++ b/policy/modules/apps/vmware.te
 @@ -126,6 +126,7 @@ dev_getattr_all_blk_files(vmware_host_t)
@@ -7708,7 +7779,7 @@ index c76ceb2..d7df452 100644
  
  userdom_dontaudit_use_unpriv_user_fds(vmware_host_t)
  userdom_dontaudit_search_user_home_dirs(vmware_host_t)
-@@ -158,8 +161,19 @@ userdom_dontaudit_search_user_home_dirs(vmware_host_t)
+@@ -158,8 +161,23 @@ userdom_dontaudit_search_user_home_dirs(vmware_host_t)
  netutils_domtrans_ping(vmware_host_t)
  
  optional_policy(`
@@ -7720,6 +7791,10 @@ index c76ceb2..d7df452 100644
 +') 
 +
 +optional_policy(`
++	samba_read_config(vmware_host_t)
++')
++
++optional_policy(`
  	seutil_sigchld_newrole(vmware_host_t)
 +')
  
@@ -10986,7 +11061,7 @@ index b4ad6d7..67e89f0 100644
 +')
 +
 diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index 9e2e6d7..08e82d9 100644
+index 9e2e6d7..d5c4f76 100644
 --- a/policy/modules/kernel/kernel.te
 +++ b/policy/modules/kernel/kernel.te
 @@ -50,6 +50,8 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
@@ -11016,7 +11091,7 @@ index 9e2e6d7..08e82d9 100644
  
  corecmd_exec_shell(kernel_t)
  corecmd_list_bin(kernel_t)
-@@ -268,19 +272,30 @@ files_list_root(kernel_t)
+@@ -268,19 +272,31 @@ files_list_root(kernel_t)
  files_list_etc(kernel_t)
  files_list_home(kernel_t)
  files_read_usr_files(kernel_t)
@@ -11030,6 +11105,7 @@ index 9e2e6d7..08e82d9 100644
  
  mls_process_read_up(kernel_t)
  mls_process_write_down(kernel_t)
++mls_file_downgrade(kernel_t)
  mls_file_write_all_levels(kernel_t)
  mls_file_read_all_levels(kernel_t)
 +mls_socket_write_all_levels(kernel_t) 
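Review bot: `mls_file_downgrade(kernel_t)` adds an MLS constraint exemption and nothing in the hunk or the commit message explains the need — the message only says the kernel wants to read /proc. Because this relaxes the MLS write-down restriction for the kernel domain, the line deserves a comment naming the denial it resolves, e.g. `# needed for <AVC denial here> on MLS systems`. The adjacent `mls_file_write_all_levels(kernel_t)` already covers writes at every level, so the downgrade right is presumably for lowering a file's level rather than plain writing; confirm which operation was actually denied before keeping it.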
@@ -11047,7 +11123,7 @@ index 9e2e6d7..08e82d9 100644
  optional_policy(`
  	hotplug_search_config(kernel_t)
  ')
-@@ -357,6 +372,10 @@ optional_policy(`
+@@ -357,6 +373,10 @@ optional_policy(`
  	unconfined_domain_noaudit(kernel_t)
  ')
  
@@ -11508,7 +11584,7 @@ index be4de58..cce681a 100644
  ########################################
  #
 diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 2be17d2..faaf889 100644
+index 2be17d2..5728fc1 100644
 --- a/policy/modules/roles/staff.te
 +++ b/policy/modules/roles/staff.te
 @@ -8,12 +8,48 @@ policy_module(staff, 2.2.0)
@@ -11560,7 +11636,7 @@ index 2be17d2..faaf889 100644
  optional_policy(`
  	apache_role(staff_r, staff_t)
  ')
-@@ -27,25 +63,108 @@ optional_policy(`
+@@ -27,25 +63,112 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -11581,6 +11657,10 @@ index 2be17d2..faaf889 100644
 +')
 +
 +optional_policy(`
++	mock_role(staff_r, staff_t)
++')
++
++optional_policy(`
 +	kerneloops_dbus_chat(staff_t)
 +')
 +
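Review bot: `mock_role(staff_r, staff_t)` lets ordinary staff users transition into mock_t, and the mock policy elsewhere in this patch grants that domain `sys_admin setfcap setuid sys_ptrace sys_chroot ... dac_override` capabilities (see the mock.te hunk at @@ -25588,6), plus execmem/execstack in this same commit. That makes the otherwise confined staff role a path into a domain with effectively root-level capabilities, which is a notable privilege expansion. If that is the intent, consider gating the call behind a tunable, or at least add `# staff users may run mock builds; mock_t is a privileged chroot domain` so the exposure is visible to later reviewers.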
@@ -11671,7 +11751,7 @@ index 2be17d2..faaf889 100644
  
  optional_policy(`
  	vlock_run(staff_t, staff_r)
-@@ -137,10 +256,6 @@ ifndef(`distro_redhat',`
+@@ -137,10 +260,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -12710,10 +12790,10 @@ index 0000000..8b2cdf3
 +
 diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
 new file mode 100644
-index 0000000..7d5de28
+index 0000000..ec21f9a
 --- /dev/null
 +++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,489 @@
+@@ -0,0 +1,493 @@
 +policy_module(unconfineduser, 1.0.0)
 +
 +########################################
@@ -13043,6 +13123,10 @@ index 0000000..7d5de28
 +')
 +
 +optional_policy(`
++	mock_role(unconfined_r, unconfined_t)
++')
++
++optional_policy(`
 +	modutils_run_update_mods(unconfined_t, unconfined_r)
 +')
 +
@@ -17628,7 +17712,7 @@ index 9a0da94..2ede737 100644
 +	admin_pattern($1, chronyd_tmpfs_t)
  ')
 diff --git a/policy/modules/services/chronyd.te b/policy/modules/services/chronyd.te
-index fa82327..7f4ca47 100644
+index fa82327..db20d26 100644
 --- a/policy/modules/services/chronyd.te
 +++ b/policy/modules/services/chronyd.te
 @@ -15,6 +15,9 @@ init_script_file(chronyd_initrc_exec_t)
@@ -17641,7 +17725,11 @@ index fa82327..7f4ca47 100644
  type chronyd_var_lib_t;
  files_type(chronyd_var_lib_t)
  
-@@ -37,6 +40,10 @@ allow chronyd_t self:unix_dgram_socket create_socket_perms;
+@@ -34,9 +37,14 @@ allow chronyd_t self:process { getcap setcap setrlimit };
+ allow chronyd_t self:shm create_shm_perms;
+ allow chronyd_t self:udp_socket create_socket_perms;
+ allow chronyd_t self:unix_dgram_socket create_socket_perms;
++allow chronyd_t self:fifo_file rw_fifo_file_perms;
  
  allow chronyd_t chronyd_keys_t:file read_file_perms;
  
@@ -17652,14 +17740,27 @@ index fa82327..7f4ca47 100644
  manage_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
  manage_dirs_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
  manage_sock_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
-@@ -50,6 +57,7 @@ manage_files_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t)
+@@ -50,6 +58,11 @@ manage_files_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t)
  manage_dirs_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t)
  files_pid_filetrans(chronyd_t, chronyd_var_run_t, file)
  
++kernel_read_system_state(chronyd_t)
++
++corecmd_exec_shell(chronyd_t)
++
 +corenet_udp_bind_generic_node(chronyd_t)
  corenet_udp_bind_ntp_port(chronyd_t)
  # bind to udp/323
  corenet_udp_bind_chronyd_port(chronyd_t)
+@@ -63,6 +76,8 @@ logging_send_syslog_msg(chronyd_t)
+ 
+ miscfiles_read_localization(chronyd_t)
+ 
++mta_send_mail(chronyd_t)
++
+ optional_policy(`
+ 	gpsd_rw_shm(chronyd_t)
+ ')
 diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if
 index 1f11572..7f6a7ab 100644
 --- a/policy/modules/services/clamav.if
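Review bot: The new `corecmd_exec_shell(chronyd_t)` and `mta_send_mail(chronyd_t)` lines carry no comment, unlike the neighbouring `# bind to udp/323`, so the reason a time daemon needs a shell and a mail transport is not recorded; the commit message only says "Chrony sends mail, executes shell". Presumably this is chrony's `mailonchange` directive, which runs sendmail when the clock is adjusted beyond a threshold — confirm and add `# mailonchange: chronyd runs sendmail through a shell` above them. The `self:fifo_file rw_fifo_file_perms` added in the previous hunk is likely the pipe to that child process and could carry the same comment.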
@@ -18058,10 +18159,10 @@ index 0000000..a2c7134
 +	corosync_stream_connect(cmirrord_t)
 +')
 diff --git a/policy/modules/services/cobbler.fc b/policy/modules/services/cobbler.fc
-index 1cf6c4e..90c60df 100644
+index 1cf6c4e..e4bac67 100644
 --- a/policy/modules/services/cobbler.fc
 +++ b/policy/modules/services/cobbler.fc
-@@ -1,7 +1,32 @@
+@@ -1,7 +1,33 @@
 -/etc/cobbler(/.*)?		gen_context(system_u:object_r:cobbler_etc_t, s0)
 -/etc/rc\.d/init\.d/cobblerd --	gen_context(system_u:object_r:cobblerd_initrc_exec_t, s0)
  
@@ -18075,6 +18176,7 @@ index 1cf6c4e..90c60df 100644
 +/var/lib/cobbler(/.*)?					gen_context(system_u:object_r:cobbler_var_lib_t,s0)
 +
 +/var/lib/tftpboot/etc(/.*)?				gen_context(system_u:object_r:cobbler_var_lib_t,s0)
++/var/lib/tftpboot/grub(/.*)?             gen_context(system_u:object_r:cobbler_var_lib_t,s0)
 +/var/lib/tftpboot/images(/.*)?                        	gen_context(system_u:object_r:cobbler_var_lib_t,s0)
 +/var/lib/tftpboot/memdisk			--      gen_context(system_u:object_r:cobbler_var_lib_t,s0)
 +/var/lib/tftpboot/menu\.c32			--      gen_context(system_u:object_r:cobbler_var_lib_t,s0)
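Review bot: The new `/var/lib/tftpboot/grub(/.*)?` file-context line is aligned with spaces while the surrounding entries use tabs, so the context column will not line up under normal tab stops. Use the same tab alignment as the `/var/lib/tftpboot/etc(/.*)?` line directly above it. The commit message says "Fix duplicate grub def in cobbler" but this hunk only adds a grub entry; if the duplicate is removed elsewhere in the patch, that change is outside this hunk.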
@@ -20520,7 +20622,7 @@ index f706b99..22b862e 100644
 +	files_list_pids($1)
  ')
 diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
-index f231f17..4ecd4b7 100644
+index f231f17..10c33ed 100644
 --- a/policy/modules/services/devicekit.te
 +++ b/policy/modules/services/devicekit.te
 @@ -26,6 +26,9 @@ files_pid_file(devicekit_var_run_t)
@@ -20546,7 +20648,7 @@ index f231f17..4ecd4b7 100644
  kernel_getattr_message_if(devicekit_disk_t)
  kernel_read_fs_sysctls(devicekit_disk_t)
  kernel_read_network_state(devicekit_disk_t)
-@@ -105,8 +110,10 @@ domain_read_all_domains_state(devicekit_disk_t)
+@@ -105,14 +110,17 @@ domain_read_all_domains_state(devicekit_disk_t)
  
  files_dontaudit_read_all_symlinks(devicekit_disk_t)
  files_getattr_all_sockets(devicekit_disk_t)
@@ -20558,7 +20660,14 @@ index f231f17..4ecd4b7 100644
  files_manage_isid_type_dirs(devicekit_disk_t)
  files_manage_mnt_dirs(devicekit_disk_t)
  files_read_etc_files(devicekit_disk_t)
-@@ -178,25 +185,47 @@ optional_policy(`
+ files_read_etc_runtime_files(devicekit_disk_t)
+ files_read_usr_files(devicekit_disk_t)
+ 
++fs_getattr_all_fs(devicekit_disk_t)
+ fs_list_inotifyfs(devicekit_disk_t)
+ fs_manage_fusefs_dirs(devicekit_disk_t)
+ fs_mount_all_fs(devicekit_disk_t)
+@@ -178,25 +186,47 @@ optional_policy(`
  	virt_manage_images(devicekit_disk_t)
  ')
  
@@ -20607,7 +20716,7 @@ index f231f17..4ecd4b7 100644
  kernel_search_debugfs(devicekit_power_t)
  kernel_write_proc_files(devicekit_power_t)
  
-@@ -212,12 +241,16 @@ dev_rw_generic_usb_dev(devicekit_power_t)
+@@ -212,12 +242,16 @@ dev_rw_generic_usb_dev(devicekit_power_t)
  dev_rw_generic_chr_files(devicekit_power_t)
  dev_rw_netcontrol(devicekit_power_t)
  dev_rw_sysfs(devicekit_power_t)
@@ -20624,7 +20733,7 @@ index f231f17..4ecd4b7 100644
  
  term_use_all_terms(devicekit_power_t)
  
-@@ -225,8 +258,11 @@ auth_use_nsswitch(devicekit_power_t)
+@@ -225,8 +259,11 @@ auth_use_nsswitch(devicekit_power_t)
  
  miscfiles_read_localization(devicekit_power_t)
  
@@ -20636,7 +20745,7 @@ index f231f17..4ecd4b7 100644
  
  userdom_read_all_users_state(devicekit_power_t)
  
-@@ -261,14 +297,21 @@ optional_policy(`
+@@ -261,14 +298,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -20659,7 +20768,7 @@ index f231f17..4ecd4b7 100644
  	policykit_dbus_chat(devicekit_power_t)
  	policykit_domtrans_auth(devicekit_power_t)
  	policykit_read_lib(devicekit_power_t)
-@@ -276,9 +319,21 @@ optional_policy(`
+@@ -276,9 +320,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -22302,6 +22411,173 @@ index 6537214..7d64c0a 100644
  	ps_process_pattern($1, fetchmail_t)
  
  	files_list_etc($1)
+diff --git a/policy/modules/services/firewalld.fc b/policy/modules/services/firewalld.fc
+new file mode 100644
+index 0000000..ba9a7a9
+--- /dev/null
++++ b/policy/modules/services/firewalld.fc
+@@ -0,0 +1,10 @@
++
++/etc/rc\.d/init\.d/firewalld	--	gen_context(system_u:object_r:firewalld_initrc_exec_t,s0)
++
++
++/usr/sbin/firewalld		--	gen_context(system_u:object_r:firewalld_exec_t,s0)
++
++/var/log/firewalld		--	gen_context(system_u:object_r:firewalld_var_log_t,s0)
++
++/var/run/firewalld(/.*)?			gen_context(system_u:object_r:firewalld_var_run_t,s0)
++/var/run/firewalld\.pid			--	gen_context(system_u:object_r:firewalld_var_run_t,s0)
+diff --git a/policy/modules/services/firewalld.if b/policy/modules/services/firewalld.if
+new file mode 100644
+index 0000000..84d1768
+--- /dev/null
++++ b/policy/modules/services/firewalld.if
+@@ -0,0 +1,73 @@
++
++## <summary>policy for firewalld</summary>
++
++
++########################################
++## <summary>
++##	Execute a domain transition to run firewalld.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`firewalld_domtrans',`
++	gen_require(`
++		type firewalld_t, firewalld_exec_t;
++	')
++
++	domtrans_pattern($1, firewalld_exec_t, firewalld_t)
++')
++
++
++########################################
++## <summary>
++##	Execute firewalld server in the firewalld domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The type of the process performing this action.
++##	</summary>
++## </param>
++#
++interface(`firewalld_initrc_domtrans',`
++	gen_require(`
++		type firewalld_initrc_exec_t;
++	')
++
++	init_labeled_script_domtrans($1, firewalld_initrc_exec_t)
++')
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an firewalld environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`firewalld_admin',`
++	gen_require(`
++		type firewalld_t;
++		type firewalld_initrc_exec_t;
++	')
++
++	allow $1 firewalld_t:process { ptrace signal_perms };
++	ps_process_pattern($1, firewalld_t)
++
++	firewalld_initrc_domtrans($1)
++	domain_system_change_exemption($1)
++	role_transition $2 firewalld_initrc_exec_t system_r;
++	allow $2 system_r;
++
++')
+diff --git a/policy/modules/services/firewalld.te b/policy/modules/services/firewalld.te
+new file mode 100644
+index 0000000..ebb76c1
+--- /dev/null
++++ b/policy/modules/services/firewalld.te
+@@ -0,0 +1,66 @@
++
++policy_module(firewalld,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type firewalld_t;
++type firewalld_exec_t;
++init_daemon_domain(firewalld_t, firewalld_exec_t)
++
++permissive firewalld_t;
++
++type firewalld_initrc_exec_t;
++init_script_file(firewalld_initrc_exec_t)
++
++type firewalld_var_log_t;
++logging_log_file(firewalld_var_log_t)
++
++type firewalld_var_run_t;
++files_pid_file(firewalld_var_run_t)
++
++########################################
++#
++# firewalld local policy
++#
++
++allow firewalld_t self:fifo_file rw_fifo_file_perms;
++allow firewalld_t self:unix_stream_socket create_stream_socket_perms;
++
++append_files_pattern(firewalld_t, firewalld_var_log_t, firewalld_var_log_t)
++create_files_pattern(firewalld_t, firewalld_var_log_t, firewalld_var_log_t)
++read_files_pattern(firewalld_t, firewalld_var_log_t, firewalld_var_log_t)
++setattr_files_pattern(firewalld_t, firewalld_var_log_t, firewalld_var_log_t)
++logging_log_filetrans(firewalld_t, firewalld_var_log_t, file)
++
++# should be fixed to cooperate with systemd to create /var/run/firewalld directory
++manage_files_pattern(firewalld_t, firewalld_var_run_t, firewalld_var_run_t)
++files_pid_filetrans(firewalld_t, firewalld_var_run_t, { file })
++
++kernel_read_network_state(firewalld_t)
++kernel_read_system_state(firewalld_t)
++
++corecmd_exec_bin(firewalld_t)
++
++domain_use_interactive_fds(firewalld_t)
++
++files_read_etc_files(firewalld_t)
++files_read_usr_files(firewalld_t)
++
++logging_send_syslog_msg(firewalld_t)
++
++miscfiles_read_localization(firewalld_t)
++
++optional_policy(`
++    dbus_system_domain(firewalld_t, firewalld_exec_t)
++')
++
++optional_policy(`
++	iptables_domtrans(firewalld_t)
++')
++
++optional_policy(`
++    modutils_domtrans_insmod(firewalld_t)
++')
 diff --git a/policy/modules/services/fprintd.if b/policy/modules/services/fprintd.if
 index ebad8c4..c02062c 100644
 --- a/policy/modules/services/fprintd.if
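Review bot: `firewalld_admin` grants ptrace/signal and the initrc transition but no `admin_pattern` for `firewalld_var_log_t` or `firewalld_var_run_t`, so an administrator domain using it still cannot manage the log or pid files; the `mysql_admin` interface in this same patch uses `admin_pattern($1, mysqld_tmp_t)` for exactly this purpose. Add the two types to the gen_require block and the admin_pattern calls before the closing `')`, as sketched below. Separately, `permissive firewalld_t;` in firewalld.te carries no comment — mark it as temporary, e.g. `# permissive until the policy has been exercised; remove before release`, so it is not forgotten. The `optional_policy` blocks in firewalld.te also mix four-space and tab indentation; the rest of the policy uses tabs.
```selinux
interface(`firewalld_admin',`
	gen_require(`
		type firewalld_t, firewalld_initrc_exec_t;
		type firewalld_var_log_t, firewalld_var_run_t;
	')

	# … unchanged: process access, initrc domtrans, role transition …

	logging_list_logs($1)
	admin_pattern($1, firewalld_var_log_t)

	files_list_pids($1)
	admin_pattern($1, firewalld_var_run_t)
')
```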
@@ -25552,10 +25828,10 @@ index 0000000..6395ec8
 +')
 diff --git a/policy/modules/services/mock.te b/policy/modules/services/mock.te
 new file mode 100644
-index 0000000..b05a9cd
+index 0000000..36d15ad
 --- /dev/null
 +++ b/policy/modules/services/mock.te
-@@ -0,0 +1,99 @@
+@@ -0,0 +1,101 @@
 +policy_module(mock,1.0.0)
 +
 +########################################
@@ -25588,6 +25864,8 @@ index 0000000..b05a9cd
 +
 +allow mock_t self:capability { sys_admin setfcap setuid sys_ptrace sys_chroot chown audit_write dac_override sys_nice mknod fsetid setgid fowner };
 +allow mock_t self:process { siginh noatsecure signull transition rlimitinh setsched setpgid sigkill };
++# Needed because mock can run java and mono withing build environment
++allow mock_t self:process { execmem execstack };
 +dontaudit mock_t self:process { siginh noatsecure rlimitinh };
 +allow mock_t self:fifo_file manage_fifo_file_perms;
 +allow mock_t self:unix_stream_socket create_stream_socket_perms;
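Review bot: The comment on the new `execmem execstack` grant has a typo (`withing` → `within`), and the permission itself switches off the executable-memory protection for every mock build, not only those that run java or mono. Since execmem/execstack is precisely what the memory-protection checks exist to deny, consider gating the two permissions behind a tunable instead of granting them unconditionally, and reword the comment to `# Java and mono builds inside the buildroot need executable anonymous memory`. If they stay unconditional, merging them into the `self:process` allow directly above keeps the process permissions for mock_t in one place.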
@@ -26054,10 +26332,10 @@ index 0000000..311aaed
 +')
 diff --git a/policy/modules/services/mpd.te b/policy/modules/services/mpd.te
 new file mode 100644
-index 0000000..92e86a2
+index 0000000..d87d442
 --- /dev/null
 +++ b/policy/modules/services/mpd.te
-@@ -0,0 +1,127 @@
+@@ -0,0 +1,143 @@
 +policy_module(mpd, 1.0.0)
 +
 +########################################
@@ -26127,6 +26405,8 @@ index 0000000..92e86a2
 +manage_lnk_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t)
 +files_var_lib_filetrans(mpd_t, mpd_var_lib_t, { dir file lnk_file })
 +
++# needed by pulseaudio
++kernel_getattr_proc(mpd_t)
 +kernel_read_system_state(mpd_t)
 +kernel_read_kernel_sysctls(mpd_t)
 +
@@ -26141,6 +26421,7 @@ index 0000000..92e86a2
 +corenet_tcp_bind_soundd_port(mpd_t)
 +
 +dev_read_sound(mpd_t)
++dev_write_sound(mpd_t)
 +dev_read_sysfs(mpd_t)
 +
 +files_read_usr_files(mpd_t)
@@ -26173,6 +26454,10 @@ index 0000000..92e86a2
 +')
 +
 +optional_policy(`
++    consolekit_dbus_chat(mpd_t)
++')
++
++optional_policy(`
 +	dbus_system_bus_client(mpd_t)
 +')
 +
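Review bot: The new `consolekit_dbus_chat(mpd_t)` block is indented with four spaces while every neighbouring `optional_policy` body in mpd.te uses a tab. The same applies to the `rtkit_daemon_dontaudit_dbus_chat` and `xserver_dontaudit_*` blocks in the next hunk (@@ -26183,8). Switch to tabs so the file stays consistent.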
@@ -26183,8 +26468,17 @@ index 0000000..92e86a2
 +')
 +
 +optional_policy(`
++    rtkit_daemon_dontaudit_dbus_chat(mpd_t)
++')
++
++optional_policy(`
 +	udev_read_db(mpd_t)
 +')
++
++optional_policy(`
++    xserver_dontaudit_stream_connect(mpd_t)
++    xserver_dontaudit_read_xdm_pid(mpd_t)
++')
 diff --git a/policy/modules/services/mta.fc b/policy/modules/services/mta.fc
 index 256166a..c526ce8 100644
 --- a/policy/modules/services/mta.fc
@@ -26996,7 +27290,7 @@ index f17583b..8f01394 100644
 +
 +miscfiles_read_localization(munin_plugin_domain)
 diff --git a/policy/modules/services/mysql.if b/policy/modules/services/mysql.if
-index e9c0982..06034b8 100644
+index e9c0982..a12d5ea 100644
 --- a/policy/modules/services/mysql.if
 +++ b/policy/modules/services/mysql.if
 @@ -18,6 +18,24 @@ interface(`mysql_domtrans',`
@@ -27024,7 +27318,32 @@ index e9c0982..06034b8 100644
  ########################################
  ## <summary>
  ##	Send a generic signal to MySQL.
-@@ -73,6 +91,7 @@ interface(`mysql_stream_connect',`
+@@ -36,6 +54,24 @@ interface(`mysql_signal',`
+ 	allow $1 mysqld_t:process signal;
+ ')
+ 
++#######################################
++## <summary>
++##  Send a null signal to mysql.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`mysql_signull',`
++    gen_require(`
++        type mysqld_t;
++    ')
++
++    allow $1 mysqld_t:process signull;
++')
++
+ ########################################
+ ## <summary>
+ ##	Allow the specified domain to connect to postgresql with a tcp socket.
+@@ -73,6 +109,7 @@ interface(`mysql_stream_connect',`
  		type mysqld_t, mysqld_var_run_t, mysqld_db_t;
  	')
  
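Review bot: The new `mysql_signull` interface body is indented with four spaces and its doc summaries with two spaces after `##`, while the neighbouring `mysql_signal` interface uses tabs for both; the separator line above it is also one `#` shorter than the others (`#######################################` vs `########################################`). Match the surrounding style so the interface reads as part of the file. The summary `Send a null signal to mysql.` could also capitalise MySQL to match `Send a generic signal to MySQL.` just above it.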
@@ -27032,7 +27351,7 @@ index e9c0982..06034b8 100644
  	stream_connect_pattern($1, mysqld_var_run_t, mysqld_var_run_t, mysqld_t)
  	stream_connect_pattern($1, mysqld_db_t, mysqld_var_run_t, mysqld_t)
  ')
-@@ -252,7 +271,7 @@ interface(`mysql_write_log',`
+@@ -252,7 +289,7 @@ interface(`mysql_write_log',`
  	')
  
  	logging_search_logs($1)
@@ -27041,7 +27360,7 @@ index e9c0982..06034b8 100644
  ')
  
  ######################################
-@@ -329,10 +348,9 @@ interface(`mysql_search_pid_files',`
+@@ -329,10 +366,9 @@ interface(`mysql_search_pid_files',`
  #
  interface(`mysql_admin',`
  	gen_require(`
@@ -27055,7 +27374,7 @@ index e9c0982..06034b8 100644
  	')
  
  	allow $1 mysqld_t:process { ptrace signal_perms };
-@@ -343,13 +361,17 @@ interface(`mysql_admin',`
+@@ -343,13 +379,17 @@ interface(`mysql_admin',`
  	role_transition $2 mysqld_initrc_exec_t system_r;
  	allow $2 system_r;
  
@@ -27074,7 +27393,7 @@ index e9c0982..06034b8 100644
  	admin_pattern($1, mysqld_tmp_t)
  ')
 diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
-index 0a0d63c..d02b476 100644
+index 0a0d63c..024120d 100644
 --- a/policy/modules/services/mysql.te
 +++ b/policy/modules/services/mysql.te
 @@ -6,9 +6,9 @@ policy_module(mysql, 1.12.0)
@@ -27142,7 +27461,7 @@ index 0a0d63c..d02b476 100644
  files_read_etc_files(mysqld_safe_t)
  files_read_usr_files(mysqld_safe_t)
  files_dontaudit_getattr_all_dirs(mysqld_safe_t)
-@@ -183,6 +186,8 @@ logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
+@@ -183,11 +186,14 @@ logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
  
  hostname_exec(mysqld_safe_t)
  
@@ -27151,6 +27470,12 @@ index 0a0d63c..d02b476 100644
  miscfiles_read_localization(mysqld_safe_t)
  
  mysql_manage_db_files(mysqld_safe_t)
+ mysql_read_config(mysqld_safe_t)
+ mysql_search_pid_files(mysqld_safe_t)
++mysql_signull(mysqld_safe_t)
+ mysql_write_log(mysqld_safe_t)
+ 
+ ########################################
 diff --git a/policy/modules/services/nagios.if b/policy/modules/services/nagios.if
 index 8581040..cfcdf10 100644
 --- a/policy/modules/services/nagios.if
@@ -27239,7 +27564,7 @@ index 8581040..cfcdf10 100644
  
  	allow $1 nagios_t:process { ptrace signal_perms };
 diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te
-index bf64a4c..86c9cba 100644
+index bf64a4c..331ad53 100644
 --- a/policy/modules/services/nagios.te
 +++ b/policy/modules/services/nagios.te
 @@ -79,6 +79,7 @@ files_spool_filetrans(nagios_t, nagios_spool_t, fifo_file)
@@ -27338,7 +27663,7 @@ index bf64a4c..86c9cba 100644
  files_read_etc_runtime_files(nagios_checkdisk_plugin_t)
  
  fs_getattr_all_fs(nagios_checkdisk_plugin_t)
-@@ -323,7 +328,6 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
+@@ -323,10 +328,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
  
  allow nagios_services_plugin_t self:capability { net_bind_service net_raw };
  allow nagios_services_plugin_t self:process { signal sigkill };
@@ -27346,7 +27671,12 @@ index bf64a4c..86c9cba 100644
  allow nagios_services_plugin_t self:tcp_socket create_stream_socket_perms;
  allow nagios_services_plugin_t self:udp_socket create_socket_perms;
  
-@@ -340,6 +344,8 @@ files_read_usr_files(nagios_services_plugin_t)
++kernel_read_system_state(nagios_services_plugin_t)
++
+ corecmd_exec_bin(nagios_services_plugin_t)
+ 
+ corenet_tcp_connect_all_ports(nagios_services_plugin_t)
+@@ -340,6 +346,8 @@ files_read_usr_files(nagios_services_plugin_t)
  
  optional_policy(`
  	netutils_domtrans_ping(nagios_services_plugin_t)
@@ -34358,7 +34688,7 @@ index 82cb169..9e72970 100644
 +	admin_pattern($1, samba_unconfined_script_exec_t)
  ')
 diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
-index e30bb63..6e627d6 100644
+index e30bb63..a7f61a3 100644
 --- a/policy/modules/services/samba.te
 +++ b/policy/modules/services/samba.te
 @@ -152,9 +152,6 @@ domain_entry_file(winbind_helper_t, winbind_helper_exec_t)
@@ -34398,7 +34728,7 @@ index e30bb63..6e627d6 100644
  
  allow smbd_t swat_t:process signal;
  
-@@ -323,10 +320,12 @@ dev_getattr_all_blk_files(smbd_t)
+@@ -323,15 +320,18 @@ dev_getattr_all_blk_files(smbd_t)
  dev_getattr_all_chr_files(smbd_t)
  
  fs_getattr_all_fs(smbd_t)
@@ -34411,7 +34741,13 @@ index e30bb63..6e627d6 100644
  
  auth_use_nsswitch(smbd_t)
  auth_domtrans_chk_passwd(smbd_t)
-@@ -343,6 +342,7 @@ files_read_usr_files(smbd_t)
+ auth_domtrans_upd_passwd(smbd_t)
+ auth_manage_cache(smbd_t)
++auth_write_login_records(smbd_t)
+ 
+ domain_use_interactive_fds(smbd_t)
+ domain_dontaudit_list_all_domains_state(smbd_t)
+@@ -343,6 +343,7 @@ files_read_usr_files(smbd_t)
  files_search_spool(smbd_t)
  # smbd seems to getattr all mountpoints
  files_dontaudit_getattr_all_dirs(smbd_t)
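Review bot: `auth_write_login_records(smbd_t)` lets smbd write the wtmp login accounting file, which is also one of the records incident review relies on, and the line has no comment explaining which Samba feature needs it; the commit message only says the daemon "writes wtmp file". This is presumably Samba's `utmp = yes` option recording SMB sessions — confirm and add `# utmp = yes: smbd records sessions in wtmp` above the call so later readers know it is tied to that setting. If session accounting is not on by default, a tunable would keep the write right off for installs that do not enable it.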
@@ -34419,7 +34755,7 @@ index e30bb63..6e627d6 100644
  # Allow samba to list mnt_t for potential mounted dirs
  files_list_mnt(smbd_t)
  
-@@ -385,12 +385,7 @@ tunable_policy(`samba_domain_controller',`
+@@ -385,12 +386,7 @@ tunable_policy(`samba_domain_controller',`
  ')
  
  tunable_policy(`samba_enable_home_dirs',`
@@ -34433,7 +34769,7 @@ index e30bb63..6e627d6 100644
  ')
  
  # Support Samba sharing of NFS mount points
-@@ -445,8 +440,8 @@ optional_policy(`
+@@ -445,8 +441,8 @@ optional_policy(`
  tunable_policy(`samba_create_home_dirs',`
  	allow smbd_t self:capability chown;
  	userdom_create_user_home_dirs(smbd_t)
@@ -34443,7 +34779,7 @@ index e30bb63..6e627d6 100644
  
  tunable_policy(`samba_export_all_ro',`
  	fs_read_noxattr_fs_files(smbd_t) 
-@@ -462,8 +457,8 @@ tunable_policy(`samba_export_all_rw',`
+@@ -462,8 +458,8 @@ tunable_policy(`samba_export_all_rw',`
  	auth_manage_all_files_except_shadow(smbd_t)
  	fs_read_noxattr_fs_files(nmbd_t) 
  	auth_manage_all_files_except_shadow(nmbd_t)
@@ -34453,7 +34789,7 @@ index e30bb63..6e627d6 100644
  
  ########################################
  #
-@@ -484,8 +479,9 @@ allow nmbd_t self:udp_socket create_socket_perms;
+@@ -484,8 +480,9 @@ allow nmbd_t self:udp_socket create_socket_perms;
  allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
  allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
  
@@ -34464,7 +34800,7 @@ index e30bb63..6e627d6 100644
  
  read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
  read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
-@@ -560,13 +556,13 @@ allow smbcontrol_t self:fifo_file rw_file_perms;
+@@ -560,13 +557,13 @@ allow smbcontrol_t self:fifo_file rw_file_perms;
  allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms;
  
  allow smbcontrol_t nmbd_t:process { signal signull };
@@ -34482,7 +34818,7 @@ index e30bb63..6e627d6 100644
  samba_read_config(smbcontrol_t)
  samba_rw_var_files(smbcontrol_t)
  samba_search_var(smbcontrol_t)
-@@ -677,7 +673,7 @@ samba_domtrans_nmbd(swat_t)
+@@ -677,7 +674,7 @@ samba_domtrans_nmbd(swat_t)
  allow swat_t nmbd_t:process { signal signull };
  allow nmbd_t swat_t:process signal;
  
@@ -34491,7 +34827,7 @@ index e30bb63..6e627d6 100644
  
  allow swat_t smbd_port_t:tcp_socket name_bind;
  
-@@ -692,12 +688,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
+@@ -692,12 +689,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
  manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t)
  
  manage_files_pattern(swat_t, samba_var_t, samba_var_t)
@@ -34506,7 +34842,7 @@ index e30bb63..6e627d6 100644
  
  manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
  manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -710,6 +708,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
+@@ -710,6 +709,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
  domtrans_pattern(swat_t, winbind_exec_t, winbind_t)
  allow swat_t winbind_t:process { signal signull };
  
@@ -34514,7 +34850,7 @@ index e30bb63..6e627d6 100644
  allow swat_t winbind_var_run_t:dir { write add_name remove_name };
  allow swat_t winbind_var_run_t:sock_file { create unlink };
  
-@@ -754,6 +753,8 @@ logging_search_logs(swat_t)
+@@ -754,6 +754,8 @@ logging_search_logs(swat_t)
  
  miscfiles_read_localization(swat_t)
  
@@ -34523,7 +34859,7 @@ index e30bb63..6e627d6 100644
  optional_policy(`
  	cups_read_rw_config(swat_t)
  	cups_stream_connect(swat_t)
-@@ -806,14 +807,14 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
+@@ -806,14 +808,14 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
  allow winbind_t winbind_log_t:file manage_file_perms;
  logging_log_filetrans(winbind_t, winbind_log_t, file)
  
@@ -34543,7 +34879,7 @@ index e30bb63..6e627d6 100644
  
  kernel_read_kernel_sysctls(winbind_t)
  kernel_read_system_state(winbind_t)
-@@ -833,6 +834,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
+@@ -833,6 +835,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
  corenet_tcp_bind_generic_node(winbind_t)
  corenet_udp_bind_generic_node(winbind_t)
  corenet_tcp_connect_smbd_port(winbind_t)
@@ -34551,7 +34887,7 @@ index e30bb63..6e627d6 100644
  corenet_tcp_connect_epmap_port(winbind_t)
  corenet_tcp_connect_all_unreserved_ports(winbind_t)
  
-@@ -922,6 +924,18 @@ optional_policy(`
+@@ -922,6 +925,18 @@ optional_policy(`
  #
  
  optional_policy(`
@@ -34570,7 +34906,7 @@ index e30bb63..6e627d6 100644
  	type samba_unconfined_script_t;
  	type samba_unconfined_script_exec_t;
  	domain_type(samba_unconfined_script_t)
-@@ -932,9 +946,12 @@ optional_policy(`
+@@ -932,9 +947,12 @@ optional_policy(`
  	allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
  	allow smbd_t samba_unconfined_script_exec_t:file ioctl;
  
@@ -36228,7 +36564,7 @@ index 22adaca..784c363 100644
 +	allow $1 sshd_t:process signull;
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 2dad3c8..f4626c0 100644
+index 2dad3c8..2b6aef5 100644
 --- a/policy/modules/services/ssh.te
 +++ b/policy/modules/services/ssh.te
 @@ -6,26 +6,32 @@ policy_module(ssh, 2.2.0)
@@ -36497,7 +36833,7 @@ index 2dad3c8..f4626c0 100644
 +')
 +
 +optional_policy(`
-+	amanda_search_lib(sshd_t)
++	amanda_search_var_lib(sshd_t)
  ')
  
  optional_policy(`
@@ -37997,7 +38333,7 @@ index 7c5d8d8..5e2f264 100644
 +	dontaudit $1 virtd_t:fifo_file write_fifo_file_perms;
 +')
 diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..191efb7 100644
+index 3eca020..d81582c 100644
 --- a/policy/modules/services/virt.te
 +++ b/policy/modules/services/virt.te
 @@ -5,80 +5,97 @@ policy_module(virt, 1.4.0)
@@ -38312,9 +38648,9 @@ index 3eca020..191efb7 100644
  
  logging_send_syslog_msg(virtd_t)
 +logging_send_audit_msgs(virtd_t)
-+
-+selinux_validate_context(virtd_t)
  
++selinux_validate_context(virtd_t)
++
 +seutil_read_config(virtd_t)
  seutil_read_default_contexts(virtd_t)
 +seutil_read_file_contexts(virtd_t)
@@ -38338,7 +38674,18 @@ index 3eca020..191efb7 100644
  
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virtd_t)
-@@ -365,6 +450,8 @@ optional_policy(`
+@@ -329,6 +414,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	dmidecode_domtrans(virtd_t)
++')
++
++optional_policy(`
+ 	dnsmasq_domtrans(virtd_t)
+ 	dnsmasq_signal(virtd_t)
+ 	dnsmasq_kill(virtd_t)
+@@ -365,6 +454,8 @@ optional_policy(`
  	qemu_signal(virtd_t)
  	qemu_kill(virtd_t)
  	qemu_setsched(virtd_t)
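Review bot: The new `dmidecode_domtrans(virtd_t)` block carries no comment explaining why libvirtd needs to spawn dmidecode, and it is not obvious from the surrounding qemu/dnsmasq blocks. Presumably this is libvirt collecting host SMBIOS data for sysinfo (TODO confirm against the AVC that prompted it); a one-line why-comment such as `# libvirtd runs dmidecode to read host SMBIOS/sysinfo data` above the optional_policy would save the next maintainer the lookup. Keeping that work in dmidecode_t rather than granting virtd_t raw memory access is the right shape, so no change to the rule itself is suggested. The virtd_t optional_policy sequence continues outside the hunk.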
@@ -38347,7 +38694,7 @@ index 3eca020..191efb7 100644
  ')
  
  optional_policy(`
-@@ -396,12 +483,25 @@ optional_policy(`
+@@ -396,12 +487,25 @@ optional_policy(`
  
  allow virt_domain self:capability { dac_read_search dac_override kill };
  allow virt_domain self:process { execmem execstack signal getsched signull };
@@ -38374,7 +38721,7 @@ index 3eca020..191efb7 100644
  append_files_pattern(virt_domain, virt_log_t, virt_log_t)
  
  append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
-@@ -422,6 +522,7 @@ corenet_rw_tun_tap_dev(virt_domain)
+@@ -422,6 +526,7 @@ corenet_rw_tun_tap_dev(virt_domain)
  corenet_tcp_bind_virt_migration_port(virt_domain)
  corenet_tcp_connect_virt_migration_port(virt_domain)
  
@@ -38382,7 +38729,7 @@ index 3eca020..191efb7 100644
  dev_read_rand(virt_domain)
  dev_read_sound(virt_domain)
  dev_read_urand(virt_domain)
-@@ -429,10 +530,12 @@ dev_write_sound(virt_domain)
+@@ -429,10 +534,12 @@ dev_write_sound(virt_domain)
  dev_rw_ksm(virt_domain)
  dev_rw_kvm(virt_domain)
  dev_rw_qemu(virt_domain)
@@ -38395,7 +38742,7 @@ index 3eca020..191efb7 100644
  files_read_usr_files(virt_domain)
  files_read_var_files(virt_domain)
  files_search_all(virt_domain)
-@@ -440,6 +543,11 @@ files_search_all(virt_domain)
+@@ -440,6 +547,11 @@ files_search_all(virt_domain)
  fs_getattr_tmpfs(virt_domain)
  fs_rw_anon_inodefs_files(virt_domain)
  fs_rw_tmpfs_files(virt_domain)
@@ -38407,7 +38754,7 @@ index 3eca020..191efb7 100644
  
  term_use_all_terms(virt_domain)
  term_getattr_pty_fs(virt_domain)
-@@ -457,8 +565,117 @@ optional_policy(`
+@@ -457,8 +569,117 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -38933,7 +39280,7 @@ index 6f1e3c7..ecfe665 100644
 +/var/lib/pqsql/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 +
 diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index da2601a..6b12229 100644
+index da2601a..61bce48 100644
 --- a/policy/modules/services/xserver.if
 +++ b/policy/modules/services/xserver.if
 @@ -19,9 +19,10 @@
@@ -39325,16 +39672,34 @@ index da2601a..6b12229 100644
  ')
  
  ########################################
-@@ -805,7 +869,7 @@ interface(`xserver_read_xdm_pid',`
+@@ -805,7 +869,25 @@ interface(`xserver_read_xdm_pid',`
  	')
  
  	files_search_pids($1)
 -	allow $1 xdm_var_run_t:file read_file_perms;
 +	read_files_pattern($1, xdm_var_run_t, xdm_var_run_t)
++')
++
++######################################
++## <summary>
++##  Dontaudit Read XDM pid files.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`xserver_dontaudit_read_xdm_pid',`
++    gen_require(`
++        type xdm_var_run_t;
++    ')
++
++    dontaudit $1 xdm_var_run_t:file read_file_perms;
  ')
  
  ########################################
-@@ -897,7 +961,7 @@ interface(`xserver_getattr_log',`
+@@ -897,7 +979,7 @@ interface(`xserver_getattr_log',`
  	')
  
  	logging_search_logs($1)
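Review bot: The new `xserver_dontaudit_read_xdm_pid` is indented with four spaces while the rest of xserver.if, including the `xserver_read_xdm_pid` body directly above it, uses tabs, and its `##  ` doc lines use two spaces where the file uses a tab after `##`. It also suppresses only the file read: the allow counterpart uses `read_files_pattern`, which additionally covers search on the xdm_var_run_t directory, so a caller that also trips on the directory would still log an AVC; consider adding `dontaudit $1 xdm_var_run_t:dir search_dir_perms;`. The summary would read better as `Do not audit attempts to read XDM pid files.`, matching the wording of the file's other dontaudit interfaces.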
@@ -39343,7 +39708,7 @@ index da2601a..6b12229 100644
  ')
  
  ########################################
-@@ -916,7 +980,7 @@ interface(`xserver_dontaudit_write_log',`
+@@ -916,7 +998,7 @@ interface(`xserver_dontaudit_write_log',`
  		type xserver_log_t;
  	')
  
@@ -39352,7 +39717,7 @@ index da2601a..6b12229 100644
  ')
  
  ########################################
-@@ -963,6 +1027,45 @@ interface(`xserver_read_xkb_libs',`
+@@ -963,6 +1045,45 @@ interface(`xserver_read_xkb_libs',`
  
  ########################################
  ## <summary>
@@ -39398,7 +39763,7 @@ index da2601a..6b12229 100644
  ##	Read xdm temporary files.
  ## </summary>
  ## <param name="domain">
-@@ -976,7 +1079,7 @@ interface(`xserver_read_xdm_tmp_files',`
+@@ -976,7 +1097,7 @@ interface(`xserver_read_xdm_tmp_files',`
  		type xdm_tmp_t;
  	')
  
@@ -39407,7 +39772,7 @@ index da2601a..6b12229 100644
  	read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
  ')
  
-@@ -1038,6 +1141,42 @@ interface(`xserver_manage_xdm_tmp_files',`
+@@ -1038,6 +1159,42 @@ interface(`xserver_manage_xdm_tmp_files',`
  
  ########################################
  ## <summary>
@@ -39450,7 +39815,7 @@ index da2601a..6b12229 100644
  ##	Do not audit attempts to get the attributes of
  ##	xdm temporary named sockets.
  ## </summary>
-@@ -1052,7 +1191,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+@@ -1052,7 +1209,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
  		type xdm_tmp_t;
  	')
  
@@ -39459,7 +39824,7 @@ index da2601a..6b12229 100644
  ')
  
  ########################################
-@@ -1070,8 +1209,10 @@ interface(`xserver_domtrans',`
+@@ -1070,8 +1227,10 @@ interface(`xserver_domtrans',`
  		type xserver_t, xserver_exec_t;
  	')
  
@@ -39471,15 +39836,34 @@ index da2601a..6b12229 100644
  ')
  
  ########################################
-@@ -1185,6 +1326,7 @@ interface(`xserver_stream_connect',`
+@@ -1185,6 +1344,26 @@ interface(`xserver_stream_connect',`
  
  	files_search_tmp($1)
  	stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
 +	allow xserver_t $1:shm rw_shm_perms;
++')
++
++######################################
++## <summary>
++##  Dontaudit attempts to connect to xserver
++##  over an unix stream socket.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain to not audit.
++##  </summary>
++## </param>
++#
++interface(`xserver_dontaudit_stream_connect',`
++    gen_require(`
++        type xserver_t, xserver_tmp_t;
++    ')
++
++    stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
  ')
  
  ########################################
-@@ -1210,7 +1352,7 @@ interface(`xserver_read_tmp_files',`
+@@ -1210,7 +1389,7 @@ interface(`xserver_read_tmp_files',`
  ## <summary>
  ##	Interface to provide X object permissions on a given X server to
  ##	an X client domain.  Gives the domain permission to read the
@@ -39488,7 +39872,7 @@ index da2601a..6b12229 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1220,13 +1362,23 @@ interface(`xserver_read_tmp_files',`
+@@ -1220,13 +1399,23 @@ interface(`xserver_read_tmp_files',`
  #
  interface(`xserver_manage_core_devices',`
  	gen_require(`
@@ -39513,7 +39897,7 @@ index da2601a..6b12229 100644
  ')
  
  ########################################
-@@ -1243,10 +1395,393 @@ interface(`xserver_manage_core_devices',`
+@@ -1243,10 +1432,393 @@ interface(`xserver_manage_core_devices',`
  #
  interface(`xserver_unconfined',`
  	gen_require(`
@@ -47450,10 +47834,10 @@ index 0000000..5f0352b
 +
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..52a952b
+index 0000000..174dd0c
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,101 @@
+@@ -0,0 +1,102 @@
 +
 +policy_module(systemd, 1.0.0)
 +
@@ -47532,6 +47916,7 @@ index 0000000..52a952b
 +files_relabelfrom_tmp_files(systemd_tmpfiles_t)
 +files_relabel_all_tmp_dirs(systemd_tmpfiles_t)
 +files_relabel_all_tmp_files(systemd_tmpfiles_t)
++files_getattr_lost_found_dirs(systemd_tmpfiles_t)
 +
 +init_dgram_send(systemd_tmpfiles_t)
 +
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 1669f5d..b77d2c2 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.12
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,15 @@ exit 0
 %endif
 
 %changelog
+* Tue Jan 11 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.12-6
+- Add firewalld policy
+- Allow vmware_host to read samba config
+- Kernel wants to read /proc Fix duplicate grub def in cobbler
+- Chrony sends mail, executes shell, uses fifo_file and reads /proc
+- devicekitdisk getattr all file systems
+- sambd daemon writes wtmp file
+- libvirt transitions to dmidecode
+
 * Wed Jan 5 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.12-5
 - Add initial policy for system-setup-keyboard which is now daemon
 - Label /var/lock/subsys/shorewall as shorewall_lock_t

