[selinux-policy] - A lot of users are running yum -y update while in /root which is causing ldc - Allow colord to int

Miroslav Grepl mgrepl at fedoraproject.org
Tue Jul 12 07:44:30 UTC 2011


commit 330eac58488e2a2a279957477b0d20e814ac8580
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Tue Jul 12 09:44:07 2011 +0200

    - A lot of users are running yum -y update while in /root which is causing ldc
    - Allow colord to interact with the users through the tmpfs file system
    - Since we changed the label on deferred, we need to allow postfix_qmgr_t to b
    - Add label for /var/log/mcelog
    - Allow asterisk to read /dev/random if it uses TLS
    - Allow colord to read ini files which are labeled as bin_t
    - Allow dirsrvadmin sys_resource and setrlimit to use ulimit
    - Systemd needs to be able to create sock_files for every label in /var/run di
    - Also lists /var and /var/spool directories
    - Add openl2tpd to l2tpd policy
    - qpidd is reading the sysfs file

 policy-F16.patch    |  749 +++++++++++++++++++++++++++++++++++---------------
 selinux-policy.spec |   15 +-
 2 files changed, 538 insertions(+), 226 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index d7e32b1..e2cd782 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -857,10 +857,18 @@ index 4f7bd3c..b5c346f 100644
 +	#unconfined_domain(kudzu_t)
  ')
 diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
-index 7090dae..893ea9a 100644
+index 7090dae..ee8eaf6 100644
 --- a/policy/modules/admin/logrotate.te
 +++ b/policy/modules/admin/logrotate.te
-@@ -116,17 +116,15 @@ miscfiles_read_localization(logrotate_t)
+@@ -102,6 +102,7 @@ files_read_var_lib_files(logrotate_t)
+ files_manage_generic_spool(logrotate_t)
+ files_manage_generic_spool_dirs(logrotate_t)
+ files_getattr_generic_locks(logrotate_t)
++files_dontaudit_list_mnt(logrotate_t)
+ 
+ # cjp: why is this needed?
+ init_domtrans_script(logrotate_t)
+@@ -116,17 +117,15 @@ miscfiles_read_localization(logrotate_t)
  
  seutil_dontaudit_read_config(logrotate_t)
  
@@ -883,7 +891,7 @@ index 7090dae..893ea9a 100644
  	# for savelog
  	can_exec(logrotate_t, logrotate_exec_t)
  
-@@ -162,10 +160,20 @@ optional_policy(`
+@@ -162,10 +161,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -904,7 +912,7 @@ index 7090dae..893ea9a 100644
  	cups_domtrans(logrotate_t)
  ')
  
-@@ -203,7 +211,6 @@ optional_policy(`
+@@ -203,7 +212,6 @@ optional_policy(`
  	psad_domtrans(logrotate_t)
  ')
  
@@ -912,7 +920,7 @@ index 7090dae..893ea9a 100644
  optional_policy(`
  	samba_exec_log(logrotate_t)
  ')
-@@ -228,3 +235,14 @@ optional_policy(`
+@@ -228,3 +236,14 @@ optional_policy(`
  optional_policy(`
  	varnishd_manage_log(logrotate_t)
  ')
@@ -1027,19 +1035,20 @@ index 75ce30f..b48b383 100644
 +	cron_use_system_job_fds(logwatch_mail_t)
 +')
 diff --git a/policy/modules/admin/mcelog.fc b/policy/modules/admin/mcelog.fc
-index 56c43c0..de535e4 100644
+index 56c43c0..0641226 100644
 --- a/policy/modules/admin/mcelog.fc
 +++ b/policy/modules/admin/mcelog.fc
-@@ -1 +1,4 @@
+@@ -1 +1,5 @@
  /usr/sbin/mcelog	--	gen_context(system_u:object_r:mcelog_exec_t,s0)
 +
-+/var/run/mcelog-client  -s 	gen_context(system_u:object_r:mcelog_var_run_t,s0)
++/var/log/mcelog.*	--	gen_context(system_u:object_r:mcelog_log_t,s0)
 +
++/var/run/mcelog-client  -s 	gen_context(system_u:object_r:mcelog_var_run_t,s0)
 diff --git a/policy/modules/admin/mcelog.te b/policy/modules/admin/mcelog.te
-index 5671977..24a6ad6 100644
+index 5671977..ef8bc09 100644
 --- a/policy/modules/admin/mcelog.te
 +++ b/policy/modules/admin/mcelog.te
-@@ -7,8 +7,11 @@ policy_module(mcelog, 1.1.0)
+@@ -7,8 +7,14 @@ policy_module(mcelog, 1.1.0)
  
  type mcelog_t;
  type mcelog_exec_t;
@@ -1049,13 +1058,20 @@ index 5671977..24a6ad6 100644
 +
 +type mcelog_var_run_t;
 +files_pid_file(mcelog_var_run_t)
++
++type mcelog_log_t;
++logging_log_file(mcelog_log_t)
  
  ########################################
  #
-@@ -17,10 +20,18 @@ cron_system_entry(mcelog_t, mcelog_exec_t)
+@@ -17,10 +23,22 @@ cron_system_entry(mcelog_t, mcelog_exec_t)
  
  allow mcelog_t self:capability sys_admin;
  
++manage_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
++manage_dirs_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
++logging_log_filetrans(mcelog_t, mcelog_log_t, { file dir })
++
 +manage_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
 +manage_dirs_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
 +manage_sock_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
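Review bot: `logging_log_filetrans(mcelog_t, mcelog_log_t, { file dir })` together with `manage_dirs_pattern` sets up a directory transition, but the only mcelog.fc entry this commit adds is `/var/log/mcelog.*` with `--`, i.e. regular files, so a directory mcelog created under /var/log would be mcelog_log_t at creation and revert to var_log_t on the next restorecon. If mcelog only writes the log file, reduce it to `logging_log_filetrans(mcelog_t, mcelog_log_t, file)` and drop the dirs pattern; otherwise add a matching directory context to mcelog.fc. A short comment such as `# /var/log/mcelog` above the block would tie the rules to the path they serve.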
@@ -1071,7 +1087,7 @@ index 5671977..24a6ad6 100644
  
  files_read_etc_files(mcelog_t)
  
-@@ -30,3 +41,7 @@ mls_file_read_all_levels(mcelog_t)
+@@ -30,3 +48,7 @@ mls_file_read_all_levels(mcelog_t)
  logging_send_syslog_msg(mcelog_t)
  
  miscfiles_read_localization(mcelog_t)
@@ -3071,7 +3087,7 @@ index 441cf22..4e2205c 100644
  optional_policy(`
  	apache_manage_all_user_content(useradd_t)
 diff --git a/policy/modules/admin/vpn.te b/policy/modules/admin/vpn.te
-index ebf4b26..6dcf1da 100644
+index ebf4b26..453a827 100644
 --- a/policy/modules/admin/vpn.te
 +++ b/policy/modules/admin/vpn.te
 @@ -21,7 +21,7 @@ files_pid_file(vpnc_var_run_t)
@@ -3094,7 +3110,16 @@ index ebf4b26..6dcf1da 100644
  
  corecmd_exec_all_executables(vpnc_t)
  
-@@ -106,7 +106,8 @@ sysnet_etc_filetrans_config(vpnc_t)
+@@ -89,6 +89,8 @@ files_dontaudit_search_home(vpnc_t)
+ 
+ auth_use_nsswitch(vpnc_t)
+ 
++init_dontaudit_use_fds(vpnc_t)
++
+ libs_exec_ld_so(vpnc_t)
+ libs_exec_lib_files(vpnc_t)
+ 
+@@ -106,7 +108,8 @@ sysnet_etc_filetrans_config(vpnc_t)
  sysnet_manage_config(vpnc_t)
  
  userdom_use_all_users_fds(vpnc_t)
@@ -3282,10 +3307,10 @@ index 0000000..7b1047f
 +')
 diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te
 new file mode 100644
-index 0000000..0fbe8cc
+index 0000000..9f6478c
 --- /dev/null
 +++ b/policy/modules/apps/chrome.te
-@@ -0,0 +1,115 @@
+@@ -0,0 +1,117 @@
 +policy_module(chrome,1.0.0)
 +
 +########################################
@@ -3386,6 +3411,7 @@ index 0000000..0fbe8cc
 +	fs_search_nfs(chrome_sandbox_t)
 +	fs_exec_nfs_files(chrome_sandbox_t)
 +	fs_read_nfs_files(chrome_sandbox_t)
++	fs_rw_inherited_nfs_files(chrome_sandbox_t)
 +	fs_read_nfs_symlinks(chrome_sandbox_t)
 +	fs_dontaudit_append_nfs_files(chrome_sandbox_t)
 +')
@@ -3393,6 +3419,7 @@ index 0000000..0fbe8cc
 +tunable_policy(`use_samba_home_dirs',`
 +	fs_search_cifs(chrome_sandbox_t)
 +	fs_exec_cifs_files(chrome_sandbox_t)
++	fs_rw_inherited_cifs_files(chrome_sandbox_t)
 +	fs_read_cifs_files(chrome_sandbox_t)
 +	fs_read_cifs_symlinks(chrome_sandbox_t)
 +	fs_dontaudit_append_cifs_files(chrome_sandbox_t)
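Review bot: `fs_rw_inherited_cifs_files` is inserted between the exec and read calls here, while the matching `fs_rw_inherited_nfs_files` in the use_nfs_home_dirs block above is placed after `fs_read_nfs_files`; keeping both tunable blocks in the same order (search, exec, read, rw_inherited, read_symlinks, dontaudit_append) makes the parallel easy to diff. Purely stylistic; the rules themselves correspond one to one.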
@@ -6155,7 +6182,7 @@ index 93ac529..35b51ab 100644
 +/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
 +/usr/lib/xulrunner[^/]*/plugin-container		--	gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
 diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
-index fbb5c5a..90c34fa 100644
+index fbb5c5a..8f91e55 100644
 --- a/policy/modules/apps/mozilla.if
 +++ b/policy/modules/apps/mozilla.if
 @@ -29,6 +29,8 @@ interface(`mozilla_role',`
@@ -6193,12 +6220,13 @@ index fbb5c5a..90c34fa 100644
  ')
  
  ########################################
-@@ -228,6 +238,29 @@ interface(`mozilla_run_plugin',`
+@@ -228,6 +238,30 @@ interface(`mozilla_run_plugin',`
  
  	mozilla_domtrans_plugin($1)
  	role $2 types mozilla_plugin_t;
 +
 +	allow $1 mozilla_plugin_t:unix_stream_socket { connectto rw_socket_perms };
++	allow $1 mozilla_plugin_t:fd use;
 +
 +	allow mozilla_plugin_t $1:unix_stream_socket rw_socket_perms;
 +')
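Review bot: `allow $1 mozilla_plugin_t:fd use;` extends `mozilla_run_plugin` beyond a role-enabled domain transition, as the unix_stream_socket rules around it already did, and the interface's documentation block (above the hunk, not shown) should say so: callers using only `mozilla_domtrans_plugin` will not get the fd or socket sharing, so a reader picking an interface needs to know the difference. Suggested wording for the summary: `Execute mozilla_plugin in the mozilla_plugin domain, allow the role to use it, and share unix stream sockets and file descriptors between the caller and mozilla_plugin_t.` The interface begins before this hunk.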
@@ -6223,7 +6251,7 @@ index fbb5c5a..90c34fa 100644
  ')
  
  ########################################
-@@ -269,9 +302,27 @@ interface(`mozilla_rw_tcp_sockets',`
+@@ -269,9 +303,27 @@ interface(`mozilla_rw_tcp_sockets',`
  	allow $1 mozilla_t:tcp_socket rw_socket_perms;
  ')
  
@@ -6252,7 +6280,7 @@ index fbb5c5a..90c34fa 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -279,28 +330,28 @@ interface(`mozilla_rw_tcp_sockets',`
+@@ -279,28 +331,28 @@ interface(`mozilla_rw_tcp_sockets',`
  ##	</summary>
  ## </param>
  #
@@ -8491,10 +8519,10 @@ index 0000000..6efdeca
 +')
 diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te
 new file mode 100644
-index 0000000..61a5e86
+index 0000000..0b38d9d
 --- /dev/null
 +++ b/policy/modules/apps/sandbox.te
-@@ -0,0 +1,493 @@
+@@ -0,0 +1,486 @@
 +policy_module(sandbox,1.0.0)
 +dbus_stub()
 +attribute sandbox_domain;
@@ -8665,25 +8693,20 @@ index 0000000..61a5e86
 +#
 +# sandbox_x_domain local policy
 +#
++allow sandbox_x_domain self:process { getattr signal_perms getsched setsched setpgid execstack execmem };
 +allow sandbox_x_domain self:fifo_file manage_file_perms;
 +allow sandbox_x_domain self:sem create_sem_perms;
 +allow sandbox_x_domain self:shm create_shm_perms;
 +allow sandbox_x_domain self:msgq create_msgq_perms;
-+allow sandbox_x_domain self:unix_stream_socket create_stream_socket_perms;
++allow sandbox_x_domain self:netlink_selinux_socket create_socket_perms;
 +allow sandbox_x_domain self:unix_dgram_socket { sendto create_socket_perms };
-+allow sandbox_x_domain self:netlink_selinux_socket { create_socket_perms };
-+
-+allow sandbox_x_domain self:unix_stream_socket create_stream_socket_perms;
++allow sandbox_x_domain self:unix_stream_socket { connectto create_stream_socket_perms };
 +
-+allow sandbox_x_domain self:process { getattr signal_perms getsched setsched setpgid execstack execmem };
 +dontaudit sandbox_x_domain sandbox_x_domain:process signal;
 +dontaudit sandbox_x_domain sandbox_xserver_t:process signal;
++dontaudit sandbox_x_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 +
-+allow sandbox_x_domain self:shm create_shm_perms;
-+allow sandbox_x_domain self:unix_stream_socket { connectto create_stream_socket_perms };
-+allow sandbox_x_domain self:unix_dgram_socket { sendto create_socket_perms };
 +allow sandbox_x_domain sandbox_xserver_t:unix_stream_socket connectto;
-+dontaudit sandbox_x_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 +
 +allow sandbox_x_domain sandbox_devpts_t:chr_file { rw_term_perms setattr };
 +term_create_pty(sandbox_x_domain,sandbox_devpts_t)
@@ -8833,7 +8856,6 @@ index 0000000..61a5e86
 +allow sandbox_x_client_t self:tcp_socket create_stream_socket_perms;
 +allow sandbox_x_client_t self:udp_socket create_socket_perms;
 +allow sandbox_x_client_t self:dbus { acquire_svc send_msg };
-+allow sandbox_x_client_t self:netlink_selinux_socket create_socket_perms;
 +
 +dev_read_rand(sandbox_x_client_t)
 +
@@ -8862,7 +8884,6 @@ index 0000000..61a5e86
 +allow sandbox_web_type self:tcp_socket create_stream_socket_perms;
 +allow sandbox_web_type self:udp_socket create_socket_perms;
 +allow sandbox_web_type self:dbus { acquire_svc send_msg };
-+allow sandbox_web_type self:netlink_selinux_socket create_socket_perms;
 +
 +kernel_dontaudit_search_kernel_sysctl(sandbox_web_type)
 +kernel_request_load_module(sandbox_web_type)
@@ -12946,7 +12967,7 @@ index c19518a..ba08cfe 100644
 +/nsr(/.*)?			gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?			gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index ff006ea..5ce2d76 100644
+index ff006ea..c0e0b1e 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
 @@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',`
@@ -13709,7 +13730,7 @@ index ff006ea..5ce2d76 100644
  ')
  
  ########################################
-@@ -5815,6 +6165,80 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -5815,6 +6165,98 @@ interface(`files_dontaudit_ioctl_all_pids',`
  
  ########################################
  ## <summary>
@@ -13749,6 +13770,24 @@ index ff006ea..5ce2d76 100644
 +
 +########################################
 +## <summary>
++##	Create all pid sockets
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_create_all_pid_sockets',`
++	gen_require(`
++		attribute pidfile;
++	')
++
++	allow $1 pidfile:sock_file create_sock_file_perms;
++')
++
++########################################
++## <summary>
 +##	Delete all pid named pipes
 +## </summary>
 +## <param name="domain">
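Review bot: `files_create_all_pid_sockets` grants `create_sock_file_perms` on every pidfile type but no directory permission, so a caller that is not already allowed to add entries to the pidfile directories still fails at the dir check; compare `files_read_all_pids` just below, which pairs its file rule with `list_dirs_pattern($1, var_t, pidfile)`. If the intended caller (systemd, per the commit message) already manages pid directories this is fine, but the summary should state the dependency, e.g. `## Create sock files of all pid file types; the caller must separately be allowed to write the containing directories.` The wide scope (every pidfile type) is the reason this deserves a caller-side comment wherever it is invoked.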
@@ -13790,7 +13829,7 @@ index ff006ea..5ce2d76 100644
  ##	Read all process ID files.
  ## </summary>
  ## <param name="domain">
-@@ -5832,6 +6256,44 @@ interface(`files_read_all_pids',`
+@@ -5832,6 +6274,44 @@ interface(`files_read_all_pids',`
  
  	list_dirs_pattern($1, var_t, pidfile)
  	read_files_pattern($1, pidfile, pidfile)
@@ -13835,7 +13874,7 @@ index ff006ea..5ce2d76 100644
  ')
  
  ########################################
-@@ -6042,7 +6504,7 @@ interface(`files_spool_filetrans',`
+@@ -6042,7 +6522,7 @@ interface(`files_spool_filetrans',`
  	')
  
  	allow $1 var_t:dir search_dir_perms;
@@ -13844,7 +13883,7 @@ index ff006ea..5ce2d76 100644
  ')
  
  ########################################
-@@ -6117,3 +6579,284 @@ interface(`files_unconfined',`
+@@ -6117,3 +6597,284 @@ interface(`files_unconfined',`
  
  	typeattribute $1 files_unconfined_type;
  ')
@@ -16710,7 +16749,7 @@ index 2be17d2..1a6d9d1 100644
 +	userdom_execmod_user_home_files(staff_usertype)
 +')
 diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index e14b961..bd304b2 100644
+index e14b961..a9aeb68 100644
 --- a/policy/modules/roles/sysadm.te
 +++ b/policy/modules/roles/sysadm.te
 @@ -24,20 +24,55 @@ ifndef(`enable_mls',`
@@ -16962,18 +17001,16 @@ index e14b961..bd304b2 100644
  ')
  
  optional_policy(`
-@@ -332,10 +396,6 @@ optional_policy(`
+@@ -332,7 +396,7 @@ optional_policy(`
  ')
  
  optional_policy(`
 -	thunderbird_role(sysadm_r, sysadm_t)
--')
--
--optional_policy(`
- 	tripwire_run_siggen(sysadm_t, sysadm_r)
- 	tripwire_run_tripwire(sysadm_t, sysadm_r)
- 	tripwire_run_twadmin(sysadm_t, sysadm_r)
-@@ -343,19 +403,15 @@ optional_policy(`
++	systemd_passwd_agent_run(sysadm_t, sysadm_r)
+ ')
+ 
+ optional_policy(`
+@@ -343,19 +407,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -16995,7 +17032,7 @@ index e14b961..bd304b2 100644
  ')
  
  optional_policy(`
-@@ -367,45 +423,45 @@ optional_policy(`
+@@ -367,45 +427,45 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17052,7 +17089,7 @@ index e14b961..bd304b2 100644
  		auth_role(sysadm_r, sysadm_t)
  	')
  
-@@ -439,6 +495,7 @@ ifndef(`distro_redhat',`
+@@ -439,6 +499,7 @@ ifndef(`distro_redhat',`
  
  	optional_policy(`
  		gnome_role(sysadm_r, sysadm_t)
@@ -17060,20 +17097,20 @@ index e14b961..bd304b2 100644
  	')
  
  	optional_policy(`
-@@ -446,11 +503,62 @@ ifndef(`distro_redhat',`
+@@ -446,11 +507,62 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
 -		irc_role(sysadm_r, sysadm_t)
 +		java_role(sysadm_r, sysadm_t)
-+	')
-+
-+	optional_policy(`
-+		lockdev_role(sysadm_r, sysadm_t)
  	')
  
  	optional_policy(`
 -		java_role(sysadm_r, sysadm_t)
++		lockdev_role(sysadm_r, sysadm_t)
++	')
++
++	optional_policy(`
 +		mozilla_role(sysadm_r, sysadm_t)
 +	')
 +
@@ -18701,21 +18738,23 @@ index e88b95f..0eb55db 100644
 -#gen_user(xguest_u,, xguest_r, s0, s0)
 +gen_user(xguest_u, user, xguest_r, s0, s0)
 diff --git a/policy/modules/services/abrt.fc b/policy/modules/services/abrt.fc
-index 1bd5812..7112560 100644
+index 1bd5812..f7a7a96 100644
 --- a/policy/modules/services/abrt.fc
 +++ b/policy/modules/services/abrt.fc
-@@ -3,8 +3,9 @@
+@@ -1,11 +1,9 @@
+ /etc/abrt(/.*)?				gen_context(system_u:object_r:abrt_etc_t,s0)
+ /etc/rc\.d/init\.d/abrt		--	gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
  
++/usr/bin/abrt-dump-oops 	--	gen_context(system_u:object_r:abrt_helper_exec_t,s0)
  /usr/bin/abrt-pyhook-helper 	--	gen_context(system_u:object_r:abrt_helper_exec_t,s0)
  
 -/usr/libexec/abrt-pyhook-helper --	gen_context(system_u:object_r:abrt_helper_exec_t,s0)
-+/usr/libexec/abrt-hook-ccpp 	--	gen_context(system_u:object_r:abrt_helper_exec_t,s0)
- /usr/libexec/abrt-hook-python 	--	gen_context(system_u:object_r:abrt_helper_exec_t,s0)
-+/usr/libexec/abrt-pyhook-helper --	gen_context(system_u:object_r:abrt_helper_exec_t,s0)
- 
+-/usr/libexec/abrt-hook-python 	--	gen_context(system_u:object_r:abrt_helper_exec_t,s0)
+-
  /usr/sbin/abrtd			--	gen_context(system_u:object_r:abrt_exec_t,s0)
  
-@@ -15,6 +16,21 @@
+ /var/cache/abrt(/.*)?			gen_context(system_u:object_r:abrt_var_cache_t,s0)
+@@ -15,6 +13,19 @@
  
  /var/run/abrt\.pid		--	gen_context(system_u:object_r:abrt_var_run_t,s0)
  /var/run/abrtd?\.lock		--	gen_context(system_u:object_r:abrt_var_run_t,s0)
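Review bot: The `/usr/libexec/abrt-hook-ccpp` context that the previous revision of this patch introduced is dropped along with `abrt-hook-python`, and no replacement entry appears; if the ccpp hook binary still ships at that path it will now run with the libexec default label instead of transitioning to abrt_helper_t, which would silently lose confinement for the core-dump hook. Confirm against the abrt package's file list before this lands, and if the binary moved, add its new path with `abrt_helper_exec_t` here.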
@@ -18735,8 +18774,6 @@ index 1bd5812..7112560 100644
 +/usr/bin/retrace-server-worker				--      gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
 +/var/cache/retrace-server(/.*)?						gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
 +/var/spool/retrace-server(/.*)?						gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
-+
-+
 diff --git a/policy/modules/services/abrt.if b/policy/modules/services/abrt.if
 index 0b827c5..7382308 100644
 --- a/policy/modules/services/abrt.if
@@ -18937,7 +18974,7 @@ index 0b827c5..7382308 100644
 +    read_lnk_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
 +')
 diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
-index 30861ec..28604d3 100644
+index 30861ec..a7f44c9 100644
 --- a/policy/modules/services/abrt.te
 +++ b/policy/modules/services/abrt.te
 @@ -5,6 +5,14 @@ policy_module(abrt, 1.2.0)
@@ -18955,7 +18992,14 @@ index 30861ec..28604d3 100644
  type abrt_t;
  type abrt_exec_t;
  init_daemon_domain(abrt_t, abrt_exec_t)
-@@ -43,14 +51,37 @@ ifdef(`enable_mcs',`
+@@ -37,20 +45,44 @@ files_pid_file(abrt_var_run_t)
+ type abrt_helper_t;
+ type abrt_helper_exec_t;
+ application_domain(abrt_helper_t, abrt_helper_exec_t)
++init_system_domain(abrt_helper_t, abrt_helper_exec_t)
+ role system_r types abrt_helper_t;
+ 
+ ifdef(`enable_mcs',`
  	init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
  ')
  
@@ -18995,7 +19039,7 @@ index 30861ec..28604d3 100644
  
  allow abrt_t self:fifo_file rw_fifo_file_perms;
  allow abrt_t self:tcp_socket create_stream_socket_perms;
-@@ -59,6 +90,7 @@ allow abrt_t self:unix_dgram_socket create_socket_perms;
+@@ -59,6 +91,7 @@ allow abrt_t self:unix_dgram_socket create_socket_perms;
  allow abrt_t self:netlink_route_socket r_netlink_socket_perms;
  
  # abrt etc files
@@ -19003,7 +19047,7 @@ index 30861ec..28604d3 100644
  rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
  
  # log file
-@@ -69,6 +101,7 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file)
+@@ -69,6 +102,7 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file)
  manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
  manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
  files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
@@ -19011,7 +19055,7 @@ index 30861ec..28604d3 100644
  
  # abrt var/cache files
  manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
-@@ -82,7 +115,7 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
+@@ -82,7 +116,7 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
  manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
  manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
  manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
@@ -19020,7 +19064,7 @@ index 30861ec..28604d3 100644
  
  kernel_read_ring_buffer(abrt_t)
  kernel_read_system_state(abrt_t)
-@@ -104,6 +137,7 @@ corenet_tcp_connect_all_ports(abrt_t)
+@@ -104,6 +138,7 @@ corenet_tcp_connect_all_ports(abrt_t)
  corenet_sendrecv_http_client_packets(abrt_t)
  
  dev_getattr_all_chr_files(abrt_t)
@@ -19028,7 +19072,7 @@ index 30861ec..28604d3 100644
  dev_read_urand(abrt_t)
  dev_rw_sysfs(abrt_t)
  dev_dontaudit_read_raw_memory(abrt_t)
-@@ -113,7 +147,8 @@ domain_read_all_domains_state(abrt_t)
+@@ -113,7 +148,8 @@ domain_read_all_domains_state(abrt_t)
  domain_signull_all_domains(abrt_t)
  
  files_getattr_all_files(abrt_t)
@@ -19038,7 +19082,7 @@ index 30861ec..28604d3 100644
  files_read_var_symlinks(abrt_t)
  files_read_var_lib_files(abrt_t)
  files_read_usr_files(abrt_t)
-@@ -121,6 +156,8 @@ files_read_generic_tmp_files(abrt_t)
+@@ -121,6 +157,8 @@ files_read_generic_tmp_files(abrt_t)
  files_read_kernel_modules(abrt_t)
  files_dontaudit_list_default(abrt_t)
  files_dontaudit_read_default_files(abrt_t)
@@ -19047,7 +19091,7 @@ index 30861ec..28604d3 100644
  
  fs_list_inotifyfs(abrt_t)
  fs_getattr_all_fs(abrt_t)
-@@ -131,7 +168,7 @@ fs_read_nfs_files(abrt_t)
+@@ -131,7 +169,7 @@ fs_read_nfs_files(abrt_t)
  fs_read_nfs_symlinks(abrt_t)
  fs_search_all(abrt_t)
  
@@ -19056,7 +19100,7 @@ index 30861ec..28604d3 100644
  
  logging_read_generic_logs(abrt_t)
  logging_send_syslog_msg(abrt_t)
-@@ -140,6 +177,16 @@ miscfiles_read_generic_certs(abrt_t)
+@@ -140,6 +178,16 @@ miscfiles_read_generic_certs(abrt_t)
  miscfiles_read_localization(abrt_t)
  
  userdom_dontaudit_read_user_home_content_files(abrt_t)
@@ -19073,7 +19117,7 @@ index 30861ec..28604d3 100644
  
  optional_policy(`
  	dbus_system_domain(abrt_t, abrt_exec_t)
-@@ -150,6 +197,11 @@ optional_policy(`
+@@ -150,6 +198,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -19085,7 +19129,7 @@ index 30861ec..28604d3 100644
  	policykit_dbus_chat(abrt_t)
  	policykit_domtrans_auth(abrt_t)
  	policykit_read_lib(abrt_t)
-@@ -167,6 +219,7 @@ optional_policy(`
+@@ -167,6 +220,7 @@ optional_policy(`
  	rpm_exec(abrt_t)
  	rpm_dontaudit_manage_db(abrt_t)
  	rpm_manage_cache(abrt_t)
@@ -19093,7 +19137,7 @@ index 30861ec..28604d3 100644
  	rpm_manage_pid_files(abrt_t)
  	rpm_read_db(abrt_t)
  	rpm_signull(abrt_t)
-@@ -178,12 +231,18 @@ optional_policy(`
+@@ -178,12 +232,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -19113,7 +19157,12 @@ index 30861ec..28604d3 100644
  #
  
  allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -203,6 +262,7 @@ read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
+@@ -200,9 +260,12 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
+ read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
+ read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
+ 
++corecmd_read_all_executables(abrt_helper_t)
++
  domain_read_all_domains_state(abrt_helper_t)
  
  files_read_etc_files(abrt_helper_t)
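Review bot: `corecmd_read_all_executables(abrt_helper_t)` gives the helper read access to every executable type in the policy, not only bin_t, which is wider than `corecmd_read_bin_files` and should carry a why-comment; presumably the hooks read the crashing program's binary whatever its exec type, in which case `# the hooks read the crashing executable, which may have any exec type` says so. If the denial that motivated it was for a bin_t file only, the narrower interface is enough.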
@@ -19121,7 +19170,7 @@ index 30861ec..28604d3 100644
  
  fs_list_inotifyfs(abrt_helper_t)
  fs_getattr_all_fs(abrt_helper_t)
-@@ -216,7 +276,8 @@ miscfiles_read_localization(abrt_helper_t)
+@@ -216,7 +279,8 @@ miscfiles_read_localization(abrt_helper_t)
  term_dontaudit_use_all_ttys(abrt_helper_t)
  term_dontaudit_use_all_ptys(abrt_helper_t)
  
@@ -19131,7 +19180,7 @@ index 30861ec..28604d3 100644
  	userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
  	userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
  	dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -224,4 +285,100 @@ ifdef(`hide_broken_symptoms', `
+@@ -224,4 +288,100 @@ ifdef(`hide_broken_symptoms', `
  	dev_dontaudit_write_all_chr_files(abrt_helper_t)
  	dev_dontaudit_write_all_blk_files(abrt_helper_t)
  	fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -19610,10 +19659,18 @@ index d96fdfa..e07158f 100644
  ifdef(`distro_debian',`
  /usr/sbin/amavisd-new-cronjob	--	gen_context(system_u:object_r:amavis_exec_t,s0)
 diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te
-index deca9d3..841fa8f 100644
+index deca9d3..4556eb2 100644
 --- a/policy/modules/services/amavis.te
 +++ b/policy/modules/services/amavis.te
-@@ -153,24 +153,28 @@ sysnet_use_ldap(amavis_t)
+@@ -128,6 +128,7 @@ corenet_tcp_connect_razor_port(amavis_t)
+ 
+ dev_read_rand(amavis_t)
+ dev_read_urand(amavis_t)
++dev_read_sysfs(amavis_t)
+ 
+ domain_use_interactive_fds(amavis_t)
+ 
+@@ -153,24 +154,28 @@ sysnet_use_ldap(amavis_t)
  
  userdom_dontaudit_search_user_home_dirs(amavis_t)
  
@@ -21577,10 +21634,18 @@ index 8b8143e..c1a2b96 100644
  
  	init_labeled_script_domtrans($1, asterisk_initrc_exec_t)
 diff --git a/policy/modules/services/asterisk.te b/policy/modules/services/asterisk.te
-index b3b0176..e343da3 100644
+index b3b0176..0e8a352 100644
 --- a/policy/modules/services/asterisk.te
 +++ b/policy/modules/services/asterisk.te
-@@ -39,7 +39,7 @@ files_pid_file(asterisk_var_run_t)
+@@ -23,6 +23,7 @@ files_type(asterisk_spool_t)
+ 
+ type asterisk_tmp_t;
+ files_tmp_file(asterisk_tmp_t)
++mta_system_content(asterisk_tmp_t)
+ 
+ type asterisk_tmpfs_t;
+ files_tmpfs_file(asterisk_tmpfs_t)
+@@ -39,7 +40,7 @@ files_pid_file(asterisk_var_run_t)
  #
  
  # dac_override for /var/run/asterisk
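Review bot: `mta_system_content(asterisk_tmp_t)` exposes asterisk's entire temporary-file type to whichever MTA domains are allowed system mail content, and nothing in the hunk says why; a comment such as `# mail asterisk sends (voicemail notifications, presumably) is handed to the MTA from asterisk_tmp_t` keeps the next reader from treating it as an accidental widening. If only a specific set of files is passed to sendmail, a dedicated type for those files would be narrower than opening the whole tmp type.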
@@ -21589,7 +21654,7 @@ index b3b0176..e343da3 100644
  dontaudit asterisk_t self:capability sys_tty_config;
  allow asterisk_t self:process { getsched setsched signal_perms getcap setcap };
  allow asterisk_t self:fifo_file rw_fifo_file_perms;
-@@ -76,10 +76,11 @@ fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file f
+@@ -76,10 +77,11 @@ fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file f
  manage_files_pattern(asterisk_t, asterisk_var_lib_t, asterisk_var_lib_t)
  files_var_lib_filetrans(asterisk_t, asterisk_var_lib_t, file)
  
@@ -21602,7 +21667,7 @@ index b3b0176..e343da3 100644
  
  kernel_read_system_state(asterisk_t)
  kernel_read_kernel_sysctls(asterisk_t)
-@@ -108,6 +109,8 @@ corenet_tcp_bind_generic_port(asterisk_t)
+@@ -108,6 +110,8 @@ corenet_tcp_bind_generic_port(asterisk_t)
  corenet_udp_bind_generic_port(asterisk_t)
  corenet_dontaudit_udp_bind_all_ports(asterisk_t)
  corenet_sendrecv_generic_server_packets(asterisk_t)
@@ -21611,7 +21676,15 @@ index b3b0176..e343da3 100644
  corenet_tcp_connect_postgresql_port(asterisk_t)
  corenet_tcp_connect_snmp_port(asterisk_t)
  corenet_tcp_connect_sip_port(asterisk_t)
-@@ -125,6 +128,7 @@ files_search_spool(asterisk_t)
+@@ -116,6 +120,7 @@ dev_rw_generic_usb_dev(asterisk_t)
+ dev_read_sysfs(asterisk_t)
+ dev_read_sound(asterisk_t)
+ dev_write_sound(asterisk_t)
++dev_read_rand(asterisk_t)
+ dev_read_urand(asterisk_t)
+ 
+ domain_use_interactive_fds(asterisk_t)
+@@ -125,6 +130,7 @@ files_search_spool(asterisk_t)
  # demo files installed in /usr/share/asterisk/sounds/demo-instruct.gsm
  # are labeled usr_t
  files_read_usr_files(asterisk_t)
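Review bot: `dev_read_rand(asterisk_t)` has no comment although the commit message carries the reason (`Allow asterisk to read /dev/random if it uses TLS`); that belongs in the .te next to the rule, e.g. `# TLS support reads /dev/random`, since the changelog is not what a later reader of this file sees. Read access to the random device is harmless from the policy's side; the fact that /dev/random can block is asterisk's choice, not a policy concern.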
@@ -21619,7 +21692,7 @@ index b3b0176..e343da3 100644
  
  fs_getattr_all_fs(asterisk_t)
  fs_list_inotifyfs(asterisk_t)
-@@ -141,6 +145,10 @@ userdom_dontaudit_use_unpriv_user_fds(asterisk_t)
+@@ -141,6 +147,10 @@ userdom_dontaudit_use_unpriv_user_fds(asterisk_t)
  userdom_dontaudit_search_user_home_dirs(asterisk_t)
  
  optional_policy(`
@@ -24578,10 +24651,10 @@ index 0258b48..8535cc6 100644
  manage_dirs_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
  manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
 diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
-index 74505cc..a58903f 100644
+index 74505cc..07f38d7 100644
 --- a/policy/modules/services/colord.te
 +++ b/policy/modules/services/colord.te
-@@ -41,8 +41,9 @@ manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
+@@ -41,8 +41,12 @@ manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
  manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
  files_var_lib_filetrans(colord_t, colord_var_lib_t, { file dir })
  
@@ -24589,10 +24662,13 @@ index 74505cc..a58903f 100644
 +kernel_read_system_state(colord_t)
  kernel_read_device_sysctls(colord_t)
 +kernel_request_load_module(colord_t)
++
++#reads *.ini files
++corecmd_read_bin_files(colord_t)
  
  corenet_all_recvfrom_unlabeled(colord_t)
  corenet_all_recvfrom_netlabel(colord_t)
-@@ -50,6 +51,8 @@ corenet_udp_bind_generic_node(colord_t)
+@@ -50,6 +54,8 @@ corenet_udp_bind_generic_node(colord_t)
  corenet_udp_bind_ipp_port(colord_t)
  corenet_tcp_connect_ipp_port(colord_t)
  
@@ -24601,7 +24677,7 @@ index 74505cc..a58903f 100644
  dev_read_video_dev(colord_t)
  dev_write_video_dev(colord_t)
  dev_rw_printer(colord_t)
-@@ -65,8 +68,16 @@ files_list_mnt(colord_t)
+@@ -65,19 +71,31 @@ files_list_mnt(colord_t)
  files_read_etc_files(colord_t)
  files_read_usr_files(colord_t)
  
@@ -24618,9 +24694,11 @@ index 74505cc..a58903f 100644
  logging_send_syslog_msg(colord_t)
  
  miscfiles_read_localization(colord_t)
-@@ -74,10 +85,12 @@ miscfiles_read_localization(colord_t)
+ 
  sysnet_dns_name_resolve(colord_t)
  
++userdom_rw_user_tmpfs_files(colord_t)
++
  tunable_policy(`use_nfs_home_dirs',`
 +	fs_getattr_nfs(colord_t)
  	fs_read_nfs_files(colord_t)
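Review bot: `userdom_rw_user_tmpfs_files(colord_t)` lets the root-running colord daemon read and write every user's tmpfs objects, not only the ones a session deliberately hands it, which is a two-way channel between unprivileged sessions and a system daemon; the commit message says only that colord must "interact with the users through the tmpfs file system". If the interaction is over descriptors passed across D-Bus, an interface limited to inherited descriptors would be preferable, should userdom.if provide one for tmpfs files. At minimum add a comment making the widening deliberate, e.g. `# user sessions share profile data with colord through per-user tmpfs files`.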
@@ -24631,7 +24709,7 @@ index 74505cc..a58903f 100644
  	fs_read_cifs_files(colord_t)
  ')
  
-@@ -89,6 +102,10 @@ optional_policy(`
+@@ -89,6 +107,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -25034,7 +25112,7 @@ index 13d2f63..a048c53 100644
  type cpuspeed_t;
  type cpuspeed_exec_t;
 diff --git a/policy/modules/services/cron.fc b/policy/modules/services/cron.fc
-index 2eefc08..6030f34 100644
+index 2eefc08..34ab5ce 100644
 --- a/policy/modules/services/cron.fc
 +++ b/policy/modules/services/cron.fc
 @@ -14,9 +14,10 @@
@@ -25049,14 +25127,12 @@ index 2eefc08..6030f34 100644
  
  /var/spool/anacron(/.*)?		gen_context(system_u:object_r:system_cron_spool_t,s0)
  /var/spool/at(/.*)?			gen_context(system_u:object_r:user_cron_spool_t,s0)
-@@ -45,3 +46,7 @@ ifdef(`distro_suse', `
+@@ -45,3 +46,5 @@ ifdef(`distro_suse', `
  /var/spool/fcron/systab\.orig	--	gen_context(system_u:object_r:system_cron_spool_t,s0)
  /var/spool/fcron/systab		--	gen_context(system_u:object_r:system_cron_spool_t,s0)
  /var/spool/fcron/new\.systab	--	gen_context(system_u:object_r:system_cron_spool_t,s0)
 +
 +/var/lib/glpi/files(/.*)?		gen_context(system_u:object_r:cron_var_lib_t,s0)
-+
-+/var/log/mcelog.*		--	gen_context(system_u:object_r:cron_log_t,s0)
 diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if
 index 35241ed..3a54286 100644
 --- a/policy/modules/services/cron.if
@@ -27496,10 +27572,10 @@ index 0000000..60c81d6
 +')
 diff --git a/policy/modules/services/dirsrv-admin.te b/policy/modules/services/dirsrv-admin.te
 new file mode 100644
-index 0000000..b7fc006
+index 0000000..5214120
 --- /dev/null
 +++ b/policy/modules/services/dirsrv-admin.te
-@@ -0,0 +1,100 @@
+@@ -0,0 +1,101 @@
 +policy_module(dirsrv-admin,1.0.0) 
 +
 +########################################
@@ -27523,7 +27599,8 @@ index 0000000..b7fc006
 +# Local policy for the daemon
 +#
 +allow dirsrvadmin_t self:fifo_file rw_fifo_file_perms;
-+allow dirsrvadmin_t self:capability { dac_read_search dac_override sys_tty_config };
++allow dirsrvadmin_t self:capability { dac_read_search dac_override sys_tty_config sys_resource };
++allow dirsrvadmin_t self:process setrlimit;
 +
 +manage_files_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
 +manage_dirs_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
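Review bot: `sys_resource` is a much larger grant than the `ulimit` use case in the commit message needs if the daemon only raises its soft limits, which `process setrlimit` alone covers; CAP_SYS_RESOURCE is required only to raise hard limits and additionally overrides disk quotas and several other kernel limits. Check the AVC that motivated this: if it reported only `setrlimit`, drop `sys_resource` from the capability line; if it reported the capability too, keep it but add `# the start script's ulimit raises a hard rlimit` above the line so the grant is justified in place. The dirsrvadmin_t block continues past the end of the hunk.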
@@ -32743,6 +32820,208 @@ index ca5cfdf..554ad30 100644
  
  auth_use_nsswitch(ktalkd_t)
  
+diff --git a/policy/modules/services/l2tpd.fc b/policy/modules/services/l2tpd.fc
+new file mode 100644
+index 0000000..76d879e
+--- /dev/null
++++ b/policy/modules/services/l2tpd.fc
+@@ -0,0 +1,11 @@
++
++/etc/rc\.d/init\.d/xl2tpd	--	gen_context(system_u:object_r:l2tpd_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/openl2tpd	--	gen_context(system_u:object_r:l2tpd_initrc_exec_t,s0)
++
++/usr/sbin/xl2tpd		--	gen_context(system_u:object_r:l2tpd_exec_t,s0)
++/usr/sbin/openl2tpd		--	gen_context(system_u:object_r:l2tpd_exec_t,s0)
++
++/var/run/xl2tpd(/.*)?			gen_context(system_u:object_r:l2tpd_var_run_t,s0)
++
++/var/run/xl2tpd\.pid			gen_context(system_u:object_r:l2tpd_var_run_t,s0)
++
+diff --git a/policy/modules/services/l2tpd.if b/policy/modules/services/l2tpd.if
+new file mode 100644
+index 0000000..5783d58
+--- /dev/null
++++ b/policy/modules/services/l2tpd.if
+@@ -0,0 +1,115 @@
++
++## <summary>policy for l2tpd</summary>
++
++########################################
++## <summary>
++##	Transition to l2tpd.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`l2tpd_domtrans',`
++	gen_require(`
++		type l2tpd_t, l2tpd_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, l2tpd_exec_t, l2tpd_t)
++')
++
++
++########################################
++## <summary>
++##	Execute l2tpd server in the l2tpd domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`l2tpd_initrc_domtrans',`
++	gen_require(`
++		type l2tpd_initrc_exec_t;
++	')
++
++	init_labeled_script_domtrans($1, l2tpd_initrc_exec_t)
++')
++
++
++########################################
++## <summary>
++##	Read l2tpd PID files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`l2tpd_read_pid_files',`
++	gen_require(`
++		type l2tpd_var_run_t;
++	')
++
++	files_search_pids($1)
++	allow $1 l2tpd_var_run_t:file read_file_perms;
++')
++
++########################################
++## <summary>
++##	Read and write l2tpd unnamed pipes.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`l2tpd_rw_pipes',`
++	gen_require(`
++		type l2tpd_t;
++	')
++
++	allow $1 l2tpd_t:fifo_file rw_fifo_file_perms;
++')
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an l2tpd environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`l2tpd_admin',`
++	gen_require(`
++		type l2tpd_t;
++	type l2tpd_initrc_exec_t;
++	type l2tpd_var_run_t;
++	')
++
++	allow $1 l2tpd_t:process { ptrace signal_perms };
++	ps_process_pattern($1, l2tpd_t)
++
++	l2tpd_initrc_domtrans($1)
++	domain_system_change_exemption($1)
++	role_transition $2 l2tpd_initrc_exec_t system_r;
++	allow $2 system_r;
++
++	files_search_pids($1)
++	admin_pattern($1, l2tpd_var_run_t)
++')
++
+diff --git a/policy/modules/services/l2tpd.te b/policy/modules/services/l2tpd.te
+new file mode 100644
+index 0000000..02359ec
+--- /dev/null
++++ b/policy/modules/services/l2tpd.te
+@@ -0,0 +1,58 @@
++policy_module(l2tpd, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type l2tpd_t;
++type l2tpd_exec_t;
++init_daemon_domain(l2tpd_t, l2tpd_exec_t)
++
++permissive l2tpd_t;
++
++type l2tpd_initrc_exec_t;
++init_script_file(l2tpd_initrc_exec_t)
++
++type l2tpd_tmp_t;
++files_tmp_file(l2tpd_tmp_t)
++
++type l2tpd_var_run_t;
++files_pid_file(l2tpd_var_run_t)
++
++########################################
++#
++# l2tpd local policy
++#
++allow l2tpd_t self:capability net_bind_service;
++allow l2tpd_t self:process signal;
++
++allow l2tpd_t self:fifo_file rw_fifo_file_perms;
++allow l2tpd_t self:unix_stream_socket create_stream_socket_perms;
++allow l2tpd_t self:tcp_socket create_stream_socket_perms;
++
++manage_sock_files_pattern(l2tpd_t, l2tpd_tmp_t, l2tpd_tmp_t)
++files_tmp_filetrans(l2tpd_t, l2tpd_tmp_t, sock_file)
++
++manage_dirs_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t)
++manage_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t)
++manage_sock_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t)
++manage_fifo_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t)
++files_pid_filetrans(l2tpd_t, l2tpd_var_run_t, { dir file sock_file fifo_file })
++
++corenet_tcp_bind_generic_node(l2tpd_t)
++corenet_udp_bind_generic_node(l2tpd_t)
++corenet_udp_bind_generic_port(l2tpd_t)
++corenet_tcp_bind_all_rpc_ports(l2tpd_t)
++
++dev_read_urand(l2tpd_t)
++
++domain_use_interactive_fds(l2tpd_t)
++
++files_read_etc_files(l2tpd_t)
++
++logging_send_syslog_msg(l2tpd_t)
++
++miscfiles_read_localization(l2tpd_t)
++
++sysnet_dns_name_resolve(l2tpd_t)
 diff --git a/policy/modules/services/ldap.fc b/policy/modules/services/ldap.fc
 index c62f23e..92f3475 100644
 --- a/policy/modules/services/ldap.fc
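Review bot: `permissive l2tpd_t;` in the new l2tpd.te means every denial for this domain is logged but not enforced, so the rules below it are effectively unverified; that is the usual bring-up pattern, but a comment marking it as temporary, e.g. `# permissive for initial shipping; remove once denials have been collected`, keeps it from being forgotten. The port rules are also broader than the daemon should need: `corenet_udp_bind_generic_port` covers every unreserved UDP port and `corenet_tcp_bind_all_rpc_ports` every RPC port, so if corenetwork already defines a port type for L2TP (UDP 1701), binding that specifically would be tighter. Two consistency nits in the new files: the `/var/run/xl2tpd\.pid` entry in l2tpd.fc lacks the `--` file-type column its sibling file entries use, and the `gen_require` block in `l2tpd_admin` indents its second and third `type` lines one level less than the first.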
@@ -39286,7 +39565,7 @@ index 69c331e..0555635 100644
  
  auth_rw_login_records(portslave_t)
 diff --git a/policy/modules/services/postfix.fc b/policy/modules/services/postfix.fc
-index a3e85c9..6b97fa5 100644
+index a3e85c9..c0e0959 100644
 --- a/policy/modules/services/postfix.fc
 +++ b/policy/modules/services/postfix.fc
 @@ -1,5 +1,6 @@
@@ -39334,7 +39613,7 @@ index a3e85c9..6b97fa5 100644
  /usr/sbin/postcat	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
  /usr/sbin/postdrop	--	gen_context(system_u:object_r:postfix_postdrop_exec_t,s0)
  /usr/sbin/postfix	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
-@@ -42,9 +44,10 @@ ifdef(`distro_redhat', `
+@@ -42,9 +44,11 @@ ifdef(`distro_redhat', `
  /usr/sbin/postqueue	--	gen_context(system_u:object_r:postfix_postqueue_exec_t,s0)
  /usr/sbin/postsuper	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
  
@@ -39344,6 +39623,7 @@ index a3e85c9..6b97fa5 100644
 -/var/spool/postfix(/.*)?		gen_context(system_u:object_r:postfix_spool_t,s0)
 +/var/spool/postfix.*		gen_context(system_u:object_r:postfix_spool_t,s0)
 +/var/spool/postfix/deferred(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
++/var/spool/postfix/defer(/.*)? 	  gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
  /var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
  /var/spool/postfix/pid/.*	gen_context(system_u:object_r:postfix_var_run_t,s0)
  /var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
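Review bot: Labeling `/var/spool/postfix/defer(/.*)?` as postfix_spool_maildrop_t folds a queue-manager-internal directory into the type used for the maildrop, so any domain that is allowed to write maildrop_t (presumably the setgid postdrop helper) gains the same access to `defer/`. If this is deliberate because qmgr and showq already handle maildrop_t and a separate type was judged not worth it, a short comment on the line would say so; otherwise a dedicated type for the defer/deferred directories would keep the maildrop grants narrow. The regex itself is fine — it does not also match `deferred/` — though the spacing after it mixes a tab and spaces unlike the surrounding entries.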
@@ -39689,7 +39969,7 @@ index 46bee12..c22af86 100644
 +	role $2 types postfix_postdrop_t;
 +')
 diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
-index a32c4b3..06be6b1 100644
+index a32c4b3..701607c 100644
 --- a/policy/modules/services/postfix.te
 +++ b/policy/modules/services/postfix.te
 @@ -5,6 +5,14 @@ policy_module(postfix, 1.12.1)
@@ -39973,20 +40253,19 @@ index a32c4b3..06be6b1 100644
  stream_connect_pattern(postfix_qmgr_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
  
  rw_fifo_files_pattern(postfix_qmgr_t, postfix_public_t, postfix_public_t)
-@@ -519,7 +579,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
+@@ -519,7 +579,10 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
  
  allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
  allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
 -allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file { getattr read };
 +allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file read_lnk_file_perms;
 +
-+allow postfix_qmgr_t postfix_spool_maildrop_t:dir list_dir_perms;
-+allow postfix_qmgr_t postfix_spool_maildrop_t:file read_file_perms;
++manage_files_pattern(postfix_qmgr_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
 +allow postfix_qmgr_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
  
  corecmd_exec_bin(postfix_qmgr_t)
  
-@@ -539,7 +603,9 @@ postfix_list_spool(postfix_showq_t)
+@@ -539,7 +602,9 @@ postfix_list_spool(postfix_showq_t)
  
  allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
  allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
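Review bot: The new `manage_files_pattern(postfix_qmgr_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)` widens qmgr from list/read on maildrop_t to create/write/unlink plus rw_dir_perms, and nothing in the file explains why a queue manager needs to manage the maildrop type. The commit message gives the reason — `deferred/` was relabeled to maildrop_t and qmgr moves messages through it — so that belongs above the rule: `# deferred/ is labeled postfix_spool_maildrop_t; qmgr moves queue files through it`. Without the comment a later cleanup pass is likely to shrink this back to read access and reintroduce the denial.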
@@ -39997,7 +40276,7 @@ index a32c4b3..06be6b1 100644
  
  # to write the mailq output, it really should not need read access!
  term_use_all_ptys(postfix_showq_t)
-@@ -565,6 +631,10 @@ optional_policy(`
+@@ -565,6 +630,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -40008,7 +40287,7 @@ index a32c4b3..06be6b1 100644
  	milter_stream_connect_all(postfix_smtp_t)
  ')
  
-@@ -588,10 +658,16 @@ corecmd_exec_bin(postfix_smtpd_t)
+@@ -588,10 +657,16 @@ corecmd_exec_bin(postfix_smtpd_t)
  
  # for OpenSSL certificates
  files_read_usr_files(postfix_smtpd_t)
@@ -40025,7 +40304,7 @@ index a32c4b3..06be6b1 100644
  ')
  
  optional_policy(`
-@@ -611,8 +687,8 @@ optional_policy(`
+@@ -611,8 +686,8 @@ optional_policy(`
  # Postfix virtual local policy
  #
  
@@ -40035,7 +40314,7 @@ index a32c4b3..06be6b1 100644
  
  allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
  
-@@ -630,3 +706,8 @@ mta_delete_spool(postfix_virtual_t)
+@@ -630,3 +705,8 @@ mta_delete_spool(postfix_virtual_t)
  # For reading spamassasin
  mta_read_config(postfix_virtual_t)
  mta_manage_spool(postfix_virtual_t)
@@ -41074,7 +41353,7 @@ index 2855a44..c71fa1e 100644
  		type puppet_tmp_t;
  	')
 diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te
-index 64c5f95..1f3974c 100644
+index 64c5f95..cb7c5e2 100644
 --- a/policy/modules/services/puppet.te
 +++ b/policy/modules/services/puppet.te
 @@ -5,13 +5,23 @@ policy_module(puppet, 1.0.0)
@@ -41225,7 +41504,7 @@ index 64c5f95..1f3974c 100644
  
  corecmd_exec_bin(puppetmaster_t)
  corecmd_exec_shell(puppetmaster_t)
-@@ -206,21 +279,45 @@ corenet_tcp_bind_generic_node(puppetmaster_t)
+@@ -206,21 +279,46 @@ corenet_tcp_bind_generic_node(puppetmaster_t)
  corenet_tcp_bind_puppet_port(puppetmaster_t)
  corenet_sendrecv_puppet_server_packets(puppetmaster_t)
  
@@ -41235,6 +41514,7 @@ index 64c5f95..1f3974c 100644
 +
  dev_read_rand(puppetmaster_t)
  dev_read_urand(puppetmaster_t)
++dev_search_sysfs(puppetmaster_t)
  
  domain_read_all_domains_state(puppetmaster_t)
 +domain_obj_id_change_exemption(puppetmaster_t)
@@ -41274,7 +41554,7 @@ index 64c5f95..1f3974c 100644
  optional_policy(`
  	hostname_exec(puppetmaster_t)
  ')
-@@ -231,3 +328,9 @@ optional_policy(`
+@@ -231,3 +329,9 @@ optional_policy(`
  	rpm_exec(puppetmaster_t)
  	rpm_read_db(puppetmaster_t)
  ')
@@ -41921,7 +42201,7 @@ index 5a9630c..c403abc 100644
 +	allow $1 qpidd_t:shm rw_shm_perms;
  ')
 diff --git a/policy/modules/services/qpid.te b/policy/modules/services/qpid.te
-index cb7ecb5..ebf59f1 100644
+index cb7ecb5..dadd322 100644
 --- a/policy/modules/services/qpid.te
 +++ b/policy/modules/services/qpid.te
 @@ -12,12 +12,12 @@ init_daemon_domain(qpidd_t, qpidd_exec_t)
@@ -41940,7 +42220,7 @@ index cb7ecb5..ebf59f1 100644
  ########################################
  #
  # qpidd local policy
-@@ -30,23 +30,24 @@ allow qpidd_t self:shm create_shm_perms;
+@@ -30,24 +30,26 @@ allow qpidd_t self:shm create_shm_perms;
  allow qpidd_t self:tcp_socket create_stream_socket_perms;
  allow qpidd_t self:unix_stream_socket create_stream_socket_perms;
  
@@ -41968,9 +42248,11 @@ index cb7ecb5..ebf59f1 100644
  corenet_tcp_bind_amqp_port(qpidd_t)
 +corenet_tcp_bind_matahari_port(qpidd_t)
  
++dev_read_sysfs(qpidd_t)
  dev_read_urand(qpidd_t)
  
-@@ -61,3 +62,8 @@ sysnet_dns_name_resolve(qpidd_t)
+ files_read_etc_files(qpidd_t)
+@@ -61,3 +63,8 @@ sysnet_dns_name_resolve(qpidd_t)
  optional_policy(`
  	corosync_stream_connect(qpidd_t)
  ')
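Review bot: `dev_read_sysfs(qpidd_t)` grants read on everything under /sys, which is more than the commit message's "qpidd is reading the sysfs file" suggests is required. A comment naming the file it actually opens, e.g. `# qpidd reads /sys/<path-TODO> for <reason-TODO>`, would let a later reviewer judge whether a narrower interface exists, and would also record why `dev_search_sysfs` (which the puppetmaster hunk in this same patch uses) was not enough here.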
@@ -46539,7 +46821,7 @@ index c954f31..c7cadcb 100644
 +	admin_pattern($1, spamd_var_run_t)
  ')
 diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
-index ec1eb1e..7e51d2b 100644
+index ec1eb1e..7573826 100644
 --- a/policy/modules/services/spamassassin.te
 +++ b/policy/modules/services/spamassassin.te
 @@ -6,54 +6,93 @@ policy_module(spamassassin, 2.4.0)
@@ -46755,7 +47037,7 @@ index ec1eb1e..7e51d2b 100644
  miscfiles_read_localization(spamc_t)
  
  # cjp: this should probably be removed:
-@@ -254,27 +322,41 @@ seutil_read_config(spamc_t)
+@@ -254,27 +322,46 @@ seutil_read_config(spamc_t)
  
  sysnet_read_config(spamc_t)
  
@@ -46771,21 +47053,26 @@ index ec1eb1e..7e51d2b 100644
 +	fs_manage_cifs_symlinks(spamc_t)
 +')
 +
++
  optional_policy(`
- 	# Allow connection to spamd socket above
- 	evolution_stream_connect(spamc_t)
+-	# Allow connection to spamd socket above
+-	evolution_stream_connect(spamc_t)
++	abrt_stream_connect(spamc_t)
  ')
  
  optional_policy(`
 -	# Needed for pyzor/razor called from spamd
- 	milter_manage_spamass_state(spamc_t)
+-	milter_manage_spamass_state(spamc_t)
++	# Allow connection to spamd socket above
++	evolution_stream_connect(spamc_t)
  ')
  
  optional_policy(`
 -	nis_use_ypbind(spamc_t)
--')
--
--optional_policy(`
++	milter_manage_spamass_state(spamc_t)
+ ')
+ 
+ optional_policy(`
 -	nscd_socket_use(spamc_t)
 +	postfix_domtrans_postdrop(spamc_t)
 +	postfix_search_spool(spamc_t)
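Review bot: The abrt block is spliced in by rewriting each existing `optional_policy` body in place (evolution becomes abrt, milter becomes evolution, and so on), so a reader of the resulting patch sees three blocks changed when only one was added. Emitting the new `optional_policy(` / `abrt_stream_connect(spamc_t)` / `')` block as a pure insertion ahead of the evolution block, with the other blocks left as context, would make the intent obvious and shrink the hunk. The added blank line at the top of this hunk also leaves two consecutive blank lines before the first `optional_policy(`, which the rest of the file does not do.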
@@ -46803,7 +47090,7 @@ index ec1eb1e..7e51d2b 100644
  ')
  
  ########################################
-@@ -286,7 +368,7 @@ optional_policy(`
+@@ -286,7 +373,7 @@ optional_policy(`
  # setuids to the user running spamc.  Comment this if you are not
  # using this ability.
  
@@ -46812,7 +47099,7 @@ index ec1eb1e..7e51d2b 100644
  dontaudit spamd_t self:capability sys_tty_config;
  allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow spamd_t self:fd use;
-@@ -302,10 +384,17 @@ allow spamd_t self:unix_dgram_socket sendto;
+@@ -302,10 +389,17 @@ allow spamd_t self:unix_dgram_socket sendto;
  allow spamd_t self:unix_stream_socket connectto;
  allow spamd_t self:tcp_socket create_stream_socket_perms;
  allow spamd_t self:udp_socket create_socket_perms;
@@ -46831,7 +47118,7 @@ index ec1eb1e..7e51d2b 100644
  files_spool_filetrans(spamd_t, spamd_spool_t, { file dir })
  
  manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
-@@ -314,11 +403,15 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
+@@ -314,11 +408,15 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
  
  # var/lib files for spamd
  allow spamd_t spamd_var_lib_t:dir list_dir_perms;
@@ -46849,7 +47136,7 @@ index ec1eb1e..7e51d2b 100644
  
  kernel_read_all_sysctls(spamd_t)
  kernel_read_system_state(spamd_t)
-@@ -367,22 +460,27 @@ files_read_var_lib_files(spamd_t)
+@@ -367,22 +465,27 @@ files_read_var_lib_files(spamd_t)
  
  init_dontaudit_rw_utmp(spamd_t)
  
@@ -46881,7 +47168,7 @@ index ec1eb1e..7e51d2b 100644
  	fs_manage_cifs_files(spamd_t)
  ')
  
-@@ -399,7 +497,9 @@ optional_policy(`
+@@ -399,7 +502,9 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -46891,7 +47178,7 @@ index ec1eb1e..7e51d2b 100644
  	dcc_stream_connect_dccifd(spamd_t)
  ')
  
-@@ -408,25 +508,17 @@ optional_policy(`
+@@ -408,25 +513,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -46919,7 +47206,7 @@ index ec1eb1e..7e51d2b 100644
  	postgresql_stream_connect(spamd_t)
  ')
  
-@@ -437,6 +529,10 @@ optional_policy(`
+@@ -437,6 +534,10 @@ optional_policy(`
  
  optional_policy(`
  	razor_domtrans(spamd_t)
@@ -51560,7 +51847,7 @@ index 130ced9..ea8077d 100644
 +	userdom_admin_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")
 +')
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 143c893..5774644 100644
+index 143c893..bc547bf 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
 @@ -26,27 +26,50 @@ gen_require(`
@@ -51766,7 +52053,7 @@ index 143c893..5774644 100644
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_files(iceauth_t)
-@@ -247,52 +301,112 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -247,52 +301,113 @@ tunable_policy(`use_samba_home_dirs',`
  	fs_manage_cifs_files(iceauth_t)
  ')
  
@@ -51796,12 +52083,13 @@ index 143c893..5774644 100644
  allow xauth_t self:process signal;
 +allow xauth_t self:shm create_shm_perms;
  allow xauth_t self:unix_stream_socket create_stream_socket_perms;
- 
++allow xauth_t self:unix_dgram_socket create_socket_perms;
++
 +allow xauth_t xdm_t:process sigchld;
 +allow xauth_t xserver_t:unix_stream_socket connectto;
 +
 +corenet_tcp_connect_xserver_port(xauth_t)
-+
+ 
  allow xauth_t xauth_home_t:file manage_file_perms;
  userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file)
 +userdom_admin_home_dir_filetrans(xauth_t, xauth_home_t, file)
@@ -51816,9 +52104,9 @@ index 143c893..5774644 100644
 -allow xdm_t xauth_home_t:file manage_file_perms;
 -userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file)
 +stream_connect_pattern(xauth_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-+
-+kernel_read_system_state(xauth_t)
  
++kernel_read_network_state(xauth_t)
++kernel_read_system_state(xauth_t)
  kernel_request_load_module(xauth_t)
  
  domain_use_interactive_fds(xauth_t)
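Review bot: `kernel_read_network_state(xauth_t)` opens /proc/net to xauth with no comment, and neither the commit message nor the surrounding rules say which operation needs it; the same applies to the `self:unix_dgram_socket create_socket_perms` added in the preceding hunk of this section. If these came from audit denials, a one-line note above each rule naming the triggering operation, e.g. `# xauth reads /proc/net/* when <operation-TODO>`, keeps the grant reviewable later. Grouping the new rule with `kernel_read_system_state` is a good placement.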
@@ -51885,7 +52173,7 @@ index 143c893..5774644 100644
  optional_policy(`
  	ssh_sigchld(xauth_t)
  	ssh_read_pipes(xauth_t)
-@@ -304,20 +418,36 @@ optional_policy(`
+@@ -304,20 +419,36 @@ optional_policy(`
  # XDM Local policy
  #
  
@@ -51926,7 +52214,7 @@ index 143c893..5774644 100644
  
  # Allow gdm to run gdm-binary
  can_exec(xdm_t, xdm_exec_t)
-@@ -325,43 +455,62 @@ can_exec(xdm_t, xdm_exec_t)
+@@ -325,43 +456,62 @@ can_exec(xdm_t, xdm_exec_t)
  allow xdm_t xdm_lock_t:file manage_file_perms;
  files_lock_filetrans(xdm_t, xdm_lock_t, file)
  
@@ -51995,7 +52283,7 @@ index 143c893..5774644 100644
  
  # connect to xdm xserver over stream socket
  stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -370,18 +519,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+@@ -370,18 +520,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
  delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
  delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
  
@@ -52023,7 +52311,7 @@ index 143c893..5774644 100644
  
  corenet_all_recvfrom_unlabeled(xdm_t)
  corenet_all_recvfrom_netlabel(xdm_t)
-@@ -393,38 +550,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
+@@ -393,38 +551,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
  corenet_udp_sendrecv_all_ports(xdm_t)
  corenet_tcp_bind_generic_node(xdm_t)
  corenet_udp_bind_generic_node(xdm_t)
@@ -52077,7 +52365,7 @@ index 143c893..5774644 100644
  
  files_read_etc_files(xdm_t)
  files_read_var_files(xdm_t)
-@@ -435,9 +603,23 @@ files_list_mnt(xdm_t)
+@@ -435,9 +604,23 @@ files_list_mnt(xdm_t)
  files_read_usr_files(xdm_t)
  # Poweroff wants to create the /poweroff file when run from xdm
  files_create_boot_flag(xdm_t)
@@ -52101,7 +52389,7 @@ index 143c893..5774644 100644
  
  storage_dontaudit_read_fixed_disk(xdm_t)
  storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -446,28 +628,36 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -446,28 +629,36 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
  storage_dontaudit_raw_write_removable_device(xdm_t)
  storage_dontaudit_setattr_removable_dev(xdm_t)
  storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -52140,7 +52428,7 @@ index 143c893..5774644 100644
  
  userdom_dontaudit_use_unpriv_user_fds(xdm_t)
  userdom_create_all_users_keys(xdm_t)
-@@ -476,9 +666,30 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -476,9 +667,30 @@ userdom_read_user_home_content_files(xdm_t)
  # Search /proc for any user domain processes.
  userdom_read_all_users_state(xdm_t)
  userdom_signal_all_users(xdm_t)
@@ -52171,7 +52459,7 @@ index 143c893..5774644 100644
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xdm_t)
-@@ -494,6 +705,14 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -494,6 +706,14 @@ tunable_policy(`use_samba_home_dirs',`
  	fs_exec_cifs_files(xdm_t)
  ')
  
@@ -52186,7 +52474,7 @@ index 143c893..5774644 100644
  tunable_policy(`xdm_sysadm_login',`
  	userdom_xsession_spec_domtrans_all_users(xdm_t)
  	# FIXME:
-@@ -507,11 +726,21 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -507,11 +727,21 @@ tunable_policy(`xdm_sysadm_login',`
  ')
  
  optional_policy(`
@@ -52208,7 +52496,7 @@ index 143c893..5774644 100644
  ')
  
  optional_policy(`
-@@ -519,12 +748,62 @@ optional_policy(`
+@@ -519,12 +749,62 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -52271,7 +52559,7 @@ index 143c893..5774644 100644
  	hostname_exec(xdm_t)
  ')
  
-@@ -542,28 +821,70 @@ optional_policy(`
+@@ -542,28 +822,70 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -52351,7 +52639,7 @@ index 143c893..5774644 100644
  ')
  
  optional_policy(`
-@@ -575,6 +896,14 @@ optional_policy(`
+@@ -575,6 +897,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -52366,7 +52654,7 @@ index 143c893..5774644 100644
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -599,7 +928,7 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -599,7 +929,7 @@ allow xserver_t input_xevent_t:x_event send;
  # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
@@ -52375,7 +52663,7 @@ index 143c893..5774644 100644
  dontaudit xserver_t self:capability chown;
  allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow xserver_t self:fd use;
-@@ -613,8 +942,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -613,8 +943,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -52391,7 +52679,7 @@ index 143c893..5774644 100644
  manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -633,12 +969,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -633,12 +970,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -52413,7 +52701,7 @@ index 143c893..5774644 100644
  
  kernel_read_system_state(xserver_t)
  kernel_read_device_sysctls(xserver_t)
-@@ -646,6 +989,7 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -646,6 +990,7 @@ kernel_read_modprobe_sysctls(xserver_t)
  # Xorg wants to check if kernel is tainted
  kernel_read_kernel_sysctls(xserver_t)
  kernel_write_proc_files(xserver_t)
@@ -52421,7 +52709,7 @@ index 143c893..5774644 100644
  
  # Run helper programs in xserver_t.
  corecmd_exec_bin(xserver_t)
-@@ -672,7 +1016,6 @@ dev_rw_apm_bios(xserver_t)
+@@ -672,7 +1017,6 @@ dev_rw_apm_bios(xserver_t)
  dev_rw_agp(xserver_t)
  dev_rw_framebuffer(xserver_t)
  dev_manage_dri_dev(xserver_t)
@@ -52429,7 +52717,7 @@ index 143c893..5774644 100644
  dev_create_generic_dirs(xserver_t)
  dev_setattr_generic_dirs(xserver_t)
  # raw memory access is needed if not using the frame buffer
-@@ -682,11 +1025,17 @@ dev_wx_raw_memory(xserver_t)
+@@ -682,11 +1026,17 @@ dev_wx_raw_memory(xserver_t)
  dev_rw_xserver_misc(xserver_t)
  # read events - the synaptics touchpad driver reads raw events
  dev_rw_input_dev(xserver_t)
@@ -52447,7 +52735,7 @@ index 143c893..5774644 100644
  
  # brought on by rhgb
  files_search_mnt(xserver_t)
-@@ -697,8 +1046,13 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -697,8 +1047,13 @@ fs_getattr_xattr_fs(xserver_t)
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -52461,7 +52749,7 @@ index 143c893..5774644 100644
  
  selinux_validate_context(xserver_t)
  selinux_compute_access_vector(xserver_t)
-@@ -711,8 +1065,6 @@ init_getpgid(xserver_t)
+@@ -711,8 +1066,6 @@ init_getpgid(xserver_t)
  term_setattr_unallocated_ttys(xserver_t)
  term_use_unallocated_ttys(xserver_t)
  
@@ -52470,7 +52758,7 @@ index 143c893..5774644 100644
  locallogin_use_fds(xserver_t)
  
  logging_send_syslog_msg(xserver_t)
-@@ -720,11 +1072,12 @@ logging_send_audit_msgs(xserver_t)
+@@ -720,11 +1073,12 @@ logging_send_audit_msgs(xserver_t)
  
  miscfiles_read_localization(xserver_t)
  miscfiles_read_fonts(xserver_t)
@@ -52485,7 +52773,7 @@ index 143c893..5774644 100644
  
  userdom_search_user_home_dirs(xserver_t)
  userdom_use_user_ttys(xserver_t)
-@@ -778,16 +1131,36 @@ optional_policy(`
+@@ -778,16 +1132,36 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -52523,7 +52811,7 @@ index 143c893..5774644 100644
  	unconfined_domtrans(xserver_t)
  ')
  
-@@ -796,6 +1169,10 @@ optional_policy(`
+@@ -796,6 +1170,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -52534,7 +52822,7 @@ index 143c893..5774644 100644
  	xfs_stream_connect(xserver_t)
  ')
  
-@@ -811,10 +1188,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -811,10 +1189,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
  
  # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
  # handle of a file inside the dir!!!
@@ -52548,7 +52836,7 @@ index 143c893..5774644 100644
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -822,7 +1199,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -822,7 +1200,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  
  # Run xkbcomp.
@@ -52557,7 +52845,7 @@ index 143c893..5774644 100644
  can_exec(xserver_t, xkb_var_lib_t)
  
  # VNC v4 module in X server
-@@ -835,6 +1212,9 @@ init_use_fds(xserver_t)
+@@ -835,6 +1213,9 @@ init_use_fds(xserver_t)
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -52567,7 +52855,7 @@ index 143c893..5774644 100644
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xserver_t)
-@@ -842,6 +1222,11 @@ tunable_policy(`use_nfs_home_dirs',`
+@@ -842,6 +1223,11 @@ tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_symlinks(xserver_t)
  ')
  
@@ -52579,7 +52867,7 @@ index 143c893..5774644 100644
  tunable_policy(`use_samba_home_dirs',`
  	fs_manage_cifs_dirs(xserver_t)
  	fs_manage_cifs_files(xserver_t)
-@@ -850,11 +1235,14 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -850,11 +1236,14 @@ tunable_policy(`use_samba_home_dirs',`
  
  optional_policy(`
  	dbus_system_bus_client(xserver_t)
@@ -52596,7 +52884,7 @@ index 143c893..5774644 100644
  ')
  
  optional_policy(`
-@@ -862,6 +1250,10 @@ optional_policy(`
+@@ -862,6 +1251,10 @@ optional_policy(`
  	rhgb_rw_tmpfs_files(xserver_t)
  ')
  
@@ -52607,7 +52895,7 @@ index 143c893..5774644 100644
  ########################################
  #
  # Rules common to all X window domains
-@@ -905,7 +1297,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -905,7 +1298,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
  allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
  # operations allowed on my windows
  allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -52616,7 +52904,7 @@ index 143c893..5774644 100644
  # operations allowed on all windows
  allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
  
-@@ -959,11 +1351,31 @@ allow x_domain self:x_resource { read write };
+@@ -959,11 +1352,31 @@ allow x_domain self:x_resource { read write };
  # can mess with the screensaver
  allow x_domain xserver_t:x_screen { getattr saver_getattr };
  
@@ -52648,7 +52936,7 @@ index 143c893..5774644 100644
  tunable_policy(`! xserver_object_manager',`
  	# should be xserver_unconfined(x_domain),
  	# but typeattribute doesnt work in conditionals
-@@ -985,18 +1397,32 @@ tunable_policy(`! xserver_object_manager',`
+@@ -985,18 +1398,32 @@ tunable_policy(`! xserver_object_manager',`
  	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
  ')
  
@@ -53058,7 +53346,7 @@ index c6fdab7..41198a4 100644
  	cron_sigchld(application_domain_type)
  ')
 diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 73554ec..e053e7d 100644
+index 73554ec..4983a9b 100644
 --- a/policy/modules/system/authlogin.if
 +++ b/policy/modules/system/authlogin.if
 @@ -57,6 +57,8 @@ interface(`auth_use_pam',`
@@ -53083,7 +53371,14 @@ index 73554ec..e053e7d 100644
  	domain_subj_id_change_exemption($1)
  	domain_role_change_exemption($1)
  	domain_obj_id_change_exemption($1)
-@@ -111,8 +116,10 @@ interface(`auth_login_pgm_domain',`
+@@ -105,14 +110,17 @@ interface(`auth_login_pgm_domain',`
+ 
+ 	# Needed for pam_selinux_permit to cleanup properly
+ 	domain_read_all_domains_state($1)
++	corecmd_getattr_all_executables($1)
+ 	domain_kill_all_domains($1)
+ 
+ 	# pam_keyring
  	allow $1 self:capability ipc_lock;
  	allow $1 self:process setkeycreate;
  	allow $1 self:key manage_key_perms;
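Review bot: `corecmd_getattr_all_executables($1)` lands directly under the `# Needed for pam_selinux_permit to cleanup properly` comment, between the read-state and kill rules, so it reads as part of that cleanup even though getattr on every executable on the system is a different kind of access. If it is there because the cleanup walks `/proc/<pid>/exe` links, say so: `# cleanup also stats the /proc/<pid>/exe targets of the domains it scans`; if it was added for a different caller, moving it out from under that comment avoids attributing it to the wrong reason. Since this is inside `auth_login_pgm_domain`, every login-program domain inherits the grant, so the rationale matters more than for a single .te file; the interface body continues past the hunk.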
@@ -53094,7 +53389,7 @@ index 73554ec..e053e7d 100644
  	manage_files_pattern($1, var_auth_t, var_auth_t)
  
  	manage_dirs_pattern($1, auth_cache_t, auth_cache_t)
-@@ -123,13 +130,19 @@ interface(`auth_login_pgm_domain',`
+@@ -123,13 +131,19 @@ interface(`auth_login_pgm_domain',`
  	# needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321
  	kernel_rw_afs_state($1)
  
@@ -53115,7 +53410,7 @@ index 73554ec..e053e7d 100644
  
  	selinux_get_fs_mount($1)
  	selinux_validate_context($1)
-@@ -145,6 +158,8 @@ interface(`auth_login_pgm_domain',`
+@@ -145,6 +159,8 @@ interface(`auth_login_pgm_domain',`
  	mls_process_set_level($1)
  	mls_fd_share_all_levels($1)
  
@@ -53124,7 +53419,7 @@ index 73554ec..e053e7d 100644
  	auth_use_pam($1)
  
  	init_rw_utmp($1)
-@@ -155,13 +170,68 @@ interface(`auth_login_pgm_domain',`
+@@ -155,13 +171,68 @@ interface(`auth_login_pgm_domain',`
  	seutil_read_config($1)
  	seutil_read_default_contexts($1)
  
@@ -53195,7 +53490,7 @@ index 73554ec..e053e7d 100644
  ##	Use the login program as an entry point program.
  ## </summary>
  ## <param name="domain">
-@@ -368,13 +438,15 @@ interface(`auth_domtrans_chk_passwd',`
+@@ -368,13 +439,15 @@ interface(`auth_domtrans_chk_passwd',`
  	')
  
  	optional_policy(`
@@ -53212,7 +53507,7 @@ index 73554ec..e053e7d 100644
  ')
  
  ########################################
-@@ -421,6 +493,25 @@ interface(`auth_run_chk_passwd',`
+@@ -421,6 +494,25 @@ interface(`auth_run_chk_passwd',`
  
  	auth_domtrans_chk_passwd($1)
  	role $2 types chkpwd_t;
@@ -53238,7 +53533,7 @@ index 73554ec..e053e7d 100644
  ')
  
  ########################################
-@@ -736,7 +827,47 @@ interface(`auth_rw_faillog',`
+@@ -736,7 +828,47 @@ interface(`auth_rw_faillog',`
  	')
  
  	logging_search_logs($1)
@@ -53287,7 +53582,7 @@ index 73554ec..e053e7d 100644
  ')
  
  #######################################
-@@ -932,9 +1063,30 @@ interface(`auth_manage_var_auth',`
+@@ -932,9 +1064,30 @@ interface(`auth_manage_var_auth',`
  	')
  
  	files_search_var($1)
@@ -53321,7 +53616,7 @@ index 73554ec..e053e7d 100644
  ')
  
  ########################################
-@@ -1387,6 +1539,25 @@ interface(`auth_setattr_login_records',`
+@@ -1387,6 +1540,25 @@ interface(`auth_setattr_login_records',`
  
  ########################################
  ## <summary>
@@ -53347,7 +53642,7 @@ index 73554ec..e053e7d 100644
  ##	Read login records files (/var/log/wtmp).
  ## </summary>
  ## <param name="domain">
-@@ -1541,24 +1712,6 @@ interface(`auth_manage_login_records',`
+@@ -1541,24 +1713,6 @@ interface(`auth_manage_login_records',`
  
  ########################################
  ## <summary>
@@ -53372,7 +53667,7 @@ index 73554ec..e053e7d 100644
  ##	Use nsswitch to look up user, password, group, or
  ##	host information.
  ## </summary>
-@@ -1579,28 +1732,36 @@ interface(`auth_relabel_login_records',`
+@@ -1579,28 +1733,36 @@ interface(`auth_relabel_login_records',`
  #
  interface(`auth_use_nsswitch',`
  
@@ -53416,7 +53711,7 @@ index 73554ec..e053e7d 100644
  	optional_policy(`
  		kerberos_use($1)
  	')
-@@ -1610,7 +1771,7 @@ interface(`auth_use_nsswitch',`
+@@ -1610,7 +1772,7 @@ interface(`auth_use_nsswitch',`
  	')
  
  	optional_policy(`
@@ -54596,7 +54891,7 @@ index 94fd8dd..2ae760f 100644
 +	read_fifo_files_pattern($1, initrc_var_run_t, initrc_var_run_t)
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 29a9565..ad617a2 100644
+index 29a9565..e30550a 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -16,6 +16,34 @@ gen_require(`
@@ -54771,7 +55066,7 @@ index 29a9565..ad617a2 100644
  	corecmd_shell_domtrans(init_t, initrc_t)
  ',`
  	# Run the shell in the sysadm role for single-user mode.
-@@ -186,12 +244,122 @@ tunable_policy(`init_upstart',`
+@@ -186,12 +244,125 @@ tunable_policy(`init_upstart',`
  	sysadm_shell_domtrans(init_t)
  ')
  
@@ -54822,9 +55117,12 @@ index 29a9565..ad617a2 100644
 +	files_manage_all_pid_dirs(init_t)
 +	files_relabel_all_pid_dirs(init_t)
 +	files_relabel_all_pid_files(init_t)
++	files_create_all_pid_sockets(init_t)
 +	files_delete_all_pid_sockets(init_t)
 +	files_manage_urandom_seed(init_t)
 +	files_list_locks(init_t)
++	files_list_spool(init_t)
++	files_list_var(init_t)
 +	files_create_lock_dirs(init_t)
 +	files_relabel_all_lock_dirs(init_t)
 +
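Review bot: `files_create_all_pid_sockets(init_t)` at the top of the hunk is a blanket grant — init_t may now create sock_files under every pid-file type in /var/run, not only the cupsd case the changelog names — and nothing in the hunk records why the whole attribute was chosen over a per-service interface. It sits beside the existing `files_manage_all_pid_dirs`/`files_relabel_all_pid_files` lines, so the width is presumably deliberate for socket activation, but a comment would stop it being narrowed or widened by accident later: `# socket activation: init creates the listening sock_file with the service's pid label before the service runs (cupsd first)`. The `files_list_spool`/`files_list_var` additions are read-only directory listing and need no note. The enclosing block starts and ends outside the hunk.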
@@ -54894,7 +55192,7 @@ index 29a9565..ad617a2 100644
  ')
  
  optional_policy(`
-@@ -199,10 +367,26 @@ optional_policy(`
+@@ -199,10 +370,26 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -54921,7 +55219,7 @@ index 29a9565..ad617a2 100644
  	unconfined_domain(init_t)
  ')
  
-@@ -212,7 +396,7 @@ optional_policy(`
+@@ -212,7 +399,7 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -54930,7 +55228,7 @@ index 29a9565..ad617a2 100644
  dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
-@@ -241,12 +425,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -241,12 +428,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -54946,7 +55244,7 @@ index 29a9565..ad617a2 100644
  
  init_write_initctl(initrc_t)
  
-@@ -258,20 +445,32 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -258,20 +448,32 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -54983,7 +55281,7 @@ index 29a9565..ad617a2 100644
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -279,6 +478,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -279,6 +481,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
  
  dev_read_rand(initrc_t)
  dev_read_urand(initrc_t)
@@ -54991,7 +55289,7 @@ index 29a9565..ad617a2 100644
  dev_write_kmsg(initrc_t)
  dev_write_rand(initrc_t)
  dev_write_urand(initrc_t)
-@@ -289,8 +489,10 @@ dev_write_framebuffer(initrc_t)
+@@ -289,8 +492,10 @@ dev_write_framebuffer(initrc_t)
  dev_read_realtime_clock(initrc_t)
  dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
@@ -55002,7 +55300,7 @@ index 29a9565..ad617a2 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -298,13 +500,14 @@ dev_manage_generic_files(initrc_t)
+@@ -298,13 +503,14 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -55019,7 +55317,7 @@ index 29a9565..ad617a2 100644
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
-@@ -316,6 +519,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -316,6 +522,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -55027,7 +55325,7 @@ index 29a9565..ad617a2 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -323,8 +527,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -323,8 +530,10 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -55039,7 +55337,7 @@ index 29a9565..ad617a2 100644
  files_delete_all_pids(initrc_t)
  files_delete_all_pid_dirs(initrc_t)
  files_read_etc_files(initrc_t)
-@@ -340,8 +546,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -340,8 +549,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -55053,7 +55351,7 @@ index 29a9565..ad617a2 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -351,6 +561,8 @@ fs_mount_all_fs(initrc_t)
+@@ -351,6 +564,8 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -55062,7 +55360,7 @@ index 29a9565..ad617a2 100644
  
  # initrc_t needs to do a pidof which requires ptrace
  mcs_ptrace_all(initrc_t)
-@@ -363,6 +575,7 @@ mls_process_read_up(initrc_t)
+@@ -363,6 +578,7 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -55070,7 +55368,7 @@ index 29a9565..ad617a2 100644
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -374,6 +587,7 @@ term_use_all_terms(initrc_t)
+@@ -374,6 +590,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -55078,7 +55376,7 @@ index 29a9565..ad617a2 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -394,18 +608,17 @@ logging_read_audit_config(initrc_t)
+@@ -394,18 +611,17 @@ logging_read_audit_config(initrc_t)
  
  miscfiles_read_localization(initrc_t)
  # slapd needs to read cert files from its initscript
@@ -55100,7 +55398,7 @@ index 29a9565..ad617a2 100644
  
  ifdef(`distro_debian',`
  	dev_setattr_generic_dirs(initrc_t)
-@@ -458,6 +671,10 @@ ifdef(`distro_gentoo',`
+@@ -458,6 +674,10 @@ ifdef(`distro_gentoo',`
  	sysnet_setattr_config(initrc_t)
  
  	optional_policy(`
@@ -55111,7 +55409,7 @@ index 29a9565..ad617a2 100644
  		alsa_read_lib(initrc_t)
  	')
  
-@@ -478,7 +695,7 @@ ifdef(`distro_redhat',`
+@@ -478,7 +698,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -55120,7 +55418,7 @@ index 29a9565..ad617a2 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -493,6 +710,7 @@ ifdef(`distro_redhat',`
+@@ -493,6 +713,7 @@ ifdef(`distro_redhat',`
  	files_create_boot_dirs(initrc_t)
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
@@ -55128,7 +55426,7 @@ index 29a9565..ad617a2 100644
  	# wants to read /.fonts directory
  	files_read_default_files(initrc_t)
  	files_mountpoint(initrc_tmp_t)
-@@ -522,8 +740,33 @@ ifdef(`distro_redhat',`
+@@ -522,8 +743,33 @@ ifdef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -55162,7 +55460,7 @@ index 29a9565..ad617a2 100644
  	')
  
  	optional_policy(`
-@@ -531,10 +774,22 @@ ifdef(`distro_redhat',`
+@@ -531,10 +777,22 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -55185,7 +55483,7 @@ index 29a9565..ad617a2 100644
  	')
  
  	optional_policy(`
-@@ -549,6 +804,39 @@ ifdef(`distro_suse',`
+@@ -549,6 +807,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -55225,7 +55523,7 @@ index 29a9565..ad617a2 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -561,6 +849,8 @@ optional_policy(`
+@@ -561,6 +852,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -55234,7 +55532,7 @@ index 29a9565..ad617a2 100644
  ')
  
  optional_policy(`
-@@ -577,6 +867,7 @@ optional_policy(`
+@@ -577,6 +870,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -55242,7 +55540,7 @@ index 29a9565..ad617a2 100644
  ')
  
  optional_policy(`
-@@ -589,6 +880,11 @@ optional_policy(`
+@@ -589,6 +883,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -55254,7 +55552,7 @@ index 29a9565..ad617a2 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -605,9 +901,13 @@ optional_policy(`
+@@ -605,9 +904,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -55268,7 +55566,7 @@ index 29a9565..ad617a2 100644
  	')
  
  	optional_policy(`
-@@ -649,6 +949,11 @@ optional_policy(`
+@@ -649,6 +952,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -55280,7 +55578,7 @@ index 29a9565..ad617a2 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -706,7 +1011,13 @@ optional_policy(`
+@@ -706,7 +1014,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -55294,7 +55592,7 @@ index 29a9565..ad617a2 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -729,6 +1040,10 @@ optional_policy(`
+@@ -729,6 +1043,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -55305,7 +55603,7 @@ index 29a9565..ad617a2 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -738,10 +1053,20 @@ optional_policy(`
+@@ -738,10 +1056,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -55326,7 +55624,7 @@ index 29a9565..ad617a2 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -750,6 +1075,10 @@ optional_policy(`
+@@ -750,6 +1078,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -55337,7 +55635,7 @@ index 29a9565..ad617a2 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -771,8 +1100,6 @@ optional_policy(`
+@@ -771,8 +1103,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -55346,7 +55644,7 @@ index 29a9565..ad617a2 100644
  ')
  
  optional_policy(`
-@@ -790,10 +1117,12 @@ optional_policy(`
+@@ -790,10 +1120,12 @@ optional_policy(`
  	squid_manage_logs(initrc_t)
  ')
  
@@ -55359,7 +55657,7 @@ index 29a9565..ad617a2 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -805,7 +1134,6 @@ optional_policy(`
+@@ -805,7 +1137,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -55367,7 +55665,7 @@ index 29a9565..ad617a2 100644
  	udev_manage_pid_files(initrc_t)
  	udev_manage_rules_files(initrc_t)
  ')
-@@ -815,11 +1143,24 @@ optional_policy(`
+@@ -815,11 +1146,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -55393,7 +55691,7 @@ index 29a9565..ad617a2 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -829,6 +1170,25 @@ optional_policy(`
+@@ -829,6 +1173,25 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -55419,7 +55717,7 @@ index 29a9565..ad617a2 100644
  ')
  
  optional_policy(`
-@@ -844,6 +1204,10 @@ optional_policy(`
+@@ -844,6 +1207,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -55430,7 +55728,7 @@ index 29a9565..ad617a2 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -854,3 +1218,45 @@ optional_policy(`
+@@ -854,3 +1221,45 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -56324,7 +56622,7 @@ index 808ba93..ed84884 100644
  
  ########################################
 diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
-index e5836d3..1db2eab 100644
+index e5836d3..b32b945 100644
 --- a/policy/modules/system/libraries.te
 +++ b/policy/modules/system/libraries.te
 @@ -61,7 +61,7 @@ allow ldconfig_t self:capability { dac_override sys_chroot };
@@ -56354,10 +56652,11 @@ index e5836d3..1db2eab 100644
  userdom_use_all_users_fds(ldconfig_t)
  
  ifdef(`distro_ubuntu',`
-@@ -103,6 +105,11 @@ ifdef(`distro_ubuntu',`
+@@ -103,6 +105,12 @@ ifdef(`distro_ubuntu',`
  	')
  ')
  
++userdom_dontaudit_list_admin_dir(ldconfig_t)
 +userdom_list_user_home_dirs(ldconfig_t)
 +userdom_manage_user_home_content_files(ldconfig_t)
 +userdom_manage_user_tmp_files(ldconfig_t)
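Review bot: `userdom_dontaudit_list_admin_dir(ldconfig_t)` is a silence, not a grant, and the hunk does not say what it silences, so a later reader may take the denial for a real need and upgrade it to an allow; a comment tying it to the trigger keeps the dontaudit honest: `# cwd inherited from yum/rpm run in /root; ldconfig only tries to list it, no access to admin_home_t is needed`. Dontaudit rather than allow is the right call here since the listing is incidental to ldconfig's job. The optional_policy blocks below start outside this hunk.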
@@ -56366,7 +56665,7 @@ index e5836d3..1db2eab 100644
  ifdef(`hide_broken_symptoms',`
  	ifdef(`distro_gentoo',`
  		# leaked fds from portage
-@@ -131,6 +138,10 @@ optional_policy(`
+@@ -131,6 +139,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -56377,7 +56676,7 @@ index e5836d3..1db2eab 100644
  	puppet_rw_tmp(ldconfig_t)
  ')
  
-@@ -141,6 +152,7 @@ optional_policy(`
+@@ -141,6 +153,7 @@ optional_policy(`
  	rpm_manage_script_tmp_files(ldconfig_t)
  ')
  
diff --git a/selinux-policy.spec b/selinux-policy.spec
index f34ed44..b41e2be 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -449,6 +449,19 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Tue Jul 12 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-3
+- A lot of users are running yum -y update while in /root which is causing ldconfig to list the contents, adding dontaudit
+- Allow colord to interact with the users through the tmpfs file system
+- Since we changed the label on deferred, we need to allow postfix_qmgr_t to be able to create maildrop_t files
+- Add label for /var/log/mcelog
+- Allow asterisk to read /dev/random if it uses TLS
+- Allow colord to read ini files which are labeled as bin_t
+- Allow dirsrvadmin sys_resource and setrlimit to use ulimit
+- Systemd needs to be able to create sock_files for every label in /var/run directory, cupsd being the first.  
+- Also lists /var and /var/spool directories
+- Add openl2tpd to l2tpd policy
+- qpidd is reading the sysfs file
+
 * Thu Jun 30 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-2
 - Change usbmuxd_t to dontaudit attempts to read chr_file
 - Add mysld_safe_exec_t for libra domains to be able to start private mysql domains

