[selinux-policy] - Add initial policy for abrt_dump_oops_t - xtables-multi wants to getattr of the proc fs - Smoltcli

Miroslav Grepl mgrepl at fedoraproject.org
Tue Jul 19 15:44:44 UTC 2011


commit 2ed5289fc9a18884a571a3735b4b74aed98f7d79
Author: Miroslav <mgrepl at redhat.com>
Date:   Tue Jul 19 17:44:23 2011 +0200

    - Add initial policy for abrt_dump_oops_t
    - xtables-multi wants to getattr of the proc fs
    - Smoltclient is connecting to abrt
    - Dontaudit leaked file descriptors to postdrop
    - Allow abrt_dump_oops to look at kernel sysctls
    - Abrt_dump_oops_t reads kernel ring buffer
    - Allow mysqld to request the kernel to load modules
    - systemd-login needs fowner
    - Allow postfix_cleanup_t to search maildrop

 policy-F16.patch    |  993 +++++++++++++++++++++++++++++++++++----------------
 selinux-policy.spec |   13 +-
 2 files changed, 696 insertions(+), 310 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index e3ba6d4..f6c009f 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -1514,7 +1514,7 @@ index 7f1d18e..a68d519 100644
  
  ifdef(`hide_broken_symptoms',`
 diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te
-index af55369..e12af8e 100644
+index af55369..5ede07b 100644
 --- a/policy/modules/admin/prelink.te
 +++ b/policy/modules/admin/prelink.te
 @@ -36,7 +36,7 @@ files_type(prelink_var_lib_t)
@@ -1556,7 +1556,7 @@ index af55369..e12af8e 100644
  selinux_get_enforce_mode(prelink_t)
  
  libs_exec_ld_so(prelink_t)
-@@ -98,7 +102,11 @@ libs_delete_lib_symlinks(prelink_t)
+@@ -98,7 +102,13 @@ libs_delete_lib_symlinks(prelink_t)
  
  miscfiles_read_localization(prelink_t)
  
@@ -1565,11 +1565,13 @@ index af55369..e12af8e 100644
 +userdom_manage_user_home_content(prelink_t)
 +userdom_execmod_user_home_files(prelink_t)
 +
++systemd_read_unit_files(prelink_t)
++
 +term_use_all_inherited_terms(prelink_t)
  
  optional_policy(`
  	amanda_manage_lib(prelink_t)
-@@ -109,13 +117,22 @@ optional_policy(`
+@@ -109,13 +119,22 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -1594,7 +1596,7 @@ index af55369..e12af8e 100644
  ########################################
  #
  # Prelink Cron system Policy
-@@ -129,6 +146,7 @@ optional_policy(`
+@@ -129,6 +148,7 @@ optional_policy(`
  
  	read_files_pattern(prelink_cron_system_t, prelink_cache_t, prelink_cache_t)
  	allow prelink_cron_system_t prelink_cache_t:file unlink;
@@ -1602,7 +1604,7 @@ index af55369..e12af8e 100644
  
  	domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t)
  	allow prelink_cron_system_t prelink_t:process noatsecure;
-@@ -148,17 +166,28 @@ optional_policy(`
+@@ -148,17 +168,28 @@ optional_policy(`
  	files_read_etc_files(prelink_cron_system_t)
  	files_search_var_lib(prelink_cron_system_t)
  
@@ -2554,7 +2556,7 @@ index 8966ec9..8fbe943 100644
 +	xserver_xdm_append_log(shutdown_t)
  ')
 diff --git a/policy/modules/admin/smoltclient.te b/policy/modules/admin/smoltclient.te
-index bc00875..819a10b 100644
+index bc00875..2efc0d7 100644
 --- a/policy/modules/admin/smoltclient.te
 +++ b/policy/modules/admin/smoltclient.te
 @@ -8,7 +8,6 @@ policy_module(smoltclient, 1.1.0)
@@ -2573,7 +2575,7 @@ index bc00875..819a10b 100644
  
  fs_getattr_all_fs(smoltclient_t)
  fs_getattr_all_dirs(smoltclient_t)
-@@ -46,15 +46,21 @@ fs_list_auto_mountpoints(smoltclient_t)
+@@ -46,15 +46,25 @@ fs_list_auto_mountpoints(smoltclient_t)
  
  files_getattr_generic_locks(smoltclient_t)
  files_read_etc_files(smoltclient_t)
@@ -2588,6 +2590,10 @@ index bc00875..819a10b 100644
  miscfiles_read_localization(smoltclient_t)
  
  optional_policy(`
++	abrt_stream_connect(smoltclient_t)
++')
++
++optional_policy(`
 +	cron_system_entry(smoltclient_t, smoltclient_exec_t)
 +')
 +
@@ -13117,10 +13123,18 @@ index c19518a..ba08cfe 100644
 +/nsr(/.*)?			gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?			gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index ff006ea..c0e0b1e 100644
+index ff006ea..d6ca227 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
-@@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',`
+@@ -55,6 +55,7 @@
+ ##		<li>files_pid_file()</li>
+ ##		<li>files_security_file()</li>
+ ##		<li>files_security_mountpoint()</li>
++##		<li>files_spool_file()</li>
+ ##		<li>files_tmp_file()</li>
+ ##		<li>files_tmpfs_file()</li>
+ ##		<li>logging_log_file()</li>
+@@ -1053,10 +1054,8 @@ interface(`files_relabel_all_files',`
  	relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
  	relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
  	relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
@@ -13133,7 +13147,7 @@ index ff006ea..c0e0b1e 100644
  
  	# satisfy the assertions:
  	seutil_relabelto_bin_policy($1)
-@@ -1482,6 +1480,42 @@ interface(`files_dontaudit_list_all_mountpoints',`
+@@ -1482,6 +1481,42 @@ interface(`files_dontaudit_list_all_mountpoints',`
  
  ########################################
  ## <summary>
@@ -13176,7 +13190,7 @@ index ff006ea..c0e0b1e 100644
  ##	List the contents of the root directory.
  ## </summary>
  ## <param name="domain">
-@@ -1562,7 +1596,7 @@ interface(`files_root_filetrans',`
+@@ -1562,7 +1597,7 @@ interface(`files_root_filetrans',`
  		type root_t;
  	')
  
@@ -13185,7 +13199,7 @@ index ff006ea..c0e0b1e 100644
  ')
  
  ########################################
-@@ -1848,7 +1882,7 @@ interface(`files_boot_filetrans',`
+@@ -1848,7 +1883,7 @@ interface(`files_boot_filetrans',`
  		type boot_t;
  	')
  
@@ -13194,7 +13208,7 @@ index ff006ea..c0e0b1e 100644
  ')
  
  ########################################
-@@ -2372,6 +2406,24 @@ interface(`files_rw_etc_dirs',`
+@@ -2372,6 +2407,24 @@ interface(`files_rw_etc_dirs',`
  	allow $1 etc_t:dir rw_dir_perms;
  ')
  
@@ -13219,7 +13233,7 @@ index ff006ea..c0e0b1e 100644
  ##########################################
  ## <summary>
  ## 	Manage generic directories in /etc
-@@ -2451,7 +2503,7 @@ interface(`files_read_etc_files',`
+@@ -2451,7 +2504,7 @@ interface(`files_read_etc_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -13228,7 +13242,7 @@ index ff006ea..c0e0b1e 100644
  ##	</summary>
  ## </param>
  #
-@@ -2525,6 +2577,24 @@ interface(`files_delete_etc_files',`
+@@ -2525,6 +2578,24 @@ interface(`files_delete_etc_files',`
  
  ########################################
  ## <summary>
@@ -13253,7 +13267,7 @@ index ff006ea..c0e0b1e 100644
  ##	Execute generic files in /etc.
  ## </summary>
  ## <param name="domain">
-@@ -2624,7 +2694,7 @@ interface(`files_etc_filetrans',`
+@@ -2624,7 +2695,7 @@ interface(`files_etc_filetrans',`
  		type etc_t;
  	')
  
@@ -13262,7 +13276,7 @@ index ff006ea..c0e0b1e 100644
  ')
  
  ########################################
-@@ -2680,24 +2750,6 @@ interface(`files_delete_boot_flag',`
+@@ -2680,24 +2751,6 @@ interface(`files_delete_boot_flag',`
  
  ########################################
  ## <summary>
@@ -13287,7 +13301,7 @@ index ff006ea..c0e0b1e 100644
  ##	Read files in /etc that are dynamically
  ##	created on boot, such as mtab.
  ## </summary>
-@@ -2738,6 +2790,24 @@ interface(`files_read_etc_runtime_files',`
+@@ -2738,6 +2791,24 @@ interface(`files_read_etc_runtime_files',`
  
  ########################################
  ## <summary>
@@ -13312,7 +13326,7 @@ index ff006ea..c0e0b1e 100644
  ##	Do not audit attempts to read files
  ##	in /etc that are dynamically
  ##	created on boot, such as mtab.
-@@ -2775,6 +2845,7 @@ interface(`files_rw_etc_runtime_files',`
+@@ -2775,6 +2846,7 @@ interface(`files_rw_etc_runtime_files',`
  
  	allow $1 etc_t:dir list_dir_perms;
  	rw_files_pattern($1, etc_t, etc_runtime_t)
@@ -13320,7 +13334,7 @@ index ff006ea..c0e0b1e 100644
  ')
  
  ########################################
-@@ -3364,7 +3435,7 @@ interface(`files_home_filetrans',`
+@@ -3364,7 +3436,7 @@ interface(`files_home_filetrans',`
  		type home_root_t;
  	')
  
@@ -13329,7 +13343,7 @@ index ff006ea..c0e0b1e 100644
  ')
  
  ########################################
-@@ -3502,20 +3573,38 @@ interface(`files_list_mnt',`
+@@ -3502,20 +3574,38 @@ interface(`files_list_mnt',`
  
  ######################################
  ## <summary>
@@ -13373,7 +13387,7 @@ index ff006ea..c0e0b1e 100644
  ')
  
  ########################################
-@@ -3900,6 +3989,99 @@ interface(`files_read_world_readable_sockets',`
+@@ -3900,6 +3990,99 @@ interface(`files_read_world_readable_sockets',`
  	allow $1 readable_t:sock_file read_sock_file_perms;
  ')
  
@@ -13473,7 +13487,7 @@ index ff006ea..c0e0b1e 100644
  ########################################
  ## <summary>
  ##	Allow the specified type to associate
-@@ -3945,7 +4127,7 @@ interface(`files_getattr_tmp_dirs',`
+@@ -3945,7 +4128,7 @@ interface(`files_getattr_tmp_dirs',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -13482,7 +13496,7 @@ index ff006ea..c0e0b1e 100644
  ##	</summary>
  ## </param>
  #
-@@ -4017,7 +4199,7 @@ interface(`files_list_tmp',`
+@@ -4017,7 +4200,7 @@ interface(`files_list_tmp',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -13491,7 +13505,7 @@ index ff006ea..c0e0b1e 100644
  ##	</summary>
  ## </param>
  #
-@@ -4029,6 +4211,24 @@ interface(`files_dontaudit_list_tmp',`
+@@ -4029,6 +4212,24 @@ interface(`files_dontaudit_list_tmp',`
  	dontaudit $1 tmp_t:dir list_dir_perms;
  ')
  
@@ -13516,7 +13530,7 @@ index ff006ea..c0e0b1e 100644
  ########################################
  ## <summary>
  ##	Remove entries from the tmp directory.
-@@ -4085,6 +4285,32 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -4085,6 +4286,32 @@ interface(`files_manage_generic_tmp_dirs',`
  
  ########################################
  ## <summary>
@@ -13549,7 +13563,7 @@ index ff006ea..c0e0b1e 100644
  ##	Manage temporary files and directories in /tmp.
  ## </summary>
  ## <param name="domain">
-@@ -4139,6 +4365,42 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4139,6 +4366,42 @@ interface(`files_rw_generic_tmp_sockets',`
  
  ########################################
  ## <summary>
@@ -13592,7 +13606,7 @@ index ff006ea..c0e0b1e 100644
  ##	Set the attributes of all tmp directories.
  ## </summary>
  ## <param name="domain">
-@@ -4202,7 +4464,7 @@ interface(`files_relabel_all_tmp_dirs',`
+@@ -4202,7 +4465,7 @@ interface(`files_relabel_all_tmp_dirs',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -13601,7 +13615,7 @@ index ff006ea..c0e0b1e 100644
  ##	</summary>
  ## </param>
  #
-@@ -4262,7 +4524,7 @@ interface(`files_relabel_all_tmp_files',`
+@@ -4262,7 +4525,7 @@ interface(`files_relabel_all_tmp_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -13610,7 +13624,7 @@ index ff006ea..c0e0b1e 100644
  ##	</summary>
  ## </param>
  #
-@@ -4318,7 +4580,7 @@ interface(`files_tmp_filetrans',`
+@@ -4318,7 +4581,7 @@ interface(`files_tmp_filetrans',`
  		type tmp_t;
  	')
  
@@ -13619,7 +13633,7 @@ index ff006ea..c0e0b1e 100644
  ')
  
  ########################################
-@@ -4342,6 +4604,16 @@ interface(`files_purge_tmp',`
+@@ -4342,6 +4605,16 @@ interface(`files_purge_tmp',`
  	delete_lnk_files_pattern($1, tmpfile, tmpfile)
  	delete_fifo_files_pattern($1, tmpfile, tmpfile)
  	delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -13636,7 +13650,7 @@ index ff006ea..c0e0b1e 100644
  ')
  
  ########################################
-@@ -4681,7 +4953,7 @@ interface(`files_usr_filetrans',`
+@@ -4681,7 +4954,7 @@ interface(`files_usr_filetrans',`
  		type usr_t;
  	')
  
@@ -13645,7 +13659,7 @@ index ff006ea..c0e0b1e 100644
  ')
  
  ########################################
-@@ -5084,7 +5356,7 @@ interface(`files_var_filetrans',`
+@@ -5084,7 +5357,7 @@ interface(`files_var_filetrans',`
  		type var_t;
  	')
  
@@ -13654,7 +13668,7 @@ index ff006ea..c0e0b1e 100644
  ')
  
  ########################################
-@@ -5219,7 +5491,7 @@ interface(`files_var_lib_filetrans',`
+@@ -5219,7 +5492,7 @@ interface(`files_var_lib_filetrans',`
  	')
  
  	allow $1 var_t:dir search_dir_perms;
@@ -13663,7 +13677,7 @@ index ff006ea..c0e0b1e 100644
  ')
  
  ########################################
-@@ -5304,6 +5576,25 @@ interface(`files_manage_mounttab',`
+@@ -5304,6 +5577,25 @@ interface(`files_manage_mounttab',`
  
  ########################################
  ## <summary>
@@ -13689,7 +13703,7 @@ index ff006ea..c0e0b1e 100644
  ##	Search the locks directory (/var/lock).
  ## </summary>
  ## <param name="domain">
-@@ -5317,6 +5608,8 @@ interface(`files_search_locks',`
+@@ -5317,6 +5609,8 @@ interface(`files_search_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -13698,7 +13712,7 @@ index ff006ea..c0e0b1e 100644
  	search_dirs_pattern($1, var_t, var_lock_t)
  ')
  
-@@ -5336,12 +5629,14 @@ interface(`files_dontaudit_search_locks',`
+@@ -5336,12 +5630,14 @@ interface(`files_dontaudit_search_locks',`
  		type var_lock_t;
  	')
  
@@ -13714,7 +13728,7 @@ index ff006ea..c0e0b1e 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5349,12 +5644,30 @@ interface(`files_dontaudit_search_locks',`
+@@ -5349,12 +5645,30 @@ interface(`files_dontaudit_search_locks',`
  ##	</summary>
  ## </param>
  #
@@ -13747,7 +13761,7 @@ index ff006ea..c0e0b1e 100644
  ')
  
  ########################################
-@@ -5373,6 +5686,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5373,6 +5687,7 @@ interface(`files_rw_lock_dirs',`
  		type var_t, var_lock_t;
  	')
  
@@ -13755,7 +13769,7 @@ index ff006ea..c0e0b1e 100644
  	rw_dirs_pattern($1, var_t, var_lock_t)
  ')
  
-@@ -5385,7 +5699,6 @@ interface(`files_rw_lock_dirs',`
+@@ -5385,7 +5700,6 @@ interface(`files_rw_lock_dirs',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -13763,7 +13777,7 @@ index ff006ea..c0e0b1e 100644
  #
  interface(`files_relabel_all_lock_dirs',`
  	gen_require(`
-@@ -5412,7 +5725,7 @@ interface(`files_getattr_generic_locks',`
+@@ -5412,7 +5726,7 @@ interface(`files_getattr_generic_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -13772,7 +13786,7 @@ index ff006ea..c0e0b1e 100644
  	allow $1 var_lock_t:dir list_dir_perms;
  	getattr_files_pattern($1, var_lock_t, var_lock_t)
  ')
-@@ -5428,12 +5741,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5428,12 +5742,12 @@ interface(`files_getattr_generic_locks',`
  ## </param>
  #
  interface(`files_delete_generic_locks',`
@@ -13789,7 +13803,7 @@ index ff006ea..c0e0b1e 100644
  ')
  
  ########################################
-@@ -5452,7 +5765,7 @@ interface(`files_manage_generic_locks',`
+@@ -5452,7 +5766,7 @@ interface(`files_manage_generic_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -13798,7 +13812,7 @@ index ff006ea..c0e0b1e 100644
  	manage_files_pattern($1, var_lock_t, var_lock_t)
  ')
  
-@@ -5493,7 +5806,7 @@ interface(`files_read_all_locks',`
+@@ -5493,7 +5807,7 @@ interface(`files_read_all_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -13807,7 +13821,7 @@ index ff006ea..c0e0b1e 100644
  	allow $1 lockfile:dir list_dir_perms;
  	read_files_pattern($1, lockfile, lockfile)
  	read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5515,7 +5828,7 @@ interface(`files_manage_all_locks',`
+@@ -5515,7 +5829,7 @@ interface(`files_manage_all_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -13816,7 +13830,7 @@ index ff006ea..c0e0b1e 100644
  	manage_dirs_pattern($1, lockfile, lockfile)
  	manage_files_pattern($1, lockfile, lockfile)
  	manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5547,8 +5860,8 @@ interface(`files_lock_filetrans',`
+@@ -5547,8 +5861,8 @@ interface(`files_lock_filetrans',`
  		type var_t, var_lock_t;
  	')
  
@@ -13827,7 +13841,7 @@ index ff006ea..c0e0b1e 100644
  ')
  
  ########################################
-@@ -5608,6 +5921,43 @@ interface(`files_search_pids',`
+@@ -5608,6 +5922,43 @@ interface(`files_search_pids',`
  	search_dirs_pattern($1, var_t, var_run_t)
  ')
  
@@ -13871,7 +13885,7 @@ index ff006ea..c0e0b1e 100644
  ########################################
  ## <summary>
  ##	Do not audit attempts to search
-@@ -5736,7 +6086,7 @@ interface(`files_pid_filetrans',`
+@@ -5736,7 +6087,7 @@ interface(`files_pid_filetrans',`
  	')
  
  	allow $1 var_t:dir search_dir_perms;
@@ -13880,7 +13894,7 @@ index ff006ea..c0e0b1e 100644
  ')
  
  ########################################
-@@ -5815,6 +6165,98 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -5815,6 +6166,98 @@ interface(`files_dontaudit_ioctl_all_pids',`
  
  ########################################
  ## <summary>
@@ -13979,7 +13993,7 @@ index ff006ea..c0e0b1e 100644
  ##	Read all process ID files.
  ## </summary>
  ## <param name="domain">
-@@ -5832,6 +6274,44 @@ interface(`files_read_all_pids',`
+@@ -5832,6 +6275,44 @@ interface(`files_read_all_pids',`
  
  	list_dirs_pattern($1, var_t, pidfile)
  	read_files_pattern($1, pidfile, pidfile)
@@ -14024,7 +14038,98 @@ index ff006ea..c0e0b1e 100644
  ')
  
  ########################################
-@@ -6042,7 +6522,7 @@ interface(`files_spool_filetrans',`
+@@ -5900,6 +6381,90 @@ interface(`files_delete_all_pid_dirs',`
+ 
+ ########################################
+ ## <summary>
++##	Make the specified type a file
++##	used for spool files.
++## </summary>
++## <desc>
++##	<p>
++##	Make the specified type usable for spool files.
++##	This will also make the type usable for files, making
++##	calls to files_type() redundant.  Failure to use this interface
++##	for a spool file may result in problems with
++##	purging spool files.
++##	</p>
++##	<p>
++##	Related interfaces:
++##	</p>
++##	<ul>
++##		<li>files_spool_filetrans()</li>
++##	</ul>
++##	<p>
++##	Example usage with a domain that can create and
++##	write its spool file in the system spool file
++##	directories (/var/spool):
++##	</p>
++##	<p>
++##	type myspoolfile_t;
++##	files_spool_file(myfile_spool_t)
++##	allow mydomain_t myfile_spool_t:file { create_file_perms write_file_perms };
++##	files_spool_filetrans(mydomain_t, myfile_spool_t, file)
++##	</p>
++## </desc>
++## <param name="file_type">
++##	<summary>
++##	Type of the file to be used as a
++##	spool file.
++##	</summary>
++## </param>
++## <infoflow type="none"/>
++#
++interface(`files_spool_file',`
++	gen_require(`
++		attribute spoolfile;
++	')
++
++	files_type($1)
++	typeattribute $1 spoolfile;
++')
++
++########################################
++## <summary>
++##	Create all spool sockets
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_create_all_spool_sockets',`
++	gen_require(`
++		attribute spoolfile;
++	')
++
++	allow $1 spoolfile:sock_file create_sock_file_perms;
++')
++
++########################################
++## <summary>
++##	Delete all spool sockets
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_delete_all_spool_sockets',`
++	gen_require(`
++		attribute spoolfile;
++	')
++
++	allow $1 spoolfile:sock_file delete_sock_file_perms;
++')
++
++########################################
++## <summary>
+ ##	Search the contents of generic spool
+ ##	directories (/var/spool).
+ ## </summary>
+@@ -6042,7 +6607,7 @@ interface(`files_spool_filetrans',`
  	')
  
  	allow $1 var_t:dir search_dir_perms;
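Review bot: The usage example in the new `files_spool_file` documentation declares `type myspoolfile_t;` but then passes `myfile_spool_t` to `files_spool_file()`, the `allow` rule and `files_spool_filetrans()`, so the example would not build if copied as written. Change the declaration line to `##	type myfile_spool_t;` so all four lines use one name. The description also says that not using this interface "may result in problems with purging spool files", yet the only interfaces this hunk adds over the `spoolfile` attribute are `files_create_all_spool_sockets` and `files_delete_all_spool_sockets`; if no purge interface exists elsewhere, that sentence should be narrowed, and the "Related interfaces" list could name the two socket interfaces that do exist.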
@@ -14033,7 +14138,7 @@ index ff006ea..c0e0b1e 100644
  ')
  
  ########################################
-@@ -6117,3 +6597,284 @@ interface(`files_unconfined',`
+@@ -6117,3 +6682,284 @@ interface(`files_unconfined',`
  
  	typeattribute $1 files_unconfined_type;
  ')
@@ -14319,18 +14424,20 @@ index ff006ea..c0e0b1e 100644
 +	dontaudit $1 file_type:dir_file_class_set write;
 +')
 diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
-index 22821ff..567322b 100644
+index 22821ff..20251b0 100644
 --- a/policy/modules/kernel/files.te
 +++ b/policy/modules/kernel/files.te
-@@ -11,6 +11,7 @@ attribute lockfile;
+@@ -10,7 +10,9 @@ attribute files_unconfined_type;
+ attribute lockfile;
  attribute mountpoint;
  attribute pidfile;
++attribute spoolfile;
  attribute configfile;
 +attribute etcfile;
  
  # For labeling types that are to be polyinstantiated
  attribute polydir;
-@@ -58,12 +59,21 @@ files_type(etc_t)
+@@ -58,12 +60,21 @@ files_type(etc_t)
  typealias etc_t alias automount_etc_t;
  typealias etc_t alias snmpd_etc_t;
  
@@ -14353,7 +14460,7 @@ index 22821ff..567322b 100644
  files_type(etc_runtime_t)
  #Temporarily in policy until FC5 dissappears
  typealias etc_runtime_t alias firstboot_rw_t;
-@@ -167,6 +177,7 @@ files_mountpoint(var_lib_t)
+@@ -167,6 +178,7 @@ files_mountpoint(var_lib_t)
  #
  type var_lock_t;
  files_lock_file(var_lock_t)
@@ -14361,6 +14468,14 @@ index 22821ff..567322b 100644
  
  #
  # var_run_t is the type of /var/run, usually
+@@ -181,6 +193,7 @@ files_mountpoint(var_run_t)
+ #
+ type var_spool_t;
+ files_tmp_file(var_spool_t)
++files_spool_file(var_spool_t)
+ 
+ ########################################
+ #
 diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
 index 97fcdac..3babb37 100644
 --- a/policy/modules/kernel/filesystem.if
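Review bot: `files_spool_file(var_spool_t)` is added while the existing `files_tmp_file(var_spool_t)` line stays, so the type now carries both the tmpfile and the new spoolfile attribute; the same dual tagging appears for `squirrelmail_spool_t` in the apache.te hunk further down. Because `files_purge_tmp` deletes everything tagged tmpfile (visible earlier on this page) and the new `files_*_all_spool_sockets` interfaces act on spoolfile, a reader cannot tell whether keeping both attributes is deliberate. A comment above the new line such as `# var_spool_t stays tmpfile so tmp purging still covers it; spoolfile enables the files_*_all_spool_sockets interfaces` would record the decision, assuming that is the intent.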
@@ -18888,14 +19003,14 @@ index e88b95f..0eb55db 100644
 -#gen_user(xguest_u,, xguest_r, s0, s0)
 +gen_user(xguest_u, user, xguest_r, s0, s0)
 diff --git a/policy/modules/services/abrt.fc b/policy/modules/services/abrt.fc
-index 1bd5812..f7a7a96 100644
+index 1bd5812..b3631d6 100644
 --- a/policy/modules/services/abrt.fc
 +++ b/policy/modules/services/abrt.fc
 @@ -1,11 +1,9 @@
  /etc/abrt(/.*)?				gen_context(system_u:object_r:abrt_etc_t,s0)
  /etc/rc\.d/init\.d/abrt		--	gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
  
-+/usr/bin/abrt-dump-oops 	--	gen_context(system_u:object_r:abrt_helper_exec_t,s0)
++/usr/bin/abrt-dump-oops 	--	gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
  /usr/bin/abrt-pyhook-helper 	--	gen_context(system_u:object_r:abrt_helper_exec_t,s0)
  
 -/usr/libexec/abrt-pyhook-helper --	gen_context(system_u:object_r:abrt_helper_exec_t,s0)
@@ -19124,7 +19239,7 @@ index 0b827c5..7382308 100644
 +    read_lnk_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
 +')
 diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
-index 30861ec..ffe6d41 100644
+index 30861ec..b8f91da 100644
 --- a/policy/modules/services/abrt.te
 +++ b/policy/modules/services/abrt.te
 @@ -5,6 +5,14 @@ policy_module(abrt, 1.2.0)
@@ -19142,7 +19257,20 @@ index 30861ec..ffe6d41 100644
  type abrt_t;
  type abrt_exec_t;
  init_daemon_domain(abrt_t, abrt_exec_t)
-@@ -43,14 +51,37 @@ ifdef(`enable_mcs',`
+@@ -32,6 +40,12 @@ files_type(abrt_var_cache_t)
+ type abrt_var_run_t;
+ files_pid_file(abrt_var_run_t)
+ 
++type abrt_dump_oops_t;
++type abrt_dump_oops_exec_t;
++init_system_domain(abrt_dump_oops_t, abrt_dump_oops_exec_t)
++
++permissive abrt_dump_oops_t;
++
+ # type needed to allow all domains
+ # to handle /var/cache/abrt
+ type abrt_helper_t;
+@@ -43,14 +57,37 @@ ifdef(`enable_mcs',`
  	init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
  ')
  
@@ -19167,7 +19295,7 @@ index 30861ec..ffe6d41 100644
 +files_type(abrt_retrace_cache_t)
 +
 +type abrt_retrace_spool_t;
-+files_type(abrt_retrace_spool_t)
++files_spool_file(abrt_retrace_spool_t)
 +
  ########################################
  #
@@ -19182,7 +19310,7 @@ index 30861ec..ffe6d41 100644
  
  allow abrt_t self:fifo_file rw_fifo_file_perms;
  allow abrt_t self:tcp_socket create_stream_socket_perms;
-@@ -59,6 +90,7 @@ allow abrt_t self:unix_dgram_socket create_socket_perms;
+@@ -59,6 +96,7 @@ allow abrt_t self:unix_dgram_socket create_socket_perms;
  allow abrt_t self:netlink_route_socket r_netlink_socket_perms;
  
  # abrt etc files
@@ -19190,7 +19318,7 @@ index 30861ec..ffe6d41 100644
  rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
  
  # log file
-@@ -69,6 +101,7 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file)
+@@ -69,6 +107,7 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file)
  manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
  manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
  files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
@@ -19198,7 +19326,7 @@ index 30861ec..ffe6d41 100644
  
  # abrt var/cache files
  manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
-@@ -82,7 +115,7 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
+@@ -82,7 +121,7 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
  manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
  manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
  manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
@@ -19207,7 +19335,7 @@ index 30861ec..ffe6d41 100644
  
  kernel_read_ring_buffer(abrt_t)
  kernel_read_system_state(abrt_t)
-@@ -104,6 +137,7 @@ corenet_tcp_connect_all_ports(abrt_t)
+@@ -104,6 +143,7 @@ corenet_tcp_connect_all_ports(abrt_t)
  corenet_sendrecv_http_client_packets(abrt_t)
  
  dev_getattr_all_chr_files(abrt_t)
@@ -19215,7 +19343,7 @@ index 30861ec..ffe6d41 100644
  dev_read_urand(abrt_t)
  dev_rw_sysfs(abrt_t)
  dev_dontaudit_read_raw_memory(abrt_t)
-@@ -113,7 +147,8 @@ domain_read_all_domains_state(abrt_t)
+@@ -113,7 +153,8 @@ domain_read_all_domains_state(abrt_t)
  domain_signull_all_domains(abrt_t)
  
  files_getattr_all_files(abrt_t)
@@ -19225,7 +19353,7 @@ index 30861ec..ffe6d41 100644
  files_read_var_symlinks(abrt_t)
  files_read_var_lib_files(abrt_t)
  files_read_usr_files(abrt_t)
-@@ -121,6 +156,8 @@ files_read_generic_tmp_files(abrt_t)
+@@ -121,6 +162,8 @@ files_read_generic_tmp_files(abrt_t)
  files_read_kernel_modules(abrt_t)
  files_dontaudit_list_default(abrt_t)
  files_dontaudit_read_default_files(abrt_t)
@@ -19234,7 +19362,7 @@ index 30861ec..ffe6d41 100644
  
  fs_list_inotifyfs(abrt_t)
  fs_getattr_all_fs(abrt_t)
-@@ -131,7 +168,7 @@ fs_read_nfs_files(abrt_t)
+@@ -131,7 +174,7 @@ fs_read_nfs_files(abrt_t)
  fs_read_nfs_symlinks(abrt_t)
  fs_search_all(abrt_t)
  
@@ -19243,7 +19371,7 @@ index 30861ec..ffe6d41 100644
  
  logging_read_generic_logs(abrt_t)
  logging_send_syslog_msg(abrt_t)
-@@ -140,6 +177,16 @@ miscfiles_read_generic_certs(abrt_t)
+@@ -140,6 +183,16 @@ miscfiles_read_generic_certs(abrt_t)
  miscfiles_read_localization(abrt_t)
  
  userdom_dontaudit_read_user_home_content_files(abrt_t)
@@ -19260,7 +19388,7 @@ index 30861ec..ffe6d41 100644
  
  optional_policy(`
  	dbus_system_domain(abrt_t, abrt_exec_t)
-@@ -150,6 +197,11 @@ optional_policy(`
+@@ -150,6 +203,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -19272,7 +19400,7 @@ index 30861ec..ffe6d41 100644
  	policykit_dbus_chat(abrt_t)
  	policykit_domtrans_auth(abrt_t)
  	policykit_read_lib(abrt_t)
-@@ -167,6 +219,7 @@ optional_policy(`
+@@ -167,6 +225,7 @@ optional_policy(`
  	rpm_exec(abrt_t)
  	rpm_dontaudit_manage_db(abrt_t)
  	rpm_manage_cache(abrt_t)
@@ -19280,7 +19408,7 @@ index 30861ec..ffe6d41 100644
  	rpm_manage_pid_files(abrt_t)
  	rpm_read_db(abrt_t)
  	rpm_signull(abrt_t)
-@@ -178,12 +231,18 @@ optional_policy(`
+@@ -178,12 +237,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -19300,7 +19428,7 @@ index 30861ec..ffe6d41 100644
  #
  
  allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -200,9 +259,12 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
+@@ -200,9 +265,12 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
  read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
  read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
  
@@ -19313,7 +19441,7 @@ index 30861ec..ffe6d41 100644
  
  fs_list_inotifyfs(abrt_helper_t)
  fs_getattr_all_fs(abrt_helper_t)
-@@ -216,7 +278,8 @@ miscfiles_read_localization(abrt_helper_t)
+@@ -216,7 +284,8 @@ miscfiles_read_localization(abrt_helper_t)
  term_dontaudit_use_all_ttys(abrt_helper_t)
  term_dontaudit_use_all_ptys(abrt_helper_t)
  
@@ -19323,7 +19451,7 @@ index 30861ec..ffe6d41 100644
  	userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
  	userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
  	dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -224,4 +287,100 @@ ifdef(`hide_broken_symptoms', `
+@@ -224,4 +293,130 @@ ifdef(`hide_broken_symptoms', `
  	dev_dontaudit_write_all_chr_files(abrt_helper_t)
  	dev_dontaudit_write_all_blk_files(abrt_helper_t)
  	fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -19331,7 +19459,7 @@ index 30861ec..ffe6d41 100644
 +	optional_policy(`
 +		rpm_dontaudit_leaks(abrt_helper_t)
 +	')
-+')
+ ')
 +
 +ifdef(`hide_broken_symptoms',`
 +	gen_require(`
@@ -19423,7 +19551,37 @@ index 30861ec..ffe6d41 100644
 +
 +optional_policy(`
 +	mock_domtrans(abrt_retrace_worker_t)
- ')
++')
++
++########################################
++#
++# abrt_dump_oops local policy
++#
++
++allow abrt_dump_oops_t self:capability dac_override;
++allow abrt_dump_oops_t self:fifo_file rw_fifo_file_perms;
++allow abrt_dump_oops_t self:unix_stream_socket create_stream_socket_perms;
++
++files_search_spool(abrt_dump_oops_t)
++manage_dirs_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t)
++manage_files_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t)
++manage_lnk_files_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t)
++files_var_filetrans(abrt_dump_oops_t, abrt_var_cache_t, { file dir })
++
++read_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t)
++read_lnk_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t)
++
++kernel_read_kernel_sysctls(abrt_dump_oops_t)
++kernel_read_ring_buffer(abrt_dump_oops_t)
++
++domain_use_interactive_fds(abrt_dump_oops_t)
++
++files_read_etc_files(abrt_dump_oops_t)
++
++logging_read_generic_logs(abrt_helper_t)
++logging_send_syslog_msg(abrt_dump_oops_t)
++
++miscfiles_read_localization(abrt_dump_oops_t)
 diff --git a/policy/modules/services/accountsd.if b/policy/modules/services/accountsd.if
 index c0f858d..d639ae0 100644
 --- a/policy/modules/services/accountsd.if
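Review bot: `logging_read_generic_logs(abrt_helper_t)` sits in the new "abrt_dump_oops local policy" block where every other rule names `abrt_dump_oops_t`, so it looks like a copy-and-paste slip: it silently widens `abrt_helper_t` (described earlier in this file as the type that lets all domains handle /var/cache/abrt) to read generic log files, while the new domain gets no such access. Change it to `logging_read_generic_logs(abrt_dump_oops_t)`, or if the helper genuinely needs it, move the line into the helper's own section with a comment saying why. Separately, `allow abrt_dump_oops_t self:capability dac_override;` is a broad grant for a domain whose other rules only read the ring buffer, sysctls, etc files and its own cache and pid directories; a one-line comment naming the file it cannot otherwise open would let a later reviewer judge whether a narrower rule suffices. The abrt.te file section has earlier hunks outside this one.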
@@ -19802,9 +19960,18 @@ index d96fdfa..e07158f 100644
  ifdef(`distro_debian',`
  /usr/sbin/amavisd-new-cronjob	--	gen_context(system_u:object_r:amavis_exec_t,s0)
 diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te
-index deca9d3..4556eb2 100644
+index deca9d3..ae8c579 100644
 --- a/policy/modules/services/amavis.te
 +++ b/policy/modules/services/amavis.te
+@@ -38,7 +38,7 @@ type amavis_quarantine_t;
+ files_type(amavis_quarantine_t)
+ 
+ type amavis_spool_t;
+-files_type(amavis_spool_t)
++files_spool_file(amavis_spool_t)
+ 
+ ########################################
+ #
 @@ -128,6 +128,7 @@ corenet_tcp_connect_razor_port(amavis_t)
  
  dev_read_rand(amavis_t)
@@ -20575,7 +20742,7 @@ index 6480167..b32b10e 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
  ')
 diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 3136c6a..a079c51 100644
+index 3136c6a..edeae62 100644
 --- a/policy/modules/services/apache.te
 +++ b/policy/modules/services/apache.te
 @@ -18,130 +18,195 @@ policy_module(apache, 2.2.1)
@@ -20877,7 +21044,7 @@ index 3136c6a..a079c51 100644
  typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
  typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
  typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
-@@ -254,6 +334,9 @@ files_type(httpd_var_lib_t)
+@@ -254,9 +334,13 @@ files_type(httpd_var_lib_t)
  type httpd_var_run_t;
  files_pid_file(httpd_var_run_t)
  
@@ -20887,7 +21054,11 @@ index 3136c6a..a079c51 100644
  # File Type of squirrelmail attachments
  type squirrelmail_spool_t;
  files_tmp_file(squirrelmail_spool_t)
-@@ -281,11 +364,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
++files_spool_file(squirrelmail_spool_t)
+ 
+ optional_policy(`
+ 	prelink_object_file(httpd_modules_t)
+@@ -281,11 +365,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
  allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow httpd_t self:tcp_socket create_stream_socket_perms;
  allow httpd_t self:udp_socket create_socket_perms;
@@ -20901,7 +21072,7 @@ index 3136c6a..a079c51 100644
  
  # Allow the httpd_t to read the web servers config files
  allow httpd_t httpd_config_t:dir list_dir_perms;
-@@ -329,8 +414,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
+@@ -329,8 +415,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
  
  manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
  manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
@@ -20912,7 +21083,7 @@ index 3136c6a..a079c51 100644
  
  manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
  manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
-@@ -355,6 +441,8 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -355,6 +442,8 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  kernel_read_kernel_sysctls(httpd_t)
  # for modules that want to access /proc/meminfo
  kernel_read_system_state(httpd_t)
@@ -20921,7 +21092,7 @@ index 3136c6a..a079c51 100644
  
  corenet_all_recvfrom_unlabeled(httpd_t)
  corenet_all_recvfrom_netlabel(httpd_t)
-@@ -365,11 +453,14 @@ corenet_udp_sendrecv_generic_node(httpd_t)
+@@ -365,11 +454,14 @@ corenet_udp_sendrecv_generic_node(httpd_t)
  corenet_tcp_sendrecv_all_ports(httpd_t)
  corenet_udp_sendrecv_all_ports(httpd_t)
  corenet_tcp_bind_generic_node(httpd_t)
@@ -20937,7 +21108,7 @@ index 3136c6a..a079c51 100644
  
  dev_read_sysfs(httpd_t)
  dev_read_rand(httpd_t)
-@@ -378,12 +469,12 @@ dev_rw_crypto(httpd_t)
+@@ -378,12 +470,12 @@ dev_rw_crypto(httpd_t)
  
  fs_getattr_all_fs(httpd_t)
  fs_search_auto_mountpoints(httpd_t)
@@ -20953,7 +21124,7 @@ index 3136c6a..a079c51 100644
  
  domain_use_interactive_fds(httpd_t)
  
-@@ -391,6 +482,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
+@@ -391,6 +483,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
  files_read_usr_files(httpd_t)
  files_list_mnt(httpd_t)
  files_search_spool(httpd_t)
@@ -20961,7 +21132,7 @@ index 3136c6a..a079c51 100644
  files_read_var_lib_files(httpd_t)
  files_search_home(httpd_t)
  files_getattr_home_dir(httpd_t)
-@@ -402,6 +494,13 @@ files_read_etc_files(httpd_t)
+@@ -402,6 +495,13 @@ files_read_etc_files(httpd_t)
  files_read_var_lib_symlinks(httpd_t)
  
  fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -20975,7 +21146,7 @@ index 3136c6a..a079c51 100644
  
  libs_read_lib_files(httpd_t)
  
-@@ -416,34 +515,74 @@ seutil_dontaudit_search_config(httpd_t)
+@@ -416,34 +516,74 @@ seutil_dontaudit_search_config(httpd_t)
  
  userdom_use_unpriv_users_fds(httpd_t)
  
@@ -21052,7 +21223,7 @@ index 3136c6a..a079c51 100644
  ')
  
  tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -456,6 +595,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -456,6 +596,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
  
  tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
  	domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
@@ -21063,7 +21234,7 @@ index 3136c6a..a079c51 100644
  
  	manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
  	manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
-@@ -466,15 +609,27 @@ tunable_policy(`httpd_enable_ftp_server',`
+@@ -466,15 +610,27 @@ tunable_policy(`httpd_enable_ftp_server',`
  	corenet_tcp_bind_ftp_port(httpd_t)
  ')
  
@@ -21093,7 +21264,7 @@ index 3136c6a..a079c51 100644
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_t)
  	fs_read_cifs_symlinks(httpd_t)
-@@ -484,7 +639,16 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -484,7 +640,16 @@ tunable_policy(`httpd_can_sendmail',`
  	# allow httpd to connect to mail servers
  	corenet_tcp_connect_smtp_port(httpd_t)
  	corenet_sendrecv_smtp_client_packets(httpd_t)
@@ -21110,7 +21281,7 @@ index 3136c6a..a079c51 100644
  ')
  
  tunable_policy(`httpd_ssi_exec',`
-@@ -499,9 +663,19 @@ tunable_policy(`httpd_ssi_exec',`
+@@ -499,9 +664,19 @@ tunable_policy(`httpd_ssi_exec',`
  # to run correctly without this permission, so the permission
  # are dontaudited here.
  tunable_policy(`httpd_tty_comm',`
@@ -21131,7 +21302,7 @@ index 3136c6a..a079c51 100644
  ')
  
  optional_policy(`
-@@ -513,7 +687,13 @@ optional_policy(`
+@@ -513,7 +688,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21146,7 +21317,7 @@ index 3136c6a..a079c51 100644
  ')
  
  optional_policy(`
-@@ -528,7 +708,18 @@ optional_policy(`
+@@ -528,7 +709,18 @@ optional_policy(`
  	daemontools_service_domain(httpd_t, httpd_exec_t)
  ')
  
@@ -21166,7 +21337,7 @@ index 3136c6a..a079c51 100644
  	dbus_system_bus_client(httpd_t)
  
  	tunable_policy(`httpd_dbus_avahi',`
-@@ -537,8 +728,13 @@ optional_policy(`
+@@ -537,8 +729,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21181,7 +21352,7 @@ index 3136c6a..a079c51 100644
  	')
  ')
  
-@@ -556,7 +752,13 @@ optional_policy(`
+@@ -556,7 +753,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21195,7 +21366,7 @@ index 3136c6a..a079c51 100644
  	mysql_stream_connect(httpd_t)
  	mysql_rw_db_sockets(httpd_t)
  
-@@ -567,6 +769,7 @@ optional_policy(`
+@@ -567,6 +770,7 @@ optional_policy(`
  
  optional_policy(`
  	nagios_read_config(httpd_t)
@@ -21203,7 +21374,7 @@ index 3136c6a..a079c51 100644
  ')
  
  optional_policy(`
-@@ -577,6 +780,16 @@ optional_policy(`
+@@ -577,6 +781,16 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21220,7 +21391,7 @@ index 3136c6a..a079c51 100644
  	# Allow httpd to work with postgresql
  	postgresql_stream_connect(httpd_t)
  	postgresql_unpriv_client(httpd_t)
-@@ -591,6 +804,11 @@ optional_policy(`
+@@ -591,6 +805,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21232,7 +21403,7 @@ index 3136c6a..a079c51 100644
  	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
  	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
  ')
-@@ -603,6 +821,12 @@ optional_policy(`
+@@ -603,6 +822,12 @@ optional_policy(`
  	yam_read_content(httpd_t)
  ')
  
@@ -21245,7 +21416,7 @@ index 3136c6a..a079c51 100644
  ########################################
  #
  # Apache helper local policy
-@@ -616,7 +840,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
+@@ -616,7 +841,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
  
  logging_send_syslog_msg(httpd_helper_t)
  
@@ -21258,7 +21429,7 @@ index 3136c6a..a079c51 100644
  
  ########################################
  #
-@@ -654,28 +882,30 @@ libs_exec_lib_files(httpd_php_t)
+@@ -654,28 +883,30 @@ libs_exec_lib_files(httpd_php_t)
  userdom_use_unpriv_users_fds(httpd_php_t)
  
  tunable_policy(`httpd_can_network_connect_db',`
@@ -21302,7 +21473,7 @@ index 3136c6a..a079c51 100644
  ')
  
  ########################################
-@@ -685,6 +915,8 @@ optional_policy(`
+@@ -685,6 +916,8 @@ optional_policy(`
  
  allow httpd_suexec_t self:capability { setuid setgid };
  allow httpd_suexec_t self:process signal_perms;
@@ -21311,7 +21482,7 @@ index 3136c6a..a079c51 100644
  allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
  
  domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-@@ -699,17 +931,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -699,17 +932,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
  
@@ -21337,7 +21508,7 @@ index 3136c6a..a079c51 100644
  
  files_read_etc_files(httpd_suexec_t)
  files_read_usr_files(httpd_suexec_t)
-@@ -740,13 +977,31 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -740,13 +978,31 @@ tunable_policy(`httpd_can_network_connect',`
  	corenet_sendrecv_all_client_packets(httpd_suexec_t)
  ')
  
@@ -21370,7 +21541,7 @@ index 3136c6a..a079c51 100644
  	fs_read_nfs_files(httpd_suexec_t)
  	fs_read_nfs_symlinks(httpd_suexec_t)
  	fs_exec_nfs_files(httpd_suexec_t)
-@@ -769,6 +1024,25 @@ optional_policy(`
+@@ -769,6 +1025,25 @@ optional_policy(`
  	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
  ')
  
@@ -21396,7 +21567,7 @@ index 3136c6a..a079c51 100644
  ########################################
  #
  # Apache system script local policy
-@@ -789,12 +1063,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+@@ -789,12 +1064,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
  
  kernel_read_kernel_sysctls(httpd_sys_script_t)
  
@@ -21414,7 +21585,7 @@ index 3136c6a..a079c51 100644
  ifdef(`distro_redhat',`
  	allow httpd_sys_script_t httpd_log_t:file append_file_perms;
  ')
-@@ -803,18 +1082,50 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -803,18 +1083,50 @@ tunable_policy(`httpd_can_sendmail',`
  	mta_send_mail(httpd_sys_script_t)
  ')
  
@@ -21471,7 +21642,7 @@ index 3136c6a..a079c51 100644
  	corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
  	corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
  	corenet_tcp_connect_all_ports(httpd_sys_script_t)
-@@ -822,14 +1133,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -822,14 +1134,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
  ')
  
  tunable_policy(`httpd_enable_homedirs',`
@@ -21502,7 +21673,7 @@ index 3136c6a..a079c51 100644
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_sys_script_t)
  	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,10 +1168,20 @@ optional_policy(`
+@@ -842,10 +1169,20 @@ optional_policy(`
  optional_policy(`
  	mysql_stream_connect(httpd_sys_script_t)
  	mysql_rw_db_sockets(httpd_sys_script_t)
@@ -21523,7 +21694,7 @@ index 3136c6a..a079c51 100644
  ')
  
  ########################################
-@@ -891,11 +1227,21 @@ optional_policy(`
+@@ -891,11 +1228,21 @@ optional_policy(`
  
  tunable_policy(`httpd_enable_cgi && httpd_unified',`
  	allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -21781,10 +21952,15 @@ index 8b8143e..c1a2b96 100644
  
  	init_labeled_script_domtrans($1, asterisk_initrc_exec_t)
 diff --git a/policy/modules/services/asterisk.te b/policy/modules/services/asterisk.te
-index b3b0176..0e8a352 100644
+index b3b0176..c873197 100644
 --- a/policy/modules/services/asterisk.te
 +++ b/policy/modules/services/asterisk.te
-@@ -23,6 +23,7 @@ files_type(asterisk_spool_t)
+@@ -19,10 +19,11 @@ type asterisk_log_t;
+ logging_log_file(asterisk_log_t)
+ 
+ type asterisk_spool_t;
+-files_type(asterisk_spool_t)
++files_spool_file(asterisk_spool_t)
  
  type asterisk_tmp_t;
  files_tmp_file(asterisk_tmp_t)
@@ -23381,7 +23557,7 @@ index 0000000..564acbd
 +')
 diff --git a/policy/modules/services/callweaver.te b/policy/modules/services/callweaver.te
 new file mode 100644
-index 0000000..a67f732
+index 0000000..a7c96a5
 --- /dev/null
 +++ b/policy/modules/services/callweaver.te
 @@ -0,0 +1,79 @@
@@ -23411,7 +23587,7 @@ index 0000000..a67f732
 +files_pid_file(callweaver_var_run_t)
 +
 +type callweaver_spool_t;
-+files_type(callweaver_spool_t)
++files_spool_file(callweaver_spool_t)
 +
 +########################################
 +#
@@ -25244,9 +25420,18 @@ index 9971337..f081899 100644
  ')
  
 diff --git a/policy/modules/services/courier.te b/policy/modules/services/courier.te
-index 838dec7..452741c 100644
+index 838dec7..59d0f96 100644
 --- a/policy/modules/services/courier.te
 +++ b/policy/modules/services/courier.te
+@@ -15,7 +15,7 @@ courier_domain_template(pcp)
+ courier_domain_template(pop)
+ 
+ type courier_spool_t;
+-files_type(courier_spool_t)
++files_spool_file(courier_spool_t)
+ 
+ courier_domain_template(tcpd)
+ 
 @@ -95,7 +95,7 @@ allow courier_pop_t courier_authdaemon_t:process sigchld;
  allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
  
@@ -25688,7 +25873,7 @@ index 35241ed..2976df7 100644
 +	manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
  ')
 diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
-index f7583ab..1812563 100644
+index f7583ab..894130f 100644
 --- a/policy/modules/services/cron.te
 +++ b/policy/modules/services/cron.te
 @@ -10,18 +10,18 @@ gen_require(`
@@ -25718,7 +25903,15 @@ index f7583ab..1812563 100644
  ## </desc>
  gen_tunable(fcron_crond, false)
  
-@@ -38,7 +38,7 @@ type cron_var_lib_t;
+@@ -31,14 +31,14 @@ type anacron_exec_t;
+ application_executable_file(anacron_exec_t)
+ 
+ type cron_spool_t;
+-files_type(cron_spool_t)
++files_spool_file(cron_spool_t)
+ 
+ # var/lib files
+ type cron_var_lib_t;
  files_type(cron_var_lib_t)
  
  type cron_var_run_t;
@@ -25740,15 +25933,17 @@ index f7583ab..1812563 100644
  
  type crontab_exec_t;
  application_executable_file(crontab_exec_t)
-@@ -79,6 +82,7 @@ typealias crontab_t alias { user_crontab_t staff_crontab_t };
+@@ -79,14 +82,16 @@ typealias crontab_t alias { user_crontab_t staff_crontab_t };
  typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t };
  typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t };
  typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
 +allow admin_crontab_t crond_t:process signal;
  
  type system_cron_spool_t, cron_spool_type;
- files_type(system_cron_spool_t)
-@@ -87,6 +91,7 @@ type system_cronjob_t alias system_crond_t;
+-files_type(system_cron_spool_t)
++files_spool_file(system_cron_spool_t)
+ 
+ type system_cronjob_t alias system_crond_t;
  init_daemon_domain(system_cronjob_t, anacron_exec_t)
  corecmd_shell_entry_type(system_cronjob_t)
  role system_r types system_cronjob_t;
@@ -25767,9 +25962,12 @@ index f7583ab..1812563 100644
  type unconfined_cronjob_t;
  domain_type(unconfined_cronjob_t)
  domain_cron_exemption_target(unconfined_cronjob_t)
-@@ -108,6 +109,18 @@ typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t uncon
+@@ -106,8 +107,20 @@ domain_cron_exemption_target(unconfined_cronjob_t)
+ type user_cron_spool_t, cron_spool_type;
+ typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t };
  typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
- files_type(user_cron_spool_t)
+-files_type(user_cron_spool_t)
++files_spool_file(user_cron_spool_t)
  ubac_constrained(user_cron_spool_t)
 +mta_system_content(user_cron_spool_t)
 +
@@ -26368,7 +26566,7 @@ index 0000000..3317390
 +
 diff --git a/policy/modules/services/ctdbd.te b/policy/modules/services/ctdbd.te
 new file mode 100644
-index 0000000..8ce09c4
+index 0000000..82ba45e
 --- /dev/null
 +++ b/policy/modules/services/ctdbd.te
 @@ -0,0 +1,90 @@
@@ -26392,7 +26590,7 @@ index 0000000..8ce09c4
 +logging_log_file(ctdbd_log_t)
 +
 +type ctdbd_spool_t;
-+files_type(ctdbd_spool_t)
++files_spool_file(ctdbd_spool_t)
 +
 +type ctdbd_tmp_t;
 +files_tmp_file(ctdbd_tmp_t)
@@ -29013,7 +29211,7 @@ index e1d7dc5..673f185 100644
  	admin_pattern($1, dovecot_var_run_t)
  
 diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
-index acf6d4f..4bbff24 100644
+index acf6d4f..87949e8 100644
 --- a/policy/modules/services/dovecot.te
 +++ b/policy/modules/services/dovecot.te
 @@ -18,7 +18,7 @@ type dovecot_auth_tmp_t;
@@ -29035,6 +29233,15 @@ index acf6d4f..4bbff24 100644
  type dovecot_etc_t;
  files_config_file(dovecot_etc_t)
  
+@@ -36,7 +39,7 @@ type dovecot_passwd_t;
+ files_type(dovecot_passwd_t)
+ 
+ type dovecot_spool_t;
+-files_type(dovecot_spool_t)
++files_spool_file(dovecot_spool_t)
+ 
+ type dovecot_tmp_t;
+ files_tmp_file(dovecot_tmp_t)
 @@ -56,9 +59,9 @@ files_pid_file(dovecot_var_run_t)
  # dovecot local policy
  #
@@ -29933,7 +30140,7 @@ index 6bef7f8..464669c 100644
 +	admin_pattern($1, exim_var_run_t)
 +')
 diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te
-index f28f64b..0b19f11 100644
+index f28f64b..6419b55 100644
 --- a/policy/modules/services/exim.te
 +++ b/policy/modules/services/exim.te
 @@ -6,24 +6,24 @@ policy_module(exim, 1.5.0)
@@ -29971,7 +30178,7 @@ index f28f64b..0b19f11 100644
  ## </desc>
  gen_tunable(exim_manage_user_files, false)
  
-@@ -35,6 +35,9 @@ mta_mailserver_user_agent(exim_t)
+@@ -35,11 +35,14 @@ mta_mailserver_user_agent(exim_t)
  application_executable_file(exim_exec_t)
  mta_agent_executable(exim_exec_t)
  
@@ -29981,6 +30188,12 @@ index f28f64b..0b19f11 100644
  type exim_log_t;
  logging_log_file(exim_log_t)
  
+ type exim_spool_t;
+-files_type(exim_spool_t)
++files_spool_file(exim_spool_t)
+ 
+ type exim_tmp_t;
+ files_tmp_file(exim_tmp_t)
 @@ -171,6 +174,10 @@ optional_policy(`
  ')
  
@@ -32397,7 +32610,7 @@ index ebc9e0d..2f3d8dc 100644
  
  	allow $1 innd_t:process { ptrace signal_perms };
 diff --git a/policy/modules/services/inn.te b/policy/modules/services/inn.te
-index 9fab1dc..dc7dd01 100644
+index 9fab1dc..2462aa7 100644
 --- a/policy/modules/services/inn.te
 +++ b/policy/modules/services/inn.te
 @@ -4,6 +4,7 @@ policy_module(inn, 1.9.0)
@@ -32408,7 +32621,13 @@ index 9fab1dc..dc7dd01 100644
  type innd_t;
  type innd_exec_t;
  init_daemon_domain(innd_t, innd_exec_t)
-@@ -30,6 +31,7 @@ files_mountpoint(news_spool_t)
+@@ -25,11 +26,13 @@ files_pid_file(innd_var_run_t)
+ 
+ type news_spool_t;
+ files_mountpoint(news_spool_t)
++files_spool_file(news_spool_t)
+ 
+ ########################################
  #
  # Local policy
  #
@@ -32416,7 +32635,7 @@ index 9fab1dc..dc7dd01 100644
  allow innd_t self:capability { dac_override kill setgid setuid };
  dontaudit innd_t self:capability sys_tty_config;
  allow innd_t self:process { setsched signal_perms };
-@@ -46,7 +48,7 @@ read_lnk_files_pattern(innd_t, innd_etc_t, innd_etc_t)
+@@ -46,7 +49,7 @@ read_lnk_files_pattern(innd_t, innd_etc_t, innd_etc_t)
  can_exec(innd_t, innd_exec_t)
  
  manage_files_pattern(innd_t, innd_log_t, innd_log_t)
@@ -32425,7 +32644,7 @@ index 9fab1dc..dc7dd01 100644
  logging_log_filetrans(innd_t, innd_log_t, file)
  
  manage_dirs_pattern(innd_t, innd_var_lib_t, innd_var_lib_t)
-@@ -56,7 +58,7 @@ files_var_lib_filetrans(innd_t, innd_var_lib_t, file)
+@@ -56,7 +59,7 @@ files_var_lib_filetrans(innd_t, innd_var_lib_t, file)
  manage_dirs_pattern(innd_t, innd_var_run_t, innd_var_run_t)
  manage_files_pattern(innd_t, innd_var_run_t, innd_var_run_t)
  manage_sock_files_pattern(innd_t, innd_var_run_t, innd_var_run_t)
@@ -32434,7 +32653,7 @@ index 9fab1dc..dc7dd01 100644
  
  manage_dirs_pattern(innd_t, news_spool_t, news_spool_t)
  manage_files_pattern(innd_t, news_spool_t, news_spool_t)
-@@ -105,6 +107,7 @@ sysnet_read_config(innd_t)
+@@ -105,6 +108,7 @@ sysnet_read_config(innd_t)
  
  userdom_dontaudit_use_unpriv_user_fds(innd_t)
  userdom_dontaudit_search_user_home_dirs(innd_t)
@@ -32648,7 +32867,7 @@ index 9878499..81fcd0f 100644
 -	admin_pattern($1, jabberd_var_run_t)
  ')
 diff --git a/policy/modules/services/jabber.te b/policy/modules/services/jabber.te
-index da2127e..0ba2bdc 100644
+index da2127e..6538d66 100644
 --- a/policy/modules/services/jabber.te
 +++ b/policy/modules/services/jabber.te
 @@ -5,90 +5,152 @@ policy_module(jabber, 1.8.0)
@@ -32684,7 +32903,7 @@ index da2127e..0ba2bdc 100644
  
 -########################################
 +type pyicqt_var_spool_t;
-+files_type(pyicqt_var_spool_t)
++files_spool_file(pyicqt_var_spool_t)
 +
 +type pyicqt_var_run_t;
 +files_pid_file(pyicqt_var_run_t)
@@ -32861,7 +33080,7 @@ index da2127e..0ba2bdc 100644
 +
 +sysnet_read_config(jabberd_domain)
 diff --git a/policy/modules/services/kerberos.fc b/policy/modules/services/kerberos.fc
-index 3525d24..923e979 100644
+index 3525d24..74ec098 100644
 --- a/policy/modules/services/kerberos.fc
 +++ b/policy/modules/services/kerberos.fc
 @@ -8,7 +8,7 @@ HOME_DIR/\.k5login		--	gen_context(system_u:object_r:krb5_home_t,s0)
@@ -32873,9 +33092,13 @@ index 3525d24..923e979 100644
  /etc/rc\.d/init\.d/kprop	--	gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
  /etc/rc\.d/init\.d/krb524d	--	gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
  /etc/rc\.d/init\.d/krb5kdc	--	gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
-@@ -31,3 +31,4 @@ HOME_DIR/\.k5login		--	gen_context(system_u:object_r:krb5_home_t,s0)
+@@ -30,4 +30,8 @@ HOME_DIR/\.k5login		--	gen_context(system_u:object_r:krb5_home_t,s0)
+ /var/log/krb5kdc\.log			gen_context(system_u:object_r:krb5kdc_log_t,s0)
  /var/log/kadmin(d)?\.log		gen_context(system_u:object_r:kadmind_log_t,s0)
  
++/var/cache/krb5rcache(/.*)?	 	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
++
++krb5_host_rcache_t
  /var/tmp/host_0			-- 	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
 +/var/tmp/HTTP_23		-- 	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
 diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if
@@ -34251,7 +34474,7 @@ index a4f32f5..ea7dca0 100644
  		type lpr_t, lpr_exec_t;
  	')
 diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te
-index 93c14ca..c08de17 100644
+index 93c14ca..f28acd2 100644
 --- a/policy/modules/services/lpd.te
 +++ b/policy/modules/services/lpd.te
 @@ -6,9 +6,9 @@ policy_module(lpd, 1.12.0)
@@ -34267,7 +34490,15 @@ index 93c14ca..c08de17 100644
  ## </desc>
  gen_tunable(use_lpd_server, false)
  
-@@ -54,7 +54,7 @@ type printer_t;
+@@ -47,14 +47,14 @@ ubac_constrained(lpr_tmp_t)
+ type print_spool_t;
+ typealias print_spool_t alias { user_print_spool_t staff_print_spool_t sysadm_print_spool_t };
+ typealias print_spool_t alias { auditadm_print_spool_t secadm_print_spool_t };
+-files_type(print_spool_t)
++files_spool_file(print_spool_t)
+ ubac_constrained(print_spool_t)
+ 
+ type printer_t;
  files_type(printer_t)
  
  type printconf_t;
@@ -36275,10 +36506,10 @@ index 343cee3..5e792cc 100644
 +	mta_filetrans_admin_home_content($1)
 +')
 diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
-index 64268e4..dbddbef 100644
+index 64268e4..3bd4ceb 100644
 --- a/policy/modules/services/mta.te
 +++ b/policy/modules/services/mta.te
-@@ -20,8 +20,8 @@ files_type(etc_aliases_t)
+@@ -20,14 +20,16 @@ files_type(etc_aliases_t)
  type etc_mail_t;
  files_config_file(etc_mail_t)
  
@@ -36289,7 +36520,15 @@ index 64268e4..dbddbef 100644
  
  type mqueue_spool_t;
  files_mountpoint(mqueue_spool_t)
-@@ -50,22 +50,11 @@ ubac_constrained(user_mail_tmp_t)
++files_spool_file(mqueue_spool_t)
+ 
+ type mail_spool_t;
+ files_mountpoint(mail_spool_t)
++files_spool_file(mail_spool_t)
+ 
+ type sendmail_exec_t;
+ mta_agent_executable(sendmail_exec_t)
+@@ -50,22 +52,11 @@ ubac_constrained(user_mail_tmp_t)
  
  # newalias required this, not sure if it is needed in 'if' file
  allow system_mail_t self:capability { dac_override fowner };
@@ -36313,7 +36552,7 @@ index 64268e4..dbddbef 100644
  dev_read_sysfs(system_mail_t)
  dev_read_rand(system_mail_t)
  dev_read_urand(system_mail_t)
-@@ -80,8 +69,14 @@ term_dontaudit_use_unallocated_ttys(system_mail_t)
+@@ -80,8 +71,14 @@ term_dontaudit_use_unallocated_ttys(system_mail_t)
  
  init_use_script_ptys(system_mail_t)
  
@@ -36329,7 +36568,7 @@ index 64268e4..dbddbef 100644
  
  optional_policy(`
  	apache_read_squirrelmail_data(system_mail_t)
-@@ -92,17 +87,28 @@ optional_policy(`
+@@ -92,17 +89,28 @@ optional_policy(`
  	apache_dontaudit_rw_stream_sockets(system_mail_t)
  	apache_dontaudit_rw_tcp_sockets(system_mail_t)
  	apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t)
@@ -36359,7 +36598,7 @@ index 64268e4..dbddbef 100644
  	clamav_stream_connect(system_mail_t)
  	clamav_append_log(system_mail_t)
  ')
-@@ -111,6 +117,8 @@ optional_policy(`
+@@ -111,6 +119,8 @@ optional_policy(`
  	cron_read_system_job_tmp_files(system_mail_t)
  	cron_dontaudit_write_pipes(system_mail_t)
  	cron_rw_system_job_stream_sockets(system_mail_t)
@@ -36368,7 +36607,7 @@ index 64268e4..dbddbef 100644
  ')
  
  optional_policy(`
-@@ -124,12 +132,9 @@ optional_policy(`
+@@ -124,12 +134,9 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -36383,7 +36622,7 @@ index 64268e4..dbddbef 100644
  ')
  
  optional_policy(`
-@@ -146,6 +151,10 @@ optional_policy(`
+@@ -146,6 +153,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -36394,7 +36633,7 @@ index 64268e4..dbddbef 100644
  	nagios_read_tmp_files(system_mail_t)
  ')
  
-@@ -158,18 +167,6 @@ optional_policy(`
+@@ -158,18 +169,6 @@ optional_policy(`
  	files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
  
  	domain_use_interactive_fds(system_mail_t)
@@ -36413,7 +36652,7 @@ index 64268e4..dbddbef 100644
  ')
  
  optional_policy(`
-@@ -189,6 +186,10 @@ optional_policy(`
+@@ -189,6 +188,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -36424,7 +36663,7 @@ index 64268e4..dbddbef 100644
  	smartmon_read_tmp_files(system_mail_t)
  ')
  
-@@ -199,7 +200,7 @@ optional_policy(`
+@@ -199,7 +202,7 @@ optional_policy(`
  	arpwatch_search_data(mailserver_delivery)
  	arpwatch_manage_tmp_files(mta_user_agent)
  
@@ -36433,7 +36672,7 @@ index 64268e4..dbddbef 100644
  		arpwatch_dontaudit_rw_packet_sockets(mta_user_agent)
  	')
  
-@@ -220,7 +221,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+@@ -220,7 +223,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
  create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
  read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
  
@@ -36443,7 +36682,7 @@ index 64268e4..dbddbef 100644
  
  read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
  
-@@ -242,6 +244,10 @@ optional_policy(`
+@@ -242,6 +246,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -36454,7 +36693,7 @@ index 64268e4..dbddbef 100644
  	# so MTA can access /var/lib/mailman/mail/wrapper
  	files_search_var_lib(mailserver_delivery)
  
-@@ -249,16 +255,25 @@ optional_policy(`
+@@ -249,16 +257,25 @@ optional_policy(`
  	mailman_read_data_symlinks(mailserver_delivery)
  ')
  
@@ -36482,7 +36721,7 @@ index 64268e4..dbddbef 100644
  # Create dead.letter in user home directories.
  userdom_manage_user_home_content_files(user_mail_t)
  userdom_user_home_dir_filetrans_user_home_content(user_mail_t, file)
-@@ -292,3 +307,44 @@ optional_policy(`
+@@ -292,3 +309,44 @@ optional_policy(`
  	postfix_read_config(user_mail_t)
  	postfix_list_spool(user_mail_t)
  ')
@@ -36973,7 +37212,7 @@ index e9c0982..14af30a 100644
 +	mysql_stream_connect($1)
  ')
 diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
-index 0a0d63c..91de41a 100644
+index 0a0d63c..a02ffc9 100644
 --- a/policy/modules/services/mysql.te
 +++ b/policy/modules/services/mysql.te
 @@ -6,9 +6,9 @@ policy_module(mysql, 1.12.0)
@@ -37003,7 +37242,7 @@ index 0a0d63c..91de41a 100644
  allow mysqld_t mysqld_etc_t:dir list_dir_perms;
  
  allow mysqld_t mysqld_log_t:file manage_file_perms;
-@@ -78,13 +79,17 @@ manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
+@@ -78,12 +79,17 @@ manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
  manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
  files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir })
  
@@ -37015,14 +37254,14 @@ index 0a0d63c..91de41a 100644
  
  kernel_read_system_state(mysqld_t)
  kernel_read_kernel_sysctls(mysqld_t)
- 
++kernel_request_load_module(mysqld_t)
++
 +corecmd_exec_bin(mysqld_t)
 +corecmd_exec_shell(mysqld_t)
-+
+ 
  corenet_all_recvfrom_unlabeled(mysqld_t)
  corenet_all_recvfrom_netlabel(mysqld_t)
- corenet_tcp_sendrecv_generic_if(mysqld_t)
-@@ -127,8 +132,7 @@ userdom_dontaudit_use_unpriv_user_fds(mysqld_t)
+@@ -127,8 +133,7 @@ userdom_dontaudit_use_unpriv_user_fds(mysqld_t)
  userdom_read_user_home_content_files(mysqld_t)
  
  ifdef(`distro_redhat',`
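Review bot: `kernel_request_load_module(mysqld_t)` grants the system:module_request permission, which lets a network-facing daemon have the kernel autoload modules by name, and the hunk gives no reason for it; the commit message only restates the rule. A one-line comment naming the trigger would let the next reviewer judge whether the rule is still needed, e.g. `# mysqld triggers module autoload -- TODO record the module/protocol from the AVC that motivated this`. If the cause is a single module, loading it at boot and dropping this rule would be the tighter fix, since module_request is a convenient way for a compromised service to pull otherwise-unused kernel code into memory.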
@@ -37032,7 +37271,7 @@ index 0a0d63c..91de41a 100644
  ')
  
  tunable_policy(`mysql_connect_any',`
-@@ -155,6 +159,7 @@ optional_policy(`
+@@ -155,6 +160,7 @@ optional_policy(`
  
  allow mysqld_safe_t self:capability { chown dac_override fowner kill };
  dontaudit mysqld_safe_t self:capability sys_ptrace;
@@ -37040,7 +37279,7 @@ index 0a0d63c..91de41a 100644
  allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
  
  read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
-@@ -175,21 +180,27 @@ dev_list_sysfs(mysqld_safe_t)
+@@ -175,21 +181,27 @@ dev_list_sysfs(mysqld_safe_t)
  
  domain_read_all_domains_state(mysqld_safe_t)
  
@@ -37302,9 +37541,18 @@ index 8581040..2367841 100644
  
  	allow $1 nagios_t:process { ptrace signal_perms };
 diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te
-index bf64a4c..8a9789c 100644
+index bf64a4c..971f741 100644
 --- a/policy/modules/services/nagios.te
 +++ b/policy/modules/services/nagios.te
+@@ -25,7 +25,7 @@ type nagios_var_run_t;
+ files_pid_file(nagios_var_run_t)
+ 
+ type nagios_spool_t;
+-files_type(nagios_spool_t)
++files_spool_file(nagios_spool_t)
+ 
+ nagios_plugin_template(admin)
+ nagios_plugin_template(checkdisk)
 @@ -79,6 +79,7 @@ files_spool_filetrans(nagios_t, nagios_spool_t, fifo_file)
  
  kernel_read_system_state(nagios_t)
@@ -39742,10 +39990,10 @@ index 9759ed8..48a5431 100644
  	admin_pattern($1, plymouthd_var_run_t)
  ')
 diff --git a/policy/modules/services/plymouthd.te b/policy/modules/services/plymouthd.te
-index 06e217d..208ef3a 100644
+index 06e217d..4f9a575 100644
 --- a/policy/modules/services/plymouthd.te
 +++ b/policy/modules/services/plymouthd.te
-@@ -8,6 +8,7 @@ policy_module(plymouthd, 1.0.1)
+@@ -8,17 +8,21 @@ policy_module(plymouthd, 1.0.1)
  type plymouth_t;
  type plymouth_exec_t;
  application_domain(plymouth_t, plymouth_exec_t)
@@ -39753,7 +40001,12 @@ index 06e217d..208ef3a 100644
  
  type plymouthd_t;
  type plymouthd_exec_t;
-@@ -19,6 +20,9 @@ files_type(plymouthd_spool_t)
+ init_daemon_domain(plymouthd_t, plymouthd_exec_t)
+ 
+ type plymouthd_spool_t;
+-files_type(plymouthd_spool_t)
++files_spool_file(plymouthd_spool_t)
+ 
  type plymouthd_var_lib_t;
  files_type(plymouthd_var_lib_t)
  
@@ -40302,7 +40555,7 @@ index a3e85c9..c0e0959 100644
  /var/spool/postfix/pid/.*	gen_context(system_u:object_r:postfix_var_run_t,s0)
  /var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
 diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if
-index 46bee12..c22af86 100644
+index 46bee12..9e2714e 100644
 --- a/policy/modules/services/postfix.if
 +++ b/policy/modules/services/postfix.if
 @@ -34,8 +34,9 @@ template(`postfix_domain_template',`
@@ -40538,7 +40791,7 @@ index 46bee12..c22af86 100644
  ')
  
  ########################################
-@@ -621,3 +701,103 @@ interface(`postfix_domtrans_user_mail_handler',`
+@@ -621,3 +701,107 @@ interface(`postfix_domtrans_user_mail_handler',`
  
  	typeattribute $1 postfix_user_domtrans;
  ')
@@ -40641,9 +40894,13 @@ index 46bee12..c22af86 100644
 +
 +	postfix_domtrans_postdrop($1)
 +	role $2 types postfix_postdrop_t;
++
++	ifdef(`hide_broken_symptoms', `
++		dontaudit postfix_postdrop_t $1:socket_class_set { getattr read write };
++	')
 +')
 diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
-index a32c4b3..701607c 100644
+index a32c4b3..3f5751c 100644
 --- a/policy/modules/services/postfix.te
 +++ b/policy/modules/services/postfix.te
 @@ -5,6 +5,14 @@ policy_module(postfix, 1.12.1)
@@ -40661,15 +40918,17 @@ index a32c4b3..701607c 100644
  attribute postfix_user_domains;
  # domains that transition to the
  # postfix user domains
-@@ -12,7 +20,7 @@ attribute postfix_user_domtrans;
+@@ -12,8 +20,8 @@ attribute postfix_user_domtrans;
  
  postfix_server_domain_template(bounce)
  
 -type postfix_spool_bounce_t;
+-files_type(postfix_spool_bounce_t)
 +type postfix_spool_bounce_t, postfix_spool_type;
- files_type(postfix_spool_bounce_t)
++files_spool_file(postfix_spool_bounce_t)
  
  postfix_server_domain_template(cleanup)
+ 
 @@ -41,6 +49,9 @@ typealias postfix_master_t alias postfix_t;
  # generation macro work
  mta_mailserver(postfix_t, postfix_master_exec_t)
@@ -40688,23 +40947,27 @@ index a32c4b3..701607c 100644
  
  type postfix_private_t;
  files_type(postfix_private_t)
-@@ -65,13 +77,13 @@ mta_mailserver_sender(postfix_smtp_t)
+@@ -65,14 +77,14 @@ mta_mailserver_sender(postfix_smtp_t)
  
  postfix_server_domain_template(smtpd)
  
 -type postfix_spool_t;
+-files_type(postfix_spool_t)
 +type postfix_spool_t, postfix_spool_type;
- files_type(postfix_spool_t)
++files_spool_file(postfix_spool_t)
  
 -type postfix_spool_maildrop_t;
+-files_type(postfix_spool_maildrop_t)
 +type postfix_spool_maildrop_t, postfix_spool_type;
- files_type(postfix_spool_maildrop_t)
++files_spool_file(postfix_spool_maildrop_t)
  
 -type postfix_spool_flush_t;
+-files_type(postfix_spool_flush_t)
 +type postfix_spool_flush_t, postfix_spool_type;
- files_type(postfix_spool_flush_t)
++files_spool_file(postfix_spool_flush_t)
  
  type postfix_public_t;
+ files_type(postfix_public_t)
 @@ -94,23 +106,25 @@ mta_mailserver_delivery(postfix_virtual_t)
  
  # chown is to set the correct ownership of queue dirs
@@ -40774,7 +41037,18 @@ index a32c4b3..701607c 100644
  
  manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
  manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
-@@ -264,8 +285,8 @@ optional_policy(`
+@@ -249,6 +270,10 @@ manage_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
+ manage_lnk_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
+ files_spool_filetrans(postfix_cleanup_t, postfix_spool_t, dir)
+ 
++allow postfix_cleanup_t postfix_spool_maildrop_t:dir list_dir_perms;
++allow postfix_cleanup_t postfix_spool_maildrop_t:file read_file_perms;
++allow postfix_cleanup_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
++
+ allow postfix_cleanup_t postfix_spool_bounce_t:dir list_dir_perms;
+ 
+ corecmd_exec_bin(postfix_cleanup_t)
+@@ -264,8 +289,8 @@ optional_policy(`
  # Postfix local local policy
  #
  
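Review bot: The three new rules grant `list_dir_perms`, `read_file_perms` and `read_lnk_file_perms` on `postfix_spool_maildrop_t` to `postfix_cleanup_t`, which is broader than the `search` a directory lookup needs: cleanup can now enumerate and read every message users have submitted through postdrop before pickup hands it over, a mail-privacy widening rather than a path lookup fix. If the denial was only search, `allow postfix_cleanup_t postfix_spool_maildrop_t:dir search_dir_perms;` covers it. If reading is genuinely required, a comment naming the operation that needs it, and whether following symlinks in maildrop is needed at all, would justify the wider grant.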
@@ -40784,7 +41058,7 @@ index a32c4b3..701607c 100644
  
  # connect to master process
  stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, postfix_master_t)
-@@ -273,6 +294,8 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post
+@@ -273,6 +298,8 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post
  # for .forward - maybe we need a new type for it?
  rw_sock_files_pattern(postfix_local_t, postfix_private_t, postfix_private_t)
  
@@ -40793,7 +41067,7 @@ index a32c4b3..701607c 100644
  allow postfix_local_t postfix_spool_t:file rw_file_perms;
  
  corecmd_exec_shell(postfix_local_t)
-@@ -286,10 +309,15 @@ mta_read_aliases(postfix_local_t)
+@@ -286,10 +313,15 @@ mta_read_aliases(postfix_local_t)
  mta_delete_spool(postfix_local_t)
  # For reading spamassasin
  mta_read_config(postfix_local_t)
@@ -40812,7 +41086,7 @@ index a32c4b3..701607c 100644
  
  optional_policy(`
  	clamav_search_lib(postfix_local_t)
-@@ -297,6 +325,10 @@ optional_policy(`
+@@ -297,6 +329,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -40823,7 +41097,7 @@ index a32c4b3..701607c 100644
  #	for postalias
  	mailman_manage_data_files(postfix_local_t)
  	mailman_append_log(postfix_local_t)
-@@ -304,9 +336,22 @@ optional_policy(`
+@@ -304,9 +340,22 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -40846,7 +41120,7 @@ index a32c4b3..701607c 100644
  ########################################
  #
  # Postfix map local policy
-@@ -372,6 +417,7 @@ optional_policy(`
+@@ -372,6 +421,7 @@ optional_policy(`
  # Postfix pickup local policy
  #
  
@@ -40854,7 +41128,7 @@ index a32c4b3..701607c 100644
  allow postfix_pickup_t self:tcp_socket create_socket_perms;
  
  stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t)
-@@ -385,13 +431,16 @@ allow postfix_pickup_t postfix_spool_maildrop_t:dir list_dir_perms;
+@@ -385,13 +435,16 @@ allow postfix_pickup_t postfix_spool_maildrop_t:dir list_dir_perms;
  read_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
  delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
  
@@ -40872,7 +41146,7 @@ index a32c4b3..701607c 100644
  
  write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
  
-@@ -401,6 +450,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
+@@ -401,6 +454,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
  
  domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
  
@@ -40881,7 +41155,7 @@ index a32c4b3..701607c 100644
  optional_policy(`
  	dovecot_domtrans_deliver(postfix_pipe_t)
  ')
-@@ -420,6 +471,7 @@ optional_policy(`
+@@ -420,6 +475,7 @@ optional_policy(`
  
  optional_policy(`
  	spamassassin_domtrans_client(postfix_pipe_t)
@@ -40889,7 +41163,7 @@ index a32c4b3..701607c 100644
  ')
  
  optional_policy(`
-@@ -436,11 +488,17 @@ allow postfix_postdrop_t self:capability sys_resource;
+@@ -436,11 +492,17 @@ allow postfix_postdrop_t self:capability sys_resource;
  allow postfix_postdrop_t self:tcp_socket create;
  allow postfix_postdrop_t self:udp_socket create_socket_perms;
  
@@ -40907,7 +41181,7 @@ index a32c4b3..701607c 100644
  corenet_udp_sendrecv_generic_if(postfix_postdrop_t)
  corenet_udp_sendrecv_generic_node(postfix_postdrop_t)
  
-@@ -487,8 +545,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t
+@@ -487,8 +549,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t
  domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
  
  # to write the mailq output, it really should not need read access!
@@ -40918,7 +41192,7 @@ index a32c4b3..701607c 100644
  
  init_sigchld_script(postfix_postqueue_t)
  init_use_script_fds(postfix_postqueue_t)
-@@ -507,6 +565,8 @@ optional_policy(`
+@@ -507,6 +569,8 @@ optional_policy(`
  # Postfix qmgr local policy
  #
  
@@ -40927,7 +41201,7 @@ index a32c4b3..701607c 100644
  stream_connect_pattern(postfix_qmgr_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
  
  rw_fifo_files_pattern(postfix_qmgr_t, postfix_public_t, postfix_public_t)
-@@ -519,7 +579,10 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
+@@ -519,7 +583,10 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
  
  allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
  allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
@@ -40939,7 +41213,7 @@ index a32c4b3..701607c 100644
  
  corecmd_exec_bin(postfix_qmgr_t)
  
-@@ -539,7 +602,9 @@ postfix_list_spool(postfix_showq_t)
+@@ -539,7 +606,9 @@ postfix_list_spool(postfix_showq_t)
  
  allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
  allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
@@ -40950,7 +41224,7 @@ index a32c4b3..701607c 100644
  
  # to write the mailq output, it really should not need read access!
  term_use_all_ptys(postfix_showq_t)
-@@ -565,6 +630,10 @@ optional_policy(`
+@@ -565,6 +634,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -40961,7 +41235,7 @@ index a32c4b3..701607c 100644
  	milter_stream_connect_all(postfix_smtp_t)
  ')
  
-@@ -588,10 +657,16 @@ corecmd_exec_bin(postfix_smtpd_t)
+@@ -588,10 +661,16 @@ corecmd_exec_bin(postfix_smtpd_t)
  
  # for OpenSSL certificates
  files_read_usr_files(postfix_smtpd_t)
@@ -40978,7 +41252,7 @@ index a32c4b3..701607c 100644
  ')
  
  optional_policy(`
-@@ -611,8 +686,8 @@ optional_policy(`
+@@ -611,8 +690,8 @@ optional_policy(`
  # Postfix virtual local policy
  #
  
@@ -40988,7 +41262,7 @@ index a32c4b3..701607c 100644
  
  allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
  
-@@ -630,3 +705,8 @@ mta_delete_spool(postfix_virtual_t)
+@@ -630,3 +709,8 @@ mta_delete_spool(postfix_virtual_t)
  # For reading spamassasin
  mta_read_config(postfix_virtual_t)
  mta_manage_spool(postfix_virtual_t)
@@ -41278,6 +41552,19 @@ index ad15fde..6f55445 100644
  	')
  
  	allow $1 postgrey_t:process { ptrace signal_perms };
+diff --git a/policy/modules/services/postgrey.te b/policy/modules/services/postgrey.te
+index db843e2..4389e81 100644
+--- a/policy/modules/services/postgrey.te
++++ b/policy/modules/services/postgrey.te
+@@ -16,7 +16,7 @@ type postgrey_initrc_exec_t;
+ init_script_file(postgrey_initrc_exec_t)
+ 
+ type postgrey_spool_t;
+-files_type(postgrey_spool_t)
++files_spool_file(postgrey_spool_t)
+ 
+ type postgrey_var_lib_t;
+ files_type(postgrey_var_lib_t)
 diff --git a/policy/modules/services/ppp.fc b/policy/modules/services/ppp.fc
 index 2d82c6d..352032a 100644
 --- a/policy/modules/services/ppp.fc
@@ -41586,9 +41873,18 @@ index 2316653..77ef768 100644
 +	admin_pattern($1, prelude_lml_tmp_t)
  ')
 diff --git a/policy/modules/services/prelude.te b/policy/modules/services/prelude.te
-index b1bc02c..8f0b07e 100644
+index b1bc02c..e0c0f70 100644
 --- a/policy/modules/services/prelude.te
 +++ b/policy/modules/services/prelude.te
+@@ -13,7 +13,7 @@ type prelude_initrc_exec_t;
+ init_script_file(prelude_initrc_exec_t)
+ 
+ type prelude_spool_t;
+-files_type(prelude_spool_t)
++files_spool_file(prelude_spool_t)
+ 
+ type prelude_log_t;
+ logging_log_file(prelude_log_t)
 @@ -35,7 +35,6 @@ files_pid_file(prelude_audisp_var_run_t)
  type prelude_correlator_t;
  type prelude_correlator_exec_t;
@@ -42238,6 +42534,19 @@ index 64c5f95..cb7c5e2 100644
 +	usermanage_access_check_passwd(puppetmaster_t)
 +	usermanage_access_check_useradd(puppetmaster_t)
 +')
+diff --git a/policy/modules/services/pyicqt.te b/policy/modules/services/pyicqt.te
+index a841221..b62a01f 100644
+--- a/policy/modules/services/pyicqt.te
++++ b/policy/modules/services/pyicqt.te
+@@ -13,7 +13,7 @@ type pyicqt_conf_t;
+ files_config_file(pyicqt_conf_t)
+ 
+ type pyicqt_spool_t;
+-files_type(pyicqt_spool_t)
++files_spool_file(pyicqt_spool_t)
+ 
+ type pyicqt_var_run_t;
+ files_pid_file(pyicqt_var_run_t)
 diff --git a/policy/modules/services/pyzor.fc b/policy/modules/services/pyzor.fc
 index d4a7750..705196e 100644
 --- a/policy/modules/services/pyzor.fc
@@ -42488,9 +42797,18 @@ index a55bf44..77a25f5 100644
  ')
  
 diff --git a/policy/modules/services/qmail.te b/policy/modules/services/qmail.te
-index 355b2a2..54329f9 100644
+index 355b2a2..88e6f40 100644
 --- a/policy/modules/services/qmail.te
 +++ b/policy/modules/services/qmail.te
+@@ -47,7 +47,7 @@ qmail_child_domain_template(qmail_smtpd, qmail_tcp_env_t)
+ qmail_child_domain_template(qmail_splogger, qmail_start_t)
+ 
+ type qmail_spool_t;
+-files_type(qmail_spool_t)
++files_spool_file(qmail_spool_t)
+ 
+ type qmail_start_t;
+ type qmail_start_exec_t;
 @@ -60,7 +60,7 @@ application_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t)
  ########################################
  #
@@ -45287,7 +45605,7 @@ index cda37bb..484e552 100644
 +	allow $1 var_lib_nfs_t:file relabel_file_perms;
  ')
 diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
-index b1468ed..e8ee29b 100644
+index b1468ed..06e637c 100644
 --- a/policy/modules/services/rpc.te
 +++ b/policy/modules/services/rpc.te
 @@ -6,18 +6,18 @@ policy_module(rpc, 1.12.0)
@@ -45393,14 +45711,14 @@ index b1468ed..e8ee29b 100644
  
  manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
  manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
-@@ -196,6 +214,7 @@ kernel_signal(gssd_t)
- 
- corecmd_exec_bin(gssd_t)
- 
-+fs_search_nfsd_fs(gssd_t)
+@@ -199,6 +217,7 @@ corecmd_exec_bin(gssd_t)
  fs_list_rpc(gssd_t)
  fs_rw_rpc_sockets(gssd_t)
  fs_read_rpc_files(gssd_t)
++fs_search_nfsd_fs(gssd_t)
+ 
+ fs_list_inotifyfs(gssd_t)
+ files_list_tmp(gssd_t)
 @@ -210,14 +229,14 @@ auth_manage_cache(gssd_t)
  
  miscfiles_read_generic_certs(gssd_t)
@@ -45774,9 +46092,18 @@ index 71ea0ea..664e68e 100644
  #
  interface(`rwho_domtrans',`
 diff --git a/policy/modules/services/rwho.te b/policy/modules/services/rwho.te
-index a07b2f4..0ba4495 100644
+index a07b2f4..ee39810 100644
 --- a/policy/modules/services/rwho.te
 +++ b/policy/modules/services/rwho.te
+@@ -16,7 +16,7 @@ type rwho_log_t;
+ files_type(rwho_log_t)
+ 
+ type rwho_spool_t;
+-files_type(rwho_spool_t)
++files_spool_file(rwho_spool_t)
+ 
+ ########################################
+ #
 @@ -55,6 +55,10 @@ files_read_etc_files(rwho_t)
  init_read_utmp(rwho_t)
  init_dontaudit_write_utmp(rwho_t)
@@ -46952,6 +47279,19 @@ index 086cd5f..79347e7 100644
  optional_policy(`
  	rpm_signull(setroubleshoot_fixit_t)
  	rpm_read_db(setroubleshoot_fixit_t)
+diff --git a/policy/modules/services/slrnpull.te b/policy/modules/services/slrnpull.te
+index e5e72fd..92eecec 100644
+--- a/policy/modules/services/slrnpull.te
++++ b/policy/modules/services/slrnpull.te
+@@ -13,7 +13,7 @@ type slrnpull_var_run_t;
+ files_pid_file(slrnpull_var_run_t)
+ 
+ type slrnpull_spool_t;
+-files_type(slrnpull_spool_t)
++files_spool_file(slrnpull_spool_t)
+ 
+ type slrnpull_log_t;
+ logging_log_file(slrnpull_log_t)
 diff --git a/policy/modules/services/smartmon.if b/policy/modules/services/smartmon.if
 index adea9f9..d5b2d93 100644
 --- a/policy/modules/services/smartmon.if
@@ -47503,10 +47843,10 @@ index c954f31..c7cadcb 100644
 +	admin_pattern($1, spamd_var_run_t)
  ')
 diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
-index ec1eb1e..7573826 100644
+index ec1eb1e..e1f3477 100644
 --- a/policy/modules/services/spamassassin.te
 +++ b/policy/modules/services/spamassassin.te
-@@ -6,54 +6,93 @@ policy_module(spamassassin, 2.4.0)
+@@ -6,56 +6,95 @@ policy_module(spamassassin, 2.4.0)
  #
  
  ## <desc>
@@ -47634,8 +47974,11 @@ index ec1eb1e..7573826 100644
 +logging_log_file(spamd_log_t)
 +
  type spamd_spool_t;
- files_type(spamd_spool_t)
+-files_type(spamd_spool_t)
++files_spool_file(spamd_spool_t)
  
+ type spamd_tmp_t;
+ files_tmp_file(spamd_tmp_t)
 @@ -108,6 +147,7 @@ kernel_read_kernel_sysctls(spamassassin_t)
  dev_read_urand(spamassassin_t)
  
@@ -49585,9 +49928,18 @@ index 3b953f5..70f687a 100644
  # config files
  read_files_pattern(ulogd_t, ulogd_etc_t, ulogd_etc_t)
 diff --git a/policy/modules/services/uptime.te b/policy/modules/services/uptime.te
-index c2cf97e..037a1e8 100644
+index c2cf97e..1f8f768 100644
 --- a/policy/modules/services/uptime.te
 +++ b/policy/modules/services/uptime.te
+@@ -13,7 +13,7 @@ type uptimed_etc_t alias etc_uptimed_t;
+ files_config_file(uptimed_etc_t)
+ 
+ type uptimed_spool_t;
+-files_type(uptimed_spool_t)
++files_spool_file(uptimed_spool_t)
+ 
+ type uptimed_var_run_t;
+ files_pid_file(uptimed_var_run_t)
 @@ -25,7 +25,7 @@ files_pid_file(uptimed_var_run_t)
  
  dontaudit uptimed_t self:capability sys_tty_config;
@@ -49610,9 +49962,18 @@ index 4440aa6..34ffbfd 100644
 +	virt_dontaudit_read_chr_dev(usbmuxd_t)
 +')
 diff --git a/policy/modules/services/uucp.te b/policy/modules/services/uucp.te
-index d4349e9..4d112ba 100644
+index d4349e9..5e7be4f 100644
 --- a/policy/modules/services/uucp.te
 +++ b/policy/modules/services/uucp.te
+@@ -24,7 +24,7 @@ type uucpd_ro_t;
+ files_type(uucpd_ro_t)
+ 
+ type uucpd_spool_t;
+-files_type(uucpd_spool_t)
++files_spool_file(uucpd_spool_t)
+ 
+ type uucpd_log_t;
+ logging_log_file(uucpd_log_t)
 @@ -125,6 +125,8 @@ optional_policy(`
  allow uux_t self:capability { setuid setgid };
  allow uux_t self:fifo_file write_fifo_file_perms;
@@ -52729,7 +53090,7 @@ index 130ced9..10b57e0 100644
 +	userdom_admin_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")
 +')
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 143c893..bc547bf 100644
+index 143c893..0ad8e41 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
 @@ -26,27 +26,50 @@ gen_require(`
@@ -52864,7 +53225,7 @@ index 143c893..bc547bf 100644
 +files_config_file(xdm_rw_etc_t)
 +
 +type xdm_spool_t;
-+files_type(xdm_spool_t)
++files_spool_file(xdm_spool_t)
  
  type xdm_var_lib_t;
  files_type(xdm_var_lib_t)
@@ -54228,7 +54589,7 @@ index c6fdab7..41198a4 100644
  	cron_sigchld(application_domain_type)
  ')
 diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 73554ec..c2dc2c5 100644
+index 73554ec..dedb917 100644
 --- a/policy/modules/system/authlogin.if
 +++ b/policy/modules/system/authlogin.if
 @@ -57,6 +57,8 @@ interface(`auth_use_pam',`
@@ -54301,7 +54662,7 @@ index 73554ec..c2dc2c5 100644
  	auth_use_pam($1)
  
  	init_rw_utmp($1)
-@@ -155,13 +171,113 @@ interface(`auth_login_pgm_domain',`
+@@ -155,9 +171,89 @@ interface(`auth_login_pgm_domain',`
  	seutil_read_config($1)
  	seutil_read_default_contexts($1)
  
@@ -54349,30 +54710,10 @@ index 73554ec..c2dc2c5 100644
 +	')
 +
 +	optional_policy(`
++		systemd_dbus_chat_logind($1)
 +		systemd_use_fds_logind($1)
 +		systemd_write_inherited_logind_sessions_pipes($1)
- 	')
- ')
- 
- ########################################
- ## <summary>
-+##	Send and receive messages from
-+##	login program domains over dbus.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`authlogin_dbus_chat',`
-+	gen_require(`
-+		attribute polydomain;
-+		class dbus send_msg;
 +	')
-+
-+	allow $1 polydomain:dbus send_msg;
-+	allow polydomain $1:dbus send_msg;
 +')
 +
 +########################################
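Review bot: The `authlogin_dbus_chat` interface (bidirectional `dbus send_msg` between `$1` and every polydomain) is dropped here in favour of `systemd_dbus_chat_logind($1)` inside the optional block of `auth_login_pgm_domain`, whose header is outside the hunk; that is a welcome narrowing, but any module elsewhere in the patch still calling `authlogin_dbus_chat` would now fail to build, which cannot be checked from this hunk. The new call has no comment; `# login programs register their session with logind over dbus` above `systemd_dbus_chat_logind($1)` would record why every login domain needs the chat.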
@@ -54407,17 +54748,13 @@ index 73554ec..c2dc2c5 100644
 +interface(`authlogin_rw_pipes',`
 +	gen_require(`
 +		attribute polydomain;
-+	')
+ 	')
 +
 +	allow $1 polydomain:fifo_file rw_inherited_fifo_file_perms;
-+')
-+
-+########################################
-+## <summary>
- ##	Use the login program as an entry point program.
- ## </summary>
- ## <param name="domain">
-@@ -368,13 +484,15 @@ interface(`auth_domtrans_chk_passwd',`
+ ')
+ 
+ ########################################
+@@ -368,13 +464,15 @@ interface(`auth_domtrans_chk_passwd',`
  	')
  
  	optional_policy(`
@@ -54434,7 +54771,7 @@ index 73554ec..c2dc2c5 100644
  ')
  
  ########################################
-@@ -421,6 +539,25 @@ interface(`auth_run_chk_passwd',`
+@@ -421,6 +519,25 @@ interface(`auth_run_chk_passwd',`
  
  	auth_domtrans_chk_passwd($1)
  	role $2 types chkpwd_t;
@@ -54460,7 +54797,7 @@ index 73554ec..c2dc2c5 100644
  ')
  
  ########################################
-@@ -736,7 +873,47 @@ interface(`auth_rw_faillog',`
+@@ -736,7 +853,47 @@ interface(`auth_rw_faillog',`
  	')
  
  	logging_search_logs($1)
@@ -54509,7 +54846,7 @@ index 73554ec..c2dc2c5 100644
  ')
  
  #######################################
-@@ -932,9 +1109,30 @@ interface(`auth_manage_var_auth',`
+@@ -932,9 +1089,30 @@ interface(`auth_manage_var_auth',`
  	')
  
  	files_search_var($1)
@@ -54543,7 +54880,7 @@ index 73554ec..c2dc2c5 100644
  ')
  
  ########################################
-@@ -1387,6 +1585,25 @@ interface(`auth_setattr_login_records',`
+@@ -1387,6 +1565,25 @@ interface(`auth_setattr_login_records',`
  
  ########################################
  ## <summary>
@@ -54569,7 +54906,7 @@ index 73554ec..c2dc2c5 100644
  ##	Read login records files (/var/log/wtmp).
  ## </summary>
  ## <param name="domain">
-@@ -1541,24 +1758,6 @@ interface(`auth_manage_login_records',`
+@@ -1541,24 +1738,6 @@ interface(`auth_manage_login_records',`
  
  ########################################
  ## <summary>
@@ -54594,7 +54931,7 @@ index 73554ec..c2dc2c5 100644
  ##	Use nsswitch to look up user, password, group, or
  ##	host information.
  ## </summary>
-@@ -1579,28 +1778,36 @@ interface(`auth_relabel_login_records',`
+@@ -1579,28 +1758,36 @@ interface(`auth_relabel_login_records',`
  #
  interface(`auth_use_nsswitch',`
  
@@ -54638,7 +54975,7 @@ index 73554ec..c2dc2c5 100644
  	optional_policy(`
  		kerberos_use($1)
  	')
-@@ -1610,7 +1817,7 @@ interface(`auth_use_nsswitch',`
+@@ -1610,7 +1797,7 @@ interface(`auth_use_nsswitch',`
  	')
  
  	optional_policy(`
@@ -55860,7 +56197,7 @@ index 94fd8dd..0d7aa40 100644
 +	read_fifo_files_pattern($1, initrc_var_run_t, initrc_var_run_t)
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 29a9565..82cf8ae 100644
+index 29a9565..308297d 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -16,6 +16,34 @@ gen_require(`
@@ -56035,7 +56372,7 @@ index 29a9565..82cf8ae 100644
  	corecmd_shell_domtrans(init_t, initrc_t)
  ',`
  	# Run the shell in the sysadm role for single-user mode.
-@@ -186,12 +244,126 @@ tunable_policy(`init_upstart',`
+@@ -186,12 +244,129 @@ tunable_policy(`init_upstart',`
  	sysadm_shell_domtrans(init_t)
  ')
  
@@ -56081,6 +56418,7 @@ index 29a9565..82cf8ae 100644
 +	dev_manage_sysfs_dirs(init_t)
 +	dev_relabel_sysfs_dirs(init_t)
 +
++	files_search_all(init_t)
 +	files_mounton_all_mountpoints(init_t)
 +	files_unmount_all_file_type_fs(init_t)
 +	files_manage_all_pid_dirs(init_t)
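Review bot: `files_search_all(init_t)` grants search on every file type in the policy and carries no comment saying which path triggered it; the block it sits in begins outside the hunk, so whether the grant is conditional is not visible here. init_t already holds many all-* grants in the surrounding lines, so the widening is modest, but undocumented catch-all grants are the ones that never get removed. A why-comment, `# TODO(review): name the path or unit that needs search across all file types`, keeps it reviewable.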
@@ -56088,6 +56426,8 @@ index 29a9565..82cf8ae 100644
 +	files_relabel_all_pid_files(init_t)
 +	files_create_all_pid_sockets(init_t)
 +	files_delete_all_pid_sockets(init_t)
++	files_create_all_spool_sockets(init_t)
++	files_delete_all_spool_sockets(init_t)
 +	files_manage_urandom_seed(init_t)
 +	files_list_locks(init_t)
 +	files_list_spool(init_t)
@@ -56162,7 +56502,7 @@ index 29a9565..82cf8ae 100644
  ')
  
  optional_policy(`
-@@ -199,10 +371,26 @@ optional_policy(`
+@@ -199,10 +374,26 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -56189,7 +56529,7 @@ index 29a9565..82cf8ae 100644
  	unconfined_domain(init_t)
  ')
  
-@@ -212,7 +400,7 @@ optional_policy(`
+@@ -212,7 +403,7 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -56198,7 +56538,7 @@ index 29a9565..82cf8ae 100644
  dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
-@@ -241,12 +429,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -241,12 +432,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -56214,7 +56554,7 @@ index 29a9565..82cf8ae 100644
  
  init_write_initctl(initrc_t)
  
-@@ -258,20 +449,32 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -258,20 +452,32 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -56251,7 +56591,7 @@ index 29a9565..82cf8ae 100644
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -279,6 +482,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -279,6 +485,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
  
  dev_read_rand(initrc_t)
  dev_read_urand(initrc_t)
@@ -56259,7 +56599,7 @@ index 29a9565..82cf8ae 100644
  dev_write_kmsg(initrc_t)
  dev_write_rand(initrc_t)
  dev_write_urand(initrc_t)
-@@ -289,8 +493,10 @@ dev_write_framebuffer(initrc_t)
+@@ -289,8 +496,10 @@ dev_write_framebuffer(initrc_t)
  dev_read_realtime_clock(initrc_t)
  dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
@@ -56270,7 +56610,7 @@ index 29a9565..82cf8ae 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -298,13 +504,14 @@ dev_manage_generic_files(initrc_t)
+@@ -298,13 +507,14 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -56287,7 +56627,7 @@ index 29a9565..82cf8ae 100644
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
-@@ -316,6 +523,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -316,6 +526,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -56295,7 +56635,7 @@ index 29a9565..82cf8ae 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -323,8 +531,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -323,8 +534,10 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -56307,7 +56647,7 @@ index 29a9565..82cf8ae 100644
  files_delete_all_pids(initrc_t)
  files_delete_all_pid_dirs(initrc_t)
  files_read_etc_files(initrc_t)
-@@ -340,8 +550,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -340,8 +553,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -56321,7 +56661,7 @@ index 29a9565..82cf8ae 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -351,6 +565,8 @@ fs_mount_all_fs(initrc_t)
+@@ -351,6 +568,8 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -56330,7 +56670,7 @@ index 29a9565..82cf8ae 100644
  
  # initrc_t needs to do a pidof which requires ptrace
  mcs_ptrace_all(initrc_t)
-@@ -363,6 +579,7 @@ mls_process_read_up(initrc_t)
+@@ -363,6 +582,7 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -56338,7 +56678,7 @@ index 29a9565..82cf8ae 100644
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -374,6 +591,7 @@ term_use_all_terms(initrc_t)
+@@ -374,6 +594,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -56346,7 +56686,7 @@ index 29a9565..82cf8ae 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -394,18 +612,17 @@ logging_read_audit_config(initrc_t)
+@@ -394,18 +615,17 @@ logging_read_audit_config(initrc_t)
  
  miscfiles_read_localization(initrc_t)
  # slapd needs to read cert files from its initscript
@@ -56368,7 +56708,7 @@ index 29a9565..82cf8ae 100644
  
  ifdef(`distro_debian',`
  	dev_setattr_generic_dirs(initrc_t)
-@@ -458,6 +675,10 @@ ifdef(`distro_gentoo',`
+@@ -458,6 +678,10 @@ ifdef(`distro_gentoo',`
  	sysnet_setattr_config(initrc_t)
  
  	optional_policy(`
@@ -56379,7 +56719,7 @@ index 29a9565..82cf8ae 100644
  		alsa_read_lib(initrc_t)
  	')
  
-@@ -478,7 +699,7 @@ ifdef(`distro_redhat',`
+@@ -478,7 +702,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -56388,7 +56728,7 @@ index 29a9565..82cf8ae 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -493,6 +714,7 @@ ifdef(`distro_redhat',`
+@@ -493,6 +717,7 @@ ifdef(`distro_redhat',`
  	files_create_boot_dirs(initrc_t)
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
@@ -56396,7 +56736,7 @@ index 29a9565..82cf8ae 100644
  	# wants to read /.fonts directory
  	files_read_default_files(initrc_t)
  	files_mountpoint(initrc_tmp_t)
-@@ -522,8 +744,33 @@ ifdef(`distro_redhat',`
+@@ -522,8 +747,33 @@ ifdef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -56430,7 +56770,7 @@ index 29a9565..82cf8ae 100644
  	')
  
  	optional_policy(`
-@@ -531,10 +778,26 @@ ifdef(`distro_redhat',`
+@@ -531,10 +781,26 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -56457,7 +56797,7 @@ index 29a9565..82cf8ae 100644
  	')
  
  	optional_policy(`
-@@ -549,6 +812,39 @@ ifdef(`distro_suse',`
+@@ -549,6 +815,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -56497,7 +56837,7 @@ index 29a9565..82cf8ae 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -561,6 +857,8 @@ optional_policy(`
+@@ -561,6 +860,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -56506,7 +56846,7 @@ index 29a9565..82cf8ae 100644
  ')
  
  optional_policy(`
-@@ -577,6 +875,7 @@ optional_policy(`
+@@ -577,6 +878,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -56514,7 +56854,7 @@ index 29a9565..82cf8ae 100644
  ')
  
  optional_policy(`
-@@ -589,6 +888,11 @@ optional_policy(`
+@@ -589,6 +891,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -56526,7 +56866,7 @@ index 29a9565..82cf8ae 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -605,9 +909,13 @@ optional_policy(`
+@@ -605,9 +912,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -56540,7 +56880,7 @@ index 29a9565..82cf8ae 100644
  	')
  
  	optional_policy(`
-@@ -649,6 +957,11 @@ optional_policy(`
+@@ -649,6 +960,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -56552,7 +56892,7 @@ index 29a9565..82cf8ae 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -689,6 +1002,7 @@ optional_policy(`
+@@ -689,6 +1005,7 @@ optional_policy(`
  	lpd_list_spool(initrc_t)
  
  	lpd_read_config(initrc_t)
@@ -56560,7 +56900,7 @@ index 29a9565..82cf8ae 100644
  ')
  
  optional_policy(`
-@@ -706,7 +1020,13 @@ optional_policy(`
+@@ -706,7 +1023,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -56574,7 +56914,7 @@ index 29a9565..82cf8ae 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -729,6 +1049,10 @@ optional_policy(`
+@@ -729,6 +1052,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -56585,7 +56925,7 @@ index 29a9565..82cf8ae 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -738,10 +1062,20 @@ optional_policy(`
+@@ -738,10 +1065,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -56606,7 +56946,7 @@ index 29a9565..82cf8ae 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -750,6 +1084,10 @@ optional_policy(`
+@@ -750,6 +1087,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -56617,7 +56957,7 @@ index 29a9565..82cf8ae 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -771,8 +1109,6 @@ optional_policy(`
+@@ -771,8 +1112,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -56626,7 +56966,7 @@ index 29a9565..82cf8ae 100644
  ')
  
  optional_policy(`
-@@ -790,10 +1126,12 @@ optional_policy(`
+@@ -790,10 +1129,12 @@ optional_policy(`
  	squid_manage_logs(initrc_t)
  ')
  
@@ -56639,7 +56979,7 @@ index 29a9565..82cf8ae 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -805,7 +1143,6 @@ optional_policy(`
+@@ -805,7 +1146,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -56647,7 +56987,7 @@ index 29a9565..82cf8ae 100644
  	udev_manage_pid_files(initrc_t)
  	udev_manage_rules_files(initrc_t)
  ')
-@@ -815,11 +1152,24 @@ optional_policy(`
+@@ -815,11 +1155,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -56673,7 +57013,7 @@ index 29a9565..82cf8ae 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -829,6 +1179,25 @@ optional_policy(`
+@@ -829,6 +1182,25 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -56699,7 +57039,7 @@ index 29a9565..82cf8ae 100644
  ')
  
  optional_policy(`
-@@ -844,6 +1213,10 @@ optional_policy(`
+@@ -844,6 +1216,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -56710,7 +57050,7 @@ index 29a9565..82cf8ae 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -854,3 +1227,45 @@ optional_policy(`
+@@ -854,3 +1230,45 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -56959,7 +57299,7 @@ index 05fb364..6b895d1 100644
 -/usr/sbin/iptables-restore	--	gen_context(system_u:object_r:iptables_exec_t,s0)
 +/sbin/xtables-multi	--	gen_context(system_u:object_r:iptables_exec_t,s0)
 diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
-index f3e1b57..a7b2adc 100644
+index f3e1b57..d6a93ac 100644
 --- a/policy/modules/system/iptables.te
 +++ b/policy/modules/system/iptables.te
 @@ -13,9 +13,6 @@ role system_r types iptables_t;
@@ -56983,7 +57323,15 @@ index f3e1b57..a7b2adc 100644
  
  manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t)
  files_pid_filetrans(iptables_t, iptables_var_run_t, file)
-@@ -61,6 +58,9 @@ corenet_relabelto_all_packets(iptables_t)
+@@ -46,6 +43,7 @@ allow iptables_t iptables_tmp_t:dir manage_dir_perms;
+ allow iptables_t iptables_tmp_t:file manage_file_perms;
+ files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir })
+ 
++kernel_getattr_proc(iptables_t)
+ kernel_request_load_module(iptables_t)
+ kernel_read_system_state(iptables_t)
+ kernel_read_network_state(iptables_t)
+@@ -61,6 +59,9 @@ corenet_relabelto_all_packets(iptables_t)
  corenet_dontaudit_rw_tun_tap_dev(iptables_t)
  
  dev_read_sysfs(iptables_t)
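Review bot: The new `kernel_getattr_proc(iptables_t)` line carries no comment, and the only explanation lives in the commit log ("xtables-multi wants to getattr of the proc fs"), which a reader of iptables.te will not have. Going by the interface name the grant is limited to getattr on the proc filesystem object, so the risk is small, but the reason should still be recorded next to the rule: `# xtables-multi getattr()s the proc filesystem`. The surrounding kernel_* stanza continues outside the hunk.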
@@ -56993,7 +57341,7 @@ index f3e1b57..a7b2adc 100644
  
  fs_getattr_xattr_fs(iptables_t)
  fs_search_auto_mountpoints(iptables_t)
-@@ -69,11 +69,13 @@ fs_list_inotifyfs(iptables_t)
+@@ -69,11 +70,13 @@ fs_list_inotifyfs(iptables_t)
  mls_file_read_all_levels(iptables_t)
  
  term_dontaudit_use_console(iptables_t)
@@ -57008,7 +57356,7 @@ index f3e1b57..a7b2adc 100644
  
  auth_use_nsswitch(iptables_t)
  
-@@ -82,6 +84,7 @@ init_use_script_ptys(iptables_t)
+@@ -82,6 +85,7 @@ init_use_script_ptys(iptables_t)
  # to allow rules to be saved on reboot:
  init_rw_script_tmp_files(iptables_t)
  init_rw_script_stream_sockets(iptables_t)
@@ -57016,7 +57364,7 @@ index f3e1b57..a7b2adc 100644
  
  logging_send_syslog_msg(iptables_t)
  
-@@ -90,7 +93,7 @@ miscfiles_read_localization(iptables_t)
+@@ -90,7 +94,7 @@ miscfiles_read_localization(iptables_t)
  sysnet_domtrans_ifconfig(iptables_t)
  sysnet_dns_name_resolve(iptables_t)
  
@@ -57025,7 +57373,7 @@ index f3e1b57..a7b2adc 100644
  userdom_use_all_users_fds(iptables_t)
  
  ifdef(`hide_broken_symptoms',`
-@@ -99,6 +102,8 @@ ifdef(`hide_broken_symptoms',`
+@@ -99,6 +103,8 @@ ifdef(`hide_broken_symptoms',`
  
  optional_policy(`
  	fail2ban_append_log(iptables_t)
@@ -57034,7 +57382,7 @@ index f3e1b57..a7b2adc 100644
  ')
  
  optional_policy(`
-@@ -121,6 +126,7 @@ optional_policy(`
+@@ -121,6 +127,7 @@ optional_policy(`
  
  optional_policy(`
  	psad_rw_tmp_files(iptables_t)
@@ -57042,7 +57390,7 @@ index f3e1b57..a7b2adc 100644
  ')
  
  optional_policy(`
-@@ -134,6 +140,7 @@ optional_policy(`
+@@ -134,6 +141,7 @@ optional_policy(`
  optional_policy(`
  	shorewall_read_tmp_files(iptables_t)
  	shorewall_rw_lib_files(iptables_t)
@@ -57946,14 +58294,14 @@ index 831b909..57064ad 100644
  	init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index b6ec597..eedd444 100644
+index b6ec597..fa034d6 100644
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
 @@ -20,6 +20,7 @@ files_security_file(auditd_log_t)
  files_security_mountpoint(auditd_log_t)
  
  type audit_spool_t;
-+files_type(audit_spool_t)
++files_spool_file(audit_spool_t)
  files_security_file(audit_spool_t)
  files_security_mountpoint(audit_spool_t)
  
@@ -61082,10 +61430,10 @@ index 0000000..3248032
 +
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
 new file mode 100644
-index 0000000..9cc3fb6
+index 0000000..16371df
 --- /dev/null
 +++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,325 @@
+@@ -0,0 +1,344 @@
 +## <summary>SELinux policy for systemd components</summary>
 +
 +#######################################
@@ -61198,6 +61546,25 @@ index 0000000..9cc3fb6
 +
 +######################################
 +## <summary>
++##	Read systemd_login PID files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`systemd_login_read_pid_files',`
++	gen_require(`
++		type systemd_logind_var_run_t;
++	')
++
++	files_search_pids($1)
++	read_files_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t)
++')
++
++######################################
++## <summary>
 +##	Use and and inherited systemd
 +##	logind file descriptors.
 +## </summary>
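Review bot: The new interface is named `systemd_login_read_pid_files` but it requires `systemd_logind_var_run_t`, so the interface prefix and the type it exposes disagree; if the rest of systemd.if uses a `systemd_logind_` prefix (the neighbouring summary speaks of "logind file descriptors"), renaming it to `systemd_logind_read_pid_files` keeps callers greppable against the type. The only visible caller is the udev.te hunk further down in this patch, which would need the same rename. The summary should also name the type so readers know what is granted: `##	Read systemd-logind PID files (systemd_logind_var_run_t).`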
@@ -61413,10 +61780,10 @@ index 0000000..9cc3fb6
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..06e5b12
+index 0000000..155a839
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,310 @@
+@@ -0,0 +1,309 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -61484,7 +61851,7 @@ index 0000000..06e5b12
 +#
 +
 +# dac_override is for /run/user/$USER ($USER ownership is $USER:$USER)
-+allow systemd_logind_t self:capability { chown dac_override };
++allow systemd_logind_t self:capability { chown dac_override fowner };
 +allow systemd_logind_t self:process getcap;
 +allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
 +allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
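Review bot: The added `fowner` capability has no justification, whereas the neighbouring comment explains `dac_override` in terms of /run/user/$USER; the changelog says only "systemd-login needs fowner". CAP_FOWNER lets the domain bypass owner checks on chmod/chown/utimes-style operations, so the triggering denial should be recorded and, if the operation is harmless, a dontaudit considered instead. Extend the existing comment with something like `# fowner: TODO record the operation/denial that needs it (3.10.0-6)` until the actual cause is written down.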
@@ -61522,7 +61889,6 @@ index 0000000..06e5b12
 +# Actually only have proof of it creating dirs and symlinks (/run/user/$USER/X11/display)
 +auth_manage_var_auth(systemd_logind_t)
 +
-+authlogin_dbus_chat(systemd_logind_t)
 +authlogin_read_state(systemd_logind_t)
 +
 +dbus_connect_system_bus(systemd_logind_t)
@@ -61949,7 +62315,7 @@ index 025348a..c15e57c 100644
 +')
 +
 diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index d88f7c3..ca207d7 100644
+index d88f7c3..73c1dbc 100644
 --- a/policy/modules/system/udev.te
 +++ b/policy/modules/system/udev.te
 @@ -14,17 +14,17 @@ domain_entry_file(udev_t, udev_helper_exec_t)
@@ -62068,7 +62434,16 @@ index d88f7c3..ca207d7 100644
  
  logging_search_logs(udev_t)
  logging_send_syslog_msg(udev_t)
-@@ -186,15 +200,16 @@ ifdef(`distro_redhat',`
+@@ -169,6 +183,8 @@ sysnet_signal_dhcpc(udev_t)
+ sysnet_manage_config(udev_t)
+ sysnet_etc_filetrans_config(udev_t)
+ 
++systemd_login_read_pid_files(udev_t)
++
+ userdom_dontaudit_search_user_home_content(udev_t)
+ 
+ ifdef(`distro_gentoo',`
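Review bot: `systemd_login_read_pid_files(udev_t)` is called unconditionally between the sysnet_* and userdom_* calls, while other cross-module calls in udev.te (for example the devicekit_* calls further down) sit inside `optional_policy(`...')`. The systemd policy is a brand-new module in this same patch (systemd.if and systemd.te are added here), so unless it is built into base, a policy built without it will fail to link at this line; wrap the call as `optional_policy(` / `	systemd_login_read_pid_files(udev_t)` / `')` to match the file's convention.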
+@@ -186,15 +202,16 @@ ifdef(`distro_redhat',`
  	fs_manage_tmpfs_chr_files(udev_t)
  	fs_relabel_tmpfs_blk_file(udev_t)
  	fs_relabel_tmpfs_chr_file(udev_t)
@@ -62089,7 +62464,7 @@ index d88f7c3..ca207d7 100644
  ')
  
  optional_policy(`
-@@ -216,11 +231,16 @@ optional_policy(`
+@@ -216,11 +233,16 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -62107,7 +62482,7 @@ index d88f7c3..ca207d7 100644
  ')
  
  optional_policy(`
-@@ -230,6 +250,15 @@ optional_policy(`
+@@ -230,6 +252,15 @@ optional_policy(`
  optional_policy(`
  	devicekit_read_pid_files(udev_t)
  	devicekit_dgram_send(udev_t)
@@ -62123,7 +62498,7 @@ index d88f7c3..ca207d7 100644
  ')
  
  optional_policy(`
-@@ -259,6 +288,10 @@ optional_policy(`
+@@ -259,6 +290,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -62134,7 +62509,7 @@ index d88f7c3..ca207d7 100644
  	openct_read_pid_files(udev_t)
  	openct_domtrans(udev_t)
  ')
-@@ -273,6 +306,11 @@ optional_policy(`
+@@ -273,6 +308,11 @@ optional_policy(`
  ')
  
  optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index b8fbc05..ad718c0 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -452,6 +452,17 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Tue Jul 19 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-6
+- Add initial policy for abrt_dump_oops_t
+- xtables-multi wants to getattr of the proc fs
+- Smoltclient is connecting to abrt
+- Dontaudit leaked file descriptors to postdrop
+- Allow abrt_dump_oops to look at kernel sysctls
+- Abrt_dump_oops_t reads kernel ring buffer
+- Allow mysqld to request the kernel to load modules
+- systemd-login needs fowner
+- Allow postfix_cleanup_t to searh maildrop
+
 * Mon Jul 18 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-5
 - Initial systemd_logind policy
 - Add policy for systemd_logger and additional proivs for systemd_logind

