[selinux-policy] systemd fixes

Miroslav Grepl mgrepl at fedoraproject.org
Thu Jul 21 15:23:08 UTC 2011


commit 273e9346116f8816c3dcc594ff63874f49cc4d1f
Author: Miroslav <mgrepl at redhat.com>
Date:   Thu Jul 21 17:22:47 2011 +0200

    systemd fixes

 policy-F16.patch    |  717 +++++++++++++++++++++++++++++++--------------------
 selinux-policy.spec |    5 +-
 2 files changed, 446 insertions(+), 276 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index f6c009f..db25c5a 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -3310,10 +3310,10 @@ index 0000000..1f468aa
 +/usr/lib/chromium-browser/chrome-sandbox	--	gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
 diff --git a/policy/modules/apps/chrome.if b/policy/modules/apps/chrome.if
 new file mode 100644
-index 0000000..7b1047f
+index 0000000..bbbba63
 --- /dev/null
 +++ b/policy/modules/apps/chrome.if
-@@ -0,0 +1,126 @@
+@@ -0,0 +1,128 @@
 +
 +## <summary>policy for chrome</summary>
 +
@@ -3335,6 +3335,8 @@ index 0000000..7b1047f
 +	domtrans_pattern($1, chrome_sandbox_exec_t, chrome_sandbox_t)
 +	ps_process_pattern(chrome_sandbox_t, $1)
 +
++	allow $1 chrome_sandbox_t:fd use;
++
 +	ifdef(`hide_broken_symptoms',`
 +		dontaudit chrome_sandbox_t $1:socket_class_set { read write };
 +		fs_dontaudit_rw_anon_inodefs_files(chrome_sandbox_t)
@@ -13123,7 +13125,7 @@ index c19518a..ba08cfe 100644
 +/nsr(/.*)?			gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?			gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index ff006ea..d6ca227 100644
+index ff006ea..9097e58 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
 @@ -55,6 +55,7 @@
@@ -13894,7 +13896,7 @@ index ff006ea..d6ca227 100644
  ')
  
  ########################################
-@@ -5815,6 +6166,98 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -5815,6 +6166,116 @@ interface(`files_dontaudit_ioctl_all_pids',`
  
  ########################################
  ## <summary>
@@ -13952,6 +13954,24 @@ index ff006ea..d6ca227 100644
 +
 +########################################
 +## <summary>
++##	Create all pid named pipes
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_create_all_pid_pipes',`
++	gen_require(`
++		attribute pidfile;
++	')
++
++	allow $1 pidfile:fifo_file create_fifo_file_perms;
++')
++
++########################################
++## <summary>
 +##	Delete all pid named pipes
 +## </summary>
 +## <param name="domain">
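Review bot: `files_create_all_pid_pipes` grants `create_fifo_file_perms` on the whole `pidfile` attribute, i.e. creation of fifos labelled with every daemon's pid type, which is a broad grant for a caller that presumably only needs one service's fifo. The sibling `files_read_all_pids` in this file pairs its attribute-wide rule with `list_dirs_pattern($1, var_t, pidfile)`, whereas this interface grants nothing on the directory, so a caller still needs a separate pid-directory write interface before the create can succeed; that is worth stating in the summary, e.g. `##	Callers also need write access to the pid directory (e.g. via files_pid_filetrans).` Where the target pid type is known, a per-service interface is the tighter choice. The `files_delete_all_pid_pipes` header that follows is only shifted, not changed.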
@@ -13993,7 +14013,7 @@ index ff006ea..d6ca227 100644
  ##	Read all process ID files.
  ## </summary>
  ## <param name="domain">
-@@ -5832,6 +6275,44 @@ interface(`files_read_all_pids',`
+@@ -5832,6 +6293,44 @@ interface(`files_read_all_pids',`
  
  	list_dirs_pattern($1, var_t, pidfile)
  	read_files_pattern($1, pidfile, pidfile)
@@ -14038,7 +14058,7 @@ index ff006ea..d6ca227 100644
  ')
  
  ########################################
-@@ -5900,6 +6381,90 @@ interface(`files_delete_all_pid_dirs',`
+@@ -5900,6 +6399,90 @@ interface(`files_delete_all_pid_dirs',`
  
  ########################################
  ## <summary>
@@ -14129,7 +14149,7 @@ index ff006ea..d6ca227 100644
  ##	Search the contents of generic spool
  ##	directories (/var/spool).
  ## </summary>
-@@ -6042,7 +6607,7 @@ interface(`files_spool_filetrans',`
+@@ -6042,7 +6625,7 @@ interface(`files_spool_filetrans',`
  	')
  
  	allow $1 var_t:dir search_dir_perms;
@@ -14138,7 +14158,7 @@ index ff006ea..d6ca227 100644
  ')
  
  ########################################
-@@ -6117,3 +6682,284 @@ interface(`files_unconfined',`
+@@ -6117,3 +6700,284 @@ interface(`files_unconfined',`
  
  	typeattribute $1 files_unconfined_type;
  ')
@@ -18137,10 +18157,10 @@ index 0000000..8b2cdf3
 +
 diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
 new file mode 100644
-index 0000000..230d370
+index 0000000..99f35d5
 --- /dev/null
 +++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,543 @@
+@@ -0,0 +1,545 @@
 +policy_module(unconfineduser, 1.0.0)
 +
 +########################################
@@ -18263,6 +18283,8 @@ index 0000000..230d370
 +logging_send_syslog_msg(unconfined_t)
 +logging_run_auditctl(unconfined_t, unconfined_r)
 +
++systemd_config_all_services(unconfined_t)
++
 +optional_policy(`
 +	mount_run_unconfined(unconfined_t, unconfined_r)
 +	# Unconfined running as system_r
@@ -19239,7 +19261,7 @@ index 0b827c5..7382308 100644
 +    read_lnk_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
 +')
 diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
-index 30861ec..b8f91da 100644
+index 30861ec..2fe2895 100644
 --- a/policy/modules/services/abrt.te
 +++ b/policy/modules/services/abrt.te
 @@ -5,6 +5,14 @@ policy_module(abrt, 1.2.0)
@@ -19578,7 +19600,7 @@ index 30861ec..b8f91da 100644
 +
 +files_read_etc_files(abrt_dump_oops_t)
 +
-+logging_read_generic_logs(abrt_helper_t)
++logging_read_generic_logs(abrt_dump_oops_t)
 +logging_send_syslog_msg(abrt_dump_oops_t)
 +
 +miscfiles_read_localization(abrt_dump_oops_t)
@@ -20017,7 +20039,7 @@ index deca9d3..ae8c579 100644
  ')
  
 diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
-index 9e39aa5..70d68cb 100644
+index 9e39aa5..a0876b5 100644
 --- a/policy/modules/services/apache.fc
 +++ b/policy/modules/services/apache.fc
 @@ -1,13 +1,18 @@
@@ -20040,7 +20062,16 @@ index 9e39aa5..70d68cb 100644
  /etc/lighttpd(/.*)?			gen_context(system_u:object_r:httpd_config_t,s0)
  /etc/mock/koji(/.*)? 			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
  /etc/rc\.d/init\.d/httpd	--	gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
-@@ -24,16 +29,17 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u
+@@ -16,6 +21,8 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u
+ /etc/vhosts			--	gen_context(system_u:object_r:httpd_config_t,s0)
+ /etc/zabbix/web(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+ 
++/lib/systemd/system/httpd.?\.service  --              gen_context(system_u:object_r:httpd_unit_t,s0)
++
+ /srv/([^/]*/)?www(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
+ /srv/gallery2(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
+ 
+@@ -24,16 +31,17 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u
  
  /usr/lib/apache-ssl/.+		--	gen_context(system_u:object_r:httpd_exec_t,s0)
  /usr/lib/cgi-bin(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
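Review bot: The new file-context line `/lib/systemd/system/httpd.?\.service` uses an unescaped `.` in `httpd.?`, so it matches any single character after `httpd` (`httpdX.service`), not just the optional suffix it seems meant for. If the intent is `httpd.service` plus a numbered variant, `/lib/systemd/system/httpd2?\.service	--	gen_context(system_u:object_r:httpd_unit_t,s0)` is tighter, and if only `httpd.service` exists, `httpd\.service` is enough. The line also aligns its columns with spaces where the surrounding entries use tabs.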
@@ -20065,7 +20096,7 @@ index 9e39aa5..70d68cb 100644
  /usr/sbin/httpd(\.worker)?	--	gen_context(system_u:object_r:httpd_exec_t,s0)
  /usr/sbin/lighttpd		--	gen_context(system_u:object_r:httpd_exec_t,s0)
  /usr/sbin/rotatelogs		--	gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
-@@ -43,8 +49,9 @@ ifdef(`distro_suse', `
+@@ -43,8 +51,9 @@ ifdef(`distro_suse', `
  /usr/sbin/httpd2-.*		--	gen_context(system_u:object_r:httpd_exec_t,s0)
  ')
  
@@ -20077,7 +20108,7 @@ index 9e39aa5..70d68cb 100644
  /usr/share/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /usr/share/icecast(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /usr/share/mythweb(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
-@@ -73,8 +80,10 @@ ifdef(`distro_suse', `
+@@ -73,8 +82,10 @@ ifdef(`distro_suse', `
  /var/cache/ssl.*\.sem		--	gen_context(system_u:object_r:httpd_cache_t,s0)
  
  /var/lib/cacti/rra(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -20089,7 +20120,7 @@ index 9e39aa5..70d68cb 100644
  /var/lib/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /var/lib/httpd(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
  /var/lib/php/session(/.*)?		gen_context(system_u:object_r:httpd_var_run_t,s0)
-@@ -84,9 +93,10 @@ ifdef(`distro_suse', `
+@@ -84,9 +95,10 @@ ifdef(`distro_suse', `
  /var/log/apache-ssl(2)?(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
  /var/log/cacti(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
  /var/log/cgiwrap\.log.*		--	gen_context(system_u:object_r:httpd_log_t,s0)
@@ -20101,7 +20132,12 @@ index 9e39aa5..70d68cb 100644
  
  ifdef(`distro_debian', `
  /var/log/horde2(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
-@@ -109,3 +119,22 @@ ifdef(`distro_debian', `
+@@ -105,7 +117,27 @@ ifdef(`distro_debian', `
+ 
+ /var/www(/.*)?				gen_context(system_u:object_r:httpd_sys_content_t,s0)
+ /var/www(/.*)?/logs(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
++/var/www/html(/.*)?/logs(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
+ /var/www/[^/]*/cgi-bin(/.*)?		gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
  /var/www/cgi-bin(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
  /var/www/icons(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /var/www/perl(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
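Review bot: The added `/var/www/html(/.*)?/logs(/.*)?` entry labelled `httpd_sys_content_t` overlaps the `/var/www(/.*)?/logs(/.*)?` entry labelled `httpd_log_t` two lines above it, and nothing in the file says why a `logs` directory under the document root should be content rather than a log directory. A short comment above the line stating the reason (presumably that web applications keep their own `logs` directory under `html`) would keep a later cleanup from removing it as a duplicate. Since both regexes match the same paths, it is also worth confirming that the file-context matcher's specificity rules pick the intended entry rather than relying on line order.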
@@ -20125,7 +20161,7 @@ index 9e39aa5..70d68cb 100644
 +/var/run/dirsrv/admin-serv.*	gen_context(system_u:object_r:httpd_var_run_t,s0)
 +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?       gen_context(system_u:object_r:httpd_var_run_t,s0)
 diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
-index 6480167..b32b10e 100644
+index 6480167..970916e 100644
 --- a/policy/modules/services/apache.if
 +++ b/policy/modules/services/apache.if
 @@ -13,17 +13,13 @@
@@ -20564,11 +20600,12 @@ index 6480167..b32b10e 100644
  ########################################
  ## <summary>
  ##	Execute all web scripts in the system
-@@ -862,7 +1026,11 @@ interface(`apache_manage_sys_content',`
+@@ -862,7 +1026,12 @@ interface(`apache_manage_sys_content',`
  interface(`apache_domtrans_sys_script',`
  	gen_require(`
  		attribute httpdcontent;
 -		type httpd_sys_script_t;
++		type httpd_sys_script_exec_t;
 +		type httpd_sys_script_t, httpd_sys_content_t;
 +	')
 +
@@ -20577,7 +20614,7 @@ index 6480167..b32b10e 100644
  	')
  
  	tunable_policy(`httpd_enable_cgi && httpd_unified',`
-@@ -921,9 +1089,10 @@ interface(`apache_domtrans_all_scripts',`
+@@ -921,9 +1090,10 @@ interface(`apache_domtrans_all_scripts',`
  ## </param>
  ## <param name="role">
  ##	<summary>
@@ -20589,7 +20626,7 @@ index 6480167..b32b10e 100644
  #
  interface(`apache_run_all_scripts',`
  	gen_require(`
-@@ -950,7 +1119,7 @@ interface(`apache_read_squirrelmail_data',`
+@@ -950,7 +1120,7 @@ interface(`apache_read_squirrelmail_data',`
  		type httpd_squirrelmail_t;
  	')
  
@@ -20598,7 +20635,7 @@ index 6480167..b32b10e 100644
  ')
  
  ########################################
-@@ -1091,6 +1260,25 @@ interface(`apache_read_tmp_files',`
+@@ -1091,6 +1261,25 @@ interface(`apache_read_tmp_files',`
  	read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
  ')
  
@@ -20624,7 +20661,7 @@ index 6480167..b32b10e 100644
  ########################################
  ## <summary>
  ##	Dontaudit attempts to write
-@@ -1107,7 +1295,7 @@ interface(`apache_dontaudit_write_tmp_files',`
+@@ -1107,7 +1296,7 @@ interface(`apache_dontaudit_write_tmp_files',`
  		type httpd_tmp_t;
  	')
  
@@ -20633,7 +20670,7 @@ index 6480167..b32b10e 100644
  ')
  
  ########################################
-@@ -1170,17 +1358,14 @@ interface(`apache_cgi_domain',`
+@@ -1170,17 +1359,15 @@ interface(`apache_cgi_domain',`
  #
  interface(`apache_admin',`
  	gen_require(`
@@ -20648,6 +20685,7 @@ index 6480167..b32b10e 100644
 +		type httpd_var_run_t, httpd_php_tmp_t, httpd_initrc_exec_t;
  		type httpd_suexec_tmp_t, httpd_tmp_t;
 -		type httpd_initrc_exec_t;
++		type httpd_unit_t;
  	')
  
 -	allow $1 httpd_t:process { getattr ptrace signal_perms };
@@ -20655,7 +20693,7 @@ index 6480167..b32b10e 100644
  	ps_process_pattern($1, httpd_t)
  
  	init_labeled_script_domtrans($1, httpd_initrc_exec_t)
-@@ -1191,10 +1376,10 @@ interface(`apache_admin',`
+@@ -1191,10 +1378,10 @@ interface(`apache_admin',`
  	apache_manage_all_content($1)
  	miscfiles_manage_public_files($1)
  
@@ -20668,7 +20706,7 @@ index 6480167..b32b10e 100644
  	admin_pattern($1, httpd_log_t)
  
  	admin_pattern($1, httpd_modules_t)
-@@ -1205,14 +1390,67 @@ interface(`apache_admin',`
+@@ -1205,14 +1392,69 @@ interface(`apache_admin',`
  	admin_pattern($1, httpd_var_run_t)
  	files_pid_filetrans($1, httpd_var_run_t, file)
  
@@ -20687,6 +20725,8 @@ index 6480167..b32b10e 100644
  	admin_pattern($1, httpd_php_tmp_t)
  	admin_pattern($1, httpd_suexec_tmp_t)
 +
++	allow $1 httpd_unit_t:service all_service_perms;
++
 +	ifdef(`TODO',`
 +		apache_set_booleans($1, $2, $3, httpd_bool_t)
 +		seutil_setsebool_role_template($1, $3, $2)
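Review bot: `allow $1 httpd_unit_t:service all_service_perms;` in `apache_admin` is a raw access-vector rule on the systemd `service` class, whereas the rest of the interface reaches other modules' objects through their interfaces (`init_labeled_script_domtrans($1, httpd_initrc_exec_t)` in the earlier hunk of this interface). If the systemd module exposes an interface for managing a unit's service object, calling it here with `httpd_unit_t` keeps the class and permission set owned by one module; the `type httpd_unit_t;` added to the `gen_require` in the preceding hunk would stay as is. `apache_admin` begins and ends outside this hunk.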
@@ -20742,7 +20782,7 @@ index 6480167..b32b10e 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
  ')
 diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 3136c6a..edeae62 100644
+index 3136c6a..8115e0e 100644
 --- a/policy/modules/services/apache.te
 +++ b/policy/modules/services/apache.te
 @@ -18,130 +18,195 @@ policy_module(apache, 2.2.1)
@@ -21006,7 +21046,17 @@ index 3136c6a..edeae62 100644
  
  type httpd_helper_t;
  type httpd_helper_exec_t;
-@@ -216,7 +281,17 @@ files_tmp_file(httpd_suexec_tmp_t)
+@@ -177,6 +242,9 @@ role system_r types httpd_helper_t;
+ type httpd_initrc_exec_t;
+ init_script_file(httpd_initrc_exec_t)
+ 
++type httpd_unit_t;
++systemd_unit_file(httpd_unit_t)
++
+ type httpd_lock_t;
+ files_lock_file(httpd_lock_t)
+ 
+@@ -216,7 +284,17 @@ files_tmp_file(httpd_suexec_tmp_t)
  
  # setup the system domain for system CGI scripts
  apache_content_template(sys)
@@ -21025,7 +21075,7 @@ index 3136c6a..edeae62 100644
  
  type httpd_tmp_t;
  files_tmp_file(httpd_tmp_t)
-@@ -226,6 +301,10 @@ files_tmpfs_file(httpd_tmpfs_t)
+@@ -226,6 +304,10 @@ files_tmpfs_file(httpd_tmpfs_t)
  
  apache_content_template(user)
  ubac_constrained(httpd_user_script_t)
@@ -21036,7 +21086,7 @@ index 3136c6a..edeae62 100644
  userdom_user_home_content(httpd_user_content_t)
  userdom_user_home_content(httpd_user_htaccess_t)
  userdom_user_home_content(httpd_user_script_exec_t)
-@@ -233,6 +312,7 @@ userdom_user_home_content(httpd_user_ra_content_t)
+@@ -233,6 +315,7 @@ userdom_user_home_content(httpd_user_ra_content_t)
  userdom_user_home_content(httpd_user_rw_content_t)
  typeattribute httpd_user_script_t httpd_script_domains;
  typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
@@ -21044,7 +21094,7 @@ index 3136c6a..edeae62 100644
  typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
  typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
  typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
-@@ -254,9 +334,13 @@ files_type(httpd_var_lib_t)
+@@ -254,9 +337,13 @@ files_type(httpd_var_lib_t)
  type httpd_var_run_t;
  files_pid_file(httpd_var_run_t)
  
@@ -21058,7 +21108,7 @@ index 3136c6a..edeae62 100644
  
  optional_policy(`
  	prelink_object_file(httpd_modules_t)
-@@ -281,11 +365,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -281,11 +368,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
  allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow httpd_t self:tcp_socket create_stream_socket_perms;
  allow httpd_t self:udp_socket create_socket_perms;
@@ -21072,7 +21122,7 @@ index 3136c6a..edeae62 100644
  
  # Allow the httpd_t to read the web servers config files
  allow httpd_t httpd_config_t:dir list_dir_perms;
-@@ -329,8 +415,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
+@@ -329,8 +418,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
  
  manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
  manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
@@ -21083,7 +21133,7 @@ index 3136c6a..edeae62 100644
  
  manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
  manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
-@@ -355,6 +442,8 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -355,6 +445,8 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  kernel_read_kernel_sysctls(httpd_t)
  # for modules that want to access /proc/meminfo
  kernel_read_system_state(httpd_t)
@@ -21092,7 +21142,7 @@ index 3136c6a..edeae62 100644
  
  corenet_all_recvfrom_unlabeled(httpd_t)
  corenet_all_recvfrom_netlabel(httpd_t)
-@@ -365,11 +454,14 @@ corenet_udp_sendrecv_generic_node(httpd_t)
+@@ -365,11 +457,14 @@ corenet_udp_sendrecv_generic_node(httpd_t)
  corenet_tcp_sendrecv_all_ports(httpd_t)
  corenet_udp_sendrecv_all_ports(httpd_t)
  corenet_tcp_bind_generic_node(httpd_t)
@@ -21108,7 +21158,7 @@ index 3136c6a..edeae62 100644
  
  dev_read_sysfs(httpd_t)
  dev_read_rand(httpd_t)
-@@ -378,12 +470,12 @@ dev_rw_crypto(httpd_t)
+@@ -378,12 +473,12 @@ dev_rw_crypto(httpd_t)
  
  fs_getattr_all_fs(httpd_t)
  fs_search_auto_mountpoints(httpd_t)
@@ -21124,7 +21174,7 @@ index 3136c6a..edeae62 100644
  
  domain_use_interactive_fds(httpd_t)
  
-@@ -391,6 +483,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
+@@ -391,6 +486,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
  files_read_usr_files(httpd_t)
  files_list_mnt(httpd_t)
  files_search_spool(httpd_t)
@@ -21132,7 +21182,7 @@ index 3136c6a..edeae62 100644
  files_read_var_lib_files(httpd_t)
  files_search_home(httpd_t)
  files_getattr_home_dir(httpd_t)
-@@ -402,6 +495,13 @@ files_read_etc_files(httpd_t)
+@@ -402,6 +498,13 @@ files_read_etc_files(httpd_t)
  files_read_var_lib_symlinks(httpd_t)
  
  fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -21146,7 +21196,7 @@ index 3136c6a..edeae62 100644
  
  libs_read_lib_files(httpd_t)
  
-@@ -416,34 +516,74 @@ seutil_dontaudit_search_config(httpd_t)
+@@ -416,34 +519,74 @@ seutil_dontaudit_search_config(httpd_t)
  
  userdom_use_unpriv_users_fds(httpd_t)
  
@@ -21223,7 +21273,7 @@ index 3136c6a..edeae62 100644
  ')
  
  tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -456,6 +596,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -456,6 +599,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
  
  tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
  	domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
@@ -21234,7 +21284,7 @@ index 3136c6a..edeae62 100644
  
  	manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
  	manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
-@@ -466,15 +610,27 @@ tunable_policy(`httpd_enable_ftp_server',`
+@@ -466,15 +613,27 @@ tunable_policy(`httpd_enable_ftp_server',`
  	corenet_tcp_bind_ftp_port(httpd_t)
  ')
  
@@ -21264,7 +21314,7 @@ index 3136c6a..edeae62 100644
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_t)
  	fs_read_cifs_symlinks(httpd_t)
-@@ -484,7 +640,16 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -484,7 +643,16 @@ tunable_policy(`httpd_can_sendmail',`
  	# allow httpd to connect to mail servers
  	corenet_tcp_connect_smtp_port(httpd_t)
  	corenet_sendrecv_smtp_client_packets(httpd_t)
@@ -21281,7 +21331,7 @@ index 3136c6a..edeae62 100644
  ')
  
  tunable_policy(`httpd_ssi_exec',`
-@@ -499,9 +664,19 @@ tunable_policy(`httpd_ssi_exec',`
+@@ -499,9 +667,19 @@ tunable_policy(`httpd_ssi_exec',`
  # to run correctly without this permission, so the permission
  # are dontaudited here.
  tunable_policy(`httpd_tty_comm',`
@@ -21302,7 +21352,7 @@ index 3136c6a..edeae62 100644
  ')
  
  optional_policy(`
-@@ -513,7 +688,13 @@ optional_policy(`
+@@ -513,7 +691,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21317,7 +21367,7 @@ index 3136c6a..edeae62 100644
  ')
  
  optional_policy(`
-@@ -528,7 +709,18 @@ optional_policy(`
+@@ -528,7 +712,18 @@ optional_policy(`
  	daemontools_service_domain(httpd_t, httpd_exec_t)
  ')
  
@@ -21337,7 +21387,7 @@ index 3136c6a..edeae62 100644
  	dbus_system_bus_client(httpd_t)
  
  	tunable_policy(`httpd_dbus_avahi',`
-@@ -537,8 +729,13 @@ optional_policy(`
+@@ -537,8 +732,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21352,7 +21402,7 @@ index 3136c6a..edeae62 100644
  	')
  ')
  
-@@ -556,7 +753,13 @@ optional_policy(`
+@@ -556,7 +756,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21366,7 +21416,7 @@ index 3136c6a..edeae62 100644
  	mysql_stream_connect(httpd_t)
  	mysql_rw_db_sockets(httpd_t)
  
-@@ -567,6 +770,7 @@ optional_policy(`
+@@ -567,6 +773,7 @@ optional_policy(`
  
  optional_policy(`
  	nagios_read_config(httpd_t)
@@ -21374,7 +21424,7 @@ index 3136c6a..edeae62 100644
  ')
  
  optional_policy(`
-@@ -577,6 +781,16 @@ optional_policy(`
+@@ -577,6 +784,16 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21391,7 +21441,7 @@ index 3136c6a..edeae62 100644
  	# Allow httpd to work with postgresql
  	postgresql_stream_connect(httpd_t)
  	postgresql_unpriv_client(httpd_t)
-@@ -591,6 +805,11 @@ optional_policy(`
+@@ -591,6 +808,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21403,7 +21453,7 @@ index 3136c6a..edeae62 100644
  	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
  	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
  ')
-@@ -603,6 +822,12 @@ optional_policy(`
+@@ -603,6 +825,12 @@ optional_policy(`
  	yam_read_content(httpd_t)
  ')
  
@@ -21416,7 +21466,7 @@ index 3136c6a..edeae62 100644
  ########################################
  #
  # Apache helper local policy
-@@ -616,7 +841,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
+@@ -616,7 +844,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
  
  logging_send_syslog_msg(httpd_helper_t)
  
@@ -21429,7 +21479,7 @@ index 3136c6a..edeae62 100644
  
  ########################################
  #
-@@ -654,28 +883,30 @@ libs_exec_lib_files(httpd_php_t)
+@@ -654,28 +886,30 @@ libs_exec_lib_files(httpd_php_t)
  userdom_use_unpriv_users_fds(httpd_php_t)
  
  tunable_policy(`httpd_can_network_connect_db',`
@@ -21473,7 +21523,7 @@ index 3136c6a..edeae62 100644
  ')
  
  ########################################
-@@ -685,6 +916,8 @@ optional_policy(`
+@@ -685,6 +919,8 @@ optional_policy(`
  
  allow httpd_suexec_t self:capability { setuid setgid };
  allow httpd_suexec_t self:process signal_perms;
@@ -21482,7 +21532,7 @@ index 3136c6a..edeae62 100644
  allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
  
  domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-@@ -699,17 +932,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -699,17 +935,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
  
@@ -21508,7 +21558,7 @@ index 3136c6a..edeae62 100644
  
  files_read_etc_files(httpd_suexec_t)
  files_read_usr_files(httpd_suexec_t)
-@@ -740,13 +978,31 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -740,13 +981,31 @@ tunable_policy(`httpd_can_network_connect',`
  	corenet_sendrecv_all_client_packets(httpd_suexec_t)
  ')
  
@@ -21541,7 +21591,7 @@ index 3136c6a..edeae62 100644
  	fs_read_nfs_files(httpd_suexec_t)
  	fs_read_nfs_symlinks(httpd_suexec_t)
  	fs_exec_nfs_files(httpd_suexec_t)
-@@ -769,6 +1025,25 @@ optional_policy(`
+@@ -769,6 +1028,25 @@ optional_policy(`
  	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
  ')
  
@@ -21567,7 +21617,7 @@ index 3136c6a..edeae62 100644
  ########################################
  #
  # Apache system script local policy
-@@ -789,12 +1064,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+@@ -789,12 +1067,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
  
  kernel_read_kernel_sysctls(httpd_sys_script_t)
  
@@ -21585,7 +21635,7 @@ index 3136c6a..edeae62 100644
  ifdef(`distro_redhat',`
  	allow httpd_sys_script_t httpd_log_t:file append_file_perms;
  ')
-@@ -803,18 +1083,50 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -803,18 +1086,50 @@ tunable_policy(`httpd_can_sendmail',`
  	mta_send_mail(httpd_sys_script_t)
  ')
  
@@ -21642,7 +21692,7 @@ index 3136c6a..edeae62 100644
  	corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
  	corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
  	corenet_tcp_connect_all_ports(httpd_sys_script_t)
-@@ -822,14 +1134,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -822,14 +1137,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
  ')
  
  tunable_policy(`httpd_enable_homedirs',`
@@ -21673,7 +21723,7 @@ index 3136c6a..edeae62 100644
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_sys_script_t)
  	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,10 +1169,20 @@ optional_policy(`
+@@ -842,10 +1172,20 @@ optional_policy(`
  optional_policy(`
  	mysql_stream_connect(httpd_sys_script_t)
  	mysql_rw_db_sockets(httpd_sys_script_t)
@@ -21694,7 +21744,7 @@ index 3136c6a..edeae62 100644
  ')
  
  ########################################
-@@ -891,11 +1228,21 @@ optional_policy(`
+@@ -891,11 +1231,21 @@ optional_policy(`
  
  tunable_policy(`httpd_enable_cgi && httpd_unified',`
  	allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -25873,7 +25923,7 @@ index 35241ed..2976df7 100644
 +	manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
  ')
 diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
-index f7583ab..894130f 100644
+index f7583ab..3c9cf5a 100644
 --- a/policy/modules/services/cron.te
 +++ b/policy/modules/services/cron.te
 @@ -10,18 +10,18 @@ gen_require(`
@@ -26049,10 +26099,11 @@ index f7583ab..894130f 100644
  logging_send_syslog_msg(crond_t)
  logging_set_loginuid(crond_t)
  
-@@ -220,8 +243,10 @@ miscfiles_read_localization(crond_t)
+@@ -220,8 +243,11 @@ miscfiles_read_localization(crond_t)
  userdom_use_unpriv_users_fds(crond_t)
  # Not sure why this is needed
  userdom_list_user_home_dirs(crond_t)
++userdom_list_admin_dir(crond_t)
 +userdom_create_all_users_keys(crond_t)
  
  mta_send_mail(crond_t)
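Review bot: `userdom_list_admin_dir(crond_t)` is inserted directly beneath `# Not sure why this is needed`, a comment that belongs to `userdom_list_user_home_dirs(crond_t)` on the line before, so the new rule now reads as equally unexplained. A one-line comment naming what crond has to find in the admin home directory, or placing the new call after `userdom_create_all_users_keys(crond_t)`, would separate it from that comment.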
@@ -26060,7 +26111,7 @@ index f7583ab..894130f 100644
  
  ifdef(`distro_debian',`
  	# pam_limits is used
-@@ -233,7 +258,7 @@ ifdef(`distro_debian',`
+@@ -233,7 +259,7 @@ ifdef(`distro_debian',`
  	')
  ')
  
@@ -26069,7 +26120,7 @@ index f7583ab..894130f 100644
  	# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
  	# via redirection of standard out.
  	optional_policy(`
-@@ -250,11 +275,30 @@ tunable_policy(`fcron_crond', `
+@@ -250,11 +276,30 @@ tunable_policy(`fcron_crond', `
  ')
  
  optional_policy(`
@@ -26100,7 +26151,7 @@ index f7583ab..894130f 100644
  	amanda_search_var_lib(crond_t)
  ')
  
-@@ -264,6 +308,8 @@ optional_policy(`
+@@ -264,6 +309,8 @@ optional_policy(`
  
  optional_policy(`
  	hal_dbus_chat(crond_t)
@@ -26109,7 +26160,7 @@ index f7583ab..894130f 100644
  ')
  
  optional_policy(`
-@@ -286,15 +332,26 @@ optional_policy(`
+@@ -286,15 +333,26 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -26136,7 +26187,7 @@ index f7583ab..894130f 100644
  allow system_cronjob_t self:process { signal_perms getsched setsched };
  allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
  allow system_cronjob_t self:passwd rootok;
-@@ -306,10 +363,19 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file)
+@@ -306,10 +364,19 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file)
  
  # This is to handle /var/lib/misc directory.  Used currently
  # by prelink var/lib files for cron 
@@ -26157,7 +26208,7 @@ index f7583ab..894130f 100644
  # The entrypoint interface is not used as this is not
  # a regular entrypoint.  Since crontab files are
  # not directly executed, crond must ensure that
-@@ -329,6 +395,7 @@ allow crond_t system_cronjob_t:fd use;
+@@ -329,6 +396,7 @@ allow crond_t system_cronjob_t:fd use;
  allow system_cronjob_t crond_t:fd use;
  allow system_cronjob_t crond_t:fifo_file rw_file_perms;
  allow system_cronjob_t crond_t:process sigchld;
@@ -26165,7 +26216,7 @@ index f7583ab..894130f 100644
  
  # Write /var/lock/makewhatis.lock.
  allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
-@@ -340,9 +407,13 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
+@@ -340,9 +408,13 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
  filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
  files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
  
@@ -26180,7 +26231,7 @@ index f7583ab..894130f 100644
  
  kernel_read_kernel_sysctls(system_cronjob_t)
  kernel_read_system_state(system_cronjob_t)
-@@ -365,6 +436,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t)
+@@ -365,6 +437,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t)
  dev_getattr_all_blk_files(system_cronjob_t)
  dev_getattr_all_chr_files(system_cronjob_t)
  dev_read_urand(system_cronjob_t)
@@ -26188,7 +26239,7 @@ index f7583ab..894130f 100644
  
  fs_getattr_all_fs(system_cronjob_t)
  fs_getattr_all_files(system_cronjob_t)
-@@ -391,6 +463,7 @@ files_dontaudit_search_pids(system_cronjob_t)
+@@ -391,6 +464,7 @@ files_dontaudit_search_pids(system_cronjob_t)
  # Access other spool directories like
  # /var/spool/anacron and /var/spool/slrnpull.
  files_manage_generic_spool(system_cronjob_t)
@@ -26196,7 +26247,7 @@ index f7583ab..894130f 100644
  
  init_use_script_fds(system_cronjob_t)
  init_read_utmp(system_cronjob_t)
-@@ -413,8 +486,10 @@ miscfiles_manage_man_pages(system_cronjob_t)
+@@ -413,8 +487,10 @@ miscfiles_manage_man_pages(system_cronjob_t)
  
  seutil_read_config(system_cronjob_t)
  
@@ -26208,7 +26259,7 @@ index f7583ab..894130f 100644
  	# via redirection of standard out.
  	optional_policy(`
  		rpm_manage_log(system_cronjob_t)
-@@ -439,6 +514,8 @@ optional_policy(`
+@@ -439,6 +515,8 @@ optional_policy(`
  	apache_read_config(system_cronjob_t)
  	apache_read_log(system_cronjob_t)
  	apache_read_sys_content(system_cronjob_t)
@@ -26217,7 +26268,7 @@ index f7583ab..894130f 100644
  ')
  
  optional_policy(`
-@@ -446,6 +523,14 @@ optional_policy(`
+@@ -446,6 +524,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -26232,7 +26283,7 @@ index f7583ab..894130f 100644
  	ftp_read_log(system_cronjob_t)
  ')
  
-@@ -456,15 +541,24 @@ optional_policy(`
+@@ -456,15 +542,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -26257,7 +26308,7 @@ index f7583ab..894130f 100644
  ')
  
  optional_policy(`
-@@ -480,7 +574,7 @@ optional_policy(`
+@@ -480,7 +575,7 @@ optional_policy(`
  	prelink_manage_lib(system_cronjob_t)
  	prelink_manage_log(system_cronjob_t)
  	prelink_read_cache(system_cronjob_t)
@@ -26266,7 +26317,7 @@ index f7583ab..894130f 100644
  ')
  
  optional_policy(`
-@@ -495,6 +589,7 @@ optional_policy(`
+@@ -495,6 +590,7 @@ optional_policy(`
  
  optional_policy(`
  	spamassassin_manage_lib_files(system_cronjob_t)
@@ -26274,7 +26325,7 @@ index f7583ab..894130f 100644
  ')
  
  optional_policy(`
-@@ -502,7 +597,13 @@ optional_policy(`
+@@ -502,7 +598,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -26288,7 +26339,7 @@ index f7583ab..894130f 100644
  	userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
  ')
  
-@@ -595,9 +696,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
+@@ -595,9 +697,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
  #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
  
  list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
@@ -26304,10 +26355,10 @@ index f7583ab..894130f 100644
  
 diff --git a/policy/modules/services/ctdbd.fc b/policy/modules/services/ctdbd.fc
 new file mode 100644
-index 0000000..a7c4f1e
+index 0000000..e490a2a
 --- /dev/null
 +++ b/policy/modules/services/ctdbd.fc
-@@ -0,0 +1,14 @@
+@@ -0,0 +1,15 @@
 +
 +/etc/rc\.d/init\.d/ctdb	--	gen_context(system_u:object_r:ctdbd_initrc_exec_t,s0)
 +
@@ -26320,14 +26371,15 @@ index 0000000..a7c4f1e
 +/usr/sbin/ctdbd		--	gen_context(system_u:object_r:ctdbd_exec_t,s0)
 +
 +/var/ctdbd(/.*)?		gen_context(system_u:object_r:ctdbd_var_lib_t,s0)
++/var/ctdb(/.*)?        gen_context(system_u:object_r:ctdbd_var_lib_t,s0)
 +/var/lib/ctdbd(/.*)?		gen_context(system_u:object_r:ctdbd_var_lib_t,s0)
 +
 diff --git a/policy/modules/services/ctdbd.if b/policy/modules/services/ctdbd.if
 new file mode 100644
-index 0000000..3317390
+index 0000000..9146ef1
 --- /dev/null
 +++ b/policy/modules/services/ctdbd.if
-@@ -0,0 +1,236 @@
+@@ -0,0 +1,255 @@
 +
 +## <summary>policy for ctdbd</summary>
 +
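Review bot: The new `/var/ctdb(/.*)?` file context in the ctdbd.fc part of this hunk separates the regex from `gen_context(...)` with spaces, while every neighbouring entry in the file uses tabs, so the column layout no longer lines up. Keep the file consistent by tab-separating it like `/var/ctdbd(/.*)?` on the next line. The regex itself is fine and does not overlap the existing `/var/ctdbd(/.*)?` entry, so only the whitespace needs changing.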
@@ -26523,6 +26575,25 @@ index 0000000..3317390
 +	allow $1 ctdbd_var_run_t:file read_file_perms;
 +')
 +
++#######################################
++## <summary>
++##  Connect to ctdbd over an unix stream socket.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`ctdbd_stream_connect',`
++    gen_require(`
++        type ctdbd_t, ctdbd_var_run_t;
++    ')
++
++    files_search_pids($1)
++    stream_connect_pattern($1, ctdbd_var_run_t, ctdbd_var_run_t, ctdbd_t)
++')
++
 +########################################
 +## <summary>
 +##	All of the rules required to administrate
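Review bot: `ctdbd_stream_connect` lets callers connect to a socket labelled ctdbd_var_run_t, but the ctdbd.te changes in this same patch create the daemon's sock_files in ctdbd_tmp_t and the visible `files_pid_filetrans(ctdbd_t, ctdbd_var_run_t, { dir file })` has no `sock_file` class, so if the control socket is actually created under /tmp this interface will never match it. Confirm where ctdbd places the socket; if it is under /var/run, extend the filetrans to `files_pid_filetrans(ctdbd_t, ctdbd_var_run_t, { dir file sock_file })` and add the matching `manage_sock_files_pattern` there. The new interface is also indented with four spaces where the rest of the module uses tabs, its `###` header rule is one character shorter than the others, and the summary should read `Connect to ctdbd over a unix stream socket.`.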
@@ -26566,10 +26637,10 @@ index 0000000..3317390
 +
 diff --git a/policy/modules/services/ctdbd.te b/policy/modules/services/ctdbd.te
 new file mode 100644
-index 0000000..82ba45e
+index 0000000..09cb39f
 --- /dev/null
 +++ b/policy/modules/services/ctdbd.te
-@@ -0,0 +1,90 @@
+@@ -0,0 +1,114 @@
 +policy_module(ctdbd, 1.0.0)
 +
 +########################################
@@ -26590,7 +26661,8 @@ index 0000000..82ba45e
 +logging_log_file(ctdbd_log_t)
 +
 +type ctdbd_spool_t;
-+files_spool_file(ctdbd_spool_t)
++files_type(ctdbd_spool_t)
++#files_spool_file(ctdbd_spool_t)
 +
 +type ctdbd_tmp_t;
 +files_tmp_file(ctdbd_tmp_t)
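Review bot: The replaced `files_spool_file(ctdbd_spool_t)` is left behind as a commented-out line with no explanation, so a later reader cannot tell whether dropping the spool attribute is a deliberate narrowing or a temporary workaround. Remove the dead line and state the reason next to the declaration, e.g. `# files_type() rather than files_spool_file(): <reason ctdbd_spool_t must not be covered by the generic spool_type interfaces>`. Note that `files_spool_filetrans(ctdbd_t, ctdbd_spool_t, { dir file })` later in the module still works without the attribute, so the change is functionally safe as written.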
@@ -26605,10 +26677,13 @@ index 0000000..82ba45e
 +#
 +# ctdbd local policy
 +#
-+allow ctdbd_t self:capability { chown ipc_lock sys_nice };
++
++allow ctdbd_t self:capability { chown ipc_lock net_admin net_raw sys_nice sys_ptrace };
 +allow ctdbd_t self:process { setpgid signal_perms setsched };
++
 +allow ctdbd_t self:fifo_file rw_fifo_file_perms;
 +allow ctdbd_t self:unix_stream_socket { connectto create_stream_socket_perms };
++allow ctdbd_t self:netlink_route_socket r_netlink_socket_perms;
 +allow ctdbd_t self:packet_socket create_socket_perms;
 +allow ctdbd_t self:tcp_socket create_stream_socket_perms;
 +
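Review bot: `sys_ptrace` is added to ctdbd_t's capability set without any stated need; in practice this capability is usually demanded only because a daemon reads /proc entries of processes owned by other uids, which this module already silences with `domain_dontaudit_read_all_domains_state(ctdbd_t)` further down. Unless ctdbd genuinely ptraces other processes, prefer `dontaudit ctdbd_t self:capability sys_ptrace;` (the same approach this patch keeps for mysqld_safe_t) instead of granting it. `net_admin` and `net_raw` together with the new `netlink_route_socket` rule are consistent with address takeover, but a one-line comment naming that purpose would spare the next reviewer the same question.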
@@ -26616,14 +26691,16 @@ index 0000000..82ba45e
 +manage_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t)
 +logging_log_filetrans(ctdbd_t, ctdbd_log_t, { dir file } )
 +
++manage_files_pattern(ctdbd_t, ctdbd_tmp_t, ctdbd_tmp_t)
 +manage_sock_files_pattern(ctdbd_t, ctdbd_tmp_t, ctdbd_tmp_t)
-+files_tmp_filetrans(ctdbd_t, ctdbd_tmp_t, sock_file)
++files_tmp_filetrans(ctdbd_t, ctdbd_tmp_t, { file sock_file})
 +
 +manage_dirs_pattern(ctdbd_t, ctdbd_spool_t, ctdbd_spool_t)
 +manage_files_pattern(ctdbd_t, ctdbd_spool_t, ctdbd_spool_t)
 +manage_lnk_files_pattern(ctdbd_t, ctdbd_spool_t, ctdbd_spool_t)
 +files_spool_filetrans(ctdbd_t, ctdbd_spool_t, { dir file })
 +
++exec_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
 +manage_dirs_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
 +manage_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
 +files_var_lib_filetrans(ctdbd_t, ctdbd_var_lib_t, { dir file } )
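Review bot: `exec_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)` allows the domain to execute files of a type it can also create and write (`manage_files_pattern` and `files_var_lib_filetrans` on the following lines), so any corruption of the daemon's state directory becomes code the daemon will run. If the intent is the event scripts shipped with ctdb, give them a dedicated executable type (or `bin_t`) in ctdbd.fc and drop the exec permission from the writable type; at minimum add a comment naming the files that require it. The new `files_tmp_filetrans(ctdbd_t, ctdbd_tmp_t, { file sock_file})` should also read `{ file sock_file }` to match the module's spacing.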
@@ -26632,6 +26709,8 @@ index 0000000..82ba45e
 +manage_files_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t)
 +files_pid_filetrans(ctdbd_t, ctdbd_var_run_t, { dir file })
 +
++kernel_read_network_state(ctdbd_t)
++kernel_rw_net_sysctls(ctdbd_t)
 +kernel_read_system_state(ctdbd_t)
 +
 +corenet_tcp_bind_generic_node(ctdbd_t)
@@ -26639,27 +26718,43 @@ index 0000000..82ba45e
 +corecmd_exec_bin(ctdbd_t)
 +corecmd_exec_shell(ctdbd_t)
 +
++dev_read_sysfs(ctdbd_t)
++
 +domain_use_interactive_fds(ctdbd_t)
 +domain_dontaudit_read_all_domains_state(ctdbd_t)
 +
 +files_read_etc_files(ctdbd_t)
-+
-+iptables_domtrans(ctdbd_t)
++files_search_all_mountpoints(ctdbd_t)
 +
 +logging_send_syslog_msg(ctdbd_t)
 +
 +miscfiles_read_localization(ctdbd_t)
 +
-+sysnet_domtrans_ifconfig(ctdbd_t)
 +
 +# corenet_tcp_bind_ctdbd_cache_port(traffic_manager_t)
 +# corenet_tcp_connect_ctdbd_cache_port(traffic_manager_t)
 +
 +optional_policy(`
-+	samba_initrc_domtrans(ctdbd_t)
++	consoletype_exec(ctdbd_t)
++')
++
++optional_policy(`
++	hostname_exec(ctdbd_t)
++')
++
++optional_policy(`
++	iptables_domtrans(ctdbd_t)
 +')
 +
++optional_policy(`
++	samba_initrc_domtrans(ctdbd_t)
++	samba_domtrans_net(ctdbd_t)
++	samba_read_var_files(ctdbd_t)
++')
 +
++optional_policy(`
++	sysnet_domtrans_ifconfig(ctdbd_t)
++')
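Review bot: The two commented-out lines `# corenet_tcp_bind_ctdbd_cache_port(traffic_manager_t)` and `# corenet_tcp_connect_ctdbd_cache_port(traffic_manager_t)` name a domain that does not exist in this module and look like copy-paste residue; either drop them or, if ctdbd must listen on a port, declare it in corenetwork and add the real `corenet_tcp_bind_<port>(ctdbd_t)` rule so that `corenet_tcp_bind_generic_node(ctdbd_t)` above has a port to pair with. Wrapping `iptables_domtrans` and `sysnet_domtrans_ifconfig` in `optional_policy` blocks is the right fix for the build dependency. The doubled blank line after `miscfiles_read_localization(ctdbd_t)` can go.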
 diff --git a/policy/modules/services/cups.fc b/policy/modules/services/cups.fc
 index 1b492ed..c79454d 100644
 --- a/policy/modules/services/cups.fc
@@ -37212,7 +37307,7 @@ index e9c0982..14af30a 100644
 +	mysql_stream_connect($1)
  ')
 diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
-index 0a0d63c..a02ffc9 100644
+index 0a0d63c..91de41a 100644
 --- a/policy/modules/services/mysql.te
 +++ b/policy/modules/services/mysql.te
 @@ -6,9 +6,9 @@ policy_module(mysql, 1.12.0)
@@ -37242,7 +37337,7 @@ index 0a0d63c..a02ffc9 100644
  allow mysqld_t mysqld_etc_t:dir list_dir_perms;
  
  allow mysqld_t mysqld_log_t:file manage_file_perms;
-@@ -78,12 +79,17 @@ manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
+@@ -78,13 +79,17 @@ manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
  manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
  files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir })
  
@@ -37254,14 +37349,14 @@ index 0a0d63c..a02ffc9 100644
  
  kernel_read_system_state(mysqld_t)
  kernel_read_kernel_sysctls(mysqld_t)
-+kernel_request_load_module(mysqld_t)
-+
+ 
 +corecmd_exec_bin(mysqld_t)
 +corecmd_exec_shell(mysqld_t)
- 
++
  corenet_all_recvfrom_unlabeled(mysqld_t)
  corenet_all_recvfrom_netlabel(mysqld_t)
-@@ -127,8 +133,7 @@ userdom_dontaudit_use_unpriv_user_fds(mysqld_t)
+ corenet_tcp_sendrecv_generic_if(mysqld_t)
+@@ -127,8 +132,7 @@ userdom_dontaudit_use_unpriv_user_fds(mysqld_t)
  userdom_read_user_home_content_files(mysqld_t)
  
  ifdef(`distro_redhat',`
@@ -37271,7 +37366,7 @@ index 0a0d63c..a02ffc9 100644
  ')
  
  tunable_policy(`mysql_connect_any',`
-@@ -155,6 +160,7 @@ optional_policy(`
+@@ -155,6 +159,7 @@ optional_policy(`
  
  allow mysqld_safe_t self:capability { chown dac_override fowner kill };
  dontaudit mysqld_safe_t self:capability sys_ptrace;
@@ -37279,7 +37374,7 @@ index 0a0d63c..a02ffc9 100644
  allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
  
  read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
-@@ -175,21 +181,27 @@ dev_list_sysfs(mysqld_safe_t)
+@@ -175,21 +180,27 @@ dev_list_sysfs(mysqld_safe_t)
  
  domain_read_all_domains_state(mysqld_safe_t)
  
@@ -40900,7 +40995,7 @@ index 46bee12..9e2714e 100644
 +	')
 +')
 diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
-index a32c4b3..3f5751c 100644
+index a32c4b3..d60a654 100644
 --- a/policy/modules/services/postfix.te
 +++ b/policy/modules/services/postfix.te
 @@ -5,6 +5,14 @@ policy_module(postfix, 1.12.1)
@@ -41128,7 +41223,17 @@ index a32c4b3..3f5751c 100644
  allow postfix_pickup_t self:tcp_socket create_socket_perms;
  
  stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t)
-@@ -385,13 +435,16 @@ allow postfix_pickup_t postfix_spool_maildrop_t:dir list_dir_perms;
+@@ -379,19 +429,26 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p
+ rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
+ rw_sock_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
+ 
++allow postfix_pickup_t postfix_spool_t:dir list_dir_perms;
++read_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
++delete_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
++
+ postfix_list_spool(postfix_pickup_t)
+ 
+ allow postfix_pickup_t postfix_spool_maildrop_t:dir list_dir_perms;
  read_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
  delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
  
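Review bot: postfix_pickup_t gains `read_files_pattern` and `delete_files_pattern` on postfix_spool_t, the catch-all label under /var/spool/postfix, whereas before this hunk its read/delete access was confined to postfix_spool_maildrop_t. If the motivation is files that ended up mislabelled in the maildrop directory, fixing the labelling is the narrower change; if generic spool files really must be removed by pickup, add a comment saying which ones so the widening is deliberate. The new `allow postfix_pickup_t postfix_spool_t:dir list_dir_perms;` also looks redundant with the existing `postfix_list_spool(postfix_pickup_t)` two lines below.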
@@ -41146,7 +41251,7 @@ index a32c4b3..3f5751c 100644
  
  write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
  
-@@ -401,6 +454,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
+@@ -401,6 +458,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
  
  domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
  
@@ -41155,7 +41260,7 @@ index a32c4b3..3f5751c 100644
  optional_policy(`
  	dovecot_domtrans_deliver(postfix_pipe_t)
  ')
-@@ -420,6 +475,7 @@ optional_policy(`
+@@ -420,6 +479,7 @@ optional_policy(`
  
  optional_policy(`
  	spamassassin_domtrans_client(postfix_pipe_t)
@@ -41163,7 +41268,7 @@ index a32c4b3..3f5751c 100644
  ')
  
  optional_policy(`
-@@ -436,11 +492,17 @@ allow postfix_postdrop_t self:capability sys_resource;
+@@ -436,11 +496,17 @@ allow postfix_postdrop_t self:capability sys_resource;
  allow postfix_postdrop_t self:tcp_socket create;
  allow postfix_postdrop_t self:udp_socket create_socket_perms;
  
@@ -41181,7 +41286,7 @@ index a32c4b3..3f5751c 100644
  corenet_udp_sendrecv_generic_if(postfix_postdrop_t)
  corenet_udp_sendrecv_generic_node(postfix_postdrop_t)
  
-@@ -487,8 +549,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t
+@@ -487,8 +553,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t
  domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
  
  # to write the mailq output, it really should not need read access!
@@ -41192,7 +41297,7 @@ index a32c4b3..3f5751c 100644
  
  init_sigchld_script(postfix_postqueue_t)
  init_use_script_fds(postfix_postqueue_t)
-@@ -507,6 +569,8 @@ optional_policy(`
+@@ -507,6 +573,8 @@ optional_policy(`
  # Postfix qmgr local policy
  #
  
@@ -41201,7 +41306,7 @@ index a32c4b3..3f5751c 100644
  stream_connect_pattern(postfix_qmgr_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
  
  rw_fifo_files_pattern(postfix_qmgr_t, postfix_public_t, postfix_public_t)
-@@ -519,7 +583,10 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
+@@ -519,7 +587,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
  
  allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
  allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
@@ -41209,11 +41314,12 @@ index a32c4b3..3f5751c 100644
 +allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file read_lnk_file_perms;
 +
 +manage_files_pattern(postfix_qmgr_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
++manage_dirs_pattern(postfix_qmgr_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
 +allow postfix_qmgr_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
  
  corecmd_exec_bin(postfix_qmgr_t)
  
-@@ -539,7 +606,9 @@ postfix_list_spool(postfix_showq_t)
+@@ -539,7 +611,9 @@ postfix_list_spool(postfix_showq_t)
  
  allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
  allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
@@ -41224,7 +41330,7 @@ index a32c4b3..3f5751c 100644
  
  # to write the mailq output, it really should not need read access!
  term_use_all_ptys(postfix_showq_t)
-@@ -565,6 +634,10 @@ optional_policy(`
+@@ -565,6 +639,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -41235,7 +41341,7 @@ index a32c4b3..3f5751c 100644
  	milter_stream_connect_all(postfix_smtp_t)
  ')
  
-@@ -588,10 +661,16 @@ corecmd_exec_bin(postfix_smtpd_t)
+@@ -588,10 +666,16 @@ corecmd_exec_bin(postfix_smtpd_t)
  
  # for OpenSSL certificates
  files_read_usr_files(postfix_smtpd_t)
@@ -41252,7 +41358,7 @@ index a32c4b3..3f5751c 100644
  ')
  
  optional_policy(`
-@@ -611,8 +690,8 @@ optional_policy(`
+@@ -611,8 +695,8 @@ optional_policy(`
  # Postfix virtual local policy
  #
  
@@ -41262,7 +41368,7 @@ index a32c4b3..3f5751c 100644
  
  allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
  
-@@ -630,3 +709,8 @@ mta_delete_spool(postfix_virtual_t)
+@@ -630,3 +714,8 @@ mta_delete_spool(postfix_virtual_t)
  # For reading spamassasin
  mta_read_config(postfix_virtual_t)
  mta_manage_spool(postfix_virtual_t)
@@ -42193,7 +42299,7 @@ index bc329d1..0589f97 100644
  	admin_pattern($1, psad_tmp_t)
  ')
 diff --git a/policy/modules/services/psad.te b/policy/modules/services/psad.te
-index d4000e0..312e537 100644
+index d4000e0..f35afa4 100644
 --- a/policy/modules/services/psad.te
 +++ b/policy/modules/services/psad.te
 @@ -11,7 +11,7 @@ init_daemon_domain(psad_t, psad_exec_t)
@@ -42205,6 +42311,15 @@ index d4000e0..312e537 100644
  
  type psad_initrc_exec_t;
  init_script_file(psad_initrc_exec_t)
+@@ -39,7 +39,7 @@ files_tmp_file(psad_tmp_t)
+ 
+ allow psad_t self:capability { net_admin net_raw setuid setgid dac_override };
+ dontaudit psad_t self:capability sys_tty_config;
+-allow psad_t self:process signull;
++allow psad_t self:process signal_perms;
+ allow psad_t self:fifo_file rw_fifo_file_perms;
+ allow psad_t self:rawip_socket create_socket_perms;
+ 
 @@ -53,9 +53,10 @@ manage_dirs_pattern(psad_t, psad_var_log_t, psad_var_log_t)
  logging_log_filetrans(psad_t, psad_var_log_t, { file dir })
  
@@ -43806,7 +43921,7 @@ index 7dc38d1..9c2c963 100644
 +	admin_pattern($1, rgmanager_var_run_t)
 +')
 diff --git a/policy/modules/services/rgmanager.te b/policy/modules/services/rgmanager.te
-index 00fa514..034544f 100644
+index 00fa514..9e237a7 100644
 --- a/policy/modules/services/rgmanager.te
 +++ b/policy/modules/services/rgmanager.te
 @@ -6,17 +6,19 @@ policy_module(rgmanager, 1.0.0)
@@ -43866,7 +43981,7 @@ index 00fa514..034544f 100644
  
  # need to write to /dev/misc/dlm-control
  dev_rw_dlm_control(rgmanager_t)
-@@ -78,18 +82,22 @@ domain_read_all_domains_state(rgmanager_t)
+@@ -78,29 +82,35 @@ domain_read_all_domains_state(rgmanager_t)
  domain_getattr_all_domains(rgmanager_t)
  domain_dontaudit_ptrace_all_domains(rgmanager_t)
  
@@ -43891,7 +44006,12 @@ index 00fa514..034544f 100644
  
  # needed by resources scripts
  auth_read_all_files_except_shadow(rgmanager_t)
-@@ -100,7 +108,7 @@ logging_send_syslog_msg(rgmanager_t)
+ auth_dontaudit_getattr_shadow(rgmanager_t)
+ auth_use_nsswitch(rgmanager_t)
+ 
++init_domtrans_script(rgmanager_t)
++
+ logging_send_syslog_msg(rgmanager_t)
  
  miscfiles_read_localization(rgmanager_t)
  
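Review bot: `init_domtrans_script(rgmanager_t)` lets the cluster manager transition into the init script domain, which on a targeted policy is a large step up in privilege, and nothing in the hunk says why it is needed. Following the `# needed by resources scripts` wording already used for the auth rules above, add a line such as `# resource agents start and stop services through their init scripts` (or the actual reason) directly above the call. The rgmanager_t policy block continues outside this hunk.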
@@ -43900,7 +44020,7 @@ index 00fa514..034544f 100644
  
  tunable_policy(`rgmanager_can_network_connect',`
  	corenet_tcp_connect_all_ports(rgmanager_t)
-@@ -118,6 +126,14 @@ optional_policy(`
+@@ -118,6 +128,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -43915,7 +44035,7 @@ index 00fa514..034544f 100644
  	fstools_domtrans(rgmanager_t)
  ')
  
-@@ -140,6 +156,15 @@ optional_policy(`
+@@ -140,6 +158,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -43931,7 +44051,7 @@ index 00fa514..034544f 100644
  	mysql_domtrans_mysql_safe(rgmanager_t)
  	mysql_stream_connect(rgmanager_t)
  ')
-@@ -193,9 +218,9 @@ optional_policy(`
+@@ -193,9 +220,9 @@ optional_policy(`
  	virt_stream_connect(rgmanager_t)
  ')
  
@@ -46364,7 +46484,7 @@ index 82cb169..9e72970 100644
 +	admin_pattern($1, samba_unconfined_script_exec_t)
  ')
 diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
-index e30bb63..941f823 100644
+index e30bb63..fdfa9bf 100644
 --- a/policy/modules/services/samba.te
 +++ b/policy/modules/services/samba.te
 @@ -152,9 +152,6 @@ domain_entry_file(winbind_helper_t, winbind_helper_exec_t)
@@ -46461,7 +46581,17 @@ index e30bb63..941f823 100644
  ')
  
  # Support Samba sharing of NFS mount points
-@@ -445,8 +442,8 @@ optional_policy(`
+@@ -410,6 +407,9 @@ tunable_policy(`samba_share_fusefs',`
+ 	fs_search_fusefs(smbd_t)
+ ')
+ 
++optional_policy(`
++	ctdbd_stream_connect(smbd_t)
++')
+ 
+ optional_policy(`
+ 	cups_read_rw_config(smbd_t)
+@@ -445,8 +445,8 @@ optional_policy(`
  tunable_policy(`samba_create_home_dirs',`
  	allow smbd_t self:capability chown;
  	userdom_create_user_home_dirs(smbd_t)
@@ -46471,7 +46601,7 @@ index e30bb63..941f823 100644
  
  tunable_policy(`samba_export_all_ro',`
  	fs_read_noxattr_fs_files(smbd_t) 
-@@ -462,8 +459,8 @@ tunable_policy(`samba_export_all_rw',`
+@@ -462,8 +462,8 @@ tunable_policy(`samba_export_all_rw',`
  	auth_manage_all_files_except_shadow(smbd_t)
  	fs_read_noxattr_fs_files(nmbd_t) 
  	auth_manage_all_files_except_shadow(nmbd_t)
@@ -46481,7 +46611,7 @@ index e30bb63..941f823 100644
  
  ########################################
  #
-@@ -484,8 +481,9 @@ allow nmbd_t self:udp_socket create_socket_perms;
+@@ -484,8 +484,9 @@ allow nmbd_t self:udp_socket create_socket_perms;
  allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
  allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
  
@@ -46492,7 +46622,7 @@ index e30bb63..941f823 100644
  
  read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
  read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
-@@ -560,13 +558,13 @@ allow smbcontrol_t self:fifo_file rw_file_perms;
+@@ -560,13 +561,13 @@ allow smbcontrol_t self:fifo_file rw_file_perms;
  allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms;
  
  allow smbcontrol_t nmbd_t:process { signal signull };
@@ -46510,7 +46640,7 @@ index e30bb63..941f823 100644
  samba_read_config(smbcontrol_t)
  samba_rw_var_files(smbcontrol_t)
  samba_search_var(smbcontrol_t)
-@@ -578,7 +576,7 @@ files_read_etc_files(smbcontrol_t)
+@@ -578,7 +579,7 @@ files_read_etc_files(smbcontrol_t)
  
  miscfiles_read_localization(smbcontrol_t)
  
@@ -46519,7 +46649,7 @@ index e30bb63..941f823 100644
  
  ########################################
  #
-@@ -644,19 +642,21 @@ auth_use_nsswitch(smbmount_t)
+@@ -644,19 +645,21 @@ auth_use_nsswitch(smbmount_t)
  
  miscfiles_read_localization(smbmount_t)
  
@@ -46544,7 +46674,7 @@ index e30bb63..941f823 100644
  ########################################
  #
  # SWAT Local policy
-@@ -677,7 +677,7 @@ samba_domtrans_nmbd(swat_t)
+@@ -677,7 +680,7 @@ samba_domtrans_nmbd(swat_t)
  allow swat_t nmbd_t:process { signal signull };
  allow nmbd_t swat_t:process signal;
  
@@ -46553,7 +46683,7 @@ index e30bb63..941f823 100644
  
  allow swat_t smbd_port_t:tcp_socket name_bind;
  
-@@ -692,12 +692,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
+@@ -692,12 +695,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
  manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t)
  
  manage_files_pattern(swat_t, samba_var_t, samba_var_t)
@@ -46568,7 +46698,7 @@ index e30bb63..941f823 100644
  
  manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
  manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -710,6 +712,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
+@@ -710,6 +715,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
  domtrans_pattern(swat_t, winbind_exec_t, winbind_t)
  allow swat_t winbind_t:process { signal signull };
  
@@ -46576,7 +46706,7 @@ index e30bb63..941f823 100644
  allow swat_t winbind_var_run_t:dir { write add_name remove_name };
  allow swat_t winbind_var_run_t:sock_file { create unlink };
  
-@@ -754,6 +757,8 @@ logging_search_logs(swat_t)
+@@ -754,6 +760,8 @@ logging_search_logs(swat_t)
  
  miscfiles_read_localization(swat_t)
  
@@ -46585,7 +46715,7 @@ index e30bb63..941f823 100644
  optional_policy(`
  	cups_read_rw_config(swat_t)
  	cups_stream_connect(swat_t)
-@@ -806,15 +811,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
+@@ -806,15 +814,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
  allow winbind_t winbind_log_t:file manage_file_perms;
  logging_log_filetrans(winbind_t, winbind_log_t, file)
  
@@ -46607,7 +46737,7 @@ index e30bb63..941f823 100644
  kernel_read_kernel_sysctls(winbind_t)
  kernel_read_system_state(winbind_t)
  
-@@ -833,6 +839,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
+@@ -833,6 +842,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
  corenet_tcp_bind_generic_node(winbind_t)
  corenet_udp_bind_generic_node(winbind_t)
  corenet_tcp_connect_smbd_port(winbind_t)
@@ -46615,7 +46745,7 @@ index e30bb63..941f823 100644
  corenet_tcp_connect_epmap_port(winbind_t)
  corenet_tcp_connect_all_unreserved_ports(winbind_t)
  
-@@ -904,7 +911,7 @@ logging_send_syslog_msg(winbind_helper_t)
+@@ -904,7 +914,7 @@ logging_send_syslog_msg(winbind_helper_t)
  
  miscfiles_read_localization(winbind_helper_t) 
  
@@ -46624,7 +46754,7 @@ index e30bb63..941f823 100644
  
  optional_policy(`
  	apache_append_log(winbind_helper_t)
-@@ -922,6 +929,18 @@ optional_policy(`
+@@ -922,6 +932,18 @@ optional_policy(`
  #
  
  optional_policy(`
@@ -46643,7 +46773,7 @@ index e30bb63..941f823 100644
  	type samba_unconfined_script_t;
  	type samba_unconfined_script_exec_t;
  	domain_type(samba_unconfined_script_t)
-@@ -932,9 +951,12 @@ optional_policy(`
+@@ -932,9 +954,12 @@ optional_policy(`
  	allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
  	allow smbd_t samba_unconfined_script_exec_t:file ioctl;
  
@@ -50804,7 +50934,7 @@ index 7c5d8d8..59ba27c 100644
 +	dontaudit $1 virt_image_type:chr_file read_chr_file_perms;
  ')
 diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..ae4a925 100644
+index 3eca020..6182880 100644
 --- a/policy/modules/services/virt.te
 +++ b/policy/modules/services/virt.te
 @@ -5,56 +5,67 @@ policy_module(virt, 1.4.0)
@@ -51039,8 +51169,9 @@ index 3eca020..ae4a925 100644
 +')
  
 -allow virtd_t self:fifo_file rw_fifo_file_perms;
+-allow virtd_t self:unix_stream_socket create_stream_socket_perms;
 +allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
- allow virtd_t self:unix_stream_socket create_stream_socket_perms;
++allow virtd_t self:unix_stream_socket { connectto create_stream_socket_perms };
  allow virtd_t self:tcp_socket create_stream_socket_perms;
  allow virtd_t self:tun_socket create_socket_perms;
 +allow virtd_t self:rawip_socket create_socket_perms;
@@ -53090,7 +53221,7 @@ index 130ced9..10b57e0 100644
 +	userdom_admin_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")
 +')
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 143c893..0ad8e41 100644
+index 143c893..d293052 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
 @@ -26,27 +26,50 @@ gen_require(`
@@ -53632,7 +53763,7 @@ index 143c893..0ad8e41 100644
  
  storage_dontaudit_read_fixed_disk(xdm_t)
  storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -446,28 +629,36 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -446,28 +629,37 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
  storage_dontaudit_raw_write_removable_device(xdm_t)
  storage_dontaudit_setattr_removable_dev(xdm_t)
  storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -53640,6 +53771,7 @@ index 143c893..0ad8e41 100644
  
  term_setattr_console(xdm_t)
 +term_use_console(xdm_t)
++term_use_virtio_console(xdm_t)
  term_use_unallocated_ttys(xdm_t)
  term_setattr_unallocated_ttys(xdm_t)
 +term_relabel_all_ttys(xdm_t)
@@ -53671,7 +53803,7 @@ index 143c893..0ad8e41 100644
  
  userdom_dontaudit_use_unpriv_user_fds(xdm_t)
  userdom_create_all_users_keys(xdm_t)
-@@ -476,9 +667,30 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -476,9 +668,30 @@ userdom_read_user_home_content_files(xdm_t)
  # Search /proc for any user domain processes.
  userdom_read_all_users_state(xdm_t)
  userdom_signal_all_users(xdm_t)
@@ -53702,7 +53834,7 @@ index 143c893..0ad8e41 100644
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xdm_t)
-@@ -494,6 +706,14 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -494,6 +707,14 @@ tunable_policy(`use_samba_home_dirs',`
  	fs_exec_cifs_files(xdm_t)
  ')
  
@@ -53717,7 +53849,7 @@ index 143c893..0ad8e41 100644
  tunable_policy(`xdm_sysadm_login',`
  	userdom_xsession_spec_domtrans_all_users(xdm_t)
  	# FIXME:
-@@ -507,11 +727,21 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -507,11 +728,21 @@ tunable_policy(`xdm_sysadm_login',`
  ')
  
  optional_policy(`
@@ -53739,7 +53871,7 @@ index 143c893..0ad8e41 100644
  ')
  
  optional_policy(`
-@@ -519,12 +749,62 @@ optional_policy(`
+@@ -519,12 +750,62 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -53802,7 +53934,7 @@ index 143c893..0ad8e41 100644
  	hostname_exec(xdm_t)
  ')
  
-@@ -542,28 +822,70 @@ optional_policy(`
+@@ -542,28 +823,70 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -53882,7 +54014,7 @@ index 143c893..0ad8e41 100644
  ')
  
  optional_policy(`
-@@ -575,6 +897,14 @@ optional_policy(`
+@@ -575,6 +898,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -53897,7 +54029,7 @@ index 143c893..0ad8e41 100644
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -599,7 +929,7 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -599,7 +930,7 @@ allow xserver_t input_xevent_t:x_event send;
  # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
@@ -53906,7 +54038,7 @@ index 143c893..0ad8e41 100644
  dontaudit xserver_t self:capability chown;
  allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow xserver_t self:fd use;
-@@ -613,8 +943,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -613,8 +944,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -53922,7 +54054,7 @@ index 143c893..0ad8e41 100644
  manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -633,12 +970,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -633,12 +971,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -53944,7 +54076,7 @@ index 143c893..0ad8e41 100644
  
  kernel_read_system_state(xserver_t)
  kernel_read_device_sysctls(xserver_t)
-@@ -646,6 +990,7 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -646,6 +991,7 @@ kernel_read_modprobe_sysctls(xserver_t)
  # Xorg wants to check if kernel is tainted
  kernel_read_kernel_sysctls(xserver_t)
  kernel_write_proc_files(xserver_t)
@@ -53952,7 +54084,7 @@ index 143c893..0ad8e41 100644
  
  # Run helper programs in xserver_t.
  corecmd_exec_bin(xserver_t)
-@@ -672,7 +1017,6 @@ dev_rw_apm_bios(xserver_t)
+@@ -672,7 +1018,6 @@ dev_rw_apm_bios(xserver_t)
  dev_rw_agp(xserver_t)
  dev_rw_framebuffer(xserver_t)
  dev_manage_dri_dev(xserver_t)
@@ -53960,7 +54092,7 @@ index 143c893..0ad8e41 100644
  dev_create_generic_dirs(xserver_t)
  dev_setattr_generic_dirs(xserver_t)
  # raw memory access is needed if not using the frame buffer
-@@ -682,11 +1026,17 @@ dev_wx_raw_memory(xserver_t)
+@@ -682,11 +1027,17 @@ dev_wx_raw_memory(xserver_t)
  dev_rw_xserver_misc(xserver_t)
  # read events - the synaptics touchpad driver reads raw events
  dev_rw_input_dev(xserver_t)
@@ -53978,7 +54110,7 @@ index 143c893..0ad8e41 100644
  
  # brought on by rhgb
  files_search_mnt(xserver_t)
-@@ -697,8 +1047,13 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -697,8 +1048,13 @@ fs_getattr_xattr_fs(xserver_t)
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -53992,7 +54124,7 @@ index 143c893..0ad8e41 100644
  
  selinux_validate_context(xserver_t)
  selinux_compute_access_vector(xserver_t)
-@@ -711,8 +1066,6 @@ init_getpgid(xserver_t)
+@@ -711,8 +1067,6 @@ init_getpgid(xserver_t)
  term_setattr_unallocated_ttys(xserver_t)
  term_use_unallocated_ttys(xserver_t)
  
@@ -54001,7 +54133,7 @@ index 143c893..0ad8e41 100644
  locallogin_use_fds(xserver_t)
  
  logging_send_syslog_msg(xserver_t)
-@@ -720,11 +1073,12 @@ logging_send_audit_msgs(xserver_t)
+@@ -720,11 +1074,12 @@ logging_send_audit_msgs(xserver_t)
  
  miscfiles_read_localization(xserver_t)
  miscfiles_read_fonts(xserver_t)
@@ -54016,7 +54148,7 @@ index 143c893..0ad8e41 100644
  
  userdom_search_user_home_dirs(xserver_t)
  userdom_use_user_ttys(xserver_t)
-@@ -778,16 +1132,36 @@ optional_policy(`
+@@ -778,16 +1133,36 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -54054,7 +54186,7 @@ index 143c893..0ad8e41 100644
  	unconfined_domtrans(xserver_t)
  ')
  
-@@ -796,6 +1170,10 @@ optional_policy(`
+@@ -796,6 +1171,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -54065,7 +54197,7 @@ index 143c893..0ad8e41 100644
  	xfs_stream_connect(xserver_t)
  ')
  
-@@ -811,10 +1189,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -811,10 +1190,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
  
  # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
  # handle of a file inside the dir!!!
@@ -54079,7 +54211,7 @@ index 143c893..0ad8e41 100644
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -822,7 +1200,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -822,7 +1201,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  
  # Run xkbcomp.
@@ -54088,7 +54220,7 @@ index 143c893..0ad8e41 100644
  can_exec(xserver_t, xkb_var_lib_t)
  
  # VNC v4 module in X server
-@@ -835,6 +1213,9 @@ init_use_fds(xserver_t)
+@@ -835,6 +1214,9 @@ init_use_fds(xserver_t)
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -54098,7 +54230,7 @@ index 143c893..0ad8e41 100644
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xserver_t)
-@@ -842,6 +1223,11 @@ tunable_policy(`use_nfs_home_dirs',`
+@@ -842,6 +1224,11 @@ tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_symlinks(xserver_t)
  ')
  
@@ -54110,7 +54242,7 @@ index 143c893..0ad8e41 100644
  tunable_policy(`use_samba_home_dirs',`
  	fs_manage_cifs_dirs(xserver_t)
  	fs_manage_cifs_files(xserver_t)
-@@ -850,11 +1236,14 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -850,11 +1237,14 @@ tunable_policy(`use_samba_home_dirs',`
  
  optional_policy(`
  	dbus_system_bus_client(xserver_t)
@@ -54127,7 +54259,7 @@ index 143c893..0ad8e41 100644
  ')
  
  optional_policy(`
-@@ -862,6 +1251,10 @@ optional_policy(`
+@@ -862,6 +1252,10 @@ optional_policy(`
  	rhgb_rw_tmpfs_files(xserver_t)
  ')
  
@@ -54138,7 +54270,7 @@ index 143c893..0ad8e41 100644
  ########################################
  #
  # Rules common to all X window domains
-@@ -905,7 +1298,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -905,7 +1299,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
  allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
  # operations allowed on my windows
  allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -54147,7 +54279,7 @@ index 143c893..0ad8e41 100644
  # operations allowed on all windows
  allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
  
-@@ -959,11 +1352,31 @@ allow x_domain self:x_resource { read write };
+@@ -959,11 +1353,31 @@ allow x_domain self:x_resource { read write };
  # can mess with the screensaver
  allow x_domain xserver_t:x_screen { getattr saver_getattr };
  
@@ -54179,7 +54311,7 @@ index 143c893..0ad8e41 100644
  tunable_policy(`! xserver_object_manager',`
  	# should be xserver_unconfined(x_domain),
  	# but typeattribute doesnt work in conditionals
-@@ -985,18 +1398,32 @@ tunable_policy(`! xserver_object_manager',`
+@@ -985,18 +1399,32 @@ tunable_policy(`! xserver_object_manager',`
  	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
  ')
  
@@ -56197,7 +56329,7 @@ index 94fd8dd..0d7aa40 100644
 +	read_fifo_files_pattern($1, initrc_var_run_t, initrc_var_run_t)
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 29a9565..308297d 100644
+index 29a9565..fcf5d6c 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -16,6 +16,34 @@ gen_require(`
@@ -56372,7 +56504,7 @@ index 29a9565..308297d 100644
  	corecmd_shell_domtrans(init_t, initrc_t)
  ',`
  	# Run the shell in the sysadm role for single-user mode.
-@@ -186,12 +244,129 @@ tunable_policy(`init_upstart',`
+@@ -186,12 +244,131 @@ tunable_policy(`init_upstart',`
  	sysadm_shell_domtrans(init_t)
  ')
  
@@ -56426,6 +56558,8 @@ index 29a9565..308297d 100644
 +	files_relabel_all_pid_files(init_t)
 +	files_create_all_pid_sockets(init_t)
 +	files_delete_all_pid_sockets(init_t)
++	files_create_all_pid_pipes(init_t)
++	files_delete_all_pid_pipes(init_t)
 +	files_create_all_spool_sockets(init_t)
 +	files_delete_all_spool_sockets(init_t)
 +	files_manage_urandom_seed(init_t)
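Review bot: `files_create_all_pid_pipes(init_t)` and `files_delete_all_pid_pipes(init_t)` are not defined in any hunk visible here, so unless files.if gains them elsewhere in this patch the policy build stops on an undefined interface. The grant is also wide — init_t may create and unlink named pipes of every pid-labelled type — which is in line with the neighbouring socket rules but deserves a one-line comment naming which systemd behaviour needs pipes under pid directories, e.g. `# systemd creates/removes fifos in pid dirs` (reason inferred from the surrounding init_t rules; confirm). The enclosing block starts and ends outside the hunk.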
@@ -56502,7 +56636,7 @@ index 29a9565..308297d 100644
  ')
  
  optional_policy(`
-@@ -199,10 +374,26 @@ optional_policy(`
+@@ -199,10 +376,26 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -56529,7 +56663,7 @@ index 29a9565..308297d 100644
  	unconfined_domain(init_t)
  ')
  
-@@ -212,7 +403,7 @@ optional_policy(`
+@@ -212,7 +405,7 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -56538,7 +56672,7 @@ index 29a9565..308297d 100644
  dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
-@@ -241,12 +432,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -241,12 +434,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -56554,7 +56688,7 @@ index 29a9565..308297d 100644
  
  init_write_initctl(initrc_t)
  
-@@ -258,20 +452,32 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -258,20 +454,32 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -56591,7 +56725,7 @@ index 29a9565..308297d 100644
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -279,6 +485,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -279,6 +487,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
  
  dev_read_rand(initrc_t)
  dev_read_urand(initrc_t)
@@ -56599,7 +56733,7 @@ index 29a9565..308297d 100644
  dev_write_kmsg(initrc_t)
  dev_write_rand(initrc_t)
  dev_write_urand(initrc_t)
-@@ -289,8 +496,10 @@ dev_write_framebuffer(initrc_t)
+@@ -289,8 +498,10 @@ dev_write_framebuffer(initrc_t)
  dev_read_realtime_clock(initrc_t)
  dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
@@ -56610,7 +56744,7 @@ index 29a9565..308297d 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -298,13 +507,14 @@ dev_manage_generic_files(initrc_t)
+@@ -298,13 +509,14 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -56627,7 +56761,7 @@ index 29a9565..308297d 100644
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
-@@ -316,6 +526,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -316,6 +528,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -56635,7 +56769,7 @@ index 29a9565..308297d 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -323,8 +534,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -323,8 +536,10 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -56647,7 +56781,7 @@ index 29a9565..308297d 100644
  files_delete_all_pids(initrc_t)
  files_delete_all_pid_dirs(initrc_t)
  files_read_etc_files(initrc_t)
-@@ -340,8 +553,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -340,8 +555,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -56661,7 +56795,7 @@ index 29a9565..308297d 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -351,6 +568,8 @@ fs_mount_all_fs(initrc_t)
+@@ -351,6 +570,8 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -56670,7 +56804,7 @@ index 29a9565..308297d 100644
  
  # initrc_t needs to do a pidof which requires ptrace
  mcs_ptrace_all(initrc_t)
-@@ -363,6 +582,7 @@ mls_process_read_up(initrc_t)
+@@ -363,6 +584,7 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -56678,7 +56812,7 @@ index 29a9565..308297d 100644
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -374,6 +594,7 @@ term_use_all_terms(initrc_t)
+@@ -374,6 +596,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -56686,7 +56820,7 @@ index 29a9565..308297d 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -394,18 +615,17 @@ logging_read_audit_config(initrc_t)
+@@ -394,18 +617,17 @@ logging_read_audit_config(initrc_t)
  
  miscfiles_read_localization(initrc_t)
  # slapd needs to read cert files from its initscript
@@ -56708,7 +56842,7 @@ index 29a9565..308297d 100644
  
  ifdef(`distro_debian',`
  	dev_setattr_generic_dirs(initrc_t)
-@@ -458,6 +678,10 @@ ifdef(`distro_gentoo',`
+@@ -458,6 +680,10 @@ ifdef(`distro_gentoo',`
  	sysnet_setattr_config(initrc_t)
  
  	optional_policy(`
@@ -56719,7 +56853,7 @@ index 29a9565..308297d 100644
  		alsa_read_lib(initrc_t)
  	')
  
-@@ -478,7 +702,7 @@ ifdef(`distro_redhat',`
+@@ -478,7 +704,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -56728,7 +56862,7 @@ index 29a9565..308297d 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -493,6 +717,7 @@ ifdef(`distro_redhat',`
+@@ -493,6 +719,7 @@ ifdef(`distro_redhat',`
  	files_create_boot_dirs(initrc_t)
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
@@ -56736,7 +56870,7 @@ index 29a9565..308297d 100644
  	# wants to read /.fonts directory
  	files_read_default_files(initrc_t)
  	files_mountpoint(initrc_tmp_t)
-@@ -522,8 +747,33 @@ ifdef(`distro_redhat',`
+@@ -522,8 +749,33 @@ ifdef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -56770,7 +56904,7 @@ index 29a9565..308297d 100644
  	')
  
  	optional_policy(`
-@@ -531,10 +781,26 @@ ifdef(`distro_redhat',`
+@@ -531,10 +783,26 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -56797,7 +56931,7 @@ index 29a9565..308297d 100644
  	')
  
  	optional_policy(`
-@@ -549,6 +815,39 @@ ifdef(`distro_suse',`
+@@ -549,6 +817,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -56837,7 +56971,7 @@ index 29a9565..308297d 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -561,6 +860,8 @@ optional_policy(`
+@@ -561,6 +862,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -56846,7 +56980,7 @@ index 29a9565..308297d 100644
  ')
  
  optional_policy(`
-@@ -577,6 +878,7 @@ optional_policy(`
+@@ -577,6 +880,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -56854,7 +56988,7 @@ index 29a9565..308297d 100644
  ')
  
  optional_policy(`
-@@ -589,6 +891,11 @@ optional_policy(`
+@@ -589,6 +893,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -56866,7 +57000,7 @@ index 29a9565..308297d 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -605,9 +912,13 @@ optional_policy(`
+@@ -605,9 +914,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -56880,7 +57014,7 @@ index 29a9565..308297d 100644
  	')
  
  	optional_policy(`
-@@ -649,6 +960,11 @@ optional_policy(`
+@@ -649,6 +962,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -56892,7 +57026,7 @@ index 29a9565..308297d 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -689,6 +1005,7 @@ optional_policy(`
+@@ -689,6 +1007,7 @@ optional_policy(`
  	lpd_list_spool(initrc_t)
  
  	lpd_read_config(initrc_t)
@@ -56900,7 +57034,7 @@ index 29a9565..308297d 100644
  ')
  
  optional_policy(`
-@@ -706,7 +1023,13 @@ optional_policy(`
+@@ -706,7 +1025,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -56914,7 +57048,7 @@ index 29a9565..308297d 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -729,6 +1052,10 @@ optional_policy(`
+@@ -729,6 +1054,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -56925,7 +57059,7 @@ index 29a9565..308297d 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -738,10 +1065,20 @@ optional_policy(`
+@@ -738,10 +1067,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -56946,7 +57080,7 @@ index 29a9565..308297d 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -750,6 +1087,10 @@ optional_policy(`
+@@ -750,6 +1089,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -56957,7 +57091,7 @@ index 29a9565..308297d 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -771,8 +1112,6 @@ optional_policy(`
+@@ -771,8 +1114,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -56966,7 +57100,7 @@ index 29a9565..308297d 100644
  ')
  
  optional_policy(`
-@@ -790,10 +1129,12 @@ optional_policy(`
+@@ -790,10 +1131,12 @@ optional_policy(`
  	squid_manage_logs(initrc_t)
  ')
  
@@ -56979,7 +57113,7 @@ index 29a9565..308297d 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -805,7 +1146,6 @@ optional_policy(`
+@@ -805,7 +1148,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -56987,7 +57121,7 @@ index 29a9565..308297d 100644
  	udev_manage_pid_files(initrc_t)
  	udev_manage_rules_files(initrc_t)
  ')
-@@ -815,11 +1155,24 @@ optional_policy(`
+@@ -815,11 +1157,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -57013,7 +57147,7 @@ index 29a9565..308297d 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -829,6 +1182,25 @@ optional_policy(`
+@@ -829,6 +1184,25 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -57039,7 +57173,7 @@ index 29a9565..308297d 100644
  ')
  
  optional_policy(`
-@@ -844,6 +1216,10 @@ optional_policy(`
+@@ -844,6 +1218,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -57050,7 +57184,7 @@ index 29a9565..308297d 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -854,3 +1230,45 @@ optional_policy(`
+@@ -854,3 +1232,45 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -57420,7 +57554,7 @@ index ddbd8be..ac8e814 100644
  domain_use_interactive_fds(iscsid_t)
  domain_dontaudit_read_all_domains_state(iscsid_t)
 diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
-index 560dc48..98b8d89 100644
+index 560dc48..6673319 100644
 --- a/policy/modules/system/libraries.fc
 +++ b/policy/modules/system/libraries.fc
 @@ -37,17 +37,12 @@ ifdef(`distro_redhat',`
@@ -57556,7 +57690,7 @@ index 560dc48..98b8d89 100644
  /usr/lib/libFLAC\.so.*			--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/libfglrx_gamma\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/mozilla/plugins/nppdf\.so 	-- 	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -203,86 +194,85 @@ HOME_DIR/.*/plugins/nppdf\.so.* --	gen_context(system_u:object_r:textrel_shlib_t
+@@ -203,86 +194,87 @@ HOME_DIR/.*/plugins/nppdf\.so.* --	gen_context(system_u:object_r:textrel_shlib_t
  /usr/lib/nx/libXcomp\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/nx/libjpeg\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/VBoxVMM\.so			--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -57647,6 +57781,8 @@ index 560dc48..98b8d89 100644
 +/usr/lib/ladspa/se4_1883\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/lib/sane/libsane-epkowa\.so.* --  gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/lib/ocaml/stublibs/dllnums\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/lib/libffmpegsumo\.so.* --  gen_context(system_u:object_r:textrel_shlib_t,s0)
  
  # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
 -/usr/lib(64)?.*/libmpg123\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
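Review bot: The new `/usr/lib/libffmpegsumo\.so.*` entry labels a library `textrel_shlib_t` with no comment saying which package ships it, unlike the `# Livna.org packages:` group directly below it. `textrel_shlib_t` is the exception type that permits text relocations (execmod) on a mapped library, so each entry should be traceable to a known binary; the name suggests a bundled ffmpeg build (presumably Chromium's, which this patch also touches — confirm). Suggested comment above the entry: `# bundled ffmpeg with text relocations (<package name>)`, with the placeholder filled in by the author.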
@@ -57699,7 +57835,7 @@ index 560dc48..98b8d89 100644
  
  /usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/(local/)?Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -303,8 +293,7 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
+@@ -303,8 +295,7 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
  /usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/acroread/.+\.api		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/acroread/(.*/)?ADMPlugin\.apl	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -57709,7 +57845,7 @@ index 560dc48..98b8d89 100644
  ') dnl end distro_redhat
  
  #
-@@ -312,17 +301,152 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
+@@ -312,17 +303,152 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
  #
  /var/cache/ldconfig(/.*)?			gen_context(system_u:object_r:ldconfig_cache_t,s0)
  
@@ -61430,10 +61566,10 @@ index 0000000..3248032
 +
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
 new file mode 100644
-index 0000000..16371df
+index 0000000..67fcd26
 --- /dev/null
 +++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,344 @@
+@@ -0,0 +1,365 @@
 +## <summary>SELinux policy for systemd components</summary>
 +
 +#######################################
@@ -61778,12 +61914,33 @@ index 0000000..16371df
 +
 +	allow $1 systemd_logger_t:unix_stream_socket connectto;
 +')
++
++########################################
++## <summary>
++##	Allow the specified domain to connect to
++##	systemd_logger with a unix socket.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`systemd_config_all_services',`
++	gen_require(`
++		attribute systemd_unit_file_type;
++	')
++
++	allow $1 systemd_unit_file_type:service all_service_perms;
++')
++
++
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..155a839
+index 0000000..f0a3169
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,309 @@
+@@ -0,0 +1,311 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
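Review bot: The `<summary>` on the new `systemd_config_all_services` interface is a copy of the systemd_logger one above it ("connect to systemd_logger with a unix socket") and does not describe what the interface grants, which is `all_service_perms` on every `systemd_unit_file_type`. Since `all_service_perms` is defined later in this commit as `{ start stop status reload kill }`, the summary should read `##	Allow the specified domain to start, stop, reload, kill and query the status of all systemd services.`. The name `config_all_services` also suggests editing unit files rather than controlling running services, so either the name or the summary should make the runtime-control nature explicit. The two blank lines appended at the end of systemd.if are surplus; refpolicy interface files end with the closing `')` and a single newline.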
@@ -61903,6 +62060,8 @@ index 0000000..155a839
 +
 +udev_read_db(systemd_logind_t)
 +
++userdom_read_all_users_state(systemd_logind_t)
++
 +optional_policy(`
 +	cron_dbus_chat_crond(systemd_logind_t)
 +	cron_read_state_crond(systemd_logind_t)
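Review bot: `userdom_read_all_users_state(systemd_logind_t)` lets logind read the /proc state of every user domain (the interface expands to `read_files_pattern($1, userdomain, userdomain)` plus `kernel_search_proc($1)` later in this patch), which is a broad read grant for a session daemon. A short why-comment would keep it reviewable, e.g. `# logind reads process state of the sessions it tracks` (purpose inferred from the daemon's role; confirm against the denial that motivated it).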
@@ -62542,7 +62701,7 @@ index ce2fbb9..8b34dbc 100644
 -/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 -')
 diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
-index 416e668..9f3c1c1 100644
+index 416e668..a56f542 100644
 --- a/policy/modules/system/unconfined.if
 +++ b/policy/modules/system/unconfined.if
 @@ -12,27 +12,34 @@
@@ -62587,20 +62746,21 @@ index 416e668..9f3c1c1 100644
  
  	kernel_unconfined($1)
  	corenet_unconfined($1)
-@@ -44,6 +51,12 @@ interface(`unconfined_domain_noaudit',`
+@@ -43,6 +50,13 @@ interface(`unconfined_domain_noaudit',`
+ 	files_unconfined($1)
  	fs_unconfined($1)
  	selinux_unconfined($1)
- 
++	systemd_config_all_services($1)
++
 +	domain_mmap_low($1)
 +
 +	mcs_file_read_all($1)
 +
 +	ubac_process_exempt($1)
-+
+ 
  	tunable_policy(`allow_execheap',`
  		# Allow making the stack executable via mprotect.
- 		allow $1 self:process execheap;
-@@ -69,6 +82,7 @@ interface(`unconfined_domain_noaudit',`
+@@ -69,6 +83,7 @@ interface(`unconfined_domain_noaudit',`
  	optional_policy(`
  		# Communicate via dbusd.
  		dbus_system_bus_unconfined($1)
@@ -62608,7 +62768,7 @@ index 416e668..9f3c1c1 100644
  	')
  
  	optional_policy(`
-@@ -122,6 +136,10 @@ interface(`unconfined_domain_noaudit',`
+@@ -122,6 +137,10 @@ interface(`unconfined_domain_noaudit',`
  ## </param>
  #
  interface(`unconfined_domain',`
@@ -62619,7 +62779,7 @@ index 416e668..9f3c1c1 100644
  	unconfined_domain_noaudit($1)
  
  	tunable_policy(`allow_execheap',`
-@@ -178,412 +196,3 @@ interface(`unconfined_alias_domain',`
+@@ -178,412 +197,3 @@ interface(`unconfined_alias_domain',`
  interface(`unconfined_execmem_alias_program',`
  	refpolicywarn(`$0($1) has been deprecated.')
  ')
@@ -63293,7 +63453,7 @@ index db75976..392d1ee 100644
 +HOME_DIR/\.gvfs(/.*)?	<<none>>
 +HOME_DIR/\.debug(/.*)?	<<none>>
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 4b2878a..b0955cf 100644
+index 4b2878a..181ada4 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,8 +30,9 @@ template(`userdom_base_user_template',`
@@ -64603,7 +64763,16 @@ index 4b2878a..b0955cf 100644
  
  	# The following rule is temporary until such time that a complete
  	# policy management infrastructure is in place so that an administrator
-@@ -1210,6 +1525,8 @@ template(`userdom_security_admin_template',`
+@@ -1151,6 +1466,8 @@ template(`userdom_admin_user_template',`
+ 	# But presently necessary for installing the file_contexts file.
+ 	seutil_manage_bin_policy($1_t)
+ 
++	systemd_config_all_services($1_t)
++
+ 	userdom_manage_user_home_content_dirs($1_t)
+ 	userdom_manage_user_home_content_files($1_t)
+ 	userdom_manage_user_home_content_symlinks($1_t)
+@@ -1210,6 +1527,8 @@ template(`userdom_security_admin_template',`
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -64612,7 +64781,7 @@ index 4b2878a..b0955cf 100644
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1222,6 +1539,7 @@ template(`userdom_security_admin_template',`
+@@ -1222,6 +1541,7 @@ template(`userdom_security_admin_template',`
  	selinux_set_enforce_mode($1)
  	selinux_set_all_booleans($1)
  	selinux_set_parameters($1)
@@ -64620,7 +64789,7 @@ index 4b2878a..b0955cf 100644
  
  	auth_relabel_all_files_except_shadow($1)
  	auth_relabel_shadow($1)
-@@ -1234,13 +1552,24 @@ template(`userdom_security_admin_template',`
+@@ -1234,13 +1554,24 @@ template(`userdom_security_admin_template',`
  	logging_read_audit_config($1)
  
  	seutil_manage_bin_policy($1)
@@ -64649,7 +64818,7 @@ index 4b2878a..b0955cf 100644
  	')
  
  	optional_policy(`
-@@ -1251,12 +1580,12 @@ template(`userdom_security_admin_template',`
+@@ -1251,12 +1582,12 @@ template(`userdom_security_admin_template',`
  		dmesg_exec($1)
  	')
  
@@ -64665,7 +64834,7 @@ index 4b2878a..b0955cf 100644
  	')
  
  	optional_policy(`
-@@ -1279,54 +1608,66 @@ template(`userdom_security_admin_template',`
+@@ -1279,54 +1610,66 @@ template(`userdom_security_admin_template',`
  interface(`userdom_user_home_content',`
  	gen_require(`
  		type user_home_t;
@@ -64747,7 +64916,7 @@ index 4b2878a..b0955cf 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1334,12 +1675,49 @@ interface(`userdom_setattr_user_ptys',`
+@@ -1334,9 +1677,46 @@ interface(`userdom_setattr_user_ptys',`
  ##	</summary>
  ## </param>
  #
@@ -64756,9 +64925,8 @@ index 4b2878a..b0955cf 100644
  	gen_require(`
 -		type user_devpts_t;
 +		attribute admindomain;
- 	')
- 
--	term_create_pty($1, user_devpts_t)
++	')
++
 +	allow $1 admindomain:tun_socket relabelfrom;
 +	allow $1 self:tun_socket relabelto;
 +')
@@ -64794,13 +64962,10 @@ index 4b2878a..b0955cf 100644
 +interface(`userdom_create_user_pty',`
 +	gen_require(`
 +		type user_devpts_t;
-+	')
-+
-+	term_create_pty($1, user_devpts_t)
- ')
+ 	')
  
- ########################################
-@@ -1395,6 +1773,7 @@ interface(`userdom_search_user_home_dirs',`
+ 	term_create_pty($1, user_devpts_t)
+@@ -1395,6 +1775,7 @@ interface(`userdom_search_user_home_dirs',`
  	')
  
  	allow $1 user_home_dir_t:dir search_dir_perms;
@@ -64808,7 +64973,7 @@ index 4b2878a..b0955cf 100644
  	files_search_home($1)
  ')
  
-@@ -1441,6 +1820,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1441,6 +1822,14 @@ interface(`userdom_list_user_home_dirs',`
  
  	allow $1 user_home_dir_t:dir list_dir_perms;
  	files_search_home($1)
@@ -64823,7 +64988,7 @@ index 4b2878a..b0955cf 100644
  ')
  
  ########################################
-@@ -1456,9 +1843,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1456,9 +1845,11 @@ interface(`userdom_list_user_home_dirs',`
  interface(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
  		type user_home_dir_t;
@@ -64835,7 +65000,7 @@ index 4b2878a..b0955cf 100644
  ')
  
  ########################################
-@@ -1515,6 +1904,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1515,6 +1906,42 @@ interface(`userdom_relabelto_user_home_dirs',`
  	allow $1 user_home_dir_t:dir relabelto;
  ')
  
@@ -64878,7 +65043,7 @@ index 4b2878a..b0955cf 100644
  ########################################
  ## <summary>
  ##	Create directories in the home dir root with
-@@ -1589,6 +2014,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1589,6 +2016,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
  	')
  
  	dontaudit $1 user_home_t:dir search_dir_perms;
@@ -64887,7 +65052,7 @@ index 4b2878a..b0955cf 100644
  ')
  
  ########################################
-@@ -1603,10 +2030,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1603,10 +2032,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
  #
  interface(`userdom_list_user_home_content',`
  	gen_require(`
@@ -64902,7 +65067,7 @@ index 4b2878a..b0955cf 100644
  ')
  
  ########################################
-@@ -1649,6 +2078,43 @@ interface(`userdom_delete_user_home_content_dirs',`
+@@ -1649,6 +2080,43 @@ interface(`userdom_delete_user_home_content_dirs',`
  
  ########################################
  ## <summary>
@@ -64946,7 +65111,7 @@ index 4b2878a..b0955cf 100644
  ##	Do not audit attempts to set the
  ##	attributes of user home files.
  ## </summary>
-@@ -1668,6 +2134,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1668,6 +2136,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -64972,7 +65137,7 @@ index 4b2878a..b0955cf 100644
  ##	Mmap user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1700,12 +2185,32 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1700,12 +2187,32 @@ interface(`userdom_read_user_home_content_files',`
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -65005,7 +65170,7 @@ index 4b2878a..b0955cf 100644
  ##	Do not audit attempts to read user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1716,11 +2221,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1716,11 +2223,14 @@ interface(`userdom_read_user_home_content_files',`
  #
  interface(`userdom_dontaudit_read_user_home_content_files',`
  	gen_require(`
@@ -65023,7 +65188,7 @@ index 4b2878a..b0955cf 100644
  ')
  
  ########################################
-@@ -1779,6 +2287,60 @@ interface(`userdom_delete_user_home_content_files',`
+@@ -1779,6 +2289,60 @@ interface(`userdom_delete_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -65084,7 +65249,7 @@ index 4b2878a..b0955cf 100644
  ##	Do not audit attempts to write user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1810,8 +2372,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1810,8 +2374,7 @@ interface(`userdom_read_user_home_content_symlinks',`
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -65094,7 +65259,7 @@ index 4b2878a..b0955cf 100644
  ')
  
  ########################################
-@@ -1827,20 +2388,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1827,20 +2390,14 @@ interface(`userdom_read_user_home_content_symlinks',`
  #
  interface(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -65119,7 +65284,7 @@ index 4b2878a..b0955cf 100644
  
  ########################################
  ## <summary>
-@@ -1941,6 +2496,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
+@@ -1941,6 +2498,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
  
  ########################################
  ## <summary>
@@ -65144,7 +65309,7 @@ index 4b2878a..b0955cf 100644
  ##	Create, read, write, and delete named pipes
  ##	in a user home subdirectory.
  ## </summary>
-@@ -2008,7 +2581,7 @@ interface(`userdom_user_home_dir_filetrans',`
+@@ -2008,7 +2583,7 @@ interface(`userdom_user_home_dir_filetrans',`
  		type user_home_dir_t;
  	')
  
@@ -65153,7 +65318,7 @@ index 4b2878a..b0955cf 100644
  	files_search_home($1)
  ')
  
-@@ -2182,7 +2755,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2182,7 +2757,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -65162,7 +65327,7 @@ index 4b2878a..b0955cf 100644
  ')
  
  ########################################
-@@ -2435,13 +3008,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2435,13 +3010,14 @@ interface(`userdom_read_user_tmpfs_files',`
  	')
  
  	read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -65178,7 +65343,7 @@ index 4b2878a..b0955cf 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2462,26 +3036,6 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2462,26 +3038,6 @@ interface(`userdom_rw_user_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -65205,7 +65370,7 @@ index 4b2878a..b0955cf 100644
  ##	Get the attributes of a user domain tty.
  ## </summary>
  ## <param name="domain">
-@@ -2572,7 +3126,7 @@ interface(`userdom_use_user_ttys',`
+@@ -2572,7 +3128,7 @@ interface(`userdom_use_user_ttys',`
  
  ########################################
  ## <summary>
@@ -65214,7 +65379,7 @@ index 4b2878a..b0955cf 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2580,70 +3134,138 @@ interface(`userdom_use_user_ttys',`
+@@ -2580,70 +3136,138 @@ interface(`userdom_use_user_ttys',`
  ##	</summary>
  ## </param>
  #
@@ -65286,8 +65451,9 @@ index 4b2878a..b0955cf 100644
  	gen_require(`
 -		type user_tty_device_t, user_devpts_t;
 +		type user_devpts_t;
-+	')
-+
+ 	')
+ 
+-	dontaudit $1 user_tty_device_t:chr_file rw_term_perms;
 +	allow $1 user_devpts_t:chr_file rw_inherited_term_perms;
 +')
 +
@@ -65354,9 +65520,9 @@ index 4b2878a..b0955cf 100644
 +interface(`userdom_dontaudit_use_user_terminals',`
 +	gen_require(`
 +		type user_tty_device_t, user_devpts_t;
- 	')
- 
- 	dontaudit $1 user_tty_device_t:chr_file rw_term_perms;
++	')
++
++	dontaudit $1 user_tty_device_t:chr_file rw_term_perms;
  	dontaudit $1 user_devpts_t:chr_file rw_term_perms;
  ')
  
@@ -65382,7 +65548,7 @@ index 4b2878a..b0955cf 100644
  ########################################
  ## <summary>
  ##	Execute a shell in all user domains.  This
-@@ -2736,24 +3358,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
+@@ -2736,24 +3360,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
@@ -65407,7 +65573,7 @@ index 4b2878a..b0955cf 100644
  ########################################
  ## <summary>
  ##	Manage unpriviledged user SysV sempaphores.
-@@ -2772,25 +3376,6 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -2772,25 +3378,6 @@ interface(`userdom_manage_unpriv_user_semaphores',`
  	allow $1 unpriv_userdomain:sem create_sem_perms;
  ')
  
@@ -65433,7 +65599,7 @@ index 4b2878a..b0955cf 100644
  ########################################
  ## <summary>
  ##	Manage unpriviledged user SysV shared
-@@ -2852,7 +3437,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2852,7 +3439,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  
  	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
  	allow unpriv_userdomain $1:fd use;
@@ -65442,7 +65608,7 @@ index 4b2878a..b0955cf 100644
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
-@@ -2868,29 +3453,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2868,29 +3455,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  #
  interface(`userdom_search_user_home_content',`
  	gen_require(`
@@ -65476,7 +65642,7 @@ index 4b2878a..b0955cf 100644
  ')
  
  ########################################
-@@ -2972,7 +3541,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -2972,7 +3543,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
  		type user_devpts_t;
  	')
  
@@ -65485,7 +65651,7 @@ index 4b2878a..b0955cf 100644
  ')
  
  ########################################
-@@ -3027,7 +3596,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3027,7 +3598,45 @@ interface(`userdom_write_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -65532,7 +65698,7 @@ index 4b2878a..b0955cf 100644
  ')
  
  ########################################
-@@ -3064,6 +3671,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3064,6 +3673,7 @@ interface(`userdom_read_all_users_state',`
  	')
  
  	read_files_pattern($1, userdomain, userdomain)
@@ -65540,7 +65706,7 @@ index 4b2878a..b0955cf 100644
  	kernel_search_proc($1)
  ')
  
-@@ -3142,6 +3750,24 @@ interface(`userdom_signal_all_users',`
+@@ -3142,6 +3752,24 @@ interface(`userdom_signal_all_users',`
  
  ########################################
  ## <summary>
@@ -65565,7 +65731,7 @@ index 4b2878a..b0955cf 100644
  ##	Send a SIGCHLD signal to all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3194,3 +3820,1075 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3194,3 +3822,1075 @@ interface(`userdom_dbus_send_all_users',`
  
  	allow $1 userdomain:dbus send_msg;
  ')
@@ -67098,7 +67264,7 @@ index 22ca011..df6b5de 100644
  
  #
 diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
-index f7380b3..184f238 100644
+index f7380b3..fb62555 100644
 --- a/policy/support/obj_perm_sets.spt
 +++ b/policy/support/obj_perm_sets.spt
 @@ -28,8 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }')
@@ -67198,7 +67364,7 @@ index f7380b3..184f238 100644
  
  #
  # Sockets
-@@ -317,3 +324,14 @@ define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept
+@@ -317,3 +324,15 @@ define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept
  # Keys
  #
  define(`manage_key_perms', `{ create link read search setattr view write } ')
@@ -67212,6 +67378,7 @@ index f7380b3..184f238 100644
 +define(`all_nscd_perms', `{ getserv getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost shmemserv } ')
 +define(`all_dbus_perms', `{ acquire_svc send_msg } ')
 +define(`all_passwd_perms', `{ passwd chfn chsh rootok crontab } ')
++define(`all_service_perms', `{ start stop status reload kill } ')
 +define(`all_association_perms', `{ sendto recvfrom setcontext polmatch } ')
 diff --git a/policy/users b/policy/users
 index c4ebc7e..30d6d7a 100644
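Review bot: `all_service_perms` enumerates `{ start stop status reload kill }` for a `service` object class, but no hunk visible here adds that class or its access vector to policy/flask; if they are not declared elsewhere in this patch, every `allow ... :service all_service_perms` rule fails to compile. The neighbouring `all_*_perms` sets are meant to mirror the full vector of their class, so a comment such as `# must match the service class in policy/flask/access_vectors` would keep the set from silently drifting when the class grows.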
diff --git a/selinux-policy.spec b/selinux-policy.spec
index ad718c0..34f536c 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -452,6 +452,9 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Thu Jul 21 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-7
+- systemd fixes
+
 * Tue Jul 19 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-6
 - Add initial policy for abrt_dump_oops_t
 - xtables-multi wants to getattr of the proc fs

