[selinux-policy] - Fixes for sanlock policy - Fixes for colord policy - Other fixes * http://git.fedorahosted.
Miroslav Grepl
mgrepl at fedoraproject.org
Thu Jun 2 13:17:10 UTC 2011
commit a56fb9fa8f07c4208edc9dad7897c884d6988c34
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Thu Jun 2 15:16:46 2011 +0200
- Fixes for sanlock policy
- Fixes for colord policy
- Other fixes
* http://git.fedorahosted.org/git/?p=selinux-policy.git;a=log
policy-F16.patch | 1382 ++++++++++++++++++++++++++++++++++-----------------
selinux-policy.spec | 8 +-
2 files changed, 935 insertions(+), 455 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index fe58b0c..9de84fb 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -1585,7 +1585,7 @@ index c633aea..d1e56f6 100644
ifdef(`hide_broken_symptoms',`
diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te
-index af55369..6059aed 100644
+index af55369..9301e42 100644
--- a/policy/modules/admin/prelink.te
+++ b/policy/modules/admin/prelink.te
@@ -36,7 +36,7 @@ files_type(prelink_var_lib_t)
@@ -1638,12 +1638,13 @@ index af55369..6059aed 100644
optional_policy(`
amanda_manage_lib(prelink_t)
-@@ -109,13 +115,21 @@ optional_policy(`
+@@ -109,13 +115,22 @@ optional_policy(`
')
optional_policy(`
- rpm_manage_tmp_files(prelink_t)
+ gnome_dontaudit_read_config(prelink_t)
++ gnome_dontaudit_read_inherited_gconf_config_files(prelink_t)
')
optional_policy(`
@@ -1662,7 +1663,7 @@ index af55369..6059aed 100644
########################################
#
# Prelink Cron system Policy
-@@ -129,6 +143,7 @@ optional_policy(`
+@@ -129,6 +144,7 @@ optional_policy(`
read_files_pattern(prelink_cron_system_t, prelink_cache_t, prelink_cache_t)
allow prelink_cron_system_t prelink_cache_t:file unlink;
@@ -1670,7 +1671,7 @@ index af55369..6059aed 100644
domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t)
allow prelink_cron_system_t prelink_t:process noatsecure;
-@@ -148,17 +163,28 @@ optional_policy(`
+@@ -148,17 +164,28 @@ optional_policy(`
files_read_etc_files(prelink_cron_system_t)
files_search_var_lib(prelink_cron_system_t)
@@ -1700,6 +1701,47 @@ index af55369..6059aed 100644
+ dbus_read_config(prelink_t)
+ ')
+')
+diff --git a/policy/modules/admin/quota.if b/policy/modules/admin/quota.if
+index bf75d99..1698e8f 100644
+--- a/policy/modules/admin/quota.if
++++ b/policy/modules/admin/quota.if
+@@ -83,3 +83,36 @@ interface(`quota_manage_flags',`
+ files_search_var_lib($1)
+ manage_files_pattern($1, quota_flag_t, quota_flag_t)
+ ')
++
++########################################
++## <summary>
++## Transition to quota named content
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`quota_filetrans_named_content',`
++ gen_require(`
++ type quota_db_t;
++ ')
++
++ files_root_filetrans($1, quota_db_t, file, "aquota.user")
++ files_root_filetrans($1, quota_db_t, file, "aquota.group")
++ files_boot_filetrans($1, quota_db_t, file, "aquota.user")
++ files_boot_filetrans($1, quota_db_t, file, "aquota.group")
++ files_etc_filetrans($1, quota_db_t, file, "aquota.user")
++ files_etc_filetrans($1, quota_db_t, file, "aquota.group")
++ files_tmp_filetrans($1, quota_db_t, file, "aquota.user")
++ files_tmp_filetrans($1, quota_db_t, file, "aquota.group")
++ files_home_filetrans($1, quota_db_t, file, "aquota.user")
++ files_home_filetrans($1, quota_db_t, file, "aquota.group")
++ files_usr_filetrans($1, quota_db_t, file, "aquota.user")
++ files_usr_filetrans($1, quota_db_t, file, "aquota.group")
++ files_var_filetrans($1, quota_db_t, file, "aquota.user")
++ files_var_filetrans($1, quota_db_t, file, "aquota.group")
++ files_spool_filetrans($1, quota_db_t, file, "aquota.user")
++ files_spool_filetrans($1, quota_db_t, file, "aquota.group")
++')
diff --git a/policy/modules/admin/quota.te b/policy/modules/admin/quota.te
index 5dd42f5..f13ac41 100644
--- a/policy/modules/admin/quota.te
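Review bot: The summary `Transition to quota named content` on the new `quota_filetrans_named_content` interface does not say what a caller receives. As written, files named `aquota.user` or `aquota.group` that the calling domain creates get the `quota_db_t` type in eight parent locations, including those reached through `files_tmp_filetrans` and `files_home_filetrans`. I would spell that out in the summary, e.g. `## Create aquota.user and aquota.group with the quota_db_t type in the root, boot, etc, tmp, home, usr, var and spool directories.` A caller reviewing its own policy can then see that the interface reaches shared directories as well as filesystem roots.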
@@ -1858,7 +1900,7 @@ index b4ac57e..ef944a4 100644
logging_send_syslog_msg(readahead_t)
logging_set_audit_parameters(readahead_t)
diff --git a/policy/modules/admin/rpm.fc b/policy/modules/admin/rpm.fc
-index b206bf6..48922c9 100644
+index b206bf6..bbd902f 100644
--- a/policy/modules/admin/rpm.fc
+++ b/policy/modules/admin/rpm.fc
@@ -7,6 +7,7 @@
@@ -1869,7 +1911,7 @@ index b206bf6..48922c9 100644
/usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/yum-complete-transaction -- gen_context(system_u:object_r:rpm_exec_t,s0)
-@@ -25,6 +26,9 @@ ifdef(`distro_redhat', `
+@@ -25,8 +26,12 @@ ifdef(`distro_redhat', `
/usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0)
@@ -1878,8 +1920,11 @@ index b206bf6..48922c9 100644
+/usr/bin/apt-shell -- gen_context(system_u:object_r:rpm_exec_t,s0)
')
++/var/cache/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
/var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
-@@ -36,6 +40,8 @@ ifdef(`distro_redhat', `
+
+ /var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
+@@ -36,6 +41,8 @@ ifdef(`distro_redhat', `
/var/log/rpmpkgs.* -- gen_context(system_u:object_r:rpm_log_t,s0)
/var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0)
@@ -2065,7 +2110,7 @@ index d33daa8..c76708e 100644
+ allow rpm_script_t $1:process sigchld;
+')
diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
-index 47a8f7d..ba240df 100644
+index 47a8f7d..0b100a8 100644
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@@ -1,10 +1,11 @@
@@ -2108,16 +2153,26 @@ index 47a8f7d..ba240df 100644
corecmd_exec_all_executables(rpm_t)
-@@ -127,6 +133,8 @@ corenet_sendrecv_all_client_packets(rpm_t)
+@@ -127,6 +133,18 @@ corenet_sendrecv_all_client_packets(rpm_t)
dev_list_sysfs(rpm_t)
dev_list_usbfs(rpm_t)
dev_read_urand(rpm_t)
+dev_read_raw_memory(rpm_t)
++
+#devices_manage_all_device_types(rpm_t)
++dev_create_generic_blk_files(rpm_t)
++dev_create_generic_chr_files(rpm_t)
++dev_delete_all_blk_files(rpm_t)
++dev_delete_all_chr_files(rpm_t)
++dev_relabel_all_dev_nodes(rpm_t)
++dev_rename_generic_blk_files(rpm_t)
++dev_rename_generic_chr_files(rpm_t)
++dev_setattr_all_blk_files(rpm_t)
++dev_setattr_all_chr_files(rpm_t)
fs_getattr_all_dirs(rpm_t)
fs_list_inotifyfs(rpm_t)
-@@ -173,11 +181,13 @@ domain_dontaudit_getattr_all_packet_sockets(rpm_t)
+@@ -173,11 +191,13 @@ domain_dontaudit_getattr_all_packet_sockets(rpm_t)
domain_dontaudit_getattr_all_raw_sockets(rpm_t)
domain_dontaudit_getattr_all_stream_sockets(rpm_t)
domain_dontaudit_getattr_all_dgram_sockets(rpm_t)
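Review bot: The nine `dev_*` calls added for `rpm_t` sit under the dead line `#devices_manage_all_device_types(rpm_t)` with no stated reason. Together they let the package-manager domain create, rename, delete, set attributes on and relabel device nodes, with `dev_relabel_all_dev_nodes(rpm_t)` the broadest of them. I would replace the commented-out call with a rationale line such as `# TODO(review): name the package operation that needs device-node management (bug reference)`. It is also worth confirming that the `*_all_*` variants are required where a `*_generic_*` one exists. The rpm_t rule list begins and ends outside this hunk, so related device rules may exist that are not visible here.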
@@ -2131,7 +2186,7 @@ index 47a8f7d..ba240df 100644
libs_exec_ld_so(rpm_t)
libs_exec_lib_files(rpm_t)
-@@ -189,7 +199,7 @@ logging_send_syslog_msg(rpm_t)
+@@ -189,7 +209,7 @@ logging_send_syslog_msg(rpm_t)
seutil_manage_src_policy(rpm_t)
seutil_manage_bin_policy(rpm_t)
@@ -2140,7 +2195,7 @@ index 47a8f7d..ba240df 100644
userdom_use_unpriv_users_fds(rpm_t)
optional_policy(`
-@@ -207,6 +217,7 @@ optional_policy(`
+@@ -207,6 +227,7 @@ optional_policy(`
optional_policy(`
networkmanager_dbus_chat(rpm_t)
')
@@ -2148,7 +2203,7 @@ index 47a8f7d..ba240df 100644
')
optional_policy(`
-@@ -214,7 +225,7 @@ optional_policy(`
+@@ -214,7 +235,7 @@ optional_policy(`
')
optional_policy(`
@@ -2157,7 +2212,7 @@ index 47a8f7d..ba240df 100644
# yum-updatesd requires this
unconfined_dbus_chat(rpm_t)
unconfined_dbus_chat(rpm_script_t)
-@@ -261,6 +272,7 @@ kernel_read_crypto_sysctls(rpm_script_t)
+@@ -261,6 +282,7 @@ kernel_read_crypto_sysctls(rpm_script_t)
kernel_read_kernel_sysctls(rpm_script_t)
kernel_read_system_state(rpm_script_t)
kernel_read_network_state(rpm_script_t)
@@ -2165,7 +2220,7 @@ index 47a8f7d..ba240df 100644
kernel_read_software_raid_state(rpm_script_t)
dev_list_sysfs(rpm_script_t)
-@@ -299,7 +311,7 @@ storage_raw_write_fixed_disk(rpm_script_t)
+@@ -299,7 +321,7 @@ storage_raw_write_fixed_disk(rpm_script_t)
term_getattr_unallocated_ttys(rpm_script_t)
term_list_ptys(rpm_script_t)
@@ -2174,7 +2229,7 @@ index 47a8f7d..ba240df 100644
auth_dontaudit_getattr_shadow(rpm_script_t)
auth_use_nsswitch(rpm_script_t)
-@@ -308,6 +320,8 @@ auth_manage_all_files_except_shadow(rpm_script_t)
+@@ -308,6 +330,8 @@ auth_manage_all_files_except_shadow(rpm_script_t)
auth_relabel_shadow(rpm_script_t)
corecmd_exec_all_executables(rpm_script_t)
@@ -2183,7 +2238,7 @@ index 47a8f7d..ba240df 100644
domain_read_all_domains_state(rpm_script_t)
domain_getattr_all_domains(rpm_script_t)
-@@ -332,18 +346,18 @@ logging_send_syslog_msg(rpm_script_t)
+@@ -332,18 +356,18 @@ logging_send_syslog_msg(rpm_script_t)
miscfiles_read_localization(rpm_script_t)
@@ -2205,7 +2260,7 @@ index 47a8f7d..ba240df 100644
')
')
-@@ -368,6 +382,11 @@ optional_policy(`
+@@ -368,6 +392,11 @@ optional_policy(`
')
optional_policy(`
@@ -2217,7 +2272,7 @@ index 47a8f7d..ba240df 100644
tzdata_domtrans(rpm_t)
tzdata_domtrans(rpm_script_t)
')
-@@ -377,8 +396,9 @@ optional_policy(`
+@@ -377,8 +406,9 @@ optional_policy(`
')
optional_policy(`
@@ -2958,10 +3013,36 @@ index c467144..fb794f9 100644
/usr/sbin/crack_[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0)
/usr/sbin/cracklib-[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0)
diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if
-index 81fb26f..e03c0fe 100644
+index 81fb26f..fa853d7 100644
--- a/policy/modules/admin/usermanage.if
+++ b/policy/modules/admin/usermanage.if
-@@ -170,6 +170,25 @@ interface(`usermanage_run_passwd',`
+@@ -73,6 +73,25 @@ interface(`usermanage_domtrans_groupadd',`
+
+ ########################################
+ ## <summary>
++## Check access to the groupadd executable.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`usermanage_access_check_groupadd',`
++ gen_require(`
++ type groupadd_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ allow $1 groupadd_exec_t:file { getattr_file_perms audit_access };
++')
++
++########################################
++## <summary>
+ ## Execute groupadd in the groupadd domain, and
+ ## allow the specified role the groupadd domain.
+ ## </summary>
+@@ -170,6 +189,25 @@ interface(`usermanage_run_passwd',`
########################################
## <summary>
@@ -2979,7 +3060,7 @@ index 81fb26f..e03c0fe 100644
+ ')
+
+ corecmd_search_bin($1)
-+ allow $1 passwd_exec_t:file audit_access;
++ allow $1 passwd_exec_t:file { getattr_file_perms audit_access };
+')
+
+########################################
@@ -2987,7 +3068,7 @@ index 81fb26f..e03c0fe 100644
## Execute password admin functions in
## the admin passwd domain.
## </summary>
-@@ -285,6 +304,9 @@ interface(`usermanage_run_useradd',`
+@@ -285,6 +323,9 @@ interface(`usermanage_run_useradd',`
usermanage_domtrans_useradd($1)
role $2 types useradd_t;
@@ -2997,7 +3078,7 @@ index 81fb26f..e03c0fe 100644
seutil_run_semanage(useradd_t, $2)
optional_policy(`
-@@ -294,6 +316,25 @@ interface(`usermanage_run_useradd',`
+@@ -294,6 +335,25 @@ interface(`usermanage_run_useradd',`
########################################
## <summary>
@@ -3015,7 +3096,7 @@ index 81fb26f..e03c0fe 100644
+ ')
+
+ corecmd_search_bin($1)
-+ allow $1 useradd_exec_t:file audit_access;
++ allow $1 useradd_exec_t:file { getattr_file_perms audit_access };
+')
+
+########################################
@@ -3955,10 +4036,10 @@ index 00a19e3..55075f9 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
-index f5afe78..f816c8d 100644
+index f5afe78..93aa20f 100644
--- a/policy/modules/apps/gnome.if
+++ b/policy/modules/apps/gnome.if
-@@ -1,44 +1,623 @@
+@@ -1,44 +1,699 @@
## <summary>GNU network object model environment (GNOME)</summary>
-############################################################
@@ -4459,6 +4540,25 @@ index f5afe78..f816c8d 100644
+
+########################################
+## <summary>
++## Do not audit attempts to read
++## inherited gconf config files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`gnome_dontaudit_read_inherited_gconf_config_files',`
++ gen_require(`
++ type gconf_etc_t;
++ ')
++
++ dontaudit $1 gconf_etc_t:file read_inherited_file_perms;
++')
++
++########################################
++## <summary>
+## read gconf config files
+## </summary>
+## <param name="domain">
@@ -4520,11 +4620,10 @@ index f5afe78..f816c8d 100644
+## Execute gnome keyringd in the caller domain.
+## </summary>
+## <param name="domain">
- ## <summary>
--## Role allowed access
++## <summary>
+## Domain allowed access.
- ## </summary>
- ## </param>
++## </summary>
++## </param>
+#
+interface(`gnome_exec_keyringd',`
+ gen_require(`
@@ -4539,6 +4638,51 @@ index f5afe78..f816c8d 100644
+## <summary>
+## Read gconf home files
+## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`gnome_read_gconf_home_files',`
++ gen_require(`
++ type gconf_home_t;
++ type data_home_t;
++ ')
++
++ userdom_search_user_home_dirs($1)
++ allow $1 gconf_home_t:dir list_dir_perms;
++ allow $1 data_home_t:dir list_dir_perms;
++ read_files_pattern($1, gconf_home_t, gconf_home_t)
++ read_files_pattern($1, data_home_t, data_home_t)
++ read_lnk_files_pattern($1, gconf_home_t, gconf_home_t)
++ read_lnk_files_pattern($1, data_home_t, data_home_t)
++')
++
++########################################
++## <summary>
++## Search gkeyringd temporary directories.
++## </summary>
++## <param name="domain">
+ ## <summary>
+-## Role allowed access
++## Domain allowed access.
+ ## </summary>
+ ## </param>
++#
++interface(`gnome_search_gkeyringd_tmp_dirs',`
++ gen_require(`
++ type gkeyringd_tmp_t;
++ ')
++
++ files_search_tmp($1)
++ allow $1 gkeyringd_tmp_t:dir search_dir_perms;
++')
++
++########################################
++## <summary>
++## search gconf homedir (.local)
++## </summary>
## <param name="domain">
## <summary>
-## User domain for the role
@@ -4547,33 +4691,45 @@ index f5afe78..f816c8d 100644
## </param>
#
-interface(`gnome_role',`
-+interface(`gnome_read_gconf_home_files',`
++interface(`gnome_search_gconf',`
gen_require(`
- type gconfd_t, gconfd_exec_t;
- type gconf_tmp_t;
+ type gconf_home_t;
-+ type data_home_t;
')
- role $1 types gconfd_t;
--
++ allow $1 gconf_home_t:dir search_dir_perms;
++ userdom_search_user_home_dirs($1)
++')
++
++########################################
++## <summary>
++## Set attributes of Gnome config dirs.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`gnome_setattr_config_dirs',`
++ gen_require(`
++ type gnome_home_t;
++ ')
+
- domain_auto_trans($2, gconfd_exec_t, gconfd_t)
- allow gconfd_t $2:fd use;
- allow gconfd_t $2:fifo_file write;
- allow gconfd_t $2:unix_stream_socket connectto;
-+ userdom_search_user_home_dirs($1)
-+ allow $1 gconf_home_t:dir list_dir_perms;
-+ allow $1 data_home_t:dir list_dir_perms;
-+ read_files_pattern($1, gconf_home_t, gconf_home_t)
-+ read_files_pattern($1, data_home_t, data_home_t)
-+ read_lnk_files_pattern($1, gconf_home_t, gconf_home_t)
-+ read_lnk_files_pattern($1, data_home_t, data_home_t)
++ setattr_dirs_pattern($1, gnome_home_t, gnome_home_t)
++ files_search_home($1)
+')
- ps_process_pattern($2, gconfd_t)
+########################################
+## <summary>
-+## Search gkeyringd temporary directories.
++## Manage generic gnome home files.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -4581,46 +4737,46 @@ index f5afe78..f816c8d 100644
+## </summary>
+## </param>
+#
-+interface(`gnome_search_gkeyringd_tmp_dirs',`
++interface(`gnome_manage_generic_home_files',`
+ gen_require(`
-+ type gkeyringd_tmp_t;
++ type gnome_home_t;
+ ')
- #gnome_stream_connect_gconf_template($1, $2)
- read_files_pattern($2, gconf_tmp_t, gconf_tmp_t)
- allow $2 gconfd_t:unix_stream_socket connectto;
-+ files_search_tmp($1)
-+ allow $1 gkeyringd_tmp_t:dir search_dir_perms;
++ userdom_search_user_home_dirs($1)
++ manage_files_pattern($1, gnome_home_t, gnome_home_t)
')
########################################
## <summary>
-## Execute gconf programs in
-## in the caller domain.
-+## search gconf homedir (.local)
++## Manage generic gnome home directories.
## </summary>
## <param name="domain">
## <summary>
-@@ -46,37 +625,37 @@ interface(`gnome_role',`
+@@ -46,37 +701,36 @@ interface(`gnome_role',`
## </summary>
## </param>
#
-interface(`gnome_exec_gconf',`
-+interface(`gnome_search_gconf',`
++interface(`gnome_manage_generic_home_dirs',`
gen_require(`
- type gconfd_exec_t;
-+ type gconf_home_t;
++ type gnome_home_t;
')
- can_exec($1, gconfd_exec_t)
-+ allow $1 gconf_home_t:dir search_dir_perms;
+ userdom_search_user_home_dirs($1)
++ allow $1 gnome_home_t:dir manage_dir_perms;
')
########################################
## <summary>
-## Read gconf config files.
-+## Set attributes of Gnome config dirs.
++## Append gconf home files
## </summary>
-## <param name="user_domain">
+## <param name="domain">
@@ -4630,48 +4786,47 @@ index f5afe78..f816c8d 100644
## </param>
#
-template(`gnome_read_gconf_config',`
-+interface(`gnome_setattr_config_dirs',`
++interface(`gnome_append_gconf_home_files',`
gen_require(`
- type gconf_etc_t;
-+ type gnome_home_t;
++ type gconf_home_t;
')
- allow $1 gconf_etc_t:dir list_dir_perms;
- read_files_pattern($1, gconf_etc_t, gconf_etc_t)
- files_search_etc($1)
-+ setattr_dirs_pattern($1, gnome_home_t, gnome_home_t)
-+ files_search_home($1)
++ append_files_pattern($1, gconf_home_t, gconf_home_t)
')
-#######################################
+########################################
## <summary>
-## Create, read, write, and delete gconf config files.
-+## Manage generic gnome home files.
++## manage gconf home files
## </summary>
## <param name="domain">
## <summary>
-@@ -84,37 +663,37 @@ template(`gnome_read_gconf_config',`
+@@ -84,37 +738,42 @@ template(`gnome_read_gconf_config',`
## </summary>
## </param>
#
-interface(`gnome_manage_gconf_config',`
-+interface(`gnome_manage_generic_home_files',`
++interface(`gnome_manage_gconf_home_files',`
gen_require(`
- type gconf_etc_t;
-+ type gnome_home_t;
++ type gconf_home_t;
')
- manage_files_pattern($1, gconf_etc_t, gconf_etc_t)
- files_search_etc($1)
-+ userdom_search_user_home_dirs($1)
-+ manage_files_pattern($1, gnome_home_t, gnome_home_t)
++ allow $1 gconf_home_t:dir list_dir_perms;
++ manage_files_pattern($1, gconf_home_t, gconf_home_t)
')
########################################
## <summary>
-## gconf connection template.
-+## Manage generic gnome home directories.
++## Connect to gnome over an unix stream socket.
## </summary>
-## <param name="user_domain">
+## <param name="domain">
@@ -4679,143 +4834,88 @@ index f5afe78..f816c8d 100644
## Domain allowed access.
## </summary>
## </param>
++## <param name="user_domain">
++## <summary>
++## The type of the user domain.
++## </summary>
++## </param>
#
-interface(`gnome_stream_connect_gconf',`
-+interface(`gnome_manage_generic_home_dirs',`
++interface(`gnome_stream_connect',`
gen_require(`
- type gconfd_t, gconf_tmp_t;
-+ type gnome_home_t;
++ attribute gnome_home_type;
')
- read_files_pattern($1, gconf_tmp_t, gconf_tmp_t)
- allow $1 gconfd_t:unix_stream_socket connectto;
-+ userdom_search_user_home_dirs($1)
-+ allow $1 gnome_home_t:dir manage_dir_perms;
++ # Connect to pulseaudit server
++ stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2)
')
########################################
## <summary>
-## Run gconfd in gconfd domain.
-+## Append gconf home files
++## list gnome homedir content (.config)
## </summary>
## <param name="domain">
## <summary>
-@@ -122,17 +701,17 @@ interface(`gnome_stream_connect_gconf',`
+@@ -122,17 +781,17 @@ interface(`gnome_stream_connect_gconf',`
## </summary>
## </param>
#
-interface(`gnome_domtrans_gconfd',`
-+interface(`gnome_append_gconf_home_files',`
++interface(`gnome_list_home_config',`
gen_require(`
- type gconfd_t, gconfd_exec_t;
-+ type gconf_home_t;
++ type config_home_t;
')
- domtrans_pattern($1, gconfd_exec_t, gconfd_t)
-+ append_files_pattern($1, gconf_home_t, gconf_home_t)
++ allow $1 config_home_t:dir list_dir_perms;
')
########################################
## <summary>
-## Set attributes of Gnome config dirs.
-+## manage gconf home files
++## Set attributes of gnome homedir content (.config)
## </summary>
## <param name="domain">
## <summary>
-@@ -140,51 +719,378 @@ interface(`gnome_domtrans_gconfd',`
+@@ -140,51 +799,353 @@ interface(`gnome_domtrans_gconfd',`
## </summary>
## </param>
#
-interface(`gnome_setattr_config_dirs',`
-+interface(`gnome_manage_gconf_home_files',`
++template(`gnome_setattr_home_config',`
gen_require(`
- type gnome_home_t;
-+ type gconf_home_t;
++ type config_home_t;
')
- setattr_dirs_pattern($1, gnome_home_t, gnome_home_t)
- files_search_home($1)
-+ allow $1 gconf_home_t:dir list_dir_perms;
-+ manage_files_pattern($1, gconf_home_t, gconf_home_t)
++ setattr_dirs_pattern($1, config_home_t, config_home_t)
++ userdom_search_user_home_dirs($1)
')
########################################
## <summary>
-## Read gnome homedir content (.config)
-+## Connect to gnome over an unix stream socket.
++## read gnome homedir content (.config)
## </summary>
+-## <param name="user_domain">
+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
- ## <param name="user_domain">
## <summary>
-+## The type of the user domain.
-+## </summary>
-+## </param>
-+#
-+interface(`gnome_stream_connect',`
-+ gen_require(`
-+ attribute gnome_home_type;
-+ ')
-+
-+ # Connect to pulseaudit server
-+ stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2)
-+')
-+
-+########################################
-+## <summary>
-+## list gnome homedir content (.config)
-+## </summary>
-+## <param name="domain">
-+## <summary>
## Domain allowed access.
## </summary>
## </param>
#
-template(`gnome_read_config',`
-+interface(`gnome_list_home_config',`
++interface(`gnome_read_home_config',`
gen_require(`
- type gnome_home_t;
+ type config_home_t;
-+ ')
-+
-+ allow $1 config_home_t:dir list_dir_perms;
-+')
-+
-+########################################
-+## <summary>
-+## Set attributes of gnome homedir content (.config)
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+template(`gnome_setattr_home_config',`
-+ gen_require(`
-+ type config_home_t;
-+ ')
-+
-+ setattr_dirs_pattern($1, config_home_t, config_home_t)
-+ userdom_search_user_home_dirs($1)
-+')
-+
-+########################################
-+## <summary>
-+## read gnome homedir content (.config)
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`gnome_read_home_config',`
-+ gen_require(`
-+ type config_home_t;
')
- list_dirs_pattern($1, gnome_home_t, gnome_home_t)
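Review bot: The comment `# Connect to pulseaudit server` inside `gnome_stream_connect` does not match the rule beneath it. That rule is `stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2)`, which covers every type carrying the `gnome_home_type` attribute rather than a single audio server. This hunk only relocates the lines, but while they are being touched the comment could become `# Connect to $2 through sockets labelled with a gnome_home_type type`. In the same hunk `gnome_setattr_home_config` is declared with `template(` while its neighbours use `interface(`; the lines shown declare no new types, so `interface(` looks like the intended form.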
@@ -4913,6 +5013,42 @@ index f5afe78..f816c8d 100644
+
+########################################
+## <summary>
++## Send signull signal to gkeyringd processes.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`gnome_signull_gkeyringd',`
++ gen_require(`
++ attribute gkeyringd_domain;
++ ')
++
++ allow $1 gkeyringd_domain:process signull;
++')
++
++########################################
++## <summary>
++## Allow the domain to read gkeyringd state files in /proc.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`gnome_read_gkeyringd_state',`
++ gen_require(`
++ attribute gkeyringd_domain;
++ ')
++
++ ps_process_pattern($1, gkeyringd_domain)
++')
++
++########################################
++## <summary>
+## Create directories in user home directories
+## with the gnome home file type.
+## </summary>
@@ -6318,7 +6454,7 @@ index 93ac529..35b51ab 100644
+/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
-index 9a6d67d..ceeb3e7 100644
+index 9a6d67d..aa29dee 100644
--- a/policy/modules/apps/mozilla.if
+++ b/policy/modules/apps/mozilla.if
@@ -29,6 +29,8 @@ interface(`mozilla_role',`
@@ -6458,7 +6594,7 @@ index 9a6d67d..ceeb3e7 100644
## Send and receive messages from
## mozilla over dbus.
## </summary>
-@@ -204,3 +304,39 @@ interface(`mozilla_rw_tcp_sockets',`
+@@ -204,3 +304,57 @@ interface(`mozilla_rw_tcp_sockets',`
allow $1 mozilla_t:tcp_socket rw_socket_perms;
')
@@ -6483,6 +6619,24 @@ index 9a6d67d..ceeb3e7 100644
+
+########################################
+## <summary>
++## Read mozilla_plugin tmpfs files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access
++## </summary>
++## </param>
++#
++interface(`mozilla_plugin_read_inherited_tmpfs_files',`
++ gen_require(`
++ type mozilla_plugin_tmpfs_t;
++ ')
++
++ allow $1 mozilla_plugin_tmpfs_t:file read_inherited_file_perms;
++')
++
++########################################
++## <summary>
+## Dontaudit read/write to a mozilla_plugin leaks
+## </summary>
+## <param name="domain">
@@ -8060,7 +8214,7 @@ index 2ba7787..9f12b51 100644
')
diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te
-index c2d20a2..ae14a7d 100644
+index c2d20a2..77178ab 100644
--- a/policy/modules/apps/pulseaudio.te
+++ b/policy/modules/apps/pulseaudio.te
@@ -44,6 +44,7 @@ allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -8105,10 +8259,23 @@ index c2d20a2..ae14a7d 100644
optional_policy(`
bluetooth_stream_connect(pulseaudio_t)
-@@ -131,6 +131,10 @@ optional_policy(`
+@@ -127,10 +127,23 @@ optional_policy(`
')
optional_policy(`
++ gnome_read_gkeyringd_state(pulseaudio_t)
++ gnome_signull_gkeyringd(pulseaudio_t)
++')
++
++optional_policy(`
+ rtkit_scheduled(pulseaudio_t)
+ ')
+
+ optional_policy(`
++ mozilla_plugin_read_inherited_tmpfs_files(pulseaudio_t)
++')
++
++optional_policy(`
+ mpd_read_tmpfs_files(pulseaudio_t)
+')
+
@@ -8116,7 +8283,7 @@ index c2d20a2..ae14a7d 100644
policykit_domtrans_auth(pulseaudio_t)
policykit_read_lib(pulseaudio_t)
policykit_read_reload(pulseaudio_t)
-@@ -148,3 +152,7 @@ optional_policy(`
+@@ -148,3 +161,7 @@ optional_policy(`
xserver_read_xdm_pid(pulseaudio_t)
xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t)
')
@@ -8570,10 +8737,10 @@ index 0000000..6caef63
+/usr/share/sandbox/start -- gen_context(system_u:object_r:sandbox_exec_t,s0)
diff --git a/policy/modules/apps/sandbox.if b/policy/modules/apps/sandbox.if
new file mode 100644
-index 0000000..0fedd57
+index 0000000..3b6af20
--- /dev/null
+++ b/policy/modules/apps/sandbox.if
-@@ -0,0 +1,305 @@
+@@ -0,0 +1,341 @@
+
+## <summary>policy for sandbox</summary>
+
@@ -8809,6 +8976,42 @@ index 0000000..0fedd57
+
+########################################
+## <summary>
++## Delete sandbox symbolic links
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access
++## </summary>
++## </param>
++#
++interface(`sandbox_delete_lnk_files',`
++ gen_require(`
++ type sandbox_file_t;
++ ')
++
++ delete_lnk_files_pattern($1, sandbox_file_t, sandbox_file_t)
++')
++
++########################################
++## <summary>
++## Delete sandbox fifo files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access
++## </summary>
++## </param>
++#
++interface(`sandbox_delete_pipes',`
++ gen_require(`
++ type sandbox_file_t;
++ ')
++
++ delete_fifo_files_pattern($1, sandbox_file_t, sandbox_file_t)
++')
++
++########################################
++## <summary>
+## Delete sandbox sock files
+## </summary>
+## <param name="domain">
@@ -8846,7 +9049,7 @@ index 0000000..0fedd57
+
+########################################
+## <summary>
-+## allow domain to delete sandbox files
++## Delete sandbox directories
+## </summary>
+## <param name="domain">
+## <summary>
@@ -9442,7 +9645,7 @@ index 320df26..bd8db22 100644
files_search_tmp($1_screen_t)
diff --git a/policy/modules/apps/seunshare.if b/policy/modules/apps/seunshare.if
-index 1dc7a85..787df80 100644
+index 1dc7a85..9342572 100644
--- a/policy/modules/apps/seunshare.if
+++ b/policy/modules/apps/seunshare.if
@@ -53,8 +53,14 @@ interface(`seunshare_run',`
@@ -9461,7 +9664,7 @@ index 1dc7a85..787df80 100644
## <param name="role">
## <summary>
## Role allowed access.
-@@ -66,15 +72,31 @@ interface(`seunshare_run',`
+@@ -66,15 +72,32 @@ interface(`seunshare_run',`
## </summary>
## </param>
#
@@ -9488,6 +9691,7 @@ index 1dc7a85..787df80 100644
+
+ ps_process_pattern($3, $1_seunshare_t)
+ allow $3 $1_seunshare_t:process signal_perms;
++ allow $3 $1_seunshare_t:fd use;
+
+ allow $1_seunshare_t $3:process transition;
+ dontaudit $1_seunshare_t $3:process { noatsecure siginh rlimitinh };
@@ -9895,10 +10099,10 @@ index 0000000..1d0f110
+')
diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te
new file mode 100644
-index 0000000..16b228e
+index 0000000..e2c8015
--- /dev/null
+++ b/policy/modules/apps/telepathy.te
-@@ -0,0 +1,388 @@
+@@ -0,0 +1,390 @@
+
+policy_module(telepathy, 1.0.0)
+
@@ -9955,6 +10159,8 @@ index 0000000..16b228e
+telepathy_domain_template(stream_engine)
+telepathy_domain_template(sunshine)
+telepathy_domain_template(logger)
++# New in F16
++permissive telepathy_logger_t;
+
+#######################################
+#
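Review bot: `permissive telepathy_logger_t;` leaves the logger domain unenforced, so denials are logged but not blocked, and the comment `# New in F16` records neither the reason nor when the line is to be removed. A comment that states the exit condition would keep this from shipping by default, e.g. `# New in F16: permissive while AVC denials are collected; remove before release (TODO: bug reference)`. The `telepathy_domain_template` list this follows starts outside the hunk, and none of the other domains in the visible part is marked permissive.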
@@ -12158,7 +12364,7 @@ index 5a07a43..eb5f76e 100644
corenet_udp_recvfrom_labeled($1, $2)
corenet_raw_recvfrom_labeled($1, $2)
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 0757523..16e8123 100644
+index 0757523..599c3e6 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -16,6 +16,7 @@ attribute rpc_port_type;
@@ -12267,7 +12473,7 @@ index 0757523..16e8123 100644
-network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
-network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
+network_port(jabber_router, tcp,5347,s0)
-+network_port(jboss_management, tcp,2712,s0)
++network_port(jboss_management, tcp,4712,s0, udp,4712,s0)
+network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0, tcp,4444,s0, udp,4444,s0)
+network_port(kerberos_admin, tcp,749,s0)
+network_port(kerberos_password, tcp,464,s0, udp,464,s0)
@@ -12429,7 +12635,7 @@ index 6cf8784..5b25039 100644
+#
+/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index e9313fb..dda5e2f 100644
+index e9313fb..8695196 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -146,14 +146,33 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -12518,10 +12724,28 @@ index e9313fb..dda5e2f 100644
########################################
## <summary>
## Read and write generic files in /dev.
-@@ -444,6 +499,24 @@ interface(`dev_getattr_generic_blk_files',`
+@@ -444,6 +499,42 @@ interface(`dev_getattr_generic_blk_files',`
########################################
## <summary>
++## Rename generic block device nodes.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dev_rename_generic_blk_files',`
++ gen_require(`
++ type device_t;
++ ')
++
++ rename_blk_files_pattern($1, device_t, device_t)
++')
++
++########################################
++## <summary>
+## write generic sock files in /dev.
+## </summary>
+## <param name="domain">
@@ -12543,7 +12767,32 @@ index e9313fb..dda5e2f 100644
## Dontaudit getattr on generic block devices.
## </summary>
## <param name="domain">
-@@ -628,7 +701,7 @@ interface(`dev_rw_generic_blk_files',`
+@@ -552,6 +643,24 @@ interface(`dev_dontaudit_getattr_generic_chr_files',`
+
+ ########################################
+ ## <summary>
++## Rename generic character device nodes.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dev_rename_generic_chr_files',`
++ gen_require(`
++ type device_t;
++ ')
++
++ rename_chr_files_pattern($1, device_t, device_t)
++')
++
++########################################
++## <summary>
+ ## Dontaudit setattr for generic character device files.
+ ## </summary>
+ ## <param name="domain">
+@@ -628,7 +737,7 @@ interface(`dev_rw_generic_blk_files',`
## </summary>
## <param name="domain">
## <summary>
@@ -12552,7 +12801,7 @@ index e9313fb..dda5e2f 100644
## </summary>
## </param>
#
-@@ -715,7 +788,7 @@ interface(`dev_dontaudit_setattr_generic_symlinks',`
+@@ -715,7 +824,7 @@ interface(`dev_dontaudit_setattr_generic_symlinks',`
########################################
## <summary>
@@ -12561,7 +12810,7 @@ index e9313fb..dda5e2f 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -723,17 +796,17 @@ interface(`dev_dontaudit_setattr_generic_symlinks',`
+@@ -723,17 +832,17 @@ interface(`dev_dontaudit_setattr_generic_symlinks',`
## </summary>
## </param>
#
@@ -12582,7 +12831,7 @@ index e9313fb..dda5e2f 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -741,17 +814,17 @@ interface(`dev_read_generic_symlinks',`
+@@ -741,17 +850,17 @@ interface(`dev_read_generic_symlinks',`
## </summary>
## </param>
#
@@ -12603,7 +12852,7 @@ index e9313fb..dda5e2f 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -759,12 +832,12 @@ interface(`dev_create_generic_symlinks',`
+@@ -759,12 +868,12 @@ interface(`dev_create_generic_symlinks',`
## </summary>
## </param>
#
@@ -12618,7 +12867,7 @@ index e9313fb..dda5e2f 100644
')
########################################
-@@ -920,7 +993,7 @@ interface(`dev_filetrans',`
+@@ -920,7 +1029,7 @@ interface(`dev_filetrans',`
type device_t;
')
@@ -12627,7 +12876,7 @@ index e9313fb..dda5e2f 100644
dev_associate($2)
files_associate_tmp($2)
-@@ -1006,6 +1079,7 @@ interface(`dev_dontaudit_getattr_all_blk_files',`
+@@ -1006,6 +1115,7 @@ interface(`dev_dontaudit_getattr_all_blk_files',`
interface(`dev_getattr_all_chr_files',`
gen_require(`
attribute device_node;
@@ -12635,7 +12884,7 @@ index e9313fb..dda5e2f 100644
')
getattr_chr_files_pattern($1, device_t, device_node)
-@@ -1178,6 +1252,42 @@ interface(`dev_create_all_chr_files',`
+@@ -1178,6 +1288,42 @@ interface(`dev_create_all_chr_files',`
########################################
## <summary>
@@ -12678,7 +12927,7 @@ index e9313fb..dda5e2f 100644
## Delete all block device files.
## </summary>
## <param name="domain">
-@@ -2663,7 +2773,7 @@ interface(`dev_write_misc',`
+@@ -2663,7 +2809,7 @@ interface(`dev_write_misc',`
## </summary>
## <param name="domain">
## <summary>
@@ -12687,7 +12936,7 @@ index e9313fb..dda5e2f 100644
## </summary>
## </param>
#
-@@ -3192,24 +3302,6 @@ interface(`dev_rw_printer',`
+@@ -3192,24 +3338,6 @@ interface(`dev_rw_printer',`
########################################
## <summary>
@@ -12712,7 +12961,7 @@ index e9313fb..dda5e2f 100644
## Get the attributes of the QEMU
## microcode and id interfaces.
## </summary>
-@@ -3793,6 +3885,24 @@ interface(`dev_getattr_sysfs_dirs',`
+@@ -3793,6 +3921,24 @@ interface(`dev_getattr_sysfs_dirs',`
########################################
## <summary>
@@ -12737,7 +12986,7 @@ index e9313fb..dda5e2f 100644
## Search the sysfs directories.
## </summary>
## <param name="domain">
-@@ -3884,25 +3994,6 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
+@@ -3884,25 +4030,6 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
########################################
## <summary>
@@ -12763,7 +13012,7 @@ index e9313fb..dda5e2f 100644
## Read hardware state information.
## </summary>
## <desc>
-@@ -3954,6 +4045,42 @@ interface(`dev_rw_sysfs',`
+@@ -3954,6 +4081,42 @@ interface(`dev_rw_sysfs',`
########################################
## <summary>
@@ -12806,7 +13055,7 @@ index e9313fb..dda5e2f 100644
## Read and write the TPM device.
## </summary>
## <param name="domain">
-@@ -4477,6 +4604,24 @@ interface(`dev_rw_vhost',`
+@@ -4477,6 +4640,24 @@ interface(`dev_rw_vhost',`
########################################
## <summary>
@@ -12831,7 +13080,7 @@ index e9313fb..dda5e2f 100644
## Read and write VMWare devices.
## </summary>
## <param name="domain">
-@@ -4514,6 +4659,24 @@ interface(`dev_rwx_vmware',`
+@@ -4514,6 +4695,24 @@ interface(`dev_rwx_vmware',`
########################################
## <summary>
@@ -12856,7 +13105,7 @@ index e9313fb..dda5e2f 100644
## Write to watchdog devices.
## </summary>
## <param name="domain">
-@@ -4748,3 +4911,772 @@ interface(`dev_unconfined',`
+@@ -4748,3 +4947,772 @@ interface(`dev_unconfined',`
typeattribute $1 devices_unconfined_type;
')
@@ -14118,7 +14367,7 @@ index 16108f6..de3c68f 100644
+
+/usr/lib/debug(/.*)? <<none>>
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 958ca84..1204be0 100644
+index 958ca84..811174e 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',`
@@ -14254,6 +14503,15 @@ index 958ca84..1204be0 100644
########################################
## <summary>
## Create directories in /boot
+@@ -1794,7 +1882,7 @@ interface(`files_boot_filetrans',`
+ type boot_t;
+ ')
+
+- filetrans_pattern($1, boot_t, $2, $3)
++ filetrans_pattern($1, boot_t, $2, $3, $4)
+ ')
+
+ ########################################
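Review bot: `files_boot_filetrans` now forwards a fourth argument, `filetrans_pattern($1, boot_t, $2, $3, $4)`, but nothing in this hunk documents it; the interface header lies above the hunk, so it may be updated elsewhere. The header should gain an optional `name` parameter block saying that it is the name of the object being created and what happens when it is omitted. The same applies to `files_home_filetrans`, `files_usr_filetrans`, `files_var_filetrans`, `files_var_lib_filetrans`, `files_lock_filetrans`, `files_pid_filetrans` and `files_spool_filetrans` in the following hunks. Existing three-argument callers now pass an empty `$4`, so it is worth confirming that `filetrans_pattern` (not shown here) expands cleanly in that case.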
@@ -1854,6 +1942,25 @@ interface(`files_relabelfrom_boot_files',`
relabelfrom_files_pattern($1, boot_t, boot_t)
')
@@ -14421,6 +14679,15 @@ index 958ca84..1204be0 100644
')
########################################
+@@ -3247,7 +3435,7 @@ interface(`files_home_filetrans',`
+ type home_root_t;
+ ')
+
+- filetrans_pattern($1, home_root_t, $2, $3)
++ filetrans_pattern($1, home_root_t, $2, $3, $4)
+ ')
+
+ ########################################
@@ -3287,6 +3475,24 @@ interface(`files_dontaudit_getattr_lost_found_dirs',`
dontaudit $1 lost_found_t:dir getattr;
')
@@ -14864,6 +15131,15 @@ index 958ca84..1204be0 100644
')
########################################
+@@ -4466,7 +4951,7 @@ interface(`files_usr_filetrans',`
+ type usr_t;
+ ')
+
+- filetrans_pattern($1, usr_t, $2, $3)
++ filetrans_pattern($1, usr_t, $2, $3, $4)
+ ')
+
+ ########################################
@@ -4736,6 +5221,24 @@ interface(`files_read_var_files',`
########################################
@@ -14889,6 +15165,24 @@ index 958ca84..1204be0 100644
## Read and write files in the /var directory.
## </summary>
## <param name="domain">
+@@ -4851,7 +5354,7 @@ interface(`files_var_filetrans',`
+ type var_t;
+ ')
+
+- filetrans_pattern($1, var_t, $2, $3)
++ filetrans_pattern($1, var_t, $2, $3, $4)
+ ')
+
+ ########################################
+@@ -4986,7 +5489,7 @@ interface(`files_var_lib_filetrans',`
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+- filetrans_pattern($1, var_lib_t, $2, $3)
++ filetrans_pattern($1, var_lib_t, $2, $3, $4)
+ ')
+
+ ########################################
@@ -5071,6 +5574,25 @@ interface(`files_manage_mounttab',`
########################################
@@ -15064,15 +15358,17 @@ index 958ca84..1204be0 100644
manage_dirs_pattern($1, lockfile, lockfile)
manage_files_pattern($1, lockfile, lockfile)
manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5275,7 +5860,7 @@ interface(`files_lock_filetrans',`
+@@ -5275,8 +5860,8 @@ interface(`files_lock_filetrans',`
type var_t, var_lock_t;
')
- allow $1 var_t:dir search_dir_perms;
+- filetrans_pattern($1, var_lock_t, $2, $3)
+ files_search_locks($1)
- filetrans_pattern($1, var_lock_t, $2, $3)
++ filetrans_pattern($1, var_lock_t, $2, $3, $4)
')
+ ########################################
@@ -5332,9 +5917,47 @@ interface(`files_search_pids',`
type var_t, var_run_t;
')
@@ -15121,6 +15417,15 @@ index 958ca84..1204be0 100644
########################################
## <summary>
## Do not audit attempts to search
+@@ -5463,7 +6086,7 @@ interface(`files_pid_filetrans',`
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+- filetrans_pattern($1, var_run_t, $2, $3)
++ filetrans_pattern($1, var_run_t, $2, $3, $4)
+ ')
+
+ ########################################
@@ -5542,6 +6165,62 @@ interface(`files_dontaudit_ioctl_all_pids',`
########################################
@@ -15229,6 +15534,15 @@ index 958ca84..1204be0 100644
')
########################################
+@@ -5769,7 +6486,7 @@ interface(`files_spool_filetrans',`
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+- filetrans_pattern($1, var_spool_t, $2, $3)
++ filetrans_pattern($1, var_spool_t, $2, $3, $4)
+ ')
+
+ ########################################
@@ -5844,3 +6561,284 @@ interface(`files_unconfined',`
typeattribute $1 files_unconfined_type;
@@ -15579,10 +15893,38 @@ index 59bae6a..2e55e71 100644
+/dev/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0)
+/dev/hugepages(/.*)? <<none>>
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index dfe361a..1c83074 100644
+index dfe361a..7484288 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
-@@ -646,11 +646,31 @@ interface(`fs_search_cgroup_dirs',`
+@@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
+
+ ########################################
+ ## <summary>
++## Get attributes of cgroup files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`fs_getattr_cgroup_files',`
++ gen_require(`
++ type cgroup_t;
++
++ ')
++
++ getattr_files_pattern($1, cgroup_t, cgroup_t)
++ fs_search_tmpfs($1)
++ dev_search_sysfs($1)
++')
++
++########################################
++## <summary>
+ ## Search cgroup directories.
+ ## </summary>
+ ## <param name="domain">
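Review bot: The `gen_require` block of `fs_getattr_cgroup_files` carries an empty line after `type cgroup_t;` that `dev_rename_generic_blk_files` earlier in this diff does not have; drop it so `type cgroup_t;` is directly followed by the closing `')`. The summary also says only "Get attributes of cgroup files", while the body additionally calls `fs_search_tmpfs($1)` and `dev_search_sysfs($1)`. A short `<desc>` noting the extra search access would make the granted permissions visible to callers.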
+@@ -646,11 +667,31 @@ interface(`fs_search_cgroup_dirs',`
')
search_dirs_pattern($1, cgroup_t, cgroup_t)
@@ -15614,7 +15956,7 @@ index dfe361a..1c83074 100644
## list cgroup directories.
## </summary>
## <param name="domain">
-@@ -665,9 +685,29 @@ interface(`fs_list_cgroup_dirs', `
+@@ -665,9 +706,29 @@ interface(`fs_list_cgroup_dirs', `
')
list_dirs_pattern($1, cgroup_t, cgroup_t)
@@ -15644,7 +15986,7 @@ index dfe361a..1c83074 100644
########################################
## <summary>
## Delete cgroup directories.
-@@ -684,6 +724,7 @@ interface(`fs_delete_cgroup_dirs', `
+@@ -684,6 +745,7 @@ interface(`fs_delete_cgroup_dirs', `
')
delete_dirs_pattern($1, cgroup_t, cgroup_t)
@@ -15652,7 +15994,7 @@ index dfe361a..1c83074 100644
dev_search_sysfs($1)
')
-@@ -704,6 +745,7 @@ interface(`fs_manage_cgroup_dirs',`
+@@ -704,6 +766,7 @@ interface(`fs_manage_cgroup_dirs',`
')
manage_dirs_pattern($1, cgroup_t, cgroup_t)
@@ -15660,7 +16002,7 @@ index dfe361a..1c83074 100644
dev_search_sysfs($1)
')
-@@ -724,6 +766,7 @@ interface(`fs_read_cgroup_files',`
+@@ -724,6 +787,7 @@ interface(`fs_read_cgroup_files',`
')
read_files_pattern($1, cgroup_t, cgroup_t)
@@ -15668,7 +16010,7 @@ index dfe361a..1c83074 100644
dev_search_sysfs($1)
')
-@@ -743,6 +786,7 @@ interface(`fs_write_cgroup_files', `
+@@ -743,6 +807,7 @@ interface(`fs_write_cgroup_files', `
')
write_files_pattern($1, cgroup_t, cgroup_t)
@@ -15676,7 +16018,7 @@ index dfe361a..1c83074 100644
dev_search_sysfs($1)
')
-@@ -763,6 +807,7 @@ interface(`fs_rw_cgroup_files',`
+@@ -763,6 +828,7 @@ interface(`fs_rw_cgroup_files',`
')
rw_files_pattern($1, cgroup_t, cgroup_t)
@@ -15684,7 +16026,7 @@ index dfe361a..1c83074 100644
dev_search_sysfs($1)
')
-@@ -803,6 +848,7 @@ interface(`fs_manage_cgroup_files',`
+@@ -803,6 +869,7 @@ interface(`fs_manage_cgroup_files',`
')
manage_files_pattern($1, cgroup_t, cgroup_t)
@@ -15692,7 +16034,7 @@ index dfe361a..1c83074 100644
dev_search_sysfs($1)
')
-@@ -1052,6 +1098,24 @@ interface(`fs_list_noxattr_fs',`
+@@ -1052,6 +1119,24 @@ interface(`fs_list_noxattr_fs',`
########################################
## <summary>
@@ -15717,7 +16059,7 @@ index dfe361a..1c83074 100644
## Create, read, write, and delete all noxattrfs directories.
## </summary>
## <param name="domain">
-@@ -1088,6 +1152,42 @@ interface(`fs_read_noxattr_fs_files',`
+@@ -1088,6 +1173,42 @@ interface(`fs_read_noxattr_fs_files',`
########################################
## <summary>
@@ -15760,7 +16102,7 @@ index dfe361a..1c83074 100644
## Dont audit attempts to write to noxattrfs files.
## </summary>
## <param name="domain">
-@@ -1227,6 +1327,42 @@ interface(`fs_dontaudit_append_cifs_files',`
+@@ -1227,6 +1348,42 @@ interface(`fs_dontaudit_append_cifs_files',`
########################################
## <summary>
@@ -15803,7 +16145,7 @@ index dfe361a..1c83074 100644
## Do not audit attempts to read or
## write files on a CIFS or SMB filesystem.
## </summary>
-@@ -1241,7 +1377,7 @@ interface(`fs_dontaudit_rw_cifs_files',`
+@@ -1241,7 +1398,7 @@ interface(`fs_dontaudit_rw_cifs_files',`
type cifs_t;
')
@@ -15812,7 +16154,7 @@ index dfe361a..1c83074 100644
')
########################################
-@@ -1504,6 +1640,25 @@ interface(`fs_cifs_domtrans',`
+@@ -1504,6 +1661,25 @@ interface(`fs_cifs_domtrans',`
domain_auto_transition_pattern($1, cifs_t, $2)
')
@@ -15838,7 +16180,7 @@ index dfe361a..1c83074 100644
#######################################
## <summary>
## Create, read, write, and delete dirs
-@@ -1659,6 +1814,25 @@ interface(`fs_search_dos',`
+@@ -1659,6 +1835,25 @@ interface(`fs_search_dos',`
########################################
## <summary>
@@ -15864,7 +16206,7 @@ index dfe361a..1c83074 100644
## Create, read, write, and delete dirs
## on a DOS filesystem.
## </summary>
-@@ -1774,6 +1948,24 @@ interface(`fs_unmount_fusefs',`
+@@ -1774,6 +1969,24 @@ interface(`fs_unmount_fusefs',`
########################################
## <summary>
@@ -15889,7 +16231,7 @@ index dfe361a..1c83074 100644
## Search directories
## on a FUSEFS filesystem.
## </summary>
-@@ -1892,6 +2084,26 @@ interface(`fs_manage_fusefs_files',`
+@@ -1892,6 +2105,26 @@ interface(`fs_manage_fusefs_files',`
########################################
## <summary>
@@ -15916,7 +16258,7 @@ index dfe361a..1c83074 100644
## Do not audit attempts to create,
## read, write, and delete files
## on a FUSEFS filesystem.
-@@ -1931,7 +2143,26 @@ interface(`fs_read_fusefs_symlinks',`
+@@ -1931,7 +2164,26 @@ interface(`fs_read_fusefs_symlinks',`
########################################
## <summary>
@@ -15944,7 +16286,7 @@ index dfe361a..1c83074 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1946,6 +2177,41 @@ interface(`fs_rw_hugetlbfs_files',`
+@@ -1946,6 +2198,41 @@ interface(`fs_rw_hugetlbfs_files',`
rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
')
@@ -15986,7 +16328,7 @@ index dfe361a..1c83074 100644
########################################
## <summary>
-@@ -1999,6 +2265,7 @@ interface(`fs_list_inotifyfs',`
+@@ -1999,6 +2286,7 @@ interface(`fs_list_inotifyfs',`
')
allow $1 inotifyfs_t:dir list_dir_perms;
@@ -15994,7 +16336,7 @@ index dfe361a..1c83074 100644
')
########################################
-@@ -2331,6 +2598,7 @@ interface(`fs_read_nfs_files',`
+@@ -2331,6 +2619,7 @@ interface(`fs_read_nfs_files',`
type nfs_t;
')
@@ -16002,7 +16344,7 @@ index dfe361a..1c83074 100644
allow $1 nfs_t:dir list_dir_perms;
read_files_pattern($1, nfs_t, nfs_t)
')
-@@ -2369,6 +2637,7 @@ interface(`fs_write_nfs_files',`
+@@ -2369,6 +2658,7 @@ interface(`fs_write_nfs_files',`
type nfs_t;
')
@@ -16010,7 +16352,7 @@ index dfe361a..1c83074 100644
allow $1 nfs_t:dir list_dir_perms;
write_files_pattern($1, nfs_t, nfs_t)
')
-@@ -2395,6 +2664,25 @@ interface(`fs_exec_nfs_files',`
+@@ -2395,6 +2685,25 @@ interface(`fs_exec_nfs_files',`
########################################
## <summary>
@@ -16036,7 +16378,7 @@ index dfe361a..1c83074 100644
## Append files
## on a NFS filesystem.
## </summary>
-@@ -2435,6 +2723,42 @@ interface(`fs_dontaudit_append_nfs_files',`
+@@ -2435,6 +2744,42 @@ interface(`fs_dontaudit_append_nfs_files',`
########################################
## <summary>
@@ -16079,7 +16421,7 @@ index dfe361a..1c83074 100644
## Do not audit attempts to read or
## write files on a NFS filesystem.
## </summary>
-@@ -2449,7 +2773,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
+@@ -2449,7 +2794,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
type nfs_t;
')
@@ -16088,7 +16430,7 @@ index dfe361a..1c83074 100644
')
########################################
-@@ -2587,7 +2911,7 @@ interface(`fs_search_removable',`
+@@ -2587,7 +2932,7 @@ interface(`fs_search_removable',`
## </summary>
## <param name="domain">
## <summary>
@@ -16097,7 +16439,7 @@ index dfe361a..1c83074 100644
## </summary>
## </param>
#
-@@ -2623,7 +2947,7 @@ interface(`fs_read_removable_files',`
+@@ -2623,7 +2968,7 @@ interface(`fs_read_removable_files',`
## </summary>
## <param name="domain">
## <summary>
@@ -16106,7 +16448,7 @@ index dfe361a..1c83074 100644
## </summary>
## </param>
#
-@@ -2637,6 +2961,24 @@ interface(`fs_dontaudit_read_removable_files',`
+@@ -2637,6 +2982,24 @@ interface(`fs_dontaudit_read_removable_files',`
########################################
## <summary>
@@ -16131,7 +16473,7 @@ index dfe361a..1c83074 100644
## Read removable storage symbolic links.
## </summary>
## <param name="domain">
-@@ -2653,6 +2995,25 @@ interface(`fs_read_removable_symlinks',`
+@@ -2653,6 +3016,25 @@ interface(`fs_read_removable_symlinks',`
read_lnk_files_pattern($1, removable_t, removable_t)
')
@@ -16157,7 +16499,7 @@ index dfe361a..1c83074 100644
########################################
## <summary>
## Read and write block nodes on removable filesystems.
-@@ -2779,6 +3140,7 @@ interface(`fs_manage_nfs_dirs',`
+@@ -2779,6 +3161,7 @@ interface(`fs_manage_nfs_dirs',`
type nfs_t;
')
@@ -16165,7 +16507,7 @@ index dfe361a..1c83074 100644
allow $1 nfs_t:dir manage_dir_perms;
')
-@@ -2819,6 +3181,7 @@ interface(`fs_manage_nfs_files',`
+@@ -2819,6 +3202,7 @@ interface(`fs_manage_nfs_files',`
type nfs_t;
')
@@ -16173,7 +16515,7 @@ index dfe361a..1c83074 100644
manage_files_pattern($1, nfs_t, nfs_t)
')
-@@ -2845,7 +3208,7 @@ interface(`fs_dontaudit_manage_nfs_files',`
+@@ -2845,7 +3229,7 @@ interface(`fs_dontaudit_manage_nfs_files',`
#########################################
## <summary>
## Create, read, write, and delete symbolic links
@@ -16182,7 +16524,7 @@ index dfe361a..1c83074 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2859,6 +3222,7 @@ interface(`fs_manage_nfs_symlinks',`
+@@ -2859,6 +3243,7 @@ interface(`fs_manage_nfs_symlinks',`
type nfs_t;
')
@@ -16190,7 +16532,7 @@ index dfe361a..1c83074 100644
manage_lnk_files_pattern($1, nfs_t, nfs_t)
')
-@@ -3772,6 +4136,42 @@ interface(`fs_dontaudit_list_tmpfs',`
+@@ -3772,6 +4157,42 @@ interface(`fs_dontaudit_list_tmpfs',`
########################################
## <summary>
@@ -16233,7 +16575,7 @@ index dfe361a..1c83074 100644
## Create, read, write, and delete
## tmpfs directories
## </summary>
-@@ -3989,6 +4389,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -3989,6 +4410,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
########################################
## <summary>
@@ -16258,7 +16600,7 @@ index dfe361a..1c83074 100644
## Relabel character nodes on tmpfs filesystems.
## </summary>
## <param name="domain">
-@@ -4271,6 +4689,8 @@ interface(`fs_mount_all_fs',`
+@@ -4271,6 +4710,8 @@ interface(`fs_mount_all_fs',`
')
allow $1 filesystem_type:filesystem mount;
@@ -16267,7 +16609,7 @@ index dfe361a..1c83074 100644
')
########################################
-@@ -4317,7 +4737,7 @@ interface(`fs_unmount_all_fs',`
+@@ -4317,7 +4758,7 @@ interface(`fs_unmount_all_fs',`
## <desc>
## <p>
## Allow the specified domain to
@@ -16276,7 +16618,7 @@ index dfe361a..1c83074 100644
## Example attributes:
## </p>
## <ul>
-@@ -4681,3 +5101,24 @@ interface(`fs_unconfined',`
+@@ -4681,3 +5122,24 @@ interface(`fs_unconfined',`
typeattribute $1 filesystem_unconfined_type;
')
@@ -18094,7 +18436,7 @@ index 1cb7311..1de82b2 100644
+
+gen_user(guest_u, user, guest_r, s0, s0)
diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te
-index be4de58..2efb6e9 100644
+index be4de58..cce681a 100644
--- a/policy/modules/roles/secadm.te
+++ b/policy/modules/roles/secadm.te
@@ -9,6 +9,8 @@ role secadm_r;
@@ -18106,21 +18448,11 @@ index be4de58..2efb6e9 100644
########################################
#
-@@ -39,6 +41,9 @@ logging_read_audit_log(secadm_t)
- logging_read_generic_logs(secadm_t)
- logging_read_audit_config(secadm_t)
-
-+seutil_rw_config(secadm_t)
-+seutil_rw_default_contexts(secadm_t)
-+
- optional_policy(`
- aide_run(secadm_t, secadm_r)
- ')
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 2be17d2..9482840 100644
+index 2be17d2..3664943 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
-@@ -8,12 +8,51 @@ policy_module(staff, 2.2.0)
+@@ -8,12 +8,53 @@ policy_module(staff, 2.2.0)
role staff_r;
userdom_unpriv_user_template(staff)
@@ -18140,6 +18472,8 @@ index 2be17d2..9482840 100644
+kernel_read_software_raid_state(staff_usertype)
+kernel_read_fs_sysctls(staff_usertype)
+
++dev_read_cpuid(staff_usertype)
++
+domain_read_all_domains_state(staff_usertype)
+domain_getattr_all_domains(staff_usertype)
+domain_obj_id_change_exemption(staff_t)
@@ -18172,7 +18506,7 @@ index 2be17d2..9482840 100644
optional_policy(`
apache_role(staff_r, staff_t)
')
-@@ -27,19 +66,95 @@ optional_policy(`
+@@ -27,19 +68,95 @@ optional_policy(`
')
optional_policy(`
@@ -18270,7 +18604,7 @@ index 2be17d2..9482840 100644
')
optional_policy(`
-@@ -48,10 +163,48 @@ optional_policy(`
+@@ -48,10 +165,48 @@ optional_policy(`
')
optional_policy(`
@@ -18319,7 +18653,7 @@ index 2be17d2..9482840 100644
xserver_role(staff_r, staff_t)
')
-@@ -89,10 +242,6 @@ ifndef(`distro_redhat',`
+@@ -89,10 +244,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -18330,7 +18664,7 @@ index 2be17d2..9482840 100644
gpg_role(staff_r, staff_t)
')
-@@ -137,10 +286,6 @@ ifndef(`distro_redhat',`
+@@ -137,10 +288,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -18341,7 +18675,7 @@ index 2be17d2..9482840 100644
spamassassin_role(staff_r, staff_t)
')
-@@ -172,3 +317,7 @@ ifndef(`distro_redhat',`
+@@ -172,3 +319,7 @@ ifndef(`distro_redhat',`
wireshark_role(staff_r, staff_t)
')
')
@@ -18350,7 +18684,7 @@ index 2be17d2..9482840 100644
+ userdom_execmod_user_home_files(staff_usertype)
+')
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 4a8d146..df78564 100644
+index 4a8d146..7072611 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -24,20 +24,55 @@ ifndef(`enable_mls',`
@@ -18521,7 +18855,7 @@ index 4a8d146..df78564 100644
')
optional_policy(`
-@@ -225,6 +274,10 @@ optional_policy(`
+@@ -225,12 +274,20 @@ optional_policy(`
')
optional_policy(`
@@ -18532,7 +18866,17 @@ index 4a8d146..df78564 100644
netutils_run(sysadm_t, sysadm_r)
netutils_run_ping(sysadm_t, sysadm_r)
netutils_run_traceroute(sysadm_t, sysadm_r)
-@@ -253,19 +306,19 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ networkmanager_filetrans_named_content(sysadm_t)
++')
++
++optional_policy(`
+ ntp_stub()
+ corenet_udp_bind_ntp_port(sysadm_t)
+ ')
+@@ -253,19 +310,19 @@ optional_policy(`
')
optional_policy(`
@@ -18556,7 +18900,7 @@ index 4a8d146..df78564 100644
')
optional_policy(`
-@@ -274,10 +327,7 @@ optional_policy(`
+@@ -274,10 +331,7 @@ optional_policy(`
optional_policy(`
rpm_run(sysadm_t, sysadm_r)
@@ -18568,7 +18912,7 @@ index 4a8d146..df78564 100644
')
optional_policy(`
-@@ -302,12 +352,18 @@ optional_policy(`
+@@ -302,12 +356,18 @@ optional_policy(`
')
optional_policy(`
@@ -18588,7 +18932,7 @@ index 4a8d146..df78564 100644
')
optional_policy(`
-@@ -332,10 +388,6 @@ optional_policy(`
+@@ -332,10 +392,6 @@ optional_policy(`
')
optional_policy(`
@@ -18599,7 +18943,7 @@ index 4a8d146..df78564 100644
tripwire_run_siggen(sysadm_t, sysadm_r)
tripwire_run_tripwire(sysadm_t, sysadm_r)
tripwire_run_twadmin(sysadm_t, sysadm_r)
-@@ -343,19 +395,15 @@ optional_policy(`
+@@ -343,19 +399,15 @@ optional_policy(`
')
optional_policy(`
@@ -18621,7 +18965,7 @@ index 4a8d146..df78564 100644
')
optional_policy(`
-@@ -367,45 +415,45 @@ optional_policy(`
+@@ -367,45 +419,45 @@ optional_policy(`
')
optional_policy(`
@@ -18678,7 +19022,7 @@ index 4a8d146..df78564 100644
auth_role(sysadm_r, sysadm_t)
')
-@@ -439,6 +487,7 @@ ifndef(`distro_redhat',`
+@@ -439,6 +491,7 @@ ifndef(`distro_redhat',`
optional_policy(`
gnome_role(sysadm_r, sysadm_t)
@@ -18686,7 +19030,7 @@ index 4a8d146..df78564 100644
')
optional_policy(`
-@@ -452,5 +501,60 @@ ifndef(`distro_redhat',`
+@@ -452,5 +505,60 @@ ifndef(`distro_redhat',`
optional_policy(`
java_role(sysadm_r, sysadm_t)
')
@@ -19457,10 +19801,10 @@ index 0000000..8b2cdf3
+
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
new file mode 100644
-index 0000000..25eea4a
+index 0000000..168668b
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,527 @@
+@@ -0,0 +1,528 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -19651,6 +19995,7 @@ index 0000000..25eea4a
+
+ optional_policy(`
+ networkmanager_dbus_chat(unconfined_usertype)
++ networkmanager_filetrans_named_content(unconfined_usertype)
+ ')
+
+ optional_policy(`
@@ -19878,7 +20223,7 @@ index 0000000..25eea4a
+')
+
+optional_policy(`
-+ quota_run(unconfined_t, unconfined_r)
++ quota_filetrans_named_content(unconfined_t)
+')
+
+optional_policy(`
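Review bot: In the quota `optional_policy` block, `quota_run(unconfined_t, unconfined_r)` is replaced by `quota_filetrans_named_content(unconfined_t)` rather than joined by it, so the new policy no longer calls `quota_run` for unconfined_t. The NetworkManager change earlier in this file keeps `networkmanager_dbus_chat(unconfined_usertype)` and adds the named-content call next to it, which makes the quota replacement look unintended. If both are wanted, the block should hold `quota_run(unconfined_t, unconfined_r)` followed by `quota_filetrans_named_content(unconfined_t)`. If dropping `quota_run` is deliberate, the changelog entry should say so.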
@@ -21482,7 +21827,7 @@ index c3a1903..19fb14a 100644
')
diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
-index 9e39aa5..ec27284 100644
+index 9e39aa5..7bace76 100644
--- a/policy/modules/services/apache.fc
+++ b/policy/modules/services/apache.fc
@@ -2,7 +2,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u
@@ -21536,15 +21881,16 @@ index 9e39aa5..ec27284 100644
/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
-@@ -86,7 +87,6 @@ ifdef(`distro_suse', `
+@@ -86,7 +87,7 @@ ifdef(`distro_suse', `
/var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/piranha(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++/var/log/roundcubemail(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
ifdef(`distro_debian', `
/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-@@ -109,3 +109,22 @@ ifdef(`distro_debian', `
+@@ -109,3 +110,22 @@ ifdef(`distro_debian', `
/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
@@ -22181,7 +22527,7 @@ index 6480167..63822c0 100644
+ userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "web")
')
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 3136c6a..0321283 100644
+index 3136c6a..d7d9be2 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -18,130 +18,195 @@ policy_module(apache, 2.2.1)
@@ -22518,15 +22864,16 @@ index 3136c6a..0321283 100644
manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
-@@ -355,6 +441,7 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -355,6 +441,8 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
kernel_read_kernel_sysctls(httpd_t)
# for modules that want to access /proc/meminfo
kernel_read_system_state(httpd_t)
++kernel_read_network_state(httpd_t)
+kernel_search_network_sysctl(httpd_t)
corenet_all_recvfrom_unlabeled(httpd_t)
corenet_all_recvfrom_netlabel(httpd_t)
-@@ -365,8 +452,11 @@ corenet_udp_sendrecv_generic_node(httpd_t)
+@@ -365,8 +453,11 @@ corenet_udp_sendrecv_generic_node(httpd_t)
corenet_tcp_sendrecv_all_ports(httpd_t)
corenet_udp_sendrecv_all_ports(httpd_t)
corenet_tcp_bind_generic_node(httpd_t)
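Review bot: `kernel_read_network_state(httpd_t)` is added directly under the comment `# for modules that want to access /proc/meminfo`, which does not describe it. It is also granted unconditionally rather than inside one of the `tunable_policy` blocks this file uses for optional httpd features. Please add a one-line comment naming what needs it, for example `# <module or script> reads network state` (placeholder; the consumer is not visible here), and move the call below `kernel_search_network_sysctl(httpd_t)` so the existing comment stays accurate. If only some deployments need the access, putting it behind a boolean would keep the default httpd_t narrower.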
@@ -22538,7 +22885,7 @@ index 3136c6a..0321283 100644
corenet_sendrecv_http_server_packets(httpd_t)
# Signal self for shutdown
corenet_tcp_connect_http_port(httpd_t)
-@@ -378,12 +468,12 @@ dev_rw_crypto(httpd_t)
+@@ -378,12 +469,12 @@ dev_rw_crypto(httpd_t)
fs_getattr_all_fs(httpd_t)
fs_search_auto_mountpoints(httpd_t)
@@ -22554,7 +22901,7 @@ index 3136c6a..0321283 100644
domain_use_interactive_fds(httpd_t)
-@@ -391,6 +481,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
+@@ -391,6 +482,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
files_read_usr_files(httpd_t)
files_list_mnt(httpd_t)
files_search_spool(httpd_t)
@@ -22562,7 +22909,7 @@ index 3136c6a..0321283 100644
files_read_var_lib_files(httpd_t)
files_search_home(httpd_t)
files_getattr_home_dir(httpd_t)
-@@ -402,6 +493,13 @@ files_read_etc_files(httpd_t)
+@@ -402,6 +494,13 @@ files_read_etc_files(httpd_t)
files_read_var_lib_symlinks(httpd_t)
fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -22576,7 +22923,7 @@ index 3136c6a..0321283 100644
libs_read_lib_files(httpd_t)
-@@ -416,34 +514,74 @@ seutil_dontaudit_search_config(httpd_t)
+@@ -416,34 +515,74 @@ seutil_dontaudit_search_config(httpd_t)
userdom_use_unpriv_users_fds(httpd_t)
@@ -22653,7 +23000,7 @@ index 3136c6a..0321283 100644
')
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -456,6 +594,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -456,6 +595,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
@@ -22664,7 +23011,7 @@ index 3136c6a..0321283 100644
manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
-@@ -466,15 +608,27 @@ tunable_policy(`httpd_enable_ftp_server',`
+@@ -466,15 +609,27 @@ tunable_policy(`httpd_enable_ftp_server',`
corenet_tcp_bind_ftp_port(httpd_t)
')
@@ -22694,7 +23041,7 @@ index 3136c6a..0321283 100644
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_t)
fs_read_cifs_symlinks(httpd_t)
-@@ -484,7 +638,16 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -484,7 +639,16 @@ tunable_policy(`httpd_can_sendmail',`
# allow httpd to connect to mail servers
corenet_tcp_connect_smtp_port(httpd_t)
corenet_sendrecv_smtp_client_packets(httpd_t)
@@ -22711,7 +23058,7 @@ index 3136c6a..0321283 100644
')
tunable_policy(`httpd_ssi_exec',`
-@@ -499,9 +662,19 @@ tunable_policy(`httpd_ssi_exec',`
+@@ -499,9 +663,19 @@ tunable_policy(`httpd_ssi_exec',`
# to run correctly without this permission, so the permission
# are dontaudited here.
tunable_policy(`httpd_tty_comm',`
@@ -22732,7 +23079,7 @@ index 3136c6a..0321283 100644
')
optional_policy(`
-@@ -513,7 +686,13 @@ optional_policy(`
+@@ -513,7 +687,13 @@ optional_policy(`
')
optional_policy(`
@@ -22747,7 +23094,7 @@ index 3136c6a..0321283 100644
')
optional_policy(`
-@@ -528,7 +707,18 @@ optional_policy(`
+@@ -528,7 +708,18 @@ optional_policy(`
daemontools_service_domain(httpd_t, httpd_exec_t)
')
@@ -22767,7 +23114,7 @@ index 3136c6a..0321283 100644
dbus_system_bus_client(httpd_t)
tunable_policy(`httpd_dbus_avahi',`
-@@ -537,8 +727,13 @@ optional_policy(`
+@@ -537,8 +728,13 @@ optional_policy(`
')
optional_policy(`
@@ -22782,7 +23129,7 @@ index 3136c6a..0321283 100644
')
')
-@@ -556,7 +751,13 @@ optional_policy(`
+@@ -556,7 +752,13 @@ optional_policy(`
')
optional_policy(`
@@ -22796,7 +23143,7 @@ index 3136c6a..0321283 100644
mysql_stream_connect(httpd_t)
mysql_rw_db_sockets(httpd_t)
-@@ -567,6 +768,7 @@ optional_policy(`
+@@ -567,6 +769,7 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
@@ -22804,7 +23151,7 @@ index 3136c6a..0321283 100644
')
optional_policy(`
-@@ -577,6 +779,16 @@ optional_policy(`
+@@ -577,6 +780,16 @@ optional_policy(`
')
optional_policy(`
@@ -22821,7 +23168,7 @@ index 3136c6a..0321283 100644
# Allow httpd to work with postgresql
postgresql_stream_connect(httpd_t)
postgresql_unpriv_client(httpd_t)
-@@ -591,6 +803,11 @@ optional_policy(`
+@@ -591,6 +804,11 @@ optional_policy(`
')
optional_policy(`
@@ -22833,7 +23180,7 @@ index 3136c6a..0321283 100644
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -603,6 +820,11 @@ optional_policy(`
+@@ -603,6 +821,11 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -22845,7 +23192,7 @@ index 3136c6a..0321283 100644
########################################
#
# Apache helper local policy
-@@ -616,7 +838,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
+@@ -616,7 +839,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
logging_send_syslog_msg(httpd_helper_t)
@@ -22858,7 +23205,7 @@ index 3136c6a..0321283 100644
########################################
#
-@@ -654,28 +880,30 @@ libs_exec_lib_files(httpd_php_t)
+@@ -654,28 +881,30 @@ libs_exec_lib_files(httpd_php_t)
userdom_use_unpriv_users_fds(httpd_php_t)
tunable_policy(`httpd_can_network_connect_db',`
@@ -22902,7 +23249,7 @@ index 3136c6a..0321283 100644
')
########################################
-@@ -685,6 +913,8 @@ optional_policy(`
+@@ -685,6 +914,8 @@ optional_policy(`
allow httpd_suexec_t self:capability { setuid setgid };
allow httpd_suexec_t self:process signal_perms;
@@ -22911,7 +23258,7 @@ index 3136c6a..0321283 100644
allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-@@ -699,17 +929,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -699,17 +930,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@@ -22937,7 +23284,7 @@ index 3136c6a..0321283 100644
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
-@@ -740,13 +975,31 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -740,13 +976,31 @@ tunable_policy(`httpd_can_network_connect',`
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
@@ -22970,7 +23317,7 @@ index 3136c6a..0321283 100644
fs_read_nfs_files(httpd_suexec_t)
fs_read_nfs_symlinks(httpd_suexec_t)
fs_exec_nfs_files(httpd_suexec_t)
-@@ -769,6 +1022,25 @@ optional_policy(`
+@@ -769,6 +1023,25 @@ optional_policy(`
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -22996,7 +23343,7 @@ index 3136c6a..0321283 100644
########################################
#
# Apache system script local policy
-@@ -789,12 +1061,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+@@ -789,12 +1062,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
kernel_read_kernel_sysctls(httpd_sys_script_t)
@@ -23014,7 +23361,7 @@ index 3136c6a..0321283 100644
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
-@@ -803,18 +1080,50 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -803,18 +1081,50 @@ tunable_policy(`httpd_can_sendmail',`
mta_send_mail(httpd_sys_script_t)
')
@@ -23071,7 +23418,7 @@ index 3136c6a..0321283 100644
corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
corenet_tcp_connect_all_ports(httpd_sys_script_t)
-@@ -822,14 +1131,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -822,14 +1132,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
')
tunable_policy(`httpd_enable_homedirs',`
@@ -23102,7 +23449,7 @@ index 3136c6a..0321283 100644
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,10 +1166,20 @@ optional_policy(`
+@@ -842,10 +1167,20 @@ optional_policy(`
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -23123,7 +23470,7 @@ index 3136c6a..0321283 100644
')
########################################
-@@ -891,11 +1225,21 @@ optional_policy(`
+@@ -891,11 +1226,21 @@ optional_policy(`
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -25182,7 +25529,7 @@ index 6ee2cc8..3105b09 100644
#
interface(`ccs_domtrans',`
diff --git a/policy/modules/services/ccs.te b/policy/modules/services/ccs.te
-index 4c90b57..af806c2 100644
+index 4c90b57..418eb6b 100644
--- a/policy/modules/services/ccs.te
+++ b/policy/modules/services/ccs.te
@@ -10,7 +10,7 @@ type ccs_exec_t;
@@ -25203,7 +25550,15 @@ index 4c90b57..af806c2 100644
manage_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
manage_sock_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
logging_log_filetrans(ccs_t, ccs_var_log_t, { sock_file file dir })
-@@ -107,7 +107,7 @@ sysnet_dns_name_resolve(ccs_t)
+@@ -97,6 +97,7 @@ files_read_etc_files(ccs_t)
+ files_read_etc_runtime_files(ccs_t)
+
+ init_rw_script_tmp_files(ccs_t)
++init_signal(ccs_t)
+
+ logging_send_syslog_msg(ccs_t)
+
+@@ -107,7 +108,7 @@ sysnet_dns_name_resolve(ccs_t)
userdom_manage_unpriv_user_shared_mem(ccs_t)
userdom_manage_unpriv_user_semaphores(ccs_t)
@@ -25212,7 +25567,7 @@ index 4c90b57..af806c2 100644
corecmd_dontaudit_write_bin_dirs(ccs_t)
files_manage_isid_type_files(ccs_t)
')
-@@ -118,5 +118,10 @@ optional_policy(`
+@@ -118,5 +119,10 @@ optional_policy(`
')
optional_policy(`
@@ -26730,10 +27085,10 @@ index 0000000..939d76e
+')
diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
new file mode 100644
-index 0000000..9d5aa88
+index 0000000..9d0208a
--- /dev/null
+++ b/policy/modules/services/colord.te
-@@ -0,0 +1,112 @@
+@@ -0,0 +1,117 @@
+policy_module(colord,1.0.0)
+
+########################################
@@ -26803,9 +27158,12 @@ index 0000000..9d5aa88
+files_read_usr_files(colord_t)
+
+fs_search_all(colord_t)
++fs_getattr_noxattr_fs(colord_t)
++fs_list_noxattr_fs(colord_t)
+fs_read_noxattr_fs_files(colord_t)
+
+storage_getattr_fixed_disk_dev(colord_t)
++storage_getattr_removable_dev(colord_t)
+storage_read_scsi_generic(colord_t)
+storage_write_scsi_generic(colord_t)
+
@@ -26818,11 +27176,13 @@ index 0000000..9d5aa88
+userdom_read_inherited_user_home_content_files(colord_t)
+
+tunable_policy(`use_nfs_home_dirs',`
-+ fs_read_nfs_files(colord_t)
++ fs_getattr_nfs(colord_t)
++ fs_read_nfs_files(colord_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
-+ fs_read_cifs_files(colord_t)
++ fs_getattr_cifs(colord_t)
++ fs_read_cifs_files(colord_t)
+')
+
+optional_policy(`
@@ -30453,7 +30813,7 @@ index e1d7dc5..673f185 100644
admin_pattern($1, dovecot_var_run_t)
diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
-index cbe14e4..778b174 100644
+index cbe14e4..ce42295 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -18,7 +18,7 @@ type dovecot_auth_tmp_t;
@@ -30573,7 +30933,7 @@ index cbe14e4..778b174 100644
postfix_search_spool(dovecot_auth_t)
')
-@@ -249,23 +273,40 @@ optional_policy(`
+@@ -249,23 +273,42 @@ optional_policy(`
#
# dovecot deliver local policy
#
@@ -30588,8 +30948,6 @@ index cbe14e4..778b174 100644
+read_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t)
+read_lnk_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t)
+
- allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
-
+allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms;
+
+append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)
@@ -30598,8 +30956,12 @@ index cbe14e4..778b174 100644
+manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t)
+files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir })
+
-+can_exec(dovecot_deliver_t, dovecot_deliver_exec_t)
+ allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
++read_sock_files_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t)
++dovecot_stream_connect(dovecot_deliver_t)
+
++can_exec(dovecot_deliver_t, dovecot_deliver_exec_t)
+
kernel_read_all_sysctls(dovecot_deliver_t)
kernel_read_system_state(dovecot_deliver_t)
@@ -30616,7 +30978,7 @@ index cbe14e4..778b174 100644
miscfiles_read_localization(dovecot_deliver_t)
-@@ -301,5 +342,15 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -301,5 +344,15 @@ tunable_policy(`use_samba_home_dirs',`
')
optional_policy(`
@@ -30785,12 +31147,11 @@ index 0000000..63f11d9
+
diff --git a/policy/modules/services/drbd.te b/policy/modules/services/drbd.te
new file mode 100644
-index 0000000..1453c54
+index 0000000..3bca7b0
--- /dev/null
+++ b/policy/modules/services/drbd.te
-@@ -0,0 +1,55 @@
-+
-+policy_module(drbd,1.0.0)
+@@ -0,0 +1,50 @@
++policy_module(drbd, 1.0.0)
+
+########################################
+#
@@ -30812,11 +31173,8 @@ index 0000000..1453c54
+# drbd local policy
+#
+
-+allow drbd_t self:capability net_admin;
-+
-+allow drbd_t self:capability { kill };
-+allow drbd_t self:process { fork };
-+
++allow drbd_t self:capability { kill net_admin };
++dontaudit drbd_t self:capability sys_tty_config;
+allow drbd_t self:fifo_file rw_fifo_file_perms;
+allow drbd_t self:unix_stream_socket create_stream_socket_perms;
+allow drbd_t self:netlink_socket create_socket_perms;
@@ -30843,7 +31201,6 @@ index 0000000..1453c54
+miscfiles_read_localization(drbd_t)
+
+sysnet_dns_name_resolve(drbd_t)
-+
diff --git a/policy/modules/services/exim.fc b/policy/modules/services/exim.fc
index 298f066..c2570df 100644
--- a/policy/modules/services/exim.fc
@@ -33258,6 +33615,18 @@ index df48e5e..6985546 100644
gen_require(`
type inetd_t;
')
+diff --git a/policy/modules/services/inetd.te b/policy/modules/services/inetd.te
+index c51a7b2..de05a6f 100644
+--- a/policy/modules/services/inetd.te
++++ b/policy/modules/services/inetd.te
+@@ -149,6 +149,7 @@ miscfiles_read_localization(inetd_t)
+ mls_fd_share_all_levels(inetd_t)
+ mls_socket_read_to_clearance(inetd_t)
+ mls_socket_write_to_clearance(inetd_t)
++mls_net_outbound_all_levels(inetd_t)
+ mls_process_set_level(inetd_t)
+
+ sysnet_read_config(inetd_t)
diff --git a/policy/modules/services/inn.fc b/policy/modules/services/inn.fc
index 8ca038d..8507ee2 100644
--- a/policy/modules/services/inn.fc
@@ -33768,7 +34137,7 @@ index 3525d24..923e979 100644
/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/HTTP_23 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if
-index 604f67b..1692784 100644
+index 604f67b..b80c8f0 100644
--- a/policy/modules/services/kerberos.if
+++ b/policy/modules/services/kerberos.if
@@ -26,9 +26,9 @@
@@ -33979,7 +34348,7 @@ index 604f67b..1692784 100644
+
+########################################
+## <summary>
-+## Transition to apache named content
++## Transition to kerberos named content
+## </summary>
+## <param name="domain">
+## <summary>
@@ -36481,7 +36850,7 @@ index 256166a..df99841 100644
/usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
-index 343cee3..e836951 100644
+index 343cee3..fe40cce 100644
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@@ -37,9 +37,9 @@ interface(`mta_stub',`
@@ -36659,7 +37028,7 @@ index 343cee3..e836951 100644
+ ')
+
+ corecmd_search_bin($1)
-+ allow $1 sendmail_exec_t:file audit_access;
++ allow $1 sendmail_exec_t:file { getattr_file_perms audit_access };
+')
+
+########################################
@@ -36677,7 +37046,15 @@ index 343cee3..e836951 100644
')
########################################
-@@ -532,7 +590,7 @@ interface(`mta_etc_filetrans_aliases',`
+@@ -494,6 +552,7 @@ interface(`mta_read_aliases',`
+
+ files_search_etc($1)
+ allow $1 etc_aliases_t:file read_file_perms;
++ allow $1 etc_aliases_t:lnk_file read_lnk_file_perms;
+ ')
+
+ ########################################
+@@ -532,7 +591,7 @@ interface(`mta_etc_filetrans_aliases',`
type etc_aliases_t;
')
@@ -36686,7 +37063,7 @@ index 343cee3..e836951 100644
')
########################################
-@@ -552,7 +610,7 @@ interface(`mta_rw_aliases',`
+@@ -552,7 +611,7 @@ interface(`mta_rw_aliases',`
')
files_search_etc($1)
@@ -36695,7 +37072,7 @@ index 343cee3..e836951 100644
')
#######################################
-@@ -646,8 +704,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
+@@ -646,8 +705,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
files_dontaudit_search_spool($1)
dontaudit $1 mail_spool_t:dir search_dir_perms;
@@ -36706,7 +37083,7 @@ index 343cee3..e836951 100644
')
#######################################
-@@ -697,8 +755,8 @@ interface(`mta_rw_spool',`
+@@ -697,8 +756,8 @@ interface(`mta_rw_spool',`
files_search_spool($1)
allow $1 mail_spool_t:dir list_dir_perms;
@@ -36717,7 +37094,7 @@ index 343cee3..e836951 100644
read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
')
-@@ -838,7 +896,7 @@ interface(`mta_dontaudit_rw_queue',`
+@@ -838,7 +897,7 @@ interface(`mta_dontaudit_rw_queue',`
')
dontaudit $1 mqueue_spool_t:dir search_dir_perms;
@@ -36726,7 +37103,7 @@ index 343cee3..e836951 100644
')
########################################
-@@ -899,3 +957,112 @@ interface(`mta_rw_user_mail_stream_sockets',`
+@@ -899,3 +958,112 @@ interface(`mta_rw_user_mail_stream_sockets',`
allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
')
@@ -38012,7 +38389,7 @@ index 386543b..984eefc 100644
/var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
diff --git a/policy/modules/services/networkmanager.if b/policy/modules/services/networkmanager.if
-index 2324d9e..8069487 100644
+index 2324d9e..eebf5a7 100644
--- a/policy/modules/services/networkmanager.if
+++ b/policy/modules/services/networkmanager.if
@@ -43,9 +43,9 @@ interface(`networkmanager_rw_packet_sockets',`
@@ -38057,7 +38434,7 @@ index 2324d9e..8069487 100644
## Send a generic signal to NetworkManager
## </summary>
## <param name="domain">
-@@ -191,3 +213,50 @@ interface(`networkmanager_read_pid_files',`
+@@ -191,3 +213,77 @@ interface(`networkmanager_read_pid_files',`
files_search_pids($1)
allow $1 NetworkManager_var_run_t:file read_file_perms;
')
@@ -38108,6 +38485,33 @@ index 2324d9e..8069487 100644
+ allow $1 NetworkManager_log_t:dir list_dir_perms;
+ append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t)
+')
++
++########################################
++## <summary>
++## Transition to networkmanager named content
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`networkmanager_filetrans_named_content',`
++ gen_require(`
++ type NetworkManager_var_run_t;
++ ')
++
++ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth0.conf")
++ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth1.conf")
++ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth2.conf")
++ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth3.conf")
++ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth4.conf")
++ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth5.conf")
++ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth6.conf")
++ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth7.conf")
++ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth8.conf")
++ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth9.conf")
++')
diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
index 0619395..863ba2d 100644
--- a/policy/modules/services/networkmanager.te
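Review bot: The ten names in the new `networkmanager_filetrans_named_content` interface are spelled `nm-dhclient.-ethN.conf`, with a `.` directly before the `-`, which looks like a typo. A named file transition matches the file name exactly, so if NetworkManager actually writes `nm-dhclient-eth0.conf` (worth confirming against the daemon), none of these rules will apply and the file will not get `NetworkManager_var_run_t` through this interface. The list also stops at `eth0`–`eth9`, so configs for interfaces with any other name are not covered. A comment above the list would make that limit explicit, e.g. `# named transitions match exact names only; interfaces other than eth0-eth9 are not covered`.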
@@ -40944,14 +41348,14 @@ index 55e62d2..6082184 100644
/var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0)
/var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if
-index 46bee12..f064487 100644
+index 46bee12..b90c902 100644
--- a/policy/modules/services/postfix.if
+++ b/policy/modules/services/postfix.if
@@ -34,8 +34,9 @@ template(`postfix_domain_template',`
domain_entry_file(postfix_$1_t, postfix_$1_exec_t)
role system_r types postfix_$1_t;
-+ allow postfix_$1_t self:capability sys_nice;
++ allow postfix_$1_t self:capability { sys_nice sys_chroot };
dontaudit postfix_$1_t self:capability sys_tty_config;
- allow postfix_$1_t self:process { signal_perms setpgid };
+ allow postfix_$1_t self:process { signal_perms setpgid setsched };
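Review bot: Adding `sys_chroot` to the base `postfix_domain_template` hands the capability to every `postfix_$1_t` domain instantiated from it, whether or not that program ever calls chroot. The next hunk adds the same capability to `postfix_server_domain_template`, so if the server template covers the daemons that need it (not visible here), the base rule could stay `allow postfix_$1_t self:capability sys_nice;`. If the wider grant is intended, a comment naming the domains that need it would help, e.g. `# sys_chroot: required by <domains> when run chrooted`. The template body starts and ends outside the hunk.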
@@ -40975,6 +41379,15 @@ index 46bee12..f064487 100644
files_read_usr_symlinks(postfix_$1_t)
files_search_spool(postfix_$1_t)
files_getattr_tmp_dirs(postfix_$1_t)
+@@ -115,7 +117,7 @@ template(`postfix_server_domain_template',`
+ type postfix_$1_tmp_t;
+ files_tmp_file(postfix_$1_tmp_t)
+
+- allow postfix_$1_t self:capability { setuid setgid dac_override };
++ allow postfix_$1_t $self:capability { setuid setgid sys_chroot dac_override };
+ allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
+ allow postfix_$1_t self:tcp_socket create_socket_perms;
+ allow postfix_$1_t self:udp_socket create_socket_perms;
@@ -165,6 +167,8 @@ template(`postfix_user_domain_template',`
domtrans_pattern(postfix_user_domtrans, postfix_$1_exec_t, postfix_$1_t)
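Review bot: The rewritten capability rule in `postfix_server_domain_template` names its target as `$self`, which is neither a template argument nor the `self` keyword. m4 only substitutes numbered arguments, so the `$` most likely reaches the policy compiler unchanged and the rule fails to build. It should read `allow postfix_$1_t self:capability { setuid setgid sys_chroot dac_override };`, matching the plain `self` used by the `tcp_socket` and `udp_socket` rules two lines below. The template body continues outside the hunk.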
@@ -41846,6 +42259,18 @@ index ad15fde..6f55445 100644
')
allow $1 postgrey_t:process { ptrace signal_perms };
+diff --git a/policy/modules/services/ppp.fc b/policy/modules/services/ppp.fc
+index 2d82c6d..a41b55f 100644
+--- a/policy/modules/services/ppp.fc
++++ b/policy/modules/services/ppp.fc
+@@ -34,5 +34,7 @@
+ # Fix pptp sockets
+ /var/run/pptp(/.*)? gen_context(system_u:object_r:pptp_var_run_t,s0)
+
++/var/lock/ppp(/.*)? gen_context(system_u:object_r:pppd_lock_t,s0)
++
+ /var/log/ppp-connect-errors.* -- gen_context(system_u:object_r:pppd_log_t,s0)
+ /var/log/ppp/.* -- gen_context(system_u:object_r:pppd_log_t,s0)
diff --git a/policy/modules/services/ppp.if b/policy/modules/services/ppp.if
index b524673..9d90fb3 100644
--- a/policy/modules/services/ppp.if
@@ -42560,7 +42985,7 @@ index 2855a44..c71fa1e 100644
type puppet_tmp_t;
')
diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te
-index 64c5f95..401b511 100644
+index 64c5f95..7cdabb5 100644
--- a/policy/modules/services/puppet.te
+++ b/policy/modules/services/puppet.te
@@ -5,13 +5,23 @@ policy_module(puppet, 1.0.0)
@@ -42752,16 +43177,15 @@ index 64c5f95..401b511 100644
optional_policy(`
hostname_exec(puppetmaster_t)
')
-@@ -231,3 +329,10 @@ optional_policy(`
+@@ -231,3 +329,9 @@ optional_policy(`
rpm_exec(puppetmaster_t)
rpm_read_db(puppetmaster_t)
')
+
+optional_policy(`
-+ usermanage_domtrans_groupadd(puppetmaster_t)
-+ # Might in some cases actually run passwd but was only able to confirm open X_ok.
++ usermanage_access_check_groupadd(puppetmaster_t)
+ usermanage_access_check_passwd(puppetmaster_t)
-+ usermanage_domtrans_useradd(puppetmaster_t)
++ usermanage_access_check_useradd(puppetmaster_t)
+')
diff --git a/policy/modules/services/pyzor.fc b/policy/modules/services/pyzor.fc
index d4a7750..705196e 100644
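Review bot: The comment that recorded the evidence for using access checks (`only able to confirm open X_ok`) is dropped together with the two `domtrans` lines, so the `puppetmaster_t` block now has three `usermanage_access_check_*` calls and no explanation. Nothing left in the block says that puppetmaster is expected to probe `groupadd`, `passwd` and `useradd` rather than run them in their own domains. I would keep one line above the three calls, e.g. `# only X_OK access checks were observed; no domain transition is granted here`.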
@@ -46479,14 +46903,13 @@ index 0000000..19d7347
+/usr/sbin/sanlock -- gen_context(system_u:object_r:sanlock_exec_t,s0)
diff --git a/policy/modules/services/sanlock.if b/policy/modules/services/sanlock.if
new file mode 100644
-index 0000000..21a17ce
+index 0000000..6c62862
--- /dev/null
+++ b/policy/modules/services/sanlock.if
-@@ -0,0 +1,92 @@
+@@ -0,0 +1,91 @@
+
+## <summary>policy for sanlock</summary>
+
-+
+########################################
+## <summary>
+## Execute a domain transition to run sanlock.
@@ -46577,10 +47000,10 @@ index 0000000..21a17ce
+')
diff --git a/policy/modules/services/sanlock.te b/policy/modules/services/sanlock.te
new file mode 100644
-index 0000000..86d947e
+index 0000000..030a8cd
--- /dev/null
+++ b/policy/modules/services/sanlock.te
-@@ -0,0 +1,59 @@
+@@ -0,0 +1,54 @@
+policy_module(sanlock,1.0.0)
+
+########################################
@@ -46618,6 +47041,8 @@ index 0000000..86d947e
+
+files_read_etc_files(sanlock_t)
+
++storage_raw_rw_fixed_disk(sanlock_t)
++
+logging_send_syslog_msg(sanlock_t)
+
+init_read_utmp(sanlock_t)
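Review bot: `storage_raw_rw_fixed_disk(sanlock_t)` carries no explanation, yet it gives sanlock raw read/write access to fixed-disk device nodes, which sidesteps the file labels on whatever those disks hold. A why-comment would tell the next reader that the breadth is deliberate, e.g. `# lease areas live on shared block devices` (wording to be confirmed with the sanlock maintainers). If the lease devices can later be given a type of their own, this is the line to narrow.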
@@ -46625,21 +47050,14 @@ index 0000000..86d947e
+
+miscfiles_read_localization(sanlock_t)
+
-+wdmd_stream_connect(sanlock_t)
-+require {
-+ type sanlock_t;
-+}
-+
-+#============= sanlock_t ==============
-+storage_raw_rw_fixed_disk(sanlock_t)
-+
-+gen_require(`
-+ attribute virt_domain;
++optional_policy(`
++ wdmd_stream_connect(sanlock_t)
+')
+
-+# virt_kill_svirt(sanlock_t)
-+# virt_signal_svirt(sanlock_t)
-+allow sanlock_t virt_domain:process { signal sigkill };
++optional_policy(`
++ virt_kill_svirt(sanlock_t)
++ virt_signal_svirt(sanlock_t)
++')
diff --git a/policy/modules/services/sasl.if b/policy/modules/services/sasl.if
index f1aea88..a5a75a8 100644
--- a/policy/modules/services/sasl.if
@@ -50497,7 +50915,7 @@ index 7c5d8d8..7e8e54f 100644
+ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst")
')
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..9a96547 100644
+index 3eca020..4dec4ad 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -5,56 +5,66 @@ policy_module(virt, 1.4.0)
@@ -50698,7 +51116,7 @@ index 3eca020..9a96547 100644
xen_rw_image_files(svirt_t)
')
-@@ -174,21 +211,33 @@ optional_policy(`
+@@ -174,21 +211,34 @@ optional_policy(`
#
allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
@@ -50727,6 +51145,7 @@ index 3eca020..9a96547 100644
allow virtd_t virt_domain:process { getattr getsched setsched transition signal signull sigkill };
+allow virt_domain virtd_t:fd use;
++dontaudit virt_domain virtd_t:unix_stream_socket { read write };
+
+allow virtd_t qemu_var_run_t:file relabel_file_perms;
+manage_dirs_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t)
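Review bot: The new `dontaudit virt_domain virtd_t:unix_stream_socket { read write };` silences the denial for every guest domain instead of removing its cause, which looks like a libvirtd socket descriptor inherited across exec. That keeps the audit log quiet, but it also hides any later attempt by a guest process to read or write a virtd socket. The rule deserves a comment saying it covers a leaked descriptor and naming the bug that tracks the real fix, e.g. `# leaked fd from libvirtd, remove once <bug-id> is fixed`.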
@@ -50736,7 +51155,7 @@ index 3eca020..9a96547 100644
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -200,8 +249,14 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
+@@ -200,8 +250,14 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
@@ -50753,7 +51172,7 @@ index 3eca020..9a96547 100644
manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
-@@ -220,6 +275,7 @@ files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
+@@ -220,6 +276,7 @@ files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
kernel_read_system_state(virtd_t)
kernel_read_network_state(virtd_t)
kernel_rw_net_sysctls(virtd_t)
@@ -50761,7 +51180,7 @@ index 3eca020..9a96547 100644
kernel_request_load_module(virtd_t)
kernel_search_debugfs(virtd_t)
-@@ -239,22 +295,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
+@@ -239,22 +296,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
corenet_rw_tun_tap_dev(virtd_t)
dev_rw_sysfs(virtd_t)
@@ -50794,7 +51213,7 @@ index 3eca020..9a96547 100644
fs_list_auto_mountpoints(virtd_t)
fs_getattr_xattr_fs(virtd_t)
-@@ -262,6 +327,18 @@ fs_rw_anon_inodefs_files(virtd_t)
+@@ -262,6 +328,18 @@ fs_rw_anon_inodefs_files(virtd_t)
fs_list_inotifyfs(virtd_t)
fs_manage_cgroup_dirs(virtd_t)
fs_rw_cgroup_files(virtd_t)
@@ -50813,14 +51232,14 @@ index 3eca020..9a96547 100644
mcs_process_set_categories(virtd_t)
-@@ -285,16 +362,30 @@ modutils_read_module_config(virtd_t)
+@@ -285,16 +363,29 @@ modutils_read_module_config(virtd_t)
modutils_manage_module_config(virtd_t)
logging_send_syslog_msg(virtd_t)
+logging_send_audit_msgs(virtd_t)
-+
-+selinux_validate_context(virtd_t)
++selinux_validate_context(virtd_t)
++
+seutil_read_config(virtd_t)
seutil_read_default_contexts(virtd_t)
+seutil_read_file_contexts(virtd_t)
@@ -50840,7 +51259,6 @@ index 3eca020..9a96547 100644
+manage_sock_files_pattern(virtd_t, virt_home_t, virt_home_t)
+manage_lnk_files_pattern(virtd_t, virt_home_t, virt_home_t)
+userdom_user_home_dir_filetrans(virtd_t, virt_home_t, { dir file })
-+
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
@@ -50866,16 +51284,20 @@ index 3eca020..9a96547 100644
dnsmasq_domtrans(virtd_t)
dnsmasq_signal(virtd_t)
dnsmasq_kill(virtd_t)
-@@ -365,6 +464,8 @@ optional_policy(`
+@@ -365,6 +464,12 @@ optional_policy(`
qemu_signal(virtd_t)
qemu_kill(virtd_t)
qemu_setsched(virtd_t)
+ qemu_entry_type(virt_domain)
+ qemu_exec(virt_domain)
++')
++
++optional_policy(`
++ sanlock_stream_connect(virtd_t)
')
optional_policy(`
-@@ -385,23 +486,37 @@ optional_policy(`
+@@ -385,23 +490,37 @@ optional_policy(`
udev_read_db(virtd_t)
')
@@ -50918,7 +51340,7 @@ index 3eca020..9a96547 100644
append_files_pattern(virt_domain, virt_log_t, virt_log_t)
append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
-@@ -418,10 +533,11 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
+@@ -418,10 +537,11 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
corenet_tcp_sendrecv_all_ports(virt_domain)
corenet_tcp_bind_generic_node(virt_domain)
corenet_tcp_bind_vnc_port(virt_domain)
@@ -50931,7 +51353,7 @@ index 3eca020..9a96547 100644
dev_read_rand(virt_domain)
dev_read_sound(virt_domain)
dev_read_urand(virt_domain)
-@@ -429,10 +545,12 @@ dev_write_sound(virt_domain)
+@@ -429,10 +549,12 @@ dev_write_sound(virt_domain)
dev_rw_ksm(virt_domain)
dev_rw_kvm(virt_domain)
dev_rw_qemu(virt_domain)
@@ -50944,7 +51366,7 @@ index 3eca020..9a96547 100644
files_read_usr_files(virt_domain)
files_read_var_files(virt_domain)
files_search_all(virt_domain)
-@@ -440,8 +558,16 @@ files_search_all(virt_domain)
+@@ -440,8 +562,16 @@ files_search_all(virt_domain)
fs_getattr_tmpfs(virt_domain)
fs_rw_anon_inodefs_files(virt_domain)
fs_rw_tmpfs_files(virt_domain)
@@ -50952,17 +51374,17 @@ index 3eca020..9a96547 100644
+fs_rw_inherited_nfs_files(virt_domain)
+fs_rw_inherited_cifs_files(virt_domain)
+fs_rw_inherited_noxattr_fs_files(virt_domain)
-+
+
+-term_use_all_terms(virt_domain)
+# I think we need these for now.
+miscfiles_read_public_files(virt_domain)
+storage_raw_read_removable_device(virt_domain)
-
--term_use_all_terms(virt_domain)
++
+term_use_all_inherited_terms(virt_domain)
term_getattr_pty_fs(virt_domain)
term_use_generic_ptys(virt_domain)
term_use_ptmx(virt_domain)
-@@ -457,8 +583,117 @@ optional_policy(`
+@@ -457,8 +587,117 @@ optional_policy(`
')
optional_policy(`
@@ -55024,6 +55446,36 @@ index 66d13c4..335900f 100644
+ namespace_init_domtrans(polydomain)
+ ')
+')
+diff --git a/policy/modules/system/clock.if b/policy/modules/system/clock.if
+index e2f6d93..c78ccc6 100644
+--- a/policy/modules/system/clock.if
++++ b/policy/modules/system/clock.if
+@@ -82,6 +82,25 @@ interface(`clock_dontaudit_write_adjtime',`
+
+ ########################################
+ ## <summary>
++## Read clock drift adjustments.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`clock_read_adjtime',`
++ gen_require(`
++ type adjtime_t;
++ ')
++
++ allow $1 adjtime_t:file read_file_perms;
++ files_list_etc($1)
++')
++
++########################################
++## <summary>
+ ## Read and write clock drift adjustments.
+ ## </summary>
+ ## <param name="domain">
diff --git a/policy/modules/system/clock.te b/policy/modules/system/clock.te
index b9ed25b..de3738c 100644
--- a/policy/modules/system/clock.te
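Review bot: The new `clock_read_adjtime` interface calls `files_list_etc($1)`, which lets the caller enumerate the etc directory, although opening a known file there needs only directory search. `files_search_etc($1)` is enough, and it is what `mta_read_aliases` uses elsewhere in this patch. I would also place it before the `allow` line to match the order used by the other interfaces: `files_search_etc($1)` followed by `allow $1 adjtime_t:file read_file_perms;`.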
@@ -56254,7 +56706,7 @@ index cc83689..48662f1 100644
+')
+
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index ea29513..353ef34 100644
+index ea29513..0eb1342 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -16,6 +16,34 @@ gen_require(`
@@ -56349,7 +56801,7 @@ index ea29513..353ef34 100644
allow init_t initctl_t:fifo_file manage_fifo_file_perms;
dev_filetrans(init_t, initctl_t, fifo_file)
-@@ -114,11 +151,13 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
+@@ -114,24 +151,32 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
kernel_read_system_state(init_t)
kernel_share_state(init_t)
@@ -56362,8 +56814,10 @@ index ea29513..353ef34 100644
+dev_read_urand(init_t)
# Early devtmpfs
dev_rw_generic_chr_files(init_t)
++dev_filetrans_all_named_dev(init_t)
-@@ -127,11 +166,16 @@ domain_kill_all_domains(init_t)
+ domain_getpgid_all_domains(init_t)
+ domain_kill_all_domains(init_t)
domain_signal_all_domains(init_t)
domain_signull_all_domains(init_t)
domain_sigstop_all_domains(init_t)
@@ -56380,7 +56834,7 @@ index ea29513..353ef34 100644
files_manage_etc_runtime_files(init_t)
files_etc_filetrans_etc_runtime(init_t, file)
# Run /etc/X11/prefdm:
-@@ -151,10 +195,16 @@ mls_file_read_all_levels(init_t)
+@@ -151,10 +196,16 @@ mls_file_read_all_levels(init_t)
mls_file_write_all_levels(init_t)
mls_process_write_down(init_t)
mls_fd_use_all_levels(init_t)
@@ -56398,7 +56852,7 @@ index ea29513..353ef34 100644
# Run init scripts.
init_domtrans_script(init_t)
-@@ -162,12 +212,15 @@ init_domtrans_script(init_t)
+@@ -162,12 +213,15 @@ init_domtrans_script(init_t)
libs_rw_ld_so_cache(init_t)
logging_send_syslog_msg(init_t)
@@ -56414,7 +56868,7 @@ index ea29513..353ef34 100644
ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap };
')
-@@ -178,7 +231,7 @@ ifdef(`distro_redhat',`
+@@ -178,7 +232,7 @@ ifdef(`distro_redhat',`
fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)
')
@@ -56423,7 +56877,7 @@ index ea29513..353ef34 100644
corecmd_shell_domtrans(init_t, initrc_t)
',`
# Run the shell in the sysadm role for single-user mode.
-@@ -186,12 +239,119 @@ tunable_policy(`init_upstart',`
+@@ -186,12 +240,121 @@ tunable_policy(`init_upstart',`
sysadm_shell_domtrans(init_t)
')
@@ -56503,6 +56957,8 @@ index ea29513..353ef34 100644
+ auth_relabel_login_records(init_t)
+ auth_relabel_pam_console_data_dirs(init_t)
+
++ clock_read_adjtime(init_t)
++
+ init_read_script_state(init_t)
+
+ seutil_read_file_contexts(init_t)
@@ -56543,7 +56999,7 @@ index ea29513..353ef34 100644
')
optional_policy(`
-@@ -199,10 +359,26 @@ optional_policy(`
+@@ -199,10 +362,26 @@ optional_policy(`
')
optional_policy(`
@@ -56570,7 +57026,7 @@ index ea29513..353ef34 100644
unconfined_domain(init_t)
')
-@@ -212,7 +388,7 @@ optional_policy(`
+@@ -212,7 +391,7 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -56579,7 +57035,7 @@ index ea29513..353ef34 100644
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -241,12 +417,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -241,12 +420,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -56595,7 +57051,7 @@ index ea29513..353ef34 100644
init_write_initctl(initrc_t)
-@@ -258,20 +437,32 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -258,20 +440,32 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -56632,7 +57088,7 @@ index ea29513..353ef34 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -279,6 +470,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -279,6 +473,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -56640,7 +57096,7 @@ index ea29513..353ef34 100644
dev_write_kmsg(initrc_t)
dev_write_rand(initrc_t)
dev_write_urand(initrc_t)
-@@ -289,8 +481,10 @@ dev_write_framebuffer(initrc_t)
+@@ -289,8 +484,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@@ -56651,13 +57107,14 @@ index ea29513..353ef34 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -298,13 +492,13 @@ dev_manage_generic_files(initrc_t)
+@@ -298,13 +495,14 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
-# Early devtmpfs
-dev_rw_generic_chr_files(initrc_t)
+dev_rw_xserver_misc(initrc_t)
++dev_filetrans_all_named_dev(initrc_t)
domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t)
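Review bot: The added `dev_filetrans_all_named_dev(initrc_t)` carries no comment, and it sits exactly where the patch already strips the `# Early devtmpfs` explanation, so nothing in initrc_t's device rules now says why init scripts create device nodes. The interface body is not part of this hunk; judging by its name it sets up name-based type transitions for all known device nodes, which is a broad grant for the domain that runs every init script. I would add a why-comment above the call, for example `# <reason initrc_t creates nodes in /dev>: keep the new nodes correctly labelled by name`. The same applies to the matching `dev_filetrans_all_named_dev(udev_t)` line added in the udev.te section.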
@@ -56667,7 +57124,7 @@ index ea29513..353ef34 100644
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
-@@ -316,6 +510,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -316,6 +514,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -56675,7 +57132,7 @@ index ea29513..353ef34 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
-@@ -323,8 +518,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -323,8 +522,10 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -56687,7 +57144,7 @@ index ea29513..353ef34 100644
files_delete_all_pids(initrc_t)
files_delete_all_pid_dirs(initrc_t)
files_read_etc_files(initrc_t)
-@@ -340,8 +537,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -340,8 +541,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -56701,7 +57158,7 @@ index ea29513..353ef34 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -351,6 +552,8 @@ fs_mount_all_fs(initrc_t)
+@@ -351,6 +556,8 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -56710,7 +57167,7 @@ index ea29513..353ef34 100644
# initrc_t needs to do a pidof which requires ptrace
mcs_ptrace_all(initrc_t)
-@@ -363,6 +566,7 @@ mls_process_read_up(initrc_t)
+@@ -363,6 +570,7 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -56718,7 +57175,7 @@ index ea29513..353ef34 100644
selinux_get_enforce_mode(initrc_t)
-@@ -374,6 +578,7 @@ term_use_all_terms(initrc_t)
+@@ -374,6 +582,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -56726,7 +57183,7 @@ index ea29513..353ef34 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -394,18 +599,17 @@ logging_read_audit_config(initrc_t)
+@@ -394,18 +603,17 @@ logging_read_audit_config(initrc_t)
miscfiles_read_localization(initrc_t)
# slapd needs to read cert files from its initscript
@@ -56748,7 +57205,7 @@ index ea29513..353ef34 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -458,6 +662,10 @@ ifdef(`distro_gentoo',`
+@@ -458,6 +666,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@@ -56759,7 +57216,7 @@ index ea29513..353ef34 100644
alsa_read_lib(initrc_t)
')
-@@ -478,7 +686,7 @@ ifdef(`distro_redhat',`
+@@ -478,7 +690,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -56768,7 +57225,7 @@ index ea29513..353ef34 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -493,6 +701,7 @@ ifdef(`distro_redhat',`
+@@ -493,6 +705,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -56776,7 +57233,7 @@ index ea29513..353ef34 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -522,8 +731,29 @@ ifdef(`distro_redhat',`
+@@ -522,8 +735,29 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -56806,7 +57263,7 @@ index ea29513..353ef34 100644
')
optional_policy(`
-@@ -531,10 +761,22 @@ ifdef(`distro_redhat',`
+@@ -531,10 +765,22 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -56829,7 +57286,7 @@ index ea29513..353ef34 100644
')
optional_policy(`
-@@ -549,6 +791,39 @@ ifdef(`distro_suse',`
+@@ -549,6 +795,39 @@ ifdef(`distro_suse',`
')
')
@@ -56869,7 +57326,7 @@ index ea29513..353ef34 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -561,6 +836,8 @@ optional_policy(`
+@@ -561,6 +840,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -56878,7 +57335,7 @@ index ea29513..353ef34 100644
')
optional_policy(`
-@@ -577,6 +854,7 @@ optional_policy(`
+@@ -577,6 +858,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -56886,7 +57343,7 @@ index ea29513..353ef34 100644
')
optional_policy(`
-@@ -589,6 +867,11 @@ optional_policy(`
+@@ -589,6 +871,11 @@ optional_policy(`
')
optional_policy(`
@@ -56898,7 +57355,7 @@ index ea29513..353ef34 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -605,9 +888,13 @@ optional_policy(`
+@@ -605,9 +892,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -56912,7 +57369,7 @@ index ea29513..353ef34 100644
')
optional_policy(`
-@@ -649,6 +936,11 @@ optional_policy(`
+@@ -649,6 +940,11 @@ optional_policy(`
')
optional_policy(`
@@ -56924,7 +57381,7 @@ index ea29513..353ef34 100644
inn_exec_config(initrc_t)
')
-@@ -706,7 +998,13 @@ optional_policy(`
+@@ -706,7 +1002,13 @@ optional_policy(`
')
optional_policy(`
@@ -56938,7 +57395,7 @@ index ea29513..353ef34 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -729,6 +1027,10 @@ optional_policy(`
+@@ -729,6 +1031,10 @@ optional_policy(`
')
optional_policy(`
@@ -56949,7 +57406,7 @@ index ea29513..353ef34 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -738,10 +1040,20 @@ optional_policy(`
+@@ -738,10 +1044,20 @@ optional_policy(`
')
optional_policy(`
@@ -56970,7 +57427,7 @@ index ea29513..353ef34 100644
quota_manage_flags(initrc_t)
')
-@@ -750,6 +1062,10 @@ optional_policy(`
+@@ -750,6 +1066,10 @@ optional_policy(`
')
optional_policy(`
@@ -56981,7 +57438,7 @@ index ea29513..353ef34 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -771,8 +1087,6 @@ optional_policy(`
+@@ -771,8 +1091,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -56990,7 +57447,7 @@ index ea29513..353ef34 100644
')
optional_policy(`
-@@ -781,14 +1095,21 @@ optional_policy(`
+@@ -781,14 +1099,21 @@ optional_policy(`
')
optional_policy(`
@@ -57012,7 +57469,7 @@ index ea29513..353ef34 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -800,7 +1121,6 @@ optional_policy(`
+@@ -800,7 +1125,6 @@ optional_policy(`
')
optional_policy(`
@@ -57020,7 +57477,7 @@ index ea29513..353ef34 100644
udev_manage_pid_files(initrc_t)
udev_manage_rules_files(initrc_t)
')
-@@ -810,11 +1130,24 @@ optional_policy(`
+@@ -810,11 +1134,24 @@ optional_policy(`
')
optional_policy(`
@@ -57046,7 +57503,7 @@ index ea29513..353ef34 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -824,6 +1157,25 @@ optional_policy(`
+@@ -824,6 +1161,25 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -57072,7 +57529,7 @@ index ea29513..353ef34 100644
')
optional_policy(`
-@@ -849,3 +1201,42 @@ optional_policy(`
+@@ -849,3 +1205,42 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -58265,7 +58722,7 @@ index d97d16d..ed84884 100644
########################################
diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
-index bf416a4..18c1561 100644
+index bf416a4..91f5506 100644
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
@@ -61,7 +61,7 @@ allow ldconfig_t self:capability { dac_override sys_chroot };
@@ -58295,10 +58752,11 @@ index bf416a4..18c1561 100644
userdom_use_all_users_fds(ldconfig_t)
ifdef(`distro_ubuntu',`
-@@ -103,6 +105,10 @@ ifdef(`distro_ubuntu',`
+@@ -103,6 +105,11 @@ ifdef(`distro_ubuntu',`
')
')
++userdom_list_user_home_dirs(ldconfig_t)
+userdom_manage_user_home_content_files(ldconfig_t)
+userdom_manage_user_tmp_files(ldconfig_t)
+userdom_manage_user_tmp_symlinks(ldconfig_t)
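Review bot: `userdom_list_user_home_dirs(ldconfig_t)` is added at top level, after the `distro_ubuntu` block closes and outside any `optional_policy` or tunable, so every build of the policy lets ldconfig_t list user home directories. It joins the existing unconditional `userdom_manage_user_home_content_files(ldconfig_t)` rule, and no comment names the ldconfig invocation that needs access under home directories. I would put a comment above the group, for example `# ldconfig is run against libraries under $HOME by <caller>; see <bug reference>`. If only one caller needs these rules, scoping them to it would keep the grant narrower.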
@@ -58306,7 +58764,7 @@ index bf416a4..18c1561 100644
ifdef(`hide_broken_symptoms',`
ifdef(`distro_gentoo',`
# leaked fds from portage
-@@ -131,6 +137,10 @@ optional_policy(`
+@@ -131,6 +138,10 @@ optional_policy(`
')
optional_policy(`
@@ -58317,7 +58775,7 @@ index bf416a4..18c1561 100644
puppet_rw_tmp(ldconfig_t)
')
-@@ -141,6 +151,7 @@ optional_policy(`
+@@ -141,6 +152,7 @@ optional_policy(`
rpm_manage_script_tmp_files(ldconfig_t)
')
@@ -62076,10 +62534,10 @@ index 0000000..c59c37c
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..13b7617
+index 0000000..0fc12cc
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,185 @@
+@@ -0,0 +1,189 @@
+
+policy_module(systemd, 1.0.0)
+
@@ -62240,6 +62698,8 @@ index 0000000..13b7617
+ sandbox_list(systemd_tmpfiles_t)
+ sandbox_delete_dirs(systemd_tmpfiles_t)
+ sandbox_delete_files(systemd_tmpfiles_t)
++ sandbox_delete_lnk_files(systemd_tmpfiles_t)
++ sandbox_delete_pipes(systemd_tmpfiles_t)
+ sandbox_delete_sock_files(systemd_tmpfiles_t)
+ sandbox_setattr_dirs(systemd_tmpfiles_t)
+')
@@ -62258,6 +62718,8 @@ index 0000000..13b7617
+
+files_read_etc_files(systemd_notify_t)
+
++fs_getattr_cgroup_files(systemd_notify_t)
++
+auth_use_nsswitch(systemd_notify_t)
+
+miscfiles_read_localization(systemd_notify_t)
@@ -62487,7 +62949,7 @@ index 025348a..c15e57c 100644
+')
+
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index d88f7c3..1b1d6a2 100644
+index d88f7c3..ca207d7 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -14,17 +14,17 @@ domain_entry_file(udev_t, udev_helper_exec_t)
@@ -62569,7 +63031,14 @@ index d88f7c3..1b1d6a2 100644
dev_rw_generic_files(udev_t)
dev_delete_generic_files(udev_t)
dev_search_usbfs(udev_t)
-@@ -111,15 +118,20 @@ domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
+@@ -105,21 +112,27 @@ dev_relabel_all_dev_nodes(udev_t)
+ # preserved, instead of short circuiting the relabel
+ dev_relabel_generic_symlinks(udev_t)
+ dev_manage_generic_symlinks(udev_t)
++dev_filetrans_all_named_dev(udev_t)
+
+ domain_read_all_domains_state(udev_t)
+ domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
files_read_usr_files(udev_t)
files_read_etc_runtime_files(udev_t)
@@ -62591,7 +63060,7 @@ index d88f7c3..1b1d6a2 100644
mcs_ptrace_all(udev_t)
-@@ -143,6 +155,7 @@ auth_use_nsswitch(udev_t)
+@@ -143,6 +156,7 @@ auth_use_nsswitch(udev_t)
init_read_utmp(udev_t)
init_dontaudit_write_utmp(udev_t)
init_getattr_initctl(udev_t)
@@ -62599,7 +63068,7 @@ index d88f7c3..1b1d6a2 100644
logging_search_logs(udev_t)
logging_send_syslog_msg(udev_t)
-@@ -186,15 +199,16 @@ ifdef(`distro_redhat',`
+@@ -186,15 +200,16 @@ ifdef(`distro_redhat',`
fs_manage_tmpfs_chr_files(udev_t)
fs_relabel_tmpfs_blk_file(udev_t)
fs_relabel_tmpfs_chr_file(udev_t)
@@ -62620,7 +63089,7 @@ index d88f7c3..1b1d6a2 100644
')
optional_policy(`
-@@ -216,11 +230,16 @@ optional_policy(`
+@@ -216,11 +231,16 @@ optional_policy(`
')
optional_policy(`
@@ -62638,7 +63107,7 @@ index d88f7c3..1b1d6a2 100644
')
optional_policy(`
-@@ -230,6 +249,15 @@ optional_policy(`
+@@ -230,6 +250,15 @@ optional_policy(`
optional_policy(`
devicekit_read_pid_files(udev_t)
devicekit_dgram_send(udev_t)
@@ -62654,7 +63123,7 @@ index d88f7c3..1b1d6a2 100644
')
optional_policy(`
-@@ -259,6 +287,10 @@ optional_policy(`
+@@ -259,6 +288,10 @@ optional_policy(`
')
optional_policy(`
@@ -62665,7 +63134,7 @@ index d88f7c3..1b1d6a2 100644
openct_read_pid_files(udev_t)
openct_domtrans(udev_t)
')
-@@ -273,6 +305,11 @@ optional_policy(`
+@@ -273,6 +306,11 @@ optional_policy(`
')
optional_policy(`
@@ -63449,7 +63918,7 @@ index db75976..392d1ee 100644
+HOME_DIR/\.gvfs(/.*)? <<none>>
+HOME_DIR/\.debug(/.*)? <<none>>
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 28b88de..eba9213 100644
+index 28b88de..d7d8b53 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,8 +30,9 @@ template(`userdom_base_user_template',`
@@ -64731,7 +65200,7 @@ index 28b88de..eba9213 100644
auth_relabel_all_files_except_shadow($1)
auth_relabel_shadow($1)
-@@ -1234,9 +1512,14 @@ template(`userdom_security_admin_template',`
+@@ -1234,11 +1512,22 @@ template(`userdom_security_admin_template',`
logging_read_audit_config($1)
seutil_manage_bin_policy($1)
@@ -64745,8 +65214,16 @@ index 28b88de..eba9213 100644
+ seutil_run_setsebool($1,$2)
seutil_run_setfiles($1, $2)
++ seutil_manage_bin_policy($1)
++ seutil_manage_default_contexts($1)
++ seutil_manage_file_contexts($1)
++ seutil_manage_module_store($1)
++ seutil_manage_config($1)
++
optional_policy(`
-@@ -1279,11 +1562,37 @@ template(`userdom_security_admin_template',`
+ aide_run($1,$2)
+ ')
+@@ -1279,11 +1568,37 @@ template(`userdom_security_admin_template',`
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@@ -64784,7 +65261,7 @@ index 28b88de..eba9213 100644
ubac_constrained($1)
')
-@@ -1395,6 +1704,7 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1395,6 +1710,7 @@ interface(`userdom_search_user_home_dirs',`
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -64792,7 +65269,7 @@ index 28b88de..eba9213 100644
files_search_home($1)
')
-@@ -1441,6 +1751,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1441,6 +1757,14 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -64807,7 +65284,7 @@ index 28b88de..eba9213 100644
')
########################################
-@@ -1456,9 +1774,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1456,9 +1780,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -64819,7 +65296,7 @@ index 28b88de..eba9213 100644
')
########################################
-@@ -1515,10 +1835,10 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1515,10 +1841,10 @@ interface(`userdom_relabelto_user_home_dirs',`
allow $1 user_home_dir_t:dir relabelto;
')
@@ -64832,7 +65309,7 @@ index 28b88de..eba9213 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1526,19 +1846,55 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1526,17 +1852,53 @@ interface(`userdom_relabelto_user_home_dirs',`
## </summary>
## </param>
#
@@ -64850,8 +65327,6 @@ index 28b88de..eba9213 100644
########################################
## <summary>
-## Do a domain transition to the specified
--## domain when executing a program in the
--## user home directory.
+## Relabel user home files.
+## </summary>
+## <param name="domain">
@@ -64890,12 +65365,10 @@ index 28b88de..eba9213 100644
+########################################
+## <summary>
+## Do a domain transition to the specified
-+## domain when executing a program in the
-+## user home directory.
+ ## domain when executing a program in the
+ ## user home directory.
## </summary>
- ## <desc>
- ## <p>
-@@ -1589,6 +1945,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1589,6 +1951,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -64904,7 +65377,7 @@ index 28b88de..eba9213 100644
')
########################################
-@@ -1603,10 +1961,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1603,10 +1967,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -64919,7 +65392,7 @@ index 28b88de..eba9213 100644
')
########################################
-@@ -1649,6 +2009,25 @@ interface(`userdom_delete_user_home_content_dirs',`
+@@ -1649,6 +2015,25 @@ interface(`userdom_delete_user_home_content_dirs',`
########################################
## <summary>
@@ -64945,7 +65418,7 @@ index 28b88de..eba9213 100644
## Do not audit attempts to set the
## attributes of user home files.
## </summary>
-@@ -1700,12 +2079,32 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1700,12 +2085,32 @@ interface(`userdom_read_user_home_content_files',`
type user_home_dir_t, user_home_t;
')
@@ -64978,7 +65451,7 @@ index 28b88de..eba9213 100644
## Do not audit attempts to read user home files.
## </summary>
## <param name="domain">
-@@ -1716,11 +2115,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1716,11 +2121,14 @@ interface(`userdom_read_user_home_content_files',`
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -64996,7 +65469,7 @@ index 28b88de..eba9213 100644
')
########################################
-@@ -1779,6 +2181,24 @@ interface(`userdom_delete_user_home_content_files',`
+@@ -1779,6 +2187,24 @@ interface(`userdom_delete_user_home_content_files',`
########################################
## <summary>
@@ -65021,7 +65494,7 @@ index 28b88de..eba9213 100644
## Do not audit attempts to write user home files.
## </summary>
## <param name="domain">
-@@ -1810,8 +2230,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1810,8 +2236,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@@ -65031,7 +65504,7 @@ index 28b88de..eba9213 100644
')
########################################
-@@ -1827,20 +2246,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1827,21 +2252,15 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -65045,18 +65518,19 @@ index 28b88de..eba9213 100644
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_exec_nfs_files($1)
-- ')
--
-- tunable_policy(`use_samba_home_dirs',`
-- fs_exec_cifs_files($1)
+ exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
+ dontaudit $1 user_home_type:sock_file execute;
')
--')
+- tunable_policy(`use_samba_home_dirs',`
+- fs_exec_cifs_files($1)
+- ')
+-')
+-
########################################
## <summary>
-@@ -2008,7 +2421,7 @@ interface(`userdom_user_home_dir_filetrans',`
+ ## Do not audit attempts to execute user home files.
+@@ -2008,7 +2427,7 @@ interface(`userdom_user_home_dir_filetrans',`
type user_home_dir_t;
')
@@ -65065,7 +65539,7 @@ index 28b88de..eba9213 100644
files_search_home($1)
')
-@@ -2182,7 +2595,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2182,7 +2601,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -65074,7 +65548,7 @@ index 28b88de..eba9213 100644
')
########################################
-@@ -2435,13 +2848,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2435,13 +2854,14 @@ interface(`userdom_read_user_tmpfs_files',`
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -65090,7 +65564,7 @@ index 28b88de..eba9213 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2462,26 +2876,6 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2462,26 +2882,6 @@ interface(`userdom_rw_user_tmpfs_files',`
########################################
## <summary>
@@ -65117,7 +65591,7 @@ index 28b88de..eba9213 100644
## Get the attributes of a user domain tty.
## </summary>
## <param name="domain">
-@@ -2572,6 +2966,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2572,6 +2972,24 @@ interface(`userdom_use_user_ttys',`
########################################
## <summary>
@@ -65142,7 +65616,7 @@ index 28b88de..eba9213 100644
## Read and write a user domain pty.
## </summary>
## <param name="domain">
-@@ -2590,22 +3002,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2590,22 +3008,34 @@ interface(`userdom_use_user_ptys',`
########################################
## <summary>
@@ -65185,7 +65659,7 @@ index 28b88de..eba9213 100644
## </desc>
## <param name="domain">
## <summary>
-@@ -2614,14 +3038,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2614,14 +3044,33 @@ interface(`userdom_use_user_ptys',`
## </param>
## <infoflow type="both" weight="10"/>
#
@@ -65223,7 +65697,7 @@ index 28b88de..eba9213 100644
')
########################################
-@@ -2815,7 +3258,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2815,7 +3264,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -65232,7 +65706,7 @@ index 28b88de..eba9213 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -2831,11 +3274,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2831,11 +3280,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -65248,7 +65722,7 @@ index 28b88de..eba9213 100644
')
########################################
-@@ -2917,7 +3362,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -2917,7 +3368,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -65257,7 +65731,7 @@ index 28b88de..eba9213 100644
')
########################################
-@@ -2972,7 +3417,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -2972,7 +3423,45 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -65304,7 +65778,7 @@ index 28b88de..eba9213 100644
')
########################################
-@@ -3009,6 +3492,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3009,6 +3498,7 @@ interface(`userdom_read_all_users_state',`
')
read_files_pattern($1, userdomain, userdomain)
@@ -65312,7 +65786,7 @@ index 28b88de..eba9213 100644
kernel_search_proc($1)
')
-@@ -3087,6 +3571,24 @@ interface(`userdom_signal_all_users',`
+@@ -3087,6 +3577,24 @@ interface(`userdom_signal_all_users',`
########################################
## <summary>
@@ -65337,7 +65811,7 @@ index 28b88de..eba9213 100644
## Send a SIGCHLD signal to all user domains.
## </summary>
## <param name="domain">
-@@ -3139,3 +3641,1058 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3139,3 +3647,1058 @@ interface(`userdom_dbus_send_all_users',`
allow $1 userdomain:dbus send_msg;
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 8cf0228..fb9c1a2 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.16
-Release: 24%{?dist}
+Release: 25%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -472,6 +472,12 @@ exit 0
%endif
%changelog
+* Jun 2 1 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-25
+- Fixes for sanlock policy
+- Fixes for colord policy
+- Other fixes
+ * http://git.fedorahosted.org/git/?p=selinux-policy.git;a=log
+
* Thu May 26 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-24
- Add rhev policy module to modules-targeted.conf
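Review bot: The new changelog header `* Jun 2 1 2011 ...` does not follow the `* Wkd Mon DD YYYY` form used by the entry directly below it (`* Thu May 26 2011`). The weekday is missing and a stray `1` sits before the year. rpmbuild parses %changelog dates and is likely to reject or mis-read this entry, so the header should start `* Thu Jun 2 2011`, matching the commit date.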